]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ieee802_11.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SAE: Set special Sc value when moving to Accepted state
[thirdparty/hostap.git] / src / ap / ieee802_11.c
1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "radius/radius.h"
25 #include "radius/radius_client.h"
26 #include "p2p/p2p.h"
27 #include "wps/wps.h"
28 #include "fst/fst.h"
29 #include "hostapd.h"
30 #include "beacon.h"
31 #include "ieee802_11_auth.h"
32 #include "sta_info.h"
33 #include "ieee802_1x.h"
34 #include "wpa_auth.h"
35 #include "pmksa_cache_auth.h"
36 #include "wmm.h"
37 #include "ap_list.h"
38 #include "accounting.h"
39 #include "ap_config.h"
40 #include "ap_mlme.h"
41 #include "p2p_hostapd.h"
42 #include "ap_drv_ops.h"
43 #include "wnm_ap.h"
44 #include "hw_features.h"
45 #include "ieee802_11.h"
46 #include "dfs.h"
47 #include "mbo_ap.h"
48 #include "rrm.h"
49 #include "taxonomy.h"
50 #include "fils_hlp.h"
51 #include "dpp_hostapd.h"
52 #include "gas_query_ap.h"
53
54
55 #ifdef CONFIG_FILS
56 static struct wpabuf *
57 prepare_auth_resp_fils(struct hostapd_data *hapd,
58 struct sta_info *sta, u16 *resp,
59 struct rsn_pmksa_cache_entry *pmksa,
60 struct wpabuf *erp_resp,
61 const u8 *msk, size_t msk_len,
62 int *is_pub);
63 #endif /* CONFIG_FILS */
64
65 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
66 {
67 u8 *pos = eid;
68 int i, num, count;
69
70 if (hapd->iface->current_rates == NULL)
71 return eid;
72
73 *pos++ = WLAN_EID_SUPP_RATES;
74 num = hapd->iface->num_rates;
75 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
76 num++;
77 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
78 num++;
79 if (num > 8) {
80 /* rest of the rates are encoded in Extended supported
81 * rates element */
82 num = 8;
83 }
84
85 *pos++ = num;
86 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
87 i++) {
88 count++;
89 *pos = hapd->iface->current_rates[i].rate / 5;
90 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
91 *pos |= 0x80;
92 pos++;
93 }
94
95 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
96 count++;
97 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
98 }
99
100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
101 count++;
102 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
103 }
104
105 return pos;
106 }
107
108
109 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
110 {
111 u8 *pos = eid;
112 int i, num, count;
113
114 if (hapd->iface->current_rates == NULL)
115 return eid;
116
117 num = hapd->iface->num_rates;
118 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
119 num++;
120 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
121 num++;
122 if (num <= 8)
123 return eid;
124 num -= 8;
125
126 *pos++ = WLAN_EID_EXT_SUPP_RATES;
127 *pos++ = num;
128 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
129 i++) {
130 count++;
131 if (count <= 8)
132 continue; /* already in SuppRates IE */
133 *pos = hapd->iface->current_rates[i].rate / 5;
134 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
135 *pos |= 0x80;
136 pos++;
137 }
138
139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
140 count++;
141 if (count > 8)
142 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
143 }
144
145 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
146 count++;
147 if (count > 8)
148 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
149 }
150
151 return pos;
152 }
153
154
155 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
156 {
157 int capab = WLAN_CAPABILITY_ESS;
158 int privacy;
159 int dfs;
160 int i;
161
162 /* Check if any of configured channels require DFS */
163 dfs = hostapd_is_dfs_required(hapd->iface);
164 if (dfs < 0) {
165 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
166 dfs);
167 dfs = 0;
168 }
169
170 if (hapd->iface->num_sta_no_short_preamble == 0 &&
171 hapd->iconf->preamble == SHORT_PREAMBLE)
172 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
173
174 privacy = hapd->conf->ssid.wep.keys_set;
175
176 if (hapd->conf->ieee802_1x &&
177 (hapd->conf->default_wep_key_len ||
178 hapd->conf->individual_wep_key_len))
179 privacy = 1;
180
181 if (hapd->conf->wpa)
182 privacy = 1;
183
184 #ifdef CONFIG_HS20
185 if (hapd->conf->osen)
186 privacy = 1;
187 #endif /* CONFIG_HS20 */
188
189 if (privacy)
190 capab |= WLAN_CAPABILITY_PRIVACY;
191
192 if (hapd->iface->current_mode &&
193 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
194 hapd->iface->num_sta_no_short_slot_time == 0)
195 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
196
197 /*
198 * Currently, Spectrum Management capability bit is set when directly
199 * requested in configuration by spectrum_mgmt_required or when AP is
200 * running on DFS channel.
201 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
202 */
203 if (hapd->iface->current_mode &&
204 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
205 (hapd->iconf->spectrum_mgmt_required || dfs))
206 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
207
208 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
209 if (hapd->conf->radio_measurements[i]) {
210 capab |= IEEE80211_CAP_RRM;
211 break;
212 }
213 }
214
215 return capab;
216 }
217
218
219 #ifndef CONFIG_NO_RC4
220 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
221 u16 auth_transaction, const u8 *challenge,
222 int iswep)
223 {
224 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
225 HOSTAPD_LEVEL_DEBUG,
226 "authentication (shared key, transaction %d)",
227 auth_transaction);
228
229 if (auth_transaction == 1) {
230 if (!sta->challenge) {
231 /* Generate a pseudo-random challenge */
232 u8 key[8];
233
234 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
235 if (sta->challenge == NULL)
236 return WLAN_STATUS_UNSPECIFIED_FAILURE;
237
238 if (os_get_random(key, sizeof(key)) < 0) {
239 os_free(sta->challenge);
240 sta->challenge = NULL;
241 return WLAN_STATUS_UNSPECIFIED_FAILURE;
242 }
243
244 rc4_skip(key, sizeof(key), 0,
245 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
246 }
247 return 0;
248 }
249
250 if (auth_transaction != 3)
251 return WLAN_STATUS_UNSPECIFIED_FAILURE;
252
253 /* Transaction 3 */
254 if (!iswep || !sta->challenge || !challenge ||
255 os_memcmp_const(sta->challenge, challenge,
256 WLAN_AUTH_CHALLENGE_LEN)) {
257 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
258 HOSTAPD_LEVEL_INFO,
259 "shared key authentication - invalid "
260 "challenge-response");
261 return WLAN_STATUS_CHALLENGE_FAIL;
262 }
263
264 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
265 HOSTAPD_LEVEL_DEBUG,
266 "authentication OK (shared key)");
267 sta->flags |= WLAN_STA_AUTH;
268 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
269 os_free(sta->challenge);
270 sta->challenge = NULL;
271
272 return 0;
273 }
274 #endif /* CONFIG_NO_RC4 */
275
276
277 static int send_auth_reply(struct hostapd_data *hapd,
278 const u8 *dst, const u8 *bssid,
279 u16 auth_alg, u16 auth_transaction, u16 resp,
280 const u8 *ies, size_t ies_len)
281 {
282 struct ieee80211_mgmt *reply;
283 u8 *buf;
284 size_t rlen;
285 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
286
287 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
288 buf = os_zalloc(rlen);
289 if (buf == NULL)
290 return -1;
291
292 reply = (struct ieee80211_mgmt *) buf;
293 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
294 WLAN_FC_STYPE_AUTH);
295 os_memcpy(reply->da, dst, ETH_ALEN);
296 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
297 os_memcpy(reply->bssid, bssid, ETH_ALEN);
298
299 reply->u.auth.auth_alg = host_to_le16(auth_alg);
300 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
301 reply->u.auth.status_code = host_to_le16(resp);
302
303 if (ies && ies_len)
304 os_memcpy(reply->u.auth.variable, ies, ies_len);
305
306 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
307 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)",
308 MAC2STR(dst), auth_alg, auth_transaction,
309 resp, (unsigned long) ies_len);
310 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
311 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
312 else
313 reply_res = WLAN_STATUS_SUCCESS;
314
315 os_free(buf);
316
317 return reply_res;
318 }
319
320
321 #ifdef CONFIG_IEEE80211R_AP
322 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
323 u16 auth_transaction, u16 status,
324 const u8 *ies, size_t ies_len)
325 {
326 struct hostapd_data *hapd = ctx;
327 struct sta_info *sta;
328 int reply_res;
329
330 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
331 auth_transaction, status, ies, ies_len);
332
333 sta = ap_get_sta(hapd, dst);
334 if (sta == NULL)
335 return;
336
337 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
338 status != WLAN_STATUS_SUCCESS)) {
339 hostapd_drv_sta_remove(hapd, sta->addr);
340 sta->added_unassoc = 0;
341 return;
342 }
343
344 if (status != WLAN_STATUS_SUCCESS)
345 return;
346
347 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
349 sta->flags |= WLAN_STA_AUTH;
350 mlme_authenticate_indication(hapd, sta);
351 }
352 #endif /* CONFIG_IEEE80211R_AP */
353
354
355 #ifdef CONFIG_SAE
356
357 static void sae_set_state(struct sta_info *sta, enum sae_state state,
358 const char *reason)
359 {
360 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
361 sae_state_txt(sta->sae->state), sae_state_txt(state),
362 MAC2STR(sta->addr), reason);
363 sta->sae->state = state;
364 }
365
366
367 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
368 struct sta_info *sta, int update)
369 {
370 struct wpabuf *buf;
371 const char *password;
372
373 password = hapd->conf->sae_password;
374 if (!password)
375 password = hapd->conf->ssid.wpa_passphrase;
376 if (!password) {
377 wpa_printf(MSG_DEBUG, "SAE: No password available");
378 return NULL;
379 }
380
381 if (update &&
382 sae_prepare_commit(hapd->own_addr, sta->addr,
383 (u8 *) password, os_strlen(password),
384 sta->sae) < 0) {
385 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
386 return NULL;
387 }
388
389 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN);
390 if (buf == NULL)
391 return NULL;
392 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
393 sta->sae->tmp->anti_clogging_token : NULL);
394
395 return buf;
396 }
397
398
399 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
400 struct sta_info *sta)
401 {
402 struct wpabuf *buf;
403
404 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
405 if (buf == NULL)
406 return NULL;
407
408 sae_write_confirm(sta->sae, buf);
409
410 return buf;
411 }
412
413
414 static int auth_sae_send_commit(struct hostapd_data *hapd,
415 struct sta_info *sta,
416 const u8 *bssid, int update)
417 {
418 struct wpabuf *data;
419 int reply_res;
420
421 data = auth_build_sae_commit(hapd, sta, update);
422 if (data == NULL)
423 return WLAN_STATUS_UNSPECIFIED_FAILURE;
424
425 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
426 WLAN_STATUS_SUCCESS, wpabuf_head(data),
427 wpabuf_len(data));
428
429 wpabuf_free(data);
430
431 return reply_res;
432 }
433
434
435 static int auth_sae_send_confirm(struct hostapd_data *hapd,
436 struct sta_info *sta,
437 const u8 *bssid)
438 {
439 struct wpabuf *data;
440 int reply_res;
441
442 data = auth_build_sae_confirm(hapd, sta);
443 if (data == NULL)
444 return WLAN_STATUS_UNSPECIFIED_FAILURE;
445
446 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
447 WLAN_STATUS_SUCCESS, wpabuf_head(data),
448 wpabuf_len(data));
449
450 wpabuf_free(data);
451
452 return reply_res;
453 }
454
455
456 static int use_sae_anti_clogging(struct hostapd_data *hapd)
457 {
458 struct sta_info *sta;
459 unsigned int open = 0;
460
461 if (hapd->conf->sae_anti_clogging_threshold == 0)
462 return 1;
463
464 for (sta = hapd->sta_list; sta; sta = sta->next) {
465 if (!sta->sae)
466 continue;
467 if (sta->sae->state != SAE_COMMITTED &&
468 sta->sae->state != SAE_CONFIRMED)
469 continue;
470 open++;
471 if (open >= hapd->conf->sae_anti_clogging_threshold)
472 return 1;
473 }
474
475 return 0;
476 }
477
478
479 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
480 const u8 *token, size_t token_len)
481 {
482 u8 mac[SHA256_MAC_LEN];
483
484 if (token_len != SHA256_MAC_LEN)
485 return -1;
486 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
487 addr, ETH_ALEN, mac) < 0 ||
488 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0)
489 return -1;
490
491 return 0;
492 }
493
494
495 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
496 int group, const u8 *addr)
497 {
498 struct wpabuf *buf;
499 u8 *token;
500 struct os_reltime now;
501
502 os_get_reltime(&now);
503 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
504 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) {
505 if (random_get_bytes(hapd->sae_token_key,
506 sizeof(hapd->sae_token_key)) < 0)
507 return NULL;
508 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
509 hapd->sae_token_key, sizeof(hapd->sae_token_key));
510 hapd->last_sae_token_key_update = now;
511 }
512
513 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
514 if (buf == NULL)
515 return NULL;
516
517 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
518
519 token = wpabuf_put(buf, SHA256_MAC_LEN);
520 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
521 addr, ETH_ALEN, token);
522
523 return buf;
524 }
525
526
527 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
528 {
529 if (sta->sae->sync > hapd->conf->sae_sync) {
530 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
531 sta->sae->sync = 0;
532 return -1;
533 }
534 return 0;
535 }
536
537
538 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
539 {
540 struct hostapd_data *hapd = eloop_ctx;
541 struct sta_info *sta = eloop_data;
542 int ret;
543
544 if (sae_check_big_sync(hapd, sta))
545 return;
546 sta->sae->sync++;
547 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
548 " (sync=%d state=%s)",
549 MAC2STR(sta->addr), sta->sae->sync,
550 sae_state_txt(sta->sae->state));
551
552 switch (sta->sae->state) {
553 case SAE_COMMITTED:
554 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
555 eloop_register_timeout(0,
556 hapd->dot11RSNASAERetransPeriod * 1000,
557 auth_sae_retransmit_timer, hapd, sta);
558 break;
559 case SAE_CONFIRMED:
560 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
561 eloop_register_timeout(0,
562 hapd->dot11RSNASAERetransPeriod * 1000,
563 auth_sae_retransmit_timer, hapd, sta);
564 break;
565 default:
566 ret = -1;
567 break;
568 }
569
570 if (ret != WLAN_STATUS_SUCCESS)
571 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
572 }
573
574
575 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
576 {
577 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
578 }
579
580
581 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
582 struct sta_info *sta)
583 {
584 if (!(hapd->conf->mesh & MESH_ENABLED))
585 return;
586
587 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
588 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
589 auth_sae_retransmit_timer, hapd, sta);
590 }
591
592
593 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
594 {
595 sta->flags |= WLAN_STA_AUTH;
596 sta->auth_alg = WLAN_AUTH_SAE;
597 mlme_authenticate_indication(hapd, sta);
598 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
599 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
600 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
601 sta->sae->pmk, sta->sae->pmkid);
602 }
603
604
605 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
606 const u8 *bssid, u8 auth_transaction)
607 {
608 int ret;
609
610 if (auth_transaction != 1 && auth_transaction != 2)
611 return WLAN_STATUS_UNSPECIFIED_FAILURE;
612
613 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
614 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
615 auth_transaction);
616 switch (sta->sae->state) {
617 case SAE_NOTHING:
618 if (auth_transaction == 1) {
619 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
620 if (ret)
621 return ret;
622 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
623
624 if (sae_process_commit(sta->sae) < 0)
625 return WLAN_STATUS_UNSPECIFIED_FAILURE;
626
627 /*
628 * In mesh case, both Commit and Confirm can be sent
629 * immediately. In infrastructure BSS, only a single
630 * Authentication frame (Commit) is expected from the AP
631 * here and the second one (Confirm) will be sent once
632 * the STA has sent its second Authentication frame
633 * (Confirm).
634 */
635 if (hapd->conf->mesh & MESH_ENABLED) {
636 /*
637 * Send both Commit and Confirm immediately
638 * based on SAE finite state machine
639 * Nothing -> Confirm transition.
640 */
641 ret = auth_sae_send_confirm(hapd, sta, bssid);
642 if (ret)
643 return ret;
644 sae_set_state(sta, SAE_CONFIRMED,
645 "Sent Confirm (mesh)");
646 } else {
647 /*
648 * For infrastructure BSS, send only the Commit
649 * message now to get alternating sequence of
650 * Authentication frames between the AP and STA.
651 * Confirm will be sent in
652 * Committed -> Confirmed/Accepted transition
653 * when receiving Confirm from STA.
654 */
655 }
656 sta->sae->sync = 0;
657 sae_set_retransmit_timer(hapd, sta);
658 } else {
659 hostapd_logger(hapd, sta->addr,
660 HOSTAPD_MODULE_IEEE80211,
661 HOSTAPD_LEVEL_DEBUG,
662 "SAE confirm before commit");
663 }
664 break;
665 case SAE_COMMITTED:
666 sae_clear_retransmit_timer(hapd, sta);
667 if (auth_transaction == 1) {
668 if (sae_process_commit(sta->sae) < 0)
669 return WLAN_STATUS_UNSPECIFIED_FAILURE;
670
671 ret = auth_sae_send_confirm(hapd, sta, bssid);
672 if (ret)
673 return ret;
674 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
675 sta->sae->sync = 0;
676 sae_set_retransmit_timer(hapd, sta);
677 } else if (hapd->conf->mesh & MESH_ENABLED) {
678 /*
679 * In mesh case, follow SAE finite state machine and
680 * send Commit now, if sync count allows.
681 */
682 if (sae_check_big_sync(hapd, sta))
683 return WLAN_STATUS_SUCCESS;
684 sta->sae->sync++;
685
686 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
687 if (ret)
688 return ret;
689
690 sae_set_retransmit_timer(hapd, sta);
691 } else {
692 /*
693 * For instructure BSS, send the postponed Confirm from
694 * Nothing -> Confirmed transition that was reduced to
695 * Nothing -> Committed above.
696 */
697 ret = auth_sae_send_confirm(hapd, sta, bssid);
698 if (ret)
699 return ret;
700
701 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
702
703 /*
704 * Since this was triggered on Confirm RX, run another
705 * step to get to Accepted without waiting for
706 * additional events.
707 */
708 return sae_sm_step(hapd, sta, bssid, auth_transaction);
709 }
710 break;
711 case SAE_CONFIRMED:
712 sae_clear_retransmit_timer(hapd, sta);
713 if (auth_transaction == 1) {
714 if (sae_check_big_sync(hapd, sta))
715 return WLAN_STATUS_SUCCESS;
716 sta->sae->sync++;
717
718 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
719 if (ret)
720 return ret;
721
722 if (sae_process_commit(sta->sae) < 0)
723 return WLAN_STATUS_UNSPECIFIED_FAILURE;
724
725 ret = auth_sae_send_confirm(hapd, sta, bssid);
726 if (ret)
727 return ret;
728
729 sae_set_retransmit_timer(hapd, sta);
730 } else {
731 sta->sae->send_confirm = 0xffff;
732 sae_accept_sta(hapd, sta);
733 }
734 break;
735 case SAE_ACCEPTED:
736 if (auth_transaction == 1) {
737 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
738 ") doing reauthentication",
739 MAC2STR(sta->addr));
740 ap_free_sta(hapd, sta);
741 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
742 } else {
743 if (sae_check_big_sync(hapd, sta))
744 return WLAN_STATUS_SUCCESS;
745 sta->sae->sync++;
746
747 ret = auth_sae_send_confirm(hapd, sta, bssid);
748 sae_clear_temp_data(sta->sae);
749 if (ret)
750 return ret;
751 }
752 break;
753 default:
754 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
755 sta->sae->state);
756 return WLAN_STATUS_UNSPECIFIED_FAILURE;
757 }
758 return WLAN_STATUS_SUCCESS;
759 }
760
761
762 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
763 {
764 struct sae_data *sae = sta->sae;
765 int i, *groups = hapd->conf->sae_groups;
766
767 if (sae->state != SAE_COMMITTED)
768 return;
769
770 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
771
772 for (i = 0; groups && groups[i] > 0; i++) {
773 if (sae->group == groups[i])
774 break;
775 }
776
777 if (!groups || groups[i] <= 0) {
778 wpa_printf(MSG_DEBUG,
779 "SAE: Previously selected group not found from the current configuration");
780 return;
781 }
782
783 for (;;) {
784 i++;
785 if (groups[i] <= 0) {
786 wpa_printf(MSG_DEBUG,
787 "SAE: No alternative group enabled");
788 return;
789 }
790
791 if (sae_set_group(sae, groups[i]) < 0)
792 continue;
793
794 break;
795 }
796 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
797 }
798
799
800 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
801 const struct ieee80211_mgmt *mgmt, size_t len,
802 u16 auth_transaction, u16 status_code)
803 {
804 int resp = WLAN_STATUS_SUCCESS;
805 struct wpabuf *data = NULL;
806
807 #ifdef CONFIG_TESTING_OPTIONS
808 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
809 const u8 *pos, *end;
810
811 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
812 pos = mgmt->u.auth.variable;
813 end = ((const u8 *) mgmt) + len;
814 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
815 auth_transaction, resp, pos, end - pos);
816 goto remove_sta;
817 }
818
819 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
820 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
821 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
822 auth_transaction, resp,
823 wpabuf_head(hapd->conf->sae_commit_override),
824 wpabuf_len(hapd->conf->sae_commit_override));
825 goto remove_sta;
826 }
827 #endif /* CONFIG_TESTING_OPTIONS */
828 if (!sta->sae) {
829 if (auth_transaction != 1 ||
830 status_code != WLAN_STATUS_SUCCESS) {
831 resp = -1;
832 goto remove_sta;
833 }
834 sta->sae = os_zalloc(sizeof(*sta->sae));
835 if (!sta->sae) {
836 resp = -1;
837 goto remove_sta;
838 }
839 sae_set_state(sta, SAE_NOTHING, "Init");
840 sta->sae->sync = 0;
841 }
842
843 if (sta->mesh_sae_pmksa_caching) {
844 wpa_printf(MSG_DEBUG,
845 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
846 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
847 sta->mesh_sae_pmksa_caching = 0;
848 }
849
850 if (auth_transaction == 1) {
851 const u8 *token = NULL, *pos, *end;
852 size_t token_len = 0;
853 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
854 HOSTAPD_LEVEL_DEBUG,
855 "start SAE authentication (RX commit, status=%u)",
856 status_code);
857
858 if ((hapd->conf->mesh & MESH_ENABLED) &&
859 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
860 sta->sae->tmp) {
861 pos = mgmt->u.auth.variable;
862 end = ((const u8 *) mgmt) + len;
863 if (pos + sizeof(le16) > end) {
864 wpa_printf(MSG_ERROR,
865 "SAE: Too short anti-clogging token request");
866 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
867 goto reply;
868 }
869 resp = sae_group_allowed(sta->sae,
870 hapd->conf->sae_groups,
871 WPA_GET_LE16(pos));
872 if (resp != WLAN_STATUS_SUCCESS) {
873 wpa_printf(MSG_ERROR,
874 "SAE: Invalid group in anti-clogging token request");
875 goto reply;
876 }
877 pos += sizeof(le16);
878
879 wpabuf_free(sta->sae->tmp->anti_clogging_token);
880 sta->sae->tmp->anti_clogging_token =
881 wpabuf_alloc_copy(pos, end - pos);
882 if (sta->sae->tmp->anti_clogging_token == NULL) {
883 wpa_printf(MSG_ERROR,
884 "SAE: Failed to alloc for anti-clogging token");
885 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
886 goto remove_sta;
887 }
888
889 /*
890 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
891 * is 76, a new Commit Message shall be constructed
892 * with the Anti-Clogging Token from the received
893 * Authentication frame, and the commit-scalar and
894 * COMMIT-ELEMENT previously sent.
895 */
896 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
897 if (resp != WLAN_STATUS_SUCCESS) {
898 wpa_printf(MSG_ERROR,
899 "SAE: Failed to send commit message");
900 goto remove_sta;
901 }
902 sae_set_state(sta, SAE_COMMITTED,
903 "Sent Commit (anti-clogging token case in mesh)");
904 sta->sae->sync = 0;
905 sae_set_retransmit_timer(hapd, sta);
906 return;
907 }
908
909 if ((hapd->conf->mesh & MESH_ENABLED) &&
910 status_code ==
911 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
912 sta->sae->tmp) {
913 wpa_printf(MSG_DEBUG,
914 "SAE: Peer did not accept our SAE group");
915 sae_pick_next_group(hapd, sta);
916 goto remove_sta;
917 }
918
919 if (status_code != WLAN_STATUS_SUCCESS)
920 goto remove_sta;
921
922 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
923 ((const u8 *) mgmt) + len -
924 mgmt->u.auth.variable, &token,
925 &token_len, hapd->conf->sae_groups);
926 if (resp == SAE_SILENTLY_DISCARD) {
927 wpa_printf(MSG_DEBUG,
928 "SAE: Drop commit message from " MACSTR " due to reflection attack",
929 MAC2STR(sta->addr));
930 goto remove_sta;
931 }
932 if (token && check_sae_token(hapd, sta->addr, token, token_len)
933 < 0) {
934 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
935 "incorrect token from " MACSTR,
936 MAC2STR(sta->addr));
937 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
938 goto remove_sta;
939 }
940
941 if (resp != WLAN_STATUS_SUCCESS)
942 goto reply;
943
944 if (!token && use_sae_anti_clogging(hapd)) {
945 wpa_printf(MSG_DEBUG,
946 "SAE: Request anti-clogging token from "
947 MACSTR, MAC2STR(sta->addr));
948 data = auth_build_token_req(hapd, sta->sae->group,
949 sta->addr);
950 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
951 if (hapd->conf->mesh & MESH_ENABLED)
952 sae_set_state(sta, SAE_NOTHING,
953 "Request anti-clogging token case in mesh");
954 goto reply;
955 }
956
957 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
958 } else if (auth_transaction == 2) {
959 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
960 HOSTAPD_LEVEL_DEBUG,
961 "SAE authentication (RX confirm, status=%u)",
962 status_code);
963 if (status_code != WLAN_STATUS_SUCCESS)
964 goto remove_sta;
965 if (sta->sae->state >= SAE_CONFIRMED ||
966 !(hapd->conf->mesh & MESH_ENABLED)) {
967 const u8 *var;
968 size_t var_len;
969 u16 peer_send_confirm;
970
971 var = mgmt->u.auth.variable;
972 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
973 if (var_len < 2) {
974 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
975 goto reply;
976 }
977
978 peer_send_confirm = WPA_GET_LE16(var);
979
980 if (sta->sae->state == SAE_ACCEPTED &&
981 (peer_send_confirm <= sta->sae->rc ||
982 peer_send_confirm == 0xffff)) {
983 wpa_printf(MSG_DEBUG,
984 "SAE: Silently ignore unexpected Confirm from peer "
985 MACSTR
986 " (peer-send-confirm=%u Rc=%u)",
987 MAC2STR(sta->addr),
988 peer_send_confirm, sta->sae->rc);
989 return;
990 }
991
992 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
993 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
994 goto reply;
995 }
996 sta->sae->rc = peer_send_confirm;
997 }
998 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
999 } else {
1000 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1001 HOSTAPD_LEVEL_DEBUG,
1002 "unexpected SAE authentication transaction %u (status=%u)",
1003 auth_transaction, status_code);
1004 if (status_code != WLAN_STATUS_SUCCESS)
1005 goto remove_sta;
1006 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1007 }
1008
1009 reply:
1010 if (resp != WLAN_STATUS_SUCCESS) {
1011 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1012 auth_transaction, resp,
1013 data ? wpabuf_head(data) : (u8 *) "",
1014 data ? wpabuf_len(data) : 0);
1015 }
1016
1017 remove_sta:
1018 if (sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
1019 status_code != WLAN_STATUS_SUCCESS)) {
1020 hostapd_drv_sta_remove(hapd, sta->addr);
1021 sta->added_unassoc = 0;
1022 }
1023 wpabuf_free(data);
1024 }
1025
1026
1027 /**
1028 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1029 * @hapd: BSS data for the device initiating the authentication
1030 * @sta: the peer to which commit authentication frame is sent
1031 *
1032 * This function implements Init event handling (IEEE Std 802.11-2012,
1033 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1034 * sta->sae structure should be initialized appropriately via a call to
1035 * sae_prepare_commit().
1036 */
1037 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1038 {
1039 int ret;
1040
1041 if (!sta->sae || !sta->sae->tmp)
1042 return -1;
1043
1044 if (sta->sae->state != SAE_NOTHING)
1045 return -1;
1046
1047 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1048 if (ret)
1049 return -1;
1050
1051 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1052 sta->sae->sync = 0;
1053 sae_set_retransmit_timer(hapd, sta);
1054
1055 return 0;
1056 }
1057
1058 #endif /* CONFIG_SAE */
1059
1060
1061 static u16 wpa_res_to_status_code(int res)
1062 {
1063 if (res == WPA_INVALID_GROUP)
1064 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1065 if (res == WPA_INVALID_PAIRWISE)
1066 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1067 if (res == WPA_INVALID_AKMP)
1068 return WLAN_STATUS_AKMP_NOT_VALID;
1069 if (res == WPA_ALLOC_FAIL)
1070 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1071 #ifdef CONFIG_IEEE80211W
1072 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1073 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1074 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1075 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1076 #endif /* CONFIG_IEEE80211W */
1077 if (res == WPA_INVALID_MDIE)
1078 return WLAN_STATUS_INVALID_MDIE;
1079 if (res == WPA_INVALID_PMKID)
1080 return WLAN_STATUS_INVALID_PMKID;
1081 if (res != WPA_IE_OK)
1082 return WLAN_STATUS_INVALID_IE;
1083 return WLAN_STATUS_SUCCESS;
1084 }
1085
1086
1087 #ifdef CONFIG_FILS
1088
1089 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1090 struct sta_info *sta, u16 resp,
1091 struct wpabuf *data, int pub);
1092
1093 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1094 const u8 *pos, size_t len, u16 auth_alg,
1095 u16 auth_transaction, u16 status_code,
1096 void (*cb)(struct hostapd_data *hapd,
1097 struct sta_info *sta, u16 resp,
1098 struct wpabuf *data, int pub))
1099 {
1100 u16 resp = WLAN_STATUS_SUCCESS;
1101 const u8 *end;
1102 struct ieee802_11_elems elems;
1103 int res;
1104 struct wpa_ie_data rsn;
1105 struct rsn_pmksa_cache_entry *pmksa = NULL;
1106
1107 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1108 return;
1109
1110 end = pos + len;
1111
1112 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1113 pos, end - pos);
1114
1115 /* TODO: FILS PK */
1116 #ifdef CONFIG_FILS_SK_PFS
1117 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1118 u16 group;
1119 struct wpabuf *pub;
1120 size_t elem_len;
1121
1122 /* Using FILS PFS */
1123
1124 /* Finite Cyclic Group */
1125 if (end - pos < 2) {
1126 wpa_printf(MSG_DEBUG,
1127 "FILS: No room for Finite Cyclic Group");
1128 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1129 goto fail;
1130 }
1131 group = WPA_GET_LE16(pos);
1132 pos += 2;
1133 if (group != hapd->conf->fils_dh_group) {
1134 wpa_printf(MSG_DEBUG,
1135 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1136 group, hapd->conf->fils_dh_group);
1137 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1138 goto fail;
1139 }
1140
1141 crypto_ecdh_deinit(sta->fils_ecdh);
1142 sta->fils_ecdh = crypto_ecdh_init(group);
1143 if (!sta->fils_ecdh) {
1144 wpa_printf(MSG_INFO,
1145 "FILS: Could not initialize ECDH with group %d",
1146 group);
1147 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1148 goto fail;
1149 }
1150
1151 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1152 if (!pub) {
1153 wpa_printf(MSG_DEBUG,
1154 "FILS: Failed to derive ECDH public key");
1155 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1156 goto fail;
1157 }
1158 elem_len = wpabuf_len(pub);
1159 wpabuf_free(pub);
1160
1161 /* Element */
1162 if ((size_t) (end - pos) < elem_len) {
1163 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1164 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1165 goto fail;
1166 }
1167
1168 wpabuf_free(sta->fils_g_sta);
1169 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1170 wpabuf_clear_free(sta->fils_dh_ss);
1171 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1172 pos, elem_len);
1173 if (!sta->fils_dh_ss) {
1174 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1175 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1176 goto fail;
1177 }
1178 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1179 pos += elem_len;
1180 } else {
1181 crypto_ecdh_deinit(sta->fils_ecdh);
1182 sta->fils_ecdh = NULL;
1183 wpabuf_clear_free(sta->fils_dh_ss);
1184 sta->fils_dh_ss = NULL;
1185 }
1186 #endif /* CONFIG_FILS_SK_PFS */
1187
1188 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1189 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1190 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1191 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1192 goto fail;
1193 }
1194
1195 /* RSNE */
1196 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1197 elems.rsn_ie, elems.rsn_ie_len);
1198 if (!elems.rsn_ie ||
1199 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1200 &rsn) < 0) {
1201 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1202 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1203 goto fail;
1204 }
1205
1206 if (!sta->wpa_sm)
1207 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1208 NULL);
1209 if (!sta->wpa_sm) {
1210 wpa_printf(MSG_DEBUG,
1211 "FILS: Failed to initialize RSN state machine");
1212 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1213 goto fail;
1214 }
1215
1216 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1217 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1218 elems.mdie, elems.mdie_len, NULL, 0);
1219 resp = wpa_res_to_status_code(res);
1220 if (resp != WLAN_STATUS_SUCCESS)
1221 goto fail;
1222
1223 if (!elems.fils_nonce) {
1224 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1225 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1226 goto fail;
1227 }
1228 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1229 FILS_NONCE_LEN);
1230 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1231
1232 /* PMKID List */
1233 if (rsn.pmkid && rsn.num_pmkid > 0) {
1234 u8 num;
1235 const u8 *pmkid;
1236
1237 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1238 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1239
1240 pmkid = rsn.pmkid;
1241 num = rsn.num_pmkid;
1242 while (num) {
1243 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1244 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1245 pmkid);
1246 if (pmksa)
1247 break;
1248 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1249 sta->addr,
1250 pmkid);
1251 if (pmksa)
1252 break;
1253 pmkid += PMKID_LEN;
1254 num--;
1255 }
1256 }
1257 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1258 wpa_printf(MSG_DEBUG,
1259 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1260 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1261 pmksa = NULL;
1262 }
1263 if (pmksa)
1264 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1265
1266 /* FILS Session */
1267 if (!elems.fils_session) {
1268 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1269 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1270 goto fail;
1271 }
1272 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1273 FILS_SESSION_LEN);
1274 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1275
1276 /* FILS Wrapped Data */
1277 if (elems.fils_wrapped_data) {
1278 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1279 elems.fils_wrapped_data,
1280 elems.fils_wrapped_data_len);
1281 if (!pmksa) {
1282 #ifndef CONFIG_NO_RADIUS
1283 if (!sta->eapol_sm) {
1284 sta->eapol_sm =
1285 ieee802_1x_alloc_eapol_sm(hapd, sta);
1286 }
1287 wpa_printf(MSG_DEBUG,
1288 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1289 ieee802_1x_encapsulate_radius(
1290 hapd, sta, elems.fils_wrapped_data,
1291 elems.fils_wrapped_data_len);
1292 sta->fils_pending_cb = cb;
1293 wpa_printf(MSG_DEBUG,
1294 "FILS: Will send Authentication frame once the response from authentication server is available");
1295 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1296 /* Calculate pending PMKID here so that we do not need
1297 * to maintain a copy of the EAP-Initiate/Reauth
1298 * message. */
1299 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1300 elems.fils_wrapped_data,
1301 elems.fils_wrapped_data_len,
1302 sta->fils_erp_pmkid) == 0)
1303 sta->fils_erp_pmkid_set = 1;
1304 return;
1305 #else /* CONFIG_NO_RADIUS */
1306 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1307 goto fail;
1308 #endif /* CONFIG_NO_RADIUS */
1309 }
1310 }
1311
1312 fail:
1313 if (cb) {
1314 struct wpabuf *data;
1315 int pub = 0;
1316
1317 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1318 NULL, 0, &pub);
1319 if (!data) {
1320 wpa_printf(MSG_DEBUG,
1321 "%s: prepare_auth_resp_fils() returned failure",
1322 __func__);
1323 }
1324
1325 cb(hapd, sta, resp, data, pub);
1326 }
1327 }
1328
1329
1330 static struct wpabuf *
1331 prepare_auth_resp_fils(struct hostapd_data *hapd,
1332 struct sta_info *sta, u16 *resp,
1333 struct rsn_pmksa_cache_entry *pmksa,
1334 struct wpabuf *erp_resp,
1335 const u8 *msk, size_t msk_len,
1336 int *is_pub)
1337 {
1338 u8 fils_nonce[FILS_NONCE_LEN];
1339 size_t ielen;
1340 struct wpabuf *data = NULL;
1341 const u8 *ie;
1342 u8 *ie_buf = NULL;
1343 const u8 *pmk = NULL;
1344 size_t pmk_len = 0;
1345 u8 pmk_buf[PMK_LEN_MAX];
1346 struct wpabuf *pub = NULL;
1347
1348 if (*resp != WLAN_STATUS_SUCCESS)
1349 goto fail;
1350
1351 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1352 if (!ie) {
1353 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1354 goto fail;
1355 }
1356
1357 if (pmksa) {
1358 /* Add PMKID of the selected PMKSA into RSNE */
1359 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1360 if (!ie_buf) {
1361 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1362 goto fail;
1363 }
1364
1365 os_memcpy(ie_buf, ie, ielen);
1366 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1367 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1368 goto fail;
1369 }
1370 ie = ie_buf;
1371 }
1372
1373 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1374 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1375 goto fail;
1376 }
1377 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1378 fils_nonce, FILS_NONCE_LEN);
1379
1380 #ifdef CONFIG_FILS_SK_PFS
1381 if (sta->fils_dh_ss && sta->fils_ecdh) {
1382 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1383 if (!pub) {
1384 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1385 goto fail;
1386 }
1387 }
1388 #endif /* CONFIG_FILS_SK_PFS */
1389
1390 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1391 if (!data) {
1392 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1393 goto fail;
1394 }
1395
1396 /* TODO: FILS PK */
1397 #ifdef CONFIG_FILS_SK_PFS
1398 if (pub) {
1399 /* Finite Cyclic Group */
1400 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1401
1402 /* Element */
1403 wpabuf_put_buf(data, pub);
1404 }
1405 #endif /* CONFIG_FILS_SK_PFS */
1406
1407 /* RSNE */
1408 wpabuf_put_data(data, ie, ielen);
1409
1410 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1411
1412 #ifdef CONFIG_IEEE80211R_AP
1413 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1414 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1415 int res;
1416
1417 res = wpa_auth_write_fte(hapd->wpa_auth, wpabuf_put(data, 0),
1418 wpabuf_tailroom(data));
1419 if (res < 0) {
1420 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1421 goto fail;
1422 }
1423 wpabuf_put(data, res);
1424 }
1425 #endif /* CONFIG_IEEE80211R_AP */
1426
1427 /* FILS Nonce */
1428 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1429 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1430 /* Element ID Extension */
1431 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1432 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1433
1434 /* FILS Session */
1435 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1436 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1437 /* Element ID Extension */
1438 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1439 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1440
1441 /* FILS Wrapped Data */
1442 if (!pmksa && erp_resp) {
1443 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1444 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1445 /* Element ID Extension */
1446 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1447 wpabuf_put_buf(data, erp_resp);
1448
1449 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1450 msk, msk_len, sta->fils_snonce, fils_nonce,
1451 sta->fils_dh_ss ?
1452 wpabuf_head(sta->fils_dh_ss) : NULL,
1453 sta->fils_dh_ss ?
1454 wpabuf_len(sta->fils_dh_ss) : 0,
1455 pmk_buf, &pmk_len)) {
1456 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1457 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1458 wpabuf_free(data);
1459 data = NULL;
1460 goto fail;
1461 }
1462 pmk = pmk_buf;
1463
1464 /* Don't use DHss in PTK derivation if PMKSA caching is not
1465 * used. */
1466 wpabuf_clear_free(sta->fils_dh_ss);
1467 sta->fils_dh_ss = NULL;
1468
1469 if (sta->fils_erp_pmkid_set) {
1470 /* TODO: get PMKLifetime from WPA parameters */
1471 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1472
1473 sta->fils_erp_pmkid_set = 0;
1474 if (wpa_auth_pmksa_add2(
1475 hapd->wpa_auth, sta->addr,
1476 pmk, pmk_len,
1477 sta->fils_erp_pmkid,
1478 sta->session_timeout_set ?
1479 sta->session_timeout :
1480 dot11RSNAConfigPMKLifetime,
1481 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1482 wpa_printf(MSG_ERROR,
1483 "FILS: Failed to add PMKSA cache entry based on ERP");
1484 }
1485 }
1486 } else if (pmksa) {
1487 pmk = pmksa->pmk;
1488 pmk_len = pmksa->pmk_len;
1489 }
1490
1491 if (!pmk) {
1492 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1493 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1494 wpabuf_free(data);
1495 data = NULL;
1496 goto fail;
1497 }
1498
1499 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1500 sta->fils_snonce, fils_nonce,
1501 sta->fils_dh_ss ?
1502 wpabuf_head(sta->fils_dh_ss) : NULL,
1503 sta->fils_dh_ss ?
1504 wpabuf_len(sta->fils_dh_ss) : 0,
1505 sta->fils_g_sta, pub) < 0) {
1506 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1507 wpabuf_free(data);
1508 data = NULL;
1509 goto fail;
1510 }
1511
1512 fail:
1513 if (is_pub)
1514 *is_pub = pub != NULL;
1515 os_free(ie_buf);
1516 wpabuf_free(pub);
1517 wpabuf_clear_free(sta->fils_dh_ss);
1518 sta->fils_dh_ss = NULL;
1519 #ifdef CONFIG_FILS_SK_PFS
1520 crypto_ecdh_deinit(sta->fils_ecdh);
1521 sta->fils_ecdh = NULL;
1522 #endif /* CONFIG_FILS_SK_PFS */
1523 return data;
1524 }
1525
1526
1527 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1528 struct sta_info *sta, u16 resp,
1529 struct wpabuf *data, int pub)
1530 {
1531 u16 auth_alg;
1532
1533 auth_alg = (pub ||
1534 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1535 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1536 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1537 data ? wpabuf_head(data) : (u8 *) "",
1538 data ? wpabuf_len(data) : 0);
1539 wpabuf_free(data);
1540
1541 if (resp == WLAN_STATUS_SUCCESS) {
1542 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1543 HOSTAPD_LEVEL_DEBUG,
1544 "authentication OK (FILS)");
1545 sta->flags |= WLAN_STA_AUTH;
1546 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1547 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1548 mlme_authenticate_indication(hapd, sta);
1549 }
1550 }
1551
1552
1553 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1554 struct sta_info *sta, int success,
1555 struct wpabuf *erp_resp,
1556 const u8 *msk, size_t msk_len)
1557 {
1558 struct wpabuf *data;
1559 int pub = 0;
1560 u16 resp;
1561
1562 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1563
1564 if (!sta->fils_pending_cb)
1565 return;
1566 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1567 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1568 msk, msk_len, &pub);
1569 if (!data) {
1570 wpa_printf(MSG_DEBUG,
1571 "%s: prepare_auth_resp_fils() returned failure",
1572 __func__);
1573 }
1574 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1575 }
1576
1577 #endif /* CONFIG_FILS */
1578
1579
1580 static int
1581 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1582 const u8 *msg, size_t len, u32 *session_timeout,
1583 u32 *acct_interim_interval,
1584 struct vlan_description *vlan_id,
1585 struct hostapd_sta_wpa_psk_short **psk,
1586 char **identity, char **radius_cui)
1587 {
1588 int res;
1589
1590 os_memset(vlan_id, 0, sizeof(*vlan_id));
1591 res = hostapd_allowed_address(hapd, addr, msg, len,
1592 session_timeout, acct_interim_interval,
1593 vlan_id, psk, identity, radius_cui);
1594
1595 if (res == HOSTAPD_ACL_REJECT) {
1596 wpa_printf(MSG_INFO,
1597 "Station " MACSTR " not allowed to authenticate",
1598 MAC2STR(addr));
1599 return HOSTAPD_ACL_REJECT;
1600 }
1601
1602 if (res == HOSTAPD_ACL_PENDING) {
1603 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1604 " waiting for an external authentication",
1605 MAC2STR(addr));
1606 /* Authentication code will re-send the authentication frame
1607 * after it has received (and cached) information from the
1608 * external source. */
1609 return HOSTAPD_ACL_PENDING;
1610 }
1611
1612 return res;
1613 }
1614
1615
1616 static int
1617 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1618 int res, u32 session_timeout,
1619 u32 acct_interim_interval,
1620 struct vlan_description *vlan_id,
1621 struct hostapd_sta_wpa_psk_short **psk,
1622 char **identity, char **radius_cui)
1623 {
1624 if (vlan_id->notempty &&
1625 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1626 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1627 HOSTAPD_LEVEL_INFO,
1628 "Invalid VLAN %d%s received from RADIUS server",
1629 vlan_id->untagged,
1630 vlan_id->tagged[0] ? "+" : "");
1631 return -1;
1632 }
1633 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1634 return -1;
1635 if (sta->vlan_id)
1636 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1637 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1638
1639 hostapd_free_psk_list(sta->psk);
1640 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
1641 sta->psk = *psk;
1642 *psk = NULL;
1643 } else {
1644 sta->psk = NULL;
1645 }
1646
1647 sta->identity = *identity;
1648 *identity = NULL;
1649 sta->radius_cui = *radius_cui;
1650 *radius_cui = NULL;
1651
1652 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
1653 sta->acct_interim_interval = acct_interim_interval;
1654 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
1655 ap_sta_session_timeout(hapd, sta, session_timeout);
1656 else
1657 ap_sta_no_session_timeout(hapd, sta);
1658
1659 return 0;
1660 }
1661
1662
1663 static void handle_auth(struct hostapd_data *hapd,
1664 const struct ieee80211_mgmt *mgmt, size_t len)
1665 {
1666 u16 auth_alg, auth_transaction, status_code;
1667 u16 resp = WLAN_STATUS_SUCCESS;
1668 struct sta_info *sta = NULL;
1669 int res, reply_res;
1670 u16 fc;
1671 const u8 *challenge = NULL;
1672 u32 session_timeout, acct_interim_interval;
1673 struct vlan_description vlan_id;
1674 struct hostapd_sta_wpa_psk_short *psk = NULL;
1675 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
1676 size_t resp_ies_len = 0;
1677 char *identity = NULL;
1678 char *radius_cui = NULL;
1679 u16 seq_ctrl;
1680
1681 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
1682 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
1683 (unsigned long) len);
1684 return;
1685 }
1686
1687 #ifdef CONFIG_TESTING_OPTIONS
1688 if (hapd->iconf->ignore_auth_probability > 0.0 &&
1689 drand48() < hapd->iconf->ignore_auth_probability) {
1690 wpa_printf(MSG_INFO,
1691 "TESTING: ignoring auth frame from " MACSTR,
1692 MAC2STR(mgmt->sa));
1693 return;
1694 }
1695 #endif /* CONFIG_TESTING_OPTIONS */
1696
1697 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
1698 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
1699 status_code = le_to_host16(mgmt->u.auth.status_code);
1700 fc = le_to_host16(mgmt->frame_control);
1701 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
1702
1703 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
1704 2 + WLAN_AUTH_CHALLENGE_LEN &&
1705 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
1706 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
1707 challenge = &mgmt->u.auth.variable[2];
1708
1709 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
1710 "auth_transaction=%d status_code=%d wep=%d%s "
1711 "seq_ctrl=0x%x%s",
1712 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
1713 status_code, !!(fc & WLAN_FC_ISWEP),
1714 challenge ? " challenge" : "",
1715 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
1716
1717 #ifdef CONFIG_NO_RC4
1718 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
1719 wpa_printf(MSG_INFO,
1720 "Unsupported authentication algorithm (%d)",
1721 auth_alg);
1722 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1723 goto fail;
1724 }
1725 #endif /* CONFIG_NO_RC4 */
1726
1727 if (hapd->tkip_countermeasures) {
1728 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1729 goto fail;
1730 }
1731
1732 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
1733 auth_alg == WLAN_AUTH_OPEN) ||
1734 #ifdef CONFIG_IEEE80211R_AP
1735 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
1736 auth_alg == WLAN_AUTH_FT) ||
1737 #endif /* CONFIG_IEEE80211R_AP */
1738 #ifdef CONFIG_SAE
1739 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
1740 auth_alg == WLAN_AUTH_SAE) ||
1741 #endif /* CONFIG_SAE */
1742 #ifdef CONFIG_FILS
1743 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1744 auth_alg == WLAN_AUTH_FILS_SK) ||
1745 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1746 hapd->conf->fils_dh_group &&
1747 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
1748 #endif /* CONFIG_FILS */
1749 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
1750 auth_alg == WLAN_AUTH_SHARED_KEY))) {
1751 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
1752 auth_alg);
1753 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1754 goto fail;
1755 }
1756
1757 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
1758 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
1759 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
1760 auth_transaction);
1761 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1762 goto fail;
1763 }
1764
1765 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
1766 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
1767 MAC2STR(mgmt->sa));
1768 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1769 goto fail;
1770 }
1771
1772 if (hapd->conf->no_auth_if_seen_on) {
1773 struct hostapd_data *other;
1774
1775 other = sta_track_seen_on(hapd->iface, mgmt->sa,
1776 hapd->conf->no_auth_if_seen_on);
1777 if (other) {
1778 u8 *pos;
1779 u32 info;
1780 u8 op_class, channel, phytype;
1781
1782 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
1783 MACSTR " since STA has been seen on %s",
1784 hapd->conf->iface, MAC2STR(mgmt->sa),
1785 hapd->conf->no_auth_if_seen_on);
1786
1787 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
1788 pos = &resp_ies[0];
1789 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
1790 *pos++ = 13;
1791 os_memcpy(pos, other->own_addr, ETH_ALEN);
1792 pos += ETH_ALEN;
1793 info = 0; /* TODO: BSSID Information */
1794 WPA_PUT_LE32(pos, info);
1795 pos += 4;
1796 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
1797 phytype = 8; /* dmg */
1798 else if (other->iconf->ieee80211ac)
1799 phytype = 9; /* vht */
1800 else if (other->iconf->ieee80211n)
1801 phytype = 7; /* ht */
1802 else if (other->iconf->hw_mode ==
1803 HOSTAPD_MODE_IEEE80211A)
1804 phytype = 4; /* ofdm */
1805 else if (other->iconf->hw_mode ==
1806 HOSTAPD_MODE_IEEE80211G)
1807 phytype = 6; /* erp */
1808 else
1809 phytype = 5; /* hrdsss */
1810 if (ieee80211_freq_to_channel_ext(
1811 hostapd_hw_get_freq(other,
1812 other->iconf->channel),
1813 other->iconf->secondary_channel,
1814 other->iconf->ieee80211ac,
1815 &op_class, &channel) == NUM_HOSTAPD_MODES) {
1816 op_class = 0;
1817 channel = other->iconf->channel;
1818 }
1819 *pos++ = op_class;
1820 *pos++ = channel;
1821 *pos++ = phytype;
1822 resp_ies_len = pos - &resp_ies[0];
1823 goto fail;
1824 }
1825 }
1826
1827 res = ieee802_11_allowed_address(
1828 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
1829 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui);
1830 if (res == HOSTAPD_ACL_REJECT) {
1831 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1832 goto fail;
1833 }
1834 if (res == HOSTAPD_ACL_PENDING)
1835 return;
1836
1837 sta = ap_get_sta(hapd, mgmt->sa);
1838 if (sta) {
1839 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1840 if ((fc & WLAN_FC_RETRY) &&
1841 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
1842 sta->last_seq_ctrl == seq_ctrl &&
1843 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
1844 hostapd_logger(hapd, sta->addr,
1845 HOSTAPD_MODULE_IEEE80211,
1846 HOSTAPD_LEVEL_DEBUG,
1847 "Drop repeated authentication frame seq_ctrl=0x%x",
1848 seq_ctrl);
1849 return;
1850 }
1851 #ifdef CONFIG_MESH
1852 if ((hapd->conf->mesh & MESH_ENABLED) &&
1853 sta->plink_state == PLINK_BLOCKED) {
1854 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1855 " is blocked - drop Authentication frame",
1856 MAC2STR(mgmt->sa));
1857 return;
1858 }
1859 #endif /* CONFIG_MESH */
1860 } else {
1861 #ifdef CONFIG_MESH
1862 if (hapd->conf->mesh & MESH_ENABLED) {
1863 /* if the mesh peer is not available, we don't do auth.
1864 */
1865 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1866 " not yet known - drop Authentication frame",
1867 MAC2STR(mgmt->sa));
1868 /*
1869 * Save a copy of the frame so that it can be processed
1870 * if a new peer entry is added shortly after this.
1871 */
1872 wpabuf_free(hapd->mesh_pending_auth);
1873 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
1874 os_get_reltime(&hapd->mesh_pending_auth_time);
1875 return;
1876 }
1877 #endif /* CONFIG_MESH */
1878
1879 sta = ap_sta_add(hapd, mgmt->sa);
1880 if (!sta) {
1881 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1882 goto fail;
1883 }
1884 }
1885 sta->last_seq_ctrl = seq_ctrl;
1886 sta->last_subtype = WLAN_FC_STYPE_AUTH;
1887
1888 res = ieee802_11_set_radius_info(
1889 hapd, sta, res, session_timeout, acct_interim_interval,
1890 &vlan_id, &psk, &identity, &radius_cui);
1891 if (res) {
1892 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1893 goto fail;
1894 }
1895
1896 sta->flags &= ~WLAN_STA_PREAUTH;
1897 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
1898
1899 /*
1900 * If the driver supports full AP client state, add a station to the
1901 * driver before sending authentication reply to make sure the driver
1902 * has resources, and not to go through the entire authentication and
1903 * association handshake, and fail it at the end.
1904 *
1905 * If this is not the first transaction, in a multi-step authentication
1906 * algorithm, the station already exists in the driver
1907 * (sta->added_unassoc = 1) so skip it.
1908 *
1909 * In mesh mode, the station was already added to the driver when the
1910 * NEW_PEER_CANDIDATE event is received.
1911 *
1912 * If PMF was negotiated for the existing association, skip this to
1913 * avoid dropping the STA entry and the associated keys. This is needed
1914 * to allow the original connection work until the attempt can complete
1915 * (re)association, so that unprotected Authentication frame cannot be
1916 * used to bypass PMF protection.
1917 */
1918 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
1919 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
1920 !(hapd->conf->mesh & MESH_ENABLED) &&
1921 !(sta->added_unassoc)) {
1922 /*
1923 * If a station that is already associated to the AP, is trying
1924 * to authenticate again, remove the STA entry, in order to make
1925 * sure the STA PS state gets cleared and configuration gets
1926 * updated. To handle this, station's added_unassoc flag is
1927 * cleared once the station has completed association.
1928 */
1929 hostapd_drv_sta_remove(hapd, sta->addr);
1930 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
1931 WLAN_STA_AUTHORIZED);
1932
1933 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
1934 NULL, NULL, sta->flags, 0, 0, 0, 0)) {
1935 hostapd_logger(hapd, sta->addr,
1936 HOSTAPD_MODULE_IEEE80211,
1937 HOSTAPD_LEVEL_NOTICE,
1938 "Could not add STA to kernel driver");
1939 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1940 goto fail;
1941 }
1942
1943 sta->added_unassoc = 1;
1944 }
1945
1946 switch (auth_alg) {
1947 case WLAN_AUTH_OPEN:
1948 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1949 HOSTAPD_LEVEL_DEBUG,
1950 "authentication OK (open system)");
1951 sta->flags |= WLAN_STA_AUTH;
1952 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1953 sta->auth_alg = WLAN_AUTH_OPEN;
1954 mlme_authenticate_indication(hapd, sta);
1955 break;
1956 #ifndef CONFIG_NO_RC4
1957 case WLAN_AUTH_SHARED_KEY:
1958 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
1959 fc & WLAN_FC_ISWEP);
1960 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
1961 mlme_authenticate_indication(hapd, sta);
1962 if (sta->challenge && auth_transaction == 1) {
1963 resp_ies[0] = WLAN_EID_CHALLENGE;
1964 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
1965 os_memcpy(resp_ies + 2, sta->challenge,
1966 WLAN_AUTH_CHALLENGE_LEN);
1967 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
1968 }
1969 break;
1970 #endif /* CONFIG_NO_RC4 */
1971 #ifdef CONFIG_IEEE80211R_AP
1972 case WLAN_AUTH_FT:
1973 sta->auth_alg = WLAN_AUTH_FT;
1974 if (sta->wpa_sm == NULL)
1975 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
1976 sta->addr, NULL);
1977 if (sta->wpa_sm == NULL) {
1978 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
1979 "state machine");
1980 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1981 goto fail;
1982 }
1983 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
1984 auth_transaction, mgmt->u.auth.variable,
1985 len - IEEE80211_HDRLEN -
1986 sizeof(mgmt->u.auth),
1987 handle_auth_ft_finish, hapd);
1988 /* handle_auth_ft_finish() callback will complete auth. */
1989 return;
1990 #endif /* CONFIG_IEEE80211R_AP */
1991 #ifdef CONFIG_SAE
1992 case WLAN_AUTH_SAE:
1993 #ifdef CONFIG_MESH
1994 if (status_code == WLAN_STATUS_SUCCESS &&
1995 hapd->conf->mesh & MESH_ENABLED) {
1996 if (sta->wpa_sm == NULL)
1997 sta->wpa_sm =
1998 wpa_auth_sta_init(hapd->wpa_auth,
1999 sta->addr, NULL);
2000 if (sta->wpa_sm == NULL) {
2001 wpa_printf(MSG_DEBUG,
2002 "SAE: Failed to initialize WPA state machine");
2003 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2004 goto fail;
2005 }
2006 }
2007 #endif /* CONFIG_MESH */
2008 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2009 status_code);
2010 return;
2011 #endif /* CONFIG_SAE */
2012 #ifdef CONFIG_FILS
2013 case WLAN_AUTH_FILS_SK:
2014 case WLAN_AUTH_FILS_SK_PFS:
2015 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2016 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2017 auth_alg, auth_transaction, status_code,
2018 handle_auth_fils_finish);
2019 return;
2020 #endif /* CONFIG_FILS */
2021 }
2022
2023 fail:
2024 os_free(identity);
2025 os_free(radius_cui);
2026 hostapd_free_psk_list(psk);
2027
2028 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2029 auth_transaction + 1, resp, resp_ies,
2030 resp_ies_len);
2031
2032 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2033 reply_res != WLAN_STATUS_SUCCESS)) {
2034 hostapd_drv_sta_remove(hapd, sta->addr);
2035 sta->added_unassoc = 0;
2036 }
2037 }
2038
2039
2040 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2041 {
2042 int i, j = 32, aid;
2043
2044 /* get a unique AID */
2045 if (sta->aid > 0) {
2046 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2047 return 0;
2048 }
2049
2050 if (TEST_FAIL())
2051 return -1;
2052
2053 for (i = 0; i < AID_WORDS; i++) {
2054 if (hapd->sta_aid[i] == (u32) -1)
2055 continue;
2056 for (j = 0; j < 32; j++) {
2057 if (!(hapd->sta_aid[i] & BIT(j)))
2058 break;
2059 }
2060 if (j < 32)
2061 break;
2062 }
2063 if (j == 32)
2064 return -1;
2065 aid = i * 32 + j + 1;
2066 if (aid > 2007)
2067 return -1;
2068
2069 sta->aid = aid;
2070 hapd->sta_aid[i] |= BIT(j);
2071 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2072 return 0;
2073 }
2074
2075
2076 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2077 const u8 *ssid_ie, size_t ssid_ie_len)
2078 {
2079 if (ssid_ie == NULL)
2080 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2081
2082 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2083 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2084 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2085 HOSTAPD_LEVEL_INFO,
2086 "Station tried to associate with unknown SSID "
2087 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2088 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2089 }
2090
2091 return WLAN_STATUS_SUCCESS;
2092 }
2093
2094
2095 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2096 const u8 *wmm_ie, size_t wmm_ie_len)
2097 {
2098 sta->flags &= ~WLAN_STA_WMM;
2099 sta->qosinfo = 0;
2100 if (wmm_ie && hapd->conf->wmm_enabled) {
2101 struct wmm_information_element *wmm;
2102
2103 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2104 hostapd_logger(hapd, sta->addr,
2105 HOSTAPD_MODULE_WPA,
2106 HOSTAPD_LEVEL_DEBUG,
2107 "invalid WMM element in association "
2108 "request");
2109 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2110 }
2111
2112 sta->flags |= WLAN_STA_WMM;
2113 wmm = (struct wmm_information_element *) wmm_ie;
2114 sta->qosinfo = wmm->qos_info;
2115 }
2116 return WLAN_STATUS_SUCCESS;
2117 }
2118
2119
2120 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2121 struct ieee802_11_elems *elems)
2122 {
2123 /* Supported rates not used in IEEE 802.11ad/DMG */
2124 if (hapd->iface->current_mode &&
2125 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2126 return WLAN_STATUS_SUCCESS;
2127
2128 if (!elems->supp_rates) {
2129 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2130 HOSTAPD_LEVEL_DEBUG,
2131 "No supported rates element in AssocReq");
2132 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2133 }
2134
2135 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2136 sizeof(sta->supported_rates)) {
2137 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2138 HOSTAPD_LEVEL_DEBUG,
2139 "Invalid supported rates element length %d+%d",
2140 elems->supp_rates_len,
2141 elems->ext_supp_rates_len);
2142 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2143 }
2144
2145 sta->supported_rates_len = merge_byte_arrays(
2146 sta->supported_rates, sizeof(sta->supported_rates),
2147 elems->supp_rates, elems->supp_rates_len,
2148 elems->ext_supp_rates, elems->ext_supp_rates_len);
2149
2150 return WLAN_STATUS_SUCCESS;
2151 }
2152
2153
2154 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2155 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2156 {
2157 #ifdef CONFIG_INTERWORKING
2158 /* check for QoS Map support */
2159 if (ext_capab_ie_len >= 5) {
2160 if (ext_capab_ie[4] & 0x01)
2161 sta->qos_map_enabled = 1;
2162 }
2163 #endif /* CONFIG_INTERWORKING */
2164
2165 if (ext_capab_ie_len > 0) {
2166 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2167 os_free(sta->ext_capability);
2168 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2169 if (sta->ext_capability) {
2170 sta->ext_capability[0] = ext_capab_ie_len;
2171 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2172 ext_capab_ie_len);
2173 }
2174 }
2175
2176 return WLAN_STATUS_SUCCESS;
2177 }
2178
2179
2180 #ifdef CONFIG_OWE
2181
2182 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2183 {
2184 int i;
2185 int *groups = hapd->conf->owe_groups;
2186
2187 if (group != 19 && group != 20 && group != 21)
2188 return 0;
2189
2190 if (!groups)
2191 return 1;
2192
2193 for (i = 0; groups[i] > 0; i++) {
2194 if (groups[i] == group)
2195 return 1;
2196 }
2197
2198 return 0;
2199 }
2200
2201
2202 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2203 struct sta_info *sta, const u8 *owe_dh,
2204 u8 owe_dh_len)
2205 {
2206 struct wpabuf *secret, *pub, *hkey;
2207 int res;
2208 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2209 const char *info = "OWE Key Generation";
2210 const u8 *addr[2];
2211 size_t len[2];
2212 u16 group;
2213 size_t hash_len, prime_len;
2214
2215 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2216 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2217 return WLAN_STATUS_SUCCESS;
2218 }
2219
2220 group = WPA_GET_LE16(owe_dh);
2221 if (!owe_group_supported(hapd, group)) {
2222 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2223 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2224 }
2225 if (group == 19)
2226 prime_len = 32;
2227 else if (group == 20)
2228 prime_len = 48;
2229 else if (group == 21)
2230 prime_len = 66;
2231 else
2232 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2233
2234 crypto_ecdh_deinit(sta->owe_ecdh);
2235 sta->owe_ecdh = crypto_ecdh_init(group);
2236 if (!sta->owe_ecdh)
2237 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2238 sta->owe_group = group;
2239
2240 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2241 owe_dh_len - 2);
2242 secret = wpabuf_zeropad(secret, prime_len);
2243 if (!secret) {
2244 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2245 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2246 }
2247 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2248
2249 /* prk = HKDF-extract(C | A | group, z) */
2250
2251 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2252 if (!pub) {
2253 wpabuf_clear_free(secret);
2254 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2255 }
2256
2257 /* PMKID = Truncate-128(Hash(C | A)) */
2258 addr[0] = owe_dh + 2;
2259 len[0] = owe_dh_len - 2;
2260 addr[1] = wpabuf_head(pub);
2261 len[1] = wpabuf_len(pub);
2262 if (group == 19) {
2263 res = sha256_vector(2, addr, len, pmkid);
2264 hash_len = SHA256_MAC_LEN;
2265 } else if (group == 20) {
2266 res = sha384_vector(2, addr, len, pmkid);
2267 hash_len = SHA384_MAC_LEN;
2268 } else if (group == 21) {
2269 res = sha512_vector(2, addr, len, pmkid);
2270 hash_len = SHA512_MAC_LEN;
2271 } else {
2272 wpabuf_free(pub);
2273 wpabuf_clear_free(secret);
2274 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2275 }
2276 pub = wpabuf_zeropad(pub, prime_len);
2277 if (res < 0 || !pub) {
2278 wpabuf_free(pub);
2279 wpabuf_clear_free(secret);
2280 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2281 }
2282
2283 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2284 if (!hkey) {
2285 wpabuf_free(pub);
2286 wpabuf_clear_free(secret);
2287 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2288 }
2289
2290 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2291 wpabuf_put_buf(hkey, pub); /* A */
2292 wpabuf_free(pub);
2293 wpabuf_put_le16(hkey, group); /* group */
2294 if (group == 19)
2295 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2296 wpabuf_head(secret), wpabuf_len(secret), prk);
2297 else if (group == 20)
2298 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2299 wpabuf_head(secret), wpabuf_len(secret), prk);
2300 else if (group == 21)
2301 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2302 wpabuf_head(secret), wpabuf_len(secret), prk);
2303 wpabuf_clear_free(hkey);
2304 wpabuf_clear_free(secret);
2305 if (res < 0)
2306 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2307
2308 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2309
2310 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2311
2312 os_free(sta->owe_pmk);
2313 sta->owe_pmk = os_malloc(hash_len);
2314 if (!sta->owe_pmk) {
2315 os_memset(prk, 0, SHA512_MAC_LEN);
2316 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2317 }
2318
2319 if (group == 19)
2320 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2321 os_strlen(info), sta->owe_pmk, hash_len);
2322 else if (group == 20)
2323 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2324 os_strlen(info), sta->owe_pmk, hash_len);
2325 else if (group == 21)
2326 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2327 os_strlen(info), sta->owe_pmk, hash_len);
2328 os_memset(prk, 0, SHA512_MAC_LEN);
2329 if (res < 0) {
2330 os_free(sta->owe_pmk);
2331 sta->owe_pmk = NULL;
2332 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2333 }
2334 sta->owe_pmk_len = hash_len;
2335
2336 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2337 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2338 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2339 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2340
2341 return WLAN_STATUS_SUCCESS;
2342 }
2343
2344 #endif /* CONFIG_OWE */
2345
2346
2347 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2348 const u8 *ies, size_t ies_len, int reassoc)
2349 {
2350 struct ieee802_11_elems elems;
2351 u16 resp;
2352 const u8 *wpa_ie;
2353 size_t wpa_ie_len;
2354 const u8 *p2p_dev_addr = NULL;
2355
2356 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2357 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2358 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2359 "association request");
2360 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2361 }
2362
2363 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2364 if (resp != WLAN_STATUS_SUCCESS)
2365 return resp;
2366 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2367 if (resp != WLAN_STATUS_SUCCESS)
2368 return resp;
2369 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2370 if (resp != WLAN_STATUS_SUCCESS)
2371 return resp;
2372 resp = copy_supp_rates(hapd, sta, &elems);
2373 if (resp != WLAN_STATUS_SUCCESS)
2374 return resp;
2375 #ifdef CONFIG_IEEE80211N
2376 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2377 if (resp != WLAN_STATUS_SUCCESS)
2378 return resp;
2379 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2380 !(sta->flags & WLAN_STA_HT)) {
2381 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2382 HOSTAPD_LEVEL_INFO, "Station does not support "
2383 "mandatory HT PHY - reject association");
2384 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2385 }
2386 #endif /* CONFIG_IEEE80211N */
2387
2388 #ifdef CONFIG_IEEE80211AC
2389 if (hapd->iconf->ieee80211ac) {
2390 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2391 if (resp != WLAN_STATUS_SUCCESS)
2392 return resp;
2393
2394 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2395 if (resp != WLAN_STATUS_SUCCESS)
2396 return resp;
2397 }
2398
2399 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2400 !(sta->flags & WLAN_STA_VHT)) {
2401 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2402 HOSTAPD_LEVEL_INFO, "Station does not support "
2403 "mandatory VHT PHY - reject association");
2404 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2405 }
2406
2407 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2408 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2409 elems.vendor_vht_len);
2410 if (resp != WLAN_STATUS_SUCCESS)
2411 return resp;
2412 }
2413 #endif /* CONFIG_IEEE80211AC */
2414
2415 #ifdef CONFIG_P2P
2416 if (elems.p2p) {
2417 wpabuf_free(sta->p2p_ie);
2418 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2419 P2P_IE_VENDOR_TYPE);
2420 if (sta->p2p_ie)
2421 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2422 } else {
2423 wpabuf_free(sta->p2p_ie);
2424 sta->p2p_ie = NULL;
2425 }
2426 #endif /* CONFIG_P2P */
2427
2428 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2429 wpa_ie = elems.rsn_ie;
2430 wpa_ie_len = elems.rsn_ie_len;
2431 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2432 elems.wpa_ie) {
2433 wpa_ie = elems.wpa_ie;
2434 wpa_ie_len = elems.wpa_ie_len;
2435 } else {
2436 wpa_ie = NULL;
2437 wpa_ie_len = 0;
2438 }
2439
2440 #ifdef CONFIG_WPS
2441 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2442 if (hapd->conf->wps_state && elems.wps_ie) {
2443 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2444 "Request - assume WPS is used");
2445 sta->flags |= WLAN_STA_WPS;
2446 wpabuf_free(sta->wps_ie);
2447 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2448 WPS_IE_VENDOR_TYPE);
2449 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2450 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2451 sta->flags |= WLAN_STA_WPS2;
2452 }
2453 wpa_ie = NULL;
2454 wpa_ie_len = 0;
2455 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2456 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2457 "(Re)Association Request - reject");
2458 return WLAN_STATUS_INVALID_IE;
2459 }
2460 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
2461 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2462 "(Re)Association Request - possible WPS use");
2463 sta->flags |= WLAN_STA_MAYBE_WPS;
2464 } else
2465 #endif /* CONFIG_WPS */
2466 if (hapd->conf->wpa && wpa_ie == NULL) {
2467 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2468 HOSTAPD_LEVEL_INFO,
2469 "No WPA/RSN IE in association request");
2470 return WLAN_STATUS_INVALID_IE;
2471 }
2472
2473 if (hapd->conf->wpa && wpa_ie) {
2474 int res;
2475 wpa_ie -= 2;
2476 wpa_ie_len += 2;
2477 if (sta->wpa_sm == NULL)
2478 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2479 sta->addr,
2480 p2p_dev_addr);
2481 if (sta->wpa_sm == NULL) {
2482 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2483 "state machine");
2484 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2485 }
2486 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2487 wpa_ie, wpa_ie_len,
2488 elems.mdie, elems.mdie_len,
2489 elems.owe_dh, elems.owe_dh_len);
2490 resp = wpa_res_to_status_code(res);
2491 if (resp != WLAN_STATUS_SUCCESS)
2492 return resp;
2493 #ifdef CONFIG_IEEE80211W
2494 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2495 sta->sa_query_count > 0)
2496 ap_check_sa_query_timeout(hapd, sta);
2497 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2498 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2499 /*
2500 * STA has already been associated with MFP and SA
2501 * Query timeout has not been reached. Reject the
2502 * association attempt temporarily and start SA Query,
2503 * if one is not pending.
2504 */
2505
2506 if (sta->sa_query_count == 0)
2507 ap_sta_start_sa_query(hapd, sta);
2508
2509 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2510 }
2511
2512 if (wpa_auth_uses_mfp(sta->wpa_sm))
2513 sta->flags |= WLAN_STA_MFP;
2514 else
2515 sta->flags &= ~WLAN_STA_MFP;
2516 #endif /* CONFIG_IEEE80211W */
2517
2518 #ifdef CONFIG_IEEE80211R_AP
2519 if (sta->auth_alg == WLAN_AUTH_FT) {
2520 if (!reassoc) {
2521 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2522 "to use association (not "
2523 "re-association) with FT auth_alg",
2524 MAC2STR(sta->addr));
2525 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2526 }
2527
2528 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2529 ies_len);
2530 if (resp != WLAN_STATUS_SUCCESS)
2531 return resp;
2532 }
2533 #endif /* CONFIG_IEEE80211R_AP */
2534
2535 #ifdef CONFIG_SAE
2536 if (wpa_auth_uses_sae(sta->wpa_sm) &&
2537 sta->auth_alg == WLAN_AUTH_OPEN) {
2538 struct rsn_pmksa_cache_entry *sa;
2539 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
2540 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
2541 wpa_printf(MSG_DEBUG,
2542 "SAE: No PMKSA cache entry found for "
2543 MACSTR, MAC2STR(sta->addr));
2544 return WLAN_STATUS_INVALID_PMKID;
2545 }
2546 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
2547 " using PMKSA caching", MAC2STR(sta->addr));
2548 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
2549 sta->auth_alg != WLAN_AUTH_SAE &&
2550 !(sta->auth_alg == WLAN_AUTH_FT &&
2551 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
2552 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
2553 "SAE AKM after non-SAE auth_alg %u",
2554 MAC2STR(sta->addr), sta->auth_alg);
2555 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2556 }
2557 #endif /* CONFIG_SAE */
2558
2559 #ifdef CONFIG_OWE
2560 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2561 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
2562 elems.owe_dh) {
2563 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
2564 elems.owe_dh_len);
2565 if (resp != WLAN_STATUS_SUCCESS)
2566 return resp;
2567 }
2568 #endif /* CONFIG_OWE */
2569
2570 #ifdef CONFIG_IEEE80211N
2571 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
2572 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
2573 hostapd_logger(hapd, sta->addr,
2574 HOSTAPD_MODULE_IEEE80211,
2575 HOSTAPD_LEVEL_INFO,
2576 "Station tried to use TKIP with HT "
2577 "association");
2578 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
2579 }
2580 #endif /* CONFIG_IEEE80211N */
2581 #ifdef CONFIG_HS20
2582 } else if (hapd->conf->osen) {
2583 if (elems.osen == NULL) {
2584 hostapd_logger(
2585 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2586 HOSTAPD_LEVEL_INFO,
2587 "No HS 2.0 OSEN element in association request");
2588 return WLAN_STATUS_INVALID_IE;
2589 }
2590
2591 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
2592 if (sta->wpa_sm == NULL)
2593 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2594 sta->addr, NULL);
2595 if (sta->wpa_sm == NULL) {
2596 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2597 "state machine");
2598 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2599 }
2600 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
2601 elems.osen - 2, elems.osen_len + 2) < 0)
2602 return WLAN_STATUS_INVALID_IE;
2603 #endif /* CONFIG_HS20 */
2604 } else
2605 wpa_auth_sta_no_wpa(sta->wpa_sm);
2606
2607 #ifdef CONFIG_P2P
2608 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
2609 #endif /* CONFIG_P2P */
2610
2611 #ifdef CONFIG_HS20
2612 wpabuf_free(sta->hs20_ie);
2613 if (elems.hs20 && elems.hs20_len > 4) {
2614 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
2615 elems.hs20_len - 4);
2616 } else
2617 sta->hs20_ie = NULL;
2618 #endif /* CONFIG_HS20 */
2619
2620 #ifdef CONFIG_FST
2621 wpabuf_free(sta->mb_ies);
2622 if (hapd->iface->fst)
2623 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
2624 else
2625 sta->mb_ies = NULL;
2626 #endif /* CONFIG_FST */
2627
2628 #ifdef CONFIG_MBO
2629 mbo_ap_check_sta_assoc(hapd, sta, &elems);
2630
2631 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
2632 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
2633 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2634 wpa_printf(MSG_INFO,
2635 "MBO: Reject WPA2 association without PMF");
2636 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2637 }
2638 #endif /* CONFIG_MBO */
2639
2640 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
2641 elems.supp_op_classes_len);
2642
2643 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
2644 elems.rrm_enabled &&
2645 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
2646 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
2647 sizeof(sta->rrm_enabled_capa));
2648
2649 if (elems.power_capab) {
2650 sta->min_tx_power = elems.power_capab[0];
2651 sta->max_tx_power = elems.power_capab[1];
2652 sta->power_capab = 1;
2653 } else {
2654 sta->power_capab = 0;
2655 }
2656
2657 return WLAN_STATUS_SUCCESS;
2658 }
2659
2660
2661 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
2662 u16 reason_code)
2663 {
2664 int send_len;
2665 struct ieee80211_mgmt reply;
2666
2667 os_memset(&reply, 0, sizeof(reply));
2668 reply.frame_control =
2669 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
2670 os_memcpy(reply.da, addr, ETH_ALEN);
2671 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
2672 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
2673
2674 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
2675 reply.u.deauth.reason_code = host_to_le16(reason_code);
2676
2677 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
2678 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
2679 strerror(errno));
2680 }
2681
2682
2683 static int add_associated_sta(struct hostapd_data *hapd,
2684 struct sta_info *sta)
2685 {
2686 struct ieee80211_ht_capabilities ht_cap;
2687 struct ieee80211_vht_capabilities vht_cap;
2688 int set = 1;
2689
2690 /*
2691 * Remove the STA entry to ensure the STA PS state gets cleared and
2692 * configuration gets updated. This is relevant for cases, such as
2693 * FT-over-the-DS, where a station re-associates back to the same AP but
2694 * skips the authentication flow, or if working with a driver that
2695 * does not support full AP client state.
2696 *
2697 * Skip this if the STA has already completed FT reassociation and the
2698 * TK has been configured since the TX/RX PN must not be reset to 0 for
2699 * the same key.
2700 */
2701 if (!sta->added_unassoc &&
2702 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
2703 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
2704 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
2705 hostapd_drv_sta_remove(hapd, sta->addr);
2706 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
2707 set = 0;
2708 }
2709
2710 #ifdef CONFIG_IEEE80211N
2711 if (sta->flags & WLAN_STA_HT)
2712 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
2713 #endif /* CONFIG_IEEE80211N */
2714 #ifdef CONFIG_IEEE80211AC
2715 if (sta->flags & WLAN_STA_VHT)
2716 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
2717 #endif /* CONFIG_IEEE80211AC */
2718
2719 /*
2720 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
2721 * will be set when the ACK frame for the (Re)Association Response frame
2722 * is processed (TX status driver event).
2723 */
2724 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
2725 sta->supported_rates, sta->supported_rates_len,
2726 sta->listen_interval,
2727 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
2728 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
2729 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
2730 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
2731 set)) {
2732 hostapd_logger(hapd, sta->addr,
2733 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
2734 "Could not %s STA to kernel driver",
2735 set ? "set" : "add");
2736
2737 if (sta->added_unassoc) {
2738 hostapd_drv_sta_remove(hapd, sta->addr);
2739 sta->added_unassoc = 0;
2740 }
2741
2742 return -1;
2743 }
2744
2745 sta->added_unassoc = 0;
2746
2747 return 0;
2748 }
2749
2750
2751 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
2752 const u8 *addr, u16 status_code, int reassoc,
2753 const u8 *ies, size_t ies_len)
2754 {
2755 int send_len;
2756 u8 *buf;
2757 size_t buflen;
2758 struct ieee80211_mgmt *reply;
2759 u8 *p;
2760 u16 res = WLAN_STATUS_SUCCESS;
2761
2762 buflen = sizeof(struct ieee80211_mgmt) + 1024;
2763 #ifdef CONFIG_FILS
2764 if (sta && sta->fils_hlp_resp)
2765 buflen += wpabuf_len(sta->fils_hlp_resp);
2766 #endif /* CONFIG_FILS */
2767 #ifdef CONFIG_OWE
2768 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2769 buflen += 150;
2770 #endif /* CONFIG_OWE */
2771 buf = os_zalloc(buflen);
2772 if (!buf) {
2773 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2774 goto done;
2775 }
2776 reply = (struct ieee80211_mgmt *) buf;
2777 reply->frame_control =
2778 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
2779 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
2780 WLAN_FC_STYPE_ASSOC_RESP));
2781 os_memcpy(reply->da, addr, ETH_ALEN);
2782 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
2783 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
2784
2785 send_len = IEEE80211_HDRLEN;
2786 send_len += sizeof(reply->u.assoc_resp);
2787 reply->u.assoc_resp.capab_info =
2788 host_to_le16(hostapd_own_capab_info(hapd));
2789 reply->u.assoc_resp.status_code = host_to_le16(status_code);
2790
2791 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
2792 BIT(14) | BIT(15));
2793 /* Supported rates */
2794 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
2795 /* Extended supported rates */
2796 p = hostapd_eid_ext_supp_rates(hapd, p);
2797
2798 #ifdef CONFIG_IEEE80211R_AP
2799 if (sta && status_code == WLAN_STATUS_SUCCESS) {
2800 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
2801 * Transition Information, RSN, [RIC Response] */
2802 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
2803 buf + buflen - p,
2804 sta->auth_alg, ies, ies_len);
2805 }
2806 #endif /* CONFIG_IEEE80211R_AP */
2807
2808 #ifdef CONFIG_OWE
2809 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2810 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
2811 buf + buflen - p,
2812 ies, ies_len);
2813 #endif /* CONFIG_OWE */
2814
2815 #ifdef CONFIG_IEEE80211W
2816 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
2817 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
2818 #endif /* CONFIG_IEEE80211W */
2819
2820 #ifdef CONFIG_IEEE80211N
2821 p = hostapd_eid_ht_capabilities(hapd, p);
2822 p = hostapd_eid_ht_operation(hapd, p);
2823 #endif /* CONFIG_IEEE80211N */
2824
2825 #ifdef CONFIG_IEEE80211AC
2826 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
2827 u32 nsts = 0, sta_nsts;
2828
2829 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
2830 struct ieee80211_vht_capabilities *capa;
2831
2832 nsts = (hapd->iface->conf->vht_capab >>
2833 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2834 capa = sta->vht_capabilities;
2835 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
2836 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2837
2838 if (nsts < sta_nsts)
2839 nsts = 0;
2840 else
2841 nsts = sta_nsts;
2842 }
2843 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
2844 p = hostapd_eid_vht_operation(hapd, p);
2845 }
2846 #endif /* CONFIG_IEEE80211AC */
2847
2848 p = hostapd_eid_ext_capab(hapd, p);
2849 p = hostapd_eid_bss_max_idle_period(hapd, p);
2850 if (sta && sta->qos_map_enabled)
2851 p = hostapd_eid_qos_map_set(hapd, p);
2852
2853 #ifdef CONFIG_FST
2854 if (hapd->iface->fst_ies) {
2855 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
2856 wpabuf_len(hapd->iface->fst_ies));
2857 p += wpabuf_len(hapd->iface->fst_ies);
2858 }
2859 #endif /* CONFIG_FST */
2860
2861 #ifdef CONFIG_IEEE80211AC
2862 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
2863 p = hostapd_eid_vendor_vht(hapd, p);
2864 #endif /* CONFIG_IEEE80211AC */
2865
2866 if (sta && (sta->flags & WLAN_STA_WMM))
2867 p = hostapd_eid_wmm(hapd, p);
2868
2869 #ifdef CONFIG_WPS
2870 if (sta &&
2871 ((sta->flags & WLAN_STA_WPS) ||
2872 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
2873 struct wpabuf *wps = wps_build_assoc_resp_ie();
2874 if (wps) {
2875 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
2876 p += wpabuf_len(wps);
2877 wpabuf_free(wps);
2878 }
2879 }
2880 #endif /* CONFIG_WPS */
2881
2882 #ifdef CONFIG_P2P
2883 if (sta && sta->p2p_ie && hapd->p2p_group) {
2884 struct wpabuf *p2p_resp_ie;
2885 enum p2p_status_code status;
2886 switch (status_code) {
2887 case WLAN_STATUS_SUCCESS:
2888 status = P2P_SC_SUCCESS;
2889 break;
2890 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
2891 status = P2P_SC_FAIL_LIMIT_REACHED;
2892 break;
2893 default:
2894 status = P2P_SC_FAIL_INVALID_PARAMS;
2895 break;
2896 }
2897 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
2898 if (p2p_resp_ie) {
2899 os_memcpy(p, wpabuf_head(p2p_resp_ie),
2900 wpabuf_len(p2p_resp_ie));
2901 p += wpabuf_len(p2p_resp_ie);
2902 wpabuf_free(p2p_resp_ie);
2903 }
2904 }
2905 #endif /* CONFIG_P2P */
2906
2907 #ifdef CONFIG_P2P_MANAGER
2908 if (hapd->conf->p2p & P2P_MANAGE)
2909 p = hostapd_eid_p2p_manage(hapd, p);
2910 #endif /* CONFIG_P2P_MANAGER */
2911
2912 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
2913
2914 if (hapd->conf->assocresp_elements &&
2915 (size_t) (buf + buflen - p) >=
2916 wpabuf_len(hapd->conf->assocresp_elements)) {
2917 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
2918 wpabuf_len(hapd->conf->assocresp_elements));
2919 p += wpabuf_len(hapd->conf->assocresp_elements);
2920 }
2921
2922 send_len += p - reply->u.assoc_resp.variable;
2923
2924 #ifdef CONFIG_FILS
2925 if (sta &&
2926 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
2927 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
2928 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
2929 status_code == WLAN_STATUS_SUCCESS) {
2930 struct ieee802_11_elems elems;
2931
2932 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
2933 ParseFailed || !elems.fils_session) {
2934 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2935 goto done;
2936 }
2937
2938 /* FILS Session */
2939 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2940 *p++ = 1 + FILS_SESSION_LEN; /* Length */
2941 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2942 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
2943 send_len += 2 + 1 + FILS_SESSION_LEN;
2944
2945 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
2946 buflen, sta->fils_hlp_resp);
2947 if (send_len < 0) {
2948 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2949 goto done;
2950 }
2951 }
2952 #endif /* CONFIG_FILS */
2953
2954 #ifdef CONFIG_OWE
2955 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2956 sta && sta->owe_ecdh &&
2957 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
2958 struct wpabuf *pub;
2959
2960 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2961 if (!pub) {
2962 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2963 goto done;
2964 }
2965 /* OWE Diffie-Hellman Parameter element */
2966 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2967 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
2968 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
2969 WPA_PUT_LE16(p, sta->owe_group);
2970 p += 2;
2971 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
2972 p += wpabuf_len(pub);
2973 send_len += 3 + 2 + wpabuf_len(pub);
2974 wpabuf_free(pub);
2975 }
2976 #endif /* CONFIG_OWE */
2977
2978 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
2979 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
2980 strerror(errno));
2981 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2982 }
2983
2984 done:
2985 os_free(buf);
2986 return res;
2987 }
2988
2989
2990 #ifdef CONFIG_OWE
2991 u8 * owe_auth_req_process(struct hostapd_data *hapd, struct sta_info *sta,
2992 const u8 *owe_dh, u8 owe_dh_len,
2993 u8 *owe_buf, u16 *reason)
2994 {
2995 struct wpabuf *pub;
2996
2997 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
2998 if (*reason != WLAN_STATUS_SUCCESS)
2999 return NULL;
3000 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3001 if (!pub) {
3002 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3003 return NULL;
3004 }
3005
3006 /* OWE Diffie-Hellman Parameter element */
3007 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3008 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3009 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3010 WPA_PUT_LE16(owe_buf, OWE_DH_GROUP);
3011 owe_buf += 2;
3012 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3013 owe_buf += wpabuf_len(pub);
3014 wpabuf_free(pub);
3015 *reason = WLAN_STATUS_SUCCESS;
3016 return owe_buf;
3017 }
3018 #endif /* CONFIG_OWE */
3019
3020
3021 #ifdef CONFIG_FILS
3022
3023 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3024 {
3025 u16 reply_res;
3026
3027 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3028 MAC2STR(sta->addr));
3029 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3030 if (!sta->fils_pending_assoc_req)
3031 return;
3032 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3033 sta->fils_pending_assoc_is_reassoc,
3034 sta->fils_pending_assoc_req,
3035 sta->fils_pending_assoc_req_len);
3036 os_free(sta->fils_pending_assoc_req);
3037 sta->fils_pending_assoc_req = NULL;
3038 sta->fils_pending_assoc_req_len = 0;
3039 wpabuf_free(sta->fils_hlp_resp);
3040 sta->fils_hlp_resp = NULL;
3041 wpabuf_free(sta->hlp_dhcp_discover);
3042 sta->hlp_dhcp_discover = NULL;
3043
3044 /*
3045 * Remove the station in case transmission of a success response fails.
3046 * At this point the station was already added associated to the driver.
3047 */
3048 if (reply_res != WLAN_STATUS_SUCCESS)
3049 hostapd_drv_sta_remove(hapd, sta->addr);
3050 }
3051
3052
3053 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3054 {
3055 struct hostapd_data *hapd = eloop_ctx;
3056 struct sta_info *sta = eloop_data;
3057
3058 wpa_printf(MSG_DEBUG,
3059 "FILS: HLP response timeout - continue with association response for "
3060 MACSTR, MAC2STR(sta->addr));
3061 if (sta->fils_drv_assoc_finish)
3062 hostapd_notify_assoc_fils_finish(hapd, sta);
3063 else
3064 fils_hlp_finish_assoc(hapd, sta);
3065 }
3066
3067 #endif /* CONFIG_FILS */
3068
3069
3070 static void handle_assoc(struct hostapd_data *hapd,
3071 const struct ieee80211_mgmt *mgmt, size_t len,
3072 int reassoc)
3073 {
3074 u16 capab_info, listen_interval, seq_ctrl, fc;
3075 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3076 const u8 *pos;
3077 int left, i;
3078 struct sta_info *sta;
3079 u8 *tmp = NULL;
3080 struct hostapd_sta_wpa_psk_short *psk = NULL;
3081 char *identity = NULL;
3082 char *radius_cui = NULL;
3083 #ifdef CONFIG_FILS
3084 int delay_assoc = 0;
3085 #endif /* CONFIG_FILS */
3086
3087 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3088 sizeof(mgmt->u.assoc_req))) {
3089 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3090 reassoc, (unsigned long) len);
3091 return;
3092 }
3093
3094 #ifdef CONFIG_TESTING_OPTIONS
3095 if (reassoc) {
3096 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3097 drand48() < hapd->iconf->ignore_reassoc_probability) {
3098 wpa_printf(MSG_INFO,
3099 "TESTING: ignoring reassoc request from "
3100 MACSTR, MAC2STR(mgmt->sa));
3101 return;
3102 }
3103 } else {
3104 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3105 drand48() < hapd->iconf->ignore_assoc_probability) {
3106 wpa_printf(MSG_INFO,
3107 "TESTING: ignoring assoc request from "
3108 MACSTR, MAC2STR(mgmt->sa));
3109 return;
3110 }
3111 }
3112 #endif /* CONFIG_TESTING_OPTIONS */
3113
3114 fc = le_to_host16(mgmt->frame_control);
3115 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3116
3117 if (reassoc) {
3118 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3119 listen_interval = le_to_host16(
3120 mgmt->u.reassoc_req.listen_interval);
3121 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3122 " capab_info=0x%02x listen_interval=%d current_ap="
3123 MACSTR " seq_ctrl=0x%x%s",
3124 MAC2STR(mgmt->sa), capab_info, listen_interval,
3125 MAC2STR(mgmt->u.reassoc_req.current_ap),
3126 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3127 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3128 pos = mgmt->u.reassoc_req.variable;
3129 } else {
3130 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3131 listen_interval = le_to_host16(
3132 mgmt->u.assoc_req.listen_interval);
3133 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3134 " capab_info=0x%02x listen_interval=%d "
3135 "seq_ctrl=0x%x%s",
3136 MAC2STR(mgmt->sa), capab_info, listen_interval,
3137 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3138 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3139 pos = mgmt->u.assoc_req.variable;
3140 }
3141
3142 sta = ap_get_sta(hapd, mgmt->sa);
3143 #ifdef CONFIG_IEEE80211R_AP
3144 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3145 (sta->flags & WLAN_STA_AUTH) == 0) {
3146 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3147 "prior to authentication since it is using "
3148 "over-the-DS FT", MAC2STR(mgmt->sa));
3149
3150 /*
3151 * Mark station as authenticated, to avoid adding station
3152 * entry in the driver as associated and not authenticated
3153 */
3154 sta->flags |= WLAN_STA_AUTH;
3155 } else
3156 #endif /* CONFIG_IEEE80211R_AP */
3157 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3158 if (hapd->iface->current_mode &&
3159 hapd->iface->current_mode->mode ==
3160 HOSTAPD_MODE_IEEE80211AD) {
3161 int acl_res;
3162 u32 session_timeout, acct_interim_interval;
3163 struct vlan_description vlan_id;
3164
3165 acl_res = ieee802_11_allowed_address(
3166 hapd, mgmt->sa, (const u8 *) mgmt, len,
3167 &session_timeout, &acct_interim_interval,
3168 &vlan_id, &psk, &identity, &radius_cui);
3169 if (acl_res == HOSTAPD_ACL_REJECT) {
3170 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3171 goto fail;
3172 }
3173 if (acl_res == HOSTAPD_ACL_PENDING)
3174 return;
3175
3176 /* DMG/IEEE 802.11ad does not use authentication.
3177 * Allocate sta entry upon association. */
3178 sta = ap_sta_add(hapd, mgmt->sa);
3179 if (!sta) {
3180 hostapd_logger(hapd, mgmt->sa,
3181 HOSTAPD_MODULE_IEEE80211,
3182 HOSTAPD_LEVEL_INFO,
3183 "Failed to add STA");
3184 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3185 goto fail;
3186 }
3187
3188 acl_res = ieee802_11_set_radius_info(
3189 hapd, sta, acl_res, session_timeout,
3190 acct_interim_interval, &vlan_id, &psk,
3191 &identity, &radius_cui);
3192 if (acl_res) {
3193 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3194 goto fail;
3195 }
3196
3197 hostapd_logger(hapd, sta->addr,
3198 HOSTAPD_MODULE_IEEE80211,
3199 HOSTAPD_LEVEL_DEBUG,
3200 "Skip authentication for DMG/IEEE 802.11ad");
3201 sta->flags |= WLAN_STA_AUTH;
3202 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3203 sta->auth_alg = WLAN_AUTH_OPEN;
3204 } else {
3205 hostapd_logger(hapd, mgmt->sa,
3206 HOSTAPD_MODULE_IEEE80211,
3207 HOSTAPD_LEVEL_INFO,
3208 "Station tried to associate before authentication (aid=%d flags=0x%x)",
3209 sta ? sta->aid : -1,
3210 sta ? sta->flags : 0);
3211 send_deauth(hapd, mgmt->sa,
3212 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3213 return;
3214 }
3215 }
3216
3217 if ((fc & WLAN_FC_RETRY) &&
3218 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3219 sta->last_seq_ctrl == seq_ctrl &&
3220 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3221 WLAN_FC_STYPE_ASSOC_REQ)) {
3222 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3223 HOSTAPD_LEVEL_DEBUG,
3224 "Drop repeated association frame seq_ctrl=0x%x",
3225 seq_ctrl);
3226 return;
3227 }
3228 sta->last_seq_ctrl = seq_ctrl;
3229 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3230 WLAN_FC_STYPE_ASSOC_REQ;
3231
3232 if (hapd->tkip_countermeasures) {
3233 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3234 goto fail;
3235 }
3236
3237 if (listen_interval > hapd->conf->max_listen_interval) {
3238 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3239 HOSTAPD_LEVEL_DEBUG,
3240 "Too large Listen Interval (%d)",
3241 listen_interval);
3242 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3243 goto fail;
3244 }
3245
3246 #ifdef CONFIG_MBO
3247 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3248 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3249 goto fail;
3250 }
3251 #endif /* CONFIG_MBO */
3252
3253 /*
3254 * sta->capability is used in check_assoc_ies() for RRM enabled
3255 * capability element.
3256 */
3257 sta->capability = capab_info;
3258
3259 #ifdef CONFIG_FILS
3260 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3261 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3262 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3263 int res;
3264
3265 /* The end of the payload is encrypted. Need to decrypt it
3266 * before parsing. */
3267
3268 tmp = os_memdup(pos, left);
3269 if (!tmp) {
3270 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3271 goto fail;
3272 }
3273
3274 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3275 len, tmp, left);
3276 if (res < 0) {
3277 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3278 goto fail;
3279 }
3280 pos = tmp;
3281 left = res;
3282 }
3283 #endif /* CONFIG_FILS */
3284
3285 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
3286 * is used */
3287 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3288 if (resp != WLAN_STATUS_SUCCESS)
3289 goto fail;
3290
3291 if (hostapd_get_aid(hapd, sta) < 0) {
3292 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3293 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3294 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3295 goto fail;
3296 }
3297
3298 sta->listen_interval = listen_interval;
3299
3300 if (hapd->iface->current_mode &&
3301 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3302 sta->flags |= WLAN_STA_NONERP;
3303 for (i = 0; i < sta->supported_rates_len; i++) {
3304 if ((sta->supported_rates[i] & 0x7f) > 22) {
3305 sta->flags &= ~WLAN_STA_NONERP;
3306 break;
3307 }
3308 }
3309 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3310 sta->nonerp_set = 1;
3311 hapd->iface->num_sta_non_erp++;
3312 if (hapd->iface->num_sta_non_erp == 1)
3313 ieee802_11_set_beacons(hapd->iface);
3314 }
3315
3316 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3317 !sta->no_short_slot_time_set) {
3318 sta->no_short_slot_time_set = 1;
3319 hapd->iface->num_sta_no_short_slot_time++;
3320 if (hapd->iface->current_mode &&
3321 hapd->iface->current_mode->mode ==
3322 HOSTAPD_MODE_IEEE80211G &&
3323 hapd->iface->num_sta_no_short_slot_time == 1)
3324 ieee802_11_set_beacons(hapd->iface);
3325 }
3326
3327 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3328 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3329 else
3330 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3331
3332 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3333 !sta->no_short_preamble_set) {
3334 sta->no_short_preamble_set = 1;
3335 hapd->iface->num_sta_no_short_preamble++;
3336 if (hapd->iface->current_mode &&
3337 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3338 && hapd->iface->num_sta_no_short_preamble == 1)
3339 ieee802_11_set_beacons(hapd->iface);
3340 }
3341
3342 #ifdef CONFIG_IEEE80211N
3343 update_ht_state(hapd, sta);
3344 #endif /* CONFIG_IEEE80211N */
3345
3346 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3347 HOSTAPD_LEVEL_DEBUG,
3348 "association OK (aid %d)", sta->aid);
3349 /* Station will be marked associated, after it acknowledges AssocResp
3350 */
3351 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3352
3353 #ifdef CONFIG_IEEE80211W
3354 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3355 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3356 "SA Query procedure", reassoc ? "re" : "");
3357 /* TODO: Send a protected Disassociate frame to the STA using
3358 * the old key and Reason Code "Previous Authentication no
3359 * longer valid". Make sure this is only sent protected since
3360 * unprotected frame would be received by the STA that is now
3361 * trying to associate.
3362 */
3363 }
3364 #endif /* CONFIG_IEEE80211W */
3365
3366 /* Make sure that the previously registered inactivity timer will not
3367 * remove the STA immediately. */
3368 sta->timeout_next = STA_NULLFUNC;
3369
3370 #ifdef CONFIG_TAXONOMY
3371 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
3372 #endif /* CONFIG_TAXONOMY */
3373
3374 sta->pending_wds_enable = 0;
3375
3376 #ifdef CONFIG_FILS
3377 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3378 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3379 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3380 if (fils_process_hlp(hapd, sta, pos, left) > 0)
3381 delay_assoc = 1;
3382 }
3383 #endif /* CONFIG_FILS */
3384
3385 fail:
3386 os_free(identity);
3387 os_free(radius_cui);
3388 hostapd_free_psk_list(psk);
3389
3390 /*
3391 * In case of a successful response, add the station to the driver.
3392 * Otherwise, the kernel may ignore Data frames before we process the
3393 * ACK frame (TX status). In case of a failure, this station will be
3394 * removed.
3395 *
3396 * Note that this is not compliant with the IEEE 802.11 standard that
3397 * states that a non-AP station should transition into the
3398 * authenticated/associated state only after the station acknowledges
3399 * the (Re)Association Response frame. However, still do this as:
3400 *
3401 * 1. In case the station does not acknowledge the (Re)Association
3402 * Response frame, it will be removed.
3403 * 2. Data frames will be dropped in the kernel until the station is
3404 * set into authorized state, and there are no significant known
3405 * issues with processing other non-Data Class 3 frames during this
3406 * window.
3407 */
3408 if (resp == WLAN_STATUS_SUCCESS && sta && add_associated_sta(hapd, sta))
3409 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3410
3411 #ifdef CONFIG_FILS
3412 if (sta) {
3413 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3414 os_free(sta->fils_pending_assoc_req);
3415 sta->fils_pending_assoc_req = NULL;
3416 sta->fils_pending_assoc_req_len = 0;
3417 wpabuf_free(sta->fils_hlp_resp);
3418 sta->fils_hlp_resp = NULL;
3419 }
3420 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
3421 sta->fils_pending_assoc_req = tmp;
3422 sta->fils_pending_assoc_req_len = left;
3423 sta->fils_pending_assoc_is_reassoc = reassoc;
3424 sta->fils_drv_assoc_finish = 0;
3425 wpa_printf(MSG_DEBUG,
3426 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
3427 MACSTR, MAC2STR(sta->addr));
3428 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3429 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
3430 fils_hlp_timeout, hapd, sta);
3431 return;
3432 }
3433 #endif /* CONFIG_FILS */
3434
3435 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
3436 left);
3437 os_free(tmp);
3438
3439 /*
3440 * Remove the station in case tranmission of a success response fails
3441 * (the STA was added associated to the driver) or if the station was
3442 * previously added unassociated.
3443 */
3444 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
3445 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
3446 hostapd_drv_sta_remove(hapd, sta->addr);
3447 sta->added_unassoc = 0;
3448 }
3449 }
3450
3451
3452 static void handle_disassoc(struct hostapd_data *hapd,
3453 const struct ieee80211_mgmt *mgmt, size_t len)
3454 {
3455 struct sta_info *sta;
3456
3457 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
3458 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
3459 (unsigned long) len);
3460 return;
3461 }
3462
3463 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
3464 MAC2STR(mgmt->sa),
3465 le_to_host16(mgmt->u.disassoc.reason_code));
3466
3467 sta = ap_get_sta(hapd, mgmt->sa);
3468 if (sta == NULL) {
3469 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
3470 MAC2STR(mgmt->sa));
3471 return;
3472 }
3473
3474 ap_sta_set_authorized(hapd, sta, 0);
3475 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3476 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
3477 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
3478 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3479 HOSTAPD_LEVEL_INFO, "disassociated");
3480 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3481 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3482 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
3483 * authenticated. */
3484 accounting_sta_stop(hapd, sta);
3485 ieee802_1x_free_station(hapd, sta);
3486 if (sta->ipaddr)
3487 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
3488 ap_sta_ip6addr_del(hapd, sta);
3489 hostapd_drv_sta_remove(hapd, sta->addr);
3490 sta->added_unassoc = 0;
3491
3492 if (sta->timeout_next == STA_NULLFUNC ||
3493 sta->timeout_next == STA_DISASSOC) {
3494 sta->timeout_next = STA_DEAUTH;
3495 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
3496 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
3497 hapd, sta);
3498 }
3499
3500 mlme_disassociate_indication(
3501 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
3502
3503 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
3504 * disassociation. */
3505 if (hapd->iface->current_mode &&
3506 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
3507 sta->flags &= ~WLAN_STA_AUTH;
3508 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3509 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3510 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3511 ap_free_sta(hapd, sta);
3512 }
3513 }
3514
3515
3516 static void handle_deauth(struct hostapd_data *hapd,
3517 const struct ieee80211_mgmt *mgmt, size_t len)
3518 {
3519 struct sta_info *sta;
3520
3521 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
3522 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
3523 "payload (len=%lu)", (unsigned long) len);
3524 return;
3525 }
3526
3527 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
3528 " reason_code=%d",
3529 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
3530
3531 sta = ap_get_sta(hapd, mgmt->sa);
3532 if (sta == NULL) {
3533 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
3534 "to deauthenticate, but it is not authenticated",
3535 MAC2STR(mgmt->sa));
3536 return;
3537 }
3538
3539 ap_sta_set_authorized(hapd, sta, 0);
3540 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3541 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
3542 WLAN_STA_ASSOC_REQ_OK);
3543 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3544 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3545 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3546 mlme_deauthenticate_indication(
3547 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
3548 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3549 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3550 ap_free_sta(hapd, sta);
3551 }
3552
3553
3554 static void handle_beacon(struct hostapd_data *hapd,
3555 const struct ieee80211_mgmt *mgmt, size_t len,
3556 struct hostapd_frame_info *fi)
3557 {
3558 struct ieee802_11_elems elems;
3559
3560 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
3561 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
3562 (unsigned long) len);
3563 return;
3564 }
3565
3566 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
3567 len - (IEEE80211_HDRLEN +
3568 sizeof(mgmt->u.beacon)), &elems,
3569 0);
3570
3571 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
3572 }
3573
3574
3575 #ifdef CONFIG_IEEE80211W
3576
3577 static int hostapd_sa_query_action(struct hostapd_data *hapd,
3578 const struct ieee80211_mgmt *mgmt,
3579 size_t len)
3580 {
3581 const u8 *end;
3582
3583 end = mgmt->u.action.u.sa_query_resp.trans_id +
3584 WLAN_SA_QUERY_TR_ID_LEN;
3585 if (((u8 *) mgmt) + len < end) {
3586 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
3587 "frame (len=%lu)", (unsigned long) len);
3588 return 0;
3589 }
3590
3591 ieee802_11_sa_query_action(hapd, mgmt->sa,
3592 mgmt->u.action.u.sa_query_resp.action,
3593 mgmt->u.action.u.sa_query_resp.trans_id);
3594 return 1;
3595 }
3596
3597
3598 static int robust_action_frame(u8 category)
3599 {
3600 return category != WLAN_ACTION_PUBLIC &&
3601 category != WLAN_ACTION_HT;
3602 }
3603 #endif /* CONFIG_IEEE80211W */
3604
3605
3606 static int handle_action(struct hostapd_data *hapd,
3607 const struct ieee80211_mgmt *mgmt, size_t len)
3608 {
3609 struct sta_info *sta;
3610 sta = ap_get_sta(hapd, mgmt->sa);
3611
3612 if (len < IEEE80211_HDRLEN + 1) {
3613 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3614 HOSTAPD_LEVEL_DEBUG,
3615 "handle_action - too short payload (len=%lu)",
3616 (unsigned long) len);
3617 return 0;
3618 }
3619
3620 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
3621 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
3622 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
3623 "frame (category=%u) from unassociated STA " MACSTR,
3624 mgmt->u.action.category, MAC2STR(mgmt->sa));
3625 return 0;
3626 }
3627
3628 #ifdef CONFIG_IEEE80211W
3629 if (sta && (sta->flags & WLAN_STA_MFP) &&
3630 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
3631 robust_action_frame(mgmt->u.action.category)) {
3632 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3633 HOSTAPD_LEVEL_DEBUG,
3634 "Dropped unprotected Robust Action frame from "
3635 "an MFP STA");
3636 return 0;
3637 }
3638 #endif /* CONFIG_IEEE80211W */
3639
3640 if (sta) {
3641 u16 fc = le_to_host16(mgmt->frame_control);
3642 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3643
3644 if ((fc & WLAN_FC_RETRY) &&
3645 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3646 sta->last_seq_ctrl == seq_ctrl &&
3647 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
3648 hostapd_logger(hapd, sta->addr,
3649 HOSTAPD_MODULE_IEEE80211,
3650 HOSTAPD_LEVEL_DEBUG,
3651 "Drop repeated action frame seq_ctrl=0x%x",
3652 seq_ctrl);
3653 return 1;
3654 }
3655
3656 sta->last_seq_ctrl = seq_ctrl;
3657 sta->last_subtype = WLAN_FC_STYPE_ACTION;
3658 }
3659
3660 switch (mgmt->u.action.category) {
3661 #ifdef CONFIG_IEEE80211R_AP
3662 case WLAN_ACTION_FT:
3663 if (!sta ||
3664 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
3665 len - IEEE80211_HDRLEN))
3666 break;
3667 return 1;
3668 #endif /* CONFIG_IEEE80211R_AP */
3669 case WLAN_ACTION_WMM:
3670 hostapd_wmm_action(hapd, mgmt, len);
3671 return 1;
3672 #ifdef CONFIG_IEEE80211W
3673 case WLAN_ACTION_SA_QUERY:
3674 return hostapd_sa_query_action(hapd, mgmt, len);
3675 #endif /* CONFIG_IEEE80211W */
3676 #ifdef CONFIG_WNM_AP
3677 case WLAN_ACTION_WNM:
3678 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
3679 return 1;
3680 #endif /* CONFIG_WNM_AP */
3681 #ifdef CONFIG_FST
3682 case WLAN_ACTION_FST:
3683 if (hapd->iface->fst)
3684 fst_rx_action(hapd->iface->fst, mgmt, len);
3685 else
3686 wpa_printf(MSG_DEBUG,
3687 "FST: Ignore FST Action frame - no FST attached");
3688 return 1;
3689 #endif /* CONFIG_FST */
3690 case WLAN_ACTION_PUBLIC:
3691 case WLAN_ACTION_PROTECTED_DUAL:
3692 #ifdef CONFIG_IEEE80211N
3693 if (len >= IEEE80211_HDRLEN + 2 &&
3694 mgmt->u.action.u.public_action.action ==
3695 WLAN_PA_20_40_BSS_COEX) {
3696 wpa_printf(MSG_DEBUG,
3697 "HT20/40 coex mgmt frame received from STA "
3698 MACSTR, MAC2STR(mgmt->sa));
3699 hostapd_2040_coex_action(hapd, mgmt, len);
3700 return 1;
3701 }
3702 #endif /* CONFIG_IEEE80211N */
3703 #ifdef CONFIG_DPP
3704 if (len >= IEEE80211_HDRLEN + 6 &&
3705 mgmt->u.action.u.vs_public_action.action ==
3706 WLAN_PA_VENDOR_SPECIFIC &&
3707 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
3708 OUI_WFA &&
3709 mgmt->u.action.u.vs_public_action.variable[0] ==
3710 DPP_OUI_TYPE) {
3711 const u8 *pos, *end;
3712
3713 pos = mgmt->u.action.u.vs_public_action.oui;
3714 end = ((const u8 *) mgmt) + len;
3715 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
3716 hapd->iface->freq);
3717 return 1;
3718 }
3719 if (len >= IEEE80211_HDRLEN + 2 &&
3720 (mgmt->u.action.u.public_action.action ==
3721 WLAN_PA_GAS_INITIAL_RESP ||
3722 mgmt->u.action.u.public_action.action ==
3723 WLAN_PA_GAS_COMEBACK_RESP)) {
3724 const u8 *pos, *end;
3725
3726 pos = &mgmt->u.action.u.public_action.action;
3727 end = ((const u8 *) mgmt) + len;
3728 gas_query_ap_rx(hapd->gas, mgmt->sa,
3729 mgmt->u.action.category,
3730 pos, end - pos, hapd->iface->freq);
3731 return 1;
3732 }
3733 #endif /* CONFIG_DPP */
3734 if (hapd->public_action_cb) {
3735 hapd->public_action_cb(hapd->public_action_cb_ctx,
3736 (u8 *) mgmt, len,
3737 hapd->iface->freq);
3738 }
3739 if (hapd->public_action_cb2) {
3740 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
3741 (u8 *) mgmt, len,
3742 hapd->iface->freq);
3743 }
3744 if (hapd->public_action_cb || hapd->public_action_cb2)
3745 return 1;
3746 break;
3747 case WLAN_ACTION_VENDOR_SPECIFIC:
3748 if (hapd->vendor_action_cb) {
3749 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
3750 (u8 *) mgmt, len,
3751 hapd->iface->freq) == 0)
3752 return 1;
3753 }
3754 break;
3755 case WLAN_ACTION_RADIO_MEASUREMENT:
3756 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
3757 return 1;
3758 }
3759
3760 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3761 HOSTAPD_LEVEL_DEBUG,
3762 "handle_action - unknown action category %d or invalid "
3763 "frame",
3764 mgmt->u.action.category);
3765 if (!is_multicast_ether_addr(mgmt->da) &&
3766 !(mgmt->u.action.category & 0x80) &&
3767 !is_multicast_ether_addr(mgmt->sa)) {
3768 struct ieee80211_mgmt *resp;
3769
3770 /*
3771 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
3772 * Return the Action frame to the source without change
3773 * except that MSB of the Category set to 1.
3774 */
3775 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
3776 "frame back to sender");
3777 resp = os_memdup(mgmt, len);
3778 if (resp == NULL)
3779 return 0;
3780 os_memcpy(resp->da, resp->sa, ETH_ALEN);
3781 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
3782 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
3783 resp->u.action.category |= 0x80;
3784
3785 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
3786 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
3787 "Action frame");
3788 }
3789 os_free(resp);
3790 }
3791
3792 return 1;
3793 }
3794
3795
3796 /**
3797 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
3798 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
3799 * sent to)
3800 * @buf: management frame data (starting from IEEE 802.11 header)
3801 * @len: length of frame data in octets
3802 * @fi: meta data about received frame (signal level, etc.)
3803 *
3804 * Process all incoming IEEE 802.11 management frames. This will be called for
3805 * each frame received from the kernel driver through wlan#ap interface. In
3806 * addition, it can be called to re-inserted pending frames (e.g., when using
3807 * external RADIUS server as an MAC ACL).
3808 */
3809 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
3810 struct hostapd_frame_info *fi)
3811 {
3812 struct ieee80211_mgmt *mgmt;
3813 u16 fc, stype;
3814 int ret = 0;
3815
3816 if (len < 24)
3817 return 0;
3818
3819 mgmt = (struct ieee80211_mgmt *) buf;
3820 fc = le_to_host16(mgmt->frame_control);
3821 stype = WLAN_FC_GET_STYPE(fc);
3822
3823 if (stype == WLAN_FC_STYPE_BEACON) {
3824 handle_beacon(hapd, mgmt, len, fi);
3825 return 1;
3826 }
3827
3828 if (!is_broadcast_ether_addr(mgmt->bssid) &&
3829 #ifdef CONFIG_P2P
3830 /* Invitation responses can be sent with the peer MAC as BSSID */
3831 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
3832 stype == WLAN_FC_STYPE_ACTION) &&
3833 #endif /* CONFIG_P2P */
3834 #ifdef CONFIG_MESH
3835 !(hapd->conf->mesh & MESH_ENABLED) &&
3836 #endif /* CONFIG_MESH */
3837 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
3838 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
3839 MAC2STR(mgmt->bssid));
3840 return 0;
3841 }
3842
3843
3844 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
3845 handle_probe_req(hapd, mgmt, len, fi->ssi_signal);
3846 return 1;
3847 }
3848
3849 if ((!is_broadcast_ether_addr(mgmt->da) ||
3850 stype != WLAN_FC_STYPE_ACTION) &&
3851 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
3852 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3853 HOSTAPD_LEVEL_DEBUG,
3854 "MGMT: DA=" MACSTR " not our address",
3855 MAC2STR(mgmt->da));
3856 return 0;
3857 }
3858
3859 if (hapd->iconf->track_sta_max_num)
3860 sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal);
3861
3862 switch (stype) {
3863 case WLAN_FC_STYPE_AUTH:
3864 wpa_printf(MSG_DEBUG, "mgmt::auth");
3865 handle_auth(hapd, mgmt, len);
3866 ret = 1;
3867 break;
3868 case WLAN_FC_STYPE_ASSOC_REQ:
3869 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
3870 handle_assoc(hapd, mgmt, len, 0);
3871 ret = 1;
3872 break;
3873 case WLAN_FC_STYPE_REASSOC_REQ:
3874 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
3875 handle_assoc(hapd, mgmt, len, 1);
3876 ret = 1;
3877 break;
3878 case WLAN_FC_STYPE_DISASSOC:
3879 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
3880 handle_disassoc(hapd, mgmt, len);
3881 ret = 1;
3882 break;
3883 case WLAN_FC_STYPE_DEAUTH:
3884 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
3885 handle_deauth(hapd, mgmt, len);
3886 ret = 1;
3887 break;
3888 case WLAN_FC_STYPE_ACTION:
3889 wpa_printf(MSG_DEBUG, "mgmt::action");
3890 ret = handle_action(hapd, mgmt, len);
3891 break;
3892 default:
3893 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3894 HOSTAPD_LEVEL_DEBUG,
3895 "unknown mgmt frame subtype %d", stype);
3896 break;
3897 }
3898
3899 return ret;
3900 }
3901
3902
3903 static void handle_auth_cb(struct hostapd_data *hapd,
3904 const struct ieee80211_mgmt *mgmt,
3905 size_t len, int ok)
3906 {
3907 u16 auth_alg, auth_transaction, status_code;
3908 struct sta_info *sta;
3909
3910 sta = ap_get_sta(hapd, mgmt->da);
3911 if (!sta) {
3912 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
3913 MAC2STR(mgmt->da));
3914 return;
3915 }
3916
3917 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3918 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3919 status_code = le_to_host16(mgmt->u.auth.status_code);
3920
3921 if (!ok) {
3922 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
3923 HOSTAPD_LEVEL_NOTICE,
3924 "did not acknowledge authentication response");
3925 goto fail;
3926 }
3927
3928 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3929 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
3930 (unsigned long) len);
3931 goto fail;
3932 }
3933
3934 if (status_code == WLAN_STATUS_SUCCESS &&
3935 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
3936 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
3937 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3938 HOSTAPD_LEVEL_INFO, "authenticated");
3939 sta->flags |= WLAN_STA_AUTH;
3940 if (sta->added_unassoc)
3941 hostapd_set_sta_flags(hapd, sta);
3942 return;
3943 }
3944
3945 fail:
3946 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
3947 hostapd_drv_sta_remove(hapd, sta->addr);
3948 sta->added_unassoc = 0;
3949 }
3950 }
3951
3952
3953 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
3954 struct sta_info *sta,
3955 char *ifname_wds)
3956 {
3957 int i;
3958 struct hostapd_ssid *ssid = &hapd->conf->ssid;
3959
3960 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
3961 return;
3962
3963 for (i = 0; i < 4; i++) {
3964 if (ssid->wep.key[i] &&
3965 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
3966 i == ssid->wep.idx, NULL, 0,
3967 ssid->wep.key[i], ssid->wep.len[i])) {
3968 wpa_printf(MSG_WARNING,
3969 "Could not set WEP keys for WDS interface; %s",
3970 ifname_wds);
3971 break;
3972 }
3973 }
3974 }
3975
3976
3977 static void handle_assoc_cb(struct hostapd_data *hapd,
3978 const struct ieee80211_mgmt *mgmt,
3979 size_t len, int reassoc, int ok)
3980 {
3981 u16 status;
3982 struct sta_info *sta;
3983 int new_assoc = 1;
3984
3985 sta = ap_get_sta(hapd, mgmt->da);
3986 if (!sta) {
3987 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
3988 MAC2STR(mgmt->da));
3989 return;
3990 }
3991
3992 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
3993 sizeof(mgmt->u.assoc_resp))) {
3994 wpa_printf(MSG_INFO,
3995 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
3996 reassoc, (unsigned long) len);
3997 hostapd_drv_sta_remove(hapd, sta->addr);
3998 return;
3999 }
4000
4001 if (reassoc)
4002 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4003 else
4004 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4005
4006 if (!ok) {
4007 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4008 HOSTAPD_LEVEL_DEBUG,
4009 "did not acknowledge association response");
4010 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4011 /* The STA is added only in case of SUCCESS */
4012 if (status == WLAN_STATUS_SUCCESS)
4013 hostapd_drv_sta_remove(hapd, sta->addr);
4014
4015 return;
4016 }
4017
4018 if (status != WLAN_STATUS_SUCCESS)
4019 return;
4020
4021 /* Stop previous accounting session, if one is started, and allocate
4022 * new session id for the new session. */
4023 accounting_sta_stop(hapd, sta);
4024
4025 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4026 HOSTAPD_LEVEL_INFO,
4027 "associated (aid %d)",
4028 sta->aid);
4029
4030 if (sta->flags & WLAN_STA_ASSOC)
4031 new_assoc = 0;
4032 sta->flags |= WLAN_STA_ASSOC;
4033 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4034 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4035 !hapd->conf->osen) ||
4036 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4037 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4038 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4039 sta->auth_alg == WLAN_AUTH_FT) {
4040 /*
4041 * Open, static WEP, FT protocol, or FILS; no separate
4042 * authorization step.
4043 */
4044 ap_sta_set_authorized(hapd, sta, 1);
4045 }
4046
4047 if (reassoc)
4048 mlme_reassociate_indication(hapd, sta);
4049 else
4050 mlme_associate_indication(hapd, sta);
4051
4052 #ifdef CONFIG_IEEE80211W
4053 sta->sa_query_timed_out = 0;
4054 #endif /* CONFIG_IEEE80211W */
4055
4056 if (sta->eapol_sm == NULL) {
4057 /*
4058 * This STA does not use RADIUS server for EAP authentication,
4059 * so bind it to the selected VLAN interface now, since the
4060 * interface selection is not going to change anymore.
4061 */
4062 if (ap_sta_bind_vlan(hapd, sta) < 0)
4063 return;
4064 } else if (sta->vlan_id) {
4065 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4066 if (ap_sta_bind_vlan(hapd, sta) < 0)
4067 return;
4068 }
4069
4070 hostapd_set_sta_flags(hapd, sta);
4071
4072 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4073 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4074 MACSTR " based on pending request",
4075 MAC2STR(sta->addr));
4076 sta->pending_wds_enable = 0;
4077 sta->flags |= WLAN_STA_WDS;
4078 }
4079
4080 if (sta->flags & WLAN_STA_WDS) {
4081 int ret;
4082 char ifname_wds[IFNAMSIZ + 1];
4083
4084 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4085 MACSTR " (aid %u)",
4086 MAC2STR(sta->addr), sta->aid);
4087 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4088 sta->aid, 1);
4089 if (!ret)
4090 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4091 }
4092
4093 if (sta->auth_alg == WLAN_AUTH_FT)
4094 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4095 else
4096 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4097 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4098 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4099
4100 #ifdef CONFIG_FILS
4101 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4102 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4103 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4104 fils_set_tk(sta->wpa_sm) < 0) {
4105 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4106 ap_sta_disconnect(hapd, sta, sta->addr,
4107 WLAN_REASON_UNSPECIFIED);
4108 return;
4109 }
4110 #endif /* CONFIG_FILS */
4111
4112 if (sta->pending_eapol_rx) {
4113 struct os_reltime now, age;
4114
4115 os_get_reltime(&now);
4116 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4117 if (age.sec == 0 && age.usec < 200000) {
4118 wpa_printf(MSG_DEBUG,
4119 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4120 MAC2STR(sta->addr));
4121 ieee802_1x_receive(
4122 hapd, mgmt->da,
4123 wpabuf_head(sta->pending_eapol_rx->buf),
4124 wpabuf_len(sta->pending_eapol_rx->buf));
4125 }
4126 wpabuf_free(sta->pending_eapol_rx->buf);
4127 os_free(sta->pending_eapol_rx);
4128 sta->pending_eapol_rx = NULL;
4129 }
4130 }
4131
4132
4133 static void handle_deauth_cb(struct hostapd_data *hapd,
4134 const struct ieee80211_mgmt *mgmt,
4135 size_t len, int ok)
4136 {
4137 struct sta_info *sta;
4138 if (is_multicast_ether_addr(mgmt->da))
4139 return;
4140 sta = ap_get_sta(hapd, mgmt->da);
4141 if (!sta) {
4142 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4143 " not found", MAC2STR(mgmt->da));
4144 return;
4145 }
4146 if (ok)
4147 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4148 MAC2STR(sta->addr));
4149 else
4150 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4151 "deauth", MAC2STR(sta->addr));
4152
4153 ap_sta_deauth_cb(hapd, sta);
4154 }
4155
4156
4157 static void handle_disassoc_cb(struct hostapd_data *hapd,
4158 const struct ieee80211_mgmt *mgmt,
4159 size_t len, int ok)
4160 {
4161 struct sta_info *sta;
4162 if (is_multicast_ether_addr(mgmt->da))
4163 return;
4164 sta = ap_get_sta(hapd, mgmt->da);
4165 if (!sta) {
4166 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4167 " not found", MAC2STR(mgmt->da));
4168 return;
4169 }
4170 if (ok)
4171 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4172 MAC2STR(sta->addr));
4173 else
4174 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4175 "disassoc", MAC2STR(sta->addr));
4176
4177 ap_sta_disassoc_cb(hapd, sta);
4178 }
4179
4180
4181 static void handle_action_cb(struct hostapd_data *hapd,
4182 const struct ieee80211_mgmt *mgmt,
4183 size_t len, int ok)
4184 {
4185 struct sta_info *sta;
4186 const struct rrm_measurement_report_element *report;
4187
4188 if (is_multicast_ether_addr(mgmt->da))
4189 return;
4190 #ifdef CONFIG_DPP
4191 if (len >= IEEE80211_HDRLEN + 6 &&
4192 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4193 mgmt->u.action.u.vs_public_action.action ==
4194 WLAN_PA_VENDOR_SPECIFIC &&
4195 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4196 OUI_WFA &&
4197 mgmt->u.action.u.vs_public_action.variable[0] ==
4198 DPP_OUI_TYPE) {
4199 const u8 *pos, *end;
4200
4201 pos = &mgmt->u.action.u.vs_public_action.variable[1];
4202 end = ((const u8 *) mgmt) + len;
4203 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4204 return;
4205 }
4206 if (len >= IEEE80211_HDRLEN + 2 &&
4207 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4208 (mgmt->u.action.u.public_action.action ==
4209 WLAN_PA_GAS_INITIAL_REQ ||
4210 mgmt->u.action.u.public_action.action ==
4211 WLAN_PA_GAS_COMEBACK_REQ)) {
4212 const u8 *pos, *end;
4213
4214 pos = mgmt->u.action.u.public_action.variable;
4215 end = ((const u8 *) mgmt) + len;
4216 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4217 return;
4218 }
4219 #endif /* CONFIG_DPP */
4220 sta = ap_get_sta(hapd, mgmt->da);
4221 if (!sta) {
4222 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4223 " not found", MAC2STR(mgmt->da));
4224 return;
4225 }
4226
4227 if (len < 24 + 5 + sizeof(*report))
4228 return;
4229 report = (const struct rrm_measurement_report_element *)
4230 &mgmt->u.action.u.rrm.variable[2];
4231 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4232 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4233 report->eid == WLAN_EID_MEASURE_REQUEST &&
4234 report->len >= 3 &&
4235 report->type == MEASURE_TYPE_BEACON)
4236 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4237 }
4238
4239
4240 /**
4241 * ieee802_11_mgmt_cb - Process management frame TX status callback
4242 * @hapd: hostapd BSS data structure (the BSS from which the management frame
4243 * was sent from)
4244 * @buf: management frame data (starting from IEEE 802.11 header)
4245 * @len: length of frame data in octets
4246 * @stype: management frame subtype from frame control field
4247 * @ok: Whether the frame was ACK'ed
4248 */
4249 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4250 u16 stype, int ok)
4251 {
4252 const struct ieee80211_mgmt *mgmt;
4253 mgmt = (const struct ieee80211_mgmt *) buf;
4254
4255 #ifdef CONFIG_TESTING_OPTIONS
4256 if (hapd->ext_mgmt_frame_handling) {
4257 size_t hex_len = 2 * len + 1;
4258 char *hex = os_malloc(hex_len);
4259
4260 if (hex) {
4261 wpa_snprintf_hex(hex, hex_len, buf, len);
4262 wpa_msg(hapd->msg_ctx, MSG_INFO,
4263 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4264 stype, ok, hex);
4265 os_free(hex);
4266 }
4267 return;
4268 }
4269 #endif /* CONFIG_TESTING_OPTIONS */
4270
4271 switch (stype) {
4272 case WLAN_FC_STYPE_AUTH:
4273 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4274 handle_auth_cb(hapd, mgmt, len, ok);
4275 break;
4276 case WLAN_FC_STYPE_ASSOC_RESP:
4277 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4278 handle_assoc_cb(hapd, mgmt, len, 0, ok);
4279 break;
4280 case WLAN_FC_STYPE_REASSOC_RESP:
4281 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4282 handle_assoc_cb(hapd, mgmt, len, 1, ok);
4283 break;
4284 case WLAN_FC_STYPE_PROBE_RESP:
4285 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4286 break;
4287 case WLAN_FC_STYPE_DEAUTH:
4288 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4289 handle_deauth_cb(hapd, mgmt, len, ok);
4290 break;
4291 case WLAN_FC_STYPE_DISASSOC:
4292 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4293 handle_disassoc_cb(hapd, mgmt, len, ok);
4294 break;
4295 case WLAN_FC_STYPE_ACTION:
4296 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4297 handle_action_cb(hapd, mgmt, len, ok);
4298 break;
4299 default:
4300 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4301 break;
4302 }
4303 }
4304
4305
4306 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4307 {
4308 /* TODO */
4309 return 0;
4310 }
4311
4312
4313 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4314 char *buf, size_t buflen)
4315 {
4316 /* TODO */
4317 return 0;
4318 }
4319
4320
4321 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4322 const u8 *buf, size_t len, int ack)
4323 {
4324 struct sta_info *sta;
4325 struct hostapd_iface *iface = hapd->iface;
4326
4327 sta = ap_get_sta(hapd, addr);
4328 if (sta == NULL && iface->num_bss > 1) {
4329 size_t j;
4330 for (j = 0; j < iface->num_bss; j++) {
4331 hapd = iface->bss[j];
4332 sta = ap_get_sta(hapd, addr);
4333 if (sta)
4334 break;
4335 }
4336 }
4337 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4338 return;
4339 if (sta->flags & WLAN_STA_PENDING_POLL) {
4340 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4341 "activity poll", MAC2STR(sta->addr),
4342 ack ? "ACKed" : "did not ACK");
4343 if (ack)
4344 sta->flags &= ~WLAN_STA_PENDING_POLL;
4345 }
4346
4347 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4348 }
4349
4350
4351 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
4352 const u8 *data, size_t len, int ack)
4353 {
4354 struct sta_info *sta;
4355 struct hostapd_iface *iface = hapd->iface;
4356
4357 sta = ap_get_sta(hapd, dst);
4358 if (sta == NULL && iface->num_bss > 1) {
4359 size_t j;
4360 for (j = 0; j < iface->num_bss; j++) {
4361 hapd = iface->bss[j];
4362 sta = ap_get_sta(hapd, dst);
4363 if (sta)
4364 break;
4365 }
4366 }
4367 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
4368 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
4369 MACSTR " that is not currently associated",
4370 MAC2STR(dst));
4371 return;
4372 }
4373
4374 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
4375 }
4376
4377
4378 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
4379 {
4380 struct sta_info *sta;
4381 struct hostapd_iface *iface = hapd->iface;
4382
4383 sta = ap_get_sta(hapd, addr);
4384 if (sta == NULL && iface->num_bss > 1) {
4385 size_t j;
4386 for (j = 0; j < iface->num_bss; j++) {
4387 hapd = iface->bss[j];
4388 sta = ap_get_sta(hapd, addr);
4389 if (sta)
4390 break;
4391 }
4392 }
4393 if (sta == NULL)
4394 return;
4395 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
4396 MAC2STR(sta->addr));
4397 if (!(sta->flags & WLAN_STA_PENDING_POLL))
4398 return;
4399
4400 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
4401 "activity poll", MAC2STR(sta->addr));
4402 sta->flags &= ~WLAN_STA_PENDING_POLL;
4403 }
4404
4405
4406 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
4407 int wds)
4408 {
4409 struct sta_info *sta;
4410
4411 sta = ap_get_sta(hapd, src);
4412 if (sta &&
4413 ((sta->flags & WLAN_STA_ASSOC) ||
4414 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
4415 if (!hapd->conf->wds_sta)
4416 return;
4417
4418 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
4419 WLAN_STA_ASSOC_REQ_OK) {
4420 wpa_printf(MSG_DEBUG,
4421 "Postpone 4-address WDS mode enabling for STA "
4422 MACSTR " since TX status for AssocResp is not yet known",
4423 MAC2STR(sta->addr));
4424 sta->pending_wds_enable = 1;
4425 return;
4426 }
4427
4428 if (wds && !(sta->flags & WLAN_STA_WDS)) {
4429 int ret;
4430 char ifname_wds[IFNAMSIZ + 1];
4431
4432 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
4433 "STA " MACSTR " (aid %u)",
4434 MAC2STR(sta->addr), sta->aid);
4435 sta->flags |= WLAN_STA_WDS;
4436 ret = hostapd_set_wds_sta(hapd, ifname_wds,
4437 sta->addr, sta->aid, 1);
4438 if (!ret)
4439 hostapd_set_wds_encryption(hapd, sta,
4440 ifname_wds);
4441 }
4442 return;
4443 }
4444
4445 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
4446 MACSTR, MAC2STR(src));
4447 if (is_multicast_ether_addr(src)) {
4448 /* Broadcast bit set in SA?! Ignore the frame silently. */
4449 return;
4450 }
4451
4452 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
4453 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
4454 "already been sent, but no TX status yet known - "
4455 "ignore Class 3 frame issue with " MACSTR,
4456 MAC2STR(src));
4457 return;
4458 }
4459
4460 if (sta && (sta->flags & WLAN_STA_AUTH))
4461 hostapd_drv_sta_disassoc(
4462 hapd, src,
4463 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4464 else
4465 hostapd_drv_sta_deauth(
4466 hapd, src,
4467 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4468 }
4469
4470
4471 #endif /* CONFIG_NATIVE_WINDOWS */
Unnamed repository; edit this file 'description' to name the repository.