ieee802_1x.c 56 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029
  1. /*
  2. * hostapd / IEEE 802.1X-2004 Authenticator
  3. * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of the GNU General Public License version 2 as
  7. * published by the Free Software Foundation.
  8. *
  9. * Alternatively, this software may be distributed under the terms of BSD
  10. * license.
  11. *
  12. * See README and COPYING for more details.
  13. */
  14. #include "utils/includes.h"
  15. #include "utils/common.h"
  16. #include "utils/eloop.h"
  17. #include "crypto/md5.h"
  18. #include "crypto/crypto.h"
  19. #include "common/ieee802_11_defs.h"
  20. #include "common/wpa_ctrl.h"
  21. #include "radius/radius.h"
  22. #include "radius/radius_client.h"
  23. #include "eap_server/eap.h"
  24. #include "eap_common/eap_wsc_common.h"
  25. #include "eapol_auth/eapol_auth_sm.h"
  26. #include "eapol_auth/eapol_auth_sm_i.h"
  27. #include "hostapd.h"
  28. #include "accounting.h"
  29. #include "sta_info.h"
  30. #include "wpa_auth.h"
  31. #include "preauth_auth.h"
  32. #include "pmksa_cache_auth.h"
  33. #include "ap_config.h"
  34. #include "ieee802_1x.h"
  35. static void ieee802_1x_finished(struct hostapd_data *hapd,
  36. struct sta_info *sta, int success);
  37. static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta,
  38. u8 type, const u8 *data, size_t datalen)
  39. {
  40. u8 *buf;
  41. struct ieee802_1x_hdr *xhdr;
  42. size_t len;
  43. int encrypt = 0;
  44. len = sizeof(*xhdr) + datalen;
  45. buf = os_zalloc(len);
  46. if (buf == NULL) {
  47. wpa_printf(MSG_ERROR, "malloc() failed for "
  48. "ieee802_1x_send(len=%lu)",
  49. (unsigned long) len);
  50. return;
  51. }
  52. xhdr = (struct ieee802_1x_hdr *) buf;
  53. xhdr->version = hapd->conf->eapol_version;
  54. xhdr->type = type;
  55. xhdr->length = host_to_be16(datalen);
  56. if (datalen > 0 && data != NULL)
  57. os_memcpy(xhdr + 1, data, datalen);
  58. if (wpa_auth_pairwise_set(sta->wpa_sm))
  59. encrypt = 1;
  60. if (sta->flags & WLAN_STA_PREAUTH) {
  61. rsn_preauth_send(hapd, sta, buf, len);
  62. } else {
  63. hapd->drv.send_eapol(hapd, sta->addr, buf, len, encrypt);
  64. }
  65. os_free(buf);
  66. }
  67. void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
  68. struct sta_info *sta, int authorized)
  69. {
  70. int res;
  71. if (sta->flags & WLAN_STA_PREAUTH)
  72. return;
  73. if (authorized) {
  74. if (!(sta->flags & WLAN_STA_AUTHORIZED))
  75. wpa_msg(hapd->msg_ctx, MSG_INFO,
  76. AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr));
  77. sta->flags |= WLAN_STA_AUTHORIZED;
  78. res = hapd->drv.set_authorized(hapd, sta, 1);
  79. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  80. HOSTAPD_LEVEL_DEBUG, "authorizing port");
  81. } else {
  82. if ((sta->flags & (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC)) ==
  83. (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC))
  84. wpa_msg(hapd->msg_ctx, MSG_INFO,
  85. AP_STA_DISCONNECTED MACSTR,
  86. MAC2STR(sta->addr));
  87. sta->flags &= ~WLAN_STA_AUTHORIZED;
  88. res = hapd->drv.set_authorized(hapd, sta, 0);
  89. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  90. HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
  91. }
  92. if (res && errno != ENOENT) {
  93. printf("Could not set station " MACSTR " flags for kernel "
  94. "driver (errno=%d).\n", MAC2STR(sta->addr), errno);
  95. }
  96. if (authorized)
  97. accounting_sta_start(hapd, sta);
  98. }
  99. static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
  100. struct sta_info *sta,
  101. int idx, int broadcast,
  102. u8 *key_data, size_t key_len)
  103. {
  104. u8 *buf, *ekey;
  105. struct ieee802_1x_hdr *hdr;
  106. struct ieee802_1x_eapol_key *key;
  107. size_t len, ekey_len;
  108. struct eapol_state_machine *sm = sta->eapol_sm;
  109. if (sm == NULL)
  110. return;
  111. len = sizeof(*key) + key_len;
  112. buf = os_zalloc(sizeof(*hdr) + len);
  113. if (buf == NULL)
  114. return;
  115. hdr = (struct ieee802_1x_hdr *) buf;
  116. key = (struct ieee802_1x_eapol_key *) (hdr + 1);
  117. key->type = EAPOL_KEY_TYPE_RC4;
  118. key->key_length = htons(key_len);
  119. wpa_get_ntp_timestamp(key->replay_counter);
  120. if (os_get_random(key->key_iv, sizeof(key->key_iv))) {
  121. wpa_printf(MSG_ERROR, "Could not get random numbers");
  122. os_free(buf);
  123. return;
  124. }
  125. key->key_index = idx | (broadcast ? 0 : BIT(7));
  126. if (hapd->conf->eapol_key_index_workaround) {
  127. /* According to some information, WinXP Supplicant seems to
  128. * interpret bit7 as an indication whether the key is to be
  129. * activated, so make it possible to enable workaround that
  130. * sets this bit for all keys. */
  131. key->key_index |= BIT(7);
  132. }
  133. /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
  134. * MSK[32..63] is used to sign the message. */
  135. if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) {
  136. wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
  137. "and signing EAPOL-Key");
  138. os_free(buf);
  139. return;
  140. }
  141. os_memcpy((u8 *) (key + 1), key_data, key_len);
  142. ekey_len = sizeof(key->key_iv) + 32;
  143. ekey = os_malloc(ekey_len);
  144. if (ekey == NULL) {
  145. wpa_printf(MSG_ERROR, "Could not encrypt key");
  146. os_free(buf);
  147. return;
  148. }
  149. os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
  150. os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
  151. rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
  152. os_free(ekey);
  153. /* This header is needed here for HMAC-MD5, but it will be regenerated
  154. * in ieee802_1x_send() */
  155. hdr->version = hapd->conf->eapol_version;
  156. hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
  157. hdr->length = host_to_be16(len);
  158. hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
  159. key->key_signature);
  160. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
  161. " (%s index=%d)", MAC2STR(sm->addr),
  162. broadcast ? "broadcast" : "unicast", idx);
  163. ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
  164. if (sta->eapol_sm)
  165. sta->eapol_sm->dot1xAuthEapolFramesTx++;
  166. os_free(buf);
  167. }
  168. #ifndef CONFIG_NO_VLAN
  169. static struct hostapd_wep_keys *
  170. ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname)
  171. {
  172. struct hostapd_wep_keys *key;
  173. key = os_zalloc(sizeof(*key));
  174. if (key == NULL)
  175. return NULL;
  176. key->default_len = hapd->conf->default_wep_key_len;
  177. if (key->idx >= hapd->conf->broadcast_key_idx_max ||
  178. key->idx < hapd->conf->broadcast_key_idx_min)
  179. key->idx = hapd->conf->broadcast_key_idx_min;
  180. else
  181. key->idx++;
  182. if (!key->key[key->idx])
  183. key->key[key->idx] = os_malloc(key->default_len);
  184. if (key->key[key->idx] == NULL ||
  185. os_get_random(key->key[key->idx], key->default_len)) {
  186. printf("Could not generate random WEP key (dynamic VLAN).\n");
  187. os_free(key->key[key->idx]);
  188. key->key[key->idx] = NULL;
  189. os_free(key);
  190. return NULL;
  191. }
  192. key->len[key->idx] = key->default_len;
  193. wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n",
  194. ifname, key->idx);
  195. wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)",
  196. key->key[key->idx], key->len[key->idx]);
  197. if (hapd->drv.set_key(ifname, hapd, WPA_ALG_WEP, NULL, key->idx, 1,
  198. NULL, 0, key->key[key->idx], key->len[key->idx]))
  199. printf("Could not set dynamic VLAN WEP encryption key.\n");
  200. hapd->drv.set_drv_ieee8021x(hapd, ifname, 1);
  201. return key;
  202. }
  203. static struct hostapd_wep_keys *
  204. ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid,
  205. size_t vlan_id)
  206. {
  207. const char *ifname;
  208. if (vlan_id == 0)
  209. return &ssid->wep;
  210. if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys &&
  211. ssid->dyn_vlan_keys[vlan_id])
  212. return ssid->dyn_vlan_keys[vlan_id];
  213. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group "
  214. "state machine for VLAN ID %lu",
  215. (unsigned long) vlan_id);
  216. ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id);
  217. if (ifname == NULL) {
  218. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - "
  219. "cannot create group key state machine",
  220. (unsigned long) vlan_id);
  221. return NULL;
  222. }
  223. if (ssid->dyn_vlan_keys == NULL) {
  224. int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
  225. ssid->dyn_vlan_keys = os_zalloc(size);
  226. if (ssid->dyn_vlan_keys == NULL)
  227. return NULL;
  228. ssid->max_dyn_vlan_keys = vlan_id;
  229. }
  230. if (ssid->max_dyn_vlan_keys < vlan_id) {
  231. struct hostapd_wep_keys **na;
  232. int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
  233. na = os_realloc(ssid->dyn_vlan_keys, size);
  234. if (na == NULL)
  235. return NULL;
  236. ssid->dyn_vlan_keys = na;
  237. os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0,
  238. (vlan_id - ssid->max_dyn_vlan_keys) *
  239. sizeof(ssid->dyn_vlan_keys[0]));
  240. ssid->max_dyn_vlan_keys = vlan_id;
  241. }
  242. ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname);
  243. return ssid->dyn_vlan_keys[vlan_id];
  244. }
  245. #endif /* CONFIG_NO_VLAN */
  246. void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
  247. {
  248. struct eapol_authenticator *eapol = hapd->eapol_auth;
  249. struct eapol_state_machine *sm = sta->eapol_sm;
  250. #ifndef CONFIG_NO_VLAN
  251. struct hostapd_wep_keys *key = NULL;
  252. int vlan_id;
  253. #endif /* CONFIG_NO_VLAN */
  254. if (sm == NULL || !sm->eap_if->eapKeyData)
  255. return;
  256. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
  257. MAC2STR(sta->addr));
  258. #ifndef CONFIG_NO_VLAN
  259. vlan_id = sta->vlan_id;
  260. if (vlan_id < 0 || vlan_id > MAX_VLAN_ID)
  261. vlan_id = 0;
  262. if (vlan_id) {
  263. key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id);
  264. if (key && key->key[key->idx])
  265. ieee802_1x_tx_key_one(hapd, sta, key->idx, 1,
  266. key->key[key->idx],
  267. key->len[key->idx]);
  268. } else
  269. #endif /* CONFIG_NO_VLAN */
  270. if (eapol->default_wep_key) {
  271. ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
  272. eapol->default_wep_key,
  273. hapd->conf->default_wep_key_len);
  274. }
  275. if (hapd->conf->individual_wep_key_len > 0) {
  276. u8 *ikey;
  277. ikey = os_malloc(hapd->conf->individual_wep_key_len);
  278. if (ikey == NULL ||
  279. os_get_random(ikey, hapd->conf->individual_wep_key_len)) {
  280. wpa_printf(MSG_ERROR, "Could not generate random "
  281. "individual WEP key.");
  282. os_free(ikey);
  283. return;
  284. }
  285. wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
  286. ikey, hapd->conf->individual_wep_key_len);
  287. ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
  288. hapd->conf->individual_wep_key_len);
  289. /* TODO: set encryption in TX callback, i.e., only after STA
  290. * has ACKed EAPOL-Key frame */
  291. if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
  292. sta->addr, 0, 1, NULL, 0, ikey,
  293. hapd->conf->individual_wep_key_len)) {
  294. wpa_printf(MSG_ERROR, "Could not set individual WEP "
  295. "encryption.");
  296. }
  297. os_free(ikey);
  298. }
  299. }
  300. const char *radius_mode_txt(struct hostapd_data *hapd)
  301. {
  302. switch (hapd->iface->conf->hw_mode) {
  303. case HOSTAPD_MODE_IEEE80211A:
  304. return "802.11a";
  305. case HOSTAPD_MODE_IEEE80211G:
  306. return "802.11g";
  307. case HOSTAPD_MODE_IEEE80211B:
  308. default:
  309. return "802.11b";
  310. }
  311. }
  312. int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta)
  313. {
  314. int i;
  315. u8 rate = 0;
  316. for (i = 0; i < sta->supported_rates_len; i++)
  317. if ((sta->supported_rates[i] & 0x7f) > rate)
  318. rate = sta->supported_rates[i] & 0x7f;
  319. return rate;
  320. }
  321. #ifndef CONFIG_NO_RADIUS
  322. static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
  323. struct eapol_state_machine *sm,
  324. const u8 *eap, size_t len)
  325. {
  326. const u8 *identity;
  327. size_t identity_len;
  328. if (len <= sizeof(struct eap_hdr) ||
  329. eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY)
  330. return;
  331. identity = eap_get_identity(sm->eap, &identity_len);
  332. if (identity == NULL)
  333. return;
  334. /* Save station identity for future RADIUS packets */
  335. os_free(sm->identity);
  336. sm->identity = os_malloc(identity_len + 1);
  337. if (sm->identity == NULL) {
  338. sm->identity_len = 0;
  339. return;
  340. }
  341. os_memcpy(sm->identity, identity, identity_len);
  342. sm->identity_len = identity_len;
  343. sm->identity[identity_len] = '\0';
  344. hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
  345. HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
  346. sm->dot1xAuthEapolRespIdFramesRx++;
  347. }
  348. static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
  349. struct sta_info *sta,
  350. const u8 *eap, size_t len)
  351. {
  352. struct radius_msg *msg;
  353. char buf[128];
  354. struct eapol_state_machine *sm = sta->eapol_sm;
  355. if (sm == NULL)
  356. return;
  357. ieee802_1x_learn_identity(hapd, sm, eap, len);
  358. wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
  359. "packet");
  360. sm->radius_identifier = radius_client_get_id(hapd->radius);
  361. msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
  362. sm->radius_identifier);
  363. if (msg == NULL) {
  364. printf("Could not create net RADIUS packet\n");
  365. return;
  366. }
  367. radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
  368. if (sm->identity &&
  369. !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
  370. sm->identity, sm->identity_len)) {
  371. printf("Could not add User-Name\n");
  372. goto fail;
  373. }
  374. if (hapd->conf->own_ip_addr.af == AF_INET &&
  375. !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
  376. (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
  377. printf("Could not add NAS-IP-Address\n");
  378. goto fail;
  379. }
  380. #ifdef CONFIG_IPV6
  381. if (hapd->conf->own_ip_addr.af == AF_INET6 &&
  382. !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
  383. (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
  384. printf("Could not add NAS-IPv6-Address\n");
  385. goto fail;
  386. }
  387. #endif /* CONFIG_IPV6 */
  388. if (hapd->conf->nas_identifier &&
  389. !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
  390. (u8 *) hapd->conf->nas_identifier,
  391. os_strlen(hapd->conf->nas_identifier))) {
  392. printf("Could not add NAS-Identifier\n");
  393. goto fail;
  394. }
  395. if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
  396. printf("Could not add NAS-Port\n");
  397. goto fail;
  398. }
  399. os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
  400. MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid);
  401. buf[sizeof(buf) - 1] = '\0';
  402. if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
  403. (u8 *) buf, os_strlen(buf))) {
  404. printf("Could not add Called-Station-Id\n");
  405. goto fail;
  406. }
  407. os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
  408. MAC2STR(sta->addr));
  409. buf[sizeof(buf) - 1] = '\0';
  410. if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
  411. (u8 *) buf, os_strlen(buf))) {
  412. printf("Could not add Calling-Station-Id\n");
  413. goto fail;
  414. }
  415. /* TODO: should probably check MTU from driver config; 2304 is max for
  416. * IEEE 802.11, but use 1400 to avoid problems with too large packets
  417. */
  418. if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
  419. printf("Could not add Framed-MTU\n");
  420. goto fail;
  421. }
  422. if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
  423. RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
  424. printf("Could not add NAS-Port-Type\n");
  425. goto fail;
  426. }
  427. if (sta->flags & WLAN_STA_PREAUTH) {
  428. os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
  429. sizeof(buf));
  430. } else {
  431. os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
  432. radius_sta_rate(hapd, sta) / 2,
  433. (radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
  434. radius_mode_txt(hapd));
  435. buf[sizeof(buf) - 1] = '\0';
  436. }
  437. if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
  438. (u8 *) buf, os_strlen(buf))) {
  439. printf("Could not add Connect-Info\n");
  440. goto fail;
  441. }
  442. if (eap && !radius_msg_add_eap(msg, eap, len)) {
  443. printf("Could not add EAP-Message\n");
  444. goto fail;
  445. }
  446. /* State attribute must be copied if and only if this packet is
  447. * Access-Request reply to the previous Access-Challenge */
  448. if (sm->last_recv_radius &&
  449. radius_msg_get_hdr(sm->last_recv_radius)->code ==
  450. RADIUS_CODE_ACCESS_CHALLENGE) {
  451. int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
  452. RADIUS_ATTR_STATE);
  453. if (res < 0) {
  454. printf("Could not copy State attribute from previous "
  455. "Access-Challenge\n");
  456. goto fail;
  457. }
  458. if (res > 0) {
  459. wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
  460. }
  461. }
  462. radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr);
  463. return;
  464. fail:
  465. radius_msg_free(msg);
  466. }
  467. #endif /* CONFIG_NO_RADIUS */
  468. static void handle_eap_response(struct hostapd_data *hapd,
  469. struct sta_info *sta, struct eap_hdr *eap,
  470. size_t len)
  471. {
  472. u8 type, *data;
  473. struct eapol_state_machine *sm = sta->eapol_sm;
  474. if (sm == NULL)
  475. return;
  476. data = (u8 *) (eap + 1);
  477. if (len < sizeof(*eap) + 1) {
  478. printf("handle_eap_response: too short response data\n");
  479. return;
  480. }
  481. sm->eap_type_supp = type = data[0];
  482. hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
  483. HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
  484. "id=%d len=%d) from STA: EAP Response-%s (%d)",
  485. eap->code, eap->identifier, be_to_host16(eap->length),
  486. eap_server_get_name(0, type), type);
  487. sm->dot1xAuthEapolRespFramesRx++;
  488. wpabuf_free(sm->eap_if->eapRespData);
  489. sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
  490. sm->eapolEap = TRUE;
  491. }
  492. /* Process incoming EAP packet from Supplicant */
  493. static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta,
  494. u8 *buf, size_t len)
  495. {
  496. struct eap_hdr *eap;
  497. u16 eap_len;
  498. if (len < sizeof(*eap)) {
  499. printf(" too short EAP packet\n");
  500. return;
  501. }
  502. eap = (struct eap_hdr *) buf;
  503. eap_len = be_to_host16(eap->length);
  504. wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
  505. eap->code, eap->identifier, eap_len);
  506. if (eap_len < sizeof(*eap)) {
  507. wpa_printf(MSG_DEBUG, " Invalid EAP length");
  508. return;
  509. } else if (eap_len > len) {
  510. wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP "
  511. "packet");
  512. return;
  513. } else if (eap_len < len) {
  514. wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP "
  515. "packet", (unsigned long) len - eap_len);
  516. }
  517. switch (eap->code) {
  518. case EAP_CODE_REQUEST:
  519. wpa_printf(MSG_DEBUG, " (request)");
  520. return;
  521. case EAP_CODE_RESPONSE:
  522. wpa_printf(MSG_DEBUG, " (response)");
  523. handle_eap_response(hapd, sta, eap, eap_len);
  524. break;
  525. case EAP_CODE_SUCCESS:
  526. wpa_printf(MSG_DEBUG, " (success)");
  527. return;
  528. case EAP_CODE_FAILURE:
  529. wpa_printf(MSG_DEBUG, " (failure)");
  530. return;
  531. default:
  532. wpa_printf(MSG_DEBUG, " (unknown code)");
  533. return;
  534. }
  535. }
  536. static struct eapol_state_machine *
  537. ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
  538. {
  539. int flags = 0;
  540. if (sta->flags & WLAN_STA_PREAUTH)
  541. flags |= EAPOL_SM_PREAUTH;
  542. if (sta->wpa_sm) {
  543. flags |= EAPOL_SM_USES_WPA;
  544. if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
  545. flags |= EAPOL_SM_FROM_PMKSA_CACHE;
  546. }
  547. return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
  548. sta->wps_ie, sta->p2p_ie, sta);
  549. }
  550. /**
  551. * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
  552. * @hapd: hostapd BSS data
  553. * @sa: Source address (sender of the EAPOL frame)
  554. * @buf: EAPOL frame
  555. * @len: Length of buf in octets
  556. *
  557. * This function is called for each incoming EAPOL frame from the interface
  558. */
  559. void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
  560. size_t len)
  561. {
  562. struct sta_info *sta;
  563. struct ieee802_1x_hdr *hdr;
  564. struct ieee802_1x_eapol_key *key;
  565. u16 datalen;
  566. struct rsn_pmksa_cache_entry *pmksa;
  567. if (!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
  568. !hapd->conf->wps_state)
  569. return;
  570. wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
  571. (unsigned long) len, MAC2STR(sa));
  572. sta = ap_get_sta(hapd, sa);
  573. if (!sta || !(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH))) {
  574. wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
  575. "associated/Pre-authenticating STA");
  576. return;
  577. }
  578. if (len < sizeof(*hdr)) {
  579. printf(" too short IEEE 802.1X packet\n");
  580. return;
  581. }
  582. hdr = (struct ieee802_1x_hdr *) buf;
  583. datalen = be_to_host16(hdr->length);
  584. wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d",
  585. hdr->version, hdr->type, datalen);
  586. if (len - sizeof(*hdr) < datalen) {
  587. printf(" frame too short for this IEEE 802.1X packet\n");
  588. if (sta->eapol_sm)
  589. sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
  590. return;
  591. }
  592. if (len - sizeof(*hdr) > datalen) {
  593. wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after "
  594. "IEEE 802.1X packet",
  595. (unsigned long) len - sizeof(*hdr) - datalen);
  596. }
  597. if (sta->eapol_sm) {
  598. sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
  599. sta->eapol_sm->dot1xAuthEapolFramesRx++;
  600. }
  601. key = (struct ieee802_1x_eapol_key *) (hdr + 1);
  602. if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
  603. hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
  604. (key->type == EAPOL_KEY_TYPE_WPA ||
  605. key->type == EAPOL_KEY_TYPE_RSN)) {
  606. wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
  607. sizeof(*hdr) + datalen);
  608. return;
  609. }
  610. if ((!hapd->conf->ieee802_1x &&
  611. !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) ||
  612. wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm)))
  613. return;
  614. if (!sta->eapol_sm) {
  615. sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
  616. if (!sta->eapol_sm)
  617. return;
  618. #ifdef CONFIG_WPS
  619. if (!hapd->conf->ieee802_1x &&
  620. ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
  621. WLAN_STA_MAYBE_WPS)) {
  622. /*
  623. * Delay EAPOL frame transmission until a possible WPS
  624. * STA initiates the handshake with EAPOL-Start.
  625. */
  626. sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
  627. }
  628. #endif /* CONFIG_WPS */
  629. sta->eapol_sm->eap_if->portEnabled = TRUE;
  630. }
  631. /* since we support version 1, we can ignore version field and proceed
  632. * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
  633. /* TODO: actually, we are not version 1 anymore.. However, Version 2
  634. * does not change frame contents, so should be ok to process frames
  635. * more or less identically. Some changes might be needed for
  636. * verification of fields. */
  637. switch (hdr->type) {
  638. case IEEE802_1X_TYPE_EAP_PACKET:
  639. handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
  640. break;
  641. case IEEE802_1X_TYPE_EAPOL_START:
  642. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  643. HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
  644. "from STA");
  645. sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
  646. pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
  647. if (pmksa) {
  648. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
  649. HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
  650. "available - ignore it since "
  651. "STA sent EAPOL-Start");
  652. wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
  653. }
  654. sta->eapol_sm->eapolStart = TRUE;
  655. sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
  656. eap_server_clear_identity(sta->eapol_sm->eap);
  657. wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
  658. break;
  659. case IEEE802_1X_TYPE_EAPOL_LOGOFF:
  660. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  661. HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
  662. "from STA");
  663. sta->acct_terminate_cause =
  664. RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
  665. accounting_sta_stop(hapd, sta);
  666. sta->eapol_sm->eapolLogoff = TRUE;
  667. sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
  668. eap_server_clear_identity(sta->eapol_sm->eap);
  669. break;
  670. case IEEE802_1X_TYPE_EAPOL_KEY:
  671. wpa_printf(MSG_DEBUG, " EAPOL-Key");
  672. if (!(sta->flags & WLAN_STA_AUTHORIZED)) {
  673. wpa_printf(MSG_DEBUG, " Dropped key data from "
  674. "unauthorized Supplicant");
  675. break;
  676. }
  677. break;
  678. case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
  679. wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert");
  680. /* TODO: implement support for this; show data */
  681. break;
  682. default:
  683. wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type");
  684. sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
  685. break;
  686. }
  687. eapol_auth_step(sta->eapol_sm);
  688. }
  689. /**
  690. * ieee802_1x_new_station - Start IEEE 802.1X authentication
  691. * @hapd: hostapd BSS data
  692. * @sta: The station
  693. *
  694. * This function is called to start IEEE 802.1X authentication when a new
  695. * station completes IEEE 802.11 association.
  696. */
  697. void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
  698. {
  699. struct rsn_pmksa_cache_entry *pmksa;
  700. int reassoc = 1;
  701. int force_1x = 0;
  702. #ifdef CONFIG_WPS
  703. if (hapd->conf->wps_state && hapd->conf->wpa &&
  704. (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
  705. /*
  706. * Need to enable IEEE 802.1X/EAPOL state machines for possible
  707. * WPS handshake even if IEEE 802.1X/EAPOL is not used for
  708. * authentication in this BSS.
  709. */
  710. force_1x = 1;
  711. }
  712. #endif /* CONFIG_WPS */
  713. if ((!force_1x && !hapd->conf->ieee802_1x) ||
  714. wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm)))
  715. return;
  716. if (sta->eapol_sm == NULL) {
  717. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  718. HOSTAPD_LEVEL_DEBUG, "start authentication");
  719. sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
  720. if (sta->eapol_sm == NULL) {
  721. hostapd_logger(hapd, sta->addr,
  722. HOSTAPD_MODULE_IEEE8021X,
  723. HOSTAPD_LEVEL_INFO,
  724. "failed to allocate state machine");
  725. return;
  726. }
  727. reassoc = 0;
  728. }
  729. #ifdef CONFIG_WPS
  730. sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
  731. if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) {
  732. /*
  733. * Delay EAPOL frame transmission until a possible WPS
  734. * initiates the handshake with EAPOL-Start.
  735. */
  736. sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
  737. }
  738. #endif /* CONFIG_WPS */
  739. sta->eapol_sm->eap_if->portEnabled = TRUE;
  740. pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
  741. if (pmksa) {
  742. int old_vlanid;
  743. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  744. HOSTAPD_LEVEL_DEBUG,
  745. "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
  746. /* Setup EAPOL state machines to already authenticated state
  747. * because of existing PMKSA information in the cache. */
  748. sta->eapol_sm->keyRun = TRUE;
  749. sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
  750. sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
  751. sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
  752. sta->eapol_sm->authSuccess = TRUE;
  753. if (sta->eapol_sm->eap)
  754. eap_sm_notify_cached(sta->eapol_sm->eap);
  755. old_vlanid = sta->vlan_id;
  756. pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
  757. if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
  758. sta->vlan_id = 0;
  759. ap_sta_bind_vlan(hapd, sta, old_vlanid);
  760. } else {
  761. if (reassoc) {
  762. /*
  763. * Force EAPOL state machines to start
  764. * re-authentication without having to wait for the
  765. * Supplicant to send EAPOL-Start.
  766. */
  767. sta->eapol_sm->reAuthenticate = TRUE;
  768. }
  769. eapol_auth_step(sta->eapol_sm);
  770. }
  771. }
  772. void ieee802_1x_free_station(struct sta_info *sta)
  773. {
  774. struct eapol_state_machine *sm = sta->eapol_sm;
  775. if (sm == NULL)
  776. return;
  777. sta->eapol_sm = NULL;
  778. #ifndef CONFIG_NO_RADIUS
  779. radius_msg_free(sm->last_recv_radius);
  780. radius_free_class(&sm->radius_class);
  781. #endif /* CONFIG_NO_RADIUS */
  782. os_free(sm->identity);
  783. eapol_auth_free(sm);
  784. }
  785. #ifndef CONFIG_NO_RADIUS
  786. static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
  787. struct sta_info *sta)
  788. {
  789. u8 *eap;
  790. size_t len;
  791. struct eap_hdr *hdr;
  792. int eap_type = -1;
  793. char buf[64];
  794. struct radius_msg *msg;
  795. struct eapol_state_machine *sm = sta->eapol_sm;
  796. if (sm == NULL || sm->last_recv_radius == NULL) {
  797. if (sm)
  798. sm->eap_if->aaaEapNoReq = TRUE;
  799. return;
  800. }
  801. msg = sm->last_recv_radius;
  802. eap = radius_msg_get_eap(msg, &len);
  803. if (eap == NULL) {
  804. /* RFC 3579, Chap. 2.6.3:
  805. * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
  806. * attribute */
  807. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  808. HOSTAPD_LEVEL_WARNING, "could not extract "
  809. "EAP-Message from RADIUS message");
  810. sm->eap_if->aaaEapNoReq = TRUE;
  811. return;
  812. }
  813. if (len < sizeof(*hdr)) {
  814. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  815. HOSTAPD_LEVEL_WARNING, "too short EAP packet "
  816. "received from authentication server");
  817. os_free(eap);
  818. sm->eap_if->aaaEapNoReq = TRUE;
  819. return;
  820. }
  821. if (len > sizeof(*hdr))
  822. eap_type = eap[sizeof(*hdr)];
  823. hdr = (struct eap_hdr *) eap;
  824. switch (hdr->code) {
  825. case EAP_CODE_REQUEST:
  826. if (eap_type >= 0)
  827. sm->eap_type_authsrv = eap_type;
  828. os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
  829. eap_type >= 0 ? eap_server_get_name(0, eap_type) :
  830. "??",
  831. eap_type);
  832. break;
  833. case EAP_CODE_RESPONSE:
  834. os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
  835. eap_type >= 0 ? eap_server_get_name(0, eap_type) :
  836. "??",
  837. eap_type);
  838. break;
  839. case EAP_CODE_SUCCESS:
  840. os_strlcpy(buf, "EAP Success", sizeof(buf));
  841. break;
  842. case EAP_CODE_FAILURE:
  843. os_strlcpy(buf, "EAP Failure", sizeof(buf));
  844. break;
  845. default:
  846. os_strlcpy(buf, "unknown EAP code", sizeof(buf));
  847. break;
  848. }
  849. buf[sizeof(buf) - 1] = '\0';
  850. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  851. HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
  852. "id=%d len=%d) from RADIUS server: %s",
  853. hdr->code, hdr->identifier, be_to_host16(hdr->length),
  854. buf);
  855. sm->eap_if->aaaEapReq = TRUE;
  856. wpabuf_free(sm->eap_if->aaaEapReqData);
  857. sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len);
  858. }
  859. static void ieee802_1x_get_keys(struct hostapd_data *hapd,
  860. struct sta_info *sta, struct radius_msg *msg,
  861. struct radius_msg *req,
  862. const u8 *shared_secret,
  863. size_t shared_secret_len)
  864. {
  865. struct radius_ms_mppe_keys *keys;
  866. struct eapol_state_machine *sm = sta->eapol_sm;
  867. if (sm == NULL)
  868. return;
  869. keys = radius_msg_get_ms_keys(msg, req, shared_secret,
  870. shared_secret_len);
  871. if (keys && keys->send && keys->recv) {
  872. size_t len = keys->send_len + keys->recv_len;
  873. wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
  874. keys->send, keys->send_len);
  875. wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
  876. keys->recv, keys->recv_len);
  877. os_free(sm->eap_if->aaaEapKeyData);
  878. sm->eap_if->aaaEapKeyData = os_malloc(len);
  879. if (sm->eap_if->aaaEapKeyData) {
  880. os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
  881. keys->recv_len);
  882. os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
  883. keys->send, keys->send_len);
  884. sm->eap_if->aaaEapKeyDataLen = len;
  885. sm->eap_if->aaaEapKeyAvailable = TRUE;
  886. }
  887. }
  888. if (keys) {
  889. os_free(keys->send);
  890. os_free(keys->recv);
  891. os_free(keys);
  892. }
  893. }
  894. static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
  895. struct sta_info *sta,
  896. struct radius_msg *msg)
  897. {
  898. u8 *class;
  899. size_t class_len;
  900. struct eapol_state_machine *sm = sta->eapol_sm;
  901. int count, i;
  902. struct radius_attr_data *nclass;
  903. size_t nclass_count;
  904. if (!hapd->conf->radius->acct_server || hapd->radius == NULL ||
  905. sm == NULL)
  906. return;
  907. radius_free_class(&sm->radius_class);
  908. count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
  909. if (count <= 0)
  910. return;
  911. nclass = os_zalloc(count * sizeof(struct radius_attr_data));
  912. if (nclass == NULL)
  913. return;
  914. nclass_count = 0;
  915. class = NULL;
  916. for (i = 0; i < count; i++) {
  917. do {
  918. if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
  919. &class, &class_len,
  920. class) < 0) {
  921. i = count;
  922. break;
  923. }
  924. } while (class_len < 1);
  925. nclass[nclass_count].data = os_malloc(class_len);
  926. if (nclass[nclass_count].data == NULL)
  927. break;
  928. os_memcpy(nclass[nclass_count].data, class, class_len);
  929. nclass[nclass_count].len = class_len;
  930. nclass_count++;
  931. }
  932. sm->radius_class.attr = nclass;
  933. sm->radius_class.count = nclass_count;
  934. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
  935. "attributes for " MACSTR,
  936. (unsigned long) sm->radius_class.count,
  937. MAC2STR(sta->addr));
  938. }
  939. /* Update sta->identity based on User-Name attribute in Access-Accept */
  940. static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
  941. struct sta_info *sta,
  942. struct radius_msg *msg)
  943. {
  944. u8 *buf, *identity;
  945. size_t len;
  946. struct eapol_state_machine *sm = sta->eapol_sm;
  947. if (sm == NULL)
  948. return;
  949. if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
  950. NULL) < 0)
  951. return;
  952. identity = os_malloc(len + 1);
  953. if (identity == NULL)
  954. return;
  955. os_memcpy(identity, buf, len);
  956. identity[len] = '\0';
  957. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  958. HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
  959. "User-Name from Access-Accept '%s'",
  960. sm->identity ? (char *) sm->identity : "N/A",
  961. (char *) identity);
  962. os_free(sm->identity);
  963. sm->identity = identity;
  964. sm->identity_len = len;
  965. }
  966. struct sta_id_search {
  967. u8 identifier;
  968. struct eapol_state_machine *sm;
  969. };
  970. static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
  971. struct sta_info *sta,
  972. void *ctx)
  973. {
  974. struct sta_id_search *id_search = ctx;
  975. struct eapol_state_machine *sm = sta->eapol_sm;
  976. if (sm && sm->radius_identifier >= 0 &&
  977. sm->radius_identifier == id_search->identifier) {
  978. id_search->sm = sm;
  979. return 1;
  980. }
  981. return 0;
  982. }
  983. static struct eapol_state_machine *
  984. ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
  985. {
  986. struct sta_id_search id_search;
  987. id_search.identifier = identifier;
  988. id_search.sm = NULL;
  989. ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
  990. return id_search.sm;
  991. }
  992. /**
  993. * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
  994. * @msg: RADIUS response message
  995. * @req: RADIUS request message
  996. * @shared_secret: RADIUS shared secret
  997. * @shared_secret_len: Length of shared_secret in octets
  998. * @data: Context data (struct hostapd_data *)
  999. * Returns: Processing status
  1000. */
  1001. static RadiusRxResult
  1002. ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
  1003. const u8 *shared_secret, size_t shared_secret_len,
  1004. void *data)
  1005. {
  1006. struct hostapd_data *hapd = data;
  1007. struct sta_info *sta;
  1008. u32 session_timeout = 0, termination_action, acct_interim_interval;
  1009. int session_timeout_set, old_vlanid = 0;
  1010. struct eapol_state_machine *sm;
  1011. int override_eapReq = 0;
  1012. struct radius_hdr *hdr = radius_msg_get_hdr(msg);
  1013. sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
  1014. if (sm == NULL) {
  1015. wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
  1016. "station for this RADIUS message");
  1017. return RADIUS_RX_UNKNOWN;
  1018. }
  1019. sta = sm->sta;
  1020. /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
  1021. * present when packet contains an EAP-Message attribute */
  1022. if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
  1023. radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
  1024. 0) < 0 &&
  1025. radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
  1026. wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
  1027. "Message-Authenticator since it does not include "
  1028. "EAP-Message");
  1029. } else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
  1030. req, 1)) {
  1031. printf("Incoming RADIUS packet did not have correct "
  1032. "Message-Authenticator - dropped\n");
  1033. return RADIUS_RX_INVALID_AUTHENTICATOR;
  1034. }
  1035. if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
  1036. hdr->code != RADIUS_CODE_ACCESS_REJECT &&
  1037. hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
  1038. printf("Unknown RADIUS message code\n");
  1039. return RADIUS_RX_UNKNOWN;
  1040. }
  1041. sm->radius_identifier = -1;
  1042. wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
  1043. MAC2STR(sta->addr));
  1044. radius_msg_free(sm->last_recv_radius);
  1045. sm->last_recv_radius = msg;
  1046. session_timeout_set =
  1047. !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
  1048. &session_timeout);
  1049. if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
  1050. &termination_action))
  1051. termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
  1052. if (hapd->conf->acct_interim_interval == 0 &&
  1053. hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
  1054. radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
  1055. &acct_interim_interval) == 0) {
  1056. if (acct_interim_interval < 60) {
  1057. hostapd_logger(hapd, sta->addr,
  1058. HOSTAPD_MODULE_IEEE8021X,
  1059. HOSTAPD_LEVEL_INFO,
  1060. "ignored too small "
  1061. "Acct-Interim-Interval %d",
  1062. acct_interim_interval);
  1063. } else
  1064. sta->acct_interim_interval = acct_interim_interval;
  1065. }
  1066. switch (hdr->code) {
  1067. case RADIUS_CODE_ACCESS_ACCEPT:
  1068. if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
  1069. sta->vlan_id = 0;
  1070. #ifndef CONFIG_NO_VLAN
  1071. else {
  1072. old_vlanid = sta->vlan_id;
  1073. sta->vlan_id = radius_msg_get_vlanid(msg);
  1074. }
  1075. if (sta->vlan_id > 0 &&
  1076. hostapd_get_vlan_id_ifname(hapd->conf->vlan,
  1077. sta->vlan_id)) {
  1078. hostapd_logger(hapd, sta->addr,
  1079. HOSTAPD_MODULE_RADIUS,
  1080. HOSTAPD_LEVEL_INFO,
  1081. "VLAN ID %d", sta->vlan_id);
  1082. } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
  1083. sta->eapol_sm->authFail = TRUE;
  1084. hostapd_logger(hapd, sta->addr,
  1085. HOSTAPD_MODULE_IEEE8021X,
  1086. HOSTAPD_LEVEL_INFO, "authentication "
  1087. "server did not include required VLAN "
  1088. "ID in Access-Accept");
  1089. break;
  1090. }
  1091. #endif /* CONFIG_NO_VLAN */
  1092. if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
  1093. break;
  1094. /* RFC 3580, Ch. 3.17 */
  1095. if (session_timeout_set && termination_action ==
  1096. RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
  1097. sm->reAuthPeriod = session_timeout;
  1098. } else if (session_timeout_set)
  1099. ap_sta_session_timeout(hapd, sta, session_timeout);
  1100. sm->eap_if->aaaSuccess = TRUE;
  1101. override_eapReq = 1;
  1102. ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
  1103. shared_secret_len);
  1104. ieee802_1x_store_radius_class(hapd, sta, msg);
  1105. ieee802_1x_update_sta_identity(hapd, sta, msg);
  1106. if (sm->eap_if->eapKeyAvailable &&
  1107. wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt,
  1108. session_timeout_set ?
  1109. (int) session_timeout : -1, sm) == 0) {
  1110. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
  1111. HOSTAPD_LEVEL_DEBUG,
  1112. "Added PMKSA cache entry");
  1113. }
  1114. break;
  1115. case RADIUS_CODE_ACCESS_REJECT:
  1116. sm->eap_if->aaaFail = TRUE;
  1117. override_eapReq = 1;
  1118. break;
  1119. case RADIUS_CODE_ACCESS_CHALLENGE:
  1120. sm->eap_if->aaaEapReq = TRUE;
  1121. if (session_timeout_set) {
  1122. /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
  1123. sm->eap_if->aaaMethodTimeout = session_timeout;
  1124. hostapd_logger(hapd, sm->addr,
  1125. HOSTAPD_MODULE_IEEE8021X,
  1126. HOSTAPD_LEVEL_DEBUG,
  1127. "using EAP timeout of %d seconds (from "
  1128. "RADIUS)",
  1129. sm->eap_if->aaaMethodTimeout);
  1130. } else {
  1131. /*
  1132. * Use dynamic retransmission behavior per EAP
  1133. * specification.
  1134. */
  1135. sm->eap_if->aaaMethodTimeout = 0;
  1136. }
  1137. break;
  1138. }
  1139. ieee802_1x_decapsulate_radius(hapd, sta);
  1140. if (override_eapReq)
  1141. sm->eap_if->aaaEapReq = FALSE;
  1142. eapol_auth_step(sm);
  1143. return RADIUS_RX_QUEUED;
  1144. }
  1145. #endif /* CONFIG_NO_RADIUS */
  1146. void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
  1147. {
  1148. struct eapol_state_machine *sm = sta->eapol_sm;
  1149. if (sm == NULL)
  1150. return;
  1151. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  1152. HOSTAPD_LEVEL_DEBUG, "aborting authentication");
  1153. #ifndef CONFIG_NO_RADIUS
  1154. radius_msg_free(sm->last_recv_radius);
  1155. sm->last_recv_radius = NULL;
  1156. #endif /* CONFIG_NO_RADIUS */
  1157. if (sm->eap_if->eapTimeout) {
  1158. /*
  1159. * Disconnect the STA since it did not reply to the last EAP
  1160. * request and we cannot continue EAP processing (EAP-Failure
  1161. * could only be sent if the EAP peer actually replied).
  1162. */
  1163. sm->eap_if->portEnabled = FALSE;
  1164. ap_sta_disconnect(hapd, sta, sta->addr,
  1165. WLAN_REASON_PREV_AUTH_NOT_VALID);
  1166. }
  1167. }
  1168. static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
  1169. {
  1170. struct eapol_authenticator *eapol = hapd->eapol_auth;
  1171. if (hapd->conf->default_wep_key_len < 1)
  1172. return 0;
  1173. os_free(eapol->default_wep_key);
  1174. eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
  1175. if (eapol->default_wep_key == NULL ||
  1176. os_get_random(eapol->default_wep_key,
  1177. hapd->conf->default_wep_key_len)) {
  1178. printf("Could not generate random WEP key.\n");
  1179. os_free(eapol->default_wep_key);
  1180. eapol->default_wep_key = NULL;
  1181. return -1;
  1182. }
  1183. wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
  1184. eapol->default_wep_key,
  1185. hapd->conf->default_wep_key_len);
  1186. return 0;
  1187. }
  1188. static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
  1189. struct sta_info *sta, void *ctx)
  1190. {
  1191. if (sta->eapol_sm) {
  1192. sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
  1193. eapol_auth_step(sta->eapol_sm);
  1194. }
  1195. return 0;
  1196. }
  1197. static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx)
  1198. {
  1199. struct hostapd_data *hapd = eloop_ctx;
  1200. struct eapol_authenticator *eapol = hapd->eapol_auth;
  1201. if (eapol->default_wep_key_idx >= 3)
  1202. eapol->default_wep_key_idx =
  1203. hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
  1204. else
  1205. eapol->default_wep_key_idx++;
  1206. wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
  1207. eapol->default_wep_key_idx);
  1208. if (ieee802_1x_rekey_broadcast(hapd)) {
  1209. hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
  1210. HOSTAPD_LEVEL_WARNING, "failed to generate a "
  1211. "new broadcast key");
  1212. os_free(eapol->default_wep_key);
  1213. eapol->default_wep_key = NULL;
  1214. return;
  1215. }
  1216. /* TODO: Could setup key for RX here, but change default TX keyid only
  1217. * after new broadcast key has been sent to all stations. */
  1218. if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, NULL,
  1219. eapol->default_wep_key_idx, 1, NULL, 0,
  1220. eapol->default_wep_key,
  1221. hapd->conf->default_wep_key_len)) {
  1222. hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
  1223. HOSTAPD_LEVEL_WARNING, "failed to configure a "
  1224. "new broadcast key");
  1225. os_free(eapol->default_wep_key);
  1226. eapol->default_wep_key = NULL;
  1227. return;
  1228. }
  1229. ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
  1230. if (hapd->conf->wep_rekeying_period > 0) {
  1231. eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
  1232. ieee802_1x_rekey, hapd, NULL);
  1233. }
  1234. }
  1235. static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type,
  1236. const u8 *data, size_t datalen)
  1237. {
  1238. #ifdef CONFIG_WPS
  1239. struct sta_info *sta = sta_ctx;
  1240. if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
  1241. WLAN_STA_MAYBE_WPS) {
  1242. const u8 *identity;
  1243. size_t identity_len;
  1244. struct eapol_state_machine *sm = sta->eapol_sm;
  1245. identity = eap_get_identity(sm->eap, &identity_len);
  1246. if (identity &&
  1247. ((identity_len == WSC_ID_ENROLLEE_LEN &&
  1248. os_memcmp(identity, WSC_ID_ENROLLEE,
  1249. WSC_ID_ENROLLEE_LEN) == 0) ||
  1250. (identity_len == WSC_ID_REGISTRAR_LEN &&
  1251. os_memcmp(identity, WSC_ID_REGISTRAR,
  1252. WSC_ID_REGISTRAR_LEN) == 0))) {
  1253. wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
  1254. "WLAN_STA_WPS");
  1255. sta->flags |= WLAN_STA_WPS;
  1256. }
  1257. }
  1258. #endif /* CONFIG_WPS */
  1259. ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
  1260. }
  1261. static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx,
  1262. const u8 *data, size_t datalen)
  1263. {
  1264. #ifndef CONFIG_NO_RADIUS
  1265. struct hostapd_data *hapd = ctx;
  1266. struct sta_info *sta = sta_ctx;
  1267. ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
  1268. #endif /* CONFIG_NO_RADIUS */
  1269. }
  1270. static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success,
  1271. int preauth)
  1272. {
  1273. struct hostapd_data *hapd = ctx;
  1274. struct sta_info *sta = sta_ctx;
  1275. if (preauth)
  1276. rsn_preauth_finished(hapd, sta, success);
  1277. else
  1278. ieee802_1x_finished(hapd, sta, success);
  1279. }
  1280. static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity,
  1281. size_t identity_len, int phase2,
  1282. struct eap_user *user)
  1283. {
  1284. struct hostapd_data *hapd = ctx;
  1285. const struct hostapd_eap_user *eap_user;
  1286. int i, count;
  1287. eap_user = hostapd_get_eap_user(hapd->conf, identity,
  1288. identity_len, phase2);
  1289. if (eap_user == NULL)
  1290. return -1;
  1291. os_memset(user, 0, sizeof(*user));
  1292. user->phase2 = phase2;
  1293. count = EAP_USER_MAX_METHODS;
  1294. if (count > EAP_MAX_METHODS)
  1295. count = EAP_MAX_METHODS;
  1296. for (i = 0; i < count; i++) {
  1297. user->methods[i].vendor = eap_user->methods[i].vendor;
  1298. user->methods[i].method = eap_user->methods[i].method;
  1299. }
  1300. if (eap_user->password) {
  1301. user->password = os_malloc(eap_user->password_len);
  1302. if (user->password == NULL)
  1303. return -1;
  1304. os_memcpy(user->password, eap_user->password,
  1305. eap_user->password_len);
  1306. user->password_len = eap_user->password_len;
  1307. }
  1308. user->force_version = eap_user->force_version;
  1309. user->ttls_auth = eap_user->ttls_auth;
  1310. return 0;
  1311. }
  1312. static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr)
  1313. {
  1314. struct hostapd_data *hapd = ctx;
  1315. struct sta_info *sta;
  1316. sta = ap_get_sta(hapd, addr);
  1317. if (sta == NULL || sta->eapol_sm == NULL)
  1318. return 0;
  1319. return 1;
  1320. }
  1321. static void ieee802_1x_logger(void *ctx, const u8 *addr,
  1322. eapol_logger_level level, const char *txt)
  1323. {
  1324. #ifndef CONFIG_NO_HOSTAPD_LOGGER
  1325. struct hostapd_data *hapd = ctx;
  1326. int hlevel;
  1327. switch (level) {
  1328. case EAPOL_LOGGER_WARNING:
  1329. hlevel = HOSTAPD_LEVEL_WARNING;
  1330. break;
  1331. case EAPOL_LOGGER_INFO:
  1332. hlevel = HOSTAPD_LEVEL_INFO;
  1333. break;
  1334. case EAPOL_LOGGER_DEBUG:
  1335. default:
  1336. hlevel = HOSTAPD_LEVEL_DEBUG;
  1337. break;
  1338. }
  1339. hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
  1340. txt);
  1341. #endif /* CONFIG_NO_HOSTAPD_LOGGER */
  1342. }
  1343. static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx,
  1344. int authorized)
  1345. {
  1346. struct hostapd_data *hapd = ctx;
  1347. struct sta_info *sta = sta_ctx;
  1348. ieee802_1x_set_sta_authorized(hapd, sta, authorized);
  1349. }
  1350. static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx)
  1351. {
  1352. struct hostapd_data *hapd = ctx;
  1353. struct sta_info *sta = sta_ctx;
  1354. ieee802_1x_abort_auth(hapd, sta);
  1355. }
  1356. static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx)
  1357. {
  1358. struct hostapd_data *hapd = ctx;
  1359. struct sta_info *sta = sta_ctx;
  1360. ieee802_1x_tx_key(hapd, sta);
  1361. }
  1362. static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx,
  1363. enum eapol_event type)
  1364. {
  1365. /* struct hostapd_data *hapd = ctx; */
  1366. struct sta_info *sta = sta_ctx;
  1367. switch (type) {
  1368. case EAPOL_AUTH_SM_CHANGE:
  1369. wpa_auth_sm_notify(sta->wpa_sm);
  1370. break;
  1371. case EAPOL_AUTH_REAUTHENTICATE:
  1372. wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
  1373. break;
  1374. }
  1375. }
  1376. int ieee802_1x_init(struct hostapd_data *hapd)
  1377. {
  1378. int i;
  1379. struct eapol_auth_config conf;
  1380. struct eapol_auth_cb cb;
  1381. os_memset(&conf, 0, sizeof(conf));
  1382. conf.ctx = hapd;
  1383. conf.eap_reauth_period = hapd->conf->eap_reauth_period;
  1384. conf.wpa = hapd->conf->wpa;
  1385. conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
  1386. conf.eap_server = hapd->conf->eap_server;
  1387. conf.ssl_ctx = hapd->ssl_ctx;
  1388. conf.msg_ctx = hapd->msg_ctx;
  1389. conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
  1390. conf.eap_req_id_text = hapd->conf->eap_req_id_text;
  1391. conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
  1392. conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
  1393. conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
  1394. conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
  1395. conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
  1396. conf.eap_fast_prov = hapd->conf->eap_fast_prov;
  1397. conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
  1398. conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
  1399. conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
  1400. conf.tnc = hapd->conf->tnc;
  1401. conf.wps = hapd->wps;
  1402. conf.fragment_size = hapd->conf->fragment_size;
  1403. conf.pwd_group = hapd->conf->pwd_group;
  1404. os_memset(&cb, 0, sizeof(cb));
  1405. cb.eapol_send = ieee802_1x_eapol_send;
  1406. cb.aaa_send = ieee802_1x_aaa_send;
  1407. cb.finished = _ieee802_1x_finished;
  1408. cb.get_eap_user = ieee802_1x_get_eap_user;
  1409. cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
  1410. cb.logger = ieee802_1x_logger;
  1411. cb.set_port_authorized = ieee802_1x_set_port_authorized;
  1412. cb.abort_auth = _ieee802_1x_abort_auth;
  1413. cb.tx_key = _ieee802_1x_tx_key;
  1414. cb.eapol_event = ieee802_1x_eapol_event;
  1415. hapd->eapol_auth = eapol_auth_init(&conf, &cb);
  1416. if (hapd->eapol_auth == NULL)
  1417. return -1;
  1418. if ((hapd->conf->ieee802_1x || hapd->conf->wpa) &&
  1419. hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
  1420. return -1;
  1421. #ifndef CONFIG_NO_RADIUS
  1422. if (radius_client_register(hapd->radius, RADIUS_AUTH,
  1423. ieee802_1x_receive_auth, hapd))
  1424. return -1;
  1425. #endif /* CONFIG_NO_RADIUS */
  1426. if (hapd->conf->default_wep_key_len) {
  1427. for (i = 0; i < 4; i++)
  1428. hapd->drv.set_key(hapd->conf->iface, hapd,
  1429. WPA_ALG_NONE, NULL, i, 0, NULL, 0,
  1430. NULL, 0);
  1431. ieee802_1x_rekey(hapd, NULL);
  1432. if (hapd->eapol_auth->default_wep_key == NULL)
  1433. return -1;
  1434. }
  1435. return 0;
  1436. }
  1437. void ieee802_1x_deinit(struct hostapd_data *hapd)
  1438. {
  1439. eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
  1440. if (hapd->driver != NULL &&
  1441. (hapd->conf->ieee802_1x || hapd->conf->wpa))
  1442. hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
  1443. eapol_auth_deinit(hapd->eapol_auth);
  1444. hapd->eapol_auth = NULL;
  1445. }
  1446. int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
  1447. const u8 *buf, size_t len, int ack)
  1448. {
  1449. struct ieee80211_hdr *hdr;
  1450. struct ieee802_1x_hdr *xhdr;
  1451. struct ieee802_1x_eapol_key *key;
  1452. u8 *pos;
  1453. const unsigned char rfc1042_hdr[ETH_ALEN] =
  1454. { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
  1455. if (sta == NULL)
  1456. return -1;
  1457. if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr))
  1458. return 0;
  1459. hdr = (struct ieee80211_hdr *) buf;
  1460. pos = (u8 *) (hdr + 1);
  1461. if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
  1462. return 0;
  1463. pos += sizeof(rfc1042_hdr);
  1464. if (WPA_GET_BE16(pos) != ETH_P_PAE)
  1465. return 0;
  1466. pos += 2;
  1467. xhdr = (struct ieee802_1x_hdr *) pos;
  1468. pos += sizeof(*xhdr);
  1469. wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
  1470. "type=%d length=%d - ack=%d",
  1471. MAC2STR(sta->addr), xhdr->version, xhdr->type,
  1472. be_to_host16(xhdr->length), ack);
  1473. /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
  1474. * or Authenticator state machines, but EAPOL-Key packets are not
  1475. * retransmitted in case of failure. Try to re-sent failed EAPOL-Key
  1476. * packets couple of times because otherwise STA keys become
  1477. * unsynchronized with AP. */
  1478. if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack &&
  1479. pos + sizeof(*key) <= buf + len) {
  1480. key = (struct ieee802_1x_eapol_key *) pos;
  1481. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
  1482. HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
  1483. "frame (%scast index=%d)",
  1484. key->key_index & BIT(7) ? "uni" : "broad",
  1485. key->key_index & ~BIT(7));
  1486. /* TODO: re-send EAPOL-Key couple of times (with short delay
  1487. * between them?). If all attempt fail, report error and
  1488. * deauthenticate STA so that it will get new keys when
  1489. * authenticating again (e.g., after returning in range).
  1490. * Separate limit/transmit state needed both for unicast and
  1491. * broadcast keys(?) */
  1492. }
  1493. /* TODO: could move unicast key configuration from ieee802_1x_tx_key()
  1494. * to here and change the key only if the EAPOL-Key packet was Acked.
  1495. */
  1496. return 1;
  1497. }
  1498. u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len)
  1499. {
  1500. if (sm == NULL || sm->identity == NULL)
  1501. return NULL;
  1502. *len = sm->identity_len;
  1503. return sm->identity;
  1504. }
  1505. u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len,
  1506. int idx)
  1507. {
  1508. if (sm == NULL || sm->radius_class.attr == NULL ||
  1509. idx >= (int) sm->radius_class.count)
  1510. return NULL;
  1511. *len = sm->radius_class.attr[idx].len;
  1512. return sm->radius_class.attr[idx].data;
  1513. }
  1514. const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len)
  1515. {
  1516. if (sm == NULL)
  1517. return NULL;
  1518. *len = sm->eap_if->eapKeyDataLen;
  1519. return sm->eap_if->eapKeyData;
  1520. }
  1521. void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
  1522. int enabled)
  1523. {
  1524. if (sm == NULL)
  1525. return;
  1526. sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
  1527. eapol_auth_step(sm);
  1528. }
  1529. void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
  1530. int valid)
  1531. {
  1532. if (sm == NULL)
  1533. return;
  1534. sm->portValid = valid ? TRUE : FALSE;
  1535. eapol_auth_step(sm);
  1536. }
  1537. void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
  1538. {
  1539. if (sm == NULL)
  1540. return;
  1541. if (pre_auth)
  1542. sm->flags |= EAPOL_SM_PREAUTH;
  1543. else
  1544. sm->flags &= ~EAPOL_SM_PREAUTH;
  1545. }
  1546. static const char * bool_txt(Boolean bool)
  1547. {
  1548. return bool ? "TRUE" : "FALSE";
  1549. }
  1550. int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
  1551. {
  1552. /* TODO */
  1553. return 0;
  1554. }
  1555. int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
  1556. char *buf, size_t buflen)
  1557. {
  1558. int len = 0, ret;
  1559. struct eapol_state_machine *sm = sta->eapol_sm;
  1560. if (sm == NULL)
  1561. return 0;
  1562. ret = os_snprintf(buf + len, buflen - len,
  1563. "dot1xPaePortNumber=%d\n"
  1564. "dot1xPaePortProtocolVersion=%d\n"
  1565. "dot1xPaePortCapabilities=1\n"
  1566. "dot1xPaePortInitialize=%d\n"
  1567. "dot1xPaePortReauthenticate=FALSE\n",
  1568. sta->aid,
  1569. EAPOL_VERSION,
  1570. sm->initialize);
  1571. if (ret < 0 || (size_t) ret >= buflen - len)
  1572. return len;
  1573. len += ret;
  1574. /* dot1xAuthConfigTable */
  1575. ret = os_snprintf(buf + len, buflen - len,
  1576. "dot1xAuthPaeState=%d\n"
  1577. "dot1xAuthBackendAuthState=%d\n"
  1578. "dot1xAuthAdminControlledDirections=%d\n"
  1579. "dot1xAuthOperControlledDirections=%d\n"
  1580. "dot1xAuthAuthControlledPortStatus=%d\n"
  1581. "dot1xAuthAuthControlledPortControl=%d\n"
  1582. "dot1xAuthQuietPeriod=%u\n"
  1583. "dot1xAuthServerTimeout=%u\n"
  1584. "dot1xAuthReAuthPeriod=%u\n"
  1585. "dot1xAuthReAuthEnabled=%s\n"
  1586. "dot1xAuthKeyTxEnabled=%s\n",
  1587. sm->auth_pae_state + 1,
  1588. sm->be_auth_state + 1,
  1589. sm->adminControlledDirections,
  1590. sm->operControlledDirections,
  1591. sm->authPortStatus,
  1592. sm->portControl,
  1593. sm->quietPeriod,
  1594. sm->serverTimeout,
  1595. sm->reAuthPeriod,
  1596. bool_txt(sm->reAuthEnabled),
  1597. bool_txt(sm->keyTxEnabled));
  1598. if (ret < 0 || (size_t) ret >= buflen - len)
  1599. return len;
  1600. len += ret;
  1601. /* dot1xAuthStatsTable */
  1602. ret = os_snprintf(buf + len, buflen - len,
  1603. "dot1xAuthEapolFramesRx=%u\n"
  1604. "dot1xAuthEapolFramesTx=%u\n"
  1605. "dot1xAuthEapolStartFramesRx=%u\n"
  1606. "dot1xAuthEapolLogoffFramesRx=%u\n"
  1607. "dot1xAuthEapolRespIdFramesRx=%u\n"
  1608. "dot1xAuthEapolRespFramesRx=%u\n"
  1609. "dot1xAuthEapolReqIdFramesTx=%u\n"
  1610. "dot1xAuthEapolReqFramesTx=%u\n"
  1611. "dot1xAuthInvalidEapolFramesRx=%u\n"
  1612. "dot1xAuthEapLengthErrorFramesRx=%u\n"
  1613. "dot1xAuthLastEapolFrameVersion=%u\n"
  1614. "dot1xAuthLastEapolFrameSource=" MACSTR "\n",
  1615. sm->dot1xAuthEapolFramesRx,
  1616. sm->dot1xAuthEapolFramesTx,
  1617. sm->dot1xAuthEapolStartFramesRx,
  1618. sm->dot1xAuthEapolLogoffFramesRx,
  1619. sm->dot1xAuthEapolRespIdFramesRx,
  1620. sm->dot1xAuthEapolRespFramesRx,
  1621. sm->dot1xAuthEapolReqIdFramesTx,
  1622. sm->dot1xAuthEapolReqFramesTx,
  1623. sm->dot1xAuthInvalidEapolFramesRx,
  1624. sm->dot1xAuthEapLengthErrorFramesRx,
  1625. sm->dot1xAuthLastEapolFrameVersion,
  1626. MAC2STR(sm->addr));
  1627. if (ret < 0 || (size_t) ret >= buflen - len)
  1628. return len;
  1629. len += ret;
  1630. /* dot1xAuthDiagTable */
  1631. ret = os_snprintf(buf + len, buflen - len,
  1632. "dot1xAuthEntersConnecting=%u\n"
  1633. "dot1xAuthEapLogoffsWhileConnecting=%u\n"
  1634. "dot1xAuthEntersAuthenticating=%u\n"
  1635. "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
  1636. "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
  1637. "dot1xAuthAuthFailWhileAuthenticating=%u\n"
  1638. "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
  1639. "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
  1640. "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
  1641. "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
  1642. "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
  1643. "dot1xAuthBackendResponses=%u\n"
  1644. "dot1xAuthBackendAccessChallenges=%u\n"
  1645. "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
  1646. "dot1xAuthBackendAuthSuccesses=%u\n"
  1647. "dot1xAuthBackendAuthFails=%u\n",
  1648. sm->authEntersConnecting,
  1649. sm->authEapLogoffsWhileConnecting,
  1650. sm->authEntersAuthenticating,
  1651. sm->authAuthSuccessesWhileAuthenticating,
  1652. sm->authAuthTimeoutsWhileAuthenticating,
  1653. sm->authAuthFailWhileAuthenticating,
  1654. sm->authAuthEapStartsWhileAuthenticating,
  1655. sm->authAuthEapLogoffWhileAuthenticating,
  1656. sm->authAuthReauthsWhileAuthenticated,
  1657. sm->authAuthEapStartsWhileAuthenticated,
  1658. sm->authAuthEapLogoffWhileAuthenticated,
  1659. sm->backendResponses,
  1660. sm->backendAccessChallenges,
  1661. sm->backendOtherRequestsToSupplicant,
  1662. sm->backendAuthSuccesses,
  1663. sm->backendAuthFails);
  1664. if (ret < 0 || (size_t) ret >= buflen - len)
  1665. return len;
  1666. len += ret;
  1667. /* dot1xAuthSessionStatsTable */
  1668. ret = os_snprintf(buf + len, buflen - len,
  1669. /* TODO: dot1xAuthSessionOctetsRx */
  1670. /* TODO: dot1xAuthSessionOctetsTx */
  1671. /* TODO: dot1xAuthSessionFramesRx */
  1672. /* TODO: dot1xAuthSessionFramesTx */
  1673. "dot1xAuthSessionId=%08X-%08X\n"
  1674. "dot1xAuthSessionAuthenticMethod=%d\n"
  1675. "dot1xAuthSessionTime=%u\n"
  1676. "dot1xAuthSessionTerminateCause=999\n"
  1677. "dot1xAuthSessionUserName=%s\n",
  1678. sta->acct_session_id_hi, sta->acct_session_id_lo,
  1679. (wpa_key_mgmt_wpa_ieee8021x(
  1680. wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
  1681. 1 : 2,
  1682. (unsigned int) (time(NULL) -
  1683. sta->acct_session_start),
  1684. sm->identity);
  1685. if (ret < 0 || (size_t) ret >= buflen - len)
  1686. return len;
  1687. len += ret;
  1688. return len;
  1689. }
  1690. static void ieee802_1x_finished(struct hostapd_data *hapd,
  1691. struct sta_info *sta, int success)
  1692. {
  1693. const u8 *key;
  1694. size_t len;
  1695. /* TODO: get PMKLifetime from WPA parameters */
  1696. static const int dot11RSNAConfigPMKLifetime = 43200;
  1697. key = ieee802_1x_get_key(sta->eapol_sm, &len);
  1698. if (success && key && len >= PMK_LEN &&
  1699. wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
  1700. sta->eapol_sm) == 0) {
  1701. hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
  1702. HOSTAPD_LEVEL_DEBUG,
  1703. "Added PMKSA cache entry (IEEE 802.1X)");
  1704. }
  1705. #ifdef CONFIG_WPS
  1706. if (!success && (sta->flags & WLAN_STA_WPS)) {
  1707. /*
  1708. * Many devices require deauthentication after WPS provisioning
  1709. * and some may not be be able to do that themselves, so
  1710. * disconnect the client here.
  1711. */
  1712. wpa_printf(MSG_DEBUG, "WPS: Force disconnection after "
  1713. "EAP-Failure");
  1714. /* Add a small sleep to increase likelihood of previously
  1715. * requested EAP-Failure TX getting out before this should the
  1716. * driver reorder operations.
  1717. */
  1718. os_sleep(0, 10000);
  1719. ap_sta_disconnect(hapd, sta, sta->addr,
  1720. WLAN_REASON_PREV_AUTH_NOT_VALID);
  1721. }
  1722. #endif /* CONFIG_WPS */
  1723. }