ieee802_1x.c revision dca3979ccdf869f140f096b83df322a0efc84f22
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "utils/includes.h" 16 17#include "utils/common.h" 18#include "utils/eloop.h" 19#include "crypto/md5.h" 20#include "crypto/crypto.h" 21#include "crypto/random.h" 22#include "common/ieee802_11_defs.h" 23#include "common/wpa_ctrl.h" 24#include "radius/radius.h" 25#include "radius/radius_client.h" 26#include "eap_server/eap.h" 27#include "eap_common/eap_wsc_common.h" 28#include "eapol_auth/eapol_auth_sm.h" 29#include "eapol_auth/eapol_auth_sm_i.h" 30#include "hostapd.h" 31#include "accounting.h" 32#include "sta_info.h" 33#include "wpa_auth.h" 34#include "preauth_auth.h" 35#include "pmksa_cache_auth.h" 36#include "ap_config.h" 37#include "ap_drv_ops.h" 38#include "ieee802_1x.h" 39#ifdef ANDROID_BRCM_P2P_PATCH 40#include "p2p/p2p_i.h" 41#endif 42 43 44static void ieee802_1x_finished(struct hostapd_data *hapd, 45 struct sta_info *sta, int success); 46 47 48static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 49 u8 type, const u8 *data, size_t datalen) 50{ 51 u8 *buf; 52 struct ieee802_1x_hdr *xhdr; 53 size_t len; 54 int encrypt = 0; 55 56 len = sizeof(*xhdr) + datalen; 57 buf = os_zalloc(len); 58 if (buf == NULL) { 59 wpa_printf(MSG_ERROR, "malloc() failed for " 60 "ieee802_1x_send(len=%lu)", 61 (unsigned long) len); 62 return; 63 } 64 65 xhdr = (struct ieee802_1x_hdr *) buf; 66 xhdr->version = hapd->conf->eapol_version; 67 xhdr->type = type; 68 xhdr->length = host_to_be16(datalen); 69 70 if (datalen > 0 && data != NULL) 71 os_memcpy(xhdr + 1, data, datalen); 72 73 if (wpa_auth_pairwise_set(sta->wpa_sm)) 74 encrypt = 1; 75 if (sta->flags & WLAN_STA_PREAUTH) { 76 rsn_preauth_send(hapd, sta, buf, len); 77 } else { 78 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 79 encrypt, sta->flags); 80 } 81 82 os_free(buf); 83} 84 85 86void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 87 struct sta_info *sta, int authorized) 88{ 89 int res; 90#ifdef ANDROID_BRCM_P2P_PATCH 91 u8 *dev_addr = NULL; 92#endif 93 94 if (sta->flags & WLAN_STA_PREAUTH) 95 return; 96 97 if (authorized) { 98 if (!ap_sta_is_authorized(sta)) { 99#if defined(ANDROID_BRCM_P2P_PATCH) && defined(CONFIG_P2P) 100 if((dev_addr = p2p_group_get_dev_addr(hapd->p2p_group, sta->addr))) 101 wpa_msg(hapd->msg_ctx, MSG_INFO, 102 AP_STA_CONNECTED MACSTR " dev_addr="MACSTR, MAC2STR(sta->addr), MAC2STR(dev_addr)); 103 else 104#endif /*ANDROID_BRCM_P2P_PATCH*/ 105 wpa_msg(hapd->msg_ctx, MSG_INFO, 106 AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr)); 107 108#ifdef ANDROID_BRCM_P2P_PATCH 109 /* Sending the event to parent is required as SSL listens on parent ctrl iface */ 110 if(hapd->msg_ctx_parent) { 111 if(dev_addr) 112 wpa_msg(hapd->msg_ctx_parent, MSG_INFO, 113 AP_STA_CONNECTED MACSTR " dev_addr="MACSTR, MAC2STR(sta->addr), MAC2STR(dev_addr)); 114 else 115 wpa_msg(hapd->msg_ctx_parent, MSG_INFO, 116 AP_STA_CONNECTED MACSTR , MAC2STR(sta->addr)); 117 } 118#endif /* ANDROID_BRCM_P2P_PATCH */ 119 } 120 121 ap_sta_set_authorized(hapd, sta, 1); 122 res = hostapd_set_authorized(hapd, sta, 1); 123 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 124 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 125 } else { 126 if (ap_sta_is_authorized(sta) && (sta->flags & WLAN_STA_ASSOC)) { 127 wpa_msg(hapd->msg_ctx, MSG_INFO, 128 AP_STA_DISCONNECTED MACSTR, 129 MAC2STR(sta->addr)); 130#ifdef ANDROID_BRCM_P2P_PATCH 131 if(hapd->msg_ctx_parent) 132 wpa_msg(hapd->msg_ctx_parent, MSG_INFO, 133 AP_STA_DISCONNECTED MACSTR, 134 MAC2STR(sta->addr)); 135#endif /* ANDROID_BRCM_P2P_PATCH */ 136 } 137 ap_sta_set_authorized(hapd, sta, 0); 138 res = hostapd_set_authorized(hapd, sta, 0); 139 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 140 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 141 } 142 143 if (res && errno != ENOENT) { 144 printf("Could not set station " MACSTR " flags for kernel " 145 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 146 } 147 148 if (authorized) 149 accounting_sta_start(hapd, sta); 150} 151 152 153static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 154 struct sta_info *sta, 155 int idx, int broadcast, 156 u8 *key_data, size_t key_len) 157{ 158 u8 *buf, *ekey; 159 struct ieee802_1x_hdr *hdr; 160 struct ieee802_1x_eapol_key *key; 161 size_t len, ekey_len; 162 struct eapol_state_machine *sm = sta->eapol_sm; 163 164 if (sm == NULL) 165 return; 166 167 len = sizeof(*key) + key_len; 168 buf = os_zalloc(sizeof(*hdr) + len); 169 if (buf == NULL) 170 return; 171 172 hdr = (struct ieee802_1x_hdr *) buf; 173 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 174 key->type = EAPOL_KEY_TYPE_RC4; 175 key->key_length = htons(key_len); 176 wpa_get_ntp_timestamp(key->replay_counter); 177 178 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 179 wpa_printf(MSG_ERROR, "Could not get random numbers"); 180 os_free(buf); 181 return; 182 } 183 184 key->key_index = idx | (broadcast ? 0 : BIT(7)); 185 if (hapd->conf->eapol_key_index_workaround) { 186 /* According to some information, WinXP Supplicant seems to 187 * interpret bit7 as an indication whether the key is to be 188 * activated, so make it possible to enable workaround that 189 * sets this bit for all keys. */ 190 key->key_index |= BIT(7); 191 } 192 193 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 194 * MSK[32..63] is used to sign the message. */ 195 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 196 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 197 "and signing EAPOL-Key"); 198 os_free(buf); 199 return; 200 } 201 os_memcpy((u8 *) (key + 1), key_data, key_len); 202 ekey_len = sizeof(key->key_iv) + 32; 203 ekey = os_malloc(ekey_len); 204 if (ekey == NULL) { 205 wpa_printf(MSG_ERROR, "Could not encrypt key"); 206 os_free(buf); 207 return; 208 } 209 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 210 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 211 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 212 os_free(ekey); 213 214 /* This header is needed here for HMAC-MD5, but it will be regenerated 215 * in ieee802_1x_send() */ 216 hdr->version = hapd->conf->eapol_version; 217 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 218 hdr->length = host_to_be16(len); 219 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 220 key->key_signature); 221 222 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 223 " (%s index=%d)", MAC2STR(sm->addr), 224 broadcast ? "broadcast" : "unicast", idx); 225 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 226 if (sta->eapol_sm) 227 sta->eapol_sm->dot1xAuthEapolFramesTx++; 228 os_free(buf); 229} 230 231 232#ifndef CONFIG_NO_VLAN 233static struct hostapd_wep_keys * 234ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 235{ 236 struct hostapd_wep_keys *key; 237 238 key = os_zalloc(sizeof(*key)); 239 if (key == NULL) 240 return NULL; 241 242 key->default_len = hapd->conf->default_wep_key_len; 243 244 if (key->idx >= hapd->conf->broadcast_key_idx_max || 245 key->idx < hapd->conf->broadcast_key_idx_min) 246 key->idx = hapd->conf->broadcast_key_idx_min; 247 else 248 key->idx++; 249 250 if (!key->key[key->idx]) 251 key->key[key->idx] = os_malloc(key->default_len); 252 if (key->key[key->idx] == NULL || 253 random_get_bytes(key->key[key->idx], key->default_len)) { 254 printf("Could not generate random WEP key (dynamic VLAN).\n"); 255 os_free(key->key[key->idx]); 256 key->key[key->idx] = NULL; 257 os_free(key); 258 return NULL; 259 } 260 key->len[key->idx] = key->default_len; 261 262 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 263 ifname, key->idx); 264 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 265 key->key[key->idx], key->len[key->idx]); 266 267 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 268 broadcast_ether_addr, key->idx, 1, 269 NULL, 0, key->key[key->idx], 270 key->len[key->idx])) 271 printf("Could not set dynamic VLAN WEP encryption key.\n"); 272 273 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 274 275 return key; 276} 277 278 279static struct hostapd_wep_keys * 280ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 281 size_t vlan_id) 282{ 283 const char *ifname; 284 285 if (vlan_id == 0) 286 return &ssid->wep; 287 288 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 289 ssid->dyn_vlan_keys[vlan_id]) 290 return ssid->dyn_vlan_keys[vlan_id]; 291 292 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 293 "state machine for VLAN ID %lu", 294 (unsigned long) vlan_id); 295 296 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 297 if (ifname == NULL) { 298 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 299 "cannot create group key state machine", 300 (unsigned long) vlan_id); 301 return NULL; 302 } 303 304 if (ssid->dyn_vlan_keys == NULL) { 305 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 306 ssid->dyn_vlan_keys = os_zalloc(size); 307 if (ssid->dyn_vlan_keys == NULL) 308 return NULL; 309 ssid->max_dyn_vlan_keys = vlan_id; 310 } 311 312 if (ssid->max_dyn_vlan_keys < vlan_id) { 313 struct hostapd_wep_keys **na; 314 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 315 na = os_realloc(ssid->dyn_vlan_keys, size); 316 if (na == NULL) 317 return NULL; 318 ssid->dyn_vlan_keys = na; 319 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 320 (vlan_id - ssid->max_dyn_vlan_keys) * 321 sizeof(ssid->dyn_vlan_keys[0])); 322 ssid->max_dyn_vlan_keys = vlan_id; 323 } 324 325 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 326 327 return ssid->dyn_vlan_keys[vlan_id]; 328} 329#endif /* CONFIG_NO_VLAN */ 330 331 332void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 333{ 334 struct eapol_authenticator *eapol = hapd->eapol_auth; 335 struct eapol_state_machine *sm = sta->eapol_sm; 336#ifndef CONFIG_NO_VLAN 337 struct hostapd_wep_keys *key = NULL; 338 int vlan_id; 339#endif /* CONFIG_NO_VLAN */ 340 341 if (sm == NULL || !sm->eap_if->eapKeyData) 342 return; 343 344 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 345 MAC2STR(sta->addr)); 346 347#ifndef CONFIG_NO_VLAN 348 vlan_id = sta->vlan_id; 349 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 350 vlan_id = 0; 351 352 if (vlan_id) { 353 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 354 if (key && key->key[key->idx]) 355 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 356 key->key[key->idx], 357 key->len[key->idx]); 358 } else 359#endif /* CONFIG_NO_VLAN */ 360 if (eapol->default_wep_key) { 361 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 362 eapol->default_wep_key, 363 hapd->conf->default_wep_key_len); 364 } 365 366 if (hapd->conf->individual_wep_key_len > 0) { 367 u8 *ikey; 368 ikey = os_malloc(hapd->conf->individual_wep_key_len); 369 if (ikey == NULL || 370 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 371 { 372 wpa_printf(MSG_ERROR, "Could not generate random " 373 "individual WEP key."); 374 os_free(ikey); 375 return; 376 } 377 378 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 379 ikey, hapd->conf->individual_wep_key_len); 380 381 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 382 hapd->conf->individual_wep_key_len); 383 384 /* TODO: set encryption in TX callback, i.e., only after STA 385 * has ACKed EAPOL-Key frame */ 386 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 387 sta->addr, 0, 1, NULL, 0, ikey, 388 hapd->conf->individual_wep_key_len)) { 389 wpa_printf(MSG_ERROR, "Could not set individual WEP " 390 "encryption."); 391 } 392 393 os_free(ikey); 394 } 395} 396 397 398const char *radius_mode_txt(struct hostapd_data *hapd) 399{ 400 switch (hapd->iface->conf->hw_mode) { 401 case HOSTAPD_MODE_IEEE80211A: 402 return "802.11a"; 403 case HOSTAPD_MODE_IEEE80211G: 404 return "802.11g"; 405 case HOSTAPD_MODE_IEEE80211B: 406 default: 407 return "802.11b"; 408 } 409} 410 411 412int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 413{ 414 int i; 415 u8 rate = 0; 416 417 for (i = 0; i < sta->supported_rates_len; i++) 418 if ((sta->supported_rates[i] & 0x7f) > rate) 419 rate = sta->supported_rates[i] & 0x7f; 420 421 return rate; 422} 423 424 425#ifndef CONFIG_NO_RADIUS 426static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 427 struct eapol_state_machine *sm, 428 const u8 *eap, size_t len) 429{ 430 const u8 *identity; 431 size_t identity_len; 432 433 if (len <= sizeof(struct eap_hdr) || 434 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 435 return; 436 437 identity = eap_get_identity(sm->eap, &identity_len); 438 if (identity == NULL) 439 return; 440 441 /* Save station identity for future RADIUS packets */ 442 os_free(sm->identity); 443 sm->identity = os_malloc(identity_len + 1); 444 if (sm->identity == NULL) { 445 sm->identity_len = 0; 446 return; 447 } 448 449 os_memcpy(sm->identity, identity, identity_len); 450 sm->identity_len = identity_len; 451 sm->identity[identity_len] = '\0'; 452 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 453 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 454 sm->dot1xAuthEapolRespIdFramesRx++; 455} 456 457 458static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 459 struct sta_info *sta, 460 const u8 *eap, size_t len) 461{ 462 struct radius_msg *msg; 463 char buf[128]; 464 struct eapol_state_machine *sm = sta->eapol_sm; 465 466 if (sm == NULL) 467 return; 468 469 ieee802_1x_learn_identity(hapd, sm, eap, len); 470 471 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 472 "packet"); 473 474 sm->radius_identifier = radius_client_get_id(hapd->radius); 475 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 476 sm->radius_identifier); 477 if (msg == NULL) { 478 printf("Could not create net RADIUS packet\n"); 479 return; 480 } 481 482 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 483 484 if (sm->identity && 485 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 486 sm->identity, sm->identity_len)) { 487 printf("Could not add User-Name\n"); 488 goto fail; 489 } 490 491 if (hapd->conf->own_ip_addr.af == AF_INET && 492 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 493 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 494 printf("Could not add NAS-IP-Address\n"); 495 goto fail; 496 } 497 498#ifdef CONFIG_IPV6 499 if (hapd->conf->own_ip_addr.af == AF_INET6 && 500 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 501 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 502 printf("Could not add NAS-IPv6-Address\n"); 503 goto fail; 504 } 505#endif /* CONFIG_IPV6 */ 506 507 if (hapd->conf->nas_identifier && 508 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 509 (u8 *) hapd->conf->nas_identifier, 510 os_strlen(hapd->conf->nas_identifier))) { 511 printf("Could not add NAS-Identifier\n"); 512 goto fail; 513 } 514 515 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 516 printf("Could not add NAS-Port\n"); 517 goto fail; 518 } 519 520 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 521 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 522 buf[sizeof(buf) - 1] = '\0'; 523 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 524 (u8 *) buf, os_strlen(buf))) { 525 printf("Could not add Called-Station-Id\n"); 526 goto fail; 527 } 528 529 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 530 MAC2STR(sta->addr)); 531 buf[sizeof(buf) - 1] = '\0'; 532 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 533 (u8 *) buf, os_strlen(buf))) { 534 printf("Could not add Calling-Station-Id\n"); 535 goto fail; 536 } 537 538 /* TODO: should probably check MTU from driver config; 2304 is max for 539 * IEEE 802.11, but use 1400 to avoid problems with too large packets 540 */ 541 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 542 printf("Could not add Framed-MTU\n"); 543 goto fail; 544 } 545 546 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 547 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 548 printf("Could not add NAS-Port-Type\n"); 549 goto fail; 550 } 551 552 if (sta->flags & WLAN_STA_PREAUTH) { 553 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 554 sizeof(buf)); 555 } else { 556 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 557 radius_sta_rate(hapd, sta) / 2, 558 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 559 radius_mode_txt(hapd)); 560 buf[sizeof(buf) - 1] = '\0'; 561 } 562 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 563 (u8 *) buf, os_strlen(buf))) { 564 printf("Could not add Connect-Info\n"); 565 goto fail; 566 } 567 568 if (eap && !radius_msg_add_eap(msg, eap, len)) { 569 printf("Could not add EAP-Message\n"); 570 goto fail; 571 } 572 573 /* State attribute must be copied if and only if this packet is 574 * Access-Request reply to the previous Access-Challenge */ 575 if (sm->last_recv_radius && 576 radius_msg_get_hdr(sm->last_recv_radius)->code == 577 RADIUS_CODE_ACCESS_CHALLENGE) { 578 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 579 RADIUS_ATTR_STATE); 580 if (res < 0) { 581 printf("Could not copy State attribute from previous " 582 "Access-Challenge\n"); 583 goto fail; 584 } 585 if (res > 0) { 586 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 587 } 588 } 589 590 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 591 goto fail; 592 593 return; 594 595 fail: 596 radius_msg_free(msg); 597} 598#endif /* CONFIG_NO_RADIUS */ 599 600 601static void handle_eap_response(struct hostapd_data *hapd, 602 struct sta_info *sta, struct eap_hdr *eap, 603 size_t len) 604{ 605 u8 type, *data; 606 struct eapol_state_machine *sm = sta->eapol_sm; 607 if (sm == NULL) 608 return; 609 610 data = (u8 *) (eap + 1); 611 612 if (len < sizeof(*eap) + 1) { 613 printf("handle_eap_response: too short response data\n"); 614 return; 615 } 616 617 sm->eap_type_supp = type = data[0]; 618 619 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 620 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 621 "id=%d len=%d) from STA: EAP Response-%s (%d)", 622 eap->code, eap->identifier, be_to_host16(eap->length), 623 eap_server_get_name(0, type), type); 624 625 sm->dot1xAuthEapolRespFramesRx++; 626 627 wpabuf_free(sm->eap_if->eapRespData); 628 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 629 sm->eapolEap = TRUE; 630} 631 632 633/* Process incoming EAP packet from Supplicant */ 634static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 635 u8 *buf, size_t len) 636{ 637 struct eap_hdr *eap; 638 u16 eap_len; 639 640 if (len < sizeof(*eap)) { 641 printf(" too short EAP packet\n"); 642 return; 643 } 644 645 eap = (struct eap_hdr *) buf; 646 647 eap_len = be_to_host16(eap->length); 648 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 649 eap->code, eap->identifier, eap_len); 650 if (eap_len < sizeof(*eap)) { 651 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 652 return; 653 } else if (eap_len > len) { 654 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 655 "packet"); 656 return; 657 } else if (eap_len < len) { 658 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 659 "packet", (unsigned long) len - eap_len); 660 } 661 662 switch (eap->code) { 663 case EAP_CODE_REQUEST: 664 wpa_printf(MSG_DEBUG, " (request)"); 665 return; 666 case EAP_CODE_RESPONSE: 667 wpa_printf(MSG_DEBUG, " (response)"); 668 handle_eap_response(hapd, sta, eap, eap_len); 669 break; 670 case EAP_CODE_SUCCESS: 671 wpa_printf(MSG_DEBUG, " (success)"); 672 return; 673 case EAP_CODE_FAILURE: 674 wpa_printf(MSG_DEBUG, " (failure)"); 675 return; 676 default: 677 wpa_printf(MSG_DEBUG, " (unknown code)"); 678 return; 679 } 680} 681 682 683static struct eapol_state_machine * 684ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 685{ 686 int flags = 0; 687 if (sta->flags & WLAN_STA_PREAUTH) 688 flags |= EAPOL_SM_PREAUTH; 689 if (sta->wpa_sm) { 690 flags |= EAPOL_SM_USES_WPA; 691 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 692 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 693 } 694 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 695 sta->wps_ie, sta->p2p_ie, sta); 696} 697 698 699/** 700 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 701 * @hapd: hostapd BSS data 702 * @sa: Source address (sender of the EAPOL frame) 703 * @buf: EAPOL frame 704 * @len: Length of buf in octets 705 * 706 * This function is called for each incoming EAPOL frame from the interface 707 */ 708void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 709 size_t len) 710{ 711 struct sta_info *sta; 712 struct ieee802_1x_hdr *hdr; 713 struct ieee802_1x_eapol_key *key; 714 u16 datalen; 715 struct rsn_pmksa_cache_entry *pmksa; 716 int key_mgmt; 717 718 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 719 !hapd->conf->wps_state) 720 return; 721 722 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 723 (unsigned long) len, MAC2STR(sa)); 724 sta = ap_get_sta(hapd, sa); 725 if (!sta || !(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH))) { 726 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 727 "associated/Pre-authenticating STA"); 728 return; 729 } 730 731 if (len < sizeof(*hdr)) { 732 printf(" too short IEEE 802.1X packet\n"); 733 return; 734 } 735 736 hdr = (struct ieee802_1x_hdr *) buf; 737 datalen = be_to_host16(hdr->length); 738 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 739 hdr->version, hdr->type, datalen); 740 741 if (len - sizeof(*hdr) < datalen) { 742 printf(" frame too short for this IEEE 802.1X packet\n"); 743 if (sta->eapol_sm) 744 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 745 return; 746 } 747 if (len - sizeof(*hdr) > datalen) { 748 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 749 "IEEE 802.1X packet", 750 (unsigned long) len - sizeof(*hdr) - datalen); 751 } 752 753 if (sta->eapol_sm) { 754 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 755 sta->eapol_sm->dot1xAuthEapolFramesRx++; 756 } 757 758 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 759 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 760 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 761 (key->type == EAPOL_KEY_TYPE_WPA || 762 key->type == EAPOL_KEY_TYPE_RSN)) { 763 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 764 sizeof(*hdr) + datalen); 765 return; 766 } 767 768 if (!hapd->conf->ieee802_1x && 769 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 770 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 771 "802.1X not enabled and WPS not used"); 772 return; 773 } 774 775 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 776 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 777 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 778 "STA is using PSK"); 779 return; 780 } 781 782 if (!sta->eapol_sm) { 783 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 784 if (!sta->eapol_sm) 785 return; 786 787#ifdef CONFIG_WPS 788 if (!hapd->conf->ieee802_1x && 789 ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 790 WLAN_STA_MAYBE_WPS)) { 791 /* 792 * Delay EAPOL frame transmission until a possible WPS 793 * STA initiates the handshake with EAPOL-Start. 794 */ 795 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 796 } 797#endif /* CONFIG_WPS */ 798 799 sta->eapol_sm->eap_if->portEnabled = TRUE; 800 } 801 802 /* since we support version 1, we can ignore version field and proceed 803 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 804 /* TODO: actually, we are not version 1 anymore.. However, Version 2 805 * does not change frame contents, so should be ok to process frames 806 * more or less identically. Some changes might be needed for 807 * verification of fields. */ 808 809 switch (hdr->type) { 810 case IEEE802_1X_TYPE_EAP_PACKET: 811 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 812 break; 813 814 case IEEE802_1X_TYPE_EAPOL_START: 815 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 816 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 817 "from STA"); 818 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 819 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 820 if (pmksa) { 821 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 822 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 823 "available - ignore it since " 824 "STA sent EAPOL-Start"); 825 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 826 } 827 sta->eapol_sm->eapolStart = TRUE; 828 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 829 eap_server_clear_identity(sta->eapol_sm->eap); 830 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 831 break; 832 833 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 834 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 835 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 836 "from STA"); 837 sta->acct_terminate_cause = 838 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 839 accounting_sta_stop(hapd, sta); 840 sta->eapol_sm->eapolLogoff = TRUE; 841 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 842 eap_server_clear_identity(sta->eapol_sm->eap); 843 break; 844 845 case IEEE802_1X_TYPE_EAPOL_KEY: 846 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 847 if (!ap_sta_is_authorized(sta)) { 848 wpa_printf(MSG_DEBUG, " Dropped key data from " 849 "unauthorized Supplicant"); 850 break; 851 } 852 break; 853 854 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 855 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 856 /* TODO: implement support for this; show data */ 857 break; 858 859 default: 860 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 861 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 862 break; 863 } 864 865 eapol_auth_step(sta->eapol_sm); 866} 867 868 869/** 870 * ieee802_1x_new_station - Start IEEE 802.1X authentication 871 * @hapd: hostapd BSS data 872 * @sta: The station 873 * 874 * This function is called to start IEEE 802.1X authentication when a new 875 * station completes IEEE 802.11 association. 876 */ 877void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 878{ 879 struct rsn_pmksa_cache_entry *pmksa; 880 int reassoc = 1; 881 int force_1x = 0; 882 int key_mgmt; 883 884#ifdef CONFIG_WPS 885 if (hapd->conf->wps_state && hapd->conf->wpa && 886 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 887 /* 888 * Need to enable IEEE 802.1X/EAPOL state machines for possible 889 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 890 * authentication in this BSS. 891 */ 892 force_1x = 1; 893 } 894#endif /* CONFIG_WPS */ 895 896 if (!force_1x && !hapd->conf->ieee802_1x) { 897 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 898 "802.1X not enabled or forced for WPS"); 899 return; 900 } 901 902 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 903 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 904 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 905 return; 906 } 907 908 if (sta->eapol_sm == NULL) { 909 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 910 HOSTAPD_LEVEL_DEBUG, "start authentication"); 911 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 912 if (sta->eapol_sm == NULL) { 913 hostapd_logger(hapd, sta->addr, 914 HOSTAPD_MODULE_IEEE8021X, 915 HOSTAPD_LEVEL_INFO, 916 "failed to allocate state machine"); 917 return; 918 } 919 reassoc = 0; 920 } 921 922#ifdef CONFIG_WPS 923 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 924 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) { 925 /* 926 * Delay EAPOL frame transmission until a possible WPS 927 * initiates the handshake with EAPOL-Start. 928 */ 929 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 930 } 931#endif /* CONFIG_WPS */ 932 933 sta->eapol_sm->eap_if->portEnabled = TRUE; 934 935#ifdef CONFIG_IEEE80211R 936 if (sta->auth_alg == WLAN_AUTH_FT) { 937 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 938 HOSTAPD_LEVEL_DEBUG, 939 "PMK from FT - skip IEEE 802.1X/EAP"); 940 /* Setup EAPOL state machines to already authenticated state 941 * because of existing FT information from R0KH. */ 942 sta->eapol_sm->keyRun = TRUE; 943 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 944 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 945 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 946 sta->eapol_sm->authSuccess = TRUE; 947 if (sta->eapol_sm->eap) 948 eap_sm_notify_cached(sta->eapol_sm->eap); 949 /* TODO: get vlan_id from R0KH using RRB message */ 950 return; 951 } 952#endif /* CONFIG_IEEE80211R */ 953 954 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 955 if (pmksa) { 956 int old_vlanid; 957 958 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 959 HOSTAPD_LEVEL_DEBUG, 960 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 961 /* Setup EAPOL state machines to already authenticated state 962 * because of existing PMKSA information in the cache. */ 963 sta->eapol_sm->keyRun = TRUE; 964 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 965 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 966 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 967 sta->eapol_sm->authSuccess = TRUE; 968 if (sta->eapol_sm->eap) 969 eap_sm_notify_cached(sta->eapol_sm->eap); 970 old_vlanid = sta->vlan_id; 971 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 972 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 973 sta->vlan_id = 0; 974 ap_sta_bind_vlan(hapd, sta, old_vlanid); 975 } else { 976 if (reassoc) { 977 /* 978 * Force EAPOL state machines to start 979 * re-authentication without having to wait for the 980 * Supplicant to send EAPOL-Start. 981 */ 982 sta->eapol_sm->reAuthenticate = TRUE; 983 } 984 eapol_auth_step(sta->eapol_sm); 985 } 986} 987 988 989void ieee802_1x_free_station(struct sta_info *sta) 990{ 991 struct eapol_state_machine *sm = sta->eapol_sm; 992 993 if (sm == NULL) 994 return; 995 996 sta->eapol_sm = NULL; 997 998#ifndef CONFIG_NO_RADIUS 999 radius_msg_free(sm->last_recv_radius); 1000 radius_free_class(&sm->radius_class); 1001#endif /* CONFIG_NO_RADIUS */ 1002 1003 os_free(sm->identity); 1004 eapol_auth_free(sm); 1005} 1006 1007 1008#ifndef CONFIG_NO_RADIUS 1009static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1010 struct sta_info *sta) 1011{ 1012 u8 *eap; 1013 size_t len; 1014 struct eap_hdr *hdr; 1015 int eap_type = -1; 1016 char buf[64]; 1017 struct radius_msg *msg; 1018 struct eapol_state_machine *sm = sta->eapol_sm; 1019 1020 if (sm == NULL || sm->last_recv_radius == NULL) { 1021 if (sm) 1022 sm->eap_if->aaaEapNoReq = TRUE; 1023 return; 1024 } 1025 1026 msg = sm->last_recv_radius; 1027 1028 eap = radius_msg_get_eap(msg, &len); 1029 if (eap == NULL) { 1030 /* RFC 3579, Chap. 2.6.3: 1031 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1032 * attribute */ 1033 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1034 HOSTAPD_LEVEL_WARNING, "could not extract " 1035 "EAP-Message from RADIUS message"); 1036 sm->eap_if->aaaEapNoReq = TRUE; 1037 return; 1038 } 1039 1040 if (len < sizeof(*hdr)) { 1041 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1042 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1043 "received from authentication server"); 1044 os_free(eap); 1045 sm->eap_if->aaaEapNoReq = TRUE; 1046 return; 1047 } 1048 1049 if (len > sizeof(*hdr)) 1050 eap_type = eap[sizeof(*hdr)]; 1051 1052 hdr = (struct eap_hdr *) eap; 1053 switch (hdr->code) { 1054 case EAP_CODE_REQUEST: 1055 if (eap_type >= 0) 1056 sm->eap_type_authsrv = eap_type; 1057 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1058 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1059 "??", 1060 eap_type); 1061 break; 1062 case EAP_CODE_RESPONSE: 1063 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1064 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1065 "??", 1066 eap_type); 1067 break; 1068 case EAP_CODE_SUCCESS: 1069 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1070 break; 1071 case EAP_CODE_FAILURE: 1072 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1073 break; 1074 default: 1075 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1076 break; 1077 } 1078 buf[sizeof(buf) - 1] = '\0'; 1079 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1080 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1081 "id=%d len=%d) from RADIUS server: %s", 1082 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1083 buf); 1084 sm->eap_if->aaaEapReq = TRUE; 1085 1086 wpabuf_free(sm->eap_if->aaaEapReqData); 1087 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1088} 1089 1090 1091static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1092 struct sta_info *sta, struct radius_msg *msg, 1093 struct radius_msg *req, 1094 const u8 *shared_secret, 1095 size_t shared_secret_len) 1096{ 1097 struct radius_ms_mppe_keys *keys; 1098 struct eapol_state_machine *sm = sta->eapol_sm; 1099 if (sm == NULL) 1100 return; 1101 1102 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1103 shared_secret_len); 1104 1105 if (keys && keys->send && keys->recv) { 1106 size_t len = keys->send_len + keys->recv_len; 1107 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1108 keys->send, keys->send_len); 1109 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1110 keys->recv, keys->recv_len); 1111 1112 os_free(sm->eap_if->aaaEapKeyData); 1113 sm->eap_if->aaaEapKeyData = os_malloc(len); 1114 if (sm->eap_if->aaaEapKeyData) { 1115 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1116 keys->recv_len); 1117 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1118 keys->send, keys->send_len); 1119 sm->eap_if->aaaEapKeyDataLen = len; 1120 sm->eap_if->aaaEapKeyAvailable = TRUE; 1121 } 1122 } 1123 1124 if (keys) { 1125 os_free(keys->send); 1126 os_free(keys->recv); 1127 os_free(keys); 1128 } 1129} 1130 1131 1132static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1133 struct sta_info *sta, 1134 struct radius_msg *msg) 1135{ 1136 u8 *class; 1137 size_t class_len; 1138 struct eapol_state_machine *sm = sta->eapol_sm; 1139 int count, i; 1140 struct radius_attr_data *nclass; 1141 size_t nclass_count; 1142 1143 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1144 sm == NULL) 1145 return; 1146 1147 radius_free_class(&sm->radius_class); 1148 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1149 if (count <= 0) 1150 return; 1151 1152 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1153 if (nclass == NULL) 1154 return; 1155 1156 nclass_count = 0; 1157 1158 class = NULL; 1159 for (i = 0; i < count; i++) { 1160 do { 1161 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1162 &class, &class_len, 1163 class) < 0) { 1164 i = count; 1165 break; 1166 } 1167 } while (class_len < 1); 1168 1169 nclass[nclass_count].data = os_malloc(class_len); 1170 if (nclass[nclass_count].data == NULL) 1171 break; 1172 1173 os_memcpy(nclass[nclass_count].data, class, class_len); 1174 nclass[nclass_count].len = class_len; 1175 nclass_count++; 1176 } 1177 1178 sm->radius_class.attr = nclass; 1179 sm->radius_class.count = nclass_count; 1180 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1181 "attributes for " MACSTR, 1182 (unsigned long) sm->radius_class.count, 1183 MAC2STR(sta->addr)); 1184} 1185 1186 1187/* Update sta->identity based on User-Name attribute in Access-Accept */ 1188static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1189 struct sta_info *sta, 1190 struct radius_msg *msg) 1191{ 1192 u8 *buf, *identity; 1193 size_t len; 1194 struct eapol_state_machine *sm = sta->eapol_sm; 1195 1196 if (sm == NULL) 1197 return; 1198 1199 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1200 NULL) < 0) 1201 return; 1202 1203 identity = os_malloc(len + 1); 1204 if (identity == NULL) 1205 return; 1206 1207 os_memcpy(identity, buf, len); 1208 identity[len] = '\0'; 1209 1210 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1211 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1212 "User-Name from Access-Accept '%s'", 1213 sm->identity ? (char *) sm->identity : "N/A", 1214 (char *) identity); 1215 1216 os_free(sm->identity); 1217 sm->identity = identity; 1218 sm->identity_len = len; 1219} 1220 1221 1222struct sta_id_search { 1223 u8 identifier; 1224 struct eapol_state_machine *sm; 1225}; 1226 1227 1228static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1229 struct sta_info *sta, 1230 void *ctx) 1231{ 1232 struct sta_id_search *id_search = ctx; 1233 struct eapol_state_machine *sm = sta->eapol_sm; 1234 1235 if (sm && sm->radius_identifier >= 0 && 1236 sm->radius_identifier == id_search->identifier) { 1237 id_search->sm = sm; 1238 return 1; 1239 } 1240 return 0; 1241} 1242 1243 1244static struct eapol_state_machine * 1245ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1246{ 1247 struct sta_id_search id_search; 1248 id_search.identifier = identifier; 1249 id_search.sm = NULL; 1250 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1251 return id_search.sm; 1252} 1253 1254 1255/** 1256 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1257 * @msg: RADIUS response message 1258 * @req: RADIUS request message 1259 * @shared_secret: RADIUS shared secret 1260 * @shared_secret_len: Length of shared_secret in octets 1261 * @data: Context data (struct hostapd_data *) 1262 * Returns: Processing status 1263 */ 1264static RadiusRxResult 1265ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1266 const u8 *shared_secret, size_t shared_secret_len, 1267 void *data) 1268{ 1269 struct hostapd_data *hapd = data; 1270 struct sta_info *sta; 1271 u32 session_timeout = 0, termination_action, acct_interim_interval; 1272 int session_timeout_set, old_vlanid = 0; 1273 struct eapol_state_machine *sm; 1274 int override_eapReq = 0; 1275 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1276 1277 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1278 if (sm == NULL) { 1279 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1280 "station for this RADIUS message"); 1281 return RADIUS_RX_UNKNOWN; 1282 } 1283 sta = sm->sta; 1284 1285 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1286 * present when packet contains an EAP-Message attribute */ 1287 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1288 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1289 0) < 0 && 1290 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1291 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1292 "Message-Authenticator since it does not include " 1293 "EAP-Message"); 1294 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1295 req, 1)) { 1296 printf("Incoming RADIUS packet did not have correct " 1297 "Message-Authenticator - dropped\n"); 1298 return RADIUS_RX_INVALID_AUTHENTICATOR; 1299 } 1300 1301 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1302 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1303 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1304 printf("Unknown RADIUS message code\n"); 1305 return RADIUS_RX_UNKNOWN; 1306 } 1307 1308 sm->radius_identifier = -1; 1309 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1310 MAC2STR(sta->addr)); 1311 1312 radius_msg_free(sm->last_recv_radius); 1313 sm->last_recv_radius = msg; 1314 1315 session_timeout_set = 1316 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1317 &session_timeout); 1318 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1319 &termination_action)) 1320 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1321 1322 if (hapd->conf->acct_interim_interval == 0 && 1323 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1324 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1325 &acct_interim_interval) == 0) { 1326 if (acct_interim_interval < 60) { 1327 hostapd_logger(hapd, sta->addr, 1328 HOSTAPD_MODULE_IEEE8021X, 1329 HOSTAPD_LEVEL_INFO, 1330 "ignored too small " 1331 "Acct-Interim-Interval %d", 1332 acct_interim_interval); 1333 } else 1334 sta->acct_interim_interval = acct_interim_interval; 1335 } 1336 1337 1338 switch (hdr->code) { 1339 case RADIUS_CODE_ACCESS_ACCEPT: 1340 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1341 sta->vlan_id = 0; 1342#ifndef CONFIG_NO_VLAN 1343 else { 1344 old_vlanid = sta->vlan_id; 1345 sta->vlan_id = radius_msg_get_vlanid(msg); 1346 } 1347 if (sta->vlan_id > 0 && 1348 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1349 sta->vlan_id)) { 1350 hostapd_logger(hapd, sta->addr, 1351 HOSTAPD_MODULE_RADIUS, 1352 HOSTAPD_LEVEL_INFO, 1353 "VLAN ID %d", sta->vlan_id); 1354 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1355 sta->eapol_sm->authFail = TRUE; 1356 hostapd_logger(hapd, sta->addr, 1357 HOSTAPD_MODULE_IEEE8021X, 1358 HOSTAPD_LEVEL_INFO, "authentication " 1359 "server did not include required VLAN " 1360 "ID in Access-Accept"); 1361 break; 1362 } 1363#endif /* CONFIG_NO_VLAN */ 1364 1365 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1366 break; 1367 1368 /* RFC 3580, Ch. 3.17 */ 1369 if (session_timeout_set && termination_action == 1370 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1371 sm->reAuthPeriod = session_timeout; 1372 } else if (session_timeout_set) 1373 ap_sta_session_timeout(hapd, sta, session_timeout); 1374 1375 sm->eap_if->aaaSuccess = TRUE; 1376 override_eapReq = 1; 1377 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1378 shared_secret_len); 1379 ieee802_1x_store_radius_class(hapd, sta, msg); 1380 ieee802_1x_update_sta_identity(hapd, sta, msg); 1381 if (sm->eap_if->eapKeyAvailable && 1382 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1383 session_timeout_set ? 1384 (int) session_timeout : -1, sm) == 0) { 1385 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1386 HOSTAPD_LEVEL_DEBUG, 1387 "Added PMKSA cache entry"); 1388 } 1389 break; 1390 case RADIUS_CODE_ACCESS_REJECT: 1391 sm->eap_if->aaaFail = TRUE; 1392 override_eapReq = 1; 1393 break; 1394 case RADIUS_CODE_ACCESS_CHALLENGE: 1395 sm->eap_if->aaaEapReq = TRUE; 1396 if (session_timeout_set) { 1397 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1398 sm->eap_if->aaaMethodTimeout = session_timeout; 1399 hostapd_logger(hapd, sm->addr, 1400 HOSTAPD_MODULE_IEEE8021X, 1401 HOSTAPD_LEVEL_DEBUG, 1402 "using EAP timeout of %d seconds (from " 1403 "RADIUS)", 1404 sm->eap_if->aaaMethodTimeout); 1405 } else { 1406 /* 1407 * Use dynamic retransmission behavior per EAP 1408 * specification. 1409 */ 1410 sm->eap_if->aaaMethodTimeout = 0; 1411 } 1412 break; 1413 } 1414 1415 ieee802_1x_decapsulate_radius(hapd, sta); 1416 if (override_eapReq) 1417 sm->eap_if->aaaEapReq = FALSE; 1418 1419 eapol_auth_step(sm); 1420 1421 return RADIUS_RX_QUEUED; 1422} 1423#endif /* CONFIG_NO_RADIUS */ 1424 1425 1426void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1427{ 1428 struct eapol_state_machine *sm = sta->eapol_sm; 1429 if (sm == NULL) 1430 return; 1431 1432 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1433 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1434 1435#ifndef CONFIG_NO_RADIUS 1436 radius_msg_free(sm->last_recv_radius); 1437 sm->last_recv_radius = NULL; 1438#endif /* CONFIG_NO_RADIUS */ 1439 1440 if (sm->eap_if->eapTimeout) { 1441 /* 1442 * Disconnect the STA since it did not reply to the last EAP 1443 * request and we cannot continue EAP processing (EAP-Failure 1444 * could only be sent if the EAP peer actually replied). 1445 */ 1446 sm->eap_if->portEnabled = FALSE; 1447 ap_sta_disconnect(hapd, sta, sta->addr, 1448 WLAN_REASON_PREV_AUTH_NOT_VALID); 1449 } 1450} 1451 1452 1453static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1454{ 1455 struct eapol_authenticator *eapol = hapd->eapol_auth; 1456 1457 if (hapd->conf->default_wep_key_len < 1) 1458 return 0; 1459 1460 os_free(eapol->default_wep_key); 1461 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1462 if (eapol->default_wep_key == NULL || 1463 random_get_bytes(eapol->default_wep_key, 1464 hapd->conf->default_wep_key_len)) { 1465 printf("Could not generate random WEP key.\n"); 1466 os_free(eapol->default_wep_key); 1467 eapol->default_wep_key = NULL; 1468 return -1; 1469 } 1470 1471 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1472 eapol->default_wep_key, 1473 hapd->conf->default_wep_key_len); 1474 1475 return 0; 1476} 1477 1478 1479static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1480 struct sta_info *sta, void *ctx) 1481{ 1482 if (sta->eapol_sm) { 1483 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1484 eapol_auth_step(sta->eapol_sm); 1485 } 1486 return 0; 1487} 1488 1489 1490static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1491{ 1492 struct hostapd_data *hapd = eloop_ctx; 1493 struct eapol_authenticator *eapol = hapd->eapol_auth; 1494 1495 if (eapol->default_wep_key_idx >= 3) 1496 eapol->default_wep_key_idx = 1497 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1498 else 1499 eapol->default_wep_key_idx++; 1500 1501 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1502 eapol->default_wep_key_idx); 1503 1504 if (ieee802_1x_rekey_broadcast(hapd)) { 1505 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1506 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1507 "new broadcast key"); 1508 os_free(eapol->default_wep_key); 1509 eapol->default_wep_key = NULL; 1510 return; 1511 } 1512 1513 /* TODO: Could setup key for RX here, but change default TX keyid only 1514 * after new broadcast key has been sent to all stations. */ 1515 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1516 broadcast_ether_addr, 1517 eapol->default_wep_key_idx, 1, NULL, 0, 1518 eapol->default_wep_key, 1519 hapd->conf->default_wep_key_len)) { 1520 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1521 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1522 "new broadcast key"); 1523 os_free(eapol->default_wep_key); 1524 eapol->default_wep_key = NULL; 1525 return; 1526 } 1527 1528 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1529 1530 if (hapd->conf->wep_rekeying_period > 0) { 1531 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1532 ieee802_1x_rekey, hapd, NULL); 1533 } 1534} 1535 1536 1537static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1538 const u8 *data, size_t datalen) 1539{ 1540#ifdef CONFIG_WPS 1541 struct sta_info *sta = sta_ctx; 1542 1543 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1544 WLAN_STA_MAYBE_WPS) { 1545 const u8 *identity; 1546 size_t identity_len; 1547 struct eapol_state_machine *sm = sta->eapol_sm; 1548 1549 identity = eap_get_identity(sm->eap, &identity_len); 1550 if (identity && 1551 ((identity_len == WSC_ID_ENROLLEE_LEN && 1552 os_memcmp(identity, WSC_ID_ENROLLEE, 1553 WSC_ID_ENROLLEE_LEN) == 0) || 1554 (identity_len == WSC_ID_REGISTRAR_LEN && 1555 os_memcmp(identity, WSC_ID_REGISTRAR, 1556 WSC_ID_REGISTRAR_LEN) == 0))) { 1557 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1558 "WLAN_STA_WPS"); 1559 sta->flags |= WLAN_STA_WPS; 1560 } 1561 } 1562#endif /* CONFIG_WPS */ 1563 1564 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1565} 1566 1567 1568static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1569 const u8 *data, size_t datalen) 1570{ 1571#ifndef CONFIG_NO_RADIUS 1572 struct hostapd_data *hapd = ctx; 1573 struct sta_info *sta = sta_ctx; 1574 1575 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1576#endif /* CONFIG_NO_RADIUS */ 1577} 1578 1579 1580static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1581 int preauth) 1582{ 1583 struct hostapd_data *hapd = ctx; 1584 struct sta_info *sta = sta_ctx; 1585 if (preauth) 1586 rsn_preauth_finished(hapd, sta, success); 1587 else 1588 ieee802_1x_finished(hapd, sta, success); 1589} 1590 1591 1592static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1593 size_t identity_len, int phase2, 1594 struct eap_user *user) 1595{ 1596 struct hostapd_data *hapd = ctx; 1597 const struct hostapd_eap_user *eap_user; 1598 int i, count; 1599 1600 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1601 identity_len, phase2); 1602 if (eap_user == NULL) 1603 return -1; 1604 1605 os_memset(user, 0, sizeof(*user)); 1606 user->phase2 = phase2; 1607 count = EAP_USER_MAX_METHODS; 1608 if (count > EAP_MAX_METHODS) 1609 count = EAP_MAX_METHODS; 1610 for (i = 0; i < count; i++) { 1611 user->methods[i].vendor = eap_user->methods[i].vendor; 1612 user->methods[i].method = eap_user->methods[i].method; 1613 } 1614 1615 if (eap_user->password) { 1616 user->password = os_malloc(eap_user->password_len); 1617 if (user->password == NULL) 1618 return -1; 1619 os_memcpy(user->password, eap_user->password, 1620 eap_user->password_len); 1621 user->password_len = eap_user->password_len; 1622 } 1623 user->force_version = eap_user->force_version; 1624 user->ttls_auth = eap_user->ttls_auth; 1625 1626 return 0; 1627} 1628 1629 1630static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1631{ 1632 struct hostapd_data *hapd = ctx; 1633 struct sta_info *sta; 1634 sta = ap_get_sta(hapd, addr); 1635 if (sta == NULL || sta->eapol_sm == NULL) 1636 return 0; 1637 return 1; 1638} 1639 1640 1641static void ieee802_1x_logger(void *ctx, const u8 *addr, 1642 eapol_logger_level level, const char *txt) 1643{ 1644#ifndef CONFIG_NO_HOSTAPD_LOGGER 1645 struct hostapd_data *hapd = ctx; 1646 int hlevel; 1647 1648 switch (level) { 1649 case EAPOL_LOGGER_WARNING: 1650 hlevel = HOSTAPD_LEVEL_WARNING; 1651 break; 1652 case EAPOL_LOGGER_INFO: 1653 hlevel = HOSTAPD_LEVEL_INFO; 1654 break; 1655 case EAPOL_LOGGER_DEBUG: 1656 default: 1657 hlevel = HOSTAPD_LEVEL_DEBUG; 1658 break; 1659 } 1660 1661 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1662 txt); 1663#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1664} 1665 1666 1667static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1668 int authorized) 1669{ 1670 struct hostapd_data *hapd = ctx; 1671 struct sta_info *sta = sta_ctx; 1672 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1673} 1674 1675 1676static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1677{ 1678 struct hostapd_data *hapd = ctx; 1679 struct sta_info *sta = sta_ctx; 1680 ieee802_1x_abort_auth(hapd, sta); 1681} 1682 1683 1684static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1685{ 1686 struct hostapd_data *hapd = ctx; 1687 struct sta_info *sta = sta_ctx; 1688 ieee802_1x_tx_key(hapd, sta); 1689} 1690 1691 1692static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1693 enum eapol_event type) 1694{ 1695 /* struct hostapd_data *hapd = ctx; */ 1696 struct sta_info *sta = sta_ctx; 1697 switch (type) { 1698 case EAPOL_AUTH_SM_CHANGE: 1699 wpa_auth_sm_notify(sta->wpa_sm); 1700 break; 1701 case EAPOL_AUTH_REAUTHENTICATE: 1702 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1703 break; 1704 } 1705} 1706 1707 1708int ieee802_1x_init(struct hostapd_data *hapd) 1709{ 1710 int i; 1711 struct eapol_auth_config conf; 1712 struct eapol_auth_cb cb; 1713 1714 os_memset(&conf, 0, sizeof(conf)); 1715 conf.ctx = hapd; 1716 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1717 conf.wpa = hapd->conf->wpa; 1718 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1719 conf.eap_server = hapd->conf->eap_server; 1720 conf.ssl_ctx = hapd->ssl_ctx; 1721 conf.msg_ctx = hapd->msg_ctx; 1722 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1723 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1724 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1725 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1726 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1727 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1728 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1729 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1730 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1731 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1732 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1733 conf.tnc = hapd->conf->tnc; 1734 conf.wps = hapd->wps; 1735 conf.fragment_size = hapd->conf->fragment_size; 1736 conf.pwd_group = hapd->conf->pwd_group; 1737 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1738 1739 os_memset(&cb, 0, sizeof(cb)); 1740 cb.eapol_send = ieee802_1x_eapol_send; 1741 cb.aaa_send = ieee802_1x_aaa_send; 1742 cb.finished = _ieee802_1x_finished; 1743 cb.get_eap_user = ieee802_1x_get_eap_user; 1744 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1745 cb.logger = ieee802_1x_logger; 1746 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1747 cb.abort_auth = _ieee802_1x_abort_auth; 1748 cb.tx_key = _ieee802_1x_tx_key; 1749 cb.eapol_event = ieee802_1x_eapol_event; 1750 1751 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1752 if (hapd->eapol_auth == NULL) 1753 return -1; 1754 1755 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1756 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1757 return -1; 1758 1759#ifndef CONFIG_NO_RADIUS 1760 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1761 ieee802_1x_receive_auth, hapd)) 1762 return -1; 1763#endif /* CONFIG_NO_RADIUS */ 1764 1765 if (hapd->conf->default_wep_key_len) { 1766 for (i = 0; i < 4; i++) 1767 hostapd_drv_set_key(hapd->conf->iface, hapd, 1768 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1769 NULL, 0); 1770 1771 ieee802_1x_rekey(hapd, NULL); 1772 1773 if (hapd->eapol_auth->default_wep_key == NULL) 1774 return -1; 1775 } 1776 1777 return 0; 1778} 1779 1780 1781void ieee802_1x_deinit(struct hostapd_data *hapd) 1782{ 1783 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1784 1785 if (hapd->driver != NULL && 1786 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1787 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1788 1789 eapol_auth_deinit(hapd->eapol_auth); 1790 hapd->eapol_auth = NULL; 1791} 1792 1793 1794int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1795 const u8 *buf, size_t len, int ack) 1796{ 1797 struct ieee80211_hdr *hdr; 1798 struct ieee802_1x_hdr *xhdr; 1799 struct ieee802_1x_eapol_key *key; 1800 u8 *pos; 1801 const unsigned char rfc1042_hdr[ETH_ALEN] = 1802 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1803 1804 if (sta == NULL) 1805 return -1; 1806 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr)) 1807 return 0; 1808 1809 hdr = (struct ieee80211_hdr *) buf; 1810 pos = (u8 *) (hdr + 1); 1811 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1812 return 0; 1813 pos += sizeof(rfc1042_hdr); 1814 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1815 return 0; 1816 pos += 2; 1817 1818 xhdr = (struct ieee802_1x_hdr *) pos; 1819 pos += sizeof(*xhdr); 1820 1821 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1822 "type=%d length=%d - ack=%d", 1823 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1824 be_to_host16(xhdr->length), ack); 1825 1826 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1827 pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1828 const struct wpa_eapol_key *wpa; 1829 wpa = (const struct wpa_eapol_key *) pos; 1830 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1831 wpa->type == EAPOL_KEY_TYPE_WPA) 1832 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1833 sta->wpa_sm, ack); 1834 } 1835 1836 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1837 * or Authenticator state machines, but EAPOL-Key packets are not 1838 * retransmitted in case of failure. Try to re-sent failed EAPOL-Key 1839 * packets couple of times because otherwise STA keys become 1840 * unsynchronized with AP. */ 1841 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack && 1842 pos + sizeof(*key) <= buf + len) { 1843 key = (struct ieee802_1x_eapol_key *) pos; 1844 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1845 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1846 "frame (%scast index=%d)", 1847 key->key_index & BIT(7) ? "uni" : "broad", 1848 key->key_index & ~BIT(7)); 1849 /* TODO: re-send EAPOL-Key couple of times (with short delay 1850 * between them?). If all attempt fail, report error and 1851 * deauthenticate STA so that it will get new keys when 1852 * authenticating again (e.g., after returning in range). 1853 * Separate limit/transmit state needed both for unicast and 1854 * broadcast keys(?) */ 1855 } 1856 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1857 * to here and change the key only if the EAPOL-Key packet was Acked. 1858 */ 1859 1860 return 1; 1861} 1862 1863 1864u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1865{ 1866 if (sm == NULL || sm->identity == NULL) 1867 return NULL; 1868 1869 *len = sm->identity_len; 1870 return sm->identity; 1871} 1872 1873 1874u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1875 int idx) 1876{ 1877 if (sm == NULL || sm->radius_class.attr == NULL || 1878 idx >= (int) sm->radius_class.count) 1879 return NULL; 1880 1881 *len = sm->radius_class.attr[idx].len; 1882 return sm->radius_class.attr[idx].data; 1883} 1884 1885 1886const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1887{ 1888 *len = 0; 1889 if (sm == NULL) 1890 return NULL; 1891 1892 *len = sm->eap_if->eapKeyDataLen; 1893 return sm->eap_if->eapKeyData; 1894} 1895 1896 1897void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1898 int enabled) 1899{ 1900 if (sm == NULL) 1901 return; 1902 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1903 eapol_auth_step(sm); 1904} 1905 1906 1907void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1908 int valid) 1909{ 1910 if (sm == NULL) 1911 return; 1912 sm->portValid = valid ? TRUE : FALSE; 1913 eapol_auth_step(sm); 1914} 1915 1916 1917void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1918{ 1919 if (sm == NULL) 1920 return; 1921 if (pre_auth) 1922 sm->flags |= EAPOL_SM_PREAUTH; 1923 else 1924 sm->flags &= ~EAPOL_SM_PREAUTH; 1925} 1926 1927 1928static const char * bool_txt(Boolean bool) 1929{ 1930 return bool ? "TRUE" : "FALSE"; 1931} 1932 1933 1934int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1935{ 1936 /* TODO */ 1937 return 0; 1938} 1939 1940 1941int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1942 char *buf, size_t buflen) 1943{ 1944 int len = 0, ret; 1945 struct eapol_state_machine *sm = sta->eapol_sm; 1946 1947 if (sm == NULL) 1948 return 0; 1949 1950 ret = os_snprintf(buf + len, buflen - len, 1951 "dot1xPaePortNumber=%d\n" 1952 "dot1xPaePortProtocolVersion=%d\n" 1953 "dot1xPaePortCapabilities=1\n" 1954 "dot1xPaePortInitialize=%d\n" 1955 "dot1xPaePortReauthenticate=FALSE\n", 1956 sta->aid, 1957 EAPOL_VERSION, 1958 sm->initialize); 1959 if (ret < 0 || (size_t) ret >= buflen - len) 1960 return len; 1961 len += ret; 1962 1963 /* dot1xAuthConfigTable */ 1964 ret = os_snprintf(buf + len, buflen - len, 1965 "dot1xAuthPaeState=%d\n" 1966 "dot1xAuthBackendAuthState=%d\n" 1967 "dot1xAuthAdminControlledDirections=%d\n" 1968 "dot1xAuthOperControlledDirections=%d\n" 1969 "dot1xAuthAuthControlledPortStatus=%d\n" 1970 "dot1xAuthAuthControlledPortControl=%d\n" 1971 "dot1xAuthQuietPeriod=%u\n" 1972 "dot1xAuthServerTimeout=%u\n" 1973 "dot1xAuthReAuthPeriod=%u\n" 1974 "dot1xAuthReAuthEnabled=%s\n" 1975 "dot1xAuthKeyTxEnabled=%s\n", 1976 sm->auth_pae_state + 1, 1977 sm->be_auth_state + 1, 1978 sm->adminControlledDirections, 1979 sm->operControlledDirections, 1980 sm->authPortStatus, 1981 sm->portControl, 1982 sm->quietPeriod, 1983 sm->serverTimeout, 1984 sm->reAuthPeriod, 1985 bool_txt(sm->reAuthEnabled), 1986 bool_txt(sm->keyTxEnabled)); 1987 if (ret < 0 || (size_t) ret >= buflen - len) 1988 return len; 1989 len += ret; 1990 1991 /* dot1xAuthStatsTable */ 1992 ret = os_snprintf(buf + len, buflen - len, 1993 "dot1xAuthEapolFramesRx=%u\n" 1994 "dot1xAuthEapolFramesTx=%u\n" 1995 "dot1xAuthEapolStartFramesRx=%u\n" 1996 "dot1xAuthEapolLogoffFramesRx=%u\n" 1997 "dot1xAuthEapolRespIdFramesRx=%u\n" 1998 "dot1xAuthEapolRespFramesRx=%u\n" 1999 "dot1xAuthEapolReqIdFramesTx=%u\n" 2000 "dot1xAuthEapolReqFramesTx=%u\n" 2001 "dot1xAuthInvalidEapolFramesRx=%u\n" 2002 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2003 "dot1xAuthLastEapolFrameVersion=%u\n" 2004 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2005 sm->dot1xAuthEapolFramesRx, 2006 sm->dot1xAuthEapolFramesTx, 2007 sm->dot1xAuthEapolStartFramesRx, 2008 sm->dot1xAuthEapolLogoffFramesRx, 2009 sm->dot1xAuthEapolRespIdFramesRx, 2010 sm->dot1xAuthEapolRespFramesRx, 2011 sm->dot1xAuthEapolReqIdFramesTx, 2012 sm->dot1xAuthEapolReqFramesTx, 2013 sm->dot1xAuthInvalidEapolFramesRx, 2014 sm->dot1xAuthEapLengthErrorFramesRx, 2015 sm->dot1xAuthLastEapolFrameVersion, 2016 MAC2STR(sm->addr)); 2017 if (ret < 0 || (size_t) ret >= buflen - len) 2018 return len; 2019 len += ret; 2020 2021 /* dot1xAuthDiagTable */ 2022 ret = os_snprintf(buf + len, buflen - len, 2023 "dot1xAuthEntersConnecting=%u\n" 2024 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2025 "dot1xAuthEntersAuthenticating=%u\n" 2026 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2027 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2028 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2029 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2030 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2031 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2032 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2033 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2034 "dot1xAuthBackendResponses=%u\n" 2035 "dot1xAuthBackendAccessChallenges=%u\n" 2036 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2037 "dot1xAuthBackendAuthSuccesses=%u\n" 2038 "dot1xAuthBackendAuthFails=%u\n", 2039 sm->authEntersConnecting, 2040 sm->authEapLogoffsWhileConnecting, 2041 sm->authEntersAuthenticating, 2042 sm->authAuthSuccessesWhileAuthenticating, 2043 sm->authAuthTimeoutsWhileAuthenticating, 2044 sm->authAuthFailWhileAuthenticating, 2045 sm->authAuthEapStartsWhileAuthenticating, 2046 sm->authAuthEapLogoffWhileAuthenticating, 2047 sm->authAuthReauthsWhileAuthenticated, 2048 sm->authAuthEapStartsWhileAuthenticated, 2049 sm->authAuthEapLogoffWhileAuthenticated, 2050 sm->backendResponses, 2051 sm->backendAccessChallenges, 2052 sm->backendOtherRequestsToSupplicant, 2053 sm->backendAuthSuccesses, 2054 sm->backendAuthFails); 2055 if (ret < 0 || (size_t) ret >= buflen - len) 2056 return len; 2057 len += ret; 2058 2059 /* dot1xAuthSessionStatsTable */ 2060 ret = os_snprintf(buf + len, buflen - len, 2061 /* TODO: dot1xAuthSessionOctetsRx */ 2062 /* TODO: dot1xAuthSessionOctetsTx */ 2063 /* TODO: dot1xAuthSessionFramesRx */ 2064 /* TODO: dot1xAuthSessionFramesTx */ 2065 "dot1xAuthSessionId=%08X-%08X\n" 2066 "dot1xAuthSessionAuthenticMethod=%d\n" 2067 "dot1xAuthSessionTime=%u\n" 2068 "dot1xAuthSessionTerminateCause=999\n" 2069 "dot1xAuthSessionUserName=%s\n", 2070 sta->acct_session_id_hi, sta->acct_session_id_lo, 2071 (wpa_key_mgmt_wpa_ieee8021x( 2072 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2073 1 : 2, 2074 (unsigned int) (time(NULL) - 2075 sta->acct_session_start), 2076 sm->identity); 2077 if (ret < 0 || (size_t) ret >= buflen - len) 2078 return len; 2079 len += ret; 2080 2081 return len; 2082} 2083 2084 2085static void ieee802_1x_finished(struct hostapd_data *hapd, 2086 struct sta_info *sta, int success) 2087{ 2088 const u8 *key; 2089 size_t len; 2090 /* TODO: get PMKLifetime from WPA parameters */ 2091 static const int dot11RSNAConfigPMKLifetime = 43200; 2092 2093 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2094 if (success && key && len >= PMK_LEN && 2095 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2096 sta->eapol_sm) == 0) { 2097 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2098 HOSTAPD_LEVEL_DEBUG, 2099 "Added PMKSA cache entry (IEEE 802.1X)"); 2100 } 2101 2102#ifdef CONFIG_WPS 2103 if (!success && (sta->flags & WLAN_STA_WPS)) { 2104 /* 2105 * Many devices require deauthentication after WPS provisioning 2106 * and some may not be be able to do that themselves, so 2107 * disconnect the client here. 2108 */ 2109 wpa_printf(MSG_DEBUG, "WPS: Force disconnection after " 2110 "EAP-Failure"); 2111 /* Add a small sleep to increase likelihood of previously 2112 * requested EAP-Failure TX getting out before this should the 2113 * driver reorder operations. 2114 */ 2115 os_sleep(0, 10000); 2116 ap_sta_disconnect(hapd, sta, sta->addr, 2117 WLAN_REASON_PREV_AUTH_NOT_VALID); 2118 } 2119#endif /* CONFIG_WPS */ 2120} 2121