From 6153c6d52b4056bf8b0860b343471c041cd38eea Mon Sep 17 00:00:00 2001 From: Vijaya Kumar Abbaraju Date: Mon, 7 Oct 2024 10:49:09 +0530 Subject: [PATCH] Changes to support PAC and 802.1X interaction (#89) #Why I did it These changes are done to support the interaction between PAC and the 8021.X which is in sonic-wpasupplicant. #How I did it #How to verify it --- hostapd/ctrl_iface.c | 3 ++ src/ap/ieee802_1x.c | 58 ++++++++++++++++++++++++++++++-- src/eap_server/eap.h | 3 ++ src/eap_server/eap_server.c | 10 ++++++ src/eapol_auth/eapol_auth_sm.c | 20 +++++++++-- src/eapol_auth/eapol_auth_sm.h | 4 +++ src/eapol_auth/eapol_auth_sm_i.h | 4 +++ src/utils/wpa_debug.c | 3 ++ 8 files changed, 101 insertions(+), 4 deletions(-) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 30fa47f2d..c86f74c0a 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2773,6 +2773,9 @@ static int hostapd_ctrl_iface_eapol_reauth(struct hostapd_data *hapd, if (!sta || !sta->eapol_sm) return -1; +#ifdef CONFIG_SONIC_HOSTAPD + memset(&sta->attr_info, 0, sizeof (sta->attr_info)); +#endif eapol_auth_reauthenticate(sta->eapol_sm); return 0; } diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index ee095f618..d65201f2f 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -19,6 +19,9 @@ #include "common/ieee802_11_defs.h" #include "radius/radius.h" #include "radius/radius_client.h" +#ifdef CONFIG_SONIC_RADIUS +#include "radius/radius_attr_parse.h" +#endif #include "eap_server/eap.h" #include "eap_common/eap_wsc_common.h" #include "eapol_auth/eapol_auth_sm.h" @@ -460,6 +463,7 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd, return -1; } +#ifndef CONFIG_SONIC_RADIUS if (sta->flags & WLAN_STA_PREAUTH) { os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", sizeof(buf)); @@ -487,6 +491,7 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd, return -1; } } +#endif if ((hapd->conf->wpa & 2) && !hapd->conf->disable_pmksa_caching && @@ -565,8 +570,13 @@ int add_common_radius_attr(struct hostapd_data *hapd, return -1; } +#ifdef CONFIG_SONIC_RADIUS + len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, + MAC2STR(hapd->own_addr)); +#else len = os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":", MAC2STR(hapd->own_addr)); +#endif os_memcpy(&buf[len], hapd->conf->ssid.ssid, hapd->conf->ssid.ssid_len); len += hapd->conf->ssid.ssid_len; @@ -708,7 +718,13 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, wpa_printf(MSG_INFO, "Could not add User-Name"); goto fail; } - +#ifdef CONFIG_SONIC_RADIUS + else { + memset(sta->attr_info.userName,'\0', sizeof(sta->attr_info.userName)); + strncpy(sta->attr_info.userName, sm->identity, sm->identity_len); + sta->attr_info.userNameLen = sm->identity_len; + } +#endif if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, msg) < 0) goto fail; @@ -1183,6 +1199,19 @@ void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, sta->eapol_sm->eapolLogoff = true; sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; eap_server_clear_identity(sta->eapol_sm->eap); + +#ifdef CONFIG_SONIC_HOSTAPD + hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, + HOSTAPD_LEVEL_DEBUG, + "sending client_disconnect for EAPOL-Logoff from STA"); + /* Inform PAC */ + if (0 != hostapd_drv_auth_resp_send(hapd, hapd->conf->iface, sta->addr, "client_disconnected", NULL)) + { + hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, + HOSTAPD_LEVEL_DEBUG, + "sending client_disconnect for EAPOL-Logoff from STA not successful"); + } +#endif break; case IEEE802_1X_TYPE_EAPOL_KEY: @@ -2006,6 +2035,14 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, break; #endif /* CONFIG_NO_VLAN */ +#ifdef CONFIG_SONIC_RADIUS + if (0 != radiusClientAcceptProcess(msg, &sta->attr_info)) + { + wpa_printf(MSG_DEBUG, "radiusClientAcceptProcess failed \n"); + } +#endif + +#ifndef CONFIG_SONIC_RADIUS sta->session_timeout_set = !!session_timeout_set; os_get_reltime(&sta->session_timeout); sta->session_timeout.sec += session_timeout; @@ -2018,6 +2055,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, ap_sta_session_timeout(hapd, sta, session_timeout); else ap_sta_no_session_timeout(hapd, sta); +#endif sm->eap_if->aaaSuccess = true; override_eapReq = 1; @@ -2110,6 +2148,11 @@ void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) MAC2STR(sta->addr)); sm->eap_if->portEnabled = false; +#ifdef CONFIG_SONIC_RADIUS + /* Invoke driver to inform PAC */ + hostapd_drv_auth_resp_send(hapd, hapd->conf->iface, sta->addr, + "auth_timeout", (void *) sta); +#endif ap_sta_disconnect(hapd, sta, sta->addr, WLAN_REASON_PREV_AUTH_NOT_VALID); } @@ -2998,5 +3041,16 @@ static void ieee802_1x_finished(struct hostapd_data *hapd, * EAPOL authentication to be started to complete connection. */ ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta); - } + +#ifdef CONFIG_SONIC_HOSTAPD + /* Invoke driver to inform PAC */ + hostapd_drv_auth_resp_send(hapd, hapd->conf->iface, sta->addr, "auth_fail", (void *) sta); +#endif + } +#ifdef CONFIG_SONIC_HOSTAPD + else { + /* Invoke driver to inform PAC */ + hostapd_drv_auth_resp_send(hapd, hapd->conf->iface, sta->addr, "auth_success", (void *) sta); + } +#endif } diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h index 61032cc01..20ae23fc0 100644 --- a/src/eap_server/eap.h +++ b/src/eap_server/eap.h @@ -82,6 +82,9 @@ struct eap_eapol_interface { struct wpabuf *aaaEapRespData; /* aaaIdentity -> eap_get_identity() */ bool aaaTimeout; +#ifdef CONFIG_SONIC_HOSTAPD + bool client_reauth; +#endif }; struct eap_server_erp_key { diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c index 0b7a5b98c..a2e81af27 100644 --- a/src/eap_server/eap_server.c +++ b/src/eap_server/eap_server.c @@ -231,7 +231,12 @@ SM_STATE(EAP, INITIALIZE) } sm->try_initiate_reauth = false; +#ifdef CONFIG_SONIC_HOSTAPD + if (!sm->eap_if.client_reauth) + sm->currentId = -1; +#else sm->currentId = -1; +#endif sm->eap_if.eapSuccess = false; sm->eap_if.eapFail = false; sm->eap_if.eapTimeout = false; @@ -402,6 +407,11 @@ SM_STATE(EAP, METHOD_REQUEST) return; } +#ifdef CONFIG_SONIC_HOSTAPD + wpa_printf(MSG_DEBUG, "EAP: lastId %d", + sm->lastId); +#endif + sm->currentId = eap_sm_nextId(sm, sm->currentId); wpa_printf(MSG_DEBUG, "EAP: building EAP-Request: Identifier %d", sm->currentId); diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c index 1c11cb613..fb0f5d33b 100644 --- a/src/eapol_auth/eapol_auth_sm.c +++ b/src/eapol_auth/eapol_auth_sm.c @@ -168,6 +168,7 @@ static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx) } } +#ifndef CONFIG_SONIC_HOSTAPD if (state->reAuthWhen > 0) { state->reAuthWhen--; if (state->reAuthWhen == 0) { @@ -176,6 +177,7 @@ static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx) MAC2STR(state->addr)); } } +#endif if (state->eap_if->retransWhile > 0) { state->eap_if->retransWhile--; @@ -241,6 +243,11 @@ SM_STATE(AUTH_PAE, DISCONNECTED) SM_STATE(AUTH_PAE, RESTART) { +#ifdef CONFIG_SONIC_HOSTAPD +#ifdef HOSTAPD + sm->eap_if->client_reauth = false; +#endif +#endif if (sm->auth_pae_state == AUTH_PAE_AUTHENTICATED) { if (sm->reAuthenticate) sm->authAuthReauthsWhileAuthenticated++; @@ -248,6 +255,13 @@ SM_STATE(AUTH_PAE, RESTART) sm->authAuthEapStartsWhileAuthenticated++; if (sm->eapolLogoff) sm->authAuthEapLogoffWhileAuthenticated++; + +#ifdef CONFIG_SONIC_HOSTAPD +#ifdef HOSTAPD + if (sm->reAuthenticate) + sm->eap_if->client_reauth = true; +#endif +#endif } SM_ENTRY_MA(AUTH_PAE, RESTART, auth_pae); @@ -503,8 +517,9 @@ SM_STATE(BE_AUTH, RESPONSE) SM_STATE(BE_AUTH, SUCCESS) { SM_ENTRY_MA(BE_AUTH, SUCCESS, be_auth); - +#ifndef CONFIG_SONIC_HOSTAPD txReq(); +#endif sm->authSuccess = true; sm->keyRun = true; } @@ -513,8 +528,9 @@ SM_STATE(BE_AUTH, SUCCESS) SM_STATE(BE_AUTH, FAIL) { SM_ENTRY_MA(BE_AUTH, FAIL, be_auth); - +#ifndef CONFIG_SONIC_HOSTAPD txReq(); +#endif sm->authFail = true; } diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h index 5fe89c64b..2b9543c14 100644 --- a/src/eapol_auth/eapol_auth_sm.h +++ b/src/eapol_auth/eapol_auth_sm.h @@ -17,6 +17,10 @@ struct eapol_auth_config { const struct eap_config *eap_cfg; int eap_reauth_period; +#ifdef CONFIG_SONIC_HOSTAPD + int eap_server_timeout; + int eap_quiet_period; +#endif int wpa; int individual_wep_key_len; char *eap_req_id_text; /* a copy of this will be allocated */ diff --git a/src/eapol_auth/eapol_auth_sm_i.h b/src/eapol_auth/eapol_auth_sm_i.h index 3c6898310..8bed3c76f 100644 --- a/src/eapol_auth/eapol_auth_sm_i.h +++ b/src/eapol_auth/eapol_auth_sm_i.h @@ -73,7 +73,11 @@ struct eapol_state_machine { unsigned int reAuthCount; /* constants */ unsigned int quietPeriod; /* default 60; 0..65535 */ +#ifdef CONFIG_SONIC_HOSTAPD +#define AUTH_PAE_DEFAULT_quietPeriod 2 +#else #define AUTH_PAE_DEFAULT_quietPeriod 60 +#endif unsigned int reAuthMax; /* default 2 */ #define AUTH_PAE_DEFAULT_reAuthMax 2 /* counters */ diff --git a/src/utils/wpa_debug.c b/src/utils/wpa_debug.c index a338a2039..9f125f6df 100644 --- a/src/utils/wpa_debug.c +++ b/src/utils/wpa_debug.c @@ -237,6 +237,9 @@ void wpa_printf(int level, const char *fmt, ...) va_start(ap, fmt); vprintf(fmt, ap); printf("\n"); +#ifdef CONFIG_SONIC_RADIUS + fflush(stdout); +#endif va_end(ap); } #endif /* CONFIG_ANDROID_LOG */