2 * hostapd / IEEE 802.1X-2004 Authenticator
3 * Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
12 #endif /* CONFIG_SQLITE */
14 #include "utils/common.h"
15 #include "utils/eloop.h"
16 #include "crypto/md5.h"
17 #include "crypto/crypto.h"
18 #include "crypto/random.h"
19 #include "common/ieee802_11_defs.h"
20 #include "radius/radius.h"
21 #include "radius/radius_client.h"
22 #include "eap_server/eap.h"
23 #include "eap_common/eap_wsc_common.h"
24 #include "eapol_auth/eapol_auth_sm.h"
25 #include "eapol_auth/eapol_auth_sm_i.h"
28 #include "accounting.h"
31 #include "preauth_auth.h"
32 #include "pmksa_cache_auth.h"
33 #include "ap_config.h"
34 #include "ap_drv_ops.h"
35 #include "wps_hostapd.h"
37 /* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */
38 #include "ieee802_11.h"
39 #include "ieee802_1x.h"
40 #include "wpa_auth_kay.h"
44 static void ieee802_1x_wnm_notif_send(void *eloop_ctx
, void *timeout_ctx
);
45 #endif /* CONFIG_HS20 */
46 static void ieee802_1x_finished(struct hostapd_data
*hapd
,
47 struct sta_info
*sta
, int success
,
51 static void ieee802_1x_send(struct hostapd_data
*hapd
, struct sta_info
*sta
,
52 u8 type
, const u8
*data
, size_t datalen
)
55 struct ieee802_1x_hdr
*xhdr
;
59 len
= sizeof(*xhdr
) + datalen
;
62 wpa_printf(MSG_ERROR
, "malloc() failed for %s(len=%lu)",
63 __func__
, (unsigned long) len
);
67 xhdr
= (struct ieee802_1x_hdr
*) buf
;
68 xhdr
->version
= hapd
->conf
->eapol_version
;
70 if (xhdr
->version
> 2 && hapd
->conf
->macsec_policy
== 0)
72 #endif /* CONFIG_MACSEC */
74 xhdr
->length
= host_to_be16(datalen
);
76 if (datalen
> 0 && data
!= NULL
)
77 os_memcpy(xhdr
+ 1, data
, datalen
);
79 if (wpa_auth_pairwise_set(sta
->wpa_sm
))
81 #ifdef CONFIG_TESTING_OPTIONS
82 if (hapd
->ext_eapol_frame_io
) {
83 size_t hex_len
= 2 * len
+ 1;
84 char *hex
= os_malloc(hex_len
);
87 wpa_snprintf_hex(hex
, hex_len
, buf
, len
);
88 wpa_msg(hapd
->msg_ctx
, MSG_INFO
,
89 "EAPOL-TX " MACSTR
" %s",
90 MAC2STR(sta
->addr
), hex
);
94 #endif /* CONFIG_TESTING_OPTIONS */
95 if (sta
->flags
& WLAN_STA_PREAUTH
) {
96 rsn_preauth_send(hapd
, sta
, buf
, len
);
98 hostapd_drv_hapd_send_eapol(
99 hapd
, sta
->addr
, buf
, len
,
100 encrypt
, hostapd_sta_flags_to_drv(sta
->flags
));
107 void ieee802_1x_set_sta_authorized(struct hostapd_data
*hapd
,
108 struct sta_info
*sta
, int authorized
)
112 if (sta
->flags
& WLAN_STA_PREAUTH
)
116 ap_sta_set_authorized(hapd
, sta
, 1);
117 res
= hostapd_set_authorized(hapd
, sta
, 1);
118 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
119 HOSTAPD_LEVEL_DEBUG
, "authorizing port");
121 ap_sta_set_authorized(hapd
, sta
, 0);
122 res
= hostapd_set_authorized(hapd
, sta
, 0);
123 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
124 HOSTAPD_LEVEL_DEBUG
, "unauthorizing port");
127 if (res
&& errno
!= ENOENT
) {
128 wpa_printf(MSG_DEBUG
, "Could not set station " MACSTR
129 " flags for kernel driver (errno=%d).",
130 MAC2STR(sta
->addr
), errno
);
134 os_get_reltime(&sta
->connected_time
);
135 accounting_sta_start(hapd
, sta
);
141 #ifndef CONFIG_NO_RC4
143 static void ieee802_1x_tx_key_one(struct hostapd_data
*hapd
,
144 struct sta_info
*sta
,
145 int idx
, int broadcast
,
146 u8
*key_data
, size_t key_len
)
149 struct ieee802_1x_hdr
*hdr
;
150 struct ieee802_1x_eapol_key
*key
;
151 size_t len
, ekey_len
;
152 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
157 len
= sizeof(*key
) + key_len
;
158 buf
= os_zalloc(sizeof(*hdr
) + len
);
162 hdr
= (struct ieee802_1x_hdr
*) buf
;
163 key
= (struct ieee802_1x_eapol_key
*) (hdr
+ 1);
164 key
->type
= EAPOL_KEY_TYPE_RC4
;
165 WPA_PUT_BE16(key
->key_length
, key_len
);
166 wpa_get_ntp_timestamp(key
->replay_counter
);
167 if (os_memcmp(key
->replay_counter
,
168 hapd
->last_1x_eapol_key_replay_counter
,
169 IEEE8021X_REPLAY_COUNTER_LEN
) <= 0) {
170 /* NTP timestamp did not increment from last EAPOL-Key frame;
171 * use previously used value + 1 instead. */
172 inc_byte_array(hapd
->last_1x_eapol_key_replay_counter
,
173 IEEE8021X_REPLAY_COUNTER_LEN
);
174 os_memcpy(key
->replay_counter
,
175 hapd
->last_1x_eapol_key_replay_counter
,
176 IEEE8021X_REPLAY_COUNTER_LEN
);
178 os_memcpy(hapd
->last_1x_eapol_key_replay_counter
,
180 IEEE8021X_REPLAY_COUNTER_LEN
);
183 if (random_get_bytes(key
->key_iv
, sizeof(key
->key_iv
))) {
184 wpa_printf(MSG_ERROR
, "Could not get random numbers");
189 key
->key_index
= idx
| (broadcast
? 0 : BIT(7));
190 if (hapd
->conf
->eapol_key_index_workaround
) {
191 /* According to some information, WinXP Supplicant seems to
192 * interpret bit7 as an indication whether the key is to be
193 * activated, so make it possible to enable workaround that
194 * sets this bit for all keys. */
195 key
->key_index
|= BIT(7);
198 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and
199 * MSK[32..63] is used to sign the message. */
200 if (!sm
->eap_if
->eapKeyData
|| sm
->eap_if
->eapKeyDataLen
< 64) {
201 wpa_printf(MSG_ERROR
,
202 "No eapKeyData available for encrypting and signing EAPOL-Key");
206 os_memcpy((u8
*) (key
+ 1), key_data
, key_len
);
207 ekey_len
= sizeof(key
->key_iv
) + 32;
208 ekey
= os_malloc(ekey_len
);
210 wpa_printf(MSG_ERROR
, "Could not encrypt key");
214 os_memcpy(ekey
, key
->key_iv
, sizeof(key
->key_iv
));
215 os_memcpy(ekey
+ sizeof(key
->key_iv
), sm
->eap_if
->eapKeyData
, 32);
216 rc4_skip(ekey
, ekey_len
, 0, (u8
*) (key
+ 1), key_len
);
219 /* This header is needed here for HMAC-MD5, but it will be regenerated
220 * in ieee802_1x_send() */
221 hdr
->version
= hapd
->conf
->eapol_version
;
223 if (hdr
->version
> 2)
225 #endif /* CONFIG_MACSEC */
226 hdr
->type
= IEEE802_1X_TYPE_EAPOL_KEY
;
227 hdr
->length
= host_to_be16(len
);
228 hmac_md5(sm
->eap_if
->eapKeyData
+ 32, 32, buf
, sizeof(*hdr
) + len
,
231 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR
232 " (%s index=%d)", MAC2STR(sm
->addr
),
233 broadcast
? "broadcast" : "unicast", idx
);
234 ieee802_1x_send(hapd
, sta
, IEEE802_1X_TYPE_EAPOL_KEY
, (u8
*) key
, len
);
236 sta
->eapol_sm
->dot1xAuthEapolFramesTx
++;
241 static void ieee802_1x_tx_key(struct hostapd_data
*hapd
, struct sta_info
*sta
)
243 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
244 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
246 if (!sm
|| !sm
->eap_if
->eapKeyData
)
249 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR
,
252 #ifndef CONFIG_NO_VLAN
253 if (sta
->vlan_id
> 0) {
254 wpa_printf(MSG_ERROR
, "Using WEP with vlans is not supported.");
257 #endif /* CONFIG_NO_VLAN */
259 if (eapol
->default_wep_key
) {
260 ieee802_1x_tx_key_one(hapd
, sta
, eapol
->default_wep_key_idx
, 1,
261 eapol
->default_wep_key
,
262 hapd
->conf
->default_wep_key_len
);
265 if (hapd
->conf
->individual_wep_key_len
> 0) {
268 ikey
= os_malloc(hapd
->conf
->individual_wep_key_len
);
270 random_get_bytes(ikey
, hapd
->conf
->individual_wep_key_len
))
272 wpa_printf(MSG_ERROR
,
273 "Could not generate random individual WEP key");
278 wpa_hexdump_key(MSG_DEBUG
, "Individual WEP key",
279 ikey
, hapd
->conf
->individual_wep_key_len
);
281 ieee802_1x_tx_key_one(hapd
, sta
, 0, 0, ikey
,
282 hapd
->conf
->individual_wep_key_len
);
284 /* TODO: set encryption in TX callback, i.e., only after STA
285 * has ACKed EAPOL-Key frame */
286 if (hostapd_drv_set_key(hapd
->conf
->iface
, hapd
, WPA_ALG_WEP
,
287 sta
->addr
, 0, 0, 1, NULL
, 0, ikey
,
288 hapd
->conf
->individual_wep_key_len
)) {
289 wpa_printf(MSG_ERROR
,
290 "Could not set individual WEP encryption");
297 #endif /* CONFIG_NO_RC4 */
298 #endif /* CONFIG_FIPS */
301 const char *radius_mode_txt(struct hostapd_data
*hapd
)
303 switch (hapd
->iface
->conf
->hw_mode
) {
304 case HOSTAPD_MODE_IEEE80211AD
:
306 case HOSTAPD_MODE_IEEE80211A
:
308 case HOSTAPD_MODE_IEEE80211G
:
310 case HOSTAPD_MODE_IEEE80211B
:
317 int radius_sta_rate(struct hostapd_data
*hapd
, struct sta_info
*sta
)
322 for (i
= 0; i
< sta
->supported_rates_len
; i
++)
323 if ((sta
->supported_rates
[i
] & 0x7f) > rate
)
324 rate
= sta
->supported_rates
[i
] & 0x7f;
330 #ifndef CONFIG_NO_RADIUS
331 static void ieee802_1x_learn_identity(struct hostapd_data
*hapd
,
332 struct eapol_state_machine
*sm
,
333 const u8
*eap
, size_t len
)
337 const struct eap_hdr
*hdr
= (const struct eap_hdr
*) eap
;
339 if (len
<= sizeof(struct eap_hdr
) ||
340 (hdr
->code
== EAP_CODE_RESPONSE
&&
341 eap
[sizeof(struct eap_hdr
)] != EAP_TYPE_IDENTITY
) ||
342 (hdr
->code
== EAP_CODE_INITIATE
&&
343 eap
[sizeof(struct eap_hdr
)] != EAP_ERP_TYPE_REAUTH
) ||
344 (hdr
->code
!= EAP_CODE_RESPONSE
&&
345 hdr
->code
!= EAP_CODE_INITIATE
))
348 eap_erp_update_identity(sm
->eap
, eap
, len
);
349 identity
= eap_get_identity(sm
->eap
, &identity_len
);
353 /* Save station identity for future RADIUS packets */
354 os_free(sm
->identity
);
355 sm
->identity
= (u8
*) dup_binstr(identity
, identity_len
);
357 sm
->identity_len
= 0;
361 sm
->identity_len
= identity_len
;
362 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
363 HOSTAPD_LEVEL_DEBUG
, "STA identity '%s'", sm
->identity
);
364 sm
->dot1xAuthEapolRespIdFramesRx
++;
368 static int add_common_radius_sta_attr_rsn(struct hostapd_data
*hapd
,
369 struct hostapd_radius_attr
*req_attr
,
370 struct sta_info
*sta
,
371 struct radius_msg
*msg
)
376 ver
= wpa_auth_sta_wpa_version(sta
->wpa_sm
);
377 val
= wpa_auth_get_pairwise(sta
->wpa_sm
);
378 suite
= wpa_cipher_to_suite(ver
, val
);
380 !hostapd_config_get_radius_attr(req_attr
,
381 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER
) &&
382 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER
,
384 wpa_printf(MSG_ERROR
, "Could not add WLAN-Pairwise-Cipher");
388 suite
= wpa_cipher_to_suite(((hapd
->conf
->wpa
& 0x2) ||
390 WPA_PROTO_RSN
: WPA_PROTO_WPA
,
391 hapd
->conf
->wpa_group
);
392 if (!hostapd_config_get_radius_attr(req_attr
,
393 RADIUS_ATTR_WLAN_GROUP_CIPHER
) &&
394 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_GROUP_CIPHER
,
396 wpa_printf(MSG_ERROR
, "Could not add WLAN-Group-Cipher");
400 val
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
401 suite
= wpa_akm_to_suite(val
);
403 !hostapd_config_get_radius_attr(req_attr
,
404 RADIUS_ATTR_WLAN_AKM_SUITE
) &&
405 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_WLAN_AKM_SUITE
,
407 wpa_printf(MSG_ERROR
, "Could not add WLAN-AKM-Suite");
411 if (hapd
->conf
->ieee80211w
!= NO_MGMT_FRAME_PROTECTION
) {
412 suite
= wpa_cipher_to_suite(WPA_PROTO_RSN
,
413 hapd
->conf
->group_mgmt_cipher
);
414 if (!hostapd_config_get_radius_attr(
415 req_attr
, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER
) &&
416 !radius_msg_add_attr_int32(
417 msg
, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER
, suite
)) {
418 wpa_printf(MSG_ERROR
,
419 "Could not add WLAN-Group-Mgmt-Cipher");
428 static int add_common_radius_sta_attr(struct hostapd_data
*hapd
,
429 struct hostapd_radius_attr
*req_attr
,
430 struct sta_info
*sta
,
431 struct radius_msg
*msg
)
435 if (!hostapd_config_get_radius_attr(req_attr
,
436 RADIUS_ATTR_SERVICE_TYPE
) &&
437 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_SERVICE_TYPE
,
438 RADIUS_SERVICE_TYPE_FRAMED
)) {
439 wpa_printf(MSG_ERROR
, "Could not add Service-Type");
443 if (!hostapd_config_get_radius_attr(req_attr
,
444 RADIUS_ATTR_NAS_PORT
) &&
446 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_NAS_PORT
, sta
->aid
)) {
447 wpa_printf(MSG_ERROR
, "Could not add NAS-Port");
451 os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
,
453 buf
[sizeof(buf
) - 1] = '\0';
454 if (!radius_msg_add_attr(msg
, RADIUS_ATTR_CALLING_STATION_ID
,
455 (u8
*) buf
, os_strlen(buf
))) {
456 wpa_printf(MSG_ERROR
, "Could not add Calling-Station-Id");
460 if (sta
->flags
& WLAN_STA_PREAUTH
) {
461 os_strlcpy(buf
, "IEEE 802.11i Pre-Authentication",
464 os_snprintf(buf
, sizeof(buf
), "CONNECT %d%sMbps %s",
465 radius_sta_rate(hapd
, sta
) / 2,
466 (radius_sta_rate(hapd
, sta
) & 1) ? ".5" : "",
467 radius_mode_txt(hapd
));
468 buf
[sizeof(buf
) - 1] = '\0';
470 if (!hostapd_config_get_radius_attr(req_attr
,
471 RADIUS_ATTR_CONNECT_INFO
) &&
472 !radius_msg_add_attr(msg
, RADIUS_ATTR_CONNECT_INFO
,
473 (u8
*) buf
, os_strlen(buf
))) {
474 wpa_printf(MSG_ERROR
, "Could not add Connect-Info");
478 if (sta
->acct_session_id
) {
479 os_snprintf(buf
, sizeof(buf
), "%016llX",
480 (unsigned long long) sta
->acct_session_id
);
481 if (!radius_msg_add_attr(msg
, RADIUS_ATTR_ACCT_SESSION_ID
,
482 (u8
*) buf
, os_strlen(buf
))) {
483 wpa_printf(MSG_ERROR
, "Could not add Acct-Session-Id");
488 if ((hapd
->conf
->wpa
& 2) &&
489 !hapd
->conf
->disable_pmksa_caching
&&
490 sta
->eapol_sm
&& sta
->eapol_sm
->acct_multi_session_id
) {
491 os_snprintf(buf
, sizeof(buf
), "%016llX",
493 sta
->eapol_sm
->acct_multi_session_id
);
494 if (!radius_msg_add_attr(
495 msg
, RADIUS_ATTR_ACCT_MULTI_SESSION_ID
,
496 (u8
*) buf
, os_strlen(buf
))) {
498 "Could not add Acct-Multi-Session-Id");
503 #ifdef CONFIG_IEEE80211R_AP
504 if (hapd
->conf
->wpa
&& wpa_key_mgmt_ft(hapd
->conf
->wpa_key_mgmt
) &&
506 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta
->wpa_sm
)) ||
507 sta
->auth_alg
== WLAN_AUTH_FT
) &&
508 !hostapd_config_get_radius_attr(req_attr
,
509 RADIUS_ATTR_MOBILITY_DOMAIN_ID
) &&
510 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_MOBILITY_DOMAIN_ID
,
512 hapd
->conf
->mobility_domain
))) {
513 wpa_printf(MSG_ERROR
, "Could not add Mobility-Domain-Id");
516 #endif /* CONFIG_IEEE80211R_AP */
518 if ((hapd
->conf
->wpa
|| hapd
->conf
->osen
) && sta
->wpa_sm
&&
519 add_common_radius_sta_attr_rsn(hapd
, req_attr
, sta
, msg
) < 0)
526 int add_common_radius_attr(struct hostapd_data
*hapd
,
527 struct hostapd_radius_attr
*req_attr
,
528 struct sta_info
*sta
,
529 struct radius_msg
*msg
)
532 struct hostapd_radius_attr
*attr
;
535 if (!hostapd_config_get_radius_attr(req_attr
,
536 RADIUS_ATTR_NAS_IP_ADDRESS
) &&
537 hapd
->conf
->own_ip_addr
.af
== AF_INET
&&
538 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IP_ADDRESS
,
539 (u8
*) &hapd
->conf
->own_ip_addr
.u
.v4
, 4)) {
540 wpa_printf(MSG_ERROR
, "Could not add NAS-IP-Address");
545 if (!hostapd_config_get_radius_attr(req_attr
,
546 RADIUS_ATTR_NAS_IPV6_ADDRESS
) &&
547 hapd
->conf
->own_ip_addr
.af
== AF_INET6
&&
548 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IPV6_ADDRESS
,
549 (u8
*) &hapd
->conf
->own_ip_addr
.u
.v6
, 16)) {
550 wpa_printf(MSG_ERROR
, "Could not add NAS-IPv6-Address");
553 #endif /* CONFIG_IPV6 */
555 if (!hostapd_config_get_radius_attr(req_attr
,
556 RADIUS_ATTR_NAS_IDENTIFIER
) &&
557 hapd
->conf
->nas_identifier
&&
558 !radius_msg_add_attr(msg
, RADIUS_ATTR_NAS_IDENTIFIER
,
559 (u8
*) hapd
->conf
->nas_identifier
,
560 os_strlen(hapd
->conf
->nas_identifier
))) {
561 wpa_printf(MSG_ERROR
, "Could not add NAS-Identifier");
565 len
= os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
":",
566 MAC2STR(hapd
->own_addr
));
567 os_memcpy(&buf
[len
], hapd
->conf
->ssid
.ssid
,
568 hapd
->conf
->ssid
.ssid_len
);
569 len
+= hapd
->conf
->ssid
.ssid_len
;
570 if (!hostapd_config_get_radius_attr(req_attr
,
571 RADIUS_ATTR_CALLED_STATION_ID
) &&
572 !radius_msg_add_attr(msg
, RADIUS_ATTR_CALLED_STATION_ID
,
574 wpa_printf(MSG_ERROR
, "Could not add Called-Station-Id");
578 if (!hostapd_config_get_radius_attr(req_attr
,
579 RADIUS_ATTR_NAS_PORT_TYPE
) &&
580 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_NAS_PORT_TYPE
,
581 RADIUS_NAS_PORT_TYPE_IEEE_802_11
)) {
582 wpa_printf(MSG_ERROR
, "Could not add NAS-Port-Type");
586 #ifdef CONFIG_INTERWORKING
587 if (hapd
->conf
->interworking
&&
588 !is_zero_ether_addr(hapd
->conf
->hessid
)) {
589 os_snprintf(buf
, sizeof(buf
), RADIUS_802_1X_ADDR_FORMAT
,
590 MAC2STR(hapd
->conf
->hessid
));
591 buf
[sizeof(buf
) - 1] = '\0';
592 if (!hostapd_config_get_radius_attr(req_attr
,
593 RADIUS_ATTR_WLAN_HESSID
) &&
594 !radius_msg_add_attr(msg
, RADIUS_ATTR_WLAN_HESSID
,
595 (u8
*) buf
, os_strlen(buf
))) {
596 wpa_printf(MSG_ERROR
, "Could not add WLAN-HESSID");
600 #endif /* CONFIG_INTERWORKING */
602 if (sta
&& add_common_radius_sta_attr(hapd
, req_attr
, sta
, msg
) < 0)
605 for (attr
= req_attr
; attr
; attr
= attr
->next
) {
606 if (!radius_msg_add_attr(msg
, attr
->type
,
607 wpabuf_head(attr
->val
),
608 wpabuf_len(attr
->val
))) {
609 wpa_printf(MSG_ERROR
, "Could not add RADIUS attribute");
618 int add_sqlite_radius_attr(struct hostapd_data
*hapd
, struct sta_info
*sta
,
619 struct radius_msg
*msg
, int acct
)
623 char addrtxt
[3 * ETH_ALEN
];
625 sqlite3_stmt
*stmt
= NULL
;
627 if (!hapd
->rad_attr_db
)
630 os_snprintf(addrtxt
, sizeof(addrtxt
), MACSTR
, MAC2STR(sta
->addr
));
632 sql
= "SELECT attr FROM radius_attributes WHERE sta=? AND (reqtype=? OR reqtype IS NULL);";
633 if (sqlite3_prepare_v2(hapd
->rad_attr_db
, sql
, os_strlen(sql
), &stmt
,
634 NULL
) != SQLITE_OK
) {
635 wpa_printf(MSG_ERROR
, "DB: Failed to prepare SQL statement: %s",
636 sqlite3_errmsg(hapd
->rad_attr_db
));
639 sqlite3_bind_text(stmt
, 1, addrtxt
, os_strlen(addrtxt
), SQLITE_STATIC
);
640 sqlite3_bind_text(stmt
, 2, acct
? "acct" : "auth", 4, SQLITE_STATIC
);
641 while (sqlite3_step(stmt
) == SQLITE_ROW
) {
642 struct hostapd_radius_attr
*attr
;
643 struct radius_attr_hdr
*hdr
;
645 attrtxt
= (const char *) sqlite3_column_text(stmt
, 0);
646 attr
= hostapd_parse_radius_attr(attrtxt
);
648 wpa_printf(MSG_ERROR
,
649 "Skipping invalid attribute from SQL: %s",
653 wpa_printf(MSG_DEBUG
, "Adding RADIUS attribute from SQL: %s",
655 hdr
= radius_msg_add_attr(msg
, attr
->type
,
656 wpabuf_head(attr
->val
),
657 wpabuf_len(attr
->val
));
658 hostapd_config_free_radius_attr(attr
);
660 wpa_printf(MSG_ERROR
,
661 "Could not add RADIUS attribute from SQL");
667 sqlite3_clear_bindings(stmt
);
668 sqlite3_finalize(stmt
);
669 #endif /* CONFIG_SQLITE */
675 void ieee802_1x_encapsulate_radius(struct hostapd_data
*hapd
,
676 struct sta_info
*sta
,
677 const u8
*eap
, size_t len
)
679 struct radius_msg
*msg
;
680 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
685 ieee802_1x_learn_identity(hapd
, sm
, eap
, len
);
687 wpa_printf(MSG_DEBUG
, "Encapsulating EAP message into a RADIUS packet");
689 sm
->radius_identifier
= radius_client_get_id(hapd
->radius
);
690 msg
= radius_msg_new(RADIUS_CODE_ACCESS_REQUEST
,
691 sm
->radius_identifier
);
693 wpa_printf(MSG_INFO
, "Could not create new RADIUS packet");
697 if (radius_msg_make_authenticator(msg
) < 0) {
698 wpa_printf(MSG_INFO
, "Could not make Request Authenticator");
703 !radius_msg_add_attr(msg
, RADIUS_ATTR_USER_NAME
,
704 sm
->identity
, sm
->identity_len
)) {
705 wpa_printf(MSG_INFO
, "Could not add User-Name");
709 if (add_common_radius_attr(hapd
, hapd
->conf
->radius_auth_req_attr
, sta
,
713 if (sta
&& add_sqlite_radius_attr(hapd
, sta
, msg
, 0) < 0)
716 /* TODO: should probably check MTU from driver config; 2304 is max for
717 * IEEE 802.11, but use 1400 to avoid problems with too large packets
719 if (!hostapd_config_get_radius_attr(hapd
->conf
->radius_auth_req_attr
,
720 RADIUS_ATTR_FRAMED_MTU
) &&
721 !radius_msg_add_attr_int32(msg
, RADIUS_ATTR_FRAMED_MTU
, 1400)) {
722 wpa_printf(MSG_INFO
, "Could not add Framed-MTU");
726 if (!radius_msg_add_eap(msg
, eap
, len
)) {
727 wpa_printf(MSG_INFO
, "Could not add EAP-Message");
731 /* State attribute must be copied if and only if this packet is
732 * Access-Request reply to the previous Access-Challenge */
733 if (sm
->last_recv_radius
&&
734 radius_msg_get_hdr(sm
->last_recv_radius
)->code
==
735 RADIUS_CODE_ACCESS_CHALLENGE
) {
736 int res
= radius_msg_copy_attr(msg
, sm
->last_recv_radius
,
740 "Could not copy State attribute from previous Access-Challenge");
744 wpa_printf(MSG_DEBUG
, "Copied RADIUS State Attribute");
747 if (hapd
->conf
->radius_request_cui
) {
750 /* Add previously learned CUI or nul CUI to request CUI */
751 if (sm
->radius_cui
) {
752 cui
= wpabuf_head(sm
->radius_cui
);
753 cui_len
= wpabuf_len(sm
->radius_cui
);
755 cui
= (const u8
*) "\0";
758 if (!radius_msg_add_attr(msg
,
759 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY
,
761 wpa_printf(MSG_ERROR
, "Could not add CUI");
767 if (hapd
->conf
->hs20
) {
768 u8 ver
= hapd
->conf
->hs20_release
- 1;
770 if (!radius_msg_add_wfa(
771 msg
, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION
,
773 wpa_printf(MSG_ERROR
,
774 "Could not add HS 2.0 AP version");
778 if (sta
->hs20_ie
&& wpabuf_len(sta
->hs20_ie
) > 0) {
783 pos
= wpabuf_head_u8(sta
->hs20_ie
);
784 buf
[0] = (*pos
) >> 4;
785 if (((*pos
) & HS20_PPS_MO_ID_PRESENT
) &&
786 wpabuf_len(sta
->hs20_ie
) >= 3)
787 id
= WPA_GET_LE16(pos
+ 1);
790 WPA_PUT_BE16(buf
+ 1, id
);
791 if (!radius_msg_add_wfa(
793 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION
,
795 wpa_printf(MSG_ERROR
,
796 "Could not add HS 2.0 STA version");
801 if (sta
->roaming_consortium
&&
803 msg
, RADIUS_VENDOR_ATTR_WFA_HS20_ROAMING_CONSORTIUM
,
804 wpabuf_head(sta
->roaming_consortium
),
805 wpabuf_len(sta
->roaming_consortium
))) {
806 wpa_printf(MSG_ERROR
,
807 "Could not add HS 2.0 Roaming Consortium");
811 if (hapd
->conf
->t_c_filename
) {
814 if (!radius_msg_add_wfa(
816 RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILENAME
,
817 (const u8
*) hapd
->conf
->t_c_filename
,
818 os_strlen(hapd
->conf
->t_c_filename
))) {
819 wpa_printf(MSG_ERROR
,
820 "Could not add HS 2.0 T&C Filename");
824 timestamp
= host_to_be32(hapd
->conf
->t_c_timestamp
);
825 if (!radius_msg_add_wfa(
827 RADIUS_VENDOR_ATTR_WFA_HS20_TIMESTAMP
,
828 (const u8
*) ×tamp
,
829 sizeof(timestamp
))) {
830 wpa_printf(MSG_ERROR
,
831 "Could not add HS 2.0 Timestamp");
836 #endif /* CONFIG_HS20 */
838 if (radius_client_send(hapd
->radius
, msg
, RADIUS_AUTH
, sta
->addr
) < 0)
844 radius_msg_free(msg
);
846 #endif /* CONFIG_NO_RADIUS */
849 static void handle_eap_response(struct hostapd_data
*hapd
,
850 struct sta_info
*sta
, struct eap_hdr
*eap
,
854 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
859 data
= (u8
*) (eap
+ 1);
861 if (len
< sizeof(*eap
) + 1) {
862 wpa_printf(MSG_INFO
, "%s: too short response data", __func__
);
866 sm
->eap_type_supp
= type
= data
[0];
868 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
869 HOSTAPD_LEVEL_DEBUG
, "received EAP packet (code=%d "
870 "id=%d len=%d) from STA: EAP Response-%s (%d)",
871 eap
->code
, eap
->identifier
, be_to_host16(eap
->length
),
872 eap_server_get_name(0, type
), type
);
874 sm
->dot1xAuthEapolRespFramesRx
++;
876 wpabuf_free(sm
->eap_if
->eapRespData
);
877 sm
->eap_if
->eapRespData
= wpabuf_alloc_copy(eap
, len
);
882 static void handle_eap_initiate(struct hostapd_data
*hapd
,
883 struct sta_info
*sta
, struct eap_hdr
*eap
,
888 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
893 if (len
< sizeof(*eap
) + 1) {
894 wpa_printf(MSG_INFO
, "%s: too short response data", __func__
);
898 data
= (u8
*) (eap
+ 1);
901 hostapd_logger(hapd
, sm
->addr
, HOSTAPD_MODULE_IEEE8021X
,
903 "received EAP packet (code=%d id=%d len=%d) from STA: EAP Initiate type %u",
904 eap
->code
, eap
->identifier
, be_to_host16(eap
->length
),
907 wpabuf_free(sm
->eap_if
->eapRespData
);
908 sm
->eap_if
->eapRespData
= wpabuf_alloc_copy(eap
, len
);
910 #endif /* CONFIG_ERP */
914 #ifndef CONFIG_NO_STDOUT_DEBUG
915 static const char * eap_code_str(u8 code
)
918 case EAP_CODE_REQUEST
:
920 case EAP_CODE_RESPONSE
:
922 case EAP_CODE_SUCCESS
:
924 case EAP_CODE_FAILURE
:
926 case EAP_CODE_INITIATE
:
928 case EAP_CODE_FINISH
:
934 #endif /* CONFIG_NO_STDOUT_DEBUG */
937 /* Process incoming EAP packet from Supplicant */
938 static void handle_eap(struct hostapd_data
*hapd
, struct sta_info
*sta
,
944 if (len
< sizeof(*eap
)) {
945 wpa_printf(MSG_INFO
, " too short EAP packet");
949 eap
= (struct eap_hdr
*) buf
;
951 eap_len
= be_to_host16(eap
->length
);
952 wpa_printf(MSG_DEBUG
, "EAP: code=%d (%s) identifier=%d length=%d",
953 eap
->code
, eap_code_str(eap
->code
), eap
->identifier
,
955 if (eap_len
< sizeof(*eap
)) {
956 wpa_printf(MSG_DEBUG
, " Invalid EAP length");
958 } else if (eap_len
> len
) {
959 wpa_printf(MSG_DEBUG
,
960 " Too short frame to contain this EAP packet");
962 } else if (eap_len
< len
) {
963 wpa_printf(MSG_DEBUG
,
964 " Ignoring %lu extra bytes after EAP packet",
965 (unsigned long) len
- eap_len
);
969 case EAP_CODE_RESPONSE
:
970 handle_eap_response(hapd
, sta
, eap
, eap_len
);
972 case EAP_CODE_INITIATE
:
973 handle_eap_initiate(hapd
, sta
, eap
, eap_len
);
979 struct eapol_state_machine
*
980 ieee802_1x_alloc_eapol_sm(struct hostapd_data
*hapd
, struct sta_info
*sta
)
984 if (sta
->flags
& WLAN_STA_PREAUTH
)
985 flags
|= EAPOL_SM_PREAUTH
;
987 flags
|= EAPOL_SM_USES_WPA
;
988 if (wpa_auth_sta_get_pmksa(sta
->wpa_sm
))
989 flags
|= EAPOL_SM_FROM_PMKSA_CACHE
;
991 return eapol_auth_alloc(hapd
->eapol_auth
, sta
->addr
, flags
,
992 sta
->wps_ie
, sta
->p2p_ie
, sta
,
993 sta
->identity
, sta
->radius_cui
);
997 static void ieee802_1x_save_eapol(struct sta_info
*sta
, const u8
*buf
,
1000 if (sta
->pending_eapol_rx
) {
1001 wpabuf_free(sta
->pending_eapol_rx
->buf
);
1003 sta
->pending_eapol_rx
=
1004 os_malloc(sizeof(*sta
->pending_eapol_rx
));
1005 if (!sta
->pending_eapol_rx
)
1009 sta
->pending_eapol_rx
->buf
= wpabuf_alloc_copy(buf
, len
);
1010 if (!sta
->pending_eapol_rx
->buf
) {
1011 os_free(sta
->pending_eapol_rx
);
1012 sta
->pending_eapol_rx
= NULL
;
1016 os_get_reltime(&sta
->pending_eapol_rx
->rx_time
);
1021 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant
1022 * @hapd: hostapd BSS data
1023 * @sa: Source address (sender of the EAPOL frame)
1025 * @len: Length of buf in octets
1027 * This function is called for each incoming EAPOL frame from the interface
1029 void ieee802_1x_receive(struct hostapd_data
*hapd
, const u8
*sa
, const u8
*buf
,
1032 struct sta_info
*sta
;
1033 struct ieee802_1x_hdr
*hdr
;
1034 struct ieee802_1x_eapol_key
*key
;
1036 struct rsn_pmksa_cache_entry
*pmksa
;
1039 if (!hapd
->conf
->ieee802_1x
&& !hapd
->conf
->wpa
&& !hapd
->conf
->osen
&&
1040 !hapd
->conf
->wps_state
)
1043 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: %lu bytes from " MACSTR
,
1044 (unsigned long) len
, MAC2STR(sa
));
1045 sta
= ap_get_sta(hapd
, sa
);
1046 if (!sta
|| (!(sta
->flags
& (WLAN_STA_ASSOC
| WLAN_STA_PREAUTH
)) &&
1047 !(hapd
->iface
->drv_flags
& WPA_DRIVER_FLAGS_WIRED
))) {
1048 wpa_printf(MSG_DEBUG
,
1049 "IEEE 802.1X data frame from not associated/Pre-authenticating STA");
1051 if (sta
&& (sta
->flags
& WLAN_STA_AUTH
)) {
1052 wpa_printf(MSG_DEBUG
, "Saving EAPOL frame from " MACSTR
1053 " for later use", MAC2STR(sta
->addr
));
1054 ieee802_1x_save_eapol(sta
, buf
, len
);
1060 if (len
< sizeof(*hdr
)) {
1061 wpa_printf(MSG_INFO
, " too short IEEE 802.1X packet");
1065 hdr
= (struct ieee802_1x_hdr
*) buf
;
1066 datalen
= be_to_host16(hdr
->length
);
1067 wpa_printf(MSG_DEBUG
, " IEEE 802.1X: version=%d type=%d length=%d",
1068 hdr
->version
, hdr
->type
, datalen
);
1070 if (len
- sizeof(*hdr
) < datalen
) {
1071 wpa_printf(MSG_INFO
,
1072 " frame too short for this IEEE 802.1X packet");
1074 sta
->eapol_sm
->dot1xAuthEapLengthErrorFramesRx
++;
1077 if (len
- sizeof(*hdr
) > datalen
) {
1078 wpa_printf(MSG_DEBUG
,
1079 " ignoring %lu extra octets after IEEE 802.1X packet",
1080 (unsigned long) len
- sizeof(*hdr
) - datalen
);
1083 if (sta
->eapol_sm
) {
1084 sta
->eapol_sm
->dot1xAuthLastEapolFrameVersion
= hdr
->version
;
1085 sta
->eapol_sm
->dot1xAuthEapolFramesRx
++;
1088 key
= (struct ieee802_1x_eapol_key
*) (hdr
+ 1);
1089 if (datalen
>= sizeof(struct ieee802_1x_eapol_key
) &&
1090 hdr
->type
== IEEE802_1X_TYPE_EAPOL_KEY
&&
1091 (key
->type
== EAPOL_KEY_TYPE_WPA
||
1092 key
->type
== EAPOL_KEY_TYPE_RSN
)) {
1093 wpa_receive(hapd
->wpa_auth
, sta
->wpa_sm
, (u8
*) hdr
,
1094 sizeof(*hdr
) + datalen
);
1098 if (!hapd
->conf
->ieee802_1x
&& !hapd
->conf
->osen
&&
1099 !(sta
->flags
& (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
))) {
1100 wpa_printf(MSG_DEBUG
,
1101 "IEEE 802.1X: Ignore EAPOL message - 802.1X not enabled and WPS not used");
1105 key_mgmt
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
1106 if (key_mgmt
!= -1 &&
1107 (wpa_key_mgmt_wpa_psk(key_mgmt
) || key_mgmt
== WPA_KEY_MGMT_OWE
||
1108 key_mgmt
== WPA_KEY_MGMT_DPP
)) {
1109 wpa_printf(MSG_DEBUG
,
1110 "IEEE 802.1X: Ignore EAPOL message - STA is using PSK");
1114 if (!sta
->eapol_sm
) {
1115 sta
->eapol_sm
= ieee802_1x_alloc_eapol_sm(hapd
, sta
);
1120 if (!hapd
->conf
->ieee802_1x
&& hapd
->conf
->wps_state
) {
1121 u32 wflags
= sta
->flags
& (WLAN_STA_WPS
|
1123 WLAN_STA_MAYBE_WPS
);
1124 if (wflags
== WLAN_STA_MAYBE_WPS
||
1125 wflags
== (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
)) {
1127 * Delay EAPOL frame transmission until a
1128 * possible WPS STA initiates the handshake
1129 * with EAPOL-Start. Only allow the wait to be
1130 * skipped if the STA is known to support WPS
1133 wpa_printf(MSG_DEBUG
,
1134 "WPS: Do not start EAPOL until EAPOL-Start is received");
1135 sta
->eapol_sm
->flags
|= EAPOL_SM_WAIT_START
;
1138 #endif /* CONFIG_WPS */
1140 sta
->eapol_sm
->eap_if
->portEnabled
= TRUE
;
1143 /* since we support version 1, we can ignore version field and proceed
1144 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */
1145 /* TODO: actually, we are not version 1 anymore.. However, Version 2
1146 * does not change frame contents, so should be ok to process frames
1147 * more or less identically. Some changes might be needed for
1148 * verification of fields. */
1150 switch (hdr
->type
) {
1151 case IEEE802_1X_TYPE_EAP_PACKET
:
1152 handle_eap(hapd
, sta
, (u8
*) (hdr
+ 1), datalen
);
1155 case IEEE802_1X_TYPE_EAPOL_START
:
1156 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1157 HOSTAPD_LEVEL_DEBUG
,
1158 "received EAPOL-Start from STA");
1159 sta
->eapol_sm
->flags
&= ~EAPOL_SM_WAIT_START
;
1160 pmksa
= wpa_auth_sta_get_pmksa(sta
->wpa_sm
);
1162 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_WPA
,
1163 HOSTAPD_LEVEL_DEBUG
,
1164 "cached PMKSA available - ignore it since STA sent EAPOL-Start");
1165 wpa_auth_sta_clear_pmksa(sta
->wpa_sm
, pmksa
);
1167 sta
->eapol_sm
->eapolStart
= TRUE
;
1168 sta
->eapol_sm
->dot1xAuthEapolStartFramesRx
++;
1169 eap_server_clear_identity(sta
->eapol_sm
->eap
);
1170 wpa_auth_sm_event(sta
->wpa_sm
, WPA_REAUTH_EAPOL
);
1173 case IEEE802_1X_TYPE_EAPOL_LOGOFF
:
1174 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1175 HOSTAPD_LEVEL_DEBUG
,
1176 "received EAPOL-Logoff from STA");
1177 sta
->acct_terminate_cause
=
1178 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST
;
1179 accounting_sta_stop(hapd
, sta
);
1180 sta
->eapol_sm
->eapolLogoff
= TRUE
;
1181 sta
->eapol_sm
->dot1xAuthEapolLogoffFramesRx
++;
1182 eap_server_clear_identity(sta
->eapol_sm
->eap
);
1185 case IEEE802_1X_TYPE_EAPOL_KEY
:
1186 wpa_printf(MSG_DEBUG
, " EAPOL-Key");
1187 if (!ap_sta_is_authorized(sta
)) {
1188 wpa_printf(MSG_DEBUG
,
1189 " Dropped key data from unauthorized Supplicant");
1194 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT
:
1195 wpa_printf(MSG_DEBUG
, " EAPOL-Encapsulated-ASF-Alert");
1196 /* TODO: implement support for this; show data */
1199 #ifdef CONFIG_MACSEC
1200 case IEEE802_1X_TYPE_EAPOL_MKA
:
1201 wpa_printf(MSG_EXCESSIVE
,
1202 "EAPOL type %d will be handled by MKA", hdr
->type
);
1204 #endif /* CONFIG_MACSEC */
1207 wpa_printf(MSG_DEBUG
, " unknown IEEE 802.1X packet type");
1208 sta
->eapol_sm
->dot1xAuthInvalidEapolFramesRx
++;
1212 eapol_auth_step(sta
->eapol_sm
);
1217 * ieee802_1x_new_station - Start IEEE 802.1X authentication
1218 * @hapd: hostapd BSS data
1221 * This function is called to start IEEE 802.1X authentication when a new
1222 * station completes IEEE 802.11 association.
1224 void ieee802_1x_new_station(struct hostapd_data
*hapd
, struct sta_info
*sta
)
1226 struct rsn_pmksa_cache_entry
*pmksa
;
1232 if (hapd
->conf
->wps_state
&&
1233 ((hapd
->conf
->wpa
&& (sta
->flags
& WLAN_STA_MAYBE_WPS
)) ||
1234 (sta
->flags
& WLAN_STA_WPS
))) {
1236 * Need to enable IEEE 802.1X/EAPOL state machines for possible
1237 * WPS handshake even if IEEE 802.1X/EAPOL is not used for
1238 * authentication in this BSS.
1242 #endif /* CONFIG_WPS */
1244 if (!force_1x
&& !hapd
->conf
->ieee802_1x
&& !hapd
->conf
->osen
) {
1245 wpa_printf(MSG_DEBUG
,
1246 "IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS");
1248 * Clear any possible EAPOL authenticator state to support
1249 * reassociation change from WPS to PSK.
1251 ieee802_1x_free_station(hapd
, sta
);
1255 key_mgmt
= wpa_auth_sta_key_mgmt(sta
->wpa_sm
);
1256 if (key_mgmt
!= -1 &&
1257 (wpa_key_mgmt_wpa_psk(key_mgmt
) || key_mgmt
== WPA_KEY_MGMT_OWE
||
1258 key_mgmt
== WPA_KEY_MGMT_DPP
)) {
1259 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: Ignore STA - using PSK");
1261 * Clear any possible EAPOL authenticator state to support
1262 * reassociation change from WPA-EAP to PSK.
1264 ieee802_1x_free_station(hapd
, sta
);
1268 if (!sta
->eapol_sm
) {
1269 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1270 HOSTAPD_LEVEL_DEBUG
, "start authentication");
1271 sta
->eapol_sm
= ieee802_1x_alloc_eapol_sm(hapd
, sta
);
1272 if (!sta
->eapol_sm
) {
1273 hostapd_logger(hapd
, sta
->addr
,
1274 HOSTAPD_MODULE_IEEE8021X
,
1276 "failed to allocate state machine");
1283 sta
->eapol_sm
->flags
&= ~EAPOL_SM_WAIT_START
;
1284 if (!hapd
->conf
->ieee802_1x
&& hapd
->conf
->wps_state
&&
1285 !(sta
->flags
& WLAN_STA_WPS2
)) {
1287 * Delay EAPOL frame transmission until a possible WPS STA
1288 * initiates the handshake with EAPOL-Start. Only allow the
1289 * wait to be skipped if the STA is known to support WPS 2.0.
1291 wpa_printf(MSG_DEBUG
,
1292 "WPS: Do not start EAPOL until EAPOL-Start is received");
1293 sta
->eapol_sm
->flags
|= EAPOL_SM_WAIT_START
;
1295 #endif /* CONFIG_WPS */
1297 sta
->eapol_sm
->eap_if
->portEnabled
= TRUE
;
1299 #ifdef CONFIG_IEEE80211R_AP
1300 if (sta
->auth_alg
== WLAN_AUTH_FT
) {
1301 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1302 HOSTAPD_LEVEL_DEBUG
,
1303 "PMK from FT - skip IEEE 802.1X/EAP");
1304 /* Setup EAPOL state machines to already authenticated state
1305 * because of existing FT information from R0KH. */
1306 sta
->eapol_sm
->keyRun
= TRUE
;
1307 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1308 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1309 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1310 sta
->eapol_sm
->authSuccess
= TRUE
;
1311 sta
->eapol_sm
->authFail
= FALSE
;
1312 sta
->eapol_sm
->portValid
= TRUE
;
1313 if (sta
->eapol_sm
->eap
)
1314 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1315 ap_sta_bind_vlan(hapd
, sta
);
1318 #endif /* CONFIG_IEEE80211R_AP */
1321 if (sta
->auth_alg
== WLAN_AUTH_FILS_SK
||
1322 sta
->auth_alg
== WLAN_AUTH_FILS_SK_PFS
||
1323 sta
->auth_alg
== WLAN_AUTH_FILS_PK
) {
1324 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1325 HOSTAPD_LEVEL_DEBUG
,
1326 "PMK from FILS - skip IEEE 802.1X/EAP");
1327 /* Setup EAPOL state machines to already authenticated state
1328 * because of existing FILS information. */
1329 sta
->eapol_sm
->keyRun
= TRUE
;
1330 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1331 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1332 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1333 sta
->eapol_sm
->authSuccess
= TRUE
;
1334 sta
->eapol_sm
->authFail
= FALSE
;
1335 sta
->eapol_sm
->portValid
= TRUE
;
1336 if (sta
->eapol_sm
->eap
)
1337 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1338 wpa_auth_set_ptk_rekey_timer(sta
->wpa_sm
);
1341 #endif /* CONFIG_FILS */
1343 pmksa
= wpa_auth_sta_get_pmksa(sta
->wpa_sm
);
1345 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1346 HOSTAPD_LEVEL_DEBUG
,
1347 "PMK from PMKSA cache - skip IEEE 802.1X/EAP");
1348 /* Setup EAPOL state machines to already authenticated state
1349 * because of existing PMKSA information in the cache. */
1350 sta
->eapol_sm
->keyRun
= TRUE
;
1351 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
1352 sta
->eapol_sm
->auth_pae_state
= AUTH_PAE_AUTHENTICATING
;
1353 sta
->eapol_sm
->be_auth_state
= BE_AUTH_SUCCESS
;
1354 sta
->eapol_sm
->authSuccess
= TRUE
;
1355 sta
->eapol_sm
->authFail
= FALSE
;
1356 if (sta
->eapol_sm
->eap
)
1357 eap_sm_notify_cached(sta
->eapol_sm
->eap
);
1358 pmksa_cache_to_eapol_data(hapd
, pmksa
, sta
->eapol_sm
);
1359 ap_sta_bind_vlan(hapd
, sta
);
1363 * Force EAPOL state machines to start
1364 * re-authentication without having to wait for the
1365 * Supplicant to send EAPOL-Start.
1367 sta
->eapol_sm
->reAuthenticate
= TRUE
;
1369 eapol_auth_step(sta
->eapol_sm
);
1374 void ieee802_1x_free_station(struct hostapd_data
*hapd
, struct sta_info
*sta
)
1376 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1379 eloop_cancel_timeout(ieee802_1x_wnm_notif_send
, hapd
, sta
);
1380 #endif /* CONFIG_HS20 */
1382 if (sta
->pending_eapol_rx
) {
1383 wpabuf_free(sta
->pending_eapol_rx
->buf
);
1384 os_free(sta
->pending_eapol_rx
);
1385 sta
->pending_eapol_rx
= NULL
;
1391 sta
->eapol_sm
= NULL
;
1393 #ifndef CONFIG_NO_RADIUS
1394 radius_msg_free(sm
->last_recv_radius
);
1395 radius_free_class(&sm
->radius_class
);
1396 #endif /* CONFIG_NO_RADIUS */
1398 eapol_auth_free(sm
);
1402 #ifndef CONFIG_NO_RADIUS
1403 static void ieee802_1x_decapsulate_radius(struct hostapd_data
*hapd
,
1404 struct sta_info
*sta
)
1407 const struct eap_hdr
*hdr
;
1410 struct radius_msg
*msg
;
1411 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1413 if (!sm
|| !sm
->last_recv_radius
) {
1415 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1419 msg
= sm
->last_recv_radius
;
1421 eap
= radius_msg_get_eap(msg
);
1423 /* RFC 3579, Chap. 2.6.3:
1424 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
1426 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1427 HOSTAPD_LEVEL_WARNING
,
1428 "could not extract EAP-Message from RADIUS message");
1429 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1433 if (wpabuf_len(eap
) < sizeof(*hdr
)) {
1434 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1435 HOSTAPD_LEVEL_WARNING
,
1436 "too short EAP packet received from authentication server");
1438 sm
->eap_if
->aaaEapNoReq
= TRUE
;
1442 if (wpabuf_len(eap
) > sizeof(*hdr
))
1443 eap_type
= (wpabuf_head_u8(eap
))[sizeof(*hdr
)];
1445 hdr
= wpabuf_head(eap
);
1446 switch (hdr
->code
) {
1447 case EAP_CODE_REQUEST
:
1449 sm
->eap_type_authsrv
= eap_type
;
1450 os_snprintf(buf
, sizeof(buf
), "EAP-Request-%s (%d)",
1451 eap_server_get_name(0, eap_type
), eap_type
);
1453 case EAP_CODE_RESPONSE
:
1454 os_snprintf(buf
, sizeof(buf
), "EAP Response-%s (%d)",
1455 eap_server_get_name(0, eap_type
), eap_type
);
1457 case EAP_CODE_SUCCESS
:
1458 os_strlcpy(buf
, "EAP Success", sizeof(buf
));
1460 case EAP_CODE_FAILURE
:
1461 os_strlcpy(buf
, "EAP Failure", sizeof(buf
));
1464 os_strlcpy(buf
, "unknown EAP code", sizeof(buf
));
1467 buf
[sizeof(buf
) - 1] = '\0';
1468 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1469 HOSTAPD_LEVEL_DEBUG
,
1470 "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s",
1471 hdr
->code
, hdr
->identifier
, be_to_host16(hdr
->length
),
1473 sm
->eap_if
->aaaEapReq
= TRUE
;
1475 wpabuf_free(sm
->eap_if
->aaaEapReqData
);
1476 sm
->eap_if
->aaaEapReqData
= eap
;
1480 static void ieee802_1x_get_keys(struct hostapd_data
*hapd
,
1481 struct sta_info
*sta
, struct radius_msg
*msg
,
1482 struct radius_msg
*req
,
1483 const u8
*shared_secret
,
1484 size_t shared_secret_len
)
1486 struct radius_ms_mppe_keys
*keys
;
1489 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1494 keys
= radius_msg_get_ms_keys(msg
, req
, shared_secret
,
1497 if (keys
&& keys
->send
&& keys
->recv
) {
1498 len
= keys
->send_len
+ keys
->recv_len
;
1499 wpa_hexdump_key(MSG_DEBUG
, "MS-MPPE-Send-Key",
1500 keys
->send
, keys
->send_len
);
1501 wpa_hexdump_key(MSG_DEBUG
, "MS-MPPE-Recv-Key",
1502 keys
->recv
, keys
->recv_len
);
1504 os_free(sm
->eap_if
->aaaEapKeyData
);
1505 sm
->eap_if
->aaaEapKeyData
= os_malloc(len
);
1506 if (sm
->eap_if
->aaaEapKeyData
) {
1507 os_memcpy(sm
->eap_if
->aaaEapKeyData
, keys
->recv
,
1509 os_memcpy(sm
->eap_if
->aaaEapKeyData
+ keys
->recv_len
,
1510 keys
->send
, keys
->send_len
);
1511 sm
->eap_if
->aaaEapKeyDataLen
= len
;
1512 sm
->eap_if
->aaaEapKeyAvailable
= TRUE
;
1515 wpa_printf(MSG_DEBUG
,
1516 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p",
1517 keys
, keys
? keys
->send
: NULL
,
1518 keys
? keys
->recv
: NULL
);
1522 os_free(keys
->send
);
1523 os_free(keys
->recv
);
1527 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_EAP_KEY_NAME
, &buf
, &len
,
1529 os_free(sm
->eap_if
->eapSessionId
);
1530 sm
->eap_if
->eapSessionId
= os_memdup(buf
, len
);
1531 if (sm
->eap_if
->eapSessionId
) {
1532 sm
->eap_if
->eapSessionIdLen
= len
;
1533 wpa_hexdump(MSG_DEBUG
, "EAP-Key Name",
1534 sm
->eap_if
->eapSessionId
,
1535 sm
->eap_if
->eapSessionIdLen
);
1538 sm
->eap_if
->eapSessionIdLen
= 0;
1543 static void ieee802_1x_store_radius_class(struct hostapd_data
*hapd
,
1544 struct sta_info
*sta
,
1545 struct radius_msg
*msg
)
1549 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1551 struct radius_attr_data
*nclass
;
1552 size_t nclass_count
;
1554 if (!hapd
->conf
->radius
->acct_server
|| !hapd
->radius
|| !sm
)
1557 radius_free_class(&sm
->radius_class
);
1558 count
= radius_msg_count_attr(msg
, RADIUS_ATTR_CLASS
, 1);
1562 nclass
= os_calloc(count
, sizeof(struct radius_attr_data
));
1569 for (i
= 0; i
< count
; i
++) {
1571 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_CLASS
,
1572 &attr_class
, &class_len
,
1577 } while (class_len
< 1);
1579 nclass
[nclass_count
].data
= os_memdup(attr_class
, class_len
);
1580 if (!nclass
[nclass_count
].data
)
1583 nclass
[nclass_count
].len
= class_len
;
1587 sm
->radius_class
.attr
= nclass
;
1588 sm
->radius_class
.count
= nclass_count
;
1589 wpa_printf(MSG_DEBUG
,
1590 "IEEE 802.1X: Stored %lu RADIUS Class attributes for "
1592 (unsigned long) sm
->radius_class
.count
,
1593 MAC2STR(sta
->addr
));
1597 /* Update sta->identity based on User-Name attribute in Access-Accept */
1598 static void ieee802_1x_update_sta_identity(struct hostapd_data
*hapd
,
1599 struct sta_info
*sta
,
1600 struct radius_msg
*msg
)
1604 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1609 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_USER_NAME
, &buf
, &len
,
1613 identity
= (u8
*) dup_binstr(buf
, len
);
1617 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1618 HOSTAPD_LEVEL_DEBUG
,
1619 "old identity '%s' updated with User-Name from Access-Accept '%s'",
1620 sm
->identity
? (char *) sm
->identity
: "N/A",
1623 os_free(sm
->identity
);
1624 sm
->identity
= identity
;
1625 sm
->identity_len
= len
;
1629 /* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */
1630 static void ieee802_1x_update_sta_cui(struct hostapd_data
*hapd
,
1631 struct sta_info
*sta
,
1632 struct radius_msg
*msg
)
1634 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1642 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY
,
1643 &buf
, &len
, NULL
) < 0)
1646 cui
= wpabuf_alloc_copy(buf
, len
);
1650 wpabuf_free(sm
->radius_cui
);
1651 sm
->radius_cui
= cui
;
1657 static void ieee802_1x_hs20_sub_rem(struct sta_info
*sta
, u8
*pos
, size_t len
)
1659 sta
->remediation
= 1;
1660 os_free(sta
->remediation_url
);
1662 sta
->remediation_url
= os_malloc(len
);
1663 if (!sta
->remediation_url
)
1665 sta
->remediation_method
= pos
[0];
1666 os_memcpy(sta
->remediation_url
, pos
+ 1, len
- 1);
1667 sta
->remediation_url
[len
- 1] = '\0';
1668 wpa_printf(MSG_DEBUG
,
1669 "HS 2.0: Subscription remediation needed for "
1670 MACSTR
" - server method %u URL %s",
1671 MAC2STR(sta
->addr
), sta
->remediation_method
,
1672 sta
->remediation_url
);
1674 sta
->remediation_url
= NULL
;
1675 wpa_printf(MSG_DEBUG
,
1676 "HS 2.0: Subscription remediation needed for "
1677 MACSTR
, MAC2STR(sta
->addr
));
1679 /* TODO: assign the STA into remediation VLAN or add filtering */
1683 static void ieee802_1x_hs20_deauth_req(struct hostapd_data
*hapd
,
1684 struct sta_info
*sta
, u8
*pos
,
1688 return; /* Malformed information */
1689 sta
->hs20_deauth_requested
= 1;
1690 wpa_printf(MSG_DEBUG
,
1691 "HS 2.0: Deauthentication request - Code %u Re-auth Delay %u",
1692 *pos
, WPA_GET_LE16(pos
+ 1));
1693 wpabuf_free(sta
->hs20_deauth_req
);
1694 sta
->hs20_deauth_req
= wpabuf_alloc(len
+ 1);
1695 if (sta
->hs20_deauth_req
) {
1696 wpabuf_put_data(sta
->hs20_deauth_req
, pos
, 3);
1697 wpabuf_put_u8(sta
->hs20_deauth_req
, len
- 3);
1698 wpabuf_put_data(sta
->hs20_deauth_req
, pos
+ 3, len
- 3);
1700 ap_sta_session_timeout(hapd
, sta
, hapd
->conf
->hs20_deauth_req_timeout
);
1704 static void ieee802_1x_hs20_session_info(struct hostapd_data
*hapd
,
1705 struct sta_info
*sta
, u8
*pos
,
1706 size_t len
, int session_timeout
)
1709 int warning_time
, beacon_int
;
1712 return; /* Malformed information */
1713 os_free(sta
->hs20_session_info_url
);
1714 sta
->hs20_session_info_url
= os_malloc(len
);
1715 if (!sta
->hs20_session_info_url
)
1718 os_memcpy(sta
->hs20_session_info_url
, pos
+ 1, len
- 1);
1719 sta
->hs20_session_info_url
[len
- 1] = '\0';
1720 wpa_printf(MSG_DEBUG
,
1721 "HS 2.0: Session Information URL='%s' SWT=%u (session_timeout=%d)",
1722 sta
->hs20_session_info_url
, swt
, session_timeout
);
1723 if (session_timeout
< 0) {
1724 wpa_printf(MSG_DEBUG
,
1725 "HS 2.0: No Session-Timeout set - ignore session info URL");
1729 swt
= 1; /* Use one minute as the AP selected value */
1731 if ((unsigned int) session_timeout
< swt
* 60)
1734 warning_time
= session_timeout
- swt
* 60;
1736 beacon_int
= hapd
->iconf
->beacon_int
;
1738 beacon_int
= 100; /* best guess */
1739 sta
->hs20_disassoc_timer
= swt
* 60 * 1000 / beacon_int
* 125 / 128;
1740 if (sta
->hs20_disassoc_timer
> 65535)
1741 sta
->hs20_disassoc_timer
= 65535;
1743 ap_sta_session_warning_timeout(hapd
, sta
, warning_time
);
1747 static void ieee802_1x_hs20_t_c_filtering(struct hostapd_data
*hapd
,
1748 struct sta_info
*sta
, u8
*pos
,
1752 return; /* Malformed information */
1753 wpa_printf(MSG_DEBUG
,
1754 "HS 2.0: Terms and Conditions filtering %02x %02x %02x %02x",
1755 pos
[0], pos
[1], pos
[2], pos
[3]);
1756 hs20_t_c_filtering(hapd
, sta
, pos
[0] & BIT(0));
1760 static void ieee802_1x_hs20_t_c_url(struct hostapd_data
*hapd
,
1761 struct sta_info
*sta
, u8
*pos
, size_t len
)
1763 os_free(sta
->t_c_url
);
1764 sta
->t_c_url
= os_malloc(len
+ 1);
1767 os_memcpy(sta
->t_c_url
, pos
, len
);
1768 sta
->t_c_url
[len
] = '\0';
1769 wpa_printf(MSG_DEBUG
,
1770 "HS 2.0: Terms and Conditions URL %s", sta
->t_c_url
);
1773 #endif /* CONFIG_HS20 */
1776 static void ieee802_1x_check_hs20(struct hostapd_data
*hapd
,
1777 struct sta_info
*sta
,
1778 struct radius_msg
*msg
,
1779 int session_timeout
)
1782 u8
*buf
, *pos
, *end
, type
, sublen
;
1786 sta
->remediation
= 0;
1787 sta
->hs20_deauth_requested
= 0;
1790 if (radius_msg_get_attr_ptr(msg
, RADIUS_ATTR_VENDOR_SPECIFIC
,
1791 &buf
, &len
, buf
) < 0)
1797 if (WPA_GET_BE32(pos
) != RADIUS_VENDOR_ID_WFA
)
1804 continue; /* invalid length */
1805 sublen
-= 2; /* skip header */
1806 if (pos
+ sublen
> end
)
1807 continue; /* invalid WFA VSA */
1810 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION
:
1811 ieee802_1x_hs20_sub_rem(sta
, pos
, sublen
);
1813 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ
:
1814 ieee802_1x_hs20_deauth_req(hapd
, sta
, pos
, sublen
);
1816 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL
:
1817 ieee802_1x_hs20_session_info(hapd
, sta
, pos
, sublen
,
1820 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING
:
1821 ieee802_1x_hs20_t_c_filtering(hapd
, sta
, pos
, sublen
);
1823 case RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL
:
1824 ieee802_1x_hs20_t_c_url(hapd
, sta
, pos
, sublen
);
1828 #endif /* CONFIG_HS20 */
1832 struct sta_id_search
{
1834 struct eapol_state_machine
*sm
;
1838 static int ieee802_1x_select_radius_identifier(struct hostapd_data
*hapd
,
1839 struct sta_info
*sta
,
1842 struct sta_id_search
*id_search
= ctx
;
1843 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
1845 if (sm
&& sm
->radius_identifier
>= 0 &&
1846 sm
->radius_identifier
== id_search
->identifier
) {
1854 static struct eapol_state_machine
*
1855 ieee802_1x_search_radius_identifier(struct hostapd_data
*hapd
, u8 identifier
)
1857 struct sta_id_search id_search
;
1859 id_search
.identifier
= identifier
;
1860 id_search
.sm
= NULL
;
1861 ap_for_each_sta(hapd
, ieee802_1x_select_radius_identifier
, &id_search
);
1862 return id_search
.sm
;
1866 #ifndef CONFIG_NO_VLAN
1867 static int ieee802_1x_update_vlan(struct radius_msg
*msg
,
1868 struct hostapd_data
*hapd
,
1869 struct sta_info
*sta
)
1871 struct vlan_description vlan_desc
;
1873 os_memset(&vlan_desc
, 0, sizeof(vlan_desc
));
1874 vlan_desc
.notempty
= !!radius_msg_get_vlanid(msg
, &vlan_desc
.untagged
,
1875 MAX_NUM_TAGGED_VLAN
,
1878 if (vlan_desc
.notempty
&&
1879 !hostapd_vlan_valid(hapd
->conf
->vlan
, &vlan_desc
)) {
1880 sta
->eapol_sm
->authFail
= TRUE
;
1881 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_RADIUS
,
1883 "Invalid VLAN %d%s received from RADIUS server",
1885 vlan_desc
.tagged
[0] ? "+" : "");
1886 os_memset(&vlan_desc
, 0, sizeof(vlan_desc
));
1887 ap_sta_set_vlan(hapd
, sta
, &vlan_desc
);
1891 if (hapd
->conf
->ssid
.dynamic_vlan
== DYNAMIC_VLAN_REQUIRED
&&
1892 !vlan_desc
.notempty
) {
1893 sta
->eapol_sm
->authFail
= TRUE
;
1894 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
1896 "authentication server did not include required VLAN ID in Access-Accept");
1900 return ap_sta_set_vlan(hapd
, sta
, &vlan_desc
);
1902 #endif /* CONFIG_NO_VLAN */
1906 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
1907 * @msg: RADIUS response message
1908 * @req: RADIUS request message
1909 * @shared_secret: RADIUS shared secret
1910 * @shared_secret_len: Length of shared_secret in octets
1911 * @data: Context data (struct hostapd_data *)
1912 * Returns: Processing status
1914 static RadiusRxResult
1915 ieee802_1x_receive_auth(struct radius_msg
*msg
, struct radius_msg
*req
,
1916 const u8
*shared_secret
, size_t shared_secret_len
,
1919 struct hostapd_data
*hapd
= data
;
1920 struct sta_info
*sta
;
1921 u32 session_timeout
= 0, termination_action
, acct_interim_interval
;
1922 int session_timeout_set
;
1924 struct eapol_state_machine
*sm
;
1925 int override_eapReq
= 0;
1926 struct radius_hdr
*hdr
= radius_msg_get_hdr(msg
);
1928 sm
= ieee802_1x_search_radius_identifier(hapd
, hdr
->identifier
);
1930 wpa_printf(MSG_DEBUG
,
1931 "IEEE 802.1X: Could not find matching station for this RADIUS message");
1932 return RADIUS_RX_UNKNOWN
;
1936 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
1937 * present when packet contains an EAP-Message attribute */
1938 if (hdr
->code
== RADIUS_CODE_ACCESS_REJECT
&&
1939 radius_msg_get_attr(msg
, RADIUS_ATTR_MESSAGE_AUTHENTICATOR
, NULL
,
1941 radius_msg_get_attr(msg
, RADIUS_ATTR_EAP_MESSAGE
, NULL
, 0) < 0) {
1942 wpa_printf(MSG_DEBUG
,
1943 "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
1944 } else if (radius_msg_verify(msg
, shared_secret
, shared_secret_len
,
1946 wpa_printf(MSG_INFO
,
1947 "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
1948 return RADIUS_RX_INVALID_AUTHENTICATOR
;
1951 if (hdr
->code
!= RADIUS_CODE_ACCESS_ACCEPT
&&
1952 hdr
->code
!= RADIUS_CODE_ACCESS_REJECT
&&
1953 hdr
->code
!= RADIUS_CODE_ACCESS_CHALLENGE
) {
1954 wpa_printf(MSG_INFO
, "Unknown RADIUS message code");
1955 return RADIUS_RX_UNKNOWN
;
1958 sm
->radius_identifier
= -1;
1959 wpa_printf(MSG_DEBUG
, "RADIUS packet matching with station " MACSTR
,
1960 MAC2STR(sta
->addr
));
1962 radius_msg_free(sm
->last_recv_radius
);
1963 sm
->last_recv_radius
= msg
;
1965 session_timeout_set
=
1966 !radius_msg_get_attr_int32(msg
, RADIUS_ATTR_SESSION_TIMEOUT
,
1968 if (radius_msg_get_attr_int32(msg
, RADIUS_ATTR_TERMINATION_ACTION
,
1969 &termination_action
))
1970 termination_action
= RADIUS_TERMINATION_ACTION_DEFAULT
;
1972 if (hapd
->conf
->acct_interim_interval
== 0 &&
1973 hdr
->code
== RADIUS_CODE_ACCESS_ACCEPT
&&
1974 radius_msg_get_attr_int32(msg
, RADIUS_ATTR_ACCT_INTERIM_INTERVAL
,
1975 &acct_interim_interval
) == 0) {
1976 if (acct_interim_interval
< 60) {
1977 hostapd_logger(hapd
, sta
->addr
,
1978 HOSTAPD_MODULE_IEEE8021X
,
1980 "ignored too small Acct-Interim-Interval %d",
1981 acct_interim_interval
);
1983 sta
->acct_interim_interval
= acct_interim_interval
;
1987 switch (hdr
->code
) {
1988 case RADIUS_CODE_ACCESS_ACCEPT
:
1989 #ifndef CONFIG_NO_VLAN
1990 if (hapd
->conf
->ssid
.dynamic_vlan
!= DYNAMIC_VLAN_DISABLED
&&
1991 ieee802_1x_update_vlan(msg
, hapd
, sta
) < 0)
1994 if (sta
->vlan_id
> 0) {
1995 hostapd_logger(hapd
, sta
->addr
,
1996 HOSTAPD_MODULE_RADIUS
,
1998 "VLAN ID %d", sta
->vlan_id
);
2001 if ((sta
->flags
& WLAN_STA_ASSOC
) &&
2002 ap_sta_bind_vlan(hapd
, sta
) < 0)
2004 #endif /* CONFIG_NO_VLAN */
2006 sta
->session_timeout_set
= !!session_timeout_set
;
2007 os_get_reltime(&sta
->session_timeout
);
2008 sta
->session_timeout
.sec
+= session_timeout
;
2010 /* RFC 3580, Ch. 3.17 */
2011 if (session_timeout_set
&& termination_action
==
2012 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST
)
2013 sm
->reAuthPeriod
= session_timeout
;
2014 else if (session_timeout_set
)
2015 ap_sta_session_timeout(hapd
, sta
, session_timeout
);
2017 ap_sta_no_session_timeout(hapd
, sta
);
2019 sm
->eap_if
->aaaSuccess
= TRUE
;
2020 override_eapReq
= 1;
2021 ieee802_1x_get_keys(hapd
, sta
, msg
, req
, shared_secret
,
2023 ieee802_1x_store_radius_class(hapd
, sta
, msg
);
2024 ieee802_1x_update_sta_identity(hapd
, sta
, msg
);
2025 ieee802_1x_update_sta_cui(hapd
, sta
, msg
);
2026 ieee802_1x_check_hs20(hapd
, sta
, msg
,
2027 session_timeout_set
?
2028 (int) session_timeout
: -1);
2030 case RADIUS_CODE_ACCESS_REJECT
:
2031 sm
->eap_if
->aaaFail
= TRUE
;
2032 override_eapReq
= 1;
2033 if (radius_msg_get_attr_int32(msg
, RADIUS_ATTR_WLAN_REASON_CODE
,
2034 &reason_code
) == 0) {
2035 wpa_printf(MSG_DEBUG
,
2036 "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for "
2037 MACSTR
, reason_code
, MAC2STR(sta
->addr
));
2038 sta
->disconnect_reason_code
= reason_code
;
2041 case RADIUS_CODE_ACCESS_CHALLENGE
:
2042 sm
->eap_if
->aaaEapReq
= TRUE
;
2043 if (session_timeout_set
) {
2044 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
2045 sm
->eap_if
->aaaMethodTimeout
= session_timeout
;
2046 hostapd_logger(hapd
, sm
->addr
,
2047 HOSTAPD_MODULE_IEEE8021X
,
2048 HOSTAPD_LEVEL_DEBUG
,
2049 "using EAP timeout of %d seconds (from RADIUS)",
2050 sm
->eap_if
->aaaMethodTimeout
);
2053 * Use dynamic retransmission behavior per EAP
2056 sm
->eap_if
->aaaMethodTimeout
= 0;
2061 ieee802_1x_decapsulate_radius(hapd
, sta
);
2062 if (override_eapReq
)
2063 sm
->eap_if
->aaaEapReq
= FALSE
;
2067 if (sta
->flags
& WLAN_STA_PENDING_FILS_ERP
) {
2068 /* TODO: Add a PMKSA entry on success? */
2069 ieee802_11_finish_fils_auth(
2070 hapd
, sta
, hdr
->code
== RADIUS_CODE_ACCESS_ACCEPT
,
2071 sm
->eap_if
->aaaEapReqData
,
2072 sm
->eap_if
->aaaEapKeyData
,
2073 sm
->eap_if
->aaaEapKeyDataLen
);
2075 #endif /* NEED_AP_MLME */
2076 #endif /* CONFIG_FILS */
2078 eapol_auth_step(sm
);
2080 return RADIUS_RX_QUEUED
;
2082 #endif /* CONFIG_NO_RADIUS */
2085 void ieee802_1x_abort_auth(struct hostapd_data
*hapd
, struct sta_info
*sta
)
2087 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2092 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
2093 HOSTAPD_LEVEL_DEBUG
, "aborting authentication");
2095 #ifndef CONFIG_NO_RADIUS
2096 radius_msg_free(sm
->last_recv_radius
);
2097 sm
->last_recv_radius
= NULL
;
2098 #endif /* CONFIG_NO_RADIUS */
2100 if (sm
->eap_if
->eapTimeout
) {
2102 * Disconnect the STA since it did not reply to the last EAP
2103 * request and we cannot continue EAP processing (EAP-Failure
2104 * could only be sent if the EAP peer actually replied).
2106 wpa_dbg(hapd
->msg_ctx
, MSG_DEBUG
, "EAP Timeout, STA " MACSTR
,
2107 MAC2STR(sta
->addr
));
2109 sm
->eap_if
->portEnabled
= FALSE
;
2110 ap_sta_disconnect(hapd
, sta
, sta
->addr
,
2111 WLAN_REASON_PREV_AUTH_NOT_VALID
);
2116 static int ieee802_1x_rekey_broadcast(struct hostapd_data
*hapd
)
2118 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
2120 if (hapd
->conf
->default_wep_key_len
< 1)
2123 os_free(eapol
->default_wep_key
);
2124 eapol
->default_wep_key
= os_malloc(hapd
->conf
->default_wep_key_len
);
2125 if (!eapol
->default_wep_key
||
2126 random_get_bytes(eapol
->default_wep_key
,
2127 hapd
->conf
->default_wep_key_len
)) {
2128 wpa_printf(MSG_INFO
, "Could not generate random WEP key");
2129 os_free(eapol
->default_wep_key
);
2130 eapol
->default_wep_key
= NULL
;
2134 wpa_hexdump_key(MSG_DEBUG
, "IEEE 802.1X: New default WEP key",
2135 eapol
->default_wep_key
,
2136 hapd
->conf
->default_wep_key_len
);
2142 static int ieee802_1x_sta_key_available(struct hostapd_data
*hapd
,
2143 struct sta_info
*sta
, void *ctx
)
2145 if (sta
->eapol_sm
) {
2146 sta
->eapol_sm
->eap_if
->eapKeyAvailable
= TRUE
;
2147 eapol_auth_step(sta
->eapol_sm
);
2153 static void ieee802_1x_rekey(void *eloop_ctx
, void *timeout_ctx
)
2155 struct hostapd_data
*hapd
= eloop_ctx
;
2156 struct eapol_authenticator
*eapol
= hapd
->eapol_auth
;
2158 if (eapol
->default_wep_key_idx
>= 3)
2159 eapol
->default_wep_key_idx
=
2160 hapd
->conf
->individual_wep_key_len
> 0 ? 1 : 0;
2162 eapol
->default_wep_key_idx
++;
2164 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: New default WEP key index %d",
2165 eapol
->default_wep_key_idx
);
2167 if (ieee802_1x_rekey_broadcast(hapd
)) {
2168 hostapd_logger(hapd
, NULL
, HOSTAPD_MODULE_IEEE8021X
,
2169 HOSTAPD_LEVEL_WARNING
,
2170 "failed to generate a new broadcast key");
2171 os_free(eapol
->default_wep_key
);
2172 eapol
->default_wep_key
= NULL
;
2176 /* TODO: Could setup key for RX here, but change default TX keyid only
2177 * after new broadcast key has been sent to all stations. */
2178 if (hostapd_drv_set_key(hapd
->conf
->iface
, hapd
, WPA_ALG_WEP
,
2179 broadcast_ether_addr
,
2180 eapol
->default_wep_key_idx
, 0, 1, NULL
, 0,
2181 eapol
->default_wep_key
,
2182 hapd
->conf
->default_wep_key_len
)) {
2183 hostapd_logger(hapd
, NULL
, HOSTAPD_MODULE_IEEE8021X
,
2184 HOSTAPD_LEVEL_WARNING
,
2185 "failed to configure a new broadcast key");
2186 os_free(eapol
->default_wep_key
);
2187 eapol
->default_wep_key
= NULL
;
2191 ap_for_each_sta(hapd
, ieee802_1x_sta_key_available
, NULL
);
2193 if (hapd
->conf
->wep_rekeying_period
> 0) {
2194 eloop_register_timeout(hapd
->conf
->wep_rekeying_period
, 0,
2195 ieee802_1x_rekey
, hapd
, NULL
);
2200 static void ieee802_1x_eapol_send(void *ctx
, void *sta_ctx
, u8 type
,
2201 const u8
*data
, size_t datalen
)
2204 struct sta_info
*sta
= sta_ctx
;
2206 if ((sta
->flags
& (WLAN_STA_WPS
| WLAN_STA_MAYBE_WPS
)) ==
2207 WLAN_STA_MAYBE_WPS
) {
2209 size_t identity_len
;
2210 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2212 identity
= eap_get_identity(sm
->eap
, &identity_len
);
2214 ((identity_len
== WSC_ID_ENROLLEE_LEN
&&
2215 os_memcmp(identity
, WSC_ID_ENROLLEE
,
2216 WSC_ID_ENROLLEE_LEN
) == 0) ||
2217 (identity_len
== WSC_ID_REGISTRAR_LEN
&&
2218 os_memcmp(identity
, WSC_ID_REGISTRAR
,
2219 WSC_ID_REGISTRAR_LEN
) == 0))) {
2220 wpa_printf(MSG_DEBUG
,
2221 "WPS: WLAN_STA_MAYBE_WPS -> WLAN_STA_WPS");
2222 sta
->flags
|= WLAN_STA_WPS
;
2225 #endif /* CONFIG_WPS */
2227 ieee802_1x_send(ctx
, sta_ctx
, type
, data
, datalen
);
2231 static void ieee802_1x_aaa_send(void *ctx
, void *sta_ctx
,
2232 const u8
*data
, size_t datalen
)
2234 #ifndef CONFIG_NO_RADIUS
2235 struct hostapd_data
*hapd
= ctx
;
2236 struct sta_info
*sta
= sta_ctx
;
2238 ieee802_1x_encapsulate_radius(hapd
, sta
, data
, datalen
);
2239 #endif /* CONFIG_NO_RADIUS */
2243 static void _ieee802_1x_finished(void *ctx
, void *sta_ctx
, int success
,
2244 int preauth
, int remediation
)
2246 struct hostapd_data
*hapd
= ctx
;
2247 struct sta_info
*sta
= sta_ctx
;
2250 rsn_preauth_finished(hapd
, sta
, success
);
2252 ieee802_1x_finished(hapd
, sta
, success
, remediation
);
2256 static int ieee802_1x_get_eap_user(void *ctx
, const u8
*identity
,
2257 size_t identity_len
, int phase2
,
2258 struct eap_user
*user
)
2260 struct hostapd_data
*hapd
= ctx
;
2261 const struct hostapd_eap_user
*eap_user
;
2265 eap_user
= hostapd_get_eap_user(hapd
, identity
, identity_len
, phase2
);
2269 os_memset(user
, 0, sizeof(*user
));
2270 user
->phase2
= phase2
;
2271 for (i
= 0; i
< EAP_MAX_METHODS
; i
++) {
2272 user
->methods
[i
].vendor
= eap_user
->methods
[i
].vendor
;
2273 user
->methods
[i
].method
= eap_user
->methods
[i
].method
;
2276 if (eap_user
->password
) {
2277 user
->password
= os_memdup(eap_user
->password
,
2278 eap_user
->password_len
);
2279 if (!user
->password
)
2281 user
->password_len
= eap_user
->password_len
;
2282 user
->password_hash
= eap_user
->password_hash
;
2283 if (eap_user
->salt
&& eap_user
->salt_len
) {
2284 user
->salt
= os_memdup(eap_user
->salt
,
2285 eap_user
->salt_len
);
2288 user
->salt_len
= eap_user
->salt_len
;
2291 user
->force_version
= eap_user
->force_version
;
2292 user
->macacl
= eap_user
->macacl
;
2293 user
->ttls_auth
= eap_user
->ttls_auth
;
2294 user
->remediation
= eap_user
->remediation
;
2299 wpa_printf(MSG_DEBUG
, "%s: Failed to find user", __func__
);
2305 static int ieee802_1x_sta_entry_alive(void *ctx
, const u8
*addr
)
2307 struct hostapd_data
*hapd
= ctx
;
2308 struct sta_info
*sta
;
2310 sta
= ap_get_sta(hapd
, addr
);
2311 if (!sta
|| !sta
->eapol_sm
)
2317 static void ieee802_1x_logger(void *ctx
, const u8
*addr
,
2318 eapol_logger_level level
, const char *txt
)
2320 #ifndef CONFIG_NO_HOSTAPD_LOGGER
2321 struct hostapd_data
*hapd
= ctx
;
2325 case EAPOL_LOGGER_WARNING
:
2326 hlevel
= HOSTAPD_LEVEL_WARNING
;
2328 case EAPOL_LOGGER_INFO
:
2329 hlevel
= HOSTAPD_LEVEL_INFO
;
2331 case EAPOL_LOGGER_DEBUG
:
2333 hlevel
= HOSTAPD_LEVEL_DEBUG
;
2337 hostapd_logger(hapd
, addr
, HOSTAPD_MODULE_IEEE8021X
, hlevel
, "%s",
2339 #endif /* CONFIG_NO_HOSTAPD_LOGGER */
2343 static void ieee802_1x_set_port_authorized(void *ctx
, void *sta_ctx
,
2346 struct hostapd_data
*hapd
= ctx
;
2347 struct sta_info
*sta
= sta_ctx
;
2349 ieee802_1x_set_sta_authorized(hapd
, sta
, authorized
);
2353 static void _ieee802_1x_abort_auth(void *ctx
, void *sta_ctx
)
2355 struct hostapd_data
*hapd
= ctx
;
2356 struct sta_info
*sta
= sta_ctx
;
2358 ieee802_1x_abort_auth(hapd
, sta
);
2362 static void _ieee802_1x_tx_key(void *ctx
, void *sta_ctx
)
2365 #ifndef CONFIG_NO_RC4
2366 struct hostapd_data
*hapd
= ctx
;
2367 struct sta_info
*sta
= sta_ctx
;
2369 ieee802_1x_tx_key(hapd
, sta
);
2370 #endif /* CONFIG_NO_RC4 */
2371 #endif /* CONFIG_FIPS */
2375 static void ieee802_1x_eapol_event(void *ctx
, void *sta_ctx
,
2376 enum eapol_event type
)
2378 /* struct hostapd_data *hapd = ctx; */
2379 struct sta_info
*sta
= sta_ctx
;
2382 case EAPOL_AUTH_SM_CHANGE
:
2383 wpa_auth_sm_notify(sta
->wpa_sm
);
2385 case EAPOL_AUTH_REAUTHENTICATE
:
2386 wpa_auth_sm_event(sta
->wpa_sm
, WPA_REAUTH_EAPOL
);
2394 static struct eap_server_erp_key
*
2395 ieee802_1x_erp_get_key(void *ctx
, const char *keyname
)
2397 struct hostapd_data
*hapd
= ctx
;
2398 struct eap_server_erp_key
*erp
;
2400 dl_list_for_each(erp
, &hapd
->erp_keys
, struct eap_server_erp_key
,
2402 if (os_strcmp(erp
->keyname_nai
, keyname
) == 0)
2410 static int ieee802_1x_erp_add_key(void *ctx
, struct eap_server_erp_key
*erp
)
2412 struct hostapd_data
*hapd
= ctx
;
2414 dl_list_add(&hapd
->erp_keys
, &erp
->list
);
2418 #endif /* CONFIG_ERP */
2421 int ieee802_1x_init(struct hostapd_data
*hapd
)
2424 struct eapol_auth_config conf
;
2425 struct eapol_auth_cb cb
;
2427 dl_list_init(&hapd
->erp_keys
);
2429 os_memset(&conf
, 0, sizeof(conf
));
2430 conf
.eap_cfg
= hapd
->eap_cfg
;
2432 conf
.eap_reauth_period
= hapd
->conf
->eap_reauth_period
;
2433 conf
.wpa
= hapd
->conf
->wpa
;
2434 conf
.individual_wep_key_len
= hapd
->conf
->individual_wep_key_len
;
2435 conf
.eap_req_id_text
= hapd
->conf
->eap_req_id_text
;
2436 conf
.eap_req_id_text_len
= hapd
->conf
->eap_req_id_text_len
;
2437 conf
.erp_send_reauth_start
= hapd
->conf
->erp_send_reauth_start
;
2438 conf
.erp_domain
= hapd
->conf
->erp_domain
;
2440 os_memset(&cb
, 0, sizeof(cb
));
2441 cb
.eapol_send
= ieee802_1x_eapol_send
;
2442 cb
.aaa_send
= ieee802_1x_aaa_send
;
2443 cb
.finished
= _ieee802_1x_finished
;
2444 cb
.get_eap_user
= ieee802_1x_get_eap_user
;
2445 cb
.sta_entry_alive
= ieee802_1x_sta_entry_alive
;
2446 cb
.logger
= ieee802_1x_logger
;
2447 cb
.set_port_authorized
= ieee802_1x_set_port_authorized
;
2448 cb
.abort_auth
= _ieee802_1x_abort_auth
;
2449 cb
.tx_key
= _ieee802_1x_tx_key
;
2450 cb
.eapol_event
= ieee802_1x_eapol_event
;
2452 cb
.erp_get_key
= ieee802_1x_erp_get_key
;
2453 cb
.erp_add_key
= ieee802_1x_erp_add_key
;
2454 #endif /* CONFIG_ERP */
2456 hapd
->eapol_auth
= eapol_auth_init(&conf
, &cb
);
2457 if (!hapd
->eapol_auth
)
2460 if ((hapd
->conf
->ieee802_1x
|| hapd
->conf
->wpa
) &&
2461 hostapd_set_drv_ieee8021x(hapd
, hapd
->conf
->iface
, 1))
2464 #ifndef CONFIG_NO_RADIUS
2465 if (radius_client_register(hapd
->radius
, RADIUS_AUTH
,
2466 ieee802_1x_receive_auth
, hapd
))
2468 #endif /* CONFIG_NO_RADIUS */
2470 if (hapd
->conf
->default_wep_key_len
) {
2471 for (i
= 0; i
< 4; i
++)
2472 hostapd_drv_set_key(hapd
->conf
->iface
, hapd
,
2473 WPA_ALG_NONE
, NULL
, i
, 0, 0, NULL
,
2476 ieee802_1x_rekey(hapd
, NULL
);
2478 if (!hapd
->eapol_auth
->default_wep_key
)
2486 void ieee802_1x_erp_flush(struct hostapd_data
*hapd
)
2488 struct eap_server_erp_key
*erp
;
2490 while ((erp
= dl_list_first(&hapd
->erp_keys
, struct eap_server_erp_key
,
2492 dl_list_del(&erp
->list
);
2493 bin_clear_free(erp
, sizeof(*erp
));
2498 void ieee802_1x_deinit(struct hostapd_data
*hapd
)
2500 eloop_cancel_timeout(ieee802_1x_rekey
, hapd
, NULL
);
2502 if (hapd
->driver
&& hapd
->drv_priv
&&
2503 (hapd
->conf
->ieee802_1x
|| hapd
->conf
->wpa
))
2504 hostapd_set_drv_ieee8021x(hapd
, hapd
->conf
->iface
, 0);
2506 eapol_auth_deinit(hapd
->eapol_auth
);
2507 hapd
->eapol_auth
= NULL
;
2509 ieee802_1x_erp_flush(hapd
);
2513 int ieee802_1x_tx_status(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2514 const u8
*buf
, size_t len
, int ack
)
2516 struct ieee80211_hdr
*hdr
;
2518 const unsigned char rfc1042_hdr
[ETH_ALEN
] =
2519 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
2523 if (len
< sizeof(*hdr
) + sizeof(rfc1042_hdr
) + 2)
2526 hdr
= (struct ieee80211_hdr
*) buf
;
2527 pos
= (u8
*) (hdr
+ 1);
2528 if (os_memcmp(pos
, rfc1042_hdr
, sizeof(rfc1042_hdr
)) != 0)
2530 pos
+= sizeof(rfc1042_hdr
);
2531 if (WPA_GET_BE16(pos
) != ETH_P_PAE
)
2535 return ieee802_1x_eapol_tx_status(hapd
, sta
, pos
, buf
+ len
- pos
,
2540 int ieee802_1x_eapol_tx_status(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2541 const u8
*buf
, int len
, int ack
)
2543 const struct ieee802_1x_hdr
*xhdr
=
2544 (const struct ieee802_1x_hdr
*) buf
;
2545 const u8
*pos
= buf
+ sizeof(*xhdr
);
2546 struct ieee802_1x_eapol_key
*key
;
2548 if (len
< (int) sizeof(*xhdr
))
2550 wpa_printf(MSG_DEBUG
, "IEEE 802.1X: " MACSTR
2551 " TX status - version=%d type=%d length=%d - ack=%d",
2552 MAC2STR(sta
->addr
), xhdr
->version
, xhdr
->type
,
2553 be_to_host16(xhdr
->length
), ack
);
2556 if (xhdr
->type
== IEEE802_1X_TYPE_EAP_PACKET
&& ack
&&
2557 (sta
->flags
& WLAN_STA_WPS
) &&
2558 ap_sta_pending_delayed_1x_auth_fail_disconnect(hapd
, sta
)) {
2559 wpa_printf(MSG_DEBUG
,
2560 "WPS: Indicate EAP completion on ACK for EAP-Failure");
2561 hostapd_wps_eap_completed(hapd
);
2563 #endif /* CONFIG_WPS */
2565 if (xhdr
->type
!= IEEE802_1X_TYPE_EAPOL_KEY
)
2568 if (pos
+ sizeof(struct wpa_eapol_key
) <= buf
+ len
) {
2569 const struct wpa_eapol_key
*wpa
;
2571 wpa
= (const struct wpa_eapol_key
*) pos
;
2572 if (wpa
->type
== EAPOL_KEY_TYPE_RSN
||
2573 wpa
->type
== EAPOL_KEY_TYPE_WPA
)
2574 wpa_auth_eapol_key_tx_status(hapd
->wpa_auth
,
2578 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant
2579 * or Authenticator state machines, but EAPOL-Key packets are not
2580 * retransmitted in case of failure. Try to re-send failed EAPOL-Key
2581 * packets couple of times because otherwise STA keys become
2582 * unsynchronized with AP. */
2583 if (!ack
&& pos
+ sizeof(*key
) <= buf
+ len
) {
2584 key
= (struct ieee802_1x_eapol_key
*) pos
;
2585 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_IEEE8021X
,
2586 HOSTAPD_LEVEL_DEBUG
,
2587 "did not Ack EAPOL-Key frame (%scast index=%d)",
2588 key
->key_index
& BIT(7) ? "uni" : "broad",
2589 key
->key_index
& ~BIT(7));
2590 /* TODO: re-send EAPOL-Key couple of times (with short delay
2591 * between them?). If all attempt fail, report error and
2592 * deauthenticate STA so that it will get new keys when
2593 * authenticating again (e.g., after returning in range).
2594 * Separate limit/transmit state needed both for unicast and
2595 * broadcast keys(?) */
2597 /* TODO: could move unicast key configuration from ieee802_1x_tx_key()
2598 * to here and change the key only if the EAPOL-Key packet was Acked.
2605 u8
* ieee802_1x_get_identity(struct eapol_state_machine
*sm
, size_t *len
)
2607 if (!sm
|| !sm
->identity
)
2610 *len
= sm
->identity_len
;
2611 return sm
->identity
;
2615 u8
* ieee802_1x_get_radius_class(struct eapol_state_machine
*sm
, size_t *len
,
2618 if (!sm
|| !sm
->radius_class
.attr
||
2619 idx
>= (int) sm
->radius_class
.count
)
2622 *len
= sm
->radius_class
.attr
[idx
].len
;
2623 return sm
->radius_class
.attr
[idx
].data
;
2627 struct wpabuf
* ieee802_1x_get_radius_cui(struct eapol_state_machine
*sm
)
2631 return sm
->radius_cui
;
2635 const u8
* ieee802_1x_get_key(struct eapol_state_machine
*sm
, size_t *len
)
2641 *len
= sm
->eap_if
->eapKeyDataLen
;
2642 return sm
->eap_if
->eapKeyData
;
2646 #ifdef CONFIG_MACSEC
2647 const u8
* ieee802_1x_get_session_id(struct eapol_state_machine
*sm
,
2651 if (!sm
|| !sm
->eap_if
)
2654 *len
= sm
->eap_if
->eapSessionIdLen
;
2655 return sm
->eap_if
->eapSessionId
;
2657 #endif /* CONFIG_MACSEC */
2660 void ieee802_1x_notify_port_enabled(struct eapol_state_machine
*sm
,
2665 sm
->eap_if
->portEnabled
= enabled
? TRUE
: FALSE
;
2666 eapol_auth_step(sm
);
2670 void ieee802_1x_notify_port_valid(struct eapol_state_machine
*sm
,
2675 sm
->portValid
= valid
? TRUE
: FALSE
;
2676 eapol_auth_step(sm
);
2680 void ieee802_1x_notify_pre_auth(struct eapol_state_machine
*sm
, int pre_auth
)
2685 sm
->flags
|= EAPOL_SM_PREAUTH
;
2687 sm
->flags
&= ~EAPOL_SM_PREAUTH
;
2691 static const char * bool_txt(Boolean val
)
2693 return val
? "TRUE" : "FALSE";
2697 int ieee802_1x_get_mib(struct hostapd_data
*hapd
, char *buf
, size_t buflen
)
2704 int ieee802_1x_get_mib_sta(struct hostapd_data
*hapd
, struct sta_info
*sta
,
2705 char *buf
, size_t buflen
)
2708 struct eapol_state_machine
*sm
= sta
->eapol_sm
;
2709 struct os_reltime diff
;
2712 char *identity_buf
= NULL
;
2717 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2718 "dot1xPaePortNumber=%d\n"
2719 "dot1xPaePortProtocolVersion=%d\n"
2720 "dot1xPaePortCapabilities=1\n"
2721 "dot1xPaePortInitialize=%d\n"
2722 "dot1xPaePortReauthenticate=FALSE\n",
2726 if (os_snprintf_error(buflen
- len
, ret
))
2730 /* dot1xAuthConfigTable */
2731 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2732 "dot1xAuthPaeState=%d\n"
2733 "dot1xAuthBackendAuthState=%d\n"
2734 "dot1xAuthAdminControlledDirections=%d\n"
2735 "dot1xAuthOperControlledDirections=%d\n"
2736 "dot1xAuthAuthControlledPortStatus=%d\n"
2737 "dot1xAuthAuthControlledPortControl=%d\n"
2738 "dot1xAuthQuietPeriod=%u\n"
2739 "dot1xAuthServerTimeout=%u\n"
2740 "dot1xAuthReAuthPeriod=%u\n"
2741 "dot1xAuthReAuthEnabled=%s\n"
2742 "dot1xAuthKeyTxEnabled=%s\n",
2743 sm
->auth_pae_state
+ 1,
2744 sm
->be_auth_state
+ 1,
2745 sm
->adminControlledDirections
,
2746 sm
->operControlledDirections
,
2752 bool_txt(sm
->reAuthEnabled
),
2753 bool_txt(sm
->keyTxEnabled
));
2754 if (os_snprintf_error(buflen
- len
, ret
))
2758 /* dot1xAuthStatsTable */
2759 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2760 "dot1xAuthEapolFramesRx=%u\n"
2761 "dot1xAuthEapolFramesTx=%u\n"
2762 "dot1xAuthEapolStartFramesRx=%u\n"
2763 "dot1xAuthEapolLogoffFramesRx=%u\n"
2764 "dot1xAuthEapolRespIdFramesRx=%u\n"
2765 "dot1xAuthEapolRespFramesRx=%u\n"
2766 "dot1xAuthEapolReqIdFramesTx=%u\n"
2767 "dot1xAuthEapolReqFramesTx=%u\n"
2768 "dot1xAuthInvalidEapolFramesRx=%u\n"
2769 "dot1xAuthEapLengthErrorFramesRx=%u\n"
2770 "dot1xAuthLastEapolFrameVersion=%u\n"
2771 "dot1xAuthLastEapolFrameSource=" MACSTR
"\n",
2772 sm
->dot1xAuthEapolFramesRx
,
2773 sm
->dot1xAuthEapolFramesTx
,
2774 sm
->dot1xAuthEapolStartFramesRx
,
2775 sm
->dot1xAuthEapolLogoffFramesRx
,
2776 sm
->dot1xAuthEapolRespIdFramesRx
,
2777 sm
->dot1xAuthEapolRespFramesRx
,
2778 sm
->dot1xAuthEapolReqIdFramesTx
,
2779 sm
->dot1xAuthEapolReqFramesTx
,
2780 sm
->dot1xAuthInvalidEapolFramesRx
,
2781 sm
->dot1xAuthEapLengthErrorFramesRx
,
2782 sm
->dot1xAuthLastEapolFrameVersion
,
2784 if (os_snprintf_error(buflen
- len
, ret
))
2788 /* dot1xAuthDiagTable */
2789 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2790 "dot1xAuthEntersConnecting=%u\n"
2791 "dot1xAuthEapLogoffsWhileConnecting=%u\n"
2792 "dot1xAuthEntersAuthenticating=%u\n"
2793 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n"
2794 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n"
2795 "dot1xAuthAuthFailWhileAuthenticating=%u\n"
2796 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n"
2797 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n"
2798 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n"
2799 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n"
2800 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n"
2801 "dot1xAuthBackendResponses=%u\n"
2802 "dot1xAuthBackendAccessChallenges=%u\n"
2803 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n"
2804 "dot1xAuthBackendAuthSuccesses=%u\n"
2805 "dot1xAuthBackendAuthFails=%u\n",
2806 sm
->authEntersConnecting
,
2807 sm
->authEapLogoffsWhileConnecting
,
2808 sm
->authEntersAuthenticating
,
2809 sm
->authAuthSuccessesWhileAuthenticating
,
2810 sm
->authAuthTimeoutsWhileAuthenticating
,
2811 sm
->authAuthFailWhileAuthenticating
,
2812 sm
->authAuthEapStartsWhileAuthenticating
,
2813 sm
->authAuthEapLogoffWhileAuthenticating
,
2814 sm
->authAuthReauthsWhileAuthenticated
,
2815 sm
->authAuthEapStartsWhileAuthenticated
,
2816 sm
->authAuthEapLogoffWhileAuthenticated
,
2817 sm
->backendResponses
,
2818 sm
->backendAccessChallenges
,
2819 sm
->backendOtherRequestsToSupplicant
,
2820 sm
->backendAuthSuccesses
,
2821 sm
->backendAuthFails
);
2822 if (os_snprintf_error(buflen
- len
, ret
))
2826 /* dot1xAuthSessionStatsTable */
2827 os_reltime_age(&sta
->acct_session_start
, &diff
);
2828 if (sm
->eap
&& !sm
->identity
) {
2832 id
= eap_get_identity(sm
->eap
, &id_len
);
2834 identity_buf
= dup_binstr(id
, id_len
);
2836 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2837 /* TODO: dot1xAuthSessionOctetsRx */
2838 /* TODO: dot1xAuthSessionOctetsTx */
2839 /* TODO: dot1xAuthSessionFramesRx */
2840 /* TODO: dot1xAuthSessionFramesTx */
2841 "dot1xAuthSessionId=%016llX\n"
2842 "dot1xAuthSessionAuthenticMethod=%d\n"
2843 "dot1xAuthSessionTime=%u\n"
2844 "dot1xAuthSessionTerminateCause=999\n"
2845 "dot1xAuthSessionUserName=%s\n",
2846 (unsigned long long) sta
->acct_session_id
,
2847 (wpa_key_mgmt_wpa_ieee8021x(
2848 wpa_auth_sta_key_mgmt(sta
->wpa_sm
))) ?
2850 (unsigned int) diff
.sec
,
2851 sm
->identity
? (char *) sm
->identity
:
2852 (identity_buf
? identity_buf
: "N/A"));
2853 os_free(identity_buf
);
2854 if (os_snprintf_error(buflen
- len
, ret
))
2858 if (sm
->acct_multi_session_id
) {
2859 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2860 "authMultiSessionId=%016llX\n",
2861 (unsigned long long)
2862 sm
->acct_multi_session_id
);
2863 if (os_snprintf_error(buflen
- len
, ret
))
2868 name1
= eap_server_get_name(0, sm
->eap_type_authsrv
);
2869 name2
= eap_server_get_name(0, sm
->eap_type_supp
);
2870 ret
= os_snprintf(buf
+ len
, buflen
- len
,
2871 "last_eap_type_as=%d (%s)\n"
2872 "last_eap_type_sta=%d (%s)\n",
2873 sm
->eap_type_authsrv
, name1
,
2874 sm
->eap_type_supp
, name2
);
2875 if (os_snprintf_error(buflen
- len
, ret
))
2884 static void ieee802_1x_wnm_notif_send(void *eloop_ctx
, void *timeout_ctx
)
2886 struct hostapd_data
*hapd
= eloop_ctx
;
2887 struct sta_info
*sta
= timeout_ctx
;
2889 if (sta
->remediation
) {
2890 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2891 MACSTR
" to indicate Subscription Remediation",
2892 MAC2STR(sta
->addr
));
2893 hs20_send_wnm_notification(hapd
, sta
->addr
,
2894 sta
->remediation_method
,
2895 sta
->remediation_url
);
2896 os_free(sta
->remediation_url
);
2897 sta
->remediation_url
= NULL
;
2900 if (sta
->hs20_deauth_req
) {
2901 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2902 MACSTR
" to indicate imminent deauthentication",
2903 MAC2STR(sta
->addr
));
2904 hs20_send_wnm_notification_deauth_req(hapd
, sta
->addr
,
2905 sta
->hs20_deauth_req
);
2908 if (sta
->hs20_t_c_filtering
) {
2909 wpa_printf(MSG_DEBUG
, "HS 2.0: Send WNM-Notification to "
2910 MACSTR
" to indicate Terms and Conditions filtering",
2911 MAC2STR(sta
->addr
));
2912 hs20_send_wnm_notification_t_c(hapd
, sta
->addr
, sta
->t_c_url
);
2913 os_free(sta
->t_c_url
);
2914 sta
->t_c_url
= NULL
;
2917 #endif /* CONFIG_HS20 */
2920 static void ieee802_1x_finished(struct hostapd_data
*hapd
,
2921 struct sta_info
*sta
, int success
,
2926 /* TODO: get PMKLifetime from WPA parameters */
2927 static const int dot11RSNAConfigPMKLifetime
= 43200;
2928 unsigned int session_timeout
;
2929 struct os_reltime now
, remaining
;
2932 if (remediation
&& !sta
->remediation
) {
2933 sta
->remediation
= 1;
2934 os_free(sta
->remediation_url
);
2935 sta
->remediation_url
=
2936 os_strdup(hapd
->conf
->subscr_remediation_url
);
2937 sta
->remediation_method
= 1; /* SOAP-XML SPP */
2940 if (success
&& (sta
->remediation
|| sta
->hs20_deauth_req
||
2941 sta
->hs20_t_c_filtering
)) {
2942 wpa_printf(MSG_DEBUG
, "HS 2.0: Schedule WNM-Notification to "
2943 MACSTR
" in 100 ms", MAC2STR(sta
->addr
));
2944 eloop_cancel_timeout(ieee802_1x_wnm_notif_send
, hapd
, sta
);
2945 eloop_register_timeout(0, 100000, ieee802_1x_wnm_notif_send
,
2948 #endif /* CONFIG_HS20 */
2950 #ifdef CONFIG_MACSEC
2951 ieee802_1x_notify_create_actor_hapd(hapd
, sta
);
2952 #endif /* CONFIG_MACSEC */
2954 key
= ieee802_1x_get_key(sta
->eapol_sm
, &len
);
2955 if (sta
->session_timeout_set
) {
2956 os_get_reltime(&now
);
2957 os_reltime_sub(&sta
->session_timeout
, &now
, &remaining
);
2958 session_timeout
= (remaining
.sec
> 0) ? remaining
.sec
: 1;
2960 session_timeout
= dot11RSNAConfigPMKLifetime
;
2962 if (success
&& key
&& len
>= PMK_LEN
&& !sta
->remediation
&&
2963 !sta
->hs20_deauth_requested
&&
2964 wpa_auth_pmksa_add(sta
->wpa_sm
, key
, len
, session_timeout
,
2965 sta
->eapol_sm
) == 0) {
2966 hostapd_logger(hapd
, sta
->addr
, HOSTAPD_MODULE_WPA
,
2967 HOSTAPD_LEVEL_DEBUG
,
2968 "Added PMKSA cache entry (IEEE 802.1X)");
2973 * Many devices require deauthentication after WPS provisioning
2974 * and some may not be be able to do that themselves, so
2975 * disconnect the client here. In addition, this may also
2976 * benefit IEEE 802.1X/EAPOL authentication cases, too since
2977 * the EAPOL PAE state machine would remain in HELD state for
2978 * considerable amount of time and some EAP methods, like
2979 * EAP-FAST with anonymous provisioning, may require another
2980 * EAPOL authentication to be started to complete connection.
2982 ap_sta_delayed_1x_auth_fail_disconnect(hapd
, sta
);