1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "ieee802_1x.h" 33 34 35 static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41 { 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol( 70 hapd, sta->addr, buf, len, 71 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 72 } 73 74 os_free(buf); 75 } 76 77 78 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 79 struct sta_info *sta, int authorized) 80 { 81 int res; 82 83 if (sta->flags & WLAN_STA_PREAUTH) 84 return; 85 86 if (authorized) { 87 ap_sta_set_authorized(hapd, sta, 1); 88 res = hostapd_set_authorized(hapd, sta, 1); 89 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 90 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 91 } else { 92 ap_sta_set_authorized(hapd, sta, 0); 93 res = hostapd_set_authorized(hapd, sta, 0); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 96 } 97 98 if (res && errno != ENOENT) { 99 printf("Could not set station " MACSTR " flags for kernel " 100 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 101 } 102 103 if (authorized) { 104 os_get_time(&sta->connected_time); 105 accounting_sta_start(hapd, sta); 106 } 107 } 108 109 110 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 111 struct sta_info *sta, 112 int idx, int broadcast, 113 u8 *key_data, size_t key_len) 114 { 115 u8 *buf, *ekey; 116 struct ieee802_1x_hdr *hdr; 117 struct ieee802_1x_eapol_key *key; 118 size_t len, ekey_len; 119 struct eapol_state_machine *sm = sta->eapol_sm; 120 121 if (sm == NULL) 122 return; 123 124 len = sizeof(*key) + key_len; 125 buf = os_zalloc(sizeof(*hdr) + len); 126 if (buf == NULL) 127 return; 128 129 hdr = (struct ieee802_1x_hdr *) buf; 130 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 131 key->type = EAPOL_KEY_TYPE_RC4; 132 WPA_PUT_BE16(key->key_length, key_len); 133 wpa_get_ntp_timestamp(key->replay_counter); 134 135 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 136 wpa_printf(MSG_ERROR, "Could not get random numbers"); 137 os_free(buf); 138 return; 139 } 140 141 key->key_index = idx | (broadcast ? 0 : BIT(7)); 142 if (hapd->conf->eapol_key_index_workaround) { 143 /* According to some information, WinXP Supplicant seems to 144 * interpret bit7 as an indication whether the key is to be 145 * activated, so make it possible to enable workaround that 146 * sets this bit for all keys. */ 147 key->key_index |= BIT(7); 148 } 149 150 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 151 * MSK[32..63] is used to sign the message. */ 152 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 153 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 154 "and signing EAPOL-Key"); 155 os_free(buf); 156 return; 157 } 158 os_memcpy((u8 *) (key + 1), key_data, key_len); 159 ekey_len = sizeof(key->key_iv) + 32; 160 ekey = os_malloc(ekey_len); 161 if (ekey == NULL) { 162 wpa_printf(MSG_ERROR, "Could not encrypt key"); 163 os_free(buf); 164 return; 165 } 166 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 167 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 168 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 169 os_free(ekey); 170 171 /* This header is needed here for HMAC-MD5, but it will be regenerated 172 * in ieee802_1x_send() */ 173 hdr->version = hapd->conf->eapol_version; 174 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 175 hdr->length = host_to_be16(len); 176 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 177 key->key_signature); 178 179 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 180 " (%s index=%d)", MAC2STR(sm->addr), 181 broadcast ? "broadcast" : "unicast", idx); 182 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 183 if (sta->eapol_sm) 184 sta->eapol_sm->dot1xAuthEapolFramesTx++; 185 os_free(buf); 186 } 187 188 189 #ifndef CONFIG_NO_VLAN 190 static struct hostapd_wep_keys * 191 ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 192 { 193 struct hostapd_wep_keys *key; 194 195 key = os_zalloc(sizeof(*key)); 196 if (key == NULL) 197 return NULL; 198 199 key->default_len = hapd->conf->default_wep_key_len; 200 201 if (key->idx >= hapd->conf->broadcast_key_idx_max || 202 key->idx < hapd->conf->broadcast_key_idx_min) 203 key->idx = hapd->conf->broadcast_key_idx_min; 204 else 205 key->idx++; 206 207 if (!key->key[key->idx]) 208 key->key[key->idx] = os_malloc(key->default_len); 209 if (key->key[key->idx] == NULL || 210 random_get_bytes(key->key[key->idx], key->default_len)) { 211 printf("Could not generate random WEP key (dynamic VLAN).\n"); 212 os_free(key->key[key->idx]); 213 key->key[key->idx] = NULL; 214 os_free(key); 215 return NULL; 216 } 217 key->len[key->idx] = key->default_len; 218 219 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 220 ifname, key->idx); 221 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 222 key->key[key->idx], key->len[key->idx]); 223 224 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 225 broadcast_ether_addr, key->idx, 1, 226 NULL, 0, key->key[key->idx], 227 key->len[key->idx])) 228 printf("Could not set dynamic VLAN WEP encryption key.\n"); 229 230 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 231 232 return key; 233 } 234 235 236 static struct hostapd_wep_keys * 237 ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 238 size_t vlan_id) 239 { 240 const char *ifname; 241 242 if (vlan_id == 0) 243 return &ssid->wep; 244 245 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 246 ssid->dyn_vlan_keys[vlan_id]) 247 return ssid->dyn_vlan_keys[vlan_id]; 248 249 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 250 "state machine for VLAN ID %lu", 251 (unsigned long) vlan_id); 252 253 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 254 if (ifname == NULL) { 255 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 256 "cannot create group key state machine", 257 (unsigned long) vlan_id); 258 return NULL; 259 } 260 261 if (ssid->dyn_vlan_keys == NULL) { 262 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 263 ssid->dyn_vlan_keys = os_zalloc(size); 264 if (ssid->dyn_vlan_keys == NULL) 265 return NULL; 266 ssid->max_dyn_vlan_keys = vlan_id; 267 } 268 269 if (ssid->max_dyn_vlan_keys < vlan_id) { 270 struct hostapd_wep_keys **na; 271 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 272 na = os_realloc(ssid->dyn_vlan_keys, size); 273 if (na == NULL) 274 return NULL; 275 ssid->dyn_vlan_keys = na; 276 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 277 (vlan_id - ssid->max_dyn_vlan_keys) * 278 sizeof(ssid->dyn_vlan_keys[0])); 279 ssid->max_dyn_vlan_keys = vlan_id; 280 } 281 282 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 283 284 return ssid->dyn_vlan_keys[vlan_id]; 285 } 286 #endif /* CONFIG_NO_VLAN */ 287 288 289 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 290 { 291 struct eapol_authenticator *eapol = hapd->eapol_auth; 292 struct eapol_state_machine *sm = sta->eapol_sm; 293 #ifndef CONFIG_NO_VLAN 294 struct hostapd_wep_keys *key = NULL; 295 int vlan_id; 296 #endif /* CONFIG_NO_VLAN */ 297 298 if (sm == NULL || !sm->eap_if->eapKeyData) 299 return; 300 301 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 302 MAC2STR(sta->addr)); 303 304 #ifndef CONFIG_NO_VLAN 305 vlan_id = sta->vlan_id; 306 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 307 vlan_id = 0; 308 309 if (vlan_id) { 310 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 311 if (key && key->key[key->idx]) 312 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 313 key->key[key->idx], 314 key->len[key->idx]); 315 } else 316 #endif /* CONFIG_NO_VLAN */ 317 if (eapol->default_wep_key) { 318 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 319 eapol->default_wep_key, 320 hapd->conf->default_wep_key_len); 321 } 322 323 if (hapd->conf->individual_wep_key_len > 0) { 324 u8 *ikey; 325 ikey = os_malloc(hapd->conf->individual_wep_key_len); 326 if (ikey == NULL || 327 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 328 { 329 wpa_printf(MSG_ERROR, "Could not generate random " 330 "individual WEP key."); 331 os_free(ikey); 332 return; 333 } 334 335 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 336 ikey, hapd->conf->individual_wep_key_len); 337 338 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 339 hapd->conf->individual_wep_key_len); 340 341 /* TODO: set encryption in TX callback, i.e., only after STA 342 * has ACKed EAPOL-Key frame */ 343 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 344 sta->addr, 0, 1, NULL, 0, ikey, 345 hapd->conf->individual_wep_key_len)) { 346 wpa_printf(MSG_ERROR, "Could not set individual WEP " 347 "encryption."); 348 } 349 350 os_free(ikey); 351 } 352 } 353 354 355 const char *radius_mode_txt(struct hostapd_data *hapd) 356 { 357 switch (hapd->iface->conf->hw_mode) { 358 case HOSTAPD_MODE_IEEE80211AD: 359 return "802.11ad"; 360 case HOSTAPD_MODE_IEEE80211A: 361 return "802.11a"; 362 case HOSTAPD_MODE_IEEE80211G: 363 return "802.11g"; 364 case HOSTAPD_MODE_IEEE80211B: 365 default: 366 return "802.11b"; 367 } 368 } 369 370 371 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 372 { 373 int i; 374 u8 rate = 0; 375 376 for (i = 0; i < sta->supported_rates_len; i++) 377 if ((sta->supported_rates[i] & 0x7f) > rate) 378 rate = sta->supported_rates[i] & 0x7f; 379 380 return rate; 381 } 382 383 384 #ifndef CONFIG_NO_RADIUS 385 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 386 struct eapol_state_machine *sm, 387 const u8 *eap, size_t len) 388 { 389 const u8 *identity; 390 size_t identity_len; 391 392 if (len <= sizeof(struct eap_hdr) || 393 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 394 return; 395 396 identity = eap_get_identity(sm->eap, &identity_len); 397 if (identity == NULL) 398 return; 399 400 /* Save station identity for future RADIUS packets */ 401 os_free(sm->identity); 402 sm->identity = os_malloc(identity_len + 1); 403 if (sm->identity == NULL) { 404 sm->identity_len = 0; 405 return; 406 } 407 408 os_memcpy(sm->identity, identity, identity_len); 409 sm->identity_len = identity_len; 410 sm->identity[identity_len] = '\0'; 411 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 412 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 413 sm->dot1xAuthEapolRespIdFramesRx++; 414 } 415 416 417 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 418 struct hostapd_radius_attr *req_attr, 419 struct sta_info *sta, 420 struct radius_msg *msg) 421 { 422 char buf[128]; 423 424 if (!hostapd_config_get_radius_attr(req_attr, 425 RADIUS_ATTR_NAS_PORT) && 426 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 427 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 428 return -1; 429 } 430 431 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 432 MAC2STR(sta->addr)); 433 buf[sizeof(buf) - 1] = '\0'; 434 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 435 (u8 *) buf, os_strlen(buf))) { 436 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 437 return -1; 438 } 439 440 if (sta->flags & WLAN_STA_PREAUTH) { 441 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 442 sizeof(buf)); 443 } else { 444 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 445 radius_sta_rate(hapd, sta) / 2, 446 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 447 radius_mode_txt(hapd)); 448 buf[sizeof(buf) - 1] = '\0'; 449 } 450 if (!hostapd_config_get_radius_attr(req_attr, 451 RADIUS_ATTR_CONNECT_INFO) && 452 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 453 (u8 *) buf, os_strlen(buf))) { 454 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 455 return -1; 456 } 457 458 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 459 os_snprintf(buf, sizeof(buf), "%08X-%08X", 460 sta->acct_session_id_hi, sta->acct_session_id_lo); 461 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 462 (u8 *) buf, os_strlen(buf))) { 463 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 464 return -1; 465 } 466 } 467 468 return 0; 469 } 470 471 472 int add_common_radius_attr(struct hostapd_data *hapd, 473 struct hostapd_radius_attr *req_attr, 474 struct sta_info *sta, 475 struct radius_msg *msg) 476 { 477 char buf[128]; 478 struct hostapd_radius_attr *attr; 479 480 if (!hostapd_config_get_radius_attr(req_attr, 481 RADIUS_ATTR_NAS_IP_ADDRESS) && 482 hapd->conf->own_ip_addr.af == AF_INET && 483 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 484 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 485 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 486 return -1; 487 } 488 489 #ifdef CONFIG_IPV6 490 if (!hostapd_config_get_radius_attr(req_attr, 491 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 492 hapd->conf->own_ip_addr.af == AF_INET6 && 493 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 494 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 495 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 496 return -1; 497 } 498 #endif /* CONFIG_IPV6 */ 499 500 if (!hostapd_config_get_radius_attr(req_attr, 501 RADIUS_ATTR_NAS_IDENTIFIER) && 502 hapd->conf->nas_identifier && 503 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 504 (u8 *) hapd->conf->nas_identifier, 505 os_strlen(hapd->conf->nas_identifier))) { 506 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 507 return -1; 508 } 509 510 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 511 MAC2STR(hapd->own_addr), 512 wpa_ssid_txt(hapd->conf->ssid.ssid, 513 hapd->conf->ssid.ssid_len)); 514 buf[sizeof(buf) - 1] = '\0'; 515 if (!hostapd_config_get_radius_attr(req_attr, 516 RADIUS_ATTR_CALLED_STATION_ID) && 517 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 518 (u8 *) buf, os_strlen(buf))) { 519 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 520 return -1; 521 } 522 523 if (!hostapd_config_get_radius_attr(req_attr, 524 RADIUS_ATTR_NAS_PORT_TYPE) && 525 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 526 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 527 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 528 return -1; 529 } 530 531 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 532 return -1; 533 534 for (attr = req_attr; attr; attr = attr->next) { 535 if (!radius_msg_add_attr(msg, attr->type, 536 wpabuf_head(attr->val), 537 wpabuf_len(attr->val))) { 538 wpa_printf(MSG_ERROR, "Could not add RADIUS " 539 "attribute"); 540 return -1; 541 } 542 } 543 544 return 0; 545 } 546 547 548 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 549 struct sta_info *sta, 550 const u8 *eap, size_t len) 551 { 552 struct radius_msg *msg; 553 struct eapol_state_machine *sm = sta->eapol_sm; 554 555 if (sm == NULL) 556 return; 557 558 ieee802_1x_learn_identity(hapd, sm, eap, len); 559 560 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 561 "packet"); 562 563 sm->radius_identifier = radius_client_get_id(hapd->radius); 564 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 565 sm->radius_identifier); 566 if (msg == NULL) { 567 printf("Could not create net RADIUS packet\n"); 568 return; 569 } 570 571 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 572 573 if (sm->identity && 574 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 575 sm->identity, sm->identity_len)) { 576 printf("Could not add User-Name\n"); 577 goto fail; 578 } 579 580 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 581 msg) < 0) 582 goto fail; 583 584 /* TODO: should probably check MTU from driver config; 2304 is max for 585 * IEEE 802.11, but use 1400 to avoid problems with too large packets 586 */ 587 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 588 RADIUS_ATTR_FRAMED_MTU) && 589 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 590 printf("Could not add Framed-MTU\n"); 591 goto fail; 592 } 593 594 if (eap && !radius_msg_add_eap(msg, eap, len)) { 595 printf("Could not add EAP-Message\n"); 596 goto fail; 597 } 598 599 /* State attribute must be copied if and only if this packet is 600 * Access-Request reply to the previous Access-Challenge */ 601 if (sm->last_recv_radius && 602 radius_msg_get_hdr(sm->last_recv_radius)->code == 603 RADIUS_CODE_ACCESS_CHALLENGE) { 604 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 605 RADIUS_ATTR_STATE); 606 if (res < 0) { 607 printf("Could not copy State attribute from previous " 608 "Access-Challenge\n"); 609 goto fail; 610 } 611 if (res > 0) { 612 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 613 } 614 } 615 616 if (hapd->conf->radius_request_cui) { 617 const u8 *cui; 618 size_t cui_len; 619 /* Add previously learned CUI or nul CUI to request CUI */ 620 if (sm->radius_cui) { 621 cui = wpabuf_head(sm->radius_cui); 622 cui_len = wpabuf_len(sm->radius_cui); 623 } else { 624 cui = (const u8 *) "\0"; 625 cui_len = 1; 626 } 627 if (!radius_msg_add_attr(msg, 628 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 629 cui, cui_len)) { 630 wpa_printf(MSG_ERROR, "Could not add CUI"); 631 goto fail; 632 } 633 } 634 635 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 636 goto fail; 637 638 return; 639 640 fail: 641 radius_msg_free(msg); 642 } 643 #endif /* CONFIG_NO_RADIUS */ 644 645 646 static void handle_eap_response(struct hostapd_data *hapd, 647 struct sta_info *sta, struct eap_hdr *eap, 648 size_t len) 649 { 650 u8 type, *data; 651 struct eapol_state_machine *sm = sta->eapol_sm; 652 if (sm == NULL) 653 return; 654 655 data = (u8 *) (eap + 1); 656 657 if (len < sizeof(*eap) + 1) { 658 printf("handle_eap_response: too short response data\n"); 659 return; 660 } 661 662 sm->eap_type_supp = type = data[0]; 663 664 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 665 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 666 "id=%d len=%d) from STA: EAP Response-%s (%d)", 667 eap->code, eap->identifier, be_to_host16(eap->length), 668 eap_server_get_name(0, type), type); 669 670 sm->dot1xAuthEapolRespFramesRx++; 671 672 wpabuf_free(sm->eap_if->eapRespData); 673 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 674 sm->eapolEap = TRUE; 675 } 676 677 678 /* Process incoming EAP packet from Supplicant */ 679 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 680 u8 *buf, size_t len) 681 { 682 struct eap_hdr *eap; 683 u16 eap_len; 684 685 if (len < sizeof(*eap)) { 686 printf(" too short EAP packet\n"); 687 return; 688 } 689 690 eap = (struct eap_hdr *) buf; 691 692 eap_len = be_to_host16(eap->length); 693 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 694 eap->code, eap->identifier, eap_len); 695 if (eap_len < sizeof(*eap)) { 696 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 697 return; 698 } else if (eap_len > len) { 699 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 700 "packet"); 701 return; 702 } else if (eap_len < len) { 703 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 704 "packet", (unsigned long) len - eap_len); 705 } 706 707 switch (eap->code) { 708 case EAP_CODE_REQUEST: 709 wpa_printf(MSG_DEBUG, " (request)"); 710 return; 711 case EAP_CODE_RESPONSE: 712 wpa_printf(MSG_DEBUG, " (response)"); 713 handle_eap_response(hapd, sta, eap, eap_len); 714 break; 715 case EAP_CODE_SUCCESS: 716 wpa_printf(MSG_DEBUG, " (success)"); 717 return; 718 case EAP_CODE_FAILURE: 719 wpa_printf(MSG_DEBUG, " (failure)"); 720 return; 721 default: 722 wpa_printf(MSG_DEBUG, " (unknown code)"); 723 return; 724 } 725 } 726 727 728 static struct eapol_state_machine * 729 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 730 { 731 int flags = 0; 732 if (sta->flags & WLAN_STA_PREAUTH) 733 flags |= EAPOL_SM_PREAUTH; 734 if (sta->wpa_sm) { 735 flags |= EAPOL_SM_USES_WPA; 736 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 737 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 738 } 739 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 740 sta->wps_ie, sta->p2p_ie, sta, 741 sta->identity, sta->radius_cui); 742 } 743 744 745 /** 746 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 747 * @hapd: hostapd BSS data 748 * @sa: Source address (sender of the EAPOL frame) 749 * @buf: EAPOL frame 750 * @len: Length of buf in octets 751 * 752 * This function is called for each incoming EAPOL frame from the interface 753 */ 754 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 755 size_t len) 756 { 757 struct sta_info *sta; 758 struct ieee802_1x_hdr *hdr; 759 struct ieee802_1x_eapol_key *key; 760 u16 datalen; 761 struct rsn_pmksa_cache_entry *pmksa; 762 int key_mgmt; 763 764 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 765 !hapd->conf->wps_state) 766 return; 767 768 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 769 (unsigned long) len, MAC2STR(sa)); 770 sta = ap_get_sta(hapd, sa); 771 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 772 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 773 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 774 "associated/Pre-authenticating STA"); 775 return; 776 } 777 778 if (len < sizeof(*hdr)) { 779 printf(" too short IEEE 802.1X packet\n"); 780 return; 781 } 782 783 hdr = (struct ieee802_1x_hdr *) buf; 784 datalen = be_to_host16(hdr->length); 785 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 786 hdr->version, hdr->type, datalen); 787 788 if (len - sizeof(*hdr) < datalen) { 789 printf(" frame too short for this IEEE 802.1X packet\n"); 790 if (sta->eapol_sm) 791 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 792 return; 793 } 794 if (len - sizeof(*hdr) > datalen) { 795 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 796 "IEEE 802.1X packet", 797 (unsigned long) len - sizeof(*hdr) - datalen); 798 } 799 800 if (sta->eapol_sm) { 801 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 802 sta->eapol_sm->dot1xAuthEapolFramesRx++; 803 } 804 805 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 806 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 807 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 808 (key->type == EAPOL_KEY_TYPE_WPA || 809 key->type == EAPOL_KEY_TYPE_RSN)) { 810 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 811 sizeof(*hdr) + datalen); 812 return; 813 } 814 815 if (!hapd->conf->ieee802_1x && 816 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 817 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 818 "802.1X not enabled and WPS not used"); 819 return; 820 } 821 822 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 823 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 824 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 825 "STA is using PSK"); 826 return; 827 } 828 829 if (!sta->eapol_sm) { 830 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 831 if (!sta->eapol_sm) 832 return; 833 834 #ifdef CONFIG_WPS 835 if (!hapd->conf->ieee802_1x) { 836 u32 wflags = sta->flags & (WLAN_STA_WPS | 837 WLAN_STA_WPS2 | 838 WLAN_STA_MAYBE_WPS); 839 if (wflags == WLAN_STA_MAYBE_WPS || 840 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 841 /* 842 * Delay EAPOL frame transmission until a 843 * possible WPS STA initiates the handshake 844 * with EAPOL-Start. Only allow the wait to be 845 * skipped if the STA is known to support WPS 846 * 2.0. 847 */ 848 wpa_printf(MSG_DEBUG, "WPS: Do not start " 849 "EAPOL until EAPOL-Start is " 850 "received"); 851 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 852 } 853 } 854 #endif /* CONFIG_WPS */ 855 856 sta->eapol_sm->eap_if->portEnabled = TRUE; 857 } 858 859 /* since we support version 1, we can ignore version field and proceed 860 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 861 /* TODO: actually, we are not version 1 anymore.. However, Version 2 862 * does not change frame contents, so should be ok to process frames 863 * more or less identically. Some changes might be needed for 864 * verification of fields. */ 865 866 switch (hdr->type) { 867 case IEEE802_1X_TYPE_EAP_PACKET: 868 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 869 break; 870 871 case IEEE802_1X_TYPE_EAPOL_START: 872 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 873 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 874 "from STA"); 875 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 876 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 877 if (pmksa) { 878 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 879 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 880 "available - ignore it since " 881 "STA sent EAPOL-Start"); 882 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 883 } 884 sta->eapol_sm->eapolStart = TRUE; 885 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 886 eap_server_clear_identity(sta->eapol_sm->eap); 887 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 888 break; 889 890 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 891 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 892 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 893 "from STA"); 894 sta->acct_terminate_cause = 895 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 896 accounting_sta_stop(hapd, sta); 897 sta->eapol_sm->eapolLogoff = TRUE; 898 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 899 eap_server_clear_identity(sta->eapol_sm->eap); 900 break; 901 902 case IEEE802_1X_TYPE_EAPOL_KEY: 903 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 904 if (!ap_sta_is_authorized(sta)) { 905 wpa_printf(MSG_DEBUG, " Dropped key data from " 906 "unauthorized Supplicant"); 907 break; 908 } 909 break; 910 911 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 912 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 913 /* TODO: implement support for this; show data */ 914 break; 915 916 default: 917 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 918 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 919 break; 920 } 921 922 eapol_auth_step(sta->eapol_sm); 923 } 924 925 926 /** 927 * ieee802_1x_new_station - Start IEEE 802.1X authentication 928 * @hapd: hostapd BSS data 929 * @sta: The station 930 * 931 * This function is called to start IEEE 802.1X authentication when a new 932 * station completes IEEE 802.11 association. 933 */ 934 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 935 { 936 struct rsn_pmksa_cache_entry *pmksa; 937 int reassoc = 1; 938 int force_1x = 0; 939 int key_mgmt; 940 941 #ifdef CONFIG_WPS 942 if (hapd->conf->wps_state && hapd->conf->wpa && 943 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 944 /* 945 * Need to enable IEEE 802.1X/EAPOL state machines for possible 946 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 947 * authentication in this BSS. 948 */ 949 force_1x = 1; 950 } 951 #endif /* CONFIG_WPS */ 952 953 if (!force_1x && !hapd->conf->ieee802_1x) { 954 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 955 "802.1X not enabled or forced for WPS"); 956 /* 957 * Clear any possible EAPOL authenticator state to support 958 * reassociation change from WPS to PSK. 959 */ 960 ieee802_1x_free_station(sta); 961 return; 962 } 963 964 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 965 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 966 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 967 /* 968 * Clear any possible EAPOL authenticator state to support 969 * reassociation change from WPA-EAP to PSK. 970 */ 971 ieee802_1x_free_station(sta); 972 return; 973 } 974 975 if (sta->eapol_sm == NULL) { 976 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 977 HOSTAPD_LEVEL_DEBUG, "start authentication"); 978 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 979 if (sta->eapol_sm == NULL) { 980 hostapd_logger(hapd, sta->addr, 981 HOSTAPD_MODULE_IEEE8021X, 982 HOSTAPD_LEVEL_INFO, 983 "failed to allocate state machine"); 984 return; 985 } 986 reassoc = 0; 987 } 988 989 #ifdef CONFIG_WPS 990 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 991 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 992 /* 993 * Delay EAPOL frame transmission until a possible WPS STA 994 * initiates the handshake with EAPOL-Start. Only allow the 995 * wait to be skipped if the STA is known to support WPS 2.0. 996 */ 997 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 998 "EAPOL-Start is received"); 999 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1000 } 1001 #endif /* CONFIG_WPS */ 1002 1003 sta->eapol_sm->eap_if->portEnabled = TRUE; 1004 1005 #ifdef CONFIG_IEEE80211R 1006 if (sta->auth_alg == WLAN_AUTH_FT) { 1007 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1008 HOSTAPD_LEVEL_DEBUG, 1009 "PMK from FT - skip IEEE 802.1X/EAP"); 1010 /* Setup EAPOL state machines to already authenticated state 1011 * because of existing FT information from R0KH. */ 1012 sta->eapol_sm->keyRun = TRUE; 1013 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1014 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1015 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1016 sta->eapol_sm->authSuccess = TRUE; 1017 sta->eapol_sm->authFail = FALSE; 1018 if (sta->eapol_sm->eap) 1019 eap_sm_notify_cached(sta->eapol_sm->eap); 1020 /* TODO: get vlan_id from R0KH using RRB message */ 1021 return; 1022 } 1023 #endif /* CONFIG_IEEE80211R */ 1024 1025 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1026 if (pmksa) { 1027 int old_vlanid; 1028 1029 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1030 HOSTAPD_LEVEL_DEBUG, 1031 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1032 /* Setup EAPOL state machines to already authenticated state 1033 * because of existing PMKSA information in the cache. */ 1034 sta->eapol_sm->keyRun = TRUE; 1035 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1036 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1037 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1038 sta->eapol_sm->authSuccess = TRUE; 1039 sta->eapol_sm->authFail = FALSE; 1040 if (sta->eapol_sm->eap) 1041 eap_sm_notify_cached(sta->eapol_sm->eap); 1042 old_vlanid = sta->vlan_id; 1043 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1044 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1045 sta->vlan_id = 0; 1046 ap_sta_bind_vlan(hapd, sta, old_vlanid); 1047 } else { 1048 if (reassoc) { 1049 /* 1050 * Force EAPOL state machines to start 1051 * re-authentication without having to wait for the 1052 * Supplicant to send EAPOL-Start. 1053 */ 1054 sta->eapol_sm->reAuthenticate = TRUE; 1055 } 1056 eapol_auth_step(sta->eapol_sm); 1057 } 1058 } 1059 1060 1061 void ieee802_1x_free_station(struct sta_info *sta) 1062 { 1063 struct eapol_state_machine *sm = sta->eapol_sm; 1064 1065 if (sm == NULL) 1066 return; 1067 1068 sta->eapol_sm = NULL; 1069 1070 #ifndef CONFIG_NO_RADIUS 1071 radius_msg_free(sm->last_recv_radius); 1072 radius_free_class(&sm->radius_class); 1073 wpabuf_free(sm->radius_cui); 1074 #endif /* CONFIG_NO_RADIUS */ 1075 1076 os_free(sm->identity); 1077 eapol_auth_free(sm); 1078 } 1079 1080 1081 #ifndef CONFIG_NO_RADIUS 1082 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1083 struct sta_info *sta) 1084 { 1085 struct wpabuf *eap; 1086 const struct eap_hdr *hdr; 1087 int eap_type = -1; 1088 char buf[64]; 1089 struct radius_msg *msg; 1090 struct eapol_state_machine *sm = sta->eapol_sm; 1091 1092 if (sm == NULL || sm->last_recv_radius == NULL) { 1093 if (sm) 1094 sm->eap_if->aaaEapNoReq = TRUE; 1095 return; 1096 } 1097 1098 msg = sm->last_recv_radius; 1099 1100 eap = radius_msg_get_eap(msg); 1101 if (eap == NULL) { 1102 /* RFC 3579, Chap. 2.6.3: 1103 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1104 * attribute */ 1105 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1106 HOSTAPD_LEVEL_WARNING, "could not extract " 1107 "EAP-Message from RADIUS message"); 1108 sm->eap_if->aaaEapNoReq = TRUE; 1109 return; 1110 } 1111 1112 if (wpabuf_len(eap) < sizeof(*hdr)) { 1113 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1114 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1115 "received from authentication server"); 1116 wpabuf_free(eap); 1117 sm->eap_if->aaaEapNoReq = TRUE; 1118 return; 1119 } 1120 1121 if (wpabuf_len(eap) > sizeof(*hdr)) 1122 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1123 1124 hdr = wpabuf_head(eap); 1125 switch (hdr->code) { 1126 case EAP_CODE_REQUEST: 1127 if (eap_type >= 0) 1128 sm->eap_type_authsrv = eap_type; 1129 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1130 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1131 "??", 1132 eap_type); 1133 break; 1134 case EAP_CODE_RESPONSE: 1135 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1136 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1137 "??", 1138 eap_type); 1139 break; 1140 case EAP_CODE_SUCCESS: 1141 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1142 break; 1143 case EAP_CODE_FAILURE: 1144 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1145 break; 1146 default: 1147 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1148 break; 1149 } 1150 buf[sizeof(buf) - 1] = '\0'; 1151 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1152 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1153 "id=%d len=%d) from RADIUS server: %s", 1154 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1155 buf); 1156 sm->eap_if->aaaEapReq = TRUE; 1157 1158 wpabuf_free(sm->eap_if->aaaEapReqData); 1159 sm->eap_if->aaaEapReqData = eap; 1160 } 1161 1162 1163 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1164 struct sta_info *sta, struct radius_msg *msg, 1165 struct radius_msg *req, 1166 const u8 *shared_secret, 1167 size_t shared_secret_len) 1168 { 1169 struct radius_ms_mppe_keys *keys; 1170 struct eapol_state_machine *sm = sta->eapol_sm; 1171 if (sm == NULL) 1172 return; 1173 1174 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1175 shared_secret_len); 1176 1177 if (keys && keys->send && keys->recv) { 1178 size_t len = keys->send_len + keys->recv_len; 1179 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1180 keys->send, keys->send_len); 1181 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1182 keys->recv, keys->recv_len); 1183 1184 os_free(sm->eap_if->aaaEapKeyData); 1185 sm->eap_if->aaaEapKeyData = os_malloc(len); 1186 if (sm->eap_if->aaaEapKeyData) { 1187 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1188 keys->recv_len); 1189 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1190 keys->send, keys->send_len); 1191 sm->eap_if->aaaEapKeyDataLen = len; 1192 sm->eap_if->aaaEapKeyAvailable = TRUE; 1193 } 1194 } 1195 1196 if (keys) { 1197 os_free(keys->send); 1198 os_free(keys->recv); 1199 os_free(keys); 1200 } 1201 } 1202 1203 1204 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1205 struct sta_info *sta, 1206 struct radius_msg *msg) 1207 { 1208 u8 *class; 1209 size_t class_len; 1210 struct eapol_state_machine *sm = sta->eapol_sm; 1211 int count, i; 1212 struct radius_attr_data *nclass; 1213 size_t nclass_count; 1214 1215 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1216 sm == NULL) 1217 return; 1218 1219 radius_free_class(&sm->radius_class); 1220 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1221 if (count <= 0) 1222 return; 1223 1224 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1225 if (nclass == NULL) 1226 return; 1227 1228 nclass_count = 0; 1229 1230 class = NULL; 1231 for (i = 0; i < count; i++) { 1232 do { 1233 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1234 &class, &class_len, 1235 class) < 0) { 1236 i = count; 1237 break; 1238 } 1239 } while (class_len < 1); 1240 1241 nclass[nclass_count].data = os_malloc(class_len); 1242 if (nclass[nclass_count].data == NULL) 1243 break; 1244 1245 os_memcpy(nclass[nclass_count].data, class, class_len); 1246 nclass[nclass_count].len = class_len; 1247 nclass_count++; 1248 } 1249 1250 sm->radius_class.attr = nclass; 1251 sm->radius_class.count = nclass_count; 1252 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1253 "attributes for " MACSTR, 1254 (unsigned long) sm->radius_class.count, 1255 MAC2STR(sta->addr)); 1256 } 1257 1258 1259 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1260 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1261 struct sta_info *sta, 1262 struct radius_msg *msg) 1263 { 1264 u8 *buf, *identity; 1265 size_t len; 1266 struct eapol_state_machine *sm = sta->eapol_sm; 1267 1268 if (sm == NULL) 1269 return; 1270 1271 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1272 NULL) < 0) 1273 return; 1274 1275 identity = os_malloc(len + 1); 1276 if (identity == NULL) 1277 return; 1278 1279 os_memcpy(identity, buf, len); 1280 identity[len] = '\0'; 1281 1282 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1283 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1284 "User-Name from Access-Accept '%s'", 1285 sm->identity ? (char *) sm->identity : "N/A", 1286 (char *) identity); 1287 1288 os_free(sm->identity); 1289 sm->identity = identity; 1290 sm->identity_len = len; 1291 } 1292 1293 1294 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1295 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1296 struct sta_info *sta, 1297 struct radius_msg *msg) 1298 { 1299 struct eapol_state_machine *sm = sta->eapol_sm; 1300 struct wpabuf *cui; 1301 u8 *buf; 1302 size_t len; 1303 1304 if (sm == NULL) 1305 return; 1306 1307 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1308 &buf, &len, NULL) < 0) 1309 return; 1310 1311 cui = wpabuf_alloc_copy(buf, len); 1312 if (cui == NULL) 1313 return; 1314 1315 wpabuf_free(sm->radius_cui); 1316 sm->radius_cui = cui; 1317 } 1318 1319 1320 struct sta_id_search { 1321 u8 identifier; 1322 struct eapol_state_machine *sm; 1323 }; 1324 1325 1326 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1327 struct sta_info *sta, 1328 void *ctx) 1329 { 1330 struct sta_id_search *id_search = ctx; 1331 struct eapol_state_machine *sm = sta->eapol_sm; 1332 1333 if (sm && sm->radius_identifier >= 0 && 1334 sm->radius_identifier == id_search->identifier) { 1335 id_search->sm = sm; 1336 return 1; 1337 } 1338 return 0; 1339 } 1340 1341 1342 static struct eapol_state_machine * 1343 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1344 { 1345 struct sta_id_search id_search; 1346 id_search.identifier = identifier; 1347 id_search.sm = NULL; 1348 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1349 return id_search.sm; 1350 } 1351 1352 1353 /** 1354 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1355 * @msg: RADIUS response message 1356 * @req: RADIUS request message 1357 * @shared_secret: RADIUS shared secret 1358 * @shared_secret_len: Length of shared_secret in octets 1359 * @data: Context data (struct hostapd_data *) 1360 * Returns: Processing status 1361 */ 1362 static RadiusRxResult 1363 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1364 const u8 *shared_secret, size_t shared_secret_len, 1365 void *data) 1366 { 1367 struct hostapd_data *hapd = data; 1368 struct sta_info *sta; 1369 u32 session_timeout = 0, termination_action, acct_interim_interval; 1370 int session_timeout_set, old_vlanid = 0; 1371 struct eapol_state_machine *sm; 1372 int override_eapReq = 0; 1373 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1374 1375 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1376 if (sm == NULL) { 1377 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1378 "station for this RADIUS message"); 1379 return RADIUS_RX_UNKNOWN; 1380 } 1381 sta = sm->sta; 1382 1383 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1384 * present when packet contains an EAP-Message attribute */ 1385 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1386 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1387 0) < 0 && 1388 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1389 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1390 "Message-Authenticator since it does not include " 1391 "EAP-Message"); 1392 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1393 req, 1)) { 1394 printf("Incoming RADIUS packet did not have correct " 1395 "Message-Authenticator - dropped\n"); 1396 return RADIUS_RX_INVALID_AUTHENTICATOR; 1397 } 1398 1399 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1400 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1401 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1402 printf("Unknown RADIUS message code\n"); 1403 return RADIUS_RX_UNKNOWN; 1404 } 1405 1406 sm->radius_identifier = -1; 1407 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1408 MAC2STR(sta->addr)); 1409 1410 radius_msg_free(sm->last_recv_radius); 1411 sm->last_recv_radius = msg; 1412 1413 session_timeout_set = 1414 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1415 &session_timeout); 1416 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1417 &termination_action)) 1418 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1419 1420 if (hapd->conf->acct_interim_interval == 0 && 1421 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1422 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1423 &acct_interim_interval) == 0) { 1424 if (acct_interim_interval < 60) { 1425 hostapd_logger(hapd, sta->addr, 1426 HOSTAPD_MODULE_IEEE8021X, 1427 HOSTAPD_LEVEL_INFO, 1428 "ignored too small " 1429 "Acct-Interim-Interval %d", 1430 acct_interim_interval); 1431 } else 1432 sta->acct_interim_interval = acct_interim_interval; 1433 } 1434 1435 1436 switch (hdr->code) { 1437 case RADIUS_CODE_ACCESS_ACCEPT: 1438 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1439 sta->vlan_id = 0; 1440 #ifndef CONFIG_NO_VLAN 1441 else { 1442 old_vlanid = sta->vlan_id; 1443 sta->vlan_id = radius_msg_get_vlanid(msg); 1444 } 1445 if (sta->vlan_id > 0 && 1446 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1447 sta->vlan_id)) { 1448 hostapd_logger(hapd, sta->addr, 1449 HOSTAPD_MODULE_RADIUS, 1450 HOSTAPD_LEVEL_INFO, 1451 "VLAN ID %d", sta->vlan_id); 1452 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1453 sta->eapol_sm->authFail = TRUE; 1454 hostapd_logger(hapd, sta->addr, 1455 HOSTAPD_MODULE_IEEE8021X, 1456 HOSTAPD_LEVEL_INFO, "authentication " 1457 "server did not include required VLAN " 1458 "ID in Access-Accept"); 1459 break; 1460 } 1461 #endif /* CONFIG_NO_VLAN */ 1462 1463 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1464 break; 1465 1466 /* RFC 3580, Ch. 3.17 */ 1467 if (session_timeout_set && termination_action == 1468 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1469 sm->reAuthPeriod = session_timeout; 1470 } else if (session_timeout_set) 1471 ap_sta_session_timeout(hapd, sta, session_timeout); 1472 1473 sm->eap_if->aaaSuccess = TRUE; 1474 override_eapReq = 1; 1475 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1476 shared_secret_len); 1477 ieee802_1x_store_radius_class(hapd, sta, msg); 1478 ieee802_1x_update_sta_identity(hapd, sta, msg); 1479 ieee802_1x_update_sta_cui(hapd, sta, msg); 1480 if (sm->eap_if->eapKeyAvailable && 1481 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1482 session_timeout_set ? 1483 (int) session_timeout : -1, sm) == 0) { 1484 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1485 HOSTAPD_LEVEL_DEBUG, 1486 "Added PMKSA cache entry"); 1487 } 1488 break; 1489 case RADIUS_CODE_ACCESS_REJECT: 1490 sm->eap_if->aaaFail = TRUE; 1491 override_eapReq = 1; 1492 break; 1493 case RADIUS_CODE_ACCESS_CHALLENGE: 1494 sm->eap_if->aaaEapReq = TRUE; 1495 if (session_timeout_set) { 1496 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1497 sm->eap_if->aaaMethodTimeout = session_timeout; 1498 hostapd_logger(hapd, sm->addr, 1499 HOSTAPD_MODULE_IEEE8021X, 1500 HOSTAPD_LEVEL_DEBUG, 1501 "using EAP timeout of %d seconds (from " 1502 "RADIUS)", 1503 sm->eap_if->aaaMethodTimeout); 1504 } else { 1505 /* 1506 * Use dynamic retransmission behavior per EAP 1507 * specification. 1508 */ 1509 sm->eap_if->aaaMethodTimeout = 0; 1510 } 1511 break; 1512 } 1513 1514 ieee802_1x_decapsulate_radius(hapd, sta); 1515 if (override_eapReq) 1516 sm->eap_if->aaaEapReq = FALSE; 1517 1518 eapol_auth_step(sm); 1519 1520 return RADIUS_RX_QUEUED; 1521 } 1522 #endif /* CONFIG_NO_RADIUS */ 1523 1524 1525 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1526 { 1527 struct eapol_state_machine *sm = sta->eapol_sm; 1528 if (sm == NULL) 1529 return; 1530 1531 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1532 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1533 1534 #ifndef CONFIG_NO_RADIUS 1535 radius_msg_free(sm->last_recv_radius); 1536 sm->last_recv_radius = NULL; 1537 #endif /* CONFIG_NO_RADIUS */ 1538 1539 if (sm->eap_if->eapTimeout) { 1540 /* 1541 * Disconnect the STA since it did not reply to the last EAP 1542 * request and we cannot continue EAP processing (EAP-Failure 1543 * could only be sent if the EAP peer actually replied). 1544 */ 1545 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1546 MAC2STR(sta->addr)); 1547 1548 sm->eap_if->portEnabled = FALSE; 1549 ap_sta_disconnect(hapd, sta, sta->addr, 1550 WLAN_REASON_PREV_AUTH_NOT_VALID); 1551 } 1552 } 1553 1554 1555 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1556 { 1557 struct eapol_authenticator *eapol = hapd->eapol_auth; 1558 1559 if (hapd->conf->default_wep_key_len < 1) 1560 return 0; 1561 1562 os_free(eapol->default_wep_key); 1563 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1564 if (eapol->default_wep_key == NULL || 1565 random_get_bytes(eapol->default_wep_key, 1566 hapd->conf->default_wep_key_len)) { 1567 printf("Could not generate random WEP key.\n"); 1568 os_free(eapol->default_wep_key); 1569 eapol->default_wep_key = NULL; 1570 return -1; 1571 } 1572 1573 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1574 eapol->default_wep_key, 1575 hapd->conf->default_wep_key_len); 1576 1577 return 0; 1578 } 1579 1580 1581 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1582 struct sta_info *sta, void *ctx) 1583 { 1584 if (sta->eapol_sm) { 1585 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1586 eapol_auth_step(sta->eapol_sm); 1587 } 1588 return 0; 1589 } 1590 1591 1592 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1593 { 1594 struct hostapd_data *hapd = eloop_ctx; 1595 struct eapol_authenticator *eapol = hapd->eapol_auth; 1596 1597 if (eapol->default_wep_key_idx >= 3) 1598 eapol->default_wep_key_idx = 1599 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1600 else 1601 eapol->default_wep_key_idx++; 1602 1603 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1604 eapol->default_wep_key_idx); 1605 1606 if (ieee802_1x_rekey_broadcast(hapd)) { 1607 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1608 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1609 "new broadcast key"); 1610 os_free(eapol->default_wep_key); 1611 eapol->default_wep_key = NULL; 1612 return; 1613 } 1614 1615 /* TODO: Could setup key for RX here, but change default TX keyid only 1616 * after new broadcast key has been sent to all stations. */ 1617 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1618 broadcast_ether_addr, 1619 eapol->default_wep_key_idx, 1, NULL, 0, 1620 eapol->default_wep_key, 1621 hapd->conf->default_wep_key_len)) { 1622 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1623 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1624 "new broadcast key"); 1625 os_free(eapol->default_wep_key); 1626 eapol->default_wep_key = NULL; 1627 return; 1628 } 1629 1630 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1631 1632 if (hapd->conf->wep_rekeying_period > 0) { 1633 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1634 ieee802_1x_rekey, hapd, NULL); 1635 } 1636 } 1637 1638 1639 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1640 const u8 *data, size_t datalen) 1641 { 1642 #ifdef CONFIG_WPS 1643 struct sta_info *sta = sta_ctx; 1644 1645 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1646 WLAN_STA_MAYBE_WPS) { 1647 const u8 *identity; 1648 size_t identity_len; 1649 struct eapol_state_machine *sm = sta->eapol_sm; 1650 1651 identity = eap_get_identity(sm->eap, &identity_len); 1652 if (identity && 1653 ((identity_len == WSC_ID_ENROLLEE_LEN && 1654 os_memcmp(identity, WSC_ID_ENROLLEE, 1655 WSC_ID_ENROLLEE_LEN) == 0) || 1656 (identity_len == WSC_ID_REGISTRAR_LEN && 1657 os_memcmp(identity, WSC_ID_REGISTRAR, 1658 WSC_ID_REGISTRAR_LEN) == 0))) { 1659 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1660 "WLAN_STA_WPS"); 1661 sta->flags |= WLAN_STA_WPS; 1662 } 1663 } 1664 #endif /* CONFIG_WPS */ 1665 1666 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1667 } 1668 1669 1670 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1671 const u8 *data, size_t datalen) 1672 { 1673 #ifndef CONFIG_NO_RADIUS 1674 struct hostapd_data *hapd = ctx; 1675 struct sta_info *sta = sta_ctx; 1676 1677 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1678 #endif /* CONFIG_NO_RADIUS */ 1679 } 1680 1681 1682 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1683 int preauth) 1684 { 1685 struct hostapd_data *hapd = ctx; 1686 struct sta_info *sta = sta_ctx; 1687 if (preauth) 1688 rsn_preauth_finished(hapd, sta, success); 1689 else 1690 ieee802_1x_finished(hapd, sta, success); 1691 } 1692 1693 1694 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1695 size_t identity_len, int phase2, 1696 struct eap_user *user) 1697 { 1698 struct hostapd_data *hapd = ctx; 1699 const struct hostapd_eap_user *eap_user; 1700 int i; 1701 1702 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1703 if (eap_user == NULL) 1704 return -1; 1705 1706 os_memset(user, 0, sizeof(*user)); 1707 user->phase2 = phase2; 1708 for (i = 0; i < EAP_MAX_METHODS; i++) { 1709 user->methods[i].vendor = eap_user->methods[i].vendor; 1710 user->methods[i].method = eap_user->methods[i].method; 1711 } 1712 1713 if (eap_user->password) { 1714 user->password = os_malloc(eap_user->password_len); 1715 if (user->password == NULL) 1716 return -1; 1717 os_memcpy(user->password, eap_user->password, 1718 eap_user->password_len); 1719 user->password_len = eap_user->password_len; 1720 user->password_hash = eap_user->password_hash; 1721 } 1722 user->force_version = eap_user->force_version; 1723 user->ttls_auth = eap_user->ttls_auth; 1724 1725 return 0; 1726 } 1727 1728 1729 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1730 { 1731 struct hostapd_data *hapd = ctx; 1732 struct sta_info *sta; 1733 sta = ap_get_sta(hapd, addr); 1734 if (sta == NULL || sta->eapol_sm == NULL) 1735 return 0; 1736 return 1; 1737 } 1738 1739 1740 static void ieee802_1x_logger(void *ctx, const u8 *addr, 1741 eapol_logger_level level, const char *txt) 1742 { 1743 #ifndef CONFIG_NO_HOSTAPD_LOGGER 1744 struct hostapd_data *hapd = ctx; 1745 int hlevel; 1746 1747 switch (level) { 1748 case EAPOL_LOGGER_WARNING: 1749 hlevel = HOSTAPD_LEVEL_WARNING; 1750 break; 1751 case EAPOL_LOGGER_INFO: 1752 hlevel = HOSTAPD_LEVEL_INFO; 1753 break; 1754 case EAPOL_LOGGER_DEBUG: 1755 default: 1756 hlevel = HOSTAPD_LEVEL_DEBUG; 1757 break; 1758 } 1759 1760 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1761 txt); 1762 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1763 } 1764 1765 1766 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1767 int authorized) 1768 { 1769 struct hostapd_data *hapd = ctx; 1770 struct sta_info *sta = sta_ctx; 1771 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1772 } 1773 1774 1775 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1776 { 1777 struct hostapd_data *hapd = ctx; 1778 struct sta_info *sta = sta_ctx; 1779 ieee802_1x_abort_auth(hapd, sta); 1780 } 1781 1782 1783 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1784 { 1785 struct hostapd_data *hapd = ctx; 1786 struct sta_info *sta = sta_ctx; 1787 ieee802_1x_tx_key(hapd, sta); 1788 } 1789 1790 1791 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1792 enum eapol_event type) 1793 { 1794 /* struct hostapd_data *hapd = ctx; */ 1795 struct sta_info *sta = sta_ctx; 1796 switch (type) { 1797 case EAPOL_AUTH_SM_CHANGE: 1798 wpa_auth_sm_notify(sta->wpa_sm); 1799 break; 1800 case EAPOL_AUTH_REAUTHENTICATE: 1801 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1802 break; 1803 } 1804 } 1805 1806 1807 int ieee802_1x_init(struct hostapd_data *hapd) 1808 { 1809 int i; 1810 struct eapol_auth_config conf; 1811 struct eapol_auth_cb cb; 1812 1813 os_memset(&conf, 0, sizeof(conf)); 1814 conf.ctx = hapd; 1815 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1816 conf.wpa = hapd->conf->wpa; 1817 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1818 conf.eap_server = hapd->conf->eap_server; 1819 conf.ssl_ctx = hapd->ssl_ctx; 1820 conf.msg_ctx = hapd->msg_ctx; 1821 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1822 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1823 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1824 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1825 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1826 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1827 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1828 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1829 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1830 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1831 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1832 conf.tnc = hapd->conf->tnc; 1833 conf.wps = hapd->wps; 1834 conf.fragment_size = hapd->conf->fragment_size; 1835 conf.pwd_group = hapd->conf->pwd_group; 1836 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1837 1838 os_memset(&cb, 0, sizeof(cb)); 1839 cb.eapol_send = ieee802_1x_eapol_send; 1840 cb.aaa_send = ieee802_1x_aaa_send; 1841 cb.finished = _ieee802_1x_finished; 1842 cb.get_eap_user = ieee802_1x_get_eap_user; 1843 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1844 cb.logger = ieee802_1x_logger; 1845 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1846 cb.abort_auth = _ieee802_1x_abort_auth; 1847 cb.tx_key = _ieee802_1x_tx_key; 1848 cb.eapol_event = ieee802_1x_eapol_event; 1849 1850 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1851 if (hapd->eapol_auth == NULL) 1852 return -1; 1853 1854 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1855 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1856 return -1; 1857 1858 #ifndef CONFIG_NO_RADIUS 1859 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1860 ieee802_1x_receive_auth, hapd)) 1861 return -1; 1862 #endif /* CONFIG_NO_RADIUS */ 1863 1864 if (hapd->conf->default_wep_key_len) { 1865 for (i = 0; i < 4; i++) 1866 hostapd_drv_set_key(hapd->conf->iface, hapd, 1867 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1868 NULL, 0); 1869 1870 ieee802_1x_rekey(hapd, NULL); 1871 1872 if (hapd->eapol_auth->default_wep_key == NULL) 1873 return -1; 1874 } 1875 1876 return 0; 1877 } 1878 1879 1880 void ieee802_1x_deinit(struct hostapd_data *hapd) 1881 { 1882 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1883 1884 if (hapd->driver != NULL && 1885 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1886 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1887 1888 eapol_auth_deinit(hapd->eapol_auth); 1889 hapd->eapol_auth = NULL; 1890 } 1891 1892 1893 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1894 const u8 *buf, size_t len, int ack) 1895 { 1896 struct ieee80211_hdr *hdr; 1897 u8 *pos; 1898 const unsigned char rfc1042_hdr[ETH_ALEN] = 1899 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1900 1901 if (sta == NULL) 1902 return -1; 1903 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1904 return 0; 1905 1906 hdr = (struct ieee80211_hdr *) buf; 1907 pos = (u8 *) (hdr + 1); 1908 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1909 return 0; 1910 pos += sizeof(rfc1042_hdr); 1911 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1912 return 0; 1913 pos += 2; 1914 1915 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1916 ack); 1917 } 1918 1919 1920 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1921 const u8 *buf, int len, int ack) 1922 { 1923 const struct ieee802_1x_hdr *xhdr = 1924 (const struct ieee802_1x_hdr *) buf; 1925 const u8 *pos = buf + sizeof(*xhdr); 1926 struct ieee802_1x_eapol_key *key; 1927 1928 if (len < (int) sizeof(*xhdr)) 1929 return 0; 1930 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1931 "type=%d length=%d - ack=%d", 1932 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1933 be_to_host16(xhdr->length), ack); 1934 1935 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1936 return 0; 1937 1938 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1939 const struct wpa_eapol_key *wpa; 1940 wpa = (const struct wpa_eapol_key *) pos; 1941 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1942 wpa->type == EAPOL_KEY_TYPE_WPA) 1943 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1944 sta->wpa_sm, ack); 1945 } 1946 1947 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1948 * or Authenticator state machines, but EAPOL-Key packets are not 1949 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1950 * packets couple of times because otherwise STA keys become 1951 * unsynchronized with AP. */ 1952 if (!ack && pos + sizeof(*key) <= buf + len) { 1953 key = (struct ieee802_1x_eapol_key *) pos; 1954 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1955 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1956 "frame (%scast index=%d)", 1957 key->key_index & BIT(7) ? "uni" : "broad", 1958 key->key_index & ~BIT(7)); 1959 /* TODO: re-send EAPOL-Key couple of times (with short delay 1960 * between them?). If all attempt fail, report error and 1961 * deauthenticate STA so that it will get new keys when 1962 * authenticating again (e.g., after returning in range). 1963 * Separate limit/transmit state needed both for unicast and 1964 * broadcast keys(?) */ 1965 } 1966 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1967 * to here and change the key only if the EAPOL-Key packet was Acked. 1968 */ 1969 1970 return 1; 1971 } 1972 1973 1974 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1975 { 1976 if (sm == NULL || sm->identity == NULL) 1977 return NULL; 1978 1979 *len = sm->identity_len; 1980 return sm->identity; 1981 } 1982 1983 1984 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1985 int idx) 1986 { 1987 if (sm == NULL || sm->radius_class.attr == NULL || 1988 idx >= (int) sm->radius_class.count) 1989 return NULL; 1990 1991 *len = sm->radius_class.attr[idx].len; 1992 return sm->radius_class.attr[idx].data; 1993 } 1994 1995 1996 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1997 { 1998 if (sm == NULL) 1999 return NULL; 2000 return sm->radius_cui; 2001 } 2002 2003 2004 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2005 { 2006 *len = 0; 2007 if (sm == NULL) 2008 return NULL; 2009 2010 *len = sm->eap_if->eapKeyDataLen; 2011 return sm->eap_if->eapKeyData; 2012 } 2013 2014 2015 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2016 int enabled) 2017 { 2018 if (sm == NULL) 2019 return; 2020 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2021 eapol_auth_step(sm); 2022 } 2023 2024 2025 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2026 int valid) 2027 { 2028 if (sm == NULL) 2029 return; 2030 sm->portValid = valid ? TRUE : FALSE; 2031 eapol_auth_step(sm); 2032 } 2033 2034 2035 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2036 { 2037 if (sm == NULL) 2038 return; 2039 if (pre_auth) 2040 sm->flags |= EAPOL_SM_PREAUTH; 2041 else 2042 sm->flags &= ~EAPOL_SM_PREAUTH; 2043 } 2044 2045 2046 static const char * bool_txt(Boolean bool) 2047 { 2048 return bool ? "TRUE" : "FALSE"; 2049 } 2050 2051 2052 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2053 { 2054 /* TODO */ 2055 return 0; 2056 } 2057 2058 2059 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2060 char *buf, size_t buflen) 2061 { 2062 int len = 0, ret; 2063 struct eapol_state_machine *sm = sta->eapol_sm; 2064 struct os_time t; 2065 2066 if (sm == NULL) 2067 return 0; 2068 2069 ret = os_snprintf(buf + len, buflen - len, 2070 "dot1xPaePortNumber=%d\n" 2071 "dot1xPaePortProtocolVersion=%d\n" 2072 "dot1xPaePortCapabilities=1\n" 2073 "dot1xPaePortInitialize=%d\n" 2074 "dot1xPaePortReauthenticate=FALSE\n", 2075 sta->aid, 2076 EAPOL_VERSION, 2077 sm->initialize); 2078 if (ret < 0 || (size_t) ret >= buflen - len) 2079 return len; 2080 len += ret; 2081 2082 /* dot1xAuthConfigTable */ 2083 ret = os_snprintf(buf + len, buflen - len, 2084 "dot1xAuthPaeState=%d\n" 2085 "dot1xAuthBackendAuthState=%d\n" 2086 "dot1xAuthAdminControlledDirections=%d\n" 2087 "dot1xAuthOperControlledDirections=%d\n" 2088 "dot1xAuthAuthControlledPortStatus=%d\n" 2089 "dot1xAuthAuthControlledPortControl=%d\n" 2090 "dot1xAuthQuietPeriod=%u\n" 2091 "dot1xAuthServerTimeout=%u\n" 2092 "dot1xAuthReAuthPeriod=%u\n" 2093 "dot1xAuthReAuthEnabled=%s\n" 2094 "dot1xAuthKeyTxEnabled=%s\n", 2095 sm->auth_pae_state + 1, 2096 sm->be_auth_state + 1, 2097 sm->adminControlledDirections, 2098 sm->operControlledDirections, 2099 sm->authPortStatus, 2100 sm->portControl, 2101 sm->quietPeriod, 2102 sm->serverTimeout, 2103 sm->reAuthPeriod, 2104 bool_txt(sm->reAuthEnabled), 2105 bool_txt(sm->keyTxEnabled)); 2106 if (ret < 0 || (size_t) ret >= buflen - len) 2107 return len; 2108 len += ret; 2109 2110 /* dot1xAuthStatsTable */ 2111 ret = os_snprintf(buf + len, buflen - len, 2112 "dot1xAuthEapolFramesRx=%u\n" 2113 "dot1xAuthEapolFramesTx=%u\n" 2114 "dot1xAuthEapolStartFramesRx=%u\n" 2115 "dot1xAuthEapolLogoffFramesRx=%u\n" 2116 "dot1xAuthEapolRespIdFramesRx=%u\n" 2117 "dot1xAuthEapolRespFramesRx=%u\n" 2118 "dot1xAuthEapolReqIdFramesTx=%u\n" 2119 "dot1xAuthEapolReqFramesTx=%u\n" 2120 "dot1xAuthInvalidEapolFramesRx=%u\n" 2121 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2122 "dot1xAuthLastEapolFrameVersion=%u\n" 2123 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2124 sm->dot1xAuthEapolFramesRx, 2125 sm->dot1xAuthEapolFramesTx, 2126 sm->dot1xAuthEapolStartFramesRx, 2127 sm->dot1xAuthEapolLogoffFramesRx, 2128 sm->dot1xAuthEapolRespIdFramesRx, 2129 sm->dot1xAuthEapolRespFramesRx, 2130 sm->dot1xAuthEapolReqIdFramesTx, 2131 sm->dot1xAuthEapolReqFramesTx, 2132 sm->dot1xAuthInvalidEapolFramesRx, 2133 sm->dot1xAuthEapLengthErrorFramesRx, 2134 sm->dot1xAuthLastEapolFrameVersion, 2135 MAC2STR(sm->addr)); 2136 if (ret < 0 || (size_t) ret >= buflen - len) 2137 return len; 2138 len += ret; 2139 2140 /* dot1xAuthDiagTable */ 2141 ret = os_snprintf(buf + len, buflen - len, 2142 "dot1xAuthEntersConnecting=%u\n" 2143 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2144 "dot1xAuthEntersAuthenticating=%u\n" 2145 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2146 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2147 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2148 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2149 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2150 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2151 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2152 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2153 "dot1xAuthBackendResponses=%u\n" 2154 "dot1xAuthBackendAccessChallenges=%u\n" 2155 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2156 "dot1xAuthBackendAuthSuccesses=%u\n" 2157 "dot1xAuthBackendAuthFails=%u\n", 2158 sm->authEntersConnecting, 2159 sm->authEapLogoffsWhileConnecting, 2160 sm->authEntersAuthenticating, 2161 sm->authAuthSuccessesWhileAuthenticating, 2162 sm->authAuthTimeoutsWhileAuthenticating, 2163 sm->authAuthFailWhileAuthenticating, 2164 sm->authAuthEapStartsWhileAuthenticating, 2165 sm->authAuthEapLogoffWhileAuthenticating, 2166 sm->authAuthReauthsWhileAuthenticated, 2167 sm->authAuthEapStartsWhileAuthenticated, 2168 sm->authAuthEapLogoffWhileAuthenticated, 2169 sm->backendResponses, 2170 sm->backendAccessChallenges, 2171 sm->backendOtherRequestsToSupplicant, 2172 sm->backendAuthSuccesses, 2173 sm->backendAuthFails); 2174 if (ret < 0 || (size_t) ret >= buflen - len) 2175 return len; 2176 len += ret; 2177 2178 /* dot1xAuthSessionStatsTable */ 2179 os_get_time(&t); 2180 ret = os_snprintf(buf + len, buflen - len, 2181 /* TODO: dot1xAuthSessionOctetsRx */ 2182 /* TODO: dot1xAuthSessionOctetsTx */ 2183 /* TODO: dot1xAuthSessionFramesRx */ 2184 /* TODO: dot1xAuthSessionFramesTx */ 2185 "dot1xAuthSessionId=%08X-%08X\n" 2186 "dot1xAuthSessionAuthenticMethod=%d\n" 2187 "dot1xAuthSessionTime=%u\n" 2188 "dot1xAuthSessionTerminateCause=999\n" 2189 "dot1xAuthSessionUserName=%s\n", 2190 sta->acct_session_id_hi, sta->acct_session_id_lo, 2191 (wpa_key_mgmt_wpa_ieee8021x( 2192 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2193 1 : 2, 2194 (unsigned int) (t.sec - sta->acct_session_start), 2195 sm->identity); 2196 if (ret < 0 || (size_t) ret >= buflen - len) 2197 return len; 2198 len += ret; 2199 2200 return len; 2201 } 2202 2203 2204 static void ieee802_1x_finished(struct hostapd_data *hapd, 2205 struct sta_info *sta, int success) 2206 { 2207 const u8 *key; 2208 size_t len; 2209 /* TODO: get PMKLifetime from WPA parameters */ 2210 static const int dot11RSNAConfigPMKLifetime = 43200; 2211 2212 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2213 if (success && key && len >= PMK_LEN && 2214 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2215 sta->eapol_sm) == 0) { 2216 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2217 HOSTAPD_LEVEL_DEBUG, 2218 "Added PMKSA cache entry (IEEE 802.1X)"); 2219 } 2220 2221 if (!success) { 2222 /* 2223 * Many devices require deauthentication after WPS provisioning 2224 * and some may not be be able to do that themselves, so 2225 * disconnect the client here. In addition, this may also 2226 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2227 * the EAPOL PAE state machine would remain in HELD state for 2228 * considerable amount of time and some EAP methods, like 2229 * EAP-FAST with anonymous provisioning, may require another 2230 * EAPOL authentication to be started to complete connection. 2231 */ 2232 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2233 "disconnection after EAP-Failure"); 2234 /* Add a small sleep to increase likelihood of previously 2235 * requested EAP-Failure TX getting out before this should the 2236 * driver reorder operations. 2237 */ 2238 os_sleep(0, 10000); 2239 ap_sta_disconnect(hapd, sta, sta->addr, 2240 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2241 } 2242 } 2243