1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/md5.h" 14 #include "crypto/crypto.h" 15 #include "crypto/random.h" 16 #include "common/ieee802_11_defs.h" 17 #include "radius/radius.h" 18 #include "radius/radius_client.h" 19 #include "eap_server/eap.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eapol_auth/eapol_auth_sm.h" 22 #include "eapol_auth/eapol_auth_sm_i.h" 23 #include "p2p/p2p.h" 24 #include "hostapd.h" 25 #include "accounting.h" 26 #include "sta_info.h" 27 #include "wpa_auth.h" 28 #include "preauth_auth.h" 29 #include "pmksa_cache_auth.h" 30 #include "ap_config.h" 31 #include "ap_drv_ops.h" 32 #include "wps_hostapd.h" 33 #include "hs20.h" 34 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */ 35 #include "ieee802_11.h" 36 #include "ieee802_1x.h" 37 38 39 #ifdef CONFIG_HS20 40 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 41 #endif /* CONFIG_HS20 */ 42 static void ieee802_1x_finished(struct hostapd_data *hapd, 43 struct sta_info *sta, int success, 44 int remediation); 45 46 47 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 48 u8 type, const u8 *data, size_t datalen) 49 { 50 u8 *buf; 51 struct ieee802_1x_hdr *xhdr; 52 size_t len; 53 int encrypt = 0; 54 55 len = sizeof(*xhdr) + datalen; 56 buf = os_zalloc(len); 57 if (buf == NULL) { 58 wpa_printf(MSG_ERROR, "malloc() failed for " 59 "ieee802_1x_send(len=%lu)", 60 (unsigned long) len); 61 return; 62 } 63 64 xhdr = (struct ieee802_1x_hdr *) buf; 65 xhdr->version = hapd->conf->eapol_version; 66 xhdr->type = type; 67 xhdr->length = host_to_be16(datalen); 68 69 if (datalen > 0 && data != NULL) 70 os_memcpy(xhdr + 1, data, datalen); 71 72 if (wpa_auth_pairwise_set(sta->wpa_sm)) 73 encrypt = 1; 74 #ifdef CONFIG_TESTING_OPTIONS 75 if (hapd->ext_eapol_frame_io) { 76 size_t hex_len = 2 * len + 1; 77 char *hex = os_malloc(hex_len); 78 79 if (hex) { 80 wpa_snprintf_hex(hex, hex_len, buf, len); 81 wpa_msg(hapd->msg_ctx, MSG_INFO, 82 "EAPOL-TX " MACSTR " %s", 83 MAC2STR(sta->addr), hex); 84 os_free(hex); 85 } 86 } else 87 #endif /* CONFIG_TESTING_OPTIONS */ 88 if (sta->flags & WLAN_STA_PREAUTH) { 89 rsn_preauth_send(hapd, sta, buf, len); 90 } else { 91 hostapd_drv_hapd_send_eapol( 92 hapd, sta->addr, buf, len, 93 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 94 } 95 96 os_free(buf); 97 } 98 99 100 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 101 struct sta_info *sta, int authorized) 102 { 103 int res; 104 105 if (sta->flags & WLAN_STA_PREAUTH) 106 return; 107 108 if (authorized) { 109 ap_sta_set_authorized(hapd, sta, 1); 110 res = hostapd_set_authorized(hapd, sta, 1); 111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 112 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 113 } else { 114 ap_sta_set_authorized(hapd, sta, 0); 115 res = hostapd_set_authorized(hapd, sta, 0); 116 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 117 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 118 } 119 120 if (res && errno != ENOENT) { 121 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 122 " flags for kernel driver (errno=%d).", 123 MAC2STR(sta->addr), errno); 124 } 125 126 if (authorized) { 127 os_get_reltime(&sta->connected_time); 128 accounting_sta_start(hapd, sta); 129 } 130 } 131 132 133 #ifndef CONFIG_FIPS 134 #ifndef CONFIG_NO_RC4 135 136 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 137 struct sta_info *sta, 138 int idx, int broadcast, 139 u8 *key_data, size_t key_len) 140 { 141 u8 *buf, *ekey; 142 struct ieee802_1x_hdr *hdr; 143 struct ieee802_1x_eapol_key *key; 144 size_t len, ekey_len; 145 struct eapol_state_machine *sm = sta->eapol_sm; 146 147 if (sm == NULL) 148 return; 149 150 len = sizeof(*key) + key_len; 151 buf = os_zalloc(sizeof(*hdr) + len); 152 if (buf == NULL) 153 return; 154 155 hdr = (struct ieee802_1x_hdr *) buf; 156 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 157 key->type = EAPOL_KEY_TYPE_RC4; 158 WPA_PUT_BE16(key->key_length, key_len); 159 wpa_get_ntp_timestamp(key->replay_counter); 160 161 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 162 wpa_printf(MSG_ERROR, "Could not get random numbers"); 163 os_free(buf); 164 return; 165 } 166 167 key->key_index = idx | (broadcast ? 0 : BIT(7)); 168 if (hapd->conf->eapol_key_index_workaround) { 169 /* According to some information, WinXP Supplicant seems to 170 * interpret bit7 as an indication whether the key is to be 171 * activated, so make it possible to enable workaround that 172 * sets this bit for all keys. */ 173 key->key_index |= BIT(7); 174 } 175 176 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 177 * MSK[32..63] is used to sign the message. */ 178 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 179 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 180 "and signing EAPOL-Key"); 181 os_free(buf); 182 return; 183 } 184 os_memcpy((u8 *) (key + 1), key_data, key_len); 185 ekey_len = sizeof(key->key_iv) + 32; 186 ekey = os_malloc(ekey_len); 187 if (ekey == NULL) { 188 wpa_printf(MSG_ERROR, "Could not encrypt key"); 189 os_free(buf); 190 return; 191 } 192 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 193 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 194 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 195 os_free(ekey); 196 197 /* This header is needed here for HMAC-MD5, but it will be regenerated 198 * in ieee802_1x_send() */ 199 hdr->version = hapd->conf->eapol_version; 200 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 201 hdr->length = host_to_be16(len); 202 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 203 key->key_signature); 204 205 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 206 " (%s index=%d)", MAC2STR(sm->addr), 207 broadcast ? "broadcast" : "unicast", idx); 208 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 209 if (sta->eapol_sm) 210 sta->eapol_sm->dot1xAuthEapolFramesTx++; 211 os_free(buf); 212 } 213 214 215 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 216 { 217 struct eapol_authenticator *eapol = hapd->eapol_auth; 218 struct eapol_state_machine *sm = sta->eapol_sm; 219 220 if (sm == NULL || !sm->eap_if->eapKeyData) 221 return; 222 223 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 224 MAC2STR(sta->addr)); 225 226 #ifndef CONFIG_NO_VLAN 227 if (sta->vlan_id > 0) { 228 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 229 return; 230 } 231 #endif /* CONFIG_NO_VLAN */ 232 233 if (eapol->default_wep_key) { 234 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 235 eapol->default_wep_key, 236 hapd->conf->default_wep_key_len); 237 } 238 239 if (hapd->conf->individual_wep_key_len > 0) { 240 u8 *ikey; 241 ikey = os_malloc(hapd->conf->individual_wep_key_len); 242 if (ikey == NULL || 243 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 244 { 245 wpa_printf(MSG_ERROR, "Could not generate random " 246 "individual WEP key."); 247 os_free(ikey); 248 return; 249 } 250 251 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 252 ikey, hapd->conf->individual_wep_key_len); 253 254 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 255 hapd->conf->individual_wep_key_len); 256 257 /* TODO: set encryption in TX callback, i.e., only after STA 258 * has ACKed EAPOL-Key frame */ 259 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 260 sta->addr, 0, 1, NULL, 0, ikey, 261 hapd->conf->individual_wep_key_len)) { 262 wpa_printf(MSG_ERROR, "Could not set individual WEP " 263 "encryption."); 264 } 265 266 os_free(ikey); 267 } 268 } 269 270 #endif /* CONFIG_NO_RC4 */ 271 #endif /* CONFIG_FIPS */ 272 273 274 const char *radius_mode_txt(struct hostapd_data *hapd) 275 { 276 switch (hapd->iface->conf->hw_mode) { 277 case HOSTAPD_MODE_IEEE80211AD: 278 return "802.11ad"; 279 case HOSTAPD_MODE_IEEE80211A: 280 return "802.11a"; 281 case HOSTAPD_MODE_IEEE80211G: 282 return "802.11g"; 283 case HOSTAPD_MODE_IEEE80211B: 284 default: 285 return "802.11b"; 286 } 287 } 288 289 290 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 291 { 292 int i; 293 u8 rate = 0; 294 295 for (i = 0; i < sta->supported_rates_len; i++) 296 if ((sta->supported_rates[i] & 0x7f) > rate) 297 rate = sta->supported_rates[i] & 0x7f; 298 299 return rate; 300 } 301 302 303 #ifndef CONFIG_NO_RADIUS 304 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 305 struct eapol_state_machine *sm, 306 const u8 *eap, size_t len) 307 { 308 const u8 *identity; 309 size_t identity_len; 310 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 311 312 if (len <= sizeof(struct eap_hdr) || 313 (hdr->code == EAP_CODE_RESPONSE && 314 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 315 (hdr->code == EAP_CODE_INITIATE && 316 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 317 (hdr->code != EAP_CODE_RESPONSE && 318 hdr->code != EAP_CODE_INITIATE)) 319 return; 320 321 eap_erp_update_identity(sm->eap, eap, len); 322 identity = eap_get_identity(sm->eap, &identity_len); 323 if (identity == NULL) 324 return; 325 326 /* Save station identity for future RADIUS packets */ 327 os_free(sm->identity); 328 sm->identity = (u8 *) dup_binstr(identity, identity_len); 329 if (sm->identity == NULL) { 330 sm->identity_len = 0; 331 return; 332 } 333 334 sm->identity_len = identity_len; 335 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 336 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 337 sm->dot1xAuthEapolRespIdFramesRx++; 338 } 339 340 341 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 342 struct hostapd_radius_attr *req_attr, 343 struct sta_info *sta, 344 struct radius_msg *msg) 345 { 346 u32 suite; 347 int ver, val; 348 349 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 350 val = wpa_auth_get_pairwise(sta->wpa_sm); 351 suite = wpa_cipher_to_suite(ver, val); 352 if (val != -1 && 353 !hostapd_config_get_radius_attr(req_attr, 354 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 355 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 356 suite)) { 357 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 358 return -1; 359 } 360 361 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 362 hapd->conf->osen) ? 363 WPA_PROTO_RSN : WPA_PROTO_WPA, 364 hapd->conf->wpa_group); 365 if (!hostapd_config_get_radius_attr(req_attr, 366 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 367 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 368 suite)) { 369 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 370 return -1; 371 } 372 373 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 374 suite = wpa_akm_to_suite(val); 375 if (val != -1 && 376 !hostapd_config_get_radius_attr(req_attr, 377 RADIUS_ATTR_WLAN_AKM_SUITE) && 378 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 379 suite)) { 380 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 381 return -1; 382 } 383 384 #ifdef CONFIG_IEEE80211W 385 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 386 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 387 hapd->conf->group_mgmt_cipher); 388 if (!hostapd_config_get_radius_attr( 389 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 390 !radius_msg_add_attr_int32( 391 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 392 wpa_printf(MSG_ERROR, 393 "Could not add WLAN-Group-Mgmt-Cipher"); 394 return -1; 395 } 396 } 397 #endif /* CONFIG_IEEE80211W */ 398 399 return 0; 400 } 401 402 403 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 404 struct hostapd_radius_attr *req_attr, 405 struct sta_info *sta, 406 struct radius_msg *msg) 407 { 408 char buf[128]; 409 410 if (!hostapd_config_get_radius_attr(req_attr, 411 RADIUS_ATTR_SERVICE_TYPE) && 412 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 413 RADIUS_SERVICE_TYPE_FRAMED)) { 414 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 415 return -1; 416 } 417 418 if (!hostapd_config_get_radius_attr(req_attr, 419 RADIUS_ATTR_NAS_PORT) && 420 sta->aid > 0 && 421 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 422 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 423 return -1; 424 } 425 426 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 427 MAC2STR(sta->addr)); 428 buf[sizeof(buf) - 1] = '\0'; 429 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 430 (u8 *) buf, os_strlen(buf))) { 431 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 432 return -1; 433 } 434 435 if (sta->flags & WLAN_STA_PREAUTH) { 436 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 437 sizeof(buf)); 438 } else { 439 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 440 radius_sta_rate(hapd, sta) / 2, 441 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 442 radius_mode_txt(hapd)); 443 buf[sizeof(buf) - 1] = '\0'; 444 } 445 if (!hostapd_config_get_radius_attr(req_attr, 446 RADIUS_ATTR_CONNECT_INFO) && 447 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 448 (u8 *) buf, os_strlen(buf))) { 449 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 450 return -1; 451 } 452 453 if (sta->acct_session_id) { 454 os_snprintf(buf, sizeof(buf), "%016llX", 455 (unsigned long long) sta->acct_session_id); 456 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 457 (u8 *) buf, os_strlen(buf))) { 458 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 459 return -1; 460 } 461 } 462 463 if ((hapd->conf->wpa & 2) && 464 !hapd->conf->disable_pmksa_caching && 465 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 466 os_snprintf(buf, sizeof(buf), "%016llX", 467 (unsigned long long) 468 sta->eapol_sm->acct_multi_session_id); 469 if (!radius_msg_add_attr( 470 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 471 (u8 *) buf, os_strlen(buf))) { 472 wpa_printf(MSG_INFO, 473 "Could not add Acct-Multi-Session-Id"); 474 return -1; 475 } 476 } 477 478 #ifdef CONFIG_IEEE80211R_AP 479 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 480 sta->wpa_sm && 481 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 482 sta->auth_alg == WLAN_AUTH_FT) && 483 !hostapd_config_get_radius_attr(req_attr, 484 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 485 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 486 WPA_GET_BE16( 487 hapd->conf->mobility_domain))) { 488 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 489 return -1; 490 } 491 #endif /* CONFIG_IEEE80211R_AP */ 492 493 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 494 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 495 return -1; 496 497 return 0; 498 } 499 500 501 int add_common_radius_attr(struct hostapd_data *hapd, 502 struct hostapd_radius_attr *req_attr, 503 struct sta_info *sta, 504 struct radius_msg *msg) 505 { 506 char buf[128]; 507 struct hostapd_radius_attr *attr; 508 int len; 509 510 if (!hostapd_config_get_radius_attr(req_attr, 511 RADIUS_ATTR_NAS_IP_ADDRESS) && 512 hapd->conf->own_ip_addr.af == AF_INET && 513 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 514 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 515 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 516 return -1; 517 } 518 519 #ifdef CONFIG_IPV6 520 if (!hostapd_config_get_radius_attr(req_attr, 521 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 522 hapd->conf->own_ip_addr.af == AF_INET6 && 523 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 524 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 525 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 526 return -1; 527 } 528 #endif /* CONFIG_IPV6 */ 529 530 if (!hostapd_config_get_radius_attr(req_attr, 531 RADIUS_ATTR_NAS_IDENTIFIER) && 532 hapd->conf->nas_identifier && 533 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 534 (u8 *) hapd->conf->nas_identifier, 535 os_strlen(hapd->conf->nas_identifier))) { 536 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 537 return -1; 538 } 539 540 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 541 MAC2STR(hapd->own_addr)); 542 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 543 hapd->conf->ssid.ssid_len); 544 len += hapd->conf->ssid.ssid_len; 545 if (!hostapd_config_get_radius_attr(req_attr, 546 RADIUS_ATTR_CALLED_STATION_ID) && 547 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 548 (u8 *) buf, len)) { 549 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 550 return -1; 551 } 552 553 if (!hostapd_config_get_radius_attr(req_attr, 554 RADIUS_ATTR_NAS_PORT_TYPE) && 555 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 556 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 557 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 558 return -1; 559 } 560 561 #ifdef CONFIG_INTERWORKING 562 if (hapd->conf->interworking && 563 !is_zero_ether_addr(hapd->conf->hessid)) { 564 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 565 MAC2STR(hapd->conf->hessid)); 566 buf[sizeof(buf) - 1] = '\0'; 567 if (!hostapd_config_get_radius_attr(req_attr, 568 RADIUS_ATTR_WLAN_HESSID) && 569 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 570 (u8 *) buf, os_strlen(buf))) { 571 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 572 return -1; 573 } 574 } 575 #endif /* CONFIG_INTERWORKING */ 576 577 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 578 return -1; 579 580 for (attr = req_attr; attr; attr = attr->next) { 581 if (!radius_msg_add_attr(msg, attr->type, 582 wpabuf_head(attr->val), 583 wpabuf_len(attr->val))) { 584 wpa_printf(MSG_ERROR, "Could not add RADIUS " 585 "attribute"); 586 return -1; 587 } 588 } 589 590 return 0; 591 } 592 593 594 void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 595 struct sta_info *sta, 596 const u8 *eap, size_t len) 597 { 598 struct radius_msg *msg; 599 struct eapol_state_machine *sm = sta->eapol_sm; 600 601 if (sm == NULL) 602 return; 603 604 ieee802_1x_learn_identity(hapd, sm, eap, len); 605 606 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 607 "packet"); 608 609 sm->radius_identifier = radius_client_get_id(hapd->radius); 610 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 611 sm->radius_identifier); 612 if (msg == NULL) { 613 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 614 return; 615 } 616 617 if (radius_msg_make_authenticator(msg) < 0) { 618 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 619 goto fail; 620 } 621 622 if (sm->identity && 623 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 624 sm->identity, sm->identity_len)) { 625 wpa_printf(MSG_INFO, "Could not add User-Name"); 626 goto fail; 627 } 628 629 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 630 msg) < 0) 631 goto fail; 632 633 /* TODO: should probably check MTU from driver config; 2304 is max for 634 * IEEE 802.11, but use 1400 to avoid problems with too large packets 635 */ 636 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 637 RADIUS_ATTR_FRAMED_MTU) && 638 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 639 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 640 goto fail; 641 } 642 643 if (!radius_msg_add_eap(msg, eap, len)) { 644 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 645 goto fail; 646 } 647 648 /* State attribute must be copied if and only if this packet is 649 * Access-Request reply to the previous Access-Challenge */ 650 if (sm->last_recv_radius && 651 radius_msg_get_hdr(sm->last_recv_radius)->code == 652 RADIUS_CODE_ACCESS_CHALLENGE) { 653 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 654 RADIUS_ATTR_STATE); 655 if (res < 0) { 656 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 657 goto fail; 658 } 659 if (res > 0) { 660 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 661 } 662 } 663 664 if (hapd->conf->radius_request_cui) { 665 const u8 *cui; 666 size_t cui_len; 667 /* Add previously learned CUI or nul CUI to request CUI */ 668 if (sm->radius_cui) { 669 cui = wpabuf_head(sm->radius_cui); 670 cui_len = wpabuf_len(sm->radius_cui); 671 } else { 672 cui = (const u8 *) "\0"; 673 cui_len = 1; 674 } 675 if (!radius_msg_add_attr(msg, 676 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 677 cui, cui_len)) { 678 wpa_printf(MSG_ERROR, "Could not add CUI"); 679 goto fail; 680 } 681 } 682 683 #ifdef CONFIG_HS20 684 if (hapd->conf->hs20) { 685 u8 ver = hapd->conf->hs20_release - 1; 686 687 if (!radius_msg_add_wfa( 688 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 689 &ver, 1)) { 690 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 691 "version"); 692 goto fail; 693 } 694 695 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 696 const u8 *pos; 697 u8 buf[3]; 698 u16 id; 699 pos = wpabuf_head_u8(sta->hs20_ie); 700 buf[0] = (*pos) >> 4; 701 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 702 wpabuf_len(sta->hs20_ie) >= 3) 703 id = WPA_GET_LE16(pos + 1); 704 else 705 id = 0; 706 WPA_PUT_BE16(buf + 1, id); 707 if (!radius_msg_add_wfa( 708 msg, 709 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 710 buf, sizeof(buf))) { 711 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 712 "STA version"); 713 goto fail; 714 } 715 } 716 717 if (sta->roaming_consortium && 718 !radius_msg_add_wfa( 719 msg, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM, 720 wpabuf_head(sta->roaming_consortium), 721 wpabuf_len(sta->roaming_consortium))) { 722 wpa_printf(MSG_ERROR, 723 "Could not add HS 2.0 Roaming Consortium"); 724 goto fail; 725 } 726 727 if (hapd->conf->t_c_filename) { 728 be32 timestamp; 729 730 if (!radius_msg_add_wfa( 731 msg, 732 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME, 733 (const u8 *) hapd->conf->t_c_filename, 734 os_strlen(hapd->conf->t_c_filename))) { 735 wpa_printf(MSG_ERROR, 736 "Could not add HS 2.0 T&C Filename"); 737 goto fail; 738 } 739 740 timestamp = host_to_be32(hapd->conf->t_c_timestamp); 741 if (!radius_msg_add_wfa( 742 msg, 743 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP, 744 (const u8 *) ×tamp, 745 sizeof(timestamp))) { 746 wpa_printf(MSG_ERROR, 747 "Could not add HS 2.0 Timestamp"); 748 goto fail; 749 } 750 } 751 } 752 #endif /* CONFIG_HS20 */ 753 754 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 755 goto fail; 756 757 return; 758 759 fail: 760 radius_msg_free(msg); 761 } 762 #endif /* CONFIG_NO_RADIUS */ 763 764 765 static void handle_eap_response(struct hostapd_data *hapd, 766 struct sta_info *sta, struct eap_hdr *eap, 767 size_t len) 768 { 769 u8 type, *data; 770 struct eapol_state_machine *sm = sta->eapol_sm; 771 if (sm == NULL) 772 return; 773 774 data = (u8 *) (eap + 1); 775 776 if (len < sizeof(*eap) + 1) { 777 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 778 return; 779 } 780 781 sm->eap_type_supp = type = data[0]; 782 783 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 784 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 785 "id=%d len=%d) from STA: EAP Response-%s (%d)", 786 eap->code, eap->identifier, be_to_host16(eap->length), 787 eap_server_get_name(0, type), type); 788 789 sm->dot1xAuthEapolRespFramesRx++; 790 791 wpabuf_free(sm->eap_if->eapRespData); 792 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 793 sm->eapolEap = TRUE; 794 } 795 796 797 static void handle_eap_initiate(struct hostapd_data *hapd, 798 struct sta_info *sta, struct eap_hdr *eap, 799 size_t len) 800 { 801 #ifdef CONFIG_ERP 802 u8 type, *data; 803 struct eapol_state_machine *sm = sta->eapol_sm; 804 805 if (sm == NULL) 806 return; 807 808 if (len < sizeof(*eap) + 1) { 809 wpa_printf(MSG_INFO, 810 "handle_eap_initiate: too short response data"); 811 return; 812 } 813 814 data = (u8 *) (eap + 1); 815 type = data[0]; 816 817 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 818 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 819 "id=%d len=%d) from STA: EAP Initiate type %u", 820 eap->code, eap->identifier, be_to_host16(eap->length), 821 type); 822 823 wpabuf_free(sm->eap_if->eapRespData); 824 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 825 sm->eapolEap = TRUE; 826 #endif /* CONFIG_ERP */ 827 } 828 829 830 /* Process incoming EAP packet from Supplicant */ 831 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 832 u8 *buf, size_t len) 833 { 834 struct eap_hdr *eap; 835 u16 eap_len; 836 837 if (len < sizeof(*eap)) { 838 wpa_printf(MSG_INFO, " too short EAP packet"); 839 return; 840 } 841 842 eap = (struct eap_hdr *) buf; 843 844 eap_len = be_to_host16(eap->length); 845 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 846 eap->code, eap->identifier, eap_len); 847 if (eap_len < sizeof(*eap)) { 848 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 849 return; 850 } else if (eap_len > len) { 851 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 852 "packet"); 853 return; 854 } else if (eap_len < len) { 855 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 856 "packet", (unsigned long) len - eap_len); 857 } 858 859 switch (eap->code) { 860 case EAP_CODE_REQUEST: 861 wpa_printf(MSG_DEBUG, " (request)"); 862 return; 863 case EAP_CODE_RESPONSE: 864 wpa_printf(MSG_DEBUG, " (response)"); 865 handle_eap_response(hapd, sta, eap, eap_len); 866 break; 867 case EAP_CODE_SUCCESS: 868 wpa_printf(MSG_DEBUG, " (success)"); 869 return; 870 case EAP_CODE_FAILURE: 871 wpa_printf(MSG_DEBUG, " (failure)"); 872 return; 873 case EAP_CODE_INITIATE: 874 wpa_printf(MSG_DEBUG, " (initiate)"); 875 handle_eap_initiate(hapd, sta, eap, eap_len); 876 break; 877 case EAP_CODE_FINISH: 878 wpa_printf(MSG_DEBUG, " (finish)"); 879 break; 880 default: 881 wpa_printf(MSG_DEBUG, " (unknown code)"); 882 return; 883 } 884 } 885 886 887 struct eapol_state_machine * 888 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 889 { 890 int flags = 0; 891 if (sta->flags & WLAN_STA_PREAUTH) 892 flags |= EAPOL_SM_PREAUTH; 893 if (sta->wpa_sm) { 894 flags |= EAPOL_SM_USES_WPA; 895 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 896 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 897 } 898 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 899 sta->wps_ie, sta->p2p_ie, sta, 900 sta->identity, sta->radius_cui); 901 } 902 903 904 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 905 size_t len) 906 { 907 if (sta->pending_eapol_rx) { 908 wpabuf_free(sta->pending_eapol_rx->buf); 909 } else { 910 sta->pending_eapol_rx = 911 os_malloc(sizeof(*sta->pending_eapol_rx)); 912 if (!sta->pending_eapol_rx) 913 return; 914 } 915 916 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 917 if (!sta->pending_eapol_rx->buf) { 918 os_free(sta->pending_eapol_rx); 919 sta->pending_eapol_rx = NULL; 920 return; 921 } 922 923 os_get_reltime(&sta->pending_eapol_rx->rx_time); 924 } 925 926 927 /** 928 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 929 * @hapd: hostapd BSS data 930 * @sa: Source address (sender of the EAPOL frame) 931 * @buf: EAPOL frame 932 * @len: Length of buf in octets 933 * 934 * This function is called for each incoming EAPOL frame from the interface 935 */ 936 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 937 size_t len) 938 { 939 struct sta_info *sta; 940 struct ieee802_1x_hdr *hdr; 941 struct ieee802_1x_eapol_key *key; 942 u16 datalen; 943 struct rsn_pmksa_cache_entry *pmksa; 944 int key_mgmt; 945 946 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 947 !hapd->conf->wps_state) 948 return; 949 950 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 951 (unsigned long) len, MAC2STR(sa)); 952 sta = ap_get_sta(hapd, sa); 953 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 954 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 955 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 956 "associated/Pre-authenticating STA"); 957 958 if (sta && (sta->flags & WLAN_STA_AUTH)) { 959 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 960 " for later use", MAC2STR(sta->addr)); 961 ieee802_1x_save_eapol(sta, buf, len); 962 } 963 964 return; 965 } 966 967 if (len < sizeof(*hdr)) { 968 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 969 return; 970 } 971 972 hdr = (struct ieee802_1x_hdr *) buf; 973 datalen = be_to_host16(hdr->length); 974 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 975 hdr->version, hdr->type, datalen); 976 977 if (len - sizeof(*hdr) < datalen) { 978 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 979 if (sta->eapol_sm) 980 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 981 return; 982 } 983 if (len - sizeof(*hdr) > datalen) { 984 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 985 "IEEE 802.1X packet", 986 (unsigned long) len - sizeof(*hdr) - datalen); 987 } 988 989 if (sta->eapol_sm) { 990 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 991 sta->eapol_sm->dot1xAuthEapolFramesRx++; 992 } 993 994 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 995 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 996 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 997 (key->type == EAPOL_KEY_TYPE_WPA || 998 key->type == EAPOL_KEY_TYPE_RSN)) { 999 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 1000 sizeof(*hdr) + datalen); 1001 return; 1002 } 1003 1004 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 1005 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 1006 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 1007 "802.1X not enabled and WPS not used"); 1008 return; 1009 } 1010 1011 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1012 if (key_mgmt != -1 && 1013 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1014 key_mgmt == WPA_KEY_MGMT_DPP)) { 1015 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 1016 "STA is using PSK"); 1017 return; 1018 } 1019 1020 if (!sta->eapol_sm) { 1021 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1022 if (!sta->eapol_sm) 1023 return; 1024 1025 #ifdef CONFIG_WPS 1026 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 1027 u32 wflags = sta->flags & (WLAN_STA_WPS | 1028 WLAN_STA_WPS2 | 1029 WLAN_STA_MAYBE_WPS); 1030 if (wflags == WLAN_STA_MAYBE_WPS || 1031 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 1032 /* 1033 * Delay EAPOL frame transmission until a 1034 * possible WPS STA initiates the handshake 1035 * with EAPOL-Start. Only allow the wait to be 1036 * skipped if the STA is known to support WPS 1037 * 2.0. 1038 */ 1039 wpa_printf(MSG_DEBUG, "WPS: Do not start " 1040 "EAPOL until EAPOL-Start is " 1041 "received"); 1042 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1043 } 1044 } 1045 #endif /* CONFIG_WPS */ 1046 1047 sta->eapol_sm->eap_if->portEnabled = TRUE; 1048 } 1049 1050 /* since we support version 1, we can ignore version field and proceed 1051 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1052 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1053 * does not change frame contents, so should be ok to process frames 1054 * more or less identically. Some changes might be needed for 1055 * verification of fields. */ 1056 1057 switch (hdr->type) { 1058 case IEEE802_1X_TYPE_EAP_PACKET: 1059 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1060 break; 1061 1062 case IEEE802_1X_TYPE_EAPOL_START: 1063 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1064 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 1065 "from STA"); 1066 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1067 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1068 if (pmksa) { 1069 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1070 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 1071 "available - ignore it since " 1072 "STA sent EAPOL-Start"); 1073 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1074 } 1075 sta->eapol_sm->eapolStart = TRUE; 1076 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1077 eap_server_clear_identity(sta->eapol_sm->eap); 1078 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1079 break; 1080 1081 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1082 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1083 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 1084 "from STA"); 1085 sta->acct_terminate_cause = 1086 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1087 accounting_sta_stop(hapd, sta); 1088 sta->eapol_sm->eapolLogoff = TRUE; 1089 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1090 eap_server_clear_identity(sta->eapol_sm->eap); 1091 break; 1092 1093 case IEEE802_1X_TYPE_EAPOL_KEY: 1094 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1095 if (!ap_sta_is_authorized(sta)) { 1096 wpa_printf(MSG_DEBUG, " Dropped key data from " 1097 "unauthorized Supplicant"); 1098 break; 1099 } 1100 break; 1101 1102 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1103 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1104 /* TODO: implement support for this; show data */ 1105 break; 1106 1107 default: 1108 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1109 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1110 break; 1111 } 1112 1113 eapol_auth_step(sta->eapol_sm); 1114 } 1115 1116 1117 /** 1118 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1119 * @hapd: hostapd BSS data 1120 * @sta: The station 1121 * 1122 * This function is called to start IEEE 802.1X authentication when a new 1123 * station completes IEEE 802.11 association. 1124 */ 1125 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1126 { 1127 struct rsn_pmksa_cache_entry *pmksa; 1128 int reassoc = 1; 1129 int force_1x = 0; 1130 int key_mgmt; 1131 1132 #ifdef CONFIG_WPS 1133 if (hapd->conf->wps_state && 1134 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1135 (sta->flags & WLAN_STA_WPS))) { 1136 /* 1137 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1138 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1139 * authentication in this BSS. 1140 */ 1141 force_1x = 1; 1142 } 1143 #endif /* CONFIG_WPS */ 1144 1145 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1146 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1147 "802.1X not enabled or forced for WPS"); 1148 /* 1149 * Clear any possible EAPOL authenticator state to support 1150 * reassociation change from WPS to PSK. 1151 */ 1152 ieee802_1x_free_station(hapd, sta); 1153 return; 1154 } 1155 1156 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1157 if (key_mgmt != -1 && 1158 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1159 key_mgmt == WPA_KEY_MGMT_DPP)) { 1160 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1161 /* 1162 * Clear any possible EAPOL authenticator state to support 1163 * reassociation change from WPA-EAP to PSK. 1164 */ 1165 ieee802_1x_free_station(hapd, sta); 1166 return; 1167 } 1168 1169 if (sta->eapol_sm == NULL) { 1170 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1171 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1172 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1173 if (sta->eapol_sm == NULL) { 1174 hostapd_logger(hapd, sta->addr, 1175 HOSTAPD_MODULE_IEEE8021X, 1176 HOSTAPD_LEVEL_INFO, 1177 "failed to allocate state machine"); 1178 return; 1179 } 1180 reassoc = 0; 1181 } 1182 1183 #ifdef CONFIG_WPS 1184 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1185 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1186 !(sta->flags & WLAN_STA_WPS2)) { 1187 /* 1188 * Delay EAPOL frame transmission until a possible WPS STA 1189 * initiates the handshake with EAPOL-Start. Only allow the 1190 * wait to be skipped if the STA is known to support WPS 2.0. 1191 */ 1192 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1193 "EAPOL-Start is received"); 1194 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1195 } 1196 #endif /* CONFIG_WPS */ 1197 1198 sta->eapol_sm->eap_if->portEnabled = TRUE; 1199 1200 #ifdef CONFIG_IEEE80211R_AP 1201 if (sta->auth_alg == WLAN_AUTH_FT) { 1202 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1203 HOSTAPD_LEVEL_DEBUG, 1204 "PMK from FT - skip IEEE 802.1X/EAP"); 1205 /* Setup EAPOL state machines to already authenticated state 1206 * because of existing FT information from R0KH. */ 1207 sta->eapol_sm->keyRun = TRUE; 1208 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1209 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1210 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1211 sta->eapol_sm->authSuccess = TRUE; 1212 sta->eapol_sm->authFail = FALSE; 1213 sta->eapol_sm->portValid = TRUE; 1214 if (sta->eapol_sm->eap) 1215 eap_sm_notify_cached(sta->eapol_sm->eap); 1216 ap_sta_bind_vlan(hapd, sta); 1217 return; 1218 } 1219 #endif /* CONFIG_IEEE80211R_AP */ 1220 1221 #ifdef CONFIG_FILS 1222 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 1223 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 1224 sta->auth_alg == WLAN_AUTH_FILS_PK) { 1225 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1226 HOSTAPD_LEVEL_DEBUG, 1227 "PMK from FILS - skip IEEE 802.1X/EAP"); 1228 /* Setup EAPOL state machines to already authenticated state 1229 * because of existing FILS information. */ 1230 sta->eapol_sm->keyRun = TRUE; 1231 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1232 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1233 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1234 sta->eapol_sm->authSuccess = TRUE; 1235 sta->eapol_sm->authFail = FALSE; 1236 sta->eapol_sm->portValid = TRUE; 1237 if (sta->eapol_sm->eap) 1238 eap_sm_notify_cached(sta->eapol_sm->eap); 1239 wpa_auth_set_ptk_rekey_timer(sta->wpa_sm); 1240 return; 1241 } 1242 #endif /* CONFIG_FILS */ 1243 1244 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1245 if (pmksa) { 1246 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1247 HOSTAPD_LEVEL_DEBUG, 1248 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1249 /* Setup EAPOL state machines to already authenticated state 1250 * because of existing PMKSA information in the cache. */ 1251 sta->eapol_sm->keyRun = TRUE; 1252 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1253 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1254 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1255 sta->eapol_sm->authSuccess = TRUE; 1256 sta->eapol_sm->authFail = FALSE; 1257 if (sta->eapol_sm->eap) 1258 eap_sm_notify_cached(sta->eapol_sm->eap); 1259 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1260 ap_sta_bind_vlan(hapd, sta); 1261 } else { 1262 if (reassoc) { 1263 /* 1264 * Force EAPOL state machines to start 1265 * re-authentication without having to wait for the 1266 * Supplicant to send EAPOL-Start. 1267 */ 1268 sta->eapol_sm->reAuthenticate = TRUE; 1269 } 1270 eapol_auth_step(sta->eapol_sm); 1271 } 1272 } 1273 1274 1275 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1276 { 1277 struct eapol_state_machine *sm = sta->eapol_sm; 1278 1279 #ifdef CONFIG_HS20 1280 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1281 #endif /* CONFIG_HS20 */ 1282 1283 if (sta->pending_eapol_rx) { 1284 wpabuf_free(sta->pending_eapol_rx->buf); 1285 os_free(sta->pending_eapol_rx); 1286 sta->pending_eapol_rx = NULL; 1287 } 1288 1289 if (sm == NULL) 1290 return; 1291 1292 sta->eapol_sm = NULL; 1293 1294 #ifndef CONFIG_NO_RADIUS 1295 radius_msg_free(sm->last_recv_radius); 1296 radius_free_class(&sm->radius_class); 1297 #endif /* CONFIG_NO_RADIUS */ 1298 1299 eapol_auth_free(sm); 1300 } 1301 1302 1303 #ifndef CONFIG_NO_RADIUS 1304 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1305 struct sta_info *sta) 1306 { 1307 struct wpabuf *eap; 1308 const struct eap_hdr *hdr; 1309 int eap_type = -1; 1310 char buf[64]; 1311 struct radius_msg *msg; 1312 struct eapol_state_machine *sm = sta->eapol_sm; 1313 1314 if (sm == NULL || sm->last_recv_radius == NULL) { 1315 if (sm) 1316 sm->eap_if->aaaEapNoReq = TRUE; 1317 return; 1318 } 1319 1320 msg = sm->last_recv_radius; 1321 1322 eap = radius_msg_get_eap(msg); 1323 if (eap == NULL) { 1324 /* RFC 3579, Chap. 2.6.3: 1325 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1326 * attribute */ 1327 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1328 HOSTAPD_LEVEL_WARNING, "could not extract " 1329 "EAP-Message from RADIUS message"); 1330 sm->eap_if->aaaEapNoReq = TRUE; 1331 return; 1332 } 1333 1334 if (wpabuf_len(eap) < sizeof(*hdr)) { 1335 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1336 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1337 "received from authentication server"); 1338 wpabuf_free(eap); 1339 sm->eap_if->aaaEapNoReq = TRUE; 1340 return; 1341 } 1342 1343 if (wpabuf_len(eap) > sizeof(*hdr)) 1344 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1345 1346 hdr = wpabuf_head(eap); 1347 switch (hdr->code) { 1348 case EAP_CODE_REQUEST: 1349 if (eap_type >= 0) 1350 sm->eap_type_authsrv = eap_type; 1351 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1352 eap_server_get_name(0, eap_type), eap_type); 1353 break; 1354 case EAP_CODE_RESPONSE: 1355 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1356 eap_server_get_name(0, eap_type), eap_type); 1357 break; 1358 case EAP_CODE_SUCCESS: 1359 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1360 break; 1361 case EAP_CODE_FAILURE: 1362 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1363 break; 1364 default: 1365 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1366 break; 1367 } 1368 buf[sizeof(buf) - 1] = '\0'; 1369 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1370 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1371 "id=%d len=%d) from RADIUS server: %s", 1372 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1373 buf); 1374 sm->eap_if->aaaEapReq = TRUE; 1375 1376 wpabuf_free(sm->eap_if->aaaEapReqData); 1377 sm->eap_if->aaaEapReqData = eap; 1378 } 1379 1380 1381 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1382 struct sta_info *sta, struct radius_msg *msg, 1383 struct radius_msg *req, 1384 const u8 *shared_secret, 1385 size_t shared_secret_len) 1386 { 1387 struct radius_ms_mppe_keys *keys; 1388 struct eapol_state_machine *sm = sta->eapol_sm; 1389 if (sm == NULL) 1390 return; 1391 1392 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1393 shared_secret_len); 1394 1395 if (keys && keys->send && keys->recv) { 1396 size_t len = keys->send_len + keys->recv_len; 1397 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1398 keys->send, keys->send_len); 1399 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1400 keys->recv, keys->recv_len); 1401 1402 os_free(sm->eap_if->aaaEapKeyData); 1403 sm->eap_if->aaaEapKeyData = os_malloc(len); 1404 if (sm->eap_if->aaaEapKeyData) { 1405 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1406 keys->recv_len); 1407 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1408 keys->send, keys->send_len); 1409 sm->eap_if->aaaEapKeyDataLen = len; 1410 sm->eap_if->aaaEapKeyAvailable = TRUE; 1411 } 1412 } else { 1413 wpa_printf(MSG_DEBUG, 1414 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1415 keys, keys ? keys->send : NULL, 1416 keys ? keys->recv : NULL); 1417 } 1418 1419 if (keys) { 1420 os_free(keys->send); 1421 os_free(keys->recv); 1422 os_free(keys); 1423 } 1424 } 1425 1426 1427 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1428 struct sta_info *sta, 1429 struct radius_msg *msg) 1430 { 1431 u8 *attr_class; 1432 size_t class_len; 1433 struct eapol_state_machine *sm = sta->eapol_sm; 1434 int count, i; 1435 struct radius_attr_data *nclass; 1436 size_t nclass_count; 1437 1438 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1439 sm == NULL) 1440 return; 1441 1442 radius_free_class(&sm->radius_class); 1443 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1444 if (count <= 0) 1445 return; 1446 1447 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1448 if (nclass == NULL) 1449 return; 1450 1451 nclass_count = 0; 1452 1453 attr_class = NULL; 1454 for (i = 0; i < count; i++) { 1455 do { 1456 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1457 &attr_class, &class_len, 1458 attr_class) < 0) { 1459 i = count; 1460 break; 1461 } 1462 } while (class_len < 1); 1463 1464 nclass[nclass_count].data = os_memdup(attr_class, class_len); 1465 if (nclass[nclass_count].data == NULL) 1466 break; 1467 1468 nclass[nclass_count].len = class_len; 1469 nclass_count++; 1470 } 1471 1472 sm->radius_class.attr = nclass; 1473 sm->radius_class.count = nclass_count; 1474 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1475 "attributes for " MACSTR, 1476 (unsigned long) sm->radius_class.count, 1477 MAC2STR(sta->addr)); 1478 } 1479 1480 1481 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1482 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1483 struct sta_info *sta, 1484 struct radius_msg *msg) 1485 { 1486 u8 *buf, *identity; 1487 size_t len; 1488 struct eapol_state_machine *sm = sta->eapol_sm; 1489 1490 if (sm == NULL) 1491 return; 1492 1493 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1494 NULL) < 0) 1495 return; 1496 1497 identity = (u8 *) dup_binstr(buf, len); 1498 if (identity == NULL) 1499 return; 1500 1501 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1502 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1503 "User-Name from Access-Accept '%s'", 1504 sm->identity ? (char *) sm->identity : "N/A", 1505 (char *) identity); 1506 1507 os_free(sm->identity); 1508 sm->identity = identity; 1509 sm->identity_len = len; 1510 } 1511 1512 1513 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1514 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1515 struct sta_info *sta, 1516 struct radius_msg *msg) 1517 { 1518 struct eapol_state_machine *sm = sta->eapol_sm; 1519 struct wpabuf *cui; 1520 u8 *buf; 1521 size_t len; 1522 1523 if (sm == NULL) 1524 return; 1525 1526 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1527 &buf, &len, NULL) < 0) 1528 return; 1529 1530 cui = wpabuf_alloc_copy(buf, len); 1531 if (cui == NULL) 1532 return; 1533 1534 wpabuf_free(sm->radius_cui); 1535 sm->radius_cui = cui; 1536 } 1537 1538 1539 #ifdef CONFIG_HS20 1540 1541 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1542 { 1543 sta->remediation = 1; 1544 os_free(sta->remediation_url); 1545 if (len > 2) { 1546 sta->remediation_url = os_malloc(len); 1547 if (!sta->remediation_url) 1548 return; 1549 sta->remediation_method = pos[0]; 1550 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1551 sta->remediation_url[len - 1] = '\0'; 1552 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1553 "for " MACSTR " - server method %u URL %s", 1554 MAC2STR(sta->addr), sta->remediation_method, 1555 sta->remediation_url); 1556 } else { 1557 sta->remediation_url = NULL; 1558 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1559 "for " MACSTR, MAC2STR(sta->addr)); 1560 } 1561 /* TODO: assign the STA into remediation VLAN or add filtering */ 1562 } 1563 1564 1565 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1566 struct sta_info *sta, u8 *pos, 1567 size_t len) 1568 { 1569 if (len < 3) 1570 return; /* Malformed information */ 1571 sta->hs20_deauth_requested = 1; 1572 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1573 "Re-auth Delay %u", 1574 *pos, WPA_GET_LE16(pos + 1)); 1575 wpabuf_free(sta->hs20_deauth_req); 1576 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1577 if (sta->hs20_deauth_req) { 1578 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1579 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1580 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1581 } 1582 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1583 } 1584 1585 1586 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1587 struct sta_info *sta, u8 *pos, 1588 size_t len, int session_timeout) 1589 { 1590 unsigned int swt; 1591 int warning_time, beacon_int; 1592 1593 if (len < 1) 1594 return; /* Malformed information */ 1595 os_free(sta->hs20_session_info_url); 1596 sta->hs20_session_info_url = os_malloc(len); 1597 if (sta->hs20_session_info_url == NULL) 1598 return; 1599 swt = pos[0]; 1600 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1601 sta->hs20_session_info_url[len - 1] = '\0'; 1602 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1603 "(session_timeout=%d)", 1604 sta->hs20_session_info_url, swt, session_timeout); 1605 if (session_timeout < 0) { 1606 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1607 return; 1608 } 1609 if (swt == 255) 1610 swt = 1; /* Use one minute as the AP selected value */ 1611 1612 if ((unsigned int) session_timeout < swt * 60) 1613 warning_time = 0; 1614 else 1615 warning_time = session_timeout - swt * 60; 1616 1617 beacon_int = hapd->iconf->beacon_int; 1618 if (beacon_int < 1) 1619 beacon_int = 100; /* best guess */ 1620 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1621 if (sta->hs20_disassoc_timer > 65535) 1622 sta->hs20_disassoc_timer = 65535; 1623 1624 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1625 } 1626 1627 1628 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data *hapd, 1629 struct sta_info *sta, u8 *pos, 1630 size_t len) 1631 { 1632 if (len < 4) 1633 return; /* Malformed information */ 1634 wpa_printf(MSG_DEBUG, 1635 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x", 1636 pos[0], pos[1], pos[2], pos[3]); 1637 hs20_t_c_filtering(hapd, sta, pos[0] & BIT(0)); 1638 } 1639 1640 1641 static void ieee802_1x_hs20_t_c_url(struct hostapd_data *hapd, 1642 struct sta_info *sta, u8 *pos, size_t len) 1643 { 1644 os_free(sta->t_c_url); 1645 sta->t_c_url = os_malloc(len + 1); 1646 if (!sta->t_c_url) 1647 return; 1648 os_memcpy(sta->t_c_url, pos, len); 1649 sta->t_c_url[len] = '\0'; 1650 wpa_printf(MSG_DEBUG, 1651 "HS 2.0: Terms and Conditions URL %s", sta->t_c_url); 1652 } 1653 1654 #endif /* CONFIG_HS20 */ 1655 1656 1657 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1658 struct sta_info *sta, 1659 struct radius_msg *msg, 1660 int session_timeout) 1661 { 1662 #ifdef CONFIG_HS20 1663 u8 *buf, *pos, *end, type, sublen; 1664 size_t len; 1665 1666 buf = NULL; 1667 sta->remediation = 0; 1668 sta->hs20_deauth_requested = 0; 1669 1670 for (;;) { 1671 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1672 &buf, &len, buf) < 0) 1673 break; 1674 if (len < 6) 1675 continue; 1676 pos = buf; 1677 end = buf + len; 1678 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1679 continue; 1680 pos += 4; 1681 1682 type = *pos++; 1683 sublen = *pos++; 1684 if (sublen < 2) 1685 continue; /* invalid length */ 1686 sublen -= 2; /* skip header */ 1687 if (pos + sublen > end) 1688 continue; /* invalid WFA VSA */ 1689 1690 switch (type) { 1691 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1692 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1693 break; 1694 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1695 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1696 break; 1697 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1698 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1699 session_timeout); 1700 break; 1701 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING: 1702 ieee802_1x_hs20_t_c_filtering(hapd, sta, pos, sublen); 1703 break; 1704 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL: 1705 ieee802_1x_hs20_t_c_url(hapd, sta, pos, sublen); 1706 break; 1707 } 1708 } 1709 #endif /* CONFIG_HS20 */ 1710 } 1711 1712 1713 struct sta_id_search { 1714 u8 identifier; 1715 struct eapol_state_machine *sm; 1716 }; 1717 1718 1719 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1720 struct sta_info *sta, 1721 void *ctx) 1722 { 1723 struct sta_id_search *id_search = ctx; 1724 struct eapol_state_machine *sm = sta->eapol_sm; 1725 1726 if (sm && sm->radius_identifier >= 0 && 1727 sm->radius_identifier == id_search->identifier) { 1728 id_search->sm = sm; 1729 return 1; 1730 } 1731 return 0; 1732 } 1733 1734 1735 static struct eapol_state_machine * 1736 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1737 { 1738 struct sta_id_search id_search; 1739 id_search.identifier = identifier; 1740 id_search.sm = NULL; 1741 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1742 return id_search.sm; 1743 } 1744 1745 1746 #ifndef CONFIG_NO_VLAN 1747 static int ieee802_1x_update_vlan(struct radius_msg *msg, 1748 struct hostapd_data *hapd, 1749 struct sta_info *sta) 1750 { 1751 struct vlan_description vlan_desc; 1752 1753 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1754 vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged, 1755 MAX_NUM_TAGGED_VLAN, 1756 vlan_desc.tagged); 1757 1758 if (vlan_desc.notempty && 1759 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1760 sta->eapol_sm->authFail = TRUE; 1761 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1762 HOSTAPD_LEVEL_INFO, 1763 "Invalid VLAN %d%s received from RADIUS server", 1764 vlan_desc.untagged, 1765 vlan_desc.tagged[0] ? "+" : ""); 1766 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1767 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1768 return -1; 1769 } 1770 1771 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1772 !vlan_desc.notempty) { 1773 sta->eapol_sm->authFail = TRUE; 1774 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1775 HOSTAPD_LEVEL_INFO, 1776 "authentication server did not include required VLAN ID in Access-Accept"); 1777 return -1; 1778 } 1779 1780 return ap_sta_set_vlan(hapd, sta, &vlan_desc); 1781 } 1782 #endif /* CONFIG_NO_VLAN */ 1783 1784 1785 /** 1786 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1787 * @msg: RADIUS response message 1788 * @req: RADIUS request message 1789 * @shared_secret: RADIUS shared secret 1790 * @shared_secret_len: Length of shared_secret in octets 1791 * @data: Context data (struct hostapd_data *) 1792 * Returns: Processing status 1793 */ 1794 static RadiusRxResult 1795 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1796 const u8 *shared_secret, size_t shared_secret_len, 1797 void *data) 1798 { 1799 struct hostapd_data *hapd = data; 1800 struct sta_info *sta; 1801 u32 session_timeout = 0, termination_action, acct_interim_interval; 1802 int session_timeout_set; 1803 u32 reason_code; 1804 struct eapol_state_machine *sm; 1805 int override_eapReq = 0; 1806 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1807 1808 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1809 if (sm == NULL) { 1810 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1811 "station for this RADIUS message"); 1812 return RADIUS_RX_UNKNOWN; 1813 } 1814 sta = sm->sta; 1815 1816 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1817 * present when packet contains an EAP-Message attribute */ 1818 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1819 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1820 0) < 0 && 1821 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1822 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1823 "Message-Authenticator since it does not include " 1824 "EAP-Message"); 1825 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1826 req, 1)) { 1827 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1828 return RADIUS_RX_INVALID_AUTHENTICATOR; 1829 } 1830 1831 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1832 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1833 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1834 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1835 return RADIUS_RX_UNKNOWN; 1836 } 1837 1838 sm->radius_identifier = -1; 1839 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1840 MAC2STR(sta->addr)); 1841 1842 radius_msg_free(sm->last_recv_radius); 1843 sm->last_recv_radius = msg; 1844 1845 session_timeout_set = 1846 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1847 &session_timeout); 1848 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1849 &termination_action)) 1850 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1851 1852 if (hapd->conf->acct_interim_interval == 0 && 1853 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1854 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1855 &acct_interim_interval) == 0) { 1856 if (acct_interim_interval < 60) { 1857 hostapd_logger(hapd, sta->addr, 1858 HOSTAPD_MODULE_IEEE8021X, 1859 HOSTAPD_LEVEL_INFO, 1860 "ignored too small " 1861 "Acct-Interim-Interval %d", 1862 acct_interim_interval); 1863 } else 1864 sta->acct_interim_interval = acct_interim_interval; 1865 } 1866 1867 1868 switch (hdr->code) { 1869 case RADIUS_CODE_ACCESS_ACCEPT: 1870 #ifndef CONFIG_NO_VLAN 1871 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED && 1872 ieee802_1x_update_vlan(msg, hapd, sta) < 0) 1873 break; 1874 1875 if (sta->vlan_id > 0) { 1876 hostapd_logger(hapd, sta->addr, 1877 HOSTAPD_MODULE_RADIUS, 1878 HOSTAPD_LEVEL_INFO, 1879 "VLAN ID %d", sta->vlan_id); 1880 } 1881 1882 if ((sta->flags & WLAN_STA_ASSOC) && 1883 ap_sta_bind_vlan(hapd, sta) < 0) 1884 break; 1885 #endif /* CONFIG_NO_VLAN */ 1886 1887 sta->session_timeout_set = !!session_timeout_set; 1888 os_get_reltime(&sta->session_timeout); 1889 sta->session_timeout.sec += session_timeout; 1890 1891 /* RFC 3580, Ch. 3.17 */ 1892 if (session_timeout_set && termination_action == 1893 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) 1894 sm->reAuthPeriod = session_timeout; 1895 else if (session_timeout_set) 1896 ap_sta_session_timeout(hapd, sta, session_timeout); 1897 else 1898 ap_sta_no_session_timeout(hapd, sta); 1899 1900 sm->eap_if->aaaSuccess = TRUE; 1901 override_eapReq = 1; 1902 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1903 shared_secret_len); 1904 ieee802_1x_store_radius_class(hapd, sta, msg); 1905 ieee802_1x_update_sta_identity(hapd, sta, msg); 1906 ieee802_1x_update_sta_cui(hapd, sta, msg); 1907 ieee802_1x_check_hs20(hapd, sta, msg, 1908 session_timeout_set ? 1909 (int) session_timeout : -1); 1910 break; 1911 case RADIUS_CODE_ACCESS_REJECT: 1912 sm->eap_if->aaaFail = TRUE; 1913 override_eapReq = 1; 1914 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE, 1915 &reason_code) == 0) { 1916 wpa_printf(MSG_DEBUG, 1917 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for " 1918 MACSTR, reason_code, MAC2STR(sta->addr)); 1919 sta->disconnect_reason_code = reason_code; 1920 } 1921 break; 1922 case RADIUS_CODE_ACCESS_CHALLENGE: 1923 sm->eap_if->aaaEapReq = TRUE; 1924 if (session_timeout_set) { 1925 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1926 sm->eap_if->aaaMethodTimeout = session_timeout; 1927 hostapd_logger(hapd, sm->addr, 1928 HOSTAPD_MODULE_IEEE8021X, 1929 HOSTAPD_LEVEL_DEBUG, 1930 "using EAP timeout of %d seconds (from " 1931 "RADIUS)", 1932 sm->eap_if->aaaMethodTimeout); 1933 } else { 1934 /* 1935 * Use dynamic retransmission behavior per EAP 1936 * specification. 1937 */ 1938 sm->eap_if->aaaMethodTimeout = 0; 1939 } 1940 break; 1941 } 1942 1943 ieee802_1x_decapsulate_radius(hapd, sta); 1944 if (override_eapReq) 1945 sm->eap_if->aaaEapReq = FALSE; 1946 1947 #ifdef CONFIG_FILS 1948 #ifdef NEED_AP_MLME 1949 if (sta->flags & WLAN_STA_PENDING_FILS_ERP) { 1950 /* TODO: Add a PMKSA entry on success? */ 1951 ieee802_11_finish_fils_auth( 1952 hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT, 1953 sm->eap_if->aaaEapReqData, 1954 sm->eap_if->aaaEapKeyData, 1955 sm->eap_if->aaaEapKeyDataLen); 1956 } 1957 #endif /* NEED_AP_MLME */ 1958 #endif /* CONFIG_FILS */ 1959 1960 eapol_auth_step(sm); 1961 1962 return RADIUS_RX_QUEUED; 1963 } 1964 #endif /* CONFIG_NO_RADIUS */ 1965 1966 1967 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1968 { 1969 struct eapol_state_machine *sm = sta->eapol_sm; 1970 if (sm == NULL) 1971 return; 1972 1973 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1974 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1975 1976 #ifndef CONFIG_NO_RADIUS 1977 radius_msg_free(sm->last_recv_radius); 1978 sm->last_recv_radius = NULL; 1979 #endif /* CONFIG_NO_RADIUS */ 1980 1981 if (sm->eap_if->eapTimeout) { 1982 /* 1983 * Disconnect the STA since it did not reply to the last EAP 1984 * request and we cannot continue EAP processing (EAP-Failure 1985 * could only be sent if the EAP peer actually replied). 1986 */ 1987 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1988 MAC2STR(sta->addr)); 1989 1990 sm->eap_if->portEnabled = FALSE; 1991 ap_sta_disconnect(hapd, sta, sta->addr, 1992 WLAN_REASON_PREV_AUTH_NOT_VALID); 1993 } 1994 } 1995 1996 1997 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1998 { 1999 struct eapol_authenticator *eapol = hapd->eapol_auth; 2000 2001 if (hapd->conf->default_wep_key_len < 1) 2002 return 0; 2003 2004 os_free(eapol->default_wep_key); 2005 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 2006 if (eapol->default_wep_key == NULL || 2007 random_get_bytes(eapol->default_wep_key, 2008 hapd->conf->default_wep_key_len)) { 2009 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 2010 os_free(eapol->default_wep_key); 2011 eapol->default_wep_key = NULL; 2012 return -1; 2013 } 2014 2015 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 2016 eapol->default_wep_key, 2017 hapd->conf->default_wep_key_len); 2018 2019 return 0; 2020 } 2021 2022 2023 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 2024 struct sta_info *sta, void *ctx) 2025 { 2026 if (sta->eapol_sm) { 2027 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 2028 eapol_auth_step(sta->eapol_sm); 2029 } 2030 return 0; 2031 } 2032 2033 2034 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 2035 { 2036 struct hostapd_data *hapd = eloop_ctx; 2037 struct eapol_authenticator *eapol = hapd->eapol_auth; 2038 2039 if (eapol->default_wep_key_idx >= 3) 2040 eapol->default_wep_key_idx = 2041 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 2042 else 2043 eapol->default_wep_key_idx++; 2044 2045 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 2046 eapol->default_wep_key_idx); 2047 2048 if (ieee802_1x_rekey_broadcast(hapd)) { 2049 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2050 HOSTAPD_LEVEL_WARNING, "failed to generate a " 2051 "new broadcast key"); 2052 os_free(eapol->default_wep_key); 2053 eapol->default_wep_key = NULL; 2054 return; 2055 } 2056 2057 /* TODO: Could setup key for RX here, but change default TX keyid only 2058 * after new broadcast key has been sent to all stations. */ 2059 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 2060 broadcast_ether_addr, 2061 eapol->default_wep_key_idx, 1, NULL, 0, 2062 eapol->default_wep_key, 2063 hapd->conf->default_wep_key_len)) { 2064 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2065 HOSTAPD_LEVEL_WARNING, "failed to configure a " 2066 "new broadcast key"); 2067 os_free(eapol->default_wep_key); 2068 eapol->default_wep_key = NULL; 2069 return; 2070 } 2071 2072 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 2073 2074 if (hapd->conf->wep_rekeying_period > 0) { 2075 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 2076 ieee802_1x_rekey, hapd, NULL); 2077 } 2078 } 2079 2080 2081 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 2082 const u8 *data, size_t datalen) 2083 { 2084 #ifdef CONFIG_WPS 2085 struct sta_info *sta = sta_ctx; 2086 2087 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 2088 WLAN_STA_MAYBE_WPS) { 2089 const u8 *identity; 2090 size_t identity_len; 2091 struct eapol_state_machine *sm = sta->eapol_sm; 2092 2093 identity = eap_get_identity(sm->eap, &identity_len); 2094 if (identity && 2095 ((identity_len == WSC_ID_ENROLLEE_LEN && 2096 os_memcmp(identity, WSC_ID_ENROLLEE, 2097 WSC_ID_ENROLLEE_LEN) == 0) || 2098 (identity_len == WSC_ID_REGISTRAR_LEN && 2099 os_memcmp(identity, WSC_ID_REGISTRAR, 2100 WSC_ID_REGISTRAR_LEN) == 0))) { 2101 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 2102 "WLAN_STA_WPS"); 2103 sta->flags |= WLAN_STA_WPS; 2104 } 2105 } 2106 #endif /* CONFIG_WPS */ 2107 2108 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 2109 } 2110 2111 2112 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 2113 const u8 *data, size_t datalen) 2114 { 2115 #ifndef CONFIG_NO_RADIUS 2116 struct hostapd_data *hapd = ctx; 2117 struct sta_info *sta = sta_ctx; 2118 2119 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 2120 #endif /* CONFIG_NO_RADIUS */ 2121 } 2122 2123 2124 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2125 int preauth, int remediation) 2126 { 2127 struct hostapd_data *hapd = ctx; 2128 struct sta_info *sta = sta_ctx; 2129 if (preauth) 2130 rsn_preauth_finished(hapd, sta, success); 2131 else 2132 ieee802_1x_finished(hapd, sta, success, remediation); 2133 } 2134 2135 2136 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2137 size_t identity_len, int phase2, 2138 struct eap_user *user) 2139 { 2140 struct hostapd_data *hapd = ctx; 2141 const struct hostapd_eap_user *eap_user; 2142 int i; 2143 int rv = -1; 2144 2145 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2146 if (eap_user == NULL) 2147 goto out; 2148 2149 os_memset(user, 0, sizeof(*user)); 2150 user->phase2 = phase2; 2151 for (i = 0; i < EAP_MAX_METHODS; i++) { 2152 user->methods[i].vendor = eap_user->methods[i].vendor; 2153 user->methods[i].method = eap_user->methods[i].method; 2154 } 2155 2156 if (eap_user->password) { 2157 user->password = os_memdup(eap_user->password, 2158 eap_user->password_len); 2159 if (user->password == NULL) 2160 goto out; 2161 user->password_len = eap_user->password_len; 2162 user->password_hash = eap_user->password_hash; 2163 if (eap_user->salt && eap_user->salt_len) { 2164 user->salt = os_memdup(eap_user->salt, 2165 eap_user->salt_len); 2166 if (!user->salt) 2167 goto out; 2168 user->salt_len = eap_user->salt_len; 2169 } 2170 } 2171 user->force_version = eap_user->force_version; 2172 user->macacl = eap_user->macacl; 2173 user->ttls_auth = eap_user->ttls_auth; 2174 user->remediation = eap_user->remediation; 2175 rv = 0; 2176 2177 out: 2178 if (rv) 2179 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2180 2181 return rv; 2182 } 2183 2184 2185 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2186 { 2187 struct hostapd_data *hapd = ctx; 2188 struct sta_info *sta; 2189 sta = ap_get_sta(hapd, addr); 2190 if (sta == NULL || sta->eapol_sm == NULL) 2191 return 0; 2192 return 1; 2193 } 2194 2195 2196 static void ieee802_1x_logger(void *ctx, const u8 *addr, 2197 eapol_logger_level level, const char *txt) 2198 { 2199 #ifndef CONFIG_NO_HOSTAPD_LOGGER 2200 struct hostapd_data *hapd = ctx; 2201 int hlevel; 2202 2203 switch (level) { 2204 case EAPOL_LOGGER_WARNING: 2205 hlevel = HOSTAPD_LEVEL_WARNING; 2206 break; 2207 case EAPOL_LOGGER_INFO: 2208 hlevel = HOSTAPD_LEVEL_INFO; 2209 break; 2210 case EAPOL_LOGGER_DEBUG: 2211 default: 2212 hlevel = HOSTAPD_LEVEL_DEBUG; 2213 break; 2214 } 2215 2216 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2217 txt); 2218 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2219 } 2220 2221 2222 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2223 int authorized) 2224 { 2225 struct hostapd_data *hapd = ctx; 2226 struct sta_info *sta = sta_ctx; 2227 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2228 } 2229 2230 2231 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2232 { 2233 struct hostapd_data *hapd = ctx; 2234 struct sta_info *sta = sta_ctx; 2235 ieee802_1x_abort_auth(hapd, sta); 2236 } 2237 2238 2239 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2240 { 2241 #ifndef CONFIG_FIPS 2242 #ifndef CONFIG_NO_RC4 2243 struct hostapd_data *hapd = ctx; 2244 struct sta_info *sta = sta_ctx; 2245 ieee802_1x_tx_key(hapd, sta); 2246 #endif /* CONFIG_NO_RC4 */ 2247 #endif /* CONFIG_FIPS */ 2248 } 2249 2250 2251 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2252 enum eapol_event type) 2253 { 2254 /* struct hostapd_data *hapd = ctx; */ 2255 struct sta_info *sta = sta_ctx; 2256 switch (type) { 2257 case EAPOL_AUTH_SM_CHANGE: 2258 wpa_auth_sm_notify(sta->wpa_sm); 2259 break; 2260 case EAPOL_AUTH_REAUTHENTICATE: 2261 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2262 break; 2263 } 2264 } 2265 2266 2267 #ifdef CONFIG_ERP 2268 2269 static struct eap_server_erp_key * 2270 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2271 { 2272 struct hostapd_data *hapd = ctx; 2273 struct eap_server_erp_key *erp; 2274 2275 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2276 list) { 2277 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2278 return erp; 2279 } 2280 2281 return NULL; 2282 } 2283 2284 2285 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2286 { 2287 struct hostapd_data *hapd = ctx; 2288 2289 dl_list_add(&hapd->erp_keys, &erp->list); 2290 return 0; 2291 } 2292 2293 #endif /* CONFIG_ERP */ 2294 2295 2296 int ieee802_1x_init(struct hostapd_data *hapd) 2297 { 2298 int i; 2299 struct eapol_auth_config conf; 2300 struct eapol_auth_cb cb; 2301 2302 dl_list_init(&hapd->erp_keys); 2303 2304 os_memset(&conf, 0, sizeof(conf)); 2305 conf.ctx = hapd; 2306 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2307 conf.wpa = hapd->conf->wpa; 2308 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2309 conf.eap_server = hapd->conf->eap_server; 2310 conf.ssl_ctx = hapd->ssl_ctx; 2311 conf.msg_ctx = hapd->msg_ctx; 2312 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2313 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2314 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2315 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2316 conf.erp_domain = hapd->conf->erp_domain; 2317 conf.erp = hapd->conf->eap_server_erp; 2318 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2319 conf.tls_flags = hapd->conf->tls_flags; 2320 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2321 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2322 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2323 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2324 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2325 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2326 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2327 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2328 conf.tnc = hapd->conf->tnc; 2329 conf.wps = hapd->wps; 2330 conf.fragment_size = hapd->conf->fragment_size; 2331 conf.pwd_group = hapd->conf->pwd_group; 2332 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2333 if (hapd->conf->server_id) { 2334 conf.server_id = (const u8 *) hapd->conf->server_id; 2335 conf.server_id_len = os_strlen(hapd->conf->server_id); 2336 } else { 2337 conf.server_id = (const u8 *) "hostapd"; 2338 conf.server_id_len = 7; 2339 } 2340 2341 os_memset(&cb, 0, sizeof(cb)); 2342 cb.eapol_send = ieee802_1x_eapol_send; 2343 cb.aaa_send = ieee802_1x_aaa_send; 2344 cb.finished = _ieee802_1x_finished; 2345 cb.get_eap_user = ieee802_1x_get_eap_user; 2346 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2347 cb.logger = ieee802_1x_logger; 2348 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2349 cb.abort_auth = _ieee802_1x_abort_auth; 2350 cb.tx_key = _ieee802_1x_tx_key; 2351 cb.eapol_event = ieee802_1x_eapol_event; 2352 #ifdef CONFIG_ERP 2353 cb.erp_get_key = ieee802_1x_erp_get_key; 2354 cb.erp_add_key = ieee802_1x_erp_add_key; 2355 #endif /* CONFIG_ERP */ 2356 2357 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2358 if (hapd->eapol_auth == NULL) 2359 return -1; 2360 2361 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2362 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2363 return -1; 2364 2365 #ifndef CONFIG_NO_RADIUS 2366 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2367 ieee802_1x_receive_auth, hapd)) 2368 return -1; 2369 #endif /* CONFIG_NO_RADIUS */ 2370 2371 if (hapd->conf->default_wep_key_len) { 2372 for (i = 0; i < 4; i++) 2373 hostapd_drv_set_key(hapd->conf->iface, hapd, 2374 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2375 NULL, 0); 2376 2377 ieee802_1x_rekey(hapd, NULL); 2378 2379 if (hapd->eapol_auth->default_wep_key == NULL) 2380 return -1; 2381 } 2382 2383 return 0; 2384 } 2385 2386 2387 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2388 { 2389 struct eap_server_erp_key *erp; 2390 2391 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2392 list)) != NULL) { 2393 dl_list_del(&erp->list); 2394 bin_clear_free(erp, sizeof(*erp)); 2395 } 2396 } 2397 2398 2399 void ieee802_1x_deinit(struct hostapd_data *hapd) 2400 { 2401 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2402 2403 if (hapd->driver && hapd->drv_priv && 2404 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2405 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2406 2407 eapol_auth_deinit(hapd->eapol_auth); 2408 hapd->eapol_auth = NULL; 2409 2410 ieee802_1x_erp_flush(hapd); 2411 } 2412 2413 2414 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2415 const u8 *buf, size_t len, int ack) 2416 { 2417 struct ieee80211_hdr *hdr; 2418 u8 *pos; 2419 const unsigned char rfc1042_hdr[ETH_ALEN] = 2420 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2421 2422 if (sta == NULL) 2423 return -1; 2424 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2425 return 0; 2426 2427 hdr = (struct ieee80211_hdr *) buf; 2428 pos = (u8 *) (hdr + 1); 2429 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2430 return 0; 2431 pos += sizeof(rfc1042_hdr); 2432 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2433 return 0; 2434 pos += 2; 2435 2436 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2437 ack); 2438 } 2439 2440 2441 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2442 const u8 *buf, int len, int ack) 2443 { 2444 const struct ieee802_1x_hdr *xhdr = 2445 (const struct ieee802_1x_hdr *) buf; 2446 const u8 *pos = buf + sizeof(*xhdr); 2447 struct ieee802_1x_eapol_key *key; 2448 2449 if (len < (int) sizeof(*xhdr)) 2450 return 0; 2451 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2452 "type=%d length=%d - ack=%d", 2453 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2454 be_to_host16(xhdr->length), ack); 2455 2456 #ifdef CONFIG_WPS 2457 if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack && 2458 (sta->flags & WLAN_STA_WPS) && 2459 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) { 2460 wpa_printf(MSG_DEBUG, 2461 "WPS: Indicate EAP completion on ACK for EAP-Failure"); 2462 hostapd_wps_eap_completed(hapd); 2463 } 2464 #endif /* CONFIG_WPS */ 2465 2466 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2467 return 0; 2468 2469 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2470 const struct wpa_eapol_key *wpa; 2471 wpa = (const struct wpa_eapol_key *) pos; 2472 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2473 wpa->type == EAPOL_KEY_TYPE_WPA) 2474 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2475 sta->wpa_sm, ack); 2476 } 2477 2478 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2479 * or Authenticator state machines, but EAPOL-Key packets are not 2480 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2481 * packets couple of times because otherwise STA keys become 2482 * unsynchronized with AP. */ 2483 if (!ack && pos + sizeof(*key) <= buf + len) { 2484 key = (struct ieee802_1x_eapol_key *) pos; 2485 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2486 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2487 "frame (%scast index=%d)", 2488 key->key_index & BIT(7) ? "uni" : "broad", 2489 key->key_index & ~BIT(7)); 2490 /* TODO: re-send EAPOL-Key couple of times (with short delay 2491 * between them?). If all attempt fail, report error and 2492 * deauthenticate STA so that it will get new keys when 2493 * authenticating again (e.g., after returning in range). 2494 * Separate limit/transmit state needed both for unicast and 2495 * broadcast keys(?) */ 2496 } 2497 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2498 * to here and change the key only if the EAPOL-Key packet was Acked. 2499 */ 2500 2501 return 1; 2502 } 2503 2504 2505 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2506 { 2507 if (sm == NULL || sm->identity == NULL) 2508 return NULL; 2509 2510 *len = sm->identity_len; 2511 return sm->identity; 2512 } 2513 2514 2515 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2516 int idx) 2517 { 2518 if (sm == NULL || sm->radius_class.attr == NULL || 2519 idx >= (int) sm->radius_class.count) 2520 return NULL; 2521 2522 *len = sm->radius_class.attr[idx].len; 2523 return sm->radius_class.attr[idx].data; 2524 } 2525 2526 2527 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2528 { 2529 if (sm == NULL) 2530 return NULL; 2531 return sm->radius_cui; 2532 } 2533 2534 2535 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2536 { 2537 *len = 0; 2538 if (sm == NULL) 2539 return NULL; 2540 2541 *len = sm->eap_if->eapKeyDataLen; 2542 return sm->eap_if->eapKeyData; 2543 } 2544 2545 2546 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2547 int enabled) 2548 { 2549 if (sm == NULL) 2550 return; 2551 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2552 eapol_auth_step(sm); 2553 } 2554 2555 2556 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2557 int valid) 2558 { 2559 if (sm == NULL) 2560 return; 2561 sm->portValid = valid ? TRUE : FALSE; 2562 eapol_auth_step(sm); 2563 } 2564 2565 2566 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2567 { 2568 if (sm == NULL) 2569 return; 2570 if (pre_auth) 2571 sm->flags |= EAPOL_SM_PREAUTH; 2572 else 2573 sm->flags &= ~EAPOL_SM_PREAUTH; 2574 } 2575 2576 2577 static const char * bool_txt(Boolean val) 2578 { 2579 return val ? "TRUE" : "FALSE"; 2580 } 2581 2582 2583 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2584 { 2585 /* TODO */ 2586 return 0; 2587 } 2588 2589 2590 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2591 char *buf, size_t buflen) 2592 { 2593 int len = 0, ret; 2594 struct eapol_state_machine *sm = sta->eapol_sm; 2595 struct os_reltime diff; 2596 const char *name1; 2597 const char *name2; 2598 char *identity_buf = NULL; 2599 2600 if (sm == NULL) 2601 return 0; 2602 2603 ret = os_snprintf(buf + len, buflen - len, 2604 "dot1xPaePortNumber=%d\n" 2605 "dot1xPaePortProtocolVersion=%d\n" 2606 "dot1xPaePortCapabilities=1\n" 2607 "dot1xPaePortInitialize=%d\n" 2608 "dot1xPaePortReauthenticate=FALSE\n", 2609 sta->aid, 2610 EAPOL_VERSION, 2611 sm->initialize); 2612 if (os_snprintf_error(buflen - len, ret)) 2613 return len; 2614 len += ret; 2615 2616 /* dot1xAuthConfigTable */ 2617 ret = os_snprintf(buf + len, buflen - len, 2618 "dot1xAuthPaeState=%d\n" 2619 "dot1xAuthBackendAuthState=%d\n" 2620 "dot1xAuthAdminControlledDirections=%d\n" 2621 "dot1xAuthOperControlledDirections=%d\n" 2622 "dot1xAuthAuthControlledPortStatus=%d\n" 2623 "dot1xAuthAuthControlledPortControl=%d\n" 2624 "dot1xAuthQuietPeriod=%u\n" 2625 "dot1xAuthServerTimeout=%u\n" 2626 "dot1xAuthReAuthPeriod=%u\n" 2627 "dot1xAuthReAuthEnabled=%s\n" 2628 "dot1xAuthKeyTxEnabled=%s\n", 2629 sm->auth_pae_state + 1, 2630 sm->be_auth_state + 1, 2631 sm->adminControlledDirections, 2632 sm->operControlledDirections, 2633 sm->authPortStatus, 2634 sm->portControl, 2635 sm->quietPeriod, 2636 sm->serverTimeout, 2637 sm->reAuthPeriod, 2638 bool_txt(sm->reAuthEnabled), 2639 bool_txt(sm->keyTxEnabled)); 2640 if (os_snprintf_error(buflen - len, ret)) 2641 return len; 2642 len += ret; 2643 2644 /* dot1xAuthStatsTable */ 2645 ret = os_snprintf(buf + len, buflen - len, 2646 "dot1xAuthEapolFramesRx=%u\n" 2647 "dot1xAuthEapolFramesTx=%u\n" 2648 "dot1xAuthEapolStartFramesRx=%u\n" 2649 "dot1xAuthEapolLogoffFramesRx=%u\n" 2650 "dot1xAuthEapolRespIdFramesRx=%u\n" 2651 "dot1xAuthEapolRespFramesRx=%u\n" 2652 "dot1xAuthEapolReqIdFramesTx=%u\n" 2653 "dot1xAuthEapolReqFramesTx=%u\n" 2654 "dot1xAuthInvalidEapolFramesRx=%u\n" 2655 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2656 "dot1xAuthLastEapolFrameVersion=%u\n" 2657 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2658 sm->dot1xAuthEapolFramesRx, 2659 sm->dot1xAuthEapolFramesTx, 2660 sm->dot1xAuthEapolStartFramesRx, 2661 sm->dot1xAuthEapolLogoffFramesRx, 2662 sm->dot1xAuthEapolRespIdFramesRx, 2663 sm->dot1xAuthEapolRespFramesRx, 2664 sm->dot1xAuthEapolReqIdFramesTx, 2665 sm->dot1xAuthEapolReqFramesTx, 2666 sm->dot1xAuthInvalidEapolFramesRx, 2667 sm->dot1xAuthEapLengthErrorFramesRx, 2668 sm->dot1xAuthLastEapolFrameVersion, 2669 MAC2STR(sm->addr)); 2670 if (os_snprintf_error(buflen - len, ret)) 2671 return len; 2672 len += ret; 2673 2674 /* dot1xAuthDiagTable */ 2675 ret = os_snprintf(buf + len, buflen - len, 2676 "dot1xAuthEntersConnecting=%u\n" 2677 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2678 "dot1xAuthEntersAuthenticating=%u\n" 2679 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2680 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2681 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2682 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2683 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2684 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2685 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2686 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2687 "dot1xAuthBackendResponses=%u\n" 2688 "dot1xAuthBackendAccessChallenges=%u\n" 2689 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2690 "dot1xAuthBackendAuthSuccesses=%u\n" 2691 "dot1xAuthBackendAuthFails=%u\n", 2692 sm->authEntersConnecting, 2693 sm->authEapLogoffsWhileConnecting, 2694 sm->authEntersAuthenticating, 2695 sm->authAuthSuccessesWhileAuthenticating, 2696 sm->authAuthTimeoutsWhileAuthenticating, 2697 sm->authAuthFailWhileAuthenticating, 2698 sm->authAuthEapStartsWhileAuthenticating, 2699 sm->authAuthEapLogoffWhileAuthenticating, 2700 sm->authAuthReauthsWhileAuthenticated, 2701 sm->authAuthEapStartsWhileAuthenticated, 2702 sm->authAuthEapLogoffWhileAuthenticated, 2703 sm->backendResponses, 2704 sm->backendAccessChallenges, 2705 sm->backendOtherRequestsToSupplicant, 2706 sm->backendAuthSuccesses, 2707 sm->backendAuthFails); 2708 if (os_snprintf_error(buflen - len, ret)) 2709 return len; 2710 len += ret; 2711 2712 /* dot1xAuthSessionStatsTable */ 2713 os_reltime_age(&sta->acct_session_start, &diff); 2714 if (sm->eap && !sm->identity) { 2715 const u8 *id; 2716 size_t id_len; 2717 2718 id = eap_get_identity(sm->eap, &id_len); 2719 if (id) 2720 identity_buf = dup_binstr(id, id_len); 2721 } 2722 ret = os_snprintf(buf + len, buflen - len, 2723 /* TODO: dot1xAuthSessionOctetsRx */ 2724 /* TODO: dot1xAuthSessionOctetsTx */ 2725 /* TODO: dot1xAuthSessionFramesRx */ 2726 /* TODO: dot1xAuthSessionFramesTx */ 2727 "dot1xAuthSessionId=%016llX\n" 2728 "dot1xAuthSessionAuthenticMethod=%d\n" 2729 "dot1xAuthSessionTime=%u\n" 2730 "dot1xAuthSessionTerminateCause=999\n" 2731 "dot1xAuthSessionUserName=%s\n", 2732 (unsigned long long) sta->acct_session_id, 2733 (wpa_key_mgmt_wpa_ieee8021x( 2734 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2735 1 : 2, 2736 (unsigned int) diff.sec, 2737 sm->identity ? (char *) sm->identity : 2738 (identity_buf ? identity_buf : "N/A")); 2739 os_free(identity_buf); 2740 if (os_snprintf_error(buflen - len, ret)) 2741 return len; 2742 len += ret; 2743 2744 if (sm->acct_multi_session_id) { 2745 ret = os_snprintf(buf + len, buflen - len, 2746 "authMultiSessionId=%016llX\n", 2747 (unsigned long long) 2748 sm->acct_multi_session_id); 2749 if (os_snprintf_error(buflen - len, ret)) 2750 return len; 2751 len += ret; 2752 } 2753 2754 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2755 name2 = eap_server_get_name(0, sm->eap_type_supp); 2756 ret = os_snprintf(buf + len, buflen - len, 2757 "last_eap_type_as=%d (%s)\n" 2758 "last_eap_type_sta=%d (%s)\n", 2759 sm->eap_type_authsrv, name1, 2760 sm->eap_type_supp, name2); 2761 if (os_snprintf_error(buflen - len, ret)) 2762 return len; 2763 len += ret; 2764 2765 return len; 2766 } 2767 2768 2769 #ifdef CONFIG_HS20 2770 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2771 { 2772 struct hostapd_data *hapd = eloop_ctx; 2773 struct sta_info *sta = timeout_ctx; 2774 2775 if (sta->remediation) { 2776 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2777 MACSTR " to indicate Subscription Remediation", 2778 MAC2STR(sta->addr)); 2779 hs20_send_wnm_notification(hapd, sta->addr, 2780 sta->remediation_method, 2781 sta->remediation_url); 2782 os_free(sta->remediation_url); 2783 sta->remediation_url = NULL; 2784 } 2785 2786 if (sta->hs20_deauth_req) { 2787 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2788 MACSTR " to indicate imminent deauthentication", 2789 MAC2STR(sta->addr)); 2790 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2791 sta->hs20_deauth_req); 2792 } 2793 2794 if (sta->hs20_t_c_filtering) { 2795 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2796 MACSTR " to indicate Terms and Conditions filtering", 2797 MAC2STR(sta->addr)); 2798 hs20_send_wnm_notification_t_c(hapd, sta->addr, sta->t_c_url); 2799 os_free(sta->t_c_url); 2800 sta->t_c_url = NULL; 2801 } 2802 } 2803 #endif /* CONFIG_HS20 */ 2804 2805 2806 static void ieee802_1x_finished(struct hostapd_data *hapd, 2807 struct sta_info *sta, int success, 2808 int remediation) 2809 { 2810 const u8 *key; 2811 size_t len; 2812 /* TODO: get PMKLifetime from WPA parameters */ 2813 static const int dot11RSNAConfigPMKLifetime = 43200; 2814 unsigned int session_timeout; 2815 struct os_reltime now, remaining; 2816 2817 #ifdef CONFIG_HS20 2818 if (remediation && !sta->remediation) { 2819 sta->remediation = 1; 2820 os_free(sta->remediation_url); 2821 sta->remediation_url = 2822 os_strdup(hapd->conf->subscr_remediation_url); 2823 sta->remediation_method = 1; /* SOAP-XML SPP */ 2824 } 2825 2826 if (success && (sta->remediation || sta->hs20_deauth_req || 2827 sta->hs20_t_c_filtering)) { 2828 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2829 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2830 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2831 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2832 hapd, sta); 2833 } 2834 #endif /* CONFIG_HS20 */ 2835 2836 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2837 if (sta->session_timeout_set) { 2838 os_get_reltime(&now); 2839 os_reltime_sub(&sta->session_timeout, &now, &remaining); 2840 session_timeout = (remaining.sec > 0) ? remaining.sec : 1; 2841 } else { 2842 session_timeout = dot11RSNAConfigPMKLifetime; 2843 } 2844 if (success && key && len >= PMK_LEN && !sta->remediation && 2845 !sta->hs20_deauth_requested && 2846 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2847 sta->eapol_sm) == 0) { 2848 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2849 HOSTAPD_LEVEL_DEBUG, 2850 "Added PMKSA cache entry (IEEE 802.1X)"); 2851 } 2852 2853 if (!success) { 2854 /* 2855 * Many devices require deauthentication after WPS provisioning 2856 * and some may not be be able to do that themselves, so 2857 * disconnect the client here. In addition, this may also 2858 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2859 * the EAPOL PAE state machine would remain in HELD state for 2860 * considerable amount of time and some EAP methods, like 2861 * EAP-FAST with anonymous provisioning, may require another 2862 * EAPOL authentication to be started to complete connection. 2863 */ 2864 ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta); 2865 } 2866 } 2867