]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | /* |
2 | * hostapd / IEEE 802.1X-2004 Authenticator | |
c7bce24d | 3 | * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> |
6fc6879b | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
6226e38d | 9 | #include "utils/includes.h" |
6fc6879b | 10 | |
6226e38d JM |
11 | #include "utils/common.h" |
12 | #include "utils/eloop.h" | |
03da66bd JM |
13 | #include "crypto/md5.h" |
14 | #include "crypto/crypto.h" | |
3642c431 | 15 | #include "crypto/random.h" |
03da66bd | 16 | #include "common/ieee802_11_defs.h" |
6fc6879b JM |
17 | #include "radius/radius.h" |
18 | #include "radius/radius_client.h" | |
6226e38d | 19 | #include "eap_server/eap.h" |
4e22adb4 | 20 | #include "eap_common/eap_wsc_common.h" |
281c950b | 21 | #include "eapol_auth/eapol_auth_sm.h" |
e0e14a7b | 22 | #include "eapol_auth/eapol_auth_sm_i.h" |
c9aab274 | 23 | #include "p2p/p2p.h" |
03da66bd | 24 | #include "hostapd.h" |
03da66bd | 25 | #include "accounting.h" |
6fc6879b | 26 | #include "sta_info.h" |
6226e38d JM |
27 | #include "wpa_auth.h" |
28 | #include "preauth_auth.h" | |
29 | #include "pmksa_cache_auth.h" | |
30 | #include "ap_config.h" | |
3acdf771 | 31 | #include "ap_drv_ops.h" |
7b75c301 | 32 | #include "wps_hostapd.h" |
6ca0853d | 33 | #include "hs20.h" |
c4fd6d8a JM |
34 | /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */ |
35 | #include "ieee802_11.h" | |
6226e38d | 36 | #include "ieee802_1x.h" |
6fc6879b JM |
37 | |
38 | ||
d7c3347f JM |
39 | #ifdef CONFIG_HS20 |
40 | static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx); | |
41 | #endif /* CONFIG_HS20 */ | |
6fc6879b | 42 | static void ieee802_1x_finished(struct hostapd_data *hapd, |
8d2a9921 JM |
43 | struct sta_info *sta, int success, |
44 | int remediation); | |
6fc6879b JM |
45 | |
46 | ||
47 | static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, | |
48 | u8 type, const u8 *data, size_t datalen) | |
49 | { | |
50 | u8 *buf; | |
51 | struct ieee802_1x_hdr *xhdr; | |
52 | size_t len; | |
53 | int encrypt = 0; | |
54 | ||
55 | len = sizeof(*xhdr) + datalen; | |
56 | buf = os_zalloc(len); | |
57 | if (buf == NULL) { | |
58 | wpa_printf(MSG_ERROR, "malloc() failed for " | |
59 | "ieee802_1x_send(len=%lu)", | |
60 | (unsigned long) len); | |
61 | return; | |
62 | } | |
63 | ||
64 | xhdr = (struct ieee802_1x_hdr *) buf; | |
65 | xhdr->version = hapd->conf->eapol_version; | |
66 | xhdr->type = type; | |
67 | xhdr->length = host_to_be16(datalen); | |
68 | ||
69 | if (datalen > 0 && data != NULL) | |
70 | os_memcpy(xhdr + 1, data, datalen); | |
71 | ||
72 | if (wpa_auth_pairwise_set(sta->wpa_sm)) | |
73 | encrypt = 1; | |
9d4ff04a JM |
74 | #ifdef CONFIG_TESTING_OPTIONS |
75 | if (hapd->ext_eapol_frame_io) { | |
76 | size_t hex_len = 2 * len + 1; | |
77 | char *hex = os_malloc(hex_len); | |
78 | ||
79 | if (hex) { | |
80 | wpa_snprintf_hex(hex, hex_len, buf, len); | |
81 | wpa_msg(hapd->msg_ctx, MSG_INFO, | |
82 | "EAPOL-TX " MACSTR " %s", | |
83 | MAC2STR(sta->addr), hex); | |
84 | os_free(hex); | |
85 | } | |
86 | } else | |
87 | #endif /* CONFIG_TESTING_OPTIONS */ | |
6fc6879b JM |
88 | if (sta->flags & WLAN_STA_PREAUTH) { |
89 | rsn_preauth_send(hapd, sta, buf, len); | |
90 | } else { | |
af220315 JM |
91 | hostapd_drv_hapd_send_eapol( |
92 | hapd, sta->addr, buf, len, | |
93 | encrypt, hostapd_sta_flags_to_drv(sta->flags)); | |
6fc6879b JM |
94 | } |
95 | ||
96 | os_free(buf); | |
97 | } | |
98 | ||
99 | ||
100 | void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, | |
101 | struct sta_info *sta, int authorized) | |
102 | { | |
103 | int res; | |
104 | ||
105 | if (sta->flags & WLAN_STA_PREAUTH) | |
106 | return; | |
107 | ||
108 | if (authorized) { | |
6905dcb1 | 109 | ap_sta_set_authorized(hapd, sta, 1); |
0e8a96a9 | 110 | res = hostapd_set_authorized(hapd, sta, 1); |
6fc6879b JM |
111 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, |
112 | HOSTAPD_LEVEL_DEBUG, "authorizing port"); | |
113 | } else { | |
6905dcb1 | 114 | ap_sta_set_authorized(hapd, sta, 0); |
0e8a96a9 | 115 | res = hostapd_set_authorized(hapd, sta, 0); |
6fc6879b JM |
116 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, |
117 | HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); | |
118 | } | |
119 | ||
120 | if (res && errno != ENOENT) { | |
24d110dc DS |
121 | wpa_printf(MSG_DEBUG, "Could not set station " MACSTR |
122 | " flags for kernel driver (errno=%d).", | |
123 | MAC2STR(sta->addr), errno); | |
6fc6879b JM |
124 | } |
125 | ||
39b1572c | 126 | if (authorized) { |
b3493fa1 | 127 | os_get_reltime(&sta->connected_time); |
6fc6879b | 128 | accounting_sta_start(hapd, sta); |
39b1572c | 129 | } |
6fc6879b JM |
130 | } |
131 | ||
132 | ||
e03e56c3 | 133 | #ifndef CONFIG_FIPS |
7cb53ded | 134 | #ifndef CONFIG_NO_RC4 |
e03e56c3 | 135 | |
6fc6879b JM |
136 | static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, |
137 | struct sta_info *sta, | |
138 | int idx, int broadcast, | |
139 | u8 *key_data, size_t key_len) | |
140 | { | |
141 | u8 *buf, *ekey; | |
142 | struct ieee802_1x_hdr *hdr; | |
143 | struct ieee802_1x_eapol_key *key; | |
144 | size_t len, ekey_len; | |
145 | struct eapol_state_machine *sm = sta->eapol_sm; | |
146 | ||
147 | if (sm == NULL) | |
148 | return; | |
149 | ||
150 | len = sizeof(*key) + key_len; | |
151 | buf = os_zalloc(sizeof(*hdr) + len); | |
152 | if (buf == NULL) | |
153 | return; | |
154 | ||
155 | hdr = (struct ieee802_1x_hdr *) buf; | |
156 | key = (struct ieee802_1x_eapol_key *) (hdr + 1); | |
157 | key->type = EAPOL_KEY_TYPE_RC4; | |
70a26e70 | 158 | WPA_PUT_BE16(key->key_length, key_len); |
6fc6879b JM |
159 | wpa_get_ntp_timestamp(key->replay_counter); |
160 | ||
3642c431 | 161 | if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { |
6fc6879b JM |
162 | wpa_printf(MSG_ERROR, "Could not get random numbers"); |
163 | os_free(buf); | |
164 | return; | |
165 | } | |
166 | ||
167 | key->key_index = idx | (broadcast ? 0 : BIT(7)); | |
168 | if (hapd->conf->eapol_key_index_workaround) { | |
169 | /* According to some information, WinXP Supplicant seems to | |
170 | * interpret bit7 as an indication whether the key is to be | |
171 | * activated, so make it possible to enable workaround that | |
172 | * sets this bit for all keys. */ | |
173 | key->key_index |= BIT(7); | |
174 | } | |
175 | ||
176 | /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and | |
177 | * MSK[32..63] is used to sign the message. */ | |
178 | if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { | |
179 | wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " | |
180 | "and signing EAPOL-Key"); | |
181 | os_free(buf); | |
182 | return; | |
183 | } | |
184 | os_memcpy((u8 *) (key + 1), key_data, key_len); | |
185 | ekey_len = sizeof(key->key_iv) + 32; | |
186 | ekey = os_malloc(ekey_len); | |
187 | if (ekey == NULL) { | |
188 | wpa_printf(MSG_ERROR, "Could not encrypt key"); | |
189 | os_free(buf); | |
190 | return; | |
191 | } | |
192 | os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); | |
193 | os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); | |
8ef16831 | 194 | rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); |
6fc6879b JM |
195 | os_free(ekey); |
196 | ||
197 | /* This header is needed here for HMAC-MD5, but it will be regenerated | |
198 | * in ieee802_1x_send() */ | |
199 | hdr->version = hapd->conf->eapol_version; | |
200 | hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; | |
201 | hdr->length = host_to_be16(len); | |
202 | hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, | |
203 | key->key_signature); | |
204 | ||
205 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR | |
206 | " (%s index=%d)", MAC2STR(sm->addr), | |
207 | broadcast ? "broadcast" : "unicast", idx); | |
208 | ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); | |
209 | if (sta->eapol_sm) | |
210 | sta->eapol_sm->dot1xAuthEapolFramesTx++; | |
211 | os_free(buf); | |
212 | } | |
213 | ||
214 | ||
bfc284c5 | 215 | static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) |
6fc6879b | 216 | { |
f55802e8 | 217 | struct eapol_authenticator *eapol = hapd->eapol_auth; |
6fc6879b | 218 | struct eapol_state_machine *sm = sta->eapol_sm; |
6fc6879b JM |
219 | |
220 | if (sm == NULL || !sm->eap_if->eapKeyData) | |
221 | return; | |
222 | ||
223 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, | |
224 | MAC2STR(sta->addr)); | |
225 | ||
30b32314 | 226 | #ifndef CONFIG_NO_VLAN |
1889af2e | 227 | if (sta->vlan_id > 0) { |
d66dcb0d MB |
228 | wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); |
229 | return; | |
230 | } | |
30b32314 | 231 | #endif /* CONFIG_NO_VLAN */ |
d2ba3d6b | 232 | |
f55802e8 JM |
233 | if (eapol->default_wep_key) { |
234 | ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, | |
235 | eapol->default_wep_key, | |
6fc6879b JM |
236 | hapd->conf->default_wep_key_len); |
237 | } | |
238 | ||
239 | if (hapd->conf->individual_wep_key_len > 0) { | |
240 | u8 *ikey; | |
241 | ikey = os_malloc(hapd->conf->individual_wep_key_len); | |
242 | if (ikey == NULL || | |
3642c431 JM |
243 | random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) |
244 | { | |
6fc6879b JM |
245 | wpa_printf(MSG_ERROR, "Could not generate random " |
246 | "individual WEP key."); | |
247 | os_free(ikey); | |
248 | return; | |
249 | } | |
250 | ||
251 | wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", | |
252 | ikey, hapd->conf->individual_wep_key_len); | |
253 | ||
254 | ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, | |
255 | hapd->conf->individual_wep_key_len); | |
256 | ||
257 | /* TODO: set encryption in TX callback, i.e., only after STA | |
258 | * has ACKed EAPOL-Key frame */ | |
3acdf771 JM |
259 | if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, |
260 | sta->addr, 0, 1, NULL, 0, ikey, | |
261 | hapd->conf->individual_wep_key_len)) { | |
6fc6879b JM |
262 | wpa_printf(MSG_ERROR, "Could not set individual WEP " |
263 | "encryption."); | |
264 | } | |
265 | ||
266 | os_free(ikey); | |
267 | } | |
268 | } | |
269 | ||
7cb53ded | 270 | #endif /* CONFIG_NO_RC4 */ |
e03e56c3 JM |
271 | #endif /* CONFIG_FIPS */ |
272 | ||
6fc6879b JM |
273 | |
274 | const char *radius_mode_txt(struct hostapd_data *hapd) | |
275 | { | |
45cefa0b | 276 | switch (hapd->iface->conf->hw_mode) { |
7829894c VK |
277 | case HOSTAPD_MODE_IEEE80211AD: |
278 | return "802.11ad"; | |
6fc6879b JM |
279 | case HOSTAPD_MODE_IEEE80211A: |
280 | return "802.11a"; | |
281 | case HOSTAPD_MODE_IEEE80211G: | |
282 | return "802.11g"; | |
283 | case HOSTAPD_MODE_IEEE80211B: | |
284 | default: | |
285 | return "802.11b"; | |
286 | } | |
287 | } | |
288 | ||
289 | ||
290 | int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) | |
291 | { | |
292 | int i; | |
293 | u8 rate = 0; | |
294 | ||
295 | for (i = 0; i < sta->supported_rates_len; i++) | |
296 | if ((sta->supported_rates[i] & 0x7f) > rate) | |
297 | rate = sta->supported_rates[i] & 0x7f; | |
298 | ||
299 | return rate; | |
300 | } | |
301 | ||
302 | ||
f88bd288 | 303 | #ifndef CONFIG_NO_RADIUS |
6fc6879b JM |
304 | static void ieee802_1x_learn_identity(struct hostapd_data *hapd, |
305 | struct eapol_state_machine *sm, | |
306 | const u8 *eap, size_t len) | |
307 | { | |
308 | const u8 *identity; | |
309 | size_t identity_len; | |
d3bddd8b | 310 | const struct eap_hdr *hdr = (const struct eap_hdr *) eap; |
6fc6879b JM |
311 | |
312 | if (len <= sizeof(struct eap_hdr) || | |
d3bddd8b JM |
313 | (hdr->code == EAP_CODE_RESPONSE && |
314 | eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || | |
315 | (hdr->code == EAP_CODE_INITIATE && | |
316 | eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || | |
317 | (hdr->code != EAP_CODE_RESPONSE && | |
318 | hdr->code != EAP_CODE_INITIATE)) | |
6fc6879b JM |
319 | return; |
320 | ||
a6228b8e | 321 | eap_erp_update_identity(sm->eap, eap, len); |
6fc6879b JM |
322 | identity = eap_get_identity(sm->eap, &identity_len); |
323 | if (identity == NULL) | |
324 | return; | |
325 | ||
326 | /* Save station identity for future RADIUS packets */ | |
327 | os_free(sm->identity); | |
5e24dc8a | 328 | sm->identity = (u8 *) dup_binstr(identity, identity_len); |
6fc6879b JM |
329 | if (sm->identity == NULL) { |
330 | sm->identity_len = 0; | |
331 | return; | |
332 | } | |
333 | ||
6fc6879b | 334 | sm->identity_len = identity_len; |
6fc6879b JM |
335 | hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, |
336 | HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); | |
337 | sm->dot1xAuthEapolRespIdFramesRx++; | |
338 | } | |
339 | ||
340 | ||
6c460eaf JM |
341 | static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, |
342 | struct hostapd_radius_attr *req_attr, | |
343 | struct sta_info *sta, | |
344 | struct radius_msg *msg) | |
345 | { | |
346 | u32 suite; | |
347 | int ver, val; | |
348 | ||
349 | ver = wpa_auth_sta_wpa_version(sta->wpa_sm); | |
350 | val = wpa_auth_get_pairwise(sta->wpa_sm); | |
351 | suite = wpa_cipher_to_suite(ver, val); | |
352 | if (val != -1 && | |
353 | !hostapd_config_get_radius_attr(req_attr, | |
354 | RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && | |
355 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, | |
356 | suite)) { | |
357 | wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); | |
358 | return -1; | |
359 | } | |
360 | ||
3dce85ce JM |
361 | suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || |
362 | hapd->conf->osen) ? | |
6c460eaf JM |
363 | WPA_PROTO_RSN : WPA_PROTO_WPA, |
364 | hapd->conf->wpa_group); | |
365 | if (!hostapd_config_get_radius_attr(req_attr, | |
366 | RADIUS_ATTR_WLAN_GROUP_CIPHER) && | |
367 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, | |
368 | suite)) { | |
369 | wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); | |
370 | return -1; | |
371 | } | |
372 | ||
373 | val = wpa_auth_sta_key_mgmt(sta->wpa_sm); | |
374 | suite = wpa_akm_to_suite(val); | |
375 | if (val != -1 && | |
376 | !hostapd_config_get_radius_attr(req_attr, | |
377 | RADIUS_ATTR_WLAN_AKM_SUITE) && | |
378 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, | |
379 | suite)) { | |
380 | wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); | |
381 | return -1; | |
382 | } | |
383 | ||
384 | #ifdef CONFIG_IEEE80211W | |
385 | if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { | |
386 | suite = wpa_cipher_to_suite(WPA_PROTO_RSN, | |
387 | hapd->conf->group_mgmt_cipher); | |
388 | if (!hostapd_config_get_radius_attr( | |
389 | req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && | |
390 | !radius_msg_add_attr_int32( | |
391 | msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { | |
392 | wpa_printf(MSG_ERROR, | |
393 | "Could not add WLAN-Group-Mgmt-Cipher"); | |
394 | return -1; | |
395 | } | |
396 | } | |
397 | #endif /* CONFIG_IEEE80211W */ | |
398 | ||
399 | return 0; | |
400 | } | |
401 | ||
402 | ||
8bea63e0 JM |
403 | static int add_common_radius_sta_attr(struct hostapd_data *hapd, |
404 | struct hostapd_radius_attr *req_attr, | |
405 | struct sta_info *sta, | |
406 | struct radius_msg *msg) | |
6fc6879b | 407 | { |
6fc6879b | 408 | char buf[128]; |
6fc6879b | 409 | |
8c676b50 NL |
410 | if (!hostapd_config_get_radius_attr(req_attr, |
411 | RADIUS_ATTR_SERVICE_TYPE) && | |
412 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, | |
413 | RADIUS_SERVICE_TYPE_FRAMED)) { | |
414 | wpa_printf(MSG_ERROR, "Could not add Service-Type"); | |
415 | return -1; | |
416 | } | |
417 | ||
8bea63e0 JM |
418 | if (!hostapd_config_get_radius_attr(req_attr, |
419 | RADIUS_ATTR_NAS_PORT) && | |
8468189e | 420 | sta->aid > 0 && |
8bea63e0 JM |
421 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { |
422 | wpa_printf(MSG_ERROR, "Could not add NAS-Port"); | |
423 | return -1; | |
424 | } | |
6fc6879b | 425 | |
8bea63e0 JM |
426 | os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, |
427 | MAC2STR(sta->addr)); | |
428 | buf[sizeof(buf) - 1] = '\0'; | |
429 | if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, | |
430 | (u8 *) buf, os_strlen(buf))) { | |
431 | wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); | |
432 | return -1; | |
433 | } | |
6fc6879b | 434 | |
8bea63e0 JM |
435 | if (sta->flags & WLAN_STA_PREAUTH) { |
436 | os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", | |
437 | sizeof(buf)); | |
438 | } else { | |
439 | os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", | |
440 | radius_sta_rate(hapd, sta) / 2, | |
441 | (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", | |
442 | radius_mode_txt(hapd)); | |
443 | buf[sizeof(buf) - 1] = '\0'; | |
444 | } | |
445 | if (!hostapd_config_get_radius_attr(req_attr, | |
446 | RADIUS_ATTR_CONNECT_INFO) && | |
447 | !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, | |
448 | (u8 *) buf, os_strlen(buf))) { | |
449 | wpa_printf(MSG_ERROR, "Could not add Connect-Info"); | |
450 | return -1; | |
6fc6879b JM |
451 | } |
452 | ||
d72a0053 | 453 | if (sta->acct_session_id) { |
1492fbb9 NL |
454 | os_snprintf(buf, sizeof(buf), "%016llX", |
455 | (unsigned long long) sta->acct_session_id); | |
8b248611 JM |
456 | if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, |
457 | (u8 *) buf, os_strlen(buf))) { | |
458 | wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); | |
459 | return -1; | |
460 | } | |
461 | } | |
462 | ||
b71a64aa NL |
463 | if ((hapd->conf->wpa & 2) && |
464 | !hapd->conf->disable_pmksa_caching && | |
465 | sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) { | |
1492fbb9 NL |
466 | os_snprintf(buf, sizeof(buf), "%016llX", |
467 | (unsigned long long) | |
b71a64aa NL |
468 | sta->eapol_sm->acct_multi_session_id); |
469 | if (!radius_msg_add_attr( | |
470 | msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, | |
471 | (u8 *) buf, os_strlen(buf))) { | |
472 | wpa_printf(MSG_INFO, | |
473 | "Could not add Acct-Multi-Session-Id"); | |
474 | return -1; | |
475 | } | |
476 | } | |
477 | ||
4ec1fd8e | 478 | #ifdef CONFIG_IEEE80211R_AP |
69002fb0 JM |
479 | if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && |
480 | sta->wpa_sm && | |
481 | (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || | |
482 | sta->auth_alg == WLAN_AUTH_FT) && | |
483 | !hostapd_config_get_radius_attr(req_attr, | |
484 | RADIUS_ATTR_MOBILITY_DOMAIN_ID) && | |
485 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, | |
486 | WPA_GET_BE16( | |
487 | hapd->conf->mobility_domain))) { | |
488 | wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); | |
489 | return -1; | |
490 | } | |
4ec1fd8e | 491 | #endif /* CONFIG_IEEE80211R_AP */ |
69002fb0 | 492 | |
3dce85ce | 493 | if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && |
6c460eaf JM |
494 | add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) |
495 | return -1; | |
496 | ||
8bea63e0 JM |
497 | return 0; |
498 | } | |
6fc6879b | 499 | |
6fc6879b | 500 | |
8bea63e0 JM |
501 | int add_common_radius_attr(struct hostapd_data *hapd, |
502 | struct hostapd_radius_attr *req_attr, | |
503 | struct sta_info *sta, | |
504 | struct radius_msg *msg) | |
505 | { | |
506 | char buf[128]; | |
507 | struct hostapd_radius_attr *attr; | |
5bd9be4d | 508 | int len; |
8bea63e0 JM |
509 | |
510 | if (!hostapd_config_get_radius_attr(req_attr, | |
af35e7af JM |
511 | RADIUS_ATTR_NAS_IP_ADDRESS) && |
512 | hapd->conf->own_ip_addr.af == AF_INET && | |
6fc6879b JM |
513 | !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, |
514 | (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { | |
8bea63e0 JM |
515 | wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); |
516 | return -1; | |
6fc6879b JM |
517 | } |
518 | ||
519 | #ifdef CONFIG_IPV6 | |
8bea63e0 | 520 | if (!hostapd_config_get_radius_attr(req_attr, |
af35e7af JM |
521 | RADIUS_ATTR_NAS_IPV6_ADDRESS) && |
522 | hapd->conf->own_ip_addr.af == AF_INET6 && | |
6fc6879b JM |
523 | !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, |
524 | (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { | |
8bea63e0 JM |
525 | wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); |
526 | return -1; | |
6fc6879b JM |
527 | } |
528 | #endif /* CONFIG_IPV6 */ | |
529 | ||
8bea63e0 | 530 | if (!hostapd_config_get_radius_attr(req_attr, |
af35e7af JM |
531 | RADIUS_ATTR_NAS_IDENTIFIER) && |
532 | hapd->conf->nas_identifier && | |
6fc6879b JM |
533 | !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, |
534 | (u8 *) hapd->conf->nas_identifier, | |
535 | os_strlen(hapd->conf->nas_identifier))) { | |
8bea63e0 JM |
536 | wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); |
537 | return -1; | |
6fc6879b JM |
538 | } |
539 | ||
5bd9be4d JM |
540 | len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", |
541 | MAC2STR(hapd->own_addr)); | |
542 | os_memcpy(&buf[len], hapd->conf->ssid.ssid, | |
543 | hapd->conf->ssid.ssid_len); | |
544 | len += hapd->conf->ssid.ssid_len; | |
8bea63e0 | 545 | if (!hostapd_config_get_radius_attr(req_attr, |
af35e7af JM |
546 | RADIUS_ATTR_CALLED_STATION_ID) && |
547 | !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, | |
5bd9be4d | 548 | (u8 *) buf, len)) { |
8bea63e0 JM |
549 | wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); |
550 | return -1; | |
6fc6879b JM |
551 | } |
552 | ||
8bea63e0 JM |
553 | if (!hostapd_config_get_radius_attr(req_attr, |
554 | RADIUS_ATTR_NAS_PORT_TYPE) && | |
555 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, | |
556 | RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { | |
557 | wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); | |
558 | return -1; | |
559 | } | |
560 | ||
cdffd721 JM |
561 | #ifdef CONFIG_INTERWORKING |
562 | if (hapd->conf->interworking && | |
563 | !is_zero_ether_addr(hapd->conf->hessid)) { | |
564 | os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, | |
565 | MAC2STR(hapd->conf->hessid)); | |
566 | buf[sizeof(buf) - 1] = '\0'; | |
567 | if (!hostapd_config_get_radius_attr(req_attr, | |
568 | RADIUS_ATTR_WLAN_HESSID) && | |
569 | !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, | |
570 | (u8 *) buf, os_strlen(buf))) { | |
571 | wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); | |
572 | return -1; | |
573 | } | |
574 | } | |
575 | #endif /* CONFIG_INTERWORKING */ | |
576 | ||
8bea63e0 JM |
577 | if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) |
578 | return -1; | |
579 | ||
580 | for (attr = req_attr; attr; attr = attr->next) { | |
581 | if (!radius_msg_add_attr(msg, attr->type, | |
582 | wpabuf_head(attr->val), | |
583 | wpabuf_len(attr->val))) { | |
584 | wpa_printf(MSG_ERROR, "Could not add RADIUS " | |
585 | "attribute"); | |
586 | return -1; | |
587 | } | |
588 | } | |
589 | ||
590 | return 0; | |
591 | } | |
592 | ||
593 | ||
c30bd28b JM |
594 | void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, |
595 | struct sta_info *sta, | |
596 | const u8 *eap, size_t len) | |
8bea63e0 JM |
597 | { |
598 | struct radius_msg *msg; | |
599 | struct eapol_state_machine *sm = sta->eapol_sm; | |
600 | ||
601 | if (sm == NULL) | |
602 | return; | |
603 | ||
604 | ieee802_1x_learn_identity(hapd, sm, eap, len); | |
605 | ||
606 | wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " | |
607 | "packet"); | |
608 | ||
609 | sm->radius_identifier = radius_client_get_id(hapd->radius); | |
610 | msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, | |
611 | sm->radius_identifier); | |
612 | if (msg == NULL) { | |
61323e70 | 613 | wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); |
8bea63e0 JM |
614 | return; |
615 | } | |
616 | ||
2cbc6ffb NL |
617 | if (radius_msg_make_authenticator(msg) < 0) { |
618 | wpa_printf(MSG_INFO, "Could not make Request Authenticator"); | |
619 | goto fail; | |
620 | } | |
8bea63e0 JM |
621 | |
622 | if (sm->identity && | |
623 | !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, | |
624 | sm->identity, sm->identity_len)) { | |
61323e70 | 625 | wpa_printf(MSG_INFO, "Could not add User-Name"); |
6fc6879b JM |
626 | goto fail; |
627 | } | |
628 | ||
8bea63e0 JM |
629 | if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, |
630 | msg) < 0) | |
631 | goto fail; | |
632 | ||
6fc6879b JM |
633 | /* TODO: should probably check MTU from driver config; 2304 is max for |
634 | * IEEE 802.11, but use 1400 to avoid problems with too large packets | |
635 | */ | |
af35e7af JM |
636 | if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, |
637 | RADIUS_ATTR_FRAMED_MTU) && | |
638 | !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { | |
61323e70 | 639 | wpa_printf(MSG_INFO, "Could not add Framed-MTU"); |
6fc6879b JM |
640 | goto fail; |
641 | } | |
642 | ||
c99df201 | 643 | if (!radius_msg_add_eap(msg, eap, len)) { |
61323e70 | 644 | wpa_printf(MSG_INFO, "Could not add EAP-Message"); |
6fc6879b JM |
645 | goto fail; |
646 | } | |
647 | ||
648 | /* State attribute must be copied if and only if this packet is | |
649 | * Access-Request reply to the previous Access-Challenge */ | |
1489e11a JM |
650 | if (sm->last_recv_radius && |
651 | radius_msg_get_hdr(sm->last_recv_radius)->code == | |
6fc6879b JM |
652 | RADIUS_CODE_ACCESS_CHALLENGE) { |
653 | int res = radius_msg_copy_attr(msg, sm->last_recv_radius, | |
654 | RADIUS_ATTR_STATE); | |
655 | if (res < 0) { | |
61323e70 | 656 | wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); |
6fc6879b JM |
657 | goto fail; |
658 | } | |
659 | if (res > 0) { | |
660 | wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); | |
661 | } | |
662 | } | |
663 | ||
86f6053a JM |
664 | if (hapd->conf->radius_request_cui) { |
665 | const u8 *cui; | |
666 | size_t cui_len; | |
667 | /* Add previously learned CUI or nul CUI to request CUI */ | |
668 | if (sm->radius_cui) { | |
669 | cui = wpabuf_head(sm->radius_cui); | |
670 | cui_len = wpabuf_len(sm->radius_cui); | |
671 | } else { | |
672 | cui = (const u8 *) "\0"; | |
673 | cui_len = 1; | |
674 | } | |
675 | if (!radius_msg_add_attr(msg, | |
676 | RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, | |
677 | cui, cui_len)) { | |
678 | wpa_printf(MSG_ERROR, "Could not add CUI"); | |
679 | goto fail; | |
680 | } | |
681 | } | |
682 | ||
76579ec7 JM |
683 | #ifdef CONFIG_HS20 |
684 | if (hapd->conf->hs20) { | |
685 | u8 ver = 1; /* Release 2 */ | |
686 | if (!radius_msg_add_wfa( | |
687 | msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, | |
688 | &ver, 1)) { | |
689 | wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " | |
690 | "version"); | |
691 | goto fail; | |
692 | } | |
7bc9c25d JM |
693 | |
694 | if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { | |
695 | const u8 *pos; | |
696 | u8 buf[3]; | |
697 | u16 id; | |
698 | pos = wpabuf_head_u8(sta->hs20_ie); | |
699 | buf[0] = (*pos) >> 4; | |
700 | if (((*pos) & HS20_PPS_MO_ID_PRESENT) && | |
701 | wpabuf_len(sta->hs20_ie) >= 3) | |
702 | id = WPA_GET_LE16(pos + 1); | |
703 | else | |
704 | id = 0; | |
705 | WPA_PUT_BE16(buf + 1, id); | |
706 | if (!radius_msg_add_wfa( | |
707 | msg, | |
708 | RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, | |
709 | buf, sizeof(buf))) { | |
710 | wpa_printf(MSG_ERROR, "Could not add HS 2.0 " | |
711 | "STA version"); | |
712 | goto fail; | |
713 | } | |
714 | } | |
76579ec7 JM |
715 | } |
716 | #endif /* CONFIG_HS20 */ | |
717 | ||
dbb6ed7e MH |
718 | if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) |
719 | goto fail; | |
720 | ||
6fc6879b JM |
721 | return; |
722 | ||
723 | fail: | |
724 | radius_msg_free(msg); | |
6fc6879b | 725 | } |
f88bd288 | 726 | #endif /* CONFIG_NO_RADIUS */ |
6fc6879b JM |
727 | |
728 | ||
6fc6879b JM |
729 | static void handle_eap_response(struct hostapd_data *hapd, |
730 | struct sta_info *sta, struct eap_hdr *eap, | |
731 | size_t len) | |
732 | { | |
733 | u8 type, *data; | |
734 | struct eapol_state_machine *sm = sta->eapol_sm; | |
735 | if (sm == NULL) | |
736 | return; | |
737 | ||
738 | data = (u8 *) (eap + 1); | |
739 | ||
740 | if (len < sizeof(*eap) + 1) { | |
61323e70 | 741 | wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); |
6fc6879b JM |
742 | return; |
743 | } | |
744 | ||
745 | sm->eap_type_supp = type = data[0]; | |
6fc6879b JM |
746 | |
747 | hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, | |
748 | HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " | |
749 | "id=%d len=%d) from STA: EAP Response-%s (%d)", | |
750 | eap->code, eap->identifier, be_to_host16(eap->length), | |
2773ca09 | 751 | eap_server_get_name(0, type), type); |
6fc6879b JM |
752 | |
753 | sm->dot1xAuthEapolRespFramesRx++; | |
754 | ||
755 | wpabuf_free(sm->eap_if->eapRespData); | |
756 | sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); | |
757 | sm->eapolEap = TRUE; | |
758 | } | |
759 | ||
760 | ||
d3bddd8b JM |
761 | static void handle_eap_initiate(struct hostapd_data *hapd, |
762 | struct sta_info *sta, struct eap_hdr *eap, | |
763 | size_t len) | |
764 | { | |
765 | #ifdef CONFIG_ERP | |
766 | u8 type, *data; | |
767 | struct eapol_state_machine *sm = sta->eapol_sm; | |
768 | ||
769 | if (sm == NULL) | |
770 | return; | |
771 | ||
772 | if (len < sizeof(*eap) + 1) { | |
773 | wpa_printf(MSG_INFO, | |
774 | "handle_eap_initiate: too short response data"); | |
775 | return; | |
776 | } | |
777 | ||
778 | data = (u8 *) (eap + 1); | |
779 | type = data[0]; | |
780 | ||
781 | hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, | |
782 | HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " | |
783 | "id=%d len=%d) from STA: EAP Initiate type %u", | |
784 | eap->code, eap->identifier, be_to_host16(eap->length), | |
785 | type); | |
786 | ||
787 | wpabuf_free(sm->eap_if->eapRespData); | |
788 | sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); | |
789 | sm->eapolEap = TRUE; | |
790 | #endif /* CONFIG_ERP */ | |
791 | } | |
792 | ||
793 | ||
6fc6879b JM |
794 | /* Process incoming EAP packet from Supplicant */ |
795 | static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, | |
796 | u8 *buf, size_t len) | |
797 | { | |
798 | struct eap_hdr *eap; | |
799 | u16 eap_len; | |
800 | ||
801 | if (len < sizeof(*eap)) { | |
61323e70 | 802 | wpa_printf(MSG_INFO, " too short EAP packet"); |
6fc6879b JM |
803 | return; |
804 | } | |
805 | ||
806 | eap = (struct eap_hdr *) buf; | |
807 | ||
808 | eap_len = be_to_host16(eap->length); | |
809 | wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", | |
810 | eap->code, eap->identifier, eap_len); | |
811 | if (eap_len < sizeof(*eap)) { | |
812 | wpa_printf(MSG_DEBUG, " Invalid EAP length"); | |
813 | return; | |
814 | } else if (eap_len > len) { | |
815 | wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " | |
816 | "packet"); | |
817 | return; | |
818 | } else if (eap_len < len) { | |
819 | wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " | |
820 | "packet", (unsigned long) len - eap_len); | |
821 | } | |
822 | ||
823 | switch (eap->code) { | |
824 | case EAP_CODE_REQUEST: | |
825 | wpa_printf(MSG_DEBUG, " (request)"); | |
826 | return; | |
827 | case EAP_CODE_RESPONSE: | |
828 | wpa_printf(MSG_DEBUG, " (response)"); | |
829 | handle_eap_response(hapd, sta, eap, eap_len); | |
830 | break; | |
831 | case EAP_CODE_SUCCESS: | |
832 | wpa_printf(MSG_DEBUG, " (success)"); | |
833 | return; | |
834 | case EAP_CODE_FAILURE: | |
835 | wpa_printf(MSG_DEBUG, " (failure)"); | |
836 | return; | |
d3bddd8b JM |
837 | case EAP_CODE_INITIATE: |
838 | wpa_printf(MSG_DEBUG, " (initiate)"); | |
839 | handle_eap_initiate(hapd, sta, eap, eap_len); | |
840 | break; | |
841 | case EAP_CODE_FINISH: | |
842 | wpa_printf(MSG_DEBUG, " (finish)"); | |
843 | break; | |
6fc6879b JM |
844 | default: |
845 | wpa_printf(MSG_DEBUG, " (unknown code)"); | |
846 | return; | |
847 | } | |
848 | } | |
849 | ||
850 | ||
c30bd28b | 851 | struct eapol_state_machine * |
c02d52b4 JM |
852 | ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) |
853 | { | |
854 | int flags = 0; | |
855 | if (sta->flags & WLAN_STA_PREAUTH) | |
856 | flags |= EAPOL_SM_PREAUTH; | |
857 | if (sta->wpa_sm) { | |
439d4bf9 | 858 | flags |= EAPOL_SM_USES_WPA; |
c02d52b4 JM |
859 | if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) |
860 | flags |= EAPOL_SM_FROM_PMKSA_CACHE; | |
861 | } | |
d79b7792 | 862 | return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, |
1a819aa7 MB |
863 | sta->wps_ie, sta->p2p_ie, sta, |
864 | sta->identity, sta->radius_cui); | |
c02d52b4 JM |
865 | } |
866 | ||
867 | ||
f2accfe7 EP |
868 | static void ieee802_1x_save_eapol(struct sta_info *sta, const u8 *buf, |
869 | size_t len) | |
870 | { | |
871 | if (sta->pending_eapol_rx) { | |
872 | wpabuf_free(sta->pending_eapol_rx->buf); | |
873 | } else { | |
874 | sta->pending_eapol_rx = | |
875 | os_malloc(sizeof(*sta->pending_eapol_rx)); | |
876 | if (!sta->pending_eapol_rx) | |
877 | return; | |
878 | } | |
879 | ||
880 | sta->pending_eapol_rx->buf = wpabuf_alloc_copy(buf, len); | |
881 | if (!sta->pending_eapol_rx->buf) { | |
882 | os_free(sta->pending_eapol_rx); | |
883 | sta->pending_eapol_rx = NULL; | |
884 | return; | |
885 | } | |
886 | ||
887 | os_get_reltime(&sta->pending_eapol_rx->rx_time); | |
888 | } | |
889 | ||
890 | ||
1c6e69cc JM |
891 | /** |
892 | * ieee802_1x_receive - Process the EAPOL frames from the Supplicant | |
893 | * @hapd: hostapd BSS data | |
894 | * @sa: Source address (sender of the EAPOL frame) | |
895 | * @buf: EAPOL frame | |
896 | * @len: Length of buf in octets | |
897 | * | |
898 | * This function is called for each incoming EAPOL frame from the interface | |
899 | */ | |
6fc6879b JM |
900 | void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, |
901 | size_t len) | |
902 | { | |
903 | struct sta_info *sta; | |
904 | struct ieee802_1x_hdr *hdr; | |
905 | struct ieee802_1x_eapol_key *key; | |
906 | u16 datalen; | |
907 | struct rsn_pmksa_cache_entry *pmksa; | |
df13a1cd | 908 | int key_mgmt; |
6fc6879b | 909 | |
a14896e8 | 910 | if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && |
ad08c363 | 911 | !hapd->conf->wps_state) |
6fc6879b JM |
912 | return; |
913 | ||
914 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, | |
915 | (unsigned long) len, MAC2STR(sa)); | |
916 | sta = ap_get_sta(hapd, sa); | |
bf689a40 JM |
917 | if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && |
918 | !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { | |
940a0ce9 | 919 | wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " |
c9265931 | 920 | "associated/Pre-authenticating STA"); |
f2accfe7 EP |
921 | |
922 | if (sta && (sta->flags & WLAN_STA_AUTH)) { | |
923 | wpa_printf(MSG_DEBUG, "Saving EAPOL frame from " MACSTR | |
924 | " for later use", MAC2STR(sta->addr)); | |
925 | ieee802_1x_save_eapol(sta, buf, len); | |
926 | } | |
927 | ||
6fc6879b JM |
928 | return; |
929 | } | |
930 | ||
931 | if (len < sizeof(*hdr)) { | |
61323e70 | 932 | wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); |
6fc6879b JM |
933 | return; |
934 | } | |
935 | ||
936 | hdr = (struct ieee802_1x_hdr *) buf; | |
937 | datalen = be_to_host16(hdr->length); | |
938 | wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", | |
939 | hdr->version, hdr->type, datalen); | |
940 | ||
941 | if (len - sizeof(*hdr) < datalen) { | |
61323e70 | 942 | wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); |
6fc6879b JM |
943 | if (sta->eapol_sm) |
944 | sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; | |
945 | return; | |
946 | } | |
947 | if (len - sizeof(*hdr) > datalen) { | |
948 | wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " | |
949 | "IEEE 802.1X packet", | |
950 | (unsigned long) len - sizeof(*hdr) - datalen); | |
951 | } | |
952 | ||
953 | if (sta->eapol_sm) { | |
954 | sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; | |
955 | sta->eapol_sm->dot1xAuthEapolFramesRx++; | |
956 | } | |
957 | ||
958 | key = (struct ieee802_1x_eapol_key *) (hdr + 1); | |
959 | if (datalen >= sizeof(struct ieee802_1x_eapol_key) && | |
960 | hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && | |
961 | (key->type == EAPOL_KEY_TYPE_WPA || | |
962 | key->type == EAPOL_KEY_TYPE_RSN)) { | |
963 | wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, | |
964 | sizeof(*hdr) + datalen); | |
965 | return; | |
966 | } | |
967 | ||
a14896e8 | 968 | if (!hapd->conf->ieee802_1x && !hapd->conf->osen && |
df13a1cd JM |
969 | !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { |
970 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " | |
971 | "802.1X not enabled and WPS not used"); | |
6fc6879b | 972 | return; |
df13a1cd JM |
973 | } |
974 | ||
975 | key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); | |
976 | if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { | |
977 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " | |
978 | "STA is using PSK"); | |
979 | return; | |
980 | } | |
6fc6879b JM |
981 | |
982 | if (!sta->eapol_sm) { | |
c02d52b4 | 983 | sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); |
6fc6879b JM |
984 | if (!sta->eapol_sm) |
985 | return; | |
ad08c363 JM |
986 | |
987 | #ifdef CONFIG_WPS | |
a14896e8 | 988 | if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { |
17f6b900 JM |
989 | u32 wflags = sta->flags & (WLAN_STA_WPS | |
990 | WLAN_STA_WPS2 | | |
991 | WLAN_STA_MAYBE_WPS); | |
992 | if (wflags == WLAN_STA_MAYBE_WPS || | |
993 | wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { | |
994 | /* | |
995 | * Delay EAPOL frame transmission until a | |
996 | * possible WPS STA initiates the handshake | |
997 | * with EAPOL-Start. Only allow the wait to be | |
998 | * skipped if the STA is known to support WPS | |
999 | * 2.0. | |
1000 | */ | |
1001 | wpa_printf(MSG_DEBUG, "WPS: Do not start " | |
1002 | "EAPOL until EAPOL-Start is " | |
1003 | "received"); | |
1004 | sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; | |
1005 | } | |
ad08c363 JM |
1006 | } |
1007 | #endif /* CONFIG_WPS */ | |
a60e7213 JM |
1008 | |
1009 | sta->eapol_sm->eap_if->portEnabled = TRUE; | |
6fc6879b JM |
1010 | } |
1011 | ||
1012 | /* since we support version 1, we can ignore version field and proceed | |
1013 | * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ | |
1014 | /* TODO: actually, we are not version 1 anymore.. However, Version 2 | |
1015 | * does not change frame contents, so should be ok to process frames | |
1016 | * more or less identically. Some changes might be needed for | |
1017 | * verification of fields. */ | |
1018 | ||
1019 | switch (hdr->type) { | |
1020 | case IEEE802_1X_TYPE_EAP_PACKET: | |
1021 | handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); | |
1022 | break; | |
1023 | ||
1024 | case IEEE802_1X_TYPE_EAPOL_START: | |
1025 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1026 | HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " | |
1027 | "from STA"); | |
1028 | sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; | |
1029 | pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); | |
1030 | if (pmksa) { | |
1031 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, | |
1032 | HOSTAPD_LEVEL_DEBUG, "cached PMKSA " | |
1033 | "available - ignore it since " | |
1034 | "STA sent EAPOL-Start"); | |
1035 | wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); | |
1036 | } | |
1037 | sta->eapol_sm->eapolStart = TRUE; | |
1038 | sta->eapol_sm->dot1xAuthEapolStartFramesRx++; | |
6fc58a89 | 1039 | eap_server_clear_identity(sta->eapol_sm->eap); |
6fc6879b JM |
1040 | wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); |
1041 | break; | |
1042 | ||
1043 | case IEEE802_1X_TYPE_EAPOL_LOGOFF: | |
1044 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1045 | HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " | |
1046 | "from STA"); | |
1047 | sta->acct_terminate_cause = | |
1048 | RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; | |
b1fa8bf1 | 1049 | accounting_sta_stop(hapd, sta); |
6fc6879b JM |
1050 | sta->eapol_sm->eapolLogoff = TRUE; |
1051 | sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; | |
6fc58a89 | 1052 | eap_server_clear_identity(sta->eapol_sm->eap); |
6fc6879b JM |
1053 | break; |
1054 | ||
1055 | case IEEE802_1X_TYPE_EAPOL_KEY: | |
1056 | wpa_printf(MSG_DEBUG, " EAPOL-Key"); | |
6905dcb1 | 1057 | if (!ap_sta_is_authorized(sta)) { |
6fc6879b JM |
1058 | wpa_printf(MSG_DEBUG, " Dropped key data from " |
1059 | "unauthorized Supplicant"); | |
1060 | break; | |
1061 | } | |
1062 | break; | |
1063 | ||
1064 | case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: | |
1065 | wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); | |
1066 | /* TODO: implement support for this; show data */ | |
1067 | break; | |
1068 | ||
1069 | default: | |
1070 | wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); | |
1071 | sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; | |
1072 | break; | |
1073 | } | |
1074 | ||
1075 | eapol_auth_step(sta->eapol_sm); | |
1076 | } | |
1077 | ||
1078 | ||
1c6e69cc JM |
1079 | /** |
1080 | * ieee802_1x_new_station - Start IEEE 802.1X authentication | |
1081 | * @hapd: hostapd BSS data | |
1082 | * @sta: The station | |
1083 | * | |
1084 | * This function is called to start IEEE 802.1X authentication when a new | |
1085 | * station completes IEEE 802.11 association. | |
1086 | */ | |
6fc6879b JM |
1087 | void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) |
1088 | { | |
1089 | struct rsn_pmksa_cache_entry *pmksa; | |
1090 | int reassoc = 1; | |
1091 | int force_1x = 0; | |
df13a1cd | 1092 | int key_mgmt; |
6fc6879b | 1093 | |
ad08c363 | 1094 | #ifdef CONFIG_WPS |
80d5a3db JM |
1095 | if (hapd->conf->wps_state && |
1096 | ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || | |
1097 | (sta->flags & WLAN_STA_WPS))) { | |
ad08c363 JM |
1098 | /* |
1099 | * Need to enable IEEE 802.1X/EAPOL state machines for possible | |
1100 | * WPS handshake even if IEEE 802.1X/EAPOL is not used for | |
1101 | * authentication in this BSS. | |
1102 | */ | |
1103 | force_1x = 1; | |
1104 | } | |
1105 | #endif /* CONFIG_WPS */ | |
1106 | ||
a14896e8 | 1107 | if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { |
df13a1cd JM |
1108 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " |
1109 | "802.1X not enabled or forced for WPS"); | |
31b4961f JM |
1110 | /* |
1111 | * Clear any possible EAPOL authenticator state to support | |
1112 | * reassociation change from WPS to PSK. | |
1113 | */ | |
d7c3347f | 1114 | ieee802_1x_free_station(hapd, sta); |
6fc6879b | 1115 | return; |
df13a1cd JM |
1116 | } |
1117 | ||
1118 | key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); | |
1119 | if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { | |
1120 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); | |
31b4961f JM |
1121 | /* |
1122 | * Clear any possible EAPOL authenticator state to support | |
1123 | * reassociation change from WPA-EAP to PSK. | |
1124 | */ | |
d7c3347f | 1125 | ieee802_1x_free_station(hapd, sta); |
df13a1cd JM |
1126 | return; |
1127 | } | |
6fc6879b JM |
1128 | |
1129 | if (sta->eapol_sm == NULL) { | |
1130 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1131 | HOSTAPD_LEVEL_DEBUG, "start authentication"); | |
c02d52b4 | 1132 | sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); |
6fc6879b JM |
1133 | if (sta->eapol_sm == NULL) { |
1134 | hostapd_logger(hapd, sta->addr, | |
1135 | HOSTAPD_MODULE_IEEE8021X, | |
1136 | HOSTAPD_LEVEL_INFO, | |
1137 | "failed to allocate state machine"); | |
1138 | return; | |
1139 | } | |
1140 | reassoc = 0; | |
1141 | } | |
1142 | ||
ad08c363 | 1143 | #ifdef CONFIG_WPS |
a8d05fca | 1144 | sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; |
a14896e8 JM |
1145 | if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && |
1146 | !(sta->flags & WLAN_STA_WPS2)) { | |
ad08c363 | 1147 | /* |
17f6b900 JM |
1148 | * Delay EAPOL frame transmission until a possible WPS STA |
1149 | * initiates the handshake with EAPOL-Start. Only allow the | |
1150 | * wait to be skipped if the STA is known to support WPS 2.0. | |
ad08c363 | 1151 | */ |
17f6b900 JM |
1152 | wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " |
1153 | "EAPOL-Start is received"); | |
ad08c363 JM |
1154 | sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; |
1155 | } | |
1156 | #endif /* CONFIG_WPS */ | |
1157 | ||
6fc6879b JM |
1158 | sta->eapol_sm->eap_if->portEnabled = TRUE; |
1159 | ||
4ec1fd8e | 1160 | #ifdef CONFIG_IEEE80211R_AP |
55bce124 JM |
1161 | if (sta->auth_alg == WLAN_AUTH_FT) { |
1162 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1163 | HOSTAPD_LEVEL_DEBUG, | |
1164 | "PMK from FT - skip IEEE 802.1X/EAP"); | |
1165 | /* Setup EAPOL state machines to already authenticated state | |
1166 | * because of existing FT information from R0KH. */ | |
1167 | sta->eapol_sm->keyRun = TRUE; | |
1168 | sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; | |
1169 | sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; | |
1170 | sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; | |
1171 | sta->eapol_sm->authSuccess = TRUE; | |
c7bce24d | 1172 | sta->eapol_sm->authFail = FALSE; |
f68d491b | 1173 | sta->eapol_sm->portValid = TRUE; |
55bce124 JM |
1174 | if (sta->eapol_sm->eap) |
1175 | eap_sm_notify_cached(sta->eapol_sm->eap); | |
1176 | /* TODO: get vlan_id from R0KH using RRB message */ | |
1177 | return; | |
1178 | } | |
4ec1fd8e | 1179 | #endif /* CONFIG_IEEE80211R_AP */ |
55bce124 | 1180 | |
ff338fab JM |
1181 | #ifdef CONFIG_FILS |
1182 | if (sta->auth_alg == WLAN_AUTH_FILS_SK || | |
1183 | sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || | |
1184 | sta->auth_alg == WLAN_AUTH_FILS_PK) { | |
1185 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1186 | HOSTAPD_LEVEL_DEBUG, | |
1187 | "PMK from FILS - skip IEEE 802.1X/EAP"); | |
1188 | /* Setup EAPOL state machines to already authenticated state | |
1189 | * because of existing FILS information. */ | |
1190 | sta->eapol_sm->keyRun = TRUE; | |
1191 | sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; | |
1192 | sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; | |
1193 | sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; | |
1194 | sta->eapol_sm->authSuccess = TRUE; | |
1195 | sta->eapol_sm->authFail = FALSE; | |
1196 | sta->eapol_sm->portValid = TRUE; | |
1197 | if (sta->eapol_sm->eap) | |
1198 | eap_sm_notify_cached(sta->eapol_sm->eap); | |
1199 | return; | |
1200 | } | |
1201 | #endif /* CONFIG_FILS */ | |
1202 | ||
6fc6879b JM |
1203 | pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); |
1204 | if (pmksa) { | |
6fc6879b JM |
1205 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, |
1206 | HOSTAPD_LEVEL_DEBUG, | |
1207 | "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); | |
1208 | /* Setup EAPOL state machines to already authenticated state | |
1209 | * because of existing PMKSA information in the cache. */ | |
1210 | sta->eapol_sm->keyRun = TRUE; | |
1211 | sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; | |
1212 | sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; | |
1213 | sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; | |
1214 | sta->eapol_sm->authSuccess = TRUE; | |
c7bce24d | 1215 | sta->eapol_sm->authFail = FALSE; |
6fc6879b JM |
1216 | if (sta->eapol_sm->eap) |
1217 | eap_sm_notify_cached(sta->eapol_sm->eap); | |
1889af2e | 1218 | pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm); |
c8e6beab | 1219 | ap_sta_bind_vlan(hapd, sta); |
6fc6879b JM |
1220 | } else { |
1221 | if (reassoc) { | |
1222 | /* | |
1223 | * Force EAPOL state machines to start | |
1224 | * re-authentication without having to wait for the | |
1225 | * Supplicant to send EAPOL-Start. | |
1226 | */ | |
1227 | sta->eapol_sm->reAuthenticate = TRUE; | |
1228 | } | |
1229 | eapol_auth_step(sta->eapol_sm); | |
1230 | } | |
1231 | } | |
1232 | ||
1233 | ||
d7c3347f | 1234 | void ieee802_1x_free_station(struct hostapd_data *hapd, struct sta_info *sta) |
6fc6879b JM |
1235 | { |
1236 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1237 | ||
d7c3347f JM |
1238 | #ifdef CONFIG_HS20 |
1239 | eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); | |
1240 | #endif /* CONFIG_HS20 */ | |
1241 | ||
f2accfe7 EP |
1242 | if (sta->pending_eapol_rx) { |
1243 | wpabuf_free(sta->pending_eapol_rx->buf); | |
1244 | os_free(sta->pending_eapol_rx); | |
1245 | sta->pending_eapol_rx = NULL; | |
1246 | } | |
1247 | ||
6fc6879b JM |
1248 | if (sm == NULL) |
1249 | return; | |
1250 | ||
1251 | sta->eapol_sm = NULL; | |
1252 | ||
f88bd288 | 1253 | #ifndef CONFIG_NO_RADIUS |
9e7245bd | 1254 | radius_msg_free(sm->last_recv_radius); |
010dc068 | 1255 | radius_free_class(&sm->radius_class); |
f88bd288 | 1256 | #endif /* CONFIG_NO_RADIUS */ |
6fc6879b | 1257 | |
6fc6879b JM |
1258 | eapol_auth_free(sm); |
1259 | } | |
1260 | ||
1261 | ||
f88bd288 | 1262 | #ifndef CONFIG_NO_RADIUS |
6fc6879b JM |
1263 | static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, |
1264 | struct sta_info *sta) | |
1265 | { | |
e100828b JM |
1266 | struct wpabuf *eap; |
1267 | const struct eap_hdr *hdr; | |
6fc6879b JM |
1268 | int eap_type = -1; |
1269 | char buf[64]; | |
1270 | struct radius_msg *msg; | |
1271 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1272 | ||
1273 | if (sm == NULL || sm->last_recv_radius == NULL) { | |
1274 | if (sm) | |
1275 | sm->eap_if->aaaEapNoReq = TRUE; | |
1276 | return; | |
1277 | } | |
1278 | ||
1279 | msg = sm->last_recv_radius; | |
1280 | ||
e100828b | 1281 | eap = radius_msg_get_eap(msg); |
6fc6879b JM |
1282 | if (eap == NULL) { |
1283 | /* RFC 3579, Chap. 2.6.3: | |
1284 | * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message | |
1285 | * attribute */ | |
1286 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1287 | HOSTAPD_LEVEL_WARNING, "could not extract " | |
1288 | "EAP-Message from RADIUS message"); | |
1289 | sm->eap_if->aaaEapNoReq = TRUE; | |
1290 | return; | |
1291 | } | |
1292 | ||
e100828b | 1293 | if (wpabuf_len(eap) < sizeof(*hdr)) { |
6fc6879b JM |
1294 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, |
1295 | HOSTAPD_LEVEL_WARNING, "too short EAP packet " | |
1296 | "received from authentication server"); | |
e100828b | 1297 | wpabuf_free(eap); |
6fc6879b JM |
1298 | sm->eap_if->aaaEapNoReq = TRUE; |
1299 | return; | |
1300 | } | |
1301 | ||
e100828b JM |
1302 | if (wpabuf_len(eap) > sizeof(*hdr)) |
1303 | eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; | |
6fc6879b | 1304 | |
e100828b | 1305 | hdr = wpabuf_head(eap); |
6fc6879b JM |
1306 | switch (hdr->code) { |
1307 | case EAP_CODE_REQUEST: | |
1308 | if (eap_type >= 0) | |
1309 | sm->eap_type_authsrv = eap_type; | |
1310 | os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", | |
414f23d8 | 1311 | eap_server_get_name(0, eap_type), eap_type); |
6fc6879b JM |
1312 | break; |
1313 | case EAP_CODE_RESPONSE: | |
1314 | os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", | |
414f23d8 | 1315 | eap_server_get_name(0, eap_type), eap_type); |
6fc6879b JM |
1316 | break; |
1317 | case EAP_CODE_SUCCESS: | |
1318 | os_strlcpy(buf, "EAP Success", sizeof(buf)); | |
1319 | break; | |
1320 | case EAP_CODE_FAILURE: | |
1321 | os_strlcpy(buf, "EAP Failure", sizeof(buf)); | |
1322 | break; | |
1323 | default: | |
1324 | os_strlcpy(buf, "unknown EAP code", sizeof(buf)); | |
1325 | break; | |
1326 | } | |
1327 | buf[sizeof(buf) - 1] = '\0'; | |
1328 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1329 | HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " | |
1330 | "id=%d len=%d) from RADIUS server: %s", | |
1331 | hdr->code, hdr->identifier, be_to_host16(hdr->length), | |
1332 | buf); | |
1333 | sm->eap_if->aaaEapReq = TRUE; | |
1334 | ||
1335 | wpabuf_free(sm->eap_if->aaaEapReqData); | |
e100828b | 1336 | sm->eap_if->aaaEapReqData = eap; |
6fc6879b JM |
1337 | } |
1338 | ||
1339 | ||
1340 | static void ieee802_1x_get_keys(struct hostapd_data *hapd, | |
1341 | struct sta_info *sta, struct radius_msg *msg, | |
1342 | struct radius_msg *req, | |
7d02e641 JM |
1343 | const u8 *shared_secret, |
1344 | size_t shared_secret_len) | |
6fc6879b JM |
1345 | { |
1346 | struct radius_ms_mppe_keys *keys; | |
1347 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1348 | if (sm == NULL) | |
1349 | return; | |
1350 | ||
1351 | keys = radius_msg_get_ms_keys(msg, req, shared_secret, | |
1352 | shared_secret_len); | |
1353 | ||
1354 | if (keys && keys->send && keys->recv) { | |
1355 | size_t len = keys->send_len + keys->recv_len; | |
1356 | wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", | |
1357 | keys->send, keys->send_len); | |
1358 | wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", | |
1359 | keys->recv, keys->recv_len); | |
1360 | ||
1361 | os_free(sm->eap_if->aaaEapKeyData); | |
1362 | sm->eap_if->aaaEapKeyData = os_malloc(len); | |
1363 | if (sm->eap_if->aaaEapKeyData) { | |
1364 | os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, | |
1365 | keys->recv_len); | |
1366 | os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, | |
1367 | keys->send, keys->send_len); | |
1368 | sm->eap_if->aaaEapKeyDataLen = len; | |
1369 | sm->eap_if->aaaEapKeyAvailable = TRUE; | |
1370 | } | |
400de9b1 BG |
1371 | } else { |
1372 | wpa_printf(MSG_DEBUG, | |
1373 | "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", | |
1374 | keys, keys ? keys->send : NULL, | |
1375 | keys ? keys->recv : NULL); | |
6fc6879b JM |
1376 | } |
1377 | ||
1378 | if (keys) { | |
1379 | os_free(keys->send); | |
1380 | os_free(keys->recv); | |
1381 | os_free(keys); | |
1382 | } | |
1383 | } | |
1384 | ||
1385 | ||
1386 | static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, | |
1387 | struct sta_info *sta, | |
1388 | struct radius_msg *msg) | |
1389 | { | |
a6da824b | 1390 | u8 *attr_class; |
6fc6879b JM |
1391 | size_t class_len; |
1392 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1393 | int count, i; | |
1394 | struct radius_attr_data *nclass; | |
1395 | size_t nclass_count; | |
1396 | ||
1397 | if (!hapd->conf->radius->acct_server || hapd->radius == NULL || | |
1398 | sm == NULL) | |
1399 | return; | |
1400 | ||
010dc068 | 1401 | radius_free_class(&sm->radius_class); |
6fc6879b JM |
1402 | count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); |
1403 | if (count <= 0) | |
1404 | return; | |
1405 | ||
f9884c09 | 1406 | nclass = os_calloc(count, sizeof(struct radius_attr_data)); |
6fc6879b JM |
1407 | if (nclass == NULL) |
1408 | return; | |
1409 | ||
1410 | nclass_count = 0; | |
1411 | ||
a6da824b | 1412 | attr_class = NULL; |
6fc6879b JM |
1413 | for (i = 0; i < count; i++) { |
1414 | do { | |
1415 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, | |
a6da824b JM |
1416 | &attr_class, &class_len, |
1417 | attr_class) < 0) { | |
6fc6879b JM |
1418 | i = count; |
1419 | break; | |
1420 | } | |
1421 | } while (class_len < 1); | |
1422 | ||
a1f11e34 | 1423 | nclass[nclass_count].data = os_memdup(attr_class, class_len); |
6fc6879b JM |
1424 | if (nclass[nclass_count].data == NULL) |
1425 | break; | |
1426 | ||
6fc6879b JM |
1427 | nclass[nclass_count].len = class_len; |
1428 | nclass_count++; | |
1429 | } | |
1430 | ||
1431 | sm->radius_class.attr = nclass; | |
1432 | sm->radius_class.count = nclass_count; | |
1433 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " | |
1434 | "attributes for " MACSTR, | |
1435 | (unsigned long) sm->radius_class.count, | |
1436 | MAC2STR(sta->addr)); | |
1437 | } | |
1438 | ||
1439 | ||
1440 | /* Update sta->identity based on User-Name attribute in Access-Accept */ | |
1441 | static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, | |
1442 | struct sta_info *sta, | |
1443 | struct radius_msg *msg) | |
1444 | { | |
1445 | u8 *buf, *identity; | |
1446 | size_t len; | |
1447 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1448 | ||
1449 | if (sm == NULL) | |
1450 | return; | |
1451 | ||
1452 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, | |
1453 | NULL) < 0) | |
1454 | return; | |
1455 | ||
5e24dc8a | 1456 | identity = (u8 *) dup_binstr(buf, len); |
6fc6879b JM |
1457 | if (identity == NULL) |
1458 | return; | |
1459 | ||
6fc6879b JM |
1460 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, |
1461 | HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " | |
1462 | "User-Name from Access-Accept '%s'", | |
1463 | sm->identity ? (char *) sm->identity : "N/A", | |
1464 | (char *) identity); | |
1465 | ||
1466 | os_free(sm->identity); | |
1467 | sm->identity = identity; | |
1468 | sm->identity_len = len; | |
1469 | } | |
1470 | ||
1471 | ||
4e132a61 JM |
1472 | /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ |
1473 | static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, | |
1474 | struct sta_info *sta, | |
1475 | struct radius_msg *msg) | |
1476 | { | |
1477 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1478 | struct wpabuf *cui; | |
1479 | u8 *buf; | |
1480 | size_t len; | |
1481 | ||
1482 | if (sm == NULL) | |
1483 | return; | |
1484 | ||
1485 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, | |
1486 | &buf, &len, NULL) < 0) | |
1487 | return; | |
1488 | ||
1489 | cui = wpabuf_alloc_copy(buf, len); | |
1490 | if (cui == NULL) | |
1491 | return; | |
1492 | ||
1493 | wpabuf_free(sm->radius_cui); | |
1494 | sm->radius_cui = cui; | |
1495 | } | |
1496 | ||
1497 | ||
6ca0853d JM |
1498 | #ifdef CONFIG_HS20 |
1499 | ||
1500 | static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) | |
1501 | { | |
1502 | sta->remediation = 1; | |
1503 | os_free(sta->remediation_url); | |
1504 | if (len > 2) { | |
1505 | sta->remediation_url = os_malloc(len); | |
1506 | if (!sta->remediation_url) | |
1507 | return; | |
1508 | sta->remediation_method = pos[0]; | |
1509 | os_memcpy(sta->remediation_url, pos + 1, len - 1); | |
1510 | sta->remediation_url[len - 1] = '\0'; | |
1511 | wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " | |
1512 | "for " MACSTR " - server method %u URL %s", | |
1513 | MAC2STR(sta->addr), sta->remediation_method, | |
1514 | sta->remediation_url); | |
1515 | } else { | |
1516 | sta->remediation_url = NULL; | |
1517 | wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " | |
1518 | "for " MACSTR, MAC2STR(sta->addr)); | |
1519 | } | |
1520 | /* TODO: assign the STA into remediation VLAN or add filtering */ | |
1521 | } | |
1522 | ||
8e1146d9 JM |
1523 | |
1524 | static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, | |
1525 | struct sta_info *sta, u8 *pos, | |
1526 | size_t len) | |
1527 | { | |
1528 | if (len < 3) | |
1529 | return; /* Malformed information */ | |
1530 | sta->hs20_deauth_requested = 1; | |
1531 | wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " | |
1532 | "Re-auth Delay %u", | |
1533 | *pos, WPA_GET_LE16(pos + 1)); | |
1534 | wpabuf_free(sta->hs20_deauth_req); | |
1535 | sta->hs20_deauth_req = wpabuf_alloc(len + 1); | |
1536 | if (sta->hs20_deauth_req) { | |
1537 | wpabuf_put_data(sta->hs20_deauth_req, pos, 3); | |
1538 | wpabuf_put_u8(sta->hs20_deauth_req, len - 3); | |
1539 | wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); | |
1540 | } | |
1541 | ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); | |
1542 | } | |
1543 | ||
97596f8e JM |
1544 | |
1545 | static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, | |
1546 | struct sta_info *sta, u8 *pos, | |
1547 | size_t len, int session_timeout) | |
1548 | { | |
1549 | unsigned int swt; | |
1550 | int warning_time, beacon_int; | |
1551 | ||
1552 | if (len < 1) | |
1553 | return; /* Malformed information */ | |
1554 | os_free(sta->hs20_session_info_url); | |
1555 | sta->hs20_session_info_url = os_malloc(len); | |
1556 | if (sta->hs20_session_info_url == NULL) | |
1557 | return; | |
1558 | swt = pos[0]; | |
1559 | os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); | |
1560 | sta->hs20_session_info_url[len - 1] = '\0'; | |
1561 | wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " | |
1562 | "(session_timeout=%d)", | |
1563 | sta->hs20_session_info_url, swt, session_timeout); | |
1564 | if (session_timeout < 0) { | |
1565 | wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); | |
1566 | return; | |
1567 | } | |
1568 | if (swt == 255) | |
1569 | swt = 1; /* Use one minute as the AP selected value */ | |
1570 | ||
1571 | if ((unsigned int) session_timeout < swt * 60) | |
1572 | warning_time = 0; | |
1573 | else | |
1574 | warning_time = session_timeout - swt * 60; | |
1575 | ||
1576 | beacon_int = hapd->iconf->beacon_int; | |
1577 | if (beacon_int < 1) | |
1578 | beacon_int = 100; /* best guess */ | |
1579 | sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; | |
1580 | if (sta->hs20_disassoc_timer > 65535) | |
1581 | sta->hs20_disassoc_timer = 65535; | |
1582 | ||
1583 | ap_sta_session_warning_timeout(hapd, sta, warning_time); | |
1584 | } | |
1585 | ||
6ca0853d JM |
1586 | #endif /* CONFIG_HS20 */ |
1587 | ||
1588 | ||
1589 | static void ieee802_1x_check_hs20(struct hostapd_data *hapd, | |
1590 | struct sta_info *sta, | |
97596f8e JM |
1591 | struct radius_msg *msg, |
1592 | int session_timeout) | |
6ca0853d JM |
1593 | { |
1594 | #ifdef CONFIG_HS20 | |
1595 | u8 *buf, *pos, *end, type, sublen; | |
1596 | size_t len; | |
1597 | ||
1598 | buf = NULL; | |
1599 | sta->remediation = 0; | |
8e1146d9 JM |
1600 | sta->hs20_deauth_requested = 0; |
1601 | ||
6ca0853d JM |
1602 | for (;;) { |
1603 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, | |
1604 | &buf, &len, buf) < 0) | |
1605 | break; | |
1606 | if (len < 6) | |
1607 | continue; | |
1608 | pos = buf; | |
1609 | end = buf + len; | |
1610 | if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) | |
1611 | continue; | |
1612 | pos += 4; | |
1613 | ||
1614 | type = *pos++; | |
1615 | sublen = *pos++; | |
1616 | if (sublen < 2) | |
1617 | continue; /* invalid length */ | |
1618 | sublen -= 2; /* skip header */ | |
1619 | if (pos + sublen > end) | |
1620 | continue; /* invalid WFA VSA */ | |
1621 | ||
1622 | switch (type) { | |
1623 | case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: | |
1624 | ieee802_1x_hs20_sub_rem(sta, pos, sublen); | |
1625 | break; | |
8e1146d9 JM |
1626 | case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: |
1627 | ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); | |
1628 | break; | |
97596f8e JM |
1629 | case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: |
1630 | ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, | |
1631 | session_timeout); | |
1632 | break; | |
6ca0853d JM |
1633 | } |
1634 | } | |
1635 | #endif /* CONFIG_HS20 */ | |
1636 | } | |
1637 | ||
1638 | ||
6fc6879b JM |
1639 | struct sta_id_search { |
1640 | u8 identifier; | |
1641 | struct eapol_state_machine *sm; | |
1642 | }; | |
1643 | ||
1644 | ||
1645 | static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, | |
1646 | struct sta_info *sta, | |
1647 | void *ctx) | |
1648 | { | |
1649 | struct sta_id_search *id_search = ctx; | |
1650 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1651 | ||
1652 | if (sm && sm->radius_identifier >= 0 && | |
1653 | sm->radius_identifier == id_search->identifier) { | |
1654 | id_search->sm = sm; | |
1655 | return 1; | |
1656 | } | |
1657 | return 0; | |
1658 | } | |
1659 | ||
1660 | ||
1661 | static struct eapol_state_machine * | |
1662 | ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) | |
1663 | { | |
1664 | struct sta_id_search id_search; | |
1665 | id_search.identifier = identifier; | |
1666 | id_search.sm = NULL; | |
1667 | ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); | |
1668 | return id_search.sm; | |
1669 | } | |
1670 | ||
1671 | ||
1c6e69cc JM |
1672 | /** |
1673 | * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server | |
1674 | * @msg: RADIUS response message | |
1675 | * @req: RADIUS request message | |
1676 | * @shared_secret: RADIUS shared secret | |
1677 | * @shared_secret_len: Length of shared_secret in octets | |
1678 | * @data: Context data (struct hostapd_data *) | |
1679 | * Returns: Processing status | |
1680 | */ | |
6fc6879b JM |
1681 | static RadiusRxResult |
1682 | ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, | |
7d02e641 | 1683 | const u8 *shared_secret, size_t shared_secret_len, |
6fc6879b JM |
1684 | void *data) |
1685 | { | |
1686 | struct hostapd_data *hapd = data; | |
1687 | struct sta_info *sta; | |
1688 | u32 session_timeout = 0, termination_action, acct_interim_interval; | |
1889af2e | 1689 | int session_timeout_set; |
6fc6879b JM |
1690 | struct eapol_state_machine *sm; |
1691 | int override_eapReq = 0; | |
1489e11a | 1692 | struct radius_hdr *hdr = radius_msg_get_hdr(msg); |
1889af2e | 1693 | struct vlan_description vlan_desc; |
8e44c192 MB |
1694 | #ifndef CONFIG_NO_VLAN |
1695 | int *untagged, *tagged, *notempty; | |
1696 | #endif /* CONFIG_NO_VLAN */ | |
1889af2e MB |
1697 | |
1698 | os_memset(&vlan_desc, 0, sizeof(vlan_desc)); | |
6fc6879b | 1699 | |
1489e11a | 1700 | sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); |
6fc6879b JM |
1701 | if (sm == NULL) { |
1702 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " | |
1703 | "station for this RADIUS message"); | |
1704 | return RADIUS_RX_UNKNOWN; | |
1705 | } | |
1706 | sta = sm->sta; | |
1707 | ||
1708 | /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be | |
1709 | * present when packet contains an EAP-Message attribute */ | |
1489e11a | 1710 | if (hdr->code == RADIUS_CODE_ACCESS_REJECT && |
6fc6879b JM |
1711 | radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, |
1712 | 0) < 0 && | |
1713 | radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { | |
1714 | wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " | |
1715 | "Message-Authenticator since it does not include " | |
1716 | "EAP-Message"); | |
1717 | } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, | |
1718 | req, 1)) { | |
61323e70 | 1719 | wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); |
6fc6879b JM |
1720 | return RADIUS_RX_INVALID_AUTHENTICATOR; |
1721 | } | |
1722 | ||
1489e11a JM |
1723 | if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && |
1724 | hdr->code != RADIUS_CODE_ACCESS_REJECT && | |
1725 | hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { | |
61323e70 | 1726 | wpa_printf(MSG_INFO, "Unknown RADIUS message code"); |
6fc6879b JM |
1727 | return RADIUS_RX_UNKNOWN; |
1728 | } | |
1729 | ||
1730 | sm->radius_identifier = -1; | |
1731 | wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, | |
1732 | MAC2STR(sta->addr)); | |
1733 | ||
9e7245bd | 1734 | radius_msg_free(sm->last_recv_radius); |
6fc6879b JM |
1735 | sm->last_recv_radius = msg; |
1736 | ||
1737 | session_timeout_set = | |
1738 | !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, | |
1739 | &session_timeout); | |
1740 | if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, | |
1741 | &termination_action)) | |
1742 | termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; | |
1743 | ||
5843e1c9 | 1744 | if (hapd->conf->acct_interim_interval == 0 && |
1489e11a | 1745 | hdr->code == RADIUS_CODE_ACCESS_ACCEPT && |
6fc6879b JM |
1746 | radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, |
1747 | &acct_interim_interval) == 0) { | |
1748 | if (acct_interim_interval < 60) { | |
1749 | hostapd_logger(hapd, sta->addr, | |
1750 | HOSTAPD_MODULE_IEEE8021X, | |
1751 | HOSTAPD_LEVEL_INFO, | |
1752 | "ignored too small " | |
1753 | "Acct-Interim-Interval %d", | |
1754 | acct_interim_interval); | |
1755 | } else | |
1756 | sta->acct_interim_interval = acct_interim_interval; | |
1757 | } | |
1758 | ||
1759 | ||
1489e11a | 1760 | switch (hdr->code) { |
6fc6879b | 1761 | case RADIUS_CODE_ACCESS_ACCEPT: |
30b32314 | 1762 | #ifndef CONFIG_NO_VLAN |
1889af2e | 1763 | if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) { |
8e44c192 MB |
1764 | notempty = &vlan_desc.notempty; |
1765 | untagged = &vlan_desc.untagged; | |
1766 | tagged = vlan_desc.tagged; | |
1767 | *notempty = !!radius_msg_get_vlanid(msg, untagged, | |
1768 | MAX_NUM_TAGGED_VLAN, | |
1769 | tagged); | |
1889af2e MB |
1770 | } |
1771 | ||
1772 | if (vlan_desc.notempty && | |
1773 | !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { | |
a5e81ba9 | 1774 | sta->eapol_sm->authFail = TRUE; |
6fc6879b JM |
1775 | hostapd_logger(hapd, sta->addr, |
1776 | HOSTAPD_MODULE_RADIUS, | |
1777 | HOSTAPD_LEVEL_INFO, | |
8e44c192 MB |
1778 | "Invalid VLAN %d%s received from RADIUS server", |
1779 | vlan_desc.untagged, | |
1780 | vlan_desc.tagged[0] ? "+" : ""); | |
1889af2e MB |
1781 | os_memset(&vlan_desc, 0, sizeof(vlan_desc)); |
1782 | ap_sta_set_vlan(hapd, sta, &vlan_desc); | |
a5e81ba9 | 1783 | break; |
1889af2e MB |
1784 | } |
1785 | ||
1786 | if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && | |
1787 | !vlan_desc.notempty) { | |
6fc6879b JM |
1788 | sta->eapol_sm->authFail = TRUE; |
1789 | hostapd_logger(hapd, sta->addr, | |
1790 | HOSTAPD_MODULE_IEEE8021X, | |
1791 | HOSTAPD_LEVEL_INFO, "authentication " | |
1792 | "server did not include required VLAN " | |
1793 | "ID in Access-Accept"); | |
1794 | break; | |
1795 | } | |
30b32314 | 1796 | #endif /* CONFIG_NO_VLAN */ |
6fc6879b | 1797 | |
1889af2e MB |
1798 | if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0) |
1799 | break; | |
1800 | ||
1801 | #ifndef CONFIG_NO_VLAN | |
1802 | if (sta->vlan_id > 0) { | |
1803 | hostapd_logger(hapd, sta->addr, | |
1804 | HOSTAPD_MODULE_RADIUS, | |
1805 | HOSTAPD_LEVEL_INFO, | |
1806 | "VLAN ID %d", sta->vlan_id); | |
1807 | } | |
1808 | #endif /* CONFIG_NO_VLAN */ | |
1809 | ||
a5e81ba9 | 1810 | if ((sta->flags & WLAN_STA_ASSOC) && |
c8e6beab | 1811 | ap_sta_bind_vlan(hapd, sta) < 0) |
4254100d | 1812 | break; |
6fc6879b | 1813 | |
47ea24c1 JM |
1814 | sta->session_timeout_set = !!session_timeout_set; |
1815 | sta->session_timeout = session_timeout; | |
1816 | ||
6fc6879b JM |
1817 | /* RFC 3580, Ch. 3.17 */ |
1818 | if (session_timeout_set && termination_action == | |
1819 | RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { | |
1820 | sm->reAuthPeriod = session_timeout; | |
1821 | } else if (session_timeout_set) | |
1822 | ap_sta_session_timeout(hapd, sta, session_timeout); | |
1823 | ||
1824 | sm->eap_if->aaaSuccess = TRUE; | |
1825 | override_eapReq = 1; | |
1826 | ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, | |
1827 | shared_secret_len); | |
1828 | ieee802_1x_store_radius_class(hapd, sta, msg); | |
1829 | ieee802_1x_update_sta_identity(hapd, sta, msg); | |
4e132a61 | 1830 | ieee802_1x_update_sta_cui(hapd, sta, msg); |
97596f8e JM |
1831 | ieee802_1x_check_hs20(hapd, sta, msg, |
1832 | session_timeout_set ? | |
1833 | (int) session_timeout : -1); | |
6fc6879b JM |
1834 | break; |
1835 | case RADIUS_CODE_ACCESS_REJECT: | |
1836 | sm->eap_if->aaaFail = TRUE; | |
1837 | override_eapReq = 1; | |
1838 | break; | |
1839 | case RADIUS_CODE_ACCESS_CHALLENGE: | |
1840 | sm->eap_if->aaaEapReq = TRUE; | |
1841 | if (session_timeout_set) { | |
1842 | /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ | |
8e09c6d2 JM |
1843 | sm->eap_if->aaaMethodTimeout = session_timeout; |
1844 | hostapd_logger(hapd, sm->addr, | |
1845 | HOSTAPD_MODULE_IEEE8021X, | |
1846 | HOSTAPD_LEVEL_DEBUG, | |
1847 | "using EAP timeout of %d seconds (from " | |
1848 | "RADIUS)", | |
1849 | sm->eap_if->aaaMethodTimeout); | |
1850 | } else { | |
1851 | /* | |
1852 | * Use dynamic retransmission behavior per EAP | |
1853 | * specification. | |
1854 | */ | |
1855 | sm->eap_if->aaaMethodTimeout = 0; | |
1856 | } | |
6fc6879b JM |
1857 | break; |
1858 | } | |
1859 | ||
1860 | ieee802_1x_decapsulate_radius(hapd, sta); | |
1861 | if (override_eapReq) | |
1862 | sm->eap_if->aaaEapReq = FALSE; | |
1863 | ||
c4fd6d8a JM |
1864 | #ifdef CONFIG_FILS |
1865 | #ifdef NEED_AP_MLME | |
1866 | if (sta->flags & WLAN_STA_PENDING_FILS_ERP) { | |
1867 | /* TODO: Add a PMKSA entry on success? */ | |
1868 | ieee802_11_finish_fils_auth( | |
1869 | hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT, | |
1870 | sm->eap_if->aaaEapReqData, | |
1871 | sm->eap_if->aaaEapKeyData, | |
1872 | sm->eap_if->aaaEapKeyDataLen); | |
1873 | } | |
1874 | #endif /* NEED_AP_MLME */ | |
1875 | #endif /* CONFIG_FILS */ | |
1876 | ||
6fc6879b JM |
1877 | eapol_auth_step(sm); |
1878 | ||
1879 | return RADIUS_RX_QUEUED; | |
1880 | } | |
f88bd288 | 1881 | #endif /* CONFIG_NO_RADIUS */ |
6fc6879b JM |
1882 | |
1883 | ||
1884 | void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) | |
1885 | { | |
1886 | struct eapol_state_machine *sm = sta->eapol_sm; | |
1887 | if (sm == NULL) | |
1888 | return; | |
1889 | ||
1890 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
1891 | HOSTAPD_LEVEL_DEBUG, "aborting authentication"); | |
1892 | ||
f88bd288 | 1893 | #ifndef CONFIG_NO_RADIUS |
9e7245bd JM |
1894 | radius_msg_free(sm->last_recv_radius); |
1895 | sm->last_recv_radius = NULL; | |
f88bd288 | 1896 | #endif /* CONFIG_NO_RADIUS */ |
805e6dc6 JM |
1897 | |
1898 | if (sm->eap_if->eapTimeout) { | |
1899 | /* | |
1900 | * Disconnect the STA since it did not reply to the last EAP | |
1901 | * request and we cannot continue EAP processing (EAP-Failure | |
1902 | * could only be sent if the EAP peer actually replied). | |
1903 | */ | |
afcc9ea1 BG |
1904 | wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, |
1905 | MAC2STR(sta->addr)); | |
1906 | ||
805e6dc6 | 1907 | sm->eap_if->portEnabled = FALSE; |
45cefa0b JM |
1908 | ap_sta_disconnect(hapd, sta, sta->addr, |
1909 | WLAN_REASON_PREV_AUTH_NOT_VALID); | |
805e6dc6 | 1910 | } |
6fc6879b JM |
1911 | } |
1912 | ||
1913 | ||
6fc6879b JM |
1914 | static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) |
1915 | { | |
f55802e8 JM |
1916 | struct eapol_authenticator *eapol = hapd->eapol_auth; |
1917 | ||
6fc6879b JM |
1918 | if (hapd->conf->default_wep_key_len < 1) |
1919 | return 0; | |
1920 | ||
f55802e8 JM |
1921 | os_free(eapol->default_wep_key); |
1922 | eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); | |
1923 | if (eapol->default_wep_key == NULL || | |
3642c431 JM |
1924 | random_get_bytes(eapol->default_wep_key, |
1925 | hapd->conf->default_wep_key_len)) { | |
61323e70 | 1926 | wpa_printf(MSG_INFO, "Could not generate random WEP key"); |
f55802e8 JM |
1927 | os_free(eapol->default_wep_key); |
1928 | eapol->default_wep_key = NULL; | |
6fc6879b JM |
1929 | return -1; |
1930 | } | |
1931 | ||
1932 | wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", | |
f55802e8 | 1933 | eapol->default_wep_key, |
6fc6879b JM |
1934 | hapd->conf->default_wep_key_len); |
1935 | ||
1936 | return 0; | |
1937 | } | |
1938 | ||
1939 | ||
1940 | static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, | |
1941 | struct sta_info *sta, void *ctx) | |
1942 | { | |
1943 | if (sta->eapol_sm) { | |
1944 | sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; | |
1945 | eapol_auth_step(sta->eapol_sm); | |
1946 | } | |
1947 | return 0; | |
1948 | } | |
1949 | ||
1950 | ||
1951 | static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) | |
1952 | { | |
1953 | struct hostapd_data *hapd = eloop_ctx; | |
f55802e8 | 1954 | struct eapol_authenticator *eapol = hapd->eapol_auth; |
6fc6879b | 1955 | |
f55802e8 JM |
1956 | if (eapol->default_wep_key_idx >= 3) |
1957 | eapol->default_wep_key_idx = | |
6fc6879b JM |
1958 | hapd->conf->individual_wep_key_len > 0 ? 1 : 0; |
1959 | else | |
f55802e8 | 1960 | eapol->default_wep_key_idx++; |
6fc6879b JM |
1961 | |
1962 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", | |
f55802e8 | 1963 | eapol->default_wep_key_idx); |
95de34a1 | 1964 | |
6fc6879b JM |
1965 | if (ieee802_1x_rekey_broadcast(hapd)) { |
1966 | hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, | |
1967 | HOSTAPD_LEVEL_WARNING, "failed to generate a " | |
1968 | "new broadcast key"); | |
f55802e8 JM |
1969 | os_free(eapol->default_wep_key); |
1970 | eapol->default_wep_key = NULL; | |
6fc6879b JM |
1971 | return; |
1972 | } | |
1973 | ||
1974 | /* TODO: Could setup key for RX here, but change default TX keyid only | |
1975 | * after new broadcast key has been sent to all stations. */ | |
0382097e JM |
1976 | if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, |
1977 | broadcast_ether_addr, | |
3acdf771 JM |
1978 | eapol->default_wep_key_idx, 1, NULL, 0, |
1979 | eapol->default_wep_key, | |
1980 | hapd->conf->default_wep_key_len)) { | |
6fc6879b JM |
1981 | hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, |
1982 | HOSTAPD_LEVEL_WARNING, "failed to configure a " | |
1983 | "new broadcast key"); | |
f55802e8 JM |
1984 | os_free(eapol->default_wep_key); |
1985 | eapol->default_wep_key = NULL; | |
6fc6879b JM |
1986 | return; |
1987 | } | |
1988 | ||
1989 | ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); | |
1990 | ||
1991 | if (hapd->conf->wep_rekeying_period > 0) { | |
1992 | eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, | |
1993 | ieee802_1x_rekey, hapd, NULL); | |
1994 | } | |
1995 | } | |
1996 | ||
1997 | ||
1998 | static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, | |
1999 | const u8 *data, size_t datalen) | |
2000 | { | |
4e22adb4 JM |
2001 | #ifdef CONFIG_WPS |
2002 | struct sta_info *sta = sta_ctx; | |
2003 | ||
2004 | if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == | |
2005 | WLAN_STA_MAYBE_WPS) { | |
2006 | const u8 *identity; | |
2007 | size_t identity_len; | |
2008 | struct eapol_state_machine *sm = sta->eapol_sm; | |
2009 | ||
2010 | identity = eap_get_identity(sm->eap, &identity_len); | |
2011 | if (identity && | |
2012 | ((identity_len == WSC_ID_ENROLLEE_LEN && | |
2013 | os_memcmp(identity, WSC_ID_ENROLLEE, | |
2014 | WSC_ID_ENROLLEE_LEN) == 0) || | |
2015 | (identity_len == WSC_ID_REGISTRAR_LEN && | |
2016 | os_memcmp(identity, WSC_ID_REGISTRAR, | |
2017 | WSC_ID_REGISTRAR_LEN) == 0))) { | |
2018 | wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " | |
2019 | "WLAN_STA_WPS"); | |
2020 | sta->flags |= WLAN_STA_WPS; | |
2021 | } | |
2022 | } | |
2023 | #endif /* CONFIG_WPS */ | |
2024 | ||
6fc6879b JM |
2025 | ieee802_1x_send(ctx, sta_ctx, type, data, datalen); |
2026 | } | |
2027 | ||
2028 | ||
2029 | static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, | |
2030 | const u8 *data, size_t datalen) | |
2031 | { | |
f88bd288 | 2032 | #ifndef CONFIG_NO_RADIUS |
6fc6879b JM |
2033 | struct hostapd_data *hapd = ctx; |
2034 | struct sta_info *sta = sta_ctx; | |
2035 | ||
2036 | ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); | |
f88bd288 | 2037 | #endif /* CONFIG_NO_RADIUS */ |
6fc6879b JM |
2038 | } |
2039 | ||
2040 | ||
2041 | static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, | |
8d2a9921 | 2042 | int preauth, int remediation) |
6fc6879b JM |
2043 | { |
2044 | struct hostapd_data *hapd = ctx; | |
2045 | struct sta_info *sta = sta_ctx; | |
2046 | if (preauth) | |
2047 | rsn_preauth_finished(hapd, sta, success); | |
2048 | else | |
8d2a9921 | 2049 | ieee802_1x_finished(hapd, sta, success, remediation); |
6fc6879b JM |
2050 | } |
2051 | ||
2052 | ||
2053 | static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, | |
2054 | size_t identity_len, int phase2, | |
2055 | struct eap_user *user) | |
2056 | { | |
2057 | struct hostapd_data *hapd = ctx; | |
2058 | const struct hostapd_eap_user *eap_user; | |
e9447a94 | 2059 | int i; |
fc48d33b | 2060 | int rv = -1; |
6fc6879b | 2061 | |
ee431d77 | 2062 | eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); |
6fc6879b | 2063 | if (eap_user == NULL) |
fc48d33b | 2064 | goto out; |
6fc6879b JM |
2065 | |
2066 | os_memset(user, 0, sizeof(*user)); | |
2067 | user->phase2 = phase2; | |
e9447a94 | 2068 | for (i = 0; i < EAP_MAX_METHODS; i++) { |
6fc6879b JM |
2069 | user->methods[i].vendor = eap_user->methods[i].vendor; |
2070 | user->methods[i].method = eap_user->methods[i].method; | |
2071 | } | |
2072 | ||
2073 | if (eap_user->password) { | |
a1f11e34 JB |
2074 | user->password = os_memdup(eap_user->password, |
2075 | eap_user->password_len); | |
6fc6879b | 2076 | if (user->password == NULL) |
fc48d33b | 2077 | goto out; |
6fc6879b | 2078 | user->password_len = eap_user->password_len; |
5dd80dd6 | 2079 | user->password_hash = eap_user->password_hash; |
6fc6879b JM |
2080 | } |
2081 | user->force_version = eap_user->force_version; | |
8943cc99 | 2082 | user->macacl = eap_user->macacl; |
6fc6879b | 2083 | user->ttls_auth = eap_user->ttls_auth; |
8d2a9921 | 2084 | user->remediation = eap_user->remediation; |
fc48d33b | 2085 | rv = 0; |
6fc6879b | 2086 | |
fc48d33b BG |
2087 | out: |
2088 | if (rv) | |
2089 | wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); | |
2090 | ||
2091 | return rv; | |
6fc6879b JM |
2092 | } |
2093 | ||
2094 | ||
2095 | static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) | |
2096 | { | |
2097 | struct hostapd_data *hapd = ctx; | |
2098 | struct sta_info *sta; | |
2099 | sta = ap_get_sta(hapd, addr); | |
2100 | if (sta == NULL || sta->eapol_sm == NULL) | |
2101 | return 0; | |
2102 | return 1; | |
2103 | } | |
2104 | ||
2105 | ||
2106 | static void ieee802_1x_logger(void *ctx, const u8 *addr, | |
2107 | eapol_logger_level level, const char *txt) | |
2108 | { | |
71f04b3c | 2109 | #ifndef CONFIG_NO_HOSTAPD_LOGGER |
6fc6879b JM |
2110 | struct hostapd_data *hapd = ctx; |
2111 | int hlevel; | |
2112 | ||
2113 | switch (level) { | |
2114 | case EAPOL_LOGGER_WARNING: | |
2115 | hlevel = HOSTAPD_LEVEL_WARNING; | |
2116 | break; | |
2117 | case EAPOL_LOGGER_INFO: | |
2118 | hlevel = HOSTAPD_LEVEL_INFO; | |
2119 | break; | |
2120 | case EAPOL_LOGGER_DEBUG: | |
2121 | default: | |
2122 | hlevel = HOSTAPD_LEVEL_DEBUG; | |
2123 | break; | |
2124 | } | |
2125 | ||
2126 | hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", | |
2127 | txt); | |
71f04b3c | 2128 | #endif /* CONFIG_NO_HOSTAPD_LOGGER */ |
6fc6879b JM |
2129 | } |
2130 | ||
2131 | ||
2132 | static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, | |
2133 | int authorized) | |
2134 | { | |
2135 | struct hostapd_data *hapd = ctx; | |
2136 | struct sta_info *sta = sta_ctx; | |
2137 | ieee802_1x_set_sta_authorized(hapd, sta, authorized); | |
2138 | } | |
2139 | ||
2140 | ||
2141 | static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) | |
2142 | { | |
2143 | struct hostapd_data *hapd = ctx; | |
2144 | struct sta_info *sta = sta_ctx; | |
2145 | ieee802_1x_abort_auth(hapd, sta); | |
2146 | } | |
2147 | ||
2148 | ||
2149 | static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) | |
2150 | { | |
e03e56c3 | 2151 | #ifndef CONFIG_FIPS |
7cb53ded | 2152 | #ifndef CONFIG_NO_RC4 |
6fc6879b JM |
2153 | struct hostapd_data *hapd = ctx; |
2154 | struct sta_info *sta = sta_ctx; | |
2155 | ieee802_1x_tx_key(hapd, sta); | |
7cb53ded | 2156 | #endif /* CONFIG_NO_RC4 */ |
e03e56c3 | 2157 | #endif /* CONFIG_FIPS */ |
6fc6879b JM |
2158 | } |
2159 | ||
2160 | ||
38294200 JM |
2161 | static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, |
2162 | enum eapol_event type) | |
2163 | { | |
2164 | /* struct hostapd_data *hapd = ctx; */ | |
2165 | struct sta_info *sta = sta_ctx; | |
2166 | switch (type) { | |
2167 | case EAPOL_AUTH_SM_CHANGE: | |
2168 | wpa_auth_sm_notify(sta->wpa_sm); | |
2169 | break; | |
2170 | case EAPOL_AUTH_REAUTHENTICATE: | |
2171 | wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); | |
2172 | break; | |
2173 | } | |
2174 | } | |
2175 | ||
2176 | ||
d3bddd8b JM |
2177 | #ifdef CONFIG_ERP |
2178 | ||
2179 | static struct eap_server_erp_key * | |
2180 | ieee802_1x_erp_get_key(void *ctx, const char *keyname) | |
2181 | { | |
2182 | struct hostapd_data *hapd = ctx; | |
2183 | struct eap_server_erp_key *erp; | |
2184 | ||
2185 | dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, | |
2186 | list) { | |
2187 | if (os_strcmp(erp->keyname_nai, keyname) == 0) | |
2188 | return erp; | |
2189 | } | |
2190 | ||
2191 | return NULL; | |
2192 | } | |
2193 | ||
2194 | ||
2195 | static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) | |
2196 | { | |
2197 | struct hostapd_data *hapd = ctx; | |
2198 | ||
2199 | dl_list_add(&hapd->erp_keys, &erp->list); | |
2200 | return 0; | |
2201 | } | |
2202 | ||
2203 | #endif /* CONFIG_ERP */ | |
2204 | ||
2205 | ||
6fc6879b JM |
2206 | int ieee802_1x_init(struct hostapd_data *hapd) |
2207 | { | |
2208 | int i; | |
2209 | struct eapol_auth_config conf; | |
2210 | struct eapol_auth_cb cb; | |
2211 | ||
d3bddd8b JM |
2212 | dl_list_init(&hapd->erp_keys); |
2213 | ||
6fc6879b | 2214 | os_memset(&conf, 0, sizeof(conf)); |
a2befd37 | 2215 | conf.ctx = hapd; |
6fc6879b JM |
2216 | conf.eap_reauth_period = hapd->conf->eap_reauth_period; |
2217 | conf.wpa = hapd->conf->wpa; | |
2218 | conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; | |
2219 | conf.eap_server = hapd->conf->eap_server; | |
2220 | conf.ssl_ctx = hapd->ssl_ctx; | |
bb437f28 | 2221 | conf.msg_ctx = hapd->msg_ctx; |
6fc6879b JM |
2222 | conf.eap_sim_db_priv = hapd->eap_sim_db_priv; |
2223 | conf.eap_req_id_text = hapd->conf->eap_req_id_text; | |
2224 | conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; | |
2a5156a6 JM |
2225 | conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; |
2226 | conf.erp_domain = hapd->conf->erp_domain; | |
d3bddd8b | 2227 | conf.erp = hapd->conf->eap_server_erp; |
681e199d | 2228 | conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; |
6fc6879b JM |
2229 | conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; |
2230 | conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; | |
2d867244 JM |
2231 | conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; |
2232 | conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; | |
378eae5e | 2233 | conf.eap_fast_prov = hapd->conf->eap_fast_prov; |
a11c90a6 JM |
2234 | conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; |
2235 | conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; | |
6fc6879b | 2236 | conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; |
c3e258ae | 2237 | conf.tnc = hapd->conf->tnc; |
ad08c363 | 2238 | conf.wps = hapd->wps; |
7f6ec672 | 2239 | conf.fragment_size = hapd->conf->fragment_size; |
df684d82 | 2240 | conf.pwd_group = hapd->conf->pwd_group; |
fa516558 | 2241 | conf.pbc_in_m1 = hapd->conf->pbc_in_m1; |
67fe933d JM |
2242 | if (hapd->conf->server_id) { |
2243 | conf.server_id = (const u8 *) hapd->conf->server_id; | |
2244 | conf.server_id_len = os_strlen(hapd->conf->server_id); | |
2245 | } else { | |
2246 | conf.server_id = (const u8 *) "hostapd"; | |
2247 | conf.server_id_len = 7; | |
2248 | } | |
6fc6879b JM |
2249 | |
2250 | os_memset(&cb, 0, sizeof(cb)); | |
2251 | cb.eapol_send = ieee802_1x_eapol_send; | |
2252 | cb.aaa_send = ieee802_1x_aaa_send; | |
2253 | cb.finished = _ieee802_1x_finished; | |
2254 | cb.get_eap_user = ieee802_1x_get_eap_user; | |
2255 | cb.sta_entry_alive = ieee802_1x_sta_entry_alive; | |
2256 | cb.logger = ieee802_1x_logger; | |
2257 | cb.set_port_authorized = ieee802_1x_set_port_authorized; | |
2258 | cb.abort_auth = _ieee802_1x_abort_auth; | |
2259 | cb.tx_key = _ieee802_1x_tx_key; | |
38294200 | 2260 | cb.eapol_event = ieee802_1x_eapol_event; |
d3bddd8b JM |
2261 | #ifdef CONFIG_ERP |
2262 | cb.erp_get_key = ieee802_1x_erp_get_key; | |
2263 | cb.erp_add_key = ieee802_1x_erp_add_key; | |
2264 | #endif /* CONFIG_ERP */ | |
6fc6879b JM |
2265 | |
2266 | hapd->eapol_auth = eapol_auth_init(&conf, &cb); | |
2267 | if (hapd->eapol_auth == NULL) | |
2268 | return -1; | |
2269 | ||
2270 | if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && | |
0e8a96a9 | 2271 | hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) |
6fc6879b JM |
2272 | return -1; |
2273 | ||
f88bd288 | 2274 | #ifndef CONFIG_NO_RADIUS |
6fc6879b JM |
2275 | if (radius_client_register(hapd->radius, RADIUS_AUTH, |
2276 | ieee802_1x_receive_auth, hapd)) | |
2277 | return -1; | |
f88bd288 | 2278 | #endif /* CONFIG_NO_RADIUS */ |
6fc6879b JM |
2279 | |
2280 | if (hapd->conf->default_wep_key_len) { | |
6fc6879b | 2281 | for (i = 0; i < 4; i++) |
3acdf771 JM |
2282 | hostapd_drv_set_key(hapd->conf->iface, hapd, |
2283 | WPA_ALG_NONE, NULL, i, 0, NULL, 0, | |
2284 | NULL, 0); | |
6fc6879b JM |
2285 | |
2286 | ieee802_1x_rekey(hapd, NULL); | |
2287 | ||
f55802e8 | 2288 | if (hapd->eapol_auth->default_wep_key == NULL) |
6fc6879b JM |
2289 | return -1; |
2290 | } | |
2291 | ||
2292 | return 0; | |
2293 | } | |
2294 | ||
2295 | ||
2c6411ed | 2296 | void ieee802_1x_erp_flush(struct hostapd_data *hapd) |
6fc6879b | 2297 | { |
d3bddd8b JM |
2298 | struct eap_server_erp_key *erp; |
2299 | ||
2c6411ed JM |
2300 | while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, |
2301 | list)) != NULL) { | |
2302 | dl_list_del(&erp->list); | |
2303 | bin_clear_free(erp, sizeof(*erp)); | |
2304 | } | |
2305 | } | |
2306 | ||
2307 | ||
2308 | void ieee802_1x_deinit(struct hostapd_data *hapd) | |
2309 | { | |
6fc6879b JM |
2310 | eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); |
2311 | ||
1b822f52 | 2312 | if (hapd->driver && hapd->drv_priv && |
6fc6879b | 2313 | (hapd->conf->ieee802_1x || hapd->conf->wpa)) |
0e8a96a9 | 2314 | hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); |
6fc6879b JM |
2315 | |
2316 | eapol_auth_deinit(hapd->eapol_auth); | |
2317 | hapd->eapol_auth = NULL; | |
d3bddd8b | 2318 | |
2c6411ed | 2319 | ieee802_1x_erp_flush(hapd); |
6fc6879b JM |
2320 | } |
2321 | ||
2322 | ||
6fc6879b | 2323 | int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, |
8607f4c3 | 2324 | const u8 *buf, size_t len, int ack) |
6fc6879b JM |
2325 | { |
2326 | struct ieee80211_hdr *hdr; | |
6fc6879b JM |
2327 | u8 *pos; |
2328 | const unsigned char rfc1042_hdr[ETH_ALEN] = | |
2329 | { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; | |
2330 | ||
2331 | if (sta == NULL) | |
2332 | return -1; | |
dd840f79 | 2333 | if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) |
6fc6879b JM |
2334 | return 0; |
2335 | ||
2336 | hdr = (struct ieee80211_hdr *) buf; | |
2337 | pos = (u8 *) (hdr + 1); | |
2338 | if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) | |
2339 | return 0; | |
2340 | pos += sizeof(rfc1042_hdr); | |
2341 | if (WPA_GET_BE16(pos) != ETH_P_PAE) | |
2342 | return 0; | |
2343 | pos += 2; | |
2344 | ||
dd840f79 JB |
2345 | return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, |
2346 | ack); | |
2347 | } | |
2348 | ||
2349 | ||
2350 | int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, | |
2351 | const u8 *buf, int len, int ack) | |
2352 | { | |
2353 | const struct ieee802_1x_hdr *xhdr = | |
2354 | (const struct ieee802_1x_hdr *) buf; | |
2355 | const u8 *pos = buf + sizeof(*xhdr); | |
2356 | struct ieee802_1x_eapol_key *key; | |
6fc6879b | 2357 | |
dd840f79 JB |
2358 | if (len < (int) sizeof(*xhdr)) |
2359 | return 0; | |
6fc6879b JM |
2360 | wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " |
2361 | "type=%d length=%d - ack=%d", | |
2362 | MAC2STR(sta->addr), xhdr->version, xhdr->type, | |
2363 | be_to_host16(xhdr->length), ack); | |
2364 | ||
0f5eb69f JM |
2365 | #ifdef CONFIG_WPS |
2366 | if (xhdr->type == IEEE802_1X_TYPE_EAP_PACKET && ack && | |
2367 | (sta->flags & WLAN_STA_WPS) && | |
2368 | ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd, sta)) { | |
2369 | wpa_printf(MSG_DEBUG, | |
2370 | "WPS: Indicate EAP completion on ACK for EAP-Failure"); | |
2371 | hostapd_wps_eap_completed(hapd); | |
2372 | } | |
2373 | #endif /* CONFIG_WPS */ | |
2374 | ||
dd840f79 JB |
2375 | if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) |
2376 | return 0; | |
2377 | ||
2378 | if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { | |
e4bf4db9 JM |
2379 | const struct wpa_eapol_key *wpa; |
2380 | wpa = (const struct wpa_eapol_key *) pos; | |
2381 | if (wpa->type == EAPOL_KEY_TYPE_RSN || | |
2382 | wpa->type == EAPOL_KEY_TYPE_WPA) | |
2383 | wpa_auth_eapol_key_tx_status(hapd->wpa_auth, | |
2384 | sta->wpa_sm, ack); | |
2385 | } | |
2386 | ||
6fc6879b JM |
2387 | /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant |
2388 | * or Authenticator state machines, but EAPOL-Key packets are not | |
f935bd4d | 2389 | * retransmitted in case of failure. Try to re-send failed EAPOL-Key |
6fc6879b JM |
2390 | * packets couple of times because otherwise STA keys become |
2391 | * unsynchronized with AP. */ | |
dd840f79 | 2392 | if (!ack && pos + sizeof(*key) <= buf + len) { |
6fc6879b JM |
2393 | key = (struct ieee802_1x_eapol_key *) pos; |
2394 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, | |
2395 | HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " | |
2396 | "frame (%scast index=%d)", | |
2397 | key->key_index & BIT(7) ? "uni" : "broad", | |
2398 | key->key_index & ~BIT(7)); | |
2399 | /* TODO: re-send EAPOL-Key couple of times (with short delay | |
2400 | * between them?). If all attempt fail, report error and | |
2401 | * deauthenticate STA so that it will get new keys when | |
2402 | * authenticating again (e.g., after returning in range). | |
2403 | * Separate limit/transmit state needed both for unicast and | |
2404 | * broadcast keys(?) */ | |
2405 | } | |
2406 | /* TODO: could move unicast key configuration from ieee802_1x_tx_key() | |
2407 | * to here and change the key only if the EAPOL-Key packet was Acked. | |
2408 | */ | |
2409 | ||
2410 | return 1; | |
2411 | } | |
2412 | ||
2413 | ||
2414 | u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) | |
2415 | { | |
2416 | if (sm == NULL || sm->identity == NULL) | |
2417 | return NULL; | |
2418 | ||
2419 | *len = sm->identity_len; | |
2420 | return sm->identity; | |
2421 | } | |
2422 | ||
2423 | ||
2424 | u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, | |
2425 | int idx) | |
2426 | { | |
2427 | if (sm == NULL || sm->radius_class.attr == NULL || | |
2428 | idx >= (int) sm->radius_class.count) | |
2429 | return NULL; | |
2430 | ||
2431 | *len = sm->radius_class.attr[idx].len; | |
2432 | return sm->radius_class.attr[idx].data; | |
2433 | } | |
2434 | ||
2435 | ||
4e132a61 JM |
2436 | struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) |
2437 | { | |
2438 | if (sm == NULL) | |
2439 | return NULL; | |
2440 | return sm->radius_cui; | |
2441 | } | |
2442 | ||
2443 | ||
6fc6879b JM |
2444 | const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) |
2445 | { | |
55e632df | 2446 | *len = 0; |
6fc6879b JM |
2447 | if (sm == NULL) |
2448 | return NULL; | |
2449 | ||
2450 | *len = sm->eap_if->eapKeyDataLen; | |
2451 | return sm->eap_if->eapKeyData; | |
2452 | } | |
2453 | ||
2454 | ||
2455 | void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, | |
2456 | int enabled) | |
2457 | { | |
2458 | if (sm == NULL) | |
2459 | return; | |
2460 | sm->eap_if->portEnabled = enabled ? TRUE : FALSE; | |
2461 | eapol_auth_step(sm); | |
2462 | } | |
2463 | ||
2464 | ||
2465 | void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, | |
2466 | int valid) | |
2467 | { | |
2468 | if (sm == NULL) | |
2469 | return; | |
2470 | sm->portValid = valid ? TRUE : FALSE; | |
2471 | eapol_auth_step(sm); | |
2472 | } | |
2473 | ||
2474 | ||
2475 | void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) | |
2476 | { | |
2477 | if (sm == NULL) | |
2478 | return; | |
2479 | if (pre_auth) | |
2480 | sm->flags |= EAPOL_SM_PREAUTH; | |
2481 | else | |
2482 | sm->flags &= ~EAPOL_SM_PREAUTH; | |
2483 | } | |
2484 | ||
2485 | ||
a6da824b | 2486 | static const char * bool_txt(Boolean val) |
6fc6879b | 2487 | { |
a6da824b | 2488 | return val ? "TRUE" : "FALSE"; |
6fc6879b JM |
2489 | } |
2490 | ||
2491 | ||
2492 | int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) | |
2493 | { | |
2494 | /* TODO */ | |
2495 | return 0; | |
2496 | } | |
2497 | ||
2498 | ||
2499 | int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, | |
2500 | char *buf, size_t buflen) | |
2501 | { | |
2502 | int len = 0, ret; | |
2503 | struct eapol_state_machine *sm = sta->eapol_sm; | |
0fc545ae | 2504 | struct os_reltime diff; |
6ceb95c9 EL |
2505 | const char *name1; |
2506 | const char *name2; | |
6fc6879b JM |
2507 | |
2508 | if (sm == NULL) | |
2509 | return 0; | |
2510 | ||
2511 | ret = os_snprintf(buf + len, buflen - len, | |
2512 | "dot1xPaePortNumber=%d\n" | |
2513 | "dot1xPaePortProtocolVersion=%d\n" | |
2514 | "dot1xPaePortCapabilities=1\n" | |
2515 | "dot1xPaePortInitialize=%d\n" | |
2516 | "dot1xPaePortReauthenticate=FALSE\n", | |
2517 | sta->aid, | |
2518 | EAPOL_VERSION, | |
2519 | sm->initialize); | |
d85e1fc8 | 2520 | if (os_snprintf_error(buflen - len, ret)) |
6fc6879b JM |
2521 | return len; |
2522 | len += ret; | |
2523 | ||
2524 | /* dot1xAuthConfigTable */ | |
2525 | ret = os_snprintf(buf + len, buflen - len, | |
2526 | "dot1xAuthPaeState=%d\n" | |
2527 | "dot1xAuthBackendAuthState=%d\n" | |
2528 | "dot1xAuthAdminControlledDirections=%d\n" | |
2529 | "dot1xAuthOperControlledDirections=%d\n" | |
2530 | "dot1xAuthAuthControlledPortStatus=%d\n" | |
2531 | "dot1xAuthAuthControlledPortControl=%d\n" | |
2532 | "dot1xAuthQuietPeriod=%u\n" | |
2533 | "dot1xAuthServerTimeout=%u\n" | |
2534 | "dot1xAuthReAuthPeriod=%u\n" | |
2535 | "dot1xAuthReAuthEnabled=%s\n" | |
2536 | "dot1xAuthKeyTxEnabled=%s\n", | |
2537 | sm->auth_pae_state + 1, | |
2538 | sm->be_auth_state + 1, | |
2539 | sm->adminControlledDirections, | |
2540 | sm->operControlledDirections, | |
2541 | sm->authPortStatus, | |
2542 | sm->portControl, | |
2543 | sm->quietPeriod, | |
2544 | sm->serverTimeout, | |
2545 | sm->reAuthPeriod, | |
2546 | bool_txt(sm->reAuthEnabled), | |
2547 | bool_txt(sm->keyTxEnabled)); | |
d85e1fc8 | 2548 | if (os_snprintf_error(buflen - len, ret)) |
6fc6879b JM |
2549 | return len; |
2550 | len += ret; | |
2551 | ||
2552 | /* dot1xAuthStatsTable */ | |
2553 | ret = os_snprintf(buf + len, buflen - len, | |
2554 | "dot1xAuthEapolFramesRx=%u\n" | |
2555 | "dot1xAuthEapolFramesTx=%u\n" | |
2556 | "dot1xAuthEapolStartFramesRx=%u\n" | |
2557 | "dot1xAuthEapolLogoffFramesRx=%u\n" | |
2558 | "dot1xAuthEapolRespIdFramesRx=%u\n" | |
2559 | "dot1xAuthEapolRespFramesRx=%u\n" | |
2560 | "dot1xAuthEapolReqIdFramesTx=%u\n" | |
2561 | "dot1xAuthEapolReqFramesTx=%u\n" | |
2562 | "dot1xAuthInvalidEapolFramesRx=%u\n" | |
2563 | "dot1xAuthEapLengthErrorFramesRx=%u\n" | |
2564 | "dot1xAuthLastEapolFrameVersion=%u\n" | |
2565 | "dot1xAuthLastEapolFrameSource=" MACSTR "\n", | |
2566 | sm->dot1xAuthEapolFramesRx, | |
2567 | sm->dot1xAuthEapolFramesTx, | |
2568 | sm->dot1xAuthEapolStartFramesRx, | |
2569 | sm->dot1xAuthEapolLogoffFramesRx, | |
2570 | sm->dot1xAuthEapolRespIdFramesRx, | |
2571 | sm->dot1xAuthEapolRespFramesRx, | |
2572 | sm->dot1xAuthEapolReqIdFramesTx, | |
2573 | sm->dot1xAuthEapolReqFramesTx, | |
2574 | sm->dot1xAuthInvalidEapolFramesRx, | |
2575 | sm->dot1xAuthEapLengthErrorFramesRx, | |
2576 | sm->dot1xAuthLastEapolFrameVersion, | |
2577 | MAC2STR(sm->addr)); | |
d85e1fc8 | 2578 | if (os_snprintf_error(buflen - len, ret)) |
6fc6879b JM |
2579 | return len; |
2580 | len += ret; | |
2581 | ||
2582 | /* dot1xAuthDiagTable */ | |
2583 | ret = os_snprintf(buf + len, buflen - len, | |
2584 | "dot1xAuthEntersConnecting=%u\n" | |
2585 | "dot1xAuthEapLogoffsWhileConnecting=%u\n" | |
2586 | "dot1xAuthEntersAuthenticating=%u\n" | |
2587 | "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" | |
2588 | "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" | |
2589 | "dot1xAuthAuthFailWhileAuthenticating=%u\n" | |
2590 | "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" | |
2591 | "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" | |
2592 | "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" | |
2593 | "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" | |
2594 | "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" | |
2595 | "dot1xAuthBackendResponses=%u\n" | |
2596 | "dot1xAuthBackendAccessChallenges=%u\n" | |
2597 | "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" | |
2598 | "dot1xAuthBackendAuthSuccesses=%u\n" | |
2599 | "dot1xAuthBackendAuthFails=%u\n", | |
2600 | sm->authEntersConnecting, | |
2601 | sm->authEapLogoffsWhileConnecting, | |
2602 | sm->authEntersAuthenticating, | |
2603 | sm->authAuthSuccessesWhileAuthenticating, | |
2604 | sm->authAuthTimeoutsWhileAuthenticating, | |
2605 | sm->authAuthFailWhileAuthenticating, | |
2606 | sm->authAuthEapStartsWhileAuthenticating, | |
2607 | sm->authAuthEapLogoffWhileAuthenticating, | |
2608 | sm->authAuthReauthsWhileAuthenticated, | |
2609 | sm->authAuthEapStartsWhileAuthenticated, | |
2610 | sm->authAuthEapLogoffWhileAuthenticated, | |
2611 | sm->backendResponses, | |
2612 | sm->backendAccessChallenges, | |
2613 | sm->backendOtherRequestsToSupplicant, | |
2614 | sm->backendAuthSuccesses, | |
2615 | sm->backendAuthFails); | |
d85e1fc8 | 2616 | if (os_snprintf_error(buflen - len, ret)) |
6fc6879b JM |
2617 | return len; |
2618 | len += ret; | |
2619 | ||
2620 | /* dot1xAuthSessionStatsTable */ | |
0fc545ae | 2621 | os_reltime_age(&sta->acct_session_start, &diff); |
6fc6879b JM |
2622 | ret = os_snprintf(buf + len, buflen - len, |
2623 | /* TODO: dot1xAuthSessionOctetsRx */ | |
2624 | /* TODO: dot1xAuthSessionOctetsTx */ | |
2625 | /* TODO: dot1xAuthSessionFramesRx */ | |
2626 | /* TODO: dot1xAuthSessionFramesTx */ | |
1492fbb9 | 2627 | "dot1xAuthSessionId=%016llX\n" |
6fc6879b JM |
2628 | "dot1xAuthSessionAuthenticMethod=%d\n" |
2629 | "dot1xAuthSessionTime=%u\n" | |
2630 | "dot1xAuthSessionTerminateCause=999\n" | |
2631 | "dot1xAuthSessionUserName=%s\n", | |
1492fbb9 | 2632 | (unsigned long long) sta->acct_session_id, |
56586197 JM |
2633 | (wpa_key_mgmt_wpa_ieee8021x( |
2634 | wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? | |
2635 | 1 : 2, | |
0fc545ae | 2636 | (unsigned int) diff.sec, |
6fc6879b | 2637 | sm->identity); |
d85e1fc8 | 2638 | if (os_snprintf_error(buflen - len, ret)) |
6fc6879b JM |
2639 | return len; |
2640 | len += ret; | |
2641 | ||
d72a0053 | 2642 | if (sm->acct_multi_session_id) { |
b52c0d45 | 2643 | ret = os_snprintf(buf + len, buflen - len, |
1492fbb9 NL |
2644 | "authMultiSessionId=%016llX\n", |
2645 | (unsigned long long) | |
d72a0053 | 2646 | sm->acct_multi_session_id); |
b52c0d45 JM |
2647 | if (os_snprintf_error(buflen - len, ret)) |
2648 | return len; | |
2649 | len += ret; | |
2650 | } | |
2651 | ||
6ceb95c9 EL |
2652 | name1 = eap_server_get_name(0, sm->eap_type_authsrv); |
2653 | name2 = eap_server_get_name(0, sm->eap_type_supp); | |
f538be3e JM |
2654 | ret = os_snprintf(buf + len, buflen - len, |
2655 | "last_eap_type_as=%d (%s)\n" | |
2656 | "last_eap_type_sta=%d (%s)\n", | |
414f23d8 EL |
2657 | sm->eap_type_authsrv, name1, |
2658 | sm->eap_type_supp, name2); | |
d85e1fc8 | 2659 | if (os_snprintf_error(buflen - len, ret)) |
f538be3e JM |
2660 | return len; |
2661 | len += ret; | |
2662 | ||
6fc6879b JM |
2663 | return len; |
2664 | } | |
2665 | ||
2666 | ||
d7c3347f JM |
2667 | #ifdef CONFIG_HS20 |
2668 | static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) | |
2669 | { | |
2670 | struct hostapd_data *hapd = eloop_ctx; | |
2671 | struct sta_info *sta = timeout_ctx; | |
2672 | ||
2673 | if (sta->remediation) { | |
2674 | wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " | |
2675 | MACSTR " to indicate Subscription Remediation", | |
2676 | MAC2STR(sta->addr)); | |
2677 | hs20_send_wnm_notification(hapd, sta->addr, | |
2678 | sta->remediation_method, | |
2679 | sta->remediation_url); | |
2680 | os_free(sta->remediation_url); | |
2681 | sta->remediation_url = NULL; | |
2682 | } | |
2683 | ||
2684 | if (sta->hs20_deauth_req) { | |
2685 | wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification to " | |
2686 | MACSTR " to indicate imminent deauthentication", | |
2687 | MAC2STR(sta->addr)); | |
2688 | hs20_send_wnm_notification_deauth_req(hapd, sta->addr, | |
2689 | sta->hs20_deauth_req); | |
2690 | } | |
2691 | } | |
2692 | #endif /* CONFIG_HS20 */ | |
2693 | ||
2694 | ||
6fc6879b | 2695 | static void ieee802_1x_finished(struct hostapd_data *hapd, |
8d2a9921 JM |
2696 | struct sta_info *sta, int success, |
2697 | int remediation) | |
6fc6879b JM |
2698 | { |
2699 | const u8 *key; | |
2700 | size_t len; | |
2701 | /* TODO: get PMKLifetime from WPA parameters */ | |
2702 | static const int dot11RSNAConfigPMKLifetime = 43200; | |
47ea24c1 | 2703 | unsigned int session_timeout; |
6fc6879b | 2704 | |
6ca0853d | 2705 | #ifdef CONFIG_HS20 |
8d2a9921 JM |
2706 | if (remediation && !sta->remediation) { |
2707 | sta->remediation = 1; | |
2708 | os_free(sta->remediation_url); | |
2709 | sta->remediation_url = | |
2710 | os_strdup(hapd->conf->subscr_remediation_url); | |
2711 | sta->remediation_method = 1; /* SOAP-XML SPP */ | |
2712 | } | |
2713 | ||
d7c3347f JM |
2714 | if (success && (sta->remediation || sta->hs20_deauth_req)) { |
2715 | wpa_printf(MSG_DEBUG, "HS 2.0: Schedule WNM-Notification to " | |
2716 | MACSTR " in 100 ms", MAC2STR(sta->addr)); | |
2717 | eloop_cancel_timeout(ieee802_1x_wnm_notif_send, hapd, sta); | |
2718 | eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send, | |
2719 | hapd, sta); | |
6ca0853d JM |
2720 | } |
2721 | #endif /* CONFIG_HS20 */ | |
2722 | ||
6fc6879b | 2723 | key = ieee802_1x_get_key(sta->eapol_sm, &len); |
47ea24c1 JM |
2724 | if (sta->session_timeout_set) |
2725 | session_timeout = sta->session_timeout; | |
2726 | else | |
2727 | session_timeout = dot11RSNAConfigPMKLifetime; | |
6ca0853d | 2728 | if (success && key && len >= PMK_LEN && !sta->remediation && |
8e1146d9 | 2729 | !sta->hs20_deauth_requested && |
207976f0 | 2730 | wpa_auth_pmksa_add(sta->wpa_sm, key, len, session_timeout, |
6fc6879b JM |
2731 | sta->eapol_sm) == 0) { |
2732 | hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, | |
2733 | HOSTAPD_LEVEL_DEBUG, | |
2734 | "Added PMKSA cache entry (IEEE 802.1X)"); | |
2735 | } | |
32397063 | 2736 | |
fd8e4fda | 2737 | if (!success) { |
32397063 JM |
2738 | /* |
2739 | * Many devices require deauthentication after WPS provisioning | |
2740 | * and some may not be be able to do that themselves, so | |
fd8e4fda JM |
2741 | * disconnect the client here. In addition, this may also |
2742 | * benefit IEEE 802.1X/EAPOL authentication cases, too since | |
2743 | * the EAPOL PAE state machine would remain in HELD state for | |
2744 | * considerable amount of time and some EAP methods, like | |
2745 | * EAP-FAST with anonymous provisioning, may require another | |
2746 | * EAPOL authentication to be started to complete connection. | |
32397063 | 2747 | */ |
0f5eb69f | 2748 | ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta); |
32397063 | 2749 | } |
6fc6879b | 2750 | } |