1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "wps_hostapd.h" 33 #include "hs20.h" 34 #include "ieee802_1x.h" 35 36 37 #ifdef CONFIG_HS20 38 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 39 #endif /* CONFIG_HS20 */ 40 static void ieee802_1x_finished(struct hostapd_data *hapd, 41 struct sta_info *sta, int success, 42 int remediation); 43 44 45 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 46 u8 type, const u8 *data, size_t datalen) 47 { 48 u8 *buf; 49 struct ieee802_1x_hdr *xhdr; 50 size_t len; 51 int encrypt = 0; 52 53 len = sizeof(*xhdr) + datalen; 54 buf = os_zalloc(len); 55 if (buf == NULL) { 56 wpa_printf(MSG_ERROR, "malloc() failed for " 57 "ieee802_1x_send(len=%lu)", 58 (unsigned long) len); 59 return; 60 } 61 62 xhdr = (struct ieee802_1x_hdr *) buf; 63 xhdr->version = hapd->conf->eapol_version; 64 xhdr->type = type; 65 xhdr->length = host_to_be16(datalen); 66 67 if (datalen > 0 && data != NULL) 68 os_memcpy(xhdr + 1, data, datalen); 69 70 if (wpa_auth_pairwise_set(sta->wpa_sm)) 71 encrypt = 1; 72 #ifdef CONFIG_TESTING_OPTIONS 73 if (hapd->ext_eapol_frame_io) { 74 size_t hex_len = 2 * len + 1; 75 char *hex = os_malloc(hex_len); 76 77 if (hex) { 78 wpa_snprintf_hex(hex, hex_len, buf, len); 79 wpa_msg(hapd->msg_ctx, MSG_INFO, 80 "EAPOL-TX " MACSTR " %s", 81 MAC2STR(sta->addr), hex); 82 os_free(hex); 83 } 84 } else 85 #endif /* CONFIG_TESTING_OPTIONS */ 86 if (sta->flags & WLAN_STA_PREAUTH) { 87 rsn_preauth_send(hapd, sta, buf, len); 88 } else { 89 hostapd_drv_hapd_send_eapol( 90 hapd, sta->addr, buf, len, 91 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 92 } 93 94 os_free(buf); 95 } 96 97 98 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 99 struct sta_info *sta, int authorized) 100 { 101 int res; 102 103 if (sta->flags & WLAN_STA_PREAUTH) 104 return; 105 106 if (authorized) { 107 ap_sta_set_authorized(hapd, sta, 1); 108 res = hostapd_set_authorized(hapd, sta, 1); 109 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 110 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 111 } else { 112 ap_sta_set_authorized(hapd, sta, 0); 113 res = hostapd_set_authorized(hapd, sta, 0); 114 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 115 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 116 } 117 118 if (res && errno != ENOENT) { 119 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 120 " flags for kernel driver (errno=%d).", 121 MAC2STR(sta->addr), errno); 122 } 123 124 if (authorized) { 125 os_get_reltime(&sta->connected_time); 126 accounting_sta_start(hapd, sta); 127 } 128 } 129 130 131 #ifndef CONFIG_FIPS 132 #ifndef CONFIG_NO_RC4 133 134 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 135 struct sta_info *sta, 136 int idx, int broadcast, 137 u8 *key_data, size_t key_len) 138 { 139 u8 *buf, *ekey; 140 struct ieee802_1x_hdr *hdr; 141 struct ieee802_1x_eapol_key *key; 142 size_t len, ekey_len; 143 struct eapol_state_machine *sm = sta->eapol_sm; 144 145 if (sm == NULL) 146 return; 147 148 len = sizeof(*key) + key_len; 149 buf = os_zalloc(sizeof(*hdr) + len); 150 if (buf == NULL) 151 return; 152 153 hdr = (struct ieee802_1x_hdr *) buf; 154 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 155 key->type = EAPOL_KEY_TYPE_RC4; 156 WPA_PUT_BE16(key->key_length, key_len); 157 wpa_get_ntp_timestamp(key->replay_counter); 158 159 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 160 wpa_printf(MSG_ERROR, "Could not get random numbers"); 161 os_free(buf); 162 return; 163 } 164 165 key->key_index = idx | (broadcast ? 0 : BIT(7)); 166 if (hapd->conf->eapol_key_index_workaround) { 167 /* According to some information, WinXP Supplicant seems to 168 * interpret bit7 as an indication whether the key is to be 169 * activated, so make it possible to enable workaround that 170 * sets this bit for all keys. */ 171 key->key_index |= BIT(7); 172 } 173 174 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 175 * MSK[32..63] is used to sign the message. */ 176 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 177 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 178 "and signing EAPOL-Key"); 179 os_free(buf); 180 return; 181 } 182 os_memcpy((u8 *) (key + 1), key_data, key_len); 183 ekey_len = sizeof(key->key_iv) + 32; 184 ekey = os_malloc(ekey_len); 185 if (ekey == NULL) { 186 wpa_printf(MSG_ERROR, "Could not encrypt key"); 187 os_free(buf); 188 return; 189 } 190 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 191 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 192 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 193 os_free(ekey); 194 195 /* This header is needed here for HMAC-MD5, but it will be regenerated 196 * in ieee802_1x_send() */ 197 hdr->version = hapd->conf->eapol_version; 198 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 199 hdr->length = host_to_be16(len); 200 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 201 key->key_signature); 202 203 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 204 " (%s index=%d)", MAC2STR(sm->addr), 205 broadcast ? "broadcast" : "unicast", idx); 206 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 207 if (sta->eapol_sm) 208 sta->eapol_sm->dot1xAuthEapolFramesTx++; 209 os_free(buf); 210 } 211 212 213 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 214 { 215 struct eapol_authenticator *eapol = hapd->eapol_auth; 216 struct eapol_state_machine *sm = sta->eapol_sm; 217 218 if (sm == NULL || !sm->eap_if->eapKeyData) 219 return; 220 221 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 222 MAC2STR(sta->addr)); 223 224 #ifndef CONFIG_NO_VLAN 225 if (sta->vlan_id > 0) { 226 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 227 return; 228 } 229 #endif /* CONFIG_NO_VLAN */ 230 231 if (eapol->default_wep_key) { 232 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 233 eapol->default_wep_key, 234 hapd->conf->default_wep_key_len); 235 } 236 237 if (hapd->conf->individual_wep_key_len > 0) { 238 u8 *ikey; 239 ikey = os_malloc(hapd->conf->individual_wep_key_len); 240 if (ikey == NULL || 241 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 242 { 243 wpa_printf(MSG_ERROR, "Could not generate random " 244 "individual WEP key."); 245 os_free(ikey); 246 return; 247 } 248 249 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 250 ikey, hapd->conf->individual_wep_key_len); 251 252 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 253 hapd->conf->individual_wep_key_len); 254 255 /* TODO: set encryption in TX callback, i.e., only after STA 256 * has ACKed EAPOL-Key frame */ 257 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 258 sta->addr, 0, 1, NULL, 0, ikey, 259 hapd->conf->individual_wep_key_len)) { 260 wpa_printf(MSG_ERROR, "Could not set individual WEP " 261 "encryption."); 262 } 263 264 os_free(ikey); 265 } 266 } 267 268 #endif /* CONFIG_NO_RC4 */ 269 #endif /* CONFIG_FIPS */ 270 271 272 const char *radius_mode_txt(struct hostapd_data *hapd) 273 { 274 switch (hapd->iface->conf->hw_mode) { 275 case HOSTAPD_MODE_IEEE80211AD: 276 return "802.11ad"; 277 case HOSTAPD_MODE_IEEE80211A: 278 return "802.11a"; 279 case HOSTAPD_MODE_IEEE80211G: 280 return "802.11g"; 281 case HOSTAPD_MODE_IEEE80211B: 282 default: 283 return "802.11b"; 284 } 285 } 286 287 288 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 289 { 290 int i; 291 u8 rate = 0; 292 293 for (i = 0; i < sta->supported_rates_len; i++) 294 if ((sta->supported_rates[i] & 0x7f) > rate) 295 rate = sta->supported_rates[i] & 0x7f; 296 297 return rate; 298 } 299 300 301 #ifndef CONFIG_NO_RADIUS 302 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 303 struct eapol_state_machine *sm, 304 const u8 *eap, size_t len) 305 { 306 const u8 *identity; 307 size_t identity_len; 308 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 309 310 if (len <= sizeof(struct eap_hdr) || 311 (hdr->code == EAP_CODE_RESPONSE && 312 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 313 (hdr->code == EAP_CODE_INITIATE && 314 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 315 (hdr->code != EAP_CODE_RESPONSE && 316 hdr->code != EAP_CODE_INITIATE)) 317 return; 318 319 identity = eap_get_identity(sm->eap, &identity_len); 320 if (identity == NULL) 321 return; 322 323 /* Save station identity for future RADIUS packets */ 324 os_free(sm->identity); 325 sm->identity = (u8 *) dup_binstr(identity, identity_len); 326 if (sm->identity == NULL) { 327 sm->identity_len = 0; 328 return; 329 } 330 331 sm->identity_len = identity_len; 332 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 333 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 334 sm->dot1xAuthEapolRespIdFramesRx++; 335 } 336 337 338 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 339 struct hostapd_radius_attr *req_attr, 340 struct sta_info *sta, 341 struct radius_msg *msg) 342 { 343 u32 suite; 344 int ver, val; 345 346 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 347 val = wpa_auth_get_pairwise(sta->wpa_sm); 348 suite = wpa_cipher_to_suite(ver, val); 349 if (val != -1 && 350 !hostapd_config_get_radius_attr(req_attr, 351 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 352 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 353 suite)) { 354 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 355 return -1; 356 } 357 358 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 359 hapd->conf->osen) ? 360 WPA_PROTO_RSN : WPA_PROTO_WPA, 361 hapd->conf->wpa_group); 362 if (!hostapd_config_get_radius_attr(req_attr, 363 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 364 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 365 suite)) { 366 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 367 return -1; 368 } 369 370 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 371 suite = wpa_akm_to_suite(val); 372 if (val != -1 && 373 !hostapd_config_get_radius_attr(req_attr, 374 RADIUS_ATTR_WLAN_AKM_SUITE) && 375 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 376 suite)) { 377 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 378 return -1; 379 } 380 381 #ifdef CONFIG_IEEE80211W 382 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 383 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 384 hapd->conf->group_mgmt_cipher); 385 if (!hostapd_config_get_radius_attr( 386 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 387 !radius_msg_add_attr_int32( 388 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 389 wpa_printf(MSG_ERROR, 390 "Could not add WLAN-Group-Mgmt-Cipher"); 391 return -1; 392 } 393 } 394 #endif /* CONFIG_IEEE80211W */ 395 396 return 0; 397 } 398 399 400 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 401 struct hostapd_radius_attr *req_attr, 402 struct sta_info *sta, 403 struct radius_msg *msg) 404 { 405 char buf[128]; 406 407 if (!hostapd_config_get_radius_attr(req_attr, 408 RADIUS_ATTR_SERVICE_TYPE) && 409 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 410 RADIUS_SERVICE_TYPE_FRAMED)) { 411 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 412 return -1; 413 } 414 415 if (!hostapd_config_get_radius_attr(req_attr, 416 RADIUS_ATTR_NAS_PORT) && 417 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 418 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 419 return -1; 420 } 421 422 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 423 MAC2STR(sta->addr)); 424 buf[sizeof(buf) - 1] = '\0'; 425 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 426 (u8 *) buf, os_strlen(buf))) { 427 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 428 return -1; 429 } 430 431 if (sta->flags & WLAN_STA_PREAUTH) { 432 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 433 sizeof(buf)); 434 } else { 435 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 436 radius_sta_rate(hapd, sta) / 2, 437 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 438 radius_mode_txt(hapd)); 439 buf[sizeof(buf) - 1] = '\0'; 440 } 441 if (!hostapd_config_get_radius_attr(req_attr, 442 RADIUS_ATTR_CONNECT_INFO) && 443 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 444 (u8 *) buf, os_strlen(buf))) { 445 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 446 return -1; 447 } 448 449 if (sta->acct_session_id) { 450 os_snprintf(buf, sizeof(buf), "%016llX", 451 (unsigned long long) sta->acct_session_id); 452 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 453 (u8 *) buf, os_strlen(buf))) { 454 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 455 return -1; 456 } 457 } 458 459 if ((hapd->conf->wpa & 2) && 460 !hapd->conf->disable_pmksa_caching && 461 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 462 os_snprintf(buf, sizeof(buf), "%016llX", 463 (unsigned long long) 464 sta->eapol_sm->acct_multi_session_id); 465 if (!radius_msg_add_attr( 466 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 467 (u8 *) buf, os_strlen(buf))) { 468 wpa_printf(MSG_INFO, 469 "Could not add Acct-Multi-Session-Id"); 470 return -1; 471 } 472 } 473 474 #ifdef CONFIG_IEEE80211R 475 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 476 sta->wpa_sm && 477 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 478 sta->auth_alg == WLAN_AUTH_FT) && 479 !hostapd_config_get_radius_attr(req_attr, 480 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 481 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 482 WPA_GET_BE16( 483 hapd->conf->mobility_domain))) { 484 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 485 return -1; 486 } 487 #endif /* CONFIG_IEEE80211R */ 488 489 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 490 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 491 return -1; 492 493 return 0; 494 } 495 496 497 int add_common_radius_attr(struct hostapd_data *hapd, 498 struct hostapd_radius_attr *req_attr, 499 struct sta_info *sta, 500 struct radius_msg *msg) 501 { 502 char buf[128]; 503 struct hostapd_radius_attr *attr; 504 int len; 505 506 if (!hostapd_config_get_radius_attr(req_attr, 507 RADIUS_ATTR_NAS_IP_ADDRESS) && 508 hapd->conf->own_ip_addr.af == AF_INET && 509 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 510 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 511 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 512 return -1; 513 } 514 515 #ifdef CONFIG_IPV6 516 if (!hostapd_config_get_radius_attr(req_attr, 517 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 518 hapd->conf->own_ip_addr.af == AF_INET6 && 519 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 520 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 521 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 522 return -1; 523 } 524 #endif /* CONFIG_IPV6 */ 525 526 if (!hostapd_config_get_radius_attr(req_attr, 527 RADIUS_ATTR_NAS_IDENTIFIER) && 528 hapd->conf->nas_identifier && 529 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 530 (u8 *) hapd->conf->nas_identifier, 531 os_strlen(hapd->conf->nas_identifier))) { 532 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 533 return -1; 534 } 535 536 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 537 MAC2STR(hapd->own_addr)); 538 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 539 hapd->conf->ssid.ssid_len); 540 len += hapd->conf->ssid.ssid_len; 541 if (!hostapd_config_get_radius_attr(req_attr, 542 RADIUS_ATTR_CALLED_STATION_ID) && 543 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 544 (u8 *) buf, len)) { 545 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 546 return -1; 547 } 548 549 if (!hostapd_config_get_radius_attr(req_attr, 550 RADIUS_ATTR_NAS_PORT_TYPE) && 551 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 552 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 553 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 554 return -1; 555 } 556 557 #ifdef CONFIG_INTERWORKING 558 if (hapd->conf->interworking && 559 !is_zero_ether_addr(hapd->conf->hessid)) { 560 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 561 MAC2STR(hapd->conf->hessid)); 562 buf[sizeof(buf) - 1] = '\0'; 563 if (!hostapd_config_get_radius_attr(req_attr, 564 RADIUS_ATTR_WLAN_HESSID) && 565 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 566 (u8 *) buf, os_strlen(buf))) { 567 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 568 return -1; 569 } 570 } 571 #endif /* CONFIG_INTERWORKING */ 572 573 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 574 return -1; 575 576 for (attr = req_attr; attr; attr = attr->next) { 577 if (!radius_msg_add_attr(msg, attr->type, 578 wpabuf_head(attr->val), 579 wpabuf_len(attr->val))) { 580 wpa_printf(MSG_ERROR, "Could not add RADIUS " 581 "attribute"); 582 return -1; 583 } 584 } 585 586 return 0; 587 } 588 589 590 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 591 struct sta_info *sta, 592 const u8 *eap, size_t len) 593 { 594 struct radius_msg *msg; 595 struct eapol_state_machine *sm = sta->eapol_sm; 596 597 if (sm == NULL) 598 return; 599 600 ieee802_1x_learn_identity(hapd, sm, eap, len); 601 602 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 603 "packet"); 604 605 sm->radius_identifier = radius_client_get_id(hapd->radius); 606 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 607 sm->radius_identifier); 608 if (msg == NULL) { 609 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 610 return; 611 } 612 613 if (radius_msg_make_authenticator(msg) < 0) { 614 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 615 goto fail; 616 } 617 618 if (sm->identity && 619 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 620 sm->identity, sm->identity_len)) { 621 wpa_printf(MSG_INFO, "Could not add User-Name"); 622 goto fail; 623 } 624 625 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 626 msg) < 0) 627 goto fail; 628 629 /* TODO: should probably check MTU from driver config; 2304 is max for 630 * IEEE 802.11, but use 1400 to avoid problems with too large packets 631 */ 632 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 633 RADIUS_ATTR_FRAMED_MTU) && 634 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 635 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 636 goto fail; 637 } 638 639 if (!radius_msg_add_eap(msg, eap, len)) { 640 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 641 goto fail; 642 } 643 644 /* State attribute must be copied if and only if this packet is 645 * Access-Request reply to the previous Access-Challenge */ 646 if (sm->last_recv_radius && 647 radius_msg_get_hdr(sm->last_recv_radius)->code == 648 RADIUS_CODE_ACCESS_CHALLENGE) { 649 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 650 RADIUS_ATTR_STATE); 651 if (res < 0) { 652 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 653 goto fail; 654 } 655 if (res > 0) { 656 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 657 } 658 } 659 660 if (hapd->conf->radius_request_cui) { 661 const u8 *cui; 662 size_t cui_len; 663 /* Add previously learned CUI or nul CUI to request CUI */ 664 if (sm->radius_cui) { 665 cui = wpabuf_head(sm->radius_cui); 666 cui_len = wpabuf_len(sm->radius_cui); 667 } else { 668 cui = (const u8 *) "\0"; 669 cui_len = 1; 670 } 671 if (!radius_msg_add_attr(msg, 672 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 673 cui, cui_len)) { 674 wpa_printf(MSG_ERROR, "Could not add CUI"); 675 goto fail; 676 } 677 } 678 679 #ifdef CONFIG_HS20 680 if (hapd->conf->hs20) { 681 u8 ver = 1; /* Release 2 */ 682 if (!radius_msg_add_wfa( 683 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 684 &ver, 1)) { 685 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 686 "version"); 687 goto fail; 688 } 689 690 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 691 const u8 *pos; 692 u8 buf[3]; 693 u16 id; 694 pos = wpabuf_head_u8(sta->hs20_ie); 695 buf[0] = (*pos) >> 4; 696 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 697 wpabuf_len(sta->hs20_ie) >= 3) 698 id = WPA_GET_LE16(pos + 1); 699 else 700 id = 0; 701 WPA_PUT_BE16(buf + 1, id); 702 if (!radius_msg_add_wfa( 703 msg, 704 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 705 buf, sizeof(buf))) { 706 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 707 "STA version"); 708 goto fail; 709 } 710 } 711 } 712 #endif /* CONFIG_HS20 */ 713 714 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 715 goto fail; 716 717 return; 718 719 fail: 720 radius_msg_free(msg); 721 } 722 #endif /* CONFIG_NO_RADIUS */ 723 724 725 static void handle_eap_response(struct hostapd_data *hapd, 726 struct sta_info *sta, struct eap_hdr *eap, 727 size_t len) 728 { 729 u8 type, *data; 730 struct eapol_state_machine *sm = sta->eapol_sm; 731 if (sm == NULL) 732 return; 733 734 data = (u8 *) (eap + 1); 735 736 if (len < sizeof(*eap) + 1) { 737 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 738 return; 739 } 740 741 sm->eap_type_supp = type = data[0]; 742 743 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 744 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 745 "id=%d len=%d) from STA: EAP Response-%s (%d)", 746 eap->code, eap->identifier, be_to_host16(eap->length), 747 eap_server_get_name(0, type), type); 748 749 sm->dot1xAuthEapolRespFramesRx++; 750 751 wpabuf_free(sm->eap_if->eapRespData); 752 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 753 sm->eapolEap = TRUE; 754 } 755 756 757 static void handle_eap_initiate(struct hostapd_data *hapd, 758 struct sta_info *sta, struct eap_hdr *eap, 759 size_t len) 760 { 761 #ifdef CONFIG_ERP 762 u8 type, *data; 763 struct eapol_state_machine *sm = sta->eapol_sm; 764 765 if (sm == NULL) 766 return; 767 768 if (len < sizeof(*eap) + 1) { 769 wpa_printf(MSG_INFO, 770 "handle_eap_initiate: too short response data"); 771 return; 772 } 773 774 data = (u8 *) (eap + 1); 775 type = data[0]; 776 777 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 778 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 779 "id=%d len=%d) from STA: EAP Initiate type %u", 780 eap->code, eap->identifier, be_to_host16(eap->length), 781 type); 782 783 wpabuf_free(sm->eap_if->eapRespData); 784 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 785 sm->eapolEap = TRUE; 786 #endif /* CONFIG_ERP */ 787 } 788 789 790 /* Process incoming EAP packet from Supplicant */ 791 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 792 u8 *buf, size_t len) 793 { 794 struct eap_hdr *eap; 795 u16 eap_len; 796 797 if (len < sizeof(*eap)) { 798 wpa_printf(MSG_INFO, " too short EAP packet"); 799 return; 800 } 801 802 eap = (struct eap_hdr *) buf; 803 804 eap_len = be_to_host16(eap->length); 805 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 806 eap->code, eap->identifier, eap_len); 807 if (eap_len < sizeof(*eap)) { 808 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 809 return; 810 } else if (eap_len > len) { 811 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 812 "packet"); 813 return; 814 } else if (eap_len < len) { 815 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 816 "packet", (unsigned long) len - eap_len); 817 } 818 819 switch (eap->code) { 820 case EAP_CODE_REQUEST: 821 wpa_printf(MSG_DEBUG, " (request)"); 822 return; 823 case EAP_CODE_RESPONSE: 824 wpa_printf(MSG_DEBUG, " (response)"); 825 handle_eap_response(hapd, sta, eap, eap_len); 826 break; 827 case EAP_CODE_SUCCESS: 828 wpa_printf(MSG_DEBUG, " (success)"); 829 return; 830 case EAP_CODE_FAILURE: 831 wpa_printf(MSG_DEBUG, " (failure)"); 832 return; 833 case EAP_CODE_INITIATE: 834 wpa_printf(MSG_DEBUG, " (initiate)"); 835 handle_eap_initiate(hapd, sta, eap, eap_len); 836 break; 837 case EAP_CODE_FINISH: 838 wpa_printf(MSG_DEBUG, " (finish)"); 839 break; 840 default: 841 wpa_printf(MSG_DEBUG, " (unknown code)"); 842 return; 843 } 844 } 845 846 847 static struct eapol_state_machine * 848 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 849 { 850 int flags = 0; 851 if (sta->flags & WLAN_STA_PREAUTH) 852 flags |= EAPOL_SM_PREAUTH; 853 if (sta->wpa_sm) { 854 flags |= EAPOL_SM_USES_WPA; 855 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 856 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 857 } 858 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 859 sta->wps_ie, sta->p2p_ie, sta, 860 sta->identity, sta->radius_cui); 861 } 862 863 864 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 865 size_t len) 866 { 867 if (sta->pending_eapol_rx) { 868 wpabuf_free(sta->pending_eapol_rx->buf); 869 } else { 870 sta->pending_eapol_rx = 871 os_malloc(sizeof(*sta->pending_eapol_rx)); 872 if (!sta->pending_eapol_rx) 873 return; 874 } 875 876 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 877 if (!sta->pending_eapol_rx->buf) { 878 os_free(sta->pending_eapol_rx); 879 sta->pending_eapol_rx = NULL; 880 return; 881 } 882 883 os_get_reltime(&sta->pending_eapol_rx->rx_time); 884 } 885 886 887 /** 888 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 889 * @hapd: hostapd BSS data 890 * @sa: Source address (sender of the EAPOL frame) 891 * @buf: EAPOL frame 892 * @len: Length of buf in octets 893 * 894 * This function is called for each incoming EAPOL frame from the interface 895 */ 896 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 897 size_t len) 898 { 899 struct sta_info *sta; 900 struct ieee802_1x_hdr *hdr; 901 struct ieee802_1x_eapol_key *key; 902 u16 datalen; 903 struct rsn_pmksa_cache_entry *pmksa; 904 int key_mgmt; 905 906 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 907 !hapd->conf->wps_state) 908 return; 909 910 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 911 (unsigned long) len, MAC2STR(sa)); 912 sta = ap_get_sta(hapd, sa); 913 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 914 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 915 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 916 "associated/Pre-authenticating STA"); 917 918 if (sta && (sta->flags & WLAN_STA_AUTH)) { 919 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 920 " for later use", MAC2STR(sta->addr)); 921 ieee802_1x_save_eapol(sta, buf, len); 922 } 923 924 return; 925 } 926 927 if (len < sizeof(*hdr)) { 928 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 929 return; 930 } 931 932 hdr = (struct ieee802_1x_hdr *) buf; 933 datalen = be_to_host16(hdr->length); 934 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 935 hdr->version, hdr->type, datalen); 936 937 if (len - sizeof(*hdr) < datalen) { 938 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 939 if (sta->eapol_sm) 940 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 941 return; 942 } 943 if (len - sizeof(*hdr) > datalen) { 944 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 945 "IEEE 802.1X packet", 946 (unsigned long) len - sizeof(*hdr) - datalen); 947 } 948 949 if (sta->eapol_sm) { 950 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 951 sta->eapol_sm->dot1xAuthEapolFramesRx++; 952 } 953 954 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 955 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 956 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 957 (key->type == EAPOL_KEY_TYPE_WPA || 958 key->type == EAPOL_KEY_TYPE_RSN)) { 959 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 960 sizeof(*hdr) + datalen); 961 return; 962 } 963 964 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 965 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 966 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 967 "802.1X not enabled and WPS not used"); 968 return; 969 } 970 971 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 972 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 973 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 974 "STA is using PSK"); 975 return; 976 } 977 978 if (!sta->eapol_sm) { 979 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 980 if (!sta->eapol_sm) 981 return; 982 983 #ifdef CONFIG_WPS 984 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 985 u32 wflags = sta->flags & (WLAN_STA_WPS | 986 WLAN_STA_WPS2 | 987 WLAN_STA_MAYBE_WPS); 988 if (wflags == WLAN_STA_MAYBE_WPS || 989 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 990 /* 991 * Delay EAPOL frame transmission until a 992 * possible WPS STA initiates the handshake 993 * with EAPOL-Start. Only allow the wait to be 994 * skipped if the STA is known to support WPS 995 * 2.0. 996 */ 997 wpa_printf(MSG_DEBUG, "WPS: Do not start " 998 "EAPOL until EAPOL-Start is " 999 "received"); 1000 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1001 } 1002 } 1003 #endif /* CONFIG_WPS */ 1004 1005 sta->eapol_sm->eap_if->portEnabled = TRUE; 1006 } 1007 1008 /* since we support version 1, we can ignore version field and proceed 1009 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1010 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1011 * does not change frame contents, so should be ok to process frames 1012 * more or less identically. Some changes might be needed for 1013 * verification of fields. */ 1014 1015 switch (hdr->type) { 1016 case IEEE802_1X_TYPE_EAP_PACKET: 1017 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1018 break; 1019 1020 case IEEE802_1X_TYPE_EAPOL_START: 1021 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1022 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 1023 "from STA"); 1024 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1025 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1026 if (pmksa) { 1027 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1028 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 1029 "available - ignore it since " 1030 "STA sent EAPOL-Start"); 1031 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1032 } 1033 sta->eapol_sm->eapolStart = TRUE; 1034 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1035 eap_server_clear_identity(sta->eapol_sm->eap); 1036 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1037 break; 1038 1039 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1040 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1041 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 1042 "from STA"); 1043 sta->acct_terminate_cause = 1044 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1045 accounting_sta_stop(hapd, sta); 1046 sta->eapol_sm->eapolLogoff = TRUE; 1047 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1048 eap_server_clear_identity(sta->eapol_sm->eap); 1049 break; 1050 1051 case IEEE802_1X_TYPE_EAPOL_KEY: 1052 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1053 if (!ap_sta_is_authorized(sta)) { 1054 wpa_printf(MSG_DEBUG, " Dropped key data from " 1055 "unauthorized Supplicant"); 1056 break; 1057 } 1058 break; 1059 1060 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1061 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1062 /* TODO: implement support for this; show data */ 1063 break; 1064 1065 default: 1066 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1067 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1068 break; 1069 } 1070 1071 eapol_auth_step(sta->eapol_sm); 1072 } 1073 1074 1075 /** 1076 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1077 * @hapd: hostapd BSS data 1078 * @sta: The station 1079 * 1080 * This function is called to start IEEE 802.1X authentication when a new 1081 * station completes IEEE 802.11 association. 1082 */ 1083 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1084 { 1085 struct rsn_pmksa_cache_entry *pmksa; 1086 int reassoc = 1; 1087 int force_1x = 0; 1088 int key_mgmt; 1089 1090 #ifdef CONFIG_WPS 1091 if (hapd->conf->wps_state && 1092 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1093 (sta->flags & WLAN_STA_WPS))) { 1094 /* 1095 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1096 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1097 * authentication in this BSS. 1098 */ 1099 force_1x = 1; 1100 } 1101 #endif /* CONFIG_WPS */ 1102 1103 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1104 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1105 "802.1X not enabled or forced for WPS"); 1106 /* 1107 * Clear any possible EAPOL authenticator state to support 1108 * reassociation change from WPS to PSK. 1109 */ 1110 ieee802_1x_free_station(hapd, sta); 1111 return; 1112 } 1113 1114 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1115 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1116 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1117 /* 1118 * Clear any possible EAPOL authenticator state to support 1119 * reassociation change from WPA-EAP to PSK. 1120 */ 1121 ieee802_1x_free_station(hapd, sta); 1122 return; 1123 } 1124 1125 if (sta->eapol_sm == NULL) { 1126 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1127 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1128 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1129 if (sta->eapol_sm == NULL) { 1130 hostapd_logger(hapd, sta->addr, 1131 HOSTAPD_MODULE_IEEE8021X, 1132 HOSTAPD_LEVEL_INFO, 1133 "failed to allocate state machine"); 1134 return; 1135 } 1136 reassoc = 0; 1137 } 1138 1139 #ifdef CONFIG_WPS 1140 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1141 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1142 !(sta->flags & WLAN_STA_WPS2)) { 1143 /* 1144 * Delay EAPOL frame transmission until a possible WPS STA 1145 * initiates the handshake with EAPOL-Start. Only allow the 1146 * wait to be skipped if the STA is known to support WPS 2.0. 1147 */ 1148 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1149 "EAPOL-Start is received"); 1150 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1151 } 1152 #endif /* CONFIG_WPS */ 1153 1154 sta->eapol_sm->eap_if->portEnabled = TRUE; 1155 1156 #ifdef CONFIG_IEEE80211R 1157 if (sta->auth_alg == WLAN_AUTH_FT) { 1158 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1159 HOSTAPD_LEVEL_DEBUG, 1160 "PMK from FT - skip IEEE 802.1X/EAP"); 1161 /* Setup EAPOL state machines to already authenticated state 1162 * because of existing FT information from R0KH. */ 1163 sta->eapol_sm->keyRun = TRUE; 1164 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1165 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1166 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1167 sta->eapol_sm->authSuccess = TRUE; 1168 sta->eapol_sm->authFail = FALSE; 1169 sta->eapol_sm->portValid = TRUE; 1170 if (sta->eapol_sm->eap) 1171 eap_sm_notify_cached(sta->eapol_sm->eap); 1172 /* TODO: get vlan_id from R0KH using RRB message */ 1173 return; 1174 } 1175 #endif /* CONFIG_IEEE80211R */ 1176 1177 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1178 if (pmksa) { 1179 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1180 HOSTAPD_LEVEL_DEBUG, 1181 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1182 /* Setup EAPOL state machines to already authenticated state 1183 * because of existing PMKSA information in the cache. */ 1184 sta->eapol_sm->keyRun = TRUE; 1185 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1186 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1187 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1188 sta->eapol_sm->authSuccess = TRUE; 1189 sta->eapol_sm->authFail = FALSE; 1190 if (sta->eapol_sm->eap) 1191 eap_sm_notify_cached(sta->eapol_sm->eap); 1192 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1193 ap_sta_bind_vlan(hapd, sta); 1194 } else { 1195 if (reassoc) { 1196 /* 1197 * Force EAPOL state machines to start 1198 * re-authentication without having to wait for the 1199 * Supplicant to send EAPOL-Start. 1200 */ 1201 sta->eapol_sm->reAuthenticate = TRUE; 1202 } 1203 eapol_auth_step(sta->eapol_sm); 1204 } 1205 } 1206 1207 1208 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1209 { 1210 struct eapol_state_machine *sm = sta->eapol_sm; 1211 1212 #ifdef CONFIG_HS20 1213 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1214 #endif /* CONFIG_HS20 */ 1215 1216 if (sta->pending_eapol_rx) { 1217 wpabuf_free(sta->pending_eapol_rx->buf); 1218 os_free(sta->pending_eapol_rx); 1219 sta->pending_eapol_rx = NULL; 1220 } 1221 1222 if (sm == NULL) 1223 return; 1224 1225 sta->eapol_sm = NULL; 1226 1227 #ifndef CONFIG_NO_RADIUS 1228 radius_msg_free(sm->last_recv_radius); 1229 radius_free_class(&sm->radius_class); 1230 #endif /* CONFIG_NO_RADIUS */ 1231 1232 eapol_auth_free(sm); 1233 } 1234 1235 1236 #ifndef CONFIG_NO_RADIUS 1237 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1238 struct sta_info *sta) 1239 { 1240 struct wpabuf *eap; 1241 const struct eap_hdr *hdr; 1242 int eap_type = -1; 1243 char buf[64]; 1244 struct radius_msg *msg; 1245 struct eapol_state_machine *sm = sta->eapol_sm; 1246 1247 if (sm == NULL || sm->last_recv_radius == NULL) { 1248 if (sm) 1249 sm->eap_if->aaaEapNoReq = TRUE; 1250 return; 1251 } 1252 1253 msg = sm->last_recv_radius; 1254 1255 eap = radius_msg_get_eap(msg); 1256 if (eap == NULL) { 1257 /* RFC 3579, Chap. 2.6.3: 1258 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1259 * attribute */ 1260 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1261 HOSTAPD_LEVEL_WARNING, "could not extract " 1262 "EAP-Message from RADIUS message"); 1263 sm->eap_if->aaaEapNoReq = TRUE; 1264 return; 1265 } 1266 1267 if (wpabuf_len(eap) < sizeof(*hdr)) { 1268 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1269 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1270 "received from authentication server"); 1271 wpabuf_free(eap); 1272 sm->eap_if->aaaEapNoReq = TRUE; 1273 return; 1274 } 1275 1276 if (wpabuf_len(eap) > sizeof(*hdr)) 1277 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1278 1279 hdr = wpabuf_head(eap); 1280 switch (hdr->code) { 1281 case EAP_CODE_REQUEST: 1282 if (eap_type >= 0) 1283 sm->eap_type_authsrv = eap_type; 1284 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1285 eap_server_get_name(0, eap_type), eap_type); 1286 break; 1287 case EAP_CODE_RESPONSE: 1288 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1289 eap_server_get_name(0, eap_type), eap_type); 1290 break; 1291 case EAP_CODE_SUCCESS: 1292 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1293 break; 1294 case EAP_CODE_FAILURE: 1295 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1296 break; 1297 default: 1298 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1299 break; 1300 } 1301 buf[sizeof(buf) - 1] = '\0'; 1302 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1303 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1304 "id=%d len=%d) from RADIUS server: %s", 1305 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1306 buf); 1307 sm->eap_if->aaaEapReq = TRUE; 1308 1309 wpabuf_free(sm->eap_if->aaaEapReqData); 1310 sm->eap_if->aaaEapReqData = eap; 1311 } 1312 1313 1314 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1315 struct sta_info *sta, struct radius_msg *msg, 1316 struct radius_msg *req, 1317 const u8 *shared_secret, 1318 size_t shared_secret_len) 1319 { 1320 struct radius_ms_mppe_keys *keys; 1321 struct eapol_state_machine *sm = sta->eapol_sm; 1322 if (sm == NULL) 1323 return; 1324 1325 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1326 shared_secret_len); 1327 1328 if (keys && keys->send && keys->recv) { 1329 size_t len = keys->send_len + keys->recv_len; 1330 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1331 keys->send, keys->send_len); 1332 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1333 keys->recv, keys->recv_len); 1334 1335 os_free(sm->eap_if->aaaEapKeyData); 1336 sm->eap_if->aaaEapKeyData = os_malloc(len); 1337 if (sm->eap_if->aaaEapKeyData) { 1338 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1339 keys->recv_len); 1340 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1341 keys->send, keys->send_len); 1342 sm->eap_if->aaaEapKeyDataLen = len; 1343 sm->eap_if->aaaEapKeyAvailable = TRUE; 1344 } 1345 } else { 1346 wpa_printf(MSG_DEBUG, 1347 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1348 keys, keys ? keys->send : NULL, 1349 keys ? keys->recv : NULL); 1350 } 1351 1352 if (keys) { 1353 os_free(keys->send); 1354 os_free(keys->recv); 1355 os_free(keys); 1356 } 1357 } 1358 1359 1360 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1361 struct sta_info *sta, 1362 struct radius_msg *msg) 1363 { 1364 u8 *attr_class; 1365 size_t class_len; 1366 struct eapol_state_machine *sm = sta->eapol_sm; 1367 int count, i; 1368 struct radius_attr_data *nclass; 1369 size_t nclass_count; 1370 1371 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1372 sm == NULL) 1373 return; 1374 1375 radius_free_class(&sm->radius_class); 1376 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1377 if (count <= 0) 1378 return; 1379 1380 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1381 if (nclass == NULL) 1382 return; 1383 1384 nclass_count = 0; 1385 1386 attr_class = NULL; 1387 for (i = 0; i < count; i++) { 1388 do { 1389 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1390 &attr_class, &class_len, 1391 attr_class) < 0) { 1392 i = count; 1393 break; 1394 } 1395 } while (class_len < 1); 1396 1397 nclass[nclass_count].data = os_malloc(class_len); 1398 if (nclass[nclass_count].data == NULL) 1399 break; 1400 1401 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1402 nclass[nclass_count].len = class_len; 1403 nclass_count++; 1404 } 1405 1406 sm->radius_class.attr = nclass; 1407 sm->radius_class.count = nclass_count; 1408 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1409 "attributes for " MACSTR, 1410 (unsigned long) sm->radius_class.count, 1411 MAC2STR(sta->addr)); 1412 } 1413 1414 1415 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1416 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1417 struct sta_info *sta, 1418 struct radius_msg *msg) 1419 { 1420 u8 *buf, *identity; 1421 size_t len; 1422 struct eapol_state_machine *sm = sta->eapol_sm; 1423 1424 if (sm == NULL) 1425 return; 1426 1427 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1428 NULL) < 0) 1429 return; 1430 1431 identity = (u8 *) dup_binstr(buf, len); 1432 if (identity == NULL) 1433 return; 1434 1435 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1436 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1437 "User-Name from Access-Accept '%s'", 1438 sm->identity ? (char *) sm->identity : "N/A", 1439 (char *) identity); 1440 1441 os_free(sm->identity); 1442 sm->identity = identity; 1443 sm->identity_len = len; 1444 } 1445 1446 1447 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1448 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1449 struct sta_info *sta, 1450 struct radius_msg *msg) 1451 { 1452 struct eapol_state_machine *sm = sta->eapol_sm; 1453 struct wpabuf *cui; 1454 u8 *buf; 1455 size_t len; 1456 1457 if (sm == NULL) 1458 return; 1459 1460 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1461 &buf, &len, NULL) < 0) 1462 return; 1463 1464 cui = wpabuf_alloc_copy(buf, len); 1465 if (cui == NULL) 1466 return; 1467 1468 wpabuf_free(sm->radius_cui); 1469 sm->radius_cui = cui; 1470 } 1471 1472 1473 #ifdef CONFIG_HS20 1474 1475 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1476 { 1477 sta->remediation = 1; 1478 os_free(sta->remediation_url); 1479 if (len > 2) { 1480 sta->remediation_url = os_malloc(len); 1481 if (!sta->remediation_url) 1482 return; 1483 sta->remediation_method = pos[0]; 1484 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1485 sta->remediation_url[len - 1] = '\0'; 1486 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1487 "for " MACSTR " - server method %u URL %s", 1488 MAC2STR(sta->addr), sta->remediation_method, 1489 sta->remediation_url); 1490 } else { 1491 sta->remediation_url = NULL; 1492 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1493 "for " MACSTR, MAC2STR(sta->addr)); 1494 } 1495 /* TODO: assign the STA into remediation VLAN or add filtering */ 1496 } 1497 1498 1499 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1500 struct sta_info *sta, u8 *pos, 1501 size_t len) 1502 { 1503 if (len < 3) 1504 return; /* Malformed information */ 1505 sta->hs20_deauth_requested = 1; 1506 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1507 "Re-auth Delay %u", 1508 *pos, WPA_GET_LE16(pos + 1)); 1509 wpabuf_free(sta->hs20_deauth_req); 1510 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1511 if (sta->hs20_deauth_req) { 1512 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1513 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1514 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1515 } 1516 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1517 } 1518 1519 1520 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1521 struct sta_info *sta, u8 *pos, 1522 size_t len, int session_timeout) 1523 { 1524 unsigned int swt; 1525 int warning_time, beacon_int; 1526 1527 if (len < 1) 1528 return; /* Malformed information */ 1529 os_free(sta->hs20_session_info_url); 1530 sta->hs20_session_info_url = os_malloc(len); 1531 if (sta->hs20_session_info_url == NULL) 1532 return; 1533 swt = pos[0]; 1534 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1535 sta->hs20_session_info_url[len - 1] = '\0'; 1536 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1537 "(session_timeout=%d)", 1538 sta->hs20_session_info_url, swt, session_timeout); 1539 if (session_timeout < 0) { 1540 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1541 return; 1542 } 1543 if (swt == 255) 1544 swt = 1; /* Use one minute as the AP selected value */ 1545 1546 if ((unsigned int) session_timeout < swt * 60) 1547 warning_time = 0; 1548 else 1549 warning_time = session_timeout - swt * 60; 1550 1551 beacon_int = hapd->iconf->beacon_int; 1552 if (beacon_int < 1) 1553 beacon_int = 100; /* best guess */ 1554 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1555 if (sta->hs20_disassoc_timer > 65535) 1556 sta->hs20_disassoc_timer = 65535; 1557 1558 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1559 } 1560 1561 #endif /* CONFIG_HS20 */ 1562 1563 1564 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1565 struct sta_info *sta, 1566 struct radius_msg *msg, 1567 int session_timeout) 1568 { 1569 #ifdef CONFIG_HS20 1570 u8 *buf, *pos, *end, type, sublen; 1571 size_t len; 1572 1573 buf = NULL; 1574 sta->remediation = 0; 1575 sta->hs20_deauth_requested = 0; 1576 1577 for (;;) { 1578 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1579 &buf, &len, buf) < 0) 1580 break; 1581 if (len < 6) 1582 continue; 1583 pos = buf; 1584 end = buf + len; 1585 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1586 continue; 1587 pos += 4; 1588 1589 type = *pos++; 1590 sublen = *pos++; 1591 if (sublen < 2) 1592 continue; /* invalid length */ 1593 sublen -= 2; /* skip header */ 1594 if (pos + sublen > end) 1595 continue; /* invalid WFA VSA */ 1596 1597 switch (type) { 1598 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1599 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1600 break; 1601 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1602 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1603 break; 1604 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1605 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1606 session_timeout); 1607 break; 1608 } 1609 } 1610 #endif /* CONFIG_HS20 */ 1611 } 1612 1613 1614 struct sta_id_search { 1615 u8 identifier; 1616 struct eapol_state_machine *sm; 1617 }; 1618 1619 1620 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1621 struct sta_info *sta, 1622 void *ctx) 1623 { 1624 struct sta_id_search *id_search = ctx; 1625 struct eapol_state_machine *sm = sta->eapol_sm; 1626 1627 if (sm && sm->radius_identifier >= 0 && 1628 sm->radius_identifier == id_search->identifier) { 1629 id_search->sm = sm; 1630 return 1; 1631 } 1632 return 0; 1633 } 1634 1635 1636 static struct eapol_state_machine * 1637 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1638 { 1639 struct sta_id_search id_search; 1640 id_search.identifier = identifier; 1641 id_search.sm = NULL; 1642 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1643 return id_search.sm; 1644 } 1645 1646 1647 /** 1648 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1649 * @msg: RADIUS response message 1650 * @req: RADIUS request message 1651 * @shared_secret: RADIUS shared secret 1652 * @shared_secret_len: Length of shared_secret in octets 1653 * @data: Context data (struct hostapd_data *) 1654 * Returns: Processing status 1655 */ 1656 static RadiusRxResult 1657 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1658 const u8 *shared_secret, size_t shared_secret_len, 1659 void *data) 1660 { 1661 struct hostapd_data *hapd = data; 1662 struct sta_info *sta; 1663 u32 session_timeout = 0, termination_action, acct_interim_interval; 1664 int session_timeout_set; 1665 struct eapol_state_machine *sm; 1666 int override_eapReq = 0; 1667 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1668 struct vlan_description vlan_desc; 1669 #ifndef CONFIG_NO_VLAN 1670 int *untagged, *tagged, *notempty; 1671 #endif /* CONFIG_NO_VLAN */ 1672 1673 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1674 1675 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1676 if (sm == NULL) { 1677 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1678 "station for this RADIUS message"); 1679 return RADIUS_RX_UNKNOWN; 1680 } 1681 sta = sm->sta; 1682 1683 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1684 * present when packet contains an EAP-Message attribute */ 1685 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1686 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1687 0) < 0 && 1688 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1689 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1690 "Message-Authenticator since it does not include " 1691 "EAP-Message"); 1692 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1693 req, 1)) { 1694 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1695 return RADIUS_RX_INVALID_AUTHENTICATOR; 1696 } 1697 1698 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1699 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1700 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1701 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1702 return RADIUS_RX_UNKNOWN; 1703 } 1704 1705 sm->radius_identifier = -1; 1706 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1707 MAC2STR(sta->addr)); 1708 1709 radius_msg_free(sm->last_recv_radius); 1710 sm->last_recv_radius = msg; 1711 1712 session_timeout_set = 1713 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1714 &session_timeout); 1715 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1716 &termination_action)) 1717 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1718 1719 if (hapd->conf->acct_interim_interval == 0 && 1720 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1721 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1722 &acct_interim_interval) == 0) { 1723 if (acct_interim_interval < 60) { 1724 hostapd_logger(hapd, sta->addr, 1725 HOSTAPD_MODULE_IEEE8021X, 1726 HOSTAPD_LEVEL_INFO, 1727 "ignored too small " 1728 "Acct-Interim-Interval %d", 1729 acct_interim_interval); 1730 } else 1731 sta->acct_interim_interval = acct_interim_interval; 1732 } 1733 1734 1735 switch (hdr->code) { 1736 case RADIUS_CODE_ACCESS_ACCEPT: 1737 #ifndef CONFIG_NO_VLAN 1738 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) { 1739 notempty = &vlan_desc.notempty; 1740 untagged = &vlan_desc.untagged; 1741 tagged = vlan_desc.tagged; 1742 *notempty = !!radius_msg_get_vlanid(msg, untagged, 1743 MAX_NUM_TAGGED_VLAN, 1744 tagged); 1745 } 1746 1747 if (vlan_desc.notempty && 1748 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1749 sta->eapol_sm->authFail = TRUE; 1750 hostapd_logger(hapd, sta->addr, 1751 HOSTAPD_MODULE_RADIUS, 1752 HOSTAPD_LEVEL_INFO, 1753 "Invalid VLAN %d%s received from RADIUS server", 1754 vlan_desc.untagged, 1755 vlan_desc.tagged[0] ? "+" : ""); 1756 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1757 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1758 break; 1759 } 1760 1761 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1762 !vlan_desc.notempty) { 1763 sta->eapol_sm->authFail = TRUE; 1764 hostapd_logger(hapd, sta->addr, 1765 HOSTAPD_MODULE_IEEE8021X, 1766 HOSTAPD_LEVEL_INFO, "authentication " 1767 "server did not include required VLAN " 1768 "ID in Access-Accept"); 1769 break; 1770 } 1771 #endif /* CONFIG_NO_VLAN */ 1772 1773 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0) 1774 break; 1775 1776 #ifndef CONFIG_NO_VLAN 1777 if (sta->vlan_id > 0) { 1778 hostapd_logger(hapd, sta->addr, 1779 HOSTAPD_MODULE_RADIUS, 1780 HOSTAPD_LEVEL_INFO, 1781 "VLAN ID %d", sta->vlan_id); 1782 } 1783 #endif /* CONFIG_NO_VLAN */ 1784 1785 if ((sta->flags & WLAN_STA_ASSOC) && 1786 ap_sta_bind_vlan(hapd, sta) < 0) 1787 break; 1788 1789 sta->session_timeout_set = !!session_timeout_set; 1790 sta->session_timeout = session_timeout; 1791 1792 /* RFC 3580, Ch. 3.17 */ 1793 if (session_timeout_set && termination_action == 1794 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1795 sm->reAuthPeriod = session_timeout; 1796 } else if (session_timeout_set) 1797 ap_sta_session_timeout(hapd, sta, session_timeout); 1798 1799 sm->eap_if->aaaSuccess = TRUE; 1800 override_eapReq = 1; 1801 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1802 shared_secret_len); 1803 ieee802_1x_store_radius_class(hapd, sta, msg); 1804 ieee802_1x_update_sta_identity(hapd, sta, msg); 1805 ieee802_1x_update_sta_cui(hapd, sta, msg); 1806 ieee802_1x_check_hs20(hapd, sta, msg, 1807 session_timeout_set ? 1808 (int) session_timeout : -1); 1809 break; 1810 case RADIUS_CODE_ACCESS_REJECT: 1811 sm->eap_if->aaaFail = TRUE; 1812 override_eapReq = 1; 1813 break; 1814 case RADIUS_CODE_ACCESS_CHALLENGE: 1815 sm->eap_if->aaaEapReq = TRUE; 1816 if (session_timeout_set) { 1817 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1818 sm->eap_if->aaaMethodTimeout = session_timeout; 1819 hostapd_logger(hapd, sm->addr, 1820 HOSTAPD_MODULE_IEEE8021X, 1821 HOSTAPD_LEVEL_DEBUG, 1822 "using EAP timeout of %d seconds (from " 1823 "RADIUS)", 1824 sm->eap_if->aaaMethodTimeout); 1825 } else { 1826 /* 1827 * Use dynamic retransmission behavior per EAP 1828 * specification. 1829 */ 1830 sm->eap_if->aaaMethodTimeout = 0; 1831 } 1832 break; 1833 } 1834 1835 ieee802_1x_decapsulate_radius(hapd, sta); 1836 if (override_eapReq) 1837 sm->eap_if->aaaEapReq = FALSE; 1838 1839 eapol_auth_step(sm); 1840 1841 return RADIUS_RX_QUEUED; 1842 } 1843 #endif /* CONFIG_NO_RADIUS */ 1844 1845 1846 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1847 { 1848 struct eapol_state_machine *sm = sta->eapol_sm; 1849 if (sm == NULL) 1850 return; 1851 1852 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1853 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1854 1855 #ifndef CONFIG_NO_RADIUS 1856 radius_msg_free(sm->last_recv_radius); 1857 sm->last_recv_radius = NULL; 1858 #endif /* CONFIG_NO_RADIUS */ 1859 1860 if (sm->eap_if->eapTimeout) { 1861 /* 1862 * Disconnect the STA since it did not reply to the last EAP 1863 * request and we cannot continue EAP processing (EAP-Failure 1864 * could only be sent if the EAP peer actually replied). 1865 */ 1866 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1867 MAC2STR(sta->addr)); 1868 1869 sm->eap_if->portEnabled = FALSE; 1870 ap_sta_disconnect(hapd, sta, sta->addr, 1871 WLAN_REASON_PREV_AUTH_NOT_VALID); 1872 } 1873 } 1874 1875 1876 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1877 { 1878 struct eapol_authenticator *eapol = hapd->eapol_auth; 1879 1880 if (hapd->conf->default_wep_key_len < 1) 1881 return 0; 1882 1883 os_free(eapol->default_wep_key); 1884 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1885 if (eapol->default_wep_key == NULL || 1886 random_get_bytes(eapol->default_wep_key, 1887 hapd->conf->default_wep_key_len)) { 1888 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1889 os_free(eapol->default_wep_key); 1890 eapol->default_wep_key = NULL; 1891 return -1; 1892 } 1893 1894 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1895 eapol->default_wep_key, 1896 hapd->conf->default_wep_key_len); 1897 1898 return 0; 1899 } 1900 1901 1902 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1903 struct sta_info *sta, void *ctx) 1904 { 1905 if (sta->eapol_sm) { 1906 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1907 eapol_auth_step(sta->eapol_sm); 1908 } 1909 return 0; 1910 } 1911 1912 1913 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1914 { 1915 struct hostapd_data *hapd = eloop_ctx; 1916 struct eapol_authenticator *eapol = hapd->eapol_auth; 1917 1918 if (eapol->default_wep_key_idx >= 3) 1919 eapol->default_wep_key_idx = 1920 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1921 else 1922 eapol->default_wep_key_idx++; 1923 1924 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1925 eapol->default_wep_key_idx); 1926 1927 if (ieee802_1x_rekey_broadcast(hapd)) { 1928 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1929 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1930 "new broadcast key"); 1931 os_free(eapol->default_wep_key); 1932 eapol->default_wep_key = NULL; 1933 return; 1934 } 1935 1936 /* TODO: Could setup key for RX here, but change default TX keyid only 1937 * after new broadcast key has been sent to all stations. */ 1938 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1939 broadcast_ether_addr, 1940 eapol->default_wep_key_idx, 1, NULL, 0, 1941 eapol->default_wep_key, 1942 hapd->conf->default_wep_key_len)) { 1943 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1944 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1945 "new broadcast key"); 1946 os_free(eapol->default_wep_key); 1947 eapol->default_wep_key = NULL; 1948 return; 1949 } 1950 1951 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1952 1953 if (hapd->conf->wep_rekeying_period > 0) { 1954 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1955 ieee802_1x_rekey, hapd, NULL); 1956 } 1957 } 1958 1959 1960 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1961 const u8 *data, size_t datalen) 1962 { 1963 #ifdef CONFIG_WPS 1964 struct sta_info *sta = sta_ctx; 1965 1966 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1967 WLAN_STA_MAYBE_WPS) { 1968 const u8 *identity; 1969 size_t identity_len; 1970 struct eapol_state_machine *sm = sta->eapol_sm; 1971 1972 identity = eap_get_identity(sm->eap, &identity_len); 1973 if (identity && 1974 ((identity_len == WSC_ID_ENROLLEE_LEN && 1975 os_memcmp(identity, WSC_ID_ENROLLEE, 1976 WSC_ID_ENROLLEE_LEN) == 0) || 1977 (identity_len == WSC_ID_REGISTRAR_LEN && 1978 os_memcmp(identity, WSC_ID_REGISTRAR, 1979 WSC_ID_REGISTRAR_LEN) == 0))) { 1980 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1981 "WLAN_STA_WPS"); 1982 sta->flags |= WLAN_STA_WPS; 1983 } 1984 } 1985 #endif /* CONFIG_WPS */ 1986 1987 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1988 } 1989 1990 1991 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1992 const u8 *data, size_t datalen) 1993 { 1994 #ifndef CONFIG_NO_RADIUS 1995 struct hostapd_data *hapd = ctx; 1996 struct sta_info *sta = sta_ctx; 1997 1998 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1999 #endif /* CONFIG_NO_RADIUS */ 2000 } 2001 2002 2003 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2004 int preauth, int remediation) 2005 { 2006 struct hostapd_data *hapd = ctx; 2007 struct sta_info *sta = sta_ctx; 2008 if (preauth) 2009 rsn_preauth_finished(hapd, sta, success); 2010 else 2011 ieee802_1x_finished(hapd, sta, success, remediation); 2012 } 2013 2014 2015 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2016 size_t identity_len, int phase2, 2017 struct eap_user *user) 2018 { 2019 struct hostapd_data *hapd = ctx; 2020 const struct hostapd_eap_user *eap_user; 2021 int i; 2022 int rv = -1; 2023 2024 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2025 if (eap_user == NULL) 2026 goto out; 2027 2028 os_memset(user, 0, sizeof(*user)); 2029 user->phase2 = phase2; 2030 for (i = 0; i < EAP_MAX_METHODS; i++) { 2031 user->methods[i].vendor = eap_user->methods[i].vendor; 2032 user->methods[i].method = eap_user->methods[i].method; 2033 } 2034 2035 if (eap_user->password) { 2036 user->password = os_malloc(eap_user->password_len); 2037 if (user->password == NULL) 2038 goto out; 2039 os_memcpy(user->password, eap_user->password, 2040 eap_user->password_len); 2041 user->password_len = eap_user->password_len; 2042 user->password_hash = eap_user->password_hash; 2043 } 2044 user->force_version = eap_user->force_version; 2045 user->macacl = eap_user->macacl; 2046 user->ttls_auth = eap_user->ttls_auth; 2047 user->remediation = eap_user->remediation; 2048 rv = 0; 2049 2050 out: 2051 if (rv) 2052 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2053 2054 return rv; 2055 } 2056 2057 2058 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2059 { 2060 struct hostapd_data *hapd = ctx; 2061 struct sta_info *sta; 2062 sta = ap_get_sta(hapd, addr); 2063 if (sta == NULL || sta->eapol_sm == NULL) 2064 return 0; 2065 return 1; 2066 } 2067 2068 2069 static void ieee802_1x_logger(void *ctx, const u8 *addr, 2070 eapol_logger_level level, const char *txt) 2071 { 2072 #ifndef CONFIG_NO_HOSTAPD_LOGGER 2073 struct hostapd_data *hapd = ctx; 2074 int hlevel; 2075 2076 switch (level) { 2077 case EAPOL_LOGGER_WARNING: 2078 hlevel = HOSTAPD_LEVEL_WARNING; 2079 break; 2080 case EAPOL_LOGGER_INFO: 2081 hlevel = HOSTAPD_LEVEL_INFO; 2082 break; 2083 case EAPOL_LOGGER_DEBUG: 2084 default: 2085 hlevel = HOSTAPD_LEVEL_DEBUG; 2086 break; 2087 } 2088 2089 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2090 txt); 2091 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2092 } 2093 2094 2095 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2096 int authorized) 2097 { 2098 struct hostapd_data *hapd = ctx; 2099 struct sta_info *sta = sta_ctx; 2100 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2101 } 2102 2103 2104 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2105 { 2106 struct hostapd_data *hapd = ctx; 2107 struct sta_info *sta = sta_ctx; 2108 ieee802_1x_abort_auth(hapd, sta); 2109 } 2110 2111 2112 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2113 { 2114 #ifndef CONFIG_FIPS 2115 #ifndef CONFIG_NO_RC4 2116 struct hostapd_data *hapd = ctx; 2117 struct sta_info *sta = sta_ctx; 2118 ieee802_1x_tx_key(hapd, sta); 2119 #endif /* CONFIG_NO_RC4 */ 2120 #endif /* CONFIG_FIPS */ 2121 } 2122 2123 2124 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2125 enum eapol_event type) 2126 { 2127 /* struct hostapd_data *hapd = ctx; */ 2128 struct sta_info *sta = sta_ctx; 2129 switch (type) { 2130 case EAPOL_AUTH_SM_CHANGE: 2131 wpa_auth_sm_notify(sta->wpa_sm); 2132 break; 2133 case EAPOL_AUTH_REAUTHENTICATE: 2134 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2135 break; 2136 } 2137 } 2138 2139 2140 #ifdef CONFIG_ERP 2141 2142 static struct eap_server_erp_key * 2143 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2144 { 2145 struct hostapd_data *hapd = ctx; 2146 struct eap_server_erp_key *erp; 2147 2148 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2149 list) { 2150 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2151 return erp; 2152 } 2153 2154 return NULL; 2155 } 2156 2157 2158 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2159 { 2160 struct hostapd_data *hapd = ctx; 2161 2162 dl_list_add(&hapd->erp_keys, &erp->list); 2163 return 0; 2164 } 2165 2166 #endif /* CONFIG_ERP */ 2167 2168 2169 int ieee802_1x_init(struct hostapd_data *hapd) 2170 { 2171 int i; 2172 struct eapol_auth_config conf; 2173 struct eapol_auth_cb cb; 2174 2175 dl_list_init(&hapd->erp_keys); 2176 2177 os_memset(&conf, 0, sizeof(conf)); 2178 conf.ctx = hapd; 2179 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2180 conf.wpa = hapd->conf->wpa; 2181 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2182 conf.eap_server = hapd->conf->eap_server; 2183 conf.ssl_ctx = hapd->ssl_ctx; 2184 conf.msg_ctx = hapd->msg_ctx; 2185 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2186 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2187 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2188 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2189 conf.erp_domain = hapd->conf->erp_domain; 2190 conf.erp = hapd->conf->eap_server_erp; 2191 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2192 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2193 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2194 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2195 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2196 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2197 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2198 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2199 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2200 conf.tnc = hapd->conf->tnc; 2201 conf.wps = hapd->wps; 2202 conf.fragment_size = hapd->conf->fragment_size; 2203 conf.pwd_group = hapd->conf->pwd_group; 2204 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2205 if (hapd->conf->server_id) { 2206 conf.server_id = (const u8 *) hapd->conf->server_id; 2207 conf.server_id_len = os_strlen(hapd->conf->server_id); 2208 } else { 2209 conf.server_id = (const u8 *) "hostapd"; 2210 conf.server_id_len = 7; 2211 } 2212 2213 os_memset(&cb, 0, sizeof(cb)); 2214 cb.eapol_send = ieee802_1x_eapol_send; 2215 cb.aaa_send = ieee802_1x_aaa_send; 2216 cb.finished = _ieee802_1x_finished; 2217 cb.get_eap_user = ieee802_1x_get_eap_user; 2218 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2219 cb.logger = ieee802_1x_logger; 2220 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2221 cb.abort_auth = _ieee802_1x_abort_auth; 2222 cb.tx_key = _ieee802_1x_tx_key; 2223 cb.eapol_event = ieee802_1x_eapol_event; 2224 #ifdef CONFIG_ERP 2225 cb.erp_get_key = ieee802_1x_erp_get_key; 2226 cb.erp_add_key = ieee802_1x_erp_add_key; 2227 #endif /* CONFIG_ERP */ 2228 2229 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2230 if (hapd->eapol_auth == NULL) 2231 return -1; 2232 2233 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2234 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2235 return -1; 2236 2237 #ifndef CONFIG_NO_RADIUS 2238 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2239 ieee802_1x_receive_auth, hapd)) 2240 return -1; 2241 #endif /* CONFIG_NO_RADIUS */ 2242 2243 if (hapd->conf->default_wep_key_len) { 2244 for (i = 0; i < 4; i++) 2245 hostapd_drv_set_key(hapd->conf->iface, hapd, 2246 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2247 NULL, 0); 2248 2249 ieee802_1x_rekey(hapd, NULL); 2250 2251 if (hapd->eapol_auth->default_wep_key == NULL) 2252 return -1; 2253 } 2254 2255 return 0; 2256 } 2257 2258 2259 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2260 { 2261 struct eap_server_erp_key *erp; 2262 2263 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2264 list)) != NULL) { 2265 dl_list_del(&erp->list); 2266 bin_clear_free(erp, sizeof(*erp)); 2267 } 2268 } 2269 2270 2271 void ieee802_1x_deinit(struct hostapd_data *hapd) 2272 { 2273 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2274 2275 if (hapd->driver && hapd->drv_priv && 2276 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2277 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2278 2279 eapol_auth_deinit(hapd->eapol_auth); 2280 hapd->eapol_auth = NULL; 2281 2282 ieee802_1x_erp_flush(hapd); 2283 } 2284 2285 2286 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2287 const u8 *buf, size_t len, int ack) 2288 { 2289 struct ieee80211_hdr *hdr; 2290 u8 *pos; 2291 const unsigned char rfc1042_hdr[ETH_ALEN] = 2292 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2293 2294 if (sta == NULL) 2295 return -1; 2296 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2297 return 0; 2298 2299 hdr = (struct ieee80211_hdr *) buf; 2300 pos = (u8 *) (hdr + 1); 2301 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2302 return 0; 2303 pos += sizeof(rfc1042_hdr); 2304 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2305 return 0; 2306 pos += 2; 2307 2308 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2309 ack); 2310 } 2311 2312 2313 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2314 const u8 *buf, int len, int ack) 2315 { 2316 const struct ieee802_1x_hdr *xhdr = 2317 (const struct ieee802_1x_hdr *) buf; 2318 const u8 *pos = buf + sizeof(*xhdr); 2319 struct ieee802_1x_eapol_key *key; 2320 2321 if (len < (int) sizeof(*xhdr)) 2322 return 0; 2323 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2324 "type=%d length=%d - ack=%d", 2325 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2326 be_to_host16(xhdr->length), ack); 2327 2328 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2329 return 0; 2330 2331 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2332 const struct wpa_eapol_key *wpa; 2333 wpa = (const struct wpa_eapol_key *) pos; 2334 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2335 wpa->type == EAPOL_KEY_TYPE_WPA) 2336 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2337 sta->wpa_sm, ack); 2338 } 2339 2340 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2341 * or Authenticator state machines, but EAPOL-Key packets are not 2342 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2343 * packets couple of times because otherwise STA keys become 2344 * unsynchronized with AP. */ 2345 if (!ack && pos + sizeof(*key) <= buf + len) { 2346 key = (struct ieee802_1x_eapol_key *) pos; 2347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2348 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2349 "frame (%scast index=%d)", 2350 key->key_index & BIT(7) ? "uni" : "broad", 2351 key->key_index & ~BIT(7)); 2352 /* TODO: re-send EAPOL-Key couple of times (with short delay 2353 * between them?). If all attempt fail, report error and 2354 * deauthenticate STA so that it will get new keys when 2355 * authenticating again (e.g., after returning in range). 2356 * Separate limit/transmit state needed both for unicast and 2357 * broadcast keys(?) */ 2358 } 2359 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2360 * to here and change the key only if the EAPOL-Key packet was Acked. 2361 */ 2362 2363 return 1; 2364 } 2365 2366 2367 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2368 { 2369 if (sm == NULL || sm->identity == NULL) 2370 return NULL; 2371 2372 *len = sm->identity_len; 2373 return sm->identity; 2374 } 2375 2376 2377 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2378 int idx) 2379 { 2380 if (sm == NULL || sm->radius_class.attr == NULL || 2381 idx >= (int) sm->radius_class.count) 2382 return NULL; 2383 2384 *len = sm->radius_class.attr[idx].len; 2385 return sm->radius_class.attr[idx].data; 2386 } 2387 2388 2389 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2390 { 2391 if (sm == NULL) 2392 return NULL; 2393 return sm->radius_cui; 2394 } 2395 2396 2397 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2398 { 2399 *len = 0; 2400 if (sm == NULL) 2401 return NULL; 2402 2403 *len = sm->eap_if->eapKeyDataLen; 2404 return sm->eap_if->eapKeyData; 2405 } 2406 2407 2408 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2409 int enabled) 2410 { 2411 if (sm == NULL) 2412 return; 2413 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2414 eapol_auth_step(sm); 2415 } 2416 2417 2418 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2419 int valid) 2420 { 2421 if (sm == NULL) 2422 return; 2423 sm->portValid = valid ? TRUE : FALSE; 2424 eapol_auth_step(sm); 2425 } 2426 2427 2428 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2429 { 2430 if (sm == NULL) 2431 return; 2432 if (pre_auth) 2433 sm->flags |= EAPOL_SM_PREAUTH; 2434 else 2435 sm->flags &= ~EAPOL_SM_PREAUTH; 2436 } 2437 2438 2439 static const char * bool_txt(Boolean val) 2440 { 2441 return val ? "TRUE" : "FALSE"; 2442 } 2443 2444 2445 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2446 { 2447 /* TODO */ 2448 return 0; 2449 } 2450 2451 2452 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2453 char *buf, size_t buflen) 2454 { 2455 int len = 0, ret; 2456 struct eapol_state_machine *sm = sta->eapol_sm; 2457 struct os_reltime diff; 2458 const char *name1; 2459 const char *name2; 2460 2461 if (sm == NULL) 2462 return 0; 2463 2464 ret = os_snprintf(buf + len, buflen - len, 2465 "dot1xPaePortNumber=%d\n" 2466 "dot1xPaePortProtocolVersion=%d\n" 2467 "dot1xPaePortCapabilities=1\n" 2468 "dot1xPaePortInitialize=%d\n" 2469 "dot1xPaePortReauthenticate=FALSE\n", 2470 sta->aid, 2471 EAPOL_VERSION, 2472 sm->initialize); 2473 if (os_snprintf_error(buflen - len, ret)) 2474 return len; 2475 len += ret; 2476 2477 /* dot1xAuthConfigTable */ 2478 ret = os_snprintf(buf + len, buflen - len, 2479 "dot1xAuthPaeState=%d\n" 2480 "dot1xAuthBackendAuthState=%d\n" 2481 "dot1xAuthAdminControlledDirections=%d\n" 2482 "dot1xAuthOperControlledDirections=%d\n" 2483 "dot1xAuthAuthControlledPortStatus=%d\n" 2484 "dot1xAuthAuthControlledPortControl=%d\n" 2485 "dot1xAuthQuietPeriod=%u\n" 2486 "dot1xAuthServerTimeout=%u\n" 2487 "dot1xAuthReAuthPeriod=%u\n" 2488 "dot1xAuthReAuthEnabled=%s\n" 2489 "dot1xAuthKeyTxEnabled=%s\n", 2490 sm->auth_pae_state + 1, 2491 sm->be_auth_state + 1, 2492 sm->adminControlledDirections, 2493 sm->operControlledDirections, 2494 sm->authPortStatus, 2495 sm->portControl, 2496 sm->quietPeriod, 2497 sm->serverTimeout, 2498 sm->reAuthPeriod, 2499 bool_txt(sm->reAuthEnabled), 2500 bool_txt(sm->keyTxEnabled)); 2501 if (os_snprintf_error(buflen - len, ret)) 2502 return len; 2503 len += ret; 2504 2505 /* dot1xAuthStatsTable */ 2506 ret = os_snprintf(buf + len, buflen - len, 2507 "dot1xAuthEapolFramesRx=%u\n" 2508 "dot1xAuthEapolFramesTx=%u\n" 2509 "dot1xAuthEapolStartFramesRx=%u\n" 2510 "dot1xAuthEapolLogoffFramesRx=%u\n" 2511 "dot1xAuthEapolRespIdFramesRx=%u\n" 2512 "dot1xAuthEapolRespFramesRx=%u\n" 2513 "dot1xAuthEapolReqIdFramesTx=%u\n" 2514 "dot1xAuthEapolReqFramesTx=%u\n" 2515 "dot1xAuthInvalidEapolFramesRx=%u\n" 2516 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2517 "dot1xAuthLastEapolFrameVersion=%u\n" 2518 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2519 sm->dot1xAuthEapolFramesRx, 2520 sm->dot1xAuthEapolFramesTx, 2521 sm->dot1xAuthEapolStartFramesRx, 2522 sm->dot1xAuthEapolLogoffFramesRx, 2523 sm->dot1xAuthEapolRespIdFramesRx, 2524 sm->dot1xAuthEapolRespFramesRx, 2525 sm->dot1xAuthEapolReqIdFramesTx, 2526 sm->dot1xAuthEapolReqFramesTx, 2527 sm->dot1xAuthInvalidEapolFramesRx, 2528 sm->dot1xAuthEapLengthErrorFramesRx, 2529 sm->dot1xAuthLastEapolFrameVersion, 2530 MAC2STR(sm->addr)); 2531 if (os_snprintf_error(buflen - len, ret)) 2532 return len; 2533 len += ret; 2534 2535 /* dot1xAuthDiagTable */ 2536 ret = os_snprintf(buf + len, buflen - len, 2537 "dot1xAuthEntersConnecting=%u\n" 2538 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2539 "dot1xAuthEntersAuthenticating=%u\n" 2540 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2541 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2542 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2543 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2544 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2545 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2546 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2547 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2548 "dot1xAuthBackendResponses=%u\n" 2549 "dot1xAuthBackendAccessChallenges=%u\n" 2550 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2551 "dot1xAuthBackendAuthSuccesses=%u\n" 2552 "dot1xAuthBackendAuthFails=%u\n", 2553 sm->authEntersConnecting, 2554 sm->authEapLogoffsWhileConnecting, 2555 sm->authEntersAuthenticating, 2556 sm->authAuthSuccessesWhileAuthenticating, 2557 sm->authAuthTimeoutsWhileAuthenticating, 2558 sm->authAuthFailWhileAuthenticating, 2559 sm->authAuthEapStartsWhileAuthenticating, 2560 sm->authAuthEapLogoffWhileAuthenticating, 2561 sm->authAuthReauthsWhileAuthenticated, 2562 sm->authAuthEapStartsWhileAuthenticated, 2563 sm->authAuthEapLogoffWhileAuthenticated, 2564 sm->backendResponses, 2565 sm->backendAccessChallenges, 2566 sm->backendOtherRequestsToSupplicant, 2567 sm->backendAuthSuccesses, 2568 sm->backendAuthFails); 2569 if (os_snprintf_error(buflen - len, ret)) 2570 return len; 2571 len += ret; 2572 2573 /* dot1xAuthSessionStatsTable */ 2574 os_reltime_age(&sta->acct_session_start, &diff); 2575 ret = os_snprintf(buf + len, buflen - len, 2576 /* TODO: dot1xAuthSessionOctetsRx */ 2577 /* TODO: dot1xAuthSessionOctetsTx */ 2578 /* TODO: dot1xAuthSessionFramesRx */ 2579 /* TODO: dot1xAuthSessionFramesTx */ 2580 "dot1xAuthSessionId=%016llX\n" 2581 "dot1xAuthSessionAuthenticMethod=%d\n" 2582 "dot1xAuthSessionTime=%u\n" 2583 "dot1xAuthSessionTerminateCause=999\n" 2584 "dot1xAuthSessionUserName=%s\n", 2585 (unsigned long long) sta->acct_session_id, 2586 (wpa_key_mgmt_wpa_ieee8021x( 2587 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2588 1 : 2, 2589 (unsigned int) diff.sec, 2590 sm->identity); 2591 if (os_snprintf_error(buflen - len, ret)) 2592 return len; 2593 len += ret; 2594 2595 if (sm->acct_multi_session_id) { 2596 ret = os_snprintf(buf + len, buflen - len, 2597 "authMultiSessionId=%016llX\n", 2598 (unsigned long long) 2599 sm->acct_multi_session_id); 2600 if (os_snprintf_error(buflen - len, ret)) 2601 return len; 2602 len += ret; 2603 } 2604 2605 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2606 name2 = eap_server_get_name(0, sm->eap_type_supp); 2607 ret = os_snprintf(buf + len, buflen - len, 2608 "last_eap_type_as=%d (%s)\n" 2609 "last_eap_type_sta=%d (%s)\n", 2610 sm->eap_type_authsrv, name1, 2611 sm->eap_type_supp, name2); 2612 if (os_snprintf_error(buflen - len, ret)) 2613 return len; 2614 len += ret; 2615 2616 return len; 2617 } 2618 2619 2620 #ifdef CONFIG_HS20 2621 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2622 { 2623 struct hostapd_data *hapd = eloop_ctx; 2624 struct sta_info *sta = timeout_ctx; 2625 2626 if (sta->remediation) { 2627 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2628 MACSTR " to indicate Subscription Remediation", 2629 MAC2STR(sta->addr)); 2630 hs20_send_wnm_notification(hapd, sta->addr, 2631 sta->remediation_method, 2632 sta->remediation_url); 2633 os_free(sta->remediation_url); 2634 sta->remediation_url = NULL; 2635 } 2636 2637 if (sta->hs20_deauth_req) { 2638 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2639 MACSTR " to indicate imminent deauthentication", 2640 MAC2STR(sta->addr)); 2641 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2642 sta->hs20_deauth_req); 2643 } 2644 } 2645 #endif /* CONFIG_HS20 */ 2646 2647 2648 static void ieee802_1x_finished(struct hostapd_data *hapd, 2649 struct sta_info *sta, int success, 2650 int remediation) 2651 { 2652 const u8 *key; 2653 size_t len; 2654 /* TODO: get PMKLifetime from WPA parameters */ 2655 static const int dot11RSNAConfigPMKLifetime = 43200; 2656 unsigned int session_timeout; 2657 2658 #ifdef CONFIG_HS20 2659 if (remediation && !sta->remediation) { 2660 sta->remediation = 1; 2661 os_free(sta->remediation_url); 2662 sta->remediation_url = 2663 os_strdup(hapd->conf->subscr_remediation_url); 2664 sta->remediation_method = 1; /* SOAP-XML SPP */ 2665 } 2666 2667 if (success && (sta->remediation || sta->hs20_deauth_req)) { 2668 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2669 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2670 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2671 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2672 hapd, sta); 2673 } 2674 #endif /* CONFIG_HS20 */ 2675 2676 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2677 if (sta->session_timeout_set) 2678 session_timeout = sta->session_timeout; 2679 else 2680 session_timeout = dot11RSNAConfigPMKLifetime; 2681 if (success && key && len >= PMK_LEN && !sta->remediation && 2682 !sta->hs20_deauth_requested && 2683 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2684 sta->eapol_sm) == 0) { 2685 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2686 HOSTAPD_LEVEL_DEBUG, 2687 "Added PMKSA cache entry (IEEE 802.1X)"); 2688 } 2689 2690 if (!success) { 2691 /* 2692 * Many devices require deauthentication after WPS provisioning 2693 * and some may not be be able to do that themselves, so 2694 * disconnect the client here. In addition, this may also 2695 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2696 * the EAPOL PAE state machine would remain in HELD state for 2697 * considerable amount of time and some EAP methods, like 2698 * EAP-FAST with anonymous provisioning, may require another 2699 * EAPOL authentication to be started to complete connection. 2700 */ 2701 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2702 "disconnection after EAP-Failure"); 2703 /* Add a small sleep to increase likelihood of previously 2704 * requested EAP-Failure TX getting out before this should the 2705 * driver reorder operations. 2706 */ 2707 os_sleep(0, 10000); 2708 ap_sta_disconnect(hapd, sta, sta->addr, 2709 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2710 hostapd_wps_eap_completed(hapd); 2711 } 2712 } 2713
