📄 ieee802_1x.c

📁 hostapd无线ＡＰ工具
💻 C
📖 第 1 页 / 共 4 页
字号:
		return;	sta->eapol_sm = NULL;	if (sm->last_recv_radius) {		radius_msg_free(sm->last_recv_radius);		free(sm->last_recv_radius);	}	free(sm->last_eap_supp);	free(sm->last_eap_radius);	free(sm->identity);	ieee802_1x_free_radius_class(sm);	free(sm->eapol_key_sign);	free(sm->eapol_key_crypt);	eapol_sm_free(sm);}static void ieee802_1x_decapsulate_radius(hostapd *hapd, struct sta_info *sta){	u8 *eap;	size_t len;	struct eap_hdr *hdr;	int eap_type = -1;	char buf[64];	struct radius_msg *msg;	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm == NULL || sm->last_recv_radius == NULL) {		if (sm)			sm->be_auth.eapNoReq = TRUE;		return;	}	msg = sm->last_recv_radius;	eap = radius_msg_get_eap(msg, &len);	if (eap == NULL) {		/* draft-aboba-radius-rfc2869bis-20.txt, Chap. 2.6.3:		 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message		 * attribute */		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,			       HOSTAPD_LEVEL_WARNING, "could not extract "			       "EAP-Message from RADIUS message");		free(sm->last_eap_radius);		sm->last_eap_radius = NULL;		sm->last_eap_radius_len = 0;		sm->be_auth.eapNoReq = TRUE;		return;	}	if (len < sizeof(*hdr)) {		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,			       HOSTAPD_LEVEL_WARNING, "too short EAP packet "			       "received from authentication server");		free(eap);		sm->be_auth.eapNoReq = TRUE;		return;	}	if (len > sizeof(*hdr))		eap_type = eap[sizeof(*hdr)];	hdr = (struct eap_hdr *) eap;	switch (hdr->code) {	case EAP_CODE_REQUEST:		snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",			 eap_type >= 0 ? eap_type_text(eap_type) : "??",			 eap_type);		break;	case EAP_CODE_RESPONSE:		snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",			 eap_type >= 0 ? eap_type_text(eap_type) : "??",			 eap_type);		break;	case EAP_CODE_SUCCESS:		snprintf(buf, sizeof(buf), "EAP Success");		break;	case EAP_CODE_FAILURE:		snprintf(buf, sizeof(buf), "EAP Failure");		break;	default:		snprintf(buf, sizeof(buf), "unknown EAP code");		break;	}	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,		       HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d "		       "id=%d len=%d) from RADIUS server: %s",		      hdr->code, hdr->identifier, ntohs(hdr->length), buf);	sm->be_auth.eapReq = TRUE;	free(sm->last_eap_radius);	sm->last_eap_radius = eap;	sm->last_eap_radius_len = len;}static void ieee802_1x_get_keys(hostapd *hapd, struct sta_info *sta,				struct radius_msg *msg, struct radius_msg *req,				u8 *shared_secret, size_t shared_secret_len){	struct radius_ms_mppe_keys *keys;	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm == NULL)		return;	keys = radius_msg_get_ms_keys(msg, req, shared_secret,				      shared_secret_len);	if (keys) {		if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MINIMAL) && keys->send) {			size_t i;			printf("MS-MPPE-Send-Key (len=%lu):",			       (unsigned long) keys->send_len);			for (i = 0; i < keys->send_len; i++)				printf(" %02x", keys->send[i]);			printf("\n");		}		if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MINIMAL) && keys->recv) {			size_t i;			printf("MS-MPPE-Recv-Key (len=%lu):",			       (unsigned long) keys->recv_len);			for (i = 0; i < keys->recv_len; i++)				printf(" %02x", keys->recv[i]);			printf("\n");		}		if (keys->send && keys->recv) {			free(sm->eapol_key_sign);			free(sm->eapol_key_crypt);			sm->eapol_key_sign = keys->send;			sm->eapol_key_sign_len = keys->send_len;			sm->eapol_key_crypt = keys->recv;			sm->eapol_key_crypt_len = keys->recv_len;			if (hapd->default_wep_key ||			    hapd->conf->individual_wep_key_len > 0 ||			    hapd->conf->wpa)				sta->eapol_sm->keyAvailable = TRUE;		} else {			free(keys->send);			free(keys->recv);		}		free(keys);	}}static void ieee802_1x_store_radius_class(struct hostapd_data *hapd,					  struct sta_info *sta,					  struct radius_msg *msg){	u8 *class;	size_t class_len;	struct eapol_state_machine *sm = sta->eapol_sm;	int count, i;	struct radius_attr_data *nclass;	size_t nclass_count;	if (!hapd->conf->radius->acct_server || hapd->radius == NULL ||	    sm == NULL)		return;	ieee802_1x_free_radius_class(sm);	count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1);	if (count <= 0)		return;	nclass = malloc(count * sizeof(struct radius_attr_data));	if (nclass == NULL)		return;	nclass_count = 0;	memset(nclass, 0, count * sizeof(struct radius_attr_data));	class = NULL;	for (i = 0; i < count; i++) {		do {			if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS,						    &class, &class_len,						    class) < 0) {				i = count;				break;			}		} while (class_len < 1);		nclass[nclass_count].data = malloc(class_len);		if (nclass[nclass_count].data == NULL)			break;		memcpy(nclass[nclass_count].data, class, class_len);		nclass[nclass_count].len = class_len;		nclass_count++;	}	sm->radius_class = nclass;	sm->radius_class_count = nclass_count;	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "IEEE 802.1X: Stored %d RADIUS "		      "Class attributes for " MACSTR "\n",		      sm->radius_class_count, MAC2STR(sta->addr));}struct sta_id_search {	u8 identifier;	struct eapol_state_machine *sm;};static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd,					       struct sta_info *sta,					       void *ctx){	struct sta_id_search *id_search = ctx;	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm && sm->radius_identifier >= 0 &&	    sm->radius_identifier == id_search->identifier) {		id_search->sm = sm;		return 1;	}	return 0;}static struct eapol_state_machine *ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier){	struct sta_id_search id_search;	id_search.identifier = identifier;	id_search.sm = NULL;	ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search);	return id_search.sm;}/* Process the RADIUS frames from Authentication Server */static RadiusRxResultieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,			u8 *shared_secret, size_t shared_secret_len,			void *data){	struct hostapd_data *hapd = data;	struct sta_info *sta;	u32 session_timeout = 0, termination_action, acct_interim_interval;	int session_timeout_set;	int eap_timeout;	struct eapol_state_machine *sm;	int override_eapReq = 0;	sm = ieee802_1x_search_radius_identifier(hapd, msg->hdr->identifier);	if (sm == NULL) {		HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "IEEE 802.1X: Could not "			      "find matching station for this RADIUS "			      "message\n");		return RADIUS_RX_UNKNOWN;	}	sta = sm->sta;	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be	 * present when packet contains an EAP-Message attribute */	if (msg->hdr->code == RADIUS_CODE_ACCESS_REJECT &&	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,				0) < 0 &&	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {		HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Allowing RADIUS "			      "Access-Reject without Message-Authenticator "			      "since it does not include EAP-Message\n");	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,				     req)) {		printf("Incoming RADIUS packet did not have correct "		       "Message-Authenticator - dropped\n");		return RADIUS_RX_INVALID_AUTHENTICATOR;	}	if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&	    msg->hdr->code != RADIUS_CODE_ACCESS_REJECT &&	    msg->hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {		printf("Unknown RADIUS message code\n");		return RADIUS_RX_UNKNOWN;	}	sm->radius_identifier = -1;	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,		      "RADIUS packet matching with station " MACSTR "\n",		      MAC2STR(sta->addr));	if (sm->last_recv_radius) {		radius_msg_free(sm->last_recv_radius);		free(sm->last_recv_radius);	}	sm->last_recv_radius = msg;	session_timeout_set =		!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,					   &session_timeout);	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,				      &termination_action))		termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;	if (hapd->conf->radius->acct_interim_interval == 0 &&	    msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&	    radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,				      &acct_interim_interval) == 0) {		if (acct_interim_interval < 60) {			hostapd_logger(hapd, sta->addr,				       HOSTAPD_MODULE_IEEE8021X,				       HOSTAPD_LEVEL_INFO,				       "ignored too small "				       "Acct-Interim-Interval %d",				       acct_interim_interval);		} else			sta->acct_interim_interval = acct_interim_interval;	}	switch (msg->hdr->code) {	case RADIUS_CODE_ACCESS_ACCEPT:		/* RFC 3580, Ch. 3.17 */		if (session_timeout_set && termination_action ==		    RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {			sm->reauth_timer.reAuthPeriod = session_timeout;		} else if (session_timeout_set)			ap_sta_session_timeout(hapd, sta, session_timeout);		sm->eapSuccess = TRUE;		override_eapReq = 1;		ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,				    shared_secret_len);		if (sm->keyAvailable) {			pmksa_cache_add(hapd, sta, sm->eapol_key_crypt,					session_timeout_set ?					session_timeout : -1);		}		ieee802_1x_store_radius_class(hapd, sta, msg);		break;	case RADIUS_CODE_ACCESS_REJECT:		sm->eapFail = TRUE;		override_eapReq = 1;		break;	case RADIUS_CODE_ACCESS_CHALLENGE:		if (session_timeout_set) {			/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */			eap_timeout = session_timeout;		} else			eap_timeout = 30;		hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X,			       HOSTAPD_LEVEL_DEBUG,			       "using EAP timeout of %d seconds%s",			       eap_timeout,			       session_timeout_set ? " (from RADIUS)" : "");		eloop_cancel_timeout(ieee802_1x_eap_timeout, sta, NULL);		eloop_register_timeout(eap_timeout, 0, ieee802_1x_eap_timeout,				       sta, NULL);		sm->eapTimeout = FALSE;		break;	}	ieee802_1x_decapsulate_radius(hapd, sta);	if (override_eapReq)		sm->be_auth.eapReq = FALSE;	eapol_sm_step(sm);	return RADIUS_RX_QUEUED;}/* Handler for EAPOL Backend Authentication state machine sendRespToServer. * Forward the EAP Response from Supplicant to Authentication Server. */void ieee802_1x_send_resp_to_server(hostapd *hapd, struct sta_info *sta){	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm == NULL)		return;	if (hapd->conf->eap_server) {		eap_set_eapRespData(sm->eap, sm->last_eap_supp,				    sm->last_eap_supp_len);	} else {		ieee802_1x_encapsulate_radius(hapd, sta, sm->last_eap_supp,					      sm->last_eap_supp_len);	}}void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta){	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm == NULL)		return;	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,		       HOSTAPD_LEVEL_DEBUG, "aborting authentication");	if (sm->last_recv_radius) {		radius_msg_free(sm->last_recv_radius);		free(sm->last_recv_radius);		sm->last_recv_radius = NULL;	}	free(sm->last_eap_supp);	sm->last_eap_supp = NULL;	sm->last_eap_supp_len = 0;	free(sm->last_eap_radius);	sm->last_eap_radius = NULL;	sm->last_eap_radius_len = 0;}void ieee802_1x_set_port_enabled(hostapd *hapd, struct sta_info *sta,				 int enabled){	if (!sta->eapol_sm)		return;	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,		      "IEEE 802.1X: station " MACSTR " port %s\n",		      MAC2STR(sta->addr), enabled ? "enabled" : "disabled");	sta->eapol_sm->portEnabled = enabled ? TRUE : FALSE;	eapol_sm_step(sta->eapol_sm);}#ifdef HOSTAPD_DUMP_STATEvoid ieee802_1x_dump_state(FILE *f, const char *prefix, struct sta_info *sta){	struct eapol_state_machine *sm = sta->eapol_sm;	if (sm == NULL)		return;
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -