Context Navigation

source: src/router/hostapd-wps/src/ap/ieee802_1x.c @ 17829

Last change on this file since 17829 was 17829, checked in by chris, 19 months ago
hostapd/pppd/rp-pppoe/rt2860apd needed fixes for new qos
File size: 60.4 KB

Line
1	/*
2	* hostapd / IEEE 802.1X-2004 Authenticator
3	* Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi>
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.
8	*
9	* Alternatively, this software may be distributed under the terms of BSD
10	* license.
11	*
12	* See README and COPYING for more details.
13	*/
14
15	#include "utils/includes.h"
16
17	#include "utils/common.h"
18	#include "utils/eloop.h"
19	#include "crypto/md5.h"
20	#include "crypto/crypto.h"
21	#include "crypto/random.h"
22	#include "common/ieee802_11_defs.h"
23	#include "common/wpa_ctrl.h"
24	#include "radius/radius.h"
25	#include "radius/radius_client.h"
26	#include "eap_server/eap.h"
27	#include "eap_common/eap_wsc_common.h"
28	#include "eapol_auth/eapol_auth_sm.h"
29	#include "eapol_auth/eapol_auth_sm_i.h"
30	#include "hostapd.h"
31	#include "accounting.h"
32	#include "sta_info.h"
33	#include "wpa_auth.h"
34	#include "preauth_auth.h"
35	#include "pmksa_cache_auth.h"
36	#include "ap_config.h"
37	#include "ap_drv_ops.h"
38	#include "ieee802_1x.h"
39
40
41	static void ieee802_1x_finished(struct hostapd_data *hapd,
42	struct sta_info *sta, int success);
43
44
45	static void ieee802_1x_send(struct hostapd_data hapd, struct sta_info sta,
46	u8 type, const u8 *data, size_t datalen)
47	{
48	u8 *buf;
49	struct ieee802_1x_hdr *xhdr;
50	size_t len;
51	int encrypt = 0;
52
53	len = sizeof(*xhdr) + datalen;
54	buf = os_zalloc(len);
55	if (buf == NULL) {
56	wpa_printf(MSG_ERROR, "malloc() failed for "
57	"ieee802_1x_send(len=%lu)",
58	(unsigned long) len);
59	return;
60	}
61
62	xhdr = (struct ieee802_1x_hdr *) buf;
63	xhdr->version = hapd->conf->eapol_version;
64	xhdr->type = type;
65	xhdr->length = host_to_be16(datalen);
66
67	if (datalen > 0 && data != NULL)
68	os_memcpy(xhdr + 1, data, datalen);
69
70	if (wpa_auth_pairwise_set(sta->wpa_sm))
71	encrypt = 1;
72	if (sta->flags & WLAN_STA_PREAUTH) {
73	rsn_preauth_send(hapd, sta, buf, len);
74	} else {
75	hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len,
76	encrypt, sta->flags);
77	}
78
79	os_free(buf);
80	}
81
82
83	void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
84	struct sta_info *sta, int authorized)
85	{
86	int res;
87
88	if (sta->flags & WLAN_STA_PREAUTH)
89	return;
90
91	if (authorized) {
92	if (!ap_sta_is_authorized(sta))
93	wpa_msg(hapd->msg_ctx, MSG_INFO,
94	AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr));
95	ap_sta_set_authorized(hapd, sta, 1);
96	res = hostapd_set_authorized(hapd, sta, 1);
97	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
98	HOSTAPD_LEVEL_DEBUG, "authorizing port");
99	} else {
100	if (ap_sta_is_authorized(sta) && (sta->flags & WLAN_STA_ASSOC))
101	wpa_msg(hapd->msg_ctx, MSG_INFO,
102	AP_STA_DISCONNECTED MACSTR,
103	MAC2STR(sta->addr));
104	ap_sta_set_authorized(hapd, sta, 0);
105	res = hostapd_set_authorized(hapd, sta, 0);
106	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
107	HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
108	}
109
110	if (res && errno != ENOENT) {
111	printf("Could not set station " MACSTR " flags for kernel "
112	"driver (errno=%d).\n", MAC2STR(sta->addr), errno);
113	}
114
115	if (authorized)
116	accounting_sta_start(hapd, sta);
117	}
118
119
120	static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
121	struct sta_info *sta,
122	int idx, int broadcast,
123	u8 *key_data, size_t key_len)
124	{
125	u8 buf, ekey;
126	struct ieee802_1x_hdr *hdr;
127	struct ieee802_1x_eapol_key *key;
128	size_t len, ekey_len;
129	struct eapol_state_machine *sm = sta->eapol_sm;
130
131	if (sm == NULL)
132	return;
133
134	len = sizeof(*key) + key_len;
135	buf = os_zalloc(sizeof(*hdr) + len);
136	if (buf == NULL)
137	return;
138
139	hdr = (struct ieee802_1x_hdr *) buf;
140	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
141	key->type = EAPOL_KEY_TYPE_RC4;
142	key->key_length = htons(key_len);
143	wpa_get_ntp_timestamp(key->replay_counter);
144
145	if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) {
146	wpa_printf(MSG_ERROR, "Could not get random numbers");
147	os_free(buf);
148	return;
149	}
150
151	key->key_index = idx \| (broadcast ? 0 : BIT(7));
152	if (hapd->conf->eapol_key_index_workaround) {
153	/* According to some information, WinXP Supplicant seems to
154	* interpret bit7 as an indication whether the key is to be
155	* activated, so make it possible to enable workaround that
156	* sets this bit for all keys. */
157	key->key_index \|= BIT(7);
158	}
159
160	/* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
161	* MSK[32..63] is used to sign the message. */
162	if (sm->eap_if->eapKeyData == NULL \|\| sm->eap_if->eapKeyDataLen < 64) {
163	wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
164	"and signing EAPOL-Key");
165	os_free(buf);
166	return;
167	}
168	os_memcpy((u8 *) (key + 1), key_data, key_len);
169	ekey_len = sizeof(key->key_iv) + 32;
170	ekey = os_malloc(ekey_len);
171	if (ekey == NULL) {
172	wpa_printf(MSG_ERROR, "Could not encrypt key");
173	os_free(buf);
174	return;
175	}
176	os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
177	os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
178	rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
179	os_free(ekey);
180
181	/* This header is needed here for HMAC-MD5, but it will be regenerated
182	* in ieee802_1x_send() */
183	hdr->version = hapd->conf->eapol_version;
184	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
185	hdr->length = host_to_be16(len);
186	hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
187	key->key_signature);
188
189	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
190	" (%s index=%d)", MAC2STR(sm->addr),
191	broadcast ? "broadcast" : "unicast", idx);
192	ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
193	if (sta->eapol_sm)
194	sta->eapol_sm->dot1xAuthEapolFramesTx++;
195	os_free(buf);
196	}
197
198
199	#ifndef CONFIG_NO_VLAN
200	static struct hostapd_wep_keys *
201	ieee802_1x_group_alloc(struct hostapd_data hapd, const char ifname)
202	{
203	struct hostapd_wep_keys *key;
204
205	key = os_zalloc(sizeof(*key));
206	if (key == NULL)
207	return NULL;
208
209	key->default_len = hapd->conf->default_wep_key_len;
210
211	if (key->idx >= hapd->conf->broadcast_key_idx_max \|\|
212	key->idx < hapd->conf->broadcast_key_idx_min)
213	key->idx = hapd->conf->broadcast_key_idx_min;
214	else
215	key->idx++;
216
217	if (!key->key[key->idx])
218	key->key[key->idx] = os_malloc(key->default_len);
219	if (key->key[key->idx] == NULL \|\|
220	random_get_bytes(key->key[key->idx], key->default_len)) {
221	printf("Could not generate random WEP key (dynamic VLAN).\n");
222	os_free(key->key[key->idx]);
223	key->key[key->idx] = NULL;
224	os_free(key);
225	return NULL;
226	}
227	key->len[key->idx] = key->default_len;
228
229	wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n",
230	ifname, key->idx);
231	wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)",
232	key->key[key->idx], key->len[key->idx]);
233
234	if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP,
235	broadcast_ether_addr, key->idx, 1,
236	NULL, 0, key->key[key->idx],
237	key->len[key->idx]))
238	printf("Could not set dynamic VLAN WEP encryption key.\n");
239
240	hostapd_set_drv_ieee8021x(hapd, ifname, 1);
241
242	return key;
243	}
244
245
246	static struct hostapd_wep_keys *
247	ieee802_1x_get_group(struct hostapd_data hapd, struct hostapd_ssid ssid,
248	size_t vlan_id)
249	{
250	const char *ifname;
251
252	if (vlan_id == 0)
253	return &ssid->wep;
254
255	if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys &&
256	ssid->dyn_vlan_keys[vlan_id])
257	return ssid->dyn_vlan_keys[vlan_id];
258
259	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group "
260	"state machine for VLAN ID %lu",
261	(unsigned long) vlan_id);
262
263	ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id);
264	if (ifname == NULL) {
265	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - "
266	"cannot create group key state machine",
267	(unsigned long) vlan_id);
268	return NULL;
269	}
270
271	if (ssid->dyn_vlan_keys == NULL) {
272	int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
273	ssid->dyn_vlan_keys = os_zalloc(size);
274	if (ssid->dyn_vlan_keys == NULL)
275	return NULL;
276	ssid->max_dyn_vlan_keys = vlan_id;
277	}
278
279	if (ssid->max_dyn_vlan_keys < vlan_id) {
280	struct hostapd_wep_keys **na;
281	int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
282	na = os_realloc(ssid->dyn_vlan_keys, size);
283	if (na == NULL)
284	return NULL;
285	ssid->dyn_vlan_keys = na;
286	os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0,
287	(vlan_id - ssid->max_dyn_vlan_keys) *
288	sizeof(ssid->dyn_vlan_keys[0]));
289	ssid->max_dyn_vlan_keys = vlan_id;
290	}
291
292	ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname);
293
294	return ssid->dyn_vlan_keys[vlan_id];
295	}
296	#endif /* CONFIG_NO_VLAN */
297
298
299	void ieee802_1x_tx_key(struct hostapd_data hapd, struct sta_info sta)
300	{
301	struct eapol_authenticator *eapol = hapd->eapol_auth;
302	struct eapol_state_machine *sm = sta->eapol_sm;
303	#ifndef CONFIG_NO_VLAN
304	struct hostapd_wep_keys *key = NULL;
305	int vlan_id;
306	#endif /* CONFIG_NO_VLAN */
307
308	if (sm == NULL \|\| !sm->eap_if->eapKeyData)
309	return;
310
311	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
312	MAC2STR(sta->addr));
313
314	#ifndef CONFIG_NO_VLAN
315	vlan_id = sta->vlan_id;
316	if (vlan_id < 0 \|\| vlan_id > MAX_VLAN_ID)
317	vlan_id = 0;
318
319	if (vlan_id) {
320	key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id);
321	if (key && key->key[key->idx])
322	ieee802_1x_tx_key_one(hapd, sta, key->idx, 1,
323	key->key[key->idx],
324	key->len[key->idx]);
325	} else
326	#endif /* CONFIG_NO_VLAN */
327	if (eapol->default_wep_key) {
328	ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
329	eapol->default_wep_key,
330	hapd->conf->default_wep_key_len);
331	}
332
333	if (hapd->conf->individual_wep_key_len > 0) {
334	u8 *ikey;
335	ikey = os_malloc(hapd->conf->individual_wep_key_len);
336	if (ikey == NULL \|\|
337	random_get_bytes(ikey, hapd->conf->individual_wep_key_len))
338	{
339	wpa_printf(MSG_ERROR, "Could not generate random "
340	"individual WEP key.");
341	os_free(ikey);
342	return;
343	}
344
345	wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
346	ikey, hapd->conf->individual_wep_key_len);
347
348	ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
349	hapd->conf->individual_wep_key_len);
350
351	/* TODO: set encryption in TX callback, i.e., only after STA
352	* has ACKed EAPOL-Key frame */
353	if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
354	sta->addr, 0, 1, NULL, 0, ikey,
355	hapd->conf->individual_wep_key_len)) {
356	wpa_printf(MSG_ERROR, "Could not set individual WEP "
357	"encryption.");
358	}
359
360	os_free(ikey);
361	}
362	}
363
364
365	const char radius_mode_txt(struct hostapd_data hapd)
366	{
367	switch (hapd->iface->conf->hw_mode) {
368	case HOSTAPD_MODE_IEEE80211A:
369	return "802.11a";
370	case HOSTAPD_MODE_IEEE80211G:
371	return "802.11g";
372	case HOSTAPD_MODE_IEEE80211B:
373	default:
374	return "802.11b";
375	}
376	}
377
378
379	int radius_sta_rate(struct hostapd_data hapd, struct sta_info sta)
380	{
381	int i;
382	u8 rate = 0;
383
384	for (i = 0; i < sta->supported_rates_len; i++)
385	if ((sta->supported_rates[i] & 0x7f) > rate)
386	rate = sta->supported_rates[i] & 0x7f;
387
388	return rate;
389	}
390
391
392	#ifndef CONFIG_NO_RADIUS
393	static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
394	struct eapol_state_machine *sm,
395	const u8 *eap, size_t len)
396	{
397	const u8 *identity;
398	size_t identity_len;
399
400	if (len <= sizeof(struct eap_hdr) \|\|
401	eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY)
402	return;
403
404	identity = eap_get_identity(sm->eap, &identity_len);
405	if (identity == NULL)
406	return;
407
408	/* Save station identity for future RADIUS packets */
409	os_free(sm->identity);
410	sm->identity = os_malloc(identity_len + 1);
411	if (sm->identity == NULL) {
412	sm->identity_len = 0;
413	return;
414	}
415
416	os_memcpy(sm->identity, identity, identity_len);
417	sm->identity_len = identity_len;
418	sm->identity[identity_len] = '\0';
419	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
420	HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
421	sm->dot1xAuthEapolRespIdFramesRx++;
422	}
423
424
425	static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
426	struct sta_info *sta,
427	const u8 *eap, size_t len)
428	{
429	struct radius_msg *msg;
430	char buf[128];
431	struct eapol_state_machine *sm = sta->eapol_sm;
432
433	if (sm == NULL)
434	return;
435
436	ieee802_1x_learn_identity(hapd, sm, eap, len);
437
438	wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
439	"packet");
440
441	sm->radius_identifier = radius_client_get_id(hapd->radius);
442	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
443	sm->radius_identifier);
444	if (msg == NULL) {
445	printf("Could not create net RADIUS packet\n");
446	return;
447	}
448
449	radius_msg_make_authenticator(msg, (u8 ) sta, sizeof(sta));
450
451	if (sm->identity &&
452	!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
453	sm->identity, sm->identity_len)) {
454	printf("Could not add User-Name\n");
455	goto fail;
456	}
457
458	if (hapd->conf->own_ip_addr.af == AF_INET &&
459	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
460	(u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
461	printf("Could not add NAS-IP-Address\n");
462	goto fail;
463	}
464
465	#ifdef CONFIG_IPV6
466	if (hapd->conf->own_ip_addr.af == AF_INET6 &&
467	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
468	(u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
469	printf("Could not add NAS-IPv6-Address\n");
470	goto fail;
471	}
472	#endif /* CONFIG_IPV6 */
473
474	if (hapd->conf->nas_identifier &&
475	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
476	(u8 *) hapd->conf->nas_identifier,
477	os_strlen(hapd->conf->nas_identifier))) {
478	printf("Could not add NAS-Identifier\n");
479	goto fail;
480	}
481
482	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
483	printf("Could not add NAS-Port\n");
484	goto fail;
485	}
486
487	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
488	MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid);
489	buf[sizeof(buf) - 1] = '\0';
490	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
491	(u8 *) buf, os_strlen(buf))) {
492	printf("Could not add Called-Station-Id\n");
493	goto fail;
494	}
495
496	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
497	MAC2STR(sta->addr));
498	buf[sizeof(buf) - 1] = '\0';
499	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
500	(u8 *) buf, os_strlen(buf))) {
501	printf("Could not add Calling-Station-Id\n");
502	goto fail;
503	}
504
505	/* TODO: should probably check MTU from driver config; 2304 is max for
506	* IEEE 802.11, but use 1400 to avoid problems with too large packets
507	*/
508	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
509	printf("Could not add Framed-MTU\n");
510	goto fail;
511	}
512
513	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
514	RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
515	printf("Could not add NAS-Port-Type\n");
516	goto fail;
517	}
518
519	if (sta->flags & WLAN_STA_PREAUTH) {
520	os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
521	sizeof(buf));
522	} else {
523	os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
524	radius_sta_rate(hapd, sta) / 2,
525	(radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
526	radius_mode_txt(hapd));
527	buf[sizeof(buf) - 1] = '\0';
528	}
529	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
530	(u8 *) buf, os_strlen(buf))) {
531	printf("Could not add Connect-Info\n");
532	goto fail;
533	}
534
535	if (eap && !radius_msg_add_eap(msg, eap, len)) {
536	printf("Could not add EAP-Message\n");
537	goto fail;
538	}
539
540	/* State attribute must be copied if and only if this packet is
541	* Access-Request reply to the previous Access-Challenge */
542	if (sm->last_recv_radius &&
543	radius_msg_get_hdr(sm->last_recv_radius)->code ==
544	RADIUS_CODE_ACCESS_CHALLENGE) {
545	int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
546	RADIUS_ATTR_STATE);
547	if (res < 0) {
548	printf("Could not copy State attribute from previous "
549	"Access-Challenge\n");
550	goto fail;
551	}
552	if (res > 0) {
553	wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
554	}
555	}
556
557	if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0)
558	goto fail;
559
560	return;
561
562	fail:
563	radius_msg_free(msg);
564	}
565	#endif /* CONFIG_NO_RADIUS */
566
567
568	static void handle_eap_response(struct hostapd_data *hapd,
569	struct sta_info sta, struct eap_hdr eap,
570	size_t len)
571	{
572	u8 type, *data;
573	struct eapol_state_machine *sm = sta->eapol_sm;
574	if (sm == NULL)
575	return;
576
577	data = (u8 *) (eap + 1);
578
579	if (len < sizeof(*eap) + 1) {
580	printf("handle_eap_response: too short response data\n");
581	return;
582	}
583
584	sm->eap_type_supp = type = data[0];
585
586	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
587	HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
588	"id=%d len=%d) from STA: EAP Response-%s (%d)",
589	eap->code, eap->identifier, be_to_host16(eap->length),
590	eap_server_get_name(0, type), type);
591
592	sm->dot1xAuthEapolRespFramesRx++;
593
594	wpabuf_free(sm->eap_if->eapRespData);
595	sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
596	sm->eapolEap = TRUE;
597	}
598
599
600	/* Process incoming EAP packet from Supplicant */
601	static void handle_eap(struct hostapd_data hapd, struct sta_info sta,
602	u8 *buf, size_t len)
603	{
604	struct eap_hdr *eap;
605	u16 eap_len;
606
607	if (len < sizeof(*eap)) {
608	printf(" too short EAP packet\n");
609	return;
610	}
611
612	eap = (struct eap_hdr *) buf;
613
614	eap_len = be_to_host16(eap->length);
615	wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
616	eap->code, eap->identifier, eap_len);
617	if (eap_len < sizeof(*eap)) {
618	wpa_printf(MSG_DEBUG, " Invalid EAP length");
619	return;
620	} else if (eap_len > len) {
621	wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP "
622	"packet");
623	return;
624	} else if (eap_len < len) {
625	wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP "
626	"packet", (unsigned long) len - eap_len);
627	}
628
629	switch (eap->code) {
630	case EAP_CODE_REQUEST:
631	wpa_printf(MSG_DEBUG, " (request)");
632	return;
633	case EAP_CODE_RESPONSE:
634	wpa_printf(MSG_DEBUG, " (response)");
635	handle_eap_response(hapd, sta, eap, eap_len);
636	break;
637	case EAP_CODE_SUCCESS:
638	wpa_printf(MSG_DEBUG, " (success)");
639	return;
640	case EAP_CODE_FAILURE:
641	wpa_printf(MSG_DEBUG, " (failure)");
642	return;
643	default:
644	wpa_printf(MSG_DEBUG, " (unknown code)");
645	return;
646	}
647	}
648
649
650	static struct eapol_state_machine *
651	ieee802_1x_alloc_eapol_sm(struct hostapd_data hapd, struct sta_info sta)
652	{
653	int flags = 0;
654	if (sta->flags & WLAN_STA_PREAUTH)
655	flags \|= EAPOL_SM_PREAUTH;
656	if (sta->wpa_sm) {
657	flags \|= EAPOL_SM_USES_WPA;
658	if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
659	flags \|= EAPOL_SM_FROM_PMKSA_CACHE;
660	}
661	return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
662	sta->wps_ie, sta->p2p_ie, sta);
663	}
664
665
666	/**
667	* ieee802_1x_receive - Process the EAPOL frames from the Supplicant
668	* @hapd: hostapd BSS data
669	* @sa: Source address (sender of the EAPOL frame)
670	* @buf: EAPOL frame
671	* @len: Length of buf in octets
672	*
673	* This function is called for each incoming EAPOL frame from the interface
674	*/
675	void ieee802_1x_receive(struct hostapd_data hapd, const u8 sa, const u8 *buf,
676	size_t len)
677	{
678	struct sta_info *sta;
679	struct ieee802_1x_hdr *hdr;
680	struct ieee802_1x_eapol_key *key;
681	u16 datalen;
682	struct rsn_pmksa_cache_entry *pmksa;
683	int key_mgmt;
684
685	if (!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
686	!hapd->conf->wps_state)
687	return;
688
689	wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
690	(unsigned long) len, MAC2STR(sa));
691	sta = ap_get_sta(hapd, sa);
692	if (!sta \|\| !(sta->flags & (WLAN_STA_ASSOC \| WLAN_STA_PREAUTH))) {
693	wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
694	"associated/Pre-authenticating STA");
695	return;
696	}
697
698	if (len < sizeof(*hdr)) {
699	printf(" too short IEEE 802.1X packet\n");
700	return;
701	}
702
703	hdr = (struct ieee802_1x_hdr *) buf;
704	datalen = be_to_host16(hdr->length);
705	wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d",
706	hdr->version, hdr->type, datalen);
707
708	if (len - sizeof(*hdr) < datalen) {
709	printf(" frame too short for this IEEE 802.1X packet\n");
710	if (sta->eapol_sm)
711	sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
712	return;
713	}
714	if (len - sizeof(*hdr) > datalen) {
715	wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after "
716	"IEEE 802.1X packet",
717	(unsigned long) len - sizeof(*hdr) - datalen);
718	}
719
720	if (sta->eapol_sm) {
721	sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
722	sta->eapol_sm->dot1xAuthEapolFramesRx++;
723	}
724
725	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
726	if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
727	hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
728	(key->type == EAPOL_KEY_TYPE_WPA \|\|
729	key->type == EAPOL_KEY_TYPE_RSN)) {
730	wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
731	sizeof(*hdr) + datalen);
732	return;
733	}
734
735	if (!hapd->conf->ieee802_1x &&
736	!(sta->flags & (WLAN_STA_WPS \| WLAN_STA_MAYBE_WPS))) {
737	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
738	"802.1X not enabled and WPS not used");
739	return;
740	}
741
742	key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
743	if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
744	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
745	"STA is using PSK");
746	return;
747	}
748
749	if (!sta->eapol_sm) {
750	sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
751	if (!sta->eapol_sm)
752	return;
753
754	#ifdef CONFIG_WPS
755	if (!hapd->conf->ieee802_1x &&
756	((sta->flags & (WLAN_STA_WPS \| WLAN_STA_MAYBE_WPS)) ==
757	WLAN_STA_MAYBE_WPS)) {
758	/*
759	* Delay EAPOL frame transmission until a possible WPS
760	* STA initiates the handshake with EAPOL-Start.
761	*/
762	sta->eapol_sm->flags \|= EAPOL_SM_WAIT_START;
763	}
764	#endif /* CONFIG_WPS */
765
766	sta->eapol_sm->eap_if->portEnabled = TRUE;
767	}
768
769	/* since we support version 1, we can ignore version field and proceed
770	* as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
771	/* TODO: actually, we are not version 1 anymore.. However, Version 2
772	* does not change frame contents, so should be ok to process frames
773	* more or less identically. Some changes might be needed for
774	* verification of fields. */
775
776	switch (hdr->type) {
777	case IEEE802_1X_TYPE_EAP_PACKET:
778	handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
779	break;
780
781	case IEEE802_1X_TYPE_EAPOL_START:
782	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
783	HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
784	"from STA");
785	sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
786	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
787	if (pmksa) {
788	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
789	HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
790	"available - ignore it since "
791	"STA sent EAPOL-Start");
792	wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
793	}
794	sta->eapol_sm->eapolStart = TRUE;
795	sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
796	eap_server_clear_identity(sta->eapol_sm->eap);
797	wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
798	break;
799
800	case IEEE802_1X_TYPE_EAPOL_LOGOFF:
801	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
802	HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
803	"from STA");
804	sta->acct_terminate_cause =
805	RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
806	accounting_sta_stop(hapd, sta);
807	sta->eapol_sm->eapolLogoff = TRUE;
808	sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
809	eap_server_clear_identity(sta->eapol_sm->eap);
810	break;
811
812	case IEEE802_1X_TYPE_EAPOL_KEY:
813	wpa_printf(MSG_DEBUG, " EAPOL-Key");
814	if (!ap_sta_is_authorized(sta)) {
815	wpa_printf(MSG_DEBUG, " Dropped key data from "
816	"unauthorized Supplicant");
817	break;
818	}
819	break;
820
821	case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
822	wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert");
823	/* TODO: implement support for this; show data */
824	break;
825
826	default:
827	wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type");
828	sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
829	break;
830	}
831
832	eapol_auth_step(sta->eapol_sm);
833	}
834
835
836	/**
837	* ieee802_1x_new_station - Start IEEE 802.1X authentication
838	* @hapd: hostapd BSS data
839	* @sta: The station
840	*
841	* This function is called to start IEEE 802.1X authentication when a new
842	* station completes IEEE 802.11 association.
843	*/
844	void ieee802_1x_new_station(struct hostapd_data hapd, struct sta_info sta)
845	{
846	struct rsn_pmksa_cache_entry *pmksa;
847	int reassoc = 1;
848	int force_1x = 0;
849	int key_mgmt;
850
851	#ifdef CONFIG_WPS
852	if (hapd->conf->wps_state && hapd->conf->wpa &&
853	(sta->flags & (WLAN_STA_WPS \| WLAN_STA_MAYBE_WPS))) {
854	/*
855	* Need to enable IEEE 802.1X/EAPOL state machines for possible
856	* WPS handshake even if IEEE 802.1X/EAPOL is not used for
857	* authentication in this BSS.
858	*/
859	force_1x = 1;
860	}
861	#endif /* CONFIG_WPS */
862
863	if (!force_1x && !hapd->conf->ieee802_1x) {
864	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - "
865	"802.1X not enabled or forced for WPS");
866	return;
867	}
868
869	key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
870	if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
871	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
872	return;
873	}
874
875	if (sta->eapol_sm == NULL) {
876	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
877	HOSTAPD_LEVEL_DEBUG, "start authentication");
878	sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
879	if (sta->eapol_sm == NULL) {
880	hostapd_logger(hapd, sta->addr,
881	HOSTAPD_MODULE_IEEE8021X,
882	HOSTAPD_LEVEL_INFO,
883	"failed to allocate state machine");
884	return;
885	}
886	reassoc = 0;
887	}
888
889	#ifdef CONFIG_WPS
890	sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
891	if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) {
892	/*
893	* Delay EAPOL frame transmission until a possible WPS
894	* initiates the handshake with EAPOL-Start.
895	*/
896	sta->eapol_sm->flags \|= EAPOL_SM_WAIT_START;
897	}
898	#endif /* CONFIG_WPS */
899
900	sta->eapol_sm->eap_if->portEnabled = TRUE;
901
902	#ifdef CONFIG_IEEE80211R
903	if (sta->auth_alg == WLAN_AUTH_FT) {
904	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
905	HOSTAPD_LEVEL_DEBUG,
906	"PMK from FT - skip IEEE 802.1X/EAP");
907	/* Setup EAPOL state machines to already authenticated state
908	* because of existing FT information from R0KH. */
909	sta->eapol_sm->keyRun = TRUE;
910	sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
911	sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
912	sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
913	sta->eapol_sm->authSuccess = TRUE;
914	if (sta->eapol_sm->eap)
915	eap_sm_notify_cached(sta->eapol_sm->eap);
916	/* TODO: get vlan_id from R0KH using RRB message */
917	return;
918	}
919	#endif /* CONFIG_IEEE80211R */
920
921	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
922	if (pmksa) {
923	int old_vlanid;
924
925	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
926	HOSTAPD_LEVEL_DEBUG,
927	"PMK from PMKSA cache - skip IEEE 802.1X/EAP");
928	/* Setup EAPOL state machines to already authenticated state
929	* because of existing PMKSA information in the cache. */
930	sta->eapol_sm->keyRun = TRUE;
931	sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
932	sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
933	sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
934	sta->eapol_sm->authSuccess = TRUE;
935	if (sta->eapol_sm->eap)
936	eap_sm_notify_cached(sta->eapol_sm->eap);
937	old_vlanid = sta->vlan_id;
938	pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
939	if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
940	sta->vlan_id = 0;
941	ap_sta_bind_vlan(hapd, sta, old_vlanid);
942	} else {
943	if (reassoc) {
944	/*
945	* Force EAPOL state machines to start
946	* re-authentication without having to wait for the
947	* Supplicant to send EAPOL-Start.
948	*/
949	sta->eapol_sm->reAuthenticate = TRUE;
950	}
951	eapol_auth_step(sta->eapol_sm);
952	}
953	}
954
955
956	void ieee802_1x_free_station(struct sta_info *sta)
957	{
958	struct eapol_state_machine *sm = sta->eapol_sm;
959
960	if (sm == NULL)
961	return;
962
963	sta->eapol_sm = NULL;
964
965	#ifndef CONFIG_NO_RADIUS
966	radius_msg_free(sm->last_recv_radius);
967	radius_free_class(&sm->radius_class);
968	#endif /* CONFIG_NO_RADIUS */
969
970	os_free(sm->identity);
971	eapol_auth_free(sm);
972	}
973
974
975	#ifndef CONFIG_NO_RADIUS
976	static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
977	struct sta_info *sta)
978	{
979	u8 *eap;
980	size_t len;
981	struct eap_hdr *hdr;
982	int eap_type = -1;
983	char buf[64];
984	struct radius_msg *msg;
985	struct eapol_state_machine *sm = sta->eapol_sm;
986
987	if (sm == NULL \|\| sm->last_recv_radius == NULL) {
988	if (sm)
989	sm->eap_if->aaaEapNoReq = TRUE;
990	return;
991	}
992
993	msg = sm->last_recv_radius;
994
995	eap = radius_msg_get_eap(msg, &len);
996	if (eap == NULL) {
997	/* RFC 3579, Chap. 2.6.3:
998	* RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
999	* attribute */
1000	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1001	HOSTAPD_LEVEL_WARNING, "could not extract "
1002	"EAP-Message from RADIUS message");
1003	sm->eap_if->aaaEapNoReq = TRUE;
1004	return;
1005	}
1006
1007	if (len < sizeof(*hdr)) {
1008	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1009	HOSTAPD_LEVEL_WARNING, "too short EAP packet "
1010	"received from authentication server");
1011	os_free(eap);
1012	sm->eap_if->aaaEapNoReq = TRUE;
1013	return;
1014	}
1015
1016	if (len > sizeof(*hdr))
1017	eap_type = eap[sizeof(*hdr)];
1018
1019	hdr = (struct eap_hdr *) eap;
1020	switch (hdr->code) {
1021	case EAP_CODE_REQUEST:
1022	if (eap_type >= 0)
1023	sm->eap_type_authsrv = eap_type;
1024	os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
1025	eap_type >= 0 ? eap_server_get_name(0, eap_type) :
1026	"??",
1027	eap_type);
1028	break;
1029	case EAP_CODE_RESPONSE:
1030	os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
1031	eap_type >= 0 ? eap_server_get_name(0, eap_type) :
1032	"??",
1033	eap_type);
1034	break;
1035	case EAP_CODE_SUCCESS:
1036	os_strlcpy(buf, "EAP Success", sizeof(buf));
1037	break;
1038	case EAP_CODE_FAILURE:
1039	os_strlcpy(buf, "EAP Failure", sizeof(buf));
1040	break;
1041	default:
1042	os_strlcpy(buf, "unknown EAP code", sizeof(buf));
1043	break;
1044	}
1045	buf[sizeof(buf) - 1] = '\0';
1046	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1047	HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
1048	"id=%d len=%d) from RADIUS server: %s",
1049	hdr->code, hdr->identifier, be_to_host16(hdr->length),
1050	buf);
1051	sm->eap_if->aaaEapReq = TRUE;
1052
1053	wpabuf_free(sm->eap_if->aaaEapReqData);
1054	sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len);
1055	}
1056
1057
1058	static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1059	struct sta_info sta, struct radius_msg msg,
1060	struct radius_msg *req,
1061	const u8 *shared_secret,
1062	size_t shared_secret_len)
1063	{
1064	struct radius_ms_mppe_keys *keys;
1065	struct eapol_state_machine *sm = sta->eapol_sm;
1066	if (sm == NULL)
1067	return;
1068
1069	keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1070	shared_secret_len);
1071
1072	if (keys && keys->send && keys->recv) {
1073	size_t len = keys->send_len + keys->recv_len;
1074	wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1075	keys->send, keys->send_len);
1076	wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1077	keys->recv, keys->recv_len);
1078
1079	os_free(sm->eap_if->aaaEapKeyData);
1080	sm->eap_if->aaaEapKeyData = os_malloc(len);
1081	if (sm->eap_if->aaaEapKeyData) {
1082	os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1083	keys->recv_len);
1084	os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1085	keys->send, keys->send_len);
1086	sm->eap_if->aaaEapKeyDataLen = len;
1087	sm->eap_if->aaaEapKeyAvailable = TRUE;
1088	}
1089	}
1090
1091	if (keys) {
1092	os_free(keys->send);
1093	os_free(keys->recv);
1094	os_free(keys);
1095	}
1096	}
1097
1098
1099	static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1100	struct sta_info *sta,
1101	struct radius_msg *msg)
1102	{
1103	u8 *class;
1104	size_t class_len;
1105	struct eapol_state_machine *sm = sta->eapol_sm;
1106	int count, i;
1107	struct radius_attr_data *nclass;
1108	size_t nclass_count;
1109
1110	if (!hapd->conf->radius->acct_server \|\| hapd->radius == NULL \|\|
1111	sm == NULL)
1112	return;
1113
1114	radius_free_class(&sm->radius_class);
1115	count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1116	if (count <= 0)
1117	return;
1118
1119	nclass = os_zalloc(count * sizeof(struct radius_attr_data));
1120	if (nclass == NULL)
1121	return;
1122
1123	nclass_count = 0;
1124
1125	class = NULL;
1126	for (i = 0; i < count; i++) {
1127	do {
1128	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1129	&class, &class_len,
1130	class) < 0) {
1131	i = count;
1132	break;
1133	}
1134	} while (class_len < 1);
1135
1136	nclass[nclass_count].data = os_malloc(class_len);
1137	if (nclass[nclass_count].data == NULL)
1138	break;
1139
1140	os_memcpy(nclass[nclass_count].data, class, class_len);
1141	nclass[nclass_count].len = class_len;
1142	nclass_count++;
1143	}
1144
1145	sm->radius_class.attr = nclass;
1146	sm->radius_class.count = nclass_count;
1147	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
1148	"attributes for " MACSTR,
1149	(unsigned long) sm->radius_class.count,
1150	MAC2STR(sta->addr));
1151	}
1152
1153
1154	/* Update sta->identity based on User-Name attribute in Access-Accept */
1155	static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1156	struct sta_info *sta,
1157	struct radius_msg *msg)
1158	{
1159	u8 buf, identity;
1160	size_t len;
1161	struct eapol_state_machine *sm = sta->eapol_sm;
1162
1163	if (sm == NULL)
1164	return;
1165
1166	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1167	NULL) < 0)
1168	return;
1169
1170	identity = os_malloc(len + 1);
1171	if (identity == NULL)
1172	return;
1173
1174	os_memcpy(identity, buf, len);
1175	identity[len] = '\0';
1176
1177	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1178	HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
1179	"User-Name from Access-Accept '%s'",
1180	sm->identity ? (char *) sm->identity : "N/A",
1181	(char *) identity);
1182
1183	os_free(sm->identity);
1184	sm->identity = identity;
1185	sm->identity_len = len;
1186	}
1187
1188
1189	struct sta_id_search {
1190	u8 identifier;
1191	struct eapol_state_machine *sm;
1192	};
1193
1194
1195	static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1196	struct sta_info *sta,
1197	void *ctx)
1198	{
1199	struct sta_id_search *id_search = ctx;
1200	struct eapol_state_machine *sm = sta->eapol_sm;
1201
1202	if (sm && sm->radius_identifier >= 0 &&
1203	sm->radius_identifier == id_search->identifier) {
1204	id_search->sm = sm;
1205	return 1;
1206	}
1207	return 0;
1208	}
1209
1210
1211	static struct eapol_state_machine *
1212	ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1213	{
1214	struct sta_id_search id_search;
1215	id_search.identifier = identifier;
1216	id_search.sm = NULL;
1217	ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1218	return id_search.sm;
1219	}
1220
1221	#ifdef HAVE_AQOS
1222	extern void add_usermac( char mac, int idx, char upstream,
1223	char downstream, char lanstream );
1224	extern char nvram_safe_get(const char name);
1225
1226	int addrule(char mac, char upstream, char *downstream)
1227	{
1228	char *qos_mac = nvram_safe_get( "svqos_macs" );
1229	char *newqos;
1230	int ret = 0;
1231	int len = strlen(qos_mac);
1232
1233	newqos = malloc(len + 128);
1234	memset(newqos, 0, len + 128);
1235
1236	char level[32], level2[32], level3[32], data[32], type[32];
1237	strcpy(level3, "0");
1238	if (len > 0) {
1239	do {
1240	if(sscanf( qos_mac, "%31s %31s %31s %31s %31s \|", data, level, level2, type, level3) < 5)
1241	break;
1242	if (!strcasecmp(data,mac)) {
1243	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,data,upstream,downstream,"hostapd",level3);
1244	if (!strcmp(level,upstream) && !strcmp(level2,downstream))
1245	ret = 1;
1246	else
1247	ret = 2;
1248	} else
1249	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,data,level,level2,type,level3);
1250	} while( ( qos_mac = strpbrk( ++qos_mac, "\|" ) ) && qos_mac++ );
1251	}
1252
1253	if (!ret)
1254	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,mac,upstream,downstream,"hostapd",level3);
1255
1256	nvram_set("svqos_macs",newqos);
1257	free(newqos);
1258	}
1259
1260	#endif
1261
1262	/**
1263	* ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1264	* @msg: RADIUS response message
1265	* @req: RADIUS request message
1266	* @shared_secret: RADIUS shared secret
1267	* @shared_secret_len: Length of shared_secret in octets
1268	* @data: Context data (struct hostapd_data *)
1269	* Returns: Processing status
1270	*/
1271	static RadiusRxResult
1272	ieee802_1x_receive_auth(struct radius_msg msg, struct radius_msg req,
1273	const u8 *shared_secret, size_t shared_secret_len,
1274	void *data)
1275	{
1276	struct hostapd_data *hapd = data;
1277	struct sta_info *sta;
1278	u32 session_timeout = 0, termination_action, acct_interim_interval;
1279	int session_timeout_set, old_vlanid = 0;
1280	struct eapol_state_machine *sm;
1281	int override_eapReq = 0;
1282	struct radius_hdr *hdr = radius_msg_get_hdr(msg);
1283	static int qosidx=500;
1284
1285	sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
1286	if (sm == NULL) {
1287	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
1288	"station for this RADIUS message");
1289	return RADIUS_RX_UNKNOWN;
1290	}
1291	sta = sm->sta;
1292
1293	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1294	* present when packet contains an EAP-Message attribute */
1295	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
1296	radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
1297	0) < 0 &&
1298	radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
1299	wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
1300	"Message-Authenticator since it does not include "
1301	"EAP-Message");
1302	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
1303	req, 1)) {
1304	printf("Incoming RADIUS packet did not have correct "
1305	"Message-Authenticator - dropped\n");
1306	return RADIUS_RX_INVALID_AUTHENTICATOR;
1307	}
1308
1309	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
1310	hdr->code != RADIUS_CODE_ACCESS_REJECT &&
1311	hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
1312	printf("Unknown RADIUS message code\n");
1313	return RADIUS_RX_UNKNOWN;
1314	}
1315
1316	sm->radius_identifier = -1;
1317	wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
1318	MAC2STR(sta->addr));
1319
1320	radius_msg_free(sm->last_recv_radius);
1321	sm->last_recv_radius = msg;
1322
1323	session_timeout_set =
1324	!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
1325	&session_timeout);
1326	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
1327	&termination_action))
1328	termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
1329
1330	if (hapd->conf->acct_interim_interval == 0 &&
1331	hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
1332	radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
1333	&acct_interim_interval) == 0) {
1334	if (acct_interim_interval < 60) {
1335	hostapd_logger(hapd, sta->addr,
1336	HOSTAPD_MODULE_IEEE8021X,
1337	HOSTAPD_LEVEL_INFO,
1338	"ignored too small "
1339	"Acct-Interim-Interval %d",
1340	acct_interim_interval);
1341	} else
1342	sta->acct_interim_interval = acct_interim_interval;
1343	}
1344
1345
1346	switch (hdr->code) {
1347	case RADIUS_CODE_ACCESS_ACCEPT:
1348	#ifdef HAVE_AQOS
1349	wpa_printf(MSG_DEBUG, "check user bandwith shaping\n");
1350	u32 down,up;
1351	size_t len;
1352	if ((down=(u32*)radius_msg_get_vendor_attr(msg,RADIUS_VENDOR_ID_WISPR, RADIUS_ATTR_WISPR_BANDWIDTH_MAX_DOWN ,&len)) == NULL) {
1353	wpa_printf(MSG_DEBUG, "no downstream level found\n");
1354	}else
1355	{
1356	if ((up=(u32*)radius_msg_get_vendor_attr(msg,RADIUS_VENDOR_ID_WISPR, RADIUS_ATTR_WISPR_BANDWIDTH_MAX_UP ,&len)) == NULL) {
1357	wpa_printf(MSG_DEBUG, "no up level found\n");
1358	os_free(down);
1359	}else{
1360	down=ntohl(down);
1361	up=ntohl(up);
1362	wpa_printf(MSG_DEBUG, "downstream %d kbits, upstream %d kbits level found\n",down,up);
1363	char mac[64];
1364	sprintf(mac, MACSTR, MAC2STR(sta->addr));
1365	char uplevel[64];
1366	char downlevel[64];
1367	sprintf(uplevel,"%d",*up/1000);
1368	sprintf(downlevel,"%d",*down/1000);
1369	int ret = addrule(mac,uplevel,downlevel);
1370	//case 0 = does not exists, should just be added, no restart
1371	//case 1 = no change required, already added
1372	//case 2 = change required, exists, but new settings
1373	//case 3 = change required, exists, new setting
1374	if (!ret)
1375	{
1376	qosidx+=2;
1377	if (qosidx>500)
1378	qosidx=0;
1379	wpa_printf(MSG_DEBUG, "bandwidth rule is new, no flush required!\n");
1380	add_usermac(mac, qosidx, uplevel,downlevel,"0" );
1381	}else if (ret>1)
1382	{
1383	wpa_printf(MSG_DEBUG, "bandwidth rule change detected, flush table and reset it to new values! (status %d)\n",ret);
1384	system("startstop_f wshaper");
1385	}
1386	os_free(up);
1387	os_free(down);
1388	}
1389
1390	}
1391	#endif
1392	if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
1393	sta->vlan_id = 0;
1394	#ifndef CONFIG_NO_VLAN
1395	else {
1396	old_vlanid = sta->vlan_id;
1397	sta->vlan_id = radius_msg_get_vlanid(msg);
1398	}
1399	if (sta->vlan_id > 0 &&
1400	hostapd_get_vlan_id_ifname(hapd->conf->vlan,
1401	sta->vlan_id)) {
1402	hostapd_logger(hapd, sta->addr,
1403	HOSTAPD_MODULE_RADIUS,
1404	HOSTAPD_LEVEL_INFO,
1405	"VLAN ID %d", sta->vlan_id);
1406	} else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
1407	sta->eapol_sm->authFail = TRUE;
1408	hostapd_logger(hapd, sta->addr,
1409	HOSTAPD_MODULE_IEEE8021X,
1410	HOSTAPD_LEVEL_INFO, "authentication "
1411	"server did not include required VLAN "
1412	"ID in Access-Accept");
1413	break;
1414	}
1415	#endif /* CONFIG_NO_VLAN */
1416
1417	if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
1418	break;
1419
1420	/* RFC 3580, Ch. 3.17 */
1421	if (session_timeout_set && termination_action ==
1422	RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
1423	sm->reAuthPeriod = session_timeout;
1424	} else if (session_timeout_set)
1425	ap_sta_session_timeout(hapd, sta, session_timeout);
1426
1427	sm->eap_if->aaaSuccess = TRUE;
1428	override_eapReq = 1;
1429	ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
1430	shared_secret_len);
1431	ieee802_1x_store_radius_class(hapd, sta, msg);
1432	ieee802_1x_update_sta_identity(hapd, sta, msg);
1433	if (sm->eap_if->eapKeyAvailable &&
1434	wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt,
1435	session_timeout_set ?
1436	(int) session_timeout : -1, sm) == 0) {
1437	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1438	HOSTAPD_LEVEL_DEBUG,
1439	"Added PMKSA cache entry");
1440	}
1441	break;
1442	case RADIUS_CODE_ACCESS_REJECT:
1443	sm->eap_if->aaaFail = TRUE;
1444	override_eapReq = 1;
1445	break;
1446	case RADIUS_CODE_ACCESS_CHALLENGE:
1447	sm->eap_if->aaaEapReq = TRUE;
1448	if (session_timeout_set) {
1449	/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
1450	sm->eap_if->aaaMethodTimeout = session_timeout;
1451	hostapd_logger(hapd, sm->addr,
1452	HOSTAPD_MODULE_IEEE8021X,
1453	HOSTAPD_LEVEL_DEBUG,
1454	"using EAP timeout of %d seconds (from "
1455	"RADIUS)",
1456	sm->eap_if->aaaMethodTimeout);
1457	} else {
1458	/*
1459	* Use dynamic retransmission behavior per EAP
1460	* specification.
1461	*/
1462	sm->eap_if->aaaMethodTimeout = 0;
1463	}
1464	break;
1465	}
1466
1467	ieee802_1x_decapsulate_radius(hapd, sta);
1468	if (override_eapReq)
1469	sm->eap_if->aaaEapReq = FALSE;
1470
1471	eapol_auth_step(sm);
1472
1473	return RADIUS_RX_QUEUED;
1474	}
1475	#endif /* CONFIG_NO_RADIUS */
1476
1477
1478	void ieee802_1x_abort_auth(struct hostapd_data hapd, struct sta_info sta)
1479	{
1480	struct eapol_state_machine *sm = sta->eapol_sm;
1481	if (sm == NULL)
1482	return;
1483
1484	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1485	HOSTAPD_LEVEL_DEBUG, "aborting authentication");
1486
1487	#ifndef CONFIG_NO_RADIUS
1488	radius_msg_free(sm->last_recv_radius);
1489	sm->last_recv_radius = NULL;
1490	#endif /* CONFIG_NO_RADIUS */
1491
1492	if (sm->eap_if->eapTimeout) {
1493	/*
1494	* Disconnect the STA since it did not reply to the last EAP
1495	* request and we cannot continue EAP processing (EAP-Failure
1496	* could only be sent if the EAP peer actually replied).
1497	*/
1498	sm->eap_if->portEnabled = FALSE;
1499	ap_sta_disconnect(hapd, sta, sta->addr,
1500	WLAN_REASON_PREV_AUTH_NOT_VALID);
1501	}
1502	}
1503
1504
1505	static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
1506	{
1507	struct eapol_authenticator *eapol = hapd->eapol_auth;
1508
1509	if (hapd->conf->default_wep_key_len < 1)
1510	return 0;
1511
1512	os_free(eapol->default_wep_key);
1513	eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
1514	if (eapol->default_wep_key == NULL \|\|
1515	random_get_bytes(eapol->default_wep_key,
1516	hapd->conf->default_wep_key_len)) {
1517	printf("Could not generate random WEP key.\n");
1518	os_free(eapol->default_wep_key);
1519	eapol->default_wep_key = NULL;
1520	return -1;
1521	}
1522
1523	wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
1524	eapol->default_wep_key,
1525	hapd->conf->default_wep_key_len);
1526
1527	return 0;
1528	}
1529
1530
1531	static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
1532	struct sta_info sta, void ctx)
1533	{
1534	if (sta->eapol_sm) {
1535	sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1536	eapol_auth_step(sta->eapol_sm);
1537	}
1538	return 0;
1539	}
1540
1541
1542	static void ieee802_1x_rekey(void eloop_ctx, void timeout_ctx)
1543	{
1544	struct hostapd_data *hapd = eloop_ctx;
1545	struct eapol_authenticator *eapol = hapd->eapol_auth;
1546
1547	if (eapol->default_wep_key_idx >= 3)
1548	eapol->default_wep_key_idx =
1549	hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
1550	else
1551	eapol->default_wep_key_idx++;
1552
1553	wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
1554	eapol->default_wep_key_idx);
1555
1556	if (ieee802_1x_rekey_broadcast(hapd)) {
1557	hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1558	HOSTAPD_LEVEL_WARNING, "failed to generate a "
1559	"new broadcast key");
1560	os_free(eapol->default_wep_key);
1561	eapol->default_wep_key = NULL;
1562	return;
1563	}
1564
1565	/* TODO: Could setup key for RX here, but change default TX keyid only
1566	* after new broadcast key has been sent to all stations. */
1567	if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
1568	broadcast_ether_addr,
1569	eapol->default_wep_key_idx, 1, NULL, 0,
1570	eapol->default_wep_key,
1571	hapd->conf->default_wep_key_len)) {
1572	hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1573	HOSTAPD_LEVEL_WARNING, "failed to configure a "
1574	"new broadcast key");
1575	os_free(eapol->default_wep_key);
1576	eapol->default_wep_key = NULL;
1577	return;
1578	}
1579
1580	ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
1581
1582	if (hapd->conf->wep_rekeying_period > 0) {
1583	eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
1584	ieee802_1x_rekey, hapd, NULL);
1585	}
1586	}
1587
1588
1589	static void ieee802_1x_eapol_send(void ctx, void sta_ctx, u8 type,
1590	const u8 *data, size_t datalen)
1591	{
1592	#ifdef CONFIG_WPS
1593	struct sta_info *sta = sta_ctx;
1594
1595	if ((sta->flags & (WLAN_STA_WPS \| WLAN_STA_MAYBE_WPS)) ==
1596	WLAN_STA_MAYBE_WPS) {
1597	const u8 *identity;
1598	size_t identity_len;
1599	struct eapol_state_machine *sm = sta->eapol_sm;
1600
1601	identity = eap_get_identity(sm->eap, &identity_len);
1602	if (identity &&
1603	((identity_len == WSC_ID_ENROLLEE_LEN &&
1604	os_memcmp(identity, WSC_ID_ENROLLEE,
1605	WSC_ID_ENROLLEE_LEN) == 0) \|\|
1606	(identity_len == WSC_ID_REGISTRAR_LEN &&
1607	os_memcmp(identity, WSC_ID_REGISTRAR,
1608	WSC_ID_REGISTRAR_LEN) == 0))) {
1609	wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
1610	"WLAN_STA_WPS");
1611	sta->flags \|= WLAN_STA_WPS;
1612	}
1613	}
1614	#endif /* CONFIG_WPS */
1615
1616	ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
1617	}
1618
1619
1620	static void ieee802_1x_aaa_send(void ctx, void sta_ctx,
1621	const u8 *data, size_t datalen)
1622	{
1623	#ifndef CONFIG_NO_RADIUS
1624	struct hostapd_data *hapd = ctx;
1625	struct sta_info *sta = sta_ctx;
1626
1627	ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
1628	#endif /* CONFIG_NO_RADIUS */
1629	}
1630
1631
1632	static void _ieee802_1x_finished(void ctx, void sta_ctx, int success,
1633	int preauth)
1634	{
1635	struct hostapd_data *hapd = ctx;
1636	struct sta_info *sta = sta_ctx;
1637	if (preauth)
1638	rsn_preauth_finished(hapd, sta, success);
1639	else
1640	ieee802_1x_finished(hapd, sta, success);
1641	}
1642
1643
1644	static int ieee802_1x_get_eap_user(void ctx, const u8 identity,
1645	size_t identity_len, int phase2,
1646	struct eap_user *user)
1647	{
1648	struct hostapd_data *hapd = ctx;
1649	const struct hostapd_eap_user *eap_user;
1650	int i, count;
1651
1652	eap_user = hostapd_get_eap_user(hapd->conf, identity,
1653	identity_len, phase2);
1654	if (eap_user == NULL)
1655	return -1;
1656
1657	os_memset(user, 0, sizeof(*user));
1658	user->phase2 = phase2;
1659	count = EAP_USER_MAX_METHODS;
1660	if (count > EAP_MAX_METHODS)
1661	count = EAP_MAX_METHODS;
1662	for (i = 0; i < count; i++) {
1663	user->methods[i].vendor = eap_user->methods[i].vendor;
1664	user->methods[i].method = eap_user->methods[i].method;
1665	}
1666
1667	if (eap_user->password) {
1668	user->password = os_malloc(eap_user->password_len);
1669	if (user->password == NULL)
1670	return -1;
1671	os_memcpy(user->password, eap_user->password,
1672	eap_user->password_len);
1673	user->password_len = eap_user->password_len;
1674	}
1675	user->force_version = eap_user->force_version;
1676	user->ttls_auth = eap_user->ttls_auth;
1677
1678	return 0;
1679	}
1680
1681
1682	static int ieee802_1x_sta_entry_alive(void ctx, const u8 addr)
1683	{
1684	struct hostapd_data *hapd = ctx;
1685	struct sta_info *sta;
1686	sta = ap_get_sta(hapd, addr);
1687	if (sta == NULL \|\| sta->eapol_sm == NULL)
1688	return 0;
1689	return 1;
1690	}
1691
1692
1693	static void ieee802_1x_logger(void ctx, const u8 addr,
1694	eapol_logger_level level, const char *txt)
1695	{
1696	#ifndef CONFIG_NO_HOSTAPD_LOGGER
1697	struct hostapd_data *hapd = ctx;
1698	int hlevel;
1699
1700	switch (level) {
1701	case EAPOL_LOGGER_WARNING:
1702	hlevel = HOSTAPD_LEVEL_WARNING;
1703	break;
1704	case EAPOL_LOGGER_INFO:
1705	hlevel = HOSTAPD_LEVEL_INFO;
1706	break;
1707	case EAPOL_LOGGER_DEBUG:
1708	default:
1709	hlevel = HOSTAPD_LEVEL_DEBUG;
1710	break;
1711	}
1712
1713	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
1714	txt);
1715	#endif /* CONFIG_NO_HOSTAPD_LOGGER */
1716	}
1717
1718
1719	static void ieee802_1x_set_port_authorized(void ctx, void sta_ctx,
1720	int authorized)
1721	{
1722	struct hostapd_data *hapd = ctx;
1723	struct sta_info *sta = sta_ctx;
1724	ieee802_1x_set_sta_authorized(hapd, sta, authorized);
1725	}
1726
1727
1728	static void _ieee802_1x_abort_auth(void ctx, void sta_ctx)
1729	{
1730	struct hostapd_data *hapd = ctx;
1731	struct sta_info *sta = sta_ctx;
1732	ieee802_1x_abort_auth(hapd, sta);
1733	}
1734
1735
1736	static void _ieee802_1x_tx_key(void ctx, void sta_ctx)
1737	{
1738	struct hostapd_data *hapd = ctx;
1739	struct sta_info *sta = sta_ctx;
1740	ieee802_1x_tx_key(hapd, sta);
1741	}
1742
1743
1744	static void ieee802_1x_eapol_event(void ctx, void sta_ctx,
1745	enum eapol_event type)
1746	{
1747	/* struct hostapd_data hapd = ctx; /
1748	struct sta_info *sta = sta_ctx;
1749	switch (type) {
1750	case EAPOL_AUTH_SM_CHANGE:
1751	wpa_auth_sm_notify(sta->wpa_sm);
1752	break;
1753	case EAPOL_AUTH_REAUTHENTICATE:
1754	wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
1755	break;
1756	}
1757	}
1758
1759
1760	int ieee802_1x_init(struct hostapd_data *hapd)
1761	{
1762	int i;
1763	struct eapol_auth_config conf;
1764	struct eapol_auth_cb cb;
1765
1766	os_memset(&conf, 0, sizeof(conf));
1767	conf.ctx = hapd;
1768	conf.eap_reauth_period = hapd->conf->eap_reauth_period;
1769	conf.wpa = hapd->conf->wpa;
1770	conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
1771	conf.eap_server = hapd->conf->eap_server;
1772	conf.ssl_ctx = hapd->ssl_ctx;
1773	conf.msg_ctx = hapd->msg_ctx;
1774	conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
1775	conf.eap_req_id_text = hapd->conf->eap_req_id_text;
1776	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
1777	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
1778	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
1779	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
1780	conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
1781	conf.eap_fast_prov = hapd->conf->eap_fast_prov;
1782	conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
1783	conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
1784	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
1785	conf.tnc = hapd->conf->tnc;
1786	conf.wps = hapd->wps;
1787	conf.fragment_size = hapd->conf->fragment_size;
1788	conf.pwd_group = hapd->conf->pwd_group;
1789	conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
1790
1791	os_memset(&cb, 0, sizeof(cb));
1792	cb.eapol_send = ieee802_1x_eapol_send;
1793	cb.aaa_send = ieee802_1x_aaa_send;
1794	cb.finished = _ieee802_1x_finished;
1795	cb.get_eap_user = ieee802_1x_get_eap_user;
1796	cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
1797	cb.logger = ieee802_1x_logger;
1798	cb.set_port_authorized = ieee802_1x_set_port_authorized;
1799	cb.abort_auth = _ieee802_1x_abort_auth;
1800	cb.tx_key = _ieee802_1x_tx_key;
1801	cb.eapol_event = ieee802_1x_eapol_event;
1802
1803	hapd->eapol_auth = eapol_auth_init(&conf, &cb);
1804	if (hapd->eapol_auth == NULL)
1805	return -1;
1806
1807	if ((hapd->conf->ieee802_1x \|\| hapd->conf->wpa) &&
1808	hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
1809	return -1;
1810
1811	#ifndef CONFIG_NO_RADIUS
1812	if (radius_client_register(hapd->radius, RADIUS_AUTH,
1813	ieee802_1x_receive_auth, hapd))
1814	return -1;
1815	#endif /* CONFIG_NO_RADIUS */
1816
1817	if (hapd->conf->default_wep_key_len) {
1818	for (i = 0; i < 4; i++)
1819	hostapd_drv_set_key(hapd->conf->iface, hapd,
1820	WPA_ALG_NONE, NULL, i, 0, NULL, 0,
1821	NULL, 0);
1822
1823	ieee802_1x_rekey(hapd, NULL);
1824
1825	if (hapd->eapol_auth->default_wep_key == NULL)
1826	return -1;
1827	}
1828
1829	return 0;
1830	}
1831
1832
1833	void ieee802_1x_deinit(struct hostapd_data *hapd)
1834	{
1835	eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
1836
1837	if (hapd->driver != NULL &&
1838	(hapd->conf->ieee802_1x \|\| hapd->conf->wpa))
1839	hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
1840
1841	eapol_auth_deinit(hapd->eapol_auth);
1842	hapd->eapol_auth = NULL;
1843	}
1844
1845
1846	int ieee802_1x_tx_status(struct hostapd_data hapd, struct sta_info sta,
1847	const u8 *buf, size_t len, int ack)
1848	{
1849	struct ieee80211_hdr *hdr;
1850	struct ieee802_1x_hdr *xhdr;
1851	struct ieee802_1x_eapol_key *key;
1852	u8 *pos;
1853	const unsigned char rfc1042_hdr[ETH_ALEN] =
1854	{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
1855
1856	if (sta == NULL)
1857	return -1;
1858	if (len < sizeof(hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(xhdr))
1859	return 0;
1860
1861	hdr = (struct ieee80211_hdr *) buf;
1862	pos = (u8 *) (hdr + 1);
1863	if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
1864	return 0;
1865	pos += sizeof(rfc1042_hdr);
1866	if (WPA_GET_BE16(pos) != ETH_P_PAE)
1867	return 0;
1868	pos += 2;
1869
1870	xhdr = (struct ieee802_1x_hdr *) pos;
1871	pos += sizeof(*xhdr);
1872
1873	wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
1874	"type=%d length=%d - ack=%d",
1875	MAC2STR(sta->addr), xhdr->version, xhdr->type,
1876	be_to_host16(xhdr->length), ack);
1877
1878	if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
1879	pos + sizeof(struct wpa_eapol_key) <= buf + len) {
1880	const struct wpa_eapol_key *wpa;
1881	wpa = (const struct wpa_eapol_key *) pos;
1882	if (wpa->type == EAPOL_KEY_TYPE_RSN \|\|
1883	wpa->type == EAPOL_KEY_TYPE_WPA)
1884	wpa_auth_eapol_key_tx_status(hapd->wpa_auth,
1885	sta->wpa_sm, ack);
1886	}
1887
1888	/* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
1889	* or Authenticator state machines, but EAPOL-Key packets are not
1890	* retransmitted in case of failure. Try to re-sent failed EAPOL-Key
1891	* packets couple of times because otherwise STA keys become
1892	* unsynchronized with AP. */
1893	if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack &&
1894	pos + sizeof(*key) <= buf + len) {
1895	key = (struct ieee802_1x_eapol_key *) pos;
1896	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1897	HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
1898	"frame (%scast index=%d)",
1899	key->key_index & BIT(7) ? "uni" : "broad",
1900	key->key_index & ~BIT(7));
1901	/* TODO: re-send EAPOL-Key couple of times (with short delay
1902	* between them?). If all attempt fail, report error and
1903	* deauthenticate STA so that it will get new keys when
1904	* authenticating again (e.g., after returning in range).
1905	* Separate limit/transmit state needed both for unicast and
1906	* broadcast keys(?) */
1907	}
1908	/* TODO: could move unicast key configuration from ieee802_1x_tx_key()
1909	* to here and change the key only if the EAPOL-Key packet was Acked.
1910	*/
1911
1912	return 1;
1913	}
1914
1915
1916	u8 * ieee802_1x_get_identity(struct eapol_state_machine sm, size_t len)
1917	{
1918	if (sm == NULL \|\| sm->identity == NULL)
1919	return NULL;
1920
1921	*len = sm->identity_len;
1922	return sm->identity;
1923	}
1924
1925
1926	u8 * ieee802_1x_get_radius_class(struct eapol_state_machine sm, size_t len,
1927	int idx)
1928	{
1929	if (sm == NULL \|\| sm->radius_class.attr == NULL \|\|
1930	idx >= (int) sm->radius_class.count)
1931	return NULL;
1932
1933	*len = sm->radius_class.attr[idx].len;
1934	return sm->radius_class.attr[idx].data;
1935	}
1936
1937
1938	const u8 * ieee802_1x_get_key(struct eapol_state_machine sm, size_t len)
1939	{
1940	if (sm == NULL)
1941	return NULL;
1942
1943	*len = sm->eap_if->eapKeyDataLen;
1944	return sm->eap_if->eapKeyData;
1945	}
1946
1947
1948	void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
1949	int enabled)
1950	{
1951	if (sm == NULL)
1952	return;
1953	sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
1954	eapol_auth_step(sm);
1955	}
1956
1957
1958	void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
1959	int valid)
1960	{
1961	if (sm == NULL)
1962	return;
1963	sm->portValid = valid ? TRUE : FALSE;
1964	eapol_auth_step(sm);
1965	}
1966
1967
1968	void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
1969	{
1970	if (sm == NULL)
1971	return;
1972	if (pre_auth)
1973	sm->flags \|= EAPOL_SM_PREAUTH;
1974	else
1975	sm->flags &= ~EAPOL_SM_PREAUTH;
1976	}
1977
1978
1979	static const char * bool_txt(Boolean bool)
1980	{
1981	return bool ? "TRUE" : "FALSE";
1982	}
1983
1984	#ifdef CONFIG_CTRL_IFACE_MIB
1985
1986	int ieee802_1x_get_mib(struct hostapd_data hapd, char buf, size_t buflen)
1987	{
1988	/* TODO */
1989	return 0;
1990	}
1991
1992
1993	int ieee802_1x_get_mib_sta(struct hostapd_data hapd, struct sta_info sta,
1994	char *buf, size_t buflen)
1995	{
1996	int len = 0, ret;
1997	struct eapol_state_machine *sm = sta->eapol_sm;
1998
1999	if (sm == NULL)
2000	return 0;
2001
2002	ret = os_snprintf(buf + len, buflen - len,
2003	"dot1xPaePortNumber=%d\n"
2004	"dot1xPaePortProtocolVersion=%d\n"
2005	"dot1xPaePortCapabilities=1\n"
2006	"dot1xPaePortInitialize=%d\n"
2007	"dot1xPaePortReauthenticate=FALSE\n",
2008	sta->aid,
2009	EAPOL_VERSION,
2010	sm->initialize);
2011	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2012	return len;
2013	len += ret;
2014
2015	/* dot1xAuthConfigTable */
2016	ret = os_snprintf(buf + len, buflen - len,
2017	"dot1xAuthPaeState=%d\n"
2018	"dot1xAuthBackendAuthState=%d\n"
2019	"dot1xAuthAdminControlledDirections=%d\n"
2020	"dot1xAuthOperControlledDirections=%d\n"
2021	"dot1xAuthAuthControlledPortStatus=%d\n"
2022	"dot1xAuthAuthControlledPortControl=%d\n"
2023	"dot1xAuthQuietPeriod=%u\n"
2024	"dot1xAuthServerTimeout=%u\n"
2025	"dot1xAuthReAuthPeriod=%u\n"
2026	"dot1xAuthReAuthEnabled=%s\n"
2027	"dot1xAuthKeyTxEnabled=%s\n",
2028	sm->auth_pae_state + 1,
2029	sm->be_auth_state + 1,
2030	sm->adminControlledDirections,
2031	sm->operControlledDirections,
2032	sm->authPortStatus,
2033	sm->portControl,
2034	sm->quietPeriod,
2035	sm->serverTimeout,
2036	sm->reAuthPeriod,
2037	bool_txt(sm->reAuthEnabled),
2038	bool_txt(sm->keyTxEnabled));
2039	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2040	return len;
2041	len += ret;
2042
2043	/* dot1xAuthStatsTable */
2044	ret = os_snprintf(buf + len, buflen - len,
2045	"dot1xAuthEapolFramesRx=%u\n"
2046	"dot1xAuthEapolFramesTx=%u\n"
2047	"dot1xAuthEapolStartFramesRx=%u\n"
2048	"dot1xAuthEapolLogoffFramesRx=%u\n"
2049	"dot1xAuthEapolRespIdFramesRx=%u\n"
2050	"dot1xAuthEapolRespFramesRx=%u\n"
2051	"dot1xAuthEapolReqIdFramesTx=%u\n"
2052	"dot1xAuthEapolReqFramesTx=%u\n"
2053	"dot1xAuthInvalidEapolFramesRx=%u\n"
2054	"dot1xAuthEapLengthErrorFramesRx=%u\n"
2055	"dot1xAuthLastEapolFrameVersion=%u\n"
2056	"dot1xAuthLastEapolFrameSource=" MACSTR "\n",
2057	sm->dot1xAuthEapolFramesRx,
2058	sm->dot1xAuthEapolFramesTx,
2059	sm->dot1xAuthEapolStartFramesRx,
2060	sm->dot1xAuthEapolLogoffFramesRx,
2061	sm->dot1xAuthEapolRespIdFramesRx,
2062	sm->dot1xAuthEapolRespFramesRx,
2063	sm->dot1xAuthEapolReqIdFramesTx,
2064	sm->dot1xAuthEapolReqFramesTx,
2065	sm->dot1xAuthInvalidEapolFramesRx,
2066	sm->dot1xAuthEapLengthErrorFramesRx,
2067	sm->dot1xAuthLastEapolFrameVersion,
2068	MAC2STR(sm->addr));
2069	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2070	return len;
2071	len += ret;
2072
2073	/* dot1xAuthDiagTable */
2074	ret = os_snprintf(buf + len, buflen - len,
2075	"dot1xAuthEntersConnecting=%u\n"
2076	"dot1xAuthEapLogoffsWhileConnecting=%u\n"
2077	"dot1xAuthEntersAuthenticating=%u\n"
2078	"dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2079	"dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2080	"dot1xAuthAuthFailWhileAuthenticating=%u\n"
2081	"dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2082	"dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2083	"dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2084	"dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2085	"dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2086	"dot1xAuthBackendResponses=%u\n"
2087	"dot1xAuthBackendAccessChallenges=%u\n"
2088	"dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2089	"dot1xAuthBackendAuthSuccesses=%u\n"
2090	"dot1xAuthBackendAuthFails=%u\n",
2091	sm->authEntersConnecting,
2092	sm->authEapLogoffsWhileConnecting,
2093	sm->authEntersAuthenticating,
2094	sm->authAuthSuccessesWhileAuthenticating,
2095	sm->authAuthTimeoutsWhileAuthenticating,
2096	sm->authAuthFailWhileAuthenticating,
2097	sm->authAuthEapStartsWhileAuthenticating,
2098	sm->authAuthEapLogoffWhileAuthenticating,
2099	sm->authAuthReauthsWhileAuthenticated,
2100	sm->authAuthEapStartsWhileAuthenticated,
2101	sm->authAuthEapLogoffWhileAuthenticated,
2102	sm->backendResponses,
2103	sm->backendAccessChallenges,
2104	sm->backendOtherRequestsToSupplicant,
2105	sm->backendAuthSuccesses,
2106	sm->backendAuthFails);
2107	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2108	return len;
2109	len += ret;
2110
2111	/* dot1xAuthSessionStatsTable */
2112	ret = os_snprintf(buf + len, buflen - len,
2113	/* TODO: dot1xAuthSessionOctetsRx */
2114	/* TODO: dot1xAuthSessionOctetsTx */
2115	/* TODO: dot1xAuthSessionFramesRx */
2116	/* TODO: dot1xAuthSessionFramesTx */
2117	"dot1xAuthSessionId=%08X-%08X\n"
2118	"dot1xAuthSessionAuthenticMethod=%d\n"
2119	"dot1xAuthSessionTime=%u\n"
2120	"dot1xAuthSessionTerminateCause=999\n"
2121	"dot1xAuthSessionUserName=%s\n",
2122	sta->acct_session_id_hi, sta->acct_session_id_lo,
2123	(wpa_key_mgmt_wpa_ieee8021x(
2124	wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
2125	1 : 2,
2126	(unsigned int) (time(NULL) -
2127	sta->acct_session_start),
2128	sm->identity);
2129	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2130	return len;
2131	len += ret;
2132
2133	return len;
2134	}
2135
2136	#endif
2137
2138	static void ieee802_1x_finished(struct hostapd_data *hapd,
2139	struct sta_info *sta, int success)
2140	{
2141	const u8 *key;
2142	size_t len;
2143	/* TODO: get PMKLifetime from WPA parameters */
2144	static const int dot11RSNAConfigPMKLifetime = 43200;
2145
2146	key = ieee802_1x_get_key(sta->eapol_sm, &len);
2147	if (success && key && len >= PMK_LEN &&
2148	wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
2149	sta->eapol_sm) == 0) {
2150	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
2151	HOSTAPD_LEVEL_DEBUG,
2152	"Added PMKSA cache entry (IEEE 802.1X)");
2153	}
2154
2155	#ifdef CONFIG_WPS
2156	if (!success && (sta->flags & WLAN_STA_WPS)) {
2157	/*
2158	* Many devices require deauthentication after WPS provisioning
2159	* and some may not be be able to do that themselves, so
2160	* disconnect the client here.
2161	*/
2162	wpa_printf(MSG_DEBUG, "WPS: Force disconnection after "
2163	"EAP-Failure");
2164	/* Add a small sleep to increase likelihood of previously
2165	* requested EAP-Failure TX getting out before this should the
2166	* driver reorder operations.
2167	*/
2168	os_sleep(0, 10000);
2169	ap_sta_disconnect(hapd, sta, sta->addr,
2170	WLAN_REASON_PREV_AUTH_NOT_VALID);
2171	}
2172	#endif /* CONFIG_WPS */
2173	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: