• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * hostapd / IEEE 802.1X-2004 Authenticator
3  * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "crypto/md5.h"
14 #include "crypto/crypto.h"
15 #include "crypto/random.h"
16 #include "common/ieee802_11_defs.h"
17 #include "radius/radius.h"
18 #include "radius/radius_client.h"
19 #include "eap_server/eap.h"
20 #include "eap_common/eap_wsc_common.h"
21 #include "eapol_auth/eapol_auth_sm.h"
22 #include "eapol_auth/eapol_auth_sm_i.h"
23 #include "p2p/p2p.h"
24 #include "hostapd.h"
25 #include "accounting.h"
26 #include "sta_info.h"
27 #include "wpa_auth.h"
28 #include "preauth_auth.h"
29 #include "pmksa_cache_auth.h"
30 #include "ap_config.h"
31 #include "ap_drv_ops.h"
32 #include "ieee802_1x.h"
33 
34 
35 static void ieee802_1x_finished(struct hostapd_data *hapd,
36 				struct sta_info *sta, int success);
37 
38 
ieee802_1x_send(struct hostapd_data * hapd,struct sta_info * sta,u8 type,const u8 * data,size_t datalen)39 static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta,
40 			    u8 type, const u8 *data, size_t datalen)
41 {
42 	u8 *buf;
43 	struct ieee802_1x_hdr *xhdr;
44 	size_t len;
45 	int encrypt = 0;
46 
47 	len = sizeof(*xhdr) + datalen;
48 	buf = os_zalloc(len);
49 	if (buf == NULL) {
50 		wpa_printf(MSG_ERROR, "malloc() failed for "
51 			   "ieee802_1x_send(len=%lu)",
52 			   (unsigned long) len);
53 		return;
54 	}
55 
56 	xhdr = (struct ieee802_1x_hdr *) buf;
57 	xhdr->version = hapd->conf->eapol_version;
58 	xhdr->type = type;
59 	xhdr->length = host_to_be16(datalen);
60 
61 	if (datalen > 0 && data != NULL)
62 		os_memcpy(xhdr + 1, data, datalen);
63 
64 	if (wpa_auth_pairwise_set(sta->wpa_sm))
65 		encrypt = 1;
66 	if (sta->flags & WLAN_STA_PREAUTH) {
67 		rsn_preauth_send(hapd, sta, buf, len);
68 	} else {
69 		hostapd_drv_hapd_send_eapol(
70 			hapd, sta->addr, buf, len,
71 			encrypt, hostapd_sta_flags_to_drv(sta->flags));
72 	}
73 
74 	os_free(buf);
75 }
76 
77 
ieee802_1x_set_sta_authorized(struct hostapd_data * hapd,struct sta_info * sta,int authorized)78 void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd,
79 				   struct sta_info *sta, int authorized)
80 {
81 	int res;
82 
83 	if (sta->flags & WLAN_STA_PREAUTH)
84 		return;
85 
86 	if (authorized) {
87 		ap_sta_set_authorized(hapd, sta, 1);
88 		res = hostapd_set_authorized(hapd, sta, 1);
89 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
90 			       HOSTAPD_LEVEL_DEBUG, "authorizing port");
91 	} else {
92 		ap_sta_set_authorized(hapd, sta, 0);
93 		res = hostapd_set_authorized(hapd, sta, 0);
94 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
95 			       HOSTAPD_LEVEL_DEBUG, "unauthorizing port");
96 	}
97 
98 	if (res && errno != ENOENT) {
99 		printf("Could not set station " MACSTR " flags for kernel "
100 		       "driver (errno=%d).\n", MAC2STR(sta->addr), errno);
101 	}
102 
103 	if (authorized) {
104 		os_get_time(&sta->connected_time);
105 		accounting_sta_start(hapd, sta);
106 	}
107 }
108 
109 
ieee802_1x_tx_key_one(struct hostapd_data * hapd,struct sta_info * sta,int idx,int broadcast,u8 * key_data,size_t key_len)110 static void ieee802_1x_tx_key_one(struct hostapd_data *hapd,
111 				  struct sta_info *sta,
112 				  int idx, int broadcast,
113 				  u8 *key_data, size_t key_len)
114 {
115 	u8 *buf, *ekey;
116 	struct ieee802_1x_hdr *hdr;
117 	struct ieee802_1x_eapol_key *key;
118 	size_t len, ekey_len;
119 	struct eapol_state_machine *sm = sta->eapol_sm;
120 
121 	if (sm == NULL)
122 		return;
123 
124 	len = sizeof(*key) + key_len;
125 	buf = os_zalloc(sizeof(*hdr) + len);
126 	if (buf == NULL)
127 		return;
128 
129 	hdr = (struct ieee802_1x_hdr *) buf;
130 	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
131 	key->type = EAPOL_KEY_TYPE_RC4;
132 	WPA_PUT_BE16(key->key_length, key_len);
133 	wpa_get_ntp_timestamp(key->replay_counter);
134 
135 	if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) {
136 		wpa_printf(MSG_ERROR, "Could not get random numbers");
137 		os_free(buf);
138 		return;
139 	}
140 
141 	key->key_index = idx | (broadcast ? 0 : BIT(7));
142 	if (hapd->conf->eapol_key_index_workaround) {
143 		/* According to some information, WinXP Supplicant seems to
144 		 * interpret bit7 as an indication whether the key is to be
145 		 * activated, so make it possible to enable workaround that
146 		 * sets this bit for all keys. */
147 		key->key_index |= BIT(7);
148 	}
149 
150 	/* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
151 	 * MSK[32..63] is used to sign the message. */
152 	if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) {
153 		wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting "
154 			   "and signing EAPOL-Key");
155 		os_free(buf);
156 		return;
157 	}
158 	os_memcpy((u8 *) (key + 1), key_data, key_len);
159 	ekey_len = sizeof(key->key_iv) + 32;
160 	ekey = os_malloc(ekey_len);
161 	if (ekey == NULL) {
162 		wpa_printf(MSG_ERROR, "Could not encrypt key");
163 		os_free(buf);
164 		return;
165 	}
166 	os_memcpy(ekey, key->key_iv, sizeof(key->key_iv));
167 	os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32);
168 	rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len);
169 	os_free(ekey);
170 
171 	/* This header is needed here for HMAC-MD5, but it will be regenerated
172 	 * in ieee802_1x_send() */
173 	hdr->version = hapd->conf->eapol_version;
174 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
175 	hdr->length = host_to_be16(len);
176 	hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len,
177 		 key->key_signature);
178 
179 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
180 		   " (%s index=%d)", MAC2STR(sm->addr),
181 		   broadcast ? "broadcast" : "unicast", idx);
182 	ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len);
183 	if (sta->eapol_sm)
184 		sta->eapol_sm->dot1xAuthEapolFramesTx++;
185 	os_free(buf);
186 }
187 
188 
ieee802_1x_tx_key(struct hostapd_data * hapd,struct sta_info * sta)189 void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
190 {
191 	struct eapol_authenticator *eapol = hapd->eapol_auth;
192 	struct eapol_state_machine *sm = sta->eapol_sm;
193 
194 	if (sm == NULL || !sm->eap_if->eapKeyData)
195 		return;
196 
197 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR,
198 		   MAC2STR(sta->addr));
199 
200 #ifndef CONFIG_NO_VLAN
201 	if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) {
202 		wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported.");
203 		return;
204 	}
205 #endif /* CONFIG_NO_VLAN */
206 
207 	if (eapol->default_wep_key) {
208 		ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1,
209 				      eapol->default_wep_key,
210 				      hapd->conf->default_wep_key_len);
211 	}
212 
213 	if (hapd->conf->individual_wep_key_len > 0) {
214 		u8 *ikey;
215 		ikey = os_malloc(hapd->conf->individual_wep_key_len);
216 		if (ikey == NULL ||
217 		    random_get_bytes(ikey, hapd->conf->individual_wep_key_len))
218 		{
219 			wpa_printf(MSG_ERROR, "Could not generate random "
220 				   "individual WEP key.");
221 			os_free(ikey);
222 			return;
223 		}
224 
225 		wpa_hexdump_key(MSG_DEBUG, "Individual WEP key",
226 				ikey, hapd->conf->individual_wep_key_len);
227 
228 		ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey,
229 				      hapd->conf->individual_wep_key_len);
230 
231 		/* TODO: set encryption in TX callback, i.e., only after STA
232 		 * has ACKed EAPOL-Key frame */
233 		if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
234 					sta->addr, 0, 1, NULL, 0, ikey,
235 					hapd->conf->individual_wep_key_len)) {
236 			wpa_printf(MSG_ERROR, "Could not set individual WEP "
237 				   "encryption.");
238 		}
239 
240 		os_free(ikey);
241 	}
242 }
243 
244 
radius_mode_txt(struct hostapd_data * hapd)245 const char *radius_mode_txt(struct hostapd_data *hapd)
246 {
247 	switch (hapd->iface->conf->hw_mode) {
248 	case HOSTAPD_MODE_IEEE80211AD:
249 		return "802.11ad";
250 	case HOSTAPD_MODE_IEEE80211A:
251 		return "802.11a";
252 	case HOSTAPD_MODE_IEEE80211G:
253 		return "802.11g";
254 	case HOSTAPD_MODE_IEEE80211B:
255 	default:
256 		return "802.11b";
257 	}
258 }
259 
260 
radius_sta_rate(struct hostapd_data * hapd,struct sta_info * sta)261 int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta)
262 {
263 	int i;
264 	u8 rate = 0;
265 
266 	for (i = 0; i < sta->supported_rates_len; i++)
267 		if ((sta->supported_rates[i] & 0x7f) > rate)
268 			rate = sta->supported_rates[i] & 0x7f;
269 
270 	return rate;
271 }
272 
273 
274 #ifndef CONFIG_NO_RADIUS
ieee802_1x_learn_identity(struct hostapd_data * hapd,struct eapol_state_machine * sm,const u8 * eap,size_t len)275 static void ieee802_1x_learn_identity(struct hostapd_data *hapd,
276 				      struct eapol_state_machine *sm,
277 				      const u8 *eap, size_t len)
278 {
279 	const u8 *identity;
280 	size_t identity_len;
281 
282 	if (len <= sizeof(struct eap_hdr) ||
283 	    eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY)
284 		return;
285 
286 	identity = eap_get_identity(sm->eap, &identity_len);
287 	if (identity == NULL)
288 		return;
289 
290 	/* Save station identity for future RADIUS packets */
291 	os_free(sm->identity);
292 	sm->identity = (u8 *) dup_binstr(identity, identity_len);
293 	if (sm->identity == NULL) {
294 		sm->identity_len = 0;
295 		return;
296 	}
297 
298 	sm->identity_len = identity_len;
299 	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
300 		       HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity);
301 	sm->dot1xAuthEapolRespIdFramesRx++;
302 }
303 
304 
add_common_radius_sta_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)305 static int add_common_radius_sta_attr(struct hostapd_data *hapd,
306 				      struct hostapd_radius_attr *req_attr,
307 				      struct sta_info *sta,
308 				      struct radius_msg *msg)
309 {
310 	char buf[128];
311 
312 	if (!hostapd_config_get_radius_attr(req_attr,
313 					    RADIUS_ATTR_NAS_PORT) &&
314 	    !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
315 		wpa_printf(MSG_ERROR, "Could not add NAS-Port");
316 		return -1;
317 	}
318 
319 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
320 		    MAC2STR(sta->addr));
321 	buf[sizeof(buf) - 1] = '\0';
322 	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
323 				 (u8 *) buf, os_strlen(buf))) {
324 		wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id");
325 		return -1;
326 	}
327 
328 	if (sta->flags & WLAN_STA_PREAUTH) {
329 		os_strlcpy(buf, "IEEE 802.11i Pre-Authentication",
330 			   sizeof(buf));
331 	} else {
332 		os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s",
333 			    radius_sta_rate(hapd, sta) / 2,
334 			    (radius_sta_rate(hapd, sta) & 1) ? ".5" : "",
335 			    radius_mode_txt(hapd));
336 		buf[sizeof(buf) - 1] = '\0';
337 	}
338 	if (!hostapd_config_get_radius_attr(req_attr,
339 					    RADIUS_ATTR_CONNECT_INFO) &&
340 	    !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
341 				 (u8 *) buf, os_strlen(buf))) {
342 		wpa_printf(MSG_ERROR, "Could not add Connect-Info");
343 		return -1;
344 	}
345 
346 	if (sta->acct_session_id_hi || sta->acct_session_id_lo) {
347 		os_snprintf(buf, sizeof(buf), "%08X-%08X",
348 			    sta->acct_session_id_hi, sta->acct_session_id_lo);
349 		if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
350 					 (u8 *) buf, os_strlen(buf))) {
351 			wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id");
352 			return -1;
353 		}
354 	}
355 
356 	return 0;
357 }
358 
359 
add_common_radius_attr(struct hostapd_data * hapd,struct hostapd_radius_attr * req_attr,struct sta_info * sta,struct radius_msg * msg)360 int add_common_radius_attr(struct hostapd_data *hapd,
361 			   struct hostapd_radius_attr *req_attr,
362 			   struct sta_info *sta,
363 			   struct radius_msg *msg)
364 {
365 	char buf[128];
366 	struct hostapd_radius_attr *attr;
367 
368 	if (!hostapd_config_get_radius_attr(req_attr,
369 					    RADIUS_ATTR_NAS_IP_ADDRESS) &&
370 	    hapd->conf->own_ip_addr.af == AF_INET &&
371 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
372 				 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
373 		wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address");
374 		return -1;
375 	}
376 
377 #ifdef CONFIG_IPV6
378 	if (!hostapd_config_get_radius_attr(req_attr,
379 					    RADIUS_ATTR_NAS_IPV6_ADDRESS) &&
380 	    hapd->conf->own_ip_addr.af == AF_INET6 &&
381 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
382 				 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
383 		wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address");
384 		return -1;
385 	}
386 #endif /* CONFIG_IPV6 */
387 
388 	if (!hostapd_config_get_radius_attr(req_attr,
389 					    RADIUS_ATTR_NAS_IDENTIFIER) &&
390 	    hapd->conf->nas_identifier &&
391 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
392 				 (u8 *) hapd->conf->nas_identifier,
393 				 os_strlen(hapd->conf->nas_identifier))) {
394 		wpa_printf(MSG_ERROR, "Could not add NAS-Identifier");
395 		return -1;
396 	}
397 
398 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
399 		    MAC2STR(hapd->own_addr),
400 		    wpa_ssid_txt(hapd->conf->ssid.ssid,
401 				 hapd->conf->ssid.ssid_len));
402 	buf[sizeof(buf) - 1] = '\0';
403 	if (!hostapd_config_get_radius_attr(req_attr,
404 					    RADIUS_ATTR_CALLED_STATION_ID) &&
405 	    !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
406 				 (u8 *) buf, os_strlen(buf))) {
407 		wpa_printf(MSG_ERROR, "Could not add Called-Station-Id");
408 		return -1;
409 	}
410 
411 	if (!hostapd_config_get_radius_attr(req_attr,
412 					    RADIUS_ATTR_NAS_PORT_TYPE) &&
413 	    !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
414 				       RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
415 		wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type");
416 		return -1;
417 	}
418 
419 	if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0)
420 		return -1;
421 
422 	for (attr = req_attr; attr; attr = attr->next) {
423 		if (!radius_msg_add_attr(msg, attr->type,
424 					 wpabuf_head(attr->val),
425 					 wpabuf_len(attr->val))) {
426 			wpa_printf(MSG_ERROR, "Could not add RADIUS "
427 				   "attribute");
428 			return -1;
429 		}
430 	}
431 
432 	return 0;
433 }
434 
435 
ieee802_1x_encapsulate_radius(struct hostapd_data * hapd,struct sta_info * sta,const u8 * eap,size_t len)436 static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
437 					  struct sta_info *sta,
438 					  const u8 *eap, size_t len)
439 {
440 	struct radius_msg *msg;
441 	struct eapol_state_machine *sm = sta->eapol_sm;
442 
443 	if (sm == NULL)
444 		return;
445 
446 	ieee802_1x_learn_identity(hapd, sm, eap, len);
447 
448 	wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
449 		   "packet");
450 
451 	sm->radius_identifier = radius_client_get_id(hapd->radius);
452 	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
453 			     sm->radius_identifier);
454 	if (msg == NULL) {
455 		printf("Could not create net RADIUS packet\n");
456 		return;
457 	}
458 
459 	radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
460 
461 	if (sm->identity &&
462 	    !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
463 				 sm->identity, sm->identity_len)) {
464 		printf("Could not add User-Name\n");
465 		goto fail;
466 	}
467 
468 	if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta,
469 				   msg) < 0)
470 		goto fail;
471 
472 	/* TODO: should probably check MTU from driver config; 2304 is max for
473 	 * IEEE 802.11, but use 1400 to avoid problems with too large packets
474 	 */
475 	if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr,
476 					    RADIUS_ATTR_FRAMED_MTU) &&
477 	    !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
478 		printf("Could not add Framed-MTU\n");
479 		goto fail;
480 	}
481 
482 	if (eap && !radius_msg_add_eap(msg, eap, len)) {
483 		printf("Could not add EAP-Message\n");
484 		goto fail;
485 	}
486 
487 	/* State attribute must be copied if and only if this packet is
488 	 * Access-Request reply to the previous Access-Challenge */
489 	if (sm->last_recv_radius &&
490 	    radius_msg_get_hdr(sm->last_recv_radius)->code ==
491 	    RADIUS_CODE_ACCESS_CHALLENGE) {
492 		int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
493 					       RADIUS_ATTR_STATE);
494 		if (res < 0) {
495 			printf("Could not copy State attribute from previous "
496 			       "Access-Challenge\n");
497 			goto fail;
498 		}
499 		if (res > 0) {
500 			wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute");
501 		}
502 	}
503 
504 	if (hapd->conf->radius_request_cui) {
505 		const u8 *cui;
506 		size_t cui_len;
507 		/* Add previously learned CUI or nul CUI to request CUI */
508 		if (sm->radius_cui) {
509 			cui = wpabuf_head(sm->radius_cui);
510 			cui_len = wpabuf_len(sm->radius_cui);
511 		} else {
512 			cui = (const u8 *) "\0";
513 			cui_len = 1;
514 		}
515 		if (!radius_msg_add_attr(msg,
516 					 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
517 					 cui, cui_len)) {
518 			wpa_printf(MSG_ERROR, "Could not add CUI");
519 			goto fail;
520 		}
521 	}
522 
523 	if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0)
524 		goto fail;
525 
526 	return;
527 
528  fail:
529 	radius_msg_free(msg);
530 }
531 #endif /* CONFIG_NO_RADIUS */
532 
533 
handle_eap_response(struct hostapd_data * hapd,struct sta_info * sta,struct eap_hdr * eap,size_t len)534 static void handle_eap_response(struct hostapd_data *hapd,
535 				struct sta_info *sta, struct eap_hdr *eap,
536 				size_t len)
537 {
538 	u8 type, *data;
539 	struct eapol_state_machine *sm = sta->eapol_sm;
540 	if (sm == NULL)
541 		return;
542 
543 	data = (u8 *) (eap + 1);
544 
545 	if (len < sizeof(*eap) + 1) {
546 		printf("handle_eap_response: too short response data\n");
547 		return;
548 	}
549 
550 	sm->eap_type_supp = type = data[0];
551 
552 	hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,
553 		       HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d "
554 		       "id=%d len=%d) from STA: EAP Response-%s (%d)",
555 		       eap->code, eap->identifier, be_to_host16(eap->length),
556 		       eap_server_get_name(0, type), type);
557 
558 	sm->dot1xAuthEapolRespFramesRx++;
559 
560 	wpabuf_free(sm->eap_if->eapRespData);
561 	sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len);
562 	sm->eapolEap = TRUE;
563 }
564 
565 
566 /* Process incoming EAP packet from Supplicant */
handle_eap(struct hostapd_data * hapd,struct sta_info * sta,u8 * buf,size_t len)567 static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta,
568 		       u8 *buf, size_t len)
569 {
570 	struct eap_hdr *eap;
571 	u16 eap_len;
572 
573 	if (len < sizeof(*eap)) {
574 		printf("   too short EAP packet\n");
575 		return;
576 	}
577 
578 	eap = (struct eap_hdr *) buf;
579 
580 	eap_len = be_to_host16(eap->length);
581 	wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d",
582 		   eap->code, eap->identifier, eap_len);
583 	if (eap_len < sizeof(*eap)) {
584 		wpa_printf(MSG_DEBUG, "   Invalid EAP length");
585 		return;
586 	} else if (eap_len > len) {
587 		wpa_printf(MSG_DEBUG, "   Too short frame to contain this EAP "
588 			   "packet");
589 		return;
590 	} else if (eap_len < len) {
591 		wpa_printf(MSG_DEBUG, "   Ignoring %lu extra bytes after EAP "
592 			   "packet", (unsigned long) len - eap_len);
593 	}
594 
595 	switch (eap->code) {
596 	case EAP_CODE_REQUEST:
597 		wpa_printf(MSG_DEBUG, " (request)");
598 		return;
599 	case EAP_CODE_RESPONSE:
600 		wpa_printf(MSG_DEBUG, " (response)");
601 		handle_eap_response(hapd, sta, eap, eap_len);
602 		break;
603 	case EAP_CODE_SUCCESS:
604 		wpa_printf(MSG_DEBUG, " (success)");
605 		return;
606 	case EAP_CODE_FAILURE:
607 		wpa_printf(MSG_DEBUG, " (failure)");
608 		return;
609 	default:
610 		wpa_printf(MSG_DEBUG, " (unknown code)");
611 		return;
612 	}
613 }
614 
615 
616 static struct eapol_state_machine *
ieee802_1x_alloc_eapol_sm(struct hostapd_data * hapd,struct sta_info * sta)617 ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
618 {
619 	int flags = 0;
620 	if (sta->flags & WLAN_STA_PREAUTH)
621 		flags |= EAPOL_SM_PREAUTH;
622 	if (sta->wpa_sm) {
623 		flags |= EAPOL_SM_USES_WPA;
624 		if (wpa_auth_sta_get_pmksa(sta->wpa_sm))
625 			flags |= EAPOL_SM_FROM_PMKSA_CACHE;
626 	}
627 	return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags,
628 				sta->wps_ie, sta->p2p_ie, sta,
629 				sta->identity, sta->radius_cui);
630 }
631 
632 
633 /**
634  * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
635  * @hapd: hostapd BSS data
636  * @sa: Source address (sender of the EAPOL frame)
637  * @buf: EAPOL frame
638  * @len: Length of buf in octets
639  *
640  * This function is called for each incoming EAPOL frame from the interface
641  */
ieee802_1x_receive(struct hostapd_data * hapd,const u8 * sa,const u8 * buf,size_t len)642 void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf,
643 			size_t len)
644 {
645 	struct sta_info *sta;
646 	struct ieee802_1x_hdr *hdr;
647 	struct ieee802_1x_eapol_key *key;
648 	u16 datalen;
649 	struct rsn_pmksa_cache_entry *pmksa;
650 	int key_mgmt;
651 
652 	if (!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
653 	    !hapd->conf->wps_state)
654 		return;
655 
656 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR,
657 		   (unsigned long) len, MAC2STR(sa));
658 	sta = ap_get_sta(hapd, sa);
659 	if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) &&
660 		     !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) {
661 		wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not "
662 			   "associated/Pre-authenticating STA");
663 		return;
664 	}
665 
666 	if (len < sizeof(*hdr)) {
667 		printf("   too short IEEE 802.1X packet\n");
668 		return;
669 	}
670 
671 	hdr = (struct ieee802_1x_hdr *) buf;
672 	datalen = be_to_host16(hdr->length);
673 	wpa_printf(MSG_DEBUG, "   IEEE 802.1X: version=%d type=%d length=%d",
674 		   hdr->version, hdr->type, datalen);
675 
676 	if (len - sizeof(*hdr) < datalen) {
677 		printf("   frame too short for this IEEE 802.1X packet\n");
678 		if (sta->eapol_sm)
679 			sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++;
680 		return;
681 	}
682 	if (len - sizeof(*hdr) > datalen) {
683 		wpa_printf(MSG_DEBUG, "   ignoring %lu extra octets after "
684 			   "IEEE 802.1X packet",
685 			   (unsigned long) len - sizeof(*hdr) - datalen);
686 	}
687 
688 	if (sta->eapol_sm) {
689 		sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version;
690 		sta->eapol_sm->dot1xAuthEapolFramesRx++;
691 	}
692 
693 	key = (struct ieee802_1x_eapol_key *) (hdr + 1);
694 	if (datalen >= sizeof(struct ieee802_1x_eapol_key) &&
695 	    hdr->type == IEEE802_1X_TYPE_EAPOL_KEY &&
696 	    (key->type == EAPOL_KEY_TYPE_WPA ||
697 	     key->type == EAPOL_KEY_TYPE_RSN)) {
698 		wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr,
699 			    sizeof(*hdr) + datalen);
700 		return;
701 	}
702 
703 	if (!hapd->conf->ieee802_1x &&
704 	    !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
705 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
706 			   "802.1X not enabled and WPS not used");
707 		return;
708 	}
709 
710 	key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
711 	if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
712 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - "
713 			   "STA is using PSK");
714 		return;
715 	}
716 
717 	if (!sta->eapol_sm) {
718 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
719 		if (!sta->eapol_sm)
720 			return;
721 
722 #ifdef CONFIG_WPS
723 		if (!hapd->conf->ieee802_1x) {
724 			u32 wflags = sta->flags & (WLAN_STA_WPS |
725 						   WLAN_STA_WPS2 |
726 						   WLAN_STA_MAYBE_WPS);
727 			if (wflags == WLAN_STA_MAYBE_WPS ||
728 			    wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) {
729 				/*
730 				 * Delay EAPOL frame transmission until a
731 				 * possible WPS STA initiates the handshake
732 				 * with EAPOL-Start. Only allow the wait to be
733 				 * skipped if the STA is known to support WPS
734 				 * 2.0.
735 				 */
736 				wpa_printf(MSG_DEBUG, "WPS: Do not start "
737 					   "EAPOL until EAPOL-Start is "
738 					   "received");
739 				sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
740 			}
741 		}
742 #endif /* CONFIG_WPS */
743 
744 		sta->eapol_sm->eap_if->portEnabled = TRUE;
745 	}
746 
747 	/* since we support version 1, we can ignore version field and proceed
748 	 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
749 	/* TODO: actually, we are not version 1 anymore.. However, Version 2
750 	 * does not change frame contents, so should be ok to process frames
751 	 * more or less identically. Some changes might be needed for
752 	 * verification of fields. */
753 
754 	switch (hdr->type) {
755 	case IEEE802_1X_TYPE_EAP_PACKET:
756 		handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen);
757 		break;
758 
759 	case IEEE802_1X_TYPE_EAPOL_START:
760 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
761 			       HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start "
762 			       "from STA");
763 		sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
764 		pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
765 		if (pmksa) {
766 			hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
767 				       HOSTAPD_LEVEL_DEBUG, "cached PMKSA "
768 				       "available - ignore it since "
769 				       "STA sent EAPOL-Start");
770 			wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa);
771 		}
772 		sta->eapol_sm->eapolStart = TRUE;
773 		sta->eapol_sm->dot1xAuthEapolStartFramesRx++;
774 		eap_server_clear_identity(sta->eapol_sm->eap);
775 		wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
776 		break;
777 
778 	case IEEE802_1X_TYPE_EAPOL_LOGOFF:
779 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
780 			       HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff "
781 			       "from STA");
782 		sta->acct_terminate_cause =
783 			RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
784 		accounting_sta_stop(hapd, sta);
785 		sta->eapol_sm->eapolLogoff = TRUE;
786 		sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++;
787 		eap_server_clear_identity(sta->eapol_sm->eap);
788 		break;
789 
790 	case IEEE802_1X_TYPE_EAPOL_KEY:
791 		wpa_printf(MSG_DEBUG, "   EAPOL-Key");
792 		if (!ap_sta_is_authorized(sta)) {
793 			wpa_printf(MSG_DEBUG, "   Dropped key data from "
794 				   "unauthorized Supplicant");
795 			break;
796 		}
797 		break;
798 
799 	case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
800 		wpa_printf(MSG_DEBUG, "   EAPOL-Encapsulated-ASF-Alert");
801 		/* TODO: implement support for this; show data */
802 		break;
803 
804 	default:
805 		wpa_printf(MSG_DEBUG, "   unknown IEEE 802.1X packet type");
806 		sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++;
807 		break;
808 	}
809 
810 	eapol_auth_step(sta->eapol_sm);
811 }
812 
813 
814 /**
815  * ieee802_1x_new_station - Start IEEE 802.1X authentication
816  * @hapd: hostapd BSS data
817  * @sta: The station
818  *
819  * This function is called to start IEEE 802.1X authentication when a new
820  * station completes IEEE 802.11 association.
821  */
ieee802_1x_new_station(struct hostapd_data * hapd,struct sta_info * sta)822 void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
823 {
824 	struct rsn_pmksa_cache_entry *pmksa;
825 	int reassoc = 1;
826 	int force_1x = 0;
827 	int key_mgmt;
828 
829 #ifdef CONFIG_WPS
830 	if (hapd->conf->wps_state && hapd->conf->wpa &&
831 	    (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) {
832 		/*
833 		 * Need to enable IEEE 802.1X/EAPOL state machines for possible
834 		 * WPS handshake even if IEEE 802.1X/EAPOL is not used for
835 		 * authentication in this BSS.
836 		 */
837 		force_1x = 1;
838 	}
839 #endif /* CONFIG_WPS */
840 
841 	if (!force_1x && !hapd->conf->ieee802_1x) {
842 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - "
843 			   "802.1X not enabled or forced for WPS");
844 		/*
845 		 * Clear any possible EAPOL authenticator state to support
846 		 * reassociation change from WPS to PSK.
847 		 */
848 		ieee802_1x_free_station(sta);
849 		return;
850 	}
851 
852 	key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm);
853 	if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) {
854 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK");
855 		/*
856 		 * Clear any possible EAPOL authenticator state to support
857 		 * reassociation change from WPA-EAP to PSK.
858 		 */
859 		ieee802_1x_free_station(sta);
860 		return;
861 	}
862 
863 	if (sta->eapol_sm == NULL) {
864 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
865 			       HOSTAPD_LEVEL_DEBUG, "start authentication");
866 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
867 		if (sta->eapol_sm == NULL) {
868 			hostapd_logger(hapd, sta->addr,
869 				       HOSTAPD_MODULE_IEEE8021X,
870 				       HOSTAPD_LEVEL_INFO,
871 				       "failed to allocate state machine");
872 			return;
873 		}
874 		reassoc = 0;
875 	}
876 
877 #ifdef CONFIG_WPS
878 	sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START;
879 	if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) {
880 		/*
881 		 * Delay EAPOL frame transmission until a possible WPS STA
882 		 * initiates the handshake with EAPOL-Start. Only allow the
883 		 * wait to be skipped if the STA is known to support WPS 2.0.
884 		 */
885 		wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until "
886 			   "EAPOL-Start is received");
887 		sta->eapol_sm->flags |= EAPOL_SM_WAIT_START;
888 	}
889 #endif /* CONFIG_WPS */
890 
891 	sta->eapol_sm->eap_if->portEnabled = TRUE;
892 
893 #ifdef CONFIG_IEEE80211R
894 	if (sta->auth_alg == WLAN_AUTH_FT) {
895 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
896 			       HOSTAPD_LEVEL_DEBUG,
897 			       "PMK from FT - skip IEEE 802.1X/EAP");
898 		/* Setup EAPOL state machines to already authenticated state
899 		 * because of existing FT information from R0KH. */
900 		sta->eapol_sm->keyRun = TRUE;
901 		sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
902 		sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
903 		sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
904 		sta->eapol_sm->authSuccess = TRUE;
905 		sta->eapol_sm->authFail = FALSE;
906 		if (sta->eapol_sm->eap)
907 			eap_sm_notify_cached(sta->eapol_sm->eap);
908 		/* TODO: get vlan_id from R0KH using RRB message */
909 		return;
910 	}
911 #endif /* CONFIG_IEEE80211R */
912 
913 	pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
914 	if (pmksa) {
915 		int old_vlanid;
916 
917 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
918 			       HOSTAPD_LEVEL_DEBUG,
919 			       "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
920 		/* Setup EAPOL state machines to already authenticated state
921 		 * because of existing PMKSA information in the cache. */
922 		sta->eapol_sm->keyRun = TRUE;
923 		sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
924 		sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
925 		sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
926 		sta->eapol_sm->authSuccess = TRUE;
927 		sta->eapol_sm->authFail = FALSE;
928 		if (sta->eapol_sm->eap)
929 			eap_sm_notify_cached(sta->eapol_sm->eap);
930 		old_vlanid = sta->vlan_id;
931 		pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
932 		if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
933 			sta->vlan_id = 0;
934 		ap_sta_bind_vlan(hapd, sta, old_vlanid);
935 	} else {
936 		if (reassoc) {
937 			/*
938 			 * Force EAPOL state machines to start
939 			 * re-authentication without having to wait for the
940 			 * Supplicant to send EAPOL-Start.
941 			 */
942 			sta->eapol_sm->reAuthenticate = TRUE;
943 		}
944 		eapol_auth_step(sta->eapol_sm);
945 	}
946 }
947 
948 
ieee802_1x_free_station(struct sta_info * sta)949 void ieee802_1x_free_station(struct sta_info *sta)
950 {
951 	struct eapol_state_machine *sm = sta->eapol_sm;
952 
953 	if (sm == NULL)
954 		return;
955 
956 	sta->eapol_sm = NULL;
957 
958 #ifndef CONFIG_NO_RADIUS
959 	radius_msg_free(sm->last_recv_radius);
960 	radius_free_class(&sm->radius_class);
961 	wpabuf_free(sm->radius_cui);
962 #endif /* CONFIG_NO_RADIUS */
963 
964 	os_free(sm->identity);
965 	eapol_auth_free(sm);
966 }
967 
968 
969 #ifndef CONFIG_NO_RADIUS
ieee802_1x_decapsulate_radius(struct hostapd_data * hapd,struct sta_info * sta)970 static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd,
971 					  struct sta_info *sta)
972 {
973 	struct wpabuf *eap;
974 	const struct eap_hdr *hdr;
975 	int eap_type = -1;
976 	char buf[64];
977 	struct radius_msg *msg;
978 	struct eapol_state_machine *sm = sta->eapol_sm;
979 
980 	if (sm == NULL || sm->last_recv_radius == NULL) {
981 		if (sm)
982 			sm->eap_if->aaaEapNoReq = TRUE;
983 		return;
984 	}
985 
986 	msg = sm->last_recv_radius;
987 
988 	eap = radius_msg_get_eap(msg);
989 	if (eap == NULL) {
990 		/* RFC 3579, Chap. 2.6.3:
991 		 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
992 		 * attribute */
993 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
994 			       HOSTAPD_LEVEL_WARNING, "could not extract "
995 			       "EAP-Message from RADIUS message");
996 		sm->eap_if->aaaEapNoReq = TRUE;
997 		return;
998 	}
999 
1000 	if (wpabuf_len(eap) < sizeof(*hdr)) {
1001 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1002 			       HOSTAPD_LEVEL_WARNING, "too short EAP packet "
1003 			       "received from authentication server");
1004 		wpabuf_free(eap);
1005 		sm->eap_if->aaaEapNoReq = TRUE;
1006 		return;
1007 	}
1008 
1009 	if (wpabuf_len(eap) > sizeof(*hdr))
1010 		eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)];
1011 
1012 	hdr = wpabuf_head(eap);
1013 	switch (hdr->code) {
1014 	case EAP_CODE_REQUEST:
1015 		if (eap_type >= 0)
1016 			sm->eap_type_authsrv = eap_type;
1017 		os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
1018 			    eap_type >= 0 ? eap_server_get_name(0, eap_type) :
1019 			    "??",
1020 			    eap_type);
1021 		break;
1022 	case EAP_CODE_RESPONSE:
1023 		os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
1024 			    eap_type >= 0 ? eap_server_get_name(0, eap_type) :
1025 			    "??",
1026 			    eap_type);
1027 		break;
1028 	case EAP_CODE_SUCCESS:
1029 		os_strlcpy(buf, "EAP Success", sizeof(buf));
1030 		break;
1031 	case EAP_CODE_FAILURE:
1032 		os_strlcpy(buf, "EAP Failure", sizeof(buf));
1033 		break;
1034 	default:
1035 		os_strlcpy(buf, "unknown EAP code", sizeof(buf));
1036 		break;
1037 	}
1038 	buf[sizeof(buf) - 1] = '\0';
1039 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1040 		       HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "
1041 		       "id=%d len=%d) from RADIUS server: %s",
1042 		       hdr->code, hdr->identifier, be_to_host16(hdr->length),
1043 		       buf);
1044 	sm->eap_if->aaaEapReq = TRUE;
1045 
1046 	wpabuf_free(sm->eap_if->aaaEapReqData);
1047 	sm->eap_if->aaaEapReqData = eap;
1048 }
1049 
1050 
ieee802_1x_get_keys(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len)1051 static void ieee802_1x_get_keys(struct hostapd_data *hapd,
1052 				struct sta_info *sta, struct radius_msg *msg,
1053 				struct radius_msg *req,
1054 				const u8 *shared_secret,
1055 				size_t shared_secret_len)
1056 {
1057 	struct radius_ms_mppe_keys *keys;
1058 	struct eapol_state_machine *sm = sta->eapol_sm;
1059 	if (sm == NULL)
1060 		return;
1061 
1062 	keys = radius_msg_get_ms_keys(msg, req, shared_secret,
1063 				      shared_secret_len);
1064 
1065 	if (keys && keys->send && keys->recv) {
1066 		size_t len = keys->send_len + keys->recv_len;
1067 		wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
1068 				keys->send, keys->send_len);
1069 		wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
1070 				keys->recv, keys->recv_len);
1071 
1072 		os_free(sm->eap_if->aaaEapKeyData);
1073 		sm->eap_if->aaaEapKeyData = os_malloc(len);
1074 		if (sm->eap_if->aaaEapKeyData) {
1075 			os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv,
1076 				  keys->recv_len);
1077 			os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len,
1078 				  keys->send, keys->send_len);
1079 			sm->eap_if->aaaEapKeyDataLen = len;
1080 			sm->eap_if->aaaEapKeyAvailable = TRUE;
1081 		}
1082 	}
1083 
1084 	if (keys) {
1085 		os_free(keys->send);
1086 		os_free(keys->recv);
1087 		os_free(keys);
1088 	}
1089 }
1090 
1091 
ieee802_1x_store_radius_class(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1092 static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,
1093 					  struct sta_info *sta,
1094 					  struct radius_msg *msg)
1095 {
1096 	u8 *class;
1097 	size_t class_len;
1098 	struct eapol_state_machine *sm = sta->eapol_sm;
1099 	int count, i;
1100 	struct radius_attr_data *nclass;
1101 	size_t nclass_count;
1102 
1103 	if (!hapd->conf->radius->acct_server || hapd->radius == NULL ||
1104 	    sm == NULL)
1105 		return;
1106 
1107 	radius_free_class(&sm->radius_class);
1108 	count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);
1109 	if (count <= 0)
1110 		return;
1111 
1112 	nclass = os_calloc(count, sizeof(struct radius_attr_data));
1113 	if (nclass == NULL)
1114 		return;
1115 
1116 	nclass_count = 0;
1117 
1118 	class = NULL;
1119 	for (i = 0; i < count; i++) {
1120 		do {
1121 			if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,
1122 						    &class, &class_len,
1123 						    class) < 0) {
1124 				i = count;
1125 				break;
1126 			}
1127 		} while (class_len < 1);
1128 
1129 		nclass[nclass_count].data = os_malloc(class_len);
1130 		if (nclass[nclass_count].data == NULL)
1131 			break;
1132 
1133 		os_memcpy(nclass[nclass_count].data, class, class_len);
1134 		nclass[nclass_count].len = class_len;
1135 		nclass_count++;
1136 	}
1137 
1138 	sm->radius_class.attr = nclass;
1139 	sm->radius_class.count = nclass_count;
1140 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class "
1141 		   "attributes for " MACSTR,
1142 		   (unsigned long) sm->radius_class.count,
1143 		   MAC2STR(sta->addr));
1144 }
1145 
1146 
1147 /* Update sta->identity based on User-Name attribute in Access-Accept */
ieee802_1x_update_sta_identity(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1148 static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd,
1149 					   struct sta_info *sta,
1150 					   struct radius_msg *msg)
1151 {
1152 	u8 *buf, *identity;
1153 	size_t len;
1154 	struct eapol_state_machine *sm = sta->eapol_sm;
1155 
1156 	if (sm == NULL)
1157 		return;
1158 
1159 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len,
1160 				    NULL) < 0)
1161 		return;
1162 
1163 	identity = (u8 *) dup_binstr(buf, len);
1164 	if (identity == NULL)
1165 		return;
1166 
1167 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1168 		       HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with "
1169 		       "User-Name from Access-Accept '%s'",
1170 		       sm->identity ? (char *) sm->identity : "N/A",
1171 		       (char *) identity);
1172 
1173 	os_free(sm->identity);
1174 	sm->identity = identity;
1175 	sm->identity_len = len;
1176 }
1177 
1178 
1179 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */
ieee802_1x_update_sta_cui(struct hostapd_data * hapd,struct sta_info * sta,struct radius_msg * msg)1180 static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd,
1181 				      struct sta_info *sta,
1182 				      struct radius_msg *msg)
1183 {
1184 	struct eapol_state_machine *sm = sta->eapol_sm;
1185 	struct wpabuf *cui;
1186 	u8 *buf;
1187 	size_t len;
1188 
1189 	if (sm == NULL)
1190 		return;
1191 
1192 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
1193 				    &buf, &len, NULL) < 0)
1194 		return;
1195 
1196 	cui = wpabuf_alloc_copy(buf, len);
1197 	if (cui == NULL)
1198 		return;
1199 
1200 	wpabuf_free(sm->radius_cui);
1201 	sm->radius_cui = cui;
1202 }
1203 
1204 
1205 struct sta_id_search {
1206 	u8 identifier;
1207 	struct eapol_state_machine *sm;
1208 };
1209 
1210 
ieee802_1x_select_radius_identifier(struct hostapd_data * hapd,struct sta_info * sta,void * ctx)1211 static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,
1212 					       struct sta_info *sta,
1213 					       void *ctx)
1214 {
1215 	struct sta_id_search *id_search = ctx;
1216 	struct eapol_state_machine *sm = sta->eapol_sm;
1217 
1218 	if (sm && sm->radius_identifier >= 0 &&
1219 	    sm->radius_identifier == id_search->identifier) {
1220 		id_search->sm = sm;
1221 		return 1;
1222 	}
1223 	return 0;
1224 }
1225 
1226 
1227 static struct eapol_state_machine *
ieee802_1x_search_radius_identifier(struct hostapd_data * hapd,u8 identifier)1228 ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier)
1229 {
1230 	struct sta_id_search id_search;
1231 	id_search.identifier = identifier;
1232 	id_search.sm = NULL;
1233 	ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);
1234 	return id_search.sm;
1235 }
1236 
1237 
1238 /**
1239  * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1240  * @msg: RADIUS response message
1241  * @req: RADIUS request message
1242  * @shared_secret: RADIUS shared secret
1243  * @shared_secret_len: Length of shared_secret in octets
1244  * @data: Context data (struct hostapd_data *)
1245  * Returns: Processing status
1246  */
1247 static RadiusRxResult
ieee802_1x_receive_auth(struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len,void * data)1248 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
1249 			const u8 *shared_secret, size_t shared_secret_len,
1250 			void *data)
1251 {
1252 	struct hostapd_data *hapd = data;
1253 	struct sta_info *sta;
1254 	u32 session_timeout = 0, termination_action, acct_interim_interval;
1255 	int session_timeout_set, old_vlanid = 0;
1256 	struct eapol_state_machine *sm;
1257 	int override_eapReq = 0;
1258 	struct radius_hdr *hdr = radius_msg_get_hdr(msg);
1259 
1260 	sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
1261 	if (sm == NULL) {
1262 		wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
1263 			   "station for this RADIUS message");
1264 		return RADIUS_RX_UNKNOWN;
1265 	}
1266 	sta = sm->sta;
1267 
1268 	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1269 	 * present when packet contains an EAP-Message attribute */
1270 	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
1271 	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
1272 				0) < 0 &&
1273 	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
1274 		wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without "
1275 			   "Message-Authenticator since it does not include "
1276 			   "EAP-Message");
1277 	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
1278 				     req, 1)) {
1279 		printf("Incoming RADIUS packet did not have correct "
1280 		       "Message-Authenticator - dropped\n");
1281 		return RADIUS_RX_INVALID_AUTHENTICATOR;
1282 	}
1283 
1284 	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
1285 	    hdr->code != RADIUS_CODE_ACCESS_REJECT &&
1286 	    hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
1287 		printf("Unknown RADIUS message code\n");
1288 		return RADIUS_RX_UNKNOWN;
1289 	}
1290 
1291 	sm->radius_identifier = -1;
1292 	wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR,
1293 		   MAC2STR(sta->addr));
1294 
1295 	radius_msg_free(sm->last_recv_radius);
1296 	sm->last_recv_radius = msg;
1297 
1298 	session_timeout_set =
1299 		!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
1300 					   &session_timeout);
1301 	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
1302 				      &termination_action))
1303 		termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
1304 
1305 	if (hapd->conf->acct_interim_interval == 0 &&
1306 	    hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
1307 	    radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
1308 				      &acct_interim_interval) == 0) {
1309 		if (acct_interim_interval < 60) {
1310 			hostapd_logger(hapd, sta->addr,
1311 				       HOSTAPD_MODULE_IEEE8021X,
1312 				       HOSTAPD_LEVEL_INFO,
1313 				       "ignored too small "
1314 				       "Acct-Interim-Interval %d",
1315 				       acct_interim_interval);
1316 		} else
1317 			sta->acct_interim_interval = acct_interim_interval;
1318 	}
1319 
1320 
1321 	switch (hdr->code) {
1322 	case RADIUS_CODE_ACCESS_ACCEPT:
1323 		if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
1324 			sta->vlan_id = 0;
1325 #ifndef CONFIG_NO_VLAN
1326 		else {
1327 			old_vlanid = sta->vlan_id;
1328 			sta->vlan_id = radius_msg_get_vlanid(msg);
1329 		}
1330 		if (sta->vlan_id > 0 &&
1331 		    hostapd_vlan_id_valid(hapd->conf->vlan, sta->vlan_id)) {
1332 			hostapd_logger(hapd, sta->addr,
1333 				       HOSTAPD_MODULE_RADIUS,
1334 				       HOSTAPD_LEVEL_INFO,
1335 				       "VLAN ID %d", sta->vlan_id);
1336 		} else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
1337 			sta->eapol_sm->authFail = TRUE;
1338 			hostapd_logger(hapd, sta->addr,
1339 				       HOSTAPD_MODULE_IEEE8021X,
1340 				       HOSTAPD_LEVEL_INFO, "authentication "
1341 				       "server did not include required VLAN "
1342 				       "ID in Access-Accept");
1343 			break;
1344 		}
1345 #endif /* CONFIG_NO_VLAN */
1346 
1347 		if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
1348 			break;
1349 
1350 		/* RFC 3580, Ch. 3.17 */
1351 		if (session_timeout_set && termination_action ==
1352 		    RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
1353 			sm->reAuthPeriod = session_timeout;
1354 		} else if (session_timeout_set)
1355 			ap_sta_session_timeout(hapd, sta, session_timeout);
1356 
1357 		sm->eap_if->aaaSuccess = TRUE;
1358 		override_eapReq = 1;
1359 		ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
1360 				    shared_secret_len);
1361 		ieee802_1x_store_radius_class(hapd, sta, msg);
1362 		ieee802_1x_update_sta_identity(hapd, sta, msg);
1363 		ieee802_1x_update_sta_cui(hapd, sta, msg);
1364 		if (sm->eap_if->eapKeyAvailable &&
1365 		    wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt,
1366 				       session_timeout_set ?
1367 				       (int) session_timeout : -1, sm) == 0) {
1368 			hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
1369 				       HOSTAPD_LEVEL_DEBUG,
1370 				       "Added PMKSA cache entry");
1371 		}
1372 		break;
1373 	case RADIUS_CODE_ACCESS_REJECT:
1374 		sm->eap_if->aaaFail = TRUE;
1375 		override_eapReq = 1;
1376 		break;
1377 	case RADIUS_CODE_ACCESS_CHALLENGE:
1378 		sm->eap_if->aaaEapReq = TRUE;
1379 		if (session_timeout_set) {
1380 			/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
1381 			sm->eap_if->aaaMethodTimeout = session_timeout;
1382 			hostapd_logger(hapd, sm->addr,
1383 				       HOSTAPD_MODULE_IEEE8021X,
1384 				       HOSTAPD_LEVEL_DEBUG,
1385 				       "using EAP timeout of %d seconds (from "
1386 				       "RADIUS)",
1387 				       sm->eap_if->aaaMethodTimeout);
1388 		} else {
1389 			/*
1390 			 * Use dynamic retransmission behavior per EAP
1391 			 * specification.
1392 			 */
1393 			sm->eap_if->aaaMethodTimeout = 0;
1394 		}
1395 		break;
1396 	}
1397 
1398 	ieee802_1x_decapsulate_radius(hapd, sta);
1399 	if (override_eapReq)
1400 		sm->eap_if->aaaEapReq = FALSE;
1401 
1402 	eapol_auth_step(sm);
1403 
1404 	return RADIUS_RX_QUEUED;
1405 }
1406 #endif /* CONFIG_NO_RADIUS */
1407 
1408 
ieee802_1x_abort_auth(struct hostapd_data * hapd,struct sta_info * sta)1409 void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta)
1410 {
1411 	struct eapol_state_machine *sm = sta->eapol_sm;
1412 	if (sm == NULL)
1413 		return;
1414 
1415 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1416 		       HOSTAPD_LEVEL_DEBUG, "aborting authentication");
1417 
1418 #ifndef CONFIG_NO_RADIUS
1419 	radius_msg_free(sm->last_recv_radius);
1420 	sm->last_recv_radius = NULL;
1421 #endif /* CONFIG_NO_RADIUS */
1422 
1423 	if (sm->eap_if->eapTimeout) {
1424 		/*
1425 		 * Disconnect the STA since it did not reply to the last EAP
1426 		 * request and we cannot continue EAP processing (EAP-Failure
1427 		 * could only be sent if the EAP peer actually replied).
1428 		 */
1429 		wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR,
1430 			MAC2STR(sta->addr));
1431 
1432 		sm->eap_if->portEnabled = FALSE;
1433 		ap_sta_disconnect(hapd, sta, sta->addr,
1434 				  WLAN_REASON_PREV_AUTH_NOT_VALID);
1435 	}
1436 }
1437 
1438 
ieee802_1x_rekey_broadcast(struct hostapd_data * hapd)1439 static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd)
1440 {
1441 	struct eapol_authenticator *eapol = hapd->eapol_auth;
1442 
1443 	if (hapd->conf->default_wep_key_len < 1)
1444 		return 0;
1445 
1446 	os_free(eapol->default_wep_key);
1447 	eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len);
1448 	if (eapol->default_wep_key == NULL ||
1449 	    random_get_bytes(eapol->default_wep_key,
1450 			     hapd->conf->default_wep_key_len)) {
1451 		printf("Could not generate random WEP key.\n");
1452 		os_free(eapol->default_wep_key);
1453 		eapol->default_wep_key = NULL;
1454 		return -1;
1455 	}
1456 
1457 	wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key",
1458 			eapol->default_wep_key,
1459 			hapd->conf->default_wep_key_len);
1460 
1461 	return 0;
1462 }
1463 
1464 
ieee802_1x_sta_key_available(struct hostapd_data * hapd,struct sta_info * sta,void * ctx)1465 static int ieee802_1x_sta_key_available(struct hostapd_data *hapd,
1466 					struct sta_info *sta, void *ctx)
1467 {
1468 	if (sta->eapol_sm) {
1469 		sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
1470 		eapol_auth_step(sta->eapol_sm);
1471 	}
1472 	return 0;
1473 }
1474 
1475 
ieee802_1x_rekey(void * eloop_ctx,void * timeout_ctx)1476 static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx)
1477 {
1478 	struct hostapd_data *hapd = eloop_ctx;
1479 	struct eapol_authenticator *eapol = hapd->eapol_auth;
1480 
1481 	if (eapol->default_wep_key_idx >= 3)
1482 		eapol->default_wep_key_idx =
1483 			hapd->conf->individual_wep_key_len > 0 ? 1 : 0;
1484 	else
1485 		eapol->default_wep_key_idx++;
1486 
1487 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d",
1488 		   eapol->default_wep_key_idx);
1489 
1490 	if (ieee802_1x_rekey_broadcast(hapd)) {
1491 		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1492 			       HOSTAPD_LEVEL_WARNING, "failed to generate a "
1493 			       "new broadcast key");
1494 		os_free(eapol->default_wep_key);
1495 		eapol->default_wep_key = NULL;
1496 		return;
1497 	}
1498 
1499 	/* TODO: Could setup key for RX here, but change default TX keyid only
1500 	 * after new broadcast key has been sent to all stations. */
1501 	if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP,
1502 				broadcast_ether_addr,
1503 				eapol->default_wep_key_idx, 1, NULL, 0,
1504 				eapol->default_wep_key,
1505 				hapd->conf->default_wep_key_len)) {
1506 		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X,
1507 			       HOSTAPD_LEVEL_WARNING, "failed to configure a "
1508 			       "new broadcast key");
1509 		os_free(eapol->default_wep_key);
1510 		eapol->default_wep_key = NULL;
1511 		return;
1512 	}
1513 
1514 	ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL);
1515 
1516 	if (hapd->conf->wep_rekeying_period > 0) {
1517 		eloop_register_timeout(hapd->conf->wep_rekeying_period, 0,
1518 				       ieee802_1x_rekey, hapd, NULL);
1519 	}
1520 }
1521 
1522 
ieee802_1x_eapol_send(void * ctx,void * sta_ctx,u8 type,const u8 * data,size_t datalen)1523 static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type,
1524 				  const u8 *data, size_t datalen)
1525 {
1526 #ifdef CONFIG_WPS
1527 	struct sta_info *sta = sta_ctx;
1528 
1529 	if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) ==
1530 	    WLAN_STA_MAYBE_WPS) {
1531 		const u8 *identity;
1532 		size_t identity_len;
1533 		struct eapol_state_machine *sm = sta->eapol_sm;
1534 
1535 		identity = eap_get_identity(sm->eap, &identity_len);
1536 		if (identity &&
1537 		    ((identity_len == WSC_ID_ENROLLEE_LEN &&
1538 		      os_memcmp(identity, WSC_ID_ENROLLEE,
1539 				WSC_ID_ENROLLEE_LEN) == 0) ||
1540 		     (identity_len == WSC_ID_REGISTRAR_LEN &&
1541 		      os_memcmp(identity, WSC_ID_REGISTRAR,
1542 				WSC_ID_REGISTRAR_LEN) == 0))) {
1543 			wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> "
1544 				   "WLAN_STA_WPS");
1545 			sta->flags |= WLAN_STA_WPS;
1546 		}
1547 	}
1548 #endif /* CONFIG_WPS */
1549 
1550 	ieee802_1x_send(ctx, sta_ctx, type, data, datalen);
1551 }
1552 
1553 
ieee802_1x_aaa_send(void * ctx,void * sta_ctx,const u8 * data,size_t datalen)1554 static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx,
1555 				const u8 *data, size_t datalen)
1556 {
1557 #ifndef CONFIG_NO_RADIUS
1558 	struct hostapd_data *hapd = ctx;
1559 	struct sta_info *sta = sta_ctx;
1560 
1561 	ieee802_1x_encapsulate_radius(hapd, sta, data, datalen);
1562 #endif /* CONFIG_NO_RADIUS */
1563 }
1564 
1565 
_ieee802_1x_finished(void * ctx,void * sta_ctx,int success,int preauth)1566 static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success,
1567 				 int preauth)
1568 {
1569 	struct hostapd_data *hapd = ctx;
1570 	struct sta_info *sta = sta_ctx;
1571 	if (preauth)
1572 		rsn_preauth_finished(hapd, sta, success);
1573 	else
1574 		ieee802_1x_finished(hapd, sta, success);
1575 }
1576 
1577 
ieee802_1x_get_eap_user(void * ctx,const u8 * identity,size_t identity_len,int phase2,struct eap_user * user)1578 static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity,
1579 				   size_t identity_len, int phase2,
1580 				   struct eap_user *user)
1581 {
1582 	struct hostapd_data *hapd = ctx;
1583 	const struct hostapd_eap_user *eap_user;
1584 	int i;
1585 
1586 	eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2);
1587 	if (eap_user == NULL)
1588 		return -1;
1589 
1590 	os_memset(user, 0, sizeof(*user));
1591 	user->phase2 = phase2;
1592 	for (i = 0; i < EAP_MAX_METHODS; i++) {
1593 		user->methods[i].vendor = eap_user->methods[i].vendor;
1594 		user->methods[i].method = eap_user->methods[i].method;
1595 	}
1596 
1597 	if (eap_user->password) {
1598 		user->password = os_malloc(eap_user->password_len);
1599 		if (user->password == NULL)
1600 			return -1;
1601 		os_memcpy(user->password, eap_user->password,
1602 			  eap_user->password_len);
1603 		user->password_len = eap_user->password_len;
1604 		user->password_hash = eap_user->password_hash;
1605 	}
1606 	user->force_version = eap_user->force_version;
1607 	user->ttls_auth = eap_user->ttls_auth;
1608 
1609 	return 0;
1610 }
1611 
1612 
ieee802_1x_sta_entry_alive(void * ctx,const u8 * addr)1613 static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr)
1614 {
1615 	struct hostapd_data *hapd = ctx;
1616 	struct sta_info *sta;
1617 	sta = ap_get_sta(hapd, addr);
1618 	if (sta == NULL || sta->eapol_sm == NULL)
1619 		return 0;
1620 	return 1;
1621 }
1622 
1623 
ieee802_1x_logger(void * ctx,const u8 * addr,eapol_logger_level level,const char * txt)1624 static void ieee802_1x_logger(void *ctx, const u8 *addr,
1625 			      eapol_logger_level level, const char *txt)
1626 {
1627 #ifndef CONFIG_NO_HOSTAPD_LOGGER
1628 	struct hostapd_data *hapd = ctx;
1629 	int hlevel;
1630 
1631 	switch (level) {
1632 	case EAPOL_LOGGER_WARNING:
1633 		hlevel = HOSTAPD_LEVEL_WARNING;
1634 		break;
1635 	case EAPOL_LOGGER_INFO:
1636 		hlevel = HOSTAPD_LEVEL_INFO;
1637 		break;
1638 	case EAPOL_LOGGER_DEBUG:
1639 	default:
1640 		hlevel = HOSTAPD_LEVEL_DEBUG;
1641 		break;
1642 	}
1643 
1644 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s",
1645 		       txt);
1646 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
1647 }
1648 
1649 
ieee802_1x_set_port_authorized(void * ctx,void * sta_ctx,int authorized)1650 static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx,
1651 					   int authorized)
1652 {
1653 	struct hostapd_data *hapd = ctx;
1654 	struct sta_info *sta = sta_ctx;
1655 	ieee802_1x_set_sta_authorized(hapd, sta, authorized);
1656 }
1657 
1658 
_ieee802_1x_abort_auth(void * ctx,void * sta_ctx)1659 static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx)
1660 {
1661 	struct hostapd_data *hapd = ctx;
1662 	struct sta_info *sta = sta_ctx;
1663 	ieee802_1x_abort_auth(hapd, sta);
1664 }
1665 
1666 
_ieee802_1x_tx_key(void * ctx,void * sta_ctx)1667 static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx)
1668 {
1669 	struct hostapd_data *hapd = ctx;
1670 	struct sta_info *sta = sta_ctx;
1671 	ieee802_1x_tx_key(hapd, sta);
1672 }
1673 
1674 
ieee802_1x_eapol_event(void * ctx,void * sta_ctx,enum eapol_event type)1675 static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx,
1676 				   enum eapol_event type)
1677 {
1678 	/* struct hostapd_data *hapd = ctx; */
1679 	struct sta_info *sta = sta_ctx;
1680 	switch (type) {
1681 	case EAPOL_AUTH_SM_CHANGE:
1682 		wpa_auth_sm_notify(sta->wpa_sm);
1683 		break;
1684 	case EAPOL_AUTH_REAUTHENTICATE:
1685 		wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL);
1686 		break;
1687 	}
1688 }
1689 
1690 
ieee802_1x_init(struct hostapd_data * hapd)1691 int ieee802_1x_init(struct hostapd_data *hapd)
1692 {
1693 	int i;
1694 	struct eapol_auth_config conf;
1695 	struct eapol_auth_cb cb;
1696 
1697 	os_memset(&conf, 0, sizeof(conf));
1698 	conf.ctx = hapd;
1699 	conf.eap_reauth_period = hapd->conf->eap_reauth_period;
1700 	conf.wpa = hapd->conf->wpa;
1701 	conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
1702 	conf.eap_server = hapd->conf->eap_server;
1703 	conf.ssl_ctx = hapd->ssl_ctx;
1704 	conf.msg_ctx = hapd->msg_ctx;
1705 	conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
1706 	conf.eap_req_id_text = hapd->conf->eap_req_id_text;
1707 	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
1708 	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
1709 	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
1710 	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
1711 	conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
1712 	conf.eap_fast_prov = hapd->conf->eap_fast_prov;
1713 	conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
1714 	conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
1715 	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
1716 	conf.tnc = hapd->conf->tnc;
1717 	conf.wps = hapd->wps;
1718 	conf.fragment_size = hapd->conf->fragment_size;
1719 	conf.pwd_group = hapd->conf->pwd_group;
1720 	conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
1721 	if (hapd->conf->server_id) {
1722 		conf.server_id = (const u8 *) hapd->conf->server_id;
1723 		conf.server_id_len = os_strlen(hapd->conf->server_id);
1724 	} else {
1725 		conf.server_id = (const u8 *) "hostapd";
1726 		conf.server_id_len = 7;
1727 	}
1728 
1729 	os_memset(&cb, 0, sizeof(cb));
1730 	cb.eapol_send = ieee802_1x_eapol_send;
1731 	cb.aaa_send = ieee802_1x_aaa_send;
1732 	cb.finished = _ieee802_1x_finished;
1733 	cb.get_eap_user = ieee802_1x_get_eap_user;
1734 	cb.sta_entry_alive = ieee802_1x_sta_entry_alive;
1735 	cb.logger = ieee802_1x_logger;
1736 	cb.set_port_authorized = ieee802_1x_set_port_authorized;
1737 	cb.abort_auth = _ieee802_1x_abort_auth;
1738 	cb.tx_key = _ieee802_1x_tx_key;
1739 	cb.eapol_event = ieee802_1x_eapol_event;
1740 
1741 	hapd->eapol_auth = eapol_auth_init(&conf, &cb);
1742 	if (hapd->eapol_auth == NULL)
1743 		return -1;
1744 
1745 	if ((hapd->conf->ieee802_1x || hapd->conf->wpa) &&
1746 	    hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1))
1747 		return -1;
1748 
1749 #ifndef CONFIG_NO_RADIUS
1750 	if (radius_client_register(hapd->radius, RADIUS_AUTH,
1751 				   ieee802_1x_receive_auth, hapd))
1752 		return -1;
1753 #endif /* CONFIG_NO_RADIUS */
1754 
1755 	if (hapd->conf->default_wep_key_len) {
1756 		for (i = 0; i < 4; i++)
1757 			hostapd_drv_set_key(hapd->conf->iface, hapd,
1758 					    WPA_ALG_NONE, NULL, i, 0, NULL, 0,
1759 					    NULL, 0);
1760 
1761 		ieee802_1x_rekey(hapd, NULL);
1762 
1763 		if (hapd->eapol_auth->default_wep_key == NULL)
1764 			return -1;
1765 	}
1766 
1767 	return 0;
1768 }
1769 
1770 
ieee802_1x_deinit(struct hostapd_data * hapd)1771 void ieee802_1x_deinit(struct hostapd_data *hapd)
1772 {
1773 	eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL);
1774 
1775 	if (hapd->driver != NULL &&
1776 	    (hapd->conf->ieee802_1x || hapd->conf->wpa))
1777 		hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0);
1778 
1779 	eapol_auth_deinit(hapd->eapol_auth);
1780 	hapd->eapol_auth = NULL;
1781 }
1782 
1783 
ieee802_1x_tx_status(struct hostapd_data * hapd,struct sta_info * sta,const u8 * buf,size_t len,int ack)1784 int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
1785 			 const u8 *buf, size_t len, int ack)
1786 {
1787 	struct ieee80211_hdr *hdr;
1788 	u8 *pos;
1789 	const unsigned char rfc1042_hdr[ETH_ALEN] =
1790 		{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
1791 
1792 	if (sta == NULL)
1793 		return -1;
1794 	if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2)
1795 		return 0;
1796 
1797 	hdr = (struct ieee80211_hdr *) buf;
1798 	pos = (u8 *) (hdr + 1);
1799 	if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0)
1800 		return 0;
1801 	pos += sizeof(rfc1042_hdr);
1802 	if (WPA_GET_BE16(pos) != ETH_P_PAE)
1803 		return 0;
1804 	pos += 2;
1805 
1806 	return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos,
1807 					  ack);
1808 }
1809 
1810 
ieee802_1x_eapol_tx_status(struct hostapd_data * hapd,struct sta_info * sta,const u8 * buf,int len,int ack)1811 int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta,
1812 			       const u8 *buf, int len, int ack)
1813 {
1814 	const struct ieee802_1x_hdr *xhdr =
1815 		(const struct ieee802_1x_hdr *) buf;
1816 	const u8 *pos = buf + sizeof(*xhdr);
1817 	struct ieee802_1x_eapol_key *key;
1818 
1819 	if (len < (int) sizeof(*xhdr))
1820 		return 0;
1821 	wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d "
1822 		   "type=%d length=%d - ack=%d",
1823 		   MAC2STR(sta->addr), xhdr->version, xhdr->type,
1824 		   be_to_host16(xhdr->length), ack);
1825 
1826 	if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY)
1827 		return 0;
1828 
1829 	if (pos + sizeof(struct wpa_eapol_key) <= buf + len) {
1830 		const struct wpa_eapol_key *wpa;
1831 		wpa = (const struct wpa_eapol_key *) pos;
1832 		if (wpa->type == EAPOL_KEY_TYPE_RSN ||
1833 		    wpa->type == EAPOL_KEY_TYPE_WPA)
1834 			wpa_auth_eapol_key_tx_status(hapd->wpa_auth,
1835 						     sta->wpa_sm, ack);
1836 	}
1837 
1838 	/* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
1839 	 * or Authenticator state machines, but EAPOL-Key packets are not
1840 	 * retransmitted in case of failure. Try to re-send failed EAPOL-Key
1841 	 * packets couple of times because otherwise STA keys become
1842 	 * unsynchronized with AP. */
1843 	if (!ack && pos + sizeof(*key) <= buf + len) {
1844 		key = (struct ieee802_1x_eapol_key *) pos;
1845 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
1846 			       HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key "
1847 			       "frame (%scast index=%d)",
1848 			       key->key_index & BIT(7) ? "uni" : "broad",
1849 			       key->key_index & ~BIT(7));
1850 		/* TODO: re-send EAPOL-Key couple of times (with short delay
1851 		 * between them?). If all attempt fail, report error and
1852 		 * deauthenticate STA so that it will get new keys when
1853 		 * authenticating again (e.g., after returning in range).
1854 		 * Separate limit/transmit state needed both for unicast and
1855 		 * broadcast keys(?) */
1856 	}
1857 	/* TODO: could move unicast key configuration from ieee802_1x_tx_key()
1858 	 * to here and change the key only if the EAPOL-Key packet was Acked.
1859 	 */
1860 
1861 	return 1;
1862 }
1863 
1864 
ieee802_1x_get_identity(struct eapol_state_machine * sm,size_t * len)1865 u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len)
1866 {
1867 	if (sm == NULL || sm->identity == NULL)
1868 		return NULL;
1869 
1870 	*len = sm->identity_len;
1871 	return sm->identity;
1872 }
1873 
1874 
ieee802_1x_get_radius_class(struct eapol_state_machine * sm,size_t * len,int idx)1875 u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len,
1876 				 int idx)
1877 {
1878 	if (sm == NULL || sm->radius_class.attr == NULL ||
1879 	    idx >= (int) sm->radius_class.count)
1880 		return NULL;
1881 
1882 	*len = sm->radius_class.attr[idx].len;
1883 	return sm->radius_class.attr[idx].data;
1884 }
1885 
1886 
ieee802_1x_get_radius_cui(struct eapol_state_machine * sm)1887 struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm)
1888 {
1889 	if (sm == NULL)
1890 		return NULL;
1891 	return sm->radius_cui;
1892 }
1893 
1894 
ieee802_1x_get_key(struct eapol_state_machine * sm,size_t * len)1895 const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len)
1896 {
1897 	*len = 0;
1898 	if (sm == NULL)
1899 		return NULL;
1900 
1901 	*len = sm->eap_if->eapKeyDataLen;
1902 	return sm->eap_if->eapKeyData;
1903 }
1904 
1905 
ieee802_1x_notify_port_enabled(struct eapol_state_machine * sm,int enabled)1906 void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm,
1907 				    int enabled)
1908 {
1909 	if (sm == NULL)
1910 		return;
1911 	sm->eap_if->portEnabled = enabled ? TRUE : FALSE;
1912 	eapol_auth_step(sm);
1913 }
1914 
1915 
ieee802_1x_notify_port_valid(struct eapol_state_machine * sm,int valid)1916 void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm,
1917 				  int valid)
1918 {
1919 	if (sm == NULL)
1920 		return;
1921 	sm->portValid = valid ? TRUE : FALSE;
1922 	eapol_auth_step(sm);
1923 }
1924 
1925 
ieee802_1x_notify_pre_auth(struct eapol_state_machine * sm,int pre_auth)1926 void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth)
1927 {
1928 	if (sm == NULL)
1929 		return;
1930 	if (pre_auth)
1931 		sm->flags |= EAPOL_SM_PREAUTH;
1932 	else
1933 		sm->flags &= ~EAPOL_SM_PREAUTH;
1934 }
1935 
1936 
bool_txt(Boolean bool)1937 static const char * bool_txt(Boolean bool)
1938 {
1939 	return bool ? "TRUE" : "FALSE";
1940 }
1941 
1942 
ieee802_1x_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)1943 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
1944 {
1945 	/* TODO */
1946 	return 0;
1947 }
1948 
1949 
ieee802_1x_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)1950 int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
1951 			   char *buf, size_t buflen)
1952 {
1953 	int len = 0, ret;
1954 	struct eapol_state_machine *sm = sta->eapol_sm;
1955 	struct os_time t;
1956 
1957 	if (sm == NULL)
1958 		return 0;
1959 
1960 	ret = os_snprintf(buf + len, buflen - len,
1961 			  "dot1xPaePortNumber=%d\n"
1962 			  "dot1xPaePortProtocolVersion=%d\n"
1963 			  "dot1xPaePortCapabilities=1\n"
1964 			  "dot1xPaePortInitialize=%d\n"
1965 			  "dot1xPaePortReauthenticate=FALSE\n",
1966 			  sta->aid,
1967 			  EAPOL_VERSION,
1968 			  sm->initialize);
1969 	if (ret < 0 || (size_t) ret >= buflen - len)
1970 		return len;
1971 	len += ret;
1972 
1973 	/* dot1xAuthConfigTable */
1974 	ret = os_snprintf(buf + len, buflen - len,
1975 			  "dot1xAuthPaeState=%d\n"
1976 			  "dot1xAuthBackendAuthState=%d\n"
1977 			  "dot1xAuthAdminControlledDirections=%d\n"
1978 			  "dot1xAuthOperControlledDirections=%d\n"
1979 			  "dot1xAuthAuthControlledPortStatus=%d\n"
1980 			  "dot1xAuthAuthControlledPortControl=%d\n"
1981 			  "dot1xAuthQuietPeriod=%u\n"
1982 			  "dot1xAuthServerTimeout=%u\n"
1983 			  "dot1xAuthReAuthPeriod=%u\n"
1984 			  "dot1xAuthReAuthEnabled=%s\n"
1985 			  "dot1xAuthKeyTxEnabled=%s\n",
1986 			  sm->auth_pae_state + 1,
1987 			  sm->be_auth_state + 1,
1988 			  sm->adminControlledDirections,
1989 			  sm->operControlledDirections,
1990 			  sm->authPortStatus,
1991 			  sm->portControl,
1992 			  sm->quietPeriod,
1993 			  sm->serverTimeout,
1994 			  sm->reAuthPeriod,
1995 			  bool_txt(sm->reAuthEnabled),
1996 			  bool_txt(sm->keyTxEnabled));
1997 	if (ret < 0 || (size_t) ret >= buflen - len)
1998 		return len;
1999 	len += ret;
2000 
2001 	/* dot1xAuthStatsTable */
2002 	ret = os_snprintf(buf + len, buflen - len,
2003 			  "dot1xAuthEapolFramesRx=%u\n"
2004 			  "dot1xAuthEapolFramesTx=%u\n"
2005 			  "dot1xAuthEapolStartFramesRx=%u\n"
2006 			  "dot1xAuthEapolLogoffFramesRx=%u\n"
2007 			  "dot1xAuthEapolRespIdFramesRx=%u\n"
2008 			  "dot1xAuthEapolRespFramesRx=%u\n"
2009 			  "dot1xAuthEapolReqIdFramesTx=%u\n"
2010 			  "dot1xAuthEapolReqFramesTx=%u\n"
2011 			  "dot1xAuthInvalidEapolFramesRx=%u\n"
2012 			  "dot1xAuthEapLengthErrorFramesRx=%u\n"
2013 			  "dot1xAuthLastEapolFrameVersion=%u\n"
2014 			  "dot1xAuthLastEapolFrameSource=" MACSTR "\n",
2015 			  sm->dot1xAuthEapolFramesRx,
2016 			  sm->dot1xAuthEapolFramesTx,
2017 			  sm->dot1xAuthEapolStartFramesRx,
2018 			  sm->dot1xAuthEapolLogoffFramesRx,
2019 			  sm->dot1xAuthEapolRespIdFramesRx,
2020 			  sm->dot1xAuthEapolRespFramesRx,
2021 			  sm->dot1xAuthEapolReqIdFramesTx,
2022 			  sm->dot1xAuthEapolReqFramesTx,
2023 			  sm->dot1xAuthInvalidEapolFramesRx,
2024 			  sm->dot1xAuthEapLengthErrorFramesRx,
2025 			  sm->dot1xAuthLastEapolFrameVersion,
2026 			  MAC2STR(sm->addr));
2027 	if (ret < 0 || (size_t) ret >= buflen - len)
2028 		return len;
2029 	len += ret;
2030 
2031 	/* dot1xAuthDiagTable */
2032 	ret = os_snprintf(buf + len, buflen - len,
2033 			  "dot1xAuthEntersConnecting=%u\n"
2034 			  "dot1xAuthEapLogoffsWhileConnecting=%u\n"
2035 			  "dot1xAuthEntersAuthenticating=%u\n"
2036 			  "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2037 			  "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2038 			  "dot1xAuthAuthFailWhileAuthenticating=%u\n"
2039 			  "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2040 			  "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2041 			  "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2042 			  "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2043 			  "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2044 			  "dot1xAuthBackendResponses=%u\n"
2045 			  "dot1xAuthBackendAccessChallenges=%u\n"
2046 			  "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2047 			  "dot1xAuthBackendAuthSuccesses=%u\n"
2048 			  "dot1xAuthBackendAuthFails=%u\n",
2049 			  sm->authEntersConnecting,
2050 			  sm->authEapLogoffsWhileConnecting,
2051 			  sm->authEntersAuthenticating,
2052 			  sm->authAuthSuccessesWhileAuthenticating,
2053 			  sm->authAuthTimeoutsWhileAuthenticating,
2054 			  sm->authAuthFailWhileAuthenticating,
2055 			  sm->authAuthEapStartsWhileAuthenticating,
2056 			  sm->authAuthEapLogoffWhileAuthenticating,
2057 			  sm->authAuthReauthsWhileAuthenticated,
2058 			  sm->authAuthEapStartsWhileAuthenticated,
2059 			  sm->authAuthEapLogoffWhileAuthenticated,
2060 			  sm->backendResponses,
2061 			  sm->backendAccessChallenges,
2062 			  sm->backendOtherRequestsToSupplicant,
2063 			  sm->backendAuthSuccesses,
2064 			  sm->backendAuthFails);
2065 	if (ret < 0 || (size_t) ret >= buflen - len)
2066 		return len;
2067 	len += ret;
2068 
2069 	/* dot1xAuthSessionStatsTable */
2070 	os_get_time(&t);
2071 	ret = os_snprintf(buf + len, buflen - len,
2072 			  /* TODO: dot1xAuthSessionOctetsRx */
2073 			  /* TODO: dot1xAuthSessionOctetsTx */
2074 			  /* TODO: dot1xAuthSessionFramesRx */
2075 			  /* TODO: dot1xAuthSessionFramesTx */
2076 			  "dot1xAuthSessionId=%08X-%08X\n"
2077 			  "dot1xAuthSessionAuthenticMethod=%d\n"
2078 			  "dot1xAuthSessionTime=%u\n"
2079 			  "dot1xAuthSessionTerminateCause=999\n"
2080 			  "dot1xAuthSessionUserName=%s\n",
2081 			  sta->acct_session_id_hi, sta->acct_session_id_lo,
2082 			  (wpa_key_mgmt_wpa_ieee8021x(
2083 				   wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
2084 			  1 : 2,
2085 			  (unsigned int) (t.sec - sta->acct_session_start),
2086 			  sm->identity);
2087 	if (ret < 0 || (size_t) ret >= buflen - len)
2088 		return len;
2089 	len += ret;
2090 
2091 	return len;
2092 }
2093 
2094 
ieee802_1x_finished(struct hostapd_data * hapd,struct sta_info * sta,int success)2095 static void ieee802_1x_finished(struct hostapd_data *hapd,
2096 				struct sta_info *sta, int success)
2097 {
2098 	const u8 *key;
2099 	size_t len;
2100 	/* TODO: get PMKLifetime from WPA parameters */
2101 	static const int dot11RSNAConfigPMKLifetime = 43200;
2102 
2103 	key = ieee802_1x_get_key(sta->eapol_sm, &len);
2104 	if (success && key && len >= PMK_LEN &&
2105 	    wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
2106 			       sta->eapol_sm) == 0) {
2107 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
2108 			       HOSTAPD_LEVEL_DEBUG,
2109 			       "Added PMKSA cache entry (IEEE 802.1X)");
2110 	}
2111 
2112 	if (!success) {
2113 		/*
2114 		 * Many devices require deauthentication after WPS provisioning
2115 		 * and some may not be be able to do that themselves, so
2116 		 * disconnect the client here. In addition, this may also
2117 		 * benefit IEEE 802.1X/EAPOL authentication cases, too since
2118 		 * the EAPOL PAE state machine would remain in HELD state for
2119 		 * considerable amount of time and some EAP methods, like
2120 		 * EAP-FAST with anonymous provisioning, may require another
2121 		 * EAPOL authentication to be started to complete connection.
2122 		 */
2123 		wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force "
2124 			"disconnection after EAP-Failure");
2125 		/* Add a small sleep to increase likelihood of previously
2126 		 * requested EAP-Failure TX getting out before this should the
2127 		 * driver reorder operations.
2128 		 */
2129 		os_sleep(0, 10000);
2130 #ifndef ANDROID_P2P
2131 		/* We need not do this for driver. For AP-SME flags if we send this disassoc,
2132 		  * the p2p_client is gettig disassoc after it has completed the assoc
2133 		  */
2134 		ap_sta_disconnect(hapd, sta, sta->addr,
2135 				  WLAN_REASON_IEEE_802_1X_AUTH_FAILED);
2136 #endif
2137 	}
2138 }
2139