ieee802_1x.c revision 1d755d025b206e22b06aeb322e25a79f98ca7777
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "wps_hostapd.h" 33#include "hs20.h" 34#include "ieee802_1x.h" 35 36 37static void ieee802_1x_finished(struct hostapd_data *hapd, 38 struct sta_info *sta, int success, 39 int remediation); 40 41 42static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 43 u8 type, const u8 *data, size_t datalen) 44{ 45 u8 *buf; 46 struct ieee802_1x_hdr *xhdr; 47 size_t len; 48 int encrypt = 0; 49 50 len = sizeof(*xhdr) + datalen; 51 buf = os_zalloc(len); 52 if (buf == NULL) { 53 wpa_printf(MSG_ERROR, "malloc() failed for " 54 "ieee802_1x_send(len=%lu)", 55 (unsigned long) len); 56 return; 57 } 58 59 xhdr = (struct ieee802_1x_hdr *) buf; 60 xhdr->version = hapd->conf->eapol_version; 61 xhdr->type = type; 62 xhdr->length = host_to_be16(datalen); 63 64 if (datalen > 0 && data != NULL) 65 os_memcpy(xhdr + 1, data, datalen); 66 67 if (wpa_auth_pairwise_set(sta->wpa_sm)) 68 encrypt = 1; 69#ifdef CONFIG_TESTING_OPTIONS 70 if (hapd->ext_eapol_frame_io) { 71 size_t hex_len = 2 * len + 1; 72 char *hex = os_malloc(hex_len); 73 74 if (hex) { 75 wpa_snprintf_hex(hex, hex_len, buf, len); 76 wpa_msg(hapd->msg_ctx, MSG_INFO, 77 "EAPOL-TX " MACSTR " %s", 78 MAC2STR(sta->addr), hex); 79 os_free(hex); 80 } 81 } else 82#endif /* CONFIG_TESTING_OPTIONS */ 83 if (sta->flags & WLAN_STA_PREAUTH) { 84 rsn_preauth_send(hapd, sta, buf, len); 85 } else { 86 hostapd_drv_hapd_send_eapol( 87 hapd, sta->addr, buf, len, 88 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 89 } 90 91 os_free(buf); 92} 93 94 95void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 96 struct sta_info *sta, int authorized) 97{ 98 int res; 99 100 if (sta->flags & WLAN_STA_PREAUTH) 101 return; 102 103 if (authorized) { 104 ap_sta_set_authorized(hapd, sta, 1); 105 res = hostapd_set_authorized(hapd, sta, 1); 106 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 107 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 108 } else { 109 ap_sta_set_authorized(hapd, sta, 0); 110 res = hostapd_set_authorized(hapd, sta, 0); 111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 112 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 113 } 114 115 if (res && errno != ENOENT) { 116 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 117 " flags for kernel driver (errno=%d).", 118 MAC2STR(sta->addr), errno); 119 } 120 121 if (authorized) { 122 os_get_reltime(&sta->connected_time); 123 accounting_sta_start(hapd, sta); 124 } 125} 126 127 128static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 129 struct sta_info *sta, 130 int idx, int broadcast, 131 u8 *key_data, size_t key_len) 132{ 133 u8 *buf, *ekey; 134 struct ieee802_1x_hdr *hdr; 135 struct ieee802_1x_eapol_key *key; 136 size_t len, ekey_len; 137 struct eapol_state_machine *sm = sta->eapol_sm; 138 139 if (sm == NULL) 140 return; 141 142 len = sizeof(*key) + key_len; 143 buf = os_zalloc(sizeof(*hdr) + len); 144 if (buf == NULL) 145 return; 146 147 hdr = (struct ieee802_1x_hdr *) buf; 148 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 149 key->type = EAPOL_KEY_TYPE_RC4; 150 WPA_PUT_BE16(key->key_length, key_len); 151 wpa_get_ntp_timestamp(key->replay_counter); 152 153 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 154 wpa_printf(MSG_ERROR, "Could not get random numbers"); 155 os_free(buf); 156 return; 157 } 158 159 key->key_index = idx | (broadcast ? 0 : BIT(7)); 160 if (hapd->conf->eapol_key_index_workaround) { 161 /* According to some information, WinXP Supplicant seems to 162 * interpret bit7 as an indication whether the key is to be 163 * activated, so make it possible to enable workaround that 164 * sets this bit for all keys. */ 165 key->key_index |= BIT(7); 166 } 167 168 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 169 * MSK[32..63] is used to sign the message. */ 170 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 171 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 172 "and signing EAPOL-Key"); 173 os_free(buf); 174 return; 175 } 176 os_memcpy((u8 *) (key + 1), key_data, key_len); 177 ekey_len = sizeof(key->key_iv) + 32; 178 ekey = os_malloc(ekey_len); 179 if (ekey == NULL) { 180 wpa_printf(MSG_ERROR, "Could not encrypt key"); 181 os_free(buf); 182 return; 183 } 184 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 185 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 186 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 187 os_free(ekey); 188 189 /* This header is needed here for HMAC-MD5, but it will be regenerated 190 * in ieee802_1x_send() */ 191 hdr->version = hapd->conf->eapol_version; 192 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 193 hdr->length = host_to_be16(len); 194 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 195 key->key_signature); 196 197 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 198 " (%s index=%d)", MAC2STR(sm->addr), 199 broadcast ? "broadcast" : "unicast", idx); 200 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 201 if (sta->eapol_sm) 202 sta->eapol_sm->dot1xAuthEapolFramesTx++; 203 os_free(buf); 204} 205 206 207void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 208{ 209 struct eapol_authenticator *eapol = hapd->eapol_auth; 210 struct eapol_state_machine *sm = sta->eapol_sm; 211 212 if (sm == NULL || !sm->eap_if->eapKeyData) 213 return; 214 215 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 216 MAC2STR(sta->addr)); 217 218#ifndef CONFIG_NO_VLAN 219 if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 220 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 221 return; 222 } 223#endif /* CONFIG_NO_VLAN */ 224 225 if (eapol->default_wep_key) { 226 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 227 eapol->default_wep_key, 228 hapd->conf->default_wep_key_len); 229 } 230 231 if (hapd->conf->individual_wep_key_len > 0) { 232 u8 *ikey; 233 ikey = os_malloc(hapd->conf->individual_wep_key_len); 234 if (ikey == NULL || 235 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 236 { 237 wpa_printf(MSG_ERROR, "Could not generate random " 238 "individual WEP key."); 239 os_free(ikey); 240 return; 241 } 242 243 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 244 ikey, hapd->conf->individual_wep_key_len); 245 246 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 247 hapd->conf->individual_wep_key_len); 248 249 /* TODO: set encryption in TX callback, i.e., only after STA 250 * has ACKed EAPOL-Key frame */ 251 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 252 sta->addr, 0, 1, NULL, 0, ikey, 253 hapd->conf->individual_wep_key_len)) { 254 wpa_printf(MSG_ERROR, "Could not set individual WEP " 255 "encryption."); 256 } 257 258 os_free(ikey); 259 } 260} 261 262 263const char *radius_mode_txt(struct hostapd_data *hapd) 264{ 265 switch (hapd->iface->conf->hw_mode) { 266 case HOSTAPD_MODE_IEEE80211AD: 267 return "802.11ad"; 268 case HOSTAPD_MODE_IEEE80211A: 269 return "802.11a"; 270 case HOSTAPD_MODE_IEEE80211G: 271 return "802.11g"; 272 case HOSTAPD_MODE_IEEE80211B: 273 default: 274 return "802.11b"; 275 } 276} 277 278 279int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 280{ 281 int i; 282 u8 rate = 0; 283 284 for (i = 0; i < sta->supported_rates_len; i++) 285 if ((sta->supported_rates[i] & 0x7f) > rate) 286 rate = sta->supported_rates[i] & 0x7f; 287 288 return rate; 289} 290 291 292#ifndef CONFIG_NO_RADIUS 293static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 294 struct eapol_state_machine *sm, 295 const u8 *eap, size_t len) 296{ 297 const u8 *identity; 298 size_t identity_len; 299 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 300 301 if (len <= sizeof(struct eap_hdr) || 302 (hdr->code == EAP_CODE_RESPONSE && 303 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 304 (hdr->code == EAP_CODE_INITIATE && 305 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 306 (hdr->code != EAP_CODE_RESPONSE && 307 hdr->code != EAP_CODE_INITIATE)) 308 return; 309 310 identity = eap_get_identity(sm->eap, &identity_len); 311 if (identity == NULL) 312 return; 313 314 /* Save station identity for future RADIUS packets */ 315 os_free(sm->identity); 316 sm->identity = (u8 *) dup_binstr(identity, identity_len); 317 if (sm->identity == NULL) { 318 sm->identity_len = 0; 319 return; 320 } 321 322 sm->identity_len = identity_len; 323 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 324 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 325 sm->dot1xAuthEapolRespIdFramesRx++; 326} 327 328 329static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 330 struct hostapd_radius_attr *req_attr, 331 struct sta_info *sta, 332 struct radius_msg *msg) 333{ 334 u32 suite; 335 int ver, val; 336 337 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 338 val = wpa_auth_get_pairwise(sta->wpa_sm); 339 suite = wpa_cipher_to_suite(ver, val); 340 if (val != -1 && 341 !hostapd_config_get_radius_attr(req_attr, 342 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 343 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 344 suite)) { 345 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 346 return -1; 347 } 348 349 suite = wpa_cipher_to_suite((hapd->conf->wpa & 0x2) ? 350 WPA_PROTO_RSN : WPA_PROTO_WPA, 351 hapd->conf->wpa_group); 352 if (!hostapd_config_get_radius_attr(req_attr, 353 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 354 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 355 suite)) { 356 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 357 return -1; 358 } 359 360 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 361 suite = wpa_akm_to_suite(val); 362 if (val != -1 && 363 !hostapd_config_get_radius_attr(req_attr, 364 RADIUS_ATTR_WLAN_AKM_SUITE) && 365 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 366 suite)) { 367 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 368 return -1; 369 } 370 371#ifdef CONFIG_IEEE80211W 372 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 373 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 374 hapd->conf->group_mgmt_cipher); 375 if (!hostapd_config_get_radius_attr( 376 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 377 !radius_msg_add_attr_int32( 378 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 379 wpa_printf(MSG_ERROR, 380 "Could not add WLAN-Group-Mgmt-Cipher"); 381 return -1; 382 } 383 } 384#endif /* CONFIG_IEEE80211W */ 385 386 return 0; 387} 388 389 390static int add_common_radius_sta_attr(struct hostapd_data *hapd, 391 struct hostapd_radius_attr *req_attr, 392 struct sta_info *sta, 393 struct radius_msg *msg) 394{ 395 char buf[128]; 396 397 if (!hostapd_config_get_radius_attr(req_attr, 398 RADIUS_ATTR_NAS_PORT) && 399 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 400 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 401 return -1; 402 } 403 404 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 405 MAC2STR(sta->addr)); 406 buf[sizeof(buf) - 1] = '\0'; 407 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 408 (u8 *) buf, os_strlen(buf))) { 409 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 410 return -1; 411 } 412 413 if (sta->flags & WLAN_STA_PREAUTH) { 414 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 415 sizeof(buf)); 416 } else { 417 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 418 radius_sta_rate(hapd, sta) / 2, 419 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 420 radius_mode_txt(hapd)); 421 buf[sizeof(buf) - 1] = '\0'; 422 } 423 if (!hostapd_config_get_radius_attr(req_attr, 424 RADIUS_ATTR_CONNECT_INFO) && 425 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 426 (u8 *) buf, os_strlen(buf))) { 427 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 428 return -1; 429 } 430 431 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 432 os_snprintf(buf, sizeof(buf), "%08X-%08X", 433 sta->acct_session_id_hi, sta->acct_session_id_lo); 434 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 435 (u8 *) buf, os_strlen(buf))) { 436 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 437 return -1; 438 } 439 } 440 441#ifdef CONFIG_IEEE80211R 442 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 443 sta->wpa_sm && 444 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 445 sta->auth_alg == WLAN_AUTH_FT) && 446 !hostapd_config_get_radius_attr(req_attr, 447 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 448 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 449 WPA_GET_BE16( 450 hapd->conf->mobility_domain))) { 451 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 452 return -1; 453 } 454#endif /* CONFIG_IEEE80211R */ 455 456 if (hapd->conf->wpa && sta->wpa_sm && 457 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 458 return -1; 459 460 return 0; 461} 462 463 464int add_common_radius_attr(struct hostapd_data *hapd, 465 struct hostapd_radius_attr *req_attr, 466 struct sta_info *sta, 467 struct radius_msg *msg) 468{ 469 char buf[128]; 470 struct hostapd_radius_attr *attr; 471 472 if (!hostapd_config_get_radius_attr(req_attr, 473 RADIUS_ATTR_NAS_IP_ADDRESS) && 474 hapd->conf->own_ip_addr.af == AF_INET && 475 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 476 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 477 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 478 return -1; 479 } 480 481#ifdef CONFIG_IPV6 482 if (!hostapd_config_get_radius_attr(req_attr, 483 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 484 hapd->conf->own_ip_addr.af == AF_INET6 && 485 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 486 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 487 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 488 return -1; 489 } 490#endif /* CONFIG_IPV6 */ 491 492 if (!hostapd_config_get_radius_attr(req_attr, 493 RADIUS_ATTR_NAS_IDENTIFIER) && 494 hapd->conf->nas_identifier && 495 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 496 (u8 *) hapd->conf->nas_identifier, 497 os_strlen(hapd->conf->nas_identifier))) { 498 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 499 return -1; 500 } 501 502 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 503 MAC2STR(hapd->own_addr), 504 wpa_ssid_txt(hapd->conf->ssid.ssid, 505 hapd->conf->ssid.ssid_len)); 506 buf[sizeof(buf) - 1] = '\0'; 507 if (!hostapd_config_get_radius_attr(req_attr, 508 RADIUS_ATTR_CALLED_STATION_ID) && 509 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 510 (u8 *) buf, os_strlen(buf))) { 511 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 512 return -1; 513 } 514 515 if (!hostapd_config_get_radius_attr(req_attr, 516 RADIUS_ATTR_NAS_PORT_TYPE) && 517 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 518 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 519 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 520 return -1; 521 } 522 523#ifdef CONFIG_INTERWORKING 524 if (hapd->conf->interworking && 525 !is_zero_ether_addr(hapd->conf->hessid)) { 526 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 527 MAC2STR(hapd->conf->hessid)); 528 buf[sizeof(buf) - 1] = '\0'; 529 if (!hostapd_config_get_radius_attr(req_attr, 530 RADIUS_ATTR_WLAN_HESSID) && 531 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 532 (u8 *) buf, os_strlen(buf))) { 533 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 534 return -1; 535 } 536 } 537#endif /* CONFIG_INTERWORKING */ 538 539 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 540 return -1; 541 542 for (attr = req_attr; attr; attr = attr->next) { 543 if (!radius_msg_add_attr(msg, attr->type, 544 wpabuf_head(attr->val), 545 wpabuf_len(attr->val))) { 546 wpa_printf(MSG_ERROR, "Could not add RADIUS " 547 "attribute"); 548 return -1; 549 } 550 } 551 552 return 0; 553} 554 555 556static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 557 struct sta_info *sta, 558 const u8 *eap, size_t len) 559{ 560 struct radius_msg *msg; 561 struct eapol_state_machine *sm = sta->eapol_sm; 562 563 if (sm == NULL) 564 return; 565 566 ieee802_1x_learn_identity(hapd, sm, eap, len); 567 568 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 569 "packet"); 570 571 sm->radius_identifier = radius_client_get_id(hapd->radius); 572 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 573 sm->radius_identifier); 574 if (msg == NULL) { 575 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 576 return; 577 } 578 579 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 580 581 if (sm->identity && 582 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 583 sm->identity, sm->identity_len)) { 584 wpa_printf(MSG_INFO, "Could not add User-Name"); 585 goto fail; 586 } 587 588 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 589 msg) < 0) 590 goto fail; 591 592 /* TODO: should probably check MTU from driver config; 2304 is max for 593 * IEEE 802.11, but use 1400 to avoid problems with too large packets 594 */ 595 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 596 RADIUS_ATTR_FRAMED_MTU) && 597 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 598 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 599 goto fail; 600 } 601 602 if (eap && !radius_msg_add_eap(msg, eap, len)) { 603 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 604 goto fail; 605 } 606 607 /* State attribute must be copied if and only if this packet is 608 * Access-Request reply to the previous Access-Challenge */ 609 if (sm->last_recv_radius && 610 radius_msg_get_hdr(sm->last_recv_radius)->code == 611 RADIUS_CODE_ACCESS_CHALLENGE) { 612 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 613 RADIUS_ATTR_STATE); 614 if (res < 0) { 615 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 616 goto fail; 617 } 618 if (res > 0) { 619 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 620 } 621 } 622 623 if (hapd->conf->radius_request_cui) { 624 const u8 *cui; 625 size_t cui_len; 626 /* Add previously learned CUI or nul CUI to request CUI */ 627 if (sm->radius_cui) { 628 cui = wpabuf_head(sm->radius_cui); 629 cui_len = wpabuf_len(sm->radius_cui); 630 } else { 631 cui = (const u8 *) "\0"; 632 cui_len = 1; 633 } 634 if (!radius_msg_add_attr(msg, 635 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 636 cui, cui_len)) { 637 wpa_printf(MSG_ERROR, "Could not add CUI"); 638 goto fail; 639 } 640 } 641 642#ifdef CONFIG_HS20 643 if (hapd->conf->hs20) { 644 u8 ver = 1; /* Release 2 */ 645 if (!radius_msg_add_wfa( 646 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 647 &ver, 1)) { 648 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 649 "version"); 650 goto fail; 651 } 652 653 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 654 const u8 *pos; 655 u8 buf[3]; 656 u16 id; 657 pos = wpabuf_head_u8(sta->hs20_ie); 658 buf[0] = (*pos) >> 4; 659 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 660 wpabuf_len(sta->hs20_ie) >= 3) 661 id = WPA_GET_LE16(pos + 1); 662 else 663 id = 0; 664 WPA_PUT_BE16(buf + 1, id); 665 if (!radius_msg_add_wfa( 666 msg, 667 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 668 buf, sizeof(buf))) { 669 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 670 "STA version"); 671 goto fail; 672 } 673 } 674 } 675#endif /* CONFIG_HS20 */ 676 677 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 678 goto fail; 679 680 return; 681 682 fail: 683 radius_msg_free(msg); 684} 685#endif /* CONFIG_NO_RADIUS */ 686 687 688static void handle_eap_response(struct hostapd_data *hapd, 689 struct sta_info *sta, struct eap_hdr *eap, 690 size_t len) 691{ 692 u8 type, *data; 693 struct eapol_state_machine *sm = sta->eapol_sm; 694 if (sm == NULL) 695 return; 696 697 data = (u8 *) (eap + 1); 698 699 if (len < sizeof(*eap) + 1) { 700 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 701 return; 702 } 703 704 sm->eap_type_supp = type = data[0]; 705 706 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 707 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 708 "id=%d len=%d) from STA: EAP Response-%s (%d)", 709 eap->code, eap->identifier, be_to_host16(eap->length), 710 eap_server_get_name(0, type), type); 711 712 sm->dot1xAuthEapolRespFramesRx++; 713 714 wpabuf_free(sm->eap_if->eapRespData); 715 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 716 sm->eapolEap = TRUE; 717} 718 719 720static void handle_eap_initiate(struct hostapd_data *hapd, 721 struct sta_info *sta, struct eap_hdr *eap, 722 size_t len) 723{ 724#ifdef CONFIG_ERP 725 u8 type, *data; 726 struct eapol_state_machine *sm = sta->eapol_sm; 727 728 if (sm == NULL) 729 return; 730 731 if (len < sizeof(*eap) + 1) { 732 wpa_printf(MSG_INFO, 733 "handle_eap_initiate: too short response data"); 734 return; 735 } 736 737 data = (u8 *) (eap + 1); 738 type = data[0]; 739 740 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 741 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 742 "id=%d len=%d) from STA: EAP Initiate type %u", 743 eap->code, eap->identifier, be_to_host16(eap->length), 744 type); 745 746 wpabuf_free(sm->eap_if->eapRespData); 747 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 748 sm->eapolEap = TRUE; 749#endif /* CONFIG_ERP */ 750} 751 752 753/* Process incoming EAP packet from Supplicant */ 754static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 755 u8 *buf, size_t len) 756{ 757 struct eap_hdr *eap; 758 u16 eap_len; 759 760 if (len < sizeof(*eap)) { 761 wpa_printf(MSG_INFO, " too short EAP packet"); 762 return; 763 } 764 765 eap = (struct eap_hdr *) buf; 766 767 eap_len = be_to_host16(eap->length); 768 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 769 eap->code, eap->identifier, eap_len); 770 if (eap_len < sizeof(*eap)) { 771 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 772 return; 773 } else if (eap_len > len) { 774 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 775 "packet"); 776 return; 777 } else if (eap_len < len) { 778 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 779 "packet", (unsigned long) len - eap_len); 780 } 781 782 switch (eap->code) { 783 case EAP_CODE_REQUEST: 784 wpa_printf(MSG_DEBUG, " (request)"); 785 return; 786 case EAP_CODE_RESPONSE: 787 wpa_printf(MSG_DEBUG, " (response)"); 788 handle_eap_response(hapd, sta, eap, eap_len); 789 break; 790 case EAP_CODE_SUCCESS: 791 wpa_printf(MSG_DEBUG, " (success)"); 792 return; 793 case EAP_CODE_FAILURE: 794 wpa_printf(MSG_DEBUG, " (failure)"); 795 return; 796 case EAP_CODE_INITIATE: 797 wpa_printf(MSG_DEBUG, " (initiate)"); 798 handle_eap_initiate(hapd, sta, eap, eap_len); 799 break; 800 case EAP_CODE_FINISH: 801 wpa_printf(MSG_DEBUG, " (finish)"); 802 break; 803 default: 804 wpa_printf(MSG_DEBUG, " (unknown code)"); 805 return; 806 } 807} 808 809 810static struct eapol_state_machine * 811ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 812{ 813 int flags = 0; 814 if (sta->flags & WLAN_STA_PREAUTH) 815 flags |= EAPOL_SM_PREAUTH; 816 if (sta->wpa_sm) { 817 flags |= EAPOL_SM_USES_WPA; 818 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 819 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 820 } 821 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 822 sta->wps_ie, sta->p2p_ie, sta, 823 sta->identity, sta->radius_cui); 824} 825 826 827/** 828 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 829 * @hapd: hostapd BSS data 830 * @sa: Source address (sender of the EAPOL frame) 831 * @buf: EAPOL frame 832 * @len: Length of buf in octets 833 * 834 * This function is called for each incoming EAPOL frame from the interface 835 */ 836void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 837 size_t len) 838{ 839 struct sta_info *sta; 840 struct ieee802_1x_hdr *hdr; 841 struct ieee802_1x_eapol_key *key; 842 u16 datalen; 843 struct rsn_pmksa_cache_entry *pmksa; 844 int key_mgmt; 845 846 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 847 !hapd->conf->wps_state) 848 return; 849 850 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 851 (unsigned long) len, MAC2STR(sa)); 852 sta = ap_get_sta(hapd, sa); 853 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 854 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 855 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 856 "associated/Pre-authenticating STA"); 857 return; 858 } 859 860 if (len < sizeof(*hdr)) { 861 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 862 return; 863 } 864 865 hdr = (struct ieee802_1x_hdr *) buf; 866 datalen = be_to_host16(hdr->length); 867 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 868 hdr->version, hdr->type, datalen); 869 870 if (len - sizeof(*hdr) < datalen) { 871 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 872 if (sta->eapol_sm) 873 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 874 return; 875 } 876 if (len - sizeof(*hdr) > datalen) { 877 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 878 "IEEE 802.1X packet", 879 (unsigned long) len - sizeof(*hdr) - datalen); 880 } 881 882 if (sta->eapol_sm) { 883 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 884 sta->eapol_sm->dot1xAuthEapolFramesRx++; 885 } 886 887 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 888 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 889 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 890 (key->type == EAPOL_KEY_TYPE_WPA || 891 key->type == EAPOL_KEY_TYPE_RSN)) { 892 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 893 sizeof(*hdr) + datalen); 894 return; 895 } 896 897 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 898 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 899 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 900 "802.1X not enabled and WPS not used"); 901 return; 902 } 903 904 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 905 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 906 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 907 "STA is using PSK"); 908 return; 909 } 910 911 if (!sta->eapol_sm) { 912 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 913 if (!sta->eapol_sm) 914 return; 915 916#ifdef CONFIG_WPS 917 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 918 u32 wflags = sta->flags & (WLAN_STA_WPS | 919 WLAN_STA_WPS2 | 920 WLAN_STA_MAYBE_WPS); 921 if (wflags == WLAN_STA_MAYBE_WPS || 922 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 923 /* 924 * Delay EAPOL frame transmission until a 925 * possible WPS STA initiates the handshake 926 * with EAPOL-Start. Only allow the wait to be 927 * skipped if the STA is known to support WPS 928 * 2.0. 929 */ 930 wpa_printf(MSG_DEBUG, "WPS: Do not start " 931 "EAPOL until EAPOL-Start is " 932 "received"); 933 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 934 } 935 } 936#endif /* CONFIG_WPS */ 937 938 sta->eapol_sm->eap_if->portEnabled = TRUE; 939 } 940 941 /* since we support version 1, we can ignore version field and proceed 942 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 943 /* TODO: actually, we are not version 1 anymore.. However, Version 2 944 * does not change frame contents, so should be ok to process frames 945 * more or less identically. Some changes might be needed for 946 * verification of fields. */ 947 948 switch (hdr->type) { 949 case IEEE802_1X_TYPE_EAP_PACKET: 950 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 951 break; 952 953 case IEEE802_1X_TYPE_EAPOL_START: 954 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 955 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 956 "from STA"); 957 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 958 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 959 if (pmksa) { 960 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 961 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 962 "available - ignore it since " 963 "STA sent EAPOL-Start"); 964 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 965 } 966 sta->eapol_sm->eapolStart = TRUE; 967 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 968 eap_server_clear_identity(sta->eapol_sm->eap); 969 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 970 break; 971 972 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 973 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 974 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 975 "from STA"); 976 sta->acct_terminate_cause = 977 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 978 accounting_sta_stop(hapd, sta); 979 sta->eapol_sm->eapolLogoff = TRUE; 980 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 981 eap_server_clear_identity(sta->eapol_sm->eap); 982 break; 983 984 case IEEE802_1X_TYPE_EAPOL_KEY: 985 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 986 if (!ap_sta_is_authorized(sta)) { 987 wpa_printf(MSG_DEBUG, " Dropped key data from " 988 "unauthorized Supplicant"); 989 break; 990 } 991 break; 992 993 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 994 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 995 /* TODO: implement support for this; show data */ 996 break; 997 998 default: 999 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1000 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1001 break; 1002 } 1003 1004 eapol_auth_step(sta->eapol_sm); 1005} 1006 1007 1008/** 1009 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1010 * @hapd: hostapd BSS data 1011 * @sta: The station 1012 * 1013 * This function is called to start IEEE 802.1X authentication when a new 1014 * station completes IEEE 802.11 association. 1015 */ 1016void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1017{ 1018 struct rsn_pmksa_cache_entry *pmksa; 1019 int reassoc = 1; 1020 int force_1x = 0; 1021 int key_mgmt; 1022 1023#ifdef CONFIG_WPS 1024 if (hapd->conf->wps_state && 1025 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1026 (sta->flags & WLAN_STA_WPS))) { 1027 /* 1028 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1029 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1030 * authentication in this BSS. 1031 */ 1032 force_1x = 1; 1033 } 1034#endif /* CONFIG_WPS */ 1035 1036 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1037 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1038 "802.1X not enabled or forced for WPS"); 1039 /* 1040 * Clear any possible EAPOL authenticator state to support 1041 * reassociation change from WPS to PSK. 1042 */ 1043 ieee802_1x_free_station(sta); 1044 return; 1045 } 1046 1047 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1048 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1049 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1050 /* 1051 * Clear any possible EAPOL authenticator state to support 1052 * reassociation change from WPA-EAP to PSK. 1053 */ 1054 ieee802_1x_free_station(sta); 1055 return; 1056 } 1057 1058 if (sta->eapol_sm == NULL) { 1059 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1060 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1061 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1062 if (sta->eapol_sm == NULL) { 1063 hostapd_logger(hapd, sta->addr, 1064 HOSTAPD_MODULE_IEEE8021X, 1065 HOSTAPD_LEVEL_INFO, 1066 "failed to allocate state machine"); 1067 return; 1068 } 1069 reassoc = 0; 1070 } 1071 1072#ifdef CONFIG_WPS 1073 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1074 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1075 !(sta->flags & WLAN_STA_WPS2)) { 1076 /* 1077 * Delay EAPOL frame transmission until a possible WPS STA 1078 * initiates the handshake with EAPOL-Start. Only allow the 1079 * wait to be skipped if the STA is known to support WPS 2.0. 1080 */ 1081 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1082 "EAPOL-Start is received"); 1083 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1084 } 1085#endif /* CONFIG_WPS */ 1086 1087 sta->eapol_sm->eap_if->portEnabled = TRUE; 1088 1089#ifdef CONFIG_IEEE80211R 1090 if (sta->auth_alg == WLAN_AUTH_FT) { 1091 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1092 HOSTAPD_LEVEL_DEBUG, 1093 "PMK from FT - skip IEEE 802.1X/EAP"); 1094 /* Setup EAPOL state machines to already authenticated state 1095 * because of existing FT information from R0KH. */ 1096 sta->eapol_sm->keyRun = TRUE; 1097 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1098 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1099 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1100 sta->eapol_sm->authSuccess = TRUE; 1101 sta->eapol_sm->authFail = FALSE; 1102 if (sta->eapol_sm->eap) 1103 eap_sm_notify_cached(sta->eapol_sm->eap); 1104 /* TODO: get vlan_id from R0KH using RRB message */ 1105 return; 1106 } 1107#endif /* CONFIG_IEEE80211R */ 1108 1109 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1110 if (pmksa) { 1111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1112 HOSTAPD_LEVEL_DEBUG, 1113 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1114 /* Setup EAPOL state machines to already authenticated state 1115 * because of existing PMKSA information in the cache. */ 1116 sta->eapol_sm->keyRun = TRUE; 1117 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1118 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1119 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1120 sta->eapol_sm->authSuccess = TRUE; 1121 sta->eapol_sm->authFail = FALSE; 1122 if (sta->eapol_sm->eap) 1123 eap_sm_notify_cached(sta->eapol_sm->eap); 1124 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1125 ap_sta_bind_vlan(hapd, sta); 1126 } else { 1127 if (reassoc) { 1128 /* 1129 * Force EAPOL state machines to start 1130 * re-authentication without having to wait for the 1131 * Supplicant to send EAPOL-Start. 1132 */ 1133 sta->eapol_sm->reAuthenticate = TRUE; 1134 } 1135 eapol_auth_step(sta->eapol_sm); 1136 } 1137} 1138 1139 1140void ieee802_1x_free_station(struct sta_info *sta) 1141{ 1142 struct eapol_state_machine *sm = sta->eapol_sm; 1143 1144 if (sm == NULL) 1145 return; 1146 1147 sta->eapol_sm = NULL; 1148 1149#ifndef CONFIG_NO_RADIUS 1150 radius_msg_free(sm->last_recv_radius); 1151 radius_free_class(&sm->radius_class); 1152 wpabuf_free(sm->radius_cui); 1153#endif /* CONFIG_NO_RADIUS */ 1154 1155 os_free(sm->identity); 1156 eapol_auth_free(sm); 1157} 1158 1159 1160#ifndef CONFIG_NO_RADIUS 1161static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1162 struct sta_info *sta) 1163{ 1164 struct wpabuf *eap; 1165 const struct eap_hdr *hdr; 1166 int eap_type = -1; 1167 char buf[64]; 1168 struct radius_msg *msg; 1169 struct eapol_state_machine *sm = sta->eapol_sm; 1170 1171 if (sm == NULL || sm->last_recv_radius == NULL) { 1172 if (sm) 1173 sm->eap_if->aaaEapNoReq = TRUE; 1174 return; 1175 } 1176 1177 msg = sm->last_recv_radius; 1178 1179 eap = radius_msg_get_eap(msg); 1180 if (eap == NULL) { 1181 /* RFC 3579, Chap. 2.6.3: 1182 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1183 * attribute */ 1184 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1185 HOSTAPD_LEVEL_WARNING, "could not extract " 1186 "EAP-Message from RADIUS message"); 1187 sm->eap_if->aaaEapNoReq = TRUE; 1188 return; 1189 } 1190 1191 if (wpabuf_len(eap) < sizeof(*hdr)) { 1192 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1193 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1194 "received from authentication server"); 1195 wpabuf_free(eap); 1196 sm->eap_if->aaaEapNoReq = TRUE; 1197 return; 1198 } 1199 1200 if (wpabuf_len(eap) > sizeof(*hdr)) 1201 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1202 1203 hdr = wpabuf_head(eap); 1204 switch (hdr->code) { 1205 case EAP_CODE_REQUEST: 1206 if (eap_type >= 0) 1207 sm->eap_type_authsrv = eap_type; 1208 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1209 eap_server_get_name(0, eap_type), eap_type); 1210 break; 1211 case EAP_CODE_RESPONSE: 1212 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1213 eap_server_get_name(0, eap_type), eap_type); 1214 break; 1215 case EAP_CODE_SUCCESS: 1216 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1217 break; 1218 case EAP_CODE_FAILURE: 1219 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1220 break; 1221 default: 1222 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1223 break; 1224 } 1225 buf[sizeof(buf) - 1] = '\0'; 1226 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1227 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1228 "id=%d len=%d) from RADIUS server: %s", 1229 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1230 buf); 1231 sm->eap_if->aaaEapReq = TRUE; 1232 1233 wpabuf_free(sm->eap_if->aaaEapReqData); 1234 sm->eap_if->aaaEapReqData = eap; 1235} 1236 1237 1238static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1239 struct sta_info *sta, struct radius_msg *msg, 1240 struct radius_msg *req, 1241 const u8 *shared_secret, 1242 size_t shared_secret_len) 1243{ 1244 struct radius_ms_mppe_keys *keys; 1245 struct eapol_state_machine *sm = sta->eapol_sm; 1246 if (sm == NULL) 1247 return; 1248 1249 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1250 shared_secret_len); 1251 1252 if (keys && keys->send && keys->recv) { 1253 size_t len = keys->send_len + keys->recv_len; 1254 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1255 keys->send, keys->send_len); 1256 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1257 keys->recv, keys->recv_len); 1258 1259 os_free(sm->eap_if->aaaEapKeyData); 1260 sm->eap_if->aaaEapKeyData = os_malloc(len); 1261 if (sm->eap_if->aaaEapKeyData) { 1262 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1263 keys->recv_len); 1264 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1265 keys->send, keys->send_len); 1266 sm->eap_if->aaaEapKeyDataLen = len; 1267 sm->eap_if->aaaEapKeyAvailable = TRUE; 1268 } 1269 } else { 1270 wpa_printf(MSG_DEBUG, 1271 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1272 keys, keys ? keys->send : NULL, 1273 keys ? keys->recv : NULL); 1274 } 1275 1276 if (keys) { 1277 os_free(keys->send); 1278 os_free(keys->recv); 1279 os_free(keys); 1280 } 1281} 1282 1283 1284static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1285 struct sta_info *sta, 1286 struct radius_msg *msg) 1287{ 1288 u8 *attr_class; 1289 size_t class_len; 1290 struct eapol_state_machine *sm = sta->eapol_sm; 1291 int count, i; 1292 struct radius_attr_data *nclass; 1293 size_t nclass_count; 1294 1295 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1296 sm == NULL) 1297 return; 1298 1299 radius_free_class(&sm->radius_class); 1300 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1301 if (count <= 0) 1302 return; 1303 1304 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1305 if (nclass == NULL) 1306 return; 1307 1308 nclass_count = 0; 1309 1310 attr_class = NULL; 1311 for (i = 0; i < count; i++) { 1312 do { 1313 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1314 &attr_class, &class_len, 1315 attr_class) < 0) { 1316 i = count; 1317 break; 1318 } 1319 } while (class_len < 1); 1320 1321 nclass[nclass_count].data = os_malloc(class_len); 1322 if (nclass[nclass_count].data == NULL) 1323 break; 1324 1325 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1326 nclass[nclass_count].len = class_len; 1327 nclass_count++; 1328 } 1329 1330 sm->radius_class.attr = nclass; 1331 sm->radius_class.count = nclass_count; 1332 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1333 "attributes for " MACSTR, 1334 (unsigned long) sm->radius_class.count, 1335 MAC2STR(sta->addr)); 1336} 1337 1338 1339/* Update sta->identity based on User-Name attribute in Access-Accept */ 1340static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1341 struct sta_info *sta, 1342 struct radius_msg *msg) 1343{ 1344 u8 *buf, *identity; 1345 size_t len; 1346 struct eapol_state_machine *sm = sta->eapol_sm; 1347 1348 if (sm == NULL) 1349 return; 1350 1351 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1352 NULL) < 0) 1353 return; 1354 1355 identity = (u8 *) dup_binstr(buf, len); 1356 if (identity == NULL) 1357 return; 1358 1359 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1360 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1361 "User-Name from Access-Accept '%s'", 1362 sm->identity ? (char *) sm->identity : "N/A", 1363 (char *) identity); 1364 1365 os_free(sm->identity); 1366 sm->identity = identity; 1367 sm->identity_len = len; 1368} 1369 1370 1371/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1372static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1373 struct sta_info *sta, 1374 struct radius_msg *msg) 1375{ 1376 struct eapol_state_machine *sm = sta->eapol_sm; 1377 struct wpabuf *cui; 1378 u8 *buf; 1379 size_t len; 1380 1381 if (sm == NULL) 1382 return; 1383 1384 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1385 &buf, &len, NULL) < 0) 1386 return; 1387 1388 cui = wpabuf_alloc_copy(buf, len); 1389 if (cui == NULL) 1390 return; 1391 1392 wpabuf_free(sm->radius_cui); 1393 sm->radius_cui = cui; 1394} 1395 1396 1397#ifdef CONFIG_HS20 1398 1399static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1400{ 1401 sta->remediation = 1; 1402 os_free(sta->remediation_url); 1403 if (len > 2) { 1404 sta->remediation_url = os_malloc(len); 1405 if (!sta->remediation_url) 1406 return; 1407 sta->remediation_method = pos[0]; 1408 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1409 sta->remediation_url[len - 1] = '\0'; 1410 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1411 "for " MACSTR " - server method %u URL %s", 1412 MAC2STR(sta->addr), sta->remediation_method, 1413 sta->remediation_url); 1414 } else { 1415 sta->remediation_url = NULL; 1416 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1417 "for " MACSTR, MAC2STR(sta->addr)); 1418 } 1419 /* TODO: assign the STA into remediation VLAN or add filtering */ 1420} 1421 1422 1423static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1424 struct sta_info *sta, u8 *pos, 1425 size_t len) 1426{ 1427 if (len < 3) 1428 return; /* Malformed information */ 1429 sta->hs20_deauth_requested = 1; 1430 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1431 "Re-auth Delay %u", 1432 *pos, WPA_GET_LE16(pos + 1)); 1433 wpabuf_free(sta->hs20_deauth_req); 1434 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1435 if (sta->hs20_deauth_req) { 1436 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1437 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1438 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1439 } 1440 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1441} 1442 1443 1444static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1445 struct sta_info *sta, u8 *pos, 1446 size_t len, int session_timeout) 1447{ 1448 unsigned int swt; 1449 int warning_time, beacon_int; 1450 1451 if (len < 1) 1452 return; /* Malformed information */ 1453 os_free(sta->hs20_session_info_url); 1454 sta->hs20_session_info_url = os_malloc(len); 1455 if (sta->hs20_session_info_url == NULL) 1456 return; 1457 swt = pos[0]; 1458 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1459 sta->hs20_session_info_url[len - 1] = '\0'; 1460 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1461 "(session_timeout=%d)", 1462 sta->hs20_session_info_url, swt, session_timeout); 1463 if (session_timeout < 0) { 1464 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1465 return; 1466 } 1467 if (swt == 255) 1468 swt = 1; /* Use one minute as the AP selected value */ 1469 1470 if ((unsigned int) session_timeout < swt * 60) 1471 warning_time = 0; 1472 else 1473 warning_time = session_timeout - swt * 60; 1474 1475 beacon_int = hapd->iconf->beacon_int; 1476 if (beacon_int < 1) 1477 beacon_int = 100; /* best guess */ 1478 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1479 if (sta->hs20_disassoc_timer > 65535) 1480 sta->hs20_disassoc_timer = 65535; 1481 1482 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1483} 1484 1485#endif /* CONFIG_HS20 */ 1486 1487 1488static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1489 struct sta_info *sta, 1490 struct radius_msg *msg, 1491 int session_timeout) 1492{ 1493#ifdef CONFIG_HS20 1494 u8 *buf, *pos, *end, type, sublen; 1495 size_t len; 1496 1497 buf = NULL; 1498 sta->remediation = 0; 1499 sta->hs20_deauth_requested = 0; 1500 1501 for (;;) { 1502 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1503 &buf, &len, buf) < 0) 1504 break; 1505 if (len < 6) 1506 continue; 1507 pos = buf; 1508 end = buf + len; 1509 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1510 continue; 1511 pos += 4; 1512 1513 type = *pos++; 1514 sublen = *pos++; 1515 if (sublen < 2) 1516 continue; /* invalid length */ 1517 sublen -= 2; /* skip header */ 1518 if (pos + sublen > end) 1519 continue; /* invalid WFA VSA */ 1520 1521 switch (type) { 1522 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1523 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1524 break; 1525 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1526 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1527 break; 1528 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1529 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1530 session_timeout); 1531 break; 1532 } 1533 } 1534#endif /* CONFIG_HS20 */ 1535} 1536 1537 1538struct sta_id_search { 1539 u8 identifier; 1540 struct eapol_state_machine *sm; 1541}; 1542 1543 1544static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1545 struct sta_info *sta, 1546 void *ctx) 1547{ 1548 struct sta_id_search *id_search = ctx; 1549 struct eapol_state_machine *sm = sta->eapol_sm; 1550 1551 if (sm && sm->radius_identifier >= 0 && 1552 sm->radius_identifier == id_search->identifier) { 1553 id_search->sm = sm; 1554 return 1; 1555 } 1556 return 0; 1557} 1558 1559 1560static struct eapol_state_machine * 1561ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1562{ 1563 struct sta_id_search id_search; 1564 id_search.identifier = identifier; 1565 id_search.sm = NULL; 1566 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1567 return id_search.sm; 1568} 1569 1570 1571/** 1572 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1573 * @msg: RADIUS response message 1574 * @req: RADIUS request message 1575 * @shared_secret: RADIUS shared secret 1576 * @shared_secret_len: Length of shared_secret in octets 1577 * @data: Context data (struct hostapd_data *) 1578 * Returns: Processing status 1579 */ 1580static RadiusRxResult 1581ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1582 const u8 *shared_secret, size_t shared_secret_len, 1583 void *data) 1584{ 1585 struct hostapd_data *hapd = data; 1586 struct sta_info *sta; 1587 u32 session_timeout = 0, termination_action, acct_interim_interval; 1588 int session_timeout_set, vlan_id = 0; 1589 struct eapol_state_machine *sm; 1590 int override_eapReq = 0; 1591 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1592 1593 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1594 if (sm == NULL) { 1595 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1596 "station for this RADIUS message"); 1597 return RADIUS_RX_UNKNOWN; 1598 } 1599 sta = sm->sta; 1600 1601 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1602 * present when packet contains an EAP-Message attribute */ 1603 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1604 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1605 0) < 0 && 1606 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1607 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1608 "Message-Authenticator since it does not include " 1609 "EAP-Message"); 1610 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1611 req, 1)) { 1612 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1613 return RADIUS_RX_INVALID_AUTHENTICATOR; 1614 } 1615 1616 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1617 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1618 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1619 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1620 return RADIUS_RX_UNKNOWN; 1621 } 1622 1623 sm->radius_identifier = -1; 1624 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1625 MAC2STR(sta->addr)); 1626 1627 radius_msg_free(sm->last_recv_radius); 1628 sm->last_recv_radius = msg; 1629 1630 session_timeout_set = 1631 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1632 &session_timeout); 1633 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1634 &termination_action)) 1635 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1636 1637 if (hapd->conf->acct_interim_interval == 0 && 1638 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1639 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1640 &acct_interim_interval) == 0) { 1641 if (acct_interim_interval < 60) { 1642 hostapd_logger(hapd, sta->addr, 1643 HOSTAPD_MODULE_IEEE8021X, 1644 HOSTAPD_LEVEL_INFO, 1645 "ignored too small " 1646 "Acct-Interim-Interval %d", 1647 acct_interim_interval); 1648 } else 1649 sta->acct_interim_interval = acct_interim_interval; 1650 } 1651 1652 1653 switch (hdr->code) { 1654 case RADIUS_CODE_ACCESS_ACCEPT: 1655 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1656 vlan_id = 0; 1657#ifndef CONFIG_NO_VLAN 1658 else 1659 vlan_id = radius_msg_get_vlanid(msg); 1660 if (vlan_id > 0 && 1661 hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) { 1662 hostapd_logger(hapd, sta->addr, 1663 HOSTAPD_MODULE_RADIUS, 1664 HOSTAPD_LEVEL_INFO, 1665 "VLAN ID %d", vlan_id); 1666 } else if (vlan_id > 0) { 1667 sta->eapol_sm->authFail = TRUE; 1668 hostapd_logger(hapd, sta->addr, 1669 HOSTAPD_MODULE_RADIUS, 1670 HOSTAPD_LEVEL_INFO, 1671 "Invalid VLAN ID %d received from RADIUS server", 1672 vlan_id); 1673 break; 1674 } else if (hapd->conf->ssid.dynamic_vlan == 1675 DYNAMIC_VLAN_REQUIRED) { 1676 sta->eapol_sm->authFail = TRUE; 1677 hostapd_logger(hapd, sta->addr, 1678 HOSTAPD_MODULE_IEEE8021X, 1679 HOSTAPD_LEVEL_INFO, "authentication " 1680 "server did not include required VLAN " 1681 "ID in Access-Accept"); 1682 break; 1683 } 1684#endif /* CONFIG_NO_VLAN */ 1685 1686 sta->vlan_id = vlan_id; 1687 if ((sta->flags & WLAN_STA_ASSOC) && 1688 ap_sta_bind_vlan(hapd, sta) < 0) 1689 break; 1690 1691 sta->session_timeout_set = !!session_timeout_set; 1692 sta->session_timeout = session_timeout; 1693 1694 /* RFC 3580, Ch. 3.17 */ 1695 if (session_timeout_set && termination_action == 1696 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1697 sm->reAuthPeriod = session_timeout; 1698 } else if (session_timeout_set) 1699 ap_sta_session_timeout(hapd, sta, session_timeout); 1700 1701 sm->eap_if->aaaSuccess = TRUE; 1702 override_eapReq = 1; 1703 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1704 shared_secret_len); 1705 ieee802_1x_store_radius_class(hapd, sta, msg); 1706 ieee802_1x_update_sta_identity(hapd, sta, msg); 1707 ieee802_1x_update_sta_cui(hapd, sta, msg); 1708 ieee802_1x_check_hs20(hapd, sta, msg, 1709 session_timeout_set ? 1710 (int) session_timeout : -1); 1711 if (sm->eap_if->eapKeyAvailable && !sta->remediation && 1712 !sta->hs20_deauth_requested && 1713 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1714 session_timeout_set ? 1715 (int) session_timeout : -1, sm) == 0) { 1716 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1717 HOSTAPD_LEVEL_DEBUG, 1718 "Added PMKSA cache entry"); 1719 } 1720 break; 1721 case RADIUS_CODE_ACCESS_REJECT: 1722 sm->eap_if->aaaFail = TRUE; 1723 override_eapReq = 1; 1724 break; 1725 case RADIUS_CODE_ACCESS_CHALLENGE: 1726 sm->eap_if->aaaEapReq = TRUE; 1727 if (session_timeout_set) { 1728 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1729 sm->eap_if->aaaMethodTimeout = session_timeout; 1730 hostapd_logger(hapd, sm->addr, 1731 HOSTAPD_MODULE_IEEE8021X, 1732 HOSTAPD_LEVEL_DEBUG, 1733 "using EAP timeout of %d seconds (from " 1734 "RADIUS)", 1735 sm->eap_if->aaaMethodTimeout); 1736 } else { 1737 /* 1738 * Use dynamic retransmission behavior per EAP 1739 * specification. 1740 */ 1741 sm->eap_if->aaaMethodTimeout = 0; 1742 } 1743 break; 1744 } 1745 1746 ieee802_1x_decapsulate_radius(hapd, sta); 1747 if (override_eapReq) 1748 sm->eap_if->aaaEapReq = FALSE; 1749 1750 eapol_auth_step(sm); 1751 1752 return RADIUS_RX_QUEUED; 1753} 1754#endif /* CONFIG_NO_RADIUS */ 1755 1756 1757void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1758{ 1759 struct eapol_state_machine *sm = sta->eapol_sm; 1760 if (sm == NULL) 1761 return; 1762 1763 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1764 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1765 1766#ifndef CONFIG_NO_RADIUS 1767 radius_msg_free(sm->last_recv_radius); 1768 sm->last_recv_radius = NULL; 1769#endif /* CONFIG_NO_RADIUS */ 1770 1771 if (sm->eap_if->eapTimeout) { 1772 /* 1773 * Disconnect the STA since it did not reply to the last EAP 1774 * request and we cannot continue EAP processing (EAP-Failure 1775 * could only be sent if the EAP peer actually replied). 1776 */ 1777 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1778 MAC2STR(sta->addr)); 1779 1780 sm->eap_if->portEnabled = FALSE; 1781 ap_sta_disconnect(hapd, sta, sta->addr, 1782 WLAN_REASON_PREV_AUTH_NOT_VALID); 1783 } 1784} 1785 1786 1787static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1788{ 1789 struct eapol_authenticator *eapol = hapd->eapol_auth; 1790 1791 if (hapd->conf->default_wep_key_len < 1) 1792 return 0; 1793 1794 os_free(eapol->default_wep_key); 1795 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1796 if (eapol->default_wep_key == NULL || 1797 random_get_bytes(eapol->default_wep_key, 1798 hapd->conf->default_wep_key_len)) { 1799 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1800 os_free(eapol->default_wep_key); 1801 eapol->default_wep_key = NULL; 1802 return -1; 1803 } 1804 1805 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1806 eapol->default_wep_key, 1807 hapd->conf->default_wep_key_len); 1808 1809 return 0; 1810} 1811 1812 1813static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1814 struct sta_info *sta, void *ctx) 1815{ 1816 if (sta->eapol_sm) { 1817 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1818 eapol_auth_step(sta->eapol_sm); 1819 } 1820 return 0; 1821} 1822 1823 1824static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1825{ 1826 struct hostapd_data *hapd = eloop_ctx; 1827 struct eapol_authenticator *eapol = hapd->eapol_auth; 1828 1829 if (eapol->default_wep_key_idx >= 3) 1830 eapol->default_wep_key_idx = 1831 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1832 else 1833 eapol->default_wep_key_idx++; 1834 1835 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1836 eapol->default_wep_key_idx); 1837 1838 if (ieee802_1x_rekey_broadcast(hapd)) { 1839 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1840 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1841 "new broadcast key"); 1842 os_free(eapol->default_wep_key); 1843 eapol->default_wep_key = NULL; 1844 return; 1845 } 1846 1847 /* TODO: Could setup key for RX here, but change default TX keyid only 1848 * after new broadcast key has been sent to all stations. */ 1849 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1850 broadcast_ether_addr, 1851 eapol->default_wep_key_idx, 1, NULL, 0, 1852 eapol->default_wep_key, 1853 hapd->conf->default_wep_key_len)) { 1854 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1855 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1856 "new broadcast key"); 1857 os_free(eapol->default_wep_key); 1858 eapol->default_wep_key = NULL; 1859 return; 1860 } 1861 1862 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1863 1864 if (hapd->conf->wep_rekeying_period > 0) { 1865 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1866 ieee802_1x_rekey, hapd, NULL); 1867 } 1868} 1869 1870 1871static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1872 const u8 *data, size_t datalen) 1873{ 1874#ifdef CONFIG_WPS 1875 struct sta_info *sta = sta_ctx; 1876 1877 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1878 WLAN_STA_MAYBE_WPS) { 1879 const u8 *identity; 1880 size_t identity_len; 1881 struct eapol_state_machine *sm = sta->eapol_sm; 1882 1883 identity = eap_get_identity(sm->eap, &identity_len); 1884 if (identity && 1885 ((identity_len == WSC_ID_ENROLLEE_LEN && 1886 os_memcmp(identity, WSC_ID_ENROLLEE, 1887 WSC_ID_ENROLLEE_LEN) == 0) || 1888 (identity_len == WSC_ID_REGISTRAR_LEN && 1889 os_memcmp(identity, WSC_ID_REGISTRAR, 1890 WSC_ID_REGISTRAR_LEN) == 0))) { 1891 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1892 "WLAN_STA_WPS"); 1893 sta->flags |= WLAN_STA_WPS; 1894 } 1895 } 1896#endif /* CONFIG_WPS */ 1897 1898 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1899} 1900 1901 1902static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1903 const u8 *data, size_t datalen) 1904{ 1905#ifndef CONFIG_NO_RADIUS 1906 struct hostapd_data *hapd = ctx; 1907 struct sta_info *sta = sta_ctx; 1908 1909 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1910#endif /* CONFIG_NO_RADIUS */ 1911} 1912 1913 1914static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1915 int preauth, int remediation) 1916{ 1917 struct hostapd_data *hapd = ctx; 1918 struct sta_info *sta = sta_ctx; 1919 if (preauth) 1920 rsn_preauth_finished(hapd, sta, success); 1921 else 1922 ieee802_1x_finished(hapd, sta, success, remediation); 1923} 1924 1925 1926static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1927 size_t identity_len, int phase2, 1928 struct eap_user *user) 1929{ 1930 struct hostapd_data *hapd = ctx; 1931 const struct hostapd_eap_user *eap_user; 1932 int i; 1933 int rv = -1; 1934 1935 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1936 if (eap_user == NULL) 1937 goto out; 1938 1939 os_memset(user, 0, sizeof(*user)); 1940 user->phase2 = phase2; 1941 for (i = 0; i < EAP_MAX_METHODS; i++) { 1942 user->methods[i].vendor = eap_user->methods[i].vendor; 1943 user->methods[i].method = eap_user->methods[i].method; 1944 } 1945 1946 if (eap_user->password) { 1947 user->password = os_malloc(eap_user->password_len); 1948 if (user->password == NULL) 1949 goto out; 1950 os_memcpy(user->password, eap_user->password, 1951 eap_user->password_len); 1952 user->password_len = eap_user->password_len; 1953 user->password_hash = eap_user->password_hash; 1954 } 1955 user->force_version = eap_user->force_version; 1956 user->macacl = eap_user->macacl; 1957 user->ttls_auth = eap_user->ttls_auth; 1958 user->remediation = eap_user->remediation; 1959 rv = 0; 1960 1961out: 1962 if (rv) 1963 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 1964 1965 return rv; 1966} 1967 1968 1969static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1970{ 1971 struct hostapd_data *hapd = ctx; 1972 struct sta_info *sta; 1973 sta = ap_get_sta(hapd, addr); 1974 if (sta == NULL || sta->eapol_sm == NULL) 1975 return 0; 1976 return 1; 1977} 1978 1979 1980static void ieee802_1x_logger(void *ctx, const u8 *addr, 1981 eapol_logger_level level, const char *txt) 1982{ 1983#ifndef CONFIG_NO_HOSTAPD_LOGGER 1984 struct hostapd_data *hapd = ctx; 1985 int hlevel; 1986 1987 switch (level) { 1988 case EAPOL_LOGGER_WARNING: 1989 hlevel = HOSTAPD_LEVEL_WARNING; 1990 break; 1991 case EAPOL_LOGGER_INFO: 1992 hlevel = HOSTAPD_LEVEL_INFO; 1993 break; 1994 case EAPOL_LOGGER_DEBUG: 1995 default: 1996 hlevel = HOSTAPD_LEVEL_DEBUG; 1997 break; 1998 } 1999 2000 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2001 txt); 2002#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2003} 2004 2005 2006static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2007 int authorized) 2008{ 2009 struct hostapd_data *hapd = ctx; 2010 struct sta_info *sta = sta_ctx; 2011 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2012} 2013 2014 2015static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2016{ 2017 struct hostapd_data *hapd = ctx; 2018 struct sta_info *sta = sta_ctx; 2019 ieee802_1x_abort_auth(hapd, sta); 2020} 2021 2022 2023static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2024{ 2025 struct hostapd_data *hapd = ctx; 2026 struct sta_info *sta = sta_ctx; 2027 ieee802_1x_tx_key(hapd, sta); 2028} 2029 2030 2031static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2032 enum eapol_event type) 2033{ 2034 /* struct hostapd_data *hapd = ctx; */ 2035 struct sta_info *sta = sta_ctx; 2036 switch (type) { 2037 case EAPOL_AUTH_SM_CHANGE: 2038 wpa_auth_sm_notify(sta->wpa_sm); 2039 break; 2040 case EAPOL_AUTH_REAUTHENTICATE: 2041 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2042 break; 2043 } 2044} 2045 2046 2047#ifdef CONFIG_ERP 2048 2049static struct eap_server_erp_key * 2050ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2051{ 2052 struct hostapd_data *hapd = ctx; 2053 struct eap_server_erp_key *erp; 2054 2055 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2056 list) { 2057 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2058 return erp; 2059 } 2060 2061 return NULL; 2062} 2063 2064 2065static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2066{ 2067 struct hostapd_data *hapd = ctx; 2068 2069 dl_list_add(&hapd->erp_keys, &erp->list); 2070 return 0; 2071} 2072 2073#endif /* CONFIG_ERP */ 2074 2075 2076int ieee802_1x_init(struct hostapd_data *hapd) 2077{ 2078 int i; 2079 struct eapol_auth_config conf; 2080 struct eapol_auth_cb cb; 2081 2082 dl_list_init(&hapd->erp_keys); 2083 2084 os_memset(&conf, 0, sizeof(conf)); 2085 conf.ctx = hapd; 2086 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2087 conf.wpa = hapd->conf->wpa; 2088 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2089 conf.eap_server = hapd->conf->eap_server; 2090 conf.ssl_ctx = hapd->ssl_ctx; 2091 conf.msg_ctx = hapd->msg_ctx; 2092 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2093 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2094 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2095 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2096 conf.erp_domain = hapd->conf->erp_domain; 2097 conf.erp = hapd->conf->eap_server_erp; 2098 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2099 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2100 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2101 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2102 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2103 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2104 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2105 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2106 conf.tnc = hapd->conf->tnc; 2107 conf.wps = hapd->wps; 2108 conf.fragment_size = hapd->conf->fragment_size; 2109 conf.pwd_group = hapd->conf->pwd_group; 2110 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2111 if (hapd->conf->server_id) { 2112 conf.server_id = (const u8 *) hapd->conf->server_id; 2113 conf.server_id_len = os_strlen(hapd->conf->server_id); 2114 } else { 2115 conf.server_id = (const u8 *) "hostapd"; 2116 conf.server_id_len = 7; 2117 } 2118 2119 os_memset(&cb, 0, sizeof(cb)); 2120 cb.eapol_send = ieee802_1x_eapol_send; 2121 cb.aaa_send = ieee802_1x_aaa_send; 2122 cb.finished = _ieee802_1x_finished; 2123 cb.get_eap_user = ieee802_1x_get_eap_user; 2124 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2125 cb.logger = ieee802_1x_logger; 2126 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2127 cb.abort_auth = _ieee802_1x_abort_auth; 2128 cb.tx_key = _ieee802_1x_tx_key; 2129 cb.eapol_event = ieee802_1x_eapol_event; 2130#ifdef CONFIG_ERP 2131 cb.erp_get_key = ieee802_1x_erp_get_key; 2132 cb.erp_add_key = ieee802_1x_erp_add_key; 2133#endif /* CONFIG_ERP */ 2134 2135 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2136 if (hapd->eapol_auth == NULL) 2137 return -1; 2138 2139 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2140 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2141 return -1; 2142 2143#ifndef CONFIG_NO_RADIUS 2144 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2145 ieee802_1x_receive_auth, hapd)) 2146 return -1; 2147#endif /* CONFIG_NO_RADIUS */ 2148 2149 if (hapd->conf->default_wep_key_len) { 2150 for (i = 0; i < 4; i++) 2151 hostapd_drv_set_key(hapd->conf->iface, hapd, 2152 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2153 NULL, 0); 2154 2155 ieee802_1x_rekey(hapd, NULL); 2156 2157 if (hapd->eapol_auth->default_wep_key == NULL) 2158 return -1; 2159 } 2160 2161 return 0; 2162} 2163 2164 2165void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2166{ 2167 struct eap_server_erp_key *erp; 2168 2169 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2170 list)) != NULL) { 2171 dl_list_del(&erp->list); 2172 bin_clear_free(erp, sizeof(*erp)); 2173 } 2174} 2175 2176 2177void ieee802_1x_deinit(struct hostapd_data *hapd) 2178{ 2179 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2180 2181 if (hapd->driver != NULL && 2182 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2183 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2184 2185 eapol_auth_deinit(hapd->eapol_auth); 2186 hapd->eapol_auth = NULL; 2187 2188 ieee802_1x_erp_flush(hapd); 2189} 2190 2191 2192int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2193 const u8 *buf, size_t len, int ack) 2194{ 2195 struct ieee80211_hdr *hdr; 2196 u8 *pos; 2197 const unsigned char rfc1042_hdr[ETH_ALEN] = 2198 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2199 2200 if (sta == NULL) 2201 return -1; 2202 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2203 return 0; 2204 2205 hdr = (struct ieee80211_hdr *) buf; 2206 pos = (u8 *) (hdr + 1); 2207 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2208 return 0; 2209 pos += sizeof(rfc1042_hdr); 2210 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2211 return 0; 2212 pos += 2; 2213 2214 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2215 ack); 2216} 2217 2218 2219int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2220 const u8 *buf, int len, int ack) 2221{ 2222 const struct ieee802_1x_hdr *xhdr = 2223 (const struct ieee802_1x_hdr *) buf; 2224 const u8 *pos = buf + sizeof(*xhdr); 2225 struct ieee802_1x_eapol_key *key; 2226 2227 if (len < (int) sizeof(*xhdr)) 2228 return 0; 2229 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2230 "type=%d length=%d - ack=%d", 2231 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2232 be_to_host16(xhdr->length), ack); 2233 2234 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2235 return 0; 2236 2237 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2238 const struct wpa_eapol_key *wpa; 2239 wpa = (const struct wpa_eapol_key *) pos; 2240 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2241 wpa->type == EAPOL_KEY_TYPE_WPA) 2242 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2243 sta->wpa_sm, ack); 2244 } 2245 2246 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2247 * or Authenticator state machines, but EAPOL-Key packets are not 2248 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2249 * packets couple of times because otherwise STA keys become 2250 * unsynchronized with AP. */ 2251 if (!ack && pos + sizeof(*key) <= buf + len) { 2252 key = (struct ieee802_1x_eapol_key *) pos; 2253 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2254 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2255 "frame (%scast index=%d)", 2256 key->key_index & BIT(7) ? "uni" : "broad", 2257 key->key_index & ~BIT(7)); 2258 /* TODO: re-send EAPOL-Key couple of times (with short delay 2259 * between them?). If all attempt fail, report error and 2260 * deauthenticate STA so that it will get new keys when 2261 * authenticating again (e.g., after returning in range). 2262 * Separate limit/transmit state needed both for unicast and 2263 * broadcast keys(?) */ 2264 } 2265 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2266 * to here and change the key only if the EAPOL-Key packet was Acked. 2267 */ 2268 2269 return 1; 2270} 2271 2272 2273u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2274{ 2275 if (sm == NULL || sm->identity == NULL) 2276 return NULL; 2277 2278 *len = sm->identity_len; 2279 return sm->identity; 2280} 2281 2282 2283u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2284 int idx) 2285{ 2286 if (sm == NULL || sm->radius_class.attr == NULL || 2287 idx >= (int) sm->radius_class.count) 2288 return NULL; 2289 2290 *len = sm->radius_class.attr[idx].len; 2291 return sm->radius_class.attr[idx].data; 2292} 2293 2294 2295struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2296{ 2297 if (sm == NULL) 2298 return NULL; 2299 return sm->radius_cui; 2300} 2301 2302 2303const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2304{ 2305 *len = 0; 2306 if (sm == NULL) 2307 return NULL; 2308 2309 *len = sm->eap_if->eapKeyDataLen; 2310 return sm->eap_if->eapKeyData; 2311} 2312 2313 2314void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2315 int enabled) 2316{ 2317 if (sm == NULL) 2318 return; 2319 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2320 eapol_auth_step(sm); 2321} 2322 2323 2324void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2325 int valid) 2326{ 2327 if (sm == NULL) 2328 return; 2329 sm->portValid = valid ? TRUE : FALSE; 2330 eapol_auth_step(sm); 2331} 2332 2333 2334void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2335{ 2336 if (sm == NULL) 2337 return; 2338 if (pre_auth) 2339 sm->flags |= EAPOL_SM_PREAUTH; 2340 else 2341 sm->flags &= ~EAPOL_SM_PREAUTH; 2342} 2343 2344 2345static const char * bool_txt(Boolean val) 2346{ 2347 return val ? "TRUE" : "FALSE"; 2348} 2349 2350 2351int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2352{ 2353 /* TODO */ 2354 return 0; 2355} 2356 2357 2358int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2359 char *buf, size_t buflen) 2360{ 2361 int len = 0, ret; 2362 struct eapol_state_machine *sm = sta->eapol_sm; 2363 struct os_reltime diff; 2364 const char *name1; 2365 const char *name2; 2366 2367 if (sm == NULL) 2368 return 0; 2369 2370 ret = os_snprintf(buf + len, buflen - len, 2371 "dot1xPaePortNumber=%d\n" 2372 "dot1xPaePortProtocolVersion=%d\n" 2373 "dot1xPaePortCapabilities=1\n" 2374 "dot1xPaePortInitialize=%d\n" 2375 "dot1xPaePortReauthenticate=FALSE\n", 2376 sta->aid, 2377 EAPOL_VERSION, 2378 sm->initialize); 2379 if (os_snprintf_error(buflen - len, ret)) 2380 return len; 2381 len += ret; 2382 2383 /* dot1xAuthConfigTable */ 2384 ret = os_snprintf(buf + len, buflen - len, 2385 "dot1xAuthPaeState=%d\n" 2386 "dot1xAuthBackendAuthState=%d\n" 2387 "dot1xAuthAdminControlledDirections=%d\n" 2388 "dot1xAuthOperControlledDirections=%d\n" 2389 "dot1xAuthAuthControlledPortStatus=%d\n" 2390 "dot1xAuthAuthControlledPortControl=%d\n" 2391 "dot1xAuthQuietPeriod=%u\n" 2392 "dot1xAuthServerTimeout=%u\n" 2393 "dot1xAuthReAuthPeriod=%u\n" 2394 "dot1xAuthReAuthEnabled=%s\n" 2395 "dot1xAuthKeyTxEnabled=%s\n", 2396 sm->auth_pae_state + 1, 2397 sm->be_auth_state + 1, 2398 sm->adminControlledDirections, 2399 sm->operControlledDirections, 2400 sm->authPortStatus, 2401 sm->portControl, 2402 sm->quietPeriod, 2403 sm->serverTimeout, 2404 sm->reAuthPeriod, 2405 bool_txt(sm->reAuthEnabled), 2406 bool_txt(sm->keyTxEnabled)); 2407 if (os_snprintf_error(buflen - len, ret)) 2408 return len; 2409 len += ret; 2410 2411 /* dot1xAuthStatsTable */ 2412 ret = os_snprintf(buf + len, buflen - len, 2413 "dot1xAuthEapolFramesRx=%u\n" 2414 "dot1xAuthEapolFramesTx=%u\n" 2415 "dot1xAuthEapolStartFramesRx=%u\n" 2416 "dot1xAuthEapolLogoffFramesRx=%u\n" 2417 "dot1xAuthEapolRespIdFramesRx=%u\n" 2418 "dot1xAuthEapolRespFramesRx=%u\n" 2419 "dot1xAuthEapolReqIdFramesTx=%u\n" 2420 "dot1xAuthEapolReqFramesTx=%u\n" 2421 "dot1xAuthInvalidEapolFramesRx=%u\n" 2422 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2423 "dot1xAuthLastEapolFrameVersion=%u\n" 2424 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2425 sm->dot1xAuthEapolFramesRx, 2426 sm->dot1xAuthEapolFramesTx, 2427 sm->dot1xAuthEapolStartFramesRx, 2428 sm->dot1xAuthEapolLogoffFramesRx, 2429 sm->dot1xAuthEapolRespIdFramesRx, 2430 sm->dot1xAuthEapolRespFramesRx, 2431 sm->dot1xAuthEapolReqIdFramesTx, 2432 sm->dot1xAuthEapolReqFramesTx, 2433 sm->dot1xAuthInvalidEapolFramesRx, 2434 sm->dot1xAuthEapLengthErrorFramesRx, 2435 sm->dot1xAuthLastEapolFrameVersion, 2436 MAC2STR(sm->addr)); 2437 if (os_snprintf_error(buflen - len, ret)) 2438 return len; 2439 len += ret; 2440 2441 /* dot1xAuthDiagTable */ 2442 ret = os_snprintf(buf + len, buflen - len, 2443 "dot1xAuthEntersConnecting=%u\n" 2444 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2445 "dot1xAuthEntersAuthenticating=%u\n" 2446 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2447 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2448 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2449 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2450 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2451 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2452 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2453 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2454 "dot1xAuthBackendResponses=%u\n" 2455 "dot1xAuthBackendAccessChallenges=%u\n" 2456 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2457 "dot1xAuthBackendAuthSuccesses=%u\n" 2458 "dot1xAuthBackendAuthFails=%u\n", 2459 sm->authEntersConnecting, 2460 sm->authEapLogoffsWhileConnecting, 2461 sm->authEntersAuthenticating, 2462 sm->authAuthSuccessesWhileAuthenticating, 2463 sm->authAuthTimeoutsWhileAuthenticating, 2464 sm->authAuthFailWhileAuthenticating, 2465 sm->authAuthEapStartsWhileAuthenticating, 2466 sm->authAuthEapLogoffWhileAuthenticating, 2467 sm->authAuthReauthsWhileAuthenticated, 2468 sm->authAuthEapStartsWhileAuthenticated, 2469 sm->authAuthEapLogoffWhileAuthenticated, 2470 sm->backendResponses, 2471 sm->backendAccessChallenges, 2472 sm->backendOtherRequestsToSupplicant, 2473 sm->backendAuthSuccesses, 2474 sm->backendAuthFails); 2475 if (os_snprintf_error(buflen - len, ret)) 2476 return len; 2477 len += ret; 2478 2479 /* dot1xAuthSessionStatsTable */ 2480 os_reltime_age(&sta->acct_session_start, &diff); 2481 ret = os_snprintf(buf + len, buflen - len, 2482 /* TODO: dot1xAuthSessionOctetsRx */ 2483 /* TODO: dot1xAuthSessionOctetsTx */ 2484 /* TODO: dot1xAuthSessionFramesRx */ 2485 /* TODO: dot1xAuthSessionFramesTx */ 2486 "dot1xAuthSessionId=%08X-%08X\n" 2487 "dot1xAuthSessionAuthenticMethod=%d\n" 2488 "dot1xAuthSessionTime=%u\n" 2489 "dot1xAuthSessionTerminateCause=999\n" 2490 "dot1xAuthSessionUserName=%s\n", 2491 sta->acct_session_id_hi, sta->acct_session_id_lo, 2492 (wpa_key_mgmt_wpa_ieee8021x( 2493 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2494 1 : 2, 2495 (unsigned int) diff.sec, 2496 sm->identity); 2497 if (os_snprintf_error(buflen - len, ret)) 2498 return len; 2499 len += ret; 2500 2501 if (sm->acct_multi_session_id_hi) { 2502 ret = os_snprintf(buf + len, buflen - len, 2503 "authMultiSessionId=%08X+%08X\n", 2504 sm->acct_multi_session_id_hi, 2505 sm->acct_multi_session_id_lo); 2506 if (os_snprintf_error(buflen - len, ret)) 2507 return len; 2508 len += ret; 2509 } 2510 2511 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2512 name2 = eap_server_get_name(0, sm->eap_type_supp); 2513 ret = os_snprintf(buf + len, buflen - len, 2514 "last_eap_type_as=%d (%s)\n" 2515 "last_eap_type_sta=%d (%s)\n", 2516 sm->eap_type_authsrv, name1, 2517 sm->eap_type_supp, name2); 2518 if (os_snprintf_error(buflen - len, ret)) 2519 return len; 2520 len += ret; 2521 2522 return len; 2523} 2524 2525 2526static void ieee802_1x_finished(struct hostapd_data *hapd, 2527 struct sta_info *sta, int success, 2528 int remediation) 2529{ 2530 const u8 *key; 2531 size_t len; 2532 /* TODO: get PMKLifetime from WPA parameters */ 2533 static const int dot11RSNAConfigPMKLifetime = 43200; 2534 unsigned int session_timeout; 2535 2536#ifdef CONFIG_HS20 2537 if (remediation && !sta->remediation) { 2538 sta->remediation = 1; 2539 os_free(sta->remediation_url); 2540 sta->remediation_url = 2541 os_strdup(hapd->conf->subscr_remediation_url); 2542 sta->remediation_method = 1; /* SOAP-XML SPP */ 2543 } 2544 2545 if (success) { 2546 if (sta->remediation) { 2547 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2548 "to " MACSTR " to indicate Subscription " 2549 "Remediation", 2550 MAC2STR(sta->addr)); 2551 hs20_send_wnm_notification(hapd, sta->addr, 2552 sta->remediation_method, 2553 sta->remediation_url); 2554 os_free(sta->remediation_url); 2555 sta->remediation_url = NULL; 2556 } 2557 2558 if (sta->hs20_deauth_req) { 2559 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2560 "to " MACSTR " to indicate imminent " 2561 "deauthentication", MAC2STR(sta->addr)); 2562 hs20_send_wnm_notification_deauth_req( 2563 hapd, sta->addr, sta->hs20_deauth_req); 2564 } 2565 } 2566#endif /* CONFIG_HS20 */ 2567 2568 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2569 if (sta->session_timeout_set) 2570 session_timeout = sta->session_timeout; 2571 else 2572 session_timeout = dot11RSNAConfigPMKLifetime; 2573 if (success && key && len >= PMK_LEN && !sta->remediation && 2574 !sta->hs20_deauth_requested && 2575 wpa_auth_pmksa_add(sta->wpa_sm, key, session_timeout, 2576 sta->eapol_sm) == 0) { 2577 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2578 HOSTAPD_LEVEL_DEBUG, 2579 "Added PMKSA cache entry (IEEE 802.1X)"); 2580 } 2581 2582 if (!success) { 2583 /* 2584 * Many devices require deauthentication after WPS provisioning 2585 * and some may not be be able to do that themselves, so 2586 * disconnect the client here. In addition, this may also 2587 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2588 * the EAPOL PAE state machine would remain in HELD state for 2589 * considerable amount of time and some EAP methods, like 2590 * EAP-FAST with anonymous provisioning, may require another 2591 * EAPOL authentication to be started to complete connection. 2592 */ 2593 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2594 "disconnection after EAP-Failure"); 2595 /* Add a small sleep to increase likelihood of previously 2596 * requested EAP-Failure TX getting out before this should the 2597 * driver reorder operations. 2598 */ 2599 os_sleep(0, 10000); 2600 ap_sta_disconnect(hapd, sta, sta->addr, 2601 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2602 hostapd_wps_eap_completed(hapd); 2603 } 2604} 2605