ieee802_1x.c revision 7f2c753f60025528366b5f19b8b490a47bf5080b
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "wps_hostapd.h" 33#include "hs20.h" 34#include "ieee802_1x.h" 35 36 37#ifdef CONFIG_HS20 38static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 39#endif /* CONFIG_HS20 */ 40static void ieee802_1x_finished(struct hostapd_data *hapd, 41 struct sta_info *sta, int success, 42 int remediation); 43 44 45static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 46 u8 type, const u8 *data, size_t datalen) 47{ 48 u8 *buf; 49 struct ieee802_1x_hdr *xhdr; 50 size_t len; 51 int encrypt = 0; 52 53 len = sizeof(*xhdr) + datalen; 54 buf = os_zalloc(len); 55 if (buf == NULL) { 56 wpa_printf(MSG_ERROR, "malloc() failed for " 57 "ieee802_1x_send(len=%lu)", 58 (unsigned long) len); 59 return; 60 } 61 62 xhdr = (struct ieee802_1x_hdr *) buf; 63 xhdr->version = hapd->conf->eapol_version; 64 xhdr->type = type; 65 xhdr->length = host_to_be16(datalen); 66 67 if (datalen > 0 && data != NULL) 68 os_memcpy(xhdr + 1, data, datalen); 69 70 if (wpa_auth_pairwise_set(sta->wpa_sm)) 71 encrypt = 1; 72#ifdef CONFIG_TESTING_OPTIONS 73 if (hapd->ext_eapol_frame_io) { 74 size_t hex_len = 2 * len + 1; 75 char *hex = os_malloc(hex_len); 76 77 if (hex) { 78 wpa_snprintf_hex(hex, hex_len, buf, len); 79 wpa_msg(hapd->msg_ctx, MSG_INFO, 80 "EAPOL-TX " MACSTR " %s", 81 MAC2STR(sta->addr), hex); 82 os_free(hex); 83 } 84 } else 85#endif /* CONFIG_TESTING_OPTIONS */ 86 if (sta->flags & WLAN_STA_PREAUTH) { 87 rsn_preauth_send(hapd, sta, buf, len); 88 } else { 89 hostapd_drv_hapd_send_eapol( 90 hapd, sta->addr, buf, len, 91 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 92 } 93 94 os_free(buf); 95} 96 97 98void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 99 struct sta_info *sta, int authorized) 100{ 101 int res; 102 103 if (sta->flags & WLAN_STA_PREAUTH) 104 return; 105 106 if (authorized) { 107 ap_sta_set_authorized(hapd, sta, 1); 108 res = hostapd_set_authorized(hapd, sta, 1); 109 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 110 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 111 } else { 112 ap_sta_set_authorized(hapd, sta, 0); 113 res = hostapd_set_authorized(hapd, sta, 0); 114 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 115 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 116 } 117 118 if (res && errno != ENOENT) { 119 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 120 " flags for kernel driver (errno=%d).", 121 MAC2STR(sta->addr), errno); 122 } 123 124 if (authorized) { 125 os_get_reltime(&sta->connected_time); 126 accounting_sta_start(hapd, sta); 127 } 128} 129 130 131#ifndef CONFIG_FIPS 132#ifndef CONFIG_NO_RC4 133 134static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 135 struct sta_info *sta, 136 int idx, int broadcast, 137 u8 *key_data, size_t key_len) 138{ 139 u8 *buf, *ekey; 140 struct ieee802_1x_hdr *hdr; 141 struct ieee802_1x_eapol_key *key; 142 size_t len, ekey_len; 143 struct eapol_state_machine *sm = sta->eapol_sm; 144 145 if (sm == NULL) 146 return; 147 148 len = sizeof(*key) + key_len; 149 buf = os_zalloc(sizeof(*hdr) + len); 150 if (buf == NULL) 151 return; 152 153 hdr = (struct ieee802_1x_hdr *) buf; 154 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 155 key->type = EAPOL_KEY_TYPE_RC4; 156 WPA_PUT_BE16(key->key_length, key_len); 157 wpa_get_ntp_timestamp(key->replay_counter); 158 159 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 160 wpa_printf(MSG_ERROR, "Could not get random numbers"); 161 os_free(buf); 162 return; 163 } 164 165 key->key_index = idx | (broadcast ? 0 : BIT(7)); 166 if (hapd->conf->eapol_key_index_workaround) { 167 /* According to some information, WinXP Supplicant seems to 168 * interpret bit7 as an indication whether the key is to be 169 * activated, so make it possible to enable workaround that 170 * sets this bit for all keys. */ 171 key->key_index |= BIT(7); 172 } 173 174 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 175 * MSK[32..63] is used to sign the message. */ 176 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 177 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 178 "and signing EAPOL-Key"); 179 os_free(buf); 180 return; 181 } 182 os_memcpy((u8 *) (key + 1), key_data, key_len); 183 ekey_len = sizeof(key->key_iv) + 32; 184 ekey = os_malloc(ekey_len); 185 if (ekey == NULL) { 186 wpa_printf(MSG_ERROR, "Could not encrypt key"); 187 os_free(buf); 188 return; 189 } 190 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 191 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 192 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 193 os_free(ekey); 194 195 /* This header is needed here for HMAC-MD5, but it will be regenerated 196 * in ieee802_1x_send() */ 197 hdr->version = hapd->conf->eapol_version; 198 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 199 hdr->length = host_to_be16(len); 200 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 201 key->key_signature); 202 203 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 204 " (%s index=%d)", MAC2STR(sm->addr), 205 broadcast ? "broadcast" : "unicast", idx); 206 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 207 if (sta->eapol_sm) 208 sta->eapol_sm->dot1xAuthEapolFramesTx++; 209 os_free(buf); 210} 211 212 213static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 214{ 215 struct eapol_authenticator *eapol = hapd->eapol_auth; 216 struct eapol_state_machine *sm = sta->eapol_sm; 217 218 if (sm == NULL || !sm->eap_if->eapKeyData) 219 return; 220 221 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 222 MAC2STR(sta->addr)); 223 224#ifndef CONFIG_NO_VLAN 225 if (sta->vlan_id > 0) { 226 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 227 return; 228 } 229#endif /* CONFIG_NO_VLAN */ 230 231 if (eapol->default_wep_key) { 232 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 233 eapol->default_wep_key, 234 hapd->conf->default_wep_key_len); 235 } 236 237 if (hapd->conf->individual_wep_key_len > 0) { 238 u8 *ikey; 239 ikey = os_malloc(hapd->conf->individual_wep_key_len); 240 if (ikey == NULL || 241 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 242 { 243 wpa_printf(MSG_ERROR, "Could not generate random " 244 "individual WEP key."); 245 os_free(ikey); 246 return; 247 } 248 249 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 250 ikey, hapd->conf->individual_wep_key_len); 251 252 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 253 hapd->conf->individual_wep_key_len); 254 255 /* TODO: set encryption in TX callback, i.e., only after STA 256 * has ACKed EAPOL-Key frame */ 257 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 258 sta->addr, 0, 1, NULL, 0, ikey, 259 hapd->conf->individual_wep_key_len)) { 260 wpa_printf(MSG_ERROR, "Could not set individual WEP " 261 "encryption."); 262 } 263 264 os_free(ikey); 265 } 266} 267 268#endif /* CONFIG_NO_RC4 */ 269#endif /* CONFIG_FIPS */ 270 271 272const char *radius_mode_txt(struct hostapd_data *hapd) 273{ 274 switch (hapd->iface->conf->hw_mode) { 275 case HOSTAPD_MODE_IEEE80211AD: 276 return "802.11ad"; 277 case HOSTAPD_MODE_IEEE80211A: 278 return "802.11a"; 279 case HOSTAPD_MODE_IEEE80211G: 280 return "802.11g"; 281 case HOSTAPD_MODE_IEEE80211B: 282 default: 283 return "802.11b"; 284 } 285} 286 287 288int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 289{ 290 int i; 291 u8 rate = 0; 292 293 for (i = 0; i < sta->supported_rates_len; i++) 294 if ((sta->supported_rates[i] & 0x7f) > rate) 295 rate = sta->supported_rates[i] & 0x7f; 296 297 return rate; 298} 299 300 301#ifndef CONFIG_NO_RADIUS 302static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 303 struct eapol_state_machine *sm, 304 const u8 *eap, size_t len) 305{ 306 const u8 *identity; 307 size_t identity_len; 308 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 309 310 if (len <= sizeof(struct eap_hdr) || 311 (hdr->code == EAP_CODE_RESPONSE && 312 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 313 (hdr->code == EAP_CODE_INITIATE && 314 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 315 (hdr->code != EAP_CODE_RESPONSE && 316 hdr->code != EAP_CODE_INITIATE)) 317 return; 318 319 identity = eap_get_identity(sm->eap, &identity_len); 320 if (identity == NULL) 321 return; 322 323 /* Save station identity for future RADIUS packets */ 324 os_free(sm->identity); 325 sm->identity = (u8 *) dup_binstr(identity, identity_len); 326 if (sm->identity == NULL) { 327 sm->identity_len = 0; 328 return; 329 } 330 331 sm->identity_len = identity_len; 332 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 333 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 334 sm->dot1xAuthEapolRespIdFramesRx++; 335} 336 337 338static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 339 struct hostapd_radius_attr *req_attr, 340 struct sta_info *sta, 341 struct radius_msg *msg) 342{ 343 u32 suite; 344 int ver, val; 345 346 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 347 val = wpa_auth_get_pairwise(sta->wpa_sm); 348 suite = wpa_cipher_to_suite(ver, val); 349 if (val != -1 && 350 !hostapd_config_get_radius_attr(req_attr, 351 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 352 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 353 suite)) { 354 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 355 return -1; 356 } 357 358 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 359 hapd->conf->osen) ? 360 WPA_PROTO_RSN : WPA_PROTO_WPA, 361 hapd->conf->wpa_group); 362 if (!hostapd_config_get_radius_attr(req_attr, 363 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 364 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 365 suite)) { 366 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 367 return -1; 368 } 369 370 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 371 suite = wpa_akm_to_suite(val); 372 if (val != -1 && 373 !hostapd_config_get_radius_attr(req_attr, 374 RADIUS_ATTR_WLAN_AKM_SUITE) && 375 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 376 suite)) { 377 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 378 return -1; 379 } 380 381#ifdef CONFIG_IEEE80211W 382 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 383 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 384 hapd->conf->group_mgmt_cipher); 385 if (!hostapd_config_get_radius_attr( 386 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 387 !radius_msg_add_attr_int32( 388 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 389 wpa_printf(MSG_ERROR, 390 "Could not add WLAN-Group-Mgmt-Cipher"); 391 return -1; 392 } 393 } 394#endif /* CONFIG_IEEE80211W */ 395 396 return 0; 397} 398 399 400static int add_common_radius_sta_attr(struct hostapd_data *hapd, 401 struct hostapd_radius_attr *req_attr, 402 struct sta_info *sta, 403 struct radius_msg *msg) 404{ 405 char buf[128]; 406 407 if (!hostapd_config_get_radius_attr(req_attr, 408 RADIUS_ATTR_SERVICE_TYPE) && 409 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 410 RADIUS_SERVICE_TYPE_FRAMED)) { 411 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 412 return -1; 413 } 414 415 if (!hostapd_config_get_radius_attr(req_attr, 416 RADIUS_ATTR_NAS_PORT) && 417 sta->aid > 0 && 418 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 419 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 420 return -1; 421 } 422 423 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 424 MAC2STR(sta->addr)); 425 buf[sizeof(buf) - 1] = '\0'; 426 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 427 (u8 *) buf, os_strlen(buf))) { 428 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 429 return -1; 430 } 431 432 if (sta->flags & WLAN_STA_PREAUTH) { 433 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 434 sizeof(buf)); 435 } else { 436 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 437 radius_sta_rate(hapd, sta) / 2, 438 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 439 radius_mode_txt(hapd)); 440 buf[sizeof(buf) - 1] = '\0'; 441 } 442 if (!hostapd_config_get_radius_attr(req_attr, 443 RADIUS_ATTR_CONNECT_INFO) && 444 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 445 (u8 *) buf, os_strlen(buf))) { 446 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 447 return -1; 448 } 449 450 if (sta->acct_session_id) { 451 os_snprintf(buf, sizeof(buf), "%016llX", 452 (unsigned long long) sta->acct_session_id); 453 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 454 (u8 *) buf, os_strlen(buf))) { 455 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 456 return -1; 457 } 458 } 459 460 if ((hapd->conf->wpa & 2) && 461 !hapd->conf->disable_pmksa_caching && 462 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 463 os_snprintf(buf, sizeof(buf), "%016llX", 464 (unsigned long long) 465 sta->eapol_sm->acct_multi_session_id); 466 if (!radius_msg_add_attr( 467 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 468 (u8 *) buf, os_strlen(buf))) { 469 wpa_printf(MSG_INFO, 470 "Could not add Acct-Multi-Session-Id"); 471 return -1; 472 } 473 } 474 475#ifdef CONFIG_IEEE80211R 476 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 477 sta->wpa_sm && 478 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 479 sta->auth_alg == WLAN_AUTH_FT) && 480 !hostapd_config_get_radius_attr(req_attr, 481 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 482 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 483 WPA_GET_BE16( 484 hapd->conf->mobility_domain))) { 485 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 486 return -1; 487 } 488#endif /* CONFIG_IEEE80211R */ 489 490 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 491 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 492 return -1; 493 494 return 0; 495} 496 497 498int add_common_radius_attr(struct hostapd_data *hapd, 499 struct hostapd_radius_attr *req_attr, 500 struct sta_info *sta, 501 struct radius_msg *msg) 502{ 503 char buf[128]; 504 struct hostapd_radius_attr *attr; 505 int len; 506 507 if (!hostapd_config_get_radius_attr(req_attr, 508 RADIUS_ATTR_NAS_IP_ADDRESS) && 509 hapd->conf->own_ip_addr.af == AF_INET && 510 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 511 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 512 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 513 return -1; 514 } 515 516#ifdef CONFIG_IPV6 517 if (!hostapd_config_get_radius_attr(req_attr, 518 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 519 hapd->conf->own_ip_addr.af == AF_INET6 && 520 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 521 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 522 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 523 return -1; 524 } 525#endif /* CONFIG_IPV6 */ 526 527 if (!hostapd_config_get_radius_attr(req_attr, 528 RADIUS_ATTR_NAS_IDENTIFIER) && 529 hapd->conf->nas_identifier && 530 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 531 (u8 *) hapd->conf->nas_identifier, 532 os_strlen(hapd->conf->nas_identifier))) { 533 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 534 return -1; 535 } 536 537 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 538 MAC2STR(hapd->own_addr)); 539 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 540 hapd->conf->ssid.ssid_len); 541 len += hapd->conf->ssid.ssid_len; 542 if (!hostapd_config_get_radius_attr(req_attr, 543 RADIUS_ATTR_CALLED_STATION_ID) && 544 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 545 (u8 *) buf, len)) { 546 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 547 return -1; 548 } 549 550 if (!hostapd_config_get_radius_attr(req_attr, 551 RADIUS_ATTR_NAS_PORT_TYPE) && 552 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 553 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 554 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 555 return -1; 556 } 557 558#ifdef CONFIG_INTERWORKING 559 if (hapd->conf->interworking && 560 !is_zero_ether_addr(hapd->conf->hessid)) { 561 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 562 MAC2STR(hapd->conf->hessid)); 563 buf[sizeof(buf) - 1] = '\0'; 564 if (!hostapd_config_get_radius_attr(req_attr, 565 RADIUS_ATTR_WLAN_HESSID) && 566 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 567 (u8 *) buf, os_strlen(buf))) { 568 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 569 return -1; 570 } 571 } 572#endif /* CONFIG_INTERWORKING */ 573 574 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 575 return -1; 576 577 for (attr = req_attr; attr; attr = attr->next) { 578 if (!radius_msg_add_attr(msg, attr->type, 579 wpabuf_head(attr->val), 580 wpabuf_len(attr->val))) { 581 wpa_printf(MSG_ERROR, "Could not add RADIUS " 582 "attribute"); 583 return -1; 584 } 585 } 586 587 return 0; 588} 589 590 591static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 592 struct sta_info *sta, 593 const u8 *eap, size_t len) 594{ 595 struct radius_msg *msg; 596 struct eapol_state_machine *sm = sta->eapol_sm; 597 598 if (sm == NULL) 599 return; 600 601 ieee802_1x_learn_identity(hapd, sm, eap, len); 602 603 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 604 "packet"); 605 606 sm->radius_identifier = radius_client_get_id(hapd->radius); 607 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 608 sm->radius_identifier); 609 if (msg == NULL) { 610 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 611 return; 612 } 613 614 if (radius_msg_make_authenticator(msg) < 0) { 615 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 616 goto fail; 617 } 618 619 if (sm->identity && 620 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 621 sm->identity, sm->identity_len)) { 622 wpa_printf(MSG_INFO, "Could not add User-Name"); 623 goto fail; 624 } 625 626 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 627 msg) < 0) 628 goto fail; 629 630 /* TODO: should probably check MTU from driver config; 2304 is max for 631 * IEEE 802.11, but use 1400 to avoid problems with too large packets 632 */ 633 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 634 RADIUS_ATTR_FRAMED_MTU) && 635 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 636 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 637 goto fail; 638 } 639 640 if (!radius_msg_add_eap(msg, eap, len)) { 641 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 642 goto fail; 643 } 644 645 /* State attribute must be copied if and only if this packet is 646 * Access-Request reply to the previous Access-Challenge */ 647 if (sm->last_recv_radius && 648 radius_msg_get_hdr(sm->last_recv_radius)->code == 649 RADIUS_CODE_ACCESS_CHALLENGE) { 650 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 651 RADIUS_ATTR_STATE); 652 if (res < 0) { 653 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 654 goto fail; 655 } 656 if (res > 0) { 657 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 658 } 659 } 660 661 if (hapd->conf->radius_request_cui) { 662 const u8 *cui; 663 size_t cui_len; 664 /* Add previously learned CUI or nul CUI to request CUI */ 665 if (sm->radius_cui) { 666 cui = wpabuf_head(sm->radius_cui); 667 cui_len = wpabuf_len(sm->radius_cui); 668 } else { 669 cui = (const u8 *) "\0"; 670 cui_len = 1; 671 } 672 if (!radius_msg_add_attr(msg, 673 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 674 cui, cui_len)) { 675 wpa_printf(MSG_ERROR, "Could not add CUI"); 676 goto fail; 677 } 678 } 679 680#ifdef CONFIG_HS20 681 if (hapd->conf->hs20) { 682 u8 ver = 1; /* Release 2 */ 683 if (!radius_msg_add_wfa( 684 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 685 &ver, 1)) { 686 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 687 "version"); 688 goto fail; 689 } 690 691 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 692 const u8 *pos; 693 u8 buf[3]; 694 u16 id; 695 pos = wpabuf_head_u8(sta->hs20_ie); 696 buf[0] = (*pos) >> 4; 697 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 698 wpabuf_len(sta->hs20_ie) >= 3) 699 id = WPA_GET_LE16(pos + 1); 700 else 701 id = 0; 702 WPA_PUT_BE16(buf + 1, id); 703 if (!radius_msg_add_wfa( 704 msg, 705 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 706 buf, sizeof(buf))) { 707 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 708 "STA version"); 709 goto fail; 710 } 711 } 712 } 713#endif /* CONFIG_HS20 */ 714 715 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 716 goto fail; 717 718 return; 719 720 fail: 721 radius_msg_free(msg); 722} 723#endif /* CONFIG_NO_RADIUS */ 724 725 726static void handle_eap_response(struct hostapd_data *hapd, 727 struct sta_info *sta, struct eap_hdr *eap, 728 size_t len) 729{ 730 u8 type, *data; 731 struct eapol_state_machine *sm = sta->eapol_sm; 732 if (sm == NULL) 733 return; 734 735 data = (u8 *) (eap + 1); 736 737 if (len < sizeof(*eap) + 1) { 738 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 739 return; 740 } 741 742 sm->eap_type_supp = type = data[0]; 743 744 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 745 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 746 "id=%d len=%d) from STA: EAP Response-%s (%d)", 747 eap->code, eap->identifier, be_to_host16(eap->length), 748 eap_server_get_name(0, type), type); 749 750 sm->dot1xAuthEapolRespFramesRx++; 751 752 wpabuf_free(sm->eap_if->eapRespData); 753 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 754 sm->eapolEap = TRUE; 755} 756 757 758static void handle_eap_initiate(struct hostapd_data *hapd, 759 struct sta_info *sta, struct eap_hdr *eap, 760 size_t len) 761{ 762#ifdef CONFIG_ERP 763 u8 type, *data; 764 struct eapol_state_machine *sm = sta->eapol_sm; 765 766 if (sm == NULL) 767 return; 768 769 if (len < sizeof(*eap) + 1) { 770 wpa_printf(MSG_INFO, 771 "handle_eap_initiate: too short response data"); 772 return; 773 } 774 775 data = (u8 *) (eap + 1); 776 type = data[0]; 777 778 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 779 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 780 "id=%d len=%d) from STA: EAP Initiate type %u", 781 eap->code, eap->identifier, be_to_host16(eap->length), 782 type); 783 784 wpabuf_free(sm->eap_if->eapRespData); 785 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 786 sm->eapolEap = TRUE; 787#endif /* CONFIG_ERP */ 788} 789 790 791/* Process incoming EAP packet from Supplicant */ 792static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 793 u8 *buf, size_t len) 794{ 795 struct eap_hdr *eap; 796 u16 eap_len; 797 798 if (len < sizeof(*eap)) { 799 wpa_printf(MSG_INFO, " too short EAP packet"); 800 return; 801 } 802 803 eap = (struct eap_hdr *) buf; 804 805 eap_len = be_to_host16(eap->length); 806 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 807 eap->code, eap->identifier, eap_len); 808 if (eap_len < sizeof(*eap)) { 809 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 810 return; 811 } else if (eap_len > len) { 812 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 813 "packet"); 814 return; 815 } else if (eap_len < len) { 816 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 817 "packet", (unsigned long) len - eap_len); 818 } 819 820 switch (eap->code) { 821 case EAP_CODE_REQUEST: 822 wpa_printf(MSG_DEBUG, " (request)"); 823 return; 824 case EAP_CODE_RESPONSE: 825 wpa_printf(MSG_DEBUG, " (response)"); 826 handle_eap_response(hapd, sta, eap, eap_len); 827 break; 828 case EAP_CODE_SUCCESS: 829 wpa_printf(MSG_DEBUG, " (success)"); 830 return; 831 case EAP_CODE_FAILURE: 832 wpa_printf(MSG_DEBUG, " (failure)"); 833 return; 834 case EAP_CODE_INITIATE: 835 wpa_printf(MSG_DEBUG, " (initiate)"); 836 handle_eap_initiate(hapd, sta, eap, eap_len); 837 break; 838 case EAP_CODE_FINISH: 839 wpa_printf(MSG_DEBUG, " (finish)"); 840 break; 841 default: 842 wpa_printf(MSG_DEBUG, " (unknown code)"); 843 return; 844 } 845} 846 847 848static struct eapol_state_machine * 849ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 850{ 851 int flags = 0; 852 if (sta->flags & WLAN_STA_PREAUTH) 853 flags |= EAPOL_SM_PREAUTH; 854 if (sta->wpa_sm) { 855 flags |= EAPOL_SM_USES_WPA; 856 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 857 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 858 } 859 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 860 sta->wps_ie, sta->p2p_ie, sta, 861 sta->identity, sta->radius_cui); 862} 863 864 865static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 866 size_t len) 867{ 868 if (sta->pending_eapol_rx) { 869 wpabuf_free(sta->pending_eapol_rx->buf); 870 } else { 871 sta->pending_eapol_rx = 872 os_malloc(sizeof(*sta->pending_eapol_rx)); 873 if (!sta->pending_eapol_rx) 874 return; 875 } 876 877 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 878 if (!sta->pending_eapol_rx->buf) { 879 os_free(sta->pending_eapol_rx); 880 sta->pending_eapol_rx = NULL; 881 return; 882 } 883 884 os_get_reltime(&sta->pending_eapol_rx->rx_time); 885} 886 887 888/** 889 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 890 * @hapd: hostapd BSS data 891 * @sa: Source address (sender of the EAPOL frame) 892 * @buf: EAPOL frame 893 * @len: Length of buf in octets 894 * 895 * This function is called for each incoming EAPOL frame from the interface 896 */ 897void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 898 size_t len) 899{ 900 struct sta_info *sta; 901 struct ieee802_1x_hdr *hdr; 902 struct ieee802_1x_eapol_key *key; 903 u16 datalen; 904 struct rsn_pmksa_cache_entry *pmksa; 905 int key_mgmt; 906 907 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 908 !hapd->conf->wps_state) 909 return; 910 911 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 912 (unsigned long) len, MAC2STR(sa)); 913 sta = ap_get_sta(hapd, sa); 914 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 915 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 916 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 917 "associated/Pre-authenticating STA"); 918 919 if (sta && (sta->flags & WLAN_STA_AUTH)) { 920 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 921 " for later use", MAC2STR(sta->addr)); 922 ieee802_1x_save_eapol(sta, buf, len); 923 } 924 925 return; 926 } 927 928 if (len < sizeof(*hdr)) { 929 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 930 return; 931 } 932 933 hdr = (struct ieee802_1x_hdr *) buf; 934 datalen = be_to_host16(hdr->length); 935 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 936 hdr->version, hdr->type, datalen); 937 938 if (len - sizeof(*hdr) < datalen) { 939 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 940 if (sta->eapol_sm) 941 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 942 return; 943 } 944 if (len - sizeof(*hdr) > datalen) { 945 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 946 "IEEE 802.1X packet", 947 (unsigned long) len - sizeof(*hdr) - datalen); 948 } 949 950 if (sta->eapol_sm) { 951 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 952 sta->eapol_sm->dot1xAuthEapolFramesRx++; 953 } 954 955 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 956 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 957 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 958 (key->type == EAPOL_KEY_TYPE_WPA || 959 key->type == EAPOL_KEY_TYPE_RSN)) { 960 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 961 sizeof(*hdr) + datalen); 962 return; 963 } 964 965 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 966 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 967 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 968 "802.1X not enabled and WPS not used"); 969 return; 970 } 971 972 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 973 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 974 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 975 "STA is using PSK"); 976 return; 977 } 978 979 if (!sta->eapol_sm) { 980 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 981 if (!sta->eapol_sm) 982 return; 983 984#ifdef CONFIG_WPS 985 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 986 u32 wflags = sta->flags & (WLAN_STA_WPS | 987 WLAN_STA_WPS2 | 988 WLAN_STA_MAYBE_WPS); 989 if (wflags == WLAN_STA_MAYBE_WPS || 990 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 991 /* 992 * Delay EAPOL frame transmission until a 993 * possible WPS STA initiates the handshake 994 * with EAPOL-Start. Only allow the wait to be 995 * skipped if the STA is known to support WPS 996 * 2.0. 997 */ 998 wpa_printf(MSG_DEBUG, "WPS: Do not start " 999 "EAPOL until EAPOL-Start is " 1000 "received"); 1001 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1002 } 1003 } 1004#endif /* CONFIG_WPS */ 1005 1006 sta->eapol_sm->eap_if->portEnabled = TRUE; 1007 } 1008 1009 /* since we support version 1, we can ignore version field and proceed 1010 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1011 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1012 * does not change frame contents, so should be ok to process frames 1013 * more or less identically. Some changes might be needed for 1014 * verification of fields. */ 1015 1016 switch (hdr->type) { 1017 case IEEE802_1X_TYPE_EAP_PACKET: 1018 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1019 break; 1020 1021 case IEEE802_1X_TYPE_EAPOL_START: 1022 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1023 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 1024 "from STA"); 1025 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1026 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1027 if (pmksa) { 1028 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1029 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 1030 "available - ignore it since " 1031 "STA sent EAPOL-Start"); 1032 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1033 } 1034 sta->eapol_sm->eapolStart = TRUE; 1035 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1036 eap_server_clear_identity(sta->eapol_sm->eap); 1037 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1038 break; 1039 1040 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1041 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1042 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 1043 "from STA"); 1044 sta->acct_terminate_cause = 1045 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1046 accounting_sta_stop(hapd, sta); 1047 sta->eapol_sm->eapolLogoff = TRUE; 1048 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1049 eap_server_clear_identity(sta->eapol_sm->eap); 1050 break; 1051 1052 case IEEE802_1X_TYPE_EAPOL_KEY: 1053 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1054 if (!ap_sta_is_authorized(sta)) { 1055 wpa_printf(MSG_DEBUG, " Dropped key data from " 1056 "unauthorized Supplicant"); 1057 break; 1058 } 1059 break; 1060 1061 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1062 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1063 /* TODO: implement support for this; show data */ 1064 break; 1065 1066 default: 1067 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1068 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1069 break; 1070 } 1071 1072 eapol_auth_step(sta->eapol_sm); 1073} 1074 1075 1076/** 1077 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1078 * @hapd: hostapd BSS data 1079 * @sta: The station 1080 * 1081 * This function is called to start IEEE 802.1X authentication when a new 1082 * station completes IEEE 802.11 association. 1083 */ 1084void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1085{ 1086 struct rsn_pmksa_cache_entry *pmksa; 1087 int reassoc = 1; 1088 int force_1x = 0; 1089 int key_mgmt; 1090 1091#ifdef CONFIG_WPS 1092 if (hapd->conf->wps_state && 1093 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1094 (sta->flags & WLAN_STA_WPS))) { 1095 /* 1096 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1097 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1098 * authentication in this BSS. 1099 */ 1100 force_1x = 1; 1101 } 1102#endif /* CONFIG_WPS */ 1103 1104 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1105 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1106 "802.1X not enabled or forced for WPS"); 1107 /* 1108 * Clear any possible EAPOL authenticator state to support 1109 * reassociation change from WPS to PSK. 1110 */ 1111 ieee802_1x_free_station(hapd, sta); 1112 return; 1113 } 1114 1115 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1116 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1117 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1118 /* 1119 * Clear any possible EAPOL authenticator state to support 1120 * reassociation change from WPA-EAP to PSK. 1121 */ 1122 ieee802_1x_free_station(hapd, sta); 1123 return; 1124 } 1125 1126 if (sta->eapol_sm == NULL) { 1127 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1128 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1129 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1130 if (sta->eapol_sm == NULL) { 1131 hostapd_logger(hapd, sta->addr, 1132 HOSTAPD_MODULE_IEEE8021X, 1133 HOSTAPD_LEVEL_INFO, 1134 "failed to allocate state machine"); 1135 return; 1136 } 1137 reassoc = 0; 1138 } 1139 1140#ifdef CONFIG_WPS 1141 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1142 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1143 !(sta->flags & WLAN_STA_WPS2)) { 1144 /* 1145 * Delay EAPOL frame transmission until a possible WPS STA 1146 * initiates the handshake with EAPOL-Start. Only allow the 1147 * wait to be skipped if the STA is known to support WPS 2.0. 1148 */ 1149 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1150 "EAPOL-Start is received"); 1151 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1152 } 1153#endif /* CONFIG_WPS */ 1154 1155 sta->eapol_sm->eap_if->portEnabled = TRUE; 1156 1157#ifdef CONFIG_IEEE80211R 1158 if (sta->auth_alg == WLAN_AUTH_FT) { 1159 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1160 HOSTAPD_LEVEL_DEBUG, 1161 "PMK from FT - skip IEEE 802.1X/EAP"); 1162 /* Setup EAPOL state machines to already authenticated state 1163 * because of existing FT information from R0KH. */ 1164 sta->eapol_sm->keyRun = TRUE; 1165 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1166 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1167 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1168 sta->eapol_sm->authSuccess = TRUE; 1169 sta->eapol_sm->authFail = FALSE; 1170 sta->eapol_sm->portValid = TRUE; 1171 if (sta->eapol_sm->eap) 1172 eap_sm_notify_cached(sta->eapol_sm->eap); 1173 /* TODO: get vlan_id from R0KH using RRB message */ 1174 return; 1175 } 1176#endif /* CONFIG_IEEE80211R */ 1177 1178 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1179 if (pmksa) { 1180 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1181 HOSTAPD_LEVEL_DEBUG, 1182 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1183 /* Setup EAPOL state machines to already authenticated state 1184 * because of existing PMKSA information in the cache. */ 1185 sta->eapol_sm->keyRun = TRUE; 1186 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1187 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1188 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1189 sta->eapol_sm->authSuccess = TRUE; 1190 sta->eapol_sm->authFail = FALSE; 1191 if (sta->eapol_sm->eap) 1192 eap_sm_notify_cached(sta->eapol_sm->eap); 1193 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1194 ap_sta_bind_vlan(hapd, sta); 1195 } else { 1196 if (reassoc) { 1197 /* 1198 * Force EAPOL state machines to start 1199 * re-authentication without having to wait for the 1200 * Supplicant to send EAPOL-Start. 1201 */ 1202 sta->eapol_sm->reAuthenticate = TRUE; 1203 } 1204 eapol_auth_step(sta->eapol_sm); 1205 } 1206} 1207 1208 1209void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1210{ 1211 struct eapol_state_machine *sm = sta->eapol_sm; 1212 1213#ifdef CONFIG_HS20 1214 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1215#endif /* CONFIG_HS20 */ 1216 1217 if (sta->pending_eapol_rx) { 1218 wpabuf_free(sta->pending_eapol_rx->buf); 1219 os_free(sta->pending_eapol_rx); 1220 sta->pending_eapol_rx = NULL; 1221 } 1222 1223 if (sm == NULL) 1224 return; 1225 1226 sta->eapol_sm = NULL; 1227 1228#ifndef CONFIG_NO_RADIUS 1229 radius_msg_free(sm->last_recv_radius); 1230 radius_free_class(&sm->radius_class); 1231#endif /* CONFIG_NO_RADIUS */ 1232 1233 eapol_auth_free(sm); 1234} 1235 1236 1237#ifndef CONFIG_NO_RADIUS 1238static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1239 struct sta_info *sta) 1240{ 1241 struct wpabuf *eap; 1242 const struct eap_hdr *hdr; 1243 int eap_type = -1; 1244 char buf[64]; 1245 struct radius_msg *msg; 1246 struct eapol_state_machine *sm = sta->eapol_sm; 1247 1248 if (sm == NULL || sm->last_recv_radius == NULL) { 1249 if (sm) 1250 sm->eap_if->aaaEapNoReq = TRUE; 1251 return; 1252 } 1253 1254 msg = sm->last_recv_radius; 1255 1256 eap = radius_msg_get_eap(msg); 1257 if (eap == NULL) { 1258 /* RFC 3579, Chap. 2.6.3: 1259 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1260 * attribute */ 1261 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1262 HOSTAPD_LEVEL_WARNING, "could not extract " 1263 "EAP-Message from RADIUS message"); 1264 sm->eap_if->aaaEapNoReq = TRUE; 1265 return; 1266 } 1267 1268 if (wpabuf_len(eap) < sizeof(*hdr)) { 1269 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1270 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1271 "received from authentication server"); 1272 wpabuf_free(eap); 1273 sm->eap_if->aaaEapNoReq = TRUE; 1274 return; 1275 } 1276 1277 if (wpabuf_len(eap) > sizeof(*hdr)) 1278 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1279 1280 hdr = wpabuf_head(eap); 1281 switch (hdr->code) { 1282 case EAP_CODE_REQUEST: 1283 if (eap_type >= 0) 1284 sm->eap_type_authsrv = eap_type; 1285 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1286 eap_server_get_name(0, eap_type), eap_type); 1287 break; 1288 case EAP_CODE_RESPONSE: 1289 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1290 eap_server_get_name(0, eap_type), eap_type); 1291 break; 1292 case EAP_CODE_SUCCESS: 1293 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1294 break; 1295 case EAP_CODE_FAILURE: 1296 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1297 break; 1298 default: 1299 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1300 break; 1301 } 1302 buf[sizeof(buf) - 1] = '\0'; 1303 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1304 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1305 "id=%d len=%d) from RADIUS server: %s", 1306 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1307 buf); 1308 sm->eap_if->aaaEapReq = TRUE; 1309 1310 wpabuf_free(sm->eap_if->aaaEapReqData); 1311 sm->eap_if->aaaEapReqData = eap; 1312} 1313 1314 1315static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1316 struct sta_info *sta, struct radius_msg *msg, 1317 struct radius_msg *req, 1318 const u8 *shared_secret, 1319 size_t shared_secret_len) 1320{ 1321 struct radius_ms_mppe_keys *keys; 1322 struct eapol_state_machine *sm = sta->eapol_sm; 1323 if (sm == NULL) 1324 return; 1325 1326 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1327 shared_secret_len); 1328 1329 if (keys && keys->send && keys->recv) { 1330 size_t len = keys->send_len + keys->recv_len; 1331 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1332 keys->send, keys->send_len); 1333 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1334 keys->recv, keys->recv_len); 1335 1336 os_free(sm->eap_if->aaaEapKeyData); 1337 sm->eap_if->aaaEapKeyData = os_malloc(len); 1338 if (sm->eap_if->aaaEapKeyData) { 1339 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1340 keys->recv_len); 1341 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1342 keys->send, keys->send_len); 1343 sm->eap_if->aaaEapKeyDataLen = len; 1344 sm->eap_if->aaaEapKeyAvailable = TRUE; 1345 } 1346 } else { 1347 wpa_printf(MSG_DEBUG, 1348 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1349 keys, keys ? keys->send : NULL, 1350 keys ? keys->recv : NULL); 1351 } 1352 1353 if (keys) { 1354 os_free(keys->send); 1355 os_free(keys->recv); 1356 os_free(keys); 1357 } 1358} 1359 1360 1361static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1362 struct sta_info *sta, 1363 struct radius_msg *msg) 1364{ 1365 u8 *attr_class; 1366 size_t class_len; 1367 struct eapol_state_machine *sm = sta->eapol_sm; 1368 int count, i; 1369 struct radius_attr_data *nclass; 1370 size_t nclass_count; 1371 1372 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1373 sm == NULL) 1374 return; 1375 1376 radius_free_class(&sm->radius_class); 1377 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1378 if (count <= 0) 1379 return; 1380 1381 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1382 if (nclass == NULL) 1383 return; 1384 1385 nclass_count = 0; 1386 1387 attr_class = NULL; 1388 for (i = 0; i < count; i++) { 1389 do { 1390 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1391 &attr_class, &class_len, 1392 attr_class) < 0) { 1393 i = count; 1394 break; 1395 } 1396 } while (class_len < 1); 1397 1398 nclass[nclass_count].data = os_malloc(class_len); 1399 if (nclass[nclass_count].data == NULL) 1400 break; 1401 1402 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1403 nclass[nclass_count].len = class_len; 1404 nclass_count++; 1405 } 1406 1407 sm->radius_class.attr = nclass; 1408 sm->radius_class.count = nclass_count; 1409 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1410 "attributes for " MACSTR, 1411 (unsigned long) sm->radius_class.count, 1412 MAC2STR(sta->addr)); 1413} 1414 1415 1416/* Update sta->identity based on User-Name attribute in Access-Accept */ 1417static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1418 struct sta_info *sta, 1419 struct radius_msg *msg) 1420{ 1421 u8 *buf, *identity; 1422 size_t len; 1423 struct eapol_state_machine *sm = sta->eapol_sm; 1424 1425 if (sm == NULL) 1426 return; 1427 1428 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1429 NULL) < 0) 1430 return; 1431 1432 identity = (u8 *) dup_binstr(buf, len); 1433 if (identity == NULL) 1434 return; 1435 1436 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1437 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1438 "User-Name from Access-Accept '%s'", 1439 sm->identity ? (char *) sm->identity : "N/A", 1440 (char *) identity); 1441 1442 os_free(sm->identity); 1443 sm->identity = identity; 1444 sm->identity_len = len; 1445} 1446 1447 1448/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1449static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1450 struct sta_info *sta, 1451 struct radius_msg *msg) 1452{ 1453 struct eapol_state_machine *sm = sta->eapol_sm; 1454 struct wpabuf *cui; 1455 u8 *buf; 1456 size_t len; 1457 1458 if (sm == NULL) 1459 return; 1460 1461 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1462 &buf, &len, NULL) < 0) 1463 return; 1464 1465 cui = wpabuf_alloc_copy(buf, len); 1466 if (cui == NULL) 1467 return; 1468 1469 wpabuf_free(sm->radius_cui); 1470 sm->radius_cui = cui; 1471} 1472 1473 1474#ifdef CONFIG_HS20 1475 1476static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1477{ 1478 sta->remediation = 1; 1479 os_free(sta->remediation_url); 1480 if (len > 2) { 1481 sta->remediation_url = os_malloc(len); 1482 if (!sta->remediation_url) 1483 return; 1484 sta->remediation_method = pos[0]; 1485 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1486 sta->remediation_url[len - 1] = '\0'; 1487 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1488 "for " MACSTR " - server method %u URL %s", 1489 MAC2STR(sta->addr), sta->remediation_method, 1490 sta->remediation_url); 1491 } else { 1492 sta->remediation_url = NULL; 1493 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1494 "for " MACSTR, MAC2STR(sta->addr)); 1495 } 1496 /* TODO: assign the STA into remediation VLAN or add filtering */ 1497} 1498 1499 1500static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1501 struct sta_info *sta, u8 *pos, 1502 size_t len) 1503{ 1504 if (len < 3) 1505 return; /* Malformed information */ 1506 sta->hs20_deauth_requested = 1; 1507 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1508 "Re-auth Delay %u", 1509 *pos, WPA_GET_LE16(pos + 1)); 1510 wpabuf_free(sta->hs20_deauth_req); 1511 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1512 if (sta->hs20_deauth_req) { 1513 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1514 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1515 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1516 } 1517 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1518} 1519 1520 1521static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1522 struct sta_info *sta, u8 *pos, 1523 size_t len, int session_timeout) 1524{ 1525 unsigned int swt; 1526 int warning_time, beacon_int; 1527 1528 if (len < 1) 1529 return; /* Malformed information */ 1530 os_free(sta->hs20_session_info_url); 1531 sta->hs20_session_info_url = os_malloc(len); 1532 if (sta->hs20_session_info_url == NULL) 1533 return; 1534 swt = pos[0]; 1535 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1536 sta->hs20_session_info_url[len - 1] = '\0'; 1537 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1538 "(session_timeout=%d)", 1539 sta->hs20_session_info_url, swt, session_timeout); 1540 if (session_timeout < 0) { 1541 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1542 return; 1543 } 1544 if (swt == 255) 1545 swt = 1; /* Use one minute as the AP selected value */ 1546 1547 if ((unsigned int) session_timeout < swt * 60) 1548 warning_time = 0; 1549 else 1550 warning_time = session_timeout - swt * 60; 1551 1552 beacon_int = hapd->iconf->beacon_int; 1553 if (beacon_int < 1) 1554 beacon_int = 100; /* best guess */ 1555 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1556 if (sta->hs20_disassoc_timer > 65535) 1557 sta->hs20_disassoc_timer = 65535; 1558 1559 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1560} 1561 1562#endif /* CONFIG_HS20 */ 1563 1564 1565static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1566 struct sta_info *sta, 1567 struct radius_msg *msg, 1568 int session_timeout) 1569{ 1570#ifdef CONFIG_HS20 1571 u8 *buf, *pos, *end, type, sublen; 1572 size_t len; 1573 1574 buf = NULL; 1575 sta->remediation = 0; 1576 sta->hs20_deauth_requested = 0; 1577 1578 for (;;) { 1579 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1580 &buf, &len, buf) < 0) 1581 break; 1582 if (len < 6) 1583 continue; 1584 pos = buf; 1585 end = buf + len; 1586 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1587 continue; 1588 pos += 4; 1589 1590 type = *pos++; 1591 sublen = *pos++; 1592 if (sublen < 2) 1593 continue; /* invalid length */ 1594 sublen -= 2; /* skip header */ 1595 if (pos + sublen > end) 1596 continue; /* invalid WFA VSA */ 1597 1598 switch (type) { 1599 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1600 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1601 break; 1602 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1603 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1604 break; 1605 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1606 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1607 session_timeout); 1608 break; 1609 } 1610 } 1611#endif /* CONFIG_HS20 */ 1612} 1613 1614 1615struct sta_id_search { 1616 u8 identifier; 1617 struct eapol_state_machine *sm; 1618}; 1619 1620 1621static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1622 struct sta_info *sta, 1623 void *ctx) 1624{ 1625 struct sta_id_search *id_search = ctx; 1626 struct eapol_state_machine *sm = sta->eapol_sm; 1627 1628 if (sm && sm->radius_identifier >= 0 && 1629 sm->radius_identifier == id_search->identifier) { 1630 id_search->sm = sm; 1631 return 1; 1632 } 1633 return 0; 1634} 1635 1636 1637static struct eapol_state_machine * 1638ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1639{ 1640 struct sta_id_search id_search; 1641 id_search.identifier = identifier; 1642 id_search.sm = NULL; 1643 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1644 return id_search.sm; 1645} 1646 1647 1648/** 1649 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1650 * @msg: RADIUS response message 1651 * @req: RADIUS request message 1652 * @shared_secret: RADIUS shared secret 1653 * @shared_secret_len: Length of shared_secret in octets 1654 * @data: Context data (struct hostapd_data *) 1655 * Returns: Processing status 1656 */ 1657static RadiusRxResult 1658ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1659 const u8 *shared_secret, size_t shared_secret_len, 1660 void *data) 1661{ 1662 struct hostapd_data *hapd = data; 1663 struct sta_info *sta; 1664 u32 session_timeout = 0, termination_action, acct_interim_interval; 1665 int session_timeout_set; 1666 struct eapol_state_machine *sm; 1667 int override_eapReq = 0; 1668 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1669 struct vlan_description vlan_desc; 1670#ifndef CONFIG_NO_VLAN 1671 int *untagged, *tagged, *notempty; 1672#endif /* CONFIG_NO_VLAN */ 1673 1674 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1675 1676 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1677 if (sm == NULL) { 1678 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1679 "station for this RADIUS message"); 1680 return RADIUS_RX_UNKNOWN; 1681 } 1682 sta = sm->sta; 1683 1684 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1685 * present when packet contains an EAP-Message attribute */ 1686 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1687 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1688 0) < 0 && 1689 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1690 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1691 "Message-Authenticator since it does not include " 1692 "EAP-Message"); 1693 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1694 req, 1)) { 1695 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1696 return RADIUS_RX_INVALID_AUTHENTICATOR; 1697 } 1698 1699 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1700 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1701 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1702 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1703 return RADIUS_RX_UNKNOWN; 1704 } 1705 1706 sm->radius_identifier = -1; 1707 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1708 MAC2STR(sta->addr)); 1709 1710 radius_msg_free(sm->last_recv_radius); 1711 sm->last_recv_radius = msg; 1712 1713 session_timeout_set = 1714 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1715 &session_timeout); 1716 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1717 &termination_action)) 1718 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1719 1720 if (hapd->conf->acct_interim_interval == 0 && 1721 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1722 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1723 &acct_interim_interval) == 0) { 1724 if (acct_interim_interval < 60) { 1725 hostapd_logger(hapd, sta->addr, 1726 HOSTAPD_MODULE_IEEE8021X, 1727 HOSTAPD_LEVEL_INFO, 1728 "ignored too small " 1729 "Acct-Interim-Interval %d", 1730 acct_interim_interval); 1731 } else 1732 sta->acct_interim_interval = acct_interim_interval; 1733 } 1734 1735 1736 switch (hdr->code) { 1737 case RADIUS_CODE_ACCESS_ACCEPT: 1738#ifndef CONFIG_NO_VLAN 1739 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) { 1740 notempty = &vlan_desc.notempty; 1741 untagged = &vlan_desc.untagged; 1742 tagged = vlan_desc.tagged; 1743 *notempty = !!radius_msg_get_vlanid(msg, untagged, 1744 MAX_NUM_TAGGED_VLAN, 1745 tagged); 1746 } 1747 1748 if (vlan_desc.notempty && 1749 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1750 sta->eapol_sm->authFail = TRUE; 1751 hostapd_logger(hapd, sta->addr, 1752 HOSTAPD_MODULE_RADIUS, 1753 HOSTAPD_LEVEL_INFO, 1754 "Invalid VLAN %d%s received from RADIUS server", 1755 vlan_desc.untagged, 1756 vlan_desc.tagged[0] ? "+" : ""); 1757 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1758 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1759 break; 1760 } 1761 1762 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1763 !vlan_desc.notempty) { 1764 sta->eapol_sm->authFail = TRUE; 1765 hostapd_logger(hapd, sta->addr, 1766 HOSTAPD_MODULE_IEEE8021X, 1767 HOSTAPD_LEVEL_INFO, "authentication " 1768 "server did not include required VLAN " 1769 "ID in Access-Accept"); 1770 break; 1771 } 1772#endif /* CONFIG_NO_VLAN */ 1773 1774 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0) 1775 break; 1776 1777#ifndef CONFIG_NO_VLAN 1778 if (sta->vlan_id > 0) { 1779 hostapd_logger(hapd, sta->addr, 1780 HOSTAPD_MODULE_RADIUS, 1781 HOSTAPD_LEVEL_INFO, 1782 "VLAN ID %d", sta->vlan_id); 1783 } 1784#endif /* CONFIG_NO_VLAN */ 1785 1786 if ((sta->flags & WLAN_STA_ASSOC) && 1787 ap_sta_bind_vlan(hapd, sta) < 0) 1788 break; 1789 1790 sta->session_timeout_set = !!session_timeout_set; 1791 sta->session_timeout = session_timeout; 1792 1793 /* RFC 3580, Ch. 3.17 */ 1794 if (session_timeout_set && termination_action == 1795 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1796 sm->reAuthPeriod = session_timeout; 1797 } else if (session_timeout_set) 1798 ap_sta_session_timeout(hapd, sta, session_timeout); 1799 1800 sm->eap_if->aaaSuccess = TRUE; 1801 override_eapReq = 1; 1802 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1803 shared_secret_len); 1804 ieee802_1x_store_radius_class(hapd, sta, msg); 1805 ieee802_1x_update_sta_identity(hapd, sta, msg); 1806 ieee802_1x_update_sta_cui(hapd, sta, msg); 1807 ieee802_1x_check_hs20(hapd, sta, msg, 1808 session_timeout_set ? 1809 (int) session_timeout : -1); 1810 break; 1811 case RADIUS_CODE_ACCESS_REJECT: 1812 sm->eap_if->aaaFail = TRUE; 1813 override_eapReq = 1; 1814 break; 1815 case RADIUS_CODE_ACCESS_CHALLENGE: 1816 sm->eap_if->aaaEapReq = TRUE; 1817 if (session_timeout_set) { 1818 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1819 sm->eap_if->aaaMethodTimeout = session_timeout; 1820 hostapd_logger(hapd, sm->addr, 1821 HOSTAPD_MODULE_IEEE8021X, 1822 HOSTAPD_LEVEL_DEBUG, 1823 "using EAP timeout of %d seconds (from " 1824 "RADIUS)", 1825 sm->eap_if->aaaMethodTimeout); 1826 } else { 1827 /* 1828 * Use dynamic retransmission behavior per EAP 1829 * specification. 1830 */ 1831 sm->eap_if->aaaMethodTimeout = 0; 1832 } 1833 break; 1834 } 1835 1836 ieee802_1x_decapsulate_radius(hapd, sta); 1837 if (override_eapReq) 1838 sm->eap_if->aaaEapReq = FALSE; 1839 1840 eapol_auth_step(sm); 1841 1842 return RADIUS_RX_QUEUED; 1843} 1844#endif /* CONFIG_NO_RADIUS */ 1845 1846 1847void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1848{ 1849 struct eapol_state_machine *sm = sta->eapol_sm; 1850 if (sm == NULL) 1851 return; 1852 1853 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1854 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1855 1856#ifndef CONFIG_NO_RADIUS 1857 radius_msg_free(sm->last_recv_radius); 1858 sm->last_recv_radius = NULL; 1859#endif /* CONFIG_NO_RADIUS */ 1860 1861 if (sm->eap_if->eapTimeout) { 1862 /* 1863 * Disconnect the STA since it did not reply to the last EAP 1864 * request and we cannot continue EAP processing (EAP-Failure 1865 * could only be sent if the EAP peer actually replied). 1866 */ 1867 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1868 MAC2STR(sta->addr)); 1869 1870 sm->eap_if->portEnabled = FALSE; 1871 ap_sta_disconnect(hapd, sta, sta->addr, 1872 WLAN_REASON_PREV_AUTH_NOT_VALID); 1873 } 1874} 1875 1876 1877static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1878{ 1879 struct eapol_authenticator *eapol = hapd->eapol_auth; 1880 1881 if (hapd->conf->default_wep_key_len < 1) 1882 return 0; 1883 1884 os_free(eapol->default_wep_key); 1885 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1886 if (eapol->default_wep_key == NULL || 1887 random_get_bytes(eapol->default_wep_key, 1888 hapd->conf->default_wep_key_len)) { 1889 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1890 os_free(eapol->default_wep_key); 1891 eapol->default_wep_key = NULL; 1892 return -1; 1893 } 1894 1895 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1896 eapol->default_wep_key, 1897 hapd->conf->default_wep_key_len); 1898 1899 return 0; 1900} 1901 1902 1903static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1904 struct sta_info *sta, void *ctx) 1905{ 1906 if (sta->eapol_sm) { 1907 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1908 eapol_auth_step(sta->eapol_sm); 1909 } 1910 return 0; 1911} 1912 1913 1914static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1915{ 1916 struct hostapd_data *hapd = eloop_ctx; 1917 struct eapol_authenticator *eapol = hapd->eapol_auth; 1918 1919 if (eapol->default_wep_key_idx >= 3) 1920 eapol->default_wep_key_idx = 1921 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1922 else 1923 eapol->default_wep_key_idx++; 1924 1925 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1926 eapol->default_wep_key_idx); 1927 1928 if (ieee802_1x_rekey_broadcast(hapd)) { 1929 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1930 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1931 "new broadcast key"); 1932 os_free(eapol->default_wep_key); 1933 eapol->default_wep_key = NULL; 1934 return; 1935 } 1936 1937 /* TODO: Could setup key for RX here, but change default TX keyid only 1938 * after new broadcast key has been sent to all stations. */ 1939 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1940 broadcast_ether_addr, 1941 eapol->default_wep_key_idx, 1, NULL, 0, 1942 eapol->default_wep_key, 1943 hapd->conf->default_wep_key_len)) { 1944 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1945 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1946 "new broadcast key"); 1947 os_free(eapol->default_wep_key); 1948 eapol->default_wep_key = NULL; 1949 return; 1950 } 1951 1952 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1953 1954 if (hapd->conf->wep_rekeying_period > 0) { 1955 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1956 ieee802_1x_rekey, hapd, NULL); 1957 } 1958} 1959 1960 1961static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1962 const u8 *data, size_t datalen) 1963{ 1964#ifdef CONFIG_WPS 1965 struct sta_info *sta = sta_ctx; 1966 1967 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1968 WLAN_STA_MAYBE_WPS) { 1969 const u8 *identity; 1970 size_t identity_len; 1971 struct eapol_state_machine *sm = sta->eapol_sm; 1972 1973 identity = eap_get_identity(sm->eap, &identity_len); 1974 if (identity && 1975 ((identity_len == WSC_ID_ENROLLEE_LEN && 1976 os_memcmp(identity, WSC_ID_ENROLLEE, 1977 WSC_ID_ENROLLEE_LEN) == 0) || 1978 (identity_len == WSC_ID_REGISTRAR_LEN && 1979 os_memcmp(identity, WSC_ID_REGISTRAR, 1980 WSC_ID_REGISTRAR_LEN) == 0))) { 1981 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1982 "WLAN_STA_WPS"); 1983 sta->flags |= WLAN_STA_WPS; 1984 } 1985 } 1986#endif /* CONFIG_WPS */ 1987 1988 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1989} 1990 1991 1992static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1993 const u8 *data, size_t datalen) 1994{ 1995#ifndef CONFIG_NO_RADIUS 1996 struct hostapd_data *hapd = ctx; 1997 struct sta_info *sta = sta_ctx; 1998 1999 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 2000#endif /* CONFIG_NO_RADIUS */ 2001} 2002 2003 2004static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2005 int preauth, int remediation) 2006{ 2007 struct hostapd_data *hapd = ctx; 2008 struct sta_info *sta = sta_ctx; 2009 if (preauth) 2010 rsn_preauth_finished(hapd, sta, success); 2011 else 2012 ieee802_1x_finished(hapd, sta, success, remediation); 2013} 2014 2015 2016static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2017 size_t identity_len, int phase2, 2018 struct eap_user *user) 2019{ 2020 struct hostapd_data *hapd = ctx; 2021 const struct hostapd_eap_user *eap_user; 2022 int i; 2023 int rv = -1; 2024 2025 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2026 if (eap_user == NULL) 2027 goto out; 2028 2029 os_memset(user, 0, sizeof(*user)); 2030 user->phase2 = phase2; 2031 for (i = 0; i < EAP_MAX_METHODS; i++) { 2032 user->methods[i].vendor = eap_user->methods[i].vendor; 2033 user->methods[i].method = eap_user->methods[i].method; 2034 } 2035 2036 if (eap_user->password) { 2037 user->password = os_malloc(eap_user->password_len); 2038 if (user->password == NULL) 2039 goto out; 2040 os_memcpy(user->password, eap_user->password, 2041 eap_user->password_len); 2042 user->password_len = eap_user->password_len; 2043 user->password_hash = eap_user->password_hash; 2044 } 2045 user->force_version = eap_user->force_version; 2046 user->macacl = eap_user->macacl; 2047 user->ttls_auth = eap_user->ttls_auth; 2048 user->remediation = eap_user->remediation; 2049 rv = 0; 2050 2051out: 2052 if (rv) 2053 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2054 2055 return rv; 2056} 2057 2058 2059static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2060{ 2061 struct hostapd_data *hapd = ctx; 2062 struct sta_info *sta; 2063 sta = ap_get_sta(hapd, addr); 2064 if (sta == NULL || sta->eapol_sm == NULL) 2065 return 0; 2066 return 1; 2067} 2068 2069 2070static void ieee802_1x_logger(void *ctx, const u8 *addr, 2071 eapol_logger_level level, const char *txt) 2072{ 2073#ifndef CONFIG_NO_HOSTAPD_LOGGER 2074 struct hostapd_data *hapd = ctx; 2075 int hlevel; 2076 2077 switch (level) { 2078 case EAPOL_LOGGER_WARNING: 2079 hlevel = HOSTAPD_LEVEL_WARNING; 2080 break; 2081 case EAPOL_LOGGER_INFO: 2082 hlevel = HOSTAPD_LEVEL_INFO; 2083 break; 2084 case EAPOL_LOGGER_DEBUG: 2085 default: 2086 hlevel = HOSTAPD_LEVEL_DEBUG; 2087 break; 2088 } 2089 2090 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2091 txt); 2092#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2093} 2094 2095 2096static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2097 int authorized) 2098{ 2099 struct hostapd_data *hapd = ctx; 2100 struct sta_info *sta = sta_ctx; 2101 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2102} 2103 2104 2105static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2106{ 2107 struct hostapd_data *hapd = ctx; 2108 struct sta_info *sta = sta_ctx; 2109 ieee802_1x_abort_auth(hapd, sta); 2110} 2111 2112 2113static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2114{ 2115#ifndef CONFIG_FIPS 2116#ifndef CONFIG_NO_RC4 2117 struct hostapd_data *hapd = ctx; 2118 struct sta_info *sta = sta_ctx; 2119 ieee802_1x_tx_key(hapd, sta); 2120#endif /* CONFIG_NO_RC4 */ 2121#endif /* CONFIG_FIPS */ 2122} 2123 2124 2125static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2126 enum eapol_event type) 2127{ 2128 /* struct hostapd_data *hapd = ctx; */ 2129 struct sta_info *sta = sta_ctx; 2130 switch (type) { 2131 case EAPOL_AUTH_SM_CHANGE: 2132 wpa_auth_sm_notify(sta->wpa_sm); 2133 break; 2134 case EAPOL_AUTH_REAUTHENTICATE: 2135 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2136 break; 2137 } 2138} 2139 2140 2141#ifdef CONFIG_ERP 2142 2143static struct eap_server_erp_key * 2144ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2145{ 2146 struct hostapd_data *hapd = ctx; 2147 struct eap_server_erp_key *erp; 2148 2149 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2150 list) { 2151 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2152 return erp; 2153 } 2154 2155 return NULL; 2156} 2157 2158 2159static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2160{ 2161 struct hostapd_data *hapd = ctx; 2162 2163 dl_list_add(&hapd->erp_keys, &erp->list); 2164 return 0; 2165} 2166 2167#endif /* CONFIG_ERP */ 2168 2169 2170int ieee802_1x_init(struct hostapd_data *hapd) 2171{ 2172 int i; 2173 struct eapol_auth_config conf; 2174 struct eapol_auth_cb cb; 2175 2176 dl_list_init(&hapd->erp_keys); 2177 2178 os_memset(&conf, 0, sizeof(conf)); 2179 conf.ctx = hapd; 2180 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2181 conf.wpa = hapd->conf->wpa; 2182 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2183 conf.eap_server = hapd->conf->eap_server; 2184 conf.ssl_ctx = hapd->ssl_ctx; 2185 conf.msg_ctx = hapd->msg_ctx; 2186 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2187 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2188 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2189 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2190 conf.erp_domain = hapd->conf->erp_domain; 2191 conf.erp = hapd->conf->eap_server_erp; 2192 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2193 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2194 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2195 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2196 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2197 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2198 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2199 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2200 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2201 conf.tnc = hapd->conf->tnc; 2202 conf.wps = hapd->wps; 2203 conf.fragment_size = hapd->conf->fragment_size; 2204 conf.pwd_group = hapd->conf->pwd_group; 2205 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2206 if (hapd->conf->server_id) { 2207 conf.server_id = (const u8 *) hapd->conf->server_id; 2208 conf.server_id_len = os_strlen(hapd->conf->server_id); 2209 } else { 2210 conf.server_id = (const u8 *) "hostapd"; 2211 conf.server_id_len = 7; 2212 } 2213 2214 os_memset(&cb, 0, sizeof(cb)); 2215 cb.eapol_send = ieee802_1x_eapol_send; 2216 cb.aaa_send = ieee802_1x_aaa_send; 2217 cb.finished = _ieee802_1x_finished; 2218 cb.get_eap_user = ieee802_1x_get_eap_user; 2219 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2220 cb.logger = ieee802_1x_logger; 2221 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2222 cb.abort_auth = _ieee802_1x_abort_auth; 2223 cb.tx_key = _ieee802_1x_tx_key; 2224 cb.eapol_event = ieee802_1x_eapol_event; 2225#ifdef CONFIG_ERP 2226 cb.erp_get_key = ieee802_1x_erp_get_key; 2227 cb.erp_add_key = ieee802_1x_erp_add_key; 2228#endif /* CONFIG_ERP */ 2229 2230 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2231 if (hapd->eapol_auth == NULL) 2232 return -1; 2233 2234 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2235 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2236 return -1; 2237 2238#ifndef CONFIG_NO_RADIUS 2239 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2240 ieee802_1x_receive_auth, hapd)) 2241 return -1; 2242#endif /* CONFIG_NO_RADIUS */ 2243 2244 if (hapd->conf->default_wep_key_len) { 2245 for (i = 0; i < 4; i++) 2246 hostapd_drv_set_key(hapd->conf->iface, hapd, 2247 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2248 NULL, 0); 2249 2250 ieee802_1x_rekey(hapd, NULL); 2251 2252 if (hapd->eapol_auth->default_wep_key == NULL) 2253 return -1; 2254 } 2255 2256 return 0; 2257} 2258 2259 2260void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2261{ 2262 struct eap_server_erp_key *erp; 2263 2264 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2265 list)) != NULL) { 2266 dl_list_del(&erp->list); 2267 bin_clear_free(erp, sizeof(*erp)); 2268 } 2269} 2270 2271 2272void ieee802_1x_deinit(struct hostapd_data *hapd) 2273{ 2274 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2275 2276 if (hapd->driver && hapd->drv_priv && 2277 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2278 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2279 2280 eapol_auth_deinit(hapd->eapol_auth); 2281 hapd->eapol_auth = NULL; 2282 2283 ieee802_1x_erp_flush(hapd); 2284} 2285 2286 2287int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2288 const u8 *buf, size_t len, int ack) 2289{ 2290 struct ieee80211_hdr *hdr; 2291 u8 *pos; 2292 const unsigned char rfc1042_hdr[ETH_ALEN] = 2293 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2294 2295 if (sta == NULL) 2296 return -1; 2297 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2298 return 0; 2299 2300 hdr = (struct ieee80211_hdr *) buf; 2301 pos = (u8 *) (hdr + 1); 2302 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2303 return 0; 2304 pos += sizeof(rfc1042_hdr); 2305 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2306 return 0; 2307 pos += 2; 2308 2309 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2310 ack); 2311} 2312 2313 2314int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2315 const u8 *buf, int len, int ack) 2316{ 2317 const struct ieee802_1x_hdr *xhdr = 2318 (const struct ieee802_1x_hdr *) buf; 2319 const u8 *pos = buf + sizeof(*xhdr); 2320 struct ieee802_1x_eapol_key *key; 2321 2322 if (len < (int) sizeof(*xhdr)) 2323 return 0; 2324 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2325 "type=%d length=%d - ack=%d", 2326 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2327 be_to_host16(xhdr->length), ack); 2328 2329 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2330 return 0; 2331 2332 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2333 const struct wpa_eapol_key *wpa; 2334 wpa = (const struct wpa_eapol_key *) pos; 2335 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2336 wpa->type == EAPOL_KEY_TYPE_WPA) 2337 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2338 sta->wpa_sm, ack); 2339 } 2340 2341 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2342 * or Authenticator state machines, but EAPOL-Key packets are not 2343 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2344 * packets couple of times because otherwise STA keys become 2345 * unsynchronized with AP. */ 2346 if (!ack && pos + sizeof(*key) <= buf + len) { 2347 key = (struct ieee802_1x_eapol_key *) pos; 2348 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2349 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2350 "frame (%scast index=%d)", 2351 key->key_index & BIT(7) ? "uni" : "broad", 2352 key->key_index & ~BIT(7)); 2353 /* TODO: re-send EAPOL-Key couple of times (with short delay 2354 * between them?). If all attempt fail, report error and 2355 * deauthenticate STA so that it will get new keys when 2356 * authenticating again (e.g., after returning in range). 2357 * Separate limit/transmit state needed both for unicast and 2358 * broadcast keys(?) */ 2359 } 2360 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2361 * to here and change the key only if the EAPOL-Key packet was Acked. 2362 */ 2363 2364 return 1; 2365} 2366 2367 2368u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2369{ 2370 if (sm == NULL || sm->identity == NULL) 2371 return NULL; 2372 2373 *len = sm->identity_len; 2374 return sm->identity; 2375} 2376 2377 2378u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2379 int idx) 2380{ 2381 if (sm == NULL || sm->radius_class.attr == NULL || 2382 idx >= (int) sm->radius_class.count) 2383 return NULL; 2384 2385 *len = sm->radius_class.attr[idx].len; 2386 return sm->radius_class.attr[idx].data; 2387} 2388 2389 2390struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2391{ 2392 if (sm == NULL) 2393 return NULL; 2394 return sm->radius_cui; 2395} 2396 2397 2398const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2399{ 2400 *len = 0; 2401 if (sm == NULL) 2402 return NULL; 2403 2404 *len = sm->eap_if->eapKeyDataLen; 2405 return sm->eap_if->eapKeyData; 2406} 2407 2408 2409void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2410 int enabled) 2411{ 2412 if (sm == NULL) 2413 return; 2414 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2415 eapol_auth_step(sm); 2416} 2417 2418 2419void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2420 int valid) 2421{ 2422 if (sm == NULL) 2423 return; 2424 sm->portValid = valid ? TRUE : FALSE; 2425 eapol_auth_step(sm); 2426} 2427 2428 2429void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2430{ 2431 if (sm == NULL) 2432 return; 2433 if (pre_auth) 2434 sm->flags |= EAPOL_SM_PREAUTH; 2435 else 2436 sm->flags &= ~EAPOL_SM_PREAUTH; 2437} 2438 2439 2440static const char * bool_txt(Boolean val) 2441{ 2442 return val ? "TRUE" : "FALSE"; 2443} 2444 2445 2446int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2447{ 2448 /* TODO */ 2449 return 0; 2450} 2451 2452 2453int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2454 char *buf, size_t buflen) 2455{ 2456 int len = 0, ret; 2457 struct eapol_state_machine *sm = sta->eapol_sm; 2458 struct os_reltime diff; 2459 const char *name1; 2460 const char *name2; 2461 2462 if (sm == NULL) 2463 return 0; 2464 2465 ret = os_snprintf(buf + len, buflen - len, 2466 "dot1xPaePortNumber=%d\n" 2467 "dot1xPaePortProtocolVersion=%d\n" 2468 "dot1xPaePortCapabilities=1\n" 2469 "dot1xPaePortInitialize=%d\n" 2470 "dot1xPaePortReauthenticate=FALSE\n", 2471 sta->aid, 2472 EAPOL_VERSION, 2473 sm->initialize); 2474 if (os_snprintf_error(buflen - len, ret)) 2475 return len; 2476 len += ret; 2477 2478 /* dot1xAuthConfigTable */ 2479 ret = os_snprintf(buf + len, buflen - len, 2480 "dot1xAuthPaeState=%d\n" 2481 "dot1xAuthBackendAuthState=%d\n" 2482 "dot1xAuthAdminControlledDirections=%d\n" 2483 "dot1xAuthOperControlledDirections=%d\n" 2484 "dot1xAuthAuthControlledPortStatus=%d\n" 2485 "dot1xAuthAuthControlledPortControl=%d\n" 2486 "dot1xAuthQuietPeriod=%u\n" 2487 "dot1xAuthServerTimeout=%u\n" 2488 "dot1xAuthReAuthPeriod=%u\n" 2489 "dot1xAuthReAuthEnabled=%s\n" 2490 "dot1xAuthKeyTxEnabled=%s\n", 2491 sm->auth_pae_state + 1, 2492 sm->be_auth_state + 1, 2493 sm->adminControlledDirections, 2494 sm->operControlledDirections, 2495 sm->authPortStatus, 2496 sm->portControl, 2497 sm->quietPeriod, 2498 sm->serverTimeout, 2499 sm->reAuthPeriod, 2500 bool_txt(sm->reAuthEnabled), 2501 bool_txt(sm->keyTxEnabled)); 2502 if (os_snprintf_error(buflen - len, ret)) 2503 return len; 2504 len += ret; 2505 2506 /* dot1xAuthStatsTable */ 2507 ret = os_snprintf(buf + len, buflen - len, 2508 "dot1xAuthEapolFramesRx=%u\n" 2509 "dot1xAuthEapolFramesTx=%u\n" 2510 "dot1xAuthEapolStartFramesRx=%u\n" 2511 "dot1xAuthEapolLogoffFramesRx=%u\n" 2512 "dot1xAuthEapolRespIdFramesRx=%u\n" 2513 "dot1xAuthEapolRespFramesRx=%u\n" 2514 "dot1xAuthEapolReqIdFramesTx=%u\n" 2515 "dot1xAuthEapolReqFramesTx=%u\n" 2516 "dot1xAuthInvalidEapolFramesRx=%u\n" 2517 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2518 "dot1xAuthLastEapolFrameVersion=%u\n" 2519 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2520 sm->dot1xAuthEapolFramesRx, 2521 sm->dot1xAuthEapolFramesTx, 2522 sm->dot1xAuthEapolStartFramesRx, 2523 sm->dot1xAuthEapolLogoffFramesRx, 2524 sm->dot1xAuthEapolRespIdFramesRx, 2525 sm->dot1xAuthEapolRespFramesRx, 2526 sm->dot1xAuthEapolReqIdFramesTx, 2527 sm->dot1xAuthEapolReqFramesTx, 2528 sm->dot1xAuthInvalidEapolFramesRx, 2529 sm->dot1xAuthEapLengthErrorFramesRx, 2530 sm->dot1xAuthLastEapolFrameVersion, 2531 MAC2STR(sm->addr)); 2532 if (os_snprintf_error(buflen - len, ret)) 2533 return len; 2534 len += ret; 2535 2536 /* dot1xAuthDiagTable */ 2537 ret = os_snprintf(buf + len, buflen - len, 2538 "dot1xAuthEntersConnecting=%u\n" 2539 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2540 "dot1xAuthEntersAuthenticating=%u\n" 2541 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2542 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2543 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2544 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2545 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2546 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2547 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2548 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2549 "dot1xAuthBackendResponses=%u\n" 2550 "dot1xAuthBackendAccessChallenges=%u\n" 2551 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2552 "dot1xAuthBackendAuthSuccesses=%u\n" 2553 "dot1xAuthBackendAuthFails=%u\n", 2554 sm->authEntersConnecting, 2555 sm->authEapLogoffsWhileConnecting, 2556 sm->authEntersAuthenticating, 2557 sm->authAuthSuccessesWhileAuthenticating, 2558 sm->authAuthTimeoutsWhileAuthenticating, 2559 sm->authAuthFailWhileAuthenticating, 2560 sm->authAuthEapStartsWhileAuthenticating, 2561 sm->authAuthEapLogoffWhileAuthenticating, 2562 sm->authAuthReauthsWhileAuthenticated, 2563 sm->authAuthEapStartsWhileAuthenticated, 2564 sm->authAuthEapLogoffWhileAuthenticated, 2565 sm->backendResponses, 2566 sm->backendAccessChallenges, 2567 sm->backendOtherRequestsToSupplicant, 2568 sm->backendAuthSuccesses, 2569 sm->backendAuthFails); 2570 if (os_snprintf_error(buflen - len, ret)) 2571 return len; 2572 len += ret; 2573 2574 /* dot1xAuthSessionStatsTable */ 2575 os_reltime_age(&sta->acct_session_start, &diff); 2576 ret = os_snprintf(buf + len, buflen - len, 2577 /* TODO: dot1xAuthSessionOctetsRx */ 2578 /* TODO: dot1xAuthSessionOctetsTx */ 2579 /* TODO: dot1xAuthSessionFramesRx */ 2580 /* TODO: dot1xAuthSessionFramesTx */ 2581 "dot1xAuthSessionId=%016llX\n" 2582 "dot1xAuthSessionAuthenticMethod=%d\n" 2583 "dot1xAuthSessionTime=%u\n" 2584 "dot1xAuthSessionTerminateCause=999\n" 2585 "dot1xAuthSessionUserName=%s\n", 2586 (unsigned long long) sta->acct_session_id, 2587 (wpa_key_mgmt_wpa_ieee8021x( 2588 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2589 1 : 2, 2590 (unsigned int) diff.sec, 2591 sm->identity); 2592 if (os_snprintf_error(buflen - len, ret)) 2593 return len; 2594 len += ret; 2595 2596 if (sm->acct_multi_session_id) { 2597 ret = os_snprintf(buf + len, buflen - len, 2598 "authMultiSessionId=%016llX\n", 2599 (unsigned long long) 2600 sm->acct_multi_session_id); 2601 if (os_snprintf_error(buflen - len, ret)) 2602 return len; 2603 len += ret; 2604 } 2605 2606 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2607 name2 = eap_server_get_name(0, sm->eap_type_supp); 2608 ret = os_snprintf(buf + len, buflen - len, 2609 "last_eap_type_as=%d (%s)\n" 2610 "last_eap_type_sta=%d (%s)\n", 2611 sm->eap_type_authsrv, name1, 2612 sm->eap_type_supp, name2); 2613 if (os_snprintf_error(buflen - len, ret)) 2614 return len; 2615 len += ret; 2616 2617 return len; 2618} 2619 2620 2621#ifdef CONFIG_HS20 2622static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2623{ 2624 struct hostapd_data *hapd = eloop_ctx; 2625 struct sta_info *sta = timeout_ctx; 2626 2627 if (sta->remediation) { 2628 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2629 MACSTR " to indicate Subscription Remediation", 2630 MAC2STR(sta->addr)); 2631 hs20_send_wnm_notification(hapd, sta->addr, 2632 sta->remediation_method, 2633 sta->remediation_url); 2634 os_free(sta->remediation_url); 2635 sta->remediation_url = NULL; 2636 } 2637 2638 if (sta->hs20_deauth_req) { 2639 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2640 MACSTR " to indicate imminent deauthentication", 2641 MAC2STR(sta->addr)); 2642 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2643 sta->hs20_deauth_req); 2644 } 2645} 2646#endif /* CONFIG_HS20 */ 2647 2648 2649static void ieee802_1x_finished(struct hostapd_data *hapd, 2650 struct sta_info *sta, int success, 2651 int remediation) 2652{ 2653 const u8 *key; 2654 size_t len; 2655 /* TODO: get PMKLifetime from WPA parameters */ 2656 static const int dot11RSNAConfigPMKLifetime = 43200; 2657 unsigned int session_timeout; 2658 2659#ifdef CONFIG_HS20 2660 if (remediation && !sta->remediation) { 2661 sta->remediation = 1; 2662 os_free(sta->remediation_url); 2663 sta->remediation_url = 2664 os_strdup(hapd->conf->subscr_remediation_url); 2665 sta->remediation_method = 1; /* SOAP-XML SPP */ 2666 } 2667 2668 if (success && (sta->remediation || sta->hs20_deauth_req)) { 2669 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2670 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2671 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2672 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2673 hapd, sta); 2674 } 2675#endif /* CONFIG_HS20 */ 2676 2677 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2678 if (sta->session_timeout_set) 2679 session_timeout = sta->session_timeout; 2680 else 2681 session_timeout = dot11RSNAConfigPMKLifetime; 2682 if (success && key && len >= PMK_LEN && !sta->remediation && 2683 !sta->hs20_deauth_requested && 2684 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2685 sta->eapol_sm) == 0) { 2686 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2687 HOSTAPD_LEVEL_DEBUG, 2688 "Added PMKSA cache entry (IEEE 802.1X)"); 2689 } 2690 2691 if (!success) { 2692 /* 2693 * Many devices require deauthentication after WPS provisioning 2694 * and some may not be be able to do that themselves, so 2695 * disconnect the client here. In addition, this may also 2696 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2697 * the EAPOL PAE state machine would remain in HELD state for 2698 * considerable amount of time and some EAP methods, like 2699 * EAP-FAST with anonymous provisioning, may require another 2700 * EAPOL authentication to be started to complete connection. 2701 */ 2702 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2703 "disconnection after EAP-Failure"); 2704 /* Add a small sleep to increase likelihood of previously 2705 * requested EAP-Failure TX getting out before this should the 2706 * driver reorder operations. 2707 */ 2708 os_sleep(0, 10000); 2709 ap_sta_disconnect(hapd, sta, sta->addr, 2710 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2711 hostapd_wps_eap_completed(hapd); 2712 } 2713} 2714