1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "wps_hostapd.h" 33 #include "hs20.h" 34 #include "ieee802_1x.h" 35 36 37 static void ieee802_1x_finished(struct hostapd_data *hapd, 38 struct sta_info *sta, int success, 39 int remediation); 40 41 42 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 43 u8 type, const u8 *data, size_t datalen) 44 { 45 u8 *buf; 46 struct ieee802_1x_hdr *xhdr; 47 size_t len; 48 int encrypt = 0; 49 50 len = sizeof(*xhdr) + datalen; 51 buf = os_zalloc(len); 52 if (buf == NULL) { 53 wpa_printf(MSG_ERROR, "malloc() failed for " 54 "ieee802_1x_send(len=%lu)", 55 (unsigned long) len); 56 return; 57 } 58 59 xhdr = (struct ieee802_1x_hdr *) buf; 60 xhdr->version = hapd->conf->eapol_version; 61 xhdr->type = type; 62 xhdr->length = host_to_be16(datalen); 63 64 if (datalen > 0 && data != NULL) 65 os_memcpy(xhdr + 1, data, datalen); 66 67 if (wpa_auth_pairwise_set(sta->wpa_sm)) 68 encrypt = 1; 69 #ifdef CONFIG_TESTING_OPTIONS 70 if (hapd->ext_eapol_frame_io) { 71 size_t hex_len = 2 * len + 1; 72 char *hex = os_malloc(hex_len); 73 74 if (hex) { 75 wpa_snprintf_hex(hex, hex_len, buf, len); 76 wpa_msg(hapd->msg_ctx, MSG_INFO, 77 "EAPOL-TX " MACSTR " %s", 78 MAC2STR(sta->addr), hex); 79 os_free(hex); 80 } 81 } else 82 #endif /* CONFIG_TESTING_OPTIONS */ 83 if (sta->flags & WLAN_STA_PREAUTH) { 84 rsn_preauth_send(hapd, sta, buf, len); 85 } else { 86 hostapd_drv_hapd_send_eapol( 87 hapd, sta->addr, buf, len, 88 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 89 } 90 91 os_free(buf); 92 } 93 94 95 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 96 struct sta_info *sta, int authorized) 97 { 98 int res; 99 100 if (sta->flags & WLAN_STA_PREAUTH) 101 return; 102 103 if (authorized) { 104 ap_sta_set_authorized(hapd, sta, 1); 105 res = hostapd_set_authorized(hapd, sta, 1); 106 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 107 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 108 } else { 109 ap_sta_set_authorized(hapd, sta, 0); 110 res = hostapd_set_authorized(hapd, sta, 0); 111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 112 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 113 } 114 115 if (res && errno != ENOENT) { 116 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 117 " flags for kernel driver (errno=%d).", 118 MAC2STR(sta->addr), errno); 119 } 120 121 if (authorized) { 122 os_get_reltime(&sta->connected_time); 123 accounting_sta_start(hapd, sta); 124 } 125 } 126 127 128 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 129 struct sta_info *sta, 130 int idx, int broadcast, 131 u8 *key_data, size_t key_len) 132 { 133 u8 *buf, *ekey; 134 struct ieee802_1x_hdr *hdr; 135 struct ieee802_1x_eapol_key *key; 136 size_t len, ekey_len; 137 struct eapol_state_machine *sm = sta->eapol_sm; 138 139 if (sm == NULL) 140 return; 141 142 len = sizeof(*key) + key_len; 143 buf = os_zalloc(sizeof(*hdr) + len); 144 if (buf == NULL) 145 return; 146 147 hdr = (struct ieee802_1x_hdr *) buf; 148 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 149 key->type = EAPOL_KEY_TYPE_RC4; 150 WPA_PUT_BE16(key->key_length, key_len); 151 wpa_get_ntp_timestamp(key->replay_counter); 152 153 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 154 wpa_printf(MSG_ERROR, "Could not get random numbers"); 155 os_free(buf); 156 return; 157 } 158 159 key->key_index = idx | (broadcast ? 0 : BIT(7)); 160 if (hapd->conf->eapol_key_index_workaround) { 161 /* According to some information, WinXP Supplicant seems to 162 * interpret bit7 as an indication whether the key is to be 163 * activated, so make it possible to enable workaround that 164 * sets this bit for all keys. */ 165 key->key_index |= BIT(7); 166 } 167 168 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 169 * MSK[32..63] is used to sign the message. */ 170 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 171 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 172 "and signing EAPOL-Key"); 173 os_free(buf); 174 return; 175 } 176 os_memcpy((u8 *) (key + 1), key_data, key_len); 177 ekey_len = sizeof(key->key_iv) + 32; 178 ekey = os_malloc(ekey_len); 179 if (ekey == NULL) { 180 wpa_printf(MSG_ERROR, "Could not encrypt key"); 181 os_free(buf); 182 return; 183 } 184 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 185 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 186 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 187 os_free(ekey); 188 189 /* This header is needed here for HMAC-MD5, but it will be regenerated 190 * in ieee802_1x_send() */ 191 hdr->version = hapd->conf->eapol_version; 192 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 193 hdr->length = host_to_be16(len); 194 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 195 key->key_signature); 196 197 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 198 " (%s index=%d)", MAC2STR(sm->addr), 199 broadcast ? "broadcast" : "unicast", idx); 200 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 201 if (sta->eapol_sm) 202 sta->eapol_sm->dot1xAuthEapolFramesTx++; 203 os_free(buf); 204 } 205 206 207 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 208 { 209 struct eapol_authenticator *eapol = hapd->eapol_auth; 210 struct eapol_state_machine *sm = sta->eapol_sm; 211 212 if (sm == NULL || !sm->eap_if->eapKeyData) 213 return; 214 215 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 216 MAC2STR(sta->addr)); 217 218 #ifndef CONFIG_NO_VLAN 219 if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 220 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 221 return; 222 } 223 #endif /* CONFIG_NO_VLAN */ 224 225 if (eapol->default_wep_key) { 226 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 227 eapol->default_wep_key, 228 hapd->conf->default_wep_key_len); 229 } 230 231 if (hapd->conf->individual_wep_key_len > 0) { 232 u8 *ikey; 233 ikey = os_malloc(hapd->conf->individual_wep_key_len); 234 if (ikey == NULL || 235 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 236 { 237 wpa_printf(MSG_ERROR, "Could not generate random " 238 "individual WEP key."); 239 os_free(ikey); 240 return; 241 } 242 243 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 244 ikey, hapd->conf->individual_wep_key_len); 245 246 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 247 hapd->conf->individual_wep_key_len); 248 249 /* TODO: set encryption in TX callback, i.e., only after STA 250 * has ACKed EAPOL-Key frame */ 251 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 252 sta->addr, 0, 1, NULL, 0, ikey, 253 hapd->conf->individual_wep_key_len)) { 254 wpa_printf(MSG_ERROR, "Could not set individual WEP " 255 "encryption."); 256 } 257 258 os_free(ikey); 259 } 260 } 261 262 263 const char *radius_mode_txt(struct hostapd_data *hapd) 264 { 265 switch (hapd->iface->conf->hw_mode) { 266 case HOSTAPD_MODE_IEEE80211AD: 267 return "802.11ad"; 268 case HOSTAPD_MODE_IEEE80211A: 269 return "802.11a"; 270 case HOSTAPD_MODE_IEEE80211G: 271 return "802.11g"; 272 case HOSTAPD_MODE_IEEE80211B: 273 default: 274 return "802.11b"; 275 } 276 } 277 278 279 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 280 { 281 int i; 282 u8 rate = 0; 283 284 for (i = 0; i < sta->supported_rates_len; i++) 285 if ((sta->supported_rates[i] & 0x7f) > rate) 286 rate = sta->supported_rates[i] & 0x7f; 287 288 return rate; 289 } 290 291 292 #ifndef CONFIG_NO_RADIUS 293 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 294 struct eapol_state_machine *sm, 295 const u8 *eap, size_t len) 296 { 297 const u8 *identity; 298 size_t identity_len; 299 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 300 301 if (len <= sizeof(struct eap_hdr) || 302 (hdr->code == EAP_CODE_RESPONSE && 303 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 304 (hdr->code == EAP_CODE_INITIATE && 305 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 306 (hdr->code != EAP_CODE_RESPONSE && 307 hdr->code != EAP_CODE_INITIATE)) 308 return; 309 310 identity = eap_get_identity(sm->eap, &identity_len); 311 if (identity == NULL) 312 return; 313 314 /* Save station identity for future RADIUS packets */ 315 os_free(sm->identity); 316 sm->identity = (u8 *) dup_binstr(identity, identity_len); 317 if (sm->identity == NULL) { 318 sm->identity_len = 0; 319 return; 320 } 321 322 sm->identity_len = identity_len; 323 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 324 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 325 sm->dot1xAuthEapolRespIdFramesRx++; 326 } 327 328 329 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 330 struct hostapd_radius_attr *req_attr, 331 struct sta_info *sta, 332 struct radius_msg *msg) 333 { 334 u32 suite; 335 int ver, val; 336 337 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 338 val = wpa_auth_get_pairwise(sta->wpa_sm); 339 suite = wpa_cipher_to_suite(ver, val); 340 if (val != -1 && 341 !hostapd_config_get_radius_attr(req_attr, 342 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 343 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 344 suite)) { 345 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 346 return -1; 347 } 348 349 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 350 hapd->conf->osen) ? 351 WPA_PROTO_RSN : WPA_PROTO_WPA, 352 hapd->conf->wpa_group); 353 if (!hostapd_config_get_radius_attr(req_attr, 354 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 355 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 356 suite)) { 357 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 358 return -1; 359 } 360 361 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 362 suite = wpa_akm_to_suite(val); 363 if (val != -1 && 364 !hostapd_config_get_radius_attr(req_attr, 365 RADIUS_ATTR_WLAN_AKM_SUITE) && 366 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 367 suite)) { 368 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 369 return -1; 370 } 371 372 #ifdef CONFIG_IEEE80211W 373 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 374 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 375 hapd->conf->group_mgmt_cipher); 376 if (!hostapd_config_get_radius_attr( 377 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 378 !radius_msg_add_attr_int32( 379 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 380 wpa_printf(MSG_ERROR, 381 "Could not add WLAN-Group-Mgmt-Cipher"); 382 return -1; 383 } 384 } 385 #endif /* CONFIG_IEEE80211W */ 386 387 return 0; 388 } 389 390 391 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 392 struct hostapd_radius_attr *req_attr, 393 struct sta_info *sta, 394 struct radius_msg *msg) 395 { 396 char buf[128]; 397 398 if (!hostapd_config_get_radius_attr(req_attr, 399 RADIUS_ATTR_NAS_PORT) && 400 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 401 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 402 return -1; 403 } 404 405 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 406 MAC2STR(sta->addr)); 407 buf[sizeof(buf) - 1] = '\0'; 408 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 409 (u8 *) buf, os_strlen(buf))) { 410 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 411 return -1; 412 } 413 414 if (sta->flags & WLAN_STA_PREAUTH) { 415 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 416 sizeof(buf)); 417 } else { 418 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 419 radius_sta_rate(hapd, sta) / 2, 420 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 421 radius_mode_txt(hapd)); 422 buf[sizeof(buf) - 1] = '\0'; 423 } 424 if (!hostapd_config_get_radius_attr(req_attr, 425 RADIUS_ATTR_CONNECT_INFO) && 426 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 427 (u8 *) buf, os_strlen(buf))) { 428 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 429 return -1; 430 } 431 432 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 433 os_snprintf(buf, sizeof(buf), "%08X-%08X", 434 sta->acct_session_id_hi, sta->acct_session_id_lo); 435 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 436 (u8 *) buf, os_strlen(buf))) { 437 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 438 return -1; 439 } 440 } 441 442 #ifdef CONFIG_IEEE80211R 443 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 444 sta->wpa_sm && 445 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 446 sta->auth_alg == WLAN_AUTH_FT) && 447 !hostapd_config_get_radius_attr(req_attr, 448 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 449 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 450 WPA_GET_BE16( 451 hapd->conf->mobility_domain))) { 452 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 453 return -1; 454 } 455 #endif /* CONFIG_IEEE80211R */ 456 457 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 458 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 459 return -1; 460 461 return 0; 462 } 463 464 465 int add_common_radius_attr(struct hostapd_data *hapd, 466 struct hostapd_radius_attr *req_attr, 467 struct sta_info *sta, 468 struct radius_msg *msg) 469 { 470 char buf[128]; 471 struct hostapd_radius_attr *attr; 472 473 if (!hostapd_config_get_radius_attr(req_attr, 474 RADIUS_ATTR_NAS_IP_ADDRESS) && 475 hapd->conf->own_ip_addr.af == AF_INET && 476 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 477 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 478 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 479 return -1; 480 } 481 482 #ifdef CONFIG_IPV6 483 if (!hostapd_config_get_radius_attr(req_attr, 484 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 485 hapd->conf->own_ip_addr.af == AF_INET6 && 486 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 487 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 488 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 489 return -1; 490 } 491 #endif /* CONFIG_IPV6 */ 492 493 if (!hostapd_config_get_radius_attr(req_attr, 494 RADIUS_ATTR_NAS_IDENTIFIER) && 495 hapd->conf->nas_identifier && 496 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 497 (u8 *) hapd->conf->nas_identifier, 498 os_strlen(hapd->conf->nas_identifier))) { 499 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 500 return -1; 501 } 502 503 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 504 MAC2STR(hapd->own_addr), 505 wpa_ssid_txt(hapd->conf->ssid.ssid, 506 hapd->conf->ssid.ssid_len)); 507 buf[sizeof(buf) - 1] = '\0'; 508 if (!hostapd_config_get_radius_attr(req_attr, 509 RADIUS_ATTR_CALLED_STATION_ID) && 510 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 511 (u8 *) buf, os_strlen(buf))) { 512 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 513 return -1; 514 } 515 516 if (!hostapd_config_get_radius_attr(req_attr, 517 RADIUS_ATTR_NAS_PORT_TYPE) && 518 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 519 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 520 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 521 return -1; 522 } 523 524 #ifdef CONFIG_INTERWORKING 525 if (hapd->conf->interworking && 526 !is_zero_ether_addr(hapd->conf->hessid)) { 527 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 528 MAC2STR(hapd->conf->hessid)); 529 buf[sizeof(buf) - 1] = '\0'; 530 if (!hostapd_config_get_radius_attr(req_attr, 531 RADIUS_ATTR_WLAN_HESSID) && 532 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 533 (u8 *) buf, os_strlen(buf))) { 534 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 535 return -1; 536 } 537 } 538 #endif /* CONFIG_INTERWORKING */ 539 540 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 541 return -1; 542 543 for (attr = req_attr; attr; attr = attr->next) { 544 if (!radius_msg_add_attr(msg, attr->type, 545 wpabuf_head(attr->val), 546 wpabuf_len(attr->val))) { 547 wpa_printf(MSG_ERROR, "Could not add RADIUS " 548 "attribute"); 549 return -1; 550 } 551 } 552 553 return 0; 554 } 555 556 557 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 558 struct sta_info *sta, 559 const u8 *eap, size_t len) 560 { 561 struct radius_msg *msg; 562 struct eapol_state_machine *sm = sta->eapol_sm; 563 564 if (sm == NULL) 565 return; 566 567 ieee802_1x_learn_identity(hapd, sm, eap, len); 568 569 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 570 "packet"); 571 572 sm->radius_identifier = radius_client_get_id(hapd->radius); 573 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 574 sm->radius_identifier); 575 if (msg == NULL) { 576 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 577 return; 578 } 579 580 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 581 582 if (sm->identity && 583 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 584 sm->identity, sm->identity_len)) { 585 wpa_printf(MSG_INFO, "Could not add User-Name"); 586 goto fail; 587 } 588 589 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 590 msg) < 0) 591 goto fail; 592 593 /* TODO: should probably check MTU from driver config; 2304 is max for 594 * IEEE 802.11, but use 1400 to avoid problems with too large packets 595 */ 596 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 597 RADIUS_ATTR_FRAMED_MTU) && 598 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 599 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 600 goto fail; 601 } 602 603 if (!radius_msg_add_eap(msg, eap, len)) { 604 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 605 goto fail; 606 } 607 608 /* State attribute must be copied if and only if this packet is 609 * Access-Request reply to the previous Access-Challenge */ 610 if (sm->last_recv_radius && 611 radius_msg_get_hdr(sm->last_recv_radius)->code == 612 RADIUS_CODE_ACCESS_CHALLENGE) { 613 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 614 RADIUS_ATTR_STATE); 615 if (res < 0) { 616 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 617 goto fail; 618 } 619 if (res > 0) { 620 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 621 } 622 } 623 624 if (hapd->conf->radius_request_cui) { 625 const u8 *cui; 626 size_t cui_len; 627 /* Add previously learned CUI or nul CUI to request CUI */ 628 if (sm->radius_cui) { 629 cui = wpabuf_head(sm->radius_cui); 630 cui_len = wpabuf_len(sm->radius_cui); 631 } else { 632 cui = (const u8 *) "\0"; 633 cui_len = 1; 634 } 635 if (!radius_msg_add_attr(msg, 636 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 637 cui, cui_len)) { 638 wpa_printf(MSG_ERROR, "Could not add CUI"); 639 goto fail; 640 } 641 } 642 643 #ifdef CONFIG_HS20 644 if (hapd->conf->hs20) { 645 u8 ver = 1; /* Release 2 */ 646 if (!radius_msg_add_wfa( 647 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 648 &ver, 1)) { 649 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 650 "version"); 651 goto fail; 652 } 653 654 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 655 const u8 *pos; 656 u8 buf[3]; 657 u16 id; 658 pos = wpabuf_head_u8(sta->hs20_ie); 659 buf[0] = (*pos) >> 4; 660 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 661 wpabuf_len(sta->hs20_ie) >= 3) 662 id = WPA_GET_LE16(pos + 1); 663 else 664 id = 0; 665 WPA_PUT_BE16(buf + 1, id); 666 if (!radius_msg_add_wfa( 667 msg, 668 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 669 buf, sizeof(buf))) { 670 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 671 "STA version"); 672 goto fail; 673 } 674 } 675 } 676 #endif /* CONFIG_HS20 */ 677 678 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 679 goto fail; 680 681 return; 682 683 fail: 684 radius_msg_free(msg); 685 } 686 #endif /* CONFIG_NO_RADIUS */ 687 688 689 static void handle_eap_response(struct hostapd_data *hapd, 690 struct sta_info *sta, struct eap_hdr *eap, 691 size_t len) 692 { 693 u8 type, *data; 694 struct eapol_state_machine *sm = sta->eapol_sm; 695 if (sm == NULL) 696 return; 697 698 data = (u8 *) (eap + 1); 699 700 if (len < sizeof(*eap) + 1) { 701 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 702 return; 703 } 704 705 sm->eap_type_supp = type = data[0]; 706 707 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 708 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 709 "id=%d len=%d) from STA: EAP Response-%s (%d)", 710 eap->code, eap->identifier, be_to_host16(eap->length), 711 eap_server_get_name(0, type), type); 712 713 sm->dot1xAuthEapolRespFramesRx++; 714 715 wpabuf_free(sm->eap_if->eapRespData); 716 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 717 sm->eapolEap = TRUE; 718 } 719 720 721 static void handle_eap_initiate(struct hostapd_data *hapd, 722 struct sta_info *sta, struct eap_hdr *eap, 723 size_t len) 724 { 725 #ifdef CONFIG_ERP 726 u8 type, *data; 727 struct eapol_state_machine *sm = sta->eapol_sm; 728 729 if (sm == NULL) 730 return; 731 732 if (len < sizeof(*eap) + 1) { 733 wpa_printf(MSG_INFO, 734 "handle_eap_initiate: too short response data"); 735 return; 736 } 737 738 data = (u8 *) (eap + 1); 739 type = data[0]; 740 741 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 742 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 743 "id=%d len=%d) from STA: EAP Initiate type %u", 744 eap->code, eap->identifier, be_to_host16(eap->length), 745 type); 746 747 wpabuf_free(sm->eap_if->eapRespData); 748 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 749 sm->eapolEap = TRUE; 750 #endif /* CONFIG_ERP */ 751 } 752 753 754 /* Process incoming EAP packet from Supplicant */ 755 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 756 u8 *buf, size_t len) 757 { 758 struct eap_hdr *eap; 759 u16 eap_len; 760 761 if (len < sizeof(*eap)) { 762 wpa_printf(MSG_INFO, " too short EAP packet"); 763 return; 764 } 765 766 eap = (struct eap_hdr *) buf; 767 768 eap_len = be_to_host16(eap->length); 769 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 770 eap->code, eap->identifier, eap_len); 771 if (eap_len < sizeof(*eap)) { 772 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 773 return; 774 } else if (eap_len > len) { 775 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 776 "packet"); 777 return; 778 } else if (eap_len < len) { 779 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 780 "packet", (unsigned long) len - eap_len); 781 } 782 783 switch (eap->code) { 784 case EAP_CODE_REQUEST: 785 wpa_printf(MSG_DEBUG, " (request)"); 786 return; 787 case EAP_CODE_RESPONSE: 788 wpa_printf(MSG_DEBUG, " (response)"); 789 handle_eap_response(hapd, sta, eap, eap_len); 790 break; 791 case EAP_CODE_SUCCESS: 792 wpa_printf(MSG_DEBUG, " (success)"); 793 return; 794 case EAP_CODE_FAILURE: 795 wpa_printf(MSG_DEBUG, " (failure)"); 796 return; 797 case EAP_CODE_INITIATE: 798 wpa_printf(MSG_DEBUG, " (initiate)"); 799 handle_eap_initiate(hapd, sta, eap, eap_len); 800 break; 801 case EAP_CODE_FINISH: 802 wpa_printf(MSG_DEBUG, " (finish)"); 803 break; 804 default: 805 wpa_printf(MSG_DEBUG, " (unknown code)"); 806 return; 807 } 808 } 809 810 811 static struct eapol_state_machine * 812 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 813 { 814 int flags = 0; 815 if (sta->flags & WLAN_STA_PREAUTH) 816 flags |= EAPOL_SM_PREAUTH; 817 if (sta->wpa_sm) { 818 flags |= EAPOL_SM_USES_WPA; 819 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 820 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 821 } 822 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 823 sta->wps_ie, sta->p2p_ie, sta, 824 sta->identity, sta->radius_cui); 825 } 826 827 828 /** 829 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 830 * @hapd: hostapd BSS data 831 * @sa: Source address (sender of the EAPOL frame) 832 * @buf: EAPOL frame 833 * @len: Length of buf in octets 834 * 835 * This function is called for each incoming EAPOL frame from the interface 836 */ 837 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 838 size_t len) 839 { 840 struct sta_info *sta; 841 struct ieee802_1x_hdr *hdr; 842 struct ieee802_1x_eapol_key *key; 843 u16 datalen; 844 struct rsn_pmksa_cache_entry *pmksa; 845 int key_mgmt; 846 847 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 848 !hapd->conf->wps_state) 849 return; 850 851 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 852 (unsigned long) len, MAC2STR(sa)); 853 sta = ap_get_sta(hapd, sa); 854 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 855 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 856 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 857 "associated/Pre-authenticating STA"); 858 return; 859 } 860 861 if (len < sizeof(*hdr)) { 862 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 863 return; 864 } 865 866 hdr = (struct ieee802_1x_hdr *) buf; 867 datalen = be_to_host16(hdr->length); 868 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 869 hdr->version, hdr->type, datalen); 870 871 if (len - sizeof(*hdr) < datalen) { 872 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 873 if (sta->eapol_sm) 874 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 875 return; 876 } 877 if (len - sizeof(*hdr) > datalen) { 878 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 879 "IEEE 802.1X packet", 880 (unsigned long) len - sizeof(*hdr) - datalen); 881 } 882 883 if (sta->eapol_sm) { 884 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 885 sta->eapol_sm->dot1xAuthEapolFramesRx++; 886 } 887 888 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 889 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 890 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 891 (key->type == EAPOL_KEY_TYPE_WPA || 892 key->type == EAPOL_KEY_TYPE_RSN)) { 893 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 894 sizeof(*hdr) + datalen); 895 return; 896 } 897 898 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 899 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 900 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 901 "802.1X not enabled and WPS not used"); 902 return; 903 } 904 905 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 906 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 907 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 908 "STA is using PSK"); 909 return; 910 } 911 912 if (!sta->eapol_sm) { 913 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 914 if (!sta->eapol_sm) 915 return; 916 917 #ifdef CONFIG_WPS 918 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 919 u32 wflags = sta->flags & (WLAN_STA_WPS | 920 WLAN_STA_WPS2 | 921 WLAN_STA_MAYBE_WPS); 922 if (wflags == WLAN_STA_MAYBE_WPS || 923 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 924 /* 925 * Delay EAPOL frame transmission until a 926 * possible WPS STA initiates the handshake 927 * with EAPOL-Start. Only allow the wait to be 928 * skipped if the STA is known to support WPS 929 * 2.0. 930 */ 931 wpa_printf(MSG_DEBUG, "WPS: Do not start " 932 "EAPOL until EAPOL-Start is " 933 "received"); 934 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 935 } 936 } 937 #endif /* CONFIG_WPS */ 938 939 sta->eapol_sm->eap_if->portEnabled = TRUE; 940 } 941 942 /* since we support version 1, we can ignore version field and proceed 943 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 944 /* TODO: actually, we are not version 1 anymore.. However, Version 2 945 * does not change frame contents, so should be ok to process frames 946 * more or less identically. Some changes might be needed for 947 * verification of fields. */ 948 949 switch (hdr->type) { 950 case IEEE802_1X_TYPE_EAP_PACKET: 951 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 952 break; 953 954 case IEEE802_1X_TYPE_EAPOL_START: 955 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 956 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 957 "from STA"); 958 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 959 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 960 if (pmksa) { 961 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 962 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 963 "available - ignore it since " 964 "STA sent EAPOL-Start"); 965 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 966 } 967 sta->eapol_sm->eapolStart = TRUE; 968 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 969 eap_server_clear_identity(sta->eapol_sm->eap); 970 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 971 break; 972 973 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 974 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 975 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 976 "from STA"); 977 sta->acct_terminate_cause = 978 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 979 accounting_sta_stop(hapd, sta); 980 sta->eapol_sm->eapolLogoff = TRUE; 981 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 982 eap_server_clear_identity(sta->eapol_sm->eap); 983 break; 984 985 case IEEE802_1X_TYPE_EAPOL_KEY: 986 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 987 if (!ap_sta_is_authorized(sta)) { 988 wpa_printf(MSG_DEBUG, " Dropped key data from " 989 "unauthorized Supplicant"); 990 break; 991 } 992 break; 993 994 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 995 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 996 /* TODO: implement support for this; show data */ 997 break; 998 999 default: 1000 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1001 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1002 break; 1003 } 1004 1005 eapol_auth_step(sta->eapol_sm); 1006 } 1007 1008 1009 /** 1010 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1011 * @hapd: hostapd BSS data 1012 * @sta: The station 1013 * 1014 * This function is called to start IEEE 802.1X authentication when a new 1015 * station completes IEEE 802.11 association. 1016 */ 1017 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1018 { 1019 struct rsn_pmksa_cache_entry *pmksa; 1020 int reassoc = 1; 1021 int force_1x = 0; 1022 int key_mgmt; 1023 1024 #ifdef CONFIG_WPS 1025 if (hapd->conf->wps_state && 1026 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1027 (sta->flags & WLAN_STA_WPS))) { 1028 /* 1029 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1030 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1031 * authentication in this BSS. 1032 */ 1033 force_1x = 1; 1034 } 1035 #endif /* CONFIG_WPS */ 1036 1037 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1038 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1039 "802.1X not enabled or forced for WPS"); 1040 /* 1041 * Clear any possible EAPOL authenticator state to support 1042 * reassociation change from WPS to PSK. 1043 */ 1044 ieee802_1x_free_station(sta); 1045 return; 1046 } 1047 1048 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1049 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1050 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1051 /* 1052 * Clear any possible EAPOL authenticator state to support 1053 * reassociation change from WPA-EAP to PSK. 1054 */ 1055 ieee802_1x_free_station(sta); 1056 return; 1057 } 1058 1059 if (sta->eapol_sm == NULL) { 1060 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1061 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1062 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1063 if (sta->eapol_sm == NULL) { 1064 hostapd_logger(hapd, sta->addr, 1065 HOSTAPD_MODULE_IEEE8021X, 1066 HOSTAPD_LEVEL_INFO, 1067 "failed to allocate state machine"); 1068 return; 1069 } 1070 reassoc = 0; 1071 } 1072 1073 #ifdef CONFIG_WPS 1074 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1075 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1076 !(sta->flags & WLAN_STA_WPS2)) { 1077 /* 1078 * Delay EAPOL frame transmission until a possible WPS STA 1079 * initiates the handshake with EAPOL-Start. Only allow the 1080 * wait to be skipped if the STA is known to support WPS 2.0. 1081 */ 1082 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1083 "EAPOL-Start is received"); 1084 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1085 } 1086 #endif /* CONFIG_WPS */ 1087 1088 sta->eapol_sm->eap_if->portEnabled = TRUE; 1089 1090 #ifdef CONFIG_IEEE80211R 1091 if (sta->auth_alg == WLAN_AUTH_FT) { 1092 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1093 HOSTAPD_LEVEL_DEBUG, 1094 "PMK from FT - skip IEEE 802.1X/EAP"); 1095 /* Setup EAPOL state machines to already authenticated state 1096 * because of existing FT information from R0KH. */ 1097 sta->eapol_sm->keyRun = TRUE; 1098 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1099 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1100 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1101 sta->eapol_sm->authSuccess = TRUE; 1102 sta->eapol_sm->authFail = FALSE; 1103 if (sta->eapol_sm->eap) 1104 eap_sm_notify_cached(sta->eapol_sm->eap); 1105 /* TODO: get vlan_id from R0KH using RRB message */ 1106 return; 1107 } 1108 #endif /* CONFIG_IEEE80211R */ 1109 1110 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1111 if (pmksa) { 1112 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1113 HOSTAPD_LEVEL_DEBUG, 1114 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1115 /* Setup EAPOL state machines to already authenticated state 1116 * because of existing PMKSA information in the cache. */ 1117 sta->eapol_sm->keyRun = TRUE; 1118 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1119 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1120 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1121 sta->eapol_sm->authSuccess = TRUE; 1122 sta->eapol_sm->authFail = FALSE; 1123 if (sta->eapol_sm->eap) 1124 eap_sm_notify_cached(sta->eapol_sm->eap); 1125 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1126 ap_sta_bind_vlan(hapd, sta); 1127 } else { 1128 if (reassoc) { 1129 /* 1130 * Force EAPOL state machines to start 1131 * re-authentication without having to wait for the 1132 * Supplicant to send EAPOL-Start. 1133 */ 1134 sta->eapol_sm->reAuthenticate = TRUE; 1135 } 1136 eapol_auth_step(sta->eapol_sm); 1137 } 1138 } 1139 1140 1141 void ieee802_1x_free_station(struct sta_info *sta) 1142 { 1143 struct eapol_state_machine *sm = sta->eapol_sm; 1144 1145 if (sm == NULL) 1146 return; 1147 1148 sta->eapol_sm = NULL; 1149 1150 #ifndef CONFIG_NO_RADIUS 1151 radius_msg_free(sm->last_recv_radius); 1152 radius_free_class(&sm->radius_class); 1153 wpabuf_free(sm->radius_cui); 1154 #endif /* CONFIG_NO_RADIUS */ 1155 1156 os_free(sm->identity); 1157 eapol_auth_free(sm); 1158 } 1159 1160 1161 #ifndef CONFIG_NO_RADIUS 1162 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1163 struct sta_info *sta) 1164 { 1165 struct wpabuf *eap; 1166 const struct eap_hdr *hdr; 1167 int eap_type = -1; 1168 char buf[64]; 1169 struct radius_msg *msg; 1170 struct eapol_state_machine *sm = sta->eapol_sm; 1171 1172 if (sm == NULL || sm->last_recv_radius == NULL) { 1173 if (sm) 1174 sm->eap_if->aaaEapNoReq = TRUE; 1175 return; 1176 } 1177 1178 msg = sm->last_recv_radius; 1179 1180 eap = radius_msg_get_eap(msg); 1181 if (eap == NULL) { 1182 /* RFC 3579, Chap. 2.6.3: 1183 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1184 * attribute */ 1185 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1186 HOSTAPD_LEVEL_WARNING, "could not extract " 1187 "EAP-Message from RADIUS message"); 1188 sm->eap_if->aaaEapNoReq = TRUE; 1189 return; 1190 } 1191 1192 if (wpabuf_len(eap) < sizeof(*hdr)) { 1193 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1194 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1195 "received from authentication server"); 1196 wpabuf_free(eap); 1197 sm->eap_if->aaaEapNoReq = TRUE; 1198 return; 1199 } 1200 1201 if (wpabuf_len(eap) > sizeof(*hdr)) 1202 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1203 1204 hdr = wpabuf_head(eap); 1205 switch (hdr->code) { 1206 case EAP_CODE_REQUEST: 1207 if (eap_type >= 0) 1208 sm->eap_type_authsrv = eap_type; 1209 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1210 eap_server_get_name(0, eap_type), eap_type); 1211 break; 1212 case EAP_CODE_RESPONSE: 1213 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1214 eap_server_get_name(0, eap_type), eap_type); 1215 break; 1216 case EAP_CODE_SUCCESS: 1217 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1218 break; 1219 case EAP_CODE_FAILURE: 1220 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1221 break; 1222 default: 1223 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1224 break; 1225 } 1226 buf[sizeof(buf) - 1] = '\0'; 1227 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1228 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1229 "id=%d len=%d) from RADIUS server: %s", 1230 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1231 buf); 1232 sm->eap_if->aaaEapReq = TRUE; 1233 1234 wpabuf_free(sm->eap_if->aaaEapReqData); 1235 sm->eap_if->aaaEapReqData = eap; 1236 } 1237 1238 1239 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1240 struct sta_info *sta, struct radius_msg *msg, 1241 struct radius_msg *req, 1242 const u8 *shared_secret, 1243 size_t shared_secret_len) 1244 { 1245 struct radius_ms_mppe_keys *keys; 1246 struct eapol_state_machine *sm = sta->eapol_sm; 1247 if (sm == NULL) 1248 return; 1249 1250 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1251 shared_secret_len); 1252 1253 if (keys && keys->send && keys->recv) { 1254 size_t len = keys->send_len + keys->recv_len; 1255 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1256 keys->send, keys->send_len); 1257 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1258 keys->recv, keys->recv_len); 1259 1260 os_free(sm->eap_if->aaaEapKeyData); 1261 sm->eap_if->aaaEapKeyData = os_malloc(len); 1262 if (sm->eap_if->aaaEapKeyData) { 1263 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1264 keys->recv_len); 1265 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1266 keys->send, keys->send_len); 1267 sm->eap_if->aaaEapKeyDataLen = len; 1268 sm->eap_if->aaaEapKeyAvailable = TRUE; 1269 } 1270 } else { 1271 wpa_printf(MSG_DEBUG, 1272 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1273 keys, keys ? keys->send : NULL, 1274 keys ? keys->recv : NULL); 1275 } 1276 1277 if (keys) { 1278 os_free(keys->send); 1279 os_free(keys->recv); 1280 os_free(keys); 1281 } 1282 } 1283 1284 1285 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1286 struct sta_info *sta, 1287 struct radius_msg *msg) 1288 { 1289 u8 *attr_class; 1290 size_t class_len; 1291 struct eapol_state_machine *sm = sta->eapol_sm; 1292 int count, i; 1293 struct radius_attr_data *nclass; 1294 size_t nclass_count; 1295 1296 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1297 sm == NULL) 1298 return; 1299 1300 radius_free_class(&sm->radius_class); 1301 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1302 if (count <= 0) 1303 return; 1304 1305 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1306 if (nclass == NULL) 1307 return; 1308 1309 nclass_count = 0; 1310 1311 attr_class = NULL; 1312 for (i = 0; i < count; i++) { 1313 do { 1314 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1315 &attr_class, &class_len, 1316 attr_class) < 0) { 1317 i = count; 1318 break; 1319 } 1320 } while (class_len < 1); 1321 1322 nclass[nclass_count].data = os_malloc(class_len); 1323 if (nclass[nclass_count].data == NULL) 1324 break; 1325 1326 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1327 nclass[nclass_count].len = class_len; 1328 nclass_count++; 1329 } 1330 1331 sm->radius_class.attr = nclass; 1332 sm->radius_class.count = nclass_count; 1333 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1334 "attributes for " MACSTR, 1335 (unsigned long) sm->radius_class.count, 1336 MAC2STR(sta->addr)); 1337 } 1338 1339 1340 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1341 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1342 struct sta_info *sta, 1343 struct radius_msg *msg) 1344 { 1345 u8 *buf, *identity; 1346 size_t len; 1347 struct eapol_state_machine *sm = sta->eapol_sm; 1348 1349 if (sm == NULL) 1350 return; 1351 1352 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1353 NULL) < 0) 1354 return; 1355 1356 identity = (u8 *) dup_binstr(buf, len); 1357 if (identity == NULL) 1358 return; 1359 1360 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1361 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1362 "User-Name from Access-Accept '%s'", 1363 sm->identity ? (char *) sm->identity : "N/A", 1364 (char *) identity); 1365 1366 os_free(sm->identity); 1367 sm->identity = identity; 1368 sm->identity_len = len; 1369 } 1370 1371 1372 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1373 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1374 struct sta_info *sta, 1375 struct radius_msg *msg) 1376 { 1377 struct eapol_state_machine *sm = sta->eapol_sm; 1378 struct wpabuf *cui; 1379 u8 *buf; 1380 size_t len; 1381 1382 if (sm == NULL) 1383 return; 1384 1385 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1386 &buf, &len, NULL) < 0) 1387 return; 1388 1389 cui = wpabuf_alloc_copy(buf, len); 1390 if (cui == NULL) 1391 return; 1392 1393 wpabuf_free(sm->radius_cui); 1394 sm->radius_cui = cui; 1395 } 1396 1397 1398 #ifdef CONFIG_HS20 1399 1400 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1401 { 1402 sta->remediation = 1; 1403 os_free(sta->remediation_url); 1404 if (len > 2) { 1405 sta->remediation_url = os_malloc(len); 1406 if (!sta->remediation_url) 1407 return; 1408 sta->remediation_method = pos[0]; 1409 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1410 sta->remediation_url[len - 1] = '\0'; 1411 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1412 "for " MACSTR " - server method %u URL %s", 1413 MAC2STR(sta->addr), sta->remediation_method, 1414 sta->remediation_url); 1415 } else { 1416 sta->remediation_url = NULL; 1417 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1418 "for " MACSTR, MAC2STR(sta->addr)); 1419 } 1420 /* TODO: assign the STA into remediation VLAN or add filtering */ 1421 } 1422 1423 1424 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1425 struct sta_info *sta, u8 *pos, 1426 size_t len) 1427 { 1428 if (len < 3) 1429 return; /* Malformed information */ 1430 sta->hs20_deauth_requested = 1; 1431 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1432 "Re-auth Delay %u", 1433 *pos, WPA_GET_LE16(pos + 1)); 1434 wpabuf_free(sta->hs20_deauth_req); 1435 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1436 if (sta->hs20_deauth_req) { 1437 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1438 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1439 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1440 } 1441 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1442 } 1443 1444 1445 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1446 struct sta_info *sta, u8 *pos, 1447 size_t len, int session_timeout) 1448 { 1449 unsigned int swt; 1450 int warning_time, beacon_int; 1451 1452 if (len < 1) 1453 return; /* Malformed information */ 1454 os_free(sta->hs20_session_info_url); 1455 sta->hs20_session_info_url = os_malloc(len); 1456 if (sta->hs20_session_info_url == NULL) 1457 return; 1458 swt = pos[0]; 1459 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1460 sta->hs20_session_info_url[len - 1] = '\0'; 1461 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1462 "(session_timeout=%d)", 1463 sta->hs20_session_info_url, swt, session_timeout); 1464 if (session_timeout < 0) { 1465 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1466 return; 1467 } 1468 if (swt == 255) 1469 swt = 1; /* Use one minute as the AP selected value */ 1470 1471 if ((unsigned int) session_timeout < swt * 60) 1472 warning_time = 0; 1473 else 1474 warning_time = session_timeout - swt * 60; 1475 1476 beacon_int = hapd->iconf->beacon_int; 1477 if (beacon_int < 1) 1478 beacon_int = 100; /* best guess */ 1479 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1480 if (sta->hs20_disassoc_timer > 65535) 1481 sta->hs20_disassoc_timer = 65535; 1482 1483 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1484 } 1485 1486 #endif /* CONFIG_HS20 */ 1487 1488 1489 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1490 struct sta_info *sta, 1491 struct radius_msg *msg, 1492 int session_timeout) 1493 { 1494 #ifdef CONFIG_HS20 1495 u8 *buf, *pos, *end, type, sublen; 1496 size_t len; 1497 1498 buf = NULL; 1499 sta->remediation = 0; 1500 sta->hs20_deauth_requested = 0; 1501 1502 for (;;) { 1503 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1504 &buf, &len, buf) < 0) 1505 break; 1506 if (len < 6) 1507 continue; 1508 pos = buf; 1509 end = buf + len; 1510 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1511 continue; 1512 pos += 4; 1513 1514 type = *pos++; 1515 sublen = *pos++; 1516 if (sublen < 2) 1517 continue; /* invalid length */ 1518 sublen -= 2; /* skip header */ 1519 if (pos + sublen > end) 1520 continue; /* invalid WFA VSA */ 1521 1522 switch (type) { 1523 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1524 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1525 break; 1526 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1527 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1528 break; 1529 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1530 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1531 session_timeout); 1532 break; 1533 } 1534 } 1535 #endif /* CONFIG_HS20 */ 1536 } 1537 1538 1539 struct sta_id_search { 1540 u8 identifier; 1541 struct eapol_state_machine *sm; 1542 }; 1543 1544 1545 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1546 struct sta_info *sta, 1547 void *ctx) 1548 { 1549 struct sta_id_search *id_search = ctx; 1550 struct eapol_state_machine *sm = sta->eapol_sm; 1551 1552 if (sm && sm->radius_identifier >= 0 && 1553 sm->radius_identifier == id_search->identifier) { 1554 id_search->sm = sm; 1555 return 1; 1556 } 1557 return 0; 1558 } 1559 1560 1561 static struct eapol_state_machine * 1562 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1563 { 1564 struct sta_id_search id_search; 1565 id_search.identifier = identifier; 1566 id_search.sm = NULL; 1567 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1568 return id_search.sm; 1569 } 1570 1571 1572 /** 1573 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1574 * @msg: RADIUS response message 1575 * @req: RADIUS request message 1576 * @shared_secret: RADIUS shared secret 1577 * @shared_secret_len: Length of shared_secret in octets 1578 * @data: Context data (struct hostapd_data *) 1579 * Returns: Processing status 1580 */ 1581 static RadiusRxResult 1582 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1583 const u8 *shared_secret, size_t shared_secret_len, 1584 void *data) 1585 { 1586 struct hostapd_data *hapd = data; 1587 struct sta_info *sta; 1588 u32 session_timeout = 0, termination_action, acct_interim_interval; 1589 int session_timeout_set, vlan_id = 0; 1590 struct eapol_state_machine *sm; 1591 int override_eapReq = 0; 1592 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1593 1594 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1595 if (sm == NULL) { 1596 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1597 "station for this RADIUS message"); 1598 return RADIUS_RX_UNKNOWN; 1599 } 1600 sta = sm->sta; 1601 1602 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1603 * present when packet contains an EAP-Message attribute */ 1604 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1605 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1606 0) < 0 && 1607 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1608 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1609 "Message-Authenticator since it does not include " 1610 "EAP-Message"); 1611 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1612 req, 1)) { 1613 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1614 return RADIUS_RX_INVALID_AUTHENTICATOR; 1615 } 1616 1617 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1618 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1619 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1620 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1621 return RADIUS_RX_UNKNOWN; 1622 } 1623 1624 sm->radius_identifier = -1; 1625 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1626 MAC2STR(sta->addr)); 1627 1628 radius_msg_free(sm->last_recv_radius); 1629 sm->last_recv_radius = msg; 1630 1631 session_timeout_set = 1632 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1633 &session_timeout); 1634 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1635 &termination_action)) 1636 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1637 1638 if (hapd->conf->acct_interim_interval == 0 && 1639 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1640 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1641 &acct_interim_interval) == 0) { 1642 if (acct_interim_interval < 60) { 1643 hostapd_logger(hapd, sta->addr, 1644 HOSTAPD_MODULE_IEEE8021X, 1645 HOSTAPD_LEVEL_INFO, 1646 "ignored too small " 1647 "Acct-Interim-Interval %d", 1648 acct_interim_interval); 1649 } else 1650 sta->acct_interim_interval = acct_interim_interval; 1651 } 1652 1653 1654 switch (hdr->code) { 1655 case RADIUS_CODE_ACCESS_ACCEPT: 1656 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1657 vlan_id = 0; 1658 #ifndef CONFIG_NO_VLAN 1659 else 1660 vlan_id = radius_msg_get_vlanid(msg); 1661 if (vlan_id > 0 && 1662 hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) { 1663 hostapd_logger(hapd, sta->addr, 1664 HOSTAPD_MODULE_RADIUS, 1665 HOSTAPD_LEVEL_INFO, 1666 "VLAN ID %d", vlan_id); 1667 } else if (vlan_id > 0) { 1668 sta->eapol_sm->authFail = TRUE; 1669 hostapd_logger(hapd, sta->addr, 1670 HOSTAPD_MODULE_RADIUS, 1671 HOSTAPD_LEVEL_INFO, 1672 "Invalid VLAN ID %d received from RADIUS server", 1673 vlan_id); 1674 break; 1675 } else if (hapd->conf->ssid.dynamic_vlan == 1676 DYNAMIC_VLAN_REQUIRED) { 1677 sta->eapol_sm->authFail = TRUE; 1678 hostapd_logger(hapd, sta->addr, 1679 HOSTAPD_MODULE_IEEE8021X, 1680 HOSTAPD_LEVEL_INFO, "authentication " 1681 "server did not include required VLAN " 1682 "ID in Access-Accept"); 1683 break; 1684 } 1685 #endif /* CONFIG_NO_VLAN */ 1686 1687 sta->vlan_id = vlan_id; 1688 if ((sta->flags & WLAN_STA_ASSOC) && 1689 ap_sta_bind_vlan(hapd, sta) < 0) 1690 break; 1691 1692 sta->session_timeout_set = !!session_timeout_set; 1693 sta->session_timeout = session_timeout; 1694 1695 /* RFC 3580, Ch. 3.17 */ 1696 if (session_timeout_set && termination_action == 1697 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1698 sm->reAuthPeriod = session_timeout; 1699 } else if (session_timeout_set) 1700 ap_sta_session_timeout(hapd, sta, session_timeout); 1701 1702 sm->eap_if->aaaSuccess = TRUE; 1703 override_eapReq = 1; 1704 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1705 shared_secret_len); 1706 ieee802_1x_store_radius_class(hapd, sta, msg); 1707 ieee802_1x_update_sta_identity(hapd, sta, msg); 1708 ieee802_1x_update_sta_cui(hapd, sta, msg); 1709 ieee802_1x_check_hs20(hapd, sta, msg, 1710 session_timeout_set ? 1711 (int) session_timeout : -1); 1712 if (sm->eap_if->eapKeyAvailable && !sta->remediation && 1713 !sta->hs20_deauth_requested && 1714 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1715 session_timeout_set ? 1716 (int) session_timeout : -1, sm) == 0) { 1717 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1718 HOSTAPD_LEVEL_DEBUG, 1719 "Added PMKSA cache entry"); 1720 } 1721 break; 1722 case RADIUS_CODE_ACCESS_REJECT: 1723 sm->eap_if->aaaFail = TRUE; 1724 override_eapReq = 1; 1725 break; 1726 case RADIUS_CODE_ACCESS_CHALLENGE: 1727 sm->eap_if->aaaEapReq = TRUE; 1728 if (session_timeout_set) { 1729 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1730 sm->eap_if->aaaMethodTimeout = session_timeout; 1731 hostapd_logger(hapd, sm->addr, 1732 HOSTAPD_MODULE_IEEE8021X, 1733 HOSTAPD_LEVEL_DEBUG, 1734 "using EAP timeout of %d seconds (from " 1735 "RADIUS)", 1736 sm->eap_if->aaaMethodTimeout); 1737 } else { 1738 /* 1739 * Use dynamic retransmission behavior per EAP 1740 * specification. 1741 */ 1742 sm->eap_if->aaaMethodTimeout = 0; 1743 } 1744 break; 1745 } 1746 1747 ieee802_1x_decapsulate_radius(hapd, sta); 1748 if (override_eapReq) 1749 sm->eap_if->aaaEapReq = FALSE; 1750 1751 eapol_auth_step(sm); 1752 1753 return RADIUS_RX_QUEUED; 1754 } 1755 #endif /* CONFIG_NO_RADIUS */ 1756 1757 1758 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1759 { 1760 struct eapol_state_machine *sm = sta->eapol_sm; 1761 if (sm == NULL) 1762 return; 1763 1764 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1765 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1766 1767 #ifndef CONFIG_NO_RADIUS 1768 radius_msg_free(sm->last_recv_radius); 1769 sm->last_recv_radius = NULL; 1770 #endif /* CONFIG_NO_RADIUS */ 1771 1772 if (sm->eap_if->eapTimeout) { 1773 /* 1774 * Disconnect the STA since it did not reply to the last EAP 1775 * request and we cannot continue EAP processing (EAP-Failure 1776 * could only be sent if the EAP peer actually replied). 1777 */ 1778 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1779 MAC2STR(sta->addr)); 1780 1781 sm->eap_if->portEnabled = FALSE; 1782 ap_sta_disconnect(hapd, sta, sta->addr, 1783 WLAN_REASON_PREV_AUTH_NOT_VALID); 1784 } 1785 } 1786 1787 1788 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1789 { 1790 struct eapol_authenticator *eapol = hapd->eapol_auth; 1791 1792 if (hapd->conf->default_wep_key_len < 1) 1793 return 0; 1794 1795 os_free(eapol->default_wep_key); 1796 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1797 if (eapol->default_wep_key == NULL || 1798 random_get_bytes(eapol->default_wep_key, 1799 hapd->conf->default_wep_key_len)) { 1800 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1801 os_free(eapol->default_wep_key); 1802 eapol->default_wep_key = NULL; 1803 return -1; 1804 } 1805 1806 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1807 eapol->default_wep_key, 1808 hapd->conf->default_wep_key_len); 1809 1810 return 0; 1811 } 1812 1813 1814 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1815 struct sta_info *sta, void *ctx) 1816 { 1817 if (sta->eapol_sm) { 1818 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1819 eapol_auth_step(sta->eapol_sm); 1820 } 1821 return 0; 1822 } 1823 1824 1825 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1826 { 1827 struct hostapd_data *hapd = eloop_ctx; 1828 struct eapol_authenticator *eapol = hapd->eapol_auth; 1829 1830 if (eapol->default_wep_key_idx >= 3) 1831 eapol->default_wep_key_idx = 1832 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1833 else 1834 eapol->default_wep_key_idx++; 1835 1836 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1837 eapol->default_wep_key_idx); 1838 1839 if (ieee802_1x_rekey_broadcast(hapd)) { 1840 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1841 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1842 "new broadcast key"); 1843 os_free(eapol->default_wep_key); 1844 eapol->default_wep_key = NULL; 1845 return; 1846 } 1847 1848 /* TODO: Could setup key for RX here, but change default TX keyid only 1849 * after new broadcast key has been sent to all stations. */ 1850 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1851 broadcast_ether_addr, 1852 eapol->default_wep_key_idx, 1, NULL, 0, 1853 eapol->default_wep_key, 1854 hapd->conf->default_wep_key_len)) { 1855 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1856 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1857 "new broadcast key"); 1858 os_free(eapol->default_wep_key); 1859 eapol->default_wep_key = NULL; 1860 return; 1861 } 1862 1863 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1864 1865 if (hapd->conf->wep_rekeying_period > 0) { 1866 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1867 ieee802_1x_rekey, hapd, NULL); 1868 } 1869 } 1870 1871 1872 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1873 const u8 *data, size_t datalen) 1874 { 1875 #ifdef CONFIG_WPS 1876 struct sta_info *sta = sta_ctx; 1877 1878 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1879 WLAN_STA_MAYBE_WPS) { 1880 const u8 *identity; 1881 size_t identity_len; 1882 struct eapol_state_machine *sm = sta->eapol_sm; 1883 1884 identity = eap_get_identity(sm->eap, &identity_len); 1885 if (identity && 1886 ((identity_len == WSC_ID_ENROLLEE_LEN && 1887 os_memcmp(identity, WSC_ID_ENROLLEE, 1888 WSC_ID_ENROLLEE_LEN) == 0) || 1889 (identity_len == WSC_ID_REGISTRAR_LEN && 1890 os_memcmp(identity, WSC_ID_REGISTRAR, 1891 WSC_ID_REGISTRAR_LEN) == 0))) { 1892 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1893 "WLAN_STA_WPS"); 1894 sta->flags |= WLAN_STA_WPS; 1895 } 1896 } 1897 #endif /* CONFIG_WPS */ 1898 1899 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1900 } 1901 1902 1903 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1904 const u8 *data, size_t datalen) 1905 { 1906 #ifndef CONFIG_NO_RADIUS 1907 struct hostapd_data *hapd = ctx; 1908 struct sta_info *sta = sta_ctx; 1909 1910 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1911 #endif /* CONFIG_NO_RADIUS */ 1912 } 1913 1914 1915 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1916 int preauth, int remediation) 1917 { 1918 struct hostapd_data *hapd = ctx; 1919 struct sta_info *sta = sta_ctx; 1920 if (preauth) 1921 rsn_preauth_finished(hapd, sta, success); 1922 else 1923 ieee802_1x_finished(hapd, sta, success, remediation); 1924 } 1925 1926 1927 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1928 size_t identity_len, int phase2, 1929 struct eap_user *user) 1930 { 1931 struct hostapd_data *hapd = ctx; 1932 const struct hostapd_eap_user *eap_user; 1933 int i; 1934 int rv = -1; 1935 1936 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1937 if (eap_user == NULL) 1938 goto out; 1939 1940 os_memset(user, 0, sizeof(*user)); 1941 user->phase2 = phase2; 1942 for (i = 0; i < EAP_MAX_METHODS; i++) { 1943 user->methods[i].vendor = eap_user->methods[i].vendor; 1944 user->methods[i].method = eap_user->methods[i].method; 1945 } 1946 1947 if (eap_user->password) { 1948 user->password = os_malloc(eap_user->password_len); 1949 if (user->password == NULL) 1950 goto out; 1951 os_memcpy(user->password, eap_user->password, 1952 eap_user->password_len); 1953 user->password_len = eap_user->password_len; 1954 user->password_hash = eap_user->password_hash; 1955 } 1956 user->force_version = eap_user->force_version; 1957 user->macacl = eap_user->macacl; 1958 user->ttls_auth = eap_user->ttls_auth; 1959 user->remediation = eap_user->remediation; 1960 rv = 0; 1961 1962 out: 1963 if (rv) 1964 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 1965 1966 return rv; 1967 } 1968 1969 1970 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1971 { 1972 struct hostapd_data *hapd = ctx; 1973 struct sta_info *sta; 1974 sta = ap_get_sta(hapd, addr); 1975 if (sta == NULL || sta->eapol_sm == NULL) 1976 return 0; 1977 return 1; 1978 } 1979 1980 1981 static void ieee802_1x_logger(void *ctx, const u8 *addr, 1982 eapol_logger_level level, const char *txt) 1983 { 1984 #ifndef CONFIG_NO_HOSTAPD_LOGGER 1985 struct hostapd_data *hapd = ctx; 1986 int hlevel; 1987 1988 switch (level) { 1989 case EAPOL_LOGGER_WARNING: 1990 hlevel = HOSTAPD_LEVEL_WARNING; 1991 break; 1992 case EAPOL_LOGGER_INFO: 1993 hlevel = HOSTAPD_LEVEL_INFO; 1994 break; 1995 case EAPOL_LOGGER_DEBUG: 1996 default: 1997 hlevel = HOSTAPD_LEVEL_DEBUG; 1998 break; 1999 } 2000 2001 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2002 txt); 2003 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2004 } 2005 2006 2007 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2008 int authorized) 2009 { 2010 struct hostapd_data *hapd = ctx; 2011 struct sta_info *sta = sta_ctx; 2012 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2013 } 2014 2015 2016 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2017 { 2018 struct hostapd_data *hapd = ctx; 2019 struct sta_info *sta = sta_ctx; 2020 ieee802_1x_abort_auth(hapd, sta); 2021 } 2022 2023 2024 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2025 { 2026 struct hostapd_data *hapd = ctx; 2027 struct sta_info *sta = sta_ctx; 2028 ieee802_1x_tx_key(hapd, sta); 2029 } 2030 2031 2032 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2033 enum eapol_event type) 2034 { 2035 /* struct hostapd_data *hapd = ctx; */ 2036 struct sta_info *sta = sta_ctx; 2037 switch (type) { 2038 case EAPOL_AUTH_SM_CHANGE: 2039 wpa_auth_sm_notify(sta->wpa_sm); 2040 break; 2041 case EAPOL_AUTH_REAUTHENTICATE: 2042 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2043 break; 2044 } 2045 } 2046 2047 2048 #ifdef CONFIG_ERP 2049 2050 static struct eap_server_erp_key * 2051 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2052 { 2053 struct hostapd_data *hapd = ctx; 2054 struct eap_server_erp_key *erp; 2055 2056 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2057 list) { 2058 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2059 return erp; 2060 } 2061 2062 return NULL; 2063 } 2064 2065 2066 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2067 { 2068 struct hostapd_data *hapd = ctx; 2069 2070 dl_list_add(&hapd->erp_keys, &erp->list); 2071 return 0; 2072 } 2073 2074 #endif /* CONFIG_ERP */ 2075 2076 2077 int ieee802_1x_init(struct hostapd_data *hapd) 2078 { 2079 int i; 2080 struct eapol_auth_config conf; 2081 struct eapol_auth_cb cb; 2082 2083 dl_list_init(&hapd->erp_keys); 2084 2085 os_memset(&conf, 0, sizeof(conf)); 2086 conf.ctx = hapd; 2087 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2088 conf.wpa = hapd->conf->wpa; 2089 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2090 conf.eap_server = hapd->conf->eap_server; 2091 conf.ssl_ctx = hapd->ssl_ctx; 2092 conf.msg_ctx = hapd->msg_ctx; 2093 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2094 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2095 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2096 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2097 conf.erp_domain = hapd->conf->erp_domain; 2098 conf.erp = hapd->conf->eap_server_erp; 2099 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2100 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2101 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2102 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2103 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2104 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2105 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2106 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2107 conf.tnc = hapd->conf->tnc; 2108 conf.wps = hapd->wps; 2109 conf.fragment_size = hapd->conf->fragment_size; 2110 conf.pwd_group = hapd->conf->pwd_group; 2111 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2112 if (hapd->conf->server_id) { 2113 conf.server_id = (const u8 *) hapd->conf->server_id; 2114 conf.server_id_len = os_strlen(hapd->conf->server_id); 2115 } else { 2116 conf.server_id = (const u8 *) "hostapd"; 2117 conf.server_id_len = 7; 2118 } 2119 2120 os_memset(&cb, 0, sizeof(cb)); 2121 cb.eapol_send = ieee802_1x_eapol_send; 2122 cb.aaa_send = ieee802_1x_aaa_send; 2123 cb.finished = _ieee802_1x_finished; 2124 cb.get_eap_user = ieee802_1x_get_eap_user; 2125 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2126 cb.logger = ieee802_1x_logger; 2127 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2128 cb.abort_auth = _ieee802_1x_abort_auth; 2129 cb.tx_key = _ieee802_1x_tx_key; 2130 cb.eapol_event = ieee802_1x_eapol_event; 2131 #ifdef CONFIG_ERP 2132 cb.erp_get_key = ieee802_1x_erp_get_key; 2133 cb.erp_add_key = ieee802_1x_erp_add_key; 2134 #endif /* CONFIG_ERP */ 2135 2136 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2137 if (hapd->eapol_auth == NULL) 2138 return -1; 2139 2140 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2141 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2142 return -1; 2143 2144 #ifndef CONFIG_NO_RADIUS 2145 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2146 ieee802_1x_receive_auth, hapd)) 2147 return -1; 2148 #endif /* CONFIG_NO_RADIUS */ 2149 2150 if (hapd->conf->default_wep_key_len) { 2151 for (i = 0; i < 4; i++) 2152 hostapd_drv_set_key(hapd->conf->iface, hapd, 2153 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2154 NULL, 0); 2155 2156 ieee802_1x_rekey(hapd, NULL); 2157 2158 if (hapd->eapol_auth->default_wep_key == NULL) 2159 return -1; 2160 } 2161 2162 return 0; 2163 } 2164 2165 2166 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2167 { 2168 struct eap_server_erp_key *erp; 2169 2170 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2171 list)) != NULL) { 2172 dl_list_del(&erp->list); 2173 bin_clear_free(erp, sizeof(*erp)); 2174 } 2175 } 2176 2177 2178 void ieee802_1x_deinit(struct hostapd_data *hapd) 2179 { 2180 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2181 2182 if (hapd->driver != NULL && 2183 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2184 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2185 2186 eapol_auth_deinit(hapd->eapol_auth); 2187 hapd->eapol_auth = NULL; 2188 2189 ieee802_1x_erp_flush(hapd); 2190 } 2191 2192 2193 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2194 const u8 *buf, size_t len, int ack) 2195 { 2196 struct ieee80211_hdr *hdr; 2197 u8 *pos; 2198 const unsigned char rfc1042_hdr[ETH_ALEN] = 2199 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2200 2201 if (sta == NULL) 2202 return -1; 2203 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2204 return 0; 2205 2206 hdr = (struct ieee80211_hdr *) buf; 2207 pos = (u8 *) (hdr + 1); 2208 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2209 return 0; 2210 pos += sizeof(rfc1042_hdr); 2211 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2212 return 0; 2213 pos += 2; 2214 2215 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2216 ack); 2217 } 2218 2219 2220 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2221 const u8 *buf, int len, int ack) 2222 { 2223 const struct ieee802_1x_hdr *xhdr = 2224 (const struct ieee802_1x_hdr *) buf; 2225 const u8 *pos = buf + sizeof(*xhdr); 2226 struct ieee802_1x_eapol_key *key; 2227 2228 if (len < (int) sizeof(*xhdr)) 2229 return 0; 2230 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2231 "type=%d length=%d - ack=%d", 2232 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2233 be_to_host16(xhdr->length), ack); 2234 2235 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2236 return 0; 2237 2238 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2239 const struct wpa_eapol_key *wpa; 2240 wpa = (const struct wpa_eapol_key *) pos; 2241 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2242 wpa->type == EAPOL_KEY_TYPE_WPA) 2243 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2244 sta->wpa_sm, ack); 2245 } 2246 2247 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2248 * or Authenticator state machines, but EAPOL-Key packets are not 2249 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2250 * packets couple of times because otherwise STA keys become 2251 * unsynchronized with AP. */ 2252 if (!ack && pos + sizeof(*key) <= buf + len) { 2253 key = (struct ieee802_1x_eapol_key *) pos; 2254 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2255 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2256 "frame (%scast index=%d)", 2257 key->key_index & BIT(7) ? "uni" : "broad", 2258 key->key_index & ~BIT(7)); 2259 /* TODO: re-send EAPOL-Key couple of times (with short delay 2260 * between them?). If all attempt fail, report error and 2261 * deauthenticate STA so that it will get new keys when 2262 * authenticating again (e.g., after returning in range). 2263 * Separate limit/transmit state needed both for unicast and 2264 * broadcast keys(?) */ 2265 } 2266 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2267 * to here and change the key only if the EAPOL-Key packet was Acked. 2268 */ 2269 2270 return 1; 2271 } 2272 2273 2274 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2275 { 2276 if (sm == NULL || sm->identity == NULL) 2277 return NULL; 2278 2279 *len = sm->identity_len; 2280 return sm->identity; 2281 } 2282 2283 2284 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2285 int idx) 2286 { 2287 if (sm == NULL || sm->radius_class.attr == NULL || 2288 idx >= (int) sm->radius_class.count) 2289 return NULL; 2290 2291 *len = sm->radius_class.attr[idx].len; 2292 return sm->radius_class.attr[idx].data; 2293 } 2294 2295 2296 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2297 { 2298 if (sm == NULL) 2299 return NULL; 2300 return sm->radius_cui; 2301 } 2302 2303 2304 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2305 { 2306 *len = 0; 2307 if (sm == NULL) 2308 return NULL; 2309 2310 *len = sm->eap_if->eapKeyDataLen; 2311 return sm->eap_if->eapKeyData; 2312 } 2313 2314 2315 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2316 int enabled) 2317 { 2318 if (sm == NULL) 2319 return; 2320 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2321 eapol_auth_step(sm); 2322 } 2323 2324 2325 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2326 int valid) 2327 { 2328 if (sm == NULL) 2329 return; 2330 sm->portValid = valid ? TRUE : FALSE; 2331 eapol_auth_step(sm); 2332 } 2333 2334 2335 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2336 { 2337 if (sm == NULL) 2338 return; 2339 if (pre_auth) 2340 sm->flags |= EAPOL_SM_PREAUTH; 2341 else 2342 sm->flags &= ~EAPOL_SM_PREAUTH; 2343 } 2344 2345 2346 static const char * bool_txt(Boolean val) 2347 { 2348 return val ? "TRUE" : "FALSE"; 2349 } 2350 2351 2352 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2353 { 2354 /* TODO */ 2355 return 0; 2356 } 2357 2358 2359 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2360 char *buf, size_t buflen) 2361 { 2362 int len = 0, ret; 2363 struct eapol_state_machine *sm = sta->eapol_sm; 2364 struct os_reltime diff; 2365 const char *name1; 2366 const char *name2; 2367 2368 if (sm == NULL) 2369 return 0; 2370 2371 ret = os_snprintf(buf + len, buflen - len, 2372 "dot1xPaePortNumber=%d\n" 2373 "dot1xPaePortProtocolVersion=%d\n" 2374 "dot1xPaePortCapabilities=1\n" 2375 "dot1xPaePortInitialize=%d\n" 2376 "dot1xPaePortReauthenticate=FALSE\n", 2377 sta->aid, 2378 EAPOL_VERSION, 2379 sm->initialize); 2380 if (os_snprintf_error(buflen - len, ret)) 2381 return len; 2382 len += ret; 2383 2384 /* dot1xAuthConfigTable */ 2385 ret = os_snprintf(buf + len, buflen - len, 2386 "dot1xAuthPaeState=%d\n" 2387 "dot1xAuthBackendAuthState=%d\n" 2388 "dot1xAuthAdminControlledDirections=%d\n" 2389 "dot1xAuthOperControlledDirections=%d\n" 2390 "dot1xAuthAuthControlledPortStatus=%d\n" 2391 "dot1xAuthAuthControlledPortControl=%d\n" 2392 "dot1xAuthQuietPeriod=%u\n" 2393 "dot1xAuthServerTimeout=%u\n" 2394 "dot1xAuthReAuthPeriod=%u\n" 2395 "dot1xAuthReAuthEnabled=%s\n" 2396 "dot1xAuthKeyTxEnabled=%s\n", 2397 sm->auth_pae_state + 1, 2398 sm->be_auth_state + 1, 2399 sm->adminControlledDirections, 2400 sm->operControlledDirections, 2401 sm->authPortStatus, 2402 sm->portControl, 2403 sm->quietPeriod, 2404 sm->serverTimeout, 2405 sm->reAuthPeriod, 2406 bool_txt(sm->reAuthEnabled), 2407 bool_txt(sm->keyTxEnabled)); 2408 if (os_snprintf_error(buflen - len, ret)) 2409 return len; 2410 len += ret; 2411 2412 /* dot1xAuthStatsTable */ 2413 ret = os_snprintf(buf + len, buflen - len, 2414 "dot1xAuthEapolFramesRx=%u\n" 2415 "dot1xAuthEapolFramesTx=%u\n" 2416 "dot1xAuthEapolStartFramesRx=%u\n" 2417 "dot1xAuthEapolLogoffFramesRx=%u\n" 2418 "dot1xAuthEapolRespIdFramesRx=%u\n" 2419 "dot1xAuthEapolRespFramesRx=%u\n" 2420 "dot1xAuthEapolReqIdFramesTx=%u\n" 2421 "dot1xAuthEapolReqFramesTx=%u\n" 2422 "dot1xAuthInvalidEapolFramesRx=%u\n" 2423 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2424 "dot1xAuthLastEapolFrameVersion=%u\n" 2425 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2426 sm->dot1xAuthEapolFramesRx, 2427 sm->dot1xAuthEapolFramesTx, 2428 sm->dot1xAuthEapolStartFramesRx, 2429 sm->dot1xAuthEapolLogoffFramesRx, 2430 sm->dot1xAuthEapolRespIdFramesRx, 2431 sm->dot1xAuthEapolRespFramesRx, 2432 sm->dot1xAuthEapolReqIdFramesTx, 2433 sm->dot1xAuthEapolReqFramesTx, 2434 sm->dot1xAuthInvalidEapolFramesRx, 2435 sm->dot1xAuthEapLengthErrorFramesRx, 2436 sm->dot1xAuthLastEapolFrameVersion, 2437 MAC2STR(sm->addr)); 2438 if (os_snprintf_error(buflen - len, ret)) 2439 return len; 2440 len += ret; 2441 2442 /* dot1xAuthDiagTable */ 2443 ret = os_snprintf(buf + len, buflen - len, 2444 "dot1xAuthEntersConnecting=%u\n" 2445 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2446 "dot1xAuthEntersAuthenticating=%u\n" 2447 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2448 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2449 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2450 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2451 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2452 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2453 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2454 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2455 "dot1xAuthBackendResponses=%u\n" 2456 "dot1xAuthBackendAccessChallenges=%u\n" 2457 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2458 "dot1xAuthBackendAuthSuccesses=%u\n" 2459 "dot1xAuthBackendAuthFails=%u\n", 2460 sm->authEntersConnecting, 2461 sm->authEapLogoffsWhileConnecting, 2462 sm->authEntersAuthenticating, 2463 sm->authAuthSuccessesWhileAuthenticating, 2464 sm->authAuthTimeoutsWhileAuthenticating, 2465 sm->authAuthFailWhileAuthenticating, 2466 sm->authAuthEapStartsWhileAuthenticating, 2467 sm->authAuthEapLogoffWhileAuthenticating, 2468 sm->authAuthReauthsWhileAuthenticated, 2469 sm->authAuthEapStartsWhileAuthenticated, 2470 sm->authAuthEapLogoffWhileAuthenticated, 2471 sm->backendResponses, 2472 sm->backendAccessChallenges, 2473 sm->backendOtherRequestsToSupplicant, 2474 sm->backendAuthSuccesses, 2475 sm->backendAuthFails); 2476 if (os_snprintf_error(buflen - len, ret)) 2477 return len; 2478 len += ret; 2479 2480 /* dot1xAuthSessionStatsTable */ 2481 os_reltime_age(&sta->acct_session_start, &diff); 2482 ret = os_snprintf(buf + len, buflen - len, 2483 /* TODO: dot1xAuthSessionOctetsRx */ 2484 /* TODO: dot1xAuthSessionOctetsTx */ 2485 /* TODO: dot1xAuthSessionFramesRx */ 2486 /* TODO: dot1xAuthSessionFramesTx */ 2487 "dot1xAuthSessionId=%08X-%08X\n" 2488 "dot1xAuthSessionAuthenticMethod=%d\n" 2489 "dot1xAuthSessionTime=%u\n" 2490 "dot1xAuthSessionTerminateCause=999\n" 2491 "dot1xAuthSessionUserName=%s\n", 2492 sta->acct_session_id_hi, sta->acct_session_id_lo, 2493 (wpa_key_mgmt_wpa_ieee8021x( 2494 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2495 1 : 2, 2496 (unsigned int) diff.sec, 2497 sm->identity); 2498 if (os_snprintf_error(buflen - len, ret)) 2499 return len; 2500 len += ret; 2501 2502 if (sm->acct_multi_session_id_hi) { 2503 ret = os_snprintf(buf + len, buflen - len, 2504 "authMultiSessionId=%08X+%08X\n", 2505 sm->acct_multi_session_id_hi, 2506 sm->acct_multi_session_id_lo); 2507 if (os_snprintf_error(buflen - len, ret)) 2508 return len; 2509 len += ret; 2510 } 2511 2512 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2513 name2 = eap_server_get_name(0, sm->eap_type_supp); 2514 ret = os_snprintf(buf + len, buflen - len, 2515 "last_eap_type_as=%d (%s)\n" 2516 "last_eap_type_sta=%d (%s)\n", 2517 sm->eap_type_authsrv, name1, 2518 sm->eap_type_supp, name2); 2519 if (os_snprintf_error(buflen - len, ret)) 2520 return len; 2521 len += ret; 2522 2523 return len; 2524 } 2525 2526 2527 static void ieee802_1x_finished(struct hostapd_data *hapd, 2528 struct sta_info *sta, int success, 2529 int remediation) 2530 { 2531 const u8 *key; 2532 size_t len; 2533 /* TODO: get PMKLifetime from WPA parameters */ 2534 static const int dot11RSNAConfigPMKLifetime = 43200; 2535 unsigned int session_timeout; 2536 2537 #ifdef CONFIG_HS20 2538 if (remediation && !sta->remediation) { 2539 sta->remediation = 1; 2540 os_free(sta->remediation_url); 2541 sta->remediation_url = 2542 os_strdup(hapd->conf->subscr_remediation_url); 2543 sta->remediation_method = 1; /* SOAP-XML SPP */ 2544 } 2545 2546 if (success) { 2547 if (sta->remediation) { 2548 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2549 "to " MACSTR " to indicate Subscription " 2550 "Remediation", 2551 MAC2STR(sta->addr)); 2552 hs20_send_wnm_notification(hapd, sta->addr, 2553 sta->remediation_method, 2554 sta->remediation_url); 2555 os_free(sta->remediation_url); 2556 sta->remediation_url = NULL; 2557 } 2558 2559 if (sta->hs20_deauth_req) { 2560 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2561 "to " MACSTR " to indicate imminent " 2562 "deauthentication", MAC2STR(sta->addr)); 2563 hs20_send_wnm_notification_deauth_req( 2564 hapd, sta->addr, sta->hs20_deauth_req); 2565 } 2566 } 2567 #endif /* CONFIG_HS20 */ 2568 2569 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2570 if (sta->session_timeout_set) 2571 session_timeout = sta->session_timeout; 2572 else 2573 session_timeout = dot11RSNAConfigPMKLifetime; 2574 if (success && key && len >= PMK_LEN && !sta->remediation && 2575 !sta->hs20_deauth_requested && 2576 wpa_auth_pmksa_add(sta->wpa_sm, key, session_timeout, 2577 sta->eapol_sm) == 0) { 2578 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2579 HOSTAPD_LEVEL_DEBUG, 2580 "Added PMKSA cache entry (IEEE 802.1X)"); 2581 } 2582 2583 if (!success) { 2584 /* 2585 * Many devices require deauthentication after WPS provisioning 2586 * and some may not be be able to do that themselves, so 2587 * disconnect the client here. In addition, this may also 2588 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2589 * the EAPOL PAE state machine would remain in HELD state for 2590 * considerable amount of time and some EAP methods, like 2591 * EAP-FAST with anonymous provisioning, may require another 2592 * EAPOL authentication to be started to complete connection. 2593 */ 2594 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2595 "disconnection after EAP-Failure"); 2596 /* Add a small sleep to increase likelihood of previously 2597 * requested EAP-Failure TX getting out before this should the 2598 * driver reorder operations. 2599 */ 2600 os_sleep(0, 10000); 2601 ap_sta_disconnect(hapd, sta, sta->addr, 2602 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2603 hostapd_wps_eap_completed(hapd); 2604 } 2605 } 2606