Context Navigation

source: src/router/hostapd2/hostapd/ieee802_1x.c @ 17829

Last change on this file since 17829 was 17829, checked in by chris, 19 months ago
hostapd/pppd/rp-pppoe/rt2860apd needed fixes for new qos
File size: 56.0 KB

Line
1	/*
2	* hostapd / IEEE 802.1X-2004 Authenticator
3	* Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi>
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.
8	*
9	* Alternatively, this software may be distributed under the terms of BSD
10	* license.
11	*
12	* See README and COPYING for more details.
13	*/
14
15	#include "includes.h"
16
17	#include "hostapd.h"
18	#include "ieee802_1x.h"
19	#include "accounting.h"
20	#include "radius/radius.h"
21	#include "radius/radius_client.h"
22	#include "eapol_sm.h"
23	#include "md5.h"
24	#include "rc4.h"
25	#include "eloop.h"
26	#include "sta_info.h"
27	#include "wpa.h"
28	#include "preauth.h"
29	#include "pmksa_cache.h"
30	#include "driver.h"
31	#include "hw_features.h"
32	#include "eap_server/eap.h"
33
34
35	static void ieee802_1x_finished(struct hostapd_data *hapd,
36	struct sta_info *sta, int success);
37
38
39	static void ieee802_1x_send(struct hostapd_data hapd, struct sta_info sta,
40	u8 type, const u8 *data, size_t datalen)
41	{
42	u8 *buf;
43	struct ieee802_1x_hdr *xhdr;
44	size_t len;
45	int encrypt = 0;
46
47	len = sizeof(*xhdr) + datalen;
48	buf = os_zalloc(len);
49	if (buf == NULL) {
50	wpa_printf(MSG_ERROR, "malloc() failed for "
51	"ieee802_1x_send(len=%lu)",
52	(unsigned long) len);
53	return;
54	}
55
56	xhdr = (struct ieee802_1x_hdr *) buf;
57	xhdr->version = hapd->conf->eapol_version;
58	xhdr->type = type;
59	xhdr->length = host_to_be16(datalen);
60
61	if (datalen > 0 && data != NULL)
62	os_memcpy(xhdr + 1, data, datalen);
63
64	if (wpa_auth_pairwise_set(sta->wpa_sm))
65	encrypt = 1;
66	if (sta->flags & WLAN_STA_PREAUTH) {
67	rsn_preauth_send(hapd, sta, buf, len);
68	} else {
69	hostapd_send_eapol(hapd, sta->addr, buf, len, encrypt);
70	}
71
72	os_free(buf);
73	}
74
75
76	void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
77	struct sta_info *sta, int authorized)
78	{
79	int res;
80
81	if (sta->flags & WLAN_STA_PREAUTH)
82	return;
83
84	if (authorized) {
85	sta->flags \|= WLAN_STA_AUTHORIZED;
86	res = hostapd_sta_set_flags(hapd, sta->addr, sta->flags,
87	WLAN_STA_AUTHORIZED, ~0);
88	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
89	HOSTAPD_LEVEL_DEBUG, "authorizing port");
90	} else {
91	sta->flags &= ~WLAN_STA_AUTHORIZED;
92	res = hostapd_sta_set_flags(hapd, sta->addr, sta->flags,
93	0, ~WLAN_STA_AUTHORIZED);
94	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
95	HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
96	}
97
98	if (res && errno != ENOENT) {
99	printf("Could not set station " MACSTR " flags for kernel "
100	"driver (errno=%d).\n", MAC2STR(sta->addr), errno);
101	}
102
103	if (authorized)
104	accounting_sta_start(hapd, sta);
105	}
106
107
108	static void ieee802_1x_eap_timeout(void eloop_ctx, void timeout_ctx)
109	{
110	struct sta_info *sta = eloop_ctx;
111	struct eapol_state_machine *sm = sta->eapol_sm;
112	if (sm == NULL)
113	return;
114	hostapd_logger(sm->hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
115	HOSTAPD_LEVEL_DEBUG, "EAP timeout");
116	sm->eap_if->eapTimeout = TRUE;
117	eapol_auth_step(sm);
118	}
119
120
121	static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
122	struct sta_info *sta,
123	int idx, int broadcast,
124	u8 *key_data, size_t key_len)
125	{
126	u8 buf, ekey;
127	struct ieee802_1x_hdr *hdr;
128	struct ieee802_1x_eapol_key *key;
129	size_t len, ekey_len;
130	struct eapol_state_machine *sm = sta->eapol_sm;
131
132	if (sm == NULL)
133	return;
134
135	len = sizeof(*key) + key_len;
136	buf = os_zalloc(sizeof(*hdr) + len);
137	if (buf == NULL)
138	return;
139
140	hdr = (struct ieee802_1x_hdr *) buf;
141	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
142	key->type = EAPOL_KEY_TYPE_RC4;
143	key->key_length = htons(key_len);
144	wpa_get_ntp_timestamp(key->replay_counter);
145
146	if (os_get_random(key->key_iv, sizeof(key->key_iv))) {
147	wpa_printf(MSG_ERROR, "Could not get random numbers");
148	os_free(buf);
149	return;
150	}
151
152	key->key_index = idx \| (broadcast ? 0 : BIT(7));
153	if (hapd->conf->eapol_key_index_workaround) {
154	/* According to some information, WinXP Supplicant seems to
155	* interpret bit7 as an indication whether the key is to be
156	* activated, so make it possible to enable workaround that
157	* sets this bit for all keys. */
158	key->key_index \|= BIT(7);
159	}
160
161	/* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
162	* MSK[32..63] is used to sign the message. */
163	if (sm->eap_if->eapKeyData == NULL \|\| sm->eap_if->eapKeyDataLen < 64) {
164	wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
165	"and signing EAPOL-Key");
166	os_free(buf);
167	return;
168	}
169	os_memcpy((u8 *) (key + 1), key_data, key_len);
170	ekey_len = sizeof(key->key_iv) + 32;
171	ekey = os_malloc(ekey_len);
172	if (ekey == NULL) {
173	wpa_printf(MSG_ERROR, "Could not encrypt key");
174	os_free(buf);
175	return;
176	}
177	os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
178	os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
179	rc4((u8 *) (key + 1), key_len, ekey, ekey_len);
180	os_free(ekey);
181
182	/* This header is needed here for HMAC-MD5, but it will be regenerated
183	* in ieee802_1x_send() */
184	hdr->version = hapd->conf->eapol_version;
185	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
186	hdr->length = host_to_be16(len);
187	hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
188	key->key_signature);
189
190	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
191	" (%s index=%d)", MAC2STR(sm->addr),
192	broadcast ? "broadcast" : "unicast", idx);
193	ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
194	if (sta->eapol_sm)
195	sta->eapol_sm->dot1xAuthEapolFramesTx++;
196	os_free(buf);
197	}
198
199
200	static struct hostapd_wep_keys *
201	ieee802_1x_group_alloc(struct hostapd_data hapd, const char ifname)
202	{
203	struct hostapd_wep_keys *key;
204
205	key = os_zalloc(sizeof(*key));
206	if (key == NULL)
207	return NULL;
208
209	key->default_len = hapd->conf->default_wep_key_len;
210
211	if (key->idx >= hapd->conf->broadcast_key_idx_max \|\|
212	key->idx < hapd->conf->broadcast_key_idx_min)
213	key->idx = hapd->conf->broadcast_key_idx_min;
214	else
215	key->idx++;
216
217	if (!key->key[key->idx])
218	key->key[key->idx] = os_malloc(key->default_len);
219	if (key->key[key->idx] == NULL \|\|
220	os_get_random(key->key[key->idx], key->default_len)) {
221	printf("Could not generate random WEP key (dynamic VLAN).\n");
222	os_free(key->key[key->idx]);
223	key->key[key->idx] = NULL;
224	os_free(key);
225	return NULL;
226	}
227	key->len[key->idx] = key->default_len;
228
229	wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n",
230	ifname, key->idx);
231	wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)",
232	key->key[key->idx], key->len[key->idx]);
233
234	if (hostapd_set_encryption(ifname, hapd, "WEP", NULL, key->idx,
235	key->key[key->idx], key->len[key->idx], 1))
236	printf("Could not set dynamic VLAN WEP encryption key.\n");
237
238	hostapd_set_ieee8021x(ifname, hapd, 1);
239
240	return key;
241	}
242
243
244	static struct hostapd_wep_keys *
245	ieee802_1x_get_group(struct hostapd_data hapd, struct hostapd_ssid ssid,
246	size_t vlan_id)
247	{
248	const char *ifname;
249
250	if (vlan_id == 0)
251	return &ssid->wep;
252
253	if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys &&
254	ssid->dyn_vlan_keys[vlan_id])
255	return ssid->dyn_vlan_keys[vlan_id];
256
257	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group "
258	"state machine for VLAN ID %lu",
259	(unsigned long) vlan_id);
260
261	ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id);
262	if (ifname == NULL) {
263	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - "
264	"cannot create group key state machine",
265	(unsigned long) vlan_id);
266	return NULL;
267	}
268
269	if (ssid->dyn_vlan_keys == NULL) {
270	int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
271	ssid->dyn_vlan_keys = os_zalloc(size);
272	if (ssid->dyn_vlan_keys == NULL)
273	return NULL;
274	ssid->max_dyn_vlan_keys = vlan_id;
275	}
276
277	if (ssid->max_dyn_vlan_keys < vlan_id) {
278	struct hostapd_wep_keys **na;
279	int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]);
280	na = os_realloc(ssid->dyn_vlan_keys, size);
281	if (na == NULL)
282	return NULL;
283	ssid->dyn_vlan_keys = na;
284	os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0,
285	(vlan_id - ssid->max_dyn_vlan_keys) *
286	sizeof(ssid->dyn_vlan_keys[0]));
287	ssid->max_dyn_vlan_keys = vlan_id;
288	}
289
290	ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname);
291
292	return ssid->dyn_vlan_keys[vlan_id];
293	}
294
295
296	void ieee802_1x_tx_key(struct hostapd_data hapd, struct sta_info sta)
297	{
298	struct hostapd_wep_keys *key = NULL;
299	struct eapol_state_machine *sm = sta->eapol_sm;
300	int vlan_id;
301
302	if (sm == NULL \|\| !sm->eap_if->eapKeyData)
303	return;
304
305	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
306	MAC2STR(sta->addr));
307
308	vlan_id = sta->vlan_id;
309	if (vlan_id < 0 \|\| vlan_id > MAX_VLAN_ID)
310	vlan_id = 0;
311
312	if (vlan_id) {
313	key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id);
314	if (key && key->key[key->idx])
315	ieee802_1x_tx_key_one(hapd, sta, key->idx, 1,
316	key->key[key->idx],
317	key->len[key->idx]);
318	} else if (hapd->default_wep_key) {
319	ieee802_1x_tx_key_one(hapd, sta, hapd->default_wep_key_idx, 1,
320	hapd->default_wep_key,
321	hapd->conf->default_wep_key_len);
322	}
323
324	if (hapd->conf->individual_wep_key_len > 0) {
325	u8 *ikey;
326	ikey = os_malloc(hapd->conf->individual_wep_key_len);
327	if (ikey == NULL \|\|
328	os_get_random(ikey, hapd->conf->individual_wep_key_len)) {
329	wpa_printf(MSG_ERROR, "Could not generate random "
330	"individual WEP key.");
331	os_free(ikey);
332	return;
333	}
334
335	wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
336	ikey, hapd->conf->individual_wep_key_len);
337
338	ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
339	hapd->conf->individual_wep_key_len);
340
341	/* TODO: set encryption in TX callback, i.e., only after STA
342	* has ACKed EAPOL-Key frame */
343	if (hostapd_set_encryption(hapd->conf->iface, hapd, "WEP",
344	sta->addr, 0, ikey,
345	hapd->conf->individual_wep_key_len,
346	1)) {
347	wpa_printf(MSG_ERROR, "Could not set individual WEP "
348	"encryption.");
349	}
350
351	os_free(ikey);
352	}
353	}
354
355
356	const char radius_mode_txt(struct hostapd_data hapd)
357	{
358	if (hapd->iface->current_mode == NULL)
359	return "802.11";
360
361	switch (hapd->iface->current_mode->mode) {
362	case HOSTAPD_MODE_IEEE80211A:
363	return "802.11a";
364	case HOSTAPD_MODE_IEEE80211G:
365	return "802.11g";
366	case HOSTAPD_MODE_IEEE80211B:
367	default:
368	return "802.11b";
369	}
370	}
371
372
373	int radius_sta_rate(struct hostapd_data hapd, struct sta_info sta)
374	{
375	int i;
376	u8 rate = 0;
377
378	for (i = 0; i < sta->supported_rates_len; i++)
379	if ((sta->supported_rates[i] & 0x7f) > rate)
380	rate = sta->supported_rates[i] & 0x7f;
381
382	return rate;
383	}
384
385
386	static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
387	struct eapol_state_machine *sm,
388	const u8 *eap, size_t len)
389	{
390	const u8 *identity;
391	size_t identity_len;
392
393	if (len <= sizeof(struct eap_hdr) \|\|
394	eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY)
395	return;
396
397	identity = eap_get_identity(sm->eap, &identity_len);
398	if (identity == NULL)
399	return;
400
401	/* Save station identity for future RADIUS packets */
402	os_free(sm->identity);
403	sm->identity = os_malloc(identity_len + 1);
404	if (sm->identity == NULL) {
405	sm->identity_len = 0;
406	return;
407	}
408
409	os_memcpy(sm->identity, identity, identity_len);
410	sm->identity_len = identity_len;
411	sm->identity[identity_len] = '\0';
412	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
413	HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
414	sm->dot1xAuthEapolRespIdFramesRx++;
415	}
416
417
418	static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
419	struct sta_info *sta,
420	const u8 *eap, size_t len)
421	{
422	struct radius_msg *msg;
423	char buf[128];
424	struct eapol_state_machine *sm = sta->eapol_sm;
425
426	if (sm == NULL)
427	return;
428
429	ieee802_1x_learn_identity(hapd, sm, eap, len);
430
431	wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
432	"packet");
433
434	sm->radius_identifier = radius_client_get_id(hapd->radius);
435	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
436	sm->radius_identifier);
437	if (msg == NULL) {
438	printf("Could not create net RADIUS packet\n");
439	return;
440	}
441
442	radius_msg_make_authenticator(msg, (u8 ) sta, sizeof(sta));
443
444	if (sm->identity &&
445	!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
446	sm->identity, sm->identity_len)) {
447	printf("Could not add User-Name\n");
448	goto fail;
449	}
450
451	if (hapd->conf->own_ip_addr.af == AF_INET &&
452	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
453	(u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
454	printf("Could not add NAS-IP-Address\n");
455	goto fail;
456	}
457
458	#ifdef CONFIG_IPV6
459	if (hapd->conf->own_ip_addr.af == AF_INET6 &&
460	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
461	(u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
462	printf("Could not add NAS-IPv6-Address\n");
463	goto fail;
464	}
465	#endif /* CONFIG_IPV6 */
466
467	if (hapd->conf->nas_identifier &&
468	!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
469	(u8 *) hapd->conf->nas_identifier,
470	os_strlen(hapd->conf->nas_identifier))) {
471	printf("Could not add NAS-Identifier\n");
472	goto fail;
473	}
474
475	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
476	printf("Could not add NAS-Port\n");
477	goto fail;
478	}
479
480	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
481	MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid);
482	buf[sizeof(buf) - 1] = '\0';
483	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
484	(u8 *) buf, os_strlen(buf))) {
485	printf("Could not add Called-Station-Id\n");
486	goto fail;
487	}
488
489	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
490	MAC2STR(sta->addr));
491	buf[sizeof(buf) - 1] = '\0';
492	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
493	(u8 *) buf, os_strlen(buf))) {
494	printf("Could not add Calling-Station-Id\n");
495	goto fail;
496	}
497
498	/* TODO: should probably check MTU from driver config; 2304 is max for
499	* IEEE 802.11, but use 1400 to avoid problems with too large packets
500	*/
501	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
502	printf("Could not add Framed-MTU\n");
503	goto fail;
504	}
505
506	if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
507	RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
508	printf("Could not add NAS-Port-Type\n");
509	goto fail;
510	}
511
512	if (sta->flags & WLAN_STA_PREAUTH) {
513	os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
514	sizeof(buf));
515	} else {
516	os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
517	radius_sta_rate(hapd, sta) / 2,
518	(radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
519	radius_mode_txt(hapd));
520	buf[sizeof(buf) - 1] = '\0';
521	}
522	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
523	(u8 *) buf, os_strlen(buf))) {
524	printf("Could not add Connect-Info\n");
525	goto fail;
526	}
527
528	if (eap && !radius_msg_add_eap(msg, eap, len)) {
529	printf("Could not add EAP-Message\n");
530	goto fail;
531	}
532
533	/* State attribute must be copied if and only if this packet is
534	* Access-Request reply to the previous Access-Challenge */
535	if (sm->last_recv_radius && sm->last_recv_radius->hdr->code ==
536	RADIUS_CODE_ACCESS_CHALLENGE) {
537	int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
538	RADIUS_ATTR_STATE);
539	if (res < 0) {
540	printf("Could not copy State attribute from previous "
541	"Access-Challenge\n");
542	goto fail;
543	}
544	if (res > 0) {
545	wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
546	}
547	}
548
549	radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr);
550	return;
551
552	fail:
553	radius_msg_free(msg);
554	os_free(msg);
555	}
556
557
558	char *eap_type_text(u8 type)
559	{
560	switch (type) {
561	case EAP_TYPE_IDENTITY: return "Identity";
562	case EAP_TYPE_NOTIFICATION: return "Notification";
563	case EAP_TYPE_NAK: return "Nak";
564	case EAP_TYPE_MD5: return "MD5-Challenge";
565	case EAP_TYPE_OTP: return "One-Time Password";
566	case EAP_TYPE_GTC: return "Generic Token Card";
567	case EAP_TYPE_TLS: return "TLS";
568	case EAP_TYPE_TTLS: return "TTLS";
569	case EAP_TYPE_PEAP: return "PEAP";
570	case EAP_TYPE_SIM: return "SIM";
571	case EAP_TYPE_FAST: return "FAST";
572	case EAP_TYPE_SAKE: return "SAKE";
573	case EAP_TYPE_PSK: return "PSK";
574	case EAP_TYPE_PAX: return "PAX";
575	default: return "Unknown";
576	}
577	}
578
579
580	static void handle_eap_response(struct hostapd_data *hapd,
581	struct sta_info sta, struct eap_hdr eap,
582	size_t len)
583	{
584	u8 type, *data;
585	struct eapol_state_machine *sm = sta->eapol_sm;
586	if (sm == NULL)
587	return;
588
589	data = (u8 *) (eap + 1);
590
591	if (len < sizeof(*eap) + 1) {
592	printf("handle_eap_response: too short response data\n");
593	return;
594	}
595
596	sm->eap_type_supp = type = data[0];
597	eloop_cancel_timeout(ieee802_1x_eap_timeout, sta, NULL);
598
599	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
600	HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
601	"id=%d len=%d) from STA: EAP Response-%s (%d)",
602	eap->code, eap->identifier, be_to_host16(eap->length),
603	eap_type_text(type), type);
604
605	sm->dot1xAuthEapolRespFramesRx++;
606
607	wpabuf_free(sm->eap_if->eapRespData);
608	sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
609	sm->eapolEap = TRUE;
610	}
611
612
613	/* Process incoming EAP packet from Supplicant */
614	static void handle_eap(struct hostapd_data hapd, struct sta_info sta,
615	u8 *buf, size_t len)
616	{
617	struct eap_hdr *eap;
618	u16 eap_len;
619
620	if (len < sizeof(*eap)) {
621	printf(" too short EAP packet\n");
622	return;
623	}
624
625	eap = (struct eap_hdr *) buf;
626
627	eap_len = be_to_host16(eap->length);
628	wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
629	eap->code, eap->identifier, eap_len);
630	if (eap_len < sizeof(*eap)) {
631	wpa_printf(MSG_DEBUG, " Invalid EAP length");
632	return;
633	} else if (eap_len > len) {
634	wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP "
635	"packet");
636	return;
637	} else if (eap_len < len) {
638	wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP "
639	"packet", (unsigned long) len - eap_len);
640	}
641
642	switch (eap->code) {
643	case EAP_CODE_REQUEST:
644	wpa_printf(MSG_DEBUG, " (request)");
645	return;
646	case EAP_CODE_RESPONSE:
647	wpa_printf(MSG_DEBUG, " (response)");
648	handle_eap_response(hapd, sta, eap, eap_len);
649	break;
650	case EAP_CODE_SUCCESS:
651	wpa_printf(MSG_DEBUG, " (success)");
652	return;
653	case EAP_CODE_FAILURE:
654	wpa_printf(MSG_DEBUG, " (failure)");
655	return;
656	default:
657	wpa_printf(MSG_DEBUG, " (unknown code)");
658	return;
659	}
660	}
661
662
663	/* Process the EAPOL frames from the Supplicant */
664	void ieee802_1x_receive(struct hostapd_data hapd, const u8 sa, const u8 *buf,
665	size_t len)
666	{
667	struct sta_info *sta;
668	struct ieee802_1x_hdr *hdr;
669	struct ieee802_1x_eapol_key *key;
670	u16 datalen;
671	struct rsn_pmksa_cache_entry *pmksa;
672
673	if (!hapd->conf->ieee802_1x && !hapd->conf->wpa)
674	return;
675
676	wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
677	(unsigned long) len, MAC2STR(sa));
678	sta = ap_get_sta(hapd, sa);
679	if (!sta) {
680	printf(" no station information available\n");
681	return;
682	}
683
684	if (len < sizeof(*hdr)) {
685	printf(" too short IEEE 802.1X packet\n");
686	return;
687	}
688
689	hdr = (struct ieee802_1x_hdr *) buf;
690	datalen = be_to_host16(hdr->length);
691	wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d",
692	hdr->version, hdr->type, datalen);
693
694	if (len - sizeof(*hdr) < datalen) {
695	printf(" frame too short for this IEEE 802.1X packet\n");
696	if (sta->eapol_sm)
697	sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
698	return;
699	}
700	if (len - sizeof(*hdr) > datalen) {
701	wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after "
702	"IEEE 802.1X packet",
703	(unsigned long) len - sizeof(*hdr) - datalen);
704	}
705
706	if (sta->eapol_sm) {
707	sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
708	sta->eapol_sm->dot1xAuthEapolFramesRx++;
709	}
710
711	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
712	if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
713	hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
714	(key->type == EAPOL_KEY_TYPE_WPA \|\|
715	key->type == EAPOL_KEY_TYPE_RSN)) {
716	wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
717	sizeof(*hdr) + datalen);
718	return;
719	}
720
721	if (!hapd->conf->ieee802_1x \|\|
722	wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_PSK \|\|
723	wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_FT_PSK)
724	return;
725
726	if (!sta->eapol_sm) {
727	sta->eapol_sm = eapol_auth_alloc(hapd->eapol_auth, sta->addr,
728	sta->flags & WLAN_STA_PREAUTH,
729	sta);
730	if (!sta->eapol_sm)
731	return;
732	}
733
734	/* since we support version 1, we can ignore version field and proceed
735	* as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
736	/* TODO: actually, we are not version 1 anymore.. However, Version 2
737	* does not change frame contents, so should be ok to process frames
738	* more or less identically. Some changes might be needed for
739	* verification of fields. */
740
741	switch (hdr->type) {
742	case IEEE802_1X_TYPE_EAP_PACKET:
743	handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
744	break;
745
746	case IEEE802_1X_TYPE_EAPOL_START:
747	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
748	HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
749	"from STA");
750	sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
751	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
752	if (pmksa) {
753	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
754	HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
755	"available - ignore it since "
756	"STA sent EAPOL-Start");
757	wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
758	}
759	sta->eapol_sm->eapolStart = TRUE;
760	sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
761	wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
762	break;
763
764	case IEEE802_1X_TYPE_EAPOL_LOGOFF:
765	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
766	HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
767	"from STA");
768	sta->acct_terminate_cause =
769	RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
770	sta->eapol_sm->eapolLogoff = TRUE;
771	sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
772	break;
773
774	case IEEE802_1X_TYPE_EAPOL_KEY:
775	wpa_printf(MSG_DEBUG, " EAPOL-Key");
776	if (!(sta->flags & WLAN_STA_AUTHORIZED)) {
777	wpa_printf(MSG_DEBUG, " Dropped key data from "
778	"unauthorized Supplicant");
779	break;
780	}
781	break;
782
783	case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
784	wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert");
785	/* TODO: implement support for this; show data */
786	break;
787
788	default:
789	wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type");
790	sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
791	break;
792	}
793
794	eapol_auth_step(sta->eapol_sm);
795	}
796
797
798	void ieee802_1x_new_station(struct hostapd_data hapd, struct sta_info sta)
799	{
800	struct rsn_pmksa_cache_entry *pmksa;
801	int reassoc = 1;
802	int force_1x = 0;
803
804	if ((!force_1x && !hapd->conf->ieee802_1x) \|\|
805	wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_PSK \|\|
806	wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_FT_PSK)
807	return;
808
809	if (sta->eapol_sm == NULL) {
810	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
811	HOSTAPD_LEVEL_DEBUG, "start authentication");
812	sta->eapol_sm = eapol_auth_alloc(hapd->eapol_auth, sta->addr,
813	sta->flags & WLAN_STA_PREAUTH,
814	sta);
815	if (sta->eapol_sm == NULL) {
816	hostapd_logger(hapd, sta->addr,
817	HOSTAPD_MODULE_IEEE8021X,
818	HOSTAPD_LEVEL_INFO,
819	"failed to allocate state machine");
820	return;
821	}
822	reassoc = 0;
823	}
824
825	sta->eapol_sm->eap_if->portEnabled = TRUE;
826
827	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
828	if (pmksa) {
829	int old_vlanid;
830
831	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
832	HOSTAPD_LEVEL_DEBUG,
833	"PMK from PMKSA cache - skip IEEE 802.1X/EAP");
834	/* Setup EAPOL state machines to already authenticated state
835	* because of existing PMKSA information in the cache. */
836	sta->eapol_sm->keyRun = TRUE;
837	sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
838	sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
839	sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
840	sta->eapol_sm->authSuccess = TRUE;
841	if (sta->eapol_sm->eap)
842	eap_sm_notify_cached(sta->eapol_sm->eap);
843	old_vlanid = sta->vlan_id;
844	pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
845	if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
846	sta->vlan_id = 0;
847	ap_sta_bind_vlan(hapd, sta, old_vlanid);
848	} else {
849	if (reassoc) {
850	/*
851	* Force EAPOL state machines to start
852	* re-authentication without having to wait for the
853	* Supplicant to send EAPOL-Start.
854	*/
855	sta->eapol_sm->reAuthenticate = TRUE;
856	}
857	eapol_auth_step(sta->eapol_sm);
858	}
859	}
860
861
862	void ieee802_1x_free_radius_class(struct radius_class_data *class)
863	{
864	size_t i;
865	if (class == NULL)
866	return;
867	for (i = 0; i < class->count; i++)
868	os_free(class->attr[i].data);
869	os_free(class->attr);
870	class->attr = NULL;
871	class->count = 0;
872	}
873
874
875	int ieee802_1x_copy_radius_class(struct radius_class_data *dst,
876	const struct radius_class_data *src)
877	{
878	size_t i;
879
880	if (src->attr == NULL)
881	return 0;
882
883	dst->attr = os_zalloc(src->count * sizeof(struct radius_attr_data));
884	if (dst->attr == NULL)
885	return -1;
886
887	dst->count = 0;
888
889	for (i = 0; i < src->count; i++) {
890	dst->attr[i].data = os_malloc(src->attr[i].len);
891	if (dst->attr[i].data == NULL)
892	break;
893	dst->count++;
894	os_memcpy(dst->attr[i].data, src->attr[i].data,
895	src->attr[i].len);
896	dst->attr[i].len = src->attr[i].len;
897	}
898
899	return 0;
900	}
901
902
903	void ieee802_1x_free_station(struct sta_info *sta)
904	{
905	struct eapol_state_machine *sm = sta->eapol_sm;
906
907	eloop_cancel_timeout(ieee802_1x_eap_timeout, sta, NULL);
908
909	if (sm == NULL)
910	return;
911
912	sta->eapol_sm = NULL;
913
914	if (sm->last_recv_radius) {
915	radius_msg_free(sm->last_recv_radius);
916	os_free(sm->last_recv_radius);
917	}
918
919	os_free(sm->identity);
920	ieee802_1x_free_radius_class(&sm->radius_class);
921	eapol_auth_free(sm);
922	}
923
924
925	static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
926	struct sta_info *sta)
927	{
928	u8 *eap;
929	size_t len;
930	struct eap_hdr *hdr;
931	int eap_type = -1;
932	char buf[64];
933	struct radius_msg *msg;
934	struct eapol_state_machine *sm = sta->eapol_sm;
935
936	if (sm == NULL \|\| sm->last_recv_radius == NULL) {
937	if (sm)
938	sm->eap_if->aaaEapNoReq = TRUE;
939	return;
940	}
941
942	msg = sm->last_recv_radius;
943
944	eap = radius_msg_get_eap(msg, &len);
945	if (eap == NULL) {
946	/* RFC 3579, Chap. 2.6.3:
947	* RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
948	* attribute */
949	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
950	HOSTAPD_LEVEL_WARNING, "could not extract "
951	"EAP-Message from RADIUS message");
952	sm->eap_if->aaaEapNoReq = TRUE;
953	return;
954	}
955
956	if (len < sizeof(*hdr)) {
957	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
958	HOSTAPD_LEVEL_WARNING, "too short EAP packet "
959	"received from authentication server");
960	os_free(eap);
961	sm->eap_if->aaaEapNoReq = TRUE;
962	return;
963	}
964
965	if (len > sizeof(*hdr))
966	eap_type = eap[sizeof(*hdr)];
967
968	hdr = (struct eap_hdr *) eap;
969	switch (hdr->code) {
970	case EAP_CODE_REQUEST:
971	if (eap_type >= 0)
972	sm->eap_type_authsrv = eap_type;
973	os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
974	eap_type >= 0 ? eap_type_text(eap_type) : "??",
975	eap_type);
976	break;
977	case EAP_CODE_RESPONSE:
978	os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
979	eap_type >= 0 ? eap_type_text(eap_type) : "??",
980	eap_type);
981	break;
982	case EAP_CODE_SUCCESS:
983	os_strlcpy(buf, "EAP Success", sizeof(buf));
984	break;
985	case EAP_CODE_FAILURE:
986	os_strlcpy(buf, "EAP Failure", sizeof(buf));
987	break;
988	default:
989	os_strlcpy(buf, "unknown EAP code", sizeof(buf));
990	break;
991	}
992	buf[sizeof(buf) - 1] = '\0';
993	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
994	HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
995	"id=%d len=%d) from RADIUS server: %s",
996	hdr->code, hdr->identifier, be_to_host16(hdr->length),
997	buf);
998	sm->eap_if->aaaEapReq = TRUE;
999	//brainslayer. hier bandwidth attribut abfragen
1000
1001	wpabuf_free(sm->eap_if->aaaEapReqData);
1002	sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len);
1003	}
1004
1005
1006	static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1007	struct sta_info sta, struct radius_msg msg,
1008	struct radius_msg *req,
1009	u8 *shared_secret, size_t shared_secret_len)
1010	{
1011	struct radius_ms_mppe_keys *keys;
1012	struct eapol_state_machine *sm = sta->eapol_sm;
1013	if (sm == NULL)
1014	return;
1015
1016	keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1017	shared_secret_len);
1018
1019	if (keys && keys->send && keys->recv) {
1020	size_t len = keys->send_len + keys->recv_len;
1021	wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1022	keys->send, keys->send_len);
1023	wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1024	keys->recv, keys->recv_len);
1025
1026	os_free(sm->eap_if->aaaEapKeyData);
1027	sm->eap_if->aaaEapKeyData = os_malloc(len);
1028	if (sm->eap_if->aaaEapKeyData) {
1029	os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1030	keys->recv_len);
1031	os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1032	keys->send, keys->send_len);
1033	sm->eap_if->aaaEapKeyDataLen = len;
1034	sm->eap_if->aaaEapKeyAvailable = TRUE;
1035	}
1036	}
1037
1038	if (keys) {
1039	os_free(keys->send);
1040	os_free(keys->recv);
1041	os_free(keys);
1042	}
1043	}
1044
1045
1046	static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1047	struct sta_info *sta,
1048	struct radius_msg *msg)
1049	{
1050	u8 *class;
1051	size_t class_len;
1052	struct eapol_state_machine *sm = sta->eapol_sm;
1053	int count, i;
1054	struct radius_attr_data *nclass;
1055	size_t nclass_count;
1056
1057	if (!hapd->conf->radius->acct_server \|\| hapd->radius == NULL \|\|
1058	sm == NULL)
1059	return;
1060
1061	ieee802_1x_free_radius_class(&sm->radius_class);
1062	count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1063	if (count <= 0)
1064	return;
1065
1066	nclass = os_zalloc(count * sizeof(struct radius_attr_data));
1067	if (nclass == NULL)
1068	return;
1069
1070	nclass_count = 0;
1071
1072	class = NULL;
1073	for (i = 0; i < count; i++) {
1074	do {
1075	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1076	&class, &class_len,
1077	class) < 0) {
1078	i = count;
1079	break;
1080	}
1081	} while (class_len < 1);
1082
1083	nclass[nclass_count].data = os_malloc(class_len);
1084	if (nclass[nclass_count].data == NULL)
1085	break;
1086
1087	os_memcpy(nclass[nclass_count].data, class, class_len);
1088	nclass[nclass_count].len = class_len;
1089	nclass_count++;
1090	}
1091
1092	sm->radius_class.attr = nclass;
1093	sm->radius_class.count = nclass_count;
1094	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
1095	"attributes for " MACSTR,
1096	(unsigned long) sm->radius_class.count,
1097	MAC2STR(sta->addr));
1098	}
1099
1100
1101	/* Update sta->identity based on User-Name attribute in Access-Accept */
1102	static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1103	struct sta_info *sta,
1104	struct radius_msg *msg)
1105	{
1106	u8 buf, identity;
1107	size_t len;
1108	struct eapol_state_machine *sm = sta->eapol_sm;
1109
1110	if (sm == NULL)
1111	return;
1112
1113	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1114	NULL) < 0)
1115	return;
1116
1117	identity = os_malloc(len + 1);
1118	if (identity == NULL)
1119	return;
1120
1121	os_memcpy(identity, buf, len);
1122	identity[len] = '\0';
1123
1124	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1125	HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
1126	"User-Name from Access-Accept '%s'",
1127	sm->identity ? (char *) sm->identity : "N/A",
1128	(char *) identity);
1129
1130	os_free(sm->identity);
1131	sm->identity = identity;
1132	sm->identity_len = len;
1133	}
1134
1135
1136	struct sta_id_search {
1137	u8 identifier;
1138	struct eapol_state_machine *sm;
1139	};
1140
1141
1142	static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1143	struct sta_info *sta,
1144	void *ctx)
1145	{
1146	struct sta_id_search *id_search = ctx;
1147	struct eapol_state_machine *sm = sta->eapol_sm;
1148
1149	if (sm && sm->radius_identifier >= 0 &&
1150	sm->radius_identifier == id_search->identifier) {
1151	id_search->sm = sm;
1152	return 1;
1153	}
1154	return 0;
1155	}
1156
1157
1158	static struct eapol_state_machine *
1159	ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1160	{
1161	struct sta_id_search id_search;
1162	id_search.identifier = identifier;
1163	id_search.sm = NULL;
1164	ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1165	return id_search.sm;
1166	}
1167
1168
1169	#ifdef HAVE_AQOS
1170	extern void add_usermac( char mac, int idx, char upstream,
1171	char downstream, char lanstream );
1172	extern char nvram_safe_get(const char name);
1173
1174	int addrule(char mac, char upstream, char *downstream)
1175	{
1176	char *qos_mac = nvram_safe_get( "svqos_macs" );
1177	char *newqos;
1178	int ret = 0;
1179	int len = strlen(qos_mac);
1180
1181	newqos = malloc(len + 128);
1182	memset(newqos, 0, len + 128);
1183
1184	char level[32], level2[32], level3[32], data[32], type[32];
1185	strcpy(level3, "0");
1186	if (len > 0) {
1187	do {
1188	if(sscanf( qos_mac, "%31s %31s %31s %31s %31s \|", data, level, level2, type, level3) < 5)
1189	break;
1190	if (!strcasecmp(data,mac)) {
1191	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,data,upstream,downstream,"hostapd",level3);
1192	if (!strcmp(level,upstream) && !strcmp(level2,downstream))
1193	ret = 1;
1194	else
1195	ret = 2;
1196	} else
1197	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,data,level,level2,type,level3);
1198	} while( ( qos_mac = strpbrk( ++qos_mac, "\|" ) ) && qos_mac++ );
1199	}
1200
1201	if (!ret)
1202	sprintf(newqos,"%s %s %s %s %s %s \|",newqos,mac,upstream,downstream,"hostapd",level3);
1203
1204	nvram_set("svqos_macs",newqos);
1205	free(newqos);
1206	}
1207
1208	#endif
1209	/* Process the RADIUS frames from Authentication Server */
1210	static RadiusRxResult
1211	ieee802_1x_receive_auth(struct radius_msg msg, struct radius_msg req,
1212	u8 *shared_secret, size_t shared_secret_len,
1213	void *data)
1214	{
1215	struct hostapd_data *hapd = data;
1216	struct sta_info *sta;
1217	u32 session_timeout = 0, termination_action, acct_interim_interval;
1218	int session_timeout_set, old_vlanid = 0;
1219	int eap_timeout;
1220	struct eapol_state_machine *sm;
1221	int override_eapReq = 0;
1222	static int qosidx=500;
1223	sm = ieee802_1x_search_radius_identifier(hapd, msg->hdr->identifier);
1224	if (sm == NULL) {
1225	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
1226	"station for this RADIUS message");
1227	return RADIUS_RX_UNKNOWN;
1228	}
1229	sta = sm->sta;
1230
1231	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1232	* present when packet contains an EAP-Message attribute */
1233	if (msg->hdr->code == RADIUS_CODE_ACCESS_REJECT &&
1234	radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
1235	0) < 0 &&
1236	radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
1237	wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
1238	"Message-Authenticator since it does not include "
1239	"EAP-Message");
1240	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
1241	req, 1)) {
1242	printf("Incoming RADIUS packet did not have correct "
1243	"Message-Authenticator - dropped\n");
1244	return RADIUS_RX_INVALID_AUTHENTICATOR;
1245	}
1246
1247	if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
1248	msg->hdr->code != RADIUS_CODE_ACCESS_REJECT &&
1249	msg->hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
1250	printf("Unknown RADIUS message code\n");
1251	return RADIUS_RX_UNKNOWN;
1252	}
1253
1254	sm->radius_identifier = -1;
1255	wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
1256	MAC2STR(sta->addr));
1257
1258	if (sm->last_recv_radius) {
1259	radius_msg_free(sm->last_recv_radius);
1260	os_free(sm->last_recv_radius);
1261	}
1262
1263	sm->last_recv_radius = msg;
1264
1265	session_timeout_set =
1266	!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
1267	&session_timeout);
1268	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
1269	&termination_action))
1270	termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
1271
1272	if (hapd->conf->radius->acct_interim_interval == 0 &&
1273	msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
1274	radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
1275	&acct_interim_interval) == 0) {
1276	if (acct_interim_interval < 60) {
1277	hostapd_logger(hapd, sta->addr,
1278	HOSTAPD_MODULE_IEEE8021X,
1279	HOSTAPD_LEVEL_INFO,
1280	"ignored too small "
1281	"Acct-Interim-Interval %d",
1282	acct_interim_interval);
1283	} else
1284	sta->acct_interim_interval = acct_interim_interval;
1285	}
1286
1287
1288	switch (msg->hdr->code) {
1289	case RADIUS_CODE_ACCESS_ACCEPT:
1290	#ifdef HAVE_AQOS
1291	wpa_printf(MSG_DEBUG, "check user bandwith shaping\n");
1292	u32 down,up;
1293	size_t len;
1294	if ((down=(u32*)radius_msg_get_vendor_attr(msg,RADIUS_VENDOR_ID_WISPR, RADIUS_ATTR_WISPR_BANDWIDTH_MAX_DOWN ,&len)) == NULL) {
1295	wpa_printf(MSG_DEBUG, "no downstream level found\n");
1296	}else
1297	{
1298	if ((up=(u32*)radius_msg_get_vendor_attr(msg,RADIUS_VENDOR_ID_WISPR, RADIUS_ATTR_WISPR_BANDWIDTH_MAX_UP ,&len)) == NULL) {
1299	wpa_printf(MSG_DEBUG, "no up level found\n");
1300	os_free(down);
1301	}else{
1302	down=ntohl(down);
1303	up=ntohl(up);
1304	wpa_printf(MSG_DEBUG, "downstream %d kbits, upstream %d kbits level found\n",down,up);
1305	char mac[64];
1306	sprintf(mac, MACSTR, MAC2STR(sta->addr));
1307	char uplevel[64];
1308	char downlevel[64];
1309	sprintf(uplevel,"%d",*up/1000);
1310	sprintf(downlevel,"%d",*down/1000);
1311	int ret = addrule(mac,uplevel,downlevel);
1312	//case 0 = does not exists, should just be added, no restart
1313	//case 1 = no change required, already added
1314	//case 2 = change required, exists, but new settings
1315	//case 3 = change required, exists, new setting
1316	if (!ret)
1317	{
1318	qosidx+=2;
1319	if (qosidx>500)
1320	qosidx=0;
1321	wpa_printf(MSG_DEBUG, "bandwidth rule is new, no flush required!\n");
1322	add_usermac(mac, qosidx, uplevel,downlevel,"0" );
1323	}else if (ret>1)
1324	{
1325	wpa_printf(MSG_DEBUG, "bandwidth rule change detected, flush table and reset it to new values! (status %d)\n",ret);
1326	system("startstop_f wshaper");
1327	}
1328	os_free(up);
1329	os_free(down);
1330	}
1331
1332	}
1333	#endif
1334	if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
1335	sta->vlan_id = 0;
1336	else {
1337	old_vlanid = sta->vlan_id;
1338	sta->vlan_id = radius_msg_get_vlanid(msg);
1339	}
1340	if (sta->vlan_id > 0 &&
1341	hostapd_get_vlan_id_ifname(hapd->conf->vlan,
1342	sta->vlan_id)) {
1343	hostapd_logger(hapd, sta->addr,
1344	HOSTAPD_MODULE_RADIUS,
1345	HOSTAPD_LEVEL_INFO,
1346	"VLAN ID %d", sta->vlan_id);
1347	} else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
1348	sta->eapol_sm->authFail = TRUE;
1349	hostapd_logger(hapd, sta->addr,
1350	HOSTAPD_MODULE_IEEE8021X,
1351	HOSTAPD_LEVEL_INFO, "authentication "
1352	"server did not include required VLAN "
1353	"ID in Access-Accept");
1354	break;
1355	}
1356
1357	ap_sta_bind_vlan(hapd, sta, old_vlanid);
1358
1359	/* RFC 3580, Ch. 3.17 */
1360	if (session_timeout_set && termination_action ==
1361	RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
1362	sm->reAuthPeriod = session_timeout;
1363	} else if (session_timeout_set)
1364	ap_sta_session_timeout(hapd, sta, session_timeout);
1365
1366	sm->eap_if->aaaSuccess = TRUE;
1367	override_eapReq = 1;
1368	ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
1369	shared_secret_len);
1370	ieee802_1x_store_radius_class(hapd, sta, msg);
1371	ieee802_1x_update_sta_identity(hapd, sta, msg);
1372	if (sm->eap_if->eapKeyAvailable &&
1373	wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt,
1374	session_timeout_set ?
1375	(int) session_timeout : -1, sm) == 0) {
1376	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1377	HOSTAPD_LEVEL_DEBUG,
1378	"Added PMKSA cache entry");
1379	}
1380	break;
1381	case RADIUS_CODE_ACCESS_REJECT:
1382	sm->eap_if->aaaFail = TRUE;
1383	override_eapReq = 1;
1384	break;
1385	case RADIUS_CODE_ACCESS_CHALLENGE:
1386	sm->eap_if->aaaEapReq = TRUE;
1387	if (session_timeout_set) {
1388	/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
1389	eap_timeout = session_timeout;
1390	} else
1391	eap_timeout = 30;
1392	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
1393	HOSTAPD_LEVEL_DEBUG,
1394	"using EAP timeout of %d seconds%s",
1395	eap_timeout,
1396	session_timeout_set ? " (from RADIUS)" : "");
1397	eloop_cancel_timeout(ieee802_1x_eap_timeout, sta, NULL);
1398	eloop_register_timeout(eap_timeout, 0, ieee802_1x_eap_timeout,
1399	sta, NULL);
1400	sm->eap_if->eapTimeout = FALSE;
1401	break;
1402	}
1403
1404	ieee802_1x_decapsulate_radius(hapd, sta);
1405	if (override_eapReq)
1406	sm->eap_if->aaaEapReq = FALSE;
1407
1408	eapol_auth_step(sm);
1409
1410	return RADIUS_RX_QUEUED;
1411	}
1412
1413
1414	void ieee802_1x_abort_auth(struct hostapd_data hapd, struct sta_info sta)
1415	{
1416	struct eapol_state_machine *sm = sta->eapol_sm;
1417	if (sm == NULL)
1418	return;
1419
1420	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1421	HOSTAPD_LEVEL_DEBUG, "aborting authentication");
1422
1423	if (sm->last_recv_radius) {
1424	radius_msg_free(sm->last_recv_radius);
1425	os_free(sm->last_recv_radius);
1426	sm->last_recv_radius = NULL;
1427	}
1428	}
1429
1430
1431	#ifdef HOSTAPD_DUMP_STATE
1432	static void fprint_char(FILE *f, char c)
1433	{
1434	if (c >= 32 && c < 127)
1435	fprintf(f, "%c", c);
1436	else
1437	fprintf(f, "<%02x>", c);
1438	}
1439
1440
1441	void ieee802_1x_dump_state(FILE f, const char prefix, struct sta_info *sta)
1442	{
1443	struct eapol_state_machine *sm = sta->eapol_sm;
1444	if (sm == NULL)
1445	return;
1446
1447	fprintf(f, "%sIEEE 802.1X:\n", prefix);
1448
1449	if (sm->identity) {
1450	size_t i;
1451	fprintf(f, "%sidentity=", prefix);
1452	for (i = 0; i < sm->identity_len; i++)
1453	fprint_char(f, sm->identity[i]);
1454	fprintf(f, "\n");
1455	}
1456
1457	fprintf(f, "%slast EAP type: Authentication Server: %d (%s) "
1458	"Supplicant: %d (%s)\n", prefix,
1459	sm->eap_type_authsrv, eap_type_text(sm->eap_type_authsrv),
1460	sm->eap_type_supp, eap_type_text(sm->eap_type_supp));
1461
1462	fprintf(f, "%scached_packets=%s\n", prefix,
1463	sm->last_recv_radius ? "[RX RADIUS]" : "");
1464
1465	eapol_auth_dump_state(f, prefix, sm);
1466	}
1467	#endif /* HOSTAPD_DUMP_STATE */
1468
1469
1470	static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
1471	{
1472	if (hapd->conf->default_wep_key_len < 1)
1473	return 0;
1474
1475	os_free(hapd->default_wep_key);
1476	hapd->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
1477	if (hapd->default_wep_key == NULL \|\|
1478	os_get_random(hapd->default_wep_key,
1479	hapd->conf->default_wep_key_len)) {
1480	printf("Could not generate random WEP key.\n");
1481	os_free(hapd->default_wep_key);
1482	hapd->default_wep_key = NULL;
1483	return -1;
1484	}
1485
1486	wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
1487	hapd->default_wep_key,
1488	hapd->conf->default_wep_key_len);
1489
1490	return 0;
1491	}
1492
1493
1494	static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
1495	struct sta_info sta, void ctx)
1496	{
1497	if (sta->eapol_sm) {
1498	sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1499	eapol_auth_step(sta->eapol_sm);
1500	}
1501	return 0;
1502	}
1503
1504
1505	static void ieee802_1x_rekey(void eloop_ctx, void timeout_ctx)
1506	{
1507	struct hostapd_data *hapd = eloop_ctx;
1508
1509	if (hapd->default_wep_key_idx >= 3)
1510	hapd->default_wep_key_idx =
1511	hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
1512	else
1513	hapd->default_wep_key_idx++;
1514
1515	wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
1516	hapd->default_wep_key_idx);
1517
1518	if (ieee802_1x_rekey_broadcast(hapd)) {
1519	hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1520	HOSTAPD_LEVEL_WARNING, "failed to generate a "
1521	"new broadcast key");
1522	os_free(hapd->default_wep_key);
1523	hapd->default_wep_key = NULL;
1524	return;
1525	}
1526
1527	/* TODO: Could setup key for RX here, but change default TX keyid only
1528	* after new broadcast key has been sent to all stations. */
1529	if (hostapd_set_encryption(hapd->conf->iface, hapd, "WEP", NULL,
1530	hapd->default_wep_key_idx,
1531	hapd->default_wep_key,
1532	hapd->conf->default_wep_key_len, 1)) {
1533	hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1534	HOSTAPD_LEVEL_WARNING, "failed to configure a "
1535	"new broadcast key");
1536	os_free(hapd->default_wep_key);
1537	hapd->default_wep_key = NULL;
1538	return;
1539	}
1540
1541	ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
1542
1543	if (hapd->conf->wep_rekeying_period > 0) {
1544	eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
1545	ieee802_1x_rekey, hapd, NULL);
1546	}
1547	}
1548
1549
1550	static void ieee802_1x_eapol_send(void ctx, void sta_ctx, u8 type,
1551	const u8 *data, size_t datalen)
1552	{
1553	ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
1554	}
1555
1556
1557	static void ieee802_1x_aaa_send(void ctx, void sta_ctx,
1558	const u8 *data, size_t datalen)
1559	{
1560	struct hostapd_data *hapd = ctx;
1561	struct sta_info *sta = sta_ctx;
1562
1563	ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
1564	}
1565
1566
1567	static void _ieee802_1x_finished(void ctx, void sta_ctx, int success,
1568	int preauth)
1569	{
1570	struct hostapd_data *hapd = ctx;
1571	struct sta_info *sta = sta_ctx;
1572	if (preauth)
1573	rsn_preauth_finished(hapd, sta, success);
1574	else
1575	ieee802_1x_finished(hapd, sta, success);
1576	}
1577
1578
1579	static int ieee802_1x_get_eap_user(void ctx, const u8 identity,
1580	size_t identity_len, int phase2,
1581	struct eap_user *user)
1582	{
1583	struct hostapd_data *hapd = ctx;
1584	const struct hostapd_eap_user *eap_user;
1585	int i, count;
1586
1587	eap_user = hostapd_get_eap_user(hapd->conf, identity,
1588	identity_len, phase2);
1589	if (eap_user == NULL)
1590	return -1;
1591
1592	os_memset(user, 0, sizeof(*user));
1593	user->phase2 = phase2;
1594	count = EAP_USER_MAX_METHODS;
1595	if (count > EAP_MAX_METHODS)
1596	count = EAP_MAX_METHODS;
1597	for (i = 0; i < count; i++) {
1598	user->methods[i].vendor = eap_user->methods[i].vendor;
1599	user->methods[i].method = eap_user->methods[i].method;
1600	}
1601
1602	if (eap_user->password) {
1603	user->password = os_malloc(eap_user->password_len);
1604	if (user->password == NULL)
1605	return -1;
1606	os_memcpy(user->password, eap_user->password,
1607	eap_user->password_len);
1608	user->password_len = eap_user->password_len;
1609	}
1610	user->force_version = eap_user->force_version;
1611	user->ttls_auth = eap_user->ttls_auth;
1612
1613	return 0;
1614	}
1615
1616
1617	static int ieee802_1x_sta_entry_alive(void ctx, const u8 addr)
1618	{
1619	struct hostapd_data *hapd = ctx;
1620	struct sta_info *sta;
1621	sta = ap_get_sta(hapd, addr);
1622	if (sta == NULL \|\| sta->eapol_sm == NULL)
1623	return 0;
1624	return 1;
1625	}
1626
1627
1628	static void ieee802_1x_logger(void ctx, const u8 addr,
1629	eapol_logger_level level, const char *txt)
1630	{
1631	struct hostapd_data *hapd = ctx;
1632	int hlevel;
1633
1634	switch (level) {
1635	case EAPOL_LOGGER_WARNING:
1636	hlevel = HOSTAPD_LEVEL_WARNING;
1637	break;
1638	case EAPOL_LOGGER_INFO:
1639	hlevel = HOSTAPD_LEVEL_INFO;
1640	break;
1641	case EAPOL_LOGGER_DEBUG:
1642	default:
1643	hlevel = HOSTAPD_LEVEL_DEBUG;
1644	break;
1645	}
1646
1647	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
1648	txt);
1649	}
1650
1651
1652	static void ieee802_1x_set_port_authorized(void ctx, void sta_ctx,
1653	int authorized)
1654	{
1655	struct hostapd_data *hapd = ctx;
1656	struct sta_info *sta = sta_ctx;
1657	ieee802_1x_set_sta_authorized(hapd, sta, authorized);
1658	}
1659
1660
1661	static void _ieee802_1x_abort_auth(void ctx, void sta_ctx)
1662	{
1663	struct hostapd_data *hapd = ctx;
1664	struct sta_info *sta = sta_ctx;
1665	ieee802_1x_abort_auth(hapd, sta);
1666	}
1667
1668
1669	static void _ieee802_1x_tx_key(void ctx, void sta_ctx)
1670	{
1671	struct hostapd_data *hapd = ctx;
1672	struct sta_info *sta = sta_ctx;
1673	ieee802_1x_tx_key(hapd, sta);
1674	}
1675
1676
1677	int ieee802_1x_init(struct hostapd_data *hapd)
1678	{
1679	int i;
1680	struct eapol_auth_config conf;
1681	struct eapol_auth_cb cb;
1682
1683	os_memset(&conf, 0, sizeof(conf));
1684	conf.hapd = hapd;
1685	conf.eap_reauth_period = hapd->conf->eap_reauth_period;
1686	conf.wpa = hapd->conf->wpa;
1687	conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
1688	conf.eap_server = hapd->conf->eap_server;
1689	conf.ssl_ctx = hapd->ssl_ctx;
1690	conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
1691	conf.eap_req_id_text = hapd->conf->eap_req_id_text;
1692	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
1693	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
1694	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
1695	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
1696	conf.tnc = hapd->conf->tnc;
1697
1698	os_memset(&cb, 0, sizeof(cb));
1699	cb.eapol_send = ieee802_1x_eapol_send;
1700	cb.aaa_send = ieee802_1x_aaa_send;
1701	cb.finished = _ieee802_1x_finished;
1702	cb.get_eap_user = ieee802_1x_get_eap_user;
1703	cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
1704	cb.logger = ieee802_1x_logger;
1705	cb.set_port_authorized = ieee802_1x_set_port_authorized;
1706	cb.abort_auth = _ieee802_1x_abort_auth;
1707	cb.tx_key = _ieee802_1x_tx_key;
1708
1709	hapd->eapol_auth = eapol_auth_init(&conf, &cb);
1710	if (hapd->eapol_auth == NULL)
1711	return -1;
1712
1713	if ((hapd->conf->ieee802_1x \|\| hapd->conf->wpa) &&
1714	hostapd_set_ieee8021x(hapd->conf->iface, hapd, 1))
1715	return -1;
1716
1717	if (radius_client_register(hapd->radius, RADIUS_AUTH,
1718	ieee802_1x_receive_auth, hapd))
1719	return -1;
1720
1721	if (hapd->conf->default_wep_key_len) {
1722	hostapd_set_privacy(hapd, 1);
1723
1724	for (i = 0; i < 4; i++)
1725	hostapd_set_encryption(hapd->conf->iface, hapd,
1726	"none", NULL, i, NULL, 0, 0);
1727
1728	ieee802_1x_rekey(hapd, NULL);
1729
1730	if (hapd->default_wep_key == NULL)
1731	return -1;
1732	}
1733
1734	return 0;
1735	}
1736
1737
1738	void ieee802_1x_deinit(struct hostapd_data *hapd)
1739	{
1740	eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
1741
1742	if (hapd->driver != NULL &&
1743	(hapd->conf->ieee802_1x \|\| hapd->conf->wpa))
1744	hostapd_set_ieee8021x(hapd->conf->iface, hapd, 0);
1745
1746	eapol_auth_deinit(hapd->eapol_auth);
1747	hapd->eapol_auth = NULL;
1748	}
1749
1750
1751	int ieee802_1x_reconfig(struct hostapd_data *hapd,
1752	struct hostapd_config *oldconf,
1753	struct hostapd_bss_config *oldbss)
1754	{
1755	ieee802_1x_deinit(hapd);
1756	return ieee802_1x_init(hapd);
1757	}
1758
1759
1760	int ieee802_1x_tx_status(struct hostapd_data hapd, struct sta_info sta,
1761	u8 *buf, size_t len, int ack)
1762	{
1763	struct ieee80211_hdr *hdr;
1764	struct ieee802_1x_hdr *xhdr;
1765	struct ieee802_1x_eapol_key *key;
1766	u8 *pos;
1767	const unsigned char rfc1042_hdr[ETH_ALEN] =
1768	{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
1769
1770	if (sta == NULL)
1771	return -1;
1772	if (len < sizeof(hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(xhdr))
1773	return 0;
1774
1775	hdr = (struct ieee80211_hdr *) buf;
1776	pos = (u8 *) (hdr + 1);
1777	if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
1778	return 0;
1779	pos += sizeof(rfc1042_hdr);
1780	if (WPA_GET_BE16(pos) != ETH_P_PAE)
1781	return 0;
1782	pos += 2;
1783
1784	xhdr = (struct ieee802_1x_hdr *) pos;
1785	pos += sizeof(*xhdr);
1786
1787	wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
1788	"type=%d length=%d - ack=%d",
1789	MAC2STR(sta->addr), xhdr->version, xhdr->type,
1790	be_to_host16(xhdr->length), ack);
1791
1792	/* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
1793	* or Authenticator state machines, but EAPOL-Key packets are not
1794	* retransmitted in case of failure. Try to re-sent failed EAPOL-Key
1795	* packets couple of times because otherwise STA keys become
1796	* unsynchronized with AP. */
1797	if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack &&
1798	pos + sizeof(*key) <= buf + len) {
1799	key = (struct ieee802_1x_eapol_key *) pos;
1800	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1801	HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
1802	"frame (%scast index=%d)",
1803	key->key_index & BIT(7) ? "uni" : "broad",
1804	key->key_index & ~BIT(7));
1805	/* TODO: re-send EAPOL-Key couple of times (with short delay
1806	* between them?). If all attempt fail, report error and
1807	* deauthenticate STA so that it will get new keys when
1808	* authenticating again (e.g., after returning in range).
1809	* Separate limit/transmit state needed both for unicast and
1810	* broadcast keys(?) */
1811	}
1812	/* TODO: could move unicast key configuration from ieee802_1x_tx_key()
1813	* to here and change the key only if the EAPOL-Key packet was Acked.
1814	*/
1815
1816	return 1;
1817	}
1818
1819
1820	u8 * ieee802_1x_get_identity(struct eapol_state_machine sm, size_t len)
1821	{
1822	if (sm == NULL \|\| sm->identity == NULL)
1823	return NULL;
1824
1825	*len = sm->identity_len;
1826	return sm->identity;
1827	}
1828
1829
1830	u8 * ieee802_1x_get_radius_class(struct eapol_state_machine sm, size_t len,
1831	int idx)
1832	{
1833	if (sm == NULL \|\| sm->radius_class.attr == NULL \|\|
1834	idx >= (int) sm->radius_class.count)
1835	return NULL;
1836
1837	*len = sm->radius_class.attr[idx].len;
1838	return sm->radius_class.attr[idx].data;
1839	}
1840
1841
1842	const u8 * ieee802_1x_get_key(struct eapol_state_machine sm, size_t len)
1843	{
1844	if (sm == NULL)
1845	return NULL;
1846
1847	*len = sm->eap_if->eapKeyDataLen;
1848	return sm->eap_if->eapKeyData;
1849	}
1850
1851
1852	void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
1853	int enabled)
1854	{
1855	if (sm == NULL)
1856	return;
1857	sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
1858	eapol_auth_step(sm);
1859	}
1860
1861
1862	void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
1863	int valid)
1864	{
1865	if (sm == NULL)
1866	return;
1867	sm->portValid = valid ? TRUE : FALSE;
1868	eapol_auth_step(sm);
1869	}
1870
1871
1872	void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
1873	{
1874	if (sm == NULL)
1875	return;
1876	if (pre_auth)
1877	sm->flags \|= EAPOL_SM_PREAUTH;
1878	else
1879	sm->flags &= ~EAPOL_SM_PREAUTH;
1880	}
1881
1882
1883	static const char * bool_txt(Boolean bool)
1884	{
1885	return bool ? "TRUE" : "FALSE";
1886	}
1887
1888
1889	int ieee802_1x_get_mib(struct hostapd_data hapd, char buf, size_t buflen)
1890	{
1891	/* TODO */
1892	return 0;
1893	}
1894
1895
1896	int ieee802_1x_get_mib_sta(struct hostapd_data hapd, struct sta_info sta,
1897	char *buf, size_t buflen)
1898	{
1899	int len = 0, ret;
1900	struct eapol_state_machine *sm = sta->eapol_sm;
1901
1902	if (sm == NULL)
1903	return 0;
1904
1905	ret = os_snprintf(buf + len, buflen - len,
1906	"dot1xPaePortNumber=%d\n"
1907	"dot1xPaePortProtocolVersion=%d\n"
1908	"dot1xPaePortCapabilities=1\n"
1909	"dot1xPaePortInitialize=%d\n"
1910	"dot1xPaePortReauthenticate=FALSE\n",
1911	sta->aid,
1912	EAPOL_VERSION,
1913	sm->initialize);
1914	if (ret < 0 \|\| (size_t) ret >= buflen - len)
1915	return len;
1916	len += ret;
1917
1918	/* dot1xAuthConfigTable */
1919	ret = os_snprintf(buf + len, buflen - len,
1920	"dot1xAuthPaeState=%d\n"
1921	"dot1xAuthBackendAuthState=%d\n"
1922	"dot1xAuthAdminControlledDirections=%d\n"
1923	"dot1xAuthOperControlledDirections=%d\n"
1924	"dot1xAuthAuthControlledPortStatus=%d\n"
1925	"dot1xAuthAuthControlledPortControl=%d\n"
1926	"dot1xAuthQuietPeriod=%u\n"
1927	"dot1xAuthServerTimeout=%u\n"
1928	"dot1xAuthReAuthPeriod=%u\n"
1929	"dot1xAuthReAuthEnabled=%s\n"
1930	"dot1xAuthKeyTxEnabled=%s\n",
1931	sm->auth_pae_state + 1,
1932	sm->be_auth_state + 1,
1933	sm->adminControlledDirections,
1934	sm->operControlledDirections,
1935	sm->authPortStatus,
1936	sm->portControl,
1937	sm->quietPeriod,
1938	sm->serverTimeout,
1939	sm->reAuthPeriod,
1940	bool_txt(sm->reAuthEnabled),
1941	bool_txt(sm->keyTxEnabled));
1942	if (ret < 0 \|\| (size_t) ret >= buflen - len)
1943	return len;
1944	len += ret;
1945
1946	/* dot1xAuthStatsTable */
1947	ret = os_snprintf(buf + len, buflen - len,
1948	"dot1xAuthEapolFramesRx=%u\n"
1949	"dot1xAuthEapolFramesTx=%u\n"
1950	"dot1xAuthEapolStartFramesRx=%u\n"
1951	"dot1xAuthEapolLogoffFramesRx=%u\n"
1952	"dot1xAuthEapolRespIdFramesRx=%u\n"
1953	"dot1xAuthEapolRespFramesRx=%u\n"
1954	"dot1xAuthEapolReqIdFramesTx=%u\n"
1955	"dot1xAuthEapolReqFramesTx=%u\n"
1956	"dot1xAuthInvalidEapolFramesRx=%u\n"
1957	"dot1xAuthEapLengthErrorFramesRx=%u\n"
1958	"dot1xAuthLastEapolFrameVersion=%u\n"
1959	"dot1xAuthLastEapolFrameSource=" MACSTR "\n",
1960	sm->dot1xAuthEapolFramesRx,
1961	sm->dot1xAuthEapolFramesTx,
1962	sm->dot1xAuthEapolStartFramesRx,
1963	sm->dot1xAuthEapolLogoffFramesRx,
1964	sm->dot1xAuthEapolRespIdFramesRx,
1965	sm->dot1xAuthEapolRespFramesRx,
1966	sm->dot1xAuthEapolReqIdFramesTx,
1967	sm->dot1xAuthEapolReqFramesTx,
1968	sm->dot1xAuthInvalidEapolFramesRx,
1969	sm->dot1xAuthEapLengthErrorFramesRx,
1970	sm->dot1xAuthLastEapolFrameVersion,
1971	MAC2STR(sm->addr));
1972	if (ret < 0 \|\| (size_t) ret >= buflen - len)
1973	return len;
1974	len += ret;
1975
1976	/* dot1xAuthDiagTable */
1977	ret = os_snprintf(buf + len, buflen - len,
1978	"dot1xAuthEntersConnecting=%u\n"
1979	"dot1xAuthEapLogoffsWhileConnecting=%u\n"
1980	"dot1xAuthEntersAuthenticating=%u\n"
1981	"dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
1982	"dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
1983	"dot1xAuthAuthFailWhileAuthenticating=%u\n"
1984	"dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
1985	"dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
1986	"dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
1987	"dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
1988	"dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
1989	"dot1xAuthBackendResponses=%u\n"
1990	"dot1xAuthBackendAccessChallenges=%u\n"
1991	"dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
1992	"dot1xAuthBackendAuthSuccesses=%u\n"
1993	"dot1xAuthBackendAuthFails=%u\n",
1994	sm->authEntersConnecting,
1995	sm->authEapLogoffsWhileConnecting,
1996	sm->authEntersAuthenticating,
1997	sm->authAuthSuccessesWhileAuthenticating,
1998	sm->authAuthTimeoutsWhileAuthenticating,
1999	sm->authAuthFailWhileAuthenticating,
2000	sm->authAuthEapStartsWhileAuthenticating,
2001	sm->authAuthEapLogoffWhileAuthenticating,
2002	sm->authAuthReauthsWhileAuthenticated,
2003	sm->authAuthEapStartsWhileAuthenticated,
2004	sm->authAuthEapLogoffWhileAuthenticated,
2005	sm->backendResponses,
2006	sm->backendAccessChallenges,
2007	sm->backendOtherRequestsToSupplicant,
2008	sm->backendAuthSuccesses,
2009	sm->backendAuthFails);
2010	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2011	return len;
2012	len += ret;
2013
2014	/* dot1xAuthSessionStatsTable */
2015	ret = os_snprintf(buf + len, buflen - len,
2016	/* TODO: dot1xAuthSessionOctetsRx */
2017	/* TODO: dot1xAuthSessionOctetsTx */
2018	/* TODO: dot1xAuthSessionFramesRx */
2019	/* TODO: dot1xAuthSessionFramesTx */
2020	"dot1xAuthSessionId=%08X-%08X\n"
2021	"dot1xAuthSessionAuthenticMethod=%d\n"
2022	"dot1xAuthSessionTime=%u\n"
2023	"dot1xAuthSessionTerminateCause=999\n"
2024	"dot1xAuthSessionUserName=%s\n",
2025	sta->acct_session_id_hi, sta->acct_session_id_lo,
2026	(wpa_auth_sta_key_mgmt(sta->wpa_sm) ==
2027	WPA_KEY_MGMT_IEEE8021X \|\|
2028	wpa_auth_sta_key_mgmt(sta->wpa_sm) ==
2029	WPA_KEY_MGMT_FT_IEEE8021X) ? 1 : 2,
2030	(unsigned int) (time(NULL) -
2031	sta->acct_session_start),
2032	sm->identity);
2033	if (ret < 0 \|\| (size_t) ret >= buflen - len)
2034	return len;
2035	len += ret;
2036
2037	return len;
2038	}
2039
2040
2041	static void ieee802_1x_finished(struct hostapd_data *hapd,
2042	struct sta_info *sta, int success)
2043	{
2044	const u8 *key;
2045	size_t len;
2046	/* TODO: get PMKLifetime from WPA parameters */
2047	static const int dot11RSNAConfigPMKLifetime = 43200;
2048
2049	key = ieee802_1x_get_key(sta->eapol_sm, &len);
2050	if (success && key && len >= PMK_LEN &&
2051	wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
2052	sta->eapol_sm) == 0) {
2053	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
2054	HOSTAPD_LEVEL_DEBUG,
2055	"Added PMKSA cache entry (IEEE 802.1X)");
2056	}
2057	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: