1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58
59
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 struct sta_info *sta, u16 *resp,
64 struct rsn_pmksa_cache_entry *pmksa,
65 struct wpabuf *erp_resp,
66 const u8 *msk, size_t msk_len,
67 int *is_pub);
68 #endif /* CONFIG_FILS */
69
70 #ifdef CONFIG_PASN
71
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 struct sta_info *sta,
74 struct rsn_pmksa_cache_entry *pmksa,
75 u16 status);
76 #ifdef CONFIG_FILS
77
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 struct sta_info *sta, u16 status,
80 struct wpabuf *erp_resp,
81 const u8 *msk, size_t msk_len);
82
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85
86 static void handle_auth(struct hostapd_data *hapd,
87 const struct ieee80211_mgmt *mgmt, size_t len,
88 int rssi, int from_queue);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 u8 multi_ap_val = 0;
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97 if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101
102 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104
105
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 u8 *pos = eid;
109 int i, num, count;
110 int h2e_required;
111
112 if (hapd->iface->current_rates == NULL)
113 return eid;
114
115 *pos++ = WLAN_EID_SUPP_RATES;
116 num = hapd->iface->num_rates;
117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 num++;
119 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 num++;
121 h2e_required = (hapd->conf->sae_pwe == 1 ||
122 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 hapd->conf->sae_pwe != 3 &&
124 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 if (h2e_required)
126 num++;
127 if (num > 8) {
128 /* rest of the rates are encoded in Extended supported
129 * rates element */
130 num = 8;
131 }
132
133 *pos++ = num;
134 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 i++) {
136 count++;
137 *pos = hapd->iface->current_rates[i].rate / 5;
138 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 *pos |= 0x80;
140 pos++;
141 }
142
143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 count++;
145 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 }
147
148 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 count++;
150 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 }
152
153 if (h2e_required && count < 8) {
154 count++;
155 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 }
157
158 return pos;
159 }
160
161
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 u8 *pos = eid;
165 int i, num, count;
166 int h2e_required;
167
168 if (hapd->iface->current_rates == NULL)
169 return eid;
170
171 num = hapd->iface->num_rates;
172 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 num++;
174 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 num++;
176 h2e_required = (hapd->conf->sae_pwe == 1 ||
177 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 hapd->conf->sae_pwe != 3 &&
179 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 if (h2e_required)
181 num++;
182 if (num <= 8)
183 return eid;
184 num -= 8;
185
186 *pos++ = WLAN_EID_EXT_SUPP_RATES;
187 *pos++ = num;
188 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 i++) {
190 count++;
191 if (count <= 8)
192 continue; /* already in SuppRates IE */
193 *pos = hapd->iface->current_rates[i].rate / 5;
194 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 *pos |= 0x80;
196 pos++;
197 }
198
199 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 count++;
201 if (count > 8)
202 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 }
204
205 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 count++;
207 if (count > 8)
208 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 }
210
211 if (h2e_required) {
212 count++;
213 if (count > 8)
214 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 }
216
217 return pos;
218 }
219
220
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 size_t len)
223 {
224 size_t i;
225
226 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 if (hapd->conf->radio_measurements[i])
228 break;
229 }
230
231 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 return eid;
233
234 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 *eid++ = RRM_CAPABILITIES_IE_LEN;
236 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237
238 return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240
241
hostapd_own_capab_info(struct hostapd_data * hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 int capab = WLAN_CAPABILITY_ESS;
245 int privacy = 0;
246 int dfs;
247 int i;
248
249 /* Check if any of configured channels require DFS */
250 dfs = hostapd_is_dfs_required(hapd->iface);
251 if (dfs < 0) {
252 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 dfs);
254 dfs = 0;
255 }
256
257 if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 hapd->iconf->preamble == SHORT_PREAMBLE)
259 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260
261 #ifdef CONFIG_WEP
262 privacy = hapd->conf->ssid.wep.keys_set;
263
264 if (hapd->conf->ieee802_1x &&
265 (hapd->conf->default_wep_key_len ||
266 hapd->conf->individual_wep_key_len))
267 privacy = 1;
268 #endif /* CONFIG_WEP */
269
270 if (hapd->conf->wpa)
271 privacy = 1;
272
273 #ifdef CONFIG_HS20
274 if (hapd->conf->osen)
275 privacy = 1;
276 #endif /* CONFIG_HS20 */
277
278 if (privacy)
279 capab |= WLAN_CAPABILITY_PRIVACY;
280
281 if (hapd->iface->current_mode &&
282 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 hapd->iface->num_sta_no_short_slot_time == 0)
284 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285
286 /*
287 * Currently, Spectrum Management capability bit is set when directly
288 * requested in configuration by spectrum_mgmt_required or when AP is
289 * running on DFS channel.
290 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 */
292 if (hapd->iface->current_mode &&
293 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 (hapd->iconf->spectrum_mgmt_required || dfs))
295 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296
297 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 if (hapd->conf->radio_measurements[i]) {
299 capab |= IEEE80211_CAP_RRM;
300 break;
301 }
302 }
303
304 return capab;
305 }
306
307
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 u16 auth_transaction, const u8 *challenge,
312 int iswep)
313 {
314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 HOSTAPD_LEVEL_DEBUG,
316 "authentication (shared key, transaction %d)",
317 auth_transaction);
318
319 if (auth_transaction == 1) {
320 if (!sta->challenge) {
321 /* Generate a pseudo-random challenge */
322 u8 key[8];
323
324 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 if (sta->challenge == NULL)
326 return WLAN_STATUS_UNSPECIFIED_FAILURE;
327
328 if (os_get_random(key, sizeof(key)) < 0) {
329 os_free(sta->challenge);
330 sta->challenge = NULL;
331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 }
333
334 rc4_skip(key, sizeof(key), 0,
335 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 }
337 return 0;
338 }
339
340 if (auth_transaction != 3)
341 return WLAN_STATUS_UNSPECIFIED_FAILURE;
342
343 /* Transaction 3 */
344 if (!iswep || !sta->challenge || !challenge ||
345 os_memcmp_const(sta->challenge, challenge,
346 WLAN_AUTH_CHALLENGE_LEN)) {
347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_INFO,
349 "shared key authentication - invalid "
350 "challenge-response");
351 return WLAN_STATUS_CHALLENGE_FAIL;
352 }
353
354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 HOSTAPD_LEVEL_DEBUG,
356 "authentication OK (shared key)");
357 sta->flags |= WLAN_STA_AUTH;
358 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 os_free(sta->challenge);
360 sta->challenge = NULL;
361
362 return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366
367
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 const u8 *dst, const u8 *bssid,
370 u16 auth_alg, u16 auth_transaction, u16 resp,
371 const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 struct ieee80211_mgmt *reply;
374 u8 *buf;
375 size_t rlen;
376 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377
378 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 buf = os_zalloc(rlen);
380 if (buf == NULL)
381 return -1;
382
383 reply = (struct ieee80211_mgmt *) buf;
384 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 WLAN_FC_STYPE_AUTH);
386 os_memcpy(reply->da, dst, ETH_ALEN);
387 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 os_memcpy(reply->bssid, bssid, ETH_ALEN);
389
390 reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 reply->u.auth.status_code = host_to_le16(resp);
393
394 if (ies && ies_len)
395 os_memcpy(reply->u.auth.variable, ies, ies_len);
396
397 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR_SEC
398 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 MAC2STR_SEC(dst), auth_alg, auth_transaction,
400 resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 if (hapd->conf->sae_confirm_immediate == 2 &&
404 auth_alg == WLAN_AUTH_SAE) {
405 if (auth_transaction == 1 && sta &&
406 (resp == WLAN_STATUS_SUCCESS ||
407 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 resp == WLAN_STATUS_SAE_PK)) {
409 wpa_printf(MSG_DEBUG,
410 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 os_free(sta->sae_postponed_commit);
412 sta->sae_postponed_commit = buf;
413 sta->sae_postponed_commit_len = rlen;
414 return WLAN_STATUS_SUCCESS;
415 }
416
417 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 wpa_printf(MSG_DEBUG,
419 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 if (hostapd_drv_send_mlme(hapd,
421 sta->sae_postponed_commit,
422 sta->sae_postponed_commit_len,
423 0, NULL, 0, 0) < 0)
424 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 os_free(sta->sae_postponed_commit);
426 sta->sae_postponed_commit = NULL;
427 sta->sae_postponed_commit_len = 0;
428 }
429 }
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 else
435 reply_res = WLAN_STATUS_SUCCESS;
436
437 os_free(buf);
438
439 return reply_res;
440 }
441
442
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 u16 auth_transaction, u16 status,
446 const u8 *ies, size_t ies_len)
447 {
448 struct hostapd_data *hapd = ctx;
449 struct sta_info *sta;
450 int reply_res;
451
452 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 auth_transaction, status, ies, ies_len,
454 "auth-ft-finish");
455
456 sta = ap_get_sta(hapd, dst);
457 if (sta == NULL)
458 return;
459
460 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 status != WLAN_STATUS_SUCCESS)) {
462 hostapd_drv_sta_remove(hapd, sta->addr);
463 sta->added_unassoc = 0;
464 return;
465 }
466
467 if (status != WLAN_STATUS_SUCCESS)
468 return;
469
470 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 sta->flags |= WLAN_STA_AUTH;
473 mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476
477
478 #ifdef CONFIG_SAE
479
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 const char *reason)
482 {
483 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR_SEC " (%s)",
484 sae_state_txt(sta->sae->state), sae_state_txt(state),
485 MAC2STR_SEC(sta->addr), reason);
486 sta->sae->state = state;
487 }
488
489
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const char *rx_id,
493 struct sae_password_entry **pw_entry,
494 struct sae_pt **s_pt,
495 const struct sae_pk **s_pk)
496 {
497 const char *password = NULL;
498 struct sae_password_entry *pw;
499 struct sae_pt *pt = NULL;
500 const struct sae_pk *pk = NULL;
501
502 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 continue;
506 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 continue;
508 if (rx_id && pw->identifier &&
509 os_strcmp(rx_id, pw->identifier) != 0)
510 continue;
511 password = pw->password;
512 pt = pw->pt;
513 if (!(hapd->conf->mesh & MESH_ENABLED))
514 pk = pw->pk;
515 break;
516 }
517 if (!password) {
518 password = hapd->conf->ssid.wpa_passphrase;
519 pt = hapd->conf->ssid.pt;
520 }
521
522 if (pw_entry)
523 *pw_entry = pw;
524 if (s_pt)
525 *s_pt = pt;
526 if (s_pk)
527 *s_pk = pk;
528
529 return password;
530 }
531
532
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 struct sta_info *sta, int update,
535 int status_code)
536 {
537 struct wpabuf *buf;
538 const char *password = NULL;
539 struct sae_password_entry *pw;
540 const char *rx_id = NULL;
541 int use_pt = 0;
542 struct sae_pt *pt = NULL;
543 const struct sae_pk *pk = NULL;
544
545 if (sta->sae->tmp) {
546 rx_id = sta->sae->tmp->pw_id;
547 use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 }
553
554 if (rx_id && hapd->conf->sae_pwe != 3)
555 use_pt = 1;
556 else if (status_code == WLAN_STATUS_SUCCESS)
557 use_pt = 0;
558 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 status_code == WLAN_STATUS_SAE_PK)
560 use_pt = 1;
561
562 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 if (!password || (use_pt && !pt)) {
564 wpa_printf(MSG_DEBUG, "SAE: No password available");
565 return NULL;
566 }
567
568 if (update && use_pt &&
569 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 NULL, pk) < 0)
571 return NULL;
572
573 if (update && !use_pt &&
574 sae_prepare_commit(hapd->own_addr, sta->addr,
575 (u8 *) password, os_strlen(password),
576 sta->sae) < 0) {
577 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 return NULL;
579 }
580
581 if (pw && pw->vlan_id) {
582 if (!sta->sae->tmp) {
583 wpa_printf(MSG_INFO,
584 "SAE: No temporary data allocated - cannot store VLAN ID");
585 return NULL;
586 }
587 sta->sae->tmp->vlan_id = pw->vlan_id;
588 }
589
590 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 (rx_id ? 3 + os_strlen(rx_id) : 0));
592 if (buf &&
593 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 sta->sae->tmp->anti_clogging_token : NULL,
595 rx_id) < 0) {
596 wpabuf_free(buf);
597 buf = NULL;
598 }
599
600 return buf;
601 }
602
603
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 struct sta_info *sta)
606 {
607 struct wpabuf *buf;
608
609 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 if (buf == NULL)
611 return NULL;
612
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 if (sta->sae->tmp)
616 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619
620 if (sae_write_confirm(sta->sae, buf) < 0) {
621 wpabuf_free(buf);
622 return NULL;
623 }
624
625 return buf;
626 }
627
628
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 struct sta_info *sta,
631 const u8 *bssid, int update, int status_code)
632 {
633 struct wpabuf *data;
634 int reply_res;
635 u16 status;
636
637 data = auth_build_sae_commit(hapd, sta, update, status_code);
638 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 if (data == NULL)
641 return WLAN_STATUS_UNSPECIFIED_FAILURE;
642
643 if (sta->sae->tmp && sta->sae->pk)
644 status = WLAN_STATUS_SAE_PK;
645 else if (sta->sae->tmp && sta->sae->h2e)
646 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 else
648 status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (hapd->conf->sae_commit_status >= 0 &&
651 hapd->conf->sae_commit_status != status) {
652 wpa_printf(MSG_INFO,
653 "TESTING: Override SAE commit status code %u --> %d",
654 status, hapd->conf->sae_commit_status);
655 status = hapd->conf->sae_commit_status;
656 }
657 #endif /* CONFIG_TESTING_OPTIONS */
658 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 WLAN_AUTH_SAE, 1,
660 status, wpabuf_head(data),
661 wpabuf_len(data), "sae-send-commit");
662
663 wpabuf_free(data);
664
665 return reply_res;
666 }
667
668
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 struct sta_info *sta,
671 const u8 *bssid)
672 {
673 struct wpabuf *data;
674 int reply_res;
675
676 data = auth_build_sae_confirm(hapd, sta);
677 if (data == NULL)
678 return WLAN_STATUS_UNSPECIFIED_FAILURE;
679
680 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 WLAN_AUTH_SAE, 2,
682 WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 wpabuf_len(data), "sae-send-confirm");
684
685 wpabuf_free(data);
686
687 return reply_res;
688 }
689
690 #endif /* CONFIG_SAE */
691
692
693 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
694
use_anti_clogging(struct hostapd_data * hapd)695 static int use_anti_clogging(struct hostapd_data *hapd)
696 {
697 struct sta_info *sta;
698 unsigned int open = 0;
699
700 if (hapd->conf->anti_clogging_threshold == 0)
701 return 1;
702
703 for (sta = hapd->sta_list; sta; sta = sta->next) {
704 #ifdef CONFIG_SAE
705 if (sta->sae &&
706 (sta->sae->state == SAE_COMMITTED ||
707 sta->sae->state == SAE_CONFIRMED))
708 open++;
709 #endif /* CONFIG_SAE */
710 #ifdef CONFIG_PASN
711 if (sta->pasn && sta->pasn->ecdh)
712 open++;
713 #endif /* CONFIG_PASN */
714 if (open >= hapd->conf->anti_clogging_threshold)
715 return 1;
716 }
717
718 #ifdef CONFIG_SAE
719 /* In addition to already existing open SAE sessions, check whether
720 * there are enough pending commit messages in the processing queue to
721 * potentially result in too many open sessions. */
722 if (open + dl_list_len(&hapd->sae_commit_queue) >=
723 hapd->conf->anti_clogging_threshold)
724 return 1;
725 #endif /* CONFIG_SAE */
726
727 return 0;
728 }
729
730
comeback_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)731 static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
732 u8 *idx)
733 {
734 u8 hash[SHA256_MAC_LEN];
735
736 if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
737 addr, ETH_ALEN, hash) < 0)
738 return -1;
739 *idx = hash[0];
740 return 0;
741 }
742
743
check_comeback_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)744 static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
745 const u8 *token, size_t token_len)
746 {
747 u8 mac[SHA256_MAC_LEN];
748 const u8 *addrs[2];
749 size_t len[2];
750 u16 token_idx;
751 u8 idx;
752
753 if (token_len != SHA256_MAC_LEN ||
754 comeback_token_hash(hapd, addr, &idx) < 0)
755 return -1;
756 token_idx = hapd->comeback_pending_idx[idx];
757 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
758 wpa_printf(MSG_DEBUG,
759 "Comeback: Invalid anti-clogging token from "
760 MACSTR_SEC " - token_idx 0x%04x, expected 0x%04x",
761 MAC2STR_SEC(addr), WPA_GET_BE16(token), token_idx);
762 return -1;
763 }
764
765 addrs[0] = addr;
766 len[0] = ETH_ALEN;
767 addrs[1] = token;
768 len[1] = 2;
769 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
770 2, addrs, len, mac) < 0 ||
771 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
772 return -1;
773
774 hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
775
776 return 0;
777 }
778
779
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)780 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
781 int group, const u8 *addr, int h2e)
782 {
783 struct wpabuf *buf;
784 u8 *token;
785 struct os_reltime now;
786 u8 idx[2];
787 const u8 *addrs[2];
788 size_t len[2];
789 u8 p_idx;
790 u16 token_idx;
791
792 os_get_reltime(&now);
793 if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
794 os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
795 hapd->comeback_idx == 0xffff) {
796 if (random_get_bytes(hapd->comeback_key,
797 sizeof(hapd->comeback_key)) < 0)
798 return NULL;
799 wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key",
800 hapd->comeback_key, sizeof(hapd->comeback_key));
801 hapd->last_comeback_key_update = now;
802 hapd->comeback_idx = 0;
803 os_memset(hapd->comeback_pending_idx, 0,
804 sizeof(hapd->comeback_pending_idx));
805 }
806
807 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
808 if (buf == NULL)
809 return NULL;
810
811 if (group)
812 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
813
814 if (h2e) {
815 /* Encapsulate Anti-clogging Token field in a container IE */
816 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
817 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
818 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
819 }
820
821 if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
822 wpabuf_free(buf);
823 return NULL;
824 }
825
826 token_idx = hapd->comeback_pending_idx[p_idx];
827 if (!token_idx) {
828 hapd->comeback_idx++;
829 token_idx = hapd->comeback_idx;
830 hapd->comeback_pending_idx[p_idx] = token_idx;
831 }
832 WPA_PUT_BE16(idx, token_idx);
833 token = wpabuf_put(buf, SHA256_MAC_LEN);
834 addrs[0] = addr;
835 len[0] = ETH_ALEN;
836 addrs[1] = idx;
837 len[1] = sizeof(idx);
838 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
839 2, addrs, len, token) < 0) {
840 wpabuf_free(buf);
841 return NULL;
842 }
843 WPA_PUT_BE16(token, token_idx);
844
845 return buf;
846 }
847
848 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
849
850
851 #ifdef CONFIG_SAE
852
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)853 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
854 {
855 if (sta->sae->sync > hapd->conf->sae_sync) {
856 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
857 sta->sae->sync = 0;
858 return -1;
859 }
860 return 0;
861 }
862
863
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)864 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
865 {
866 struct hostapd_data *hapd = eloop_ctx;
867 struct sta_info *sta = eloop_data;
868 int ret;
869
870 if (sae_check_big_sync(hapd, sta))
871 return;
872 sta->sae->sync++;
873 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR_SEC
874 " (sync=%d state=%s)",
875 MAC2STR_SEC(sta->addr), sta->sae->sync,
876 sae_state_txt(sta->sae->state));
877
878 switch (sta->sae->state) {
879 case SAE_COMMITTED:
880 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
881 eloop_register_timeout(0,
882 hapd->dot11RSNASAERetransPeriod * 1000,
883 auth_sae_retransmit_timer, hapd, sta);
884 break;
885 case SAE_CONFIRMED:
886 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
887 eloop_register_timeout(0,
888 hapd->dot11RSNASAERetransPeriod * 1000,
889 auth_sae_retransmit_timer, hapd, sta);
890 break;
891 default:
892 ret = -1;
893 break;
894 }
895
896 if (ret != WLAN_STATUS_SUCCESS)
897 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
898 }
899
900
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)901 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
902 {
903 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
904 }
905
906
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)907 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
908 struct sta_info *sta)
909 {
910 if (!(hapd->conf->mesh & MESH_ENABLED))
911 return;
912
913 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
914 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
915 auth_sae_retransmit_timer, hapd, sta);
916 }
917
918
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)919 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
920 struct sta_info *sta, u16 status)
921 {
922 struct external_auth params;
923
924 os_memset(¶ms, 0, sizeof(params));
925 params.status = status;
926 params.bssid = sta->addr;
927 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
928 !hapd->conf->disable_pmksa_caching)
929 params.pmkid = sta->sae->pmkid;
930
931 hostapd_drv_send_external_auth_status(hapd, ¶ms);
932 }
933
934
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)935 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
936 {
937 #ifndef CONFIG_NO_VLAN
938 struct vlan_description vlan_desc;
939
940 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
941 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR_SEC
942 " to VLAN ID %d",
943 MAC2STR_SEC(sta->addr), sta->sae->tmp->vlan_id);
944
945 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
946 vlan_desc.notempty = 1;
947 vlan_desc.untagged = sta->sae->tmp->vlan_id;
948 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
949 wpa_printf(MSG_INFO,
950 "Invalid VLAN ID %d in sae_password",
951 sta->sae->tmp->vlan_id);
952 return;
953 }
954
955 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
956 ap_sta_bind_vlan(hapd, sta) < 0) {
957 wpa_printf(MSG_INFO,
958 "Failed to assign VLAN ID %d from sae_password to "
959 MACSTR_SEC, sta->sae->tmp->vlan_id,
960 MAC2STR_SEC(sta->addr));
961 return;
962 }
963 }
964 #endif /* CONFIG_NO_VLAN */
965
966 sta->flags |= WLAN_STA_AUTH;
967 sta->auth_alg = WLAN_AUTH_SAE;
968 mlme_authenticate_indication(hapd, sta);
969 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
970 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
971 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
972 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
973 sta->sae->peer_commit_scalar = NULL;
974 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
975 sta->sae->pmk, sta->sae->pmkid);
976 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
977 }
978
979
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
981 const u8 *bssid, u16 auth_transaction, u16 status_code,
982 int allow_reuse, int *sta_removed)
983 {
984 int ret;
985
986 *sta_removed = 0;
987
988 if (auth_transaction != 1 && auth_transaction != 2)
989 return WLAN_STATUS_UNSPECIFIED_FAILURE;
990
991 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR_SEC " state=%s auth_trans=%u",
992 MAC2STR_SEC(sta->addr), sae_state_txt(sta->sae->state),
993 auth_transaction);
994 switch (sta->sae->state) {
995 case SAE_NOTHING:
996 if (auth_transaction == 1) {
997 if (sta->sae->tmp) {
998 sta->sae->h2e =
999 (status_code ==
1000 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1001 status_code == WLAN_STATUS_SAE_PK);
1002 sta->sae->pk =
1003 status_code == WLAN_STATUS_SAE_PK;
1004 }
1005 ret = auth_sae_send_commit(hapd, sta, bssid,
1006 !allow_reuse, status_code);
1007 if (ret)
1008 return ret;
1009 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1010
1011 if (sae_process_commit(sta->sae) < 0)
1012 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1013
1014 /*
1015 * In mesh case, both Commit and Confirm are sent
1016 * immediately. In infrastructure BSS, by default, only
1017 * a single Authentication frame (Commit) is expected
1018 * from the AP here and the second one (Confirm) will
1019 * be sent once the STA has sent its second
1020 * Authentication frame (Confirm). This behavior can be
1021 * overridden with explicit configuration so that the
1022 * infrastructure BSS case sends both frames together.
1023 */
1024 if ((hapd->conf->mesh & MESH_ENABLED) ||
1025 hapd->conf->sae_confirm_immediate) {
1026 /*
1027 * Send both Commit and Confirm immediately
1028 * based on SAE finite state machine
1029 * Nothing -> Confirm transition.
1030 */
1031 ret = auth_sae_send_confirm(hapd, sta, bssid);
1032 if (ret)
1033 return ret;
1034 sae_set_state(sta, SAE_CONFIRMED,
1035 "Sent Confirm (mesh)");
1036 } else {
1037 /*
1038 * For infrastructure BSS, send only the Commit
1039 * message now to get alternating sequence of
1040 * Authentication frames between the AP and STA.
1041 * Confirm will be sent in
1042 * Committed -> Confirmed/Accepted transition
1043 * when receiving Confirm from STA.
1044 */
1045 }
1046 sta->sae->sync = 0;
1047 sae_set_retransmit_timer(hapd, sta);
1048 } else {
1049 hostapd_logger(hapd, sta->addr,
1050 HOSTAPD_MODULE_IEEE80211,
1051 HOSTAPD_LEVEL_DEBUG,
1052 "SAE confirm before commit");
1053 }
1054 break;
1055 case SAE_COMMITTED:
1056 sae_clear_retransmit_timer(hapd, sta);
1057 if (auth_transaction == 1) {
1058 if (sae_process_commit(sta->sae) < 0)
1059 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1060
1061 ret = auth_sae_send_confirm(hapd, sta, bssid);
1062 if (ret)
1063 return ret;
1064 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1065 sta->sae->sync = 0;
1066 sae_set_retransmit_timer(hapd, sta);
1067 } else if (hapd->conf->mesh & MESH_ENABLED) {
1068 /*
1069 * In mesh case, follow SAE finite state machine and
1070 * send Commit now, if sync count allows.
1071 */
1072 if (sae_check_big_sync(hapd, sta))
1073 return WLAN_STATUS_SUCCESS;
1074 sta->sae->sync++;
1075
1076 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1077 status_code);
1078 if (ret)
1079 return ret;
1080
1081 sae_set_retransmit_timer(hapd, sta);
1082 } else {
1083 /*
1084 * For instructure BSS, send the postponed Confirm from
1085 * Nothing -> Confirmed transition that was reduced to
1086 * Nothing -> Committed above.
1087 */
1088 ret = auth_sae_send_confirm(hapd, sta, bssid);
1089 if (ret)
1090 return ret;
1091
1092 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1093
1094 /*
1095 * Since this was triggered on Confirm RX, run another
1096 * step to get to Accepted without waiting for
1097 * additional events.
1098 */
1099 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1100 WLAN_STATUS_SUCCESS, 0, sta_removed);
1101 }
1102 break;
1103 case SAE_CONFIRMED:
1104 sae_clear_retransmit_timer(hapd, sta);
1105 if (auth_transaction == 1) {
1106 if (sae_check_big_sync(hapd, sta))
1107 return WLAN_STATUS_SUCCESS;
1108 sta->sae->sync++;
1109
1110 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1111 status_code);
1112 if (ret)
1113 return ret;
1114
1115 if (sae_process_commit(sta->sae) < 0)
1116 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1117
1118 ret = auth_sae_send_confirm(hapd, sta, bssid);
1119 if (ret)
1120 return ret;
1121
1122 sae_set_retransmit_timer(hapd, sta);
1123 } else {
1124 sta->sae->send_confirm = 0xffff;
1125 sae_accept_sta(hapd, sta);
1126 }
1127 break;
1128 case SAE_ACCEPTED:
1129 if (auth_transaction == 1 &&
1130 (hapd->conf->mesh & MESH_ENABLED)) {
1131 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR_SEC
1132 ") doing reauthentication",
1133 MAC2STR_SEC(sta->addr));
1134 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1135 ap_free_sta(hapd, sta);
1136 *sta_removed = 1;
1137 } else if (auth_transaction == 1) {
1138 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1139 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1140 status_code);
1141 if (ret)
1142 return ret;
1143 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1144
1145 if (sae_process_commit(sta->sae) < 0)
1146 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1147 sta->sae->sync = 0;
1148 sae_set_retransmit_timer(hapd, sta);
1149 } else {
1150 if (sae_check_big_sync(hapd, sta))
1151 return WLAN_STATUS_SUCCESS;
1152 sta->sae->sync++;
1153
1154 ret = auth_sae_send_confirm(hapd, sta, bssid);
1155 sae_clear_temp_data(sta->sae);
1156 if (ret)
1157 return ret;
1158 }
1159 break;
1160 default:
1161 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1162 sta->sae->state);
1163 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 }
1165 return WLAN_STATUS_SUCCESS;
1166 }
1167
1168
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1169 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1170 {
1171 struct sae_data *sae = sta->sae;
1172 int i, *groups = hapd->conf->sae_groups;
1173 int default_groups[] = { 19, 0 };
1174
1175 if (sae->state != SAE_COMMITTED)
1176 return;
1177
1178 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1179
1180 if (!groups)
1181 groups = default_groups;
1182 for (i = 0; groups[i] > 0; i++) {
1183 if (sae->group == groups[i])
1184 break;
1185 }
1186
1187 if (groups[i] <= 0) {
1188 wpa_printf(MSG_DEBUG,
1189 "SAE: Previously selected group not found from the current configuration");
1190 return;
1191 }
1192
1193 for (;;) {
1194 i++;
1195 if (groups[i] <= 0) {
1196 wpa_printf(MSG_DEBUG,
1197 "SAE: No alternative group enabled");
1198 return;
1199 }
1200
1201 if (sae_set_group(sae, groups[i]) < 0)
1202 continue;
1203
1204 break;
1205 }
1206 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1207 }
1208
1209
sae_status_success(struct hostapd_data * hapd,u16 status_code)1210 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1211 {
1212 int sae_pwe = hapd->conf->sae_pwe;
1213 int id_in_use;
1214 bool sae_pk = false;
1215
1216 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1217 if (id_in_use == 2 && sae_pwe != 3)
1218 sae_pwe = 1;
1219 else if (id_in_use == 1 && sae_pwe == 0)
1220 sae_pwe = 2;
1221 #ifdef CONFIG_SAE_PK
1222 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1223 if (sae_pwe == 0 && sae_pk)
1224 sae_pwe = 2;
1225 #endif /* CONFIG_SAE_PK */
1226
1227 return ((sae_pwe == 0 || sae_pwe == 3) &&
1228 status_code == WLAN_STATUS_SUCCESS) ||
1229 (sae_pwe == 1 &&
1230 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1231 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1232 (sae_pwe == 2 &&
1233 (status_code == WLAN_STATUS_SUCCESS ||
1234 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1235 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1236 }
1237
1238
sae_is_group_enabled(struct hostapd_data * hapd,int group)1239 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1240 {
1241 int *groups = hapd->conf->sae_groups;
1242 int default_groups[] = { 19, 0 };
1243 int i;
1244
1245 if (!groups)
1246 groups = default_groups;
1247
1248 for (i = 0; groups[i] > 0; i++) {
1249 if (groups[i] == group)
1250 return 1;
1251 }
1252
1253 return 0;
1254 }
1255
1256
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1257 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1258 struct sae_data *sae)
1259 {
1260 const struct wpabuf *groups;
1261 size_t i, count;
1262 const u8 *pos;
1263
1264 if (!sae->tmp)
1265 return 0;
1266 groups = sae->tmp->peer_rejected_groups;
1267 if (!groups)
1268 return 0;
1269
1270 pos = wpabuf_head(groups);
1271 count = wpabuf_len(groups) / 2;
1272 for (i = 0; i < count; i++) {
1273 int enabled;
1274 u16 group;
1275
1276 group = WPA_GET_LE16(pos);
1277 pos += 2;
1278 enabled = sae_is_group_enabled(hapd, group);
1279 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1280 group, enabled ? "enabled" : "disabled");
1281 if (enabled)
1282 return 1;
1283 }
1284
1285 return 0;
1286 }
1287
1288
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1289 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1290 const struct ieee80211_mgmt *mgmt, size_t len,
1291 u16 auth_transaction, u16 status_code)
1292 {
1293 int resp = WLAN_STATUS_SUCCESS;
1294 struct wpabuf *data = NULL;
1295 int *groups = hapd->conf->sae_groups;
1296 int default_groups[] = { 19, 0 };
1297 const u8 *pos, *end;
1298 int sta_removed = 0;
1299 bool success_status;
1300
1301 if (!groups)
1302 groups = default_groups;
1303
1304 #ifdef CONFIG_TESTING_OPTIONS
1305 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1306 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1307 pos = mgmt->u.auth.variable;
1308 end = ((const u8 *) mgmt) + len;
1309 resp = status_code;
1310 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1311 auth_transaction, resp, pos, end - pos,
1312 "auth-sae-reflection-attack");
1313 goto remove_sta;
1314 }
1315
1316 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1317 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1318 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1319 auth_transaction, resp,
1320 wpabuf_head(hapd->conf->sae_commit_override),
1321 wpabuf_len(hapd->conf->sae_commit_override),
1322 "sae-commit-override");
1323 goto remove_sta;
1324 }
1325 #endif /* CONFIG_TESTING_OPTIONS */
1326 if (!sta->sae) {
1327 if (auth_transaction != 1 ||
1328 !sae_status_success(hapd, status_code)) {
1329 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1330 status_code);
1331 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1332 goto reply;
1333 }
1334 sta->sae = os_zalloc(sizeof(*sta->sae));
1335 if (!sta->sae) {
1336 resp = -1;
1337 goto remove_sta;
1338 }
1339 sae_set_state(sta, SAE_NOTHING, "Init");
1340 sta->sae->sync = 0;
1341 }
1342
1343 if (sta->mesh_sae_pmksa_caching) {
1344 wpa_printf(MSG_DEBUG,
1345 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1346 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1347 sta->mesh_sae_pmksa_caching = 0;
1348 }
1349
1350 if (auth_transaction == 1) {
1351 const u8 *token = NULL;
1352 size_t token_len = 0;
1353 int allow_reuse = 0;
1354
1355 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1356 HOSTAPD_LEVEL_DEBUG,
1357 "start SAE authentication (RX commit, status=%u (%s))",
1358 status_code, status2str(status_code));
1359
1360 if ((hapd->conf->mesh & MESH_ENABLED) &&
1361 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1362 sta->sae->tmp) {
1363 pos = mgmt->u.auth.variable;
1364 end = ((const u8 *) mgmt) + len;
1365 if (pos + sizeof(le16) > end) {
1366 wpa_printf(MSG_ERROR,
1367 "SAE: Too short anti-clogging token request");
1368 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1369 goto reply;
1370 }
1371 resp = sae_group_allowed(sta->sae, groups,
1372 WPA_GET_LE16(pos));
1373 if (resp != WLAN_STATUS_SUCCESS) {
1374 wpa_printf(MSG_ERROR,
1375 "SAE: Invalid group in anti-clogging token request");
1376 goto reply;
1377 }
1378 pos += sizeof(le16);
1379
1380 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1381 sta->sae->tmp->anti_clogging_token =
1382 wpabuf_alloc_copy(pos, end - pos);
1383 if (sta->sae->tmp->anti_clogging_token == NULL) {
1384 wpa_printf(MSG_ERROR,
1385 "SAE: Failed to alloc for anti-clogging token");
1386 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1387 goto remove_sta;
1388 }
1389
1390 /*
1391 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1392 * is 76, a new Commit Message shall be constructed
1393 * with the Anti-Clogging Token from the received
1394 * Authentication frame, and the commit-scalar and
1395 * COMMIT-ELEMENT previously sent.
1396 */
1397 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1398 status_code);
1399 if (resp != WLAN_STATUS_SUCCESS) {
1400 wpa_printf(MSG_ERROR,
1401 "SAE: Failed to send commit message");
1402 goto remove_sta;
1403 }
1404 sae_set_state(sta, SAE_COMMITTED,
1405 "Sent Commit (anti-clogging token case in mesh)");
1406 sta->sae->sync = 0;
1407 sae_set_retransmit_timer(hapd, sta);
1408 return;
1409 }
1410
1411 if ((hapd->conf->mesh & MESH_ENABLED) &&
1412 status_code ==
1413 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1414 sta->sae->tmp) {
1415 wpa_printf(MSG_DEBUG,
1416 "SAE: Peer did not accept our SAE group");
1417 sae_pick_next_group(hapd, sta);
1418 goto remove_sta;
1419 }
1420
1421 if (!sae_status_success(hapd, status_code))
1422 goto remove_sta;
1423
1424 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1425 sta->sae->state == SAE_COMMITTED) {
1426 /* This is needed in the infrastructure BSS case to
1427 * address a sequence where a STA entry may remain in
1428 * hostapd across two attempts to do SAE authentication
1429 * by the same STA. The second attempt may end up trying
1430 * to use a different group and that would not be
1431 * allowed if we remain in Committed state with the
1432 * previously set parameters. */
1433 pos = mgmt->u.auth.variable;
1434 end = ((const u8 *) mgmt) + len;
1435 if (end - pos >= (int) sizeof(le16) &&
1436 sae_group_allowed(sta->sae, groups,
1437 WPA_GET_LE16(pos)) ==
1438 WLAN_STATUS_SUCCESS) {
1439 /* Do not waste resources deriving the same PWE
1440 * again since the same group is reused. */
1441 sae_set_state(sta, SAE_NOTHING,
1442 "Allow previous PWE to be reused");
1443 allow_reuse = 1;
1444 } else {
1445 sae_set_state(sta, SAE_NOTHING,
1446 "Clear existing state to allow restart");
1447 sae_clear_data(sta->sae);
1448 }
1449 }
1450
1451 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1452 ((const u8 *) mgmt) + len -
1453 mgmt->u.auth.variable, &token,
1454 &token_len, groups, status_code ==
1455 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1456 status_code == WLAN_STATUS_SAE_PK);
1457 if (resp == SAE_SILENTLY_DISCARD) {
1458 wpa_printf(MSG_DEBUG,
1459 "SAE: Drop commit message from " MACSTR_SEC " due to reflection attack",
1460 MAC2STR_SEC(sta->addr));
1461 goto remove_sta;
1462 }
1463
1464 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1465 wpa_msg(hapd->msg_ctx, MSG_INFO,
1466 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1467 MACSTR, MAC2STR(sta->addr));
1468 sae_clear_retransmit_timer(hapd, sta);
1469 sae_set_state(sta, SAE_NOTHING,
1470 "Unknown Password Identifier");
1471 goto remove_sta;
1472 }
1473
1474 if (token &&
1475 check_comeback_token(hapd, sta->addr, token, token_len)
1476 < 0) {
1477 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1478 "incorrect token from " MACSTR_SEC,
1479 MAC2STR_SEC(sta->addr));
1480 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1481 goto remove_sta;
1482 }
1483
1484 if (resp != WLAN_STATUS_SUCCESS)
1485 goto reply;
1486
1487 if (check_sae_rejected_groups(hapd, sta->sae)) {
1488 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1489 goto reply;
1490 }
1491
1492 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1493 int h2e = 0;
1494
1495 wpa_printf(MSG_DEBUG,
1496 "SAE: Request anti-clogging token from "
1497 MACSTR_SEC, MAC2STR_SEC(sta->addr));
1498 if (sta->sae->tmp)
1499 h2e = sta->sae->h2e;
1500 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1501 status_code == WLAN_STATUS_SAE_PK)
1502 h2e = 1;
1503 data = auth_build_token_req(hapd, sta->sae->group,
1504 sta->addr, h2e);
1505 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1506 if (hapd->conf->mesh & MESH_ENABLED)
1507 sae_set_state(sta, SAE_NOTHING,
1508 "Request anti-clogging token case in mesh");
1509 goto reply;
1510 }
1511
1512 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1513 status_code, allow_reuse, &sta_removed);
1514 } else if (auth_transaction == 2) {
1515 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1516 HOSTAPD_LEVEL_DEBUG,
1517 "SAE authentication (RX confirm, status=%u (%s))",
1518 status_code, status2str(status_code));
1519 if (status_code != WLAN_STATUS_SUCCESS)
1520 goto remove_sta;
1521 if (sta->sae->state >= SAE_CONFIRMED ||
1522 !(hapd->conf->mesh & MESH_ENABLED)) {
1523 const u8 *var;
1524 size_t var_len;
1525 u16 peer_send_confirm;
1526
1527 var = mgmt->u.auth.variable;
1528 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1529 if (var_len < 2) {
1530 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1531 goto reply;
1532 }
1533
1534 peer_send_confirm = WPA_GET_LE16(var);
1535
1536 if (sta->sae->state == SAE_ACCEPTED &&
1537 (peer_send_confirm <= sta->sae->rc ||
1538 peer_send_confirm == 0xffff)) {
1539 wpa_printf(MSG_DEBUG,
1540 "SAE: Silently ignore unexpected Confirm from peer "
1541 MACSTR_SEC
1542 " (peer-send-confirm=%u Rc=%u)",
1543 MAC2STR_SEC(sta->addr),
1544 peer_send_confirm, sta->sae->rc);
1545 return;
1546 }
1547
1548 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1549 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1550 goto reply;
1551 }
1552 sta->sae->rc = peer_send_confirm;
1553 }
1554 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1555 status_code, 0, &sta_removed);
1556 } else {
1557 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1558 HOSTAPD_LEVEL_DEBUG,
1559 "unexpected SAE authentication transaction %u (status=%u (%s))",
1560 auth_transaction, status_code,
1561 status2str(status_code));
1562 if (status_code != WLAN_STATUS_SUCCESS)
1563 goto remove_sta;
1564 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1565 }
1566
1567 reply:
1568 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1569 pos = mgmt->u.auth.variable;
1570 end = ((const u8 *) mgmt) + len;
1571
1572 /* Copy the Finite Cyclic Group field from the request if we
1573 * rejected it as unsupported group. */
1574 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1575 !data && end - pos >= 2)
1576 data = wpabuf_alloc_copy(pos, 2);
1577
1578 sae_sme_send_external_auth_status(hapd, sta, resp);
1579 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1580 auth_transaction, resp,
1581 data ? wpabuf_head(data) : (u8 *) "",
1582 data ? wpabuf_len(data) : 0, "auth-sae");
1583 }
1584
1585 remove_sta:
1586 if (auth_transaction == 1)
1587 success_status = sae_status_success(hapd, status_code);
1588 else
1589 success_status = status_code == WLAN_STATUS_SUCCESS;
1590 if (!sta_removed && sta->added_unassoc &&
1591 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1592 hostapd_drv_sta_remove(hapd, sta->addr);
1593 sta->added_unassoc = 0;
1594 }
1595 wpabuf_free(data);
1596 }
1597
1598
1599 /**
1600 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1601 * @hapd: BSS data for the device initiating the authentication
1602 * @sta: the peer to which commit authentication frame is sent
1603 *
1604 * This function implements Init event handling (IEEE Std 802.11-2012,
1605 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1606 * sta->sae structure should be initialized appropriately via a call to
1607 * sae_prepare_commit().
1608 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1609 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1610 {
1611 int ret;
1612
1613 if (!sta->sae || !sta->sae->tmp)
1614 return -1;
1615
1616 if (sta->sae->state != SAE_NOTHING)
1617 return -1;
1618
1619 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1620 if (ret)
1621 return -1;
1622
1623 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1624 sta->sae->sync = 0;
1625 sae_set_retransmit_timer(hapd, sta);
1626
1627 return 0;
1628 }
1629
1630
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1631 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1632 {
1633 struct hostapd_data *hapd = eloop_ctx;
1634 struct hostapd_sae_commit_queue *q;
1635 unsigned int queue_len;
1636
1637 q = dl_list_first(&hapd->sae_commit_queue,
1638 struct hostapd_sae_commit_queue, list);
1639 if (!q)
1640 return;
1641 wpa_printf(MSG_DEBUG,
1642 "SAE: Process next available message from queue");
1643 dl_list_del(&q->list);
1644 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1645 q->rssi, 1);
1646 os_free(q);
1647
1648 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1649 return;
1650 queue_len = dl_list_len(&hapd->sae_commit_queue);
1651 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1652 hapd, NULL);
1653 }
1654
1655
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1656 static void auth_sae_queue(struct hostapd_data *hapd,
1657 const struct ieee80211_mgmt *mgmt, size_t len,
1658 int rssi)
1659 {
1660 struct hostapd_sae_commit_queue *q, *q2;
1661 unsigned int queue_len;
1662 const struct ieee80211_mgmt *mgmt2;
1663
1664 queue_len = dl_list_len(&hapd->sae_commit_queue);
1665 if (queue_len >= 15) {
1666 wpa_printf(MSG_DEBUG,
1667 "SAE: No more room in message queue - drop the new frame from "
1668 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
1669 return;
1670 }
1671
1672 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1673 MACSTR_SEC " for processing (queue_len %u)", MAC2STR_SEC(mgmt->sa),
1674 queue_len);
1675 q = os_zalloc(sizeof(*q) + len);
1676 if (!q)
1677 return;
1678 q->rssi = rssi;
1679 q->len = len;
1680 os_memcpy(q->msg, mgmt, len);
1681
1682 /* Check whether there is already a queued Authentication frame from the
1683 * same station with the same transaction number and if so, replace that
1684 * queue entry with the new one. This avoids issues with a peer that
1685 * sends multiple times (e.g., due to frequent SAE retries). There is no
1686 * point in us trying to process the old attempts after a new one has
1687 * obsoleted them. */
1688 dl_list_for_each(q2, &hapd->sae_commit_queue,
1689 struct hostapd_sae_commit_queue, list) {
1690 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1691 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1692 mgmt->u.auth.auth_transaction ==
1693 mgmt2->u.auth.auth_transaction) {
1694 wpa_printf(MSG_DEBUG,
1695 "SAE: Replace queued message from same STA with same transaction number");
1696 dl_list_add(&q2->list, &q->list);
1697 dl_list_del(&q2->list);
1698 os_free(q2);
1699 goto queued;
1700 }
1701 }
1702
1703 /* No pending identical entry, so add to the end of the queue */
1704 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1705
1706 queued:
1707 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1708 return;
1709 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1710 hapd, NULL);
1711 }
1712
1713
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1714 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1715 {
1716 struct hostapd_sae_commit_queue *q;
1717 const struct ieee80211_mgmt *mgmt;
1718
1719 dl_list_for_each(q, &hapd->sae_commit_queue,
1720 struct hostapd_sae_commit_queue, list) {
1721 mgmt = (const struct ieee80211_mgmt *) q->msg;
1722 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1723 return 1;
1724 }
1725
1726 return 0;
1727 }
1728
1729 #endif /* CONFIG_SAE */
1730
1731
wpa_res_to_status_code(enum wpa_validate_result res)1732 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1733 {
1734 switch (res) {
1735 case WPA_IE_OK:
1736 return WLAN_STATUS_SUCCESS;
1737 case WPA_INVALID_IE:
1738 return WLAN_STATUS_INVALID_IE;
1739 case WPA_INVALID_GROUP:
1740 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1741 case WPA_INVALID_PAIRWISE:
1742 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1743 case WPA_INVALID_AKMP:
1744 return WLAN_STATUS_AKMP_NOT_VALID;
1745 case WPA_NOT_ENABLED:
1746 return WLAN_STATUS_INVALID_IE;
1747 case WPA_ALLOC_FAIL:
1748 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1749 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1750 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1751 case WPA_INVALID_MGMT_GROUP_CIPHER:
1752 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1753 case WPA_INVALID_MDIE:
1754 return WLAN_STATUS_INVALID_MDIE;
1755 case WPA_INVALID_PROTO:
1756 return WLAN_STATUS_INVALID_IE;
1757 case WPA_INVALID_PMKID:
1758 return WLAN_STATUS_INVALID_PMKID;
1759 case WPA_DENIED_OTHER_REASON:
1760 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1761 }
1762 return WLAN_STATUS_INVALID_IE;
1763 }
1764
1765
1766 #ifdef CONFIG_FILS
1767
1768 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1769 struct sta_info *sta, u16 resp,
1770 struct wpabuf *data, int pub);
1771
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1772 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1773 const u8 *pos, size_t len, u16 auth_alg,
1774 u16 auth_transaction, u16 status_code,
1775 void (*cb)(struct hostapd_data *hapd,
1776 struct sta_info *sta, u16 resp,
1777 struct wpabuf *data, int pub))
1778 {
1779 u16 resp = WLAN_STATUS_SUCCESS;
1780 const u8 *end;
1781 struct ieee802_11_elems elems;
1782 enum wpa_validate_result res;
1783 struct wpa_ie_data rsn;
1784 struct rsn_pmksa_cache_entry *pmksa = NULL;
1785
1786 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1787 return;
1788
1789 end = pos + len;
1790
1791 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1792 pos, end - pos);
1793
1794 /* TODO: FILS PK */
1795 #ifdef CONFIG_FILS_SK_PFS
1796 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1797 u16 group;
1798 struct wpabuf *pub;
1799 size_t elem_len;
1800
1801 /* Using FILS PFS */
1802
1803 /* Finite Cyclic Group */
1804 if (end - pos < 2) {
1805 wpa_printf(MSG_DEBUG,
1806 "FILS: No room for Finite Cyclic Group");
1807 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1808 goto fail;
1809 }
1810 group = WPA_GET_LE16(pos);
1811 pos += 2;
1812 if (group != hapd->conf->fils_dh_group) {
1813 wpa_printf(MSG_DEBUG,
1814 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1815 group, hapd->conf->fils_dh_group);
1816 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1817 goto fail;
1818 }
1819
1820 crypto_ecdh_deinit(sta->fils_ecdh);
1821 sta->fils_ecdh = crypto_ecdh_init(group);
1822 if (!sta->fils_ecdh) {
1823 wpa_printf(MSG_INFO,
1824 "FILS: Could not initialize ECDH with group %d",
1825 group);
1826 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1827 goto fail;
1828 }
1829
1830 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1831 if (!pub) {
1832 wpa_printf(MSG_DEBUG,
1833 "FILS: Failed to derive ECDH public key");
1834 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1835 goto fail;
1836 }
1837 elem_len = wpabuf_len(pub);
1838 wpabuf_free(pub);
1839
1840 /* Element */
1841 if ((size_t) (end - pos) < elem_len) {
1842 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1843 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1844 goto fail;
1845 }
1846
1847 wpabuf_free(sta->fils_g_sta);
1848 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1849 wpabuf_clear_free(sta->fils_dh_ss);
1850 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1851 pos, elem_len);
1852 if (!sta->fils_dh_ss) {
1853 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1854 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1855 goto fail;
1856 }
1857 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1858 pos += elem_len;
1859 } else {
1860 crypto_ecdh_deinit(sta->fils_ecdh);
1861 sta->fils_ecdh = NULL;
1862 wpabuf_clear_free(sta->fils_dh_ss);
1863 sta->fils_dh_ss = NULL;
1864 }
1865 #endif /* CONFIG_FILS_SK_PFS */
1866
1867 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1868 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1869 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1870 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1871 goto fail;
1872 }
1873
1874 /* RSNE */
1875 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1876 elems.rsn_ie, elems.rsn_ie_len);
1877 if (!elems.rsn_ie ||
1878 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1879 &rsn) < 0) {
1880 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1881 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1882 goto fail;
1883 }
1884
1885 if (!sta->wpa_sm)
1886 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1887 NULL);
1888 if (!sta->wpa_sm) {
1889 wpa_printf(MSG_DEBUG,
1890 "FILS: Failed to initialize RSN state machine");
1891 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 goto fail;
1893 }
1894
1895 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1896 hapd->iface->freq,
1897 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1898 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1899 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1900 elems.mdie, elems.mdie_len, NULL, 0);
1901 resp = wpa_res_to_status_code(res);
1902 if (resp != WLAN_STATUS_SUCCESS)
1903 goto fail;
1904
1905 if (!elems.fils_nonce) {
1906 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1907 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1908 goto fail;
1909 }
1910 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1911 FILS_NONCE_LEN);
1912 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1913
1914 /* PMKID List */
1915 if (rsn.pmkid && rsn.num_pmkid > 0) {
1916 u8 num;
1917 const u8 *pmkid;
1918
1919 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1920 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1921
1922 pmkid = rsn.pmkid;
1923 num = rsn.num_pmkid;
1924 while (num) {
1925 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1926 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1927 pmkid);
1928 if (pmksa)
1929 break;
1930 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1931 sta->addr,
1932 pmkid);
1933 if (pmksa)
1934 break;
1935 pmkid += PMKID_LEN;
1936 num--;
1937 }
1938 }
1939 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1940 wpa_printf(MSG_DEBUG,
1941 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1942 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1943 pmksa = NULL;
1944 }
1945 if (pmksa)
1946 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1947
1948 /* FILS Session */
1949 if (!elems.fils_session) {
1950 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1951 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1952 goto fail;
1953 }
1954 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1955 FILS_SESSION_LEN);
1956 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1957
1958 /* Wrapped Data */
1959 if (elems.wrapped_data) {
1960 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1961 elems.wrapped_data,
1962 elems.wrapped_data_len);
1963 if (!pmksa) {
1964 #ifndef CONFIG_NO_RADIUS
1965 if (!sta->eapol_sm) {
1966 sta->eapol_sm =
1967 ieee802_1x_alloc_eapol_sm(hapd, sta);
1968 }
1969 wpa_printf(MSG_DEBUG,
1970 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1971 ieee802_1x_encapsulate_radius(
1972 hapd, sta, elems.wrapped_data,
1973 elems.wrapped_data_len);
1974 sta->fils_pending_cb = cb;
1975 wpa_printf(MSG_DEBUG,
1976 "FILS: Will send Authentication frame once the response from authentication server is available");
1977 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1978 /* Calculate pending PMKID here so that we do not need
1979 * to maintain a copy of the EAP-Initiate/Reauth
1980 * message. */
1981 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1982 elems.wrapped_data,
1983 elems.wrapped_data_len,
1984 sta->fils_erp_pmkid) == 0)
1985 sta->fils_erp_pmkid_set = 1;
1986 return;
1987 #else /* CONFIG_NO_RADIUS */
1988 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1989 goto fail;
1990 #endif /* CONFIG_NO_RADIUS */
1991 }
1992 }
1993
1994 fail:
1995 if (cb) {
1996 struct wpabuf *data;
1997 int pub = 0;
1998
1999 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2000 NULL, 0, &pub);
2001 if (!data) {
2002 wpa_printf(MSG_DEBUG,
2003 "%s: prepare_auth_resp_fils() returned failure",
2004 __func__);
2005 }
2006
2007 cb(hapd, sta, resp, data, pub);
2008 }
2009 }
2010
2011
2012 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)2013 prepare_auth_resp_fils(struct hostapd_data *hapd,
2014 struct sta_info *sta, u16 *resp,
2015 struct rsn_pmksa_cache_entry *pmksa,
2016 struct wpabuf *erp_resp,
2017 const u8 *msk, size_t msk_len,
2018 int *is_pub)
2019 {
2020 u8 fils_nonce[FILS_NONCE_LEN];
2021 size_t ielen;
2022 struct wpabuf *data = NULL;
2023 const u8 *ie;
2024 u8 *ie_buf = NULL;
2025 const u8 *pmk = NULL;
2026 size_t pmk_len = 0;
2027 u8 pmk_buf[PMK_LEN_MAX];
2028 struct wpabuf *pub = NULL;
2029
2030 if (*resp != WLAN_STATUS_SUCCESS)
2031 goto fail;
2032
2033 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2034 if (!ie) {
2035 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2036 goto fail;
2037 }
2038
2039 if (pmksa) {
2040 /* Add PMKID of the selected PMKSA into RSNE */
2041 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2042 if (!ie_buf) {
2043 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2044 goto fail;
2045 }
2046
2047 os_memcpy(ie_buf, ie, ielen);
2048 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2049 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2050 goto fail;
2051 }
2052 ie = ie_buf;
2053 }
2054
2055 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2056 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2057 goto fail;
2058 }
2059 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2060 fils_nonce, FILS_NONCE_LEN);
2061
2062 #ifdef CONFIG_FILS_SK_PFS
2063 if (sta->fils_dh_ss && sta->fils_ecdh) {
2064 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2065 if (!pub) {
2066 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2067 goto fail;
2068 }
2069 }
2070 #endif /* CONFIG_FILS_SK_PFS */
2071
2072 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2073 if (!data) {
2074 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2075 goto fail;
2076 }
2077
2078 /* TODO: FILS PK */
2079 #ifdef CONFIG_FILS_SK_PFS
2080 if (pub) {
2081 /* Finite Cyclic Group */
2082 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2083
2084 /* Element */
2085 wpabuf_put_buf(data, pub);
2086 }
2087 #endif /* CONFIG_FILS_SK_PFS */
2088
2089 /* RSNE */
2090 wpabuf_put_data(data, ie, ielen);
2091
2092 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2093
2094 #ifdef CONFIG_IEEE80211R_AP
2095 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2096 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2097 int res;
2098 int use_sha384 = wpa_key_mgmt_sha384(
2099 wpa_auth_sta_key_mgmt(sta->wpa_sm));
2100
2101 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2102 wpabuf_put(data, 0),
2103 wpabuf_tailroom(data));
2104 if (res < 0) {
2105 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2106 goto fail;
2107 }
2108 wpabuf_put(data, res);
2109 }
2110 #endif /* CONFIG_IEEE80211R_AP */
2111
2112 /* FILS Nonce */
2113 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2114 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2115 /* Element ID Extension */
2116 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2117 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2118
2119 /* FILS Session */
2120 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2121 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2122 /* Element ID Extension */
2123 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2124 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2125
2126 /* Wrapped Data */
2127 if (!pmksa && erp_resp) {
2128 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2129 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2130 /* Element ID Extension */
2131 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2132 wpabuf_put_buf(data, erp_resp);
2133
2134 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2135 msk, msk_len, sta->fils_snonce, fils_nonce,
2136 sta->fils_dh_ss ?
2137 wpabuf_head(sta->fils_dh_ss) : NULL,
2138 sta->fils_dh_ss ?
2139 wpabuf_len(sta->fils_dh_ss) : 0,
2140 pmk_buf, &pmk_len)) {
2141 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2142 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2143 wpabuf_free(data);
2144 data = NULL;
2145 goto fail;
2146 }
2147 pmk = pmk_buf;
2148
2149 /* Don't use DHss in PTK derivation if PMKSA caching is not
2150 * used. */
2151 wpabuf_clear_free(sta->fils_dh_ss);
2152 sta->fils_dh_ss = NULL;
2153
2154 if (sta->fils_erp_pmkid_set) {
2155 /* TODO: get PMKLifetime from WPA parameters */
2156 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2157 int session_timeout;
2158
2159 session_timeout = dot11RSNAConfigPMKLifetime;
2160 if (sta->session_timeout_set) {
2161 struct os_reltime now, diff;
2162
2163 os_get_reltime(&now);
2164 os_reltime_sub(&sta->session_timeout, &now,
2165 &diff);
2166 session_timeout = diff.sec;
2167 }
2168
2169 sta->fils_erp_pmkid_set = 0;
2170 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2171 sta->fils_erp_pmkid);
2172 if (!hapd->conf->disable_pmksa_caching &&
2173 wpa_auth_pmksa_add2(
2174 hapd->wpa_auth, sta->addr,
2175 pmk, pmk_len,
2176 sta->fils_erp_pmkid,
2177 session_timeout,
2178 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2179 wpa_printf(MSG_ERROR,
2180 "FILS: Failed to add PMKSA cache entry based on ERP");
2181 }
2182 }
2183 } else if (pmksa) {
2184 pmk = pmksa->pmk;
2185 pmk_len = pmksa->pmk_len;
2186 }
2187
2188 if (!pmk) {
2189 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2190 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2191 wpabuf_free(data);
2192 data = NULL;
2193 goto fail;
2194 }
2195
2196 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2197 sta->fils_snonce, fils_nonce,
2198 sta->fils_dh_ss ?
2199 wpabuf_head(sta->fils_dh_ss) : NULL,
2200 sta->fils_dh_ss ?
2201 wpabuf_len(sta->fils_dh_ss) : 0,
2202 sta->fils_g_sta, pub) < 0) {
2203 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2204 wpabuf_free(data);
2205 data = NULL;
2206 goto fail;
2207 }
2208
2209 fail:
2210 if (is_pub)
2211 *is_pub = pub != NULL;
2212 os_free(ie_buf);
2213 wpabuf_free(pub);
2214 wpabuf_clear_free(sta->fils_dh_ss);
2215 sta->fils_dh_ss = NULL;
2216 #ifdef CONFIG_FILS_SK_PFS
2217 crypto_ecdh_deinit(sta->fils_ecdh);
2218 sta->fils_ecdh = NULL;
2219 #endif /* CONFIG_FILS_SK_PFS */
2220 return data;
2221 }
2222
2223
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2224 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2225 struct sta_info *sta, u16 resp,
2226 struct wpabuf *data, int pub)
2227 {
2228 u16 auth_alg;
2229
2230 auth_alg = (pub ||
2231 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2232 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2233 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2234 data ? wpabuf_head(data) : (u8 *) "",
2235 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2236 wpabuf_free(data);
2237
2238 if (resp == WLAN_STATUS_SUCCESS) {
2239 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2240 HOSTAPD_LEVEL_DEBUG,
2241 "authentication OK (FILS)");
2242 sta->flags |= WLAN_STA_AUTH;
2243 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2244 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2245 mlme_authenticate_indication(hapd, sta);
2246 }
2247 }
2248
2249
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2250 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2251 struct sta_info *sta, int success,
2252 struct wpabuf *erp_resp,
2253 const u8 *msk, size_t msk_len)
2254 {
2255 u16 resp;
2256 u32 flags = sta->flags;
2257
2258 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2259 WLAN_STA_PENDING_PASN_FILS_ERP);
2260
2261 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2262
2263 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2264 struct wpabuf *data;
2265 int pub = 0;
2266
2267 if (!sta->fils_pending_cb)
2268 return;
2269
2270 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2271 msk, msk_len, &pub);
2272 if (!data) {
2273 wpa_printf(MSG_DEBUG,
2274 "%s: prepare_auth_resp_fils() failure",
2275 __func__);
2276 }
2277 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2278 #ifdef CONFIG_PASN
2279 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2280 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2281 msk, msk_len);
2282 #endif /* CONFIG_PASN */
2283 }
2284 }
2285
2286 #endif /* CONFIG_FILS */
2287
2288
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2289 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2290 const u8 *msg, size_t len,
2291 struct radius_sta *info)
2292 {
2293 int res;
2294
2295 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2296
2297 if (res == HOSTAPD_ACL_REJECT) {
2298 wpa_printf(MSG_DEBUG, "Station " MACSTR_SEC
2299 " not allowed to authenticate",
2300 MAC2STR_SEC(addr));
2301 return HOSTAPD_ACL_REJECT;
2302 }
2303
2304 if (res == HOSTAPD_ACL_PENDING) {
2305 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR_SEC
2306 " waiting for an external authentication",
2307 MAC2STR_SEC(addr));
2308 /* Authentication code will re-send the authentication frame
2309 * after it has received (and cached) information from the
2310 * external source. */
2311 return HOSTAPD_ACL_PENDING;
2312 }
2313
2314 return res;
2315 }
2316
2317
2318 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2319 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2320 int res, struct radius_sta *info)
2321 {
2322 u32 session_timeout = info->session_timeout;
2323 u32 acct_interim_interval = info->acct_interim_interval;
2324 struct vlan_description *vlan_id = &info->vlan_id;
2325 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2326 char *identity = info->identity;
2327 char *radius_cui = info->radius_cui;
2328
2329 if (vlan_id->notempty &&
2330 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2331 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2332 HOSTAPD_LEVEL_INFO,
2333 "Invalid VLAN %d%s received from RADIUS server",
2334 vlan_id->untagged,
2335 vlan_id->tagged[0] ? "+" : "");
2336 return -1;
2337 }
2338 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2339 return -1;
2340 if (sta->vlan_id)
2341 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2342 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2343
2344 hostapd_free_psk_list(sta->psk);
2345 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2346 hostapd_copy_psk_list(&sta->psk, psk);
2347 else
2348 sta->psk = NULL;
2349
2350 os_free(sta->identity);
2351 if (identity)
2352 sta->identity = os_strdup(identity);
2353 else
2354 sta->identity = NULL;
2355
2356 os_free(sta->radius_cui);
2357 if (radius_cui)
2358 sta->radius_cui = os_strdup(radius_cui);
2359 else
2360 sta->radius_cui = NULL;
2361
2362 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2363 sta->acct_interim_interval = acct_interim_interval;
2364 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2365 sta->session_timeout_set = 1;
2366 os_get_reltime(&sta->session_timeout);
2367 sta->session_timeout.sec += session_timeout;
2368 ap_sta_session_timeout(hapd, sta, session_timeout);
2369 } else {
2370 sta->session_timeout_set = 0;
2371 ap_sta_no_session_timeout(hapd, sta);
2372 }
2373
2374 return 0;
2375 }
2376
2377
2378 #ifdef CONFIG_PASN
2379 #ifdef CONFIG_SAE
2380
pasn_wd_handle_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2381 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2382 struct sta_info *sta,
2383 struct wpabuf *wd)
2384 {
2385 struct pasn_data *pasn = sta->pasn;
2386 const char *password;
2387 const u8 *data;
2388 size_t buf_len;
2389 u16 res, alg, seq, status;
2390 int groups[] = { pasn->group, 0 };
2391 struct sae_pt *pt = NULL;
2392 int ret;
2393
2394 if (!wd)
2395 return -1;
2396
2397 data = wpabuf_head_u8(wd);
2398 buf_len = wpabuf_len(wd);
2399
2400 if (buf_len < 6) {
2401 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2402 buf_len);
2403 return -1;
2404 }
2405
2406 alg = WPA_GET_LE16(data);
2407 seq = WPA_GET_LE16(data + 2);
2408 status = WPA_GET_LE16(data + 4);
2409
2410 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2411 alg, seq, status);
2412
2413 if (alg != WLAN_AUTH_SAE || seq != 1 ||
2414 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
2415 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2416 return -1;
2417 }
2418
2419 sae_clear_data(&pasn->sae);
2420 pasn->sae.state = SAE_NOTHING;
2421
2422 ret = sae_set_group(&pasn->sae, pasn->group);
2423 if (ret) {
2424 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2425 return -1;
2426 }
2427
2428 password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL);
2429 if (!password || !pt) {
2430 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
2431 return -1;
2432 }
2433
2434 ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr,
2435 NULL, NULL);
2436 if (ret) {
2437 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2438 return -1;
2439 }
2440
2441 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2442 groups, 0);
2443 if (res != WLAN_STATUS_SUCCESS) {
2444 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2445 return -1;
2446 }
2447
2448 /* Process the commit message and derive the PMK */
2449 ret = sae_process_commit(&pasn->sae);
2450 if (ret) {
2451 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2452 return -1;
2453 }
2454
2455 pasn->sae.state = SAE_COMMITTED;
2456
2457 return 0;
2458 }
2459
2460
pasn_wd_handle_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2461 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2462 struct sta_info *sta,
2463 struct wpabuf *wd)
2464 {
2465 struct pasn_data *pasn = sta->pasn;
2466 const u8 *data;
2467 size_t buf_len;
2468 u16 res, alg, seq, status;
2469
2470 if (!wd)
2471 return -1;
2472
2473 data = wpabuf_head_u8(wd);
2474 buf_len = wpabuf_len(wd);
2475
2476 if (buf_len < 6) {
2477 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2478 buf_len);
2479 return -1;
2480 }
2481
2482 alg = WPA_GET_LE16(data);
2483 seq = WPA_GET_LE16(data + 2);
2484 status = WPA_GET_LE16(data + 4);
2485
2486 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2487 alg, seq, status);
2488
2489 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2490 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2491 return -1;
2492 }
2493
2494 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2495 if (res != WLAN_STATUS_SUCCESS) {
2496 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2497 return -1;
2498 }
2499
2500 pasn->sae.state = SAE_ACCEPTED;
2501
2502 /*
2503 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2504 * PASN/SAE should only be allowed with future PASN only. For now do not
2505 * restrict this only for PASN.
2506 */
2507 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2508 pasn->sae.pmk, pasn->sae.pmkid);
2509 return 0;
2510 }
2511
2512
pasn_get_sae_wd(struct hostapd_data * hapd,struct sta_info * sta)2513 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2514 struct sta_info *sta)
2515 {
2516 struct pasn_data *pasn = sta->pasn;
2517 struct wpabuf *buf = NULL;
2518 u8 *len_ptr;
2519 size_t len;
2520
2521 /* Need to add the entire Authentication frame body */
2522 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2523 if (!buf) {
2524 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2525 return NULL;
2526 }
2527
2528 /* Need to add the entire authentication frame body for the commit */
2529 len_ptr = wpabuf_put(buf, 2);
2530 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2531 wpabuf_put_le16(buf, 1);
2532 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
2533
2534 /* Write the actual commit and update the length accordingly */
2535 sae_write_commit(&pasn->sae, buf, NULL, 0);
2536 len = wpabuf_len(buf);
2537 WPA_PUT_LE16(len_ptr, len - 2);
2538
2539 /* Need to add the entire Authentication frame body for the confirm */
2540 len_ptr = wpabuf_put(buf, 2);
2541 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2542 wpabuf_put_le16(buf, 2);
2543 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2544
2545 sae_write_confirm(&pasn->sae, buf);
2546 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2547
2548 pasn->sae.state = SAE_CONFIRMED;
2549
2550 return buf;
2551 }
2552
2553 #endif /* CONFIG_SAE */
2554
2555
2556 #ifdef CONFIG_FILS
2557
pasn_get_fils_wd(struct hostapd_data * hapd,struct sta_info * sta)2558 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2559 struct sta_info *sta)
2560 {
2561 struct pasn_data *pasn = sta->pasn;
2562 struct pasn_fils_data *fils = &pasn->fils;
2563 struct wpabuf *buf = NULL;
2564
2565 if (!fils->erp_resp) {
2566 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2567 return NULL;
2568 }
2569
2570 buf = wpabuf_alloc(1500);
2571 if (!buf)
2572 return NULL;
2573
2574 /* Add the authentication algorithm */
2575 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2576
2577 /* Authentication Transaction seq# */
2578 wpabuf_put_le16(buf, 2);
2579
2580 /* Status Code */
2581 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2582
2583 /* Own RSNE */
2584 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2585
2586 /* FILS Nonce */
2587 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2588 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2589 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2590 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2591
2592 /* FILS Session */
2593 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2594 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2595 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2596 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2597
2598 /* Wrapped Data */
2599 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2600 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2601 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2602 wpabuf_put_buf(buf, fils->erp_resp);
2603
2604 return buf;
2605 }
2606
2607
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2608 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2609 struct sta_info *sta, u16 status,
2610 struct wpabuf *erp_resp,
2611 const u8 *msk, size_t msk_len)
2612 {
2613 struct pasn_data *pasn = sta->pasn;
2614 struct pasn_fils_data *fils = &pasn->fils;
2615 u8 pmk[PMK_LEN_MAX];
2616 size_t pmk_len;
2617 int ret;
2618
2619 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2620 status);
2621
2622 if (status != WLAN_STATUS_SUCCESS)
2623 goto fail;
2624
2625 if (!pasn->secret) {
2626 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2627 goto fail;
2628 }
2629
2630 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2631 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2632 goto fail;
2633 }
2634
2635 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2636 fils->anonce, FILS_NONCE_LEN);
2637
2638 ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2639 fils->anonce, NULL, 0, pmk, &pmk_len);
2640 if (ret) {
2641 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2642 goto fail;
2643 }
2644
2645 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2646 wpabuf_head(pasn->secret),
2647 wpabuf_len(pasn->secret),
2648 &sta->pasn->ptk, sta->pasn->akmp,
2649 sta->pasn->cipher, sta->pasn->kdk_len);
2650 if (ret) {
2651 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2652 goto fail;
2653 }
2654
2655 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2656
2657 wpabuf_free(pasn->secret);
2658 pasn->secret = NULL;
2659
2660 fils->erp_resp = erp_resp;
2661 ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2662 fils->erp_resp = NULL;
2663
2664 if (ret) {
2665 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2666 goto fail;
2667 }
2668
2669 fils->state = PASN_FILS_STATE_COMPLETE;
2670 return;
2671 fail:
2672 ap_free_sta(hapd, sta);
2673 }
2674
2675
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2676 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2677 struct wpabuf *wd)
2678 {
2679 #ifdef CONFIG_NO_RADIUS
2680 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2681 return -1;
2682 #else /* CONFIG_NO_RADIUS */
2683 struct pasn_data *pasn = sta->pasn;
2684 struct pasn_fils_data *fils = &pasn->fils;
2685 struct ieee802_11_elems elems;
2686 struct wpa_ie_data rsne_data;
2687 struct wpabuf *fils_wd;
2688 const u8 *data;
2689 size_t buf_len;
2690 u16 alg, seq, status;
2691 int ret;
2692
2693 if (fils->state != PASN_FILS_STATE_NONE) {
2694 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2695 return -1;
2696 }
2697
2698 if (!wd) {
2699 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2700 return -1;
2701 }
2702
2703 data = wpabuf_head_u8(wd);
2704 buf_len = wpabuf_len(wd);
2705
2706 if (buf_len < 6) {
2707 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2708 buf_len);
2709 return -1;
2710 }
2711
2712 alg = WPA_GET_LE16(data);
2713 seq = WPA_GET_LE16(data + 2);
2714 status = WPA_GET_LE16(data + 4);
2715
2716 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2717 alg, seq, status);
2718
2719 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2720 status != WLAN_STATUS_SUCCESS) {
2721 wpa_printf(MSG_DEBUG,
2722 "PASN: FILS: Dropping peer authentication");
2723 return -1;
2724 }
2725
2726 data += 6;
2727 buf_len -= 6;
2728
2729 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2730 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2731 return -1;
2732 }
2733
2734 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2735 !elems.wrapped_data) {
2736 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2737 return -1;
2738 }
2739
2740 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2741 &rsne_data);
2742 if (ret) {
2743 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2744 return -1;
2745 }
2746
2747 ret = wpa_pasn_validate_rsne(&rsne_data);
2748 if (ret) {
2749 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2750 return -1;
2751 }
2752
2753 if (rsne_data.num_pmkid) {
2754 wpa_printf(MSG_DEBUG,
2755 "PASN: FILS: Not expecting PMKID in RSNE");
2756 return -1;
2757 }
2758
2759 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2760 FILS_NONCE_LEN);
2761 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2762
2763 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2764 FILS_SESSION_LEN);
2765 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2766
2767 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2768 WLAN_EID_EXT_WRAPPED_DATA);
2769
2770 if (!fils_wd) {
2771 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2772 return -1;
2773 }
2774
2775 if (!sta->eapol_sm)
2776 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2777
2778 wpa_printf(MSG_DEBUG,
2779 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2780
2781 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2782 wpabuf_len(fils_wd));
2783
2784 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2785
2786 fils->state = PASN_FILS_STATE_PENDING_AS;
2787
2788 /*
2789 * Calculate pending PMKID here so that we do not need to maintain a
2790 * copy of the EAP-Initiate/Reautt message.
2791 */
2792 fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2793 fils->erp_pmkid);
2794
2795 wpabuf_free(fils_wd);
2796 return 0;
2797 #endif /* CONFIG_NO_RADIUS */
2798 }
2799
2800 #endif /* CONFIG_FILS */
2801
2802
pasn_get_wrapped_data(struct hostapd_data * hapd,struct sta_info * sta)2803 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2804 struct sta_info *sta)
2805 {
2806 switch (sta->pasn->akmp) {
2807 case WPA_KEY_MGMT_PASN:
2808 /* no wrapped data */
2809 return NULL;
2810 case WPA_KEY_MGMT_SAE:
2811 #ifdef CONFIG_SAE
2812 return pasn_get_sae_wd(hapd, sta);
2813 #else /* CONFIG_SAE */
2814 wpa_printf(MSG_ERROR,
2815 "PASN: SAE: Cannot derive wrapped data");
2816 return NULL;
2817 #endif /* CONFIG_SAE */
2818 case WPA_KEY_MGMT_FILS_SHA256:
2819 case WPA_KEY_MGMT_FILS_SHA384:
2820 #ifdef CONFIG_FILS
2821 return pasn_get_fils_wd(hapd, sta);
2822 #endif /* CONFIG_FILS */
2823 /* fall through */
2824 case WPA_KEY_MGMT_FT_PSK:
2825 case WPA_KEY_MGMT_FT_IEEE8021X:
2826 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2827 default:
2828 wpa_printf(MSG_ERROR,
2829 "PASN: TODO: Wrapped data for akmp=0x%x",
2830 sta->pasn->akmp);
2831 return NULL;
2832 }
2833 }
2834
2835
2836 static int
pasn_derive_keys(struct hostapd_data * hapd,struct sta_info * sta,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)2837 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2838 const u8 *cached_pmk, size_t cached_pmk_len,
2839 struct wpa_pasn_params_data *pasn_data,
2840 struct wpabuf *wrapped_data,
2841 struct wpabuf *secret)
2842 {
2843 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2844 u8 pmk[PMK_LEN_MAX];
2845 u8 pmk_len;
2846 int ret;
2847
2848 os_memset(pmk, 0, sizeof(pmk));
2849 pmk_len = 0;
2850
2851 if (!cached_pmk || !cached_pmk_len)
2852 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2853
2854 if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2855 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2856
2857 pmk_len = WPA_PASN_PMK_LEN;
2858 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2859 } else if (cached_pmk && cached_pmk_len) {
2860 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2861
2862 pmk_len = cached_pmk_len;
2863 os_memcpy(pmk, cached_pmk, cached_pmk_len);
2864 } else {
2865 switch (sta->pasn->akmp) {
2866 #ifdef CONFIG_SAE
2867 case WPA_KEY_MGMT_SAE:
2868 if (sta->pasn->sae.state == SAE_COMMITTED) {
2869 pmk_len = PMK_LEN;
2870 os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2871 break;
2872 }
2873 #endif /* CONFIG_SAE */
2874 /* fall through */
2875 default:
2876 /* TODO: Derive PMK based on wrapped data */
2877 wpa_printf(MSG_DEBUG,
2878 "PASN: Missing PMK derivation");
2879 return -1;
2880 }
2881 }
2882
2883 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2884 wpabuf_head(secret), wpabuf_len(secret),
2885 &sta->pasn->ptk, sta->pasn->akmp,
2886 sta->pasn->cipher, sta->pasn->kdk_len);
2887 if (ret) {
2888 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2889 return -1;
2890 }
2891
2892 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2893 return 0;
2894 }
2895
2896
handle_auth_pasn_comeback(struct hostapd_data * hapd,struct sta_info * sta,u16 group)2897 static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
2898 struct sta_info *sta, u16 group)
2899 {
2900 struct wpabuf *buf, *comeback;
2901 int ret;
2902
2903 wpa_printf(MSG_DEBUG,
2904 "PASN: Building comeback frame 2. Comeback after=%u",
2905 hapd->conf->pasn_comeback_after);
2906
2907 buf = wpabuf_alloc(1500);
2908 if (!buf)
2909 return;
2910
2911 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2912 sta->addr, 2,
2913 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
2914
2915 /*
2916 * Do not include the group as a part of the token since it is not going
2917 * to be used.
2918 */
2919 comeback = auth_build_token_req(hapd, 0, sta->addr, 0);
2920 if (!comeback) {
2921 wpa_printf(MSG_DEBUG,
2922 "PASN: Failed sending auth with comeback");
2923 wpabuf_free(buf);
2924 return;
2925 }
2926
2927 wpa_pasn_add_parameter_ie(buf, group,
2928 WPA_PASN_WRAPPED_DATA_NO,
2929 NULL, 0, comeback,
2930 hapd->conf->pasn_comeback_after);
2931 wpabuf_free(comeback);
2932
2933 wpa_printf(MSG_DEBUG,
2934 "PASN: comeback: STA=" MACSTR_SEC, MAC2STR_SEC(sta->addr));
2935
2936 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2937 NULL, 0, 0);
2938 if (ret)
2939 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
2940
2941 wpabuf_free(buf);
2942 }
2943
2944
handle_auth_pasn_resp(struct hostapd_data * hapd,struct sta_info * sta,struct rsn_pmksa_cache_entry * pmksa,u16 status)2945 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2946 struct sta_info *sta,
2947 struct rsn_pmksa_cache_entry *pmksa,
2948 u16 status)
2949 {
2950 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2951 u8 mic[WPA_PASN_MAX_MIC_LEN];
2952 u8 mic_len;
2953 u8 *ptr;
2954 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2955 u8 *data_buf = NULL;
2956 size_t rsn_ie_len, frame_len, data_len;
2957 int ret;
2958 const u8 *pmkid = NULL;
2959
2960 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2961
2962 buf = wpabuf_alloc(1500);
2963 if (!buf)
2964 goto fail;
2965
2966 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2967 sta->addr, 2, status);
2968
2969 if (status != WLAN_STATUS_SUCCESS)
2970 goto done;
2971
2972 if (pmksa) {
2973 pmkid = pmksa->pmkid;
2974 #ifdef CONFIG_SAE
2975 } else if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
2976 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
2977 pmkid = sta->pasn->sae.pmkid;
2978 #endif /* CONFIG_SAE */
2979 #ifdef CONFIG_FILS
2980 } else if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
2981 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
2982 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
2983 pmkid = sta->pasn->fils.erp_pmkid;
2984 #endif /* CONFIG_FILS */
2985 }
2986
2987 if (wpa_pasn_add_rsne(buf, pmkid,
2988 sta->pasn->akmp, sta->pasn->cipher) < 0)
2989 goto fail;
2990
2991 /* No need to derive PMK if PMKSA is given */
2992 if (!pmksa)
2993 wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
2994 else
2995 sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
2996
2997 /* Get public key */
2998 pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
2999 pubkey = wpabuf_zeropad(pubkey,
3000 crypto_ecdh_prime_len(sta->pasn->ecdh));
3001 if (!pubkey) {
3002 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
3003 goto fail;
3004 }
3005
3006 wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
3007 sta->pasn->wrapped_data_format,
3008 pubkey, true, NULL, 0);
3009
3010 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
3011 goto fail;
3012
3013 wpabuf_free(wrapped_data_buf);
3014 wrapped_data_buf = NULL;
3015 wpabuf_free(pubkey);
3016 pubkey = NULL;
3017
3018 /* Add RSNXE if needed */
3019 rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
3020 if (rsnxe_ie)
3021 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
3022
3023 /* Add the mic */
3024 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3025 wpabuf_put_u8(buf, WLAN_EID_MIC);
3026 wpabuf_put_u8(buf, mic_len);
3027 ptr = wpabuf_put(buf, mic_len);
3028
3029 os_memset(ptr, 0, mic_len);
3030
3031 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
3032 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
3033
3034 rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
3035 if (!rsn_ie || !rsn_ie_len)
3036 goto fail;
3037
3038 /*
3039 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
3040 * MDE, etc. Thus, do not use the returned length but instead use the
3041 * length specified in the IE header.
3042 */
3043 data_len = rsn_ie[1] + 2;
3044 if (rsnxe_ie) {
3045 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
3046 if (!data_buf)
3047 goto fail;
3048
3049 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
3050 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
3051 data_len += rsnxe_ie[1] + 2;
3052 data = data_buf;
3053 } else {
3054 data = rsn_ie;
3055 }
3056
3057 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3058 hapd->own_addr, sta->addr, data, data_len,
3059 frame, frame_len, mic);
3060 os_free(data_buf);
3061 if (ret) {
3062 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
3063 goto fail;
3064 }
3065
3066 #ifdef CONFIG_TESTING_OPTIONS
3067 if (hapd->conf->pasn_corrupt_mic) {
3068 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
3069 mic[0] = ~mic[0];
3070 }
3071 #endif /* CONFIG_TESTING_OPTIONS */
3072
3073 os_memcpy(ptr, mic, mic_len);
3074
3075 done:
3076 wpa_printf(MSG_DEBUG,
3077 "PASN: Building frame 2: success; resp STA=" MACSTR_SEC,
3078 MAC2STR_SEC(sta->addr));
3079
3080 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
3081 NULL, 0, 0);
3082 if (ret)
3083 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
3084
3085 wpabuf_free(buf);
3086 return ret;
3087 fail:
3088 wpabuf_free(wrapped_data_buf);
3089 wpabuf_free(pubkey);
3090 wpabuf_free(buf);
3091 return -1;
3092 }
3093
3094
handle_auth_pasn_1(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3095 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3096 const struct ieee80211_mgmt *mgmt, size_t len)
3097 {
3098 struct ieee802_11_elems elems;
3099 struct wpa_ie_data rsn_data;
3100 struct wpa_pasn_params_data pasn_params;
3101 struct rsn_pmksa_cache_entry *pmksa = NULL;
3102 const u8 *cached_pmk = NULL;
3103 size_t cached_pmk_len = 0;
3104 #ifdef CONFIG_IEEE80211R_AP
3105 u8 pmk_r1[PMK_LEN_MAX];
3106 size_t pmk_r1_len;
3107 #endif /* CONFIG_IEEE80211R_AP */
3108 struct wpabuf *wrapped_data = NULL, *secret = NULL;
3109 const int *groups = hapd->conf->pasn_groups;
3110 static const int default_groups[] = { 19, 0 };
3111 u16 status = WLAN_STATUS_SUCCESS;
3112 int ret, inc_y;
3113 bool derive_keys;
3114 u32 i;
3115
3116 if (!groups)
3117 groups = default_groups;
3118
3119 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3120 len - offsetof(struct ieee80211_mgmt,
3121 u.auth.variable),
3122 &elems, 0) == ParseFailed) {
3123 wpa_printf(MSG_DEBUG,
3124 "PASN: Failed parsing Authentication frame");
3125 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3126 goto send_resp;
3127 }
3128
3129 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3130 &rsn_data);
3131 if (ret) {
3132 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3133 status = WLAN_STATUS_INVALID_RSNIE;
3134 goto send_resp;
3135 }
3136
3137 ret = wpa_pasn_validate_rsne(&rsn_data);
3138 if (ret) {
3139 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3140 status = WLAN_STATUS_INVALID_RSNIE;
3141 goto send_resp;
3142 }
3143
3144 if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3145 !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3146 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3147 status = WLAN_STATUS_INVALID_RSNIE;
3148 goto send_resp;
3149 }
3150
3151 sta->pasn->akmp = rsn_data.key_mgmt;
3152 sta->pasn->cipher = rsn_data.pairwise_cipher;
3153
3154 if (hapd->conf->force_kdk_derivation ||
3155 ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
3156 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
3157 WLAN_RSNX_CAPAB_SECURE_LTF)))
3158 sta->pasn->kdk_len = WPA_KDK_MAX_LEN;
3159 else
3160 sta->pasn->kdk_len = 0;
3161 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len);
3162
3163 if (!elems.pasn_params || !elems.pasn_params_len) {
3164 wpa_printf(MSG_DEBUG,
3165 "PASN: No PASN Parameters element found");
3166 status = WLAN_STATUS_INVALID_PARAMETERS;
3167 goto send_resp;
3168 }
3169
3170 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3171 elems.pasn_params_len + 3,
3172 false, &pasn_params);
3173 if (ret) {
3174 wpa_printf(MSG_DEBUG,
3175 "PASN: Failed validation of PASN Parameters IE");
3176 status = WLAN_STATUS_INVALID_PARAMETERS;
3177 goto send_resp;
3178 }
3179
3180 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3181 ;
3182
3183 if (!pasn_params.group || groups[i] != pasn_params.group) {
3184 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3185 pasn_params.group);
3186 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3187 goto send_resp;
3188 }
3189
3190 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3191 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3192 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3193 goto send_resp;
3194 }
3195
3196 if (pasn_params.comeback) {
3197 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
3198
3199 ret = check_comeback_token(hapd, sta->addr,
3200 pasn_params.comeback,
3201 pasn_params.comeback_len);
3202
3203 if (ret) {
3204 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
3205 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3206 goto send_resp;
3207 }
3208 } else if (use_anti_clogging(hapd)) {
3209 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
3210 handle_auth_pasn_comeback(hapd, sta, pasn_params.group);
3211 ap_free_sta(hapd, sta);
3212 return;
3213 }
3214
3215 sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3216 if (!sta->pasn->ecdh) {
3217 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3218 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3219 goto send_resp;
3220 }
3221
3222 sta->pasn->group = pasn_params.group;
3223
3224 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
3225 inc_y = 1;
3226 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
3227 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
3228 inc_y = 0;
3229 } else {
3230 wpa_printf(MSG_DEBUG,
3231 "PASN: Invalid first octet in pubkey=0x%x",
3232 pasn_params.pubkey[0]);
3233 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3234 goto send_resp;
3235 }
3236
3237 secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, inc_y,
3238 pasn_params.pubkey + 1,
3239 pasn_params.pubkey_len - 1);
3240 if (!secret) {
3241 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3242 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3243 goto send_resp;
3244 }
3245
3246 derive_keys = true;
3247 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3248 wrapped_data = ieee802_11_defrag(&elems,
3249 WLAN_EID_EXTENSION,
3250 WLAN_EID_EXT_WRAPPED_DATA);
3251 if (!wrapped_data) {
3252 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3253 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3254 goto send_resp;
3255 }
3256
3257 #ifdef CONFIG_SAE
3258 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3259 ret = pasn_wd_handle_sae_commit(hapd, sta,
3260 wrapped_data);
3261 if (ret) {
3262 wpa_printf(MSG_DEBUG,
3263 "PASN: Failed processing SAE commit");
3264 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3265 goto send_resp;
3266 }
3267 }
3268 #endif /* CONFIG_SAE */
3269 #ifdef CONFIG_FILS
3270 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3271 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3272 ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3273 if (ret) {
3274 wpa_printf(MSG_DEBUG,
3275 "PASN: Failed processing FILS wrapped data");
3276 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3277 goto send_resp;
3278 }
3279
3280 wpa_printf(MSG_DEBUG,
3281 "PASN: FILS: Pending AS response");
3282
3283 /*
3284 * With PASN/FILS, keys can be derived only after a
3285 * response from the AS is processed.
3286 */
3287 derive_keys = false;
3288 }
3289 #endif /* CONFIG_FILS */
3290 }
3291
3292 sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3293
3294 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3295 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3296 len - IEEE80211_HDRLEN, sta->pasn->hash);
3297 if (ret) {
3298 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3299 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3300 goto send_resp;
3301 }
3302
3303 if (!derive_keys) {
3304 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3305 sta->pasn->secret = secret;
3306 wpabuf_free(wrapped_data);
3307 return;
3308 }
3309
3310 if (rsn_data.num_pmkid) {
3311 if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3312 #ifdef CONFIG_IEEE80211R_AP
3313 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3314
3315 ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3316 rsn_data.pmkid,
3317 pmk_r1, &pmk_r1_len, NULL,
3318 NULL, NULL, NULL,
3319 NULL, NULL, NULL);
3320 if (ret) {
3321 wpa_printf(MSG_DEBUG,
3322 "PASN: FT: Failed getting PMK-R1");
3323 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3324 goto send_resp;
3325 }
3326 cached_pmk = pmk_r1;
3327 cached_pmk_len = pmk_r1_len;
3328 #else /* CONFIG_IEEE80211R_AP */
3329 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3330 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3331 goto send_resp;
3332 #endif /* CONFIG_IEEE80211R_AP */
3333 } else {
3334 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3335
3336 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3337 rsn_data.pmkid);
3338 if (pmksa) {
3339 cached_pmk = pmksa->pmk;
3340 cached_pmk_len = pmksa->pmk_len;
3341 }
3342 }
3343 } else {
3344 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3345 }
3346
3347 ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3348 &pasn_params, wrapped_data, secret);
3349 if (ret) {
3350 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3351 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3352 goto send_resp;
3353 }
3354
3355 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3356 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3357 len - IEEE80211_HDRLEN, sta->pasn->hash);
3358 if (ret) {
3359 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3360 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3361 }
3362
3363 send_resp:
3364 ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3365 if (ret) {
3366 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3367 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3368 } else {
3369 wpa_printf(MSG_DEBUG,
3370 "PASN: Success handling transaction == 1");
3371 }
3372
3373 wpabuf_free(secret);
3374 wpabuf_free(wrapped_data);
3375
3376 if (status != WLAN_STATUS_SUCCESS)
3377 ap_free_sta(hapd, sta);
3378 }
3379
3380
handle_auth_pasn_3(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3381 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3382 const struct ieee80211_mgmt *mgmt, size_t len)
3383 {
3384 struct ieee802_11_elems elems;
3385 struct wpa_pasn_params_data pasn_params;
3386 struct wpabuf *wrapped_data = NULL;
3387 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3388 u8 mic_len;
3389 int ret;
3390
3391 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3392 len - offsetof(struct ieee80211_mgmt,
3393 u.auth.variable),
3394 &elems, 0) == ParseFailed) {
3395 wpa_printf(MSG_DEBUG,
3396 "PASN: Failed parsing Authentication frame");
3397 goto fail;
3398 }
3399
3400 /* Check that the MIC IE exists. Save it and zero out the memory. */
3401 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3402 if (!elems.mic || elems.mic_len != mic_len) {
3403 wpa_printf(MSG_DEBUG,
3404 "PASN: Invalid MIC. Expecting len=%u", mic_len);
3405 goto fail;
3406 } else {
3407 os_memcpy(mic, elems.mic, mic_len);
3408 /* TODO: Clean this up.. Should not modify received frame
3409 * buffer. */
3410 os_memset((u8 *) elems.mic, 0, mic_len);
3411 }
3412
3413 if (!elems.pasn_params || !elems.pasn_params_len) {
3414 wpa_printf(MSG_DEBUG,
3415 "PASN: No PASN Parameters element found");
3416 goto fail;
3417 }
3418
3419 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3420 elems.pasn_params_len + 3,
3421 false, &pasn_params);
3422 if (ret) {
3423 wpa_printf(MSG_DEBUG,
3424 "PASN: Failed validation of PASN Parameters IE");
3425 goto fail;
3426 }
3427
3428 if (pasn_params.pubkey || pasn_params.pubkey_len) {
3429 wpa_printf(MSG_DEBUG,
3430 "PASN: Public key should not be included");
3431 goto fail;
3432 }
3433
3434 /* Verify the MIC */
3435 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3436 sta->addr, hapd->own_addr,
3437 sta->pasn->hash, mic_len * 2,
3438 (u8 *) &mgmt->u.auth,
3439 len - offsetof(struct ieee80211_mgmt, u.auth),
3440 out_mic);
3441
3442 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3443 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3444 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3445 goto fail;
3446 }
3447
3448 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3449 wrapped_data = ieee802_11_defrag(&elems,
3450 WLAN_EID_EXTENSION,
3451 WLAN_EID_EXT_WRAPPED_DATA);
3452
3453 if (!wrapped_data) {
3454 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3455 goto fail;
3456 }
3457
3458 #ifdef CONFIG_SAE
3459 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3460 ret = pasn_wd_handle_sae_confirm(hapd, sta,
3461 wrapped_data);
3462 if (ret) {
3463 wpa_printf(MSG_DEBUG,
3464 "PASN: Failed processing SAE confirm");
3465 wpabuf_free(wrapped_data);
3466 goto fail;
3467 }
3468 }
3469 #endif /* CONFIG_SAE */
3470 #ifdef CONFIG_FILS
3471 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3472 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3473 if (wrapped_data) {
3474 wpa_printf(MSG_DEBUG,
3475 "PASN: FILS: Ignore wrapped data");
3476 }
3477 }
3478 #endif /* CONFIG_FILS */
3479 wpabuf_free(wrapped_data);
3480 }
3481
3482 wpa_printf(MSG_INFO,
3483 "PASN: Success handling transaction == 3. Store PTK");
3484
3485 ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3486 &sta->pasn->ptk);
3487 fail:
3488 ap_free_sta(hapd, sta);
3489 }
3490
3491
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)3492 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3493 const struct ieee80211_mgmt *mgmt, size_t len,
3494 u16 trans_seq, u16 status)
3495 {
3496 if (hapd->conf->wpa != WPA_PROTO_RSN) {
3497 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3498 return;
3499 }
3500
3501 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR_SEC,
3502 MAC2STR_SEC(sta->addr));
3503
3504 if (trans_seq == 1) {
3505 if (sta->pasn) {
3506 wpa_printf(MSG_DEBUG,
3507 "PASN: Not expecting transaction == 1");
3508 return;
3509 }
3510
3511 if (status != WLAN_STATUS_SUCCESS) {
3512 wpa_printf(MSG_DEBUG,
3513 "PASN: Failure status in transaction == 1");
3514 return;
3515 }
3516
3517 sta->pasn = os_zalloc(sizeof(*sta->pasn));
3518 if (!sta->pasn) {
3519 wpa_printf(MSG_DEBUG,
3520 "PASN: Failed to allocate PASN context");
3521 return;
3522 }
3523
3524 handle_auth_pasn_1(hapd, sta, mgmt, len);
3525 } else if (trans_seq == 3) {
3526 if (!sta->pasn) {
3527 wpa_printf(MSG_DEBUG,
3528 "PASN: Not expecting transaction == 3");
3529 return;
3530 }
3531
3532 if (status != WLAN_STATUS_SUCCESS) {
3533 wpa_printf(MSG_DEBUG,
3534 "PASN: Failure status in transaction == 3");
3535 ap_free_sta_pasn(hapd, sta);
3536 return;
3537 }
3538
3539 handle_auth_pasn_3(hapd, sta, mgmt, len);
3540 } else {
3541 wpa_printf(MSG_DEBUG,
3542 "PASN: Invalid transaction %u - ignore", trans_seq);
3543 }
3544 }
3545
3546 #endif /* CONFIG_PASN */
3547
3548
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)3549 static void handle_auth(struct hostapd_data *hapd,
3550 const struct ieee80211_mgmt *mgmt, size_t len,
3551 int rssi, int from_queue)
3552 {
3553 u16 auth_alg, auth_transaction, status_code;
3554 u16 resp = WLAN_STATUS_SUCCESS;
3555 struct sta_info *sta = NULL;
3556 int res, reply_res;
3557 u16 fc;
3558 const u8 *challenge = NULL;
3559 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3560 size_t resp_ies_len = 0;
3561 u16 seq_ctrl;
3562 struct radius_sta rad_info;
3563
3564 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3565 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3566 (unsigned long) len);
3567 return;
3568 }
3569
3570 #ifdef CONFIG_TESTING_OPTIONS
3571 if (hapd->iconf->ignore_auth_probability > 0.0 &&
3572 drand48() < hapd->iconf->ignore_auth_probability) {
3573 wpa_printf(MSG_INFO,
3574 "TESTING: ignoring auth frame from " MACSTR_SEC,
3575 MAC2STR_SEC(mgmt->sa));
3576 return;
3577 }
3578 #endif /* CONFIG_TESTING_OPTIONS */
3579
3580 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3581 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3582 status_code = le_to_host16(mgmt->u.auth.status_code);
3583 fc = le_to_host16(mgmt->frame_control);
3584 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3585
3586 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3587 2 + WLAN_AUTH_CHALLENGE_LEN &&
3588 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3589 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3590 challenge = &mgmt->u.auth.variable[2];
3591
3592 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR_SEC " auth_alg=%d "
3593 "auth_transaction=%d status_code=%d wep=%d%s "
3594 "seq_ctrl=0x%x%s%s",
3595 MAC2STR_SEC(mgmt->sa), auth_alg, auth_transaction,
3596 status_code, !!(fc & WLAN_FC_ISWEP),
3597 challenge ? " challenge" : "",
3598 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3599 from_queue ? " (from queue)" : "");
3600
3601 #ifdef CONFIG_NO_RC4
3602 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3603 wpa_printf(MSG_INFO,
3604 "Unsupported authentication algorithm (%d)",
3605 auth_alg);
3606 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3607 goto fail;
3608 }
3609 #endif /* CONFIG_NO_RC4 */
3610
3611 if (hapd->tkip_countermeasures) {
3612 wpa_printf(MSG_DEBUG,
3613 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3614 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3615 goto fail;
3616 }
3617
3618 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3619 auth_alg == WLAN_AUTH_OPEN) ||
3620 #ifdef CONFIG_IEEE80211R_AP
3621 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3622 auth_alg == WLAN_AUTH_FT) ||
3623 #endif /* CONFIG_IEEE80211R_AP */
3624 #ifdef CONFIG_SAE
3625 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3626 auth_alg == WLAN_AUTH_SAE) ||
3627 #endif /* CONFIG_SAE */
3628 #ifdef CONFIG_FILS
3629 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3630 auth_alg == WLAN_AUTH_FILS_SK) ||
3631 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3632 hapd->conf->fils_dh_group &&
3633 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3634 #endif /* CONFIG_FILS */
3635 #ifdef CONFIG_PASN
3636 (hapd->conf->wpa &&
3637 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3638 auth_alg == WLAN_AUTH_PASN) ||
3639 #endif /* CONFIG_PASN */
3640 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3641 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3642 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3643 auth_alg);
3644 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3645 goto fail;
3646 }
3647
3648 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3649 #ifdef CONFIG_PASN
3650 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3651 #endif /* CONFIG_PASN */
3652 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3653 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3654 auth_transaction);
3655 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3656 goto fail;
3657 }
3658
3659 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3660 wpa_printf(MSG_INFO, "Station " MACSTR_SEC " not allowed to authenticate",
3661 MAC2STR_SEC(mgmt->sa));
3662 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3663 goto fail;
3664 }
3665
3666 if (hapd->conf->no_auth_if_seen_on) {
3667 struct hostapd_data *other;
3668
3669 other = sta_track_seen_on(hapd->iface, mgmt->sa,
3670 hapd->conf->no_auth_if_seen_on);
3671 if (other) {
3672 u8 *pos;
3673 u32 info;
3674 u8 op_class, channel, phytype;
3675
3676 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3677 MACSTR_SEC " since STA has been seen on %s",
3678 hapd->conf->iface, MAC2STR_SEC(mgmt->sa),
3679 hapd->conf->no_auth_if_seen_on);
3680
3681 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3682 pos = &resp_ies[0];
3683 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3684 *pos++ = 13;
3685 os_memcpy(pos, other->own_addr, ETH_ALEN);
3686 pos += ETH_ALEN;
3687 info = 0; /* TODO: BSSID Information */
3688 WPA_PUT_LE32(pos, info);
3689 pos += 4;
3690 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3691 phytype = 8; /* dmg */
3692 else if (other->iconf->ieee80211ac)
3693 phytype = 9; /* vht */
3694 else if (other->iconf->ieee80211n)
3695 phytype = 7; /* ht */
3696 else if (other->iconf->hw_mode ==
3697 HOSTAPD_MODE_IEEE80211A)
3698 phytype = 4; /* ofdm */
3699 else if (other->iconf->hw_mode ==
3700 HOSTAPD_MODE_IEEE80211G)
3701 phytype = 6; /* erp */
3702 else
3703 phytype = 5; /* hrdsss */
3704 if (ieee80211_freq_to_channel_ext(
3705 hostapd_hw_get_freq(other,
3706 other->iconf->channel),
3707 other->iconf->secondary_channel,
3708 other->iconf->ieee80211ac,
3709 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3710 op_class = 0;
3711 channel = other->iconf->channel;
3712 }
3713 *pos++ = op_class;
3714 *pos++ = channel;
3715 *pos++ = phytype;
3716 resp_ies_len = pos - &resp_ies[0];
3717 goto fail;
3718 }
3719 }
3720
3721 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3722 &rad_info);
3723 if (res == HOSTAPD_ACL_REJECT) {
3724 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3725 "Ignore Authentication frame from " MACSTR
3726 " due to ACL reject", MAC2STR(mgmt->sa));
3727 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3728 goto fail;
3729 }
3730 if (res == HOSTAPD_ACL_PENDING)
3731 return;
3732
3733 #ifdef CONFIG_SAE
3734 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3735 (auth_transaction == 1 ||
3736 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3737 /* Handle SAE Authentication commit message through a queue to
3738 * provide more control for postponing the needed heavy
3739 * processing under a possible DoS attack scenario. In addition,
3740 * queue SAE Authentication confirm message if there happens to
3741 * be a queued commit message from the same peer. This is needed
3742 * to avoid reordering Authentication frames within the same
3743 * SAE exchange. */
3744 auth_sae_queue(hapd, mgmt, len, rssi);
3745 return;
3746 }
3747 #endif /* CONFIG_SAE */
3748
3749 sta = ap_get_sta(hapd, mgmt->sa);
3750 if (sta) {
3751 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3752 sta->ft_over_ds = 0;
3753 if ((fc & WLAN_FC_RETRY) &&
3754 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3755 sta->last_seq_ctrl == seq_ctrl &&
3756 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3757 hostapd_logger(hapd, sta->addr,
3758 HOSTAPD_MODULE_IEEE80211,
3759 HOSTAPD_LEVEL_DEBUG,
3760 "Drop repeated authentication frame seq_ctrl=0x%x",
3761 seq_ctrl);
3762 return;
3763 }
3764 #ifdef CONFIG_MESH
3765 if ((hapd->conf->mesh & MESH_ENABLED) &&
3766 sta->plink_state == PLINK_BLOCKED) {
3767 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR_SEC
3768 " is blocked - drop Authentication frame",
3769 MAC2STR_SEC(mgmt->sa));
3770 return;
3771 }
3772 #endif /* CONFIG_MESH */
3773 #ifdef CONFIG_PASN
3774 if (auth_alg == WLAN_AUTH_PASN &&
3775 (sta->flags & WLAN_STA_ASSOC)) {
3776 wpa_printf(MSG_DEBUG,
3777 "PASN: auth: Existing station: " MACSTR_SEC,
3778 MAC2STR_SEC(sta->addr));
3779 return;
3780 }
3781 #endif /* CONFIG_PASN */
3782 } else {
3783 #ifdef CONFIG_MESH
3784 if (hapd->conf->mesh & MESH_ENABLED) {
3785 /* if the mesh peer is not available, we don't do auth.
3786 */
3787 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR_SEC
3788 " not yet known - drop Authentication frame",
3789 MAC2STR_SEC(mgmt->sa));
3790 /*
3791 * Save a copy of the frame so that it can be processed
3792 * if a new peer entry is added shortly after this.
3793 */
3794 wpabuf_free(hapd->mesh_pending_auth);
3795 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3796 os_get_reltime(&hapd->mesh_pending_auth_time);
3797 return;
3798 }
3799 #endif /* CONFIG_MESH */
3800
3801 sta = ap_sta_add(hapd, mgmt->sa);
3802 if (!sta) {
3803 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3804 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3805 goto fail;
3806 }
3807 }
3808 sta->last_seq_ctrl = seq_ctrl;
3809 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3810 #ifdef CONFIG_MBO
3811 sta->auth_rssi = rssi;
3812 #endif /* CONFIG_MBO */
3813
3814 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3815 if (res) {
3816 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3817 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3818 goto fail;
3819 }
3820
3821 sta->flags &= ~WLAN_STA_PREAUTH;
3822 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3823
3824 /*
3825 * If the driver supports full AP client state, add a station to the
3826 * driver before sending authentication reply to make sure the driver
3827 * has resources, and not to go through the entire authentication and
3828 * association handshake, and fail it at the end.
3829 *
3830 * If this is not the first transaction, in a multi-step authentication
3831 * algorithm, the station already exists in the driver
3832 * (sta->added_unassoc = 1) so skip it.
3833 *
3834 * In mesh mode, the station was already added to the driver when the
3835 * NEW_PEER_CANDIDATE event is received.
3836 *
3837 * If PMF was negotiated for the existing association, skip this to
3838 * avoid dropping the STA entry and the associated keys. This is needed
3839 * to allow the original connection work until the attempt can complete
3840 * (re)association, so that unprotected Authentication frame cannot be
3841 * used to bypass PMF protection.
3842 *
3843 * PASN authentication does not require adding/removing station to the
3844 * driver so skip this flow in case of PASN authentication.
3845 */
3846 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3847 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3848 !(hapd->conf->mesh & MESH_ENABLED) &&
3849 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3850 if (ap_sta_re_add(hapd, sta) < 0) {
3851 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3852 goto fail;
3853 }
3854 }
3855
3856 switch (auth_alg) {
3857 case WLAN_AUTH_OPEN:
3858 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3859 HOSTAPD_LEVEL_DEBUG,
3860 "authentication OK (open system)");
3861 sta->flags |= WLAN_STA_AUTH;
3862 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3863 sta->auth_alg = WLAN_AUTH_OPEN;
3864 mlme_authenticate_indication(hapd, sta);
3865 break;
3866 #ifdef CONFIG_WEP
3867 #ifndef CONFIG_NO_RC4
3868 case WLAN_AUTH_SHARED_KEY:
3869 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3870 fc & WLAN_FC_ISWEP);
3871 if (resp != 0)
3872 wpa_printf(MSG_DEBUG,
3873 "auth_shared_key() failed: status=%d", resp);
3874 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3875 mlme_authenticate_indication(hapd, sta);
3876 if (sta->challenge && auth_transaction == 1) {
3877 resp_ies[0] = WLAN_EID_CHALLENGE;
3878 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3879 os_memcpy(resp_ies + 2, sta->challenge,
3880 WLAN_AUTH_CHALLENGE_LEN);
3881 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3882 }
3883 break;
3884 #endif /* CONFIG_NO_RC4 */
3885 #endif /* CONFIG_WEP */
3886 #ifdef CONFIG_IEEE80211R_AP
3887 case WLAN_AUTH_FT:
3888 sta->auth_alg = WLAN_AUTH_FT;
3889 if (sta->wpa_sm == NULL)
3890 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3891 sta->addr, NULL);
3892 if (sta->wpa_sm == NULL) {
3893 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3894 "state machine");
3895 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3896 goto fail;
3897 }
3898 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3899 auth_transaction, mgmt->u.auth.variable,
3900 len - IEEE80211_HDRLEN -
3901 sizeof(mgmt->u.auth),
3902 handle_auth_ft_finish, hapd);
3903 /* handle_auth_ft_finish() callback will complete auth. */
3904 return;
3905 #endif /* CONFIG_IEEE80211R_AP */
3906 #ifdef CONFIG_SAE
3907 case WLAN_AUTH_SAE:
3908 #ifdef CONFIG_MESH
3909 if (status_code == WLAN_STATUS_SUCCESS &&
3910 hapd->conf->mesh & MESH_ENABLED) {
3911 if (sta->wpa_sm == NULL)
3912 sta->wpa_sm =
3913 wpa_auth_sta_init(hapd->wpa_auth,
3914 sta->addr, NULL);
3915 if (sta->wpa_sm == NULL) {
3916 wpa_printf(MSG_DEBUG,
3917 "SAE: Failed to initialize WPA state machine");
3918 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3919 goto fail;
3920 }
3921 }
3922 #endif /* CONFIG_MESH */
3923 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3924 status_code);
3925 return;
3926 #endif /* CONFIG_SAE */
3927 #ifdef CONFIG_FILS
3928 case WLAN_AUTH_FILS_SK:
3929 case WLAN_AUTH_FILS_SK_PFS:
3930 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3931 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3932 auth_alg, auth_transaction, status_code,
3933 handle_auth_fils_finish);
3934 return;
3935 #endif /* CONFIG_FILS */
3936 #ifdef CONFIG_PASN
3937 case WLAN_AUTH_PASN:
3938 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3939 status_code);
3940 return;
3941 #endif /* CONFIG_PASN */
3942 }
3943
3944 fail:
3945 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3946 auth_alg == WLAN_AUTH_SAE ?
3947 auth_transaction : auth_transaction + 1,
3948 resp, resp_ies, resp_ies_len,
3949 "handle-auth");
3950
3951 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3952 reply_res != WLAN_STATUS_SUCCESS)) {
3953 hostapd_drv_sta_remove(hapd, sta->addr);
3954 sta->added_unassoc = 0;
3955 }
3956 }
3957
3958
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3959 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3960 {
3961 int i, j = 32, aid;
3962
3963 /* get a unique AID */
3964 if (sta->aid > 0) {
3965 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3966 return 0;
3967 }
3968
3969 if (TEST_FAIL())
3970 return -1;
3971
3972 for (i = 0; i < AID_WORDS; i++) {
3973 if (hapd->sta_aid[i] == (u32) -1)
3974 continue;
3975 for (j = 0; j < 32; j++) {
3976 if (!(hapd->sta_aid[i] & BIT(j)))
3977 break;
3978 }
3979 if (j < 32)
3980 break;
3981 }
3982 if (j == 32)
3983 return -1;
3984 aid = i * 32 + j + 1;
3985 if (aid > 2007)
3986 return -1;
3987
3988 sta->aid = aid;
3989 hapd->sta_aid[i] |= BIT(j);
3990 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
3991 return 0;
3992 }
3993
3994
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3995 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3996 const u8 *ssid_ie, size_t ssid_ie_len)
3997 {
3998 if (ssid_ie == NULL)
3999 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4000
4001 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
4002 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
4003 hostapd_logger_only_for_cb(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4004 HOSTAPD_LEVEL_INFO,
4005 "Station tried to associate with unknown SSID "
4006 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
4007 wpa_printf(MSG_DEBUG, "hostapd_logger: Station tried to associate with unknown SSID "
4008 "'%s'", anonymize_ssid(wpa_ssid_txt(ssid_ie, ssid_ie_len)));
4009 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4010 }
4011
4012 return WLAN_STATUS_SUCCESS;
4013 }
4014
4015
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)4016 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
4017 const u8 *wmm_ie, size_t wmm_ie_len)
4018 {
4019 sta->flags &= ~WLAN_STA_WMM;
4020 sta->qosinfo = 0;
4021 if (wmm_ie && hapd->conf->wmm_enabled) {
4022 struct wmm_information_element *wmm;
4023
4024 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
4025 hostapd_logger(hapd, sta->addr,
4026 HOSTAPD_MODULE_WPA,
4027 HOSTAPD_LEVEL_DEBUG,
4028 "invalid WMM element in association "
4029 "request");
4030 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4031 }
4032
4033 sta->flags |= WLAN_STA_WMM;
4034 wmm = (struct wmm_information_element *) wmm_ie;
4035 sta->qosinfo = wmm->qos_info;
4036 }
4037 return WLAN_STATUS_SUCCESS;
4038 }
4039
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)4040 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
4041 const u8 *multi_ap_ie, size_t multi_ap_len)
4042 {
4043 u8 multi_ap_value = 0;
4044
4045 sta->flags &= ~WLAN_STA_MULTI_AP;
4046
4047 if (!hapd->conf->multi_ap)
4048 return WLAN_STATUS_SUCCESS;
4049
4050 if (multi_ap_ie) {
4051 const u8 *multi_ap_subelem;
4052
4053 multi_ap_subelem = get_ie(multi_ap_ie + 4,
4054 multi_ap_len - 4,
4055 MULTI_AP_SUB_ELEM_TYPE);
4056 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
4057 multi_ap_value = multi_ap_subelem[2];
4058 } else {
4059 hostapd_logger(hapd, sta->addr,
4060 HOSTAPD_MODULE_IEEE80211,
4061 HOSTAPD_LEVEL_INFO,
4062 "Multi-AP IE has missing or invalid Multi-AP subelement");
4063 return WLAN_STATUS_INVALID_IE;
4064 }
4065 }
4066
4067 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
4068 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4069 HOSTAPD_LEVEL_INFO,
4070 "Multi-AP IE with unexpected value 0x%02x",
4071 multi_ap_value);
4072
4073 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
4074 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
4075 return WLAN_STATUS_SUCCESS;
4076
4077 hostapd_logger(hapd, sta->addr,
4078 HOSTAPD_MODULE_IEEE80211,
4079 HOSTAPD_LEVEL_INFO,
4080 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
4081 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
4082 }
4083
4084 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
4085 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4086 HOSTAPD_LEVEL_DEBUG,
4087 "Backhaul STA tries to associate with fronthaul-only BSS");
4088
4089 sta->flags |= WLAN_STA_MULTI_AP;
4090 return WLAN_STATUS_SUCCESS;
4091 }
4092
4093
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)4094 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
4095 struct ieee802_11_elems *elems)
4096 {
4097 /* Supported rates not used in IEEE 802.11ad/DMG */
4098 if (hapd->iface->current_mode &&
4099 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
4100 return WLAN_STATUS_SUCCESS;
4101
4102 if (!elems->supp_rates) {
4103 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4104 HOSTAPD_LEVEL_DEBUG,
4105 "No supported rates element in AssocReq");
4106 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4107 }
4108
4109 if (elems->supp_rates_len + elems->ext_supp_rates_len >
4110 sizeof(sta->supported_rates)) {
4111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4112 HOSTAPD_LEVEL_DEBUG,
4113 "Invalid supported rates element length %d+%d",
4114 elems->supp_rates_len,
4115 elems->ext_supp_rates_len);
4116 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4117 }
4118
4119 sta->supported_rates_len = merge_byte_arrays(
4120 sta->supported_rates, sizeof(sta->supported_rates),
4121 elems->supp_rates, elems->supp_rates_len,
4122 elems->ext_supp_rates, elems->ext_supp_rates_len);
4123
4124 return WLAN_STATUS_SUCCESS;
4125 }
4126
4127
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)4128 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
4129 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
4130 {
4131 #ifdef CONFIG_INTERWORKING
4132 /* check for QoS Map support */
4133 if (ext_capab_ie_len >= 5) {
4134 if (ext_capab_ie[4] & 0x01)
4135 sta->qos_map_enabled = 1;
4136 }
4137 #endif /* CONFIG_INTERWORKING */
4138
4139 if (ext_capab_ie_len > 0) {
4140 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4141 os_free(sta->ext_capability);
4142 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4143 if (sta->ext_capability) {
4144 sta->ext_capability[0] = ext_capab_ie_len;
4145 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4146 ext_capab_ie_len);
4147 }
4148 }
4149
4150 return WLAN_STATUS_SUCCESS;
4151 }
4152
4153
4154 #ifdef CONFIG_OWE
4155
owe_group_supported(struct hostapd_data * hapd,u16 group)4156 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4157 {
4158 int i;
4159 int *groups = hapd->conf->owe_groups;
4160
4161 if (group != 19 && group != 20 && group != 21)
4162 return 0;
4163
4164 if (!groups)
4165 return 1;
4166
4167 for (i = 0; groups[i] > 0; i++) {
4168 if (groups[i] == group)
4169 return 1;
4170 }
4171
4172 return 0;
4173 }
4174
4175
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)4176 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4177 struct sta_info *sta, const u8 *owe_dh,
4178 u8 owe_dh_len)
4179 {
4180 struct wpabuf *secret, *pub, *hkey;
4181 int res;
4182 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4183 const char *info = "OWE Key Generation";
4184 const u8 *addr[2];
4185 size_t len[2];
4186 u16 group;
4187 size_t hash_len, prime_len;
4188
4189 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4190 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4191 return WLAN_STATUS_SUCCESS;
4192 }
4193
4194 group = WPA_GET_LE16(owe_dh);
4195 if (!owe_group_supported(hapd, group)) {
4196 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4197 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4198 }
4199 if (group == 19)
4200 prime_len = 32;
4201 else if (group == 20)
4202 prime_len = 48;
4203 else if (group == 21)
4204 prime_len = 66;
4205 else
4206 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4207
4208 crypto_ecdh_deinit(sta->owe_ecdh);
4209 sta->owe_ecdh = crypto_ecdh_init(group);
4210 if (!sta->owe_ecdh)
4211 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4212 sta->owe_group = group;
4213
4214 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4215 owe_dh_len - 2);
4216 secret = wpabuf_zeropad(secret, prime_len);
4217 if (!secret) {
4218 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4219 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4220 }
4221 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4222
4223 /* prk = HKDF-extract(C | A | group, z) */
4224
4225 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4226 if (!pub) {
4227 wpabuf_clear_free(secret);
4228 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4229 }
4230
4231 /* PMKID = Truncate-128(Hash(C | A)) */
4232 addr[0] = owe_dh + 2;
4233 len[0] = owe_dh_len - 2;
4234 addr[1] = wpabuf_head(pub);
4235 len[1] = wpabuf_len(pub);
4236 if (group == 19) {
4237 res = sha256_vector(2, addr, len, pmkid);
4238 hash_len = SHA256_MAC_LEN;
4239 } else if (group == 20) {
4240 res = sha384_vector(2, addr, len, pmkid);
4241 hash_len = SHA384_MAC_LEN;
4242 } else if (group == 21) {
4243 res = sha512_vector(2, addr, len, pmkid);
4244 hash_len = SHA512_MAC_LEN;
4245 } else {
4246 wpabuf_free(pub);
4247 wpabuf_clear_free(secret);
4248 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4249 }
4250 pub = wpabuf_zeropad(pub, prime_len);
4251 if (res < 0 || !pub) {
4252 wpabuf_free(pub);
4253 wpabuf_clear_free(secret);
4254 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4255 }
4256
4257 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4258 if (!hkey) {
4259 wpabuf_free(pub);
4260 wpabuf_clear_free(secret);
4261 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4262 }
4263
4264 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4265 wpabuf_put_buf(hkey, pub); /* A */
4266 wpabuf_free(pub);
4267 wpabuf_put_le16(hkey, group); /* group */
4268 if (group == 19)
4269 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4270 wpabuf_head(secret), wpabuf_len(secret), prk);
4271 else if (group == 20)
4272 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4273 wpabuf_head(secret), wpabuf_len(secret), prk);
4274 else if (group == 21)
4275 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4276 wpabuf_head(secret), wpabuf_len(secret), prk);
4277 wpabuf_clear_free(hkey);
4278 wpabuf_clear_free(secret);
4279 if (res < 0)
4280 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4281
4282 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4283
4284 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4285
4286 os_free(sta->owe_pmk);
4287 sta->owe_pmk = os_malloc(hash_len);
4288 if (!sta->owe_pmk) {
4289 os_memset(prk, 0, SHA512_MAC_LEN);
4290 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4291 }
4292
4293 if (group == 19)
4294 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4295 os_strlen(info), sta->owe_pmk, hash_len);
4296 else if (group == 20)
4297 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4298 os_strlen(info), sta->owe_pmk, hash_len);
4299 else if (group == 21)
4300 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4301 os_strlen(info), sta->owe_pmk, hash_len);
4302 os_memset(prk, 0, SHA512_MAC_LEN);
4303 if (res < 0) {
4304 os_free(sta->owe_pmk);
4305 sta->owe_pmk = NULL;
4306 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4307 }
4308 sta->owe_pmk_len = hash_len;
4309
4310 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4311 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4312 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4313 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4314
4315 return WLAN_STATUS_SUCCESS;
4316 }
4317
4318
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4319 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4320 const u8 *rsn_ie, size_t rsn_ie_len,
4321 const u8 *owe_dh, size_t owe_dh_len)
4322 {
4323 struct wpa_ie_data data;
4324 int res;
4325
4326 if (!rsn_ie || rsn_ie_len < 2) {
4327 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR_SEC,
4328 MAC2STR_SEC(peer));
4329 return WLAN_STATUS_INVALID_IE;
4330 }
4331 rsn_ie -= 2;
4332 rsn_ie_len += 2;
4333
4334 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4335 if (res) {
4336 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR_SEC
4337 " (res=%d)", MAC2STR_SEC(peer), res);
4338 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4339 return wpa_res_to_status_code(res);
4340 }
4341 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4342 wpa_printf(MSG_DEBUG,
4343 "OWE: Unexpected key mgmt 0x%x from " MACSTR_SEC,
4344 (unsigned int) data.key_mgmt, MAC2STR_SEC(peer));
4345 return WLAN_STATUS_AKMP_NOT_VALID;
4346 }
4347 if (!owe_dh) {
4348 wpa_printf(MSG_DEBUG,
4349 "OWE: No Diffie-Hellman Parameter element from "
4350 MACSTR_SEC, MAC2STR_SEC(peer));
4351 return WLAN_STATUS_AKMP_NOT_VALID;
4352 }
4353
4354 return WLAN_STATUS_SUCCESS;
4355 }
4356
4357
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4358 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4359 struct sta_info *sta,
4360 const u8 *rsn_ie, size_t rsn_ie_len,
4361 const u8 *owe_dh, size_t owe_dh_len)
4362 {
4363 u16 status;
4364 u8 *owe_buf, ie[256 * 2];
4365 size_t ie_len = 0;
4366 enum wpa_validate_result res;
4367
4368 if (!rsn_ie || rsn_ie_len < 2) {
4369 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4370 status = WLAN_STATUS_INVALID_IE;
4371 goto end;
4372 }
4373
4374 if (!sta->wpa_sm)
4375 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
4376 NULL);
4377 if (!sta->wpa_sm) {
4378 wpa_printf(MSG_WARNING,
4379 "OWE: Failed to initialize WPA state machine");
4380 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4381 goto end;
4382 }
4383 rsn_ie -= 2;
4384 rsn_ie_len += 2;
4385 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4386 hapd->iface->freq, rsn_ie, rsn_ie_len,
4387 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4388 status = wpa_res_to_status_code(res);
4389 if (status != WLAN_STATUS_SUCCESS)
4390 goto end;
4391 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4392 if (status != WLAN_STATUS_SUCCESS)
4393 goto end;
4394 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4395 NULL, 0);
4396 if (!owe_buf) {
4397 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4398 goto end;
4399 }
4400
4401 if (sta->owe_ecdh) {
4402 struct wpabuf *pub;
4403
4404 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4405 if (!pub) {
4406 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4407 goto end;
4408 }
4409
4410 /* OWE Diffie-Hellman Parameter element */
4411 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4412 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4413 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4414 */
4415 WPA_PUT_LE16(owe_buf, sta->owe_group);
4416 owe_buf += 2;
4417 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4418 owe_buf += wpabuf_len(pub);
4419 wpabuf_free(pub);
4420 sta->external_dh_updated = 1;
4421 }
4422 ie_len = owe_buf - ie;
4423
4424 end:
4425 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4426 MACSTR_SEC, status, (unsigned int) ie_len,
4427 MAC2STR_SEC(sta->addr));
4428 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4429 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4430 ie_len);
4431
4432 return status;
4433 }
4434
4435 #endif /* CONFIG_OWE */
4436
4437
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4438 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4439 int reassoc)
4440 {
4441 if ((sta->flags &
4442 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4443 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4444 return false;
4445
4446 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4447 ap_check_sa_query_timeout(hapd, sta);
4448
4449 if (!sta->sa_query_timed_out &&
4450 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4451 /*
4452 * STA has already been associated with MFP and SA Query timeout
4453 * has not been reached. Reject the association attempt
4454 * temporarily and start SA Query, if one is not pending.
4455 */
4456 if (sta->sa_query_count == 0)
4457 ap_sta_start_sa_query(hapd, sta);
4458
4459 return true;
4460 }
4461
4462 return false;
4463 }
4464
4465
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4466 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4467 const u8 *ies, size_t ies_len, int reassoc)
4468 {
4469 struct ieee802_11_elems elems;
4470 int resp;
4471 const u8 *wpa_ie;
4472 size_t wpa_ie_len;
4473 const u8 *p2p_dev_addr = NULL;
4474
4475 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4476 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4477 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4478 "association request");
4479 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4480 }
4481
4482 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4483 if (resp != WLAN_STATUS_SUCCESS)
4484 return resp;
4485 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4486 if (resp != WLAN_STATUS_SUCCESS)
4487 return resp;
4488 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4489 if (resp != WLAN_STATUS_SUCCESS)
4490 return resp;
4491 resp = copy_supp_rates(hapd, sta, &elems);
4492 if (resp != WLAN_STATUS_SUCCESS)
4493 return resp;
4494
4495 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4496 if (resp != WLAN_STATUS_SUCCESS)
4497 return resp;
4498
4499 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4500 if (resp != WLAN_STATUS_SUCCESS)
4501 return resp;
4502 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4503 !(sta->flags & WLAN_STA_HT)) {
4504 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4505 HOSTAPD_LEVEL_INFO, "Station does not support "
4506 "mandatory HT PHY - reject association");
4507 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4508 }
4509
4510 #ifdef CONFIG_IEEE80211AC
4511 if (hapd->iconf->ieee80211ac) {
4512 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4513 if (resp != WLAN_STATUS_SUCCESS)
4514 return resp;
4515
4516 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4517 if (resp != WLAN_STATUS_SUCCESS)
4518 return resp;
4519 }
4520
4521 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4522 !(sta->flags & WLAN_STA_VHT)) {
4523 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4524 HOSTAPD_LEVEL_INFO, "Station does not support "
4525 "mandatory VHT PHY - reject association");
4526 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4527 }
4528
4529 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4530 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4531 elems.vendor_vht_len);
4532 if (resp != WLAN_STATUS_SUCCESS)
4533 return resp;
4534 }
4535 #endif /* CONFIG_IEEE80211AC */
4536 #ifdef CONFIG_IEEE80211AX
4537 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4538 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4539 elems.he_capabilities,
4540 elems.he_capabilities_len);
4541 if (resp != WLAN_STATUS_SUCCESS)
4542 return resp;
4543 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4544 if (!(sta->flags & WLAN_STA_HE)) {
4545 hostapd_logger(hapd, sta->addr,
4546 HOSTAPD_MODULE_IEEE80211,
4547 HOSTAPD_LEVEL_INFO,
4548 "Station does not support mandatory HE PHY - reject association");
4549 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4550 }
4551 resp = copy_sta_he_6ghz_capab(hapd, sta,
4552 elems.he_6ghz_band_cap);
4553 if (resp != WLAN_STATUS_SUCCESS)
4554 return resp;
4555 }
4556 }
4557 #endif /* CONFIG_IEEE80211AX */
4558
4559 #ifdef CONFIG_P2P
4560 if (elems.p2p) {
4561 wpabuf_free(sta->p2p_ie);
4562 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4563 P2P_IE_VENDOR_TYPE);
4564 if (sta->p2p_ie)
4565 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4566 } else {
4567 wpabuf_free(sta->p2p_ie);
4568 sta->p2p_ie = NULL;
4569 }
4570 #endif /* CONFIG_P2P */
4571
4572 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4573 wpa_ie = elems.rsn_ie;
4574 wpa_ie_len = elems.rsn_ie_len;
4575 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4576 elems.wpa_ie) {
4577 wpa_ie = elems.wpa_ie;
4578 wpa_ie_len = elems.wpa_ie_len;
4579 } else {
4580 wpa_ie = NULL;
4581 wpa_ie_len = 0;
4582 }
4583
4584 #ifdef CONFIG_WPS
4585 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4586 if (hapd->conf->wps_state && elems.wps_ie) {
4587 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4588 "Request - assume WPS is used");
4589 if (check_sa_query(hapd, sta, reassoc))
4590 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4591 sta->flags |= WLAN_STA_WPS;
4592 wpabuf_free(sta->wps_ie);
4593 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4594 WPS_IE_VENDOR_TYPE);
4595 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4596 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4597 sta->flags |= WLAN_STA_WPS2;
4598 }
4599 wpa_ie = NULL;
4600 wpa_ie_len = 0;
4601 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4602 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4603 "(Re)Association Request - reject");
4604 return WLAN_STATUS_INVALID_IE;
4605 }
4606 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4607 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4608 "(Re)Association Request - possible WPS use");
4609 sta->flags |= WLAN_STA_MAYBE_WPS;
4610 } else
4611 #endif /* CONFIG_WPS */
4612 if (hapd->conf->wpa && wpa_ie == NULL) {
4613 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4614 HOSTAPD_LEVEL_INFO,
4615 "No WPA/RSN IE in association request");
4616 return WLAN_STATUS_INVALID_IE;
4617 }
4618
4619 if (hapd->conf->wpa && wpa_ie) {
4620 enum wpa_validate_result res;
4621
4622 wpa_ie -= 2;
4623 wpa_ie_len += 2;
4624 if (sta->wpa_sm == NULL)
4625 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4626 sta->addr,
4627 p2p_dev_addr);
4628 if (sta->wpa_sm == NULL) {
4629 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4630 "state machine");
4631 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4632 }
4633 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4634 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4635 hapd->iface->freq,
4636 wpa_ie, wpa_ie_len,
4637 elems.rsnxe ? elems.rsnxe - 2 : NULL,
4638 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4639 elems.mdie, elems.mdie_len,
4640 elems.owe_dh, elems.owe_dh_len);
4641 resp = wpa_res_to_status_code(res);
4642 if (resp != WLAN_STATUS_SUCCESS)
4643 return resp;
4644
4645 if (check_sa_query(hapd, sta, reassoc))
4646 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4647
4648 if (wpa_auth_uses_mfp(sta->wpa_sm))
4649 sta->flags |= WLAN_STA_MFP;
4650 else
4651 sta->flags &= ~WLAN_STA_MFP;
4652
4653 #ifdef CONFIG_IEEE80211R_AP
4654 if (sta->auth_alg == WLAN_AUTH_FT) {
4655 if (!reassoc) {
4656 wpa_printf(MSG_DEBUG, "FT: " MACSTR_SEC " tried "
4657 "to use association (not "
4658 "re-association) with FT auth_alg",
4659 MAC2STR_SEC(sta->addr));
4660 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4661 }
4662
4663 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4664 ies_len);
4665 if (resp != WLAN_STATUS_SUCCESS)
4666 return resp;
4667 }
4668 #endif /* CONFIG_IEEE80211R_AP */
4669
4670 #ifdef CONFIG_SAE
4671 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4672 sta->sae->state == SAE_ACCEPTED)
4673 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4674
4675 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4676 sta->auth_alg == WLAN_AUTH_OPEN) {
4677 struct rsn_pmksa_cache_entry *sa;
4678 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4679 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4680 wpa_printf(MSG_DEBUG,
4681 "SAE: No PMKSA cache entry found for "
4682 MACSTR_SEC, MAC2STR_SEC(sta->addr));
4683 return WLAN_STATUS_INVALID_PMKID;
4684 }
4685 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC
4686 " using PMKSA caching", MAC2STR_SEC(sta->addr));
4687 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4688 sta->auth_alg != WLAN_AUTH_SAE &&
4689 !(sta->auth_alg == WLAN_AUTH_FT &&
4690 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4691 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC " tried to use "
4692 "SAE AKM after non-SAE auth_alg %u",
4693 MAC2STR_SEC(sta->addr), sta->auth_alg);
4694 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4695 }
4696
4697 if (hapd->conf->sae_pwe == 2 &&
4698 sta->auth_alg == WLAN_AUTH_SAE &&
4699 sta->sae && !sta->sae->h2e &&
4700 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
4701 WLAN_RSNX_CAPAB_SAE_H2E)) {
4702 wpa_printf(MSG_INFO, "SAE: " MACSTR_SEC
4703 " indicates support for SAE H2E, but did not use it",
4704 MAC2STR_SEC(sta->addr));
4705 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4706 }
4707 #endif /* CONFIG_SAE */
4708
4709 #ifdef CONFIG_OWE
4710 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4711 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4712 elems.owe_dh) {
4713 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4714 elems.owe_dh_len);
4715 if (resp != WLAN_STATUS_SUCCESS)
4716 return resp;
4717 }
4718 #endif /* CONFIG_OWE */
4719
4720 #ifdef CONFIG_DPP2
4721 dpp_pfs_free(sta->dpp_pfs);
4722 sta->dpp_pfs = NULL;
4723
4724 if (DPP_VERSION > 1 &&
4725 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4726 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4727 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4728 elems.owe_dh) {
4729 sta->dpp_pfs = dpp_pfs_init(
4730 wpabuf_head(hapd->conf->dpp_netaccesskey),
4731 wpabuf_len(hapd->conf->dpp_netaccesskey));
4732 if (!sta->dpp_pfs) {
4733 wpa_printf(MSG_DEBUG,
4734 "DPP: Could not initialize PFS");
4735 /* Try to continue without PFS */
4736 goto pfs_fail;
4737 }
4738
4739 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4740 elems.owe_dh_len) < 0) {
4741 dpp_pfs_free(sta->dpp_pfs);
4742 sta->dpp_pfs = NULL;
4743 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4744 }
4745 }
4746
4747 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4748 sta->dpp_pfs->secret : NULL);
4749 pfs_fail:
4750 #endif /* CONFIG_DPP2 */
4751
4752 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4753 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4754 hostapd_logger(hapd, sta->addr,
4755 HOSTAPD_MODULE_IEEE80211,
4756 HOSTAPD_LEVEL_INFO,
4757 "Station tried to use TKIP with HT "
4758 "association");
4759 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4760 }
4761 #ifdef CONFIG_HS20
4762 } else if (hapd->conf->osen) {
4763 if (elems.osen == NULL) {
4764 hostapd_logger(
4765 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4766 HOSTAPD_LEVEL_INFO,
4767 "No HS 2.0 OSEN element in association request");
4768 return WLAN_STATUS_INVALID_IE;
4769 }
4770
4771 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4772 if (sta->wpa_sm == NULL)
4773 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4774 sta->addr, NULL);
4775 if (sta->wpa_sm == NULL) {
4776 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4777 "state machine");
4778 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4779 }
4780 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4781 elems.osen - 2, elems.osen_len + 2) < 0)
4782 return WLAN_STATUS_INVALID_IE;
4783 #endif /* CONFIG_HS20 */
4784 } else
4785 wpa_auth_sta_no_wpa(sta->wpa_sm);
4786
4787 #ifdef CONFIG_P2P
4788 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4789 #endif /* CONFIG_P2P */
4790
4791 #ifdef CONFIG_HS20
4792 wpabuf_free(sta->hs20_ie);
4793 if (elems.hs20 && elems.hs20_len > 4) {
4794 int release;
4795
4796 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4797 elems.hs20_len - 4);
4798 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4799 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4800 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4801 wpa_printf(MSG_DEBUG,
4802 "HS 2.0: PMF not negotiated by release %d station "
4803 MACSTR_SEC, release, MAC2STR_SEC(sta->addr));
4804 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4805 }
4806 } else {
4807 sta->hs20_ie = NULL;
4808 }
4809
4810 wpabuf_free(sta->roaming_consortium);
4811 if (elems.roaming_cons_sel)
4812 sta->roaming_consortium = wpabuf_alloc_copy(
4813 elems.roaming_cons_sel + 4,
4814 elems.roaming_cons_sel_len - 4);
4815 else
4816 sta->roaming_consortium = NULL;
4817 #endif /* CONFIG_HS20 */
4818
4819 #ifdef CONFIG_FST
4820 wpabuf_free(sta->mb_ies);
4821 if (hapd->iface->fst)
4822 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4823 else
4824 sta->mb_ies = NULL;
4825 #endif /* CONFIG_FST */
4826
4827 #ifdef CONFIG_MBO
4828 mbo_ap_check_sta_assoc(hapd, sta, &elems);
4829
4830 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4831 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4832 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4833 wpa_printf(MSG_INFO,
4834 "MBO: Reject WPA2 association without PMF");
4835 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4836 }
4837 #endif /* CONFIG_MBO */
4838
4839 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4840 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4841 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4842 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4843 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4844 struct wpa_channel_info ci;
4845 int tx_chanwidth;
4846 int tx_seg1_idx;
4847 enum oci_verify_result res;
4848
4849 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4850 wpa_printf(MSG_WARNING,
4851 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4852 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4853 }
4854
4855 if (get_sta_tx_parameters(sta->wpa_sm,
4856 channel_width_to_int(ci.chanwidth),
4857 ci.seg1_idx, &tx_chanwidth,
4858 &tx_seg1_idx) < 0)
4859 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4860
4861 res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4862 tx_chanwidth, tx_seg1_idx);
4863 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4864 res == OCI_NOT_FOUND) {
4865 /* Work around misbehaving STAs */
4866 wpa_printf(MSG_INFO,
4867 "FILS: Disable OCV with a STA that does not send OCI");
4868 wpa_auth_set_ocv(sta->wpa_sm, 0);
4869 } else if (res != OCI_SUCCESS) {
4870 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4871 ocv_errorstr);
4872 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4873 MACSTR " frame=fils-reassoc-req error=%s",
4874 MAC2STR(sta->addr), ocv_errorstr);
4875 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4876 }
4877 }
4878 #endif /* CONFIG_FILS && CONFIG_OCV */
4879
4880 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4881 elems.supp_op_classes_len);
4882
4883 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4884 elems.rrm_enabled &&
4885 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4886 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4887 sizeof(sta->rrm_enabled_capa));
4888
4889 if (elems.power_capab) {
4890 sta->min_tx_power = elems.power_capab[0];
4891 sta->max_tx_power = elems.power_capab[1];
4892 sta->power_capab = 1;
4893 } else {
4894 sta->power_capab = 0;
4895 }
4896
4897 return WLAN_STATUS_SUCCESS;
4898 }
4899
4900
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4901 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4902 u16 reason_code)
4903 {
4904 int send_len;
4905 struct ieee80211_mgmt reply;
4906
4907 os_memset(&reply, 0, sizeof(reply));
4908 reply.frame_control =
4909 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4910 os_memcpy(reply.da, addr, ETH_ALEN);
4911 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4912 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4913
4914 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4915 reply.u.deauth.reason_code = host_to_le16(reason_code);
4916
4917 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4918 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4919 strerror(errno));
4920 }
4921
4922
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4923 static int add_associated_sta(struct hostapd_data *hapd,
4924 struct sta_info *sta, int reassoc)
4925 {
4926 struct ieee80211_ht_capabilities ht_cap;
4927 struct ieee80211_vht_capabilities vht_cap;
4928 struct ieee80211_he_capabilities he_cap;
4929 int set = 1;
4930
4931 /*
4932 * Remove the STA entry to ensure the STA PS state gets cleared and
4933 * configuration gets updated. This is relevant for cases, such as
4934 * FT-over-the-DS, where a station re-associates back to the same AP but
4935 * skips the authentication flow, or if working with a driver that
4936 * does not support full AP client state.
4937 *
4938 * Skip this if the STA has already completed FT reassociation and the
4939 * TK has been configured since the TX/RX PN must not be reset to 0 for
4940 * the same key.
4941 *
4942 * FT-over-the-DS has a special case where the STA entry (and as such,
4943 * the TK) has not yet been configured to the driver depending on which
4944 * driver interface is used. For that case, allow add-STA operation to
4945 * be used (instead of set-STA). This is needed to allow mac80211-based
4946 * drivers to accept the STA parameter configuration. Since this is
4947 * after a new FT-over-DS exchange, a new TK has been derived, so key
4948 * reinstallation is not a concern for this case.
4949 */
4950 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR_SEC
4951 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4952 MAC2STR_SEC(sta->addr), sta->added_unassoc, sta->auth_alg,
4953 sta->ft_over_ds, reassoc,
4954 !!(sta->flags & WLAN_STA_AUTHORIZED),
4955 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4956 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4957
4958 if (!sta->added_unassoc &&
4959 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4960 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4961 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4962 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4963 hostapd_drv_sta_remove(hapd, sta->addr);
4964 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4965 set = 0;
4966
4967 /* Do not allow the FT-over-DS exception to be used more than
4968 * once per authentication exchange to guarantee a new TK is
4969 * used here */
4970 sta->ft_over_ds = 0;
4971 }
4972
4973 if (sta->flags & WLAN_STA_HT)
4974 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4975 #ifdef CONFIG_IEEE80211AC
4976 if (sta->flags & WLAN_STA_VHT)
4977 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4978 #endif /* CONFIG_IEEE80211AC */
4979 #ifdef CONFIG_IEEE80211AX
4980 if (sta->flags & WLAN_STA_HE) {
4981 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4982 sta->he_capab_len);
4983 }
4984 #endif /* CONFIG_IEEE80211AX */
4985
4986 /*
4987 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4988 * will be set when the ACK frame for the (Re)Association Response frame
4989 * is processed (TX status driver event).
4990 */
4991 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4992 sta->supported_rates, sta->supported_rates_len,
4993 sta->listen_interval,
4994 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4995 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4996 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4997 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4998 sta->he_6ghz_capab,
4999 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
5000 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
5001 set)) {
5002 hostapd_logger(hapd, sta->addr,
5003 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
5004 "Could not %s STA to kernel driver",
5005 set ? "set" : "add");
5006
5007 if (sta->added_unassoc) {
5008 hostapd_drv_sta_remove(hapd, sta->addr);
5009 sta->added_unassoc = 0;
5010 }
5011
5012 return -1;
5013 }
5014
5015 sta->added_unassoc = 0;
5016
5017 return 0;
5018 }
5019
5020
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)5021 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
5022 const u8 *addr, u16 status_code, int reassoc,
5023 const u8 *ies, size_t ies_len, int rssi,
5024 int omit_rsnxe)
5025 {
5026 int send_len;
5027 u8 *buf;
5028 size_t buflen;
5029 struct ieee80211_mgmt *reply;
5030 u8 *p;
5031 u16 res = WLAN_STATUS_SUCCESS;
5032
5033 buflen = sizeof(struct ieee80211_mgmt) + 1024;
5034 #ifdef CONFIG_FILS
5035 if (sta && sta->fils_hlp_resp)
5036 buflen += wpabuf_len(sta->fils_hlp_resp);
5037 if (sta)
5038 buflen += 150;
5039 #endif /* CONFIG_FILS */
5040 #ifdef CONFIG_OWE
5041 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5042 buflen += 150;
5043 #endif /* CONFIG_OWE */
5044 #ifdef CONFIG_DPP2
5045 if (sta && sta->dpp_pfs)
5046 buflen += 5 + sta->dpp_pfs->curve->prime_len;
5047 #endif /* CONFIG_DPP2 */
5048 buf = os_zalloc(buflen);
5049 if (!buf) {
5050 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5051 goto done;
5052 }
5053 reply = (struct ieee80211_mgmt *) buf;
5054 reply->frame_control =
5055 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
5056 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
5057 WLAN_FC_STYPE_ASSOC_RESP));
5058 os_memcpy(reply->da, addr, ETH_ALEN);
5059 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
5060 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
5061
5062 send_len = IEEE80211_HDRLEN;
5063 send_len += sizeof(reply->u.assoc_resp);
5064 reply->u.assoc_resp.capab_info =
5065 host_to_le16(hostapd_own_capab_info(hapd));
5066 reply->u.assoc_resp.status_code = host_to_le16(status_code);
5067
5068 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
5069 BIT(14) | BIT(15));
5070 /* Supported rates */
5071 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
5072 /* Extended supported rates */
5073 p = hostapd_eid_ext_supp_rates(hapd, p);
5074
5075 /* Radio measurement capabilities */
5076 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
5077
5078 #ifdef CONFIG_MBO
5079 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
5080 rssi != 0) {
5081 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
5082
5083 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
5084 delta);
5085 }
5086 #endif /* CONFIG_MBO */
5087
5088 #ifdef CONFIG_IEEE80211R_AP
5089 if (sta && status_code == WLAN_STATUS_SUCCESS) {
5090 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
5091 * Transition Information, RSN, [RIC Response] */
5092 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
5093 buf + buflen - p,
5094 sta->auth_alg, ies, ies_len,
5095 omit_rsnxe);
5096 if (!p) {
5097 wpa_printf(MSG_DEBUG,
5098 "FT: Failed to write AssocResp IEs");
5099 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5100 goto done;
5101 }
5102 }
5103 #endif /* CONFIG_IEEE80211R_AP */
5104 #ifdef CONFIG_FILS
5105 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5106 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5107 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5108 sta->auth_alg == WLAN_AUTH_FILS_PK))
5109 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
5110 buf + buflen - p,
5111 ies, ies_len);
5112 #endif /* CONFIG_FILS */
5113
5114 #ifdef CONFIG_OWE
5115 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5116 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5117 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
5118 buf + buflen - p,
5119 ies, ies_len);
5120 #endif /* CONFIG_OWE */
5121
5122 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
5123 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
5124
5125 p = hostapd_eid_ht_capabilities(hapd, p);
5126 p = hostapd_eid_ht_operation(hapd, p);
5127
5128 #ifdef CONFIG_IEEE80211AC
5129 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
5130 !is_6ghz_op_class(hapd->iconf->op_class)) {
5131 u32 nsts = 0, sta_nsts;
5132
5133 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
5134 struct ieee80211_vht_capabilities *capa;
5135
5136 nsts = (hapd->iface->conf->vht_capab >>
5137 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5138 capa = sta->vht_capabilities;
5139 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5140 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5141
5142 if (nsts < sta_nsts)
5143 nsts = 0;
5144 else
5145 nsts = sta_nsts;
5146 }
5147 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5148 p = hostapd_eid_vht_operation(hapd, p);
5149 }
5150 #endif /* CONFIG_IEEE80211AC */
5151
5152 #ifdef CONFIG_IEEE80211AX
5153 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5154 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5155 p = hostapd_eid_he_operation(hapd, p);
5156 p = hostapd_eid_spatial_reuse(hapd, p);
5157 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5158 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5159 }
5160 #endif /* CONFIG_IEEE80211AX */
5161
5162 p = hostapd_eid_ext_capab(hapd, p);
5163 p = hostapd_eid_bss_max_idle_period(hapd, p);
5164 if (sta && sta->qos_map_enabled)
5165 p = hostapd_eid_qos_map_set(hapd, p);
5166
5167 #ifdef CONFIG_FST
5168 if (hapd->iface->fst_ies) {
5169 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5170 wpabuf_len(hapd->iface->fst_ies));
5171 p += wpabuf_len(hapd->iface->fst_ies);
5172 }
5173 #endif /* CONFIG_FST */
5174
5175 #ifdef CONFIG_TESTING_OPTIONS
5176 if (hapd->conf->rsnxe_override_ft &&
5177 buf + buflen - p >=
5178 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5179 sta && sta->auth_alg == WLAN_AUTH_FT) {
5180 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5181 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5182 wpabuf_len(hapd->conf->rsnxe_override_ft));
5183 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5184 goto rsnxe_done;
5185 }
5186 #endif /* CONFIG_TESTING_OPTIONS */
5187 if (!omit_rsnxe)
5188 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5189 #ifdef CONFIG_TESTING_OPTIONS
5190 rsnxe_done:
5191 #endif /* CONFIG_TESTING_OPTIONS */
5192
5193 #ifdef CONFIG_OWE
5194 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5195 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5196 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5197 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5198 struct wpabuf *pub;
5199
5200 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5201 if (!pub) {
5202 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5203 goto done;
5204 }
5205 /* OWE Diffie-Hellman Parameter element */
5206 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5207 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5208 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5209 WPA_PUT_LE16(p, sta->owe_group);
5210 p += 2;
5211 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5212 p += wpabuf_len(pub);
5213 wpabuf_free(pub);
5214 }
5215 #endif /* CONFIG_OWE */
5216
5217 #ifdef CONFIG_DPP2
5218 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5219 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5220 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5221 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5222 wpabuf_len(sta->dpp_pfs->ie));
5223 p += wpabuf_len(sta->dpp_pfs->ie);
5224 }
5225 #endif /* CONFIG_DPP2 */
5226
5227 #ifdef CONFIG_IEEE80211AC
5228 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5229 p = hostapd_eid_vendor_vht(hapd, p);
5230 #endif /* CONFIG_IEEE80211AC */
5231
5232 if (sta && (sta->flags & WLAN_STA_WMM))
5233 p = hostapd_eid_wmm(hapd, p);
5234
5235 #ifdef CONFIG_WPS
5236 if (sta &&
5237 ((sta->flags & WLAN_STA_WPS) ||
5238 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5239 struct wpabuf *wps = wps_build_assoc_resp_ie();
5240 if (wps) {
5241 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5242 p += wpabuf_len(wps);
5243 wpabuf_free(wps);
5244 }
5245 }
5246 #endif /* CONFIG_WPS */
5247
5248 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5249 p = hostapd_eid_multi_ap(hapd, p);
5250
5251 #ifdef CONFIG_P2P
5252 if (sta && sta->p2p_ie && hapd->p2p_group) {
5253 struct wpabuf *p2p_resp_ie;
5254 enum p2p_status_code status;
5255 switch (status_code) {
5256 case WLAN_STATUS_SUCCESS:
5257 status = P2P_SC_SUCCESS;
5258 break;
5259 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5260 status = P2P_SC_FAIL_LIMIT_REACHED;
5261 break;
5262 default:
5263 status = P2P_SC_FAIL_INVALID_PARAMS;
5264 break;
5265 }
5266 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5267 if (p2p_resp_ie) {
5268 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5269 wpabuf_len(p2p_resp_ie));
5270 p += wpabuf_len(p2p_resp_ie);
5271 wpabuf_free(p2p_resp_ie);
5272 }
5273 }
5274 #endif /* CONFIG_P2P */
5275
5276 #ifdef CONFIG_P2P_MANAGER
5277 if (hapd->conf->p2p & P2P_MANAGE)
5278 p = hostapd_eid_p2p_manage(hapd, p);
5279 #endif /* CONFIG_P2P_MANAGER */
5280
5281 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5282
5283 if (hapd->conf->assocresp_elements &&
5284 (size_t) (buf + buflen - p) >=
5285 wpabuf_len(hapd->conf->assocresp_elements)) {
5286 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5287 wpabuf_len(hapd->conf->assocresp_elements));
5288 p += wpabuf_len(hapd->conf->assocresp_elements);
5289 }
5290
5291 send_len += p - reply->u.assoc_resp.variable;
5292
5293 #ifdef CONFIG_FILS
5294 if (sta &&
5295 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5296 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5297 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5298 status_code == WLAN_STATUS_SUCCESS) {
5299 struct ieee802_11_elems elems;
5300
5301 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5302 ParseFailed || !elems.fils_session) {
5303 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5304 goto done;
5305 }
5306
5307 /* FILS Session */
5308 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5309 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5310 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5311 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5312 send_len += 2 + 1 + FILS_SESSION_LEN;
5313
5314 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5315 buflen, sta->fils_hlp_resp);
5316 if (send_len < 0) {
5317 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5318 goto done;
5319 }
5320 }
5321 #endif /* CONFIG_FILS */
5322
5323 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5324 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5325 strerror(errno));
5326 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5327 }
5328
5329 done:
5330 os_free(buf);
5331 return res;
5332 }
5333
5334
5335 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5336 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5337 const u8 *owe_dh, u8 owe_dh_len,
5338 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5339 {
5340 #ifdef CONFIG_TESTING_OPTIONS
5341 if (hapd->conf->own_ie_override) {
5342 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5343 *status = WLAN_STATUS_SUCCESS;
5344 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5345 owe_buf_len, NULL, 0);
5346 }
5347 #endif /* CONFIG_TESTING_OPTIONS */
5348
5349 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5350 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5351 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5352 owe_buf_len, NULL, 0);
5353 *status = WLAN_STATUS_SUCCESS;
5354 return owe_buf;
5355 }
5356
5357 if (sta->owe_pmk && sta->external_dh_updated) {
5358 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5359 *status = WLAN_STATUS_SUCCESS;
5360 return owe_buf;
5361 }
5362
5363 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5364 if (*status != WLAN_STATUS_SUCCESS)
5365 return NULL;
5366
5367 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5368 owe_buf_len, NULL, 0);
5369
5370 if (sta->owe_ecdh && owe_buf) {
5371 struct wpabuf *pub;
5372
5373 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5374 if (!pub) {
5375 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5376 return owe_buf;
5377 }
5378
5379 /* OWE Diffie-Hellman Parameter element */
5380 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5381 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5382 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5383 */
5384 WPA_PUT_LE16(owe_buf, sta->owe_group);
5385 owe_buf += 2;
5386 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5387 owe_buf += wpabuf_len(pub);
5388 wpabuf_free(pub);
5389 }
5390
5391 return owe_buf;
5392 }
5393 #endif /* CONFIG_OWE */
5394
5395
5396 #ifdef CONFIG_FILS
5397
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5398 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5399 {
5400 u16 reply_res;
5401
5402 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR_SEC,
5403 MAC2STR_SEC(sta->addr));
5404 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5405 if (!sta->fils_pending_assoc_req)
5406 return;
5407 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5408 sta->fils_pending_assoc_is_reassoc,
5409 sta->fils_pending_assoc_req,
5410 sta->fils_pending_assoc_req_len, 0, 0);
5411 os_free(sta->fils_pending_assoc_req);
5412 sta->fils_pending_assoc_req = NULL;
5413 sta->fils_pending_assoc_req_len = 0;
5414 wpabuf_free(sta->fils_hlp_resp);
5415 sta->fils_hlp_resp = NULL;
5416 wpabuf_free(sta->hlp_dhcp_discover);
5417 sta->hlp_dhcp_discover = NULL;
5418
5419 /*
5420 * Remove the station in case transmission of a success response fails.
5421 * At this point the station was already added associated to the driver.
5422 */
5423 if (reply_res != WLAN_STATUS_SUCCESS)
5424 hostapd_drv_sta_remove(hapd, sta->addr);
5425 }
5426
5427
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5428 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5429 {
5430 struct hostapd_data *hapd = eloop_ctx;
5431 struct sta_info *sta = eloop_data;
5432
5433 wpa_printf(MSG_DEBUG,
5434 "FILS: HLP response timeout - continue with association response for "
5435 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5436 if (sta->fils_drv_assoc_finish)
5437 hostapd_notify_assoc_fils_finish(hapd, sta);
5438 else
5439 fils_hlp_finish_assoc(hapd, sta);
5440 }
5441
5442 #endif /* CONFIG_FILS */
5443
5444
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5445 static void handle_assoc(struct hostapd_data *hapd,
5446 const struct ieee80211_mgmt *mgmt, size_t len,
5447 int reassoc, int rssi)
5448 {
5449 u16 capab_info, listen_interval, seq_ctrl, fc;
5450 int resp = WLAN_STATUS_SUCCESS;
5451 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5452 const u8 *pos;
5453 int left, i;
5454 struct sta_info *sta;
5455 u8 *tmp = NULL;
5456 #ifdef CONFIG_FILS
5457 int delay_assoc = 0;
5458 #endif /* CONFIG_FILS */
5459 int omit_rsnxe = 0;
5460
5461 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5462 sizeof(mgmt->u.assoc_req))) {
5463 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5464 reassoc, (unsigned long) len);
5465 return;
5466 }
5467
5468 #ifdef CONFIG_TESTING_OPTIONS
5469 if (reassoc) {
5470 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5471 drand48() < hapd->iconf->ignore_reassoc_probability) {
5472 wpa_printf(MSG_INFO,
5473 "TESTING: ignoring reassoc request from "
5474 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5475 return;
5476 }
5477 } else {
5478 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5479 drand48() < hapd->iconf->ignore_assoc_probability) {
5480 wpa_printf(MSG_INFO,
5481 "TESTING: ignoring assoc request from "
5482 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5483 return;
5484 }
5485 }
5486 #endif /* CONFIG_TESTING_OPTIONS */
5487
5488 fc = le_to_host16(mgmt->frame_control);
5489 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5490
5491 if (reassoc) {
5492 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5493 listen_interval = le_to_host16(
5494 mgmt->u.reassoc_req.listen_interval);
5495 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR_SEC
5496 " capab_info=0x%02x listen_interval=%d current_ap="
5497 MACSTR_SEC " seq_ctrl=0x%x%s",
5498 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5499 MAC2STR_SEC(mgmt->u.reassoc_req.current_ap),
5500 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5501 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5502 pos = mgmt->u.reassoc_req.variable;
5503 } else {
5504 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5505 listen_interval = le_to_host16(
5506 mgmt->u.assoc_req.listen_interval);
5507 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR_SEC
5508 " capab_info=0x%02x listen_interval=%d "
5509 "seq_ctrl=0x%x%s",
5510 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5511 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5512 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5513 pos = mgmt->u.assoc_req.variable;
5514 }
5515
5516 sta = ap_get_sta(hapd, mgmt->sa);
5517 #ifdef CONFIG_IEEE80211R_AP
5518 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5519 (sta->flags & WLAN_STA_AUTH) == 0) {
5520 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR_SEC " to associate "
5521 "prior to authentication since it is using "
5522 "over-the-DS FT", MAC2STR_SEC(mgmt->sa));
5523
5524 /*
5525 * Mark station as authenticated, to avoid adding station
5526 * entry in the driver as associated and not authenticated
5527 */
5528 sta->flags |= WLAN_STA_AUTH;
5529 } else
5530 #endif /* CONFIG_IEEE80211R_AP */
5531 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5532 if (hapd->iface->current_mode &&
5533 hapd->iface->current_mode->mode ==
5534 HOSTAPD_MODE_IEEE80211AD) {
5535 int acl_res;
5536 struct radius_sta info;
5537
5538 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5539 (const u8 *) mgmt,
5540 len, &info);
5541 if (acl_res == HOSTAPD_ACL_REJECT) {
5542 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5543 "Ignore Association Request frame from "
5544 MACSTR " due to ACL reject",
5545 MAC2STR(mgmt->sa));
5546 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5547 goto fail;
5548 }
5549 if (acl_res == HOSTAPD_ACL_PENDING)
5550 return;
5551
5552 /* DMG/IEEE 802.11ad does not use authentication.
5553 * Allocate sta entry upon association. */
5554 sta = ap_sta_add(hapd, mgmt->sa);
5555 if (!sta) {
5556 hostapd_logger(hapd, mgmt->sa,
5557 HOSTAPD_MODULE_IEEE80211,
5558 HOSTAPD_LEVEL_INFO,
5559 "Failed to add STA");
5560 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5561 goto fail;
5562 }
5563
5564 acl_res = ieee802_11_set_radius_info(
5565 hapd, sta, acl_res, &info);
5566 if (acl_res) {
5567 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5568 goto fail;
5569 }
5570
5571 hostapd_logger(hapd, sta->addr,
5572 HOSTAPD_MODULE_IEEE80211,
5573 HOSTAPD_LEVEL_DEBUG,
5574 "Skip authentication for DMG/IEEE 802.11ad");
5575 sta->flags |= WLAN_STA_AUTH;
5576 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5577 sta->auth_alg = WLAN_AUTH_OPEN;
5578 } else {
5579 hostapd_logger(hapd, mgmt->sa,
5580 HOSTAPD_MODULE_IEEE80211,
5581 HOSTAPD_LEVEL_INFO,
5582 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5583 sta ? sta->aid : -1,
5584 sta ? sta->flags : 0);
5585 send_deauth(hapd, mgmt->sa,
5586 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5587 return;
5588 }
5589 }
5590
5591 if ((fc & WLAN_FC_RETRY) &&
5592 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5593 sta->last_seq_ctrl == seq_ctrl &&
5594 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5595 WLAN_FC_STYPE_ASSOC_REQ)) {
5596 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5597 HOSTAPD_LEVEL_DEBUG,
5598 "Drop repeated association frame seq_ctrl=0x%x",
5599 seq_ctrl);
5600 return;
5601 }
5602 sta->last_seq_ctrl = seq_ctrl;
5603 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5604 WLAN_FC_STYPE_ASSOC_REQ;
5605
5606 if (hapd->tkip_countermeasures) {
5607 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5608 goto fail;
5609 }
5610
5611 if (listen_interval > hapd->conf->max_listen_interval) {
5612 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5613 HOSTAPD_LEVEL_DEBUG,
5614 "Too large Listen Interval (%d)",
5615 listen_interval);
5616 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5617 goto fail;
5618 }
5619
5620 #ifdef CONFIG_MBO
5621 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5622 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5623 goto fail;
5624 }
5625
5626 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5627 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5628 (sta->auth_rssi == 0 ||
5629 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5630 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5631 goto fail;
5632 }
5633 #endif /* CONFIG_MBO */
5634
5635 /*
5636 * sta->capability is used in check_assoc_ies() for RRM enabled
5637 * capability element.
5638 */
5639 sta->capability = capab_info;
5640
5641 #ifdef CONFIG_FILS
5642 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5643 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5644 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5645 int res;
5646
5647 /* The end of the payload is encrypted. Need to decrypt it
5648 * before parsing. */
5649
5650 tmp = os_memdup(pos, left);
5651 if (!tmp) {
5652 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5653 goto fail;
5654 }
5655
5656 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5657 len, tmp, left);
5658 if (res < 0) {
5659 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5660 goto fail;
5661 }
5662 pos = tmp;
5663 left = res;
5664 }
5665 #endif /* CONFIG_FILS */
5666
5667 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5668 * is used */
5669 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5670 if (resp != WLAN_STATUS_SUCCESS)
5671 goto fail;
5672 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5673
5674 if (hostapd_get_aid(hapd, sta) < 0) {
5675 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5676 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5677 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5678 goto fail;
5679 }
5680
5681 sta->listen_interval = listen_interval;
5682
5683 if (hapd->iface->current_mode &&
5684 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5685 sta->flags |= WLAN_STA_NONERP;
5686 for (i = 0; i < sta->supported_rates_len; i++) {
5687 if ((sta->supported_rates[i] & 0x7f) > 22) {
5688 sta->flags &= ~WLAN_STA_NONERP;
5689 break;
5690 }
5691 }
5692 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5693 sta->nonerp_set = 1;
5694 hapd->iface->num_sta_non_erp++;
5695 if (hapd->iface->num_sta_non_erp == 1)
5696 ieee802_11_set_beacons(hapd->iface);
5697 }
5698
5699 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5700 !sta->no_short_slot_time_set) {
5701 sta->no_short_slot_time_set = 1;
5702 hapd->iface->num_sta_no_short_slot_time++;
5703 if (hapd->iface->current_mode &&
5704 hapd->iface->current_mode->mode ==
5705 HOSTAPD_MODE_IEEE80211G &&
5706 hapd->iface->num_sta_no_short_slot_time == 1)
5707 ieee802_11_set_beacons(hapd->iface);
5708 }
5709
5710 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5711 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5712 else
5713 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5714
5715 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5716 !sta->no_short_preamble_set) {
5717 sta->no_short_preamble_set = 1;
5718 hapd->iface->num_sta_no_short_preamble++;
5719 if (hapd->iface->current_mode &&
5720 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5721 && hapd->iface->num_sta_no_short_preamble == 1)
5722 ieee802_11_set_beacons(hapd->iface);
5723 }
5724
5725 update_ht_state(hapd, sta);
5726
5727 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5728 HOSTAPD_LEVEL_DEBUG,
5729 "association OK (aid %d)", sta->aid);
5730 /* Station will be marked associated, after it acknowledges AssocResp
5731 */
5732 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5733
5734 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5735 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5736 "SA Query procedure", reassoc ? "re" : "");
5737 /* TODO: Send a protected Disassociate frame to the STA using
5738 * the old key and Reason Code "Previous Authentication no
5739 * longer valid". Make sure this is only sent protected since
5740 * unprotected frame would be received by the STA that is now
5741 * trying to associate.
5742 */
5743 }
5744
5745 /* Make sure that the previously registered inactivity timer will not
5746 * remove the STA immediately. */
5747 sta->timeout_next = STA_NULLFUNC;
5748
5749 #ifdef CONFIG_TAXONOMY
5750 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5751 #endif /* CONFIG_TAXONOMY */
5752
5753 sta->pending_wds_enable = 0;
5754
5755 #ifdef CONFIG_FILS
5756 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5757 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5758 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5759 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5760 delay_assoc = 1;
5761 }
5762 #endif /* CONFIG_FILS */
5763
5764 fail:
5765
5766 /*
5767 * In case of a successful response, add the station to the driver.
5768 * Otherwise, the kernel may ignore Data frames before we process the
5769 * ACK frame (TX status). In case of a failure, this station will be
5770 * removed.
5771 *
5772 * Note that this is not compliant with the IEEE 802.11 standard that
5773 * states that a non-AP station should transition into the
5774 * authenticated/associated state only after the station acknowledges
5775 * the (Re)Association Response frame. However, still do this as:
5776 *
5777 * 1. In case the station does not acknowledge the (Re)Association
5778 * Response frame, it will be removed.
5779 * 2. Data frames will be dropped in the kernel until the station is
5780 * set into authorized state, and there are no significant known
5781 * issues with processing other non-Data Class 3 frames during this
5782 * window.
5783 */
5784 if (resp == WLAN_STATUS_SUCCESS && sta &&
5785 add_associated_sta(hapd, sta, reassoc))
5786 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5787
5788 #ifdef CONFIG_FILS
5789 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5790 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5791 sta->fils_pending_assoc_req) {
5792 /* Do not reschedule fils_hlp_timeout in case the station
5793 * retransmits (Re)Association Request frame while waiting for
5794 * the previously started FILS HLP wait, so that the timeout can
5795 * be determined from the first pending attempt. */
5796 wpa_printf(MSG_DEBUG,
5797 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5798 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5799 os_free(tmp);
5800 return;
5801 }
5802 if (sta) {
5803 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5804 os_free(sta->fils_pending_assoc_req);
5805 sta->fils_pending_assoc_req = NULL;
5806 sta->fils_pending_assoc_req_len = 0;
5807 wpabuf_free(sta->fils_hlp_resp);
5808 sta->fils_hlp_resp = NULL;
5809 }
5810 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5811 sta->fils_pending_assoc_req = tmp;
5812 sta->fils_pending_assoc_req_len = left;
5813 sta->fils_pending_assoc_is_reassoc = reassoc;
5814 sta->fils_drv_assoc_finish = 0;
5815 wpa_printf(MSG_DEBUG,
5816 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5817 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5818 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5819 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5820 fils_hlp_timeout, hapd, sta);
5821 return;
5822 }
5823 #endif /* CONFIG_FILS */
5824
5825 if (resp >= 0)
5826 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5827 pos, left, rssi, omit_rsnxe);
5828 os_free(tmp);
5829
5830 /*
5831 * Remove the station in case transmission of a success response fails
5832 * (the STA was added associated to the driver) or if the station was
5833 * previously added unassociated.
5834 */
5835 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5836 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5837 hostapd_drv_sta_remove(hapd, sta->addr);
5838 sta->added_unassoc = 0;
5839 }
5840 }
5841
5842
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5843 static void handle_disassoc(struct hostapd_data *hapd,
5844 const struct ieee80211_mgmt *mgmt, size_t len)
5845 {
5846 struct sta_info *sta;
5847
5848 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5849 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5850 (unsigned long) len);
5851 return;
5852 }
5853
5854 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR_SEC " reason_code=%d",
5855 MAC2STR_SEC(mgmt->sa),
5856 le_to_host16(mgmt->u.disassoc.reason_code));
5857
5858 sta = ap_get_sta(hapd, mgmt->sa);
5859 if (sta == NULL) {
5860 wpa_printf(MSG_INFO, "Station " MACSTR_SEC " trying to disassociate, but it is not associated",
5861 MAC2STR_SEC(mgmt->sa));
5862 return;
5863 }
5864
5865 ap_sta_set_authorized(hapd, sta, 0);
5866 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5867 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5868 hostapd_set_sta_flags(hapd, sta);
5869 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5870 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5871 HOSTAPD_LEVEL_INFO, "disassociated");
5872 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5873 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5874 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5875 * authenticated. */
5876 accounting_sta_stop(hapd, sta);
5877 ieee802_1x_free_station(hapd, sta);
5878 if (sta->ipaddr)
5879 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5880 ap_sta_ip6addr_del(hapd, sta);
5881 hostapd_drv_sta_remove(hapd, sta->addr);
5882 sta->added_unassoc = 0;
5883
5884 if (sta->timeout_next == STA_NULLFUNC ||
5885 sta->timeout_next == STA_DISASSOC) {
5886 sta->timeout_next = STA_DEAUTH;
5887 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5888 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5889 hapd, sta);
5890 }
5891
5892 mlme_disassociate_indication(
5893 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5894
5895 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5896 * disassociation. */
5897 if (hapd->iface->current_mode &&
5898 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5899 sta->flags &= ~WLAN_STA_AUTH;
5900 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5901 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5902 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5903 ap_free_sta(hapd, sta);
5904 }
5905 }
5906
5907
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5908 static void handle_deauth(struct hostapd_data *hapd,
5909 const struct ieee80211_mgmt *mgmt, size_t len)
5910 {
5911 struct sta_info *sta;
5912
5913 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5914 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5915 "payload (len=%lu)", (unsigned long) len);
5916 return;
5917 }
5918
5919 wpa_msg_only_for_cb(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5920 " reason_code=%d",
5921 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5922 wpa_printf(MSG_DEBUG, "deauthentication: STA=" MACSTR_SEC
5923 " reason_code=%d",
5924 MAC2STR_SEC(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5925
5926 /* Clear the PTKSA cache entries for PASN */
5927 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5928
5929 sta = ap_get_sta(hapd, mgmt->sa);
5930 if (sta == NULL) {
5931 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5932 "to deauthenticate, but it is not authenticated",
5933 MAC2STR(mgmt->sa));
5934 return;
5935 }
5936
5937 ap_sta_set_authorized(hapd, sta, 0);
5938 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5939 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5940 WLAN_STA_ASSOC_REQ_OK);
5941 hostapd_set_sta_flags(hapd, sta);
5942 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5943 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5944 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5945 mlme_deauthenticate_indication(
5946 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5947 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5948 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5949 ap_free_sta(hapd, sta);
5950 }
5951
5952
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5953 static void handle_beacon(struct hostapd_data *hapd,
5954 const struct ieee80211_mgmt *mgmt, size_t len,
5955 struct hostapd_frame_info *fi)
5956 {
5957 struct ieee802_11_elems elems;
5958
5959 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5960 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5961 (unsigned long) len);
5962 return;
5963 }
5964
5965 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5966 len - (IEEE80211_HDRLEN +
5967 sizeof(mgmt->u.beacon)), &elems,
5968 0);
5969
5970 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5971 }
5972
5973
robust_action_frame(u8 category)5974 static int robust_action_frame(u8 category)
5975 {
5976 return category != WLAN_ACTION_PUBLIC &&
5977 category != WLAN_ACTION_HT;
5978 }
5979
5980
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5981 static int handle_action(struct hostapd_data *hapd,
5982 const struct ieee80211_mgmt *mgmt, size_t len,
5983 unsigned int freq)
5984 {
5985 struct sta_info *sta;
5986 u8 *action __maybe_unused;
5987
5988 if (len < IEEE80211_HDRLEN + 2 + 1) {
5989 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5990 HOSTAPD_LEVEL_DEBUG,
5991 "handle_action - too short payload (len=%lu)",
5992 (unsigned long) len);
5993 return 0;
5994 }
5995
5996 action = (u8 *) &mgmt->u.action.u;
5997 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR_SEC
5998 " da " MACSTR_SEC " len %d freq %u",
5999 mgmt->u.action.category, *action,
6000 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), (int) len, freq);
6001
6002 sta = ap_get_sta(hapd, mgmt->sa);
6003
6004 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6005 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6006 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6007 "frame (category=%u) from unassociated STA " MACSTR_SEC,
6008 mgmt->u.action.category, MAC2STR_SEC(mgmt->sa));
6009 return 0;
6010 }
6011
6012 if (sta && (sta->flags & WLAN_STA_MFP) &&
6013 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6014 robust_action_frame(mgmt->u.action.category)) {
6015 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6016 HOSTAPD_LEVEL_DEBUG,
6017 "Dropped unprotected Robust Action frame from "
6018 "an MFP STA");
6019 return 0;
6020 }
6021
6022 if (sta) {
6023 u16 fc = le_to_host16(mgmt->frame_control);
6024 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6025
6026 if ((fc & WLAN_FC_RETRY) &&
6027 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6028 sta->last_seq_ctrl == seq_ctrl &&
6029 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6030 hostapd_logger(hapd, sta->addr,
6031 HOSTAPD_MODULE_IEEE80211,
6032 HOSTAPD_LEVEL_DEBUG,
6033 "Drop repeated action frame seq_ctrl=0x%x",
6034 seq_ctrl);
6035 return 1;
6036 }
6037
6038 sta->last_seq_ctrl = seq_ctrl;
6039 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6040 }
6041
6042 switch (mgmt->u.action.category) {
6043 #ifdef CONFIG_IEEE80211R_AP
6044 case WLAN_ACTION_FT:
6045 if (!sta ||
6046 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6047 len - IEEE80211_HDRLEN))
6048 break;
6049 return 1;
6050 #endif /* CONFIG_IEEE80211R_AP */
6051 case WLAN_ACTION_WMM:
6052 hostapd_wmm_action(hapd, mgmt, len);
6053 return 1;
6054 case WLAN_ACTION_SA_QUERY:
6055 ieee802_11_sa_query_action(hapd, mgmt, len);
6056 return 1;
6057 #ifdef CONFIG_WNM_AP
6058 case WLAN_ACTION_WNM:
6059 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6060 return 1;
6061 #endif /* CONFIG_WNM_AP */
6062 #ifdef CONFIG_FST
6063 case WLAN_ACTION_FST:
6064 if (hapd->iface->fst)
6065 fst_rx_action(hapd->iface->fst, mgmt, len);
6066 else
6067 wpa_printf(MSG_DEBUG,
6068 "FST: Ignore FST Action frame - no FST attached");
6069 return 1;
6070 #endif /* CONFIG_FST */
6071 case WLAN_ACTION_PUBLIC:
6072 case WLAN_ACTION_PROTECTED_DUAL:
6073 if (len >= IEEE80211_HDRLEN + 2 &&
6074 mgmt->u.action.u.public_action.action ==
6075 WLAN_PA_20_40_BSS_COEX) {
6076 hostapd_2040_coex_action(hapd, mgmt, len);
6077 return 1;
6078 }
6079 #ifdef CONFIG_DPP
6080 if (len >= IEEE80211_HDRLEN + 6 &&
6081 mgmt->u.action.u.vs_public_action.action ==
6082 WLAN_PA_VENDOR_SPECIFIC &&
6083 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6084 OUI_WFA &&
6085 mgmt->u.action.u.vs_public_action.variable[0] ==
6086 DPP_OUI_TYPE) {
6087 const u8 *pos, *end;
6088
6089 pos = mgmt->u.action.u.vs_public_action.oui;
6090 end = ((const u8 *) mgmt) + len;
6091 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6092 freq);
6093 return 1;
6094 }
6095 if (len >= IEEE80211_HDRLEN + 2 &&
6096 (mgmt->u.action.u.public_action.action ==
6097 WLAN_PA_GAS_INITIAL_RESP ||
6098 mgmt->u.action.u.public_action.action ==
6099 WLAN_PA_GAS_COMEBACK_RESP)) {
6100 const u8 *pos, *end;
6101
6102 pos = &mgmt->u.action.u.public_action.action;
6103 end = ((const u8 *) mgmt) + len;
6104 gas_query_ap_rx(hapd->gas, mgmt->sa,
6105 mgmt->u.action.category,
6106 pos, end - pos, hapd->iface->freq);
6107 return 1;
6108 }
6109 #endif /* CONFIG_DPP */
6110 if (hapd->public_action_cb) {
6111 hapd->public_action_cb(hapd->public_action_cb_ctx,
6112 (u8 *) mgmt, len,
6113 hapd->iface->freq);
6114 }
6115 if (hapd->public_action_cb2) {
6116 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6117 (u8 *) mgmt, len,
6118 hapd->iface->freq);
6119 }
6120 if (hapd->public_action_cb || hapd->public_action_cb2)
6121 return 1;
6122 break;
6123 case WLAN_ACTION_VENDOR_SPECIFIC:
6124 if (hapd->vendor_action_cb) {
6125 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6126 (u8 *) mgmt, len,
6127 hapd->iface->freq) == 0)
6128 return 1;
6129 }
6130 break;
6131 case WLAN_ACTION_RADIO_MEASUREMENT:
6132 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6133 return 1;
6134 }
6135
6136 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6137 HOSTAPD_LEVEL_DEBUG,
6138 "handle_action - unknown action category %d or invalid "
6139 "frame",
6140 mgmt->u.action.category);
6141 if (!is_multicast_ether_addr(mgmt->da) &&
6142 !(mgmt->u.action.category & 0x80) &&
6143 !is_multicast_ether_addr(mgmt->sa)) {
6144 struct ieee80211_mgmt *resp;
6145
6146 /*
6147 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6148 * Return the Action frame to the source without change
6149 * except that MSB of the Category set to 1.
6150 */
6151 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6152 "frame back to sender");
6153 resp = os_memdup(mgmt, len);
6154 if (resp == NULL)
6155 return 0;
6156 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6157 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6158 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6159 resp->u.action.category |= 0x80;
6160
6161 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6162 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6163 "Action frame");
6164 }
6165 os_free(resp);
6166 }
6167
6168 return 1;
6169 }
6170
6171
6172 /**
6173 * notify_mgmt_frame - Notify of Management frames on the control interface
6174 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6175 * sent to)
6176 * @buf: Management frame data (starting from the IEEE 802.11 header)
6177 * @len: Length of frame data in octets
6178 *
6179 * Notify the control interface of any received Management frame.
6180 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6181 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6182 size_t len)
6183 {
6184
6185 int hex_len = len * 2 + 1;
6186 char *hex = os_malloc(hex_len);
6187
6188 if (hex) {
6189 wpa_snprintf_hex(hex, hex_len, buf, len);
6190 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6191 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6192 os_free(hex);
6193 }
6194 }
6195
6196
6197 /**
6198 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6199 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6200 * sent to)
6201 * @buf: management frame data (starting from IEEE 802.11 header)
6202 * @len: length of frame data in octets
6203 * @fi: meta data about received frame (signal level, etc.)
6204 *
6205 * Process all incoming IEEE 802.11 management frames. This will be called for
6206 * each frame received from the kernel driver through wlan#ap interface. In
6207 * addition, it can be called to re-inserted pending frames (e.g., when using
6208 * external RADIUS server as an MAC ACL).
6209 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6210 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6211 struct hostapd_frame_info *fi)
6212 {
6213 struct ieee80211_mgmt *mgmt;
6214 u16 fc, stype;
6215 int ret = 0;
6216 unsigned int freq;
6217 int ssi_signal = fi ? fi->ssi_signal : 0;
6218
6219 if (len < 24)
6220 return 0;
6221
6222 if (fi && fi->freq)
6223 freq = fi->freq;
6224 else
6225 freq = hapd->iface->freq;
6226
6227 mgmt = (struct ieee80211_mgmt *) buf;
6228 fc = le_to_host16(mgmt->frame_control);
6229 stype = WLAN_FC_GET_STYPE(fc);
6230
6231 if (is_multicast_ether_addr(mgmt->sa) ||
6232 is_zero_ether_addr(mgmt->sa) ||
6233 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6234 /* Do not process any frames with unexpected/invalid SA so that
6235 * we do not add any state for unexpected STA addresses or end
6236 * up sending out frames to unexpected destination. */
6237 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR_SEC
6238 " in received frame - ignore this frame silently",
6239 MAC2STR_SEC(mgmt->sa));
6240 return 0;
6241 }
6242
6243 if (stype == WLAN_FC_STYPE_BEACON) {
6244 handle_beacon(hapd, mgmt, len, fi);
6245 return 1;
6246 }
6247
6248 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6249 #ifdef CONFIG_P2P
6250 /* Invitation responses can be sent with the peer MAC as BSSID */
6251 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6252 stype == WLAN_FC_STYPE_ACTION) &&
6253 #endif /* CONFIG_P2P */
6254 #ifdef CONFIG_MESH
6255 !(hapd->conf->mesh & MESH_ENABLED) &&
6256 #endif /* CONFIG_MESH */
6257 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6258 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR_SEC " not our address",
6259 MAC2STR_SEC(mgmt->bssid));
6260 return 0;
6261 }
6262
6263 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6264 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR_SEC " DA=" MACSTR_SEC " subtype=%u)",
6265 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), stype);
6266 return 1;
6267 }
6268
6269 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6270 handle_probe_req(hapd, mgmt, len, ssi_signal);
6271 return 1;
6272 }
6273
6274 if ((!is_broadcast_ether_addr(mgmt->da) ||
6275 stype != WLAN_FC_STYPE_ACTION) &&
6276 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6277 hostapd_logger_only_for_cb(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6278 HOSTAPD_LEVEL_DEBUG,
6279 "MGMT: DA=" MACSTR " not our address",
6280 MAC2STR(mgmt->da));
6281 wpa_printf(MSG_DEBUG, "MGMT: DA=" MACSTR_SEC " not our address",
6282 MAC2STR_SEC(mgmt->da));
6283 return 0;
6284 }
6285
6286 if (hapd->iconf->track_sta_max_num)
6287 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6288
6289 if (hapd->conf->notify_mgmt_frames)
6290 notify_mgmt_frame(hapd, buf, len);
6291
6292 switch (stype) {
6293 case WLAN_FC_STYPE_AUTH:
6294 wpa_printf(MSG_DEBUG, "mgmt::auth");
6295 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6296 ret = 1;
6297 break;
6298 case WLAN_FC_STYPE_ASSOC_REQ:
6299 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6300 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6301 ret = 1;
6302 break;
6303 case WLAN_FC_STYPE_REASSOC_REQ:
6304 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6305 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6306 ret = 1;
6307 break;
6308 case WLAN_FC_STYPE_DISASSOC:
6309 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6310 handle_disassoc(hapd, mgmt, len);
6311 ret = 1;
6312 break;
6313 case WLAN_FC_STYPE_DEAUTH:
6314 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6315 handle_deauth(hapd, mgmt, len);
6316 ret = 1;
6317 break;
6318 case WLAN_FC_STYPE_ACTION:
6319 wpa_printf(MSG_DEBUG, "mgmt::action");
6320 ret = handle_action(hapd, mgmt, len, freq);
6321 break;
6322 default:
6323 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6324 HOSTAPD_LEVEL_DEBUG,
6325 "unknown mgmt frame subtype %d", stype);
6326 break;
6327 }
6328
6329 return ret;
6330 }
6331
6332
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6333 static void handle_auth_cb(struct hostapd_data *hapd,
6334 const struct ieee80211_mgmt *mgmt,
6335 size_t len, int ok)
6336 {
6337 u16 auth_alg, auth_transaction, status_code;
6338 struct sta_info *sta;
6339 bool success_status;
6340
6341 sta = ap_get_sta(hapd, mgmt->da);
6342 if (!sta) {
6343 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR_SEC
6344 " not found",
6345 MAC2STR_SEC(mgmt->da));
6346 return;
6347 }
6348
6349 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6350 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6351 (unsigned long) len);
6352 auth_alg = 0;
6353 auth_transaction = 0;
6354 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6355 goto fail;
6356 }
6357
6358 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6359 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6360 status_code = le_to_host16(mgmt->u.auth.status_code);
6361
6362 if (!ok) {
6363 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6364 HOSTAPD_LEVEL_NOTICE,
6365 "did not acknowledge authentication response");
6366 goto fail;
6367 }
6368
6369 if (status_code == WLAN_STATUS_SUCCESS &&
6370 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6371 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6372 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6373 HOSTAPD_LEVEL_INFO, "authenticated");
6374 sta->flags |= WLAN_STA_AUTH;
6375 if (sta->added_unassoc)
6376 hostapd_set_sta_flags(hapd, sta);
6377 return;
6378 }
6379
6380 fail:
6381 success_status = status_code == WLAN_STATUS_SUCCESS;
6382 #ifdef CONFIG_SAE
6383 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6384 success_status = sae_status_success(hapd, status_code);
6385 #endif /* CONFIG_SAE */
6386 if (!success_status && sta->added_unassoc) {
6387 hostapd_drv_sta_remove(hapd, sta->addr);
6388 sta->added_unassoc = 0;
6389 }
6390 }
6391
6392
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6393 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6394 struct sta_info *sta,
6395 char *ifname_wds)
6396 {
6397 #ifdef CONFIG_WEP
6398 int i;
6399 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6400
6401 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6402 return;
6403
6404 for (i = 0; i < 4; i++) {
6405 if (ssid->wep.key[i] &&
6406 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6407 0, i == ssid->wep.idx, NULL, 0,
6408 ssid->wep.key[i], ssid->wep.len[i],
6409 i == ssid->wep.idx ?
6410 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6411 KEY_FLAG_GROUP_RX_TX)) {
6412 wpa_printf(MSG_WARNING,
6413 "Could not set WEP keys for WDS interface; %s",
6414 ifname_wds);
6415 break;
6416 }
6417 }
6418 #endif /* CONFIG_WEP */
6419 }
6420
6421
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6422 static void handle_assoc_cb(struct hostapd_data *hapd,
6423 const struct ieee80211_mgmt *mgmt,
6424 size_t len, int reassoc, int ok)
6425 {
6426 u16 status;
6427 struct sta_info *sta;
6428 int new_assoc = 1;
6429
6430 sta = ap_get_sta(hapd, mgmt->da);
6431 if (!sta) {
6432 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR_SEC " not found",
6433 MAC2STR_SEC(mgmt->da));
6434 return;
6435 }
6436
6437 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6438 sizeof(mgmt->u.assoc_resp))) {
6439 wpa_printf(MSG_INFO,
6440 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6441 reassoc, (unsigned long) len);
6442 hostapd_drv_sta_remove(hapd, sta->addr);
6443 return;
6444 }
6445
6446 if (reassoc)
6447 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6448 else
6449 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6450
6451 if (!ok) {
6452 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6453 HOSTAPD_LEVEL_DEBUG,
6454 "did not acknowledge association response");
6455 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6456 /* The STA is added only in case of SUCCESS */
6457 if (status == WLAN_STATUS_SUCCESS)
6458 hostapd_drv_sta_remove(hapd, sta->addr);
6459
6460 return;
6461 }
6462
6463 if (status != WLAN_STATUS_SUCCESS)
6464 return;
6465
6466 /* Stop previous accounting session, if one is started, and allocate
6467 * new session id for the new session. */
6468 accounting_sta_stop(hapd, sta);
6469
6470 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6471 HOSTAPD_LEVEL_INFO,
6472 "associated (aid %d)",
6473 sta->aid);
6474
6475 if (sta->flags & WLAN_STA_ASSOC)
6476 new_assoc = 0;
6477 sta->flags |= WLAN_STA_ASSOC;
6478 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6479 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6480 !hapd->conf->osen) ||
6481 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6482 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6483 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6484 sta->auth_alg == WLAN_AUTH_FT) {
6485 /*
6486 * Open, static WEP, FT protocol, or FILS; no separate
6487 * authorization step.
6488 */
6489 ap_sta_set_authorized(hapd, sta, 1);
6490 }
6491
6492 if (reassoc)
6493 mlme_reassociate_indication(hapd, sta);
6494 else
6495 mlme_associate_indication(hapd, sta);
6496
6497 sta->sa_query_timed_out = 0;
6498
6499 if (sta->eapol_sm == NULL) {
6500 /*
6501 * This STA does not use RADIUS server for EAP authentication,
6502 * so bind it to the selected VLAN interface now, since the
6503 * interface selection is not going to change anymore.
6504 */
6505 if (ap_sta_bind_vlan(hapd, sta) < 0)
6506 return;
6507 } else if (sta->vlan_id) {
6508 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6509 if (ap_sta_bind_vlan(hapd, sta) < 0)
6510 return;
6511 }
6512
6513 hostapd_set_sta_flags(hapd, sta);
6514
6515 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6516 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6517 MACSTR_SEC " based on pending request",
6518 MAC2STR_SEC(sta->addr));
6519 sta->pending_wds_enable = 0;
6520 sta->flags |= WLAN_STA_WDS;
6521 }
6522
6523 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6524 int ret;
6525 char ifname_wds[IFNAMSIZ + 1];
6526
6527 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6528 MACSTR_SEC " (aid %u)",
6529 MAC2STR_SEC(sta->addr), sta->aid);
6530 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6531 sta->aid, 1);
6532 if (!ret)
6533 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6534 }
6535
6536 if (sta->auth_alg == WLAN_AUTH_FT)
6537 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6538 else
6539 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6540 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6541 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6542
6543 #ifdef CONFIG_FILS
6544 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6545 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6546 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6547 fils_set_tk(sta->wpa_sm) < 0) {
6548 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6549 ap_sta_disconnect(hapd, sta, sta->addr,
6550 WLAN_REASON_UNSPECIFIED);
6551 return;
6552 }
6553 #endif /* CONFIG_FILS */
6554
6555 if (sta->pending_eapol_rx) {
6556 struct os_reltime now, age;
6557
6558 os_get_reltime(&now);
6559 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6560 if (age.sec == 0 && age.usec < 200000) {
6561 wpa_printf(MSG_DEBUG,
6562 "Process pending EAPOL frame that was received from " MACSTR_SEC " just before association notification",
6563 MAC2STR_SEC(sta->addr));
6564 ieee802_1x_receive(
6565 hapd, mgmt->da,
6566 wpabuf_head(sta->pending_eapol_rx->buf),
6567 wpabuf_len(sta->pending_eapol_rx->buf));
6568 }
6569 wpabuf_free(sta->pending_eapol_rx->buf);
6570 os_free(sta->pending_eapol_rx);
6571 sta->pending_eapol_rx = NULL;
6572 }
6573 }
6574
6575
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6576 static void handle_deauth_cb(struct hostapd_data *hapd,
6577 const struct ieee80211_mgmt *mgmt,
6578 size_t len, int ok)
6579 {
6580 struct sta_info *sta;
6581 if (is_multicast_ether_addr(mgmt->da))
6582 return;
6583 sta = ap_get_sta(hapd, mgmt->da);
6584 if (!sta) {
6585 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR_SEC
6586 " not found", MAC2STR_SEC(mgmt->da));
6587 return;
6588 }
6589 if (ok)
6590 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged deauth",
6591 MAC2STR_SEC(sta->addr));
6592 else
6593 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6594 "deauth", MAC2STR_SEC(sta->addr));
6595
6596 ap_sta_deauth_cb(hapd, sta);
6597 }
6598
6599
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6600 static void handle_disassoc_cb(struct hostapd_data *hapd,
6601 const struct ieee80211_mgmt *mgmt,
6602 size_t len, int ok)
6603 {
6604 struct sta_info *sta;
6605 if (is_multicast_ether_addr(mgmt->da))
6606 return;
6607 sta = ap_get_sta(hapd, mgmt->da);
6608 if (!sta) {
6609 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR_SEC
6610 " not found", MAC2STR_SEC(mgmt->da));
6611 return;
6612 }
6613 if (ok)
6614 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged disassoc",
6615 MAC2STR_SEC(sta->addr));
6616 else
6617 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6618 "disassoc", MAC2STR_SEC(sta->addr));
6619
6620 ap_sta_disassoc_cb(hapd, sta);
6621 }
6622
6623
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6624 static void handle_action_cb(struct hostapd_data *hapd,
6625 const struct ieee80211_mgmt *mgmt,
6626 size_t len, int ok)
6627 {
6628 struct sta_info *sta;
6629 const struct rrm_measurement_report_element *report;
6630
6631 if (is_multicast_ether_addr(mgmt->da))
6632 return;
6633 #ifdef CONFIG_DPP
6634 if (len >= IEEE80211_HDRLEN + 6 &&
6635 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6636 mgmt->u.action.u.vs_public_action.action ==
6637 WLAN_PA_VENDOR_SPECIFIC &&
6638 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6639 OUI_WFA &&
6640 mgmt->u.action.u.vs_public_action.variable[0] ==
6641 DPP_OUI_TYPE) {
6642 const u8 *pos, *end;
6643
6644 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6645 end = ((const u8 *) mgmt) + len;
6646 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6647 return;
6648 }
6649 if (len >= IEEE80211_HDRLEN + 2 &&
6650 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6651 (mgmt->u.action.u.public_action.action ==
6652 WLAN_PA_GAS_INITIAL_REQ ||
6653 mgmt->u.action.u.public_action.action ==
6654 WLAN_PA_GAS_COMEBACK_REQ)) {
6655 const u8 *pos, *end;
6656
6657 pos = mgmt->u.action.u.public_action.variable;
6658 end = ((const u8 *) mgmt) + len;
6659 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6660 return;
6661 }
6662 #endif /* CONFIG_DPP */
6663 sta = ap_get_sta(hapd, mgmt->da);
6664 if (!sta) {
6665 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR_SEC
6666 " not found", MAC2STR_SEC(mgmt->da));
6667 return;
6668 }
6669
6670 if (len < 24 + 5 + sizeof(*report))
6671 return;
6672 report = (const struct rrm_measurement_report_element *)
6673 &mgmt->u.action.u.rrm.variable[2];
6674 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6675 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6676 report->eid == WLAN_EID_MEASURE_REQUEST &&
6677 report->len >= 3 &&
6678 report->type == MEASURE_TYPE_BEACON)
6679 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6680 }
6681
6682
6683 /**
6684 * ieee802_11_mgmt_cb - Process management frame TX status callback
6685 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6686 * was sent from)
6687 * @buf: management frame data (starting from IEEE 802.11 header)
6688 * @len: length of frame data in octets
6689 * @stype: management frame subtype from frame control field
6690 * @ok: Whether the frame was ACK'ed
6691 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6692 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6693 u16 stype, int ok)
6694 {
6695 const struct ieee80211_mgmt *mgmt;
6696 mgmt = (const struct ieee80211_mgmt *) buf;
6697
6698 #ifdef CONFIG_TESTING_OPTIONS
6699 if (hapd->ext_mgmt_frame_handling) {
6700 size_t hex_len = 2 * len + 1;
6701 char *hex = os_malloc(hex_len);
6702
6703 if (hex) {
6704 wpa_snprintf_hex(hex, hex_len, buf, len);
6705 wpa_msg(hapd->msg_ctx, MSG_INFO,
6706 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6707 stype, ok, hex);
6708 os_free(hex);
6709 }
6710 return;
6711 }
6712 #endif /* CONFIG_TESTING_OPTIONS */
6713
6714 switch (stype) {
6715 case WLAN_FC_STYPE_AUTH:
6716 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6717 handle_auth_cb(hapd, mgmt, len, ok);
6718 break;
6719 case WLAN_FC_STYPE_ASSOC_RESP:
6720 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6721 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6722 break;
6723 case WLAN_FC_STYPE_REASSOC_RESP:
6724 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6725 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6726 break;
6727 case WLAN_FC_STYPE_PROBE_RESP:
6728 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6729 break;
6730 case WLAN_FC_STYPE_DEAUTH:
6731 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6732 handle_deauth_cb(hapd, mgmt, len, ok);
6733 break;
6734 case WLAN_FC_STYPE_DISASSOC:
6735 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6736 handle_disassoc_cb(hapd, mgmt, len, ok);
6737 break;
6738 case WLAN_FC_STYPE_ACTION:
6739 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6740 handle_action_cb(hapd, mgmt, len, ok);
6741 break;
6742 default:
6743 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6744 break;
6745 }
6746 }
6747
6748
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6749 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6750 {
6751 /* TODO */
6752 return 0;
6753 }
6754
6755
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6756 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6757 char *buf, size_t buflen)
6758 {
6759 /* TODO */
6760 return 0;
6761 }
6762
6763
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6764 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6765 const u8 *buf, size_t len, int ack)
6766 {
6767 struct sta_info *sta;
6768 struct hostapd_iface *iface = hapd->iface;
6769
6770 sta = ap_get_sta(hapd, addr);
6771 if (sta == NULL && iface->num_bss > 1) {
6772 size_t j;
6773 for (j = 0; j < iface->num_bss; j++) {
6774 hapd = iface->bss[j];
6775 sta = ap_get_sta(hapd, addr);
6776 if (sta)
6777 break;
6778 }
6779 }
6780 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6781 return;
6782 if (sta->flags & WLAN_STA_PENDING_POLL) {
6783 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " %s pending "
6784 "activity poll", MAC2STR_SEC(sta->addr),
6785 ack ? "ACKed" : "did not ACK");
6786 if (ack)
6787 sta->flags &= ~WLAN_STA_PENDING_POLL;
6788 }
6789
6790 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6791 }
6792
6793
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)6794 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6795 const u8 *data, size_t len, int ack)
6796 {
6797 struct sta_info *sta;
6798 struct hostapd_iface *iface = hapd->iface;
6799
6800 sta = ap_get_sta(hapd, dst);
6801 if (sta == NULL && iface->num_bss > 1) {
6802 size_t j;
6803 for (j = 0; j < iface->num_bss; j++) {
6804 hapd = iface->bss[j];
6805 sta = ap_get_sta(hapd, dst);
6806 if (sta)
6807 break;
6808 }
6809 }
6810 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6811 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6812 MACSTR_SEC " that is not currently associated",
6813 MAC2STR_SEC(dst));
6814 return;
6815 }
6816
6817 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6818 }
6819
6820
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6821 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6822 {
6823 struct sta_info *sta;
6824 struct hostapd_iface *iface = hapd->iface;
6825
6826 sta = ap_get_sta(hapd, addr);
6827 if (sta == NULL && iface->num_bss > 1) {
6828 size_t j;
6829 for (j = 0; j < iface->num_bss; j++) {
6830 hapd = iface->bss[j];
6831 sta = ap_get_sta(hapd, addr);
6832 if (sta)
6833 break;
6834 }
6835 }
6836 if (sta == NULL)
6837 return;
6838 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6839 MAC2STR(sta->addr));
6840 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6841 return;
6842
6843 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " ACKed pending "
6844 "activity poll", MAC2STR_SEC(sta->addr));
6845 sta->flags &= ~WLAN_STA_PENDING_POLL;
6846 }
6847
6848
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6849 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6850 int wds)
6851 {
6852 struct sta_info *sta;
6853
6854 sta = ap_get_sta(hapd, src);
6855 if (sta &&
6856 ((sta->flags & WLAN_STA_ASSOC) ||
6857 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6858 if (!hapd->conf->wds_sta)
6859 return;
6860
6861 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6862 WLAN_STA_ASSOC_REQ_OK) {
6863 wpa_printf(MSG_DEBUG,
6864 "Postpone 4-address WDS mode enabling for STA "
6865 MACSTR_SEC " since TX status for AssocResp is not yet known",
6866 MAC2STR_SEC(sta->addr));
6867 sta->pending_wds_enable = 1;
6868 return;
6869 }
6870
6871 if (wds && !(sta->flags & WLAN_STA_WDS)) {
6872 int ret;
6873 char ifname_wds[IFNAMSIZ + 1];
6874
6875 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6876 "STA " MACSTR_SEC " (aid %u)",
6877 MAC2STR_SEC(sta->addr), sta->aid);
6878 sta->flags |= WLAN_STA_WDS;
6879 ret = hostapd_set_wds_sta(hapd, ifname_wds,
6880 sta->addr, sta->aid, 1);
6881 if (!ret)
6882 hostapd_set_wds_encryption(hapd, sta,
6883 ifname_wds);
6884 }
6885 return;
6886 }
6887
6888 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6889 MACSTR_SEC, MAC2STR_SEC(src));
6890 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6891 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6892 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6893 * silently. */
6894 return;
6895 }
6896
6897 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6898 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6899 "already been sent, but no TX status yet known - "
6900 "ignore Class 3 frame issue with " MACSTR_SEC,
6901 MAC2STR_SEC(src));
6902 return;
6903 }
6904
6905 if (sta && (sta->flags & WLAN_STA_AUTH))
6906 hostapd_drv_sta_disassoc(
6907 hapd, src,
6908 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6909 else
6910 hostapd_drv_sta_deauth(
6911 hapd, src,
6912 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6913 }
6914
6915
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)6916 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6917 {
6918 struct hostapd_iface *iface = hapd->iface;
6919 struct hostapd_config *iconf = iface->conf;
6920 struct hostapd_hw_modes *mode = iface->current_mode;
6921 struct hostapd_channel_data *chan;
6922 int dfs, i;
6923 u8 channel, tx_pwr_count, local_pwr_constraint;
6924 int max_tx_power;
6925 u8 tx_pwr;
6926
6927 if (!mode)
6928 return eid;
6929
6930 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6931 return eid;
6932
6933 for (i = 0; i < mode->num_channels; i++) {
6934 if (mode->channels[i].freq == iface->freq)
6935 break;
6936 }
6937 if (i == mode->num_channels)
6938 return eid;
6939
6940 switch (hostapd_get_oper_chwidth(iconf)) {
6941 case CHANWIDTH_USE_HT:
6942 if (iconf->secondary_channel == 0) {
6943 /* Max Transmit Power count = 0 (20 MHz) */
6944 tx_pwr_count = 0;
6945 } else {
6946 /* Max Transmit Power count = 1 (20, 40 MHz) */
6947 tx_pwr_count = 1;
6948 }
6949 break;
6950 case CHANWIDTH_80MHZ:
6951 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6952 tx_pwr_count = 2;
6953 break;
6954 case CHANWIDTH_80P80MHZ:
6955 case CHANWIDTH_160MHZ:
6956 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6957 tx_pwr_count = 3;
6958 break;
6959 default:
6960 return eid;
6961 }
6962
6963 /*
6964 * Below local_pwr_constraint logic is referred from
6965 * hostapd_eid_pwr_constraint.
6966 *
6967 * Check if DFS is required by regulatory.
6968 */
6969 dfs = hostapd_is_dfs_required(hapd->iface);
6970 if (dfs < 0)
6971 dfs = 0;
6972
6973 /*
6974 * In order to meet regulations when TPC is not implemented using
6975 * a transmit power that is below the legal maximum (including any
6976 * mitigation factor) should help. In this case, indicate 3 dB below
6977 * maximum allowed transmit power.
6978 */
6979 if (hapd->iconf->local_pwr_constraint == -1)
6980 local_pwr_constraint = (dfs == 0) ? 0 : 3;
6981 else
6982 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6983
6984 /*
6985 * A STA that is not an AP shall use a transmit power less than or
6986 * equal to the local maximum transmit power level for the channel.
6987 * The local maximum transmit power can be calculated from the formula:
6988 * local max TX pwr = max TX pwr - local pwr constraint
6989 * Where max TX pwr is maximum transmit power level specified for
6990 * channel in Country element and local pwr constraint is specified
6991 * for channel in this Power Constraint element.
6992 */
6993 chan = &mode->channels[i];
6994 max_tx_power = chan->max_tx_power - local_pwr_constraint;
6995
6996 /*
6997 * Local Maximum Transmit power is encoded as two's complement
6998 * with a 0.5 dB step.
6999 */
7000 max_tx_power *= 2; /* in 0.5 dB steps */
7001 if (max_tx_power > 127) {
7002 /* 63.5 has special meaning of 63.5 dBm or higher */
7003 max_tx_power = 127;
7004 }
7005 if (max_tx_power < -128)
7006 max_tx_power = -128;
7007 if (max_tx_power < 0)
7008 tx_pwr = 0x80 + max_tx_power + 128;
7009 else
7010 tx_pwr = max_tx_power;
7011
7012 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
7013 *eid++ = 2 + tx_pwr_count;
7014
7015 /*
7016 * Max Transmit Power count and
7017 * Max Transmit Power units = 0 (EIRP)
7018 */
7019 *eid++ = tx_pwr_count;
7020
7021 for (i = 0; i <= tx_pwr_count; i++)
7022 *eid++ = tx_pwr;
7023
7024 return eid;
7025 }
7026
7027
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)7028 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7029 {
7030 u8 bw, chan1, chan2 = 0;
7031 int freq1;
7032
7033 if (!hapd->cs_freq_params.channel ||
7034 (!hapd->cs_freq_params.vht_enabled &&
7035 !hapd->cs_freq_params.he_enabled))
7036 return eid;
7037
7038 /* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
7039 switch (hapd->cs_freq_params.bandwidth) {
7040 case 40:
7041 bw = 0;
7042 break;
7043 case 80:
7044 /* check if it's 80+80 */
7045 if (!hapd->cs_freq_params.center_freq2)
7046 bw = 1;
7047 else
7048 bw = 3;
7049 break;
7050 case 160:
7051 bw = 2;
7052 break;
7053 default:
7054 /* not valid VHT bandwidth or not in CSA */
7055 return eid;
7056 }
7057
7058 freq1 = hapd->cs_freq_params.center_freq1 ?
7059 hapd->cs_freq_params.center_freq1 :
7060 hapd->cs_freq_params.freq;
7061 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7062 HOSTAPD_MODE_IEEE80211A)
7063 return eid;
7064
7065 if (hapd->cs_freq_params.center_freq2 &&
7066 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7067 &chan2) != HOSTAPD_MODE_IEEE80211A)
7068 return eid;
7069
7070 *eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
7071 *eid++ = 5; /* Length of Channel Switch Wrapper */
7072 *eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
7073 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7074 *eid++ = bw; /* New Channel Width */
7075 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7076 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7077
7078 return eid;
7079 }
7080
7081
hostapd_eid_nr_db_len(struct hostapd_data * hapd,size_t * current_len)7082 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7083 size_t *current_len)
7084 {
7085 struct hostapd_neighbor_entry *nr;
7086 size_t total_len = 0, len = *current_len;
7087
7088 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7089 list) {
7090 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7091 continue;
7092
7093 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7094 continue;
7095
7096 /* Start a new element */
7097 if (!len ||
7098 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7099 len = RNR_HEADER_LEN;
7100 total_len += RNR_HEADER_LEN;
7101 }
7102
7103 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7104 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7105 }
7106
7107 *current_len = len;
7108 return total_len;
7109 }
7110
7111
hostapd_eid_rnr_iface_len(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,size_t * current_len)7112 static size_t hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7113 struct hostapd_data *reporting_hapd,
7114 size_t *current_len)
7115 {
7116 size_t total_len = 0, len = *current_len;
7117 int tbtt_count = 0;
7118 size_t i, start = 0;
7119
7120 while (start < hapd->iface->num_bss) {
7121 if (!len ||
7122 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7123 len = RNR_HEADER_LEN;
7124 total_len += RNR_HEADER_LEN;
7125 }
7126
7127 len += RNR_TBTT_HEADER_LEN;
7128 total_len += RNR_TBTT_HEADER_LEN;
7129
7130 for (i = start; i < hapd->iface->num_bss; i++) {
7131 struct hostapd_data *bss = hapd->iface->bss[i];
7132
7133 if (!bss || !bss->conf || !bss->started)
7134 continue;
7135
7136 if (bss == reporting_hapd ||
7137 bss->conf->ignore_broadcast_ssid)
7138 continue;
7139
7140 if (len + RNR_TBTT_INFO_LEN > 255 ||
7141 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7142 break;
7143
7144 len += RNR_TBTT_INFO_LEN;
7145 total_len += RNR_TBTT_INFO_LEN;
7146 tbtt_count++;
7147 }
7148 start = i;
7149 }
7150
7151 if (!tbtt_count)
7152 total_len = 0;
7153 else
7154 *current_len = len;
7155
7156 return total_len;
7157 }
7158
7159
7160 enum colocation_mode {
7161 NO_COLOCATED_6GHZ,
7162 STANDALONE_6GHZ,
7163 COLOCATED_6GHZ,
7164 COLOCATED_LOWER_BAND,
7165 };
7166
get_colocation_mode(struct hostapd_data * hapd)7167 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7168 {
7169 u8 i;
7170 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7171
7172 if (!hapd->iface || !hapd->iface->interfaces)
7173 return NO_COLOCATED_6GHZ;
7174
7175 if (is_6ghz && hapd->iface->interfaces->count == 1)
7176 return STANDALONE_6GHZ;
7177
7178 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7179 struct hostapd_iface *iface;
7180 bool is_colocated_6ghz;
7181
7182 iface = hapd->iface->interfaces->iface[i];
7183 if (iface == hapd->iface || !iface || !iface->conf)
7184 continue;
7185
7186 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7187 if (!is_6ghz && is_colocated_6ghz)
7188 return COLOCATED_LOWER_BAND;
7189 if (is_6ghz && !is_colocated_6ghz)
7190 return COLOCATED_6GHZ;
7191 }
7192
7193 if (is_6ghz)
7194 return STANDALONE_6GHZ;
7195
7196 return NO_COLOCATED_6GHZ;
7197 }
7198
7199
hostapd_eid_rnr_colocation_len(struct hostapd_data * hapd,size_t * current_len)7200 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7201 size_t *current_len)
7202 {
7203 struct hostapd_iface *iface;
7204 size_t len = 0;
7205 size_t i;
7206
7207 if (!hapd->iface || !hapd->iface->interfaces)
7208 return 0;
7209
7210 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7211 iface = hapd->iface->interfaces->iface[i];
7212
7213 if (iface == hapd->iface ||
7214 !is_6ghz_op_class(iface->conf->op_class))
7215 continue;
7216
7217 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7218 current_len);
7219 }
7220
7221 return len;
7222 }
7223
7224
hostapd_eid_rnr_len(struct hostapd_data * hapd,u32 type)7225 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)
7226 {
7227 size_t total_len = 0, current_len = 0;
7228 enum colocation_mode mode = get_colocation_mode(hapd);
7229
7230 switch (type) {
7231 case WLAN_FC_STYPE_BEACON:
7232 if (hapd->conf->rnr)
7233 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7234 /* fallthrough */
7235
7236 case WLAN_FC_STYPE_PROBE_RESP:
7237 if (mode == COLOCATED_LOWER_BAND)
7238 total_len += hostapd_eid_rnr_colocation_len(
7239 hapd, ¤t_len);
7240
7241 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7242 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7243 ¤t_len);
7244 break;
7245
7246 case WLAN_FC_STYPE_ACTION:
7247 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7248 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7249 ¤t_len);
7250 break;
7251
7252 default:
7253 break;
7254 }
7255
7256 return total_len;
7257 }
7258
7259
hostapd_eid_nr_db(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7260 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7261 size_t *current_len)
7262 {
7263 struct hostapd_neighbor_entry *nr;
7264 size_t len = *current_len;
7265 u8 *size_offset = (eid - len) + 1;
7266
7267 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7268 list) {
7269 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7270 continue;
7271
7272 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7273 continue;
7274
7275 /* Start a new element */
7276 if (!len ||
7277 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7278 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7279 size_offset = eid++;
7280 len = RNR_HEADER_LEN;
7281 }
7282
7283 /* TBTT Information Header subfield (2 octets) */
7284 *eid++ = 0;
7285 /* TBTT Information Length */
7286 *eid++ = RNR_TBTT_INFO_LEN;
7287 /* Operating Class */
7288 *eid++ = wpabuf_head_u8(nr->nr)[10];
7289 /* Channel Number */
7290 *eid++ = wpabuf_head_u8(nr->nr)[11];
7291 len += RNR_TBTT_HEADER_LEN;
7292 /* TBTT Information Set */
7293 /* TBTT Information field */
7294 /* Neighbor AP TBTT Offset */
7295 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7296 /* BSSID */
7297 os_memcpy(eid, nr->bssid, ETH_ALEN);
7298 eid += ETH_ALEN;
7299 /* Short SSID */
7300 os_memcpy(eid, &nr->short_ssid, 4);
7301 eid += 4;
7302 /* BSS parameters */
7303 *eid++ = nr->bss_parameters;
7304 /* 20 MHz PSD */
7305 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7306 len += RNR_TBTT_INFO_LEN;
7307 *size_offset = (eid - size_offset) - 1;
7308 }
7309
7310 *current_len = len;
7311 return eid;
7312 }
7313
7314
hostapd_eid_rnr_iface(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,u8 * eid,size_t * current_len)7315 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7316 struct hostapd_data *reporting_hapd,
7317 u8 *eid, size_t *current_len)
7318 {
7319 struct hostapd_data *bss;
7320 struct hostapd_iface *iface = hapd->iface;
7321 size_t i, start = 0;
7322 size_t len = *current_len;
7323 u8 *tbtt_count_pos, *eid_start = eid, *size_offset = (eid - len) + 1;
7324 u8 tbtt_count = 0, op_class, channel, bss_param;
7325
7326 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7327 return eid;
7328
7329 if (ieee80211_freq_to_channel_ext(iface->freq,
7330 hapd->iconf->secondary_channel,
7331 hostapd_get_oper_chwidth(hapd->iconf),
7332 &op_class, &channel) ==
7333 NUM_HOSTAPD_MODES)
7334 return eid;
7335
7336 while (start < iface->num_bss) {
7337 if (!len ||
7338 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7339 eid_start = eid;
7340 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7341 size_offset = eid++;
7342 len = RNR_HEADER_LEN;
7343 tbtt_count = 0;
7344 }
7345
7346 tbtt_count_pos = eid++;
7347 *eid++ = RNR_TBTT_INFO_LEN;
7348 *eid++ = op_class;
7349 *eid++ = hapd->iconf->channel;
7350 len += RNR_TBTT_HEADER_LEN;
7351
7352 for (i = start; i < iface->num_bss; i++) {
7353 bss_param = 0;
7354 bss = iface->bss[i];
7355 if (!bss || !bss->conf || !bss->started)
7356 continue;
7357
7358 if (bss == reporting_hapd ||
7359 bss->conf->ignore_broadcast_ssid)
7360 continue;
7361
7362 if (len + RNR_TBTT_INFO_LEN > 255 ||
7363 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7364 break;
7365
7366 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7367 os_memcpy(eid, bss->conf->bssid, ETH_ALEN);
7368 eid += ETH_ALEN;
7369 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7370 eid += 4;
7371 if (bss->conf->ssid.short_ssid ==
7372 reporting_hapd->conf->ssid.short_ssid)
7373 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7374
7375 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7376 bss->conf->unsol_bcast_probe_resp_interval)
7377 bss_param |=
7378 RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7379
7380 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7381
7382 *eid++ = bss_param;
7383 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7384 len += RNR_TBTT_INFO_LEN;
7385 tbtt_count += 1;
7386 }
7387
7388 start = i;
7389 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7390 *size_offset = (eid - size_offset) - 1;
7391 }
7392
7393 if (tbtt_count == 0)
7394 return eid_start;
7395
7396 *current_len = len;
7397 return eid;
7398 }
7399
7400
hostapd_eid_rnr_colocation(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7401 static u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7402 size_t *current_len)
7403 {
7404 struct hostapd_iface *iface;
7405 size_t i;
7406
7407 if (!hapd->iface || !hapd->iface->interfaces)
7408 return eid;
7409
7410 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7411 iface = hapd->iface->interfaces->iface[i];
7412
7413 if (iface == hapd->iface ||
7414 !is_6ghz_op_class(iface->conf->op_class))
7415 continue;
7416
7417 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7418 current_len);
7419 }
7420
7421 return eid;
7422 }
7423
7424
hostapd_eid_rnr(struct hostapd_data * hapd,u8 * eid,u32 type)7425 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)
7426 {
7427 u8 *eid_start = eid;
7428 size_t current_len = 0;
7429 enum colocation_mode mode = get_colocation_mode(hapd);
7430
7431 switch (type) {
7432 case WLAN_FC_STYPE_BEACON:
7433 if (hapd->conf->rnr)
7434 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
7435 /* fallthrough */
7436
7437 case WLAN_FC_STYPE_PROBE_RESP:
7438 if (mode == COLOCATED_LOWER_BAND)
7439 eid = hostapd_eid_rnr_colocation(hapd, eid,
7440 ¤t_len);
7441
7442 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7443 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7444 ¤t_len);
7445 break;
7446
7447 case WLAN_FC_STYPE_ACTION:
7448 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7449 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7450 ¤t_len);
7451 break;
7452
7453 default:
7454 return eid_start;
7455 }
7456
7457 if (eid == eid_start + 2)
7458 return eid_start;
7459
7460 return eid;
7461 }
7462
7463 #endif /* CONFIG_NATIVE_WINDOWS */
7464