ieee802_1x.c revision de47be75037bccd4a11b62eedb3d4aed1b36fa67
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "wps_hostapd.h" 33#include "hs20.h" 34#include "ieee802_1x.h" 35 36 37#ifdef CONFIG_HS20 38static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 39#endif /* CONFIG_HS20 */ 40static void ieee802_1x_finished(struct hostapd_data *hapd, 41 struct sta_info *sta, int success, 42 int remediation); 43 44 45static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 46 u8 type, const u8 *data, size_t datalen) 47{ 48 u8 *buf; 49 struct ieee802_1x_hdr *xhdr; 50 size_t len; 51 int encrypt = 0; 52 53 len = sizeof(*xhdr) + datalen; 54 buf = os_zalloc(len); 55 if (buf == NULL) { 56 wpa_printf(MSG_ERROR, "malloc() failed for " 57 "ieee802_1x_send(len=%lu)", 58 (unsigned long) len); 59 return; 60 } 61 62 xhdr = (struct ieee802_1x_hdr *) buf; 63 xhdr->version = hapd->conf->eapol_version; 64 xhdr->type = type; 65 xhdr->length = host_to_be16(datalen); 66 67 if (datalen > 0 && data != NULL) 68 os_memcpy(xhdr + 1, data, datalen); 69 70 if (wpa_auth_pairwise_set(sta->wpa_sm)) 71 encrypt = 1; 72#ifdef CONFIG_TESTING_OPTIONS 73 if (hapd->ext_eapol_frame_io) { 74 size_t hex_len = 2 * len + 1; 75 char *hex = os_malloc(hex_len); 76 77 if (hex) { 78 wpa_snprintf_hex(hex, hex_len, buf, len); 79 wpa_msg(hapd->msg_ctx, MSG_INFO, 80 "EAPOL-TX " MACSTR " %s", 81 MAC2STR(sta->addr), hex); 82 os_free(hex); 83 } 84 } else 85#endif /* CONFIG_TESTING_OPTIONS */ 86 if (sta->flags & WLAN_STA_PREAUTH) { 87 rsn_preauth_send(hapd, sta, buf, len); 88 } else { 89 hostapd_drv_hapd_send_eapol( 90 hapd, sta->addr, buf, len, 91 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 92 } 93 94 os_free(buf); 95} 96 97 98void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 99 struct sta_info *sta, int authorized) 100{ 101 int res; 102 103 if (sta->flags & WLAN_STA_PREAUTH) 104 return; 105 106 if (authorized) { 107 ap_sta_set_authorized(hapd, sta, 1); 108 res = hostapd_set_authorized(hapd, sta, 1); 109 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 110 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 111 } else { 112 ap_sta_set_authorized(hapd, sta, 0); 113 res = hostapd_set_authorized(hapd, sta, 0); 114 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 115 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 116 } 117 118 if (res && errno != ENOENT) { 119 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 120 " flags for kernel driver (errno=%d).", 121 MAC2STR(sta->addr), errno); 122 } 123 124 if (authorized) { 125 os_get_reltime(&sta->connected_time); 126 accounting_sta_start(hapd, sta); 127 } 128} 129 130 131#ifndef CONFIG_FIPS 132#ifndef CONFIG_NO_RC4 133 134static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 135 struct sta_info *sta, 136 int idx, int broadcast, 137 u8 *key_data, size_t key_len) 138{ 139 u8 *buf, *ekey; 140 struct ieee802_1x_hdr *hdr; 141 struct ieee802_1x_eapol_key *key; 142 size_t len, ekey_len; 143 struct eapol_state_machine *sm = sta->eapol_sm; 144 145 if (sm == NULL) 146 return; 147 148 len = sizeof(*key) + key_len; 149 buf = os_zalloc(sizeof(*hdr) + len); 150 if (buf == NULL) 151 return; 152 153 hdr = (struct ieee802_1x_hdr *) buf; 154 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 155 key->type = EAPOL_KEY_TYPE_RC4; 156 WPA_PUT_BE16(key->key_length, key_len); 157 wpa_get_ntp_timestamp(key->replay_counter); 158 159 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 160 wpa_printf(MSG_ERROR, "Could not get random numbers"); 161 os_free(buf); 162 return; 163 } 164 165 key->key_index = idx | (broadcast ? 0 : BIT(7)); 166 if (hapd->conf->eapol_key_index_workaround) { 167 /* According to some information, WinXP Supplicant seems to 168 * interpret bit7 as an indication whether the key is to be 169 * activated, so make it possible to enable workaround that 170 * sets this bit for all keys. */ 171 key->key_index |= BIT(7); 172 } 173 174 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 175 * MSK[32..63] is used to sign the message. */ 176 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 177 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 178 "and signing EAPOL-Key"); 179 os_free(buf); 180 return; 181 } 182 os_memcpy((u8 *) (key + 1), key_data, key_len); 183 ekey_len = sizeof(key->key_iv) + 32; 184 ekey = os_malloc(ekey_len); 185 if (ekey == NULL) { 186 wpa_printf(MSG_ERROR, "Could not encrypt key"); 187 os_free(buf); 188 return; 189 } 190 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 191 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 192 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 193 os_free(ekey); 194 195 /* This header is needed here for HMAC-MD5, but it will be regenerated 196 * in ieee802_1x_send() */ 197 hdr->version = hapd->conf->eapol_version; 198 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 199 hdr->length = host_to_be16(len); 200 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 201 key->key_signature); 202 203 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 204 " (%s index=%d)", MAC2STR(sm->addr), 205 broadcast ? "broadcast" : "unicast", idx); 206 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 207 if (sta->eapol_sm) 208 sta->eapol_sm->dot1xAuthEapolFramesTx++; 209 os_free(buf); 210} 211 212 213static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 214{ 215 struct eapol_authenticator *eapol = hapd->eapol_auth; 216 struct eapol_state_machine *sm = sta->eapol_sm; 217 218 if (sm == NULL || !sm->eap_if->eapKeyData) 219 return; 220 221 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 222 MAC2STR(sta->addr)); 223 224#ifndef CONFIG_NO_VLAN 225 if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 226 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 227 return; 228 } 229#endif /* CONFIG_NO_VLAN */ 230 231 if (eapol->default_wep_key) { 232 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 233 eapol->default_wep_key, 234 hapd->conf->default_wep_key_len); 235 } 236 237 if (hapd->conf->individual_wep_key_len > 0) { 238 u8 *ikey; 239 ikey = os_malloc(hapd->conf->individual_wep_key_len); 240 if (ikey == NULL || 241 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 242 { 243 wpa_printf(MSG_ERROR, "Could not generate random " 244 "individual WEP key."); 245 os_free(ikey); 246 return; 247 } 248 249 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 250 ikey, hapd->conf->individual_wep_key_len); 251 252 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 253 hapd->conf->individual_wep_key_len); 254 255 /* TODO: set encryption in TX callback, i.e., only after STA 256 * has ACKed EAPOL-Key frame */ 257 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 258 sta->addr, 0, 1, NULL, 0, ikey, 259 hapd->conf->individual_wep_key_len)) { 260 wpa_printf(MSG_ERROR, "Could not set individual WEP " 261 "encryption."); 262 } 263 264 os_free(ikey); 265 } 266} 267 268#endif /* CONFIG_NO_RC4 */ 269#endif /* CONFIG_FIPS */ 270 271 272const char *radius_mode_txt(struct hostapd_data *hapd) 273{ 274 switch (hapd->iface->conf->hw_mode) { 275 case HOSTAPD_MODE_IEEE80211AD: 276 return "802.11ad"; 277 case HOSTAPD_MODE_IEEE80211A: 278 return "802.11a"; 279 case HOSTAPD_MODE_IEEE80211G: 280 return "802.11g"; 281 case HOSTAPD_MODE_IEEE80211B: 282 default: 283 return "802.11b"; 284 } 285} 286 287 288int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 289{ 290 int i; 291 u8 rate = 0; 292 293 for (i = 0; i < sta->supported_rates_len; i++) 294 if ((sta->supported_rates[i] & 0x7f) > rate) 295 rate = sta->supported_rates[i] & 0x7f; 296 297 return rate; 298} 299 300 301#ifndef CONFIG_NO_RADIUS 302static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 303 struct eapol_state_machine *sm, 304 const u8 *eap, size_t len) 305{ 306 const u8 *identity; 307 size_t identity_len; 308 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 309 310 if (len <= sizeof(struct eap_hdr) || 311 (hdr->code == EAP_CODE_RESPONSE && 312 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 313 (hdr->code == EAP_CODE_INITIATE && 314 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 315 (hdr->code != EAP_CODE_RESPONSE && 316 hdr->code != EAP_CODE_INITIATE)) 317 return; 318 319 identity = eap_get_identity(sm->eap, &identity_len); 320 if (identity == NULL) 321 return; 322 323 /* Save station identity for future RADIUS packets */ 324 os_free(sm->identity); 325 sm->identity = (u8 *) dup_binstr(identity, identity_len); 326 if (sm->identity == NULL) { 327 sm->identity_len = 0; 328 return; 329 } 330 331 sm->identity_len = identity_len; 332 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 333 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 334 sm->dot1xAuthEapolRespIdFramesRx++; 335} 336 337 338static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 339 struct hostapd_radius_attr *req_attr, 340 struct sta_info *sta, 341 struct radius_msg *msg) 342{ 343 u32 suite; 344 int ver, val; 345 346 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 347 val = wpa_auth_get_pairwise(sta->wpa_sm); 348 suite = wpa_cipher_to_suite(ver, val); 349 if (val != -1 && 350 !hostapd_config_get_radius_attr(req_attr, 351 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 352 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 353 suite)) { 354 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 355 return -1; 356 } 357 358 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 359 hapd->conf->osen) ? 360 WPA_PROTO_RSN : WPA_PROTO_WPA, 361 hapd->conf->wpa_group); 362 if (!hostapd_config_get_radius_attr(req_attr, 363 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 364 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 365 suite)) { 366 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 367 return -1; 368 } 369 370 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 371 suite = wpa_akm_to_suite(val); 372 if (val != -1 && 373 !hostapd_config_get_radius_attr(req_attr, 374 RADIUS_ATTR_WLAN_AKM_SUITE) && 375 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 376 suite)) { 377 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 378 return -1; 379 } 380 381#ifdef CONFIG_IEEE80211W 382 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 383 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 384 hapd->conf->group_mgmt_cipher); 385 if (!hostapd_config_get_radius_attr( 386 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 387 !radius_msg_add_attr_int32( 388 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 389 wpa_printf(MSG_ERROR, 390 "Could not add WLAN-Group-Mgmt-Cipher"); 391 return -1; 392 } 393 } 394#endif /* CONFIG_IEEE80211W */ 395 396 return 0; 397} 398 399 400static int add_common_radius_sta_attr(struct hostapd_data *hapd, 401 struct hostapd_radius_attr *req_attr, 402 struct sta_info *sta, 403 struct radius_msg *msg) 404{ 405 char buf[128]; 406 407 if (!hostapd_config_get_radius_attr(req_attr, 408 RADIUS_ATTR_NAS_PORT) && 409 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 410 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 411 return -1; 412 } 413 414 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 415 MAC2STR(sta->addr)); 416 buf[sizeof(buf) - 1] = '\0'; 417 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 418 (u8 *) buf, os_strlen(buf))) { 419 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 420 return -1; 421 } 422 423 if (sta->flags & WLAN_STA_PREAUTH) { 424 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 425 sizeof(buf)); 426 } else { 427 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 428 radius_sta_rate(hapd, sta) / 2, 429 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 430 radius_mode_txt(hapd)); 431 buf[sizeof(buf) - 1] = '\0'; 432 } 433 if (!hostapd_config_get_radius_attr(req_attr, 434 RADIUS_ATTR_CONNECT_INFO) && 435 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 436 (u8 *) buf, os_strlen(buf))) { 437 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 438 return -1; 439 } 440 441 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 442 os_snprintf(buf, sizeof(buf), "%08X-%08X", 443 sta->acct_session_id_hi, sta->acct_session_id_lo); 444 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 445 (u8 *) buf, os_strlen(buf))) { 446 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 447 return -1; 448 } 449 } 450 451#ifdef CONFIG_IEEE80211R 452 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 453 sta->wpa_sm && 454 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 455 sta->auth_alg == WLAN_AUTH_FT) && 456 !hostapd_config_get_radius_attr(req_attr, 457 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 458 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 459 WPA_GET_BE16( 460 hapd->conf->mobility_domain))) { 461 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 462 return -1; 463 } 464#endif /* CONFIG_IEEE80211R */ 465 466 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 467 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 468 return -1; 469 470 return 0; 471} 472 473 474int add_common_radius_attr(struct hostapd_data *hapd, 475 struct hostapd_radius_attr *req_attr, 476 struct sta_info *sta, 477 struct radius_msg *msg) 478{ 479 char buf[128]; 480 struct hostapd_radius_attr *attr; 481 int len; 482 483 if (!hostapd_config_get_radius_attr(req_attr, 484 RADIUS_ATTR_NAS_IP_ADDRESS) && 485 hapd->conf->own_ip_addr.af == AF_INET && 486 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 487 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 488 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 489 return -1; 490 } 491 492#ifdef CONFIG_IPV6 493 if (!hostapd_config_get_radius_attr(req_attr, 494 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 495 hapd->conf->own_ip_addr.af == AF_INET6 && 496 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 497 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 498 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 499 return -1; 500 } 501#endif /* CONFIG_IPV6 */ 502 503 if (!hostapd_config_get_radius_attr(req_attr, 504 RADIUS_ATTR_NAS_IDENTIFIER) && 505 hapd->conf->nas_identifier && 506 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 507 (u8 *) hapd->conf->nas_identifier, 508 os_strlen(hapd->conf->nas_identifier))) { 509 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 510 return -1; 511 } 512 513 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 514 MAC2STR(hapd->own_addr)); 515 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 516 hapd->conf->ssid.ssid_len); 517 len += hapd->conf->ssid.ssid_len; 518 if (!hostapd_config_get_radius_attr(req_attr, 519 RADIUS_ATTR_CALLED_STATION_ID) && 520 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 521 (u8 *) buf, len)) { 522 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 523 return -1; 524 } 525 526 if (!hostapd_config_get_radius_attr(req_attr, 527 RADIUS_ATTR_NAS_PORT_TYPE) && 528 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 529 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 530 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 531 return -1; 532 } 533 534#ifdef CONFIG_INTERWORKING 535 if (hapd->conf->interworking && 536 !is_zero_ether_addr(hapd->conf->hessid)) { 537 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 538 MAC2STR(hapd->conf->hessid)); 539 buf[sizeof(buf) - 1] = '\0'; 540 if (!hostapd_config_get_radius_attr(req_attr, 541 RADIUS_ATTR_WLAN_HESSID) && 542 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 543 (u8 *) buf, os_strlen(buf))) { 544 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 545 return -1; 546 } 547 } 548#endif /* CONFIG_INTERWORKING */ 549 550 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 551 return -1; 552 553 for (attr = req_attr; attr; attr = attr->next) { 554 if (!radius_msg_add_attr(msg, attr->type, 555 wpabuf_head(attr->val), 556 wpabuf_len(attr->val))) { 557 wpa_printf(MSG_ERROR, "Could not add RADIUS " 558 "attribute"); 559 return -1; 560 } 561 } 562 563 return 0; 564} 565 566 567static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 568 struct sta_info *sta, 569 const u8 *eap, size_t len) 570{ 571 struct radius_msg *msg; 572 struct eapol_state_machine *sm = sta->eapol_sm; 573 574 if (sm == NULL) 575 return; 576 577 ieee802_1x_learn_identity(hapd, sm, eap, len); 578 579 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 580 "packet"); 581 582 sm->radius_identifier = radius_client_get_id(hapd->radius); 583 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 584 sm->radius_identifier); 585 if (msg == NULL) { 586 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 587 return; 588 } 589 590 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 591 592 if (sm->identity && 593 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 594 sm->identity, sm->identity_len)) { 595 wpa_printf(MSG_INFO, "Could not add User-Name"); 596 goto fail; 597 } 598 599 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 600 msg) < 0) 601 goto fail; 602 603 /* TODO: should probably check MTU from driver config; 2304 is max for 604 * IEEE 802.11, but use 1400 to avoid problems with too large packets 605 */ 606 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 607 RADIUS_ATTR_FRAMED_MTU) && 608 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 609 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 610 goto fail; 611 } 612 613 if (!radius_msg_add_eap(msg, eap, len)) { 614 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 615 goto fail; 616 } 617 618 /* State attribute must be copied if and only if this packet is 619 * Access-Request reply to the previous Access-Challenge */ 620 if (sm->last_recv_radius && 621 radius_msg_get_hdr(sm->last_recv_radius)->code == 622 RADIUS_CODE_ACCESS_CHALLENGE) { 623 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 624 RADIUS_ATTR_STATE); 625 if (res < 0) { 626 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 627 goto fail; 628 } 629 if (res > 0) { 630 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 631 } 632 } 633 634 if (hapd->conf->radius_request_cui) { 635 const u8 *cui; 636 size_t cui_len; 637 /* Add previously learned CUI or nul CUI to request CUI */ 638 if (sm->radius_cui) { 639 cui = wpabuf_head(sm->radius_cui); 640 cui_len = wpabuf_len(sm->radius_cui); 641 } else { 642 cui = (const u8 *) "\0"; 643 cui_len = 1; 644 } 645 if (!radius_msg_add_attr(msg, 646 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 647 cui, cui_len)) { 648 wpa_printf(MSG_ERROR, "Could not add CUI"); 649 goto fail; 650 } 651 } 652 653#ifdef CONFIG_HS20 654 if (hapd->conf->hs20) { 655 u8 ver = 1; /* Release 2 */ 656 if (!radius_msg_add_wfa( 657 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 658 &ver, 1)) { 659 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 660 "version"); 661 goto fail; 662 } 663 664 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 665 const u8 *pos; 666 u8 buf[3]; 667 u16 id; 668 pos = wpabuf_head_u8(sta->hs20_ie); 669 buf[0] = (*pos) >> 4; 670 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 671 wpabuf_len(sta->hs20_ie) >= 3) 672 id = WPA_GET_LE16(pos + 1); 673 else 674 id = 0; 675 WPA_PUT_BE16(buf + 1, id); 676 if (!radius_msg_add_wfa( 677 msg, 678 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 679 buf, sizeof(buf))) { 680 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 681 "STA version"); 682 goto fail; 683 } 684 } 685 } 686#endif /* CONFIG_HS20 */ 687 688 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 689 goto fail; 690 691 return; 692 693 fail: 694 radius_msg_free(msg); 695} 696#endif /* CONFIG_NO_RADIUS */ 697 698 699static void handle_eap_response(struct hostapd_data *hapd, 700 struct sta_info *sta, struct eap_hdr *eap, 701 size_t len) 702{ 703 u8 type, *data; 704 struct eapol_state_machine *sm = sta->eapol_sm; 705 if (sm == NULL) 706 return; 707 708 data = (u8 *) (eap + 1); 709 710 if (len < sizeof(*eap) + 1) { 711 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 712 return; 713 } 714 715 sm->eap_type_supp = type = data[0]; 716 717 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 718 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 719 "id=%d len=%d) from STA: EAP Response-%s (%d)", 720 eap->code, eap->identifier, be_to_host16(eap->length), 721 eap_server_get_name(0, type), type); 722 723 sm->dot1xAuthEapolRespFramesRx++; 724 725 wpabuf_free(sm->eap_if->eapRespData); 726 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 727 sm->eapolEap = TRUE; 728} 729 730 731static void handle_eap_initiate(struct hostapd_data *hapd, 732 struct sta_info *sta, struct eap_hdr *eap, 733 size_t len) 734{ 735#ifdef CONFIG_ERP 736 u8 type, *data; 737 struct eapol_state_machine *sm = sta->eapol_sm; 738 739 if (sm == NULL) 740 return; 741 742 if (len < sizeof(*eap) + 1) { 743 wpa_printf(MSG_INFO, 744 "handle_eap_initiate: too short response data"); 745 return; 746 } 747 748 data = (u8 *) (eap + 1); 749 type = data[0]; 750 751 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 752 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 753 "id=%d len=%d) from STA: EAP Initiate type %u", 754 eap->code, eap->identifier, be_to_host16(eap->length), 755 type); 756 757 wpabuf_free(sm->eap_if->eapRespData); 758 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 759 sm->eapolEap = TRUE; 760#endif /* CONFIG_ERP */ 761} 762 763 764/* Process incoming EAP packet from Supplicant */ 765static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 766 u8 *buf, size_t len) 767{ 768 struct eap_hdr *eap; 769 u16 eap_len; 770 771 if (len < sizeof(*eap)) { 772 wpa_printf(MSG_INFO, " too short EAP packet"); 773 return; 774 } 775 776 eap = (struct eap_hdr *) buf; 777 778 eap_len = be_to_host16(eap->length); 779 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 780 eap->code, eap->identifier, eap_len); 781 if (eap_len < sizeof(*eap)) { 782 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 783 return; 784 } else if (eap_len > len) { 785 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 786 "packet"); 787 return; 788 } else if (eap_len < len) { 789 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 790 "packet", (unsigned long) len - eap_len); 791 } 792 793 switch (eap->code) { 794 case EAP_CODE_REQUEST: 795 wpa_printf(MSG_DEBUG, " (request)"); 796 return; 797 case EAP_CODE_RESPONSE: 798 wpa_printf(MSG_DEBUG, " (response)"); 799 handle_eap_response(hapd, sta, eap, eap_len); 800 break; 801 case EAP_CODE_SUCCESS: 802 wpa_printf(MSG_DEBUG, " (success)"); 803 return; 804 case EAP_CODE_FAILURE: 805 wpa_printf(MSG_DEBUG, " (failure)"); 806 return; 807 case EAP_CODE_INITIATE: 808 wpa_printf(MSG_DEBUG, " (initiate)"); 809 handle_eap_initiate(hapd, sta, eap, eap_len); 810 break; 811 case EAP_CODE_FINISH: 812 wpa_printf(MSG_DEBUG, " (finish)"); 813 break; 814 default: 815 wpa_printf(MSG_DEBUG, " (unknown code)"); 816 return; 817 } 818} 819 820 821static struct eapol_state_machine * 822ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 823{ 824 int flags = 0; 825 if (sta->flags & WLAN_STA_PREAUTH) 826 flags |= EAPOL_SM_PREAUTH; 827 if (sta->wpa_sm) { 828 flags |= EAPOL_SM_USES_WPA; 829 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 830 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 831 } 832 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 833 sta->wps_ie, sta->p2p_ie, sta, 834 sta->identity, sta->radius_cui); 835} 836 837 838/** 839 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 840 * @hapd: hostapd BSS data 841 * @sa: Source address (sender of the EAPOL frame) 842 * @buf: EAPOL frame 843 * @len: Length of buf in octets 844 * 845 * This function is called for each incoming EAPOL frame from the interface 846 */ 847void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 848 size_t len) 849{ 850 struct sta_info *sta; 851 struct ieee802_1x_hdr *hdr; 852 struct ieee802_1x_eapol_key *key; 853 u16 datalen; 854 struct rsn_pmksa_cache_entry *pmksa; 855 int key_mgmt; 856 857 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 858 !hapd->conf->wps_state) 859 return; 860 861 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 862 (unsigned long) len, MAC2STR(sa)); 863 sta = ap_get_sta(hapd, sa); 864 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 865 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 866 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 867 "associated/Pre-authenticating STA"); 868 return; 869 } 870 871 if (len < sizeof(*hdr)) { 872 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 873 return; 874 } 875 876 hdr = (struct ieee802_1x_hdr *) buf; 877 datalen = be_to_host16(hdr->length); 878 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 879 hdr->version, hdr->type, datalen); 880 881 if (len - sizeof(*hdr) < datalen) { 882 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 883 if (sta->eapol_sm) 884 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 885 return; 886 } 887 if (len - sizeof(*hdr) > datalen) { 888 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 889 "IEEE 802.1X packet", 890 (unsigned long) len - sizeof(*hdr) - datalen); 891 } 892 893 if (sta->eapol_sm) { 894 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 895 sta->eapol_sm->dot1xAuthEapolFramesRx++; 896 } 897 898 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 899 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 900 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 901 (key->type == EAPOL_KEY_TYPE_WPA || 902 key->type == EAPOL_KEY_TYPE_RSN)) { 903 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 904 sizeof(*hdr) + datalen); 905 return; 906 } 907 908 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 909 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 910 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 911 "802.1X not enabled and WPS not used"); 912 return; 913 } 914 915 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 916 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 917 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 918 "STA is using PSK"); 919 return; 920 } 921 922 if (!sta->eapol_sm) { 923 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 924 if (!sta->eapol_sm) 925 return; 926 927#ifdef CONFIG_WPS 928 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 929 u32 wflags = sta->flags & (WLAN_STA_WPS | 930 WLAN_STA_WPS2 | 931 WLAN_STA_MAYBE_WPS); 932 if (wflags == WLAN_STA_MAYBE_WPS || 933 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 934 /* 935 * Delay EAPOL frame transmission until a 936 * possible WPS STA initiates the handshake 937 * with EAPOL-Start. Only allow the wait to be 938 * skipped if the STA is known to support WPS 939 * 2.0. 940 */ 941 wpa_printf(MSG_DEBUG, "WPS: Do not start " 942 "EAPOL until EAPOL-Start is " 943 "received"); 944 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 945 } 946 } 947#endif /* CONFIG_WPS */ 948 949 sta->eapol_sm->eap_if->portEnabled = TRUE; 950 } 951 952 /* since we support version 1, we can ignore version field and proceed 953 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 954 /* TODO: actually, we are not version 1 anymore.. However, Version 2 955 * does not change frame contents, so should be ok to process frames 956 * more or less identically. Some changes might be needed for 957 * verification of fields. */ 958 959 switch (hdr->type) { 960 case IEEE802_1X_TYPE_EAP_PACKET: 961 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 962 break; 963 964 case IEEE802_1X_TYPE_EAPOL_START: 965 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 966 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 967 "from STA"); 968 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 969 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 970 if (pmksa) { 971 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 972 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 973 "available - ignore it since " 974 "STA sent EAPOL-Start"); 975 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 976 } 977 sta->eapol_sm->eapolStart = TRUE; 978 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 979 eap_server_clear_identity(sta->eapol_sm->eap); 980 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 981 break; 982 983 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 984 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 985 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 986 "from STA"); 987 sta->acct_terminate_cause = 988 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 989 accounting_sta_stop(hapd, sta); 990 sta->eapol_sm->eapolLogoff = TRUE; 991 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 992 eap_server_clear_identity(sta->eapol_sm->eap); 993 break; 994 995 case IEEE802_1X_TYPE_EAPOL_KEY: 996 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 997 if (!ap_sta_is_authorized(sta)) { 998 wpa_printf(MSG_DEBUG, " Dropped key data from " 999 "unauthorized Supplicant"); 1000 break; 1001 } 1002 break; 1003 1004 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1005 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1006 /* TODO: implement support for this; show data */ 1007 break; 1008 1009 default: 1010 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1011 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1012 break; 1013 } 1014 1015 eapol_auth_step(sta->eapol_sm); 1016} 1017 1018 1019/** 1020 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1021 * @hapd: hostapd BSS data 1022 * @sta: The station 1023 * 1024 * This function is called to start IEEE 802.1X authentication when a new 1025 * station completes IEEE 802.11 association. 1026 */ 1027void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1028{ 1029 struct rsn_pmksa_cache_entry *pmksa; 1030 int reassoc = 1; 1031 int force_1x = 0; 1032 int key_mgmt; 1033 1034#ifdef CONFIG_WPS 1035 if (hapd->conf->wps_state && 1036 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1037 (sta->flags & WLAN_STA_WPS))) { 1038 /* 1039 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1040 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1041 * authentication in this BSS. 1042 */ 1043 force_1x = 1; 1044 } 1045#endif /* CONFIG_WPS */ 1046 1047 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1048 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1049 "802.1X not enabled or forced for WPS"); 1050 /* 1051 * Clear any possible EAPOL authenticator state to support 1052 * reassociation change from WPS to PSK. 1053 */ 1054 ieee802_1x_free_station(hapd, sta); 1055 return; 1056 } 1057 1058 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1059 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1060 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1061 /* 1062 * Clear any possible EAPOL authenticator state to support 1063 * reassociation change from WPA-EAP to PSK. 1064 */ 1065 ieee802_1x_free_station(hapd, sta); 1066 return; 1067 } 1068 1069 if (sta->eapol_sm == NULL) { 1070 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1071 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1072 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1073 if (sta->eapol_sm == NULL) { 1074 hostapd_logger(hapd, sta->addr, 1075 HOSTAPD_MODULE_IEEE8021X, 1076 HOSTAPD_LEVEL_INFO, 1077 "failed to allocate state machine"); 1078 return; 1079 } 1080 reassoc = 0; 1081 } 1082 1083#ifdef CONFIG_WPS 1084 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1085 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1086 !(sta->flags & WLAN_STA_WPS2)) { 1087 /* 1088 * Delay EAPOL frame transmission until a possible WPS STA 1089 * initiates the handshake with EAPOL-Start. Only allow the 1090 * wait to be skipped if the STA is known to support WPS 2.0. 1091 */ 1092 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1093 "EAPOL-Start is received"); 1094 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1095 } 1096#endif /* CONFIG_WPS */ 1097 1098 sta->eapol_sm->eap_if->portEnabled = TRUE; 1099 1100#ifdef CONFIG_IEEE80211R 1101 if (sta->auth_alg == WLAN_AUTH_FT) { 1102 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1103 HOSTAPD_LEVEL_DEBUG, 1104 "PMK from FT - skip IEEE 802.1X/EAP"); 1105 /* Setup EAPOL state machines to already authenticated state 1106 * because of existing FT information from R0KH. */ 1107 sta->eapol_sm->keyRun = TRUE; 1108 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1109 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1110 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1111 sta->eapol_sm->authSuccess = TRUE; 1112 sta->eapol_sm->authFail = FALSE; 1113 sta->eapol_sm->portValid = TRUE; 1114 if (sta->eapol_sm->eap) 1115 eap_sm_notify_cached(sta->eapol_sm->eap); 1116 /* TODO: get vlan_id from R0KH using RRB message */ 1117 return; 1118 } 1119#endif /* CONFIG_IEEE80211R */ 1120 1121 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1122 if (pmksa) { 1123 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1124 HOSTAPD_LEVEL_DEBUG, 1125 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1126 /* Setup EAPOL state machines to already authenticated state 1127 * because of existing PMKSA information in the cache. */ 1128 sta->eapol_sm->keyRun = TRUE; 1129 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1130 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1131 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1132 sta->eapol_sm->authSuccess = TRUE; 1133 sta->eapol_sm->authFail = FALSE; 1134 if (sta->eapol_sm->eap) 1135 eap_sm_notify_cached(sta->eapol_sm->eap); 1136 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1137 ap_sta_bind_vlan(hapd, sta); 1138 } else { 1139 if (reassoc) { 1140 /* 1141 * Force EAPOL state machines to start 1142 * re-authentication without having to wait for the 1143 * Supplicant to send EAPOL-Start. 1144 */ 1145 sta->eapol_sm->reAuthenticate = TRUE; 1146 } 1147 eapol_auth_step(sta->eapol_sm); 1148 } 1149} 1150 1151 1152void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1153{ 1154 struct eapol_state_machine *sm = sta->eapol_sm; 1155 1156#ifdef CONFIG_HS20 1157 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1158#endif /* CONFIG_HS20 */ 1159 1160 if (sm == NULL) 1161 return; 1162 1163 sta->eapol_sm = NULL; 1164 1165#ifndef CONFIG_NO_RADIUS 1166 radius_msg_free(sm->last_recv_radius); 1167 radius_free_class(&sm->radius_class); 1168 wpabuf_free(sm->radius_cui); 1169#endif /* CONFIG_NO_RADIUS */ 1170 1171 os_free(sm->identity); 1172 eapol_auth_free(sm); 1173} 1174 1175 1176#ifndef CONFIG_NO_RADIUS 1177static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1178 struct sta_info *sta) 1179{ 1180 struct wpabuf *eap; 1181 const struct eap_hdr *hdr; 1182 int eap_type = -1; 1183 char buf[64]; 1184 struct radius_msg *msg; 1185 struct eapol_state_machine *sm = sta->eapol_sm; 1186 1187 if (sm == NULL || sm->last_recv_radius == NULL) { 1188 if (sm) 1189 sm->eap_if->aaaEapNoReq = TRUE; 1190 return; 1191 } 1192 1193 msg = sm->last_recv_radius; 1194 1195 eap = radius_msg_get_eap(msg); 1196 if (eap == NULL) { 1197 /* RFC 3579, Chap. 2.6.3: 1198 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1199 * attribute */ 1200 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1201 HOSTAPD_LEVEL_WARNING, "could not extract " 1202 "EAP-Message from RADIUS message"); 1203 sm->eap_if->aaaEapNoReq = TRUE; 1204 return; 1205 } 1206 1207 if (wpabuf_len(eap) < sizeof(*hdr)) { 1208 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1209 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1210 "received from authentication server"); 1211 wpabuf_free(eap); 1212 sm->eap_if->aaaEapNoReq = TRUE; 1213 return; 1214 } 1215 1216 if (wpabuf_len(eap) > sizeof(*hdr)) 1217 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1218 1219 hdr = wpabuf_head(eap); 1220 switch (hdr->code) { 1221 case EAP_CODE_REQUEST: 1222 if (eap_type >= 0) 1223 sm->eap_type_authsrv = eap_type; 1224 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1225 eap_server_get_name(0, eap_type), eap_type); 1226 break; 1227 case EAP_CODE_RESPONSE: 1228 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1229 eap_server_get_name(0, eap_type), eap_type); 1230 break; 1231 case EAP_CODE_SUCCESS: 1232 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1233 break; 1234 case EAP_CODE_FAILURE: 1235 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1236 break; 1237 default: 1238 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1239 break; 1240 } 1241 buf[sizeof(buf) - 1] = '\0'; 1242 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1243 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1244 "id=%d len=%d) from RADIUS server: %s", 1245 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1246 buf); 1247 sm->eap_if->aaaEapReq = TRUE; 1248 1249 wpabuf_free(sm->eap_if->aaaEapReqData); 1250 sm->eap_if->aaaEapReqData = eap; 1251} 1252 1253 1254static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1255 struct sta_info *sta, struct radius_msg *msg, 1256 struct radius_msg *req, 1257 const u8 *shared_secret, 1258 size_t shared_secret_len) 1259{ 1260 struct radius_ms_mppe_keys *keys; 1261 struct eapol_state_machine *sm = sta->eapol_sm; 1262 if (sm == NULL) 1263 return; 1264 1265 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1266 shared_secret_len); 1267 1268 if (keys && keys->send && keys->recv) { 1269 size_t len = keys->send_len + keys->recv_len; 1270 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1271 keys->send, keys->send_len); 1272 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1273 keys->recv, keys->recv_len); 1274 1275 os_free(sm->eap_if->aaaEapKeyData); 1276 sm->eap_if->aaaEapKeyData = os_malloc(len); 1277 if (sm->eap_if->aaaEapKeyData) { 1278 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1279 keys->recv_len); 1280 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1281 keys->send, keys->send_len); 1282 sm->eap_if->aaaEapKeyDataLen = len; 1283 sm->eap_if->aaaEapKeyAvailable = TRUE; 1284 } 1285 } else { 1286 wpa_printf(MSG_DEBUG, 1287 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1288 keys, keys ? keys->send : NULL, 1289 keys ? keys->recv : NULL); 1290 } 1291 1292 if (keys) { 1293 os_free(keys->send); 1294 os_free(keys->recv); 1295 os_free(keys); 1296 } 1297} 1298 1299 1300static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1301 struct sta_info *sta, 1302 struct radius_msg *msg) 1303{ 1304 u8 *attr_class; 1305 size_t class_len; 1306 struct eapol_state_machine *sm = sta->eapol_sm; 1307 int count, i; 1308 struct radius_attr_data *nclass; 1309 size_t nclass_count; 1310 1311 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1312 sm == NULL) 1313 return; 1314 1315 radius_free_class(&sm->radius_class); 1316 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1317 if (count <= 0) 1318 return; 1319 1320 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1321 if (nclass == NULL) 1322 return; 1323 1324 nclass_count = 0; 1325 1326 attr_class = NULL; 1327 for (i = 0; i < count; i++) { 1328 do { 1329 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1330 &attr_class, &class_len, 1331 attr_class) < 0) { 1332 i = count; 1333 break; 1334 } 1335 } while (class_len < 1); 1336 1337 nclass[nclass_count].data = os_malloc(class_len); 1338 if (nclass[nclass_count].data == NULL) 1339 break; 1340 1341 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1342 nclass[nclass_count].len = class_len; 1343 nclass_count++; 1344 } 1345 1346 sm->radius_class.attr = nclass; 1347 sm->radius_class.count = nclass_count; 1348 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1349 "attributes for " MACSTR, 1350 (unsigned long) sm->radius_class.count, 1351 MAC2STR(sta->addr)); 1352} 1353 1354 1355/* Update sta->identity based on User-Name attribute in Access-Accept */ 1356static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1357 struct sta_info *sta, 1358 struct radius_msg *msg) 1359{ 1360 u8 *buf, *identity; 1361 size_t len; 1362 struct eapol_state_machine *sm = sta->eapol_sm; 1363 1364 if (sm == NULL) 1365 return; 1366 1367 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1368 NULL) < 0) 1369 return; 1370 1371 identity = (u8 *) dup_binstr(buf, len); 1372 if (identity == NULL) 1373 return; 1374 1375 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1376 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1377 "User-Name from Access-Accept '%s'", 1378 sm->identity ? (char *) sm->identity : "N/A", 1379 (char *) identity); 1380 1381 os_free(sm->identity); 1382 sm->identity = identity; 1383 sm->identity_len = len; 1384} 1385 1386 1387/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1388static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1389 struct sta_info *sta, 1390 struct radius_msg *msg) 1391{ 1392 struct eapol_state_machine *sm = sta->eapol_sm; 1393 struct wpabuf *cui; 1394 u8 *buf; 1395 size_t len; 1396 1397 if (sm == NULL) 1398 return; 1399 1400 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1401 &buf, &len, NULL) < 0) 1402 return; 1403 1404 cui = wpabuf_alloc_copy(buf, len); 1405 if (cui == NULL) 1406 return; 1407 1408 wpabuf_free(sm->radius_cui); 1409 sm->radius_cui = cui; 1410} 1411 1412 1413#ifdef CONFIG_HS20 1414 1415static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1416{ 1417 sta->remediation = 1; 1418 os_free(sta->remediation_url); 1419 if (len > 2) { 1420 sta->remediation_url = os_malloc(len); 1421 if (!sta->remediation_url) 1422 return; 1423 sta->remediation_method = pos[0]; 1424 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1425 sta->remediation_url[len - 1] = '\0'; 1426 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1427 "for " MACSTR " - server method %u URL %s", 1428 MAC2STR(sta->addr), sta->remediation_method, 1429 sta->remediation_url); 1430 } else { 1431 sta->remediation_url = NULL; 1432 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1433 "for " MACSTR, MAC2STR(sta->addr)); 1434 } 1435 /* TODO: assign the STA into remediation VLAN or add filtering */ 1436} 1437 1438 1439static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1440 struct sta_info *sta, u8 *pos, 1441 size_t len) 1442{ 1443 if (len < 3) 1444 return; /* Malformed information */ 1445 sta->hs20_deauth_requested = 1; 1446 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1447 "Re-auth Delay %u", 1448 *pos, WPA_GET_LE16(pos + 1)); 1449 wpabuf_free(sta->hs20_deauth_req); 1450 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1451 if (sta->hs20_deauth_req) { 1452 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1453 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1454 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1455 } 1456 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1457} 1458 1459 1460static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1461 struct sta_info *sta, u8 *pos, 1462 size_t len, int session_timeout) 1463{ 1464 unsigned int swt; 1465 int warning_time, beacon_int; 1466 1467 if (len < 1) 1468 return; /* Malformed information */ 1469 os_free(sta->hs20_session_info_url); 1470 sta->hs20_session_info_url = os_malloc(len); 1471 if (sta->hs20_session_info_url == NULL) 1472 return; 1473 swt = pos[0]; 1474 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1475 sta->hs20_session_info_url[len - 1] = '\0'; 1476 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1477 "(session_timeout=%d)", 1478 sta->hs20_session_info_url, swt, session_timeout); 1479 if (session_timeout < 0) { 1480 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1481 return; 1482 } 1483 if (swt == 255) 1484 swt = 1; /* Use one minute as the AP selected value */ 1485 1486 if ((unsigned int) session_timeout < swt * 60) 1487 warning_time = 0; 1488 else 1489 warning_time = session_timeout - swt * 60; 1490 1491 beacon_int = hapd->iconf->beacon_int; 1492 if (beacon_int < 1) 1493 beacon_int = 100; /* best guess */ 1494 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1495 if (sta->hs20_disassoc_timer > 65535) 1496 sta->hs20_disassoc_timer = 65535; 1497 1498 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1499} 1500 1501#endif /* CONFIG_HS20 */ 1502 1503 1504static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1505 struct sta_info *sta, 1506 struct radius_msg *msg, 1507 int session_timeout) 1508{ 1509#ifdef CONFIG_HS20 1510 u8 *buf, *pos, *end, type, sublen; 1511 size_t len; 1512 1513 buf = NULL; 1514 sta->remediation = 0; 1515 sta->hs20_deauth_requested = 0; 1516 1517 for (;;) { 1518 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1519 &buf, &len, buf) < 0) 1520 break; 1521 if (len < 6) 1522 continue; 1523 pos = buf; 1524 end = buf + len; 1525 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1526 continue; 1527 pos += 4; 1528 1529 type = *pos++; 1530 sublen = *pos++; 1531 if (sublen < 2) 1532 continue; /* invalid length */ 1533 sublen -= 2; /* skip header */ 1534 if (pos + sublen > end) 1535 continue; /* invalid WFA VSA */ 1536 1537 switch (type) { 1538 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1539 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1540 break; 1541 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1542 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1543 break; 1544 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1545 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1546 session_timeout); 1547 break; 1548 } 1549 } 1550#endif /* CONFIG_HS20 */ 1551} 1552 1553 1554struct sta_id_search { 1555 u8 identifier; 1556 struct eapol_state_machine *sm; 1557}; 1558 1559 1560static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1561 struct sta_info *sta, 1562 void *ctx) 1563{ 1564 struct sta_id_search *id_search = ctx; 1565 struct eapol_state_machine *sm = sta->eapol_sm; 1566 1567 if (sm && sm->radius_identifier >= 0 && 1568 sm->radius_identifier == id_search->identifier) { 1569 id_search->sm = sm; 1570 return 1; 1571 } 1572 return 0; 1573} 1574 1575 1576static struct eapol_state_machine * 1577ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1578{ 1579 struct sta_id_search id_search; 1580 id_search.identifier = identifier; 1581 id_search.sm = NULL; 1582 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1583 return id_search.sm; 1584} 1585 1586 1587/** 1588 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1589 * @msg: RADIUS response message 1590 * @req: RADIUS request message 1591 * @shared_secret: RADIUS shared secret 1592 * @shared_secret_len: Length of shared_secret in octets 1593 * @data: Context data (struct hostapd_data *) 1594 * Returns: Processing status 1595 */ 1596static RadiusRxResult 1597ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1598 const u8 *shared_secret, size_t shared_secret_len, 1599 void *data) 1600{ 1601 struct hostapd_data *hapd = data; 1602 struct sta_info *sta; 1603 u32 session_timeout = 0, termination_action, acct_interim_interval; 1604 int session_timeout_set, vlan_id = 0; 1605 struct eapol_state_machine *sm; 1606 int override_eapReq = 0; 1607 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1608 1609 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1610 if (sm == NULL) { 1611 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1612 "station for this RADIUS message"); 1613 return RADIUS_RX_UNKNOWN; 1614 } 1615 sta = sm->sta; 1616 1617 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1618 * present when packet contains an EAP-Message attribute */ 1619 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1620 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1621 0) < 0 && 1622 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1623 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1624 "Message-Authenticator since it does not include " 1625 "EAP-Message"); 1626 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1627 req, 1)) { 1628 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1629 return RADIUS_RX_INVALID_AUTHENTICATOR; 1630 } 1631 1632 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1633 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1634 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1635 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1636 return RADIUS_RX_UNKNOWN; 1637 } 1638 1639 sm->radius_identifier = -1; 1640 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1641 MAC2STR(sta->addr)); 1642 1643 radius_msg_free(sm->last_recv_radius); 1644 sm->last_recv_radius = msg; 1645 1646 session_timeout_set = 1647 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1648 &session_timeout); 1649 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1650 &termination_action)) 1651 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1652 1653 if (hapd->conf->acct_interim_interval == 0 && 1654 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1655 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1656 &acct_interim_interval) == 0) { 1657 if (acct_interim_interval < 60) { 1658 hostapd_logger(hapd, sta->addr, 1659 HOSTAPD_MODULE_IEEE8021X, 1660 HOSTAPD_LEVEL_INFO, 1661 "ignored too small " 1662 "Acct-Interim-Interval %d", 1663 acct_interim_interval); 1664 } else 1665 sta->acct_interim_interval = acct_interim_interval; 1666 } 1667 1668 1669 switch (hdr->code) { 1670 case RADIUS_CODE_ACCESS_ACCEPT: 1671 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1672 vlan_id = 0; 1673#ifndef CONFIG_NO_VLAN 1674 else 1675 vlan_id = radius_msg_get_vlanid(msg); 1676 if (vlan_id > 0 && 1677 hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) { 1678 hostapd_logger(hapd, sta->addr, 1679 HOSTAPD_MODULE_RADIUS, 1680 HOSTAPD_LEVEL_INFO, 1681 "VLAN ID %d", vlan_id); 1682 } else if (vlan_id > 0) { 1683 sta->eapol_sm->authFail = TRUE; 1684 hostapd_logger(hapd, sta->addr, 1685 HOSTAPD_MODULE_RADIUS, 1686 HOSTAPD_LEVEL_INFO, 1687 "Invalid VLAN ID %d received from RADIUS server", 1688 vlan_id); 1689 break; 1690 } else if (hapd->conf->ssid.dynamic_vlan == 1691 DYNAMIC_VLAN_REQUIRED) { 1692 sta->eapol_sm->authFail = TRUE; 1693 hostapd_logger(hapd, sta->addr, 1694 HOSTAPD_MODULE_IEEE8021X, 1695 HOSTAPD_LEVEL_INFO, "authentication " 1696 "server did not include required VLAN " 1697 "ID in Access-Accept"); 1698 break; 1699 } 1700#endif /* CONFIG_NO_VLAN */ 1701 1702 sta->vlan_id = vlan_id; 1703 if ((sta->flags & WLAN_STA_ASSOC) && 1704 ap_sta_bind_vlan(hapd, sta) < 0) 1705 break; 1706 1707 sta->session_timeout_set = !!session_timeout_set; 1708 sta->session_timeout = session_timeout; 1709 1710 /* RFC 3580, Ch. 3.17 */ 1711 if (session_timeout_set && termination_action == 1712 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1713 sm->reAuthPeriod = session_timeout; 1714 } else if (session_timeout_set) 1715 ap_sta_session_timeout(hapd, sta, session_timeout); 1716 1717 sm->eap_if->aaaSuccess = TRUE; 1718 override_eapReq = 1; 1719 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1720 shared_secret_len); 1721 ieee802_1x_store_radius_class(hapd, sta, msg); 1722 ieee802_1x_update_sta_identity(hapd, sta, msg); 1723 ieee802_1x_update_sta_cui(hapd, sta, msg); 1724 ieee802_1x_check_hs20(hapd, sta, msg, 1725 session_timeout_set ? 1726 (int) session_timeout : -1); 1727 break; 1728 case RADIUS_CODE_ACCESS_REJECT: 1729 sm->eap_if->aaaFail = TRUE; 1730 override_eapReq = 1; 1731 break; 1732 case RADIUS_CODE_ACCESS_CHALLENGE: 1733 sm->eap_if->aaaEapReq = TRUE; 1734 if (session_timeout_set) { 1735 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1736 sm->eap_if->aaaMethodTimeout = session_timeout; 1737 hostapd_logger(hapd, sm->addr, 1738 HOSTAPD_MODULE_IEEE8021X, 1739 HOSTAPD_LEVEL_DEBUG, 1740 "using EAP timeout of %d seconds (from " 1741 "RADIUS)", 1742 sm->eap_if->aaaMethodTimeout); 1743 } else { 1744 /* 1745 * Use dynamic retransmission behavior per EAP 1746 * specification. 1747 */ 1748 sm->eap_if->aaaMethodTimeout = 0; 1749 } 1750 break; 1751 } 1752 1753 ieee802_1x_decapsulate_radius(hapd, sta); 1754 if (override_eapReq) 1755 sm->eap_if->aaaEapReq = FALSE; 1756 1757 eapol_auth_step(sm); 1758 1759 return RADIUS_RX_QUEUED; 1760} 1761#endif /* CONFIG_NO_RADIUS */ 1762 1763 1764void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1765{ 1766 struct eapol_state_machine *sm = sta->eapol_sm; 1767 if (sm == NULL) 1768 return; 1769 1770 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1771 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1772 1773#ifndef CONFIG_NO_RADIUS 1774 radius_msg_free(sm->last_recv_radius); 1775 sm->last_recv_radius = NULL; 1776#endif /* CONFIG_NO_RADIUS */ 1777 1778 if (sm->eap_if->eapTimeout) { 1779 /* 1780 * Disconnect the STA since it did not reply to the last EAP 1781 * request and we cannot continue EAP processing (EAP-Failure 1782 * could only be sent if the EAP peer actually replied). 1783 */ 1784 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1785 MAC2STR(sta->addr)); 1786 1787 sm->eap_if->portEnabled = FALSE; 1788 ap_sta_disconnect(hapd, sta, sta->addr, 1789 WLAN_REASON_PREV_AUTH_NOT_VALID); 1790 } 1791} 1792 1793 1794static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1795{ 1796 struct eapol_authenticator *eapol = hapd->eapol_auth; 1797 1798 if (hapd->conf->default_wep_key_len < 1) 1799 return 0; 1800 1801 os_free(eapol->default_wep_key); 1802 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1803 if (eapol->default_wep_key == NULL || 1804 random_get_bytes(eapol->default_wep_key, 1805 hapd->conf->default_wep_key_len)) { 1806 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1807 os_free(eapol->default_wep_key); 1808 eapol->default_wep_key = NULL; 1809 return -1; 1810 } 1811 1812 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1813 eapol->default_wep_key, 1814 hapd->conf->default_wep_key_len); 1815 1816 return 0; 1817} 1818 1819 1820static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1821 struct sta_info *sta, void *ctx) 1822{ 1823 if (sta->eapol_sm) { 1824 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1825 eapol_auth_step(sta->eapol_sm); 1826 } 1827 return 0; 1828} 1829 1830 1831static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1832{ 1833 struct hostapd_data *hapd = eloop_ctx; 1834 struct eapol_authenticator *eapol = hapd->eapol_auth; 1835 1836 if (eapol->default_wep_key_idx >= 3) 1837 eapol->default_wep_key_idx = 1838 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1839 else 1840 eapol->default_wep_key_idx++; 1841 1842 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1843 eapol->default_wep_key_idx); 1844 1845 if (ieee802_1x_rekey_broadcast(hapd)) { 1846 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1847 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1848 "new broadcast key"); 1849 os_free(eapol->default_wep_key); 1850 eapol->default_wep_key = NULL; 1851 return; 1852 } 1853 1854 /* TODO: Could setup key for RX here, but change default TX keyid only 1855 * after new broadcast key has been sent to all stations. */ 1856 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1857 broadcast_ether_addr, 1858 eapol->default_wep_key_idx, 1, NULL, 0, 1859 eapol->default_wep_key, 1860 hapd->conf->default_wep_key_len)) { 1861 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1862 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1863 "new broadcast key"); 1864 os_free(eapol->default_wep_key); 1865 eapol->default_wep_key = NULL; 1866 return; 1867 } 1868 1869 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1870 1871 if (hapd->conf->wep_rekeying_period > 0) { 1872 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1873 ieee802_1x_rekey, hapd, NULL); 1874 } 1875} 1876 1877 1878static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1879 const u8 *data, size_t datalen) 1880{ 1881#ifdef CONFIG_WPS 1882 struct sta_info *sta = sta_ctx; 1883 1884 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1885 WLAN_STA_MAYBE_WPS) { 1886 const u8 *identity; 1887 size_t identity_len; 1888 struct eapol_state_machine *sm = sta->eapol_sm; 1889 1890 identity = eap_get_identity(sm->eap, &identity_len); 1891 if (identity && 1892 ((identity_len == WSC_ID_ENROLLEE_LEN && 1893 os_memcmp(identity, WSC_ID_ENROLLEE, 1894 WSC_ID_ENROLLEE_LEN) == 0) || 1895 (identity_len == WSC_ID_REGISTRAR_LEN && 1896 os_memcmp(identity, WSC_ID_REGISTRAR, 1897 WSC_ID_REGISTRAR_LEN) == 0))) { 1898 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1899 "WLAN_STA_WPS"); 1900 sta->flags |= WLAN_STA_WPS; 1901 } 1902 } 1903#endif /* CONFIG_WPS */ 1904 1905 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1906} 1907 1908 1909static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1910 const u8 *data, size_t datalen) 1911{ 1912#ifndef CONFIG_NO_RADIUS 1913 struct hostapd_data *hapd = ctx; 1914 struct sta_info *sta = sta_ctx; 1915 1916 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1917#endif /* CONFIG_NO_RADIUS */ 1918} 1919 1920 1921static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1922 int preauth, int remediation) 1923{ 1924 struct hostapd_data *hapd = ctx; 1925 struct sta_info *sta = sta_ctx; 1926 if (preauth) 1927 rsn_preauth_finished(hapd, sta, success); 1928 else 1929 ieee802_1x_finished(hapd, sta, success, remediation); 1930} 1931 1932 1933static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1934 size_t identity_len, int phase2, 1935 struct eap_user *user) 1936{ 1937 struct hostapd_data *hapd = ctx; 1938 const struct hostapd_eap_user *eap_user; 1939 int i; 1940 int rv = -1; 1941 1942 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1943 if (eap_user == NULL) 1944 goto out; 1945 1946 os_memset(user, 0, sizeof(*user)); 1947 user->phase2 = phase2; 1948 for (i = 0; i < EAP_MAX_METHODS; i++) { 1949 user->methods[i].vendor = eap_user->methods[i].vendor; 1950 user->methods[i].method = eap_user->methods[i].method; 1951 } 1952 1953 if (eap_user->password) { 1954 user->password = os_malloc(eap_user->password_len); 1955 if (user->password == NULL) 1956 goto out; 1957 os_memcpy(user->password, eap_user->password, 1958 eap_user->password_len); 1959 user->password_len = eap_user->password_len; 1960 user->password_hash = eap_user->password_hash; 1961 } 1962 user->force_version = eap_user->force_version; 1963 user->macacl = eap_user->macacl; 1964 user->ttls_auth = eap_user->ttls_auth; 1965 user->remediation = eap_user->remediation; 1966 rv = 0; 1967 1968out: 1969 if (rv) 1970 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 1971 1972 return rv; 1973} 1974 1975 1976static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1977{ 1978 struct hostapd_data *hapd = ctx; 1979 struct sta_info *sta; 1980 sta = ap_get_sta(hapd, addr); 1981 if (sta == NULL || sta->eapol_sm == NULL) 1982 return 0; 1983 return 1; 1984} 1985 1986 1987static void ieee802_1x_logger(void *ctx, const u8 *addr, 1988 eapol_logger_level level, const char *txt) 1989{ 1990#ifndef CONFIG_NO_HOSTAPD_LOGGER 1991 struct hostapd_data *hapd = ctx; 1992 int hlevel; 1993 1994 switch (level) { 1995 case EAPOL_LOGGER_WARNING: 1996 hlevel = HOSTAPD_LEVEL_WARNING; 1997 break; 1998 case EAPOL_LOGGER_INFO: 1999 hlevel = HOSTAPD_LEVEL_INFO; 2000 break; 2001 case EAPOL_LOGGER_DEBUG: 2002 default: 2003 hlevel = HOSTAPD_LEVEL_DEBUG; 2004 break; 2005 } 2006 2007 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2008 txt); 2009#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2010} 2011 2012 2013static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2014 int authorized) 2015{ 2016 struct hostapd_data *hapd = ctx; 2017 struct sta_info *sta = sta_ctx; 2018 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2019} 2020 2021 2022static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2023{ 2024 struct hostapd_data *hapd = ctx; 2025 struct sta_info *sta = sta_ctx; 2026 ieee802_1x_abort_auth(hapd, sta); 2027} 2028 2029 2030static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2031{ 2032#ifndef CONFIG_FIPS 2033#ifndef CONFIG_NO_RC4 2034 struct hostapd_data *hapd = ctx; 2035 struct sta_info *sta = sta_ctx; 2036 ieee802_1x_tx_key(hapd, sta); 2037#endif /* CONFIG_NO_RC4 */ 2038#endif /* CONFIG_FIPS */ 2039} 2040 2041 2042static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2043 enum eapol_event type) 2044{ 2045 /* struct hostapd_data *hapd = ctx; */ 2046 struct sta_info *sta = sta_ctx; 2047 switch (type) { 2048 case EAPOL_AUTH_SM_CHANGE: 2049 wpa_auth_sm_notify(sta->wpa_sm); 2050 break; 2051 case EAPOL_AUTH_REAUTHENTICATE: 2052 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2053 break; 2054 } 2055} 2056 2057 2058#ifdef CONFIG_ERP 2059 2060static struct eap_server_erp_key * 2061ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2062{ 2063 struct hostapd_data *hapd = ctx; 2064 struct eap_server_erp_key *erp; 2065 2066 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2067 list) { 2068 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2069 return erp; 2070 } 2071 2072 return NULL; 2073} 2074 2075 2076static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2077{ 2078 struct hostapd_data *hapd = ctx; 2079 2080 dl_list_add(&hapd->erp_keys, &erp->list); 2081 return 0; 2082} 2083 2084#endif /* CONFIG_ERP */ 2085 2086 2087int ieee802_1x_init(struct hostapd_data *hapd) 2088{ 2089 int i; 2090 struct eapol_auth_config conf; 2091 struct eapol_auth_cb cb; 2092 2093 dl_list_init(&hapd->erp_keys); 2094 2095 os_memset(&conf, 0, sizeof(conf)); 2096 conf.ctx = hapd; 2097 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2098 conf.wpa = hapd->conf->wpa; 2099 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2100 conf.eap_server = hapd->conf->eap_server; 2101 conf.ssl_ctx = hapd->ssl_ctx; 2102 conf.msg_ctx = hapd->msg_ctx; 2103 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2104 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2105 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2106 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2107 conf.erp_domain = hapd->conf->erp_domain; 2108 conf.erp = hapd->conf->eap_server_erp; 2109 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2110 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2111 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2112 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2113 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2114 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2115 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2116 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2117 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2118 conf.tnc = hapd->conf->tnc; 2119 conf.wps = hapd->wps; 2120 conf.fragment_size = hapd->conf->fragment_size; 2121 conf.pwd_group = hapd->conf->pwd_group; 2122 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2123 if (hapd->conf->server_id) { 2124 conf.server_id = (const u8 *) hapd->conf->server_id; 2125 conf.server_id_len = os_strlen(hapd->conf->server_id); 2126 } else { 2127 conf.server_id = (const u8 *) "hostapd"; 2128 conf.server_id_len = 7; 2129 } 2130 2131 os_memset(&cb, 0, sizeof(cb)); 2132 cb.eapol_send = ieee802_1x_eapol_send; 2133 cb.aaa_send = ieee802_1x_aaa_send; 2134 cb.finished = _ieee802_1x_finished; 2135 cb.get_eap_user = ieee802_1x_get_eap_user; 2136 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2137 cb.logger = ieee802_1x_logger; 2138 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2139 cb.abort_auth = _ieee802_1x_abort_auth; 2140 cb.tx_key = _ieee802_1x_tx_key; 2141 cb.eapol_event = ieee802_1x_eapol_event; 2142#ifdef CONFIG_ERP 2143 cb.erp_get_key = ieee802_1x_erp_get_key; 2144 cb.erp_add_key = ieee802_1x_erp_add_key; 2145#endif /* CONFIG_ERP */ 2146 2147 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2148 if (hapd->eapol_auth == NULL) 2149 return -1; 2150 2151 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2152 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2153 return -1; 2154 2155#ifndef CONFIG_NO_RADIUS 2156 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2157 ieee802_1x_receive_auth, hapd)) 2158 return -1; 2159#endif /* CONFIG_NO_RADIUS */ 2160 2161 if (hapd->conf->default_wep_key_len) { 2162 for (i = 0; i < 4; i++) 2163 hostapd_drv_set_key(hapd->conf->iface, hapd, 2164 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2165 NULL, 0); 2166 2167 ieee802_1x_rekey(hapd, NULL); 2168 2169 if (hapd->eapol_auth->default_wep_key == NULL) 2170 return -1; 2171 } 2172 2173 return 0; 2174} 2175 2176 2177void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2178{ 2179 struct eap_server_erp_key *erp; 2180 2181 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2182 list)) != NULL) { 2183 dl_list_del(&erp->list); 2184 bin_clear_free(erp, sizeof(*erp)); 2185 } 2186} 2187 2188 2189void ieee802_1x_deinit(struct hostapd_data *hapd) 2190{ 2191 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2192 2193 if (hapd->driver && hapd->drv_priv && 2194 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2195 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2196 2197 eapol_auth_deinit(hapd->eapol_auth); 2198 hapd->eapol_auth = NULL; 2199 2200 ieee802_1x_erp_flush(hapd); 2201} 2202 2203 2204int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2205 const u8 *buf, size_t len, int ack) 2206{ 2207 struct ieee80211_hdr *hdr; 2208 u8 *pos; 2209 const unsigned char rfc1042_hdr[ETH_ALEN] = 2210 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2211 2212 if (sta == NULL) 2213 return -1; 2214 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2215 return 0; 2216 2217 hdr = (struct ieee80211_hdr *) buf; 2218 pos = (u8 *) (hdr + 1); 2219 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2220 return 0; 2221 pos += sizeof(rfc1042_hdr); 2222 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2223 return 0; 2224 pos += 2; 2225 2226 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2227 ack); 2228} 2229 2230 2231int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2232 const u8 *buf, int len, int ack) 2233{ 2234 const struct ieee802_1x_hdr *xhdr = 2235 (const struct ieee802_1x_hdr *) buf; 2236 const u8 *pos = buf + sizeof(*xhdr); 2237 struct ieee802_1x_eapol_key *key; 2238 2239 if (len < (int) sizeof(*xhdr)) 2240 return 0; 2241 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2242 "type=%d length=%d - ack=%d", 2243 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2244 be_to_host16(xhdr->length), ack); 2245 2246 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2247 return 0; 2248 2249 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2250 const struct wpa_eapol_key *wpa; 2251 wpa = (const struct wpa_eapol_key *) pos; 2252 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2253 wpa->type == EAPOL_KEY_TYPE_WPA) 2254 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2255 sta->wpa_sm, ack); 2256 } 2257 2258 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2259 * or Authenticator state machines, but EAPOL-Key packets are not 2260 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2261 * packets couple of times because otherwise STA keys become 2262 * unsynchronized with AP. */ 2263 if (!ack && pos + sizeof(*key) <= buf + len) { 2264 key = (struct ieee802_1x_eapol_key *) pos; 2265 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2266 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2267 "frame (%scast index=%d)", 2268 key->key_index & BIT(7) ? "uni" : "broad", 2269 key->key_index & ~BIT(7)); 2270 /* TODO: re-send EAPOL-Key couple of times (with short delay 2271 * between them?). If all attempt fail, report error and 2272 * deauthenticate STA so that it will get new keys when 2273 * authenticating again (e.g., after returning in range). 2274 * Separate limit/transmit state needed both for unicast and 2275 * broadcast keys(?) */ 2276 } 2277 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2278 * to here and change the key only if the EAPOL-Key packet was Acked. 2279 */ 2280 2281 return 1; 2282} 2283 2284 2285u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2286{ 2287 if (sm == NULL || sm->identity == NULL) 2288 return NULL; 2289 2290 *len = sm->identity_len; 2291 return sm->identity; 2292} 2293 2294 2295u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2296 int idx) 2297{ 2298 if (sm == NULL || sm->radius_class.attr == NULL || 2299 idx >= (int) sm->radius_class.count) 2300 return NULL; 2301 2302 *len = sm->radius_class.attr[idx].len; 2303 return sm->radius_class.attr[idx].data; 2304} 2305 2306 2307struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2308{ 2309 if (sm == NULL) 2310 return NULL; 2311 return sm->radius_cui; 2312} 2313 2314 2315const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2316{ 2317 *len = 0; 2318 if (sm == NULL) 2319 return NULL; 2320 2321 *len = sm->eap_if->eapKeyDataLen; 2322 return sm->eap_if->eapKeyData; 2323} 2324 2325 2326void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2327 int enabled) 2328{ 2329 if (sm == NULL) 2330 return; 2331 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2332 eapol_auth_step(sm); 2333} 2334 2335 2336void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2337 int valid) 2338{ 2339 if (sm == NULL) 2340 return; 2341 sm->portValid = valid ? TRUE : FALSE; 2342 eapol_auth_step(sm); 2343} 2344 2345 2346void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2347{ 2348 if (sm == NULL) 2349 return; 2350 if (pre_auth) 2351 sm->flags |= EAPOL_SM_PREAUTH; 2352 else 2353 sm->flags &= ~EAPOL_SM_PREAUTH; 2354} 2355 2356 2357static const char * bool_txt(Boolean val) 2358{ 2359 return val ? "TRUE" : "FALSE"; 2360} 2361 2362 2363int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2364{ 2365 /* TODO */ 2366 return 0; 2367} 2368 2369 2370int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2371 char *buf, size_t buflen) 2372{ 2373 int len = 0, ret; 2374 struct eapol_state_machine *sm = sta->eapol_sm; 2375 struct os_reltime diff; 2376 const char *name1; 2377 const char *name2; 2378 2379 if (sm == NULL) 2380 return 0; 2381 2382 ret = os_snprintf(buf + len, buflen - len, 2383 "dot1xPaePortNumber=%d\n" 2384 "dot1xPaePortProtocolVersion=%d\n" 2385 "dot1xPaePortCapabilities=1\n" 2386 "dot1xPaePortInitialize=%d\n" 2387 "dot1xPaePortReauthenticate=FALSE\n", 2388 sta->aid, 2389 EAPOL_VERSION, 2390 sm->initialize); 2391 if (os_snprintf_error(buflen - len, ret)) 2392 return len; 2393 len += ret; 2394 2395 /* dot1xAuthConfigTable */ 2396 ret = os_snprintf(buf + len, buflen - len, 2397 "dot1xAuthPaeState=%d\n" 2398 "dot1xAuthBackendAuthState=%d\n" 2399 "dot1xAuthAdminControlledDirections=%d\n" 2400 "dot1xAuthOperControlledDirections=%d\n" 2401 "dot1xAuthAuthControlledPortStatus=%d\n" 2402 "dot1xAuthAuthControlledPortControl=%d\n" 2403 "dot1xAuthQuietPeriod=%u\n" 2404 "dot1xAuthServerTimeout=%u\n" 2405 "dot1xAuthReAuthPeriod=%u\n" 2406 "dot1xAuthReAuthEnabled=%s\n" 2407 "dot1xAuthKeyTxEnabled=%s\n", 2408 sm->auth_pae_state + 1, 2409 sm->be_auth_state + 1, 2410 sm->adminControlledDirections, 2411 sm->operControlledDirections, 2412 sm->authPortStatus, 2413 sm->portControl, 2414 sm->quietPeriod, 2415 sm->serverTimeout, 2416 sm->reAuthPeriod, 2417 bool_txt(sm->reAuthEnabled), 2418 bool_txt(sm->keyTxEnabled)); 2419 if (os_snprintf_error(buflen - len, ret)) 2420 return len; 2421 len += ret; 2422 2423 /* dot1xAuthStatsTable */ 2424 ret = os_snprintf(buf + len, buflen - len, 2425 "dot1xAuthEapolFramesRx=%u\n" 2426 "dot1xAuthEapolFramesTx=%u\n" 2427 "dot1xAuthEapolStartFramesRx=%u\n" 2428 "dot1xAuthEapolLogoffFramesRx=%u\n" 2429 "dot1xAuthEapolRespIdFramesRx=%u\n" 2430 "dot1xAuthEapolRespFramesRx=%u\n" 2431 "dot1xAuthEapolReqIdFramesTx=%u\n" 2432 "dot1xAuthEapolReqFramesTx=%u\n" 2433 "dot1xAuthInvalidEapolFramesRx=%u\n" 2434 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2435 "dot1xAuthLastEapolFrameVersion=%u\n" 2436 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2437 sm->dot1xAuthEapolFramesRx, 2438 sm->dot1xAuthEapolFramesTx, 2439 sm->dot1xAuthEapolStartFramesRx, 2440 sm->dot1xAuthEapolLogoffFramesRx, 2441 sm->dot1xAuthEapolRespIdFramesRx, 2442 sm->dot1xAuthEapolRespFramesRx, 2443 sm->dot1xAuthEapolReqIdFramesTx, 2444 sm->dot1xAuthEapolReqFramesTx, 2445 sm->dot1xAuthInvalidEapolFramesRx, 2446 sm->dot1xAuthEapLengthErrorFramesRx, 2447 sm->dot1xAuthLastEapolFrameVersion, 2448 MAC2STR(sm->addr)); 2449 if (os_snprintf_error(buflen - len, ret)) 2450 return len; 2451 len += ret; 2452 2453 /* dot1xAuthDiagTable */ 2454 ret = os_snprintf(buf + len, buflen - len, 2455 "dot1xAuthEntersConnecting=%u\n" 2456 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2457 "dot1xAuthEntersAuthenticating=%u\n" 2458 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2459 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2460 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2461 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2462 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2463 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2464 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2465 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2466 "dot1xAuthBackendResponses=%u\n" 2467 "dot1xAuthBackendAccessChallenges=%u\n" 2468 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2469 "dot1xAuthBackendAuthSuccesses=%u\n" 2470 "dot1xAuthBackendAuthFails=%u\n", 2471 sm->authEntersConnecting, 2472 sm->authEapLogoffsWhileConnecting, 2473 sm->authEntersAuthenticating, 2474 sm->authAuthSuccessesWhileAuthenticating, 2475 sm->authAuthTimeoutsWhileAuthenticating, 2476 sm->authAuthFailWhileAuthenticating, 2477 sm->authAuthEapStartsWhileAuthenticating, 2478 sm->authAuthEapLogoffWhileAuthenticating, 2479 sm->authAuthReauthsWhileAuthenticated, 2480 sm->authAuthEapStartsWhileAuthenticated, 2481 sm->authAuthEapLogoffWhileAuthenticated, 2482 sm->backendResponses, 2483 sm->backendAccessChallenges, 2484 sm->backendOtherRequestsToSupplicant, 2485 sm->backendAuthSuccesses, 2486 sm->backendAuthFails); 2487 if (os_snprintf_error(buflen - len, ret)) 2488 return len; 2489 len += ret; 2490 2491 /* dot1xAuthSessionStatsTable */ 2492 os_reltime_age(&sta->acct_session_start, &diff); 2493 ret = os_snprintf(buf + len, buflen - len, 2494 /* TODO: dot1xAuthSessionOctetsRx */ 2495 /* TODO: dot1xAuthSessionOctetsTx */ 2496 /* TODO: dot1xAuthSessionFramesRx */ 2497 /* TODO: dot1xAuthSessionFramesTx */ 2498 "dot1xAuthSessionId=%08X-%08X\n" 2499 "dot1xAuthSessionAuthenticMethod=%d\n" 2500 "dot1xAuthSessionTime=%u\n" 2501 "dot1xAuthSessionTerminateCause=999\n" 2502 "dot1xAuthSessionUserName=%s\n", 2503 sta->acct_session_id_hi, sta->acct_session_id_lo, 2504 (wpa_key_mgmt_wpa_ieee8021x( 2505 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2506 1 : 2, 2507 (unsigned int) diff.sec, 2508 sm->identity); 2509 if (os_snprintf_error(buflen - len, ret)) 2510 return len; 2511 len += ret; 2512 2513 if (sm->acct_multi_session_id_hi) { 2514 ret = os_snprintf(buf + len, buflen - len, 2515 "authMultiSessionId=%08X+%08X\n", 2516 sm->acct_multi_session_id_hi, 2517 sm->acct_multi_session_id_lo); 2518 if (os_snprintf_error(buflen - len, ret)) 2519 return len; 2520 len += ret; 2521 } 2522 2523 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2524 name2 = eap_server_get_name(0, sm->eap_type_supp); 2525 ret = os_snprintf(buf + len, buflen - len, 2526 "last_eap_type_as=%d (%s)\n" 2527 "last_eap_type_sta=%d (%s)\n", 2528 sm->eap_type_authsrv, name1, 2529 sm->eap_type_supp, name2); 2530 if (os_snprintf_error(buflen - len, ret)) 2531 return len; 2532 len += ret; 2533 2534 return len; 2535} 2536 2537 2538#ifdef CONFIG_HS20 2539static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2540{ 2541 struct hostapd_data *hapd = eloop_ctx; 2542 struct sta_info *sta = timeout_ctx; 2543 2544 if (sta->remediation) { 2545 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2546 MACSTR " to indicate Subscription Remediation", 2547 MAC2STR(sta->addr)); 2548 hs20_send_wnm_notification(hapd, sta->addr, 2549 sta->remediation_method, 2550 sta->remediation_url); 2551 os_free(sta->remediation_url); 2552 sta->remediation_url = NULL; 2553 } 2554 2555 if (sta->hs20_deauth_req) { 2556 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2557 MACSTR " to indicate imminent deauthentication", 2558 MAC2STR(sta->addr)); 2559 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2560 sta->hs20_deauth_req); 2561 } 2562} 2563#endif /* CONFIG_HS20 */ 2564 2565 2566static void ieee802_1x_finished(struct hostapd_data *hapd, 2567 struct sta_info *sta, int success, 2568 int remediation) 2569{ 2570 const u8 *key; 2571 size_t len; 2572 /* TODO: get PMKLifetime from WPA parameters */ 2573 static const int dot11RSNAConfigPMKLifetime = 43200; 2574 unsigned int session_timeout; 2575 2576#ifdef CONFIG_HS20 2577 if (remediation && !sta->remediation) { 2578 sta->remediation = 1; 2579 os_free(sta->remediation_url); 2580 sta->remediation_url = 2581 os_strdup(hapd->conf->subscr_remediation_url); 2582 sta->remediation_method = 1; /* SOAP-XML SPP */ 2583 } 2584 2585 if (success && (sta->remediation || sta->hs20_deauth_req)) { 2586 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2587 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2588 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2589 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2590 hapd, sta); 2591 } 2592#endif /* CONFIG_HS20 */ 2593 2594 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2595 if (sta->session_timeout_set) 2596 session_timeout = sta->session_timeout; 2597 else 2598 session_timeout = dot11RSNAConfigPMKLifetime; 2599 if (success && key && len >= PMK_LEN && !sta->remediation && 2600 !sta->hs20_deauth_requested && 2601 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2602 sta->eapol_sm) == 0) { 2603 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2604 HOSTAPD_LEVEL_DEBUG, 2605 "Added PMKSA cache entry (IEEE 802.1X)"); 2606 } 2607 2608 if (!success) { 2609 /* 2610 * Many devices require deauthentication after WPS provisioning 2611 * and some may not be be able to do that themselves, so 2612 * disconnect the client here. In addition, this may also 2613 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2614 * the EAPOL PAE state machine would remain in HELD state for 2615 * considerable amount of time and some EAP methods, like 2616 * EAP-FAST with anonymous provisioning, may require another 2617 * EAPOL authentication to be started to complete connection. 2618 */ 2619 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2620 "disconnection after EAP-Failure"); 2621 /* Add a small sleep to increase likelihood of previously 2622 * requested EAP-Failure TX getting out before this should the 2623 * driver reorder operations. 2624 */ 2625 os_sleep(0, 10000); 2626 ap_sta_disconnect(hapd, sta, sta->addr, 2627 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2628 hostapd_wps_eap_completed(hapd); 2629 } 2630} 2631