1 /* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 #ifdef CONFIG_SQLITE 11 #include <sqlite3.h> 12 #endif /* CONFIG_SQLITE */ 13 14 #include "utils/common.h" 15 #include "utils/eloop.h" 16 #include "crypto/md5.h" 17 #include "crypto/crypto.h" 18 #include "crypto/random.h" 19 #include "common/ieee802_11_defs.h" 20 #include "radius/radius.h" 21 #include "radius/radius_client.h" 22 #include "eap_server/eap.h" 23 #include "eap_common/eap_wsc_common.h" 24 #include "eapol_auth/eapol_auth_sm.h" 25 #include "eapol_auth/eapol_auth_sm_i.h" 26 #include "p2p/p2p.h" 27 #include "hostapd.h" 28 #include "accounting.h" 29 #include "sta_info.h" 30 #include "wpa_auth.h" 31 #include "preauth_auth.h" 32 #include "pmksa_cache_auth.h" 33 #include "ap_config.h" 34 #include "ap_drv_ops.h" 35 #include "wps_hostapd.h" 36 #include "hs20.h" 37 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */ 38 #include "ieee802_11.h" 39 #include "ieee802_1x.h" 40 #include "wpa_auth_kay.h" 41 42 43 #ifdef CONFIG_HS20 44 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); 45 #endif /* CONFIG_HS20 */ 46 static void ieee802_1x_finished(struct hostapd_data *hapd, 47 struct sta_info *sta, int success, 48 int remediation); 49 50 51 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 52 u8 type, const u8 *data, size_t datalen) 53 { 54 u8 *buf; 55 struct ieee802_1x_hdr *xhdr; 56 size_t len; 57 int encrypt = 0; 58 59 len = sizeof(*xhdr) + datalen; 60 buf = os_zalloc(len); 61 if (buf == NULL) { 62 wpa_printf(MSG_ERROR, "malloc() failed for " 63 "ieee802_1x_send(len=%lu)", 64 (unsigned long) len); 65 return; 66 } 67 68 xhdr = (struct ieee802_1x_hdr *) buf; 69 xhdr->version = hapd->conf->eapol_version; 70 #ifdef CONFIG_MACSEC 71 if (xhdr->version > 2 && hapd->conf->macsec_policy == 0) 72 xhdr->version = 2; 73 #endif /* CONFIG_MACSEC */ 74 xhdr->type = type; 75 xhdr->length = host_to_be16(datalen); 76 77 if (datalen > 0 && data != NULL) 78 os_memcpy(xhdr + 1, data, datalen); 79 80 if (wpa_auth_pairwise_set(sta->wpa_sm)) 81 encrypt = 1; 82 #ifdef CONFIG_TESTING_OPTIONS 83 if (hapd->ext_eapol_frame_io) { 84 size_t hex_len = 2 * len + 1; 85 char *hex = os_malloc(hex_len); 86 87 if (hex) { 88 wpa_snprintf_hex(hex, hex_len, buf, len); 89 wpa_msg(hapd->msg_ctx, MSG_INFO, 90 "EAPOL-TX " MACSTR " %s", 91 MAC2STR(sta->addr), hex); 92 os_free(hex); 93 } 94 } else 95 #endif /* CONFIG_TESTING_OPTIONS */ 96 if (sta->flags & WLAN_STA_PREAUTH) { 97 rsn_preauth_send(hapd, sta, buf, len); 98 } else { 99 hostapd_drv_hapd_send_eapol( 100 hapd, sta->addr, buf, len, 101 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 102 } 103 104 os_free(buf); 105 } 106 107 108 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 109 struct sta_info *sta, int authorized) 110 { 111 int res; 112 113 if (sta->flags & WLAN_STA_PREAUTH) 114 return; 115 116 if (authorized) { 117 ap_sta_set_authorized(hapd, sta, 1); 118 res = hostapd_set_authorized(hapd, sta, 1); 119 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 120 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 121 } else { 122 ap_sta_set_authorized(hapd, sta, 0); 123 res = hostapd_set_authorized(hapd, sta, 0); 124 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 125 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 126 } 127 128 if (res && errno != ENOENT) { 129 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 130 " flags for kernel driver (errno=%d).", 131 MAC2STR(sta->addr), errno); 132 } 133 134 if (authorized) { 135 os_get_reltime(&sta->connected_time); 136 accounting_sta_start(hapd, sta); 137 } 138 } 139 140 141 #ifndef CONFIG_FIPS 142 #ifndef CONFIG_NO_RC4 143 144 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 145 struct sta_info *sta, 146 int idx, int broadcast, 147 u8 *key_data, size_t key_len) 148 { 149 u8 *buf, *ekey; 150 struct ieee802_1x_hdr *hdr; 151 struct ieee802_1x_eapol_key *key; 152 size_t len, ekey_len; 153 struct eapol_state_machine *sm = sta->eapol_sm; 154 155 if (sm == NULL) 156 return; 157 158 len = sizeof(*key) + key_len; 159 buf = os_zalloc(sizeof(*hdr) + len); 160 if (buf == NULL) 161 return; 162 163 hdr = (struct ieee802_1x_hdr *) buf; 164 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 165 key->type = EAPOL_KEY_TYPE_RC4; 166 WPA_PUT_BE16(key->key_length, key_len); 167 wpa_get_ntp_timestamp(key->replay_counter); 168 if (os_memcmp(key->replay_counter, 169 hapd->last_1x_eapol_key_replay_counter, 170 IEEE8021X_REPLAY_COUNTER_LEN) <= 0) { 171 /* NTP timestamp did not increment from last EAPOL-Key frame; 172 * use previously used value + 1 instead. */ 173 inc_byte_array(hapd->last_1x_eapol_key_replay_counter, 174 IEEE8021X_REPLAY_COUNTER_LEN); 175 os_memcpy(key->replay_counter, 176 hapd->last_1x_eapol_key_replay_counter, 177 IEEE8021X_REPLAY_COUNTER_LEN); 178 } else { 179 os_memcpy(hapd->last_1x_eapol_key_replay_counter, 180 key->replay_counter, 181 IEEE8021X_REPLAY_COUNTER_LEN); 182 } 183 184 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 185 wpa_printf(MSG_ERROR, "Could not get random numbers"); 186 os_free(buf); 187 return; 188 } 189 190 key->key_index = idx | (broadcast ? 0 : BIT(7)); 191 if (hapd->conf->eapol_key_index_workaround) { 192 /* According to some information, WinXP Supplicant seems to 193 * interpret bit7 as an indication whether the key is to be 194 * activated, so make it possible to enable workaround that 195 * sets this bit for all keys. */ 196 key->key_index |= BIT(7); 197 } 198 199 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 200 * MSK[32..63] is used to sign the message. */ 201 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 202 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 203 "and signing EAPOL-Key"); 204 os_free(buf); 205 return; 206 } 207 os_memcpy((u8 *) (key + 1), key_data, key_len); 208 ekey_len = sizeof(key->key_iv) + 32; 209 ekey = os_malloc(ekey_len); 210 if (ekey == NULL) { 211 wpa_printf(MSG_ERROR, "Could not encrypt key"); 212 os_free(buf); 213 return; 214 } 215 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 216 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 217 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 218 os_free(ekey); 219 220 /* This header is needed here for HMAC-MD5, but it will be regenerated 221 * in ieee802_1x_send() */ 222 hdr->version = hapd->conf->eapol_version; 223 #ifdef CONFIG_MACSEC 224 if (hdr->version > 2) 225 hdr->version = 2; 226 #endif /* CONFIG_MACSEC */ 227 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 228 hdr->length = host_to_be16(len); 229 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 230 key->key_signature); 231 232 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 233 " (%s index=%d)", MAC2STR(sm->addr), 234 broadcast ? "broadcast" : "unicast", idx); 235 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 236 if (sta->eapol_sm) 237 sta->eapol_sm->dot1xAuthEapolFramesTx++; 238 os_free(buf); 239 } 240 241 242 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 243 { 244 struct eapol_authenticator *eapol = hapd->eapol_auth; 245 struct eapol_state_machine *sm = sta->eapol_sm; 246 247 if (sm == NULL || !sm->eap_if->eapKeyData) 248 return; 249 250 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 251 MAC2STR(sta->addr)); 252 253 #ifndef CONFIG_NO_VLAN 254 if (sta->vlan_id > 0) { 255 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 256 return; 257 } 258 #endif /* CONFIG_NO_VLAN */ 259 260 if (eapol->default_wep_key) { 261 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 262 eapol->default_wep_key, 263 hapd->conf->default_wep_key_len); 264 } 265 266 if (hapd->conf->individual_wep_key_len > 0) { 267 u8 *ikey; 268 ikey = os_malloc(hapd->conf->individual_wep_key_len); 269 if (ikey == NULL || 270 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 271 { 272 wpa_printf(MSG_ERROR, "Could not generate random " 273 "individual WEP key."); 274 os_free(ikey); 275 return; 276 } 277 278 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 279 ikey, hapd->conf->individual_wep_key_len); 280 281 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 282 hapd->conf->individual_wep_key_len); 283 284 /* TODO: set encryption in TX callback, i.e., only after STA 285 * has ACKed EAPOL-Key frame */ 286 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 287 sta->addr, 0, 1, NULL, 0, ikey, 288 hapd->conf->individual_wep_key_len)) { 289 wpa_printf(MSG_ERROR, "Could not set individual WEP " 290 "encryption."); 291 } 292 293 os_free(ikey); 294 } 295 } 296 297 #endif /* CONFIG_NO_RC4 */ 298 #endif /* CONFIG_FIPS */ 299 300 301 const char *radius_mode_txt(struct hostapd_data *hapd) 302 { 303 switch (hapd->iface->conf->hw_mode) { 304 case HOSTAPD_MODE_IEEE80211AD: 305 return "802.11ad"; 306 case HOSTAPD_MODE_IEEE80211A: 307 return "802.11a"; 308 case HOSTAPD_MODE_IEEE80211G: 309 return "802.11g"; 310 case HOSTAPD_MODE_IEEE80211B: 311 default: 312 return "802.11b"; 313 } 314 } 315 316 317 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 318 { 319 int i; 320 u8 rate = 0; 321 322 for (i = 0; i < sta->supported_rates_len; i++) 323 if ((sta->supported_rates[i] & 0x7f) > rate) 324 rate = sta->supported_rates[i] & 0x7f; 325 326 return rate; 327 } 328 329 330 #ifndef CONFIG_NO_RADIUS 331 static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 332 struct eapol_state_machine *sm, 333 const u8 *eap, size_t len) 334 { 335 const u8 *identity; 336 size_t identity_len; 337 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 338 339 if (len <= sizeof(struct eap_hdr) || 340 (hdr->code == EAP_CODE_RESPONSE && 341 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 342 (hdr->code == EAP_CODE_INITIATE && 343 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 344 (hdr->code != EAP_CODE_RESPONSE && 345 hdr->code != EAP_CODE_INITIATE)) 346 return; 347 348 eap_erp_update_identity(sm->eap, eap, len); 349 identity = eap_get_identity(sm->eap, &identity_len); 350 if (identity == NULL) 351 return; 352 353 /* Save station identity for future RADIUS packets */ 354 os_free(sm->identity); 355 sm->identity = (u8 *) dup_binstr(identity, identity_len); 356 if (sm->identity == NULL) { 357 sm->identity_len = 0; 358 return; 359 } 360 361 sm->identity_len = identity_len; 362 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 363 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 364 sm->dot1xAuthEapolRespIdFramesRx++; 365 } 366 367 368 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 369 struct hostapd_radius_attr *req_attr, 370 struct sta_info *sta, 371 struct radius_msg *msg) 372 { 373 u32 suite; 374 int ver, val; 375 376 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 377 val = wpa_auth_get_pairwise(sta->wpa_sm); 378 suite = wpa_cipher_to_suite(ver, val); 379 if (val != -1 && 380 !hostapd_config_get_radius_attr(req_attr, 381 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 382 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 383 suite)) { 384 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 385 return -1; 386 } 387 388 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 389 hapd->conf->osen) ? 390 WPA_PROTO_RSN : WPA_PROTO_WPA, 391 hapd->conf->wpa_group); 392 if (!hostapd_config_get_radius_attr(req_attr, 393 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 394 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 395 suite)) { 396 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 397 return -1; 398 } 399 400 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 401 suite = wpa_akm_to_suite(val); 402 if (val != -1 && 403 !hostapd_config_get_radius_attr(req_attr, 404 RADIUS_ATTR_WLAN_AKM_SUITE) && 405 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 406 suite)) { 407 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 408 return -1; 409 } 410 411 #ifdef CONFIG_IEEE80211W 412 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 413 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 414 hapd->conf->group_mgmt_cipher); 415 if (!hostapd_config_get_radius_attr( 416 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 417 !radius_msg_add_attr_int32( 418 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 419 wpa_printf(MSG_ERROR, 420 "Could not add WLAN-Group-Mgmt-Cipher"); 421 return -1; 422 } 423 } 424 #endif /* CONFIG_IEEE80211W */ 425 426 return 0; 427 } 428 429 430 static int add_common_radius_sta_attr(struct hostapd_data *hapd, 431 struct hostapd_radius_attr *req_attr, 432 struct sta_info *sta, 433 struct radius_msg *msg) 434 { 435 char buf[128]; 436 437 if (!hostapd_config_get_radius_attr(req_attr, 438 RADIUS_ATTR_SERVICE_TYPE) && 439 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, 440 RADIUS_SERVICE_TYPE_FRAMED)) { 441 wpa_printf(MSG_ERROR, "Could not add Service-Type"); 442 return -1; 443 } 444 445 if (!hostapd_config_get_radius_attr(req_attr, 446 RADIUS_ATTR_NAS_PORT) && 447 sta->aid > 0 && 448 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 449 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 450 return -1; 451 } 452 453 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 454 MAC2STR(sta->addr)); 455 buf[sizeof(buf) - 1] = '\0'; 456 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 457 (u8 *) buf, os_strlen(buf))) { 458 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 459 return -1; 460 } 461 462 if (sta->flags & WLAN_STA_PREAUTH) { 463 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 464 sizeof(buf)); 465 } else { 466 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 467 radius_sta_rate(hapd, sta) / 2, 468 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 469 radius_mode_txt(hapd)); 470 buf[sizeof(buf) - 1] = '\0'; 471 } 472 if (!hostapd_config_get_radius_attr(req_attr, 473 RADIUS_ATTR_CONNECT_INFO) && 474 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 475 (u8 *) buf, os_strlen(buf))) { 476 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 477 return -1; 478 } 479 480 if (sta->acct_session_id) { 481 os_snprintf(buf, sizeof(buf), "%016llX", 482 (unsigned long long) sta->acct_session_id); 483 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 484 (u8 *) buf, os_strlen(buf))) { 485 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 486 return -1; 487 } 488 } 489 490 if ((hapd->conf->wpa & 2) && 491 !hapd->conf->disable_pmksa_caching && 492 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { 493 os_snprintf(buf, sizeof(buf), "%016llX", 494 (unsigned long long) 495 sta->eapol_sm->acct_multi_session_id); 496 if (!radius_msg_add_attr( 497 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 498 (u8 *) buf, os_strlen(buf))) { 499 wpa_printf(MSG_INFO, 500 "Could not add Acct-Multi-Session-Id"); 501 return -1; 502 } 503 } 504 505 #ifdef CONFIG_IEEE80211R_AP 506 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 507 sta->wpa_sm && 508 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 509 sta->auth_alg == WLAN_AUTH_FT) && 510 !hostapd_config_get_radius_attr(req_attr, 511 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 512 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 513 WPA_GET_BE16( 514 hapd->conf->mobility_domain))) { 515 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 516 return -1; 517 } 518 #endif /* CONFIG_IEEE80211R_AP */ 519 520 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 521 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 522 return -1; 523 524 return 0; 525 } 526 527 528 int add_common_radius_attr(struct hostapd_data *hapd, 529 struct hostapd_radius_attr *req_attr, 530 struct sta_info *sta, 531 struct radius_msg *msg) 532 { 533 char buf[128]; 534 struct hostapd_radius_attr *attr; 535 int len; 536 537 if (!hostapd_config_get_radius_attr(req_attr, 538 RADIUS_ATTR_NAS_IP_ADDRESS) && 539 hapd->conf->own_ip_addr.af == AF_INET && 540 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 541 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 542 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 543 return -1; 544 } 545 546 #ifdef CONFIG_IPV6 547 if (!hostapd_config_get_radius_attr(req_attr, 548 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 549 hapd->conf->own_ip_addr.af == AF_INET6 && 550 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 551 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 552 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 553 return -1; 554 } 555 #endif /* CONFIG_IPV6 */ 556 557 if (!hostapd_config_get_radius_attr(req_attr, 558 RADIUS_ATTR_NAS_IDENTIFIER) && 559 hapd->conf->nas_identifier && 560 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 561 (u8 *) hapd->conf->nas_identifier, 562 os_strlen(hapd->conf->nas_identifier))) { 563 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 564 return -1; 565 } 566 567 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", 568 MAC2STR(hapd->own_addr)); 569 os_memcpy(&buf[len], hapd->conf->ssid.ssid, 570 hapd->conf->ssid.ssid_len); 571 len += hapd->conf->ssid.ssid_len; 572 if (!hostapd_config_get_radius_attr(req_attr, 573 RADIUS_ATTR_CALLED_STATION_ID) && 574 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 575 (u8 *) buf, len)) { 576 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 577 return -1; 578 } 579 580 if (!hostapd_config_get_radius_attr(req_attr, 581 RADIUS_ATTR_NAS_PORT_TYPE) && 582 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 583 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 584 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 585 return -1; 586 } 587 588 #ifdef CONFIG_INTERWORKING 589 if (hapd->conf->interworking && 590 !is_zero_ether_addr(hapd->conf->hessid)) { 591 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 592 MAC2STR(hapd->conf->hessid)); 593 buf[sizeof(buf) - 1] = '\0'; 594 if (!hostapd_config_get_radius_attr(req_attr, 595 RADIUS_ATTR_WLAN_HESSID) && 596 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 597 (u8 *) buf, os_strlen(buf))) { 598 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 599 return -1; 600 } 601 } 602 #endif /* CONFIG_INTERWORKING */ 603 604 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 605 return -1; 606 607 for (attr = req_attr; attr; attr = attr->next) { 608 if (!radius_msg_add_attr(msg, attr->type, 609 wpabuf_head(attr->val), 610 wpabuf_len(attr->val))) { 611 wpa_printf(MSG_ERROR, "Could not add RADIUS " 612 "attribute"); 613 return -1; 614 } 615 } 616 617 return 0; 618 } 619 620 621 int add_sqlite_radius_attr(struct hostapd_data *hapd, struct sta_info *sta, 622 struct radius_msg *msg, int acct) 623 { 624 #ifdef CONFIG_SQLITE 625 const char *attrtxt; 626 char addrtxt[3 * ETH_ALEN]; 627 char *sql; 628 sqlite3_stmt *stmt = NULL; 629 630 if (!hapd->rad_attr_db) 631 return 0; 632 633 os_snprintf(addrtxt, sizeof(addrtxt), MACSTR, MAC2STR(sta->addr)); 634 635 sql = "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);"; 636 if (sqlite3_prepare_v2(hapd->rad_attr_db, sql, os_strlen(sql), &stmt, 637 NULL) != SQLITE_OK) { 638 wpa_printf(MSG_ERROR, "DB: Failed to prepare SQL statement: %s", 639 sqlite3_errmsg(hapd->rad_attr_db)); 640 return -1; 641 } 642 sqlite3_bind_text(stmt, 1, addrtxt, os_strlen(addrtxt), SQLITE_STATIC); 643 sqlite3_bind_text(stmt, 2, acct ? "acct" : "auth", 4, SQLITE_STATIC); 644 while (sqlite3_step(stmt) == SQLITE_ROW) { 645 struct hostapd_radius_attr *attr; 646 struct radius_attr_hdr *hdr; 647 648 attrtxt = (const char *) sqlite3_column_text(stmt, 0); 649 attr = hostapd_parse_radius_attr(attrtxt); 650 if (!attr) { 651 wpa_printf(MSG_ERROR, 652 "Skipping invalid attribute from SQL: %s", 653 attrtxt); 654 continue; 655 } 656 wpa_printf(MSG_DEBUG, "Adding RADIUS attribute from SQL: %s", 657 attrtxt); 658 hdr = radius_msg_add_attr(msg, attr->type, 659 wpabuf_head(attr->val), 660 wpabuf_len(attr->val)); 661 hostapd_config_free_radius_attr(attr); 662 if (!hdr) { 663 wpa_printf(MSG_ERROR, 664 "Could not add RADIUS attribute from SQL"); 665 continue; 666 } 667 } 668 669 sqlite3_reset(stmt); 670 sqlite3_clear_bindings(stmt); 671 sqlite3_finalize(stmt); 672 #endif /* CONFIG_SQLITE */ 673 674 return 0; 675 } 676 677 678 void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 679 struct sta_info *sta, 680 const u8 *eap, size_t len) 681 { 682 struct radius_msg *msg; 683 struct eapol_state_machine *sm = sta->eapol_sm; 684 685 if (sm == NULL) 686 return; 687 688 ieee802_1x_learn_identity(hapd, sm, eap, len); 689 690 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 691 "packet"); 692 693 sm->radius_identifier = radius_client_get_id(hapd->radius); 694 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 695 sm->radius_identifier); 696 if (msg == NULL) { 697 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 698 return; 699 } 700 701 if (radius_msg_make_authenticator(msg) < 0) { 702 wpa_printf(MSG_INFO, "Could not make Request Authenticator"); 703 goto fail; 704 } 705 706 if (sm->identity && 707 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 708 sm->identity, sm->identity_len)) { 709 wpa_printf(MSG_INFO, "Could not add User-Name"); 710 goto fail; 711 } 712 713 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 714 msg) < 0) 715 goto fail; 716 717 if (sta && add_sqlite_radius_attr(hapd, sta, msg, 0) < 0) 718 goto fail; 719 720 /* TODO: should probably check MTU from driver config; 2304 is max for 721 * IEEE 802.11, but use 1400 to avoid problems with too large packets 722 */ 723 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 724 RADIUS_ATTR_FRAMED_MTU) && 725 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 726 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 727 goto fail; 728 } 729 730 if (!radius_msg_add_eap(msg, eap, len)) { 731 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 732 goto fail; 733 } 734 735 /* State attribute must be copied if and only if this packet is 736 * Access-Request reply to the previous Access-Challenge */ 737 if (sm->last_recv_radius && 738 radius_msg_get_hdr(sm->last_recv_radius)->code == 739 RADIUS_CODE_ACCESS_CHALLENGE) { 740 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 741 RADIUS_ATTR_STATE); 742 if (res < 0) { 743 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 744 goto fail; 745 } 746 if (res > 0) { 747 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 748 } 749 } 750 751 if (hapd->conf->radius_request_cui) { 752 const u8 *cui; 753 size_t cui_len; 754 /* Add previously learned CUI or nul CUI to request CUI */ 755 if (sm->radius_cui) { 756 cui = wpabuf_head(sm->radius_cui); 757 cui_len = wpabuf_len(sm->radius_cui); 758 } else { 759 cui = (const u8 *) "\0"; 760 cui_len = 1; 761 } 762 if (!radius_msg_add_attr(msg, 763 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 764 cui, cui_len)) { 765 wpa_printf(MSG_ERROR, "Could not add CUI"); 766 goto fail; 767 } 768 } 769 770 #ifdef CONFIG_HS20 771 if (hapd->conf->hs20) { 772 u8 ver = hapd->conf->hs20_release - 1; 773 774 if (!radius_msg_add_wfa( 775 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 776 &ver, 1)) { 777 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 778 "version"); 779 goto fail; 780 } 781 782 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 783 const u8 *pos; 784 u8 buf[3]; 785 u16 id; 786 pos = wpabuf_head_u8(sta->hs20_ie); 787 buf[0] = (*pos) >> 4; 788 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 789 wpabuf_len(sta->hs20_ie) >= 3) 790 id = WPA_GET_LE16(pos + 1); 791 else 792 id = 0; 793 WPA_PUT_BE16(buf + 1, id); 794 if (!radius_msg_add_wfa( 795 msg, 796 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 797 buf, sizeof(buf))) { 798 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 799 "STA version"); 800 goto fail; 801 } 802 } 803 804 if (sta->roaming_consortium && 805 !radius_msg_add_wfa( 806 msg, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM, 807 wpabuf_head(sta->roaming_consortium), 808 wpabuf_len(sta->roaming_consortium))) { 809 wpa_printf(MSG_ERROR, 810 "Could not add HS 2.0 Roaming Consortium"); 811 goto fail; 812 } 813 814 if (hapd->conf->t_c_filename) { 815 be32 timestamp; 816 817 if (!radius_msg_add_wfa( 818 msg, 819 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME, 820 (const u8 *) hapd->conf->t_c_filename, 821 os_strlen(hapd->conf->t_c_filename))) { 822 wpa_printf(MSG_ERROR, 823 "Could not add HS 2.0 T&C Filename"); 824 goto fail; 825 } 826 827 timestamp = host_to_be32(hapd->conf->t_c_timestamp); 828 if (!radius_msg_add_wfa( 829 msg, 830 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP, 831 (const u8 *) ×tamp, 832 sizeof(timestamp))) { 833 wpa_printf(MSG_ERROR, 834 "Could not add HS 2.0 Timestamp"); 835 goto fail; 836 } 837 } 838 } 839 #endif /* CONFIG_HS20 */ 840 841 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 842 goto fail; 843 844 return; 845 846 fail: 847 radius_msg_free(msg); 848 } 849 #endif /* CONFIG_NO_RADIUS */ 850 851 852 static void handle_eap_response(struct hostapd_data *hapd, 853 struct sta_info *sta, struct eap_hdr *eap, 854 size_t len) 855 { 856 u8 type, *data; 857 struct eapol_state_machine *sm = sta->eapol_sm; 858 if (sm == NULL) 859 return; 860 861 data = (u8 *) (eap + 1); 862 863 if (len < sizeof(*eap) + 1) { 864 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 865 return; 866 } 867 868 sm->eap_type_supp = type = data[0]; 869 870 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 871 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 872 "id=%d len=%d) from STA: EAP Response-%s (%d)", 873 eap->code, eap->identifier, be_to_host16(eap->length), 874 eap_server_get_name(0, type), type); 875 876 sm->dot1xAuthEapolRespFramesRx++; 877 878 wpabuf_free(sm->eap_if->eapRespData); 879 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 880 sm->eapolEap = TRUE; 881 } 882 883 884 static void handle_eap_initiate(struct hostapd_data *hapd, 885 struct sta_info *sta, struct eap_hdr *eap, 886 size_t len) 887 { 888 #ifdef CONFIG_ERP 889 u8 type, *data; 890 struct eapol_state_machine *sm = sta->eapol_sm; 891 892 if (sm == NULL) 893 return; 894 895 if (len < sizeof(*eap) + 1) { 896 wpa_printf(MSG_INFO, 897 "handle_eap_initiate: too short response data"); 898 return; 899 } 900 901 data = (u8 *) (eap + 1); 902 type = data[0]; 903 904 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 905 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 906 "id=%d len=%d) from STA: EAP Initiate type %u", 907 eap->code, eap->identifier, be_to_host16(eap->length), 908 type); 909 910 wpabuf_free(sm->eap_if->eapRespData); 911 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 912 sm->eapolEap = TRUE; 913 #endif /* CONFIG_ERP */ 914 } 915 916 917 /* Process incoming EAP packet from Supplicant */ 918 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 919 u8 *buf, size_t len) 920 { 921 struct eap_hdr *eap; 922 u16 eap_len; 923 924 if (len < sizeof(*eap)) { 925 wpa_printf(MSG_INFO, " too short EAP packet"); 926 return; 927 } 928 929 eap = (struct eap_hdr *) buf; 930 931 eap_len = be_to_host16(eap->length); 932 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 933 eap->code, eap->identifier, eap_len); 934 if (eap_len < sizeof(*eap)) { 935 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 936 return; 937 } else if (eap_len > len) { 938 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 939 "packet"); 940 return; 941 } else if (eap_len < len) { 942 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 943 "packet", (unsigned long) len - eap_len); 944 } 945 946 switch (eap->code) { 947 case EAP_CODE_REQUEST: 948 wpa_printf(MSG_DEBUG, " (request)"); 949 return; 950 case EAP_CODE_RESPONSE: 951 wpa_printf(MSG_DEBUG, " (response)"); 952 handle_eap_response(hapd, sta, eap, eap_len); 953 break; 954 case EAP_CODE_SUCCESS: 955 wpa_printf(MSG_DEBUG, " (success)"); 956 return; 957 case EAP_CODE_FAILURE: 958 wpa_printf(MSG_DEBUG, " (failure)"); 959 return; 960 case EAP_CODE_INITIATE: 961 wpa_printf(MSG_DEBUG, " (initiate)"); 962 handle_eap_initiate(hapd, sta, eap, eap_len); 963 break; 964 case EAP_CODE_FINISH: 965 wpa_printf(MSG_DEBUG, " (finish)"); 966 break; 967 default: 968 wpa_printf(MSG_DEBUG, " (unknown code)"); 969 return; 970 } 971 } 972 973 974 struct eapol_state_machine * 975 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 976 { 977 int flags = 0; 978 if (sta->flags & WLAN_STA_PREAUTH) 979 flags |= EAPOL_SM_PREAUTH; 980 if (sta->wpa_sm) { 981 flags |= EAPOL_SM_USES_WPA; 982 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 983 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 984 } 985 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 986 sta->wps_ie, sta->p2p_ie, sta, 987 sta->identity, sta->radius_cui); 988 } 989 990 991 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, 992 size_t len) 993 { 994 if (sta->pending_eapol_rx) { 995 wpabuf_free(sta->pending_eapol_rx->buf); 996 } else { 997 sta->pending_eapol_rx = 998 os_malloc(sizeof(*sta->pending_eapol_rx)); 999 if (!sta->pending_eapol_rx) 1000 return; 1001 } 1002 1003 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); 1004 if (!sta->pending_eapol_rx->buf) { 1005 os_free(sta->pending_eapol_rx); 1006 sta->pending_eapol_rx = NULL; 1007 return; 1008 } 1009 1010 os_get_reltime(&sta->pending_eapol_rx->rx_time); 1011 } 1012 1013 1014 /** 1015 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 1016 * @hapd: hostapd BSS data 1017 * @sa: Source address (sender of the EAPOL frame) 1018 * @buf: EAPOL frame 1019 * @len: Length of buf in octets 1020 * 1021 * This function is called for each incoming EAPOL frame from the interface 1022 */ 1023 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 1024 size_t len) 1025 { 1026 struct sta_info *sta; 1027 struct ieee802_1x_hdr *hdr; 1028 struct ieee802_1x_eapol_key *key; 1029 u16 datalen; 1030 struct rsn_pmksa_cache_entry *pmksa; 1031 int key_mgmt; 1032 1033 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 1034 !hapd->conf->wps_state) 1035 return; 1036 1037 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 1038 (unsigned long) len, MAC2STR(sa)); 1039 sta = ap_get_sta(hapd, sa); 1040 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 1041 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 1042 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 1043 "associated/Pre-authenticating STA"); 1044 1045 if (sta && (sta->flags & WLAN_STA_AUTH)) { 1046 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR 1047 " for later use", MAC2STR(sta->addr)); 1048 ieee802_1x_save_eapol(sta, buf, len); 1049 } 1050 1051 return; 1052 } 1053 1054 if (len < sizeof(*hdr)) { 1055 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 1056 return; 1057 } 1058 1059 hdr = (struct ieee802_1x_hdr *) buf; 1060 datalen = be_to_host16(hdr->length); 1061 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 1062 hdr->version, hdr->type, datalen); 1063 1064 if (len - sizeof(*hdr) < datalen) { 1065 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 1066 if (sta->eapol_sm) 1067 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 1068 return; 1069 } 1070 if (len - sizeof(*hdr) > datalen) { 1071 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 1072 "IEEE 802.1X packet", 1073 (unsigned long) len - sizeof(*hdr) - datalen); 1074 } 1075 1076 if (sta->eapol_sm) { 1077 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 1078 sta->eapol_sm->dot1xAuthEapolFramesRx++; 1079 } 1080 1081 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 1082 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 1083 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1084 (key->type == EAPOL_KEY_TYPE_WPA || 1085 key->type == EAPOL_KEY_TYPE_RSN)) { 1086 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 1087 sizeof(*hdr) + datalen); 1088 return; 1089 } 1090 1091 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 1092 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 1093 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 1094 "802.1X not enabled and WPS not used"); 1095 return; 1096 } 1097 1098 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1099 if (key_mgmt != -1 && 1100 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1101 key_mgmt == WPA_KEY_MGMT_DPP)) { 1102 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 1103 "STA is using PSK"); 1104 return; 1105 } 1106 1107 if (!sta->eapol_sm) { 1108 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1109 if (!sta->eapol_sm) 1110 return; 1111 1112 #ifdef CONFIG_WPS 1113 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 1114 u32 wflags = sta->flags & (WLAN_STA_WPS | 1115 WLAN_STA_WPS2 | 1116 WLAN_STA_MAYBE_WPS); 1117 if (wflags == WLAN_STA_MAYBE_WPS || 1118 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 1119 /* 1120 * Delay EAPOL frame transmission until a 1121 * possible WPS STA initiates the handshake 1122 * with EAPOL-Start. Only allow the wait to be 1123 * skipped if the STA is known to support WPS 1124 * 2.0. 1125 */ 1126 wpa_printf(MSG_DEBUG, "WPS: Do not start " 1127 "EAPOL until EAPOL-Start is " 1128 "received"); 1129 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1130 } 1131 } 1132 #endif /* CONFIG_WPS */ 1133 1134 sta->eapol_sm->eap_if->portEnabled = TRUE; 1135 } 1136 1137 /* since we support version 1, we can ignore version field and proceed 1138 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 1139 /* TODO: actually, we are not version 1 anymore.. However, Version 2 1140 * does not change frame contents, so should be ok to process frames 1141 * more or less identically. Some changes might be needed for 1142 * verification of fields. */ 1143 1144 switch (hdr->type) { 1145 case IEEE802_1X_TYPE_EAP_PACKET: 1146 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 1147 break; 1148 1149 case IEEE802_1X_TYPE_EAPOL_START: 1150 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1151 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 1152 "from STA"); 1153 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1154 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1155 if (pmksa) { 1156 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1157 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 1158 "available - ignore it since " 1159 "STA sent EAPOL-Start"); 1160 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 1161 } 1162 sta->eapol_sm->eapolStart = TRUE; 1163 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 1164 eap_server_clear_identity(sta->eapol_sm->eap); 1165 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1166 break; 1167 1168 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 1169 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1170 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 1171 "from STA"); 1172 sta->acct_terminate_cause = 1173 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1174 accounting_sta_stop(hapd, sta); 1175 sta->eapol_sm->eapolLogoff = TRUE; 1176 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 1177 eap_server_clear_identity(sta->eapol_sm->eap); 1178 break; 1179 1180 case IEEE802_1X_TYPE_EAPOL_KEY: 1181 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 1182 if (!ap_sta_is_authorized(sta)) { 1183 wpa_printf(MSG_DEBUG, " Dropped key data from " 1184 "unauthorized Supplicant"); 1185 break; 1186 } 1187 break; 1188 1189 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1190 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1191 /* TODO: implement support for this; show data */ 1192 break; 1193 1194 #ifdef CONFIG_MACSEC 1195 case IEEE802_1X_TYPE_EAPOL_MKA: 1196 wpa_printf(MSG_EXCESSIVE, 1197 "EAPOL type %d will be handled by MKA", hdr->type); 1198 break; 1199 #endif /* CONFIG_MACSEC */ 1200 1201 default: 1202 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1203 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1204 break; 1205 } 1206 1207 eapol_auth_step(sta->eapol_sm); 1208 } 1209 1210 1211 /** 1212 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1213 * @hapd: hostapd BSS data 1214 * @sta: The station 1215 * 1216 * This function is called to start IEEE 802.1X authentication when a new 1217 * station completes IEEE 802.11 association. 1218 */ 1219 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1220 { 1221 struct rsn_pmksa_cache_entry *pmksa; 1222 int reassoc = 1; 1223 int force_1x = 0; 1224 int key_mgmt; 1225 1226 #ifdef CONFIG_WPS 1227 if (hapd->conf->wps_state && 1228 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1229 (sta->flags & WLAN_STA_WPS))) { 1230 /* 1231 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1232 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1233 * authentication in this BSS. 1234 */ 1235 force_1x = 1; 1236 } 1237 #endif /* CONFIG_WPS */ 1238 1239 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1240 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1241 "802.1X not enabled or forced for WPS"); 1242 /* 1243 * Clear any possible EAPOL authenticator state to support 1244 * reassociation change from WPS to PSK. 1245 */ 1246 ieee802_1x_free_station(hapd, sta); 1247 return; 1248 } 1249 1250 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1251 if (key_mgmt != -1 && 1252 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE || 1253 key_mgmt == WPA_KEY_MGMT_DPP)) { 1254 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1255 /* 1256 * Clear any possible EAPOL authenticator state to support 1257 * reassociation change from WPA-EAP to PSK. 1258 */ 1259 ieee802_1x_free_station(hapd, sta); 1260 return; 1261 } 1262 1263 if (sta->eapol_sm == NULL) { 1264 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1265 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1266 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1267 if (sta->eapol_sm == NULL) { 1268 hostapd_logger(hapd, sta->addr, 1269 HOSTAPD_MODULE_IEEE8021X, 1270 HOSTAPD_LEVEL_INFO, 1271 "failed to allocate state machine"); 1272 return; 1273 } 1274 reassoc = 0; 1275 } 1276 1277 #ifdef CONFIG_WPS 1278 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1279 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1280 !(sta->flags & WLAN_STA_WPS2)) { 1281 /* 1282 * Delay EAPOL frame transmission until a possible WPS STA 1283 * initiates the handshake with EAPOL-Start. Only allow the 1284 * wait to be skipped if the STA is known to support WPS 2.0. 1285 */ 1286 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1287 "EAPOL-Start is received"); 1288 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1289 } 1290 #endif /* CONFIG_WPS */ 1291 1292 sta->eapol_sm->eap_if->portEnabled = TRUE; 1293 1294 #ifdef CONFIG_IEEE80211R_AP 1295 if (sta->auth_alg == WLAN_AUTH_FT) { 1296 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1297 HOSTAPD_LEVEL_DEBUG, 1298 "PMK from FT - skip IEEE 802.1X/EAP"); 1299 /* Setup EAPOL state machines to already authenticated state 1300 * because of existing FT information from R0KH. */ 1301 sta->eapol_sm->keyRun = TRUE; 1302 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1303 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1304 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1305 sta->eapol_sm->authSuccess = TRUE; 1306 sta->eapol_sm->authFail = FALSE; 1307 sta->eapol_sm->portValid = TRUE; 1308 if (sta->eapol_sm->eap) 1309 eap_sm_notify_cached(sta->eapol_sm->eap); 1310 ap_sta_bind_vlan(hapd, sta); 1311 return; 1312 } 1313 #endif /* CONFIG_IEEE80211R_AP */ 1314 1315 #ifdef CONFIG_FILS 1316 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 1317 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 1318 sta->auth_alg == WLAN_AUTH_FILS_PK) { 1319 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1320 HOSTAPD_LEVEL_DEBUG, 1321 "PMK from FILS - skip IEEE 802.1X/EAP"); 1322 /* Setup EAPOL state machines to already authenticated state 1323 * because of existing FILS information. */ 1324 sta->eapol_sm->keyRun = TRUE; 1325 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1326 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1327 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1328 sta->eapol_sm->authSuccess = TRUE; 1329 sta->eapol_sm->authFail = FALSE; 1330 sta->eapol_sm->portValid = TRUE; 1331 if (sta->eapol_sm->eap) 1332 eap_sm_notify_cached(sta->eapol_sm->eap); 1333 wpa_auth_set_ptk_rekey_timer(sta->wpa_sm); 1334 return; 1335 } 1336 #endif /* CONFIG_FILS */ 1337 1338 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1339 if (pmksa) { 1340 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1341 HOSTAPD_LEVEL_DEBUG, 1342 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1343 /* Setup EAPOL state machines to already authenticated state 1344 * because of existing PMKSA information in the cache. */ 1345 sta->eapol_sm->keyRun = TRUE; 1346 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1347 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1348 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1349 sta->eapol_sm->authSuccess = TRUE; 1350 sta->eapol_sm->authFail = FALSE; 1351 if (sta->eapol_sm->eap) 1352 eap_sm_notify_cached(sta->eapol_sm->eap); 1353 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); 1354 ap_sta_bind_vlan(hapd, sta); 1355 } else { 1356 if (reassoc) { 1357 /* 1358 * Force EAPOL state machines to start 1359 * re-authentication without having to wait for the 1360 * Supplicant to send EAPOL-Start. 1361 */ 1362 sta->eapol_sm->reAuthenticate = TRUE; 1363 } 1364 eapol_auth_step(sta->eapol_sm); 1365 } 1366 } 1367 1368 1369 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) 1370 { 1371 struct eapol_state_machine *sm = sta->eapol_sm; 1372 1373 #ifdef CONFIG_HS20 1374 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 1375 #endif /* CONFIG_HS20 */ 1376 1377 if (sta->pending_eapol_rx) { 1378 wpabuf_free(sta->pending_eapol_rx->buf); 1379 os_free(sta->pending_eapol_rx); 1380 sta->pending_eapol_rx = NULL; 1381 } 1382 1383 if (sm == NULL) 1384 return; 1385 1386 sta->eapol_sm = NULL; 1387 1388 #ifndef CONFIG_NO_RADIUS 1389 radius_msg_free(sm->last_recv_radius); 1390 radius_free_class(&sm->radius_class); 1391 #endif /* CONFIG_NO_RADIUS */ 1392 1393 eapol_auth_free(sm); 1394 } 1395 1396 1397 #ifndef CONFIG_NO_RADIUS 1398 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1399 struct sta_info *sta) 1400 { 1401 struct wpabuf *eap; 1402 const struct eap_hdr *hdr; 1403 int eap_type = -1; 1404 char buf[64]; 1405 struct radius_msg *msg; 1406 struct eapol_state_machine *sm = sta->eapol_sm; 1407 1408 if (sm == NULL || sm->last_recv_radius == NULL) { 1409 if (sm) 1410 sm->eap_if->aaaEapNoReq = TRUE; 1411 return; 1412 } 1413 1414 msg = sm->last_recv_radius; 1415 1416 eap = radius_msg_get_eap(msg); 1417 if (eap == NULL) { 1418 /* RFC 3579, Chap. 2.6.3: 1419 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1420 * attribute */ 1421 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1422 HOSTAPD_LEVEL_WARNING, "could not extract " 1423 "EAP-Message from RADIUS message"); 1424 sm->eap_if->aaaEapNoReq = TRUE; 1425 return; 1426 } 1427 1428 if (wpabuf_len(eap) < sizeof(*hdr)) { 1429 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1430 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1431 "received from authentication server"); 1432 wpabuf_free(eap); 1433 sm->eap_if->aaaEapNoReq = TRUE; 1434 return; 1435 } 1436 1437 if (wpabuf_len(eap) > sizeof(*hdr)) 1438 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1439 1440 hdr = wpabuf_head(eap); 1441 switch (hdr->code) { 1442 case EAP_CODE_REQUEST: 1443 if (eap_type >= 0) 1444 sm->eap_type_authsrv = eap_type; 1445 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1446 eap_server_get_name(0, eap_type), eap_type); 1447 break; 1448 case EAP_CODE_RESPONSE: 1449 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1450 eap_server_get_name(0, eap_type), eap_type); 1451 break; 1452 case EAP_CODE_SUCCESS: 1453 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1454 break; 1455 case EAP_CODE_FAILURE: 1456 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1457 break; 1458 default: 1459 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1460 break; 1461 } 1462 buf[sizeof(buf) - 1] = '\0'; 1463 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1464 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1465 "id=%d len=%d) from RADIUS server: %s", 1466 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1467 buf); 1468 sm->eap_if->aaaEapReq = TRUE; 1469 1470 wpabuf_free(sm->eap_if->aaaEapReqData); 1471 sm->eap_if->aaaEapReqData = eap; 1472 } 1473 1474 1475 static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1476 struct sta_info *sta, struct radius_msg *msg, 1477 struct radius_msg *req, 1478 const u8 *shared_secret, 1479 size_t shared_secret_len) 1480 { 1481 struct radius_ms_mppe_keys *keys; 1482 u8 *buf; 1483 size_t len; 1484 struct eapol_state_machine *sm = sta->eapol_sm; 1485 if (sm == NULL) 1486 return; 1487 1488 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1489 shared_secret_len); 1490 1491 if (keys && keys->send && keys->recv) { 1492 len = keys->send_len + keys->recv_len; 1493 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1494 keys->send, keys->send_len); 1495 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1496 keys->recv, keys->recv_len); 1497 1498 os_free(sm->eap_if->aaaEapKeyData); 1499 sm->eap_if->aaaEapKeyData = os_malloc(len); 1500 if (sm->eap_if->aaaEapKeyData) { 1501 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1502 keys->recv_len); 1503 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1504 keys->send, keys->send_len); 1505 sm->eap_if->aaaEapKeyDataLen = len; 1506 sm->eap_if->aaaEapKeyAvailable = TRUE; 1507 } 1508 } else { 1509 wpa_printf(MSG_DEBUG, 1510 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1511 keys, keys ? keys->send : NULL, 1512 keys ? keys->recv : NULL); 1513 } 1514 1515 if (keys) { 1516 os_free(keys->send); 1517 os_free(keys->recv); 1518 os_free(keys); 1519 } 1520 1521 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len, 1522 NULL) == 0) { 1523 os_free(sm->eap_if->eapSessionId); 1524 sm->eap_if->eapSessionId = os_memdup(buf, len); 1525 if (sm->eap_if->eapSessionId) { 1526 sm->eap_if->eapSessionIdLen = len; 1527 wpa_hexdump(MSG_DEBUG, "EAP-Key Name", 1528 sm->eap_if->eapSessionId, 1529 sm->eap_if->eapSessionIdLen); 1530 } 1531 } else { 1532 sm->eap_if->eapSessionIdLen = 0; 1533 } 1534 } 1535 1536 1537 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1538 struct sta_info *sta, 1539 struct radius_msg *msg) 1540 { 1541 u8 *attr_class; 1542 size_t class_len; 1543 struct eapol_state_machine *sm = sta->eapol_sm; 1544 int count, i; 1545 struct radius_attr_data *nclass; 1546 size_t nclass_count; 1547 1548 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1549 sm == NULL) 1550 return; 1551 1552 radius_free_class(&sm->radius_class); 1553 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1554 if (count <= 0) 1555 return; 1556 1557 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1558 if (nclass == NULL) 1559 return; 1560 1561 nclass_count = 0; 1562 1563 attr_class = NULL; 1564 for (i = 0; i < count; i++) { 1565 do { 1566 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1567 &attr_class, &class_len, 1568 attr_class) < 0) { 1569 i = count; 1570 break; 1571 } 1572 } while (class_len < 1); 1573 1574 nclass[nclass_count].data = os_memdup(attr_class, class_len); 1575 if (nclass[nclass_count].data == NULL) 1576 break; 1577 1578 nclass[nclass_count].len = class_len; 1579 nclass_count++; 1580 } 1581 1582 sm->radius_class.attr = nclass; 1583 sm->radius_class.count = nclass_count; 1584 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1585 "attributes for " MACSTR, 1586 (unsigned long) sm->radius_class.count, 1587 MAC2STR(sta->addr)); 1588 } 1589 1590 1591 /* Update sta->identity based on User-Name attribute in Access-Accept */ 1592 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1593 struct sta_info *sta, 1594 struct radius_msg *msg) 1595 { 1596 u8 *buf, *identity; 1597 size_t len; 1598 struct eapol_state_machine *sm = sta->eapol_sm; 1599 1600 if (sm == NULL) 1601 return; 1602 1603 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1604 NULL) < 0) 1605 return; 1606 1607 identity = (u8 *) dup_binstr(buf, len); 1608 if (identity == NULL) 1609 return; 1610 1611 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1612 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1613 "User-Name from Access-Accept '%s'", 1614 sm->identity ? (char *) sm->identity : "N/A", 1615 (char *) identity); 1616 1617 os_free(sm->identity); 1618 sm->identity = identity; 1619 sm->identity_len = len; 1620 } 1621 1622 1623 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1624 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1625 struct sta_info *sta, 1626 struct radius_msg *msg) 1627 { 1628 struct eapol_state_machine *sm = sta->eapol_sm; 1629 struct wpabuf *cui; 1630 u8 *buf; 1631 size_t len; 1632 1633 if (sm == NULL) 1634 return; 1635 1636 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1637 &buf, &len, NULL) < 0) 1638 return; 1639 1640 cui = wpabuf_alloc_copy(buf, len); 1641 if (cui == NULL) 1642 return; 1643 1644 wpabuf_free(sm->radius_cui); 1645 sm->radius_cui = cui; 1646 } 1647 1648 1649 #ifdef CONFIG_HS20 1650 1651 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1652 { 1653 sta->remediation = 1; 1654 os_free(sta->remediation_url); 1655 if (len > 2) { 1656 sta->remediation_url = os_malloc(len); 1657 if (!sta->remediation_url) 1658 return; 1659 sta->remediation_method = pos[0]; 1660 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1661 sta->remediation_url[len - 1] = '\0'; 1662 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1663 "for " MACSTR " - server method %u URL %s", 1664 MAC2STR(sta->addr), sta->remediation_method, 1665 sta->remediation_url); 1666 } else { 1667 sta->remediation_url = NULL; 1668 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1669 "for " MACSTR, MAC2STR(sta->addr)); 1670 } 1671 /* TODO: assign the STA into remediation VLAN or add filtering */ 1672 } 1673 1674 1675 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1676 struct sta_info *sta, u8 *pos, 1677 size_t len) 1678 { 1679 if (len < 3) 1680 return; /* Malformed information */ 1681 sta->hs20_deauth_requested = 1; 1682 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1683 "Re-auth Delay %u", 1684 *pos, WPA_GET_LE16(pos + 1)); 1685 wpabuf_free(sta->hs20_deauth_req); 1686 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1687 if (sta->hs20_deauth_req) { 1688 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1689 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1690 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1691 } 1692 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1693 } 1694 1695 1696 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1697 struct sta_info *sta, u8 *pos, 1698 size_t len, int session_timeout) 1699 { 1700 unsigned int swt; 1701 int warning_time, beacon_int; 1702 1703 if (len < 1) 1704 return; /* Malformed information */ 1705 os_free(sta->hs20_session_info_url); 1706 sta->hs20_session_info_url = os_malloc(len); 1707 if (sta->hs20_session_info_url == NULL) 1708 return; 1709 swt = pos[0]; 1710 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1711 sta->hs20_session_info_url[len - 1] = '\0'; 1712 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1713 "(session_timeout=%d)", 1714 sta->hs20_session_info_url, swt, session_timeout); 1715 if (session_timeout < 0) { 1716 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1717 return; 1718 } 1719 if (swt == 255) 1720 swt = 1; /* Use one minute as the AP selected value */ 1721 1722 if ((unsigned int) session_timeout < swt * 60) 1723 warning_time = 0; 1724 else 1725 warning_time = session_timeout - swt * 60; 1726 1727 beacon_int = hapd->iconf->beacon_int; 1728 if (beacon_int < 1) 1729 beacon_int = 100; /* best guess */ 1730 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1731 if (sta->hs20_disassoc_timer > 65535) 1732 sta->hs20_disassoc_timer = 65535; 1733 1734 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1735 } 1736 1737 1738 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data *hapd, 1739 struct sta_info *sta, u8 *pos, 1740 size_t len) 1741 { 1742 if (len < 4) 1743 return; /* Malformed information */ 1744 wpa_printf(MSG_DEBUG, 1745 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x", 1746 pos[0], pos[1], pos[2], pos[3]); 1747 hs20_t_c_filtering(hapd, sta, pos[0] & BIT(0)); 1748 } 1749 1750 1751 static void ieee802_1x_hs20_t_c_url(struct hostapd_data *hapd, 1752 struct sta_info *sta, u8 *pos, size_t len) 1753 { 1754 os_free(sta->t_c_url); 1755 sta->t_c_url = os_malloc(len + 1); 1756 if (!sta->t_c_url) 1757 return; 1758 os_memcpy(sta->t_c_url, pos, len); 1759 sta->t_c_url[len] = '\0'; 1760 wpa_printf(MSG_DEBUG, 1761 "HS 2.0: Terms and Conditions URL %s", sta->t_c_url); 1762 } 1763 1764 #endif /* CONFIG_HS20 */ 1765 1766 1767 static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1768 struct sta_info *sta, 1769 struct radius_msg *msg, 1770 int session_timeout) 1771 { 1772 #ifdef CONFIG_HS20 1773 u8 *buf, *pos, *end, type, sublen; 1774 size_t len; 1775 1776 buf = NULL; 1777 sta->remediation = 0; 1778 sta->hs20_deauth_requested = 0; 1779 1780 for (;;) { 1781 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1782 &buf, &len, buf) < 0) 1783 break; 1784 if (len < 6) 1785 continue; 1786 pos = buf; 1787 end = buf + len; 1788 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1789 continue; 1790 pos += 4; 1791 1792 type = *pos++; 1793 sublen = *pos++; 1794 if (sublen < 2) 1795 continue; /* invalid length */ 1796 sublen -= 2; /* skip header */ 1797 if (pos + sublen > end) 1798 continue; /* invalid WFA VSA */ 1799 1800 switch (type) { 1801 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1802 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1803 break; 1804 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1805 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1806 break; 1807 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1808 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1809 session_timeout); 1810 break; 1811 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING: 1812 ieee802_1x_hs20_t_c_filtering(hapd, sta, pos, sublen); 1813 break; 1814 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL: 1815 ieee802_1x_hs20_t_c_url(hapd, sta, pos, sublen); 1816 break; 1817 } 1818 } 1819 #endif /* CONFIG_HS20 */ 1820 } 1821 1822 1823 struct sta_id_search { 1824 u8 identifier; 1825 struct eapol_state_machine *sm; 1826 }; 1827 1828 1829 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1830 struct sta_info *sta, 1831 void *ctx) 1832 { 1833 struct sta_id_search *id_search = ctx; 1834 struct eapol_state_machine *sm = sta->eapol_sm; 1835 1836 if (sm && sm->radius_identifier >= 0 && 1837 sm->radius_identifier == id_search->identifier) { 1838 id_search->sm = sm; 1839 return 1; 1840 } 1841 return 0; 1842 } 1843 1844 1845 static struct eapol_state_machine * 1846 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1847 { 1848 struct sta_id_search id_search; 1849 id_search.identifier = identifier; 1850 id_search.sm = NULL; 1851 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1852 return id_search.sm; 1853 } 1854 1855 1856 #ifndef CONFIG_NO_VLAN 1857 static int ieee802_1x_update_vlan(struct radius_msg *msg, 1858 struct hostapd_data *hapd, 1859 struct sta_info *sta) 1860 { 1861 struct vlan_description vlan_desc; 1862 1863 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1864 vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged, 1865 MAX_NUM_TAGGED_VLAN, 1866 vlan_desc.tagged); 1867 1868 if (vlan_desc.notempty && 1869 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 1870 sta->eapol_sm->authFail = TRUE; 1871 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1872 HOSTAPD_LEVEL_INFO, 1873 "Invalid VLAN %d%s received from RADIUS server", 1874 vlan_desc.untagged, 1875 vlan_desc.tagged[0] ? "+" : ""); 1876 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 1877 ap_sta_set_vlan(hapd, sta, &vlan_desc); 1878 return -1; 1879 } 1880 1881 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && 1882 !vlan_desc.notempty) { 1883 sta->eapol_sm->authFail = TRUE; 1884 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1885 HOSTAPD_LEVEL_INFO, 1886 "authentication server did not include required VLAN ID in Access-Accept"); 1887 return -1; 1888 } 1889 1890 return ap_sta_set_vlan(hapd, sta, &vlan_desc); 1891 } 1892 #endif /* CONFIG_NO_VLAN */ 1893 1894 1895 /** 1896 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1897 * @msg: RADIUS response message 1898 * @req: RADIUS request message 1899 * @shared_secret: RADIUS shared secret 1900 * @shared_secret_len: Length of shared_secret in octets 1901 * @data: Context data (struct hostapd_data *) 1902 * Returns: Processing status 1903 */ 1904 static RadiusRxResult 1905 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1906 const u8 *shared_secret, size_t shared_secret_len, 1907 void *data) 1908 { 1909 struct hostapd_data *hapd = data; 1910 struct sta_info *sta; 1911 u32 session_timeout = 0, termination_action, acct_interim_interval; 1912 int session_timeout_set; 1913 u32 reason_code; 1914 struct eapol_state_machine *sm; 1915 int override_eapReq = 0; 1916 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1917 1918 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1919 if (sm == NULL) { 1920 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1921 "station for this RADIUS message"); 1922 return RADIUS_RX_UNKNOWN; 1923 } 1924 sta = sm->sta; 1925 1926 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1927 * present when packet contains an EAP-Message attribute */ 1928 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1929 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1930 0) < 0 && 1931 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1932 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1933 "Message-Authenticator since it does not include " 1934 "EAP-Message"); 1935 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1936 req, 1)) { 1937 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1938 return RADIUS_RX_INVALID_AUTHENTICATOR; 1939 } 1940 1941 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1942 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1943 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1944 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1945 return RADIUS_RX_UNKNOWN; 1946 } 1947 1948 sm->radius_identifier = -1; 1949 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1950 MAC2STR(sta->addr)); 1951 1952 radius_msg_free(sm->last_recv_radius); 1953 sm->last_recv_radius = msg; 1954 1955 session_timeout_set = 1956 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1957 &session_timeout); 1958 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1959 &termination_action)) 1960 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1961 1962 if (hapd->conf->acct_interim_interval == 0 && 1963 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1964 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1965 &acct_interim_interval) == 0) { 1966 if (acct_interim_interval < 60) { 1967 hostapd_logger(hapd, sta->addr, 1968 HOSTAPD_MODULE_IEEE8021X, 1969 HOSTAPD_LEVEL_INFO, 1970 "ignored too small " 1971 "Acct-Interim-Interval %d", 1972 acct_interim_interval); 1973 } else 1974 sta->acct_interim_interval = acct_interim_interval; 1975 } 1976 1977 1978 switch (hdr->code) { 1979 case RADIUS_CODE_ACCESS_ACCEPT: 1980 #ifndef CONFIG_NO_VLAN 1981 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED && 1982 ieee802_1x_update_vlan(msg, hapd, sta) < 0) 1983 break; 1984 1985 if (sta->vlan_id > 0) { 1986 hostapd_logger(hapd, sta->addr, 1987 HOSTAPD_MODULE_RADIUS, 1988 HOSTAPD_LEVEL_INFO, 1989 "VLAN ID %d", sta->vlan_id); 1990 } 1991 1992 if ((sta->flags & WLAN_STA_ASSOC) && 1993 ap_sta_bind_vlan(hapd, sta) < 0) 1994 break; 1995 #endif /* CONFIG_NO_VLAN */ 1996 1997 sta->session_timeout_set = !!session_timeout_set; 1998 os_get_reltime(&sta->session_timeout); 1999 sta->session_timeout.sec += session_timeout; 2000 2001 /* RFC 3580, Ch. 3.17 */ 2002 if (session_timeout_set && termination_action == 2003 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) 2004 sm->reAuthPeriod = session_timeout; 2005 else if (session_timeout_set) 2006 ap_sta_session_timeout(hapd, sta, session_timeout); 2007 else 2008 ap_sta_no_session_timeout(hapd, sta); 2009 2010 sm->eap_if->aaaSuccess = TRUE; 2011 override_eapReq = 1; 2012 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 2013 shared_secret_len); 2014 ieee802_1x_store_radius_class(hapd, sta, msg); 2015 ieee802_1x_update_sta_identity(hapd, sta, msg); 2016 ieee802_1x_update_sta_cui(hapd, sta, msg); 2017 ieee802_1x_check_hs20(hapd, sta, msg, 2018 session_timeout_set ? 2019 (int) session_timeout : -1); 2020 break; 2021 case RADIUS_CODE_ACCESS_REJECT: 2022 sm->eap_if->aaaFail = TRUE; 2023 override_eapReq = 1; 2024 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE, 2025 &reason_code) == 0) { 2026 wpa_printf(MSG_DEBUG, 2027 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for " 2028 MACSTR, reason_code, MAC2STR(sta->addr)); 2029 sta->disconnect_reason_code = reason_code; 2030 } 2031 break; 2032 case RADIUS_CODE_ACCESS_CHALLENGE: 2033 sm->eap_if->aaaEapReq = TRUE; 2034 if (session_timeout_set) { 2035 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 2036 sm->eap_if->aaaMethodTimeout = session_timeout; 2037 hostapd_logger(hapd, sm->addr, 2038 HOSTAPD_MODULE_IEEE8021X, 2039 HOSTAPD_LEVEL_DEBUG, 2040 "using EAP timeout of %d seconds (from " 2041 "RADIUS)", 2042 sm->eap_if->aaaMethodTimeout); 2043 } else { 2044 /* 2045 * Use dynamic retransmission behavior per EAP 2046 * specification. 2047 */ 2048 sm->eap_if->aaaMethodTimeout = 0; 2049 } 2050 break; 2051 } 2052 2053 ieee802_1x_decapsulate_radius(hapd, sta); 2054 if (override_eapReq) 2055 sm->eap_if->aaaEapReq = FALSE; 2056 2057 #ifdef CONFIG_FILS 2058 #ifdef NEED_AP_MLME 2059 if (sta->flags & WLAN_STA_PENDING_FILS_ERP) { 2060 /* TODO: Add a PMKSA entry on success? */ 2061 ieee802_11_finish_fils_auth( 2062 hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT, 2063 sm->eap_if->aaaEapReqData, 2064 sm->eap_if->aaaEapKeyData, 2065 sm->eap_if->aaaEapKeyDataLen); 2066 } 2067 #endif /* NEED_AP_MLME */ 2068 #endif /* CONFIG_FILS */ 2069 2070 eapol_auth_step(sm); 2071 2072 return RADIUS_RX_QUEUED; 2073 } 2074 #endif /* CONFIG_NO_RADIUS */ 2075 2076 2077 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 2078 { 2079 struct eapol_state_machine *sm = sta->eapol_sm; 2080 if (sm == NULL) 2081 return; 2082 2083 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2084 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 2085 2086 #ifndef CONFIG_NO_RADIUS 2087 radius_msg_free(sm->last_recv_radius); 2088 sm->last_recv_radius = NULL; 2089 #endif /* CONFIG_NO_RADIUS */ 2090 2091 if (sm->eap_if->eapTimeout) { 2092 /* 2093 * Disconnect the STA since it did not reply to the last EAP 2094 * request and we cannot continue EAP processing (EAP-Failure 2095 * could only be sent if the EAP peer actually replied). 2096 */ 2097 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 2098 MAC2STR(sta->addr)); 2099 2100 sm->eap_if->portEnabled = FALSE; 2101 ap_sta_disconnect(hapd, sta, sta->addr, 2102 WLAN_REASON_PREV_AUTH_NOT_VALID); 2103 } 2104 } 2105 2106 2107 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 2108 { 2109 struct eapol_authenticator *eapol = hapd->eapol_auth; 2110 2111 if (hapd->conf->default_wep_key_len < 1) 2112 return 0; 2113 2114 os_free(eapol->default_wep_key); 2115 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 2116 if (eapol->default_wep_key == NULL || 2117 random_get_bytes(eapol->default_wep_key, 2118 hapd->conf->default_wep_key_len)) { 2119 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 2120 os_free(eapol->default_wep_key); 2121 eapol->default_wep_key = NULL; 2122 return -1; 2123 } 2124 2125 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 2126 eapol->default_wep_key, 2127 hapd->conf->default_wep_key_len); 2128 2129 return 0; 2130 } 2131 2132 2133 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 2134 struct sta_info *sta, void *ctx) 2135 { 2136 if (sta->eapol_sm) { 2137 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 2138 eapol_auth_step(sta->eapol_sm); 2139 } 2140 return 0; 2141 } 2142 2143 2144 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 2145 { 2146 struct hostapd_data *hapd = eloop_ctx; 2147 struct eapol_authenticator *eapol = hapd->eapol_auth; 2148 2149 if (eapol->default_wep_key_idx >= 3) 2150 eapol->default_wep_key_idx = 2151 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 2152 else 2153 eapol->default_wep_key_idx++; 2154 2155 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 2156 eapol->default_wep_key_idx); 2157 2158 if (ieee802_1x_rekey_broadcast(hapd)) { 2159 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2160 HOSTAPD_LEVEL_WARNING, "failed to generate a " 2161 "new broadcast key"); 2162 os_free(eapol->default_wep_key); 2163 eapol->default_wep_key = NULL; 2164 return; 2165 } 2166 2167 /* TODO: Could setup key for RX here, but change default TX keyid only 2168 * after new broadcast key has been sent to all stations. */ 2169 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 2170 broadcast_ether_addr, 2171 eapol->default_wep_key_idx, 1, NULL, 0, 2172 eapol->default_wep_key, 2173 hapd->conf->default_wep_key_len)) { 2174 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 2175 HOSTAPD_LEVEL_WARNING, "failed to configure a " 2176 "new broadcast key"); 2177 os_free(eapol->default_wep_key); 2178 eapol->default_wep_key = NULL; 2179 return; 2180 } 2181 2182 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 2183 2184 if (hapd->conf->wep_rekeying_period > 0) { 2185 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 2186 ieee802_1x_rekey, hapd, NULL); 2187 } 2188 } 2189 2190 2191 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 2192 const u8 *data, size_t datalen) 2193 { 2194 #ifdef CONFIG_WPS 2195 struct sta_info *sta = sta_ctx; 2196 2197 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 2198 WLAN_STA_MAYBE_WPS) { 2199 const u8 *identity; 2200 size_t identity_len; 2201 struct eapol_state_machine *sm = sta->eapol_sm; 2202 2203 identity = eap_get_identity(sm->eap, &identity_len); 2204 if (identity && 2205 ((identity_len == WSC_ID_ENROLLEE_LEN && 2206 os_memcmp(identity, WSC_ID_ENROLLEE, 2207 WSC_ID_ENROLLEE_LEN) == 0) || 2208 (identity_len == WSC_ID_REGISTRAR_LEN && 2209 os_memcmp(identity, WSC_ID_REGISTRAR, 2210 WSC_ID_REGISTRAR_LEN) == 0))) { 2211 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 2212 "WLAN_STA_WPS"); 2213 sta->flags |= WLAN_STA_WPS; 2214 } 2215 } 2216 #endif /* CONFIG_WPS */ 2217 2218 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 2219 } 2220 2221 2222 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 2223 const u8 *data, size_t datalen) 2224 { 2225 #ifndef CONFIG_NO_RADIUS 2226 struct hostapd_data *hapd = ctx; 2227 struct sta_info *sta = sta_ctx; 2228 2229 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 2230 #endif /* CONFIG_NO_RADIUS */ 2231 } 2232 2233 2234 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 2235 int preauth, int remediation) 2236 { 2237 struct hostapd_data *hapd = ctx; 2238 struct sta_info *sta = sta_ctx; 2239 if (preauth) 2240 rsn_preauth_finished(hapd, sta, success); 2241 else 2242 ieee802_1x_finished(hapd, sta, success, remediation); 2243 } 2244 2245 2246 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 2247 size_t identity_len, int phase2, 2248 struct eap_user *user) 2249 { 2250 struct hostapd_data *hapd = ctx; 2251 const struct hostapd_eap_user *eap_user; 2252 int i; 2253 int rv = -1; 2254 2255 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 2256 if (eap_user == NULL) 2257 goto out; 2258 2259 os_memset(user, 0, sizeof(*user)); 2260 user->phase2 = phase2; 2261 for (i = 0; i < EAP_MAX_METHODS; i++) { 2262 user->methods[i].vendor = eap_user->methods[i].vendor; 2263 user->methods[i].method = eap_user->methods[i].method; 2264 } 2265 2266 if (eap_user->password) { 2267 user->password = os_memdup(eap_user->password, 2268 eap_user->password_len); 2269 if (user->password == NULL) 2270 goto out; 2271 user->password_len = eap_user->password_len; 2272 user->password_hash = eap_user->password_hash; 2273 if (eap_user->salt && eap_user->salt_len) { 2274 user->salt = os_memdup(eap_user->salt, 2275 eap_user->salt_len); 2276 if (!user->salt) 2277 goto out; 2278 user->salt_len = eap_user->salt_len; 2279 } 2280 } 2281 user->force_version = eap_user->force_version; 2282 user->macacl = eap_user->macacl; 2283 user->ttls_auth = eap_user->ttls_auth; 2284 user->remediation = eap_user->remediation; 2285 rv = 0; 2286 2287 out: 2288 if (rv) 2289 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 2290 2291 return rv; 2292 } 2293 2294 2295 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 2296 { 2297 struct hostapd_data *hapd = ctx; 2298 struct sta_info *sta; 2299 sta = ap_get_sta(hapd, addr); 2300 if (sta == NULL || sta->eapol_sm == NULL) 2301 return 0; 2302 return 1; 2303 } 2304 2305 2306 static void ieee802_1x_logger(void *ctx, const u8 *addr, 2307 eapol_logger_level level, const char *txt) 2308 { 2309 #ifndef CONFIG_NO_HOSTAPD_LOGGER 2310 struct hostapd_data *hapd = ctx; 2311 int hlevel; 2312 2313 switch (level) { 2314 case EAPOL_LOGGER_WARNING: 2315 hlevel = HOSTAPD_LEVEL_WARNING; 2316 break; 2317 case EAPOL_LOGGER_INFO: 2318 hlevel = HOSTAPD_LEVEL_INFO; 2319 break; 2320 case EAPOL_LOGGER_DEBUG: 2321 default: 2322 hlevel = HOSTAPD_LEVEL_DEBUG; 2323 break; 2324 } 2325 2326 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2327 txt); 2328 #endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2329 } 2330 2331 2332 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2333 int authorized) 2334 { 2335 struct hostapd_data *hapd = ctx; 2336 struct sta_info *sta = sta_ctx; 2337 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2338 } 2339 2340 2341 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2342 { 2343 struct hostapd_data *hapd = ctx; 2344 struct sta_info *sta = sta_ctx; 2345 ieee802_1x_abort_auth(hapd, sta); 2346 } 2347 2348 2349 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2350 { 2351 #ifndef CONFIG_FIPS 2352 #ifndef CONFIG_NO_RC4 2353 struct hostapd_data *hapd = ctx; 2354 struct sta_info *sta = sta_ctx; 2355 ieee802_1x_tx_key(hapd, sta); 2356 #endif /* CONFIG_NO_RC4 */ 2357 #endif /* CONFIG_FIPS */ 2358 } 2359 2360 2361 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2362 enum eapol_event type) 2363 { 2364 /* struct hostapd_data *hapd = ctx; */ 2365 struct sta_info *sta = sta_ctx; 2366 switch (type) { 2367 case EAPOL_AUTH_SM_CHANGE: 2368 wpa_auth_sm_notify(sta->wpa_sm); 2369 break; 2370 case EAPOL_AUTH_REAUTHENTICATE: 2371 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2372 break; 2373 } 2374 } 2375 2376 2377 #ifdef CONFIG_ERP 2378 2379 static struct eap_server_erp_key * 2380 ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2381 { 2382 struct hostapd_data *hapd = ctx; 2383 struct eap_server_erp_key *erp; 2384 2385 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2386 list) { 2387 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2388 return erp; 2389 } 2390 2391 return NULL; 2392 } 2393 2394 2395 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2396 { 2397 struct hostapd_data *hapd = ctx; 2398 2399 dl_list_add(&hapd->erp_keys, &erp->list); 2400 return 0; 2401 } 2402 2403 #endif /* CONFIG_ERP */ 2404 2405 2406 int ieee802_1x_init(struct hostapd_data *hapd) 2407 { 2408 int i; 2409 struct eapol_auth_config conf; 2410 struct eapol_auth_cb cb; 2411 2412 dl_list_init(&hapd->erp_keys); 2413 2414 os_memset(&conf, 0, sizeof(conf)); 2415 conf.ctx = hapd; 2416 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2417 conf.wpa = hapd->conf->wpa; 2418 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2419 conf.eap_server = hapd->conf->eap_server; 2420 conf.ssl_ctx = hapd->ssl_ctx; 2421 conf.msg_ctx = hapd->msg_ctx; 2422 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2423 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2424 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2425 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2426 conf.erp_domain = hapd->conf->erp_domain; 2427 conf.erp = hapd->conf->eap_server_erp; 2428 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2429 conf.tls_flags = hapd->conf->tls_flags; 2430 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2431 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2432 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2433 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2434 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2435 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2436 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2437 conf.eap_teap_auth = hapd->conf->eap_teap_auth; 2438 conf.eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner; 2439 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2440 conf.eap_sim_id = hapd->conf->eap_sim_id; 2441 conf.tnc = hapd->conf->tnc; 2442 conf.wps = hapd->wps; 2443 conf.fragment_size = hapd->conf->fragment_size; 2444 conf.pwd_group = hapd->conf->pwd_group; 2445 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2446 if (hapd->conf->server_id) { 2447 conf.server_id = (const u8 *) hapd->conf->server_id; 2448 conf.server_id_len = os_strlen(hapd->conf->server_id); 2449 } else { 2450 conf.server_id = (const u8 *) "hostapd"; 2451 conf.server_id_len = 7; 2452 } 2453 2454 os_memset(&cb, 0, sizeof(cb)); 2455 cb.eapol_send = ieee802_1x_eapol_send; 2456 cb.aaa_send = ieee802_1x_aaa_send; 2457 cb.finished = _ieee802_1x_finished; 2458 cb.get_eap_user = ieee802_1x_get_eap_user; 2459 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2460 cb.logger = ieee802_1x_logger; 2461 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2462 cb.abort_auth = _ieee802_1x_abort_auth; 2463 cb.tx_key = _ieee802_1x_tx_key; 2464 cb.eapol_event = ieee802_1x_eapol_event; 2465 #ifdef CONFIG_ERP 2466 cb.erp_get_key = ieee802_1x_erp_get_key; 2467 cb.erp_add_key = ieee802_1x_erp_add_key; 2468 #endif /* CONFIG_ERP */ 2469 2470 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2471 if (hapd->eapol_auth == NULL) 2472 return -1; 2473 2474 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2475 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2476 return -1; 2477 2478 #ifndef CONFIG_NO_RADIUS 2479 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2480 ieee802_1x_receive_auth, hapd)) 2481 return -1; 2482 #endif /* CONFIG_NO_RADIUS */ 2483 2484 if (hapd->conf->default_wep_key_len) { 2485 for (i = 0; i < 4; i++) 2486 hostapd_drv_set_key(hapd->conf->iface, hapd, 2487 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2488 NULL, 0); 2489 2490 ieee802_1x_rekey(hapd, NULL); 2491 2492 if (hapd->eapol_auth->default_wep_key == NULL) 2493 return -1; 2494 } 2495 2496 return 0; 2497 } 2498 2499 2500 void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2501 { 2502 struct eap_server_erp_key *erp; 2503 2504 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2505 list)) != NULL) { 2506 dl_list_del(&erp->list); 2507 bin_clear_free(erp, sizeof(*erp)); 2508 } 2509 } 2510 2511 2512 void ieee802_1x_deinit(struct hostapd_data *hapd) 2513 { 2514 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2515 2516 if (hapd->driver && hapd->drv_priv && 2517 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2518 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2519 2520 eapol_auth_deinit(hapd->eapol_auth); 2521 hapd->eapol_auth = NULL; 2522 2523 ieee802_1x_erp_flush(hapd); 2524 } 2525 2526 2527 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2528 const u8 *buf, size_t len, int ack) 2529 { 2530 struct ieee80211_hdr *hdr; 2531 u8 *pos; 2532 const unsigned char rfc1042_hdr[ETH_ALEN] = 2533 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2534 2535 if (sta == NULL) 2536 return -1; 2537 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2538 return 0; 2539 2540 hdr = (struct ieee80211_hdr *) buf; 2541 pos = (u8 *) (hdr + 1); 2542 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2543 return 0; 2544 pos += sizeof(rfc1042_hdr); 2545 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2546 return 0; 2547 pos += 2; 2548 2549 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2550 ack); 2551 } 2552 2553 2554 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2555 const u8 *buf, int len, int ack) 2556 { 2557 const struct ieee802_1x_hdr *xhdr = 2558 (const struct ieee802_1x_hdr *) buf; 2559 const u8 *pos = buf + sizeof(*xhdr); 2560 struct ieee802_1x_eapol_key *key; 2561 2562 if (len < (int) sizeof(*xhdr)) 2563 return 0; 2564 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2565 "type=%d length=%d - ack=%d", 2566 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2567 be_to_host16(xhdr->length), ack); 2568 2569 #ifdef CONFIG_WPS 2570 if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack && 2571 (sta->flags & WLAN_STA_WPS) && 2572 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) { 2573 wpa_printf(MSG_DEBUG, 2574 "WPS: Indicate EAP completion on ACK for EAP-Failure"); 2575 hostapd_wps_eap_completed(hapd); 2576 } 2577 #endif /* CONFIG_WPS */ 2578 2579 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2580 return 0; 2581 2582 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2583 const struct wpa_eapol_key *wpa; 2584 wpa = (const struct wpa_eapol_key *) pos; 2585 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2586 wpa->type == EAPOL_KEY_TYPE_WPA) 2587 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2588 sta->wpa_sm, ack); 2589 } 2590 2591 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2592 * or Authenticator state machines, but EAPOL-Key packets are not 2593 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2594 * packets couple of times because otherwise STA keys become 2595 * unsynchronized with AP. */ 2596 if (!ack && pos + sizeof(*key) <= buf + len) { 2597 key = (struct ieee802_1x_eapol_key *) pos; 2598 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2599 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2600 "frame (%scast index=%d)", 2601 key->key_index & BIT(7) ? "uni" : "broad", 2602 key->key_index & ~BIT(7)); 2603 /* TODO: re-send EAPOL-Key couple of times (with short delay 2604 * between them?). If all attempt fail, report error and 2605 * deauthenticate STA so that it will get new keys when 2606 * authenticating again (e.g., after returning in range). 2607 * Separate limit/transmit state needed both for unicast and 2608 * broadcast keys(?) */ 2609 } 2610 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2611 * to here and change the key only if the EAPOL-Key packet was Acked. 2612 */ 2613 2614 return 1; 2615 } 2616 2617 2618 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2619 { 2620 if (sm == NULL || sm->identity == NULL) 2621 return NULL; 2622 2623 *len = sm->identity_len; 2624 return sm->identity; 2625 } 2626 2627 2628 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2629 int idx) 2630 { 2631 if (sm == NULL || sm->radius_class.attr == NULL || 2632 idx >= (int) sm->radius_class.count) 2633 return NULL; 2634 2635 *len = sm->radius_class.attr[idx].len; 2636 return sm->radius_class.attr[idx].data; 2637 } 2638 2639 2640 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2641 { 2642 if (sm == NULL) 2643 return NULL; 2644 return sm->radius_cui; 2645 } 2646 2647 2648 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2649 { 2650 *len = 0; 2651 if (sm == NULL) 2652 return NULL; 2653 2654 *len = sm->eap_if->eapKeyDataLen; 2655 return sm->eap_if->eapKeyData; 2656 } 2657 2658 2659 #ifdef CONFIG_MACSEC 2660 const u8 * ieee802_1x_get_session_id(struct eapol_state_machine *sm, 2661 size_t *len) 2662 { 2663 *len = 0; 2664 if (!sm || !sm->eap_if) 2665 return NULL; 2666 2667 *len = sm->eap_if->eapSessionIdLen; 2668 return sm->eap_if->eapSessionId; 2669 } 2670 #endif /* CONFIG_MACSEC */ 2671 2672 2673 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2674 int enabled) 2675 { 2676 if (sm == NULL) 2677 return; 2678 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2679 eapol_auth_step(sm); 2680 } 2681 2682 2683 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2684 int valid) 2685 { 2686 if (sm == NULL) 2687 return; 2688 sm->portValid = valid ? TRUE : FALSE; 2689 eapol_auth_step(sm); 2690 } 2691 2692 2693 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2694 { 2695 if (sm == NULL) 2696 return; 2697 if (pre_auth) 2698 sm->flags |= EAPOL_SM_PREAUTH; 2699 else 2700 sm->flags &= ~EAPOL_SM_PREAUTH; 2701 } 2702 2703 2704 static const char * bool_txt(Boolean val) 2705 { 2706 return val ? "TRUE" : "FALSE"; 2707 } 2708 2709 2710 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2711 { 2712 /* TODO */ 2713 return 0; 2714 } 2715 2716 2717 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2718 char *buf, size_t buflen) 2719 { 2720 int len = 0, ret; 2721 struct eapol_state_machine *sm = sta->eapol_sm; 2722 struct os_reltime diff; 2723 const char *name1; 2724 const char *name2; 2725 char *identity_buf = NULL; 2726 2727 if (sm == NULL) 2728 return 0; 2729 2730 ret = os_snprintf(buf + len, buflen - len, 2731 "dot1xPaePortNumber=%d\n" 2732 "dot1xPaePortProtocolVersion=%d\n" 2733 "dot1xPaePortCapabilities=1\n" 2734 "dot1xPaePortInitialize=%d\n" 2735 "dot1xPaePortReauthenticate=FALSE\n", 2736 sta->aid, 2737 EAPOL_VERSION, 2738 sm->initialize); 2739 if (os_snprintf_error(buflen - len, ret)) 2740 return len; 2741 len += ret; 2742 2743 /* dot1xAuthConfigTable */ 2744 ret = os_snprintf(buf + len, buflen - len, 2745 "dot1xAuthPaeState=%d\n" 2746 "dot1xAuthBackendAuthState=%d\n" 2747 "dot1xAuthAdminControlledDirections=%d\n" 2748 "dot1xAuthOperControlledDirections=%d\n" 2749 "dot1xAuthAuthControlledPortStatus=%d\n" 2750 "dot1xAuthAuthControlledPortControl=%d\n" 2751 "dot1xAuthQuietPeriod=%u\n" 2752 "dot1xAuthServerTimeout=%u\n" 2753 "dot1xAuthReAuthPeriod=%u\n" 2754 "dot1xAuthReAuthEnabled=%s\n" 2755 "dot1xAuthKeyTxEnabled=%s\n", 2756 sm->auth_pae_state + 1, 2757 sm->be_auth_state + 1, 2758 sm->adminControlledDirections, 2759 sm->operControlledDirections, 2760 sm->authPortStatus, 2761 sm->portControl, 2762 sm->quietPeriod, 2763 sm->serverTimeout, 2764 sm->reAuthPeriod, 2765 bool_txt(sm->reAuthEnabled), 2766 bool_txt(sm->keyTxEnabled)); 2767 if (os_snprintf_error(buflen - len, ret)) 2768 return len; 2769 len += ret; 2770 2771 /* dot1xAuthStatsTable */ 2772 ret = os_snprintf(buf + len, buflen - len, 2773 "dot1xAuthEapolFramesRx=%u\n" 2774 "dot1xAuthEapolFramesTx=%u\n" 2775 "dot1xAuthEapolStartFramesRx=%u\n" 2776 "dot1xAuthEapolLogoffFramesRx=%u\n" 2777 "dot1xAuthEapolRespIdFramesRx=%u\n" 2778 "dot1xAuthEapolRespFramesRx=%u\n" 2779 "dot1xAuthEapolReqIdFramesTx=%u\n" 2780 "dot1xAuthEapolReqFramesTx=%u\n" 2781 "dot1xAuthInvalidEapolFramesRx=%u\n" 2782 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2783 "dot1xAuthLastEapolFrameVersion=%u\n" 2784 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2785 sm->dot1xAuthEapolFramesRx, 2786 sm->dot1xAuthEapolFramesTx, 2787 sm->dot1xAuthEapolStartFramesRx, 2788 sm->dot1xAuthEapolLogoffFramesRx, 2789 sm->dot1xAuthEapolRespIdFramesRx, 2790 sm->dot1xAuthEapolRespFramesRx, 2791 sm->dot1xAuthEapolReqIdFramesTx, 2792 sm->dot1xAuthEapolReqFramesTx, 2793 sm->dot1xAuthInvalidEapolFramesRx, 2794 sm->dot1xAuthEapLengthErrorFramesRx, 2795 sm->dot1xAuthLastEapolFrameVersion, 2796 MAC2STR(sm->addr)); 2797 if (os_snprintf_error(buflen - len, ret)) 2798 return len; 2799 len += ret; 2800 2801 /* dot1xAuthDiagTable */ 2802 ret = os_snprintf(buf + len, buflen - len, 2803 "dot1xAuthEntersConnecting=%u\n" 2804 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2805 "dot1xAuthEntersAuthenticating=%u\n" 2806 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2807 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2808 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2809 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2810 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2811 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2812 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2813 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2814 "dot1xAuthBackendResponses=%u\n" 2815 "dot1xAuthBackendAccessChallenges=%u\n" 2816 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2817 "dot1xAuthBackendAuthSuccesses=%u\n" 2818 "dot1xAuthBackendAuthFails=%u\n", 2819 sm->authEntersConnecting, 2820 sm->authEapLogoffsWhileConnecting, 2821 sm->authEntersAuthenticating, 2822 sm->authAuthSuccessesWhileAuthenticating, 2823 sm->authAuthTimeoutsWhileAuthenticating, 2824 sm->authAuthFailWhileAuthenticating, 2825 sm->authAuthEapStartsWhileAuthenticating, 2826 sm->authAuthEapLogoffWhileAuthenticating, 2827 sm->authAuthReauthsWhileAuthenticated, 2828 sm->authAuthEapStartsWhileAuthenticated, 2829 sm->authAuthEapLogoffWhileAuthenticated, 2830 sm->backendResponses, 2831 sm->backendAccessChallenges, 2832 sm->backendOtherRequestsToSupplicant, 2833 sm->backendAuthSuccesses, 2834 sm->backendAuthFails); 2835 if (os_snprintf_error(buflen - len, ret)) 2836 return len; 2837 len += ret; 2838 2839 /* dot1xAuthSessionStatsTable */ 2840 os_reltime_age(&sta->acct_session_start, &diff); 2841 if (sm->eap && !sm->identity) { 2842 const u8 *id; 2843 size_t id_len; 2844 2845 id = eap_get_identity(sm->eap, &id_len); 2846 if (id) 2847 identity_buf = dup_binstr(id, id_len); 2848 } 2849 ret = os_snprintf(buf + len, buflen - len, 2850 /* TODO: dot1xAuthSessionOctetsRx */ 2851 /* TODO: dot1xAuthSessionOctetsTx */ 2852 /* TODO: dot1xAuthSessionFramesRx */ 2853 /* TODO: dot1xAuthSessionFramesTx */ 2854 "dot1xAuthSessionId=%016llX\n" 2855 "dot1xAuthSessionAuthenticMethod=%d\n" 2856 "dot1xAuthSessionTime=%u\n" 2857 "dot1xAuthSessionTerminateCause=999\n" 2858 "dot1xAuthSessionUserName=%s\n", 2859 (unsigned long long) sta->acct_session_id, 2860 (wpa_key_mgmt_wpa_ieee8021x( 2861 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2862 1 : 2, 2863 (unsigned int) diff.sec, 2864 sm->identity ? (char *) sm->identity : 2865 (identity_buf ? identity_buf : "N/A")); 2866 os_free(identity_buf); 2867 if (os_snprintf_error(buflen - len, ret)) 2868 return len; 2869 len += ret; 2870 2871 if (sm->acct_multi_session_id) { 2872 ret = os_snprintf(buf + len, buflen - len, 2873 "authMultiSessionId=%016llX\n", 2874 (unsigned long long) 2875 sm->acct_multi_session_id); 2876 if (os_snprintf_error(buflen - len, ret)) 2877 return len; 2878 len += ret; 2879 } 2880 2881 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2882 name2 = eap_server_get_name(0, sm->eap_type_supp); 2883 ret = os_snprintf(buf + len, buflen - len, 2884 "last_eap_type_as=%d (%s)\n" 2885 "last_eap_type_sta=%d (%s)\n", 2886 sm->eap_type_authsrv, name1, 2887 sm->eap_type_supp, name2); 2888 if (os_snprintf_error(buflen - len, ret)) 2889 return len; 2890 len += ret; 2891 2892 return len; 2893 } 2894 2895 2896 #ifdef CONFIG_HS20 2897 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) 2898 { 2899 struct hostapd_data *hapd = eloop_ctx; 2900 struct sta_info *sta = timeout_ctx; 2901 2902 if (sta->remediation) { 2903 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2904 MACSTR " to indicate Subscription Remediation", 2905 MAC2STR(sta->addr)); 2906 hs20_send_wnm_notification(hapd, sta->addr, 2907 sta->remediation_method, 2908 sta->remediation_url); 2909 os_free(sta->remediation_url); 2910 sta->remediation_url = NULL; 2911 } 2912 2913 if (sta->hs20_deauth_req) { 2914 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2915 MACSTR " to indicate imminent deauthentication", 2916 MAC2STR(sta->addr)); 2917 hs20_send_wnm_notification_deauth_req(hapd, sta->addr, 2918 sta->hs20_deauth_req); 2919 } 2920 2921 if (sta->hs20_t_c_filtering) { 2922 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " 2923 MACSTR " to indicate Terms and Conditions filtering", 2924 MAC2STR(sta->addr)); 2925 hs20_send_wnm_notification_t_c(hapd, sta->addr, sta->t_c_url); 2926 os_free(sta->t_c_url); 2927 sta->t_c_url = NULL; 2928 } 2929 } 2930 #endif /* CONFIG_HS20 */ 2931 2932 2933 static void ieee802_1x_finished(struct hostapd_data *hapd, 2934 struct sta_info *sta, int success, 2935 int remediation) 2936 { 2937 const u8 *key; 2938 size_t len; 2939 /* TODO: get PMKLifetime from WPA parameters */ 2940 static const int dot11RSNAConfigPMKLifetime = 43200; 2941 unsigned int session_timeout; 2942 struct os_reltime now, remaining; 2943 2944 #ifdef CONFIG_HS20 2945 if (remediation && !sta->remediation) { 2946 sta->remediation = 1; 2947 os_free(sta->remediation_url); 2948 sta->remediation_url = 2949 os_strdup(hapd->conf->subscr_remediation_url); 2950 sta->remediation_method = 1; /* SOAP-XML SPP */ 2951 } 2952 2953 if (success && (sta->remediation || sta->hs20_deauth_req || 2954 sta->hs20_t_c_filtering)) { 2955 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " 2956 MACSTR " in 100 ms", MAC2STR(sta->addr)); 2957 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); 2958 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, 2959 hapd, sta); 2960 } 2961 #endif /* CONFIG_HS20 */ 2962 2963 #ifdef CONFIG_MACSEC 2964 ieee802_1x_notify_create_actor_hapd(hapd, sta); 2965 #endif /* CONFIG_MACSEC */ 2966 2967 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2968 if (sta->session_timeout_set) { 2969 os_get_reltime(&now); 2970 os_reltime_sub(&sta->session_timeout, &now, &remaining); 2971 session_timeout = (remaining.sec > 0) ? remaining.sec : 1; 2972 } else { 2973 session_timeout = dot11RSNAConfigPMKLifetime; 2974 } 2975 if (success && key && len >= PMK_LEN && !sta->remediation && 2976 !sta->hs20_deauth_requested && 2977 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, 2978 sta->eapol_sm) == 0) { 2979 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2980 HOSTAPD_LEVEL_DEBUG, 2981 "Added PMKSA cache entry (IEEE 802.1X)"); 2982 } 2983 2984 if (!success) { 2985 /* 2986 * Many devices require deauthentication after WPS provisioning 2987 * and some may not be be able to do that themselves, so 2988 * disconnect the client here. In addition, this may also 2989 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2990 * the EAPOL PAE state machine would remain in HELD state for 2991 * considerable amount of time and some EAP methods, like 2992 * EAP-FAST with anonymous provisioning, may require another 2993 * EAPOL authentication to be started to complete connection. 2994 */ 2995 ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta); 2996 } 2997 } 2998