1 /*
2 * hostapd / IEEE 802.1X-2004 Authenticator
3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10 #ifdef CONFIG_SQLITE
11 #include <sqlite3.h>
12 #endif /* CONFIG_SQLITE */
13
14 #include "utils/common.h"
15 #include "utils/eloop.h"
16 #include "crypto/md5.h"
17 #include "crypto/crypto.h"
18 #include "crypto/random.h"
19 #include "common/ieee802_11_defs.h"
20 #ifndef EXT_CODE_CROP
21 #include "radius/radius.h"
22 #include "radius/radius_client.h"
23 #endif /* EXT_CODE_CROP */
24 #include "eap_server/eap.h"
25 #include "eap_common/eap_wsc_common.h"
26 #include "eapol_auth/eapol_auth_sm.h"
27 #include "eapol_auth/eapol_auth_sm_i.h"
28 #include "p2p/p2p.h"
29 #include "hostapd.h"
30 #include "accounting.h"
31 #include "sta_info.h"
32 #include "wpa_auth.h"
33 #include "preauth_auth.h"
34 #include "pmksa_cache_auth.h"
35 #include "ap_config.h"
36 #include "ap_drv_ops.h"
37 #include "wps_hostapd.h"
38 #include "hs20.h"
39 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */
40 #ifndef EXT_CODE_CROP
41 #include "ieee802_11.h"
42 #endif /* EXT_CODE_CROP */
43 #include "ieee802_1x.h"
44 #include "wpa_auth_kay.h"
45
46
47 #ifdef CONFIG_HS20
48 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx);
49 #endif /* CONFIG_HS20 */
50 static void ieee802_1x_finished(struct hostapd_data *hapd,
51 struct sta_info *sta, int success,
52 int remediation);
53
54
ieee802_1x_send(struct hostapd_data * hapd,struct sta_info * sta,u8 type,const u8 * data,size_t datalen)55 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta,
56 u8 type, const u8 *data, size_t datalen)
57 {
58 u8 *buf;
59 struct ieee802_1x_hdr *xhdr;
60 size_t len;
61 int encrypt = 0;
62
63 len = sizeof(*xhdr) + datalen;
64 buf = os_zalloc(len);
65 if (!buf) {
66 wpa_error_log1(MSG_ERROR, "malloc() failed for "
67 "ieee802_1x_send(len=%lu)",
68 (unsigned long) len);
69 return;
70 }
71
72 xhdr = (struct ieee802_1x_hdr *) buf;
73 xhdr->version = hapd->conf->eapol_version;
74 #ifdef CONFIG_MACSEC
75 if (xhdr->version > 2 && hapd->conf->macsec_policy == 0)
76 xhdr->version = 2;
77 #endif /* CONFIG_MACSEC */
78 xhdr->type = type;
79 xhdr->length = host_to_be16(datalen);
80
81 if (datalen > 0 && data != NULL)
82 os_memcpy(xhdr + 1, data, datalen);
83
84 if (wpa_auth_pairwise_set(sta->wpa_sm))
85 encrypt = 1;
86 #ifdef CONFIG_TESTING_OPTIONS
87 if (hapd->ext_eapol_frame_io) {
88 size_t hex_len = 2 * len + 1;
89 char *hex = os_malloc(hex_len);
90
91 if (hex) {
92 wpa_snprintf_hex(hex, hex_len, buf, len);
93 wpa_msg(hapd->msg_ctx, MSG_INFO,
94 "EAPOL-TX " MACSTR " %s",
95 MAC2STR(sta->addr), hex);
96 os_free(hex);
97 }
98 } else
99 #endif /* CONFIG_TESTING_OPTIONS */
100 if (sta->flags & WLAN_STA_PREAUTH) {
101 rsn_preauth_send(hapd, sta, buf, len);
102 } else {
103 hostapd_drv_hapd_send_eapol(
104 hapd, sta->addr, buf, len,
105 encrypt, hostapd_sta_flags_to_drv(sta->flags));
106 }
107
108 os_free(buf);
109 }
110
111
ieee802_1x_set_sta_authorized(struct hostapd_data * hapd,struct sta_info * sta,int authorized)112 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
113 struct sta_info *sta, int authorized)
114 {
115 int res;
116
117 if (sta->flags & WLAN_STA_PREAUTH)
118 return;
119
120 if (authorized) {
121 ap_sta_set_authorized(hapd, sta, 1);
122 #ifndef LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT
123 res = hostapd_set_authorized(hapd, sta, 1);
124 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
125 HOSTAPD_LEVEL_DEBUG, "authorizing port");
126 #endif /* LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT */
127 } else {
128 ap_sta_set_authorized(hapd, sta, 0);
129 #ifndef LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT
130 res = hostapd_set_authorized(hapd, sta, 0);
131 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
132 HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
133 #endif /* LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT */
134 }
135
136 #ifndef EXT_CODE_CROP
137 if (res && errno != ENOENT) {
138 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR
139 " flags for kernel driver (errno=%d).",
140 MAC2STR(sta->addr), errno);
141 }
142 #endif /* EXT_CODE_CROP */
143
144 if (authorized) {
145 os_get_reltime(&sta->connected_time);
146 accounting_sta_start(hapd, sta);
147 }
148 }
149
150
151 #ifdef CONFIG_WEP
152 #ifndef CONFIG_FIPS
153 #ifndef CONFIG_NO_RC4
154 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
ieee802_1x_tx_key_one(struct hostapd_data * hapd,struct sta_info * sta,int idx,int broadcast,u8 * key_data,size_t key_len)155 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
156 struct sta_info *sta,
157 int idx, int broadcast,
158 u8 *key_data, size_t key_len)
159 {
160 u8 *buf, *ekey;
161 struct ieee802_1x_hdr *hdr;
162 struct ieee802_1x_eapol_key *key;
163 size_t len, ekey_len;
164 struct eapol_state_machine *sm = sta->eapol_sm;
165
166 if (!sm)
167 return;
168
169 len = sizeof(*key) + key_len;
170 buf = os_zalloc(sizeof(*hdr) + len);
171 if (!buf)
172 return;
173
174 hdr = (struct ieee802_1x_hdr *) buf;
175 key = (struct ieee802_1x_eapol_key *) (hdr + 1);
176 key->type = EAPOL_KEY_TYPE_RC4;
177 WPA_PUT_BE16(key->key_length, key_len);
178 wpa_get_ntp_timestamp(key->replay_counter);
179 if (os_memcmp(key->replay_counter,
180 hapd->last_1x_eapol_key_replay_counter,
181 IEEE8021X_REPLAY_COUNTER_LEN) <= 0) {
182 /* NTP timestamp did not increment from last EAPOL-Key frame;
183 * use previously used value + 1 instead. */
184 inc_byte_array(hapd->last_1x_eapol_key_replay_counter,
185 IEEE8021X_REPLAY_COUNTER_LEN);
186 os_memcpy(key->replay_counter,
187 hapd->last_1x_eapol_key_replay_counter,
188 IEEE8021X_REPLAY_COUNTER_LEN);
189 } else {
190 os_memcpy(hapd->last_1x_eapol_key_replay_counter,
191 key->replay_counter,
192 IEEE8021X_REPLAY_COUNTER_LEN);
193 }
194
195 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) {
196 wpa_printf(MSG_ERROR, "Could not get random numbers");
197 os_free(buf);
198 return;
199 }
200
201 key->key_index = idx | (broadcast ? 0 : BIT(7));
202 if (hapd->conf->eapol_key_index_workaround) {
203 /* According to some information, WinXP Supplicant seems to
204 * interpret bit7 as an indication whether the key is to be
205 * activated, so make it possible to enable workaround that
206 * sets this bit for all keys. */
207 key->key_index |= BIT(7);
208 }
209
210 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
211 * MSK[32..63] is used to sign the message. */
212 if (!sm->eap_if->eapKeyData || sm->eap_if->eapKeyDataLen < 64) {
213 wpa_printf(MSG_ERROR,
214 "No eapKeyData available for encrypting and signing EAPOL-Key");
215 os_free(buf);
216 return;
217 }
218 os_memcpy((u8 *) (key + 1), key_data, key_len);
219 ekey_len = sizeof(key->key_iv) + 32;
220 ekey = os_malloc(ekey_len);
221 if (!ekey) {
222 wpa_printf(MSG_ERROR, "Could not encrypt key");
223 os_free(buf);
224 return;
225 }
226 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
227 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
228 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
229 os_free(ekey);
230
231 /* This header is needed here for HMAC-MD5, but it will be regenerated
232 * in ieee802_1x_send() */
233 hdr->version = hapd->conf->eapol_version;
234 #ifdef CONFIG_MACSEC
235 if (hdr->version > 2)
236 hdr->version = 2;
237 #endif /* CONFIG_MACSEC */
238 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
239 hdr->length = host_to_be16(len);
240 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
241 key->key_signature);
242
243 wpa_warning_log4(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " "%02x:xx:xx:%02x:%02x:%02x",
244 (sm->addr)[0], (sm->addr)[3], (sm->addr)[4], (sm->addr)[5]);
245 wpa_warning_buf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to "
246 " (%s)", broadcast ? "broadcast" : "unicast",
247 broadcast ? strlen("broadcast") : strlen("unicast"));
248 wpa_warning_log1(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to "
249 " (index=%d)", idx);
250 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
251 if (sta->eapol_sm)
252 sta->eapol_sm->dot1xAuthEapolFramesTx++;
253 os_free(buf);
254 }
255
256
ieee802_1x_tx_key(struct hostapd_data * hapd,struct sta_info * sta)257 static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
258 {
259 struct eapol_authenticator *eapol = hapd->eapol_auth;
260 struct eapol_state_machine *sm = sta->eapol_sm;
261
262 if (!sm || !sm->eap_if->eapKeyData)
263 return;
264
265 wpa_warning_log4(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " "%02x:xx:xx:%02x:%02x:%02x",
266 (sta->addr)[0], (sta->addr)[3], (sta->addr)[4], (sta->addr)[5]);
267
268 #ifndef CONFIG_NO_VLAN
269 if (sta->vlan_id > 0) {
270 wpa_error_log0(MSG_ERROR, "Using WEP with vlans is not supported.");
271 return;
272 }
273 #endif /* CONFIG_NO_VLAN */
274
275 if (eapol->default_wep_key) {
276 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
277 eapol->default_wep_key,
278 hapd->conf->default_wep_key_len);
279 }
280
281 if (hapd->conf->individual_wep_key_len > 0) {
282 u8 *ikey;
283
284 ikey = os_malloc(hapd->conf->individual_wep_key_len);
285 if (!ikey ||
286 random_get_bytes(ikey, hapd->conf->individual_wep_key_len))
287 {
288 wpa_error_log0(MSG_ERROR, "Could not generate random "
289 "individual WEP key.");
290 os_free(ikey);
291 return;
292 }
293
294 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
295 ikey, hapd->conf->individual_wep_key_len);
296
297 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
298 hapd->conf->individual_wep_key_len);
299
300 /* TODO: set encryption in TX callback, i.e., only after STA
301 * has ACKed EAPOL-Key frame */
302 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
303 sta->addr, 0, 0, 1, NULL, 0, ikey,
304 hapd->conf->individual_wep_key_len,
305 KEY_FLAG_PAIRWISE_RX_TX)) {
306 wpa_printf(MSG_ERROR,
307 "Could not set individual WEP encryption");
308 }
309
310 os_free(ikey);
311 }
312 }
313 #endif /* LOS_CONFIG_HOSTAPD_SECURITY */
314 #endif /* CONFIG_NO_RC4 */
315 #endif /* CONFIG_FIPS */
316 #endif /* CONFIG_WEP */
317
318 #ifndef EXT_CODE_CROP
radius_mode_txt(struct hostapd_data * hapd)319 const char *radius_mode_txt(struct hostapd_data *hapd)
320 {
321 switch (hapd->iface->conf->hw_mode) {
322 case HOSTAPD_MODE_IEEE80211AD:
323 return "802.11ad";
324 case HOSTAPD_MODE_IEEE80211A:
325 return "802.11a";
326 case HOSTAPD_MODE_IEEE80211G:
327 return "802.11g";
328 case HOSTAPD_MODE_IEEE80211B:
329 default:
330 return "802.11b";
331 }
332 }
333
334
radius_sta_rate(struct hostapd_data * hapd,struct sta_info * sta)335 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta)
336 {
337 int i;
338 u8 rate = 0;
339
340 for (i = 0; i < sta->supported_rates_len; i++)
341 if ((sta->supported_rates[i] & 0x7f) > rate)
342 rate = sta->supported_rates[i] & 0x7f;
343
344 return rate;
345 }
346
347
348 #ifndef CONFIG_NO_RADIUS
ieee802_1x_learn_identity(struct hostapd_data * hapd,struct eapol_state_machine * sm,const u8 * eap,size_t len)349 static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
350 struct eapol_state_machine *sm,
351 const u8 *eap, size_t len)
352 {
353 const u8 *identity;
354 size_t identity_len;
355 const struct eap_hdr *hdr = (const struct eap_hdr *) eap;
356
357 if (len <= sizeof(struct eap_hdr) ||
358 (hdr->code == EAP_CODE_RESPONSE &&
359 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) ||
360 (hdr->code == EAP_CODE_INITIATE &&
361 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) ||
362 (hdr->code != EAP_CODE_RESPONSE &&
363 hdr->code != EAP_CODE_INITIATE))
364 return;
365
366 eap_erp_update_identity(sm->eap, eap, len);
367 identity = eap_get_identity(sm->eap, &identity_len);
368 if (!identity)
369 return;
370
371 /* Save station identity for future RADIUS packets */
372 os_free(sm->identity);
373 sm->identity = (u8 *) dup_binstr(identity, identity_len);
374 if (!sm->identity) {
375 sm->identity_len = 0;
376 return;
377 }
378
379 sm->identity_len = identity_len;
380 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
381 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
382 sm->dot1xAuthEapolRespIdFramesRx++;
383 }
384
385
add_common_radius_sta_attr_rsn(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)386 static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd,
387 struct hostapd_radius_attr *req_attr,
388 struct sta_info *sta,
389 struct radius_msg *msg)
390 {
391 u32 suite;
392 int ver, val;
393
394 ver = wpa_auth_sta_wpa_version(sta->wpa_sm);
395 val = wpa_auth_get_pairwise(sta->wpa_sm);
396 suite = wpa_cipher_to_suite(ver, val);
397 if (val != -1 &&
398 !hostapd_config_get_radius_attr(req_attr,
399 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) &&
400 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER,
401 suite)) {
402 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher");
403 return -1;
404 }
405
406 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) ||
407 hapd->conf->osen) ?
408 WPA_PROTO_RSN : WPA_PROTO_WPA,
409 hapd->conf->wpa_group);
410 if (!hostapd_config_get_radius_attr(req_attr,
411 RADIUS_ATTR_WLAN_GROUP_CIPHER) &&
412 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER,
413 suite)) {
414 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher");
415 return -1;
416 }
417
418 val = wpa_auth_sta_key_mgmt(sta->wpa_sm);
419 suite = wpa_akm_to_suite(val);
420 if (val != -1 &&
421 !hostapd_config_get_radius_attr(req_attr,
422 RADIUS_ATTR_WLAN_AKM_SUITE) &&
423 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE,
424 suite)) {
425 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite");
426 return -1;
427 }
428
429 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
430 suite = wpa_cipher_to_suite(WPA_PROTO_RSN,
431 hapd->conf->group_mgmt_cipher);
432 if (!hostapd_config_get_radius_attr(
433 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) &&
434 !radius_msg_add_attr_int32(
435 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) {
436 wpa_printf(MSG_ERROR,
437 "Could not add WLAN-Group-Mgmt-Cipher");
438 return -1;
439 }
440 }
441
442 return 0;
443 }
444
445
add_common_radius_sta_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)446 static int add_common_radius_sta_attr(struct hostapd_data *hapd,
447 struct hostapd_radius_attr *req_attr,
448 struct sta_info *sta,
449 struct radius_msg *msg)
450 {
451 char buf[128];
452
453 if (!hostapd_config_get_radius_attr(req_attr,
454 RADIUS_ATTR_SERVICE_TYPE) &&
455 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE,
456 RADIUS_SERVICE_TYPE_FRAMED)) {
457 wpa_printf(MSG_ERROR, "Could not add Service-Type");
458 return -1;
459 }
460
461 if (!hostapd_config_get_radius_attr(req_attr,
462 RADIUS_ATTR_NAS_PORT) &&
463 sta->aid > 0 &&
464 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
465 wpa_printf(MSG_ERROR, "Could not add NAS-Port");
466 return -1;
467 }
468
469 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
470 MAC2STR(sta->addr));
471 buf[sizeof(buf) - 1] = '\0';
472 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
473 (u8 *) buf, os_strlen(buf))) {
474 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id");
475 return -1;
476 }
477
478 if (sta->flags & WLAN_STA_PREAUTH) {
479 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
480 sizeof(buf));
481 } else {
482 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
483 radius_sta_rate(hapd, sta) / 2,
484 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
485 radius_mode_txt(hapd));
486 buf[sizeof(buf) - 1] = '\0';
487 }
488 if (!hostapd_config_get_radius_attr(req_attr,
489 RADIUS_ATTR_CONNECT_INFO) &&
490 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
491 (u8 *) buf, os_strlen(buf))) {
492 wpa_printf(MSG_ERROR, "Could not add Connect-Info");
493 return -1;
494 }
495
496 if (sta->acct_session_id) {
497 os_snprintf(buf, sizeof(buf), "%016llX",
498 (unsigned long long) sta->acct_session_id);
499 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
500 (u8 *) buf, os_strlen(buf))) {
501 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id");
502 return -1;
503 }
504 }
505
506 if ((hapd->conf->wpa & 2) &&
507 !hapd->conf->disable_pmksa_caching &&
508 sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) {
509 os_snprintf(buf, sizeof(buf), "%016llX",
510 (unsigned long long)
511 sta->eapol_sm->acct_multi_session_id);
512 if (!radius_msg_add_attr(
513 msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
514 (u8 *) buf, os_strlen(buf))) {
515 wpa_printf(MSG_INFO,
516 "Could not add Acct-Multi-Session-Id");
517 return -1;
518 }
519 }
520
521 #ifdef CONFIG_IEEE80211R_AP
522 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
523 sta->wpa_sm &&
524 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) ||
525 sta->auth_alg == WLAN_AUTH_FT) &&
526 !hostapd_config_get_radius_attr(req_attr,
527 RADIUS_ATTR_MOBILITY_DOMAIN_ID) &&
528 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID,
529 WPA_GET_BE16(
530 hapd->conf->mobility_domain))) {
531 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id");
532 return -1;
533 }
534 #endif /* CONFIG_IEEE80211R_AP */
535
536 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm &&
537 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0)
538 return -1;
539
540 return 0;
541 }
542
543
add_common_radius_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)544 int add_common_radius_attr(struct hostapd_data *hapd,
545 struct hostapd_radius_attr *req_attr,
546 struct sta_info *sta,
547 struct radius_msg *msg)
548 {
549 char buf[128];
550 struct hostapd_radius_attr *attr;
551 int len;
552
553 if (!hostapd_config_get_radius_attr(req_attr,
554 RADIUS_ATTR_NAS_IP_ADDRESS) &&
555 hapd->conf->own_ip_addr.af == AF_INET &&
556 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
557 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
558 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address");
559 return -1;
560 }
561
562 #ifdef CONFIG_IPV6
563 if (!hostapd_config_get_radius_attr(req_attr,
564 RADIUS_ATTR_NAS_IPV6_ADDRESS) &&
565 hapd->conf->own_ip_addr.af == AF_INET6 &&
566 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
567 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
568 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address");
569 return -1;
570 }
571 #endif /* CONFIG_IPV6 */
572
573 if (!hostapd_config_get_radius_attr(req_attr,
574 RADIUS_ATTR_NAS_IDENTIFIER) &&
575 hapd->conf->nas_identifier &&
576 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
577 (u8 *) hapd->conf->nas_identifier,
578 os_strlen(hapd->conf->nas_identifier))) {
579 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier");
580 return -1;
581 }
582
583 len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":",
584 MAC2STR(hapd->own_addr));
585 os_memcpy(&buf[len], hapd->conf->ssid.ssid,
586 hapd->conf->ssid.ssid_len);
587 len += hapd->conf->ssid.ssid_len;
588 if (!hostapd_config_get_radius_attr(req_attr,
589 RADIUS_ATTR_CALLED_STATION_ID) &&
590 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
591 (u8 *) buf, len)) {
592 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id");
593 return -1;
594 }
595
596 if (!hostapd_config_get_radius_attr(req_attr,
597 RADIUS_ATTR_NAS_PORT_TYPE) &&
598 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
599 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
600 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type");
601 return -1;
602 }
603
604 #ifdef CONFIG_INTERWORKING
605 if (hapd->conf->interworking &&
606 !is_zero_ether_addr(hapd->conf->hessid)) {
607 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
608 MAC2STR(hapd->conf->hessid));
609 buf[sizeof(buf) - 1] = '\0';
610 if (!hostapd_config_get_radius_attr(req_attr,
611 RADIUS_ATTR_WLAN_HESSID) &&
612 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID,
613 (u8 *) buf, os_strlen(buf))) {
614 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID");
615 return -1;
616 }
617 }
618 #endif /* CONFIG_INTERWORKING */
619
620 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0)
621 return -1;
622
623 for (attr = req_attr; attr; attr = attr->next) {
624 if (!radius_msg_add_attr(msg, attr->type,
625 wpabuf_head(attr->val),
626 wpabuf_len(attr->val))) {
627 wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
628 return -1;
629 }
630 }
631
632 return 0;
633 }
634
635
add_sqlite_radius_attr(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg,int acct)636 int add_sqlite_radius_attr(struct hostapd_data *hapd, struct sta_info *sta,
637 struct radius_msg *msg, int acct)
638 {
639 #ifdef CONFIG_SQLITE
640 const char *attrtxt;
641 char addrtxt[3 * ETH_ALEN];
642 char *sql;
643 sqlite3_stmt *stmt = NULL;
644
645 if (!hapd->rad_attr_db)
646 return 0;
647
648 os_snprintf(addrtxt, sizeof(addrtxt), MACSTR, MAC2STR(sta->addr));
649
650 sql = "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);";
651 if (sqlite3_prepare_v2(hapd->rad_attr_db, sql, os_strlen(sql), &stmt,
652 NULL) != SQLITE_OK) {
653 wpa_printf(MSG_ERROR, "DB: Failed to prepare SQL statement: %s",
654 sqlite3_errmsg(hapd->rad_attr_db));
655 return -1;
656 }
657 sqlite3_bind_text(stmt, 1, addrtxt, os_strlen(addrtxt), SQLITE_STATIC);
658 sqlite3_bind_text(stmt, 2, acct ? "acct" : "auth", 4, SQLITE_STATIC);
659 while (sqlite3_step(stmt) == SQLITE_ROW) {
660 struct hostapd_radius_attr *attr;
661 struct radius_attr_hdr *hdr;
662
663 attrtxt = (const char *) sqlite3_column_text(stmt, 0);
664 attr = hostapd_parse_radius_attr(attrtxt);
665 if (!attr) {
666 wpa_printf(MSG_ERROR,
667 "Skipping invalid attribute from SQL: %s",
668 attrtxt);
669 continue;
670 }
671 wpa_printf(MSG_DEBUG, "Adding RADIUS attribute from SQL: %s",
672 attrtxt);
673 hdr = radius_msg_add_attr(msg, attr->type,
674 wpabuf_head(attr->val),
675 wpabuf_len(attr->val));
676 hostapd_config_free_radius_attr(attr);
677 if (!hdr) {
678 wpa_printf(MSG_ERROR,
679 "Could not add RADIUS attribute from SQL");
680 continue;
681 }
682 }
683
684 sqlite3_reset(stmt);
685 sqlite3_clear_bindings(stmt);
686 sqlite3_finalize(stmt);
687 #endif /* CONFIG_SQLITE */
688
689 return 0;
690 }
691
692
ieee802_1x_encapsulate_radius(struct hostapd_data * hapd,struct sta_info * sta,const u8 * eap,size_t len)693 void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
694 struct sta_info *sta,
695 const u8 *eap, size_t len)
696 {
697 struct radius_msg *msg;
698 struct eapol_state_machine *sm = sta->eapol_sm;
699
700 if (!sm)
701 return;
702
703 ieee802_1x_learn_identity(hapd, sm, eap, len);
704
705 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS packet");
706
707 sm->radius_identifier = radius_client_get_id(hapd->radius);
708 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
709 sm->radius_identifier);
710 if (!msg) {
711 wpa_printf(MSG_INFO, "Could not create new RADIUS packet");
712 return;
713 }
714
715 if (radius_msg_make_authenticator(msg) < 0) {
716 wpa_printf(MSG_INFO, "Could not make Request Authenticator");
717 goto fail;
718 }
719
720 if (sm->identity &&
721 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
722 sm->identity, sm->identity_len)) {
723 wpa_printf(MSG_INFO, "Could not add User-Name");
724 goto fail;
725 }
726
727 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta,
728 msg) < 0)
729 goto fail;
730
731 if (sta && add_sqlite_radius_attr(hapd, sta, msg, 0) < 0)
732 goto fail;
733
734 /* TODO: should probably check MTU from driver config; 2304 is max for
735 * IEEE 802.11, but use 1400 to avoid problems with too large packets
736 */
737 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr,
738 RADIUS_ATTR_FRAMED_MTU) &&
739 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
740 wpa_printf(MSG_INFO, "Could not add Framed-MTU");
741 goto fail;
742 }
743
744 if (!radius_msg_add_eap(msg, eap, len)) {
745 wpa_printf(MSG_INFO, "Could not add EAP-Message");
746 goto fail;
747 }
748
749 /* State attribute must be copied if and only if this packet is
750 * Access-Request reply to the previous Access-Challenge */
751 if (sm->last_recv_radius &&
752 radius_msg_get_hdr(sm->last_recv_radius)->code ==
753 RADIUS_CODE_ACCESS_CHALLENGE) {
754 int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
755 RADIUS_ATTR_STATE);
756 if (res < 0) {
757 wpa_printf(MSG_INFO,
758 "Could not copy State attribute from previous Access-Challenge");
759 goto fail;
760 }
761 if (res > 0)
762 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
763 }
764
765 if (hapd->conf->radius_request_cui) {
766 const u8 *cui;
767 size_t cui_len;
768 /* Add previously learned CUI or nul CUI to request CUI */
769 if (sm->radius_cui) {
770 cui = wpabuf_head(sm->radius_cui);
771 cui_len = wpabuf_len(sm->radius_cui);
772 } else {
773 cui = (const u8 *) "\0";
774 cui_len = 1;
775 }
776 if (!radius_msg_add_attr(msg,
777 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
778 cui, cui_len)) {
779 wpa_printf(MSG_ERROR, "Could not add CUI");
780 goto fail;
781 }
782 }
783
784 #ifdef CONFIG_HS20
785 if (hapd->conf->hs20) {
786 u8 ver = hapd->conf->hs20_release - 1;
787
788 if (!radius_msg_add_wfa(
789 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION,
790 &ver, 1)) {
791 wpa_printf(MSG_ERROR,
792 "Could not add HS 2.0 AP version");
793 goto fail;
794 }
795
796 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) {
797 const u8 *pos;
798 u8 buf[3];
799 u16 id;
800
801 pos = wpabuf_head_u8(sta->hs20_ie);
802 buf[0] = (*pos) >> 4;
803 if (((*pos) & HS20_PPS_MO_ID_PRESENT) &&
804 wpabuf_len(sta->hs20_ie) >= 3)
805 id = WPA_GET_LE16(pos + 1);
806 else
807 id = 0;
808 WPA_PUT_BE16(buf + 1, id);
809 if (!radius_msg_add_wfa(
810 msg,
811 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION,
812 buf, sizeof(buf))) {
813 wpa_printf(MSG_ERROR,
814 "Could not add HS 2.0 STA version");
815 goto fail;
816 }
817 }
818
819 if (sta->roaming_consortium &&
820 !radius_msg_add_wfa(
821 msg, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM,
822 wpabuf_head(sta->roaming_consortium),
823 wpabuf_len(sta->roaming_consortium))) {
824 wpa_printf(MSG_ERROR,
825 "Could not add HS 2.0 Roaming Consortium");
826 goto fail;
827 }
828
829 if (hapd->conf->t_c_filename) {
830 be32 timestamp;
831
832 if (!radius_msg_add_wfa(
833 msg,
834 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME,
835 (const u8 *) hapd->conf->t_c_filename,
836 os_strlen(hapd->conf->t_c_filename))) {
837 wpa_printf(MSG_ERROR,
838 "Could not add HS 2.0 T&C Filename");
839 goto fail;
840 }
841
842 timestamp = host_to_be32(hapd->conf->t_c_timestamp);
843 if (!radius_msg_add_wfa(
844 msg,
845 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP,
846 (const u8 *) ×tamp,
847 sizeof(timestamp))) {
848 wpa_printf(MSG_ERROR,
849 "Could not add HS 2.0 Timestamp");
850 goto fail;
851 }
852 }
853 }
854 #endif /* CONFIG_HS20 */
855
856 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0)
857 goto fail;
858
859 return;
860
861 fail:
862 radius_msg_free(msg);
863 }
864 #endif /* CONFIG_NO_RADIUS */
865 #endif /* EXT_CODE_CROP */
866
867 #ifdef CONFIG_WPS_AP
handle_eap_response(struct hostapd_data * hapd,struct sta_info * sta,struct eap_hdr * eap,size_t len)868 static void handle_eap_response(struct hostapd_data *hapd,
869 struct sta_info *sta, struct eap_hdr *eap,
870 size_t len)
871 {
872 u8 type, *data;
873 struct eapol_state_machine *sm = sta->eapol_sm;
874
875 if (!sm)
876 return;
877
878 data = (u8 *) (eap + 1);
879
880 if (len < sizeof(*eap) + 1) {
881 wpa_printf(MSG_INFO, "%s: too short response data", __func__);
882 return;
883 }
884
885 sm->eap_type_supp = type = data[0];
886
887 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
888 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
889 "id=%d len=%d) from STA: EAP Response-%s (%d)",
890 eap->code, eap->identifier, be_to_host16(eap->length),
891 eap_server_get_name(0, type), type);
892
893 sm->dot1xAuthEapolRespFramesRx++;
894
895 wpabuf_free(sm->eap_if->eapRespData);
896 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
897 sm->eapolEap = true;
898 }
899
900
handle_eap_initiate(struct hostapd_data * hapd,struct sta_info * sta,struct eap_hdr * eap,size_t len)901 static void handle_eap_initiate(struct hostapd_data *hapd,
902 struct sta_info *sta, struct eap_hdr *eap,
903 size_t len)
904 {
905 #ifdef CONFIG_ERP
906 u8 type, *data;
907 struct eapol_state_machine *sm = sta->eapol_sm;
908
909 if (!sm)
910 return;
911
912 if (len < sizeof(*eap) + 1) {
913 wpa_warning_log0(MSG_INFO,
914 "handle_eap_initiate: too short response data");
915 return;
916 }
917
918 data = (u8 *) (eap + 1);
919 type = data[0];
920
921 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
922 HOSTAPD_LEVEL_DEBUG,
923 "received EAP packet (code=%d id=%d len=%d) from STA: EAP Initiate type %u",
924 eap->code, eap->identifier, be_to_host16(eap->length),
925 type);
926
927 wpabuf_free(sm->eap_if->eapRespData);
928 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
929 sm->eapolEap = true;
930 #endif /* CONFIG_ERP */
931 }
932
933
934 #ifndef CONFIG_NO_STDOUT_DEBUG
eap_code_str(u8 code)935 static const char * eap_code_str(u8 code)
936 {
937 switch (code) {
938 case EAP_CODE_REQUEST:
939 return "request";
940 case EAP_CODE_RESPONSE:
941 return "response";
942 case EAP_CODE_SUCCESS:
943 return "success";
944 case EAP_CODE_FAILURE:
945 return "failure";
946 case EAP_CODE_INITIATE:
947 return "initiate";
948 case EAP_CODE_FINISH:
949 return "finish";
950 default:
951 return "unknown";
952 }
953 }
954 #endif /* CONFIG_NO_STDOUT_DEBUG */
955
956
957 /* Process incoming EAP packet from Supplicant */
handle_eap(struct hostapd_data * hapd,struct sta_info * sta,u8 * buf,size_t len)958 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta,
959 u8 *buf, size_t len)
960 {
961 struct eap_hdr *eap;
962 u16 eap_len;
963
964 if (len < sizeof(*eap)) {
965 wpa_warning_log0(MSG_INFO, " too short EAP packet");
966 return;
967 }
968
969 eap = (struct eap_hdr *) buf;
970
971 eap_len = be_to_host16(eap->length);
972 wpa_warning_log3(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
973 eap->code, eap->identifier, eap_len);
974 if (eap_len < sizeof(*eap)) {
975 wpa_warning_log0(MSG_DEBUG, " Invalid EAP length");
976 return;
977 } else if (eap_len > len) {
978 wpa_warning_log0(MSG_DEBUG, " Too short frame to contain this EAP "
979 "packet");
980 return;
981 } else if (eap_len < len) {
982 wpa_warning_log1(MSG_DEBUG, " Ignoring %lu extra bytes after EAP "
983 "packet", (unsigned long) len - eap_len);
984 }
985
986 switch (eap->code) {
987 case EAP_CODE_RESPONSE:
988 handle_eap_response(hapd, sta, eap, eap_len);
989 break;
990 case EAP_CODE_INITIATE:
991 handle_eap_initiate(hapd, sta, eap, eap_len);
992 break;
993 }
994 }
995 #endif /* CONFIG_WPS_AP */
996
997 struct eapol_state_machine *
ieee802_1x_alloc_eapol_sm(struct hostapd_data * hapd,struct sta_info * sta)998 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
999 {
1000 int flags = 0;
1001
1002 if (sta->flags & WLAN_STA_PREAUTH)
1003 flags |= EAPOL_SM_PREAUTH;
1004 if (sta->wpa_sm) {
1005 flags |= EAPOL_SM_USES_WPA;
1006 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1007 if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
1008 flags |= EAPOL_SM_FROM_PMKSA_CACHE;
1009 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1010 }
1011 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
1012 sta->wps_ie, sta->p2p_ie, sta,
1013 #ifndef EXT_CODE_CROP
1014 sta->identity, sta->radius_cui);
1015 #else
1016 sta->identity);
1017 #endif /* EXT_CODE_CROP */
1018 }
1019
1020 #ifndef EXT_CODE_CROP
ieee802_1x_save_eapol(struct sta_info * sta,const u8 * buf,size_t len)1021 static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf,
1022 size_t len)
1023 {
1024 if (sta->pending_eapol_rx) {
1025 wpabuf_free(sta->pending_eapol_rx->buf);
1026 } else {
1027 sta->pending_eapol_rx =
1028 os_malloc(sizeof(*sta->pending_eapol_rx));
1029 if (!sta->pending_eapol_rx)
1030 return;
1031 }
1032
1033 sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len);
1034 if (!sta->pending_eapol_rx->buf) {
1035 os_free(sta->pending_eapol_rx);
1036 sta->pending_eapol_rx = NULL;
1037 return;
1038 }
1039
1040 os_get_reltime(&sta->pending_eapol_rx->rx_time);
1041 }
1042 #endif /* EXT_CODE_CROP */
1043
1044 /**
1045 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
1046 * @hapd: hostapd BSS data
1047 * @sa: Source address (sender of the EAPOL frame)
1048 * @buf: EAPOL frame
1049 * @len: Length of buf in octets
1050 *
1051 * This function is called for each incoming EAPOL frame from the interface
1052 */
ieee802_1x_receive(struct hostapd_data * hapd,const u8 * sa,const u8 * buf,size_t len)1053 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
1054 size_t len)
1055 {
1056 struct sta_info *sta;
1057 struct ieee802_1x_hdr *hdr;
1058 struct ieee802_1x_eapol_key *key;
1059 u16 datalen;
1060 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1061 struct rsn_pmksa_cache_entry *pmksa;
1062 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1063 #ifdef CONFIG_WPS_AP
1064 int key_mgmt;
1065 #endif /* CONFIG_WPS_AP */
1066 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
1067 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen &&
1068 #else
1069 if (!hapd->conf->wpa &&
1070 #endif
1071 !hapd->conf->wps_state)
1072 return;
1073 #ifndef CONFIG_PRINT_NOUSE
1074 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
1075 (unsigned long) len, MAC2STR(sa));
1076 #endif /* CONFIG_PRINT_NOUSE */
1077 sta = ap_get_sta(hapd, sa);
1078 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) &&
1079 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) {
1080 #ifndef EXT_CODE_CROP
1081 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
1082 "associated/Pre-authenticating STA");
1083
1084 if (sta && (sta->flags & WLAN_STA_AUTH)) {
1085 wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR
1086 " for later use", MAC2STR(sta->addr));
1087 ieee802_1x_save_eapol(sta, buf, len);
1088 }
1089 #endif /* EXT_CODE_CROP */
1090 return;
1091 }
1092
1093 if (len < sizeof(*hdr)) {
1094 #ifndef CONFIG_PRINT_NOUSE
1095 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet");
1096 #endif /* CONFIG_PRINT_NOUSE */
1097 return;
1098 }
1099
1100 hdr = (struct ieee802_1x_hdr *) buf;
1101 datalen = be_to_host16(hdr->length);
1102 #ifndef CONFIG_PRINT_NOUSE
1103 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d",
1104 hdr->version, hdr->type, datalen);
1105 #endif /* CONFIG_PRINT_NOUSE */
1106
1107 if (len - sizeof(*hdr) < datalen) {
1108 #ifndef CONFIG_PRINT_NOUSE
1109 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet");
1110 #endif /* CONFIG_PRINT_NOUSE */
1111 if (sta->eapol_sm)
1112 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
1113 return;
1114 }
1115 #ifndef CONFIG_PRINT_NOUSE
1116 if (len - sizeof(*hdr) > datalen) {
1117 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after "
1118 "IEEE 802.1X packet",
1119 (unsigned long) len - sizeof(*hdr) - datalen);
1120 }
1121 #endif /* CONFIG_PRINT_NOUSE */
1122
1123 if (sta->eapol_sm) {
1124 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
1125 sta->eapol_sm->dot1xAuthEapolFramesRx++;
1126 }
1127
1128 key = (struct ieee802_1x_eapol_key *) (hdr + 1);
1129 if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
1130 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
1131 (key->type == EAPOL_KEY_TYPE_WPA ||
1132 key->type == EAPOL_KEY_TYPE_RSN)) {
1133 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
1134 sizeof(*hdr) + datalen);
1135 return;
1136 }
1137
1138 #ifdef CONFIG_WPS_AP
1139 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
1140 if (!hapd->conf->ieee802_1x && !hapd->conf->osen &&
1141 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
1142 #ifndef CONFIG_PRINT_NOUSE
1143 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
1144 "802.1X not enabled and WPS not used");
1145 #endif /* CONFIG_PRINT_NOUSE */
1146 return;
1147 }
1148 #else
1149 if (!(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
1150 return;
1151 }
1152
1153 #endif
1154 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
1155 #ifndef EXT_WPA_KEY_MGMT_CROP
1156 if (key_mgmt != -1 &&
1157 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE ||
1158 key_mgmt == WPA_KEY_MGMT_DPP)) {
1159 #else
1160 if (key_mgmt != -1 && (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
1161 #endif /* EXT_WPA_KEY_MGMT_CROP */
1162 wpa_warning_log0(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
1163 "STA is using PSK");
1164 return;
1165 }
1166
1167 if (!sta->eapol_sm) {
1168 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
1169 if (!sta->eapol_sm)
1170 return;
1171
1172 #ifdef CONFIG_WPS_AP
1173 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
1174 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) {
1175 #else
1176 if (hapd->conf->wps_state) {
1177 #endif
1178 u32 wflags = sta->flags & (WLAN_STA_WPS |
1179 WLAN_STA_WPS2 |
1180 WLAN_STA_MAYBE_WPS);
1181 if (wflags == WLAN_STA_MAYBE_WPS ||
1182 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) {
1183 /*
1184 * Delay EAPOL frame transmission until a
1185 * possible WPS STA initiates the handshake
1186 * with EAPOL-Start. Only allow the wait to be
1187 * skipped if the STA is known to support WPS
1188 * 2.0.
1189 */
1190 wpa_warning_log0(MSG_DEBUG, "WPS: Do not start "
1191 "EAPOL until EAPOL-Start is "
1192 "received");
1193 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
1194 }
1195 }
1196 #endif /* CONFIG_WPS_AP */
1197
1198 sta->eapol_sm->eap_if->portEnabled = true;
1199 }
1200
1201 /* since we support version 1, we can ignore version field and proceed
1202 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
1203 /* TODO: actually, we are not version 1 anymore.. However, Version 2
1204 * does not change frame contents, so should be ok to process frames
1205 * more or less identically. Some changes might be needed for
1206 * verification of fields. */
1207
1208 switch (hdr->type) {
1209 case IEEE802_1X_TYPE_EAP_PACKET:
1210 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
1211 break;
1212
1213 case IEEE802_1X_TYPE_EAPOL_START:
1214 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1215 HOSTAPD_LEVEL_DEBUG,
1216 "received EAPOL-Start from STA");
1217 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
1218 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1219 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
1220 if (pmksa) {
1221 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1222 HOSTAPD_LEVEL_DEBUG,
1223 "cached PMKSA available - ignore it since STA sent EAPOL-Start");
1224 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
1225 }
1226 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1227 sta->eapol_sm->eapolStart = true;
1228 sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
1229 eap_server_clear_identity(sta->eapol_sm->eap);
1230 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
1231 break;
1232
1233 case IEEE802_1X_TYPE_EAPOL_LOGOFF:
1234 #ifndef EXT_CODE_CROP
1235 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1236 HOSTAPD_LEVEL_DEBUG,
1237 "received EAPOL-Logoff from STA");
1238 sta->acct_terminate_cause =
1239 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
1240 #endif
1241 accounting_sta_stop(hapd, sta);
1242 sta->eapol_sm->eapolLogoff = true;
1243 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
1244 eap_server_clear_identity(sta->eapol_sm->eap);
1245 break;
1246
1247 case IEEE802_1X_TYPE_EAPOL_KEY:
1248 wpa_warning_log0(MSG_DEBUG, " EAPOL-Key");
1249 if (!ap_sta_is_authorized(sta)) {
1250 wpa_warning_log0(MSG_DEBUG, " Dropped key data from "
1251 "unauthorized Supplicant");
1252 break;
1253 }
1254 break;
1255
1256 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
1257 wpa_warning_log0(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert");
1258 /* TODO: implement support for this; show data */
1259 break;
1260
1261 #ifdef CONFIG_MACSEC
1262 case IEEE802_1X_TYPE_EAPOL_MKA:
1263 wpa_printf(MSG_EXCESSIVE,
1264 "EAPOL type %d will be handled by MKA", hdr->type);
1265 break;
1266 #endif /* CONFIG_MACSEC */
1267
1268 default:
1269 wpa_warning_log0(MSG_DEBUG, " unknown IEEE 802.1X packet type");
1270 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
1271 break;
1272 }
1273
1274 eapol_auth_step(sta->eapol_sm);
1275 #endif /* CONFIG_WPS_AP */
1276 }
1277
1278
1279 /**
1280 * ieee802_1x_new_station - Start IEEE 802.1X authentication
1281 * @hapd: hostapd BSS data
1282 * @sta: The station
1283 *
1284 * This function is called to start IEEE 802.1X authentication when a new
1285 * station completes IEEE 802.11 association.
1286 */
1287 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
1288 {
1289 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1290 struct rsn_pmksa_cache_entry *pmksa;
1291 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1292 int reassoc = 1;
1293 int force_1x = 0;
1294 int key_mgmt;
1295
1296 #ifdef CONFIG_WPS_AP
1297 if (hapd->conf->wps_state &&
1298 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) ||
1299 (sta->flags & WLAN_STA_WPS))) {
1300 /*
1301 * Need to enable IEEE 802.1X/EAPOL state machines for possible
1302 * WPS handshake even if IEEE 802.1X/EAPOL is not used for
1303 * authentication in this BSS.
1304 */
1305 force_1x = 1;
1306 }
1307 #endif /* CONFIG_WPS_AP */
1308 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
1309 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) {
1310 #else
1311 if (!force_1x) {
1312 #endif
1313 #ifndef CONFIG_PRINT_NOUSE
1314 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - "
1315 "802.1X not enabled or forced for WPS");
1316 #endif /* CONFIG_PRINT_NOUSE */
1317 /*
1318 * Clear any possible EAPOL authenticator state to support
1319 * reassociation change from WPS to PSK.
1320 */
1321 ieee802_1x_free_station(hapd, sta);
1322 return;
1323 }
1324
1325 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
1326 #ifndef EXT_WPA_KEY_MGMT_CROP
1327 if (key_mgmt != -1 &&
1328 (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE ||
1329 key_mgmt == WPA_KEY_MGMT_DPP)) {
1330 #else
1331 if (key_mgmt != -1 && (wpa_key_mgmt_wpa_psk(key_mgmt) || key_mgmt == WPA_KEY_MGMT_OWE)) {
1332 #endif /* EXT_WPA_KEY_MGMT_CROP */
1333 wpa_warning_log0(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
1334 /*
1335 * Clear any possible EAPOL authenticator state to support
1336 * reassociation change from WPA-EAP to PSK.
1337 */
1338 ieee802_1x_free_station(hapd, sta);
1339 return;
1340 }
1341
1342 if (!sta->eapol_sm) {
1343 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1344 HOSTAPD_LEVEL_DEBUG, "start authentication");
1345 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
1346 if (!sta->eapol_sm) {
1347 hostapd_logger(hapd, sta->addr,
1348 HOSTAPD_MODULE_IEEE8021X,
1349 HOSTAPD_LEVEL_INFO,
1350 "failed to allocate state machine");
1351 return;
1352 }
1353 reassoc = 0;
1354 }
1355
1356 #ifdef CONFIG_WPS_AP
1357 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
1358 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
1359 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state &&
1360 #else
1361 if (hapd->conf->wps_state &&
1362 #endif
1363 !(sta->flags & WLAN_STA_WPS2)) {
1364 /*
1365 * Delay EAPOL frame transmission until a possible WPS STA
1366 * initiates the handshake with EAPOL-Start. Only allow the
1367 * wait to be skipped if the STA is known to support WPS 2.0.
1368 */
1369 wpa_warning_log0(MSG_DEBUG, "WPS: Do not start EAPOL until "
1370 "EAPOL-Start is received");
1371 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
1372 }
1373 #endif /* CONFIG_WPS_AP */
1374
1375 sta->eapol_sm->eap_if->portEnabled = true;
1376
1377 #ifdef CONFIG_IEEE80211R_AP
1378 if (sta->auth_alg == WLAN_AUTH_FT) {
1379 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1380 HOSTAPD_LEVEL_DEBUG,
1381 "PMK from FT - skip IEEE 802.1X/EAP");
1382 /* Setup EAPOL state machines to already authenticated state
1383 * because of existing FT information from R0KH. */
1384 sta->eapol_sm->keyRun = true;
1385 sta->eapol_sm->eap_if->eapKeyAvailable = true;
1386 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
1387 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
1388 sta->eapol_sm->authSuccess = true;
1389 sta->eapol_sm->authFail = false;
1390 sta->eapol_sm->portValid = true;
1391 if (sta->eapol_sm->eap)
1392 eap_sm_notify_cached(sta->eapol_sm->eap);
1393 ap_sta_bind_vlan(hapd, sta);
1394 return;
1395 }
1396 #endif /* CONFIG_IEEE80211R_AP */
1397
1398 #ifdef CONFIG_FILS
1399 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
1400 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
1401 sta->auth_alg == WLAN_AUTH_FILS_PK) {
1402 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1403 HOSTAPD_LEVEL_DEBUG,
1404 "PMK from FILS - skip IEEE 802.1X/EAP");
1405 /* Setup EAPOL state machines to already authenticated state
1406 * because of existing FILS information. */
1407 sta->eapol_sm->keyRun = true;
1408 sta->eapol_sm->eap_if->eapKeyAvailable = true;
1409 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
1410 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
1411 sta->eapol_sm->authSuccess = true;
1412 sta->eapol_sm->authFail = false;
1413 sta->eapol_sm->portValid = true;
1414 if (sta->eapol_sm->eap)
1415 eap_sm_notify_cached(sta->eapol_sm->eap);
1416 wpa_auth_set_ptk_rekey_timer(sta->wpa_sm);
1417 return;
1418 }
1419 #endif /* CONFIG_FILS */
1420
1421 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1422 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
1423 if (pmksa) {
1424 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1425 HOSTAPD_LEVEL_DEBUG,
1426 "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
1427 /* Setup EAPOL state machines to already authenticated state
1428 * because of existing PMKSA information in the cache. */
1429 sta->eapol_sm->keyRun = true;
1430 sta->eapol_sm->eap_if->eapKeyAvailable = true;
1431 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
1432 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
1433 sta->eapol_sm->authSuccess = true;
1434 sta->eapol_sm->authFail = false;
1435 if (sta->eapol_sm->eap)
1436 eap_sm_notify_cached(sta->eapol_sm->eap);
1437 pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm);
1438 #ifndef LOS_CONFIG_NO_VLAN
1439 ap_sta_bind_vlan(hapd, sta);
1440 #endif
1441 } else {
1442 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1443 if (reassoc) {
1444 /*
1445 * Force EAPOL state machines to start
1446 * re-authentication without having to wait for the
1447 * Supplicant to send EAPOL-Start.
1448 */
1449 sta->eapol_sm->reAuthenticate = true;
1450 }
1451 eapol_auth_step(sta->eapol_sm);
1452 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
1453 }
1454 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
1455 }
1456
1457
1458 void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta)
1459 {
1460 struct eapol_state_machine *sm = sta->eapol_sm;
1461
1462 #ifndef EXT_CODE_CROP
1463 #ifdef CONFIG_HS20
1464 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta);
1465 #endif /* CONFIG_HS20 */
1466
1467 if (sta->pending_eapol_rx) {
1468 wpabuf_free(sta->pending_eapol_rx->buf);
1469 os_free(sta->pending_eapol_rx);
1470 sta->pending_eapol_rx = NULL;
1471 }
1472 #endif /* EXT_CODE_CROP */
1473 if (!sm)
1474 return;
1475
1476 sta->eapol_sm = NULL;
1477 #ifndef EXT_CODE_CROP
1478 #ifndef CONFIG_NO_RADIUS
1479 radius_msg_free(sm->last_recv_radius);
1480 radius_free_class(&sm->radius_class);
1481 #endif /* CONFIG_NO_RADIUS */
1482 #endif /* EXT_CODE_CROP */
1483 eapol_auth_free(sm);
1484 }
1485
1486 #ifndef EXT_CODE_CROP
1487 #ifndef CONFIG_NO_RADIUS
1488 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
1489 struct sta_info *sta)
1490 {
1491 struct wpabuf *eap;
1492 const struct eap_hdr *hdr;
1493 int eap_type = -1;
1494 char buf[64];
1495 struct radius_msg *msg;
1496 struct eapol_state_machine *sm = sta->eapol_sm;
1497
1498 if (!sm || !sm->last_recv_radius) {
1499 if (sm)
1500 sm->eap_if->aaaEapNoReq = true;
1501 return;
1502 }
1503
1504 msg = sm->last_recv_radius;
1505
1506 eap = radius_msg_get_eap(msg);
1507 if (!eap) {
1508 /* RFC 3579, Chap. 2.6.3:
1509 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
1510 * attribute */
1511 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1512 HOSTAPD_LEVEL_WARNING,
1513 "could not extract EAP-Message from RADIUS message");
1514 sm->eap_if->aaaEapNoReq = true;
1515 return;
1516 }
1517
1518 if (wpabuf_len(eap) < sizeof(*hdr)) {
1519 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1520 HOSTAPD_LEVEL_WARNING,
1521 "too short EAP packet received from authentication server");
1522 wpabuf_free(eap);
1523 sm->eap_if->aaaEapNoReq = true;
1524 return;
1525 }
1526
1527 if (wpabuf_len(eap) > sizeof(*hdr))
1528 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)];
1529
1530 hdr = wpabuf_head(eap);
1531 switch (hdr->code) {
1532 case EAP_CODE_REQUEST:
1533 if (eap_type >= 0)
1534 sm->eap_type_authsrv = eap_type;
1535 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
1536 eap_server_get_name(0, eap_type), eap_type);
1537 break;
1538 case EAP_CODE_RESPONSE:
1539 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
1540 eap_server_get_name(0, eap_type), eap_type);
1541 break;
1542 case EAP_CODE_SUCCESS:
1543 os_strlcpy(buf, "EAP Success", sizeof(buf));
1544 break;
1545 case EAP_CODE_FAILURE:
1546 os_strlcpy(buf, "EAP Failure", sizeof(buf));
1547 break;
1548 default:
1549 os_strlcpy(buf, "unknown EAP code", sizeof(buf));
1550 break;
1551 }
1552 buf[sizeof(buf) - 1] = '\0';
1553 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1554 HOSTAPD_LEVEL_DEBUG,
1555 "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s",
1556 hdr->code, hdr->identifier, be_to_host16(hdr->length),
1557 buf);
1558 sm->eap_if->aaaEapReq = true;
1559
1560 wpabuf_free(sm->eap_if->aaaEapReqData);
1561 sm->eap_if->aaaEapReqData = eap;
1562 }
1563
1564
1565 static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1566 struct sta_info *sta, struct radius_msg *msg,
1567 struct radius_msg *req,
1568 const u8 *shared_secret,
1569 size_t shared_secret_len)
1570 {
1571 struct radius_ms_mppe_keys *keys;
1572 u8 *buf;
1573 size_t len;
1574 struct eapol_state_machine *sm = sta->eapol_sm;
1575
1576 if (!sm)
1577 return;
1578
1579 keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1580 shared_secret_len);
1581
1582 if (keys && keys->send && keys->recv) {
1583 len = keys->send_len + keys->recv_len;
1584 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1585 keys->send, keys->send_len);
1586 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1587 keys->recv, keys->recv_len);
1588
1589 os_free(sm->eap_if->aaaEapKeyData);
1590 sm->eap_if->aaaEapKeyData = os_malloc(len);
1591 if (sm->eap_if->aaaEapKeyData) {
1592 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1593 keys->recv_len);
1594 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1595 keys->send, keys->send_len);
1596 sm->eap_if->aaaEapKeyDataLen = len;
1597 sm->eap_if->aaaEapKeyAvailable = true;
1598 }
1599 } else {
1600 wpa_printf(MSG_DEBUG,
1601 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p",
1602 keys, keys ? keys->send : NULL,
1603 keys ? keys->recv : NULL);
1604 }
1605
1606 if (keys) {
1607 os_free(keys->send);
1608 os_free(keys->recv);
1609 os_free(keys);
1610 }
1611
1612 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len,
1613 NULL) == 0) {
1614 os_free(sm->eap_if->eapSessionId);
1615 sm->eap_if->eapSessionId = os_memdup(buf, len);
1616 if (sm->eap_if->eapSessionId) {
1617 sm->eap_if->eapSessionIdLen = len;
1618 wpa_hexdump(MSG_DEBUG, "EAP-Key Name",
1619 sm->eap_if->eapSessionId,
1620 sm->eap_if->eapSessionIdLen);
1621 }
1622 } else {
1623 sm->eap_if->eapSessionIdLen = 0;
1624 }
1625 }
1626
1627
1628 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1629 struct sta_info *sta,
1630 struct radius_msg *msg)
1631 {
1632 u8 *attr_class;
1633 size_t class_len;
1634 struct eapol_state_machine *sm = sta->eapol_sm;
1635 int count, i;
1636 struct radius_attr_data *nclass;
1637 size_t nclass_count;
1638
1639 if (!hapd->conf->radius->acct_server || !hapd->radius || !sm)
1640 return;
1641
1642 radius_free_class(&sm->radius_class);
1643 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1644 if (count <= 0)
1645 return;
1646
1647 nclass = os_calloc(count, sizeof(struct radius_attr_data));
1648 if (!nclass)
1649 return;
1650
1651 nclass_count = 0;
1652
1653 attr_class = NULL;
1654 for (i = 0; i < count; i++) {
1655 do {
1656 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1657 &attr_class, &class_len,
1658 attr_class) < 0) {
1659 i = count;
1660 break;
1661 }
1662 } while (class_len < 1);
1663
1664 nclass[nclass_count].data = os_memdup(attr_class, class_len);
1665 if (!nclass[nclass_count].data)
1666 break;
1667
1668 nclass[nclass_count].len = class_len;
1669 nclass_count++;
1670 }
1671
1672 sm->radius_class.attr = nclass;
1673 sm->radius_class.count = nclass_count;
1674 wpa_printf(MSG_DEBUG,
1675 "IEEE 802.1X: Stored %lu RADIUS Class attributes for "
1676 MACSTR,
1677 (unsigned long) sm->radius_class.count,
1678 MAC2STR(sta->addr));
1679 }
1680
1681
1682 /* Update sta->identity based on User-Name attribute in Access-Accept */
1683 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1684 struct sta_info *sta,
1685 struct radius_msg *msg)
1686 {
1687 u8 *buf, *identity;
1688 size_t len;
1689 struct eapol_state_machine *sm = sta->eapol_sm;
1690
1691 if (!sm)
1692 return;
1693
1694 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1695 NULL) < 0)
1696 return;
1697
1698 identity = (u8 *) dup_binstr(buf, len);
1699 if (!identity)
1700 return;
1701
1702 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1703 HOSTAPD_LEVEL_DEBUG,
1704 "old identity '%s' updated with User-Name from Access-Accept '%s'",
1705 sm->identity ? (char *) sm->identity : "N/A",
1706 (char *) identity);
1707
1708 os_free(sm->identity);
1709 sm->identity = identity;
1710 sm->identity_len = len;
1711 }
1712
1713
1714 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */
1715 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd,
1716 struct sta_info *sta,
1717 struct radius_msg *msg)
1718 {
1719 struct eapol_state_machine *sm = sta->eapol_sm;
1720 struct wpabuf *cui;
1721 u8 *buf;
1722 size_t len;
1723
1724 if (!sm)
1725 return;
1726
1727 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
1728 &buf, &len, NULL) < 0)
1729 return;
1730
1731 cui = wpabuf_alloc_copy(buf, len);
1732 if (!cui)
1733 return;
1734
1735 wpabuf_free(sm->radius_cui);
1736 sm->radius_cui = cui;
1737 }
1738
1739
1740 #ifdef CONFIG_HS20
1741
1742 static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len)
1743 {
1744 sta->remediation = 1;
1745 os_free(sta->remediation_url);
1746 if (len > 2) {
1747 sta->remediation_url = os_malloc(len);
1748 if (!sta->remediation_url)
1749 return;
1750 sta->remediation_method = pos[0];
1751 os_memcpy(sta->remediation_url, pos + 1, len - 1);
1752 sta->remediation_url[len - 1] = '\0';
1753 wpa_printf(MSG_DEBUG,
1754 "HS 2.0: Subscription remediation needed for "
1755 MACSTR " - server method %u URL %s",
1756 MAC2STR(sta->addr), sta->remediation_method,
1757 sta->remediation_url);
1758 } else {
1759 sta->remediation_url = NULL;
1760 wpa_printf(MSG_DEBUG,
1761 "HS 2.0: Subscription remediation needed for "
1762 MACSTR, MAC2STR(sta->addr));
1763 }
1764 /* TODO: assign the STA into remediation VLAN or add filtering */
1765 }
1766
1767
1768 static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd,
1769 struct sta_info *sta, u8 *pos,
1770 size_t len)
1771 {
1772 if (len < 3)
1773 return; /* Malformed information */
1774 sta->hs20_deauth_requested = 1;
1775 wpa_printf(MSG_DEBUG,
1776 "HS 2.0: Deauthentication request - Code %u Re-auth Delay %u",
1777 *pos, WPA_GET_LE16(pos + 1));
1778 wpabuf_free(sta->hs20_deauth_req);
1779 sta->hs20_deauth_req = wpabuf_alloc(len + 1);
1780 if (sta->hs20_deauth_req) {
1781 wpabuf_put_data(sta->hs20_deauth_req, pos, 3);
1782 wpabuf_put_u8(sta->hs20_deauth_req, len - 3);
1783 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3);
1784 }
1785 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout);
1786 }
1787
1788
1789 static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd,
1790 struct sta_info *sta, u8 *pos,
1791 size_t len, int session_timeout)
1792 {
1793 unsigned int swt;
1794 int warning_time, beacon_int;
1795
1796 if (len < 1)
1797 return; /* Malformed information */
1798 os_free(sta->hs20_session_info_url);
1799 sta->hs20_session_info_url = os_malloc(len);
1800 if (!sta->hs20_session_info_url)
1801 return;
1802 swt = pos[0];
1803 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1);
1804 sta->hs20_session_info_url[len - 1] = '\0';
1805 wpa_printf(MSG_DEBUG,
1806 "HS 2.0: Session Information URL='%s' SWT=%u (session_timeout=%d)",
1807 sta->hs20_session_info_url, swt, session_timeout);
1808 if (session_timeout < 0) {
1809 wpa_printf(MSG_DEBUG,
1810 "HS 2.0: No Session-Timeout set - ignore session info URL");
1811 return;
1812 }
1813 if (swt == 255)
1814 swt = 1; /* Use one minute as the AP selected value */
1815
1816 if ((unsigned int) session_timeout < swt * 60)
1817 warning_time = 0;
1818 else
1819 warning_time = session_timeout - swt * 60;
1820
1821 beacon_int = hapd->iconf->beacon_int;
1822 if (beacon_int < 1)
1823 beacon_int = 100; /* best guess */
1824 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128;
1825 if (sta->hs20_disassoc_timer > 65535)
1826 sta->hs20_disassoc_timer = 65535;
1827
1828 ap_sta_session_warning_timeout(hapd, sta, warning_time);
1829 }
1830
1831
1832 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data *hapd,
1833 struct sta_info *sta, u8 *pos,
1834 size_t len)
1835 {
1836 if (len < 4)
1837 return; /* Malformed information */
1838 wpa_printf(MSG_DEBUG,
1839 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x",
1840 pos[0], pos[1], pos[2], pos[3]);
1841 hs20_t_c_filtering(hapd, sta, pos[0] & BIT(0));
1842 }
1843
1844
1845 static void ieee802_1x_hs20_t_c_url(struct hostapd_data *hapd,
1846 struct sta_info *sta, u8 *pos, size_t len)
1847 {
1848 os_free(sta->t_c_url);
1849 sta->t_c_url = os_malloc(len + 1);
1850 if (!sta->t_c_url)
1851 return;
1852 os_memcpy(sta->t_c_url, pos, len);
1853 sta->t_c_url[len] = '\0';
1854 wpa_printf(MSG_DEBUG,
1855 "HS 2.0: Terms and Conditions URL %s", sta->t_c_url);
1856 }
1857
1858 #endif /* CONFIG_HS20 */
1859
1860
1861 static void ieee802_1x_check_hs20(struct hostapd_data *hapd,
1862 struct sta_info *sta,
1863 struct radius_msg *msg,
1864 int session_timeout)
1865 {
1866 #ifdef CONFIG_HS20
1867 u8 *buf, *pos, *end, type, sublen;
1868 size_t len;
1869
1870 buf = NULL;
1871 sta->remediation = 0;
1872 sta->hs20_deauth_requested = 0;
1873
1874 for (;;) {
1875 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
1876 &buf, &len, buf) < 0)
1877 break;
1878 if (len < 6)
1879 continue;
1880 pos = buf;
1881 end = buf + len;
1882 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA)
1883 continue;
1884 pos += 4;
1885
1886 type = *pos++;
1887 sublen = *pos++;
1888 if (sublen < 2)
1889 continue; /* invalid length */
1890 sublen -= 2; /* skip header */
1891 if (pos + sublen > end)
1892 continue; /* invalid WFA VSA */
1893
1894 switch (type) {
1895 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION:
1896 ieee802_1x_hs20_sub_rem(sta, pos, sublen);
1897 break;
1898 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ:
1899 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen);
1900 break;
1901 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL:
1902 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen,
1903 session_timeout);
1904 break;
1905 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING:
1906 ieee802_1x_hs20_t_c_filtering(hapd, sta, pos, sublen);
1907 break;
1908 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL:
1909 ieee802_1x_hs20_t_c_url(hapd, sta, pos, sublen);
1910 break;
1911 }
1912 }
1913 #endif /* CONFIG_HS20 */
1914 }
1915
1916
1917 struct sta_id_search {
1918 u8 identifier;
1919 struct eapol_state_machine *sm;
1920 };
1921
1922
1923 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1924 struct sta_info *sta,
1925 void *ctx)
1926 {
1927 struct sta_id_search *id_search = ctx;
1928 struct eapol_state_machine *sm = sta->eapol_sm;
1929
1930 if (sm && sm->radius_identifier >= 0 &&
1931 sm->radius_identifier == id_search->identifier) {
1932 id_search->sm = sm;
1933 return 1;
1934 }
1935 return 0;
1936 }
1937
1938
1939 static struct eapol_state_machine *
1940 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1941 {
1942 struct sta_id_search id_search;
1943
1944 id_search.identifier = identifier;
1945 id_search.sm = NULL;
1946 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1947 return id_search.sm;
1948 }
1949
1950
1951 #ifndef CONFIG_NO_VLAN
1952 static int ieee802_1x_update_vlan(struct radius_msg *msg,
1953 struct hostapd_data *hapd,
1954 struct sta_info *sta)
1955 {
1956 struct vlan_description vlan_desc;
1957
1958 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
1959 vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged,
1960 MAX_NUM_TAGGED_VLAN,
1961 vlan_desc.tagged);
1962
1963 if (vlan_desc.notempty &&
1964 !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
1965 sta->eapol_sm->authFail = true;
1966 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1967 HOSTAPD_LEVEL_INFO,
1968 "Invalid VLAN %d%s received from RADIUS server",
1969 vlan_desc.untagged,
1970 vlan_desc.tagged[0] ? "+" : "");
1971 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
1972 ap_sta_set_vlan(hapd, sta, &vlan_desc);
1973 return -1;
1974 }
1975
1976 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED &&
1977 !vlan_desc.notempty) {
1978 sta->eapol_sm->authFail = true;
1979 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1980 HOSTAPD_LEVEL_INFO,
1981 "authentication server did not include required VLAN ID in Access-Accept");
1982 return -1;
1983 }
1984
1985 return ap_sta_set_vlan(hapd, sta, &vlan_desc);
1986 }
1987 #endif /* CONFIG_NO_VLAN */
1988
1989
1990 /**
1991 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1992 * @msg: RADIUS response message
1993 * @req: RADIUS request message
1994 * @shared_secret: RADIUS shared secret
1995 * @shared_secret_len: Length of shared_secret in octets
1996 * @data: Context data (struct hostapd_data *)
1997 * Returns: Processing status
1998 */
1999 static RadiusRxResult
2000 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
2001 const u8 *shared_secret, size_t shared_secret_len,
2002 void *data)
2003 {
2004 struct hostapd_data *hapd = data;
2005 struct sta_info *sta;
2006 u32 session_timeout = 0, termination_action, acct_interim_interval;
2007 int session_timeout_set;
2008 u32 reason_code;
2009 struct eapol_state_machine *sm;
2010 int override_eapReq = 0;
2011 struct radius_hdr *hdr = radius_msg_get_hdr(msg);
2012
2013 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
2014 if (!sm) {
2015 wpa_printf(MSG_DEBUG,
2016 "IEEE 802.1X: Could not find matching station for this RADIUS message");
2017 return RADIUS_RX_UNKNOWN;
2018 }
2019 sta = sm->sta;
2020
2021 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
2022 * present when packet contains an EAP-Message attribute */
2023 if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
2024 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
2025 0) < 0 &&
2026 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
2027 wpa_printf(MSG_DEBUG,
2028 "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
2029 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
2030 req, 1)) {
2031 wpa_printf(MSG_INFO,
2032 "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
2033 return RADIUS_RX_INVALID_AUTHENTICATOR;
2034 }
2035
2036 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
2037 hdr->code != RADIUS_CODE_ACCESS_REJECT &&
2038 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
2039 wpa_printf(MSG_INFO, "Unknown RADIUS message code");
2040 return RADIUS_RX_UNKNOWN;
2041 }
2042
2043 sm->radius_identifier = -1;
2044 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
2045 MAC2STR(sta->addr));
2046
2047 radius_msg_free(sm->last_recv_radius);
2048 sm->last_recv_radius = msg;
2049
2050 session_timeout_set =
2051 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
2052 &session_timeout);
2053 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
2054 &termination_action))
2055 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
2056
2057 if (hapd->conf->acct_interim_interval == 0 &&
2058 hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
2059 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
2060 &acct_interim_interval) == 0) {
2061 if (acct_interim_interval < 60) {
2062 hostapd_logger(hapd, sta->addr,
2063 HOSTAPD_MODULE_IEEE8021X,
2064 HOSTAPD_LEVEL_INFO,
2065 "ignored too small Acct-Interim-Interval %d",
2066 acct_interim_interval);
2067 } else
2068 sta->acct_interim_interval = acct_interim_interval;
2069 }
2070
2071
2072 switch (hdr->code) {
2073 case RADIUS_CODE_ACCESS_ACCEPT:
2074 #ifndef CONFIG_NO_VLAN
2075 if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED &&
2076 ieee802_1x_update_vlan(msg, hapd, sta) < 0)
2077 break;
2078
2079 if (sta->vlan_id > 0) {
2080 hostapd_logger(hapd, sta->addr,
2081 HOSTAPD_MODULE_RADIUS,
2082 HOSTAPD_LEVEL_INFO,
2083 "VLAN ID %d", sta->vlan_id);
2084 }
2085
2086 if ((sta->flags & WLAN_STA_ASSOC) &&
2087 ap_sta_bind_vlan(hapd, sta) < 0)
2088 break;
2089 #endif /* CONFIG_NO_VLAN */
2090
2091 sta->session_timeout_set = !!session_timeout_set;
2092 os_get_reltime(&sta->session_timeout);
2093 sta->session_timeout.sec += session_timeout;
2094
2095 /* RFC 3580, Ch. 3.17 */
2096 if (session_timeout_set && termination_action ==
2097 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST)
2098 sm->reAuthPeriod = session_timeout;
2099 else if (session_timeout_set)
2100 ap_sta_session_timeout(hapd, sta, session_timeout);
2101 else
2102 ap_sta_no_session_timeout(hapd, sta);
2103
2104 sm->eap_if->aaaSuccess = true;
2105 override_eapReq = 1;
2106 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
2107 shared_secret_len);
2108 ieee802_1x_store_radius_class(hapd, sta, msg);
2109 ieee802_1x_update_sta_identity(hapd, sta, msg);
2110 ieee802_1x_update_sta_cui(hapd, sta, msg);
2111 ieee802_1x_check_hs20(hapd, sta, msg,
2112 session_timeout_set ?
2113 (int) session_timeout : -1);
2114 break;
2115 case RADIUS_CODE_ACCESS_REJECT:
2116 sm->eap_if->aaaFail = true;
2117 override_eapReq = 1;
2118 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
2119 &reason_code) == 0) {
2120 wpa_printf(MSG_DEBUG,
2121 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for "
2122 MACSTR, reason_code, MAC2STR(sta->addr));
2123 sta->disconnect_reason_code = reason_code;
2124 }
2125 break;
2126 case RADIUS_CODE_ACCESS_CHALLENGE:
2127 sm->eap_if->aaaEapReq = true;
2128 if (session_timeout_set) {
2129 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
2130 sm->eap_if->aaaMethodTimeout = session_timeout;
2131 hostapd_logger(hapd, sm->addr,
2132 HOSTAPD_MODULE_IEEE8021X,
2133 HOSTAPD_LEVEL_DEBUG,
2134 "using EAP timeout of %d seconds (from RADIUS)",
2135 sm->eap_if->aaaMethodTimeout);
2136 } else {
2137 /*
2138 * Use dynamic retransmission behavior per EAP
2139 * specification.
2140 */
2141 sm->eap_if->aaaMethodTimeout = 0;
2142 }
2143 break;
2144 }
2145
2146 ieee802_1x_decapsulate_radius(hapd, sta);
2147 if (override_eapReq)
2148 sm->eap_if->aaaEapReq = false;
2149
2150 #ifdef CONFIG_FILS
2151 #ifdef NEED_AP_MLME
2152 if (sta->flags &
2153 (WLAN_STA_PENDING_FILS_ERP | WLAN_STA_PENDING_PASN_FILS_ERP)) {
2154 /* TODO: Add a PMKSA entry on success? */
2155 ieee802_11_finish_fils_auth(
2156 hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT,
2157 sm->eap_if->aaaEapReqData,
2158 sm->eap_if->aaaEapKeyData,
2159 sm->eap_if->aaaEapKeyDataLen);
2160 }
2161 #endif /* NEED_AP_MLME */
2162 #endif /* CONFIG_FILS */
2163
2164 eapol_auth_step(sm);
2165
2166 return RADIUS_RX_QUEUED;
2167 }
2168 #endif /* CONFIG_NO_RADIUS */
2169 #endif /* EXT_CODE_CROP */
2170
2171 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
2172 {
2173 struct eapol_state_machine *sm = sta->eapol_sm;
2174
2175 if (!sm)
2176 return;
2177
2178 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
2179 HOSTAPD_LEVEL_DEBUG, "aborting authentication");
2180
2181 #ifndef CONFIG_NO_RADIUS
2182 radius_msg_free(sm->last_recv_radius);
2183 sm->last_recv_radius = NULL;
2184 #endif /* CONFIG_NO_RADIUS */
2185
2186 if (sm->eap_if->eapTimeout) {
2187 /*
2188 * Disconnect the STA since it did not reply to the last EAP
2189 * request and we cannot continue EAP processing (EAP-Failure
2190 * could only be sent if the EAP peer actually replied).
2191 */
2192 #ifndef CONFIG_PRINT_NOUSE
2193 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR,
2194 MAC2STR(sta->addr));
2195 #endif /* CONFIG_PRINT_NOUSE */
2196 sm->eap_if->portEnabled = false;
2197 ap_sta_disconnect(hapd, sta, sta->addr,
2198 WLAN_REASON_PREV_AUTH_NOT_VALID);
2199 }
2200 }
2201
2202
2203 #ifdef CONFIG_WEP
2204 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
2205 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
2206 {
2207 struct eapol_authenticator *eapol = hapd->eapol_auth;
2208
2209 if (hapd->conf->default_wep_key_len < 1)
2210 return 0;
2211
2212 os_free(eapol->default_wep_key);
2213 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
2214 if (!eapol->default_wep_key ||
2215 random_get_bytes(eapol->default_wep_key,
2216 hapd->conf->default_wep_key_len)) {
2217 wpa_printf(MSG_INFO, "Could not generate random WEP key");
2218 os_free(eapol->default_wep_key);
2219 eapol->default_wep_key = NULL;
2220 return -1;
2221 }
2222
2223 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
2224 eapol->default_wep_key,
2225 hapd->conf->default_wep_key_len);
2226
2227 return 0;
2228 }
2229
2230
2231 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
2232 struct sta_info *sta, void *ctx)
2233 {
2234 if (sta->eapol_sm) {
2235 sta->eapol_sm->eap_if->eapKeyAvailable = true;
2236 eapol_auth_step(sta->eapol_sm);
2237 }
2238 return 0;
2239 }
2240
2241
2242 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx)
2243 {
2244 struct hostapd_data *hapd = eloop_ctx;
2245 struct eapol_authenticator *eapol = hapd->eapol_auth;
2246
2247 if (eapol->default_wep_key_idx >= 3)
2248 eapol->default_wep_key_idx =
2249 hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
2250 else
2251 eapol->default_wep_key_idx++;
2252
2253 wpa_warning_log1(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
2254 eapol->default_wep_key_idx);
2255
2256 if (ieee802_1x_rekey_broadcast(hapd)) {
2257 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
2258 HOSTAPD_LEVEL_WARNING,
2259 "failed to generate a new broadcast key");
2260 os_free(eapol->default_wep_key);
2261 eapol->default_wep_key = NULL;
2262 return;
2263 }
2264
2265 /* TODO: Could setup key for RX here, but change default TX keyid only
2266 * after new broadcast key has been sent to all stations. */
2267 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
2268 broadcast_ether_addr,
2269 eapol->default_wep_key_idx, 0, 1, NULL, 0,
2270 eapol->default_wep_key,
2271 hapd->conf->default_wep_key_len,
2272 KEY_FLAG_GROUP_RX_TX_DEFAULT)) {
2273 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
2274 HOSTAPD_LEVEL_WARNING,
2275 "failed to configure a new broadcast key");
2276 os_free(eapol->default_wep_key);
2277 eapol->default_wep_key = NULL;
2278 return;
2279 }
2280
2281 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
2282
2283 if (hapd->conf->wep_rekeying_period > 0) {
2284 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
2285 ieee802_1x_rekey, hapd, NULL);
2286 }
2287 }
2288 #endif /* LOS_CONFIG_HOSTAPD_SECURITY */
2289 #endif /* CONFIG_WEP */
2290
2291
2292 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type,
2293 const u8 *data, size_t datalen)
2294 {
2295 #ifdef CONFIG_WPS_AP
2296 struct sta_info *sta = sta_ctx;
2297
2298 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
2299 WLAN_STA_MAYBE_WPS) {
2300 const u8 *identity;
2301 size_t identity_len;
2302 struct eapol_state_machine *sm = sta->eapol_sm;
2303
2304 identity = eap_get_identity(sm->eap, &identity_len);
2305 if (identity &&
2306 ((identity_len == WSC_ID_ENROLLEE_LEN &&
2307 os_memcmp(identity, WSC_ID_ENROLLEE,
2308 WSC_ID_ENROLLEE_LEN) == 0) ||
2309 (identity_len == WSC_ID_REGISTRAR_LEN &&
2310 os_memcmp(identity, WSC_ID_REGISTRAR,
2311 WSC_ID_REGISTRAR_LEN) == 0))) {
2312 wpa_warning_log0(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
2313 "WLAN_STA_WPS");
2314 sta->flags |= WLAN_STA_WPS;
2315 }
2316 }
2317 #endif /* CONFIG_WPS_AP */
2318
2319 ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
2320 }
2321
2322 #ifndef EXT_CODE_CROP
2323 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx,
2324 const u8 *data, size_t datalen)
2325 {
2326 #ifndef CONFIG_NO_RADIUS
2327 struct hostapd_data *hapd = ctx;
2328 struct sta_info *sta = sta_ctx;
2329
2330 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
2331 #endif /* CONFIG_NO_RADIUS */
2332 }
2333 #endif /* EXT_CODE_CROP */
2334
2335 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success,
2336 int preauth, int remediation)
2337 {
2338 struct hostapd_data *hapd = ctx;
2339 struct sta_info *sta = sta_ctx;
2340
2341 if (preauth)
2342 rsn_preauth_finished(hapd, sta, success);
2343 else
2344 ieee802_1x_finished(hapd, sta, success, remediation);
2345 }
2346
2347
2348 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity,
2349 size_t identity_len, int phase2,
2350 struct eap_user *user)
2351 {
2352 struct hostapd_data *hapd = ctx;
2353 const struct hostapd_eap_user *eap_user;
2354 int i;
2355 int rv = -1;
2356
2357 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2);
2358 if (!eap_user)
2359 goto out;
2360
2361 os_memset(user, 0, sizeof(*user));
2362 user->phase2 = phase2;
2363 for (i = 0; i < EAP_MAX_METHODS; i++) {
2364 user->methods[i].vendor = eap_user->methods[i].vendor;
2365 user->methods[i].method = eap_user->methods[i].method;
2366 }
2367
2368 if (eap_user->password) {
2369 user->password = os_memdup(eap_user->password,
2370 eap_user->password_len);
2371 if (!user->password)
2372 goto out;
2373 user->password_len = eap_user->password_len;
2374 user->password_hash = eap_user->password_hash;
2375 if (eap_user->salt && eap_user->salt_len) {
2376 user->salt = os_memdup(eap_user->salt,
2377 eap_user->salt_len);
2378 if (!user->salt)
2379 goto out;
2380 user->salt_len = eap_user->salt_len;
2381 }
2382 }
2383 user->force_version = eap_user->force_version;
2384 #ifndef EXT_CODE_CROP
2385 user->macacl = eap_user->macacl;
2386 user->ttls_auth = eap_user->ttls_auth;
2387 #endif /* EXT_CODE_CROP */
2388 user->remediation = eap_user->remediation;
2389 rv = 0;
2390
2391 out:
2392 if (rv)
2393 wpa_warning_log0(MSG_DEBUG, "ieee802_1x_get_eap_user: Failed to find user");
2394
2395 return rv;
2396 }
2397
2398
2399 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr)
2400 {
2401 struct hostapd_data *hapd = ctx;
2402 struct sta_info *sta;
2403
2404 sta = ap_get_sta(hapd, addr);
2405 if (!sta || !sta->eapol_sm)
2406 return 0;
2407 return 1;
2408 }
2409
2410
2411 static void ieee802_1x_logger(void *ctx, const u8 *addr,
2412 eapol_logger_level level, const char *txt)
2413 {
2414 #ifndef CONFIG_NO_HOSTAPD_LOGGER
2415 struct hostapd_data *hapd = ctx;
2416 int hlevel;
2417
2418 switch (level) {
2419 case EAPOL_LOGGER_WARNING:
2420 hlevel = HOSTAPD_LEVEL_WARNING;
2421 break;
2422 case EAPOL_LOGGER_INFO:
2423 hlevel = HOSTAPD_LEVEL_INFO;
2424 break;
2425 case EAPOL_LOGGER_DEBUG:
2426 default:
2427 hlevel = HOSTAPD_LEVEL_DEBUG;
2428 break;
2429 }
2430
2431 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
2432 txt);
2433 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
2434 }
2435
2436
2437 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx,
2438 int authorized)
2439 {
2440 struct hostapd_data *hapd = ctx;
2441 struct sta_info *sta = sta_ctx;
2442
2443 ieee802_1x_set_sta_authorized(hapd, sta, authorized);
2444 }
2445
2446
2447 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx)
2448 {
2449 struct hostapd_data *hapd = ctx;
2450 struct sta_info *sta = sta_ctx;
2451
2452 ieee802_1x_abort_auth(hapd, sta);
2453 }
2454
2455
2456 #ifdef CONFIG_WEP
2457 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx)
2458 {
2459 #ifndef CONFIG_FIPS
2460 #ifndef CONFIG_NO_RC4
2461 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
2462 struct hostapd_data *hapd = ctx;
2463 struct sta_info *sta = sta_ctx;
2464
2465 ieee802_1x_tx_key(hapd, sta);
2466 #else
2467 (void)ctx;
2468 (void)sta_ctx;
2469 #endif
2470 #endif /* CONFIG_NO_RC4 */
2471 #endif /* CONFIG_FIPS */
2472 }
2473 #endif /* CONFIG_WEP */
2474
2475
2476 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx,
2477 enum eapol_event type)
2478 {
2479 /* struct hostapd_data *hapd = ctx; */
2480 struct sta_info *sta = sta_ctx;
2481
2482 switch (type) {
2483 case EAPOL_AUTH_SM_CHANGE:
2484 wpa_auth_sm_notify(sta->wpa_sm);
2485 break;
2486 case EAPOL_AUTH_REAUTHENTICATE:
2487 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
2488 break;
2489 }
2490 }
2491
2492
2493 #ifdef CONFIG_ERP
2494
2495 static struct eap_server_erp_key *
2496 ieee802_1x_erp_get_key(void *ctx, const char *keyname)
2497 {
2498 struct hostapd_data *hapd = ctx;
2499 struct eap_server_erp_key *erp;
2500
2501 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key,
2502 list) {
2503 if (os_strcmp(erp->keyname_nai, keyname) == 0)
2504 return erp;
2505 }
2506
2507 return NULL;
2508 }
2509
2510
2511 static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
2512 {
2513 struct hostapd_data *hapd = ctx;
2514
2515 dl_list_add(&hapd->erp_keys, &erp->list);
2516 return 0;
2517 }
2518
2519 #endif /* CONFIG_ERP */
2520
2521
2522 int ieee802_1x_init(struct hostapd_data *hapd)
2523 {
2524 struct eapol_auth_config conf;
2525 struct eapol_auth_cb cb;
2526
2527 dl_list_init(&hapd->erp_keys);
2528
2529 os_memset(&conf, 0, sizeof(conf));
2530 conf.eap_cfg = hapd->eap_cfg;
2531 conf.ctx = hapd;
2532 conf.eap_reauth_period = hapd->conf->eap_reauth_period;
2533 conf.wpa = hapd->conf->wpa;
2534 #ifdef CONFIG_WEP
2535 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
2536 #endif /* CONFIG_WEP */
2537 #ifndef EXT_CODE_CROP
2538 conf.eap_req_id_text = hapd->conf->eap_req_id_text;
2539 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
2540 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
2541 conf.erp_domain = hapd->conf->erp_domain;
2542 #endif /* EXT_CODE_CROP */
2543
2544 os_memset(&cb, 0, sizeof(cb));
2545 cb.eapol_send = ieee802_1x_eapol_send;
2546 #ifndef EXT_CODE_CROP
2547 cb.aaa_send = ieee802_1x_aaa_send;
2548 #else
2549 cb.aaa_send = NULL;
2550 #endif /* EXT_CODE_CROP */
2551 cb.finished = _ieee802_1x_finished;
2552 cb.get_eap_user = ieee802_1x_get_eap_user;
2553 cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
2554 #ifndef CONFIG_NO_HOSTAPD_LOGGER
2555 cb.logger = ieee802_1x_logger;
2556 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
2557 cb.set_port_authorized = ieee802_1x_set_port_authorized;
2558 cb.abort_auth = _ieee802_1x_abort_auth;
2559 #ifdef CONFIG_WEP
2560 cb.tx_key = _ieee802_1x_tx_key;
2561 #endif /* CONFIG_WEP */
2562 cb.eapol_event = ieee802_1x_eapol_event;
2563 #ifdef CONFIG_ERP
2564 cb.erp_get_key = ieee802_1x_erp_get_key;
2565 cb.erp_add_key = ieee802_1x_erp_add_key;
2566 #endif /* CONFIG_ERP */
2567
2568 hapd->eapol_auth = eapol_auth_init(&conf, &cb);
2569 if (!hapd->eapol_auth)
2570 return -1;
2571 #ifndef LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT
2572 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) &&
2573 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
2574 return -1;
2575 #endif /* LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT */
2576 #ifndef CONFIG_NO_RADIUS
2577 if (radius_client_register(hapd->radius, RADIUS_AUTH,
2578 ieee802_1x_receive_auth, hapd))
2579 return -1;
2580 #endif /* CONFIG_NO_RADIUS */
2581
2582 #ifdef CONFIG_WEP
2583 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
2584 if (hapd->conf->default_wep_key_len) {
2585 int i;
2586
2587 for (i = 0; i < 4; i++)
2588 hostapd_drv_set_key(hapd->conf->iface, hapd,
2589 WPA_ALG_NONE, NULL, i, 0, 0, NULL,
2590 0, NULL, 0, KEY_FLAG_GROUP);
2591
2592 ieee802_1x_rekey(hapd, NULL);
2593
2594 if (!hapd->eapol_auth->default_wep_key)
2595 return -1;
2596 }
2597 #endif /* LOS_CONFIG_HOSTAPD_SECURITY */
2598 #endif /* CONFIG_WEP */
2599
2600 return 0;
2601 }
2602
2603 #ifdef CONFIG_ERP
2604 void ieee802_1x_erp_flush(struct hostapd_data *hapd)
2605 {
2606 struct eap_server_erp_key *erp;
2607
2608 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key,
2609 list)) != NULL) {
2610 dl_list_del(&erp->list);
2611 bin_clear_free(erp, sizeof(*erp));
2612 }
2613 }
2614 #endif /* CONFIG_ERP */
2615
2616 void ieee802_1x_deinit(struct hostapd_data *hapd)
2617 {
2618 #ifdef CONFIG_WEP
2619 #ifndef LOS_CONFIG_HOSTAPD_SECURITY
2620 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
2621 #endif /* LOS_CONFIG_HOSTAPD_SECURITY */
2622 #endif /* CONFIG_WEP */
2623 #ifndef LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT
2624 if (hapd->driver && hapd->drv_priv &&
2625 (hapd->conf->ieee802_1x || hapd->conf->wpa))
2626 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
2627 #endif /* LOS_CONFIG_EXT_DRIVER_NOT_SUPPORT */
2628 eapol_auth_deinit(hapd->eapol_auth);
2629 hapd->eapol_auth = NULL;
2630
2631 #ifdef CONFIG_ERP
2632 ieee802_1x_erp_flush(hapd);
2633 #endif /* CONFIG_ERP */
2634 }
2635
2636
2637 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
2638 const u8 *buf, size_t len, int ack)
2639 {
2640 struct ieee80211_hdr *hdr;
2641 u8 *pos;
2642 const unsigned char rfc1042_hdr[ETH_ALEN] =
2643 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
2644
2645 if (!sta)
2646 return -1;
2647 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2)
2648 return 0;
2649
2650 hdr = (struct ieee80211_hdr *) buf;
2651 pos = (u8 *) (hdr + 1);
2652 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
2653 return 0;
2654 pos += sizeof(rfc1042_hdr);
2655 if (WPA_GET_BE16(pos) != ETH_P_PAE)
2656 return 0;
2657 pos += 2;
2658
2659 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos,
2660 ack);
2661 }
2662
2663
2664 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
2665 const u8 *buf, int len, int ack)
2666 {
2667 const struct ieee802_1x_hdr *xhdr =
2668 (const struct ieee802_1x_hdr *) buf;
2669 const u8 *pos = buf + sizeof(*xhdr);
2670 struct ieee802_1x_eapol_key *key;
2671
2672 if (len < (int) sizeof(*xhdr))
2673 return 0;
2674 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
2675 "type=%d length=%d - ack=%d",
2676 MAC2STR(sta->addr), xhdr->version, xhdr->type,
2677 be_to_host16(xhdr->length), ack);
2678
2679 #ifdef CONFIG_WPS_AP
2680 if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack &&
2681 (sta->flags & WLAN_STA_WPS) &&
2682 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) {
2683 wpa_warning_log0(MSG_DEBUG,
2684 "WPS: Indicate EAP completion on ACK for EAP-Failure");
2685 hostapd_wps_eap_completed(hapd);
2686 }
2687 #endif /* CONFIG_WPS_AP */
2688
2689 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY)
2690 return 0;
2691
2692 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) {
2693 const struct wpa_eapol_key *wpa;
2694
2695 wpa = (const struct wpa_eapol_key *) pos;
2696 if (wpa->type == EAPOL_KEY_TYPE_RSN ||
2697 wpa->type == EAPOL_KEY_TYPE_WPA)
2698 wpa_auth_eapol_key_tx_status(hapd->wpa_auth,
2699 sta->wpa_sm, ack);
2700 }
2701
2702 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
2703 * or Authenticator state machines, but EAPOL-Key packets are not
2704 * retransmitted in case of failure. Try to re-send failed EAPOL-Key
2705 * packets couple of times because otherwise STA keys become
2706 * unsynchronized with AP. */
2707 if (!ack && pos + sizeof(*key) <= buf + len) {
2708 key = (struct ieee802_1x_eapol_key *) pos;
2709 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
2710 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
2711 "frame (%scast index=%d)",
2712 key->key_index & BIT(7) ? "uni" : "broad",
2713 key->key_index & ~BIT(7));
2714 /* TODO: re-send EAPOL-Key couple of times (with short delay
2715 * between them?). If all attempt fail, report error and
2716 * deauthenticate STA so that it will get new keys when
2717 * authenticating again (e.g., after returning in range).
2718 * Separate limit/transmit state needed both for unicast and
2719 * broadcast keys(?) */
2720 }
2721 /* TODO: could move unicast key configuration from ieee802_1x_tx_key()
2722 * to here and change the key only if the EAPOL-Key packet was Acked.
2723 */
2724
2725 return 1;
2726 }
2727
2728
2729 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len)
2730 {
2731 if (!sm || !sm->identity)
2732 return NULL;
2733
2734 *len = sm->identity_len;
2735 return sm->identity;
2736 }
2737
2738 #ifndef EXT_CODE_CROP
2739 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len,
2740 int idx)
2741 {
2742 if (!sm || !sm->radius_class.attr ||
2743 idx >= (int) sm->radius_class.count)
2744 return NULL;
2745
2746 *len = sm->radius_class.attr[idx].len;
2747 return sm->radius_class.attr[idx].data;
2748 }
2749
2750
2751 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm)
2752 {
2753 if (!sm)
2754 return NULL;
2755 return sm->radius_cui;
2756 }
2757
2758 #endif /* EXT_CODE_CROP */
2759 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len)
2760 {
2761 *len = 0;
2762 if (!sm)
2763 return NULL;
2764
2765 *len = sm->eap_if->eapKeyDataLen;
2766 return sm->eap_if->eapKeyData;
2767 }
2768
2769
2770 #ifdef CONFIG_MACSEC
2771 const u8 * ieee802_1x_get_session_id(struct eapol_state_machine *sm,
2772 size_t *len)
2773 {
2774 *len = 0;
2775 if (!sm || !sm->eap_if)
2776 return NULL;
2777
2778 *len = sm->eap_if->eapSessionIdLen;
2779 return sm->eap_if->eapSessionId;
2780 }
2781 #endif /* CONFIG_MACSEC */
2782
2783
2784 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
2785 bool enabled)
2786 {
2787 if (!sm)
2788 return;
2789 sm->eap_if->portEnabled = enabled;
2790 eapol_auth_step(sm);
2791 }
2792
2793
2794 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, bool valid)
2795 {
2796 if (!sm)
2797 return;
2798 sm->portValid = valid;
2799 eapol_auth_step(sm);
2800 }
2801
2802
2803 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, bool pre_auth)
2804 {
2805 if (!sm)
2806 return;
2807 if (pre_auth)
2808 sm->flags |= EAPOL_SM_PREAUTH;
2809 else
2810 sm->flags &= ~EAPOL_SM_PREAUTH;
2811 }
2812
2813 #ifndef EXT_CODE_CROP
2814 static const char * bool_txt(bool val)
2815 {
2816 return val ? "TRUE" : "FALSE";
2817 }
2818 #endif /* EXT_CODE_CROP */
2819
2820 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
2821 {
2822 /* TODO */
2823 return 0;
2824 }
2825
2826 #ifndef EXT_CODE_CROP
2827 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
2828 char *buf, size_t buflen)
2829 {
2830 int len = 0, ret;
2831 struct eapol_state_machine *sm = sta->eapol_sm;
2832 struct os_reltime diff;
2833 const char *name1;
2834 const char *name2;
2835 char *identity_buf = NULL;
2836
2837 if (!sm)
2838 return 0;
2839
2840 ret = os_snprintf(buf + len, buflen - len,
2841 "dot1xPaePortNumber=%d\n"
2842 "dot1xPaePortProtocolVersion=%d\n"
2843 "dot1xPaePortCapabilities=1\n"
2844 "dot1xPaePortInitialize=%d\n"
2845 "dot1xPaePortReauthenticate=FALSE\n",
2846 sta->aid,
2847 EAPOL_VERSION,
2848 sm->initialize);
2849 if (os_snprintf_error(buflen - len, ret))
2850 return len;
2851 len += ret;
2852
2853 /* dot1xAuthConfigTable */
2854 ret = os_snprintf(buf + len, buflen - len,
2855 "dot1xAuthPaeState=%d\n"
2856 "dot1xAuthBackendAuthState=%d\n"
2857 "dot1xAuthAdminControlledDirections=%d\n"
2858 "dot1xAuthOperControlledDirections=%d\n"
2859 "dot1xAuthAuthControlledPortStatus=%d\n"
2860 "dot1xAuthAuthControlledPortControl=%d\n"
2861 "dot1xAuthQuietPeriod=%u\n"
2862 "dot1xAuthServerTimeout=%u\n"
2863 "dot1xAuthReAuthPeriod=%u\n"
2864 "dot1xAuthReAuthEnabled=%s\n"
2865 "dot1xAuthKeyTxEnabled=%s\n",
2866 sm->auth_pae_state + 1,
2867 sm->be_auth_state + 1,
2868 sm->adminControlledDirections,
2869 sm->operControlledDirections,
2870 sm->authPortStatus,
2871 sm->portControl,
2872 sm->quietPeriod,
2873 sm->serverTimeout,
2874 sm->reAuthPeriod,
2875 bool_txt(sm->reAuthEnabled),
2876 bool_txt(sm->keyTxEnabled));
2877 if (os_snprintf_error(buflen - len, ret))
2878 return len;
2879 len += ret;
2880
2881 /* dot1xAuthStatsTable */
2882 ret = os_snprintf(buf + len, buflen - len,
2883 "dot1xAuthEapolFramesRx=%u\n"
2884 "dot1xAuthEapolFramesTx=%u\n"
2885 "dot1xAuthEapolStartFramesRx=%u\n"
2886 "dot1xAuthEapolLogoffFramesRx=%u\n"
2887 "dot1xAuthEapolRespIdFramesRx=%u\n"
2888 "dot1xAuthEapolRespFramesRx=%u\n"
2889 "dot1xAuthEapolReqIdFramesTx=%u\n"
2890 "dot1xAuthEapolReqFramesTx=%u\n"
2891 "dot1xAuthInvalidEapolFramesRx=%u\n"
2892 "dot1xAuthEapLengthErrorFramesRx=%u\n"
2893 "dot1xAuthLastEapolFrameVersion=%u\n"
2894 "dot1xAuthLastEapolFrameSource=" MACSTR "\n",
2895 sm->dot1xAuthEapolFramesRx,
2896 sm->dot1xAuthEapolFramesTx,
2897 sm->dot1xAuthEapolStartFramesRx,
2898 sm->dot1xAuthEapolLogoffFramesRx,
2899 sm->dot1xAuthEapolRespIdFramesRx,
2900 sm->dot1xAuthEapolRespFramesRx,
2901 sm->dot1xAuthEapolReqIdFramesTx,
2902 sm->dot1xAuthEapolReqFramesTx,
2903 sm->dot1xAuthInvalidEapolFramesRx,
2904 sm->dot1xAuthEapLengthErrorFramesRx,
2905 sm->dot1xAuthLastEapolFrameVersion,
2906 MAC2STR(sm->addr));
2907 if (os_snprintf_error(buflen - len, ret))
2908 return len;
2909 len += ret;
2910
2911 /* dot1xAuthDiagTable */
2912 ret = os_snprintf(buf + len, buflen - len,
2913 "dot1xAuthEntersConnecting=%u\n"
2914 "dot1xAuthEapLogoffsWhileConnecting=%u\n"
2915 "dot1xAuthEntersAuthenticating=%u\n"
2916 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2917 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2918 "dot1xAuthAuthFailWhileAuthenticating=%u\n"
2919 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2920 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2921 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2922 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2923 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2924 "dot1xAuthBackendResponses=%u\n"
2925 "dot1xAuthBackendAccessChallenges=%u\n"
2926 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2927 "dot1xAuthBackendAuthSuccesses=%u\n"
2928 "dot1xAuthBackendAuthFails=%u\n",
2929 sm->authEntersConnecting,
2930 sm->authEapLogoffsWhileConnecting,
2931 sm->authEntersAuthenticating,
2932 sm->authAuthSuccessesWhileAuthenticating,
2933 sm->authAuthTimeoutsWhileAuthenticating,
2934 sm->authAuthFailWhileAuthenticating,
2935 sm->authAuthEapStartsWhileAuthenticating,
2936 sm->authAuthEapLogoffWhileAuthenticating,
2937 sm->authAuthReauthsWhileAuthenticated,
2938 sm->authAuthEapStartsWhileAuthenticated,
2939 sm->authAuthEapLogoffWhileAuthenticated,
2940 sm->backendResponses,
2941 sm->backendAccessChallenges,
2942 sm->backendOtherRequestsToSupplicant,
2943 sm->backendAuthSuccesses,
2944 sm->backendAuthFails);
2945 if (os_snprintf_error(buflen - len, ret))
2946 return len;
2947 len += ret;
2948
2949 /* dot1xAuthSessionStatsTable */
2950 os_reltime_age(&sta->acct_session_start, &diff);
2951 if (sm->eap && !sm->identity) {
2952 const u8 *id;
2953 size_t id_len;
2954
2955 id = eap_get_identity(sm->eap, &id_len);
2956 if (id)
2957 identity_buf = dup_binstr(id, id_len);
2958 }
2959 ret = os_snprintf(buf + len, buflen - len,
2960 /* TODO: dot1xAuthSessionOctetsRx */
2961 /* TODO: dot1xAuthSessionOctetsTx */
2962 /* TODO: dot1xAuthSessionFramesRx */
2963 /* TODO: dot1xAuthSessionFramesTx */
2964 "dot1xAuthSessionId=%016llX\n"
2965 "dot1xAuthSessionAuthenticMethod=%d\n"
2966 "dot1xAuthSessionTime=%u\n"
2967 "dot1xAuthSessionTerminateCause=999\n"
2968 "dot1xAuthSessionUserName=%s\n",
2969 (unsigned long long) sta->acct_session_id,
2970 (wpa_key_mgmt_wpa_ieee8021x(
2971 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
2972 1 : 2,
2973 (unsigned int) diff.sec,
2974 sm->identity ? (char *) sm->identity :
2975 (identity_buf ? identity_buf : "N/A"));
2976 os_free(identity_buf);
2977 if (os_snprintf_error(buflen - len, ret))
2978 return len;
2979 len += ret;
2980
2981 if (sm->acct_multi_session_id) {
2982 ret = os_snprintf(buf + len, buflen - len,
2983 "authMultiSessionId=%016llX\n",
2984 (unsigned long long)
2985 sm->acct_multi_session_id);
2986 if (os_snprintf_error(buflen - len, ret))
2987 return len;
2988 len += ret;
2989 }
2990
2991 name1 = eap_server_get_name(0, sm->eap_type_authsrv);
2992 name2 = eap_server_get_name(0, sm->eap_type_supp);
2993 ret = os_snprintf(buf + len, buflen - len,
2994 "last_eap_type_as=%d (%s)\n"
2995 "last_eap_type_sta=%d (%s)\n",
2996 sm->eap_type_authsrv, name1,
2997 sm->eap_type_supp, name2);
2998 if (os_snprintf_error(buflen - len, ret))
2999 return len;
3000 len += ret;
3001
3002 return len;
3003 }
3004 #endif /* EXT_CODE_CROP */
3005
3006 #ifdef CONFIG_HS20
3007 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
3008 {
3009 struct hostapd_data *hapd = eloop_ctx;
3010 struct sta_info *sta = timeout_ctx;
3011
3012 if (sta->remediation) {
3013 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to "
3014 MACSTR " to indicate Subscription Remediation",
3015 MAC2STR(sta->addr));
3016 hs20_send_wnm_notification(hapd, sta->addr,
3017 sta->remediation_method,
3018 sta->remediation_url);
3019 os_free(sta->remediation_url);
3020 sta->remediation_url = NULL;
3021 }
3022
3023 if (sta->hs20_deauth_req) {
3024 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to "
3025 MACSTR " to indicate imminent deauthentication",
3026 MAC2STR(sta->addr));
3027 hs20_send_wnm_notification_deauth_req(hapd, sta->addr,
3028 sta->hs20_deauth_req);
3029 }
3030
3031 if (sta->hs20_t_c_filtering) {
3032 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to "
3033 MACSTR " to indicate Terms and Conditions filtering",
3034 MAC2STR(sta->addr));
3035 hs20_send_wnm_notification_t_c(hapd, sta->addr, sta->t_c_url);
3036 os_free(sta->t_c_url);
3037 sta->t_c_url = NULL;
3038 }
3039 }
3040 #endif /* CONFIG_HS20 */
3041
3042
3043 static void ieee802_1x_finished(struct hostapd_data *hapd,
3044 struct sta_info *sta, int success,
3045 int remediation)
3046 {
3047 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
3048 const u8 *key;
3049 size_t len;
3050 /* TODO: get PMKLifetime from WPA parameters */
3051 static const int dot11RSNAConfigPMKLifetime = 43200;
3052 unsigned int session_timeout;
3053 #ifndef EXT_CODE_CROP
3054 struct os_reltime now, remaining;
3055 #endif /* EXT_CODE_CROP */
3056 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
3057
3058 #ifdef CONFIG_HS20
3059 if (remediation && !sta->remediation) {
3060 sta->remediation = 1;
3061 os_free(sta->remediation_url);
3062 sta->remediation_url =
3063 os_strdup(hapd->conf->subscr_remediation_url);
3064 sta->remediation_method = 1; /* SOAP-XML SPP */
3065 }
3066
3067 if (success && (sta->remediation || sta->hs20_deauth_req ||
3068 sta->hs20_t_c_filtering)) {
3069 wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to "
3070 MACSTR " in 100 ms", MAC2STR(sta->addr));
3071 eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta);
3072 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send,
3073 hapd, sta);
3074 }
3075 #endif /* CONFIG_HS20 */
3076
3077 #ifdef CONFIG_MACSEC
3078 ieee802_1x_notify_create_actor_hapd(hapd, sta);
3079 #endif /* CONFIG_MACSEC */
3080 #ifndef LOS_CONFIG_HOSTAPD_PMKSA_CROP
3081 key = ieee802_1x_get_key(sta->eapol_sm, &len);
3082 #ifndef EXT_CODE_CROP
3083 if (sta->session_timeout_set) {
3084 os_get_reltime(&now);
3085 os_reltime_sub(&sta->session_timeout, &now, &remaining);
3086 session_timeout = (remaining.sec > 0) ? remaining.sec : 1;
3087 } else {
3088 session_timeout = dot11RSNAConfigPMKLifetime;
3089 }
3090 #else
3091 session_timeout = dot11RSNAConfigPMKLifetime;
3092 #endif /* EXT_CODE_CROP */
3093 if (success && key && len >= PMK_LEN &&
3094 #ifndef EXT_CODE_CROP
3095 !sta->remediation &&
3096 !sta->hs20_deauth_requested &&
3097 #endif /* EXT_CODE_CROP */
3098 wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout,
3099 sta->eapol_sm) == 0) {
3100 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
3101 HOSTAPD_LEVEL_DEBUG,
3102 "Added PMKSA cache entry (IEEE 802.1X)");
3103 }
3104 #endif /* LOS_CONFIG_HOSTAPD_PMKSA_CROP */
3105
3106 if (!success) {
3107 /*
3108 * Many devices require deauthentication after WPS provisioning
3109 * and some may not be be able to do that themselves, so
3110 * disconnect the client here. In addition, this may also
3111 * benefit IEEE 802.1X/EAPOL authentication cases, too since
3112 * the EAPOL PAE state machine would remain in HELD state for
3113 * considerable amount of time and some EAP methods, like
3114 * EAP-FAST with anonymous provisioning, may require another
3115 * EAPOL authentication to be started to complete connection.
3116 */
3117 ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta);
3118 }
3119 }
3120