1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "ieee802_1x.h" 33 34 35 static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41 { 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 70 encrypt, sta->flags); 71 } 72 73 os_free(buf); 74 } 75 76 77 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 78 struct sta_info *sta, int authorized) 79 { 80 int res; 81 82 if (sta->flags & WLAN_STA_PREAUTH) 83 return; 84 85 if (authorized) { 86 ap_sta_set_authorized(hapd, sta, 1); 87 res = hostapd_set_authorized(hapd, sta, 1); 88 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 89 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 90 } else { 91 ap_sta_set_authorized(hapd, sta, 0); 92 res = hostapd_set_authorized(hapd, sta, 0); 93 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 94 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 95 } 96 97 if (res && errno != ENOENT) { 98 printf("Could not set station " MACSTR " flags for kernel " 99 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 100 } 101 102 if (authorized) 103 accounting_sta_start(hapd, sta); 104 } 105 106 107 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 108 struct sta_info *sta, 109 int idx, int broadcast, 110 u8 *key_data, size_t key_len) 111 { 112 u8 *buf, *ekey; 113 struct ieee802_1x_hdr *hdr; 114 struct ieee802_1x_eapol_key *key; 115 size_t len, ekey_len; 116 struct eapol_state_machine *sm = sta->eapol_sm; 117 118 if (sm == NULL) 119 return; 120 121 len = sizeof(*key) + key_len; 122 buf = os_zalloc(sizeof(*hdr) + len); 123 if (buf == NULL) 124 return; 125 126 hdr = (struct ieee802_1x_hdr *) buf; 127 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 128 key->type = EAPOL_KEY_TYPE_RC4; 129 WPA_PUT_BE16(key->key_length, key_len); 130 wpa_get_ntp_timestamp(key->replay_counter); 131 132 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 133 wpa_printf(MSG_ERROR, "Could not get random numbers"); 134 os_free(buf); 135 return; 136 } 137 138 key->key_index = idx | (broadcast ? 0 : BIT(7)); 139 if (hapd->conf->eapol_key_index_workaround) { 140 /* According to some information, WinXP Supplicant seems to 141 * interpret bit7 as an indication whether the key is to be 142 * activated, so make it possible to enable workaround that 143 * sets this bit for all keys. */ 144 key->key_index |= BIT(7); 145 } 146 147 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 148 * MSK[32..63] is used to sign the message. */ 149 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 150 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 151 "and signing EAPOL-Key"); 152 os_free(buf); 153 return; 154 } 155 os_memcpy((u8 *) (key + 1), key_data, key_len); 156 ekey_len = sizeof(key->key_iv) + 32; 157 ekey = os_malloc(ekey_len); 158 if (ekey == NULL) { 159 wpa_printf(MSG_ERROR, "Could not encrypt key"); 160 os_free(buf); 161 return; 162 } 163 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 164 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 165 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 166 os_free(ekey); 167 168 /* This header is needed here for HMAC-MD5, but it will be regenerated 169 * in ieee802_1x_send() */ 170 hdr->version = hapd->conf->eapol_version; 171 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 172 hdr->length = host_to_be16(len); 173 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 174 key->key_signature); 175 176 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 177 " (%s index=%d)", MAC2STR(sm->addr), 178 broadcast ? "broadcast" : "unicast", idx); 179 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 180 if (sta->eapol_sm) 181 sta->eapol_sm->dot1xAuthEapolFramesTx++; 182 os_free(buf); 183 } 184 185 186 #ifndef CONFIG_NO_VLAN 187 static struct hostapd_wep_keys * 188 ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 189 { 190 struct hostapd_wep_keys *key; 191 192 key = os_zalloc(sizeof(*key)); 193 if (key == NULL) 194 return NULL; 195 196 key->default_len = hapd->conf->default_wep_key_len; 197 198 if (key->idx >= hapd->conf->broadcast_key_idx_max || 199 key->idx < hapd->conf->broadcast_key_idx_min) 200 key->idx = hapd->conf->broadcast_key_idx_min; 201 else 202 key->idx++; 203 204 if (!key->key[key->idx]) 205 key->key[key->idx] = os_malloc(key->default_len); 206 if (key->key[key->idx] == NULL || 207 random_get_bytes(key->key[key->idx], key->default_len)) { 208 printf("Could not generate random WEP key (dynamic VLAN).\n"); 209 os_free(key->key[key->idx]); 210 key->key[key->idx] = NULL; 211 os_free(key); 212 return NULL; 213 } 214 key->len[key->idx] = key->default_len; 215 216 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 217 ifname, key->idx); 218 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 219 key->key[key->idx], key->len[key->idx]); 220 221 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 222 broadcast_ether_addr, key->idx, 1, 223 NULL, 0, key->key[key->idx], 224 key->len[key->idx])) 225 printf("Could not set dynamic VLAN WEP encryption key.\n"); 226 227 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 228 229 return key; 230 } 231 232 233 static struct hostapd_wep_keys * 234 ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 235 size_t vlan_id) 236 { 237 const char *ifname; 238 239 if (vlan_id == 0) 240 return &ssid->wep; 241 242 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 243 ssid->dyn_vlan_keys[vlan_id]) 244 return ssid->dyn_vlan_keys[vlan_id]; 245 246 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 247 "state machine for VLAN ID %lu", 248 (unsigned long) vlan_id); 249 250 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 251 if (ifname == NULL) { 252 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 253 "cannot create group key state machine", 254 (unsigned long) vlan_id); 255 return NULL; 256 } 257 258 if (ssid->dyn_vlan_keys == NULL) { 259 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 260 ssid->dyn_vlan_keys = os_zalloc(size); 261 if (ssid->dyn_vlan_keys == NULL) 262 return NULL; 263 ssid->max_dyn_vlan_keys = vlan_id; 264 } 265 266 if (ssid->max_dyn_vlan_keys < vlan_id) { 267 struct hostapd_wep_keys **na; 268 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 269 na = os_realloc(ssid->dyn_vlan_keys, size); 270 if (na == NULL) 271 return NULL; 272 ssid->dyn_vlan_keys = na; 273 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 274 (vlan_id - ssid->max_dyn_vlan_keys) * 275 sizeof(ssid->dyn_vlan_keys[0])); 276 ssid->max_dyn_vlan_keys = vlan_id; 277 } 278 279 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 280 281 return ssid->dyn_vlan_keys[vlan_id]; 282 } 283 #endif /* CONFIG_NO_VLAN */ 284 285 286 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 287 { 288 struct eapol_authenticator *eapol = hapd->eapol_auth; 289 struct eapol_state_machine *sm = sta->eapol_sm; 290 #ifndef CONFIG_NO_VLAN 291 struct hostapd_wep_keys *key = NULL; 292 int vlan_id; 293 #endif /* CONFIG_NO_VLAN */ 294 295 if (sm == NULL || !sm->eap_if->eapKeyData) 296 return; 297 298 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 299 MAC2STR(sta->addr)); 300 301 #ifndef CONFIG_NO_VLAN 302 vlan_id = sta->vlan_id; 303 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 304 vlan_id = 0; 305 306 if (vlan_id) { 307 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 308 if (key && key->key[key->idx]) 309 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 310 key->key[key->idx], 311 key->len[key->idx]); 312 } else 313 #endif /* CONFIG_NO_VLAN */ 314 if (eapol->default_wep_key) { 315 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 316 eapol->default_wep_key, 317 hapd->conf->default_wep_key_len); 318 } 319 320 if (hapd->conf->individual_wep_key_len > 0) { 321 u8 *ikey; 322 ikey = os_malloc(hapd->conf->individual_wep_key_len); 323 if (ikey == NULL || 324 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 325 { 326 wpa_printf(MSG_ERROR, "Could not generate random " 327 "individual WEP key."); 328 os_free(ikey); 329 return; 330 } 331 332 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 333 ikey, hapd->conf->individual_wep_key_len); 334 335 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 336 hapd->conf->individual_wep_key_len); 337 338 /* TODO: set encryption in TX callback, i.e., only after STA 339 * has ACKed EAPOL-Key frame */ 340 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 341 sta->addr, 0, 1, NULL, 0, ikey, 342 hapd->conf->individual_wep_key_len)) { 343 wpa_printf(MSG_ERROR, "Could not set individual WEP " 344 "encryption."); 345 } 346 347 os_free(ikey); 348 } 349 } 350 351 352 const char *radius_mode_txt(struct hostapd_data *hapd) 353 { 354 switch (hapd->iface->conf->hw_mode) { 355 case HOSTAPD_MODE_IEEE80211A: 356 return "802.11a"; 357 case HOSTAPD_MODE_IEEE80211G: 358 return "802.11g"; 359 case HOSTAPD_MODE_IEEE80211B: 360 default: 361 return "802.11b"; 362 } 363 } 364 365 366 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 367 { 368 int i; 369 u8 rate = 0; 370 371 for (i = 0; i < sta->supported_rates_len; i++) 372 if ((sta->supported_rates[i] & 0x7f) > rate) 373 rate = sta->supported_rates[i] & 0x7f; 374 375 return rate; 376 } 377 378 379 #ifndef CONFIG_NO_RADIUS 380 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 381 struct eapol_state_machine *sm, 382 const u8 *eap, size_t len) 383 { 384 const u8 *identity; 385 size_t identity_len; 386 387 if (len <= sizeof(struct eap_hdr) || 388 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 389 return; 390 391 identity = eap_get_identity(sm->eap, &identity_len); 392 if (identity == NULL) 393 return; 394 395 /* Save station identity for future RADIUS packets */ 396 os_free(sm->identity); 397 sm->identity = os_malloc(identity_len + 1); 398 if (sm->identity == NULL) { 399 sm->identity_len = 0; 400 return; 401 } 402 403 os_memcpy(sm->identity, identity, identity_len); 404 sm->identity_len = identity_len; 405 sm->identity[identity_len] = '\0'; 406 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 407 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 408 sm->dot1xAuthEapolRespIdFramesRx++; 409 } 410 411 412 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 413 struct hostapd_radius_attr *req_attr, 414 struct sta_info *sta, 415 struct radius_msg *msg) 416 { 417 char buf[128]; 418 419 if (!hostapd_config_get_radius_attr(req_attr, 420 RADIUS_ATTR_NAS_PORT) && 421 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 422 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 423 return -1; 424 } 425 426 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 427 MAC2STR(sta->addr)); 428 buf[sizeof(buf) - 1] = '\0'; 429 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 430 (u8 *) buf, os_strlen(buf))) { 431 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 432 return -1; 433 } 434 435 if (sta->flags & WLAN_STA_PREAUTH) { 436 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 437 sizeof(buf)); 438 } else { 439 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 440 radius_sta_rate(hapd, sta) / 2, 441 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 442 radius_mode_txt(hapd)); 443 buf[sizeof(buf) - 1] = '\0'; 444 } 445 if (!hostapd_config_get_radius_attr(req_attr, 446 RADIUS_ATTR_CONNECT_INFO) && 447 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 448 (u8 *) buf, os_strlen(buf))) { 449 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 450 return -1; 451 } 452 453 return 0; 454 } 455 456 457 int add_common_radius_attr(struct hostapd_data *hapd, 458 struct hostapd_radius_attr *req_attr, 459 struct sta_info *sta, 460 struct radius_msg *msg) 461 { 462 char buf[128]; 463 struct hostapd_radius_attr *attr; 464 465 if (!hostapd_config_get_radius_attr(req_attr, 466 RADIUS_ATTR_NAS_IP_ADDRESS) && 467 hapd->conf->own_ip_addr.af == AF_INET && 468 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 469 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 470 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 471 return -1; 472 } 473 474 #ifdef CONFIG_IPV6 475 if (!hostapd_config_get_radius_attr(req_attr, 476 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 477 hapd->conf->own_ip_addr.af == AF_INET6 && 478 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 479 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 480 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 481 return -1; 482 } 483 #endif /* CONFIG_IPV6 */ 484 485 if (!hostapd_config_get_radius_attr(req_attr, 486 RADIUS_ATTR_NAS_IDENTIFIER) && 487 hapd->conf->nas_identifier && 488 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 489 (u8 *) hapd->conf->nas_identifier, 490 os_strlen(hapd->conf->nas_identifier))) { 491 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 492 return -1; 493 } 494 495 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 496 MAC2STR(hapd->own_addr), 497 wpa_ssid_txt(hapd->conf->ssid.ssid, 498 hapd->conf->ssid.ssid_len)); 499 buf[sizeof(buf) - 1] = '\0'; 500 if (!hostapd_config_get_radius_attr(req_attr, 501 RADIUS_ATTR_CALLED_STATION_ID) && 502 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 503 (u8 *) buf, os_strlen(buf))) { 504 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 505 return -1; 506 } 507 508 if (!hostapd_config_get_radius_attr(req_attr, 509 RADIUS_ATTR_NAS_PORT_TYPE) && 510 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 511 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 512 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 513 return -1; 514 } 515 516 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 517 return -1; 518 519 for (attr = req_attr; attr; attr = attr->next) { 520 if (!radius_msg_add_attr(msg, attr->type, 521 wpabuf_head(attr->val), 522 wpabuf_len(attr->val))) { 523 wpa_printf(MSG_ERROR, "Could not add RADIUS " 524 "attribute"); 525 return -1; 526 } 527 } 528 529 return 0; 530 } 531 532 533 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 534 struct sta_info *sta, 535 const u8 *eap, size_t len) 536 { 537 struct radius_msg *msg; 538 struct eapol_state_machine *sm = sta->eapol_sm; 539 540 if (sm == NULL) 541 return; 542 543 ieee802_1x_learn_identity(hapd, sm, eap, len); 544 545 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 546 "packet"); 547 548 sm->radius_identifier = radius_client_get_id(hapd->radius); 549 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 550 sm->radius_identifier); 551 if (msg == NULL) { 552 printf("Could not create net RADIUS packet\n"); 553 return; 554 } 555 556 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 557 558 if (sm->identity && 559 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 560 sm->identity, sm->identity_len)) { 561 printf("Could not add User-Name\n"); 562 goto fail; 563 } 564 565 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 566 msg) < 0) 567 goto fail; 568 569 /* TODO: should probably check MTU from driver config; 2304 is max for 570 * IEEE 802.11, but use 1400 to avoid problems with too large packets 571 */ 572 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 573 RADIUS_ATTR_FRAMED_MTU) && 574 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 575 printf("Could not add Framed-MTU\n"); 576 goto fail; 577 } 578 579 if (eap && !radius_msg_add_eap(msg, eap, len)) { 580 printf("Could not add EAP-Message\n"); 581 goto fail; 582 } 583 584 /* State attribute must be copied if and only if this packet is 585 * Access-Request reply to the previous Access-Challenge */ 586 if (sm->last_recv_radius && 587 radius_msg_get_hdr(sm->last_recv_radius)->code == 588 RADIUS_CODE_ACCESS_CHALLENGE) { 589 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 590 RADIUS_ATTR_STATE); 591 if (res < 0) { 592 printf("Could not copy State attribute from previous " 593 "Access-Challenge\n"); 594 goto fail; 595 } 596 if (res > 0) { 597 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 598 } 599 } 600 601 if (hapd->conf->radius_request_cui) { 602 const u8 *cui; 603 size_t cui_len; 604 /* Add previously learned CUI or nul CUI to request CUI */ 605 if (sm->radius_cui) { 606 cui = wpabuf_head(sm->radius_cui); 607 cui_len = wpabuf_len(sm->radius_cui); 608 } else { 609 cui = (const u8 *) "\0"; 610 cui_len = 1; 611 } 612 if (!radius_msg_add_attr(msg, 613 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 614 cui, cui_len)) { 615 wpa_printf(MSG_ERROR, "Could not add CUI"); 616 goto fail; 617 } 618 } 619 620 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 621 goto fail; 622 623 return; 624 625 fail: 626 radius_msg_free(msg); 627 } 628 #endif /* CONFIG_NO_RADIUS */ 629 630 631 static void handle_eap_response(struct hostapd_data *hapd, 632 struct sta_info *sta, struct eap_hdr *eap, 633 size_t len) 634 { 635 u8 type, *data; 636 struct eapol_state_machine *sm = sta->eapol_sm; 637 if (sm == NULL) 638 return; 639 640 data = (u8 *) (eap + 1); 641 642 if (len < sizeof(*eap) + 1) { 643 printf("handle_eap_response: too short response data\n"); 644 return; 645 } 646 647 sm->eap_type_supp = type = data[0]; 648 649 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 650 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 651 "id=%d len=%d) from STA: EAP Response-%s (%d)", 652 eap->code, eap->identifier, be_to_host16(eap->length), 653 eap_server_get_name(0, type), type); 654 655 sm->dot1xAuthEapolRespFramesRx++; 656 657 wpabuf_free(sm->eap_if->eapRespData); 658 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 659 sm->eapolEap = TRUE; 660 } 661 662 663 /* Process incoming EAP packet from Supplicant */ 664 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 665 u8 *buf, size_t len) 666 { 667 struct eap_hdr *eap; 668 u16 eap_len; 669 670 if (len < sizeof(*eap)) { 671 printf(" too short EAP packet\n"); 672 return; 673 } 674 675 eap = (struct eap_hdr *) buf; 676 677 eap_len = be_to_host16(eap->length); 678 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 679 eap->code, eap->identifier, eap_len); 680 if (eap_len < sizeof(*eap)) { 681 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 682 return; 683 } else if (eap_len > len) { 684 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 685 "packet"); 686 return; 687 } else if (eap_len < len) { 688 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 689 "packet", (unsigned long) len - eap_len); 690 } 691 692 switch (eap->code) { 693 case EAP_CODE_REQUEST: 694 wpa_printf(MSG_DEBUG, " (request)"); 695 return; 696 case EAP_CODE_RESPONSE: 697 wpa_printf(MSG_DEBUG, " (response)"); 698 handle_eap_response(hapd, sta, eap, eap_len); 699 break; 700 case EAP_CODE_SUCCESS: 701 wpa_printf(MSG_DEBUG, " (success)"); 702 return; 703 case EAP_CODE_FAILURE: 704 wpa_printf(MSG_DEBUG, " (failure)"); 705 return; 706 default: 707 wpa_printf(MSG_DEBUG, " (unknown code)"); 708 return; 709 } 710 } 711 712 713 static struct eapol_state_machine * 714 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 715 { 716 int flags = 0; 717 if (sta->flags & WLAN_STA_PREAUTH) 718 flags |= EAPOL_SM_PREAUTH; 719 if (sta->wpa_sm) { 720 flags |= EAPOL_SM_USES_WPA; 721 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 722 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 723 } 724 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 725 sta->wps_ie, sta->p2p_ie, sta, 726 sta->identity, sta->radius_cui); 727 } 728 729 730 /** 731 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 732 * @hapd: hostapd BSS data 733 * @sa: Source address (sender of the EAPOL frame) 734 * @buf: EAPOL frame 735 * @len: Length of buf in octets 736 * 737 * This function is called for each incoming EAPOL frame from the interface 738 */ 739 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 740 size_t len) 741 { 742 struct sta_info *sta; 743 struct ieee802_1x_hdr *hdr; 744 struct ieee802_1x_eapol_key *key; 745 u16 datalen; 746 struct rsn_pmksa_cache_entry *pmksa; 747 int key_mgmt; 748 749 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 750 !hapd->conf->wps_state) 751 return; 752 753 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 754 (unsigned long) len, MAC2STR(sa)); 755 sta = ap_get_sta(hapd, sa); 756 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 757 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 758 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 759 "associated/Pre-authenticating STA"); 760 return; 761 } 762 763 if (len < sizeof(*hdr)) { 764 printf(" too short IEEE 802.1X packet\n"); 765 return; 766 } 767 768 hdr = (struct ieee802_1x_hdr *) buf; 769 datalen = be_to_host16(hdr->length); 770 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 771 hdr->version, hdr->type, datalen); 772 773 if (len - sizeof(*hdr) < datalen) { 774 printf(" frame too short for this IEEE 802.1X packet\n"); 775 if (sta->eapol_sm) 776 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 777 return; 778 } 779 if (len - sizeof(*hdr) > datalen) { 780 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 781 "IEEE 802.1X packet", 782 (unsigned long) len - sizeof(*hdr) - datalen); 783 } 784 785 if (sta->eapol_sm) { 786 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 787 sta->eapol_sm->dot1xAuthEapolFramesRx++; 788 } 789 790 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 791 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 792 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 793 (key->type == EAPOL_KEY_TYPE_WPA || 794 key->type == EAPOL_KEY_TYPE_RSN)) { 795 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 796 sizeof(*hdr) + datalen); 797 return; 798 } 799 800 if (!hapd->conf->ieee802_1x && 801 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 802 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 803 "802.1X not enabled and WPS not used"); 804 return; 805 } 806 807 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 808 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 809 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 810 "STA is using PSK"); 811 return; 812 } 813 814 if (!sta->eapol_sm) { 815 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 816 if (!sta->eapol_sm) 817 return; 818 819 #ifdef CONFIG_WPS 820 if (!hapd->conf->ieee802_1x) { 821 u32 wflags = sta->flags & (WLAN_STA_WPS | 822 WLAN_STA_WPS2 | 823 WLAN_STA_MAYBE_WPS); 824 if (wflags == WLAN_STA_MAYBE_WPS || 825 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 826 /* 827 * Delay EAPOL frame transmission until a 828 * possible WPS STA initiates the handshake 829 * with EAPOL-Start. Only allow the wait to be 830 * skipped if the STA is known to support WPS 831 * 2.0. 832 */ 833 wpa_printf(MSG_DEBUG, "WPS: Do not start " 834 "EAPOL until EAPOL-Start is " 835 "received"); 836 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 837 } 838 } 839 #endif /* CONFIG_WPS */ 840 841 sta->eapol_sm->eap_if->portEnabled = TRUE; 842 } 843 844 /* since we support version 1, we can ignore version field and proceed 845 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 846 /* TODO: actually, we are not version 1 anymore.. However, Version 2 847 * does not change frame contents, so should be ok to process frames 848 * more or less identically. Some changes might be needed for 849 * verification of fields. */ 850 851 switch (hdr->type) { 852 case IEEE802_1X_TYPE_EAP_PACKET: 853 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 854 break; 855 856 case IEEE802_1X_TYPE_EAPOL_START: 857 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 858 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 859 "from STA"); 860 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 861 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 862 if (pmksa) { 863 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 864 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 865 "available - ignore it since " 866 "STA sent EAPOL-Start"); 867 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 868 } 869 sta->eapol_sm->eapolStart = TRUE; 870 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 871 eap_server_clear_identity(sta->eapol_sm->eap); 872 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 873 break; 874 875 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 876 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 877 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 878 "from STA"); 879 sta->acct_terminate_cause = 880 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 881 accounting_sta_stop(hapd, sta); 882 sta->eapol_sm->eapolLogoff = TRUE; 883 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 884 eap_server_clear_identity(sta->eapol_sm->eap); 885 break; 886 887 case IEEE802_1X_TYPE_EAPOL_KEY: 888 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 889 if (!ap_sta_is_authorized(sta)) { 890 wpa_printf(MSG_DEBUG, " Dropped key data from " 891 "unauthorized Supplicant"); 892 break; 893 } 894 break; 895 896 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 897 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 898 /* TODO: implement support for this; show data */ 899 break; 900 901 default: 902 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 903 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 904 break; 905 } 906 907 eapol_auth_step(sta->eapol_sm); 908 } 909 910 911 /** 912 * ieee802_1x_new_station - Start IEEE 802.1X authentication 913 * @hapd: hostapd BSS data 914 * @sta: The station 915 * 916 * This function is called to start IEEE 802.1X authentication when a new 917 * station completes IEEE 802.11 association. 918 */ 919 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 920 { 921 struct rsn_pmksa_cache_entry *pmksa; 922 int reassoc = 1; 923 int force_1x = 0; 924 int key_mgmt; 925 926 #ifdef CONFIG_WPS 927 if (hapd->conf->wps_state && hapd->conf->wpa && 928 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 929 /* 930 * Need to enable IEEE 802.1X/EAPOL state machines for possible 931 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 932 * authentication in this BSS. 933 */ 934 force_1x = 1; 935 } 936 #endif /* CONFIG_WPS */ 937 938 if (!force_1x && !hapd->conf->ieee802_1x) { 939 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 940 "802.1X not enabled or forced for WPS"); 941 /* 942 * Clear any possible EAPOL authenticator state to support 943 * reassociation change from WPS to PSK. 944 */ 945 ieee802_1x_free_station(sta); 946 return; 947 } 948 949 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 950 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 951 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 952 /* 953 * Clear any possible EAPOL authenticator state to support 954 * reassociation change from WPA-EAP to PSK. 955 */ 956 ieee802_1x_free_station(sta); 957 return; 958 } 959 960 if (sta->eapol_sm == NULL) { 961 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 962 HOSTAPD_LEVEL_DEBUG, "start authentication"); 963 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 964 if (sta->eapol_sm == NULL) { 965 hostapd_logger(hapd, sta->addr, 966 HOSTAPD_MODULE_IEEE8021X, 967 HOSTAPD_LEVEL_INFO, 968 "failed to allocate state machine"); 969 return; 970 } 971 reassoc = 0; 972 } 973 974 #ifdef CONFIG_WPS 975 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 976 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 977 /* 978 * Delay EAPOL frame transmission until a possible WPS STA 979 * initiates the handshake with EAPOL-Start. Only allow the 980 * wait to be skipped if the STA is known to support WPS 2.0. 981 */ 982 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 983 "EAPOL-Start is received"); 984 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 985 } 986 #endif /* CONFIG_WPS */ 987 988 sta->eapol_sm->eap_if->portEnabled = TRUE; 989 990 #ifdef CONFIG_IEEE80211R 991 if (sta->auth_alg == WLAN_AUTH_FT) { 992 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 993 HOSTAPD_LEVEL_DEBUG, 994 "PMK from FT - skip IEEE 802.1X/EAP"); 995 /* Setup EAPOL state machines to already authenticated state 996 * because of existing FT information from R0KH. */ 997 sta->eapol_sm->keyRun = TRUE; 998 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 999 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1000 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1001 sta->eapol_sm->authSuccess = TRUE; 1002 sta->eapol_sm->authFail = FALSE; 1003 if (sta->eapol_sm->eap) 1004 eap_sm_notify_cached(sta->eapol_sm->eap); 1005 /* TODO: get vlan_id from R0KH using RRB message */ 1006 return; 1007 } 1008 #endif /* CONFIG_IEEE80211R */ 1009 1010 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1011 if (pmksa) { 1012 int old_vlanid; 1013 1014 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1015 HOSTAPD_LEVEL_DEBUG, 1016 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1017 /* Setup EAPOL state machines to already authenticated state 1018 * because of existing PMKSA information in the cache. */ 1019 sta->eapol_sm->keyRun = TRUE; 1020 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1021 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1022 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1023 sta->eapol_sm->authSuccess = TRUE; 1024 sta->eapol_sm->authFail = FALSE; 1025 if (sta->eapol_sm->eap) 1026 eap_sm_notify_cached(sta->eapol_sm->eap); 1027 old_vlanid = sta->vlan_id; 1028 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1029 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1030 sta->vlan_id = 0; 1031 ap_sta_bind_vlan(hapd, sta, old_vlanid); 1032 } else { 1033 if (reassoc) { 1034 /* 1035 * Force EAPOL state machines to start 1036 * re-authentication without having to wait for the 1037 * Supplicant to send EAPOL-Start. 1038 */ 1039 sta->eapol_sm->reAuthenticate = TRUE; 1040 } 1041 eapol_auth_step(sta->eapol_sm); 1042 } 1043 } 1044 1045 1046 void ieee802_1x_free_station(struct sta_info *sta) 1047 { 1048 struct eapol_state_machine *sm = sta->eapol_sm; 1049 1050 if (sm == NULL) 1051 return; 1052 1053 sta->eapol_sm = NULL; 1054 1055 #ifndef CONFIG_NO_RADIUS 1056 radius_msg_free(sm->last_recv_radius); 1057 radius_free_class(&sm->radius_class); 1058 wpabuf_free(sm->radius_cui); 1059 #endif /* CONFIG_NO_RADIUS */ 1060 1061 os_free(sm->identity); 1062 eapol_auth_free(sm); 1063 } 1064 1065 1066 #ifndef CONFIG_NO_RADIUS 1067 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1068 struct sta_info *sta) 1069 { 1070 struct wpabuf *eap; 1071 const struct eap_hdr *hdr; 1072 int eap_type = -1; 1073 char buf[64]; 1074 struct radius_msg *msg; 1075 struct eapol_state_machine *sm = sta->eapol_sm; 1076 1077 if (sm == NULL || sm->last_recv_radius == NULL) { 1078 if (sm) 1079 sm->eap_if->aaaEapNoReq = TRUE; 1080 return; 1081 } 1082 1083 msg = sm->last_recv_radius; 1084 1085 eap = radius_msg_get_eap(msg); 1086 if (eap == NULL) { 1087 /* RFC 3579, Chap. 2.6.3: 1088 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1089 * attribute */ 1090 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1091 HOSTAPD_LEVEL_WARNING, "could not extract " 1092 "EAP-Message from RADIUS message"); 1093 sm->eap_if->aaaEapNoReq = TRUE; 1094 return; 1095 } 1096 1097 if (wpabuf_len(eap) < sizeof(*hdr)) { 1098 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1099 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1100 "received from authentication server"); 1101 wpabuf_free(eap); 1102 sm->eap_if->aaaEapNoReq = TRUE; 1103 return; 1104 } 1105 1106 if (wpabuf_len(eap) > sizeof(*hdr)) 1107 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1108 1109 hdr = wpabuf_head(eap); 1110 switch (hdr->code) { 1111 case EAP_CODE_REQUEST: 1112 if (eap_type >= 0) 1113 sm->eap_type_authsrv = eap_type; 1114 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1115 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1116 "??", 1117 eap_type); 1118 break; 1119 case EAP_CODE_RESPONSE: 1120 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1121 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1122 "??", 1123 eap_type); 1124 break; 1125 case EAP_CODE_SUCCESS: 1126 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1127 break; 1128 case EAP_CODE_FAILURE: 1129 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1130 break; 1131 default: 1132 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1133 break; 1134 } 1135 buf[sizeof(buf) - 1] = '\0'; 1136 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1137 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1138 "id=%d len=%d) from RADIUS server: %s", 1139 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1140 buf); 1141 sm->eap_if->aaaEapReq = TRUE; 1142 1143 wpabuf_free(sm->eap_if->aaaEapReqData); 1144 sm->eap_if->aaaEapReqData = eap; 1145 } 1146 1147 1148 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1149 struct sta_info *sta, struct radius_msg *msg, 1150 struct radius_msg *req, 1151 const u8 *shared_secret, 1152 size_t shared_secret_len) 1153 { 1154 struct radius_ms_mppe_keys *keys; 1155 struct eapol_state_machine *sm = sta->eapol_sm; 1156 if (sm == NULL) 1157 return; 1158 1159 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1160 shared_secret_len); 1161 1162 if (keys && keys->send && keys->recv) { 1163 size_t len = keys->send_len + keys->recv_len; 1164 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1165 keys->send, keys->send_len); 1166 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1167 keys->recv, keys->recv_len); 1168 1169 os_free(sm->eap_if->aaaEapKeyData); 1170 sm->eap_if->aaaEapKeyData = os_malloc(len); 1171 if (sm->eap_if->aaaEapKeyData) { 1172 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1173 keys->recv_len); 1174 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1175 keys->send, keys->send_len); 1176 sm->eap_if->aaaEapKeyDataLen = len; 1177 sm->eap_if->aaaEapKeyAvailable = TRUE; 1178 } 1179 } 1180 1181 if (keys) { 1182 os_free(keys->send); 1183 os_free(keys->recv); 1184 os_free(keys); 1185 } 1186 } 1187 1188 1189 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1190 struct sta_info *sta, 1191 struct radius_msg *msg) 1192 { 1193 u8 *class; 1194 size_t class_len; 1195 struct eapol_state_machine *sm = sta->eapol_sm; 1196 int count, i; 1197 struct radius_attr_data *nclass; 1198 size_t nclass_count; 1199 1200 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1201 sm == NULL) 1202 return; 1203 1204 radius_free_class(&sm->radius_class); 1205 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1206 if (count <= 0) 1207 return; 1208 1209 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1210 if (nclass == NULL) 1211 return; 1212 1213 nclass_count = 0; 1214 1215 class = NULL; 1216 for (i = 0; i < count; i++) { 1217 do { 1218 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1219 &class, &class_len, 1220 class) < 0) { 1221 i = count; 1222 break; 1223 } 1224 } while (class_len < 1); 1225 1226 nclass[nclass_count].data = os_malloc(class_len); 1227 if (nclass[nclass_count].data == NULL) 1228 break; 1229 1230 os_memcpy(nclass[nclass_count].data, class, class_len); 1231 nclass[nclass_count].len = class_len; 1232 nclass_count++; 1233 } 1234 1235 sm->radius_class.attr = nclass; 1236 sm->radius_class.count = nclass_count; 1237 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1238 "attributes for " MACSTR, 1239 (unsigned long) sm->radius_class.count, 1240 MAC2STR(sta->addr)); 1241 } 1242 1243 1244 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1245 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1246 struct sta_info *sta, 1247 struct radius_msg *msg) 1248 { 1249 u8 *buf, *identity; 1250 size_t len; 1251 struct eapol_state_machine *sm = sta->eapol_sm; 1252 1253 if (sm == NULL) 1254 return; 1255 1256 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1257 NULL) < 0) 1258 return; 1259 1260 identity = os_malloc(len + 1); 1261 if (identity == NULL) 1262 return; 1263 1264 os_memcpy(identity, buf, len); 1265 identity[len] = '\0'; 1266 1267 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1268 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1269 "User-Name from Access-Accept '%s'", 1270 sm->identity ? (char *) sm->identity : "N/A", 1271 (char *) identity); 1272 1273 os_free(sm->identity); 1274 sm->identity = identity; 1275 sm->identity_len = len; 1276 } 1277 1278 1279 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1280 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1281 struct sta_info *sta, 1282 struct radius_msg *msg) 1283 { 1284 struct eapol_state_machine *sm = sta->eapol_sm; 1285 struct wpabuf *cui; 1286 u8 *buf; 1287 size_t len; 1288 1289 if (sm == NULL) 1290 return; 1291 1292 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1293 &buf, &len, NULL) < 0) 1294 return; 1295 1296 cui = wpabuf_alloc_copy(buf, len); 1297 if (cui == NULL) 1298 return; 1299 1300 wpabuf_free(sm->radius_cui); 1301 sm->radius_cui = cui; 1302 } 1303 1304 1305 struct sta_id_search { 1306 u8 identifier; 1307 struct eapol_state_machine *sm; 1308 }; 1309 1310 1311 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1312 struct sta_info *sta, 1313 void *ctx) 1314 { 1315 struct sta_id_search *id_search = ctx; 1316 struct eapol_state_machine *sm = sta->eapol_sm; 1317 1318 if (sm && sm->radius_identifier >= 0 && 1319 sm->radius_identifier == id_search->identifier) { 1320 id_search->sm = sm; 1321 return 1; 1322 } 1323 return 0; 1324 } 1325 1326 1327 static struct eapol_state_machine * 1328 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1329 { 1330 struct sta_id_search id_search; 1331 id_search.identifier = identifier; 1332 id_search.sm = NULL; 1333 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1334 return id_search.sm; 1335 } 1336 1337 1338 /** 1339 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1340 * @msg: RADIUS response message 1341 * @req: RADIUS request message 1342 * @shared_secret: RADIUS shared secret 1343 * @shared_secret_len: Length of shared_secret in octets 1344 * @data: Context data (struct hostapd_data *) 1345 * Returns: Processing status 1346 */ 1347 static RadiusRxResult 1348 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1349 const u8 *shared_secret, size_t shared_secret_len, 1350 void *data) 1351 { 1352 struct hostapd_data *hapd = data; 1353 struct sta_info *sta; 1354 u32 session_timeout = 0, termination_action, acct_interim_interval; 1355 int session_timeout_set, old_vlanid = 0; 1356 struct eapol_state_machine *sm; 1357 int override_eapReq = 0; 1358 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1359 1360 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1361 if (sm == NULL) { 1362 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1363 "station for this RADIUS message"); 1364 return RADIUS_RX_UNKNOWN; 1365 } 1366 sta = sm->sta; 1367 1368 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1369 * present when packet contains an EAP-Message attribute */ 1370 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1371 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1372 0) < 0 && 1373 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1374 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1375 "Message-Authenticator since it does not include " 1376 "EAP-Message"); 1377 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1378 req, 1)) { 1379 printf("Incoming RADIUS packet did not have correct " 1380 "Message-Authenticator - dropped\n"); 1381 return RADIUS_RX_INVALID_AUTHENTICATOR; 1382 } 1383 1384 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1385 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1386 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1387 printf("Unknown RADIUS message code\n"); 1388 return RADIUS_RX_UNKNOWN; 1389 } 1390 1391 sm->radius_identifier = -1; 1392 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1393 MAC2STR(sta->addr)); 1394 1395 radius_msg_free(sm->last_recv_radius); 1396 sm->last_recv_radius = msg; 1397 1398 session_timeout_set = 1399 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1400 &session_timeout); 1401 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1402 &termination_action)) 1403 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1404 1405 if (hapd->conf->acct_interim_interval == 0 && 1406 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1407 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1408 &acct_interim_interval) == 0) { 1409 if (acct_interim_interval < 60) { 1410 hostapd_logger(hapd, sta->addr, 1411 HOSTAPD_MODULE_IEEE8021X, 1412 HOSTAPD_LEVEL_INFO, 1413 "ignored too small " 1414 "Acct-Interim-Interval %d", 1415 acct_interim_interval); 1416 } else 1417 sta->acct_interim_interval = acct_interim_interval; 1418 } 1419 1420 1421 switch (hdr->code) { 1422 case RADIUS_CODE_ACCESS_ACCEPT: 1423 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1424 sta->vlan_id = 0; 1425 #ifndef CONFIG_NO_VLAN 1426 else { 1427 old_vlanid = sta->vlan_id; 1428 sta->vlan_id = radius_msg_get_vlanid(msg); 1429 } 1430 if (sta->vlan_id > 0 && 1431 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1432 sta->vlan_id)) { 1433 hostapd_logger(hapd, sta->addr, 1434 HOSTAPD_MODULE_RADIUS, 1435 HOSTAPD_LEVEL_INFO, 1436 "VLAN ID %d", sta->vlan_id); 1437 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1438 sta->eapol_sm->authFail = TRUE; 1439 hostapd_logger(hapd, sta->addr, 1440 HOSTAPD_MODULE_IEEE8021X, 1441 HOSTAPD_LEVEL_INFO, "authentication " 1442 "server did not include required VLAN " 1443 "ID in Access-Accept"); 1444 break; 1445 } 1446 #endif /* CONFIG_NO_VLAN */ 1447 1448 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1449 break; 1450 1451 /* RFC 3580, Ch. 3.17 */ 1452 if (session_timeout_set && termination_action == 1453 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1454 sm->reAuthPeriod = session_timeout; 1455 } else if (session_timeout_set) 1456 ap_sta_session_timeout(hapd, sta, session_timeout); 1457 1458 sm->eap_if->aaaSuccess = TRUE; 1459 override_eapReq = 1; 1460 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1461 shared_secret_len); 1462 ieee802_1x_store_radius_class(hapd, sta, msg); 1463 ieee802_1x_update_sta_identity(hapd, sta, msg); 1464 ieee802_1x_update_sta_cui(hapd, sta, msg); 1465 if (sm->eap_if->eapKeyAvailable && 1466 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1467 session_timeout_set ? 1468 (int) session_timeout : -1, sm) == 0) { 1469 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1470 HOSTAPD_LEVEL_DEBUG, 1471 "Added PMKSA cache entry"); 1472 } 1473 break; 1474 case RADIUS_CODE_ACCESS_REJECT: 1475 sm->eap_if->aaaFail = TRUE; 1476 override_eapReq = 1; 1477 break; 1478 case RADIUS_CODE_ACCESS_CHALLENGE: 1479 sm->eap_if->aaaEapReq = TRUE; 1480 if (session_timeout_set) { 1481 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1482 sm->eap_if->aaaMethodTimeout = session_timeout; 1483 hostapd_logger(hapd, sm->addr, 1484 HOSTAPD_MODULE_IEEE8021X, 1485 HOSTAPD_LEVEL_DEBUG, 1486 "using EAP timeout of %d seconds (from " 1487 "RADIUS)", 1488 sm->eap_if->aaaMethodTimeout); 1489 } else { 1490 /* 1491 * Use dynamic retransmission behavior per EAP 1492 * specification. 1493 */ 1494 sm->eap_if->aaaMethodTimeout = 0; 1495 } 1496 break; 1497 } 1498 1499 ieee802_1x_decapsulate_radius(hapd, sta); 1500 if (override_eapReq) 1501 sm->eap_if->aaaEapReq = FALSE; 1502 1503 eapol_auth_step(sm); 1504 1505 return RADIUS_RX_QUEUED; 1506 } 1507 #endif /* CONFIG_NO_RADIUS */ 1508 1509 1510 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1511 { 1512 struct eapol_state_machine *sm = sta->eapol_sm; 1513 if (sm == NULL) 1514 return; 1515 1516 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1517 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1518 1519 #ifndef CONFIG_NO_RADIUS 1520 radius_msg_free(sm->last_recv_radius); 1521 sm->last_recv_radius = NULL; 1522 #endif /* CONFIG_NO_RADIUS */ 1523 1524 if (sm->eap_if->eapTimeout) { 1525 /* 1526 * Disconnect the STA since it did not reply to the last EAP 1527 * request and we cannot continue EAP processing (EAP-Failure 1528 * could only be sent if the EAP peer actually replied). 1529 */ 1530 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1531 MAC2STR(sta->addr)); 1532 1533 sm->eap_if->portEnabled = FALSE; 1534 ap_sta_disconnect(hapd, sta, sta->addr, 1535 WLAN_REASON_PREV_AUTH_NOT_VALID); 1536 } 1537 } 1538 1539 1540 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1541 { 1542 struct eapol_authenticator *eapol = hapd->eapol_auth; 1543 1544 if (hapd->conf->default_wep_key_len < 1) 1545 return 0; 1546 1547 os_free(eapol->default_wep_key); 1548 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1549 if (eapol->default_wep_key == NULL || 1550 random_get_bytes(eapol->default_wep_key, 1551 hapd->conf->default_wep_key_len)) { 1552 printf("Could not generate random WEP key.\n"); 1553 os_free(eapol->default_wep_key); 1554 eapol->default_wep_key = NULL; 1555 return -1; 1556 } 1557 1558 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1559 eapol->default_wep_key, 1560 hapd->conf->default_wep_key_len); 1561 1562 return 0; 1563 } 1564 1565 1566 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1567 struct sta_info *sta, void *ctx) 1568 { 1569 if (sta->eapol_sm) { 1570 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1571 eapol_auth_step(sta->eapol_sm); 1572 } 1573 return 0; 1574 } 1575 1576 1577 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1578 { 1579 struct hostapd_data *hapd = eloop_ctx; 1580 struct eapol_authenticator *eapol = hapd->eapol_auth; 1581 1582 if (eapol->default_wep_key_idx >= 3) 1583 eapol->default_wep_key_idx = 1584 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1585 else 1586 eapol->default_wep_key_idx++; 1587 1588 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1589 eapol->default_wep_key_idx); 1590 1591 if (ieee802_1x_rekey_broadcast(hapd)) { 1592 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1593 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1594 "new broadcast key"); 1595 os_free(eapol->default_wep_key); 1596 eapol->default_wep_key = NULL; 1597 return; 1598 } 1599 1600 /* TODO: Could setup key for RX here, but change default TX keyid only 1601 * after new broadcast key has been sent to all stations. */ 1602 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1603 broadcast_ether_addr, 1604 eapol->default_wep_key_idx, 1, NULL, 0, 1605 eapol->default_wep_key, 1606 hapd->conf->default_wep_key_len)) { 1607 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1608 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1609 "new broadcast key"); 1610 os_free(eapol->default_wep_key); 1611 eapol->default_wep_key = NULL; 1612 return; 1613 } 1614 1615 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1616 1617 if (hapd->conf->wep_rekeying_period > 0) { 1618 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1619 ieee802_1x_rekey, hapd, NULL); 1620 } 1621 } 1622 1623 1624 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1625 const u8 *data, size_t datalen) 1626 { 1627 #ifdef CONFIG_WPS 1628 struct sta_info *sta = sta_ctx; 1629 1630 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1631 WLAN_STA_MAYBE_WPS) { 1632 const u8 *identity; 1633 size_t identity_len; 1634 struct eapol_state_machine *sm = sta->eapol_sm; 1635 1636 identity = eap_get_identity(sm->eap, &identity_len); 1637 if (identity && 1638 ((identity_len == WSC_ID_ENROLLEE_LEN && 1639 os_memcmp(identity, WSC_ID_ENROLLEE, 1640 WSC_ID_ENROLLEE_LEN) == 0) || 1641 (identity_len == WSC_ID_REGISTRAR_LEN && 1642 os_memcmp(identity, WSC_ID_REGISTRAR, 1643 WSC_ID_REGISTRAR_LEN) == 0))) { 1644 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1645 "WLAN_STA_WPS"); 1646 sta->flags |= WLAN_STA_WPS; 1647 } 1648 } 1649 #endif /* CONFIG_WPS */ 1650 1651 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1652 } 1653 1654 1655 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1656 const u8 *data, size_t datalen) 1657 { 1658 #ifndef CONFIG_NO_RADIUS 1659 struct hostapd_data *hapd = ctx; 1660 struct sta_info *sta = sta_ctx; 1661 1662 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1663 #endif /* CONFIG_NO_RADIUS */ 1664 } 1665 1666 1667 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1668 int preauth) 1669 { 1670 struct hostapd_data *hapd = ctx; 1671 struct sta_info *sta = sta_ctx; 1672 if (preauth) 1673 rsn_preauth_finished(hapd, sta, success); 1674 else 1675 ieee802_1x_finished(hapd, sta, success); 1676 } 1677 1678 1679 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1680 size_t identity_len, int phase2, 1681 struct eap_user *user) 1682 { 1683 struct hostapd_data *hapd = ctx; 1684 const struct hostapd_eap_user *eap_user; 1685 int i; 1686 1687 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1688 identity_len, phase2); 1689 if (eap_user == NULL) 1690 return -1; 1691 1692 os_memset(user, 0, sizeof(*user)); 1693 user->phase2 = phase2; 1694 for (i = 0; i < EAP_MAX_METHODS; i++) { 1695 user->methods[i].vendor = eap_user->methods[i].vendor; 1696 user->methods[i].method = eap_user->methods[i].method; 1697 } 1698 1699 if (eap_user->password) { 1700 user->password = os_malloc(eap_user->password_len); 1701 if (user->password == NULL) 1702 return -1; 1703 os_memcpy(user->password, eap_user->password, 1704 eap_user->password_len); 1705 user->password_len = eap_user->password_len; 1706 user->password_hash = eap_user->password_hash; 1707 } 1708 user->force_version = eap_user->force_version; 1709 user->ttls_auth = eap_user->ttls_auth; 1710 1711 return 0; 1712 } 1713 1714 1715 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1716 { 1717 struct hostapd_data *hapd = ctx; 1718 struct sta_info *sta; 1719 sta = ap_get_sta(hapd, addr); 1720 if (sta == NULL || sta->eapol_sm == NULL) 1721 return 0; 1722 return 1; 1723 } 1724 1725 1726 static void ieee802_1x_logger(void *ctx, const u8 *addr, 1727 eapol_logger_level level, const char *txt) 1728 { 1729 #ifndef CONFIG_NO_HOSTAPD_LOGGER 1730 struct hostapd_data *hapd = ctx; 1731 int hlevel; 1732 1733 switch (level) { 1734 case EAPOL_LOGGER_WARNING: 1735 hlevel = HOSTAPD_LEVEL_WARNING; 1736 break; 1737 case EAPOL_LOGGER_INFO: 1738 hlevel = HOSTAPD_LEVEL_INFO; 1739 break; 1740 case EAPOL_LOGGER_DEBUG: 1741 default: 1742 hlevel = HOSTAPD_LEVEL_DEBUG; 1743 break; 1744 } 1745 1746 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1747 txt); 1748 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1749 } 1750 1751 1752 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1753 int authorized) 1754 { 1755 struct hostapd_data *hapd = ctx; 1756 struct sta_info *sta = sta_ctx; 1757 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1758 } 1759 1760 1761 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1762 { 1763 struct hostapd_data *hapd = ctx; 1764 struct sta_info *sta = sta_ctx; 1765 ieee802_1x_abort_auth(hapd, sta); 1766 } 1767 1768 1769 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1770 { 1771 struct hostapd_data *hapd = ctx; 1772 struct sta_info *sta = sta_ctx; 1773 ieee802_1x_tx_key(hapd, sta); 1774 } 1775 1776 1777 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1778 enum eapol_event type) 1779 { 1780 /* struct hostapd_data *hapd = ctx; */ 1781 struct sta_info *sta = sta_ctx; 1782 switch (type) { 1783 case EAPOL_AUTH_SM_CHANGE: 1784 wpa_auth_sm_notify(sta->wpa_sm); 1785 break; 1786 case EAPOL_AUTH_REAUTHENTICATE: 1787 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1788 break; 1789 } 1790 } 1791 1792 1793 int ieee802_1x_init(struct hostapd_data *hapd) 1794 { 1795 int i; 1796 struct eapol_auth_config conf; 1797 struct eapol_auth_cb cb; 1798 1799 os_memset(&conf, 0, sizeof(conf)); 1800 conf.ctx = hapd; 1801 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1802 conf.wpa = hapd->conf->wpa; 1803 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1804 conf.eap_server = hapd->conf->eap_server; 1805 conf.ssl_ctx = hapd->ssl_ctx; 1806 conf.msg_ctx = hapd->msg_ctx; 1807 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1808 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1809 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1810 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1811 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1812 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1813 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1814 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1815 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1816 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1817 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1818 conf.tnc = hapd->conf->tnc; 1819 conf.wps = hapd->wps; 1820 conf.fragment_size = hapd->conf->fragment_size; 1821 conf.pwd_group = hapd->conf->pwd_group; 1822 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1823 1824 os_memset(&cb, 0, sizeof(cb)); 1825 cb.eapol_send = ieee802_1x_eapol_send; 1826 cb.aaa_send = ieee802_1x_aaa_send; 1827 cb.finished = _ieee802_1x_finished; 1828 cb.get_eap_user = ieee802_1x_get_eap_user; 1829 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1830 cb.logger = ieee802_1x_logger; 1831 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1832 cb.abort_auth = _ieee802_1x_abort_auth; 1833 cb.tx_key = _ieee802_1x_tx_key; 1834 cb.eapol_event = ieee802_1x_eapol_event; 1835 1836 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1837 if (hapd->eapol_auth == NULL) 1838 return -1; 1839 1840 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1841 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1842 return -1; 1843 1844 #ifndef CONFIG_NO_RADIUS 1845 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1846 ieee802_1x_receive_auth, hapd)) 1847 return -1; 1848 #endif /* CONFIG_NO_RADIUS */ 1849 1850 if (hapd->conf->default_wep_key_len) { 1851 for (i = 0; i < 4; i++) 1852 hostapd_drv_set_key(hapd->conf->iface, hapd, 1853 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1854 NULL, 0); 1855 1856 ieee802_1x_rekey(hapd, NULL); 1857 1858 if (hapd->eapol_auth->default_wep_key == NULL) 1859 return -1; 1860 } 1861 1862 return 0; 1863 } 1864 1865 1866 void ieee802_1x_deinit(struct hostapd_data *hapd) 1867 { 1868 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1869 1870 if (hapd->driver != NULL && 1871 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1872 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1873 1874 eapol_auth_deinit(hapd->eapol_auth); 1875 hapd->eapol_auth = NULL; 1876 } 1877 1878 1879 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1880 const u8 *buf, size_t len, int ack) 1881 { 1882 struct ieee80211_hdr *hdr; 1883 u8 *pos; 1884 const unsigned char rfc1042_hdr[ETH_ALEN] = 1885 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1886 1887 if (sta == NULL) 1888 return -1; 1889 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1890 return 0; 1891 1892 hdr = (struct ieee80211_hdr *) buf; 1893 pos = (u8 *) (hdr + 1); 1894 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1895 return 0; 1896 pos += sizeof(rfc1042_hdr); 1897 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1898 return 0; 1899 pos += 2; 1900 1901 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1902 ack); 1903 } 1904 1905 1906 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1907 const u8 *buf, int len, int ack) 1908 { 1909 const struct ieee802_1x_hdr *xhdr = 1910 (const struct ieee802_1x_hdr *) buf; 1911 const u8 *pos = buf + sizeof(*xhdr); 1912 struct ieee802_1x_eapol_key *key; 1913 1914 if (len < (int) sizeof(*xhdr)) 1915 return 0; 1916 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1917 "type=%d length=%d - ack=%d", 1918 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1919 be_to_host16(xhdr->length), ack); 1920 1921 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1922 return 0; 1923 1924 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1925 const struct wpa_eapol_key *wpa; 1926 wpa = (const struct wpa_eapol_key *) pos; 1927 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1928 wpa->type == EAPOL_KEY_TYPE_WPA) 1929 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1930 sta->wpa_sm, ack); 1931 } 1932 1933 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1934 * or Authenticator state machines, but EAPOL-Key packets are not 1935 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1936 * packets couple of times because otherwise STA keys become 1937 * unsynchronized with AP. */ 1938 if (!ack && pos + sizeof(*key) <= buf + len) { 1939 key = (struct ieee802_1x_eapol_key *) pos; 1940 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1941 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1942 "frame (%scast index=%d)", 1943 key->key_index & BIT(7) ? "uni" : "broad", 1944 key->key_index & ~BIT(7)); 1945 /* TODO: re-send EAPOL-Key couple of times (with short delay 1946 * between them?). If all attempt fail, report error and 1947 * deauthenticate STA so that it will get new keys when 1948 * authenticating again (e.g., after returning in range). 1949 * Separate limit/transmit state needed both for unicast and 1950 * broadcast keys(?) */ 1951 } 1952 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1953 * to here and change the key only if the EAPOL-Key packet was Acked. 1954 */ 1955 1956 return 1; 1957 } 1958 1959 1960 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1961 { 1962 if (sm == NULL || sm->identity == NULL) 1963 return NULL; 1964 1965 *len = sm->identity_len; 1966 return sm->identity; 1967 } 1968 1969 1970 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1971 int idx) 1972 { 1973 if (sm == NULL || sm->radius_class.attr == NULL || 1974 idx >= (int) sm->radius_class.count) 1975 return NULL; 1976 1977 *len = sm->radius_class.attr[idx].len; 1978 return sm->radius_class.attr[idx].data; 1979 } 1980 1981 1982 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1983 { 1984 if (sm == NULL) 1985 return NULL; 1986 return sm->radius_cui; 1987 } 1988 1989 1990 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1991 { 1992 *len = 0; 1993 if (sm == NULL) 1994 return NULL; 1995 1996 *len = sm->eap_if->eapKeyDataLen; 1997 return sm->eap_if->eapKeyData; 1998 } 1999 2000 2001 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2002 int enabled) 2003 { 2004 if (sm == NULL) 2005 return; 2006 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2007 eapol_auth_step(sm); 2008 } 2009 2010 2011 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2012 int valid) 2013 { 2014 if (sm == NULL) 2015 return; 2016 sm->portValid = valid ? TRUE : FALSE; 2017 eapol_auth_step(sm); 2018 } 2019 2020 2021 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2022 { 2023 if (sm == NULL) 2024 return; 2025 if (pre_auth) 2026 sm->flags |= EAPOL_SM_PREAUTH; 2027 else 2028 sm->flags &= ~EAPOL_SM_PREAUTH; 2029 } 2030 2031 2032 static const char * bool_txt(Boolean bool) 2033 { 2034 return bool ? "TRUE" : "FALSE"; 2035 } 2036 2037 2038 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2039 { 2040 /* TODO */ 2041 return 0; 2042 } 2043 2044 2045 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2046 char *buf, size_t buflen) 2047 { 2048 int len = 0, ret; 2049 struct eapol_state_machine *sm = sta->eapol_sm; 2050 struct os_time t; 2051 2052 if (sm == NULL) 2053 return 0; 2054 2055 ret = os_snprintf(buf + len, buflen - len, 2056 "dot1xPaePortNumber=%d\n" 2057 "dot1xPaePortProtocolVersion=%d\n" 2058 "dot1xPaePortCapabilities=1\n" 2059 "dot1xPaePortInitialize=%d\n" 2060 "dot1xPaePortReauthenticate=FALSE\n", 2061 sta->aid, 2062 EAPOL_VERSION, 2063 sm->initialize); 2064 if (ret < 0 || (size_t) ret >= buflen - len) 2065 return len; 2066 len += ret; 2067 2068 /* dot1xAuthConfigTable */ 2069 ret = os_snprintf(buf + len, buflen - len, 2070 "dot1xAuthPaeState=%d\n" 2071 "dot1xAuthBackendAuthState=%d\n" 2072 "dot1xAuthAdminControlledDirections=%d\n" 2073 "dot1xAuthOperControlledDirections=%d\n" 2074 "dot1xAuthAuthControlledPortStatus=%d\n" 2075 "dot1xAuthAuthControlledPortControl=%d\n" 2076 "dot1xAuthQuietPeriod=%u\n" 2077 "dot1xAuthServerTimeout=%u\n" 2078 "dot1xAuthReAuthPeriod=%u\n" 2079 "dot1xAuthReAuthEnabled=%s\n" 2080 "dot1xAuthKeyTxEnabled=%s\n", 2081 sm->auth_pae_state + 1, 2082 sm->be_auth_state + 1, 2083 sm->adminControlledDirections, 2084 sm->operControlledDirections, 2085 sm->authPortStatus, 2086 sm->portControl, 2087 sm->quietPeriod, 2088 sm->serverTimeout, 2089 sm->reAuthPeriod, 2090 bool_txt(sm->reAuthEnabled), 2091 bool_txt(sm->keyTxEnabled)); 2092 if (ret < 0 || (size_t) ret >= buflen - len) 2093 return len; 2094 len += ret; 2095 2096 /* dot1xAuthStatsTable */ 2097 ret = os_snprintf(buf + len, buflen - len, 2098 "dot1xAuthEapolFramesRx=%u\n" 2099 "dot1xAuthEapolFramesTx=%u\n" 2100 "dot1xAuthEapolStartFramesRx=%u\n" 2101 "dot1xAuthEapolLogoffFramesRx=%u\n" 2102 "dot1xAuthEapolRespIdFramesRx=%u\n" 2103 "dot1xAuthEapolRespFramesRx=%u\n" 2104 "dot1xAuthEapolReqIdFramesTx=%u\n" 2105 "dot1xAuthEapolReqFramesTx=%u\n" 2106 "dot1xAuthInvalidEapolFramesRx=%u\n" 2107 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2108 "dot1xAuthLastEapolFrameVersion=%u\n" 2109 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2110 sm->dot1xAuthEapolFramesRx, 2111 sm->dot1xAuthEapolFramesTx, 2112 sm->dot1xAuthEapolStartFramesRx, 2113 sm->dot1xAuthEapolLogoffFramesRx, 2114 sm->dot1xAuthEapolRespIdFramesRx, 2115 sm->dot1xAuthEapolRespFramesRx, 2116 sm->dot1xAuthEapolReqIdFramesTx, 2117 sm->dot1xAuthEapolReqFramesTx, 2118 sm->dot1xAuthInvalidEapolFramesRx, 2119 sm->dot1xAuthEapLengthErrorFramesRx, 2120 sm->dot1xAuthLastEapolFrameVersion, 2121 MAC2STR(sm->addr)); 2122 if (ret < 0 || (size_t) ret >= buflen - len) 2123 return len; 2124 len += ret; 2125 2126 /* dot1xAuthDiagTable */ 2127 ret = os_snprintf(buf + len, buflen - len, 2128 "dot1xAuthEntersConnecting=%u\n" 2129 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2130 "dot1xAuthEntersAuthenticating=%u\n" 2131 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2132 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2133 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2134 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2135 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2136 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2137 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2138 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2139 "dot1xAuthBackendResponses=%u\n" 2140 "dot1xAuthBackendAccessChallenges=%u\n" 2141 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2142 "dot1xAuthBackendAuthSuccesses=%u\n" 2143 "dot1xAuthBackendAuthFails=%u\n", 2144 sm->authEntersConnecting, 2145 sm->authEapLogoffsWhileConnecting, 2146 sm->authEntersAuthenticating, 2147 sm->authAuthSuccessesWhileAuthenticating, 2148 sm->authAuthTimeoutsWhileAuthenticating, 2149 sm->authAuthFailWhileAuthenticating, 2150 sm->authAuthEapStartsWhileAuthenticating, 2151 sm->authAuthEapLogoffWhileAuthenticating, 2152 sm->authAuthReauthsWhileAuthenticated, 2153 sm->authAuthEapStartsWhileAuthenticated, 2154 sm->authAuthEapLogoffWhileAuthenticated, 2155 sm->backendResponses, 2156 sm->backendAccessChallenges, 2157 sm->backendOtherRequestsToSupplicant, 2158 sm->backendAuthSuccesses, 2159 sm->backendAuthFails); 2160 if (ret < 0 || (size_t) ret >= buflen - len) 2161 return len; 2162 len += ret; 2163 2164 /* dot1xAuthSessionStatsTable */ 2165 os_get_time(&t); 2166 ret = os_snprintf(buf + len, buflen - len, 2167 /* TODO: dot1xAuthSessionOctetsRx */ 2168 /* TODO: dot1xAuthSessionOctetsTx */ 2169 /* TODO: dot1xAuthSessionFramesRx */ 2170 /* TODO: dot1xAuthSessionFramesTx */ 2171 "dot1xAuthSessionId=%08X-%08X\n" 2172 "dot1xAuthSessionAuthenticMethod=%d\n" 2173 "dot1xAuthSessionTime=%u\n" 2174 "dot1xAuthSessionTerminateCause=999\n" 2175 "dot1xAuthSessionUserName=%s\n", 2176 sta->acct_session_id_hi, sta->acct_session_id_lo, 2177 (wpa_key_mgmt_wpa_ieee8021x( 2178 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2179 1 : 2, 2180 (unsigned int) (t.sec - sta->acct_session_start), 2181 sm->identity); 2182 if (ret < 0 || (size_t) ret >= buflen - len) 2183 return len; 2184 len += ret; 2185 2186 return len; 2187 } 2188 2189 2190 static void ieee802_1x_finished(struct hostapd_data *hapd, 2191 struct sta_info *sta, int success) 2192 { 2193 const u8 *key; 2194 size_t len; 2195 /* TODO: get PMKLifetime from WPA parameters */ 2196 static const int dot11RSNAConfigPMKLifetime = 43200; 2197 2198 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2199 if (success && key && len >= PMK_LEN && 2200 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2201 sta->eapol_sm) == 0) { 2202 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2203 HOSTAPD_LEVEL_DEBUG, 2204 "Added PMKSA cache entry (IEEE 802.1X)"); 2205 } 2206 2207 if (!success) { 2208 /* 2209 * Many devices require deauthentication after WPS provisioning 2210 * and some may not be be able to do that themselves, so 2211 * disconnect the client here. In addition, this may also 2212 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2213 * the EAPOL PAE state machine would remain in HELD state for 2214 * considerable amount of time and some EAP methods, like 2215 * EAP-FAST with anonymous provisioning, may require another 2216 * EAPOL authentication to be started to complete connection. 2217 */ 2218 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2219 "disconnection after EAP-Failure"); 2220 /* Add a small sleep to increase likelihood of previously 2221 * requested EAP-Failure TX getting out before this should the 2222 * driver reorder operations. 2223 */ 2224 os_sleep(0, 10000); 2225 #ifndef ANDROID_P2P 2226 /* We need not do this for driver. For AP-SME flags if we send this disassoc, 2227 * the p2p_client is gettig disassoc after it has completed the assoc 2228 */ 2229 ap_sta_disconnect(hapd, sta, sta->addr, 2230 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2231 #endif 2232 } 2233 } 2234
