]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SAE: Add Rc variable and peer send-confirm validation
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "radius/radius.h"
25 #include "radius/radius_client.h"
26 #include "p2p/p2p.h"
27 #include "wps/wps.h"
28 #include "fst/fst.h"
29 #include "hostapd.h"
30 #include "beacon.h"
31 #include "ieee802_11_auth.h"
32 #include "sta_info.h"
33 #include "ieee802_1x.h"
34 #include "wpa_auth.h"
35 #include "pmksa_cache_auth.h"
36 #include "wmm.h"
37 #include "ap_list.h"
38 #include "accounting.h"
39 #include "ap_config.h"
40 #include "ap_mlme.h"
41 #include "p2p_hostapd.h"
42 #include "ap_drv_ops.h"
43 #include "wnm_ap.h"
44 #include "hw_features.h"
45 #include "ieee802_11.h"
46 #include "dfs.h"
47 #include "mbo_ap.h"
48 #include "rrm.h"
49 #include "taxonomy.h"
50 #include "fils_hlp.h"
51 #include "dpp_hostapd.h"
52 #include "gas_query_ap.h"
53
54
55 #ifdef CONFIG_FILS
56 static struct wpabuf *
57 prepare_auth_resp_fils(struct hostapd_data *hapd,
58 struct sta_info *sta, u16 *resp,
59 struct rsn_pmksa_cache_entry *pmksa,
60 struct wpabuf *erp_resp,
61 const u8 *msk, size_t msk_len,
62 int *is_pub);
63 #endif /* CONFIG_FILS */
64
65 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
66 {
67 u8 *pos = eid;
68 int i, num, count;
69
70 if (hapd->iface->current_rates == NULL)
71 return eid;
72
73 *pos++ = WLAN_EID_SUPP_RATES;
74 num = hapd->iface->num_rates;
75 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
76 num++;
77 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
78 num++;
79 if (num > 8) {
80 /* rest of the rates are encoded in Extended supported
81 * rates element */
82 num = 8;
83 }
84
85 *pos++ = num;
86 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
87 i++) {
88 count++;
89 *pos = hapd->iface->current_rates[i].rate / 5;
90 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
91 *pos |= 0x80;
92 pos++;
93 }
94
95 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
96 count++;
97 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
98 }
99
100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
101 count++;
102 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
103 }
104
105 return pos;
106 }
107
108
109 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
110 {
111 u8 *pos = eid;
112 int i, num, count;
113
114 if (hapd->iface->current_rates == NULL)
115 return eid;
116
117 num = hapd->iface->num_rates;
118 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
119 num++;
120 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
121 num++;
122 if (num <= 8)
123 return eid;
124 num -= 8;
125
126 *pos++ = WLAN_EID_EXT_SUPP_RATES;
127 *pos++ = num;
128 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
129 i++) {
130 count++;
131 if (count <= 8)
132 continue; /* already in SuppRates IE */
133 *pos = hapd->iface->current_rates[i].rate / 5;
134 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
135 *pos |= 0x80;
136 pos++;
137 }
138
139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
140 count++;
141 if (count > 8)
142 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
143 }
144
145 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
146 count++;
147 if (count > 8)
148 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
149 }
150
151 return pos;
152 }
153
154
155 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
156 {
157 int capab = WLAN_CAPABILITY_ESS;
158 int privacy;
159 int dfs;
160 int i;
161
162 /* Check if any of configured channels require DFS */
163 dfs = hostapd_is_dfs_required(hapd->iface);
164 if (dfs < 0) {
165 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
166 dfs);
167 dfs = 0;
168 }
169
170 if (hapd->iface->num_sta_no_short_preamble == 0 &&
171 hapd->iconf->preamble == SHORT_PREAMBLE)
172 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
173
174 privacy = hapd->conf->ssid.wep.keys_set;
175
176 if (hapd->conf->ieee802_1x &&
177 (hapd->conf->default_wep_key_len ||
178 hapd->conf->individual_wep_key_len))
179 privacy = 1;
180
181 if (hapd->conf->wpa)
182 privacy = 1;
183
184 #ifdef CONFIG_HS20
185 if (hapd->conf->osen)
186 privacy = 1;
187 #endif /* CONFIG_HS20 */
188
189 if (privacy)
190 capab |= WLAN_CAPABILITY_PRIVACY;
191
192 if (hapd->iface->current_mode &&
193 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
194 hapd->iface->num_sta_no_short_slot_time == 0)
195 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
196
197 /*
198 * Currently, Spectrum Management capability bit is set when directly
199 * requested in configuration by spectrum_mgmt_required or when AP is
200 * running on DFS channel.
201 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
202 */
203 if (hapd->iface->current_mode &&
204 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
205 (hapd->iconf->spectrum_mgmt_required || dfs))
206 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
207
208 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
209 if (hapd->conf->radio_measurements[i]) {
210 capab |= IEEE80211_CAP_RRM;
211 break;
212 }
213 }
214
215 return capab;
216 }
217
218
219 #ifndef CONFIG_NO_RC4
220 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
221 u16 auth_transaction, const u8 *challenge,
222 int iswep)
223 {
224 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
225 HOSTAPD_LEVEL_DEBUG,
226 "authentication (shared key, transaction %d)",
227 auth_transaction);
228
229 if (auth_transaction == 1) {
230 if (!sta->challenge) {
231 /* Generate a pseudo-random challenge */
232 u8 key[8];
233
234 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
235 if (sta->challenge == NULL)
236 return WLAN_STATUS_UNSPECIFIED_FAILURE;
237
238 if (os_get_random(key, sizeof(key)) < 0) {
239 os_free(sta->challenge);
240 sta->challenge = NULL;
241 return WLAN_STATUS_UNSPECIFIED_FAILURE;
242 }
243
244 rc4_skip(key, sizeof(key), 0,
245 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
246 }
247 return 0;
248 }
249
250 if (auth_transaction != 3)
251 return WLAN_STATUS_UNSPECIFIED_FAILURE;
252
253 /* Transaction 3 */
254 if (!iswep || !sta->challenge || !challenge ||
255 os_memcmp_const(sta->challenge, challenge,
256 WLAN_AUTH_CHALLENGE_LEN)) {
257 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
258 HOSTAPD_LEVEL_INFO,
259 "shared key authentication - invalid "
260 "challenge-response");
261 return WLAN_STATUS_CHALLENGE_FAIL;
262 }
263
264 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
265 HOSTAPD_LEVEL_DEBUG,
266 "authentication OK (shared key)");
267 sta->flags |= WLAN_STA_AUTH;
268 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
269 os_free(sta->challenge);
270 sta->challenge = NULL;
271
272 return 0;
273 }
274 #endif /* CONFIG_NO_RC4 */
275
276
277 static int send_auth_reply(struct hostapd_data *hapd,
278 const u8 *dst, const u8 *bssid,
279 u16 auth_alg, u16 auth_transaction, u16 resp,
280 const u8 *ies, size_t ies_len)
281 {
282 struct ieee80211_mgmt *reply;
283 u8 *buf;
284 size_t rlen;
285 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
286
287 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
288 buf = os_zalloc(rlen);
289 if (buf == NULL)
290 return -1;
291
292 reply = (struct ieee80211_mgmt *) buf;
293 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
294 WLAN_FC_STYPE_AUTH);
295 os_memcpy(reply->da, dst, ETH_ALEN);
296 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
297 os_memcpy(reply->bssid, bssid, ETH_ALEN);
298
299 reply->u.auth.auth_alg = host_to_le16(auth_alg);
300 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
301 reply->u.auth.status_code = host_to_le16(resp);
302
303 if (ies && ies_len)
304 os_memcpy(reply->u.auth.variable, ies, ies_len);
305
306 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
307 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)",
308 MAC2STR(dst), auth_alg, auth_transaction,
309 resp, (unsigned long) ies_len);
310 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
311 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
312 else
313 reply_res = WLAN_STATUS_SUCCESS;
314
315 os_free(buf);
316
317 return reply_res;
318 }
319
320
321 #ifdef CONFIG_IEEE80211R_AP
322 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
323 u16 auth_transaction, u16 status,
324 const u8 *ies, size_t ies_len)
325 {
326 struct hostapd_data *hapd = ctx;
327 struct sta_info *sta;
328 int reply_res;
329
330 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
331 auth_transaction, status, ies, ies_len);
332
333 sta = ap_get_sta(hapd, dst);
334 if (sta == NULL)
335 return;
336
337 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
338 status != WLAN_STATUS_SUCCESS)) {
339 hostapd_drv_sta_remove(hapd, sta->addr);
340 sta->added_unassoc = 0;
341 return;
342 }
343
344 if (status != WLAN_STATUS_SUCCESS)
345 return;
346
347 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
349 sta->flags |= WLAN_STA_AUTH;
350 mlme_authenticate_indication(hapd, sta);
351 }
352 #endif /* CONFIG_IEEE80211R_AP */
353
354
355 #ifdef CONFIG_SAE
356
357 static void sae_set_state(struct sta_info *sta, enum sae_state state,
358 const char *reason)
359 {
360 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
361 sae_state_txt(sta->sae->state), sae_state_txt(state),
362 MAC2STR(sta->addr), reason);
363 sta->sae->state = state;
364 }
365
366
367 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
368 struct sta_info *sta, int update)
369 {
370 struct wpabuf *buf;
371 const char *password;
372
373 password = hapd->conf->sae_password;
374 if (!password)
375 password = hapd->conf->ssid.wpa_passphrase;
376 if (!password) {
377 wpa_printf(MSG_DEBUG, "SAE: No password available");
378 return NULL;
379 }
380
381 if (update &&
382 sae_prepare_commit(hapd->own_addr, sta->addr,
383 (u8 *) password, os_strlen(password),
384 sta->sae) < 0) {
385 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
386 return NULL;
387 }
388
389 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN);
390 if (buf == NULL)
391 return NULL;
392 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
393 sta->sae->tmp->anti_clogging_token : NULL);
394
395 return buf;
396 }
397
398
399 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
400 struct sta_info *sta)
401 {
402 struct wpabuf *buf;
403
404 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
405 if (buf == NULL)
406 return NULL;
407
408 sae_write_confirm(sta->sae, buf);
409
410 return buf;
411 }
412
413
414 static int auth_sae_send_commit(struct hostapd_data *hapd,
415 struct sta_info *sta,
416 const u8 *bssid, int update)
417 {
418 struct wpabuf *data;
419 int reply_res;
420
421 data = auth_build_sae_commit(hapd, sta, update);
422 if (data == NULL)
423 return WLAN_STATUS_UNSPECIFIED_FAILURE;
424
425 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
426 WLAN_STATUS_SUCCESS, wpabuf_head(data),
427 wpabuf_len(data));
428
429 wpabuf_free(data);
430
431 return reply_res;
432 }
433
434
435 static int auth_sae_send_confirm(struct hostapd_data *hapd,
436 struct sta_info *sta,
437 const u8 *bssid)
438 {
439 struct wpabuf *data;
440 int reply_res;
441
442 data = auth_build_sae_confirm(hapd, sta);
443 if (data == NULL)
444 return WLAN_STATUS_UNSPECIFIED_FAILURE;
445
446 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
447 WLAN_STATUS_SUCCESS, wpabuf_head(data),
448 wpabuf_len(data));
449
450 wpabuf_free(data);
451
452 return reply_res;
453 }
454
455
456 static int use_sae_anti_clogging(struct hostapd_data *hapd)
457 {
458 struct sta_info *sta;
459 unsigned int open = 0;
460
461 if (hapd->conf->sae_anti_clogging_threshold == 0)
462 return 1;
463
464 for (sta = hapd->sta_list; sta; sta = sta->next) {
465 if (!sta->sae)
466 continue;
467 if (sta->sae->state != SAE_COMMITTED &&
468 sta->sae->state != SAE_CONFIRMED)
469 continue;
470 open++;
471 if (open >= hapd->conf->sae_anti_clogging_threshold)
472 return 1;
473 }
474
475 return 0;
476 }
477
478
479 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
480 const u8 *token, size_t token_len)
481 {
482 u8 mac[SHA256_MAC_LEN];
483
484 if (token_len != SHA256_MAC_LEN)
485 return -1;
486 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
487 addr, ETH_ALEN, mac) < 0 ||
488 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0)
489 return -1;
490
491 return 0;
492 }
493
494
495 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
496 int group, const u8 *addr)
497 {
498 struct wpabuf *buf;
499 u8 *token;
500 struct os_reltime now;
501
502 os_get_reltime(&now);
503 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
504 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) {
505 if (random_get_bytes(hapd->sae_token_key,
506 sizeof(hapd->sae_token_key)) < 0)
507 return NULL;
508 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
509 hapd->sae_token_key, sizeof(hapd->sae_token_key));
510 hapd->last_sae_token_key_update = now;
511 }
512
513 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
514 if (buf == NULL)
515 return NULL;
516
517 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
518
519 token = wpabuf_put(buf, SHA256_MAC_LEN);
520 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
521 addr, ETH_ALEN, token);
522
523 return buf;
524 }
525
526
527 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
528 {
529 if (sta->sae->sync > hapd->conf->sae_sync) {
530 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
531 sta->sae->sync = 0;
532 return -1;
533 }
534 return 0;
535 }
536
537
538 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
539 {
540 struct hostapd_data *hapd = eloop_ctx;
541 struct sta_info *sta = eloop_data;
542 int ret;
543
544 if (sae_check_big_sync(hapd, sta))
545 return;
546 sta->sae->sync++;
547 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
548 " (sync=%d state=%s)",
549 MAC2STR(sta->addr), sta->sae->sync,
550 sae_state_txt(sta->sae->state));
551
552 switch (sta->sae->state) {
553 case SAE_COMMITTED:
554 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
555 eloop_register_timeout(0,
556 hapd->dot11RSNASAERetransPeriod * 1000,
557 auth_sae_retransmit_timer, hapd, sta);
558 break;
559 case SAE_CONFIRMED:
560 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
561 eloop_register_timeout(0,
562 hapd->dot11RSNASAERetransPeriod * 1000,
563 auth_sae_retransmit_timer, hapd, sta);
564 break;
565 default:
566 ret = -1;
567 break;
568 }
569
570 if (ret != WLAN_STATUS_SUCCESS)
571 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
572 }
573
574
575 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
576 {
577 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
578 }
579
580
581 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
582 struct sta_info *sta)
583 {
584 if (!(hapd->conf->mesh & MESH_ENABLED))
585 return;
586
587 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
588 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
589 auth_sae_retransmit_timer, hapd, sta);
590 }
591
592
593 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
594 {
595 sta->flags |= WLAN_STA_AUTH;
596 sta->auth_alg = WLAN_AUTH_SAE;
597 mlme_authenticate_indication(hapd, sta);
598 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
599 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
600 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
601 sta->sae->pmk, sta->sae->pmkid);
602 }
603
604
605 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
606 const u8 *bssid, u8 auth_transaction)
607 {
608 int ret;
609
610 if (auth_transaction != 1 && auth_transaction != 2)
611 return WLAN_STATUS_UNSPECIFIED_FAILURE;
612
613 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
614 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
615 auth_transaction);
616 switch (sta->sae->state) {
617 case SAE_NOTHING:
618 if (auth_transaction == 1) {
619 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
620 if (ret)
621 return ret;
622 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
623
624 if (sae_process_commit(sta->sae) < 0)
625 return WLAN_STATUS_UNSPECIFIED_FAILURE;
626
627 /*
628 * In mesh case, both Commit and Confirm can be sent
629 * immediately. In infrastructure BSS, only a single
630 * Authentication frame (Commit) is expected from the AP
631 * here and the second one (Confirm) will be sent once
632 * the STA has sent its second Authentication frame
633 * (Confirm).
634 */
635 if (hapd->conf->mesh & MESH_ENABLED) {
636 /*
637 * Send both Commit and Confirm immediately
638 * based on SAE finite state machine
639 * Nothing -> Confirm transition.
640 */
641 ret = auth_sae_send_confirm(hapd, sta, bssid);
642 if (ret)
643 return ret;
644 sae_set_state(sta, SAE_CONFIRMED,
645 "Sent Confirm (mesh)");
646 } else {
647 /*
648 * For infrastructure BSS, send only the Commit
649 * message now to get alternating sequence of
650 * Authentication frames between the AP and STA.
651 * Confirm will be sent in
652 * Committed -> Confirmed/Accepted transition
653 * when receiving Confirm from STA.
654 */
655 }
656 sta->sae->sync = 0;
657 sae_set_retransmit_timer(hapd, sta);
658 } else {
659 hostapd_logger(hapd, sta->addr,
660 HOSTAPD_MODULE_IEEE80211,
661 HOSTAPD_LEVEL_DEBUG,
662 "SAE confirm before commit");
663 }
664 break;
665 case SAE_COMMITTED:
666 sae_clear_retransmit_timer(hapd, sta);
667 if (auth_transaction == 1) {
668 if (sae_process_commit(sta->sae) < 0)
669 return WLAN_STATUS_UNSPECIFIED_FAILURE;
670
671 ret = auth_sae_send_confirm(hapd, sta, bssid);
672 if (ret)
673 return ret;
674 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
675 sta->sae->sync = 0;
676 sae_set_retransmit_timer(hapd, sta);
677 } else if (hapd->conf->mesh & MESH_ENABLED) {
678 /*
679 * In mesh case, follow SAE finite state machine and
680 * send Commit now, if sync count allows.
681 */
682 if (sae_check_big_sync(hapd, sta))
683 return WLAN_STATUS_SUCCESS;
684 sta->sae->sync++;
685
686 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
687 if (ret)
688 return ret;
689
690 sae_set_retransmit_timer(hapd, sta);
691 } else {
692 /*
693 * For instructure BSS, send the postponed Confirm from
694 * Nothing -> Confirmed transition that was reduced to
695 * Nothing -> Committed above.
696 */
697 ret = auth_sae_send_confirm(hapd, sta, bssid);
698 if (ret)
699 return ret;
700
701 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
702
703 /*
704 * Since this was triggered on Confirm RX, run another
705 * step to get to Accepted without waiting for
706 * additional events.
707 */
708 return sae_sm_step(hapd, sta, bssid, auth_transaction);
709 }
710 break;
711 case SAE_CONFIRMED:
712 sae_clear_retransmit_timer(hapd, sta);
713 if (auth_transaction == 1) {
714 if (sae_check_big_sync(hapd, sta))
715 return WLAN_STATUS_SUCCESS;
716 sta->sae->sync++;
717
718 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
719 if (ret)
720 return ret;
721
722 if (sae_process_commit(sta->sae) < 0)
723 return WLAN_STATUS_UNSPECIFIED_FAILURE;
724
725 ret = auth_sae_send_confirm(hapd, sta, bssid);
726 if (ret)
727 return ret;
728
729 sae_set_retransmit_timer(hapd, sta);
730 } else {
731 sae_accept_sta(hapd, sta);
732 }
733 break;
734 case SAE_ACCEPTED:
735 if (auth_transaction == 1) {
736 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
737 ") doing reauthentication",
738 MAC2STR(sta->addr));
739 ap_free_sta(hapd, sta);
740 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
741 } else {
742 if (sae_check_big_sync(hapd, sta))
743 return WLAN_STATUS_SUCCESS;
744 sta->sae->sync++;
745
746 ret = auth_sae_send_confirm(hapd, sta, bssid);
747 sae_clear_temp_data(sta->sae);
748 if (ret)
749 return ret;
750 }
751 break;
752 default:
753 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
754 sta->sae->state);
755 return WLAN_STATUS_UNSPECIFIED_FAILURE;
756 }
757 return WLAN_STATUS_SUCCESS;
758 }
759
760
761 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
762 {
763 struct sae_data *sae = sta->sae;
764 int i, *groups = hapd->conf->sae_groups;
765
766 if (sae->state != SAE_COMMITTED)
767 return;
768
769 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
770
771 for (i = 0; groups && groups[i] > 0; i++) {
772 if (sae->group == groups[i])
773 break;
774 }
775
776 if (!groups || groups[i] <= 0) {
777 wpa_printf(MSG_DEBUG,
778 "SAE: Previously selected group not found from the current configuration");
779 return;
780 }
781
782 for (;;) {
783 i++;
784 if (groups[i] <= 0) {
785 wpa_printf(MSG_DEBUG,
786 "SAE: No alternative group enabled");
787 return;
788 }
789
790 if (sae_set_group(sae, groups[i]) < 0)
791 continue;
792
793 break;
794 }
795 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
796 }
797
798
799 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
800 const struct ieee80211_mgmt *mgmt, size_t len,
801 u16 auth_transaction, u16 status_code)
802 {
803 int resp = WLAN_STATUS_SUCCESS;
804 struct wpabuf *data = NULL;
805
806 #ifdef CONFIG_TESTING_OPTIONS
807 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
808 const u8 *pos, *end;
809
810 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
811 pos = mgmt->u.auth.variable;
812 end = ((const u8 *) mgmt) + len;
813 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
814 auth_transaction, resp, pos, end - pos);
815 goto remove_sta;
816 }
817
818 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
819 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
820 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
821 auth_transaction, resp,
822 wpabuf_head(hapd->conf->sae_commit_override),
823 wpabuf_len(hapd->conf->sae_commit_override));
824 goto remove_sta;
825 }
826 #endif /* CONFIG_TESTING_OPTIONS */
827 if (!sta->sae) {
828 if (auth_transaction != 1 ||
829 status_code != WLAN_STATUS_SUCCESS) {
830 resp = -1;
831 goto remove_sta;
832 }
833 sta->sae = os_zalloc(sizeof(*sta->sae));
834 if (!sta->sae) {
835 resp = -1;
836 goto remove_sta;
837 }
838 sae_set_state(sta, SAE_NOTHING, "Init");
839 sta->sae->sync = 0;
840 }
841
842 if (sta->mesh_sae_pmksa_caching) {
843 wpa_printf(MSG_DEBUG,
844 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
845 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
846 sta->mesh_sae_pmksa_caching = 0;
847 }
848
849 if (auth_transaction == 1) {
850 const u8 *token = NULL, *pos, *end;
851 size_t token_len = 0;
852 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
853 HOSTAPD_LEVEL_DEBUG,
854 "start SAE authentication (RX commit, status=%u)",
855 status_code);
856
857 if ((hapd->conf->mesh & MESH_ENABLED) &&
858 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
859 sta->sae->tmp) {
860 pos = mgmt->u.auth.variable;
861 end = ((const u8 *) mgmt) + len;
862 if (pos + sizeof(le16) > end) {
863 wpa_printf(MSG_ERROR,
864 "SAE: Too short anti-clogging token request");
865 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
866 goto reply;
867 }
868 resp = sae_group_allowed(sta->sae,
869 hapd->conf->sae_groups,
870 WPA_GET_LE16(pos));
871 if (resp != WLAN_STATUS_SUCCESS) {
872 wpa_printf(MSG_ERROR,
873 "SAE: Invalid group in anti-clogging token request");
874 goto reply;
875 }
876 pos += sizeof(le16);
877
878 wpabuf_free(sta->sae->tmp->anti_clogging_token);
879 sta->sae->tmp->anti_clogging_token =
880 wpabuf_alloc_copy(pos, end - pos);
881 if (sta->sae->tmp->anti_clogging_token == NULL) {
882 wpa_printf(MSG_ERROR,
883 "SAE: Failed to alloc for anti-clogging token");
884 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
885 goto remove_sta;
886 }
887
888 /*
889 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
890 * is 76, a new Commit Message shall be constructed
891 * with the Anti-Clogging Token from the received
892 * Authentication frame, and the commit-scalar and
893 * COMMIT-ELEMENT previously sent.
894 */
895 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
896 if (resp != WLAN_STATUS_SUCCESS) {
897 wpa_printf(MSG_ERROR,
898 "SAE: Failed to send commit message");
899 goto remove_sta;
900 }
901 sae_set_state(sta, SAE_COMMITTED,
902 "Sent Commit (anti-clogging token case in mesh)");
903 sta->sae->sync = 0;
904 sae_set_retransmit_timer(hapd, sta);
905 return;
906 }
907
908 if ((hapd->conf->mesh & MESH_ENABLED) &&
909 status_code ==
910 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
911 sta->sae->tmp) {
912 wpa_printf(MSG_DEBUG,
913 "SAE: Peer did not accept our SAE group");
914 sae_pick_next_group(hapd, sta);
915 goto remove_sta;
916 }
917
918 if (status_code != WLAN_STATUS_SUCCESS)
919 goto remove_sta;
920
921 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
922 ((const u8 *) mgmt) + len -
923 mgmt->u.auth.variable, &token,
924 &token_len, hapd->conf->sae_groups);
925 if (resp == SAE_SILENTLY_DISCARD) {
926 wpa_printf(MSG_DEBUG,
927 "SAE: Drop commit message from " MACSTR " due to reflection attack",
928 MAC2STR(sta->addr));
929 goto remove_sta;
930 }
931 if (token && check_sae_token(hapd, sta->addr, token, token_len)
932 < 0) {
933 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
934 "incorrect token from " MACSTR,
935 MAC2STR(sta->addr));
936 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
937 goto remove_sta;
938 }
939
940 if (resp != WLAN_STATUS_SUCCESS)
941 goto reply;
942
943 if (!token && use_sae_anti_clogging(hapd)) {
944 wpa_printf(MSG_DEBUG,
945 "SAE: Request anti-clogging token from "
946 MACSTR, MAC2STR(sta->addr));
947 data = auth_build_token_req(hapd, sta->sae->group,
948 sta->addr);
949 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
950 if (hapd->conf->mesh & MESH_ENABLED)
951 sae_set_state(sta, SAE_NOTHING,
952 "Request anti-clogging token case in mesh");
953 goto reply;
954 }
955
956 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
957 } else if (auth_transaction == 2) {
958 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
959 HOSTAPD_LEVEL_DEBUG,
960 "SAE authentication (RX confirm, status=%u)",
961 status_code);
962 if (status_code != WLAN_STATUS_SUCCESS)
963 goto remove_sta;
964 if (sta->sae->state >= SAE_CONFIRMED ||
965 !(hapd->conf->mesh & MESH_ENABLED)) {
966 const u8 *var;
967 size_t var_len;
968 u16 peer_send_confirm;
969
970 var = mgmt->u.auth.variable;
971 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
972 if (var_len < 2) {
973 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
974 goto reply;
975 }
976
977 peer_send_confirm = WPA_GET_LE16(var);
978
979 if (sta->sae->state == SAE_ACCEPTED &&
980 (peer_send_confirm <= sta->sae->rc ||
981 peer_send_confirm == 0xffff)) {
982 wpa_printf(MSG_DEBUG,
983 "SAE: Silently ignore unexpected Confirm from peer "
984 MACSTR
985 " (peer-send-confirm=%u Rc=%u)",
986 MAC2STR(sta->addr),
987 peer_send_confirm, sta->sae->rc);
988 return;
989 }
990
991 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
992 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
993 goto reply;
994 }
995 sta->sae->rc = peer_send_confirm;
996 }
997 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
998 } else {
999 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1000 HOSTAPD_LEVEL_DEBUG,
1001 "unexpected SAE authentication transaction %u (status=%u)",
1002 auth_transaction, status_code);
1003 if (status_code != WLAN_STATUS_SUCCESS)
1004 goto remove_sta;
1005 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1006 }
1007
1008 reply:
1009 if (resp != WLAN_STATUS_SUCCESS) {
1010 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1011 auth_transaction, resp,
1012 data ? wpabuf_head(data) : (u8 *) "",
1013 data ? wpabuf_len(data) : 0);
1014 }
1015
1016 remove_sta:
1017 if (sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
1018 status_code != WLAN_STATUS_SUCCESS)) {
1019 hostapd_drv_sta_remove(hapd, sta->addr);
1020 sta->added_unassoc = 0;
1021 }
1022 wpabuf_free(data);
1023 }
1024
1025
1026 /**
1027 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1028 * @hapd: BSS data for the device initiating the authentication
1029 * @sta: the peer to which commit authentication frame is sent
1030 *
1031 * This function implements Init event handling (IEEE Std 802.11-2012,
1032 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1033 * sta->sae structure should be initialized appropriately via a call to
1034 * sae_prepare_commit().
1035 */
1036 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1037 {
1038 int ret;
1039
1040 if (!sta->sae || !sta->sae->tmp)
1041 return -1;
1042
1043 if (sta->sae->state != SAE_NOTHING)
1044 return -1;
1045
1046 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1047 if (ret)
1048 return -1;
1049
1050 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1051 sta->sae->sync = 0;
1052 sae_set_retransmit_timer(hapd, sta);
1053
1054 return 0;
1055 }
1056
1057 #endif /* CONFIG_SAE */
1058
1059
1060 static u16 wpa_res_to_status_code(int res)
1061 {
1062 if (res == WPA_INVALID_GROUP)
1063 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1064 if (res == WPA_INVALID_PAIRWISE)
1065 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1066 if (res == WPA_INVALID_AKMP)
1067 return WLAN_STATUS_AKMP_NOT_VALID;
1068 if (res == WPA_ALLOC_FAIL)
1069 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1070 #ifdef CONFIG_IEEE80211W
1071 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1072 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1073 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1074 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1075 #endif /* CONFIG_IEEE80211W */
1076 if (res == WPA_INVALID_MDIE)
1077 return WLAN_STATUS_INVALID_MDIE;
1078 if (res == WPA_INVALID_PMKID)
1079 return WLAN_STATUS_INVALID_PMKID;
1080 if (res != WPA_IE_OK)
1081 return WLAN_STATUS_INVALID_IE;
1082 return WLAN_STATUS_SUCCESS;
1083 }
1084
1085
1086 #ifdef CONFIG_FILS
1087
1088 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1089 struct sta_info *sta, u16 resp,
1090 struct wpabuf *data, int pub);
1091
1092 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1093 const u8 *pos, size_t len, u16 auth_alg,
1094 u16 auth_transaction, u16 status_code,
1095 void (*cb)(struct hostapd_data *hapd,
1096 struct sta_info *sta, u16 resp,
1097 struct wpabuf *data, int pub))
1098 {
1099 u16 resp = WLAN_STATUS_SUCCESS;
1100 const u8 *end;
1101 struct ieee802_11_elems elems;
1102 int res;
1103 struct wpa_ie_data rsn;
1104 struct rsn_pmksa_cache_entry *pmksa = NULL;
1105
1106 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1107 return;
1108
1109 end = pos + len;
1110
1111 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1112 pos, end - pos);
1113
1114 /* TODO: FILS PK */
1115 #ifdef CONFIG_FILS_SK_PFS
1116 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1117 u16 group;
1118 struct wpabuf *pub;
1119 size_t elem_len;
1120
1121 /* Using FILS PFS */
1122
1123 /* Finite Cyclic Group */
1124 if (end - pos < 2) {
1125 wpa_printf(MSG_DEBUG,
1126 "FILS: No room for Finite Cyclic Group");
1127 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1128 goto fail;
1129 }
1130 group = WPA_GET_LE16(pos);
1131 pos += 2;
1132 if (group != hapd->conf->fils_dh_group) {
1133 wpa_printf(MSG_DEBUG,
1134 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1135 group, hapd->conf->fils_dh_group);
1136 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1137 goto fail;
1138 }
1139
1140 crypto_ecdh_deinit(sta->fils_ecdh);
1141 sta->fils_ecdh = crypto_ecdh_init(group);
1142 if (!sta->fils_ecdh) {
1143 wpa_printf(MSG_INFO,
1144 "FILS: Could not initialize ECDH with group %d",
1145 group);
1146 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1147 goto fail;
1148 }
1149
1150 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1151 if (!pub) {
1152 wpa_printf(MSG_DEBUG,
1153 "FILS: Failed to derive ECDH public key");
1154 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1155 goto fail;
1156 }
1157 elem_len = wpabuf_len(pub);
1158 wpabuf_free(pub);
1159
1160 /* Element */
1161 if ((size_t) (end - pos) < elem_len) {
1162 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1163 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 goto fail;
1165 }
1166
1167 wpabuf_free(sta->fils_g_sta);
1168 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1169 wpabuf_clear_free(sta->fils_dh_ss);
1170 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1171 pos, elem_len);
1172 if (!sta->fils_dh_ss) {
1173 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1174 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1175 goto fail;
1176 }
1177 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1178 pos += elem_len;
1179 } else {
1180 crypto_ecdh_deinit(sta->fils_ecdh);
1181 sta->fils_ecdh = NULL;
1182 wpabuf_clear_free(sta->fils_dh_ss);
1183 sta->fils_dh_ss = NULL;
1184 }
1185 #endif /* CONFIG_FILS_SK_PFS */
1186
1187 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1188 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1189 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1190 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1191 goto fail;
1192 }
1193
1194 /* RSNE */
1195 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1196 elems.rsn_ie, elems.rsn_ie_len);
1197 if (!elems.rsn_ie ||
1198 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1199 &rsn) < 0) {
1200 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1201 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1202 goto fail;
1203 }
1204
1205 if (!sta->wpa_sm)
1206 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1207 NULL);
1208 if (!sta->wpa_sm) {
1209 wpa_printf(MSG_DEBUG,
1210 "FILS: Failed to initialize RSN state machine");
1211 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1212 goto fail;
1213 }
1214
1215 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1216 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1217 elems.mdie, elems.mdie_len, NULL, 0);
1218 resp = wpa_res_to_status_code(res);
1219 if (resp != WLAN_STATUS_SUCCESS)
1220 goto fail;
1221
1222 if (!elems.fils_nonce) {
1223 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1224 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1225 goto fail;
1226 }
1227 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1228 FILS_NONCE_LEN);
1229 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1230
1231 /* PMKID List */
1232 if (rsn.pmkid && rsn.num_pmkid > 0) {
1233 u8 num;
1234 const u8 *pmkid;
1235
1236 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1237 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1238
1239 pmkid = rsn.pmkid;
1240 num = rsn.num_pmkid;
1241 while (num) {
1242 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1243 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1244 pmkid);
1245 if (pmksa)
1246 break;
1247 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1248 sta->addr,
1249 pmkid);
1250 if (pmksa)
1251 break;
1252 pmkid += PMKID_LEN;
1253 num--;
1254 }
1255 }
1256 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1257 wpa_printf(MSG_DEBUG,
1258 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1259 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1260 pmksa = NULL;
1261 }
1262 if (pmksa)
1263 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1264
1265 /* FILS Session */
1266 if (!elems.fils_session) {
1267 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1268 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1269 goto fail;
1270 }
1271 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1272 FILS_SESSION_LEN);
1273 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1274
1275 /* FILS Wrapped Data */
1276 if (elems.fils_wrapped_data) {
1277 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1278 elems.fils_wrapped_data,
1279 elems.fils_wrapped_data_len);
1280 if (!pmksa) {
1281 #ifndef CONFIG_NO_RADIUS
1282 if (!sta->eapol_sm) {
1283 sta->eapol_sm =
1284 ieee802_1x_alloc_eapol_sm(hapd, sta);
1285 }
1286 wpa_printf(MSG_DEBUG,
1287 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1288 ieee802_1x_encapsulate_radius(
1289 hapd, sta, elems.fils_wrapped_data,
1290 elems.fils_wrapped_data_len);
1291 sta->fils_pending_cb = cb;
1292 wpa_printf(MSG_DEBUG,
1293 "FILS: Will send Authentication frame once the response from authentication server is available");
1294 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1295 /* Calculate pending PMKID here so that we do not need
1296 * to maintain a copy of the EAP-Initiate/Reauth
1297 * message. */
1298 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1299 elems.fils_wrapped_data,
1300 elems.fils_wrapped_data_len,
1301 sta->fils_erp_pmkid) == 0)
1302 sta->fils_erp_pmkid_set = 1;
1303 return;
1304 #else /* CONFIG_NO_RADIUS */
1305 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1306 goto fail;
1307 #endif /* CONFIG_NO_RADIUS */
1308 }
1309 }
1310
1311 fail:
1312 if (cb) {
1313 struct wpabuf *data;
1314 int pub = 0;
1315
1316 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1317 NULL, 0, &pub);
1318 if (!data) {
1319 wpa_printf(MSG_DEBUG,
1320 "%s: prepare_auth_resp_fils() returned failure",
1321 __func__);
1322 }
1323
1324 cb(hapd, sta, resp, data, pub);
1325 }
1326 }
1327
1328
1329 static struct wpabuf *
1330 prepare_auth_resp_fils(struct hostapd_data *hapd,
1331 struct sta_info *sta, u16 *resp,
1332 struct rsn_pmksa_cache_entry *pmksa,
1333 struct wpabuf *erp_resp,
1334 const u8 *msk, size_t msk_len,
1335 int *is_pub)
1336 {
1337 u8 fils_nonce[FILS_NONCE_LEN];
1338 size_t ielen;
1339 struct wpabuf *data = NULL;
1340 const u8 *ie;
1341 u8 *ie_buf = NULL;
1342 const u8 *pmk = NULL;
1343 size_t pmk_len = 0;
1344 u8 pmk_buf[PMK_LEN_MAX];
1345 struct wpabuf *pub = NULL;
1346
1347 if (*resp != WLAN_STATUS_SUCCESS)
1348 goto fail;
1349
1350 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1351 if (!ie) {
1352 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1353 goto fail;
1354 }
1355
1356 if (pmksa) {
1357 /* Add PMKID of the selected PMKSA into RSNE */
1358 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1359 if (!ie_buf) {
1360 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1361 goto fail;
1362 }
1363
1364 os_memcpy(ie_buf, ie, ielen);
1365 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1366 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1367 goto fail;
1368 }
1369 ie = ie_buf;
1370 }
1371
1372 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1373 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1374 goto fail;
1375 }
1376 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1377 fils_nonce, FILS_NONCE_LEN);
1378
1379 #ifdef CONFIG_FILS_SK_PFS
1380 if (sta->fils_dh_ss && sta->fils_ecdh) {
1381 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1382 if (!pub) {
1383 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1384 goto fail;
1385 }
1386 }
1387 #endif /* CONFIG_FILS_SK_PFS */
1388
1389 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1390 if (!data) {
1391 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1392 goto fail;
1393 }
1394
1395 /* TODO: FILS PK */
1396 #ifdef CONFIG_FILS_SK_PFS
1397 if (pub) {
1398 /* Finite Cyclic Group */
1399 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1400
1401 /* Element */
1402 wpabuf_put_buf(data, pub);
1403 }
1404 #endif /* CONFIG_FILS_SK_PFS */
1405
1406 /* RSNE */
1407 wpabuf_put_data(data, ie, ielen);
1408
1409 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1410
1411 #ifdef CONFIG_IEEE80211R_AP
1412 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1413 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1414 int res;
1415
1416 res = wpa_auth_write_fte(hapd->wpa_auth, wpabuf_put(data, 0),
1417 wpabuf_tailroom(data));
1418 if (res < 0) {
1419 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1420 goto fail;
1421 }
1422 wpabuf_put(data, res);
1423 }
1424 #endif /* CONFIG_IEEE80211R_AP */
1425
1426 /* FILS Nonce */
1427 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1428 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1429 /* Element ID Extension */
1430 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1431 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1432
1433 /* FILS Session */
1434 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1435 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1436 /* Element ID Extension */
1437 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1438 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1439
1440 /* FILS Wrapped Data */
1441 if (!pmksa && erp_resp) {
1442 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1443 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1444 /* Element ID Extension */
1445 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1446 wpabuf_put_buf(data, erp_resp);
1447
1448 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1449 msk, msk_len, sta->fils_snonce, fils_nonce,
1450 sta->fils_dh_ss ?
1451 wpabuf_head(sta->fils_dh_ss) : NULL,
1452 sta->fils_dh_ss ?
1453 wpabuf_len(sta->fils_dh_ss) : 0,
1454 pmk_buf, &pmk_len)) {
1455 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1456 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1457 wpabuf_free(data);
1458 data = NULL;
1459 goto fail;
1460 }
1461 pmk = pmk_buf;
1462
1463 /* Don't use DHss in PTK derivation if PMKSA caching is not
1464 * used. */
1465 wpabuf_clear_free(sta->fils_dh_ss);
1466 sta->fils_dh_ss = NULL;
1467
1468 if (sta->fils_erp_pmkid_set) {
1469 /* TODO: get PMKLifetime from WPA parameters */
1470 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1471
1472 sta->fils_erp_pmkid_set = 0;
1473 if (wpa_auth_pmksa_add2(
1474 hapd->wpa_auth, sta->addr,
1475 pmk, pmk_len,
1476 sta->fils_erp_pmkid,
1477 sta->session_timeout_set ?
1478 sta->session_timeout :
1479 dot11RSNAConfigPMKLifetime,
1480 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1481 wpa_printf(MSG_ERROR,
1482 "FILS: Failed to add PMKSA cache entry based on ERP");
1483 }
1484 }
1485 } else if (pmksa) {
1486 pmk = pmksa->pmk;
1487 pmk_len = pmksa->pmk_len;
1488 }
1489
1490 if (!pmk) {
1491 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1492 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1493 wpabuf_free(data);
1494 data = NULL;
1495 goto fail;
1496 }
1497
1498 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1499 sta->fils_snonce, fils_nonce,
1500 sta->fils_dh_ss ?
1501 wpabuf_head(sta->fils_dh_ss) : NULL,
1502 sta->fils_dh_ss ?
1503 wpabuf_len(sta->fils_dh_ss) : 0,
1504 sta->fils_g_sta, pub) < 0) {
1505 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1506 wpabuf_free(data);
1507 data = NULL;
1508 goto fail;
1509 }
1510
1511 fail:
1512 if (is_pub)
1513 *is_pub = pub != NULL;
1514 os_free(ie_buf);
1515 wpabuf_free(pub);
1516 wpabuf_clear_free(sta->fils_dh_ss);
1517 sta->fils_dh_ss = NULL;
1518 #ifdef CONFIG_FILS_SK_PFS
1519 crypto_ecdh_deinit(sta->fils_ecdh);
1520 sta->fils_ecdh = NULL;
1521 #endif /* CONFIG_FILS_SK_PFS */
1522 return data;
1523 }
1524
1525
1526 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1527 struct sta_info *sta, u16 resp,
1528 struct wpabuf *data, int pub)
1529 {
1530 u16 auth_alg;
1531
1532 auth_alg = (pub ||
1533 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1534 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1535 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1536 data ? wpabuf_head(data) : (u8 *) "",
1537 data ? wpabuf_len(data) : 0);
1538 wpabuf_free(data);
1539
1540 if (resp == WLAN_STATUS_SUCCESS) {
1541 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1542 HOSTAPD_LEVEL_DEBUG,
1543 "authentication OK (FILS)");
1544 sta->flags |= WLAN_STA_AUTH;
1545 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1546 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1547 mlme_authenticate_indication(hapd, sta);
1548 }
1549 }
1550
1551
1552 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1553 struct sta_info *sta, int success,
1554 struct wpabuf *erp_resp,
1555 const u8 *msk, size_t msk_len)
1556 {
1557 struct wpabuf *data;
1558 int pub = 0;
1559 u16 resp;
1560
1561 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1562
1563 if (!sta->fils_pending_cb)
1564 return;
1565 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1566 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1567 msk, msk_len, &pub);
1568 if (!data) {
1569 wpa_printf(MSG_DEBUG,
1570 "%s: prepare_auth_resp_fils() returned failure",
1571 __func__);
1572 }
1573 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1574 }
1575
1576 #endif /* CONFIG_FILS */
1577
1578
1579 static int
1580 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1581 const u8 *msg, size_t len, u32 *session_timeout,
1582 u32 *acct_interim_interval,
1583 struct vlan_description *vlan_id,
1584 struct hostapd_sta_wpa_psk_short **psk,
1585 char **identity, char **radius_cui)
1586 {
1587 int res;
1588
1589 os_memset(vlan_id, 0, sizeof(*vlan_id));
1590 res = hostapd_allowed_address(hapd, addr, msg, len,
1591 session_timeout, acct_interim_interval,
1592 vlan_id, psk, identity, radius_cui);
1593
1594 if (res == HOSTAPD_ACL_REJECT) {
1595 wpa_printf(MSG_INFO,
1596 "Station " MACSTR " not allowed to authenticate",
1597 MAC2STR(addr));
1598 return HOSTAPD_ACL_REJECT;
1599 }
1600
1601 if (res == HOSTAPD_ACL_PENDING) {
1602 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1603 " waiting for an external authentication",
1604 MAC2STR(addr));
1605 /* Authentication code will re-send the authentication frame
1606 * after it has received (and cached) information from the
1607 * external source. */
1608 return HOSTAPD_ACL_PENDING;
1609 }
1610
1611 return res;
1612 }
1613
1614
1615 static int
1616 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1617 int res, u32 session_timeout,
1618 u32 acct_interim_interval,
1619 struct vlan_description *vlan_id,
1620 struct hostapd_sta_wpa_psk_short **psk,
1621 char **identity, char **radius_cui)
1622 {
1623 if (vlan_id->notempty &&
1624 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1625 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1626 HOSTAPD_LEVEL_INFO,
1627 "Invalid VLAN %d%s received from RADIUS server",
1628 vlan_id->untagged,
1629 vlan_id->tagged[0] ? "+" : "");
1630 return -1;
1631 }
1632 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1633 return -1;
1634 if (sta->vlan_id)
1635 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1636 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1637
1638 hostapd_free_psk_list(sta->psk);
1639 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
1640 sta->psk = *psk;
1641 *psk = NULL;
1642 } else {
1643 sta->psk = NULL;
1644 }
1645
1646 sta->identity = *identity;
1647 *identity = NULL;
1648 sta->radius_cui = *radius_cui;
1649 *radius_cui = NULL;
1650
1651 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
1652 sta->acct_interim_interval = acct_interim_interval;
1653 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
1654 ap_sta_session_timeout(hapd, sta, session_timeout);
1655 else
1656 ap_sta_no_session_timeout(hapd, sta);
1657
1658 return 0;
1659 }
1660
1661
1662 static void handle_auth(struct hostapd_data *hapd,
1663 const struct ieee80211_mgmt *mgmt, size_t len)
1664 {
1665 u16 auth_alg, auth_transaction, status_code;
1666 u16 resp = WLAN_STATUS_SUCCESS;
1667 struct sta_info *sta = NULL;
1668 int res, reply_res;
1669 u16 fc;
1670 const u8 *challenge = NULL;
1671 u32 session_timeout, acct_interim_interval;
1672 struct vlan_description vlan_id;
1673 struct hostapd_sta_wpa_psk_short *psk = NULL;
1674 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
1675 size_t resp_ies_len = 0;
1676 char *identity = NULL;
1677 char *radius_cui = NULL;
1678 u16 seq_ctrl;
1679
1680 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
1681 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
1682 (unsigned long) len);
1683 return;
1684 }
1685
1686 #ifdef CONFIG_TESTING_OPTIONS
1687 if (hapd->iconf->ignore_auth_probability > 0.0 &&
1688 drand48() < hapd->iconf->ignore_auth_probability) {
1689 wpa_printf(MSG_INFO,
1690 "TESTING: ignoring auth frame from " MACSTR,
1691 MAC2STR(mgmt->sa));
1692 return;
1693 }
1694 #endif /* CONFIG_TESTING_OPTIONS */
1695
1696 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
1697 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
1698 status_code = le_to_host16(mgmt->u.auth.status_code);
1699 fc = le_to_host16(mgmt->frame_control);
1700 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
1701
1702 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
1703 2 + WLAN_AUTH_CHALLENGE_LEN &&
1704 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
1705 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
1706 challenge = &mgmt->u.auth.variable[2];
1707
1708 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
1709 "auth_transaction=%d status_code=%d wep=%d%s "
1710 "seq_ctrl=0x%x%s",
1711 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
1712 status_code, !!(fc & WLAN_FC_ISWEP),
1713 challenge ? " challenge" : "",
1714 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
1715
1716 #ifdef CONFIG_NO_RC4
1717 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
1718 wpa_printf(MSG_INFO,
1719 "Unsupported authentication algorithm (%d)",
1720 auth_alg);
1721 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1722 goto fail;
1723 }
1724 #endif /* CONFIG_NO_RC4 */
1725
1726 if (hapd->tkip_countermeasures) {
1727 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1728 goto fail;
1729 }
1730
1731 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
1732 auth_alg == WLAN_AUTH_OPEN) ||
1733 #ifdef CONFIG_IEEE80211R_AP
1734 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
1735 auth_alg == WLAN_AUTH_FT) ||
1736 #endif /* CONFIG_IEEE80211R_AP */
1737 #ifdef CONFIG_SAE
1738 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
1739 auth_alg == WLAN_AUTH_SAE) ||
1740 #endif /* CONFIG_SAE */
1741 #ifdef CONFIG_FILS
1742 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1743 auth_alg == WLAN_AUTH_FILS_SK) ||
1744 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1745 hapd->conf->fils_dh_group &&
1746 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
1747 #endif /* CONFIG_FILS */
1748 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
1749 auth_alg == WLAN_AUTH_SHARED_KEY))) {
1750 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
1751 auth_alg);
1752 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1753 goto fail;
1754 }
1755
1756 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
1757 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
1758 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
1759 auth_transaction);
1760 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1761 goto fail;
1762 }
1763
1764 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
1765 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
1766 MAC2STR(mgmt->sa));
1767 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1768 goto fail;
1769 }
1770
1771 if (hapd->conf->no_auth_if_seen_on) {
1772 struct hostapd_data *other;
1773
1774 other = sta_track_seen_on(hapd->iface, mgmt->sa,
1775 hapd->conf->no_auth_if_seen_on);
1776 if (other) {
1777 u8 *pos;
1778 u32 info;
1779 u8 op_class, channel, phytype;
1780
1781 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
1782 MACSTR " since STA has been seen on %s",
1783 hapd->conf->iface, MAC2STR(mgmt->sa),
1784 hapd->conf->no_auth_if_seen_on);
1785
1786 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
1787 pos = &resp_ies[0];
1788 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
1789 *pos++ = 13;
1790 os_memcpy(pos, other->own_addr, ETH_ALEN);
1791 pos += ETH_ALEN;
1792 info = 0; /* TODO: BSSID Information */
1793 WPA_PUT_LE32(pos, info);
1794 pos += 4;
1795 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
1796 phytype = 8; /* dmg */
1797 else if (other->iconf->ieee80211ac)
1798 phytype = 9; /* vht */
1799 else if (other->iconf->ieee80211n)
1800 phytype = 7; /* ht */
1801 else if (other->iconf->hw_mode ==
1802 HOSTAPD_MODE_IEEE80211A)
1803 phytype = 4; /* ofdm */
1804 else if (other->iconf->hw_mode ==
1805 HOSTAPD_MODE_IEEE80211G)
1806 phytype = 6; /* erp */
1807 else
1808 phytype = 5; /* hrdsss */
1809 if (ieee80211_freq_to_channel_ext(
1810 hostapd_hw_get_freq(other,
1811 other->iconf->channel),
1812 other->iconf->secondary_channel,
1813 other->iconf->ieee80211ac,
1814 &op_class, &channel) == NUM_HOSTAPD_MODES) {
1815 op_class = 0;
1816 channel = other->iconf->channel;
1817 }
1818 *pos++ = op_class;
1819 *pos++ = channel;
1820 *pos++ = phytype;
1821 resp_ies_len = pos - &resp_ies[0];
1822 goto fail;
1823 }
1824 }
1825
1826 res = ieee802_11_allowed_address(
1827 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
1828 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui);
1829 if (res == HOSTAPD_ACL_REJECT) {
1830 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1831 goto fail;
1832 }
1833 if (res == HOSTAPD_ACL_PENDING)
1834 return;
1835
1836 sta = ap_get_sta(hapd, mgmt->sa);
1837 if (sta) {
1838 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1839 if ((fc & WLAN_FC_RETRY) &&
1840 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
1841 sta->last_seq_ctrl == seq_ctrl &&
1842 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
1843 hostapd_logger(hapd, sta->addr,
1844 HOSTAPD_MODULE_IEEE80211,
1845 HOSTAPD_LEVEL_DEBUG,
1846 "Drop repeated authentication frame seq_ctrl=0x%x",
1847 seq_ctrl);
1848 return;
1849 }
1850 #ifdef CONFIG_MESH
1851 if ((hapd->conf->mesh & MESH_ENABLED) &&
1852 sta->plink_state == PLINK_BLOCKED) {
1853 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1854 " is blocked - drop Authentication frame",
1855 MAC2STR(mgmt->sa));
1856 return;
1857 }
1858 #endif /* CONFIG_MESH */
1859 } else {
1860 #ifdef CONFIG_MESH
1861 if (hapd->conf->mesh & MESH_ENABLED) {
1862 /* if the mesh peer is not available, we don't do auth.
1863 */
1864 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1865 " not yet known - drop Authentication frame",
1866 MAC2STR(mgmt->sa));
1867 /*
1868 * Save a copy of the frame so that it can be processed
1869 * if a new peer entry is added shortly after this.
1870 */
1871 wpabuf_free(hapd->mesh_pending_auth);
1872 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
1873 os_get_reltime(&hapd->mesh_pending_auth_time);
1874 return;
1875 }
1876 #endif /* CONFIG_MESH */
1877
1878 sta = ap_sta_add(hapd, mgmt->sa);
1879 if (!sta) {
1880 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1881 goto fail;
1882 }
1883 }
1884 sta->last_seq_ctrl = seq_ctrl;
1885 sta->last_subtype = WLAN_FC_STYPE_AUTH;
1886
1887 res = ieee802_11_set_radius_info(
1888 hapd, sta, res, session_timeout, acct_interim_interval,
1889 &vlan_id, &psk, &identity, &radius_cui);
1890 if (res) {
1891 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 goto fail;
1893 }
1894
1895 sta->flags &= ~WLAN_STA_PREAUTH;
1896 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
1897
1898 /*
1899 * If the driver supports full AP client state, add a station to the
1900 * driver before sending authentication reply to make sure the driver
1901 * has resources, and not to go through the entire authentication and
1902 * association handshake, and fail it at the end.
1903 *
1904 * If this is not the first transaction, in a multi-step authentication
1905 * algorithm, the station already exists in the driver
1906 * (sta->added_unassoc = 1) so skip it.
1907 *
1908 * In mesh mode, the station was already added to the driver when the
1909 * NEW_PEER_CANDIDATE event is received.
1910 *
1911 * If PMF was negotiated for the existing association, skip this to
1912 * avoid dropping the STA entry and the associated keys. This is needed
1913 * to allow the original connection work until the attempt can complete
1914 * (re)association, so that unprotected Authentication frame cannot be
1915 * used to bypass PMF protection.
1916 */
1917 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
1918 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
1919 !(hapd->conf->mesh & MESH_ENABLED) &&
1920 !(sta->added_unassoc)) {
1921 /*
1922 * If a station that is already associated to the AP, is trying
1923 * to authenticate again, remove the STA entry, in order to make
1924 * sure the STA PS state gets cleared and configuration gets
1925 * updated. To handle this, station's added_unassoc flag is
1926 * cleared once the station has completed association.
1927 */
1928 hostapd_drv_sta_remove(hapd, sta->addr);
1929 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
1930 WLAN_STA_AUTHORIZED);
1931
1932 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
1933 NULL, NULL, sta->flags, 0, 0, 0, 0)) {
1934 hostapd_logger(hapd, sta->addr,
1935 HOSTAPD_MODULE_IEEE80211,
1936 HOSTAPD_LEVEL_NOTICE,
1937 "Could not add STA to kernel driver");
1938 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1939 goto fail;
1940 }
1941
1942 sta->added_unassoc = 1;
1943 }
1944
1945 switch (auth_alg) {
1946 case WLAN_AUTH_OPEN:
1947 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1948 HOSTAPD_LEVEL_DEBUG,
1949 "authentication OK (open system)");
1950 sta->flags |= WLAN_STA_AUTH;
1951 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1952 sta->auth_alg = WLAN_AUTH_OPEN;
1953 mlme_authenticate_indication(hapd, sta);
1954 break;
1955 #ifndef CONFIG_NO_RC4
1956 case WLAN_AUTH_SHARED_KEY:
1957 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
1958 fc & WLAN_FC_ISWEP);
1959 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
1960 mlme_authenticate_indication(hapd, sta);
1961 if (sta->challenge && auth_transaction == 1) {
1962 resp_ies[0] = WLAN_EID_CHALLENGE;
1963 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
1964 os_memcpy(resp_ies + 2, sta->challenge,
1965 WLAN_AUTH_CHALLENGE_LEN);
1966 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
1967 }
1968 break;
1969 #endif /* CONFIG_NO_RC4 */
1970 #ifdef CONFIG_IEEE80211R_AP
1971 case WLAN_AUTH_FT:
1972 sta->auth_alg = WLAN_AUTH_FT;
1973 if (sta->wpa_sm == NULL)
1974 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
1975 sta->addr, NULL);
1976 if (sta->wpa_sm == NULL) {
1977 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
1978 "state machine");
1979 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1980 goto fail;
1981 }
1982 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
1983 auth_transaction, mgmt->u.auth.variable,
1984 len - IEEE80211_HDRLEN -
1985 sizeof(mgmt->u.auth),
1986 handle_auth_ft_finish, hapd);
1987 /* handle_auth_ft_finish() callback will complete auth. */
1988 return;
1989 #endif /* CONFIG_IEEE80211R_AP */
1990 #ifdef CONFIG_SAE
1991 case WLAN_AUTH_SAE:
1992 #ifdef CONFIG_MESH
1993 if (status_code == WLAN_STATUS_SUCCESS &&
1994 hapd->conf->mesh & MESH_ENABLED) {
1995 if (sta->wpa_sm == NULL)
1996 sta->wpa_sm =
1997 wpa_auth_sta_init(hapd->wpa_auth,
1998 sta->addr, NULL);
1999 if (sta->wpa_sm == NULL) {
2000 wpa_printf(MSG_DEBUG,
2001 "SAE: Failed to initialize WPA state machine");
2002 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2003 goto fail;
2004 }
2005 }
2006 #endif /* CONFIG_MESH */
2007 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2008 status_code);
2009 return;
2010 #endif /* CONFIG_SAE */
2011 #ifdef CONFIG_FILS
2012 case WLAN_AUTH_FILS_SK:
2013 case WLAN_AUTH_FILS_SK_PFS:
2014 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2015 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2016 auth_alg, auth_transaction, status_code,
2017 handle_auth_fils_finish);
2018 return;
2019 #endif /* CONFIG_FILS */
2020 }
2021
2022 fail:
2023 os_free(identity);
2024 os_free(radius_cui);
2025 hostapd_free_psk_list(psk);
2026
2027 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2028 auth_transaction + 1, resp, resp_ies,
2029 resp_ies_len);
2030
2031 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2032 reply_res != WLAN_STATUS_SUCCESS)) {
2033 hostapd_drv_sta_remove(hapd, sta->addr);
2034 sta->added_unassoc = 0;
2035 }
2036 }
2037
2038
2039 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2040 {
2041 int i, j = 32, aid;
2042
2043 /* get a unique AID */
2044 if (sta->aid > 0) {
2045 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2046 return 0;
2047 }
2048
2049 if (TEST_FAIL())
2050 return -1;
2051
2052 for (i = 0; i < AID_WORDS; i++) {
2053 if (hapd->sta_aid[i] == (u32) -1)
2054 continue;
2055 for (j = 0; j < 32; j++) {
2056 if (!(hapd->sta_aid[i] & BIT(j)))
2057 break;
2058 }
2059 if (j < 32)
2060 break;
2061 }
2062 if (j == 32)
2063 return -1;
2064 aid = i * 32 + j + 1;
2065 if (aid > 2007)
2066 return -1;
2067
2068 sta->aid = aid;
2069 hapd->sta_aid[i] |= BIT(j);
2070 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2071 return 0;
2072 }
2073
2074
2075 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2076 const u8 *ssid_ie, size_t ssid_ie_len)
2077 {
2078 if (ssid_ie == NULL)
2079 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2080
2081 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2082 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2083 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2084 HOSTAPD_LEVEL_INFO,
2085 "Station tried to associate with unknown SSID "
2086 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2087 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2088 }
2089
2090 return WLAN_STATUS_SUCCESS;
2091 }
2092
2093
2094 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2095 const u8 *wmm_ie, size_t wmm_ie_len)
2096 {
2097 sta->flags &= ~WLAN_STA_WMM;
2098 sta->qosinfo = 0;
2099 if (wmm_ie && hapd->conf->wmm_enabled) {
2100 struct wmm_information_element *wmm;
2101
2102 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2103 hostapd_logger(hapd, sta->addr,
2104 HOSTAPD_MODULE_WPA,
2105 HOSTAPD_LEVEL_DEBUG,
2106 "invalid WMM element in association "
2107 "request");
2108 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2109 }
2110
2111 sta->flags |= WLAN_STA_WMM;
2112 wmm = (struct wmm_information_element *) wmm_ie;
2113 sta->qosinfo = wmm->qos_info;
2114 }
2115 return WLAN_STATUS_SUCCESS;
2116 }
2117
2118
2119 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2120 struct ieee802_11_elems *elems)
2121 {
2122 /* Supported rates not used in IEEE 802.11ad/DMG */
2123 if (hapd->iface->current_mode &&
2124 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2125 return WLAN_STATUS_SUCCESS;
2126
2127 if (!elems->supp_rates) {
2128 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2129 HOSTAPD_LEVEL_DEBUG,
2130 "No supported rates element in AssocReq");
2131 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2132 }
2133
2134 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2135 sizeof(sta->supported_rates)) {
2136 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2137 HOSTAPD_LEVEL_DEBUG,
2138 "Invalid supported rates element length %d+%d",
2139 elems->supp_rates_len,
2140 elems->ext_supp_rates_len);
2141 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2142 }
2143
2144 sta->supported_rates_len = merge_byte_arrays(
2145 sta->supported_rates, sizeof(sta->supported_rates),
2146 elems->supp_rates, elems->supp_rates_len,
2147 elems->ext_supp_rates, elems->ext_supp_rates_len);
2148
2149 return WLAN_STATUS_SUCCESS;
2150 }
2151
2152
2153 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2154 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2155 {
2156 #ifdef CONFIG_INTERWORKING
2157 /* check for QoS Map support */
2158 if (ext_capab_ie_len >= 5) {
2159 if (ext_capab_ie[4] & 0x01)
2160 sta->qos_map_enabled = 1;
2161 }
2162 #endif /* CONFIG_INTERWORKING */
2163
2164 if (ext_capab_ie_len > 0) {
2165 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2166 os_free(sta->ext_capability);
2167 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2168 if (sta->ext_capability) {
2169 sta->ext_capability[0] = ext_capab_ie_len;
2170 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2171 ext_capab_ie_len);
2172 }
2173 }
2174
2175 return WLAN_STATUS_SUCCESS;
2176 }
2177
2178
2179 #ifdef CONFIG_OWE
2180
2181 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2182 {
2183 int i;
2184 int *groups = hapd->conf->owe_groups;
2185
2186 if (group != 19 && group != 20 && group != 21)
2187 return 0;
2188
2189 if (!groups)
2190 return 1;
2191
2192 for (i = 0; groups[i] > 0; i++) {
2193 if (groups[i] == group)
2194 return 1;
2195 }
2196
2197 return 0;
2198 }
2199
2200
2201 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2202 struct sta_info *sta, const u8 *owe_dh,
2203 u8 owe_dh_len)
2204 {
2205 struct wpabuf *secret, *pub, *hkey;
2206 int res;
2207 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2208 const char *info = "OWE Key Generation";
2209 const u8 *addr[2];
2210 size_t len[2];
2211 u16 group;
2212 size_t hash_len, prime_len;
2213
2214 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2215 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2216 return WLAN_STATUS_SUCCESS;
2217 }
2218
2219 group = WPA_GET_LE16(owe_dh);
2220 if (!owe_group_supported(hapd, group)) {
2221 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2222 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2223 }
2224 if (group == 19)
2225 prime_len = 32;
2226 else if (group == 20)
2227 prime_len = 48;
2228 else if (group == 21)
2229 prime_len = 66;
2230 else
2231 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2232
2233 crypto_ecdh_deinit(sta->owe_ecdh);
2234 sta->owe_ecdh = crypto_ecdh_init(group);
2235 if (!sta->owe_ecdh)
2236 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2237 sta->owe_group = group;
2238
2239 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2240 owe_dh_len - 2);
2241 secret = wpabuf_zeropad(secret, prime_len);
2242 if (!secret) {
2243 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2244 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2245 }
2246 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2247
2248 /* prk = HKDF-extract(C | A | group, z) */
2249
2250 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2251 if (!pub) {
2252 wpabuf_clear_free(secret);
2253 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2254 }
2255
2256 /* PMKID = Truncate-128(Hash(C | A)) */
2257 addr[0] = owe_dh + 2;
2258 len[0] = owe_dh_len - 2;
2259 addr[1] = wpabuf_head(pub);
2260 len[1] = wpabuf_len(pub);
2261 if (group == 19) {
2262 res = sha256_vector(2, addr, len, pmkid);
2263 hash_len = SHA256_MAC_LEN;
2264 } else if (group == 20) {
2265 res = sha384_vector(2, addr, len, pmkid);
2266 hash_len = SHA384_MAC_LEN;
2267 } else if (group == 21) {
2268 res = sha512_vector(2, addr, len, pmkid);
2269 hash_len = SHA512_MAC_LEN;
2270 } else {
2271 wpabuf_free(pub);
2272 wpabuf_clear_free(secret);
2273 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2274 }
2275 pub = wpabuf_zeropad(pub, prime_len);
2276 if (res < 0 || !pub) {
2277 wpabuf_free(pub);
2278 wpabuf_clear_free(secret);
2279 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2280 }
2281
2282 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2283 if (!hkey) {
2284 wpabuf_free(pub);
2285 wpabuf_clear_free(secret);
2286 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2287 }
2288
2289 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2290 wpabuf_put_buf(hkey, pub); /* A */
2291 wpabuf_free(pub);
2292 wpabuf_put_le16(hkey, group); /* group */
2293 if (group == 19)
2294 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2295 wpabuf_head(secret), wpabuf_len(secret), prk);
2296 else if (group == 20)
2297 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2298 wpabuf_head(secret), wpabuf_len(secret), prk);
2299 else if (group == 21)
2300 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2301 wpabuf_head(secret), wpabuf_len(secret), prk);
2302 wpabuf_clear_free(hkey);
2303 wpabuf_clear_free(secret);
2304 if (res < 0)
2305 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2306
2307 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2308
2309 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2310
2311 os_free(sta->owe_pmk);
2312 sta->owe_pmk = os_malloc(hash_len);
2313 if (!sta->owe_pmk) {
2314 os_memset(prk, 0, SHA512_MAC_LEN);
2315 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2316 }
2317
2318 if (group == 19)
2319 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2320 os_strlen(info), sta->owe_pmk, hash_len);
2321 else if (group == 20)
2322 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2323 os_strlen(info), sta->owe_pmk, hash_len);
2324 else if (group == 21)
2325 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2326 os_strlen(info), sta->owe_pmk, hash_len);
2327 os_memset(prk, 0, SHA512_MAC_LEN);
2328 if (res < 0) {
2329 os_free(sta->owe_pmk);
2330 sta->owe_pmk = NULL;
2331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2332 }
2333 sta->owe_pmk_len = hash_len;
2334
2335 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2336 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2337 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2338 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2339
2340 return WLAN_STATUS_SUCCESS;
2341 }
2342
2343 #endif /* CONFIG_OWE */
2344
2345
2346 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2347 const u8 *ies, size_t ies_len, int reassoc)
2348 {
2349 struct ieee802_11_elems elems;
2350 u16 resp;
2351 const u8 *wpa_ie;
2352 size_t wpa_ie_len;
2353 const u8 *p2p_dev_addr = NULL;
2354
2355 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2356 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2357 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2358 "association request");
2359 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2360 }
2361
2362 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2363 if (resp != WLAN_STATUS_SUCCESS)
2364 return resp;
2365 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2366 if (resp != WLAN_STATUS_SUCCESS)
2367 return resp;
2368 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2369 if (resp != WLAN_STATUS_SUCCESS)
2370 return resp;
2371 resp = copy_supp_rates(hapd, sta, &elems);
2372 if (resp != WLAN_STATUS_SUCCESS)
2373 return resp;
2374 #ifdef CONFIG_IEEE80211N
2375 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2376 if (resp != WLAN_STATUS_SUCCESS)
2377 return resp;
2378 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2379 !(sta->flags & WLAN_STA_HT)) {
2380 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2381 HOSTAPD_LEVEL_INFO, "Station does not support "
2382 "mandatory HT PHY - reject association");
2383 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2384 }
2385 #endif /* CONFIG_IEEE80211N */
2386
2387 #ifdef CONFIG_IEEE80211AC
2388 if (hapd->iconf->ieee80211ac) {
2389 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2390 if (resp != WLAN_STATUS_SUCCESS)
2391 return resp;
2392
2393 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2394 if (resp != WLAN_STATUS_SUCCESS)
2395 return resp;
2396 }
2397
2398 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2399 !(sta->flags & WLAN_STA_VHT)) {
2400 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2401 HOSTAPD_LEVEL_INFO, "Station does not support "
2402 "mandatory VHT PHY - reject association");
2403 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2404 }
2405
2406 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2407 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2408 elems.vendor_vht_len);
2409 if (resp != WLAN_STATUS_SUCCESS)
2410 return resp;
2411 }
2412 #endif /* CONFIG_IEEE80211AC */
2413
2414 #ifdef CONFIG_P2P
2415 if (elems.p2p) {
2416 wpabuf_free(sta->p2p_ie);
2417 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2418 P2P_IE_VENDOR_TYPE);
2419 if (sta->p2p_ie)
2420 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2421 } else {
2422 wpabuf_free(sta->p2p_ie);
2423 sta->p2p_ie = NULL;
2424 }
2425 #endif /* CONFIG_P2P */
2426
2427 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2428 wpa_ie = elems.rsn_ie;
2429 wpa_ie_len = elems.rsn_ie_len;
2430 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2431 elems.wpa_ie) {
2432 wpa_ie = elems.wpa_ie;
2433 wpa_ie_len = elems.wpa_ie_len;
2434 } else {
2435 wpa_ie = NULL;
2436 wpa_ie_len = 0;
2437 }
2438
2439 #ifdef CONFIG_WPS
2440 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2441 if (hapd->conf->wps_state && elems.wps_ie) {
2442 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2443 "Request - assume WPS is used");
2444 sta->flags |= WLAN_STA_WPS;
2445 wpabuf_free(sta->wps_ie);
2446 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2447 WPS_IE_VENDOR_TYPE);
2448 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2449 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2450 sta->flags |= WLAN_STA_WPS2;
2451 }
2452 wpa_ie = NULL;
2453 wpa_ie_len = 0;
2454 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2455 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2456 "(Re)Association Request - reject");
2457 return WLAN_STATUS_INVALID_IE;
2458 }
2459 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
2460 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2461 "(Re)Association Request - possible WPS use");
2462 sta->flags |= WLAN_STA_MAYBE_WPS;
2463 } else
2464 #endif /* CONFIG_WPS */
2465 if (hapd->conf->wpa && wpa_ie == NULL) {
2466 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2467 HOSTAPD_LEVEL_INFO,
2468 "No WPA/RSN IE in association request");
2469 return WLAN_STATUS_INVALID_IE;
2470 }
2471
2472 if (hapd->conf->wpa && wpa_ie) {
2473 int res;
2474 wpa_ie -= 2;
2475 wpa_ie_len += 2;
2476 if (sta->wpa_sm == NULL)
2477 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2478 sta->addr,
2479 p2p_dev_addr);
2480 if (sta->wpa_sm == NULL) {
2481 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2482 "state machine");
2483 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2484 }
2485 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2486 wpa_ie, wpa_ie_len,
2487 elems.mdie, elems.mdie_len,
2488 elems.owe_dh, elems.owe_dh_len);
2489 resp = wpa_res_to_status_code(res);
2490 if (resp != WLAN_STATUS_SUCCESS)
2491 return resp;
2492 #ifdef CONFIG_IEEE80211W
2493 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2494 sta->sa_query_count > 0)
2495 ap_check_sa_query_timeout(hapd, sta);
2496 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2497 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2498 /*
2499 * STA has already been associated with MFP and SA
2500 * Query timeout has not been reached. Reject the
2501 * association attempt temporarily and start SA Query,
2502 * if one is not pending.
2503 */
2504
2505 if (sta->sa_query_count == 0)
2506 ap_sta_start_sa_query(hapd, sta);
2507
2508 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2509 }
2510
2511 if (wpa_auth_uses_mfp(sta->wpa_sm))
2512 sta->flags |= WLAN_STA_MFP;
2513 else
2514 sta->flags &= ~WLAN_STA_MFP;
2515 #endif /* CONFIG_IEEE80211W */
2516
2517 #ifdef CONFIG_IEEE80211R_AP
2518 if (sta->auth_alg == WLAN_AUTH_FT) {
2519 if (!reassoc) {
2520 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2521 "to use association (not "
2522 "re-association) with FT auth_alg",
2523 MAC2STR(sta->addr));
2524 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2525 }
2526
2527 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2528 ies_len);
2529 if (resp != WLAN_STATUS_SUCCESS)
2530 return resp;
2531 }
2532 #endif /* CONFIG_IEEE80211R_AP */
2533
2534 #ifdef CONFIG_SAE
2535 if (wpa_auth_uses_sae(sta->wpa_sm) &&
2536 sta->auth_alg == WLAN_AUTH_OPEN) {
2537 struct rsn_pmksa_cache_entry *sa;
2538 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
2539 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
2540 wpa_printf(MSG_DEBUG,
2541 "SAE: No PMKSA cache entry found for "
2542 MACSTR, MAC2STR(sta->addr));
2543 return WLAN_STATUS_INVALID_PMKID;
2544 }
2545 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
2546 " using PMKSA caching", MAC2STR(sta->addr));
2547 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
2548 sta->auth_alg != WLAN_AUTH_SAE &&
2549 !(sta->auth_alg == WLAN_AUTH_FT &&
2550 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
2551 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
2552 "SAE AKM after non-SAE auth_alg %u",
2553 MAC2STR(sta->addr), sta->auth_alg);
2554 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2555 }
2556 #endif /* CONFIG_SAE */
2557
2558 #ifdef CONFIG_OWE
2559 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2560 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
2561 elems.owe_dh) {
2562 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
2563 elems.owe_dh_len);
2564 if (resp != WLAN_STATUS_SUCCESS)
2565 return resp;
2566 }
2567 #endif /* CONFIG_OWE */
2568
2569 #ifdef CONFIG_IEEE80211N
2570 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
2571 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
2572 hostapd_logger(hapd, sta->addr,
2573 HOSTAPD_MODULE_IEEE80211,
2574 HOSTAPD_LEVEL_INFO,
2575 "Station tried to use TKIP with HT "
2576 "association");
2577 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
2578 }
2579 #endif /* CONFIG_IEEE80211N */
2580 #ifdef CONFIG_HS20
2581 } else if (hapd->conf->osen) {
2582 if (elems.osen == NULL) {
2583 hostapd_logger(
2584 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2585 HOSTAPD_LEVEL_INFO,
2586 "No HS 2.0 OSEN element in association request");
2587 return WLAN_STATUS_INVALID_IE;
2588 }
2589
2590 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
2591 if (sta->wpa_sm == NULL)
2592 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2593 sta->addr, NULL);
2594 if (sta->wpa_sm == NULL) {
2595 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2596 "state machine");
2597 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2598 }
2599 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
2600 elems.osen - 2, elems.osen_len + 2) < 0)
2601 return WLAN_STATUS_INVALID_IE;
2602 #endif /* CONFIG_HS20 */
2603 } else
2604 wpa_auth_sta_no_wpa(sta->wpa_sm);
2605
2606 #ifdef CONFIG_P2P
2607 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
2608 #endif /* CONFIG_P2P */
2609
2610 #ifdef CONFIG_HS20
2611 wpabuf_free(sta->hs20_ie);
2612 if (elems.hs20 && elems.hs20_len > 4) {
2613 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
2614 elems.hs20_len - 4);
2615 } else
2616 sta->hs20_ie = NULL;
2617 #endif /* CONFIG_HS20 */
2618
2619 #ifdef CONFIG_FST
2620 wpabuf_free(sta->mb_ies);
2621 if (hapd->iface->fst)
2622 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
2623 else
2624 sta->mb_ies = NULL;
2625 #endif /* CONFIG_FST */
2626
2627 #ifdef CONFIG_MBO
2628 mbo_ap_check_sta_assoc(hapd, sta, &elems);
2629
2630 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
2631 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
2632 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2633 wpa_printf(MSG_INFO,
2634 "MBO: Reject WPA2 association without PMF");
2635 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2636 }
2637 #endif /* CONFIG_MBO */
2638
2639 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
2640 elems.supp_op_classes_len);
2641
2642 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
2643 elems.rrm_enabled &&
2644 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
2645 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
2646 sizeof(sta->rrm_enabled_capa));
2647
2648 if (elems.power_capab) {
2649 sta->min_tx_power = elems.power_capab[0];
2650 sta->max_tx_power = elems.power_capab[1];
2651 sta->power_capab = 1;
2652 } else {
2653 sta->power_capab = 0;
2654 }
2655
2656 return WLAN_STATUS_SUCCESS;
2657 }
2658
2659
2660 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
2661 u16 reason_code)
2662 {
2663 int send_len;
2664 struct ieee80211_mgmt reply;
2665
2666 os_memset(&reply, 0, sizeof(reply));
2667 reply.frame_control =
2668 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
2669 os_memcpy(reply.da, addr, ETH_ALEN);
2670 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
2671 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
2672
2673 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
2674 reply.u.deauth.reason_code = host_to_le16(reason_code);
2675
2676 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
2677 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
2678 strerror(errno));
2679 }
2680
2681
2682 static int add_associated_sta(struct hostapd_data *hapd,
2683 struct sta_info *sta)
2684 {
2685 struct ieee80211_ht_capabilities ht_cap;
2686 struct ieee80211_vht_capabilities vht_cap;
2687 int set = 1;
2688
2689 /*
2690 * Remove the STA entry to ensure the STA PS state gets cleared and
2691 * configuration gets updated. This is relevant for cases, such as
2692 * FT-over-the-DS, where a station re-associates back to the same AP but
2693 * skips the authentication flow, or if working with a driver that
2694 * does not support full AP client state.
2695 *
2696 * Skip this if the STA has already completed FT reassociation and the
2697 * TK has been configured since the TX/RX PN must not be reset to 0 for
2698 * the same key.
2699 */
2700 if (!sta->added_unassoc &&
2701 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
2702 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
2703 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
2704 hostapd_drv_sta_remove(hapd, sta->addr);
2705 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
2706 set = 0;
2707 }
2708
2709 #ifdef CONFIG_IEEE80211N
2710 if (sta->flags & WLAN_STA_HT)
2711 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
2712 #endif /* CONFIG_IEEE80211N */
2713 #ifdef CONFIG_IEEE80211AC
2714 if (sta->flags & WLAN_STA_VHT)
2715 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
2716 #endif /* CONFIG_IEEE80211AC */
2717
2718 /*
2719 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
2720 * will be set when the ACK frame for the (Re)Association Response frame
2721 * is processed (TX status driver event).
2722 */
2723 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
2724 sta->supported_rates, sta->supported_rates_len,
2725 sta->listen_interval,
2726 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
2727 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
2728 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
2729 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
2730 set)) {
2731 hostapd_logger(hapd, sta->addr,
2732 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
2733 "Could not %s STA to kernel driver",
2734 set ? "set" : "add");
2735
2736 if (sta->added_unassoc) {
2737 hostapd_drv_sta_remove(hapd, sta->addr);
2738 sta->added_unassoc = 0;
2739 }
2740
2741 return -1;
2742 }
2743
2744 sta->added_unassoc = 0;
2745
2746 return 0;
2747 }
2748
2749
2750 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
2751 const u8 *addr, u16 status_code, int reassoc,
2752 const u8 *ies, size_t ies_len)
2753 {
2754 int send_len;
2755 u8 *buf;
2756 size_t buflen;
2757 struct ieee80211_mgmt *reply;
2758 u8 *p;
2759 u16 res = WLAN_STATUS_SUCCESS;
2760
2761 buflen = sizeof(struct ieee80211_mgmt) + 1024;
2762 #ifdef CONFIG_FILS
2763 if (sta && sta->fils_hlp_resp)
2764 buflen += wpabuf_len(sta->fils_hlp_resp);
2765 #endif /* CONFIG_FILS */
2766 #ifdef CONFIG_OWE
2767 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2768 buflen += 150;
2769 #endif /* CONFIG_OWE */
2770 buf = os_zalloc(buflen);
2771 if (!buf) {
2772 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2773 goto done;
2774 }
2775 reply = (struct ieee80211_mgmt *) buf;
2776 reply->frame_control =
2777 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
2778 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
2779 WLAN_FC_STYPE_ASSOC_RESP));
2780 os_memcpy(reply->da, addr, ETH_ALEN);
2781 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
2782 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
2783
2784 send_len = IEEE80211_HDRLEN;
2785 send_len += sizeof(reply->u.assoc_resp);
2786 reply->u.assoc_resp.capab_info =
2787 host_to_le16(hostapd_own_capab_info(hapd));
2788 reply->u.assoc_resp.status_code = host_to_le16(status_code);
2789
2790 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
2791 BIT(14) | BIT(15));
2792 /* Supported rates */
2793 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
2794 /* Extended supported rates */
2795 p = hostapd_eid_ext_supp_rates(hapd, p);
2796
2797 #ifdef CONFIG_IEEE80211R_AP
2798 if (sta && status_code == WLAN_STATUS_SUCCESS) {
2799 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
2800 * Transition Information, RSN, [RIC Response] */
2801 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
2802 buf + buflen - p,
2803 sta->auth_alg, ies, ies_len);
2804 }
2805 #endif /* CONFIG_IEEE80211R_AP */
2806
2807 #ifdef CONFIG_OWE
2808 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2809 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
2810 buf + buflen - p,
2811 ies, ies_len);
2812 #endif /* CONFIG_OWE */
2813
2814 #ifdef CONFIG_IEEE80211W
2815 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
2816 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
2817 #endif /* CONFIG_IEEE80211W */
2818
2819 #ifdef CONFIG_IEEE80211N
2820 p = hostapd_eid_ht_capabilities(hapd, p);
2821 p = hostapd_eid_ht_operation(hapd, p);
2822 #endif /* CONFIG_IEEE80211N */
2823
2824 #ifdef CONFIG_IEEE80211AC
2825 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
2826 u32 nsts = 0, sta_nsts;
2827
2828 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
2829 struct ieee80211_vht_capabilities *capa;
2830
2831 nsts = (hapd->iface->conf->vht_capab >>
2832 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2833 capa = sta->vht_capabilities;
2834 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
2835 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2836
2837 if (nsts < sta_nsts)
2838 nsts = 0;
2839 else
2840 nsts = sta_nsts;
2841 }
2842 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
2843 p = hostapd_eid_vht_operation(hapd, p);
2844 }
2845 #endif /* CONFIG_IEEE80211AC */
2846
2847 p = hostapd_eid_ext_capab(hapd, p);
2848 p = hostapd_eid_bss_max_idle_period(hapd, p);
2849 if (sta && sta->qos_map_enabled)
2850 p = hostapd_eid_qos_map_set(hapd, p);
2851
2852 #ifdef CONFIG_FST
2853 if (hapd->iface->fst_ies) {
2854 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
2855 wpabuf_len(hapd->iface->fst_ies));
2856 p += wpabuf_len(hapd->iface->fst_ies);
2857 }
2858 #endif /* CONFIG_FST */
2859
2860 #ifdef CONFIG_IEEE80211AC
2861 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
2862 p = hostapd_eid_vendor_vht(hapd, p);
2863 #endif /* CONFIG_IEEE80211AC */
2864
2865 if (sta && (sta->flags & WLAN_STA_WMM))
2866 p = hostapd_eid_wmm(hapd, p);
2867
2868 #ifdef CONFIG_WPS
2869 if (sta &&
2870 ((sta->flags & WLAN_STA_WPS) ||
2871 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
2872 struct wpabuf *wps = wps_build_assoc_resp_ie();
2873 if (wps) {
2874 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
2875 p += wpabuf_len(wps);
2876 wpabuf_free(wps);
2877 }
2878 }
2879 #endif /* CONFIG_WPS */
2880
2881 #ifdef CONFIG_P2P
2882 if (sta && sta->p2p_ie && hapd->p2p_group) {
2883 struct wpabuf *p2p_resp_ie;
2884 enum p2p_status_code status;
2885 switch (status_code) {
2886 case WLAN_STATUS_SUCCESS:
2887 status = P2P_SC_SUCCESS;
2888 break;
2889 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
2890 status = P2P_SC_FAIL_LIMIT_REACHED;
2891 break;
2892 default:
2893 status = P2P_SC_FAIL_INVALID_PARAMS;
2894 break;
2895 }
2896 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
2897 if (p2p_resp_ie) {
2898 os_memcpy(p, wpabuf_head(p2p_resp_ie),
2899 wpabuf_len(p2p_resp_ie));
2900 p += wpabuf_len(p2p_resp_ie);
2901 wpabuf_free(p2p_resp_ie);
2902 }
2903 }
2904 #endif /* CONFIG_P2P */
2905
2906 #ifdef CONFIG_P2P_MANAGER
2907 if (hapd->conf->p2p & P2P_MANAGE)
2908 p = hostapd_eid_p2p_manage(hapd, p);
2909 #endif /* CONFIG_P2P_MANAGER */
2910
2911 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
2912
2913 if (hapd->conf->assocresp_elements &&
2914 (size_t) (buf + buflen - p) >=
2915 wpabuf_len(hapd->conf->assocresp_elements)) {
2916 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
2917 wpabuf_len(hapd->conf->assocresp_elements));
2918 p += wpabuf_len(hapd->conf->assocresp_elements);
2919 }
2920
2921 send_len += p - reply->u.assoc_resp.variable;
2922
2923 #ifdef CONFIG_FILS
2924 if (sta &&
2925 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
2926 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
2927 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
2928 status_code == WLAN_STATUS_SUCCESS) {
2929 struct ieee802_11_elems elems;
2930
2931 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
2932 ParseFailed || !elems.fils_session) {
2933 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2934 goto done;
2935 }
2936
2937 /* FILS Session */
2938 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2939 *p++ = 1 + FILS_SESSION_LEN; /* Length */
2940 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2941 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
2942 send_len += 2 + 1 + FILS_SESSION_LEN;
2943
2944 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
2945 buflen, sta->fils_hlp_resp);
2946 if (send_len < 0) {
2947 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2948 goto done;
2949 }
2950 }
2951 #endif /* CONFIG_FILS */
2952
2953 #ifdef CONFIG_OWE
2954 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2955 sta && sta->owe_ecdh &&
2956 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
2957 struct wpabuf *pub;
2958
2959 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2960 if (!pub) {
2961 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2962 goto done;
2963 }
2964 /* OWE Diffie-Hellman Parameter element */
2965 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2966 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
2967 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
2968 WPA_PUT_LE16(p, sta->owe_group);
2969 p += 2;
2970 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
2971 p += wpabuf_len(pub);
2972 send_len += 3 + 2 + wpabuf_len(pub);
2973 wpabuf_free(pub);
2974 }
2975 #endif /* CONFIG_OWE */
2976
2977 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
2978 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
2979 strerror(errno));
2980 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2981 }
2982
2983 done:
2984 os_free(buf);
2985 return res;
2986 }
2987
2988
2989 #ifdef CONFIG_OWE
2990 u8 * owe_auth_req_process(struct hostapd_data *hapd, struct sta_info *sta,
2991 const u8 *owe_dh, u8 owe_dh_len,
2992 u8 *owe_buf, u16 *reason)
2993 {
2994 struct wpabuf *pub;
2995
2996 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
2997 if (*reason != WLAN_STATUS_SUCCESS)
2998 return NULL;
2999 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3000 if (!pub) {
3001 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3002 return NULL;
3003 }
3004
3005 /* OWE Diffie-Hellman Parameter element */
3006 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3007 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3008 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3009 WPA_PUT_LE16(owe_buf, OWE_DH_GROUP);
3010 owe_buf += 2;
3011 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3012 owe_buf += wpabuf_len(pub);
3013 wpabuf_free(pub);
3014 *reason = WLAN_STATUS_SUCCESS;
3015 return owe_buf;
3016 }
3017 #endif /* CONFIG_OWE */
3018
3019
3020 #ifdef CONFIG_FILS
3021
3022 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3023 {
3024 u16 reply_res;
3025
3026 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3027 MAC2STR(sta->addr));
3028 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3029 if (!sta->fils_pending_assoc_req)
3030 return;
3031 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3032 sta->fils_pending_assoc_is_reassoc,
3033 sta->fils_pending_assoc_req,
3034 sta->fils_pending_assoc_req_len);
3035 os_free(sta->fils_pending_assoc_req);
3036 sta->fils_pending_assoc_req = NULL;
3037 sta->fils_pending_assoc_req_len = 0;
3038 wpabuf_free(sta->fils_hlp_resp);
3039 sta->fils_hlp_resp = NULL;
3040 wpabuf_free(sta->hlp_dhcp_discover);
3041 sta->hlp_dhcp_discover = NULL;
3042
3043 /*
3044 * Remove the station in case transmission of a success response fails.
3045 * At this point the station was already added associated to the driver.
3046 */
3047 if (reply_res != WLAN_STATUS_SUCCESS)
3048 hostapd_drv_sta_remove(hapd, sta->addr);
3049 }
3050
3051
3052 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3053 {
3054 struct hostapd_data *hapd = eloop_ctx;
3055 struct sta_info *sta = eloop_data;
3056
3057 wpa_printf(MSG_DEBUG,
3058 "FILS: HLP response timeout - continue with association response for "
3059 MACSTR, MAC2STR(sta->addr));
3060 if (sta->fils_drv_assoc_finish)
3061 hostapd_notify_assoc_fils_finish(hapd, sta);
3062 else
3063 fils_hlp_finish_assoc(hapd, sta);
3064 }
3065
3066 #endif /* CONFIG_FILS */
3067
3068
3069 static void handle_assoc(struct hostapd_data *hapd,
3070 const struct ieee80211_mgmt *mgmt, size_t len,
3071 int reassoc)
3072 {
3073 u16 capab_info, listen_interval, seq_ctrl, fc;
3074 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3075 const u8 *pos;
3076 int left, i;
3077 struct sta_info *sta;
3078 u8 *tmp = NULL;
3079 struct hostapd_sta_wpa_psk_short *psk = NULL;
3080 char *identity = NULL;
3081 char *radius_cui = NULL;
3082 #ifdef CONFIG_FILS
3083 int delay_assoc = 0;
3084 #endif /* CONFIG_FILS */
3085
3086 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3087 sizeof(mgmt->u.assoc_req))) {
3088 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3089 reassoc, (unsigned long) len);
3090 return;
3091 }
3092
3093 #ifdef CONFIG_TESTING_OPTIONS
3094 if (reassoc) {
3095 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3096 drand48() < hapd->iconf->ignore_reassoc_probability) {
3097 wpa_printf(MSG_INFO,
3098 "TESTING: ignoring reassoc request from "
3099 MACSTR, MAC2STR(mgmt->sa));
3100 return;
3101 }
3102 } else {
3103 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3104 drand48() < hapd->iconf->ignore_assoc_probability) {
3105 wpa_printf(MSG_INFO,
3106 "TESTING: ignoring assoc request from "
3107 MACSTR, MAC2STR(mgmt->sa));
3108 return;
3109 }
3110 }
3111 #endif /* CONFIG_TESTING_OPTIONS */
3112
3113 fc = le_to_host16(mgmt->frame_control);
3114 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3115
3116 if (reassoc) {
3117 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3118 listen_interval = le_to_host16(
3119 mgmt->u.reassoc_req.listen_interval);
3120 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3121 " capab_info=0x%02x listen_interval=%d current_ap="
3122 MACSTR " seq_ctrl=0x%x%s",
3123 MAC2STR(mgmt->sa), capab_info, listen_interval,
3124 MAC2STR(mgmt->u.reassoc_req.current_ap),
3125 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3126 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3127 pos = mgmt->u.reassoc_req.variable;
3128 } else {
3129 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3130 listen_interval = le_to_host16(
3131 mgmt->u.assoc_req.listen_interval);
3132 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3133 " capab_info=0x%02x listen_interval=%d "
3134 "seq_ctrl=0x%x%s",
3135 MAC2STR(mgmt->sa), capab_info, listen_interval,
3136 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3137 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3138 pos = mgmt->u.assoc_req.variable;
3139 }
3140
3141 sta = ap_get_sta(hapd, mgmt->sa);
3142 #ifdef CONFIG_IEEE80211R_AP
3143 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3144 (sta->flags & WLAN_STA_AUTH) == 0) {
3145 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3146 "prior to authentication since it is using "
3147 "over-the-DS FT", MAC2STR(mgmt->sa));
3148
3149 /*
3150 * Mark station as authenticated, to avoid adding station
3151 * entry in the driver as associated and not authenticated
3152 */
3153 sta->flags |= WLAN_STA_AUTH;
3154 } else
3155 #endif /* CONFIG_IEEE80211R_AP */
3156 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3157 if (hapd->iface->current_mode &&
3158 hapd->iface->current_mode->mode ==
3159 HOSTAPD_MODE_IEEE80211AD) {
3160 int acl_res;
3161 u32 session_timeout, acct_interim_interval;
3162 struct vlan_description vlan_id;
3163
3164 acl_res = ieee802_11_allowed_address(
3165 hapd, mgmt->sa, (const u8 *) mgmt, len,
3166 &session_timeout, &acct_interim_interval,
3167 &vlan_id, &psk, &identity, &radius_cui);
3168 if (acl_res == HOSTAPD_ACL_REJECT) {
3169 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3170 goto fail;
3171 }
3172 if (acl_res == HOSTAPD_ACL_PENDING)
3173 return;
3174
3175 /* DMG/IEEE 802.11ad does not use authentication.
3176 * Allocate sta entry upon association. */
3177 sta = ap_sta_add(hapd, mgmt->sa);
3178 if (!sta) {
3179 hostapd_logger(hapd, mgmt->sa,
3180 HOSTAPD_MODULE_IEEE80211,
3181 HOSTAPD_LEVEL_INFO,
3182 "Failed to add STA");
3183 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3184 goto fail;
3185 }
3186
3187 acl_res = ieee802_11_set_radius_info(
3188 hapd, sta, acl_res, session_timeout,
3189 acct_interim_interval, &vlan_id, &psk,
3190 &identity, &radius_cui);
3191 if (acl_res) {
3192 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3193 goto fail;
3194 }
3195
3196 hostapd_logger(hapd, sta->addr,
3197 HOSTAPD_MODULE_IEEE80211,
3198 HOSTAPD_LEVEL_DEBUG,
3199 "Skip authentication for DMG/IEEE 802.11ad");
3200 sta->flags |= WLAN_STA_AUTH;
3201 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3202 sta->auth_alg = WLAN_AUTH_OPEN;
3203 } else {
3204 hostapd_logger(hapd, mgmt->sa,
3205 HOSTAPD_MODULE_IEEE80211,
3206 HOSTAPD_LEVEL_INFO,
3207 "Station tried to associate before authentication (aid=%d flags=0x%x)",
3208 sta ? sta->aid : -1,
3209 sta ? sta->flags : 0);
3210 send_deauth(hapd, mgmt->sa,
3211 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3212 return;
3213 }
3214 }
3215
3216 if ((fc & WLAN_FC_RETRY) &&
3217 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3218 sta->last_seq_ctrl == seq_ctrl &&
3219 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3220 WLAN_FC_STYPE_ASSOC_REQ)) {
3221 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3222 HOSTAPD_LEVEL_DEBUG,
3223 "Drop repeated association frame seq_ctrl=0x%x",
3224 seq_ctrl);
3225 return;
3226 }
3227 sta->last_seq_ctrl = seq_ctrl;
3228 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3229 WLAN_FC_STYPE_ASSOC_REQ;
3230
3231 if (hapd->tkip_countermeasures) {
3232 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3233 goto fail;
3234 }
3235
3236 if (listen_interval > hapd->conf->max_listen_interval) {
3237 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3238 HOSTAPD_LEVEL_DEBUG,
3239 "Too large Listen Interval (%d)",
3240 listen_interval);
3241 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3242 goto fail;
3243 }
3244
3245 #ifdef CONFIG_MBO
3246 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3247 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3248 goto fail;
3249 }
3250 #endif /* CONFIG_MBO */
3251
3252 /*
3253 * sta->capability is used in check_assoc_ies() for RRM enabled
3254 * capability element.
3255 */
3256 sta->capability = capab_info;
3257
3258 #ifdef CONFIG_FILS
3259 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3260 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3261 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3262 int res;
3263
3264 /* The end of the payload is encrypted. Need to decrypt it
3265 * before parsing. */
3266
3267 tmp = os_memdup(pos, left);
3268 if (!tmp) {
3269 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3270 goto fail;
3271 }
3272
3273 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3274 len, tmp, left);
3275 if (res < 0) {
3276 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3277 goto fail;
3278 }
3279 pos = tmp;
3280 left = res;
3281 }
3282 #endif /* CONFIG_FILS */
3283
3284 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
3285 * is used */
3286 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3287 if (resp != WLAN_STATUS_SUCCESS)
3288 goto fail;
3289
3290 if (hostapd_get_aid(hapd, sta) < 0) {
3291 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3292 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3293 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3294 goto fail;
3295 }
3296
3297 sta->listen_interval = listen_interval;
3298
3299 if (hapd->iface->current_mode &&
3300 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3301 sta->flags |= WLAN_STA_NONERP;
3302 for (i = 0; i < sta->supported_rates_len; i++) {
3303 if ((sta->supported_rates[i] & 0x7f) > 22) {
3304 sta->flags &= ~WLAN_STA_NONERP;
3305 break;
3306 }
3307 }
3308 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3309 sta->nonerp_set = 1;
3310 hapd->iface->num_sta_non_erp++;
3311 if (hapd->iface->num_sta_non_erp == 1)
3312 ieee802_11_set_beacons(hapd->iface);
3313 }
3314
3315 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3316 !sta->no_short_slot_time_set) {
3317 sta->no_short_slot_time_set = 1;
3318 hapd->iface->num_sta_no_short_slot_time++;
3319 if (hapd->iface->current_mode &&
3320 hapd->iface->current_mode->mode ==
3321 HOSTAPD_MODE_IEEE80211G &&
3322 hapd->iface->num_sta_no_short_slot_time == 1)
3323 ieee802_11_set_beacons(hapd->iface);
3324 }
3325
3326 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3327 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3328 else
3329 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3330
3331 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3332 !sta->no_short_preamble_set) {
3333 sta->no_short_preamble_set = 1;
3334 hapd->iface->num_sta_no_short_preamble++;
3335 if (hapd->iface->current_mode &&
3336 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3337 && hapd->iface->num_sta_no_short_preamble == 1)
3338 ieee802_11_set_beacons(hapd->iface);
3339 }
3340
3341 #ifdef CONFIG_IEEE80211N
3342 update_ht_state(hapd, sta);
3343 #endif /* CONFIG_IEEE80211N */
3344
3345 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3346 HOSTAPD_LEVEL_DEBUG,
3347 "association OK (aid %d)", sta->aid);
3348 /* Station will be marked associated, after it acknowledges AssocResp
3349 */
3350 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3351
3352 #ifdef CONFIG_IEEE80211W
3353 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3354 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3355 "SA Query procedure", reassoc ? "re" : "");
3356 /* TODO: Send a protected Disassociate frame to the STA using
3357 * the old key and Reason Code "Previous Authentication no
3358 * longer valid". Make sure this is only sent protected since
3359 * unprotected frame would be received by the STA that is now
3360 * trying to associate.
3361 */
3362 }
3363 #endif /* CONFIG_IEEE80211W */
3364
3365 /* Make sure that the previously registered inactivity timer will not
3366 * remove the STA immediately. */
3367 sta->timeout_next = STA_NULLFUNC;
3368
3369 #ifdef CONFIG_TAXONOMY
3370 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
3371 #endif /* CONFIG_TAXONOMY */
3372
3373 sta->pending_wds_enable = 0;
3374
3375 #ifdef CONFIG_FILS
3376 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3377 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3378 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3379 if (fils_process_hlp(hapd, sta, pos, left) > 0)
3380 delay_assoc = 1;
3381 }
3382 #endif /* CONFIG_FILS */
3383
3384 fail:
3385 os_free(identity);
3386 os_free(radius_cui);
3387 hostapd_free_psk_list(psk);
3388
3389 /*
3390 * In case of a successful response, add the station to the driver.
3391 * Otherwise, the kernel may ignore Data frames before we process the
3392 * ACK frame (TX status). In case of a failure, this station will be
3393 * removed.
3394 *
3395 * Note that this is not compliant with the IEEE 802.11 standard that
3396 * states that a non-AP station should transition into the
3397 * authenticated/associated state only after the station acknowledges
3398 * the (Re)Association Response frame. However, still do this as:
3399 *
3400 * 1. In case the station does not acknowledge the (Re)Association
3401 * Response frame, it will be removed.
3402 * 2. Data frames will be dropped in the kernel until the station is
3403 * set into authorized state, and there are no significant known
3404 * issues with processing other non-Data Class 3 frames during this
3405 * window.
3406 */
3407 if (resp == WLAN_STATUS_SUCCESS && sta && add_associated_sta(hapd, sta))
3408 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3409
3410 #ifdef CONFIG_FILS
3411 if (sta) {
3412 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3413 os_free(sta->fils_pending_assoc_req);
3414 sta->fils_pending_assoc_req = NULL;
3415 sta->fils_pending_assoc_req_len = 0;
3416 wpabuf_free(sta->fils_hlp_resp);
3417 sta->fils_hlp_resp = NULL;
3418 }
3419 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
3420 sta->fils_pending_assoc_req = tmp;
3421 sta->fils_pending_assoc_req_len = left;
3422 sta->fils_pending_assoc_is_reassoc = reassoc;
3423 sta->fils_drv_assoc_finish = 0;
3424 wpa_printf(MSG_DEBUG,
3425 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
3426 MACSTR, MAC2STR(sta->addr));
3427 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3428 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
3429 fils_hlp_timeout, hapd, sta);
3430 return;
3431 }
3432 #endif /* CONFIG_FILS */
3433
3434 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
3435 left);
3436 os_free(tmp);
3437
3438 /*
3439 * Remove the station in case tranmission of a success response fails
3440 * (the STA was added associated to the driver) or if the station was
3441 * previously added unassociated.
3442 */
3443 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
3444 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
3445 hostapd_drv_sta_remove(hapd, sta->addr);
3446 sta->added_unassoc = 0;
3447 }
3448 }
3449
3450
3451 static void handle_disassoc(struct hostapd_data *hapd,
3452 const struct ieee80211_mgmt *mgmt, size_t len)
3453 {
3454 struct sta_info *sta;
3455
3456 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
3457 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
3458 (unsigned long) len);
3459 return;
3460 }
3461
3462 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
3463 MAC2STR(mgmt->sa),
3464 le_to_host16(mgmt->u.disassoc.reason_code));
3465
3466 sta = ap_get_sta(hapd, mgmt->sa);
3467 if (sta == NULL) {
3468 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
3469 MAC2STR(mgmt->sa));
3470 return;
3471 }
3472
3473 ap_sta_set_authorized(hapd, sta, 0);
3474 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3475 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
3476 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
3477 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3478 HOSTAPD_LEVEL_INFO, "disassociated");
3479 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3480 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3481 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
3482 * authenticated. */
3483 accounting_sta_stop(hapd, sta);
3484 ieee802_1x_free_station(hapd, sta);
3485 if (sta->ipaddr)
3486 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
3487 ap_sta_ip6addr_del(hapd, sta);
3488 hostapd_drv_sta_remove(hapd, sta->addr);
3489 sta->added_unassoc = 0;
3490
3491 if (sta->timeout_next == STA_NULLFUNC ||
3492 sta->timeout_next == STA_DISASSOC) {
3493 sta->timeout_next = STA_DEAUTH;
3494 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
3495 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
3496 hapd, sta);
3497 }
3498
3499 mlme_disassociate_indication(
3500 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
3501
3502 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
3503 * disassociation. */
3504 if (hapd->iface->current_mode &&
3505 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
3506 sta->flags &= ~WLAN_STA_AUTH;
3507 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3508 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3509 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3510 ap_free_sta(hapd, sta);
3511 }
3512 }
3513
3514
3515 static void handle_deauth(struct hostapd_data *hapd,
3516 const struct ieee80211_mgmt *mgmt, size_t len)
3517 {
3518 struct sta_info *sta;
3519
3520 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
3521 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
3522 "payload (len=%lu)", (unsigned long) len);
3523 return;
3524 }
3525
3526 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
3527 " reason_code=%d",
3528 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
3529
3530 sta = ap_get_sta(hapd, mgmt->sa);
3531 if (sta == NULL) {
3532 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
3533 "to deauthenticate, but it is not authenticated",
3534 MAC2STR(mgmt->sa));
3535 return;
3536 }
3537
3538 ap_sta_set_authorized(hapd, sta, 0);
3539 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3540 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
3541 WLAN_STA_ASSOC_REQ_OK);
3542 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3543 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3544 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3545 mlme_deauthenticate_indication(
3546 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
3547 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3548 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3549 ap_free_sta(hapd, sta);
3550 }
3551
3552
3553 static void handle_beacon(struct hostapd_data *hapd,
3554 const struct ieee80211_mgmt *mgmt, size_t len,
3555 struct hostapd_frame_info *fi)
3556 {
3557 struct ieee802_11_elems elems;
3558
3559 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
3560 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
3561 (unsigned long) len);
3562 return;
3563 }
3564
3565 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
3566 len - (IEEE80211_HDRLEN +
3567 sizeof(mgmt->u.beacon)), &elems,
3568 0);
3569
3570 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
3571 }
3572
3573
3574 #ifdef CONFIG_IEEE80211W
3575
3576 static int hostapd_sa_query_action(struct hostapd_data *hapd,
3577 const struct ieee80211_mgmt *mgmt,
3578 size_t len)
3579 {
3580 const u8 *end;
3581
3582 end = mgmt->u.action.u.sa_query_resp.trans_id +
3583 WLAN_SA_QUERY_TR_ID_LEN;
3584 if (((u8 *) mgmt) + len < end) {
3585 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
3586 "frame (len=%lu)", (unsigned long) len);
3587 return 0;
3588 }
3589
3590 ieee802_11_sa_query_action(hapd, mgmt->sa,
3591 mgmt->u.action.u.sa_query_resp.action,
3592 mgmt->u.action.u.sa_query_resp.trans_id);
3593 return 1;
3594 }
3595
3596
3597 static int robust_action_frame(u8 category)
3598 {
3599 return category != WLAN_ACTION_PUBLIC &&
3600 category != WLAN_ACTION_HT;
3601 }
3602 #endif /* CONFIG_IEEE80211W */
3603
3604
3605 static int handle_action(struct hostapd_data *hapd,
3606 const struct ieee80211_mgmt *mgmt, size_t len)
3607 {
3608 struct sta_info *sta;
3609 sta = ap_get_sta(hapd, mgmt->sa);
3610
3611 if (len < IEEE80211_HDRLEN + 1) {
3612 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3613 HOSTAPD_LEVEL_DEBUG,
3614 "handle_action - too short payload (len=%lu)",
3615 (unsigned long) len);
3616 return 0;
3617 }
3618
3619 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
3620 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
3621 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
3622 "frame (category=%u) from unassociated STA " MACSTR,
3623 mgmt->u.action.category, MAC2STR(mgmt->sa));
3624 return 0;
3625 }
3626
3627 #ifdef CONFIG_IEEE80211W
3628 if (sta && (sta->flags & WLAN_STA_MFP) &&
3629 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
3630 robust_action_frame(mgmt->u.action.category)) {
3631 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3632 HOSTAPD_LEVEL_DEBUG,
3633 "Dropped unprotected Robust Action frame from "
3634 "an MFP STA");
3635 return 0;
3636 }
3637 #endif /* CONFIG_IEEE80211W */
3638
3639 if (sta) {
3640 u16 fc = le_to_host16(mgmt->frame_control);
3641 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3642
3643 if ((fc & WLAN_FC_RETRY) &&
3644 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3645 sta->last_seq_ctrl == seq_ctrl &&
3646 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
3647 hostapd_logger(hapd, sta->addr,
3648 HOSTAPD_MODULE_IEEE80211,
3649 HOSTAPD_LEVEL_DEBUG,
3650 "Drop repeated action frame seq_ctrl=0x%x",
3651 seq_ctrl);
3652 return 1;
3653 }
3654
3655 sta->last_seq_ctrl = seq_ctrl;
3656 sta->last_subtype = WLAN_FC_STYPE_ACTION;
3657 }
3658
3659 switch (mgmt->u.action.category) {
3660 #ifdef CONFIG_IEEE80211R_AP
3661 case WLAN_ACTION_FT:
3662 if (!sta ||
3663 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
3664 len - IEEE80211_HDRLEN))
3665 break;
3666 return 1;
3667 #endif /* CONFIG_IEEE80211R_AP */
3668 case WLAN_ACTION_WMM:
3669 hostapd_wmm_action(hapd, mgmt, len);
3670 return 1;
3671 #ifdef CONFIG_IEEE80211W
3672 case WLAN_ACTION_SA_QUERY:
3673 return hostapd_sa_query_action(hapd, mgmt, len);
3674 #endif /* CONFIG_IEEE80211W */
3675 #ifdef CONFIG_WNM_AP
3676 case WLAN_ACTION_WNM:
3677 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
3678 return 1;
3679 #endif /* CONFIG_WNM_AP */
3680 #ifdef CONFIG_FST
3681 case WLAN_ACTION_FST:
3682 if (hapd->iface->fst)
3683 fst_rx_action(hapd->iface->fst, mgmt, len);
3684 else
3685 wpa_printf(MSG_DEBUG,
3686 "FST: Ignore FST Action frame - no FST attached");
3687 return 1;
3688 #endif /* CONFIG_FST */
3689 case WLAN_ACTION_PUBLIC:
3690 case WLAN_ACTION_PROTECTED_DUAL:
3691 #ifdef CONFIG_IEEE80211N
3692 if (len >= IEEE80211_HDRLEN + 2 &&
3693 mgmt->u.action.u.public_action.action ==
3694 WLAN_PA_20_40_BSS_COEX) {
3695 wpa_printf(MSG_DEBUG,
3696 "HT20/40 coex mgmt frame received from STA "
3697 MACSTR, MAC2STR(mgmt->sa));
3698 hostapd_2040_coex_action(hapd, mgmt, len);
3699 return 1;
3700 }
3701 #endif /* CONFIG_IEEE80211N */
3702 #ifdef CONFIG_DPP
3703 if (len >= IEEE80211_HDRLEN + 6 &&
3704 mgmt->u.action.u.vs_public_action.action ==
3705 WLAN_PA_VENDOR_SPECIFIC &&
3706 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
3707 OUI_WFA &&
3708 mgmt->u.action.u.vs_public_action.variable[0] ==
3709 DPP_OUI_TYPE) {
3710 const u8 *pos, *end;
3711
3712 pos = mgmt->u.action.u.vs_public_action.oui;
3713 end = ((const u8 *) mgmt) + len;
3714 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
3715 hapd->iface->freq);
3716 return 1;
3717 }
3718 if (len >= IEEE80211_HDRLEN + 2 &&
3719 (mgmt->u.action.u.public_action.action ==
3720 WLAN_PA_GAS_INITIAL_RESP ||
3721 mgmt->u.action.u.public_action.action ==
3722 WLAN_PA_GAS_COMEBACK_RESP)) {
3723 const u8 *pos, *end;
3724
3725 pos = &mgmt->u.action.u.public_action.action;
3726 end = ((const u8 *) mgmt) + len;
3727 gas_query_ap_rx(hapd->gas, mgmt->sa,
3728 mgmt->u.action.category,
3729 pos, end - pos, hapd->iface->freq);
3730 return 1;
3731 }
3732 #endif /* CONFIG_DPP */
3733 if (hapd->public_action_cb) {
3734 hapd->public_action_cb(hapd->public_action_cb_ctx,
3735 (u8 *) mgmt, len,
3736 hapd->iface->freq);
3737 }
3738 if (hapd->public_action_cb2) {
3739 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
3740 (u8 *) mgmt, len,
3741 hapd->iface->freq);
3742 }
3743 if (hapd->public_action_cb || hapd->public_action_cb2)
3744 return 1;
3745 break;
3746 case WLAN_ACTION_VENDOR_SPECIFIC:
3747 if (hapd->vendor_action_cb) {
3748 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
3749 (u8 *) mgmt, len,
3750 hapd->iface->freq) == 0)
3751 return 1;
3752 }
3753 break;
3754 case WLAN_ACTION_RADIO_MEASUREMENT:
3755 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
3756 return 1;
3757 }
3758
3759 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3760 HOSTAPD_LEVEL_DEBUG,
3761 "handle_action - unknown action category %d or invalid "
3762 "frame",
3763 mgmt->u.action.category);
3764 if (!is_multicast_ether_addr(mgmt->da) &&
3765 !(mgmt->u.action.category & 0x80) &&
3766 !is_multicast_ether_addr(mgmt->sa)) {
3767 struct ieee80211_mgmt *resp;
3768
3769 /*
3770 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
3771 * Return the Action frame to the source without change
3772 * except that MSB of the Category set to 1.
3773 */
3774 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
3775 "frame back to sender");
3776 resp = os_memdup(mgmt, len);
3777 if (resp == NULL)
3778 return 0;
3779 os_memcpy(resp->da, resp->sa, ETH_ALEN);
3780 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
3781 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
3782 resp->u.action.category |= 0x80;
3783
3784 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
3785 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
3786 "Action frame");
3787 }
3788 os_free(resp);
3789 }
3790
3791 return 1;
3792 }
3793
3794
3795 /**
3796 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
3797 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
3798 * sent to)
3799 * @buf: management frame data (starting from IEEE 802.11 header)
3800 * @len: length of frame data in octets
3801 * @fi: meta data about received frame (signal level, etc.)
3802 *
3803 * Process all incoming IEEE 802.11 management frames. This will be called for
3804 * each frame received from the kernel driver through wlan#ap interface. In
3805 * addition, it can be called to re-inserted pending frames (e.g., when using
3806 * external RADIUS server as an MAC ACL).
3807 */
3808 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
3809 struct hostapd_frame_info *fi)
3810 {
3811 struct ieee80211_mgmt *mgmt;
3812 u16 fc, stype;
3813 int ret = 0;
3814
3815 if (len < 24)
3816 return 0;
3817
3818 mgmt = (struct ieee80211_mgmt *) buf;
3819 fc = le_to_host16(mgmt->frame_control);
3820 stype = WLAN_FC_GET_STYPE(fc);
3821
3822 if (stype == WLAN_FC_STYPE_BEACON) {
3823 handle_beacon(hapd, mgmt, len, fi);
3824 return 1;
3825 }
3826
3827 if (!is_broadcast_ether_addr(mgmt->bssid) &&
3828 #ifdef CONFIG_P2P
3829 /* Invitation responses can be sent with the peer MAC as BSSID */
3830 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
3831 stype == WLAN_FC_STYPE_ACTION) &&
3832 #endif /* CONFIG_P2P */
3833 #ifdef CONFIG_MESH
3834 !(hapd->conf->mesh & MESH_ENABLED) &&
3835 #endif /* CONFIG_MESH */
3836 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
3837 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
3838 MAC2STR(mgmt->bssid));
3839 return 0;
3840 }
3841
3842
3843 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
3844 handle_probe_req(hapd, mgmt, len, fi->ssi_signal);
3845 return 1;
3846 }
3847
3848 if ((!is_broadcast_ether_addr(mgmt->da) ||
3849 stype != WLAN_FC_STYPE_ACTION) &&
3850 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
3851 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3852 HOSTAPD_LEVEL_DEBUG,
3853 "MGMT: DA=" MACSTR " not our address",
3854 MAC2STR(mgmt->da));
3855 return 0;
3856 }
3857
3858 if (hapd->iconf->track_sta_max_num)
3859 sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal);
3860
3861 switch (stype) {
3862 case WLAN_FC_STYPE_AUTH:
3863 wpa_printf(MSG_DEBUG, "mgmt::auth");
3864 handle_auth(hapd, mgmt, len);
3865 ret = 1;
3866 break;
3867 case WLAN_FC_STYPE_ASSOC_REQ:
3868 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
3869 handle_assoc(hapd, mgmt, len, 0);
3870 ret = 1;
3871 break;
3872 case WLAN_FC_STYPE_REASSOC_REQ:
3873 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
3874 handle_assoc(hapd, mgmt, len, 1);
3875 ret = 1;
3876 break;
3877 case WLAN_FC_STYPE_DISASSOC:
3878 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
3879 handle_disassoc(hapd, mgmt, len);
3880 ret = 1;
3881 break;
3882 case WLAN_FC_STYPE_DEAUTH:
3883 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
3884 handle_deauth(hapd, mgmt, len);
3885 ret = 1;
3886 break;
3887 case WLAN_FC_STYPE_ACTION:
3888 wpa_printf(MSG_DEBUG, "mgmt::action");
3889 ret = handle_action(hapd, mgmt, len);
3890 break;
3891 default:
3892 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3893 HOSTAPD_LEVEL_DEBUG,
3894 "unknown mgmt frame subtype %d", stype);
3895 break;
3896 }
3897
3898 return ret;
3899 }
3900
3901
3902 static void handle_auth_cb(struct hostapd_data *hapd,
3903 const struct ieee80211_mgmt *mgmt,
3904 size_t len, int ok)
3905 {
3906 u16 auth_alg, auth_transaction, status_code;
3907 struct sta_info *sta;
3908
3909 sta = ap_get_sta(hapd, mgmt->da);
3910 if (!sta) {
3911 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
3912 MAC2STR(mgmt->da));
3913 return;
3914 }
3915
3916 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3917 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3918 status_code = le_to_host16(mgmt->u.auth.status_code);
3919
3920 if (!ok) {
3921 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
3922 HOSTAPD_LEVEL_NOTICE,
3923 "did not acknowledge authentication response");
3924 goto fail;
3925 }
3926
3927 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3928 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
3929 (unsigned long) len);
3930 goto fail;
3931 }
3932
3933 if (status_code == WLAN_STATUS_SUCCESS &&
3934 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
3935 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
3936 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3937 HOSTAPD_LEVEL_INFO, "authenticated");
3938 sta->flags |= WLAN_STA_AUTH;
3939 if (sta->added_unassoc)
3940 hostapd_set_sta_flags(hapd, sta);
3941 return;
3942 }
3943
3944 fail:
3945 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
3946 hostapd_drv_sta_remove(hapd, sta->addr);
3947 sta->added_unassoc = 0;
3948 }
3949 }
3950
3951
3952 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
3953 struct sta_info *sta,
3954 char *ifname_wds)
3955 {
3956 int i;
3957 struct hostapd_ssid *ssid = &hapd->conf->ssid;
3958
3959 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
3960 return;
3961
3962 for (i = 0; i < 4; i++) {
3963 if (ssid->wep.key[i] &&
3964 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
3965 i == ssid->wep.idx, NULL, 0,
3966 ssid->wep.key[i], ssid->wep.len[i])) {
3967 wpa_printf(MSG_WARNING,
3968 "Could not set WEP keys for WDS interface; %s",
3969 ifname_wds);
3970 break;
3971 }
3972 }
3973 }
3974
3975
3976 static void handle_assoc_cb(struct hostapd_data *hapd,
3977 const struct ieee80211_mgmt *mgmt,
3978 size_t len, int reassoc, int ok)
3979 {
3980 u16 status;
3981 struct sta_info *sta;
3982 int new_assoc = 1;
3983
3984 sta = ap_get_sta(hapd, mgmt->da);
3985 if (!sta) {
3986 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
3987 MAC2STR(mgmt->da));
3988 return;
3989 }
3990
3991 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
3992 sizeof(mgmt->u.assoc_resp))) {
3993 wpa_printf(MSG_INFO,
3994 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
3995 reassoc, (unsigned long) len);
3996 hostapd_drv_sta_remove(hapd, sta->addr);
3997 return;
3998 }
3999
4000 if (reassoc)
4001 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4002 else
4003 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4004
4005 if (!ok) {
4006 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4007 HOSTAPD_LEVEL_DEBUG,
4008 "did not acknowledge association response");
4009 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4010 /* The STA is added only in case of SUCCESS */
4011 if (status == WLAN_STATUS_SUCCESS)
4012 hostapd_drv_sta_remove(hapd, sta->addr);
4013
4014 return;
4015 }
4016
4017 if (status != WLAN_STATUS_SUCCESS)
4018 return;
4019
4020 /* Stop previous accounting session, if one is started, and allocate
4021 * new session id for the new session. */
4022 accounting_sta_stop(hapd, sta);
4023
4024 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4025 HOSTAPD_LEVEL_INFO,
4026 "associated (aid %d)",
4027 sta->aid);
4028
4029 if (sta->flags & WLAN_STA_ASSOC)
4030 new_assoc = 0;
4031 sta->flags |= WLAN_STA_ASSOC;
4032 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4033 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4034 !hapd->conf->osen) ||
4035 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4036 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4037 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4038 sta->auth_alg == WLAN_AUTH_FT) {
4039 /*
4040 * Open, static WEP, FT protocol, or FILS; no separate
4041 * authorization step.
4042 */
4043 ap_sta_set_authorized(hapd, sta, 1);
4044 }
4045
4046 if (reassoc)
4047 mlme_reassociate_indication(hapd, sta);
4048 else
4049 mlme_associate_indication(hapd, sta);
4050
4051 #ifdef CONFIG_IEEE80211W
4052 sta->sa_query_timed_out = 0;
4053 #endif /* CONFIG_IEEE80211W */
4054
4055 if (sta->eapol_sm == NULL) {
4056 /*
4057 * This STA does not use RADIUS server for EAP authentication,
4058 * so bind it to the selected VLAN interface now, since the
4059 * interface selection is not going to change anymore.
4060 */
4061 if (ap_sta_bind_vlan(hapd, sta) < 0)
4062 return;
4063 } else if (sta->vlan_id) {
4064 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4065 if (ap_sta_bind_vlan(hapd, sta) < 0)
4066 return;
4067 }
4068
4069 hostapd_set_sta_flags(hapd, sta);
4070
4071 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4072 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4073 MACSTR " based on pending request",
4074 MAC2STR(sta->addr));
4075 sta->pending_wds_enable = 0;
4076 sta->flags |= WLAN_STA_WDS;
4077 }
4078
4079 if (sta->flags & WLAN_STA_WDS) {
4080 int ret;
4081 char ifname_wds[IFNAMSIZ + 1];
4082
4083 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4084 MACSTR " (aid %u)",
4085 MAC2STR(sta->addr), sta->aid);
4086 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4087 sta->aid, 1);
4088 if (!ret)
4089 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4090 }
4091
4092 if (sta->auth_alg == WLAN_AUTH_FT)
4093 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4094 else
4095 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4096 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4097 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4098
4099 #ifdef CONFIG_FILS
4100 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4101 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4102 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4103 fils_set_tk(sta->wpa_sm) < 0) {
4104 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4105 ap_sta_disconnect(hapd, sta, sta->addr,
4106 WLAN_REASON_UNSPECIFIED);
4107 return;
4108 }
4109 #endif /* CONFIG_FILS */
4110
4111 if (sta->pending_eapol_rx) {
4112 struct os_reltime now, age;
4113
4114 os_get_reltime(&now);
4115 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4116 if (age.sec == 0 && age.usec < 200000) {
4117 wpa_printf(MSG_DEBUG,
4118 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4119 MAC2STR(sta->addr));
4120 ieee802_1x_receive(
4121 hapd, mgmt->da,
4122 wpabuf_head(sta->pending_eapol_rx->buf),
4123 wpabuf_len(sta->pending_eapol_rx->buf));
4124 }
4125 wpabuf_free(sta->pending_eapol_rx->buf);
4126 os_free(sta->pending_eapol_rx);
4127 sta->pending_eapol_rx = NULL;
4128 }
4129 }
4130
4131
4132 static void handle_deauth_cb(struct hostapd_data *hapd,
4133 const struct ieee80211_mgmt *mgmt,
4134 size_t len, int ok)
4135 {
4136 struct sta_info *sta;
4137 if (is_multicast_ether_addr(mgmt->da))
4138 return;
4139 sta = ap_get_sta(hapd, mgmt->da);
4140 if (!sta) {
4141 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4142 " not found", MAC2STR(mgmt->da));
4143 return;
4144 }
4145 if (ok)
4146 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4147 MAC2STR(sta->addr));
4148 else
4149 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4150 "deauth", MAC2STR(sta->addr));
4151
4152 ap_sta_deauth_cb(hapd, sta);
4153 }
4154
4155
4156 static void handle_disassoc_cb(struct hostapd_data *hapd,
4157 const struct ieee80211_mgmt *mgmt,
4158 size_t len, int ok)
4159 {
4160 struct sta_info *sta;
4161 if (is_multicast_ether_addr(mgmt->da))
4162 return;
4163 sta = ap_get_sta(hapd, mgmt->da);
4164 if (!sta) {
4165 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4166 " not found", MAC2STR(mgmt->da));
4167 return;
4168 }
4169 if (ok)
4170 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4171 MAC2STR(sta->addr));
4172 else
4173 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4174 "disassoc", MAC2STR(sta->addr));
4175
4176 ap_sta_disassoc_cb(hapd, sta);
4177 }
4178
4179
4180 static void handle_action_cb(struct hostapd_data *hapd,
4181 const struct ieee80211_mgmt *mgmt,
4182 size_t len, int ok)
4183 {
4184 struct sta_info *sta;
4185 const struct rrm_measurement_report_element *report;
4186
4187 if (is_multicast_ether_addr(mgmt->da))
4188 return;
4189 #ifdef CONFIG_DPP
4190 if (len >= IEEE80211_HDRLEN + 6 &&
4191 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4192 mgmt->u.action.u.vs_public_action.action ==
4193 WLAN_PA_VENDOR_SPECIFIC &&
4194 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4195 OUI_WFA &&
4196 mgmt->u.action.u.vs_public_action.variable[0] ==
4197 DPP_OUI_TYPE) {
4198 const u8 *pos, *end;
4199
4200 pos = &mgmt->u.action.u.vs_public_action.variable[1];
4201 end = ((const u8 *) mgmt) + len;
4202 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4203 return;
4204 }
4205 if (len >= IEEE80211_HDRLEN + 2 &&
4206 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4207 (mgmt->u.action.u.public_action.action ==
4208 WLAN_PA_GAS_INITIAL_REQ ||
4209 mgmt->u.action.u.public_action.action ==
4210 WLAN_PA_GAS_COMEBACK_REQ)) {
4211 const u8 *pos, *end;
4212
4213 pos = mgmt->u.action.u.public_action.variable;
4214 end = ((const u8 *) mgmt) + len;
4215 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4216 return;
4217 }
4218 #endif /* CONFIG_DPP */
4219 sta = ap_get_sta(hapd, mgmt->da);
4220 if (!sta) {
4221 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4222 " not found", MAC2STR(mgmt->da));
4223 return;
4224 }
4225
4226 if (len < 24 + 5 + sizeof(*report))
4227 return;
4228 report = (const struct rrm_measurement_report_element *)
4229 &mgmt->u.action.u.rrm.variable[2];
4230 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4231 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4232 report->eid == WLAN_EID_MEASURE_REQUEST &&
4233 report->len >= 3 &&
4234 report->type == MEASURE_TYPE_BEACON)
4235 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4236 }
4237
4238
4239 /**
4240 * ieee802_11_mgmt_cb - Process management frame TX status callback
4241 * @hapd: hostapd BSS data structure (the BSS from which the management frame
4242 * was sent from)
4243 * @buf: management frame data (starting from IEEE 802.11 header)
4244 * @len: length of frame data in octets
4245 * @stype: management frame subtype from frame control field
4246 * @ok: Whether the frame was ACK'ed
4247 */
4248 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4249 u16 stype, int ok)
4250 {
4251 const struct ieee80211_mgmt *mgmt;
4252 mgmt = (const struct ieee80211_mgmt *) buf;
4253
4254 #ifdef CONFIG_TESTING_OPTIONS
4255 if (hapd->ext_mgmt_frame_handling) {
4256 size_t hex_len = 2 * len + 1;
4257 char *hex = os_malloc(hex_len);
4258
4259 if (hex) {
4260 wpa_snprintf_hex(hex, hex_len, buf, len);
4261 wpa_msg(hapd->msg_ctx, MSG_INFO,
4262 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4263 stype, ok, hex);
4264 os_free(hex);
4265 }
4266 return;
4267 }
4268 #endif /* CONFIG_TESTING_OPTIONS */
4269
4270 switch (stype) {
4271 case WLAN_FC_STYPE_AUTH:
4272 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4273 handle_auth_cb(hapd, mgmt, len, ok);
4274 break;
4275 case WLAN_FC_STYPE_ASSOC_RESP:
4276 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4277 handle_assoc_cb(hapd, mgmt, len, 0, ok);
4278 break;
4279 case WLAN_FC_STYPE_REASSOC_RESP:
4280 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4281 handle_assoc_cb(hapd, mgmt, len, 1, ok);
4282 break;
4283 case WLAN_FC_STYPE_PROBE_RESP:
4284 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4285 break;
4286 case WLAN_FC_STYPE_DEAUTH:
4287 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4288 handle_deauth_cb(hapd, mgmt, len, ok);
4289 break;
4290 case WLAN_FC_STYPE_DISASSOC:
4291 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4292 handle_disassoc_cb(hapd, mgmt, len, ok);
4293 break;
4294 case WLAN_FC_STYPE_ACTION:
4295 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4296 handle_action_cb(hapd, mgmt, len, ok);
4297 break;
4298 default:
4299 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4300 break;
4301 }
4302 }
4303
4304
4305 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4306 {
4307 /* TODO */
4308 return 0;
4309 }
4310
4311
4312 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4313 char *buf, size_t buflen)
4314 {
4315 /* TODO */
4316 return 0;
4317 }
4318
4319
4320 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4321 const u8 *buf, size_t len, int ack)
4322 {
4323 struct sta_info *sta;
4324 struct hostapd_iface *iface = hapd->iface;
4325
4326 sta = ap_get_sta(hapd, addr);
4327 if (sta == NULL && iface->num_bss > 1) {
4328 size_t j;
4329 for (j = 0; j < iface->num_bss; j++) {
4330 hapd = iface->bss[j];
4331 sta = ap_get_sta(hapd, addr);
4332 if (sta)
4333 break;
4334 }
4335 }
4336 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4337 return;
4338 if (sta->flags & WLAN_STA_PENDING_POLL) {
4339 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4340 "activity poll", MAC2STR(sta->addr),
4341 ack ? "ACKed" : "did not ACK");
4342 if (ack)
4343 sta->flags &= ~WLAN_STA_PENDING_POLL;
4344 }
4345
4346 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4347 }
4348
4349
4350 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
4351 const u8 *data, size_t len, int ack)
4352 {
4353 struct sta_info *sta;
4354 struct hostapd_iface *iface = hapd->iface;
4355
4356 sta = ap_get_sta(hapd, dst);
4357 if (sta == NULL && iface->num_bss > 1) {
4358 size_t j;
4359 for (j = 0; j < iface->num_bss; j++) {
4360 hapd = iface->bss[j];
4361 sta = ap_get_sta(hapd, dst);
4362 if (sta)
4363 break;
4364 }
4365 }
4366 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
4367 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
4368 MACSTR " that is not currently associated",
4369 MAC2STR(dst));
4370 return;
4371 }
4372
4373 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
4374 }
4375
4376
4377 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
4378 {
4379 struct sta_info *sta;
4380 struct hostapd_iface *iface = hapd->iface;
4381
4382 sta = ap_get_sta(hapd, addr);
4383 if (sta == NULL && iface->num_bss > 1) {
4384 size_t j;
4385 for (j = 0; j < iface->num_bss; j++) {
4386 hapd = iface->bss[j];
4387 sta = ap_get_sta(hapd, addr);
4388 if (sta)
4389 break;
4390 }
4391 }
4392 if (sta == NULL)
4393 return;
4394 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
4395 MAC2STR(sta->addr));
4396 if (!(sta->flags & WLAN_STA_PENDING_POLL))
4397 return;
4398
4399 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
4400 "activity poll", MAC2STR(sta->addr));
4401 sta->flags &= ~WLAN_STA_PENDING_POLL;
4402 }
4403
4404
4405 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
4406 int wds)
4407 {
4408 struct sta_info *sta;
4409
4410 sta = ap_get_sta(hapd, src);
4411 if (sta &&
4412 ((sta->flags & WLAN_STA_ASSOC) ||
4413 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
4414 if (!hapd->conf->wds_sta)
4415 return;
4416
4417 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
4418 WLAN_STA_ASSOC_REQ_OK) {
4419 wpa_printf(MSG_DEBUG,
4420 "Postpone 4-address WDS mode enabling for STA "
4421 MACSTR " since TX status for AssocResp is not yet known",
4422 MAC2STR(sta->addr));
4423 sta->pending_wds_enable = 1;
4424 return;
4425 }
4426
4427 if (wds && !(sta->flags & WLAN_STA_WDS)) {
4428 int ret;
4429 char ifname_wds[IFNAMSIZ + 1];
4430
4431 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
4432 "STA " MACSTR " (aid %u)",
4433 MAC2STR(sta->addr), sta->aid);
4434 sta->flags |= WLAN_STA_WDS;
4435 ret = hostapd_set_wds_sta(hapd, ifname_wds,
4436 sta->addr, sta->aid, 1);
4437 if (!ret)
4438 hostapd_set_wds_encryption(hapd, sta,
4439 ifname_wds);
4440 }
4441 return;
4442 }
4443
4444 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
4445 MACSTR, MAC2STR(src));
4446 if (is_multicast_ether_addr(src)) {
4447 /* Broadcast bit set in SA?! Ignore the frame silently. */
4448 return;
4449 }
4450
4451 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
4452 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
4453 "already been sent, but no TX status yet known - "
4454 "ignore Class 3 frame issue with " MACSTR,
4455 MAC2STR(src));
4456 return;
4457 }
4458
4459 if (sta && (sta->flags & WLAN_STA_AUTH))
4460 hostapd_drv_sta_disassoc(
4461 hapd, src,
4462 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4463 else
4464 hostapd_drv_sta_deauth(
4465 hapd, src,
4466 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4467 }
4468
4469
4470 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.