]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Store a copy of Association Request RSNXE in AP mode for later use
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "radius/radius.h"
28 #include "radius/radius_client.h"
29 #include "p2p/p2p.h"
30 #include "wps/wps.h"
31 #include "fst/fst.h"
32 #include "hostapd.h"
33 #include "beacon.h"
34 #include "ieee802_11_auth.h"
35 #include "sta_info.h"
36 #include "ieee802_1x.h"
37 #include "wpa_auth.h"
38 #include "pmksa_cache_auth.h"
39 #include "wmm.h"
40 #include "ap_list.h"
41 #include "accounting.h"
42 #include "ap_config.h"
43 #include "ap_mlme.h"
44 #include "p2p_hostapd.h"
45 #include "ap_drv_ops.h"
46 #include "wnm_ap.h"
47 #include "hw_features.h"
48 #include "ieee802_11.h"
49 #include "dfs.h"
50 #include "mbo_ap.h"
51 #include "rrm.h"
52 #include "taxonomy.h"
53 #include "fils_hlp.h"
54 #include "dpp_hostapd.h"
55 #include "gas_query_ap.h"
56
57
58 #ifdef CONFIG_FILS
59 static struct wpabuf *
60 prepare_auth_resp_fils(struct hostapd_data *hapd,
61 struct sta_info *sta, u16 *resp,
62 struct rsn_pmksa_cache_entry *pmksa,
63 struct wpabuf *erp_resp,
64 const u8 *msk, size_t msk_len,
65 int *is_pub);
66 #endif /* CONFIG_FILS */
67 static void handle_auth(struct hostapd_data *hapd,
68 const struct ieee80211_mgmt *mgmt, size_t len,
69 int rssi, int from_queue);
70
71
72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
73 {
74 u8 multi_ap_val = 0;
75
76 if (!hapd->conf->multi_ap)
77 return eid;
78 if (hapd->conf->multi_ap & BACKHAUL_BSS)
79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
80 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82
83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
84 }
85
86
87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
88 {
89 u8 *pos = eid;
90 int i, num, count;
91
92 if (hapd->iface->current_rates == NULL)
93 return eid;
94
95 *pos++ = WLAN_EID_SUPP_RATES;
96 num = hapd->iface->num_rates;
97 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
98 num++;
99 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
100 num++;
101 if (hapd->conf->sae_pwe == 1)
102 num++;
103 if (num > 8) {
104 /* rest of the rates are encoded in Extended supported
105 * rates element */
106 num = 8;
107 }
108
109 *pos++ = num;
110 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
111 i++) {
112 count++;
113 *pos = hapd->iface->current_rates[i].rate / 5;
114 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
115 *pos |= 0x80;
116 pos++;
117 }
118
119 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
120 count++;
121 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
122 }
123
124 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
125 count++;
126 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
127 }
128
129 if (hapd->conf->sae_pwe == 1 && count < 8) {
130 count++;
131 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
132 }
133
134 return pos;
135 }
136
137
138 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
139 {
140 u8 *pos = eid;
141 int i, num, count;
142
143 if (hapd->iface->current_rates == NULL)
144 return eid;
145
146 num = hapd->iface->num_rates;
147 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
148 num++;
149 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
150 num++;
151 if (hapd->conf->sae_pwe == 1)
152 num++;
153 if (num <= 8)
154 return eid;
155 num -= 8;
156
157 *pos++ = WLAN_EID_EXT_SUPP_RATES;
158 *pos++ = num;
159 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
160 i++) {
161 count++;
162 if (count <= 8)
163 continue; /* already in SuppRates IE */
164 *pos = hapd->iface->current_rates[i].rate / 5;
165 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
166 *pos |= 0x80;
167 pos++;
168 }
169
170 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
171 count++;
172 if (count > 8)
173 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
174 }
175
176 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
177 count++;
178 if (count > 8)
179 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
180 }
181
182 if (hapd->conf->sae_pwe == 1) {
183 count++;
184 if (count > 8)
185 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
186 }
187
188 return pos;
189 }
190
191
192 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
193 {
194 int capab = WLAN_CAPABILITY_ESS;
195 int privacy;
196 int dfs;
197 int i;
198
199 /* Check if any of configured channels require DFS */
200 dfs = hostapd_is_dfs_required(hapd->iface);
201 if (dfs < 0) {
202 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
203 dfs);
204 dfs = 0;
205 }
206
207 if (hapd->iface->num_sta_no_short_preamble == 0 &&
208 hapd->iconf->preamble == SHORT_PREAMBLE)
209 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
210
211 privacy = hapd->conf->ssid.wep.keys_set;
212
213 if (hapd->conf->ieee802_1x &&
214 (hapd->conf->default_wep_key_len ||
215 hapd->conf->individual_wep_key_len))
216 privacy = 1;
217
218 if (hapd->conf->wpa)
219 privacy = 1;
220
221 #ifdef CONFIG_HS20
222 if (hapd->conf->osen)
223 privacy = 1;
224 #endif /* CONFIG_HS20 */
225
226 if (privacy)
227 capab |= WLAN_CAPABILITY_PRIVACY;
228
229 if (hapd->iface->current_mode &&
230 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
231 hapd->iface->num_sta_no_short_slot_time == 0)
232 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
233
234 /*
235 * Currently, Spectrum Management capability bit is set when directly
236 * requested in configuration by spectrum_mgmt_required or when AP is
237 * running on DFS channel.
238 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
239 */
240 if (hapd->iface->current_mode &&
241 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
242 (hapd->iconf->spectrum_mgmt_required || dfs))
243 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
244
245 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
246 if (hapd->conf->radio_measurements[i]) {
247 capab |= IEEE80211_CAP_RRM;
248 break;
249 }
250 }
251
252 return capab;
253 }
254
255
256 #ifndef CONFIG_NO_RC4
257 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
258 u16 auth_transaction, const u8 *challenge,
259 int iswep)
260 {
261 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
262 HOSTAPD_LEVEL_DEBUG,
263 "authentication (shared key, transaction %d)",
264 auth_transaction);
265
266 if (auth_transaction == 1) {
267 if (!sta->challenge) {
268 /* Generate a pseudo-random challenge */
269 u8 key[8];
270
271 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
272 if (sta->challenge == NULL)
273 return WLAN_STATUS_UNSPECIFIED_FAILURE;
274
275 if (os_get_random(key, sizeof(key)) < 0) {
276 os_free(sta->challenge);
277 sta->challenge = NULL;
278 return WLAN_STATUS_UNSPECIFIED_FAILURE;
279 }
280
281 rc4_skip(key, sizeof(key), 0,
282 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
283 }
284 return 0;
285 }
286
287 if (auth_transaction != 3)
288 return WLAN_STATUS_UNSPECIFIED_FAILURE;
289
290 /* Transaction 3 */
291 if (!iswep || !sta->challenge || !challenge ||
292 os_memcmp_const(sta->challenge, challenge,
293 WLAN_AUTH_CHALLENGE_LEN)) {
294 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
295 HOSTAPD_LEVEL_INFO,
296 "shared key authentication - invalid "
297 "challenge-response");
298 return WLAN_STATUS_CHALLENGE_FAIL;
299 }
300
301 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
302 HOSTAPD_LEVEL_DEBUG,
303 "authentication OK (shared key)");
304 sta->flags |= WLAN_STA_AUTH;
305 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
306 os_free(sta->challenge);
307 sta->challenge = NULL;
308
309 return 0;
310 }
311 #endif /* CONFIG_NO_RC4 */
312
313
314 static int send_auth_reply(struct hostapd_data *hapd,
315 const u8 *dst, const u8 *bssid,
316 u16 auth_alg, u16 auth_transaction, u16 resp,
317 const u8 *ies, size_t ies_len, const char *dbg)
318 {
319 struct ieee80211_mgmt *reply;
320 u8 *buf;
321 size_t rlen;
322 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
323
324 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
325 buf = os_zalloc(rlen);
326 if (buf == NULL)
327 return -1;
328
329 reply = (struct ieee80211_mgmt *) buf;
330 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
331 WLAN_FC_STYPE_AUTH);
332 os_memcpy(reply->da, dst, ETH_ALEN);
333 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
334 os_memcpy(reply->bssid, bssid, ETH_ALEN);
335
336 reply->u.auth.auth_alg = host_to_le16(auth_alg);
337 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
338 reply->u.auth.status_code = host_to_le16(resp);
339
340 if (ies && ies_len)
341 os_memcpy(reply->u.auth.variable, ies, ies_len);
342
343 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
344 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
345 MAC2STR(dst), auth_alg, auth_transaction,
346 resp, (unsigned long) ies_len, dbg);
347 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
348 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
349 else
350 reply_res = WLAN_STATUS_SUCCESS;
351
352 os_free(buf);
353
354 return reply_res;
355 }
356
357
358 #ifdef CONFIG_IEEE80211R_AP
359 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
360 u16 auth_transaction, u16 status,
361 const u8 *ies, size_t ies_len)
362 {
363 struct hostapd_data *hapd = ctx;
364 struct sta_info *sta;
365 int reply_res;
366
367 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
368 auth_transaction, status, ies, ies_len,
369 "auth-ft-finish");
370
371 sta = ap_get_sta(hapd, dst);
372 if (sta == NULL)
373 return;
374
375 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
376 status != WLAN_STATUS_SUCCESS)) {
377 hostapd_drv_sta_remove(hapd, sta->addr);
378 sta->added_unassoc = 0;
379 return;
380 }
381
382 if (status != WLAN_STATUS_SUCCESS)
383 return;
384
385 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
386 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
387 sta->flags |= WLAN_STA_AUTH;
388 mlme_authenticate_indication(hapd, sta);
389 }
390 #endif /* CONFIG_IEEE80211R_AP */
391
392
393 #ifdef CONFIG_SAE
394
395 static void sae_set_state(struct sta_info *sta, enum sae_state state,
396 const char *reason)
397 {
398 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
399 sae_state_txt(sta->sae->state), sae_state_txt(state),
400 MAC2STR(sta->addr), reason);
401 sta->sae->state = state;
402 }
403
404
405 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
406 struct sta_info *sta, int update)
407 {
408 struct wpabuf *buf;
409 const char *password = NULL;
410 struct sae_password_entry *pw;
411 const char *rx_id = NULL;
412 int use_pt = 0;
413 struct sae_pt *pt = NULL;
414
415 if (sta->sae->tmp) {
416 rx_id = sta->sae->tmp->pw_id;
417 use_pt = sta->sae->tmp->h2e;
418 }
419
420 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
421 if (!is_broadcast_ether_addr(pw->peer_addr) &&
422 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
423 continue;
424 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
425 continue;
426 if (rx_id && pw->identifier &&
427 os_strcmp(rx_id, pw->identifier) != 0)
428 continue;
429 password = pw->password;
430 pt = pw->pt;
431 break;
432 }
433 if (!password) {
434 password = hapd->conf->ssid.wpa_passphrase;
435 pt = hapd->conf->ssid.pt;
436 }
437 if (!password || (use_pt && !pt)) {
438 wpa_printf(MSG_DEBUG, "SAE: No password available");
439 return NULL;
440 }
441
442 if (update && use_pt &&
443 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
444 NULL) < 0)
445 return NULL;
446
447 if (update && !use_pt &&
448 sae_prepare_commit(hapd->own_addr, sta->addr,
449 (u8 *) password, os_strlen(password), rx_id,
450 sta->sae) < 0) {
451 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
452 return NULL;
453 }
454
455 if (pw && pw->vlan_id) {
456 if (!sta->sae->tmp) {
457 wpa_printf(MSG_INFO,
458 "SAE: No temporary data allocated - cannot store VLAN ID");
459 return NULL;
460 }
461 sta->sae->tmp->vlan_id = pw->vlan_id;
462 }
463
464 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
465 (rx_id ? 3 + os_strlen(rx_id) : 0));
466 if (buf == NULL)
467 return NULL;
468 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
469 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
470
471 return buf;
472 }
473
474
475 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
476 struct sta_info *sta)
477 {
478 struct wpabuf *buf;
479
480 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
481 if (buf == NULL)
482 return NULL;
483
484 sae_write_confirm(sta->sae, buf);
485
486 return buf;
487 }
488
489
490 static int auth_sae_send_commit(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const u8 *bssid, int update)
493 {
494 struct wpabuf *data;
495 int reply_res;
496 u16 status;
497
498 data = auth_build_sae_commit(hapd, sta, update);
499 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
500 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
501 if (data == NULL)
502 return WLAN_STATUS_UNSPECIFIED_FAILURE;
503
504 status = (sta->sae->tmp && sta->sae->tmp->h2e) ?
505 WLAN_STATUS_SAE_HASH_TO_ELEMENT : WLAN_STATUS_SUCCESS;
506 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
507 status, wpabuf_head(data),
508 wpabuf_len(data), "sae-send-commit");
509
510 wpabuf_free(data);
511
512 return reply_res;
513 }
514
515
516 static int auth_sae_send_confirm(struct hostapd_data *hapd,
517 struct sta_info *sta,
518 const u8 *bssid)
519 {
520 struct wpabuf *data;
521 int reply_res;
522
523 data = auth_build_sae_confirm(hapd, sta);
524 if (data == NULL)
525 return WLAN_STATUS_UNSPECIFIED_FAILURE;
526
527 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
528 WLAN_STATUS_SUCCESS, wpabuf_head(data),
529 wpabuf_len(data), "sae-send-confirm");
530
531 wpabuf_free(data);
532
533 return reply_res;
534 }
535
536
537 static int use_sae_anti_clogging(struct hostapd_data *hapd)
538 {
539 struct sta_info *sta;
540 unsigned int open = 0;
541
542 if (hapd->conf->sae_anti_clogging_threshold == 0)
543 return 1;
544
545 for (sta = hapd->sta_list; sta; sta = sta->next) {
546 if (!sta->sae)
547 continue;
548 if (sta->sae->state != SAE_COMMITTED &&
549 sta->sae->state != SAE_CONFIRMED)
550 continue;
551 open++;
552 if (open >= hapd->conf->sae_anti_clogging_threshold)
553 return 1;
554 }
555
556 /* In addition to already existing open SAE sessions, check whether
557 * there are enough pending commit messages in the processing queue to
558 * potentially result in too many open sessions. */
559 if (open + dl_list_len(&hapd->sae_commit_queue) >=
560 hapd->conf->sae_anti_clogging_threshold)
561 return 1;
562
563 return 0;
564 }
565
566
567 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
568 {
569 u8 hash[SHA256_MAC_LEN];
570
571 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
572 addr, ETH_ALEN, hash);
573 return hash[0];
574 }
575
576
577 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
578 const u8 *token, size_t token_len)
579 {
580 u8 mac[SHA256_MAC_LEN];
581 const u8 *addrs[2];
582 size_t len[2];
583 u16 token_idx;
584 u8 idx;
585
586 if (token_len != SHA256_MAC_LEN)
587 return -1;
588 idx = sae_token_hash(hapd, addr);
589 token_idx = hapd->sae_pending_token_idx[idx];
590 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
591 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
592 MACSTR " - token_idx 0x%04x, expected 0x%04x",
593 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
594 return -1;
595 }
596
597 addrs[0] = addr;
598 len[0] = ETH_ALEN;
599 addrs[1] = token;
600 len[1] = 2;
601 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
602 2, addrs, len, mac) < 0 ||
603 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
604 return -1;
605
606 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
607
608 return 0;
609 }
610
611
612 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
613 int group, const u8 *addr)
614 {
615 struct wpabuf *buf;
616 u8 *token;
617 struct os_reltime now;
618 u8 idx[2];
619 const u8 *addrs[2];
620 size_t len[2];
621 u8 p_idx;
622 u16 token_idx;
623
624 os_get_reltime(&now);
625 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
626 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
627 hapd->sae_token_idx == 0xffff) {
628 if (random_get_bytes(hapd->sae_token_key,
629 sizeof(hapd->sae_token_key)) < 0)
630 return NULL;
631 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
632 hapd->sae_token_key, sizeof(hapd->sae_token_key));
633 hapd->last_sae_token_key_update = now;
634 hapd->sae_token_idx = 0;
635 os_memset(hapd->sae_pending_token_idx, 0,
636 sizeof(hapd->sae_pending_token_idx));
637 }
638
639 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
640 if (buf == NULL)
641 return NULL;
642
643 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
644
645 p_idx = sae_token_hash(hapd, addr);
646 token_idx = hapd->sae_pending_token_idx[p_idx];
647 if (!token_idx) {
648 hapd->sae_token_idx++;
649 token_idx = hapd->sae_token_idx;
650 hapd->sae_pending_token_idx[p_idx] = token_idx;
651 }
652 WPA_PUT_BE16(idx, token_idx);
653 token = wpabuf_put(buf, SHA256_MAC_LEN);
654 addrs[0] = addr;
655 len[0] = ETH_ALEN;
656 addrs[1] = idx;
657 len[1] = sizeof(idx);
658 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
659 2, addrs, len, token) < 0) {
660 wpabuf_free(buf);
661 return NULL;
662 }
663 WPA_PUT_BE16(token, token_idx);
664
665 return buf;
666 }
667
668
669 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
670 {
671 if (sta->sae->sync > hapd->conf->sae_sync) {
672 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
673 sta->sae->sync = 0;
674 return -1;
675 }
676 return 0;
677 }
678
679
680 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
681 {
682 struct hostapd_data *hapd = eloop_ctx;
683 struct sta_info *sta = eloop_data;
684 int ret;
685
686 if (sae_check_big_sync(hapd, sta))
687 return;
688 sta->sae->sync++;
689 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
690 " (sync=%d state=%s)",
691 MAC2STR(sta->addr), sta->sae->sync,
692 sae_state_txt(sta->sae->state));
693
694 switch (sta->sae->state) {
695 case SAE_COMMITTED:
696 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
697 eloop_register_timeout(0,
698 hapd->dot11RSNASAERetransPeriod * 1000,
699 auth_sae_retransmit_timer, hapd, sta);
700 break;
701 case SAE_CONFIRMED:
702 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
703 eloop_register_timeout(0,
704 hapd->dot11RSNASAERetransPeriod * 1000,
705 auth_sae_retransmit_timer, hapd, sta);
706 break;
707 default:
708 ret = -1;
709 break;
710 }
711
712 if (ret != WLAN_STATUS_SUCCESS)
713 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
714 }
715
716
717 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
718 {
719 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
720 }
721
722
723 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
724 struct sta_info *sta)
725 {
726 if (!(hapd->conf->mesh & MESH_ENABLED))
727 return;
728
729 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
730 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
731 auth_sae_retransmit_timer, hapd, sta);
732 }
733
734
735 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
736 struct sta_info *sta, u16 status)
737 {
738 struct external_auth params;
739
740 os_memset(&params, 0, sizeof(params));
741 params.status = status;
742 params.bssid = sta->addr;
743 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
744 !hapd->conf->disable_pmksa_caching)
745 params.pmkid = sta->sae->pmkid;
746
747 hostapd_drv_send_external_auth_status(hapd, &params);
748 }
749
750
751 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
752 {
753 #ifndef CONFIG_NO_VLAN
754 struct vlan_description vlan_desc;
755
756 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
757 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
758 " to VLAN ID %d",
759 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
760
761 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
762 vlan_desc.notempty = 1;
763 vlan_desc.untagged = sta->sae->tmp->vlan_id;
764 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
765 wpa_printf(MSG_INFO,
766 "Invalid VLAN ID %d in sae_password",
767 sta->sae->tmp->vlan_id);
768 return;
769 }
770
771 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
772 ap_sta_bind_vlan(hapd, sta) < 0) {
773 wpa_printf(MSG_INFO,
774 "Failed to assign VLAN ID %d from sae_password to "
775 MACSTR, sta->sae->tmp->vlan_id,
776 MAC2STR(sta->addr));
777 return;
778 }
779 }
780 #endif /* CONFIG_NO_VLAN */
781
782 sta->flags |= WLAN_STA_AUTH;
783 sta->auth_alg = WLAN_AUTH_SAE;
784 mlme_authenticate_indication(hapd, sta);
785 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
786 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
787 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
788 sta->sae->pmk, sta->sae->pmkid);
789 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
790 }
791
792
793 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
794 const u8 *bssid, u16 auth_transaction, u16 status_code,
795 int allow_reuse, int *sta_removed)
796 {
797 int ret;
798
799 *sta_removed = 0;
800
801 if (auth_transaction != 1 && auth_transaction != 2)
802 return WLAN_STATUS_UNSPECIFIED_FAILURE;
803
804 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
805 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
806 auth_transaction);
807 switch (sta->sae->state) {
808 case SAE_NOTHING:
809 if (auth_transaction == 1) {
810 if (sta->sae->tmp)
811 sta->sae->tmp->h2e = status_code ==
812 WLAN_STATUS_SAE_HASH_TO_ELEMENT;
813 ret = auth_sae_send_commit(hapd, sta, bssid,
814 !allow_reuse);
815 if (ret)
816 return ret;
817 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
818
819 if (sae_process_commit(sta->sae) < 0)
820 return WLAN_STATUS_UNSPECIFIED_FAILURE;
821
822 /*
823 * In mesh case, both Commit and Confirm are sent
824 * immediately. In infrastructure BSS, by default, only
825 * a single Authentication frame (Commit) is expected
826 * from the AP here and the second one (Confirm) will
827 * be sent once the STA has sent its second
828 * Authentication frame (Confirm). This behavior can be
829 * overridden with explicit configuration so that the
830 * infrastructure BSS case sends both frames together.
831 */
832 if ((hapd->conf->mesh & MESH_ENABLED) ||
833 hapd->conf->sae_confirm_immediate) {
834 /*
835 * Send both Commit and Confirm immediately
836 * based on SAE finite state machine
837 * Nothing -> Confirm transition.
838 */
839 ret = auth_sae_send_confirm(hapd, sta, bssid);
840 if (ret)
841 return ret;
842 sae_set_state(sta, SAE_CONFIRMED,
843 "Sent Confirm (mesh)");
844 } else {
845 /*
846 * For infrastructure BSS, send only the Commit
847 * message now to get alternating sequence of
848 * Authentication frames between the AP and STA.
849 * Confirm will be sent in
850 * Committed -> Confirmed/Accepted transition
851 * when receiving Confirm from STA.
852 */
853 }
854 sta->sae->sync = 0;
855 sae_set_retransmit_timer(hapd, sta);
856 } else {
857 hostapd_logger(hapd, sta->addr,
858 HOSTAPD_MODULE_IEEE80211,
859 HOSTAPD_LEVEL_DEBUG,
860 "SAE confirm before commit");
861 }
862 break;
863 case SAE_COMMITTED:
864 sae_clear_retransmit_timer(hapd, sta);
865 if (auth_transaction == 1) {
866 if (sae_process_commit(sta->sae) < 0)
867 return WLAN_STATUS_UNSPECIFIED_FAILURE;
868
869 ret = auth_sae_send_confirm(hapd, sta, bssid);
870 if (ret)
871 return ret;
872 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
873 sta->sae->sync = 0;
874 sae_set_retransmit_timer(hapd, sta);
875 } else if (hapd->conf->mesh & MESH_ENABLED) {
876 /*
877 * In mesh case, follow SAE finite state machine and
878 * send Commit now, if sync count allows.
879 */
880 if (sae_check_big_sync(hapd, sta))
881 return WLAN_STATUS_SUCCESS;
882 sta->sae->sync++;
883
884 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
885 if (ret)
886 return ret;
887
888 sae_set_retransmit_timer(hapd, sta);
889 } else {
890 /*
891 * For instructure BSS, send the postponed Confirm from
892 * Nothing -> Confirmed transition that was reduced to
893 * Nothing -> Committed above.
894 */
895 ret = auth_sae_send_confirm(hapd, sta, bssid);
896 if (ret)
897 return ret;
898
899 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
900
901 /*
902 * Since this was triggered on Confirm RX, run another
903 * step to get to Accepted without waiting for
904 * additional events.
905 */
906 return sae_sm_step(hapd, sta, bssid, auth_transaction,
907 WLAN_STATUS_SUCCESS, 0, sta_removed);
908 }
909 break;
910 case SAE_CONFIRMED:
911 sae_clear_retransmit_timer(hapd, sta);
912 if (auth_transaction == 1) {
913 if (sae_check_big_sync(hapd, sta))
914 return WLAN_STATUS_SUCCESS;
915 sta->sae->sync++;
916
917 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
918 if (ret)
919 return ret;
920
921 if (sae_process_commit(sta->sae) < 0)
922 return WLAN_STATUS_UNSPECIFIED_FAILURE;
923
924 ret = auth_sae_send_confirm(hapd, sta, bssid);
925 if (ret)
926 return ret;
927
928 sae_set_retransmit_timer(hapd, sta);
929 } else {
930 sta->sae->send_confirm = 0xffff;
931 sae_accept_sta(hapd, sta);
932 }
933 break;
934 case SAE_ACCEPTED:
935 if (auth_transaction == 1 &&
936 (hapd->conf->mesh & MESH_ENABLED)) {
937 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
938 ") doing reauthentication",
939 MAC2STR(sta->addr));
940 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
941 ap_free_sta(hapd, sta);
942 *sta_removed = 1;
943 } else if (auth_transaction == 1) {
944 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
945 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
946 if (ret)
947 return ret;
948 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
949
950 if (sae_process_commit(sta->sae) < 0)
951 return WLAN_STATUS_UNSPECIFIED_FAILURE;
952 sta->sae->sync = 0;
953 sae_set_retransmit_timer(hapd, sta);
954 } else {
955 if (sae_check_big_sync(hapd, sta))
956 return WLAN_STATUS_SUCCESS;
957 sta->sae->sync++;
958
959 ret = auth_sae_send_confirm(hapd, sta, bssid);
960 sae_clear_temp_data(sta->sae);
961 if (ret)
962 return ret;
963 }
964 break;
965 default:
966 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
967 sta->sae->state);
968 return WLAN_STATUS_UNSPECIFIED_FAILURE;
969 }
970 return WLAN_STATUS_SUCCESS;
971 }
972
973
974 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
975 {
976 struct sae_data *sae = sta->sae;
977 int i, *groups = hapd->conf->sae_groups;
978 int default_groups[] = { 19, 0 };
979
980 if (sae->state != SAE_COMMITTED)
981 return;
982
983 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
984
985 if (!groups)
986 groups = default_groups;
987 for (i = 0; groups[i] > 0; i++) {
988 if (sae->group == groups[i])
989 break;
990 }
991
992 if (groups[i] <= 0) {
993 wpa_printf(MSG_DEBUG,
994 "SAE: Previously selected group not found from the current configuration");
995 return;
996 }
997
998 for (;;) {
999 i++;
1000 if (groups[i] <= 0) {
1001 wpa_printf(MSG_DEBUG,
1002 "SAE: No alternative group enabled");
1003 return;
1004 }
1005
1006 if (sae_set_group(sae, groups[i]) < 0)
1007 continue;
1008
1009 break;
1010 }
1011 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1012 }
1013
1014
1015 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1016 {
1017 return (hapd->conf->sae_pwe == 0 &&
1018 status_code == WLAN_STATUS_SUCCESS) ||
1019 (hapd->conf->sae_pwe == 1 &&
1020 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
1021 (hapd->conf->sae_pwe == 2 &&
1022 (status_code == WLAN_STATUS_SUCCESS ||
1023 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT));
1024 }
1025
1026
1027 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1028 {
1029 int *groups = hapd->conf->sae_groups;
1030 int default_groups[] = { 19, 0 };
1031 int i;
1032
1033 if (!groups)
1034 groups = default_groups;
1035
1036 for (i = 0; groups[i] > 0; i++) {
1037 if (groups[i] == group)
1038 return 1;
1039 }
1040
1041 return 0;
1042 }
1043
1044
1045 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1046 const struct wpabuf *groups)
1047 {
1048 size_t i, count;
1049 const u8 *pos;
1050
1051 if (!groups)
1052 return 0;
1053
1054 pos = wpabuf_head(groups);
1055 count = wpabuf_len(groups) / 2;
1056 for (i = 0; i < count; i++) {
1057 int enabled;
1058 u16 group;
1059
1060 group = WPA_GET_LE16(pos);
1061 pos += 2;
1062 enabled = sae_is_group_enabled(hapd, group);
1063 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1064 group, enabled ? "enabled" : "disabled");
1065 if (enabled)
1066 return 1;
1067 }
1068
1069 return 0;
1070 }
1071
1072
1073 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1074 const struct ieee80211_mgmt *mgmt, size_t len,
1075 u16 auth_transaction, u16 status_code)
1076 {
1077 int resp = WLAN_STATUS_SUCCESS;
1078 struct wpabuf *data = NULL;
1079 int *groups = hapd->conf->sae_groups;
1080 int default_groups[] = { 19, 0 };
1081 const u8 *pos, *end;
1082 int sta_removed = 0;
1083
1084 if (!groups)
1085 groups = default_groups;
1086
1087 #ifdef CONFIG_TESTING_OPTIONS
1088 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1089 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1090 pos = mgmt->u.auth.variable;
1091 end = ((const u8 *) mgmt) + len;
1092 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1093 auth_transaction, resp, pos, end - pos,
1094 "auth-sae-reflection-attack");
1095 goto remove_sta;
1096 }
1097
1098 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1099 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1100 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1101 auth_transaction, resp,
1102 wpabuf_head(hapd->conf->sae_commit_override),
1103 wpabuf_len(hapd->conf->sae_commit_override),
1104 "sae-commit-override");
1105 goto remove_sta;
1106 }
1107 #endif /* CONFIG_TESTING_OPTIONS */
1108 if (!sta->sae) {
1109 if (auth_transaction != 1 ||
1110 !sae_status_success(hapd, status_code)) {
1111 resp = -1;
1112 goto remove_sta;
1113 }
1114 sta->sae = os_zalloc(sizeof(*sta->sae));
1115 if (!sta->sae) {
1116 resp = -1;
1117 goto remove_sta;
1118 }
1119 sae_set_state(sta, SAE_NOTHING, "Init");
1120 sta->sae->sync = 0;
1121 }
1122
1123 if (sta->mesh_sae_pmksa_caching) {
1124 wpa_printf(MSG_DEBUG,
1125 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1126 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1127 sta->mesh_sae_pmksa_caching = 0;
1128 }
1129
1130 if (auth_transaction == 1) {
1131 const u8 *token = NULL;
1132 size_t token_len = 0;
1133 int allow_reuse = 0;
1134
1135 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1136 HOSTAPD_LEVEL_DEBUG,
1137 "start SAE authentication (RX commit, status=%u (%s))",
1138 status_code, status2str(status_code));
1139
1140 if ((hapd->conf->mesh & MESH_ENABLED) &&
1141 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1142 sta->sae->tmp) {
1143 pos = mgmt->u.auth.variable;
1144 end = ((const u8 *) mgmt) + len;
1145 if (pos + sizeof(le16) > end) {
1146 wpa_printf(MSG_ERROR,
1147 "SAE: Too short anti-clogging token request");
1148 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1149 goto reply;
1150 }
1151 resp = sae_group_allowed(sta->sae, groups,
1152 WPA_GET_LE16(pos));
1153 if (resp != WLAN_STATUS_SUCCESS) {
1154 wpa_printf(MSG_ERROR,
1155 "SAE: Invalid group in anti-clogging token request");
1156 goto reply;
1157 }
1158 pos += sizeof(le16);
1159
1160 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1161 sta->sae->tmp->anti_clogging_token =
1162 wpabuf_alloc_copy(pos, end - pos);
1163 if (sta->sae->tmp->anti_clogging_token == NULL) {
1164 wpa_printf(MSG_ERROR,
1165 "SAE: Failed to alloc for anti-clogging token");
1166 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1167 goto remove_sta;
1168 }
1169
1170 /*
1171 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1172 * is 76, a new Commit Message shall be constructed
1173 * with the Anti-Clogging Token from the received
1174 * Authentication frame, and the commit-scalar and
1175 * COMMIT-ELEMENT previously sent.
1176 */
1177 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
1178 if (resp != WLAN_STATUS_SUCCESS) {
1179 wpa_printf(MSG_ERROR,
1180 "SAE: Failed to send commit message");
1181 goto remove_sta;
1182 }
1183 sae_set_state(sta, SAE_COMMITTED,
1184 "Sent Commit (anti-clogging token case in mesh)");
1185 sta->sae->sync = 0;
1186 sae_set_retransmit_timer(hapd, sta);
1187 return;
1188 }
1189
1190 if ((hapd->conf->mesh & MESH_ENABLED) &&
1191 status_code ==
1192 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1193 sta->sae->tmp) {
1194 wpa_printf(MSG_DEBUG,
1195 "SAE: Peer did not accept our SAE group");
1196 sae_pick_next_group(hapd, sta);
1197 goto remove_sta;
1198 }
1199
1200 if (!sae_status_success(hapd, status_code))
1201 goto remove_sta;
1202
1203 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1204 sta->sae->state == SAE_COMMITTED) {
1205 /* This is needed in the infrastructure BSS case to
1206 * address a sequence where a STA entry may remain in
1207 * hostapd across two attempts to do SAE authentication
1208 * by the same STA. The second attempt may end up trying
1209 * to use a different group and that would not be
1210 * allowed if we remain in Committed state with the
1211 * previously set parameters. */
1212 pos = mgmt->u.auth.variable;
1213 end = ((const u8 *) mgmt) + len;
1214 if (end - pos >= (int) sizeof(le16) &&
1215 sae_group_allowed(sta->sae, groups,
1216 WPA_GET_LE16(pos)) ==
1217 WLAN_STATUS_SUCCESS) {
1218 /* Do not waste resources deriving the same PWE
1219 * again since the same group is reused. */
1220 sae_set_state(sta, SAE_NOTHING,
1221 "Allow previous PWE to be reused");
1222 allow_reuse = 1;
1223 } else {
1224 sae_set_state(sta, SAE_NOTHING,
1225 "Clear existing state to allow restart");
1226 sae_clear_data(sta->sae);
1227 }
1228 }
1229
1230 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1231 ((const u8 *) mgmt) + len -
1232 mgmt->u.auth.variable, &token,
1233 &token_len, groups, status_code ==
1234 WLAN_STATUS_SAE_HASH_TO_ELEMENT);
1235 if (resp == SAE_SILENTLY_DISCARD) {
1236 wpa_printf(MSG_DEBUG,
1237 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1238 MAC2STR(sta->addr));
1239 goto remove_sta;
1240 }
1241
1242 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1243 wpa_msg(hapd->msg_ctx, MSG_INFO,
1244 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1245 MACSTR, MAC2STR(sta->addr));
1246 sae_clear_retransmit_timer(hapd, sta);
1247 sae_set_state(sta, SAE_NOTHING,
1248 "Unknown Password Identifier");
1249 goto remove_sta;
1250 }
1251
1252 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1253 < 0) {
1254 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1255 "incorrect token from " MACSTR,
1256 MAC2STR(sta->addr));
1257 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1258 goto remove_sta;
1259 }
1260
1261 if (resp != WLAN_STATUS_SUCCESS)
1262 goto reply;
1263
1264 if (sta->sae->tmp &&
1265 check_sae_rejected_groups(
1266 hapd, sta->sae->tmp->peer_rejected_groups) < 0) {
1267 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1268 goto remove_sta;
1269 }
1270
1271 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1272 wpa_printf(MSG_DEBUG,
1273 "SAE: Request anti-clogging token from "
1274 MACSTR, MAC2STR(sta->addr));
1275 data = auth_build_token_req(hapd, sta->sae->group,
1276 sta->addr);
1277 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1278 if (hapd->conf->mesh & MESH_ENABLED)
1279 sae_set_state(sta, SAE_NOTHING,
1280 "Request anti-clogging token case in mesh");
1281 goto reply;
1282 }
1283
1284 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1285 status_code, allow_reuse, &sta_removed);
1286 } else if (auth_transaction == 2) {
1287 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1288 HOSTAPD_LEVEL_DEBUG,
1289 "SAE authentication (RX confirm, status=%u (%s))",
1290 status_code, status2str(status_code));
1291 if (status_code != WLAN_STATUS_SUCCESS)
1292 goto remove_sta;
1293 if (sta->sae->state >= SAE_CONFIRMED ||
1294 !(hapd->conf->mesh & MESH_ENABLED)) {
1295 const u8 *var;
1296 size_t var_len;
1297 u16 peer_send_confirm;
1298
1299 var = mgmt->u.auth.variable;
1300 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1301 if (var_len < 2) {
1302 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1303 goto reply;
1304 }
1305
1306 peer_send_confirm = WPA_GET_LE16(var);
1307
1308 if (sta->sae->state == SAE_ACCEPTED &&
1309 (peer_send_confirm <= sta->sae->rc ||
1310 peer_send_confirm == 0xffff)) {
1311 wpa_printf(MSG_DEBUG,
1312 "SAE: Silently ignore unexpected Confirm from peer "
1313 MACSTR
1314 " (peer-send-confirm=%u Rc=%u)",
1315 MAC2STR(sta->addr),
1316 peer_send_confirm, sta->sae->rc);
1317 return;
1318 }
1319
1320 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1321 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1322 goto reply;
1323 }
1324 sta->sae->rc = peer_send_confirm;
1325 }
1326 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1327 status_code, 0, &sta_removed);
1328 } else {
1329 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1330 HOSTAPD_LEVEL_DEBUG,
1331 "unexpected SAE authentication transaction %u (status=%u (%s))",
1332 auth_transaction, status_code,
1333 status2str(status_code));
1334 if (status_code != WLAN_STATUS_SUCCESS)
1335 goto remove_sta;
1336 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1337 }
1338
1339 reply:
1340 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1341 pos = mgmt->u.auth.variable;
1342 end = ((const u8 *) mgmt) + len;
1343
1344 /* Copy the Finite Cyclic Group field from the request if we
1345 * rejected it as unsupported group. */
1346 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1347 !data && end - pos >= 2)
1348 data = wpabuf_alloc_copy(pos, 2);
1349
1350 sae_sme_send_external_auth_status(hapd, sta, resp);
1351 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1352 auth_transaction, resp,
1353 data ? wpabuf_head(data) : (u8 *) "",
1354 data ? wpabuf_len(data) : 0, "auth-sae");
1355 }
1356
1357 remove_sta:
1358 if (!sta_removed && sta->added_unassoc &&
1359 (resp != WLAN_STATUS_SUCCESS ||
1360 status_code != WLAN_STATUS_SUCCESS)) {
1361 hostapd_drv_sta_remove(hapd, sta->addr);
1362 sta->added_unassoc = 0;
1363 }
1364 wpabuf_free(data);
1365 }
1366
1367
1368 /**
1369 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1370 * @hapd: BSS data for the device initiating the authentication
1371 * @sta: the peer to which commit authentication frame is sent
1372 *
1373 * This function implements Init event handling (IEEE Std 802.11-2012,
1374 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1375 * sta->sae structure should be initialized appropriately via a call to
1376 * sae_prepare_commit().
1377 */
1378 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1379 {
1380 int ret;
1381
1382 if (!sta->sae || !sta->sae->tmp)
1383 return -1;
1384
1385 if (sta->sae->state != SAE_NOTHING)
1386 return -1;
1387
1388 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1389 if (ret)
1390 return -1;
1391
1392 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1393 sta->sae->sync = 0;
1394 sae_set_retransmit_timer(hapd, sta);
1395
1396 return 0;
1397 }
1398
1399
1400 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1401 {
1402 struct hostapd_data *hapd = eloop_ctx;
1403 struct hostapd_sae_commit_queue *q;
1404 unsigned int queue_len;
1405
1406 q = dl_list_first(&hapd->sae_commit_queue,
1407 struct hostapd_sae_commit_queue, list);
1408 if (!q)
1409 return;
1410 wpa_printf(MSG_DEBUG,
1411 "SAE: Process next available message from queue");
1412 dl_list_del(&q->list);
1413 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1414 q->rssi, 1);
1415 os_free(q);
1416
1417 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1418 return;
1419 queue_len = dl_list_len(&hapd->sae_commit_queue);
1420 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1421 hapd, NULL);
1422 }
1423
1424
1425 static void auth_sae_queue(struct hostapd_data *hapd,
1426 const struct ieee80211_mgmt *mgmt, size_t len,
1427 int rssi)
1428 {
1429 struct hostapd_sae_commit_queue *q, *q2;
1430 unsigned int queue_len;
1431 const struct ieee80211_mgmt *mgmt2;
1432
1433 queue_len = dl_list_len(&hapd->sae_commit_queue);
1434 if (queue_len >= 15) {
1435 wpa_printf(MSG_DEBUG,
1436 "SAE: No more room in message queue - drop the new frame from "
1437 MACSTR, MAC2STR(mgmt->sa));
1438 return;
1439 }
1440
1441 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1442 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1443 queue_len);
1444 q = os_zalloc(sizeof(*q) + len);
1445 if (!q)
1446 return;
1447 q->rssi = rssi;
1448 q->len = len;
1449 os_memcpy(q->msg, mgmt, len);
1450
1451 /* Check whether there is already a queued Authentication frame from the
1452 * same station with the same transaction number and if so, replace that
1453 * queue entry with the new one. This avoids issues with a peer that
1454 * sends multiple times (e.g., due to frequent SAE retries). There is no
1455 * point in us trying to process the old attempts after a new one has
1456 * obsoleted them. */
1457 dl_list_for_each(q2, &hapd->sae_commit_queue,
1458 struct hostapd_sae_commit_queue, list) {
1459 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1460 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1461 mgmt->u.auth.auth_transaction ==
1462 mgmt2->u.auth.auth_transaction) {
1463 wpa_printf(MSG_DEBUG,
1464 "SAE: Replace queued message from same STA with same transaction number");
1465 dl_list_add(&q2->list, &q->list);
1466 dl_list_del(&q2->list);
1467 os_free(q2);
1468 goto queued;
1469 }
1470 }
1471
1472 /* No pending identical entry, so add to the end of the queue */
1473 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1474
1475 queued:
1476 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1477 return;
1478 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1479 hapd, NULL);
1480 }
1481
1482
1483 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1484 {
1485 struct hostapd_sae_commit_queue *q;
1486 const struct ieee80211_mgmt *mgmt;
1487
1488 dl_list_for_each(q, &hapd->sae_commit_queue,
1489 struct hostapd_sae_commit_queue, list) {
1490 mgmt = (const struct ieee80211_mgmt *) q->msg;
1491 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1492 return 1;
1493 }
1494
1495 return 0;
1496 }
1497
1498 #endif /* CONFIG_SAE */
1499
1500
1501 static u16 wpa_res_to_status_code(int res)
1502 {
1503 if (res == WPA_INVALID_GROUP)
1504 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1505 if (res == WPA_INVALID_PAIRWISE)
1506 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1507 if (res == WPA_INVALID_AKMP)
1508 return WLAN_STATUS_AKMP_NOT_VALID;
1509 if (res == WPA_ALLOC_FAIL)
1510 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1512 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1513 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1514 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1515 if (res == WPA_INVALID_MDIE)
1516 return WLAN_STATUS_INVALID_MDIE;
1517 if (res == WPA_INVALID_PMKID)
1518 return WLAN_STATUS_INVALID_PMKID;
1519 if (res != WPA_IE_OK)
1520 return WLAN_STATUS_INVALID_IE;
1521 return WLAN_STATUS_SUCCESS;
1522 }
1523
1524
1525 #ifdef CONFIG_FILS
1526
1527 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1528 struct sta_info *sta, u16 resp,
1529 struct wpabuf *data, int pub);
1530
1531 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1532 const u8 *pos, size_t len, u16 auth_alg,
1533 u16 auth_transaction, u16 status_code,
1534 void (*cb)(struct hostapd_data *hapd,
1535 struct sta_info *sta, u16 resp,
1536 struct wpabuf *data, int pub))
1537 {
1538 u16 resp = WLAN_STATUS_SUCCESS;
1539 const u8 *end;
1540 struct ieee802_11_elems elems;
1541 int res;
1542 struct wpa_ie_data rsn;
1543 struct rsn_pmksa_cache_entry *pmksa = NULL;
1544
1545 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1546 return;
1547
1548 end = pos + len;
1549
1550 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1551 pos, end - pos);
1552
1553 /* TODO: FILS PK */
1554 #ifdef CONFIG_FILS_SK_PFS
1555 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1556 u16 group;
1557 struct wpabuf *pub;
1558 size_t elem_len;
1559
1560 /* Using FILS PFS */
1561
1562 /* Finite Cyclic Group */
1563 if (end - pos < 2) {
1564 wpa_printf(MSG_DEBUG,
1565 "FILS: No room for Finite Cyclic Group");
1566 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1567 goto fail;
1568 }
1569 group = WPA_GET_LE16(pos);
1570 pos += 2;
1571 if (group != hapd->conf->fils_dh_group) {
1572 wpa_printf(MSG_DEBUG,
1573 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1574 group, hapd->conf->fils_dh_group);
1575 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1576 goto fail;
1577 }
1578
1579 crypto_ecdh_deinit(sta->fils_ecdh);
1580 sta->fils_ecdh = crypto_ecdh_init(group);
1581 if (!sta->fils_ecdh) {
1582 wpa_printf(MSG_INFO,
1583 "FILS: Could not initialize ECDH with group %d",
1584 group);
1585 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1586 goto fail;
1587 }
1588
1589 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1590 if (!pub) {
1591 wpa_printf(MSG_DEBUG,
1592 "FILS: Failed to derive ECDH public key");
1593 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1594 goto fail;
1595 }
1596 elem_len = wpabuf_len(pub);
1597 wpabuf_free(pub);
1598
1599 /* Element */
1600 if ((size_t) (end - pos) < elem_len) {
1601 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1602 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1603 goto fail;
1604 }
1605
1606 wpabuf_free(sta->fils_g_sta);
1607 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1608 wpabuf_clear_free(sta->fils_dh_ss);
1609 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1610 pos, elem_len);
1611 if (!sta->fils_dh_ss) {
1612 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1613 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1614 goto fail;
1615 }
1616 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1617 pos += elem_len;
1618 } else {
1619 crypto_ecdh_deinit(sta->fils_ecdh);
1620 sta->fils_ecdh = NULL;
1621 wpabuf_clear_free(sta->fils_dh_ss);
1622 sta->fils_dh_ss = NULL;
1623 }
1624 #endif /* CONFIG_FILS_SK_PFS */
1625
1626 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1627 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1628 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1629 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1630 goto fail;
1631 }
1632
1633 /* RSNE */
1634 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1635 elems.rsn_ie, elems.rsn_ie_len);
1636 if (!elems.rsn_ie ||
1637 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1638 &rsn) < 0) {
1639 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1640 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1641 goto fail;
1642 }
1643
1644 if (!sta->wpa_sm)
1645 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1646 NULL);
1647 if (!sta->wpa_sm) {
1648 wpa_printf(MSG_DEBUG,
1649 "FILS: Failed to initialize RSN state machine");
1650 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1651 goto fail;
1652 }
1653
1654 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1655 hapd->iface->freq,
1656 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1657 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1658 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1659 elems.mdie, elems.mdie_len, NULL, 0);
1660 resp = wpa_res_to_status_code(res);
1661 if (resp != WLAN_STATUS_SUCCESS)
1662 goto fail;
1663
1664 if (!elems.fils_nonce) {
1665 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1666 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1667 goto fail;
1668 }
1669 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1670 FILS_NONCE_LEN);
1671 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1672
1673 /* PMKID List */
1674 if (rsn.pmkid && rsn.num_pmkid > 0) {
1675 u8 num;
1676 const u8 *pmkid;
1677
1678 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1679 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1680
1681 pmkid = rsn.pmkid;
1682 num = rsn.num_pmkid;
1683 while (num) {
1684 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1685 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1686 pmkid);
1687 if (pmksa)
1688 break;
1689 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1690 sta->addr,
1691 pmkid);
1692 if (pmksa)
1693 break;
1694 pmkid += PMKID_LEN;
1695 num--;
1696 }
1697 }
1698 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1699 wpa_printf(MSG_DEBUG,
1700 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1701 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1702 pmksa = NULL;
1703 }
1704 if (pmksa)
1705 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1706
1707 /* FILS Session */
1708 if (!elems.fils_session) {
1709 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1710 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1711 goto fail;
1712 }
1713 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1714 FILS_SESSION_LEN);
1715 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1716
1717 /* FILS Wrapped Data */
1718 if (elems.fils_wrapped_data) {
1719 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1720 elems.fils_wrapped_data,
1721 elems.fils_wrapped_data_len);
1722 if (!pmksa) {
1723 #ifndef CONFIG_NO_RADIUS
1724 if (!sta->eapol_sm) {
1725 sta->eapol_sm =
1726 ieee802_1x_alloc_eapol_sm(hapd, sta);
1727 }
1728 wpa_printf(MSG_DEBUG,
1729 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1730 ieee802_1x_encapsulate_radius(
1731 hapd, sta, elems.fils_wrapped_data,
1732 elems.fils_wrapped_data_len);
1733 sta->fils_pending_cb = cb;
1734 wpa_printf(MSG_DEBUG,
1735 "FILS: Will send Authentication frame once the response from authentication server is available");
1736 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1737 /* Calculate pending PMKID here so that we do not need
1738 * to maintain a copy of the EAP-Initiate/Reauth
1739 * message. */
1740 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1741 elems.fils_wrapped_data,
1742 elems.fils_wrapped_data_len,
1743 sta->fils_erp_pmkid) == 0)
1744 sta->fils_erp_pmkid_set = 1;
1745 return;
1746 #else /* CONFIG_NO_RADIUS */
1747 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1748 goto fail;
1749 #endif /* CONFIG_NO_RADIUS */
1750 }
1751 }
1752
1753 fail:
1754 if (cb) {
1755 struct wpabuf *data;
1756 int pub = 0;
1757
1758 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1759 NULL, 0, &pub);
1760 if (!data) {
1761 wpa_printf(MSG_DEBUG,
1762 "%s: prepare_auth_resp_fils() returned failure",
1763 __func__);
1764 }
1765
1766 cb(hapd, sta, resp, data, pub);
1767 }
1768 }
1769
1770
1771 static struct wpabuf *
1772 prepare_auth_resp_fils(struct hostapd_data *hapd,
1773 struct sta_info *sta, u16 *resp,
1774 struct rsn_pmksa_cache_entry *pmksa,
1775 struct wpabuf *erp_resp,
1776 const u8 *msk, size_t msk_len,
1777 int *is_pub)
1778 {
1779 u8 fils_nonce[FILS_NONCE_LEN];
1780 size_t ielen;
1781 struct wpabuf *data = NULL;
1782 const u8 *ie;
1783 u8 *ie_buf = NULL;
1784 const u8 *pmk = NULL;
1785 size_t pmk_len = 0;
1786 u8 pmk_buf[PMK_LEN_MAX];
1787 struct wpabuf *pub = NULL;
1788
1789 if (*resp != WLAN_STATUS_SUCCESS)
1790 goto fail;
1791
1792 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1793 if (!ie) {
1794 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1795 goto fail;
1796 }
1797
1798 if (pmksa) {
1799 /* Add PMKID of the selected PMKSA into RSNE */
1800 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1801 if (!ie_buf) {
1802 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1803 goto fail;
1804 }
1805
1806 os_memcpy(ie_buf, ie, ielen);
1807 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1808 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1809 goto fail;
1810 }
1811 ie = ie_buf;
1812 }
1813
1814 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1815 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1816 goto fail;
1817 }
1818 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1819 fils_nonce, FILS_NONCE_LEN);
1820
1821 #ifdef CONFIG_FILS_SK_PFS
1822 if (sta->fils_dh_ss && sta->fils_ecdh) {
1823 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1824 if (!pub) {
1825 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1826 goto fail;
1827 }
1828 }
1829 #endif /* CONFIG_FILS_SK_PFS */
1830
1831 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1832 if (!data) {
1833 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1834 goto fail;
1835 }
1836
1837 /* TODO: FILS PK */
1838 #ifdef CONFIG_FILS_SK_PFS
1839 if (pub) {
1840 /* Finite Cyclic Group */
1841 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1842
1843 /* Element */
1844 wpabuf_put_buf(data, pub);
1845 }
1846 #endif /* CONFIG_FILS_SK_PFS */
1847
1848 /* RSNE */
1849 wpabuf_put_data(data, ie, ielen);
1850
1851 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1852
1853 #ifdef CONFIG_IEEE80211R_AP
1854 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1855 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1856 int res;
1857 int use_sha384 = wpa_key_mgmt_sha384(
1858 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1859
1860 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1861 wpabuf_put(data, 0),
1862 wpabuf_tailroom(data));
1863 if (res < 0) {
1864 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1865 goto fail;
1866 }
1867 wpabuf_put(data, res);
1868 }
1869 #endif /* CONFIG_IEEE80211R_AP */
1870
1871 /* FILS Nonce */
1872 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1873 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1874 /* Element ID Extension */
1875 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1876 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1877
1878 /* FILS Session */
1879 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1880 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1881 /* Element ID Extension */
1882 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1883 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1884
1885 /* FILS Wrapped Data */
1886 if (!pmksa && erp_resp) {
1887 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1888 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1889 /* Element ID Extension */
1890 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1891 wpabuf_put_buf(data, erp_resp);
1892
1893 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1894 msk, msk_len, sta->fils_snonce, fils_nonce,
1895 sta->fils_dh_ss ?
1896 wpabuf_head(sta->fils_dh_ss) : NULL,
1897 sta->fils_dh_ss ?
1898 wpabuf_len(sta->fils_dh_ss) : 0,
1899 pmk_buf, &pmk_len)) {
1900 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1901 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1902 wpabuf_free(data);
1903 data = NULL;
1904 goto fail;
1905 }
1906 pmk = pmk_buf;
1907
1908 /* Don't use DHss in PTK derivation if PMKSA caching is not
1909 * used. */
1910 wpabuf_clear_free(sta->fils_dh_ss);
1911 sta->fils_dh_ss = NULL;
1912
1913 if (sta->fils_erp_pmkid_set) {
1914 /* TODO: get PMKLifetime from WPA parameters */
1915 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1916 int session_timeout;
1917
1918 session_timeout = dot11RSNAConfigPMKLifetime;
1919 if (sta->session_timeout_set) {
1920 struct os_reltime now, diff;
1921
1922 os_get_reltime(&now);
1923 os_reltime_sub(&sta->session_timeout, &now,
1924 &diff);
1925 session_timeout = diff.sec;
1926 }
1927
1928 sta->fils_erp_pmkid_set = 0;
1929 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
1930 sta->fils_erp_pmkid);
1931 if (!hapd->conf->disable_pmksa_caching &&
1932 wpa_auth_pmksa_add2(
1933 hapd->wpa_auth, sta->addr,
1934 pmk, pmk_len,
1935 sta->fils_erp_pmkid,
1936 session_timeout,
1937 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1938 wpa_printf(MSG_ERROR,
1939 "FILS: Failed to add PMKSA cache entry based on ERP");
1940 }
1941 }
1942 } else if (pmksa) {
1943 pmk = pmksa->pmk;
1944 pmk_len = pmksa->pmk_len;
1945 }
1946
1947 if (!pmk) {
1948 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1949 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1950 wpabuf_free(data);
1951 data = NULL;
1952 goto fail;
1953 }
1954
1955 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1956 sta->fils_snonce, fils_nonce,
1957 sta->fils_dh_ss ?
1958 wpabuf_head(sta->fils_dh_ss) : NULL,
1959 sta->fils_dh_ss ?
1960 wpabuf_len(sta->fils_dh_ss) : 0,
1961 sta->fils_g_sta, pub) < 0) {
1962 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1963 wpabuf_free(data);
1964 data = NULL;
1965 goto fail;
1966 }
1967
1968 fail:
1969 if (is_pub)
1970 *is_pub = pub != NULL;
1971 os_free(ie_buf);
1972 wpabuf_free(pub);
1973 wpabuf_clear_free(sta->fils_dh_ss);
1974 sta->fils_dh_ss = NULL;
1975 #ifdef CONFIG_FILS_SK_PFS
1976 crypto_ecdh_deinit(sta->fils_ecdh);
1977 sta->fils_ecdh = NULL;
1978 #endif /* CONFIG_FILS_SK_PFS */
1979 return data;
1980 }
1981
1982
1983 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1984 struct sta_info *sta, u16 resp,
1985 struct wpabuf *data, int pub)
1986 {
1987 u16 auth_alg;
1988
1989 auth_alg = (pub ||
1990 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1991 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1992 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1993 data ? wpabuf_head(data) : (u8 *) "",
1994 data ? wpabuf_len(data) : 0, "auth-fils-finish");
1995 wpabuf_free(data);
1996
1997 if (resp == WLAN_STATUS_SUCCESS) {
1998 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1999 HOSTAPD_LEVEL_DEBUG,
2000 "authentication OK (FILS)");
2001 sta->flags |= WLAN_STA_AUTH;
2002 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2003 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2004 mlme_authenticate_indication(hapd, sta);
2005 }
2006 }
2007
2008
2009 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2010 struct sta_info *sta, int success,
2011 struct wpabuf *erp_resp,
2012 const u8 *msk, size_t msk_len)
2013 {
2014 struct wpabuf *data;
2015 int pub = 0;
2016 u16 resp;
2017
2018 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2019
2020 if (!sta->fils_pending_cb)
2021 return;
2022 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2023 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2024 msk, msk_len, &pub);
2025 if (!data) {
2026 wpa_printf(MSG_DEBUG,
2027 "%s: prepare_auth_resp_fils() returned failure",
2028 __func__);
2029 }
2030 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2031 }
2032
2033 #endif /* CONFIG_FILS */
2034
2035
2036 int
2037 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2038 const u8 *msg, size_t len, u32 *session_timeout,
2039 u32 *acct_interim_interval,
2040 struct vlan_description *vlan_id,
2041 struct hostapd_sta_wpa_psk_short **psk,
2042 char **identity, char **radius_cui, int is_probe_req)
2043 {
2044 int res;
2045
2046 os_memset(vlan_id, 0, sizeof(*vlan_id));
2047 res = hostapd_allowed_address(hapd, addr, msg, len,
2048 session_timeout, acct_interim_interval,
2049 vlan_id, psk, identity, radius_cui,
2050 is_probe_req);
2051
2052 if (res == HOSTAPD_ACL_REJECT) {
2053 if (!is_probe_req)
2054 wpa_printf(MSG_DEBUG,
2055 "Station " MACSTR
2056 " not allowed to authenticate",
2057 MAC2STR(addr));
2058 return HOSTAPD_ACL_REJECT;
2059 }
2060
2061 if (res == HOSTAPD_ACL_PENDING) {
2062 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2063 " waiting for an external authentication",
2064 MAC2STR(addr));
2065 /* Authentication code will re-send the authentication frame
2066 * after it has received (and cached) information from the
2067 * external source. */
2068 return HOSTAPD_ACL_PENDING;
2069 }
2070
2071 return res;
2072 }
2073
2074
2075 static int
2076 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2077 int res, u32 session_timeout,
2078 u32 acct_interim_interval,
2079 struct vlan_description *vlan_id,
2080 struct hostapd_sta_wpa_psk_short **psk,
2081 char **identity, char **radius_cui)
2082 {
2083 if (vlan_id->notempty &&
2084 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2085 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2086 HOSTAPD_LEVEL_INFO,
2087 "Invalid VLAN %d%s received from RADIUS server",
2088 vlan_id->untagged,
2089 vlan_id->tagged[0] ? "+" : "");
2090 return -1;
2091 }
2092 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2093 return -1;
2094 if (sta->vlan_id)
2095 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2096 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2097
2098 hostapd_free_psk_list(sta->psk);
2099 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
2100 sta->psk = *psk;
2101 *psk = NULL;
2102 } else {
2103 sta->psk = NULL;
2104 }
2105
2106 os_free(sta->identity);
2107 sta->identity = *identity;
2108 *identity = NULL;
2109
2110 os_free(sta->radius_cui);
2111 sta->radius_cui = *radius_cui;
2112 *radius_cui = NULL;
2113
2114 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2115 sta->acct_interim_interval = acct_interim_interval;
2116 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2117 sta->session_timeout_set = 1;
2118 os_get_reltime(&sta->session_timeout);
2119 sta->session_timeout.sec += session_timeout;
2120 ap_sta_session_timeout(hapd, sta, session_timeout);
2121 } else {
2122 sta->session_timeout_set = 0;
2123 ap_sta_no_session_timeout(hapd, sta);
2124 }
2125
2126 return 0;
2127 }
2128
2129
2130 static void handle_auth(struct hostapd_data *hapd,
2131 const struct ieee80211_mgmt *mgmt, size_t len,
2132 int rssi, int from_queue)
2133 {
2134 u16 auth_alg, auth_transaction, status_code;
2135 u16 resp = WLAN_STATUS_SUCCESS;
2136 struct sta_info *sta = NULL;
2137 int res, reply_res;
2138 u16 fc;
2139 const u8 *challenge = NULL;
2140 u32 session_timeout, acct_interim_interval;
2141 struct vlan_description vlan_id;
2142 struct hostapd_sta_wpa_psk_short *psk = NULL;
2143 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2144 size_t resp_ies_len = 0;
2145 char *identity = NULL;
2146 char *radius_cui = NULL;
2147 u16 seq_ctrl;
2148
2149 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2150 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2151 (unsigned long) len);
2152 return;
2153 }
2154
2155 #ifdef CONFIG_TESTING_OPTIONS
2156 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2157 drand48() < hapd->iconf->ignore_auth_probability) {
2158 wpa_printf(MSG_INFO,
2159 "TESTING: ignoring auth frame from " MACSTR,
2160 MAC2STR(mgmt->sa));
2161 return;
2162 }
2163 #endif /* CONFIG_TESTING_OPTIONS */
2164
2165 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2166 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2167 status_code = le_to_host16(mgmt->u.auth.status_code);
2168 fc = le_to_host16(mgmt->frame_control);
2169 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2170
2171 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2172 2 + WLAN_AUTH_CHALLENGE_LEN &&
2173 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2174 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2175 challenge = &mgmt->u.auth.variable[2];
2176
2177 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2178 "auth_transaction=%d status_code=%d wep=%d%s "
2179 "seq_ctrl=0x%x%s%s",
2180 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2181 status_code, !!(fc & WLAN_FC_ISWEP),
2182 challenge ? " challenge" : "",
2183 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2184 from_queue ? " (from queue)" : "");
2185
2186 #ifdef CONFIG_NO_RC4
2187 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2188 wpa_printf(MSG_INFO,
2189 "Unsupported authentication algorithm (%d)",
2190 auth_alg);
2191 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2192 goto fail;
2193 }
2194 #endif /* CONFIG_NO_RC4 */
2195
2196 if (hapd->tkip_countermeasures) {
2197 wpa_printf(MSG_DEBUG,
2198 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2199 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2200 goto fail;
2201 }
2202
2203 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2204 auth_alg == WLAN_AUTH_OPEN) ||
2205 #ifdef CONFIG_IEEE80211R_AP
2206 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2207 auth_alg == WLAN_AUTH_FT) ||
2208 #endif /* CONFIG_IEEE80211R_AP */
2209 #ifdef CONFIG_SAE
2210 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2211 auth_alg == WLAN_AUTH_SAE) ||
2212 #endif /* CONFIG_SAE */
2213 #ifdef CONFIG_FILS
2214 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2215 auth_alg == WLAN_AUTH_FILS_SK) ||
2216 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2217 hapd->conf->fils_dh_group &&
2218 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2219 #endif /* CONFIG_FILS */
2220 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2221 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2222 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2223 auth_alg);
2224 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2225 goto fail;
2226 }
2227
2228 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2229 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2230 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2231 auth_transaction);
2232 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2233 goto fail;
2234 }
2235
2236 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2237 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2238 MAC2STR(mgmt->sa));
2239 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2240 goto fail;
2241 }
2242
2243 if (hapd->conf->no_auth_if_seen_on) {
2244 struct hostapd_data *other;
2245
2246 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2247 hapd->conf->no_auth_if_seen_on);
2248 if (other) {
2249 u8 *pos;
2250 u32 info;
2251 u8 op_class, channel, phytype;
2252
2253 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2254 MACSTR " since STA has been seen on %s",
2255 hapd->conf->iface, MAC2STR(mgmt->sa),
2256 hapd->conf->no_auth_if_seen_on);
2257
2258 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2259 pos = &resp_ies[0];
2260 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2261 *pos++ = 13;
2262 os_memcpy(pos, other->own_addr, ETH_ALEN);
2263 pos += ETH_ALEN;
2264 info = 0; /* TODO: BSSID Information */
2265 WPA_PUT_LE32(pos, info);
2266 pos += 4;
2267 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2268 phytype = 8; /* dmg */
2269 else if (other->iconf->ieee80211ac)
2270 phytype = 9; /* vht */
2271 else if (other->iconf->ieee80211n)
2272 phytype = 7; /* ht */
2273 else if (other->iconf->hw_mode ==
2274 HOSTAPD_MODE_IEEE80211A)
2275 phytype = 4; /* ofdm */
2276 else if (other->iconf->hw_mode ==
2277 HOSTAPD_MODE_IEEE80211G)
2278 phytype = 6; /* erp */
2279 else
2280 phytype = 5; /* hrdsss */
2281 if (ieee80211_freq_to_channel_ext(
2282 hostapd_hw_get_freq(other,
2283 other->iconf->channel),
2284 other->iconf->secondary_channel,
2285 other->iconf->ieee80211ac,
2286 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2287 op_class = 0;
2288 channel = other->iconf->channel;
2289 }
2290 *pos++ = op_class;
2291 *pos++ = channel;
2292 *pos++ = phytype;
2293 resp_ies_len = pos - &resp_ies[0];
2294 goto fail;
2295 }
2296 }
2297
2298 res = ieee802_11_allowed_address(
2299 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
2300 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui,
2301 0);
2302 if (res == HOSTAPD_ACL_REJECT) {
2303 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2304 "Ignore Authentication frame from " MACSTR
2305 " due to ACL reject", MAC2STR(mgmt->sa));
2306 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2307 goto fail;
2308 }
2309 if (res == HOSTAPD_ACL_PENDING)
2310 return;
2311
2312 #ifdef CONFIG_SAE
2313 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2314 (auth_transaction == 1 ||
2315 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2316 /* Handle SAE Authentication commit message through a queue to
2317 * provide more control for postponing the needed heavy
2318 * processing under a possible DoS attack scenario. In addition,
2319 * queue SAE Authentication confirm message if there happens to
2320 * be a queued commit message from the same peer. This is needed
2321 * to avoid reordering Authentication frames within the same
2322 * SAE exchange. */
2323 auth_sae_queue(hapd, mgmt, len, rssi);
2324 return;
2325 }
2326 #endif /* CONFIG_SAE */
2327
2328 sta = ap_get_sta(hapd, mgmt->sa);
2329 if (sta) {
2330 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2331 sta->ft_over_ds = 0;
2332 if ((fc & WLAN_FC_RETRY) &&
2333 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2334 sta->last_seq_ctrl == seq_ctrl &&
2335 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2336 hostapd_logger(hapd, sta->addr,
2337 HOSTAPD_MODULE_IEEE80211,
2338 HOSTAPD_LEVEL_DEBUG,
2339 "Drop repeated authentication frame seq_ctrl=0x%x",
2340 seq_ctrl);
2341 return;
2342 }
2343 #ifdef CONFIG_MESH
2344 if ((hapd->conf->mesh & MESH_ENABLED) &&
2345 sta->plink_state == PLINK_BLOCKED) {
2346 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2347 " is blocked - drop Authentication frame",
2348 MAC2STR(mgmt->sa));
2349 return;
2350 }
2351 #endif /* CONFIG_MESH */
2352 } else {
2353 #ifdef CONFIG_MESH
2354 if (hapd->conf->mesh & MESH_ENABLED) {
2355 /* if the mesh peer is not available, we don't do auth.
2356 */
2357 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2358 " not yet known - drop Authentication frame",
2359 MAC2STR(mgmt->sa));
2360 /*
2361 * Save a copy of the frame so that it can be processed
2362 * if a new peer entry is added shortly after this.
2363 */
2364 wpabuf_free(hapd->mesh_pending_auth);
2365 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2366 os_get_reltime(&hapd->mesh_pending_auth_time);
2367 return;
2368 }
2369 #endif /* CONFIG_MESH */
2370
2371 sta = ap_sta_add(hapd, mgmt->sa);
2372 if (!sta) {
2373 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2374 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2375 goto fail;
2376 }
2377 }
2378 sta->last_seq_ctrl = seq_ctrl;
2379 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2380 #ifdef CONFIG_MBO
2381 sta->auth_rssi = rssi;
2382 #endif /* CONFIG_MBO */
2383
2384 res = ieee802_11_set_radius_info(
2385 hapd, sta, res, session_timeout, acct_interim_interval,
2386 &vlan_id, &psk, &identity, &radius_cui);
2387 if (res) {
2388 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2389 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2390 goto fail;
2391 }
2392
2393 sta->flags &= ~WLAN_STA_PREAUTH;
2394 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2395
2396 /*
2397 * If the driver supports full AP client state, add a station to the
2398 * driver before sending authentication reply to make sure the driver
2399 * has resources, and not to go through the entire authentication and
2400 * association handshake, and fail it at the end.
2401 *
2402 * If this is not the first transaction, in a multi-step authentication
2403 * algorithm, the station already exists in the driver
2404 * (sta->added_unassoc = 1) so skip it.
2405 *
2406 * In mesh mode, the station was already added to the driver when the
2407 * NEW_PEER_CANDIDATE event is received.
2408 *
2409 * If PMF was negotiated for the existing association, skip this to
2410 * avoid dropping the STA entry and the associated keys. This is needed
2411 * to allow the original connection work until the attempt can complete
2412 * (re)association, so that unprotected Authentication frame cannot be
2413 * used to bypass PMF protection.
2414 */
2415 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2416 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2417 !(hapd->conf->mesh & MESH_ENABLED) &&
2418 !(sta->added_unassoc)) {
2419 /*
2420 * If a station that is already associated to the AP, is trying
2421 * to authenticate again, remove the STA entry, in order to make
2422 * sure the STA PS state gets cleared and configuration gets
2423 * updated. To handle this, station's added_unassoc flag is
2424 * cleared once the station has completed association.
2425 */
2426 ap_sta_set_authorized(hapd, sta, 0);
2427 hostapd_drv_sta_remove(hapd, sta->addr);
2428 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2429 WLAN_STA_AUTHORIZED);
2430
2431 if (hostapd_sta_add(hapd, sta->addr, 0, 0,
2432 sta->supported_rates,
2433 sta->supported_rates_len,
2434 0, NULL, NULL, NULL, 0,
2435 sta->flags, 0, 0, 0, 0)) {
2436 hostapd_logger(hapd, sta->addr,
2437 HOSTAPD_MODULE_IEEE80211,
2438 HOSTAPD_LEVEL_NOTICE,
2439 "Could not add STA to kernel driver");
2440 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2441 goto fail;
2442 }
2443
2444 sta->added_unassoc = 1;
2445 }
2446
2447 switch (auth_alg) {
2448 case WLAN_AUTH_OPEN:
2449 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2450 HOSTAPD_LEVEL_DEBUG,
2451 "authentication OK (open system)");
2452 sta->flags |= WLAN_STA_AUTH;
2453 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2454 sta->auth_alg = WLAN_AUTH_OPEN;
2455 mlme_authenticate_indication(hapd, sta);
2456 break;
2457 #ifndef CONFIG_NO_RC4
2458 case WLAN_AUTH_SHARED_KEY:
2459 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2460 fc & WLAN_FC_ISWEP);
2461 if (resp != 0)
2462 wpa_printf(MSG_DEBUG,
2463 "auth_shared_key() failed: status=%d", resp);
2464 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2465 mlme_authenticate_indication(hapd, sta);
2466 if (sta->challenge && auth_transaction == 1) {
2467 resp_ies[0] = WLAN_EID_CHALLENGE;
2468 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2469 os_memcpy(resp_ies + 2, sta->challenge,
2470 WLAN_AUTH_CHALLENGE_LEN);
2471 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2472 }
2473 break;
2474 #endif /* CONFIG_NO_RC4 */
2475 #ifdef CONFIG_IEEE80211R_AP
2476 case WLAN_AUTH_FT:
2477 sta->auth_alg = WLAN_AUTH_FT;
2478 if (sta->wpa_sm == NULL)
2479 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2480 sta->addr, NULL);
2481 if (sta->wpa_sm == NULL) {
2482 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2483 "state machine");
2484 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2485 goto fail;
2486 }
2487 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2488 auth_transaction, mgmt->u.auth.variable,
2489 len - IEEE80211_HDRLEN -
2490 sizeof(mgmt->u.auth),
2491 handle_auth_ft_finish, hapd);
2492 /* handle_auth_ft_finish() callback will complete auth. */
2493 return;
2494 #endif /* CONFIG_IEEE80211R_AP */
2495 #ifdef CONFIG_SAE
2496 case WLAN_AUTH_SAE:
2497 #ifdef CONFIG_MESH
2498 if (status_code == WLAN_STATUS_SUCCESS &&
2499 hapd->conf->mesh & MESH_ENABLED) {
2500 if (sta->wpa_sm == NULL)
2501 sta->wpa_sm =
2502 wpa_auth_sta_init(hapd->wpa_auth,
2503 sta->addr, NULL);
2504 if (sta->wpa_sm == NULL) {
2505 wpa_printf(MSG_DEBUG,
2506 "SAE: Failed to initialize WPA state machine");
2507 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2508 goto fail;
2509 }
2510 }
2511 #endif /* CONFIG_MESH */
2512 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2513 status_code);
2514 return;
2515 #endif /* CONFIG_SAE */
2516 #ifdef CONFIG_FILS
2517 case WLAN_AUTH_FILS_SK:
2518 case WLAN_AUTH_FILS_SK_PFS:
2519 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2520 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2521 auth_alg, auth_transaction, status_code,
2522 handle_auth_fils_finish);
2523 return;
2524 #endif /* CONFIG_FILS */
2525 }
2526
2527 fail:
2528 os_free(identity);
2529 os_free(radius_cui);
2530 hostapd_free_psk_list(psk);
2531
2532 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2533 auth_transaction + 1, resp, resp_ies,
2534 resp_ies_len, "handle-auth");
2535
2536 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2537 reply_res != WLAN_STATUS_SUCCESS)) {
2538 hostapd_drv_sta_remove(hapd, sta->addr);
2539 sta->added_unassoc = 0;
2540 }
2541 }
2542
2543
2544 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2545 {
2546 int i, j = 32, aid;
2547
2548 /* get a unique AID */
2549 if (sta->aid > 0) {
2550 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2551 return 0;
2552 }
2553
2554 if (TEST_FAIL())
2555 return -1;
2556
2557 for (i = 0; i < AID_WORDS; i++) {
2558 if (hapd->sta_aid[i] == (u32) -1)
2559 continue;
2560 for (j = 0; j < 32; j++) {
2561 if (!(hapd->sta_aid[i] & BIT(j)))
2562 break;
2563 }
2564 if (j < 32)
2565 break;
2566 }
2567 if (j == 32)
2568 return -1;
2569 aid = i * 32 + j + 1;
2570 if (aid > 2007)
2571 return -1;
2572
2573 sta->aid = aid;
2574 hapd->sta_aid[i] |= BIT(j);
2575 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2576 return 0;
2577 }
2578
2579
2580 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2581 const u8 *ssid_ie, size_t ssid_ie_len)
2582 {
2583 if (ssid_ie == NULL)
2584 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2585
2586 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2587 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2588 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2589 HOSTAPD_LEVEL_INFO,
2590 "Station tried to associate with unknown SSID "
2591 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2592 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2593 }
2594
2595 return WLAN_STATUS_SUCCESS;
2596 }
2597
2598
2599 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2600 const u8 *wmm_ie, size_t wmm_ie_len)
2601 {
2602 sta->flags &= ~WLAN_STA_WMM;
2603 sta->qosinfo = 0;
2604 if (wmm_ie && hapd->conf->wmm_enabled) {
2605 struct wmm_information_element *wmm;
2606
2607 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2608 hostapd_logger(hapd, sta->addr,
2609 HOSTAPD_MODULE_WPA,
2610 HOSTAPD_LEVEL_DEBUG,
2611 "invalid WMM element in association "
2612 "request");
2613 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2614 }
2615
2616 sta->flags |= WLAN_STA_WMM;
2617 wmm = (struct wmm_information_element *) wmm_ie;
2618 sta->qosinfo = wmm->qos_info;
2619 }
2620 return WLAN_STATUS_SUCCESS;
2621 }
2622
2623 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2624 const u8 *multi_ap_ie, size_t multi_ap_len)
2625 {
2626 u8 multi_ap_value = 0;
2627
2628 sta->flags &= ~WLAN_STA_MULTI_AP;
2629
2630 if (!hapd->conf->multi_ap)
2631 return WLAN_STATUS_SUCCESS;
2632
2633 if (multi_ap_ie) {
2634 const u8 *multi_ap_subelem;
2635
2636 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2637 multi_ap_len - 4,
2638 MULTI_AP_SUB_ELEM_TYPE);
2639 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2640 multi_ap_value = multi_ap_subelem[2];
2641 } else {
2642 hostapd_logger(hapd, sta->addr,
2643 HOSTAPD_MODULE_IEEE80211,
2644 HOSTAPD_LEVEL_INFO,
2645 "Multi-AP IE has missing or invalid Multi-AP subelement");
2646 return WLAN_STATUS_INVALID_IE;
2647 }
2648 }
2649
2650 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2651 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2652 HOSTAPD_LEVEL_INFO,
2653 "Multi-AP IE with unexpected value 0x%02x",
2654 multi_ap_value);
2655
2656 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2657 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2658 return WLAN_STATUS_SUCCESS;
2659
2660 hostapd_logger(hapd, sta->addr,
2661 HOSTAPD_MODULE_IEEE80211,
2662 HOSTAPD_LEVEL_INFO,
2663 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2664 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2665 }
2666
2667 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2668 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2669 HOSTAPD_LEVEL_DEBUG,
2670 "Backhaul STA tries to associate with fronthaul-only BSS");
2671
2672 sta->flags |= WLAN_STA_MULTI_AP;
2673 return WLAN_STATUS_SUCCESS;
2674 }
2675
2676
2677 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2678 struct ieee802_11_elems *elems)
2679 {
2680 /* Supported rates not used in IEEE 802.11ad/DMG */
2681 if (hapd->iface->current_mode &&
2682 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2683 return WLAN_STATUS_SUCCESS;
2684
2685 if (!elems->supp_rates) {
2686 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2687 HOSTAPD_LEVEL_DEBUG,
2688 "No supported rates element in AssocReq");
2689 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2690 }
2691
2692 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2693 sizeof(sta->supported_rates)) {
2694 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2695 HOSTAPD_LEVEL_DEBUG,
2696 "Invalid supported rates element length %d+%d",
2697 elems->supp_rates_len,
2698 elems->ext_supp_rates_len);
2699 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2700 }
2701
2702 sta->supported_rates_len = merge_byte_arrays(
2703 sta->supported_rates, sizeof(sta->supported_rates),
2704 elems->supp_rates, elems->supp_rates_len,
2705 elems->ext_supp_rates, elems->ext_supp_rates_len);
2706
2707 return WLAN_STATUS_SUCCESS;
2708 }
2709
2710
2711 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2712 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2713 {
2714 #ifdef CONFIG_INTERWORKING
2715 /* check for QoS Map support */
2716 if (ext_capab_ie_len >= 5) {
2717 if (ext_capab_ie[4] & 0x01)
2718 sta->qos_map_enabled = 1;
2719 }
2720 #endif /* CONFIG_INTERWORKING */
2721
2722 if (ext_capab_ie_len > 0) {
2723 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2724 os_free(sta->ext_capability);
2725 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2726 if (sta->ext_capability) {
2727 sta->ext_capability[0] = ext_capab_ie_len;
2728 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2729 ext_capab_ie_len);
2730 }
2731 }
2732
2733 return WLAN_STATUS_SUCCESS;
2734 }
2735
2736
2737 #ifdef CONFIG_OWE
2738
2739 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2740 {
2741 int i;
2742 int *groups = hapd->conf->owe_groups;
2743
2744 if (group != 19 && group != 20 && group != 21)
2745 return 0;
2746
2747 if (!groups)
2748 return 1;
2749
2750 for (i = 0; groups[i] > 0; i++) {
2751 if (groups[i] == group)
2752 return 1;
2753 }
2754
2755 return 0;
2756 }
2757
2758
2759 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2760 struct sta_info *sta, const u8 *owe_dh,
2761 u8 owe_dh_len)
2762 {
2763 struct wpabuf *secret, *pub, *hkey;
2764 int res;
2765 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2766 const char *info = "OWE Key Generation";
2767 const u8 *addr[2];
2768 size_t len[2];
2769 u16 group;
2770 size_t hash_len, prime_len;
2771
2772 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2773 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2774 return WLAN_STATUS_SUCCESS;
2775 }
2776
2777 group = WPA_GET_LE16(owe_dh);
2778 if (!owe_group_supported(hapd, group)) {
2779 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2780 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2781 }
2782 if (group == 19)
2783 prime_len = 32;
2784 else if (group == 20)
2785 prime_len = 48;
2786 else if (group == 21)
2787 prime_len = 66;
2788 else
2789 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2790
2791 crypto_ecdh_deinit(sta->owe_ecdh);
2792 sta->owe_ecdh = crypto_ecdh_init(group);
2793 if (!sta->owe_ecdh)
2794 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2795 sta->owe_group = group;
2796
2797 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2798 owe_dh_len - 2);
2799 secret = wpabuf_zeropad(secret, prime_len);
2800 if (!secret) {
2801 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2802 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2803 }
2804 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2805
2806 /* prk = HKDF-extract(C | A | group, z) */
2807
2808 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2809 if (!pub) {
2810 wpabuf_clear_free(secret);
2811 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2812 }
2813
2814 /* PMKID = Truncate-128(Hash(C | A)) */
2815 addr[0] = owe_dh + 2;
2816 len[0] = owe_dh_len - 2;
2817 addr[1] = wpabuf_head(pub);
2818 len[1] = wpabuf_len(pub);
2819 if (group == 19) {
2820 res = sha256_vector(2, addr, len, pmkid);
2821 hash_len = SHA256_MAC_LEN;
2822 } else if (group == 20) {
2823 res = sha384_vector(2, addr, len, pmkid);
2824 hash_len = SHA384_MAC_LEN;
2825 } else if (group == 21) {
2826 res = sha512_vector(2, addr, len, pmkid);
2827 hash_len = SHA512_MAC_LEN;
2828 } else {
2829 wpabuf_free(pub);
2830 wpabuf_clear_free(secret);
2831 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2832 }
2833 pub = wpabuf_zeropad(pub, prime_len);
2834 if (res < 0 || !pub) {
2835 wpabuf_free(pub);
2836 wpabuf_clear_free(secret);
2837 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2838 }
2839
2840 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2841 if (!hkey) {
2842 wpabuf_free(pub);
2843 wpabuf_clear_free(secret);
2844 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2845 }
2846
2847 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2848 wpabuf_put_buf(hkey, pub); /* A */
2849 wpabuf_free(pub);
2850 wpabuf_put_le16(hkey, group); /* group */
2851 if (group == 19)
2852 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2853 wpabuf_head(secret), wpabuf_len(secret), prk);
2854 else if (group == 20)
2855 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2856 wpabuf_head(secret), wpabuf_len(secret), prk);
2857 else if (group == 21)
2858 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2859 wpabuf_head(secret), wpabuf_len(secret), prk);
2860 wpabuf_clear_free(hkey);
2861 wpabuf_clear_free(secret);
2862 if (res < 0)
2863 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2864
2865 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2866
2867 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2868
2869 os_free(sta->owe_pmk);
2870 sta->owe_pmk = os_malloc(hash_len);
2871 if (!sta->owe_pmk) {
2872 os_memset(prk, 0, SHA512_MAC_LEN);
2873 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2874 }
2875
2876 if (group == 19)
2877 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2878 os_strlen(info), sta->owe_pmk, hash_len);
2879 else if (group == 20)
2880 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2881 os_strlen(info), sta->owe_pmk, hash_len);
2882 else if (group == 21)
2883 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2884 os_strlen(info), sta->owe_pmk, hash_len);
2885 os_memset(prk, 0, SHA512_MAC_LEN);
2886 if (res < 0) {
2887 os_free(sta->owe_pmk);
2888 sta->owe_pmk = NULL;
2889 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2890 }
2891 sta->owe_pmk_len = hash_len;
2892
2893 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2894 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2895 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2896 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2897
2898 return WLAN_STATUS_SUCCESS;
2899 }
2900
2901
2902 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
2903 const u8 *rsn_ie, size_t rsn_ie_len,
2904 const u8 *owe_dh, size_t owe_dh_len)
2905 {
2906 struct wpa_ie_data data;
2907 int res;
2908
2909 if (!rsn_ie || rsn_ie_len < 2) {
2910 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
2911 MAC2STR(peer));
2912 return WLAN_STATUS_INVALID_IE;
2913 }
2914 rsn_ie -= 2;
2915 rsn_ie_len += 2;
2916
2917 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
2918 if (res) {
2919 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
2920 " (res=%d)", MAC2STR(peer), res);
2921 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
2922 return wpa_res_to_status_code(res);
2923 }
2924 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
2925 wpa_printf(MSG_DEBUG,
2926 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
2927 (unsigned int) data.key_mgmt, MAC2STR(peer));
2928 return WLAN_STATUS_AKMP_NOT_VALID;
2929 }
2930 if (!owe_dh) {
2931 wpa_printf(MSG_DEBUG,
2932 "OWE: No Diffie-Hellman Parameter element from "
2933 MACSTR, MAC2STR(peer));
2934 return WLAN_STATUS_AKMP_NOT_VALID;
2935 }
2936
2937 return WLAN_STATUS_SUCCESS;
2938 }
2939
2940
2941 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
2942 struct sta_info *sta,
2943 const u8 *rsn_ie, size_t rsn_ie_len,
2944 const u8 *owe_dh, size_t owe_dh_len)
2945 {
2946 u16 status;
2947 u8 *owe_buf, ie[256 * 2];
2948 size_t ie_len = 0;
2949 int res;
2950
2951 if (!rsn_ie || rsn_ie_len < 2) {
2952 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
2953 status = WLAN_STATUS_INVALID_IE;
2954 goto end;
2955 }
2956
2957 if (!sta->wpa_sm)
2958 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
2959 NULL);
2960 if (!sta->wpa_sm) {
2961 wpa_printf(MSG_WARNING,
2962 "OWE: Failed to initialize WPA state machine");
2963 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2964 goto end;
2965 }
2966 rsn_ie -= 2;
2967 rsn_ie_len += 2;
2968 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2969 hapd->iface->freq, rsn_ie, rsn_ie_len,
2970 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
2971 status = wpa_res_to_status_code(res);
2972 if (status != WLAN_STATUS_SUCCESS)
2973 goto end;
2974 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
2975 if (status != WLAN_STATUS_SUCCESS)
2976 goto end;
2977 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
2978 NULL, 0);
2979 if (!owe_buf) {
2980 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2981 goto end;
2982 }
2983
2984 if (sta->owe_ecdh) {
2985 struct wpabuf *pub;
2986
2987 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2988 if (!pub) {
2989 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2990 goto end;
2991 }
2992
2993 /* OWE Diffie-Hellman Parameter element */
2994 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
2995 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
2996 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
2997 */
2998 WPA_PUT_LE16(owe_buf, sta->owe_group);
2999 owe_buf += 2;
3000 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3001 owe_buf += wpabuf_len(pub);
3002 wpabuf_free(pub);
3003 sta->external_dh_updated = 1;
3004 }
3005 ie_len = owe_buf - ie;
3006
3007 end:
3008 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3009 MACSTR, status, (unsigned int) ie_len,
3010 MAC2STR(sta->addr));
3011 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
3012 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3013 ie_len);
3014
3015 return status;
3016 }
3017
3018 #endif /* CONFIG_OWE */
3019
3020
3021 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3022 const u8 *ies, size_t ies_len, int reassoc)
3023 {
3024 struct ieee802_11_elems elems;
3025 u16 resp;
3026 const u8 *wpa_ie;
3027 size_t wpa_ie_len;
3028 const u8 *p2p_dev_addr = NULL;
3029
3030 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3031 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3032 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
3033 "association request");
3034 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3035 }
3036
3037 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
3038 if (resp != WLAN_STATUS_SUCCESS)
3039 return resp;
3040 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
3041 if (resp != WLAN_STATUS_SUCCESS)
3042 return resp;
3043 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
3044 if (resp != WLAN_STATUS_SUCCESS)
3045 return resp;
3046 resp = copy_supp_rates(hapd, sta, &elems);
3047 if (resp != WLAN_STATUS_SUCCESS)
3048 return resp;
3049
3050 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
3051 if (resp != WLAN_STATUS_SUCCESS)
3052 return resp;
3053
3054 #ifdef CONFIG_IEEE80211N
3055 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
3056 if (resp != WLAN_STATUS_SUCCESS)
3057 return resp;
3058 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3059 !(sta->flags & WLAN_STA_HT)) {
3060 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3061 HOSTAPD_LEVEL_INFO, "Station does not support "
3062 "mandatory HT PHY - reject association");
3063 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3064 }
3065 #endif /* CONFIG_IEEE80211N */
3066
3067 #ifdef CONFIG_IEEE80211AC
3068 if (hapd->iconf->ieee80211ac) {
3069 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
3070 if (resp != WLAN_STATUS_SUCCESS)
3071 return resp;
3072
3073 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
3074 if (resp != WLAN_STATUS_SUCCESS)
3075 return resp;
3076 }
3077
3078 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3079 !(sta->flags & WLAN_STA_VHT)) {
3080 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3081 HOSTAPD_LEVEL_INFO, "Station does not support "
3082 "mandatory VHT PHY - reject association");
3083 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
3084 }
3085
3086 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
3087 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
3088 elems.vendor_vht_len);
3089 if (resp != WLAN_STATUS_SUCCESS)
3090 return resp;
3091 }
3092 #endif /* CONFIG_IEEE80211AC */
3093 #ifdef CONFIG_IEEE80211AX
3094 if (hapd->iconf->ieee80211ax) {
3095 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3096 elems.he_capabilities,
3097 elems.he_capabilities_len);
3098 if (resp != WLAN_STATUS_SUCCESS)
3099 return resp;
3100 }
3101 #endif /* CONFIG_IEEE80211AX */
3102
3103 #ifdef CONFIG_P2P
3104 if (elems.p2p) {
3105 wpabuf_free(sta->p2p_ie);
3106 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3107 P2P_IE_VENDOR_TYPE);
3108 if (sta->p2p_ie)
3109 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
3110 } else {
3111 wpabuf_free(sta->p2p_ie);
3112 sta->p2p_ie = NULL;
3113 }
3114 #endif /* CONFIG_P2P */
3115
3116 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
3117 wpa_ie = elems.rsn_ie;
3118 wpa_ie_len = elems.rsn_ie_len;
3119 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
3120 elems.wpa_ie) {
3121 wpa_ie = elems.wpa_ie;
3122 wpa_ie_len = elems.wpa_ie_len;
3123 } else {
3124 wpa_ie = NULL;
3125 wpa_ie_len = 0;
3126 }
3127
3128 #ifdef CONFIG_WPS
3129 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
3130 if (hapd->conf->wps_state && elems.wps_ie) {
3131 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
3132 "Request - assume WPS is used");
3133 sta->flags |= WLAN_STA_WPS;
3134 wpabuf_free(sta->wps_ie);
3135 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3136 WPS_IE_VENDOR_TYPE);
3137 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
3138 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
3139 sta->flags |= WLAN_STA_WPS2;
3140 }
3141 wpa_ie = NULL;
3142 wpa_ie_len = 0;
3143 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
3144 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
3145 "(Re)Association Request - reject");
3146 return WLAN_STATUS_INVALID_IE;
3147 }
3148 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
3149 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
3150 "(Re)Association Request - possible WPS use");
3151 sta->flags |= WLAN_STA_MAYBE_WPS;
3152 } else
3153 #endif /* CONFIG_WPS */
3154 if (hapd->conf->wpa && wpa_ie == NULL) {
3155 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3156 HOSTAPD_LEVEL_INFO,
3157 "No WPA/RSN IE in association request");
3158 return WLAN_STATUS_INVALID_IE;
3159 }
3160
3161 if (hapd->conf->wpa && wpa_ie) {
3162 int res;
3163 wpa_ie -= 2;
3164 wpa_ie_len += 2;
3165 if (sta->wpa_sm == NULL)
3166 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3167 sta->addr,
3168 p2p_dev_addr);
3169 if (sta->wpa_sm == NULL) {
3170 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3171 "state machine");
3172 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3173 }
3174 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
3175 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3176 hapd->iface->freq,
3177 wpa_ie, wpa_ie_len,
3178 elems.rsnxe ? elems.rsnxe - 2 : NULL,
3179 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
3180 elems.mdie, elems.mdie_len,
3181 elems.owe_dh, elems.owe_dh_len);
3182 resp = wpa_res_to_status_code(res);
3183 if (resp != WLAN_STATUS_SUCCESS)
3184 return resp;
3185 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3186 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3187 !sta->sa_query_timed_out &&
3188 sta->sa_query_count > 0)
3189 ap_check_sa_query_timeout(hapd, sta);
3190 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3191 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3192 !sta->sa_query_timed_out &&
3193 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3194 /*
3195 * STA has already been associated with MFP and SA
3196 * Query timeout has not been reached. Reject the
3197 * association attempt temporarily and start SA Query,
3198 * if one is not pending.
3199 */
3200
3201 if (sta->sa_query_count == 0)
3202 ap_sta_start_sa_query(hapd, sta);
3203
3204 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
3205 }
3206
3207 if (wpa_auth_uses_mfp(sta->wpa_sm))
3208 sta->flags |= WLAN_STA_MFP;
3209 else
3210 sta->flags &= ~WLAN_STA_MFP;
3211
3212 #ifdef CONFIG_IEEE80211R_AP
3213 if (sta->auth_alg == WLAN_AUTH_FT) {
3214 if (!reassoc) {
3215 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
3216 "to use association (not "
3217 "re-association) with FT auth_alg",
3218 MAC2STR(sta->addr));
3219 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3220 }
3221
3222 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
3223 ies_len);
3224 if (resp != WLAN_STATUS_SUCCESS)
3225 return resp;
3226 }
3227 #endif /* CONFIG_IEEE80211R_AP */
3228
3229 #ifdef CONFIG_SAE
3230 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3231 sta->sae->state == SAE_ACCEPTED)
3232 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3233
3234 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3235 sta->auth_alg == WLAN_AUTH_OPEN) {
3236 struct rsn_pmksa_cache_entry *sa;
3237 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3238 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3239 wpa_printf(MSG_DEBUG,
3240 "SAE: No PMKSA cache entry found for "
3241 MACSTR, MAC2STR(sta->addr));
3242 return WLAN_STATUS_INVALID_PMKID;
3243 }
3244 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3245 " using PMKSA caching", MAC2STR(sta->addr));
3246 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3247 sta->auth_alg != WLAN_AUTH_SAE &&
3248 !(sta->auth_alg == WLAN_AUTH_FT &&
3249 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3250 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3251 "SAE AKM after non-SAE auth_alg %u",
3252 MAC2STR(sta->addr), sta->auth_alg);
3253 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3254 }
3255 #endif /* CONFIG_SAE */
3256
3257 #ifdef CONFIG_OWE
3258 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3259 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3260 elems.owe_dh) {
3261 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3262 elems.owe_dh_len);
3263 if (resp != WLAN_STATUS_SUCCESS)
3264 return resp;
3265 }
3266 #endif /* CONFIG_OWE */
3267
3268 #ifdef CONFIG_DPP2
3269 dpp_pfs_free(sta->dpp_pfs);
3270 sta->dpp_pfs = NULL;
3271
3272 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3273 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3274 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3275 elems.owe_dh) {
3276 sta->dpp_pfs = dpp_pfs_init(
3277 wpabuf_head(hapd->conf->dpp_netaccesskey),
3278 wpabuf_len(hapd->conf->dpp_netaccesskey));
3279 if (!sta->dpp_pfs) {
3280 wpa_printf(MSG_DEBUG,
3281 "DPP: Could not initialize PFS");
3282 /* Try to continue without PFS */
3283 goto pfs_fail;
3284 }
3285
3286 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3287 elems.owe_dh_len) < 0) {
3288 dpp_pfs_free(sta->dpp_pfs);
3289 sta->dpp_pfs = NULL;
3290 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3291 }
3292 }
3293
3294 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3295 sta->dpp_pfs->secret : NULL);
3296 pfs_fail:
3297 #endif /* CONFIG_DPP2 */
3298
3299 #ifdef CONFIG_IEEE80211N
3300 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3301 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3302 hostapd_logger(hapd, sta->addr,
3303 HOSTAPD_MODULE_IEEE80211,
3304 HOSTAPD_LEVEL_INFO,
3305 "Station tried to use TKIP with HT "
3306 "association");
3307 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3308 }
3309 #endif /* CONFIG_IEEE80211N */
3310 #ifdef CONFIG_HS20
3311 } else if (hapd->conf->osen) {
3312 if (elems.osen == NULL) {
3313 hostapd_logger(
3314 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3315 HOSTAPD_LEVEL_INFO,
3316 "No HS 2.0 OSEN element in association request");
3317 return WLAN_STATUS_INVALID_IE;
3318 }
3319
3320 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3321 if (sta->wpa_sm == NULL)
3322 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3323 sta->addr, NULL);
3324 if (sta->wpa_sm == NULL) {
3325 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3326 "state machine");
3327 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3328 }
3329 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3330 elems.osen - 2, elems.osen_len + 2) < 0)
3331 return WLAN_STATUS_INVALID_IE;
3332 #endif /* CONFIG_HS20 */
3333 } else
3334 wpa_auth_sta_no_wpa(sta->wpa_sm);
3335
3336 #ifdef CONFIG_P2P
3337 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3338 #endif /* CONFIG_P2P */
3339
3340 #ifdef CONFIG_HS20
3341 wpabuf_free(sta->hs20_ie);
3342 if (elems.hs20 && elems.hs20_len > 4) {
3343 int release;
3344
3345 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3346 elems.hs20_len - 4);
3347 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3348 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
3349 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3350 wpa_printf(MSG_DEBUG,
3351 "HS 2.0: PMF not negotiated by release %d station "
3352 MACSTR, release, MAC2STR(sta->addr));
3353 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3354 }
3355 } else {
3356 sta->hs20_ie = NULL;
3357 }
3358
3359 wpabuf_free(sta->roaming_consortium);
3360 if (elems.roaming_cons_sel)
3361 sta->roaming_consortium = wpabuf_alloc_copy(
3362 elems.roaming_cons_sel + 4,
3363 elems.roaming_cons_sel_len - 4);
3364 else
3365 sta->roaming_consortium = NULL;
3366 #endif /* CONFIG_HS20 */
3367
3368 #ifdef CONFIG_FST
3369 wpabuf_free(sta->mb_ies);
3370 if (hapd->iface->fst)
3371 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3372 else
3373 sta->mb_ies = NULL;
3374 #endif /* CONFIG_FST */
3375
3376 #ifdef CONFIG_MBO
3377 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3378
3379 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3380 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3381 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3382 wpa_printf(MSG_INFO,
3383 "MBO: Reject WPA2 association without PMF");
3384 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3385 }
3386 #endif /* CONFIG_MBO */
3387
3388 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3389 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3390 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3391 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3392 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3393 struct wpa_channel_info ci;
3394 int tx_chanwidth;
3395 int tx_seg1_idx;
3396
3397 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3398 wpa_printf(MSG_WARNING,
3399 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3400 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3401 }
3402
3403 if (get_sta_tx_parameters(sta->wpa_sm,
3404 channel_width_to_int(ci.chanwidth),
3405 ci.seg1_idx, &tx_chanwidth,
3406 &tx_seg1_idx) < 0)
3407 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3408
3409 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3410 tx_chanwidth, tx_seg1_idx) != 0) {
3411 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3412 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3413 }
3414 }
3415 #endif /* CONFIG_FILS && CONFIG_OCV */
3416
3417 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3418 elems.supp_op_classes_len);
3419
3420 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3421 elems.rrm_enabled &&
3422 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3423 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3424 sizeof(sta->rrm_enabled_capa));
3425
3426 if (elems.power_capab) {
3427 sta->min_tx_power = elems.power_capab[0];
3428 sta->max_tx_power = elems.power_capab[1];
3429 sta->power_capab = 1;
3430 } else {
3431 sta->power_capab = 0;
3432 }
3433
3434 return WLAN_STATUS_SUCCESS;
3435 }
3436
3437
3438 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3439 u16 reason_code)
3440 {
3441 int send_len;
3442 struct ieee80211_mgmt reply;
3443
3444 os_memset(&reply, 0, sizeof(reply));
3445 reply.frame_control =
3446 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3447 os_memcpy(reply.da, addr, ETH_ALEN);
3448 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3449 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3450
3451 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3452 reply.u.deauth.reason_code = host_to_le16(reason_code);
3453
3454 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
3455 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3456 strerror(errno));
3457 }
3458
3459
3460 static int add_associated_sta(struct hostapd_data *hapd,
3461 struct sta_info *sta, int reassoc)
3462 {
3463 struct ieee80211_ht_capabilities ht_cap;
3464 struct ieee80211_vht_capabilities vht_cap;
3465 struct ieee80211_he_capabilities he_cap;
3466 int set = 1;
3467
3468 /*
3469 * Remove the STA entry to ensure the STA PS state gets cleared and
3470 * configuration gets updated. This is relevant for cases, such as
3471 * FT-over-the-DS, where a station re-associates back to the same AP but
3472 * skips the authentication flow, or if working with a driver that
3473 * does not support full AP client state.
3474 *
3475 * Skip this if the STA has already completed FT reassociation and the
3476 * TK has been configured since the TX/RX PN must not be reset to 0 for
3477 * the same key.
3478 *
3479 * FT-over-the-DS has a special case where the STA entry (and as such,
3480 * the TK) has not yet been configured to the driver depending on which
3481 * driver interface is used. For that case, allow add-STA operation to
3482 * be used (instead of set-STA). This is needed to allow mac80211-based
3483 * drivers to accept the STA parameter configuration. Since this is
3484 * after a new FT-over-DS exchange, a new TK has been derived, so key
3485 * reinstallation is not a concern for this case.
3486 */
3487 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3488 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3489 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3490 sta->ft_over_ds, reassoc,
3491 !!(sta->flags & WLAN_STA_AUTHORIZED),
3492 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3493 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3494
3495 if (!sta->added_unassoc &&
3496 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3497 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3498 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3499 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3500 hostapd_drv_sta_remove(hapd, sta->addr);
3501 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3502 set = 0;
3503
3504 /* Do not allow the FT-over-DS exception to be used more than
3505 * once per authentication exchange to guarantee a new TK is
3506 * used here */
3507 sta->ft_over_ds = 0;
3508 }
3509
3510 #ifdef CONFIG_IEEE80211N
3511 if (sta->flags & WLAN_STA_HT)
3512 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3513 #endif /* CONFIG_IEEE80211N */
3514 #ifdef CONFIG_IEEE80211AC
3515 if (sta->flags & WLAN_STA_VHT)
3516 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3517 #endif /* CONFIG_IEEE80211AC */
3518 #ifdef CONFIG_IEEE80211AX
3519 if (sta->flags & WLAN_STA_HE) {
3520 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
3521 sta->he_capab_len);
3522 }
3523 #endif /* CONFIG_IEEE80211AX */
3524
3525 /*
3526 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3527 * will be set when the ACK frame for the (Re)Association Response frame
3528 * is processed (TX status driver event).
3529 */
3530 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3531 sta->supported_rates, sta->supported_rates_len,
3532 sta->listen_interval,
3533 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3534 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3535 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
3536 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
3537 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3538 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3539 set)) {
3540 hostapd_logger(hapd, sta->addr,
3541 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3542 "Could not %s STA to kernel driver",
3543 set ? "set" : "add");
3544
3545 if (sta->added_unassoc) {
3546 hostapd_drv_sta_remove(hapd, sta->addr);
3547 sta->added_unassoc = 0;
3548 }
3549
3550 return -1;
3551 }
3552
3553 sta->added_unassoc = 0;
3554
3555 return 0;
3556 }
3557
3558
3559 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3560 const u8 *addr, u16 status_code, int reassoc,
3561 const u8 *ies, size_t ies_len, int rssi)
3562 {
3563 int send_len;
3564 u8 *buf;
3565 size_t buflen;
3566 struct ieee80211_mgmt *reply;
3567 u8 *p;
3568 u16 res = WLAN_STATUS_SUCCESS;
3569
3570 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3571 #ifdef CONFIG_FILS
3572 if (sta && sta->fils_hlp_resp)
3573 buflen += wpabuf_len(sta->fils_hlp_resp);
3574 if (sta)
3575 buflen += 150;
3576 #endif /* CONFIG_FILS */
3577 #ifdef CONFIG_OWE
3578 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3579 buflen += 150;
3580 #endif /* CONFIG_OWE */
3581 #ifdef CONFIG_DPP2
3582 if (sta && sta->dpp_pfs)
3583 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3584 #endif /* CONFIG_DPP2 */
3585 buf = os_zalloc(buflen);
3586 if (!buf) {
3587 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3588 goto done;
3589 }
3590 reply = (struct ieee80211_mgmt *) buf;
3591 reply->frame_control =
3592 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3593 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3594 WLAN_FC_STYPE_ASSOC_RESP));
3595 os_memcpy(reply->da, addr, ETH_ALEN);
3596 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3597 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3598
3599 send_len = IEEE80211_HDRLEN;
3600 send_len += sizeof(reply->u.assoc_resp);
3601 reply->u.assoc_resp.capab_info =
3602 host_to_le16(hostapd_own_capab_info(hapd));
3603 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3604
3605 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3606 BIT(14) | BIT(15));
3607 /* Supported rates */
3608 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3609 /* Extended supported rates */
3610 p = hostapd_eid_ext_supp_rates(hapd, p);
3611
3612 #ifdef CONFIG_MBO
3613 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3614 rssi != 0) {
3615 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3616
3617 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3618 delta);
3619 }
3620 #endif /* CONFIG_MBO */
3621
3622 #ifdef CONFIG_IEEE80211R_AP
3623 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3624 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3625 * Transition Information, RSN, [RIC Response] */
3626 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3627 buf + buflen - p,
3628 sta->auth_alg, ies, ies_len);
3629 if (!p) {
3630 wpa_printf(MSG_DEBUG,
3631 "FT: Failed to write AssocResp IEs");
3632 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3633 goto done;
3634 }
3635 }
3636 #endif /* CONFIG_IEEE80211R_AP */
3637 #ifdef CONFIG_FILS
3638 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3639 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3640 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3641 sta->auth_alg == WLAN_AUTH_FILS_PK))
3642 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
3643 buf + buflen - p,
3644 ies, ies_len);
3645 #endif /* CONFIG_FILS */
3646
3647 #ifdef CONFIG_OWE
3648 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3649 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3650 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3651 buf + buflen - p,
3652 ies, ies_len);
3653 #endif /* CONFIG_OWE */
3654
3655 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3656 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3657
3658 #ifdef CONFIG_IEEE80211N
3659 p = hostapd_eid_ht_capabilities(hapd, p);
3660 p = hostapd_eid_ht_operation(hapd, p);
3661 #endif /* CONFIG_IEEE80211N */
3662
3663 #ifdef CONFIG_IEEE80211AC
3664 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
3665 !is_6ghz_op_class(hapd->iconf->op_class)) {
3666 u32 nsts = 0, sta_nsts;
3667
3668 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3669 struct ieee80211_vht_capabilities *capa;
3670
3671 nsts = (hapd->iface->conf->vht_capab >>
3672 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3673 capa = sta->vht_capabilities;
3674 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3675 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3676
3677 if (nsts < sta_nsts)
3678 nsts = 0;
3679 else
3680 nsts = sta_nsts;
3681 }
3682 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3683 p = hostapd_eid_vht_operation(hapd, p);
3684 }
3685 #endif /* CONFIG_IEEE80211AC */
3686
3687 #ifdef CONFIG_IEEE80211AX
3688 if (hapd->iconf->ieee80211ax) {
3689 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
3690 p = hostapd_eid_he_operation(hapd, p);
3691 p = hostapd_eid_spatial_reuse(hapd, p);
3692 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
3693 }
3694 #endif /* CONFIG_IEEE80211AX */
3695
3696 p = hostapd_eid_ext_capab(hapd, p);
3697 p = hostapd_eid_bss_max_idle_period(hapd, p);
3698 if (sta && sta->qos_map_enabled)
3699 p = hostapd_eid_qos_map_set(hapd, p);
3700
3701 #ifdef CONFIG_FST
3702 if (hapd->iface->fst_ies) {
3703 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3704 wpabuf_len(hapd->iface->fst_ies));
3705 p += wpabuf_len(hapd->iface->fst_ies);
3706 }
3707 #endif /* CONFIG_FST */
3708
3709 #ifdef CONFIG_OWE
3710 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3711 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3712 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3713 struct wpabuf *pub;
3714
3715 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3716 if (!pub) {
3717 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3718 goto done;
3719 }
3720 /* OWE Diffie-Hellman Parameter element */
3721 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3722 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3723 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3724 WPA_PUT_LE16(p, sta->owe_group);
3725 p += 2;
3726 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3727 p += wpabuf_len(pub);
3728 wpabuf_free(pub);
3729 }
3730 #endif /* CONFIG_OWE */
3731
3732 #ifdef CONFIG_DPP2
3733 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3734 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3735 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3736 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3737 wpabuf_len(sta->dpp_pfs->ie));
3738 p += wpabuf_len(sta->dpp_pfs->ie);
3739 }
3740 #endif /* CONFIG_DPP2 */
3741
3742 #ifdef CONFIG_IEEE80211AC
3743 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3744 p = hostapd_eid_vendor_vht(hapd, p);
3745 #endif /* CONFIG_IEEE80211AC */
3746
3747 if (sta && (sta->flags & WLAN_STA_WMM))
3748 p = hostapd_eid_wmm(hapd, p);
3749
3750 #ifdef CONFIG_WPS
3751 if (sta &&
3752 ((sta->flags & WLAN_STA_WPS) ||
3753 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3754 struct wpabuf *wps = wps_build_assoc_resp_ie();
3755 if (wps) {
3756 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3757 p += wpabuf_len(wps);
3758 wpabuf_free(wps);
3759 }
3760 }
3761 #endif /* CONFIG_WPS */
3762
3763 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3764 p = hostapd_eid_multi_ap(hapd, p);
3765
3766 #ifdef CONFIG_P2P
3767 if (sta && sta->p2p_ie && hapd->p2p_group) {
3768 struct wpabuf *p2p_resp_ie;
3769 enum p2p_status_code status;
3770 switch (status_code) {
3771 case WLAN_STATUS_SUCCESS:
3772 status = P2P_SC_SUCCESS;
3773 break;
3774 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3775 status = P2P_SC_FAIL_LIMIT_REACHED;
3776 break;
3777 default:
3778 status = P2P_SC_FAIL_INVALID_PARAMS;
3779 break;
3780 }
3781 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3782 if (p2p_resp_ie) {
3783 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3784 wpabuf_len(p2p_resp_ie));
3785 p += wpabuf_len(p2p_resp_ie);
3786 wpabuf_free(p2p_resp_ie);
3787 }
3788 }
3789 #endif /* CONFIG_P2P */
3790
3791 #ifdef CONFIG_P2P_MANAGER
3792 if (hapd->conf->p2p & P2P_MANAGE)
3793 p = hostapd_eid_p2p_manage(hapd, p);
3794 #endif /* CONFIG_P2P_MANAGER */
3795
3796 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3797
3798 if (hapd->conf->assocresp_elements &&
3799 (size_t) (buf + buflen - p) >=
3800 wpabuf_len(hapd->conf->assocresp_elements)) {
3801 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3802 wpabuf_len(hapd->conf->assocresp_elements));
3803 p += wpabuf_len(hapd->conf->assocresp_elements);
3804 }
3805
3806 send_len += p - reply->u.assoc_resp.variable;
3807
3808 #ifdef CONFIG_FILS
3809 if (sta &&
3810 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3811 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3812 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3813 status_code == WLAN_STATUS_SUCCESS) {
3814 struct ieee802_11_elems elems;
3815
3816 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3817 ParseFailed || !elems.fils_session) {
3818 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3819 goto done;
3820 }
3821
3822 /* FILS Session */
3823 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3824 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3825 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3826 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3827 send_len += 2 + 1 + FILS_SESSION_LEN;
3828
3829 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3830 buflen, sta->fils_hlp_resp);
3831 if (send_len < 0) {
3832 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3833 goto done;
3834 }
3835 }
3836 #endif /* CONFIG_FILS */
3837
3838 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
3839 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3840 strerror(errno));
3841 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3842 }
3843
3844 done:
3845 os_free(buf);
3846 return res;
3847 }
3848
3849
3850 #ifdef CONFIG_OWE
3851 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3852 const u8 *owe_dh, u8 owe_dh_len,
3853 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3854 {
3855 #ifdef CONFIG_TESTING_OPTIONS
3856 if (hapd->conf->own_ie_override) {
3857 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3858 *reason = WLAN_STATUS_SUCCESS;
3859 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3860 owe_buf_len, NULL, 0);
3861 }
3862 #endif /* CONFIG_TESTING_OPTIONS */
3863
3864 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3865 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3866 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3867 owe_buf_len, NULL, 0);
3868 *reason = WLAN_STATUS_SUCCESS;
3869 return owe_buf;
3870 }
3871
3872 if (sta->owe_pmk && sta->external_dh_updated) {
3873 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
3874 *reason = WLAN_STATUS_SUCCESS;
3875 return owe_buf;
3876 }
3877
3878 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3879 if (*reason != WLAN_STATUS_SUCCESS)
3880 return NULL;
3881
3882 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3883 owe_buf_len, NULL, 0);
3884
3885 if (sta->owe_ecdh && owe_buf) {
3886 struct wpabuf *pub;
3887
3888 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3889 if (!pub) {
3890 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3891 return owe_buf;
3892 }
3893
3894 /* OWE Diffie-Hellman Parameter element */
3895 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3896 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3897 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3898 */
3899 WPA_PUT_LE16(owe_buf, sta->owe_group);
3900 owe_buf += 2;
3901 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3902 owe_buf += wpabuf_len(pub);
3903 wpabuf_free(pub);
3904 }
3905
3906 return owe_buf;
3907 }
3908 #endif /* CONFIG_OWE */
3909
3910
3911 #ifdef CONFIG_FILS
3912
3913 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3914 {
3915 u16 reply_res;
3916
3917 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3918 MAC2STR(sta->addr));
3919 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3920 if (!sta->fils_pending_assoc_req)
3921 return;
3922 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3923 sta->fils_pending_assoc_is_reassoc,
3924 sta->fils_pending_assoc_req,
3925 sta->fils_pending_assoc_req_len, 0);
3926 os_free(sta->fils_pending_assoc_req);
3927 sta->fils_pending_assoc_req = NULL;
3928 sta->fils_pending_assoc_req_len = 0;
3929 wpabuf_free(sta->fils_hlp_resp);
3930 sta->fils_hlp_resp = NULL;
3931 wpabuf_free(sta->hlp_dhcp_discover);
3932 sta->hlp_dhcp_discover = NULL;
3933
3934 /*
3935 * Remove the station in case transmission of a success response fails.
3936 * At this point the station was already added associated to the driver.
3937 */
3938 if (reply_res != WLAN_STATUS_SUCCESS)
3939 hostapd_drv_sta_remove(hapd, sta->addr);
3940 }
3941
3942
3943 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3944 {
3945 struct hostapd_data *hapd = eloop_ctx;
3946 struct sta_info *sta = eloop_data;
3947
3948 wpa_printf(MSG_DEBUG,
3949 "FILS: HLP response timeout - continue with association response for "
3950 MACSTR, MAC2STR(sta->addr));
3951 if (sta->fils_drv_assoc_finish)
3952 hostapd_notify_assoc_fils_finish(hapd, sta);
3953 else
3954 fils_hlp_finish_assoc(hapd, sta);
3955 }
3956
3957 #endif /* CONFIG_FILS */
3958
3959
3960 static void handle_assoc(struct hostapd_data *hapd,
3961 const struct ieee80211_mgmt *mgmt, size_t len,
3962 int reassoc, int rssi)
3963 {
3964 u16 capab_info, listen_interval, seq_ctrl, fc;
3965 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3966 const u8 *pos;
3967 int left, i;
3968 struct sta_info *sta;
3969 u8 *tmp = NULL;
3970 struct hostapd_sta_wpa_psk_short *psk = NULL;
3971 char *identity = NULL;
3972 char *radius_cui = NULL;
3973 #ifdef CONFIG_FILS
3974 int delay_assoc = 0;
3975 #endif /* CONFIG_FILS */
3976
3977 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3978 sizeof(mgmt->u.assoc_req))) {
3979 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3980 reassoc, (unsigned long) len);
3981 return;
3982 }
3983
3984 #ifdef CONFIG_TESTING_OPTIONS
3985 if (reassoc) {
3986 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3987 drand48() < hapd->iconf->ignore_reassoc_probability) {
3988 wpa_printf(MSG_INFO,
3989 "TESTING: ignoring reassoc request from "
3990 MACSTR, MAC2STR(mgmt->sa));
3991 return;
3992 }
3993 } else {
3994 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3995 drand48() < hapd->iconf->ignore_assoc_probability) {
3996 wpa_printf(MSG_INFO,
3997 "TESTING: ignoring assoc request from "
3998 MACSTR, MAC2STR(mgmt->sa));
3999 return;
4000 }
4001 }
4002 #endif /* CONFIG_TESTING_OPTIONS */
4003
4004 fc = le_to_host16(mgmt->frame_control);
4005 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4006
4007 if (reassoc) {
4008 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
4009 listen_interval = le_to_host16(
4010 mgmt->u.reassoc_req.listen_interval);
4011 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
4012 " capab_info=0x%02x listen_interval=%d current_ap="
4013 MACSTR " seq_ctrl=0x%x%s",
4014 MAC2STR(mgmt->sa), capab_info, listen_interval,
4015 MAC2STR(mgmt->u.reassoc_req.current_ap),
4016 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4017 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
4018 pos = mgmt->u.reassoc_req.variable;
4019 } else {
4020 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
4021 listen_interval = le_to_host16(
4022 mgmt->u.assoc_req.listen_interval);
4023 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
4024 " capab_info=0x%02x listen_interval=%d "
4025 "seq_ctrl=0x%x%s",
4026 MAC2STR(mgmt->sa), capab_info, listen_interval,
4027 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4028 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
4029 pos = mgmt->u.assoc_req.variable;
4030 }
4031
4032 sta = ap_get_sta(hapd, mgmt->sa);
4033 #ifdef CONFIG_IEEE80211R_AP
4034 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
4035 (sta->flags & WLAN_STA_AUTH) == 0) {
4036 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
4037 "prior to authentication since it is using "
4038 "over-the-DS FT", MAC2STR(mgmt->sa));
4039
4040 /*
4041 * Mark station as authenticated, to avoid adding station
4042 * entry in the driver as associated and not authenticated
4043 */
4044 sta->flags |= WLAN_STA_AUTH;
4045 } else
4046 #endif /* CONFIG_IEEE80211R_AP */
4047 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
4048 if (hapd->iface->current_mode &&
4049 hapd->iface->current_mode->mode ==
4050 HOSTAPD_MODE_IEEE80211AD) {
4051 int acl_res;
4052 u32 session_timeout, acct_interim_interval;
4053 struct vlan_description vlan_id;
4054
4055 acl_res = ieee802_11_allowed_address(
4056 hapd, mgmt->sa, (const u8 *) mgmt, len,
4057 &session_timeout, &acct_interim_interval,
4058 &vlan_id, &psk, &identity, &radius_cui, 0);
4059 if (acl_res == HOSTAPD_ACL_REJECT) {
4060 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
4061 "Ignore Association Request frame from "
4062 MACSTR " due to ACL reject",
4063 MAC2STR(mgmt->sa));
4064 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4065 goto fail;
4066 }
4067 if (acl_res == HOSTAPD_ACL_PENDING)
4068 return;
4069
4070 /* DMG/IEEE 802.11ad does not use authentication.
4071 * Allocate sta entry upon association. */
4072 sta = ap_sta_add(hapd, mgmt->sa);
4073 if (!sta) {
4074 hostapd_logger(hapd, mgmt->sa,
4075 HOSTAPD_MODULE_IEEE80211,
4076 HOSTAPD_LEVEL_INFO,
4077 "Failed to add STA");
4078 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4079 goto fail;
4080 }
4081
4082 acl_res = ieee802_11_set_radius_info(
4083 hapd, sta, acl_res, session_timeout,
4084 acct_interim_interval, &vlan_id, &psk,
4085 &identity, &radius_cui);
4086 if (acl_res) {
4087 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4088 goto fail;
4089 }
4090
4091 hostapd_logger(hapd, sta->addr,
4092 HOSTAPD_MODULE_IEEE80211,
4093 HOSTAPD_LEVEL_DEBUG,
4094 "Skip authentication for DMG/IEEE 802.11ad");
4095 sta->flags |= WLAN_STA_AUTH;
4096 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
4097 sta->auth_alg = WLAN_AUTH_OPEN;
4098 } else {
4099 hostapd_logger(hapd, mgmt->sa,
4100 HOSTAPD_MODULE_IEEE80211,
4101 HOSTAPD_LEVEL_INFO,
4102 "Station tried to associate before authentication (aid=%d flags=0x%x)",
4103 sta ? sta->aid : -1,
4104 sta ? sta->flags : 0);
4105 send_deauth(hapd, mgmt->sa,
4106 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
4107 return;
4108 }
4109 }
4110
4111 if ((fc & WLAN_FC_RETRY) &&
4112 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4113 sta->last_seq_ctrl == seq_ctrl &&
4114 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4115 WLAN_FC_STYPE_ASSOC_REQ)) {
4116 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4117 HOSTAPD_LEVEL_DEBUG,
4118 "Drop repeated association frame seq_ctrl=0x%x",
4119 seq_ctrl);
4120 return;
4121 }
4122 sta->last_seq_ctrl = seq_ctrl;
4123 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4124 WLAN_FC_STYPE_ASSOC_REQ;
4125
4126 if (hapd->tkip_countermeasures) {
4127 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4128 goto fail;
4129 }
4130
4131 if (listen_interval > hapd->conf->max_listen_interval) {
4132 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4133 HOSTAPD_LEVEL_DEBUG,
4134 "Too large Listen Interval (%d)",
4135 listen_interval);
4136 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
4137 goto fail;
4138 }
4139
4140 #ifdef CONFIG_MBO
4141 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
4142 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4143 goto fail;
4144 }
4145
4146 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
4147 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
4148 (sta->auth_rssi == 0 ||
4149 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
4150 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
4151 goto fail;
4152 }
4153 #endif /* CONFIG_MBO */
4154
4155 /*
4156 * sta->capability is used in check_assoc_ies() for RRM enabled
4157 * capability element.
4158 */
4159 sta->capability = capab_info;
4160
4161 #ifdef CONFIG_FILS
4162 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4163 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4164 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4165 int res;
4166
4167 /* The end of the payload is encrypted. Need to decrypt it
4168 * before parsing. */
4169
4170 tmp = os_memdup(pos, left);
4171 if (!tmp) {
4172 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4173 goto fail;
4174 }
4175
4176 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
4177 len, tmp, left);
4178 if (res < 0) {
4179 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4180 goto fail;
4181 }
4182 pos = tmp;
4183 left = res;
4184 }
4185 #endif /* CONFIG_FILS */
4186
4187 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
4188 * is used */
4189 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
4190 if (resp != WLAN_STATUS_SUCCESS)
4191 goto fail;
4192
4193 if (hostapd_get_aid(hapd, sta) < 0) {
4194 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4195 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
4196 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4197 goto fail;
4198 }
4199
4200 sta->listen_interval = listen_interval;
4201
4202 if (hapd->iface->current_mode &&
4203 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
4204 sta->flags |= WLAN_STA_NONERP;
4205 for (i = 0; i < sta->supported_rates_len; i++) {
4206 if ((sta->supported_rates[i] & 0x7f) > 22) {
4207 sta->flags &= ~WLAN_STA_NONERP;
4208 break;
4209 }
4210 }
4211 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
4212 sta->nonerp_set = 1;
4213 hapd->iface->num_sta_non_erp++;
4214 if (hapd->iface->num_sta_non_erp == 1)
4215 ieee802_11_set_beacons(hapd->iface);
4216 }
4217
4218 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
4219 !sta->no_short_slot_time_set) {
4220 sta->no_short_slot_time_set = 1;
4221 hapd->iface->num_sta_no_short_slot_time++;
4222 if (hapd->iface->current_mode &&
4223 hapd->iface->current_mode->mode ==
4224 HOSTAPD_MODE_IEEE80211G &&
4225 hapd->iface->num_sta_no_short_slot_time == 1)
4226 ieee802_11_set_beacons(hapd->iface);
4227 }
4228
4229 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
4230 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
4231 else
4232 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
4233
4234 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
4235 !sta->no_short_preamble_set) {
4236 sta->no_short_preamble_set = 1;
4237 hapd->iface->num_sta_no_short_preamble++;
4238 if (hapd->iface->current_mode &&
4239 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
4240 && hapd->iface->num_sta_no_short_preamble == 1)
4241 ieee802_11_set_beacons(hapd->iface);
4242 }
4243
4244 #ifdef CONFIG_IEEE80211N
4245 update_ht_state(hapd, sta);
4246 #endif /* CONFIG_IEEE80211N */
4247
4248 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4249 HOSTAPD_LEVEL_DEBUG,
4250 "association OK (aid %d)", sta->aid);
4251 /* Station will be marked associated, after it acknowledges AssocResp
4252 */
4253 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
4254
4255 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
4256 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
4257 "SA Query procedure", reassoc ? "re" : "");
4258 /* TODO: Send a protected Disassociate frame to the STA using
4259 * the old key and Reason Code "Previous Authentication no
4260 * longer valid". Make sure this is only sent protected since
4261 * unprotected frame would be received by the STA that is now
4262 * trying to associate.
4263 */
4264 }
4265
4266 /* Make sure that the previously registered inactivity timer will not
4267 * remove the STA immediately. */
4268 sta->timeout_next = STA_NULLFUNC;
4269
4270 #ifdef CONFIG_TAXONOMY
4271 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4272 #endif /* CONFIG_TAXONOMY */
4273
4274 sta->pending_wds_enable = 0;
4275
4276 #ifdef CONFIG_FILS
4277 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4278 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4279 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4280 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4281 delay_assoc = 1;
4282 }
4283 #endif /* CONFIG_FILS */
4284
4285 fail:
4286 os_free(identity);
4287 os_free(radius_cui);
4288 hostapd_free_psk_list(psk);
4289
4290 /*
4291 * In case of a successful response, add the station to the driver.
4292 * Otherwise, the kernel may ignore Data frames before we process the
4293 * ACK frame (TX status). In case of a failure, this station will be
4294 * removed.
4295 *
4296 * Note that this is not compliant with the IEEE 802.11 standard that
4297 * states that a non-AP station should transition into the
4298 * authenticated/associated state only after the station acknowledges
4299 * the (Re)Association Response frame. However, still do this as:
4300 *
4301 * 1. In case the station does not acknowledge the (Re)Association
4302 * Response frame, it will be removed.
4303 * 2. Data frames will be dropped in the kernel until the station is
4304 * set into authorized state, and there are no significant known
4305 * issues with processing other non-Data Class 3 frames during this
4306 * window.
4307 */
4308 if (resp == WLAN_STATUS_SUCCESS && sta &&
4309 add_associated_sta(hapd, sta, reassoc))
4310 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4311
4312 #ifdef CONFIG_FILS
4313 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4314 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4315 sta->fils_pending_assoc_req) {
4316 /* Do not reschedule fils_hlp_timeout in case the station
4317 * retransmits (Re)Association Request frame while waiting for
4318 * the previously started FILS HLP wait, so that the timeout can
4319 * be determined from the first pending attempt. */
4320 wpa_printf(MSG_DEBUG,
4321 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4322 MACSTR, MAC2STR(sta->addr));
4323 os_free(tmp);
4324 return;
4325 }
4326 if (sta) {
4327 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4328 os_free(sta->fils_pending_assoc_req);
4329 sta->fils_pending_assoc_req = NULL;
4330 sta->fils_pending_assoc_req_len = 0;
4331 wpabuf_free(sta->fils_hlp_resp);
4332 sta->fils_hlp_resp = NULL;
4333 }
4334 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4335 sta->fils_pending_assoc_req = tmp;
4336 sta->fils_pending_assoc_req_len = left;
4337 sta->fils_pending_assoc_is_reassoc = reassoc;
4338 sta->fils_drv_assoc_finish = 0;
4339 wpa_printf(MSG_DEBUG,
4340 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4341 MACSTR, MAC2STR(sta->addr));
4342 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4343 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4344 fils_hlp_timeout, hapd, sta);
4345 return;
4346 }
4347 #endif /* CONFIG_FILS */
4348
4349 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4350 left, rssi);
4351 os_free(tmp);
4352
4353 /*
4354 * Remove the station in case tranmission of a success response fails
4355 * (the STA was added associated to the driver) or if the station was
4356 * previously added unassociated.
4357 */
4358 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4359 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4360 hostapd_drv_sta_remove(hapd, sta->addr);
4361 sta->added_unassoc = 0;
4362 }
4363 }
4364
4365
4366 static void handle_disassoc(struct hostapd_data *hapd,
4367 const struct ieee80211_mgmt *mgmt, size_t len)
4368 {
4369 struct sta_info *sta;
4370
4371 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4372 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4373 (unsigned long) len);
4374 return;
4375 }
4376
4377 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4378 MAC2STR(mgmt->sa),
4379 le_to_host16(mgmt->u.disassoc.reason_code));
4380
4381 sta = ap_get_sta(hapd, mgmt->sa);
4382 if (sta == NULL) {
4383 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4384 MAC2STR(mgmt->sa));
4385 return;
4386 }
4387
4388 ap_sta_set_authorized(hapd, sta, 0);
4389 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4390 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4391 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4392 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4393 HOSTAPD_LEVEL_INFO, "disassociated");
4394 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4395 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4396 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4397 * authenticated. */
4398 accounting_sta_stop(hapd, sta);
4399 ieee802_1x_free_station(hapd, sta);
4400 if (sta->ipaddr)
4401 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4402 ap_sta_ip6addr_del(hapd, sta);
4403 hostapd_drv_sta_remove(hapd, sta->addr);
4404 sta->added_unassoc = 0;
4405
4406 if (sta->timeout_next == STA_NULLFUNC ||
4407 sta->timeout_next == STA_DISASSOC) {
4408 sta->timeout_next = STA_DEAUTH;
4409 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4410 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4411 hapd, sta);
4412 }
4413
4414 mlme_disassociate_indication(
4415 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4416
4417 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4418 * disassociation. */
4419 if (hapd->iface->current_mode &&
4420 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4421 sta->flags &= ~WLAN_STA_AUTH;
4422 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4423 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4424 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4425 ap_free_sta(hapd, sta);
4426 }
4427 }
4428
4429
4430 static void handle_deauth(struct hostapd_data *hapd,
4431 const struct ieee80211_mgmt *mgmt, size_t len)
4432 {
4433 struct sta_info *sta;
4434
4435 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4436 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4437 "payload (len=%lu)", (unsigned long) len);
4438 return;
4439 }
4440
4441 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4442 " reason_code=%d",
4443 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4444
4445 sta = ap_get_sta(hapd, mgmt->sa);
4446 if (sta == NULL) {
4447 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4448 "to deauthenticate, but it is not authenticated",
4449 MAC2STR(mgmt->sa));
4450 return;
4451 }
4452
4453 ap_sta_set_authorized(hapd, sta, 0);
4454 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4455 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4456 WLAN_STA_ASSOC_REQ_OK);
4457 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4458 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4459 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4460 mlme_deauthenticate_indication(
4461 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4462 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4463 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4464 ap_free_sta(hapd, sta);
4465 }
4466
4467
4468 static void handle_beacon(struct hostapd_data *hapd,
4469 const struct ieee80211_mgmt *mgmt, size_t len,
4470 struct hostapd_frame_info *fi)
4471 {
4472 struct ieee802_11_elems elems;
4473
4474 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4475 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4476 (unsigned long) len);
4477 return;
4478 }
4479
4480 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4481 len - (IEEE80211_HDRLEN +
4482 sizeof(mgmt->u.beacon)), &elems,
4483 0);
4484
4485 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4486 }
4487
4488
4489 static int robust_action_frame(u8 category)
4490 {
4491 return category != WLAN_ACTION_PUBLIC &&
4492 category != WLAN_ACTION_HT;
4493 }
4494
4495
4496 static int handle_action(struct hostapd_data *hapd,
4497 const struct ieee80211_mgmt *mgmt, size_t len,
4498 unsigned int freq)
4499 {
4500 struct sta_info *sta;
4501 u8 *action __maybe_unused;
4502
4503 if (len < IEEE80211_HDRLEN + 2 + 1) {
4504 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4505 HOSTAPD_LEVEL_DEBUG,
4506 "handle_action - too short payload (len=%lu)",
4507 (unsigned long) len);
4508 return 0;
4509 }
4510
4511 action = (u8 *) &mgmt->u.action.u;
4512 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4513 " da " MACSTR " len %d freq %u",
4514 mgmt->u.action.category, *action,
4515 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4516
4517 sta = ap_get_sta(hapd, mgmt->sa);
4518
4519 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4520 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4521 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4522 "frame (category=%u) from unassociated STA " MACSTR,
4523 mgmt->u.action.category, MAC2STR(mgmt->sa));
4524 return 0;
4525 }
4526
4527 if (sta && (sta->flags & WLAN_STA_MFP) &&
4528 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4529 robust_action_frame(mgmt->u.action.category)) {
4530 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4531 HOSTAPD_LEVEL_DEBUG,
4532 "Dropped unprotected Robust Action frame from "
4533 "an MFP STA");
4534 return 0;
4535 }
4536
4537 if (sta) {
4538 u16 fc = le_to_host16(mgmt->frame_control);
4539 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4540
4541 if ((fc & WLAN_FC_RETRY) &&
4542 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4543 sta->last_seq_ctrl == seq_ctrl &&
4544 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4545 hostapd_logger(hapd, sta->addr,
4546 HOSTAPD_MODULE_IEEE80211,
4547 HOSTAPD_LEVEL_DEBUG,
4548 "Drop repeated action frame seq_ctrl=0x%x",
4549 seq_ctrl);
4550 return 1;
4551 }
4552
4553 sta->last_seq_ctrl = seq_ctrl;
4554 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4555 }
4556
4557 switch (mgmt->u.action.category) {
4558 #ifdef CONFIG_IEEE80211R_AP
4559 case WLAN_ACTION_FT:
4560 if (!sta ||
4561 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4562 len - IEEE80211_HDRLEN))
4563 break;
4564 return 1;
4565 #endif /* CONFIG_IEEE80211R_AP */
4566 case WLAN_ACTION_WMM:
4567 hostapd_wmm_action(hapd, mgmt, len);
4568 return 1;
4569 case WLAN_ACTION_SA_QUERY:
4570 ieee802_11_sa_query_action(hapd, mgmt, len);
4571 return 1;
4572 #ifdef CONFIG_WNM_AP
4573 case WLAN_ACTION_WNM:
4574 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4575 return 1;
4576 #endif /* CONFIG_WNM_AP */
4577 #ifdef CONFIG_FST
4578 case WLAN_ACTION_FST:
4579 if (hapd->iface->fst)
4580 fst_rx_action(hapd->iface->fst, mgmt, len);
4581 else
4582 wpa_printf(MSG_DEBUG,
4583 "FST: Ignore FST Action frame - no FST attached");
4584 return 1;
4585 #endif /* CONFIG_FST */
4586 case WLAN_ACTION_PUBLIC:
4587 case WLAN_ACTION_PROTECTED_DUAL:
4588 #ifdef CONFIG_IEEE80211N
4589 if (len >= IEEE80211_HDRLEN + 2 &&
4590 mgmt->u.action.u.public_action.action ==
4591 WLAN_PA_20_40_BSS_COEX) {
4592 hostapd_2040_coex_action(hapd, mgmt, len);
4593 return 1;
4594 }
4595 #endif /* CONFIG_IEEE80211N */
4596 #ifdef CONFIG_DPP
4597 if (len >= IEEE80211_HDRLEN + 6 &&
4598 mgmt->u.action.u.vs_public_action.action ==
4599 WLAN_PA_VENDOR_SPECIFIC &&
4600 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4601 OUI_WFA &&
4602 mgmt->u.action.u.vs_public_action.variable[0] ==
4603 DPP_OUI_TYPE) {
4604 const u8 *pos, *end;
4605
4606 pos = mgmt->u.action.u.vs_public_action.oui;
4607 end = ((const u8 *) mgmt) + len;
4608 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4609 freq);
4610 return 1;
4611 }
4612 if (len >= IEEE80211_HDRLEN + 2 &&
4613 (mgmt->u.action.u.public_action.action ==
4614 WLAN_PA_GAS_INITIAL_RESP ||
4615 mgmt->u.action.u.public_action.action ==
4616 WLAN_PA_GAS_COMEBACK_RESP)) {
4617 const u8 *pos, *end;
4618
4619 pos = &mgmt->u.action.u.public_action.action;
4620 end = ((const u8 *) mgmt) + len;
4621 gas_query_ap_rx(hapd->gas, mgmt->sa,
4622 mgmt->u.action.category,
4623 pos, end - pos, hapd->iface->freq);
4624 return 1;
4625 }
4626 #endif /* CONFIG_DPP */
4627 if (hapd->public_action_cb) {
4628 hapd->public_action_cb(hapd->public_action_cb_ctx,
4629 (u8 *) mgmt, len,
4630 hapd->iface->freq);
4631 }
4632 if (hapd->public_action_cb2) {
4633 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4634 (u8 *) mgmt, len,
4635 hapd->iface->freq);
4636 }
4637 if (hapd->public_action_cb || hapd->public_action_cb2)
4638 return 1;
4639 break;
4640 case WLAN_ACTION_VENDOR_SPECIFIC:
4641 if (hapd->vendor_action_cb) {
4642 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4643 (u8 *) mgmt, len,
4644 hapd->iface->freq) == 0)
4645 return 1;
4646 }
4647 break;
4648 case WLAN_ACTION_RADIO_MEASUREMENT:
4649 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4650 return 1;
4651 }
4652
4653 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4654 HOSTAPD_LEVEL_DEBUG,
4655 "handle_action - unknown action category %d or invalid "
4656 "frame",
4657 mgmt->u.action.category);
4658 if (!is_multicast_ether_addr(mgmt->da) &&
4659 !(mgmt->u.action.category & 0x80) &&
4660 !is_multicast_ether_addr(mgmt->sa)) {
4661 struct ieee80211_mgmt *resp;
4662
4663 /*
4664 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4665 * Return the Action frame to the source without change
4666 * except that MSB of the Category set to 1.
4667 */
4668 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4669 "frame back to sender");
4670 resp = os_memdup(mgmt, len);
4671 if (resp == NULL)
4672 return 0;
4673 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4674 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4675 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4676 resp->u.action.category |= 0x80;
4677
4678 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
4679 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4680 "Action frame");
4681 }
4682 os_free(resp);
4683 }
4684
4685 return 1;
4686 }
4687
4688
4689 /**
4690 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4691 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4692 * sent to)
4693 * @buf: management frame data (starting from IEEE 802.11 header)
4694 * @len: length of frame data in octets
4695 * @fi: meta data about received frame (signal level, etc.)
4696 *
4697 * Process all incoming IEEE 802.11 management frames. This will be called for
4698 * each frame received from the kernel driver through wlan#ap interface. In
4699 * addition, it can be called to re-inserted pending frames (e.g., when using
4700 * external RADIUS server as an MAC ACL).
4701 */
4702 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4703 struct hostapd_frame_info *fi)
4704 {
4705 struct ieee80211_mgmt *mgmt;
4706 u16 fc, stype;
4707 int ret = 0;
4708 unsigned int freq;
4709 int ssi_signal = fi ? fi->ssi_signal : 0;
4710
4711 if (len < 24)
4712 return 0;
4713
4714 if (fi && fi->freq)
4715 freq = fi->freq;
4716 else
4717 freq = hapd->iface->freq;
4718
4719 mgmt = (struct ieee80211_mgmt *) buf;
4720 fc = le_to_host16(mgmt->frame_control);
4721 stype = WLAN_FC_GET_STYPE(fc);
4722
4723 if (is_multicast_ether_addr(mgmt->sa) ||
4724 is_zero_ether_addr(mgmt->sa) ||
4725 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
4726 /* Do not process any frames with unexpected/invalid SA so that
4727 * we do not add any state for unexpected STA addresses or end
4728 * up sending out frames to unexpected destination. */
4729 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
4730 " in received frame - ignore this frame silently",
4731 MAC2STR(mgmt->sa));
4732 return 0;
4733 }
4734
4735 if (stype == WLAN_FC_STYPE_BEACON) {
4736 handle_beacon(hapd, mgmt, len, fi);
4737 return 1;
4738 }
4739
4740 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4741 #ifdef CONFIG_P2P
4742 /* Invitation responses can be sent with the peer MAC as BSSID */
4743 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4744 stype == WLAN_FC_STYPE_ACTION) &&
4745 #endif /* CONFIG_P2P */
4746 #ifdef CONFIG_MESH
4747 !(hapd->conf->mesh & MESH_ENABLED) &&
4748 #endif /* CONFIG_MESH */
4749 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4750 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4751 MAC2STR(mgmt->bssid));
4752 return 0;
4753 }
4754
4755
4756 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4757 handle_probe_req(hapd, mgmt, len, ssi_signal);
4758 return 1;
4759 }
4760
4761 if ((!is_broadcast_ether_addr(mgmt->da) ||
4762 stype != WLAN_FC_STYPE_ACTION) &&
4763 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4764 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4765 HOSTAPD_LEVEL_DEBUG,
4766 "MGMT: DA=" MACSTR " not our address",
4767 MAC2STR(mgmt->da));
4768 return 0;
4769 }
4770
4771 if (hapd->iconf->track_sta_max_num)
4772 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4773
4774 switch (stype) {
4775 case WLAN_FC_STYPE_AUTH:
4776 wpa_printf(MSG_DEBUG, "mgmt::auth");
4777 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4778 ret = 1;
4779 break;
4780 case WLAN_FC_STYPE_ASSOC_REQ:
4781 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4782 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4783 ret = 1;
4784 break;
4785 case WLAN_FC_STYPE_REASSOC_REQ:
4786 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4787 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4788 ret = 1;
4789 break;
4790 case WLAN_FC_STYPE_DISASSOC:
4791 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4792 handle_disassoc(hapd, mgmt, len);
4793 ret = 1;
4794 break;
4795 case WLAN_FC_STYPE_DEAUTH:
4796 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4797 handle_deauth(hapd, mgmt, len);
4798 ret = 1;
4799 break;
4800 case WLAN_FC_STYPE_ACTION:
4801 wpa_printf(MSG_DEBUG, "mgmt::action");
4802 ret = handle_action(hapd, mgmt, len, freq);
4803 break;
4804 default:
4805 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4806 HOSTAPD_LEVEL_DEBUG,
4807 "unknown mgmt frame subtype %d", stype);
4808 break;
4809 }
4810
4811 return ret;
4812 }
4813
4814
4815 static void handle_auth_cb(struct hostapd_data *hapd,
4816 const struct ieee80211_mgmt *mgmt,
4817 size_t len, int ok)
4818 {
4819 u16 auth_alg, auth_transaction, status_code;
4820 struct sta_info *sta;
4821
4822 sta = ap_get_sta(hapd, mgmt->da);
4823 if (!sta) {
4824 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4825 " not found",
4826 MAC2STR(mgmt->da));
4827 return;
4828 }
4829
4830 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4831 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4832 status_code = le_to_host16(mgmt->u.auth.status_code);
4833
4834 if (!ok) {
4835 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4836 HOSTAPD_LEVEL_NOTICE,
4837 "did not acknowledge authentication response");
4838 goto fail;
4839 }
4840
4841 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4842 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4843 (unsigned long) len);
4844 goto fail;
4845 }
4846
4847 if (status_code == WLAN_STATUS_SUCCESS &&
4848 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4849 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4850 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4851 HOSTAPD_LEVEL_INFO, "authenticated");
4852 sta->flags |= WLAN_STA_AUTH;
4853 if (sta->added_unassoc)
4854 hostapd_set_sta_flags(hapd, sta);
4855 return;
4856 }
4857
4858 fail:
4859 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4860 hostapd_drv_sta_remove(hapd, sta->addr);
4861 sta->added_unassoc = 0;
4862 }
4863 }
4864
4865
4866 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4867 struct sta_info *sta,
4868 char *ifname_wds)
4869 {
4870 int i;
4871 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4872
4873 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4874 return;
4875
4876 for (i = 0; i < 4; i++) {
4877 if (ssid->wep.key[i] &&
4878 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4879 i == ssid->wep.idx, NULL, 0,
4880 ssid->wep.key[i], ssid->wep.len[i])) {
4881 wpa_printf(MSG_WARNING,
4882 "Could not set WEP keys for WDS interface; %s",
4883 ifname_wds);
4884 break;
4885 }
4886 }
4887 }
4888
4889
4890 static void handle_assoc_cb(struct hostapd_data *hapd,
4891 const struct ieee80211_mgmt *mgmt,
4892 size_t len, int reassoc, int ok)
4893 {
4894 u16 status;
4895 struct sta_info *sta;
4896 int new_assoc = 1;
4897
4898 sta = ap_get_sta(hapd, mgmt->da);
4899 if (!sta) {
4900 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4901 MAC2STR(mgmt->da));
4902 return;
4903 }
4904
4905 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4906 sizeof(mgmt->u.assoc_resp))) {
4907 wpa_printf(MSG_INFO,
4908 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4909 reassoc, (unsigned long) len);
4910 hostapd_drv_sta_remove(hapd, sta->addr);
4911 return;
4912 }
4913
4914 if (reassoc)
4915 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4916 else
4917 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4918
4919 if (!ok) {
4920 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4921 HOSTAPD_LEVEL_DEBUG,
4922 "did not acknowledge association response");
4923 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4924 /* The STA is added only in case of SUCCESS */
4925 if (status == WLAN_STATUS_SUCCESS)
4926 hostapd_drv_sta_remove(hapd, sta->addr);
4927
4928 return;
4929 }
4930
4931 if (status != WLAN_STATUS_SUCCESS)
4932 return;
4933
4934 /* Stop previous accounting session, if one is started, and allocate
4935 * new session id for the new session. */
4936 accounting_sta_stop(hapd, sta);
4937
4938 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4939 HOSTAPD_LEVEL_INFO,
4940 "associated (aid %d)",
4941 sta->aid);
4942
4943 if (sta->flags & WLAN_STA_ASSOC)
4944 new_assoc = 0;
4945 sta->flags |= WLAN_STA_ASSOC;
4946 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4947 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4948 !hapd->conf->osen) ||
4949 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4950 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4951 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4952 sta->auth_alg == WLAN_AUTH_FT) {
4953 /*
4954 * Open, static WEP, FT protocol, or FILS; no separate
4955 * authorization step.
4956 */
4957 ap_sta_set_authorized(hapd, sta, 1);
4958 }
4959
4960 if (reassoc)
4961 mlme_reassociate_indication(hapd, sta);
4962 else
4963 mlme_associate_indication(hapd, sta);
4964
4965 sta->sa_query_timed_out = 0;
4966
4967 if (sta->eapol_sm == NULL) {
4968 /*
4969 * This STA does not use RADIUS server for EAP authentication,
4970 * so bind it to the selected VLAN interface now, since the
4971 * interface selection is not going to change anymore.
4972 */
4973 if (ap_sta_bind_vlan(hapd, sta) < 0)
4974 return;
4975 } else if (sta->vlan_id) {
4976 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4977 if (ap_sta_bind_vlan(hapd, sta) < 0)
4978 return;
4979 }
4980
4981 hostapd_set_sta_flags(hapd, sta);
4982
4983 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4984 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4985 MACSTR " based on pending request",
4986 MAC2STR(sta->addr));
4987 sta->pending_wds_enable = 0;
4988 sta->flags |= WLAN_STA_WDS;
4989 }
4990
4991 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4992 int ret;
4993 char ifname_wds[IFNAMSIZ + 1];
4994
4995 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4996 MACSTR " (aid %u)",
4997 MAC2STR(sta->addr), sta->aid);
4998 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4999 sta->aid, 1);
5000 if (!ret)
5001 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
5002 }
5003
5004 if (sta->auth_alg == WLAN_AUTH_FT)
5005 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
5006 else
5007 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
5008 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
5009 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
5010
5011 #ifdef CONFIG_FILS
5012 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
5013 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5014 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5015 fils_set_tk(sta->wpa_sm) < 0) {
5016 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
5017 ap_sta_disconnect(hapd, sta, sta->addr,
5018 WLAN_REASON_UNSPECIFIED);
5019 return;
5020 }
5021 #endif /* CONFIG_FILS */
5022
5023 if (sta->pending_eapol_rx) {
5024 struct os_reltime now, age;
5025
5026 os_get_reltime(&now);
5027 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
5028 if (age.sec == 0 && age.usec < 200000) {
5029 wpa_printf(MSG_DEBUG,
5030 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
5031 MAC2STR(sta->addr));
5032 ieee802_1x_receive(
5033 hapd, mgmt->da,
5034 wpabuf_head(sta->pending_eapol_rx->buf),
5035 wpabuf_len(sta->pending_eapol_rx->buf));
5036 }
5037 wpabuf_free(sta->pending_eapol_rx->buf);
5038 os_free(sta->pending_eapol_rx);
5039 sta->pending_eapol_rx = NULL;
5040 }
5041 }
5042
5043
5044 static void handle_deauth_cb(struct hostapd_data *hapd,
5045 const struct ieee80211_mgmt *mgmt,
5046 size_t len, int ok)
5047 {
5048 struct sta_info *sta;
5049 if (is_multicast_ether_addr(mgmt->da))
5050 return;
5051 sta = ap_get_sta(hapd, mgmt->da);
5052 if (!sta) {
5053 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
5054 " not found", MAC2STR(mgmt->da));
5055 return;
5056 }
5057 if (ok)
5058 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
5059 MAC2STR(sta->addr));
5060 else
5061 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5062 "deauth", MAC2STR(sta->addr));
5063
5064 ap_sta_deauth_cb(hapd, sta);
5065 }
5066
5067
5068 static void handle_disassoc_cb(struct hostapd_data *hapd,
5069 const struct ieee80211_mgmt *mgmt,
5070 size_t len, int ok)
5071 {
5072 struct sta_info *sta;
5073 if (is_multicast_ether_addr(mgmt->da))
5074 return;
5075 sta = ap_get_sta(hapd, mgmt->da);
5076 if (!sta) {
5077 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
5078 " not found", MAC2STR(mgmt->da));
5079 return;
5080 }
5081 if (ok)
5082 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
5083 MAC2STR(sta->addr));
5084 else
5085 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5086 "disassoc", MAC2STR(sta->addr));
5087
5088 ap_sta_disassoc_cb(hapd, sta);
5089 }
5090
5091
5092 static void handle_action_cb(struct hostapd_data *hapd,
5093 const struct ieee80211_mgmt *mgmt,
5094 size_t len, int ok)
5095 {
5096 struct sta_info *sta;
5097 const struct rrm_measurement_report_element *report;
5098
5099 if (is_multicast_ether_addr(mgmt->da))
5100 return;
5101 #ifdef CONFIG_DPP
5102 if (len >= IEEE80211_HDRLEN + 6 &&
5103 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5104 mgmt->u.action.u.vs_public_action.action ==
5105 WLAN_PA_VENDOR_SPECIFIC &&
5106 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5107 OUI_WFA &&
5108 mgmt->u.action.u.vs_public_action.variable[0] ==
5109 DPP_OUI_TYPE) {
5110 const u8 *pos, *end;
5111
5112 pos = &mgmt->u.action.u.vs_public_action.variable[1];
5113 end = ((const u8 *) mgmt) + len;
5114 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
5115 return;
5116 }
5117 if (len >= IEEE80211_HDRLEN + 2 &&
5118 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5119 (mgmt->u.action.u.public_action.action ==
5120 WLAN_PA_GAS_INITIAL_REQ ||
5121 mgmt->u.action.u.public_action.action ==
5122 WLAN_PA_GAS_COMEBACK_REQ)) {
5123 const u8 *pos, *end;
5124
5125 pos = mgmt->u.action.u.public_action.variable;
5126 end = ((const u8 *) mgmt) + len;
5127 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
5128 return;
5129 }
5130 #endif /* CONFIG_DPP */
5131 sta = ap_get_sta(hapd, mgmt->da);
5132 if (!sta) {
5133 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
5134 " not found", MAC2STR(mgmt->da));
5135 return;
5136 }
5137
5138 if (len < 24 + 5 + sizeof(*report))
5139 return;
5140 report = (const struct rrm_measurement_report_element *)
5141 &mgmt->u.action.u.rrm.variable[2];
5142 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
5143 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
5144 report->eid == WLAN_EID_MEASURE_REQUEST &&
5145 report->len >= 3 &&
5146 report->type == MEASURE_TYPE_BEACON)
5147 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
5148 }
5149
5150
5151 /**
5152 * ieee802_11_mgmt_cb - Process management frame TX status callback
5153 * @hapd: hostapd BSS data structure (the BSS from which the management frame
5154 * was sent from)
5155 * @buf: management frame data (starting from IEEE 802.11 header)
5156 * @len: length of frame data in octets
5157 * @stype: management frame subtype from frame control field
5158 * @ok: Whether the frame was ACK'ed
5159 */
5160 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
5161 u16 stype, int ok)
5162 {
5163 const struct ieee80211_mgmt *mgmt;
5164 mgmt = (const struct ieee80211_mgmt *) buf;
5165
5166 #ifdef CONFIG_TESTING_OPTIONS
5167 if (hapd->ext_mgmt_frame_handling) {
5168 size_t hex_len = 2 * len + 1;
5169 char *hex = os_malloc(hex_len);
5170
5171 if (hex) {
5172 wpa_snprintf_hex(hex, hex_len, buf, len);
5173 wpa_msg(hapd->msg_ctx, MSG_INFO,
5174 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
5175 stype, ok, hex);
5176 os_free(hex);
5177 }
5178 return;
5179 }
5180 #endif /* CONFIG_TESTING_OPTIONS */
5181
5182 switch (stype) {
5183 case WLAN_FC_STYPE_AUTH:
5184 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
5185 handle_auth_cb(hapd, mgmt, len, ok);
5186 break;
5187 case WLAN_FC_STYPE_ASSOC_RESP:
5188 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
5189 handle_assoc_cb(hapd, mgmt, len, 0, ok);
5190 break;
5191 case WLAN_FC_STYPE_REASSOC_RESP:
5192 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
5193 handle_assoc_cb(hapd, mgmt, len, 1, ok);
5194 break;
5195 case WLAN_FC_STYPE_PROBE_RESP:
5196 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
5197 break;
5198 case WLAN_FC_STYPE_DEAUTH:
5199 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
5200 handle_deauth_cb(hapd, mgmt, len, ok);
5201 break;
5202 case WLAN_FC_STYPE_DISASSOC:
5203 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
5204 handle_disassoc_cb(hapd, mgmt, len, ok);
5205 break;
5206 case WLAN_FC_STYPE_ACTION:
5207 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
5208 handle_action_cb(hapd, mgmt, len, ok);
5209 break;
5210 default:
5211 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
5212 break;
5213 }
5214 }
5215
5216
5217 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
5218 {
5219 /* TODO */
5220 return 0;
5221 }
5222
5223
5224 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
5225 char *buf, size_t buflen)
5226 {
5227 /* TODO */
5228 return 0;
5229 }
5230
5231
5232 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
5233 const u8 *buf, size_t len, int ack)
5234 {
5235 struct sta_info *sta;
5236 struct hostapd_iface *iface = hapd->iface;
5237
5238 sta = ap_get_sta(hapd, addr);
5239 if (sta == NULL && iface->num_bss > 1) {
5240 size_t j;
5241 for (j = 0; j < iface->num_bss; j++) {
5242 hapd = iface->bss[j];
5243 sta = ap_get_sta(hapd, addr);
5244 if (sta)
5245 break;
5246 }
5247 }
5248 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
5249 return;
5250 if (sta->flags & WLAN_STA_PENDING_POLL) {
5251 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
5252 "activity poll", MAC2STR(sta->addr),
5253 ack ? "ACKed" : "did not ACK");
5254 if (ack)
5255 sta->flags &= ~WLAN_STA_PENDING_POLL;
5256 }
5257
5258 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
5259 }
5260
5261
5262 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5263 const u8 *data, size_t len, int ack)
5264 {
5265 struct sta_info *sta;
5266 struct hostapd_iface *iface = hapd->iface;
5267
5268 sta = ap_get_sta(hapd, dst);
5269 if (sta == NULL && iface->num_bss > 1) {
5270 size_t j;
5271 for (j = 0; j < iface->num_bss; j++) {
5272 hapd = iface->bss[j];
5273 sta = ap_get_sta(hapd, dst);
5274 if (sta)
5275 break;
5276 }
5277 }
5278 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5279 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5280 MACSTR " that is not currently associated",
5281 MAC2STR(dst));
5282 return;
5283 }
5284
5285 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5286 }
5287
5288
5289 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5290 {
5291 struct sta_info *sta;
5292 struct hostapd_iface *iface = hapd->iface;
5293
5294 sta = ap_get_sta(hapd, addr);
5295 if (sta == NULL && iface->num_bss > 1) {
5296 size_t j;
5297 for (j = 0; j < iface->num_bss; j++) {
5298 hapd = iface->bss[j];
5299 sta = ap_get_sta(hapd, addr);
5300 if (sta)
5301 break;
5302 }
5303 }
5304 if (sta == NULL)
5305 return;
5306 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5307 MAC2STR(sta->addr));
5308 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5309 return;
5310
5311 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5312 "activity poll", MAC2STR(sta->addr));
5313 sta->flags &= ~WLAN_STA_PENDING_POLL;
5314 }
5315
5316
5317 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5318 int wds)
5319 {
5320 struct sta_info *sta;
5321
5322 sta = ap_get_sta(hapd, src);
5323 if (sta &&
5324 ((sta->flags & WLAN_STA_ASSOC) ||
5325 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5326 if (!hapd->conf->wds_sta)
5327 return;
5328
5329 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5330 WLAN_STA_ASSOC_REQ_OK) {
5331 wpa_printf(MSG_DEBUG,
5332 "Postpone 4-address WDS mode enabling for STA "
5333 MACSTR " since TX status for AssocResp is not yet known",
5334 MAC2STR(sta->addr));
5335 sta->pending_wds_enable = 1;
5336 return;
5337 }
5338
5339 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5340 int ret;
5341 char ifname_wds[IFNAMSIZ + 1];
5342
5343 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5344 "STA " MACSTR " (aid %u)",
5345 MAC2STR(sta->addr), sta->aid);
5346 sta->flags |= WLAN_STA_WDS;
5347 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5348 sta->addr, sta->aid, 1);
5349 if (!ret)
5350 hostapd_set_wds_encryption(hapd, sta,
5351 ifname_wds);
5352 }
5353 return;
5354 }
5355
5356 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5357 MACSTR, MAC2STR(src));
5358 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
5359 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
5360 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
5361 * silently. */
5362 return;
5363 }
5364
5365 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5366 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5367 "already been sent, but no TX status yet known - "
5368 "ignore Class 3 frame issue with " MACSTR,
5369 MAC2STR(src));
5370 return;
5371 }
5372
5373 if (sta && (sta->flags & WLAN_STA_AUTH))
5374 hostapd_drv_sta_disassoc(
5375 hapd, src,
5376 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5377 else
5378 hostapd_drv_sta_deauth(
5379 hapd, src,
5380 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5381 }
5382
5383
5384 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.