]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SAE: Advertise BSS membership selector for H2E-only case
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "radius/radius.h"
28 #include "radius/radius_client.h"
29 #include "p2p/p2p.h"
30 #include "wps/wps.h"
31 #include "fst/fst.h"
32 #include "hostapd.h"
33 #include "beacon.h"
34 #include "ieee802_11_auth.h"
35 #include "sta_info.h"
36 #include "ieee802_1x.h"
37 #include "wpa_auth.h"
38 #include "pmksa_cache_auth.h"
39 #include "wmm.h"
40 #include "ap_list.h"
41 #include "accounting.h"
42 #include "ap_config.h"
43 #include "ap_mlme.h"
44 #include "p2p_hostapd.h"
45 #include "ap_drv_ops.h"
46 #include "wnm_ap.h"
47 #include "hw_features.h"
48 #include "ieee802_11.h"
49 #include "dfs.h"
50 #include "mbo_ap.h"
51 #include "rrm.h"
52 #include "taxonomy.h"
53 #include "fils_hlp.h"
54 #include "dpp_hostapd.h"
55 #include "gas_query_ap.h"
56
57
58 #ifdef CONFIG_FILS
59 static struct wpabuf *
60 prepare_auth_resp_fils(struct hostapd_data *hapd,
61 struct sta_info *sta, u16 *resp,
62 struct rsn_pmksa_cache_entry *pmksa,
63 struct wpabuf *erp_resp,
64 const u8 *msk, size_t msk_len,
65 int *is_pub);
66 #endif /* CONFIG_FILS */
67 static void handle_auth(struct hostapd_data *hapd,
68 const struct ieee80211_mgmt *mgmt, size_t len,
69 int rssi, int from_queue);
70
71
72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
73 {
74 u8 multi_ap_val = 0;
75
76 if (!hapd->conf->multi_ap)
77 return eid;
78 if (hapd->conf->multi_ap & BACKHAUL_BSS)
79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
80 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82
83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
84 }
85
86
87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
88 {
89 u8 *pos = eid;
90 int i, num, count;
91
92 if (hapd->iface->current_rates == NULL)
93 return eid;
94
95 *pos++ = WLAN_EID_SUPP_RATES;
96 num = hapd->iface->num_rates;
97 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
98 num++;
99 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
100 num++;
101 if (hapd->conf->sae_pwe == 1)
102 num++;
103 if (num > 8) {
104 /* rest of the rates are encoded in Extended supported
105 * rates element */
106 num = 8;
107 }
108
109 *pos++ = num;
110 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
111 i++) {
112 count++;
113 *pos = hapd->iface->current_rates[i].rate / 5;
114 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
115 *pos |= 0x80;
116 pos++;
117 }
118
119 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
120 count++;
121 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
122 }
123
124 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
125 count++;
126 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
127 }
128
129 if (hapd->conf->sae_pwe == 1 && count < 8) {
130 count++;
131 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
132 }
133
134 return pos;
135 }
136
137
138 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
139 {
140 u8 *pos = eid;
141 int i, num, count;
142
143 if (hapd->iface->current_rates == NULL)
144 return eid;
145
146 num = hapd->iface->num_rates;
147 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
148 num++;
149 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
150 num++;
151 if (hapd->conf->sae_pwe == 1)
152 num++;
153 if (num <= 8)
154 return eid;
155 num -= 8;
156
157 *pos++ = WLAN_EID_EXT_SUPP_RATES;
158 *pos++ = num;
159 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
160 i++) {
161 count++;
162 if (count <= 8)
163 continue; /* already in SuppRates IE */
164 *pos = hapd->iface->current_rates[i].rate / 5;
165 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
166 *pos |= 0x80;
167 pos++;
168 }
169
170 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
171 count++;
172 if (count > 8)
173 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
174 }
175
176 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
177 count++;
178 if (count > 8)
179 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
180 }
181
182 if (hapd->conf->sae_pwe == 1) {
183 count++;
184 if (count > 8)
185 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
186 }
187
188 return pos;
189 }
190
191
192 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
193 {
194 int capab = WLAN_CAPABILITY_ESS;
195 int privacy;
196 int dfs;
197 int i;
198
199 /* Check if any of configured channels require DFS */
200 dfs = hostapd_is_dfs_required(hapd->iface);
201 if (dfs < 0) {
202 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
203 dfs);
204 dfs = 0;
205 }
206
207 if (hapd->iface->num_sta_no_short_preamble == 0 &&
208 hapd->iconf->preamble == SHORT_PREAMBLE)
209 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
210
211 privacy = hapd->conf->ssid.wep.keys_set;
212
213 if (hapd->conf->ieee802_1x &&
214 (hapd->conf->default_wep_key_len ||
215 hapd->conf->individual_wep_key_len))
216 privacy = 1;
217
218 if (hapd->conf->wpa)
219 privacy = 1;
220
221 #ifdef CONFIG_HS20
222 if (hapd->conf->osen)
223 privacy = 1;
224 #endif /* CONFIG_HS20 */
225
226 if (privacy)
227 capab |= WLAN_CAPABILITY_PRIVACY;
228
229 if (hapd->iface->current_mode &&
230 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
231 hapd->iface->num_sta_no_short_slot_time == 0)
232 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
233
234 /*
235 * Currently, Spectrum Management capability bit is set when directly
236 * requested in configuration by spectrum_mgmt_required or when AP is
237 * running on DFS channel.
238 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
239 */
240 if (hapd->iface->current_mode &&
241 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
242 (hapd->iconf->spectrum_mgmt_required || dfs))
243 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
244
245 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
246 if (hapd->conf->radio_measurements[i]) {
247 capab |= IEEE80211_CAP_RRM;
248 break;
249 }
250 }
251
252 return capab;
253 }
254
255
256 #ifndef CONFIG_NO_RC4
257 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
258 u16 auth_transaction, const u8 *challenge,
259 int iswep)
260 {
261 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
262 HOSTAPD_LEVEL_DEBUG,
263 "authentication (shared key, transaction %d)",
264 auth_transaction);
265
266 if (auth_transaction == 1) {
267 if (!sta->challenge) {
268 /* Generate a pseudo-random challenge */
269 u8 key[8];
270
271 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
272 if (sta->challenge == NULL)
273 return WLAN_STATUS_UNSPECIFIED_FAILURE;
274
275 if (os_get_random(key, sizeof(key)) < 0) {
276 os_free(sta->challenge);
277 sta->challenge = NULL;
278 return WLAN_STATUS_UNSPECIFIED_FAILURE;
279 }
280
281 rc4_skip(key, sizeof(key), 0,
282 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
283 }
284 return 0;
285 }
286
287 if (auth_transaction != 3)
288 return WLAN_STATUS_UNSPECIFIED_FAILURE;
289
290 /* Transaction 3 */
291 if (!iswep || !sta->challenge || !challenge ||
292 os_memcmp_const(sta->challenge, challenge,
293 WLAN_AUTH_CHALLENGE_LEN)) {
294 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
295 HOSTAPD_LEVEL_INFO,
296 "shared key authentication - invalid "
297 "challenge-response");
298 return WLAN_STATUS_CHALLENGE_FAIL;
299 }
300
301 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
302 HOSTAPD_LEVEL_DEBUG,
303 "authentication OK (shared key)");
304 sta->flags |= WLAN_STA_AUTH;
305 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
306 os_free(sta->challenge);
307 sta->challenge = NULL;
308
309 return 0;
310 }
311 #endif /* CONFIG_NO_RC4 */
312
313
314 static int send_auth_reply(struct hostapd_data *hapd,
315 const u8 *dst, const u8 *bssid,
316 u16 auth_alg, u16 auth_transaction, u16 resp,
317 const u8 *ies, size_t ies_len, const char *dbg)
318 {
319 struct ieee80211_mgmt *reply;
320 u8 *buf;
321 size_t rlen;
322 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
323
324 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
325 buf = os_zalloc(rlen);
326 if (buf == NULL)
327 return -1;
328
329 reply = (struct ieee80211_mgmt *) buf;
330 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
331 WLAN_FC_STYPE_AUTH);
332 os_memcpy(reply->da, dst, ETH_ALEN);
333 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
334 os_memcpy(reply->bssid, bssid, ETH_ALEN);
335
336 reply->u.auth.auth_alg = host_to_le16(auth_alg);
337 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
338 reply->u.auth.status_code = host_to_le16(resp);
339
340 if (ies && ies_len)
341 os_memcpy(reply->u.auth.variable, ies, ies_len);
342
343 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
344 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
345 MAC2STR(dst), auth_alg, auth_transaction,
346 resp, (unsigned long) ies_len, dbg);
347 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
348 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
349 else
350 reply_res = WLAN_STATUS_SUCCESS;
351
352 os_free(buf);
353
354 return reply_res;
355 }
356
357
358 #ifdef CONFIG_IEEE80211R_AP
359 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
360 u16 auth_transaction, u16 status,
361 const u8 *ies, size_t ies_len)
362 {
363 struct hostapd_data *hapd = ctx;
364 struct sta_info *sta;
365 int reply_res;
366
367 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
368 auth_transaction, status, ies, ies_len,
369 "auth-ft-finish");
370
371 sta = ap_get_sta(hapd, dst);
372 if (sta == NULL)
373 return;
374
375 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
376 status != WLAN_STATUS_SUCCESS)) {
377 hostapd_drv_sta_remove(hapd, sta->addr);
378 sta->added_unassoc = 0;
379 return;
380 }
381
382 if (status != WLAN_STATUS_SUCCESS)
383 return;
384
385 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
386 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
387 sta->flags |= WLAN_STA_AUTH;
388 mlme_authenticate_indication(hapd, sta);
389 }
390 #endif /* CONFIG_IEEE80211R_AP */
391
392
393 #ifdef CONFIG_SAE
394
395 static void sae_set_state(struct sta_info *sta, enum sae_state state,
396 const char *reason)
397 {
398 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
399 sae_state_txt(sta->sae->state), sae_state_txt(state),
400 MAC2STR(sta->addr), reason);
401 sta->sae->state = state;
402 }
403
404
405 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
406 struct sta_info *sta, int update)
407 {
408 struct wpabuf *buf;
409 const char *password = NULL;
410 struct sae_password_entry *pw;
411 const char *rx_id = NULL;
412
413 if (sta->sae->tmp)
414 rx_id = sta->sae->tmp->pw_id;
415
416 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
417 if (!is_broadcast_ether_addr(pw->peer_addr) &&
418 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
419 continue;
420 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
421 continue;
422 if (rx_id && pw->identifier &&
423 os_strcmp(rx_id, pw->identifier) != 0)
424 continue;
425 password = pw->password;
426 break;
427 }
428 if (!password)
429 password = hapd->conf->ssid.wpa_passphrase;
430 if (!password) {
431 wpa_printf(MSG_DEBUG, "SAE: No password available");
432 return NULL;
433 }
434
435 if (update &&
436 sae_prepare_commit(hapd->own_addr, sta->addr,
437 (u8 *) password, os_strlen(password), rx_id,
438 sta->sae) < 0) {
439 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
440 return NULL;
441 }
442
443 if (pw && pw->vlan_id) {
444 if (!sta->sae->tmp) {
445 wpa_printf(MSG_INFO,
446 "SAE: No temporary data allocated - cannot store VLAN ID");
447 return NULL;
448 }
449 sta->sae->tmp->vlan_id = pw->vlan_id;
450 }
451
452 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
453 (rx_id ? 3 + os_strlen(rx_id) : 0));
454 if (buf == NULL)
455 return NULL;
456 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
457 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
458
459 return buf;
460 }
461
462
463 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
464 struct sta_info *sta)
465 {
466 struct wpabuf *buf;
467
468 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
469 if (buf == NULL)
470 return NULL;
471
472 sae_write_confirm(sta->sae, buf);
473
474 return buf;
475 }
476
477
478 static int auth_sae_send_commit(struct hostapd_data *hapd,
479 struct sta_info *sta,
480 const u8 *bssid, int update)
481 {
482 struct wpabuf *data;
483 int reply_res;
484
485 data = auth_build_sae_commit(hapd, sta, update);
486 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
487 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
488 if (data == NULL)
489 return WLAN_STATUS_UNSPECIFIED_FAILURE;
490
491 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
492 WLAN_STATUS_SUCCESS, wpabuf_head(data),
493 wpabuf_len(data), "sae-send-commit");
494
495 wpabuf_free(data);
496
497 return reply_res;
498 }
499
500
501 static int auth_sae_send_confirm(struct hostapd_data *hapd,
502 struct sta_info *sta,
503 const u8 *bssid)
504 {
505 struct wpabuf *data;
506 int reply_res;
507
508 data = auth_build_sae_confirm(hapd, sta);
509 if (data == NULL)
510 return WLAN_STATUS_UNSPECIFIED_FAILURE;
511
512 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
513 WLAN_STATUS_SUCCESS, wpabuf_head(data),
514 wpabuf_len(data), "sae-send-confirm");
515
516 wpabuf_free(data);
517
518 return reply_res;
519 }
520
521
522 static int use_sae_anti_clogging(struct hostapd_data *hapd)
523 {
524 struct sta_info *sta;
525 unsigned int open = 0;
526
527 if (hapd->conf->sae_anti_clogging_threshold == 0)
528 return 1;
529
530 for (sta = hapd->sta_list; sta; sta = sta->next) {
531 if (!sta->sae)
532 continue;
533 if (sta->sae->state != SAE_COMMITTED &&
534 sta->sae->state != SAE_CONFIRMED)
535 continue;
536 open++;
537 if (open >= hapd->conf->sae_anti_clogging_threshold)
538 return 1;
539 }
540
541 /* In addition to already existing open SAE sessions, check whether
542 * there are enough pending commit messages in the processing queue to
543 * potentially result in too many open sessions. */
544 if (open + dl_list_len(&hapd->sae_commit_queue) >=
545 hapd->conf->sae_anti_clogging_threshold)
546 return 1;
547
548 return 0;
549 }
550
551
552 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
553 {
554 u8 hash[SHA256_MAC_LEN];
555
556 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
557 addr, ETH_ALEN, hash);
558 return hash[0];
559 }
560
561
562 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
563 const u8 *token, size_t token_len)
564 {
565 u8 mac[SHA256_MAC_LEN];
566 const u8 *addrs[2];
567 size_t len[2];
568 u16 token_idx;
569 u8 idx;
570
571 if (token_len != SHA256_MAC_LEN)
572 return -1;
573 idx = sae_token_hash(hapd, addr);
574 token_idx = hapd->sae_pending_token_idx[idx];
575 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
576 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
577 MACSTR " - token_idx 0x%04x, expected 0x%04x",
578 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
579 return -1;
580 }
581
582 addrs[0] = addr;
583 len[0] = ETH_ALEN;
584 addrs[1] = token;
585 len[1] = 2;
586 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
587 2, addrs, len, mac) < 0 ||
588 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
589 return -1;
590
591 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
592
593 return 0;
594 }
595
596
597 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
598 int group, const u8 *addr)
599 {
600 struct wpabuf *buf;
601 u8 *token;
602 struct os_reltime now;
603 u8 idx[2];
604 const u8 *addrs[2];
605 size_t len[2];
606 u8 p_idx;
607 u16 token_idx;
608
609 os_get_reltime(&now);
610 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
611 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
612 hapd->sae_token_idx == 0xffff) {
613 if (random_get_bytes(hapd->sae_token_key,
614 sizeof(hapd->sae_token_key)) < 0)
615 return NULL;
616 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
617 hapd->sae_token_key, sizeof(hapd->sae_token_key));
618 hapd->last_sae_token_key_update = now;
619 hapd->sae_token_idx = 0;
620 os_memset(hapd->sae_pending_token_idx, 0,
621 sizeof(hapd->sae_pending_token_idx));
622 }
623
624 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
625 if (buf == NULL)
626 return NULL;
627
628 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
629
630 p_idx = sae_token_hash(hapd, addr);
631 token_idx = hapd->sae_pending_token_idx[p_idx];
632 if (!token_idx) {
633 hapd->sae_token_idx++;
634 token_idx = hapd->sae_token_idx;
635 hapd->sae_pending_token_idx[p_idx] = token_idx;
636 }
637 WPA_PUT_BE16(idx, token_idx);
638 token = wpabuf_put(buf, SHA256_MAC_LEN);
639 addrs[0] = addr;
640 len[0] = ETH_ALEN;
641 addrs[1] = idx;
642 len[1] = sizeof(idx);
643 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
644 2, addrs, len, token) < 0) {
645 wpabuf_free(buf);
646 return NULL;
647 }
648 WPA_PUT_BE16(token, token_idx);
649
650 return buf;
651 }
652
653
654 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
655 {
656 if (sta->sae->sync > hapd->conf->sae_sync) {
657 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
658 sta->sae->sync = 0;
659 return -1;
660 }
661 return 0;
662 }
663
664
665 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
666 {
667 struct hostapd_data *hapd = eloop_ctx;
668 struct sta_info *sta = eloop_data;
669 int ret;
670
671 if (sae_check_big_sync(hapd, sta))
672 return;
673 sta->sae->sync++;
674 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
675 " (sync=%d state=%s)",
676 MAC2STR(sta->addr), sta->sae->sync,
677 sae_state_txt(sta->sae->state));
678
679 switch (sta->sae->state) {
680 case SAE_COMMITTED:
681 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
682 eloop_register_timeout(0,
683 hapd->dot11RSNASAERetransPeriod * 1000,
684 auth_sae_retransmit_timer, hapd, sta);
685 break;
686 case SAE_CONFIRMED:
687 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
688 eloop_register_timeout(0,
689 hapd->dot11RSNASAERetransPeriod * 1000,
690 auth_sae_retransmit_timer, hapd, sta);
691 break;
692 default:
693 ret = -1;
694 break;
695 }
696
697 if (ret != WLAN_STATUS_SUCCESS)
698 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
699 }
700
701
702 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
703 {
704 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
705 }
706
707
708 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
709 struct sta_info *sta)
710 {
711 if (!(hapd->conf->mesh & MESH_ENABLED))
712 return;
713
714 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
715 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
716 auth_sae_retransmit_timer, hapd, sta);
717 }
718
719
720 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
721 struct sta_info *sta, u16 status)
722 {
723 struct external_auth params;
724
725 os_memset(&params, 0, sizeof(params));
726 params.status = status;
727 params.bssid = sta->addr;
728 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
729 !hapd->conf->disable_pmksa_caching)
730 params.pmkid = sta->sae->pmkid;
731
732 hostapd_drv_send_external_auth_status(hapd, &params);
733 }
734
735
736 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
737 {
738 #ifndef CONFIG_NO_VLAN
739 struct vlan_description vlan_desc;
740
741 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
742 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
743 " to VLAN ID %d",
744 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
745
746 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
747 vlan_desc.notempty = 1;
748 vlan_desc.untagged = sta->sae->tmp->vlan_id;
749 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
750 wpa_printf(MSG_INFO,
751 "Invalid VLAN ID %d in sae_password",
752 sta->sae->tmp->vlan_id);
753 return;
754 }
755
756 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
757 ap_sta_bind_vlan(hapd, sta) < 0) {
758 wpa_printf(MSG_INFO,
759 "Failed to assign VLAN ID %d from sae_password to "
760 MACSTR, sta->sae->tmp->vlan_id,
761 MAC2STR(sta->addr));
762 return;
763 }
764 }
765 #endif /* CONFIG_NO_VLAN */
766
767 sta->flags |= WLAN_STA_AUTH;
768 sta->auth_alg = WLAN_AUTH_SAE;
769 mlme_authenticate_indication(hapd, sta);
770 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
771 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
772 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
773 sta->sae->pmk, sta->sae->pmkid);
774 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
775 }
776
777
778 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
779 const u8 *bssid, u8 auth_transaction, int allow_reuse,
780 int *sta_removed)
781 {
782 int ret;
783
784 *sta_removed = 0;
785
786 if (auth_transaction != 1 && auth_transaction != 2)
787 return WLAN_STATUS_UNSPECIFIED_FAILURE;
788
789 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
790 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
791 auth_transaction);
792 switch (sta->sae->state) {
793 case SAE_NOTHING:
794 if (auth_transaction == 1) {
795 ret = auth_sae_send_commit(hapd, sta, bssid,
796 !allow_reuse);
797 if (ret)
798 return ret;
799 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
800
801 if (sae_process_commit(sta->sae) < 0)
802 return WLAN_STATUS_UNSPECIFIED_FAILURE;
803
804 /*
805 * In mesh case, both Commit and Confirm are sent
806 * immediately. In infrastructure BSS, by default, only
807 * a single Authentication frame (Commit) is expected
808 * from the AP here and the second one (Confirm) will
809 * be sent once the STA has sent its second
810 * Authentication frame (Confirm). This behavior can be
811 * overridden with explicit configuration so that the
812 * infrastructure BSS case sends both frames together.
813 */
814 if ((hapd->conf->mesh & MESH_ENABLED) ||
815 hapd->conf->sae_confirm_immediate) {
816 /*
817 * Send both Commit and Confirm immediately
818 * based on SAE finite state machine
819 * Nothing -> Confirm transition.
820 */
821 ret = auth_sae_send_confirm(hapd, sta, bssid);
822 if (ret)
823 return ret;
824 sae_set_state(sta, SAE_CONFIRMED,
825 "Sent Confirm (mesh)");
826 } else {
827 /*
828 * For infrastructure BSS, send only the Commit
829 * message now to get alternating sequence of
830 * Authentication frames between the AP and STA.
831 * Confirm will be sent in
832 * Committed -> Confirmed/Accepted transition
833 * when receiving Confirm from STA.
834 */
835 }
836 sta->sae->sync = 0;
837 sae_set_retransmit_timer(hapd, sta);
838 } else {
839 hostapd_logger(hapd, sta->addr,
840 HOSTAPD_MODULE_IEEE80211,
841 HOSTAPD_LEVEL_DEBUG,
842 "SAE confirm before commit");
843 }
844 break;
845 case SAE_COMMITTED:
846 sae_clear_retransmit_timer(hapd, sta);
847 if (auth_transaction == 1) {
848 if (sae_process_commit(sta->sae) < 0)
849 return WLAN_STATUS_UNSPECIFIED_FAILURE;
850
851 ret = auth_sae_send_confirm(hapd, sta, bssid);
852 if (ret)
853 return ret;
854 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
855 sta->sae->sync = 0;
856 sae_set_retransmit_timer(hapd, sta);
857 } else if (hapd->conf->mesh & MESH_ENABLED) {
858 /*
859 * In mesh case, follow SAE finite state machine and
860 * send Commit now, if sync count allows.
861 */
862 if (sae_check_big_sync(hapd, sta))
863 return WLAN_STATUS_SUCCESS;
864 sta->sae->sync++;
865
866 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
867 if (ret)
868 return ret;
869
870 sae_set_retransmit_timer(hapd, sta);
871 } else {
872 /*
873 * For instructure BSS, send the postponed Confirm from
874 * Nothing -> Confirmed transition that was reduced to
875 * Nothing -> Committed above.
876 */
877 ret = auth_sae_send_confirm(hapd, sta, bssid);
878 if (ret)
879 return ret;
880
881 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
882
883 /*
884 * Since this was triggered on Confirm RX, run another
885 * step to get to Accepted without waiting for
886 * additional events.
887 */
888 return sae_sm_step(hapd, sta, bssid, auth_transaction,
889 0, sta_removed);
890 }
891 break;
892 case SAE_CONFIRMED:
893 sae_clear_retransmit_timer(hapd, sta);
894 if (auth_transaction == 1) {
895 if (sae_check_big_sync(hapd, sta))
896 return WLAN_STATUS_SUCCESS;
897 sta->sae->sync++;
898
899 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
900 if (ret)
901 return ret;
902
903 if (sae_process_commit(sta->sae) < 0)
904 return WLAN_STATUS_UNSPECIFIED_FAILURE;
905
906 ret = auth_sae_send_confirm(hapd, sta, bssid);
907 if (ret)
908 return ret;
909
910 sae_set_retransmit_timer(hapd, sta);
911 } else {
912 sta->sae->send_confirm = 0xffff;
913 sae_accept_sta(hapd, sta);
914 }
915 break;
916 case SAE_ACCEPTED:
917 if (auth_transaction == 1 &&
918 (hapd->conf->mesh & MESH_ENABLED)) {
919 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
920 ") doing reauthentication",
921 MAC2STR(sta->addr));
922 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
923 ap_free_sta(hapd, sta);
924 *sta_removed = 1;
925 } else if (auth_transaction == 1) {
926 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
927 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
928 if (ret)
929 return ret;
930 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
931
932 if (sae_process_commit(sta->sae) < 0)
933 return WLAN_STATUS_UNSPECIFIED_FAILURE;
934 sta->sae->sync = 0;
935 sae_set_retransmit_timer(hapd, sta);
936 } else {
937 if (sae_check_big_sync(hapd, sta))
938 return WLAN_STATUS_SUCCESS;
939 sta->sae->sync++;
940
941 ret = auth_sae_send_confirm(hapd, sta, bssid);
942 sae_clear_temp_data(sta->sae);
943 if (ret)
944 return ret;
945 }
946 break;
947 default:
948 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
949 sta->sae->state);
950 return WLAN_STATUS_UNSPECIFIED_FAILURE;
951 }
952 return WLAN_STATUS_SUCCESS;
953 }
954
955
956 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
957 {
958 struct sae_data *sae = sta->sae;
959 int i, *groups = hapd->conf->sae_groups;
960 int default_groups[] = { 19, 0 };
961
962 if (sae->state != SAE_COMMITTED)
963 return;
964
965 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
966
967 if (!groups)
968 groups = default_groups;
969 for (i = 0; groups[i] > 0; i++) {
970 if (sae->group == groups[i])
971 break;
972 }
973
974 if (groups[i] <= 0) {
975 wpa_printf(MSG_DEBUG,
976 "SAE: Previously selected group not found from the current configuration");
977 return;
978 }
979
980 for (;;) {
981 i++;
982 if (groups[i] <= 0) {
983 wpa_printf(MSG_DEBUG,
984 "SAE: No alternative group enabled");
985 return;
986 }
987
988 if (sae_set_group(sae, groups[i]) < 0)
989 continue;
990
991 break;
992 }
993 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
994 }
995
996
997 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
998 const struct ieee80211_mgmt *mgmt, size_t len,
999 u16 auth_transaction, u16 status_code)
1000 {
1001 int resp = WLAN_STATUS_SUCCESS;
1002 struct wpabuf *data = NULL;
1003 int *groups = hapd->conf->sae_groups;
1004 int default_groups[] = { 19, 0 };
1005 const u8 *pos, *end;
1006 int sta_removed = 0;
1007
1008 if (!groups)
1009 groups = default_groups;
1010
1011 #ifdef CONFIG_TESTING_OPTIONS
1012 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1013 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1014 pos = mgmt->u.auth.variable;
1015 end = ((const u8 *) mgmt) + len;
1016 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1017 auth_transaction, resp, pos, end - pos,
1018 "auth-sae-reflection-attack");
1019 goto remove_sta;
1020 }
1021
1022 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1023 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1024 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1025 auth_transaction, resp,
1026 wpabuf_head(hapd->conf->sae_commit_override),
1027 wpabuf_len(hapd->conf->sae_commit_override),
1028 "sae-commit-override");
1029 goto remove_sta;
1030 }
1031 #endif /* CONFIG_TESTING_OPTIONS */
1032 if (!sta->sae) {
1033 if (auth_transaction != 1 ||
1034 status_code != WLAN_STATUS_SUCCESS) {
1035 resp = -1;
1036 goto remove_sta;
1037 }
1038 sta->sae = os_zalloc(sizeof(*sta->sae));
1039 if (!sta->sae) {
1040 resp = -1;
1041 goto remove_sta;
1042 }
1043 sae_set_state(sta, SAE_NOTHING, "Init");
1044 sta->sae->sync = 0;
1045 }
1046
1047 if (sta->mesh_sae_pmksa_caching) {
1048 wpa_printf(MSG_DEBUG,
1049 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1050 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1051 sta->mesh_sae_pmksa_caching = 0;
1052 }
1053
1054 if (auth_transaction == 1) {
1055 const u8 *token = NULL;
1056 size_t token_len = 0;
1057 int allow_reuse = 0;
1058
1059 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1060 HOSTAPD_LEVEL_DEBUG,
1061 "start SAE authentication (RX commit, status=%u (%s))",
1062 status_code, status2str(status_code));
1063
1064 if ((hapd->conf->mesh & MESH_ENABLED) &&
1065 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1066 sta->sae->tmp) {
1067 pos = mgmt->u.auth.variable;
1068 end = ((const u8 *) mgmt) + len;
1069 if (pos + sizeof(le16) > end) {
1070 wpa_printf(MSG_ERROR,
1071 "SAE: Too short anti-clogging token request");
1072 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1073 goto reply;
1074 }
1075 resp = sae_group_allowed(sta->sae, groups,
1076 WPA_GET_LE16(pos));
1077 if (resp != WLAN_STATUS_SUCCESS) {
1078 wpa_printf(MSG_ERROR,
1079 "SAE: Invalid group in anti-clogging token request");
1080 goto reply;
1081 }
1082 pos += sizeof(le16);
1083
1084 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1085 sta->sae->tmp->anti_clogging_token =
1086 wpabuf_alloc_copy(pos, end - pos);
1087 if (sta->sae->tmp->anti_clogging_token == NULL) {
1088 wpa_printf(MSG_ERROR,
1089 "SAE: Failed to alloc for anti-clogging token");
1090 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1091 goto remove_sta;
1092 }
1093
1094 /*
1095 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1096 * is 76, a new Commit Message shall be constructed
1097 * with the Anti-Clogging Token from the received
1098 * Authentication frame, and the commit-scalar and
1099 * COMMIT-ELEMENT previously sent.
1100 */
1101 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
1102 if (resp != WLAN_STATUS_SUCCESS) {
1103 wpa_printf(MSG_ERROR,
1104 "SAE: Failed to send commit message");
1105 goto remove_sta;
1106 }
1107 sae_set_state(sta, SAE_COMMITTED,
1108 "Sent Commit (anti-clogging token case in mesh)");
1109 sta->sae->sync = 0;
1110 sae_set_retransmit_timer(hapd, sta);
1111 return;
1112 }
1113
1114 if ((hapd->conf->mesh & MESH_ENABLED) &&
1115 status_code ==
1116 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1117 sta->sae->tmp) {
1118 wpa_printf(MSG_DEBUG,
1119 "SAE: Peer did not accept our SAE group");
1120 sae_pick_next_group(hapd, sta);
1121 goto remove_sta;
1122 }
1123
1124 if (status_code != WLAN_STATUS_SUCCESS)
1125 goto remove_sta;
1126
1127 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1128 sta->sae->state == SAE_COMMITTED) {
1129 /* This is needed in the infrastructure BSS case to
1130 * address a sequence where a STA entry may remain in
1131 * hostapd across two attempts to do SAE authentication
1132 * by the same STA. The second attempt may end up trying
1133 * to use a different group and that would not be
1134 * allowed if we remain in Committed state with the
1135 * previously set parameters. */
1136 pos = mgmt->u.auth.variable;
1137 end = ((const u8 *) mgmt) + len;
1138 if (end - pos >= (int) sizeof(le16) &&
1139 sae_group_allowed(sta->sae, groups,
1140 WPA_GET_LE16(pos)) ==
1141 WLAN_STATUS_SUCCESS) {
1142 /* Do not waste resources deriving the same PWE
1143 * again since the same group is reused. */
1144 sae_set_state(sta, SAE_NOTHING,
1145 "Allow previous PWE to be reused");
1146 allow_reuse = 1;
1147 } else {
1148 sae_set_state(sta, SAE_NOTHING,
1149 "Clear existing state to allow restart");
1150 sae_clear_data(sta->sae);
1151 }
1152 }
1153
1154 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1155 ((const u8 *) mgmt) + len -
1156 mgmt->u.auth.variable, &token,
1157 &token_len, groups, status_code ==
1158 WLAN_STATUS_SAE_HASH_TO_ELEMENT);
1159 if (resp == SAE_SILENTLY_DISCARD) {
1160 wpa_printf(MSG_DEBUG,
1161 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1162 MAC2STR(sta->addr));
1163 goto remove_sta;
1164 }
1165
1166 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1167 wpa_msg(hapd->msg_ctx, MSG_INFO,
1168 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1169 MACSTR, MAC2STR(sta->addr));
1170 sae_clear_retransmit_timer(hapd, sta);
1171 sae_set_state(sta, SAE_NOTHING,
1172 "Unknown Password Identifier");
1173 goto remove_sta;
1174 }
1175
1176 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1177 < 0) {
1178 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1179 "incorrect token from " MACSTR,
1180 MAC2STR(sta->addr));
1181 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1182 goto remove_sta;
1183 }
1184
1185 if (resp != WLAN_STATUS_SUCCESS)
1186 goto reply;
1187
1188 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1189 wpa_printf(MSG_DEBUG,
1190 "SAE: Request anti-clogging token from "
1191 MACSTR, MAC2STR(sta->addr));
1192 data = auth_build_token_req(hapd, sta->sae->group,
1193 sta->addr);
1194 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1195 if (hapd->conf->mesh & MESH_ENABLED)
1196 sae_set_state(sta, SAE_NOTHING,
1197 "Request anti-clogging token case in mesh");
1198 goto reply;
1199 }
1200
1201 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1202 allow_reuse, &sta_removed);
1203 } else if (auth_transaction == 2) {
1204 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1205 HOSTAPD_LEVEL_DEBUG,
1206 "SAE authentication (RX confirm, status=%u (%s))",
1207 status_code, status2str(status_code));
1208 if (status_code != WLAN_STATUS_SUCCESS)
1209 goto remove_sta;
1210 if (sta->sae->state >= SAE_CONFIRMED ||
1211 !(hapd->conf->mesh & MESH_ENABLED)) {
1212 const u8 *var;
1213 size_t var_len;
1214 u16 peer_send_confirm;
1215
1216 var = mgmt->u.auth.variable;
1217 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1218 if (var_len < 2) {
1219 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1220 goto reply;
1221 }
1222
1223 peer_send_confirm = WPA_GET_LE16(var);
1224
1225 if (sta->sae->state == SAE_ACCEPTED &&
1226 (peer_send_confirm <= sta->sae->rc ||
1227 peer_send_confirm == 0xffff)) {
1228 wpa_printf(MSG_DEBUG,
1229 "SAE: Silently ignore unexpected Confirm from peer "
1230 MACSTR
1231 " (peer-send-confirm=%u Rc=%u)",
1232 MAC2STR(sta->addr),
1233 peer_send_confirm, sta->sae->rc);
1234 return;
1235 }
1236
1237 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1238 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1239 goto reply;
1240 }
1241 sta->sae->rc = peer_send_confirm;
1242 }
1243 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0,
1244 &sta_removed);
1245 } else {
1246 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1247 HOSTAPD_LEVEL_DEBUG,
1248 "unexpected SAE authentication transaction %u (status=%u (%s))",
1249 auth_transaction, status_code,
1250 status2str(status_code));
1251 if (status_code != WLAN_STATUS_SUCCESS)
1252 goto remove_sta;
1253 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1254 }
1255
1256 reply:
1257 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1258 pos = mgmt->u.auth.variable;
1259 end = ((const u8 *) mgmt) + len;
1260
1261 /* Copy the Finite Cyclic Group field from the request if we
1262 * rejected it as unsupported group. */
1263 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1264 !data && end - pos >= 2)
1265 data = wpabuf_alloc_copy(pos, 2);
1266
1267 sae_sme_send_external_auth_status(hapd, sta, resp);
1268 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1269 auth_transaction, resp,
1270 data ? wpabuf_head(data) : (u8 *) "",
1271 data ? wpabuf_len(data) : 0, "auth-sae");
1272 }
1273
1274 remove_sta:
1275 if (!sta_removed && sta->added_unassoc &&
1276 (resp != WLAN_STATUS_SUCCESS ||
1277 status_code != WLAN_STATUS_SUCCESS)) {
1278 hostapd_drv_sta_remove(hapd, sta->addr);
1279 sta->added_unassoc = 0;
1280 }
1281 wpabuf_free(data);
1282 }
1283
1284
1285 /**
1286 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1287 * @hapd: BSS data for the device initiating the authentication
1288 * @sta: the peer to which commit authentication frame is sent
1289 *
1290 * This function implements Init event handling (IEEE Std 802.11-2012,
1291 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1292 * sta->sae structure should be initialized appropriately via a call to
1293 * sae_prepare_commit().
1294 */
1295 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1296 {
1297 int ret;
1298
1299 if (!sta->sae || !sta->sae->tmp)
1300 return -1;
1301
1302 if (sta->sae->state != SAE_NOTHING)
1303 return -1;
1304
1305 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1306 if (ret)
1307 return -1;
1308
1309 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1310 sta->sae->sync = 0;
1311 sae_set_retransmit_timer(hapd, sta);
1312
1313 return 0;
1314 }
1315
1316
1317 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1318 {
1319 struct hostapd_data *hapd = eloop_ctx;
1320 struct hostapd_sae_commit_queue *q;
1321 unsigned int queue_len;
1322
1323 q = dl_list_first(&hapd->sae_commit_queue,
1324 struct hostapd_sae_commit_queue, list);
1325 if (!q)
1326 return;
1327 wpa_printf(MSG_DEBUG,
1328 "SAE: Process next available message from queue");
1329 dl_list_del(&q->list);
1330 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1331 q->rssi, 1);
1332 os_free(q);
1333
1334 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1335 return;
1336 queue_len = dl_list_len(&hapd->sae_commit_queue);
1337 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1338 hapd, NULL);
1339 }
1340
1341
1342 static void auth_sae_queue(struct hostapd_data *hapd,
1343 const struct ieee80211_mgmt *mgmt, size_t len,
1344 int rssi)
1345 {
1346 struct hostapd_sae_commit_queue *q, *q2;
1347 unsigned int queue_len;
1348 const struct ieee80211_mgmt *mgmt2;
1349
1350 queue_len = dl_list_len(&hapd->sae_commit_queue);
1351 if (queue_len >= 15) {
1352 wpa_printf(MSG_DEBUG,
1353 "SAE: No more room in message queue - drop the new frame from "
1354 MACSTR, MAC2STR(mgmt->sa));
1355 return;
1356 }
1357
1358 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1359 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1360 queue_len);
1361 q = os_zalloc(sizeof(*q) + len);
1362 if (!q)
1363 return;
1364 q->rssi = rssi;
1365 q->len = len;
1366 os_memcpy(q->msg, mgmt, len);
1367
1368 /* Check whether there is already a queued Authentication frame from the
1369 * same station with the same transaction number and if so, replace that
1370 * queue entry with the new one. This avoids issues with a peer that
1371 * sends multiple times (e.g., due to frequent SAE retries). There is no
1372 * point in us trying to process the old attempts after a new one has
1373 * obsoleted them. */
1374 dl_list_for_each(q2, &hapd->sae_commit_queue,
1375 struct hostapd_sae_commit_queue, list) {
1376 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1377 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1378 mgmt->u.auth.auth_transaction ==
1379 mgmt2->u.auth.auth_transaction) {
1380 wpa_printf(MSG_DEBUG,
1381 "SAE: Replace queued message from same STA with same transaction number");
1382 dl_list_add(&q2->list, &q->list);
1383 dl_list_del(&q2->list);
1384 os_free(q2);
1385 goto queued;
1386 }
1387 }
1388
1389 /* No pending identical entry, so add to the end of the queue */
1390 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1391
1392 queued:
1393 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1394 return;
1395 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1396 hapd, NULL);
1397 }
1398
1399
1400 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1401 {
1402 struct hostapd_sae_commit_queue *q;
1403 const struct ieee80211_mgmt *mgmt;
1404
1405 dl_list_for_each(q, &hapd->sae_commit_queue,
1406 struct hostapd_sae_commit_queue, list) {
1407 mgmt = (const struct ieee80211_mgmt *) q->msg;
1408 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1409 return 1;
1410 }
1411
1412 return 0;
1413 }
1414
1415 #endif /* CONFIG_SAE */
1416
1417
1418 static u16 wpa_res_to_status_code(int res)
1419 {
1420 if (res == WPA_INVALID_GROUP)
1421 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1422 if (res == WPA_INVALID_PAIRWISE)
1423 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1424 if (res == WPA_INVALID_AKMP)
1425 return WLAN_STATUS_AKMP_NOT_VALID;
1426 if (res == WPA_ALLOC_FAIL)
1427 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1428 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1429 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1430 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1431 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1432 if (res == WPA_INVALID_MDIE)
1433 return WLAN_STATUS_INVALID_MDIE;
1434 if (res == WPA_INVALID_PMKID)
1435 return WLAN_STATUS_INVALID_PMKID;
1436 if (res != WPA_IE_OK)
1437 return WLAN_STATUS_INVALID_IE;
1438 return WLAN_STATUS_SUCCESS;
1439 }
1440
1441
1442 #ifdef CONFIG_FILS
1443
1444 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1445 struct sta_info *sta, u16 resp,
1446 struct wpabuf *data, int pub);
1447
1448 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1449 const u8 *pos, size_t len, u16 auth_alg,
1450 u16 auth_transaction, u16 status_code,
1451 void (*cb)(struct hostapd_data *hapd,
1452 struct sta_info *sta, u16 resp,
1453 struct wpabuf *data, int pub))
1454 {
1455 u16 resp = WLAN_STATUS_SUCCESS;
1456 const u8 *end;
1457 struct ieee802_11_elems elems;
1458 int res;
1459 struct wpa_ie_data rsn;
1460 struct rsn_pmksa_cache_entry *pmksa = NULL;
1461
1462 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1463 return;
1464
1465 end = pos + len;
1466
1467 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1468 pos, end - pos);
1469
1470 /* TODO: FILS PK */
1471 #ifdef CONFIG_FILS_SK_PFS
1472 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1473 u16 group;
1474 struct wpabuf *pub;
1475 size_t elem_len;
1476
1477 /* Using FILS PFS */
1478
1479 /* Finite Cyclic Group */
1480 if (end - pos < 2) {
1481 wpa_printf(MSG_DEBUG,
1482 "FILS: No room for Finite Cyclic Group");
1483 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1484 goto fail;
1485 }
1486 group = WPA_GET_LE16(pos);
1487 pos += 2;
1488 if (group != hapd->conf->fils_dh_group) {
1489 wpa_printf(MSG_DEBUG,
1490 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1491 group, hapd->conf->fils_dh_group);
1492 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1493 goto fail;
1494 }
1495
1496 crypto_ecdh_deinit(sta->fils_ecdh);
1497 sta->fils_ecdh = crypto_ecdh_init(group);
1498 if (!sta->fils_ecdh) {
1499 wpa_printf(MSG_INFO,
1500 "FILS: Could not initialize ECDH with group %d",
1501 group);
1502 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1503 goto fail;
1504 }
1505
1506 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1507 if (!pub) {
1508 wpa_printf(MSG_DEBUG,
1509 "FILS: Failed to derive ECDH public key");
1510 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 goto fail;
1512 }
1513 elem_len = wpabuf_len(pub);
1514 wpabuf_free(pub);
1515
1516 /* Element */
1517 if ((size_t) (end - pos) < elem_len) {
1518 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1519 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1520 goto fail;
1521 }
1522
1523 wpabuf_free(sta->fils_g_sta);
1524 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1525 wpabuf_clear_free(sta->fils_dh_ss);
1526 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1527 pos, elem_len);
1528 if (!sta->fils_dh_ss) {
1529 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1530 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1531 goto fail;
1532 }
1533 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1534 pos += elem_len;
1535 } else {
1536 crypto_ecdh_deinit(sta->fils_ecdh);
1537 sta->fils_ecdh = NULL;
1538 wpabuf_clear_free(sta->fils_dh_ss);
1539 sta->fils_dh_ss = NULL;
1540 }
1541 #endif /* CONFIG_FILS_SK_PFS */
1542
1543 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1544 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1545 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1546 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1547 goto fail;
1548 }
1549
1550 /* RSNE */
1551 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1552 elems.rsn_ie, elems.rsn_ie_len);
1553 if (!elems.rsn_ie ||
1554 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1555 &rsn) < 0) {
1556 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1557 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1558 goto fail;
1559 }
1560
1561 if (!sta->wpa_sm)
1562 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1563 NULL);
1564 if (!sta->wpa_sm) {
1565 wpa_printf(MSG_DEBUG,
1566 "FILS: Failed to initialize RSN state machine");
1567 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1568 goto fail;
1569 }
1570
1571 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1572 hapd->iface->freq,
1573 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1574 elems.mdie, elems.mdie_len, NULL, 0);
1575 resp = wpa_res_to_status_code(res);
1576 if (resp != WLAN_STATUS_SUCCESS)
1577 goto fail;
1578
1579 if (!elems.fils_nonce) {
1580 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1581 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1582 goto fail;
1583 }
1584 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1585 FILS_NONCE_LEN);
1586 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1587
1588 /* PMKID List */
1589 if (rsn.pmkid && rsn.num_pmkid > 0) {
1590 u8 num;
1591 const u8 *pmkid;
1592
1593 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1594 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1595
1596 pmkid = rsn.pmkid;
1597 num = rsn.num_pmkid;
1598 while (num) {
1599 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1600 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1601 pmkid);
1602 if (pmksa)
1603 break;
1604 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1605 sta->addr,
1606 pmkid);
1607 if (pmksa)
1608 break;
1609 pmkid += PMKID_LEN;
1610 num--;
1611 }
1612 }
1613 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1614 wpa_printf(MSG_DEBUG,
1615 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1616 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1617 pmksa = NULL;
1618 }
1619 if (pmksa)
1620 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1621
1622 /* FILS Session */
1623 if (!elems.fils_session) {
1624 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1625 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1626 goto fail;
1627 }
1628 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1629 FILS_SESSION_LEN);
1630 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1631
1632 /* FILS Wrapped Data */
1633 if (elems.fils_wrapped_data) {
1634 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1635 elems.fils_wrapped_data,
1636 elems.fils_wrapped_data_len);
1637 if (!pmksa) {
1638 #ifndef CONFIG_NO_RADIUS
1639 if (!sta->eapol_sm) {
1640 sta->eapol_sm =
1641 ieee802_1x_alloc_eapol_sm(hapd, sta);
1642 }
1643 wpa_printf(MSG_DEBUG,
1644 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1645 ieee802_1x_encapsulate_radius(
1646 hapd, sta, elems.fils_wrapped_data,
1647 elems.fils_wrapped_data_len);
1648 sta->fils_pending_cb = cb;
1649 wpa_printf(MSG_DEBUG,
1650 "FILS: Will send Authentication frame once the response from authentication server is available");
1651 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1652 /* Calculate pending PMKID here so that we do not need
1653 * to maintain a copy of the EAP-Initiate/Reauth
1654 * message. */
1655 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1656 elems.fils_wrapped_data,
1657 elems.fils_wrapped_data_len,
1658 sta->fils_erp_pmkid) == 0)
1659 sta->fils_erp_pmkid_set = 1;
1660 return;
1661 #else /* CONFIG_NO_RADIUS */
1662 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1663 goto fail;
1664 #endif /* CONFIG_NO_RADIUS */
1665 }
1666 }
1667
1668 fail:
1669 if (cb) {
1670 struct wpabuf *data;
1671 int pub = 0;
1672
1673 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1674 NULL, 0, &pub);
1675 if (!data) {
1676 wpa_printf(MSG_DEBUG,
1677 "%s: prepare_auth_resp_fils() returned failure",
1678 __func__);
1679 }
1680
1681 cb(hapd, sta, resp, data, pub);
1682 }
1683 }
1684
1685
1686 static struct wpabuf *
1687 prepare_auth_resp_fils(struct hostapd_data *hapd,
1688 struct sta_info *sta, u16 *resp,
1689 struct rsn_pmksa_cache_entry *pmksa,
1690 struct wpabuf *erp_resp,
1691 const u8 *msk, size_t msk_len,
1692 int *is_pub)
1693 {
1694 u8 fils_nonce[FILS_NONCE_LEN];
1695 size_t ielen;
1696 struct wpabuf *data = NULL;
1697 const u8 *ie;
1698 u8 *ie_buf = NULL;
1699 const u8 *pmk = NULL;
1700 size_t pmk_len = 0;
1701 u8 pmk_buf[PMK_LEN_MAX];
1702 struct wpabuf *pub = NULL;
1703
1704 if (*resp != WLAN_STATUS_SUCCESS)
1705 goto fail;
1706
1707 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1708 if (!ie) {
1709 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1710 goto fail;
1711 }
1712
1713 if (pmksa) {
1714 /* Add PMKID of the selected PMKSA into RSNE */
1715 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1716 if (!ie_buf) {
1717 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1718 goto fail;
1719 }
1720
1721 os_memcpy(ie_buf, ie, ielen);
1722 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1723 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1724 goto fail;
1725 }
1726 ie = ie_buf;
1727 }
1728
1729 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1730 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1731 goto fail;
1732 }
1733 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1734 fils_nonce, FILS_NONCE_LEN);
1735
1736 #ifdef CONFIG_FILS_SK_PFS
1737 if (sta->fils_dh_ss && sta->fils_ecdh) {
1738 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1739 if (!pub) {
1740 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1741 goto fail;
1742 }
1743 }
1744 #endif /* CONFIG_FILS_SK_PFS */
1745
1746 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1747 if (!data) {
1748 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1749 goto fail;
1750 }
1751
1752 /* TODO: FILS PK */
1753 #ifdef CONFIG_FILS_SK_PFS
1754 if (pub) {
1755 /* Finite Cyclic Group */
1756 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1757
1758 /* Element */
1759 wpabuf_put_buf(data, pub);
1760 }
1761 #endif /* CONFIG_FILS_SK_PFS */
1762
1763 /* RSNE */
1764 wpabuf_put_data(data, ie, ielen);
1765
1766 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1767
1768 #ifdef CONFIG_IEEE80211R_AP
1769 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1770 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1771 int res;
1772 int use_sha384 = wpa_key_mgmt_sha384(
1773 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1774
1775 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1776 wpabuf_put(data, 0),
1777 wpabuf_tailroom(data));
1778 if (res < 0) {
1779 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1780 goto fail;
1781 }
1782 wpabuf_put(data, res);
1783 }
1784 #endif /* CONFIG_IEEE80211R_AP */
1785
1786 /* FILS Nonce */
1787 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1788 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1789 /* Element ID Extension */
1790 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1791 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1792
1793 /* FILS Session */
1794 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1795 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1796 /* Element ID Extension */
1797 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1798 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1799
1800 /* FILS Wrapped Data */
1801 if (!pmksa && erp_resp) {
1802 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1803 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1804 /* Element ID Extension */
1805 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1806 wpabuf_put_buf(data, erp_resp);
1807
1808 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1809 msk, msk_len, sta->fils_snonce, fils_nonce,
1810 sta->fils_dh_ss ?
1811 wpabuf_head(sta->fils_dh_ss) : NULL,
1812 sta->fils_dh_ss ?
1813 wpabuf_len(sta->fils_dh_ss) : 0,
1814 pmk_buf, &pmk_len)) {
1815 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1816 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1817 wpabuf_free(data);
1818 data = NULL;
1819 goto fail;
1820 }
1821 pmk = pmk_buf;
1822
1823 /* Don't use DHss in PTK derivation if PMKSA caching is not
1824 * used. */
1825 wpabuf_clear_free(sta->fils_dh_ss);
1826 sta->fils_dh_ss = NULL;
1827
1828 if (sta->fils_erp_pmkid_set) {
1829 /* TODO: get PMKLifetime from WPA parameters */
1830 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1831 int session_timeout;
1832
1833 session_timeout = dot11RSNAConfigPMKLifetime;
1834 if (sta->session_timeout_set) {
1835 struct os_reltime now, diff;
1836
1837 os_get_reltime(&now);
1838 os_reltime_sub(&sta->session_timeout, &now,
1839 &diff);
1840 session_timeout = diff.sec;
1841 }
1842
1843 sta->fils_erp_pmkid_set = 0;
1844 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
1845 sta->fils_erp_pmkid);
1846 if (!hapd->conf->disable_pmksa_caching &&
1847 wpa_auth_pmksa_add2(
1848 hapd->wpa_auth, sta->addr,
1849 pmk, pmk_len,
1850 sta->fils_erp_pmkid,
1851 session_timeout,
1852 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1853 wpa_printf(MSG_ERROR,
1854 "FILS: Failed to add PMKSA cache entry based on ERP");
1855 }
1856 }
1857 } else if (pmksa) {
1858 pmk = pmksa->pmk;
1859 pmk_len = pmksa->pmk_len;
1860 }
1861
1862 if (!pmk) {
1863 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1864 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1865 wpabuf_free(data);
1866 data = NULL;
1867 goto fail;
1868 }
1869
1870 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1871 sta->fils_snonce, fils_nonce,
1872 sta->fils_dh_ss ?
1873 wpabuf_head(sta->fils_dh_ss) : NULL,
1874 sta->fils_dh_ss ?
1875 wpabuf_len(sta->fils_dh_ss) : 0,
1876 sta->fils_g_sta, pub) < 0) {
1877 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1878 wpabuf_free(data);
1879 data = NULL;
1880 goto fail;
1881 }
1882
1883 fail:
1884 if (is_pub)
1885 *is_pub = pub != NULL;
1886 os_free(ie_buf);
1887 wpabuf_free(pub);
1888 wpabuf_clear_free(sta->fils_dh_ss);
1889 sta->fils_dh_ss = NULL;
1890 #ifdef CONFIG_FILS_SK_PFS
1891 crypto_ecdh_deinit(sta->fils_ecdh);
1892 sta->fils_ecdh = NULL;
1893 #endif /* CONFIG_FILS_SK_PFS */
1894 return data;
1895 }
1896
1897
1898 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1899 struct sta_info *sta, u16 resp,
1900 struct wpabuf *data, int pub)
1901 {
1902 u16 auth_alg;
1903
1904 auth_alg = (pub ||
1905 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1906 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1907 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1908 data ? wpabuf_head(data) : (u8 *) "",
1909 data ? wpabuf_len(data) : 0, "auth-fils-finish");
1910 wpabuf_free(data);
1911
1912 if (resp == WLAN_STATUS_SUCCESS) {
1913 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1914 HOSTAPD_LEVEL_DEBUG,
1915 "authentication OK (FILS)");
1916 sta->flags |= WLAN_STA_AUTH;
1917 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1918 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1919 mlme_authenticate_indication(hapd, sta);
1920 }
1921 }
1922
1923
1924 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1925 struct sta_info *sta, int success,
1926 struct wpabuf *erp_resp,
1927 const u8 *msk, size_t msk_len)
1928 {
1929 struct wpabuf *data;
1930 int pub = 0;
1931 u16 resp;
1932
1933 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1934
1935 if (!sta->fils_pending_cb)
1936 return;
1937 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1938 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1939 msk, msk_len, &pub);
1940 if (!data) {
1941 wpa_printf(MSG_DEBUG,
1942 "%s: prepare_auth_resp_fils() returned failure",
1943 __func__);
1944 }
1945 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1946 }
1947
1948 #endif /* CONFIG_FILS */
1949
1950
1951 int
1952 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1953 const u8 *msg, size_t len, u32 *session_timeout,
1954 u32 *acct_interim_interval,
1955 struct vlan_description *vlan_id,
1956 struct hostapd_sta_wpa_psk_short **psk,
1957 char **identity, char **radius_cui, int is_probe_req)
1958 {
1959 int res;
1960
1961 os_memset(vlan_id, 0, sizeof(*vlan_id));
1962 res = hostapd_allowed_address(hapd, addr, msg, len,
1963 session_timeout, acct_interim_interval,
1964 vlan_id, psk, identity, radius_cui,
1965 is_probe_req);
1966
1967 if (res == HOSTAPD_ACL_REJECT) {
1968 if (!is_probe_req)
1969 wpa_printf(MSG_DEBUG,
1970 "Station " MACSTR
1971 " not allowed to authenticate",
1972 MAC2STR(addr));
1973 return HOSTAPD_ACL_REJECT;
1974 }
1975
1976 if (res == HOSTAPD_ACL_PENDING) {
1977 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1978 " waiting for an external authentication",
1979 MAC2STR(addr));
1980 /* Authentication code will re-send the authentication frame
1981 * after it has received (and cached) information from the
1982 * external source. */
1983 return HOSTAPD_ACL_PENDING;
1984 }
1985
1986 return res;
1987 }
1988
1989
1990 static int
1991 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1992 int res, u32 session_timeout,
1993 u32 acct_interim_interval,
1994 struct vlan_description *vlan_id,
1995 struct hostapd_sta_wpa_psk_short **psk,
1996 char **identity, char **radius_cui)
1997 {
1998 if (vlan_id->notempty &&
1999 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2000 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2001 HOSTAPD_LEVEL_INFO,
2002 "Invalid VLAN %d%s received from RADIUS server",
2003 vlan_id->untagged,
2004 vlan_id->tagged[0] ? "+" : "");
2005 return -1;
2006 }
2007 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2008 return -1;
2009 if (sta->vlan_id)
2010 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2011 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2012
2013 hostapd_free_psk_list(sta->psk);
2014 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
2015 sta->psk = *psk;
2016 *psk = NULL;
2017 } else {
2018 sta->psk = NULL;
2019 }
2020
2021 os_free(sta->identity);
2022 sta->identity = *identity;
2023 *identity = NULL;
2024
2025 os_free(sta->radius_cui);
2026 sta->radius_cui = *radius_cui;
2027 *radius_cui = NULL;
2028
2029 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2030 sta->acct_interim_interval = acct_interim_interval;
2031 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2032 sta->session_timeout_set = 1;
2033 os_get_reltime(&sta->session_timeout);
2034 sta->session_timeout.sec += session_timeout;
2035 ap_sta_session_timeout(hapd, sta, session_timeout);
2036 } else {
2037 sta->session_timeout_set = 0;
2038 ap_sta_no_session_timeout(hapd, sta);
2039 }
2040
2041 return 0;
2042 }
2043
2044
2045 static void handle_auth(struct hostapd_data *hapd,
2046 const struct ieee80211_mgmt *mgmt, size_t len,
2047 int rssi, int from_queue)
2048 {
2049 u16 auth_alg, auth_transaction, status_code;
2050 u16 resp = WLAN_STATUS_SUCCESS;
2051 struct sta_info *sta = NULL;
2052 int res, reply_res;
2053 u16 fc;
2054 const u8 *challenge = NULL;
2055 u32 session_timeout, acct_interim_interval;
2056 struct vlan_description vlan_id;
2057 struct hostapd_sta_wpa_psk_short *psk = NULL;
2058 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2059 size_t resp_ies_len = 0;
2060 char *identity = NULL;
2061 char *radius_cui = NULL;
2062 u16 seq_ctrl;
2063
2064 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2065 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2066 (unsigned long) len);
2067 return;
2068 }
2069
2070 #ifdef CONFIG_TESTING_OPTIONS
2071 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2072 drand48() < hapd->iconf->ignore_auth_probability) {
2073 wpa_printf(MSG_INFO,
2074 "TESTING: ignoring auth frame from " MACSTR,
2075 MAC2STR(mgmt->sa));
2076 return;
2077 }
2078 #endif /* CONFIG_TESTING_OPTIONS */
2079
2080 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2081 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2082 status_code = le_to_host16(mgmt->u.auth.status_code);
2083 fc = le_to_host16(mgmt->frame_control);
2084 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2085
2086 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2087 2 + WLAN_AUTH_CHALLENGE_LEN &&
2088 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2089 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2090 challenge = &mgmt->u.auth.variable[2];
2091
2092 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2093 "auth_transaction=%d status_code=%d wep=%d%s "
2094 "seq_ctrl=0x%x%s%s",
2095 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2096 status_code, !!(fc & WLAN_FC_ISWEP),
2097 challenge ? " challenge" : "",
2098 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2099 from_queue ? " (from queue)" : "");
2100
2101 #ifdef CONFIG_NO_RC4
2102 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2103 wpa_printf(MSG_INFO,
2104 "Unsupported authentication algorithm (%d)",
2105 auth_alg);
2106 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2107 goto fail;
2108 }
2109 #endif /* CONFIG_NO_RC4 */
2110
2111 if (hapd->tkip_countermeasures) {
2112 wpa_printf(MSG_DEBUG,
2113 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2114 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2115 goto fail;
2116 }
2117
2118 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2119 auth_alg == WLAN_AUTH_OPEN) ||
2120 #ifdef CONFIG_IEEE80211R_AP
2121 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2122 auth_alg == WLAN_AUTH_FT) ||
2123 #endif /* CONFIG_IEEE80211R_AP */
2124 #ifdef CONFIG_SAE
2125 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2126 auth_alg == WLAN_AUTH_SAE) ||
2127 #endif /* CONFIG_SAE */
2128 #ifdef CONFIG_FILS
2129 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2130 auth_alg == WLAN_AUTH_FILS_SK) ||
2131 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2132 hapd->conf->fils_dh_group &&
2133 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2134 #endif /* CONFIG_FILS */
2135 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2136 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2137 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2138 auth_alg);
2139 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2140 goto fail;
2141 }
2142
2143 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2144 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2145 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2146 auth_transaction);
2147 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2148 goto fail;
2149 }
2150
2151 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2152 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2153 MAC2STR(mgmt->sa));
2154 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2155 goto fail;
2156 }
2157
2158 if (hapd->conf->no_auth_if_seen_on) {
2159 struct hostapd_data *other;
2160
2161 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2162 hapd->conf->no_auth_if_seen_on);
2163 if (other) {
2164 u8 *pos;
2165 u32 info;
2166 u8 op_class, channel, phytype;
2167
2168 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2169 MACSTR " since STA has been seen on %s",
2170 hapd->conf->iface, MAC2STR(mgmt->sa),
2171 hapd->conf->no_auth_if_seen_on);
2172
2173 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2174 pos = &resp_ies[0];
2175 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2176 *pos++ = 13;
2177 os_memcpy(pos, other->own_addr, ETH_ALEN);
2178 pos += ETH_ALEN;
2179 info = 0; /* TODO: BSSID Information */
2180 WPA_PUT_LE32(pos, info);
2181 pos += 4;
2182 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2183 phytype = 8; /* dmg */
2184 else if (other->iconf->ieee80211ac)
2185 phytype = 9; /* vht */
2186 else if (other->iconf->ieee80211n)
2187 phytype = 7; /* ht */
2188 else if (other->iconf->hw_mode ==
2189 HOSTAPD_MODE_IEEE80211A)
2190 phytype = 4; /* ofdm */
2191 else if (other->iconf->hw_mode ==
2192 HOSTAPD_MODE_IEEE80211G)
2193 phytype = 6; /* erp */
2194 else
2195 phytype = 5; /* hrdsss */
2196 if (ieee80211_freq_to_channel_ext(
2197 hostapd_hw_get_freq(other,
2198 other->iconf->channel),
2199 other->iconf->secondary_channel,
2200 other->iconf->ieee80211ac,
2201 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2202 op_class = 0;
2203 channel = other->iconf->channel;
2204 }
2205 *pos++ = op_class;
2206 *pos++ = channel;
2207 *pos++ = phytype;
2208 resp_ies_len = pos - &resp_ies[0];
2209 goto fail;
2210 }
2211 }
2212
2213 res = ieee802_11_allowed_address(
2214 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
2215 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui,
2216 0);
2217 if (res == HOSTAPD_ACL_REJECT) {
2218 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2219 "Ignore Authentication frame from " MACSTR
2220 " due to ACL reject", MAC2STR(mgmt->sa));
2221 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2222 goto fail;
2223 }
2224 if (res == HOSTAPD_ACL_PENDING)
2225 return;
2226
2227 #ifdef CONFIG_SAE
2228 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2229 (auth_transaction == 1 ||
2230 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2231 /* Handle SAE Authentication commit message through a queue to
2232 * provide more control for postponing the needed heavy
2233 * processing under a possible DoS attack scenario. In addition,
2234 * queue SAE Authentication confirm message if there happens to
2235 * be a queued commit message from the same peer. This is needed
2236 * to avoid reordering Authentication frames within the same
2237 * SAE exchange. */
2238 auth_sae_queue(hapd, mgmt, len, rssi);
2239 return;
2240 }
2241 #endif /* CONFIG_SAE */
2242
2243 sta = ap_get_sta(hapd, mgmt->sa);
2244 if (sta) {
2245 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2246 sta->ft_over_ds = 0;
2247 if ((fc & WLAN_FC_RETRY) &&
2248 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2249 sta->last_seq_ctrl == seq_ctrl &&
2250 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2251 hostapd_logger(hapd, sta->addr,
2252 HOSTAPD_MODULE_IEEE80211,
2253 HOSTAPD_LEVEL_DEBUG,
2254 "Drop repeated authentication frame seq_ctrl=0x%x",
2255 seq_ctrl);
2256 return;
2257 }
2258 #ifdef CONFIG_MESH
2259 if ((hapd->conf->mesh & MESH_ENABLED) &&
2260 sta->plink_state == PLINK_BLOCKED) {
2261 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2262 " is blocked - drop Authentication frame",
2263 MAC2STR(mgmt->sa));
2264 return;
2265 }
2266 #endif /* CONFIG_MESH */
2267 } else {
2268 #ifdef CONFIG_MESH
2269 if (hapd->conf->mesh & MESH_ENABLED) {
2270 /* if the mesh peer is not available, we don't do auth.
2271 */
2272 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2273 " not yet known - drop Authentication frame",
2274 MAC2STR(mgmt->sa));
2275 /*
2276 * Save a copy of the frame so that it can be processed
2277 * if a new peer entry is added shortly after this.
2278 */
2279 wpabuf_free(hapd->mesh_pending_auth);
2280 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2281 os_get_reltime(&hapd->mesh_pending_auth_time);
2282 return;
2283 }
2284 #endif /* CONFIG_MESH */
2285
2286 sta = ap_sta_add(hapd, mgmt->sa);
2287 if (!sta) {
2288 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2289 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2290 goto fail;
2291 }
2292 }
2293 sta->last_seq_ctrl = seq_ctrl;
2294 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2295 #ifdef CONFIG_MBO
2296 sta->auth_rssi = rssi;
2297 #endif /* CONFIG_MBO */
2298
2299 res = ieee802_11_set_radius_info(
2300 hapd, sta, res, session_timeout, acct_interim_interval,
2301 &vlan_id, &psk, &identity, &radius_cui);
2302 if (res) {
2303 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2304 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2305 goto fail;
2306 }
2307
2308 sta->flags &= ~WLAN_STA_PREAUTH;
2309 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2310
2311 /*
2312 * If the driver supports full AP client state, add a station to the
2313 * driver before sending authentication reply to make sure the driver
2314 * has resources, and not to go through the entire authentication and
2315 * association handshake, and fail it at the end.
2316 *
2317 * If this is not the first transaction, in a multi-step authentication
2318 * algorithm, the station already exists in the driver
2319 * (sta->added_unassoc = 1) so skip it.
2320 *
2321 * In mesh mode, the station was already added to the driver when the
2322 * NEW_PEER_CANDIDATE event is received.
2323 *
2324 * If PMF was negotiated for the existing association, skip this to
2325 * avoid dropping the STA entry and the associated keys. This is needed
2326 * to allow the original connection work until the attempt can complete
2327 * (re)association, so that unprotected Authentication frame cannot be
2328 * used to bypass PMF protection.
2329 */
2330 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2331 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2332 !(hapd->conf->mesh & MESH_ENABLED) &&
2333 !(sta->added_unassoc)) {
2334 /*
2335 * If a station that is already associated to the AP, is trying
2336 * to authenticate again, remove the STA entry, in order to make
2337 * sure the STA PS state gets cleared and configuration gets
2338 * updated. To handle this, station's added_unassoc flag is
2339 * cleared once the station has completed association.
2340 */
2341 ap_sta_set_authorized(hapd, sta, 0);
2342 hostapd_drv_sta_remove(hapd, sta->addr);
2343 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2344 WLAN_STA_AUTHORIZED);
2345
2346 if (hostapd_sta_add(hapd, sta->addr, 0, 0,
2347 sta->supported_rates,
2348 sta->supported_rates_len,
2349 0, NULL, NULL, NULL, 0,
2350 sta->flags, 0, 0, 0, 0)) {
2351 hostapd_logger(hapd, sta->addr,
2352 HOSTAPD_MODULE_IEEE80211,
2353 HOSTAPD_LEVEL_NOTICE,
2354 "Could not add STA to kernel driver");
2355 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2356 goto fail;
2357 }
2358
2359 sta->added_unassoc = 1;
2360 }
2361
2362 switch (auth_alg) {
2363 case WLAN_AUTH_OPEN:
2364 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2365 HOSTAPD_LEVEL_DEBUG,
2366 "authentication OK (open system)");
2367 sta->flags |= WLAN_STA_AUTH;
2368 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2369 sta->auth_alg = WLAN_AUTH_OPEN;
2370 mlme_authenticate_indication(hapd, sta);
2371 break;
2372 #ifndef CONFIG_NO_RC4
2373 case WLAN_AUTH_SHARED_KEY:
2374 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2375 fc & WLAN_FC_ISWEP);
2376 if (resp != 0)
2377 wpa_printf(MSG_DEBUG,
2378 "auth_shared_key() failed: status=%d", resp);
2379 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2380 mlme_authenticate_indication(hapd, sta);
2381 if (sta->challenge && auth_transaction == 1) {
2382 resp_ies[0] = WLAN_EID_CHALLENGE;
2383 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2384 os_memcpy(resp_ies + 2, sta->challenge,
2385 WLAN_AUTH_CHALLENGE_LEN);
2386 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2387 }
2388 break;
2389 #endif /* CONFIG_NO_RC4 */
2390 #ifdef CONFIG_IEEE80211R_AP
2391 case WLAN_AUTH_FT:
2392 sta->auth_alg = WLAN_AUTH_FT;
2393 if (sta->wpa_sm == NULL)
2394 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2395 sta->addr, NULL);
2396 if (sta->wpa_sm == NULL) {
2397 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2398 "state machine");
2399 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2400 goto fail;
2401 }
2402 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2403 auth_transaction, mgmt->u.auth.variable,
2404 len - IEEE80211_HDRLEN -
2405 sizeof(mgmt->u.auth),
2406 handle_auth_ft_finish, hapd);
2407 /* handle_auth_ft_finish() callback will complete auth. */
2408 return;
2409 #endif /* CONFIG_IEEE80211R_AP */
2410 #ifdef CONFIG_SAE
2411 case WLAN_AUTH_SAE:
2412 #ifdef CONFIG_MESH
2413 if (status_code == WLAN_STATUS_SUCCESS &&
2414 hapd->conf->mesh & MESH_ENABLED) {
2415 if (sta->wpa_sm == NULL)
2416 sta->wpa_sm =
2417 wpa_auth_sta_init(hapd->wpa_auth,
2418 sta->addr, NULL);
2419 if (sta->wpa_sm == NULL) {
2420 wpa_printf(MSG_DEBUG,
2421 "SAE: Failed to initialize WPA state machine");
2422 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2423 goto fail;
2424 }
2425 }
2426 #endif /* CONFIG_MESH */
2427 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2428 status_code);
2429 return;
2430 #endif /* CONFIG_SAE */
2431 #ifdef CONFIG_FILS
2432 case WLAN_AUTH_FILS_SK:
2433 case WLAN_AUTH_FILS_SK_PFS:
2434 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2435 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2436 auth_alg, auth_transaction, status_code,
2437 handle_auth_fils_finish);
2438 return;
2439 #endif /* CONFIG_FILS */
2440 }
2441
2442 fail:
2443 os_free(identity);
2444 os_free(radius_cui);
2445 hostapd_free_psk_list(psk);
2446
2447 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2448 auth_transaction + 1, resp, resp_ies,
2449 resp_ies_len, "handle-auth");
2450
2451 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2452 reply_res != WLAN_STATUS_SUCCESS)) {
2453 hostapd_drv_sta_remove(hapd, sta->addr);
2454 sta->added_unassoc = 0;
2455 }
2456 }
2457
2458
2459 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2460 {
2461 int i, j = 32, aid;
2462
2463 /* get a unique AID */
2464 if (sta->aid > 0) {
2465 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2466 return 0;
2467 }
2468
2469 if (TEST_FAIL())
2470 return -1;
2471
2472 for (i = 0; i < AID_WORDS; i++) {
2473 if (hapd->sta_aid[i] == (u32) -1)
2474 continue;
2475 for (j = 0; j < 32; j++) {
2476 if (!(hapd->sta_aid[i] & BIT(j)))
2477 break;
2478 }
2479 if (j < 32)
2480 break;
2481 }
2482 if (j == 32)
2483 return -1;
2484 aid = i * 32 + j + 1;
2485 if (aid > 2007)
2486 return -1;
2487
2488 sta->aid = aid;
2489 hapd->sta_aid[i] |= BIT(j);
2490 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2491 return 0;
2492 }
2493
2494
2495 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2496 const u8 *ssid_ie, size_t ssid_ie_len)
2497 {
2498 if (ssid_ie == NULL)
2499 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2500
2501 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2502 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2503 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2504 HOSTAPD_LEVEL_INFO,
2505 "Station tried to associate with unknown SSID "
2506 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2507 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2508 }
2509
2510 return WLAN_STATUS_SUCCESS;
2511 }
2512
2513
2514 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2515 const u8 *wmm_ie, size_t wmm_ie_len)
2516 {
2517 sta->flags &= ~WLAN_STA_WMM;
2518 sta->qosinfo = 0;
2519 if (wmm_ie && hapd->conf->wmm_enabled) {
2520 struct wmm_information_element *wmm;
2521
2522 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2523 hostapd_logger(hapd, sta->addr,
2524 HOSTAPD_MODULE_WPA,
2525 HOSTAPD_LEVEL_DEBUG,
2526 "invalid WMM element in association "
2527 "request");
2528 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2529 }
2530
2531 sta->flags |= WLAN_STA_WMM;
2532 wmm = (struct wmm_information_element *) wmm_ie;
2533 sta->qosinfo = wmm->qos_info;
2534 }
2535 return WLAN_STATUS_SUCCESS;
2536 }
2537
2538 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2539 const u8 *multi_ap_ie, size_t multi_ap_len)
2540 {
2541 u8 multi_ap_value = 0;
2542
2543 sta->flags &= ~WLAN_STA_MULTI_AP;
2544
2545 if (!hapd->conf->multi_ap)
2546 return WLAN_STATUS_SUCCESS;
2547
2548 if (multi_ap_ie) {
2549 const u8 *multi_ap_subelem;
2550
2551 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2552 multi_ap_len - 4,
2553 MULTI_AP_SUB_ELEM_TYPE);
2554 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2555 multi_ap_value = multi_ap_subelem[2];
2556 } else {
2557 hostapd_logger(hapd, sta->addr,
2558 HOSTAPD_MODULE_IEEE80211,
2559 HOSTAPD_LEVEL_INFO,
2560 "Multi-AP IE has missing or invalid Multi-AP subelement");
2561 return WLAN_STATUS_INVALID_IE;
2562 }
2563 }
2564
2565 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2566 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2567 HOSTAPD_LEVEL_INFO,
2568 "Multi-AP IE with unexpected value 0x%02x",
2569 multi_ap_value);
2570
2571 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2572 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2573 return WLAN_STATUS_SUCCESS;
2574
2575 hostapd_logger(hapd, sta->addr,
2576 HOSTAPD_MODULE_IEEE80211,
2577 HOSTAPD_LEVEL_INFO,
2578 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2579 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2580 }
2581
2582 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2583 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2584 HOSTAPD_LEVEL_DEBUG,
2585 "Backhaul STA tries to associate with fronthaul-only BSS");
2586
2587 sta->flags |= WLAN_STA_MULTI_AP;
2588 return WLAN_STATUS_SUCCESS;
2589 }
2590
2591
2592 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2593 struct ieee802_11_elems *elems)
2594 {
2595 /* Supported rates not used in IEEE 802.11ad/DMG */
2596 if (hapd->iface->current_mode &&
2597 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2598 return WLAN_STATUS_SUCCESS;
2599
2600 if (!elems->supp_rates) {
2601 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2602 HOSTAPD_LEVEL_DEBUG,
2603 "No supported rates element in AssocReq");
2604 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2605 }
2606
2607 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2608 sizeof(sta->supported_rates)) {
2609 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2610 HOSTAPD_LEVEL_DEBUG,
2611 "Invalid supported rates element length %d+%d",
2612 elems->supp_rates_len,
2613 elems->ext_supp_rates_len);
2614 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2615 }
2616
2617 sta->supported_rates_len = merge_byte_arrays(
2618 sta->supported_rates, sizeof(sta->supported_rates),
2619 elems->supp_rates, elems->supp_rates_len,
2620 elems->ext_supp_rates, elems->ext_supp_rates_len);
2621
2622 return WLAN_STATUS_SUCCESS;
2623 }
2624
2625
2626 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2627 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2628 {
2629 #ifdef CONFIG_INTERWORKING
2630 /* check for QoS Map support */
2631 if (ext_capab_ie_len >= 5) {
2632 if (ext_capab_ie[4] & 0x01)
2633 sta->qos_map_enabled = 1;
2634 }
2635 #endif /* CONFIG_INTERWORKING */
2636
2637 if (ext_capab_ie_len > 0) {
2638 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2639 os_free(sta->ext_capability);
2640 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2641 if (sta->ext_capability) {
2642 sta->ext_capability[0] = ext_capab_ie_len;
2643 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2644 ext_capab_ie_len);
2645 }
2646 }
2647
2648 return WLAN_STATUS_SUCCESS;
2649 }
2650
2651
2652 #ifdef CONFIG_OWE
2653
2654 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2655 {
2656 int i;
2657 int *groups = hapd->conf->owe_groups;
2658
2659 if (group != 19 && group != 20 && group != 21)
2660 return 0;
2661
2662 if (!groups)
2663 return 1;
2664
2665 for (i = 0; groups[i] > 0; i++) {
2666 if (groups[i] == group)
2667 return 1;
2668 }
2669
2670 return 0;
2671 }
2672
2673
2674 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2675 struct sta_info *sta, const u8 *owe_dh,
2676 u8 owe_dh_len)
2677 {
2678 struct wpabuf *secret, *pub, *hkey;
2679 int res;
2680 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2681 const char *info = "OWE Key Generation";
2682 const u8 *addr[2];
2683 size_t len[2];
2684 u16 group;
2685 size_t hash_len, prime_len;
2686
2687 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2688 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2689 return WLAN_STATUS_SUCCESS;
2690 }
2691
2692 group = WPA_GET_LE16(owe_dh);
2693 if (!owe_group_supported(hapd, group)) {
2694 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2695 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2696 }
2697 if (group == 19)
2698 prime_len = 32;
2699 else if (group == 20)
2700 prime_len = 48;
2701 else if (group == 21)
2702 prime_len = 66;
2703 else
2704 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2705
2706 crypto_ecdh_deinit(sta->owe_ecdh);
2707 sta->owe_ecdh = crypto_ecdh_init(group);
2708 if (!sta->owe_ecdh)
2709 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2710 sta->owe_group = group;
2711
2712 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2713 owe_dh_len - 2);
2714 secret = wpabuf_zeropad(secret, prime_len);
2715 if (!secret) {
2716 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2717 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2718 }
2719 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2720
2721 /* prk = HKDF-extract(C | A | group, z) */
2722
2723 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2724 if (!pub) {
2725 wpabuf_clear_free(secret);
2726 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2727 }
2728
2729 /* PMKID = Truncate-128(Hash(C | A)) */
2730 addr[0] = owe_dh + 2;
2731 len[0] = owe_dh_len - 2;
2732 addr[1] = wpabuf_head(pub);
2733 len[1] = wpabuf_len(pub);
2734 if (group == 19) {
2735 res = sha256_vector(2, addr, len, pmkid);
2736 hash_len = SHA256_MAC_LEN;
2737 } else if (group == 20) {
2738 res = sha384_vector(2, addr, len, pmkid);
2739 hash_len = SHA384_MAC_LEN;
2740 } else if (group == 21) {
2741 res = sha512_vector(2, addr, len, pmkid);
2742 hash_len = SHA512_MAC_LEN;
2743 } else {
2744 wpabuf_free(pub);
2745 wpabuf_clear_free(secret);
2746 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2747 }
2748 pub = wpabuf_zeropad(pub, prime_len);
2749 if (res < 0 || !pub) {
2750 wpabuf_free(pub);
2751 wpabuf_clear_free(secret);
2752 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2753 }
2754
2755 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2756 if (!hkey) {
2757 wpabuf_free(pub);
2758 wpabuf_clear_free(secret);
2759 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2760 }
2761
2762 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2763 wpabuf_put_buf(hkey, pub); /* A */
2764 wpabuf_free(pub);
2765 wpabuf_put_le16(hkey, group); /* group */
2766 if (group == 19)
2767 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2768 wpabuf_head(secret), wpabuf_len(secret), prk);
2769 else if (group == 20)
2770 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2771 wpabuf_head(secret), wpabuf_len(secret), prk);
2772 else if (group == 21)
2773 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2774 wpabuf_head(secret), wpabuf_len(secret), prk);
2775 wpabuf_clear_free(hkey);
2776 wpabuf_clear_free(secret);
2777 if (res < 0)
2778 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2779
2780 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2781
2782 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2783
2784 os_free(sta->owe_pmk);
2785 sta->owe_pmk = os_malloc(hash_len);
2786 if (!sta->owe_pmk) {
2787 os_memset(prk, 0, SHA512_MAC_LEN);
2788 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2789 }
2790
2791 if (group == 19)
2792 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2793 os_strlen(info), sta->owe_pmk, hash_len);
2794 else if (group == 20)
2795 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2796 os_strlen(info), sta->owe_pmk, hash_len);
2797 else if (group == 21)
2798 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2799 os_strlen(info), sta->owe_pmk, hash_len);
2800 os_memset(prk, 0, SHA512_MAC_LEN);
2801 if (res < 0) {
2802 os_free(sta->owe_pmk);
2803 sta->owe_pmk = NULL;
2804 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2805 }
2806 sta->owe_pmk_len = hash_len;
2807
2808 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2809 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2810 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2811 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2812
2813 return WLAN_STATUS_SUCCESS;
2814 }
2815
2816
2817 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
2818 const u8 *rsn_ie, size_t rsn_ie_len,
2819 const u8 *owe_dh, size_t owe_dh_len)
2820 {
2821 struct wpa_ie_data data;
2822 int res;
2823
2824 if (!rsn_ie || rsn_ie_len < 2) {
2825 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
2826 MAC2STR(peer));
2827 return WLAN_STATUS_INVALID_IE;
2828 }
2829 rsn_ie -= 2;
2830 rsn_ie_len += 2;
2831
2832 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
2833 if (res) {
2834 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
2835 " (res=%d)", MAC2STR(peer), res);
2836 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
2837 return wpa_res_to_status_code(res);
2838 }
2839 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
2840 wpa_printf(MSG_DEBUG,
2841 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
2842 (unsigned int) data.key_mgmt, MAC2STR(peer));
2843 return WLAN_STATUS_AKMP_NOT_VALID;
2844 }
2845 if (!owe_dh) {
2846 wpa_printf(MSG_DEBUG,
2847 "OWE: No Diffie-Hellman Parameter element from "
2848 MACSTR, MAC2STR(peer));
2849 return WLAN_STATUS_AKMP_NOT_VALID;
2850 }
2851
2852 return WLAN_STATUS_SUCCESS;
2853 }
2854
2855
2856 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
2857 struct sta_info *sta,
2858 const u8 *rsn_ie, size_t rsn_ie_len,
2859 const u8 *owe_dh, size_t owe_dh_len)
2860 {
2861 u16 status;
2862 u8 *owe_buf, ie[256 * 2];
2863 size_t ie_len = 0;
2864 int res;
2865
2866 if (!rsn_ie || rsn_ie_len < 2) {
2867 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
2868 status = WLAN_STATUS_INVALID_IE;
2869 goto end;
2870 }
2871
2872 if (!sta->wpa_sm)
2873 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
2874 NULL);
2875 if (!sta->wpa_sm) {
2876 wpa_printf(MSG_WARNING,
2877 "OWE: Failed to initialize WPA state machine");
2878 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2879 goto end;
2880 }
2881 rsn_ie -= 2;
2882 rsn_ie_len += 2;
2883 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2884 hapd->iface->freq, rsn_ie, rsn_ie_len,
2885 NULL, 0, owe_dh, owe_dh_len);
2886 status = wpa_res_to_status_code(res);
2887 if (status != WLAN_STATUS_SUCCESS)
2888 goto end;
2889 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
2890 if (status != WLAN_STATUS_SUCCESS)
2891 goto end;
2892 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
2893 NULL, 0);
2894 if (!owe_buf) {
2895 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2896 goto end;
2897 }
2898
2899 if (sta->owe_ecdh) {
2900 struct wpabuf *pub;
2901
2902 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2903 if (!pub) {
2904 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2905 goto end;
2906 }
2907
2908 /* OWE Diffie-Hellman Parameter element */
2909 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
2910 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
2911 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
2912 */
2913 WPA_PUT_LE16(owe_buf, sta->owe_group);
2914 owe_buf += 2;
2915 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
2916 owe_buf += wpabuf_len(pub);
2917 wpabuf_free(pub);
2918 sta->external_dh_updated = 1;
2919 }
2920 ie_len = owe_buf - ie;
2921
2922 end:
2923 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
2924 MACSTR, status, (unsigned int) ie_len,
2925 MAC2STR(sta->addr));
2926 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
2927 status == WLAN_STATUS_SUCCESS ? ie : NULL,
2928 ie_len);
2929
2930 return status;
2931 }
2932
2933 #endif /* CONFIG_OWE */
2934
2935
2936 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2937 const u8 *ies, size_t ies_len, int reassoc)
2938 {
2939 struct ieee802_11_elems elems;
2940 u16 resp;
2941 const u8 *wpa_ie;
2942 size_t wpa_ie_len;
2943 const u8 *p2p_dev_addr = NULL;
2944
2945 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2946 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2947 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2948 "association request");
2949 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2950 }
2951
2952 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2953 if (resp != WLAN_STATUS_SUCCESS)
2954 return resp;
2955 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2956 if (resp != WLAN_STATUS_SUCCESS)
2957 return resp;
2958 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2959 if (resp != WLAN_STATUS_SUCCESS)
2960 return resp;
2961 resp = copy_supp_rates(hapd, sta, &elems);
2962 if (resp != WLAN_STATUS_SUCCESS)
2963 return resp;
2964
2965 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
2966 if (resp != WLAN_STATUS_SUCCESS)
2967 return resp;
2968
2969 #ifdef CONFIG_IEEE80211N
2970 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2971 if (resp != WLAN_STATUS_SUCCESS)
2972 return resp;
2973 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2974 !(sta->flags & WLAN_STA_HT)) {
2975 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2976 HOSTAPD_LEVEL_INFO, "Station does not support "
2977 "mandatory HT PHY - reject association");
2978 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2979 }
2980 #endif /* CONFIG_IEEE80211N */
2981
2982 #ifdef CONFIG_IEEE80211AC
2983 if (hapd->iconf->ieee80211ac) {
2984 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2985 if (resp != WLAN_STATUS_SUCCESS)
2986 return resp;
2987
2988 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2989 if (resp != WLAN_STATUS_SUCCESS)
2990 return resp;
2991 }
2992
2993 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2994 !(sta->flags & WLAN_STA_VHT)) {
2995 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2996 HOSTAPD_LEVEL_INFO, "Station does not support "
2997 "mandatory VHT PHY - reject association");
2998 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2999 }
3000
3001 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
3002 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
3003 elems.vendor_vht_len);
3004 if (resp != WLAN_STATUS_SUCCESS)
3005 return resp;
3006 }
3007 #endif /* CONFIG_IEEE80211AC */
3008 #ifdef CONFIG_IEEE80211AX
3009 if (hapd->iconf->ieee80211ax) {
3010 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3011 elems.he_capabilities,
3012 elems.he_capabilities_len);
3013 if (resp != WLAN_STATUS_SUCCESS)
3014 return resp;
3015 }
3016 #endif /* CONFIG_IEEE80211AX */
3017
3018 #ifdef CONFIG_P2P
3019 if (elems.p2p) {
3020 wpabuf_free(sta->p2p_ie);
3021 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3022 P2P_IE_VENDOR_TYPE);
3023 if (sta->p2p_ie)
3024 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
3025 } else {
3026 wpabuf_free(sta->p2p_ie);
3027 sta->p2p_ie = NULL;
3028 }
3029 #endif /* CONFIG_P2P */
3030
3031 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
3032 wpa_ie = elems.rsn_ie;
3033 wpa_ie_len = elems.rsn_ie_len;
3034 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
3035 elems.wpa_ie) {
3036 wpa_ie = elems.wpa_ie;
3037 wpa_ie_len = elems.wpa_ie_len;
3038 } else {
3039 wpa_ie = NULL;
3040 wpa_ie_len = 0;
3041 }
3042
3043 #ifdef CONFIG_WPS
3044 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
3045 if (hapd->conf->wps_state && elems.wps_ie) {
3046 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
3047 "Request - assume WPS is used");
3048 sta->flags |= WLAN_STA_WPS;
3049 wpabuf_free(sta->wps_ie);
3050 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3051 WPS_IE_VENDOR_TYPE);
3052 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
3053 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
3054 sta->flags |= WLAN_STA_WPS2;
3055 }
3056 wpa_ie = NULL;
3057 wpa_ie_len = 0;
3058 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
3059 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
3060 "(Re)Association Request - reject");
3061 return WLAN_STATUS_INVALID_IE;
3062 }
3063 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
3064 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
3065 "(Re)Association Request - possible WPS use");
3066 sta->flags |= WLAN_STA_MAYBE_WPS;
3067 } else
3068 #endif /* CONFIG_WPS */
3069 if (hapd->conf->wpa && wpa_ie == NULL) {
3070 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3071 HOSTAPD_LEVEL_INFO,
3072 "No WPA/RSN IE in association request");
3073 return WLAN_STATUS_INVALID_IE;
3074 }
3075
3076 if (hapd->conf->wpa && wpa_ie) {
3077 int res;
3078 wpa_ie -= 2;
3079 wpa_ie_len += 2;
3080 if (sta->wpa_sm == NULL)
3081 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3082 sta->addr,
3083 p2p_dev_addr);
3084 if (sta->wpa_sm == NULL) {
3085 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3086 "state machine");
3087 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3088 }
3089 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
3090 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3091 hapd->iface->freq,
3092 wpa_ie, wpa_ie_len,
3093 elems.mdie, elems.mdie_len,
3094 elems.owe_dh, elems.owe_dh_len);
3095 resp = wpa_res_to_status_code(res);
3096 if (resp != WLAN_STATUS_SUCCESS)
3097 return resp;
3098 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3099 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3100 !sta->sa_query_timed_out &&
3101 sta->sa_query_count > 0)
3102 ap_check_sa_query_timeout(hapd, sta);
3103 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3104 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3105 !sta->sa_query_timed_out &&
3106 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3107 /*
3108 * STA has already been associated with MFP and SA
3109 * Query timeout has not been reached. Reject the
3110 * association attempt temporarily and start SA Query,
3111 * if one is not pending.
3112 */
3113
3114 if (sta->sa_query_count == 0)
3115 ap_sta_start_sa_query(hapd, sta);
3116
3117 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
3118 }
3119
3120 if (wpa_auth_uses_mfp(sta->wpa_sm))
3121 sta->flags |= WLAN_STA_MFP;
3122 else
3123 sta->flags &= ~WLAN_STA_MFP;
3124
3125 #ifdef CONFIG_IEEE80211R_AP
3126 if (sta->auth_alg == WLAN_AUTH_FT) {
3127 if (!reassoc) {
3128 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
3129 "to use association (not "
3130 "re-association) with FT auth_alg",
3131 MAC2STR(sta->addr));
3132 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3133 }
3134
3135 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
3136 ies_len);
3137 if (resp != WLAN_STATUS_SUCCESS)
3138 return resp;
3139 }
3140 #endif /* CONFIG_IEEE80211R_AP */
3141
3142 #ifdef CONFIG_SAE
3143 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3144 sta->sae->state == SAE_ACCEPTED)
3145 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3146
3147 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3148 sta->auth_alg == WLAN_AUTH_OPEN) {
3149 struct rsn_pmksa_cache_entry *sa;
3150 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3151 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3152 wpa_printf(MSG_DEBUG,
3153 "SAE: No PMKSA cache entry found for "
3154 MACSTR, MAC2STR(sta->addr));
3155 return WLAN_STATUS_INVALID_PMKID;
3156 }
3157 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3158 " using PMKSA caching", MAC2STR(sta->addr));
3159 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3160 sta->auth_alg != WLAN_AUTH_SAE &&
3161 !(sta->auth_alg == WLAN_AUTH_FT &&
3162 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3163 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3164 "SAE AKM after non-SAE auth_alg %u",
3165 MAC2STR(sta->addr), sta->auth_alg);
3166 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3167 }
3168 #endif /* CONFIG_SAE */
3169
3170 #ifdef CONFIG_OWE
3171 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3172 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3173 elems.owe_dh) {
3174 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3175 elems.owe_dh_len);
3176 if (resp != WLAN_STATUS_SUCCESS)
3177 return resp;
3178 }
3179 #endif /* CONFIG_OWE */
3180
3181 #ifdef CONFIG_DPP2
3182 dpp_pfs_free(sta->dpp_pfs);
3183 sta->dpp_pfs = NULL;
3184
3185 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3186 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3187 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3188 elems.owe_dh) {
3189 sta->dpp_pfs = dpp_pfs_init(
3190 wpabuf_head(hapd->conf->dpp_netaccesskey),
3191 wpabuf_len(hapd->conf->dpp_netaccesskey));
3192 if (!sta->dpp_pfs) {
3193 wpa_printf(MSG_DEBUG,
3194 "DPP: Could not initialize PFS");
3195 /* Try to continue without PFS */
3196 goto pfs_fail;
3197 }
3198
3199 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3200 elems.owe_dh_len) < 0) {
3201 dpp_pfs_free(sta->dpp_pfs);
3202 sta->dpp_pfs = NULL;
3203 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3204 }
3205 }
3206
3207 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3208 sta->dpp_pfs->secret : NULL);
3209 pfs_fail:
3210 #endif /* CONFIG_DPP2 */
3211
3212 #ifdef CONFIG_IEEE80211N
3213 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3214 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3215 hostapd_logger(hapd, sta->addr,
3216 HOSTAPD_MODULE_IEEE80211,
3217 HOSTAPD_LEVEL_INFO,
3218 "Station tried to use TKIP with HT "
3219 "association");
3220 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3221 }
3222 #endif /* CONFIG_IEEE80211N */
3223 #ifdef CONFIG_HS20
3224 } else if (hapd->conf->osen) {
3225 if (elems.osen == NULL) {
3226 hostapd_logger(
3227 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3228 HOSTAPD_LEVEL_INFO,
3229 "No HS 2.0 OSEN element in association request");
3230 return WLAN_STATUS_INVALID_IE;
3231 }
3232
3233 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3234 if (sta->wpa_sm == NULL)
3235 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3236 sta->addr, NULL);
3237 if (sta->wpa_sm == NULL) {
3238 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3239 "state machine");
3240 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3241 }
3242 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3243 elems.osen - 2, elems.osen_len + 2) < 0)
3244 return WLAN_STATUS_INVALID_IE;
3245 #endif /* CONFIG_HS20 */
3246 } else
3247 wpa_auth_sta_no_wpa(sta->wpa_sm);
3248
3249 #ifdef CONFIG_P2P
3250 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3251 #endif /* CONFIG_P2P */
3252
3253 #ifdef CONFIG_HS20
3254 wpabuf_free(sta->hs20_ie);
3255 if (elems.hs20 && elems.hs20_len > 4) {
3256 int release;
3257
3258 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3259 elems.hs20_len - 4);
3260 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3261 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
3262 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3263 wpa_printf(MSG_DEBUG,
3264 "HS 2.0: PMF not negotiated by release %d station "
3265 MACSTR, release, MAC2STR(sta->addr));
3266 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3267 }
3268 } else {
3269 sta->hs20_ie = NULL;
3270 }
3271
3272 wpabuf_free(sta->roaming_consortium);
3273 if (elems.roaming_cons_sel)
3274 sta->roaming_consortium = wpabuf_alloc_copy(
3275 elems.roaming_cons_sel + 4,
3276 elems.roaming_cons_sel_len - 4);
3277 else
3278 sta->roaming_consortium = NULL;
3279 #endif /* CONFIG_HS20 */
3280
3281 #ifdef CONFIG_FST
3282 wpabuf_free(sta->mb_ies);
3283 if (hapd->iface->fst)
3284 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3285 else
3286 sta->mb_ies = NULL;
3287 #endif /* CONFIG_FST */
3288
3289 #ifdef CONFIG_MBO
3290 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3291
3292 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3293 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3294 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3295 wpa_printf(MSG_INFO,
3296 "MBO: Reject WPA2 association without PMF");
3297 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3298 }
3299 #endif /* CONFIG_MBO */
3300
3301 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3302 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3303 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3304 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3305 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3306 struct wpa_channel_info ci;
3307 int tx_chanwidth;
3308 int tx_seg1_idx;
3309
3310 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3311 wpa_printf(MSG_WARNING,
3312 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3313 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3314 }
3315
3316 if (get_sta_tx_parameters(sta->wpa_sm,
3317 channel_width_to_int(ci.chanwidth),
3318 ci.seg1_idx, &tx_chanwidth,
3319 &tx_seg1_idx) < 0)
3320 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3321
3322 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3323 tx_chanwidth, tx_seg1_idx) != 0) {
3324 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3325 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3326 }
3327 }
3328 #endif /* CONFIG_FILS && CONFIG_OCV */
3329
3330 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3331 elems.supp_op_classes_len);
3332
3333 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3334 elems.rrm_enabled &&
3335 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3336 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3337 sizeof(sta->rrm_enabled_capa));
3338
3339 if (elems.power_capab) {
3340 sta->min_tx_power = elems.power_capab[0];
3341 sta->max_tx_power = elems.power_capab[1];
3342 sta->power_capab = 1;
3343 } else {
3344 sta->power_capab = 0;
3345 }
3346
3347 return WLAN_STATUS_SUCCESS;
3348 }
3349
3350
3351 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3352 u16 reason_code)
3353 {
3354 int send_len;
3355 struct ieee80211_mgmt reply;
3356
3357 os_memset(&reply, 0, sizeof(reply));
3358 reply.frame_control =
3359 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3360 os_memcpy(reply.da, addr, ETH_ALEN);
3361 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3362 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3363
3364 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3365 reply.u.deauth.reason_code = host_to_le16(reason_code);
3366
3367 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
3368 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3369 strerror(errno));
3370 }
3371
3372
3373 static int add_associated_sta(struct hostapd_data *hapd,
3374 struct sta_info *sta, int reassoc)
3375 {
3376 struct ieee80211_ht_capabilities ht_cap;
3377 struct ieee80211_vht_capabilities vht_cap;
3378 struct ieee80211_he_capabilities he_cap;
3379 int set = 1;
3380
3381 /*
3382 * Remove the STA entry to ensure the STA PS state gets cleared and
3383 * configuration gets updated. This is relevant for cases, such as
3384 * FT-over-the-DS, where a station re-associates back to the same AP but
3385 * skips the authentication flow, or if working with a driver that
3386 * does not support full AP client state.
3387 *
3388 * Skip this if the STA has already completed FT reassociation and the
3389 * TK has been configured since the TX/RX PN must not be reset to 0 for
3390 * the same key.
3391 *
3392 * FT-over-the-DS has a special case where the STA entry (and as such,
3393 * the TK) has not yet been configured to the driver depending on which
3394 * driver interface is used. For that case, allow add-STA operation to
3395 * be used (instead of set-STA). This is needed to allow mac80211-based
3396 * drivers to accept the STA parameter configuration. Since this is
3397 * after a new FT-over-DS exchange, a new TK has been derived, so key
3398 * reinstallation is not a concern for this case.
3399 */
3400 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3401 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3402 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3403 sta->ft_over_ds, reassoc,
3404 !!(sta->flags & WLAN_STA_AUTHORIZED),
3405 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3406 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3407
3408 if (!sta->added_unassoc &&
3409 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3410 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3411 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3412 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3413 hostapd_drv_sta_remove(hapd, sta->addr);
3414 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3415 set = 0;
3416
3417 /* Do not allow the FT-over-DS exception to be used more than
3418 * once per authentication exchange to guarantee a new TK is
3419 * used here */
3420 sta->ft_over_ds = 0;
3421 }
3422
3423 #ifdef CONFIG_IEEE80211N
3424 if (sta->flags & WLAN_STA_HT)
3425 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3426 #endif /* CONFIG_IEEE80211N */
3427 #ifdef CONFIG_IEEE80211AC
3428 if (sta->flags & WLAN_STA_VHT)
3429 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3430 #endif /* CONFIG_IEEE80211AC */
3431 #ifdef CONFIG_IEEE80211AX
3432 if (sta->flags & WLAN_STA_HE) {
3433 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
3434 sta->he_capab_len);
3435 }
3436 #endif /* CONFIG_IEEE80211AX */
3437
3438 /*
3439 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3440 * will be set when the ACK frame for the (Re)Association Response frame
3441 * is processed (TX status driver event).
3442 */
3443 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3444 sta->supported_rates, sta->supported_rates_len,
3445 sta->listen_interval,
3446 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3447 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3448 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
3449 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
3450 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3451 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3452 set)) {
3453 hostapd_logger(hapd, sta->addr,
3454 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3455 "Could not %s STA to kernel driver",
3456 set ? "set" : "add");
3457
3458 if (sta->added_unassoc) {
3459 hostapd_drv_sta_remove(hapd, sta->addr);
3460 sta->added_unassoc = 0;
3461 }
3462
3463 return -1;
3464 }
3465
3466 sta->added_unassoc = 0;
3467
3468 return 0;
3469 }
3470
3471
3472 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3473 const u8 *addr, u16 status_code, int reassoc,
3474 const u8 *ies, size_t ies_len, int rssi)
3475 {
3476 int send_len;
3477 u8 *buf;
3478 size_t buflen;
3479 struct ieee80211_mgmt *reply;
3480 u8 *p;
3481 u16 res = WLAN_STATUS_SUCCESS;
3482
3483 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3484 #ifdef CONFIG_FILS
3485 if (sta && sta->fils_hlp_resp)
3486 buflen += wpabuf_len(sta->fils_hlp_resp);
3487 if (sta)
3488 buflen += 150;
3489 #endif /* CONFIG_FILS */
3490 #ifdef CONFIG_OWE
3491 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3492 buflen += 150;
3493 #endif /* CONFIG_OWE */
3494 #ifdef CONFIG_DPP2
3495 if (sta && sta->dpp_pfs)
3496 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3497 #endif /* CONFIG_DPP2 */
3498 buf = os_zalloc(buflen);
3499 if (!buf) {
3500 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3501 goto done;
3502 }
3503 reply = (struct ieee80211_mgmt *) buf;
3504 reply->frame_control =
3505 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3506 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3507 WLAN_FC_STYPE_ASSOC_RESP));
3508 os_memcpy(reply->da, addr, ETH_ALEN);
3509 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3510 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3511
3512 send_len = IEEE80211_HDRLEN;
3513 send_len += sizeof(reply->u.assoc_resp);
3514 reply->u.assoc_resp.capab_info =
3515 host_to_le16(hostapd_own_capab_info(hapd));
3516 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3517
3518 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3519 BIT(14) | BIT(15));
3520 /* Supported rates */
3521 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3522 /* Extended supported rates */
3523 p = hostapd_eid_ext_supp_rates(hapd, p);
3524
3525 #ifdef CONFIG_MBO
3526 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3527 rssi != 0) {
3528 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3529
3530 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3531 delta);
3532 }
3533 #endif /* CONFIG_MBO */
3534
3535 #ifdef CONFIG_IEEE80211R_AP
3536 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3537 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3538 * Transition Information, RSN, [RIC Response] */
3539 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3540 buf + buflen - p,
3541 sta->auth_alg, ies, ies_len);
3542 if (!p) {
3543 wpa_printf(MSG_DEBUG,
3544 "FT: Failed to write AssocResp IEs");
3545 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3546 goto done;
3547 }
3548 }
3549 #endif /* CONFIG_IEEE80211R_AP */
3550 #ifdef CONFIG_FILS
3551 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3552 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3553 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3554 sta->auth_alg == WLAN_AUTH_FILS_PK))
3555 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
3556 buf + buflen - p,
3557 ies, ies_len);
3558 #endif /* CONFIG_FILS */
3559
3560 #ifdef CONFIG_OWE
3561 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3562 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3563 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3564 buf + buflen - p,
3565 ies, ies_len);
3566 #endif /* CONFIG_OWE */
3567
3568 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3569 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3570
3571 #ifdef CONFIG_IEEE80211N
3572 p = hostapd_eid_ht_capabilities(hapd, p);
3573 p = hostapd_eid_ht_operation(hapd, p);
3574 #endif /* CONFIG_IEEE80211N */
3575
3576 #ifdef CONFIG_IEEE80211AC
3577 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
3578 u32 nsts = 0, sta_nsts;
3579
3580 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3581 struct ieee80211_vht_capabilities *capa;
3582
3583 nsts = (hapd->iface->conf->vht_capab >>
3584 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3585 capa = sta->vht_capabilities;
3586 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3587 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3588
3589 if (nsts < sta_nsts)
3590 nsts = 0;
3591 else
3592 nsts = sta_nsts;
3593 }
3594 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3595 p = hostapd_eid_vht_operation(hapd, p);
3596 }
3597 #endif /* CONFIG_IEEE80211AC */
3598
3599 #ifdef CONFIG_IEEE80211AX
3600 if (hapd->iconf->ieee80211ax) {
3601 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
3602 p = hostapd_eid_he_operation(hapd, p);
3603 p = hostapd_eid_spatial_reuse(hapd, p);
3604 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
3605 }
3606 #endif /* CONFIG_IEEE80211AX */
3607
3608 p = hostapd_eid_ext_capab(hapd, p);
3609 p = hostapd_eid_bss_max_idle_period(hapd, p);
3610 if (sta && sta->qos_map_enabled)
3611 p = hostapd_eid_qos_map_set(hapd, p);
3612
3613 #ifdef CONFIG_FST
3614 if (hapd->iface->fst_ies) {
3615 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3616 wpabuf_len(hapd->iface->fst_ies));
3617 p += wpabuf_len(hapd->iface->fst_ies);
3618 }
3619 #endif /* CONFIG_FST */
3620
3621 #ifdef CONFIG_OWE
3622 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3623 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3624 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3625 struct wpabuf *pub;
3626
3627 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3628 if (!pub) {
3629 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3630 goto done;
3631 }
3632 /* OWE Diffie-Hellman Parameter element */
3633 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3634 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3635 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3636 WPA_PUT_LE16(p, sta->owe_group);
3637 p += 2;
3638 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3639 p += wpabuf_len(pub);
3640 wpabuf_free(pub);
3641 }
3642 #endif /* CONFIG_OWE */
3643
3644 #ifdef CONFIG_DPP2
3645 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3646 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3647 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3648 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3649 wpabuf_len(sta->dpp_pfs->ie));
3650 p += wpabuf_len(sta->dpp_pfs->ie);
3651 }
3652 #endif /* CONFIG_DPP2 */
3653
3654 #ifdef CONFIG_IEEE80211AC
3655 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3656 p = hostapd_eid_vendor_vht(hapd, p);
3657 #endif /* CONFIG_IEEE80211AC */
3658
3659 if (sta && (sta->flags & WLAN_STA_WMM))
3660 p = hostapd_eid_wmm(hapd, p);
3661
3662 #ifdef CONFIG_WPS
3663 if (sta &&
3664 ((sta->flags & WLAN_STA_WPS) ||
3665 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3666 struct wpabuf *wps = wps_build_assoc_resp_ie();
3667 if (wps) {
3668 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3669 p += wpabuf_len(wps);
3670 wpabuf_free(wps);
3671 }
3672 }
3673 #endif /* CONFIG_WPS */
3674
3675 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3676 p = hostapd_eid_multi_ap(hapd, p);
3677
3678 #ifdef CONFIG_P2P
3679 if (sta && sta->p2p_ie && hapd->p2p_group) {
3680 struct wpabuf *p2p_resp_ie;
3681 enum p2p_status_code status;
3682 switch (status_code) {
3683 case WLAN_STATUS_SUCCESS:
3684 status = P2P_SC_SUCCESS;
3685 break;
3686 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3687 status = P2P_SC_FAIL_LIMIT_REACHED;
3688 break;
3689 default:
3690 status = P2P_SC_FAIL_INVALID_PARAMS;
3691 break;
3692 }
3693 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3694 if (p2p_resp_ie) {
3695 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3696 wpabuf_len(p2p_resp_ie));
3697 p += wpabuf_len(p2p_resp_ie);
3698 wpabuf_free(p2p_resp_ie);
3699 }
3700 }
3701 #endif /* CONFIG_P2P */
3702
3703 #ifdef CONFIG_P2P_MANAGER
3704 if (hapd->conf->p2p & P2P_MANAGE)
3705 p = hostapd_eid_p2p_manage(hapd, p);
3706 #endif /* CONFIG_P2P_MANAGER */
3707
3708 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3709
3710 if (hapd->conf->assocresp_elements &&
3711 (size_t) (buf + buflen - p) >=
3712 wpabuf_len(hapd->conf->assocresp_elements)) {
3713 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3714 wpabuf_len(hapd->conf->assocresp_elements));
3715 p += wpabuf_len(hapd->conf->assocresp_elements);
3716 }
3717
3718 send_len += p - reply->u.assoc_resp.variable;
3719
3720 #ifdef CONFIG_FILS
3721 if (sta &&
3722 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3723 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3724 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3725 status_code == WLAN_STATUS_SUCCESS) {
3726 struct ieee802_11_elems elems;
3727
3728 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3729 ParseFailed || !elems.fils_session) {
3730 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3731 goto done;
3732 }
3733
3734 /* FILS Session */
3735 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3736 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3737 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3738 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3739 send_len += 2 + 1 + FILS_SESSION_LEN;
3740
3741 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3742 buflen, sta->fils_hlp_resp);
3743 if (send_len < 0) {
3744 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3745 goto done;
3746 }
3747 }
3748 #endif /* CONFIG_FILS */
3749
3750 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
3751 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3752 strerror(errno));
3753 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3754 }
3755
3756 done:
3757 os_free(buf);
3758 return res;
3759 }
3760
3761
3762 #ifdef CONFIG_OWE
3763 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3764 const u8 *owe_dh, u8 owe_dh_len,
3765 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3766 {
3767 #ifdef CONFIG_TESTING_OPTIONS
3768 if (hapd->conf->own_ie_override) {
3769 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3770 *reason = WLAN_STATUS_SUCCESS;
3771 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3772 owe_buf_len, NULL, 0);
3773 }
3774 #endif /* CONFIG_TESTING_OPTIONS */
3775
3776 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3777 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3778 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3779 owe_buf_len, NULL, 0);
3780 *reason = WLAN_STATUS_SUCCESS;
3781 return owe_buf;
3782 }
3783
3784 if (sta->owe_pmk && sta->external_dh_updated) {
3785 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
3786 *reason = WLAN_STATUS_SUCCESS;
3787 return owe_buf;
3788 }
3789
3790 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3791 if (*reason != WLAN_STATUS_SUCCESS)
3792 return NULL;
3793
3794 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3795 owe_buf_len, NULL, 0);
3796
3797 if (sta->owe_ecdh && owe_buf) {
3798 struct wpabuf *pub;
3799
3800 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3801 if (!pub) {
3802 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3803 return owe_buf;
3804 }
3805
3806 /* OWE Diffie-Hellman Parameter element */
3807 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3808 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3809 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3810 */
3811 WPA_PUT_LE16(owe_buf, sta->owe_group);
3812 owe_buf += 2;
3813 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3814 owe_buf += wpabuf_len(pub);
3815 wpabuf_free(pub);
3816 }
3817
3818 return owe_buf;
3819 }
3820 #endif /* CONFIG_OWE */
3821
3822
3823 #ifdef CONFIG_FILS
3824
3825 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3826 {
3827 u16 reply_res;
3828
3829 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3830 MAC2STR(sta->addr));
3831 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3832 if (!sta->fils_pending_assoc_req)
3833 return;
3834 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3835 sta->fils_pending_assoc_is_reassoc,
3836 sta->fils_pending_assoc_req,
3837 sta->fils_pending_assoc_req_len, 0);
3838 os_free(sta->fils_pending_assoc_req);
3839 sta->fils_pending_assoc_req = NULL;
3840 sta->fils_pending_assoc_req_len = 0;
3841 wpabuf_free(sta->fils_hlp_resp);
3842 sta->fils_hlp_resp = NULL;
3843 wpabuf_free(sta->hlp_dhcp_discover);
3844 sta->hlp_dhcp_discover = NULL;
3845
3846 /*
3847 * Remove the station in case transmission of a success response fails.
3848 * At this point the station was already added associated to the driver.
3849 */
3850 if (reply_res != WLAN_STATUS_SUCCESS)
3851 hostapd_drv_sta_remove(hapd, sta->addr);
3852 }
3853
3854
3855 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3856 {
3857 struct hostapd_data *hapd = eloop_ctx;
3858 struct sta_info *sta = eloop_data;
3859
3860 wpa_printf(MSG_DEBUG,
3861 "FILS: HLP response timeout - continue with association response for "
3862 MACSTR, MAC2STR(sta->addr));
3863 if (sta->fils_drv_assoc_finish)
3864 hostapd_notify_assoc_fils_finish(hapd, sta);
3865 else
3866 fils_hlp_finish_assoc(hapd, sta);
3867 }
3868
3869 #endif /* CONFIG_FILS */
3870
3871
3872 static void handle_assoc(struct hostapd_data *hapd,
3873 const struct ieee80211_mgmt *mgmt, size_t len,
3874 int reassoc, int rssi)
3875 {
3876 u16 capab_info, listen_interval, seq_ctrl, fc;
3877 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3878 const u8 *pos;
3879 int left, i;
3880 struct sta_info *sta;
3881 u8 *tmp = NULL;
3882 struct hostapd_sta_wpa_psk_short *psk = NULL;
3883 char *identity = NULL;
3884 char *radius_cui = NULL;
3885 #ifdef CONFIG_FILS
3886 int delay_assoc = 0;
3887 #endif /* CONFIG_FILS */
3888
3889 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3890 sizeof(mgmt->u.assoc_req))) {
3891 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3892 reassoc, (unsigned long) len);
3893 return;
3894 }
3895
3896 #ifdef CONFIG_TESTING_OPTIONS
3897 if (reassoc) {
3898 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3899 drand48() < hapd->iconf->ignore_reassoc_probability) {
3900 wpa_printf(MSG_INFO,
3901 "TESTING: ignoring reassoc request from "
3902 MACSTR, MAC2STR(mgmt->sa));
3903 return;
3904 }
3905 } else {
3906 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3907 drand48() < hapd->iconf->ignore_assoc_probability) {
3908 wpa_printf(MSG_INFO,
3909 "TESTING: ignoring assoc request from "
3910 MACSTR, MAC2STR(mgmt->sa));
3911 return;
3912 }
3913 }
3914 #endif /* CONFIG_TESTING_OPTIONS */
3915
3916 fc = le_to_host16(mgmt->frame_control);
3917 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3918
3919 if (reassoc) {
3920 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3921 listen_interval = le_to_host16(
3922 mgmt->u.reassoc_req.listen_interval);
3923 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3924 " capab_info=0x%02x listen_interval=%d current_ap="
3925 MACSTR " seq_ctrl=0x%x%s",
3926 MAC2STR(mgmt->sa), capab_info, listen_interval,
3927 MAC2STR(mgmt->u.reassoc_req.current_ap),
3928 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3929 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3930 pos = mgmt->u.reassoc_req.variable;
3931 } else {
3932 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3933 listen_interval = le_to_host16(
3934 mgmt->u.assoc_req.listen_interval);
3935 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3936 " capab_info=0x%02x listen_interval=%d "
3937 "seq_ctrl=0x%x%s",
3938 MAC2STR(mgmt->sa), capab_info, listen_interval,
3939 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3940 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3941 pos = mgmt->u.assoc_req.variable;
3942 }
3943
3944 sta = ap_get_sta(hapd, mgmt->sa);
3945 #ifdef CONFIG_IEEE80211R_AP
3946 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3947 (sta->flags & WLAN_STA_AUTH) == 0) {
3948 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3949 "prior to authentication since it is using "
3950 "over-the-DS FT", MAC2STR(mgmt->sa));
3951
3952 /*
3953 * Mark station as authenticated, to avoid adding station
3954 * entry in the driver as associated and not authenticated
3955 */
3956 sta->flags |= WLAN_STA_AUTH;
3957 } else
3958 #endif /* CONFIG_IEEE80211R_AP */
3959 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3960 if (hapd->iface->current_mode &&
3961 hapd->iface->current_mode->mode ==
3962 HOSTAPD_MODE_IEEE80211AD) {
3963 int acl_res;
3964 u32 session_timeout, acct_interim_interval;
3965 struct vlan_description vlan_id;
3966
3967 acl_res = ieee802_11_allowed_address(
3968 hapd, mgmt->sa, (const u8 *) mgmt, len,
3969 &session_timeout, &acct_interim_interval,
3970 &vlan_id, &psk, &identity, &radius_cui, 0);
3971 if (acl_res == HOSTAPD_ACL_REJECT) {
3972 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3973 "Ignore Association Request frame from "
3974 MACSTR " due to ACL reject",
3975 MAC2STR(mgmt->sa));
3976 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3977 goto fail;
3978 }
3979 if (acl_res == HOSTAPD_ACL_PENDING)
3980 return;
3981
3982 /* DMG/IEEE 802.11ad does not use authentication.
3983 * Allocate sta entry upon association. */
3984 sta = ap_sta_add(hapd, mgmt->sa);
3985 if (!sta) {
3986 hostapd_logger(hapd, mgmt->sa,
3987 HOSTAPD_MODULE_IEEE80211,
3988 HOSTAPD_LEVEL_INFO,
3989 "Failed to add STA");
3990 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3991 goto fail;
3992 }
3993
3994 acl_res = ieee802_11_set_radius_info(
3995 hapd, sta, acl_res, session_timeout,
3996 acct_interim_interval, &vlan_id, &psk,
3997 &identity, &radius_cui);
3998 if (acl_res) {
3999 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4000 goto fail;
4001 }
4002
4003 hostapd_logger(hapd, sta->addr,
4004 HOSTAPD_MODULE_IEEE80211,
4005 HOSTAPD_LEVEL_DEBUG,
4006 "Skip authentication for DMG/IEEE 802.11ad");
4007 sta->flags |= WLAN_STA_AUTH;
4008 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
4009 sta->auth_alg = WLAN_AUTH_OPEN;
4010 } else {
4011 hostapd_logger(hapd, mgmt->sa,
4012 HOSTAPD_MODULE_IEEE80211,
4013 HOSTAPD_LEVEL_INFO,
4014 "Station tried to associate before authentication (aid=%d flags=0x%x)",
4015 sta ? sta->aid : -1,
4016 sta ? sta->flags : 0);
4017 send_deauth(hapd, mgmt->sa,
4018 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
4019 return;
4020 }
4021 }
4022
4023 if ((fc & WLAN_FC_RETRY) &&
4024 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4025 sta->last_seq_ctrl == seq_ctrl &&
4026 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4027 WLAN_FC_STYPE_ASSOC_REQ)) {
4028 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4029 HOSTAPD_LEVEL_DEBUG,
4030 "Drop repeated association frame seq_ctrl=0x%x",
4031 seq_ctrl);
4032 return;
4033 }
4034 sta->last_seq_ctrl = seq_ctrl;
4035 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4036 WLAN_FC_STYPE_ASSOC_REQ;
4037
4038 if (hapd->tkip_countermeasures) {
4039 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4040 goto fail;
4041 }
4042
4043 if (listen_interval > hapd->conf->max_listen_interval) {
4044 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4045 HOSTAPD_LEVEL_DEBUG,
4046 "Too large Listen Interval (%d)",
4047 listen_interval);
4048 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
4049 goto fail;
4050 }
4051
4052 #ifdef CONFIG_MBO
4053 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
4054 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4055 goto fail;
4056 }
4057
4058 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
4059 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
4060 (sta->auth_rssi == 0 ||
4061 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
4062 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
4063 goto fail;
4064 }
4065 #endif /* CONFIG_MBO */
4066
4067 /*
4068 * sta->capability is used in check_assoc_ies() for RRM enabled
4069 * capability element.
4070 */
4071 sta->capability = capab_info;
4072
4073 #ifdef CONFIG_FILS
4074 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4075 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4076 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4077 int res;
4078
4079 /* The end of the payload is encrypted. Need to decrypt it
4080 * before parsing. */
4081
4082 tmp = os_memdup(pos, left);
4083 if (!tmp) {
4084 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4085 goto fail;
4086 }
4087
4088 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
4089 len, tmp, left);
4090 if (res < 0) {
4091 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4092 goto fail;
4093 }
4094 pos = tmp;
4095 left = res;
4096 }
4097 #endif /* CONFIG_FILS */
4098
4099 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
4100 * is used */
4101 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
4102 if (resp != WLAN_STATUS_SUCCESS)
4103 goto fail;
4104
4105 if (hostapd_get_aid(hapd, sta) < 0) {
4106 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4107 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
4108 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4109 goto fail;
4110 }
4111
4112 sta->listen_interval = listen_interval;
4113
4114 if (hapd->iface->current_mode &&
4115 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
4116 sta->flags |= WLAN_STA_NONERP;
4117 for (i = 0; i < sta->supported_rates_len; i++) {
4118 if ((sta->supported_rates[i] & 0x7f) > 22) {
4119 sta->flags &= ~WLAN_STA_NONERP;
4120 break;
4121 }
4122 }
4123 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
4124 sta->nonerp_set = 1;
4125 hapd->iface->num_sta_non_erp++;
4126 if (hapd->iface->num_sta_non_erp == 1)
4127 ieee802_11_set_beacons(hapd->iface);
4128 }
4129
4130 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
4131 !sta->no_short_slot_time_set) {
4132 sta->no_short_slot_time_set = 1;
4133 hapd->iface->num_sta_no_short_slot_time++;
4134 if (hapd->iface->current_mode &&
4135 hapd->iface->current_mode->mode ==
4136 HOSTAPD_MODE_IEEE80211G &&
4137 hapd->iface->num_sta_no_short_slot_time == 1)
4138 ieee802_11_set_beacons(hapd->iface);
4139 }
4140
4141 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
4142 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
4143 else
4144 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
4145
4146 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
4147 !sta->no_short_preamble_set) {
4148 sta->no_short_preamble_set = 1;
4149 hapd->iface->num_sta_no_short_preamble++;
4150 if (hapd->iface->current_mode &&
4151 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
4152 && hapd->iface->num_sta_no_short_preamble == 1)
4153 ieee802_11_set_beacons(hapd->iface);
4154 }
4155
4156 #ifdef CONFIG_IEEE80211N
4157 update_ht_state(hapd, sta);
4158 #endif /* CONFIG_IEEE80211N */
4159
4160 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4161 HOSTAPD_LEVEL_DEBUG,
4162 "association OK (aid %d)", sta->aid);
4163 /* Station will be marked associated, after it acknowledges AssocResp
4164 */
4165 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
4166
4167 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
4168 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
4169 "SA Query procedure", reassoc ? "re" : "");
4170 /* TODO: Send a protected Disassociate frame to the STA using
4171 * the old key and Reason Code "Previous Authentication no
4172 * longer valid". Make sure this is only sent protected since
4173 * unprotected frame would be received by the STA that is now
4174 * trying to associate.
4175 */
4176 }
4177
4178 /* Make sure that the previously registered inactivity timer will not
4179 * remove the STA immediately. */
4180 sta->timeout_next = STA_NULLFUNC;
4181
4182 #ifdef CONFIG_TAXONOMY
4183 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4184 #endif /* CONFIG_TAXONOMY */
4185
4186 sta->pending_wds_enable = 0;
4187
4188 #ifdef CONFIG_FILS
4189 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4190 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4191 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4192 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4193 delay_assoc = 1;
4194 }
4195 #endif /* CONFIG_FILS */
4196
4197 fail:
4198 os_free(identity);
4199 os_free(radius_cui);
4200 hostapd_free_psk_list(psk);
4201
4202 /*
4203 * In case of a successful response, add the station to the driver.
4204 * Otherwise, the kernel may ignore Data frames before we process the
4205 * ACK frame (TX status). In case of a failure, this station will be
4206 * removed.
4207 *
4208 * Note that this is not compliant with the IEEE 802.11 standard that
4209 * states that a non-AP station should transition into the
4210 * authenticated/associated state only after the station acknowledges
4211 * the (Re)Association Response frame. However, still do this as:
4212 *
4213 * 1. In case the station does not acknowledge the (Re)Association
4214 * Response frame, it will be removed.
4215 * 2. Data frames will be dropped in the kernel until the station is
4216 * set into authorized state, and there are no significant known
4217 * issues with processing other non-Data Class 3 frames during this
4218 * window.
4219 */
4220 if (resp == WLAN_STATUS_SUCCESS && sta &&
4221 add_associated_sta(hapd, sta, reassoc))
4222 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4223
4224 #ifdef CONFIG_FILS
4225 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4226 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4227 sta->fils_pending_assoc_req) {
4228 /* Do not reschedule fils_hlp_timeout in case the station
4229 * retransmits (Re)Association Request frame while waiting for
4230 * the previously started FILS HLP wait, so that the timeout can
4231 * be determined from the first pending attempt. */
4232 wpa_printf(MSG_DEBUG,
4233 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4234 MACSTR, MAC2STR(sta->addr));
4235 os_free(tmp);
4236 return;
4237 }
4238 if (sta) {
4239 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4240 os_free(sta->fils_pending_assoc_req);
4241 sta->fils_pending_assoc_req = NULL;
4242 sta->fils_pending_assoc_req_len = 0;
4243 wpabuf_free(sta->fils_hlp_resp);
4244 sta->fils_hlp_resp = NULL;
4245 }
4246 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4247 sta->fils_pending_assoc_req = tmp;
4248 sta->fils_pending_assoc_req_len = left;
4249 sta->fils_pending_assoc_is_reassoc = reassoc;
4250 sta->fils_drv_assoc_finish = 0;
4251 wpa_printf(MSG_DEBUG,
4252 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4253 MACSTR, MAC2STR(sta->addr));
4254 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4255 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4256 fils_hlp_timeout, hapd, sta);
4257 return;
4258 }
4259 #endif /* CONFIG_FILS */
4260
4261 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4262 left, rssi);
4263 os_free(tmp);
4264
4265 /*
4266 * Remove the station in case tranmission of a success response fails
4267 * (the STA was added associated to the driver) or if the station was
4268 * previously added unassociated.
4269 */
4270 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4271 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4272 hostapd_drv_sta_remove(hapd, sta->addr);
4273 sta->added_unassoc = 0;
4274 }
4275 }
4276
4277
4278 static void handle_disassoc(struct hostapd_data *hapd,
4279 const struct ieee80211_mgmt *mgmt, size_t len)
4280 {
4281 struct sta_info *sta;
4282
4283 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4284 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4285 (unsigned long) len);
4286 return;
4287 }
4288
4289 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4290 MAC2STR(mgmt->sa),
4291 le_to_host16(mgmt->u.disassoc.reason_code));
4292
4293 sta = ap_get_sta(hapd, mgmt->sa);
4294 if (sta == NULL) {
4295 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4296 MAC2STR(mgmt->sa));
4297 return;
4298 }
4299
4300 ap_sta_set_authorized(hapd, sta, 0);
4301 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4302 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4303 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4304 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4305 HOSTAPD_LEVEL_INFO, "disassociated");
4306 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4307 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4308 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4309 * authenticated. */
4310 accounting_sta_stop(hapd, sta);
4311 ieee802_1x_free_station(hapd, sta);
4312 if (sta->ipaddr)
4313 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4314 ap_sta_ip6addr_del(hapd, sta);
4315 hostapd_drv_sta_remove(hapd, sta->addr);
4316 sta->added_unassoc = 0;
4317
4318 if (sta->timeout_next == STA_NULLFUNC ||
4319 sta->timeout_next == STA_DISASSOC) {
4320 sta->timeout_next = STA_DEAUTH;
4321 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4322 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4323 hapd, sta);
4324 }
4325
4326 mlme_disassociate_indication(
4327 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4328
4329 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4330 * disassociation. */
4331 if (hapd->iface->current_mode &&
4332 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4333 sta->flags &= ~WLAN_STA_AUTH;
4334 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4335 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4336 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4337 ap_free_sta(hapd, sta);
4338 }
4339 }
4340
4341
4342 static void handle_deauth(struct hostapd_data *hapd,
4343 const struct ieee80211_mgmt *mgmt, size_t len)
4344 {
4345 struct sta_info *sta;
4346
4347 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4348 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4349 "payload (len=%lu)", (unsigned long) len);
4350 return;
4351 }
4352
4353 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4354 " reason_code=%d",
4355 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4356
4357 sta = ap_get_sta(hapd, mgmt->sa);
4358 if (sta == NULL) {
4359 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4360 "to deauthenticate, but it is not authenticated",
4361 MAC2STR(mgmt->sa));
4362 return;
4363 }
4364
4365 ap_sta_set_authorized(hapd, sta, 0);
4366 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4367 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4368 WLAN_STA_ASSOC_REQ_OK);
4369 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4370 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4371 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4372 mlme_deauthenticate_indication(
4373 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4374 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4375 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4376 ap_free_sta(hapd, sta);
4377 }
4378
4379
4380 static void handle_beacon(struct hostapd_data *hapd,
4381 const struct ieee80211_mgmt *mgmt, size_t len,
4382 struct hostapd_frame_info *fi)
4383 {
4384 struct ieee802_11_elems elems;
4385
4386 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4387 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4388 (unsigned long) len);
4389 return;
4390 }
4391
4392 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4393 len - (IEEE80211_HDRLEN +
4394 sizeof(mgmt->u.beacon)), &elems,
4395 0);
4396
4397 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4398 }
4399
4400
4401 static int robust_action_frame(u8 category)
4402 {
4403 return category != WLAN_ACTION_PUBLIC &&
4404 category != WLAN_ACTION_HT;
4405 }
4406
4407
4408 static int handle_action(struct hostapd_data *hapd,
4409 const struct ieee80211_mgmt *mgmt, size_t len,
4410 unsigned int freq)
4411 {
4412 struct sta_info *sta;
4413 u8 *action __maybe_unused;
4414
4415 if (len < IEEE80211_HDRLEN + 2 + 1) {
4416 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4417 HOSTAPD_LEVEL_DEBUG,
4418 "handle_action - too short payload (len=%lu)",
4419 (unsigned long) len);
4420 return 0;
4421 }
4422
4423 action = (u8 *) &mgmt->u.action.u;
4424 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4425 " da " MACSTR " len %d freq %u",
4426 mgmt->u.action.category, *action,
4427 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4428
4429 sta = ap_get_sta(hapd, mgmt->sa);
4430
4431 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4432 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4433 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4434 "frame (category=%u) from unassociated STA " MACSTR,
4435 mgmt->u.action.category, MAC2STR(mgmt->sa));
4436 return 0;
4437 }
4438
4439 if (sta && (sta->flags & WLAN_STA_MFP) &&
4440 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4441 robust_action_frame(mgmt->u.action.category)) {
4442 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4443 HOSTAPD_LEVEL_DEBUG,
4444 "Dropped unprotected Robust Action frame from "
4445 "an MFP STA");
4446 return 0;
4447 }
4448
4449 if (sta) {
4450 u16 fc = le_to_host16(mgmt->frame_control);
4451 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4452
4453 if ((fc & WLAN_FC_RETRY) &&
4454 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4455 sta->last_seq_ctrl == seq_ctrl &&
4456 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4457 hostapd_logger(hapd, sta->addr,
4458 HOSTAPD_MODULE_IEEE80211,
4459 HOSTAPD_LEVEL_DEBUG,
4460 "Drop repeated action frame seq_ctrl=0x%x",
4461 seq_ctrl);
4462 return 1;
4463 }
4464
4465 sta->last_seq_ctrl = seq_ctrl;
4466 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4467 }
4468
4469 switch (mgmt->u.action.category) {
4470 #ifdef CONFIG_IEEE80211R_AP
4471 case WLAN_ACTION_FT:
4472 if (!sta ||
4473 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4474 len - IEEE80211_HDRLEN))
4475 break;
4476 return 1;
4477 #endif /* CONFIG_IEEE80211R_AP */
4478 case WLAN_ACTION_WMM:
4479 hostapd_wmm_action(hapd, mgmt, len);
4480 return 1;
4481 case WLAN_ACTION_SA_QUERY:
4482 ieee802_11_sa_query_action(hapd, mgmt, len);
4483 return 1;
4484 #ifdef CONFIG_WNM_AP
4485 case WLAN_ACTION_WNM:
4486 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4487 return 1;
4488 #endif /* CONFIG_WNM_AP */
4489 #ifdef CONFIG_FST
4490 case WLAN_ACTION_FST:
4491 if (hapd->iface->fst)
4492 fst_rx_action(hapd->iface->fst, mgmt, len);
4493 else
4494 wpa_printf(MSG_DEBUG,
4495 "FST: Ignore FST Action frame - no FST attached");
4496 return 1;
4497 #endif /* CONFIG_FST */
4498 case WLAN_ACTION_PUBLIC:
4499 case WLAN_ACTION_PROTECTED_DUAL:
4500 #ifdef CONFIG_IEEE80211N
4501 if (len >= IEEE80211_HDRLEN + 2 &&
4502 mgmt->u.action.u.public_action.action ==
4503 WLAN_PA_20_40_BSS_COEX) {
4504 hostapd_2040_coex_action(hapd, mgmt, len);
4505 return 1;
4506 }
4507 #endif /* CONFIG_IEEE80211N */
4508 #ifdef CONFIG_DPP
4509 if (len >= IEEE80211_HDRLEN + 6 &&
4510 mgmt->u.action.u.vs_public_action.action ==
4511 WLAN_PA_VENDOR_SPECIFIC &&
4512 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4513 OUI_WFA &&
4514 mgmt->u.action.u.vs_public_action.variable[0] ==
4515 DPP_OUI_TYPE) {
4516 const u8 *pos, *end;
4517
4518 pos = mgmt->u.action.u.vs_public_action.oui;
4519 end = ((const u8 *) mgmt) + len;
4520 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4521 freq);
4522 return 1;
4523 }
4524 if (len >= IEEE80211_HDRLEN + 2 &&
4525 (mgmt->u.action.u.public_action.action ==
4526 WLAN_PA_GAS_INITIAL_RESP ||
4527 mgmt->u.action.u.public_action.action ==
4528 WLAN_PA_GAS_COMEBACK_RESP)) {
4529 const u8 *pos, *end;
4530
4531 pos = &mgmt->u.action.u.public_action.action;
4532 end = ((const u8 *) mgmt) + len;
4533 gas_query_ap_rx(hapd->gas, mgmt->sa,
4534 mgmt->u.action.category,
4535 pos, end - pos, hapd->iface->freq);
4536 return 1;
4537 }
4538 #endif /* CONFIG_DPP */
4539 if (hapd->public_action_cb) {
4540 hapd->public_action_cb(hapd->public_action_cb_ctx,
4541 (u8 *) mgmt, len,
4542 hapd->iface->freq);
4543 }
4544 if (hapd->public_action_cb2) {
4545 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4546 (u8 *) mgmt, len,
4547 hapd->iface->freq);
4548 }
4549 if (hapd->public_action_cb || hapd->public_action_cb2)
4550 return 1;
4551 break;
4552 case WLAN_ACTION_VENDOR_SPECIFIC:
4553 if (hapd->vendor_action_cb) {
4554 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4555 (u8 *) mgmt, len,
4556 hapd->iface->freq) == 0)
4557 return 1;
4558 }
4559 break;
4560 case WLAN_ACTION_RADIO_MEASUREMENT:
4561 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4562 return 1;
4563 }
4564
4565 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4566 HOSTAPD_LEVEL_DEBUG,
4567 "handle_action - unknown action category %d or invalid "
4568 "frame",
4569 mgmt->u.action.category);
4570 if (!is_multicast_ether_addr(mgmt->da) &&
4571 !(mgmt->u.action.category & 0x80) &&
4572 !is_multicast_ether_addr(mgmt->sa)) {
4573 struct ieee80211_mgmt *resp;
4574
4575 /*
4576 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4577 * Return the Action frame to the source without change
4578 * except that MSB of the Category set to 1.
4579 */
4580 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4581 "frame back to sender");
4582 resp = os_memdup(mgmt, len);
4583 if (resp == NULL)
4584 return 0;
4585 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4586 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4587 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4588 resp->u.action.category |= 0x80;
4589
4590 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
4591 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4592 "Action frame");
4593 }
4594 os_free(resp);
4595 }
4596
4597 return 1;
4598 }
4599
4600
4601 /**
4602 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4603 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4604 * sent to)
4605 * @buf: management frame data (starting from IEEE 802.11 header)
4606 * @len: length of frame data in octets
4607 * @fi: meta data about received frame (signal level, etc.)
4608 *
4609 * Process all incoming IEEE 802.11 management frames. This will be called for
4610 * each frame received from the kernel driver through wlan#ap interface. In
4611 * addition, it can be called to re-inserted pending frames (e.g., when using
4612 * external RADIUS server as an MAC ACL).
4613 */
4614 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4615 struct hostapd_frame_info *fi)
4616 {
4617 struct ieee80211_mgmt *mgmt;
4618 u16 fc, stype;
4619 int ret = 0;
4620 unsigned int freq;
4621 int ssi_signal = fi ? fi->ssi_signal : 0;
4622
4623 if (len < 24)
4624 return 0;
4625
4626 if (fi && fi->freq)
4627 freq = fi->freq;
4628 else
4629 freq = hapd->iface->freq;
4630
4631 mgmt = (struct ieee80211_mgmt *) buf;
4632 fc = le_to_host16(mgmt->frame_control);
4633 stype = WLAN_FC_GET_STYPE(fc);
4634
4635 if (is_multicast_ether_addr(mgmt->sa) ||
4636 is_zero_ether_addr(mgmt->sa) ||
4637 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
4638 /* Do not process any frames with unexpected/invalid SA so that
4639 * we do not add any state for unexpected STA addresses or end
4640 * up sending out frames to unexpected destination. */
4641 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
4642 " in received frame - ignore this frame silently",
4643 MAC2STR(mgmt->sa));
4644 return 0;
4645 }
4646
4647 if (stype == WLAN_FC_STYPE_BEACON) {
4648 handle_beacon(hapd, mgmt, len, fi);
4649 return 1;
4650 }
4651
4652 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4653 #ifdef CONFIG_P2P
4654 /* Invitation responses can be sent with the peer MAC as BSSID */
4655 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4656 stype == WLAN_FC_STYPE_ACTION) &&
4657 #endif /* CONFIG_P2P */
4658 #ifdef CONFIG_MESH
4659 !(hapd->conf->mesh & MESH_ENABLED) &&
4660 #endif /* CONFIG_MESH */
4661 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4662 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4663 MAC2STR(mgmt->bssid));
4664 return 0;
4665 }
4666
4667
4668 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4669 handle_probe_req(hapd, mgmt, len, ssi_signal);
4670 return 1;
4671 }
4672
4673 if ((!is_broadcast_ether_addr(mgmt->da) ||
4674 stype != WLAN_FC_STYPE_ACTION) &&
4675 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4676 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4677 HOSTAPD_LEVEL_DEBUG,
4678 "MGMT: DA=" MACSTR " not our address",
4679 MAC2STR(mgmt->da));
4680 return 0;
4681 }
4682
4683 if (hapd->iconf->track_sta_max_num)
4684 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4685
4686 switch (stype) {
4687 case WLAN_FC_STYPE_AUTH:
4688 wpa_printf(MSG_DEBUG, "mgmt::auth");
4689 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4690 ret = 1;
4691 break;
4692 case WLAN_FC_STYPE_ASSOC_REQ:
4693 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4694 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4695 ret = 1;
4696 break;
4697 case WLAN_FC_STYPE_REASSOC_REQ:
4698 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4699 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4700 ret = 1;
4701 break;
4702 case WLAN_FC_STYPE_DISASSOC:
4703 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4704 handle_disassoc(hapd, mgmt, len);
4705 ret = 1;
4706 break;
4707 case WLAN_FC_STYPE_DEAUTH:
4708 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4709 handle_deauth(hapd, mgmt, len);
4710 ret = 1;
4711 break;
4712 case WLAN_FC_STYPE_ACTION:
4713 wpa_printf(MSG_DEBUG, "mgmt::action");
4714 ret = handle_action(hapd, mgmt, len, freq);
4715 break;
4716 default:
4717 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4718 HOSTAPD_LEVEL_DEBUG,
4719 "unknown mgmt frame subtype %d", stype);
4720 break;
4721 }
4722
4723 return ret;
4724 }
4725
4726
4727 static void handle_auth_cb(struct hostapd_data *hapd,
4728 const struct ieee80211_mgmt *mgmt,
4729 size_t len, int ok)
4730 {
4731 u16 auth_alg, auth_transaction, status_code;
4732 struct sta_info *sta;
4733
4734 sta = ap_get_sta(hapd, mgmt->da);
4735 if (!sta) {
4736 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4737 " not found",
4738 MAC2STR(mgmt->da));
4739 return;
4740 }
4741
4742 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4743 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4744 status_code = le_to_host16(mgmt->u.auth.status_code);
4745
4746 if (!ok) {
4747 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4748 HOSTAPD_LEVEL_NOTICE,
4749 "did not acknowledge authentication response");
4750 goto fail;
4751 }
4752
4753 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4754 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4755 (unsigned long) len);
4756 goto fail;
4757 }
4758
4759 if (status_code == WLAN_STATUS_SUCCESS &&
4760 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4761 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4762 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4763 HOSTAPD_LEVEL_INFO, "authenticated");
4764 sta->flags |= WLAN_STA_AUTH;
4765 if (sta->added_unassoc)
4766 hostapd_set_sta_flags(hapd, sta);
4767 return;
4768 }
4769
4770 fail:
4771 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4772 hostapd_drv_sta_remove(hapd, sta->addr);
4773 sta->added_unassoc = 0;
4774 }
4775 }
4776
4777
4778 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4779 struct sta_info *sta,
4780 char *ifname_wds)
4781 {
4782 int i;
4783 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4784
4785 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4786 return;
4787
4788 for (i = 0; i < 4; i++) {
4789 if (ssid->wep.key[i] &&
4790 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4791 i == ssid->wep.idx, NULL, 0,
4792 ssid->wep.key[i], ssid->wep.len[i])) {
4793 wpa_printf(MSG_WARNING,
4794 "Could not set WEP keys for WDS interface; %s",
4795 ifname_wds);
4796 break;
4797 }
4798 }
4799 }
4800
4801
4802 static void handle_assoc_cb(struct hostapd_data *hapd,
4803 const struct ieee80211_mgmt *mgmt,
4804 size_t len, int reassoc, int ok)
4805 {
4806 u16 status;
4807 struct sta_info *sta;
4808 int new_assoc = 1;
4809
4810 sta = ap_get_sta(hapd, mgmt->da);
4811 if (!sta) {
4812 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4813 MAC2STR(mgmt->da));
4814 return;
4815 }
4816
4817 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4818 sizeof(mgmt->u.assoc_resp))) {
4819 wpa_printf(MSG_INFO,
4820 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4821 reassoc, (unsigned long) len);
4822 hostapd_drv_sta_remove(hapd, sta->addr);
4823 return;
4824 }
4825
4826 if (reassoc)
4827 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4828 else
4829 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4830
4831 if (!ok) {
4832 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4833 HOSTAPD_LEVEL_DEBUG,
4834 "did not acknowledge association response");
4835 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4836 /* The STA is added only in case of SUCCESS */
4837 if (status == WLAN_STATUS_SUCCESS)
4838 hostapd_drv_sta_remove(hapd, sta->addr);
4839
4840 return;
4841 }
4842
4843 if (status != WLAN_STATUS_SUCCESS)
4844 return;
4845
4846 /* Stop previous accounting session, if one is started, and allocate
4847 * new session id for the new session. */
4848 accounting_sta_stop(hapd, sta);
4849
4850 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4851 HOSTAPD_LEVEL_INFO,
4852 "associated (aid %d)",
4853 sta->aid);
4854
4855 if (sta->flags & WLAN_STA_ASSOC)
4856 new_assoc = 0;
4857 sta->flags |= WLAN_STA_ASSOC;
4858 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4859 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4860 !hapd->conf->osen) ||
4861 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4862 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4863 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4864 sta->auth_alg == WLAN_AUTH_FT) {
4865 /*
4866 * Open, static WEP, FT protocol, or FILS; no separate
4867 * authorization step.
4868 */
4869 ap_sta_set_authorized(hapd, sta, 1);
4870 }
4871
4872 if (reassoc)
4873 mlme_reassociate_indication(hapd, sta);
4874 else
4875 mlme_associate_indication(hapd, sta);
4876
4877 sta->sa_query_timed_out = 0;
4878
4879 if (sta->eapol_sm == NULL) {
4880 /*
4881 * This STA does not use RADIUS server for EAP authentication,
4882 * so bind it to the selected VLAN interface now, since the
4883 * interface selection is not going to change anymore.
4884 */
4885 if (ap_sta_bind_vlan(hapd, sta) < 0)
4886 return;
4887 } else if (sta->vlan_id) {
4888 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4889 if (ap_sta_bind_vlan(hapd, sta) < 0)
4890 return;
4891 }
4892
4893 hostapd_set_sta_flags(hapd, sta);
4894
4895 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4896 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4897 MACSTR " based on pending request",
4898 MAC2STR(sta->addr));
4899 sta->pending_wds_enable = 0;
4900 sta->flags |= WLAN_STA_WDS;
4901 }
4902
4903 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4904 int ret;
4905 char ifname_wds[IFNAMSIZ + 1];
4906
4907 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4908 MACSTR " (aid %u)",
4909 MAC2STR(sta->addr), sta->aid);
4910 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4911 sta->aid, 1);
4912 if (!ret)
4913 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4914 }
4915
4916 if (sta->auth_alg == WLAN_AUTH_FT)
4917 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4918 else
4919 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4920 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4921 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4922
4923 #ifdef CONFIG_FILS
4924 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4925 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4926 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4927 fils_set_tk(sta->wpa_sm) < 0) {
4928 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4929 ap_sta_disconnect(hapd, sta, sta->addr,
4930 WLAN_REASON_UNSPECIFIED);
4931 return;
4932 }
4933 #endif /* CONFIG_FILS */
4934
4935 if (sta->pending_eapol_rx) {
4936 struct os_reltime now, age;
4937
4938 os_get_reltime(&now);
4939 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4940 if (age.sec == 0 && age.usec < 200000) {
4941 wpa_printf(MSG_DEBUG,
4942 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4943 MAC2STR(sta->addr));
4944 ieee802_1x_receive(
4945 hapd, mgmt->da,
4946 wpabuf_head(sta->pending_eapol_rx->buf),
4947 wpabuf_len(sta->pending_eapol_rx->buf));
4948 }
4949 wpabuf_free(sta->pending_eapol_rx->buf);
4950 os_free(sta->pending_eapol_rx);
4951 sta->pending_eapol_rx = NULL;
4952 }
4953 }
4954
4955
4956 static void handle_deauth_cb(struct hostapd_data *hapd,
4957 const struct ieee80211_mgmt *mgmt,
4958 size_t len, int ok)
4959 {
4960 struct sta_info *sta;
4961 if (is_multicast_ether_addr(mgmt->da))
4962 return;
4963 sta = ap_get_sta(hapd, mgmt->da);
4964 if (!sta) {
4965 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4966 " not found", MAC2STR(mgmt->da));
4967 return;
4968 }
4969 if (ok)
4970 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4971 MAC2STR(sta->addr));
4972 else
4973 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4974 "deauth", MAC2STR(sta->addr));
4975
4976 ap_sta_deauth_cb(hapd, sta);
4977 }
4978
4979
4980 static void handle_disassoc_cb(struct hostapd_data *hapd,
4981 const struct ieee80211_mgmt *mgmt,
4982 size_t len, int ok)
4983 {
4984 struct sta_info *sta;
4985 if (is_multicast_ether_addr(mgmt->da))
4986 return;
4987 sta = ap_get_sta(hapd, mgmt->da);
4988 if (!sta) {
4989 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4990 " not found", MAC2STR(mgmt->da));
4991 return;
4992 }
4993 if (ok)
4994 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4995 MAC2STR(sta->addr));
4996 else
4997 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4998 "disassoc", MAC2STR(sta->addr));
4999
5000 ap_sta_disassoc_cb(hapd, sta);
5001 }
5002
5003
5004 static void handle_action_cb(struct hostapd_data *hapd,
5005 const struct ieee80211_mgmt *mgmt,
5006 size_t len, int ok)
5007 {
5008 struct sta_info *sta;
5009 const struct rrm_measurement_report_element *report;
5010
5011 if (is_multicast_ether_addr(mgmt->da))
5012 return;
5013 #ifdef CONFIG_DPP
5014 if (len >= IEEE80211_HDRLEN + 6 &&
5015 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5016 mgmt->u.action.u.vs_public_action.action ==
5017 WLAN_PA_VENDOR_SPECIFIC &&
5018 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5019 OUI_WFA &&
5020 mgmt->u.action.u.vs_public_action.variable[0] ==
5021 DPP_OUI_TYPE) {
5022 const u8 *pos, *end;
5023
5024 pos = &mgmt->u.action.u.vs_public_action.variable[1];
5025 end = ((const u8 *) mgmt) + len;
5026 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
5027 return;
5028 }
5029 if (len >= IEEE80211_HDRLEN + 2 &&
5030 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5031 (mgmt->u.action.u.public_action.action ==
5032 WLAN_PA_GAS_INITIAL_REQ ||
5033 mgmt->u.action.u.public_action.action ==
5034 WLAN_PA_GAS_COMEBACK_REQ)) {
5035 const u8 *pos, *end;
5036
5037 pos = mgmt->u.action.u.public_action.variable;
5038 end = ((const u8 *) mgmt) + len;
5039 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
5040 return;
5041 }
5042 #endif /* CONFIG_DPP */
5043 sta = ap_get_sta(hapd, mgmt->da);
5044 if (!sta) {
5045 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
5046 " not found", MAC2STR(mgmt->da));
5047 return;
5048 }
5049
5050 if (len < 24 + 5 + sizeof(*report))
5051 return;
5052 report = (const struct rrm_measurement_report_element *)
5053 &mgmt->u.action.u.rrm.variable[2];
5054 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
5055 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
5056 report->eid == WLAN_EID_MEASURE_REQUEST &&
5057 report->len >= 3 &&
5058 report->type == MEASURE_TYPE_BEACON)
5059 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
5060 }
5061
5062
5063 /**
5064 * ieee802_11_mgmt_cb - Process management frame TX status callback
5065 * @hapd: hostapd BSS data structure (the BSS from which the management frame
5066 * was sent from)
5067 * @buf: management frame data (starting from IEEE 802.11 header)
5068 * @len: length of frame data in octets
5069 * @stype: management frame subtype from frame control field
5070 * @ok: Whether the frame was ACK'ed
5071 */
5072 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
5073 u16 stype, int ok)
5074 {
5075 const struct ieee80211_mgmt *mgmt;
5076 mgmt = (const struct ieee80211_mgmt *) buf;
5077
5078 #ifdef CONFIG_TESTING_OPTIONS
5079 if (hapd->ext_mgmt_frame_handling) {
5080 size_t hex_len = 2 * len + 1;
5081 char *hex = os_malloc(hex_len);
5082
5083 if (hex) {
5084 wpa_snprintf_hex(hex, hex_len, buf, len);
5085 wpa_msg(hapd->msg_ctx, MSG_INFO,
5086 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
5087 stype, ok, hex);
5088 os_free(hex);
5089 }
5090 return;
5091 }
5092 #endif /* CONFIG_TESTING_OPTIONS */
5093
5094 switch (stype) {
5095 case WLAN_FC_STYPE_AUTH:
5096 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
5097 handle_auth_cb(hapd, mgmt, len, ok);
5098 break;
5099 case WLAN_FC_STYPE_ASSOC_RESP:
5100 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
5101 handle_assoc_cb(hapd, mgmt, len, 0, ok);
5102 break;
5103 case WLAN_FC_STYPE_REASSOC_RESP:
5104 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
5105 handle_assoc_cb(hapd, mgmt, len, 1, ok);
5106 break;
5107 case WLAN_FC_STYPE_PROBE_RESP:
5108 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
5109 break;
5110 case WLAN_FC_STYPE_DEAUTH:
5111 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
5112 handle_deauth_cb(hapd, mgmt, len, ok);
5113 break;
5114 case WLAN_FC_STYPE_DISASSOC:
5115 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
5116 handle_disassoc_cb(hapd, mgmt, len, ok);
5117 break;
5118 case WLAN_FC_STYPE_ACTION:
5119 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
5120 handle_action_cb(hapd, mgmt, len, ok);
5121 break;
5122 default:
5123 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
5124 break;
5125 }
5126 }
5127
5128
5129 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
5130 {
5131 /* TODO */
5132 return 0;
5133 }
5134
5135
5136 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
5137 char *buf, size_t buflen)
5138 {
5139 /* TODO */
5140 return 0;
5141 }
5142
5143
5144 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
5145 const u8 *buf, size_t len, int ack)
5146 {
5147 struct sta_info *sta;
5148 struct hostapd_iface *iface = hapd->iface;
5149
5150 sta = ap_get_sta(hapd, addr);
5151 if (sta == NULL && iface->num_bss > 1) {
5152 size_t j;
5153 for (j = 0; j < iface->num_bss; j++) {
5154 hapd = iface->bss[j];
5155 sta = ap_get_sta(hapd, addr);
5156 if (sta)
5157 break;
5158 }
5159 }
5160 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
5161 return;
5162 if (sta->flags & WLAN_STA_PENDING_POLL) {
5163 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
5164 "activity poll", MAC2STR(sta->addr),
5165 ack ? "ACKed" : "did not ACK");
5166 if (ack)
5167 sta->flags &= ~WLAN_STA_PENDING_POLL;
5168 }
5169
5170 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
5171 }
5172
5173
5174 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5175 const u8 *data, size_t len, int ack)
5176 {
5177 struct sta_info *sta;
5178 struct hostapd_iface *iface = hapd->iface;
5179
5180 sta = ap_get_sta(hapd, dst);
5181 if (sta == NULL && iface->num_bss > 1) {
5182 size_t j;
5183 for (j = 0; j < iface->num_bss; j++) {
5184 hapd = iface->bss[j];
5185 sta = ap_get_sta(hapd, dst);
5186 if (sta)
5187 break;
5188 }
5189 }
5190 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5191 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5192 MACSTR " that is not currently associated",
5193 MAC2STR(dst));
5194 return;
5195 }
5196
5197 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5198 }
5199
5200
5201 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5202 {
5203 struct sta_info *sta;
5204 struct hostapd_iface *iface = hapd->iface;
5205
5206 sta = ap_get_sta(hapd, addr);
5207 if (sta == NULL && iface->num_bss > 1) {
5208 size_t j;
5209 for (j = 0; j < iface->num_bss; j++) {
5210 hapd = iface->bss[j];
5211 sta = ap_get_sta(hapd, addr);
5212 if (sta)
5213 break;
5214 }
5215 }
5216 if (sta == NULL)
5217 return;
5218 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5219 MAC2STR(sta->addr));
5220 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5221 return;
5222
5223 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5224 "activity poll", MAC2STR(sta->addr));
5225 sta->flags &= ~WLAN_STA_PENDING_POLL;
5226 }
5227
5228
5229 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5230 int wds)
5231 {
5232 struct sta_info *sta;
5233
5234 sta = ap_get_sta(hapd, src);
5235 if (sta &&
5236 ((sta->flags & WLAN_STA_ASSOC) ||
5237 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5238 if (!hapd->conf->wds_sta)
5239 return;
5240
5241 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5242 WLAN_STA_ASSOC_REQ_OK) {
5243 wpa_printf(MSG_DEBUG,
5244 "Postpone 4-address WDS mode enabling for STA "
5245 MACSTR " since TX status for AssocResp is not yet known",
5246 MAC2STR(sta->addr));
5247 sta->pending_wds_enable = 1;
5248 return;
5249 }
5250
5251 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5252 int ret;
5253 char ifname_wds[IFNAMSIZ + 1];
5254
5255 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5256 "STA " MACSTR " (aid %u)",
5257 MAC2STR(sta->addr), sta->aid);
5258 sta->flags |= WLAN_STA_WDS;
5259 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5260 sta->addr, sta->aid, 1);
5261 if (!ret)
5262 hostapd_set_wds_encryption(hapd, sta,
5263 ifname_wds);
5264 }
5265 return;
5266 }
5267
5268 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5269 MACSTR, MAC2STR(src));
5270 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
5271 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
5272 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
5273 * silently. */
5274 return;
5275 }
5276
5277 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5278 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5279 "already been sent, but no TX status yet known - "
5280 "ignore Class 3 frame issue with " MACSTR,
5281 MAC2STR(src));
5282 return;
5283 }
5284
5285 if (sta && (sta->flags & WLAN_STA_AUTH))
5286 hostapd_drv_sta_disassoc(
5287 hapd, src,
5288 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5289 else
5290 hostapd_drv_sta_deauth(
5291 hapd, src,
5292 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5293 }
5294
5295
5296 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.