]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use secondary channel provided by ACS for HT40 if valid
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "radius/radius.h"
28 #include "radius/radius_client.h"
29 #include "p2p/p2p.h"
30 #include "wps/wps.h"
31 #include "fst/fst.h"
32 #include "hostapd.h"
33 #include "beacon.h"
34 #include "ieee802_11_auth.h"
35 #include "sta_info.h"
36 #include "ieee802_1x.h"
37 #include "wpa_auth.h"
38 #include "pmksa_cache_auth.h"
39 #include "wmm.h"
40 #include "ap_list.h"
41 #include "accounting.h"
42 #include "ap_config.h"
43 #include "ap_mlme.h"
44 #include "p2p_hostapd.h"
45 #include "ap_drv_ops.h"
46 #include "wnm_ap.h"
47 #include "hw_features.h"
48 #include "ieee802_11.h"
49 #include "dfs.h"
50 #include "mbo_ap.h"
51 #include "rrm.h"
52 #include "taxonomy.h"
53 #include "fils_hlp.h"
54 #include "dpp_hostapd.h"
55 #include "gas_query_ap.h"
56
57
58 #ifdef CONFIG_FILS
59 static struct wpabuf *
60 prepare_auth_resp_fils(struct hostapd_data *hapd,
61 struct sta_info *sta, u16 *resp,
62 struct rsn_pmksa_cache_entry *pmksa,
63 struct wpabuf *erp_resp,
64 const u8 *msk, size_t msk_len,
65 int *is_pub);
66 #endif /* CONFIG_FILS */
67 static void handle_auth(struct hostapd_data *hapd,
68 const struct ieee80211_mgmt *mgmt, size_t len,
69 int rssi, int from_queue);
70
71
72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
73 {
74 u8 multi_ap_val = 0;
75
76 if (!hapd->conf->multi_ap)
77 return eid;
78 if (hapd->conf->multi_ap & BACKHAUL_BSS)
79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
80 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82
83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
84 }
85
86
87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
88 {
89 u8 *pos = eid;
90 int i, num, count;
91 int h2e_required;
92
93 if (hapd->iface->current_rates == NULL)
94 return eid;
95
96 *pos++ = WLAN_EID_SUPP_RATES;
97 num = hapd->iface->num_rates;
98 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
99 num++;
100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
101 num++;
102 h2e_required = (hapd->conf->sae_pwe == 1 ||
103 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
104 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
105 if (h2e_required)
106 num++;
107 if (num > 8) {
108 /* rest of the rates are encoded in Extended supported
109 * rates element */
110 num = 8;
111 }
112
113 *pos++ = num;
114 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
115 i++) {
116 count++;
117 *pos = hapd->iface->current_rates[i].rate / 5;
118 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
119 *pos |= 0x80;
120 pos++;
121 }
122
123 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
124 count++;
125 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
126 }
127
128 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
129 count++;
130 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
131 }
132
133 if (h2e_required && count < 8) {
134 count++;
135 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
136 }
137
138 return pos;
139 }
140
141
142 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
143 {
144 u8 *pos = eid;
145 int i, num, count;
146 int h2e_required;
147
148 if (hapd->iface->current_rates == NULL)
149 return eid;
150
151 num = hapd->iface->num_rates;
152 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
153 num++;
154 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
155 num++;
156 h2e_required = (hapd->conf->sae_pwe == 1 ||
157 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
158 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
159 if (h2e_required)
160 num++;
161 if (num <= 8)
162 return eid;
163 num -= 8;
164
165 *pos++ = WLAN_EID_EXT_SUPP_RATES;
166 *pos++ = num;
167 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
168 i++) {
169 count++;
170 if (count <= 8)
171 continue; /* already in SuppRates IE */
172 *pos = hapd->iface->current_rates[i].rate / 5;
173 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
174 *pos |= 0x80;
175 pos++;
176 }
177
178 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
179 count++;
180 if (count > 8)
181 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
182 }
183
184 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
185 count++;
186 if (count > 8)
187 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
188 }
189
190 if (h2e_required) {
191 count++;
192 if (count > 8)
193 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
194 }
195
196 return pos;
197 }
198
199
200 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
201 {
202 int capab = WLAN_CAPABILITY_ESS;
203 int privacy;
204 int dfs;
205 int i;
206
207 /* Check if any of configured channels require DFS */
208 dfs = hostapd_is_dfs_required(hapd->iface);
209 if (dfs < 0) {
210 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
211 dfs);
212 dfs = 0;
213 }
214
215 if (hapd->iface->num_sta_no_short_preamble == 0 &&
216 hapd->iconf->preamble == SHORT_PREAMBLE)
217 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
218
219 privacy = hapd->conf->ssid.wep.keys_set;
220
221 if (hapd->conf->ieee802_1x &&
222 (hapd->conf->default_wep_key_len ||
223 hapd->conf->individual_wep_key_len))
224 privacy = 1;
225
226 if (hapd->conf->wpa)
227 privacy = 1;
228
229 #ifdef CONFIG_HS20
230 if (hapd->conf->osen)
231 privacy = 1;
232 #endif /* CONFIG_HS20 */
233
234 if (privacy)
235 capab |= WLAN_CAPABILITY_PRIVACY;
236
237 if (hapd->iface->current_mode &&
238 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
239 hapd->iface->num_sta_no_short_slot_time == 0)
240 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
241
242 /*
243 * Currently, Spectrum Management capability bit is set when directly
244 * requested in configuration by spectrum_mgmt_required or when AP is
245 * running on DFS channel.
246 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
247 */
248 if (hapd->iface->current_mode &&
249 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
250 (hapd->iconf->spectrum_mgmt_required || dfs))
251 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
252
253 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
254 if (hapd->conf->radio_measurements[i]) {
255 capab |= IEEE80211_CAP_RRM;
256 break;
257 }
258 }
259
260 return capab;
261 }
262
263
264 #ifndef CONFIG_NO_RC4
265 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
266 u16 auth_transaction, const u8 *challenge,
267 int iswep)
268 {
269 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
270 HOSTAPD_LEVEL_DEBUG,
271 "authentication (shared key, transaction %d)",
272 auth_transaction);
273
274 if (auth_transaction == 1) {
275 if (!sta->challenge) {
276 /* Generate a pseudo-random challenge */
277 u8 key[8];
278
279 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
280 if (sta->challenge == NULL)
281 return WLAN_STATUS_UNSPECIFIED_FAILURE;
282
283 if (os_get_random(key, sizeof(key)) < 0) {
284 os_free(sta->challenge);
285 sta->challenge = NULL;
286 return WLAN_STATUS_UNSPECIFIED_FAILURE;
287 }
288
289 rc4_skip(key, sizeof(key), 0,
290 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
291 }
292 return 0;
293 }
294
295 if (auth_transaction != 3)
296 return WLAN_STATUS_UNSPECIFIED_FAILURE;
297
298 /* Transaction 3 */
299 if (!iswep || !sta->challenge || !challenge ||
300 os_memcmp_const(sta->challenge, challenge,
301 WLAN_AUTH_CHALLENGE_LEN)) {
302 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
303 HOSTAPD_LEVEL_INFO,
304 "shared key authentication - invalid "
305 "challenge-response");
306 return WLAN_STATUS_CHALLENGE_FAIL;
307 }
308
309 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
310 HOSTAPD_LEVEL_DEBUG,
311 "authentication OK (shared key)");
312 sta->flags |= WLAN_STA_AUTH;
313 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
314 os_free(sta->challenge);
315 sta->challenge = NULL;
316
317 return 0;
318 }
319 #endif /* CONFIG_NO_RC4 */
320
321
322 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
323 const u8 *dst, const u8 *bssid,
324 u16 auth_alg, u16 auth_transaction, u16 resp,
325 const u8 *ies, size_t ies_len, const char *dbg)
326 {
327 struct ieee80211_mgmt *reply;
328 u8 *buf;
329 size_t rlen;
330 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
331
332 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
333 buf = os_zalloc(rlen);
334 if (buf == NULL)
335 return -1;
336
337 reply = (struct ieee80211_mgmt *) buf;
338 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
339 WLAN_FC_STYPE_AUTH);
340 os_memcpy(reply->da, dst, ETH_ALEN);
341 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
342 os_memcpy(reply->bssid, bssid, ETH_ALEN);
343
344 reply->u.auth.auth_alg = host_to_le16(auth_alg);
345 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
346 reply->u.auth.status_code = host_to_le16(resp);
347
348 if (ies && ies_len)
349 os_memcpy(reply->u.auth.variable, ies, ies_len);
350
351 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
352 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
353 MAC2STR(dst), auth_alg, auth_transaction,
354 resp, (unsigned long) ies_len, dbg);
355 #ifdef CONFIG_TESTING_OPTIONS
356 #ifdef CONFIG_SAE
357 if (hapd->conf->sae_confirm_immediate == 2 &&
358 auth_alg == WLAN_AUTH_SAE) {
359 if (auth_transaction == 1 &&
360 (resp == WLAN_STATUS_SUCCESS ||
361 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT)) {
362 wpa_printf(MSG_DEBUG,
363 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
364 os_free(sta->sae_postponed_commit);
365 sta->sae_postponed_commit = buf;
366 sta->sae_postponed_commit_len = rlen;
367 return WLAN_STATUS_SUCCESS;
368 }
369
370 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
371 wpa_printf(MSG_DEBUG,
372 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
373 if (hostapd_drv_send_mlme(hapd,
374 sta->sae_postponed_commit,
375 sta->sae_postponed_commit_len,
376 0, NULL, 0, 0) < 0)
377 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
378 os_free(sta->sae_postponed_commit);
379 sta->sae_postponed_commit = NULL;
380 sta->sae_postponed_commit_len = 0;
381 }
382 }
383 #endif /* CONFIG_SAE */
384 #endif /* CONFIG_TESTING_OPTIONS */
385 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
386 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
387 else
388 reply_res = WLAN_STATUS_SUCCESS;
389
390 os_free(buf);
391
392 return reply_res;
393 }
394
395
396 #ifdef CONFIG_IEEE80211R_AP
397 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
398 u16 auth_transaction, u16 status,
399 const u8 *ies, size_t ies_len)
400 {
401 struct hostapd_data *hapd = ctx;
402 struct sta_info *sta;
403 int reply_res;
404
405 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
406 auth_transaction, status, ies, ies_len,
407 "auth-ft-finish");
408
409 sta = ap_get_sta(hapd, dst);
410 if (sta == NULL)
411 return;
412
413 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
414 status != WLAN_STATUS_SUCCESS)) {
415 hostapd_drv_sta_remove(hapd, sta->addr);
416 sta->added_unassoc = 0;
417 return;
418 }
419
420 if (status != WLAN_STATUS_SUCCESS)
421 return;
422
423 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
424 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
425 sta->flags |= WLAN_STA_AUTH;
426 mlme_authenticate_indication(hapd, sta);
427 }
428 #endif /* CONFIG_IEEE80211R_AP */
429
430
431 #ifdef CONFIG_SAE
432
433 static void sae_set_state(struct sta_info *sta, enum sae_state state,
434 const char *reason)
435 {
436 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
437 sae_state_txt(sta->sae->state), sae_state_txt(state),
438 MAC2STR(sta->addr), reason);
439 sta->sae->state = state;
440 }
441
442
443 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
444 struct sta_info *sta, int update,
445 int status_code)
446 {
447 struct wpabuf *buf;
448 const char *password = NULL;
449 struct sae_password_entry *pw;
450 const char *rx_id = NULL;
451 int use_pt = 0;
452 struct sae_pt *pt = NULL;
453
454 if (sta->sae->tmp) {
455 rx_id = sta->sae->tmp->pw_id;
456 use_pt = sta->sae->tmp->h2e;
457 }
458
459 if (rx_id)
460 use_pt = 1;
461 else if (status_code == WLAN_STATUS_SUCCESS)
462 use_pt = 0;
463 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
464 use_pt = 1;
465
466 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
467 if (!is_broadcast_ether_addr(pw->peer_addr) &&
468 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
469 continue;
470 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
471 continue;
472 if (rx_id && pw->identifier &&
473 os_strcmp(rx_id, pw->identifier) != 0)
474 continue;
475 password = pw->password;
476 pt = pw->pt;
477 break;
478 }
479 if (!password) {
480 password = hapd->conf->ssid.wpa_passphrase;
481 pt = hapd->conf->ssid.pt;
482 }
483 if (!password || (use_pt && !pt)) {
484 wpa_printf(MSG_DEBUG, "SAE: No password available");
485 return NULL;
486 }
487
488 if (update && use_pt &&
489 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
490 NULL) < 0)
491 return NULL;
492
493 if (update && !use_pt &&
494 sae_prepare_commit(hapd->own_addr, sta->addr,
495 (u8 *) password, os_strlen(password), rx_id,
496 sta->sae) < 0) {
497 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
498 return NULL;
499 }
500
501 if (pw && pw->vlan_id) {
502 if (!sta->sae->tmp) {
503 wpa_printf(MSG_INFO,
504 "SAE: No temporary data allocated - cannot store VLAN ID");
505 return NULL;
506 }
507 sta->sae->tmp->vlan_id = pw->vlan_id;
508 }
509
510 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
511 (rx_id ? 3 + os_strlen(rx_id) : 0));
512 if (buf == NULL)
513 return NULL;
514 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
515 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
516
517 return buf;
518 }
519
520
521 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
522 struct sta_info *sta)
523 {
524 struct wpabuf *buf;
525
526 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
527 if (buf == NULL)
528 return NULL;
529
530 sae_write_confirm(sta->sae, buf);
531
532 return buf;
533 }
534
535
536 static int auth_sae_send_commit(struct hostapd_data *hapd,
537 struct sta_info *sta,
538 const u8 *bssid, int update, int status_code)
539 {
540 struct wpabuf *data;
541 int reply_res;
542 u16 status;
543
544 data = auth_build_sae_commit(hapd, sta, update, status_code);
545 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
546 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
547 if (data == NULL)
548 return WLAN_STATUS_UNSPECIFIED_FAILURE;
549
550 status = (sta->sae->tmp && sta->sae->tmp->h2e) ?
551 WLAN_STATUS_SAE_HASH_TO_ELEMENT : WLAN_STATUS_SUCCESS;
552 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
553 WLAN_AUTH_SAE, 1,
554 status, wpabuf_head(data),
555 wpabuf_len(data), "sae-send-commit");
556
557 wpabuf_free(data);
558
559 return reply_res;
560 }
561
562
563 static int auth_sae_send_confirm(struct hostapd_data *hapd,
564 struct sta_info *sta,
565 const u8 *bssid)
566 {
567 struct wpabuf *data;
568 int reply_res;
569
570 data = auth_build_sae_confirm(hapd, sta);
571 if (data == NULL)
572 return WLAN_STATUS_UNSPECIFIED_FAILURE;
573
574 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
575 WLAN_AUTH_SAE, 2,
576 WLAN_STATUS_SUCCESS, wpabuf_head(data),
577 wpabuf_len(data), "sae-send-confirm");
578
579 wpabuf_free(data);
580
581 return reply_res;
582 }
583
584
585 static int use_sae_anti_clogging(struct hostapd_data *hapd)
586 {
587 struct sta_info *sta;
588 unsigned int open = 0;
589
590 if (hapd->conf->sae_anti_clogging_threshold == 0)
591 return 1;
592
593 for (sta = hapd->sta_list; sta; sta = sta->next) {
594 if (!sta->sae)
595 continue;
596 if (sta->sae->state != SAE_COMMITTED &&
597 sta->sae->state != SAE_CONFIRMED)
598 continue;
599 open++;
600 if (open >= hapd->conf->sae_anti_clogging_threshold)
601 return 1;
602 }
603
604 /* In addition to already existing open SAE sessions, check whether
605 * there are enough pending commit messages in the processing queue to
606 * potentially result in too many open sessions. */
607 if (open + dl_list_len(&hapd->sae_commit_queue) >=
608 hapd->conf->sae_anti_clogging_threshold)
609 return 1;
610
611 return 0;
612 }
613
614
615 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
616 {
617 u8 hash[SHA256_MAC_LEN];
618
619 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
620 addr, ETH_ALEN, hash);
621 return hash[0];
622 }
623
624
625 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
626 const u8 *token, size_t token_len)
627 {
628 u8 mac[SHA256_MAC_LEN];
629 const u8 *addrs[2];
630 size_t len[2];
631 u16 token_idx;
632 u8 idx;
633
634 if (token_len != SHA256_MAC_LEN)
635 return -1;
636 idx = sae_token_hash(hapd, addr);
637 token_idx = hapd->sae_pending_token_idx[idx];
638 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
639 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
640 MACSTR " - token_idx 0x%04x, expected 0x%04x",
641 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
642 return -1;
643 }
644
645 addrs[0] = addr;
646 len[0] = ETH_ALEN;
647 addrs[1] = token;
648 len[1] = 2;
649 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
650 2, addrs, len, mac) < 0 ||
651 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
652 return -1;
653
654 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
655
656 return 0;
657 }
658
659
660 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
661 int group, const u8 *addr, int h2e)
662 {
663 struct wpabuf *buf;
664 u8 *token;
665 struct os_reltime now;
666 u8 idx[2];
667 const u8 *addrs[2];
668 size_t len[2];
669 u8 p_idx;
670 u16 token_idx;
671
672 os_get_reltime(&now);
673 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
674 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
675 hapd->sae_token_idx == 0xffff) {
676 if (random_get_bytes(hapd->sae_token_key,
677 sizeof(hapd->sae_token_key)) < 0)
678 return NULL;
679 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
680 hapd->sae_token_key, sizeof(hapd->sae_token_key));
681 hapd->last_sae_token_key_update = now;
682 hapd->sae_token_idx = 0;
683 os_memset(hapd->sae_pending_token_idx, 0,
684 sizeof(hapd->sae_pending_token_idx));
685 }
686
687 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
688 if (buf == NULL)
689 return NULL;
690
691 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
692
693 if (h2e) {
694 /* Encapsulate Anti-clogging Token field in a container IE */
695 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
696 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
697 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
698 }
699
700 p_idx = sae_token_hash(hapd, addr);
701 token_idx = hapd->sae_pending_token_idx[p_idx];
702 if (!token_idx) {
703 hapd->sae_token_idx++;
704 token_idx = hapd->sae_token_idx;
705 hapd->sae_pending_token_idx[p_idx] = token_idx;
706 }
707 WPA_PUT_BE16(idx, token_idx);
708 token = wpabuf_put(buf, SHA256_MAC_LEN);
709 addrs[0] = addr;
710 len[0] = ETH_ALEN;
711 addrs[1] = idx;
712 len[1] = sizeof(idx);
713 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
714 2, addrs, len, token) < 0) {
715 wpabuf_free(buf);
716 return NULL;
717 }
718 WPA_PUT_BE16(token, token_idx);
719
720 return buf;
721 }
722
723
724 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
725 {
726 if (sta->sae->sync > hapd->conf->sae_sync) {
727 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
728 sta->sae->sync = 0;
729 return -1;
730 }
731 return 0;
732 }
733
734
735 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
736 {
737 struct hostapd_data *hapd = eloop_ctx;
738 struct sta_info *sta = eloop_data;
739 int ret;
740
741 if (sae_check_big_sync(hapd, sta))
742 return;
743 sta->sae->sync++;
744 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
745 " (sync=%d state=%s)",
746 MAC2STR(sta->addr), sta->sae->sync,
747 sae_state_txt(sta->sae->state));
748
749 switch (sta->sae->state) {
750 case SAE_COMMITTED:
751 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
752 eloop_register_timeout(0,
753 hapd->dot11RSNASAERetransPeriod * 1000,
754 auth_sae_retransmit_timer, hapd, sta);
755 break;
756 case SAE_CONFIRMED:
757 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
758 eloop_register_timeout(0,
759 hapd->dot11RSNASAERetransPeriod * 1000,
760 auth_sae_retransmit_timer, hapd, sta);
761 break;
762 default:
763 ret = -1;
764 break;
765 }
766
767 if (ret != WLAN_STATUS_SUCCESS)
768 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
769 }
770
771
772 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
773 {
774 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
775 }
776
777
778 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
779 struct sta_info *sta)
780 {
781 if (!(hapd->conf->mesh & MESH_ENABLED))
782 return;
783
784 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
785 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
786 auth_sae_retransmit_timer, hapd, sta);
787 }
788
789
790 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
791 struct sta_info *sta, u16 status)
792 {
793 struct external_auth params;
794
795 os_memset(&params, 0, sizeof(params));
796 params.status = status;
797 params.bssid = sta->addr;
798 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
799 !hapd->conf->disable_pmksa_caching)
800 params.pmkid = sta->sae->pmkid;
801
802 hostapd_drv_send_external_auth_status(hapd, &params);
803 }
804
805
806 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
807 {
808 #ifndef CONFIG_NO_VLAN
809 struct vlan_description vlan_desc;
810
811 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
812 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
813 " to VLAN ID %d",
814 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
815
816 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
817 vlan_desc.notempty = 1;
818 vlan_desc.untagged = sta->sae->tmp->vlan_id;
819 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
820 wpa_printf(MSG_INFO,
821 "Invalid VLAN ID %d in sae_password",
822 sta->sae->tmp->vlan_id);
823 return;
824 }
825
826 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
827 ap_sta_bind_vlan(hapd, sta) < 0) {
828 wpa_printf(MSG_INFO,
829 "Failed to assign VLAN ID %d from sae_password to "
830 MACSTR, sta->sae->tmp->vlan_id,
831 MAC2STR(sta->addr));
832 return;
833 }
834 }
835 #endif /* CONFIG_NO_VLAN */
836
837 sta->flags |= WLAN_STA_AUTH;
838 sta->auth_alg = WLAN_AUTH_SAE;
839 mlme_authenticate_indication(hapd, sta);
840 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
841 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
842 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
843 sta->sae->pmk, sta->sae->pmkid);
844 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
845 }
846
847
848 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
849 const u8 *bssid, u16 auth_transaction, u16 status_code,
850 int allow_reuse, int *sta_removed)
851 {
852 int ret;
853
854 *sta_removed = 0;
855
856 if (auth_transaction != 1 && auth_transaction != 2)
857 return WLAN_STATUS_UNSPECIFIED_FAILURE;
858
859 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
860 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
861 auth_transaction);
862 switch (sta->sae->state) {
863 case SAE_NOTHING:
864 if (auth_transaction == 1) {
865 if (sta->sae->tmp)
866 sta->sae->tmp->h2e = status_code ==
867 WLAN_STATUS_SAE_HASH_TO_ELEMENT;
868 ret = auth_sae_send_commit(hapd, sta, bssid,
869 !allow_reuse, status_code);
870 if (ret)
871 return ret;
872 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
873
874 if (sae_process_commit(sta->sae) < 0)
875 return WLAN_STATUS_UNSPECIFIED_FAILURE;
876
877 /*
878 * In mesh case, both Commit and Confirm are sent
879 * immediately. In infrastructure BSS, by default, only
880 * a single Authentication frame (Commit) is expected
881 * from the AP here and the second one (Confirm) will
882 * be sent once the STA has sent its second
883 * Authentication frame (Confirm). This behavior can be
884 * overridden with explicit configuration so that the
885 * infrastructure BSS case sends both frames together.
886 */
887 if ((hapd->conf->mesh & MESH_ENABLED) ||
888 hapd->conf->sae_confirm_immediate) {
889 /*
890 * Send both Commit and Confirm immediately
891 * based on SAE finite state machine
892 * Nothing -> Confirm transition.
893 */
894 ret = auth_sae_send_confirm(hapd, sta, bssid);
895 if (ret)
896 return ret;
897 sae_set_state(sta, SAE_CONFIRMED,
898 "Sent Confirm (mesh)");
899 } else {
900 /*
901 * For infrastructure BSS, send only the Commit
902 * message now to get alternating sequence of
903 * Authentication frames between the AP and STA.
904 * Confirm will be sent in
905 * Committed -> Confirmed/Accepted transition
906 * when receiving Confirm from STA.
907 */
908 }
909 sta->sae->sync = 0;
910 sae_set_retransmit_timer(hapd, sta);
911 } else {
912 hostapd_logger(hapd, sta->addr,
913 HOSTAPD_MODULE_IEEE80211,
914 HOSTAPD_LEVEL_DEBUG,
915 "SAE confirm before commit");
916 }
917 break;
918 case SAE_COMMITTED:
919 sae_clear_retransmit_timer(hapd, sta);
920 if (auth_transaction == 1) {
921 if (sae_process_commit(sta->sae) < 0)
922 return WLAN_STATUS_UNSPECIFIED_FAILURE;
923
924 ret = auth_sae_send_confirm(hapd, sta, bssid);
925 if (ret)
926 return ret;
927 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
928 sta->sae->sync = 0;
929 sae_set_retransmit_timer(hapd, sta);
930 } else if (hapd->conf->mesh & MESH_ENABLED) {
931 /*
932 * In mesh case, follow SAE finite state machine and
933 * send Commit now, if sync count allows.
934 */
935 if (sae_check_big_sync(hapd, sta))
936 return WLAN_STATUS_SUCCESS;
937 sta->sae->sync++;
938
939 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
940 status_code);
941 if (ret)
942 return ret;
943
944 sae_set_retransmit_timer(hapd, sta);
945 } else {
946 /*
947 * For instructure BSS, send the postponed Confirm from
948 * Nothing -> Confirmed transition that was reduced to
949 * Nothing -> Committed above.
950 */
951 ret = auth_sae_send_confirm(hapd, sta, bssid);
952 if (ret)
953 return ret;
954
955 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
956
957 /*
958 * Since this was triggered on Confirm RX, run another
959 * step to get to Accepted without waiting for
960 * additional events.
961 */
962 return sae_sm_step(hapd, sta, bssid, auth_transaction,
963 WLAN_STATUS_SUCCESS, 0, sta_removed);
964 }
965 break;
966 case SAE_CONFIRMED:
967 sae_clear_retransmit_timer(hapd, sta);
968 if (auth_transaction == 1) {
969 if (sae_check_big_sync(hapd, sta))
970 return WLAN_STATUS_SUCCESS;
971 sta->sae->sync++;
972
973 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
974 status_code);
975 if (ret)
976 return ret;
977
978 if (sae_process_commit(sta->sae) < 0)
979 return WLAN_STATUS_UNSPECIFIED_FAILURE;
980
981 ret = auth_sae_send_confirm(hapd, sta, bssid);
982 if (ret)
983 return ret;
984
985 sae_set_retransmit_timer(hapd, sta);
986 } else {
987 sta->sae->send_confirm = 0xffff;
988 sae_accept_sta(hapd, sta);
989 }
990 break;
991 case SAE_ACCEPTED:
992 if (auth_transaction == 1 &&
993 (hapd->conf->mesh & MESH_ENABLED)) {
994 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
995 ") doing reauthentication",
996 MAC2STR(sta->addr));
997 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
998 ap_free_sta(hapd, sta);
999 *sta_removed = 1;
1000 } else if (auth_transaction == 1) {
1001 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1002 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1003 status_code);
1004 if (ret)
1005 return ret;
1006 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1007
1008 if (sae_process_commit(sta->sae) < 0)
1009 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1010 sta->sae->sync = 0;
1011 sae_set_retransmit_timer(hapd, sta);
1012 } else {
1013 if (sae_check_big_sync(hapd, sta))
1014 return WLAN_STATUS_SUCCESS;
1015 sta->sae->sync++;
1016
1017 ret = auth_sae_send_confirm(hapd, sta, bssid);
1018 sae_clear_temp_data(sta->sae);
1019 if (ret)
1020 return ret;
1021 }
1022 break;
1023 default:
1024 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1025 sta->sae->state);
1026 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1027 }
1028 return WLAN_STATUS_SUCCESS;
1029 }
1030
1031
1032 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1033 {
1034 struct sae_data *sae = sta->sae;
1035 int i, *groups = hapd->conf->sae_groups;
1036 int default_groups[] = { 19, 0 };
1037
1038 if (sae->state != SAE_COMMITTED)
1039 return;
1040
1041 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1042
1043 if (!groups)
1044 groups = default_groups;
1045 for (i = 0; groups[i] > 0; i++) {
1046 if (sae->group == groups[i])
1047 break;
1048 }
1049
1050 if (groups[i] <= 0) {
1051 wpa_printf(MSG_DEBUG,
1052 "SAE: Previously selected group not found from the current configuration");
1053 return;
1054 }
1055
1056 for (;;) {
1057 i++;
1058 if (groups[i] <= 0) {
1059 wpa_printf(MSG_DEBUG,
1060 "SAE: No alternative group enabled");
1061 return;
1062 }
1063
1064 if (sae_set_group(sae, groups[i]) < 0)
1065 continue;
1066
1067 break;
1068 }
1069 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1070 }
1071
1072
1073 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1074 {
1075 int sae_pwe = hapd->conf->sae_pwe;
1076 int id_in_use;
1077
1078 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1079 if (id_in_use == 2)
1080 sae_pwe = 1;
1081 else if (id_in_use == 1 && sae_pwe == 0)
1082 sae_pwe = 2;
1083
1084 return (sae_pwe == 0 &&
1085 status_code == WLAN_STATUS_SUCCESS) ||
1086 (sae_pwe == 1 &&
1087 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
1088 (sae_pwe == 2 &&
1089 (status_code == WLAN_STATUS_SUCCESS ||
1090 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT));
1091 }
1092
1093
1094 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1095 {
1096 int *groups = hapd->conf->sae_groups;
1097 int default_groups[] = { 19, 0 };
1098 int i;
1099
1100 if (!groups)
1101 groups = default_groups;
1102
1103 for (i = 0; groups[i] > 0; i++) {
1104 if (groups[i] == group)
1105 return 1;
1106 }
1107
1108 return 0;
1109 }
1110
1111
1112 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1113 const struct wpabuf *groups)
1114 {
1115 size_t i, count;
1116 const u8 *pos;
1117
1118 if (!groups)
1119 return 0;
1120
1121 pos = wpabuf_head(groups);
1122 count = wpabuf_len(groups) / 2;
1123 for (i = 0; i < count; i++) {
1124 int enabled;
1125 u16 group;
1126
1127 group = WPA_GET_LE16(pos);
1128 pos += 2;
1129 enabled = sae_is_group_enabled(hapd, group);
1130 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1131 group, enabled ? "enabled" : "disabled");
1132 if (enabled)
1133 return 1;
1134 }
1135
1136 return 0;
1137 }
1138
1139
1140 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1141 const struct ieee80211_mgmt *mgmt, size_t len,
1142 u16 auth_transaction, u16 status_code)
1143 {
1144 int resp = WLAN_STATUS_SUCCESS;
1145 struct wpabuf *data = NULL;
1146 int *groups = hapd->conf->sae_groups;
1147 int default_groups[] = { 19, 0 };
1148 const u8 *pos, *end;
1149 int sta_removed = 0;
1150
1151 if (!groups)
1152 groups = default_groups;
1153
1154 #ifdef CONFIG_TESTING_OPTIONS
1155 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1156 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1157 pos = mgmt->u.auth.variable;
1158 end = ((const u8 *) mgmt) + len;
1159 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1160 auth_transaction, resp, pos, end - pos,
1161 "auth-sae-reflection-attack");
1162 goto remove_sta;
1163 }
1164
1165 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1166 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1167 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1168 auth_transaction, resp,
1169 wpabuf_head(hapd->conf->sae_commit_override),
1170 wpabuf_len(hapd->conf->sae_commit_override),
1171 "sae-commit-override");
1172 goto remove_sta;
1173 }
1174 #endif /* CONFIG_TESTING_OPTIONS */
1175 if (!sta->sae) {
1176 if (auth_transaction != 1 ||
1177 !sae_status_success(hapd, status_code)) {
1178 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1179 status_code);
1180 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1181 goto reply;
1182 }
1183 sta->sae = os_zalloc(sizeof(*sta->sae));
1184 if (!sta->sae) {
1185 resp = -1;
1186 goto remove_sta;
1187 }
1188 sae_set_state(sta, SAE_NOTHING, "Init");
1189 sta->sae->sync = 0;
1190 }
1191
1192 if (sta->mesh_sae_pmksa_caching) {
1193 wpa_printf(MSG_DEBUG,
1194 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1195 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1196 sta->mesh_sae_pmksa_caching = 0;
1197 }
1198
1199 if (auth_transaction == 1) {
1200 const u8 *token = NULL;
1201 size_t token_len = 0;
1202 int allow_reuse = 0;
1203
1204 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1205 HOSTAPD_LEVEL_DEBUG,
1206 "start SAE authentication (RX commit, status=%u (%s))",
1207 status_code, status2str(status_code));
1208
1209 if ((hapd->conf->mesh & MESH_ENABLED) &&
1210 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1211 sta->sae->tmp) {
1212 pos = mgmt->u.auth.variable;
1213 end = ((const u8 *) mgmt) + len;
1214 if (pos + sizeof(le16) > end) {
1215 wpa_printf(MSG_ERROR,
1216 "SAE: Too short anti-clogging token request");
1217 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1218 goto reply;
1219 }
1220 resp = sae_group_allowed(sta->sae, groups,
1221 WPA_GET_LE16(pos));
1222 if (resp != WLAN_STATUS_SUCCESS) {
1223 wpa_printf(MSG_ERROR,
1224 "SAE: Invalid group in anti-clogging token request");
1225 goto reply;
1226 }
1227 pos += sizeof(le16);
1228
1229 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1230 sta->sae->tmp->anti_clogging_token =
1231 wpabuf_alloc_copy(pos, end - pos);
1232 if (sta->sae->tmp->anti_clogging_token == NULL) {
1233 wpa_printf(MSG_ERROR,
1234 "SAE: Failed to alloc for anti-clogging token");
1235 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1236 goto remove_sta;
1237 }
1238
1239 /*
1240 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1241 * is 76, a new Commit Message shall be constructed
1242 * with the Anti-Clogging Token from the received
1243 * Authentication frame, and the commit-scalar and
1244 * COMMIT-ELEMENT previously sent.
1245 */
1246 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1247 status_code);
1248 if (resp != WLAN_STATUS_SUCCESS) {
1249 wpa_printf(MSG_ERROR,
1250 "SAE: Failed to send commit message");
1251 goto remove_sta;
1252 }
1253 sae_set_state(sta, SAE_COMMITTED,
1254 "Sent Commit (anti-clogging token case in mesh)");
1255 sta->sae->sync = 0;
1256 sae_set_retransmit_timer(hapd, sta);
1257 return;
1258 }
1259
1260 if ((hapd->conf->mesh & MESH_ENABLED) &&
1261 status_code ==
1262 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1263 sta->sae->tmp) {
1264 wpa_printf(MSG_DEBUG,
1265 "SAE: Peer did not accept our SAE group");
1266 sae_pick_next_group(hapd, sta);
1267 goto remove_sta;
1268 }
1269
1270 if (!sae_status_success(hapd, status_code))
1271 goto remove_sta;
1272
1273 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1274 sta->sae->state == SAE_COMMITTED) {
1275 /* This is needed in the infrastructure BSS case to
1276 * address a sequence where a STA entry may remain in
1277 * hostapd across two attempts to do SAE authentication
1278 * by the same STA. The second attempt may end up trying
1279 * to use a different group and that would not be
1280 * allowed if we remain in Committed state with the
1281 * previously set parameters. */
1282 pos = mgmt->u.auth.variable;
1283 end = ((const u8 *) mgmt) + len;
1284 if (end - pos >= (int) sizeof(le16) &&
1285 sae_group_allowed(sta->sae, groups,
1286 WPA_GET_LE16(pos)) ==
1287 WLAN_STATUS_SUCCESS) {
1288 /* Do not waste resources deriving the same PWE
1289 * again since the same group is reused. */
1290 sae_set_state(sta, SAE_NOTHING,
1291 "Allow previous PWE to be reused");
1292 allow_reuse = 1;
1293 } else {
1294 sae_set_state(sta, SAE_NOTHING,
1295 "Clear existing state to allow restart");
1296 sae_clear_data(sta->sae);
1297 }
1298 }
1299
1300 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1301 ((const u8 *) mgmt) + len -
1302 mgmt->u.auth.variable, &token,
1303 &token_len, groups, status_code ==
1304 WLAN_STATUS_SAE_HASH_TO_ELEMENT);
1305 if (resp == SAE_SILENTLY_DISCARD) {
1306 wpa_printf(MSG_DEBUG,
1307 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1308 MAC2STR(sta->addr));
1309 goto remove_sta;
1310 }
1311
1312 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1313 wpa_msg(hapd->msg_ctx, MSG_INFO,
1314 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1315 MACSTR, MAC2STR(sta->addr));
1316 sae_clear_retransmit_timer(hapd, sta);
1317 sae_set_state(sta, SAE_NOTHING,
1318 "Unknown Password Identifier");
1319 goto remove_sta;
1320 }
1321
1322 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1323 < 0) {
1324 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1325 "incorrect token from " MACSTR,
1326 MAC2STR(sta->addr));
1327 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1328 goto remove_sta;
1329 }
1330
1331 if (resp != WLAN_STATUS_SUCCESS)
1332 goto reply;
1333
1334 if (sta->sae->tmp &&
1335 check_sae_rejected_groups(
1336 hapd, sta->sae->tmp->peer_rejected_groups)) {
1337 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1338 goto reply;
1339 }
1340
1341 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1342 int h2e = 0;
1343
1344 wpa_printf(MSG_DEBUG,
1345 "SAE: Request anti-clogging token from "
1346 MACSTR, MAC2STR(sta->addr));
1347 if (sta->sae->tmp)
1348 h2e = sta->sae->tmp->h2e;
1349 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
1350 h2e = 1;
1351 data = auth_build_token_req(hapd, sta->sae->group,
1352 sta->addr, h2e);
1353 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1354 if (hapd->conf->mesh & MESH_ENABLED)
1355 sae_set_state(sta, SAE_NOTHING,
1356 "Request anti-clogging token case in mesh");
1357 goto reply;
1358 }
1359
1360 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1361 status_code, allow_reuse, &sta_removed);
1362 } else if (auth_transaction == 2) {
1363 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1364 HOSTAPD_LEVEL_DEBUG,
1365 "SAE authentication (RX confirm, status=%u (%s))",
1366 status_code, status2str(status_code));
1367 if (status_code != WLAN_STATUS_SUCCESS)
1368 goto remove_sta;
1369 if (sta->sae->state >= SAE_CONFIRMED ||
1370 !(hapd->conf->mesh & MESH_ENABLED)) {
1371 const u8 *var;
1372 size_t var_len;
1373 u16 peer_send_confirm;
1374
1375 var = mgmt->u.auth.variable;
1376 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1377 if (var_len < 2) {
1378 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1379 goto reply;
1380 }
1381
1382 peer_send_confirm = WPA_GET_LE16(var);
1383
1384 if (sta->sae->state == SAE_ACCEPTED &&
1385 (peer_send_confirm <= sta->sae->rc ||
1386 peer_send_confirm == 0xffff)) {
1387 wpa_printf(MSG_DEBUG,
1388 "SAE: Silently ignore unexpected Confirm from peer "
1389 MACSTR
1390 " (peer-send-confirm=%u Rc=%u)",
1391 MAC2STR(sta->addr),
1392 peer_send_confirm, sta->sae->rc);
1393 return;
1394 }
1395
1396 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1397 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1398 goto reply;
1399 }
1400 sta->sae->rc = peer_send_confirm;
1401 }
1402 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1403 status_code, 0, &sta_removed);
1404 } else {
1405 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1406 HOSTAPD_LEVEL_DEBUG,
1407 "unexpected SAE authentication transaction %u (status=%u (%s))",
1408 auth_transaction, status_code,
1409 status2str(status_code));
1410 if (status_code != WLAN_STATUS_SUCCESS)
1411 goto remove_sta;
1412 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1413 }
1414
1415 reply:
1416 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1417 pos = mgmt->u.auth.variable;
1418 end = ((const u8 *) mgmt) + len;
1419
1420 /* Copy the Finite Cyclic Group field from the request if we
1421 * rejected it as unsupported group. */
1422 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1423 !data && end - pos >= 2)
1424 data = wpabuf_alloc_copy(pos, 2);
1425
1426 sae_sme_send_external_auth_status(hapd, sta, resp);
1427 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1428 auth_transaction, resp,
1429 data ? wpabuf_head(data) : (u8 *) "",
1430 data ? wpabuf_len(data) : 0, "auth-sae");
1431 }
1432
1433 remove_sta:
1434 if (!sta_removed && sta->added_unassoc &&
1435 (resp != WLAN_STATUS_SUCCESS ||
1436 status_code != WLAN_STATUS_SUCCESS)) {
1437 hostapd_drv_sta_remove(hapd, sta->addr);
1438 sta->added_unassoc = 0;
1439 }
1440 wpabuf_free(data);
1441 }
1442
1443
1444 /**
1445 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1446 * @hapd: BSS data for the device initiating the authentication
1447 * @sta: the peer to which commit authentication frame is sent
1448 *
1449 * This function implements Init event handling (IEEE Std 802.11-2012,
1450 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1451 * sta->sae structure should be initialized appropriately via a call to
1452 * sae_prepare_commit().
1453 */
1454 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1455 {
1456 int ret;
1457
1458 if (!sta->sae || !sta->sae->tmp)
1459 return -1;
1460
1461 if (sta->sae->state != SAE_NOTHING)
1462 return -1;
1463
1464 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1465 if (ret)
1466 return -1;
1467
1468 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1469 sta->sae->sync = 0;
1470 sae_set_retransmit_timer(hapd, sta);
1471
1472 return 0;
1473 }
1474
1475
1476 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1477 {
1478 struct hostapd_data *hapd = eloop_ctx;
1479 struct hostapd_sae_commit_queue *q;
1480 unsigned int queue_len;
1481
1482 q = dl_list_first(&hapd->sae_commit_queue,
1483 struct hostapd_sae_commit_queue, list);
1484 if (!q)
1485 return;
1486 wpa_printf(MSG_DEBUG,
1487 "SAE: Process next available message from queue");
1488 dl_list_del(&q->list);
1489 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1490 q->rssi, 1);
1491 os_free(q);
1492
1493 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1494 return;
1495 queue_len = dl_list_len(&hapd->sae_commit_queue);
1496 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1497 hapd, NULL);
1498 }
1499
1500
1501 static void auth_sae_queue(struct hostapd_data *hapd,
1502 const struct ieee80211_mgmt *mgmt, size_t len,
1503 int rssi)
1504 {
1505 struct hostapd_sae_commit_queue *q, *q2;
1506 unsigned int queue_len;
1507 const struct ieee80211_mgmt *mgmt2;
1508
1509 queue_len = dl_list_len(&hapd->sae_commit_queue);
1510 if (queue_len >= 15) {
1511 wpa_printf(MSG_DEBUG,
1512 "SAE: No more room in message queue - drop the new frame from "
1513 MACSTR, MAC2STR(mgmt->sa));
1514 return;
1515 }
1516
1517 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1518 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1519 queue_len);
1520 q = os_zalloc(sizeof(*q) + len);
1521 if (!q)
1522 return;
1523 q->rssi = rssi;
1524 q->len = len;
1525 os_memcpy(q->msg, mgmt, len);
1526
1527 /* Check whether there is already a queued Authentication frame from the
1528 * same station with the same transaction number and if so, replace that
1529 * queue entry with the new one. This avoids issues with a peer that
1530 * sends multiple times (e.g., due to frequent SAE retries). There is no
1531 * point in us trying to process the old attempts after a new one has
1532 * obsoleted them. */
1533 dl_list_for_each(q2, &hapd->sae_commit_queue,
1534 struct hostapd_sae_commit_queue, list) {
1535 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1536 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1537 mgmt->u.auth.auth_transaction ==
1538 mgmt2->u.auth.auth_transaction) {
1539 wpa_printf(MSG_DEBUG,
1540 "SAE: Replace queued message from same STA with same transaction number");
1541 dl_list_add(&q2->list, &q->list);
1542 dl_list_del(&q2->list);
1543 os_free(q2);
1544 goto queued;
1545 }
1546 }
1547
1548 /* No pending identical entry, so add to the end of the queue */
1549 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1550
1551 queued:
1552 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1553 return;
1554 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1555 hapd, NULL);
1556 }
1557
1558
1559 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1560 {
1561 struct hostapd_sae_commit_queue *q;
1562 const struct ieee80211_mgmt *mgmt;
1563
1564 dl_list_for_each(q, &hapd->sae_commit_queue,
1565 struct hostapd_sae_commit_queue, list) {
1566 mgmt = (const struct ieee80211_mgmt *) q->msg;
1567 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1568 return 1;
1569 }
1570
1571 return 0;
1572 }
1573
1574 #endif /* CONFIG_SAE */
1575
1576
1577 static u16 wpa_res_to_status_code(int res)
1578 {
1579 if (res == WPA_INVALID_GROUP)
1580 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1581 if (res == WPA_INVALID_PAIRWISE)
1582 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1583 if (res == WPA_INVALID_AKMP)
1584 return WLAN_STATUS_AKMP_NOT_VALID;
1585 if (res == WPA_ALLOC_FAIL)
1586 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1587 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1588 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1589 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1590 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1591 if (res == WPA_INVALID_MDIE)
1592 return WLAN_STATUS_INVALID_MDIE;
1593 if (res == WPA_INVALID_PMKID)
1594 return WLAN_STATUS_INVALID_PMKID;
1595 if (res != WPA_IE_OK)
1596 return WLAN_STATUS_INVALID_IE;
1597 return WLAN_STATUS_SUCCESS;
1598 }
1599
1600
1601 #ifdef CONFIG_FILS
1602
1603 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1604 struct sta_info *sta, u16 resp,
1605 struct wpabuf *data, int pub);
1606
1607 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1608 const u8 *pos, size_t len, u16 auth_alg,
1609 u16 auth_transaction, u16 status_code,
1610 void (*cb)(struct hostapd_data *hapd,
1611 struct sta_info *sta, u16 resp,
1612 struct wpabuf *data, int pub))
1613 {
1614 u16 resp = WLAN_STATUS_SUCCESS;
1615 const u8 *end;
1616 struct ieee802_11_elems elems;
1617 int res;
1618 struct wpa_ie_data rsn;
1619 struct rsn_pmksa_cache_entry *pmksa = NULL;
1620
1621 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1622 return;
1623
1624 end = pos + len;
1625
1626 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1627 pos, end - pos);
1628
1629 /* TODO: FILS PK */
1630 #ifdef CONFIG_FILS_SK_PFS
1631 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1632 u16 group;
1633 struct wpabuf *pub;
1634 size_t elem_len;
1635
1636 /* Using FILS PFS */
1637
1638 /* Finite Cyclic Group */
1639 if (end - pos < 2) {
1640 wpa_printf(MSG_DEBUG,
1641 "FILS: No room for Finite Cyclic Group");
1642 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1643 goto fail;
1644 }
1645 group = WPA_GET_LE16(pos);
1646 pos += 2;
1647 if (group != hapd->conf->fils_dh_group) {
1648 wpa_printf(MSG_DEBUG,
1649 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1650 group, hapd->conf->fils_dh_group);
1651 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1652 goto fail;
1653 }
1654
1655 crypto_ecdh_deinit(sta->fils_ecdh);
1656 sta->fils_ecdh = crypto_ecdh_init(group);
1657 if (!sta->fils_ecdh) {
1658 wpa_printf(MSG_INFO,
1659 "FILS: Could not initialize ECDH with group %d",
1660 group);
1661 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1662 goto fail;
1663 }
1664
1665 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1666 if (!pub) {
1667 wpa_printf(MSG_DEBUG,
1668 "FILS: Failed to derive ECDH public key");
1669 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1670 goto fail;
1671 }
1672 elem_len = wpabuf_len(pub);
1673 wpabuf_free(pub);
1674
1675 /* Element */
1676 if ((size_t) (end - pos) < elem_len) {
1677 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1678 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1679 goto fail;
1680 }
1681
1682 wpabuf_free(sta->fils_g_sta);
1683 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1684 wpabuf_clear_free(sta->fils_dh_ss);
1685 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1686 pos, elem_len);
1687 if (!sta->fils_dh_ss) {
1688 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1689 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1690 goto fail;
1691 }
1692 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1693 pos += elem_len;
1694 } else {
1695 crypto_ecdh_deinit(sta->fils_ecdh);
1696 sta->fils_ecdh = NULL;
1697 wpabuf_clear_free(sta->fils_dh_ss);
1698 sta->fils_dh_ss = NULL;
1699 }
1700 #endif /* CONFIG_FILS_SK_PFS */
1701
1702 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1703 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1704 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1705 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1706 goto fail;
1707 }
1708
1709 /* RSNE */
1710 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1711 elems.rsn_ie, elems.rsn_ie_len);
1712 if (!elems.rsn_ie ||
1713 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1714 &rsn) < 0) {
1715 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1716 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1717 goto fail;
1718 }
1719
1720 if (!sta->wpa_sm)
1721 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1722 NULL);
1723 if (!sta->wpa_sm) {
1724 wpa_printf(MSG_DEBUG,
1725 "FILS: Failed to initialize RSN state machine");
1726 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1727 goto fail;
1728 }
1729
1730 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1731 hapd->iface->freq,
1732 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1733 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1734 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1735 elems.mdie, elems.mdie_len, NULL, 0);
1736 resp = wpa_res_to_status_code(res);
1737 if (resp != WLAN_STATUS_SUCCESS)
1738 goto fail;
1739
1740 if (!elems.fils_nonce) {
1741 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1742 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1743 goto fail;
1744 }
1745 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1746 FILS_NONCE_LEN);
1747 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1748
1749 /* PMKID List */
1750 if (rsn.pmkid && rsn.num_pmkid > 0) {
1751 u8 num;
1752 const u8 *pmkid;
1753
1754 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1755 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1756
1757 pmkid = rsn.pmkid;
1758 num = rsn.num_pmkid;
1759 while (num) {
1760 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1761 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1762 pmkid);
1763 if (pmksa)
1764 break;
1765 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1766 sta->addr,
1767 pmkid);
1768 if (pmksa)
1769 break;
1770 pmkid += PMKID_LEN;
1771 num--;
1772 }
1773 }
1774 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1775 wpa_printf(MSG_DEBUG,
1776 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1777 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1778 pmksa = NULL;
1779 }
1780 if (pmksa)
1781 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1782
1783 /* FILS Session */
1784 if (!elems.fils_session) {
1785 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1786 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1787 goto fail;
1788 }
1789 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1790 FILS_SESSION_LEN);
1791 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1792
1793 /* FILS Wrapped Data */
1794 if (elems.fils_wrapped_data) {
1795 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1796 elems.fils_wrapped_data,
1797 elems.fils_wrapped_data_len);
1798 if (!pmksa) {
1799 #ifndef CONFIG_NO_RADIUS
1800 if (!sta->eapol_sm) {
1801 sta->eapol_sm =
1802 ieee802_1x_alloc_eapol_sm(hapd, sta);
1803 }
1804 wpa_printf(MSG_DEBUG,
1805 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1806 ieee802_1x_encapsulate_radius(
1807 hapd, sta, elems.fils_wrapped_data,
1808 elems.fils_wrapped_data_len);
1809 sta->fils_pending_cb = cb;
1810 wpa_printf(MSG_DEBUG,
1811 "FILS: Will send Authentication frame once the response from authentication server is available");
1812 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1813 /* Calculate pending PMKID here so that we do not need
1814 * to maintain a copy of the EAP-Initiate/Reauth
1815 * message. */
1816 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1817 elems.fils_wrapped_data,
1818 elems.fils_wrapped_data_len,
1819 sta->fils_erp_pmkid) == 0)
1820 sta->fils_erp_pmkid_set = 1;
1821 return;
1822 #else /* CONFIG_NO_RADIUS */
1823 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1824 goto fail;
1825 #endif /* CONFIG_NO_RADIUS */
1826 }
1827 }
1828
1829 fail:
1830 if (cb) {
1831 struct wpabuf *data;
1832 int pub = 0;
1833
1834 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1835 NULL, 0, &pub);
1836 if (!data) {
1837 wpa_printf(MSG_DEBUG,
1838 "%s: prepare_auth_resp_fils() returned failure",
1839 __func__);
1840 }
1841
1842 cb(hapd, sta, resp, data, pub);
1843 }
1844 }
1845
1846
1847 static struct wpabuf *
1848 prepare_auth_resp_fils(struct hostapd_data *hapd,
1849 struct sta_info *sta, u16 *resp,
1850 struct rsn_pmksa_cache_entry *pmksa,
1851 struct wpabuf *erp_resp,
1852 const u8 *msk, size_t msk_len,
1853 int *is_pub)
1854 {
1855 u8 fils_nonce[FILS_NONCE_LEN];
1856 size_t ielen;
1857 struct wpabuf *data = NULL;
1858 const u8 *ie;
1859 u8 *ie_buf = NULL;
1860 const u8 *pmk = NULL;
1861 size_t pmk_len = 0;
1862 u8 pmk_buf[PMK_LEN_MAX];
1863 struct wpabuf *pub = NULL;
1864
1865 if (*resp != WLAN_STATUS_SUCCESS)
1866 goto fail;
1867
1868 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1869 if (!ie) {
1870 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1871 goto fail;
1872 }
1873
1874 if (pmksa) {
1875 /* Add PMKID of the selected PMKSA into RSNE */
1876 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1877 if (!ie_buf) {
1878 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1879 goto fail;
1880 }
1881
1882 os_memcpy(ie_buf, ie, ielen);
1883 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1884 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1885 goto fail;
1886 }
1887 ie = ie_buf;
1888 }
1889
1890 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1891 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 goto fail;
1893 }
1894 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1895 fils_nonce, FILS_NONCE_LEN);
1896
1897 #ifdef CONFIG_FILS_SK_PFS
1898 if (sta->fils_dh_ss && sta->fils_ecdh) {
1899 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1900 if (!pub) {
1901 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1902 goto fail;
1903 }
1904 }
1905 #endif /* CONFIG_FILS_SK_PFS */
1906
1907 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1908 if (!data) {
1909 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1910 goto fail;
1911 }
1912
1913 /* TODO: FILS PK */
1914 #ifdef CONFIG_FILS_SK_PFS
1915 if (pub) {
1916 /* Finite Cyclic Group */
1917 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1918
1919 /* Element */
1920 wpabuf_put_buf(data, pub);
1921 }
1922 #endif /* CONFIG_FILS_SK_PFS */
1923
1924 /* RSNE */
1925 wpabuf_put_data(data, ie, ielen);
1926
1927 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1928
1929 #ifdef CONFIG_IEEE80211R_AP
1930 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1931 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1932 int res;
1933 int use_sha384 = wpa_key_mgmt_sha384(
1934 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1935
1936 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1937 wpabuf_put(data, 0),
1938 wpabuf_tailroom(data));
1939 if (res < 0) {
1940 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1941 goto fail;
1942 }
1943 wpabuf_put(data, res);
1944 }
1945 #endif /* CONFIG_IEEE80211R_AP */
1946
1947 /* FILS Nonce */
1948 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1949 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1950 /* Element ID Extension */
1951 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1952 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1953
1954 /* FILS Session */
1955 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1956 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1957 /* Element ID Extension */
1958 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1959 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1960
1961 /* FILS Wrapped Data */
1962 if (!pmksa && erp_resp) {
1963 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1964 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1965 /* Element ID Extension */
1966 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1967 wpabuf_put_buf(data, erp_resp);
1968
1969 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1970 msk, msk_len, sta->fils_snonce, fils_nonce,
1971 sta->fils_dh_ss ?
1972 wpabuf_head(sta->fils_dh_ss) : NULL,
1973 sta->fils_dh_ss ?
1974 wpabuf_len(sta->fils_dh_ss) : 0,
1975 pmk_buf, &pmk_len)) {
1976 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1977 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1978 wpabuf_free(data);
1979 data = NULL;
1980 goto fail;
1981 }
1982 pmk = pmk_buf;
1983
1984 /* Don't use DHss in PTK derivation if PMKSA caching is not
1985 * used. */
1986 wpabuf_clear_free(sta->fils_dh_ss);
1987 sta->fils_dh_ss = NULL;
1988
1989 if (sta->fils_erp_pmkid_set) {
1990 /* TODO: get PMKLifetime from WPA parameters */
1991 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1992 int session_timeout;
1993
1994 session_timeout = dot11RSNAConfigPMKLifetime;
1995 if (sta->session_timeout_set) {
1996 struct os_reltime now, diff;
1997
1998 os_get_reltime(&now);
1999 os_reltime_sub(&sta->session_timeout, &now,
2000 &diff);
2001 session_timeout = diff.sec;
2002 }
2003
2004 sta->fils_erp_pmkid_set = 0;
2005 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2006 sta->fils_erp_pmkid);
2007 if (!hapd->conf->disable_pmksa_caching &&
2008 wpa_auth_pmksa_add2(
2009 hapd->wpa_auth, sta->addr,
2010 pmk, pmk_len,
2011 sta->fils_erp_pmkid,
2012 session_timeout,
2013 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2014 wpa_printf(MSG_ERROR,
2015 "FILS: Failed to add PMKSA cache entry based on ERP");
2016 }
2017 }
2018 } else if (pmksa) {
2019 pmk = pmksa->pmk;
2020 pmk_len = pmksa->pmk_len;
2021 }
2022
2023 if (!pmk) {
2024 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2025 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2026 wpabuf_free(data);
2027 data = NULL;
2028 goto fail;
2029 }
2030
2031 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2032 sta->fils_snonce, fils_nonce,
2033 sta->fils_dh_ss ?
2034 wpabuf_head(sta->fils_dh_ss) : NULL,
2035 sta->fils_dh_ss ?
2036 wpabuf_len(sta->fils_dh_ss) : 0,
2037 sta->fils_g_sta, pub) < 0) {
2038 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2039 wpabuf_free(data);
2040 data = NULL;
2041 goto fail;
2042 }
2043
2044 fail:
2045 if (is_pub)
2046 *is_pub = pub != NULL;
2047 os_free(ie_buf);
2048 wpabuf_free(pub);
2049 wpabuf_clear_free(sta->fils_dh_ss);
2050 sta->fils_dh_ss = NULL;
2051 #ifdef CONFIG_FILS_SK_PFS
2052 crypto_ecdh_deinit(sta->fils_ecdh);
2053 sta->fils_ecdh = NULL;
2054 #endif /* CONFIG_FILS_SK_PFS */
2055 return data;
2056 }
2057
2058
2059 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2060 struct sta_info *sta, u16 resp,
2061 struct wpabuf *data, int pub)
2062 {
2063 u16 auth_alg;
2064
2065 auth_alg = (pub ||
2066 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2067 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2068 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2069 data ? wpabuf_head(data) : (u8 *) "",
2070 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2071 wpabuf_free(data);
2072
2073 if (resp == WLAN_STATUS_SUCCESS) {
2074 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2075 HOSTAPD_LEVEL_DEBUG,
2076 "authentication OK (FILS)");
2077 sta->flags |= WLAN_STA_AUTH;
2078 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2079 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2080 mlme_authenticate_indication(hapd, sta);
2081 }
2082 }
2083
2084
2085 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2086 struct sta_info *sta, int success,
2087 struct wpabuf *erp_resp,
2088 const u8 *msk, size_t msk_len)
2089 {
2090 struct wpabuf *data;
2091 int pub = 0;
2092 u16 resp;
2093
2094 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2095
2096 if (!sta->fils_pending_cb)
2097 return;
2098 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2099 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2100 msk, msk_len, &pub);
2101 if (!data) {
2102 wpa_printf(MSG_DEBUG,
2103 "%s: prepare_auth_resp_fils() returned failure",
2104 __func__);
2105 }
2106 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2107 }
2108
2109 #endif /* CONFIG_FILS */
2110
2111
2112 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2113 const u8 *msg, size_t len,
2114 struct radius_sta *info)
2115 {
2116 int res;
2117
2118 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2119
2120 if (res == HOSTAPD_ACL_REJECT) {
2121 wpa_printf(MSG_DEBUG, "Station " MACSTR
2122 " not allowed to authenticate",
2123 MAC2STR(addr));
2124 return HOSTAPD_ACL_REJECT;
2125 }
2126
2127 if (res == HOSTAPD_ACL_PENDING) {
2128 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2129 " waiting for an external authentication",
2130 MAC2STR(addr));
2131 /* Authentication code will re-send the authentication frame
2132 * after it has received (and cached) information from the
2133 * external source. */
2134 return HOSTAPD_ACL_PENDING;
2135 }
2136
2137 return res;
2138 }
2139
2140
2141 static int
2142 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2143 int res, struct radius_sta *info)
2144 {
2145 u32 session_timeout = info->session_timeout;
2146 u32 acct_interim_interval = info->acct_interim_interval;
2147 struct vlan_description *vlan_id = &info->vlan_id;
2148 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2149 char *identity = info->identity;
2150 char *radius_cui = info->radius_cui;
2151
2152 if (vlan_id->notempty &&
2153 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2154 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2155 HOSTAPD_LEVEL_INFO,
2156 "Invalid VLAN %d%s received from RADIUS server",
2157 vlan_id->untagged,
2158 vlan_id->tagged[0] ? "+" : "");
2159 return -1;
2160 }
2161 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2162 return -1;
2163 if (sta->vlan_id)
2164 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2165 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2166
2167 hostapd_free_psk_list(sta->psk);
2168 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2169 hostapd_copy_psk_list(&sta->psk, psk);
2170 else
2171 sta->psk = NULL;
2172
2173 os_free(sta->identity);
2174 if (identity)
2175 sta->identity = os_strdup(identity);
2176 else
2177 sta->identity = NULL;
2178
2179 os_free(sta->radius_cui);
2180 if (radius_cui)
2181 sta->radius_cui = os_strdup(radius_cui);
2182 else
2183 sta->radius_cui = NULL;
2184
2185 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2186 sta->acct_interim_interval = acct_interim_interval;
2187 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2188 sta->session_timeout_set = 1;
2189 os_get_reltime(&sta->session_timeout);
2190 sta->session_timeout.sec += session_timeout;
2191 ap_sta_session_timeout(hapd, sta, session_timeout);
2192 } else {
2193 sta->session_timeout_set = 0;
2194 ap_sta_no_session_timeout(hapd, sta);
2195 }
2196
2197 return 0;
2198 }
2199
2200
2201 static void handle_auth(struct hostapd_data *hapd,
2202 const struct ieee80211_mgmt *mgmt, size_t len,
2203 int rssi, int from_queue)
2204 {
2205 u16 auth_alg, auth_transaction, status_code;
2206 u16 resp = WLAN_STATUS_SUCCESS;
2207 struct sta_info *sta = NULL;
2208 int res, reply_res;
2209 u16 fc;
2210 const u8 *challenge = NULL;
2211 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2212 size_t resp_ies_len = 0;
2213 u16 seq_ctrl;
2214 struct radius_sta rad_info;
2215
2216 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2217 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2218 (unsigned long) len);
2219 return;
2220 }
2221
2222 #ifdef CONFIG_TESTING_OPTIONS
2223 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2224 drand48() < hapd->iconf->ignore_auth_probability) {
2225 wpa_printf(MSG_INFO,
2226 "TESTING: ignoring auth frame from " MACSTR,
2227 MAC2STR(mgmt->sa));
2228 return;
2229 }
2230 #endif /* CONFIG_TESTING_OPTIONS */
2231
2232 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2233 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2234 status_code = le_to_host16(mgmt->u.auth.status_code);
2235 fc = le_to_host16(mgmt->frame_control);
2236 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2237
2238 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2239 2 + WLAN_AUTH_CHALLENGE_LEN &&
2240 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2241 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2242 challenge = &mgmt->u.auth.variable[2];
2243
2244 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2245 "auth_transaction=%d status_code=%d wep=%d%s "
2246 "seq_ctrl=0x%x%s%s",
2247 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2248 status_code, !!(fc & WLAN_FC_ISWEP),
2249 challenge ? " challenge" : "",
2250 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2251 from_queue ? " (from queue)" : "");
2252
2253 #ifdef CONFIG_NO_RC4
2254 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2255 wpa_printf(MSG_INFO,
2256 "Unsupported authentication algorithm (%d)",
2257 auth_alg);
2258 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2259 goto fail;
2260 }
2261 #endif /* CONFIG_NO_RC4 */
2262
2263 if (hapd->tkip_countermeasures) {
2264 wpa_printf(MSG_DEBUG,
2265 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2266 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2267 goto fail;
2268 }
2269
2270 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2271 auth_alg == WLAN_AUTH_OPEN) ||
2272 #ifdef CONFIG_IEEE80211R_AP
2273 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2274 auth_alg == WLAN_AUTH_FT) ||
2275 #endif /* CONFIG_IEEE80211R_AP */
2276 #ifdef CONFIG_SAE
2277 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2278 auth_alg == WLAN_AUTH_SAE) ||
2279 #endif /* CONFIG_SAE */
2280 #ifdef CONFIG_FILS
2281 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2282 auth_alg == WLAN_AUTH_FILS_SK) ||
2283 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2284 hapd->conf->fils_dh_group &&
2285 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2286 #endif /* CONFIG_FILS */
2287 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2288 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2289 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2290 auth_alg);
2291 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2292 goto fail;
2293 }
2294
2295 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2296 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2297 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2298 auth_transaction);
2299 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2300 goto fail;
2301 }
2302
2303 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2304 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2305 MAC2STR(mgmt->sa));
2306 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2307 goto fail;
2308 }
2309
2310 if (hapd->conf->no_auth_if_seen_on) {
2311 struct hostapd_data *other;
2312
2313 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2314 hapd->conf->no_auth_if_seen_on);
2315 if (other) {
2316 u8 *pos;
2317 u32 info;
2318 u8 op_class, channel, phytype;
2319
2320 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2321 MACSTR " since STA has been seen on %s",
2322 hapd->conf->iface, MAC2STR(mgmt->sa),
2323 hapd->conf->no_auth_if_seen_on);
2324
2325 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2326 pos = &resp_ies[0];
2327 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2328 *pos++ = 13;
2329 os_memcpy(pos, other->own_addr, ETH_ALEN);
2330 pos += ETH_ALEN;
2331 info = 0; /* TODO: BSSID Information */
2332 WPA_PUT_LE32(pos, info);
2333 pos += 4;
2334 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2335 phytype = 8; /* dmg */
2336 else if (other->iconf->ieee80211ac)
2337 phytype = 9; /* vht */
2338 else if (other->iconf->ieee80211n)
2339 phytype = 7; /* ht */
2340 else if (other->iconf->hw_mode ==
2341 HOSTAPD_MODE_IEEE80211A)
2342 phytype = 4; /* ofdm */
2343 else if (other->iconf->hw_mode ==
2344 HOSTAPD_MODE_IEEE80211G)
2345 phytype = 6; /* erp */
2346 else
2347 phytype = 5; /* hrdsss */
2348 if (ieee80211_freq_to_channel_ext(
2349 hostapd_hw_get_freq(other,
2350 other->iconf->channel),
2351 other->iconf->secondary_channel,
2352 other->iconf->ieee80211ac,
2353 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2354 op_class = 0;
2355 channel = other->iconf->channel;
2356 }
2357 *pos++ = op_class;
2358 *pos++ = channel;
2359 *pos++ = phytype;
2360 resp_ies_len = pos - &resp_ies[0];
2361 goto fail;
2362 }
2363 }
2364
2365 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
2366 &rad_info);
2367 if (res == HOSTAPD_ACL_REJECT) {
2368 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2369 "Ignore Authentication frame from " MACSTR
2370 " due to ACL reject", MAC2STR(mgmt->sa));
2371 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2372 goto fail;
2373 }
2374 if (res == HOSTAPD_ACL_PENDING)
2375 return;
2376
2377 #ifdef CONFIG_SAE
2378 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2379 (auth_transaction == 1 ||
2380 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2381 /* Handle SAE Authentication commit message through a queue to
2382 * provide more control for postponing the needed heavy
2383 * processing under a possible DoS attack scenario. In addition,
2384 * queue SAE Authentication confirm message if there happens to
2385 * be a queued commit message from the same peer. This is needed
2386 * to avoid reordering Authentication frames within the same
2387 * SAE exchange. */
2388 auth_sae_queue(hapd, mgmt, len, rssi);
2389 return;
2390 }
2391 #endif /* CONFIG_SAE */
2392
2393 sta = ap_get_sta(hapd, mgmt->sa);
2394 if (sta) {
2395 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2396 sta->ft_over_ds = 0;
2397 if ((fc & WLAN_FC_RETRY) &&
2398 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2399 sta->last_seq_ctrl == seq_ctrl &&
2400 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2401 hostapd_logger(hapd, sta->addr,
2402 HOSTAPD_MODULE_IEEE80211,
2403 HOSTAPD_LEVEL_DEBUG,
2404 "Drop repeated authentication frame seq_ctrl=0x%x",
2405 seq_ctrl);
2406 return;
2407 }
2408 #ifdef CONFIG_MESH
2409 if ((hapd->conf->mesh & MESH_ENABLED) &&
2410 sta->plink_state == PLINK_BLOCKED) {
2411 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2412 " is blocked - drop Authentication frame",
2413 MAC2STR(mgmt->sa));
2414 return;
2415 }
2416 #endif /* CONFIG_MESH */
2417 } else {
2418 #ifdef CONFIG_MESH
2419 if (hapd->conf->mesh & MESH_ENABLED) {
2420 /* if the mesh peer is not available, we don't do auth.
2421 */
2422 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2423 " not yet known - drop Authentication frame",
2424 MAC2STR(mgmt->sa));
2425 /*
2426 * Save a copy of the frame so that it can be processed
2427 * if a new peer entry is added shortly after this.
2428 */
2429 wpabuf_free(hapd->mesh_pending_auth);
2430 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2431 os_get_reltime(&hapd->mesh_pending_auth_time);
2432 return;
2433 }
2434 #endif /* CONFIG_MESH */
2435
2436 sta = ap_sta_add(hapd, mgmt->sa);
2437 if (!sta) {
2438 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2439 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2440 goto fail;
2441 }
2442 }
2443 sta->last_seq_ctrl = seq_ctrl;
2444 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2445 #ifdef CONFIG_MBO
2446 sta->auth_rssi = rssi;
2447 #endif /* CONFIG_MBO */
2448
2449 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
2450 if (res) {
2451 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2452 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2453 goto fail;
2454 }
2455
2456 sta->flags &= ~WLAN_STA_PREAUTH;
2457 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2458
2459 /*
2460 * If the driver supports full AP client state, add a station to the
2461 * driver before sending authentication reply to make sure the driver
2462 * has resources, and not to go through the entire authentication and
2463 * association handshake, and fail it at the end.
2464 *
2465 * If this is not the first transaction, in a multi-step authentication
2466 * algorithm, the station already exists in the driver
2467 * (sta->added_unassoc = 1) so skip it.
2468 *
2469 * In mesh mode, the station was already added to the driver when the
2470 * NEW_PEER_CANDIDATE event is received.
2471 *
2472 * If PMF was negotiated for the existing association, skip this to
2473 * avoid dropping the STA entry and the associated keys. This is needed
2474 * to allow the original connection work until the attempt can complete
2475 * (re)association, so that unprotected Authentication frame cannot be
2476 * used to bypass PMF protection.
2477 */
2478 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2479 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2480 !(hapd->conf->mesh & MESH_ENABLED) &&
2481 !(sta->added_unassoc)) {
2482 /*
2483 * If a station that is already associated to the AP, is trying
2484 * to authenticate again, remove the STA entry, in order to make
2485 * sure the STA PS state gets cleared and configuration gets
2486 * updated. To handle this, station's added_unassoc flag is
2487 * cleared once the station has completed association.
2488 */
2489 ap_sta_set_authorized(hapd, sta, 0);
2490 hostapd_drv_sta_remove(hapd, sta->addr);
2491 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2492 WLAN_STA_AUTHORIZED);
2493
2494 if (hostapd_sta_add(hapd, sta->addr, 0, 0,
2495 sta->supported_rates,
2496 sta->supported_rates_len,
2497 0, NULL, NULL, NULL, 0,
2498 sta->flags, 0, 0, 0, 0)) {
2499 hostapd_logger(hapd, sta->addr,
2500 HOSTAPD_MODULE_IEEE80211,
2501 HOSTAPD_LEVEL_NOTICE,
2502 "Could not add STA to kernel driver");
2503 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2504 goto fail;
2505 }
2506
2507 sta->added_unassoc = 1;
2508 }
2509
2510 switch (auth_alg) {
2511 case WLAN_AUTH_OPEN:
2512 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2513 HOSTAPD_LEVEL_DEBUG,
2514 "authentication OK (open system)");
2515 sta->flags |= WLAN_STA_AUTH;
2516 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2517 sta->auth_alg = WLAN_AUTH_OPEN;
2518 mlme_authenticate_indication(hapd, sta);
2519 break;
2520 #ifndef CONFIG_NO_RC4
2521 case WLAN_AUTH_SHARED_KEY:
2522 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2523 fc & WLAN_FC_ISWEP);
2524 if (resp != 0)
2525 wpa_printf(MSG_DEBUG,
2526 "auth_shared_key() failed: status=%d", resp);
2527 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2528 mlme_authenticate_indication(hapd, sta);
2529 if (sta->challenge && auth_transaction == 1) {
2530 resp_ies[0] = WLAN_EID_CHALLENGE;
2531 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2532 os_memcpy(resp_ies + 2, sta->challenge,
2533 WLAN_AUTH_CHALLENGE_LEN);
2534 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2535 }
2536 break;
2537 #endif /* CONFIG_NO_RC4 */
2538 #ifdef CONFIG_IEEE80211R_AP
2539 case WLAN_AUTH_FT:
2540 sta->auth_alg = WLAN_AUTH_FT;
2541 if (sta->wpa_sm == NULL)
2542 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2543 sta->addr, NULL);
2544 if (sta->wpa_sm == NULL) {
2545 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2546 "state machine");
2547 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2548 goto fail;
2549 }
2550 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2551 auth_transaction, mgmt->u.auth.variable,
2552 len - IEEE80211_HDRLEN -
2553 sizeof(mgmt->u.auth),
2554 handle_auth_ft_finish, hapd);
2555 /* handle_auth_ft_finish() callback will complete auth. */
2556 return;
2557 #endif /* CONFIG_IEEE80211R_AP */
2558 #ifdef CONFIG_SAE
2559 case WLAN_AUTH_SAE:
2560 #ifdef CONFIG_MESH
2561 if (status_code == WLAN_STATUS_SUCCESS &&
2562 hapd->conf->mesh & MESH_ENABLED) {
2563 if (sta->wpa_sm == NULL)
2564 sta->wpa_sm =
2565 wpa_auth_sta_init(hapd->wpa_auth,
2566 sta->addr, NULL);
2567 if (sta->wpa_sm == NULL) {
2568 wpa_printf(MSG_DEBUG,
2569 "SAE: Failed to initialize WPA state machine");
2570 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2571 goto fail;
2572 }
2573 }
2574 #endif /* CONFIG_MESH */
2575 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2576 status_code);
2577 return;
2578 #endif /* CONFIG_SAE */
2579 #ifdef CONFIG_FILS
2580 case WLAN_AUTH_FILS_SK:
2581 case WLAN_AUTH_FILS_SK_PFS:
2582 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2583 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2584 auth_alg, auth_transaction, status_code,
2585 handle_auth_fils_finish);
2586 return;
2587 #endif /* CONFIG_FILS */
2588 }
2589
2590 fail:
2591 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
2592 auth_transaction + 1, resp, resp_ies,
2593 resp_ies_len, "handle-auth");
2594
2595 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2596 reply_res != WLAN_STATUS_SUCCESS)) {
2597 hostapd_drv_sta_remove(hapd, sta->addr);
2598 sta->added_unassoc = 0;
2599 }
2600 }
2601
2602
2603 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2604 {
2605 int i, j = 32, aid;
2606
2607 /* get a unique AID */
2608 if (sta->aid > 0) {
2609 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2610 return 0;
2611 }
2612
2613 if (TEST_FAIL())
2614 return -1;
2615
2616 for (i = 0; i < AID_WORDS; i++) {
2617 if (hapd->sta_aid[i] == (u32) -1)
2618 continue;
2619 for (j = 0; j < 32; j++) {
2620 if (!(hapd->sta_aid[i] & BIT(j)))
2621 break;
2622 }
2623 if (j < 32)
2624 break;
2625 }
2626 if (j == 32)
2627 return -1;
2628 aid = i * 32 + j + 1;
2629 if (aid > 2007)
2630 return -1;
2631
2632 sta->aid = aid;
2633 hapd->sta_aid[i] |= BIT(j);
2634 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2635 return 0;
2636 }
2637
2638
2639 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2640 const u8 *ssid_ie, size_t ssid_ie_len)
2641 {
2642 if (ssid_ie == NULL)
2643 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2644
2645 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2646 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2647 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2648 HOSTAPD_LEVEL_INFO,
2649 "Station tried to associate with unknown SSID "
2650 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2651 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2652 }
2653
2654 return WLAN_STATUS_SUCCESS;
2655 }
2656
2657
2658 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2659 const u8 *wmm_ie, size_t wmm_ie_len)
2660 {
2661 sta->flags &= ~WLAN_STA_WMM;
2662 sta->qosinfo = 0;
2663 if (wmm_ie && hapd->conf->wmm_enabled) {
2664 struct wmm_information_element *wmm;
2665
2666 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2667 hostapd_logger(hapd, sta->addr,
2668 HOSTAPD_MODULE_WPA,
2669 HOSTAPD_LEVEL_DEBUG,
2670 "invalid WMM element in association "
2671 "request");
2672 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2673 }
2674
2675 sta->flags |= WLAN_STA_WMM;
2676 wmm = (struct wmm_information_element *) wmm_ie;
2677 sta->qosinfo = wmm->qos_info;
2678 }
2679 return WLAN_STATUS_SUCCESS;
2680 }
2681
2682 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2683 const u8 *multi_ap_ie, size_t multi_ap_len)
2684 {
2685 u8 multi_ap_value = 0;
2686
2687 sta->flags &= ~WLAN_STA_MULTI_AP;
2688
2689 if (!hapd->conf->multi_ap)
2690 return WLAN_STATUS_SUCCESS;
2691
2692 if (multi_ap_ie) {
2693 const u8 *multi_ap_subelem;
2694
2695 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2696 multi_ap_len - 4,
2697 MULTI_AP_SUB_ELEM_TYPE);
2698 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2699 multi_ap_value = multi_ap_subelem[2];
2700 } else {
2701 hostapd_logger(hapd, sta->addr,
2702 HOSTAPD_MODULE_IEEE80211,
2703 HOSTAPD_LEVEL_INFO,
2704 "Multi-AP IE has missing or invalid Multi-AP subelement");
2705 return WLAN_STATUS_INVALID_IE;
2706 }
2707 }
2708
2709 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2710 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2711 HOSTAPD_LEVEL_INFO,
2712 "Multi-AP IE with unexpected value 0x%02x",
2713 multi_ap_value);
2714
2715 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2716 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2717 return WLAN_STATUS_SUCCESS;
2718
2719 hostapd_logger(hapd, sta->addr,
2720 HOSTAPD_MODULE_IEEE80211,
2721 HOSTAPD_LEVEL_INFO,
2722 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2723 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2724 }
2725
2726 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2727 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2728 HOSTAPD_LEVEL_DEBUG,
2729 "Backhaul STA tries to associate with fronthaul-only BSS");
2730
2731 sta->flags |= WLAN_STA_MULTI_AP;
2732 return WLAN_STATUS_SUCCESS;
2733 }
2734
2735
2736 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2737 struct ieee802_11_elems *elems)
2738 {
2739 /* Supported rates not used in IEEE 802.11ad/DMG */
2740 if (hapd->iface->current_mode &&
2741 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2742 return WLAN_STATUS_SUCCESS;
2743
2744 if (!elems->supp_rates) {
2745 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2746 HOSTAPD_LEVEL_DEBUG,
2747 "No supported rates element in AssocReq");
2748 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2749 }
2750
2751 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2752 sizeof(sta->supported_rates)) {
2753 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2754 HOSTAPD_LEVEL_DEBUG,
2755 "Invalid supported rates element length %d+%d",
2756 elems->supp_rates_len,
2757 elems->ext_supp_rates_len);
2758 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2759 }
2760
2761 sta->supported_rates_len = merge_byte_arrays(
2762 sta->supported_rates, sizeof(sta->supported_rates),
2763 elems->supp_rates, elems->supp_rates_len,
2764 elems->ext_supp_rates, elems->ext_supp_rates_len);
2765
2766 return WLAN_STATUS_SUCCESS;
2767 }
2768
2769
2770 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2771 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2772 {
2773 #ifdef CONFIG_INTERWORKING
2774 /* check for QoS Map support */
2775 if (ext_capab_ie_len >= 5) {
2776 if (ext_capab_ie[4] & 0x01)
2777 sta->qos_map_enabled = 1;
2778 }
2779 #endif /* CONFIG_INTERWORKING */
2780
2781 if (ext_capab_ie_len > 0) {
2782 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2783 os_free(sta->ext_capability);
2784 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2785 if (sta->ext_capability) {
2786 sta->ext_capability[0] = ext_capab_ie_len;
2787 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2788 ext_capab_ie_len);
2789 }
2790 }
2791
2792 return WLAN_STATUS_SUCCESS;
2793 }
2794
2795
2796 #ifdef CONFIG_OWE
2797
2798 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2799 {
2800 int i;
2801 int *groups = hapd->conf->owe_groups;
2802
2803 if (group != 19 && group != 20 && group != 21)
2804 return 0;
2805
2806 if (!groups)
2807 return 1;
2808
2809 for (i = 0; groups[i] > 0; i++) {
2810 if (groups[i] == group)
2811 return 1;
2812 }
2813
2814 return 0;
2815 }
2816
2817
2818 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2819 struct sta_info *sta, const u8 *owe_dh,
2820 u8 owe_dh_len)
2821 {
2822 struct wpabuf *secret, *pub, *hkey;
2823 int res;
2824 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2825 const char *info = "OWE Key Generation";
2826 const u8 *addr[2];
2827 size_t len[2];
2828 u16 group;
2829 size_t hash_len, prime_len;
2830
2831 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2832 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2833 return WLAN_STATUS_SUCCESS;
2834 }
2835
2836 group = WPA_GET_LE16(owe_dh);
2837 if (!owe_group_supported(hapd, group)) {
2838 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2839 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2840 }
2841 if (group == 19)
2842 prime_len = 32;
2843 else if (group == 20)
2844 prime_len = 48;
2845 else if (group == 21)
2846 prime_len = 66;
2847 else
2848 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2849
2850 crypto_ecdh_deinit(sta->owe_ecdh);
2851 sta->owe_ecdh = crypto_ecdh_init(group);
2852 if (!sta->owe_ecdh)
2853 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2854 sta->owe_group = group;
2855
2856 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2857 owe_dh_len - 2);
2858 secret = wpabuf_zeropad(secret, prime_len);
2859 if (!secret) {
2860 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2861 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2862 }
2863 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2864
2865 /* prk = HKDF-extract(C | A | group, z) */
2866
2867 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2868 if (!pub) {
2869 wpabuf_clear_free(secret);
2870 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2871 }
2872
2873 /* PMKID = Truncate-128(Hash(C | A)) */
2874 addr[0] = owe_dh + 2;
2875 len[0] = owe_dh_len - 2;
2876 addr[1] = wpabuf_head(pub);
2877 len[1] = wpabuf_len(pub);
2878 if (group == 19) {
2879 res = sha256_vector(2, addr, len, pmkid);
2880 hash_len = SHA256_MAC_LEN;
2881 } else if (group == 20) {
2882 res = sha384_vector(2, addr, len, pmkid);
2883 hash_len = SHA384_MAC_LEN;
2884 } else if (group == 21) {
2885 res = sha512_vector(2, addr, len, pmkid);
2886 hash_len = SHA512_MAC_LEN;
2887 } else {
2888 wpabuf_free(pub);
2889 wpabuf_clear_free(secret);
2890 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2891 }
2892 pub = wpabuf_zeropad(pub, prime_len);
2893 if (res < 0 || !pub) {
2894 wpabuf_free(pub);
2895 wpabuf_clear_free(secret);
2896 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2897 }
2898
2899 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2900 if (!hkey) {
2901 wpabuf_free(pub);
2902 wpabuf_clear_free(secret);
2903 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2904 }
2905
2906 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2907 wpabuf_put_buf(hkey, pub); /* A */
2908 wpabuf_free(pub);
2909 wpabuf_put_le16(hkey, group); /* group */
2910 if (group == 19)
2911 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2912 wpabuf_head(secret), wpabuf_len(secret), prk);
2913 else if (group == 20)
2914 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2915 wpabuf_head(secret), wpabuf_len(secret), prk);
2916 else if (group == 21)
2917 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2918 wpabuf_head(secret), wpabuf_len(secret), prk);
2919 wpabuf_clear_free(hkey);
2920 wpabuf_clear_free(secret);
2921 if (res < 0)
2922 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2923
2924 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2925
2926 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2927
2928 os_free(sta->owe_pmk);
2929 sta->owe_pmk = os_malloc(hash_len);
2930 if (!sta->owe_pmk) {
2931 os_memset(prk, 0, SHA512_MAC_LEN);
2932 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2933 }
2934
2935 if (group == 19)
2936 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2937 os_strlen(info), sta->owe_pmk, hash_len);
2938 else if (group == 20)
2939 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2940 os_strlen(info), sta->owe_pmk, hash_len);
2941 else if (group == 21)
2942 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2943 os_strlen(info), sta->owe_pmk, hash_len);
2944 os_memset(prk, 0, SHA512_MAC_LEN);
2945 if (res < 0) {
2946 os_free(sta->owe_pmk);
2947 sta->owe_pmk = NULL;
2948 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2949 }
2950 sta->owe_pmk_len = hash_len;
2951
2952 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2953 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2954 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2955 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2956
2957 return WLAN_STATUS_SUCCESS;
2958 }
2959
2960
2961 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
2962 const u8 *rsn_ie, size_t rsn_ie_len,
2963 const u8 *owe_dh, size_t owe_dh_len)
2964 {
2965 struct wpa_ie_data data;
2966 int res;
2967
2968 if (!rsn_ie || rsn_ie_len < 2) {
2969 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
2970 MAC2STR(peer));
2971 return WLAN_STATUS_INVALID_IE;
2972 }
2973 rsn_ie -= 2;
2974 rsn_ie_len += 2;
2975
2976 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
2977 if (res) {
2978 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
2979 " (res=%d)", MAC2STR(peer), res);
2980 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
2981 return wpa_res_to_status_code(res);
2982 }
2983 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
2984 wpa_printf(MSG_DEBUG,
2985 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
2986 (unsigned int) data.key_mgmt, MAC2STR(peer));
2987 return WLAN_STATUS_AKMP_NOT_VALID;
2988 }
2989 if (!owe_dh) {
2990 wpa_printf(MSG_DEBUG,
2991 "OWE: No Diffie-Hellman Parameter element from "
2992 MACSTR, MAC2STR(peer));
2993 return WLAN_STATUS_AKMP_NOT_VALID;
2994 }
2995
2996 return WLAN_STATUS_SUCCESS;
2997 }
2998
2999
3000 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
3001 struct sta_info *sta,
3002 const u8 *rsn_ie, size_t rsn_ie_len,
3003 const u8 *owe_dh, size_t owe_dh_len)
3004 {
3005 u16 status;
3006 u8 *owe_buf, ie[256 * 2];
3007 size_t ie_len = 0;
3008 int res;
3009
3010 if (!rsn_ie || rsn_ie_len < 2) {
3011 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
3012 status = WLAN_STATUS_INVALID_IE;
3013 goto end;
3014 }
3015
3016 if (!sta->wpa_sm)
3017 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
3018 NULL);
3019 if (!sta->wpa_sm) {
3020 wpa_printf(MSG_WARNING,
3021 "OWE: Failed to initialize WPA state machine");
3022 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3023 goto end;
3024 }
3025 rsn_ie -= 2;
3026 rsn_ie_len += 2;
3027 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3028 hapd->iface->freq, rsn_ie, rsn_ie_len,
3029 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
3030 status = wpa_res_to_status_code(res);
3031 if (status != WLAN_STATUS_SUCCESS)
3032 goto end;
3033 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3034 if (status != WLAN_STATUS_SUCCESS)
3035 goto end;
3036 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
3037 NULL, 0);
3038 if (!owe_buf) {
3039 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3040 goto end;
3041 }
3042
3043 if (sta->owe_ecdh) {
3044 struct wpabuf *pub;
3045
3046 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3047 if (!pub) {
3048 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3049 goto end;
3050 }
3051
3052 /* OWE Diffie-Hellman Parameter element */
3053 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3054 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3055 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3056 */
3057 WPA_PUT_LE16(owe_buf, sta->owe_group);
3058 owe_buf += 2;
3059 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3060 owe_buf += wpabuf_len(pub);
3061 wpabuf_free(pub);
3062 sta->external_dh_updated = 1;
3063 }
3064 ie_len = owe_buf - ie;
3065
3066 end:
3067 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3068 MACSTR, status, (unsigned int) ie_len,
3069 MAC2STR(sta->addr));
3070 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
3071 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3072 ie_len);
3073
3074 return status;
3075 }
3076
3077 #endif /* CONFIG_OWE */
3078
3079
3080 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3081 const u8 *ies, size_t ies_len, int reassoc)
3082 {
3083 struct ieee802_11_elems elems;
3084 u16 resp;
3085 const u8 *wpa_ie;
3086 size_t wpa_ie_len;
3087 const u8 *p2p_dev_addr = NULL;
3088
3089 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3090 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3091 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
3092 "association request");
3093 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3094 }
3095
3096 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
3097 if (resp != WLAN_STATUS_SUCCESS)
3098 return resp;
3099 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
3100 if (resp != WLAN_STATUS_SUCCESS)
3101 return resp;
3102 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
3103 if (resp != WLAN_STATUS_SUCCESS)
3104 return resp;
3105 resp = copy_supp_rates(hapd, sta, &elems);
3106 if (resp != WLAN_STATUS_SUCCESS)
3107 return resp;
3108
3109 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
3110 if (resp != WLAN_STATUS_SUCCESS)
3111 return resp;
3112
3113 #ifdef CONFIG_IEEE80211N
3114 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
3115 if (resp != WLAN_STATUS_SUCCESS)
3116 return resp;
3117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3118 !(sta->flags & WLAN_STA_HT)) {
3119 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3120 HOSTAPD_LEVEL_INFO, "Station does not support "
3121 "mandatory HT PHY - reject association");
3122 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3123 }
3124 #endif /* CONFIG_IEEE80211N */
3125
3126 #ifdef CONFIG_IEEE80211AC
3127 if (hapd->iconf->ieee80211ac) {
3128 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
3129 if (resp != WLAN_STATUS_SUCCESS)
3130 return resp;
3131
3132 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
3133 if (resp != WLAN_STATUS_SUCCESS)
3134 return resp;
3135 }
3136
3137 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3138 !(sta->flags & WLAN_STA_VHT)) {
3139 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3140 HOSTAPD_LEVEL_INFO, "Station does not support "
3141 "mandatory VHT PHY - reject association");
3142 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
3143 }
3144
3145 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
3146 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
3147 elems.vendor_vht_len);
3148 if (resp != WLAN_STATUS_SUCCESS)
3149 return resp;
3150 }
3151 #endif /* CONFIG_IEEE80211AC */
3152 #ifdef CONFIG_IEEE80211AX
3153 if (hapd->iconf->ieee80211ax) {
3154 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3155 elems.he_capabilities,
3156 elems.he_capabilities_len);
3157 if (resp != WLAN_STATUS_SUCCESS)
3158 return resp;
3159 }
3160 #endif /* CONFIG_IEEE80211AX */
3161
3162 #ifdef CONFIG_P2P
3163 if (elems.p2p) {
3164 wpabuf_free(sta->p2p_ie);
3165 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3166 P2P_IE_VENDOR_TYPE);
3167 if (sta->p2p_ie)
3168 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
3169 } else {
3170 wpabuf_free(sta->p2p_ie);
3171 sta->p2p_ie = NULL;
3172 }
3173 #endif /* CONFIG_P2P */
3174
3175 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
3176 wpa_ie = elems.rsn_ie;
3177 wpa_ie_len = elems.rsn_ie_len;
3178 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
3179 elems.wpa_ie) {
3180 wpa_ie = elems.wpa_ie;
3181 wpa_ie_len = elems.wpa_ie_len;
3182 } else {
3183 wpa_ie = NULL;
3184 wpa_ie_len = 0;
3185 }
3186
3187 #ifdef CONFIG_WPS
3188 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
3189 if (hapd->conf->wps_state && elems.wps_ie) {
3190 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
3191 "Request - assume WPS is used");
3192 sta->flags |= WLAN_STA_WPS;
3193 wpabuf_free(sta->wps_ie);
3194 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3195 WPS_IE_VENDOR_TYPE);
3196 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
3197 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
3198 sta->flags |= WLAN_STA_WPS2;
3199 }
3200 wpa_ie = NULL;
3201 wpa_ie_len = 0;
3202 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
3203 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
3204 "(Re)Association Request - reject");
3205 return WLAN_STATUS_INVALID_IE;
3206 }
3207 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
3208 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
3209 "(Re)Association Request - possible WPS use");
3210 sta->flags |= WLAN_STA_MAYBE_WPS;
3211 } else
3212 #endif /* CONFIG_WPS */
3213 if (hapd->conf->wpa && wpa_ie == NULL) {
3214 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3215 HOSTAPD_LEVEL_INFO,
3216 "No WPA/RSN IE in association request");
3217 return WLAN_STATUS_INVALID_IE;
3218 }
3219
3220 if (hapd->conf->wpa && wpa_ie) {
3221 int res;
3222 wpa_ie -= 2;
3223 wpa_ie_len += 2;
3224 if (sta->wpa_sm == NULL)
3225 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3226 sta->addr,
3227 p2p_dev_addr);
3228 if (sta->wpa_sm == NULL) {
3229 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3230 "state machine");
3231 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3232 }
3233 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
3234 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3235 hapd->iface->freq,
3236 wpa_ie, wpa_ie_len,
3237 elems.rsnxe ? elems.rsnxe - 2 : NULL,
3238 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
3239 elems.mdie, elems.mdie_len,
3240 elems.owe_dh, elems.owe_dh_len);
3241 resp = wpa_res_to_status_code(res);
3242 if (resp != WLAN_STATUS_SUCCESS)
3243 return resp;
3244 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3245 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3246 !sta->sa_query_timed_out &&
3247 sta->sa_query_count > 0)
3248 ap_check_sa_query_timeout(hapd, sta);
3249 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3250 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3251 !sta->sa_query_timed_out &&
3252 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3253 /*
3254 * STA has already been associated with MFP and SA
3255 * Query timeout has not been reached. Reject the
3256 * association attempt temporarily and start SA Query,
3257 * if one is not pending.
3258 */
3259
3260 if (sta->sa_query_count == 0)
3261 ap_sta_start_sa_query(hapd, sta);
3262
3263 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
3264 }
3265
3266 if (wpa_auth_uses_mfp(sta->wpa_sm))
3267 sta->flags |= WLAN_STA_MFP;
3268 else
3269 sta->flags &= ~WLAN_STA_MFP;
3270
3271 #ifdef CONFIG_IEEE80211R_AP
3272 if (sta->auth_alg == WLAN_AUTH_FT) {
3273 if (!reassoc) {
3274 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
3275 "to use association (not "
3276 "re-association) with FT auth_alg",
3277 MAC2STR(sta->addr));
3278 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3279 }
3280
3281 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
3282 ies_len);
3283 if (resp != WLAN_STATUS_SUCCESS)
3284 return resp;
3285 }
3286 #endif /* CONFIG_IEEE80211R_AP */
3287
3288 #ifdef CONFIG_SAE
3289 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3290 sta->sae->state == SAE_ACCEPTED)
3291 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3292
3293 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3294 sta->auth_alg == WLAN_AUTH_OPEN) {
3295 struct rsn_pmksa_cache_entry *sa;
3296 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3297 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3298 wpa_printf(MSG_DEBUG,
3299 "SAE: No PMKSA cache entry found for "
3300 MACSTR, MAC2STR(sta->addr));
3301 return WLAN_STATUS_INVALID_PMKID;
3302 }
3303 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3304 " using PMKSA caching", MAC2STR(sta->addr));
3305 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3306 sta->auth_alg != WLAN_AUTH_SAE &&
3307 !(sta->auth_alg == WLAN_AUTH_FT &&
3308 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3309 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3310 "SAE AKM after non-SAE auth_alg %u",
3311 MAC2STR(sta->addr), sta->auth_alg);
3312 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3313 }
3314
3315 if (hapd->conf->sae_pwe == 2 &&
3316 sta->auth_alg == WLAN_AUTH_SAE &&
3317 sta->sae && sta->sae->tmp && !sta->sae->tmp->h2e &&
3318 elems.rsnxe && elems.rsnxe_len >= 1 &&
3319 (elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
3320 wpa_printf(MSG_INFO, "SAE: " MACSTR
3321 " indicates support for SAE H2E, but did not use it",
3322 MAC2STR(sta->addr));
3323 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3324 }
3325 #endif /* CONFIG_SAE */
3326
3327 #ifdef CONFIG_OWE
3328 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3329 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3330 elems.owe_dh) {
3331 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3332 elems.owe_dh_len);
3333 if (resp != WLAN_STATUS_SUCCESS)
3334 return resp;
3335 }
3336 #endif /* CONFIG_OWE */
3337
3338 #ifdef CONFIG_DPP2
3339 dpp_pfs_free(sta->dpp_pfs);
3340 sta->dpp_pfs = NULL;
3341
3342 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3343 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3344 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3345 elems.owe_dh) {
3346 sta->dpp_pfs = dpp_pfs_init(
3347 wpabuf_head(hapd->conf->dpp_netaccesskey),
3348 wpabuf_len(hapd->conf->dpp_netaccesskey));
3349 if (!sta->dpp_pfs) {
3350 wpa_printf(MSG_DEBUG,
3351 "DPP: Could not initialize PFS");
3352 /* Try to continue without PFS */
3353 goto pfs_fail;
3354 }
3355
3356 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3357 elems.owe_dh_len) < 0) {
3358 dpp_pfs_free(sta->dpp_pfs);
3359 sta->dpp_pfs = NULL;
3360 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3361 }
3362 }
3363
3364 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3365 sta->dpp_pfs->secret : NULL);
3366 pfs_fail:
3367 #endif /* CONFIG_DPP2 */
3368
3369 #ifdef CONFIG_IEEE80211N
3370 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3371 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3372 hostapd_logger(hapd, sta->addr,
3373 HOSTAPD_MODULE_IEEE80211,
3374 HOSTAPD_LEVEL_INFO,
3375 "Station tried to use TKIP with HT "
3376 "association");
3377 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3378 }
3379 #endif /* CONFIG_IEEE80211N */
3380 #ifdef CONFIG_HS20
3381 } else if (hapd->conf->osen) {
3382 if (elems.osen == NULL) {
3383 hostapd_logger(
3384 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3385 HOSTAPD_LEVEL_INFO,
3386 "No HS 2.0 OSEN element in association request");
3387 return WLAN_STATUS_INVALID_IE;
3388 }
3389
3390 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3391 if (sta->wpa_sm == NULL)
3392 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3393 sta->addr, NULL);
3394 if (sta->wpa_sm == NULL) {
3395 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3396 "state machine");
3397 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3398 }
3399 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3400 elems.osen - 2, elems.osen_len + 2) < 0)
3401 return WLAN_STATUS_INVALID_IE;
3402 #endif /* CONFIG_HS20 */
3403 } else
3404 wpa_auth_sta_no_wpa(sta->wpa_sm);
3405
3406 #ifdef CONFIG_P2P
3407 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3408 #endif /* CONFIG_P2P */
3409
3410 #ifdef CONFIG_HS20
3411 wpabuf_free(sta->hs20_ie);
3412 if (elems.hs20 && elems.hs20_len > 4) {
3413 int release;
3414
3415 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3416 elems.hs20_len - 4);
3417 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3418 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
3419 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3420 wpa_printf(MSG_DEBUG,
3421 "HS 2.0: PMF not negotiated by release %d station "
3422 MACSTR, release, MAC2STR(sta->addr));
3423 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3424 }
3425 } else {
3426 sta->hs20_ie = NULL;
3427 }
3428
3429 wpabuf_free(sta->roaming_consortium);
3430 if (elems.roaming_cons_sel)
3431 sta->roaming_consortium = wpabuf_alloc_copy(
3432 elems.roaming_cons_sel + 4,
3433 elems.roaming_cons_sel_len - 4);
3434 else
3435 sta->roaming_consortium = NULL;
3436 #endif /* CONFIG_HS20 */
3437
3438 #ifdef CONFIG_FST
3439 wpabuf_free(sta->mb_ies);
3440 if (hapd->iface->fst)
3441 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3442 else
3443 sta->mb_ies = NULL;
3444 #endif /* CONFIG_FST */
3445
3446 #ifdef CONFIG_MBO
3447 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3448
3449 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3450 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3451 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3452 wpa_printf(MSG_INFO,
3453 "MBO: Reject WPA2 association without PMF");
3454 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3455 }
3456 #endif /* CONFIG_MBO */
3457
3458 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3459 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3460 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3461 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3462 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3463 struct wpa_channel_info ci;
3464 int tx_chanwidth;
3465 int tx_seg1_idx;
3466
3467 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3468 wpa_printf(MSG_WARNING,
3469 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3470 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3471 }
3472
3473 if (get_sta_tx_parameters(sta->wpa_sm,
3474 channel_width_to_int(ci.chanwidth),
3475 ci.seg1_idx, &tx_chanwidth,
3476 &tx_seg1_idx) < 0)
3477 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3478
3479 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3480 tx_chanwidth, tx_seg1_idx) != 0) {
3481 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3482 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3483 }
3484 }
3485 #endif /* CONFIG_FILS && CONFIG_OCV */
3486
3487 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3488 elems.supp_op_classes_len);
3489
3490 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3491 elems.rrm_enabled &&
3492 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3493 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3494 sizeof(sta->rrm_enabled_capa));
3495
3496 if (elems.power_capab) {
3497 sta->min_tx_power = elems.power_capab[0];
3498 sta->max_tx_power = elems.power_capab[1];
3499 sta->power_capab = 1;
3500 } else {
3501 sta->power_capab = 0;
3502 }
3503
3504 return WLAN_STATUS_SUCCESS;
3505 }
3506
3507
3508 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3509 u16 reason_code)
3510 {
3511 int send_len;
3512 struct ieee80211_mgmt reply;
3513
3514 os_memset(&reply, 0, sizeof(reply));
3515 reply.frame_control =
3516 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3517 os_memcpy(reply.da, addr, ETH_ALEN);
3518 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3519 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3520
3521 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3522 reply.u.deauth.reason_code = host_to_le16(reason_code);
3523
3524 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
3525 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3526 strerror(errno));
3527 }
3528
3529
3530 static int add_associated_sta(struct hostapd_data *hapd,
3531 struct sta_info *sta, int reassoc)
3532 {
3533 struct ieee80211_ht_capabilities ht_cap;
3534 struct ieee80211_vht_capabilities vht_cap;
3535 struct ieee80211_he_capabilities he_cap;
3536 int set = 1;
3537
3538 /*
3539 * Remove the STA entry to ensure the STA PS state gets cleared and
3540 * configuration gets updated. This is relevant for cases, such as
3541 * FT-over-the-DS, where a station re-associates back to the same AP but
3542 * skips the authentication flow, or if working with a driver that
3543 * does not support full AP client state.
3544 *
3545 * Skip this if the STA has already completed FT reassociation and the
3546 * TK has been configured since the TX/RX PN must not be reset to 0 for
3547 * the same key.
3548 *
3549 * FT-over-the-DS has a special case where the STA entry (and as such,
3550 * the TK) has not yet been configured to the driver depending on which
3551 * driver interface is used. For that case, allow add-STA operation to
3552 * be used (instead of set-STA). This is needed to allow mac80211-based
3553 * drivers to accept the STA parameter configuration. Since this is
3554 * after a new FT-over-DS exchange, a new TK has been derived, so key
3555 * reinstallation is not a concern for this case.
3556 */
3557 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3558 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3559 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3560 sta->ft_over_ds, reassoc,
3561 !!(sta->flags & WLAN_STA_AUTHORIZED),
3562 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3563 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3564
3565 if (!sta->added_unassoc &&
3566 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3567 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3568 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3569 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3570 hostapd_drv_sta_remove(hapd, sta->addr);
3571 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3572 set = 0;
3573
3574 /* Do not allow the FT-over-DS exception to be used more than
3575 * once per authentication exchange to guarantee a new TK is
3576 * used here */
3577 sta->ft_over_ds = 0;
3578 }
3579
3580 #ifdef CONFIG_IEEE80211N
3581 if (sta->flags & WLAN_STA_HT)
3582 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3583 #endif /* CONFIG_IEEE80211N */
3584 #ifdef CONFIG_IEEE80211AC
3585 if (sta->flags & WLAN_STA_VHT)
3586 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3587 #endif /* CONFIG_IEEE80211AC */
3588 #ifdef CONFIG_IEEE80211AX
3589 if (sta->flags & WLAN_STA_HE) {
3590 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
3591 sta->he_capab_len);
3592 }
3593 #endif /* CONFIG_IEEE80211AX */
3594
3595 /*
3596 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3597 * will be set when the ACK frame for the (Re)Association Response frame
3598 * is processed (TX status driver event).
3599 */
3600 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3601 sta->supported_rates, sta->supported_rates_len,
3602 sta->listen_interval,
3603 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3604 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3605 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
3606 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
3607 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3608 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3609 set)) {
3610 hostapd_logger(hapd, sta->addr,
3611 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3612 "Could not %s STA to kernel driver",
3613 set ? "set" : "add");
3614
3615 if (sta->added_unassoc) {
3616 hostapd_drv_sta_remove(hapd, sta->addr);
3617 sta->added_unassoc = 0;
3618 }
3619
3620 return -1;
3621 }
3622
3623 sta->added_unassoc = 0;
3624
3625 return 0;
3626 }
3627
3628
3629 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3630 const u8 *addr, u16 status_code, int reassoc,
3631 const u8 *ies, size_t ies_len, int rssi)
3632 {
3633 int send_len;
3634 u8 *buf;
3635 size_t buflen;
3636 struct ieee80211_mgmt *reply;
3637 u8 *p;
3638 u16 res = WLAN_STATUS_SUCCESS;
3639
3640 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3641 #ifdef CONFIG_FILS
3642 if (sta && sta->fils_hlp_resp)
3643 buflen += wpabuf_len(sta->fils_hlp_resp);
3644 if (sta)
3645 buflen += 150;
3646 #endif /* CONFIG_FILS */
3647 #ifdef CONFIG_OWE
3648 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3649 buflen += 150;
3650 #endif /* CONFIG_OWE */
3651 #ifdef CONFIG_DPP2
3652 if (sta && sta->dpp_pfs)
3653 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3654 #endif /* CONFIG_DPP2 */
3655 buf = os_zalloc(buflen);
3656 if (!buf) {
3657 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3658 goto done;
3659 }
3660 reply = (struct ieee80211_mgmt *) buf;
3661 reply->frame_control =
3662 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3663 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3664 WLAN_FC_STYPE_ASSOC_RESP));
3665 os_memcpy(reply->da, addr, ETH_ALEN);
3666 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3667 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3668
3669 send_len = IEEE80211_HDRLEN;
3670 send_len += sizeof(reply->u.assoc_resp);
3671 reply->u.assoc_resp.capab_info =
3672 host_to_le16(hostapd_own_capab_info(hapd));
3673 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3674
3675 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3676 BIT(14) | BIT(15));
3677 /* Supported rates */
3678 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3679 /* Extended supported rates */
3680 p = hostapd_eid_ext_supp_rates(hapd, p);
3681
3682 #ifdef CONFIG_MBO
3683 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3684 rssi != 0) {
3685 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3686
3687 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3688 delta);
3689 }
3690 #endif /* CONFIG_MBO */
3691
3692 #ifdef CONFIG_IEEE80211R_AP
3693 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3694 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3695 * Transition Information, RSN, [RIC Response] */
3696 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3697 buf + buflen - p,
3698 sta->auth_alg, ies, ies_len);
3699 if (!p) {
3700 wpa_printf(MSG_DEBUG,
3701 "FT: Failed to write AssocResp IEs");
3702 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3703 goto done;
3704 }
3705 }
3706 #endif /* CONFIG_IEEE80211R_AP */
3707 #ifdef CONFIG_FILS
3708 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3709 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3710 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3711 sta->auth_alg == WLAN_AUTH_FILS_PK))
3712 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
3713 buf + buflen - p,
3714 ies, ies_len);
3715 #endif /* CONFIG_FILS */
3716
3717 #ifdef CONFIG_OWE
3718 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3719 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3720 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3721 buf + buflen - p,
3722 ies, ies_len);
3723 #endif /* CONFIG_OWE */
3724
3725 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3726 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3727
3728 #ifdef CONFIG_IEEE80211N
3729 p = hostapd_eid_ht_capabilities(hapd, p);
3730 p = hostapd_eid_ht_operation(hapd, p);
3731 #endif /* CONFIG_IEEE80211N */
3732
3733 #ifdef CONFIG_IEEE80211AC
3734 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
3735 !is_6ghz_op_class(hapd->iconf->op_class)) {
3736 u32 nsts = 0, sta_nsts;
3737
3738 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3739 struct ieee80211_vht_capabilities *capa;
3740
3741 nsts = (hapd->iface->conf->vht_capab >>
3742 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3743 capa = sta->vht_capabilities;
3744 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3745 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3746
3747 if (nsts < sta_nsts)
3748 nsts = 0;
3749 else
3750 nsts = sta_nsts;
3751 }
3752 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3753 p = hostapd_eid_vht_operation(hapd, p);
3754 }
3755 #endif /* CONFIG_IEEE80211AC */
3756
3757 #ifdef CONFIG_IEEE80211AX
3758 if (hapd->iconf->ieee80211ax) {
3759 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
3760 p = hostapd_eid_he_operation(hapd, p);
3761 p = hostapd_eid_spatial_reuse(hapd, p);
3762 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
3763 }
3764 #endif /* CONFIG_IEEE80211AX */
3765
3766 p = hostapd_eid_ext_capab(hapd, p);
3767 p = hostapd_eid_bss_max_idle_period(hapd, p);
3768 if (sta && sta->qos_map_enabled)
3769 p = hostapd_eid_qos_map_set(hapd, p);
3770
3771 #ifdef CONFIG_FST
3772 if (hapd->iface->fst_ies) {
3773 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3774 wpabuf_len(hapd->iface->fst_ies));
3775 p += wpabuf_len(hapd->iface->fst_ies);
3776 }
3777 #endif /* CONFIG_FST */
3778
3779 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
3780
3781 #ifdef CONFIG_OWE
3782 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3783 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3784 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3785 struct wpabuf *pub;
3786
3787 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3788 if (!pub) {
3789 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3790 goto done;
3791 }
3792 /* OWE Diffie-Hellman Parameter element */
3793 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3794 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3795 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3796 WPA_PUT_LE16(p, sta->owe_group);
3797 p += 2;
3798 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3799 p += wpabuf_len(pub);
3800 wpabuf_free(pub);
3801 }
3802 #endif /* CONFIG_OWE */
3803
3804 #ifdef CONFIG_DPP2
3805 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3806 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3807 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3808 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3809 wpabuf_len(sta->dpp_pfs->ie));
3810 p += wpabuf_len(sta->dpp_pfs->ie);
3811 }
3812 #endif /* CONFIG_DPP2 */
3813
3814 #ifdef CONFIG_IEEE80211AC
3815 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3816 p = hostapd_eid_vendor_vht(hapd, p);
3817 #endif /* CONFIG_IEEE80211AC */
3818
3819 if (sta && (sta->flags & WLAN_STA_WMM))
3820 p = hostapd_eid_wmm(hapd, p);
3821
3822 #ifdef CONFIG_WPS
3823 if (sta &&
3824 ((sta->flags & WLAN_STA_WPS) ||
3825 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3826 struct wpabuf *wps = wps_build_assoc_resp_ie();
3827 if (wps) {
3828 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3829 p += wpabuf_len(wps);
3830 wpabuf_free(wps);
3831 }
3832 }
3833 #endif /* CONFIG_WPS */
3834
3835 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3836 p = hostapd_eid_multi_ap(hapd, p);
3837
3838 #ifdef CONFIG_P2P
3839 if (sta && sta->p2p_ie && hapd->p2p_group) {
3840 struct wpabuf *p2p_resp_ie;
3841 enum p2p_status_code status;
3842 switch (status_code) {
3843 case WLAN_STATUS_SUCCESS:
3844 status = P2P_SC_SUCCESS;
3845 break;
3846 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3847 status = P2P_SC_FAIL_LIMIT_REACHED;
3848 break;
3849 default:
3850 status = P2P_SC_FAIL_INVALID_PARAMS;
3851 break;
3852 }
3853 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3854 if (p2p_resp_ie) {
3855 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3856 wpabuf_len(p2p_resp_ie));
3857 p += wpabuf_len(p2p_resp_ie);
3858 wpabuf_free(p2p_resp_ie);
3859 }
3860 }
3861 #endif /* CONFIG_P2P */
3862
3863 #ifdef CONFIG_P2P_MANAGER
3864 if (hapd->conf->p2p & P2P_MANAGE)
3865 p = hostapd_eid_p2p_manage(hapd, p);
3866 #endif /* CONFIG_P2P_MANAGER */
3867
3868 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3869
3870 if (hapd->conf->assocresp_elements &&
3871 (size_t) (buf + buflen - p) >=
3872 wpabuf_len(hapd->conf->assocresp_elements)) {
3873 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3874 wpabuf_len(hapd->conf->assocresp_elements));
3875 p += wpabuf_len(hapd->conf->assocresp_elements);
3876 }
3877
3878 send_len += p - reply->u.assoc_resp.variable;
3879
3880 #ifdef CONFIG_FILS
3881 if (sta &&
3882 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3883 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3884 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3885 status_code == WLAN_STATUS_SUCCESS) {
3886 struct ieee802_11_elems elems;
3887
3888 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3889 ParseFailed || !elems.fils_session) {
3890 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3891 goto done;
3892 }
3893
3894 /* FILS Session */
3895 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3896 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3897 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3898 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3899 send_len += 2 + 1 + FILS_SESSION_LEN;
3900
3901 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3902 buflen, sta->fils_hlp_resp);
3903 if (send_len < 0) {
3904 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3905 goto done;
3906 }
3907 }
3908 #endif /* CONFIG_FILS */
3909
3910 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
3911 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3912 strerror(errno));
3913 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3914 }
3915
3916 done:
3917 os_free(buf);
3918 return res;
3919 }
3920
3921
3922 #ifdef CONFIG_OWE
3923 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3924 const u8 *owe_dh, u8 owe_dh_len,
3925 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3926 {
3927 #ifdef CONFIG_TESTING_OPTIONS
3928 if (hapd->conf->own_ie_override) {
3929 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3930 *reason = WLAN_STATUS_SUCCESS;
3931 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3932 owe_buf_len, NULL, 0);
3933 }
3934 #endif /* CONFIG_TESTING_OPTIONS */
3935
3936 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3937 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3938 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3939 owe_buf_len, NULL, 0);
3940 *reason = WLAN_STATUS_SUCCESS;
3941 return owe_buf;
3942 }
3943
3944 if (sta->owe_pmk && sta->external_dh_updated) {
3945 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
3946 *reason = WLAN_STATUS_SUCCESS;
3947 return owe_buf;
3948 }
3949
3950 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3951 if (*reason != WLAN_STATUS_SUCCESS)
3952 return NULL;
3953
3954 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3955 owe_buf_len, NULL, 0);
3956
3957 if (sta->owe_ecdh && owe_buf) {
3958 struct wpabuf *pub;
3959
3960 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3961 if (!pub) {
3962 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3963 return owe_buf;
3964 }
3965
3966 /* OWE Diffie-Hellman Parameter element */
3967 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3968 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3969 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3970 */
3971 WPA_PUT_LE16(owe_buf, sta->owe_group);
3972 owe_buf += 2;
3973 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3974 owe_buf += wpabuf_len(pub);
3975 wpabuf_free(pub);
3976 }
3977
3978 return owe_buf;
3979 }
3980 #endif /* CONFIG_OWE */
3981
3982
3983 #ifdef CONFIG_FILS
3984
3985 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3986 {
3987 u16 reply_res;
3988
3989 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3990 MAC2STR(sta->addr));
3991 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3992 if (!sta->fils_pending_assoc_req)
3993 return;
3994 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3995 sta->fils_pending_assoc_is_reassoc,
3996 sta->fils_pending_assoc_req,
3997 sta->fils_pending_assoc_req_len, 0);
3998 os_free(sta->fils_pending_assoc_req);
3999 sta->fils_pending_assoc_req = NULL;
4000 sta->fils_pending_assoc_req_len = 0;
4001 wpabuf_free(sta->fils_hlp_resp);
4002 sta->fils_hlp_resp = NULL;
4003 wpabuf_free(sta->hlp_dhcp_discover);
4004 sta->hlp_dhcp_discover = NULL;
4005
4006 /*
4007 * Remove the station in case transmission of a success response fails.
4008 * At this point the station was already added associated to the driver.
4009 */
4010 if (reply_res != WLAN_STATUS_SUCCESS)
4011 hostapd_drv_sta_remove(hapd, sta->addr);
4012 }
4013
4014
4015 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
4016 {
4017 struct hostapd_data *hapd = eloop_ctx;
4018 struct sta_info *sta = eloop_data;
4019
4020 wpa_printf(MSG_DEBUG,
4021 "FILS: HLP response timeout - continue with association response for "
4022 MACSTR, MAC2STR(sta->addr));
4023 if (sta->fils_drv_assoc_finish)
4024 hostapd_notify_assoc_fils_finish(hapd, sta);
4025 else
4026 fils_hlp_finish_assoc(hapd, sta);
4027 }
4028
4029 #endif /* CONFIG_FILS */
4030
4031
4032 static void handle_assoc(struct hostapd_data *hapd,
4033 const struct ieee80211_mgmt *mgmt, size_t len,
4034 int reassoc, int rssi)
4035 {
4036 u16 capab_info, listen_interval, seq_ctrl, fc;
4037 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
4038 const u8 *pos;
4039 int left, i;
4040 struct sta_info *sta;
4041 u8 *tmp = NULL;
4042 #ifdef CONFIG_FILS
4043 int delay_assoc = 0;
4044 #endif /* CONFIG_FILS */
4045
4046 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
4047 sizeof(mgmt->u.assoc_req))) {
4048 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
4049 reassoc, (unsigned long) len);
4050 return;
4051 }
4052
4053 #ifdef CONFIG_TESTING_OPTIONS
4054 if (reassoc) {
4055 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
4056 drand48() < hapd->iconf->ignore_reassoc_probability) {
4057 wpa_printf(MSG_INFO,
4058 "TESTING: ignoring reassoc request from "
4059 MACSTR, MAC2STR(mgmt->sa));
4060 return;
4061 }
4062 } else {
4063 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
4064 drand48() < hapd->iconf->ignore_assoc_probability) {
4065 wpa_printf(MSG_INFO,
4066 "TESTING: ignoring assoc request from "
4067 MACSTR, MAC2STR(mgmt->sa));
4068 return;
4069 }
4070 }
4071 #endif /* CONFIG_TESTING_OPTIONS */
4072
4073 fc = le_to_host16(mgmt->frame_control);
4074 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4075
4076 if (reassoc) {
4077 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
4078 listen_interval = le_to_host16(
4079 mgmt->u.reassoc_req.listen_interval);
4080 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
4081 " capab_info=0x%02x listen_interval=%d current_ap="
4082 MACSTR " seq_ctrl=0x%x%s",
4083 MAC2STR(mgmt->sa), capab_info, listen_interval,
4084 MAC2STR(mgmt->u.reassoc_req.current_ap),
4085 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4086 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
4087 pos = mgmt->u.reassoc_req.variable;
4088 } else {
4089 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
4090 listen_interval = le_to_host16(
4091 mgmt->u.assoc_req.listen_interval);
4092 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
4093 " capab_info=0x%02x listen_interval=%d "
4094 "seq_ctrl=0x%x%s",
4095 MAC2STR(mgmt->sa), capab_info, listen_interval,
4096 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4097 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
4098 pos = mgmt->u.assoc_req.variable;
4099 }
4100
4101 sta = ap_get_sta(hapd, mgmt->sa);
4102 #ifdef CONFIG_IEEE80211R_AP
4103 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
4104 (sta->flags & WLAN_STA_AUTH) == 0) {
4105 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
4106 "prior to authentication since it is using "
4107 "over-the-DS FT", MAC2STR(mgmt->sa));
4108
4109 /*
4110 * Mark station as authenticated, to avoid adding station
4111 * entry in the driver as associated and not authenticated
4112 */
4113 sta->flags |= WLAN_STA_AUTH;
4114 } else
4115 #endif /* CONFIG_IEEE80211R_AP */
4116 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
4117 if (hapd->iface->current_mode &&
4118 hapd->iface->current_mode->mode ==
4119 HOSTAPD_MODE_IEEE80211AD) {
4120 int acl_res;
4121 struct radius_sta info;
4122
4123 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
4124 (const u8 *) mgmt,
4125 len, &info);
4126 if (acl_res == HOSTAPD_ACL_REJECT) {
4127 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
4128 "Ignore Association Request frame from "
4129 MACSTR " due to ACL reject",
4130 MAC2STR(mgmt->sa));
4131 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4132 goto fail;
4133 }
4134 if (acl_res == HOSTAPD_ACL_PENDING)
4135 return;
4136
4137 /* DMG/IEEE 802.11ad does not use authentication.
4138 * Allocate sta entry upon association. */
4139 sta = ap_sta_add(hapd, mgmt->sa);
4140 if (!sta) {
4141 hostapd_logger(hapd, mgmt->sa,
4142 HOSTAPD_MODULE_IEEE80211,
4143 HOSTAPD_LEVEL_INFO,
4144 "Failed to add STA");
4145 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4146 goto fail;
4147 }
4148
4149 acl_res = ieee802_11_set_radius_info(
4150 hapd, sta, acl_res, &info);
4151 if (acl_res) {
4152 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4153 goto fail;
4154 }
4155
4156 hostapd_logger(hapd, sta->addr,
4157 HOSTAPD_MODULE_IEEE80211,
4158 HOSTAPD_LEVEL_DEBUG,
4159 "Skip authentication for DMG/IEEE 802.11ad");
4160 sta->flags |= WLAN_STA_AUTH;
4161 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
4162 sta->auth_alg = WLAN_AUTH_OPEN;
4163 } else {
4164 hostapd_logger(hapd, mgmt->sa,
4165 HOSTAPD_MODULE_IEEE80211,
4166 HOSTAPD_LEVEL_INFO,
4167 "Station tried to associate before authentication (aid=%d flags=0x%x)",
4168 sta ? sta->aid : -1,
4169 sta ? sta->flags : 0);
4170 send_deauth(hapd, mgmt->sa,
4171 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
4172 return;
4173 }
4174 }
4175
4176 if ((fc & WLAN_FC_RETRY) &&
4177 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4178 sta->last_seq_ctrl == seq_ctrl &&
4179 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4180 WLAN_FC_STYPE_ASSOC_REQ)) {
4181 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4182 HOSTAPD_LEVEL_DEBUG,
4183 "Drop repeated association frame seq_ctrl=0x%x",
4184 seq_ctrl);
4185 return;
4186 }
4187 sta->last_seq_ctrl = seq_ctrl;
4188 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4189 WLAN_FC_STYPE_ASSOC_REQ;
4190
4191 if (hapd->tkip_countermeasures) {
4192 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4193 goto fail;
4194 }
4195
4196 if (listen_interval > hapd->conf->max_listen_interval) {
4197 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4198 HOSTAPD_LEVEL_DEBUG,
4199 "Too large Listen Interval (%d)",
4200 listen_interval);
4201 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
4202 goto fail;
4203 }
4204
4205 #ifdef CONFIG_MBO
4206 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
4207 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4208 goto fail;
4209 }
4210
4211 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
4212 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
4213 (sta->auth_rssi == 0 ||
4214 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
4215 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
4216 goto fail;
4217 }
4218 #endif /* CONFIG_MBO */
4219
4220 /*
4221 * sta->capability is used in check_assoc_ies() for RRM enabled
4222 * capability element.
4223 */
4224 sta->capability = capab_info;
4225
4226 #ifdef CONFIG_FILS
4227 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4228 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4229 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4230 int res;
4231
4232 /* The end of the payload is encrypted. Need to decrypt it
4233 * before parsing. */
4234
4235 tmp = os_memdup(pos, left);
4236 if (!tmp) {
4237 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4238 goto fail;
4239 }
4240
4241 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
4242 len, tmp, left);
4243 if (res < 0) {
4244 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4245 goto fail;
4246 }
4247 pos = tmp;
4248 left = res;
4249 }
4250 #endif /* CONFIG_FILS */
4251
4252 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
4253 * is used */
4254 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
4255 if (resp != WLAN_STATUS_SUCCESS)
4256 goto fail;
4257
4258 if (hostapd_get_aid(hapd, sta) < 0) {
4259 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4260 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
4261 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4262 goto fail;
4263 }
4264
4265 sta->listen_interval = listen_interval;
4266
4267 if (hapd->iface->current_mode &&
4268 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
4269 sta->flags |= WLAN_STA_NONERP;
4270 for (i = 0; i < sta->supported_rates_len; i++) {
4271 if ((sta->supported_rates[i] & 0x7f) > 22) {
4272 sta->flags &= ~WLAN_STA_NONERP;
4273 break;
4274 }
4275 }
4276 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
4277 sta->nonerp_set = 1;
4278 hapd->iface->num_sta_non_erp++;
4279 if (hapd->iface->num_sta_non_erp == 1)
4280 ieee802_11_set_beacons(hapd->iface);
4281 }
4282
4283 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
4284 !sta->no_short_slot_time_set) {
4285 sta->no_short_slot_time_set = 1;
4286 hapd->iface->num_sta_no_short_slot_time++;
4287 if (hapd->iface->current_mode &&
4288 hapd->iface->current_mode->mode ==
4289 HOSTAPD_MODE_IEEE80211G &&
4290 hapd->iface->num_sta_no_short_slot_time == 1)
4291 ieee802_11_set_beacons(hapd->iface);
4292 }
4293
4294 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
4295 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
4296 else
4297 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
4298
4299 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
4300 !sta->no_short_preamble_set) {
4301 sta->no_short_preamble_set = 1;
4302 hapd->iface->num_sta_no_short_preamble++;
4303 if (hapd->iface->current_mode &&
4304 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
4305 && hapd->iface->num_sta_no_short_preamble == 1)
4306 ieee802_11_set_beacons(hapd->iface);
4307 }
4308
4309 #ifdef CONFIG_IEEE80211N
4310 update_ht_state(hapd, sta);
4311 #endif /* CONFIG_IEEE80211N */
4312
4313 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4314 HOSTAPD_LEVEL_DEBUG,
4315 "association OK (aid %d)", sta->aid);
4316 /* Station will be marked associated, after it acknowledges AssocResp
4317 */
4318 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
4319
4320 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
4321 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
4322 "SA Query procedure", reassoc ? "re" : "");
4323 /* TODO: Send a protected Disassociate frame to the STA using
4324 * the old key and Reason Code "Previous Authentication no
4325 * longer valid". Make sure this is only sent protected since
4326 * unprotected frame would be received by the STA that is now
4327 * trying to associate.
4328 */
4329 }
4330
4331 /* Make sure that the previously registered inactivity timer will not
4332 * remove the STA immediately. */
4333 sta->timeout_next = STA_NULLFUNC;
4334
4335 #ifdef CONFIG_TAXONOMY
4336 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4337 #endif /* CONFIG_TAXONOMY */
4338
4339 sta->pending_wds_enable = 0;
4340
4341 #ifdef CONFIG_FILS
4342 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4343 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4344 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4345 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4346 delay_assoc = 1;
4347 }
4348 #endif /* CONFIG_FILS */
4349
4350 fail:
4351
4352 /*
4353 * In case of a successful response, add the station to the driver.
4354 * Otherwise, the kernel may ignore Data frames before we process the
4355 * ACK frame (TX status). In case of a failure, this station will be
4356 * removed.
4357 *
4358 * Note that this is not compliant with the IEEE 802.11 standard that
4359 * states that a non-AP station should transition into the
4360 * authenticated/associated state only after the station acknowledges
4361 * the (Re)Association Response frame. However, still do this as:
4362 *
4363 * 1. In case the station does not acknowledge the (Re)Association
4364 * Response frame, it will be removed.
4365 * 2. Data frames will be dropped in the kernel until the station is
4366 * set into authorized state, and there are no significant known
4367 * issues with processing other non-Data Class 3 frames during this
4368 * window.
4369 */
4370 if (resp == WLAN_STATUS_SUCCESS && sta &&
4371 add_associated_sta(hapd, sta, reassoc))
4372 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4373
4374 #ifdef CONFIG_FILS
4375 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4376 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4377 sta->fils_pending_assoc_req) {
4378 /* Do not reschedule fils_hlp_timeout in case the station
4379 * retransmits (Re)Association Request frame while waiting for
4380 * the previously started FILS HLP wait, so that the timeout can
4381 * be determined from the first pending attempt. */
4382 wpa_printf(MSG_DEBUG,
4383 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4384 MACSTR, MAC2STR(sta->addr));
4385 os_free(tmp);
4386 return;
4387 }
4388 if (sta) {
4389 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4390 os_free(sta->fils_pending_assoc_req);
4391 sta->fils_pending_assoc_req = NULL;
4392 sta->fils_pending_assoc_req_len = 0;
4393 wpabuf_free(sta->fils_hlp_resp);
4394 sta->fils_hlp_resp = NULL;
4395 }
4396 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4397 sta->fils_pending_assoc_req = tmp;
4398 sta->fils_pending_assoc_req_len = left;
4399 sta->fils_pending_assoc_is_reassoc = reassoc;
4400 sta->fils_drv_assoc_finish = 0;
4401 wpa_printf(MSG_DEBUG,
4402 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4403 MACSTR, MAC2STR(sta->addr));
4404 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4405 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4406 fils_hlp_timeout, hapd, sta);
4407 return;
4408 }
4409 #endif /* CONFIG_FILS */
4410
4411 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4412 left, rssi);
4413 os_free(tmp);
4414
4415 /*
4416 * Remove the station in case tranmission of a success response fails
4417 * (the STA was added associated to the driver) or if the station was
4418 * previously added unassociated.
4419 */
4420 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4421 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4422 hostapd_drv_sta_remove(hapd, sta->addr);
4423 sta->added_unassoc = 0;
4424 }
4425 }
4426
4427
4428 static void handle_disassoc(struct hostapd_data *hapd,
4429 const struct ieee80211_mgmt *mgmt, size_t len)
4430 {
4431 struct sta_info *sta;
4432
4433 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4434 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4435 (unsigned long) len);
4436 return;
4437 }
4438
4439 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4440 MAC2STR(mgmt->sa),
4441 le_to_host16(mgmt->u.disassoc.reason_code));
4442
4443 sta = ap_get_sta(hapd, mgmt->sa);
4444 if (sta == NULL) {
4445 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4446 MAC2STR(mgmt->sa));
4447 return;
4448 }
4449
4450 ap_sta_set_authorized(hapd, sta, 0);
4451 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4452 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4453 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4454 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4455 HOSTAPD_LEVEL_INFO, "disassociated");
4456 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4457 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4458 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4459 * authenticated. */
4460 accounting_sta_stop(hapd, sta);
4461 ieee802_1x_free_station(hapd, sta);
4462 if (sta->ipaddr)
4463 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4464 ap_sta_ip6addr_del(hapd, sta);
4465 hostapd_drv_sta_remove(hapd, sta->addr);
4466 sta->added_unassoc = 0;
4467
4468 if (sta->timeout_next == STA_NULLFUNC ||
4469 sta->timeout_next == STA_DISASSOC) {
4470 sta->timeout_next = STA_DEAUTH;
4471 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4472 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4473 hapd, sta);
4474 }
4475
4476 mlme_disassociate_indication(
4477 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4478
4479 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4480 * disassociation. */
4481 if (hapd->iface->current_mode &&
4482 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4483 sta->flags &= ~WLAN_STA_AUTH;
4484 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4485 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4486 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4487 ap_free_sta(hapd, sta);
4488 }
4489 }
4490
4491
4492 static void handle_deauth(struct hostapd_data *hapd,
4493 const struct ieee80211_mgmt *mgmt, size_t len)
4494 {
4495 struct sta_info *sta;
4496
4497 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4498 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4499 "payload (len=%lu)", (unsigned long) len);
4500 return;
4501 }
4502
4503 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4504 " reason_code=%d",
4505 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4506
4507 sta = ap_get_sta(hapd, mgmt->sa);
4508 if (sta == NULL) {
4509 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4510 "to deauthenticate, but it is not authenticated",
4511 MAC2STR(mgmt->sa));
4512 return;
4513 }
4514
4515 ap_sta_set_authorized(hapd, sta, 0);
4516 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4517 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4518 WLAN_STA_ASSOC_REQ_OK);
4519 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4520 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4521 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4522 mlme_deauthenticate_indication(
4523 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4524 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4525 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4526 ap_free_sta(hapd, sta);
4527 }
4528
4529
4530 static void handle_beacon(struct hostapd_data *hapd,
4531 const struct ieee80211_mgmt *mgmt, size_t len,
4532 struct hostapd_frame_info *fi)
4533 {
4534 struct ieee802_11_elems elems;
4535
4536 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4537 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4538 (unsigned long) len);
4539 return;
4540 }
4541
4542 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4543 len - (IEEE80211_HDRLEN +
4544 sizeof(mgmt->u.beacon)), &elems,
4545 0);
4546
4547 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4548 }
4549
4550
4551 static int robust_action_frame(u8 category)
4552 {
4553 return category != WLAN_ACTION_PUBLIC &&
4554 category != WLAN_ACTION_HT;
4555 }
4556
4557
4558 static int handle_action(struct hostapd_data *hapd,
4559 const struct ieee80211_mgmt *mgmt, size_t len,
4560 unsigned int freq)
4561 {
4562 struct sta_info *sta;
4563 u8 *action __maybe_unused;
4564
4565 if (len < IEEE80211_HDRLEN + 2 + 1) {
4566 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4567 HOSTAPD_LEVEL_DEBUG,
4568 "handle_action - too short payload (len=%lu)",
4569 (unsigned long) len);
4570 return 0;
4571 }
4572
4573 action = (u8 *) &mgmt->u.action.u;
4574 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4575 " da " MACSTR " len %d freq %u",
4576 mgmt->u.action.category, *action,
4577 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4578
4579 sta = ap_get_sta(hapd, mgmt->sa);
4580
4581 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4582 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4583 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4584 "frame (category=%u) from unassociated STA " MACSTR,
4585 mgmt->u.action.category, MAC2STR(mgmt->sa));
4586 return 0;
4587 }
4588
4589 if (sta && (sta->flags & WLAN_STA_MFP) &&
4590 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4591 robust_action_frame(mgmt->u.action.category)) {
4592 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4593 HOSTAPD_LEVEL_DEBUG,
4594 "Dropped unprotected Robust Action frame from "
4595 "an MFP STA");
4596 return 0;
4597 }
4598
4599 if (sta) {
4600 u16 fc = le_to_host16(mgmt->frame_control);
4601 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4602
4603 if ((fc & WLAN_FC_RETRY) &&
4604 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4605 sta->last_seq_ctrl == seq_ctrl &&
4606 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4607 hostapd_logger(hapd, sta->addr,
4608 HOSTAPD_MODULE_IEEE80211,
4609 HOSTAPD_LEVEL_DEBUG,
4610 "Drop repeated action frame seq_ctrl=0x%x",
4611 seq_ctrl);
4612 return 1;
4613 }
4614
4615 sta->last_seq_ctrl = seq_ctrl;
4616 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4617 }
4618
4619 switch (mgmt->u.action.category) {
4620 #ifdef CONFIG_IEEE80211R_AP
4621 case WLAN_ACTION_FT:
4622 if (!sta ||
4623 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4624 len - IEEE80211_HDRLEN))
4625 break;
4626 return 1;
4627 #endif /* CONFIG_IEEE80211R_AP */
4628 case WLAN_ACTION_WMM:
4629 hostapd_wmm_action(hapd, mgmt, len);
4630 return 1;
4631 case WLAN_ACTION_SA_QUERY:
4632 ieee802_11_sa_query_action(hapd, mgmt, len);
4633 return 1;
4634 #ifdef CONFIG_WNM_AP
4635 case WLAN_ACTION_WNM:
4636 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4637 return 1;
4638 #endif /* CONFIG_WNM_AP */
4639 #ifdef CONFIG_FST
4640 case WLAN_ACTION_FST:
4641 if (hapd->iface->fst)
4642 fst_rx_action(hapd->iface->fst, mgmt, len);
4643 else
4644 wpa_printf(MSG_DEBUG,
4645 "FST: Ignore FST Action frame - no FST attached");
4646 return 1;
4647 #endif /* CONFIG_FST */
4648 case WLAN_ACTION_PUBLIC:
4649 case WLAN_ACTION_PROTECTED_DUAL:
4650 #ifdef CONFIG_IEEE80211N
4651 if (len >= IEEE80211_HDRLEN + 2 &&
4652 mgmt->u.action.u.public_action.action ==
4653 WLAN_PA_20_40_BSS_COEX) {
4654 hostapd_2040_coex_action(hapd, mgmt, len);
4655 return 1;
4656 }
4657 #endif /* CONFIG_IEEE80211N */
4658 #ifdef CONFIG_DPP
4659 if (len >= IEEE80211_HDRLEN + 6 &&
4660 mgmt->u.action.u.vs_public_action.action ==
4661 WLAN_PA_VENDOR_SPECIFIC &&
4662 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4663 OUI_WFA &&
4664 mgmt->u.action.u.vs_public_action.variable[0] ==
4665 DPP_OUI_TYPE) {
4666 const u8 *pos, *end;
4667
4668 pos = mgmt->u.action.u.vs_public_action.oui;
4669 end = ((const u8 *) mgmt) + len;
4670 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4671 freq);
4672 return 1;
4673 }
4674 if (len >= IEEE80211_HDRLEN + 2 &&
4675 (mgmt->u.action.u.public_action.action ==
4676 WLAN_PA_GAS_INITIAL_RESP ||
4677 mgmt->u.action.u.public_action.action ==
4678 WLAN_PA_GAS_COMEBACK_RESP)) {
4679 const u8 *pos, *end;
4680
4681 pos = &mgmt->u.action.u.public_action.action;
4682 end = ((const u8 *) mgmt) + len;
4683 gas_query_ap_rx(hapd->gas, mgmt->sa,
4684 mgmt->u.action.category,
4685 pos, end - pos, hapd->iface->freq);
4686 return 1;
4687 }
4688 #endif /* CONFIG_DPP */
4689 if (hapd->public_action_cb) {
4690 hapd->public_action_cb(hapd->public_action_cb_ctx,
4691 (u8 *) mgmt, len,
4692 hapd->iface->freq);
4693 }
4694 if (hapd->public_action_cb2) {
4695 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4696 (u8 *) mgmt, len,
4697 hapd->iface->freq);
4698 }
4699 if (hapd->public_action_cb || hapd->public_action_cb2)
4700 return 1;
4701 break;
4702 case WLAN_ACTION_VENDOR_SPECIFIC:
4703 if (hapd->vendor_action_cb) {
4704 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4705 (u8 *) mgmt, len,
4706 hapd->iface->freq) == 0)
4707 return 1;
4708 }
4709 break;
4710 case WLAN_ACTION_RADIO_MEASUREMENT:
4711 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4712 return 1;
4713 }
4714
4715 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4716 HOSTAPD_LEVEL_DEBUG,
4717 "handle_action - unknown action category %d or invalid "
4718 "frame",
4719 mgmt->u.action.category);
4720 if (!is_multicast_ether_addr(mgmt->da) &&
4721 !(mgmt->u.action.category & 0x80) &&
4722 !is_multicast_ether_addr(mgmt->sa)) {
4723 struct ieee80211_mgmt *resp;
4724
4725 /*
4726 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4727 * Return the Action frame to the source without change
4728 * except that MSB of the Category set to 1.
4729 */
4730 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4731 "frame back to sender");
4732 resp = os_memdup(mgmt, len);
4733 if (resp == NULL)
4734 return 0;
4735 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4736 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4737 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4738 resp->u.action.category |= 0x80;
4739
4740 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
4741 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4742 "Action frame");
4743 }
4744 os_free(resp);
4745 }
4746
4747 return 1;
4748 }
4749
4750
4751 /**
4752 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4753 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4754 * sent to)
4755 * @buf: management frame data (starting from IEEE 802.11 header)
4756 * @len: length of frame data in octets
4757 * @fi: meta data about received frame (signal level, etc.)
4758 *
4759 * Process all incoming IEEE 802.11 management frames. This will be called for
4760 * each frame received from the kernel driver through wlan#ap interface. In
4761 * addition, it can be called to re-inserted pending frames (e.g., when using
4762 * external RADIUS server as an MAC ACL).
4763 */
4764 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4765 struct hostapd_frame_info *fi)
4766 {
4767 struct ieee80211_mgmt *mgmt;
4768 u16 fc, stype;
4769 int ret = 0;
4770 unsigned int freq;
4771 int ssi_signal = fi ? fi->ssi_signal : 0;
4772
4773 if (len < 24)
4774 return 0;
4775
4776 if (fi && fi->freq)
4777 freq = fi->freq;
4778 else
4779 freq = hapd->iface->freq;
4780
4781 mgmt = (struct ieee80211_mgmt *) buf;
4782 fc = le_to_host16(mgmt->frame_control);
4783 stype = WLAN_FC_GET_STYPE(fc);
4784
4785 if (is_multicast_ether_addr(mgmt->sa) ||
4786 is_zero_ether_addr(mgmt->sa) ||
4787 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
4788 /* Do not process any frames with unexpected/invalid SA so that
4789 * we do not add any state for unexpected STA addresses or end
4790 * up sending out frames to unexpected destination. */
4791 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
4792 " in received frame - ignore this frame silently",
4793 MAC2STR(mgmt->sa));
4794 return 0;
4795 }
4796
4797 if (stype == WLAN_FC_STYPE_BEACON) {
4798 handle_beacon(hapd, mgmt, len, fi);
4799 return 1;
4800 }
4801
4802 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4803 #ifdef CONFIG_P2P
4804 /* Invitation responses can be sent with the peer MAC as BSSID */
4805 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4806 stype == WLAN_FC_STYPE_ACTION) &&
4807 #endif /* CONFIG_P2P */
4808 #ifdef CONFIG_MESH
4809 !(hapd->conf->mesh & MESH_ENABLED) &&
4810 #endif /* CONFIG_MESH */
4811 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4812 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4813 MAC2STR(mgmt->bssid));
4814 return 0;
4815 }
4816
4817
4818 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4819 handle_probe_req(hapd, mgmt, len, ssi_signal);
4820 return 1;
4821 }
4822
4823 if ((!is_broadcast_ether_addr(mgmt->da) ||
4824 stype != WLAN_FC_STYPE_ACTION) &&
4825 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4826 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4827 HOSTAPD_LEVEL_DEBUG,
4828 "MGMT: DA=" MACSTR " not our address",
4829 MAC2STR(mgmt->da));
4830 return 0;
4831 }
4832
4833 if (hapd->iconf->track_sta_max_num)
4834 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4835
4836 switch (stype) {
4837 case WLAN_FC_STYPE_AUTH:
4838 wpa_printf(MSG_DEBUG, "mgmt::auth");
4839 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4840 ret = 1;
4841 break;
4842 case WLAN_FC_STYPE_ASSOC_REQ:
4843 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4844 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4845 ret = 1;
4846 break;
4847 case WLAN_FC_STYPE_REASSOC_REQ:
4848 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4849 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4850 ret = 1;
4851 break;
4852 case WLAN_FC_STYPE_DISASSOC:
4853 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4854 handle_disassoc(hapd, mgmt, len);
4855 ret = 1;
4856 break;
4857 case WLAN_FC_STYPE_DEAUTH:
4858 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4859 handle_deauth(hapd, mgmt, len);
4860 ret = 1;
4861 break;
4862 case WLAN_FC_STYPE_ACTION:
4863 wpa_printf(MSG_DEBUG, "mgmt::action");
4864 ret = handle_action(hapd, mgmt, len, freq);
4865 break;
4866 default:
4867 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4868 HOSTAPD_LEVEL_DEBUG,
4869 "unknown mgmt frame subtype %d", stype);
4870 break;
4871 }
4872
4873 return ret;
4874 }
4875
4876
4877 static void handle_auth_cb(struct hostapd_data *hapd,
4878 const struct ieee80211_mgmt *mgmt,
4879 size_t len, int ok)
4880 {
4881 u16 auth_alg, auth_transaction, status_code;
4882 struct sta_info *sta;
4883
4884 sta = ap_get_sta(hapd, mgmt->da);
4885 if (!sta) {
4886 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4887 " not found",
4888 MAC2STR(mgmt->da));
4889 return;
4890 }
4891
4892 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4893 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4894 status_code = le_to_host16(mgmt->u.auth.status_code);
4895
4896 if (!ok) {
4897 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4898 HOSTAPD_LEVEL_NOTICE,
4899 "did not acknowledge authentication response");
4900 goto fail;
4901 }
4902
4903 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4904 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4905 (unsigned long) len);
4906 goto fail;
4907 }
4908
4909 if (status_code == WLAN_STATUS_SUCCESS &&
4910 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4911 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4912 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4913 HOSTAPD_LEVEL_INFO, "authenticated");
4914 sta->flags |= WLAN_STA_AUTH;
4915 if (sta->added_unassoc)
4916 hostapd_set_sta_flags(hapd, sta);
4917 return;
4918 }
4919
4920 fail:
4921 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4922 hostapd_drv_sta_remove(hapd, sta->addr);
4923 sta->added_unassoc = 0;
4924 }
4925 }
4926
4927
4928 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4929 struct sta_info *sta,
4930 char *ifname_wds)
4931 {
4932 int i;
4933 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4934
4935 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4936 return;
4937
4938 for (i = 0; i < 4; i++) {
4939 if (ssid->wep.key[i] &&
4940 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4941 0, i == ssid->wep.idx, NULL, 0,
4942 ssid->wep.key[i], ssid->wep.len[i],
4943 i == ssid->wep.idx ?
4944 KEY_FLAG_GROUP_RX_TX_DEFAULT :
4945 KEY_FLAG_GROUP_RX_TX)) {
4946 wpa_printf(MSG_WARNING,
4947 "Could not set WEP keys for WDS interface; %s",
4948 ifname_wds);
4949 break;
4950 }
4951 }
4952 }
4953
4954
4955 static void handle_assoc_cb(struct hostapd_data *hapd,
4956 const struct ieee80211_mgmt *mgmt,
4957 size_t len, int reassoc, int ok)
4958 {
4959 u16 status;
4960 struct sta_info *sta;
4961 int new_assoc = 1;
4962
4963 sta = ap_get_sta(hapd, mgmt->da);
4964 if (!sta) {
4965 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4966 MAC2STR(mgmt->da));
4967 return;
4968 }
4969
4970 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4971 sizeof(mgmt->u.assoc_resp))) {
4972 wpa_printf(MSG_INFO,
4973 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4974 reassoc, (unsigned long) len);
4975 hostapd_drv_sta_remove(hapd, sta->addr);
4976 return;
4977 }
4978
4979 if (reassoc)
4980 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4981 else
4982 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4983
4984 if (!ok) {
4985 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4986 HOSTAPD_LEVEL_DEBUG,
4987 "did not acknowledge association response");
4988 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4989 /* The STA is added only in case of SUCCESS */
4990 if (status == WLAN_STATUS_SUCCESS)
4991 hostapd_drv_sta_remove(hapd, sta->addr);
4992
4993 return;
4994 }
4995
4996 if (status != WLAN_STATUS_SUCCESS)
4997 return;
4998
4999 /* Stop previous accounting session, if one is started, and allocate
5000 * new session id for the new session. */
5001 accounting_sta_stop(hapd, sta);
5002
5003 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5004 HOSTAPD_LEVEL_INFO,
5005 "associated (aid %d)",
5006 sta->aid);
5007
5008 if (sta->flags & WLAN_STA_ASSOC)
5009 new_assoc = 0;
5010 sta->flags |= WLAN_STA_ASSOC;
5011 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
5012 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
5013 !hapd->conf->osen) ||
5014 sta->auth_alg == WLAN_AUTH_FILS_SK ||
5015 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5016 sta->auth_alg == WLAN_AUTH_FILS_PK ||
5017 sta->auth_alg == WLAN_AUTH_FT) {
5018 /*
5019 * Open, static WEP, FT protocol, or FILS; no separate
5020 * authorization step.
5021 */
5022 ap_sta_set_authorized(hapd, sta, 1);
5023 }
5024
5025 if (reassoc)
5026 mlme_reassociate_indication(hapd, sta);
5027 else
5028 mlme_associate_indication(hapd, sta);
5029
5030 sta->sa_query_timed_out = 0;
5031
5032 if (sta->eapol_sm == NULL) {
5033 /*
5034 * This STA does not use RADIUS server for EAP authentication,
5035 * so bind it to the selected VLAN interface now, since the
5036 * interface selection is not going to change anymore.
5037 */
5038 if (ap_sta_bind_vlan(hapd, sta) < 0)
5039 return;
5040 } else if (sta->vlan_id) {
5041 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
5042 if (ap_sta_bind_vlan(hapd, sta) < 0)
5043 return;
5044 }
5045
5046 hostapd_set_sta_flags(hapd, sta);
5047
5048 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
5049 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
5050 MACSTR " based on pending request",
5051 MAC2STR(sta->addr));
5052 sta->pending_wds_enable = 0;
5053 sta->flags |= WLAN_STA_WDS;
5054 }
5055
5056 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
5057 int ret;
5058 char ifname_wds[IFNAMSIZ + 1];
5059
5060 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
5061 MACSTR " (aid %u)",
5062 MAC2STR(sta->addr), sta->aid);
5063 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
5064 sta->aid, 1);
5065 if (!ret)
5066 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
5067 }
5068
5069 if (sta->auth_alg == WLAN_AUTH_FT)
5070 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
5071 else
5072 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
5073 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
5074 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
5075
5076 #ifdef CONFIG_FILS
5077 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
5078 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5079 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5080 fils_set_tk(sta->wpa_sm) < 0) {
5081 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
5082 ap_sta_disconnect(hapd, sta, sta->addr,
5083 WLAN_REASON_UNSPECIFIED);
5084 return;
5085 }
5086 #endif /* CONFIG_FILS */
5087
5088 if (sta->pending_eapol_rx) {
5089 struct os_reltime now, age;
5090
5091 os_get_reltime(&now);
5092 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
5093 if (age.sec == 0 && age.usec < 200000) {
5094 wpa_printf(MSG_DEBUG,
5095 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
5096 MAC2STR(sta->addr));
5097 ieee802_1x_receive(
5098 hapd, mgmt->da,
5099 wpabuf_head(sta->pending_eapol_rx->buf),
5100 wpabuf_len(sta->pending_eapol_rx->buf));
5101 }
5102 wpabuf_free(sta->pending_eapol_rx->buf);
5103 os_free(sta->pending_eapol_rx);
5104 sta->pending_eapol_rx = NULL;
5105 }
5106 }
5107
5108
5109 static void handle_deauth_cb(struct hostapd_data *hapd,
5110 const struct ieee80211_mgmt *mgmt,
5111 size_t len, int ok)
5112 {
5113 struct sta_info *sta;
5114 if (is_multicast_ether_addr(mgmt->da))
5115 return;
5116 sta = ap_get_sta(hapd, mgmt->da);
5117 if (!sta) {
5118 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
5119 " not found", MAC2STR(mgmt->da));
5120 return;
5121 }
5122 if (ok)
5123 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
5124 MAC2STR(sta->addr));
5125 else
5126 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5127 "deauth", MAC2STR(sta->addr));
5128
5129 ap_sta_deauth_cb(hapd, sta);
5130 }
5131
5132
5133 static void handle_disassoc_cb(struct hostapd_data *hapd,
5134 const struct ieee80211_mgmt *mgmt,
5135 size_t len, int ok)
5136 {
5137 struct sta_info *sta;
5138 if (is_multicast_ether_addr(mgmt->da))
5139 return;
5140 sta = ap_get_sta(hapd, mgmt->da);
5141 if (!sta) {
5142 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
5143 " not found", MAC2STR(mgmt->da));
5144 return;
5145 }
5146 if (ok)
5147 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
5148 MAC2STR(sta->addr));
5149 else
5150 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5151 "disassoc", MAC2STR(sta->addr));
5152
5153 ap_sta_disassoc_cb(hapd, sta);
5154 }
5155
5156
5157 static void handle_action_cb(struct hostapd_data *hapd,
5158 const struct ieee80211_mgmt *mgmt,
5159 size_t len, int ok)
5160 {
5161 struct sta_info *sta;
5162 const struct rrm_measurement_report_element *report;
5163
5164 if (is_multicast_ether_addr(mgmt->da))
5165 return;
5166 #ifdef CONFIG_DPP
5167 if (len >= IEEE80211_HDRLEN + 6 &&
5168 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5169 mgmt->u.action.u.vs_public_action.action ==
5170 WLAN_PA_VENDOR_SPECIFIC &&
5171 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5172 OUI_WFA &&
5173 mgmt->u.action.u.vs_public_action.variable[0] ==
5174 DPP_OUI_TYPE) {
5175 const u8 *pos, *end;
5176
5177 pos = &mgmt->u.action.u.vs_public_action.variable[1];
5178 end = ((const u8 *) mgmt) + len;
5179 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
5180 return;
5181 }
5182 if (len >= IEEE80211_HDRLEN + 2 &&
5183 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5184 (mgmt->u.action.u.public_action.action ==
5185 WLAN_PA_GAS_INITIAL_REQ ||
5186 mgmt->u.action.u.public_action.action ==
5187 WLAN_PA_GAS_COMEBACK_REQ)) {
5188 const u8 *pos, *end;
5189
5190 pos = mgmt->u.action.u.public_action.variable;
5191 end = ((const u8 *) mgmt) + len;
5192 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
5193 return;
5194 }
5195 #endif /* CONFIG_DPP */
5196 sta = ap_get_sta(hapd, mgmt->da);
5197 if (!sta) {
5198 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
5199 " not found", MAC2STR(mgmt->da));
5200 return;
5201 }
5202
5203 if (len < 24 + 5 + sizeof(*report))
5204 return;
5205 report = (const struct rrm_measurement_report_element *)
5206 &mgmt->u.action.u.rrm.variable[2];
5207 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
5208 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
5209 report->eid == WLAN_EID_MEASURE_REQUEST &&
5210 report->len >= 3 &&
5211 report->type == MEASURE_TYPE_BEACON)
5212 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
5213 }
5214
5215
5216 /**
5217 * ieee802_11_mgmt_cb - Process management frame TX status callback
5218 * @hapd: hostapd BSS data structure (the BSS from which the management frame
5219 * was sent from)
5220 * @buf: management frame data (starting from IEEE 802.11 header)
5221 * @len: length of frame data in octets
5222 * @stype: management frame subtype from frame control field
5223 * @ok: Whether the frame was ACK'ed
5224 */
5225 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
5226 u16 stype, int ok)
5227 {
5228 const struct ieee80211_mgmt *mgmt;
5229 mgmt = (const struct ieee80211_mgmt *) buf;
5230
5231 #ifdef CONFIG_TESTING_OPTIONS
5232 if (hapd->ext_mgmt_frame_handling) {
5233 size_t hex_len = 2 * len + 1;
5234 char *hex = os_malloc(hex_len);
5235
5236 if (hex) {
5237 wpa_snprintf_hex(hex, hex_len, buf, len);
5238 wpa_msg(hapd->msg_ctx, MSG_INFO,
5239 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
5240 stype, ok, hex);
5241 os_free(hex);
5242 }
5243 return;
5244 }
5245 #endif /* CONFIG_TESTING_OPTIONS */
5246
5247 switch (stype) {
5248 case WLAN_FC_STYPE_AUTH:
5249 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
5250 handle_auth_cb(hapd, mgmt, len, ok);
5251 break;
5252 case WLAN_FC_STYPE_ASSOC_RESP:
5253 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
5254 handle_assoc_cb(hapd, mgmt, len, 0, ok);
5255 break;
5256 case WLAN_FC_STYPE_REASSOC_RESP:
5257 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
5258 handle_assoc_cb(hapd, mgmt, len, 1, ok);
5259 break;
5260 case WLAN_FC_STYPE_PROBE_RESP:
5261 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
5262 break;
5263 case WLAN_FC_STYPE_DEAUTH:
5264 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
5265 handle_deauth_cb(hapd, mgmt, len, ok);
5266 break;
5267 case WLAN_FC_STYPE_DISASSOC:
5268 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
5269 handle_disassoc_cb(hapd, mgmt, len, ok);
5270 break;
5271 case WLAN_FC_STYPE_ACTION:
5272 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
5273 handle_action_cb(hapd, mgmt, len, ok);
5274 break;
5275 default:
5276 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
5277 break;
5278 }
5279 }
5280
5281
5282 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
5283 {
5284 /* TODO */
5285 return 0;
5286 }
5287
5288
5289 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
5290 char *buf, size_t buflen)
5291 {
5292 /* TODO */
5293 return 0;
5294 }
5295
5296
5297 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
5298 const u8 *buf, size_t len, int ack)
5299 {
5300 struct sta_info *sta;
5301 struct hostapd_iface *iface = hapd->iface;
5302
5303 sta = ap_get_sta(hapd, addr);
5304 if (sta == NULL && iface->num_bss > 1) {
5305 size_t j;
5306 for (j = 0; j < iface->num_bss; j++) {
5307 hapd = iface->bss[j];
5308 sta = ap_get_sta(hapd, addr);
5309 if (sta)
5310 break;
5311 }
5312 }
5313 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
5314 return;
5315 if (sta->flags & WLAN_STA_PENDING_POLL) {
5316 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
5317 "activity poll", MAC2STR(sta->addr),
5318 ack ? "ACKed" : "did not ACK");
5319 if (ack)
5320 sta->flags &= ~WLAN_STA_PENDING_POLL;
5321 }
5322
5323 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
5324 }
5325
5326
5327 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5328 const u8 *data, size_t len, int ack)
5329 {
5330 struct sta_info *sta;
5331 struct hostapd_iface *iface = hapd->iface;
5332
5333 sta = ap_get_sta(hapd, dst);
5334 if (sta == NULL && iface->num_bss > 1) {
5335 size_t j;
5336 for (j = 0; j < iface->num_bss; j++) {
5337 hapd = iface->bss[j];
5338 sta = ap_get_sta(hapd, dst);
5339 if (sta)
5340 break;
5341 }
5342 }
5343 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5344 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5345 MACSTR " that is not currently associated",
5346 MAC2STR(dst));
5347 return;
5348 }
5349
5350 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5351 }
5352
5353
5354 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5355 {
5356 struct sta_info *sta;
5357 struct hostapd_iface *iface = hapd->iface;
5358
5359 sta = ap_get_sta(hapd, addr);
5360 if (sta == NULL && iface->num_bss > 1) {
5361 size_t j;
5362 for (j = 0; j < iface->num_bss; j++) {
5363 hapd = iface->bss[j];
5364 sta = ap_get_sta(hapd, addr);
5365 if (sta)
5366 break;
5367 }
5368 }
5369 if (sta == NULL)
5370 return;
5371 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5372 MAC2STR(sta->addr));
5373 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5374 return;
5375
5376 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5377 "activity poll", MAC2STR(sta->addr));
5378 sta->flags &= ~WLAN_STA_PENDING_POLL;
5379 }
5380
5381
5382 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5383 int wds)
5384 {
5385 struct sta_info *sta;
5386
5387 sta = ap_get_sta(hapd, src);
5388 if (sta &&
5389 ((sta->flags & WLAN_STA_ASSOC) ||
5390 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5391 if (!hapd->conf->wds_sta)
5392 return;
5393
5394 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5395 WLAN_STA_ASSOC_REQ_OK) {
5396 wpa_printf(MSG_DEBUG,
5397 "Postpone 4-address WDS mode enabling for STA "
5398 MACSTR " since TX status for AssocResp is not yet known",
5399 MAC2STR(sta->addr));
5400 sta->pending_wds_enable = 1;
5401 return;
5402 }
5403
5404 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5405 int ret;
5406 char ifname_wds[IFNAMSIZ + 1];
5407
5408 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5409 "STA " MACSTR " (aid %u)",
5410 MAC2STR(sta->addr), sta->aid);
5411 sta->flags |= WLAN_STA_WDS;
5412 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5413 sta->addr, sta->aid, 1);
5414 if (!ret)
5415 hostapd_set_wds_encryption(hapd, sta,
5416 ifname_wds);
5417 }
5418 return;
5419 }
5420
5421 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5422 MACSTR, MAC2STR(src));
5423 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
5424 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
5425 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
5426 * silently. */
5427 return;
5428 }
5429
5430 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5431 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5432 "already been sent, but no TX status yet known - "
5433 "ignore Class 3 frame issue with " MACSTR,
5434 MAC2STR(src));
5435 return;
5436 }
5437
5438 if (sta && (sta->flags & WLAN_STA_AUTH))
5439 hostapd_drv_sta_disassoc(
5440 hapd, src,
5441 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5442 else
5443 hostapd_drv_sta_deauth(
5444 hapd, src,
5445 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5446 }
5447
5448
5449 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.