Line data Source code
1 : /*
2 : * hostapd / IEEE 802.1X-2004 Authenticator
3 : * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "utils/includes.h"
10 :
11 : #include "utils/common.h"
12 : #include "utils/eloop.h"
13 : #include "crypto/md5.h"
14 : #include "crypto/crypto.h"
15 : #include "crypto/random.h"
16 : #include "common/ieee802_11_defs.h"
17 : #include "radius/radius.h"
18 : #include "radius/radius_client.h"
19 : #include "eap_server/eap.h"
20 : #include "eap_common/eap_wsc_common.h"
21 : #include "eapol_auth/eapol_auth_sm.h"
22 : #include "eapol_auth/eapol_auth_sm_i.h"
23 : #include "p2p/p2p.h"
24 : #include "hostapd.h"
25 : #include "accounting.h"
26 : #include "sta_info.h"
27 : #include "wpa_auth.h"
28 : #include "preauth_auth.h"
29 : #include "pmksa_cache_auth.h"
30 : #include "ap_config.h"
31 : #include "ap_drv_ops.h"
32 : #include "wps_hostapd.h"
33 : #include "hs20.h"
34 : #include "ieee802_1x.h"
35 :
36 :
37 : #ifdef CONFIG_HS20
38 : static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx);
39 : #endif /* CONFIG_HS20 */
40 : static void ieee802_1x_finished(struct hostapd_data *hapd,
41 : struct sta_info *sta, int success,
42 : int remediation);
43 :
44 :
45 14794 : static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta,
46 : u8 type, const u8 *data, size_t datalen)
47 : {
48 : u8 *buf;
49 : struct ieee802_1x_hdr *xhdr;
50 : size_t len;
51 14794 : int encrypt = 0;
52 :
53 14794 : len = sizeof(*xhdr) + datalen;
54 14794 : buf = os_zalloc(len);
55 14794 : if (buf == NULL) {
56 7 : wpa_printf(MSG_ERROR, "malloc() failed for "
57 : "ieee802_1x_send(len=%lu)",
58 : (unsigned long) len);
59 14801 : return;
60 : }
61 :
62 14787 : xhdr = (struct ieee802_1x_hdr *) buf;
63 14787 : xhdr->version = hapd->conf->eapol_version;
64 14787 : xhdr->type = type;
65 14787 : xhdr->length = host_to_be16(datalen);
66 :
67 14787 : if (datalen > 0 && data != NULL)
68 14787 : os_memcpy(xhdr + 1, data, datalen);
69 :
70 14787 : if (wpa_auth_pairwise_set(sta->wpa_sm))
71 547 : encrypt = 1;
72 : #ifdef CONFIG_TESTING_OPTIONS
73 14787 : if (hapd->ext_eapol_frame_io) {
74 406 : size_t hex_len = 2 * len + 1;
75 406 : char *hex = os_malloc(hex_len);
76 :
77 406 : if (hex) {
78 406 : wpa_snprintf_hex(hex, hex_len, buf, len);
79 2436 : wpa_msg(hapd->msg_ctx, MSG_INFO,
80 : "EAPOL-TX " MACSTR " %s",
81 2436 : MAC2STR(sta->addr), hex);
82 406 : os_free(hex);
83 : }
84 : } else
85 : #endif /* CONFIG_TESTING_OPTIONS */
86 14381 : if (sta->flags & WLAN_STA_PREAUTH) {
87 30 : rsn_preauth_send(hapd, sta, buf, len);
88 : } else {
89 28702 : hostapd_drv_hapd_send_eapol(
90 14351 : hapd, sta->addr, buf, len,
91 : encrypt, hostapd_sta_flags_to_drv(sta->flags));
92 : }
93 :
94 14787 : os_free(buf);
95 : }
96 :
97 :
98 7344 : void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
99 : struct sta_info *sta, int authorized)
100 : {
101 : int res;
102 :
103 7344 : if (sta->flags & WLAN_STA_PREAUTH)
104 7360 : return;
105 :
106 7328 : if (authorized) {
107 2167 : ap_sta_set_authorized(hapd, sta, 1);
108 2167 : res = hostapd_set_authorized(hapd, sta, 1);
109 2167 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
110 : HOSTAPD_LEVEL_DEBUG, "authorizing port");
111 : } else {
112 5161 : ap_sta_set_authorized(hapd, sta, 0);
113 5161 : res = hostapd_set_authorized(hapd, sta, 0);
114 5161 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
115 : HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
116 : }
117 :
118 7328 : if (res && errno != ENOENT) {
119 0 : wpa_printf(MSG_DEBUG, "Could not set station " MACSTR
120 : " flags for kernel driver (errno=%d).",
121 0 : MAC2STR(sta->addr), errno);
122 : }
123 :
124 7328 : if (authorized) {
125 2167 : os_get_reltime(&sta->connected_time);
126 2167 : accounting_sta_start(hapd, sta);
127 : }
128 : }
129 :
130 :
131 : #ifndef CONFIG_FIPS
132 : #ifndef CONFIG_NO_RC4
133 :
134 14 : static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
135 : struct sta_info *sta,
136 : int idx, int broadcast,
137 : u8 *key_data, size_t key_len)
138 : {
139 : u8 *buf, *ekey;
140 : struct ieee802_1x_hdr *hdr;
141 : struct ieee802_1x_eapol_key *key;
142 : size_t len, ekey_len;
143 14 : struct eapol_state_machine *sm = sta->eapol_sm;
144 :
145 14 : if (sm == NULL)
146 0 : return;
147 :
148 14 : len = sizeof(*key) + key_len;
149 14 : buf = os_zalloc(sizeof(*hdr) + len);
150 14 : if (buf == NULL)
151 0 : return;
152 :
153 14 : hdr = (struct ieee802_1x_hdr *) buf;
154 14 : key = (struct ieee802_1x_eapol_key *) (hdr + 1);
155 14 : key->type = EAPOL_KEY_TYPE_RC4;
156 14 : WPA_PUT_BE16(key->key_length, key_len);
157 14 : wpa_get_ntp_timestamp(key->replay_counter);
158 :
159 14 : if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) {
160 0 : wpa_printf(MSG_ERROR, "Could not get random numbers");
161 0 : os_free(buf);
162 0 : return;
163 : }
164 :
165 14 : key->key_index = idx | (broadcast ? 0 : BIT(7));
166 14 : if (hapd->conf->eapol_key_index_workaround) {
167 : /* According to some information, WinXP Supplicant seems to
168 : * interpret bit7 as an indication whether the key is to be
169 : * activated, so make it possible to enable workaround that
170 : * sets this bit for all keys. */
171 0 : key->key_index |= BIT(7);
172 : }
173 :
174 : /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
175 : * MSK[32..63] is used to sign the message. */
176 14 : if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) {
177 0 : wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
178 : "and signing EAPOL-Key");
179 0 : os_free(buf);
180 0 : return;
181 : }
182 14 : os_memcpy((u8 *) (key + 1), key_data, key_len);
183 14 : ekey_len = sizeof(key->key_iv) + 32;
184 14 : ekey = os_malloc(ekey_len);
185 14 : if (ekey == NULL) {
186 0 : wpa_printf(MSG_ERROR, "Could not encrypt key");
187 0 : os_free(buf);
188 0 : return;
189 : }
190 14 : os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
191 14 : os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
192 14 : rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
193 14 : os_free(ekey);
194 :
195 : /* This header is needed here for HMAC-MD5, but it will be regenerated
196 : * in ieee802_1x_send() */
197 14 : hdr->version = hapd->conf->eapol_version;
198 14 : hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
199 14 : hdr->length = host_to_be16(len);
200 14 : hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
201 14 : key->key_signature);
202 :
203 98 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
204 84 : " (%s index=%d)", MAC2STR(sm->addr),
205 : broadcast ? "broadcast" : "unicast", idx);
206 14 : ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
207 14 : if (sta->eapol_sm)
208 14 : sta->eapol_sm->dot1xAuthEapolFramesTx++;
209 14 : os_free(buf);
210 : }
211 :
212 :
213 8 : static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
214 : {
215 8 : struct eapol_authenticator *eapol = hapd->eapol_auth;
216 8 : struct eapol_state_machine *sm = sta->eapol_sm;
217 :
218 8 : if (sm == NULL || !sm->eap_if->eapKeyData)
219 0 : return;
220 :
221 48 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
222 48 : MAC2STR(sta->addr));
223 :
224 : #ifndef CONFIG_NO_VLAN
225 8 : if (sta->vlan_id > 0) {
226 0 : wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported.");
227 0 : return;
228 : }
229 : #endif /* CONFIG_NO_VLAN */
230 :
231 8 : if (eapol->default_wep_key) {
232 7 : ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
233 : eapol->default_wep_key,
234 7 : hapd->conf->default_wep_key_len);
235 : }
236 :
237 8 : if (hapd->conf->individual_wep_key_len > 0) {
238 : u8 *ikey;
239 7 : ikey = os_malloc(hapd->conf->individual_wep_key_len);
240 14 : if (ikey == NULL ||
241 7 : random_get_bytes(ikey, hapd->conf->individual_wep_key_len))
242 : {
243 0 : wpa_printf(MSG_ERROR, "Could not generate random "
244 : "individual WEP key.");
245 0 : os_free(ikey);
246 0 : return;
247 : }
248 :
249 7 : wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
250 7 : ikey, hapd->conf->individual_wep_key_len);
251 :
252 7 : ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
253 7 : hapd->conf->individual_wep_key_len);
254 :
255 : /* TODO: set encryption in TX callback, i.e., only after STA
256 : * has ACKed EAPOL-Key frame */
257 14 : if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
258 7 : sta->addr, 0, 1, NULL, 0, ikey,
259 7 : hapd->conf->individual_wep_key_len)) {
260 0 : wpa_printf(MSG_ERROR, "Could not set individual WEP "
261 : "encryption.");
262 : }
263 :
264 7 : os_free(ikey);
265 : }
266 : }
267 :
268 : #endif /* CONFIG_NO_RC4 */
269 : #endif /* CONFIG_FIPS */
270 :
271 :
272 7723 : const char *radius_mode_txt(struct hostapd_data *hapd)
273 : {
274 7723 : switch (hapd->iface->conf->hw_mode) {
275 : case HOSTAPD_MODE_IEEE80211AD:
276 0 : return "802.11ad";
277 : case HOSTAPD_MODE_IEEE80211A:
278 0 : return "802.11a";
279 : case HOSTAPD_MODE_IEEE80211G:
280 7723 : return "802.11g";
281 : case HOSTAPD_MODE_IEEE80211B:
282 : default:
283 0 : return "802.11b";
284 : }
285 : }
286 :
287 :
288 15446 : int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta)
289 : {
290 : int i;
291 15446 : u8 rate = 0;
292 :
293 200798 : for (i = 0; i < sta->supported_rates_len; i++)
294 185352 : if ((sta->supported_rates[i] & 0x7f) > rate)
295 154460 : rate = sta->supported_rates[i] & 0x7f;
296 :
297 15446 : return rate;
298 : }
299 :
300 :
301 : #ifndef CONFIG_NO_RADIUS
302 7275 : static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
303 : struct eapol_state_machine *sm,
304 : const u8 *eap, size_t len)
305 : {
306 : const u8 *identity;
307 : size_t identity_len;
308 7275 : const struct eap_hdr *hdr = (const struct eap_hdr *) eap;
309 :
310 14550 : if (len <= sizeof(struct eap_hdr) ||
311 14534 : (hdr->code == EAP_CODE_RESPONSE &&
312 9338 : eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) ||
313 2095 : (hdr->code == EAP_CODE_INITIATE &&
314 2095 : eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) ||
315 2095 : (hdr->code != EAP_CODE_RESPONSE &&
316 16 : hdr->code != EAP_CODE_INITIATE))
317 10392 : return;
318 :
319 2079 : identity = eap_get_identity(sm->eap, &identity_len);
320 2079 : if (identity == NULL)
321 0 : return;
322 :
323 : /* Save station identity for future RADIUS packets */
324 2079 : os_free(sm->identity);
325 2079 : sm->identity = (u8 *) dup_binstr(identity, identity_len);
326 2079 : if (sm->identity == NULL) {
327 0 : sm->identity_len = 0;
328 0 : return;
329 : }
330 :
331 2079 : sm->identity_len = identity_len;
332 2079 : hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
333 : HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
334 2079 : sm->dot1xAuthEapolRespIdFramesRx++;
335 : }
336 :
337 :
338 7643 : static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd,
339 : struct hostapd_radius_attr *req_attr,
340 : struct sta_info *sta,
341 : struct radius_msg *msg)
342 : {
343 : u32 suite;
344 : int ver, val;
345 :
346 7643 : ver = wpa_auth_sta_wpa_version(sta->wpa_sm);
347 7643 : val = wpa_auth_get_pairwise(sta->wpa_sm);
348 7643 : suite = wpa_cipher_to_suite(ver, val);
349 15286 : if (val != -1 &&
350 7643 : !hostapd_config_get_radius_attr(req_attr,
351 7643 : RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) &&
352 7643 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER,
353 : suite)) {
354 0 : wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher");
355 0 : return -1;
356 : }
357 :
358 7673 : suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) ||
359 30 : hapd->conf->osen) ?
360 : WPA_PROTO_RSN : WPA_PROTO_WPA,
361 7643 : hapd->conf->wpa_group);
362 7643 : if (!hostapd_config_get_radius_attr(req_attr,
363 7643 : RADIUS_ATTR_WLAN_GROUP_CIPHER) &&
364 7643 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER,
365 : suite)) {
366 0 : wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher");
367 0 : return -1;
368 : }
369 :
370 7643 : val = wpa_auth_sta_key_mgmt(sta->wpa_sm);
371 7643 : suite = wpa_akm_to_suite(val);
372 15286 : if (val != -1 &&
373 7643 : !hostapd_config_get_radius_attr(req_attr,
374 7643 : RADIUS_ATTR_WLAN_AKM_SUITE) &&
375 7643 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE,
376 : suite)) {
377 0 : wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite");
378 0 : return -1;
379 : }
380 :
381 : #ifdef CONFIG_IEEE80211W
382 7643 : if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
383 769 : suite = wpa_cipher_to_suite(WPA_PROTO_RSN,
384 769 : hapd->conf->group_mgmt_cipher);
385 769 : if (!hostapd_config_get_radius_attr(
386 769 : req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) &&
387 769 : !radius_msg_add_attr_int32(
388 : msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) {
389 0 : wpa_printf(MSG_ERROR,
390 : "Could not add WLAN-Group-Mgmt-Cipher");
391 0 : return -1;
392 : }
393 : }
394 : #endif /* CONFIG_IEEE80211W */
395 :
396 7643 : return 0;
397 : }
398 :
399 :
400 7744 : static int add_common_radius_sta_attr(struct hostapd_data *hapd,
401 : struct hostapd_radius_attr *req_attr,
402 : struct sta_info *sta,
403 : struct radius_msg *msg)
404 : {
405 : char buf[128];
406 :
407 7744 : if (!hostapd_config_get_radius_attr(req_attr,
408 7744 : RADIUS_ATTR_SERVICE_TYPE) &&
409 7744 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE,
410 : RADIUS_SERVICE_TYPE_FRAMED)) {
411 0 : wpa_printf(MSG_ERROR, "Could not add Service-Type");
412 0 : return -1;
413 : }
414 :
415 7744 : if (!hostapd_config_get_radius_attr(req_attr,
416 7744 : RADIUS_ATTR_NAS_PORT) &&
417 15467 : sta->aid > 0 &&
418 7723 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
419 0 : wpa_printf(MSG_ERROR, "Could not add NAS-Port");
420 0 : return -1;
421 : }
422 :
423 46464 : os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
424 46464 : MAC2STR(sta->addr));
425 7744 : buf[sizeof(buf) - 1] = '\0';
426 7744 : if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
427 : (u8 *) buf, os_strlen(buf))) {
428 0 : wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id");
429 0 : return -1;
430 : }
431 :
432 7744 : if (sta->flags & WLAN_STA_PREAUTH) {
433 21 : os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
434 : sizeof(buf));
435 : } else {
436 23169 : os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
437 7723 : radius_sta_rate(hapd, sta) / 2,
438 7723 : (radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
439 : radius_mode_txt(hapd));
440 7723 : buf[sizeof(buf) - 1] = '\0';
441 : }
442 7744 : if (!hostapd_config_get_radius_attr(req_attr,
443 7729 : RADIUS_ATTR_CONNECT_INFO) &&
444 7729 : !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
445 : (u8 *) buf, os_strlen(buf))) {
446 0 : wpa_printf(MSG_ERROR, "Could not add Connect-Info");
447 0 : return -1;
448 : }
449 :
450 7744 : if (sta->acct_session_id) {
451 7744 : os_snprintf(buf, sizeof(buf), "%016llX",
452 7744 : (unsigned long long) sta->acct_session_id);
453 7744 : if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
454 : (u8 *) buf, os_strlen(buf))) {
455 0 : wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id");
456 0 : return -1;
457 : }
458 : }
459 :
460 15378 : if ((hapd->conf->wpa & 2) &&
461 15188 : !hapd->conf->disable_pmksa_caching &&
462 15102 : sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) {
463 7548 : os_snprintf(buf, sizeof(buf), "%016llX",
464 : (unsigned long long)
465 7548 : sta->eapol_sm->acct_multi_session_id);
466 7548 : if (!radius_msg_add_attr(
467 : msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
468 : (u8 *) buf, os_strlen(buf))) {
469 0 : wpa_printf(MSG_INFO,
470 : "Could not add Acct-Multi-Session-Id");
471 0 : return -1;
472 : }
473 : }
474 :
475 : #ifdef CONFIG_IEEE80211R
476 7764 : if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
477 40 : sta->wpa_sm &&
478 20 : (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) ||
479 20 : sta->auth_alg == WLAN_AUTH_FT) &&
480 20 : !hostapd_config_get_radius_attr(req_attr,
481 20 : RADIUS_ATTR_MOBILITY_DOMAIN_ID) &&
482 20 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID,
483 20 : WPA_GET_BE16(
484 20 : hapd->conf->mobility_domain))) {
485 0 : wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id");
486 0 : return -1;
487 : }
488 : #endif /* CONFIG_IEEE80211R */
489 :
490 15387 : if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm &&
491 7643 : add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0)
492 0 : return -1;
493 :
494 7744 : return 0;
495 : }
496 :
497 :
498 7877 : int add_common_radius_attr(struct hostapd_data *hapd,
499 : struct hostapd_radius_attr *req_attr,
500 : struct sta_info *sta,
501 : struct radius_msg *msg)
502 : {
503 : char buf[128];
504 : struct hostapd_radius_attr *attr;
505 : int len;
506 :
507 7877 : if (!hostapd_config_get_radius_attr(req_attr,
508 7877 : RADIUS_ATTR_NAS_IP_ADDRESS) &&
509 7910 : hapd->conf->own_ip_addr.af == AF_INET &&
510 33 : !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
511 33 : (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
512 0 : wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address");
513 0 : return -1;
514 : }
515 :
516 : #ifdef CONFIG_IPV6
517 7877 : if (!hostapd_config_get_radius_attr(req_attr,
518 7877 : RADIUS_ATTR_NAS_IPV6_ADDRESS) &&
519 7884 : hapd->conf->own_ip_addr.af == AF_INET6 &&
520 7 : !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
521 7 : (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
522 0 : wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address");
523 0 : return -1;
524 : }
525 : #endif /* CONFIG_IPV6 */
526 :
527 7877 : if (!hostapd_config_get_radius_attr(req_attr,
528 7877 : RADIUS_ATTR_NAS_IDENTIFIER) &&
529 15008 : hapd->conf->nas_identifier &&
530 14262 : !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
531 7131 : (u8 *) hapd->conf->nas_identifier,
532 7131 : os_strlen(hapd->conf->nas_identifier))) {
533 0 : wpa_printf(MSG_ERROR, "Could not add NAS-Identifier");
534 0 : return -1;
535 : }
536 :
537 47262 : len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":",
538 47262 : MAC2STR(hapd->own_addr));
539 7877 : os_memcpy(&buf[len], hapd->conf->ssid.ssid,
540 : hapd->conf->ssid.ssid_len);
541 7877 : len += hapd->conf->ssid.ssid_len;
542 7877 : if (!hostapd_config_get_radius_attr(req_attr,
543 7877 : RADIUS_ATTR_CALLED_STATION_ID) &&
544 7877 : !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
545 : (u8 *) buf, len)) {
546 0 : wpa_printf(MSG_ERROR, "Could not add Called-Station-Id");
547 0 : return -1;
548 : }
549 :
550 7877 : if (!hostapd_config_get_radius_attr(req_attr,
551 7877 : RADIUS_ATTR_NAS_PORT_TYPE) &&
552 7877 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
553 : RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
554 0 : wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type");
555 0 : return -1;
556 : }
557 :
558 : #ifdef CONFIG_INTERWORKING
559 8604 : if (hapd->conf->interworking &&
560 727 : !is_zero_ether_addr(hapd->conf->hessid)) {
561 1938 : os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
562 1938 : MAC2STR(hapd->conf->hessid));
563 323 : buf[sizeof(buf) - 1] = '\0';
564 323 : if (!hostapd_config_get_radius_attr(req_attr,
565 323 : RADIUS_ATTR_WLAN_HESSID) &&
566 323 : !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID,
567 : (u8 *) buf, os_strlen(buf))) {
568 0 : wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID");
569 0 : return -1;
570 : }
571 : }
572 : #endif /* CONFIG_INTERWORKING */
573 :
574 7877 : if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0)
575 0 : return -1;
576 :
577 7911 : for (attr = req_attr; attr; attr = attr->next) {
578 68 : if (!radius_msg_add_attr(msg, attr->type,
579 34 : wpabuf_head(attr->val),
580 34 : wpabuf_len(attr->val))) {
581 0 : wpa_printf(MSG_ERROR, "Could not add RADIUS "
582 : "attribute");
583 0 : return -1;
584 : }
585 : }
586 :
587 7877 : return 0;
588 : }
589 :
590 :
591 7275 : static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
592 : struct sta_info *sta,
593 : const u8 *eap, size_t len)
594 : {
595 : struct radius_msg *msg;
596 7275 : struct eapol_state_machine *sm = sta->eapol_sm;
597 :
598 7275 : if (sm == NULL)
599 0 : return;
600 :
601 7275 : ieee802_1x_learn_identity(hapd, sm, eap, len);
602 :
603 7275 : wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
604 : "packet");
605 :
606 7275 : sm->radius_identifier = radius_client_get_id(hapd->radius);
607 7275 : msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
608 7275 : sm->radius_identifier);
609 7275 : if (msg == NULL) {
610 5 : wpa_printf(MSG_INFO, "Could not create new RADIUS packet");
611 5 : return;
612 : }
613 :
614 7270 : if (radius_msg_make_authenticator(msg) < 0) {
615 0 : wpa_printf(MSG_INFO, "Could not make Request Authenticator");
616 0 : goto fail;
617 : }
618 :
619 14540 : if (sm->identity &&
620 14540 : !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
621 7270 : sm->identity, sm->identity_len)) {
622 0 : wpa_printf(MSG_INFO, "Could not add User-Name");
623 0 : goto fail;
624 : }
625 :
626 7270 : if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta,
627 : msg) < 0)
628 0 : goto fail;
629 :
630 : /* TODO: should probably check MTU from driver config; 2304 is max for
631 : * IEEE 802.11, but use 1400 to avoid problems with too large packets
632 : */
633 7270 : if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr,
634 7270 : RADIUS_ATTR_FRAMED_MTU) &&
635 7270 : !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
636 0 : wpa_printf(MSG_INFO, "Could not add Framed-MTU");
637 0 : goto fail;
638 : }
639 :
640 7270 : if (!radius_msg_add_eap(msg, eap, len)) {
641 0 : wpa_printf(MSG_INFO, "Could not add EAP-Message");
642 0 : goto fail;
643 : }
644 :
645 : /* State attribute must be copied if and only if this packet is
646 : * Access-Request reply to the previous Access-Challenge */
647 12631 : if (sm->last_recv_radius &&
648 5361 : radius_msg_get_hdr(sm->last_recv_radius)->code ==
649 : RADIUS_CODE_ACCESS_CHALLENGE) {
650 5194 : int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
651 : RADIUS_ATTR_STATE);
652 5194 : if (res < 0) {
653 0 : wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge");
654 0 : goto fail;
655 : }
656 5194 : if (res > 0) {
657 4764 : wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
658 : }
659 : }
660 :
661 7270 : if (hapd->conf->radius_request_cui) {
662 : const u8 *cui;
663 : size_t cui_len;
664 : /* Add previously learned CUI or nul CUI to request CUI */
665 6 : if (sm->radius_cui) {
666 3 : cui = wpabuf_head(sm->radius_cui);
667 3 : cui_len = wpabuf_len(sm->radius_cui);
668 : } else {
669 3 : cui = (const u8 *) "\0";
670 3 : cui_len = 1;
671 : }
672 6 : if (!radius_msg_add_attr(msg,
673 : RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
674 : cui, cui_len)) {
675 0 : wpa_printf(MSG_ERROR, "Could not add CUI");
676 0 : goto fail;
677 : }
678 : }
679 :
680 : #ifdef CONFIG_HS20
681 7270 : if (hapd->conf->hs20) {
682 727 : u8 ver = 1; /* Release 2 */
683 727 : if (!radius_msg_add_wfa(
684 : msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION,
685 : &ver, 1)) {
686 0 : wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP "
687 : "version");
688 0 : goto fail;
689 : }
690 :
691 727 : if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) {
692 : const u8 *pos;
693 : u8 buf[3];
694 : u16 id;
695 685 : pos = wpabuf_head_u8(sta->hs20_ie);
696 685 : buf[0] = (*pos) >> 4;
697 1370 : if (((*pos) & HS20_PPS_MO_ID_PRESENT) &&
698 685 : wpabuf_len(sta->hs20_ie) >= 3)
699 685 : id = WPA_GET_LE16(pos + 1);
700 : else
701 0 : id = 0;
702 685 : WPA_PUT_BE16(buf + 1, id);
703 685 : if (!radius_msg_add_wfa(
704 : msg,
705 : RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION,
706 : buf, sizeof(buf))) {
707 0 : wpa_printf(MSG_ERROR, "Could not add HS 2.0 "
708 : "STA version");
709 0 : goto fail;
710 : }
711 : }
712 : }
713 : #endif /* CONFIG_HS20 */
714 :
715 7270 : if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0)
716 2 : goto fail;
717 :
718 7268 : return;
719 :
720 : fail:
721 2 : radius_msg_free(msg);
722 : }
723 : #endif /* CONFIG_NO_RADIUS */
724 :
725 :
726 11900 : static void handle_eap_response(struct hostapd_data *hapd,
727 : struct sta_info *sta, struct eap_hdr *eap,
728 : size_t len)
729 : {
730 : u8 type, *data;
731 11900 : struct eapol_state_machine *sm = sta->eapol_sm;
732 11900 : if (sm == NULL)
733 0 : return;
734 :
735 11900 : data = (u8 *) (eap + 1);
736 :
737 11900 : if (len < sizeof(*eap) + 1) {
738 0 : wpa_printf(MSG_INFO, "handle_eap_response: too short response data");
739 0 : return;
740 : }
741 :
742 11900 : sm->eap_type_supp = type = data[0];
743 :
744 47600 : hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
745 : HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
746 : "id=%d len=%d) from STA: EAP Response-%s (%d)",
747 35700 : eap->code, eap->identifier, be_to_host16(eap->length),
748 : eap_server_get_name(0, type), type);
749 :
750 11900 : sm->dot1xAuthEapolRespFramesRx++;
751 :
752 11900 : wpabuf_free(sm->eap_if->eapRespData);
753 11900 : sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
754 11900 : sm->eapolEap = TRUE;
755 : }
756 :
757 :
758 27 : static void handle_eap_initiate(struct hostapd_data *hapd,
759 : struct sta_info *sta, struct eap_hdr *eap,
760 : size_t len)
761 : {
762 : #ifdef CONFIG_ERP
763 : u8 type, *data;
764 27 : struct eapol_state_machine *sm = sta->eapol_sm;
765 :
766 27 : if (sm == NULL)
767 0 : return;
768 :
769 27 : if (len < sizeof(*eap) + 1) {
770 0 : wpa_printf(MSG_INFO,
771 : "handle_eap_initiate: too short response data");
772 0 : return;
773 : }
774 :
775 27 : data = (u8 *) (eap + 1);
776 27 : type = data[0];
777 :
778 108 : hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
779 : HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
780 : "id=%d len=%d) from STA: EAP Initiate type %u",
781 81 : eap->code, eap->identifier, be_to_host16(eap->length),
782 : type);
783 :
784 27 : wpabuf_free(sm->eap_if->eapRespData);
785 27 : sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
786 27 : sm->eapolEap = TRUE;
787 : #endif /* CONFIG_ERP */
788 : }
789 :
790 :
791 : /* Process incoming EAP packet from Supplicant */
792 11928 : static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta,
793 : u8 *buf, size_t len)
794 : {
795 : struct eap_hdr *eap;
796 : u16 eap_len;
797 :
798 11928 : if (len < sizeof(*eap)) {
799 0 : wpa_printf(MSG_INFO, " too short EAP packet");
800 0 : return;
801 : }
802 :
803 11928 : eap = (struct eap_hdr *) buf;
804 :
805 11928 : eap_len = be_to_host16(eap->length);
806 35784 : wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
807 23856 : eap->code, eap->identifier, eap_len);
808 11928 : if (eap_len < sizeof(*eap)) {
809 0 : wpa_printf(MSG_DEBUG, " Invalid EAP length");
810 0 : return;
811 11928 : } else if (eap_len > len) {
812 0 : wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP "
813 : "packet");
814 0 : return;
815 11928 : } else if (eap_len < len) {
816 0 : wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP "
817 : "packet", (unsigned long) len - eap_len);
818 : }
819 :
820 11928 : switch (eap->code) {
821 : case EAP_CODE_REQUEST:
822 1 : wpa_printf(MSG_DEBUG, " (request)");
823 1 : return;
824 : case EAP_CODE_RESPONSE:
825 11900 : wpa_printf(MSG_DEBUG, " (response)");
826 11900 : handle_eap_response(hapd, sta, eap, eap_len);
827 11900 : break;
828 : case EAP_CODE_SUCCESS:
829 0 : wpa_printf(MSG_DEBUG, " (success)");
830 0 : return;
831 : case EAP_CODE_FAILURE:
832 0 : wpa_printf(MSG_DEBUG, " (failure)");
833 0 : return;
834 : case EAP_CODE_INITIATE:
835 27 : wpa_printf(MSG_DEBUG, " (initiate)");
836 27 : handle_eap_initiate(hapd, sta, eap, eap_len);
837 27 : break;
838 : case EAP_CODE_FINISH:
839 0 : wpa_printf(MSG_DEBUG, " (finish)");
840 0 : break;
841 : default:
842 0 : wpa_printf(MSG_DEBUG, " (unknown code)");
843 0 : return;
844 : }
845 : }
846 :
847 :
848 : static struct eapol_state_machine *
849 2699 : ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
850 : {
851 2699 : int flags = 0;
852 2699 : if (sta->flags & WLAN_STA_PREAUTH)
853 9 : flags |= EAPOL_SM_PREAUTH;
854 2699 : if (sta->wpa_sm) {
855 2138 : flags |= EAPOL_SM_USES_WPA;
856 2138 : if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
857 37 : flags |= EAPOL_SM_FROM_PMKSA_CACHE;
858 : }
859 2699 : return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
860 2699 : sta->wps_ie, sta->p2p_ie, sta,
861 2699 : sta->identity, sta->radius_cui);
862 : }
863 :
864 :
865 12 : static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf,
866 : size_t len)
867 : {
868 12 : if (sta->pending_eapol_rx) {
869 6 : wpabuf_free(sta->pending_eapol_rx->buf);
870 : } else {
871 6 : sta->pending_eapol_rx =
872 6 : os_malloc(sizeof(*sta->pending_eapol_rx));
873 6 : if (!sta->pending_eapol_rx)
874 0 : return;
875 : }
876 :
877 12 : sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len);
878 12 : if (!sta->pending_eapol_rx->buf) {
879 0 : os_free(sta->pending_eapol_rx);
880 0 : sta->pending_eapol_rx = NULL;
881 0 : return;
882 : }
883 :
884 12 : os_get_reltime(&sta->pending_eapol_rx->rx_time);
885 : }
886 :
887 :
888 : /**
889 : * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
890 : * @hapd: hostapd BSS data
891 : * @sa: Source address (sender of the EAPOL frame)
892 : * @buf: EAPOL frame
893 : * @len: Length of buf in octets
894 : *
895 : * This function is called for each incoming EAPOL frame from the interface
896 : */
897 16550 : void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
898 : size_t len)
899 : {
900 : struct sta_info *sta;
901 : struct ieee802_1x_hdr *hdr;
902 : struct ieee802_1x_eapol_key *key;
903 : u16 datalen;
904 : struct rsn_pmksa_cache_entry *pmksa;
905 : int key_mgmt;
906 :
907 16654 : if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen &&
908 104 : !hapd->conf->wps_state)
909 0 : return;
910 :
911 99300 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
912 99300 : (unsigned long) len, MAC2STR(sa));
913 16550 : sta = ap_get_sta(hapd, sa);
914 16566 : if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) &&
915 16 : !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) {
916 32 : wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
917 : "associated/Pre-authenticating STA");
918 :
919 32 : if (sta && (sta->flags & WLAN_STA_AUTH)) {
920 72 : wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR
921 72 : " for later use", MAC2STR(sta->addr));
922 12 : ieee802_1x_save_eapol(sta, buf, len);
923 : }
924 :
925 32 : return;
926 : }
927 :
928 16518 : if (len < sizeof(*hdr)) {
929 0 : wpa_printf(MSG_INFO, " too short IEEE 802.1X packet");
930 0 : return;
931 : }
932 :
933 16518 : hdr = (struct ieee802_1x_hdr *) buf;
934 16518 : datalen = be_to_host16(hdr->length);
935 49554 : wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d",
936 33036 : hdr->version, hdr->type, datalen);
937 :
938 16518 : if (len - sizeof(*hdr) < datalen) {
939 1 : wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet");
940 1 : if (sta->eapol_sm)
941 0 : sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
942 1 : return;
943 : }
944 16517 : if (len - sizeof(*hdr) > datalen) {
945 1 : wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after "
946 : "IEEE 802.1X packet",
947 1 : (unsigned long) len - sizeof(*hdr) - datalen);
948 : }
949 :
950 16517 : if (sta->eapol_sm) {
951 14582 : sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
952 14582 : sta->eapol_sm->dot1xAuthEapolFramesRx++;
953 : }
954 :
955 16517 : key = (struct ieee802_1x_eapol_key *) (hdr + 1);
956 26623 : if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
957 14516 : hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
958 8725 : (key->type == EAPOL_KEY_TYPE_WPA ||
959 4315 : key->type == EAPOL_KEY_TYPE_RSN)) {
960 4409 : wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
961 : sizeof(*hdr) + datalen);
962 4409 : return;
963 : }
964 :
965 14740 : if (!hapd->conf->ieee802_1x && !hapd->conf->osen &&
966 2632 : !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
967 1 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
968 : "802.1X not enabled and WPS not used");
969 1 : return;
970 : }
971 :
972 12107 : key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
973 12107 : if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
974 0 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
975 : "STA is using PSK");
976 0 : return;
977 : }
978 :
979 12107 : if (!sta->eapol_sm) {
980 2 : sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
981 2 : if (!sta->eapol_sm)
982 0 : return;
983 :
984 : #ifdef CONFIG_WPS
985 2 : if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) {
986 0 : u32 wflags = sta->flags & (WLAN_STA_WPS |
987 : WLAN_STA_WPS2 |
988 : WLAN_STA_MAYBE_WPS);
989 0 : if (wflags == WLAN_STA_MAYBE_WPS ||
990 : wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) {
991 : /*
992 : * Delay EAPOL frame transmission until a
993 : * possible WPS STA initiates the handshake
994 : * with EAPOL-Start. Only allow the wait to be
995 : * skipped if the STA is known to support WPS
996 : * 2.0.
997 : */
998 0 : wpa_printf(MSG_DEBUG, "WPS: Do not start "
999 : "EAPOL until EAPOL-Start is "
1000 : "received");
1001 0 : sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
1002 : }
1003 : }
1004 : #endif /* CONFIG_WPS */
1005 :
1006 2 : sta->eapol_sm->eap_if->portEnabled = TRUE;
1007 : }
1008 :
1009 : /* since we support version 1, we can ignore version field and proceed
1010 : * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
1011 : /* TODO: actually, we are not version 1 anymore.. However, Version 2
1012 : * does not change frame contents, so should be ok to process frames
1013 : * more or less identically. Some changes might be needed for
1014 : * verification of fields. */
1015 :
1016 12107 : switch (hdr->type) {
1017 : case IEEE802_1X_TYPE_EAP_PACKET:
1018 11928 : handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
1019 11928 : break;
1020 :
1021 : case IEEE802_1X_TYPE_EAPOL_START:
1022 177 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1023 : HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
1024 : "from STA");
1025 177 : sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
1026 177 : pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
1027 177 : if (pmksa) {
1028 1 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1029 : HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
1030 : "available - ignore it since "
1031 : "STA sent EAPOL-Start");
1032 1 : wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
1033 : }
1034 177 : sta->eapol_sm->eapolStart = TRUE;
1035 177 : sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
1036 177 : eap_server_clear_identity(sta->eapol_sm->eap);
1037 177 : wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
1038 177 : break;
1039 :
1040 : case IEEE802_1X_TYPE_EAPOL_LOGOFF:
1041 2 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1042 : HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
1043 : "from STA");
1044 2 : sta->acct_terminate_cause =
1045 : RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
1046 2 : accounting_sta_stop(hapd, sta);
1047 2 : sta->eapol_sm->eapolLogoff = TRUE;
1048 2 : sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
1049 2 : eap_server_clear_identity(sta->eapol_sm->eap);
1050 2 : break;
1051 :
1052 : case IEEE802_1X_TYPE_EAPOL_KEY:
1053 0 : wpa_printf(MSG_DEBUG, " EAPOL-Key");
1054 0 : if (!ap_sta_is_authorized(sta)) {
1055 0 : wpa_printf(MSG_DEBUG, " Dropped key data from "
1056 : "unauthorized Supplicant");
1057 0 : break;
1058 : }
1059 0 : break;
1060 :
1061 : case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
1062 0 : wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert");
1063 : /* TODO: implement support for this; show data */
1064 0 : break;
1065 :
1066 : default:
1067 0 : wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type");
1068 0 : sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
1069 0 : break;
1070 : }
1071 :
1072 12107 : eapol_auth_step(sta->eapol_sm);
1073 : }
1074 :
1075 :
1076 : /**
1077 : * ieee802_1x_new_station - Start IEEE 802.1X authentication
1078 : * @hapd: hostapd BSS data
1079 : * @sta: The station
1080 : *
1081 : * This function is called to start IEEE 802.1X authentication when a new
1082 : * station completes IEEE 802.11 association.
1083 : */
1084 4766 : void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
1085 : {
1086 : struct rsn_pmksa_cache_entry *pmksa;
1087 4766 : int reassoc = 1;
1088 4766 : int force_1x = 0;
1089 : int key_mgmt;
1090 :
1091 : #ifdef CONFIG_WPS
1092 5740 : if (hapd->conf->wps_state &&
1093 2879 : ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) ||
1094 974 : (sta->flags & WLAN_STA_WPS))) {
1095 : /*
1096 : * Need to enable IEEE 802.1X/EAPOL state machines for possible
1097 : * WPS handshake even if IEEE 802.1X/EAPOL is not used for
1098 : * authentication in this BSS.
1099 : */
1100 535 : force_1x = 1;
1101 : }
1102 : #endif /* CONFIG_WPS */
1103 :
1104 4766 : if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) {
1105 1895 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - "
1106 : "802.1X not enabled or forced for WPS");
1107 : /*
1108 : * Clear any possible EAPOL authenticator state to support
1109 : * reassociation change from WPS to PSK.
1110 : */
1111 1895 : ieee802_1x_free_station(hapd, sta);
1112 1895 : return;
1113 : }
1114 :
1115 2871 : key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
1116 2871 : if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
1117 6 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
1118 : /*
1119 : * Clear any possible EAPOL authenticator state to support
1120 : * reassociation change from WPA-EAP to PSK.
1121 : */
1122 6 : ieee802_1x_free_station(hapd, sta);
1123 6 : return;
1124 : }
1125 :
1126 2865 : if (sta->eapol_sm == NULL) {
1127 2697 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1128 : HOSTAPD_LEVEL_DEBUG, "start authentication");
1129 2697 : sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
1130 2697 : if (sta->eapol_sm == NULL) {
1131 1 : hostapd_logger(hapd, sta->addr,
1132 : HOSTAPD_MODULE_IEEE8021X,
1133 : HOSTAPD_LEVEL_INFO,
1134 : "failed to allocate state machine");
1135 1 : return;
1136 : }
1137 2696 : reassoc = 0;
1138 : }
1139 :
1140 : #ifdef CONFIG_WPS
1141 2864 : sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
1142 3399 : if (!hapd->conf->ieee802_1x && hapd->conf->wps_state &&
1143 535 : !(sta->flags & WLAN_STA_WPS2)) {
1144 : /*
1145 : * Delay EAPOL frame transmission until a possible WPS STA
1146 : * initiates the handshake with EAPOL-Start. Only allow the
1147 : * wait to be skipped if the STA is known to support WPS 2.0.
1148 : */
1149 3 : wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until "
1150 : "EAPOL-Start is received");
1151 3 : sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
1152 : }
1153 : #endif /* CONFIG_WPS */
1154 :
1155 2864 : sta->eapol_sm->eap_if->portEnabled = TRUE;
1156 :
1157 : #ifdef CONFIG_IEEE80211R
1158 2864 : if (sta->auth_alg == WLAN_AUTH_FT) {
1159 4 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1160 : HOSTAPD_LEVEL_DEBUG,
1161 : "PMK from FT - skip IEEE 802.1X/EAP");
1162 : /* Setup EAPOL state machines to already authenticated state
1163 : * because of existing FT information from R0KH. */
1164 4 : sta->eapol_sm->keyRun = TRUE;
1165 4 : sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1166 4 : sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
1167 4 : sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
1168 4 : sta->eapol_sm->authSuccess = TRUE;
1169 4 : sta->eapol_sm->authFail = FALSE;
1170 4 : sta->eapol_sm->portValid = TRUE;
1171 4 : if (sta->eapol_sm->eap)
1172 4 : eap_sm_notify_cached(sta->eapol_sm->eap);
1173 : /* TODO: get vlan_id from R0KH using RRB message */
1174 4 : return;
1175 : }
1176 : #endif /* CONFIG_IEEE80211R */
1177 :
1178 2860 : pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
1179 2860 : if (pmksa) {
1180 37 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1181 : HOSTAPD_LEVEL_DEBUG,
1182 : "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
1183 : /* Setup EAPOL state machines to already authenticated state
1184 : * because of existing PMKSA information in the cache. */
1185 37 : sta->eapol_sm->keyRun = TRUE;
1186 37 : sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1187 37 : sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
1188 37 : sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
1189 37 : sta->eapol_sm->authSuccess = TRUE;
1190 37 : sta->eapol_sm->authFail = FALSE;
1191 37 : if (sta->eapol_sm->eap)
1192 37 : eap_sm_notify_cached(sta->eapol_sm->eap);
1193 37 : pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm);
1194 37 : ap_sta_bind_vlan(hapd, sta);
1195 : } else {
1196 2823 : if (reassoc) {
1197 : /*
1198 : * Force EAPOL state machines to start
1199 : * re-authentication without having to wait for the
1200 : * Supplicant to send EAPOL-Start.
1201 : */
1202 168 : sta->eapol_sm->reAuthenticate = TRUE;
1203 : }
1204 2823 : eapol_auth_step(sta->eapol_sm);
1205 : }
1206 : }
1207 :
1208 :
1209 6745 : void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta)
1210 : {
1211 6745 : struct eapol_state_machine *sm = sta->eapol_sm;
1212 :
1213 : #ifdef CONFIG_HS20
1214 6745 : eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta);
1215 : #endif /* CONFIG_HS20 */
1216 :
1217 6745 : if (sta->pending_eapol_rx) {
1218 6 : wpabuf_free(sta->pending_eapol_rx->buf);
1219 6 : os_free(sta->pending_eapol_rx);
1220 6 : sta->pending_eapol_rx = NULL;
1221 : }
1222 :
1223 6745 : if (sm == NULL)
1224 10792 : return;
1225 :
1226 2698 : sta->eapol_sm = NULL;
1227 :
1228 : #ifndef CONFIG_NO_RADIUS
1229 2440 : radius_msg_free(sm->last_recv_radius);
1230 2440 : radius_free_class(&sm->radius_class);
1231 : #endif /* CONFIG_NO_RADIUS */
1232 :
1233 2698 : eapol_auth_free(sm);
1234 : }
1235 :
1236 :
1237 : #ifndef CONFIG_NO_RADIUS
1238 7135 : static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
1239 : struct sta_info *sta)
1240 : {
1241 : struct wpabuf *eap;
1242 : const struct eap_hdr *hdr;
1243 7135 : int eap_type = -1;
1244 : char buf[64];
1245 : struct radius_msg *msg;
1246 7135 : struct eapol_state_machine *sm = sta->eapol_sm;
1247 :
1248 7135 : if (sm == NULL || sm->last_recv_radius == NULL) {
1249 0 : if (sm)
1250 0 : sm->eap_if->aaaEapNoReq = TRUE;
1251 17 : return;
1252 : }
1253 :
1254 7135 : msg = sm->last_recv_radius;
1255 :
1256 7135 : eap = radius_msg_get_eap(msg);
1257 7135 : if (eap == NULL) {
1258 : /* RFC 3579, Chap. 2.6.3:
1259 : * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
1260 : * attribute */
1261 17 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1262 : HOSTAPD_LEVEL_WARNING, "could not extract "
1263 : "EAP-Message from RADIUS message");
1264 17 : sm->eap_if->aaaEapNoReq = TRUE;
1265 17 : return;
1266 : }
1267 :
1268 7118 : if (wpabuf_len(eap) < sizeof(*hdr)) {
1269 0 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1270 : HOSTAPD_LEVEL_WARNING, "too short EAP packet "
1271 : "received from authentication server");
1272 0 : wpabuf_free(eap);
1273 0 : sm->eap_if->aaaEapNoReq = TRUE;
1274 0 : return;
1275 : }
1276 :
1277 7118 : if (wpabuf_len(eap) > sizeof(*hdr))
1278 5653 : eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)];
1279 :
1280 7118 : hdr = wpabuf_head(eap);
1281 7118 : switch (hdr->code) {
1282 : case EAP_CODE_REQUEST:
1283 5609 : if (eap_type >= 0)
1284 5609 : sm->eap_type_authsrv = eap_type;
1285 5609 : os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
1286 : eap_server_get_name(0, eap_type), eap_type);
1287 5609 : break;
1288 : case EAP_CODE_RESPONSE:
1289 13 : os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
1290 : eap_server_get_name(0, eap_type), eap_type);
1291 13 : break;
1292 : case EAP_CODE_SUCCESS:
1293 1115 : os_strlcpy(buf, "EAP Success", sizeof(buf));
1294 1115 : break;
1295 : case EAP_CODE_FAILURE:
1296 350 : os_strlcpy(buf, "EAP Failure", sizeof(buf));
1297 350 : break;
1298 : default:
1299 31 : os_strlcpy(buf, "unknown EAP code", sizeof(buf));
1300 31 : break;
1301 : }
1302 7118 : buf[sizeof(buf) - 1] = '\0';
1303 21354 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1304 : HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
1305 : "id=%d len=%d) from RADIUS server: %s",
1306 21354 : hdr->code, hdr->identifier, be_to_host16(hdr->length),
1307 : buf);
1308 7118 : sm->eap_if->aaaEapReq = TRUE;
1309 :
1310 7118 : wpabuf_free(sm->eap_if->aaaEapReqData);
1311 7118 : sm->eap_if->aaaEapReqData = eap;
1312 : }
1313 :
1314 :
1315 1119 : static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1316 : struct sta_info *sta, struct radius_msg *msg,
1317 : struct radius_msg *req,
1318 : const u8 *shared_secret,
1319 : size_t shared_secret_len)
1320 : {
1321 : struct radius_ms_mppe_keys *keys;
1322 1119 : struct eapol_state_machine *sm = sta->eapol_sm;
1323 1119 : if (sm == NULL)
1324 1119 : return;
1325 :
1326 1119 : keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1327 : shared_secret_len);
1328 :
1329 2223 : if (keys && keys->send && keys->recv) {
1330 1104 : size_t len = keys->send_len + keys->recv_len;
1331 2208 : wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1332 1104 : keys->send, keys->send_len);
1333 2208 : wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1334 1104 : keys->recv, keys->recv_len);
1335 :
1336 1104 : os_free(sm->eap_if->aaaEapKeyData);
1337 1104 : sm->eap_if->aaaEapKeyData = os_malloc(len);
1338 1104 : if (sm->eap_if->aaaEapKeyData) {
1339 1102 : os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1340 : keys->recv_len);
1341 1102 : os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1342 : keys->send, keys->send_len);
1343 1102 : sm->eap_if->aaaEapKeyDataLen = len;
1344 1102 : sm->eap_if->aaaEapKeyAvailable = TRUE;
1345 : }
1346 : } else {
1347 15 : wpa_printf(MSG_DEBUG,
1348 : "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p",
1349 : keys, keys ? keys->send : NULL,
1350 : keys ? keys->recv : NULL);
1351 : }
1352 :
1353 1119 : if (keys) {
1354 1119 : os_free(keys->send);
1355 1119 : os_free(keys->recv);
1356 1119 : os_free(keys);
1357 : }
1358 : }
1359 :
1360 :
1361 1119 : static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1362 : struct sta_info *sta,
1363 : struct radius_msg *msg)
1364 : {
1365 : u8 *attr_class;
1366 : size_t class_len;
1367 1119 : struct eapol_state_machine *sm = sta->eapol_sm;
1368 : int count, i;
1369 : struct radius_attr_data *nclass;
1370 : size_t nclass_count;
1371 :
1372 1119 : if (!hapd->conf->radius->acct_server || hapd->radius == NULL ||
1373 : sm == NULL)
1374 1993 : return;
1375 :
1376 240 : radius_free_class(&sm->radius_class);
1377 240 : count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1378 240 : if (count <= 0)
1379 235 : return;
1380 :
1381 5 : nclass = os_calloc(count, sizeof(struct radius_attr_data));
1382 5 : if (nclass == NULL)
1383 0 : return;
1384 :
1385 5 : nclass_count = 0;
1386 :
1387 5 : attr_class = NULL;
1388 10 : for (i = 0; i < count; i++) {
1389 : do {
1390 5 : if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1391 : &attr_class, &class_len,
1392 : attr_class) < 0) {
1393 0 : i = count;
1394 0 : break;
1395 : }
1396 5 : } while (class_len < 1);
1397 :
1398 5 : nclass[nclass_count].data = os_malloc(class_len);
1399 5 : if (nclass[nclass_count].data == NULL)
1400 0 : break;
1401 :
1402 5 : os_memcpy(nclass[nclass_count].data, attr_class, class_len);
1403 5 : nclass[nclass_count].len = class_len;
1404 5 : nclass_count++;
1405 : }
1406 :
1407 5 : sm->radius_class.attr = nclass;
1408 5 : sm->radius_class.count = nclass_count;
1409 30 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
1410 : "attributes for " MACSTR,
1411 : (unsigned long) sm->radius_class.count,
1412 30 : MAC2STR(sta->addr));
1413 : }
1414 :
1415 :
1416 : /* Update sta->identity based on User-Name attribute in Access-Accept */
1417 1119 : static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1418 : struct sta_info *sta,
1419 : struct radius_msg *msg)
1420 : {
1421 : u8 *buf, *identity;
1422 : size_t len;
1423 1119 : struct eapol_state_machine *sm = sta->eapol_sm;
1424 :
1425 1119 : if (sm == NULL)
1426 1119 : return;
1427 :
1428 1119 : if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1429 : NULL) < 0)
1430 1119 : return;
1431 :
1432 0 : identity = (u8 *) dup_binstr(buf, len);
1433 0 : if (identity == NULL)
1434 0 : return;
1435 :
1436 0 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1437 : HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
1438 : "User-Name from Access-Accept '%s'",
1439 0 : sm->identity ? (char *) sm->identity : "N/A",
1440 : (char *) identity);
1441 :
1442 0 : os_free(sm->identity);
1443 0 : sm->identity = identity;
1444 0 : sm->identity_len = len;
1445 : }
1446 :
1447 :
1448 : /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */
1449 1119 : static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd,
1450 : struct sta_info *sta,
1451 : struct radius_msg *msg)
1452 : {
1453 1119 : struct eapol_state_machine *sm = sta->eapol_sm;
1454 : struct wpabuf *cui;
1455 : u8 *buf;
1456 : size_t len;
1457 :
1458 1119 : if (sm == NULL)
1459 1114 : return;
1460 :
1461 1119 : if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
1462 : &buf, &len, NULL) < 0)
1463 1114 : return;
1464 :
1465 5 : cui = wpabuf_alloc_copy(buf, len);
1466 5 : if (cui == NULL)
1467 0 : return;
1468 :
1469 5 : wpabuf_free(sm->radius_cui);
1470 5 : sm->radius_cui = cui;
1471 : }
1472 :
1473 :
1474 : #ifdef CONFIG_HS20
1475 :
1476 2 : static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len)
1477 : {
1478 2 : sta->remediation = 1;
1479 2 : os_free(sta->remediation_url);
1480 2 : if (len > 2) {
1481 2 : sta->remediation_url = os_malloc(len);
1482 2 : if (!sta->remediation_url)
1483 2 : return;
1484 2 : sta->remediation_method = pos[0];
1485 2 : os_memcpy(sta->remediation_url, pos + 1, len - 1);
1486 2 : sta->remediation_url[len - 1] = '\0';
1487 16 : wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed "
1488 : "for " MACSTR " - server method %u URL %s",
1489 14 : MAC2STR(sta->addr), sta->remediation_method,
1490 : sta->remediation_url);
1491 : } else {
1492 0 : sta->remediation_url = NULL;
1493 0 : wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed "
1494 0 : "for " MACSTR, MAC2STR(sta->addr));
1495 : }
1496 : /* TODO: assign the STA into remediation VLAN or add filtering */
1497 : }
1498 :
1499 :
1500 1 : static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd,
1501 : struct sta_info *sta, u8 *pos,
1502 : size_t len)
1503 : {
1504 1 : if (len < 3)
1505 1 : return; /* Malformed information */
1506 1 : sta->hs20_deauth_requested = 1;
1507 2 : wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u "
1508 : "Re-auth Delay %u",
1509 2 : *pos, WPA_GET_LE16(pos + 1));
1510 1 : wpabuf_free(sta->hs20_deauth_req);
1511 1 : sta->hs20_deauth_req = wpabuf_alloc(len + 1);
1512 1 : if (sta->hs20_deauth_req) {
1513 1 : wpabuf_put_data(sta->hs20_deauth_req, pos, 3);
1514 1 : wpabuf_put_u8(sta->hs20_deauth_req, len - 3);
1515 1 : wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3);
1516 : }
1517 1 : ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout);
1518 : }
1519 :
1520 :
1521 1 : static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd,
1522 : struct sta_info *sta, u8 *pos,
1523 : size_t len, int session_timeout)
1524 : {
1525 : unsigned int swt;
1526 : int warning_time, beacon_int;
1527 :
1528 1 : if (len < 1)
1529 0 : return; /* Malformed information */
1530 1 : os_free(sta->hs20_session_info_url);
1531 1 : sta->hs20_session_info_url = os_malloc(len);
1532 1 : if (sta->hs20_session_info_url == NULL)
1533 0 : return;
1534 1 : swt = pos[0];
1535 1 : os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1);
1536 1 : sta->hs20_session_info_url[len - 1] = '\0';
1537 1 : wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u "
1538 : "(session_timeout=%d)",
1539 : sta->hs20_session_info_url, swt, session_timeout);
1540 1 : if (session_timeout < 0) {
1541 0 : wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL");
1542 0 : return;
1543 : }
1544 1 : if (swt == 255)
1545 0 : swt = 1; /* Use one minute as the AP selected value */
1546 :
1547 1 : if ((unsigned int) session_timeout < swt * 60)
1548 0 : warning_time = 0;
1549 : else
1550 1 : warning_time = session_timeout - swt * 60;
1551 :
1552 1 : beacon_int = hapd->iconf->beacon_int;
1553 1 : if (beacon_int < 1)
1554 0 : beacon_int = 100; /* best guess */
1555 1 : sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128;
1556 1 : if (sta->hs20_disassoc_timer > 65535)
1557 0 : sta->hs20_disassoc_timer = 65535;
1558 :
1559 1 : ap_sta_session_warning_timeout(hapd, sta, warning_time);
1560 : }
1561 :
1562 : #endif /* CONFIG_HS20 */
1563 :
1564 :
1565 1119 : static void ieee802_1x_check_hs20(struct hostapd_data *hapd,
1566 : struct sta_info *sta,
1567 : struct radius_msg *msg,
1568 : int session_timeout)
1569 : {
1570 : #ifdef CONFIG_HS20
1571 : u8 *buf, *pos, *end, type, sublen;
1572 : size_t len;
1573 :
1574 1119 : buf = NULL;
1575 1119 : sta->remediation = 0;
1576 1119 : sta->hs20_deauth_requested = 0;
1577 :
1578 : for (;;) {
1579 3351 : if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
1580 : &buf, &len, buf) < 0)
1581 1119 : break;
1582 2232 : if (len < 6)
1583 0 : continue;
1584 2232 : pos = buf;
1585 2232 : end = buf + len;
1586 2232 : if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA)
1587 2228 : continue;
1588 4 : pos += 4;
1589 :
1590 4 : type = *pos++;
1591 4 : sublen = *pos++;
1592 4 : if (sublen < 2)
1593 0 : continue; /* invalid length */
1594 4 : sublen -= 2; /* skip header */
1595 4 : if (pos + sublen > end)
1596 0 : continue; /* invalid WFA VSA */
1597 :
1598 4 : switch (type) {
1599 : case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION:
1600 2 : ieee802_1x_hs20_sub_rem(sta, pos, sublen);
1601 2 : break;
1602 : case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ:
1603 1 : ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen);
1604 1 : break;
1605 : case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL:
1606 1 : ieee802_1x_hs20_session_info(hapd, sta, pos, sublen,
1607 : session_timeout);
1608 1 : break;
1609 : }
1610 2232 : }
1611 : #endif /* CONFIG_HS20 */
1612 1119 : }
1613 :
1614 :
1615 : struct sta_id_search {
1616 : u8 identifier;
1617 : struct eapol_state_machine *sm;
1618 : };
1619 :
1620 :
1621 8353 : static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1622 : struct sta_info *sta,
1623 : void *ctx)
1624 : {
1625 8353 : struct sta_id_search *id_search = ctx;
1626 8353 : struct eapol_state_machine *sm = sta->eapol_sm;
1627 :
1628 16213 : if (sm && sm->radius_identifier >= 0 &&
1629 7860 : sm->radius_identifier == id_search->identifier) {
1630 7141 : id_search->sm = sm;
1631 7141 : return 1;
1632 : }
1633 1212 : return 0;
1634 : }
1635 :
1636 :
1637 : static struct eapol_state_machine *
1638 7141 : ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1639 : {
1640 : struct sta_id_search id_search;
1641 7141 : id_search.identifier = identifier;
1642 7141 : id_search.sm = NULL;
1643 7141 : ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1644 7141 : return id_search.sm;
1645 : }
1646 :
1647 :
1648 : /**
1649 : * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1650 : * @msg: RADIUS response message
1651 : * @req: RADIUS request message
1652 : * @shared_secret: RADIUS shared secret
1653 : * @shared_secret_len: Length of shared_secret in octets
1654 : * @data: Context data (struct hostapd_data *)
1655 : * Returns: Processing status
1656 : */
1657 : static RadiusRxResult
1658 7141 : ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
1659 : const u8 *shared_secret, size_t shared_secret_len,
1660 : void *data)
1661 : {
1662 7141 : struct hostapd_data *hapd = data;
1663 : struct sta_info *sta;
1664 7141 : u32 session_timeout = 0, termination_action, acct_interim_interval;
1665 : int session_timeout_set;
1666 : struct eapol_state_machine *sm;
1667 7141 : int override_eapReq = 0;
1668 7141 : struct radius_hdr *hdr = radius_msg_get_hdr(msg);
1669 : struct vlan_description vlan_desc;
1670 : #ifndef CONFIG_NO_VLAN
1671 : int *untagged, *tagged, *notempty;
1672 : #endif /* CONFIG_NO_VLAN */
1673 :
1674 7141 : os_memset(&vlan_desc, 0, sizeof(vlan_desc));
1675 :
1676 7141 : sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
1677 7141 : if (sm == NULL) {
1678 0 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
1679 : "station for this RADIUS message");
1680 0 : return RADIUS_RX_UNKNOWN;
1681 : }
1682 7141 : sta = sm->sta;
1683 :
1684 : /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1685 : * present when packet contains an EAP-Message attribute */
1686 7327 : if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
1687 186 : radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
1688 0 : 0) < 0 &&
1689 0 : radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
1690 0 : wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
1691 : "Message-Authenticator since it does not include "
1692 : "EAP-Message");
1693 7141 : } else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
1694 : req, 1)) {
1695 6 : wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
1696 6 : return RADIUS_RX_INVALID_AUTHENTICATOR;
1697 : }
1698 :
1699 13150 : if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
1700 11844 : hdr->code != RADIUS_CODE_ACCESS_REJECT &&
1701 5829 : hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
1702 0 : wpa_printf(MSG_INFO, "Unknown RADIUS message code");
1703 0 : return RADIUS_RX_UNKNOWN;
1704 : }
1705 :
1706 7135 : sm->radius_identifier = -1;
1707 42810 : wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
1708 42810 : MAC2STR(sta->addr));
1709 :
1710 7135 : radius_msg_free(sm->last_recv_radius);
1711 7135 : sm->last_recv_radius = msg;
1712 :
1713 7135 : session_timeout_set =
1714 7135 : !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
1715 : &session_timeout);
1716 7135 : if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
1717 : &termination_action))
1718 7135 : termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
1719 :
1720 14261 : if (hapd->conf->acct_interim_interval == 0 &&
1721 8243 : hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
1722 1117 : radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
1723 : &acct_interim_interval) == 0) {
1724 0 : if (acct_interim_interval < 60) {
1725 0 : hostapd_logger(hapd, sta->addr,
1726 : HOSTAPD_MODULE_IEEE8021X,
1727 : HOSTAPD_LEVEL_INFO,
1728 : "ignored too small "
1729 : "Acct-Interim-Interval %d",
1730 : acct_interim_interval);
1731 : } else
1732 0 : sta->acct_interim_interval = acct_interim_interval;
1733 : }
1734 :
1735 :
1736 7135 : switch (hdr->code) {
1737 : case RADIUS_CODE_ACCESS_ACCEPT:
1738 : #ifndef CONFIG_NO_VLAN
1739 1120 : if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) {
1740 30 : notempty = &vlan_desc.notempty;
1741 30 : untagged = &vlan_desc.untagged;
1742 30 : tagged = vlan_desc.tagged;
1743 30 : *notempty = !!radius_msg_get_vlanid(msg, untagged,
1744 : MAX_NUM_TAGGED_VLAN,
1745 : tagged);
1746 : }
1747 :
1748 1144 : if (vlan_desc.notempty &&
1749 24 : !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
1750 0 : sta->eapol_sm->authFail = TRUE;
1751 0 : hostapd_logger(hapd, sta->addr,
1752 : HOSTAPD_MODULE_RADIUS,
1753 : HOSTAPD_LEVEL_INFO,
1754 : "Invalid VLAN %d%s received from RADIUS server",
1755 : vlan_desc.untagged,
1756 0 : vlan_desc.tagged[0] ? "+" : "");
1757 0 : os_memset(&vlan_desc, 0, sizeof(vlan_desc));
1758 0 : ap_sta_set_vlan(hapd, sta, &vlan_desc);
1759 0 : break;
1760 : }
1761 :
1762 1122 : if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED &&
1763 2 : !vlan_desc.notempty) {
1764 1 : sta->eapol_sm->authFail = TRUE;
1765 1 : hostapd_logger(hapd, sta->addr,
1766 : HOSTAPD_MODULE_IEEE8021X,
1767 : HOSTAPD_LEVEL_INFO, "authentication "
1768 : "server did not include required VLAN "
1769 : "ID in Access-Accept");
1770 1 : break;
1771 : }
1772 : #endif /* CONFIG_NO_VLAN */
1773 :
1774 1119 : if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0)
1775 0 : break;
1776 :
1777 : #ifndef CONFIG_NO_VLAN
1778 1119 : if (sta->vlan_id > 0) {
1779 28 : hostapd_logger(hapd, sta->addr,
1780 : HOSTAPD_MODULE_RADIUS,
1781 : HOSTAPD_LEVEL_INFO,
1782 : "VLAN ID %d", sta->vlan_id);
1783 : }
1784 : #endif /* CONFIG_NO_VLAN */
1785 :
1786 2231 : if ((sta->flags & WLAN_STA_ASSOC) &&
1787 1112 : ap_sta_bind_vlan(hapd, sta) < 0)
1788 0 : break;
1789 :
1790 1119 : sta->session_timeout_set = !!session_timeout_set;
1791 1119 : sta->session_timeout = session_timeout;
1792 :
1793 : /* RFC 3580, Ch. 3.17 */
1794 1119 : if (session_timeout_set && termination_action ==
1795 : RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
1796 0 : sm->reAuthPeriod = session_timeout;
1797 1119 : } else if (session_timeout_set)
1798 9 : ap_sta_session_timeout(hapd, sta, session_timeout);
1799 :
1800 1119 : sm->eap_if->aaaSuccess = TRUE;
1801 1119 : override_eapReq = 1;
1802 1119 : ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
1803 : shared_secret_len);
1804 1119 : ieee802_1x_store_radius_class(hapd, sta, msg);
1805 1119 : ieee802_1x_update_sta_identity(hapd, sta, msg);
1806 1119 : ieee802_1x_update_sta_cui(hapd, sta, msg);
1807 1128 : ieee802_1x_check_hs20(hapd, sta, msg,
1808 : session_timeout_set ?
1809 9 : (int) session_timeout : -1);
1810 1119 : break;
1811 : case RADIUS_CODE_ACCESS_REJECT:
1812 186 : sm->eap_if->aaaFail = TRUE;
1813 186 : override_eapReq = 1;
1814 186 : break;
1815 : case RADIUS_CODE_ACCESS_CHALLENGE:
1816 5829 : sm->eap_if->aaaEapReq = TRUE;
1817 5829 : if (session_timeout_set) {
1818 : /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
1819 0 : sm->eap_if->aaaMethodTimeout = session_timeout;
1820 0 : hostapd_logger(hapd, sm->addr,
1821 : HOSTAPD_MODULE_IEEE8021X,
1822 : HOSTAPD_LEVEL_DEBUG,
1823 : "using EAP timeout of %d seconds (from "
1824 : "RADIUS)",
1825 0 : sm->eap_if->aaaMethodTimeout);
1826 : } else {
1827 : /*
1828 : * Use dynamic retransmission behavior per EAP
1829 : * specification.
1830 : */
1831 5829 : sm->eap_if->aaaMethodTimeout = 0;
1832 : }
1833 5829 : break;
1834 : }
1835 :
1836 7135 : ieee802_1x_decapsulate_radius(hapd, sta);
1837 7135 : if (override_eapReq)
1838 1305 : sm->eap_if->aaaEapReq = FALSE;
1839 :
1840 7135 : eapol_auth_step(sm);
1841 :
1842 7135 : return RADIUS_RX_QUEUED;
1843 : }
1844 : #endif /* CONFIG_NO_RADIUS */
1845 :
1846 :
1847 2773 : void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
1848 : {
1849 2773 : struct eapol_state_machine *sm = sta->eapol_sm;
1850 2773 : if (sm == NULL)
1851 5471 : return;
1852 :
1853 75 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1854 : HOSTAPD_LEVEL_DEBUG, "aborting authentication");
1855 :
1856 : #ifndef CONFIG_NO_RADIUS
1857 75 : radius_msg_free(sm->last_recv_radius);
1858 75 : sm->last_recv_radius = NULL;
1859 : #endif /* CONFIG_NO_RADIUS */
1860 :
1861 75 : if (sm->eap_if->eapTimeout) {
1862 : /*
1863 : * Disconnect the STA since it did not reply to the last EAP
1864 : * request and we cannot continue EAP processing (EAP-Failure
1865 : * could only be sent if the EAP peer actually replied).
1866 : */
1867 0 : wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR,
1868 : MAC2STR(sta->addr));
1869 :
1870 0 : sm->eap_if->portEnabled = FALSE;
1871 0 : ap_sta_disconnect(hapd, sta, sta->addr,
1872 : WLAN_REASON_PREV_AUTH_NOT_VALID);
1873 : }
1874 : }
1875 :
1876 :
1877 6 : static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
1878 : {
1879 6 : struct eapol_authenticator *eapol = hapd->eapol_auth;
1880 :
1881 6 : if (hapd->conf->default_wep_key_len < 1)
1882 0 : return 0;
1883 :
1884 6 : os_free(eapol->default_wep_key);
1885 6 : eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
1886 12 : if (eapol->default_wep_key == NULL ||
1887 6 : random_get_bytes(eapol->default_wep_key,
1888 : hapd->conf->default_wep_key_len)) {
1889 0 : wpa_printf(MSG_INFO, "Could not generate random WEP key");
1890 0 : os_free(eapol->default_wep_key);
1891 0 : eapol->default_wep_key = NULL;
1892 0 : return -1;
1893 : }
1894 :
1895 12 : wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
1896 6 : eapol->default_wep_key,
1897 6 : hapd->conf->default_wep_key_len);
1898 :
1899 6 : return 0;
1900 : }
1901 :
1902 :
1903 0 : static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
1904 : struct sta_info *sta, void *ctx)
1905 : {
1906 0 : if (sta->eapol_sm) {
1907 0 : sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1908 0 : eapol_auth_step(sta->eapol_sm);
1909 : }
1910 0 : return 0;
1911 : }
1912 :
1913 :
1914 6 : static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx)
1915 : {
1916 6 : struct hostapd_data *hapd = eloop_ctx;
1917 6 : struct eapol_authenticator *eapol = hapd->eapol_auth;
1918 :
1919 6 : if (eapol->default_wep_key_idx >= 3)
1920 0 : eapol->default_wep_key_idx =
1921 0 : hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
1922 : else
1923 6 : eapol->default_wep_key_idx++;
1924 :
1925 6 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
1926 6 : eapol->default_wep_key_idx);
1927 :
1928 6 : if (ieee802_1x_rekey_broadcast(hapd)) {
1929 0 : hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1930 : HOSTAPD_LEVEL_WARNING, "failed to generate a "
1931 : "new broadcast key");
1932 0 : os_free(eapol->default_wep_key);
1933 0 : eapol->default_wep_key = NULL;
1934 0 : return;
1935 : }
1936 :
1937 : /* TODO: Could setup key for RX here, but change default TX keyid only
1938 : * after new broadcast key has been sent to all stations. */
1939 12 : if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
1940 : broadcast_ether_addr,
1941 6 : eapol->default_wep_key_idx, 1, NULL, 0,
1942 6 : eapol->default_wep_key,
1943 6 : hapd->conf->default_wep_key_len)) {
1944 0 : hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1945 : HOSTAPD_LEVEL_WARNING, "failed to configure a "
1946 : "new broadcast key");
1947 0 : os_free(eapol->default_wep_key);
1948 0 : eapol->default_wep_key = NULL;
1949 0 : return;
1950 : }
1951 :
1952 6 : ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
1953 :
1954 6 : if (hapd->conf->wep_rekeying_period > 0) {
1955 6 : eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
1956 : ieee802_1x_rekey, hapd, NULL);
1957 : }
1958 : }
1959 :
1960 :
1961 14780 : static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type,
1962 : const u8 *data, size_t datalen)
1963 : {
1964 : #ifdef CONFIG_WPS
1965 14780 : struct sta_info *sta = sta_ctx;
1966 :
1967 14780 : if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
1968 : WLAN_STA_MAYBE_WPS) {
1969 : const u8 *identity;
1970 : size_t identity_len;
1971 0 : struct eapol_state_machine *sm = sta->eapol_sm;
1972 :
1973 0 : identity = eap_get_identity(sm->eap, &identity_len);
1974 0 : if (identity &&
1975 0 : ((identity_len == WSC_ID_ENROLLEE_LEN &&
1976 0 : os_memcmp(identity, WSC_ID_ENROLLEE,
1977 0 : WSC_ID_ENROLLEE_LEN) == 0) ||
1978 0 : (identity_len == WSC_ID_REGISTRAR_LEN &&
1979 0 : os_memcmp(identity, WSC_ID_REGISTRAR,
1980 : WSC_ID_REGISTRAR_LEN) == 0))) {
1981 0 : wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
1982 : "WLAN_STA_WPS");
1983 0 : sta->flags |= WLAN_STA_WPS;
1984 : }
1985 : }
1986 : #endif /* CONFIG_WPS */
1987 :
1988 14780 : ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
1989 14780 : }
1990 :
1991 :
1992 7275 : static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx,
1993 : const u8 *data, size_t datalen)
1994 : {
1995 : #ifndef CONFIG_NO_RADIUS
1996 7275 : struct hostapd_data *hapd = ctx;
1997 7275 : struct sta_info *sta = sta_ctx;
1998 :
1999 7275 : ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
2000 : #endif /* CONFIG_NO_RADIUS */
2001 7275 : }
2002 :
2003 :
2004 2013 : static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success,
2005 : int preauth, int remediation)
2006 : {
2007 2013 : struct hostapd_data *hapd = ctx;
2008 2013 : struct sta_info *sta = sta_ctx;
2009 2013 : if (preauth)
2010 7 : rsn_preauth_finished(hapd, sta, success);
2011 : else
2012 2006 : ieee802_1x_finished(hapd, sta, success, remediation);
2013 2013 : }
2014 :
2015 :
2016 1074 : static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity,
2017 : size_t identity_len, int phase2,
2018 : struct eap_user *user)
2019 : {
2020 1074 : struct hostapd_data *hapd = ctx;
2021 : const struct hostapd_eap_user *eap_user;
2022 : int i;
2023 1074 : int rv = -1;
2024 :
2025 1074 : eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2);
2026 1074 : if (eap_user == NULL)
2027 1 : goto out;
2028 :
2029 1073 : os_memset(user, 0, sizeof(*user));
2030 1073 : user->phase2 = phase2;
2031 9657 : for (i = 0; i < EAP_MAX_METHODS; i++) {
2032 8584 : user->methods[i].vendor = eap_user->methods[i].vendor;
2033 8584 : user->methods[i].method = eap_user->methods[i].method;
2034 : }
2035 :
2036 1073 : if (eap_user->password) {
2037 364 : user->password = os_malloc(eap_user->password_len);
2038 364 : if (user->password == NULL)
2039 3 : goto out;
2040 361 : os_memcpy(user->password, eap_user->password,
2041 : eap_user->password_len);
2042 361 : user->password_len = eap_user->password_len;
2043 361 : user->password_hash = eap_user->password_hash;
2044 : }
2045 1070 : user->force_version = eap_user->force_version;
2046 1070 : user->macacl = eap_user->macacl;
2047 1070 : user->ttls_auth = eap_user->ttls_auth;
2048 1070 : user->remediation = eap_user->remediation;
2049 1070 : rv = 0;
2050 :
2051 : out:
2052 1074 : if (rv)
2053 4 : wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);
2054 :
2055 1074 : return rv;
2056 : }
2057 :
2058 :
2059 588030 : static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr)
2060 : {
2061 588030 : struct hostapd_data *hapd = ctx;
2062 : struct sta_info *sta;
2063 588030 : sta = ap_get_sta(hapd, addr);
2064 588030 : if (sta == NULL || sta->eapol_sm == NULL)
2065 10792 : return 0;
2066 577238 : return 1;
2067 : }
2068 :
2069 :
2070 17358 : static void ieee802_1x_logger(void *ctx, const u8 *addr,
2071 : eapol_logger_level level, const char *txt)
2072 : {
2073 : #ifndef CONFIG_NO_HOSTAPD_LOGGER
2074 17358 : struct hostapd_data *hapd = ctx;
2075 : int hlevel;
2076 :
2077 17358 : switch (level) {
2078 : case EAPOL_LOGGER_WARNING:
2079 753 : hlevel = HOSTAPD_LEVEL_WARNING;
2080 753 : break;
2081 : case EAPOL_LOGGER_INFO:
2082 1827 : hlevel = HOSTAPD_LEVEL_INFO;
2083 1827 : break;
2084 : case EAPOL_LOGGER_DEBUG:
2085 : default:
2086 14778 : hlevel = HOSTAPD_LEVEL_DEBUG;
2087 14778 : break;
2088 : }
2089 :
2090 17358 : hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
2091 : txt);
2092 : #endif /* CONFIG_NO_HOSTAPD_LOGGER */
2093 17358 : }
2094 :
2095 :
2096 4840 : static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx,
2097 : int authorized)
2098 : {
2099 4840 : struct hostapd_data *hapd = ctx;
2100 4840 : struct sta_info *sta = sta_ctx;
2101 4840 : ieee802_1x_set_sta_authorized(hapd, sta, authorized);
2102 4840 : }
2103 :
2104 :
2105 2773 : static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx)
2106 : {
2107 2773 : struct hostapd_data *hapd = ctx;
2108 2773 : struct sta_info *sta = sta_ctx;
2109 2773 : ieee802_1x_abort_auth(hapd, sta);
2110 2773 : }
2111 :
2112 :
2113 8 : static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx)
2114 : {
2115 : #ifndef CONFIG_FIPS
2116 : #ifndef CONFIG_NO_RC4
2117 8 : struct hostapd_data *hapd = ctx;
2118 8 : struct sta_info *sta = sta_ctx;
2119 8 : ieee802_1x_tx_key(hapd, sta);
2120 : #endif /* CONFIG_NO_RC4 */
2121 : #endif /* CONFIG_FIPS */
2122 8 : }
2123 :
2124 :
2125 34527 : static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx,
2126 : enum eapol_event type)
2127 : {
2128 : /* struct hostapd_data *hapd = ctx; */
2129 34527 : struct sta_info *sta = sta_ctx;
2130 34527 : switch (type) {
2131 : case EAPOL_AUTH_SM_CHANGE:
2132 34526 : wpa_auth_sm_notify(sta->wpa_sm);
2133 34526 : break;
2134 : case EAPOL_AUTH_REAUTHENTICATE:
2135 1 : wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
2136 1 : break;
2137 : }
2138 34527 : }
2139 :
2140 :
2141 : #ifdef CONFIG_ERP
2142 :
2143 : static struct eap_server_erp_key *
2144 11 : ieee802_1x_erp_get_key(void *ctx, const char *keyname)
2145 : {
2146 11 : struct hostapd_data *hapd = ctx;
2147 : struct eap_server_erp_key *erp;
2148 :
2149 11 : dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key,
2150 : list) {
2151 10 : if (os_strcmp(erp->keyname_nai, keyname) == 0)
2152 10 : return erp;
2153 : }
2154 :
2155 1 : return NULL;
2156 : }
2157 :
2158 :
2159 24 : static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
2160 : {
2161 24 : struct hostapd_data *hapd = ctx;
2162 :
2163 24 : dl_list_add(&hapd->erp_keys, &erp->list);
2164 24 : return 0;
2165 : }
2166 :
2167 : #endif /* CONFIG_ERP */
2168 :
2169 :
2170 2652 : int ieee802_1x_init(struct hostapd_data *hapd)
2171 : {
2172 : int i;
2173 : struct eapol_auth_config conf;
2174 : struct eapol_auth_cb cb;
2175 :
2176 2652 : dl_list_init(&hapd->erp_keys);
2177 :
2178 2652 : os_memset(&conf, 0, sizeof(conf));
2179 2652 : conf.ctx = hapd;
2180 2652 : conf.eap_reauth_period = hapd->conf->eap_reauth_period;
2181 2652 : conf.wpa = hapd->conf->wpa;
2182 2652 : conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
2183 2652 : conf.eap_server = hapd->conf->eap_server;
2184 2652 : conf.ssl_ctx = hapd->ssl_ctx;
2185 2652 : conf.msg_ctx = hapd->msg_ctx;
2186 2652 : conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
2187 2652 : conf.eap_req_id_text = hapd->conf->eap_req_id_text;
2188 2652 : conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
2189 2652 : conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
2190 2652 : conf.erp_domain = hapd->conf->erp_domain;
2191 2652 : conf.erp = hapd->conf->eap_server_erp;
2192 2652 : conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
2193 2652 : conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
2194 2652 : conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
2195 2652 : conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
2196 2652 : conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
2197 2652 : conf.eap_fast_prov = hapd->conf->eap_fast_prov;
2198 2652 : conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
2199 2652 : conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
2200 2652 : conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
2201 2652 : conf.tnc = hapd->conf->tnc;
2202 2652 : conf.wps = hapd->wps;
2203 2652 : conf.fragment_size = hapd->conf->fragment_size;
2204 2652 : conf.pwd_group = hapd->conf->pwd_group;
2205 2652 : conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
2206 2652 : if (hapd->conf->server_id) {
2207 13 : conf.server_id = (const u8 *) hapd->conf->server_id;
2208 13 : conf.server_id_len = os_strlen(hapd->conf->server_id);
2209 : } else {
2210 2639 : conf.server_id = (const u8 *) "hostapd";
2211 2639 : conf.server_id_len = 7;
2212 : }
2213 :
2214 2652 : os_memset(&cb, 0, sizeof(cb));
2215 2652 : cb.eapol_send = ieee802_1x_eapol_send;
2216 2652 : cb.aaa_send = ieee802_1x_aaa_send;
2217 2652 : cb.finished = _ieee802_1x_finished;
2218 2652 : cb.get_eap_user = ieee802_1x_get_eap_user;
2219 2652 : cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
2220 2652 : cb.logger = ieee802_1x_logger;
2221 2652 : cb.set_port_authorized = ieee802_1x_set_port_authorized;
2222 2652 : cb.abort_auth = _ieee802_1x_abort_auth;
2223 2652 : cb.tx_key = _ieee802_1x_tx_key;
2224 2652 : cb.eapol_event = ieee802_1x_eapol_event;
2225 : #ifdef CONFIG_ERP
2226 2652 : cb.erp_get_key = ieee802_1x_erp_get_key;
2227 2652 : cb.erp_add_key = ieee802_1x_erp_add_key;
2228 : #endif /* CONFIG_ERP */
2229 :
2230 2652 : hapd->eapol_auth = eapol_auth_init(&conf, &cb);
2231 2652 : if (hapd->eapol_auth == NULL)
2232 1 : return -1;
2233 :
2234 4256 : if ((hapd->conf->ieee802_1x || hapd->conf->wpa) &&
2235 1605 : hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
2236 0 : return -1;
2237 :
2238 : #ifndef CONFIG_NO_RADIUS
2239 2039 : if (radius_client_register(hapd->radius, RADIUS_AUTH,
2240 : ieee802_1x_receive_auth, hapd))
2241 0 : return -1;
2242 : #endif /* CONFIG_NO_RADIUS */
2243 :
2244 2651 : if (hapd->conf->default_wep_key_len) {
2245 30 : for (i = 0; i < 4; i++)
2246 24 : hostapd_drv_set_key(hapd->conf->iface, hapd,
2247 : WPA_ALG_NONE, NULL, i, 0, NULL, 0,
2248 : NULL, 0);
2249 :
2250 6 : ieee802_1x_rekey(hapd, NULL);
2251 :
2252 6 : if (hapd->eapol_auth->default_wep_key == NULL)
2253 0 : return -1;
2254 : }
2255 :
2256 2651 : return 0;
2257 : }
2258 :
2259 :
2260 2660 : void ieee802_1x_erp_flush(struct hostapd_data *hapd)
2261 : {
2262 : struct eap_server_erp_key *erp;
2263 :
2264 5344 : while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key,
2265 : list)) != NULL) {
2266 24 : dl_list_del(&erp->list);
2267 24 : bin_clear_free(erp, sizeof(*erp));
2268 : }
2269 2660 : }
2270 :
2271 :
2272 2659 : void ieee802_1x_deinit(struct hostapd_data *hapd)
2273 : {
2274 2659 : eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
2275 :
2276 5316 : if (hapd->driver && hapd->drv_priv &&
2277 4641 : (hapd->conf->ieee802_1x || hapd->conf->wpa))
2278 1693 : hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
2279 :
2280 2659 : eapol_auth_deinit(hapd->eapol_auth);
2281 2659 : hapd->eapol_auth = NULL;
2282 :
2283 2659 : ieee802_1x_erp_flush(hapd);
2284 2659 : }
2285 :
2286 :
2287 2092 : int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
2288 : const u8 *buf, size_t len, int ack)
2289 : {
2290 : struct ieee80211_hdr *hdr;
2291 : u8 *pos;
2292 2092 : const unsigned char rfc1042_hdr[ETH_ALEN] =
2293 : { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
2294 :
2295 2092 : if (sta == NULL)
2296 0 : return -1;
2297 2092 : if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2)
2298 507 : return 0;
2299 :
2300 1585 : hdr = (struct ieee80211_hdr *) buf;
2301 1585 : pos = (u8 *) (hdr + 1);
2302 1585 : if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
2303 1585 : return 0;
2304 0 : pos += sizeof(rfc1042_hdr);
2305 0 : if (WPA_GET_BE16(pos) != ETH_P_PAE)
2306 0 : return 0;
2307 0 : pos += 2;
2308 :
2309 0 : return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos,
2310 : ack);
2311 : }
2312 :
2313 :
2314 15867 : int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
2315 : const u8 *buf, int len, int ack)
2316 : {
2317 15867 : const struct ieee802_1x_hdr *xhdr =
2318 : (const struct ieee802_1x_hdr *) buf;
2319 15867 : const u8 *pos = buf + sizeof(*xhdr);
2320 : struct ieee802_1x_eapol_key *key;
2321 :
2322 15867 : if (len < (int) sizeof(*xhdr))
2323 0 : return 0;
2324 142803 : wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
2325 : "type=%d length=%d - ack=%d",
2326 126936 : MAC2STR(sta->addr), xhdr->version, xhdr->type,
2327 15867 : be_to_host16(xhdr->length), ack);
2328 :
2329 15867 : if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY)
2330 12077 : return 0;
2331 :
2332 3790 : if (pos + sizeof(struct wpa_eapol_key) <= buf + len) {
2333 : const struct wpa_eapol_key *wpa;
2334 3776 : wpa = (const struct wpa_eapol_key *) pos;
2335 3861 : if (wpa->type == EAPOL_KEY_TYPE_RSN ||
2336 85 : wpa->type == EAPOL_KEY_TYPE_WPA)
2337 3776 : wpa_auth_eapol_key_tx_status(hapd->wpa_auth,
2338 : sta->wpa_sm, ack);
2339 : }
2340 :
2341 : /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
2342 : * or Authenticator state machines, but EAPOL-Key packets are not
2343 : * retransmitted in case of failure. Try to re-send failed EAPOL-Key
2344 : * packets couple of times because otherwise STA keys become
2345 : * unsynchronized with AP. */
2346 3790 : if (!ack && pos + sizeof(*key) <= buf + len) {
2347 1 : key = (struct ieee802_1x_eapol_key *) pos;
2348 2 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
2349 : HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
2350 : "frame (%scast index=%d)",
2351 1 : key->key_index & BIT(7) ? "uni" : "broad",
2352 1 : key->key_index & ~BIT(7));
2353 : /* TODO: re-send EAPOL-Key couple of times (with short delay
2354 : * between them?). If all attempt fail, report error and
2355 : * deauthenticate STA so that it will get new keys when
2356 : * authenticating again (e.g., after returning in range).
2357 : * Separate limit/transmit state needed both for unicast and
2358 : * broadcast keys(?) */
2359 : }
2360 : /* TODO: could move unicast key configuration from ieee802_1x_tx_key()
2361 : * to here and change the key only if the EAPOL-Key packet was Acked.
2362 : */
2363 :
2364 3790 : return 1;
2365 : }
2366 :
2367 :
2368 481 : u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len)
2369 : {
2370 481 : if (sm == NULL || sm->identity == NULL)
2371 14 : return NULL;
2372 :
2373 467 : *len = sm->identity_len;
2374 467 : return sm->identity;
2375 : }
2376 :
2377 :
2378 486 : u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len,
2379 : int idx)
2380 : {
2381 510 : if (sm == NULL || sm->radius_class.attr == NULL ||
2382 24 : idx >= (int) sm->radius_class.count)
2383 474 : return NULL;
2384 :
2385 12 : *len = sm->radius_class.attr[idx].len;
2386 12 : return sm->radius_class.attr[idx].data;
2387 : }
2388 :
2389 :
2390 477 : struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm)
2391 : {
2392 477 : if (sm == NULL)
2393 14 : return NULL;
2394 463 : return sm->radius_cui;
2395 : }
2396 :
2397 :
2398 3260 : const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len)
2399 : {
2400 3260 : *len = 0;
2401 3260 : if (sm == NULL)
2402 0 : return NULL;
2403 :
2404 3260 : *len = sm->eap_if->eapKeyDataLen;
2405 3260 : return sm->eap_if->eapKeyData;
2406 : }
2407 :
2408 :
2409 18809 : void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
2410 : int enabled)
2411 : {
2412 18809 : if (sm == NULL)
2413 24627 : return;
2414 12991 : sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
2415 12991 : eapol_auth_step(sm);
2416 : }
2417 :
2418 :
2419 8177 : void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
2420 : int valid)
2421 : {
2422 8177 : if (sm == NULL)
2423 10682 : return;
2424 5672 : sm->portValid = valid ? TRUE : FALSE;
2425 5672 : eapol_auth_step(sm);
2426 : }
2427 :
2428 :
2429 5241 : void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
2430 : {
2431 5241 : if (sm == NULL)
2432 10313 : return;
2433 169 : if (pre_auth)
2434 0 : sm->flags |= EAPOL_SM_PREAUTH;
2435 : else
2436 169 : sm->flags &= ~EAPOL_SM_PREAUTH;
2437 : }
2438 :
2439 :
2440 22 : static const char * bool_txt(Boolean val)
2441 : {
2442 22 : return val ? "TRUE" : "FALSE";
2443 : }
2444 :
2445 :
2446 13 : int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
2447 : {
2448 : /* TODO */
2449 13 : return 0;
2450 : }
2451 :
2452 :
2453 221 : int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
2454 : char *buf, size_t buflen)
2455 : {
2456 221 : int len = 0, ret;
2457 221 : struct eapol_state_machine *sm = sta->eapol_sm;
2458 : struct os_reltime diff;
2459 : const char *name1;
2460 : const char *name2;
2461 :
2462 221 : if (sm == NULL)
2463 210 : return 0;
2464 :
2465 11 : ret = os_snprintf(buf + len, buflen - len,
2466 : "dot1xPaePortNumber=%d\n"
2467 : "dot1xPaePortProtocolVersion=%d\n"
2468 : "dot1xPaePortCapabilities=1\n"
2469 : "dot1xPaePortInitialize=%d\n"
2470 : "dot1xPaePortReauthenticate=FALSE\n",
2471 11 : sta->aid,
2472 : EAPOL_VERSION,
2473 11 : sm->initialize);
2474 11 : if (os_snprintf_error(buflen - len, ret))
2475 0 : return len;
2476 11 : len += ret;
2477 :
2478 : /* dot1xAuthConfigTable */
2479 33 : ret = os_snprintf(buf + len, buflen - len,
2480 : "dot1xAuthPaeState=%d\n"
2481 : "dot1xAuthBackendAuthState=%d\n"
2482 : "dot1xAuthAdminControlledDirections=%d\n"
2483 : "dot1xAuthOperControlledDirections=%d\n"
2484 : "dot1xAuthAuthControlledPortStatus=%d\n"
2485 : "dot1xAuthAuthControlledPortControl=%d\n"
2486 : "dot1xAuthQuietPeriod=%u\n"
2487 : "dot1xAuthServerTimeout=%u\n"
2488 : "dot1xAuthReAuthPeriod=%u\n"
2489 : "dot1xAuthReAuthEnabled=%s\n"
2490 : "dot1xAuthKeyTxEnabled=%s\n",
2491 11 : sm->auth_pae_state + 1,
2492 11 : sm->be_auth_state + 1,
2493 11 : sm->adminControlledDirections,
2494 11 : sm->operControlledDirections,
2495 11 : sm->authPortStatus,
2496 11 : sm->portControl,
2497 : sm->quietPeriod,
2498 : sm->serverTimeout,
2499 : sm->reAuthPeriod,
2500 : bool_txt(sm->reAuthEnabled),
2501 : bool_txt(sm->keyTxEnabled));
2502 11 : if (os_snprintf_error(buflen - len, ret))
2503 0 : return len;
2504 11 : len += ret;
2505 :
2506 : /* dot1xAuthStatsTable */
2507 66 : ret = os_snprintf(buf + len, buflen - len,
2508 : "dot1xAuthEapolFramesRx=%u\n"
2509 : "dot1xAuthEapolFramesTx=%u\n"
2510 : "dot1xAuthEapolStartFramesRx=%u\n"
2511 : "dot1xAuthEapolLogoffFramesRx=%u\n"
2512 : "dot1xAuthEapolRespIdFramesRx=%u\n"
2513 : "dot1xAuthEapolRespFramesRx=%u\n"
2514 : "dot1xAuthEapolReqIdFramesTx=%u\n"
2515 : "dot1xAuthEapolReqFramesTx=%u\n"
2516 : "dot1xAuthInvalidEapolFramesRx=%u\n"
2517 : "dot1xAuthEapLengthErrorFramesRx=%u\n"
2518 : "dot1xAuthLastEapolFrameVersion=%u\n"
2519 : "dot1xAuthLastEapolFrameSource=" MACSTR "\n",
2520 : sm->dot1xAuthEapolFramesRx,
2521 : sm->dot1xAuthEapolFramesTx,
2522 : sm->dot1xAuthEapolStartFramesRx,
2523 : sm->dot1xAuthEapolLogoffFramesRx,
2524 : sm->dot1xAuthEapolRespIdFramesRx,
2525 : sm->dot1xAuthEapolRespFramesRx,
2526 : sm->dot1xAuthEapolReqIdFramesTx,
2527 : sm->dot1xAuthEapolReqFramesTx,
2528 : sm->dot1xAuthInvalidEapolFramesRx,
2529 : sm->dot1xAuthEapLengthErrorFramesRx,
2530 : sm->dot1xAuthLastEapolFrameVersion,
2531 66 : MAC2STR(sm->addr));
2532 11 : if (os_snprintf_error(buflen - len, ret))
2533 0 : return len;
2534 11 : len += ret;
2535 :
2536 : /* dot1xAuthDiagTable */
2537 11 : ret = os_snprintf(buf + len, buflen - len,
2538 : "dot1xAuthEntersConnecting=%u\n"
2539 : "dot1xAuthEapLogoffsWhileConnecting=%u\n"
2540 : "dot1xAuthEntersAuthenticating=%u\n"
2541 : "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2542 : "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2543 : "dot1xAuthAuthFailWhileAuthenticating=%u\n"
2544 : "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2545 : "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2546 : "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2547 : "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2548 : "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2549 : "dot1xAuthBackendResponses=%u\n"
2550 : "dot1xAuthBackendAccessChallenges=%u\n"
2551 : "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2552 : "dot1xAuthBackendAuthSuccesses=%u\n"
2553 : "dot1xAuthBackendAuthFails=%u\n",
2554 : sm->authEntersConnecting,
2555 : sm->authEapLogoffsWhileConnecting,
2556 : sm->authEntersAuthenticating,
2557 : sm->authAuthSuccessesWhileAuthenticating,
2558 : sm->authAuthTimeoutsWhileAuthenticating,
2559 : sm->authAuthFailWhileAuthenticating,
2560 : sm->authAuthEapStartsWhileAuthenticating,
2561 : sm->authAuthEapLogoffWhileAuthenticating,
2562 : sm->authAuthReauthsWhileAuthenticated,
2563 : sm->authAuthEapStartsWhileAuthenticated,
2564 : sm->authAuthEapLogoffWhileAuthenticated,
2565 : sm->backendResponses,
2566 : sm->backendAccessChallenges,
2567 : sm->backendOtherRequestsToSupplicant,
2568 : sm->backendAuthSuccesses,
2569 : sm->backendAuthFails);
2570 11 : if (os_snprintf_error(buflen - len, ret))
2571 0 : return len;
2572 11 : len += ret;
2573 :
2574 : /* dot1xAuthSessionStatsTable */
2575 11 : os_reltime_age(&sta->acct_session_start, &diff);
2576 44 : ret = os_snprintf(buf + len, buflen - len,
2577 : /* TODO: dot1xAuthSessionOctetsRx */
2578 : /* TODO: dot1xAuthSessionOctetsTx */
2579 : /* TODO: dot1xAuthSessionFramesRx */
2580 : /* TODO: dot1xAuthSessionFramesTx */
2581 : "dot1xAuthSessionId=%016llX\n"
2582 : "dot1xAuthSessionAuthenticMethod=%d\n"
2583 : "dot1xAuthSessionTime=%u\n"
2584 : "dot1xAuthSessionTerminateCause=999\n"
2585 : "dot1xAuthSessionUserName=%s\n",
2586 11 : (unsigned long long) sta->acct_session_id,
2587 11 : (wpa_key_mgmt_wpa_ieee8021x(
2588 : wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
2589 : 1 : 2,
2590 11 : (unsigned int) diff.sec,
2591 : sm->identity);
2592 11 : if (os_snprintf_error(buflen - len, ret))
2593 0 : return len;
2594 11 : len += ret;
2595 :
2596 11 : if (sm->acct_multi_session_id) {
2597 11 : ret = os_snprintf(buf + len, buflen - len,
2598 : "authMultiSessionId=%016llX\n",
2599 : (unsigned long long)
2600 11 : sm->acct_multi_session_id);
2601 11 : if (os_snprintf_error(buflen - len, ret))
2602 0 : return len;
2603 11 : len += ret;
2604 : }
2605 :
2606 11 : name1 = eap_server_get_name(0, sm->eap_type_authsrv);
2607 11 : name2 = eap_server_get_name(0, sm->eap_type_supp);
2608 22 : ret = os_snprintf(buf + len, buflen - len,
2609 : "last_eap_type_as=%d (%s)\n"
2610 : "last_eap_type_sta=%d (%s)\n",
2611 11 : sm->eap_type_authsrv, name1,
2612 11 : sm->eap_type_supp, name2);
2613 11 : if (os_snprintf_error(buflen - len, ret))
2614 0 : return len;
2615 11 : len += ret;
2616 :
2617 11 : return len;
2618 : }
2619 :
2620 :
2621 : #ifdef CONFIG_HS20
2622 3 : static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
2623 : {
2624 3 : struct hostapd_data *hapd = eloop_ctx;
2625 3 : struct sta_info *sta = timeout_ctx;
2626 :
2627 3 : if (sta->remediation) {
2628 12 : wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to "
2629 : MACSTR " to indicate Subscription Remediation",
2630 12 : MAC2STR(sta->addr));
2631 2 : hs20_send_wnm_notification(hapd, sta->addr,
2632 2 : sta->remediation_method,
2633 2 : sta->remediation_url);
2634 2 : os_free(sta->remediation_url);
2635 2 : sta->remediation_url = NULL;
2636 : }
2637 :
2638 3 : if (sta->hs20_deauth_req) {
2639 6 : wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to "
2640 : MACSTR " to indicate imminent deauthentication",
2641 6 : MAC2STR(sta->addr));
2642 1 : hs20_send_wnm_notification_deauth_req(hapd, sta->addr,
2643 1 : sta->hs20_deauth_req);
2644 : }
2645 3 : }
2646 : #endif /* CONFIG_HS20 */
2647 :
2648 :
2649 2006 : static void ieee802_1x_finished(struct hostapd_data *hapd,
2650 : struct sta_info *sta, int success,
2651 : int remediation)
2652 : {
2653 : const u8 *key;
2654 : size_t len;
2655 : /* TODO: get PMKLifetime from WPA parameters */
2656 : static const int dot11RSNAConfigPMKLifetime = 43200;
2657 : unsigned int session_timeout;
2658 :
2659 : #ifdef CONFIG_HS20
2660 2006 : if (remediation && !sta->remediation) {
2661 0 : sta->remediation = 1;
2662 0 : os_free(sta->remediation_url);
2663 0 : sta->remediation_url =
2664 0 : os_strdup(hapd->conf->subscr_remediation_url);
2665 0 : sta->remediation_method = 1; /* SOAP-XML SPP */
2666 : }
2667 :
2668 2006 : if (success && (sta->remediation || sta->hs20_deauth_req)) {
2669 18 : wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to "
2670 18 : MACSTR " in 100 ms", MAC2STR(sta->addr));
2671 3 : eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta);
2672 3 : eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send,
2673 : hapd, sta);
2674 : }
2675 : #endif /* CONFIG_HS20 */
2676 :
2677 2006 : key = ieee802_1x_get_key(sta->eapol_sm, &len);
2678 2006 : if (sta->session_timeout_set)
2679 11 : session_timeout = sta->session_timeout;
2680 : else
2681 1995 : session_timeout = dot11RSNAConfigPMKLifetime;
2682 3210 : if (success && key && len >= PMK_LEN && !sta->remediation &&
2683 2407 : !sta->hs20_deauth_requested &&
2684 1203 : wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout,
2685 : sta->eapol_sm) == 0) {
2686 1112 : hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
2687 : HOSTAPD_LEVEL_DEBUG,
2688 : "Added PMKSA cache entry (IEEE 802.1X)");
2689 : }
2690 :
2691 2006 : if (!success) {
2692 : /*
2693 : * Many devices require deauthentication after WPS provisioning
2694 : * and some may not be be able to do that themselves, so
2695 : * disconnect the client here. In addition, this may also
2696 : * benefit IEEE 802.1X/EAPOL authentication cases, too since
2697 : * the EAPOL PAE state machine would remain in HELD state for
2698 : * considerable amount of time and some EAP methods, like
2699 : * EAP-FAST with anonymous provisioning, may require another
2700 : * EAPOL authentication to be started to complete connection.
2701 : */
2702 759 : wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force "
2703 : "disconnection after EAP-Failure");
2704 : /* Add a small sleep to increase likelihood of previously
2705 : * requested EAP-Failure TX getting out before this should the
2706 : * driver reorder operations.
2707 : */
2708 759 : os_sleep(0, 10000);
2709 759 : ap_sta_disconnect(hapd, sta, sta->addr,
2710 : WLAN_REASON_IEEE_802_1X_AUTH_FAILED);
2711 759 : hostapd_wps_eap_completed(hapd);
2712 : }
2713 2006 : }
|
