1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 #ifdef CONFIG_SQLITE 11 #include <sqlite3.h> 12 #endif /* CONFIG_SQLITE */ 13 14 #include "utils/common.h" 15 #include "utils/eloop.h" 16 #include "crypto/md5.h" 17 #include "crypto/crypto.h" 18 #include "crypto/random.h" 19 #include "common/ieee802_11_defs.h" 20 #include "radius/radius.h" 21 #include "radius/radius_client.h" 22 #include "eap_server/eap.h" 23 #include "eap_common/eap_wsc_common.h" 24 #include "eapol_auth/eapol_auth_sm.h" 25 #include "eapol_auth/eapol_auth_sm_i.h" 26 #include "p2p/p2p.h" 27 #include "hostapd.h" 28 #include "accounting.h" 29 #include "sta_info.h" 30 #include "wpa_auth.h" 31 #include "preauth_auth.h" 32 #include "pmksa_cache_auth.h" 33 #include "ap_config.h" 34 #include "ap_drv_ops.h" 35 #include "wps_hostapd.h" 36 #include "hs20.h" 37 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */ 38 #include "ieee802_11.h" 39 #include "ieee802_1x.h" 40 #include "wpa_auth_kay.h" 41 42 43 #ifdef CONFIG_HS20 44 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 45 #endif /* CONFIG_HS20 */ 46 static void ieee802_1x_finished(struct hostapd_data *hapd, 47 struct sta_info *sta, int success, 48 int remediation); 49 50 51 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 52 u8 type, const u8 *data, size_t datalen) 53 { 54 u8 *buf; 55 struct ieee802_1x_hdr *xhdr; 56 size_t len; 57 int encrypt = 0; 58 59 len = sizeof(*xhdr) + datalen; 60 buf = os_zalloc(len); 61 if (!buf) { 62 wpa_printf(MSG_ERROR, "malloc() failed for %s(len=%lu)", 63 __func__, (unsigned long) len); 64 return; 65 } 66 67 xhdr = (struct ieee802_1x_hdr *) buf; 68 xhdr->version = hapd->conf->eapol_version; 69 #ifdef CONFIG_MACSEC 70 if (xhdr->version > 2 && hapd->conf->macsec_policy == 0) 71 xhdr->version = 2; 72 #endif /* CONFIG_MACSEC */ 73 xhdr->type = type; 74 xhdr->length = host_to_be16(datalen); 75 76 if (datalen > 0 && data != NULL) 77 os_memcpy(xhdr + 1, data, datalen); 78 79 if (wpa_auth_pairwise_set(sta->wpa_sm)) 80 encrypt = 1; 81 #ifdef CONFIG_TESTING_OPTIONS 82 if (hapd->ext_eapol_frame_io) { 83 size_t hex_len = 2 * len + 1; 84 char *hex = os_malloc(hex_len); 85 86 if (hex) { 87 wpa_snprintf_hex(hex, hex_len, buf, len); 88 wpa_msg(hapd->msg_ctx, MSG_INFO, 89 "EAPOL-TX " MACSTR " %s", 90 MAC2STR(sta->addr), hex); 91 os_free(hex); 92 } 93 } else 94 #endif /* CONFIG_TESTING_OPTIONS */ 95 if (sta->flags & WLAN_STA_PREAUTH) { 96 rsn_preauth_send(hapd, sta, buf, len); 97 } else { 98 hostapd_drv_hapd_send_eapol( 99 hapd, sta->addr, buf, len, 100 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 101 } 102 103 os_free(buf); 104 } 105 106 107 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 108 struct sta_info *sta, int authorized) 109 { 110 int res; 111 112 if (sta->flags & WLAN_STA_PREAUTH) 113 return; 114 115 if (authorized) { 116 ap_sta_set_authorized(hapd, sta, 1); 117 res = hostapd_set_authorized(hapd, sta, 1); 118 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 119 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 120 } else { 121 ap_sta_set_authorized(hapd, sta, 0); 122 res = hostapd_set_authorized(hapd, sta, 0); 123 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 124 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 125 } 126 127 if (res && errno != ENOENT) { 128 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 129 " flags for kernel driver (errno=%d).", 130 MAC2STR(sta->addr), errno); 131 } 132 133 if (authorized) { 134 os_get_reltime(&sta->connected_time); 135 accounting_sta_start(hapd, sta); 136 } 137 } 138 139 140 #ifdef CONFIG_WEP 141 #ifndef CONFIG_FIPS 142 #ifndef CONFIG_NO_RC4 143 144 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 145 struct sta_info *sta, 146 int idx, int broadcast, 147 u8 *key_data, size_t key_len) 148 { 149 u8 *buf, *ekey; 150 struct ieee802_1x_hdr *hdr; 151 struct ieee802_1x_eapol_key *key; 152 size_t len, ekey_len; 153 struct eapol_state_machine *sm = sta->eapol_sm; 154 155 if (!sm) 156 return; 157 158 len = sizeof(*key) + key_len; 159 buf = os_zalloc(sizeof(*hdr) + len); 160 if (!buf) 161 return; 162 163 hdr = (struct ieee802_1x_hdr *) buf; 164 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 165 key->type = EAPOL_KEY_TYPE_RC4; 166 WPA_PUT_BE16(key->key_length, key_len); 167 wpa_get_ntp_timestamp(key->replay_counter); 168 if (os_memcmp(key->replay_counter, 169 hapd->last_1x_eapol_key_replay_counter, 170 IEEE8021X_REPLAY_COUNTER_LEN) <= 0) { 171 /* NTP timestamp did not increment from last EAPOL-Key frame; 172 * use previously used value + 1 instead. */ 173 inc_byte_array(hapd->last_1x_eapol_key_replay_counter, 174 IEEE8021X_REPLAY_COUNTER_LEN); 175 os_memcpy(key->replay_counter, 176 hapd->last_1x_eapol_key_replay_counter, 177 IEEE8021X_REPLAY_COUNTER_LEN); 178 } else { 179 os_memcpy(hapd->last_1x_eapol_key_replay_counter, 180 key->replay_counter, 181 IEEE8021X_REPLAY_COUNTER_LEN); 182 } 183 184 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 185 wpa_printf(MSG_ERROR, "Could not get random numbers"); 186 os_free(buf); 187 return; 188 } 189 190 key->key_index = idx | (broadcast ? 0 : BIT(7)); 191 if (hapd->conf->eapol_key_index_workaround) { 192 /* According to some information, WinXP Supplicant seems to 193 * interpret bit7 as an indication whether the key is to be 194 * activated, so make it possible to enable workaround that 195 * sets this bit for all keys. */ 196 key->key_index |= BIT(7); 197 } 198 199 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 200 * MSK[32..63] is used to sign the message. */ 201 if (!sm->eap_if->eapKeyData || sm->eap_if->eapKeyDataLen < 64) { 202 wpa_printf(MSG_ERROR, 203 "No eapKeyData available for encrypting and signing EAPOL-Key"); 204 os_free(buf); 205 return; 206 } 207 os_memcpy((u8 *) (key + 1), key_data, key_len); 208 ekey_len = sizeof(key->key_iv) + 32; 209 ekey = os_malloc(ekey_len); 210 if (!ekey) { 211 wpa_printf(MSG_ERROR, "Could not encrypt key"); 212 os_free(buf); 213 return; 214 } 215 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 216 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 217 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 218 os_free(ekey); 219 220 /* This header is needed here for HMAC-MD5, but it will be regenerated 221 * in ieee802_1x_send() */ 222 hdr->version = hapd->conf->eapol_version; 223 #ifdef CONFIG_MACSEC 224 if (hdr->version > 2) 225 hdr->version = 2; 226 #endif /* CONFIG_MACSEC */ 227 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 228 hdr->length = host_to_be16(len); 229 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 230 key->key_signature); 231 232 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 233 " (%s index=%d)", MAC2STR(sm->addr), 234 broadcast ? "broadcast" : "unicast", idx); 235 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 236 if (sta->eapol_sm) 237 sta->eapol_sm->dot1xAuthEapolFramesTx++; 238 os_free(buf); 239 } 240 241 242 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 243 { 244 struct eapol_authenticator *eapol = hapd->eapol_auth; 245 struct eapol_state_machine *sm = sta->eapol_sm; 246 247 if (!sm || !sm->eap_if->eapKeyData) 248 return; 249 250 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 251 MAC2STR(sta->addr)); 252 253 #ifndef CONFIG_NO_VLAN 254 if (sta->vlan_id > 0) { 255 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 256 return; 257 } 258 #endif /* CONFIG_NO_VLAN */ 259 260 if (eapol->default_wep_key) { 261 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 262 eapol->default_wep_key, 263 hapd->conf->default_wep_key_len); 264 } 265 266 if (hapd->conf->individual_wep_key_len > 0) { 267 u8 *ikey; 268 269 ikey = os_malloc(hapd->conf->individual_wep_key_len); 270 if (!ikey || 271 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 272 { 273 wpa_printf(MSG_ERROR, 274 "Could not generate random individual WEP key"); 275 os_free(ikey); 276 return; 277 } 278 279 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 280 ikey, hapd->conf->individual_wep_key_len); 281 282 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 283 hapd->conf->individual_wep_key_len); 284 285 /* TODO: set encryption in TX callback, i.e., only after STA 286 * has ACKed EAPOL-Key frame */ 287 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 288 sta->addr, 0, 0, 1, NULL, 0, ikey, 289 hapd->conf->individual_wep_key_len, 290 KEY_FLAG_PAIRWISE_RX_TX)) { 291 wpa_printf(MSG_ERROR, 292 "Could not set individual WEP encryption"); 293 } 294 295 os_free(ikey); 296 } 297 } 298 299 #endif /* CONFIG_NO_RC4 */ 300 #endif /* CONFIG_FIPS */ 301 #endif /* CONFIG_WEP */ 302 303 304 const char *radius_mode_txt(struct hostapd_data *hapd) 305 { 306 switch (hapd->iface->conf->hw_mode) { 307 case HOSTAPD_MODE_IEEE80211AD: 308 return "802.11ad"; 309 case HOSTAPD_MODE_IEEE80211A: 310 return "802.11a"; 311 case HOSTAPD_MODE_IEEE80211G: 312 return "802.11g"; 313 case HOSTAPD_MODE_IEEE80211B: 314 default: 315 return "802.11b"; 316 } 317 } 318 319 320 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 321 { 322 int i; 323 u8 rate = 0; 324 325 for (i = 0; i < sta->supported_rates_len; i++) 326 if ((sta->supported_rates[i] & 0x7f) > rate) 327 rate = sta->supported_rates[i] & 0x7f; 328 329 return rate; 330 } 331 332 333 #ifndef CONFIG_NO_RADIUS 334 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 335 struct eapol_state_machine *sm, 336 const u8 *eap, size_t len) 337 { 338 const u8 *identity; 339 size_t identity_len; 340 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 341 342 if (len <= sizeof(struct eap_hdr) || 343 (hdr->code == EAP_CODE_RESPONSE && 344 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 345 (hdr->code == EAP_CODE_INITIATE && 346 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 347 (hdr->code != EAP_CODE_RESPONSE && 348 hdr->code != EAP_CODE_INITIATE)) 349 return; 350 351 eap_erp_update_identity(sm->eap, eap, len); 352 identity = eap_get_identity(sm->eap, &identity_len); 353 if (!identity) 354 return; 355 356 /* Save station identity for future RADIUS packets */ 357 os_free(sm->identity); 358 sm->identity = (u8 *) dup_binstr(identity, identity_len); 359 if (!sm->identity) { 360 sm->identity_len = 0; 361 return; 362 } 363 364 sm->identity_len = identity_len; 365 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 366 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 367 sm->dot1xAuthEapolRespIdFramesRx++; 368 } 369 370 371 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 372 struct hostapd_radius_attr *req_attr, 373 struct sta_info *sta, 374 struct radius_msg *msg) 375 { 376 u32 suite; 377 int ver, val; 378 379 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 380 val = wpa_auth_get_pairwise(sta->wpa_sm); 381 suite = wpa_cipher_to_suite(ver, val); 382 if (val != -1 && 383 !hostapd_config_get_radius_attr(req_attr, 384 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 385 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 386 suite)) { 387 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 388 return -1; 389 } 390 391 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 392 hapd->conf->osen) ? 393 WPA_PROTO_RSN : WPA_PROTO_WPA, 394 hapd->conf->wpa_group); 395 if (!hostapd_config_get_radius_attr(req_attr, 396 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 397 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 398 suite)) { 399 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 400 return -1; 401 } 402 403 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 404 suite = wpa_akm_to_suite(val); 405 if (val != -1 && 406 !hostapd_config_get_radius_attr(req_attr, 407 RADIUS_ATTR_WLAN_AKM_SUITE) && 408 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 409 suite)) { 410 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 411 return -1; 412 } 413 414 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 415 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 416 hapd->conf->group_mgmt_cipher); 417 if (!hostapd_config_get_radius_attr( 418 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 419 !radius_msg_add_attr_int32( 420 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 421 wpa_printf(MSG_ERROR, 422 "Could not add WLAN-Group-Mgmt-Cipher"); 423 return -1; 424 } 425 } 426 427 return 0; 428 } 429 430 431 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 432 struct hostapd_radius_attr *req_attr, 433 struct sta_info *sta, 434 struct radius_msg *msg) 435 { 436 char buf[128]; 437 438 if (!hostapd_config_get_radius_attr(req_attr, 439 RADIUS_ATTR_SERVICE_TYPE) && 440 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 441 RADIUS_SERVICE_TYPE_FRAMED)) { 442 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 443 return -1; 444 } 445 446 if (!hostapd_config_get_radius_attr(req_attr, 447 RADIUS_ATTR_NAS_PORT) && 448 sta->aid > 0 && 449 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 450 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 451 return -1; 452 } 453 454 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 455 MAC2STR(sta->addr)); 456 buf[sizeof(buf) - 1] = '\0'; 457 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 458 (u8 *) buf, os_strlen(buf))) { 459 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 460 return -1; 461 } 462 463 if (sta->flags & WLAN_STA_PREAUTH) { 464 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 465 sizeof(buf)); 466 } else { 467 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 468 radius_sta_rate(hapd, sta) / 2, 469 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 470 radius_mode_txt(hapd)); 471 buf[sizeof(buf) - 1] = '\0'; 472 } 473 if (!hostapd_config_get_radius_attr(req_attr, 474 RADIUS_ATTR_CONNECT_INFO) && 475 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 476 (u8 *) buf, os_strlen(buf))) { 477 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 478 return -1; 479 } 480 481 if (sta->acct_session_id) { 482 os_snprintf(buf, sizeof(buf), "%016llX", 483 (unsigned long long) sta->acct_session_id); 484 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 485 (u8 *) buf, os_strlen(buf))) { 486 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 487 return -1; 488 } 489 } 490 491 if ((hapd->conf->wpa & 2) && 492 !hapd->conf->disable_pmksa_caching && 493 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 494 os_snprintf(buf, sizeof(buf), "%016llX", 495 (unsigned long long) 496 sta->eapol_sm->acct_multi_session_id); 497 if (!radius_msg_add_attr( 498 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 499 (u8 *) buf, os_strlen(buf))) { 500 wpa_printf(MSG_INFO, 501 "Could not add Acct-Multi-Session-Id"); 502 return -1; 503 } 504 } 505 506 #ifdef CONFIG_IEEE80211R_AP 507 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 508 sta->wpa_sm && 509 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 510 sta->auth_alg == WLAN_AUTH_FT) && 511 !hostapd_config_get_radius_attr(req_attr, 512 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 513 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 514 WPA_GET_BE16( 515 hapd->conf->mobility_domain))) { 516 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 517 return -1; 518 } 519 #endif /* CONFIG_IEEE80211R_AP */ 520 521 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 522 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 523 return -1; 524 525 return 0; 526 } 527 528 529 int add_common_radius_attr(struct hostapd_data *hapd, 530 struct hostapd_radius_attr *req_attr, 531 struct sta_info *sta, 532 struct radius_msg *msg) 533 { 534 char buf[128]; 535 struct hostapd_radius_attr *attr; 536 int len; 537 538 if (!hostapd_config_get_radius_attr(req_attr, 539 RADIUS_ATTR_NAS_IP_ADDRESS) && 540 hapd->conf->own_ip_addr.af == AF_INET && 541 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 542 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 543 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 544 return -1; 545 } 546 547 #ifdef CONFIG_IPV6 548 if (!hostapd_config_get_radius_attr(req_attr, 549 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 550 hapd->conf->own_ip_addr.af == AF_INET6 && 551 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 552 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 553 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 554 return -1; 555 } 556 #endif /* CONFIG_IPV6 */ 557 558 if (!hostapd_config_get_radius_attr(req_attr, 559 RADIUS_ATTR_NAS_IDENTIFIER) && 560 hapd->conf->nas_identifier && 561 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 562 (u8 *) hapd->conf->nas_identifier, 563 os_strlen(hapd->conf->nas_identifier))) { 564 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 565 return -1; 566 } 567 568 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 569 MAC2STR(hapd->own_addr)); 570 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 571 hapd->conf->ssid.ssid_len); 572 len += hapd->conf->ssid.ssid_len; 573 if (!hostapd_config_get_radius_attr(req_attr, 574 RADIUS_ATTR_CALLED_STATION_ID) && 575 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 576 (u8 *) buf, len)) { 577 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 578 return -1; 579 } 580 581 if (!hostapd_config_get_radius_attr(req_attr, 582 RADIUS_ATTR_NAS_PORT_TYPE) && 583 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 584 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 585 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 586 return -1; 587 } 588 589 #ifdef CONFIG_INTERWORKING 590 if (hapd->conf->interworking && 591 !is_zero_ether_addr(hapd->conf->hessid)) { 592 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 593 MAC2STR(hapd->conf->hessid)); 594 buf[sizeof(buf) - 1] = '\0'; 595 if (!hostapd_config_get_radius_attr(req_attr, 596 RADIUS_ATTR_WLAN_HESSID) && 597 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 598 (u8 *) buf, os_strlen(buf))) { 599 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 600 return -1; 601 } 602 } 603 #endif /* CONFIG_INTERWORKING */ 604 605 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 606 return -1; 607 608 for (attr = req_attr; attr; attr = attr->next) { 609 if (!radius_msg_add_attr(msg, attr->type, 610 wpabuf_head(attr->val), 611 wpabuf_len(attr->val))) { 612 wpa_printf(MSG_ERROR, "Could not add RADIUS attribute"); 613 return -1; 614 } 615 } 616 617 return 0; 618 } 619 620 621 int add_sqlite_radius_attr(struct hostapd_data *hapd, struct sta_info *sta, 622 struct radius_msg *msg, int acct) 623 { 624 #ifdef CONFIG_SQLITE 625 const char *attrtxt; 626 char addrtxt[3 * ETH_ALEN]; 627 char *sql; 628 sqlite3_stmt *stmt = NULL; 629 630 if (!hapd->rad_attr_db) 631 return 0; 632 633 os_snprintf(addrtxt, sizeof(addrtxt), MACSTR, MAC2STR(sta->addr)); 634 635 sql = "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);"; 636 if (sqlite3_prepare_v2(hapd->rad_attr_db, sql, os_strlen(sql), &stmt, 637 NULL) != SQLITE_OK) { 638 wpa_printf(MSG_ERROR, "DB: Failed to prepare SQL statement: %s", 639 sqlite3_errmsg(hapd->rad_attr_db)); 640 return -1; 641 } 642 sqlite3_bind_text(stmt, 1, addrtxt, os_strlen(addrtxt), SQLITE_STATIC); 643 sqlite3_bind_text(stmt, 2, acct ? "acct" : "auth", 4, SQLITE_STATIC); 644 while (sqlite3_step(stmt) == SQLITE_ROW) { 645 struct hostapd_radius_attr *attr; 646 struct radius_attr_hdr *hdr; 647 648 attrtxt = (const char *) sqlite3_column_text(stmt, 0); 649 attr = hostapd_parse_radius_attr(attrtxt); 650 if (!attr) { 651 wpa_printf(MSG_ERROR, 652 "Skipping invalid attribute from SQL: %s", 653 attrtxt); 654 continue; 655 } 656 wpa_printf(MSG_DEBUG, "Adding RADIUS attribute from SQL: %s", 657 attrtxt); 658 hdr = radius_msg_add_attr(msg, attr->type, 659 wpabuf_head(attr->val), 660 wpabuf_len(attr->val)); 661 hostapd_config_free_radius_attr(attr); 662 if (!hdr) { 663 wpa_printf(MSG_ERROR, 664 "Could not add RADIUS attribute from SQL"); 665 continue; 666 } 667 } 668 669 sqlite3_reset(stmt); 670 sqlite3_clear_bindings(stmt); 671 sqlite3_finalize(stmt); 672 #endif /* CONFIG_SQLITE */ 673 674 return 0; 675 } 676 677 678 void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 679 struct sta_info *sta, 680 const u8 *eap, size_t len) 681 { 682 struct radius_msg *msg; 683 struct eapol_state_machine *sm = sta->eapol_sm; 684 685 if (!sm) 686 return; 687 688 ieee802_1x_learn_identity(hapd, sm, eap, len); 689 690 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS packet"); 691 692 sm->radius_identifier = radius_client_get_id(hapd->radius); 693 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 694 sm->radius_identifier); 695 if (!msg) { 696 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 697 return; 698 } 699 700 if (radius_msg_make_authenticator(msg) < 0) { 701 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 702 goto fail; 703 } 704 705 if (sm->identity && 706 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 707 sm->identity, sm->identity_len)) { 708 wpa_printf(MSG_INFO, "Could not add User-Name"); 709 goto fail; 710 } 711 712 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 713 msg) < 0) 714 goto fail; 715 716 if (sta && add_sqlite_radius_attr(hapd, sta, msg, 0) < 0) 717 goto fail; 718 719 /* TODO: should probably check MTU from driver config; 2304 is max for 720 * IEEE 802.11, but use 1400 to avoid problems with too large packets 721 */ 722 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 723 RADIUS_ATTR_FRAMED_MTU) && 724 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 725 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 726 goto fail; 727 } 728 729 if (!radius_msg_add_eap(msg, eap, len)) { 730 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 731 goto fail; 732 } 733 734 /* State attribute must be copied if and only if this packet is 735 * Access-Request reply to the previous Access-Challenge */ 736 if (sm->last_recv_radius && 737 radius_msg_get_hdr(sm->last_recv_radius)->code == 738 RADIUS_CODE_ACCESS_CHALLENGE) { 739 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 740 RADIUS_ATTR_STATE); 741 if (res < 0) { 742 wpa_printf(MSG_INFO, 743 "Could not copy State attribute from previous Access-Challenge"); 744 goto fail; 745 } 746 if (res > 0) 747 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 748 } 749 750 if (hapd->conf->radius_request_cui) { 751 const u8 *cui; 752 size_t cui_len; 753 /* Add previously learned CUI or nul CUI to request CUI */ 754 if (sm->radius_cui) { 755 cui = wpabuf_head(sm->radius_cui); 756 cui_len = wpabuf_len(sm->radius_cui); 757 } else { 758 cui = (const u8 *) "\0"; 759 cui_len = 1; 760 } 761 if (!radius_msg_add_attr(msg, 762 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 763 cui, cui_len)) { 764 wpa_printf(MSG_ERROR, "Could not add CUI"); 765 goto fail; 766 } 767 } 768 769 #ifdef CONFIG_HS20 770 if (hapd->conf->hs20) { 771 u8 ver = hapd->conf->hs20_release - 1; 772 773 if (!radius_msg_add_wfa( 774 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 775 &ver, 1)) { 776 wpa_printf(MSG_ERROR, 777 "Could not add HS 2.0 AP version"); 778 goto fail; 779 } 780 781 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 782 const u8 *pos; 783 u8 buf[3]; 784 u16 id; 785 786 pos = wpabuf_head_u8(sta->hs20_ie); 787 buf[0] = (*pos) >> 4; 788 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 789 wpabuf_len(sta->hs20_ie) >= 3) 790 id = WPA_GET_LE16(pos + 1); 791 else 792 id = 0; 793 WPA_PUT_BE16(buf + 1, id); 794 if (!radius_msg_add_wfa( 795 msg, 796 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 797 buf, sizeof(buf))) { 798 wpa_printf(MSG_ERROR, 799 "Could not add HS 2.0 STA version"); 800 goto fail; 801 } 802 } 803 804 if (sta->roaming_consortium && 805 !radius_msg_add_wfa( 806 msg, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM, 807 wpabuf_head(sta->roaming_consortium), 808 wpabuf_len(sta->roaming_consortium))) { 809 wpa_printf(MSG_ERROR, 810 "Could not add HS 2.0 Roaming Consortium"); 811 goto fail; 812 } 813 814 if (hapd->conf->t_c_filename) { 815 be32 timestamp; 816 817 if (!radius_msg_add_wfa( 818 msg, 819 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME, 820 (const u8 *) hapd->conf->t_c_filename, 821 os_strlen(hapd->conf->t_c_filename))) { 822 wpa_printf(MSG_ERROR, 823 "Could not add HS 2.0 T&C Filename"); 824 goto fail; 825 } 826 827 timestamp = host_to_be32(hapd->conf->t_c_timestamp); 828 if (!radius_msg_add_wfa( 829 msg, 830 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP, 831 (const u8 *) ×tamp, 832 sizeof(timestamp))) { 833 wpa_printf(MSG_ERROR, 834 "Could not add HS 2.0 Timestamp"); 835 goto fail; 836 } 837 } 838 } 839 #endif /* CONFIG_HS20 */ 840 841 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 842 goto fail; 843 844 return; 845 846 fail: 847 radius_msg_free(msg); 848 } 849 #endif /* CONFIG_NO_RADIUS */ 850 851 852 static void handle_eap_response(struct hostapd_data *hapd, 853 struct sta_info *sta, struct eap_hdr *eap, 854 size_t len) 855 { 856 u8 type, *data; 857 struct eapol_state_machine *sm = sta->eapol_sm; 858 859 if (!sm) 860 return; 861 862 data = (u8 *) (eap + 1); 863 864 if (len < sizeof(*eap) + 1) { 865 wpa_printf(MSG_INFO, "%s: too short response data", __func__); 866 return; 867 } 868 869 sm->eap_type_supp = type = data[0]; 870 871 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 872 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 873 "id=%d len=%d) from STA: EAP Response-%s (%d)", 874 eap->code, eap->identifier, be_to_host16(eap->length), 875 eap_server_get_name(0, type), type); 876 877 sm->dot1xAuthEapolRespFramesRx++; 878 879 wpabuf_free(sm->eap_if->eapRespData); 880 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 881 sm->eapolEap = true; 882 } 883 884 885 static void handle_eap_initiate(struct hostapd_data *hapd, 886 struct sta_info *sta, struct eap_hdr *eap, 887 size_t len) 888 { 889 #ifdef CONFIG_ERP 890 u8 type, *data; 891 struct eapol_state_machine *sm = sta->eapol_sm; 892 893 if (!sm) 894 return; 895 896 if (len < sizeof(*eap) + 1) { 897 wpa_printf(MSG_INFO, "%s: too short response data", __func__); 898 return; 899 } 900 901 data = (u8 *) (eap + 1); 902 type = data[0]; 903 904 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 905 HOSTAPD_LEVEL_DEBUG, 906 "received EAP packet (code=%d id=%d len=%d) from STA: EAP Initiate type %u", 907 eap->code, eap->identifier, be_to_host16(eap->length), 908 type); 909 910 wpabuf_free(sm->eap_if->eapRespData); 911 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 912 sm->eapolEap = true; 913 #endif /* CONFIG_ERP */ 914 } 915 916 917 #ifndef CONFIG_NO_STDOUT_DEBUG 918 static const char * eap_code_str(u8 code) 919 { 920 switch (code) { 921 case EAP_CODE_REQUEST: 922 return "request"; 923 case EAP_CODE_RESPONSE: 924 return "response"; 925 case EAP_CODE_SUCCESS: 926 return "success"; 927 case EAP_CODE_FAILURE: 928 return "failure"; 929 case EAP_CODE_INITIATE: 930 return "initiate"; 931 case EAP_CODE_FINISH: 932 return "finish"; 933 default: 934 return "unknown"; 935 } 936 } 937 #endif /* CONFIG_NO_STDOUT_DEBUG */ 938 939 940 /* Process incoming EAP packet from Supplicant */ 941 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 942 u8 *buf, size_t len) 943 { 944 struct eap_hdr *eap; 945 u16 eap_len; 946 947 if (len < sizeof(*eap)) { 948 wpa_printf(MSG_INFO, " too short EAP packet"); 949 return; 950 } 951 952 eap = (struct eap_hdr *) buf; 953 954 eap_len = be_to_host16(eap->length); 955 wpa_printf(MSG_DEBUG, "EAP: code=%d (%s) identifier=%d length=%d", 956 eap->code, eap_code_str(eap->code), eap->identifier, 957 eap_len); 958 if (eap_len < sizeof(*eap)) { 959 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 960 return; 961 } else if (eap_len > len) { 962 wpa_printf(MSG_DEBUG, 963 " Too short frame to contain this EAP packet"); 964 return; 965 } else if (eap_len < len) { 966 wpa_printf(MSG_DEBUG, 967 " Ignoring %lu extra bytes after EAP packet", 968 (unsigned long) len - eap_len); 969 } 970 971 switch (eap->code) { 972 case EAP_CODE_RESPONSE: 973 handle_eap_response(hapd, sta, eap, eap_len); 974 break; 975 case EAP_CODE_INITIATE: 976 handle_eap_initiate(hapd, sta, eap, eap_len); 977 break; 978 } 979 } 980 981 982 struct eapol_state_machine * 983 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 984 { 985 int flags = 0; 986 987 if (sta->flags & WLAN_STA_PREAUTH) 988 flags |= EAPOL_SM_PREAUTH; 989 if (sta->wpa_sm) { 990 flags |= EAPOL_SM_USES_WPA; 991 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 992 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 993 } 994 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 995 sta->wps_ie, sta->p2p_ie, sta, 996 sta->identity, sta->radius_cui); 997 } 998 999 1000 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 1001 size_t len) 1002 { 1003 if (sta->pending_eapol_rx) { 1004 wpabuf_free(sta->pending_eapol_rx->buf); 1005 } else { 1006 sta->pending_eapol_rx = 1007 os_malloc(sizeof(*sta->pending_eapol_rx)); 1008 if (!sta->pending_eapol_rx) 1009 return; 1010 } 1011 1012 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 1013 if (!sta->pending_eapol_rx->buf) { 1014 os_free(sta->pending_eapol_rx); 1015 sta->pending_eapol_rx = NULL; 1016 return; 1017 } 1018 1019 os_get_reltime(&sta->pending_eapol_rx->rx_time); 1020 } 1021 1022 1023 /** 1024 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 1025 * @hapd: hostapd BSS data 1026 * @sa: Source address (sender of the EAPOL frame) 1027 * @buf: EAPOL frame 1028 * @len: Length of buf in octets 1029 * 1030 * This function is called for each incoming EAPOL frame from the interface 1031 */ 1032 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 1033 size_t len) 1034 { 1035 struct sta_info *sta; 1036 struct ieee802_1x_hdr *hdr; 1037 struct ieee802_1x_eapol_key *key; 1038 u16 datalen; 1039 struct rsn_pmksa_cache_entry *pmksa; 1040 int key_mgmt; 1041 1042 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 1043 !hapd->conf->wps_state) 1044 return; 1045 1046 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 1047 (unsigned long) len, MAC2STR(sa)); 1048 sta = ap_get_sta(hapd, sa); 1049 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 1050 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 1051 wpa_printf(MSG_DEBUG, 1052 "IEEE 802.1X data frame from not associated/Pre-authenticating STA"); 1053 1054 if (sta && (sta->flags & WLAN_STA_AUTH)) { 1055 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 1056 " for later use", MAC2STR(sta->addr)); 1057 ieee802_1x_save_eapol(sta, buf, len); 1058 } 1059 1060 return; 1061 } 1062 1063 if (len < sizeof(*hdr)) { 1064 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 1065 return; 1066 } 1067 1068 hdr = (struct ieee802_1x_hdr *) buf; 1069 datalen = be_to_host16(hdr->length); 1070 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 1071 hdr->version, hdr->type, datalen); 1072 1073 if (len - sizeof(*hdr) < datalen) { 1074 wpa_printf(MSG_INFO, 1075 " frame too short for this IEEE 802.1X packet"); 1076 if (sta->eapol_sm) 1077 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 1078 return; 1079 } 1080 if (len - sizeof(*hdr) > datalen) { 1081 wpa_printf(MSG_DEBUG, 1082 " ignoring %lu extra octets after IEEE 802.1X packet", 1083 (unsigned long) len - sizeof(*hdr) - datalen); 1084 } 1085 1086 if (sta->eapol_sm) { 1087 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 1088 sta->eapol_sm->dot1xAuthEapolFramesRx++; 1089 } 1090 1091 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 1092 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 1093 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1094 (key->type == EAPOL_KEY_TYPE_WPA || 1095 key->type == EAPOL_KEY_TYPE_RSN)) { 1096 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 1097 sizeof(*hdr) + datalen); 1098 return; 1099 } 1100 1101 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 1102 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 1103 wpa_printf(MSG_DEBUG, 1104 "IEEE 802.1X: Ignore EAPOL message - 802.1X not enabled and WPS not used"); 1105 return; 1106 } 1107 1108 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1109 if (key_mgmt != -1 && 1110 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1111 key_mgmt == WPA_KEY_MGMT_DPP)) { 1112 wpa_printf(MSG_DEBUG, 1113 "IEEE 802.1X: Ignore EAPOL message - STA is using PSK"); 1114 return; 1115 } 1116 1117 if (!sta->eapol_sm) { 1118 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1119 if (!sta->eapol_sm) 1120 return; 1121 1122 #ifdef CONFIG_WPS 1123 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 1124 u32 wflags = sta->flags & (WLAN_STA_WPS | 1125 WLAN_STA_WPS2 | 1126 WLAN_STA_MAYBE_WPS); 1127 if (wflags == WLAN_STA_MAYBE_WPS || 1128 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 1129 /* 1130 * Delay EAPOL frame transmission until a 1131 * possible WPS STA initiates the handshake 1132 * with EAPOL-Start. Only allow the wait to be 1133 * skipped if the STA is known to support WPS 1134 * 2.0. 1135 */ 1136 wpa_printf(MSG_DEBUG, 1137 "WPS: Do not start EAPOL until EAPOL-Start is received"); 1138 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1139 } 1140 } 1141 #endif /* CONFIG_WPS */ 1142 1143 sta->eapol_sm->eap_if->portEnabled = true; 1144 } 1145 1146 /* since we support version 1, we can ignore version field and proceed 1147 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1148 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1149 * does not change frame contents, so should be ok to process frames 1150 * more or less identically. Some changes might be needed for 1151 * verification of fields. */ 1152 1153 switch (hdr->type) { 1154 case IEEE802_1X_TYPE_EAP_PACKET: 1155 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1156 break; 1157 1158 case IEEE802_1X_TYPE_EAPOL_START: 1159 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1160 HOSTAPD_LEVEL_DEBUG, 1161 "received EAPOL-Start from STA"); 1162 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1163 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1164 if (pmksa) { 1165 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1166 HOSTAPD_LEVEL_DEBUG, 1167 "cached PMKSA available - ignore it since STA sent EAPOL-Start"); 1168 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1169 } 1170 sta->eapol_sm->eapolStart = true; 1171 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1172 eap_server_clear_identity(sta->eapol_sm->eap); 1173 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1174 break; 1175 1176 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1177 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1178 HOSTAPD_LEVEL_DEBUG, 1179 "received EAPOL-Logoff from STA"); 1180 sta->acct_terminate_cause = 1181 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1182 accounting_sta_stop(hapd, sta); 1183 sta->eapol_sm->eapolLogoff = true; 1184 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1185 eap_server_clear_identity(sta->eapol_sm->eap); 1186 break; 1187 1188 case IEEE802_1X_TYPE_EAPOL_KEY: 1189 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1190 if (!ap_sta_is_authorized(sta)) { 1191 wpa_printf(MSG_DEBUG, 1192 " Dropped key data from unauthorized Supplicant"); 1193 break; 1194 } 1195 break; 1196 1197 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1198 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1199 /* TODO: implement support for this; show data */ 1200 break; 1201 1202 #ifdef CONFIG_MACSEC 1203 case IEEE802_1X_TYPE_EAPOL_MKA: 1204 wpa_printf(MSG_EXCESSIVE, 1205 "EAPOL type %d will be handled by MKA", hdr->type); 1206 break; 1207 #endif /* CONFIG_MACSEC */ 1208 1209 default: 1210 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1211 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1212 break; 1213 } 1214 1215 eapol_auth_step(sta->eapol_sm); 1216 } 1217 1218 1219 /** 1220 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1221 * @hapd: hostapd BSS data 1222 * @sta: The station 1223 * 1224 * This function is called to start IEEE 802.1X authentication when a new 1225 * station completes IEEE 802.11 association. 1226 */ 1227 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1228 { 1229 struct rsn_pmksa_cache_entry *pmksa; 1230 int reassoc = 1; 1231 int force_1x = 0; 1232 int key_mgmt; 1233 1234 #ifdef CONFIG_WPS 1235 if (hapd->conf->wps_state && 1236 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1237 (sta->flags & WLAN_STA_WPS))) { 1238 /* 1239 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1240 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1241 * authentication in this BSS. 1242 */ 1243 force_1x = 1; 1244 } 1245 #endif /* CONFIG_WPS */ 1246 1247 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1248 wpa_printf(MSG_DEBUG, 1249 "IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS"); 1250 /* 1251 * Clear any possible EAPOL authenticator state to support 1252 * reassociation change from WPS to PSK. 1253 */ 1254 ieee802_1x_free_station(hapd, sta); 1255 return; 1256 } 1257 1258 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1259 if (key_mgmt != -1 && 1260 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1261 key_mgmt == WPA_KEY_MGMT_DPP)) { 1262 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1263 /* 1264 * Clear any possible EAPOL authenticator state to support 1265 * reassociation change from WPA-EAP to PSK. 1266 */ 1267 ieee802_1x_free_station(hapd, sta); 1268 return; 1269 } 1270 1271 if (!sta->eapol_sm) { 1272 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1273 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1274 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1275 if (!sta->eapol_sm) { 1276 hostapd_logger(hapd, sta->addr, 1277 HOSTAPD_MODULE_IEEE8021X, 1278 HOSTAPD_LEVEL_INFO, 1279 "failed to allocate state machine"); 1280 return; 1281 } 1282 reassoc = 0; 1283 } 1284 1285 #ifdef CONFIG_WPS 1286 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1287 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1288 !(sta->flags & WLAN_STA_WPS2)) { 1289 /* 1290 * Delay EAPOL frame transmission until a possible WPS STA 1291 * initiates the handshake with EAPOL-Start. Only allow the 1292 * wait to be skipped if the STA is known to support WPS 2.0. 1293 */ 1294 wpa_printf(MSG_DEBUG, 1295 "WPS: Do not start EAPOL until EAPOL-Start is received"); 1296 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1297 } 1298 #endif /* CONFIG_WPS */ 1299 1300 sta->eapol_sm->eap_if->portEnabled = true; 1301 1302 #ifdef CONFIG_IEEE80211R_AP 1303 if (sta->auth_alg == WLAN_AUTH_FT) { 1304 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1305 HOSTAPD_LEVEL_DEBUG, 1306 "PMK from FT - skip IEEE 802.1X/EAP"); 1307 /* Setup EAPOL state machines to already authenticated state 1308 * because of existing FT information from R0KH. */ 1309 sta->eapol_sm->keyRun = true; 1310 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1311 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1312 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1313 sta->eapol_sm->authSuccess = true; 1314 sta->eapol_sm->authFail = false; 1315 sta->eapol_sm->portValid = true; 1316 if (sta->eapol_sm->eap) 1317 eap_sm_notify_cached(sta->eapol_sm->eap); 1318 ap_sta_bind_vlan(hapd, sta); 1319 return; 1320 } 1321 #endif /* CONFIG_IEEE80211R_AP */ 1322 1323 #ifdef CONFIG_FILS 1324 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 1325 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 1326 sta->auth_alg == WLAN_AUTH_FILS_PK) { 1327 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1328 HOSTAPD_LEVEL_DEBUG, 1329 "PMK from FILS - skip IEEE 802.1X/EAP"); 1330 /* Setup EAPOL state machines to already authenticated state 1331 * because of existing FILS information. */ 1332 sta->eapol_sm->keyRun = true; 1333 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1334 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1335 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1336 sta->eapol_sm->authSuccess = true; 1337 sta->eapol_sm->authFail = false; 1338 sta->eapol_sm->portValid = true; 1339 if (sta->eapol_sm->eap) 1340 eap_sm_notify_cached(sta->eapol_sm->eap); 1341 wpa_auth_set_ptk_rekey_timer(sta->wpa_sm); 1342 return; 1343 } 1344 #endif /* CONFIG_FILS */ 1345 1346 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1347 if (pmksa) { 1348 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1349 HOSTAPD_LEVEL_DEBUG, 1350 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1351 /* Setup EAPOL state machines to already authenticated state 1352 * because of existing PMKSA information in the cache. */ 1353 sta->eapol_sm->keyRun = true; 1354 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1355 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1356 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1357 sta->eapol_sm->authSuccess = true; 1358 sta->eapol_sm->authFail = false; 1359 if (sta->eapol_sm->eap) 1360 eap_sm_notify_cached(sta->eapol_sm->eap); 1361 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1362 ap_sta_bind_vlan(hapd, sta); 1363 } else { 1364 if (reassoc) { 1365 /* 1366 * Force EAPOL state machines to start 1367 * re-authentication without having to wait for the 1368 * Supplicant to send EAPOL-Start. 1369 */ 1370 sta->eapol_sm->reAuthenticate = true; 1371 } 1372 eapol_auth_step(sta->eapol_sm); 1373 } 1374 } 1375 1376 1377 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1378 { 1379 struct eapol_state_machine *sm = sta->eapol_sm; 1380 1381 #ifdef CONFIG_HS20 1382 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1383 #endif /* CONFIG_HS20 */ 1384 1385 if (sta->pending_eapol_rx) { 1386 wpabuf_free(sta->pending_eapol_rx->buf); 1387 os_free(sta->pending_eapol_rx); 1388 sta->pending_eapol_rx = NULL; 1389 } 1390 1391 if (!sm) 1392 return; 1393 1394 sta->eapol_sm = NULL; 1395 1396 #ifndef CONFIG_NO_RADIUS 1397 radius_msg_free(sm->last_recv_radius); 1398 radius_free_class(&sm->radius_class); 1399 #endif /* CONFIG_NO_RADIUS */ 1400 1401 eapol_auth_free(sm); 1402 } 1403 1404 1405 #ifndef CONFIG_NO_RADIUS 1406 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1407 struct sta_info *sta) 1408 { 1409 struct wpabuf *eap; 1410 const struct eap_hdr *hdr; 1411 int eap_type = -1; 1412 char buf[64]; 1413 struct radius_msg *msg; 1414 struct eapol_state_machine *sm = sta->eapol_sm; 1415 1416 if (!sm || !sm->last_recv_radius) { 1417 if (sm) 1418 sm->eap_if->aaaEapNoReq = true; 1419 return; 1420 } 1421 1422 msg = sm->last_recv_radius; 1423 1424 eap = radius_msg_get_eap(msg); 1425 if (!eap) { 1426 /* RFC 3579, Chap. 2.6.3: 1427 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1428 * attribute */ 1429 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1430 HOSTAPD_LEVEL_WARNING, 1431 "could not extract EAP-Message from RADIUS message"); 1432 sm->eap_if->aaaEapNoReq = true; 1433 return; 1434 } 1435 1436 if (wpabuf_len(eap) < sizeof(*hdr)) { 1437 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1438 HOSTAPD_LEVEL_WARNING, 1439 "too short EAP packet received from authentication server"); 1440 wpabuf_free(eap); 1441 sm->eap_if->aaaEapNoReq = true; 1442 return; 1443 } 1444 1445 if (wpabuf_len(eap) > sizeof(*hdr)) 1446 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1447 1448 hdr = wpabuf_head(eap); 1449 switch (hdr->code) { 1450 case EAP_CODE_REQUEST: 1451 if (eap_type >= 0) 1452 sm->eap_type_authsrv = eap_type; 1453 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1454 eap_server_get_name(0, eap_type), eap_type); 1455 break; 1456 case EAP_CODE_RESPONSE: 1457 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1458 eap_server_get_name(0, eap_type), eap_type); 1459 break; 1460 case EAP_CODE_SUCCESS: 1461 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1462 break; 1463 case EAP_CODE_FAILURE: 1464 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1465 break; 1466 default: 1467 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1468 break; 1469 } 1470 buf[sizeof(buf) - 1] = '\0'; 1471 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1472 HOSTAPD_LEVEL_DEBUG, 1473 "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s", 1474 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1475 buf); 1476 sm->eap_if->aaaEapReq = true; 1477 1478 wpabuf_free(sm->eap_if->aaaEapReqData); 1479 sm->eap_if->aaaEapReqData = eap; 1480 } 1481 1482 1483 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1484 struct sta_info *sta, struct radius_msg *msg, 1485 struct radius_msg *req, 1486 const u8 *shared_secret, 1487 size_t shared_secret_len) 1488 { 1489 struct radius_ms_mppe_keys *keys; 1490 u8 *buf; 1491 size_t len; 1492 struct eapol_state_machine *sm = sta->eapol_sm; 1493 1494 if (!sm) 1495 return; 1496 1497 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1498 shared_secret_len); 1499 1500 if (keys && keys->send && keys->recv) { 1501 len = keys->send_len + keys->recv_len; 1502 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1503 keys->send, keys->send_len); 1504 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1505 keys->recv, keys->recv_len); 1506 1507 os_free(sm->eap_if->aaaEapKeyData); 1508 sm->eap_if->aaaEapKeyData = os_malloc(len); 1509 if (sm->eap_if->aaaEapKeyData) { 1510 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1511 keys->recv_len); 1512 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1513 keys->send, keys->send_len); 1514 sm->eap_if->aaaEapKeyDataLen = len; 1515 sm->eap_if->aaaEapKeyAvailable = true; 1516 } 1517 } else { 1518 wpa_printf(MSG_DEBUG, 1519 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1520 keys, keys ? keys->send : NULL, 1521 keys ? keys->recv : NULL); 1522 } 1523 1524 if (keys) { 1525 os_free(keys->send); 1526 os_free(keys->recv); 1527 os_free(keys); 1528 } 1529 1530 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len, 1531 NULL) == 0) { 1532 os_free(sm->eap_if->eapSessionId); 1533 sm->eap_if->eapSessionId = os_memdup(buf, len); 1534 if (sm->eap_if->eapSessionId) { 1535 sm->eap_if->eapSessionIdLen = len; 1536 wpa_hexdump(MSG_DEBUG, "EAP-Key Name", 1537 sm->eap_if->eapSessionId, 1538 sm->eap_if->eapSessionIdLen); 1539 } 1540 } else { 1541 sm->eap_if->eapSessionIdLen = 0; 1542 } 1543 } 1544 1545 1546 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1547 struct sta_info *sta, 1548 struct radius_msg *msg) 1549 { 1550 u8 *attr_class; 1551 size_t class_len; 1552 struct eapol_state_machine *sm = sta->eapol_sm; 1553 int count, i; 1554 struct radius_attr_data *nclass; 1555 size_t nclass_count; 1556 1557 if (!hapd->conf->radius->acct_server || !hapd->radius || !sm) 1558 return; 1559 1560 radius_free_class(&sm->radius_class); 1561 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1562 if (count <= 0) 1563 return; 1564 1565 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1566 if (!nclass) 1567 return; 1568 1569 nclass_count = 0; 1570 1571 attr_class = NULL; 1572 for (i = 0; i < count; i++) { 1573 do { 1574 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1575 &attr_class, &class_len, 1576 attr_class) < 0) { 1577 i = count; 1578 break; 1579 } 1580 } while (class_len < 1); 1581 1582 nclass[nclass_count].data = os_memdup(attr_class, class_len); 1583 if (!nclass[nclass_count].data) 1584 break; 1585 1586 nclass[nclass_count].len = class_len; 1587 nclass_count++; 1588 } 1589 1590 sm->radius_class.attr = nclass; 1591 sm->radius_class.count = nclass_count; 1592 wpa_printf(MSG_DEBUG, 1593 "IEEE 802.1X: Stored %lu RADIUS Class attributes for " 1594 MACSTR, 1595 (unsigned long) sm->radius_class.count, 1596 MAC2STR(sta->addr)); 1597 } 1598 1599 1600 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1601 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1602 struct sta_info *sta, 1603 struct radius_msg *msg) 1604 { 1605 u8 *buf, *identity; 1606 size_t len; 1607 struct eapol_state_machine *sm = sta->eapol_sm; 1608 1609 if (!sm) 1610 return; 1611 1612 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1613 NULL) < 0) 1614 return; 1615 1616 identity = (u8 *) dup_binstr(buf, len); 1617 if (!identity) 1618 return; 1619 1620 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1621 HOSTAPD_LEVEL_DEBUG, 1622 "old identity '%s' updated with User-Name from Access-Accept '%s'", 1623 sm->identity ? (char *) sm->identity : "N/A", 1624 (char *) identity); 1625 1626 os_free(sm->identity); 1627 sm->identity = identity; 1628 sm->identity_len = len; 1629 } 1630 1631 1632 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1633 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1634 struct sta_info *sta, 1635 struct radius_msg *msg) 1636 { 1637 struct eapol_state_machine *sm = sta->eapol_sm; 1638 struct wpabuf *cui; 1639 u8 *buf; 1640 size_t len; 1641 1642 if (!sm) 1643 return; 1644 1645 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1646 &buf, &len, NULL) < 0) 1647 return; 1648 1649 cui = wpabuf_alloc_copy(buf, len); 1650 if (!cui) 1651 return; 1652 1653 wpabuf_free(sm->radius_cui); 1654 sm->radius_cui = cui; 1655 } 1656 1657 1658 #ifdef CONFIG_HS20 1659 1660 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1661 { 1662 sta->remediation = 1; 1663 os_free(sta->remediation_url); 1664 if (len > 2) { 1665 sta->remediation_url = os_malloc(len); 1666 if (!sta->remediation_url) 1667 return; 1668 sta->remediation_method = pos[0]; 1669 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1670 sta->remediation_url[len - 1] = '\0'; 1671 wpa_printf(MSG_DEBUG, 1672 "HS 2.0: Subscription remediation needed for " 1673 MACSTR " - server method %u URL %s", 1674 MAC2STR(sta->addr), sta->remediation_method, 1675 sta->remediation_url); 1676 } else { 1677 sta->remediation_url = NULL; 1678 wpa_printf(MSG_DEBUG, 1679 "HS 2.0: Subscription remediation needed for " 1680 MACSTR, MAC2STR(sta->addr)); 1681 } 1682 /* TODO: assign the STA into remediation VLAN or add filtering */ 1683 } 1684 1685 1686 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1687 struct sta_info *sta, u8 *pos, 1688 size_t len) 1689 { 1690 if (len < 3) 1691 return; /* Malformed information */ 1692 sta->hs20_deauth_requested = 1; 1693 wpa_printf(MSG_DEBUG, 1694 "HS 2.0: Deauthentication request - Code %u Re-auth Delay %u", 1695 *pos, WPA_GET_LE16(pos + 1)); 1696 wpabuf_free(sta->hs20_deauth_req); 1697 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1698 if (sta->hs20_deauth_req) { 1699 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1700 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1701 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1702 } 1703 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1704 } 1705 1706 1707 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1708 struct sta_info *sta, u8 *pos, 1709 size_t len, int session_timeout) 1710 { 1711 unsigned int swt; 1712 int warning_time, beacon_int; 1713 1714 if (len < 1) 1715 return; /* Malformed information */ 1716 os_free(sta->hs20_session_info_url); 1717 sta->hs20_session_info_url = os_malloc(len); 1718 if (!sta->hs20_session_info_url) 1719 return; 1720 swt = pos[0]; 1721 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1722 sta->hs20_session_info_url[len - 1] = '\0'; 1723 wpa_printf(MSG_DEBUG, 1724 "HS 2.0: Session Information URL='%s' SWT=%u (session_timeout=%d)", 1725 sta->hs20_session_info_url, swt, session_timeout); 1726 if (session_timeout < 0) { 1727 wpa_printf(MSG_DEBUG, 1728 "HS 2.0: No Session-Timeout set - ignore session info URL"); 1729 return; 1730 } 1731 if (swt == 255) 1732 swt = 1; /* Use one minute as the AP selected value */ 1733 1734 if ((unsigned int) session_timeout < swt * 60) 1735 warning_time = 0; 1736 else 1737 warning_time = session_timeout - swt * 60; 1738 1739 beacon_int = hapd->iconf->beacon_int; 1740 if (beacon_int < 1) 1741 beacon_int = 100; /* best guess */ 1742 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1743 if (sta->hs20_disassoc_timer > 65535) 1744 sta->hs20_disassoc_timer = 65535; 1745 1746 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1747 } 1748 1749 1750 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data *hapd, 1751 struct sta_info *sta, u8 *pos, 1752 size_t len) 1753 { 1754 if (len < 4) 1755 return; /* Malformed information */ 1756 wpa_printf(MSG_DEBUG, 1757 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x", 1758 pos[0], pos[1], pos[2], pos[3]); 1759 hs20_t_c_filtering(hapd, sta, pos[0] & BIT(0)); 1760 } 1761 1762 1763 static void ieee802_1x_hs20_t_c_url(struct hostapd_data *hapd, 1764 struct sta_info *sta, u8 *pos, size_t len) 1765 { 1766 os_free(sta->t_c_url); 1767 sta->t_c_url = os_malloc(len + 1); 1768 if (!sta->t_c_url) 1769 return; 1770 os_memcpy(sta->t_c_url, pos, len); 1771 sta->t_c_url[len] = '\0'; 1772 wpa_printf(MSG_DEBUG, 1773 "HS 2.0: Terms and Conditions URL %s", sta->t_c_url); 1774 } 1775 1776 #endif /* CONFIG_HS20 */ 1777 1778 1779 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1780 struct sta_info *sta, 1781 struct radius_msg *msg, 1782 int session_timeout) 1783 { 1784 #ifdef CONFIG_HS20 1785 u8 *buf, *pos, *end, type, sublen; 1786 size_t len; 1787 1788 buf = NULL; 1789 sta->remediation = 0; 1790 sta->hs20_deauth_requested = 0; 1791 1792 for (;;) { 1793 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1794 &buf, &len, buf) < 0) 1795 break; 1796 if (len < 6) 1797 continue; 1798 pos = buf; 1799 end = buf + len; 1800 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1801 continue; 1802 pos += 4; 1803 1804 type = *pos++; 1805 sublen = *pos++; 1806 if (sublen < 2) 1807 continue; /* invalid length */ 1808 sublen -= 2; /* skip header */ 1809 if (pos + sublen > end) 1810 continue; /* invalid WFA VSA */ 1811 1812 switch (type) { 1813 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1814 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1815 break; 1816 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1817 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1818 break; 1819 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1820 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1821 session_timeout); 1822 break; 1823 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING: 1824 ieee802_1x_hs20_t_c_filtering(hapd, sta, pos, sublen); 1825 break; 1826 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL: 1827 ieee802_1x_hs20_t_c_url(hapd, sta, pos, sublen); 1828 break; 1829 } 1830 } 1831 #endif /* CONFIG_HS20 */ 1832 } 1833 1834 1835 struct sta_id_search { 1836 u8 identifier; 1837 struct eapol_state_machine *sm; 1838 }; 1839 1840 1841 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1842 struct sta_info *sta, 1843 void *ctx) 1844 { 1845 struct sta_id_search *id_search = ctx; 1846 struct eapol_state_machine *sm = sta->eapol_sm; 1847 1848 if (sm && sm->radius_identifier >= 0 && 1849 sm->radius_identifier == id_search->identifier) { 1850 id_search->sm = sm; 1851 return 1; 1852 } 1853 return 0; 1854 } 1855 1856 1857 static struct eapol_state_machine * 1858 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1859 { 1860 struct sta_id_search id_search; 1861 1862 id_search.identifier = identifier; 1863 id_search.sm = NULL; 1864 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1865 return id_search.sm; 1866 } 1867 1868 1869 #ifndef CONFIG_NO_VLAN 1870 static int ieee802_1x_update_vlan(struct radius_msg *msg, 1871 struct hostapd_data *hapd, 1872 struct sta_info *sta) 1873 { 1874 struct vlan_description vlan_desc; 1875 1876 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1877 vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged, 1878 MAX_NUM_TAGGED_VLAN, 1879 vlan_desc.tagged); 1880 1881 if (vlan_desc.notempty && 1882 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1883 sta->eapol_sm->authFail = true; 1884 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1885 HOSTAPD_LEVEL_INFO, 1886 "Invalid VLAN %d%s received from RADIUS server", 1887 vlan_desc.untagged, 1888 vlan_desc.tagged[0] ? "+" : ""); 1889 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1890 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1891 return -1; 1892 } 1893 1894 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1895 !vlan_desc.notempty) { 1896 sta->eapol_sm->authFail = true; 1897 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1898 HOSTAPD_LEVEL_INFO, 1899 "authentication server did not include required VLAN ID in Access-Accept"); 1900 return -1; 1901 } 1902 1903 return ap_sta_set_vlan(hapd, sta, &vlan_desc); 1904 } 1905 #endif /* CONFIG_NO_VLAN */ 1906 1907 1908 /** 1909 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1910 * @msg: RADIUS response message 1911 * @req: RADIUS request message 1912 * @shared_secret: RADIUS shared secret 1913 * @shared_secret_len: Length of shared_secret in octets 1914 * @data: Context data (struct hostapd_data *) 1915 * Returns: Processing status 1916 */ 1917 static RadiusRxResult 1918 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1919 const u8 *shared_secret, size_t shared_secret_len, 1920 void *data) 1921 { 1922 struct hostapd_data *hapd = data; 1923 struct sta_info *sta; 1924 u32 session_timeout = 0, termination_action, acct_interim_interval; 1925 int session_timeout_set; 1926 u32 reason_code; 1927 struct eapol_state_machine *sm; 1928 int override_eapReq = 0; 1929 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1930 1931 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1932 if (!sm) { 1933 wpa_printf(MSG_DEBUG, 1934 "IEEE 802.1X: Could not find matching station for this RADIUS message"); 1935 return RADIUS_RX_UNKNOWN; 1936 } 1937 sta = sm->sta; 1938 1939 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1940 * present when packet contains an EAP-Message attribute */ 1941 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1942 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1943 0) < 0 && 1944 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1945 wpa_printf(MSG_DEBUG, 1946 "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message"); 1947 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1948 req, 1)) { 1949 wpa_printf(MSG_INFO, 1950 "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1951 return RADIUS_RX_INVALID_AUTHENTICATOR; 1952 } 1953 1954 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1955 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1956 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1957 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1958 return RADIUS_RX_UNKNOWN; 1959 } 1960 1961 sm->radius_identifier = -1; 1962 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1963 MAC2STR(sta->addr)); 1964 1965 radius_msg_free(sm->last_recv_radius); 1966 sm->last_recv_radius = msg; 1967 1968 session_timeout_set = 1969 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1970 &session_timeout); 1971 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1972 &termination_action)) 1973 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1974 1975 if (hapd->conf->acct_interim_interval == 0 && 1976 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1977 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1978 &acct_interim_interval) == 0) { 1979 if (acct_interim_interval < 60) { 1980 hostapd_logger(hapd, sta->addr, 1981 HOSTAPD_MODULE_IEEE8021X, 1982 HOSTAPD_LEVEL_INFO, 1983 "ignored too small Acct-Interim-Interval %d", 1984 acct_interim_interval); 1985 } else 1986 sta->acct_interim_interval = acct_interim_interval; 1987 } 1988 1989 1990 switch (hdr->code) { 1991 case RADIUS_CODE_ACCESS_ACCEPT: 1992 #ifndef CONFIG_NO_VLAN 1993 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED && 1994 ieee802_1x_update_vlan(msg, hapd, sta) < 0) 1995 break; 1996 1997 if (sta->vlan_id > 0) { 1998 hostapd_logger(hapd, sta->addr, 1999 HOSTAPD_MODULE_RADIUS, 2000 HOSTAPD_LEVEL_INFO, 2001 "VLAN ID %d", sta->vlan_id); 2002 } 2003 2004 if ((sta->flags & WLAN_STA_ASSOC) && 2005 ap_sta_bind_vlan(hapd, sta) < 0) 2006 break; 2007 #endif /* CONFIG_NO_VLAN */ 2008 2009 sta->session_timeout_set = !!session_timeout_set; 2010 os_get_reltime(&sta->session_timeout); 2011 sta->session_timeout.sec += session_timeout; 2012 2013 /* RFC 3580, Ch. 3.17 */ 2014 if (session_timeout_set && termination_action == 2015 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) 2016 sm->reAuthPeriod = session_timeout; 2017 else if (session_timeout_set) 2018 ap_sta_session_timeout(hapd, sta, session_timeout); 2019 else 2020 ap_sta_no_session_timeout(hapd, sta); 2021 2022 sm->eap_if->aaaSuccess = true; 2023 override_eapReq = 1; 2024 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 2025 shared_secret_len); 2026 ieee802_1x_store_radius_class(hapd, sta, msg); 2027 ieee802_1x_update_sta_identity(hapd, sta, msg); 2028 ieee802_1x_update_sta_cui(hapd, sta, msg); 2029 ieee802_1x_check_hs20(hapd, sta, msg, 2030 session_timeout_set ? 2031 (int) session_timeout : -1); 2032 break; 2033 case RADIUS_CODE_ACCESS_REJECT: 2034 sm->eap_if->aaaFail = true; 2035 override_eapReq = 1; 2036 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE, 2037 &reason_code) == 0) { 2038 wpa_printf(MSG_DEBUG, 2039 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for " 2040 MACSTR, reason_code, MAC2STR(sta->addr)); 2041 sta->disconnect_reason_code = reason_code; 2042 } 2043 break; 2044 case RADIUS_CODE_ACCESS_CHALLENGE: 2045 sm->eap_if->aaaEapReq = true; 2046 if (session_timeout_set) { 2047 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 2048 sm->eap_if->aaaMethodTimeout = session_timeout; 2049 hostapd_logger(hapd, sm->addr, 2050 HOSTAPD_MODULE_IEEE8021X, 2051 HOSTAPD_LEVEL_DEBUG, 2052 "using EAP timeout of %d seconds (from RADIUS)", 2053 sm->eap_if->aaaMethodTimeout); 2054 } else { 2055 /* 2056 * Use dynamic retransmission behavior per EAP 2057 * specification. 2058 */ 2059 sm->eap_if->aaaMethodTimeout = 0; 2060 } 2061 break; 2062 } 2063 2064 ieee802_1x_decapsulate_radius(hapd, sta); 2065 if (override_eapReq) 2066 sm->eap_if->aaaEapReq = false; 2067 2068 #ifdef CONFIG_FILS 2069 #ifdef NEED_AP_MLME 2070 if (sta->flags & 2071 (WLAN_STA_PENDING_FILS_ERP | WLAN_STA_PENDING_PASN_FILS_ERP)) { 2072 /* TODO: Add a PMKSA entry on success? */ 2073 ieee802_11_finish_fils_auth( 2074 hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT, 2075 sm->eap_if->aaaEapReqData, 2076 sm->eap_if->aaaEapKeyData, 2077 sm->eap_if->aaaEapKeyDataLen); 2078 } 2079 #endif /* NEED_AP_MLME */ 2080 #endif /* CONFIG_FILS */ 2081 2082 eapol_auth_step(sm); 2083 2084 return RADIUS_RX_QUEUED; 2085 } 2086 #endif /* CONFIG_NO_RADIUS */ 2087 2088 2089 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 2090 { 2091 struct eapol_state_machine *sm = sta->eapol_sm; 2092 2093 if (!sm) 2094 return; 2095 2096 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2097 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 2098 2099 #ifndef CONFIG_NO_RADIUS 2100 radius_msg_free(sm->last_recv_radius); 2101 sm->last_recv_radius = NULL; 2102 #endif /* CONFIG_NO_RADIUS */ 2103 2104 if (sm->eap_if->eapTimeout) { 2105 /* 2106 * Disconnect the STA since it did not reply to the last EAP 2107 * request and we cannot continue EAP processing (EAP-Failure 2108 * could only be sent if the EAP peer actually replied). 2109 */ 2110 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 2111 MAC2STR(sta->addr)); 2112 2113 sm->eap_if->portEnabled = false; 2114 ap_sta_disconnect(hapd, sta, sta->addr, 2115 WLAN_REASON_PREV_AUTH_NOT_VALID); 2116 } 2117 } 2118 2119 2120 #ifdef CONFIG_WEP 2121 2122 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 2123 { 2124 struct eapol_authenticator *eapol = hapd->eapol_auth; 2125 2126 if (hapd->conf->default_wep_key_len < 1) 2127 return 0; 2128 2129 os_free(eapol->default_wep_key); 2130 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 2131 if (!eapol->default_wep_key || 2132 random_get_bytes(eapol->default_wep_key, 2133 hapd->conf->default_wep_key_len)) { 2134 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 2135 os_free(eapol->default_wep_key); 2136 eapol->default_wep_key = NULL; 2137 return -1; 2138 } 2139 2140 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 2141 eapol->default_wep_key, 2142 hapd->conf->default_wep_key_len); 2143 2144 return 0; 2145 } 2146 2147 2148 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 2149 struct sta_info *sta, void *ctx) 2150 { 2151 if (sta->eapol_sm) { 2152 sta->eapol_sm->eap_if->eapKeyAvailable = true; 2153 eapol_auth_step(sta->eapol_sm); 2154 } 2155 return 0; 2156 } 2157 2158 2159 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 2160 { 2161 struct hostapd_data *hapd = eloop_ctx; 2162 struct eapol_authenticator *eapol = hapd->eapol_auth; 2163 2164 if (eapol->default_wep_key_idx >= 3) 2165 eapol->default_wep_key_idx = 2166 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 2167 else 2168 eapol->default_wep_key_idx++; 2169 2170 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 2171 eapol->default_wep_key_idx); 2172 2173 if (ieee802_1x_rekey_broadcast(hapd)) { 2174 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2175 HOSTAPD_LEVEL_WARNING, 2176 "failed to generate a new broadcast key"); 2177 os_free(eapol->default_wep_key); 2178 eapol->default_wep_key = NULL; 2179 return; 2180 } 2181 2182 /* TODO: Could setup key for RX here, but change default TX keyid only 2183 * after new broadcast key has been sent to all stations. */ 2184 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 2185 broadcast_ether_addr, 2186 eapol->default_wep_key_idx, 0, 1, NULL, 0, 2187 eapol->default_wep_key, 2188 hapd->conf->default_wep_key_len, 2189 KEY_FLAG_GROUP_RX_TX_DEFAULT)) { 2190 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2191 HOSTAPD_LEVEL_WARNING, 2192 "failed to configure a new broadcast key"); 2193 os_free(eapol->default_wep_key); 2194 eapol->default_wep_key = NULL; 2195 return; 2196 } 2197 2198 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 2199 2200 if (hapd->conf->wep_rekeying_period > 0) { 2201 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 2202 ieee802_1x_rekey, hapd, NULL); 2203 } 2204 } 2205 2206 #endif /* CONFIG_WEP */ 2207 2208 2209 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 2210 const u8 *data, size_t datalen) 2211 { 2212 #ifdef CONFIG_WPS 2213 struct sta_info *sta = sta_ctx; 2214 2215 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 2216 WLAN_STA_MAYBE_WPS) { 2217 const u8 *identity; 2218 size_t identity_len; 2219 struct eapol_state_machine *sm = sta->eapol_sm; 2220 2221 identity = eap_get_identity(sm->eap, &identity_len); 2222 if (identity && 2223 ((identity_len == WSC_ID_ENROLLEE_LEN && 2224 os_memcmp(identity, WSC_ID_ENROLLEE, 2225 WSC_ID_ENROLLEE_LEN) == 0) || 2226 (identity_len == WSC_ID_REGISTRAR_LEN && 2227 os_memcmp(identity, WSC_ID_REGISTRAR, 2228 WSC_ID_REGISTRAR_LEN) == 0))) { 2229 wpa_printf(MSG_DEBUG, 2230 "WPS: WLAN_STA_MAYBE_WPS -> WLAN_STA_WPS"); 2231 sta->flags |= WLAN_STA_WPS; 2232 } 2233 } 2234 #endif /* CONFIG_WPS */ 2235 2236 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 2237 } 2238 2239 2240 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 2241 const u8 *data, size_t datalen) 2242 { 2243 #ifndef CONFIG_NO_RADIUS 2244 struct hostapd_data *hapd = ctx; 2245 struct sta_info *sta = sta_ctx; 2246 2247 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 2248 #endif /* CONFIG_NO_RADIUS */ 2249 } 2250 2251 2252 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2253 int preauth, int remediation) 2254 { 2255 struct hostapd_data *hapd = ctx; 2256 struct sta_info *sta = sta_ctx; 2257 2258 if (preauth) 2259 rsn_preauth_finished(hapd, sta, success); 2260 else 2261 ieee802_1x_finished(hapd, sta, success, remediation); 2262 } 2263 2264 2265 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2266 size_t identity_len, int phase2, 2267 struct eap_user *user) 2268 { 2269 struct hostapd_data *hapd = ctx; 2270 const struct hostapd_eap_user *eap_user; 2271 int i; 2272 int rv = -1; 2273 2274 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2275 if (!eap_user) 2276 goto out; 2277 2278 os_memset(user, 0, sizeof(*user)); 2279 user->phase2 = phase2; 2280 for (i = 0; i < EAP_MAX_METHODS; i++) { 2281 user->methods[i].vendor = eap_user->methods[i].vendor; 2282 user->methods[i].method = eap_user->methods[i].method; 2283 } 2284 2285 if (eap_user->password) { 2286 user->password = os_memdup(eap_user->password, 2287 eap_user->password_len); 2288 if (!user->password) 2289 goto out; 2290 user->password_len = eap_user->password_len; 2291 user->password_hash = eap_user->password_hash; 2292 if (eap_user->salt && eap_user->salt_len) { 2293 user->salt = os_memdup(eap_user->salt, 2294 eap_user->salt_len); 2295 if (!user->salt) 2296 goto out; 2297 user->salt_len = eap_user->salt_len; 2298 } 2299 } 2300 user->force_version = eap_user->force_version; 2301 user->macacl = eap_user->macacl; 2302 user->ttls_auth = eap_user->ttls_auth; 2303 user->remediation = eap_user->remediation; 2304 rv = 0; 2305 2306 out: 2307 if (rv) 2308 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2309 2310 return rv; 2311 } 2312 2313 2314 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2315 { 2316 struct hostapd_data *hapd = ctx; 2317 struct sta_info *sta; 2318 2319 sta = ap_get_sta(hapd, addr); 2320 if (!sta || !sta->eapol_sm) 2321 return 0; 2322 return 1; 2323 } 2324 2325 2326 static void ieee802_1x_logger(void *ctx, const u8 *addr, 2327 eapol_logger_level level, const char *txt) 2328 { 2329 #ifndef CONFIG_NO_HOSTAPD_LOGGER 2330 struct hostapd_data *hapd = ctx; 2331 int hlevel; 2332 2333 switch (level) { 2334 case EAPOL_LOGGER_WARNING: 2335 hlevel = HOSTAPD_LEVEL_WARNING; 2336 break; 2337 case EAPOL_LOGGER_INFO: 2338 hlevel = HOSTAPD_LEVEL_INFO; 2339 break; 2340 case EAPOL_LOGGER_DEBUG: 2341 default: 2342 hlevel = HOSTAPD_LEVEL_DEBUG; 2343 break; 2344 } 2345 2346 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2347 txt); 2348 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2349 } 2350 2351 2352 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2353 int authorized) 2354 { 2355 struct hostapd_data *hapd = ctx; 2356 struct sta_info *sta = sta_ctx; 2357 2358 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2359 } 2360 2361 2362 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2363 { 2364 struct hostapd_data *hapd = ctx; 2365 struct sta_info *sta = sta_ctx; 2366 2367 ieee802_1x_abort_auth(hapd, sta); 2368 } 2369 2370 2371 #ifdef CONFIG_WEP 2372 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2373 { 2374 #ifndef CONFIG_FIPS 2375 #ifndef CONFIG_NO_RC4 2376 struct hostapd_data *hapd = ctx; 2377 struct sta_info *sta = sta_ctx; 2378 2379 ieee802_1x_tx_key(hapd, sta); 2380 #endif /* CONFIG_NO_RC4 */ 2381 #endif /* CONFIG_FIPS */ 2382 } 2383 #endif /* CONFIG_WEP */ 2384 2385 2386 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2387 enum eapol_event type) 2388 { 2389 /* struct hostapd_data *hapd = ctx; */ 2390 struct sta_info *sta = sta_ctx; 2391 2392 switch (type) { 2393 case EAPOL_AUTH_SM_CHANGE: 2394 wpa_auth_sm_notify(sta->wpa_sm); 2395 break; 2396 case EAPOL_AUTH_REAUTHENTICATE: 2397 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2398 break; 2399 } 2400 } 2401 2402 2403 #ifdef CONFIG_ERP 2404 2405 static struct eap_server_erp_key * 2406 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2407 { 2408 struct hostapd_data *hapd = ctx; 2409 struct eap_server_erp_key *erp; 2410 2411 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2412 list) { 2413 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2414 return erp; 2415 } 2416 2417 return NULL; 2418 } 2419 2420 2421 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2422 { 2423 struct hostapd_data *hapd = ctx; 2424 2425 dl_list_add(&hapd->erp_keys, &erp->list); 2426 return 0; 2427 } 2428 2429 #endif /* CONFIG_ERP */ 2430 2431 2432 int ieee802_1x_init(struct hostapd_data *hapd) 2433 { 2434 struct eapol_auth_config conf; 2435 struct eapol_auth_cb cb; 2436 2437 dl_list_init(&hapd->erp_keys); 2438 2439 os_memset(&conf, 0, sizeof(conf)); 2440 conf.eap_cfg = hapd->eap_cfg; 2441 conf.ctx = hapd; 2442 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2443 conf.wpa = hapd->conf->wpa; 2444 #ifdef CONFIG_WEP 2445 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2446 #endif /* CONFIG_WEP */ 2447 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2448 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2449 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2450 conf.erp_domain = hapd->conf->erp_domain; 2451 2452 os_memset(&cb, 0, sizeof(cb)); 2453 cb.eapol_send = ieee802_1x_eapol_send; 2454 cb.aaa_send = ieee802_1x_aaa_send; 2455 cb.finished = _ieee802_1x_finished; 2456 cb.get_eap_user = ieee802_1x_get_eap_user; 2457 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2458 cb.logger = ieee802_1x_logger; 2459 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2460 cb.abort_auth = _ieee802_1x_abort_auth; 2461 #ifdef CONFIG_WEP 2462 cb.tx_key = _ieee802_1x_tx_key; 2463 #endif /* CONFIG_WEP */ 2464 cb.eapol_event = ieee802_1x_eapol_event; 2465 #ifdef CONFIG_ERP 2466 cb.erp_get_key = ieee802_1x_erp_get_key; 2467 cb.erp_add_key = ieee802_1x_erp_add_key; 2468 #endif /* CONFIG_ERP */ 2469 2470 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2471 if (!hapd->eapol_auth) 2472 return -1; 2473 2474 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2475 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2476 return -1; 2477 2478 #ifndef CONFIG_NO_RADIUS 2479 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2480 ieee802_1x_receive_auth, hapd)) 2481 return -1; 2482 #endif /* CONFIG_NO_RADIUS */ 2483 2484 #ifdef CONFIG_WEP 2485 if (hapd->conf->default_wep_key_len) { 2486 int i; 2487 2488 for (i = 0; i < 4; i++) 2489 hostapd_drv_set_key(hapd->conf->iface, hapd, 2490 WPA_ALG_NONE, NULL, i, 0, 0, NULL, 2491 0, NULL, 0, KEY_FLAG_GROUP); 2492 2493 ieee802_1x_rekey(hapd, NULL); 2494 2495 if (!hapd->eapol_auth->default_wep_key) 2496 return -1; 2497 } 2498 #endif /* CONFIG_WEP */ 2499 2500 return 0; 2501 } 2502 2503 2504 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2505 { 2506 struct eap_server_erp_key *erp; 2507 2508 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2509 list)) != NULL) { 2510 dl_list_del(&erp->list); 2511 bin_clear_free(erp, sizeof(*erp)); 2512 } 2513 } 2514 2515 2516 void ieee802_1x_deinit(struct hostapd_data *hapd) 2517 { 2518 #ifdef CONFIG_WEP 2519 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2520 #endif /* CONFIG_WEP */ 2521 2522 if (hapd->driver && hapd->drv_priv && 2523 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2524 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2525 2526 eapol_auth_deinit(hapd->eapol_auth); 2527 hapd->eapol_auth = NULL; 2528 2529 ieee802_1x_erp_flush(hapd); 2530 } 2531 2532 2533 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2534 const u8 *buf, size_t len, int ack) 2535 { 2536 struct ieee80211_hdr *hdr; 2537 u8 *pos; 2538 const unsigned char rfc1042_hdr[ETH_ALEN] = 2539 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2540 2541 if (!sta) 2542 return -1; 2543 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2544 return 0; 2545 2546 hdr = (struct ieee80211_hdr *) buf; 2547 pos = (u8 *) (hdr + 1); 2548 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2549 return 0; 2550 pos += sizeof(rfc1042_hdr); 2551 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2552 return 0; 2553 pos += 2; 2554 2555 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2556 ack); 2557 } 2558 2559 2560 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2561 const u8 *buf, int len, int ack) 2562 { 2563 const struct ieee802_1x_hdr *xhdr = 2564 (const struct ieee802_1x_hdr *) buf; 2565 const u8 *pos = buf + sizeof(*xhdr); 2566 struct ieee802_1x_eapol_key *key; 2567 2568 if (len < (int) sizeof(*xhdr)) 2569 return 0; 2570 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR 2571 " TX status - version=%d type=%d length=%d - ack=%d", 2572 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2573 be_to_host16(xhdr->length), ack); 2574 2575 #ifdef CONFIG_WPS 2576 if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack && 2577 (sta->flags & WLAN_STA_WPS) && 2578 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) { 2579 wpa_printf(MSG_DEBUG, 2580 "WPS: Indicate EAP completion on ACK for EAP-Failure"); 2581 hostapd_wps_eap_completed(hapd); 2582 } 2583 #endif /* CONFIG_WPS */ 2584 2585 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2586 return 0; 2587 2588 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2589 const struct wpa_eapol_key *wpa; 2590 2591 wpa = (const struct wpa_eapol_key *) pos; 2592 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2593 wpa->type == EAPOL_KEY_TYPE_WPA) 2594 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2595 sta->wpa_sm, ack); 2596 } 2597 2598 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2599 * or Authenticator state machines, but EAPOL-Key packets are not 2600 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2601 * packets couple of times because otherwise STA keys become 2602 * unsynchronized with AP. */ 2603 if (!ack && pos + sizeof(*key) <= buf + len) { 2604 key = (struct ieee802_1x_eapol_key *) pos; 2605 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2606 HOSTAPD_LEVEL_DEBUG, 2607 "did not Ack EAPOL-Key frame (%scast index=%d)", 2608 key->key_index & BIT(7) ? "uni" : "broad", 2609 key->key_index & ~BIT(7)); 2610 /* TODO: re-send EAPOL-Key couple of times (with short delay 2611 * between them?). If all attempt fail, report error and 2612 * deauthenticate STA so that it will get new keys when 2613 * authenticating again (e.g., after returning in range). 2614 * Separate limit/transmit state needed both for unicast and 2615 * broadcast keys(?) */ 2616 } 2617 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2618 * to here and change the key only if the EAPOL-Key packet was Acked. 2619 */ 2620 2621 return 1; 2622 } 2623 2624 2625 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2626 { 2627 if (!sm || !sm->identity) 2628 return NULL; 2629 2630 *len = sm->identity_len; 2631 return sm->identity; 2632 } 2633 2634 2635 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2636 int idx) 2637 { 2638 if (!sm || !sm->radius_class.attr || 2639 idx >= (int) sm->radius_class.count) 2640 return NULL; 2641 2642 *len = sm->radius_class.attr[idx].len; 2643 return sm->radius_class.attr[idx].data; 2644 } 2645 2646 2647 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2648 { 2649 if (!sm) 2650 return NULL; 2651 return sm->radius_cui; 2652 } 2653 2654 2655 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2656 { 2657 *len = 0; 2658 if (!sm) 2659 return NULL; 2660 2661 *len = sm->eap_if->eapKeyDataLen; 2662 return sm->eap_if->eapKeyData; 2663 } 2664 2665 2666 #ifdef CONFIG_MACSEC 2667 const u8 * ieee802_1x_get_session_id(struct eapol_state_machine *sm, 2668 size_t *len) 2669 { 2670 *len = 0; 2671 if (!sm || !sm->eap_if) 2672 return NULL; 2673 2674 *len = sm->eap_if->eapSessionIdLen; 2675 return sm->eap_if->eapSessionId; 2676 } 2677 #endif /* CONFIG_MACSEC */ 2678 2679 2680 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2681 bool enabled) 2682 { 2683 if (!sm) 2684 return; 2685 sm->eap_if->portEnabled = enabled; 2686 eapol_auth_step(sm); 2687 } 2688 2689 2690 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, bool valid) 2691 { 2692 if (!sm) 2693 return; 2694 sm->portValid = valid; 2695 eapol_auth_step(sm); 2696 } 2697 2698 2699 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, bool pre_auth) 2700 { 2701 if (!sm) 2702 return; 2703 if (pre_auth) 2704 sm->flags |= EAPOL_SM_PREAUTH; 2705 else 2706 sm->flags &= ~EAPOL_SM_PREAUTH; 2707 } 2708 2709 2710 static const char * bool_txt(bool val) 2711 { 2712 return val ? "TRUE" : "FALSE"; 2713 } 2714 2715 2716 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2717 { 2718 /* TODO */ 2719 return 0; 2720 } 2721 2722 2723 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2724 char *buf, size_t buflen) 2725 { 2726 int len = 0, ret; 2727 struct eapol_state_machine *sm = sta->eapol_sm; 2728 struct os_reltime diff; 2729 const char *name1; 2730 const char *name2; 2731 char *identity_buf = NULL; 2732 2733 if (!sm) 2734 return 0; 2735 2736 ret = os_snprintf(buf + len, buflen - len, 2737 "dot1xPaePortNumber=%d\n" 2738 "dot1xPaePortProtocolVersion=%d\n" 2739 "dot1xPaePortCapabilities=1\n" 2740 "dot1xPaePortInitialize=%d\n" 2741 "dot1xPaePortReauthenticate=FALSE\n", 2742 sta->aid, 2743 EAPOL_VERSION, 2744 sm->initialize); 2745 if (os_snprintf_error(buflen - len, ret)) 2746 return len; 2747 len += ret; 2748 2749 /* dot1xAuthConfigTable */ 2750 ret = os_snprintf(buf + len, buflen - len, 2751 "dot1xAuthPaeState=%d\n" 2752 "dot1xAuthBackendAuthState=%d\n" 2753 "dot1xAuthAdminControlledDirections=%d\n" 2754 "dot1xAuthOperControlledDirections=%d\n" 2755 "dot1xAuthAuthControlledPortStatus=%d\n" 2756 "dot1xAuthAuthControlledPortControl=%d\n" 2757 "dot1xAuthQuietPeriod=%u\n" 2758 "dot1xAuthServerTimeout=%u\n" 2759 "dot1xAuthReAuthPeriod=%u\n" 2760 "dot1xAuthReAuthEnabled=%s\n" 2761 "dot1xAuthKeyTxEnabled=%s\n", 2762 sm->auth_pae_state + 1, 2763 sm->be_auth_state + 1, 2764 sm->adminControlledDirections, 2765 sm->operControlledDirections, 2766 sm->authPortStatus, 2767 sm->portControl, 2768 sm->quietPeriod, 2769 sm->serverTimeout, 2770 sm->reAuthPeriod, 2771 bool_txt(sm->reAuthEnabled), 2772 bool_txt(sm->keyTxEnabled)); 2773 if (os_snprintf_error(buflen - len, ret)) 2774 return len; 2775 len += ret; 2776 2777 /* dot1xAuthStatsTable */ 2778 ret = os_snprintf(buf + len, buflen - len, 2779 "dot1xAuthEapolFramesRx=%u\n" 2780 "dot1xAuthEapolFramesTx=%u\n" 2781 "dot1xAuthEapolStartFramesRx=%u\n" 2782 "dot1xAuthEapolLogoffFramesRx=%u\n" 2783 "dot1xAuthEapolRespIdFramesRx=%u\n" 2784 "dot1xAuthEapolRespFramesRx=%u\n" 2785 "dot1xAuthEapolReqIdFramesTx=%u\n" 2786 "dot1xAuthEapolReqFramesTx=%u\n" 2787 "dot1xAuthInvalidEapolFramesRx=%u\n" 2788 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2789 "dot1xAuthLastEapolFrameVersion=%u\n" 2790 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2791 sm->dot1xAuthEapolFramesRx, 2792 sm->dot1xAuthEapolFramesTx, 2793 sm->dot1xAuthEapolStartFramesRx, 2794 sm->dot1xAuthEapolLogoffFramesRx, 2795 sm->dot1xAuthEapolRespIdFramesRx, 2796 sm->dot1xAuthEapolRespFramesRx, 2797 sm->dot1xAuthEapolReqIdFramesTx, 2798 sm->dot1xAuthEapolReqFramesTx, 2799 sm->dot1xAuthInvalidEapolFramesRx, 2800 sm->dot1xAuthEapLengthErrorFramesRx, 2801 sm->dot1xAuthLastEapolFrameVersion, 2802 MAC2STR(sm->addr)); 2803 if (os_snprintf_error(buflen - len, ret)) 2804 return len; 2805 len += ret; 2806 2807 /* dot1xAuthDiagTable */ 2808 ret = os_snprintf(buf + len, buflen - len, 2809 "dot1xAuthEntersConnecting=%u\n" 2810 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2811 "dot1xAuthEntersAuthenticating=%u\n" 2812 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2813 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2814 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2815 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2816 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2817 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2818 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2819 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2820 "dot1xAuthBackendResponses=%u\n" 2821 "dot1xAuthBackendAccessChallenges=%u\n" 2822 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2823 "dot1xAuthBackendAuthSuccesses=%u\n" 2824 "dot1xAuthBackendAuthFails=%u\n", 2825 sm->authEntersConnecting, 2826 sm->authEapLogoffsWhileConnecting, 2827 sm->authEntersAuthenticating, 2828 sm->authAuthSuccessesWhileAuthenticating, 2829 sm->authAuthTimeoutsWhileAuthenticating, 2830 sm->authAuthFailWhileAuthenticating, 2831 sm->authAuthEapStartsWhileAuthenticating, 2832 sm->authAuthEapLogoffWhileAuthenticating, 2833 sm->authAuthReauthsWhileAuthenticated, 2834 sm->authAuthEapStartsWhileAuthenticated, 2835 sm->authAuthEapLogoffWhileAuthenticated, 2836 sm->backendResponses, 2837 sm->backendAccessChallenges, 2838 sm->backendOtherRequestsToSupplicant, 2839 sm->backendAuthSuccesses, 2840 sm->backendAuthFails); 2841 if (os_snprintf_error(buflen - len, ret)) 2842 return len; 2843 len += ret; 2844 2845 /* dot1xAuthSessionStatsTable */ 2846 os_reltime_age(&sta->acct_session_start, &diff); 2847 if (sm->eap && !sm->identity) { 2848 const u8 *id; 2849 size_t id_len; 2850 2851 id = eap_get_identity(sm->eap, &id_len); 2852 if (id) 2853 identity_buf = dup_binstr(id, id_len); 2854 } 2855 ret = os_snprintf(buf + len, buflen - len, 2856 /* TODO: dot1xAuthSessionOctetsRx */ 2857 /* TODO: dot1xAuthSessionOctetsTx */ 2858 /* TODO: dot1xAuthSessionFramesRx */ 2859 /* TODO: dot1xAuthSessionFramesTx */ 2860 "dot1xAuthSessionId=%016llX\n" 2861 "dot1xAuthSessionAuthenticMethod=%d\n" 2862 "dot1xAuthSessionTime=%u\n" 2863 "dot1xAuthSessionTerminateCause=999\n" 2864 "dot1xAuthSessionUserName=%s\n", 2865 (unsigned long long) sta->acct_session_id, 2866 (wpa_key_mgmt_wpa_ieee8021x( 2867 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2868 1 : 2, 2869 (unsigned int) diff.sec, 2870 sm->identity ? (char *) sm->identity : 2871 (identity_buf ? identity_buf : "N/A")); 2872 os_free(identity_buf); 2873 if (os_snprintf_error(buflen - len, ret)) 2874 return len; 2875 len += ret; 2876 2877 if (sm->acct_multi_session_id) { 2878 ret = os_snprintf(buf + len, buflen - len, 2879 "authMultiSessionId=%016llX\n", 2880 (unsigned long long) 2881 sm->acct_multi_session_id); 2882 if (os_snprintf_error(buflen - len, ret)) 2883 return len; 2884 len += ret; 2885 } 2886 2887 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2888 name2 = eap_server_get_name(0, sm->eap_type_supp); 2889 ret = os_snprintf(buf + len, buflen - len, 2890 "last_eap_type_as=%d (%s)\n" 2891 "last_eap_type_sta=%d (%s)\n", 2892 sm->eap_type_authsrv, name1, 2893 sm->eap_type_supp, name2); 2894 if (os_snprintf_error(buflen - len, ret)) 2895 return len; 2896 len += ret; 2897 2898 return len; 2899 } 2900 2901 2902 #ifdef CONFIG_HS20 2903 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2904 { 2905 struct hostapd_data *hapd = eloop_ctx; 2906 struct sta_info *sta = timeout_ctx; 2907 2908 if (sta->remediation) { 2909 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2910 MACSTR " to indicate Subscription Remediation", 2911 MAC2STR(sta->addr)); 2912 hs20_send_wnm_notification(hapd, sta->addr, 2913 sta->remediation_method, 2914 sta->remediation_url); 2915 os_free(sta->remediation_url); 2916 sta->remediation_url = NULL; 2917 } 2918 2919 if (sta->hs20_deauth_req) { 2920 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2921 MACSTR " to indicate imminent deauthentication", 2922 MAC2STR(sta->addr)); 2923 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2924 sta->hs20_deauth_req); 2925 } 2926 2927 if (sta->hs20_t_c_filtering) { 2928 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2929 MACSTR " to indicate Terms and Conditions filtering", 2930 MAC2STR(sta->addr)); 2931 hs20_send_wnm_notification_t_c(hapd, sta->addr, sta->t_c_url); 2932 os_free(sta->t_c_url); 2933 sta->t_c_url = NULL; 2934 } 2935 } 2936 #endif /* CONFIG_HS20 */ 2937 2938 2939 static void ieee802_1x_finished(struct hostapd_data *hapd, 2940 struct sta_info *sta, int success, 2941 int remediation) 2942 { 2943 const u8 *key; 2944 size_t len; 2945 /* TODO: get PMKLifetime from WPA parameters */ 2946 static const int dot11RSNAConfigPMKLifetime = 43200; 2947 unsigned int session_timeout; 2948 struct os_reltime now, remaining; 2949 2950 #ifdef CONFIG_HS20 2951 if (remediation && !sta->remediation) { 2952 sta->remediation = 1; 2953 os_free(sta->remediation_url); 2954 sta->remediation_url = 2955 os_strdup(hapd->conf->subscr_remediation_url); 2956 sta->remediation_method = 1; /* SOAP-XML SPP */ 2957 } 2958 2959 if (success && (sta->remediation || sta->hs20_deauth_req || 2960 sta->hs20_t_c_filtering)) { 2961 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2962 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2963 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2964 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2965 hapd, sta); 2966 } 2967 #endif /* CONFIG_HS20 */ 2968 2969 #ifdef CONFIG_MACSEC 2970 ieee802_1x_notify_create_actor_hapd(hapd, sta); 2971 #endif /* CONFIG_MACSEC */ 2972 2973 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2974 if (sta->session_timeout_set) { 2975 os_get_reltime(&now); 2976 os_reltime_sub(&sta->session_timeout, &now, &remaining); 2977 session_timeout = (remaining.sec > 0) ? remaining.sec : 1; 2978 } else { 2979 session_timeout = dot11RSNAConfigPMKLifetime; 2980 } 2981 if (success && key && len >= PMK_LEN && !sta->remediation && 2982 !sta->hs20_deauth_requested && 2983 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2984 sta->eapol_sm) == 0) { 2985 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2986 HOSTAPD_LEVEL_DEBUG, 2987 "Added PMKSA cache entry (IEEE 802.1X)"); 2988 } 2989 2990 if (!success) { 2991 /* 2992 * Many devices require deauthentication after WPS provisioning 2993 * and some may not be be able to do that themselves, so 2994 * disconnect the client here. In addition, this may also 2995 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2996 * the EAPOL PAE state machine would remain in HELD state for 2997 * considerable amount of time and some EAP methods, like 2998 * EAP-FAST with anonymous provisioning, may require another 2999 * EAPOL authentication to be started to complete connection. 3000 */ 3001 ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta); 3002 } 3003 } 3004