1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 #ifdef CONFIG_SQLITE 11 #include <sqlite3.h> 12 #endif /* CONFIG_SQLITE */ 13 14 #include "utils/common.h" 15 #include "utils/eloop.h" 16 #include "crypto/md5.h" 17 #include "crypto/crypto.h" 18 #include "crypto/random.h" 19 #include "common/ieee802_11_defs.h" 20 #include "radius/radius.h" 21 #include "radius/radius_client.h" 22 #include "eap_server/eap.h" 23 #include "eap_common/eap_wsc_common.h" 24 #include "eapol_auth/eapol_auth_sm.h" 25 #include "eapol_auth/eapol_auth_sm_i.h" 26 #include "p2p/p2p.h" 27 #include "hostapd.h" 28 #include "accounting.h" 29 #include "sta_info.h" 30 #include "wpa_auth.h" 31 #include "preauth_auth.h" 32 #include "pmksa_cache_auth.h" 33 #include "ap_config.h" 34 #include "ap_drv_ops.h" 35 #include "wps_hostapd.h" 36 #include "hs20.h" 37 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */ 38 #include "ieee802_11.h" 39 #include "ieee802_1x.h" 40 #include "wpa_auth_kay.h" 41 42 43 #ifdef CONFIG_HS20 44 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 45 #endif /* CONFIG_HS20 */ 46 static bool ieee802_1x_finished(struct hostapd_data *hapd, 47 struct sta_info *sta, int success, 48 bool logoff); 49 50 ieee802_1x_send(struct hostapd_data * hapd,struct sta_info * sta,u8 type,const u8 * data,size_t datalen)51 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 52 u8 type, const u8 *data, size_t datalen) 53 { 54 u8 *buf; 55 struct ieee802_1x_hdr *xhdr; 56 size_t len; 57 int encrypt = 0; 58 59 len = sizeof(*xhdr) + datalen; 60 buf = os_zalloc(len); 61 if (!buf) { 62 wpa_printf(MSG_ERROR, "malloc() failed for %s(len=%lu)", 63 __func__, (unsigned long) len); 64 return; 65 } 66 67 xhdr = (struct ieee802_1x_hdr *) buf; 68 xhdr->version = hapd->conf->eapol_version; 69 #ifdef CONFIG_MACSEC 70 if (xhdr->version > 2 && hapd->conf->macsec_policy == 0) 71 xhdr->version = 2; 72 #endif /* CONFIG_MACSEC */ 73 xhdr->type = type; 74 xhdr->length = host_to_be16(datalen); 75 76 if (datalen > 0 && data != NULL) 77 os_memcpy(xhdr + 1, data, datalen); 78 79 if (wpa_auth_pairwise_set(sta->wpa_sm)) 80 encrypt = 1; 81 #ifdef CONFIG_TESTING_OPTIONS 82 if (hapd->ext_eapol_frame_io) { 83 size_t hex_len = 2 * len + 1; 84 char *hex = os_malloc(hex_len); 85 86 if (hex) { 87 wpa_snprintf_hex(hex, hex_len, buf, len); 88 wpa_msg(hapd->msg_ctx, MSG_INFO, 89 "EAPOL-TX " MACSTR " %s", 90 MAC2STR(sta->addr), hex); 91 os_free(hex); 92 } 93 } else 94 #endif /* CONFIG_TESTING_OPTIONS */ 95 if (sta->flags & WLAN_STA_PREAUTH) { 96 rsn_preauth_send(hapd, sta, buf, len); 97 } else { 98 int link_id = -1; 99 100 #ifdef CONFIG_IEEE80211BE 101 link_id = hapd->conf->mld_ap ? hapd->mld_link_id : -1; 102 #endif /* CONFIG_IEEE80211BE */ 103 hostapd_drv_hapd_send_eapol( 104 hapd, sta->addr, buf, len, 105 encrypt, hostapd_sta_flags_to_drv(sta->flags), link_id); 106 } 107 108 os_free(buf); 109 } 110 111 ieee802_1x_set_authorized(struct hostapd_data * hapd,struct sta_info * sta,bool authorized,bool mld)112 static void ieee802_1x_set_authorized(struct hostapd_data *hapd, 113 struct sta_info *sta, 114 bool authorized, bool mld) 115 { 116 int res; 117 bool update; 118 119 if (sta->flags & WLAN_STA_PREAUTH) 120 return; 121 122 update = ap_sta_set_authorized_flag(hapd, sta, authorized); 123 res = hostapd_set_authorized(hapd, sta, authorized); 124 if (update) 125 ap_sta_set_authorized_event(hapd, sta, authorized); 126 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 127 HOSTAPD_LEVEL_DEBUG, "%sauthorizing port", 128 authorized ? "" : "un"); 129 130 if (!mld && res && errno != ENOENT) { 131 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 132 " flags for kernel driver (errno=%d).", 133 MAC2STR(sta->addr), errno); 134 } else if (mld && res) { 135 wpa_printf(MSG_DEBUG, 136 "MLD: Could not set station " MACSTR " flags", 137 MAC2STR(sta->addr)); 138 } 139 140 if (authorized) { 141 os_get_reltime(&sta->connected_time); 142 accounting_sta_start(hapd, sta); 143 } 144 } 145 146 ieee802_1x_ml_set_sta_authorized(struct hostapd_data * hapd,struct sta_info * sta,bool authorized)147 static void ieee802_1x_ml_set_sta_authorized(struct hostapd_data *hapd, 148 struct sta_info *sta, 149 bool authorized) 150 { 151 #ifdef CONFIG_IEEE80211BE 152 unsigned int i; 153 154 if (!hostapd_is_mld_ap(hapd)) 155 return; 156 157 /* 158 * Authorizing the station should be done only in the station 159 * performing the association 160 */ 161 if (authorized && hapd->mld_link_id != sta->mld_assoc_link_id) 162 return; 163 164 for (i = 0; i < hapd->iface->interfaces->count; i++) { 165 struct sta_info *tmp_sta; 166 struct mld_link_info *link; 167 struct hostapd_data *tmp_hapd = 168 hapd->iface->interfaces->iface[i]->bss[0]; 169 170 if (!hostapd_is_ml_partner(hapd, tmp_hapd)) 171 continue; 172 173 link = &sta->mld_info.links[tmp_hapd->mld_link_id]; 174 if (!link->valid) 175 continue; 176 177 for (tmp_sta = tmp_hapd->sta_list; tmp_sta; 178 tmp_sta = tmp_sta->next) { 179 if (tmp_sta == sta || 180 tmp_sta->mld_assoc_link_id != 181 sta->mld_assoc_link_id || 182 tmp_sta->aid != sta->aid) 183 continue; 184 185 ieee802_1x_set_authorized(tmp_hapd, tmp_sta, 186 authorized, true); 187 break; 188 } 189 } 190 #endif /* CONFIG_IEEE80211BE */ 191 } 192 193 194 ieee802_1x_set_sta_authorized(struct hostapd_data * hapd,struct sta_info * sta,int authorized)195 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 196 struct sta_info *sta, int authorized) 197 { 198 ieee802_1x_set_authorized(hapd, sta, authorized, false); 199 ieee802_1x_ml_set_sta_authorized(hapd, sta, !!authorized); 200 } 201 202 203 #ifdef CONFIG_WEP 204 #ifndef CONFIG_FIPS 205 #ifndef CONFIG_NO_RC4 206 ieee802_1x_tx_key_one(struct hostapd_data * hapd,struct sta_info * sta,int idx,int broadcast,u8 * key_data,size_t key_len)207 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 208 struct sta_info *sta, 209 int idx, int broadcast, 210 u8 *key_data, size_t key_len) 211 { 212 u8 *buf, *ekey; 213 struct ieee802_1x_hdr *hdr; 214 struct ieee802_1x_eapol_key *key; 215 size_t len, ekey_len; 216 struct eapol_state_machine *sm = sta->eapol_sm; 217 218 if (!sm) 219 return; 220 221 len = sizeof(*key) + key_len; 222 buf = os_zalloc(sizeof(*hdr) + len); 223 if (!buf) 224 return; 225 226 hdr = (struct ieee802_1x_hdr *) buf; 227 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 228 key->type = EAPOL_KEY_TYPE_RC4; 229 WPA_PUT_BE16(key->key_length, key_len); 230 wpa_get_ntp_timestamp(key->replay_counter); 231 if (os_memcmp(key->replay_counter, 232 hapd->last_1x_eapol_key_replay_counter, 233 IEEE8021X_REPLAY_COUNTER_LEN) <= 0) { 234 /* NTP timestamp did not increment from last EAPOL-Key frame; 235 * use previously used value + 1 instead. */ 236 inc_byte_array(hapd->last_1x_eapol_key_replay_counter, 237 IEEE8021X_REPLAY_COUNTER_LEN); 238 os_memcpy(key->replay_counter, 239 hapd->last_1x_eapol_key_replay_counter, 240 IEEE8021X_REPLAY_COUNTER_LEN); 241 } else { 242 os_memcpy(hapd->last_1x_eapol_key_replay_counter, 243 key->replay_counter, 244 IEEE8021X_REPLAY_COUNTER_LEN); 245 } 246 247 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 248 wpa_printf(MSG_ERROR, "Could not get random numbers"); 249 os_free(buf); 250 return; 251 } 252 253 key->key_index = idx | (broadcast ? 0 : BIT(7)); 254 if (hapd->conf->eapol_key_index_workaround) { 255 /* According to some information, WinXP Supplicant seems to 256 * interpret bit7 as an indication whether the key is to be 257 * activated, so make it possible to enable workaround that 258 * sets this bit for all keys. */ 259 key->key_index |= BIT(7); 260 } 261 262 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 263 * MSK[32..63] is used to sign the message. */ 264 if (!sm->eap_if->eapKeyData || sm->eap_if->eapKeyDataLen < 64) { 265 wpa_printf(MSG_ERROR, 266 "No eapKeyData available for encrypting and signing EAPOL-Key"); 267 os_free(buf); 268 return; 269 } 270 os_memcpy((u8 *) (key + 1), key_data, key_len); 271 ekey_len = sizeof(key->key_iv) + 32; 272 ekey = os_malloc(ekey_len); 273 if (!ekey) { 274 wpa_printf(MSG_ERROR, "Could not encrypt key"); 275 os_free(buf); 276 return; 277 } 278 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 279 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 280 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 281 os_free(ekey); 282 283 /* This header is needed here for HMAC-MD5, but it will be regenerated 284 * in ieee802_1x_send() */ 285 hdr->version = hapd->conf->eapol_version; 286 #ifdef CONFIG_MACSEC 287 if (hdr->version > 2) 288 hdr->version = 2; 289 #endif /* CONFIG_MACSEC */ 290 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 291 hdr->length = host_to_be16(len); 292 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 293 key->key_signature); 294 295 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 296 " (%s index=%d)", MAC2STR(sm->addr), 297 broadcast ? "broadcast" : "unicast", idx); 298 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 299 if (sta->eapol_sm) 300 sta->eapol_sm->dot1xAuthEapolFramesTx++; 301 os_free(buf); 302 } 303 304 ieee802_1x_tx_key(struct hostapd_data * hapd,struct sta_info * sta)305 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 306 { 307 struct eapol_authenticator *eapol = hapd->eapol_auth; 308 struct eapol_state_machine *sm = sta->eapol_sm; 309 310 if (!sm || !sm->eap_if->eapKeyData) 311 return; 312 313 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 314 MAC2STR(sta->addr)); 315 316 #ifndef CONFIG_NO_VLAN 317 if (sta->vlan_id > 0) { 318 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 319 return; 320 } 321 #endif /* CONFIG_NO_VLAN */ 322 323 if (eapol->default_wep_key) { 324 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 325 eapol->default_wep_key, 326 hapd->conf->default_wep_key_len); 327 } 328 329 if (hapd->conf->individual_wep_key_len > 0) { 330 u8 *ikey; 331 332 ikey = os_malloc(hapd->conf->individual_wep_key_len); 333 if (!ikey || 334 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 335 { 336 wpa_printf(MSG_ERROR, 337 "Could not generate random individual WEP key"); 338 os_free(ikey); 339 return; 340 } 341 342 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 343 ikey, hapd->conf->individual_wep_key_len); 344 345 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 346 hapd->conf->individual_wep_key_len); 347 348 /* TODO: set encryption in TX callback, i.e., only after STA 349 * has ACKed EAPOL-Key frame */ 350 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 351 sta->addr, 0, 0, 1, NULL, 0, ikey, 352 hapd->conf->individual_wep_key_len, 353 KEY_FLAG_PAIRWISE_RX_TX)) { 354 wpa_printf(MSG_ERROR, 355 "Could not set individual WEP encryption"); 356 } 357 358 os_free(ikey); 359 } 360 } 361 362 #endif /* CONFIG_NO_RC4 */ 363 #endif /* CONFIG_FIPS */ 364 #endif /* CONFIG_WEP */ 365 366 radius_mode_txt(struct hostapd_data * hapd)367 const char *radius_mode_txt(struct hostapd_data *hapd) 368 { 369 switch (hapd->iface->conf->hw_mode) { 370 case HOSTAPD_MODE_IEEE80211AD: 371 return "802.11ad"; 372 case HOSTAPD_MODE_IEEE80211A: 373 return "802.11a"; 374 case HOSTAPD_MODE_IEEE80211G: 375 return "802.11g"; 376 case HOSTAPD_MODE_IEEE80211B: 377 default: 378 return "802.11b"; 379 } 380 } 381 382 radius_sta_rate(struct hostapd_data * hapd,struct sta_info * sta)383 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 384 { 385 int i; 386 u8 rate = 0; 387 388 for (i = 0; i < sta->supported_rates_len; i++) 389 if ((sta->supported_rates[i] & 0x7f) > rate) 390 rate = sta->supported_rates[i] & 0x7f; 391 392 return rate; 393 } 394 395 396 #ifndef CONFIG_NO_RADIUS ieee802_1x_learn_identity(struct hostapd_data * hapd,struct eapol_state_machine * sm,const u8 * eap,size_t len)397 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 398 struct eapol_state_machine *sm, 399 const u8 *eap, size_t len) 400 { 401 const u8 *identity; 402 size_t identity_len; 403 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 404 405 if (len <= sizeof(struct eap_hdr) || 406 (hdr->code == EAP_CODE_RESPONSE && 407 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 408 (hdr->code == EAP_CODE_INITIATE && 409 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 410 (hdr->code != EAP_CODE_RESPONSE && 411 hdr->code != EAP_CODE_INITIATE)) 412 return; 413 414 eap_erp_update_identity(sm->eap, eap, len); 415 identity = eap_get_identity(sm->eap, &identity_len); 416 if (!identity) 417 return; 418 419 /* Save station identity for future RADIUS packets */ 420 os_free(sm->identity); 421 sm->identity = (u8 *) dup_binstr(identity, identity_len); 422 if (!sm->identity) { 423 sm->identity_len = 0; 424 return; 425 } 426 427 sm->identity_len = identity_len; 428 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 429 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 430 sm->dot1xAuthEapolRespIdFramesRx++; 431 } 432 433 add_common_radius_sta_attr_rsn(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)434 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 435 struct hostapd_radius_attr *req_attr, 436 struct sta_info *sta, 437 struct radius_msg *msg) 438 { 439 u32 suite; 440 int ver, val; 441 442 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 443 val = wpa_auth_get_pairwise(sta->wpa_sm); 444 suite = wpa_cipher_to_suite(ver, val); 445 if (val != -1 && 446 !hostapd_config_get_radius_attr(req_attr, 447 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 448 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 449 suite)) { 450 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 451 return -1; 452 } 453 454 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2)) ? 455 WPA_PROTO_RSN : WPA_PROTO_WPA, 456 hapd->conf->wpa_group); 457 if (!hostapd_config_get_radius_attr(req_attr, 458 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 459 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 460 suite)) { 461 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 462 return -1; 463 } 464 465 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 466 suite = wpa_akm_to_suite(val); 467 if (val != -1 && 468 !hostapd_config_get_radius_attr(req_attr, 469 RADIUS_ATTR_WLAN_AKM_SUITE) && 470 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 471 suite)) { 472 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 473 return -1; 474 } 475 476 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 477 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 478 hapd->conf->group_mgmt_cipher); 479 if (!hostapd_config_get_radius_attr( 480 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 481 !radius_msg_add_attr_int32( 482 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 483 wpa_printf(MSG_ERROR, 484 "Could not add WLAN-Group-Mgmt-Cipher"); 485 return -1; 486 } 487 } 488 489 return 0; 490 } 491 492 add_common_radius_sta_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)493 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 494 struct hostapd_radius_attr *req_attr, 495 struct sta_info *sta, 496 struct radius_msg *msg) 497 { 498 char buf[128]; 499 500 if (!hostapd_config_get_radius_attr(req_attr, 501 RADIUS_ATTR_SERVICE_TYPE) && 502 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 503 RADIUS_SERVICE_TYPE_FRAMED)) { 504 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 505 return -1; 506 } 507 508 if (!hostapd_config_get_radius_attr(req_attr, 509 RADIUS_ATTR_NAS_PORT) && 510 sta->aid > 0 && 511 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 512 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 513 return -1; 514 } 515 516 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 517 MAC2STR(sta->addr)); 518 buf[sizeof(buf) - 1] = '\0'; 519 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 520 (u8 *) buf, os_strlen(buf))) { 521 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 522 return -1; 523 } 524 525 if (sta->flags & WLAN_STA_PREAUTH) { 526 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 527 sizeof(buf)); 528 } else { 529 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 530 radius_sta_rate(hapd, sta) / 2, 531 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 532 radius_mode_txt(hapd)); 533 buf[sizeof(buf) - 1] = '\0'; 534 } 535 if (!hostapd_config_get_radius_attr(req_attr, 536 RADIUS_ATTR_CONNECT_INFO) && 537 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 538 (u8 *) buf, os_strlen(buf))) { 539 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 540 return -1; 541 } 542 543 if (sta->acct_session_id) { 544 os_snprintf(buf, sizeof(buf), "%016llX", 545 (unsigned long long) sta->acct_session_id); 546 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 547 (u8 *) buf, os_strlen(buf))) { 548 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 549 return -1; 550 } 551 } 552 553 if ((hapd->conf->wpa & 2) && 554 !hapd->conf->disable_pmksa_caching && 555 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 556 os_snprintf(buf, sizeof(buf), "%016llX", 557 (unsigned long long) 558 sta->eapol_sm->acct_multi_session_id); 559 if (!radius_msg_add_attr( 560 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 561 (u8 *) buf, os_strlen(buf))) { 562 wpa_printf(MSG_INFO, 563 "Could not add Acct-Multi-Session-Id"); 564 return -1; 565 } 566 } 567 568 #ifdef CONFIG_IEEE80211R_AP 569 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 570 sta->wpa_sm && 571 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 572 sta->auth_alg == WLAN_AUTH_FT) && 573 !hostapd_config_get_radius_attr(req_attr, 574 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 575 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 576 WPA_GET_BE16( 577 hapd->conf->mobility_domain))) { 578 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 579 return -1; 580 } 581 #endif /* CONFIG_IEEE80211R_AP */ 582 583 if (hapd->conf->wpa && sta->wpa_sm && 584 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 585 return -1; 586 587 return 0; 588 } 589 590 add_common_radius_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)591 int add_common_radius_attr(struct hostapd_data *hapd, 592 struct hostapd_radius_attr *req_attr, 593 struct sta_info *sta, 594 struct radius_msg *msg) 595 { 596 char buf[128]; 597 struct hostapd_radius_attr *attr; 598 int len; 599 600 if (!hostapd_config_get_radius_attr(req_attr, 601 RADIUS_ATTR_NAS_IP_ADDRESS) && 602 hapd->conf->own_ip_addr.af == AF_INET && 603 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 604 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 605 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 606 return -1; 607 } 608 609 #ifdef CONFIG_IPV6 610 if (!hostapd_config_get_radius_attr(req_attr, 611 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 612 hapd->conf->own_ip_addr.af == AF_INET6 && 613 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 614 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 615 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 616 return -1; 617 } 618 #endif /* CONFIG_IPV6 */ 619 620 if (!hostapd_config_get_radius_attr(req_attr, 621 RADIUS_ATTR_NAS_IDENTIFIER) && 622 hapd->conf->nas_identifier && 623 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 624 (u8 *) hapd->conf->nas_identifier, 625 os_strlen(hapd->conf->nas_identifier))) { 626 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 627 return -1; 628 } 629 630 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 631 MAC2STR(hapd->own_addr)); 632 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 633 hapd->conf->ssid.ssid_len); 634 len += hapd->conf->ssid.ssid_len; 635 if (!hostapd_config_get_radius_attr(req_attr, 636 RADIUS_ATTR_CALLED_STATION_ID) && 637 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 638 (u8 *) buf, len)) { 639 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 640 return -1; 641 } 642 643 if (!hostapd_config_get_radius_attr(req_attr, 644 RADIUS_ATTR_NAS_PORT_TYPE) && 645 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 646 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 647 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 648 return -1; 649 } 650 651 #ifdef CONFIG_INTERWORKING 652 if (hapd->conf->interworking && 653 !is_zero_ether_addr(hapd->conf->hessid)) { 654 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 655 MAC2STR(hapd->conf->hessid)); 656 buf[sizeof(buf) - 1] = '\0'; 657 if (!hostapd_config_get_radius_attr(req_attr, 658 RADIUS_ATTR_WLAN_HESSID) && 659 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 660 (u8 *) buf, os_strlen(buf))) { 661 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 662 return -1; 663 } 664 } 665 #endif /* CONFIG_INTERWORKING */ 666 667 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 668 return -1; 669 670 for (attr = req_attr; attr; attr = attr->next) { 671 if (!radius_msg_add_attr(msg, attr->type, 672 wpabuf_head(attr->val), 673 wpabuf_len(attr->val))) { 674 wpa_printf(MSG_ERROR, "Could not add RADIUS attribute"); 675 return -1; 676 } 677 } 678 679 return 0; 680 } 681 682 add_sqlite_radius_attr(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg,int acct)683 int add_sqlite_radius_attr(struct hostapd_data *hapd, struct sta_info *sta, 684 struct radius_msg *msg, int acct) 685 { 686 #ifdef CONFIG_SQLITE 687 const char *attrtxt; 688 char addrtxt[3 * ETH_ALEN]; 689 char *sql; 690 sqlite3_stmt *stmt = NULL; 691 692 if (!hapd->rad_attr_db) 693 return 0; 694 695 os_snprintf(addrtxt, sizeof(addrtxt), MACSTR, MAC2STR(sta->addr)); 696 697 sql = "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);"; 698 if (sqlite3_prepare_v2(hapd->rad_attr_db, sql, os_strlen(sql), &stmt, 699 NULL) != SQLITE_OK) { 700 wpa_printf(MSG_ERROR, "DB: Failed to prepare SQL statement: %s", 701 sqlite3_errmsg(hapd->rad_attr_db)); 702 return -1; 703 } 704 sqlite3_bind_text(stmt, 1, addrtxt, os_strlen(addrtxt), SQLITE_STATIC); 705 sqlite3_bind_text(stmt, 2, acct ? "acct" : "auth", 4, SQLITE_STATIC); 706 while (sqlite3_step(stmt) == SQLITE_ROW) { 707 struct hostapd_radius_attr *attr; 708 struct radius_attr_hdr *hdr; 709 710 attrtxt = (const char *) sqlite3_column_text(stmt, 0); 711 attr = hostapd_parse_radius_attr(attrtxt); 712 if (!attr) { 713 wpa_printf(MSG_ERROR, 714 "Skipping invalid attribute from SQL: %s", 715 attrtxt); 716 continue; 717 } 718 wpa_printf(MSG_DEBUG, "Adding RADIUS attribute from SQL: %s", 719 attrtxt); 720 hdr = radius_msg_add_attr(msg, attr->type, 721 wpabuf_head(attr->val), 722 wpabuf_len(attr->val)); 723 hostapd_config_free_radius_attr(attr); 724 if (!hdr) { 725 wpa_printf(MSG_ERROR, 726 "Could not add RADIUS attribute from SQL"); 727 continue; 728 } 729 } 730 731 sqlite3_reset(stmt); 732 sqlite3_clear_bindings(stmt); 733 sqlite3_finalize(stmt); 734 #endif /* CONFIG_SQLITE */ 735 736 return 0; 737 } 738 739 ieee802_1x_encapsulate_radius(struct hostapd_data * hapd,struct sta_info * sta,const u8 * eap,size_t len)740 void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 741 struct sta_info *sta, 742 const u8 *eap, size_t len) 743 { 744 struct radius_msg *msg; 745 struct eapol_state_machine *sm = sta->eapol_sm; 746 747 if (!sm) 748 return; 749 750 ieee802_1x_learn_identity(hapd, sm, eap, len); 751 752 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS packet"); 753 754 sm->radius_identifier = radius_client_get_id(hapd->radius); 755 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 756 sm->radius_identifier); 757 if (!msg) { 758 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 759 return; 760 } 761 762 if (radius_msg_make_authenticator(msg) < 0) { 763 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 764 goto fail; 765 } 766 767 if (!radius_msg_add_msg_auth(msg)) 768 goto fail; 769 770 if (sm->identity && 771 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 772 sm->identity, sm->identity_len)) { 773 wpa_printf(MSG_INFO, "Could not add User-Name"); 774 goto fail; 775 } 776 777 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 778 msg) < 0) 779 goto fail; 780 781 if (sta && add_sqlite_radius_attr(hapd, sta, msg, 0) < 0) 782 goto fail; 783 784 /* TODO: should probably check MTU from driver config; 2304 is max for 785 * IEEE 802.11, but use 1400 to avoid problems with too large packets 786 */ 787 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 788 RADIUS_ATTR_FRAMED_MTU) && 789 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 790 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 791 goto fail; 792 } 793 794 if (!radius_msg_add_eap(msg, eap, len)) { 795 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 796 goto fail; 797 } 798 799 /* State attribute must be copied if and only if this packet is 800 * Access-Request reply to the previous Access-Challenge */ 801 if (sm->last_recv_radius && 802 radius_msg_get_hdr(sm->last_recv_radius)->code == 803 RADIUS_CODE_ACCESS_CHALLENGE) { 804 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 805 RADIUS_ATTR_STATE); 806 if (res < 0) { 807 wpa_printf(MSG_INFO, 808 "Could not copy State attribute from previous Access-Challenge"); 809 goto fail; 810 } 811 if (res > 0) 812 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 813 } 814 815 if (hapd->conf->radius_request_cui) { 816 const u8 *cui; 817 size_t cui_len; 818 /* Add previously learned CUI or nul CUI to request CUI */ 819 if (sm->radius_cui) { 820 cui = wpabuf_head(sm->radius_cui); 821 cui_len = wpabuf_len(sm->radius_cui); 822 } else { 823 cui = (const u8 *) "\0"; 824 cui_len = 1; 825 } 826 if (!radius_msg_add_attr(msg, 827 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 828 cui, cui_len)) { 829 wpa_printf(MSG_ERROR, "Could not add CUI"); 830 goto fail; 831 } 832 } 833 834 #ifdef CONFIG_HS20 835 if (hapd->conf->hs20) { 836 u8 ver = hapd->conf->hs20_release - 1; 837 838 if (!radius_msg_add_wfa( 839 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 840 &ver, 1)) { 841 wpa_printf(MSG_ERROR, 842 "Could not add HS 2.0 AP version"); 843 goto fail; 844 } 845 846 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 847 const u8 *pos; 848 u8 buf[3]; 849 u16 id; 850 851 pos = wpabuf_head_u8(sta->hs20_ie); 852 buf[0] = (*pos) >> 4; 853 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 854 wpabuf_len(sta->hs20_ie) >= 3) 855 id = WPA_GET_LE16(pos + 1); 856 else 857 id = 0; 858 WPA_PUT_BE16(buf + 1, id); 859 if (!radius_msg_add_wfa( 860 msg, 861 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 862 buf, sizeof(buf))) { 863 wpa_printf(MSG_ERROR, 864 "Could not add HS 2.0 STA version"); 865 goto fail; 866 } 867 } 868 869 if (sta->roaming_consortium && 870 !radius_msg_add_wfa( 871 msg, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM, 872 wpabuf_head(sta->roaming_consortium), 873 wpabuf_len(sta->roaming_consortium))) { 874 wpa_printf(MSG_ERROR, 875 "Could not add HS 2.0 Roaming Consortium"); 876 goto fail; 877 } 878 879 if (hapd->conf->t_c_filename) { 880 be32 timestamp; 881 882 if (!radius_msg_add_wfa( 883 msg, 884 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME, 885 (const u8 *) hapd->conf->t_c_filename, 886 os_strlen(hapd->conf->t_c_filename))) { 887 wpa_printf(MSG_ERROR, 888 "Could not add HS 2.0 T&C Filename"); 889 goto fail; 890 } 891 892 timestamp = host_to_be32(hapd->conf->t_c_timestamp); 893 if (!radius_msg_add_wfa( 894 msg, 895 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP, 896 (const u8 *) ×tamp, 897 sizeof(timestamp))) { 898 wpa_printf(MSG_ERROR, 899 "Could not add HS 2.0 Timestamp"); 900 goto fail; 901 } 902 } 903 } 904 #endif /* CONFIG_HS20 */ 905 906 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 907 goto fail; 908 909 return; 910 911 fail: 912 radius_msg_free(msg); 913 } 914 #endif /* CONFIG_NO_RADIUS */ 915 916 handle_eap_response(struct hostapd_data * hapd,struct sta_info * sta,struct eap_hdr * eap,size_t len)917 static void handle_eap_response(struct hostapd_data *hapd, 918 struct sta_info *sta, struct eap_hdr *eap, 919 size_t len) 920 { 921 u8 type, *data; 922 struct eapol_state_machine *sm = sta->eapol_sm; 923 924 if (!sm) 925 return; 926 927 data = (u8 *) (eap + 1); 928 929 if (len < sizeof(*eap) + 1) { 930 wpa_printf(MSG_INFO, "%s: too short response data", __func__); 931 return; 932 } 933 934 sm->eap_type_supp = type = data[0]; 935 936 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 937 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 938 "id=%d len=%d) from STA: EAP Response-%s (%d)", 939 eap->code, eap->identifier, be_to_host16(eap->length), 940 eap_server_get_name(0, type), type); 941 942 sm->dot1xAuthEapolRespFramesRx++; 943 944 wpabuf_free(sm->eap_if->eapRespData); 945 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 946 sm->eapolEap = true; 947 } 948 949 handle_eap_initiate(struct hostapd_data * hapd,struct sta_info * sta,struct eap_hdr * eap,size_t len)950 static void handle_eap_initiate(struct hostapd_data *hapd, 951 struct sta_info *sta, struct eap_hdr *eap, 952 size_t len) 953 { 954 #ifdef CONFIG_ERP 955 u8 type, *data; 956 struct eapol_state_machine *sm = sta->eapol_sm; 957 958 if (!sm) 959 return; 960 961 if (len < sizeof(*eap) + 1) { 962 wpa_printf(MSG_INFO, "%s: too short response data", __func__); 963 return; 964 } 965 966 data = (u8 *) (eap + 1); 967 type = data[0]; 968 969 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 970 HOSTAPD_LEVEL_DEBUG, 971 "received EAP packet (code=%d id=%d len=%d) from STA: EAP Initiate type %u", 972 eap->code, eap->identifier, be_to_host16(eap->length), 973 type); 974 975 wpabuf_free(sm->eap_if->eapRespData); 976 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 977 sm->eapolEap = true; 978 #endif /* CONFIG_ERP */ 979 } 980 981 982 #ifndef CONFIG_NO_STDOUT_DEBUG eap_code_str(u8 code)983 static const char * eap_code_str(u8 code) 984 { 985 switch (code) { 986 case EAP_CODE_REQUEST: 987 return "request"; 988 case EAP_CODE_RESPONSE: 989 return "response"; 990 case EAP_CODE_SUCCESS: 991 return "success"; 992 case EAP_CODE_FAILURE: 993 return "failure"; 994 case EAP_CODE_INITIATE: 995 return "initiate"; 996 case EAP_CODE_FINISH: 997 return "finish"; 998 default: 999 return "unknown"; 1000 } 1001 } 1002 #endif /* CONFIG_NO_STDOUT_DEBUG */ 1003 1004 1005 /* Process incoming EAP packet from Supplicant */ handle_eap(struct hostapd_data * hapd,struct sta_info * sta,u8 * buf,size_t len)1006 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 1007 u8 *buf, size_t len) 1008 { 1009 struct eap_hdr *eap; 1010 u16 eap_len; 1011 1012 if (len < sizeof(*eap)) { 1013 wpa_printf(MSG_INFO, " too short EAP packet"); 1014 return; 1015 } 1016 1017 eap = (struct eap_hdr *) buf; 1018 1019 eap_len = be_to_host16(eap->length); 1020 wpa_printf(MSG_DEBUG, "EAP: code=%d (%s) identifier=%d length=%d", 1021 eap->code, eap_code_str(eap->code), eap->identifier, 1022 eap_len); 1023 if (eap_len < sizeof(*eap)) { 1024 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 1025 return; 1026 } else if (eap_len > len) { 1027 wpa_printf(MSG_DEBUG, 1028 " Too short frame to contain this EAP packet"); 1029 return; 1030 } else if (eap_len < len) { 1031 wpa_printf(MSG_DEBUG, 1032 " Ignoring %lu extra bytes after EAP packet", 1033 (unsigned long) len - eap_len); 1034 } 1035 1036 switch (eap->code) { 1037 case EAP_CODE_RESPONSE: 1038 handle_eap_response(hapd, sta, eap, eap_len); 1039 break; 1040 case EAP_CODE_INITIATE: 1041 handle_eap_initiate(hapd, sta, eap, eap_len); 1042 break; 1043 } 1044 } 1045 1046 1047 struct eapol_state_machine * ieee802_1x_alloc_eapol_sm(struct hostapd_data * hapd,struct sta_info * sta)1048 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 1049 { 1050 int flags = 0; 1051 1052 if (sta->flags & WLAN_STA_PREAUTH) 1053 flags |= EAPOL_SM_PREAUTH; 1054 if (sta->wpa_sm) { 1055 flags |= EAPOL_SM_USES_WPA; 1056 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 1057 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 1058 } 1059 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 1060 sta->wps_ie, sta->p2p_ie, sta, 1061 sta->identity, sta->radius_cui); 1062 } 1063 1064 ieee802_1x_save_eapol(struct sta_info * sta,const u8 * buf,size_t len,enum frame_encryption encrypted)1065 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 1066 size_t len, enum frame_encryption encrypted) 1067 { 1068 if (sta->pending_eapol_rx) { 1069 wpabuf_free(sta->pending_eapol_rx->buf); 1070 } else { 1071 sta->pending_eapol_rx = 1072 os_malloc(sizeof(*sta->pending_eapol_rx)); 1073 if (!sta->pending_eapol_rx) 1074 return; 1075 } 1076 1077 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 1078 if (!sta->pending_eapol_rx->buf) { 1079 os_free(sta->pending_eapol_rx); 1080 sta->pending_eapol_rx = NULL; 1081 return; 1082 } 1083 1084 sta->pending_eapol_rx->encrypted = encrypted; 1085 os_get_reltime(&sta->pending_eapol_rx->rx_time); 1086 } 1087 1088 ieee802_1x_check_encryption(struct sta_info * sta,enum frame_encryption encrypted,u8 type)1089 static bool ieee802_1x_check_encryption(struct sta_info *sta, 1090 enum frame_encryption encrypted, 1091 u8 type) 1092 { 1093 if (encrypted != FRAME_NOT_ENCRYPTED) 1094 return true; 1095 if (type != IEEE802_1X_TYPE_EAP_PACKET && 1096 type != IEEE802_1X_TYPE_EAPOL_START && 1097 type != IEEE802_1X_TYPE_EAPOL_LOGOFF) 1098 return true; 1099 if (!(sta->flags & WLAN_STA_MFP)) 1100 return true; 1101 return !wpa_auth_pairwise_set(sta->wpa_sm); 1102 } 1103 1104 1105 /** 1106 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 1107 * @hapd: hostapd BSS data 1108 * @sa: Source address (sender of the EAPOL frame) 1109 * @buf: EAPOL frame 1110 * @len: Length of buf in octets 1111 * @encrypted: Whether the frame was encrypted 1112 * 1113 * This function is called for each incoming EAPOL frame from the interface 1114 */ ieee802_1x_receive(struct hostapd_data * hapd,const u8 * sa,const u8 * buf,size_t len,enum frame_encryption encrypted)1115 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 1116 size_t len, enum frame_encryption encrypted) 1117 { 1118 struct sta_info *sta; 1119 struct ieee802_1x_hdr *hdr; 1120 struct ieee802_1x_eapol_key *key; 1121 u16 datalen; 1122 struct rsn_pmksa_cache_entry *pmksa; 1123 int key_mgmt; 1124 1125 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 1126 !hapd->conf->wps_state) 1127 return; 1128 1129 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR 1130 " (encrypted=%d)", 1131 (unsigned long) len, MAC2STR(sa), encrypted); 1132 sta = ap_get_sta(hapd, sa); 1133 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 1134 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 1135 wpa_printf(MSG_DEBUG, 1136 "IEEE 802.1X data frame from not associated/Pre-authenticating STA"); 1137 1138 if (sta && (sta->flags & WLAN_STA_AUTH)) { 1139 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 1140 " for later use", MAC2STR(sta->addr)); 1141 ieee802_1x_save_eapol(sta, buf, len, encrypted); 1142 } 1143 1144 return; 1145 } 1146 1147 if (len < sizeof(*hdr)) { 1148 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 1149 return; 1150 } 1151 1152 hdr = (struct ieee802_1x_hdr *) buf; 1153 datalen = be_to_host16(hdr->length); 1154 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 1155 hdr->version, hdr->type, datalen); 1156 1157 if (len - sizeof(*hdr) < datalen) { 1158 wpa_printf(MSG_INFO, 1159 " frame too short for this IEEE 802.1X packet"); 1160 if (sta->eapol_sm) 1161 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 1162 return; 1163 } 1164 if (len - sizeof(*hdr) > datalen) { 1165 wpa_printf(MSG_DEBUG, 1166 " ignoring %lu extra octets after IEEE 802.1X packet", 1167 (unsigned long) len - sizeof(*hdr) - datalen); 1168 } 1169 1170 if (sta->eapol_sm) { 1171 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 1172 sta->eapol_sm->dot1xAuthEapolFramesRx++; 1173 } 1174 1175 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 1176 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 1177 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1178 (key->type == EAPOL_KEY_TYPE_WPA || 1179 key->type == EAPOL_KEY_TYPE_RSN)) { 1180 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 1181 sizeof(*hdr) + datalen); 1182 return; 1183 } 1184 1185 if (!hapd->conf->ieee802_1x && 1186 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 1187 wpa_printf(MSG_DEBUG, 1188 "IEEE 802.1X: Ignore EAPOL message - 802.1X not enabled and WPS not used"); 1189 return; 1190 } 1191 1192 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1193 if (key_mgmt != -1 && 1194 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1195 key_mgmt == WPA_KEY_MGMT_DPP)) { 1196 wpa_printf(MSG_DEBUG, 1197 "IEEE 802.1X: Ignore EAPOL message - STA is using PSK"); 1198 return; 1199 } 1200 1201 if (!ieee802_1x_check_encryption(sta, encrypted, hdr->type)) { 1202 wpa_printf(MSG_DEBUG, 1203 "IEEE 802.1X: Discard unencrypted EAPOL message - encryption was expected"); 1204 return; 1205 } 1206 1207 if (!sta->eapol_sm) { 1208 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1209 if (!sta->eapol_sm) 1210 return; 1211 1212 #ifdef CONFIG_WPS 1213 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 1214 u32 wflags = sta->flags & (WLAN_STA_WPS | 1215 WLAN_STA_WPS2 | 1216 WLAN_STA_MAYBE_WPS); 1217 if (wflags == WLAN_STA_MAYBE_WPS || 1218 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 1219 /* 1220 * Delay EAPOL frame transmission until a 1221 * possible WPS STA initiates the handshake 1222 * with EAPOL-Start. Only allow the wait to be 1223 * skipped if the STA is known to support WPS 1224 * 2.0. 1225 */ 1226 wpa_printf(MSG_DEBUG, 1227 "WPS: Do not start EAPOL until EAPOL-Start is received"); 1228 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1229 } 1230 } 1231 #endif /* CONFIG_WPS */ 1232 1233 sta->eapol_sm->eap_if->portEnabled = true; 1234 } 1235 1236 /* since we support version 1, we can ignore version field and proceed 1237 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1238 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1239 * does not change frame contents, so should be ok to process frames 1240 * more or less identically. Some changes might be needed for 1241 * verification of fields. */ 1242 1243 switch (hdr->type) { 1244 case IEEE802_1X_TYPE_EAP_PACKET: 1245 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1246 break; 1247 1248 case IEEE802_1X_TYPE_EAPOL_START: 1249 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1250 HOSTAPD_LEVEL_DEBUG, 1251 "received EAPOL-Start from STA"); 1252 #ifdef CONFIG_IEEE80211R_AP 1253 if (hapd->conf->wpa && 1254 wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && sta->wpa_sm && 1255 ((wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) && 1256 (sta->flags & WLAN_STA_AUTHORIZED)) || 1257 sta->auth_alg == WLAN_AUTH_FT)) { 1258 /* When FT is used, reauthentication to generate a new 1259 * PMK-R0 would be complicated since the current AP 1260 * might not be the one with which the currently used 1261 * PMK-R0 was generated. IEEE Std 802.11-2020, 13.4.2 1262 * (FT initial mobility domain association in an RSN) 1263 * mandates STA to perform a new FT initial mobility 1264 * domain association whenever its Supplicant would 1265 * trigger sending of an EAPOL-Start frame. As such, 1266 * this EAPOL-Start frame should not have been sent. 1267 * Discard it to avoid unexpected behavior. */ 1268 hostapd_logger(hapd, sta->addr, 1269 HOSTAPD_MODULE_IEEE8021X, 1270 HOSTAPD_LEVEL_DEBUG, 1271 "discard unexpected EAPOL-Start from STA that uses FT"); 1272 break; 1273 } 1274 #endif /* CONFIG_IEEE80211R_AP */ 1275 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1276 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1277 if (pmksa) { 1278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1279 HOSTAPD_LEVEL_DEBUG, 1280 "cached PMKSA available - ignore it since STA sent EAPOL-Start"); 1281 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1282 } 1283 sta->eapol_sm->eapolStart = true; 1284 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1285 eap_server_clear_identity(sta->eapol_sm->eap); 1286 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1287 break; 1288 1289 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1290 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1291 HOSTAPD_LEVEL_DEBUG, 1292 "received EAPOL-Logoff from STA"); 1293 sta->acct_terminate_cause = 1294 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1295 accounting_sta_stop(hapd, sta); 1296 sta->eapol_sm->eapolLogoff = true; 1297 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1298 eap_server_clear_identity(sta->eapol_sm->eap); 1299 break; 1300 1301 case IEEE802_1X_TYPE_EAPOL_KEY: 1302 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1303 if (!ap_sta_is_authorized(sta)) { 1304 wpa_printf(MSG_DEBUG, 1305 " Dropped key data from unauthorized Supplicant"); 1306 break; 1307 } 1308 break; 1309 1310 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1311 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1312 /* TODO: implement support for this; show data */ 1313 break; 1314 1315 #ifdef CONFIG_MACSEC 1316 case IEEE802_1X_TYPE_EAPOL_MKA: 1317 wpa_printf(MSG_EXCESSIVE, 1318 "EAPOL type %d will be handled by MKA", hdr->type); 1319 break; 1320 #endif /* CONFIG_MACSEC */ 1321 1322 default: 1323 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1324 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1325 break; 1326 } 1327 1328 eapol_auth_step(sta->eapol_sm); 1329 } 1330 1331 1332 /** 1333 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1334 * @hapd: hostapd BSS data 1335 * @sta: The station 1336 * 1337 * This function is called to start IEEE 802.1X authentication when a new 1338 * station completes IEEE 802.11 association. 1339 */ ieee802_1x_new_station(struct hostapd_data * hapd,struct sta_info * sta)1340 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1341 { 1342 struct rsn_pmksa_cache_entry *pmksa; 1343 int reassoc = 1; 1344 int force_1x = 0; 1345 int key_mgmt; 1346 1347 #ifdef CONFIG_WPS 1348 if (hapd->conf->wps_state && 1349 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1350 (sta->flags & WLAN_STA_WPS))) { 1351 /* 1352 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1353 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1354 * authentication in this BSS. 1355 */ 1356 force_1x = 1; 1357 } 1358 #endif /* CONFIG_WPS */ 1359 1360 if (!force_1x && !hapd->conf->ieee802_1x) { 1361 wpa_printf(MSG_DEBUG, 1362 "IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS"); 1363 /* 1364 * Clear any possible EAPOL authenticator state to support 1365 * reassociation change from WPS to PSK. 1366 */ 1367 ieee802_1x_free_station(hapd, sta); 1368 return; 1369 } 1370 1371 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1372 if (key_mgmt != -1 && 1373 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1374 key_mgmt == WPA_KEY_MGMT_DPP)) { 1375 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1376 /* 1377 * Clear any possible EAPOL authenticator state to support 1378 * reassociation change from WPA-EAP to PSK. 1379 */ 1380 ieee802_1x_free_station(hapd, sta); 1381 return; 1382 } 1383 1384 if (!sta->eapol_sm) { 1385 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1386 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1387 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1388 if (!sta->eapol_sm) { 1389 hostapd_logger(hapd, sta->addr, 1390 HOSTAPD_MODULE_IEEE8021X, 1391 HOSTAPD_LEVEL_INFO, 1392 "failed to allocate state machine"); 1393 return; 1394 } 1395 reassoc = 0; 1396 } 1397 1398 #ifdef CONFIG_WPS 1399 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1400 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1401 !(sta->flags & WLAN_STA_WPS2)) { 1402 /* 1403 * Delay EAPOL frame transmission until a possible WPS STA 1404 * initiates the handshake with EAPOL-Start. Only allow the 1405 * wait to be skipped if the STA is known to support WPS 2.0. 1406 */ 1407 wpa_printf(MSG_DEBUG, 1408 "WPS: Do not start EAPOL until EAPOL-Start is received"); 1409 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1410 } 1411 #endif /* CONFIG_WPS */ 1412 1413 sta->eapol_sm->eap_if->portEnabled = true; 1414 1415 #ifdef CONFIG_IEEE80211R_AP 1416 if (sta->auth_alg == WLAN_AUTH_FT) { 1417 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1418 HOSTAPD_LEVEL_DEBUG, 1419 "PMK from FT - skip IEEE 802.1X/EAP"); 1420 /* Setup EAPOL state machines to already authenticated state 1421 * because of existing FT information from R0KH. */ 1422 sta->eapol_sm->keyRun = true; 1423 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1424 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1425 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1426 sta->eapol_sm->authSuccess = true; 1427 sta->eapol_sm->authFail = false; 1428 sta->eapol_sm->portValid = true; 1429 if (sta->eapol_sm->eap) 1430 eap_sm_notify_cached(sta->eapol_sm->eap); 1431 ap_sta_bind_vlan(hapd, sta); 1432 return; 1433 } 1434 #endif /* CONFIG_IEEE80211R_AP */ 1435 1436 #ifdef CONFIG_FILS 1437 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 1438 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 1439 sta->auth_alg == WLAN_AUTH_FILS_PK) { 1440 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1441 HOSTAPD_LEVEL_DEBUG, 1442 "PMK from FILS - skip IEEE 802.1X/EAP"); 1443 /* Setup EAPOL state machines to already authenticated state 1444 * because of existing FILS information. */ 1445 sta->eapol_sm->keyRun = true; 1446 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1447 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1448 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1449 sta->eapol_sm->authSuccess = true; 1450 sta->eapol_sm->authFail = false; 1451 sta->eapol_sm->portValid = true; 1452 if (sta->eapol_sm->eap) 1453 eap_sm_notify_cached(sta->eapol_sm->eap); 1454 wpa_auth_set_ptk_rekey_timer(sta->wpa_sm); 1455 return; 1456 } 1457 #endif /* CONFIG_FILS */ 1458 1459 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1460 if (pmksa) { 1461 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1462 HOSTAPD_LEVEL_DEBUG, 1463 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1464 /* Setup EAPOL state machines to already authenticated state 1465 * because of existing PMKSA information in the cache. */ 1466 sta->eapol_sm->keyRun = true; 1467 sta->eapol_sm->eap_if->eapKeyAvailable = true; 1468 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1469 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1470 sta->eapol_sm->authSuccess = true; 1471 sta->eapol_sm->authFail = false; 1472 if (sta->eapol_sm->eap) 1473 eap_sm_notify_cached(sta->eapol_sm->eap); 1474 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1475 ap_sta_bind_vlan(hapd, sta); 1476 } else { 1477 if (reassoc) { 1478 /* 1479 * Force EAPOL state machines to start 1480 * re-authentication without having to wait for the 1481 * Supplicant to send EAPOL-Start. 1482 */ 1483 sta->eapol_sm->reAuthenticate = true; 1484 } 1485 eapol_auth_step(sta->eapol_sm); 1486 } 1487 } 1488 1489 ieee802_1x_free_station(struct hostapd_data * hapd,struct sta_info * sta)1490 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1491 { 1492 struct eapol_state_machine *sm = sta->eapol_sm; 1493 1494 if (sta->pending_eapol_rx) { 1495 wpabuf_free(sta->pending_eapol_rx->buf); 1496 os_free(sta->pending_eapol_rx); 1497 sta->pending_eapol_rx = NULL; 1498 } 1499 1500 if (!sm) 1501 return; 1502 1503 sta->eapol_sm = NULL; 1504 1505 #ifndef CONFIG_NO_RADIUS 1506 radius_msg_free(sm->last_recv_radius); 1507 radius_free_class(&sm->radius_class); 1508 #endif /* CONFIG_NO_RADIUS */ 1509 1510 eapol_auth_free(sm); 1511 } 1512 1513 1514 #ifndef CONFIG_NO_RADIUS ieee802_1x_decapsulate_radius(struct hostapd_data * hapd,struct sta_info * sta)1515 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1516 struct sta_info *sta) 1517 { 1518 struct wpabuf *eap; 1519 const struct eap_hdr *hdr; 1520 int eap_type = -1; 1521 char buf[64]; 1522 struct radius_msg *msg; 1523 struct eapol_state_machine *sm = sta->eapol_sm; 1524 1525 if (!sm || !sm->last_recv_radius) { 1526 if (sm) 1527 sm->eap_if->aaaEapNoReq = true; 1528 return; 1529 } 1530 1531 msg = sm->last_recv_radius; 1532 1533 eap = radius_msg_get_eap(msg); 1534 if (!eap) { 1535 /* RFC 3579, Chap. 2.6.3: 1536 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1537 * attribute */ 1538 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1539 HOSTAPD_LEVEL_WARNING, 1540 "could not extract EAP-Message from RADIUS message"); 1541 sm->eap_if->aaaEapNoReq = true; 1542 return; 1543 } 1544 1545 if (wpabuf_len(eap) < sizeof(*hdr)) { 1546 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1547 HOSTAPD_LEVEL_WARNING, 1548 "too short EAP packet received from authentication server"); 1549 wpabuf_free(eap); 1550 sm->eap_if->aaaEapNoReq = true; 1551 return; 1552 } 1553 1554 if (wpabuf_len(eap) > sizeof(*hdr)) 1555 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1556 1557 hdr = wpabuf_head(eap); 1558 switch (hdr->code) { 1559 case EAP_CODE_REQUEST: 1560 if (eap_type >= 0) 1561 sm->eap_type_authsrv = eap_type; 1562 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1563 eap_server_get_name(0, eap_type), eap_type); 1564 break; 1565 case EAP_CODE_RESPONSE: 1566 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1567 eap_server_get_name(0, eap_type), eap_type); 1568 break; 1569 case EAP_CODE_SUCCESS: 1570 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1571 break; 1572 case EAP_CODE_FAILURE: 1573 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1574 break; 1575 default: 1576 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1577 break; 1578 } 1579 buf[sizeof(buf) - 1] = '\0'; 1580 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1581 HOSTAPD_LEVEL_DEBUG, 1582 "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s", 1583 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1584 buf); 1585 sm->eap_if->aaaEapReq = true; 1586 1587 wpabuf_free(sm->eap_if->aaaEapReqData); 1588 sm->eap_if->aaaEapReqData = eap; 1589 } 1590 1591 ieee802_1x_get_keys(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len)1592 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1593 struct sta_info *sta, struct radius_msg *msg, 1594 struct radius_msg *req, 1595 const u8 *shared_secret, 1596 size_t shared_secret_len) 1597 { 1598 struct radius_ms_mppe_keys *keys; 1599 u8 *buf; 1600 size_t len; 1601 struct eapol_state_machine *sm = sta->eapol_sm; 1602 1603 if (!sm) 1604 return; 1605 1606 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1607 shared_secret_len); 1608 1609 if (keys && keys->send && keys->recv) { 1610 len = keys->send_len + keys->recv_len; 1611 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1612 keys->send, keys->send_len); 1613 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1614 keys->recv, keys->recv_len); 1615 1616 os_free(sm->eap_if->aaaEapKeyData); 1617 sm->eap_if->aaaEapKeyData = os_malloc(len); 1618 if (sm->eap_if->aaaEapKeyData) { 1619 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1620 keys->recv_len); 1621 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1622 keys->send, keys->send_len); 1623 sm->eap_if->aaaEapKeyDataLen = len; 1624 sm->eap_if->aaaEapKeyAvailable = true; 1625 } 1626 } else { 1627 wpa_printf(MSG_DEBUG, 1628 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1629 keys, keys ? keys->send : NULL, 1630 keys ? keys->recv : NULL); 1631 } 1632 1633 if (keys) { 1634 os_free(keys->send); 1635 os_free(keys->recv); 1636 os_free(keys); 1637 } 1638 1639 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len, 1640 NULL) == 0) { 1641 os_free(sm->eap_if->eapSessionId); 1642 sm->eap_if->eapSessionId = os_memdup(buf, len); 1643 if (sm->eap_if->eapSessionId) { 1644 sm->eap_if->eapSessionIdLen = len; 1645 wpa_hexdump(MSG_DEBUG, "EAP-Key Name", 1646 sm->eap_if->eapSessionId, 1647 sm->eap_if->eapSessionIdLen); 1648 } 1649 } else { 1650 sm->eap_if->eapSessionIdLen = 0; 1651 } 1652 } 1653 1654 ieee802_1x_store_radius_class(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1655 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1656 struct sta_info *sta, 1657 struct radius_msg *msg) 1658 { 1659 u8 *attr_class; 1660 size_t class_len; 1661 struct eapol_state_machine *sm = sta->eapol_sm; 1662 int count, i; 1663 struct radius_attr_data *nclass; 1664 size_t nclass_count; 1665 1666 if (!hapd->conf->radius->acct_server || !hapd->radius || !sm) 1667 return; 1668 1669 radius_free_class(&sm->radius_class); 1670 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1671 if (count <= 0) 1672 return; 1673 1674 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1675 if (!nclass) 1676 return; 1677 1678 nclass_count = 0; 1679 1680 attr_class = NULL; 1681 for (i = 0; i < count; i++) { 1682 do { 1683 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1684 &attr_class, &class_len, 1685 attr_class) < 0) { 1686 i = count; 1687 break; 1688 } 1689 } while (class_len < 1); 1690 1691 nclass[nclass_count].data = os_memdup(attr_class, class_len); 1692 if (!nclass[nclass_count].data) 1693 break; 1694 1695 nclass[nclass_count].len = class_len; 1696 nclass_count++; 1697 } 1698 1699 sm->radius_class.attr = nclass; 1700 sm->radius_class.count = nclass_count; 1701 wpa_printf(MSG_DEBUG, 1702 "IEEE 802.1X: Stored %lu RADIUS Class attributes for " 1703 MACSTR, 1704 (unsigned long) sm->radius_class.count, 1705 MAC2STR(sta->addr)); 1706 } 1707 1708 1709 /* Update sta->identity based on User-Name attribute in Access-Accept */ ieee802_1x_update_sta_identity(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1710 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1711 struct sta_info *sta, 1712 struct radius_msg *msg) 1713 { 1714 u8 *buf, *identity; 1715 size_t len; 1716 struct eapol_state_machine *sm = sta->eapol_sm; 1717 1718 if (!sm) 1719 return; 1720 1721 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1722 NULL) < 0) 1723 return; 1724 1725 identity = (u8 *) dup_binstr(buf, len); 1726 if (!identity) 1727 return; 1728 1729 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1730 HOSTAPD_LEVEL_DEBUG, 1731 "old identity '%s' updated with User-Name from Access-Accept '%s'", 1732 sm->identity ? (char *) sm->identity : "N/A", 1733 (char *) identity); 1734 1735 os_free(sm->identity); 1736 sm->identity = identity; 1737 sm->identity_len = len; 1738 } 1739 1740 1741 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ ieee802_1x_update_sta_cui(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1742 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1743 struct sta_info *sta, 1744 struct radius_msg *msg) 1745 { 1746 struct eapol_state_machine *sm = sta->eapol_sm; 1747 struct wpabuf *cui; 1748 u8 *buf; 1749 size_t len; 1750 1751 if (!sm) 1752 return; 1753 1754 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1755 &buf, &len, NULL) < 0) 1756 return; 1757 1758 cui = wpabuf_alloc_copy(buf, len); 1759 if (!cui) 1760 return; 1761 1762 wpabuf_free(sm->radius_cui); 1763 sm->radius_cui = cui; 1764 } 1765 1766 1767 #ifdef CONFIG_HS20 1768 ieee802_1x_hs20_deauth_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len)1769 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1770 struct sta_info *sta, const u8 *pos, 1771 size_t len) 1772 { 1773 size_t url_len; 1774 unsigned int timeout; 1775 1776 if (len < 3) 1777 return; /* Malformed information */ 1778 url_len = len - 3; 1779 sta->hs20_deauth_requested = 1; 1780 sta->hs20_deauth_on_ack = url_len == 0; 1781 wpa_printf(MSG_DEBUG, 1782 "HS 2.0: Deauthentication request - Code %u Re-auth Delay %u URL length %zu", 1783 *pos, WPA_GET_LE16(pos + 1), url_len); 1784 wpabuf_free(sta->hs20_deauth_req); 1785 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1786 if (sta->hs20_deauth_req) { 1787 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1788 wpabuf_put_u8(sta->hs20_deauth_req, url_len); 1789 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, url_len); 1790 } 1791 timeout = hapd->conf->hs20_deauth_req_timeout; 1792 /* If there is no URL, no need to provide time to fetch it. Use a short 1793 * timeout here to allow maximum time for completing 4-way handshake and 1794 * WNM-Notification delivery. Acknowledgement of the frame will result 1795 * in cutting this wait further. */ 1796 if (!url_len && timeout > 2) 1797 timeout = 2; 1798 ap_sta_session_timeout(hapd, sta, timeout); 1799 } 1800 1801 ieee802_1x_hs20_session_info(struct hostapd_data * hapd,struct sta_info * sta,u8 * pos,size_t len,int session_timeout)1802 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1803 struct sta_info *sta, u8 *pos, 1804 size_t len, int session_timeout) 1805 { 1806 unsigned int swt; 1807 int warning_time, beacon_int; 1808 1809 if (len < 1) 1810 return; /* Malformed information */ 1811 os_free(sta->hs20_session_info_url); 1812 sta->hs20_session_info_url = os_malloc(len); 1813 if (!sta->hs20_session_info_url) 1814 return; 1815 swt = pos[0]; 1816 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1817 sta->hs20_session_info_url[len - 1] = '\0'; 1818 wpa_printf(MSG_DEBUG, 1819 "HS 2.0: Session Information URL='%s' SWT=%u (session_timeout=%d)", 1820 sta->hs20_session_info_url, swt, session_timeout); 1821 if (session_timeout < 0) { 1822 wpa_printf(MSG_DEBUG, 1823 "HS 2.0: No Session-Timeout set - ignore session info URL"); 1824 return; 1825 } 1826 if (swt == 255) 1827 swt = 1; /* Use one minute as the AP selected value */ 1828 1829 if ((unsigned int) session_timeout < swt * 60) 1830 warning_time = 0; 1831 else 1832 warning_time = session_timeout - swt * 60; 1833 1834 beacon_int = hapd->iconf->beacon_int; 1835 if (beacon_int < 1) 1836 beacon_int = 100; /* best guess */ 1837 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1838 if (sta->hs20_disassoc_timer > 65535) 1839 sta->hs20_disassoc_timer = 65535; 1840 1841 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1842 } 1843 1844 ieee802_1x_hs20_t_c_filtering(struct hostapd_data * hapd,struct sta_info * sta,u8 * pos,size_t len)1845 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data *hapd, 1846 struct sta_info *sta, u8 *pos, 1847 size_t len) 1848 { 1849 if (len < 4) 1850 return; /* Malformed information */ 1851 wpa_printf(MSG_DEBUG, 1852 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x", 1853 pos[0], pos[1], pos[2], pos[3]); 1854 hs20_t_c_filtering(hapd, sta, pos[0] & BIT(0)); 1855 } 1856 1857 ieee802_1x_hs20_t_c_url(struct hostapd_data * hapd,struct sta_info * sta,u8 * pos,size_t len)1858 static void ieee802_1x_hs20_t_c_url(struct hostapd_data *hapd, 1859 struct sta_info *sta, u8 *pos, size_t len) 1860 { 1861 os_free(sta->t_c_url); 1862 sta->t_c_url = os_malloc(len + 1); 1863 if (!sta->t_c_url) 1864 return; 1865 os_memcpy(sta->t_c_url, pos, len); 1866 sta->t_c_url[len] = '\0'; 1867 wpa_printf(MSG_DEBUG, 1868 "HS 2.0: Terms and Conditions URL %s", sta->t_c_url); 1869 } 1870 1871 #endif /* CONFIG_HS20 */ 1872 1873 ieee802_1x_check_hs20(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg,int session_timeout)1874 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1875 struct sta_info *sta, 1876 struct radius_msg *msg, 1877 int session_timeout) 1878 { 1879 #ifdef CONFIG_HS20 1880 u8 *buf, *pos, *end, type, sublen; 1881 size_t len; 1882 1883 buf = NULL; 1884 sta->hs20_deauth_requested = 0; 1885 sta->hs20_deauth_on_ack = 0; 1886 1887 for (;;) { 1888 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1889 &buf, &len, buf) < 0) 1890 break; 1891 if (len < 6) 1892 continue; 1893 pos = buf; 1894 end = buf + len; 1895 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1896 continue; 1897 pos += 4; 1898 1899 type = *pos++; 1900 sublen = *pos++; 1901 if (sublen < 2) 1902 continue; /* invalid length */ 1903 sublen -= 2; /* skip header */ 1904 if (pos + sublen > end) 1905 continue; /* invalid WFA VSA */ 1906 1907 switch (type) { 1908 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1909 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1910 break; 1911 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1912 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1913 session_timeout); 1914 break; 1915 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING: 1916 ieee802_1x_hs20_t_c_filtering(hapd, sta, pos, sublen); 1917 break; 1918 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL: 1919 ieee802_1x_hs20_t_c_url(hapd, sta, pos, sublen); 1920 break; 1921 } 1922 } 1923 #endif /* CONFIG_HS20 */ 1924 } 1925 1926 1927 struct sta_id_search { 1928 u8 identifier; 1929 struct eapol_state_machine *sm; 1930 }; 1931 1932 ieee802_1x_select_radius_identifier(struct hostapd_data * hapd,struct sta_info * sta,void * ctx)1933 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1934 struct sta_info *sta, 1935 void *ctx) 1936 { 1937 struct sta_id_search *id_search = ctx; 1938 struct eapol_state_machine *sm = sta->eapol_sm; 1939 1940 if (sm && sm->radius_identifier >= 0 && 1941 sm->radius_identifier == id_search->identifier) { 1942 id_search->sm = sm; 1943 return 1; 1944 } 1945 return 0; 1946 } 1947 1948 1949 static struct eapol_state_machine * ieee802_1x_search_radius_identifier(struct hostapd_data * hapd,u8 identifier)1950 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1951 { 1952 struct sta_id_search id_search; 1953 1954 id_search.identifier = identifier; 1955 id_search.sm = NULL; 1956 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1957 return id_search.sm; 1958 } 1959 1960 1961 #ifndef CONFIG_NO_VLAN ieee802_1x_update_vlan(struct radius_msg * msg,struct hostapd_data * hapd,struct sta_info * sta)1962 static int ieee802_1x_update_vlan(struct radius_msg *msg, 1963 struct hostapd_data *hapd, 1964 struct sta_info *sta) 1965 { 1966 struct vlan_description vlan_desc; 1967 1968 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1969 vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged, 1970 MAX_NUM_TAGGED_VLAN, 1971 vlan_desc.tagged); 1972 1973 if (vlan_desc.notempty && 1974 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1975 sta->eapol_sm->authFail = true; 1976 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1977 HOSTAPD_LEVEL_INFO, 1978 "Invalid VLAN %d%s received from RADIUS server", 1979 vlan_desc.untagged, 1980 vlan_desc.tagged[0] ? "+" : ""); 1981 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1982 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1983 return -1; 1984 } 1985 1986 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1987 !vlan_desc.notempty) { 1988 sta->eapol_sm->authFail = true; 1989 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1990 HOSTAPD_LEVEL_INFO, 1991 "authentication server did not include required VLAN ID in Access-Accept"); 1992 return -1; 1993 } 1994 1995 return ap_sta_set_vlan(hapd, sta, &vlan_desc); 1996 } 1997 #endif /* CONFIG_NO_VLAN */ 1998 1999 2000 /** 2001 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 2002 * @msg: RADIUS response message 2003 * @req: RADIUS request message 2004 * @shared_secret: RADIUS shared secret 2005 * @shared_secret_len: Length of shared_secret in octets 2006 * @data: Context data (struct hostapd_data *) 2007 * Returns: Processing status 2008 */ 2009 static RadiusRxResult ieee802_1x_receive_auth(struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len,void * data)2010 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 2011 const u8 *shared_secret, size_t shared_secret_len, 2012 void *data) 2013 { 2014 struct hostapd_data *hapd = data; 2015 struct sta_info *sta; 2016 u32 session_timeout = 0, termination_action, acct_interim_interval; 2017 int session_timeout_set; 2018 u32 reason_code; 2019 struct eapol_state_machine *sm; 2020 int override_eapReq = 0; 2021 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 2022 2023 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 2024 if (!sm) { 2025 wpa_printf(MSG_DEBUG, 2026 "IEEE 802.1X: Could not find matching station for this RADIUS message"); 2027 return RADIUS_RX_UNKNOWN; 2028 } 2029 sta = sm->sta; 2030 2031 if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) { 2032 wpa_printf(MSG_INFO, 2033 "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 2034 return RADIUS_RX_INVALID_AUTHENTICATOR; 2035 } 2036 2037 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 2038 hdr->code != RADIUS_CODE_ACCESS_REJECT && 2039 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 2040 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 2041 return RADIUS_RX_UNKNOWN; 2042 } 2043 2044 sm->radius_identifier = -1; 2045 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 2046 MAC2STR(sta->addr)); 2047 2048 radius_msg_free(sm->last_recv_radius); 2049 sm->last_recv_radius = msg; 2050 2051 session_timeout_set = 2052 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 2053 &session_timeout); 2054 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 2055 &termination_action)) 2056 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 2057 2058 if (hapd->conf->acct_interim_interval == 0 && 2059 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 2060 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 2061 &acct_interim_interval) == 0) { 2062 if (acct_interim_interval < 60) { 2063 hostapd_logger(hapd, sta->addr, 2064 HOSTAPD_MODULE_IEEE8021X, 2065 HOSTAPD_LEVEL_INFO, 2066 "ignored too small Acct-Interim-Interval %d", 2067 acct_interim_interval); 2068 } else 2069 sta->acct_interim_interval = acct_interim_interval; 2070 } 2071 2072 2073 switch (hdr->code) { 2074 case RADIUS_CODE_ACCESS_ACCEPT: 2075 #ifndef CONFIG_NO_VLAN 2076 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED && 2077 ieee802_1x_update_vlan(msg, hapd, sta) < 0) 2078 break; 2079 2080 if (sta->vlan_id > 0) { 2081 hostapd_logger(hapd, sta->addr, 2082 HOSTAPD_MODULE_RADIUS, 2083 HOSTAPD_LEVEL_INFO, 2084 "VLAN ID %d", sta->vlan_id); 2085 } 2086 2087 if ((sta->flags & WLAN_STA_ASSOC) && 2088 ap_sta_bind_vlan(hapd, sta) < 0) 2089 break; 2090 #endif /* CONFIG_NO_VLAN */ 2091 2092 sta->session_timeout_set = !!session_timeout_set; 2093 os_get_reltime(&sta->session_timeout); 2094 sta->session_timeout.sec += session_timeout; 2095 2096 /* RFC 3580, Ch. 3.17 */ 2097 if (session_timeout_set && termination_action == 2098 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) 2099 sm->reAuthPeriod = session_timeout; 2100 else if (session_timeout_set) 2101 ap_sta_session_timeout(hapd, sta, session_timeout); 2102 else 2103 ap_sta_no_session_timeout(hapd, sta); 2104 2105 sm->eap_if->aaaSuccess = true; 2106 override_eapReq = 1; 2107 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 2108 shared_secret_len); 2109 ieee802_1x_store_radius_class(hapd, sta, msg); 2110 ieee802_1x_update_sta_identity(hapd, sta, msg); 2111 ieee802_1x_update_sta_cui(hapd, sta, msg); 2112 ieee802_1x_check_hs20(hapd, sta, msg, 2113 session_timeout_set ? 2114 (int) session_timeout : -1); 2115 break; 2116 case RADIUS_CODE_ACCESS_REJECT: 2117 sm->eap_if->aaaFail = true; 2118 override_eapReq = 1; 2119 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE, 2120 &reason_code) == 0) { 2121 wpa_printf(MSG_DEBUG, 2122 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for " 2123 MACSTR, reason_code, MAC2STR(sta->addr)); 2124 sta->disconnect_reason_code = reason_code; 2125 } 2126 break; 2127 case RADIUS_CODE_ACCESS_CHALLENGE: 2128 sm->eap_if->aaaEapReq = true; 2129 if (session_timeout_set) { 2130 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 2131 sm->eap_if->aaaMethodTimeout = session_timeout; 2132 hostapd_logger(hapd, sm->addr, 2133 HOSTAPD_MODULE_IEEE8021X, 2134 HOSTAPD_LEVEL_DEBUG, 2135 "using EAP timeout of %d seconds (from RADIUS)", 2136 sm->eap_if->aaaMethodTimeout); 2137 } else { 2138 /* 2139 * Use dynamic retransmission behavior per EAP 2140 * specification. 2141 */ 2142 sm->eap_if->aaaMethodTimeout = 0; 2143 } 2144 break; 2145 } 2146 2147 ieee802_1x_decapsulate_radius(hapd, sta); 2148 if (override_eapReq) 2149 sm->eap_if->aaaEapReq = false; 2150 2151 #ifdef CONFIG_FILS 2152 #ifdef NEED_AP_MLME 2153 if (sta->flags & 2154 (WLAN_STA_PENDING_FILS_ERP | WLAN_STA_PENDING_PASN_FILS_ERP)) { 2155 /* TODO: Add a PMKSA entry on success? */ 2156 ieee802_11_finish_fils_auth( 2157 hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT, 2158 sm->eap_if->aaaEapReqData, 2159 sm->eap_if->aaaEapKeyData, 2160 sm->eap_if->aaaEapKeyDataLen); 2161 } 2162 #endif /* NEED_AP_MLME */ 2163 #endif /* CONFIG_FILS */ 2164 2165 eapol_auth_step(sm); 2166 2167 return RADIUS_RX_QUEUED; 2168 } 2169 #endif /* CONFIG_NO_RADIUS */ 2170 2171 ieee802_1x_abort_auth(struct hostapd_data * hapd,struct sta_info * sta)2172 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 2173 { 2174 struct eapol_state_machine *sm = sta->eapol_sm; 2175 2176 if (!sm) 2177 return; 2178 2179 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2180 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 2181 2182 #ifndef CONFIG_NO_RADIUS 2183 radius_msg_free(sm->last_recv_radius); 2184 sm->last_recv_radius = NULL; 2185 #endif /* CONFIG_NO_RADIUS */ 2186 2187 if (sm->eap_if->eapTimeout) { 2188 /* 2189 * Disconnect the STA since it did not reply to the last EAP 2190 * request and we cannot continue EAP processing (EAP-Failure 2191 * could only be sent if the EAP peer actually replied). 2192 */ 2193 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 2194 MAC2STR(sta->addr)); 2195 2196 sm->eap_if->portEnabled = false; 2197 ap_sta_disconnect(hapd, sta, sta->addr, 2198 WLAN_REASON_PREV_AUTH_NOT_VALID); 2199 } 2200 } 2201 2202 2203 #ifdef CONFIG_WEP 2204 ieee802_1x_rekey_broadcast(struct hostapd_data * hapd)2205 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 2206 { 2207 struct eapol_authenticator *eapol = hapd->eapol_auth; 2208 2209 if (hapd->conf->default_wep_key_len < 1) 2210 return 0; 2211 2212 os_free(eapol->default_wep_key); 2213 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 2214 if (!eapol->default_wep_key || 2215 random_get_bytes(eapol->default_wep_key, 2216 hapd->conf->default_wep_key_len)) { 2217 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 2218 os_free(eapol->default_wep_key); 2219 eapol->default_wep_key = NULL; 2220 return -1; 2221 } 2222 2223 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 2224 eapol->default_wep_key, 2225 hapd->conf->default_wep_key_len); 2226 2227 return 0; 2228 } 2229 2230 ieee802_1x_sta_key_available(struct hostapd_data * hapd,struct sta_info * sta,void * ctx)2231 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 2232 struct sta_info *sta, void *ctx) 2233 { 2234 if (sta->eapol_sm) { 2235 sta->eapol_sm->eap_if->eapKeyAvailable = true; 2236 eapol_auth_step(sta->eapol_sm); 2237 } 2238 return 0; 2239 } 2240 2241 ieee802_1x_rekey(void * eloop_ctx,void * timeout_ctx)2242 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 2243 { 2244 struct hostapd_data *hapd = eloop_ctx; 2245 struct eapol_authenticator *eapol = hapd->eapol_auth; 2246 2247 if (eapol->default_wep_key_idx >= 3) 2248 eapol->default_wep_key_idx = 2249 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 2250 else 2251 eapol->default_wep_key_idx++; 2252 2253 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 2254 eapol->default_wep_key_idx); 2255 2256 if (ieee802_1x_rekey_broadcast(hapd)) { 2257 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2258 HOSTAPD_LEVEL_WARNING, 2259 "failed to generate a new broadcast key"); 2260 os_free(eapol->default_wep_key); 2261 eapol->default_wep_key = NULL; 2262 return; 2263 } 2264 2265 /* TODO: Could setup key for RX here, but change default TX keyid only 2266 * after new broadcast key has been sent to all stations. */ 2267 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 2268 broadcast_ether_addr, 2269 eapol->default_wep_key_idx, 0, 1, NULL, 0, 2270 eapol->default_wep_key, 2271 hapd->conf->default_wep_key_len, 2272 KEY_FLAG_GROUP_RX_TX_DEFAULT)) { 2273 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2274 HOSTAPD_LEVEL_WARNING, 2275 "failed to configure a new broadcast key"); 2276 os_free(eapol->default_wep_key); 2277 eapol->default_wep_key = NULL; 2278 return; 2279 } 2280 2281 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 2282 2283 if (hapd->conf->wep_rekeying_period > 0) { 2284 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 2285 ieee802_1x_rekey, hapd, NULL); 2286 } 2287 } 2288 2289 #endif /* CONFIG_WEP */ 2290 2291 ieee802_1x_eapol_send(void * ctx,void * sta_ctx,u8 type,const u8 * data,size_t datalen)2292 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 2293 const u8 *data, size_t datalen) 2294 { 2295 #ifdef CONFIG_WPS 2296 struct sta_info *sta = sta_ctx; 2297 2298 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 2299 WLAN_STA_MAYBE_WPS) { 2300 const u8 *identity; 2301 size_t identity_len; 2302 struct eapol_state_machine *sm = sta->eapol_sm; 2303 2304 identity = eap_get_identity(sm->eap, &identity_len); 2305 if (identity && 2306 ((identity_len == WSC_ID_ENROLLEE_LEN && 2307 os_memcmp(identity, WSC_ID_ENROLLEE, 2308 WSC_ID_ENROLLEE_LEN) == 0) || 2309 (identity_len == WSC_ID_REGISTRAR_LEN && 2310 os_memcmp(identity, WSC_ID_REGISTRAR, 2311 WSC_ID_REGISTRAR_LEN) == 0))) { 2312 wpa_printf(MSG_DEBUG, 2313 "WPS: WLAN_STA_MAYBE_WPS -> WLAN_STA_WPS"); 2314 sta->flags |= WLAN_STA_WPS; 2315 } 2316 } 2317 #endif /* CONFIG_WPS */ 2318 2319 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 2320 } 2321 2322 ieee802_1x_aaa_send(void * ctx,void * sta_ctx,const u8 * data,size_t datalen)2323 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 2324 const u8 *data, size_t datalen) 2325 { 2326 #ifndef CONFIG_NO_RADIUS 2327 struct hostapd_data *hapd = ctx; 2328 struct sta_info *sta = sta_ctx; 2329 2330 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 2331 #endif /* CONFIG_NO_RADIUS */ 2332 } 2333 2334 _ieee802_1x_finished(void * ctx,void * sta_ctx,int success,int preauth,bool logoff)2335 static bool _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2336 int preauth, bool logoff) 2337 { 2338 struct hostapd_data *hapd = ctx; 2339 struct sta_info *sta = sta_ctx; 2340 2341 if (preauth) { 2342 rsn_preauth_finished(hapd, sta, success); 2343 return false; 2344 } 2345 2346 return ieee802_1x_finished(hapd, sta, success, logoff); 2347 } 2348 2349 ieee802_1x_get_eap_user(void * ctx,const u8 * identity,size_t identity_len,int phase2,struct eap_user * user)2350 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2351 size_t identity_len, int phase2, 2352 struct eap_user *user) 2353 { 2354 struct hostapd_data *hapd = ctx; 2355 const struct hostapd_eap_user *eap_user; 2356 int i; 2357 int rv = -1; 2358 2359 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2360 if (!eap_user) 2361 goto out; 2362 2363 os_memset(user, 0, sizeof(*user)); 2364 user->phase2 = phase2; 2365 for (i = 0; i < EAP_MAX_METHODS; i++) { 2366 user->methods[i].vendor = eap_user->methods[i].vendor; 2367 user->methods[i].method = eap_user->methods[i].method; 2368 } 2369 2370 if (eap_user->password) { 2371 user->password = os_memdup(eap_user->password, 2372 eap_user->password_len); 2373 if (!user->password) 2374 goto out; 2375 user->password_len = eap_user->password_len; 2376 user->password_hash = eap_user->password_hash; 2377 if (eap_user->salt && eap_user->salt_len) { 2378 user->salt = os_memdup(eap_user->salt, 2379 eap_user->salt_len); 2380 if (!user->salt) 2381 goto out; 2382 user->salt_len = eap_user->salt_len; 2383 } 2384 } 2385 user->force_version = eap_user->force_version; 2386 user->macacl = eap_user->macacl; 2387 user->ttls_auth = eap_user->ttls_auth; 2388 rv = 0; 2389 2390 out: 2391 if (rv) 2392 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2393 2394 return rv; 2395 } 2396 2397 ieee802_1x_sta_entry_alive(void * ctx,const u8 * addr)2398 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2399 { 2400 struct hostapd_data *hapd = ctx; 2401 struct sta_info *sta; 2402 2403 sta = ap_get_sta(hapd, addr); 2404 if (!sta || !sta->eapol_sm) 2405 return 0; 2406 return 1; 2407 } 2408 2409 ieee802_1x_logger(void * ctx,const u8 * addr,eapol_logger_level level,const char * txt)2410 static void ieee802_1x_logger(void *ctx, const u8 *addr, 2411 eapol_logger_level level, const char *txt) 2412 { 2413 #ifndef CONFIG_NO_HOSTAPD_LOGGER 2414 struct hostapd_data *hapd = ctx; 2415 int hlevel; 2416 2417 switch (level) { 2418 case EAPOL_LOGGER_WARNING: 2419 hlevel = HOSTAPD_LEVEL_WARNING; 2420 break; 2421 case EAPOL_LOGGER_INFO: 2422 hlevel = HOSTAPD_LEVEL_INFO; 2423 break; 2424 case EAPOL_LOGGER_DEBUG: 2425 default: 2426 hlevel = HOSTAPD_LEVEL_DEBUG; 2427 break; 2428 } 2429 2430 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2431 txt); 2432 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2433 } 2434 2435 ieee802_1x_set_port_authorized(void * ctx,void * sta_ctx,int authorized)2436 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2437 int authorized) 2438 { 2439 struct hostapd_data *hapd = ctx; 2440 struct sta_info *sta = sta_ctx; 2441 2442 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2443 } 2444 2445 _ieee802_1x_abort_auth(void * ctx,void * sta_ctx)2446 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2447 { 2448 struct hostapd_data *hapd = ctx; 2449 struct sta_info *sta = sta_ctx; 2450 2451 ieee802_1x_abort_auth(hapd, sta); 2452 } 2453 2454 2455 #ifdef CONFIG_WEP _ieee802_1x_tx_key(void * ctx,void * sta_ctx)2456 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2457 { 2458 #ifndef CONFIG_FIPS 2459 #ifndef CONFIG_NO_RC4 2460 struct hostapd_data *hapd = ctx; 2461 struct sta_info *sta = sta_ctx; 2462 2463 ieee802_1x_tx_key(hapd, sta); 2464 #endif /* CONFIG_NO_RC4 */ 2465 #endif /* CONFIG_FIPS */ 2466 } 2467 #endif /* CONFIG_WEP */ 2468 2469 ieee802_1x_eapol_event(void * ctx,void * sta_ctx,enum eapol_event type)2470 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2471 enum eapol_event type) 2472 { 2473 /* struct hostapd_data *hapd = ctx; */ 2474 struct sta_info *sta = sta_ctx; 2475 2476 switch (type) { 2477 case EAPOL_AUTH_SM_CHANGE: 2478 wpa_auth_sm_notify(sta->wpa_sm); 2479 break; 2480 case EAPOL_AUTH_REAUTHENTICATE: 2481 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2482 break; 2483 } 2484 } 2485 2486 2487 #ifdef CONFIG_ERP 2488 2489 static struct eap_server_erp_key * ieee802_1x_erp_get_key(void * ctx,const char * keyname)2490 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2491 { 2492 struct hostapd_data *hapd = ctx; 2493 struct eap_server_erp_key *erp; 2494 2495 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2496 list) { 2497 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2498 return erp; 2499 } 2500 2501 return NULL; 2502 } 2503 2504 ieee802_1x_erp_add_key(void * ctx,struct eap_server_erp_key * erp)2505 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2506 { 2507 struct hostapd_data *hapd = ctx; 2508 2509 dl_list_add(&hapd->erp_keys, &erp->list); 2510 return 0; 2511 } 2512 2513 #endif /* CONFIG_ERP */ 2514 2515 ieee802_1x_init(struct hostapd_data * hapd)2516 int ieee802_1x_init(struct hostapd_data *hapd) 2517 { 2518 struct eapol_auth_config conf; 2519 struct eapol_auth_cb cb; 2520 2521 #ifdef CONFIG_IEEE80211BE 2522 if (!hostapd_mld_is_first_bss(hapd)) { 2523 struct hostapd_data *first; 2524 2525 first = hostapd_mld_get_first_bss(hapd); 2526 if (!first) 2527 return -1; 2528 2529 if (!first->eapol_auth) { 2530 wpa_printf(MSG_DEBUG, 2531 "MLD: First BSS IEEE 802.1X state machine does not exist. Init on its behalf"); 2532 2533 if (ieee802_1x_init(first)) 2534 return -1; 2535 } 2536 2537 wpa_printf(MSG_DEBUG, 2538 "MLD: Using IEEE 802.1X state machine of the first BSS"); 2539 2540 hapd->eapol_auth = first->eapol_auth; 2541 return 0; 2542 } 2543 #endif /* CONFIG_IEEE80211BE */ 2544 2545 os_memset(&conf, 0, sizeof(conf)); 2546 conf.eap_cfg = hapd->eap_cfg; 2547 conf.ctx = hapd; 2548 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2549 conf.wpa = hapd->conf->wpa; 2550 #ifdef CONFIG_WEP 2551 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2552 #endif /* CONFIG_WEP */ 2553 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2554 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2555 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2556 conf.erp_domain = hapd->conf->erp_domain; 2557 #ifdef CONFIG_TESTING_OPTIONS 2558 conf.eap_skip_prot_success = hapd->conf->eap_skip_prot_success; 2559 #endif /* CONFIG_TESTING_OPTIONS */ 2560 2561 os_memset(&cb, 0, sizeof(cb)); 2562 cb.eapol_send = ieee802_1x_eapol_send; 2563 cb.aaa_send = ieee802_1x_aaa_send; 2564 cb.finished = _ieee802_1x_finished; 2565 cb.get_eap_user = ieee802_1x_get_eap_user; 2566 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2567 cb.logger = ieee802_1x_logger; 2568 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2569 cb.abort_auth = _ieee802_1x_abort_auth; 2570 #ifdef CONFIG_WEP 2571 cb.tx_key = _ieee802_1x_tx_key; 2572 #endif /* CONFIG_WEP */ 2573 cb.eapol_event = ieee802_1x_eapol_event; 2574 #ifdef CONFIG_ERP 2575 cb.erp_get_key = ieee802_1x_erp_get_key; 2576 cb.erp_add_key = ieee802_1x_erp_add_key; 2577 #endif /* CONFIG_ERP */ 2578 2579 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2580 if (!hapd->eapol_auth) 2581 return -1; 2582 2583 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2584 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2585 return -1; 2586 2587 #ifndef CONFIG_NO_RADIUS 2588 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2589 ieee802_1x_receive_auth, hapd)) 2590 return -1; 2591 #endif /* CONFIG_NO_RADIUS */ 2592 2593 #ifdef CONFIG_WEP 2594 if (hapd->conf->default_wep_key_len) { 2595 int i; 2596 2597 for (i = 0; i < 4; i++) 2598 hostapd_drv_set_key(hapd->conf->iface, hapd, 2599 WPA_ALG_NONE, NULL, i, 0, 0, NULL, 2600 0, NULL, 0, KEY_FLAG_GROUP); 2601 2602 ieee802_1x_rekey(hapd, NULL); 2603 2604 if (!hapd->eapol_auth->default_wep_key) 2605 return -1; 2606 } 2607 #endif /* CONFIG_WEP */ 2608 2609 return 0; 2610 } 2611 2612 ieee802_1x_erp_flush(struct hostapd_data * hapd)2613 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2614 { 2615 struct eap_server_erp_key *erp; 2616 2617 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2618 list)) != NULL) { 2619 dl_list_del(&erp->list); 2620 bin_clear_free(erp, sizeof(*erp)); 2621 } 2622 } 2623 2624 ieee802_1x_deinit(struct hostapd_data * hapd)2625 void ieee802_1x_deinit(struct hostapd_data *hapd) 2626 { 2627 #ifdef CONFIG_IEEE80211BE 2628 if (!hostapd_mld_is_first_bss(hapd)) { 2629 wpa_printf(MSG_DEBUG, 2630 "MLD: Deinit IEEE 802.1X state machine of a non-first BSS"); 2631 2632 hapd->eapol_auth = NULL; 2633 return; 2634 } 2635 #endif /* CONFIG_IEEE80211BE */ 2636 2637 #ifdef CONFIG_WEP 2638 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2639 #endif /* CONFIG_WEP */ 2640 2641 if (hapd->driver && hapd->drv_priv && 2642 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2643 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2644 2645 eapol_auth_deinit(hapd->eapol_auth); 2646 hapd->eapol_auth = NULL; 2647 2648 ieee802_1x_erp_flush(hapd); 2649 } 2650 2651 ieee802_1x_tx_status(struct hostapd_data * hapd,struct sta_info * sta,const u8 * buf,size_t len,int ack)2652 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2653 const u8 *buf, size_t len, int ack) 2654 { 2655 struct ieee80211_hdr *hdr; 2656 u8 *pos; 2657 const unsigned char rfc1042_hdr[ETH_ALEN] = 2658 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2659 2660 if (!sta) 2661 return -1; 2662 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2663 return 0; 2664 2665 hdr = (struct ieee80211_hdr *) buf; 2666 pos = (u8 *) (hdr + 1); 2667 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2668 return 0; 2669 pos += sizeof(rfc1042_hdr); 2670 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2671 return 0; 2672 pos += 2; 2673 2674 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2675 ack); 2676 } 2677 2678 ieee802_1x_eapol_tx_status(struct hostapd_data * hapd,struct sta_info * sta,const u8 * buf,int len,int ack)2679 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2680 const u8 *buf, int len, int ack) 2681 { 2682 const struct ieee802_1x_hdr *xhdr = 2683 (const struct ieee802_1x_hdr *) buf; 2684 const u8 *pos = buf + sizeof(*xhdr); 2685 struct ieee802_1x_eapol_key *key; 2686 2687 if (len < (int) sizeof(*xhdr)) 2688 return 0; 2689 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR 2690 " TX status - version=%d type=%d length=%d - ack=%d", 2691 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2692 be_to_host16(xhdr->length), ack); 2693 2694 #ifdef CONFIG_WPS 2695 if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack && 2696 (sta->flags & WLAN_STA_WPS) && 2697 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) { 2698 wpa_printf(MSG_DEBUG, 2699 "WPS: Indicate EAP completion on ACK for EAP-Failure"); 2700 hostapd_wps_eap_completed(hapd); 2701 } 2702 #endif /* CONFIG_WPS */ 2703 2704 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2705 return 0; 2706 2707 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2708 const struct wpa_eapol_key *wpa; 2709 2710 wpa = (const struct wpa_eapol_key *) pos; 2711 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2712 wpa->type == EAPOL_KEY_TYPE_WPA) 2713 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2714 sta->wpa_sm, ack); 2715 } 2716 2717 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2718 * or Authenticator state machines, but EAPOL-Key packets are not 2719 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2720 * packets couple of times because otherwise STA keys become 2721 * unsynchronized with AP. */ 2722 if (!ack && pos + sizeof(*key) <= buf + len) { 2723 key = (struct ieee802_1x_eapol_key *) pos; 2724 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2725 HOSTAPD_LEVEL_DEBUG, 2726 "did not Ack EAPOL-Key frame (%scast index=%d)", 2727 key->key_index & BIT(7) ? "uni" : "broad", 2728 key->key_index & ~BIT(7)); 2729 /* TODO: re-send EAPOL-Key couple of times (with short delay 2730 * between them?). If all attempt fail, report error and 2731 * deauthenticate STA so that it will get new keys when 2732 * authenticating again (e.g., after returning in range). 2733 * Separate limit/transmit state needed both for unicast and 2734 * broadcast keys(?) */ 2735 } 2736 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2737 * to here and change the key only if the EAPOL-Key packet was Acked. 2738 */ 2739 2740 return 1; 2741 } 2742 2743 ieee802_1x_get_identity(struct eapol_state_machine * sm,size_t * len)2744 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2745 { 2746 if (!sm || !sm->identity) 2747 return NULL; 2748 2749 *len = sm->identity_len; 2750 return sm->identity; 2751 } 2752 2753 ieee802_1x_get_radius_class(struct eapol_state_machine * sm,size_t * len,int idx)2754 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2755 int idx) 2756 { 2757 if (!sm || !sm->radius_class.attr || 2758 idx >= (int) sm->radius_class.count) 2759 return NULL; 2760 2761 *len = sm->radius_class.attr[idx].len; 2762 return sm->radius_class.attr[idx].data; 2763 } 2764 2765 ieee802_1x_get_radius_cui(struct eapol_state_machine * sm)2766 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2767 { 2768 if (!sm) 2769 return NULL; 2770 return sm->radius_cui; 2771 } 2772 2773 ieee802_1x_get_key(struct eapol_state_machine * sm,size_t * len)2774 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2775 { 2776 *len = 0; 2777 if (!sm) 2778 return NULL; 2779 2780 *len = sm->eap_if->eapKeyDataLen; 2781 return sm->eap_if->eapKeyData; 2782 } 2783 2784 2785 #ifdef CONFIG_MACSEC ieee802_1x_get_session_id(struct eapol_state_machine * sm,size_t * len)2786 const u8 * ieee802_1x_get_session_id(struct eapol_state_machine *sm, 2787 size_t *len) 2788 { 2789 *len = 0; 2790 if (!sm || !sm->eap_if) 2791 return NULL; 2792 2793 *len = sm->eap_if->eapSessionIdLen; 2794 return sm->eap_if->eapSessionId; 2795 } 2796 #endif /* CONFIG_MACSEC */ 2797 2798 ieee802_1x_notify_port_enabled(struct eapol_state_machine * sm,bool enabled)2799 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2800 bool enabled) 2801 { 2802 if (!sm) 2803 return; 2804 sm->eap_if->portEnabled = enabled; 2805 eapol_auth_step(sm); 2806 } 2807 2808 ieee802_1x_notify_port_valid(struct eapol_state_machine * sm,bool valid)2809 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, bool valid) 2810 { 2811 if (!sm) 2812 return; 2813 sm->portValid = valid; 2814 eapol_auth_step(sm); 2815 } 2816 2817 ieee802_1x_notify_pre_auth(struct eapol_state_machine * sm,bool pre_auth)2818 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, bool pre_auth) 2819 { 2820 if (!sm) 2821 return; 2822 if (pre_auth) 2823 sm->flags |= EAPOL_SM_PREAUTH; 2824 else 2825 sm->flags &= ~EAPOL_SM_PREAUTH; 2826 } 2827 2828 bool_txt(bool val)2829 static const char * bool_txt(bool val) 2830 { 2831 return val ? "TRUE" : "FALSE"; 2832 } 2833 2834 ieee802_1x_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)2835 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2836 { 2837 /* TODO */ 2838 return 0; 2839 } 2840 2841 ieee802_1x_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)2842 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2843 char *buf, size_t buflen) 2844 { 2845 int len = 0, ret; 2846 struct eapol_state_machine *sm = sta->eapol_sm; 2847 struct os_reltime diff; 2848 const char *name1; 2849 const char *name2; 2850 char *identity_buf = NULL; 2851 2852 if (!sm) 2853 return 0; 2854 2855 ret = os_snprintf(buf + len, buflen - len, 2856 "dot1xPaePortNumber=%d\n" 2857 "dot1xPaePortProtocolVersion=%d\n" 2858 "dot1xPaePortCapabilities=1\n" 2859 "dot1xPaePortInitialize=%d\n" 2860 "dot1xPaePortReauthenticate=FALSE\n", 2861 sta->aid, 2862 EAPOL_VERSION, 2863 sm->initialize); 2864 if (os_snprintf_error(buflen - len, ret)) 2865 return len; 2866 len += ret; 2867 2868 /* dot1xAuthConfigTable */ 2869 ret = os_snprintf(buf + len, buflen - len, 2870 "dot1xAuthPaeState=%d\n" 2871 "dot1xAuthBackendAuthState=%d\n" 2872 "dot1xAuthAdminControlledDirections=%d\n" 2873 "dot1xAuthOperControlledDirections=%d\n" 2874 "dot1xAuthAuthControlledPortStatus=%d\n" 2875 "dot1xAuthAuthControlledPortControl=%d\n" 2876 "dot1xAuthQuietPeriod=%u\n" 2877 "dot1xAuthServerTimeout=%u\n" 2878 "dot1xAuthReAuthPeriod=%u\n" 2879 "dot1xAuthReAuthEnabled=%s\n" 2880 "dot1xAuthKeyTxEnabled=%s\n", 2881 sm->auth_pae_state + 1, 2882 sm->be_auth_state + 1, 2883 sm->adminControlledDirections, 2884 sm->operControlledDirections, 2885 sm->authPortStatus, 2886 sm->portControl, 2887 sm->quietPeriod, 2888 sm->serverTimeout, 2889 sm->reAuthPeriod, 2890 bool_txt(sm->reAuthEnabled), 2891 bool_txt(sm->keyTxEnabled)); 2892 if (os_snprintf_error(buflen - len, ret)) 2893 return len; 2894 len += ret; 2895 2896 /* dot1xAuthStatsTable */ 2897 ret = os_snprintf(buf + len, buflen - len, 2898 "dot1xAuthEapolFramesRx=%u\n" 2899 "dot1xAuthEapolFramesTx=%u\n" 2900 "dot1xAuthEapolStartFramesRx=%u\n" 2901 "dot1xAuthEapolLogoffFramesRx=%u\n" 2902 "dot1xAuthEapolRespIdFramesRx=%u\n" 2903 "dot1xAuthEapolRespFramesRx=%u\n" 2904 "dot1xAuthEapolReqIdFramesTx=%u\n" 2905 "dot1xAuthEapolReqFramesTx=%u\n" 2906 "dot1xAuthInvalidEapolFramesRx=%u\n" 2907 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2908 "dot1xAuthLastEapolFrameVersion=%u\n" 2909 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2910 sm->dot1xAuthEapolFramesRx, 2911 sm->dot1xAuthEapolFramesTx, 2912 sm->dot1xAuthEapolStartFramesRx, 2913 sm->dot1xAuthEapolLogoffFramesRx, 2914 sm->dot1xAuthEapolRespIdFramesRx, 2915 sm->dot1xAuthEapolRespFramesRx, 2916 sm->dot1xAuthEapolReqIdFramesTx, 2917 sm->dot1xAuthEapolReqFramesTx, 2918 sm->dot1xAuthInvalidEapolFramesRx, 2919 sm->dot1xAuthEapLengthErrorFramesRx, 2920 sm->dot1xAuthLastEapolFrameVersion, 2921 MAC2STR(sm->addr)); 2922 if (os_snprintf_error(buflen - len, ret)) 2923 return len; 2924 len += ret; 2925 2926 /* dot1xAuthDiagTable */ 2927 ret = os_snprintf(buf + len, buflen - len, 2928 "dot1xAuthEntersConnecting=%u\n" 2929 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2930 "dot1xAuthEntersAuthenticating=%u\n" 2931 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2932 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2933 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2934 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2935 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2936 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2937 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2938 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2939 "dot1xAuthBackendResponses=%u\n" 2940 "dot1xAuthBackendAccessChallenges=%u\n" 2941 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2942 "dot1xAuthBackendAuthSuccesses=%u\n" 2943 "dot1xAuthBackendAuthFails=%u\n", 2944 sm->authEntersConnecting, 2945 sm->authEapLogoffsWhileConnecting, 2946 sm->authEntersAuthenticating, 2947 sm->authAuthSuccessesWhileAuthenticating, 2948 sm->authAuthTimeoutsWhileAuthenticating, 2949 sm->authAuthFailWhileAuthenticating, 2950 sm->authAuthEapStartsWhileAuthenticating, 2951 sm->authAuthEapLogoffWhileAuthenticating, 2952 sm->authAuthReauthsWhileAuthenticated, 2953 sm->authAuthEapStartsWhileAuthenticated, 2954 sm->authAuthEapLogoffWhileAuthenticated, 2955 sm->backendResponses, 2956 sm->backendAccessChallenges, 2957 sm->backendOtherRequestsToSupplicant, 2958 sm->backendAuthSuccesses, 2959 sm->backendAuthFails); 2960 if (os_snprintf_error(buflen - len, ret)) 2961 return len; 2962 len += ret; 2963 2964 /* dot1xAuthSessionStatsTable */ 2965 os_reltime_age(&sta->acct_session_start, &diff); 2966 if (sm->eap && !sm->identity) { 2967 const u8 *id; 2968 size_t id_len; 2969 2970 id = eap_get_identity(sm->eap, &id_len); 2971 if (id) 2972 identity_buf = dup_binstr(id, id_len); 2973 } 2974 ret = os_snprintf(buf + len, buflen - len, 2975 /* TODO: dot1xAuthSessionOctetsRx */ 2976 /* TODO: dot1xAuthSessionOctetsTx */ 2977 /* TODO: dot1xAuthSessionFramesRx */ 2978 /* TODO: dot1xAuthSessionFramesTx */ 2979 "dot1xAuthSessionId=%016llX\n" 2980 "dot1xAuthSessionAuthenticMethod=%d\n" 2981 "dot1xAuthSessionTime=%u\n" 2982 "dot1xAuthSessionTerminateCause=999\n" 2983 "dot1xAuthSessionUserName=%s\n", 2984 (unsigned long long) sta->acct_session_id, 2985 (wpa_key_mgmt_wpa_ieee8021x( 2986 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2987 1 : 2, 2988 (unsigned int) diff.sec, 2989 sm->identity ? (char *) sm->identity : 2990 (identity_buf ? identity_buf : "N/A")); 2991 os_free(identity_buf); 2992 if (os_snprintf_error(buflen - len, ret)) 2993 return len; 2994 len += ret; 2995 2996 if (sm->acct_multi_session_id) { 2997 ret = os_snprintf(buf + len, buflen - len, 2998 "authMultiSessionId=%016llX\n", 2999 (unsigned long long) 3000 sm->acct_multi_session_id); 3001 if (os_snprintf_error(buflen - len, ret)) 3002 return len; 3003 len += ret; 3004 } 3005 3006 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 3007 name2 = eap_server_get_name(0, sm->eap_type_supp); 3008 ret = os_snprintf(buf + len, buflen - len, 3009 "last_eap_type_as=%d (%s)\n" 3010 "last_eap_type_sta=%d (%s)\n", 3011 sm->eap_type_authsrv, name1, 3012 sm->eap_type_supp, name2); 3013 if (os_snprintf_error(buflen - len, ret)) 3014 return len; 3015 len += ret; 3016 3017 return len; 3018 } 3019 3020 3021 #ifdef CONFIG_HS20 ieee802_1x_wnm_notif_send(void * eloop_ctx,void * timeout_ctx)3022 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 3023 { 3024 struct hostapd_data *hapd = eloop_ctx; 3025 struct sta_info *sta = timeout_ctx; 3026 3027 if (sta->hs20_deauth_req) { 3028 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 3029 MACSTR " to indicate imminent deauthentication", 3030 MAC2STR(sta->addr)); 3031 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 3032 sta->hs20_deauth_req); 3033 } 3034 3035 if (sta->hs20_t_c_filtering) { 3036 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 3037 MACSTR " to indicate Terms and Conditions filtering", 3038 MAC2STR(sta->addr)); 3039 hs20_send_wnm_notification_t_c(hapd, sta->addr, sta->t_c_url); 3040 os_free(sta->t_c_url); 3041 sta->t_c_url = NULL; 3042 } 3043 } 3044 #endif /* CONFIG_HS20 */ 3045 3046 ieee802_1x_finished(struct hostapd_data * hapd,struct sta_info * sta,int success,bool logoff)3047 static bool ieee802_1x_finished(struct hostapd_data *hapd, 3048 struct sta_info *sta, int success, 3049 bool logoff) 3050 { 3051 const u8 *key; 3052 size_t len; 3053 /* TODO: get PMKLifetime from WPA parameters */ 3054 static const int dot11RSNAConfigPMKLifetime = 43200; 3055 unsigned int session_timeout; 3056 struct os_reltime now, remaining; 3057 3058 #ifdef CONFIG_HS20 3059 if (success && (sta->hs20_deauth_req || sta->hs20_t_c_filtering)) { 3060 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 3061 MACSTR " in 100 ms", MAC2STR(sta->addr)); 3062 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 3063 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 3064 hapd, sta); 3065 } 3066 #endif /* CONFIG_HS20 */ 3067 3068 #ifdef CONFIG_MACSEC 3069 ieee802_1x_notify_create_actor_hapd(hapd, sta); 3070 #endif /* CONFIG_MACSEC */ 3071 3072 key = ieee802_1x_get_key(sta->eapol_sm, &len); 3073 if (sta->session_timeout_set) { 3074 os_get_reltime(&now); 3075 os_reltime_sub(&sta->session_timeout, &now, &remaining); 3076 session_timeout = (remaining.sec > 0) ? remaining.sec : 1; 3077 } else { 3078 session_timeout = dot11RSNAConfigPMKLifetime; 3079 } 3080 if (success && key && len >= PMK_LEN && 3081 !sta->hs20_deauth_requested && 3082 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 3083 sta->eapol_sm) == 0) { 3084 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 3085 HOSTAPD_LEVEL_DEBUG, 3086 "Added PMKSA cache entry (IEEE 802.1X)"); 3087 } 3088 3089 if (!success) { 3090 /* 3091 * Many devices require deauthentication after WPS provisioning 3092 * and some may not be be able to do that themselves, so 3093 * disconnect the client here. In addition, this may also 3094 * benefit IEEE 802.1X/EAPOL authentication cases, too since 3095 * the EAPOL PAE state machine would remain in HELD state for 3096 * considerable amount of time and some EAP methods, like 3097 * EAP-FAST with anonymous provisioning, may require another 3098 * EAPOL authentication to be started to complete connection. 3099 */ 3100 ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta, 3101 logoff ? 0 : 10); 3102 if (logoff && sta->wpa_sm) 3103 return true; 3104 } 3105 3106 return false; 3107 } 3108