1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "utils/includes.h" 16 17 #include "utils/common.h" 18 #include "utils/eloop.h" 19 #include "crypto/md5.h" 20 #include "crypto/crypto.h" 21 #include "crypto/random.h" 22 #include "common/ieee802_11_defs.h" 23 #include "common/wpa_ctrl.h" 24 #include "radius/radius.h" 25 #include "radius/radius_client.h" 26 #include "eap_server/eap.h" 27 #include "eap_common/eap_wsc_common.h" 28 #include "eapol_auth/eapol_auth_sm.h" 29 #include "eapol_auth/eapol_auth_sm_i.h" 30 #include "p2p/p2p.h" 31 #include "hostapd.h" 32 #include "accounting.h" 33 #include "sta_info.h" 34 #include "wpa_auth.h" 35 #include "preauth_auth.h" 36 #include "pmksa_cache_auth.h" 37 #include "ap_config.h" 38 #include "ap_drv_ops.h" 39 #include "ieee802_1x.h" 40 41 42 static void ieee802_1x_finished(struct hostapd_data *hapd, 43 struct sta_info *sta, int success); 44 45 46 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 47 u8 type, const u8 *data, size_t datalen) 48 { 49 u8 *buf; 50 struct ieee802_1x_hdr *xhdr; 51 size_t len; 52 int encrypt = 0; 53 54 len = sizeof(*xhdr) + datalen; 55 buf = os_zalloc(len); 56 if (buf == NULL) { 57 wpa_printf(MSG_ERROR, "malloc() failed for " 58 "ieee802_1x_send(len=%lu)", 59 (unsigned long) len); 60 return; 61 } 62 63 xhdr = (struct ieee802_1x_hdr *) buf; 64 xhdr->version = hapd->conf->eapol_version; 65 xhdr->type = type; 66 xhdr->length = host_to_be16(datalen); 67 68 if (datalen > 0 && data != NULL) 69 os_memcpy(xhdr + 1, data, datalen); 70 71 if (wpa_auth_pairwise_set(sta->wpa_sm)) 72 encrypt = 1; 73 if (sta->flags & WLAN_STA_PREAUTH) { 74 rsn_preauth_send(hapd, sta, buf, len); 75 } else { 76 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 77 encrypt, sta->flags); 78 } 79 80 os_free(buf); 81 } 82 83 84 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 85 struct sta_info *sta, int authorized) 86 { 87 int res; 88 89 if (sta->flags & WLAN_STA_PREAUTH) 90 return; 91 92 if (authorized) { 93 ap_sta_set_authorized(hapd, sta, 1); 94 res = hostapd_set_authorized(hapd, sta, 1); 95 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 96 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 97 } else { 98 ap_sta_set_authorized(hapd, sta, 0); 99 res = hostapd_set_authorized(hapd, sta, 0); 100 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 101 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 102 } 103 104 if (res && errno != ENOENT) { 105 printf("Could not set station " MACSTR " flags for kernel " 106 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 107 } 108 109 if (authorized) 110 accounting_sta_start(hapd, sta); 111 } 112 113 114 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 115 struct sta_info *sta, 116 int idx, int broadcast, 117 u8 *key_data, size_t key_len) 118 { 119 u8 *buf, *ekey; 120 struct ieee802_1x_hdr *hdr; 121 struct ieee802_1x_eapol_key *key; 122 size_t len, ekey_len; 123 struct eapol_state_machine *sm = sta->eapol_sm; 124 125 if (sm == NULL) 126 return; 127 128 len = sizeof(*key) + key_len; 129 buf = os_zalloc(sizeof(*hdr) + len); 130 if (buf == NULL) 131 return; 132 133 hdr = (struct ieee802_1x_hdr *) buf; 134 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 135 key->type = EAPOL_KEY_TYPE_RC4; 136 key->key_length = htons(key_len); 137 wpa_get_ntp_timestamp(key->replay_counter); 138 139 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 140 wpa_printf(MSG_ERROR, "Could not get random numbers"); 141 os_free(buf); 142 return; 143 } 144 145 key->key_index = idx | (broadcast ? 0 : BIT(7)); 146 if (hapd->conf->eapol_key_index_workaround) { 147 /* According to some information, WinXP Supplicant seems to 148 * interpret bit7 as an indication whether the key is to be 149 * activated, so make it possible to enable workaround that 150 * sets this bit for all keys. */ 151 key->key_index |= BIT(7); 152 } 153 154 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 155 * MSK[32..63] is used to sign the message. */ 156 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 157 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 158 "and signing EAPOL-Key"); 159 os_free(buf); 160 return; 161 } 162 os_memcpy((u8 *) (key + 1), key_data, key_len); 163 ekey_len = sizeof(key->key_iv) + 32; 164 ekey = os_malloc(ekey_len); 165 if (ekey == NULL) { 166 wpa_printf(MSG_ERROR, "Could not encrypt key"); 167 os_free(buf); 168 return; 169 } 170 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 171 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 172 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 173 os_free(ekey); 174 175 /* This header is needed here for HMAC-MD5, but it will be regenerated 176 * in ieee802_1x_send() */ 177 hdr->version = hapd->conf->eapol_version; 178 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 179 hdr->length = host_to_be16(len); 180 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 181 key->key_signature); 182 183 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 184 " (%s index=%d)", MAC2STR(sm->addr), 185 broadcast ? "broadcast" : "unicast", idx); 186 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 187 if (sta->eapol_sm) 188 sta->eapol_sm->dot1xAuthEapolFramesTx++; 189 os_free(buf); 190 } 191 192 193 #ifndef CONFIG_NO_VLAN 194 static struct hostapd_wep_keys * 195 ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 196 { 197 struct hostapd_wep_keys *key; 198 199 key = os_zalloc(sizeof(*key)); 200 if (key == NULL) 201 return NULL; 202 203 key->default_len = hapd->conf->default_wep_key_len; 204 205 if (key->idx >= hapd->conf->broadcast_key_idx_max || 206 key->idx < hapd->conf->broadcast_key_idx_min) 207 key->idx = hapd->conf->broadcast_key_idx_min; 208 else 209 key->idx++; 210 211 if (!key->key[key->idx]) 212 key->key[key->idx] = os_malloc(key->default_len); 213 if (key->key[key->idx] == NULL || 214 random_get_bytes(key->key[key->idx], key->default_len)) { 215 printf("Could not generate random WEP key (dynamic VLAN).\n"); 216 os_free(key->key[key->idx]); 217 key->key[key->idx] = NULL; 218 os_free(key); 219 return NULL; 220 } 221 key->len[key->idx] = key->default_len; 222 223 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 224 ifname, key->idx); 225 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 226 key->key[key->idx], key->len[key->idx]); 227 228 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 229 broadcast_ether_addr, key->idx, 1, 230 NULL, 0, key->key[key->idx], 231 key->len[key->idx])) 232 printf("Could not set dynamic VLAN WEP encryption key.\n"); 233 234 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 235 236 return key; 237 } 238 239 240 static struct hostapd_wep_keys * 241 ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 242 size_t vlan_id) 243 { 244 const char *ifname; 245 246 if (vlan_id == 0) 247 return &ssid->wep; 248 249 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 250 ssid->dyn_vlan_keys[vlan_id]) 251 return ssid->dyn_vlan_keys[vlan_id]; 252 253 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 254 "state machine for VLAN ID %lu", 255 (unsigned long) vlan_id); 256 257 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 258 if (ifname == NULL) { 259 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 260 "cannot create group key state machine", 261 (unsigned long) vlan_id); 262 return NULL; 263 } 264 265 if (ssid->dyn_vlan_keys == NULL) { 266 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 267 ssid->dyn_vlan_keys = os_zalloc(size); 268 if (ssid->dyn_vlan_keys == NULL) 269 return NULL; 270 ssid->max_dyn_vlan_keys = vlan_id; 271 } 272 273 if (ssid->max_dyn_vlan_keys < vlan_id) { 274 struct hostapd_wep_keys **na; 275 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 276 na = os_realloc(ssid->dyn_vlan_keys, size); 277 if (na == NULL) 278 return NULL; 279 ssid->dyn_vlan_keys = na; 280 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 281 (vlan_id - ssid->max_dyn_vlan_keys) * 282 sizeof(ssid->dyn_vlan_keys[0])); 283 ssid->max_dyn_vlan_keys = vlan_id; 284 } 285 286 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 287 288 return ssid->dyn_vlan_keys[vlan_id]; 289 } 290 #endif /* CONFIG_NO_VLAN */ 291 292 293 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 294 { 295 struct eapol_authenticator *eapol = hapd->eapol_auth; 296 struct eapol_state_machine *sm = sta->eapol_sm; 297 #ifndef CONFIG_NO_VLAN 298 struct hostapd_wep_keys *key = NULL; 299 int vlan_id; 300 #endif /* CONFIG_NO_VLAN */ 301 302 if (sm == NULL || !sm->eap_if->eapKeyData) 303 return; 304 305 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 306 MAC2STR(sta->addr)); 307 308 #ifndef CONFIG_NO_VLAN 309 vlan_id = sta->vlan_id; 310 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 311 vlan_id = 0; 312 313 if (vlan_id) { 314 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 315 if (key && key->key[key->idx]) 316 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 317 key->key[key->idx], 318 key->len[key->idx]); 319 } else 320 #endif /* CONFIG_NO_VLAN */ 321 if (eapol->default_wep_key) { 322 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 323 eapol->default_wep_key, 324 hapd->conf->default_wep_key_len); 325 } 326 327 if (hapd->conf->individual_wep_key_len > 0) { 328 u8 *ikey; 329 ikey = os_malloc(hapd->conf->individual_wep_key_len); 330 if (ikey == NULL || 331 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 332 { 333 wpa_printf(MSG_ERROR, "Could not generate random " 334 "individual WEP key."); 335 os_free(ikey); 336 return; 337 } 338 339 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 340 ikey, hapd->conf->individual_wep_key_len); 341 342 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 343 hapd->conf->individual_wep_key_len); 344 345 /* TODO: set encryption in TX callback, i.e., only after STA 346 * has ACKed EAPOL-Key frame */ 347 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 348 sta->addr, 0, 1, NULL, 0, ikey, 349 hapd->conf->individual_wep_key_len)) { 350 wpa_printf(MSG_ERROR, "Could not set individual WEP " 351 "encryption."); 352 } 353 354 os_free(ikey); 355 } 356 } 357 358 359 const char *radius_mode_txt(struct hostapd_data *hapd) 360 { 361 switch (hapd->iface->conf->hw_mode) { 362 case HOSTAPD_MODE_IEEE80211A: 363 return "802.11a"; 364 case HOSTAPD_MODE_IEEE80211G: 365 return "802.11g"; 366 case HOSTAPD_MODE_IEEE80211B: 367 default: 368 return "802.11b"; 369 } 370 } 371 372 373 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 374 { 375 int i; 376 u8 rate = 0; 377 378 for (i = 0; i < sta->supported_rates_len; i++) 379 if ((sta->supported_rates[i] & 0x7f) > rate) 380 rate = sta->supported_rates[i] & 0x7f; 381 382 return rate; 383 } 384 385 386 #ifndef CONFIG_NO_RADIUS 387 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 388 struct eapol_state_machine *sm, 389 const u8 *eap, size_t len) 390 { 391 const u8 *identity; 392 size_t identity_len; 393 394 if (len <= sizeof(struct eap_hdr) || 395 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 396 return; 397 398 identity = eap_get_identity(sm->eap, &identity_len); 399 if (identity == NULL) 400 return; 401 402 /* Save station identity for future RADIUS packets */ 403 os_free(sm->identity); 404 sm->identity = os_malloc(identity_len + 1); 405 if (sm->identity == NULL) { 406 sm->identity_len = 0; 407 return; 408 } 409 410 os_memcpy(sm->identity, identity, identity_len); 411 sm->identity_len = identity_len; 412 sm->identity[identity_len] = '\0'; 413 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 414 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 415 sm->dot1xAuthEapolRespIdFramesRx++; 416 } 417 418 419 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 420 struct sta_info *sta, 421 const u8 *eap, size_t len) 422 { 423 struct radius_msg *msg; 424 char buf[128]; 425 struct eapol_state_machine *sm = sta->eapol_sm; 426 427 if (sm == NULL) 428 return; 429 430 ieee802_1x_learn_identity(hapd, sm, eap, len); 431 432 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 433 "packet"); 434 435 sm->radius_identifier = radius_client_get_id(hapd->radius); 436 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 437 sm->radius_identifier); 438 if (msg == NULL) { 439 printf("Could not create net RADIUS packet\n"); 440 return; 441 } 442 443 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 444 445 if (sm->identity && 446 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 447 sm->identity, sm->identity_len)) { 448 printf("Could not add User-Name\n"); 449 goto fail; 450 } 451 452 if (hapd->conf->own_ip_addr.af == AF_INET && 453 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 454 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 455 printf("Could not add NAS-IP-Address\n"); 456 goto fail; 457 } 458 459 #ifdef CONFIG_IPV6 460 if (hapd->conf->own_ip_addr.af == AF_INET6 && 461 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 462 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 463 printf("Could not add NAS-IPv6-Address\n"); 464 goto fail; 465 } 466 #endif /* CONFIG_IPV6 */ 467 468 if (hapd->conf->nas_identifier && 469 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 470 (u8 *) hapd->conf->nas_identifier, 471 os_strlen(hapd->conf->nas_identifier))) { 472 printf("Could not add NAS-Identifier\n"); 473 goto fail; 474 } 475 476 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 477 printf("Could not add NAS-Port\n"); 478 goto fail; 479 } 480 481 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 482 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 483 buf[sizeof(buf) - 1] = '\0'; 484 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 485 (u8 *) buf, os_strlen(buf))) { 486 printf("Could not add Called-Station-Id\n"); 487 goto fail; 488 } 489 490 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 491 MAC2STR(sta->addr)); 492 buf[sizeof(buf) - 1] = '\0'; 493 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 494 (u8 *) buf, os_strlen(buf))) { 495 printf("Could not add Calling-Station-Id\n"); 496 goto fail; 497 } 498 499 /* TODO: should probably check MTU from driver config; 2304 is max for 500 * IEEE 802.11, but use 1400 to avoid problems with too large packets 501 */ 502 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 503 printf("Could not add Framed-MTU\n"); 504 goto fail; 505 } 506 507 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 508 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 509 printf("Could not add NAS-Port-Type\n"); 510 goto fail; 511 } 512 513 if (sta->flags & WLAN_STA_PREAUTH) { 514 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 515 sizeof(buf)); 516 } else { 517 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 518 radius_sta_rate(hapd, sta) / 2, 519 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 520 radius_mode_txt(hapd)); 521 buf[sizeof(buf) - 1] = '\0'; 522 } 523 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 524 (u8 *) buf, os_strlen(buf))) { 525 printf("Could not add Connect-Info\n"); 526 goto fail; 527 } 528 529 if (eap && !radius_msg_add_eap(msg, eap, len)) { 530 printf("Could not add EAP-Message\n"); 531 goto fail; 532 } 533 534 /* State attribute must be copied if and only if this packet is 535 * Access-Request reply to the previous Access-Challenge */ 536 if (sm->last_recv_radius && 537 radius_msg_get_hdr(sm->last_recv_radius)->code == 538 RADIUS_CODE_ACCESS_CHALLENGE) { 539 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 540 RADIUS_ATTR_STATE); 541 if (res < 0) { 542 printf("Could not copy State attribute from previous " 543 "Access-Challenge\n"); 544 goto fail; 545 } 546 if (res > 0) { 547 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 548 } 549 } 550 551 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 552 goto fail; 553 554 return; 555 556 fail: 557 radius_msg_free(msg); 558 } 559 #endif /* CONFIG_NO_RADIUS */ 560 561 562 static void handle_eap_response(struct hostapd_data *hapd, 563 struct sta_info *sta, struct eap_hdr *eap, 564 size_t len) 565 { 566 u8 type, *data; 567 struct eapol_state_machine *sm = sta->eapol_sm; 568 if (sm == NULL) 569 return; 570 571 data = (u8 *) (eap + 1); 572 573 if (len < sizeof(*eap) + 1) { 574 printf("handle_eap_response: too short response data\n"); 575 return; 576 } 577 578 sm->eap_type_supp = type = data[0]; 579 580 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 581 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 582 "id=%d len=%d) from STA: EAP Response-%s (%d)", 583 eap->code, eap->identifier, be_to_host16(eap->length), 584 eap_server_get_name(0, type), type); 585 586 sm->dot1xAuthEapolRespFramesRx++; 587 588 wpabuf_free(sm->eap_if->eapRespData); 589 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 590 sm->eapolEap = TRUE; 591 } 592 593 594 /* Process incoming EAP packet from Supplicant */ 595 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 596 u8 *buf, size_t len) 597 { 598 struct eap_hdr *eap; 599 u16 eap_len; 600 601 if (len < sizeof(*eap)) { 602 printf(" too short EAP packet\n"); 603 return; 604 } 605 606 eap = (struct eap_hdr *) buf; 607 608 eap_len = be_to_host16(eap->length); 609 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 610 eap->code, eap->identifier, eap_len); 611 if (eap_len < sizeof(*eap)) { 612 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 613 return; 614 } else if (eap_len > len) { 615 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 616 "packet"); 617 return; 618 } else if (eap_len < len) { 619 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 620 "packet", (unsigned long) len - eap_len); 621 } 622 623 switch (eap->code) { 624 case EAP_CODE_REQUEST: 625 wpa_printf(MSG_DEBUG, " (request)"); 626 return; 627 case EAP_CODE_RESPONSE: 628 wpa_printf(MSG_DEBUG, " (response)"); 629 handle_eap_response(hapd, sta, eap, eap_len); 630 break; 631 case EAP_CODE_SUCCESS: 632 wpa_printf(MSG_DEBUG, " (success)"); 633 return; 634 case EAP_CODE_FAILURE: 635 wpa_printf(MSG_DEBUG, " (failure)"); 636 return; 637 default: 638 wpa_printf(MSG_DEBUG, " (unknown code)"); 639 return; 640 } 641 } 642 643 644 static struct eapol_state_machine * 645 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 646 { 647 int flags = 0; 648 if (sta->flags & WLAN_STA_PREAUTH) 649 flags |= EAPOL_SM_PREAUTH; 650 if (sta->wpa_sm) { 651 flags |= EAPOL_SM_USES_WPA; 652 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 653 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 654 } 655 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 656 sta->wps_ie, sta->p2p_ie, sta); 657 } 658 659 660 /** 661 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 662 * @hapd: hostapd BSS data 663 * @sa: Source address (sender of the EAPOL frame) 664 * @buf: EAPOL frame 665 * @len: Length of buf in octets 666 * 667 * This function is called for each incoming EAPOL frame from the interface 668 */ 669 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 670 size_t len) 671 { 672 struct sta_info *sta; 673 struct ieee802_1x_hdr *hdr; 674 struct ieee802_1x_eapol_key *key; 675 u16 datalen; 676 struct rsn_pmksa_cache_entry *pmksa; 677 int key_mgmt; 678 679 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 680 !hapd->conf->wps_state) 681 return; 682 683 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 684 (unsigned long) len, MAC2STR(sa)); 685 sta = ap_get_sta(hapd, sa); 686 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 687 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 688 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 689 "associated/Pre-authenticating STA"); 690 return; 691 } 692 693 if (len < sizeof(*hdr)) { 694 printf(" too short IEEE 802.1X packet\n"); 695 return; 696 } 697 698 hdr = (struct ieee802_1x_hdr *) buf; 699 datalen = be_to_host16(hdr->length); 700 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 701 hdr->version, hdr->type, datalen); 702 703 if (len - sizeof(*hdr) < datalen) { 704 printf(" frame too short for this IEEE 802.1X packet\n"); 705 if (sta->eapol_sm) 706 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 707 return; 708 } 709 if (len - sizeof(*hdr) > datalen) { 710 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 711 "IEEE 802.1X packet", 712 (unsigned long) len - sizeof(*hdr) - datalen); 713 } 714 715 if (sta->eapol_sm) { 716 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 717 sta->eapol_sm->dot1xAuthEapolFramesRx++; 718 } 719 720 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 721 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 722 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 723 (key->type == EAPOL_KEY_TYPE_WPA || 724 key->type == EAPOL_KEY_TYPE_RSN)) { 725 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 726 sizeof(*hdr) + datalen); 727 return; 728 } 729 730 if (!hapd->conf->ieee802_1x && 731 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 732 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 733 "802.1X not enabled and WPS not used"); 734 return; 735 } 736 737 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 738 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 739 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 740 "STA is using PSK"); 741 return; 742 } 743 744 if (!sta->eapol_sm) { 745 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 746 if (!sta->eapol_sm) 747 return; 748 749 #ifdef CONFIG_WPS 750 if (!hapd->conf->ieee802_1x) { 751 u32 wflags = sta->flags & (WLAN_STA_WPS | 752 WLAN_STA_WPS2 | 753 WLAN_STA_MAYBE_WPS); 754 if (wflags == WLAN_STA_MAYBE_WPS || 755 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 756 /* 757 * Delay EAPOL frame transmission until a 758 * possible WPS STA initiates the handshake 759 * with EAPOL-Start. Only allow the wait to be 760 * skipped if the STA is known to support WPS 761 * 2.0. 762 */ 763 wpa_printf(MSG_DEBUG, "WPS: Do not start " 764 "EAPOL until EAPOL-Start is " 765 "received"); 766 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 767 } 768 } 769 #endif /* CONFIG_WPS */ 770 771 sta->eapol_sm->eap_if->portEnabled = TRUE; 772 } 773 774 /* since we support version 1, we can ignore version field and proceed 775 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 776 /* TODO: actually, we are not version 1 anymore.. However, Version 2 777 * does not change frame contents, so should be ok to process frames 778 * more or less identically. Some changes might be needed for 779 * verification of fields. */ 780 781 switch (hdr->type) { 782 case IEEE802_1X_TYPE_EAP_PACKET: 783 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 784 break; 785 786 case IEEE802_1X_TYPE_EAPOL_START: 787 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 788 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 789 "from STA"); 790 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 791 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 792 if (pmksa) { 793 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 794 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 795 "available - ignore it since " 796 "STA sent EAPOL-Start"); 797 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 798 } 799 sta->eapol_sm->eapolStart = TRUE; 800 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 801 eap_server_clear_identity(sta->eapol_sm->eap); 802 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 803 break; 804 805 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 806 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 807 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 808 "from STA"); 809 sta->acct_terminate_cause = 810 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 811 accounting_sta_stop(hapd, sta); 812 sta->eapol_sm->eapolLogoff = TRUE; 813 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 814 eap_server_clear_identity(sta->eapol_sm->eap); 815 break; 816 817 case IEEE802_1X_TYPE_EAPOL_KEY: 818 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 819 if (!ap_sta_is_authorized(sta)) { 820 wpa_printf(MSG_DEBUG, " Dropped key data from " 821 "unauthorized Supplicant"); 822 break; 823 } 824 break; 825 826 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 827 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 828 /* TODO: implement support for this; show data */ 829 break; 830 831 default: 832 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 833 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 834 break; 835 } 836 837 eapol_auth_step(sta->eapol_sm); 838 } 839 840 841 /** 842 * ieee802_1x_new_station - Start IEEE 802.1X authentication 843 * @hapd: hostapd BSS data 844 * @sta: The station 845 * 846 * This function is called to start IEEE 802.1X authentication when a new 847 * station completes IEEE 802.11 association. 848 */ 849 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 850 { 851 struct rsn_pmksa_cache_entry *pmksa; 852 int reassoc = 1; 853 int force_1x = 0; 854 int key_mgmt; 855 856 #ifdef CONFIG_WPS 857 if (hapd->conf->wps_state && hapd->conf->wpa && 858 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 859 /* 860 * Need to enable IEEE 802.1X/EAPOL state machines for possible 861 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 862 * authentication in this BSS. 863 */ 864 force_1x = 1; 865 } 866 #endif /* CONFIG_WPS */ 867 868 if (!force_1x && !hapd->conf->ieee802_1x) { 869 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 870 "802.1X not enabled or forced for WPS"); 871 /* 872 * Clear any possible EAPOL authenticator state to support 873 * reassociation change from WPS to PSK. 874 */ 875 ieee802_1x_free_station(sta); 876 return; 877 } 878 879 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 880 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 881 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 882 /* 883 * Clear any possible EAPOL authenticator state to support 884 * reassociation change from WPA-EAP to PSK. 885 */ 886 ieee802_1x_free_station(sta); 887 return; 888 } 889 890 if (sta->eapol_sm == NULL) { 891 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 892 HOSTAPD_LEVEL_DEBUG, "start authentication"); 893 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 894 if (sta->eapol_sm == NULL) { 895 hostapd_logger(hapd, sta->addr, 896 HOSTAPD_MODULE_IEEE8021X, 897 HOSTAPD_LEVEL_INFO, 898 "failed to allocate state machine"); 899 return; 900 } 901 reassoc = 0; 902 } 903 904 #ifdef CONFIG_WPS 905 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 906 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 907 /* 908 * Delay EAPOL frame transmission until a possible WPS STA 909 * initiates the handshake with EAPOL-Start. Only allow the 910 * wait to be skipped if the STA is known to support WPS 2.0. 911 */ 912 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 913 "EAPOL-Start is received"); 914 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 915 } 916 #endif /* CONFIG_WPS */ 917 918 sta->eapol_sm->eap_if->portEnabled = TRUE; 919 920 #ifdef CONFIG_IEEE80211R 921 if (sta->auth_alg == WLAN_AUTH_FT) { 922 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 923 HOSTAPD_LEVEL_DEBUG, 924 "PMK from FT - skip IEEE 802.1X/EAP"); 925 /* Setup EAPOL state machines to already authenticated state 926 * because of existing FT information from R0KH. */ 927 sta->eapol_sm->keyRun = TRUE; 928 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 929 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 930 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 931 sta->eapol_sm->authSuccess = TRUE; 932 sta->eapol_sm->authFail = FALSE; 933 if (sta->eapol_sm->eap) 934 eap_sm_notify_cached(sta->eapol_sm->eap); 935 /* TODO: get vlan_id from R0KH using RRB message */ 936 return; 937 } 938 #endif /* CONFIG_IEEE80211R */ 939 940 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 941 if (pmksa) { 942 int old_vlanid; 943 944 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 945 HOSTAPD_LEVEL_DEBUG, 946 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 947 /* Setup EAPOL state machines to already authenticated state 948 * because of existing PMKSA information in the cache. */ 949 sta->eapol_sm->keyRun = TRUE; 950 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 951 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 952 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 953 sta->eapol_sm->authSuccess = TRUE; 954 sta->eapol_sm->authFail = FALSE; 955 if (sta->eapol_sm->eap) 956 eap_sm_notify_cached(sta->eapol_sm->eap); 957 old_vlanid = sta->vlan_id; 958 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 959 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 960 sta->vlan_id = 0; 961 ap_sta_bind_vlan(hapd, sta, old_vlanid); 962 } else { 963 if (reassoc) { 964 /* 965 * Force EAPOL state machines to start 966 * re-authentication without having to wait for the 967 * Supplicant to send EAPOL-Start. 968 */ 969 sta->eapol_sm->reAuthenticate = TRUE; 970 } 971 eapol_auth_step(sta->eapol_sm); 972 } 973 } 974 975 976 void ieee802_1x_free_station(struct sta_info *sta) 977 { 978 struct eapol_state_machine *sm = sta->eapol_sm; 979 980 if (sm == NULL) 981 return; 982 983 sta->eapol_sm = NULL; 984 985 #ifndef CONFIG_NO_RADIUS 986 radius_msg_free(sm->last_recv_radius); 987 radius_free_class(&sm->radius_class); 988 #endif /* CONFIG_NO_RADIUS */ 989 990 os_free(sm->identity); 991 eapol_auth_free(sm); 992 } 993 994 995 #ifndef CONFIG_NO_RADIUS 996 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 997 struct sta_info *sta) 998 { 999 u8 *eap; 1000 size_t len; 1001 struct eap_hdr *hdr; 1002 int eap_type = -1; 1003 char buf[64]; 1004 struct radius_msg *msg; 1005 struct eapol_state_machine *sm = sta->eapol_sm; 1006 1007 if (sm == NULL || sm->last_recv_radius == NULL) { 1008 if (sm) 1009 sm->eap_if->aaaEapNoReq = TRUE; 1010 return; 1011 } 1012 1013 msg = sm->last_recv_radius; 1014 1015 eap = radius_msg_get_eap(msg, &len); 1016 if (eap == NULL) { 1017 /* RFC 3579, Chap. 2.6.3: 1018 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1019 * attribute */ 1020 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1021 HOSTAPD_LEVEL_WARNING, "could not extract " 1022 "EAP-Message from RADIUS message"); 1023 sm->eap_if->aaaEapNoReq = TRUE; 1024 return; 1025 } 1026 1027 if (len < sizeof(*hdr)) { 1028 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1029 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1030 "received from authentication server"); 1031 os_free(eap); 1032 sm->eap_if->aaaEapNoReq = TRUE; 1033 return; 1034 } 1035 1036 if (len > sizeof(*hdr)) 1037 eap_type = eap[sizeof(*hdr)]; 1038 1039 hdr = (struct eap_hdr *) eap; 1040 switch (hdr->code) { 1041 case EAP_CODE_REQUEST: 1042 if (eap_type >= 0) 1043 sm->eap_type_authsrv = eap_type; 1044 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1045 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1046 "??", 1047 eap_type); 1048 break; 1049 case EAP_CODE_RESPONSE: 1050 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1051 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1052 "??", 1053 eap_type); 1054 break; 1055 case EAP_CODE_SUCCESS: 1056 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1057 break; 1058 case EAP_CODE_FAILURE: 1059 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1060 break; 1061 default: 1062 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1063 break; 1064 } 1065 buf[sizeof(buf) - 1] = '\0'; 1066 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1067 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1068 "id=%d len=%d) from RADIUS server: %s", 1069 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1070 buf); 1071 sm->eap_if->aaaEapReq = TRUE; 1072 1073 wpabuf_free(sm->eap_if->aaaEapReqData); 1074 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1075 } 1076 1077 1078 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1079 struct sta_info *sta, struct radius_msg *msg, 1080 struct radius_msg *req, 1081 const u8 *shared_secret, 1082 size_t shared_secret_len) 1083 { 1084 struct radius_ms_mppe_keys *keys; 1085 struct eapol_state_machine *sm = sta->eapol_sm; 1086 if (sm == NULL) 1087 return; 1088 1089 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1090 shared_secret_len); 1091 1092 if (keys && keys->send && keys->recv) { 1093 size_t len = keys->send_len + keys->recv_len; 1094 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1095 keys->send, keys->send_len); 1096 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1097 keys->recv, keys->recv_len); 1098 1099 os_free(sm->eap_if->aaaEapKeyData); 1100 sm->eap_if->aaaEapKeyData = os_malloc(len); 1101 if (sm->eap_if->aaaEapKeyData) { 1102 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1103 keys->recv_len); 1104 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1105 keys->send, keys->send_len); 1106 sm->eap_if->aaaEapKeyDataLen = len; 1107 sm->eap_if->aaaEapKeyAvailable = TRUE; 1108 } 1109 } 1110 1111 if (keys) { 1112 os_free(keys->send); 1113 os_free(keys->recv); 1114 os_free(keys); 1115 } 1116 } 1117 1118 1119 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1120 struct sta_info *sta, 1121 struct radius_msg *msg) 1122 { 1123 u8 *class; 1124 size_t class_len; 1125 struct eapol_state_machine *sm = sta->eapol_sm; 1126 int count, i; 1127 struct radius_attr_data *nclass; 1128 size_t nclass_count; 1129 1130 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1131 sm == NULL) 1132 return; 1133 1134 radius_free_class(&sm->radius_class); 1135 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1136 if (count <= 0) 1137 return; 1138 1139 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1140 if (nclass == NULL) 1141 return; 1142 1143 nclass_count = 0; 1144 1145 class = NULL; 1146 for (i = 0; i < count; i++) { 1147 do { 1148 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1149 &class, &class_len, 1150 class) < 0) { 1151 i = count; 1152 break; 1153 } 1154 } while (class_len < 1); 1155 1156 nclass[nclass_count].data = os_malloc(class_len); 1157 if (nclass[nclass_count].data == NULL) 1158 break; 1159 1160 os_memcpy(nclass[nclass_count].data, class, class_len); 1161 nclass[nclass_count].len = class_len; 1162 nclass_count++; 1163 } 1164 1165 sm->radius_class.attr = nclass; 1166 sm->radius_class.count = nclass_count; 1167 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1168 "attributes for " MACSTR, 1169 (unsigned long) sm->radius_class.count, 1170 MAC2STR(sta->addr)); 1171 } 1172 1173 1174 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1175 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1176 struct sta_info *sta, 1177 struct radius_msg *msg) 1178 { 1179 u8 *buf, *identity; 1180 size_t len; 1181 struct eapol_state_machine *sm = sta->eapol_sm; 1182 1183 if (sm == NULL) 1184 return; 1185 1186 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1187 NULL) < 0) 1188 return; 1189 1190 identity = os_malloc(len + 1); 1191 if (identity == NULL) 1192 return; 1193 1194 os_memcpy(identity, buf, len); 1195 identity[len] = '\0'; 1196 1197 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1198 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1199 "User-Name from Access-Accept '%s'", 1200 sm->identity ? (char *) sm->identity : "N/A", 1201 (char *) identity); 1202 1203 os_free(sm->identity); 1204 sm->identity = identity; 1205 sm->identity_len = len; 1206 } 1207 1208 1209 struct sta_id_search { 1210 u8 identifier; 1211 struct eapol_state_machine *sm; 1212 }; 1213 1214 1215 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1216 struct sta_info *sta, 1217 void *ctx) 1218 { 1219 struct sta_id_search *id_search = ctx; 1220 struct eapol_state_machine *sm = sta->eapol_sm; 1221 1222 if (sm && sm->radius_identifier >= 0 && 1223 sm->radius_identifier == id_search->identifier) { 1224 id_search->sm = sm; 1225 return 1; 1226 } 1227 return 0; 1228 } 1229 1230 1231 static struct eapol_state_machine * 1232 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1233 { 1234 struct sta_id_search id_search; 1235 id_search.identifier = identifier; 1236 id_search.sm = NULL; 1237 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1238 return id_search.sm; 1239 } 1240 1241 1242 /** 1243 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1244 * @msg: RADIUS response message 1245 * @req: RADIUS request message 1246 * @shared_secret: RADIUS shared secret 1247 * @shared_secret_len: Length of shared_secret in octets 1248 * @data: Context data (struct hostapd_data *) 1249 * Returns: Processing status 1250 */ 1251 static RadiusRxResult 1252 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1253 const u8 *shared_secret, size_t shared_secret_len, 1254 void *data) 1255 { 1256 struct hostapd_data *hapd = data; 1257 struct sta_info *sta; 1258 u32 session_timeout = 0, termination_action, acct_interim_interval; 1259 int session_timeout_set, old_vlanid = 0; 1260 struct eapol_state_machine *sm; 1261 int override_eapReq = 0; 1262 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1263 1264 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1265 if (sm == NULL) { 1266 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1267 "station for this RADIUS message"); 1268 return RADIUS_RX_UNKNOWN; 1269 } 1270 sta = sm->sta; 1271 1272 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1273 * present when packet contains an EAP-Message attribute */ 1274 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1275 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1276 0) < 0 && 1277 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1278 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1279 "Message-Authenticator since it does not include " 1280 "EAP-Message"); 1281 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1282 req, 1)) { 1283 printf("Incoming RADIUS packet did not have correct " 1284 "Message-Authenticator - dropped\n"); 1285 return RADIUS_RX_INVALID_AUTHENTICATOR; 1286 } 1287 1288 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1289 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1290 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1291 printf("Unknown RADIUS message code\n"); 1292 return RADIUS_RX_UNKNOWN; 1293 } 1294 1295 sm->radius_identifier = -1; 1296 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1297 MAC2STR(sta->addr)); 1298 1299 radius_msg_free(sm->last_recv_radius); 1300 sm->last_recv_radius = msg; 1301 1302 session_timeout_set = 1303 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1304 &session_timeout); 1305 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1306 &termination_action)) 1307 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1308 1309 if (hapd->conf->acct_interim_interval == 0 && 1310 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1311 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1312 &acct_interim_interval) == 0) { 1313 if (acct_interim_interval < 60) { 1314 hostapd_logger(hapd, sta->addr, 1315 HOSTAPD_MODULE_IEEE8021X, 1316 HOSTAPD_LEVEL_INFO, 1317 "ignored too small " 1318 "Acct-Interim-Interval %d", 1319 acct_interim_interval); 1320 } else 1321 sta->acct_interim_interval = acct_interim_interval; 1322 } 1323 1324 1325 switch (hdr->code) { 1326 case RADIUS_CODE_ACCESS_ACCEPT: 1327 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1328 sta->vlan_id = 0; 1329 #ifndef CONFIG_NO_VLAN 1330 else { 1331 old_vlanid = sta->vlan_id; 1332 sta->vlan_id = radius_msg_get_vlanid(msg); 1333 } 1334 if (sta->vlan_id > 0 && 1335 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1336 sta->vlan_id)) { 1337 hostapd_logger(hapd, sta->addr, 1338 HOSTAPD_MODULE_RADIUS, 1339 HOSTAPD_LEVEL_INFO, 1340 "VLAN ID %d", sta->vlan_id); 1341 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1342 sta->eapol_sm->authFail = TRUE; 1343 hostapd_logger(hapd, sta->addr, 1344 HOSTAPD_MODULE_IEEE8021X, 1345 HOSTAPD_LEVEL_INFO, "authentication " 1346 "server did not include required VLAN " 1347 "ID in Access-Accept"); 1348 break; 1349 } 1350 #endif /* CONFIG_NO_VLAN */ 1351 1352 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1353 break; 1354 1355 /* RFC 3580, Ch. 3.17 */ 1356 if (session_timeout_set && termination_action == 1357 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1358 sm->reAuthPeriod = session_timeout; 1359 } else if (session_timeout_set) 1360 ap_sta_session_timeout(hapd, sta, session_timeout); 1361 1362 sm->eap_if->aaaSuccess = TRUE; 1363 override_eapReq = 1; 1364 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1365 shared_secret_len); 1366 ieee802_1x_store_radius_class(hapd, sta, msg); 1367 ieee802_1x_update_sta_identity(hapd, sta, msg); 1368 if (sm->eap_if->eapKeyAvailable && 1369 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1370 session_timeout_set ? 1371 (int) session_timeout : -1, sm) == 0) { 1372 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1373 HOSTAPD_LEVEL_DEBUG, 1374 "Added PMKSA cache entry"); 1375 } 1376 break; 1377 case RADIUS_CODE_ACCESS_REJECT: 1378 sm->eap_if->aaaFail = TRUE; 1379 override_eapReq = 1; 1380 break; 1381 case RADIUS_CODE_ACCESS_CHALLENGE: 1382 sm->eap_if->aaaEapReq = TRUE; 1383 if (session_timeout_set) { 1384 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1385 sm->eap_if->aaaMethodTimeout = session_timeout; 1386 hostapd_logger(hapd, sm->addr, 1387 HOSTAPD_MODULE_IEEE8021X, 1388 HOSTAPD_LEVEL_DEBUG, 1389 "using EAP timeout of %d seconds (from " 1390 "RADIUS)", 1391 sm->eap_if->aaaMethodTimeout); 1392 } else { 1393 /* 1394 * Use dynamic retransmission behavior per EAP 1395 * specification. 1396 */ 1397 sm->eap_if->aaaMethodTimeout = 0; 1398 } 1399 break; 1400 } 1401 1402 ieee802_1x_decapsulate_radius(hapd, sta); 1403 if (override_eapReq) 1404 sm->eap_if->aaaEapReq = FALSE; 1405 1406 eapol_auth_step(sm); 1407 1408 return RADIUS_RX_QUEUED; 1409 } 1410 #endif /* CONFIG_NO_RADIUS */ 1411 1412 1413 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1414 { 1415 struct eapol_state_machine *sm = sta->eapol_sm; 1416 if (sm == NULL) 1417 return; 1418 1419 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1420 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1421 1422 #ifndef CONFIG_NO_RADIUS 1423 radius_msg_free(sm->last_recv_radius); 1424 sm->last_recv_radius = NULL; 1425 #endif /* CONFIG_NO_RADIUS */ 1426 1427 if (sm->eap_if->eapTimeout) { 1428 /* 1429 * Disconnect the STA since it did not reply to the last EAP 1430 * request and we cannot continue EAP processing (EAP-Failure 1431 * could only be sent if the EAP peer actually replied). 1432 */ 1433 sm->eap_if->portEnabled = FALSE; 1434 ap_sta_disconnect(hapd, sta, sta->addr, 1435 WLAN_REASON_PREV_AUTH_NOT_VALID); 1436 } 1437 } 1438 1439 1440 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1441 { 1442 struct eapol_authenticator *eapol = hapd->eapol_auth; 1443 1444 if (hapd->conf->default_wep_key_len < 1) 1445 return 0; 1446 1447 os_free(eapol->default_wep_key); 1448 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1449 if (eapol->default_wep_key == NULL || 1450 random_get_bytes(eapol->default_wep_key, 1451 hapd->conf->default_wep_key_len)) { 1452 printf("Could not generate random WEP key.\n"); 1453 os_free(eapol->default_wep_key); 1454 eapol->default_wep_key = NULL; 1455 return -1; 1456 } 1457 1458 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1459 eapol->default_wep_key, 1460 hapd->conf->default_wep_key_len); 1461 1462 return 0; 1463 } 1464 1465 1466 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1467 struct sta_info *sta, void *ctx) 1468 { 1469 if (sta->eapol_sm) { 1470 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1471 eapol_auth_step(sta->eapol_sm); 1472 } 1473 return 0; 1474 } 1475 1476 1477 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1478 { 1479 struct hostapd_data *hapd = eloop_ctx; 1480 struct eapol_authenticator *eapol = hapd->eapol_auth; 1481 1482 if (eapol->default_wep_key_idx >= 3) 1483 eapol->default_wep_key_idx = 1484 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1485 else 1486 eapol->default_wep_key_idx++; 1487 1488 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1489 eapol->default_wep_key_idx); 1490 1491 if (ieee802_1x_rekey_broadcast(hapd)) { 1492 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1493 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1494 "new broadcast key"); 1495 os_free(eapol->default_wep_key); 1496 eapol->default_wep_key = NULL; 1497 return; 1498 } 1499 1500 /* TODO: Could setup key for RX here, but change default TX keyid only 1501 * after new broadcast key has been sent to all stations. */ 1502 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1503 broadcast_ether_addr, 1504 eapol->default_wep_key_idx, 1, NULL, 0, 1505 eapol->default_wep_key, 1506 hapd->conf->default_wep_key_len)) { 1507 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1508 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1509 "new broadcast key"); 1510 os_free(eapol->default_wep_key); 1511 eapol->default_wep_key = NULL; 1512 return; 1513 } 1514 1515 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1516 1517 if (hapd->conf->wep_rekeying_period > 0) { 1518 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1519 ieee802_1x_rekey, hapd, NULL); 1520 } 1521 } 1522 1523 1524 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1525 const u8 *data, size_t datalen) 1526 { 1527 #ifdef CONFIG_WPS 1528 struct sta_info *sta = sta_ctx; 1529 1530 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1531 WLAN_STA_MAYBE_WPS) { 1532 const u8 *identity; 1533 size_t identity_len; 1534 struct eapol_state_machine *sm = sta->eapol_sm; 1535 1536 identity = eap_get_identity(sm->eap, &identity_len); 1537 if (identity && 1538 ((identity_len == WSC_ID_ENROLLEE_LEN && 1539 os_memcmp(identity, WSC_ID_ENROLLEE, 1540 WSC_ID_ENROLLEE_LEN) == 0) || 1541 (identity_len == WSC_ID_REGISTRAR_LEN && 1542 os_memcmp(identity, WSC_ID_REGISTRAR, 1543 WSC_ID_REGISTRAR_LEN) == 0))) { 1544 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1545 "WLAN_STA_WPS"); 1546 sta->flags |= WLAN_STA_WPS; 1547 } 1548 } 1549 #endif /* CONFIG_WPS */ 1550 1551 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1552 } 1553 1554 1555 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1556 const u8 *data, size_t datalen) 1557 { 1558 #ifndef CONFIG_NO_RADIUS 1559 struct hostapd_data *hapd = ctx; 1560 struct sta_info *sta = sta_ctx; 1561 1562 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1563 #endif /* CONFIG_NO_RADIUS */ 1564 } 1565 1566 1567 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1568 int preauth) 1569 { 1570 struct hostapd_data *hapd = ctx; 1571 struct sta_info *sta = sta_ctx; 1572 if (preauth) 1573 rsn_preauth_finished(hapd, sta, success); 1574 else 1575 ieee802_1x_finished(hapd, sta, success); 1576 } 1577 1578 1579 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1580 size_t identity_len, int phase2, 1581 struct eap_user *user) 1582 { 1583 struct hostapd_data *hapd = ctx; 1584 const struct hostapd_eap_user *eap_user; 1585 int i, count; 1586 1587 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1588 identity_len, phase2); 1589 if (eap_user == NULL) 1590 return -1; 1591 1592 os_memset(user, 0, sizeof(*user)); 1593 user->phase2 = phase2; 1594 count = EAP_USER_MAX_METHODS; 1595 if (count > EAP_MAX_METHODS) 1596 count = EAP_MAX_METHODS; 1597 for (i = 0; i < count; i++) { 1598 user->methods[i].vendor = eap_user->methods[i].vendor; 1599 user->methods[i].method = eap_user->methods[i].method; 1600 } 1601 1602 if (eap_user->password) { 1603 user->password = os_malloc(eap_user->password_len); 1604 if (user->password == NULL) 1605 return -1; 1606 os_memcpy(user->password, eap_user->password, 1607 eap_user->password_len); 1608 user->password_len = eap_user->password_len; 1609 user->password_hash = eap_user->password_hash; 1610 } 1611 user->force_version = eap_user->force_version; 1612 user->ttls_auth = eap_user->ttls_auth; 1613 1614 return 0; 1615 } 1616 1617 1618 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1619 { 1620 struct hostapd_data *hapd = ctx; 1621 struct sta_info *sta; 1622 sta = ap_get_sta(hapd, addr); 1623 if (sta == NULL || sta->eapol_sm == NULL) 1624 return 0; 1625 return 1; 1626 } 1627 1628 1629 static void ieee802_1x_logger(void *ctx, const u8 *addr, 1630 eapol_logger_level level, const char *txt) 1631 { 1632 #ifndef CONFIG_NO_HOSTAPD_LOGGER 1633 struct hostapd_data *hapd = ctx; 1634 int hlevel; 1635 1636 switch (level) { 1637 case EAPOL_LOGGER_WARNING: 1638 hlevel = HOSTAPD_LEVEL_WARNING; 1639 break; 1640 case EAPOL_LOGGER_INFO: 1641 hlevel = HOSTAPD_LEVEL_INFO; 1642 break; 1643 case EAPOL_LOGGER_DEBUG: 1644 default: 1645 hlevel = HOSTAPD_LEVEL_DEBUG; 1646 break; 1647 } 1648 1649 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1650 txt); 1651 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1652 } 1653 1654 1655 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1656 int authorized) 1657 { 1658 struct hostapd_data *hapd = ctx; 1659 struct sta_info *sta = sta_ctx; 1660 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1661 } 1662 1663 1664 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1665 { 1666 struct hostapd_data *hapd = ctx; 1667 struct sta_info *sta = sta_ctx; 1668 ieee802_1x_abort_auth(hapd, sta); 1669 } 1670 1671 1672 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1673 { 1674 struct hostapd_data *hapd = ctx; 1675 struct sta_info *sta = sta_ctx; 1676 ieee802_1x_tx_key(hapd, sta); 1677 } 1678 1679 1680 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1681 enum eapol_event type) 1682 { 1683 /* struct hostapd_data *hapd = ctx; */ 1684 struct sta_info *sta = sta_ctx; 1685 switch (type) { 1686 case EAPOL_AUTH_SM_CHANGE: 1687 wpa_auth_sm_notify(sta->wpa_sm); 1688 break; 1689 case EAPOL_AUTH_REAUTHENTICATE: 1690 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1691 break; 1692 } 1693 } 1694 1695 1696 int ieee802_1x_init(struct hostapd_data *hapd) 1697 { 1698 int i; 1699 struct eapol_auth_config conf; 1700 struct eapol_auth_cb cb; 1701 1702 os_memset(&conf, 0, sizeof(conf)); 1703 conf.ctx = hapd; 1704 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1705 conf.wpa = hapd->conf->wpa; 1706 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1707 conf.eap_server = hapd->conf->eap_server; 1708 conf.ssl_ctx = hapd->ssl_ctx; 1709 conf.msg_ctx = hapd->msg_ctx; 1710 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1711 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1712 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1713 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1714 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1715 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1716 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1717 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1718 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1719 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1720 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1721 conf.tnc = hapd->conf->tnc; 1722 conf.wps = hapd->wps; 1723 conf.fragment_size = hapd->conf->fragment_size; 1724 conf.pwd_group = hapd->conf->pwd_group; 1725 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1726 1727 os_memset(&cb, 0, sizeof(cb)); 1728 cb.eapol_send = ieee802_1x_eapol_send; 1729 cb.aaa_send = ieee802_1x_aaa_send; 1730 cb.finished = _ieee802_1x_finished; 1731 cb.get_eap_user = ieee802_1x_get_eap_user; 1732 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1733 cb.logger = ieee802_1x_logger; 1734 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1735 cb.abort_auth = _ieee802_1x_abort_auth; 1736 cb.tx_key = _ieee802_1x_tx_key; 1737 cb.eapol_event = ieee802_1x_eapol_event; 1738 1739 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1740 if (hapd->eapol_auth == NULL) 1741 return -1; 1742 1743 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1744 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1745 return -1; 1746 1747 #ifndef CONFIG_NO_RADIUS 1748 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1749 ieee802_1x_receive_auth, hapd)) 1750 return -1; 1751 #endif /* CONFIG_NO_RADIUS */ 1752 1753 if (hapd->conf->default_wep_key_len) { 1754 for (i = 0; i < 4; i++) 1755 hostapd_drv_set_key(hapd->conf->iface, hapd, 1756 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1757 NULL, 0); 1758 1759 ieee802_1x_rekey(hapd, NULL); 1760 1761 if (hapd->eapol_auth->default_wep_key == NULL) 1762 return -1; 1763 } 1764 1765 return 0; 1766 } 1767 1768 1769 void ieee802_1x_deinit(struct hostapd_data *hapd) 1770 { 1771 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1772 1773 if (hapd->driver != NULL && 1774 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1775 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1776 1777 eapol_auth_deinit(hapd->eapol_auth); 1778 hapd->eapol_auth = NULL; 1779 } 1780 1781 1782 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1783 const u8 *buf, size_t len, int ack) 1784 { 1785 struct ieee80211_hdr *hdr; 1786 struct ieee802_1x_hdr *xhdr; 1787 struct ieee802_1x_eapol_key *key; 1788 u8 *pos; 1789 const unsigned char rfc1042_hdr[ETH_ALEN] = 1790 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1791 1792 if (sta == NULL) 1793 return -1; 1794 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr)) 1795 return 0; 1796 1797 hdr = (struct ieee80211_hdr *) buf; 1798 pos = (u8 *) (hdr + 1); 1799 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1800 return 0; 1801 pos += sizeof(rfc1042_hdr); 1802 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1803 return 0; 1804 pos += 2; 1805 1806 xhdr = (struct ieee802_1x_hdr *) pos; 1807 pos += sizeof(*xhdr); 1808 1809 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1810 "type=%d length=%d - ack=%d", 1811 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1812 be_to_host16(xhdr->length), ack); 1813 1814 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1815 pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1816 const struct wpa_eapol_key *wpa; 1817 wpa = (const struct wpa_eapol_key *) pos; 1818 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1819 wpa->type == EAPOL_KEY_TYPE_WPA) 1820 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1821 sta->wpa_sm, ack); 1822 } 1823 1824 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1825 * or Authenticator state machines, but EAPOL-Key packets are not 1826 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1827 * packets couple of times because otherwise STA keys become 1828 * unsynchronized with AP. */ 1829 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack && 1830 pos + sizeof(*key) <= buf + len) { 1831 key = (struct ieee802_1x_eapol_key *) pos; 1832 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1833 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1834 "frame (%scast index=%d)", 1835 key->key_index & BIT(7) ? "uni" : "broad", 1836 key->key_index & ~BIT(7)); 1837 /* TODO: re-send EAPOL-Key couple of times (with short delay 1838 * between them?). If all attempt fail, report error and 1839 * deauthenticate STA so that it will get new keys when 1840 * authenticating again (e.g., after returning in range). 1841 * Separate limit/transmit state needed both for unicast and 1842 * broadcast keys(?) */ 1843 } 1844 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1845 * to here and change the key only if the EAPOL-Key packet was Acked. 1846 */ 1847 1848 return 1; 1849 } 1850 1851 1852 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1853 { 1854 if (sm == NULL || sm->identity == NULL) 1855 return NULL; 1856 1857 *len = sm->identity_len; 1858 return sm->identity; 1859 } 1860 1861 1862 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1863 int idx) 1864 { 1865 if (sm == NULL || sm->radius_class.attr == NULL || 1866 idx >= (int) sm->radius_class.count) 1867 return NULL; 1868 1869 *len = sm->radius_class.attr[idx].len; 1870 return sm->radius_class.attr[idx].data; 1871 } 1872 1873 1874 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1875 { 1876 *len = 0; 1877 if (sm == NULL) 1878 return NULL; 1879 1880 *len = sm->eap_if->eapKeyDataLen; 1881 return sm->eap_if->eapKeyData; 1882 } 1883 1884 1885 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1886 int enabled) 1887 { 1888 if (sm == NULL) 1889 return; 1890 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1891 eapol_auth_step(sm); 1892 } 1893 1894 1895 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1896 int valid) 1897 { 1898 if (sm == NULL) 1899 return; 1900 sm->portValid = valid ? TRUE : FALSE; 1901 eapol_auth_step(sm); 1902 } 1903 1904 1905 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1906 { 1907 if (sm == NULL) 1908 return; 1909 if (pre_auth) 1910 sm->flags |= EAPOL_SM_PREAUTH; 1911 else 1912 sm->flags &= ~EAPOL_SM_PREAUTH; 1913 } 1914 1915 1916 static const char * bool_txt(Boolean bool) 1917 { 1918 return bool ? "TRUE" : "FALSE"; 1919 } 1920 1921 1922 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1923 { 1924 /* TODO */ 1925 return 0; 1926 } 1927 1928 1929 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1930 char *buf, size_t buflen) 1931 { 1932 int len = 0, ret; 1933 struct eapol_state_machine *sm = sta->eapol_sm; 1934 struct os_time t; 1935 1936 if (sm == NULL) 1937 return 0; 1938 1939 ret = os_snprintf(buf + len, buflen - len, 1940 "dot1xPaePortNumber=%d\n" 1941 "dot1xPaePortProtocolVersion=%d\n" 1942 "dot1xPaePortCapabilities=1\n" 1943 "dot1xPaePortInitialize=%d\n" 1944 "dot1xPaePortReauthenticate=FALSE\n", 1945 sta->aid, 1946 EAPOL_VERSION, 1947 sm->initialize); 1948 if (ret < 0 || (size_t) ret >= buflen - len) 1949 return len; 1950 len += ret; 1951 1952 /* dot1xAuthConfigTable */ 1953 ret = os_snprintf(buf + len, buflen - len, 1954 "dot1xAuthPaeState=%d\n" 1955 "dot1xAuthBackendAuthState=%d\n" 1956 "dot1xAuthAdminControlledDirections=%d\n" 1957 "dot1xAuthOperControlledDirections=%d\n" 1958 "dot1xAuthAuthControlledPortStatus=%d\n" 1959 "dot1xAuthAuthControlledPortControl=%d\n" 1960 "dot1xAuthQuietPeriod=%u\n" 1961 "dot1xAuthServerTimeout=%u\n" 1962 "dot1xAuthReAuthPeriod=%u\n" 1963 "dot1xAuthReAuthEnabled=%s\n" 1964 "dot1xAuthKeyTxEnabled=%s\n", 1965 sm->auth_pae_state + 1, 1966 sm->be_auth_state + 1, 1967 sm->adminControlledDirections, 1968 sm->operControlledDirections, 1969 sm->authPortStatus, 1970 sm->portControl, 1971 sm->quietPeriod, 1972 sm->serverTimeout, 1973 sm->reAuthPeriod, 1974 bool_txt(sm->reAuthEnabled), 1975 bool_txt(sm->keyTxEnabled)); 1976 if (ret < 0 || (size_t) ret >= buflen - len) 1977 return len; 1978 len += ret; 1979 1980 /* dot1xAuthStatsTable */ 1981 ret = os_snprintf(buf + len, buflen - len, 1982 "dot1xAuthEapolFramesRx=%u\n" 1983 "dot1xAuthEapolFramesTx=%u\n" 1984 "dot1xAuthEapolStartFramesRx=%u\n" 1985 "dot1xAuthEapolLogoffFramesRx=%u\n" 1986 "dot1xAuthEapolRespIdFramesRx=%u\n" 1987 "dot1xAuthEapolRespFramesRx=%u\n" 1988 "dot1xAuthEapolReqIdFramesTx=%u\n" 1989 "dot1xAuthEapolReqFramesTx=%u\n" 1990 "dot1xAuthInvalidEapolFramesRx=%u\n" 1991 "dot1xAuthEapLengthErrorFramesRx=%u\n" 1992 "dot1xAuthLastEapolFrameVersion=%u\n" 1993 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 1994 sm->dot1xAuthEapolFramesRx, 1995 sm->dot1xAuthEapolFramesTx, 1996 sm->dot1xAuthEapolStartFramesRx, 1997 sm->dot1xAuthEapolLogoffFramesRx, 1998 sm->dot1xAuthEapolRespIdFramesRx, 1999 sm->dot1xAuthEapolRespFramesRx, 2000 sm->dot1xAuthEapolReqIdFramesTx, 2001 sm->dot1xAuthEapolReqFramesTx, 2002 sm->dot1xAuthInvalidEapolFramesRx, 2003 sm->dot1xAuthEapLengthErrorFramesRx, 2004 sm->dot1xAuthLastEapolFrameVersion, 2005 MAC2STR(sm->addr)); 2006 if (ret < 0 || (size_t) ret >= buflen - len) 2007 return len; 2008 len += ret; 2009 2010 /* dot1xAuthDiagTable */ 2011 ret = os_snprintf(buf + len, buflen - len, 2012 "dot1xAuthEntersConnecting=%u\n" 2013 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2014 "dot1xAuthEntersAuthenticating=%u\n" 2015 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2016 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2017 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2018 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2019 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2020 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2021 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2022 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2023 "dot1xAuthBackendResponses=%u\n" 2024 "dot1xAuthBackendAccessChallenges=%u\n" 2025 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2026 "dot1xAuthBackendAuthSuccesses=%u\n" 2027 "dot1xAuthBackendAuthFails=%u\n", 2028 sm->authEntersConnecting, 2029 sm->authEapLogoffsWhileConnecting, 2030 sm->authEntersAuthenticating, 2031 sm->authAuthSuccessesWhileAuthenticating, 2032 sm->authAuthTimeoutsWhileAuthenticating, 2033 sm->authAuthFailWhileAuthenticating, 2034 sm->authAuthEapStartsWhileAuthenticating, 2035 sm->authAuthEapLogoffWhileAuthenticating, 2036 sm->authAuthReauthsWhileAuthenticated, 2037 sm->authAuthEapStartsWhileAuthenticated, 2038 sm->authAuthEapLogoffWhileAuthenticated, 2039 sm->backendResponses, 2040 sm->backendAccessChallenges, 2041 sm->backendOtherRequestsToSupplicant, 2042 sm->backendAuthSuccesses, 2043 sm->backendAuthFails); 2044 if (ret < 0 || (size_t) ret >= buflen - len) 2045 return len; 2046 len += ret; 2047 2048 /* dot1xAuthSessionStatsTable */ 2049 os_get_time(&t); 2050 ret = os_snprintf(buf + len, buflen - len, 2051 /* TODO: dot1xAuthSessionOctetsRx */ 2052 /* TODO: dot1xAuthSessionOctetsTx */ 2053 /* TODO: dot1xAuthSessionFramesRx */ 2054 /* TODO: dot1xAuthSessionFramesTx */ 2055 "dot1xAuthSessionId=%08X-%08X\n" 2056 "dot1xAuthSessionAuthenticMethod=%d\n" 2057 "dot1xAuthSessionTime=%u\n" 2058 "dot1xAuthSessionTerminateCause=999\n" 2059 "dot1xAuthSessionUserName=%s\n", 2060 sta->acct_session_id_hi, sta->acct_session_id_lo, 2061 (wpa_key_mgmt_wpa_ieee8021x( 2062 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2063 1 : 2, 2064 (unsigned int) (t.sec - sta->acct_session_start), 2065 sm->identity); 2066 if (ret < 0 || (size_t) ret >= buflen - len) 2067 return len; 2068 len += ret; 2069 2070 return len; 2071 } 2072 2073 2074 static void ieee802_1x_finished(struct hostapd_data *hapd, 2075 struct sta_info *sta, int success) 2076 { 2077 const u8 *key; 2078 size_t len; 2079 /* TODO: get PMKLifetime from WPA parameters */ 2080 static const int dot11RSNAConfigPMKLifetime = 43200; 2081 2082 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2083 if (success && key && len >= PMK_LEN && 2084 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2085 sta->eapol_sm) == 0) { 2086 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2087 HOSTAPD_LEVEL_DEBUG, 2088 "Added PMKSA cache entry (IEEE 802.1X)"); 2089 } 2090 2091 if (!success) { 2092 /* 2093 * Many devices require deauthentication after WPS provisioning 2094 * and some may not be be able to do that themselves, so 2095 * disconnect the client here. In addition, this may also 2096 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2097 * the EAPOL PAE state machine would remain in HELD state for 2098 * considerable amount of time and some EAP methods, like 2099 * EAP-FAST with anonymous provisioning, may require another 2100 * EAPOL authentication to be started to complete connection. 2101 */ 2102 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Force disconnection after " 2103 "EAP-Failure"); 2104 /* Add a small sleep to increase likelihood of previously 2105 * requested EAP-Failure TX getting out before this should the 2106 * driver reorder operations. 2107 */ 2108 os_sleep(0, 10000); 2109 ap_sta_disconnect(hapd, sta, sta->addr, 2110 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2111 } 2112 } 2113