ieee802_1x.c revision df5a7e4c5c64890c2425bb47d665bbce4992b676
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "wps_hostapd.h" 33#include "hs20.h" 34#include "ieee802_1x.h" 35 36 37static void ieee802_1x_finished(struct hostapd_data *hapd, 38 struct sta_info *sta, int success, 39 int remediation); 40 41 42static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 43 u8 type, const u8 *data, size_t datalen) 44{ 45 u8 *buf; 46 struct ieee802_1x_hdr *xhdr; 47 size_t len; 48 int encrypt = 0; 49 50 len = sizeof(*xhdr) + datalen; 51 buf = os_zalloc(len); 52 if (buf == NULL) { 53 wpa_printf(MSG_ERROR, "malloc() failed for " 54 "ieee802_1x_send(len=%lu)", 55 (unsigned long) len); 56 return; 57 } 58 59 xhdr = (struct ieee802_1x_hdr *) buf; 60 xhdr->version = hapd->conf->eapol_version; 61 xhdr->type = type; 62 xhdr->length = host_to_be16(datalen); 63 64 if (datalen > 0 && data != NULL) 65 os_memcpy(xhdr + 1, data, datalen); 66 67 if (wpa_auth_pairwise_set(sta->wpa_sm)) 68 encrypt = 1; 69 if (sta->flags & WLAN_STA_PREAUTH) { 70 rsn_preauth_send(hapd, sta, buf, len); 71 } else { 72 hostapd_drv_hapd_send_eapol( 73 hapd, sta->addr, buf, len, 74 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 75 } 76 77 os_free(buf); 78} 79 80 81void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 82 struct sta_info *sta, int authorized) 83{ 84 int res; 85 86 if (sta->flags & WLAN_STA_PREAUTH) 87 return; 88 89 if (authorized) { 90 ap_sta_set_authorized(hapd, sta, 1); 91 res = hostapd_set_authorized(hapd, sta, 1); 92 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 93 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 94 } else { 95 ap_sta_set_authorized(hapd, sta, 0); 96 res = hostapd_set_authorized(hapd, sta, 0); 97 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 98 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 99 } 100 101 if (res && errno != ENOENT) { 102 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 103 " flags for kernel driver (errno=%d).", 104 MAC2STR(sta->addr), errno); 105 } 106 107 if (authorized) { 108 os_get_reltime(&sta->connected_time); 109 accounting_sta_start(hapd, sta); 110 } 111} 112 113 114static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 115 struct sta_info *sta, 116 int idx, int broadcast, 117 u8 *key_data, size_t key_len) 118{ 119 u8 *buf, *ekey; 120 struct ieee802_1x_hdr *hdr; 121 struct ieee802_1x_eapol_key *key; 122 size_t len, ekey_len; 123 struct eapol_state_machine *sm = sta->eapol_sm; 124 125 if (sm == NULL) 126 return; 127 128 len = sizeof(*key) + key_len; 129 buf = os_zalloc(sizeof(*hdr) + len); 130 if (buf == NULL) 131 return; 132 133 hdr = (struct ieee802_1x_hdr *) buf; 134 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 135 key->type = EAPOL_KEY_TYPE_RC4; 136 WPA_PUT_BE16(key->key_length, key_len); 137 wpa_get_ntp_timestamp(key->replay_counter); 138 139 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 140 wpa_printf(MSG_ERROR, "Could not get random numbers"); 141 os_free(buf); 142 return; 143 } 144 145 key->key_index = idx | (broadcast ? 0 : BIT(7)); 146 if (hapd->conf->eapol_key_index_workaround) { 147 /* According to some information, WinXP Supplicant seems to 148 * interpret bit7 as an indication whether the key is to be 149 * activated, so make it possible to enable workaround that 150 * sets this bit for all keys. */ 151 key->key_index |= BIT(7); 152 } 153 154 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 155 * MSK[32..63] is used to sign the message. */ 156 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 157 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 158 "and signing EAPOL-Key"); 159 os_free(buf); 160 return; 161 } 162 os_memcpy((u8 *) (key + 1), key_data, key_len); 163 ekey_len = sizeof(key->key_iv) + 32; 164 ekey = os_malloc(ekey_len); 165 if (ekey == NULL) { 166 wpa_printf(MSG_ERROR, "Could not encrypt key"); 167 os_free(buf); 168 return; 169 } 170 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 171 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 172 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 173 os_free(ekey); 174 175 /* This header is needed here for HMAC-MD5, but it will be regenerated 176 * in ieee802_1x_send() */ 177 hdr->version = hapd->conf->eapol_version; 178 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 179 hdr->length = host_to_be16(len); 180 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 181 key->key_signature); 182 183 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 184 " (%s index=%d)", MAC2STR(sm->addr), 185 broadcast ? "broadcast" : "unicast", idx); 186 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 187 if (sta->eapol_sm) 188 sta->eapol_sm->dot1xAuthEapolFramesTx++; 189 os_free(buf); 190} 191 192 193void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 194{ 195 struct eapol_authenticator *eapol = hapd->eapol_auth; 196 struct eapol_state_machine *sm = sta->eapol_sm; 197 198 if (sm == NULL || !sm->eap_if->eapKeyData) 199 return; 200 201 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 202 MAC2STR(sta->addr)); 203 204#ifndef CONFIG_NO_VLAN 205 if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 206 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 207 return; 208 } 209#endif /* CONFIG_NO_VLAN */ 210 211 if (eapol->default_wep_key) { 212 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 213 eapol->default_wep_key, 214 hapd->conf->default_wep_key_len); 215 } 216 217 if (hapd->conf->individual_wep_key_len > 0) { 218 u8 *ikey; 219 ikey = os_malloc(hapd->conf->individual_wep_key_len); 220 if (ikey == NULL || 221 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 222 { 223 wpa_printf(MSG_ERROR, "Could not generate random " 224 "individual WEP key."); 225 os_free(ikey); 226 return; 227 } 228 229 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 230 ikey, hapd->conf->individual_wep_key_len); 231 232 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 233 hapd->conf->individual_wep_key_len); 234 235 /* TODO: set encryption in TX callback, i.e., only after STA 236 * has ACKed EAPOL-Key frame */ 237 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 238 sta->addr, 0, 1, NULL, 0, ikey, 239 hapd->conf->individual_wep_key_len)) { 240 wpa_printf(MSG_ERROR, "Could not set individual WEP " 241 "encryption."); 242 } 243 244 os_free(ikey); 245 } 246} 247 248 249const char *radius_mode_txt(struct hostapd_data *hapd) 250{ 251 switch (hapd->iface->conf->hw_mode) { 252 case HOSTAPD_MODE_IEEE80211AD: 253 return "802.11ad"; 254 case HOSTAPD_MODE_IEEE80211A: 255 return "802.11a"; 256 case HOSTAPD_MODE_IEEE80211G: 257 return "802.11g"; 258 case HOSTAPD_MODE_IEEE80211B: 259 default: 260 return "802.11b"; 261 } 262} 263 264 265int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 266{ 267 int i; 268 u8 rate = 0; 269 270 for (i = 0; i < sta->supported_rates_len; i++) 271 if ((sta->supported_rates[i] & 0x7f) > rate) 272 rate = sta->supported_rates[i] & 0x7f; 273 274 return rate; 275} 276 277 278#ifndef CONFIG_NO_RADIUS 279static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 280 struct eapol_state_machine *sm, 281 const u8 *eap, size_t len) 282{ 283 const u8 *identity; 284 size_t identity_len; 285 286 if (len <= sizeof(struct eap_hdr) || 287 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 288 return; 289 290 identity = eap_get_identity(sm->eap, &identity_len); 291 if (identity == NULL) 292 return; 293 294 /* Save station identity for future RADIUS packets */ 295 os_free(sm->identity); 296 sm->identity = (u8 *) dup_binstr(identity, identity_len); 297 if (sm->identity == NULL) { 298 sm->identity_len = 0; 299 return; 300 } 301 302 sm->identity_len = identity_len; 303 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 304 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 305 sm->dot1xAuthEapolRespIdFramesRx++; 306} 307 308 309static int add_common_radius_sta_attr(struct hostapd_data *hapd, 310 struct hostapd_radius_attr *req_attr, 311 struct sta_info *sta, 312 struct radius_msg *msg) 313{ 314 char buf[128]; 315 316 if (!hostapd_config_get_radius_attr(req_attr, 317 RADIUS_ATTR_NAS_PORT) && 318 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 319 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 320 return -1; 321 } 322 323 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 324 MAC2STR(sta->addr)); 325 buf[sizeof(buf) - 1] = '\0'; 326 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 327 (u8 *) buf, os_strlen(buf))) { 328 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 329 return -1; 330 } 331 332 if (sta->flags & WLAN_STA_PREAUTH) { 333 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 334 sizeof(buf)); 335 } else { 336 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 337 radius_sta_rate(hapd, sta) / 2, 338 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 339 radius_mode_txt(hapd)); 340 buf[sizeof(buf) - 1] = '\0'; 341 } 342 if (!hostapd_config_get_radius_attr(req_attr, 343 RADIUS_ATTR_CONNECT_INFO) && 344 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 345 (u8 *) buf, os_strlen(buf))) { 346 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 347 return -1; 348 } 349 350 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 351 os_snprintf(buf, sizeof(buf), "%08X-%08X", 352 sta->acct_session_id_hi, sta->acct_session_id_lo); 353 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 354 (u8 *) buf, os_strlen(buf))) { 355 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 356 return -1; 357 } 358 } 359 360 return 0; 361} 362 363 364int add_common_radius_attr(struct hostapd_data *hapd, 365 struct hostapd_radius_attr *req_attr, 366 struct sta_info *sta, 367 struct radius_msg *msg) 368{ 369 char buf[128]; 370 struct hostapd_radius_attr *attr; 371 372 if (!hostapd_config_get_radius_attr(req_attr, 373 RADIUS_ATTR_NAS_IP_ADDRESS) && 374 hapd->conf->own_ip_addr.af == AF_INET && 375 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 376 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 377 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 378 return -1; 379 } 380 381#ifdef CONFIG_IPV6 382 if (!hostapd_config_get_radius_attr(req_attr, 383 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 384 hapd->conf->own_ip_addr.af == AF_INET6 && 385 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 386 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 387 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 388 return -1; 389 } 390#endif /* CONFIG_IPV6 */ 391 392 if (!hostapd_config_get_radius_attr(req_attr, 393 RADIUS_ATTR_NAS_IDENTIFIER) && 394 hapd->conf->nas_identifier && 395 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 396 (u8 *) hapd->conf->nas_identifier, 397 os_strlen(hapd->conf->nas_identifier))) { 398 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 399 return -1; 400 } 401 402 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 403 MAC2STR(hapd->own_addr), 404 wpa_ssid_txt(hapd->conf->ssid.ssid, 405 hapd->conf->ssid.ssid_len)); 406 buf[sizeof(buf) - 1] = '\0'; 407 if (!hostapd_config_get_radius_attr(req_attr, 408 RADIUS_ATTR_CALLED_STATION_ID) && 409 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 410 (u8 *) buf, os_strlen(buf))) { 411 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 412 return -1; 413 } 414 415 if (!hostapd_config_get_radius_attr(req_attr, 416 RADIUS_ATTR_NAS_PORT_TYPE) && 417 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 418 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 419 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 420 return -1; 421 } 422 423 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 424 return -1; 425 426 for (attr = req_attr; attr; attr = attr->next) { 427 if (!radius_msg_add_attr(msg, attr->type, 428 wpabuf_head(attr->val), 429 wpabuf_len(attr->val))) { 430 wpa_printf(MSG_ERROR, "Could not add RADIUS " 431 "attribute"); 432 return -1; 433 } 434 } 435 436 return 0; 437} 438 439 440static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 441 struct sta_info *sta, 442 const u8 *eap, size_t len) 443{ 444 struct radius_msg *msg; 445 struct eapol_state_machine *sm = sta->eapol_sm; 446 447 if (sm == NULL) 448 return; 449 450 ieee802_1x_learn_identity(hapd, sm, eap, len); 451 452 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 453 "packet"); 454 455 sm->radius_identifier = radius_client_get_id(hapd->radius); 456 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 457 sm->radius_identifier); 458 if (msg == NULL) { 459 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 460 return; 461 } 462 463 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 464 465 if (sm->identity && 466 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 467 sm->identity, sm->identity_len)) { 468 wpa_printf(MSG_INFO, "Could not add User-Name"); 469 goto fail; 470 } 471 472 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 473 msg) < 0) 474 goto fail; 475 476 /* TODO: should probably check MTU from driver config; 2304 is max for 477 * IEEE 802.11, but use 1400 to avoid problems with too large packets 478 */ 479 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 480 RADIUS_ATTR_FRAMED_MTU) && 481 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 482 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 483 goto fail; 484 } 485 486 if (eap && !radius_msg_add_eap(msg, eap, len)) { 487 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 488 goto fail; 489 } 490 491 /* State attribute must be copied if and only if this packet is 492 * Access-Request reply to the previous Access-Challenge */ 493 if (sm->last_recv_radius && 494 radius_msg_get_hdr(sm->last_recv_radius)->code == 495 RADIUS_CODE_ACCESS_CHALLENGE) { 496 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 497 RADIUS_ATTR_STATE); 498 if (res < 0) { 499 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 500 goto fail; 501 } 502 if (res > 0) { 503 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 504 } 505 } 506 507 if (hapd->conf->radius_request_cui) { 508 const u8 *cui; 509 size_t cui_len; 510 /* Add previously learned CUI or nul CUI to request CUI */ 511 if (sm->radius_cui) { 512 cui = wpabuf_head(sm->radius_cui); 513 cui_len = wpabuf_len(sm->radius_cui); 514 } else { 515 cui = (const u8 *) "\0"; 516 cui_len = 1; 517 } 518 if (!radius_msg_add_attr(msg, 519 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 520 cui, cui_len)) { 521 wpa_printf(MSG_ERROR, "Could not add CUI"); 522 goto fail; 523 } 524 } 525 526#ifdef CONFIG_HS20 527 if (hapd->conf->hs20) { 528 u8 ver = 1; /* Release 2 */ 529 if (!radius_msg_add_wfa( 530 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 531 &ver, 1)) { 532 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 533 "version"); 534 goto fail; 535 } 536 537 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 538 const u8 *pos; 539 u8 buf[3]; 540 u16 id; 541 pos = wpabuf_head_u8(sta->hs20_ie); 542 buf[0] = (*pos) >> 4; 543 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 544 wpabuf_len(sta->hs20_ie) >= 3) 545 id = WPA_GET_LE16(pos + 1); 546 else 547 id = 0; 548 WPA_PUT_BE16(buf + 1, id); 549 if (!radius_msg_add_wfa( 550 msg, 551 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 552 buf, sizeof(buf))) { 553 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 554 "STA version"); 555 goto fail; 556 } 557 } 558 } 559#endif /* CONFIG_HS20 */ 560 561 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 562 goto fail; 563 564 return; 565 566 fail: 567 radius_msg_free(msg); 568} 569#endif /* CONFIG_NO_RADIUS */ 570 571 572static void handle_eap_response(struct hostapd_data *hapd, 573 struct sta_info *sta, struct eap_hdr *eap, 574 size_t len) 575{ 576 u8 type, *data; 577 struct eapol_state_machine *sm = sta->eapol_sm; 578 if (sm == NULL) 579 return; 580 581 data = (u8 *) (eap + 1); 582 583 if (len < sizeof(*eap) + 1) { 584 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 585 return; 586 } 587 588 sm->eap_type_supp = type = data[0]; 589 590 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 591 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 592 "id=%d len=%d) from STA: EAP Response-%s (%d)", 593 eap->code, eap->identifier, be_to_host16(eap->length), 594 eap_server_get_name(0, type), type); 595 596 sm->dot1xAuthEapolRespFramesRx++; 597 598 wpabuf_free(sm->eap_if->eapRespData); 599 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 600 sm->eapolEap = TRUE; 601} 602 603 604/* Process incoming EAP packet from Supplicant */ 605static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 606 u8 *buf, size_t len) 607{ 608 struct eap_hdr *eap; 609 u16 eap_len; 610 611 if (len < sizeof(*eap)) { 612 wpa_printf(MSG_INFO, " too short EAP packet"); 613 return; 614 } 615 616 eap = (struct eap_hdr *) buf; 617 618 eap_len = be_to_host16(eap->length); 619 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 620 eap->code, eap->identifier, eap_len); 621 if (eap_len < sizeof(*eap)) { 622 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 623 return; 624 } else if (eap_len > len) { 625 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 626 "packet"); 627 return; 628 } else if (eap_len < len) { 629 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 630 "packet", (unsigned long) len - eap_len); 631 } 632 633 switch (eap->code) { 634 case EAP_CODE_REQUEST: 635 wpa_printf(MSG_DEBUG, " (request)"); 636 return; 637 case EAP_CODE_RESPONSE: 638 wpa_printf(MSG_DEBUG, " (response)"); 639 handle_eap_response(hapd, sta, eap, eap_len); 640 break; 641 case EAP_CODE_SUCCESS: 642 wpa_printf(MSG_DEBUG, " (success)"); 643 return; 644 case EAP_CODE_FAILURE: 645 wpa_printf(MSG_DEBUG, " (failure)"); 646 return; 647 default: 648 wpa_printf(MSG_DEBUG, " (unknown code)"); 649 return; 650 } 651} 652 653 654static struct eapol_state_machine * 655ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 656{ 657 int flags = 0; 658 if (sta->flags & WLAN_STA_PREAUTH) 659 flags |= EAPOL_SM_PREAUTH; 660 if (sta->wpa_sm) { 661 flags |= EAPOL_SM_USES_WPA; 662 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 663 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 664 } 665 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 666 sta->wps_ie, sta->p2p_ie, sta, 667 sta->identity, sta->radius_cui); 668} 669 670 671/** 672 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 673 * @hapd: hostapd BSS data 674 * @sa: Source address (sender of the EAPOL frame) 675 * @buf: EAPOL frame 676 * @len: Length of buf in octets 677 * 678 * This function is called for each incoming EAPOL frame from the interface 679 */ 680void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 681 size_t len) 682{ 683 struct sta_info *sta; 684 struct ieee802_1x_hdr *hdr; 685 struct ieee802_1x_eapol_key *key; 686 u16 datalen; 687 struct rsn_pmksa_cache_entry *pmksa; 688 int key_mgmt; 689 690 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 691 !hapd->conf->wps_state) 692 return; 693 694 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 695 (unsigned long) len, MAC2STR(sa)); 696 sta = ap_get_sta(hapd, sa); 697 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 698 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 699 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 700 "associated/Pre-authenticating STA"); 701 return; 702 } 703 704 if (len < sizeof(*hdr)) { 705 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 706 return; 707 } 708 709 hdr = (struct ieee802_1x_hdr *) buf; 710 datalen = be_to_host16(hdr->length); 711 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 712 hdr->version, hdr->type, datalen); 713 714 if (len - sizeof(*hdr) < datalen) { 715 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 716 if (sta->eapol_sm) 717 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 718 return; 719 } 720 if (len - sizeof(*hdr) > datalen) { 721 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 722 "IEEE 802.1X packet", 723 (unsigned long) len - sizeof(*hdr) - datalen); 724 } 725 726 if (sta->eapol_sm) { 727 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 728 sta->eapol_sm->dot1xAuthEapolFramesRx++; 729 } 730 731 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 732 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 733 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 734 (key->type == EAPOL_KEY_TYPE_WPA || 735 key->type == EAPOL_KEY_TYPE_RSN)) { 736 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 737 sizeof(*hdr) + datalen); 738 return; 739 } 740 741 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 742 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 743 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 744 "802.1X not enabled and WPS not used"); 745 return; 746 } 747 748 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 749 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 750 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 751 "STA is using PSK"); 752 return; 753 } 754 755 if (!sta->eapol_sm) { 756 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 757 if (!sta->eapol_sm) 758 return; 759 760#ifdef CONFIG_WPS 761 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 762 u32 wflags = sta->flags & (WLAN_STA_WPS | 763 WLAN_STA_WPS2 | 764 WLAN_STA_MAYBE_WPS); 765 if (wflags == WLAN_STA_MAYBE_WPS || 766 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 767 /* 768 * Delay EAPOL frame transmission until a 769 * possible WPS STA initiates the handshake 770 * with EAPOL-Start. Only allow the wait to be 771 * skipped if the STA is known to support WPS 772 * 2.0. 773 */ 774 wpa_printf(MSG_DEBUG, "WPS: Do not start " 775 "EAPOL until EAPOL-Start is " 776 "received"); 777 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 778 } 779 } 780#endif /* CONFIG_WPS */ 781 782 sta->eapol_sm->eap_if->portEnabled = TRUE; 783 } 784 785 /* since we support version 1, we can ignore version field and proceed 786 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 787 /* TODO: actually, we are not version 1 anymore.. However, Version 2 788 * does not change frame contents, so should be ok to process frames 789 * more or less identically. Some changes might be needed for 790 * verification of fields. */ 791 792 switch (hdr->type) { 793 case IEEE802_1X_TYPE_EAP_PACKET: 794 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 795 break; 796 797 case IEEE802_1X_TYPE_EAPOL_START: 798 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 799 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 800 "from STA"); 801 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 802 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 803 if (pmksa) { 804 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 805 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 806 "available - ignore it since " 807 "STA sent EAPOL-Start"); 808 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 809 } 810 sta->eapol_sm->eapolStart = TRUE; 811 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 812 eap_server_clear_identity(sta->eapol_sm->eap); 813 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 814 break; 815 816 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 817 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 818 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 819 "from STA"); 820 sta->acct_terminate_cause = 821 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 822 accounting_sta_stop(hapd, sta); 823 sta->eapol_sm->eapolLogoff = TRUE; 824 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 825 eap_server_clear_identity(sta->eapol_sm->eap); 826 break; 827 828 case IEEE802_1X_TYPE_EAPOL_KEY: 829 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 830 if (!ap_sta_is_authorized(sta)) { 831 wpa_printf(MSG_DEBUG, " Dropped key data from " 832 "unauthorized Supplicant"); 833 break; 834 } 835 break; 836 837 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 838 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 839 /* TODO: implement support for this; show data */ 840 break; 841 842 default: 843 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 844 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 845 break; 846 } 847 848 eapol_auth_step(sta->eapol_sm); 849} 850 851 852/** 853 * ieee802_1x_new_station - Start IEEE 802.1X authentication 854 * @hapd: hostapd BSS data 855 * @sta: The station 856 * 857 * This function is called to start IEEE 802.1X authentication when a new 858 * station completes IEEE 802.11 association. 859 */ 860void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 861{ 862 struct rsn_pmksa_cache_entry *pmksa; 863 int reassoc = 1; 864 int force_1x = 0; 865 int key_mgmt; 866 867#ifdef CONFIG_WPS 868 if (hapd->conf->wps_state && hapd->conf->wpa && 869 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 870 /* 871 * Need to enable IEEE 802.1X/EAPOL state machines for possible 872 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 873 * authentication in this BSS. 874 */ 875 force_1x = 1; 876 } 877#endif /* CONFIG_WPS */ 878 879 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 880 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 881 "802.1X not enabled or forced for WPS"); 882 /* 883 * Clear any possible EAPOL authenticator state to support 884 * reassociation change from WPS to PSK. 885 */ 886 ieee802_1x_free_station(sta); 887 return; 888 } 889 890 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 891 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 892 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 893 /* 894 * Clear any possible EAPOL authenticator state to support 895 * reassociation change from WPA-EAP to PSK. 896 */ 897 ieee802_1x_free_station(sta); 898 return; 899 } 900 901 if (sta->eapol_sm == NULL) { 902 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 903 HOSTAPD_LEVEL_DEBUG, "start authentication"); 904 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 905 if (sta->eapol_sm == NULL) { 906 hostapd_logger(hapd, sta->addr, 907 HOSTAPD_MODULE_IEEE8021X, 908 HOSTAPD_LEVEL_INFO, 909 "failed to allocate state machine"); 910 return; 911 } 912 reassoc = 0; 913 } 914 915#ifdef CONFIG_WPS 916 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 917 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 918 !(sta->flags & WLAN_STA_WPS2)) { 919 /* 920 * Delay EAPOL frame transmission until a possible WPS STA 921 * initiates the handshake with EAPOL-Start. Only allow the 922 * wait to be skipped if the STA is known to support WPS 2.0. 923 */ 924 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 925 "EAPOL-Start is received"); 926 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 927 } 928#endif /* CONFIG_WPS */ 929 930 sta->eapol_sm->eap_if->portEnabled = TRUE; 931 932#ifdef CONFIG_IEEE80211R 933 if (sta->auth_alg == WLAN_AUTH_FT) { 934 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 935 HOSTAPD_LEVEL_DEBUG, 936 "PMK from FT - skip IEEE 802.1X/EAP"); 937 /* Setup EAPOL state machines to already authenticated state 938 * because of existing FT information from R0KH. */ 939 sta->eapol_sm->keyRun = TRUE; 940 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 941 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 942 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 943 sta->eapol_sm->authSuccess = TRUE; 944 sta->eapol_sm->authFail = FALSE; 945 if (sta->eapol_sm->eap) 946 eap_sm_notify_cached(sta->eapol_sm->eap); 947 /* TODO: get vlan_id from R0KH using RRB message */ 948 return; 949 } 950#endif /* CONFIG_IEEE80211R */ 951 952 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 953 if (pmksa) { 954 int old_vlanid; 955 956 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 957 HOSTAPD_LEVEL_DEBUG, 958 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 959 /* Setup EAPOL state machines to already authenticated state 960 * because of existing PMKSA information in the cache. */ 961 sta->eapol_sm->keyRun = TRUE; 962 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 963 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 964 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 965 sta->eapol_sm->authSuccess = TRUE; 966 sta->eapol_sm->authFail = FALSE; 967 if (sta->eapol_sm->eap) 968 eap_sm_notify_cached(sta->eapol_sm->eap); 969 old_vlanid = sta->vlan_id; 970 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 971 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 972 sta->vlan_id = 0; 973 ap_sta_bind_vlan(hapd, sta, old_vlanid); 974 } else { 975 if (reassoc) { 976 /* 977 * Force EAPOL state machines to start 978 * re-authentication without having to wait for the 979 * Supplicant to send EAPOL-Start. 980 */ 981 sta->eapol_sm->reAuthenticate = TRUE; 982 } 983 eapol_auth_step(sta->eapol_sm); 984 } 985} 986 987 988void ieee802_1x_free_station(struct sta_info *sta) 989{ 990 struct eapol_state_machine *sm = sta->eapol_sm; 991 992 if (sm == NULL) 993 return; 994 995 sta->eapol_sm = NULL; 996 997#ifndef CONFIG_NO_RADIUS 998 radius_msg_free(sm->last_recv_radius); 999 radius_free_class(&sm->radius_class); 1000 wpabuf_free(sm->radius_cui); 1001#endif /* CONFIG_NO_RADIUS */ 1002 1003 os_free(sm->identity); 1004 eapol_auth_free(sm); 1005} 1006 1007 1008#ifndef CONFIG_NO_RADIUS 1009static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1010 struct sta_info *sta) 1011{ 1012 struct wpabuf *eap; 1013 const struct eap_hdr *hdr; 1014 int eap_type = -1; 1015 char buf[64]; 1016 struct radius_msg *msg; 1017 struct eapol_state_machine *sm = sta->eapol_sm; 1018 1019 if (sm == NULL || sm->last_recv_radius == NULL) { 1020 if (sm) 1021 sm->eap_if->aaaEapNoReq = TRUE; 1022 return; 1023 } 1024 1025 msg = sm->last_recv_radius; 1026 1027 eap = radius_msg_get_eap(msg); 1028 if (eap == NULL) { 1029 /* RFC 3579, Chap. 2.6.3: 1030 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1031 * attribute */ 1032 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1033 HOSTAPD_LEVEL_WARNING, "could not extract " 1034 "EAP-Message from RADIUS message"); 1035 sm->eap_if->aaaEapNoReq = TRUE; 1036 return; 1037 } 1038 1039 if (wpabuf_len(eap) < sizeof(*hdr)) { 1040 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1041 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1042 "received from authentication server"); 1043 wpabuf_free(eap); 1044 sm->eap_if->aaaEapNoReq = TRUE; 1045 return; 1046 } 1047 1048 if (wpabuf_len(eap) > sizeof(*hdr)) 1049 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1050 1051 hdr = wpabuf_head(eap); 1052 switch (hdr->code) { 1053 case EAP_CODE_REQUEST: 1054 if (eap_type >= 0) 1055 sm->eap_type_authsrv = eap_type; 1056 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1057 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1058 "??", 1059 eap_type); 1060 break; 1061 case EAP_CODE_RESPONSE: 1062 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1063 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1064 "??", 1065 eap_type); 1066 break; 1067 case EAP_CODE_SUCCESS: 1068 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1069 break; 1070 case EAP_CODE_FAILURE: 1071 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1072 break; 1073 default: 1074 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1075 break; 1076 } 1077 buf[sizeof(buf) - 1] = '\0'; 1078 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1079 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1080 "id=%d len=%d) from RADIUS server: %s", 1081 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1082 buf); 1083 sm->eap_if->aaaEapReq = TRUE; 1084 1085 wpabuf_free(sm->eap_if->aaaEapReqData); 1086 sm->eap_if->aaaEapReqData = eap; 1087} 1088 1089 1090static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1091 struct sta_info *sta, struct radius_msg *msg, 1092 struct radius_msg *req, 1093 const u8 *shared_secret, 1094 size_t shared_secret_len) 1095{ 1096 struct radius_ms_mppe_keys *keys; 1097 struct eapol_state_machine *sm = sta->eapol_sm; 1098 if (sm == NULL) 1099 return; 1100 1101 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1102 shared_secret_len); 1103 1104 if (keys && keys->send && keys->recv) { 1105 size_t len = keys->send_len + keys->recv_len; 1106 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1107 keys->send, keys->send_len); 1108 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1109 keys->recv, keys->recv_len); 1110 1111 os_free(sm->eap_if->aaaEapKeyData); 1112 sm->eap_if->aaaEapKeyData = os_malloc(len); 1113 if (sm->eap_if->aaaEapKeyData) { 1114 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1115 keys->recv_len); 1116 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1117 keys->send, keys->send_len); 1118 sm->eap_if->aaaEapKeyDataLen = len; 1119 sm->eap_if->aaaEapKeyAvailable = TRUE; 1120 } 1121 } 1122 1123 if (keys) { 1124 os_free(keys->send); 1125 os_free(keys->recv); 1126 os_free(keys); 1127 } 1128} 1129 1130 1131static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1132 struct sta_info *sta, 1133 struct radius_msg *msg) 1134{ 1135 u8 *class; 1136 size_t class_len; 1137 struct eapol_state_machine *sm = sta->eapol_sm; 1138 int count, i; 1139 struct radius_attr_data *nclass; 1140 size_t nclass_count; 1141 1142 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1143 sm == NULL) 1144 return; 1145 1146 radius_free_class(&sm->radius_class); 1147 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1148 if (count <= 0) 1149 return; 1150 1151 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1152 if (nclass == NULL) 1153 return; 1154 1155 nclass_count = 0; 1156 1157 class = NULL; 1158 for (i = 0; i < count; i++) { 1159 do { 1160 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1161 &class, &class_len, 1162 class) < 0) { 1163 i = count; 1164 break; 1165 } 1166 } while (class_len < 1); 1167 1168 nclass[nclass_count].data = os_malloc(class_len); 1169 if (nclass[nclass_count].data == NULL) 1170 break; 1171 1172 os_memcpy(nclass[nclass_count].data, class, class_len); 1173 nclass[nclass_count].len = class_len; 1174 nclass_count++; 1175 } 1176 1177 sm->radius_class.attr = nclass; 1178 sm->radius_class.count = nclass_count; 1179 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1180 "attributes for " MACSTR, 1181 (unsigned long) sm->radius_class.count, 1182 MAC2STR(sta->addr)); 1183} 1184 1185 1186/* Update sta->identity based on User-Name attribute in Access-Accept */ 1187static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1188 struct sta_info *sta, 1189 struct radius_msg *msg) 1190{ 1191 u8 *buf, *identity; 1192 size_t len; 1193 struct eapol_state_machine *sm = sta->eapol_sm; 1194 1195 if (sm == NULL) 1196 return; 1197 1198 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1199 NULL) < 0) 1200 return; 1201 1202 identity = (u8 *) dup_binstr(buf, len); 1203 if (identity == NULL) 1204 return; 1205 1206 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1207 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1208 "User-Name from Access-Accept '%s'", 1209 sm->identity ? (char *) sm->identity : "N/A", 1210 (char *) identity); 1211 1212 os_free(sm->identity); 1213 sm->identity = identity; 1214 sm->identity_len = len; 1215} 1216 1217 1218/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1219static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1220 struct sta_info *sta, 1221 struct radius_msg *msg) 1222{ 1223 struct eapol_state_machine *sm = sta->eapol_sm; 1224 struct wpabuf *cui; 1225 u8 *buf; 1226 size_t len; 1227 1228 if (sm == NULL) 1229 return; 1230 1231 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1232 &buf, &len, NULL) < 0) 1233 return; 1234 1235 cui = wpabuf_alloc_copy(buf, len); 1236 if (cui == NULL) 1237 return; 1238 1239 wpabuf_free(sm->radius_cui); 1240 sm->radius_cui = cui; 1241} 1242 1243 1244#ifdef CONFIG_HS20 1245 1246static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1247{ 1248 sta->remediation = 1; 1249 os_free(sta->remediation_url); 1250 if (len > 2) { 1251 sta->remediation_url = os_malloc(len); 1252 if (!sta->remediation_url) 1253 return; 1254 sta->remediation_method = pos[0]; 1255 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1256 sta->remediation_url[len - 1] = '\0'; 1257 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1258 "for " MACSTR " - server method %u URL %s", 1259 MAC2STR(sta->addr), sta->remediation_method, 1260 sta->remediation_url); 1261 } else { 1262 sta->remediation_url = NULL; 1263 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1264 "for " MACSTR, MAC2STR(sta->addr)); 1265 } 1266 /* TODO: assign the STA into remediation VLAN or add filtering */ 1267} 1268 1269 1270static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1271 struct sta_info *sta, u8 *pos, 1272 size_t len) 1273{ 1274 if (len < 3) 1275 return; /* Malformed information */ 1276 sta->hs20_deauth_requested = 1; 1277 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1278 "Re-auth Delay %u", 1279 *pos, WPA_GET_LE16(pos + 1)); 1280 wpabuf_free(sta->hs20_deauth_req); 1281 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1282 if (sta->hs20_deauth_req) { 1283 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1284 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1285 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1286 } 1287 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1288} 1289 1290 1291static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1292 struct sta_info *sta, u8 *pos, 1293 size_t len, int session_timeout) 1294{ 1295 unsigned int swt; 1296 int warning_time, beacon_int; 1297 1298 if (len < 1) 1299 return; /* Malformed information */ 1300 os_free(sta->hs20_session_info_url); 1301 sta->hs20_session_info_url = os_malloc(len); 1302 if (sta->hs20_session_info_url == NULL) 1303 return; 1304 swt = pos[0]; 1305 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1306 sta->hs20_session_info_url[len - 1] = '\0'; 1307 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1308 "(session_timeout=%d)", 1309 sta->hs20_session_info_url, swt, session_timeout); 1310 if (session_timeout < 0) { 1311 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1312 return; 1313 } 1314 if (swt == 255) 1315 swt = 1; /* Use one minute as the AP selected value */ 1316 1317 if ((unsigned int) session_timeout < swt * 60) 1318 warning_time = 0; 1319 else 1320 warning_time = session_timeout - swt * 60; 1321 1322 beacon_int = hapd->iconf->beacon_int; 1323 if (beacon_int < 1) 1324 beacon_int = 100; /* best guess */ 1325 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1326 if (sta->hs20_disassoc_timer > 65535) 1327 sta->hs20_disassoc_timer = 65535; 1328 1329 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1330} 1331 1332#endif /* CONFIG_HS20 */ 1333 1334 1335static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1336 struct sta_info *sta, 1337 struct radius_msg *msg, 1338 int session_timeout) 1339{ 1340#ifdef CONFIG_HS20 1341 u8 *buf, *pos, *end, type, sublen; 1342 size_t len; 1343 1344 buf = NULL; 1345 sta->remediation = 0; 1346 sta->hs20_deauth_requested = 0; 1347 1348 for (;;) { 1349 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1350 &buf, &len, buf) < 0) 1351 break; 1352 if (len < 6) 1353 continue; 1354 pos = buf; 1355 end = buf + len; 1356 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1357 continue; 1358 pos += 4; 1359 1360 type = *pos++; 1361 sublen = *pos++; 1362 if (sublen < 2) 1363 continue; /* invalid length */ 1364 sublen -= 2; /* skip header */ 1365 if (pos + sublen > end) 1366 continue; /* invalid WFA VSA */ 1367 1368 switch (type) { 1369 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1370 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1371 break; 1372 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1373 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1374 break; 1375 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1376 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1377 session_timeout); 1378 break; 1379 } 1380 } 1381#endif /* CONFIG_HS20 */ 1382} 1383 1384 1385struct sta_id_search { 1386 u8 identifier; 1387 struct eapol_state_machine *sm; 1388}; 1389 1390 1391static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1392 struct sta_info *sta, 1393 void *ctx) 1394{ 1395 struct sta_id_search *id_search = ctx; 1396 struct eapol_state_machine *sm = sta->eapol_sm; 1397 1398 if (sm && sm->radius_identifier >= 0 && 1399 sm->radius_identifier == id_search->identifier) { 1400 id_search->sm = sm; 1401 return 1; 1402 } 1403 return 0; 1404} 1405 1406 1407static struct eapol_state_machine * 1408ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1409{ 1410 struct sta_id_search id_search; 1411 id_search.identifier = identifier; 1412 id_search.sm = NULL; 1413 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1414 return id_search.sm; 1415} 1416 1417 1418/** 1419 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1420 * @msg: RADIUS response message 1421 * @req: RADIUS request message 1422 * @shared_secret: RADIUS shared secret 1423 * @shared_secret_len: Length of shared_secret in octets 1424 * @data: Context data (struct hostapd_data *) 1425 * Returns: Processing status 1426 */ 1427static RadiusRxResult 1428ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1429 const u8 *shared_secret, size_t shared_secret_len, 1430 void *data) 1431{ 1432 struct hostapd_data *hapd = data; 1433 struct sta_info *sta; 1434 u32 session_timeout = 0, termination_action, acct_interim_interval; 1435 int session_timeout_set, old_vlanid = 0; 1436 struct eapol_state_machine *sm; 1437 int override_eapReq = 0; 1438 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1439 1440 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1441 if (sm == NULL) { 1442 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1443 "station for this RADIUS message"); 1444 return RADIUS_RX_UNKNOWN; 1445 } 1446 sta = sm->sta; 1447 1448 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1449 * present when packet contains an EAP-Message attribute */ 1450 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1451 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1452 0) < 0 && 1453 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1454 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1455 "Message-Authenticator since it does not include " 1456 "EAP-Message"); 1457 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1458 req, 1)) { 1459 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1460 return RADIUS_RX_INVALID_AUTHENTICATOR; 1461 } 1462 1463 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1464 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1465 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1466 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1467 return RADIUS_RX_UNKNOWN; 1468 } 1469 1470 sm->radius_identifier = -1; 1471 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1472 MAC2STR(sta->addr)); 1473 1474 radius_msg_free(sm->last_recv_radius); 1475 sm->last_recv_radius = msg; 1476 1477 session_timeout_set = 1478 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1479 &session_timeout); 1480 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1481 &termination_action)) 1482 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1483 1484 if (hapd->conf->acct_interim_interval == 0 && 1485 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1486 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1487 &acct_interim_interval) == 0) { 1488 if (acct_interim_interval < 60) { 1489 hostapd_logger(hapd, sta->addr, 1490 HOSTAPD_MODULE_IEEE8021X, 1491 HOSTAPD_LEVEL_INFO, 1492 "ignored too small " 1493 "Acct-Interim-Interval %d", 1494 acct_interim_interval); 1495 } else 1496 sta->acct_interim_interval = acct_interim_interval; 1497 } 1498 1499 1500 switch (hdr->code) { 1501 case RADIUS_CODE_ACCESS_ACCEPT: 1502 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1503 sta->vlan_id = 0; 1504#ifndef CONFIG_NO_VLAN 1505 else { 1506 old_vlanid = sta->vlan_id; 1507 sta->vlan_id = radius_msg_get_vlanid(msg); 1508 } 1509 if (sta->vlan_id > 0 && 1510 hostapd_vlan_id_valid(hapd->conf->vlan, sta->vlan_id)) { 1511 hostapd_logger(hapd, sta->addr, 1512 HOSTAPD_MODULE_RADIUS, 1513 HOSTAPD_LEVEL_INFO, 1514 "VLAN ID %d", sta->vlan_id); 1515 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1516 sta->eapol_sm->authFail = TRUE; 1517 hostapd_logger(hapd, sta->addr, 1518 HOSTAPD_MODULE_IEEE8021X, 1519 HOSTAPD_LEVEL_INFO, "authentication " 1520 "server did not include required VLAN " 1521 "ID in Access-Accept"); 1522 break; 1523 } 1524#endif /* CONFIG_NO_VLAN */ 1525 1526 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1527 break; 1528 1529 /* RFC 3580, Ch. 3.17 */ 1530 if (session_timeout_set && termination_action == 1531 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1532 sm->reAuthPeriod = session_timeout; 1533 } else if (session_timeout_set) 1534 ap_sta_session_timeout(hapd, sta, session_timeout); 1535 1536 sm->eap_if->aaaSuccess = TRUE; 1537 override_eapReq = 1; 1538 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1539 shared_secret_len); 1540 ieee802_1x_store_radius_class(hapd, sta, msg); 1541 ieee802_1x_update_sta_identity(hapd, sta, msg); 1542 ieee802_1x_update_sta_cui(hapd, sta, msg); 1543 ieee802_1x_check_hs20(hapd, sta, msg, 1544 session_timeout_set ? 1545 (int) session_timeout : -1); 1546 if (sm->eap_if->eapKeyAvailable && !sta->remediation && 1547 !sta->hs20_deauth_requested && 1548 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1549 session_timeout_set ? 1550 (int) session_timeout : -1, sm) == 0) { 1551 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1552 HOSTAPD_LEVEL_DEBUG, 1553 "Added PMKSA cache entry"); 1554 } 1555 break; 1556 case RADIUS_CODE_ACCESS_REJECT: 1557 sm->eap_if->aaaFail = TRUE; 1558 override_eapReq = 1; 1559 break; 1560 case RADIUS_CODE_ACCESS_CHALLENGE: 1561 sm->eap_if->aaaEapReq = TRUE; 1562 if (session_timeout_set) { 1563 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1564 sm->eap_if->aaaMethodTimeout = session_timeout; 1565 hostapd_logger(hapd, sm->addr, 1566 HOSTAPD_MODULE_IEEE8021X, 1567 HOSTAPD_LEVEL_DEBUG, 1568 "using EAP timeout of %d seconds (from " 1569 "RADIUS)", 1570 sm->eap_if->aaaMethodTimeout); 1571 } else { 1572 /* 1573 * Use dynamic retransmission behavior per EAP 1574 * specification. 1575 */ 1576 sm->eap_if->aaaMethodTimeout = 0; 1577 } 1578 break; 1579 } 1580 1581 ieee802_1x_decapsulate_radius(hapd, sta); 1582 if (override_eapReq) 1583 sm->eap_if->aaaEapReq = FALSE; 1584 1585 eapol_auth_step(sm); 1586 1587 return RADIUS_RX_QUEUED; 1588} 1589#endif /* CONFIG_NO_RADIUS */ 1590 1591 1592void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1593{ 1594 struct eapol_state_machine *sm = sta->eapol_sm; 1595 if (sm == NULL) 1596 return; 1597 1598 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1599 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1600 1601#ifndef CONFIG_NO_RADIUS 1602 radius_msg_free(sm->last_recv_radius); 1603 sm->last_recv_radius = NULL; 1604#endif /* CONFIG_NO_RADIUS */ 1605 1606 if (sm->eap_if->eapTimeout) { 1607 /* 1608 * Disconnect the STA since it did not reply to the last EAP 1609 * request and we cannot continue EAP processing (EAP-Failure 1610 * could only be sent if the EAP peer actually replied). 1611 */ 1612 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1613 MAC2STR(sta->addr)); 1614 1615 sm->eap_if->portEnabled = FALSE; 1616 ap_sta_disconnect(hapd, sta, sta->addr, 1617 WLAN_REASON_PREV_AUTH_NOT_VALID); 1618 } 1619} 1620 1621 1622static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1623{ 1624 struct eapol_authenticator *eapol = hapd->eapol_auth; 1625 1626 if (hapd->conf->default_wep_key_len < 1) 1627 return 0; 1628 1629 os_free(eapol->default_wep_key); 1630 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1631 if (eapol->default_wep_key == NULL || 1632 random_get_bytes(eapol->default_wep_key, 1633 hapd->conf->default_wep_key_len)) { 1634 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1635 os_free(eapol->default_wep_key); 1636 eapol->default_wep_key = NULL; 1637 return -1; 1638 } 1639 1640 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1641 eapol->default_wep_key, 1642 hapd->conf->default_wep_key_len); 1643 1644 return 0; 1645} 1646 1647 1648static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1649 struct sta_info *sta, void *ctx) 1650{ 1651 if (sta->eapol_sm) { 1652 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1653 eapol_auth_step(sta->eapol_sm); 1654 } 1655 return 0; 1656} 1657 1658 1659static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1660{ 1661 struct hostapd_data *hapd = eloop_ctx; 1662 struct eapol_authenticator *eapol = hapd->eapol_auth; 1663 1664 if (eapol->default_wep_key_idx >= 3) 1665 eapol->default_wep_key_idx = 1666 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1667 else 1668 eapol->default_wep_key_idx++; 1669 1670 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1671 eapol->default_wep_key_idx); 1672 1673 if (ieee802_1x_rekey_broadcast(hapd)) { 1674 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1675 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1676 "new broadcast key"); 1677 os_free(eapol->default_wep_key); 1678 eapol->default_wep_key = NULL; 1679 return; 1680 } 1681 1682 /* TODO: Could setup key for RX here, but change default TX keyid only 1683 * after new broadcast key has been sent to all stations. */ 1684 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1685 broadcast_ether_addr, 1686 eapol->default_wep_key_idx, 1, NULL, 0, 1687 eapol->default_wep_key, 1688 hapd->conf->default_wep_key_len)) { 1689 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1690 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1691 "new broadcast key"); 1692 os_free(eapol->default_wep_key); 1693 eapol->default_wep_key = NULL; 1694 return; 1695 } 1696 1697 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1698 1699 if (hapd->conf->wep_rekeying_period > 0) { 1700 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1701 ieee802_1x_rekey, hapd, NULL); 1702 } 1703} 1704 1705 1706static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1707 const u8 *data, size_t datalen) 1708{ 1709#ifdef CONFIG_WPS 1710 struct sta_info *sta = sta_ctx; 1711 1712 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1713 WLAN_STA_MAYBE_WPS) { 1714 const u8 *identity; 1715 size_t identity_len; 1716 struct eapol_state_machine *sm = sta->eapol_sm; 1717 1718 identity = eap_get_identity(sm->eap, &identity_len); 1719 if (identity && 1720 ((identity_len == WSC_ID_ENROLLEE_LEN && 1721 os_memcmp(identity, WSC_ID_ENROLLEE, 1722 WSC_ID_ENROLLEE_LEN) == 0) || 1723 (identity_len == WSC_ID_REGISTRAR_LEN && 1724 os_memcmp(identity, WSC_ID_REGISTRAR, 1725 WSC_ID_REGISTRAR_LEN) == 0))) { 1726 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1727 "WLAN_STA_WPS"); 1728 sta->flags |= WLAN_STA_WPS; 1729 } 1730 } 1731#endif /* CONFIG_WPS */ 1732 1733 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1734} 1735 1736 1737static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1738 const u8 *data, size_t datalen) 1739{ 1740#ifndef CONFIG_NO_RADIUS 1741 struct hostapd_data *hapd = ctx; 1742 struct sta_info *sta = sta_ctx; 1743 1744 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1745#endif /* CONFIG_NO_RADIUS */ 1746} 1747 1748 1749static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1750 int preauth, int remediation) 1751{ 1752 struct hostapd_data *hapd = ctx; 1753 struct sta_info *sta = sta_ctx; 1754 if (preauth) 1755 rsn_preauth_finished(hapd, sta, success); 1756 else 1757 ieee802_1x_finished(hapd, sta, success, remediation); 1758} 1759 1760 1761static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1762 size_t identity_len, int phase2, 1763 struct eap_user *user) 1764{ 1765 struct hostapd_data *hapd = ctx; 1766 const struct hostapd_eap_user *eap_user; 1767 int i; 1768 1769 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1770 if (eap_user == NULL) 1771 return -1; 1772 1773 os_memset(user, 0, sizeof(*user)); 1774 user->phase2 = phase2; 1775 for (i = 0; i < EAP_MAX_METHODS; i++) { 1776 user->methods[i].vendor = eap_user->methods[i].vendor; 1777 user->methods[i].method = eap_user->methods[i].method; 1778 } 1779 1780 if (eap_user->password) { 1781 user->password = os_malloc(eap_user->password_len); 1782 if (user->password == NULL) 1783 return -1; 1784 os_memcpy(user->password, eap_user->password, 1785 eap_user->password_len); 1786 user->password_len = eap_user->password_len; 1787 user->password_hash = eap_user->password_hash; 1788 } 1789 user->force_version = eap_user->force_version; 1790 user->macacl = eap_user->macacl; 1791 user->ttls_auth = eap_user->ttls_auth; 1792 user->remediation = eap_user->remediation; 1793 1794 return 0; 1795} 1796 1797 1798static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1799{ 1800 struct hostapd_data *hapd = ctx; 1801 struct sta_info *sta; 1802 sta = ap_get_sta(hapd, addr); 1803 if (sta == NULL || sta->eapol_sm == NULL) 1804 return 0; 1805 return 1; 1806} 1807 1808 1809static void ieee802_1x_logger(void *ctx, const u8 *addr, 1810 eapol_logger_level level, const char *txt) 1811{ 1812#ifndef CONFIG_NO_HOSTAPD_LOGGER 1813 struct hostapd_data *hapd = ctx; 1814 int hlevel; 1815 1816 switch (level) { 1817 case EAPOL_LOGGER_WARNING: 1818 hlevel = HOSTAPD_LEVEL_WARNING; 1819 break; 1820 case EAPOL_LOGGER_INFO: 1821 hlevel = HOSTAPD_LEVEL_INFO; 1822 break; 1823 case EAPOL_LOGGER_DEBUG: 1824 default: 1825 hlevel = HOSTAPD_LEVEL_DEBUG; 1826 break; 1827 } 1828 1829 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1830 txt); 1831#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1832} 1833 1834 1835static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1836 int authorized) 1837{ 1838 struct hostapd_data *hapd = ctx; 1839 struct sta_info *sta = sta_ctx; 1840 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1841} 1842 1843 1844static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1845{ 1846 struct hostapd_data *hapd = ctx; 1847 struct sta_info *sta = sta_ctx; 1848 ieee802_1x_abort_auth(hapd, sta); 1849} 1850 1851 1852static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1853{ 1854 struct hostapd_data *hapd = ctx; 1855 struct sta_info *sta = sta_ctx; 1856 ieee802_1x_tx_key(hapd, sta); 1857} 1858 1859 1860static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1861 enum eapol_event type) 1862{ 1863 /* struct hostapd_data *hapd = ctx; */ 1864 struct sta_info *sta = sta_ctx; 1865 switch (type) { 1866 case EAPOL_AUTH_SM_CHANGE: 1867 wpa_auth_sm_notify(sta->wpa_sm); 1868 break; 1869 case EAPOL_AUTH_REAUTHENTICATE: 1870 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1871 break; 1872 } 1873} 1874 1875 1876int ieee802_1x_init(struct hostapd_data *hapd) 1877{ 1878 int i; 1879 struct eapol_auth_config conf; 1880 struct eapol_auth_cb cb; 1881 1882 os_memset(&conf, 0, sizeof(conf)); 1883 conf.ctx = hapd; 1884 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1885 conf.wpa = hapd->conf->wpa; 1886 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1887 conf.eap_server = hapd->conf->eap_server; 1888 conf.ssl_ctx = hapd->ssl_ctx; 1889 conf.msg_ctx = hapd->msg_ctx; 1890 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1891 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1892 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1893 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1894 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1895 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1896 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1897 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1898 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1899 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1900 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1901 conf.tnc = hapd->conf->tnc; 1902 conf.wps = hapd->wps; 1903 conf.fragment_size = hapd->conf->fragment_size; 1904 conf.pwd_group = hapd->conf->pwd_group; 1905 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1906 if (hapd->conf->server_id) { 1907 conf.server_id = (const u8 *) hapd->conf->server_id; 1908 conf.server_id_len = os_strlen(hapd->conf->server_id); 1909 } else { 1910 conf.server_id = (const u8 *) "hostapd"; 1911 conf.server_id_len = 7; 1912 } 1913 1914 os_memset(&cb, 0, sizeof(cb)); 1915 cb.eapol_send = ieee802_1x_eapol_send; 1916 cb.aaa_send = ieee802_1x_aaa_send; 1917 cb.finished = _ieee802_1x_finished; 1918 cb.get_eap_user = ieee802_1x_get_eap_user; 1919 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1920 cb.logger = ieee802_1x_logger; 1921 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1922 cb.abort_auth = _ieee802_1x_abort_auth; 1923 cb.tx_key = _ieee802_1x_tx_key; 1924 cb.eapol_event = ieee802_1x_eapol_event; 1925 1926 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1927 if (hapd->eapol_auth == NULL) 1928 return -1; 1929 1930 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1931 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1932 return -1; 1933 1934#ifndef CONFIG_NO_RADIUS 1935 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1936 ieee802_1x_receive_auth, hapd)) 1937 return -1; 1938#endif /* CONFIG_NO_RADIUS */ 1939 1940 if (hapd->conf->default_wep_key_len) { 1941 for (i = 0; i < 4; i++) 1942 hostapd_drv_set_key(hapd->conf->iface, hapd, 1943 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1944 NULL, 0); 1945 1946 ieee802_1x_rekey(hapd, NULL); 1947 1948 if (hapd->eapol_auth->default_wep_key == NULL) 1949 return -1; 1950 } 1951 1952 return 0; 1953} 1954 1955 1956void ieee802_1x_deinit(struct hostapd_data *hapd) 1957{ 1958 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1959 1960 if (hapd->driver != NULL && 1961 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1962 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1963 1964 eapol_auth_deinit(hapd->eapol_auth); 1965 hapd->eapol_auth = NULL; 1966} 1967 1968 1969int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1970 const u8 *buf, size_t len, int ack) 1971{ 1972 struct ieee80211_hdr *hdr; 1973 u8 *pos; 1974 const unsigned char rfc1042_hdr[ETH_ALEN] = 1975 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1976 1977 if (sta == NULL) 1978 return -1; 1979 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1980 return 0; 1981 1982 hdr = (struct ieee80211_hdr *) buf; 1983 pos = (u8 *) (hdr + 1); 1984 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1985 return 0; 1986 pos += sizeof(rfc1042_hdr); 1987 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1988 return 0; 1989 pos += 2; 1990 1991 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1992 ack); 1993} 1994 1995 1996int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1997 const u8 *buf, int len, int ack) 1998{ 1999 const struct ieee802_1x_hdr *xhdr = 2000 (const struct ieee802_1x_hdr *) buf; 2001 const u8 *pos = buf + sizeof(*xhdr); 2002 struct ieee802_1x_eapol_key *key; 2003 2004 if (len < (int) sizeof(*xhdr)) 2005 return 0; 2006 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2007 "type=%d length=%d - ack=%d", 2008 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2009 be_to_host16(xhdr->length), ack); 2010 2011 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2012 return 0; 2013 2014 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2015 const struct wpa_eapol_key *wpa; 2016 wpa = (const struct wpa_eapol_key *) pos; 2017 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2018 wpa->type == EAPOL_KEY_TYPE_WPA) 2019 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2020 sta->wpa_sm, ack); 2021 } 2022 2023 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2024 * or Authenticator state machines, but EAPOL-Key packets are not 2025 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2026 * packets couple of times because otherwise STA keys become 2027 * unsynchronized with AP. */ 2028 if (!ack && pos + sizeof(*key) <= buf + len) { 2029 key = (struct ieee802_1x_eapol_key *) pos; 2030 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2031 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2032 "frame (%scast index=%d)", 2033 key->key_index & BIT(7) ? "uni" : "broad", 2034 key->key_index & ~BIT(7)); 2035 /* TODO: re-send EAPOL-Key couple of times (with short delay 2036 * between them?). If all attempt fail, report error and 2037 * deauthenticate STA so that it will get new keys when 2038 * authenticating again (e.g., after returning in range). 2039 * Separate limit/transmit state needed both for unicast and 2040 * broadcast keys(?) */ 2041 } 2042 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2043 * to here and change the key only if the EAPOL-Key packet was Acked. 2044 */ 2045 2046 return 1; 2047} 2048 2049 2050u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2051{ 2052 if (sm == NULL || sm->identity == NULL) 2053 return NULL; 2054 2055 *len = sm->identity_len; 2056 return sm->identity; 2057} 2058 2059 2060u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2061 int idx) 2062{ 2063 if (sm == NULL || sm->radius_class.attr == NULL || 2064 idx >= (int) sm->radius_class.count) 2065 return NULL; 2066 2067 *len = sm->radius_class.attr[idx].len; 2068 return sm->radius_class.attr[idx].data; 2069} 2070 2071 2072struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2073{ 2074 if (sm == NULL) 2075 return NULL; 2076 return sm->radius_cui; 2077} 2078 2079 2080const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2081{ 2082 *len = 0; 2083 if (sm == NULL) 2084 return NULL; 2085 2086 *len = sm->eap_if->eapKeyDataLen; 2087 return sm->eap_if->eapKeyData; 2088} 2089 2090 2091void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2092 int enabled) 2093{ 2094 if (sm == NULL) 2095 return; 2096 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2097 eapol_auth_step(sm); 2098} 2099 2100 2101void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2102 int valid) 2103{ 2104 if (sm == NULL) 2105 return; 2106 sm->portValid = valid ? TRUE : FALSE; 2107 eapol_auth_step(sm); 2108} 2109 2110 2111void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2112{ 2113 if (sm == NULL) 2114 return; 2115 if (pre_auth) 2116 sm->flags |= EAPOL_SM_PREAUTH; 2117 else 2118 sm->flags &= ~EAPOL_SM_PREAUTH; 2119} 2120 2121 2122static const char * bool_txt(Boolean bool) 2123{ 2124 return bool ? "TRUE" : "FALSE"; 2125} 2126 2127 2128int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2129{ 2130 /* TODO */ 2131 return 0; 2132} 2133 2134 2135int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2136 char *buf, size_t buflen) 2137{ 2138 int len = 0, ret; 2139 struct eapol_state_machine *sm = sta->eapol_sm; 2140 struct os_reltime diff; 2141 const char *name1; 2142 const char *name2; 2143 2144 if (sm == NULL) 2145 return 0; 2146 2147 ret = os_snprintf(buf + len, buflen - len, 2148 "dot1xPaePortNumber=%d\n" 2149 "dot1xPaePortProtocolVersion=%d\n" 2150 "dot1xPaePortCapabilities=1\n" 2151 "dot1xPaePortInitialize=%d\n" 2152 "dot1xPaePortReauthenticate=FALSE\n", 2153 sta->aid, 2154 EAPOL_VERSION, 2155 sm->initialize); 2156 if (ret < 0 || (size_t) ret >= buflen - len) 2157 return len; 2158 len += ret; 2159 2160 /* dot1xAuthConfigTable */ 2161 ret = os_snprintf(buf + len, buflen - len, 2162 "dot1xAuthPaeState=%d\n" 2163 "dot1xAuthBackendAuthState=%d\n" 2164 "dot1xAuthAdminControlledDirections=%d\n" 2165 "dot1xAuthOperControlledDirections=%d\n" 2166 "dot1xAuthAuthControlledPortStatus=%d\n" 2167 "dot1xAuthAuthControlledPortControl=%d\n" 2168 "dot1xAuthQuietPeriod=%u\n" 2169 "dot1xAuthServerTimeout=%u\n" 2170 "dot1xAuthReAuthPeriod=%u\n" 2171 "dot1xAuthReAuthEnabled=%s\n" 2172 "dot1xAuthKeyTxEnabled=%s\n", 2173 sm->auth_pae_state + 1, 2174 sm->be_auth_state + 1, 2175 sm->adminControlledDirections, 2176 sm->operControlledDirections, 2177 sm->authPortStatus, 2178 sm->portControl, 2179 sm->quietPeriod, 2180 sm->serverTimeout, 2181 sm->reAuthPeriod, 2182 bool_txt(sm->reAuthEnabled), 2183 bool_txt(sm->keyTxEnabled)); 2184 if (ret < 0 || (size_t) ret >= buflen - len) 2185 return len; 2186 len += ret; 2187 2188 /* dot1xAuthStatsTable */ 2189 ret = os_snprintf(buf + len, buflen - len, 2190 "dot1xAuthEapolFramesRx=%u\n" 2191 "dot1xAuthEapolFramesTx=%u\n" 2192 "dot1xAuthEapolStartFramesRx=%u\n" 2193 "dot1xAuthEapolLogoffFramesRx=%u\n" 2194 "dot1xAuthEapolRespIdFramesRx=%u\n" 2195 "dot1xAuthEapolRespFramesRx=%u\n" 2196 "dot1xAuthEapolReqIdFramesTx=%u\n" 2197 "dot1xAuthEapolReqFramesTx=%u\n" 2198 "dot1xAuthInvalidEapolFramesRx=%u\n" 2199 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2200 "dot1xAuthLastEapolFrameVersion=%u\n" 2201 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2202 sm->dot1xAuthEapolFramesRx, 2203 sm->dot1xAuthEapolFramesTx, 2204 sm->dot1xAuthEapolStartFramesRx, 2205 sm->dot1xAuthEapolLogoffFramesRx, 2206 sm->dot1xAuthEapolRespIdFramesRx, 2207 sm->dot1xAuthEapolRespFramesRx, 2208 sm->dot1xAuthEapolReqIdFramesTx, 2209 sm->dot1xAuthEapolReqFramesTx, 2210 sm->dot1xAuthInvalidEapolFramesRx, 2211 sm->dot1xAuthEapLengthErrorFramesRx, 2212 sm->dot1xAuthLastEapolFrameVersion, 2213 MAC2STR(sm->addr)); 2214 if (ret < 0 || (size_t) ret >= buflen - len) 2215 return len; 2216 len += ret; 2217 2218 /* dot1xAuthDiagTable */ 2219 ret = os_snprintf(buf + len, buflen - len, 2220 "dot1xAuthEntersConnecting=%u\n" 2221 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2222 "dot1xAuthEntersAuthenticating=%u\n" 2223 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2224 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2225 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2226 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2227 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2228 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2229 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2230 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2231 "dot1xAuthBackendResponses=%u\n" 2232 "dot1xAuthBackendAccessChallenges=%u\n" 2233 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2234 "dot1xAuthBackendAuthSuccesses=%u\n" 2235 "dot1xAuthBackendAuthFails=%u\n", 2236 sm->authEntersConnecting, 2237 sm->authEapLogoffsWhileConnecting, 2238 sm->authEntersAuthenticating, 2239 sm->authAuthSuccessesWhileAuthenticating, 2240 sm->authAuthTimeoutsWhileAuthenticating, 2241 sm->authAuthFailWhileAuthenticating, 2242 sm->authAuthEapStartsWhileAuthenticating, 2243 sm->authAuthEapLogoffWhileAuthenticating, 2244 sm->authAuthReauthsWhileAuthenticated, 2245 sm->authAuthEapStartsWhileAuthenticated, 2246 sm->authAuthEapLogoffWhileAuthenticated, 2247 sm->backendResponses, 2248 sm->backendAccessChallenges, 2249 sm->backendOtherRequestsToSupplicant, 2250 sm->backendAuthSuccesses, 2251 sm->backendAuthFails); 2252 if (ret < 0 || (size_t) ret >= buflen - len) 2253 return len; 2254 len += ret; 2255 2256 /* dot1xAuthSessionStatsTable */ 2257 os_reltime_age(&sta->acct_session_start, &diff); 2258 ret = os_snprintf(buf + len, buflen - len, 2259 /* TODO: dot1xAuthSessionOctetsRx */ 2260 /* TODO: dot1xAuthSessionOctetsTx */ 2261 /* TODO: dot1xAuthSessionFramesRx */ 2262 /* TODO: dot1xAuthSessionFramesTx */ 2263 "dot1xAuthSessionId=%08X-%08X\n" 2264 "dot1xAuthSessionAuthenticMethod=%d\n" 2265 "dot1xAuthSessionTime=%u\n" 2266 "dot1xAuthSessionTerminateCause=999\n" 2267 "dot1xAuthSessionUserName=%s\n", 2268 sta->acct_session_id_hi, sta->acct_session_id_lo, 2269 (wpa_key_mgmt_wpa_ieee8021x( 2270 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2271 1 : 2, 2272 (unsigned int) diff.sec, 2273 sm->identity); 2274 if (ret < 0 || (size_t) ret >= buflen - len) 2275 return len; 2276 len += ret; 2277 2278 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2279 name2 = eap_server_get_name(0, sm->eap_type_supp); 2280 ret = os_snprintf(buf + len, buflen - len, 2281 "last_eap_type_as=%d (%s)\n" 2282 "last_eap_type_sta=%d (%s)\n", 2283 sm->eap_type_authsrv, 2284 name1 ? name1 : "", 2285 sm->eap_type_supp, 2286 name2 ? name2 : ""); 2287 if (ret < 0 || (size_t) ret >= buflen - len) 2288 return len; 2289 len += ret; 2290 2291 return len; 2292} 2293 2294 2295static void ieee802_1x_finished(struct hostapd_data *hapd, 2296 struct sta_info *sta, int success, 2297 int remediation) 2298{ 2299 const u8 *key; 2300 size_t len; 2301 /* TODO: get PMKLifetime from WPA parameters */ 2302 static const int dot11RSNAConfigPMKLifetime = 43200; 2303 2304#ifdef CONFIG_HS20 2305 if (remediation && !sta->remediation) { 2306 sta->remediation = 1; 2307 os_free(sta->remediation_url); 2308 sta->remediation_url = 2309 os_strdup(hapd->conf->subscr_remediation_url); 2310 sta->remediation_method = 1; /* SOAP-XML SPP */ 2311 } 2312 2313 if (success) { 2314 if (sta->remediation) { 2315 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2316 "to " MACSTR " to indicate Subscription " 2317 "Remediation", 2318 MAC2STR(sta->addr)); 2319 hs20_send_wnm_notification(hapd, sta->addr, 2320 sta->remediation_method, 2321 sta->remediation_url); 2322 os_free(sta->remediation_url); 2323 sta->remediation_url = NULL; 2324 } 2325 2326 if (sta->hs20_deauth_req) { 2327 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2328 "to " MACSTR " to indicate imminent " 2329 "deauthentication", MAC2STR(sta->addr)); 2330 hs20_send_wnm_notification_deauth_req( 2331 hapd, sta->addr, sta->hs20_deauth_req); 2332 } 2333 } 2334#endif /* CONFIG_HS20 */ 2335 2336 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2337 if (success && key && len >= PMK_LEN && !sta->remediation && 2338 !sta->hs20_deauth_requested && 2339 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2340 sta->eapol_sm) == 0) { 2341 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2342 HOSTAPD_LEVEL_DEBUG, 2343 "Added PMKSA cache entry (IEEE 802.1X)"); 2344 } 2345 2346 if (!success) { 2347 /* 2348 * Many devices require deauthentication after WPS provisioning 2349 * and some may not be be able to do that themselves, so 2350 * disconnect the client here. In addition, this may also 2351 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2352 * the EAPOL PAE state machine would remain in HELD state for 2353 * considerable amount of time and some EAP methods, like 2354 * EAP-FAST with anonymous provisioning, may require another 2355 * EAPOL authentication to be started to complete connection. 2356 */ 2357 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2358 "disconnection after EAP-Failure"); 2359 /* Add a small sleep to increase likelihood of previously 2360 * requested EAP-Failure TX getting out before this should the 2361 * driver reorder operations. 2362 */ 2363 os_sleep(0, 10000); 2364 ap_sta_disconnect(hapd, sta, sta->addr, 2365 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2366 hostapd_wps_eap_completed(hapd); 2367 } 2368} 2369