1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "ieee802_1x.h" 33 34 35 static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41 { 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 70 encrypt, sta->flags); 71 } 72 73 os_free(buf); 74 } 75 76 77 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 78 struct sta_info *sta, int authorized) 79 { 80 int res; 81 82 if (sta->flags & WLAN_STA_PREAUTH) 83 return; 84 85 if (authorized) { 86 ap_sta_set_authorized(hapd, sta, 1); 87 res = hostapd_set_authorized(hapd, sta, 1); 88 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 89 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 90 } else { 91 ap_sta_set_authorized(hapd, sta, 0); 92 res = hostapd_set_authorized(hapd, sta, 0); 93 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 94 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 95 } 96 97 if (res && errno != ENOENT) { 98 printf("Could not set station " MACSTR " flags for kernel " 99 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 100 } 101 102 if (authorized) 103 accounting_sta_start(hapd, sta); 104 } 105 106 107 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 108 struct sta_info *sta, 109 int idx, int broadcast, 110 u8 *key_data, size_t key_len) 111 { 112 u8 *buf, *ekey; 113 struct ieee802_1x_hdr *hdr; 114 struct ieee802_1x_eapol_key *key; 115 size_t len, ekey_len; 116 struct eapol_state_machine *sm = sta->eapol_sm; 117 118 if (sm == NULL) 119 return; 120 121 len = sizeof(*key) + key_len; 122 buf = os_zalloc(sizeof(*hdr) + len); 123 if (buf == NULL) 124 return; 125 126 hdr = (struct ieee802_1x_hdr *) buf; 127 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 128 key->type = EAPOL_KEY_TYPE_RC4; 129 key->key_length = htons(key_len); 130 wpa_get_ntp_timestamp(key->replay_counter); 131 132 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 133 wpa_printf(MSG_ERROR, "Could not get random numbers"); 134 os_free(buf); 135 return; 136 } 137 138 key->key_index = idx | (broadcast ? 0 : BIT(7)); 139 if (hapd->conf->eapol_key_index_workaround) { 140 /* According to some information, WinXP Supplicant seems to 141 * interpret bit7 as an indication whether the key is to be 142 * activated, so make it possible to enable workaround that 143 * sets this bit for all keys. */ 144 key->key_index |= BIT(7); 145 } 146 147 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 148 * MSK[32..63] is used to sign the message. */ 149 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 150 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 151 "and signing EAPOL-Key"); 152 os_free(buf); 153 return; 154 } 155 os_memcpy((u8 *) (key + 1), key_data, key_len); 156 ekey_len = sizeof(key->key_iv) + 32; 157 ekey = os_malloc(ekey_len); 158 if (ekey == NULL) { 159 wpa_printf(MSG_ERROR, "Could not encrypt key"); 160 os_free(buf); 161 return; 162 } 163 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 164 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 165 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 166 os_free(ekey); 167 168 /* This header is needed here for HMAC-MD5, but it will be regenerated 169 * in ieee802_1x_send() */ 170 hdr->version = hapd->conf->eapol_version; 171 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 172 hdr->length = host_to_be16(len); 173 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 174 key->key_signature); 175 176 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 177 " (%s index=%d)", MAC2STR(sm->addr), 178 broadcast ? "broadcast" : "unicast", idx); 179 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 180 if (sta->eapol_sm) 181 sta->eapol_sm->dot1xAuthEapolFramesTx++; 182 os_free(buf); 183 } 184 185 186 #ifndef CONFIG_NO_VLAN 187 static struct hostapd_wep_keys * 188 ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 189 { 190 struct hostapd_wep_keys *key; 191 192 key = os_zalloc(sizeof(*key)); 193 if (key == NULL) 194 return NULL; 195 196 key->default_len = hapd->conf->default_wep_key_len; 197 198 if (key->idx >= hapd->conf->broadcast_key_idx_max || 199 key->idx < hapd->conf->broadcast_key_idx_min) 200 key->idx = hapd->conf->broadcast_key_idx_min; 201 else 202 key->idx++; 203 204 if (!key->key[key->idx]) 205 key->key[key->idx] = os_malloc(key->default_len); 206 if (key->key[key->idx] == NULL || 207 random_get_bytes(key->key[key->idx], key->default_len)) { 208 printf("Could not generate random WEP key (dynamic VLAN).\n"); 209 os_free(key->key[key->idx]); 210 key->key[key->idx] = NULL; 211 os_free(key); 212 return NULL; 213 } 214 key->len[key->idx] = key->default_len; 215 216 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 217 ifname, key->idx); 218 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 219 key->key[key->idx], key->len[key->idx]); 220 221 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 222 broadcast_ether_addr, key->idx, 1, 223 NULL, 0, key->key[key->idx], 224 key->len[key->idx])) 225 printf("Could not set dynamic VLAN WEP encryption key.\n"); 226 227 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 228 229 return key; 230 } 231 232 233 static struct hostapd_wep_keys * 234 ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 235 size_t vlan_id) 236 { 237 const char *ifname; 238 239 if (vlan_id == 0) 240 return &ssid->wep; 241 242 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 243 ssid->dyn_vlan_keys[vlan_id]) 244 return ssid->dyn_vlan_keys[vlan_id]; 245 246 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 247 "state machine for VLAN ID %lu", 248 (unsigned long) vlan_id); 249 250 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 251 if (ifname == NULL) { 252 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 253 "cannot create group key state machine", 254 (unsigned long) vlan_id); 255 return NULL; 256 } 257 258 if (ssid->dyn_vlan_keys == NULL) { 259 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 260 ssid->dyn_vlan_keys = os_zalloc(size); 261 if (ssid->dyn_vlan_keys == NULL) 262 return NULL; 263 ssid->max_dyn_vlan_keys = vlan_id; 264 } 265 266 if (ssid->max_dyn_vlan_keys < vlan_id) { 267 struct hostapd_wep_keys **na; 268 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 269 na = os_realloc(ssid->dyn_vlan_keys, size); 270 if (na == NULL) 271 return NULL; 272 ssid->dyn_vlan_keys = na; 273 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 274 (vlan_id - ssid->max_dyn_vlan_keys) * 275 sizeof(ssid->dyn_vlan_keys[0])); 276 ssid->max_dyn_vlan_keys = vlan_id; 277 } 278 279 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 280 281 return ssid->dyn_vlan_keys[vlan_id]; 282 } 283 #endif /* CONFIG_NO_VLAN */ 284 285 286 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 287 { 288 struct eapol_authenticator *eapol = hapd->eapol_auth; 289 struct eapol_state_machine *sm = sta->eapol_sm; 290 #ifndef CONFIG_NO_VLAN 291 struct hostapd_wep_keys *key = NULL; 292 int vlan_id; 293 #endif /* CONFIG_NO_VLAN */ 294 295 if (sm == NULL || !sm->eap_if->eapKeyData) 296 return; 297 298 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 299 MAC2STR(sta->addr)); 300 301 #ifndef CONFIG_NO_VLAN 302 vlan_id = sta->vlan_id; 303 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 304 vlan_id = 0; 305 306 if (vlan_id) { 307 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 308 if (key && key->key[key->idx]) 309 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 310 key->key[key->idx], 311 key->len[key->idx]); 312 } else 313 #endif /* CONFIG_NO_VLAN */ 314 if (eapol->default_wep_key) { 315 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 316 eapol->default_wep_key, 317 hapd->conf->default_wep_key_len); 318 } 319 320 if (hapd->conf->individual_wep_key_len > 0) { 321 u8 *ikey; 322 ikey = os_malloc(hapd->conf->individual_wep_key_len); 323 if (ikey == NULL || 324 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 325 { 326 wpa_printf(MSG_ERROR, "Could not generate random " 327 "individual WEP key."); 328 os_free(ikey); 329 return; 330 } 331 332 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 333 ikey, hapd->conf->individual_wep_key_len); 334 335 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 336 hapd->conf->individual_wep_key_len); 337 338 /* TODO: set encryption in TX callback, i.e., only after STA 339 * has ACKed EAPOL-Key frame */ 340 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 341 sta->addr, 0, 1, NULL, 0, ikey, 342 hapd->conf->individual_wep_key_len)) { 343 wpa_printf(MSG_ERROR, "Could not set individual WEP " 344 "encryption."); 345 } 346 347 os_free(ikey); 348 } 349 } 350 351 352 const char *radius_mode_txt(struct hostapd_data *hapd) 353 { 354 switch (hapd->iface->conf->hw_mode) { 355 case HOSTAPD_MODE_IEEE80211A: 356 return "802.11a"; 357 case HOSTAPD_MODE_IEEE80211G: 358 return "802.11g"; 359 case HOSTAPD_MODE_IEEE80211B: 360 default: 361 return "802.11b"; 362 } 363 } 364 365 366 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 367 { 368 int i; 369 u8 rate = 0; 370 371 for (i = 0; i < sta->supported_rates_len; i++) 372 if ((sta->supported_rates[i] & 0x7f) > rate) 373 rate = sta->supported_rates[i] & 0x7f; 374 375 return rate; 376 } 377 378 379 #ifndef CONFIG_NO_RADIUS 380 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 381 struct eapol_state_machine *sm, 382 const u8 *eap, size_t len) 383 { 384 const u8 *identity; 385 size_t identity_len; 386 387 if (len <= sizeof(struct eap_hdr) || 388 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 389 return; 390 391 identity = eap_get_identity(sm->eap, &identity_len); 392 if (identity == NULL) 393 return; 394 395 /* Save station identity for future RADIUS packets */ 396 os_free(sm->identity); 397 sm->identity = os_malloc(identity_len + 1); 398 if (sm->identity == NULL) { 399 sm->identity_len = 0; 400 return; 401 } 402 403 os_memcpy(sm->identity, identity, identity_len); 404 sm->identity_len = identity_len; 405 sm->identity[identity_len] = '\0'; 406 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 407 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 408 sm->dot1xAuthEapolRespIdFramesRx++; 409 } 410 411 412 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 413 struct sta_info *sta, 414 const u8 *eap, size_t len) 415 { 416 struct radius_msg *msg; 417 char buf[128]; 418 struct eapol_state_machine *sm = sta->eapol_sm; 419 420 if (sm == NULL) 421 return; 422 423 ieee802_1x_learn_identity(hapd, sm, eap, len); 424 425 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 426 "packet"); 427 428 sm->radius_identifier = radius_client_get_id(hapd->radius); 429 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 430 sm->radius_identifier); 431 if (msg == NULL) { 432 printf("Could not create net RADIUS packet\n"); 433 return; 434 } 435 436 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 437 438 if (sm->identity && 439 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 440 sm->identity, sm->identity_len)) { 441 printf("Could not add User-Name\n"); 442 goto fail; 443 } 444 445 if (hapd->conf->own_ip_addr.af == AF_INET && 446 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 447 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 448 printf("Could not add NAS-IP-Address\n"); 449 goto fail; 450 } 451 452 #ifdef CONFIG_IPV6 453 if (hapd->conf->own_ip_addr.af == AF_INET6 && 454 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 455 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 456 printf("Could not add NAS-IPv6-Address\n"); 457 goto fail; 458 } 459 #endif /* CONFIG_IPV6 */ 460 461 if (hapd->conf->nas_identifier && 462 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 463 (u8 *) hapd->conf->nas_identifier, 464 os_strlen(hapd->conf->nas_identifier))) { 465 printf("Could not add NAS-Identifier\n"); 466 goto fail; 467 } 468 469 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 470 printf("Could not add NAS-Port\n"); 471 goto fail; 472 } 473 474 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 475 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 476 buf[sizeof(buf) - 1] = '\0'; 477 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 478 (u8 *) buf, os_strlen(buf))) { 479 printf("Could not add Called-Station-Id\n"); 480 goto fail; 481 } 482 483 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 484 MAC2STR(sta->addr)); 485 buf[sizeof(buf) - 1] = '\0'; 486 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 487 (u8 *) buf, os_strlen(buf))) { 488 printf("Could not add Calling-Station-Id\n"); 489 goto fail; 490 } 491 492 /* TODO: should probably check MTU from driver config; 2304 is max for 493 * IEEE 802.11, but use 1400 to avoid problems with too large packets 494 */ 495 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 496 printf("Could not add Framed-MTU\n"); 497 goto fail; 498 } 499 500 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 501 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 502 printf("Could not add NAS-Port-Type\n"); 503 goto fail; 504 } 505 506 if (sta->flags & WLAN_STA_PREAUTH) { 507 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 508 sizeof(buf)); 509 } else { 510 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 511 radius_sta_rate(hapd, sta) / 2, 512 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 513 radius_mode_txt(hapd)); 514 buf[sizeof(buf) - 1] = '\0'; 515 } 516 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 517 (u8 *) buf, os_strlen(buf))) { 518 printf("Could not add Connect-Info\n"); 519 goto fail; 520 } 521 522 if (eap && !radius_msg_add_eap(msg, eap, len)) { 523 printf("Could not add EAP-Message\n"); 524 goto fail; 525 } 526 527 /* State attribute must be copied if and only if this packet is 528 * Access-Request reply to the previous Access-Challenge */ 529 if (sm->last_recv_radius && 530 radius_msg_get_hdr(sm->last_recv_radius)->code == 531 RADIUS_CODE_ACCESS_CHALLENGE) { 532 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 533 RADIUS_ATTR_STATE); 534 if (res < 0) { 535 printf("Could not copy State attribute from previous " 536 "Access-Challenge\n"); 537 goto fail; 538 } 539 if (res > 0) { 540 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 541 } 542 } 543 544 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 545 goto fail; 546 547 return; 548 549 fail: 550 radius_msg_free(msg); 551 } 552 #endif /* CONFIG_NO_RADIUS */ 553 554 555 static void handle_eap_response(struct hostapd_data *hapd, 556 struct sta_info *sta, struct eap_hdr *eap, 557 size_t len) 558 { 559 u8 type, *data; 560 struct eapol_state_machine *sm = sta->eapol_sm; 561 if (sm == NULL) 562 return; 563 564 data = (u8 *) (eap + 1); 565 566 if (len < sizeof(*eap) + 1) { 567 printf("handle_eap_response: too short response data\n"); 568 return; 569 } 570 571 sm->eap_type_supp = type = data[0]; 572 573 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 574 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 575 "id=%d len=%d) from STA: EAP Response-%s (%d)", 576 eap->code, eap->identifier, be_to_host16(eap->length), 577 eap_server_get_name(0, type), type); 578 579 sm->dot1xAuthEapolRespFramesRx++; 580 581 wpabuf_free(sm->eap_if->eapRespData); 582 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 583 sm->eapolEap = TRUE; 584 } 585 586 587 /* Process incoming EAP packet from Supplicant */ 588 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 589 u8 *buf, size_t len) 590 { 591 struct eap_hdr *eap; 592 u16 eap_len; 593 594 if (len < sizeof(*eap)) { 595 printf(" too short EAP packet\n"); 596 return; 597 } 598 599 eap = (struct eap_hdr *) buf; 600 601 eap_len = be_to_host16(eap->length); 602 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 603 eap->code, eap->identifier, eap_len); 604 if (eap_len < sizeof(*eap)) { 605 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 606 return; 607 } else if (eap_len > len) { 608 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 609 "packet"); 610 return; 611 } else if (eap_len < len) { 612 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 613 "packet", (unsigned long) len - eap_len); 614 } 615 616 switch (eap->code) { 617 case EAP_CODE_REQUEST: 618 wpa_printf(MSG_DEBUG, " (request)"); 619 return; 620 case EAP_CODE_RESPONSE: 621 wpa_printf(MSG_DEBUG, " (response)"); 622 handle_eap_response(hapd, sta, eap, eap_len); 623 break; 624 case EAP_CODE_SUCCESS: 625 wpa_printf(MSG_DEBUG, " (success)"); 626 return; 627 case EAP_CODE_FAILURE: 628 wpa_printf(MSG_DEBUG, " (failure)"); 629 return; 630 default: 631 wpa_printf(MSG_DEBUG, " (unknown code)"); 632 return; 633 } 634 } 635 636 637 static struct eapol_state_machine * 638 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 639 { 640 int flags = 0; 641 if (sta->flags & WLAN_STA_PREAUTH) 642 flags |= EAPOL_SM_PREAUTH; 643 if (sta->wpa_sm) { 644 flags |= EAPOL_SM_USES_WPA; 645 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 646 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 647 } 648 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 649 sta->wps_ie, sta->p2p_ie, sta); 650 } 651 652 653 /** 654 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 655 * @hapd: hostapd BSS data 656 * @sa: Source address (sender of the EAPOL frame) 657 * @buf: EAPOL frame 658 * @len: Length of buf in octets 659 * 660 * This function is called for each incoming EAPOL frame from the interface 661 */ 662 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 663 size_t len) 664 { 665 struct sta_info *sta; 666 struct ieee802_1x_hdr *hdr; 667 struct ieee802_1x_eapol_key *key; 668 u16 datalen; 669 struct rsn_pmksa_cache_entry *pmksa; 670 int key_mgmt; 671 672 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 673 !hapd->conf->wps_state) 674 return; 675 676 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 677 (unsigned long) len, MAC2STR(sa)); 678 sta = ap_get_sta(hapd, sa); 679 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 680 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 681 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 682 "associated/Pre-authenticating STA"); 683 return; 684 } 685 686 if (len < sizeof(*hdr)) { 687 printf(" too short IEEE 802.1X packet\n"); 688 return; 689 } 690 691 hdr = (struct ieee802_1x_hdr *) buf; 692 datalen = be_to_host16(hdr->length); 693 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 694 hdr->version, hdr->type, datalen); 695 696 if (len - sizeof(*hdr) < datalen) { 697 printf(" frame too short for this IEEE 802.1X packet\n"); 698 if (sta->eapol_sm) 699 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 700 return; 701 } 702 if (len - sizeof(*hdr) > datalen) { 703 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 704 "IEEE 802.1X packet", 705 (unsigned long) len - sizeof(*hdr) - datalen); 706 } 707 708 if (sta->eapol_sm) { 709 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 710 sta->eapol_sm->dot1xAuthEapolFramesRx++; 711 } 712 713 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 714 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 715 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 716 (key->type == EAPOL_KEY_TYPE_WPA || 717 key->type == EAPOL_KEY_TYPE_RSN)) { 718 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 719 sizeof(*hdr) + datalen); 720 return; 721 } 722 723 if (!hapd->conf->ieee802_1x && 724 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 725 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 726 "802.1X not enabled and WPS not used"); 727 return; 728 } 729 730 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 731 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 732 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 733 "STA is using PSK"); 734 return; 735 } 736 737 if (!sta->eapol_sm) { 738 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 739 if (!sta->eapol_sm) 740 return; 741 742 #ifdef CONFIG_WPS 743 if (!hapd->conf->ieee802_1x) { 744 u32 wflags = sta->flags & (WLAN_STA_WPS | 745 WLAN_STA_WPS2 | 746 WLAN_STA_MAYBE_WPS); 747 if (wflags == WLAN_STA_MAYBE_WPS || 748 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 749 /* 750 * Delay EAPOL frame transmission until a 751 * possible WPS STA initiates the handshake 752 * with EAPOL-Start. Only allow the wait to be 753 * skipped if the STA is known to support WPS 754 * 2.0. 755 */ 756 wpa_printf(MSG_DEBUG, "WPS: Do not start " 757 "EAPOL until EAPOL-Start is " 758 "received"); 759 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 760 } 761 } 762 #endif /* CONFIG_WPS */ 763 764 sta->eapol_sm->eap_if->portEnabled = TRUE; 765 } 766 767 /* since we support version 1, we can ignore version field and proceed 768 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 769 /* TODO: actually, we are not version 1 anymore.. However, Version 2 770 * does not change frame contents, so should be ok to process frames 771 * more or less identically. Some changes might be needed for 772 * verification of fields. */ 773 774 switch (hdr->type) { 775 case IEEE802_1X_TYPE_EAP_PACKET: 776 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 777 break; 778 779 case IEEE802_1X_TYPE_EAPOL_START: 780 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 781 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 782 "from STA"); 783 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 784 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 785 if (pmksa) { 786 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 787 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 788 "available - ignore it since " 789 "STA sent EAPOL-Start"); 790 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 791 } 792 sta->eapol_sm->eapolStart = TRUE; 793 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 794 eap_server_clear_identity(sta->eapol_sm->eap); 795 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 796 break; 797 798 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 799 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 800 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 801 "from STA"); 802 sta->acct_terminate_cause = 803 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 804 accounting_sta_stop(hapd, sta); 805 sta->eapol_sm->eapolLogoff = TRUE; 806 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 807 eap_server_clear_identity(sta->eapol_sm->eap); 808 break; 809 810 case IEEE802_1X_TYPE_EAPOL_KEY: 811 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 812 if (!ap_sta_is_authorized(sta)) { 813 wpa_printf(MSG_DEBUG, " Dropped key data from " 814 "unauthorized Supplicant"); 815 break; 816 } 817 break; 818 819 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 820 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 821 /* TODO: implement support for this; show data */ 822 break; 823 824 default: 825 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 826 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 827 break; 828 } 829 830 eapol_auth_step(sta->eapol_sm); 831 } 832 833 834 /** 835 * ieee802_1x_new_station - Start IEEE 802.1X authentication 836 * @hapd: hostapd BSS data 837 * @sta: The station 838 * 839 * This function is called to start IEEE 802.1X authentication when a new 840 * station completes IEEE 802.11 association. 841 */ 842 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 843 { 844 struct rsn_pmksa_cache_entry *pmksa; 845 int reassoc = 1; 846 int force_1x = 0; 847 int key_mgmt; 848 849 #ifdef CONFIG_WPS 850 if (hapd->conf->wps_state && hapd->conf->wpa && 851 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 852 /* 853 * Need to enable IEEE 802.1X/EAPOL state machines for possible 854 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 855 * authentication in this BSS. 856 */ 857 force_1x = 1; 858 } 859 #endif /* CONFIG_WPS */ 860 861 if (!force_1x && !hapd->conf->ieee802_1x) { 862 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 863 "802.1X not enabled or forced for WPS"); 864 return; 865 } 866 867 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 868 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 869 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 870 return; 871 } 872 873 if (sta->eapol_sm == NULL) { 874 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 875 HOSTAPD_LEVEL_DEBUG, "start authentication"); 876 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 877 if (sta->eapol_sm == NULL) { 878 hostapd_logger(hapd, sta->addr, 879 HOSTAPD_MODULE_IEEE8021X, 880 HOSTAPD_LEVEL_INFO, 881 "failed to allocate state machine"); 882 return; 883 } 884 reassoc = 0; 885 } 886 887 #ifdef CONFIG_WPS 888 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 889 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 890 /* 891 * Delay EAPOL frame transmission until a possible WPS STA 892 * initiates the handshake with EAPOL-Start. Only allow the 893 * wait to be skipped if the STA is known to support WPS 2.0. 894 */ 895 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 896 "EAPOL-Start is received"); 897 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 898 } 899 #endif /* CONFIG_WPS */ 900 901 sta->eapol_sm->eap_if->portEnabled = TRUE; 902 903 #ifdef CONFIG_IEEE80211R 904 if (sta->auth_alg == WLAN_AUTH_FT) { 905 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 906 HOSTAPD_LEVEL_DEBUG, 907 "PMK from FT - skip IEEE 802.1X/EAP"); 908 /* Setup EAPOL state machines to already authenticated state 909 * because of existing FT information from R0KH. */ 910 sta->eapol_sm->keyRun = TRUE; 911 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 912 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 913 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 914 sta->eapol_sm->authSuccess = TRUE; 915 sta->eapol_sm->authFail = FALSE; 916 if (sta->eapol_sm->eap) 917 eap_sm_notify_cached(sta->eapol_sm->eap); 918 /* TODO: get vlan_id from R0KH using RRB message */ 919 return; 920 } 921 #endif /* CONFIG_IEEE80211R */ 922 923 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 924 if (pmksa) { 925 int old_vlanid; 926 927 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 928 HOSTAPD_LEVEL_DEBUG, 929 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 930 /* Setup EAPOL state machines to already authenticated state 931 * because of existing PMKSA information in the cache. */ 932 sta->eapol_sm->keyRun = TRUE; 933 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 934 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 935 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 936 sta->eapol_sm->authSuccess = TRUE; 937 sta->eapol_sm->authFail = FALSE; 938 if (sta->eapol_sm->eap) 939 eap_sm_notify_cached(sta->eapol_sm->eap); 940 old_vlanid = sta->vlan_id; 941 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 942 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 943 sta->vlan_id = 0; 944 ap_sta_bind_vlan(hapd, sta, old_vlanid); 945 } else { 946 if (reassoc) { 947 /* 948 * Force EAPOL state machines to start 949 * re-authentication without having to wait for the 950 * Supplicant to send EAPOL-Start. 951 */ 952 sta->eapol_sm->reAuthenticate = TRUE; 953 } 954 eapol_auth_step(sta->eapol_sm); 955 } 956 } 957 958 959 void ieee802_1x_free_station(struct sta_info *sta) 960 { 961 struct eapol_state_machine *sm = sta->eapol_sm; 962 963 if (sm == NULL) 964 return; 965 966 sta->eapol_sm = NULL; 967 968 #ifndef CONFIG_NO_RADIUS 969 radius_msg_free(sm->last_recv_radius); 970 radius_free_class(&sm->radius_class); 971 #endif /* CONFIG_NO_RADIUS */ 972 973 os_free(sm->identity); 974 eapol_auth_free(sm); 975 } 976 977 978 #ifndef CONFIG_NO_RADIUS 979 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 980 struct sta_info *sta) 981 { 982 u8 *eap; 983 size_t len; 984 struct eap_hdr *hdr; 985 int eap_type = -1; 986 char buf[64]; 987 struct radius_msg *msg; 988 struct eapol_state_machine *sm = sta->eapol_sm; 989 990 if (sm == NULL || sm->last_recv_radius == NULL) { 991 if (sm) 992 sm->eap_if->aaaEapNoReq = TRUE; 993 return; 994 } 995 996 msg = sm->last_recv_radius; 997 998 eap = radius_msg_get_eap(msg, &len); 999 if (eap == NULL) { 1000 /* RFC 3579, Chap. 2.6.3: 1001 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1002 * attribute */ 1003 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1004 HOSTAPD_LEVEL_WARNING, "could not extract " 1005 "EAP-Message from RADIUS message"); 1006 sm->eap_if->aaaEapNoReq = TRUE; 1007 return; 1008 } 1009 1010 if (len < sizeof(*hdr)) { 1011 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1012 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1013 "received from authentication server"); 1014 os_free(eap); 1015 sm->eap_if->aaaEapNoReq = TRUE; 1016 return; 1017 } 1018 1019 if (len > sizeof(*hdr)) 1020 eap_type = eap[sizeof(*hdr)]; 1021 1022 hdr = (struct eap_hdr *) eap; 1023 switch (hdr->code) { 1024 case EAP_CODE_REQUEST: 1025 if (eap_type >= 0) 1026 sm->eap_type_authsrv = eap_type; 1027 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1028 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1029 "??", 1030 eap_type); 1031 break; 1032 case EAP_CODE_RESPONSE: 1033 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1034 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1035 "??", 1036 eap_type); 1037 break; 1038 case EAP_CODE_SUCCESS: 1039 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1040 break; 1041 case EAP_CODE_FAILURE: 1042 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1043 break; 1044 default: 1045 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1046 break; 1047 } 1048 buf[sizeof(buf) - 1] = '\0'; 1049 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1050 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1051 "id=%d len=%d) from RADIUS server: %s", 1052 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1053 buf); 1054 sm->eap_if->aaaEapReq = TRUE; 1055 1056 wpabuf_free(sm->eap_if->aaaEapReqData); 1057 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1058 } 1059 1060 1061 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1062 struct sta_info *sta, struct radius_msg *msg, 1063 struct radius_msg *req, 1064 const u8 *shared_secret, 1065 size_t shared_secret_len) 1066 { 1067 struct radius_ms_mppe_keys *keys; 1068 struct eapol_state_machine *sm = sta->eapol_sm; 1069 if (sm == NULL) 1070 return; 1071 1072 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1073 shared_secret_len); 1074 1075 if (keys && keys->send && keys->recv) { 1076 size_t len = keys->send_len + keys->recv_len; 1077 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1078 keys->send, keys->send_len); 1079 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1080 keys->recv, keys->recv_len); 1081 1082 os_free(sm->eap_if->aaaEapKeyData); 1083 sm->eap_if->aaaEapKeyData = os_malloc(len); 1084 if (sm->eap_if->aaaEapKeyData) { 1085 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1086 keys->recv_len); 1087 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1088 keys->send, keys->send_len); 1089 sm->eap_if->aaaEapKeyDataLen = len; 1090 sm->eap_if->aaaEapKeyAvailable = TRUE; 1091 } 1092 } 1093 1094 if (keys) { 1095 os_free(keys->send); 1096 os_free(keys->recv); 1097 os_free(keys); 1098 } 1099 } 1100 1101 1102 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1103 struct sta_info *sta, 1104 struct radius_msg *msg) 1105 { 1106 u8 *class; 1107 size_t class_len; 1108 struct eapol_state_machine *sm = sta->eapol_sm; 1109 int count, i; 1110 struct radius_attr_data *nclass; 1111 size_t nclass_count; 1112 1113 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1114 sm == NULL) 1115 return; 1116 1117 radius_free_class(&sm->radius_class); 1118 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1119 if (count <= 0) 1120 return; 1121 1122 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1123 if (nclass == NULL) 1124 return; 1125 1126 nclass_count = 0; 1127 1128 class = NULL; 1129 for (i = 0; i < count; i++) { 1130 do { 1131 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1132 &class, &class_len, 1133 class) < 0) { 1134 i = count; 1135 break; 1136 } 1137 } while (class_len < 1); 1138 1139 nclass[nclass_count].data = os_malloc(class_len); 1140 if (nclass[nclass_count].data == NULL) 1141 break; 1142 1143 os_memcpy(nclass[nclass_count].data, class, class_len); 1144 nclass[nclass_count].len = class_len; 1145 nclass_count++; 1146 } 1147 1148 sm->radius_class.attr = nclass; 1149 sm->radius_class.count = nclass_count; 1150 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1151 "attributes for " MACSTR, 1152 (unsigned long) sm->radius_class.count, 1153 MAC2STR(sta->addr)); 1154 } 1155 1156 1157 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1158 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1159 struct sta_info *sta, 1160 struct radius_msg *msg) 1161 { 1162 u8 *buf, *identity; 1163 size_t len; 1164 struct eapol_state_machine *sm = sta->eapol_sm; 1165 1166 if (sm == NULL) 1167 return; 1168 1169 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1170 NULL) < 0) 1171 return; 1172 1173 identity = os_malloc(len + 1); 1174 if (identity == NULL) 1175 return; 1176 1177 os_memcpy(identity, buf, len); 1178 identity[len] = '\0'; 1179 1180 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1181 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1182 "User-Name from Access-Accept '%s'", 1183 sm->identity ? (char *) sm->identity : "N/A", 1184 (char *) identity); 1185 1186 os_free(sm->identity); 1187 sm->identity = identity; 1188 sm->identity_len = len; 1189 } 1190 1191 1192 struct sta_id_search { 1193 u8 identifier; 1194 struct eapol_state_machine *sm; 1195 }; 1196 1197 1198 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1199 struct sta_info *sta, 1200 void *ctx) 1201 { 1202 struct sta_id_search *id_search = ctx; 1203 struct eapol_state_machine *sm = sta->eapol_sm; 1204 1205 if (sm && sm->radius_identifier >= 0 && 1206 sm->radius_identifier == id_search->identifier) { 1207 id_search->sm = sm; 1208 return 1; 1209 } 1210 return 0; 1211 } 1212 1213 1214 static struct eapol_state_machine * 1215 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1216 { 1217 struct sta_id_search id_search; 1218 id_search.identifier = identifier; 1219 id_search.sm = NULL; 1220 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1221 return id_search.sm; 1222 } 1223 1224 1225 /** 1226 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1227 * @msg: RADIUS response message 1228 * @req: RADIUS request message 1229 * @shared_secret: RADIUS shared secret 1230 * @shared_secret_len: Length of shared_secret in octets 1231 * @data: Context data (struct hostapd_data *) 1232 * Returns: Processing status 1233 */ 1234 static RadiusRxResult 1235 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1236 const u8 *shared_secret, size_t shared_secret_len, 1237 void *data) 1238 { 1239 struct hostapd_data *hapd = data; 1240 struct sta_info *sta; 1241 u32 session_timeout = 0, termination_action, acct_interim_interval; 1242 int session_timeout_set, old_vlanid = 0; 1243 struct eapol_state_machine *sm; 1244 int override_eapReq = 0; 1245 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1246 1247 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1248 if (sm == NULL) { 1249 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1250 "station for this RADIUS message"); 1251 return RADIUS_RX_UNKNOWN; 1252 } 1253 sta = sm->sta; 1254 1255 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1256 * present when packet contains an EAP-Message attribute */ 1257 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1258 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1259 0) < 0 && 1260 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1261 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1262 "Message-Authenticator since it does not include " 1263 "EAP-Message"); 1264 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1265 req, 1)) { 1266 printf("Incoming RADIUS packet did not have correct " 1267 "Message-Authenticator - dropped\n"); 1268 return RADIUS_RX_INVALID_AUTHENTICATOR; 1269 } 1270 1271 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1272 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1273 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1274 printf("Unknown RADIUS message code\n"); 1275 return RADIUS_RX_UNKNOWN; 1276 } 1277 1278 sm->radius_identifier = -1; 1279 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1280 MAC2STR(sta->addr)); 1281 1282 radius_msg_free(sm->last_recv_radius); 1283 sm->last_recv_radius = msg; 1284 1285 session_timeout_set = 1286 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1287 &session_timeout); 1288 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1289 &termination_action)) 1290 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1291 1292 if (hapd->conf->acct_interim_interval == 0 && 1293 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1294 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1295 &acct_interim_interval) == 0) { 1296 if (acct_interim_interval < 60) { 1297 hostapd_logger(hapd, sta->addr, 1298 HOSTAPD_MODULE_IEEE8021X, 1299 HOSTAPD_LEVEL_INFO, 1300 "ignored too small " 1301 "Acct-Interim-Interval %d", 1302 acct_interim_interval); 1303 } else 1304 sta->acct_interim_interval = acct_interim_interval; 1305 } 1306 1307 1308 switch (hdr->code) { 1309 case RADIUS_CODE_ACCESS_ACCEPT: 1310 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1311 sta->vlan_id = 0; 1312 #ifndef CONFIG_NO_VLAN 1313 else { 1314 old_vlanid = sta->vlan_id; 1315 sta->vlan_id = radius_msg_get_vlanid(msg); 1316 } 1317 if (sta->vlan_id > 0 && 1318 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1319 sta->vlan_id)) { 1320 hostapd_logger(hapd, sta->addr, 1321 HOSTAPD_MODULE_RADIUS, 1322 HOSTAPD_LEVEL_INFO, 1323 "VLAN ID %d", sta->vlan_id); 1324 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1325 sta->eapol_sm->authFail = TRUE; 1326 hostapd_logger(hapd, sta->addr, 1327 HOSTAPD_MODULE_IEEE8021X, 1328 HOSTAPD_LEVEL_INFO, "authentication " 1329 "server did not include required VLAN " 1330 "ID in Access-Accept"); 1331 break; 1332 } 1333 #endif /* CONFIG_NO_VLAN */ 1334 1335 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1336 break; 1337 1338 /* RFC 3580, Ch. 3.17 */ 1339 if (session_timeout_set && termination_action == 1340 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1341 sm->reAuthPeriod = session_timeout; 1342 } else if (session_timeout_set) 1343 ap_sta_session_timeout(hapd, sta, session_timeout); 1344 1345 sm->eap_if->aaaSuccess = TRUE; 1346 override_eapReq = 1; 1347 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1348 shared_secret_len); 1349 ieee802_1x_store_radius_class(hapd, sta, msg); 1350 ieee802_1x_update_sta_identity(hapd, sta, msg); 1351 if (sm->eap_if->eapKeyAvailable && 1352 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1353 session_timeout_set ? 1354 (int) session_timeout : -1, sm) == 0) { 1355 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1356 HOSTAPD_LEVEL_DEBUG, 1357 "Added PMKSA cache entry"); 1358 } 1359 break; 1360 case RADIUS_CODE_ACCESS_REJECT: 1361 sm->eap_if->aaaFail = TRUE; 1362 override_eapReq = 1; 1363 break; 1364 case RADIUS_CODE_ACCESS_CHALLENGE: 1365 sm->eap_if->aaaEapReq = TRUE; 1366 if (session_timeout_set) { 1367 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1368 sm->eap_if->aaaMethodTimeout = session_timeout; 1369 hostapd_logger(hapd, sm->addr, 1370 HOSTAPD_MODULE_IEEE8021X, 1371 HOSTAPD_LEVEL_DEBUG, 1372 "using EAP timeout of %d seconds (from " 1373 "RADIUS)", 1374 sm->eap_if->aaaMethodTimeout); 1375 } else { 1376 /* 1377 * Use dynamic retransmission behavior per EAP 1378 * specification. 1379 */ 1380 sm->eap_if->aaaMethodTimeout = 0; 1381 } 1382 break; 1383 } 1384 1385 ieee802_1x_decapsulate_radius(hapd, sta); 1386 if (override_eapReq) 1387 sm->eap_if->aaaEapReq = FALSE; 1388 1389 eapol_auth_step(sm); 1390 1391 return RADIUS_RX_QUEUED; 1392 } 1393 #endif /* CONFIG_NO_RADIUS */ 1394 1395 1396 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1397 { 1398 struct eapol_state_machine *sm = sta->eapol_sm; 1399 if (sm == NULL) 1400 return; 1401 1402 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1403 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1404 1405 #ifndef CONFIG_NO_RADIUS 1406 radius_msg_free(sm->last_recv_radius); 1407 sm->last_recv_radius = NULL; 1408 #endif /* CONFIG_NO_RADIUS */ 1409 1410 if (sm->eap_if->eapTimeout) { 1411 /* 1412 * Disconnect the STA since it did not reply to the last EAP 1413 * request and we cannot continue EAP processing (EAP-Failure 1414 * could only be sent if the EAP peer actually replied). 1415 */ 1416 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1417 MAC2STR(sta->addr)); 1418 1419 sm->eap_if->portEnabled = FALSE; 1420 ap_sta_disconnect(hapd, sta, sta->addr, 1421 WLAN_REASON_PREV_AUTH_NOT_VALID); 1422 } 1423 } 1424 1425 1426 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1427 { 1428 struct eapol_authenticator *eapol = hapd->eapol_auth; 1429 1430 if (hapd->conf->default_wep_key_len < 1) 1431 return 0; 1432 1433 os_free(eapol->default_wep_key); 1434 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1435 if (eapol->default_wep_key == NULL || 1436 random_get_bytes(eapol->default_wep_key, 1437 hapd->conf->default_wep_key_len)) { 1438 printf("Could not generate random WEP key.\n"); 1439 os_free(eapol->default_wep_key); 1440 eapol->default_wep_key = NULL; 1441 return -1; 1442 } 1443 1444 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1445 eapol->default_wep_key, 1446 hapd->conf->default_wep_key_len); 1447 1448 return 0; 1449 } 1450 1451 1452 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1453 struct sta_info *sta, void *ctx) 1454 { 1455 if (sta->eapol_sm) { 1456 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1457 eapol_auth_step(sta->eapol_sm); 1458 } 1459 return 0; 1460 } 1461 1462 1463 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1464 { 1465 struct hostapd_data *hapd = eloop_ctx; 1466 struct eapol_authenticator *eapol = hapd->eapol_auth; 1467 1468 if (eapol->default_wep_key_idx >= 3) 1469 eapol->default_wep_key_idx = 1470 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1471 else 1472 eapol->default_wep_key_idx++; 1473 1474 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1475 eapol->default_wep_key_idx); 1476 1477 if (ieee802_1x_rekey_broadcast(hapd)) { 1478 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1479 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1480 "new broadcast key"); 1481 os_free(eapol->default_wep_key); 1482 eapol->default_wep_key = NULL; 1483 return; 1484 } 1485 1486 /* TODO: Could setup key for RX here, but change default TX keyid only 1487 * after new broadcast key has been sent to all stations. */ 1488 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1489 broadcast_ether_addr, 1490 eapol->default_wep_key_idx, 1, NULL, 0, 1491 eapol->default_wep_key, 1492 hapd->conf->default_wep_key_len)) { 1493 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1494 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1495 "new broadcast key"); 1496 os_free(eapol->default_wep_key); 1497 eapol->default_wep_key = NULL; 1498 return; 1499 } 1500 1501 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1502 1503 if (hapd->conf->wep_rekeying_period > 0) { 1504 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1505 ieee802_1x_rekey, hapd, NULL); 1506 } 1507 } 1508 1509 1510 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1511 const u8 *data, size_t datalen) 1512 { 1513 #ifdef CONFIG_WPS 1514 struct sta_info *sta = sta_ctx; 1515 1516 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1517 WLAN_STA_MAYBE_WPS) { 1518 const u8 *identity; 1519 size_t identity_len; 1520 struct eapol_state_machine *sm = sta->eapol_sm; 1521 1522 identity = eap_get_identity(sm->eap, &identity_len); 1523 if (identity && 1524 ((identity_len == WSC_ID_ENROLLEE_LEN && 1525 os_memcmp(identity, WSC_ID_ENROLLEE, 1526 WSC_ID_ENROLLEE_LEN) == 0) || 1527 (identity_len == WSC_ID_REGISTRAR_LEN && 1528 os_memcmp(identity, WSC_ID_REGISTRAR, 1529 WSC_ID_REGISTRAR_LEN) == 0))) { 1530 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1531 "WLAN_STA_WPS"); 1532 sta->flags |= WLAN_STA_WPS; 1533 } 1534 } 1535 #endif /* CONFIG_WPS */ 1536 1537 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1538 } 1539 1540 1541 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1542 const u8 *data, size_t datalen) 1543 { 1544 #ifndef CONFIG_NO_RADIUS 1545 struct hostapd_data *hapd = ctx; 1546 struct sta_info *sta = sta_ctx; 1547 1548 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1549 #endif /* CONFIG_NO_RADIUS */ 1550 } 1551 1552 1553 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1554 int preauth) 1555 { 1556 struct hostapd_data *hapd = ctx; 1557 struct sta_info *sta = sta_ctx; 1558 if (preauth) 1559 rsn_preauth_finished(hapd, sta, success); 1560 else 1561 ieee802_1x_finished(hapd, sta, success); 1562 } 1563 1564 1565 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1566 size_t identity_len, int phase2, 1567 struct eap_user *user) 1568 { 1569 struct hostapd_data *hapd = ctx; 1570 const struct hostapd_eap_user *eap_user; 1571 int i; 1572 1573 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1574 identity_len, phase2); 1575 if (eap_user == NULL) 1576 return -1; 1577 1578 os_memset(user, 0, sizeof(*user)); 1579 user->phase2 = phase2; 1580 for (i = 0; i < EAP_MAX_METHODS; i++) { 1581 user->methods[i].vendor = eap_user->methods[i].vendor; 1582 user->methods[i].method = eap_user->methods[i].method; 1583 } 1584 1585 if (eap_user->password) { 1586 user->password = os_malloc(eap_user->password_len); 1587 if (user->password == NULL) 1588 return -1; 1589 os_memcpy(user->password, eap_user->password, 1590 eap_user->password_len); 1591 user->password_len = eap_user->password_len; 1592 user->password_hash = eap_user->password_hash; 1593 } 1594 user->force_version = eap_user->force_version; 1595 user->ttls_auth = eap_user->ttls_auth; 1596 1597 return 0; 1598 } 1599 1600 1601 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1602 { 1603 struct hostapd_data *hapd = ctx; 1604 struct sta_info *sta; 1605 sta = ap_get_sta(hapd, addr); 1606 if (sta == NULL || sta->eapol_sm == NULL) 1607 return 0; 1608 return 1; 1609 } 1610 1611 1612 static void ieee802_1x_logger(void *ctx, const u8 *addr, 1613 eapol_logger_level level, const char *txt) 1614 { 1615 #ifndef CONFIG_NO_HOSTAPD_LOGGER 1616 struct hostapd_data *hapd = ctx; 1617 int hlevel; 1618 1619 switch (level) { 1620 case EAPOL_LOGGER_WARNING: 1621 hlevel = HOSTAPD_LEVEL_WARNING; 1622 break; 1623 case EAPOL_LOGGER_INFO: 1624 hlevel = HOSTAPD_LEVEL_INFO; 1625 break; 1626 case EAPOL_LOGGER_DEBUG: 1627 default: 1628 hlevel = HOSTAPD_LEVEL_DEBUG; 1629 break; 1630 } 1631 1632 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1633 txt); 1634 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1635 } 1636 1637 1638 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1639 int authorized) 1640 { 1641 struct hostapd_data *hapd = ctx; 1642 struct sta_info *sta = sta_ctx; 1643 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1644 } 1645 1646 1647 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1648 { 1649 struct hostapd_data *hapd = ctx; 1650 struct sta_info *sta = sta_ctx; 1651 ieee802_1x_abort_auth(hapd, sta); 1652 } 1653 1654 1655 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1656 { 1657 struct hostapd_data *hapd = ctx; 1658 struct sta_info *sta = sta_ctx; 1659 ieee802_1x_tx_key(hapd, sta); 1660 } 1661 1662 1663 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1664 enum eapol_event type) 1665 { 1666 /* struct hostapd_data *hapd = ctx; */ 1667 struct sta_info *sta = sta_ctx; 1668 switch (type) { 1669 case EAPOL_AUTH_SM_CHANGE: 1670 wpa_auth_sm_notify(sta->wpa_sm); 1671 break; 1672 case EAPOL_AUTH_REAUTHENTICATE: 1673 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1674 break; 1675 } 1676 } 1677 1678 1679 int ieee802_1x_init(struct hostapd_data *hapd) 1680 { 1681 int i; 1682 struct eapol_auth_config conf; 1683 struct eapol_auth_cb cb; 1684 1685 os_memset(&conf, 0, sizeof(conf)); 1686 conf.ctx = hapd; 1687 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1688 conf.wpa = hapd->conf->wpa; 1689 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1690 conf.eap_server = hapd->conf->eap_server; 1691 conf.ssl_ctx = hapd->ssl_ctx; 1692 conf.msg_ctx = hapd->msg_ctx; 1693 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1694 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1695 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1696 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1697 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1698 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1699 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1700 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1701 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1702 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1703 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1704 conf.tnc = hapd->conf->tnc; 1705 conf.wps = hapd->wps; 1706 conf.fragment_size = hapd->conf->fragment_size; 1707 conf.pwd_group = hapd->conf->pwd_group; 1708 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1709 1710 os_memset(&cb, 0, sizeof(cb)); 1711 cb.eapol_send = ieee802_1x_eapol_send; 1712 cb.aaa_send = ieee802_1x_aaa_send; 1713 cb.finished = _ieee802_1x_finished; 1714 cb.get_eap_user = ieee802_1x_get_eap_user; 1715 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1716 cb.logger = ieee802_1x_logger; 1717 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1718 cb.abort_auth = _ieee802_1x_abort_auth; 1719 cb.tx_key = _ieee802_1x_tx_key; 1720 cb.eapol_event = ieee802_1x_eapol_event; 1721 1722 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1723 if (hapd->eapol_auth == NULL) 1724 return -1; 1725 1726 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1727 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1728 return -1; 1729 1730 #ifndef CONFIG_NO_RADIUS 1731 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1732 ieee802_1x_receive_auth, hapd)) 1733 return -1; 1734 #endif /* CONFIG_NO_RADIUS */ 1735 1736 if (hapd->conf->default_wep_key_len) { 1737 for (i = 0; i < 4; i++) 1738 hostapd_drv_set_key(hapd->conf->iface, hapd, 1739 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1740 NULL, 0); 1741 1742 ieee802_1x_rekey(hapd, NULL); 1743 1744 if (hapd->eapol_auth->default_wep_key == NULL) 1745 return -1; 1746 } 1747 1748 return 0; 1749 } 1750 1751 1752 void ieee802_1x_deinit(struct hostapd_data *hapd) 1753 { 1754 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1755 1756 if (hapd->driver != NULL && 1757 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1758 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1759 1760 eapol_auth_deinit(hapd->eapol_auth); 1761 hapd->eapol_auth = NULL; 1762 } 1763 1764 1765 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1766 const u8 *buf, size_t len, int ack) 1767 { 1768 struct ieee80211_hdr *hdr; 1769 u8 *pos; 1770 const unsigned char rfc1042_hdr[ETH_ALEN] = 1771 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1772 1773 if (sta == NULL) 1774 return -1; 1775 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1776 return 0; 1777 1778 hdr = (struct ieee80211_hdr *) buf; 1779 pos = (u8 *) (hdr + 1); 1780 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1781 return 0; 1782 pos += sizeof(rfc1042_hdr); 1783 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1784 return 0; 1785 pos += 2; 1786 1787 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1788 ack); 1789 } 1790 1791 1792 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1793 const u8 *buf, int len, int ack) 1794 { 1795 const struct ieee802_1x_hdr *xhdr = 1796 (const struct ieee802_1x_hdr *) buf; 1797 const u8 *pos = buf + sizeof(*xhdr); 1798 struct ieee802_1x_eapol_key *key; 1799 1800 if (len < (int) sizeof(*xhdr)) 1801 return 0; 1802 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1803 "type=%d length=%d - ack=%d", 1804 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1805 be_to_host16(xhdr->length), ack); 1806 1807 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1808 return 0; 1809 1810 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1811 const struct wpa_eapol_key *wpa; 1812 wpa = (const struct wpa_eapol_key *) pos; 1813 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1814 wpa->type == EAPOL_KEY_TYPE_WPA) 1815 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1816 sta->wpa_sm, ack); 1817 } 1818 1819 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1820 * or Authenticator state machines, but EAPOL-Key packets are not 1821 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1822 * packets couple of times because otherwise STA keys become 1823 * unsynchronized with AP. */ 1824 if (!ack && pos + sizeof(*key) <= buf + len) { 1825 key = (struct ieee802_1x_eapol_key *) pos; 1826 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1827 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1828 "frame (%scast index=%d)", 1829 key->key_index & BIT(7) ? "uni" : "broad", 1830 key->key_index & ~BIT(7)); 1831 /* TODO: re-send EAPOL-Key couple of times (with short delay 1832 * between them?). If all attempt fail, report error and 1833 * deauthenticate STA so that it will get new keys when 1834 * authenticating again (e.g., after returning in range). 1835 * Separate limit/transmit state needed both for unicast and 1836 * broadcast keys(?) */ 1837 } 1838 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1839 * to here and change the key only if the EAPOL-Key packet was Acked. 1840 */ 1841 1842 return 1; 1843 } 1844 1845 1846 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1847 { 1848 if (sm == NULL || sm->identity == NULL) 1849 return NULL; 1850 1851 *len = sm->identity_len; 1852 return sm->identity; 1853 } 1854 1855 1856 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1857 int idx) 1858 { 1859 if (sm == NULL || sm->radius_class.attr == NULL || 1860 idx >= (int) sm->radius_class.count) 1861 return NULL; 1862 1863 *len = sm->radius_class.attr[idx].len; 1864 return sm->radius_class.attr[idx].data; 1865 } 1866 1867 1868 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1869 { 1870 *len = 0; 1871 if (sm == NULL) 1872 return NULL; 1873 1874 *len = sm->eap_if->eapKeyDataLen; 1875 return sm->eap_if->eapKeyData; 1876 } 1877 1878 1879 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1880 int enabled) 1881 { 1882 if (sm == NULL) 1883 return; 1884 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1885 eapol_auth_step(sm); 1886 } 1887 1888 1889 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1890 int valid) 1891 { 1892 if (sm == NULL) 1893 return; 1894 sm->portValid = valid ? TRUE : FALSE; 1895 eapol_auth_step(sm); 1896 } 1897 1898 1899 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1900 { 1901 if (sm == NULL) 1902 return; 1903 if (pre_auth) 1904 sm->flags |= EAPOL_SM_PREAUTH; 1905 else 1906 sm->flags &= ~EAPOL_SM_PREAUTH; 1907 } 1908 1909 1910 static const char * bool_txt(Boolean bool) 1911 { 1912 return bool ? "TRUE" : "FALSE"; 1913 } 1914 1915 1916 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1917 { 1918 /* TODO */ 1919 return 0; 1920 } 1921 1922 1923 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1924 char *buf, size_t buflen) 1925 { 1926 int len = 0, ret; 1927 struct eapol_state_machine *sm = sta->eapol_sm; 1928 struct os_time t; 1929 1930 if (sm == NULL) 1931 return 0; 1932 1933 ret = os_snprintf(buf + len, buflen - len, 1934 "dot1xPaePortNumber=%d\n" 1935 "dot1xPaePortProtocolVersion=%d\n" 1936 "dot1xPaePortCapabilities=1\n" 1937 "dot1xPaePortInitialize=%d\n" 1938 "dot1xPaePortReauthenticate=FALSE\n", 1939 sta->aid, 1940 EAPOL_VERSION, 1941 sm->initialize); 1942 if (ret < 0 || (size_t) ret >= buflen - len) 1943 return len; 1944 len += ret; 1945 1946 /* dot1xAuthConfigTable */ 1947 ret = os_snprintf(buf + len, buflen - len, 1948 "dot1xAuthPaeState=%d\n" 1949 "dot1xAuthBackendAuthState=%d\n" 1950 "dot1xAuthAdminControlledDirections=%d\n" 1951 "dot1xAuthOperControlledDirections=%d\n" 1952 "dot1xAuthAuthControlledPortStatus=%d\n" 1953 "dot1xAuthAuthControlledPortControl=%d\n" 1954 "dot1xAuthQuietPeriod=%u\n" 1955 "dot1xAuthServerTimeout=%u\n" 1956 "dot1xAuthReAuthPeriod=%u\n" 1957 "dot1xAuthReAuthEnabled=%s\n" 1958 "dot1xAuthKeyTxEnabled=%s\n", 1959 sm->auth_pae_state + 1, 1960 sm->be_auth_state + 1, 1961 sm->adminControlledDirections, 1962 sm->operControlledDirections, 1963 sm->authPortStatus, 1964 sm->portControl, 1965 sm->quietPeriod, 1966 sm->serverTimeout, 1967 sm->reAuthPeriod, 1968 bool_txt(sm->reAuthEnabled), 1969 bool_txt(sm->keyTxEnabled)); 1970 if (ret < 0 || (size_t) ret >= buflen - len) 1971 return len; 1972 len += ret; 1973 1974 /* dot1xAuthStatsTable */ 1975 ret = os_snprintf(buf + len, buflen - len, 1976 "dot1xAuthEapolFramesRx=%u\n" 1977 "dot1xAuthEapolFramesTx=%u\n" 1978 "dot1xAuthEapolStartFramesRx=%u\n" 1979 "dot1xAuthEapolLogoffFramesRx=%u\n" 1980 "dot1xAuthEapolRespIdFramesRx=%u\n" 1981 "dot1xAuthEapolRespFramesRx=%u\n" 1982 "dot1xAuthEapolReqIdFramesTx=%u\n" 1983 "dot1xAuthEapolReqFramesTx=%u\n" 1984 "dot1xAuthInvalidEapolFramesRx=%u\n" 1985 "dot1xAuthEapLengthErrorFramesRx=%u\n" 1986 "dot1xAuthLastEapolFrameVersion=%u\n" 1987 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 1988 sm->dot1xAuthEapolFramesRx, 1989 sm->dot1xAuthEapolFramesTx, 1990 sm->dot1xAuthEapolStartFramesRx, 1991 sm->dot1xAuthEapolLogoffFramesRx, 1992 sm->dot1xAuthEapolRespIdFramesRx, 1993 sm->dot1xAuthEapolRespFramesRx, 1994 sm->dot1xAuthEapolReqIdFramesTx, 1995 sm->dot1xAuthEapolReqFramesTx, 1996 sm->dot1xAuthInvalidEapolFramesRx, 1997 sm->dot1xAuthEapLengthErrorFramesRx, 1998 sm->dot1xAuthLastEapolFrameVersion, 1999 MAC2STR(sm->addr)); 2000 if (ret < 0 || (size_t) ret >= buflen - len) 2001 return len; 2002 len += ret; 2003 2004 /* dot1xAuthDiagTable */ 2005 ret = os_snprintf(buf + len, buflen - len, 2006 "dot1xAuthEntersConnecting=%u\n" 2007 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2008 "dot1xAuthEntersAuthenticating=%u\n" 2009 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2010 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2011 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2012 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2013 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2014 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2015 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2016 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2017 "dot1xAuthBackendResponses=%u\n" 2018 "dot1xAuthBackendAccessChallenges=%u\n" 2019 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2020 "dot1xAuthBackendAuthSuccesses=%u\n" 2021 "dot1xAuthBackendAuthFails=%u\n", 2022 sm->authEntersConnecting, 2023 sm->authEapLogoffsWhileConnecting, 2024 sm->authEntersAuthenticating, 2025 sm->authAuthSuccessesWhileAuthenticating, 2026 sm->authAuthTimeoutsWhileAuthenticating, 2027 sm->authAuthFailWhileAuthenticating, 2028 sm->authAuthEapStartsWhileAuthenticating, 2029 sm->authAuthEapLogoffWhileAuthenticating, 2030 sm->authAuthReauthsWhileAuthenticated, 2031 sm->authAuthEapStartsWhileAuthenticated, 2032 sm->authAuthEapLogoffWhileAuthenticated, 2033 sm->backendResponses, 2034 sm->backendAccessChallenges, 2035 sm->backendOtherRequestsToSupplicant, 2036 sm->backendAuthSuccesses, 2037 sm->backendAuthFails); 2038 if (ret < 0 || (size_t) ret >= buflen - len) 2039 return len; 2040 len += ret; 2041 2042 /* dot1xAuthSessionStatsTable */ 2043 os_get_time(&t); 2044 ret = os_snprintf(buf + len, buflen - len, 2045 /* TODO: dot1xAuthSessionOctetsRx */ 2046 /* TODO: dot1xAuthSessionOctetsTx */ 2047 /* TODO: dot1xAuthSessionFramesRx */ 2048 /* TODO: dot1xAuthSessionFramesTx */ 2049 "dot1xAuthSessionId=%08X-%08X\n" 2050 "dot1xAuthSessionAuthenticMethod=%d\n" 2051 "dot1xAuthSessionTime=%u\n" 2052 "dot1xAuthSessionTerminateCause=999\n" 2053 "dot1xAuthSessionUserName=%s\n", 2054 sta->acct_session_id_hi, sta->acct_session_id_lo, 2055 (wpa_key_mgmt_wpa_ieee8021x( 2056 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2057 1 : 2, 2058 (unsigned int) (t.sec - sta->acct_session_start), 2059 sm->identity); 2060 if (ret < 0 || (size_t) ret >= buflen - len) 2061 return len; 2062 len += ret; 2063 2064 return len; 2065 } 2066 2067 2068 static void ieee802_1x_finished(struct hostapd_data *hapd, 2069 struct sta_info *sta, int success) 2070 { 2071 const u8 *key; 2072 size_t len; 2073 /* TODO: get PMKLifetime from WPA parameters */ 2074 static const int dot11RSNAConfigPMKLifetime = 43200; 2075 2076 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2077 if (success && key && len >= PMK_LEN && 2078 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2079 sta->eapol_sm) == 0) { 2080 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2081 HOSTAPD_LEVEL_DEBUG, 2082 "Added PMKSA cache entry (IEEE 802.1X)"); 2083 } 2084 2085 if (!success) { 2086 /* 2087 * Many devices require deauthentication after WPS provisioning 2088 * and some may not be be able to do that themselves, so 2089 * disconnect the client here. In addition, this may also 2090 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2091 * the EAPOL PAE state machine would remain in HELD state for 2092 * considerable amount of time and some EAP methods, like 2093 * EAP-FAST with anonymous provisioning, may require another 2094 * EAPOL authentication to be started to complete connection. 2095 */ 2096 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2097 "disconnection after EAP-Failure"); 2098 /* Add a small sleep to increase likelihood of previously 2099 * requested EAP-Failure TX getting out before this should the 2100 * driver reorder operations. 2101 */ 2102 os_sleep(0, 10000); 2103 ap_sta_disconnect(hapd, sta, sta->addr, 2104 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2105 } 2106 } 2107
