xref: /freebsd/contrib/wpa/src/ap/ieee802_1x.c (revision 10b9d77bf1ccf2f3affafa6261692cb92cf7e992)
1 /*
2  * hostapd / IEEE 802.1X-2004 Authenticator
3  * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "utils/includes.h"
16 
17 #include "utils/common.h"
18 #include "utils/eloop.h"
19 #include "crypto/md5.h"
20 #include "crypto/crypto.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/wpa_ctrl.h"
23 #include "radius/radius.h"
24 #include "radius/radius_client.h"
25 #include "eap_server/eap.h"
26 #include "eap_common/eap_wsc_common.h"
27 #include "eapol_auth/eapol_auth_sm.h"
28 #include "eapol_auth/eapol_auth_sm_i.h"
29 #include "hostapd.h"
30 #include "accounting.h"
31 #include "sta_info.h"
32 #include "wpa_auth.h"
33 #include "preauth_auth.h"
34 #include "pmksa_cache_auth.h"
35 #include "ap_config.h"
36 #include "ieee802_1x.h"
37 
38 
39 static void ieee802_1x_finished(struct hostapd_data *hapd,
40 				struct sta_info *sta, int success);
41 
42 
43 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta,
44 			    u8 type, const u8 *data, size_t datalen)
45 {
46 	u8 *buf;
47 	struct ieee802_1x_hdr *xhdr;
48 	size_t len;
49 	int encrypt = 0;
50 
51 	len = sizeof(*xhdr) + datalen;
52 	buf = os_zalloc(len);
53 	if (buf == NULL) {
54 		wpa_printf(MSG_ERROR, "malloc() failed for "
55 			   "ieee802_1x_send(len=%lu)",
56 			   (unsigned long) len);
57 		return;
58 	}
59 
60 	xhdr = (struct ieee802_1x_hdr *) buf;
61 	xhdr->version = hapd->conf->eapol_version;
62 	xhdr->type = type;
63 	xhdr->length = host_to_be16(datalen);
64 
65 	if (datalen > 0 && data != NULL)
66 		os_memcpy(xhdr + 1, data, datalen);
67 
68 	if (wpa_auth_pairwise_set(sta->wpa_sm))
69 		encrypt = 1;
70 	if (sta->flags & WLAN_STA_PREAUTH) {
71 		rsn_preauth_send(hapd, sta, buf, len);
72 	} else {
73 		hapd->drv.send_eapol(hapd, sta->addr, buf, len, encrypt);
74 	}
75 
76 	os_free(buf);
77 }
78 
79 
80 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
81 				   struct sta_info *sta, int authorized)
82 {
83 	int res;
84 
85 	if (sta->flags & WLAN_STA_PREAUTH)
86 		return;
87 
88 	if (authorized) {
89 		if (!(sta->flags & WLAN_STA_AUTHORIZED))
90 			wpa_msg(hapd->msg_ctx, MSG_INFO,
91 				AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr));
92 		sta->flags |= WLAN_STA_AUTHORIZED;
93 		res = hapd->drv.set_authorized(hapd, sta, 1);
94 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
95 			       HOSTAPD_LEVEL_DEBUG, "authorizing port");
96 	} else {
97 		if ((sta->flags & (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC)) ==
98 		    (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC))
99 			wpa_msg(hapd->msg_ctx, MSG_INFO,
100 				AP_STA_DISCONNECTED MACSTR,
101 				MAC2STR(sta->addr));
102 		sta->flags &= ~WLAN_STA_AUTHORIZED;
103 		res = hapd->drv.set_authorized(hapd, sta, 0);
104 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
105 			       HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
106 	}
107 
108 	if (res && errno != ENOENT) {
109 		printf("Could not set station " MACSTR " flags for kernel "
110 		       "driver (errno=%d).\n", MAC2STR(sta->addr), errno);
111 	}
112 
113 	if (authorized)
114 		accounting_sta_start(hapd, sta);
115 }
116 
117 
118 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
119 				  struct sta_info *sta,
120 				  int idx, int broadcast,
121 				  u8 *key_data, size_t key_len)
122 {
123 	u8 *buf, *ekey;
124 	struct ieee802_1x_hdr *hdr;
125 	struct ieee802_1x_eapol_key *key;
126 	size_t len, ekey_len;
127 	struct eapol_state_machine *sm = sta->eapol_sm;
128 
129 	if (sm == NULL)
130 		return;
131 
132 	len = sizeof(*key) + key_len;
133 	buf = os_zalloc(sizeof(*hdr) + len);
134 	if (buf == NULL)
135 		return;
136 
137 	hdr = (struct ieee802_1x_hdr *) buf;
138 	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
139 	key->type = EAPOL_KEY_TYPE_RC4;
140 	key->key_length = htons(key_len);
141 	wpa_get_ntp_timestamp(key->replay_counter);
142 
143 	if (os_get_random(key->key_iv, sizeof(key->key_iv))) {
144 		wpa_printf(MSG_ERROR, "Could not get random numbers");
145 		os_free(buf);
146 		return;
147 	}
148 
149 	key->key_index = idx | (broadcast ? 0 : BIT(7));
150 	if (hapd->conf->eapol_key_index_workaround) {
151 		/* According to some information, WinXP Supplicant seems to
152 		 * interpret bit7 as an indication whether the key is to be
153 		 * activated, so make it possible to enable workaround that
154 		 * sets this bit for all keys. */
155 		key->key_index |= BIT(7);
156 	}
157 
158 	/* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
159 	 * MSK[32..63] is used to sign the message. */
160 	if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) {
161 		wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
162 			   "and signing EAPOL-Key");
163 		os_free(buf);
164 		return;
165 	}
166 	os_memcpy((u8 *) (key + 1), key_data, key_len);
167 	ekey_len = sizeof(key->key_iv) + 32;
168 	ekey = os_malloc(ekey_len);
169 	if (ekey == NULL) {
170 		wpa_printf(MSG_ERROR, "Could not encrypt key");
171 		os_free(buf);
172 		return;
173 	}
174 	os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
175 	os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
176 	rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
177 	os_free(ekey);
178 
179 	/* This header is needed here for HMAC-MD5, but it will be regenerated
180 	 * in ieee802_1x_send() */
181 	hdr->version = hapd->conf->eapol_version;
182 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
183 	hdr->length = host_to_be16(len);
184 	hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
185 		 key->key_signature);
186 
187 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
188 		   " (%s index=%d)", MAC2STR(sm->addr),
189 		   broadcast ? "broadcast" : "unicast", idx);
190 	ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
191 	if (sta->eapol_sm)
192 		sta->eapol_sm->dot1xAuthEapolFramesTx++;
193 	os_free(buf);
194 }
195 
196 
197 #ifndef CONFIG_NO_VLAN
198 static struct hostapd_wep_keys *
199 ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname)
200 {
201 	struct hostapd_wep_keys *key;
202 
203 	key = os_zalloc(sizeof(*key));
204 	if (key == NULL)
205 		return NULL;
206 
207 	key->default_len = hapd->conf->default_wep_key_len;
208 
209 	if (key->idx >= hapd->conf->broadcast_key_idx_max ||
210 	    key->idx < hapd->conf->broadcast_key_idx_min)
211 		key->idx = hapd->conf->broadcast_key_idx_min;
212 	else
213 		key->idx++;
214 
215 	if (!key->key[key->idx])
216 		key->key[key->idx] = os_malloc(key->default_len);
217 	if (key->key[key->idx] == NULL ||
218 	    os_get_random(key->key[key->idx], key->default_len)) {
219 		printf("Could not generate random WEP key (dynamic VLAN).\n");
220 		os_free(key->key[key->idx]);
221 		key->key[key->idx] = NULL;
222 		os_free(key);
223 		return NULL;
224 	}
225 	key->len[key->idx] = key->default_len;
226 
227 	wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n",
228 		   ifname, key->idx);
229 	wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)",
230 			key->key[key->idx], key->len[key->idx]);
231 
232 	if (hapd->drv.set_key(ifname, hapd, WPA_ALG_WEP, NULL, key->idx, 1,
233 			      NULL, 0, key->key[key->idx], key->len[key->idx]))
234 		printf("Could not set dynamic VLAN WEP encryption key.\n");
235 
236 	hapd->drv.set_drv_ieee8021x(hapd, ifname, 1);
237 
238 	return key;
239 }
240 
241 
242 static struct hostapd_wep_keys *
243 ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid,
244 		     size_t vlan_id)
245 {
246 	const char *ifname;
247 
248 	if (vlan_id == 0)
249 		return &ssid->wep;
250 
251 	if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys &&
252 	    ssid->dyn_vlan_keys[vlan_id])
253 		return ssid->dyn_vlan_keys[vlan_id];
254 
255 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group "
256 		   "state machine for VLAN ID %lu",
257 		   (unsigned long) vlan_id);
258 
259 	ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id);
260 	if (ifname == NULL) {
261 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - "
262 			   "cannot create group key state machine",
263 			   (unsigned long) vlan_id);
264 		return NULL;
265 	}
266 
267 	if (ssid->dyn_vlan_keys == NULL) {
268 		int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
269 		ssid->dyn_vlan_keys = os_zalloc(size);
270 		if (ssid->dyn_vlan_keys == NULL)
271 			return NULL;
272 		ssid->max_dyn_vlan_keys = vlan_id;
273 	}
274 
275 	if (ssid->max_dyn_vlan_keys < vlan_id) {
276 		struct hostapd_wep_keys **na;
277 		int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
278 		na = os_realloc(ssid->dyn_vlan_keys, size);
279 		if (na == NULL)
280 			return NULL;
281 		ssid->dyn_vlan_keys = na;
282 		os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0,
283 			  (vlan_id - ssid->max_dyn_vlan_keys) *
284 			  sizeof(ssid->dyn_vlan_keys[0]));
285 		ssid->max_dyn_vlan_keys = vlan_id;
286 	}
287 
288 	ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname);
289 
290 	return ssid->dyn_vlan_keys[vlan_id];
291 }
292 #endif /* CONFIG_NO_VLAN */
293 
294 
295 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
296 {
297 	struct eapol_authenticator *eapol = hapd->eapol_auth;
298 	struct eapol_state_machine *sm = sta->eapol_sm;
299 #ifndef CONFIG_NO_VLAN
300 	struct hostapd_wep_keys *key = NULL;
301 	int vlan_id;
302 #endif /* CONFIG_NO_VLAN */
303 
304 	if (sm == NULL || !sm->eap_if->eapKeyData)
305 		return;
306 
307 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
308 		   MAC2STR(sta->addr));
309 
310 #ifndef CONFIG_NO_VLAN
311 	vlan_id = sta->vlan_id;
312 	if (vlan_id < 0 || vlan_id > MAX_VLAN_ID)
313 		vlan_id = 0;
314 
315 	if (vlan_id) {
316 		key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id);
317 		if (key && key->key[key->idx])
318 			ieee802_1x_tx_key_one(hapd, sta, key->idx, 1,
319 					      key->key[key->idx],
320 					      key->len[key->idx]);
321 	} else
322 #endif /* CONFIG_NO_VLAN */
323 	if (eapol->default_wep_key) {
324 		ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
325 				      eapol->default_wep_key,
326 				      hapd->conf->default_wep_key_len);
327 	}
328 
329 	if (hapd->conf->individual_wep_key_len > 0) {
330 		u8 *ikey;
331 		ikey = os_malloc(hapd->conf->individual_wep_key_len);
332 		if (ikey == NULL ||
333 		    os_get_random(ikey, hapd->conf->individual_wep_key_len)) {
334 			wpa_printf(MSG_ERROR, "Could not generate random "
335 				   "individual WEP key.");
336 			os_free(ikey);
337 			return;
338 		}
339 
340 		wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
341 				ikey, hapd->conf->individual_wep_key_len);
342 
343 		ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
344 				      hapd->conf->individual_wep_key_len);
345 
346 		/* TODO: set encryption in TX callback, i.e., only after STA
347 		 * has ACKed EAPOL-Key frame */
348 		if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
349 				      sta->addr, 0, 1, NULL, 0, ikey,
350 				      hapd->conf->individual_wep_key_len)) {
351 			wpa_printf(MSG_ERROR, "Could not set individual WEP "
352 				   "encryption.");
353 		}
354 
355 		os_free(ikey);
356 	}
357 }
358 
359 
360 const char *radius_mode_txt(struct hostapd_data *hapd)
361 {
362 	switch (hapd->iface->conf->hw_mode) {
363 	case HOSTAPD_MODE_IEEE80211A:
364 		return "802.11a";
365 	case HOSTAPD_MODE_IEEE80211G:
366 		return "802.11g";
367 	case HOSTAPD_MODE_IEEE80211B:
368 	default:
369 		return "802.11b";
370 	}
371 }
372 
373 
374 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta)
375 {
376 	int i;
377 	u8 rate = 0;
378 
379 	for (i = 0; i < sta->supported_rates_len; i++)
380 		if ((sta->supported_rates[i] & 0x7f) > rate)
381 			rate = sta->supported_rates[i] & 0x7f;
382 
383 	return rate;
384 }
385 
386 
387 #ifndef CONFIG_NO_RADIUS
388 static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
389 				      struct eapol_state_machine *sm,
390 				      const u8 *eap, size_t len)
391 {
392 	const u8 *identity;
393 	size_t identity_len;
394 
395 	if (len <= sizeof(struct eap_hdr) ||
396 	    eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY)
397 		return;
398 
399 	identity = eap_get_identity(sm->eap, &identity_len);
400 	if (identity == NULL)
401 		return;
402 
403 	/* Save station identity for future RADIUS packets */
404 	os_free(sm->identity);
405 	sm->identity = os_malloc(identity_len + 1);
406 	if (sm->identity == NULL) {
407 		sm->identity_len = 0;
408 		return;
409 	}
410 
411 	os_memcpy(sm->identity, identity, identity_len);
412 	sm->identity_len = identity_len;
413 	sm->identity[identity_len] = '\0';
414 	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
415 		       HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
416 	sm->dot1xAuthEapolRespIdFramesRx++;
417 }
418 
419 
420 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
421 					  struct sta_info *sta,
422 					  const u8 *eap, size_t len)
423 {
424 	struct radius_msg *msg;
425 	char buf[128];
426 	struct eapol_state_machine *sm = sta->eapol_sm;
427 
428 	if (sm == NULL)
429 		return;
430 
431 	ieee802_1x_learn_identity(hapd, sm, eap, len);
432 
433 	wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
434 		   "packet");
435 
436 	sm->radius_identifier = radius_client_get_id(hapd->radius);
437 	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
438 			     sm->radius_identifier);
439 	if (msg == NULL) {
440 		printf("Could not create net RADIUS packet\n");
441 		return;
442 	}
443 
444 	radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
445 
446 	if (sm->identity &&
447 	    !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
448 				 sm->identity, sm->identity_len)) {
449 		printf("Could not add User-Name\n");
450 		goto fail;
451 	}
452 
453 	if (hapd->conf->own_ip_addr.af == AF_INET &&
454 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
455 				 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
456 		printf("Could not add NAS-IP-Address\n");
457 		goto fail;
458 	}
459 
460 #ifdef CONFIG_IPV6
461 	if (hapd->conf->own_ip_addr.af == AF_INET6 &&
462 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
463 				 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
464 		printf("Could not add NAS-IPv6-Address\n");
465 		goto fail;
466 	}
467 #endif /* CONFIG_IPV6 */
468 
469 	if (hapd->conf->nas_identifier &&
470 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
471 				 (u8 *) hapd->conf->nas_identifier,
472 				 os_strlen(hapd->conf->nas_identifier))) {
473 		printf("Could not add NAS-Identifier\n");
474 		goto fail;
475 	}
476 
477 	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
478 		printf("Could not add NAS-Port\n");
479 		goto fail;
480 	}
481 
482 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
483 		    MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid);
484 	buf[sizeof(buf) - 1] = '\0';
485 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
486 				 (u8 *) buf, os_strlen(buf))) {
487 		printf("Could not add Called-Station-Id\n");
488 		goto fail;
489 	}
490 
491 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
492 		    MAC2STR(sta->addr));
493 	buf[sizeof(buf) - 1] = '\0';
494 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
495 				 (u8 *) buf, os_strlen(buf))) {
496 		printf("Could not add Calling-Station-Id\n");
497 		goto fail;
498 	}
499 
500 	/* TODO: should probably check MTU from driver config; 2304 is max for
501 	 * IEEE 802.11, but use 1400 to avoid problems with too large packets
502 	 */
503 	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
504 		printf("Could not add Framed-MTU\n");
505 		goto fail;
506 	}
507 
508 	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
509 				       RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
510 		printf("Could not add NAS-Port-Type\n");
511 		goto fail;
512 	}
513 
514 	if (sta->flags & WLAN_STA_PREAUTH) {
515 		os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
516 			   sizeof(buf));
517 	} else {
518 		os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
519 			    radius_sta_rate(hapd, sta) / 2,
520 			    (radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
521 			    radius_mode_txt(hapd));
522 		buf[sizeof(buf) - 1] = '\0';
523 	}
524 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
525 				 (u8 *) buf, os_strlen(buf))) {
526 		printf("Could not add Connect-Info\n");
527 		goto fail;
528 	}
529 
530 	if (eap && !radius_msg_add_eap(msg, eap, len)) {
531 		printf("Could not add EAP-Message\n");
532 		goto fail;
533 	}
534 
535 	/* State attribute must be copied if and only if this packet is
536 	 * Access-Request reply to the previous Access-Challenge */
537 	if (sm->last_recv_radius &&
538 	    radius_msg_get_hdr(sm->last_recv_radius)->code ==
539 	    RADIUS_CODE_ACCESS_CHALLENGE) {
540 		int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
541 					       RADIUS_ATTR_STATE);
542 		if (res < 0) {
543 			printf("Could not copy State attribute from previous "
544 			       "Access-Challenge\n");
545 			goto fail;
546 		}
547 		if (res > 0) {
548 			wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
549 		}
550 	}
551 
552 	radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr);
553 	return;
554 
555  fail:
556 	radius_msg_free(msg);
557 }
558 #endif /* CONFIG_NO_RADIUS */
559 
560 
561 static void handle_eap_response(struct hostapd_data *hapd,
562 				struct sta_info *sta, struct eap_hdr *eap,
563 				size_t len)
564 {
565 	u8 type, *data;
566 	struct eapol_state_machine *sm = sta->eapol_sm;
567 	if (sm == NULL)
568 		return;
569 
570 	data = (u8 *) (eap + 1);
571 
572 	if (len < sizeof(*eap) + 1) {
573 		printf("handle_eap_response: too short response data\n");
574 		return;
575 	}
576 
577 	sm->eap_type_supp = type = data[0];
578 
579 	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
580 		       HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
581 		       "id=%d len=%d) from STA: EAP Response-%s (%d)",
582 		       eap->code, eap->identifier, be_to_host16(eap->length),
583 		       eap_server_get_name(0, type), type);
584 
585 	sm->dot1xAuthEapolRespFramesRx++;
586 
587 	wpabuf_free(sm->eap_if->eapRespData);
588 	sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
589 	sm->eapolEap = TRUE;
590 }
591 
592 
593 /* Process incoming EAP packet from Supplicant */
594 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta,
595 		       u8 *buf, size_t len)
596 {
597 	struct eap_hdr *eap;
598 	u16 eap_len;
599 
600 	if (len < sizeof(*eap)) {
601 		printf("   too short EAP packet\n");
602 		return;
603 	}
604 
605 	eap = (struct eap_hdr *) buf;
606 
607 	eap_len = be_to_host16(eap->length);
608 	wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
609 		   eap->code, eap->identifier, eap_len);
610 	if (eap_len < sizeof(*eap)) {
611 		wpa_printf(MSG_DEBUG, "   Invalid EAP length");
612 		return;
613 	} else if (eap_len > len) {
614 		wpa_printf(MSG_DEBUG, "   Too short frame to contain this EAP "
615 			   "packet");
616 		return;
617 	} else if (eap_len < len) {
618 		wpa_printf(MSG_DEBUG, "   Ignoring %lu extra bytes after EAP "
619 			   "packet", (unsigned long) len - eap_len);
620 	}
621 
622 	switch (eap->code) {
623 	case EAP_CODE_REQUEST:
624 		wpa_printf(MSG_DEBUG, " (request)");
625 		return;
626 	case EAP_CODE_RESPONSE:
627 		wpa_printf(MSG_DEBUG, " (response)");
628 		handle_eap_response(hapd, sta, eap, eap_len);
629 		break;
630 	case EAP_CODE_SUCCESS:
631 		wpa_printf(MSG_DEBUG, " (success)");
632 		return;
633 	case EAP_CODE_FAILURE:
634 		wpa_printf(MSG_DEBUG, " (failure)");
635 		return;
636 	default:
637 		wpa_printf(MSG_DEBUG, " (unknown code)");
638 		return;
639 	}
640 }
641 
642 
643 static struct eapol_state_machine *
644 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
645 {
646 	int flags = 0;
647 	if (sta->flags & WLAN_STA_PREAUTH)
648 		flags |= EAPOL_SM_PREAUTH;
649 	if (sta->wpa_sm) {
650 		flags |= EAPOL_SM_USES_WPA;
651 		if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
652 			flags |= EAPOL_SM_FROM_PMKSA_CACHE;
653 	}
654 	return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
655 				sta->wps_ie, sta);
656 }
657 
658 
659 /**
660  * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
661  * @hapd: hostapd BSS data
662  * @sa: Source address (sender of the EAPOL frame)
663  * @buf: EAPOL frame
664  * @len: Length of buf in octets
665  *
666  * This function is called for each incoming EAPOL frame from the interface
667  */
668 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
669 			size_t len)
670 {
671 	struct sta_info *sta;
672 	struct ieee802_1x_hdr *hdr;
673 	struct ieee802_1x_eapol_key *key;
674 	u16 datalen;
675 	struct rsn_pmksa_cache_entry *pmksa;
676 
677 	if (!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
678 	    !hapd->conf->wps_state)
679 		return;
680 
681 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
682 		   (unsigned long) len, MAC2STR(sa));
683 	sta = ap_get_sta(hapd, sa);
684 	if (!sta || !(sta->flags & WLAN_STA_ASSOC)) {
685 		wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
686 			   "associated STA");
687 		return;
688 	}
689 
690 	if (len < sizeof(*hdr)) {
691 		printf("   too short IEEE 802.1X packet\n");
692 		return;
693 	}
694 
695 	hdr = (struct ieee802_1x_hdr *) buf;
696 	datalen = be_to_host16(hdr->length);
697 	wpa_printf(MSG_DEBUG, "   IEEE 802.1X: version=%d type=%d length=%d",
698 		   hdr->version, hdr->type, datalen);
699 
700 	if (len - sizeof(*hdr) < datalen) {
701 		printf("   frame too short for this IEEE 802.1X packet\n");
702 		if (sta->eapol_sm)
703 			sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
704 		return;
705 	}
706 	if (len - sizeof(*hdr) > datalen) {
707 		wpa_printf(MSG_DEBUG, "   ignoring %lu extra octets after "
708 			   "IEEE 802.1X packet",
709 			   (unsigned long) len - sizeof(*hdr) - datalen);
710 	}
711 
712 	if (sta->eapol_sm) {
713 		sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
714 		sta->eapol_sm->dot1xAuthEapolFramesRx++;
715 	}
716 
717 	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
718 	if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
719 	    hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
720 	    (key->type == EAPOL_KEY_TYPE_WPA ||
721 	     key->type == EAPOL_KEY_TYPE_RSN)) {
722 		wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
723 			    sizeof(*hdr) + datalen);
724 		return;
725 	}
726 
727 	if ((!hapd->conf->ieee802_1x &&
728 	     !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) ||
729 	    wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm)))
730 		return;
731 
732 	if (!sta->eapol_sm) {
733 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
734 		if (!sta->eapol_sm)
735 			return;
736 
737 #ifdef CONFIG_WPS
738 		if (!hapd->conf->ieee802_1x &&
739 		    ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
740 		     WLAN_STA_MAYBE_WPS)) {
741 			/*
742 			 * Delay EAPOL frame transmission until a possible WPS
743 			 * STA initiates the handshake with EAPOL-Start.
744 			 */
745 			sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
746 		}
747 #endif /* CONFIG_WPS */
748 
749 		sta->eapol_sm->eap_if->portEnabled = TRUE;
750 	}
751 
752 	/* since we support version 1, we can ignore version field and proceed
753 	 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
754 	/* TODO: actually, we are not version 1 anymore.. However, Version 2
755 	 * does not change frame contents, so should be ok to process frames
756 	 * more or less identically. Some changes might be needed for
757 	 * verification of fields. */
758 
759 	switch (hdr->type) {
760 	case IEEE802_1X_TYPE_EAP_PACKET:
761 		handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
762 		break;
763 
764 	case IEEE802_1X_TYPE_EAPOL_START:
765 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
766 			       HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
767 			       "from STA");
768 		sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
769 		pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
770 		if (pmksa) {
771 			hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
772 				       HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
773 				       "available - ignore it since "
774 				       "STA sent EAPOL-Start");
775 			wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
776 		}
777 		sta->eapol_sm->eapolStart = TRUE;
778 		sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
779 		wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
780 		break;
781 
782 	case IEEE802_1X_TYPE_EAPOL_LOGOFF:
783 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
784 			       HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
785 			       "from STA");
786 		sta->acct_terminate_cause =
787 			RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
788 		accounting_sta_stop(hapd, sta);
789 		sta->eapol_sm->eapolLogoff = TRUE;
790 		sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
791 		break;
792 
793 	case IEEE802_1X_TYPE_EAPOL_KEY:
794 		wpa_printf(MSG_DEBUG, "   EAPOL-Key");
795 		if (!(sta->flags & WLAN_STA_AUTHORIZED)) {
796 			wpa_printf(MSG_DEBUG, "   Dropped key data from "
797 				   "unauthorized Supplicant");
798 			break;
799 		}
800 		break;
801 
802 	case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
803 		wpa_printf(MSG_DEBUG, "   EAPOL-Encapsulated-ASF-Alert");
804 		/* TODO: implement support for this; show data */
805 		break;
806 
807 	default:
808 		wpa_printf(MSG_DEBUG, "   unknown IEEE 802.1X packet type");
809 		sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
810 		break;
811 	}
812 
813 	eapol_auth_step(sta->eapol_sm);
814 }
815 
816 
817 /**
818  * ieee802_1x_new_station - Start IEEE 802.1X authentication
819  * @hapd: hostapd BSS data
820  * @sta: The station
821  *
822  * This function is called to start IEEE 802.1X authentication when a new
823  * station completes IEEE 802.11 association.
824  */
825 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
826 {
827 	struct rsn_pmksa_cache_entry *pmksa;
828 	int reassoc = 1;
829 	int force_1x = 0;
830 
831 #ifdef CONFIG_WPS
832 	if (hapd->conf->wps_state && hapd->conf->wpa &&
833 	    (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
834 		/*
835 		 * Need to enable IEEE 802.1X/EAPOL state machines for possible
836 		 * WPS handshake even if IEEE 802.1X/EAPOL is not used for
837 		 * authentication in this BSS.
838 		 */
839 		force_1x = 1;
840 	}
841 #endif /* CONFIG_WPS */
842 
843 	if ((!force_1x && !hapd->conf->ieee802_1x) ||
844 	    wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm)))
845 		return;
846 
847 	if (sta->eapol_sm == NULL) {
848 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
849 			       HOSTAPD_LEVEL_DEBUG, "start authentication");
850 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
851 		if (sta->eapol_sm == NULL) {
852 			hostapd_logger(hapd, sta->addr,
853 				       HOSTAPD_MODULE_IEEE8021X,
854 				       HOSTAPD_LEVEL_INFO,
855 				       "failed to allocate state machine");
856 			return;
857 		}
858 		reassoc = 0;
859 	}
860 
861 #ifdef CONFIG_WPS
862 	sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
863 	if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) {
864 		/*
865 		 * Delay EAPOL frame transmission until a possible WPS
866 		 * initiates the handshake with EAPOL-Start.
867 		 */
868 		sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
869 	}
870 #endif /* CONFIG_WPS */
871 
872 	sta->eapol_sm->eap_if->portEnabled = TRUE;
873 
874 	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
875 	if (pmksa) {
876 		int old_vlanid;
877 
878 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
879 			       HOSTAPD_LEVEL_DEBUG,
880 			       "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
881 		/* Setup EAPOL state machines to already authenticated state
882 		 * because of existing PMKSA information in the cache. */
883 		sta->eapol_sm->keyRun = TRUE;
884 		sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
885 		sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
886 		sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
887 		sta->eapol_sm->authSuccess = TRUE;
888 		if (sta->eapol_sm->eap)
889 			eap_sm_notify_cached(sta->eapol_sm->eap);
890 		old_vlanid = sta->vlan_id;
891 		pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
892 		if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
893 			sta->vlan_id = 0;
894 		ap_sta_bind_vlan(hapd, sta, old_vlanid);
895 	} else {
896 		if (reassoc) {
897 			/*
898 			 * Force EAPOL state machines to start
899 			 * re-authentication without having to wait for the
900 			 * Supplicant to send EAPOL-Start.
901 			 */
902 			sta->eapol_sm->reAuthenticate = TRUE;
903 		}
904 		eapol_auth_step(sta->eapol_sm);
905 	}
906 }
907 
908 
909 void ieee802_1x_free_station(struct sta_info *sta)
910 {
911 	struct eapol_state_machine *sm = sta->eapol_sm;
912 
913 	if (sm == NULL)
914 		return;
915 
916 	sta->eapol_sm = NULL;
917 
918 #ifndef CONFIG_NO_RADIUS
919 	radius_msg_free(sm->last_recv_radius);
920 	radius_free_class(&sm->radius_class);
921 #endif /* CONFIG_NO_RADIUS */
922 
923 	os_free(sm->identity);
924 	eapol_auth_free(sm);
925 }
926 
927 
928 #ifndef CONFIG_NO_RADIUS
929 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
930 					  struct sta_info *sta)
931 {
932 	u8 *eap;
933 	size_t len;
934 	struct eap_hdr *hdr;
935 	int eap_type = -1;
936 	char buf[64];
937 	struct radius_msg *msg;
938 	struct eapol_state_machine *sm = sta->eapol_sm;
939 
940 	if (sm == NULL || sm->last_recv_radius == NULL) {
941 		if (sm)
942 			sm->eap_if->aaaEapNoReq = TRUE;
943 		return;
944 	}
945 
946 	msg = sm->last_recv_radius;
947 
948 	eap = radius_msg_get_eap(msg, &len);
949 	if (eap == NULL) {
950 		/* RFC 3579, Chap. 2.6.3:
951 		 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
952 		 * attribute */
953 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
954 			       HOSTAPD_LEVEL_WARNING, "could not extract "
955 			       "EAP-Message from RADIUS message");
956 		sm->eap_if->aaaEapNoReq = TRUE;
957 		return;
958 	}
959 
960 	if (len < sizeof(*hdr)) {
961 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
962 			       HOSTAPD_LEVEL_WARNING, "too short EAP packet "
963 			       "received from authentication server");
964 		os_free(eap);
965 		sm->eap_if->aaaEapNoReq = TRUE;
966 		return;
967 	}
968 
969 	if (len > sizeof(*hdr))
970 		eap_type = eap[sizeof(*hdr)];
971 
972 	hdr = (struct eap_hdr *) eap;
973 	switch (hdr->code) {
974 	case EAP_CODE_REQUEST:
975 		if (eap_type >= 0)
976 			sm->eap_type_authsrv = eap_type;
977 		os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
978 			    eap_type >= 0 ? eap_server_get_name(0, eap_type) :
979 			    "??",
980 			    eap_type);
981 		break;
982 	case EAP_CODE_RESPONSE:
983 		os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
984 			    eap_type >= 0 ? eap_server_get_name(0, eap_type) :
985 			    "??",
986 			    eap_type);
987 		break;
988 	case EAP_CODE_SUCCESS:
989 		os_strlcpy(buf, "EAP Success", sizeof(buf));
990 		break;
991 	case EAP_CODE_FAILURE:
992 		os_strlcpy(buf, "EAP Failure", sizeof(buf));
993 		break;
994 	default:
995 		os_strlcpy(buf, "unknown EAP code", sizeof(buf));
996 		break;
997 	}
998 	buf[sizeof(buf) - 1] = '\0';
999 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1000 		       HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
1001 		       "id=%d len=%d) from RADIUS server: %s",
1002 		       hdr->code, hdr->identifier, be_to_host16(hdr->length),
1003 		       buf);
1004 	sm->eap_if->aaaEapReq = TRUE;
1005 
1006 	wpabuf_free(sm->eap_if->aaaEapReqData);
1007 	sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len);
1008 }
1009 
1010 
1011 static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1012 				struct sta_info *sta, struct radius_msg *msg,
1013 				struct radius_msg *req,
1014 				const u8 *shared_secret,
1015 				size_t shared_secret_len)
1016 {
1017 	struct radius_ms_mppe_keys *keys;
1018 	struct eapol_state_machine *sm = sta->eapol_sm;
1019 	if (sm == NULL)
1020 		return;
1021 
1022 	keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1023 				      shared_secret_len);
1024 
1025 	if (keys && keys->send && keys->recv) {
1026 		size_t len = keys->send_len + keys->recv_len;
1027 		wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1028 				keys->send, keys->send_len);
1029 		wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1030 				keys->recv, keys->recv_len);
1031 
1032 		os_free(sm->eap_if->aaaEapKeyData);
1033 		sm->eap_if->aaaEapKeyData = os_malloc(len);
1034 		if (sm->eap_if->aaaEapKeyData) {
1035 			os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1036 				  keys->recv_len);
1037 			os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1038 				  keys->send, keys->send_len);
1039 			sm->eap_if->aaaEapKeyDataLen = len;
1040 			sm->eap_if->aaaEapKeyAvailable = TRUE;
1041 		}
1042 	}
1043 
1044 	if (keys) {
1045 		os_free(keys->send);
1046 		os_free(keys->recv);
1047 		os_free(keys);
1048 	}
1049 }
1050 
1051 
1052 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1053 					  struct sta_info *sta,
1054 					  struct radius_msg *msg)
1055 {
1056 	u8 *class;
1057 	size_t class_len;
1058 	struct eapol_state_machine *sm = sta->eapol_sm;
1059 	int count, i;
1060 	struct radius_attr_data *nclass;
1061 	size_t nclass_count;
1062 
1063 	if (!hapd->conf->radius->acct_server || hapd->radius == NULL ||
1064 	    sm == NULL)
1065 		return;
1066 
1067 	radius_free_class(&sm->radius_class);
1068 	count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1069 	if (count <= 0)
1070 		return;
1071 
1072 	nclass = os_zalloc(count * sizeof(struct radius_attr_data));
1073 	if (nclass == NULL)
1074 		return;
1075 
1076 	nclass_count = 0;
1077 
1078 	class = NULL;
1079 	for (i = 0; i < count; i++) {
1080 		do {
1081 			if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1082 						    &class, &class_len,
1083 						    class) < 0) {
1084 				i = count;
1085 				break;
1086 			}
1087 		} while (class_len < 1);
1088 
1089 		nclass[nclass_count].data = os_malloc(class_len);
1090 		if (nclass[nclass_count].data == NULL)
1091 			break;
1092 
1093 		os_memcpy(nclass[nclass_count].data, class, class_len);
1094 		nclass[nclass_count].len = class_len;
1095 		nclass_count++;
1096 	}
1097 
1098 	sm->radius_class.attr = nclass;
1099 	sm->radius_class.count = nclass_count;
1100 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
1101 		   "attributes for " MACSTR,
1102 		   (unsigned long) sm->radius_class.count,
1103 		   MAC2STR(sta->addr));
1104 }
1105 
1106 
1107 /* Update sta->identity based on User-Name attribute in Access-Accept */
1108 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1109 					   struct sta_info *sta,
1110 					   struct radius_msg *msg)
1111 {
1112 	u8 *buf, *identity;
1113 	size_t len;
1114 	struct eapol_state_machine *sm = sta->eapol_sm;
1115 
1116 	if (sm == NULL)
1117 		return;
1118 
1119 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1120 				    NULL) < 0)
1121 		return;
1122 
1123 	identity = os_malloc(len + 1);
1124 	if (identity == NULL)
1125 		return;
1126 
1127 	os_memcpy(identity, buf, len);
1128 	identity[len] = '\0';
1129 
1130 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1131 		       HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
1132 		       "User-Name from Access-Accept '%s'",
1133 		       sm->identity ? (char *) sm->identity : "N/A",
1134 		       (char *) identity);
1135 
1136 	os_free(sm->identity);
1137 	sm->identity = identity;
1138 	sm->identity_len = len;
1139 }
1140 
1141 
1142 struct sta_id_search {
1143 	u8 identifier;
1144 	struct eapol_state_machine *sm;
1145 };
1146 
1147 
1148 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1149 					       struct sta_info *sta,
1150 					       void *ctx)
1151 {
1152 	struct sta_id_search *id_search = ctx;
1153 	struct eapol_state_machine *sm = sta->eapol_sm;
1154 
1155 	if (sm && sm->radius_identifier >= 0 &&
1156 	    sm->radius_identifier == id_search->identifier) {
1157 		id_search->sm = sm;
1158 		return 1;
1159 	}
1160 	return 0;
1161 }
1162 
1163 
1164 static struct eapol_state_machine *
1165 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1166 {
1167 	struct sta_id_search id_search;
1168 	id_search.identifier = identifier;
1169 	id_search.sm = NULL;
1170 	ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1171 	return id_search.sm;
1172 }
1173 
1174 
1175 /**
1176  * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1177  * @msg: RADIUS response message
1178  * @req: RADIUS request message
1179  * @shared_secret: RADIUS shared secret
1180  * @shared_secret_len: Length of shared_secret in octets
1181  * @data: Context data (struct hostapd_data *)
1182  * Returns: Processing status
1183  */
1184 static RadiusRxResult
1185 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
1186 			const u8 *shared_secret, size_t shared_secret_len,
1187 			void *data)
1188 {
1189 	struct hostapd_data *hapd = data;
1190 	struct sta_info *sta;
1191 	u32 session_timeout = 0, termination_action, acct_interim_interval;
1192 	int session_timeout_set, old_vlanid = 0;
1193 	struct eapol_state_machine *sm;
1194 	int override_eapReq = 0;
1195 	struct radius_hdr *hdr = radius_msg_get_hdr(msg);
1196 
1197 	sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
1198 	if (sm == NULL) {
1199 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
1200 			   "station for this RADIUS message");
1201 		return RADIUS_RX_UNKNOWN;
1202 	}
1203 	sta = sm->sta;
1204 
1205 	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1206 	 * present when packet contains an EAP-Message attribute */
1207 	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
1208 	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
1209 				0) < 0 &&
1210 	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
1211 		wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
1212 			   "Message-Authenticator since it does not include "
1213 			   "EAP-Message");
1214 	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
1215 				     req, 1)) {
1216 		printf("Incoming RADIUS packet did not have correct "
1217 		       "Message-Authenticator - dropped\n");
1218 		return RADIUS_RX_INVALID_AUTHENTICATOR;
1219 	}
1220 
1221 	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
1222 	    hdr->code != RADIUS_CODE_ACCESS_REJECT &&
1223 	    hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
1224 		printf("Unknown RADIUS message code\n");
1225 		return RADIUS_RX_UNKNOWN;
1226 	}
1227 
1228 	sm->radius_identifier = -1;
1229 	wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
1230 		   MAC2STR(sta->addr));
1231 
1232 	radius_msg_free(sm->last_recv_radius);
1233 	sm->last_recv_radius = msg;
1234 
1235 	session_timeout_set =
1236 		!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
1237 					   &session_timeout);
1238 	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
1239 				      &termination_action))
1240 		termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
1241 
1242 	if (hapd->conf->acct_interim_interval == 0 &&
1243 	    hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
1244 	    radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
1245 				      &acct_interim_interval) == 0) {
1246 		if (acct_interim_interval < 60) {
1247 			hostapd_logger(hapd, sta->addr,
1248 				       HOSTAPD_MODULE_IEEE8021X,
1249 				       HOSTAPD_LEVEL_INFO,
1250 				       "ignored too small "
1251 				       "Acct-Interim-Interval %d",
1252 				       acct_interim_interval);
1253 		} else
1254 			sta->acct_interim_interval = acct_interim_interval;
1255 	}
1256 
1257 
1258 	switch (hdr->code) {
1259 	case RADIUS_CODE_ACCESS_ACCEPT:
1260 		if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
1261 			sta->vlan_id = 0;
1262 #ifndef CONFIG_NO_VLAN
1263 		else {
1264 			old_vlanid = sta->vlan_id;
1265 			sta->vlan_id = radius_msg_get_vlanid(msg);
1266 		}
1267 		if (sta->vlan_id > 0 &&
1268 		    hostapd_get_vlan_id_ifname(hapd->conf->vlan,
1269 					       sta->vlan_id)) {
1270 			hostapd_logger(hapd, sta->addr,
1271 				       HOSTAPD_MODULE_RADIUS,
1272 				       HOSTAPD_LEVEL_INFO,
1273 				       "VLAN ID %d", sta->vlan_id);
1274 		} else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
1275 			sta->eapol_sm->authFail = TRUE;
1276 			hostapd_logger(hapd, sta->addr,
1277 				       HOSTAPD_MODULE_IEEE8021X,
1278 				       HOSTAPD_LEVEL_INFO, "authentication "
1279 				       "server did not include required VLAN "
1280 				       "ID in Access-Accept");
1281 			break;
1282 		}
1283 #endif /* CONFIG_NO_VLAN */
1284 
1285 		if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
1286 			break;
1287 
1288 		/* RFC 3580, Ch. 3.17 */
1289 		if (session_timeout_set && termination_action ==
1290 		    RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
1291 			sm->reAuthPeriod = session_timeout;
1292 		} else if (session_timeout_set)
1293 			ap_sta_session_timeout(hapd, sta, session_timeout);
1294 
1295 		sm->eap_if->aaaSuccess = TRUE;
1296 		override_eapReq = 1;
1297 		ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
1298 				    shared_secret_len);
1299 		ieee802_1x_store_radius_class(hapd, sta, msg);
1300 		ieee802_1x_update_sta_identity(hapd, sta, msg);
1301 		if (sm->eap_if->eapKeyAvailable &&
1302 		    wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt,
1303 				       session_timeout_set ?
1304 				       (int) session_timeout : -1, sm) == 0) {
1305 			hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1306 				       HOSTAPD_LEVEL_DEBUG,
1307 				       "Added PMKSA cache entry");
1308 		}
1309 		break;
1310 	case RADIUS_CODE_ACCESS_REJECT:
1311 		sm->eap_if->aaaFail = TRUE;
1312 		override_eapReq = 1;
1313 		break;
1314 	case RADIUS_CODE_ACCESS_CHALLENGE:
1315 		sm->eap_if->aaaEapReq = TRUE;
1316 		if (session_timeout_set) {
1317 			/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
1318 			sm->eap_if->aaaMethodTimeout = session_timeout;
1319 			hostapd_logger(hapd, sm->addr,
1320 				       HOSTAPD_MODULE_IEEE8021X,
1321 				       HOSTAPD_LEVEL_DEBUG,
1322 				       "using EAP timeout of %d seconds (from "
1323 				       "RADIUS)",
1324 				       sm->eap_if->aaaMethodTimeout);
1325 		} else {
1326 			/*
1327 			 * Use dynamic retransmission behavior per EAP
1328 			 * specification.
1329 			 */
1330 			sm->eap_if->aaaMethodTimeout = 0;
1331 		}
1332 		break;
1333 	}
1334 
1335 	ieee802_1x_decapsulate_radius(hapd, sta);
1336 	if (override_eapReq)
1337 		sm->eap_if->aaaEapReq = FALSE;
1338 
1339 	eapol_auth_step(sm);
1340 
1341 	return RADIUS_RX_QUEUED;
1342 }
1343 #endif /* CONFIG_NO_RADIUS */
1344 
1345 
1346 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
1347 {
1348 	struct eapol_state_machine *sm = sta->eapol_sm;
1349 	if (sm == NULL)
1350 		return;
1351 
1352 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1353 		       HOSTAPD_LEVEL_DEBUG, "aborting authentication");
1354 
1355 #ifndef CONFIG_NO_RADIUS
1356 	radius_msg_free(sm->last_recv_radius);
1357 	sm->last_recv_radius = NULL;
1358 #endif /* CONFIG_NO_RADIUS */
1359 
1360 	if (sm->eap_if->eapTimeout) {
1361 		/*
1362 		 * Disconnect the STA since it did not reply to the last EAP
1363 		 * request and we cannot continue EAP processing (EAP-Failure
1364 		 * could only be sent if the EAP peer actually replied).
1365 		 */
1366 		sm->eap_if->portEnabled = FALSE;
1367 		ap_sta_disconnect(hapd, sta, sta->addr,
1368 				  WLAN_REASON_PREV_AUTH_NOT_VALID);
1369 	}
1370 }
1371 
1372 
1373 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
1374 {
1375 	struct eapol_authenticator *eapol = hapd->eapol_auth;
1376 
1377 	if (hapd->conf->default_wep_key_len < 1)
1378 		return 0;
1379 
1380 	os_free(eapol->default_wep_key);
1381 	eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
1382 	if (eapol->default_wep_key == NULL ||
1383 	    os_get_random(eapol->default_wep_key,
1384 			  hapd->conf->default_wep_key_len)) {
1385 		printf("Could not generate random WEP key.\n");
1386 		os_free(eapol->default_wep_key);
1387 		eapol->default_wep_key = NULL;
1388 		return -1;
1389 	}
1390 
1391 	wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
1392 			eapol->default_wep_key,
1393 			hapd->conf->default_wep_key_len);
1394 
1395 	return 0;
1396 }
1397 
1398 
1399 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
1400 					struct sta_info *sta, void *ctx)
1401 {
1402 	if (sta->eapol_sm) {
1403 		sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1404 		eapol_auth_step(sta->eapol_sm);
1405 	}
1406 	return 0;
1407 }
1408 
1409 
1410 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx)
1411 {
1412 	struct hostapd_data *hapd = eloop_ctx;
1413 	struct eapol_authenticator *eapol = hapd->eapol_auth;
1414 
1415 	if (eapol->default_wep_key_idx >= 3)
1416 		eapol->default_wep_key_idx =
1417 			hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
1418 	else
1419 		eapol->default_wep_key_idx++;
1420 
1421 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
1422 		   eapol->default_wep_key_idx);
1423 
1424 	if (ieee802_1x_rekey_broadcast(hapd)) {
1425 		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1426 			       HOSTAPD_LEVEL_WARNING, "failed to generate a "
1427 			       "new broadcast key");
1428 		os_free(eapol->default_wep_key);
1429 		eapol->default_wep_key = NULL;
1430 		return;
1431 	}
1432 
1433 	/* TODO: Could setup key for RX here, but change default TX keyid only
1434 	 * after new broadcast key has been sent to all stations. */
1435 	if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, NULL,
1436 			      eapol->default_wep_key_idx, 1, NULL, 0,
1437 			      eapol->default_wep_key,
1438 			      hapd->conf->default_wep_key_len)) {
1439 		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1440 			       HOSTAPD_LEVEL_WARNING, "failed to configure a "
1441 			       "new broadcast key");
1442 		os_free(eapol->default_wep_key);
1443 		eapol->default_wep_key = NULL;
1444 		return;
1445 	}
1446 
1447 	ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
1448 
1449 	if (hapd->conf->wep_rekeying_period > 0) {
1450 		eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
1451 				       ieee802_1x_rekey, hapd, NULL);
1452 	}
1453 }
1454 
1455 
1456 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type,
1457 				  const u8 *data, size_t datalen)
1458 {
1459 #ifdef CONFIG_WPS
1460 	struct sta_info *sta = sta_ctx;
1461 
1462 	if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
1463 	    WLAN_STA_MAYBE_WPS) {
1464 		const u8 *identity;
1465 		size_t identity_len;
1466 		struct eapol_state_machine *sm = sta->eapol_sm;
1467 
1468 		identity = eap_get_identity(sm->eap, &identity_len);
1469 		if (identity &&
1470 		    ((identity_len == WSC_ID_ENROLLEE_LEN &&
1471 		      os_memcmp(identity, WSC_ID_ENROLLEE,
1472 				WSC_ID_ENROLLEE_LEN) == 0) ||
1473 		     (identity_len == WSC_ID_REGISTRAR_LEN &&
1474 		      os_memcmp(identity, WSC_ID_REGISTRAR,
1475 				WSC_ID_REGISTRAR_LEN) == 0))) {
1476 			wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
1477 				   "WLAN_STA_WPS");
1478 			sta->flags |= WLAN_STA_WPS;
1479 		}
1480 	}
1481 #endif /* CONFIG_WPS */
1482 
1483 	ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
1484 }
1485 
1486 
1487 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx,
1488 				const u8 *data, size_t datalen)
1489 {
1490 #ifndef CONFIG_NO_RADIUS
1491 	struct hostapd_data *hapd = ctx;
1492 	struct sta_info *sta = sta_ctx;
1493 
1494 	ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
1495 #endif /* CONFIG_NO_RADIUS */
1496 }
1497 
1498 
1499 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success,
1500 				 int preauth)
1501 {
1502 	struct hostapd_data *hapd = ctx;
1503 	struct sta_info *sta = sta_ctx;
1504 	if (preauth)
1505 		rsn_preauth_finished(hapd, sta, success);
1506 	else
1507 		ieee802_1x_finished(hapd, sta, success);
1508 }
1509 
1510 
1511 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity,
1512 				   size_t identity_len, int phase2,
1513 				   struct eap_user *user)
1514 {
1515 	struct hostapd_data *hapd = ctx;
1516 	const struct hostapd_eap_user *eap_user;
1517 	int i, count;
1518 
1519 	eap_user = hostapd_get_eap_user(hapd->conf, identity,
1520 					identity_len, phase2);
1521 	if (eap_user == NULL)
1522 		return -1;
1523 
1524 	os_memset(user, 0, sizeof(*user));
1525 	user->phase2 = phase2;
1526 	count = EAP_USER_MAX_METHODS;
1527 	if (count > EAP_MAX_METHODS)
1528 		count = EAP_MAX_METHODS;
1529 	for (i = 0; i < count; i++) {
1530 		user->methods[i].vendor = eap_user->methods[i].vendor;
1531 		user->methods[i].method = eap_user->methods[i].method;
1532 	}
1533 
1534 	if (eap_user->password) {
1535 		user->password = os_malloc(eap_user->password_len);
1536 		if (user->password == NULL)
1537 			return -1;
1538 		os_memcpy(user->password, eap_user->password,
1539 			  eap_user->password_len);
1540 		user->password_len = eap_user->password_len;
1541 	}
1542 	user->force_version = eap_user->force_version;
1543 	user->ttls_auth = eap_user->ttls_auth;
1544 
1545 	return 0;
1546 }
1547 
1548 
1549 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr)
1550 {
1551 	struct hostapd_data *hapd = ctx;
1552 	struct sta_info *sta;
1553 	sta = ap_get_sta(hapd, addr);
1554 	if (sta == NULL || sta->eapol_sm == NULL)
1555 		return 0;
1556 	return 1;
1557 }
1558 
1559 
1560 static void ieee802_1x_logger(void *ctx, const u8 *addr,
1561 			      eapol_logger_level level, const char *txt)
1562 {
1563 #ifndef CONFIG_NO_HOSTAPD_LOGGER
1564 	struct hostapd_data *hapd = ctx;
1565 	int hlevel;
1566 
1567 	switch (level) {
1568 	case EAPOL_LOGGER_WARNING:
1569 		hlevel = HOSTAPD_LEVEL_WARNING;
1570 		break;
1571 	case EAPOL_LOGGER_INFO:
1572 		hlevel = HOSTAPD_LEVEL_INFO;
1573 		break;
1574 	case EAPOL_LOGGER_DEBUG:
1575 	default:
1576 		hlevel = HOSTAPD_LEVEL_DEBUG;
1577 		break;
1578 	}
1579 
1580 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
1581 		       txt);
1582 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
1583 }
1584 
1585 
1586 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx,
1587 					   int authorized)
1588 {
1589 	struct hostapd_data *hapd = ctx;
1590 	struct sta_info *sta = sta_ctx;
1591 	ieee802_1x_set_sta_authorized(hapd, sta, authorized);
1592 }
1593 
1594 
1595 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx)
1596 {
1597 	struct hostapd_data *hapd = ctx;
1598 	struct sta_info *sta = sta_ctx;
1599 	ieee802_1x_abort_auth(hapd, sta);
1600 }
1601 
1602 
1603 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx)
1604 {
1605 	struct hostapd_data *hapd = ctx;
1606 	struct sta_info *sta = sta_ctx;
1607 	ieee802_1x_tx_key(hapd, sta);
1608 }
1609 
1610 
1611 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx,
1612 				   enum eapol_event type)
1613 {
1614 	/* struct hostapd_data *hapd = ctx; */
1615 	struct sta_info *sta = sta_ctx;
1616 	switch (type) {
1617 	case EAPOL_AUTH_SM_CHANGE:
1618 		wpa_auth_sm_notify(sta->wpa_sm);
1619 		break;
1620 	case EAPOL_AUTH_REAUTHENTICATE:
1621 		wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
1622 		break;
1623 	}
1624 }
1625 
1626 
1627 int ieee802_1x_init(struct hostapd_data *hapd)
1628 {
1629 	int i;
1630 	struct eapol_auth_config conf;
1631 	struct eapol_auth_cb cb;
1632 
1633 	os_memset(&conf, 0, sizeof(conf));
1634 	conf.ctx = hapd;
1635 	conf.eap_reauth_period = hapd->conf->eap_reauth_period;
1636 	conf.wpa = hapd->conf->wpa;
1637 	conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
1638 	conf.eap_server = hapd->conf->eap_server;
1639 	conf.ssl_ctx = hapd->ssl_ctx;
1640 	conf.msg_ctx = hapd->msg_ctx;
1641 	conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
1642 	conf.eap_req_id_text = hapd->conf->eap_req_id_text;
1643 	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
1644 	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
1645 	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
1646 	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
1647 	conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
1648 	conf.eap_fast_prov = hapd->conf->eap_fast_prov;
1649 	conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
1650 	conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
1651 	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
1652 	conf.tnc = hapd->conf->tnc;
1653 	conf.wps = hapd->wps;
1654 
1655 	os_memset(&cb, 0, sizeof(cb));
1656 	cb.eapol_send = ieee802_1x_eapol_send;
1657 	cb.aaa_send = ieee802_1x_aaa_send;
1658 	cb.finished = _ieee802_1x_finished;
1659 	cb.get_eap_user = ieee802_1x_get_eap_user;
1660 	cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
1661 	cb.logger = ieee802_1x_logger;
1662 	cb.set_port_authorized = ieee802_1x_set_port_authorized;
1663 	cb.abort_auth = _ieee802_1x_abort_auth;
1664 	cb.tx_key = _ieee802_1x_tx_key;
1665 	cb.eapol_event = ieee802_1x_eapol_event;
1666 
1667 	hapd->eapol_auth = eapol_auth_init(&conf, &cb);
1668 	if (hapd->eapol_auth == NULL)
1669 		return -1;
1670 
1671 	if ((hapd->conf->ieee802_1x || hapd->conf->wpa) &&
1672 	    hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
1673 		return -1;
1674 
1675 #ifndef CONFIG_NO_RADIUS
1676 	if (radius_client_register(hapd->radius, RADIUS_AUTH,
1677 				   ieee802_1x_receive_auth, hapd))
1678 		return -1;
1679 #endif /* CONFIG_NO_RADIUS */
1680 
1681 	if (hapd->conf->default_wep_key_len) {
1682 		for (i = 0; i < 4; i++)
1683 			hapd->drv.set_key(hapd->conf->iface, hapd,
1684 					  WPA_ALG_NONE, NULL, i, 0, NULL, 0,
1685 					  NULL, 0);
1686 
1687 		ieee802_1x_rekey(hapd, NULL);
1688 
1689 		if (hapd->eapol_auth->default_wep_key == NULL)
1690 			return -1;
1691 	}
1692 
1693 	return 0;
1694 }
1695 
1696 
1697 void ieee802_1x_deinit(struct hostapd_data *hapd)
1698 {
1699 	eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
1700 
1701 	if (hapd->driver != NULL &&
1702 	    (hapd->conf->ieee802_1x || hapd->conf->wpa))
1703 		hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
1704 
1705 	eapol_auth_deinit(hapd->eapol_auth);
1706 	hapd->eapol_auth = NULL;
1707 }
1708 
1709 
1710 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
1711 			 const u8 *buf, size_t len, int ack)
1712 {
1713 	struct ieee80211_hdr *hdr;
1714 	struct ieee802_1x_hdr *xhdr;
1715 	struct ieee802_1x_eapol_key *key;
1716 	u8 *pos;
1717 	const unsigned char rfc1042_hdr[ETH_ALEN] =
1718 		{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
1719 
1720 	if (sta == NULL)
1721 		return -1;
1722 	if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr))
1723 		return 0;
1724 
1725 	hdr = (struct ieee80211_hdr *) buf;
1726 	pos = (u8 *) (hdr + 1);
1727 	if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
1728 		return 0;
1729 	pos += sizeof(rfc1042_hdr);
1730 	if (WPA_GET_BE16(pos) != ETH_P_PAE)
1731 		return 0;
1732 	pos += 2;
1733 
1734 	xhdr = (struct ieee802_1x_hdr *) pos;
1735 	pos += sizeof(*xhdr);
1736 
1737 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
1738 		   "type=%d length=%d - ack=%d",
1739 		   MAC2STR(sta->addr), xhdr->version, xhdr->type,
1740 		   be_to_host16(xhdr->length), ack);
1741 
1742 	/* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
1743 	 * or Authenticator state machines, but EAPOL-Key packets are not
1744 	 * retransmitted in case of failure. Try to re-sent failed EAPOL-Key
1745 	 * packets couple of times because otherwise STA keys become
1746 	 * unsynchronized with AP. */
1747 	if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack &&
1748 	    pos + sizeof(*key) <= buf + len) {
1749 		key = (struct ieee802_1x_eapol_key *) pos;
1750 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1751 			       HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
1752 			       "frame (%scast index=%d)",
1753 			       key->key_index & BIT(7) ? "uni" : "broad",
1754 			       key->key_index & ~BIT(7));
1755 		/* TODO: re-send EAPOL-Key couple of times (with short delay
1756 		 * between them?). If all attempt fail, report error and
1757 		 * deauthenticate STA so that it will get new keys when
1758 		 * authenticating again (e.g., after returning in range).
1759 		 * Separate limit/transmit state needed both for unicast and
1760 		 * broadcast keys(?) */
1761 	}
1762 	/* TODO: could move unicast key configuration from ieee802_1x_tx_key()
1763 	 * to here and change the key only if the EAPOL-Key packet was Acked.
1764 	 */
1765 
1766 	return 1;
1767 }
1768 
1769 
1770 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len)
1771 {
1772 	if (sm == NULL || sm->identity == NULL)
1773 		return NULL;
1774 
1775 	*len = sm->identity_len;
1776 	return sm->identity;
1777 }
1778 
1779 
1780 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len,
1781 				 int idx)
1782 {
1783 	if (sm == NULL || sm->radius_class.attr == NULL ||
1784 	    idx >= (int) sm->radius_class.count)
1785 		return NULL;
1786 
1787 	*len = sm->radius_class.attr[idx].len;
1788 	return sm->radius_class.attr[idx].data;
1789 }
1790 
1791 
1792 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len)
1793 {
1794 	if (sm == NULL)
1795 		return NULL;
1796 
1797 	*len = sm->eap_if->eapKeyDataLen;
1798 	return sm->eap_if->eapKeyData;
1799 }
1800 
1801 
1802 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
1803 				    int enabled)
1804 {
1805 	if (sm == NULL)
1806 		return;
1807 	sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
1808 	eapol_auth_step(sm);
1809 }
1810 
1811 
1812 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
1813 				  int valid)
1814 {
1815 	if (sm == NULL)
1816 		return;
1817 	sm->portValid = valid ? TRUE : FALSE;
1818 	eapol_auth_step(sm);
1819 }
1820 
1821 
1822 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
1823 {
1824 	if (sm == NULL)
1825 		return;
1826 	if (pre_auth)
1827 		sm->flags |= EAPOL_SM_PREAUTH;
1828 	else
1829 		sm->flags &= ~EAPOL_SM_PREAUTH;
1830 }
1831 
1832 
1833 static const char * bool_txt(Boolean bool)
1834 {
1835 	return bool ? "TRUE" : "FALSE";
1836 }
1837 
1838 
1839 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
1840 {
1841 	/* TODO */
1842 	return 0;
1843 }
1844 
1845 
1846 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
1847 			   char *buf, size_t buflen)
1848 {
1849 	int len = 0, ret;
1850 	struct eapol_state_machine *sm = sta->eapol_sm;
1851 
1852 	if (sm == NULL)
1853 		return 0;
1854 
1855 	ret = os_snprintf(buf + len, buflen - len,
1856 			  "dot1xPaePortNumber=%d\n"
1857 			  "dot1xPaePortProtocolVersion=%d\n"
1858 			  "dot1xPaePortCapabilities=1\n"
1859 			  "dot1xPaePortInitialize=%d\n"
1860 			  "dot1xPaePortReauthenticate=FALSE\n",
1861 			  sta->aid,
1862 			  EAPOL_VERSION,
1863 			  sm->initialize);
1864 	if (ret < 0 || (size_t) ret >= buflen - len)
1865 		return len;
1866 	len += ret;
1867 
1868 	/* dot1xAuthConfigTable */
1869 	ret = os_snprintf(buf + len, buflen - len,
1870 			  "dot1xAuthPaeState=%d\n"
1871 			  "dot1xAuthBackendAuthState=%d\n"
1872 			  "dot1xAuthAdminControlledDirections=%d\n"
1873 			  "dot1xAuthOperControlledDirections=%d\n"
1874 			  "dot1xAuthAuthControlledPortStatus=%d\n"
1875 			  "dot1xAuthAuthControlledPortControl=%d\n"
1876 			  "dot1xAuthQuietPeriod=%u\n"
1877 			  "dot1xAuthServerTimeout=%u\n"
1878 			  "dot1xAuthReAuthPeriod=%u\n"
1879 			  "dot1xAuthReAuthEnabled=%s\n"
1880 			  "dot1xAuthKeyTxEnabled=%s\n",
1881 			  sm->auth_pae_state + 1,
1882 			  sm->be_auth_state + 1,
1883 			  sm->adminControlledDirections,
1884 			  sm->operControlledDirections,
1885 			  sm->authPortStatus,
1886 			  sm->portControl,
1887 			  sm->quietPeriod,
1888 			  sm->serverTimeout,
1889 			  sm->reAuthPeriod,
1890 			  bool_txt(sm->reAuthEnabled),
1891 			  bool_txt(sm->keyTxEnabled));
1892 	if (ret < 0 || (size_t) ret >= buflen - len)
1893 		return len;
1894 	len += ret;
1895 
1896 	/* dot1xAuthStatsTable */
1897 	ret = os_snprintf(buf + len, buflen - len,
1898 			  "dot1xAuthEapolFramesRx=%u\n"
1899 			  "dot1xAuthEapolFramesTx=%u\n"
1900 			  "dot1xAuthEapolStartFramesRx=%u\n"
1901 			  "dot1xAuthEapolLogoffFramesRx=%u\n"
1902 			  "dot1xAuthEapolRespIdFramesRx=%u\n"
1903 			  "dot1xAuthEapolRespFramesRx=%u\n"
1904 			  "dot1xAuthEapolReqIdFramesTx=%u\n"
1905 			  "dot1xAuthEapolReqFramesTx=%u\n"
1906 			  "dot1xAuthInvalidEapolFramesRx=%u\n"
1907 			  "dot1xAuthEapLengthErrorFramesRx=%u\n"
1908 			  "dot1xAuthLastEapolFrameVersion=%u\n"
1909 			  "dot1xAuthLastEapolFrameSource=" MACSTR "\n",
1910 			  sm->dot1xAuthEapolFramesRx,
1911 			  sm->dot1xAuthEapolFramesTx,
1912 			  sm->dot1xAuthEapolStartFramesRx,
1913 			  sm->dot1xAuthEapolLogoffFramesRx,
1914 			  sm->dot1xAuthEapolRespIdFramesRx,
1915 			  sm->dot1xAuthEapolRespFramesRx,
1916 			  sm->dot1xAuthEapolReqIdFramesTx,
1917 			  sm->dot1xAuthEapolReqFramesTx,
1918 			  sm->dot1xAuthInvalidEapolFramesRx,
1919 			  sm->dot1xAuthEapLengthErrorFramesRx,
1920 			  sm->dot1xAuthLastEapolFrameVersion,
1921 			  MAC2STR(sm->addr));
1922 	if (ret < 0 || (size_t) ret >= buflen - len)
1923 		return len;
1924 	len += ret;
1925 
1926 	/* dot1xAuthDiagTable */
1927 	ret = os_snprintf(buf + len, buflen - len,
1928 			  "dot1xAuthEntersConnecting=%u\n"
1929 			  "dot1xAuthEapLogoffsWhileConnecting=%u\n"
1930 			  "dot1xAuthEntersAuthenticating=%u\n"
1931 			  "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
1932 			  "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
1933 			  "dot1xAuthAuthFailWhileAuthenticating=%u\n"
1934 			  "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
1935 			  "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
1936 			  "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
1937 			  "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
1938 			  "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
1939 			  "dot1xAuthBackendResponses=%u\n"
1940 			  "dot1xAuthBackendAccessChallenges=%u\n"
1941 			  "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
1942 			  "dot1xAuthBackendAuthSuccesses=%u\n"
1943 			  "dot1xAuthBackendAuthFails=%u\n",
1944 			  sm->authEntersConnecting,
1945 			  sm->authEapLogoffsWhileConnecting,
1946 			  sm->authEntersAuthenticating,
1947 			  sm->authAuthSuccessesWhileAuthenticating,
1948 			  sm->authAuthTimeoutsWhileAuthenticating,
1949 			  sm->authAuthFailWhileAuthenticating,
1950 			  sm->authAuthEapStartsWhileAuthenticating,
1951 			  sm->authAuthEapLogoffWhileAuthenticating,
1952 			  sm->authAuthReauthsWhileAuthenticated,
1953 			  sm->authAuthEapStartsWhileAuthenticated,
1954 			  sm->authAuthEapLogoffWhileAuthenticated,
1955 			  sm->backendResponses,
1956 			  sm->backendAccessChallenges,
1957 			  sm->backendOtherRequestsToSupplicant,
1958 			  sm->backendAuthSuccesses,
1959 			  sm->backendAuthFails);
1960 	if (ret < 0 || (size_t) ret >= buflen - len)
1961 		return len;
1962 	len += ret;
1963 
1964 	/* dot1xAuthSessionStatsTable */
1965 	ret = os_snprintf(buf + len, buflen - len,
1966 			  /* TODO: dot1xAuthSessionOctetsRx */
1967 			  /* TODO: dot1xAuthSessionOctetsTx */
1968 			  /* TODO: dot1xAuthSessionFramesRx */
1969 			  /* TODO: dot1xAuthSessionFramesTx */
1970 			  "dot1xAuthSessionId=%08X-%08X\n"
1971 			  "dot1xAuthSessionAuthenticMethod=%d\n"
1972 			  "dot1xAuthSessionTime=%u\n"
1973 			  "dot1xAuthSessionTerminateCause=999\n"
1974 			  "dot1xAuthSessionUserName=%s\n",
1975 			  sta->acct_session_id_hi, sta->acct_session_id_lo,
1976 			  (wpa_key_mgmt_wpa_ieee8021x(
1977 				   wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
1978 			  1 : 2,
1979 			  (unsigned int) (time(NULL) -
1980 					  sta->acct_session_start),
1981 			  sm->identity);
1982 	if (ret < 0 || (size_t) ret >= buflen - len)
1983 		return len;
1984 	len += ret;
1985 
1986 	return len;
1987 }
1988 
1989 
1990 static void ieee802_1x_finished(struct hostapd_data *hapd,
1991 				struct sta_info *sta, int success)
1992 {
1993 	const u8 *key;
1994 	size_t len;
1995 	/* TODO: get PMKLifetime from WPA parameters */
1996 	static const int dot11RSNAConfigPMKLifetime = 43200;
1997 
1998 	key = ieee802_1x_get_key(sta->eapol_sm, &len);
1999 	if (success && key && len >= PMK_LEN &&
2000 	    wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
2001 			       sta->eapol_sm) == 0) {
2002 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
2003 			       HOSTAPD_LEVEL_DEBUG,
2004 			       "Added PMKSA cache entry (IEEE 802.1X)");
2005 	}
2006 
2007 #ifdef CONFIG_WPS
2008 	if (!success && (sta->flags & WLAN_STA_WPS)) {
2009 		/*
2010 		 * Many devices require deauthentication after WPS provisioning
2011 		 * and some may not be be able to do that themselves, so
2012 		 * disconnect the client here.
2013 		 */
2014 		wpa_printf(MSG_DEBUG, "WPS: Force disconnection after "
2015 			   "EAP-Failure");
2016 		/* Add a small sleep to increase likelihood of previously
2017 		 * requested EAP-Failure TX getting out before this should the
2018 		 * driver reorder operations.
2019 		 */
2020 		os_sleep(0, 10000);
2021 		ap_sta_disconnect(hapd, sta, sta->addr,
2022 				  WLAN_REASON_PREV_AUTH_NOT_VALID);
2023 	}
2024 #endif /* CONFIG_WPS */
2025 }
2026