2 * hostapd / IEEE 802.1X-2004 Authenticator
3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
12 #endif /* CONFIG_SQLITE */
14 #include "utils/common.h"
15 #include "utils/eloop.h"
16 #include "crypto/md5.h"
17 #include "crypto/crypto.h"
18 #include "crypto/random.h"
19 #include "common/ieee802_11_defs.h"
20 #include "radius/radius.h"
21 #include "radius/radius_client.h"
22 #include "eap_server/eap.h"
23 #include "eap_common/eap_wsc_common.h"
24 #include "eapol_auth/eapol_auth_sm.h"
25 #include "eapol_auth/eapol_auth_sm_i.h"
28 #include "accounting.h"
31 #include "preauth_auth.h"
32 #include "pmksa_cache_auth.h"
33 #include "ap_config.h"
34 #include "ap_drv_ops.h"
35 #include "wps_hostapd.h"
37 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */
38 #include "ieee802_11.h"
39 #include "ieee802_1x.h"
40 #include "wpa_auth_kay.h"
44 static void ieee802_1x_wnm_notif_send(void *eloop_ctx
, void *timeout_ctx
);
45 #endif /* CONFIG_HS20 */
46 static void ieee802_1x_finished(struct hostapd_data
*hapd
,
47 struct sta_info
*sta
, int success
,
51 static void ieee802_1x_send(struct hostapd_data
*hapd
, struct sta_info
*sta
,
52 u8 type
, const u8
*data
, size_t datalen
)
55 struct ieee802_1x_hdr
*xhdr
;
59 len
= sizeof(*xhdr
) + datalen
;
62 wpa_printf(MSG_ERROR
, "malloc() failed for %s(len=%lu)",
63 __func__
, (unsigned long) len
);
67 xhdr
= (struct ieee802_1x_hdr
*) buf
;
68 xhdr
->version
= hapd
->conf
->eapol_version
;
70 if (xhdr
->version
> 2 && hapd
->conf
->macsec_policy
== 0)
72 #endif /* CONFIG_MACSEC */
74 xhdr
->length
= host_to_be16(datalen
);
76 if (datalen
> 0 && data
!= NULL
)
77 os_memcpy(xhdr
+ 1, data
, datalen
);
79 if (wpa_auth_pairwise_set(sta
->wpa_sm
))
81 #ifdef CONFIG_TESTING_OPTIONS
82 if (hapd
->ext_eapol_frame_io
) {
83 size_t hex_len
= 2 * len
+ 1;
84 char *hex
= os_malloc(hex_len
);
87 wpa_snprintf_hex(hex
, hex_len
, buf
, len
);
88 wpa_msg(hapd
->msg_ctx
, MSG_INFO
,
89 "EAPOL-TX " MACSTR
" %s",
90 MAC2STR(sta
->addr
), hex
);
94 #endif /* CONFIG_TESTING_OPTIONS */
95 if (sta
->flags
& WLAN_STA_PREAUTH
) {
96 rsn_preauth_send(hapd
, sta
, buf
, len
);
98 hostapd_drv_hapd_send_eapol(
99 hapd
, sta
->addr
, buf
, len
,
100 encrypt
, hostapd_sta_flags_to_drv(sta
->flags
));
107 void ieee802_1x_set_sta_authorized(struct hostapd_data
*hapd
,
108 struct sta_info
*sta
, int authorized
)
112 if (sta
->flags
& WLAN_STA_PREAUTH
)
116 ap_sta_set_authorized(hapd
, sta
, 1);
117 res
= hostapd_set_authorized(hapd
, sta
, 1);
118 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
119 HOSTAPD_LEVEL_DEBUG
, "authorizing port");
121 ap_sta_set_authorized(hapd
, sta
, 0);
122 res
= hostapd_set_authorized(hapd
, sta
, 0);
123 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
124 HOSTAPD_LEVEL_DEBUG
, "unauthorizing port");
127 if (res
&& errno
!= ENOENT
) {
128 wpa_printf(MSG_DEBUG
, "Could not set station " MACSTR
129 " flags for kernel driver (errno=%d).",
130 MAC2STR(sta
->addr
), errno
);
134 os_get_reltime(&sta
->connected_time
);
135 accounting_sta_start(hapd
, sta
);
141 #ifndef CONFIG_NO_RC4
143 static void ieee802_1x_tx_key_one(struct hostapd_data
*hapd
,
144 struct sta_info
*sta
,
145 int idx
, int broadcast
,
146 u8
*key_data
, size_t key_len
)
149 struct ieee802_1x_hdr
*hdr
;
150 struct ieee802_1x_eapol_key
*key
;
151 size_t len
, ekey_len
;
152 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
157 len
= sizeof(*key
) + key_len
;
158 buf
= os_zalloc(sizeof(*hdr
) + len
);
162 hdr
= (struct ieee802_1x_hdr
*) buf
;
163 key
= (struct ieee802_1x_eapol_key
*) (hdr
+ 1);
164 key
->type
= EAPOL_KEY_TYPE_RC4
;
165 WPA_PUT_BE16(key
->key_length
, key_len
);
166 wpa_get_ntp_timestamp(key
->replay_counter
);
167 if (os_memcmp(key
->replay_counter
,
168 hapd
->last_1x_eapol_key_replay_counter
,
169 IEEE8021X_REPLAY_COUNTER_LEN
) <= 0) {
170 /* NTP timestamp did not increment from last EAPOL-Key frame;
171 * use previously used value + 1 instead. */
172 inc_byte_array(hapd
->last_1x_eapol_key_replay_counter
,
173 IEEE8021X_REPLAY_COUNTER_LEN
);
174 os_memcpy(key
->replay_counter
,
175 hapd
->last_1x_eapol_key_replay_counter
,
176 IEEE8021X_REPLAY_COUNTER_LEN
);
178 os_memcpy(hapd
->last_1x_eapol_key_replay_counter
,
180 IEEE8021X_REPLAY_COUNTER_LEN
);
183 if (random_get_bytes(key
->key_iv
, sizeof(key
->key_iv
))) {
184 wpa_printf(MSG_ERROR
, "Could not get random numbers");
189 key
->key_index
= idx
| (broadcast
? 0 : BIT(7));
190 if (hapd
->conf
->eapol_key_index_workaround
) {
191 /* According to some information, WinXP Supplicant seems to
192 * interpret bit7 as an indication whether the key is to be
193 * activated, so make it possible to enable workaround that
194 * sets this bit for all keys. */
195 key
->key_index
|= BIT(7);
198 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
199 * MSK[32..63] is used to sign the message. */
200 if (!sm
->eap_if
->eapKeyData
|| sm
->eap_if
->eapKeyDataLen
< 64) {
201 wpa_printf(MSG_ERROR
,
202 "No eapKeyData available for encrypting and signing EAPOL-Key");
206 os_memcpy((u8
*) (key
+ 1), key_data
, key_len
);
207 ekey_len
= sizeof(key
->key_iv
) + 32;
208 ekey
= os_malloc(ekey_len
);
210 wpa_printf(MSG_ERROR
, "Could not encrypt key");
214 os_memcpy(ekey
, key
->key_iv
, sizeof(key
->key_iv
));
215 os_memcpy(ekey
+ sizeof(key
->key_iv
), sm
->eap_if
->eapKeyData
, 32);
216 rc4_skip(ekey
, ekey_len
, 0, (u8
*) (key
+ 1), key_len
);
219 /* This header is needed here for HMAC-MD5, but it will be regenerated
220 * in ieee802_1x_send() */
221 hdr
->version
= hapd
->conf
->eapol_version
;
223 if (hdr
->version
> 2)
225 #endif /* CONFIG_MACSEC */
226 hdr
->type
= IEEE802_1X_TYPE_EAPOL_KEY
;
227 hdr
->length
= host_to_be16(len
);
228 hmac_md5(sm
->eap_if
->eapKeyData
+ 32, 32, buf
, sizeof(*hdr
) + len
,
231 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
232 " (%s index=%d)", MAC2STR(sm
->addr
),
233 broadcast
? "broadcast" : "unicast", idx
);
234 ieee802_1x_send(hapd
, sta
, IEEE802_1X_TYPE_EAPOL_KEY
, (u8
*) key
, len
);
236 sta
->eapol_sm
->dot1xAuthEapolFramesTx
++;
241 static void ieee802_1x_tx_key(struct hostapd_data
*hapd
, struct sta_info
*sta
)
243 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
244 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
246 if (!sm
|| !sm
->eap_if
->eapKeyData
)
249 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR
,
252 #ifndef CONFIG_NO_VLAN
253 if (sta
->vlan_id
> 0) {
254 wpa_printf(MSG_ERROR
, "Using WEP with vlans is not supported.");
257 #endif /* CONFIG_NO_VLAN */
259 if (eapol
->default_wep_key
) {
260 ieee802_1x_tx_key_one(hapd
, sta
, eapol
->default_wep_key_idx
, 1,
261 eapol
->default_wep_key
,
262 hapd
->conf
->default_wep_key_len
);
265 if (hapd
->conf
->individual_wep_key_len
> 0) {
268 ikey
= os_malloc(hapd
->conf
->individual_wep_key_len
);
270 random_get_bytes(ikey
, hapd
->conf
->individual_wep_key_len
))
272 wpa_printf(MSG_ERROR
,
273 "Could not generate random individual WEP key");
278 wpa_hexdump_key(MSG_DEBUG
, "Individual WEP key",
279 ikey
, hapd
->conf
->individual_wep_key_len
);
281 ieee802_1x_tx_key_one(hapd
, sta
, 0, 0, ikey
,
282 hapd
->conf
->individual_wep_key_len
);
284 /* TODO: set encryption in TX callback, i.e., only after STA
285 * has ACKed EAPOL-Key frame */
286 if (hostapd_drv_set_key(hapd
->conf
->iface
, hapd
, WPA_ALG_WEP
,
287 sta
->addr
, 0, 0, 1, NULL
, 0, ikey
,
288 hapd
->conf
->individual_wep_key_len
,
289 KEY_FLAG_PAIRWISE_RX_TX
)) {
290 wpa_printf(MSG_ERROR
,
291 "Could not set individual WEP encryption");
298 #endif /* CONFIG_NO_RC4 */
299 #endif /* CONFIG_FIPS */
302 const char *radius_mode_txt(struct hostapd_data
*hapd
)
304 switch (hapd
->iface
->conf
->hw_mode
) {
305 case HOSTAPD_MODE_IEEE80211AD
:
307 case HOSTAPD_MODE_IEEE80211A
:
309 case HOSTAPD_MODE_IEEE80211G
:
311 case HOSTAPD_MODE_IEEE80211B
:
318 int radius_sta_rate(struct hostapd_data
*hapd
, struct sta_info
*sta
)
323 for (i
= 0; i
< sta
->supported_rates_len
; i
++)
324 if ((sta
->supported_rates
[i
] & 0x7f) > rate
)
325 rate
= sta
->supported_rates
[i
] & 0x7f;
331 #ifndef CONFIG_NO_RADIUS
332 static void ieee802_1x_learn_identity(struct hostapd_data
*hapd
,
333 struct eapol_state_machine
*sm
,
334 const u8
*eap
, size_t len
)
338 const struct eap_hdr
*hdr
= (const struct eap_hdr
*) eap
;
340 if (len
<= sizeof(struct eap_hdr
) ||
341 (hdr
->code
== EAP_CODE_RESPONSE
&&
342 eap
[sizeof(struct eap_hdr
)] != EAP_TYPE_IDENTITY
) ||
343 (hdr
->code
== EAP_CODE_INITIATE
&&
344 eap
[sizeof(struct eap_hdr
)] != EAP_ERP_TYPE_REAUTH
) ||
345 (hdr
->code
!= EAP_CODE_RESPONSE
&&
346 hdr
->code
!= EAP_CODE_INITIATE
))
349 eap_erp_update_identity(sm
->eap
, eap
, len
);
350 identity
= eap_get_identity(sm
->eap
, &identity_len
);
354 /* Save station identity for future RADIUS packets */
355 os_free(sm
->identity
);
356 sm
->identity
= (u8
*) dup_binstr(identity
, identity_len
);
358 sm
->identity_len
= 0;
362 sm
->identity_len
= identity_len
;
363 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
364 HOSTAPD_LEVEL_DEBUG
, "STA identity '%s'", sm
->identity
);
365 sm
->dot1xAuthEapolRespIdFramesRx
++;
369 static int add_common_radius_sta_attr_rsn(struct hostapd_data
*hapd
,
370 struct hostapd_radius_attr
*req_attr
,
371 struct sta_info
*sta
,
372 struct radius_msg
*msg
)
377 ver
= wpa_auth_sta_wpa_version(sta
->wpa_sm
);
378 val
= wpa_auth_get_pairwise(sta
->wpa_sm
);
379 suite
= wpa_cipher_to_suite(ver
, val
);
381 !hostapd_config_get_radius_attr(req_attr
,
382 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER
) &&
383 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER
,
385 wpa_printf(MSG_ERROR
, "Could not add WLAN-Pairwise-Cipher");
389 suite
= wpa_cipher_to_suite(((hapd
->conf
->wpa
& 0x2) ||
391 WPA_PROTO_RSN
: WPA_PROTO_WPA
,
392 hapd
->conf
->wpa_group
);
393 if (!hostapd_config_get_radius_attr(req_attr
,
394 RADIUS_ATTR_WLAN_GROUP_CIPHER
) &&
395 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_GROUP_CIPHER
,
397 wpa_printf(MSG_ERROR
, "Could not add WLAN-Group-Cipher");
401 val
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
402 suite
= wpa_akm_to_suite(val
);
404 !hostapd_config_get_radius_attr(req_attr
,
405 RADIUS_ATTR_WLAN_AKM_SUITE
) &&
406 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_AKM_SUITE
,
408 wpa_printf(MSG_ERROR
, "Could not add WLAN-AKM-Suite");
412 if (hapd
->conf
->ieee80211w
!= NO_MGMT_FRAME_PROTECTION
) {
413 suite
= wpa_cipher_to_suite(WPA_PROTO_RSN
,
414 hapd
->conf
->group_mgmt_cipher
);
415 if (!hostapd_config_get_radius_attr(
416 req_attr
, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER
) &&
417 !radius_msg_add_attr_int32(
418 msg
, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER
, suite
)) {
419 wpa_printf(MSG_ERROR
,
420 "Could not add WLAN-Group-Mgmt-Cipher");
429 static int add_common_radius_sta_attr(struct hostapd_data
*hapd
,
430 struct hostapd_radius_attr
*req_attr
,
431 struct sta_info
*sta
,
432 struct radius_msg
*msg
)
436 if (!hostapd_config_get_radius_attr(req_attr
,
437 RADIUS_ATTR_SERVICE_TYPE
) &&
438 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_SERVICE_TYPE
,
439 RADIUS_SERVICE_TYPE_FRAMED
)) {
440 wpa_printf(MSG_ERROR
, "Could not add Service-Type");
444 if (!hostapd_config_get_radius_attr(req_attr
,
445 RADIUS_ATTR_NAS_PORT
) &&
447 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_NAS_PORT
, sta
->aid
)) {
448 wpa_printf(MSG_ERROR
, "Could not add NAS-Port");
452 os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
,
454 buf
[sizeof(buf
) - 1] = '\0';
455 if (!radius_msg_add_attr(msg
, RADIUS_ATTR_CALLING_STATION_ID
,
456 (u8
*) buf
, os_strlen(buf
))) {
457 wpa_printf(MSG_ERROR
, "Could not add Calling-Station-Id");
461 if (sta
->flags
& WLAN_STA_PREAUTH
) {
462 os_strlcpy(buf
, "IEEE 802.11i Pre-Authentication",
465 os_snprintf(buf
, sizeof(buf
), "CONNECT %d%sMbps %s",
466 radius_sta_rate(hapd
, sta
) / 2,
467 (radius_sta_rate(hapd
, sta
) & 1) ? ".5" : "",
468 radius_mode_txt(hapd
));
469 buf
[sizeof(buf
) - 1] = '\0';
471 if (!hostapd_config_get_radius_attr(req_attr
,
472 RADIUS_ATTR_CONNECT_INFO
) &&
473 !radius_msg_add_attr(msg
, RADIUS_ATTR_CONNECT_INFO
,
474 (u8
*) buf
, os_strlen(buf
))) {
475 wpa_printf(MSG_ERROR
, "Could not add Connect-Info");
479 if (sta
->acct_session_id
) {
480 os_snprintf(buf
, sizeof(buf
), "%016llX",
481 (unsigned long long) sta
->acct_session_id
);
482 if (!radius_msg_add_attr(msg
, RADIUS_ATTR_ACCT_SESSION_ID
,
483 (u8
*) buf
, os_strlen(buf
))) {
484 wpa_printf(MSG_ERROR
, "Could not add Acct-Session-Id");
489 if ((hapd
->conf
->wpa
& 2) &&
490 !hapd
->conf
->disable_pmksa_caching
&&
491 sta
->eapol_sm
&& sta
->eapol_sm
->acct_multi_session_id
) {
492 os_snprintf(buf
, sizeof(buf
), "%016llX",
494 sta
->eapol_sm
->acct_multi_session_id
);
495 if (!radius_msg_add_attr(
496 msg
, RADIUS_ATTR_ACCT_MULTI_SESSION_ID
,
497 (u8
*) buf
, os_strlen(buf
))) {
499 "Could not add Acct-Multi-Session-Id");
504 #ifdef CONFIG_IEEE80211R_AP
505 if (hapd
->conf
->wpa
&& wpa_key_mgmt_ft(hapd
->conf
->wpa_key_mgmt
) &&
507 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta
->wpa_sm
)) ||
508 sta
->auth_alg
== WLAN_AUTH_FT
) &&
509 !hostapd_config_get_radius_attr(req_attr
,
510 RADIUS_ATTR_MOBILITY_DOMAIN_ID
) &&
511 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_MOBILITY_DOMAIN_ID
,
513 hapd
->conf
->mobility_domain
))) {
514 wpa_printf(MSG_ERROR
, "Could not add Mobility-Domain-Id");
517 #endif /* CONFIG_IEEE80211R_AP */
519 if ((hapd
->conf
->wpa
|| hapd
->conf
->osen
) && sta
->wpa_sm
&&
520 add_common_radius_sta_attr_rsn(hapd
, req_attr
, sta
, msg
) < 0)
527 int add_common_radius_attr(struct hostapd_data
*hapd
,
528 struct hostapd_radius_attr
*req_attr
,
529 struct sta_info
*sta
,
530 struct radius_msg
*msg
)
533 struct hostapd_radius_attr
*attr
;
536 if (!hostapd_config_get_radius_attr(req_attr
,
537 RADIUS_ATTR_NAS_IP_ADDRESS
) &&
538 hapd
->conf
->own_ip_addr
.af
== AF_INET
&&
539 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IP_ADDRESS
,
540 (u8
*) &hapd
->conf
->own_ip_addr
.u
.v4
, 4)) {
541 wpa_printf(MSG_ERROR
, "Could not add NAS-IP-Address");
546 if (!hostapd_config_get_radius_attr(req_attr
,
547 RADIUS_ATTR_NAS_IPV6_ADDRESS
) &&
548 hapd
->conf
->own_ip_addr
.af
== AF_INET6
&&
549 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IPV6_ADDRESS
,
550 (u8
*) &hapd
->conf
->own_ip_addr
.u
.v6
, 16)) {
551 wpa_printf(MSG_ERROR
, "Could not add NAS-IPv6-Address");
554 #endif /* CONFIG_IPV6 */
556 if (!hostapd_config_get_radius_attr(req_attr
,
557 RADIUS_ATTR_NAS_IDENTIFIER
) &&
558 hapd
->conf
->nas_identifier
&&
559 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IDENTIFIER
,
560 (u8
*) hapd
->conf
->nas_identifier
,
561 os_strlen(hapd
->conf
->nas_identifier
))) {
562 wpa_printf(MSG_ERROR
, "Could not add NAS-Identifier");
566 len
= os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
":",
567 MAC2STR(hapd
->own_addr
));
568 os_memcpy(&buf
[len
], hapd
->conf
->ssid
.ssid
,
569 hapd
->conf
->ssid
.ssid_len
);
570 len
+= hapd
->conf
->ssid
.ssid_len
;
571 if (!hostapd_config_get_radius_attr(req_attr
,
572 RADIUS_ATTR_CALLED_STATION_ID
) &&
573 !radius_msg_add_attr(msg
, RADIUS_ATTR_CALLED_STATION_ID
,
575 wpa_printf(MSG_ERROR
, "Could not add Called-Station-Id");
579 if (!hostapd_config_get_radius_attr(req_attr
,
580 RADIUS_ATTR_NAS_PORT_TYPE
) &&
581 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_NAS_PORT_TYPE
,
582 RADIUS_NAS_PORT_TYPE_IEEE_802_11
)) {
583 wpa_printf(MSG_ERROR
, "Could not add NAS-Port-Type");
587 #ifdef CONFIG_INTERWORKING
588 if (hapd
->conf
->interworking
&&
589 !is_zero_ether_addr(hapd
->conf
->hessid
)) {
590 os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
,
591 MAC2STR(hapd
->conf
->hessid
));
592 buf
[sizeof(buf
) - 1] = '\0';
593 if (!hostapd_config_get_radius_attr(req_attr
,
594 RADIUS_ATTR_WLAN_HESSID
) &&
595 !radius_msg_add_attr(msg
, RADIUS_ATTR_WLAN_HESSID
,
596 (u8
*) buf
, os_strlen(buf
))) {
597 wpa_printf(MSG_ERROR
, "Could not add WLAN-HESSID");
601 #endif /* CONFIG_INTERWORKING */
603 if (sta
&& add_common_radius_sta_attr(hapd
, req_attr
, sta
, msg
) < 0)
606 for (attr
= req_attr
; attr
; attr
= attr
->next
) {
607 if (!radius_msg_add_attr(msg
, attr
->type
,
608 wpabuf_head(attr
->val
),
609 wpabuf_len(attr
->val
))) {
610 wpa_printf(MSG_ERROR
, "Could not add RADIUS attribute");
619 int add_sqlite_radius_attr(struct hostapd_data
*hapd
, struct sta_info
*sta
,
620 struct radius_msg
*msg
, int acct
)
624 char addrtxt
[3 * ETH_ALEN
];
626 sqlite3_stmt
*stmt
= NULL
;
628 if (!hapd
->rad_attr_db
)
631 os_snprintf(addrtxt
, sizeof(addrtxt
), MACSTR
, MAC2STR(sta
->addr
));
633 sql
= "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);";
634 if (sqlite3_prepare_v2(hapd
->rad_attr_db
, sql
, os_strlen(sql
), &stmt
,
635 NULL
) != SQLITE_OK
) {
636 wpa_printf(MSG_ERROR
, "DB: Failed to prepare SQL statement: %s",
637 sqlite3_errmsg(hapd
->rad_attr_db
));
640 sqlite3_bind_text(stmt
, 1, addrtxt
, os_strlen(addrtxt
), SQLITE_STATIC
);
641 sqlite3_bind_text(stmt
, 2, acct
? "acct" : "auth", 4, SQLITE_STATIC
);
642 while (sqlite3_step(stmt
) == SQLITE_ROW
) {
643 struct hostapd_radius_attr
*attr
;
644 struct radius_attr_hdr
*hdr
;
646 attrtxt
= (const char *) sqlite3_column_text(stmt
, 0);
647 attr
= hostapd_parse_radius_attr(attrtxt
);
649 wpa_printf(MSG_ERROR
,
650 "Skipping invalid attribute from SQL: %s",
654 wpa_printf(MSG_DEBUG
, "Adding RADIUS attribute from SQL: %s",
656 hdr
= radius_msg_add_attr(msg
, attr
->type
,
657 wpabuf_head(attr
->val
),
658 wpabuf_len(attr
->val
));
659 hostapd_config_free_radius_attr(attr
);
661 wpa_printf(MSG_ERROR
,
662 "Could not add RADIUS attribute from SQL");
668 sqlite3_clear_bindings(stmt
);
669 sqlite3_finalize(stmt
);
670 #endif /* CONFIG_SQLITE */
676 void ieee802_1x_encapsulate_radius(struct hostapd_data
*hapd
,
677 struct sta_info
*sta
,
678 const u8
*eap
, size_t len
)
680 struct radius_msg
*msg
;
681 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
686 ieee802_1x_learn_identity(hapd
, sm
, eap
, len
);
688 wpa_printf(MSG_DEBUG
, "Encapsulating EAP message into a RADIUS packet");
690 sm
->radius_identifier
= radius_client_get_id(hapd
->radius
);
691 msg
= radius_msg_new(RADIUS_CODE_ACCESS_REQUEST
,
692 sm
->radius_identifier
);
694 wpa_printf(MSG_INFO
, "Could not create new RADIUS packet");
698 if (radius_msg_make_authenticator(msg
) < 0) {
699 wpa_printf(MSG_INFO
, "Could not make Request Authenticator");
704 !radius_msg_add_attr(msg
, RADIUS_ATTR_USER_NAME
,
705 sm
->identity
, sm
->identity_len
)) {
706 wpa_printf(MSG_INFO
, "Could not add User-Name");
710 if (add_common_radius_attr(hapd
, hapd
->conf
->radius_auth_req_attr
, sta
,
714 if (sta
&& add_sqlite_radius_attr(hapd
, sta
, msg
, 0) < 0)
717 /* TODO: should probably check MTU from driver config; 2304 is max for
718 * IEEE 802.11, but use 1400 to avoid problems with too large packets
720 if (!hostapd_config_get_radius_attr(hapd
->conf
->radius_auth_req_attr
,
721 RADIUS_ATTR_FRAMED_MTU
) &&
722 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_FRAMED_MTU
, 1400)) {
723 wpa_printf(MSG_INFO
, "Could not add Framed-MTU");
727 if (!radius_msg_add_eap(msg
, eap
, len
)) {
728 wpa_printf(MSG_INFO
, "Could not add EAP-Message");
732 /* State attribute must be copied if and only if this packet is
733 * Access-Request reply to the previous Access-Challenge */
734 if (sm
->last_recv_radius
&&
735 radius_msg_get_hdr(sm
->last_recv_radius
)->code
==
736 RADIUS_CODE_ACCESS_CHALLENGE
) {
737 int res
= radius_msg_copy_attr(msg
, sm
->last_recv_radius
,
741 "Could not copy State attribute from previous Access-Challenge");
745 wpa_printf(MSG_DEBUG
, "Copied RADIUS State Attribute");
748 if (hapd
->conf
->radius_request_cui
) {
751 /* Add previously learned CUI or nul CUI to request CUI */
752 if (sm
->radius_cui
) {
753 cui
= wpabuf_head(sm
->radius_cui
);
754 cui_len
= wpabuf_len(sm
->radius_cui
);
756 cui
= (const u8
*) "\0";
759 if (!radius_msg_add_attr(msg
,
760 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY
,
762 wpa_printf(MSG_ERROR
, "Could not add CUI");
768 if (hapd
->conf
->hs20
) {
769 u8 ver
= hapd
->conf
->hs20_release
- 1;
771 if (!radius_msg_add_wfa(
772 msg
, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION
,
774 wpa_printf(MSG_ERROR
,
775 "Could not add HS 2.0 AP version");
779 if (sta
->hs20_ie
&& wpabuf_len(sta
->hs20_ie
) > 0) {
784 pos
= wpabuf_head_u8(sta
->hs20_ie
);
785 buf
[0] = (*pos
) >> 4;
786 if (((*pos
) & HS20_PPS_MO_ID_PRESENT
) &&
787 wpabuf_len(sta
->hs20_ie
) >= 3)
788 id
= WPA_GET_LE16(pos
+ 1);
791 WPA_PUT_BE16(buf
+ 1, id
);
792 if (!radius_msg_add_wfa(
794 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION
,
796 wpa_printf(MSG_ERROR
,
797 "Could not add HS 2.0 STA version");
802 if (sta
->roaming_consortium
&&
804 msg
, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM
,
805 wpabuf_head(sta
->roaming_consortium
),
806 wpabuf_len(sta
->roaming_consortium
))) {
807 wpa_printf(MSG_ERROR
,
808 "Could not add HS 2.0 Roaming Consortium");
812 if (hapd
->conf
->t_c_filename
) {
815 if (!radius_msg_add_wfa(
817 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME
,
818 (const u8
*) hapd
->conf
->t_c_filename
,
819 os_strlen(hapd
->conf
->t_c_filename
))) {
820 wpa_printf(MSG_ERROR
,
821 "Could not add HS 2.0 T&C Filename");
825 timestamp
= host_to_be32(hapd
->conf
->t_c_timestamp
);
826 if (!radius_msg_add_wfa(
828 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP
,
829 (const u8
*) ×tamp
,
830 sizeof(timestamp
))) {
831 wpa_printf(MSG_ERROR
,
832 "Could not add HS 2.0 Timestamp");
837 #endif /* CONFIG_HS20 */
839 if (radius_client_send(hapd
->radius
, msg
, RADIUS_AUTH
, sta
->addr
) < 0)
845 radius_msg_free(msg
);
847 #endif /* CONFIG_NO_RADIUS */
850 static void handle_eap_response(struct hostapd_data
*hapd
,
851 struct sta_info
*sta
, struct eap_hdr
*eap
,
855 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
860 data
= (u8
*) (eap
+ 1);
862 if (len
< sizeof(*eap
) + 1) {
863 wpa_printf(MSG_INFO
, "%s: too short response data", __func__
);
867 sm
->eap_type_supp
= type
= data
[0];
869 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
870 HOSTAPD_LEVEL_DEBUG
, "received EAP packet (code=%d "
871 "id=%d len=%d) from STA: EAP Response-%s (%d)",
872 eap
->code
, eap
->identifier
, be_to_host16(eap
->length
),
873 eap_server_get_name(0, type
), type
);
875 sm
->dot1xAuthEapolRespFramesRx
++;
877 wpabuf_free(sm
->eap_if
->eapRespData
);
878 sm
->eap_if
->eapRespData
= wpabuf_alloc_copy(eap
, len
);
883 static void handle_eap_initiate(struct hostapd_data
*hapd
,
884 struct sta_info
*sta
, struct eap_hdr
*eap
,
889 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
894 if (len
< sizeof(*eap
) + 1) {
895 wpa_printf(MSG_INFO
, "%s: too short response data", __func__
);
899 data
= (u8
*) (eap
+ 1);
902 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
904 "received EAP packet (code=%d id=%d len=%d) from STA: EAP Initiate type %u",
905 eap
->code
, eap
->identifier
, be_to_host16(eap
->length
),
908 wpabuf_free(sm
->eap_if
->eapRespData
);
909 sm
->eap_if
->eapRespData
= wpabuf_alloc_copy(eap
, len
);
911 #endif /* CONFIG_ERP */
915 #ifndef CONFIG_NO_STDOUT_DEBUG
916 static const char * eap_code_str(u8 code
)
919 case EAP_CODE_REQUEST
:
921 case EAP_CODE_RESPONSE
:
923 case EAP_CODE_SUCCESS
:
925 case EAP_CODE_FAILURE
:
927 case EAP_CODE_INITIATE
:
929 case EAP_CODE_FINISH
:
935 #endif /* CONFIG_NO_STDOUT_DEBUG */
938 /* Process incoming EAP packet from Supplicant */
939 static void handle_eap(struct hostapd_data
*hapd
, struct sta_info
*sta
,
945 if (len
< sizeof(*eap
)) {
946 wpa_printf(MSG_INFO
, " too short EAP packet");
950 eap
= (struct eap_hdr
*) buf
;
952 eap_len
= be_to_host16(eap
->length
);
953 wpa_printf(MSG_DEBUG
, "EAP: code=%d (%s) identifier=%d length=%d",
954 eap
->code
, eap_code_str(eap
->code
), eap
->identifier
,
956 if (eap_len
< sizeof(*eap
)) {
957 wpa_printf(MSG_DEBUG
, " Invalid EAP length");
959 } else if (eap_len
> len
) {
960 wpa_printf(MSG_DEBUG
,
961 " Too short frame to contain this EAP packet");
963 } else if (eap_len
< len
) {
964 wpa_printf(MSG_DEBUG
,
965 " Ignoring %lu extra bytes after EAP packet",
966 (unsigned long) len
- eap_len
);
970 case EAP_CODE_RESPONSE
:
971 handle_eap_response(hapd
, sta
, eap
, eap_len
);
973 case EAP_CODE_INITIATE
:
974 handle_eap_initiate(hapd
, sta
, eap
, eap_len
);
980 struct eapol_state_machine
*
981 ieee802_1x_alloc_eapol_sm(struct hostapd_data
*hapd
, struct sta_info
*sta
)
985 if (sta
->flags
& WLAN_STA_PREAUTH
)
986 flags
|= EAPOL_SM_PREAUTH
;
988 flags
|= EAPOL_SM_USES_WPA
;
989 if (wpa_auth_sta_get_pmksa(sta
->wpa_sm
))
990 flags
|= EAPOL_SM_FROM_PMKSA_CACHE
;
992 return eapol_auth_alloc(hapd
->eapol_auth
, sta
->addr
, flags
,
993 sta
->wps_ie
, sta
->p2p_ie
, sta
,
994 sta
->identity
, sta
->radius_cui
);
998 static void ieee802_1x_save_eapol(struct sta_info
*sta
, const u8
*buf
,
1001 if (sta
->pending_eapol_rx
) {
1002 wpabuf_free(sta
->pending_eapol_rx
->buf
);
1004 sta
->pending_eapol_rx
=
1005 os_malloc(sizeof(*sta
->pending_eapol_rx
));
1006 if (!sta
->pending_eapol_rx
)
1010 sta
->pending_eapol_rx
->buf
= wpabuf_alloc_copy(buf
, len
);
1011 if (!sta
->pending_eapol_rx
->buf
) {
1012 os_free(sta
->pending_eapol_rx
);
1013 sta
->pending_eapol_rx
= NULL
;
1017 os_get_reltime(&sta
->pending_eapol_rx
->rx_time
);
1022 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
1023 * @hapd: hostapd BSS data
1024 * @sa: Source address (sender of the EAPOL frame)
1026 * @len: Length of buf in octets
1028 * This function is called for each incoming EAPOL frame from the interface
1030 void ieee802_1x_receive(struct hostapd_data
*hapd
, const u8
*sa
, const u8
*buf
,
1033 struct sta_info
*sta
;
1034 struct ieee802_1x_hdr
*hdr
;
1035 struct ieee802_1x_eapol_key
*key
;
1037 struct rsn_pmksa_cache_entry
*pmksa
;
1040 if (!hapd
->conf
->ieee802_1x
&& !hapd
->conf
->wpa
&& !hapd
->conf
->osen
&&
1041 !hapd
->conf
->wps_state
)
1044 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: %lu bytes from " MACSTR
,
1045 (unsigned long) len
, MAC2STR(sa
));
1046 sta
= ap_get_sta(hapd
, sa
);
1047 if (!sta
|| (!(sta
->flags
& (WLAN_STA_ASSOC
| WLAN_STA_PREAUTH
)) &&
1048 !(hapd
->iface
->drv_flags
& WPA_DRIVER_FLAGS_WIRED
))) {
1049 wpa_printf(MSG_DEBUG
,
1050 "IEEE 802.1X data frame from not associated/Pre-authenticating STA");
1052 if (sta
&& (sta
->flags
& WLAN_STA_AUTH
)) {
1053 wpa_printf(MSG_DEBUG
, "Saving EAPOL frame from " MACSTR
1054 " for later use", MAC2STR(sta
->addr
));
1055 ieee802_1x_save_eapol(sta
, buf
, len
);
1061 if (len
< sizeof(*hdr
)) {
1062 wpa_printf(MSG_INFO
, " too short IEEE 802.1X packet");
1066 hdr
= (struct ieee802_1x_hdr
*) buf
;
1067 datalen
= be_to_host16(hdr
->length
);
1068 wpa_printf(MSG_DEBUG
, " IEEE 802.1X: version=%d type=%d length=%d",
1069 hdr
->version
, hdr
->type
, datalen
);
1071 if (len
- sizeof(*hdr
) < datalen
) {
1072 wpa_printf(MSG_INFO
,
1073 " frame too short for this IEEE 802.1X packet");
1075 sta
->eapol_sm
->dot1xAuthEapLengthErrorFramesRx
++;
1078 if (len
- sizeof(*hdr
) > datalen
) {
1079 wpa_printf(MSG_DEBUG
,
1080 " ignoring %lu extra octets after IEEE 802.1X packet",
1081 (unsigned long) len
- sizeof(*hdr
) - datalen
);
1084 if (sta
->eapol_sm
) {
1085 sta
->eapol_sm
->dot1xAuthLastEapolFrameVersion
= hdr
->version
;
1086 sta
->eapol_sm
->dot1xAuthEapolFramesRx
++;
1089 key
= (struct ieee802_1x_eapol_key
*) (hdr
+ 1);
1090 if (datalen
>= sizeof(struct ieee802_1x_eapol_key
) &&
1091 hdr
->type
== IEEE802_1X_TYPE_EAPOL_KEY
&&
1092 (key
->type
== EAPOL_KEY_TYPE_WPA
||
1093 key
->type
== EAPOL_KEY_TYPE_RSN
)) {
1094 wpa_receive(hapd
->wpa_auth
, sta
->wpa_sm
, (u8
*) hdr
,
1095 sizeof(*hdr
) + datalen
);
1099 if (!hapd
->conf
->ieee802_1x
&& !hapd
->conf
->osen
&&
1100 !(sta
->flags
& (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
))) {
1101 wpa_printf(MSG_DEBUG
,
1102 "IEEE 802.1X: Ignore EAPOL message - 802.1X not enabled and WPS not used");
1106 key_mgmt
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
1107 if (key_mgmt
!= -1 &&
1108 (wpa_key_mgmt_wpa_psk(key_mgmt
) || key_mgmt
== WPA_KEY_MGMT_OWE
||
1109 key_mgmt
== WPA_KEY_MGMT_DPP
)) {
1110 wpa_printf(MSG_DEBUG
,
1111 "IEEE 802.1X: Ignore EAPOL message - STA is using PSK");
1115 if (!sta
->eapol_sm
) {
1116 sta
->eapol_sm
= ieee802_1x_alloc_eapol_sm(hapd
, sta
);
1121 if (!hapd
->conf
->ieee802_1x
&& hapd
->conf
->wps_state
) {
1122 u32 wflags
= sta
->flags
& (WLAN_STA_WPS
|
1124 WLAN_STA_MAYBE_WPS
);
1125 if (wflags
== WLAN_STA_MAYBE_WPS
||
1126 wflags
== (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
)) {
1128 * Delay EAPOL frame transmission until a
1129 * possible WPS STA initiates the handshake
1130 * with EAPOL-Start. Only allow the wait to be
1131 * skipped if the STA is known to support WPS
1134 wpa_printf(MSG_DEBUG
,
1135 "WPS: Do not start EAPOL until EAPOL-Start is received");
1136 sta
->eapol_sm
->flags
|= EAPOL_SM_WAIT_START
;
1139 #endif /* CONFIG_WPS */
1141 sta
->eapol_sm
->eap_if
->portEnabled
= TRUE
;
1144 /* since we support version 1, we can ignore version field and proceed
1145 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
1146 /* TODO: actually, we are not version 1 anymore.. However, Version 2
1147 * does not change frame contents, so should be ok to process frames
1148 * more or less identically. Some changes might be needed for
1149 * verification of fields. */
1151 switch (hdr
->type
) {
1152 case IEEE802_1X_TYPE_EAP_PACKET
:
1153 handle_eap(hapd
, sta
, (u8
*) (hdr
+ 1), datalen
);
1156 case IEEE802_1X_TYPE_EAPOL_START
:
1157 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1158 HOSTAPD_LEVEL_DEBUG
,
1159 "received EAPOL-Start from STA");
1160 sta
->eapol_sm
->flags
&= ~EAPOL_SM_WAIT_START
;
1161 pmksa
= wpa_auth_sta_get_pmksa(sta
->wpa_sm
);
1163 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_WPA
,
1164 HOSTAPD_LEVEL_DEBUG
,
1165 "cached PMKSA available - ignore it since STA sent EAPOL-Start");
1166 wpa_auth_sta_clear_pmksa(sta
->wpa_sm
, pmksa
);
1168 sta
->eapol_sm
->eapolStart
= TRUE
;
1169 sta
->eapol_sm
->dot1xAuthEapolStartFramesRx
++;
1170 eap_server_clear_identity(sta
->eapol_sm
->eap
);
1171 wpa_auth_sm_event(sta
->wpa_sm
, WPA_REAUTH_EAPOL
);
1174 case IEEE802_1X_TYPE_EAPOL_LOGOFF
:
1175 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1176 HOSTAPD_LEVEL_DEBUG
,
1177 "received EAPOL-Logoff from STA");
1178 sta
->acct_terminate_cause
=
1179 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST
;
1180 accounting_sta_stop(hapd
, sta
);
1181 sta
->eapol_sm
->eapolLogoff
= TRUE
;
1182 sta
->eapol_sm
->dot1xAuthEapolLogoffFramesRx
++;
1183 eap_server_clear_identity(sta
->eapol_sm
->eap
);
1186 case IEEE802_1X_TYPE_EAPOL_KEY
:
1187 wpa_printf(MSG_DEBUG
, " EAPOL-Key");
1188 if (!ap_sta_is_authorized(sta
)) {
1189 wpa_printf(MSG_DEBUG
,
1190 " Dropped key data from unauthorized Supplicant");
1195 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT
:
1196 wpa_printf(MSG_DEBUG
, " EAPOL-Encapsulated-ASF-Alert");
1197 /* TODO: implement support for this; show data */
1200 #ifdef CONFIG_MACSEC
1201 case IEEE802_1X_TYPE_EAPOL_MKA
:
1202 wpa_printf(MSG_EXCESSIVE
,
1203 "EAPOL type %d will be handled by MKA", hdr
->type
);
1205 #endif /* CONFIG_MACSEC */
1208 wpa_printf(MSG_DEBUG
, " unknown IEEE 802.1X packet type");
1209 sta
->eapol_sm
->dot1xAuthInvalidEapolFramesRx
++;
1213 eapol_auth_step(sta
->eapol_sm
);
1218 * ieee802_1x_new_station - Start IEEE 802.1X authentication
1219 * @hapd: hostapd BSS data
1222 * This function is called to start IEEE 802.1X authentication when a new
1223 * station completes IEEE 802.11 association.
1225 void ieee802_1x_new_station(struct hostapd_data
*hapd
, struct sta_info
*sta
)
1227 struct rsn_pmksa_cache_entry
*pmksa
;
1233 if (hapd
->conf
->wps_state
&&
1234 ((hapd
->conf
->wpa
&& (sta
->flags
& WLAN_STA_MAYBE_WPS
)) ||
1235 (sta
->flags
& WLAN_STA_WPS
))) {
1237 * Need to enable IEEE 802.1X/EAPOL state machines for possible
1238 * WPS handshake even if IEEE 802.1X/EAPOL is not used for
1239 * authentication in this BSS.
1243 #endif /* CONFIG_WPS */
1245 if (!force_1x
&& !hapd
->conf
->ieee802_1x
&& !hapd
->conf
->osen
) {
1246 wpa_printf(MSG_DEBUG
,
1247 "IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS");
1249 * Clear any possible EAPOL authenticator state to support
1250 * reassociation change from WPS to PSK.
1252 ieee802_1x_free_station(hapd
, sta
);
1256 key_mgmt
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
1257 if (key_mgmt
!= -1 &&
1258 (wpa_key_mgmt_wpa_psk(key_mgmt
) || key_mgmt
== WPA_KEY_MGMT_OWE
||
1259 key_mgmt
== WPA_KEY_MGMT_DPP
)) {
1260 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Ignore STA - using PSK");
1262 * Clear any possible EAPOL authenticator state to support
1263 * reassociation change from WPA-EAP to PSK.
1265 ieee802_1x_free_station(hapd
, sta
);
1269 if (!sta
->eapol_sm
) {
1270 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1271 HOSTAPD_LEVEL_DEBUG
, "start authentication");
1272 sta
->eapol_sm
= ieee802_1x_alloc_eapol_sm(hapd
, sta
);
1273 if (!sta
->eapol_sm
) {
1274 hostapd_logger(hapd
, sta
->addr
,
1275 HOSTAPD_MODULE_IEEE8021X
,
1277 "failed to allocate state machine");
1284 sta
->eapol_sm
->flags
&= ~EAPOL_SM_WAIT_START
;
1285 if (!hapd
->conf
->ieee802_1x
&& hapd
->conf
->wps_state
&&
1286 !(sta
->flags
& WLAN_STA_WPS2
)) {
1288 * Delay EAPOL frame transmission until a possible WPS STA
1289 * initiates the handshake with EAPOL-Start. Only allow the
1290 * wait to be skipped if the STA is known to support WPS 2.0.
1292 wpa_printf(MSG_DEBUG
,
1293 "WPS: Do not start EAPOL until EAPOL-Start is received");
1294 sta
->eapol_sm
->flags
|= EAPOL_SM_WAIT_START
;
1296 #endif /* CONFIG_WPS */
1298 sta
->eapol_sm
->eap_if
->portEnabled
= TRUE
;
1300 #ifdef CONFIG_IEEE80211R_AP
1301 if (sta
->auth_alg
== WLAN_AUTH_FT
) {
1302 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1303 HOSTAPD_LEVEL_DEBUG
,
1304 "PMK from FT - skip IEEE 802.1X/EAP");
1305 /* Setup EAPOL state machines to already authenticated state
1306 * because of existing FT information from R0KH. */
1307 sta
->eapol_sm
->keyRun
= TRUE
;
1308 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1309 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1310 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1311 sta
->eapol_sm
->authSuccess
= TRUE
;
1312 sta
->eapol_sm
->authFail
= FALSE
;
1313 sta
->eapol_sm
->portValid
= TRUE
;
1314 if (sta
->eapol_sm
->eap
)
1315 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1316 ap_sta_bind_vlan(hapd
, sta
);
1319 #endif /* CONFIG_IEEE80211R_AP */
1322 if (sta
->auth_alg
== WLAN_AUTH_FILS_SK
||
1323 sta
->auth_alg
== WLAN_AUTH_FILS_SK_PFS
||
1324 sta
->auth_alg
== WLAN_AUTH_FILS_PK
) {
1325 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1326 HOSTAPD_LEVEL_DEBUG
,
1327 "PMK from FILS - skip IEEE 802.1X/EAP");
1328 /* Setup EAPOL state machines to already authenticated state
1329 * because of existing FILS information. */
1330 sta
->eapol_sm
->keyRun
= TRUE
;
1331 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1332 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1333 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1334 sta
->eapol_sm
->authSuccess
= TRUE
;
1335 sta
->eapol_sm
->authFail
= FALSE
;
1336 sta
->eapol_sm
->portValid
= TRUE
;
1337 if (sta
->eapol_sm
->eap
)
1338 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1339 wpa_auth_set_ptk_rekey_timer(sta
->wpa_sm
);
1342 #endif /* CONFIG_FILS */
1344 pmksa
= wpa_auth_sta_get_pmksa(sta
->wpa_sm
);
1346 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1347 HOSTAPD_LEVEL_DEBUG
,
1348 "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
1349 /* Setup EAPOL state machines to already authenticated state
1350 * because of existing PMKSA information in the cache. */
1351 sta
->eapol_sm
->keyRun
= TRUE
;
1352 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1353 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1354 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1355 sta
->eapol_sm
->authSuccess
= TRUE
;
1356 sta
->eapol_sm
->authFail
= FALSE
;
1357 if (sta
->eapol_sm
->eap
)
1358 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1359 pmksa_cache_to_eapol_data(hapd
, pmksa
, sta
->eapol_sm
);
1360 ap_sta_bind_vlan(hapd
, sta
);
1364 * Force EAPOL state machines to start
1365 * re-authentication without having to wait for the
1366 * Supplicant to send EAPOL-Start.
1368 sta
->eapol_sm
->reAuthenticate
= TRUE
;
1370 eapol_auth_step(sta
->eapol_sm
);
1375 void ieee802_1x_free_station(struct hostapd_data
*hapd
, struct sta_info
*sta
)
1377 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1380 eloop_cancel_timeout(ieee802_1x_wnm_notif_send
, hapd
, sta
);
1381 #endif /* CONFIG_HS20 */
1383 if (sta
->pending_eapol_rx
) {
1384 wpabuf_free(sta
->pending_eapol_rx
->buf
);
1385 os_free(sta
->pending_eapol_rx
);
1386 sta
->pending_eapol_rx
= NULL
;
1392 sta
->eapol_sm
= NULL
;
1394 #ifndef CONFIG_NO_RADIUS
1395 radius_msg_free(sm
->last_recv_radius
);
1396 radius_free_class(&sm
->radius_class
);
1397 #endif /* CONFIG_NO_RADIUS */
1399 eapol_auth_free(sm
);
1403 #ifndef CONFIG_NO_RADIUS
1404 static void ieee802_1x_decapsulate_radius(struct hostapd_data
*hapd
,
1405 struct sta_info
*sta
)
1408 const struct eap_hdr
*hdr
;
1411 struct radius_msg
*msg
;
1412 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1414 if (!sm
|| !sm
->last_recv_radius
) {
1416 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1420 msg
= sm
->last_recv_radius
;
1422 eap
= radius_msg_get_eap(msg
);
1424 /* RFC 3579, Chap. 2.6.3:
1425 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
1427 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1428 HOSTAPD_LEVEL_WARNING
,
1429 "could not extract EAP-Message from RADIUS message");
1430 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1434 if (wpabuf_len(eap
) < sizeof(*hdr
)) {
1435 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1436 HOSTAPD_LEVEL_WARNING
,
1437 "too short EAP packet received from authentication server");
1439 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1443 if (wpabuf_len(eap
) > sizeof(*hdr
))
1444 eap_type
= (wpabuf_head_u8(eap
))[sizeof(*hdr
)];
1446 hdr
= wpabuf_head(eap
);
1447 switch (hdr
->code
) {
1448 case EAP_CODE_REQUEST
:
1450 sm
->eap_type_authsrv
= eap_type
;
1451 os_snprintf(buf
, sizeof(buf
), "EAP-Request-%s (%d)",
1452 eap_server_get_name(0, eap_type
), eap_type
);
1454 case EAP_CODE_RESPONSE
:
1455 os_snprintf(buf
, sizeof(buf
), "EAP Response-%s (%d)",
1456 eap_server_get_name(0, eap_type
), eap_type
);
1458 case EAP_CODE_SUCCESS
:
1459 os_strlcpy(buf
, "EAP Success", sizeof(buf
));
1461 case EAP_CODE_FAILURE
:
1462 os_strlcpy(buf
, "EAP Failure", sizeof(buf
));
1465 os_strlcpy(buf
, "unknown EAP code", sizeof(buf
));
1468 buf
[sizeof(buf
) - 1] = '\0';
1469 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1470 HOSTAPD_LEVEL_DEBUG
,
1471 "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s",
1472 hdr
->code
, hdr
->identifier
, be_to_host16(hdr
->length
),
1474 sm
->eap_if
->aaaEapReq
= TRUE
;
1476 wpabuf_free(sm
->eap_if
->aaaEapReqData
);
1477 sm
->eap_if
->aaaEapReqData
= eap
;
1481 static void ieee802_1x_get_keys(struct hostapd_data
*hapd
,
1482 struct sta_info
*sta
, struct radius_msg
*msg
,
1483 struct radius_msg
*req
,
1484 const u8
*shared_secret
,
1485 size_t shared_secret_len
)
1487 struct radius_ms_mppe_keys
*keys
;
1490 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1495 keys
= radius_msg_get_ms_keys(msg
, req
, shared_secret
,
1498 if (keys
&& keys
->send
&& keys
->recv
) {
1499 len
= keys
->send_len
+ keys
->recv_len
;
1500 wpa_hexdump_key(MSG_DEBUG
, "MS-MPPE-Send-Key",
1501 keys
->send
, keys
->send_len
);
1502 wpa_hexdump_key(MSG_DEBUG
, "MS-MPPE-Recv-Key",
1503 keys
->recv
, keys
->recv_len
);
1505 os_free(sm
->eap_if
->aaaEapKeyData
);
1506 sm
->eap_if
->aaaEapKeyData
= os_malloc(len
);
1507 if (sm
->eap_if
->aaaEapKeyData
) {
1508 os_memcpy(sm
->eap_if
->aaaEapKeyData
, keys
->recv
,
1510 os_memcpy(sm
->eap_if
->aaaEapKeyData
+ keys
->recv_len
,
1511 keys
->send
, keys
->send_len
);
1512 sm
->eap_if
->aaaEapKeyDataLen
= len
;
1513 sm
->eap_if
->aaaEapKeyAvailable
= TRUE
;
1516 wpa_printf(MSG_DEBUG
,
1517 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p",
1518 keys
, keys
? keys
->send
: NULL
,
1519 keys
? keys
->recv
: NULL
);
1523 os_free(keys
->send
);
1524 os_free(keys
->recv
);
1528 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_EAP_KEY_NAME
, &buf
, &len
,
1530 os_free(sm
->eap_if
->eapSessionId
);
1531 sm
->eap_if
->eapSessionId
= os_memdup(buf
, len
);
1532 if (sm
->eap_if
->eapSessionId
) {
1533 sm
->eap_if
->eapSessionIdLen
= len
;
1534 wpa_hexdump(MSG_DEBUG
, "EAP-Key Name",
1535 sm
->eap_if
->eapSessionId
,
1536 sm
->eap_if
->eapSessionIdLen
);
1539 sm
->eap_if
->eapSessionIdLen
= 0;
1544 static void ieee802_1x_store_radius_class(struct hostapd_data
*hapd
,
1545 struct sta_info
*sta
,
1546 struct radius_msg
*msg
)
1550 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1552 struct radius_attr_data
*nclass
;
1553 size_t nclass_count
;
1555 if (!hapd
->conf
->radius
->acct_server
|| !hapd
->radius
|| !sm
)
1558 radius_free_class(&sm
->radius_class
);
1559 count
= radius_msg_count_attr(msg
, RADIUS_ATTR_CLASS
, 1);
1563 nclass
= os_calloc(count
, sizeof(struct radius_attr_data
));
1570 for (i
= 0; i
< count
; i
++) {
1572 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_CLASS
,
1573 &attr_class
, &class_len
,
1578 } while (class_len
< 1);
1580 nclass
[nclass_count
].data
= os_memdup(attr_class
, class_len
);
1581 if (!nclass
[nclass_count
].data
)
1584 nclass
[nclass_count
].len
= class_len
;
1588 sm
->radius_class
.attr
= nclass
;
1589 sm
->radius_class
.count
= nclass_count
;
1590 wpa_printf(MSG_DEBUG
,
1591 "IEEE 802.1X: Stored %lu RADIUS Class attributes for "
1593 (unsigned long) sm
->radius_class
.count
,
1594 MAC2STR(sta
->addr
));
1598 /* Update sta->identity based on User-Name attribute in Access-Accept */
1599 static void ieee802_1x_update_sta_identity(struct hostapd_data
*hapd
,
1600 struct sta_info
*sta
,
1601 struct radius_msg
*msg
)
1605 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1610 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_USER_NAME
, &buf
, &len
,
1614 identity
= (u8
*) dup_binstr(buf
, len
);
1618 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1619 HOSTAPD_LEVEL_DEBUG
,
1620 "old identity '%s' updated with User-Name from Access-Accept '%s'",
1621 sm
->identity
? (char *) sm
->identity
: "N/A",
1624 os_free(sm
->identity
);
1625 sm
->identity
= identity
;
1626 sm
->identity_len
= len
;
1630 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */
1631 static void ieee802_1x_update_sta_cui(struct hostapd_data
*hapd
,
1632 struct sta_info
*sta
,
1633 struct radius_msg
*msg
)
1635 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1643 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY
,
1644 &buf
, &len
, NULL
) < 0)
1647 cui
= wpabuf_alloc_copy(buf
, len
);
1651 wpabuf_free(sm
->radius_cui
);
1652 sm
->radius_cui
= cui
;
1658 static void ieee802_1x_hs20_sub_rem(struct sta_info
*sta
, u8
*pos
, size_t len
)
1660 sta
->remediation
= 1;
1661 os_free(sta
->remediation_url
);
1663 sta
->remediation_url
= os_malloc(len
);
1664 if (!sta
->remediation_url
)
1666 sta
->remediation_method
= pos
[0];
1667 os_memcpy(sta
->remediation_url
, pos
+ 1, len
- 1);
1668 sta
->remediation_url
[len
- 1] = '\0';
1669 wpa_printf(MSG_DEBUG
,
1670 "HS 2.0: Subscription remediation needed for "
1671 MACSTR
" - server method %u URL %s",
1672 MAC2STR(sta
->addr
), sta
->remediation_method
,
1673 sta
->remediation_url
);
1675 sta
->remediation_url
= NULL
;
1676 wpa_printf(MSG_DEBUG
,
1677 "HS 2.0: Subscription remediation needed for "
1678 MACSTR
, MAC2STR(sta
->addr
));
1680 /* TODO: assign the STA into remediation VLAN or add filtering */
1684 static void ieee802_1x_hs20_deauth_req(struct hostapd_data
*hapd
,
1685 struct sta_info
*sta
, u8
*pos
,
1689 return; /* Malformed information */
1690 sta
->hs20_deauth_requested
= 1;
1691 wpa_printf(MSG_DEBUG
,
1692 "HS 2.0: Deauthentication request - Code %u Re-auth Delay %u",
1693 *pos
, WPA_GET_LE16(pos
+ 1));
1694 wpabuf_free(sta
->hs20_deauth_req
);
1695 sta
->hs20_deauth_req
= wpabuf_alloc(len
+ 1);
1696 if (sta
->hs20_deauth_req
) {
1697 wpabuf_put_data(sta
->hs20_deauth_req
, pos
, 3);
1698 wpabuf_put_u8(sta
->hs20_deauth_req
, len
- 3);
1699 wpabuf_put_data(sta
->hs20_deauth_req
, pos
+ 3, len
- 3);
1701 ap_sta_session_timeout(hapd
, sta
, hapd
->conf
->hs20_deauth_req_timeout
);
1705 static void ieee802_1x_hs20_session_info(struct hostapd_data
*hapd
,
1706 struct sta_info
*sta
, u8
*pos
,
1707 size_t len
, int session_timeout
)
1710 int warning_time
, beacon_int
;
1713 return; /* Malformed information */
1714 os_free(sta
->hs20_session_info_url
);
1715 sta
->hs20_session_info_url
= os_malloc(len
);
1716 if (!sta
->hs20_session_info_url
)
1719 os_memcpy(sta
->hs20_session_info_url
, pos
+ 1, len
- 1);
1720 sta
->hs20_session_info_url
[len
- 1] = '\0';
1721 wpa_printf(MSG_DEBUG
,
1722 "HS 2.0: Session Information URL='%s' SWT=%u (session_timeout=%d)",
1723 sta
->hs20_session_info_url
, swt
, session_timeout
);
1724 if (session_timeout
< 0) {
1725 wpa_printf(MSG_DEBUG
,
1726 "HS 2.0: No Session-Timeout set - ignore session info URL");
1730 swt
= 1; /* Use one minute as the AP selected value */
1732 if ((unsigned int) session_timeout
< swt
* 60)
1735 warning_time
= session_timeout
- swt
* 60;
1737 beacon_int
= hapd
->iconf
->beacon_int
;
1739 beacon_int
= 100; /* best guess */
1740 sta
->hs20_disassoc_timer
= swt
* 60 * 1000 / beacon_int
* 125 / 128;
1741 if (sta
->hs20_disassoc_timer
> 65535)
1742 sta
->hs20_disassoc_timer
= 65535;
1744 ap_sta_session_warning_timeout(hapd
, sta
, warning_time
);
1748 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data
*hapd
,
1749 struct sta_info
*sta
, u8
*pos
,
1753 return; /* Malformed information */
1754 wpa_printf(MSG_DEBUG
,
1755 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x",
1756 pos
[0], pos
[1], pos
[2], pos
[3]);
1757 hs20_t_c_filtering(hapd
, sta
, pos
[0] & BIT(0));
1761 static void ieee802_1x_hs20_t_c_url(struct hostapd_data
*hapd
,
1762 struct sta_info
*sta
, u8
*pos
, size_t len
)
1764 os_free(sta
->t_c_url
);
1765 sta
->t_c_url
= os_malloc(len
+ 1);
1768 os_memcpy(sta
->t_c_url
, pos
, len
);
1769 sta
->t_c_url
[len
] = '\0';
1770 wpa_printf(MSG_DEBUG
,
1771 "HS 2.0: Terms and Conditions URL %s", sta
->t_c_url
);
1774 #endif /* CONFIG_HS20 */
1777 static void ieee802_1x_check_hs20(struct hostapd_data
*hapd
,
1778 struct sta_info
*sta
,
1779 struct radius_msg
*msg
,
1780 int session_timeout
)
1783 u8
*buf
, *pos
, *end
, type
, sublen
;
1787 sta
->remediation
= 0;
1788 sta
->hs20_deauth_requested
= 0;
1791 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_VENDOR_SPECIFIC
,
1792 &buf
, &len
, buf
) < 0)
1798 if (WPA_GET_BE32(pos
) != RADIUS_VENDOR_ID_WFA
)
1805 continue; /* invalid length */
1806 sublen
-= 2; /* skip header */
1807 if (pos
+ sublen
> end
)
1808 continue; /* invalid WFA VSA */
1811 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION
:
1812 ieee802_1x_hs20_sub_rem(sta
, pos
, sublen
);
1814 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ
:
1815 ieee802_1x_hs20_deauth_req(hapd
, sta
, pos
, sublen
);
1817 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL
:
1818 ieee802_1x_hs20_session_info(hapd
, sta
, pos
, sublen
,
1821 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING
:
1822 ieee802_1x_hs20_t_c_filtering(hapd
, sta
, pos
, sublen
);
1824 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL
:
1825 ieee802_1x_hs20_t_c_url(hapd
, sta
, pos
, sublen
);
1829 #endif /* CONFIG_HS20 */
1833 struct sta_id_search
{
1835 struct eapol_state_machine
*sm
;
1839 static int ieee802_1x_select_radius_identifier(struct hostapd_data
*hapd
,
1840 struct sta_info
*sta
,
1843 struct sta_id_search
*id_search
= ctx
;
1844 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1846 if (sm
&& sm
->radius_identifier
>= 0 &&
1847 sm
->radius_identifier
== id_search
->identifier
) {
1855 static struct eapol_state_machine
*
1856 ieee802_1x_search_radius_identifier(struct hostapd_data
*hapd
, u8 identifier
)
1858 struct sta_id_search id_search
;
1860 id_search
.identifier
= identifier
;
1861 id_search
.sm
= NULL
;
1862 ap_for_each_sta(hapd
, ieee802_1x_select_radius_identifier
, &id_search
);
1863 return id_search
.sm
;
1867 #ifndef CONFIG_NO_VLAN
1868 static int ieee802_1x_update_vlan(struct radius_msg
*msg
,
1869 struct hostapd_data
*hapd
,
1870 struct sta_info
*sta
)
1872 struct vlan_description vlan_desc
;
1874 os_memset(&vlan_desc
, 0, sizeof(vlan_desc
));
1875 vlan_desc
.notempty
= !!radius_msg_get_vlanid(msg
, &vlan_desc
.untagged
,
1876 MAX_NUM_TAGGED_VLAN
,
1879 if (vlan_desc
.notempty
&&
1880 !hostapd_vlan_valid(hapd
->conf
->vlan
, &vlan_desc
)) {
1881 sta
->eapol_sm
->authFail
= TRUE
;
1882 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_RADIUS
,
1884 "Invalid VLAN %d%s received from RADIUS server",
1886 vlan_desc
.tagged
[0] ? "+" : "");
1887 os_memset(&vlan_desc
, 0, sizeof(vlan_desc
));
1888 ap_sta_set_vlan(hapd
, sta
, &vlan_desc
);
1892 if (hapd
->conf
->ssid
.dynamic_vlan
== DYNAMIC_VLAN_REQUIRED
&&
1893 !vlan_desc
.notempty
) {
1894 sta
->eapol_sm
->authFail
= TRUE
;
1895 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1897 "authentication server did not include required VLAN ID in Access-Accept");
1901 return ap_sta_set_vlan(hapd
, sta
, &vlan_desc
);
1903 #endif /* CONFIG_NO_VLAN */
1907 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1908 * @msg: RADIUS response message
1909 * @req: RADIUS request message
1910 * @shared_secret: RADIUS shared secret
1911 * @shared_secret_len: Length of shared_secret in octets
1912 * @data: Context data (struct hostapd_data *)
1913 * Returns: Processing status
1915 static RadiusRxResult
1916 ieee802_1x_receive_auth(struct radius_msg
*msg
, struct radius_msg
*req
,
1917 const u8
*shared_secret
, size_t shared_secret_len
,
1920 struct hostapd_data
*hapd
= data
;
1921 struct sta_info
*sta
;
1922 u32 session_timeout
= 0, termination_action
, acct_interim_interval
;
1923 int session_timeout_set
;
1925 struct eapol_state_machine
*sm
;
1926 int override_eapReq
= 0;
1927 struct radius_hdr
*hdr
= radius_msg_get_hdr(msg
);
1929 sm
= ieee802_1x_search_radius_identifier(hapd
, hdr
->identifier
);
1931 wpa_printf(MSG_DEBUG
,
1932 "IEEE 802.1X: Could not find matching station for this RADIUS message");
1933 return RADIUS_RX_UNKNOWN
;
1937 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1938 * present when packet contains an EAP-Message attribute */
1939 if (hdr
->code
== RADIUS_CODE_ACCESS_REJECT
&&
1940 radius_msg_get_attr(msg
, RADIUS_ATTR_MESSAGE_AUTHENTICATOR
, NULL
,
1942 radius_msg_get_attr(msg
, RADIUS_ATTR_EAP_MESSAGE
, NULL
, 0) < 0) {
1943 wpa_printf(MSG_DEBUG
,
1944 "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
1945 } else if (radius_msg_verify(msg
, shared_secret
, shared_secret_len
,
1947 wpa_printf(MSG_INFO
,
1948 "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
1949 return RADIUS_RX_INVALID_AUTHENTICATOR
;
1952 if (hdr
->code
!= RADIUS_CODE_ACCESS_ACCEPT
&&
1953 hdr
->code
!= RADIUS_CODE_ACCESS_REJECT
&&
1954 hdr
->code
!= RADIUS_CODE_ACCESS_CHALLENGE
) {
1955 wpa_printf(MSG_INFO
, "Unknown RADIUS message code");
1956 return RADIUS_RX_UNKNOWN
;
1959 sm
->radius_identifier
= -1;
1960 wpa_printf(MSG_DEBUG
, "RADIUS packet matching with station " MACSTR
,
1961 MAC2STR(sta
->addr
));
1963 radius_msg_free(sm
->last_recv_radius
);
1964 sm
->last_recv_radius
= msg
;
1966 session_timeout_set
=
1967 !radius_msg_get_attr_int32(msg
, RADIUS_ATTR_SESSION_TIMEOUT
,
1969 if (radius_msg_get_attr_int32(msg
, RADIUS_ATTR_TERMINATION_ACTION
,
1970 &termination_action
))
1971 termination_action
= RADIUS_TERMINATION_ACTION_DEFAULT
;
1973 if (hapd
->conf
->acct_interim_interval
== 0 &&
1974 hdr
->code
== RADIUS_CODE_ACCESS_ACCEPT
&&
1975 radius_msg_get_attr_int32(msg
, RADIUS_ATTR_ACCT_INTERIM_INTERVAL
,
1976 &acct_interim_interval
) == 0) {
1977 if (acct_interim_interval
< 60) {
1978 hostapd_logger(hapd
, sta
->addr
,
1979 HOSTAPD_MODULE_IEEE8021X
,
1981 "ignored too small Acct-Interim-Interval %d",
1982 acct_interim_interval
);
1984 sta
->acct_interim_interval
= acct_interim_interval
;
1988 switch (hdr
->code
) {
1989 case RADIUS_CODE_ACCESS_ACCEPT
:
1990 #ifndef CONFIG_NO_VLAN
1991 if (hapd
->conf
->ssid
.dynamic_vlan
!= DYNAMIC_VLAN_DISABLED
&&
1992 ieee802_1x_update_vlan(msg
, hapd
, sta
) < 0)
1995 if (sta
->vlan_id
> 0) {
1996 hostapd_logger(hapd
, sta
->addr
,
1997 HOSTAPD_MODULE_RADIUS
,
1999 "VLAN ID %d", sta
->vlan_id
);
2002 if ((sta
->flags
& WLAN_STA_ASSOC
) &&
2003 ap_sta_bind_vlan(hapd
, sta
) < 0)
2005 #endif /* CONFIG_NO_VLAN */
2007 sta
->session_timeout_set
= !!session_timeout_set
;
2008 os_get_reltime(&sta
->session_timeout
);
2009 sta
->session_timeout
.sec
+= session_timeout
;
2011 /* RFC 3580, Ch. 3.17 */
2012 if (session_timeout_set
&& termination_action
==
2013 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST
)
2014 sm
->reAuthPeriod
= session_timeout
;
2015 else if (session_timeout_set
)
2016 ap_sta_session_timeout(hapd
, sta
, session_timeout
);
2018 ap_sta_no_session_timeout(hapd
, sta
);
2020 sm
->eap_if
->aaaSuccess
= TRUE
;
2021 override_eapReq
= 1;
2022 ieee802_1x_get_keys(hapd
, sta
, msg
, req
, shared_secret
,
2024 ieee802_1x_store_radius_class(hapd
, sta
, msg
);
2025 ieee802_1x_update_sta_identity(hapd
, sta
, msg
);
2026 ieee802_1x_update_sta_cui(hapd
, sta
, msg
);
2027 ieee802_1x_check_hs20(hapd
, sta
, msg
,
2028 session_timeout_set
?
2029 (int) session_timeout
: -1);
2031 case RADIUS_CODE_ACCESS_REJECT
:
2032 sm
->eap_if
->aaaFail
= TRUE
;
2033 override_eapReq
= 1;
2034 if (radius_msg_get_attr_int32(msg
, RADIUS_ATTR_WLAN_REASON_CODE
,
2035 &reason_code
) == 0) {
2036 wpa_printf(MSG_DEBUG
,
2037 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for "
2038 MACSTR
, reason_code
, MAC2STR(sta
->addr
));
2039 sta
->disconnect_reason_code
= reason_code
;
2042 case RADIUS_CODE_ACCESS_CHALLENGE
:
2043 sm
->eap_if
->aaaEapReq
= TRUE
;
2044 if (session_timeout_set
) {
2045 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
2046 sm
->eap_if
->aaaMethodTimeout
= session_timeout
;
2047 hostapd_logger(hapd
, sm
->addr
,
2048 HOSTAPD_MODULE_IEEE8021X
,
2049 HOSTAPD_LEVEL_DEBUG
,
2050 "using EAP timeout of %d seconds (from RADIUS)",
2051 sm
->eap_if
->aaaMethodTimeout
);
2054 * Use dynamic retransmission behavior per EAP
2057 sm
->eap_if
->aaaMethodTimeout
= 0;
2062 ieee802_1x_decapsulate_radius(hapd
, sta
);
2063 if (override_eapReq
)
2064 sm
->eap_if
->aaaEapReq
= FALSE
;
2068 if (sta
->flags
& WLAN_STA_PENDING_FILS_ERP
) {
2069 /* TODO: Add a PMKSA entry on success? */
2070 ieee802_11_finish_fils_auth(
2071 hapd
, sta
, hdr
->code
== RADIUS_CODE_ACCESS_ACCEPT
,
2072 sm
->eap_if
->aaaEapReqData
,
2073 sm
->eap_if
->aaaEapKeyData
,
2074 sm
->eap_if
->aaaEapKeyDataLen
);
2076 #endif /* NEED_AP_MLME */
2077 #endif /* CONFIG_FILS */
2079 eapol_auth_step(sm
);
2081 return RADIUS_RX_QUEUED
;
2083 #endif /* CONFIG_NO_RADIUS */
2086 void ieee802_1x_abort_auth(struct hostapd_data
*hapd
, struct sta_info
*sta
)
2088 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2093 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
2094 HOSTAPD_LEVEL_DEBUG
, "aborting authentication");
2096 #ifndef CONFIG_NO_RADIUS
2097 radius_msg_free(sm
->last_recv_radius
);
2098 sm
->last_recv_radius
= NULL
;
2099 #endif /* CONFIG_NO_RADIUS */
2101 if (sm
->eap_if
->eapTimeout
) {
2103 * Disconnect the STA since it did not reply to the last EAP
2104 * request and we cannot continue EAP processing (EAP-Failure
2105 * could only be sent if the EAP peer actually replied).
2107 wpa_dbg(hapd
->msg_ctx
, MSG_DEBUG
, "EAP Timeout, STA " MACSTR
,
2108 MAC2STR(sta
->addr
));
2110 sm
->eap_if
->portEnabled
= FALSE
;
2111 ap_sta_disconnect(hapd
, sta
, sta
->addr
,
2112 WLAN_REASON_PREV_AUTH_NOT_VALID
);
2117 static int ieee802_1x_rekey_broadcast(struct hostapd_data
*hapd
)
2119 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
2121 if (hapd
->conf
->default_wep_key_len
< 1)
2124 os_free(eapol
->default_wep_key
);
2125 eapol
->default_wep_key
= os_malloc(hapd
->conf
->default_wep_key_len
);
2126 if (!eapol
->default_wep_key
||
2127 random_get_bytes(eapol
->default_wep_key
,
2128 hapd
->conf
->default_wep_key_len
)) {
2129 wpa_printf(MSG_INFO
, "Could not generate random WEP key");
2130 os_free(eapol
->default_wep_key
);
2131 eapol
->default_wep_key
= NULL
;
2135 wpa_hexdump_key(MSG_DEBUG
, "IEEE 802.1X: New default WEP key",
2136 eapol
->default_wep_key
,
2137 hapd
->conf
->default_wep_key_len
);
2143 static int ieee802_1x_sta_key_available(struct hostapd_data
*hapd
,
2144 struct sta_info
*sta
, void *ctx
)
2146 if (sta
->eapol_sm
) {
2147 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
2148 eapol_auth_step(sta
->eapol_sm
);
2154 static void ieee802_1x_rekey(void *eloop_ctx
, void *timeout_ctx
)
2156 struct hostapd_data
*hapd
= eloop_ctx
;
2157 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
2159 if (eapol
->default_wep_key_idx
>= 3)
2160 eapol
->default_wep_key_idx
=
2161 hapd
->conf
->individual_wep_key_len
> 0 ? 1 : 0;
2163 eapol
->default_wep_key_idx
++;
2165 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: New default WEP key index %d",
2166 eapol
->default_wep_key_idx
);
2168 if (ieee802_1x_rekey_broadcast(hapd
)) {
2169 hostapd_logger(hapd
, NULL
, HOSTAPD_MODULE_IEEE8021X
,
2170 HOSTAPD_LEVEL_WARNING
,
2171 "failed to generate a new broadcast key");
2172 os_free(eapol
->default_wep_key
);
2173 eapol
->default_wep_key
= NULL
;
2177 /* TODO: Could setup key for RX here, but change default TX keyid only
2178 * after new broadcast key has been sent to all stations. */
2179 if (hostapd_drv_set_key(hapd
->conf
->iface
, hapd
, WPA_ALG_WEP
,
2180 broadcast_ether_addr
,
2181 eapol
->default_wep_key_idx
, 0, 1, NULL
, 0,
2182 eapol
->default_wep_key
,
2183 hapd
->conf
->default_wep_key_len
,
2184 KEY_FLAG_GROUP_RX_TX_DEFAULT
)) {
2185 hostapd_logger(hapd
, NULL
, HOSTAPD_MODULE_IEEE8021X
,
2186 HOSTAPD_LEVEL_WARNING
,
2187 "failed to configure a new broadcast key");
2188 os_free(eapol
->default_wep_key
);
2189 eapol
->default_wep_key
= NULL
;
2193 ap_for_each_sta(hapd
, ieee802_1x_sta_key_available
, NULL
);
2195 if (hapd
->conf
->wep_rekeying_period
> 0) {
2196 eloop_register_timeout(hapd
->conf
->wep_rekeying_period
, 0,
2197 ieee802_1x_rekey
, hapd
, NULL
);
2202 static void ieee802_1x_eapol_send(void *ctx
, void *sta_ctx
, u8 type
,
2203 const u8
*data
, size_t datalen
)
2206 struct sta_info
*sta
= sta_ctx
;
2208 if ((sta
->flags
& (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
)) ==
2209 WLAN_STA_MAYBE_WPS
) {
2211 size_t identity_len
;
2212 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2214 identity
= eap_get_identity(sm
->eap
, &identity_len
);
2216 ((identity_len
== WSC_ID_ENROLLEE_LEN
&&
2217 os_memcmp(identity
, WSC_ID_ENROLLEE
,
2218 WSC_ID_ENROLLEE_LEN
) == 0) ||
2219 (identity_len
== WSC_ID_REGISTRAR_LEN
&&
2220 os_memcmp(identity
, WSC_ID_REGISTRAR
,
2221 WSC_ID_REGISTRAR_LEN
) == 0))) {
2222 wpa_printf(MSG_DEBUG
,
2223 "WPS: WLAN_STA_MAYBE_WPS -> WLAN_STA_WPS");
2224 sta
->flags
|= WLAN_STA_WPS
;
2227 #endif /* CONFIG_WPS */
2229 ieee802_1x_send(ctx
, sta_ctx
, type
, data
, datalen
);
2233 static void ieee802_1x_aaa_send(void *ctx
, void *sta_ctx
,
2234 const u8
*data
, size_t datalen
)
2236 #ifndef CONFIG_NO_RADIUS
2237 struct hostapd_data
*hapd
= ctx
;
2238 struct sta_info
*sta
= sta_ctx
;
2240 ieee802_1x_encapsulate_radius(hapd
, sta
, data
, datalen
);
2241 #endif /* CONFIG_NO_RADIUS */
2245 static void _ieee802_1x_finished(void *ctx
, void *sta_ctx
, int success
,
2246 int preauth
, int remediation
)
2248 struct hostapd_data
*hapd
= ctx
;
2249 struct sta_info
*sta
= sta_ctx
;
2252 rsn_preauth_finished(hapd
, sta
, success
);
2254 ieee802_1x_finished(hapd
, sta
, success
, remediation
);
2258 static int ieee802_1x_get_eap_user(void *ctx
, const u8
*identity
,
2259 size_t identity_len
, int phase2
,
2260 struct eap_user
*user
)
2262 struct hostapd_data
*hapd
= ctx
;
2263 const struct hostapd_eap_user
*eap_user
;
2267 eap_user
= hostapd_get_eap_user(hapd
, identity
, identity_len
, phase2
);
2271 os_memset(user
, 0, sizeof(*user
));
2272 user
->phase2
= phase2
;
2273 for (i
= 0; i
< EAP_MAX_METHODS
; i
++) {
2274 user
->methods
[i
].vendor
= eap_user
->methods
[i
].vendor
;
2275 user
->methods
[i
].method
= eap_user
->methods
[i
].method
;
2278 if (eap_user
->password
) {
2279 user
->password
= os_memdup(eap_user
->password
,
2280 eap_user
->password_len
);
2281 if (!user
->password
)
2283 user
->password_len
= eap_user
->password_len
;
2284 user
->password_hash
= eap_user
->password_hash
;
2285 if (eap_user
->salt
&& eap_user
->salt_len
) {
2286 user
->salt
= os_memdup(eap_user
->salt
,
2287 eap_user
->salt_len
);
2290 user
->salt_len
= eap_user
->salt_len
;
2293 user
->force_version
= eap_user
->force_version
;
2294 user
->macacl
= eap_user
->macacl
;
2295 user
->ttls_auth
= eap_user
->ttls_auth
;
2296 user
->remediation
= eap_user
->remediation
;
2301 wpa_printf(MSG_DEBUG
, "%s: Failed to find user", __func__
);
2307 static int ieee802_1x_sta_entry_alive(void *ctx
, const u8
*addr
)
2309 struct hostapd_data
*hapd
= ctx
;
2310 struct sta_info
*sta
;
2312 sta
= ap_get_sta(hapd
, addr
);
2313 if (!sta
|| !sta
->eapol_sm
)
2319 static void ieee802_1x_logger(void *ctx
, const u8
*addr
,
2320 eapol_logger_level level
, const char *txt
)
2322 #ifndef CONFIG_NO_HOSTAPD_LOGGER
2323 struct hostapd_data
*hapd
= ctx
;
2327 case EAPOL_LOGGER_WARNING
:
2328 hlevel
= HOSTAPD_LEVEL_WARNING
;
2330 case EAPOL_LOGGER_INFO
:
2331 hlevel
= HOSTAPD_LEVEL_INFO
;
2333 case EAPOL_LOGGER_DEBUG
:
2335 hlevel
= HOSTAPD_LEVEL_DEBUG
;
2339 hostapd_logger(hapd
, addr
, HOSTAPD_MODULE_IEEE8021X
, hlevel
, "%s",
2341 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
2345 static void ieee802_1x_set_port_authorized(void *ctx
, void *sta_ctx
,
2348 struct hostapd_data
*hapd
= ctx
;
2349 struct sta_info
*sta
= sta_ctx
;
2351 ieee802_1x_set_sta_authorized(hapd
, sta
, authorized
);
2355 static void _ieee802_1x_abort_auth(void *ctx
, void *sta_ctx
)
2357 struct hostapd_data
*hapd
= ctx
;
2358 struct sta_info
*sta
= sta_ctx
;
2360 ieee802_1x_abort_auth(hapd
, sta
);
2364 static void _ieee802_1x_tx_key(void *ctx
, void *sta_ctx
)
2367 #ifndef CONFIG_NO_RC4
2368 struct hostapd_data
*hapd
= ctx
;
2369 struct sta_info
*sta
= sta_ctx
;
2371 ieee802_1x_tx_key(hapd
, sta
);
2372 #endif /* CONFIG_NO_RC4 */
2373 #endif /* CONFIG_FIPS */
2377 static void ieee802_1x_eapol_event(void *ctx
, void *sta_ctx
,
2378 enum eapol_event type
)
2380 /* struct hostapd_data *hapd = ctx; */
2381 struct sta_info
*sta
= sta_ctx
;
2384 case EAPOL_AUTH_SM_CHANGE
:
2385 wpa_auth_sm_notify(sta
->wpa_sm
);
2387 case EAPOL_AUTH_REAUTHENTICATE
:
2388 wpa_auth_sm_event(sta
->wpa_sm
, WPA_REAUTH_EAPOL
);
2396 static struct eap_server_erp_key
*
2397 ieee802_1x_erp_get_key(void *ctx
, const char *keyname
)
2399 struct hostapd_data
*hapd
= ctx
;
2400 struct eap_server_erp_key
*erp
;
2402 dl_list_for_each(erp
, &hapd
->erp_keys
, struct eap_server_erp_key
,
2404 if (os_strcmp(erp
->keyname_nai
, keyname
) == 0)
2412 static int ieee802_1x_erp_add_key(void *ctx
, struct eap_server_erp_key
*erp
)
2414 struct hostapd_data
*hapd
= ctx
;
2416 dl_list_add(&hapd
->erp_keys
, &erp
->list
);
2420 #endif /* CONFIG_ERP */
2423 int ieee802_1x_init(struct hostapd_data
*hapd
)
2426 struct eapol_auth_config conf
;
2427 struct eapol_auth_cb cb
;
2429 dl_list_init(&hapd
->erp_keys
);
2431 os_memset(&conf
, 0, sizeof(conf
));
2432 conf
.eap_cfg
= hapd
->eap_cfg
;
2434 conf
.eap_reauth_period
= hapd
->conf
->eap_reauth_period
;
2435 conf
.wpa
= hapd
->conf
->wpa
;
2436 conf
.individual_wep_key_len
= hapd
->conf
->individual_wep_key_len
;
2437 conf
.eap_req_id_text
= hapd
->conf
->eap_req_id_text
;
2438 conf
.eap_req_id_text_len
= hapd
->conf
->eap_req_id_text_len
;
2439 conf
.erp_send_reauth_start
= hapd
->conf
->erp_send_reauth_start
;
2440 conf
.erp_domain
= hapd
->conf
->erp_domain
;
2442 os_memset(&cb
, 0, sizeof(cb
));
2443 cb
.eapol_send
= ieee802_1x_eapol_send
;
2444 cb
.aaa_send
= ieee802_1x_aaa_send
;
2445 cb
.finished
= _ieee802_1x_finished
;
2446 cb
.get_eap_user
= ieee802_1x_get_eap_user
;
2447 cb
.sta_entry_alive
= ieee802_1x_sta_entry_alive
;
2448 cb
.logger
= ieee802_1x_logger
;
2449 cb
.set_port_authorized
= ieee802_1x_set_port_authorized
;
2450 cb
.abort_auth
= _ieee802_1x_abort_auth
;
2451 cb
.tx_key
= _ieee802_1x_tx_key
;
2452 cb
.eapol_event
= ieee802_1x_eapol_event
;
2454 cb
.erp_get_key
= ieee802_1x_erp_get_key
;
2455 cb
.erp_add_key
= ieee802_1x_erp_add_key
;
2456 #endif /* CONFIG_ERP */
2458 hapd
->eapol_auth
= eapol_auth_init(&conf
, &cb
);
2459 if (!hapd
->eapol_auth
)
2462 if ((hapd
->conf
->ieee802_1x
|| hapd
->conf
->wpa
) &&
2463 hostapd_set_drv_ieee8021x(hapd
, hapd
->conf
->iface
, 1))
2466 #ifndef CONFIG_NO_RADIUS
2467 if (radius_client_register(hapd
->radius
, RADIUS_AUTH
,
2468 ieee802_1x_receive_auth
, hapd
))
2470 #endif /* CONFIG_NO_RADIUS */
2472 if (hapd
->conf
->default_wep_key_len
) {
2473 for (i
= 0; i
< 4; i
++)
2474 hostapd_drv_set_key(hapd
->conf
->iface
, hapd
,
2475 WPA_ALG_NONE
, NULL
, i
, 0, 0, NULL
,
2476 0, NULL
, 0, KEY_FLAG_GROUP_RX_TX
);
2478 ieee802_1x_rekey(hapd
, NULL
);
2480 if (!hapd
->eapol_auth
->default_wep_key
)
2488 void ieee802_1x_erp_flush(struct hostapd_data
*hapd
)
2490 struct eap_server_erp_key
*erp
;
2492 while ((erp
= dl_list_first(&hapd
->erp_keys
, struct eap_server_erp_key
,
2494 dl_list_del(&erp
->list
);
2495 bin_clear_free(erp
, sizeof(*erp
));
2500 void ieee802_1x_deinit(struct hostapd_data
*hapd
)
2502 eloop_cancel_timeout(ieee802_1x_rekey
, hapd
, NULL
);
2504 if (hapd
->driver
&& hapd
->drv_priv
&&
2505 (hapd
->conf
->ieee802_1x
|| hapd
->conf
->wpa
))
2506 hostapd_set_drv_ieee8021x(hapd
, hapd
->conf
->iface
, 0);
2508 eapol_auth_deinit(hapd
->eapol_auth
);
2509 hapd
->eapol_auth
= NULL
;
2511 ieee802_1x_erp_flush(hapd
);
2515 int ieee802_1x_tx_status(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2516 const u8
*buf
, size_t len
, int ack
)
2518 struct ieee80211_hdr
*hdr
;
2520 const unsigned char rfc1042_hdr
[ETH_ALEN
] =
2521 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
2525 if (len
< sizeof(*hdr
) + sizeof(rfc1042_hdr
) + 2)
2528 hdr
= (struct ieee80211_hdr
*) buf
;
2529 pos
= (u8
*) (hdr
+ 1);
2530 if (os_memcmp(pos
, rfc1042_hdr
, sizeof(rfc1042_hdr
)) != 0)
2532 pos
+= sizeof(rfc1042_hdr
);
2533 if (WPA_GET_BE16(pos
) != ETH_P_PAE
)
2537 return ieee802_1x_eapol_tx_status(hapd
, sta
, pos
, buf
+ len
- pos
,
2542 int ieee802_1x_eapol_tx_status(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2543 const u8
*buf
, int len
, int ack
)
2545 const struct ieee802_1x_hdr
*xhdr
=
2546 (const struct ieee802_1x_hdr
*) buf
;
2547 const u8
*pos
= buf
+ sizeof(*xhdr
);
2548 struct ieee802_1x_eapol_key
*key
;
2550 if (len
< (int) sizeof(*xhdr
))
2552 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: " MACSTR
2553 " TX status - version=%d type=%d length=%d - ack=%d",
2554 MAC2STR(sta
->addr
), xhdr
->version
, xhdr
->type
,
2555 be_to_host16(xhdr
->length
), ack
);
2558 if (xhdr
->type
== IEEE802_1X_TYPE_EAP_PACKET
&& ack
&&
2559 (sta
->flags
& WLAN_STA_WPS
) &&
2560 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd
, sta
)) {
2561 wpa_printf(MSG_DEBUG
,
2562 "WPS: Indicate EAP completion on ACK for EAP-Failure");
2563 hostapd_wps_eap_completed(hapd
);
2565 #endif /* CONFIG_WPS */
2567 if (xhdr
->type
!= IEEE802_1X_TYPE_EAPOL_KEY
)
2570 if (pos
+ sizeof(struct wpa_eapol_key
) <= buf
+ len
) {
2571 const struct wpa_eapol_key
*wpa
;
2573 wpa
= (const struct wpa_eapol_key
*) pos
;
2574 if (wpa
->type
== EAPOL_KEY_TYPE_RSN
||
2575 wpa
->type
== EAPOL_KEY_TYPE_WPA
)
2576 wpa_auth_eapol_key_tx_status(hapd
->wpa_auth
,
2580 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
2581 * or Authenticator state machines, but EAPOL-Key packets are not
2582 * retransmitted in case of failure. Try to re-send failed EAPOL-Key
2583 * packets couple of times because otherwise STA keys become
2584 * unsynchronized with AP. */
2585 if (!ack
&& pos
+ sizeof(*key
) <= buf
+ len
) {
2586 key
= (struct ieee802_1x_eapol_key
*) pos
;
2587 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
2588 HOSTAPD_LEVEL_DEBUG
,
2589 "did not Ack EAPOL-Key frame (%scast index=%d)",
2590 key
->key_index
& BIT(7) ? "uni" : "broad",
2591 key
->key_index
& ~BIT(7));
2592 /* TODO: re-send EAPOL-Key couple of times (with short delay
2593 * between them?). If all attempt fail, report error and
2594 * deauthenticate STA so that it will get new keys when
2595 * authenticating again (e.g., after returning in range).
2596 * Separate limit/transmit state needed both for unicast and
2597 * broadcast keys(?) */
2599 /* TODO: could move unicast key configuration from ieee802_1x_tx_key()
2600 * to here and change the key only if the EAPOL-Key packet was Acked.
2607 u8
* ieee802_1x_get_identity(struct eapol_state_machine
*sm
, size_t *len
)
2609 if (!sm
|| !sm
->identity
)
2612 *len
= sm
->identity_len
;
2613 return sm
->identity
;
2617 u8
* ieee802_1x_get_radius_class(struct eapol_state_machine
*sm
, size_t *len
,
2620 if (!sm
|| !sm
->radius_class
.attr
||
2621 idx
>= (int) sm
->radius_class
.count
)
2624 *len
= sm
->radius_class
.attr
[idx
].len
;
2625 return sm
->radius_class
.attr
[idx
].data
;
2629 struct wpabuf
* ieee802_1x_get_radius_cui(struct eapol_state_machine
*sm
)
2633 return sm
->radius_cui
;
2637 const u8
* ieee802_1x_get_key(struct eapol_state_machine
*sm
, size_t *len
)
2643 *len
= sm
->eap_if
->eapKeyDataLen
;
2644 return sm
->eap_if
->eapKeyData
;
2648 #ifdef CONFIG_MACSEC
2649 const u8
* ieee802_1x_get_session_id(struct eapol_state_machine
*sm
,
2653 if (!sm
|| !sm
->eap_if
)
2656 *len
= sm
->eap_if
->eapSessionIdLen
;
2657 return sm
->eap_if
->eapSessionId
;
2659 #endif /* CONFIG_MACSEC */
2662 void ieee802_1x_notify_port_enabled(struct eapol_state_machine
*sm
,
2667 sm
->eap_if
->portEnabled
= enabled
? TRUE
: FALSE
;
2668 eapol_auth_step(sm
);
2672 void ieee802_1x_notify_port_valid(struct eapol_state_machine
*sm
,
2677 sm
->portValid
= valid
? TRUE
: FALSE
;
2678 eapol_auth_step(sm
);
2682 void ieee802_1x_notify_pre_auth(struct eapol_state_machine
*sm
, int pre_auth
)
2687 sm
->flags
|= EAPOL_SM_PREAUTH
;
2689 sm
->flags
&= ~EAPOL_SM_PREAUTH
;
2693 static const char * bool_txt(Boolean val
)
2695 return val
? "TRUE" : "FALSE";
2699 int ieee802_1x_get_mib(struct hostapd_data
*hapd
, char *buf
, size_t buflen
)
2706 int ieee802_1x_get_mib_sta(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2707 char *buf
, size_t buflen
)
2710 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2711 struct os_reltime diff
;
2714 char *identity_buf
= NULL
;
2719 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2720 "dot1xPaePortNumber=%d\n"
2721 "dot1xPaePortProtocolVersion=%d\n"
2722 "dot1xPaePortCapabilities=1\n"
2723 "dot1xPaePortInitialize=%d\n"
2724 "dot1xPaePortReauthenticate=FALSE\n",
2728 if (os_snprintf_error(buflen
- len
, ret
))
2732 /* dot1xAuthConfigTable */
2733 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2734 "dot1xAuthPaeState=%d\n"
2735 "dot1xAuthBackendAuthState=%d\n"
2736 "dot1xAuthAdminControlledDirections=%d\n"
2737 "dot1xAuthOperControlledDirections=%d\n"
2738 "dot1xAuthAuthControlledPortStatus=%d\n"
2739 "dot1xAuthAuthControlledPortControl=%d\n"
2740 "dot1xAuthQuietPeriod=%u\n"
2741 "dot1xAuthServerTimeout=%u\n"
2742 "dot1xAuthReAuthPeriod=%u\n"
2743 "dot1xAuthReAuthEnabled=%s\n"
2744 "dot1xAuthKeyTxEnabled=%s\n",
2745 sm
->auth_pae_state
+ 1,
2746 sm
->be_auth_state
+ 1,
2747 sm
->adminControlledDirections
,
2748 sm
->operControlledDirections
,
2754 bool_txt(sm
->reAuthEnabled
),
2755 bool_txt(sm
->keyTxEnabled
));
2756 if (os_snprintf_error(buflen
- len
, ret
))
2760 /* dot1xAuthStatsTable */
2761 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2762 "dot1xAuthEapolFramesRx=%u\n"
2763 "dot1xAuthEapolFramesTx=%u\n"
2764 "dot1xAuthEapolStartFramesRx=%u\n"
2765 "dot1xAuthEapolLogoffFramesRx=%u\n"
2766 "dot1xAuthEapolRespIdFramesRx=%u\n"
2767 "dot1xAuthEapolRespFramesRx=%u\n"
2768 "dot1xAuthEapolReqIdFramesTx=%u\n"
2769 "dot1xAuthEapolReqFramesTx=%u\n"
2770 "dot1xAuthInvalidEapolFramesRx=%u\n"
2771 "dot1xAuthEapLengthErrorFramesRx=%u\n"
2772 "dot1xAuthLastEapolFrameVersion=%u\n"
2773 "dot1xAuthLastEapolFrameSource=" MACSTR
"\n",
2774 sm
->dot1xAuthEapolFramesRx
,
2775 sm
->dot1xAuthEapolFramesTx
,
2776 sm
->dot1xAuthEapolStartFramesRx
,
2777 sm
->dot1xAuthEapolLogoffFramesRx
,
2778 sm
->dot1xAuthEapolRespIdFramesRx
,
2779 sm
->dot1xAuthEapolRespFramesRx
,
2780 sm
->dot1xAuthEapolReqIdFramesTx
,
2781 sm
->dot1xAuthEapolReqFramesTx
,
2782 sm
->dot1xAuthInvalidEapolFramesRx
,
2783 sm
->dot1xAuthEapLengthErrorFramesRx
,
2784 sm
->dot1xAuthLastEapolFrameVersion
,
2786 if (os_snprintf_error(buflen
- len
, ret
))
2790 /* dot1xAuthDiagTable */
2791 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2792 "dot1xAuthEntersConnecting=%u\n"
2793 "dot1xAuthEapLogoffsWhileConnecting=%u\n"
2794 "dot1xAuthEntersAuthenticating=%u\n"
2795 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2796 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2797 "dot1xAuthAuthFailWhileAuthenticating=%u\n"
2798 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2799 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2800 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2801 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2802 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2803 "dot1xAuthBackendResponses=%u\n"
2804 "dot1xAuthBackendAccessChallenges=%u\n"
2805 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2806 "dot1xAuthBackendAuthSuccesses=%u\n"
2807 "dot1xAuthBackendAuthFails=%u\n",
2808 sm
->authEntersConnecting
,
2809 sm
->authEapLogoffsWhileConnecting
,
2810 sm
->authEntersAuthenticating
,
2811 sm
->authAuthSuccessesWhileAuthenticating
,
2812 sm
->authAuthTimeoutsWhileAuthenticating
,
2813 sm
->authAuthFailWhileAuthenticating
,
2814 sm
->authAuthEapStartsWhileAuthenticating
,
2815 sm
->authAuthEapLogoffWhileAuthenticating
,
2816 sm
->authAuthReauthsWhileAuthenticated
,
2817 sm
->authAuthEapStartsWhileAuthenticated
,
2818 sm
->authAuthEapLogoffWhileAuthenticated
,
2819 sm
->backendResponses
,
2820 sm
->backendAccessChallenges
,
2821 sm
->backendOtherRequestsToSupplicant
,
2822 sm
->backendAuthSuccesses
,
2823 sm
->backendAuthFails
);
2824 if (os_snprintf_error(buflen
- len
, ret
))
2828 /* dot1xAuthSessionStatsTable */
2829 os_reltime_age(&sta
->acct_session_start
, &diff
);
2830 if (sm
->eap
&& !sm
->identity
) {
2834 id
= eap_get_identity(sm
->eap
, &id_len
);
2836 identity_buf
= dup_binstr(id
, id_len
);
2838 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2839 /* TODO: dot1xAuthSessionOctetsRx */
2840 /* TODO: dot1xAuthSessionOctetsTx */
2841 /* TODO: dot1xAuthSessionFramesRx */
2842 /* TODO: dot1xAuthSessionFramesTx */
2843 "dot1xAuthSessionId=%016llX\n"
2844 "dot1xAuthSessionAuthenticMethod=%d\n"
2845 "dot1xAuthSessionTime=%u\n"
2846 "dot1xAuthSessionTerminateCause=999\n"
2847 "dot1xAuthSessionUserName=%s\n",
2848 (unsigned long long) sta
->acct_session_id
,
2849 (wpa_key_mgmt_wpa_ieee8021x(
2850 wpa_auth_sta_key_mgmt(sta
->wpa_sm
))) ?
2852 (unsigned int) diff
.sec
,
2853 sm
->identity
? (char *) sm
->identity
:
2854 (identity_buf
? identity_buf
: "N/A"));
2855 os_free(identity_buf
);
2856 if (os_snprintf_error(buflen
- len
, ret
))
2860 if (sm
->acct_multi_session_id
) {
2861 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2862 "authMultiSessionId=%016llX\n",
2863 (unsigned long long)
2864 sm
->acct_multi_session_id
);
2865 if (os_snprintf_error(buflen
- len
, ret
))
2870 name1
= eap_server_get_name(0, sm
->eap_type_authsrv
);
2871 name2
= eap_server_get_name(0, sm
->eap_type_supp
);
2872 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2873 "last_eap_type_as=%d (%s)\n"
2874 "last_eap_type_sta=%d (%s)\n",
2875 sm
->eap_type_authsrv
, name1
,
2876 sm
->eap_type_supp
, name2
);
2877 if (os_snprintf_error(buflen
- len
, ret
))
2886 static void ieee802_1x_wnm_notif_send(void *eloop_ctx
, void *timeout_ctx
)
2888 struct hostapd_data
*hapd
= eloop_ctx
;
2889 struct sta_info
*sta
= timeout_ctx
;
2891 if (sta
->remediation
) {
2892 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2893 MACSTR
" to indicate Subscription Remediation",
2894 MAC2STR(sta
->addr
));
2895 hs20_send_wnm_notification(hapd
, sta
->addr
,
2896 sta
->remediation_method
,
2897 sta
->remediation_url
);
2898 os_free(sta
->remediation_url
);
2899 sta
->remediation_url
= NULL
;
2902 if (sta
->hs20_deauth_req
) {
2903 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2904 MACSTR
" to indicate imminent deauthentication",
2905 MAC2STR(sta
->addr
));
2906 hs20_send_wnm_notification_deauth_req(hapd
, sta
->addr
,
2907 sta
->hs20_deauth_req
);
2910 if (sta
->hs20_t_c_filtering
) {
2911 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2912 MACSTR
" to indicate Terms and Conditions filtering",
2913 MAC2STR(sta
->addr
));
2914 hs20_send_wnm_notification_t_c(hapd
, sta
->addr
, sta
->t_c_url
);
2915 os_free(sta
->t_c_url
);
2916 sta
->t_c_url
= NULL
;
2919 #endif /* CONFIG_HS20 */
2922 static void ieee802_1x_finished(struct hostapd_data
*hapd
,
2923 struct sta_info
*sta
, int success
,
2928 /* TODO: get PMKLifetime from WPA parameters */
2929 static const int dot11RSNAConfigPMKLifetime
= 43200;
2930 unsigned int session_timeout
;
2931 struct os_reltime now
, remaining
;
2934 if (remediation
&& !sta
->remediation
) {
2935 sta
->remediation
= 1;
2936 os_free(sta
->remediation_url
);
2937 sta
->remediation_url
=
2938 os_strdup(hapd
->conf
->subscr_remediation_url
);
2939 sta
->remediation_method
= 1; /* SOAP-XML SPP */
2942 if (success
&& (sta
->remediation
|| sta
->hs20_deauth_req
||
2943 sta
->hs20_t_c_filtering
)) {
2944 wpa_printf(MSG_DEBUG
, "HS 2.0: Schedule WNM-Notification to "
2945 MACSTR
" in 100 ms", MAC2STR(sta
->addr
));
2946 eloop_cancel_timeout(ieee802_1x_wnm_notif_send
, hapd
, sta
);
2947 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send
,
2950 #endif /* CONFIG_HS20 */
2952 #ifdef CONFIG_MACSEC
2953 ieee802_1x_notify_create_actor_hapd(hapd
, sta
);
2954 #endif /* CONFIG_MACSEC */
2956 key
= ieee802_1x_get_key(sta
->eapol_sm
, &len
);
2957 if (sta
->session_timeout_set
) {
2958 os_get_reltime(&now
);
2959 os_reltime_sub(&sta
->session_timeout
, &now
, &remaining
);
2960 session_timeout
= (remaining
.sec
> 0) ? remaining
.sec
: 1;
2962 session_timeout
= dot11RSNAConfigPMKLifetime
;
2964 if (success
&& key
&& len
>= PMK_LEN
&& !sta
->remediation
&&
2965 !sta
->hs20_deauth_requested
&&
2966 wpa_auth_pmksa_add(sta
->wpa_sm
, key
, len
, session_timeout
,
2967 sta
->eapol_sm
) == 0) {
2968 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_WPA
,
2969 HOSTAPD_LEVEL_DEBUG
,
2970 "Added PMKSA cache entry (IEEE 802.1X)");
2975 * Many devices require deauthentication after WPS provisioning
2976 * and some may not be be able to do that themselves, so
2977 * disconnect the client here. In addition, this may also
2978 * benefit IEEE 802.1X/EAPOL authentication cases, too since
2979 * the EAPOL PAE state machine would remain in HELD state for
2980 * considerable amount of time and some EAP methods, like
2981 * EAP-FAST with anonymous provisioning, may require another
2982 * EAPOL authentication to be started to complete connection.
2984 ap_sta_delayed_1x_auth_fail_disconnect(hapd
, sta
);