]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Make hostapd_drv_send_mlme() more generic
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "radius/radius.h"
28 #include "radius/radius_client.h"
29 #include "p2p/p2p.h"
30 #include "wps/wps.h"
31 #include "fst/fst.h"
32 #include "hostapd.h"
33 #include "beacon.h"
34 #include "ieee802_11_auth.h"
35 #include "sta_info.h"
36 #include "ieee802_1x.h"
37 #include "wpa_auth.h"
38 #include "pmksa_cache_auth.h"
39 #include "wmm.h"
40 #include "ap_list.h"
41 #include "accounting.h"
42 #include "ap_config.h"
43 #include "ap_mlme.h"
44 #include "p2p_hostapd.h"
45 #include "ap_drv_ops.h"
46 #include "wnm_ap.h"
47 #include "hw_features.h"
48 #include "ieee802_11.h"
49 #include "dfs.h"
50 #include "mbo_ap.h"
51 #include "rrm.h"
52 #include "taxonomy.h"
53 #include "fils_hlp.h"
54 #include "dpp_hostapd.h"
55 #include "gas_query_ap.h"
56
57
58 #ifdef CONFIG_FILS
59 static struct wpabuf *
60 prepare_auth_resp_fils(struct hostapd_data *hapd,
61 struct sta_info *sta, u16 *resp,
62 struct rsn_pmksa_cache_entry *pmksa,
63 struct wpabuf *erp_resp,
64 const u8 *msk, size_t msk_len,
65 int *is_pub);
66 #endif /* CONFIG_FILS */
67 static void handle_auth(struct hostapd_data *hapd,
68 const struct ieee80211_mgmt *mgmt, size_t len,
69 int rssi, int from_queue);
70
71
72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
73 {
74 u8 multi_ap_val = 0;
75
76 if (!hapd->conf->multi_ap)
77 return eid;
78 if (hapd->conf->multi_ap & BACKHAUL_BSS)
79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
80 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82
83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
84 }
85
86
87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
88 {
89 u8 *pos = eid;
90 int i, num, count;
91
92 if (hapd->iface->current_rates == NULL)
93 return eid;
94
95 *pos++ = WLAN_EID_SUPP_RATES;
96 num = hapd->iface->num_rates;
97 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
98 num++;
99 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
100 num++;
101 if (hapd->conf->sae_pwe == 1 &&
102 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt))
103 num++;
104 if (num > 8) {
105 /* rest of the rates are encoded in Extended supported
106 * rates element */
107 num = 8;
108 }
109
110 *pos++ = num;
111 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
112 i++) {
113 count++;
114 *pos = hapd->iface->current_rates[i].rate / 5;
115 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
116 *pos |= 0x80;
117 pos++;
118 }
119
120 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
121 count++;
122 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
123 }
124
125 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
126 count++;
127 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
128 }
129
130 if (hapd->conf->sae_pwe == 1 &&
131 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
132 count < 8) {
133 count++;
134 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
135 }
136
137 return pos;
138 }
139
140
141 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
142 {
143 u8 *pos = eid;
144 int i, num, count;
145
146 if (hapd->iface->current_rates == NULL)
147 return eid;
148
149 num = hapd->iface->num_rates;
150 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
151 num++;
152 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
153 num++;
154 if (hapd->conf->sae_pwe == 1 &&
155 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt))
156 num++;
157 if (num <= 8)
158 return eid;
159 num -= 8;
160
161 *pos++ = WLAN_EID_EXT_SUPP_RATES;
162 *pos++ = num;
163 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
164 i++) {
165 count++;
166 if (count <= 8)
167 continue; /* already in SuppRates IE */
168 *pos = hapd->iface->current_rates[i].rate / 5;
169 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
170 *pos |= 0x80;
171 pos++;
172 }
173
174 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
175 count++;
176 if (count > 8)
177 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
178 }
179
180 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
181 count++;
182 if (count > 8)
183 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
184 }
185
186 if (hapd->conf->sae_pwe == 1 &&
187 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt)) {
188 count++;
189 if (count > 8)
190 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
191 }
192
193 return pos;
194 }
195
196
197 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
198 {
199 int capab = WLAN_CAPABILITY_ESS;
200 int privacy;
201 int dfs;
202 int i;
203
204 /* Check if any of configured channels require DFS */
205 dfs = hostapd_is_dfs_required(hapd->iface);
206 if (dfs < 0) {
207 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
208 dfs);
209 dfs = 0;
210 }
211
212 if (hapd->iface->num_sta_no_short_preamble == 0 &&
213 hapd->iconf->preamble == SHORT_PREAMBLE)
214 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
215
216 privacy = hapd->conf->ssid.wep.keys_set;
217
218 if (hapd->conf->ieee802_1x &&
219 (hapd->conf->default_wep_key_len ||
220 hapd->conf->individual_wep_key_len))
221 privacy = 1;
222
223 if (hapd->conf->wpa)
224 privacy = 1;
225
226 #ifdef CONFIG_HS20
227 if (hapd->conf->osen)
228 privacy = 1;
229 #endif /* CONFIG_HS20 */
230
231 if (privacy)
232 capab |= WLAN_CAPABILITY_PRIVACY;
233
234 if (hapd->iface->current_mode &&
235 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
236 hapd->iface->num_sta_no_short_slot_time == 0)
237 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
238
239 /*
240 * Currently, Spectrum Management capability bit is set when directly
241 * requested in configuration by spectrum_mgmt_required or when AP is
242 * running on DFS channel.
243 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
244 */
245 if (hapd->iface->current_mode &&
246 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
247 (hapd->iconf->spectrum_mgmt_required || dfs))
248 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
249
250 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
251 if (hapd->conf->radio_measurements[i]) {
252 capab |= IEEE80211_CAP_RRM;
253 break;
254 }
255 }
256
257 return capab;
258 }
259
260
261 #ifndef CONFIG_NO_RC4
262 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
263 u16 auth_transaction, const u8 *challenge,
264 int iswep)
265 {
266 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
267 HOSTAPD_LEVEL_DEBUG,
268 "authentication (shared key, transaction %d)",
269 auth_transaction);
270
271 if (auth_transaction == 1) {
272 if (!sta->challenge) {
273 /* Generate a pseudo-random challenge */
274 u8 key[8];
275
276 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
277 if (sta->challenge == NULL)
278 return WLAN_STATUS_UNSPECIFIED_FAILURE;
279
280 if (os_get_random(key, sizeof(key)) < 0) {
281 os_free(sta->challenge);
282 sta->challenge = NULL;
283 return WLAN_STATUS_UNSPECIFIED_FAILURE;
284 }
285
286 rc4_skip(key, sizeof(key), 0,
287 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
288 }
289 return 0;
290 }
291
292 if (auth_transaction != 3)
293 return WLAN_STATUS_UNSPECIFIED_FAILURE;
294
295 /* Transaction 3 */
296 if (!iswep || !sta->challenge || !challenge ||
297 os_memcmp_const(sta->challenge, challenge,
298 WLAN_AUTH_CHALLENGE_LEN)) {
299 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
300 HOSTAPD_LEVEL_INFO,
301 "shared key authentication - invalid "
302 "challenge-response");
303 return WLAN_STATUS_CHALLENGE_FAIL;
304 }
305
306 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
307 HOSTAPD_LEVEL_DEBUG,
308 "authentication OK (shared key)");
309 sta->flags |= WLAN_STA_AUTH;
310 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
311 os_free(sta->challenge);
312 sta->challenge = NULL;
313
314 return 0;
315 }
316 #endif /* CONFIG_NO_RC4 */
317
318
319 static int send_auth_reply(struct hostapd_data *hapd,
320 const u8 *dst, const u8 *bssid,
321 u16 auth_alg, u16 auth_transaction, u16 resp,
322 const u8 *ies, size_t ies_len, const char *dbg)
323 {
324 struct ieee80211_mgmt *reply;
325 u8 *buf;
326 size_t rlen;
327 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
328
329 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
330 buf = os_zalloc(rlen);
331 if (buf == NULL)
332 return -1;
333
334 reply = (struct ieee80211_mgmt *) buf;
335 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
336 WLAN_FC_STYPE_AUTH);
337 os_memcpy(reply->da, dst, ETH_ALEN);
338 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
339 os_memcpy(reply->bssid, bssid, ETH_ALEN);
340
341 reply->u.auth.auth_alg = host_to_le16(auth_alg);
342 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
343 reply->u.auth.status_code = host_to_le16(resp);
344
345 if (ies && ies_len)
346 os_memcpy(reply->u.auth.variable, ies, ies_len);
347
348 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
349 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
350 MAC2STR(dst), auth_alg, auth_transaction,
351 resp, (unsigned long) ies_len, dbg);
352 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
353 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
354 else
355 reply_res = WLAN_STATUS_SUCCESS;
356
357 os_free(buf);
358
359 return reply_res;
360 }
361
362
363 #ifdef CONFIG_IEEE80211R_AP
364 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
365 u16 auth_transaction, u16 status,
366 const u8 *ies, size_t ies_len)
367 {
368 struct hostapd_data *hapd = ctx;
369 struct sta_info *sta;
370 int reply_res;
371
372 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
373 auth_transaction, status, ies, ies_len,
374 "auth-ft-finish");
375
376 sta = ap_get_sta(hapd, dst);
377 if (sta == NULL)
378 return;
379
380 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
381 status != WLAN_STATUS_SUCCESS)) {
382 hostapd_drv_sta_remove(hapd, sta->addr);
383 sta->added_unassoc = 0;
384 return;
385 }
386
387 if (status != WLAN_STATUS_SUCCESS)
388 return;
389
390 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
391 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
392 sta->flags |= WLAN_STA_AUTH;
393 mlme_authenticate_indication(hapd, sta);
394 }
395 #endif /* CONFIG_IEEE80211R_AP */
396
397
398 #ifdef CONFIG_SAE
399
400 static void sae_set_state(struct sta_info *sta, enum sae_state state,
401 const char *reason)
402 {
403 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
404 sae_state_txt(sta->sae->state), sae_state_txt(state),
405 MAC2STR(sta->addr), reason);
406 sta->sae->state = state;
407 }
408
409
410 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
411 struct sta_info *sta, int update,
412 int status_code)
413 {
414 struct wpabuf *buf;
415 const char *password = NULL;
416 struct sae_password_entry *pw;
417 const char *rx_id = NULL;
418 int use_pt = 0;
419 struct sae_pt *pt = NULL;
420
421 if (sta->sae->tmp) {
422 rx_id = sta->sae->tmp->pw_id;
423 use_pt = sta->sae->tmp->h2e;
424 }
425
426 if (status_code == WLAN_STATUS_SUCCESS)
427 use_pt = 0;
428 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
429 use_pt = 1;
430
431 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
432 if (!is_broadcast_ether_addr(pw->peer_addr) &&
433 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
434 continue;
435 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
436 continue;
437 if (rx_id && pw->identifier &&
438 os_strcmp(rx_id, pw->identifier) != 0)
439 continue;
440 password = pw->password;
441 pt = pw->pt;
442 break;
443 }
444 if (!password) {
445 password = hapd->conf->ssid.wpa_passphrase;
446 pt = hapd->conf->ssid.pt;
447 }
448 if (!password || (use_pt && !pt)) {
449 wpa_printf(MSG_DEBUG, "SAE: No password available");
450 return NULL;
451 }
452
453 if (update && use_pt &&
454 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
455 NULL) < 0)
456 return NULL;
457
458 if (update && !use_pt &&
459 sae_prepare_commit(hapd->own_addr, sta->addr,
460 (u8 *) password, os_strlen(password), rx_id,
461 sta->sae) < 0) {
462 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
463 return NULL;
464 }
465
466 if (pw && pw->vlan_id) {
467 if (!sta->sae->tmp) {
468 wpa_printf(MSG_INFO,
469 "SAE: No temporary data allocated - cannot store VLAN ID");
470 return NULL;
471 }
472 sta->sae->tmp->vlan_id = pw->vlan_id;
473 }
474
475 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
476 (rx_id ? 3 + os_strlen(rx_id) : 0));
477 if (buf == NULL)
478 return NULL;
479 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
480 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
481
482 return buf;
483 }
484
485
486 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
487 struct sta_info *sta)
488 {
489 struct wpabuf *buf;
490
491 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
492 if (buf == NULL)
493 return NULL;
494
495 sae_write_confirm(sta->sae, buf);
496
497 return buf;
498 }
499
500
501 static int auth_sae_send_commit(struct hostapd_data *hapd,
502 struct sta_info *sta,
503 const u8 *bssid, int update, int status_code)
504 {
505 struct wpabuf *data;
506 int reply_res;
507 u16 status;
508
509 data = auth_build_sae_commit(hapd, sta, update, status_code);
510 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
511 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
512 if (data == NULL)
513 return WLAN_STATUS_UNSPECIFIED_FAILURE;
514
515 status = (sta->sae->tmp && sta->sae->tmp->h2e) ?
516 WLAN_STATUS_SAE_HASH_TO_ELEMENT : WLAN_STATUS_SUCCESS;
517 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
518 status, wpabuf_head(data),
519 wpabuf_len(data), "sae-send-commit");
520
521 wpabuf_free(data);
522
523 return reply_res;
524 }
525
526
527 static int auth_sae_send_confirm(struct hostapd_data *hapd,
528 struct sta_info *sta,
529 const u8 *bssid)
530 {
531 struct wpabuf *data;
532 int reply_res;
533
534 data = auth_build_sae_confirm(hapd, sta);
535 if (data == NULL)
536 return WLAN_STATUS_UNSPECIFIED_FAILURE;
537
538 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
539 WLAN_STATUS_SUCCESS, wpabuf_head(data),
540 wpabuf_len(data), "sae-send-confirm");
541
542 wpabuf_free(data);
543
544 return reply_res;
545 }
546
547
548 static int use_sae_anti_clogging(struct hostapd_data *hapd)
549 {
550 struct sta_info *sta;
551 unsigned int open = 0;
552
553 if (hapd->conf->sae_anti_clogging_threshold == 0)
554 return 1;
555
556 for (sta = hapd->sta_list; sta; sta = sta->next) {
557 if (!sta->sae)
558 continue;
559 if (sta->sae->state != SAE_COMMITTED &&
560 sta->sae->state != SAE_CONFIRMED)
561 continue;
562 open++;
563 if (open >= hapd->conf->sae_anti_clogging_threshold)
564 return 1;
565 }
566
567 /* In addition to already existing open SAE sessions, check whether
568 * there are enough pending commit messages in the processing queue to
569 * potentially result in too many open sessions. */
570 if (open + dl_list_len(&hapd->sae_commit_queue) >=
571 hapd->conf->sae_anti_clogging_threshold)
572 return 1;
573
574 return 0;
575 }
576
577
578 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
579 {
580 u8 hash[SHA256_MAC_LEN];
581
582 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
583 addr, ETH_ALEN, hash);
584 return hash[0];
585 }
586
587
588 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
589 const u8 *token, size_t token_len)
590 {
591 u8 mac[SHA256_MAC_LEN];
592 const u8 *addrs[2];
593 size_t len[2];
594 u16 token_idx;
595 u8 idx;
596
597 if (token_len != SHA256_MAC_LEN)
598 return -1;
599 idx = sae_token_hash(hapd, addr);
600 token_idx = hapd->sae_pending_token_idx[idx];
601 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
602 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
603 MACSTR " - token_idx 0x%04x, expected 0x%04x",
604 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
605 return -1;
606 }
607
608 addrs[0] = addr;
609 len[0] = ETH_ALEN;
610 addrs[1] = token;
611 len[1] = 2;
612 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
613 2, addrs, len, mac) < 0 ||
614 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
615 return -1;
616
617 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
618
619 return 0;
620 }
621
622
623 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
624 int group, const u8 *addr)
625 {
626 struct wpabuf *buf;
627 u8 *token;
628 struct os_reltime now;
629 u8 idx[2];
630 const u8 *addrs[2];
631 size_t len[2];
632 u8 p_idx;
633 u16 token_idx;
634
635 os_get_reltime(&now);
636 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
637 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
638 hapd->sae_token_idx == 0xffff) {
639 if (random_get_bytes(hapd->sae_token_key,
640 sizeof(hapd->sae_token_key)) < 0)
641 return NULL;
642 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
643 hapd->sae_token_key, sizeof(hapd->sae_token_key));
644 hapd->last_sae_token_key_update = now;
645 hapd->sae_token_idx = 0;
646 os_memset(hapd->sae_pending_token_idx, 0,
647 sizeof(hapd->sae_pending_token_idx));
648 }
649
650 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
651 if (buf == NULL)
652 return NULL;
653
654 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
655
656 p_idx = sae_token_hash(hapd, addr);
657 token_idx = hapd->sae_pending_token_idx[p_idx];
658 if (!token_idx) {
659 hapd->sae_token_idx++;
660 token_idx = hapd->sae_token_idx;
661 hapd->sae_pending_token_idx[p_idx] = token_idx;
662 }
663 WPA_PUT_BE16(idx, token_idx);
664 token = wpabuf_put(buf, SHA256_MAC_LEN);
665 addrs[0] = addr;
666 len[0] = ETH_ALEN;
667 addrs[1] = idx;
668 len[1] = sizeof(idx);
669 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
670 2, addrs, len, token) < 0) {
671 wpabuf_free(buf);
672 return NULL;
673 }
674 WPA_PUT_BE16(token, token_idx);
675
676 return buf;
677 }
678
679
680 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
681 {
682 if (sta->sae->sync > hapd->conf->sae_sync) {
683 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
684 sta->sae->sync = 0;
685 return -1;
686 }
687 return 0;
688 }
689
690
691 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
692 {
693 struct hostapd_data *hapd = eloop_ctx;
694 struct sta_info *sta = eloop_data;
695 int ret;
696
697 if (sae_check_big_sync(hapd, sta))
698 return;
699 sta->sae->sync++;
700 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
701 " (sync=%d state=%s)",
702 MAC2STR(sta->addr), sta->sae->sync,
703 sae_state_txt(sta->sae->state));
704
705 switch (sta->sae->state) {
706 case SAE_COMMITTED:
707 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
708 eloop_register_timeout(0,
709 hapd->dot11RSNASAERetransPeriod * 1000,
710 auth_sae_retransmit_timer, hapd, sta);
711 break;
712 case SAE_CONFIRMED:
713 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
714 eloop_register_timeout(0,
715 hapd->dot11RSNASAERetransPeriod * 1000,
716 auth_sae_retransmit_timer, hapd, sta);
717 break;
718 default:
719 ret = -1;
720 break;
721 }
722
723 if (ret != WLAN_STATUS_SUCCESS)
724 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
725 }
726
727
728 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
729 {
730 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
731 }
732
733
734 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
735 struct sta_info *sta)
736 {
737 if (!(hapd->conf->mesh & MESH_ENABLED))
738 return;
739
740 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
741 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
742 auth_sae_retransmit_timer, hapd, sta);
743 }
744
745
746 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
747 struct sta_info *sta, u16 status)
748 {
749 struct external_auth params;
750
751 os_memset(&params, 0, sizeof(params));
752 params.status = status;
753 params.bssid = sta->addr;
754 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
755 !hapd->conf->disable_pmksa_caching)
756 params.pmkid = sta->sae->pmkid;
757
758 hostapd_drv_send_external_auth_status(hapd, &params);
759 }
760
761
762 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
763 {
764 #ifndef CONFIG_NO_VLAN
765 struct vlan_description vlan_desc;
766
767 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
768 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
769 " to VLAN ID %d",
770 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
771
772 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
773 vlan_desc.notempty = 1;
774 vlan_desc.untagged = sta->sae->tmp->vlan_id;
775 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
776 wpa_printf(MSG_INFO,
777 "Invalid VLAN ID %d in sae_password",
778 sta->sae->tmp->vlan_id);
779 return;
780 }
781
782 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
783 ap_sta_bind_vlan(hapd, sta) < 0) {
784 wpa_printf(MSG_INFO,
785 "Failed to assign VLAN ID %d from sae_password to "
786 MACSTR, sta->sae->tmp->vlan_id,
787 MAC2STR(sta->addr));
788 return;
789 }
790 }
791 #endif /* CONFIG_NO_VLAN */
792
793 sta->flags |= WLAN_STA_AUTH;
794 sta->auth_alg = WLAN_AUTH_SAE;
795 mlme_authenticate_indication(hapd, sta);
796 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
797 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
798 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
799 sta->sae->pmk, sta->sae->pmkid);
800 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
801 }
802
803
804 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
805 const u8 *bssid, u16 auth_transaction, u16 status_code,
806 int allow_reuse, int *sta_removed)
807 {
808 int ret;
809
810 *sta_removed = 0;
811
812 if (auth_transaction != 1 && auth_transaction != 2)
813 return WLAN_STATUS_UNSPECIFIED_FAILURE;
814
815 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
816 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
817 auth_transaction);
818 switch (sta->sae->state) {
819 case SAE_NOTHING:
820 if (auth_transaction == 1) {
821 if (sta->sae->tmp)
822 sta->sae->tmp->h2e = status_code ==
823 WLAN_STATUS_SAE_HASH_TO_ELEMENT;
824 ret = auth_sae_send_commit(hapd, sta, bssid,
825 !allow_reuse, status_code);
826 if (ret)
827 return ret;
828 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
829
830 if (sae_process_commit(sta->sae) < 0)
831 return WLAN_STATUS_UNSPECIFIED_FAILURE;
832
833 /*
834 * In mesh case, both Commit and Confirm are sent
835 * immediately. In infrastructure BSS, by default, only
836 * a single Authentication frame (Commit) is expected
837 * from the AP here and the second one (Confirm) will
838 * be sent once the STA has sent its second
839 * Authentication frame (Confirm). This behavior can be
840 * overridden with explicit configuration so that the
841 * infrastructure BSS case sends both frames together.
842 */
843 if ((hapd->conf->mesh & MESH_ENABLED) ||
844 hapd->conf->sae_confirm_immediate) {
845 /*
846 * Send both Commit and Confirm immediately
847 * based on SAE finite state machine
848 * Nothing -> Confirm transition.
849 */
850 ret = auth_sae_send_confirm(hapd, sta, bssid);
851 if (ret)
852 return ret;
853 sae_set_state(sta, SAE_CONFIRMED,
854 "Sent Confirm (mesh)");
855 } else {
856 /*
857 * For infrastructure BSS, send only the Commit
858 * message now to get alternating sequence of
859 * Authentication frames between the AP and STA.
860 * Confirm will be sent in
861 * Committed -> Confirmed/Accepted transition
862 * when receiving Confirm from STA.
863 */
864 }
865 sta->sae->sync = 0;
866 sae_set_retransmit_timer(hapd, sta);
867 } else {
868 hostapd_logger(hapd, sta->addr,
869 HOSTAPD_MODULE_IEEE80211,
870 HOSTAPD_LEVEL_DEBUG,
871 "SAE confirm before commit");
872 }
873 break;
874 case SAE_COMMITTED:
875 sae_clear_retransmit_timer(hapd, sta);
876 if (auth_transaction == 1) {
877 if (sae_process_commit(sta->sae) < 0)
878 return WLAN_STATUS_UNSPECIFIED_FAILURE;
879
880 ret = auth_sae_send_confirm(hapd, sta, bssid);
881 if (ret)
882 return ret;
883 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
884 sta->sae->sync = 0;
885 sae_set_retransmit_timer(hapd, sta);
886 } else if (hapd->conf->mesh & MESH_ENABLED) {
887 /*
888 * In mesh case, follow SAE finite state machine and
889 * send Commit now, if sync count allows.
890 */
891 if (sae_check_big_sync(hapd, sta))
892 return WLAN_STATUS_SUCCESS;
893 sta->sae->sync++;
894
895 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
896 status_code);
897 if (ret)
898 return ret;
899
900 sae_set_retransmit_timer(hapd, sta);
901 } else {
902 /*
903 * For instructure BSS, send the postponed Confirm from
904 * Nothing -> Confirmed transition that was reduced to
905 * Nothing -> Committed above.
906 */
907 ret = auth_sae_send_confirm(hapd, sta, bssid);
908 if (ret)
909 return ret;
910
911 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
912
913 /*
914 * Since this was triggered on Confirm RX, run another
915 * step to get to Accepted without waiting for
916 * additional events.
917 */
918 return sae_sm_step(hapd, sta, bssid, auth_transaction,
919 WLAN_STATUS_SUCCESS, 0, sta_removed);
920 }
921 break;
922 case SAE_CONFIRMED:
923 sae_clear_retransmit_timer(hapd, sta);
924 if (auth_transaction == 1) {
925 if (sae_check_big_sync(hapd, sta))
926 return WLAN_STATUS_SUCCESS;
927 sta->sae->sync++;
928
929 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
930 status_code);
931 if (ret)
932 return ret;
933
934 if (sae_process_commit(sta->sae) < 0)
935 return WLAN_STATUS_UNSPECIFIED_FAILURE;
936
937 ret = auth_sae_send_confirm(hapd, sta, bssid);
938 if (ret)
939 return ret;
940
941 sae_set_retransmit_timer(hapd, sta);
942 } else {
943 sta->sae->send_confirm = 0xffff;
944 sae_accept_sta(hapd, sta);
945 }
946 break;
947 case SAE_ACCEPTED:
948 if (auth_transaction == 1 &&
949 (hapd->conf->mesh & MESH_ENABLED)) {
950 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
951 ") doing reauthentication",
952 MAC2STR(sta->addr));
953 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
954 ap_free_sta(hapd, sta);
955 *sta_removed = 1;
956 } else if (auth_transaction == 1) {
957 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
958 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
959 status_code);
960 if (ret)
961 return ret;
962 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
963
964 if (sae_process_commit(sta->sae) < 0)
965 return WLAN_STATUS_UNSPECIFIED_FAILURE;
966 sta->sae->sync = 0;
967 sae_set_retransmit_timer(hapd, sta);
968 } else {
969 if (sae_check_big_sync(hapd, sta))
970 return WLAN_STATUS_SUCCESS;
971 sta->sae->sync++;
972
973 ret = auth_sae_send_confirm(hapd, sta, bssid);
974 sae_clear_temp_data(sta->sae);
975 if (ret)
976 return ret;
977 }
978 break;
979 default:
980 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
981 sta->sae->state);
982 return WLAN_STATUS_UNSPECIFIED_FAILURE;
983 }
984 return WLAN_STATUS_SUCCESS;
985 }
986
987
988 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
989 {
990 struct sae_data *sae = sta->sae;
991 int i, *groups = hapd->conf->sae_groups;
992 int default_groups[] = { 19, 0 };
993
994 if (sae->state != SAE_COMMITTED)
995 return;
996
997 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
998
999 if (!groups)
1000 groups = default_groups;
1001 for (i = 0; groups[i] > 0; i++) {
1002 if (sae->group == groups[i])
1003 break;
1004 }
1005
1006 if (groups[i] <= 0) {
1007 wpa_printf(MSG_DEBUG,
1008 "SAE: Previously selected group not found from the current configuration");
1009 return;
1010 }
1011
1012 for (;;) {
1013 i++;
1014 if (groups[i] <= 0) {
1015 wpa_printf(MSG_DEBUG,
1016 "SAE: No alternative group enabled");
1017 return;
1018 }
1019
1020 if (sae_set_group(sae, groups[i]) < 0)
1021 continue;
1022
1023 break;
1024 }
1025 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1026 }
1027
1028
1029 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1030 {
1031 return (hapd->conf->sae_pwe == 0 &&
1032 status_code == WLAN_STATUS_SUCCESS) ||
1033 (hapd->conf->sae_pwe == 1 &&
1034 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
1035 (hapd->conf->sae_pwe == 2 &&
1036 (status_code == WLAN_STATUS_SUCCESS ||
1037 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT));
1038 }
1039
1040
1041 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1042 {
1043 int *groups = hapd->conf->sae_groups;
1044 int default_groups[] = { 19, 0 };
1045 int i;
1046
1047 if (!groups)
1048 groups = default_groups;
1049
1050 for (i = 0; groups[i] > 0; i++) {
1051 if (groups[i] == group)
1052 return 1;
1053 }
1054
1055 return 0;
1056 }
1057
1058
1059 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1060 const struct wpabuf *groups)
1061 {
1062 size_t i, count;
1063 const u8 *pos;
1064
1065 if (!groups)
1066 return 0;
1067
1068 pos = wpabuf_head(groups);
1069 count = wpabuf_len(groups) / 2;
1070 for (i = 0; i < count; i++) {
1071 int enabled;
1072 u16 group;
1073
1074 group = WPA_GET_LE16(pos);
1075 pos += 2;
1076 enabled = sae_is_group_enabled(hapd, group);
1077 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1078 group, enabled ? "enabled" : "disabled");
1079 if (enabled)
1080 return 1;
1081 }
1082
1083 return 0;
1084 }
1085
1086
1087 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1088 const struct ieee80211_mgmt *mgmt, size_t len,
1089 u16 auth_transaction, u16 status_code)
1090 {
1091 int resp = WLAN_STATUS_SUCCESS;
1092 struct wpabuf *data = NULL;
1093 int *groups = hapd->conf->sae_groups;
1094 int default_groups[] = { 19, 0 };
1095 const u8 *pos, *end;
1096 int sta_removed = 0;
1097
1098 if (!groups)
1099 groups = default_groups;
1100
1101 #ifdef CONFIG_TESTING_OPTIONS
1102 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1103 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1104 pos = mgmt->u.auth.variable;
1105 end = ((const u8 *) mgmt) + len;
1106 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1107 auth_transaction, resp, pos, end - pos,
1108 "auth-sae-reflection-attack");
1109 goto remove_sta;
1110 }
1111
1112 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1113 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1114 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1115 auth_transaction, resp,
1116 wpabuf_head(hapd->conf->sae_commit_override),
1117 wpabuf_len(hapd->conf->sae_commit_override),
1118 "sae-commit-override");
1119 goto remove_sta;
1120 }
1121 #endif /* CONFIG_TESTING_OPTIONS */
1122 if (!sta->sae) {
1123 if (auth_transaction != 1 ||
1124 !sae_status_success(hapd, status_code)) {
1125 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1126 status_code);
1127 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1128 goto reply;
1129 }
1130 sta->sae = os_zalloc(sizeof(*sta->sae));
1131 if (!sta->sae) {
1132 resp = -1;
1133 goto remove_sta;
1134 }
1135 sae_set_state(sta, SAE_NOTHING, "Init");
1136 sta->sae->sync = 0;
1137 }
1138
1139 if (sta->mesh_sae_pmksa_caching) {
1140 wpa_printf(MSG_DEBUG,
1141 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1142 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1143 sta->mesh_sae_pmksa_caching = 0;
1144 }
1145
1146 if (auth_transaction == 1) {
1147 const u8 *token = NULL;
1148 size_t token_len = 0;
1149 int allow_reuse = 0;
1150
1151 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1152 HOSTAPD_LEVEL_DEBUG,
1153 "start SAE authentication (RX commit, status=%u (%s))",
1154 status_code, status2str(status_code));
1155
1156 if ((hapd->conf->mesh & MESH_ENABLED) &&
1157 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1158 sta->sae->tmp) {
1159 pos = mgmt->u.auth.variable;
1160 end = ((const u8 *) mgmt) + len;
1161 if (pos + sizeof(le16) > end) {
1162 wpa_printf(MSG_ERROR,
1163 "SAE: Too short anti-clogging token request");
1164 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1165 goto reply;
1166 }
1167 resp = sae_group_allowed(sta->sae, groups,
1168 WPA_GET_LE16(pos));
1169 if (resp != WLAN_STATUS_SUCCESS) {
1170 wpa_printf(MSG_ERROR,
1171 "SAE: Invalid group in anti-clogging token request");
1172 goto reply;
1173 }
1174 pos += sizeof(le16);
1175
1176 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1177 sta->sae->tmp->anti_clogging_token =
1178 wpabuf_alloc_copy(pos, end - pos);
1179 if (sta->sae->tmp->anti_clogging_token == NULL) {
1180 wpa_printf(MSG_ERROR,
1181 "SAE: Failed to alloc for anti-clogging token");
1182 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1183 goto remove_sta;
1184 }
1185
1186 /*
1187 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1188 * is 76, a new Commit Message shall be constructed
1189 * with the Anti-Clogging Token from the received
1190 * Authentication frame, and the commit-scalar and
1191 * COMMIT-ELEMENT previously sent.
1192 */
1193 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1194 status_code);
1195 if (resp != WLAN_STATUS_SUCCESS) {
1196 wpa_printf(MSG_ERROR,
1197 "SAE: Failed to send commit message");
1198 goto remove_sta;
1199 }
1200 sae_set_state(sta, SAE_COMMITTED,
1201 "Sent Commit (anti-clogging token case in mesh)");
1202 sta->sae->sync = 0;
1203 sae_set_retransmit_timer(hapd, sta);
1204 return;
1205 }
1206
1207 if ((hapd->conf->mesh & MESH_ENABLED) &&
1208 status_code ==
1209 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1210 sta->sae->tmp) {
1211 wpa_printf(MSG_DEBUG,
1212 "SAE: Peer did not accept our SAE group");
1213 sae_pick_next_group(hapd, sta);
1214 goto remove_sta;
1215 }
1216
1217 if (!sae_status_success(hapd, status_code))
1218 goto remove_sta;
1219
1220 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1221 sta->sae->state == SAE_COMMITTED) {
1222 /* This is needed in the infrastructure BSS case to
1223 * address a sequence where a STA entry may remain in
1224 * hostapd across two attempts to do SAE authentication
1225 * by the same STA. The second attempt may end up trying
1226 * to use a different group and that would not be
1227 * allowed if we remain in Committed state with the
1228 * previously set parameters. */
1229 pos = mgmt->u.auth.variable;
1230 end = ((const u8 *) mgmt) + len;
1231 if (end - pos >= (int) sizeof(le16) &&
1232 sae_group_allowed(sta->sae, groups,
1233 WPA_GET_LE16(pos)) ==
1234 WLAN_STATUS_SUCCESS) {
1235 /* Do not waste resources deriving the same PWE
1236 * again since the same group is reused. */
1237 sae_set_state(sta, SAE_NOTHING,
1238 "Allow previous PWE to be reused");
1239 allow_reuse = 1;
1240 } else {
1241 sae_set_state(sta, SAE_NOTHING,
1242 "Clear existing state to allow restart");
1243 sae_clear_data(sta->sae);
1244 }
1245 }
1246
1247 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1248 ((const u8 *) mgmt) + len -
1249 mgmt->u.auth.variable, &token,
1250 &token_len, groups, status_code ==
1251 WLAN_STATUS_SAE_HASH_TO_ELEMENT);
1252 if (resp == SAE_SILENTLY_DISCARD) {
1253 wpa_printf(MSG_DEBUG,
1254 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1255 MAC2STR(sta->addr));
1256 goto remove_sta;
1257 }
1258
1259 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1260 wpa_msg(hapd->msg_ctx, MSG_INFO,
1261 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1262 MACSTR, MAC2STR(sta->addr));
1263 sae_clear_retransmit_timer(hapd, sta);
1264 sae_set_state(sta, SAE_NOTHING,
1265 "Unknown Password Identifier");
1266 goto remove_sta;
1267 }
1268
1269 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1270 < 0) {
1271 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1272 "incorrect token from " MACSTR,
1273 MAC2STR(sta->addr));
1274 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1275 goto remove_sta;
1276 }
1277
1278 if (resp != WLAN_STATUS_SUCCESS)
1279 goto reply;
1280
1281 if (sta->sae->tmp &&
1282 check_sae_rejected_groups(
1283 hapd, sta->sae->tmp->peer_rejected_groups)) {
1284 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1285 goto reply;
1286 }
1287
1288 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1289 wpa_printf(MSG_DEBUG,
1290 "SAE: Request anti-clogging token from "
1291 MACSTR, MAC2STR(sta->addr));
1292 data = auth_build_token_req(hapd, sta->sae->group,
1293 sta->addr);
1294 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1295 if (hapd->conf->mesh & MESH_ENABLED)
1296 sae_set_state(sta, SAE_NOTHING,
1297 "Request anti-clogging token case in mesh");
1298 goto reply;
1299 }
1300
1301 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1302 status_code, allow_reuse, &sta_removed);
1303 } else if (auth_transaction == 2) {
1304 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1305 HOSTAPD_LEVEL_DEBUG,
1306 "SAE authentication (RX confirm, status=%u (%s))",
1307 status_code, status2str(status_code));
1308 if (status_code != WLAN_STATUS_SUCCESS)
1309 goto remove_sta;
1310 if (sta->sae->state >= SAE_CONFIRMED ||
1311 !(hapd->conf->mesh & MESH_ENABLED)) {
1312 const u8 *var;
1313 size_t var_len;
1314 u16 peer_send_confirm;
1315
1316 var = mgmt->u.auth.variable;
1317 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1318 if (var_len < 2) {
1319 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1320 goto reply;
1321 }
1322
1323 peer_send_confirm = WPA_GET_LE16(var);
1324
1325 if (sta->sae->state == SAE_ACCEPTED &&
1326 (peer_send_confirm <= sta->sae->rc ||
1327 peer_send_confirm == 0xffff)) {
1328 wpa_printf(MSG_DEBUG,
1329 "SAE: Silently ignore unexpected Confirm from peer "
1330 MACSTR
1331 " (peer-send-confirm=%u Rc=%u)",
1332 MAC2STR(sta->addr),
1333 peer_send_confirm, sta->sae->rc);
1334 return;
1335 }
1336
1337 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1338 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1339 goto reply;
1340 }
1341 sta->sae->rc = peer_send_confirm;
1342 }
1343 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1344 status_code, 0, &sta_removed);
1345 } else {
1346 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1347 HOSTAPD_LEVEL_DEBUG,
1348 "unexpected SAE authentication transaction %u (status=%u (%s))",
1349 auth_transaction, status_code,
1350 status2str(status_code));
1351 if (status_code != WLAN_STATUS_SUCCESS)
1352 goto remove_sta;
1353 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1354 }
1355
1356 reply:
1357 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1358 pos = mgmt->u.auth.variable;
1359 end = ((const u8 *) mgmt) + len;
1360
1361 /* Copy the Finite Cyclic Group field from the request if we
1362 * rejected it as unsupported group. */
1363 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1364 !data && end - pos >= 2)
1365 data = wpabuf_alloc_copy(pos, 2);
1366
1367 sae_sme_send_external_auth_status(hapd, sta, resp);
1368 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1369 auth_transaction, resp,
1370 data ? wpabuf_head(data) : (u8 *) "",
1371 data ? wpabuf_len(data) : 0, "auth-sae");
1372 }
1373
1374 remove_sta:
1375 if (!sta_removed && sta->added_unassoc &&
1376 (resp != WLAN_STATUS_SUCCESS ||
1377 status_code != WLAN_STATUS_SUCCESS)) {
1378 hostapd_drv_sta_remove(hapd, sta->addr);
1379 sta->added_unassoc = 0;
1380 }
1381 wpabuf_free(data);
1382 }
1383
1384
1385 /**
1386 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1387 * @hapd: BSS data for the device initiating the authentication
1388 * @sta: the peer to which commit authentication frame is sent
1389 *
1390 * This function implements Init event handling (IEEE Std 802.11-2012,
1391 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1392 * sta->sae structure should be initialized appropriately via a call to
1393 * sae_prepare_commit().
1394 */
1395 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1396 {
1397 int ret;
1398
1399 if (!sta->sae || !sta->sae->tmp)
1400 return -1;
1401
1402 if (sta->sae->state != SAE_NOTHING)
1403 return -1;
1404
1405 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1406 if (ret)
1407 return -1;
1408
1409 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1410 sta->sae->sync = 0;
1411 sae_set_retransmit_timer(hapd, sta);
1412
1413 return 0;
1414 }
1415
1416
1417 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1418 {
1419 struct hostapd_data *hapd = eloop_ctx;
1420 struct hostapd_sae_commit_queue *q;
1421 unsigned int queue_len;
1422
1423 q = dl_list_first(&hapd->sae_commit_queue,
1424 struct hostapd_sae_commit_queue, list);
1425 if (!q)
1426 return;
1427 wpa_printf(MSG_DEBUG,
1428 "SAE: Process next available message from queue");
1429 dl_list_del(&q->list);
1430 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1431 q->rssi, 1);
1432 os_free(q);
1433
1434 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1435 return;
1436 queue_len = dl_list_len(&hapd->sae_commit_queue);
1437 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1438 hapd, NULL);
1439 }
1440
1441
1442 static void auth_sae_queue(struct hostapd_data *hapd,
1443 const struct ieee80211_mgmt *mgmt, size_t len,
1444 int rssi)
1445 {
1446 struct hostapd_sae_commit_queue *q, *q2;
1447 unsigned int queue_len;
1448 const struct ieee80211_mgmt *mgmt2;
1449
1450 queue_len = dl_list_len(&hapd->sae_commit_queue);
1451 if (queue_len >= 15) {
1452 wpa_printf(MSG_DEBUG,
1453 "SAE: No more room in message queue - drop the new frame from "
1454 MACSTR, MAC2STR(mgmt->sa));
1455 return;
1456 }
1457
1458 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1459 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1460 queue_len);
1461 q = os_zalloc(sizeof(*q) + len);
1462 if (!q)
1463 return;
1464 q->rssi = rssi;
1465 q->len = len;
1466 os_memcpy(q->msg, mgmt, len);
1467
1468 /* Check whether there is already a queued Authentication frame from the
1469 * same station with the same transaction number and if so, replace that
1470 * queue entry with the new one. This avoids issues with a peer that
1471 * sends multiple times (e.g., due to frequent SAE retries). There is no
1472 * point in us trying to process the old attempts after a new one has
1473 * obsoleted them. */
1474 dl_list_for_each(q2, &hapd->sae_commit_queue,
1475 struct hostapd_sae_commit_queue, list) {
1476 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1477 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1478 mgmt->u.auth.auth_transaction ==
1479 mgmt2->u.auth.auth_transaction) {
1480 wpa_printf(MSG_DEBUG,
1481 "SAE: Replace queued message from same STA with same transaction number");
1482 dl_list_add(&q2->list, &q->list);
1483 dl_list_del(&q2->list);
1484 os_free(q2);
1485 goto queued;
1486 }
1487 }
1488
1489 /* No pending identical entry, so add to the end of the queue */
1490 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1491
1492 queued:
1493 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1494 return;
1495 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1496 hapd, NULL);
1497 }
1498
1499
1500 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1501 {
1502 struct hostapd_sae_commit_queue *q;
1503 const struct ieee80211_mgmt *mgmt;
1504
1505 dl_list_for_each(q, &hapd->sae_commit_queue,
1506 struct hostapd_sae_commit_queue, list) {
1507 mgmt = (const struct ieee80211_mgmt *) q->msg;
1508 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1509 return 1;
1510 }
1511
1512 return 0;
1513 }
1514
1515 #endif /* CONFIG_SAE */
1516
1517
1518 static u16 wpa_res_to_status_code(int res)
1519 {
1520 if (res == WPA_INVALID_GROUP)
1521 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1522 if (res == WPA_INVALID_PAIRWISE)
1523 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1524 if (res == WPA_INVALID_AKMP)
1525 return WLAN_STATUS_AKMP_NOT_VALID;
1526 if (res == WPA_ALLOC_FAIL)
1527 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1528 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1529 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1530 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1531 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1532 if (res == WPA_INVALID_MDIE)
1533 return WLAN_STATUS_INVALID_MDIE;
1534 if (res == WPA_INVALID_PMKID)
1535 return WLAN_STATUS_INVALID_PMKID;
1536 if (res != WPA_IE_OK)
1537 return WLAN_STATUS_INVALID_IE;
1538 return WLAN_STATUS_SUCCESS;
1539 }
1540
1541
1542 #ifdef CONFIG_FILS
1543
1544 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1545 struct sta_info *sta, u16 resp,
1546 struct wpabuf *data, int pub);
1547
1548 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1549 const u8 *pos, size_t len, u16 auth_alg,
1550 u16 auth_transaction, u16 status_code,
1551 void (*cb)(struct hostapd_data *hapd,
1552 struct sta_info *sta, u16 resp,
1553 struct wpabuf *data, int pub))
1554 {
1555 u16 resp = WLAN_STATUS_SUCCESS;
1556 const u8 *end;
1557 struct ieee802_11_elems elems;
1558 int res;
1559 struct wpa_ie_data rsn;
1560 struct rsn_pmksa_cache_entry *pmksa = NULL;
1561
1562 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1563 return;
1564
1565 end = pos + len;
1566
1567 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1568 pos, end - pos);
1569
1570 /* TODO: FILS PK */
1571 #ifdef CONFIG_FILS_SK_PFS
1572 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1573 u16 group;
1574 struct wpabuf *pub;
1575 size_t elem_len;
1576
1577 /* Using FILS PFS */
1578
1579 /* Finite Cyclic Group */
1580 if (end - pos < 2) {
1581 wpa_printf(MSG_DEBUG,
1582 "FILS: No room for Finite Cyclic Group");
1583 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1584 goto fail;
1585 }
1586 group = WPA_GET_LE16(pos);
1587 pos += 2;
1588 if (group != hapd->conf->fils_dh_group) {
1589 wpa_printf(MSG_DEBUG,
1590 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1591 group, hapd->conf->fils_dh_group);
1592 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1593 goto fail;
1594 }
1595
1596 crypto_ecdh_deinit(sta->fils_ecdh);
1597 sta->fils_ecdh = crypto_ecdh_init(group);
1598 if (!sta->fils_ecdh) {
1599 wpa_printf(MSG_INFO,
1600 "FILS: Could not initialize ECDH with group %d",
1601 group);
1602 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1603 goto fail;
1604 }
1605
1606 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1607 if (!pub) {
1608 wpa_printf(MSG_DEBUG,
1609 "FILS: Failed to derive ECDH public key");
1610 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1611 goto fail;
1612 }
1613 elem_len = wpabuf_len(pub);
1614 wpabuf_free(pub);
1615
1616 /* Element */
1617 if ((size_t) (end - pos) < elem_len) {
1618 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1619 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1620 goto fail;
1621 }
1622
1623 wpabuf_free(sta->fils_g_sta);
1624 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1625 wpabuf_clear_free(sta->fils_dh_ss);
1626 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1627 pos, elem_len);
1628 if (!sta->fils_dh_ss) {
1629 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1630 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1631 goto fail;
1632 }
1633 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1634 pos += elem_len;
1635 } else {
1636 crypto_ecdh_deinit(sta->fils_ecdh);
1637 sta->fils_ecdh = NULL;
1638 wpabuf_clear_free(sta->fils_dh_ss);
1639 sta->fils_dh_ss = NULL;
1640 }
1641 #endif /* CONFIG_FILS_SK_PFS */
1642
1643 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1644 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1645 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1646 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1647 goto fail;
1648 }
1649
1650 /* RSNE */
1651 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1652 elems.rsn_ie, elems.rsn_ie_len);
1653 if (!elems.rsn_ie ||
1654 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1655 &rsn) < 0) {
1656 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1657 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1658 goto fail;
1659 }
1660
1661 if (!sta->wpa_sm)
1662 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1663 NULL);
1664 if (!sta->wpa_sm) {
1665 wpa_printf(MSG_DEBUG,
1666 "FILS: Failed to initialize RSN state machine");
1667 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1668 goto fail;
1669 }
1670
1671 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1672 hapd->iface->freq,
1673 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1674 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1675 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1676 elems.mdie, elems.mdie_len, NULL, 0);
1677 resp = wpa_res_to_status_code(res);
1678 if (resp != WLAN_STATUS_SUCCESS)
1679 goto fail;
1680
1681 if (!elems.fils_nonce) {
1682 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1683 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1684 goto fail;
1685 }
1686 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1687 FILS_NONCE_LEN);
1688 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1689
1690 /* PMKID List */
1691 if (rsn.pmkid && rsn.num_pmkid > 0) {
1692 u8 num;
1693 const u8 *pmkid;
1694
1695 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1696 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1697
1698 pmkid = rsn.pmkid;
1699 num = rsn.num_pmkid;
1700 while (num) {
1701 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1702 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1703 pmkid);
1704 if (pmksa)
1705 break;
1706 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1707 sta->addr,
1708 pmkid);
1709 if (pmksa)
1710 break;
1711 pmkid += PMKID_LEN;
1712 num--;
1713 }
1714 }
1715 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1716 wpa_printf(MSG_DEBUG,
1717 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1718 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1719 pmksa = NULL;
1720 }
1721 if (pmksa)
1722 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1723
1724 /* FILS Session */
1725 if (!elems.fils_session) {
1726 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1727 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1728 goto fail;
1729 }
1730 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1731 FILS_SESSION_LEN);
1732 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1733
1734 /* FILS Wrapped Data */
1735 if (elems.fils_wrapped_data) {
1736 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1737 elems.fils_wrapped_data,
1738 elems.fils_wrapped_data_len);
1739 if (!pmksa) {
1740 #ifndef CONFIG_NO_RADIUS
1741 if (!sta->eapol_sm) {
1742 sta->eapol_sm =
1743 ieee802_1x_alloc_eapol_sm(hapd, sta);
1744 }
1745 wpa_printf(MSG_DEBUG,
1746 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1747 ieee802_1x_encapsulate_radius(
1748 hapd, sta, elems.fils_wrapped_data,
1749 elems.fils_wrapped_data_len);
1750 sta->fils_pending_cb = cb;
1751 wpa_printf(MSG_DEBUG,
1752 "FILS: Will send Authentication frame once the response from authentication server is available");
1753 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1754 /* Calculate pending PMKID here so that we do not need
1755 * to maintain a copy of the EAP-Initiate/Reauth
1756 * message. */
1757 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1758 elems.fils_wrapped_data,
1759 elems.fils_wrapped_data_len,
1760 sta->fils_erp_pmkid) == 0)
1761 sta->fils_erp_pmkid_set = 1;
1762 return;
1763 #else /* CONFIG_NO_RADIUS */
1764 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1765 goto fail;
1766 #endif /* CONFIG_NO_RADIUS */
1767 }
1768 }
1769
1770 fail:
1771 if (cb) {
1772 struct wpabuf *data;
1773 int pub = 0;
1774
1775 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1776 NULL, 0, &pub);
1777 if (!data) {
1778 wpa_printf(MSG_DEBUG,
1779 "%s: prepare_auth_resp_fils() returned failure",
1780 __func__);
1781 }
1782
1783 cb(hapd, sta, resp, data, pub);
1784 }
1785 }
1786
1787
1788 static struct wpabuf *
1789 prepare_auth_resp_fils(struct hostapd_data *hapd,
1790 struct sta_info *sta, u16 *resp,
1791 struct rsn_pmksa_cache_entry *pmksa,
1792 struct wpabuf *erp_resp,
1793 const u8 *msk, size_t msk_len,
1794 int *is_pub)
1795 {
1796 u8 fils_nonce[FILS_NONCE_LEN];
1797 size_t ielen;
1798 struct wpabuf *data = NULL;
1799 const u8 *ie;
1800 u8 *ie_buf = NULL;
1801 const u8 *pmk = NULL;
1802 size_t pmk_len = 0;
1803 u8 pmk_buf[PMK_LEN_MAX];
1804 struct wpabuf *pub = NULL;
1805
1806 if (*resp != WLAN_STATUS_SUCCESS)
1807 goto fail;
1808
1809 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1810 if (!ie) {
1811 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1812 goto fail;
1813 }
1814
1815 if (pmksa) {
1816 /* Add PMKID of the selected PMKSA into RSNE */
1817 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1818 if (!ie_buf) {
1819 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1820 goto fail;
1821 }
1822
1823 os_memcpy(ie_buf, ie, ielen);
1824 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1825 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1826 goto fail;
1827 }
1828 ie = ie_buf;
1829 }
1830
1831 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1832 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1833 goto fail;
1834 }
1835 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1836 fils_nonce, FILS_NONCE_LEN);
1837
1838 #ifdef CONFIG_FILS_SK_PFS
1839 if (sta->fils_dh_ss && sta->fils_ecdh) {
1840 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1841 if (!pub) {
1842 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1843 goto fail;
1844 }
1845 }
1846 #endif /* CONFIG_FILS_SK_PFS */
1847
1848 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1849 if (!data) {
1850 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1851 goto fail;
1852 }
1853
1854 /* TODO: FILS PK */
1855 #ifdef CONFIG_FILS_SK_PFS
1856 if (pub) {
1857 /* Finite Cyclic Group */
1858 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1859
1860 /* Element */
1861 wpabuf_put_buf(data, pub);
1862 }
1863 #endif /* CONFIG_FILS_SK_PFS */
1864
1865 /* RSNE */
1866 wpabuf_put_data(data, ie, ielen);
1867
1868 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1869
1870 #ifdef CONFIG_IEEE80211R_AP
1871 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1872 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1873 int res;
1874 int use_sha384 = wpa_key_mgmt_sha384(
1875 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1876
1877 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1878 wpabuf_put(data, 0),
1879 wpabuf_tailroom(data));
1880 if (res < 0) {
1881 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1882 goto fail;
1883 }
1884 wpabuf_put(data, res);
1885 }
1886 #endif /* CONFIG_IEEE80211R_AP */
1887
1888 /* FILS Nonce */
1889 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1890 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1891 /* Element ID Extension */
1892 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1893 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1894
1895 /* FILS Session */
1896 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1897 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1898 /* Element ID Extension */
1899 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1900 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1901
1902 /* FILS Wrapped Data */
1903 if (!pmksa && erp_resp) {
1904 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1905 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1906 /* Element ID Extension */
1907 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1908 wpabuf_put_buf(data, erp_resp);
1909
1910 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1911 msk, msk_len, sta->fils_snonce, fils_nonce,
1912 sta->fils_dh_ss ?
1913 wpabuf_head(sta->fils_dh_ss) : NULL,
1914 sta->fils_dh_ss ?
1915 wpabuf_len(sta->fils_dh_ss) : 0,
1916 pmk_buf, &pmk_len)) {
1917 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1918 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1919 wpabuf_free(data);
1920 data = NULL;
1921 goto fail;
1922 }
1923 pmk = pmk_buf;
1924
1925 /* Don't use DHss in PTK derivation if PMKSA caching is not
1926 * used. */
1927 wpabuf_clear_free(sta->fils_dh_ss);
1928 sta->fils_dh_ss = NULL;
1929
1930 if (sta->fils_erp_pmkid_set) {
1931 /* TODO: get PMKLifetime from WPA parameters */
1932 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1933 int session_timeout;
1934
1935 session_timeout = dot11RSNAConfigPMKLifetime;
1936 if (sta->session_timeout_set) {
1937 struct os_reltime now, diff;
1938
1939 os_get_reltime(&now);
1940 os_reltime_sub(&sta->session_timeout, &now,
1941 &diff);
1942 session_timeout = diff.sec;
1943 }
1944
1945 sta->fils_erp_pmkid_set = 0;
1946 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
1947 sta->fils_erp_pmkid);
1948 if (!hapd->conf->disable_pmksa_caching &&
1949 wpa_auth_pmksa_add2(
1950 hapd->wpa_auth, sta->addr,
1951 pmk, pmk_len,
1952 sta->fils_erp_pmkid,
1953 session_timeout,
1954 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1955 wpa_printf(MSG_ERROR,
1956 "FILS: Failed to add PMKSA cache entry based on ERP");
1957 }
1958 }
1959 } else if (pmksa) {
1960 pmk = pmksa->pmk;
1961 pmk_len = pmksa->pmk_len;
1962 }
1963
1964 if (!pmk) {
1965 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1966 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1967 wpabuf_free(data);
1968 data = NULL;
1969 goto fail;
1970 }
1971
1972 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1973 sta->fils_snonce, fils_nonce,
1974 sta->fils_dh_ss ?
1975 wpabuf_head(sta->fils_dh_ss) : NULL,
1976 sta->fils_dh_ss ?
1977 wpabuf_len(sta->fils_dh_ss) : 0,
1978 sta->fils_g_sta, pub) < 0) {
1979 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1980 wpabuf_free(data);
1981 data = NULL;
1982 goto fail;
1983 }
1984
1985 fail:
1986 if (is_pub)
1987 *is_pub = pub != NULL;
1988 os_free(ie_buf);
1989 wpabuf_free(pub);
1990 wpabuf_clear_free(sta->fils_dh_ss);
1991 sta->fils_dh_ss = NULL;
1992 #ifdef CONFIG_FILS_SK_PFS
1993 crypto_ecdh_deinit(sta->fils_ecdh);
1994 sta->fils_ecdh = NULL;
1995 #endif /* CONFIG_FILS_SK_PFS */
1996 return data;
1997 }
1998
1999
2000 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2001 struct sta_info *sta, u16 resp,
2002 struct wpabuf *data, int pub)
2003 {
2004 u16 auth_alg;
2005
2006 auth_alg = (pub ||
2007 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2008 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2009 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2010 data ? wpabuf_head(data) : (u8 *) "",
2011 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2012 wpabuf_free(data);
2013
2014 if (resp == WLAN_STATUS_SUCCESS) {
2015 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2016 HOSTAPD_LEVEL_DEBUG,
2017 "authentication OK (FILS)");
2018 sta->flags |= WLAN_STA_AUTH;
2019 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2020 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2021 mlme_authenticate_indication(hapd, sta);
2022 }
2023 }
2024
2025
2026 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2027 struct sta_info *sta, int success,
2028 struct wpabuf *erp_resp,
2029 const u8 *msk, size_t msk_len)
2030 {
2031 struct wpabuf *data;
2032 int pub = 0;
2033 u16 resp;
2034
2035 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2036
2037 if (!sta->fils_pending_cb)
2038 return;
2039 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2040 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2041 msk, msk_len, &pub);
2042 if (!data) {
2043 wpa_printf(MSG_DEBUG,
2044 "%s: prepare_auth_resp_fils() returned failure",
2045 __func__);
2046 }
2047 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2048 }
2049
2050 #endif /* CONFIG_FILS */
2051
2052
2053 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2054 const u8 *msg, size_t len,
2055 struct radius_sta *info)
2056 {
2057 int res;
2058
2059 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2060
2061 if (res == HOSTAPD_ACL_REJECT) {
2062 wpa_printf(MSG_DEBUG, "Station " MACSTR
2063 " not allowed to authenticate",
2064 MAC2STR(addr));
2065 return HOSTAPD_ACL_REJECT;
2066 }
2067
2068 if (res == HOSTAPD_ACL_PENDING) {
2069 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2070 " waiting for an external authentication",
2071 MAC2STR(addr));
2072 /* Authentication code will re-send the authentication frame
2073 * after it has received (and cached) information from the
2074 * external source. */
2075 return HOSTAPD_ACL_PENDING;
2076 }
2077
2078 return res;
2079 }
2080
2081
2082 static int
2083 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2084 int res, struct radius_sta *info)
2085 {
2086 u32 session_timeout = info->session_timeout;
2087 u32 acct_interim_interval = info->acct_interim_interval;
2088 struct vlan_description *vlan_id = &info->vlan_id;
2089 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2090 char *identity = info->identity;
2091 char *radius_cui = info->radius_cui;
2092
2093 if (vlan_id->notempty &&
2094 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2095 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2096 HOSTAPD_LEVEL_INFO,
2097 "Invalid VLAN %d%s received from RADIUS server",
2098 vlan_id->untagged,
2099 vlan_id->tagged[0] ? "+" : "");
2100 return -1;
2101 }
2102 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2103 return -1;
2104 if (sta->vlan_id)
2105 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2106 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2107
2108 hostapd_free_psk_list(sta->psk);
2109 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2110 hostapd_copy_psk_list(&sta->psk, psk);
2111 else
2112 sta->psk = NULL;
2113
2114 os_free(sta->identity);
2115 if (identity)
2116 sta->identity = os_strdup(identity);
2117 else
2118 sta->identity = NULL;
2119
2120 os_free(sta->radius_cui);
2121 if (radius_cui)
2122 sta->radius_cui = os_strdup(radius_cui);
2123 else
2124 sta->radius_cui = NULL;
2125
2126 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2127 sta->acct_interim_interval = acct_interim_interval;
2128 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2129 sta->session_timeout_set = 1;
2130 os_get_reltime(&sta->session_timeout);
2131 sta->session_timeout.sec += session_timeout;
2132 ap_sta_session_timeout(hapd, sta, session_timeout);
2133 } else {
2134 sta->session_timeout_set = 0;
2135 ap_sta_no_session_timeout(hapd, sta);
2136 }
2137
2138 return 0;
2139 }
2140
2141
2142 static void handle_auth(struct hostapd_data *hapd,
2143 const struct ieee80211_mgmt *mgmt, size_t len,
2144 int rssi, int from_queue)
2145 {
2146 u16 auth_alg, auth_transaction, status_code;
2147 u16 resp = WLAN_STATUS_SUCCESS;
2148 struct sta_info *sta = NULL;
2149 int res, reply_res;
2150 u16 fc;
2151 const u8 *challenge = NULL;
2152 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2153 size_t resp_ies_len = 0;
2154 u16 seq_ctrl;
2155 struct radius_sta rad_info;
2156
2157 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2158 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2159 (unsigned long) len);
2160 return;
2161 }
2162
2163 #ifdef CONFIG_TESTING_OPTIONS
2164 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2165 drand48() < hapd->iconf->ignore_auth_probability) {
2166 wpa_printf(MSG_INFO,
2167 "TESTING: ignoring auth frame from " MACSTR,
2168 MAC2STR(mgmt->sa));
2169 return;
2170 }
2171 #endif /* CONFIG_TESTING_OPTIONS */
2172
2173 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2174 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2175 status_code = le_to_host16(mgmt->u.auth.status_code);
2176 fc = le_to_host16(mgmt->frame_control);
2177 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2178
2179 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2180 2 + WLAN_AUTH_CHALLENGE_LEN &&
2181 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2182 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2183 challenge = &mgmt->u.auth.variable[2];
2184
2185 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2186 "auth_transaction=%d status_code=%d wep=%d%s "
2187 "seq_ctrl=0x%x%s%s",
2188 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2189 status_code, !!(fc & WLAN_FC_ISWEP),
2190 challenge ? " challenge" : "",
2191 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2192 from_queue ? " (from queue)" : "");
2193
2194 #ifdef CONFIG_NO_RC4
2195 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2196 wpa_printf(MSG_INFO,
2197 "Unsupported authentication algorithm (%d)",
2198 auth_alg);
2199 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2200 goto fail;
2201 }
2202 #endif /* CONFIG_NO_RC4 */
2203
2204 if (hapd->tkip_countermeasures) {
2205 wpa_printf(MSG_DEBUG,
2206 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2207 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2208 goto fail;
2209 }
2210
2211 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2212 auth_alg == WLAN_AUTH_OPEN) ||
2213 #ifdef CONFIG_IEEE80211R_AP
2214 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2215 auth_alg == WLAN_AUTH_FT) ||
2216 #endif /* CONFIG_IEEE80211R_AP */
2217 #ifdef CONFIG_SAE
2218 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2219 auth_alg == WLAN_AUTH_SAE) ||
2220 #endif /* CONFIG_SAE */
2221 #ifdef CONFIG_FILS
2222 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2223 auth_alg == WLAN_AUTH_FILS_SK) ||
2224 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2225 hapd->conf->fils_dh_group &&
2226 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2227 #endif /* CONFIG_FILS */
2228 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2229 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2230 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2231 auth_alg);
2232 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2233 goto fail;
2234 }
2235
2236 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2237 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2238 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2239 auth_transaction);
2240 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2241 goto fail;
2242 }
2243
2244 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2245 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2246 MAC2STR(mgmt->sa));
2247 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2248 goto fail;
2249 }
2250
2251 if (hapd->conf->no_auth_if_seen_on) {
2252 struct hostapd_data *other;
2253
2254 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2255 hapd->conf->no_auth_if_seen_on);
2256 if (other) {
2257 u8 *pos;
2258 u32 info;
2259 u8 op_class, channel, phytype;
2260
2261 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2262 MACSTR " since STA has been seen on %s",
2263 hapd->conf->iface, MAC2STR(mgmt->sa),
2264 hapd->conf->no_auth_if_seen_on);
2265
2266 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2267 pos = &resp_ies[0];
2268 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2269 *pos++ = 13;
2270 os_memcpy(pos, other->own_addr, ETH_ALEN);
2271 pos += ETH_ALEN;
2272 info = 0; /* TODO: BSSID Information */
2273 WPA_PUT_LE32(pos, info);
2274 pos += 4;
2275 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2276 phytype = 8; /* dmg */
2277 else if (other->iconf->ieee80211ac)
2278 phytype = 9; /* vht */
2279 else if (other->iconf->ieee80211n)
2280 phytype = 7; /* ht */
2281 else if (other->iconf->hw_mode ==
2282 HOSTAPD_MODE_IEEE80211A)
2283 phytype = 4; /* ofdm */
2284 else if (other->iconf->hw_mode ==
2285 HOSTAPD_MODE_IEEE80211G)
2286 phytype = 6; /* erp */
2287 else
2288 phytype = 5; /* hrdsss */
2289 if (ieee80211_freq_to_channel_ext(
2290 hostapd_hw_get_freq(other,
2291 other->iconf->channel),
2292 other->iconf->secondary_channel,
2293 other->iconf->ieee80211ac,
2294 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2295 op_class = 0;
2296 channel = other->iconf->channel;
2297 }
2298 *pos++ = op_class;
2299 *pos++ = channel;
2300 *pos++ = phytype;
2301 resp_ies_len = pos - &resp_ies[0];
2302 goto fail;
2303 }
2304 }
2305
2306 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
2307 &rad_info);
2308 if (res == HOSTAPD_ACL_REJECT) {
2309 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2310 "Ignore Authentication frame from " MACSTR
2311 " due to ACL reject", MAC2STR(mgmt->sa));
2312 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2313 goto fail;
2314 }
2315 if (res == HOSTAPD_ACL_PENDING)
2316 return;
2317
2318 #ifdef CONFIG_SAE
2319 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2320 (auth_transaction == 1 ||
2321 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2322 /* Handle SAE Authentication commit message through a queue to
2323 * provide more control for postponing the needed heavy
2324 * processing under a possible DoS attack scenario. In addition,
2325 * queue SAE Authentication confirm message if there happens to
2326 * be a queued commit message from the same peer. This is needed
2327 * to avoid reordering Authentication frames within the same
2328 * SAE exchange. */
2329 auth_sae_queue(hapd, mgmt, len, rssi);
2330 return;
2331 }
2332 #endif /* CONFIG_SAE */
2333
2334 sta = ap_get_sta(hapd, mgmt->sa);
2335 if (sta) {
2336 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2337 sta->ft_over_ds = 0;
2338 if ((fc & WLAN_FC_RETRY) &&
2339 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2340 sta->last_seq_ctrl == seq_ctrl &&
2341 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2342 hostapd_logger(hapd, sta->addr,
2343 HOSTAPD_MODULE_IEEE80211,
2344 HOSTAPD_LEVEL_DEBUG,
2345 "Drop repeated authentication frame seq_ctrl=0x%x",
2346 seq_ctrl);
2347 return;
2348 }
2349 #ifdef CONFIG_MESH
2350 if ((hapd->conf->mesh & MESH_ENABLED) &&
2351 sta->plink_state == PLINK_BLOCKED) {
2352 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2353 " is blocked - drop Authentication frame",
2354 MAC2STR(mgmt->sa));
2355 return;
2356 }
2357 #endif /* CONFIG_MESH */
2358 } else {
2359 #ifdef CONFIG_MESH
2360 if (hapd->conf->mesh & MESH_ENABLED) {
2361 /* if the mesh peer is not available, we don't do auth.
2362 */
2363 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2364 " not yet known - drop Authentication frame",
2365 MAC2STR(mgmt->sa));
2366 /*
2367 * Save a copy of the frame so that it can be processed
2368 * if a new peer entry is added shortly after this.
2369 */
2370 wpabuf_free(hapd->mesh_pending_auth);
2371 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2372 os_get_reltime(&hapd->mesh_pending_auth_time);
2373 return;
2374 }
2375 #endif /* CONFIG_MESH */
2376
2377 sta = ap_sta_add(hapd, mgmt->sa);
2378 if (!sta) {
2379 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2380 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2381 goto fail;
2382 }
2383 }
2384 sta->last_seq_ctrl = seq_ctrl;
2385 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2386 #ifdef CONFIG_MBO
2387 sta->auth_rssi = rssi;
2388 #endif /* CONFIG_MBO */
2389
2390 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
2391 if (res) {
2392 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2393 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2394 goto fail;
2395 }
2396
2397 sta->flags &= ~WLAN_STA_PREAUTH;
2398 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2399
2400 /*
2401 * If the driver supports full AP client state, add a station to the
2402 * driver before sending authentication reply to make sure the driver
2403 * has resources, and not to go through the entire authentication and
2404 * association handshake, and fail it at the end.
2405 *
2406 * If this is not the first transaction, in a multi-step authentication
2407 * algorithm, the station already exists in the driver
2408 * (sta->added_unassoc = 1) so skip it.
2409 *
2410 * In mesh mode, the station was already added to the driver when the
2411 * NEW_PEER_CANDIDATE event is received.
2412 *
2413 * If PMF was negotiated for the existing association, skip this to
2414 * avoid dropping the STA entry and the associated keys. This is needed
2415 * to allow the original connection work until the attempt can complete
2416 * (re)association, so that unprotected Authentication frame cannot be
2417 * used to bypass PMF protection.
2418 */
2419 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2420 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2421 !(hapd->conf->mesh & MESH_ENABLED) &&
2422 !(sta->added_unassoc)) {
2423 /*
2424 * If a station that is already associated to the AP, is trying
2425 * to authenticate again, remove the STA entry, in order to make
2426 * sure the STA PS state gets cleared and configuration gets
2427 * updated. To handle this, station's added_unassoc flag is
2428 * cleared once the station has completed association.
2429 */
2430 ap_sta_set_authorized(hapd, sta, 0);
2431 hostapd_drv_sta_remove(hapd, sta->addr);
2432 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2433 WLAN_STA_AUTHORIZED);
2434
2435 if (hostapd_sta_add(hapd, sta->addr, 0, 0,
2436 sta->supported_rates,
2437 sta->supported_rates_len,
2438 0, NULL, NULL, NULL, 0,
2439 sta->flags, 0, 0, 0, 0)) {
2440 hostapd_logger(hapd, sta->addr,
2441 HOSTAPD_MODULE_IEEE80211,
2442 HOSTAPD_LEVEL_NOTICE,
2443 "Could not add STA to kernel driver");
2444 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2445 goto fail;
2446 }
2447
2448 sta->added_unassoc = 1;
2449 }
2450
2451 switch (auth_alg) {
2452 case WLAN_AUTH_OPEN:
2453 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2454 HOSTAPD_LEVEL_DEBUG,
2455 "authentication OK (open system)");
2456 sta->flags |= WLAN_STA_AUTH;
2457 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2458 sta->auth_alg = WLAN_AUTH_OPEN;
2459 mlme_authenticate_indication(hapd, sta);
2460 break;
2461 #ifndef CONFIG_NO_RC4
2462 case WLAN_AUTH_SHARED_KEY:
2463 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2464 fc & WLAN_FC_ISWEP);
2465 if (resp != 0)
2466 wpa_printf(MSG_DEBUG,
2467 "auth_shared_key() failed: status=%d", resp);
2468 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2469 mlme_authenticate_indication(hapd, sta);
2470 if (sta->challenge && auth_transaction == 1) {
2471 resp_ies[0] = WLAN_EID_CHALLENGE;
2472 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2473 os_memcpy(resp_ies + 2, sta->challenge,
2474 WLAN_AUTH_CHALLENGE_LEN);
2475 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2476 }
2477 break;
2478 #endif /* CONFIG_NO_RC4 */
2479 #ifdef CONFIG_IEEE80211R_AP
2480 case WLAN_AUTH_FT:
2481 sta->auth_alg = WLAN_AUTH_FT;
2482 if (sta->wpa_sm == NULL)
2483 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2484 sta->addr, NULL);
2485 if (sta->wpa_sm == NULL) {
2486 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2487 "state machine");
2488 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2489 goto fail;
2490 }
2491 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2492 auth_transaction, mgmt->u.auth.variable,
2493 len - IEEE80211_HDRLEN -
2494 sizeof(mgmt->u.auth),
2495 handle_auth_ft_finish, hapd);
2496 /* handle_auth_ft_finish() callback will complete auth. */
2497 return;
2498 #endif /* CONFIG_IEEE80211R_AP */
2499 #ifdef CONFIG_SAE
2500 case WLAN_AUTH_SAE:
2501 #ifdef CONFIG_MESH
2502 if (status_code == WLAN_STATUS_SUCCESS &&
2503 hapd->conf->mesh & MESH_ENABLED) {
2504 if (sta->wpa_sm == NULL)
2505 sta->wpa_sm =
2506 wpa_auth_sta_init(hapd->wpa_auth,
2507 sta->addr, NULL);
2508 if (sta->wpa_sm == NULL) {
2509 wpa_printf(MSG_DEBUG,
2510 "SAE: Failed to initialize WPA state machine");
2511 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2512 goto fail;
2513 }
2514 }
2515 #endif /* CONFIG_MESH */
2516 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2517 status_code);
2518 return;
2519 #endif /* CONFIG_SAE */
2520 #ifdef CONFIG_FILS
2521 case WLAN_AUTH_FILS_SK:
2522 case WLAN_AUTH_FILS_SK_PFS:
2523 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2524 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2525 auth_alg, auth_transaction, status_code,
2526 handle_auth_fils_finish);
2527 return;
2528 #endif /* CONFIG_FILS */
2529 }
2530
2531 fail:
2532 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2533 auth_transaction + 1, resp, resp_ies,
2534 resp_ies_len, "handle-auth");
2535
2536 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2537 reply_res != WLAN_STATUS_SUCCESS)) {
2538 hostapd_drv_sta_remove(hapd, sta->addr);
2539 sta->added_unassoc = 0;
2540 }
2541 }
2542
2543
2544 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2545 {
2546 int i, j = 32, aid;
2547
2548 /* get a unique AID */
2549 if (sta->aid > 0) {
2550 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2551 return 0;
2552 }
2553
2554 if (TEST_FAIL())
2555 return -1;
2556
2557 for (i = 0; i < AID_WORDS; i++) {
2558 if (hapd->sta_aid[i] == (u32) -1)
2559 continue;
2560 for (j = 0; j < 32; j++) {
2561 if (!(hapd->sta_aid[i] & BIT(j)))
2562 break;
2563 }
2564 if (j < 32)
2565 break;
2566 }
2567 if (j == 32)
2568 return -1;
2569 aid = i * 32 + j + 1;
2570 if (aid > 2007)
2571 return -1;
2572
2573 sta->aid = aid;
2574 hapd->sta_aid[i] |= BIT(j);
2575 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2576 return 0;
2577 }
2578
2579
2580 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2581 const u8 *ssid_ie, size_t ssid_ie_len)
2582 {
2583 if (ssid_ie == NULL)
2584 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2585
2586 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2587 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2588 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2589 HOSTAPD_LEVEL_INFO,
2590 "Station tried to associate with unknown SSID "
2591 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2592 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2593 }
2594
2595 return WLAN_STATUS_SUCCESS;
2596 }
2597
2598
2599 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2600 const u8 *wmm_ie, size_t wmm_ie_len)
2601 {
2602 sta->flags &= ~WLAN_STA_WMM;
2603 sta->qosinfo = 0;
2604 if (wmm_ie && hapd->conf->wmm_enabled) {
2605 struct wmm_information_element *wmm;
2606
2607 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2608 hostapd_logger(hapd, sta->addr,
2609 HOSTAPD_MODULE_WPA,
2610 HOSTAPD_LEVEL_DEBUG,
2611 "invalid WMM element in association "
2612 "request");
2613 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2614 }
2615
2616 sta->flags |= WLAN_STA_WMM;
2617 wmm = (struct wmm_information_element *) wmm_ie;
2618 sta->qosinfo = wmm->qos_info;
2619 }
2620 return WLAN_STATUS_SUCCESS;
2621 }
2622
2623 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2624 const u8 *multi_ap_ie, size_t multi_ap_len)
2625 {
2626 u8 multi_ap_value = 0;
2627
2628 sta->flags &= ~WLAN_STA_MULTI_AP;
2629
2630 if (!hapd->conf->multi_ap)
2631 return WLAN_STATUS_SUCCESS;
2632
2633 if (multi_ap_ie) {
2634 const u8 *multi_ap_subelem;
2635
2636 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2637 multi_ap_len - 4,
2638 MULTI_AP_SUB_ELEM_TYPE);
2639 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2640 multi_ap_value = multi_ap_subelem[2];
2641 } else {
2642 hostapd_logger(hapd, sta->addr,
2643 HOSTAPD_MODULE_IEEE80211,
2644 HOSTAPD_LEVEL_INFO,
2645 "Multi-AP IE has missing or invalid Multi-AP subelement");
2646 return WLAN_STATUS_INVALID_IE;
2647 }
2648 }
2649
2650 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2651 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2652 HOSTAPD_LEVEL_INFO,
2653 "Multi-AP IE with unexpected value 0x%02x",
2654 multi_ap_value);
2655
2656 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2657 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2658 return WLAN_STATUS_SUCCESS;
2659
2660 hostapd_logger(hapd, sta->addr,
2661 HOSTAPD_MODULE_IEEE80211,
2662 HOSTAPD_LEVEL_INFO,
2663 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2664 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2665 }
2666
2667 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2668 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2669 HOSTAPD_LEVEL_DEBUG,
2670 "Backhaul STA tries to associate with fronthaul-only BSS");
2671
2672 sta->flags |= WLAN_STA_MULTI_AP;
2673 return WLAN_STATUS_SUCCESS;
2674 }
2675
2676
2677 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2678 struct ieee802_11_elems *elems)
2679 {
2680 /* Supported rates not used in IEEE 802.11ad/DMG */
2681 if (hapd->iface->current_mode &&
2682 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2683 return WLAN_STATUS_SUCCESS;
2684
2685 if (!elems->supp_rates) {
2686 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2687 HOSTAPD_LEVEL_DEBUG,
2688 "No supported rates element in AssocReq");
2689 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2690 }
2691
2692 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2693 sizeof(sta->supported_rates)) {
2694 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2695 HOSTAPD_LEVEL_DEBUG,
2696 "Invalid supported rates element length %d+%d",
2697 elems->supp_rates_len,
2698 elems->ext_supp_rates_len);
2699 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2700 }
2701
2702 sta->supported_rates_len = merge_byte_arrays(
2703 sta->supported_rates, sizeof(sta->supported_rates),
2704 elems->supp_rates, elems->supp_rates_len,
2705 elems->ext_supp_rates, elems->ext_supp_rates_len);
2706
2707 return WLAN_STATUS_SUCCESS;
2708 }
2709
2710
2711 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2712 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2713 {
2714 #ifdef CONFIG_INTERWORKING
2715 /* check for QoS Map support */
2716 if (ext_capab_ie_len >= 5) {
2717 if (ext_capab_ie[4] & 0x01)
2718 sta->qos_map_enabled = 1;
2719 }
2720 #endif /* CONFIG_INTERWORKING */
2721
2722 if (ext_capab_ie_len > 0) {
2723 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2724 os_free(sta->ext_capability);
2725 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2726 if (sta->ext_capability) {
2727 sta->ext_capability[0] = ext_capab_ie_len;
2728 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2729 ext_capab_ie_len);
2730 }
2731 }
2732
2733 return WLAN_STATUS_SUCCESS;
2734 }
2735
2736
2737 #ifdef CONFIG_OWE
2738
2739 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2740 {
2741 int i;
2742 int *groups = hapd->conf->owe_groups;
2743
2744 if (group != 19 && group != 20 && group != 21)
2745 return 0;
2746
2747 if (!groups)
2748 return 1;
2749
2750 for (i = 0; groups[i] > 0; i++) {
2751 if (groups[i] == group)
2752 return 1;
2753 }
2754
2755 return 0;
2756 }
2757
2758
2759 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2760 struct sta_info *sta, const u8 *owe_dh,
2761 u8 owe_dh_len)
2762 {
2763 struct wpabuf *secret, *pub, *hkey;
2764 int res;
2765 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2766 const char *info = "OWE Key Generation";
2767 const u8 *addr[2];
2768 size_t len[2];
2769 u16 group;
2770 size_t hash_len, prime_len;
2771
2772 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2773 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2774 return WLAN_STATUS_SUCCESS;
2775 }
2776
2777 group = WPA_GET_LE16(owe_dh);
2778 if (!owe_group_supported(hapd, group)) {
2779 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2780 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2781 }
2782 if (group == 19)
2783 prime_len = 32;
2784 else if (group == 20)
2785 prime_len = 48;
2786 else if (group == 21)
2787 prime_len = 66;
2788 else
2789 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2790
2791 crypto_ecdh_deinit(sta->owe_ecdh);
2792 sta->owe_ecdh = crypto_ecdh_init(group);
2793 if (!sta->owe_ecdh)
2794 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2795 sta->owe_group = group;
2796
2797 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2798 owe_dh_len - 2);
2799 secret = wpabuf_zeropad(secret, prime_len);
2800 if (!secret) {
2801 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2802 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2803 }
2804 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2805
2806 /* prk = HKDF-extract(C | A | group, z) */
2807
2808 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2809 if (!pub) {
2810 wpabuf_clear_free(secret);
2811 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2812 }
2813
2814 /* PMKID = Truncate-128(Hash(C | A)) */
2815 addr[0] = owe_dh + 2;
2816 len[0] = owe_dh_len - 2;
2817 addr[1] = wpabuf_head(pub);
2818 len[1] = wpabuf_len(pub);
2819 if (group == 19) {
2820 res = sha256_vector(2, addr, len, pmkid);
2821 hash_len = SHA256_MAC_LEN;
2822 } else if (group == 20) {
2823 res = sha384_vector(2, addr, len, pmkid);
2824 hash_len = SHA384_MAC_LEN;
2825 } else if (group == 21) {
2826 res = sha512_vector(2, addr, len, pmkid);
2827 hash_len = SHA512_MAC_LEN;
2828 } else {
2829 wpabuf_free(pub);
2830 wpabuf_clear_free(secret);
2831 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2832 }
2833 pub = wpabuf_zeropad(pub, prime_len);
2834 if (res < 0 || !pub) {
2835 wpabuf_free(pub);
2836 wpabuf_clear_free(secret);
2837 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2838 }
2839
2840 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2841 if (!hkey) {
2842 wpabuf_free(pub);
2843 wpabuf_clear_free(secret);
2844 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2845 }
2846
2847 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2848 wpabuf_put_buf(hkey, pub); /* A */
2849 wpabuf_free(pub);
2850 wpabuf_put_le16(hkey, group); /* group */
2851 if (group == 19)
2852 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2853 wpabuf_head(secret), wpabuf_len(secret), prk);
2854 else if (group == 20)
2855 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2856 wpabuf_head(secret), wpabuf_len(secret), prk);
2857 else if (group == 21)
2858 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2859 wpabuf_head(secret), wpabuf_len(secret), prk);
2860 wpabuf_clear_free(hkey);
2861 wpabuf_clear_free(secret);
2862 if (res < 0)
2863 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2864
2865 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2866
2867 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2868
2869 os_free(sta->owe_pmk);
2870 sta->owe_pmk = os_malloc(hash_len);
2871 if (!sta->owe_pmk) {
2872 os_memset(prk, 0, SHA512_MAC_LEN);
2873 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2874 }
2875
2876 if (group == 19)
2877 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2878 os_strlen(info), sta->owe_pmk, hash_len);
2879 else if (group == 20)
2880 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2881 os_strlen(info), sta->owe_pmk, hash_len);
2882 else if (group == 21)
2883 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2884 os_strlen(info), sta->owe_pmk, hash_len);
2885 os_memset(prk, 0, SHA512_MAC_LEN);
2886 if (res < 0) {
2887 os_free(sta->owe_pmk);
2888 sta->owe_pmk = NULL;
2889 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2890 }
2891 sta->owe_pmk_len = hash_len;
2892
2893 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2894 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2895 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2896 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2897
2898 return WLAN_STATUS_SUCCESS;
2899 }
2900
2901
2902 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
2903 const u8 *rsn_ie, size_t rsn_ie_len,
2904 const u8 *owe_dh, size_t owe_dh_len)
2905 {
2906 struct wpa_ie_data data;
2907 int res;
2908
2909 if (!rsn_ie || rsn_ie_len < 2) {
2910 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
2911 MAC2STR(peer));
2912 return WLAN_STATUS_INVALID_IE;
2913 }
2914 rsn_ie -= 2;
2915 rsn_ie_len += 2;
2916
2917 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
2918 if (res) {
2919 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
2920 " (res=%d)", MAC2STR(peer), res);
2921 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
2922 return wpa_res_to_status_code(res);
2923 }
2924 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
2925 wpa_printf(MSG_DEBUG,
2926 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
2927 (unsigned int) data.key_mgmt, MAC2STR(peer));
2928 return WLAN_STATUS_AKMP_NOT_VALID;
2929 }
2930 if (!owe_dh) {
2931 wpa_printf(MSG_DEBUG,
2932 "OWE: No Diffie-Hellman Parameter element from "
2933 MACSTR, MAC2STR(peer));
2934 return WLAN_STATUS_AKMP_NOT_VALID;
2935 }
2936
2937 return WLAN_STATUS_SUCCESS;
2938 }
2939
2940
2941 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
2942 struct sta_info *sta,
2943 const u8 *rsn_ie, size_t rsn_ie_len,
2944 const u8 *owe_dh, size_t owe_dh_len)
2945 {
2946 u16 status;
2947 u8 *owe_buf, ie[256 * 2];
2948 size_t ie_len = 0;
2949 int res;
2950
2951 if (!rsn_ie || rsn_ie_len < 2) {
2952 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
2953 status = WLAN_STATUS_INVALID_IE;
2954 goto end;
2955 }
2956
2957 if (!sta->wpa_sm)
2958 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
2959 NULL);
2960 if (!sta->wpa_sm) {
2961 wpa_printf(MSG_WARNING,
2962 "OWE: Failed to initialize WPA state machine");
2963 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2964 goto end;
2965 }
2966 rsn_ie -= 2;
2967 rsn_ie_len += 2;
2968 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2969 hapd->iface->freq, rsn_ie, rsn_ie_len,
2970 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
2971 status = wpa_res_to_status_code(res);
2972 if (status != WLAN_STATUS_SUCCESS)
2973 goto end;
2974 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
2975 if (status != WLAN_STATUS_SUCCESS)
2976 goto end;
2977 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
2978 NULL, 0);
2979 if (!owe_buf) {
2980 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2981 goto end;
2982 }
2983
2984 if (sta->owe_ecdh) {
2985 struct wpabuf *pub;
2986
2987 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2988 if (!pub) {
2989 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
2990 goto end;
2991 }
2992
2993 /* OWE Diffie-Hellman Parameter element */
2994 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
2995 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
2996 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
2997 */
2998 WPA_PUT_LE16(owe_buf, sta->owe_group);
2999 owe_buf += 2;
3000 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3001 owe_buf += wpabuf_len(pub);
3002 wpabuf_free(pub);
3003 sta->external_dh_updated = 1;
3004 }
3005 ie_len = owe_buf - ie;
3006
3007 end:
3008 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3009 MACSTR, status, (unsigned int) ie_len,
3010 MAC2STR(sta->addr));
3011 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
3012 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3013 ie_len);
3014
3015 return status;
3016 }
3017
3018 #endif /* CONFIG_OWE */
3019
3020
3021 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3022 const u8 *ies, size_t ies_len, int reassoc)
3023 {
3024 struct ieee802_11_elems elems;
3025 u16 resp;
3026 const u8 *wpa_ie;
3027 size_t wpa_ie_len;
3028 const u8 *p2p_dev_addr = NULL;
3029
3030 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3031 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3032 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
3033 "association request");
3034 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3035 }
3036
3037 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
3038 if (resp != WLAN_STATUS_SUCCESS)
3039 return resp;
3040 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
3041 if (resp != WLAN_STATUS_SUCCESS)
3042 return resp;
3043 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
3044 if (resp != WLAN_STATUS_SUCCESS)
3045 return resp;
3046 resp = copy_supp_rates(hapd, sta, &elems);
3047 if (resp != WLAN_STATUS_SUCCESS)
3048 return resp;
3049
3050 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
3051 if (resp != WLAN_STATUS_SUCCESS)
3052 return resp;
3053
3054 #ifdef CONFIG_IEEE80211N
3055 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
3056 if (resp != WLAN_STATUS_SUCCESS)
3057 return resp;
3058 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3059 !(sta->flags & WLAN_STA_HT)) {
3060 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3061 HOSTAPD_LEVEL_INFO, "Station does not support "
3062 "mandatory HT PHY - reject association");
3063 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3064 }
3065 #endif /* CONFIG_IEEE80211N */
3066
3067 #ifdef CONFIG_IEEE80211AC
3068 if (hapd->iconf->ieee80211ac) {
3069 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
3070 if (resp != WLAN_STATUS_SUCCESS)
3071 return resp;
3072
3073 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
3074 if (resp != WLAN_STATUS_SUCCESS)
3075 return resp;
3076 }
3077
3078 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3079 !(sta->flags & WLAN_STA_VHT)) {
3080 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3081 HOSTAPD_LEVEL_INFO, "Station does not support "
3082 "mandatory VHT PHY - reject association");
3083 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
3084 }
3085
3086 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
3087 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
3088 elems.vendor_vht_len);
3089 if (resp != WLAN_STATUS_SUCCESS)
3090 return resp;
3091 }
3092 #endif /* CONFIG_IEEE80211AC */
3093 #ifdef CONFIG_IEEE80211AX
3094 if (hapd->iconf->ieee80211ax) {
3095 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3096 elems.he_capabilities,
3097 elems.he_capabilities_len);
3098 if (resp != WLAN_STATUS_SUCCESS)
3099 return resp;
3100 }
3101 #endif /* CONFIG_IEEE80211AX */
3102
3103 #ifdef CONFIG_P2P
3104 if (elems.p2p) {
3105 wpabuf_free(sta->p2p_ie);
3106 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3107 P2P_IE_VENDOR_TYPE);
3108 if (sta->p2p_ie)
3109 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
3110 } else {
3111 wpabuf_free(sta->p2p_ie);
3112 sta->p2p_ie = NULL;
3113 }
3114 #endif /* CONFIG_P2P */
3115
3116 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
3117 wpa_ie = elems.rsn_ie;
3118 wpa_ie_len = elems.rsn_ie_len;
3119 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
3120 elems.wpa_ie) {
3121 wpa_ie = elems.wpa_ie;
3122 wpa_ie_len = elems.wpa_ie_len;
3123 } else {
3124 wpa_ie = NULL;
3125 wpa_ie_len = 0;
3126 }
3127
3128 #ifdef CONFIG_WPS
3129 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
3130 if (hapd->conf->wps_state && elems.wps_ie) {
3131 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
3132 "Request - assume WPS is used");
3133 sta->flags |= WLAN_STA_WPS;
3134 wpabuf_free(sta->wps_ie);
3135 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3136 WPS_IE_VENDOR_TYPE);
3137 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
3138 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
3139 sta->flags |= WLAN_STA_WPS2;
3140 }
3141 wpa_ie = NULL;
3142 wpa_ie_len = 0;
3143 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
3144 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
3145 "(Re)Association Request - reject");
3146 return WLAN_STATUS_INVALID_IE;
3147 }
3148 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
3149 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
3150 "(Re)Association Request - possible WPS use");
3151 sta->flags |= WLAN_STA_MAYBE_WPS;
3152 } else
3153 #endif /* CONFIG_WPS */
3154 if (hapd->conf->wpa && wpa_ie == NULL) {
3155 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3156 HOSTAPD_LEVEL_INFO,
3157 "No WPA/RSN IE in association request");
3158 return WLAN_STATUS_INVALID_IE;
3159 }
3160
3161 if (hapd->conf->wpa && wpa_ie) {
3162 int res;
3163 wpa_ie -= 2;
3164 wpa_ie_len += 2;
3165 if (sta->wpa_sm == NULL)
3166 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3167 sta->addr,
3168 p2p_dev_addr);
3169 if (sta->wpa_sm == NULL) {
3170 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3171 "state machine");
3172 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3173 }
3174 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
3175 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3176 hapd->iface->freq,
3177 wpa_ie, wpa_ie_len,
3178 elems.rsnxe ? elems.rsnxe - 2 : NULL,
3179 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
3180 elems.mdie, elems.mdie_len,
3181 elems.owe_dh, elems.owe_dh_len);
3182 resp = wpa_res_to_status_code(res);
3183 if (resp != WLAN_STATUS_SUCCESS)
3184 return resp;
3185 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3186 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3187 !sta->sa_query_timed_out &&
3188 sta->sa_query_count > 0)
3189 ap_check_sa_query_timeout(hapd, sta);
3190 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3191 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3192 !sta->sa_query_timed_out &&
3193 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3194 /*
3195 * STA has already been associated with MFP and SA
3196 * Query timeout has not been reached. Reject the
3197 * association attempt temporarily and start SA Query,
3198 * if one is not pending.
3199 */
3200
3201 if (sta->sa_query_count == 0)
3202 ap_sta_start_sa_query(hapd, sta);
3203
3204 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
3205 }
3206
3207 if (wpa_auth_uses_mfp(sta->wpa_sm))
3208 sta->flags |= WLAN_STA_MFP;
3209 else
3210 sta->flags &= ~WLAN_STA_MFP;
3211
3212 #ifdef CONFIG_IEEE80211R_AP
3213 if (sta->auth_alg == WLAN_AUTH_FT) {
3214 if (!reassoc) {
3215 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
3216 "to use association (not "
3217 "re-association) with FT auth_alg",
3218 MAC2STR(sta->addr));
3219 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3220 }
3221
3222 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
3223 ies_len);
3224 if (resp != WLAN_STATUS_SUCCESS)
3225 return resp;
3226 }
3227 #endif /* CONFIG_IEEE80211R_AP */
3228
3229 #ifdef CONFIG_SAE
3230 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3231 sta->sae->state == SAE_ACCEPTED)
3232 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3233
3234 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3235 sta->auth_alg == WLAN_AUTH_OPEN) {
3236 struct rsn_pmksa_cache_entry *sa;
3237 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3238 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3239 wpa_printf(MSG_DEBUG,
3240 "SAE: No PMKSA cache entry found for "
3241 MACSTR, MAC2STR(sta->addr));
3242 return WLAN_STATUS_INVALID_PMKID;
3243 }
3244 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3245 " using PMKSA caching", MAC2STR(sta->addr));
3246 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3247 sta->auth_alg != WLAN_AUTH_SAE &&
3248 !(sta->auth_alg == WLAN_AUTH_FT &&
3249 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3250 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3251 "SAE AKM after non-SAE auth_alg %u",
3252 MAC2STR(sta->addr), sta->auth_alg);
3253 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3254 }
3255
3256 if (hapd->conf->sae_pwe == 2 &&
3257 sta->auth_alg == WLAN_AUTH_SAE &&
3258 sta->sae && sta->sae->tmp && !sta->sae->tmp->h2e &&
3259 elems.rsnxe && elems.rsnxe_len >= 1 &&
3260 (elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
3261 wpa_printf(MSG_INFO, "SAE: " MACSTR
3262 " indicates support for SAE H2E, but did not use it",
3263 MAC2STR(sta->addr));
3264 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3265 }
3266 #endif /* CONFIG_SAE */
3267
3268 #ifdef CONFIG_OWE
3269 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3270 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3271 elems.owe_dh) {
3272 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3273 elems.owe_dh_len);
3274 if (resp != WLAN_STATUS_SUCCESS)
3275 return resp;
3276 }
3277 #endif /* CONFIG_OWE */
3278
3279 #ifdef CONFIG_DPP2
3280 dpp_pfs_free(sta->dpp_pfs);
3281 sta->dpp_pfs = NULL;
3282
3283 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3284 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3285 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3286 elems.owe_dh) {
3287 sta->dpp_pfs = dpp_pfs_init(
3288 wpabuf_head(hapd->conf->dpp_netaccesskey),
3289 wpabuf_len(hapd->conf->dpp_netaccesskey));
3290 if (!sta->dpp_pfs) {
3291 wpa_printf(MSG_DEBUG,
3292 "DPP: Could not initialize PFS");
3293 /* Try to continue without PFS */
3294 goto pfs_fail;
3295 }
3296
3297 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3298 elems.owe_dh_len) < 0) {
3299 dpp_pfs_free(sta->dpp_pfs);
3300 sta->dpp_pfs = NULL;
3301 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3302 }
3303 }
3304
3305 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3306 sta->dpp_pfs->secret : NULL);
3307 pfs_fail:
3308 #endif /* CONFIG_DPP2 */
3309
3310 #ifdef CONFIG_IEEE80211N
3311 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3312 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3313 hostapd_logger(hapd, sta->addr,
3314 HOSTAPD_MODULE_IEEE80211,
3315 HOSTAPD_LEVEL_INFO,
3316 "Station tried to use TKIP with HT "
3317 "association");
3318 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3319 }
3320 #endif /* CONFIG_IEEE80211N */
3321 #ifdef CONFIG_HS20
3322 } else if (hapd->conf->osen) {
3323 if (elems.osen == NULL) {
3324 hostapd_logger(
3325 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3326 HOSTAPD_LEVEL_INFO,
3327 "No HS 2.0 OSEN element in association request");
3328 return WLAN_STATUS_INVALID_IE;
3329 }
3330
3331 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3332 if (sta->wpa_sm == NULL)
3333 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3334 sta->addr, NULL);
3335 if (sta->wpa_sm == NULL) {
3336 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3337 "state machine");
3338 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3339 }
3340 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3341 elems.osen - 2, elems.osen_len + 2) < 0)
3342 return WLAN_STATUS_INVALID_IE;
3343 #endif /* CONFIG_HS20 */
3344 } else
3345 wpa_auth_sta_no_wpa(sta->wpa_sm);
3346
3347 #ifdef CONFIG_P2P
3348 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3349 #endif /* CONFIG_P2P */
3350
3351 #ifdef CONFIG_HS20
3352 wpabuf_free(sta->hs20_ie);
3353 if (elems.hs20 && elems.hs20_len > 4) {
3354 int release;
3355
3356 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3357 elems.hs20_len - 4);
3358 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3359 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
3360 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3361 wpa_printf(MSG_DEBUG,
3362 "HS 2.0: PMF not negotiated by release %d station "
3363 MACSTR, release, MAC2STR(sta->addr));
3364 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3365 }
3366 } else {
3367 sta->hs20_ie = NULL;
3368 }
3369
3370 wpabuf_free(sta->roaming_consortium);
3371 if (elems.roaming_cons_sel)
3372 sta->roaming_consortium = wpabuf_alloc_copy(
3373 elems.roaming_cons_sel + 4,
3374 elems.roaming_cons_sel_len - 4);
3375 else
3376 sta->roaming_consortium = NULL;
3377 #endif /* CONFIG_HS20 */
3378
3379 #ifdef CONFIG_FST
3380 wpabuf_free(sta->mb_ies);
3381 if (hapd->iface->fst)
3382 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3383 else
3384 sta->mb_ies = NULL;
3385 #endif /* CONFIG_FST */
3386
3387 #ifdef CONFIG_MBO
3388 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3389
3390 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3391 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3392 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3393 wpa_printf(MSG_INFO,
3394 "MBO: Reject WPA2 association without PMF");
3395 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3396 }
3397 #endif /* CONFIG_MBO */
3398
3399 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3400 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3401 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3402 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3403 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3404 struct wpa_channel_info ci;
3405 int tx_chanwidth;
3406 int tx_seg1_idx;
3407
3408 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3409 wpa_printf(MSG_WARNING,
3410 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3411 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3412 }
3413
3414 if (get_sta_tx_parameters(sta->wpa_sm,
3415 channel_width_to_int(ci.chanwidth),
3416 ci.seg1_idx, &tx_chanwidth,
3417 &tx_seg1_idx) < 0)
3418 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3419
3420 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3421 tx_chanwidth, tx_seg1_idx) != 0) {
3422 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3423 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3424 }
3425 }
3426 #endif /* CONFIG_FILS && CONFIG_OCV */
3427
3428 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3429 elems.supp_op_classes_len);
3430
3431 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3432 elems.rrm_enabled &&
3433 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3434 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3435 sizeof(sta->rrm_enabled_capa));
3436
3437 if (elems.power_capab) {
3438 sta->min_tx_power = elems.power_capab[0];
3439 sta->max_tx_power = elems.power_capab[1];
3440 sta->power_capab = 1;
3441 } else {
3442 sta->power_capab = 0;
3443 }
3444
3445 return WLAN_STATUS_SUCCESS;
3446 }
3447
3448
3449 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3450 u16 reason_code)
3451 {
3452 int send_len;
3453 struct ieee80211_mgmt reply;
3454
3455 os_memset(&reply, 0, sizeof(reply));
3456 reply.frame_control =
3457 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3458 os_memcpy(reply.da, addr, ETH_ALEN);
3459 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3460 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3461
3462 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3463 reply.u.deauth.reason_code = host_to_le16(reason_code);
3464
3465 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
3466 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3467 strerror(errno));
3468 }
3469
3470
3471 static int add_associated_sta(struct hostapd_data *hapd,
3472 struct sta_info *sta, int reassoc)
3473 {
3474 struct ieee80211_ht_capabilities ht_cap;
3475 struct ieee80211_vht_capabilities vht_cap;
3476 struct ieee80211_he_capabilities he_cap;
3477 int set = 1;
3478
3479 /*
3480 * Remove the STA entry to ensure the STA PS state gets cleared and
3481 * configuration gets updated. This is relevant for cases, such as
3482 * FT-over-the-DS, where a station re-associates back to the same AP but
3483 * skips the authentication flow, or if working with a driver that
3484 * does not support full AP client state.
3485 *
3486 * Skip this if the STA has already completed FT reassociation and the
3487 * TK has been configured since the TX/RX PN must not be reset to 0 for
3488 * the same key.
3489 *
3490 * FT-over-the-DS has a special case where the STA entry (and as such,
3491 * the TK) has not yet been configured to the driver depending on which
3492 * driver interface is used. For that case, allow add-STA operation to
3493 * be used (instead of set-STA). This is needed to allow mac80211-based
3494 * drivers to accept the STA parameter configuration. Since this is
3495 * after a new FT-over-DS exchange, a new TK has been derived, so key
3496 * reinstallation is not a concern for this case.
3497 */
3498 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3499 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3500 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3501 sta->ft_over_ds, reassoc,
3502 !!(sta->flags & WLAN_STA_AUTHORIZED),
3503 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3504 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3505
3506 if (!sta->added_unassoc &&
3507 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3508 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3509 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3510 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3511 hostapd_drv_sta_remove(hapd, sta->addr);
3512 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3513 set = 0;
3514
3515 /* Do not allow the FT-over-DS exception to be used more than
3516 * once per authentication exchange to guarantee a new TK is
3517 * used here */
3518 sta->ft_over_ds = 0;
3519 }
3520
3521 #ifdef CONFIG_IEEE80211N
3522 if (sta->flags & WLAN_STA_HT)
3523 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3524 #endif /* CONFIG_IEEE80211N */
3525 #ifdef CONFIG_IEEE80211AC
3526 if (sta->flags & WLAN_STA_VHT)
3527 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3528 #endif /* CONFIG_IEEE80211AC */
3529 #ifdef CONFIG_IEEE80211AX
3530 if (sta->flags & WLAN_STA_HE) {
3531 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
3532 sta->he_capab_len);
3533 }
3534 #endif /* CONFIG_IEEE80211AX */
3535
3536 /*
3537 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3538 * will be set when the ACK frame for the (Re)Association Response frame
3539 * is processed (TX status driver event).
3540 */
3541 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3542 sta->supported_rates, sta->supported_rates_len,
3543 sta->listen_interval,
3544 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3545 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3546 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
3547 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
3548 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3549 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3550 set)) {
3551 hostapd_logger(hapd, sta->addr,
3552 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3553 "Could not %s STA to kernel driver",
3554 set ? "set" : "add");
3555
3556 if (sta->added_unassoc) {
3557 hostapd_drv_sta_remove(hapd, sta->addr);
3558 sta->added_unassoc = 0;
3559 }
3560
3561 return -1;
3562 }
3563
3564 sta->added_unassoc = 0;
3565
3566 return 0;
3567 }
3568
3569
3570 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3571 const u8 *addr, u16 status_code, int reassoc,
3572 const u8 *ies, size_t ies_len, int rssi)
3573 {
3574 int send_len;
3575 u8 *buf;
3576 size_t buflen;
3577 struct ieee80211_mgmt *reply;
3578 u8 *p;
3579 u16 res = WLAN_STATUS_SUCCESS;
3580
3581 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3582 #ifdef CONFIG_FILS
3583 if (sta && sta->fils_hlp_resp)
3584 buflen += wpabuf_len(sta->fils_hlp_resp);
3585 if (sta)
3586 buflen += 150;
3587 #endif /* CONFIG_FILS */
3588 #ifdef CONFIG_OWE
3589 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3590 buflen += 150;
3591 #endif /* CONFIG_OWE */
3592 #ifdef CONFIG_DPP2
3593 if (sta && sta->dpp_pfs)
3594 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3595 #endif /* CONFIG_DPP2 */
3596 buf = os_zalloc(buflen);
3597 if (!buf) {
3598 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3599 goto done;
3600 }
3601 reply = (struct ieee80211_mgmt *) buf;
3602 reply->frame_control =
3603 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3604 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3605 WLAN_FC_STYPE_ASSOC_RESP));
3606 os_memcpy(reply->da, addr, ETH_ALEN);
3607 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3608 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3609
3610 send_len = IEEE80211_HDRLEN;
3611 send_len += sizeof(reply->u.assoc_resp);
3612 reply->u.assoc_resp.capab_info =
3613 host_to_le16(hostapd_own_capab_info(hapd));
3614 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3615
3616 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3617 BIT(14) | BIT(15));
3618 /* Supported rates */
3619 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3620 /* Extended supported rates */
3621 p = hostapd_eid_ext_supp_rates(hapd, p);
3622
3623 #ifdef CONFIG_MBO
3624 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3625 rssi != 0) {
3626 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3627
3628 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3629 delta);
3630 }
3631 #endif /* CONFIG_MBO */
3632
3633 #ifdef CONFIG_IEEE80211R_AP
3634 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3635 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3636 * Transition Information, RSN, [RIC Response] */
3637 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3638 buf + buflen - p,
3639 sta->auth_alg, ies, ies_len);
3640 if (!p) {
3641 wpa_printf(MSG_DEBUG,
3642 "FT: Failed to write AssocResp IEs");
3643 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3644 goto done;
3645 }
3646 }
3647 #endif /* CONFIG_IEEE80211R_AP */
3648 #ifdef CONFIG_FILS
3649 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3650 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3651 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3652 sta->auth_alg == WLAN_AUTH_FILS_PK))
3653 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
3654 buf + buflen - p,
3655 ies, ies_len);
3656 #endif /* CONFIG_FILS */
3657
3658 #ifdef CONFIG_OWE
3659 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3660 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3661 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3662 buf + buflen - p,
3663 ies, ies_len);
3664 #endif /* CONFIG_OWE */
3665
3666 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3667 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3668
3669 #ifdef CONFIG_IEEE80211N
3670 p = hostapd_eid_ht_capabilities(hapd, p);
3671 p = hostapd_eid_ht_operation(hapd, p);
3672 #endif /* CONFIG_IEEE80211N */
3673
3674 #ifdef CONFIG_IEEE80211AC
3675 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
3676 !is_6ghz_op_class(hapd->iconf->op_class)) {
3677 u32 nsts = 0, sta_nsts;
3678
3679 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3680 struct ieee80211_vht_capabilities *capa;
3681
3682 nsts = (hapd->iface->conf->vht_capab >>
3683 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3684 capa = sta->vht_capabilities;
3685 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3686 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3687
3688 if (nsts < sta_nsts)
3689 nsts = 0;
3690 else
3691 nsts = sta_nsts;
3692 }
3693 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3694 p = hostapd_eid_vht_operation(hapd, p);
3695 }
3696 #endif /* CONFIG_IEEE80211AC */
3697
3698 #ifdef CONFIG_IEEE80211AX
3699 if (hapd->iconf->ieee80211ax) {
3700 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
3701 p = hostapd_eid_he_operation(hapd, p);
3702 p = hostapd_eid_spatial_reuse(hapd, p);
3703 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
3704 }
3705 #endif /* CONFIG_IEEE80211AX */
3706
3707 p = hostapd_eid_ext_capab(hapd, p);
3708 p = hostapd_eid_bss_max_idle_period(hapd, p);
3709 if (sta && sta->qos_map_enabled)
3710 p = hostapd_eid_qos_map_set(hapd, p);
3711
3712 #ifdef CONFIG_FST
3713 if (hapd->iface->fst_ies) {
3714 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3715 wpabuf_len(hapd->iface->fst_ies));
3716 p += wpabuf_len(hapd->iface->fst_ies);
3717 }
3718 #endif /* CONFIG_FST */
3719
3720 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
3721
3722 #ifdef CONFIG_OWE
3723 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3724 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3725 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3726 struct wpabuf *pub;
3727
3728 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3729 if (!pub) {
3730 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3731 goto done;
3732 }
3733 /* OWE Diffie-Hellman Parameter element */
3734 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3735 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3736 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3737 WPA_PUT_LE16(p, sta->owe_group);
3738 p += 2;
3739 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3740 p += wpabuf_len(pub);
3741 wpabuf_free(pub);
3742 }
3743 #endif /* CONFIG_OWE */
3744
3745 #ifdef CONFIG_DPP2
3746 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3747 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3748 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3749 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3750 wpabuf_len(sta->dpp_pfs->ie));
3751 p += wpabuf_len(sta->dpp_pfs->ie);
3752 }
3753 #endif /* CONFIG_DPP2 */
3754
3755 #ifdef CONFIG_IEEE80211AC
3756 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3757 p = hostapd_eid_vendor_vht(hapd, p);
3758 #endif /* CONFIG_IEEE80211AC */
3759
3760 if (sta && (sta->flags & WLAN_STA_WMM))
3761 p = hostapd_eid_wmm(hapd, p);
3762
3763 #ifdef CONFIG_WPS
3764 if (sta &&
3765 ((sta->flags & WLAN_STA_WPS) ||
3766 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3767 struct wpabuf *wps = wps_build_assoc_resp_ie();
3768 if (wps) {
3769 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3770 p += wpabuf_len(wps);
3771 wpabuf_free(wps);
3772 }
3773 }
3774 #endif /* CONFIG_WPS */
3775
3776 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3777 p = hostapd_eid_multi_ap(hapd, p);
3778
3779 #ifdef CONFIG_P2P
3780 if (sta && sta->p2p_ie && hapd->p2p_group) {
3781 struct wpabuf *p2p_resp_ie;
3782 enum p2p_status_code status;
3783 switch (status_code) {
3784 case WLAN_STATUS_SUCCESS:
3785 status = P2P_SC_SUCCESS;
3786 break;
3787 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3788 status = P2P_SC_FAIL_LIMIT_REACHED;
3789 break;
3790 default:
3791 status = P2P_SC_FAIL_INVALID_PARAMS;
3792 break;
3793 }
3794 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3795 if (p2p_resp_ie) {
3796 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3797 wpabuf_len(p2p_resp_ie));
3798 p += wpabuf_len(p2p_resp_ie);
3799 wpabuf_free(p2p_resp_ie);
3800 }
3801 }
3802 #endif /* CONFIG_P2P */
3803
3804 #ifdef CONFIG_P2P_MANAGER
3805 if (hapd->conf->p2p & P2P_MANAGE)
3806 p = hostapd_eid_p2p_manage(hapd, p);
3807 #endif /* CONFIG_P2P_MANAGER */
3808
3809 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3810
3811 if (hapd->conf->assocresp_elements &&
3812 (size_t) (buf + buflen - p) >=
3813 wpabuf_len(hapd->conf->assocresp_elements)) {
3814 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3815 wpabuf_len(hapd->conf->assocresp_elements));
3816 p += wpabuf_len(hapd->conf->assocresp_elements);
3817 }
3818
3819 send_len += p - reply->u.assoc_resp.variable;
3820
3821 #ifdef CONFIG_FILS
3822 if (sta &&
3823 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3824 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3825 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3826 status_code == WLAN_STATUS_SUCCESS) {
3827 struct ieee802_11_elems elems;
3828
3829 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3830 ParseFailed || !elems.fils_session) {
3831 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3832 goto done;
3833 }
3834
3835 /* FILS Session */
3836 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3837 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3838 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3839 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3840 send_len += 2 + 1 + FILS_SESSION_LEN;
3841
3842 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3843 buflen, sta->fils_hlp_resp);
3844 if (send_len < 0) {
3845 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3846 goto done;
3847 }
3848 }
3849 #endif /* CONFIG_FILS */
3850
3851 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
3852 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3853 strerror(errno));
3854 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3855 }
3856
3857 done:
3858 os_free(buf);
3859 return res;
3860 }
3861
3862
3863 #ifdef CONFIG_OWE
3864 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3865 const u8 *owe_dh, u8 owe_dh_len,
3866 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3867 {
3868 #ifdef CONFIG_TESTING_OPTIONS
3869 if (hapd->conf->own_ie_override) {
3870 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3871 *reason = WLAN_STATUS_SUCCESS;
3872 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3873 owe_buf_len, NULL, 0);
3874 }
3875 #endif /* CONFIG_TESTING_OPTIONS */
3876
3877 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3878 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3879 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3880 owe_buf_len, NULL, 0);
3881 *reason = WLAN_STATUS_SUCCESS;
3882 return owe_buf;
3883 }
3884
3885 if (sta->owe_pmk && sta->external_dh_updated) {
3886 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
3887 *reason = WLAN_STATUS_SUCCESS;
3888 return owe_buf;
3889 }
3890
3891 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3892 if (*reason != WLAN_STATUS_SUCCESS)
3893 return NULL;
3894
3895 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3896 owe_buf_len, NULL, 0);
3897
3898 if (sta->owe_ecdh && owe_buf) {
3899 struct wpabuf *pub;
3900
3901 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3902 if (!pub) {
3903 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3904 return owe_buf;
3905 }
3906
3907 /* OWE Diffie-Hellman Parameter element */
3908 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3909 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3910 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3911 */
3912 WPA_PUT_LE16(owe_buf, sta->owe_group);
3913 owe_buf += 2;
3914 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3915 owe_buf += wpabuf_len(pub);
3916 wpabuf_free(pub);
3917 }
3918
3919 return owe_buf;
3920 }
3921 #endif /* CONFIG_OWE */
3922
3923
3924 #ifdef CONFIG_FILS
3925
3926 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3927 {
3928 u16 reply_res;
3929
3930 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3931 MAC2STR(sta->addr));
3932 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3933 if (!sta->fils_pending_assoc_req)
3934 return;
3935 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3936 sta->fils_pending_assoc_is_reassoc,
3937 sta->fils_pending_assoc_req,
3938 sta->fils_pending_assoc_req_len, 0);
3939 os_free(sta->fils_pending_assoc_req);
3940 sta->fils_pending_assoc_req = NULL;
3941 sta->fils_pending_assoc_req_len = 0;
3942 wpabuf_free(sta->fils_hlp_resp);
3943 sta->fils_hlp_resp = NULL;
3944 wpabuf_free(sta->hlp_dhcp_discover);
3945 sta->hlp_dhcp_discover = NULL;
3946
3947 /*
3948 * Remove the station in case transmission of a success response fails.
3949 * At this point the station was already added associated to the driver.
3950 */
3951 if (reply_res != WLAN_STATUS_SUCCESS)
3952 hostapd_drv_sta_remove(hapd, sta->addr);
3953 }
3954
3955
3956 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3957 {
3958 struct hostapd_data *hapd = eloop_ctx;
3959 struct sta_info *sta = eloop_data;
3960
3961 wpa_printf(MSG_DEBUG,
3962 "FILS: HLP response timeout - continue with association response for "
3963 MACSTR, MAC2STR(sta->addr));
3964 if (sta->fils_drv_assoc_finish)
3965 hostapd_notify_assoc_fils_finish(hapd, sta);
3966 else
3967 fils_hlp_finish_assoc(hapd, sta);
3968 }
3969
3970 #endif /* CONFIG_FILS */
3971
3972
3973 static void handle_assoc(struct hostapd_data *hapd,
3974 const struct ieee80211_mgmt *mgmt, size_t len,
3975 int reassoc, int rssi)
3976 {
3977 u16 capab_info, listen_interval, seq_ctrl, fc;
3978 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3979 const u8 *pos;
3980 int left, i;
3981 struct sta_info *sta;
3982 u8 *tmp = NULL;
3983 #ifdef CONFIG_FILS
3984 int delay_assoc = 0;
3985 #endif /* CONFIG_FILS */
3986
3987 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3988 sizeof(mgmt->u.assoc_req))) {
3989 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3990 reassoc, (unsigned long) len);
3991 return;
3992 }
3993
3994 #ifdef CONFIG_TESTING_OPTIONS
3995 if (reassoc) {
3996 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3997 drand48() < hapd->iconf->ignore_reassoc_probability) {
3998 wpa_printf(MSG_INFO,
3999 "TESTING: ignoring reassoc request from "
4000 MACSTR, MAC2STR(mgmt->sa));
4001 return;
4002 }
4003 } else {
4004 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
4005 drand48() < hapd->iconf->ignore_assoc_probability) {
4006 wpa_printf(MSG_INFO,
4007 "TESTING: ignoring assoc request from "
4008 MACSTR, MAC2STR(mgmt->sa));
4009 return;
4010 }
4011 }
4012 #endif /* CONFIG_TESTING_OPTIONS */
4013
4014 fc = le_to_host16(mgmt->frame_control);
4015 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4016
4017 if (reassoc) {
4018 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
4019 listen_interval = le_to_host16(
4020 mgmt->u.reassoc_req.listen_interval);
4021 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
4022 " capab_info=0x%02x listen_interval=%d current_ap="
4023 MACSTR " seq_ctrl=0x%x%s",
4024 MAC2STR(mgmt->sa), capab_info, listen_interval,
4025 MAC2STR(mgmt->u.reassoc_req.current_ap),
4026 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4027 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
4028 pos = mgmt->u.reassoc_req.variable;
4029 } else {
4030 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
4031 listen_interval = le_to_host16(
4032 mgmt->u.assoc_req.listen_interval);
4033 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
4034 " capab_info=0x%02x listen_interval=%d "
4035 "seq_ctrl=0x%x%s",
4036 MAC2STR(mgmt->sa), capab_info, listen_interval,
4037 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4038 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
4039 pos = mgmt->u.assoc_req.variable;
4040 }
4041
4042 sta = ap_get_sta(hapd, mgmt->sa);
4043 #ifdef CONFIG_IEEE80211R_AP
4044 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
4045 (sta->flags & WLAN_STA_AUTH) == 0) {
4046 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
4047 "prior to authentication since it is using "
4048 "over-the-DS FT", MAC2STR(mgmt->sa));
4049
4050 /*
4051 * Mark station as authenticated, to avoid adding station
4052 * entry in the driver as associated and not authenticated
4053 */
4054 sta->flags |= WLAN_STA_AUTH;
4055 } else
4056 #endif /* CONFIG_IEEE80211R_AP */
4057 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
4058 if (hapd->iface->current_mode &&
4059 hapd->iface->current_mode->mode ==
4060 HOSTAPD_MODE_IEEE80211AD) {
4061 int acl_res;
4062 struct radius_sta info;
4063
4064 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
4065 (const u8 *) mgmt,
4066 len, &info);
4067 if (acl_res == HOSTAPD_ACL_REJECT) {
4068 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
4069 "Ignore Association Request frame from "
4070 MACSTR " due to ACL reject",
4071 MAC2STR(mgmt->sa));
4072 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4073 goto fail;
4074 }
4075 if (acl_res == HOSTAPD_ACL_PENDING)
4076 return;
4077
4078 /* DMG/IEEE 802.11ad does not use authentication.
4079 * Allocate sta entry upon association. */
4080 sta = ap_sta_add(hapd, mgmt->sa);
4081 if (!sta) {
4082 hostapd_logger(hapd, mgmt->sa,
4083 HOSTAPD_MODULE_IEEE80211,
4084 HOSTAPD_LEVEL_INFO,
4085 "Failed to add STA");
4086 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4087 goto fail;
4088 }
4089
4090 acl_res = ieee802_11_set_radius_info(
4091 hapd, sta, acl_res, &info);
4092 if (acl_res) {
4093 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4094 goto fail;
4095 }
4096
4097 hostapd_logger(hapd, sta->addr,
4098 HOSTAPD_MODULE_IEEE80211,
4099 HOSTAPD_LEVEL_DEBUG,
4100 "Skip authentication for DMG/IEEE 802.11ad");
4101 sta->flags |= WLAN_STA_AUTH;
4102 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
4103 sta->auth_alg = WLAN_AUTH_OPEN;
4104 } else {
4105 hostapd_logger(hapd, mgmt->sa,
4106 HOSTAPD_MODULE_IEEE80211,
4107 HOSTAPD_LEVEL_INFO,
4108 "Station tried to associate before authentication (aid=%d flags=0x%x)",
4109 sta ? sta->aid : -1,
4110 sta ? sta->flags : 0);
4111 send_deauth(hapd, mgmt->sa,
4112 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
4113 return;
4114 }
4115 }
4116
4117 if ((fc & WLAN_FC_RETRY) &&
4118 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4119 sta->last_seq_ctrl == seq_ctrl &&
4120 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4121 WLAN_FC_STYPE_ASSOC_REQ)) {
4122 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4123 HOSTAPD_LEVEL_DEBUG,
4124 "Drop repeated association frame seq_ctrl=0x%x",
4125 seq_ctrl);
4126 return;
4127 }
4128 sta->last_seq_ctrl = seq_ctrl;
4129 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4130 WLAN_FC_STYPE_ASSOC_REQ;
4131
4132 if (hapd->tkip_countermeasures) {
4133 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4134 goto fail;
4135 }
4136
4137 if (listen_interval > hapd->conf->max_listen_interval) {
4138 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4139 HOSTAPD_LEVEL_DEBUG,
4140 "Too large Listen Interval (%d)",
4141 listen_interval);
4142 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
4143 goto fail;
4144 }
4145
4146 #ifdef CONFIG_MBO
4147 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
4148 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4149 goto fail;
4150 }
4151
4152 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
4153 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
4154 (sta->auth_rssi == 0 ||
4155 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
4156 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
4157 goto fail;
4158 }
4159 #endif /* CONFIG_MBO */
4160
4161 /*
4162 * sta->capability is used in check_assoc_ies() for RRM enabled
4163 * capability element.
4164 */
4165 sta->capability = capab_info;
4166
4167 #ifdef CONFIG_FILS
4168 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4169 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4170 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4171 int res;
4172
4173 /* The end of the payload is encrypted. Need to decrypt it
4174 * before parsing. */
4175
4176 tmp = os_memdup(pos, left);
4177 if (!tmp) {
4178 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4179 goto fail;
4180 }
4181
4182 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
4183 len, tmp, left);
4184 if (res < 0) {
4185 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4186 goto fail;
4187 }
4188 pos = tmp;
4189 left = res;
4190 }
4191 #endif /* CONFIG_FILS */
4192
4193 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
4194 * is used */
4195 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
4196 if (resp != WLAN_STATUS_SUCCESS)
4197 goto fail;
4198
4199 if (hostapd_get_aid(hapd, sta) < 0) {
4200 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4201 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
4202 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4203 goto fail;
4204 }
4205
4206 sta->listen_interval = listen_interval;
4207
4208 if (hapd->iface->current_mode &&
4209 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
4210 sta->flags |= WLAN_STA_NONERP;
4211 for (i = 0; i < sta->supported_rates_len; i++) {
4212 if ((sta->supported_rates[i] & 0x7f) > 22) {
4213 sta->flags &= ~WLAN_STA_NONERP;
4214 break;
4215 }
4216 }
4217 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
4218 sta->nonerp_set = 1;
4219 hapd->iface->num_sta_non_erp++;
4220 if (hapd->iface->num_sta_non_erp == 1)
4221 ieee802_11_set_beacons(hapd->iface);
4222 }
4223
4224 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
4225 !sta->no_short_slot_time_set) {
4226 sta->no_short_slot_time_set = 1;
4227 hapd->iface->num_sta_no_short_slot_time++;
4228 if (hapd->iface->current_mode &&
4229 hapd->iface->current_mode->mode ==
4230 HOSTAPD_MODE_IEEE80211G &&
4231 hapd->iface->num_sta_no_short_slot_time == 1)
4232 ieee802_11_set_beacons(hapd->iface);
4233 }
4234
4235 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
4236 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
4237 else
4238 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
4239
4240 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
4241 !sta->no_short_preamble_set) {
4242 sta->no_short_preamble_set = 1;
4243 hapd->iface->num_sta_no_short_preamble++;
4244 if (hapd->iface->current_mode &&
4245 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
4246 && hapd->iface->num_sta_no_short_preamble == 1)
4247 ieee802_11_set_beacons(hapd->iface);
4248 }
4249
4250 #ifdef CONFIG_IEEE80211N
4251 update_ht_state(hapd, sta);
4252 #endif /* CONFIG_IEEE80211N */
4253
4254 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4255 HOSTAPD_LEVEL_DEBUG,
4256 "association OK (aid %d)", sta->aid);
4257 /* Station will be marked associated, after it acknowledges AssocResp
4258 */
4259 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
4260
4261 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
4262 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
4263 "SA Query procedure", reassoc ? "re" : "");
4264 /* TODO: Send a protected Disassociate frame to the STA using
4265 * the old key and Reason Code "Previous Authentication no
4266 * longer valid". Make sure this is only sent protected since
4267 * unprotected frame would be received by the STA that is now
4268 * trying to associate.
4269 */
4270 }
4271
4272 /* Make sure that the previously registered inactivity timer will not
4273 * remove the STA immediately. */
4274 sta->timeout_next = STA_NULLFUNC;
4275
4276 #ifdef CONFIG_TAXONOMY
4277 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4278 #endif /* CONFIG_TAXONOMY */
4279
4280 sta->pending_wds_enable = 0;
4281
4282 #ifdef CONFIG_FILS
4283 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4284 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4285 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4286 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4287 delay_assoc = 1;
4288 }
4289 #endif /* CONFIG_FILS */
4290
4291 fail:
4292
4293 /*
4294 * In case of a successful response, add the station to the driver.
4295 * Otherwise, the kernel may ignore Data frames before we process the
4296 * ACK frame (TX status). In case of a failure, this station will be
4297 * removed.
4298 *
4299 * Note that this is not compliant with the IEEE 802.11 standard that
4300 * states that a non-AP station should transition into the
4301 * authenticated/associated state only after the station acknowledges
4302 * the (Re)Association Response frame. However, still do this as:
4303 *
4304 * 1. In case the station does not acknowledge the (Re)Association
4305 * Response frame, it will be removed.
4306 * 2. Data frames will be dropped in the kernel until the station is
4307 * set into authorized state, and there are no significant known
4308 * issues with processing other non-Data Class 3 frames during this
4309 * window.
4310 */
4311 if (resp == WLAN_STATUS_SUCCESS && sta &&
4312 add_associated_sta(hapd, sta, reassoc))
4313 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4314
4315 #ifdef CONFIG_FILS
4316 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4317 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4318 sta->fils_pending_assoc_req) {
4319 /* Do not reschedule fils_hlp_timeout in case the station
4320 * retransmits (Re)Association Request frame while waiting for
4321 * the previously started FILS HLP wait, so that the timeout can
4322 * be determined from the first pending attempt. */
4323 wpa_printf(MSG_DEBUG,
4324 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4325 MACSTR, MAC2STR(sta->addr));
4326 os_free(tmp);
4327 return;
4328 }
4329 if (sta) {
4330 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4331 os_free(sta->fils_pending_assoc_req);
4332 sta->fils_pending_assoc_req = NULL;
4333 sta->fils_pending_assoc_req_len = 0;
4334 wpabuf_free(sta->fils_hlp_resp);
4335 sta->fils_hlp_resp = NULL;
4336 }
4337 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4338 sta->fils_pending_assoc_req = tmp;
4339 sta->fils_pending_assoc_req_len = left;
4340 sta->fils_pending_assoc_is_reassoc = reassoc;
4341 sta->fils_drv_assoc_finish = 0;
4342 wpa_printf(MSG_DEBUG,
4343 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4344 MACSTR, MAC2STR(sta->addr));
4345 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4346 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4347 fils_hlp_timeout, hapd, sta);
4348 return;
4349 }
4350 #endif /* CONFIG_FILS */
4351
4352 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4353 left, rssi);
4354 os_free(tmp);
4355
4356 /*
4357 * Remove the station in case tranmission of a success response fails
4358 * (the STA was added associated to the driver) or if the station was
4359 * previously added unassociated.
4360 */
4361 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4362 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4363 hostapd_drv_sta_remove(hapd, sta->addr);
4364 sta->added_unassoc = 0;
4365 }
4366 }
4367
4368
4369 static void handle_disassoc(struct hostapd_data *hapd,
4370 const struct ieee80211_mgmt *mgmt, size_t len)
4371 {
4372 struct sta_info *sta;
4373
4374 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4375 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4376 (unsigned long) len);
4377 return;
4378 }
4379
4380 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4381 MAC2STR(mgmt->sa),
4382 le_to_host16(mgmt->u.disassoc.reason_code));
4383
4384 sta = ap_get_sta(hapd, mgmt->sa);
4385 if (sta == NULL) {
4386 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4387 MAC2STR(mgmt->sa));
4388 return;
4389 }
4390
4391 ap_sta_set_authorized(hapd, sta, 0);
4392 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4393 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4394 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4395 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4396 HOSTAPD_LEVEL_INFO, "disassociated");
4397 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4398 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4399 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4400 * authenticated. */
4401 accounting_sta_stop(hapd, sta);
4402 ieee802_1x_free_station(hapd, sta);
4403 if (sta->ipaddr)
4404 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4405 ap_sta_ip6addr_del(hapd, sta);
4406 hostapd_drv_sta_remove(hapd, sta->addr);
4407 sta->added_unassoc = 0;
4408
4409 if (sta->timeout_next == STA_NULLFUNC ||
4410 sta->timeout_next == STA_DISASSOC) {
4411 sta->timeout_next = STA_DEAUTH;
4412 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4413 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4414 hapd, sta);
4415 }
4416
4417 mlme_disassociate_indication(
4418 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4419
4420 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4421 * disassociation. */
4422 if (hapd->iface->current_mode &&
4423 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4424 sta->flags &= ~WLAN_STA_AUTH;
4425 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4426 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4427 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4428 ap_free_sta(hapd, sta);
4429 }
4430 }
4431
4432
4433 static void handle_deauth(struct hostapd_data *hapd,
4434 const struct ieee80211_mgmt *mgmt, size_t len)
4435 {
4436 struct sta_info *sta;
4437
4438 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4439 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4440 "payload (len=%lu)", (unsigned long) len);
4441 return;
4442 }
4443
4444 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4445 " reason_code=%d",
4446 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4447
4448 sta = ap_get_sta(hapd, mgmt->sa);
4449 if (sta == NULL) {
4450 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4451 "to deauthenticate, but it is not authenticated",
4452 MAC2STR(mgmt->sa));
4453 return;
4454 }
4455
4456 ap_sta_set_authorized(hapd, sta, 0);
4457 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4458 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4459 WLAN_STA_ASSOC_REQ_OK);
4460 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4461 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4462 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4463 mlme_deauthenticate_indication(
4464 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4465 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4466 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4467 ap_free_sta(hapd, sta);
4468 }
4469
4470
4471 static void handle_beacon(struct hostapd_data *hapd,
4472 const struct ieee80211_mgmt *mgmt, size_t len,
4473 struct hostapd_frame_info *fi)
4474 {
4475 struct ieee802_11_elems elems;
4476
4477 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4478 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4479 (unsigned long) len);
4480 return;
4481 }
4482
4483 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4484 len - (IEEE80211_HDRLEN +
4485 sizeof(mgmt->u.beacon)), &elems,
4486 0);
4487
4488 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4489 }
4490
4491
4492 static int robust_action_frame(u8 category)
4493 {
4494 return category != WLAN_ACTION_PUBLIC &&
4495 category != WLAN_ACTION_HT;
4496 }
4497
4498
4499 static int handle_action(struct hostapd_data *hapd,
4500 const struct ieee80211_mgmt *mgmt, size_t len,
4501 unsigned int freq)
4502 {
4503 struct sta_info *sta;
4504 u8 *action __maybe_unused;
4505
4506 if (len < IEEE80211_HDRLEN + 2 + 1) {
4507 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4508 HOSTAPD_LEVEL_DEBUG,
4509 "handle_action - too short payload (len=%lu)",
4510 (unsigned long) len);
4511 return 0;
4512 }
4513
4514 action = (u8 *) &mgmt->u.action.u;
4515 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4516 " da " MACSTR " len %d freq %u",
4517 mgmt->u.action.category, *action,
4518 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4519
4520 sta = ap_get_sta(hapd, mgmt->sa);
4521
4522 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4523 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4524 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4525 "frame (category=%u) from unassociated STA " MACSTR,
4526 mgmt->u.action.category, MAC2STR(mgmt->sa));
4527 return 0;
4528 }
4529
4530 if (sta && (sta->flags & WLAN_STA_MFP) &&
4531 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4532 robust_action_frame(mgmt->u.action.category)) {
4533 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4534 HOSTAPD_LEVEL_DEBUG,
4535 "Dropped unprotected Robust Action frame from "
4536 "an MFP STA");
4537 return 0;
4538 }
4539
4540 if (sta) {
4541 u16 fc = le_to_host16(mgmt->frame_control);
4542 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4543
4544 if ((fc & WLAN_FC_RETRY) &&
4545 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4546 sta->last_seq_ctrl == seq_ctrl &&
4547 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4548 hostapd_logger(hapd, sta->addr,
4549 HOSTAPD_MODULE_IEEE80211,
4550 HOSTAPD_LEVEL_DEBUG,
4551 "Drop repeated action frame seq_ctrl=0x%x",
4552 seq_ctrl);
4553 return 1;
4554 }
4555
4556 sta->last_seq_ctrl = seq_ctrl;
4557 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4558 }
4559
4560 switch (mgmt->u.action.category) {
4561 #ifdef CONFIG_IEEE80211R_AP
4562 case WLAN_ACTION_FT:
4563 if (!sta ||
4564 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4565 len - IEEE80211_HDRLEN))
4566 break;
4567 return 1;
4568 #endif /* CONFIG_IEEE80211R_AP */
4569 case WLAN_ACTION_WMM:
4570 hostapd_wmm_action(hapd, mgmt, len);
4571 return 1;
4572 case WLAN_ACTION_SA_QUERY:
4573 ieee802_11_sa_query_action(hapd, mgmt, len);
4574 return 1;
4575 #ifdef CONFIG_WNM_AP
4576 case WLAN_ACTION_WNM:
4577 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4578 return 1;
4579 #endif /* CONFIG_WNM_AP */
4580 #ifdef CONFIG_FST
4581 case WLAN_ACTION_FST:
4582 if (hapd->iface->fst)
4583 fst_rx_action(hapd->iface->fst, mgmt, len);
4584 else
4585 wpa_printf(MSG_DEBUG,
4586 "FST: Ignore FST Action frame - no FST attached");
4587 return 1;
4588 #endif /* CONFIG_FST */
4589 case WLAN_ACTION_PUBLIC:
4590 case WLAN_ACTION_PROTECTED_DUAL:
4591 #ifdef CONFIG_IEEE80211N
4592 if (len >= IEEE80211_HDRLEN + 2 &&
4593 mgmt->u.action.u.public_action.action ==
4594 WLAN_PA_20_40_BSS_COEX) {
4595 hostapd_2040_coex_action(hapd, mgmt, len);
4596 return 1;
4597 }
4598 #endif /* CONFIG_IEEE80211N */
4599 #ifdef CONFIG_DPP
4600 if (len >= IEEE80211_HDRLEN + 6 &&
4601 mgmt->u.action.u.vs_public_action.action ==
4602 WLAN_PA_VENDOR_SPECIFIC &&
4603 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4604 OUI_WFA &&
4605 mgmt->u.action.u.vs_public_action.variable[0] ==
4606 DPP_OUI_TYPE) {
4607 const u8 *pos, *end;
4608
4609 pos = mgmt->u.action.u.vs_public_action.oui;
4610 end = ((const u8 *) mgmt) + len;
4611 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4612 freq);
4613 return 1;
4614 }
4615 if (len >= IEEE80211_HDRLEN + 2 &&
4616 (mgmt->u.action.u.public_action.action ==
4617 WLAN_PA_GAS_INITIAL_RESP ||
4618 mgmt->u.action.u.public_action.action ==
4619 WLAN_PA_GAS_COMEBACK_RESP)) {
4620 const u8 *pos, *end;
4621
4622 pos = &mgmt->u.action.u.public_action.action;
4623 end = ((const u8 *) mgmt) + len;
4624 gas_query_ap_rx(hapd->gas, mgmt->sa,
4625 mgmt->u.action.category,
4626 pos, end - pos, hapd->iface->freq);
4627 return 1;
4628 }
4629 #endif /* CONFIG_DPP */
4630 if (hapd->public_action_cb) {
4631 hapd->public_action_cb(hapd->public_action_cb_ctx,
4632 (u8 *) mgmt, len,
4633 hapd->iface->freq);
4634 }
4635 if (hapd->public_action_cb2) {
4636 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4637 (u8 *) mgmt, len,
4638 hapd->iface->freq);
4639 }
4640 if (hapd->public_action_cb || hapd->public_action_cb2)
4641 return 1;
4642 break;
4643 case WLAN_ACTION_VENDOR_SPECIFIC:
4644 if (hapd->vendor_action_cb) {
4645 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4646 (u8 *) mgmt, len,
4647 hapd->iface->freq) == 0)
4648 return 1;
4649 }
4650 break;
4651 case WLAN_ACTION_RADIO_MEASUREMENT:
4652 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4653 return 1;
4654 }
4655
4656 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4657 HOSTAPD_LEVEL_DEBUG,
4658 "handle_action - unknown action category %d or invalid "
4659 "frame",
4660 mgmt->u.action.category);
4661 if (!is_multicast_ether_addr(mgmt->da) &&
4662 !(mgmt->u.action.category & 0x80) &&
4663 !is_multicast_ether_addr(mgmt->sa)) {
4664 struct ieee80211_mgmt *resp;
4665
4666 /*
4667 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4668 * Return the Action frame to the source without change
4669 * except that MSB of the Category set to 1.
4670 */
4671 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4672 "frame back to sender");
4673 resp = os_memdup(mgmt, len);
4674 if (resp == NULL)
4675 return 0;
4676 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4677 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4678 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4679 resp->u.action.category |= 0x80;
4680
4681 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
4682 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4683 "Action frame");
4684 }
4685 os_free(resp);
4686 }
4687
4688 return 1;
4689 }
4690
4691
4692 /**
4693 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4694 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4695 * sent to)
4696 * @buf: management frame data (starting from IEEE 802.11 header)
4697 * @len: length of frame data in octets
4698 * @fi: meta data about received frame (signal level, etc.)
4699 *
4700 * Process all incoming IEEE 802.11 management frames. This will be called for
4701 * each frame received from the kernel driver through wlan#ap interface. In
4702 * addition, it can be called to re-inserted pending frames (e.g., when using
4703 * external RADIUS server as an MAC ACL).
4704 */
4705 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4706 struct hostapd_frame_info *fi)
4707 {
4708 struct ieee80211_mgmt *mgmt;
4709 u16 fc, stype;
4710 int ret = 0;
4711 unsigned int freq;
4712 int ssi_signal = fi ? fi->ssi_signal : 0;
4713
4714 if (len < 24)
4715 return 0;
4716
4717 if (fi && fi->freq)
4718 freq = fi->freq;
4719 else
4720 freq = hapd->iface->freq;
4721
4722 mgmt = (struct ieee80211_mgmt *) buf;
4723 fc = le_to_host16(mgmt->frame_control);
4724 stype = WLAN_FC_GET_STYPE(fc);
4725
4726 if (is_multicast_ether_addr(mgmt->sa) ||
4727 is_zero_ether_addr(mgmt->sa) ||
4728 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
4729 /* Do not process any frames with unexpected/invalid SA so that
4730 * we do not add any state for unexpected STA addresses or end
4731 * up sending out frames to unexpected destination. */
4732 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
4733 " in received frame - ignore this frame silently",
4734 MAC2STR(mgmt->sa));
4735 return 0;
4736 }
4737
4738 if (stype == WLAN_FC_STYPE_BEACON) {
4739 handle_beacon(hapd, mgmt, len, fi);
4740 return 1;
4741 }
4742
4743 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4744 #ifdef CONFIG_P2P
4745 /* Invitation responses can be sent with the peer MAC as BSSID */
4746 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4747 stype == WLAN_FC_STYPE_ACTION) &&
4748 #endif /* CONFIG_P2P */
4749 #ifdef CONFIG_MESH
4750 !(hapd->conf->mesh & MESH_ENABLED) &&
4751 #endif /* CONFIG_MESH */
4752 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4753 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4754 MAC2STR(mgmt->bssid));
4755 return 0;
4756 }
4757
4758
4759 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4760 handle_probe_req(hapd, mgmt, len, ssi_signal);
4761 return 1;
4762 }
4763
4764 if ((!is_broadcast_ether_addr(mgmt->da) ||
4765 stype != WLAN_FC_STYPE_ACTION) &&
4766 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4767 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4768 HOSTAPD_LEVEL_DEBUG,
4769 "MGMT: DA=" MACSTR " not our address",
4770 MAC2STR(mgmt->da));
4771 return 0;
4772 }
4773
4774 if (hapd->iconf->track_sta_max_num)
4775 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4776
4777 switch (stype) {
4778 case WLAN_FC_STYPE_AUTH:
4779 wpa_printf(MSG_DEBUG, "mgmt::auth");
4780 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4781 ret = 1;
4782 break;
4783 case WLAN_FC_STYPE_ASSOC_REQ:
4784 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4785 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4786 ret = 1;
4787 break;
4788 case WLAN_FC_STYPE_REASSOC_REQ:
4789 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4790 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4791 ret = 1;
4792 break;
4793 case WLAN_FC_STYPE_DISASSOC:
4794 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4795 handle_disassoc(hapd, mgmt, len);
4796 ret = 1;
4797 break;
4798 case WLAN_FC_STYPE_DEAUTH:
4799 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4800 handle_deauth(hapd, mgmt, len);
4801 ret = 1;
4802 break;
4803 case WLAN_FC_STYPE_ACTION:
4804 wpa_printf(MSG_DEBUG, "mgmt::action");
4805 ret = handle_action(hapd, mgmt, len, freq);
4806 break;
4807 default:
4808 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4809 HOSTAPD_LEVEL_DEBUG,
4810 "unknown mgmt frame subtype %d", stype);
4811 break;
4812 }
4813
4814 return ret;
4815 }
4816
4817
4818 static void handle_auth_cb(struct hostapd_data *hapd,
4819 const struct ieee80211_mgmt *mgmt,
4820 size_t len, int ok)
4821 {
4822 u16 auth_alg, auth_transaction, status_code;
4823 struct sta_info *sta;
4824
4825 sta = ap_get_sta(hapd, mgmt->da);
4826 if (!sta) {
4827 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4828 " not found",
4829 MAC2STR(mgmt->da));
4830 return;
4831 }
4832
4833 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4834 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4835 status_code = le_to_host16(mgmt->u.auth.status_code);
4836
4837 if (!ok) {
4838 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4839 HOSTAPD_LEVEL_NOTICE,
4840 "did not acknowledge authentication response");
4841 goto fail;
4842 }
4843
4844 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4845 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4846 (unsigned long) len);
4847 goto fail;
4848 }
4849
4850 if (status_code == WLAN_STATUS_SUCCESS &&
4851 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4852 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4853 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4854 HOSTAPD_LEVEL_INFO, "authenticated");
4855 sta->flags |= WLAN_STA_AUTH;
4856 if (sta->added_unassoc)
4857 hostapd_set_sta_flags(hapd, sta);
4858 return;
4859 }
4860
4861 fail:
4862 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4863 hostapd_drv_sta_remove(hapd, sta->addr);
4864 sta->added_unassoc = 0;
4865 }
4866 }
4867
4868
4869 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4870 struct sta_info *sta,
4871 char *ifname_wds)
4872 {
4873 int i;
4874 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4875
4876 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4877 return;
4878
4879 for (i = 0; i < 4; i++) {
4880 if (ssid->wep.key[i] &&
4881 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4882 i == ssid->wep.idx, NULL, 0,
4883 ssid->wep.key[i], ssid->wep.len[i])) {
4884 wpa_printf(MSG_WARNING,
4885 "Could not set WEP keys for WDS interface; %s",
4886 ifname_wds);
4887 break;
4888 }
4889 }
4890 }
4891
4892
4893 static void handle_assoc_cb(struct hostapd_data *hapd,
4894 const struct ieee80211_mgmt *mgmt,
4895 size_t len, int reassoc, int ok)
4896 {
4897 u16 status;
4898 struct sta_info *sta;
4899 int new_assoc = 1;
4900
4901 sta = ap_get_sta(hapd, mgmt->da);
4902 if (!sta) {
4903 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4904 MAC2STR(mgmt->da));
4905 return;
4906 }
4907
4908 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4909 sizeof(mgmt->u.assoc_resp))) {
4910 wpa_printf(MSG_INFO,
4911 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4912 reassoc, (unsigned long) len);
4913 hostapd_drv_sta_remove(hapd, sta->addr);
4914 return;
4915 }
4916
4917 if (reassoc)
4918 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4919 else
4920 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4921
4922 if (!ok) {
4923 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4924 HOSTAPD_LEVEL_DEBUG,
4925 "did not acknowledge association response");
4926 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4927 /* The STA is added only in case of SUCCESS */
4928 if (status == WLAN_STATUS_SUCCESS)
4929 hostapd_drv_sta_remove(hapd, sta->addr);
4930
4931 return;
4932 }
4933
4934 if (status != WLAN_STATUS_SUCCESS)
4935 return;
4936
4937 /* Stop previous accounting session, if one is started, and allocate
4938 * new session id for the new session. */
4939 accounting_sta_stop(hapd, sta);
4940
4941 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4942 HOSTAPD_LEVEL_INFO,
4943 "associated (aid %d)",
4944 sta->aid);
4945
4946 if (sta->flags & WLAN_STA_ASSOC)
4947 new_assoc = 0;
4948 sta->flags |= WLAN_STA_ASSOC;
4949 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4950 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4951 !hapd->conf->osen) ||
4952 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4953 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4954 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4955 sta->auth_alg == WLAN_AUTH_FT) {
4956 /*
4957 * Open, static WEP, FT protocol, or FILS; no separate
4958 * authorization step.
4959 */
4960 ap_sta_set_authorized(hapd, sta, 1);
4961 }
4962
4963 if (reassoc)
4964 mlme_reassociate_indication(hapd, sta);
4965 else
4966 mlme_associate_indication(hapd, sta);
4967
4968 sta->sa_query_timed_out = 0;
4969
4970 if (sta->eapol_sm == NULL) {
4971 /*
4972 * This STA does not use RADIUS server for EAP authentication,
4973 * so bind it to the selected VLAN interface now, since the
4974 * interface selection is not going to change anymore.
4975 */
4976 if (ap_sta_bind_vlan(hapd, sta) < 0)
4977 return;
4978 } else if (sta->vlan_id) {
4979 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4980 if (ap_sta_bind_vlan(hapd, sta) < 0)
4981 return;
4982 }
4983
4984 hostapd_set_sta_flags(hapd, sta);
4985
4986 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4987 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4988 MACSTR " based on pending request",
4989 MAC2STR(sta->addr));
4990 sta->pending_wds_enable = 0;
4991 sta->flags |= WLAN_STA_WDS;
4992 }
4993
4994 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4995 int ret;
4996 char ifname_wds[IFNAMSIZ + 1];
4997
4998 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4999 MACSTR " (aid %u)",
5000 MAC2STR(sta->addr), sta->aid);
5001 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
5002 sta->aid, 1);
5003 if (!ret)
5004 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
5005 }
5006
5007 if (sta->auth_alg == WLAN_AUTH_FT)
5008 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
5009 else
5010 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
5011 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
5012 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
5013
5014 #ifdef CONFIG_FILS
5015 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
5016 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5017 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5018 fils_set_tk(sta->wpa_sm) < 0) {
5019 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
5020 ap_sta_disconnect(hapd, sta, sta->addr,
5021 WLAN_REASON_UNSPECIFIED);
5022 return;
5023 }
5024 #endif /* CONFIG_FILS */
5025
5026 if (sta->pending_eapol_rx) {
5027 struct os_reltime now, age;
5028
5029 os_get_reltime(&now);
5030 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
5031 if (age.sec == 0 && age.usec < 200000) {
5032 wpa_printf(MSG_DEBUG,
5033 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
5034 MAC2STR(sta->addr));
5035 ieee802_1x_receive(
5036 hapd, mgmt->da,
5037 wpabuf_head(sta->pending_eapol_rx->buf),
5038 wpabuf_len(sta->pending_eapol_rx->buf));
5039 }
5040 wpabuf_free(sta->pending_eapol_rx->buf);
5041 os_free(sta->pending_eapol_rx);
5042 sta->pending_eapol_rx = NULL;
5043 }
5044 }
5045
5046
5047 static void handle_deauth_cb(struct hostapd_data *hapd,
5048 const struct ieee80211_mgmt *mgmt,
5049 size_t len, int ok)
5050 {
5051 struct sta_info *sta;
5052 if (is_multicast_ether_addr(mgmt->da))
5053 return;
5054 sta = ap_get_sta(hapd, mgmt->da);
5055 if (!sta) {
5056 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
5057 " not found", MAC2STR(mgmt->da));
5058 return;
5059 }
5060 if (ok)
5061 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
5062 MAC2STR(sta->addr));
5063 else
5064 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5065 "deauth", MAC2STR(sta->addr));
5066
5067 ap_sta_deauth_cb(hapd, sta);
5068 }
5069
5070
5071 static void handle_disassoc_cb(struct hostapd_data *hapd,
5072 const struct ieee80211_mgmt *mgmt,
5073 size_t len, int ok)
5074 {
5075 struct sta_info *sta;
5076 if (is_multicast_ether_addr(mgmt->da))
5077 return;
5078 sta = ap_get_sta(hapd, mgmt->da);
5079 if (!sta) {
5080 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
5081 " not found", MAC2STR(mgmt->da));
5082 return;
5083 }
5084 if (ok)
5085 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
5086 MAC2STR(sta->addr));
5087 else
5088 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5089 "disassoc", MAC2STR(sta->addr));
5090
5091 ap_sta_disassoc_cb(hapd, sta);
5092 }
5093
5094
5095 static void handle_action_cb(struct hostapd_data *hapd,
5096 const struct ieee80211_mgmt *mgmt,
5097 size_t len, int ok)
5098 {
5099 struct sta_info *sta;
5100 const struct rrm_measurement_report_element *report;
5101
5102 if (is_multicast_ether_addr(mgmt->da))
5103 return;
5104 #ifdef CONFIG_DPP
5105 if (len >= IEEE80211_HDRLEN + 6 &&
5106 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5107 mgmt->u.action.u.vs_public_action.action ==
5108 WLAN_PA_VENDOR_SPECIFIC &&
5109 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5110 OUI_WFA &&
5111 mgmt->u.action.u.vs_public_action.variable[0] ==
5112 DPP_OUI_TYPE) {
5113 const u8 *pos, *end;
5114
5115 pos = &mgmt->u.action.u.vs_public_action.variable[1];
5116 end = ((const u8 *) mgmt) + len;
5117 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
5118 return;
5119 }
5120 if (len >= IEEE80211_HDRLEN + 2 &&
5121 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5122 (mgmt->u.action.u.public_action.action ==
5123 WLAN_PA_GAS_INITIAL_REQ ||
5124 mgmt->u.action.u.public_action.action ==
5125 WLAN_PA_GAS_COMEBACK_REQ)) {
5126 const u8 *pos, *end;
5127
5128 pos = mgmt->u.action.u.public_action.variable;
5129 end = ((const u8 *) mgmt) + len;
5130 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
5131 return;
5132 }
5133 #endif /* CONFIG_DPP */
5134 sta = ap_get_sta(hapd, mgmt->da);
5135 if (!sta) {
5136 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
5137 " not found", MAC2STR(mgmt->da));
5138 return;
5139 }
5140
5141 if (len < 24 + 5 + sizeof(*report))
5142 return;
5143 report = (const struct rrm_measurement_report_element *)
5144 &mgmt->u.action.u.rrm.variable[2];
5145 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
5146 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
5147 report->eid == WLAN_EID_MEASURE_REQUEST &&
5148 report->len >= 3 &&
5149 report->type == MEASURE_TYPE_BEACON)
5150 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
5151 }
5152
5153
5154 /**
5155 * ieee802_11_mgmt_cb - Process management frame TX status callback
5156 * @hapd: hostapd BSS data structure (the BSS from which the management frame
5157 * was sent from)
5158 * @buf: management frame data (starting from IEEE 802.11 header)
5159 * @len: length of frame data in octets
5160 * @stype: management frame subtype from frame control field
5161 * @ok: Whether the frame was ACK'ed
5162 */
5163 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
5164 u16 stype, int ok)
5165 {
5166 const struct ieee80211_mgmt *mgmt;
5167 mgmt = (const struct ieee80211_mgmt *) buf;
5168
5169 #ifdef CONFIG_TESTING_OPTIONS
5170 if (hapd->ext_mgmt_frame_handling) {
5171 size_t hex_len = 2 * len + 1;
5172 char *hex = os_malloc(hex_len);
5173
5174 if (hex) {
5175 wpa_snprintf_hex(hex, hex_len, buf, len);
5176 wpa_msg(hapd->msg_ctx, MSG_INFO,
5177 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
5178 stype, ok, hex);
5179 os_free(hex);
5180 }
5181 return;
5182 }
5183 #endif /* CONFIG_TESTING_OPTIONS */
5184
5185 switch (stype) {
5186 case WLAN_FC_STYPE_AUTH:
5187 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
5188 handle_auth_cb(hapd, mgmt, len, ok);
5189 break;
5190 case WLAN_FC_STYPE_ASSOC_RESP:
5191 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
5192 handle_assoc_cb(hapd, mgmt, len, 0, ok);
5193 break;
5194 case WLAN_FC_STYPE_REASSOC_RESP:
5195 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
5196 handle_assoc_cb(hapd, mgmt, len, 1, ok);
5197 break;
5198 case WLAN_FC_STYPE_PROBE_RESP:
5199 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
5200 break;
5201 case WLAN_FC_STYPE_DEAUTH:
5202 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
5203 handle_deauth_cb(hapd, mgmt, len, ok);
5204 break;
5205 case WLAN_FC_STYPE_DISASSOC:
5206 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
5207 handle_disassoc_cb(hapd, mgmt, len, ok);
5208 break;
5209 case WLAN_FC_STYPE_ACTION:
5210 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
5211 handle_action_cb(hapd, mgmt, len, ok);
5212 break;
5213 default:
5214 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
5215 break;
5216 }
5217 }
5218
5219
5220 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
5221 {
5222 /* TODO */
5223 return 0;
5224 }
5225
5226
5227 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
5228 char *buf, size_t buflen)
5229 {
5230 /* TODO */
5231 return 0;
5232 }
5233
5234
5235 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
5236 const u8 *buf, size_t len, int ack)
5237 {
5238 struct sta_info *sta;
5239 struct hostapd_iface *iface = hapd->iface;
5240
5241 sta = ap_get_sta(hapd, addr);
5242 if (sta == NULL && iface->num_bss > 1) {
5243 size_t j;
5244 for (j = 0; j < iface->num_bss; j++) {
5245 hapd = iface->bss[j];
5246 sta = ap_get_sta(hapd, addr);
5247 if (sta)
5248 break;
5249 }
5250 }
5251 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
5252 return;
5253 if (sta->flags & WLAN_STA_PENDING_POLL) {
5254 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
5255 "activity poll", MAC2STR(sta->addr),
5256 ack ? "ACKed" : "did not ACK");
5257 if (ack)
5258 sta->flags &= ~WLAN_STA_PENDING_POLL;
5259 }
5260
5261 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
5262 }
5263
5264
5265 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5266 const u8 *data, size_t len, int ack)
5267 {
5268 struct sta_info *sta;
5269 struct hostapd_iface *iface = hapd->iface;
5270
5271 sta = ap_get_sta(hapd, dst);
5272 if (sta == NULL && iface->num_bss > 1) {
5273 size_t j;
5274 for (j = 0; j < iface->num_bss; j++) {
5275 hapd = iface->bss[j];
5276 sta = ap_get_sta(hapd, dst);
5277 if (sta)
5278 break;
5279 }
5280 }
5281 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5282 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5283 MACSTR " that is not currently associated",
5284 MAC2STR(dst));
5285 return;
5286 }
5287
5288 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5289 }
5290
5291
5292 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5293 {
5294 struct sta_info *sta;
5295 struct hostapd_iface *iface = hapd->iface;
5296
5297 sta = ap_get_sta(hapd, addr);
5298 if (sta == NULL && iface->num_bss > 1) {
5299 size_t j;
5300 for (j = 0; j < iface->num_bss; j++) {
5301 hapd = iface->bss[j];
5302 sta = ap_get_sta(hapd, addr);
5303 if (sta)
5304 break;
5305 }
5306 }
5307 if (sta == NULL)
5308 return;
5309 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5310 MAC2STR(sta->addr));
5311 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5312 return;
5313
5314 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5315 "activity poll", MAC2STR(sta->addr));
5316 sta->flags &= ~WLAN_STA_PENDING_POLL;
5317 }
5318
5319
5320 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5321 int wds)
5322 {
5323 struct sta_info *sta;
5324
5325 sta = ap_get_sta(hapd, src);
5326 if (sta &&
5327 ((sta->flags & WLAN_STA_ASSOC) ||
5328 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5329 if (!hapd->conf->wds_sta)
5330 return;
5331
5332 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5333 WLAN_STA_ASSOC_REQ_OK) {
5334 wpa_printf(MSG_DEBUG,
5335 "Postpone 4-address WDS mode enabling for STA "
5336 MACSTR " since TX status for AssocResp is not yet known",
5337 MAC2STR(sta->addr));
5338 sta->pending_wds_enable = 1;
5339 return;
5340 }
5341
5342 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5343 int ret;
5344 char ifname_wds[IFNAMSIZ + 1];
5345
5346 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5347 "STA " MACSTR " (aid %u)",
5348 MAC2STR(sta->addr), sta->aid);
5349 sta->flags |= WLAN_STA_WDS;
5350 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5351 sta->addr, sta->aid, 1);
5352 if (!ret)
5353 hostapd_set_wds_encryption(hapd, sta,
5354 ifname_wds);
5355 }
5356 return;
5357 }
5358
5359 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5360 MACSTR, MAC2STR(src));
5361 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
5362 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
5363 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
5364 * silently. */
5365 return;
5366 }
5367
5368 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5369 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5370 "already been sent, but no TX status yet known - "
5371 "ignore Class 3 frame issue with " MACSTR,
5372 MAC2STR(src));
5373 return;
5374 }
5375
5376 if (sta && (sta->flags & WLAN_STA_AUTH))
5377 hostapd_drv_sta_disassoc(
5378 hapd, src,
5379 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5380 else
5381 hostapd_drv_sta_deauth(
5382 hapd, src,
5383 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5384 }
5385
5386
5387 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.