1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58 #include "comeback_token.h"
59 #include "nan_usd_ap.h"
60 #include "pasn/pasn_common.h"
61
62
63 #ifdef CONFIG_FILS
64 static struct wpabuf *
65 prepare_auth_resp_fils(struct hostapd_data *hapd,
66 struct sta_info *sta, u16 *resp,
67 struct rsn_pmksa_cache_entry *pmksa,
68 struct wpabuf *erp_resp,
69 const u8 *msk, size_t msk_len,
70 int *is_pub);
71 #endif /* CONFIG_FILS */
72
73 #ifdef CONFIG_PASN
74 #ifdef CONFIG_FILS
75
76 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
77 struct sta_info *sta, u16 status,
78 struct wpabuf *erp_resp,
79 const u8 *msk, size_t msk_len);
80
81 #endif /* CONFIG_FILS */
82 #endif /* CONFIG_PASN */
83
84 static void handle_auth(struct hostapd_data *hapd,
85 const struct ieee80211_mgmt *mgmt, size_t len,
86 int rssi, int from_queue);
87 static int add_associated_sta(struct hostapd_data *hapd,
88 struct sta_info *sta, int reassoc);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid,size_t len)91 static u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid, size_t len)
92 {
93 struct multi_ap_params multi_ap = { 0 };
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97
98 if (hapd->conf->multi_ap & BACKHAUL_BSS)
99 multi_ap.capability |= MULTI_AP_BACKHAUL_BSS;
100 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
101 multi_ap.capability |= MULTI_AP_FRONTHAUL_BSS;
102
103 if (hapd->conf->multi_ap_client_disallow &
104 PROFILE1_CLIENT_ASSOC_DISALLOW)
105 multi_ap.capability |=
106 MULTI_AP_PROFILE1_BACKHAUL_STA_DISALLOWED;
107 if (hapd->conf->multi_ap_client_disallow &
108 PROFILE2_CLIENT_ASSOC_DISALLOW)
109 multi_ap.capability |=
110 MULTI_AP_PROFILE2_BACKHAUL_STA_DISALLOWED;
111
112 multi_ap.profile = hapd->conf->multi_ap_profile;
113 multi_ap.vlanid = hapd->conf->multi_ap_vlanid;
114
115 return eid + add_multi_ap_ie(eid, len, &multi_ap);
116 }
117
118
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)119 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
120 {
121 u8 *pos = eid;
122 int i, num, count;
123 int h2e_required;
124
125 if (hapd->iface->current_rates == NULL)
126 return eid;
127
128 *pos++ = WLAN_EID_SUPP_RATES;
129 num = hapd->iface->num_rates;
130 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
131 num++;
132 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
133 num++;
134 #ifdef CONFIG_IEEE80211AX
135 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he)
136 num++;
137 #endif /* CONFIG_IEEE80211AX */
138 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT ||
139 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
140 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK &&
141 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
142 if (h2e_required)
143 num++;
144 if (num > 8) {
145 /* rest of the rates are encoded in Extended supported
146 * rates element */
147 num = 8;
148 }
149
150 *pos++ = num;
151 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
152 i++) {
153 count++;
154 *pos = hapd->iface->current_rates[i].rate / 5;
155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
156 *pos |= 0x80;
157 pos++;
158 }
159
160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
161 count++;
162 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
163 }
164
165 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
166 count++;
167 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
168 }
169
170 #ifdef CONFIG_IEEE80211AX
171 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he && count < 8) {
172 count++;
173 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY;
174 }
175 #endif /* CONFIG_IEEE80211AX */
176
177 if (h2e_required && count < 8) {
178 count++;
179 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
180 }
181
182 return pos;
183 }
184
185
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)186 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
187 {
188 u8 *pos = eid;
189 int i, num, count;
190 int h2e_required;
191
192 hapd->conf->xrates_supported = false;
193 if (hapd->iface->current_rates == NULL)
194 return eid;
195
196 num = hapd->iface->num_rates;
197 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
198 num++;
199 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
200 num++;
201 #ifdef CONFIG_IEEE80211AX
202 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he)
203 num++;
204 #endif /* CONFIG_IEEE80211AX */
205 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT ||
206 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
207 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK &&
208 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
209 if (h2e_required)
210 num++;
211 if (num <= 8)
212 return eid;
213 num -= 8;
214
215 *pos++ = WLAN_EID_EXT_SUPP_RATES;
216 *pos++ = num;
217 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
218 i++) {
219 count++;
220 if (count <= 8)
221 continue; /* already in SuppRates IE */
222 *pos = hapd->iface->current_rates[i].rate / 5;
223 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
224 *pos |= 0x80;
225 pos++;
226 }
227
228 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
229 count++;
230 if (count > 8)
231 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
232 }
233
234 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
235 count++;
236 if (count > 8)
237 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
238 }
239
240 #ifdef CONFIG_IEEE80211AX
241 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he) {
242 count++;
243 if (count > 8)
244 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY;
245 }
246 #endif /* CONFIG_IEEE80211AX */
247
248 if (h2e_required) {
249 count++;
250 if (count > 8)
251 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
252 }
253
254 hapd->conf->xrates_supported = true;
255 return pos;
256 }
257
258
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)259 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
260 size_t len)
261 {
262 size_t i;
263
264 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
265 if (hapd->conf->radio_measurements[i])
266 break;
267 }
268
269 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
270 return eid;
271
272 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
273 *eid++ = RRM_CAPABILITIES_IE_LEN;
274 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
275
276 return eid + RRM_CAPABILITIES_IE_LEN;
277 }
278
279
hostapd_own_capab_info(struct hostapd_data * hapd)280 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
281 {
282 int capab = WLAN_CAPABILITY_ESS;
283 int privacy = 0;
284 int dfs;
285 int i;
286
287 /* Check if any of configured channels require DFS */
288 dfs = hostapd_is_dfs_required(hapd->iface);
289 if (dfs < 0) {
290 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
291 dfs);
292 dfs = 0;
293 }
294
295 if (hapd->iface->num_sta_no_short_preamble == 0 &&
296 hapd->iconf->preamble == SHORT_PREAMBLE)
297 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
298
299 #ifdef CONFIG_WEP
300 privacy = hapd->conf->ssid.wep.keys_set;
301
302 if (hapd->conf->ieee802_1x &&
303 (hapd->conf->default_wep_key_len ||
304 hapd->conf->individual_wep_key_len))
305 privacy = 1;
306 #endif /* CONFIG_WEP */
307
308 if (hapd->conf->wpa)
309 privacy = 1;
310
311 #ifdef CONFIG_HS20
312 if (hapd->conf->osen)
313 privacy = 1;
314 #endif /* CONFIG_HS20 */
315
316 if (privacy)
317 capab |= WLAN_CAPABILITY_PRIVACY;
318
319 if (hapd->iface->current_mode &&
320 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
321 hapd->iface->num_sta_no_short_slot_time == 0)
322 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
323
324 /*
325 * Currently, Spectrum Management capability bit is set when directly
326 * requested in configuration by spectrum_mgmt_required or when AP is
327 * running on DFS channel.
328 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
329 */
330 if (hapd->iface->current_mode &&
331 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
332 (hapd->iconf->spectrum_mgmt_required || dfs))
333 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
334
335 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
336 if (hapd->conf->radio_measurements[i]) {
337 capab |= IEEE80211_CAP_RRM;
338 break;
339 }
340 }
341
342 return capab;
343 }
344
345
346 #ifdef CONFIG_WEP
347 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)348 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
349 u16 auth_transaction, const u8 *challenge,
350 int iswep)
351 {
352 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
353 HOSTAPD_LEVEL_DEBUG,
354 "authentication (shared key, transaction %d)",
355 auth_transaction);
356
357 if (auth_transaction == 1) {
358 if (!sta->challenge) {
359 /* Generate a pseudo-random challenge */
360 u8 key[8];
361
362 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
363 if (sta->challenge == NULL)
364 return WLAN_STATUS_UNSPECIFIED_FAILURE;
365
366 if (os_get_random(key, sizeof(key)) < 0) {
367 os_free(sta->challenge);
368 sta->challenge = NULL;
369 return WLAN_STATUS_UNSPECIFIED_FAILURE;
370 }
371
372 rc4_skip(key, sizeof(key), 0,
373 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
374 }
375 return 0;
376 }
377
378 if (auth_transaction != 3)
379 return WLAN_STATUS_UNSPECIFIED_FAILURE;
380
381 /* Transaction 3 */
382 if (!iswep || !sta->challenge || !challenge ||
383 os_memcmp_const(sta->challenge, challenge,
384 WLAN_AUTH_CHALLENGE_LEN)) {
385 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
386 HOSTAPD_LEVEL_INFO,
387 "shared key authentication - invalid "
388 "challenge-response");
389 return WLAN_STATUS_CHALLENGE_FAIL;
390 }
391
392 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
393 HOSTAPD_LEVEL_DEBUG,
394 "authentication OK (shared key)");
395 sta->flags |= WLAN_STA_AUTH;
396 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
397 os_free(sta->challenge);
398 sta->challenge = NULL;
399
400 return 0;
401 }
402 #endif /* CONFIG_NO_RC4 */
403 #endif /* CONFIG_WEP */
404
405
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)406 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
407 const u8 *dst,
408 u16 auth_alg, u16 auth_transaction, u16 resp,
409 const u8 *ies, size_t ies_len, const char *dbg)
410 {
411 struct ieee80211_mgmt *reply;
412 u8 *buf;
413 size_t rlen;
414 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
415 const u8 *sa = hapd->own_addr;
416 struct wpabuf *ml_resp = NULL;
417
418 #ifdef CONFIG_IEEE80211BE
419 if (ap_sta_is_mld(hapd, sta)) {
420 ml_resp = hostapd_ml_auth_resp(hapd);
421 if (!ml_resp)
422 return -1;
423 }
424 #endif /* CONFIG_IEEE80211BE */
425
426 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
427 if (ml_resp)
428 rlen += wpabuf_len(ml_resp);
429 buf = os_zalloc(rlen);
430 if (!buf) {
431 wpabuf_free(ml_resp);
432 return -1;
433 }
434
435 reply = (struct ieee80211_mgmt *) buf;
436 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
437 WLAN_FC_STYPE_AUTH);
438 os_memcpy(reply->da, dst, ETH_ALEN);
439 os_memcpy(reply->sa, sa, ETH_ALEN);
440 os_memcpy(reply->bssid, sa, ETH_ALEN);
441
442 reply->u.auth.auth_alg = host_to_le16(auth_alg);
443 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
444 reply->u.auth.status_code = host_to_le16(resp);
445
446 if (ies && ies_len)
447 os_memcpy(reply->u.auth.variable, ies, ies_len);
448
449 #ifdef CONFIG_IEEE80211BE
450 if (ml_resp)
451 os_memcpy(reply->u.auth.variable + ies_len,
452 wpabuf_head(ml_resp), wpabuf_len(ml_resp));
453
454 wpabuf_free(ml_resp);
455 #endif /* CONFIG_IEEE80211BE */
456
457 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR_SEC
458 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
459 MAC2STR_SEC(dst), auth_alg, auth_transaction,
460 resp, (unsigned long) ies_len, dbg);
461 #ifdef CONFIG_TESTING_OPTIONS
462 #ifdef CONFIG_SAE
463 if (hapd->conf->sae_confirm_immediate == 2 &&
464 auth_alg == WLAN_AUTH_SAE) {
465 if (auth_transaction == 1 && sta &&
466 (resp == WLAN_STATUS_SUCCESS ||
467 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
468 resp == WLAN_STATUS_SAE_PK)) {
469 wpa_printf(MSG_DEBUG,
470 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
471 os_free(sta->sae_postponed_commit);
472 sta->sae_postponed_commit = buf;
473 sta->sae_postponed_commit_len = rlen;
474 return WLAN_STATUS_SUCCESS;
475 }
476
477 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
478 wpa_printf(MSG_DEBUG,
479 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
480 if (hostapd_drv_send_mlme(hapd,
481 sta->sae_postponed_commit,
482 sta->sae_postponed_commit_len,
483 0, NULL, 0, 0) < 0)
484 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
485 os_free(sta->sae_postponed_commit);
486 sta->sae_postponed_commit = NULL;
487 sta->sae_postponed_commit_len = 0;
488 }
489 }
490 #endif /* CONFIG_SAE */
491 #endif /* CONFIG_TESTING_OPTIONS */
492 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
493 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
494 else
495 reply_res = WLAN_STATUS_SUCCESS;
496
497 os_free(buf);
498
499 return reply_res;
500 }
501
502
503 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)504 static void handle_auth_ft_finish(void *ctx, const u8 *dst,
505 u16 auth_transaction, u16 status,
506 const u8 *ies, size_t ies_len)
507 {
508 struct hostapd_data *hapd = ctx;
509 struct sta_info *sta;
510 int reply_res;
511
512 reply_res = send_auth_reply(hapd, NULL, dst, WLAN_AUTH_FT,
513 auth_transaction, status, ies, ies_len,
514 "auth-ft-finish");
515
516 sta = ap_get_sta(hapd, dst);
517 if (sta == NULL)
518 return;
519
520 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
521 status != WLAN_STATUS_SUCCESS)) {
522 hostapd_drv_sta_remove(hapd, sta->addr);
523 sta->added_unassoc = 0;
524 return;
525 }
526
527 if (status != WLAN_STATUS_SUCCESS)
528 return;
529
530 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
531 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
532 sta->flags |= WLAN_STA_AUTH;
533 mlme_authenticate_indication(hapd, sta);
534 }
535 #endif /* CONFIG_IEEE80211R_AP */
536
537
538 #ifdef CONFIG_SAE
539
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)540 static void sae_set_state(struct sta_info *sta, enum sae_state state,
541 const char *reason)
542 {
543 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR_SEC " (%s)",
544 sae_state_txt(sta->sae->state), sae_state_txt(state),
545 MAC2STR_SEC(sta->addr), reason);
546 sta->sae->state = state;
547 }
548
549
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)550 const char * sae_get_password(struct hostapd_data *hapd,
551 struct sta_info *sta,
552 const char *rx_id,
553 struct sae_password_entry **pw_entry,
554 struct sae_pt **s_pt,
555 const struct sae_pk **s_pk)
556 {
557 const char *password = NULL;
558 struct sae_password_entry *pw;
559 struct sae_pt *pt = NULL;
560 const struct sae_pk *pk = NULL;
561 struct hostapd_sta_wpa_psk_short *psk = NULL;
562
563 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
564 if (!is_broadcast_ether_addr(pw->peer_addr) &&
565 (!sta ||
566 !ether_addr_equal(pw->peer_addr, sta->addr)))
567 continue;
568 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
569 continue;
570 if (rx_id && pw->identifier &&
571 os_strcmp(rx_id, pw->identifier) != 0)
572 continue;
573 password = pw->password;
574 pt = pw->pt;
575 if (!(hapd->conf->mesh & MESH_ENABLED))
576 pk = pw->pk;
577 break;
578 }
579 if (!password) {
580 password = hapd->conf->ssid.wpa_passphrase;
581 pt = hapd->conf->ssid.pt;
582 }
583
584 if (!password && sta) {
585 for (psk = sta->psk; psk; psk = psk->next) {
586 if (psk->is_passphrase) {
587 password = psk->passphrase;
588 break;
589 }
590 }
591 }
592
593 if (pw_entry)
594 *pw_entry = pw;
595 if (s_pt)
596 *s_pt = pt;
597 if (s_pk)
598 *s_pk = pk;
599
600 return password;
601 }
602
603
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)604 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
605 struct sta_info *sta, int update,
606 int status_code)
607 {
608 struct wpabuf *buf;
609 const char *password = NULL;
610 struct sae_password_entry *pw;
611 const char *rx_id = NULL;
612 int use_pt = 0;
613 struct sae_pt *pt = NULL;
614 const struct sae_pk *pk = NULL;
615 const u8 *own_addr = hapd->own_addr;
616
617 #ifdef CONFIG_IEEE80211BE
618 if (ap_sta_is_mld(hapd, sta))
619 own_addr = hapd->mld->mld_addr;
620 #endif /* CONFIG_IEEE80211BE */
621
622 if (sta->sae->tmp) {
623 rx_id = sta->sae->tmp->pw_id;
624 use_pt = sta->sae->h2e;
625 #ifdef CONFIG_SAE_PK
626 os_memcpy(sta->sae->tmp->own_addr, own_addr, ETH_ALEN);
627 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
628 #endif /* CONFIG_SAE_PK */
629 }
630
631 if (rx_id && hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
632 use_pt = 1;
633 else if (status_code == WLAN_STATUS_SUCCESS)
634 use_pt = 0;
635 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
636 status_code == WLAN_STATUS_SAE_PK)
637 use_pt = 1;
638
639 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
640 if (!password || (use_pt && !pt)) {
641 wpa_printf(MSG_DEBUG, "SAE: No password available");
642 return NULL;
643 }
644
645 if (update && use_pt &&
646 sae_prepare_commit_pt(sta->sae, pt, own_addr, sta->addr,
647 NULL, pk) < 0)
648 return NULL;
649
650 if (update && !use_pt &&
651 sae_prepare_commit(own_addr, sta->addr,
652 (u8 *) password, os_strlen(password),
653 sta->sae) < 0) {
654 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
655 return NULL;
656 }
657
658 if (pw && pw->vlan_id) {
659 if (!sta->sae->tmp) {
660 wpa_printf(MSG_INFO,
661 "SAE: No temporary data allocated - cannot store VLAN ID");
662 return NULL;
663 }
664 sta->sae->tmp->vlan_id = pw->vlan_id;
665 }
666
667 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
668 (rx_id ? 3 + os_strlen(rx_id) : 0));
669 if (buf &&
670 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
671 sta->sae->tmp->anti_clogging_token : NULL,
672 rx_id) < 0) {
673 wpabuf_free(buf);
674 buf = NULL;
675 }
676
677 return buf;
678 }
679
680
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)681 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
682 struct sta_info *sta)
683 {
684 struct wpabuf *buf;
685
686 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
687 if (buf == NULL)
688 return NULL;
689
690 #ifdef CONFIG_SAE_PK
691 #ifdef CONFIG_TESTING_OPTIONS
692 if (sta->sae->tmp)
693 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
694 #endif /* CONFIG_TESTING_OPTIONS */
695 #endif /* CONFIG_SAE_PK */
696
697 if (sae_write_confirm(sta->sae, buf) < 0) {
698 wpabuf_free(buf);
699 return NULL;
700 }
701
702 return buf;
703 }
704
705
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)706 static int auth_sae_send_commit(struct hostapd_data *hapd,
707 struct sta_info *sta,
708 int update, int status_code)
709 {
710 struct wpabuf *data;
711 int reply_res;
712 u16 status;
713
714 data = auth_build_sae_commit(hapd, sta, update, status_code);
715 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
716 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
717 if (data == NULL)
718 return WLAN_STATUS_UNSPECIFIED_FAILURE;
719
720 if (sta->sae->tmp && sta->sae->pk)
721 status = WLAN_STATUS_SAE_PK;
722 else if (sta->sae->tmp && sta->sae->h2e)
723 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
724 else
725 status = WLAN_STATUS_SUCCESS;
726 #ifdef CONFIG_TESTING_OPTIONS
727 if (hapd->conf->sae_commit_status >= 0 &&
728 hapd->conf->sae_commit_status != status) {
729 wpa_printf(MSG_INFO,
730 "TESTING: Override SAE commit status code %u --> %d",
731 status, hapd->conf->sae_commit_status);
732 status = hapd->conf->sae_commit_status;
733 }
734 #endif /* CONFIG_TESTING_OPTIONS */
735 reply_res = send_auth_reply(hapd, sta, sta->addr,
736 WLAN_AUTH_SAE, 1,
737 status, wpabuf_head(data),
738 wpabuf_len(data), "sae-send-commit");
739
740 wpabuf_free(data);
741
742 return reply_res;
743 }
744
745
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta)746 static int auth_sae_send_confirm(struct hostapd_data *hapd,
747 struct sta_info *sta)
748 {
749 struct wpabuf *data;
750 int reply_res;
751
752 data = auth_build_sae_confirm(hapd, sta);
753 if (data == NULL)
754 return WLAN_STATUS_UNSPECIFIED_FAILURE;
755
756 reply_res = send_auth_reply(hapd, sta, sta->addr,
757 WLAN_AUTH_SAE, 2,
758 WLAN_STATUS_SUCCESS, wpabuf_head(data),
759 wpabuf_len(data), "sae-send-confirm");
760
761 wpabuf_free(data);
762
763 return reply_res;
764 }
765
766 #endif /* CONFIG_SAE */
767
768
769 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
770
use_anti_clogging(struct hostapd_data * hapd)771 static int use_anti_clogging(struct hostapd_data *hapd)
772 {
773 struct sta_info *sta;
774 unsigned int open = 0;
775
776 if (hapd->conf->anti_clogging_threshold == 0)
777 return 1;
778
779 for (sta = hapd->sta_list; sta; sta = sta->next) {
780 #ifdef CONFIG_SAE
781 if (sta->sae &&
782 (sta->sae->state == SAE_COMMITTED ||
783 sta->sae->state == SAE_CONFIRMED))
784 open++;
785 #endif /* CONFIG_SAE */
786 #ifdef CONFIG_PASN
787 if (sta->pasn && sta->pasn->ecdh)
788 open++;
789 #endif /* CONFIG_PASN */
790 if (open >= hapd->conf->anti_clogging_threshold)
791 return 1;
792 }
793
794 #ifdef CONFIG_SAE
795 /* In addition to already existing open SAE sessions, check whether
796 * there are enough pending commit messages in the processing queue to
797 * potentially result in too many open sessions. */
798 if (open + dl_list_len(&hapd->sae_commit_queue) >=
799 hapd->conf->anti_clogging_threshold)
800 return 1;
801 #endif /* CONFIG_SAE */
802
803 return 0;
804 }
805
806 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
807
808
809 #ifdef CONFIG_SAE
810
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)811 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
812 {
813 if (sta->sae->sync > hapd->conf->sae_sync) {
814 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
815 sta->sae->sync = 0;
816 if (sta->sae->tmp) {
817 /* Disable this SAE instance for 10 seconds to avoid
818 * unnecessary flood of multiple SAE commits in
819 * unexpected mesh cases. */
820 if (os_get_reltime(&sta->sae->tmp->disabled_until) == 0)
821 sta->sae->tmp->disabled_until.sec += 10;
822 }
823 return -1;
824 }
825 return 0;
826 }
827
828
sae_proto_instance_disabled(struct sta_info * sta)829 static bool sae_proto_instance_disabled(struct sta_info *sta)
830 {
831 struct sae_temporary_data *tmp;
832
833 if (!sta->sae)
834 return false;
835 tmp = sta->sae->tmp;
836 if (!tmp)
837 return false;
838
839 if (os_reltime_initialized(&tmp->disabled_until)) {
840 struct os_reltime now;
841
842 os_get_reltime(&now);
843 if (os_reltime_before(&now, &tmp->disabled_until))
844 return true;
845 }
846
847 return false;
848 }
849
850
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)851 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
852 {
853 struct hostapd_data *hapd = eloop_ctx;
854 struct sta_info *sta = eloop_data;
855 int ret;
856
857 if (sae_check_big_sync(hapd, sta))
858 return;
859 sta->sae->sync++;
860 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR_SEC
861 " (sync=%d state=%s)",
862 MAC2STR_SEC(sta->addr), sta->sae->sync,
863 sae_state_txt(sta->sae->state));
864
865 switch (sta->sae->state) {
866 case SAE_COMMITTED:
867 ret = auth_sae_send_commit(hapd, sta, 0, -1);
868 eloop_register_timeout(0,
869 hapd->dot11RSNASAERetransPeriod * 1000,
870 auth_sae_retransmit_timer, hapd, sta);
871 break;
872 case SAE_CONFIRMED:
873 ret = auth_sae_send_confirm(hapd, sta);
874 eloop_register_timeout(0,
875 hapd->dot11RSNASAERetransPeriod * 1000,
876 auth_sae_retransmit_timer, hapd, sta);
877 break;
878 default:
879 ret = -1;
880 break;
881 }
882
883 if (ret != WLAN_STATUS_SUCCESS)
884 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
885 }
886
887
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)888 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
889 {
890 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
891 }
892
893
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)894 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
895 struct sta_info *sta)
896 {
897 if (!(hapd->conf->mesh & MESH_ENABLED))
898 return;
899
900 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
901 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
902 auth_sae_retransmit_timer, hapd, sta);
903 }
904
905
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)906 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
907 struct sta_info *sta, u16 status)
908 {
909 struct external_auth params;
910
911 os_memset(¶ms, 0, sizeof(params));
912 params.status = status;
913
914 #ifdef CONFIG_IEEE80211BE
915 if (ap_sta_is_mld(hapd, sta))
916 params.bssid =
917 sta->mld_info.links[sta->mld_assoc_link_id].peer_addr;
918 #endif /* CONFIG_IEEE80211BE */
919 if (!params.bssid)
920 params.bssid = sta->addr;
921
922 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
923 !hapd->conf->disable_pmksa_caching)
924 params.pmkid = sta->sae->pmkid;
925
926 hostapd_drv_send_external_auth_status(hapd, ¶ms);
927 }
928
929
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)930 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
931 {
932 #ifndef CONFIG_NO_VLAN
933 struct vlan_description vlan_desc;
934
935 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
936 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR_SEC
937 " to VLAN ID %d",
938 MAC2STR_SEC(sta->addr), sta->sae->tmp->vlan_id);
939
940 if (!(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_VLAN_OFFLOAD)) {
941 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
942 vlan_desc.notempty = 1;
943 vlan_desc.untagged = sta->sae->tmp->vlan_id;
944 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
945 wpa_printf(MSG_INFO,
946 "Invalid VLAN ID %d in sae_password",
947 sta->sae->tmp->vlan_id);
948 return;
949 }
950
951 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
952 ap_sta_bind_vlan(hapd, sta) < 0) {
953 wpa_printf(MSG_INFO,
954 "Failed to assign VLAN ID %d from sae_password to "
955 MACSTR_SEC, sta->sae->tmp->vlan_id,
956 MAC2STR_SEC(sta->addr));
957 return;
958 }
959 } else {
960 sta->vlan_id = sta->sae->tmp->vlan_id;
961 }
962 }
963 #endif /* CONFIG_NO_VLAN */
964
965 sta->flags |= WLAN_STA_AUTH;
966 sta->auth_alg = WLAN_AUTH_SAE;
967 mlme_authenticate_indication(hapd, sta);
968 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
969 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
970 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
971 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
972 sta->sae->peer_commit_scalar = NULL;
973 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
974 sta->sae->pmk, sta->sae->pmk_len,
975 sta->sae->pmkid, sta->sae->akmp);
976 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
977 }
978
979
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
981 u16 auth_transaction, u16 status_code,
982 int allow_reuse, int *sta_removed)
983 {
984 int ret;
985
986 *sta_removed = 0;
987
988 if (auth_transaction != 1 && auth_transaction != 2)
989 return WLAN_STATUS_UNSPECIFIED_FAILURE;
990
991 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR_SEC " state=%s auth_trans=%u",
992 MAC2STR_SEC(sta->addr), sae_state_txt(sta->sae->state),
993 auth_transaction);
994
995 if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) {
996 wpa_printf(MSG_DEBUG,
997 "SAE: Protocol instance temporarily disabled - discard received SAE commit");
998 return WLAN_STATUS_SUCCESS;
999 }
1000
1001 switch (sta->sae->state) {
1002 case SAE_NOTHING:
1003 if (auth_transaction == 1) {
1004 if (sta->sae->tmp) {
1005 sta->sae->h2e =
1006 (status_code ==
1007 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1008 status_code == WLAN_STATUS_SAE_PK);
1009 sta->sae->pk =
1010 status_code == WLAN_STATUS_SAE_PK;
1011 }
1012 ret = auth_sae_send_commit(hapd, sta,
1013 !allow_reuse, status_code);
1014 if (ret)
1015 return ret;
1016 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1017
1018 if (sae_process_commit(sta->sae) < 0)
1019 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1020
1021 /*
1022 * In mesh case, both Commit and Confirm are sent
1023 * immediately. In infrastructure BSS, by default, only
1024 * a single Authentication frame (Commit) is expected
1025 * from the AP here and the second one (Confirm) will
1026 * be sent once the STA has sent its second
1027 * Authentication frame (Confirm). This behavior can be
1028 * overridden with explicit configuration so that the
1029 * infrastructure BSS case sends both frames together.
1030 */
1031 if ((hapd->conf->mesh & MESH_ENABLED) ||
1032 hapd->conf->sae_confirm_immediate) {
1033 /*
1034 * Send both Commit and Confirm immediately
1035 * based on SAE finite state machine
1036 * Nothing -> Confirm transition.
1037 */
1038 ret = auth_sae_send_confirm(hapd, sta);
1039 if (ret)
1040 return ret;
1041 sae_set_state(sta, SAE_CONFIRMED,
1042 "Sent Confirm (mesh)");
1043 } else {
1044 /*
1045 * For infrastructure BSS, send only the Commit
1046 * message now to get alternating sequence of
1047 * Authentication frames between the AP and STA.
1048 * Confirm will be sent in
1049 * Committed -> Confirmed/Accepted transition
1050 * when receiving Confirm from STA.
1051 */
1052 }
1053 sta->sae->sync = 0;
1054 sae_set_retransmit_timer(hapd, sta);
1055 } else {
1056 hostapd_logger(hapd, sta->addr,
1057 HOSTAPD_MODULE_IEEE80211,
1058 HOSTAPD_LEVEL_DEBUG,
1059 "SAE confirm before commit");
1060 }
1061 break;
1062 case SAE_COMMITTED:
1063 sae_clear_retransmit_timer(hapd, sta);
1064 if (auth_transaction == 1) {
1065 if (sae_process_commit(sta->sae) < 0)
1066 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1067
1068 ret = auth_sae_send_confirm(hapd, sta);
1069 if (ret)
1070 return ret;
1071 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1072 sta->sae->sync = 0;
1073 sae_set_retransmit_timer(hapd, sta);
1074 } else if (hapd->conf->mesh & MESH_ENABLED) {
1075 /*
1076 * In mesh case, follow SAE finite state machine and
1077 * send Commit now, if sync count allows.
1078 */
1079 if (sae_check_big_sync(hapd, sta))
1080 return WLAN_STATUS_SUCCESS;
1081 sta->sae->sync++;
1082
1083 ret = auth_sae_send_commit(hapd, sta, 0, status_code);
1084 if (ret)
1085 return ret;
1086
1087 sae_set_retransmit_timer(hapd, sta);
1088 } else {
1089 /*
1090 * For instructure BSS, send the postponed Confirm from
1091 * Nothing -> Confirmed transition that was reduced to
1092 * Nothing -> Committed above.
1093 */
1094 ret = auth_sae_send_confirm(hapd, sta);
1095 if (ret)
1096 return ret;
1097
1098 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1099
1100 /*
1101 * Since this was triggered on Confirm RX, run another
1102 * step to get to Accepted without waiting for
1103 * additional events.
1104 */
1105 return sae_sm_step(hapd, sta, auth_transaction,
1106 WLAN_STATUS_SUCCESS, 0, sta_removed);
1107 }
1108 break;
1109 case SAE_CONFIRMED:
1110 sae_clear_retransmit_timer(hapd, sta);
1111 if (auth_transaction == 1) {
1112 if (sae_check_big_sync(hapd, sta))
1113 return WLAN_STATUS_SUCCESS;
1114 sta->sae->sync++;
1115
1116 ret = auth_sae_send_commit(hapd, sta, 1, status_code);
1117 if (ret)
1118 return ret;
1119
1120 if (sae_process_commit(sta->sae) < 0)
1121 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1122
1123 ret = auth_sae_send_confirm(hapd, sta);
1124 if (ret)
1125 return ret;
1126
1127 sae_set_retransmit_timer(hapd, sta);
1128 } else {
1129 sta->sae->send_confirm = 0xffff;
1130 sae_accept_sta(hapd, sta);
1131 }
1132 break;
1133 case SAE_ACCEPTED:
1134 if (auth_transaction == 1 &&
1135 (hapd->conf->mesh & MESH_ENABLED)) {
1136 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR_SEC
1137 ") doing reauthentication",
1138 MAC2STR_SEC(sta->addr));
1139 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1140 ap_free_sta(hapd, sta);
1141 *sta_removed = 1;
1142 } else if (auth_transaction == 1) {
1143 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1144 ret = auth_sae_send_commit(hapd, sta, 1, status_code);
1145 if (ret)
1146 return ret;
1147 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1148
1149 if (sae_process_commit(sta->sae) < 0)
1150 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1151 sta->sae->sync = 0;
1152 sae_set_retransmit_timer(hapd, sta);
1153 } else {
1154 if (sae_check_big_sync(hapd, sta))
1155 return WLAN_STATUS_SUCCESS;
1156 sta->sae->sync++;
1157
1158 ret = auth_sae_send_confirm(hapd, sta);
1159 sae_clear_temp_data(sta->sae);
1160 if (ret)
1161 return ret;
1162 }
1163 break;
1164 default:
1165 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1166 sta->sae->state);
1167 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1168 }
1169 return WLAN_STATUS_SUCCESS;
1170 }
1171
1172
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1173 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1174 {
1175 struct sae_data *sae = sta->sae;
1176 int i, *groups = hapd->conf->sae_groups;
1177 int default_groups[] = { 19, 0 };
1178
1179 if (sae->state != SAE_COMMITTED)
1180 return;
1181
1182 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1183
1184 if (!groups)
1185 groups = default_groups;
1186 for (i = 0; groups[i] > 0; i++) {
1187 if (sae->group == groups[i])
1188 break;
1189 }
1190
1191 if (groups[i] <= 0) {
1192 wpa_printf(MSG_DEBUG,
1193 "SAE: Previously selected group not found from the current configuration");
1194 return;
1195 }
1196
1197 for (;;) {
1198 i++;
1199 if (groups[i] <= 0) {
1200 wpa_printf(MSG_DEBUG,
1201 "SAE: No alternative group enabled");
1202 return;
1203 }
1204
1205 if (sae_set_group(sae, groups[i]) < 0)
1206 continue;
1207
1208 break;
1209 }
1210 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1211 }
1212
1213
sae_status_success(struct hostapd_data * hapd,u16 status_code)1214 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1215 {
1216 enum sae_pwe sae_pwe = hapd->conf->sae_pwe;
1217 int id_in_use;
1218 bool sae_pk = false;
1219
1220 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1221 if (id_in_use == 2 && sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
1222 sae_pwe = SAE_PWE_HASH_TO_ELEMENT;
1223 else if (id_in_use == 1 && sae_pwe == SAE_PWE_HUNT_AND_PECK)
1224 sae_pwe = SAE_PWE_BOTH;
1225 #ifdef CONFIG_SAE_PK
1226 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1227 if (sae_pwe == SAE_PWE_HUNT_AND_PECK && sae_pk)
1228 sae_pwe = SAE_PWE_BOTH;
1229 #endif /* CONFIG_SAE_PK */
1230 if (sae_pwe == SAE_PWE_HUNT_AND_PECK &&
1231 (hapd->conf->wpa_key_mgmt &
1232 (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY)))
1233 sae_pwe = SAE_PWE_BOTH;
1234
1235 return ((sae_pwe == SAE_PWE_HUNT_AND_PECK ||
1236 sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) &&
1237 status_code == WLAN_STATUS_SUCCESS) ||
1238 (sae_pwe == SAE_PWE_HASH_TO_ELEMENT &&
1239 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1240 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1241 (sae_pwe == SAE_PWE_BOTH &&
1242 (status_code == WLAN_STATUS_SUCCESS ||
1243 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1244 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1245 }
1246
1247
sae_is_group_enabled(struct hostapd_data * hapd,int group)1248 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1249 {
1250 int *groups = hapd->conf->sae_groups;
1251 int default_groups[] = { 19, 0 };
1252 int i;
1253
1254 if (!groups)
1255 groups = default_groups;
1256
1257 for (i = 0; groups[i] > 0; i++) {
1258 if (groups[i] == group)
1259 return 1;
1260 }
1261
1262 return 0;
1263 }
1264
1265
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1266 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1267 struct sae_data *sae)
1268 {
1269 const struct wpabuf *groups;
1270 size_t i, count, len;
1271 const u8 *pos;
1272
1273 if (!sae->tmp)
1274 return 0;
1275 groups = sae->tmp->peer_rejected_groups;
1276 if (!groups)
1277 return 0;
1278
1279 pos = wpabuf_head(groups);
1280 len = wpabuf_len(groups);
1281 if (len & 1) {
1282 wpa_printf(MSG_DEBUG,
1283 "SAE: Invalid length of the Rejected Groups element payload: %zu",
1284 len);
1285 return 1;
1286 }
1287
1288 count = len / 2;
1289 for (i = 0; i < count; i++) {
1290 int enabled;
1291 u16 group;
1292
1293 group = WPA_GET_LE16(pos);
1294 pos += 2;
1295 enabled = sae_is_group_enabled(hapd, group);
1296 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1297 group, enabled ? "enabled" : "disabled");
1298 if (enabled)
1299 return 1;
1300 }
1301
1302 return 0;
1303 }
1304
1305
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1306 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1307 const struct ieee80211_mgmt *mgmt, size_t len,
1308 u16 auth_transaction, u16 status_code)
1309 {
1310 int resp = WLAN_STATUS_SUCCESS;
1311 struct wpabuf *data = NULL;
1312 int *groups = hapd->conf->sae_groups;
1313 int default_groups[] = { 19, 0 };
1314 const u8 *pos, *end;
1315 int sta_removed = 0;
1316 bool success_status;
1317
1318 if (!groups)
1319 groups = default_groups;
1320
1321 #ifdef CONFIG_TESTING_OPTIONS
1322 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1323 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1324 pos = mgmt->u.auth.variable;
1325 end = ((const u8 *) mgmt) + len;
1326 resp = status_code;
1327 send_auth_reply(hapd, sta, sta->addr,
1328 WLAN_AUTH_SAE,
1329 auth_transaction, resp, pos, end - pos,
1330 "auth-sae-reflection-attack");
1331 goto remove_sta;
1332 }
1333
1334 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1335 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1336 send_auth_reply(hapd, sta, sta->addr,
1337 WLAN_AUTH_SAE,
1338 auth_transaction, resp,
1339 wpabuf_head(hapd->conf->sae_commit_override),
1340 wpabuf_len(hapd->conf->sae_commit_override),
1341 "sae-commit-override");
1342 goto remove_sta;
1343 }
1344 #endif /* CONFIG_TESTING_OPTIONS */
1345 if (!sta->sae) {
1346 if (auth_transaction != 1 ||
1347 !sae_status_success(hapd, status_code)) {
1348 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1349 status_code);
1350 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1351 goto reply;
1352 }
1353 sta->sae = os_zalloc(sizeof(*sta->sae));
1354 if (!sta->sae) {
1355 resp = -1;
1356 goto remove_sta;
1357 }
1358 sae_set_state(sta, SAE_NOTHING, "Init");
1359 sta->sae->sync = 0;
1360 }
1361
1362 if (sta->mesh_sae_pmksa_caching) {
1363 wpa_printf(MSG_DEBUG,
1364 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1365 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1366 sta->mesh_sae_pmksa_caching = 0;
1367 }
1368
1369 if (auth_transaction == 1) {
1370 const u8 *token = NULL;
1371 size_t token_len = 0;
1372 int allow_reuse = 0;
1373
1374 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1375 HOSTAPD_LEVEL_DEBUG,
1376 "start SAE authentication (RX commit, status=%u (%s))",
1377 status_code, status2str(status_code));
1378
1379 if ((hapd->conf->mesh & MESH_ENABLED) &&
1380 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1381 sta->sae->tmp) {
1382 pos = mgmt->u.auth.variable;
1383 end = ((const u8 *) mgmt) + len;
1384 if (pos + sizeof(le16) > end) {
1385 wpa_printf(MSG_ERROR,
1386 "SAE: Too short anti-clogging token request");
1387 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1388 goto reply;
1389 }
1390 resp = sae_group_allowed(sta->sae, groups,
1391 WPA_GET_LE16(pos));
1392 if (resp != WLAN_STATUS_SUCCESS) {
1393 wpa_printf(MSG_ERROR,
1394 "SAE: Invalid group in anti-clogging token request");
1395 goto reply;
1396 }
1397 pos += sizeof(le16);
1398
1399 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1400 sta->sae->tmp->anti_clogging_token =
1401 wpabuf_alloc_copy(pos, end - pos);
1402 if (sta->sae->tmp->anti_clogging_token == NULL) {
1403 wpa_printf(MSG_ERROR,
1404 "SAE: Failed to alloc for anti-clogging token");
1405 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1406 goto remove_sta;
1407 }
1408
1409 /*
1410 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1411 * is 76, a new Commit Message shall be constructed
1412 * with the Anti-Clogging Token from the received
1413 * Authentication frame, and the commit-scalar and
1414 * COMMIT-ELEMENT previously sent.
1415 */
1416 resp = auth_sae_send_commit(hapd, sta, 0, status_code);
1417 if (resp != WLAN_STATUS_SUCCESS) {
1418 wpa_printf(MSG_ERROR,
1419 "SAE: Failed to send commit message");
1420 goto remove_sta;
1421 }
1422 sae_set_state(sta, SAE_COMMITTED,
1423 "Sent Commit (anti-clogging token case in mesh)");
1424 sta->sae->sync = 0;
1425 sae_set_retransmit_timer(hapd, sta);
1426 return;
1427 }
1428
1429 if ((hapd->conf->mesh & MESH_ENABLED) &&
1430 status_code ==
1431 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1432 sta->sae->tmp) {
1433 wpa_printf(MSG_DEBUG,
1434 "SAE: Peer did not accept our SAE group");
1435 sae_pick_next_group(hapd, sta);
1436 goto remove_sta;
1437 }
1438
1439 if (!sae_status_success(hapd, status_code))
1440 goto remove_sta;
1441
1442 if (sae_proto_instance_disabled(sta)) {
1443 wpa_printf(MSG_DEBUG,
1444 "SAE: Protocol instance temporarily disabled - discard received SAE commit");
1445 return;
1446 }
1447
1448 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1449 sta->sae->state == SAE_COMMITTED) {
1450 /* This is needed in the infrastructure BSS case to
1451 * address a sequence where a STA entry may remain in
1452 * hostapd across two attempts to do SAE authentication
1453 * by the same STA. The second attempt may end up trying
1454 * to use a different group and that would not be
1455 * allowed if we remain in Committed state with the
1456 * previously set parameters. */
1457 pos = mgmt->u.auth.variable;
1458 end = ((const u8 *) mgmt) + len;
1459 if (end - pos >= (int) sizeof(le16) &&
1460 sae_group_allowed(sta->sae, groups,
1461 WPA_GET_LE16(pos)) ==
1462 WLAN_STATUS_SUCCESS) {
1463 /* Do not waste resources deriving the same PWE
1464 * again since the same group is reused. */
1465 sae_set_state(sta, SAE_NOTHING,
1466 "Allow previous PWE to be reused");
1467 allow_reuse = 1;
1468 } else {
1469 sae_set_state(sta, SAE_NOTHING,
1470 "Clear existing state to allow restart");
1471 sae_clear_data(sta->sae);
1472 }
1473 }
1474
1475 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1476 ((const u8 *) mgmt) + len -
1477 mgmt->u.auth.variable, &token,
1478 &token_len, groups, status_code ==
1479 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1480 status_code == WLAN_STATUS_SAE_PK,
1481 NULL);
1482 if (resp == SAE_SILENTLY_DISCARD) {
1483 wpa_printf(MSG_DEBUG,
1484 "SAE: Drop commit message from " MACSTR_SEC " due to reflection attack",
1485 MAC2STR_SEC(sta->addr));
1486 goto remove_sta;
1487 }
1488
1489 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1490 wpa_msg(hapd->msg_ctx, MSG_INFO,
1491 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1492 MACSTR, MAC2STR(sta->addr));
1493 sae_clear_retransmit_timer(hapd, sta);
1494 sae_set_state(sta, SAE_NOTHING,
1495 "Unknown Password Identifier");
1496 goto remove_sta;
1497 }
1498
1499 if (token &&
1500 check_comeback_token(hapd->comeback_key,
1501 hapd->comeback_pending_idx, sta->addr,
1502 token, token_len)
1503 < 0) {
1504 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1505 "incorrect token from " MACSTR_SEC,
1506 MAC2STR_SEC(sta->addr));
1507 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1508 goto remove_sta;
1509 }
1510
1511 if (resp != WLAN_STATUS_SUCCESS)
1512 goto reply;
1513
1514 if (check_sae_rejected_groups(hapd, sta->sae)) {
1515 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1516 goto reply;
1517 }
1518
1519 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1520 int h2e = 0;
1521
1522 wpa_printf(MSG_DEBUG,
1523 "SAE: Request anti-clogging token from "
1524 MACSTR_SEC, MAC2STR_SEC(sta->addr));
1525 if (sta->sae->tmp)
1526 h2e = sta->sae->h2e;
1527 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1528 status_code == WLAN_STATUS_SAE_PK)
1529 h2e = 1;
1530 data = auth_build_token_req(
1531 &hapd->last_comeback_key_update,
1532 hapd->comeback_key,
1533 hapd->comeback_idx,
1534 hapd->comeback_pending_idx,
1535 sizeof(hapd->comeback_pending_idx),
1536 sta->sae->group,
1537 sta->addr, h2e);
1538 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1539 if (hapd->conf->mesh & MESH_ENABLED)
1540 sae_set_state(sta, SAE_NOTHING,
1541 "Request anti-clogging token case in mesh");
1542 goto reply;
1543 }
1544
1545 resp = sae_sm_step(hapd, sta, auth_transaction,
1546 status_code, allow_reuse, &sta_removed);
1547 } else if (auth_transaction == 2) {
1548 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1549 HOSTAPD_LEVEL_DEBUG,
1550 "SAE authentication (RX confirm, status=%u (%s))",
1551 status_code, status2str(status_code));
1552 if (status_code != WLAN_STATUS_SUCCESS)
1553 goto remove_sta;
1554 if (sta->sae->state >= SAE_CONFIRMED ||
1555 !(hapd->conf->mesh & MESH_ENABLED)) {
1556 const u8 *var;
1557 size_t var_len;
1558 u16 peer_send_confirm;
1559
1560 var = mgmt->u.auth.variable;
1561 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1562 if (var_len < 2) {
1563 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1564 goto reply;
1565 }
1566
1567 peer_send_confirm = WPA_GET_LE16(var);
1568
1569 if (sta->sae->state == SAE_ACCEPTED &&
1570 (peer_send_confirm <= sta->sae->rc ||
1571 peer_send_confirm == 0xffff)) {
1572 wpa_printf(MSG_DEBUG,
1573 "SAE: Silently ignore unexpected Confirm from peer "
1574 MACSTR_SEC
1575 " (peer-send-confirm=%u Rc=%u)",
1576 MAC2STR_SEC(sta->addr),
1577 peer_send_confirm, sta->sae->rc);
1578 return;
1579 }
1580
1581 if (sae_check_confirm(sta->sae, var, var_len,
1582 NULL) < 0) {
1583 resp = WLAN_STATUS_CHALLENGE_FAIL;
1584 goto reply;
1585 }
1586 sta->sae->rc = peer_send_confirm;
1587 }
1588 resp = sae_sm_step(hapd, sta, auth_transaction,
1589 status_code, 0, &sta_removed);
1590 } else {
1591 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1592 HOSTAPD_LEVEL_DEBUG,
1593 "unexpected SAE authentication transaction %u (status=%u (%s))",
1594 auth_transaction, status_code,
1595 status2str(status_code));
1596 if (status_code != WLAN_STATUS_SUCCESS)
1597 goto remove_sta;
1598 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1599 }
1600
1601 reply:
1602 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1603 pos = mgmt->u.auth.variable;
1604 end = ((const u8 *) mgmt) + len;
1605
1606 /* Copy the Finite Cyclic Group field from the request if we
1607 * rejected it as unsupported group. */
1608 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1609 !data && end - pos >= 2)
1610 data = wpabuf_alloc_copy(pos, 2);
1611
1612 sae_sme_send_external_auth_status(hapd, sta, resp);
1613 send_auth_reply(hapd, sta, sta->addr,
1614 WLAN_AUTH_SAE,
1615 auth_transaction, resp,
1616 data ? wpabuf_head(data) : (u8 *) "",
1617 data ? wpabuf_len(data) : 0, "auth-sae");
1618 if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id &&
1619 resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER &&
1620 auth_transaction == 1) {
1621 wpa_printf(MSG_DEBUG,
1622 "SAE: Clear stored password identifier since this SAE commit was not accepted");
1623 os_free(sta->sae->tmp->pw_id);
1624 sta->sae->tmp->pw_id = NULL;
1625 }
1626 }
1627
1628 remove_sta:
1629 if (auth_transaction == 1)
1630 success_status = sae_status_success(hapd, status_code);
1631 else
1632 success_status = status_code == WLAN_STATUS_SUCCESS;
1633 if (!sta_removed && sta->added_unassoc &&
1634 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1635 hostapd_drv_sta_remove(hapd, sta->addr);
1636 sta->added_unassoc = 0;
1637 }
1638 wpabuf_free(data);
1639 }
1640
1641
1642 /**
1643 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1644 * @hapd: BSS data for the device initiating the authentication
1645 * @sta: the peer to which commit authentication frame is sent
1646 *
1647 * This function implements Init event handling (IEEE Std 802.11-2012,
1648 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1649 * sta->sae structure should be initialized appropriately via a call to
1650 * sae_prepare_commit().
1651 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1652 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1653 {
1654 int ret;
1655
1656 if (!sta->sae || !sta->sae->tmp)
1657 return -1;
1658
1659 if (sta->sae->state != SAE_NOTHING)
1660 return -1;
1661
1662 ret = auth_sae_send_commit(hapd, sta, 0, -1);
1663 if (ret)
1664 return -1;
1665
1666 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1667 sta->sae->sync = 0;
1668 sae_set_retransmit_timer(hapd, sta);
1669
1670 return 0;
1671 }
1672
1673
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1674 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1675 {
1676 struct hostapd_data *hapd = eloop_ctx;
1677 struct hostapd_sae_commit_queue *q;
1678 unsigned int queue_len;
1679
1680 q = dl_list_first(&hapd->sae_commit_queue,
1681 struct hostapd_sae_commit_queue, list);
1682 if (!q)
1683 return;
1684 wpa_printf(MSG_DEBUG,
1685 "SAE: Process next available message from queue");
1686 dl_list_del(&q->list);
1687 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1688 q->rssi, 1);
1689 os_free(q);
1690
1691 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1692 return;
1693 queue_len = dl_list_len(&hapd->sae_commit_queue);
1694 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1695 hapd, NULL);
1696 }
1697
1698
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1699 static void auth_sae_queue(struct hostapd_data *hapd,
1700 const struct ieee80211_mgmt *mgmt, size_t len,
1701 int rssi)
1702 {
1703 struct hostapd_sae_commit_queue *q, *q2;
1704 unsigned int queue_len;
1705 const struct ieee80211_mgmt *mgmt2;
1706
1707 queue_len = dl_list_len(&hapd->sae_commit_queue);
1708 if (queue_len >= 15) {
1709 wpa_printf(MSG_DEBUG,
1710 "SAE: No more room in message queue - drop the new frame from "
1711 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
1712 return;
1713 }
1714
1715 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1716 MACSTR_SEC " for processing (queue_len %u)", MAC2STR_SEC(mgmt->sa),
1717 queue_len);
1718 q = os_zalloc(sizeof(*q) + len);
1719 if (!q)
1720 return;
1721 q->rssi = rssi;
1722 q->len = len;
1723 os_memcpy(q->msg, mgmt, len);
1724
1725 /* Check whether there is already a queued Authentication frame from the
1726 * same station with the same transaction number and if so, replace that
1727 * queue entry with the new one. This avoids issues with a peer that
1728 * sends multiple times (e.g., due to frequent SAE retries). There is no
1729 * point in us trying to process the old attempts after a new one has
1730 * obsoleted them. */
1731 dl_list_for_each(q2, &hapd->sae_commit_queue,
1732 struct hostapd_sae_commit_queue, list) {
1733 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1734 if (ether_addr_equal(mgmt->sa, mgmt2->sa) &&
1735 mgmt->u.auth.auth_transaction ==
1736 mgmt2->u.auth.auth_transaction) {
1737 wpa_printf(MSG_DEBUG,
1738 "SAE: Replace queued message from same STA with same transaction number");
1739 dl_list_add(&q2->list, &q->list);
1740 dl_list_del(&q2->list);
1741 os_free(q2);
1742 goto queued;
1743 }
1744 }
1745
1746 /* No pending identical entry, so add to the end of the queue */
1747 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1748
1749 queued:
1750 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1751 return;
1752 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1753 hapd, NULL);
1754 }
1755
1756
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1757 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1758 {
1759 struct hostapd_sae_commit_queue *q;
1760 const struct ieee80211_mgmt *mgmt;
1761
1762 dl_list_for_each(q, &hapd->sae_commit_queue,
1763 struct hostapd_sae_commit_queue, list) {
1764 mgmt = (const struct ieee80211_mgmt *) q->msg;
1765 if (ether_addr_equal(addr, mgmt->sa))
1766 return 1;
1767 }
1768
1769 return 0;
1770 }
1771
1772 #endif /* CONFIG_SAE */
1773
1774
wpa_res_to_status_code(enum wpa_validate_result res)1775 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1776 {
1777 switch (res) {
1778 case WPA_IE_OK:
1779 return WLAN_STATUS_SUCCESS;
1780 case WPA_INVALID_IE:
1781 return WLAN_STATUS_INVALID_IE;
1782 case WPA_INVALID_GROUP:
1783 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1784 case WPA_INVALID_PAIRWISE:
1785 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1786 case WPA_INVALID_AKMP:
1787 return WLAN_STATUS_AKMP_NOT_VALID;
1788 case WPA_NOT_ENABLED:
1789 return WLAN_STATUS_INVALID_IE;
1790 case WPA_ALLOC_FAIL:
1791 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1792 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1793 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1794 case WPA_INVALID_MGMT_GROUP_CIPHER:
1795 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1796 case WPA_INVALID_MDIE:
1797 return WLAN_STATUS_INVALID_MDIE;
1798 case WPA_INVALID_PROTO:
1799 return WLAN_STATUS_INVALID_IE;
1800 case WPA_INVALID_PMKID:
1801 return WLAN_STATUS_INVALID_PMKID;
1802 case WPA_DENIED_OTHER_REASON:
1803 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1804 }
1805 return WLAN_STATUS_INVALID_IE;
1806 }
1807
1808
1809 #ifdef CONFIG_FILS
1810
1811 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1812 struct sta_info *sta, u16 resp,
1813 struct wpabuf *data, int pub);
1814
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1815 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1816 const u8 *pos, size_t len, u16 auth_alg,
1817 u16 auth_transaction, u16 status_code,
1818 void (*cb)(struct hostapd_data *hapd,
1819 struct sta_info *sta, u16 resp,
1820 struct wpabuf *data, int pub))
1821 {
1822 u16 resp = WLAN_STATUS_SUCCESS;
1823 const u8 *end;
1824 struct ieee802_11_elems elems;
1825 enum wpa_validate_result res;
1826 struct wpa_ie_data rsn;
1827 struct rsn_pmksa_cache_entry *pmksa = NULL;
1828
1829 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1830 return;
1831
1832 end = pos + len;
1833
1834 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1835 pos, end - pos);
1836
1837 /* TODO: FILS PK */
1838 #ifdef CONFIG_FILS_SK_PFS
1839 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1840 u16 group;
1841 struct wpabuf *pub;
1842 size_t elem_len;
1843
1844 /* Using FILS PFS */
1845
1846 /* Finite Cyclic Group */
1847 if (end - pos < 2) {
1848 wpa_printf(MSG_DEBUG,
1849 "FILS: No room for Finite Cyclic Group");
1850 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1851 goto fail;
1852 }
1853 group = WPA_GET_LE16(pos);
1854 pos += 2;
1855 if (group != hapd->conf->fils_dh_group) {
1856 wpa_printf(MSG_DEBUG,
1857 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1858 group, hapd->conf->fils_dh_group);
1859 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1860 goto fail;
1861 }
1862
1863 crypto_ecdh_deinit(sta->fils_ecdh);
1864 sta->fils_ecdh = crypto_ecdh_init(group);
1865 if (!sta->fils_ecdh) {
1866 wpa_printf(MSG_INFO,
1867 "FILS: Could not initialize ECDH with group %d",
1868 group);
1869 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1870 goto fail;
1871 }
1872
1873 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1874 if (!pub) {
1875 wpa_printf(MSG_DEBUG,
1876 "FILS: Failed to derive ECDH public key");
1877 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1878 goto fail;
1879 }
1880 elem_len = wpabuf_len(pub);
1881 wpabuf_free(pub);
1882
1883 /* Element */
1884 if ((size_t) (end - pos) < elem_len) {
1885 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1886 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1887 goto fail;
1888 }
1889
1890 wpabuf_free(sta->fils_g_sta);
1891 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1892 wpabuf_clear_free(sta->fils_dh_ss);
1893 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1894 pos, elem_len);
1895 if (!sta->fils_dh_ss) {
1896 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1897 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1898 goto fail;
1899 }
1900 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1901 pos += elem_len;
1902 } else {
1903 crypto_ecdh_deinit(sta->fils_ecdh);
1904 sta->fils_ecdh = NULL;
1905 wpabuf_clear_free(sta->fils_dh_ss);
1906 sta->fils_dh_ss = NULL;
1907 }
1908 #endif /* CONFIG_FILS_SK_PFS */
1909
1910 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1911 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1912 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1913 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1914 goto fail;
1915 }
1916
1917 /* RSNE */
1918 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1919 elems.rsn_ie, elems.rsn_ie_len);
1920 if (!elems.rsn_ie ||
1921 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1922 &rsn) < 0) {
1923 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1924 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1925 goto fail;
1926 }
1927
1928 if (!sta->wpa_sm)
1929 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1930 NULL);
1931 if (!sta->wpa_sm) {
1932 wpa_printf(MSG_DEBUG,
1933 "FILS: Failed to initialize RSN state machine");
1934 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1935 goto fail;
1936 }
1937
1938 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1939 hapd->iface->freq,
1940 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1941 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1942 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1943 elems.mdie, elems.mdie_len, NULL, 0, NULL);
1944 resp = wpa_res_to_status_code(res);
1945 if (resp != WLAN_STATUS_SUCCESS)
1946 goto fail;
1947
1948 if (!elems.fils_nonce) {
1949 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1950 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1951 goto fail;
1952 }
1953 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1954 FILS_NONCE_LEN);
1955 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1956
1957 /* PMKID List */
1958 if (rsn.pmkid && rsn.num_pmkid > 0) {
1959 u8 num;
1960 const u8 *pmkid;
1961
1962 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1963 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1964
1965 pmkid = rsn.pmkid;
1966 num = rsn.num_pmkid;
1967 while (num) {
1968 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1969 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1970 pmkid);
1971 if (pmksa)
1972 break;
1973 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1974 sta->addr,
1975 pmkid);
1976 if (pmksa)
1977 break;
1978 pmkid += PMKID_LEN;
1979 num--;
1980 }
1981 }
1982 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1983 wpa_printf(MSG_DEBUG,
1984 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1985 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1986 pmksa = NULL;
1987 }
1988 if (pmksa)
1989 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1990
1991 /* FILS Session */
1992 if (!elems.fils_session) {
1993 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1994 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1995 goto fail;
1996 }
1997 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1998 FILS_SESSION_LEN);
1999 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
2000
2001 /* Wrapped Data */
2002 if (elems.wrapped_data) {
2003 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
2004 elems.wrapped_data,
2005 elems.wrapped_data_len);
2006 if (!pmksa) {
2007 #ifndef CONFIG_NO_RADIUS
2008 if (!sta->eapol_sm) {
2009 sta->eapol_sm =
2010 ieee802_1x_alloc_eapol_sm(hapd, sta);
2011 }
2012 wpa_printf(MSG_DEBUG,
2013 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
2014 ieee802_1x_encapsulate_radius(
2015 hapd, sta, elems.wrapped_data,
2016 elems.wrapped_data_len);
2017 sta->fils_pending_cb = cb;
2018 wpa_printf(MSG_DEBUG,
2019 "FILS: Will send Authentication frame once the response from authentication server is available");
2020 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
2021 /* Calculate pending PMKID here so that we do not need
2022 * to maintain a copy of the EAP-Initiate/Reauth
2023 * message. */
2024 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2025 elems.wrapped_data,
2026 elems.wrapped_data_len,
2027 sta->fils_erp_pmkid) == 0)
2028 sta->fils_erp_pmkid_set = 1;
2029 return;
2030 #else /* CONFIG_NO_RADIUS */
2031 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2032 goto fail;
2033 #endif /* CONFIG_NO_RADIUS */
2034 }
2035 }
2036
2037 fail:
2038 if (cb) {
2039 struct wpabuf *data;
2040 int pub = 0;
2041
2042 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2043 NULL, 0, &pub);
2044 if (!data) {
2045 wpa_printf(MSG_DEBUG,
2046 "%s: prepare_auth_resp_fils() returned failure",
2047 __func__);
2048 }
2049
2050 cb(hapd, sta, resp, data, pub);
2051 }
2052 }
2053
2054
2055 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)2056 prepare_auth_resp_fils(struct hostapd_data *hapd,
2057 struct sta_info *sta, u16 *resp,
2058 struct rsn_pmksa_cache_entry *pmksa,
2059 struct wpabuf *erp_resp,
2060 const u8 *msk, size_t msk_len,
2061 int *is_pub)
2062 {
2063 u8 fils_nonce[FILS_NONCE_LEN];
2064 size_t ielen;
2065 struct wpabuf *data = NULL;
2066 const u8 *ie;
2067 u8 *ie_buf = NULL;
2068 const u8 *pmk = NULL;
2069 size_t pmk_len = 0;
2070 u8 pmk_buf[PMK_LEN_MAX];
2071 struct wpabuf *pub = NULL;
2072
2073 if (*resp != WLAN_STATUS_SUCCESS)
2074 goto fail;
2075
2076 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2077 if (!ie) {
2078 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2079 goto fail;
2080 }
2081
2082 if (pmksa) {
2083 /* Add PMKID of the selected PMKSA into RSNE */
2084 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2085 if (!ie_buf) {
2086 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2087 goto fail;
2088 }
2089
2090 os_memcpy(ie_buf, ie, ielen);
2091 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid, true) < 0) {
2092 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2093 goto fail;
2094 }
2095 ie = ie_buf;
2096 }
2097
2098 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2099 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2100 goto fail;
2101 }
2102 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2103 fils_nonce, FILS_NONCE_LEN);
2104
2105 #ifdef CONFIG_FILS_SK_PFS
2106 if (sta->fils_dh_ss && sta->fils_ecdh) {
2107 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2108 if (!pub) {
2109 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2110 goto fail;
2111 }
2112 }
2113 #endif /* CONFIG_FILS_SK_PFS */
2114
2115 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2116 if (!data) {
2117 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2118 goto fail;
2119 }
2120
2121 /* TODO: FILS PK */
2122 #ifdef CONFIG_FILS_SK_PFS
2123 if (pub) {
2124 /* Finite Cyclic Group */
2125 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2126
2127 /* Element */
2128 wpabuf_put_buf(data, pub);
2129 }
2130 #endif /* CONFIG_FILS_SK_PFS */
2131
2132 /* RSNE */
2133 wpabuf_put_data(data, ie, ielen);
2134
2135 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2136
2137 #ifdef CONFIG_IEEE80211R_AP
2138 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2139 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2140 int res;
2141
2142 res = wpa_auth_write_fte(hapd->wpa_auth, sta->wpa_sm,
2143 wpabuf_put(data, 0),
2144 wpabuf_tailroom(data));
2145 if (res < 0) {
2146 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2147 goto fail;
2148 }
2149 wpabuf_put(data, res);
2150 }
2151 #endif /* CONFIG_IEEE80211R_AP */
2152
2153 /* FILS Nonce */
2154 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2155 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2156 /* Element ID Extension */
2157 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2158 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2159
2160 /* FILS Session */
2161 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2162 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2163 /* Element ID Extension */
2164 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2165 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2166
2167 /* Wrapped Data */
2168 if (!pmksa && erp_resp) {
2169 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2170 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2171 /* Element ID Extension */
2172 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2173 wpabuf_put_buf(data, erp_resp);
2174
2175 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2176 msk, msk_len, sta->fils_snonce, fils_nonce,
2177 sta->fils_dh_ss ?
2178 wpabuf_head(sta->fils_dh_ss) : NULL,
2179 sta->fils_dh_ss ?
2180 wpabuf_len(sta->fils_dh_ss) : 0,
2181 pmk_buf, &pmk_len)) {
2182 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2183 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2184 wpabuf_free(data);
2185 data = NULL;
2186 goto fail;
2187 }
2188 pmk = pmk_buf;
2189
2190 /* Don't use DHss in PTK derivation if PMKSA caching is not
2191 * used. */
2192 wpabuf_clear_free(sta->fils_dh_ss);
2193 sta->fils_dh_ss = NULL;
2194
2195 if (sta->fils_erp_pmkid_set) {
2196 /* TODO: get PMKLifetime from WPA parameters */
2197 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2198 int session_timeout;
2199
2200 session_timeout = dot11RSNAConfigPMKLifetime;
2201 if (sta->session_timeout_set) {
2202 struct os_reltime now, diff;
2203
2204 os_get_reltime(&now);
2205 os_reltime_sub(&sta->session_timeout, &now,
2206 &diff);
2207 session_timeout = diff.sec;
2208 }
2209
2210 sta->fils_erp_pmkid_set = 0;
2211 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2212 sta->fils_erp_pmkid);
2213 if (!hapd->conf->disable_pmksa_caching &&
2214 wpa_auth_pmksa_add2(
2215 hapd->wpa_auth, sta->addr,
2216 pmk, pmk_len,
2217 sta->fils_erp_pmkid,
2218 session_timeout,
2219 wpa_auth_sta_key_mgmt(sta->wpa_sm),
2220 NULL) < 0) {
2221 wpa_printf(MSG_ERROR,
2222 "FILS: Failed to add PMKSA cache entry based on ERP");
2223 }
2224 }
2225 } else if (pmksa) {
2226 pmk = pmksa->pmk;
2227 pmk_len = pmksa->pmk_len;
2228 }
2229
2230 if (!pmk) {
2231 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2232 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2233 wpabuf_free(data);
2234 data = NULL;
2235 goto fail;
2236 }
2237
2238 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2239 sta->fils_snonce, fils_nonce,
2240 sta->fils_dh_ss ?
2241 wpabuf_head(sta->fils_dh_ss) : NULL,
2242 sta->fils_dh_ss ?
2243 wpabuf_len(sta->fils_dh_ss) : 0,
2244 sta->fils_g_sta, pub) < 0) {
2245 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2246 wpabuf_free(data);
2247 data = NULL;
2248 goto fail;
2249 }
2250
2251 fail:
2252 if (is_pub)
2253 *is_pub = pub != NULL;
2254 os_free(ie_buf);
2255 wpabuf_free(pub);
2256 wpabuf_clear_free(sta->fils_dh_ss);
2257 sta->fils_dh_ss = NULL;
2258 #ifdef CONFIG_FILS_SK_PFS
2259 crypto_ecdh_deinit(sta->fils_ecdh);
2260 sta->fils_ecdh = NULL;
2261 #endif /* CONFIG_FILS_SK_PFS */
2262 return data;
2263 }
2264
2265
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2266 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2267 struct sta_info *sta, u16 resp,
2268 struct wpabuf *data, int pub)
2269 {
2270 u16 auth_alg;
2271
2272 auth_alg = (pub ||
2273 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2274 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2275 send_auth_reply(hapd, sta, sta->addr, auth_alg, 2, resp,
2276 data ? wpabuf_head(data) : (u8 *) "",
2277 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2278 wpabuf_free(data);
2279
2280 if (resp == WLAN_STATUS_SUCCESS) {
2281 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2282 HOSTAPD_LEVEL_DEBUG,
2283 "authentication OK (FILS)");
2284 sta->flags |= WLAN_STA_AUTH;
2285 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2286 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2287 mlme_authenticate_indication(hapd, sta);
2288 }
2289 }
2290
2291
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2292 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2293 struct sta_info *sta, int success,
2294 struct wpabuf *erp_resp,
2295 const u8 *msk, size_t msk_len)
2296 {
2297 u16 resp;
2298 u32 flags = sta->flags;
2299
2300 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2301 WLAN_STA_PENDING_PASN_FILS_ERP);
2302
2303 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2304
2305 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2306 struct wpabuf *data;
2307 int pub = 0;
2308
2309 if (!sta->fils_pending_cb)
2310 return;
2311
2312 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2313 msk, msk_len, &pub);
2314 if (!data) {
2315 wpa_printf(MSG_DEBUG,
2316 "%s: prepare_auth_resp_fils() failure",
2317 __func__);
2318 }
2319 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2320 #ifdef CONFIG_PASN
2321 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2322 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2323 msk, msk_len);
2324 #endif /* CONFIG_PASN */
2325 }
2326 }
2327
2328 #endif /* CONFIG_FILS */
2329
2330
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2331 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2332 const u8 *msg, size_t len,
2333 struct radius_sta *info)
2334 {
2335 int res;
2336
2337 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2338
2339 if (res == HOSTAPD_ACL_REJECT) {
2340 wpa_printf(MSG_DEBUG, "Station " MACSTR_SEC
2341 " not allowed to authenticate",
2342 MAC2STR_SEC(addr));
2343 return HOSTAPD_ACL_REJECT;
2344 }
2345
2346 if (res == HOSTAPD_ACL_PENDING) {
2347 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR_SEC
2348 " waiting for an external authentication",
2349 MAC2STR_SEC(addr));
2350 /* Authentication code will re-send the authentication frame
2351 * after it has received (and cached) information from the
2352 * external source. */
2353 return HOSTAPD_ACL_PENDING;
2354 }
2355
2356 return res;
2357 }
2358
2359
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2360 int ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2361 int res, struct radius_sta *info)
2362 {
2363 u32 session_timeout = info->session_timeout;
2364 u32 acct_interim_interval = info->acct_interim_interval;
2365 struct vlan_description *vlan_id = &info->vlan_id;
2366 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2367 char *identity = info->identity;
2368 char *radius_cui = info->radius_cui;
2369
2370 if (vlan_id->notempty &&
2371 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2372 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2373 HOSTAPD_LEVEL_INFO,
2374 "Invalid VLAN %d%s received from RADIUS server",
2375 vlan_id->untagged,
2376 vlan_id->tagged[0] ? "+" : "");
2377 return -1;
2378 }
2379 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2380 return -1;
2381 if (sta->vlan_id)
2382 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2383 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2384
2385 hostapd_free_psk_list(sta->psk);
2386 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2387 hostapd_copy_psk_list(&sta->psk, psk);
2388 else
2389 sta->psk = NULL;
2390
2391 os_free(sta->identity);
2392 if (identity)
2393 sta->identity = os_strdup(identity);
2394 else
2395 sta->identity = NULL;
2396
2397 os_free(sta->radius_cui);
2398 if (radius_cui)
2399 sta->radius_cui = os_strdup(radius_cui);
2400 else
2401 sta->radius_cui = NULL;
2402
2403 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2404 sta->acct_interim_interval = acct_interim_interval;
2405 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2406 sta->session_timeout_set = 1;
2407 os_get_reltime(&sta->session_timeout);
2408 sta->session_timeout.sec += session_timeout;
2409 ap_sta_session_timeout(hapd, sta, session_timeout);
2410 } else {
2411 sta->session_timeout_set = 0;
2412 ap_sta_no_session_timeout(hapd, sta);
2413 }
2414
2415 return 0;
2416 }
2417
2418
2419 #ifdef CONFIG_PASN
2420 #ifdef CONFIG_FILS
2421
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2422 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2423 struct sta_info *sta, u16 status,
2424 struct wpabuf *erp_resp,
2425 const u8 *msk, size_t msk_len)
2426 {
2427 struct pasn_data *pasn = sta->pasn;
2428 struct pasn_fils *fils = &pasn->fils;
2429 u8 pmk[PMK_LEN_MAX];
2430 size_t pmk_len;
2431 int ret;
2432
2433 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2434 status);
2435
2436 if (status != WLAN_STATUS_SUCCESS)
2437 goto fail;
2438
2439 if (!pasn->secret) {
2440 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2441 goto fail;
2442 }
2443
2444 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2445 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2446 goto fail;
2447 }
2448
2449 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2450 fils->anonce, FILS_NONCE_LEN);
2451
2452 ret = fils_rmsk_to_pmk(pasn_get_akmp(pasn), msk, msk_len, fils->nonce,
2453 fils->anonce, NULL, 0, pmk, &pmk_len);
2454 if (ret) {
2455 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2456 goto fail;
2457 }
2458
2459 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2460 wpabuf_head(pasn->secret),
2461 wpabuf_len(pasn->secret),
2462 pasn_get_ptk(sta->pasn), pasn_get_akmp(sta->pasn),
2463 pasn_get_cipher(sta->pasn), sta->pasn->kdk_len);
2464 if (ret) {
2465 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2466 goto fail;
2467 }
2468
2469 if (pasn->secure_ltf) {
2470 ret = wpa_ltf_keyseed(pasn_get_ptk(pasn), pasn_get_akmp(pasn),
2471 pasn_get_cipher(pasn));
2472 if (ret) {
2473 wpa_printf(MSG_DEBUG,
2474 "PASN: FILS: Failed to derive LTF keyseed");
2475 goto fail;
2476 }
2477 }
2478
2479 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2480
2481 wpabuf_free(pasn->secret);
2482 pasn->secret = NULL;
2483
2484 fils->erp_resp = erp_resp;
2485 ret = handle_auth_pasn_resp(sta->pasn, hapd->own_addr, sta->addr, NULL,
2486 WLAN_STATUS_SUCCESS);
2487 fils->erp_resp = NULL;
2488
2489 if (ret) {
2490 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2491 goto fail;
2492 }
2493
2494 fils->state = PASN_FILS_STATE_COMPLETE;
2495 return;
2496 fail:
2497 ap_free_sta(hapd, sta);
2498 }
2499
2500
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2501 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2502 struct wpabuf *wd)
2503 {
2504 #ifdef CONFIG_NO_RADIUS
2505 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2506 return -1;
2507 #else /* CONFIG_NO_RADIUS */
2508 struct pasn_data *pasn = sta->pasn;
2509 struct pasn_fils *fils = &pasn->fils;
2510 struct ieee802_11_elems elems;
2511 struct wpa_ie_data rsne_data;
2512 struct wpabuf *fils_wd;
2513 const u8 *data;
2514 size_t buf_len;
2515 u16 alg, seq, status;
2516 int ret;
2517
2518 if (fils->state != PASN_FILS_STATE_NONE) {
2519 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2520 return -1;
2521 }
2522
2523 if (!wd) {
2524 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2525 return -1;
2526 }
2527
2528 data = wpabuf_head_u8(wd);
2529 buf_len = wpabuf_len(wd);
2530
2531 if (buf_len < 6) {
2532 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2533 buf_len);
2534 return -1;
2535 }
2536
2537 alg = WPA_GET_LE16(data);
2538 seq = WPA_GET_LE16(data + 2);
2539 status = WPA_GET_LE16(data + 4);
2540
2541 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2542 alg, seq, status);
2543
2544 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2545 status != WLAN_STATUS_SUCCESS) {
2546 wpa_printf(MSG_DEBUG,
2547 "PASN: FILS: Dropping peer authentication");
2548 return -1;
2549 }
2550
2551 data += 6;
2552 buf_len -= 6;
2553
2554 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2555 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2556 return -1;
2557 }
2558
2559 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2560 !elems.wrapped_data || !elems.fils_session) {
2561 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2562 return -1;
2563 }
2564
2565 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2566 &rsne_data);
2567 if (ret) {
2568 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
2569 return -1;
2570 }
2571
2572 ret = wpa_pasn_validate_rsne(&rsne_data);
2573 if (ret) {
2574 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2575 return -1;
2576 }
2577
2578 if (rsne_data.num_pmkid) {
2579 wpa_printf(MSG_DEBUG,
2580 "PASN: FILS: Not expecting PMKID in RSNE");
2581 return -1;
2582 }
2583
2584 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2585 FILS_NONCE_LEN);
2586 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2587
2588 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2589 FILS_SESSION_LEN);
2590 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2591
2592 fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
2593 true);
2594
2595 if (!fils_wd) {
2596 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2597 return -1;
2598 }
2599
2600 if (!sta->eapol_sm)
2601 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2602
2603 wpa_printf(MSG_DEBUG,
2604 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2605
2606 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2607 wpabuf_len(fils_wd));
2608
2609 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2610
2611 fils->state = PASN_FILS_STATE_PENDING_AS;
2612
2613 /*
2614 * Calculate pending PMKID here so that we do not need to maintain a
2615 * copy of the EAP-Initiate/Reautt message.
2616 */
2617 fils_pmkid_erp(pasn_get_akmp(pasn),
2618 wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2619 fils->erp_pmkid);
2620
2621 wpabuf_free(fils_wd);
2622 return 0;
2623 #endif /* CONFIG_NO_RADIUS */
2624 }
2625
2626 #endif /* CONFIG_FILS */
2627
2628
hapd_pasn_send_mlme(void * ctx,const u8 * data,size_t data_len,int noack,unsigned int freq,unsigned int wait)2629 static int hapd_pasn_send_mlme(void *ctx, const u8 *data, size_t data_len,
2630 int noack, unsigned int freq, unsigned int wait)
2631 {
2632 struct hostapd_data *hapd = ctx;
2633
2634 return hostapd_drv_send_mlme(hapd, data, data_len, 0, NULL, 0, 0);
2635 }
2636
2637
hapd_initialize_pasn(struct hostapd_data * hapd,struct sta_info * sta)2638 static void hapd_initialize_pasn(struct hostapd_data *hapd,
2639 struct sta_info *sta)
2640 {
2641 struct pasn_data *pasn = sta->pasn;
2642
2643 pasn_register_callbacks(pasn, hapd, hapd_pasn_send_mlme, NULL);
2644 pasn_set_bssid(pasn, hapd->own_addr);
2645 pasn_set_own_addr(pasn, hapd->own_addr);
2646 pasn_set_peer_addr(pasn, sta->addr);
2647 pasn_set_wpa_key_mgmt(pasn, hapd->conf->wpa_key_mgmt);
2648 pasn_set_rsn_pairwise(pasn, hapd->conf->rsn_pairwise);
2649 pasn->pasn_groups = hapd->conf->pasn_groups;
2650 pasn->noauth = hapd->conf->pasn_noauth;
2651 if (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_AP)
2652 pasn_enable_kdk_derivation(pasn);
2653
2654 #ifdef CONFIG_TESTING_OPTIONS
2655 pasn->corrupt_mic = hapd->conf->pasn_corrupt_mic;
2656 if (hapd->conf->force_kdk_derivation)
2657 pasn_enable_kdk_derivation(pasn);
2658 #endif /* CONFIG_TESTING_OPTIONS */
2659 pasn->use_anti_clogging = use_anti_clogging(hapd);
2660 pasn_set_password(pasn, sae_get_password(hapd, sta, NULL, NULL,
2661 &pasn->pt, NULL));
2662 pasn->rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &pasn->rsn_ie_len);
2663 pasn_set_rsnxe_ie(pasn, hostapd_wpa_ie(hapd, WLAN_EID_RSNX));
2664 pasn->disable_pmksa_caching = hapd->conf->disable_pmksa_caching;
2665 pasn_set_responder_pmksa(pasn,
2666 wpa_auth_get_pmksa_cache(hapd->wpa_auth));
2667
2668 pasn->comeback_after = hapd->conf->pasn_comeback_after;
2669 pasn->comeback_idx = hapd->comeback_idx;
2670 pasn->comeback_key = hapd->comeback_key;
2671 pasn->comeback_pending_idx = hapd->comeback_pending_idx;
2672 }
2673
2674
pasn_set_keys_from_cache(struct hostapd_data * hapd,const u8 * own_addr,const u8 * sta_addr,int cipher,int akmp)2675 static int pasn_set_keys_from_cache(struct hostapd_data *hapd,
2676 const u8 *own_addr, const u8 *sta_addr,
2677 int cipher, int akmp)
2678 {
2679 struct ptksa_cache_entry *entry;
2680
2681 entry = ptksa_cache_get(hapd->ptksa, sta_addr, cipher);
2682 if (!entry) {
2683 wpa_printf(MSG_DEBUG, "PASN: peer " MACSTR
2684 " not present in PTKSA cache", MAC2STR(sta_addr));
2685 return -1;
2686 }
2687
2688 if (!ether_addr_equal(entry->own_addr, own_addr)) {
2689 wpa_printf(MSG_DEBUG,
2690 "PASN: own addr " MACSTR " and PTKSA entry own addr "
2691 MACSTR " differ",
2692 MAC2STR(own_addr), MAC2STR(entry->own_addr));
2693 return -1;
2694 }
2695
2696 wpa_printf(MSG_DEBUG, "PASN: " MACSTR " present in PTKSA cache",
2697 MAC2STR(sta_addr));
2698 hostapd_drv_set_secure_ranging_ctx(hapd, own_addr, sta_addr, cipher,
2699 entry->ptk.tk_len, entry->ptk.tk,
2700 entry->ptk.ltf_keyseed_len,
2701 entry->ptk.ltf_keyseed, 0);
2702
2703 return 0;
2704 }
2705
2706
hapd_pasn_update_params(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)2707 static void hapd_pasn_update_params(struct hostapd_data *hapd,
2708 struct sta_info *sta,
2709 const struct ieee80211_mgmt *mgmt,
2710 size_t len)
2711 {
2712 struct pasn_data *pasn = sta->pasn;
2713 struct ieee802_11_elems elems;
2714 struct wpa_ie_data rsn_data;
2715 #ifdef CONFIG_FILS
2716 struct wpa_pasn_params_data pasn_params;
2717 struct wpabuf *wrapped_data = NULL;
2718 #endif /* CONFIG_FILS */
2719 int akmp;
2720
2721 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
2722 len - offsetof(struct ieee80211_mgmt,
2723 u.auth.variable),
2724 &elems, 0) == ParseFailed) {
2725 wpa_printf(MSG_DEBUG,
2726 "PASN: Failed parsing Authentication frame");
2727 return;
2728 }
2729
2730 if (!elems.rsn_ie ||
2731 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2732 &rsn_data)) {
2733 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
2734 return;
2735 }
2736
2737 if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) ||
2738 !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) {
2739 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
2740 return;
2741 }
2742
2743 pasn_set_akmp(pasn, rsn_data.key_mgmt);
2744 pasn_set_cipher(pasn, rsn_data.pairwise_cipher);
2745
2746 if (pasn->derive_kdk &&
2747 !ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
2748 WLAN_RSNX_CAPAB_SECURE_LTF))
2749 pasn_disable_kdk_derivation(pasn);
2750 #ifdef CONFIG_TESTING_OPTIONS
2751 if (hapd->conf->force_kdk_derivation)
2752 pasn_enable_kdk_derivation(pasn);
2753 #endif /* CONFIG_TESTING_OPTIONS */
2754 akmp = pasn_get_akmp(pasn);
2755
2756 if (wpa_key_mgmt_ft(akmp) && rsn_data.num_pmkid) {
2757 #ifdef CONFIG_IEEE80211R_AP
2758 pasn->pmk_r1_len = 0;
2759 wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
2760 rsn_data.pmkid,
2761 pasn->pmk_r1, &pasn->pmk_r1_len, NULL,
2762 NULL, NULL, NULL,
2763 NULL, NULL, NULL);
2764 #endif /* CONFIG_IEEE80211R_AP */
2765 }
2766 #ifdef CONFIG_FILS
2767 if (akmp != WPA_KEY_MGMT_FILS_SHA256 &&
2768 akmp != WPA_KEY_MGMT_FILS_SHA384)
2769 return;
2770 if (!elems.pasn_params ||
2771 wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
2772 elems.pasn_params_len + 3,
2773 false, &pasn_params)) {
2774 wpa_printf(MSG_DEBUG,
2775 "PASN: Failed validation of PASN Parameters element");
2776 return;
2777 }
2778 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
2779 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
2780 elems.wrapped_data_len, true);
2781 if (!wrapped_data) {
2782 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
2783 return;
2784 }
2785 if (pasn_wd_handle_fils(hapd, sta, wrapped_data))
2786 wpa_printf(MSG_DEBUG,
2787 "PASN: Failed processing FILS wrapped data");
2788 else
2789 pasn->fils_wd_valid = true;
2790 }
2791 wpabuf_free(wrapped_data);
2792 #endif /* CONFIG_FILS */
2793 }
2794
2795
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)2796 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
2797 const struct ieee80211_mgmt *mgmt, size_t len,
2798 u16 trans_seq, u16 status)
2799 {
2800 if (hapd->conf->wpa != WPA_PROTO_RSN) {
2801 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
2802 return;
2803 }
2804
2805 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR_SEC,
2806 MAC2STR_SEC(sta->addr));
2807
2808 if (trans_seq == 1) {
2809 if (sta->pasn) {
2810 wpa_printf(MSG_DEBUG,
2811 "PASN: Not expecting transaction == 1");
2812 return;
2813 }
2814
2815 if (status != WLAN_STATUS_SUCCESS) {
2816 wpa_printf(MSG_DEBUG,
2817 "PASN: Failure status in transaction == 1");
2818 return;
2819 }
2820
2821 sta->pasn = pasn_data_init();
2822 if (!sta->pasn) {
2823 wpa_printf(MSG_DEBUG,
2824 "PASN: Failed to allocate PASN context");
2825 return;
2826 }
2827
2828 hapd_initialize_pasn(hapd, sta);
2829
2830 hapd_pasn_update_params(hapd, sta, mgmt, len);
2831 if (handle_auth_pasn_1(sta->pasn, hapd->own_addr,
2832 sta->addr, mgmt, len) < 0)
2833 ap_free_sta(hapd, sta);
2834 } else if (trans_seq == 3) {
2835 if (!sta->pasn) {
2836 wpa_printf(MSG_DEBUG,
2837 "PASN: Not expecting transaction == 3");
2838 return;
2839 }
2840
2841 if (status != WLAN_STATUS_SUCCESS) {
2842 wpa_printf(MSG_DEBUG,
2843 "PASN: Failure status in transaction == 3");
2844 ap_free_sta_pasn(hapd, sta);
2845 return;
2846 }
2847
2848 if (handle_auth_pasn_3(sta->pasn, hapd->own_addr,
2849 sta->addr, mgmt, len) == 0) {
2850 ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr,
2851 pasn_get_cipher(sta->pasn), 43200,
2852 pasn_get_ptk(sta->pasn), NULL, NULL,
2853 pasn_get_akmp(sta->pasn));
2854
2855 pasn_set_keys_from_cache(hapd, hapd->own_addr,
2856 sta->addr,
2857 pasn_get_cipher(sta->pasn),
2858 pasn_get_akmp(sta->pasn));
2859 }
2860 ap_free_sta(hapd, sta);
2861 } else {
2862 wpa_printf(MSG_DEBUG,
2863 "PASN: Invalid transaction %u - ignore", trans_seq);
2864 }
2865 }
2866
2867 #endif /* CONFIG_PASN */
2868
2869
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)2870 static void handle_auth(struct hostapd_data *hapd,
2871 const struct ieee80211_mgmt *mgmt, size_t len,
2872 int rssi, int from_queue)
2873 {
2874 u16 auth_alg, auth_transaction, status_code;
2875 u16 resp = WLAN_STATUS_SUCCESS;
2876 struct sta_info *sta = NULL;
2877 int res, reply_res;
2878 u16 fc;
2879 const u8 *challenge = NULL;
2880 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2881 size_t resp_ies_len = 0;
2882 u16 seq_ctrl;
2883 struct radius_sta rad_info;
2884 const u8 *dst, *sa;
2885 #ifdef CONFIG_IEEE80211BE
2886 bool mld_sta = false;
2887 #endif /* CONFIG_IEEE80211BE */
2888
2889 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2890 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2891 (unsigned long) len);
2892 return;
2893 }
2894
2895 #ifdef CONFIG_TESTING_OPTIONS
2896 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2897 drand48() < hapd->iconf->ignore_auth_probability) {
2898 wpa_printf(MSG_INFO,
2899 "TESTING: ignoring auth frame from " MACSTR_SEC,
2900 MAC2STR_SEC(mgmt->sa));
2901 return;
2902 }
2903 #endif /* CONFIG_TESTING_OPTIONS */
2904
2905 sa = mgmt->sa;
2906 #ifdef CONFIG_IEEE80211BE
2907 /*
2908 * Handle MLO authentication before the station is added to hostapd and
2909 * the driver so that the station MLD MAC address would be used in both
2910 * hostapd and the driver.
2911 */
2912 sa = hostapd_process_ml_auth(hapd, mgmt, len);
2913 if (sa)
2914 mld_sta = true;
2915 else
2916 sa = mgmt->sa;
2917 #endif /* CONFIG_IEEE80211BE */
2918
2919 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2920 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2921 status_code = le_to_host16(mgmt->u.auth.status_code);
2922 fc = le_to_host16(mgmt->frame_control);
2923 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2924
2925 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2926 2 + WLAN_AUTH_CHALLENGE_LEN &&
2927 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2928 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2929 challenge = &mgmt->u.auth.variable[2];
2930
2931 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR_SEC " auth_alg=%d "
2932 "auth_transaction=%d status_code=%d wep=%d%s "
2933 "seq_ctrl=0x%x%s%s",
2934 MAC2STR_SEC(sa), auth_alg, auth_transaction,
2935 status_code, !!(fc & WLAN_FC_ISWEP),
2936 challenge ? " challenge" : "",
2937 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2938 from_queue ? " (from queue)" : "");
2939
2940 #ifdef CONFIG_NO_RC4
2941 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2942 wpa_printf(MSG_INFO,
2943 "Unsupported authentication algorithm (%d)",
2944 auth_alg);
2945 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2946 goto fail;
2947 }
2948 #endif /* CONFIG_NO_RC4 */
2949
2950 if (hapd->tkip_countermeasures) {
2951 wpa_printf(MSG_DEBUG,
2952 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2953 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2954 goto fail;
2955 }
2956
2957 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2958 auth_alg == WLAN_AUTH_OPEN) ||
2959 #ifdef CONFIG_IEEE80211R_AP
2960 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2961 auth_alg == WLAN_AUTH_FT) ||
2962 #endif /* CONFIG_IEEE80211R_AP */
2963 #ifdef CONFIG_SAE
2964 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2965 auth_alg == WLAN_AUTH_SAE) ||
2966 #endif /* CONFIG_SAE */
2967 #ifdef CONFIG_FILS
2968 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2969 auth_alg == WLAN_AUTH_FILS_SK) ||
2970 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2971 hapd->conf->fils_dh_group &&
2972 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2973 #endif /* CONFIG_FILS */
2974 #ifdef CONFIG_PASN
2975 (hapd->conf->wpa &&
2976 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
2977 auth_alg == WLAN_AUTH_PASN) ||
2978 #endif /* CONFIG_PASN */
2979 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2980 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2981 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2982 auth_alg);
2983 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2984 goto fail;
2985 }
2986
2987 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2988 #ifdef CONFIG_PASN
2989 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
2990 #endif /* CONFIG_PASN */
2991 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2992 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2993 auth_transaction);
2994 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2995 goto fail;
2996 }
2997
2998 if (ether_addr_equal(mgmt->sa, hapd->own_addr)) {
2999 wpa_printf(MSG_INFO, "Station " MACSTR_SEC " not allowed to authenticate",
3000 MAC2STR_SEC(sa));
3001 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3002 goto fail;
3003 }
3004
3005 #ifdef CONFIG_IEEE80211BE
3006 if (mld_sta &&
3007 (ether_addr_equal(sa, hapd->own_addr) ||
3008 ether_addr_equal(sa, hapd->mld->mld_addr))) {
3009 wpa_printf(MSG_INFO,
3010 "Station " MACSTR " not allowed to authenticate",
3011 MAC2STR(sa));
3012 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3013 goto fail;
3014 }
3015 #endif /* CONFIG_IEEE80211BE */
3016
3017 if (hapd->conf->no_auth_if_seen_on) {
3018 struct hostapd_data *other;
3019
3020 other = sta_track_seen_on(hapd->iface, sa,
3021 hapd->conf->no_auth_if_seen_on);
3022 if (other) {
3023 u8 *pos;
3024 u32 info;
3025 u8 op_class, channel, phytype;
3026
3027 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3028 MACSTR_SEC " since STA has been seen on %s",
3029 hapd->conf->iface, MAC2STR_SEC(sa),
3030 hapd->conf->no_auth_if_seen_on);
3031
3032 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3033 pos = &resp_ies[0];
3034 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3035 *pos++ = 13;
3036 os_memcpy(pos, other->own_addr, ETH_ALEN);
3037 pos += ETH_ALEN;
3038 info = 0; /* TODO: BSSID Information */
3039 WPA_PUT_LE32(pos, info);
3040 pos += 4;
3041 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3042 phytype = 8; /* dmg */
3043 else if (other->iconf->ieee80211ac)
3044 phytype = 9; /* vht */
3045 else if (other->iconf->ieee80211n)
3046 phytype = 7; /* ht */
3047 else if (other->iconf->hw_mode ==
3048 HOSTAPD_MODE_IEEE80211A)
3049 phytype = 4; /* ofdm */
3050 else if (other->iconf->hw_mode ==
3051 HOSTAPD_MODE_IEEE80211G)
3052 phytype = 6; /* erp */
3053 else
3054 phytype = 5; /* hrdsss */
3055 if (ieee80211_freq_to_channel_ext(
3056 hostapd_hw_get_freq(other,
3057 other->iconf->channel),
3058 other->iconf->secondary_channel,
3059 other->iconf->ieee80211ac,
3060 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3061 op_class = 0;
3062 channel = other->iconf->channel;
3063 }
3064 *pos++ = op_class;
3065 *pos++ = channel;
3066 *pos++ = phytype;
3067 resp_ies_len = pos - &resp_ies[0];
3068 goto fail;
3069 }
3070 }
3071
3072 res = ieee802_11_allowed_address(hapd, sa, (const u8 *) mgmt, len,
3073 &rad_info);
3074 if (res == HOSTAPD_ACL_REJECT) {
3075 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3076 "Ignore Authentication frame from " MACSTR
3077 " due to ACL reject", MAC2STR(sa));
3078 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3079 goto fail;
3080 }
3081 if (res == HOSTAPD_ACL_PENDING)
3082 return;
3083
3084 #ifdef CONFIG_SAE
3085 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3086 (auth_transaction == 1 ||
3087 (auth_transaction == 2 && auth_sae_queued_addr(hapd, sa)))) {
3088 /* Handle SAE Authentication commit message through a queue to
3089 * provide more control for postponing the needed heavy
3090 * processing under a possible DoS attack scenario. In addition,
3091 * queue SAE Authentication confirm message if there happens to
3092 * be a queued commit message from the same peer. This is needed
3093 * to avoid reordering Authentication frames within the same
3094 * SAE exchange. */
3095 auth_sae_queue(hapd, mgmt, len, rssi);
3096 return;
3097 }
3098 #endif /* CONFIG_SAE */
3099
3100 sta = ap_get_sta(hapd, sa);
3101 if (sta) {
3102 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3103 sta->ft_over_ds = 0;
3104 if ((fc & WLAN_FC_RETRY) &&
3105 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3106 sta->last_seq_ctrl == seq_ctrl &&
3107 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3108 hostapd_logger(hapd, sta->addr,
3109 HOSTAPD_MODULE_IEEE80211,
3110 HOSTAPD_LEVEL_DEBUG,
3111 "Drop repeated authentication frame seq_ctrl=0x%x",
3112 seq_ctrl);
3113 return;
3114 }
3115 #ifdef CONFIG_PASN
3116 if (auth_alg == WLAN_AUTH_PASN &&
3117 (sta->flags & WLAN_STA_ASSOC)) {
3118 wpa_printf(MSG_DEBUG,
3119 "PASN: auth: Existing station: " MACSTR_SEC,
3120 MAC2STR_SEC(sta->addr));
3121 return;
3122 }
3123 #endif /* CONFIG_PASN */
3124 } else {
3125 #ifdef CONFIG_MESH
3126 if (hapd->conf->mesh & MESH_ENABLED) {
3127 /* if the mesh peer is not available, we don't do auth.
3128 */
3129 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR_SEC
3130 " not yet known - drop Authentication frame",
3131 MAC2STR_SEC(sa));
3132 /*
3133 * Save a copy of the frame so that it can be processed
3134 * if a new peer entry is added shortly after this.
3135 */
3136 wpabuf_free(hapd->mesh_pending_auth);
3137 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3138 os_get_reltime(&hapd->mesh_pending_auth_time);
3139 return;
3140 }
3141 #endif /* CONFIG_MESH */
3142
3143 sta = ap_sta_add(hapd, sa);
3144 if (!sta) {
3145 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3146 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3147 goto fail;
3148 }
3149 }
3150
3151 #ifdef CONFIG_IEEE80211BE
3152 /* Set the non-AP MLD information based on the initial Authentication
3153 * frame. Once the STA entry has been added to the driver, the driver
3154 * will translate addresses in the frame and we need to avoid overriding
3155 * peer_addr based on mgmt->sa which would have been translated to the
3156 * MLD MAC address. */
3157 if (!sta->added_unassoc && auth_transaction == 1) {
3158 ap_sta_free_sta_profile(&sta->mld_info);
3159 os_memset(&sta->mld_info, 0, sizeof(sta->mld_info));
3160
3161 if (mld_sta) {
3162 u8 link_id = hapd->mld_link_id;
3163
3164 ap_sta_set_mld(sta, true);
3165 sta->mld_assoc_link_id = link_id;
3166
3167 /*
3168 * Set the MLD address as the station address and the
3169 * station addresses.
3170 */
3171 os_memcpy(sta->mld_info.common_info.mld_addr, sa,
3172 ETH_ALEN);
3173 os_memcpy(sta->mld_info.links[link_id].peer_addr,
3174 mgmt->sa, ETH_ALEN);
3175 os_memcpy(sta->mld_info.links[link_id].local_addr,
3176 hapd->own_addr, ETH_ALEN);
3177 }
3178 }
3179 #endif /* CONFIG_IEEE80211BE */
3180
3181 sta->last_seq_ctrl = seq_ctrl;
3182 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3183 #ifdef CONFIG_MBO
3184 sta->auth_rssi = rssi;
3185 #endif /* CONFIG_MBO */
3186
3187 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3188 if (res) {
3189 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3190 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3191 goto fail;
3192 }
3193
3194 sta->flags &= ~WLAN_STA_PREAUTH;
3195 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3196
3197 /*
3198 * If the driver supports full AP client state, add a station to the
3199 * driver before sending authentication reply to make sure the driver
3200 * has resources, and not to go through the entire authentication and
3201 * association handshake, and fail it at the end.
3202 *
3203 * If this is not the first transaction, in a multi-step authentication
3204 * algorithm, the station already exists in the driver
3205 * (sta->added_unassoc = 1) so skip it.
3206 *
3207 * In mesh mode, the station was already added to the driver when the
3208 * NEW_PEER_CANDIDATE event is received.
3209 *
3210 * If PMF was negotiated for the existing association, skip this to
3211 * avoid dropping the STA entry and the associated keys. This is needed
3212 * to allow the original connection work until the attempt can complete
3213 * (re)association, so that unprotected Authentication frame cannot be
3214 * used to bypass PMF protection.
3215 *
3216 * PASN authentication does not require adding/removing station to the
3217 * driver so skip this flow in case of PASN authentication.
3218 */
3219 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3220 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3221 !(hapd->conf->mesh & MESH_ENABLED) &&
3222 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3223 if (ap_sta_re_add(hapd, sta) < 0) {
3224 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3225 goto fail;
3226 }
3227 }
3228
3229 switch (auth_alg) {
3230 case WLAN_AUTH_OPEN:
3231 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3232 HOSTAPD_LEVEL_DEBUG,
3233 "authentication OK (open system)");
3234 sta->flags |= WLAN_STA_AUTH;
3235 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3236 sta->auth_alg = WLAN_AUTH_OPEN;
3237 mlme_authenticate_indication(hapd, sta);
3238 break;
3239 #ifdef CONFIG_WEP
3240 #ifndef CONFIG_NO_RC4
3241 case WLAN_AUTH_SHARED_KEY:
3242 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3243 fc & WLAN_FC_ISWEP);
3244 if (resp != 0)
3245 wpa_printf(MSG_DEBUG,
3246 "auth_shared_key() failed: status=%d", resp);
3247 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3248 mlme_authenticate_indication(hapd, sta);
3249 if (sta->challenge && auth_transaction == 1) {
3250 resp_ies[0] = WLAN_EID_CHALLENGE;
3251 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3252 os_memcpy(resp_ies + 2, sta->challenge,
3253 WLAN_AUTH_CHALLENGE_LEN);
3254 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3255 }
3256 break;
3257 #endif /* CONFIG_NO_RC4 */
3258 #endif /* CONFIG_WEP */
3259 #ifdef CONFIG_IEEE80211R_AP
3260 case WLAN_AUTH_FT:
3261 sta->auth_alg = WLAN_AUTH_FT;
3262 if (sta->wpa_sm == NULL)
3263 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3264 sta->addr, NULL);
3265 if (sta->wpa_sm == NULL) {
3266 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3267 "state machine");
3268 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3269 goto fail;
3270 }
3271 wpa_ft_process_auth(sta->wpa_sm,
3272 auth_transaction, mgmt->u.auth.variable,
3273 len - IEEE80211_HDRLEN -
3274 sizeof(mgmt->u.auth),
3275 handle_auth_ft_finish, hapd);
3276 /* handle_auth_ft_finish() callback will complete auth. */
3277 return;
3278 #endif /* CONFIG_IEEE80211R_AP */
3279 #ifdef CONFIG_SAE
3280 case WLAN_AUTH_SAE:
3281 #ifdef CONFIG_MESH
3282 if (status_code == WLAN_STATUS_SUCCESS &&
3283 hapd->conf->mesh & MESH_ENABLED) {
3284 if (sta->wpa_sm == NULL)
3285 sta->wpa_sm =
3286 wpa_auth_sta_init(hapd->wpa_auth,
3287 sta->addr, NULL);
3288 if (sta->wpa_sm == NULL) {
3289 wpa_printf(MSG_DEBUG,
3290 "SAE: Failed to initialize WPA state machine");
3291 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3292 goto fail;
3293 }
3294 }
3295 #endif /* CONFIG_MESH */
3296 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3297 status_code);
3298 return;
3299 #endif /* CONFIG_SAE */
3300 #ifdef CONFIG_FILS
3301 case WLAN_AUTH_FILS_SK:
3302 case WLAN_AUTH_FILS_SK_PFS:
3303 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3304 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3305 auth_alg, auth_transaction, status_code,
3306 handle_auth_fils_finish);
3307 return;
3308 #endif /* CONFIG_FILS */
3309 #ifdef CONFIG_PASN
3310 case WLAN_AUTH_PASN:
3311 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3312 status_code);
3313 return;
3314 #endif /* CONFIG_PASN */
3315 }
3316
3317 fail:
3318 dst = mgmt->sa;
3319
3320 #ifdef CONFIG_IEEE80211BE
3321 if (ap_sta_is_mld(hapd, sta))
3322 dst = sta->addr;
3323 #endif /* CONFIG_IEEE80211BE */
3324
3325 reply_res = send_auth_reply(hapd, sta, dst, auth_alg,
3326 auth_alg == WLAN_AUTH_SAE ?
3327 auth_transaction : auth_transaction + 1,
3328 resp, resp_ies, resp_ies_len,
3329 "handle-auth");
3330
3331 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3332 reply_res != WLAN_STATUS_SUCCESS)) {
3333 hostapd_drv_sta_remove(hapd, sta->addr);
3334 sta->added_unassoc = 0;
3335 }
3336 }
3337
3338
hostapd_max_bssid_indicator(struct hostapd_data * hapd)3339 static u8 hostapd_max_bssid_indicator(struct hostapd_data *hapd)
3340 {
3341 size_t num_bss_nontx;
3342 u8 max_bssid_ind = 0;
3343
3344 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1)
3345 return 0;
3346
3347 num_bss_nontx = hapd->iface->num_bss - 1;
3348 while (num_bss_nontx > 0) {
3349 max_bssid_ind++;
3350 num_bss_nontx >>= 1;
3351 }
3352 return max_bssid_ind;
3353 }
3354
3355
hostapd_get_aid_word(struct hostapd_data * hapd,struct sta_info * sta,int i)3356 static u32 hostapd_get_aid_word(struct hostapd_data *hapd,
3357 struct sta_info *sta, int i)
3358 {
3359 #ifdef CONFIG_IEEE80211BE
3360 u32 aid_word = 0;
3361
3362 /* Do not assign an AID that is in use on any of the affiliated links
3363 * when finding an AID for a non-AP MLD. */
3364 if (hapd->conf->mld_ap && sta->mld_info.mld_sta) {
3365 int j;
3366
3367 for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
3368 struct hostapd_data *link_bss;
3369
3370 if (!sta->mld_info.links[j].valid)
3371 continue;
3372
3373 link_bss = hostapd_mld_get_link_bss(hapd, j);
3374 if (!link_bss) {
3375 /* This shouldn't happen, just skip */
3376 wpa_printf(MSG_ERROR,
3377 "MLD: Failed to get link BSS for AID");
3378 continue;
3379 }
3380
3381 aid_word |= link_bss->sta_aid[i];
3382 }
3383
3384 return aid_word;
3385 }
3386 #endif /* CONFIG_IEEE80211BE */
3387
3388 return hapd->sta_aid[i];
3389 }
3390
3391
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3392 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3393 {
3394 int i, j = 32, aid;
3395
3396 /* Transmitted and non-transmitted BSSIDs share the same AID pool, so
3397 * use the shared storage in the transmitted BSS to find the next
3398 * available value. */
3399 hapd = hostapd_mbssid_get_tx_bss(hapd);
3400
3401 /* get a unique AID */
3402 if (sta->aid > 0) {
3403 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3404 return 0;
3405 }
3406
3407 if (TEST_FAIL())
3408 return -1;
3409
3410 for (i = 0; i < AID_WORDS; i++) {
3411 u32 aid_word = hostapd_get_aid_word(hapd, sta, i);
3412
3413 if (aid_word == (u32) -1)
3414 continue;
3415 for (j = 0; j < 32; j++) {
3416 if (!(aid_word & BIT(j)))
3417 break;
3418 }
3419 if (j < 32)
3420 break;
3421 }
3422 if (j == 32)
3423 return -1;
3424 aid = i * 32 + j + (1 << hostapd_max_bssid_indicator(hapd));
3425 if (aid > 2007)
3426 return -1;
3427
3428 sta->aid = aid;
3429 hapd->sta_aid[i] |= BIT(j);
3430 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
3431 return 0;
3432 }
3433
3434
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3435 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3436 const u8 *ssid_ie, size_t ssid_ie_len)
3437 {
3438 if (ssid_ie == NULL)
3439 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3440
3441 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
3442 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
3443 hostapd_logger_only_for_cb(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3444 HOSTAPD_LEVEL_INFO,
3445 "Station tried to associate with unknown SSID "
3446 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
3447 wpa_printf(MSG_DEBUG, "hostapd_logger: Station tried to associate with unknown SSID "
3448 "'%s'", anonymize_ssid(wpa_ssid_txt(ssid_ie, ssid_ie_len)));
3449 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3450 }
3451
3452 return WLAN_STATUS_SUCCESS;
3453 }
3454
3455
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)3456 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
3457 const u8 *wmm_ie, size_t wmm_ie_len)
3458 {
3459 sta->flags &= ~WLAN_STA_WMM;
3460 sta->qosinfo = 0;
3461 if (wmm_ie && hapd->conf->wmm_enabled) {
3462 struct wmm_information_element *wmm;
3463
3464 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
3465 hostapd_logger(hapd, sta->addr,
3466 HOSTAPD_MODULE_WPA,
3467 HOSTAPD_LEVEL_DEBUG,
3468 "invalid WMM element in association "
3469 "request");
3470 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3471 }
3472
3473 sta->flags |= WLAN_STA_WMM;
3474 wmm = (struct wmm_information_element *) wmm_ie;
3475 sta->qosinfo = wmm->qos_info;
3476 }
3477 return WLAN_STATUS_SUCCESS;
3478 }
3479
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)3480 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
3481 const u8 *multi_ap_ie, size_t multi_ap_len)
3482 {
3483 struct multi_ap_params multi_ap;
3484 u16 status;
3485
3486 sta->flags &= ~WLAN_STA_MULTI_AP;
3487
3488 if (!hapd->conf->multi_ap)
3489 return WLAN_STATUS_SUCCESS;
3490
3491 if (!multi_ap_ie) {
3492 if (!(hapd->conf->multi_ap & FRONTHAUL_BSS)) {
3493 hostapd_logger(hapd, sta->addr,
3494 HOSTAPD_MODULE_IEEE80211,
3495 HOSTAPD_LEVEL_INFO,
3496 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3497 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3498 }
3499
3500 return WLAN_STATUS_SUCCESS;
3501 }
3502
3503 status = check_multi_ap_ie(multi_ap_ie + 4, multi_ap_len - 4,
3504 &multi_ap);
3505 if (status != WLAN_STATUS_SUCCESS)
3506 return status;
3507
3508 if (multi_ap.capability && multi_ap.capability != MULTI_AP_BACKHAUL_STA)
3509 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3510 HOSTAPD_LEVEL_INFO,
3511 "Multi-AP IE with unexpected value 0x%02x",
3512 multi_ap.capability);
3513
3514 if (multi_ap.profile == MULTI_AP_PROFILE_1 &&
3515 (hapd->conf->multi_ap_client_disallow &
3516 PROFILE1_CLIENT_ASSOC_DISALLOW)) {
3517 hostapd_logger(hapd, sta->addr,
3518 HOSTAPD_MODULE_IEEE80211,
3519 HOSTAPD_LEVEL_INFO,
3520 "Multi-AP Profile-1 clients not allowed");
3521 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3522 }
3523
3524 if (multi_ap.profile >= MULTI_AP_PROFILE_2 &&
3525 (hapd->conf->multi_ap_client_disallow &
3526 PROFILE2_CLIENT_ASSOC_DISALLOW)) {
3527 hostapd_logger(hapd, sta->addr,
3528 HOSTAPD_MODULE_IEEE80211,
3529 HOSTAPD_LEVEL_INFO,
3530 "Multi-AP Profile-2 clients not allowed");
3531 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3532 }
3533
3534 if (!(multi_ap.capability & MULTI_AP_BACKHAUL_STA)) {
3535 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
3536 return WLAN_STATUS_SUCCESS;
3537
3538 hostapd_logger(hapd, sta->addr,
3539 HOSTAPD_MODULE_IEEE80211,
3540 HOSTAPD_LEVEL_INFO,
3541 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3542 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3543 }
3544
3545 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
3546 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3547 HOSTAPD_LEVEL_DEBUG,
3548 "Backhaul STA tries to associate with fronthaul-only BSS");
3549
3550 sta->flags |= WLAN_STA_MULTI_AP;
3551 return WLAN_STATUS_SUCCESS;
3552 }
3553
3554
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)3555 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
3556 struct ieee802_11_elems *elems)
3557 {
3558 /* Supported rates not used in IEEE 802.11ad/DMG */
3559 if (hapd->iface->current_mode &&
3560 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
3561 return WLAN_STATUS_SUCCESS;
3562
3563 if (!elems->supp_rates) {
3564 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3565 HOSTAPD_LEVEL_DEBUG,
3566 "No supported rates element in AssocReq");
3567 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3568 }
3569
3570 if (elems->supp_rates_len + elems->ext_supp_rates_len >
3571 sizeof(sta->supported_rates)) {
3572 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3573 HOSTAPD_LEVEL_DEBUG,
3574 "Invalid supported rates element length %d+%d",
3575 elems->supp_rates_len,
3576 elems->ext_supp_rates_len);
3577 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3578 }
3579
3580 sta->supported_rates_len = merge_byte_arrays(
3581 sta->supported_rates, sizeof(sta->supported_rates),
3582 elems->supp_rates, elems->supp_rates_len,
3583 elems->ext_supp_rates, elems->ext_supp_rates_len);
3584
3585 return WLAN_STATUS_SUCCESS;
3586 }
3587
3588
3589 #ifdef CONFIG_OWE
3590
owe_group_supported(struct hostapd_data * hapd,u16 group)3591 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
3592 {
3593 int i;
3594 int *groups = hapd->conf->owe_groups;
3595
3596 if (group != 19 && group != 20 && group != 21)
3597 return 0;
3598
3599 if (!groups)
3600 return 1;
3601
3602 for (i = 0; groups[i] > 0; i++) {
3603 if (groups[i] == group)
3604 return 1;
3605 }
3606
3607 return 0;
3608 }
3609
3610
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)3611 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
3612 struct sta_info *sta, const u8 *owe_dh,
3613 u8 owe_dh_len)
3614 {
3615 struct wpabuf *secret, *pub, *hkey;
3616 int res;
3617 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
3618 const char *info = "OWE Key Generation";
3619 const u8 *addr[2];
3620 size_t len[2];
3621 u16 group;
3622 size_t hash_len, prime_len;
3623
3624 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3625 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3626 return WLAN_STATUS_SUCCESS;
3627 }
3628
3629 group = WPA_GET_LE16(owe_dh);
3630 if (!owe_group_supported(hapd, group)) {
3631 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
3632 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3633 }
3634 if (group == 19)
3635 prime_len = 32;
3636 else if (group == 20)
3637 prime_len = 48;
3638 else if (group == 21)
3639 prime_len = 66;
3640 else
3641 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3642
3643 if (sta->owe_group == group && sta->owe_ecdh) {
3644 /* This is a workaround for mac80211 behavior of retransmitting
3645 * the Association Request frames multiple times if the link
3646 * layer retries (i.e., seq# remains same) fail. The mac80211
3647 * initiated retransmission will use a different seq# and as
3648 * such, will go through duplicate detection. If we were to
3649 * change our DH key for that attempt, there would be two
3650 * different DH shared secrets and the STA would likely select
3651 * the wrong one. */
3652 wpa_printf(MSG_DEBUG,
3653 "OWE: Try to reuse own previous DH key since the STA tried to go through OWE association again");
3654 } else {
3655 crypto_ecdh_deinit(sta->owe_ecdh);
3656 sta->owe_ecdh = crypto_ecdh_init(group);
3657 }
3658 if (!sta->owe_ecdh)
3659 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3660 sta->owe_group = group;
3661
3662 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
3663 owe_dh_len - 2);
3664 secret = wpabuf_zeropad(secret, prime_len);
3665 if (!secret) {
3666 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
3667 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3668 }
3669 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
3670
3671 /* prk = HKDF-extract(C | A | group, z) */
3672
3673 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3674 if (!pub) {
3675 wpabuf_clear_free(secret);
3676 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3677 }
3678
3679 /* PMKID = Truncate-128(Hash(C | A)) */
3680 addr[0] = owe_dh + 2;
3681 len[0] = owe_dh_len - 2;
3682 addr[1] = wpabuf_head(pub);
3683 len[1] = wpabuf_len(pub);
3684 if (group == 19) {
3685 res = sha256_vector(2, addr, len, pmkid);
3686 hash_len = SHA256_MAC_LEN;
3687 } else if (group == 20) {
3688 res = sha384_vector(2, addr, len, pmkid);
3689 hash_len = SHA384_MAC_LEN;
3690 } else if (group == 21) {
3691 res = sha512_vector(2, addr, len, pmkid);
3692 hash_len = SHA512_MAC_LEN;
3693 } else {
3694 wpabuf_free(pub);
3695 wpabuf_clear_free(secret);
3696 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3697 }
3698 pub = wpabuf_zeropad(pub, prime_len);
3699 if (res < 0 || !pub) {
3700 wpabuf_free(pub);
3701 wpabuf_clear_free(secret);
3702 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3703 }
3704
3705 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
3706 if (!hkey) {
3707 wpabuf_free(pub);
3708 wpabuf_clear_free(secret);
3709 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3710 }
3711
3712 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
3713 wpabuf_put_buf(hkey, pub); /* A */
3714 wpabuf_free(pub);
3715 wpabuf_put_le16(hkey, group); /* group */
3716 if (group == 19)
3717 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
3718 wpabuf_head(secret), wpabuf_len(secret), prk);
3719 else if (group == 20)
3720 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
3721 wpabuf_head(secret), wpabuf_len(secret), prk);
3722 else if (group == 21)
3723 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
3724 wpabuf_head(secret), wpabuf_len(secret), prk);
3725 wpabuf_clear_free(hkey);
3726 wpabuf_clear_free(secret);
3727 if (res < 0)
3728 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3729
3730 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
3731
3732 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
3733
3734 os_free(sta->owe_pmk);
3735 sta->owe_pmk = os_malloc(hash_len);
3736 if (!sta->owe_pmk) {
3737 os_memset(prk, 0, SHA512_MAC_LEN);
3738 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3739 }
3740
3741 if (group == 19)
3742 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
3743 os_strlen(info), sta->owe_pmk, hash_len);
3744 else if (group == 20)
3745 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
3746 os_strlen(info), sta->owe_pmk, hash_len);
3747 else if (group == 21)
3748 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
3749 os_strlen(info), sta->owe_pmk, hash_len);
3750 os_memset(prk, 0, SHA512_MAC_LEN);
3751 if (res < 0) {
3752 os_free(sta->owe_pmk);
3753 sta->owe_pmk = NULL;
3754 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3755 }
3756 sta->owe_pmk_len = hash_len;
3757
3758 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
3759 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
3760 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
3761 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE, NULL);
3762
3763 return WLAN_STATUS_SUCCESS;
3764 }
3765
3766
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)3767 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
3768 const u8 *rsn_ie, size_t rsn_ie_len,
3769 const u8 *owe_dh, size_t owe_dh_len)
3770 {
3771 struct wpa_ie_data data;
3772 int res;
3773
3774 if (!rsn_ie || rsn_ie_len < 2) {
3775 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR_SEC,
3776 MAC2STR_SEC(peer));
3777 return WLAN_STATUS_INVALID_IE;
3778 }
3779 rsn_ie -= 2;
3780 rsn_ie_len += 2;
3781
3782 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
3783 if (res) {
3784 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR_SEC
3785 " (res=%d)", MAC2STR_SEC(peer), res);
3786 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
3787 return wpa_res_to_status_code(res);
3788 }
3789 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
3790 wpa_printf(MSG_DEBUG,
3791 "OWE: Unexpected key mgmt 0x%x from " MACSTR_SEC,
3792 (unsigned int) data.key_mgmt, MAC2STR_SEC(peer));
3793 return WLAN_STATUS_AKMP_NOT_VALID;
3794 }
3795 if (!owe_dh) {
3796 wpa_printf(MSG_DEBUG,
3797 "OWE: No Diffie-Hellman Parameter element from "
3798 MACSTR_SEC, MAC2STR_SEC(peer));
3799 return WLAN_STATUS_AKMP_NOT_VALID;
3800 }
3801
3802 return WLAN_STATUS_SUCCESS;
3803 }
3804
3805
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len,const u8 * link_addr)3806 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
3807 struct sta_info *sta,
3808 const u8 *rsn_ie, size_t rsn_ie_len,
3809 const u8 *owe_dh, size_t owe_dh_len,
3810 const u8 *link_addr)
3811 {
3812 u16 status;
3813 u8 *owe_buf, ie[256 * 2];
3814 size_t ie_len = 0;
3815 enum wpa_validate_result res;
3816
3817 if (!rsn_ie || rsn_ie_len < 2) {
3818 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
3819 status = WLAN_STATUS_INVALID_IE;
3820 goto end;
3821 }
3822
3823 if (!sta->wpa_sm)
3824 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
3825 NULL);
3826 if (!sta->wpa_sm) {
3827 wpa_printf(MSG_WARNING,
3828 "OWE: Failed to initialize WPA state machine");
3829 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3830 goto end;
3831 }
3832 #ifdef CONFIG_IEEE80211BE
3833 if (ap_sta_is_mld(hapd, sta))
3834 wpa_auth_set_ml_info(sta->wpa_sm,
3835 sta->mld_assoc_link_id, &sta->mld_info);
3836 #endif /* CONFIG_IEEE80211BE */
3837 rsn_ie -= 2;
3838 rsn_ie_len += 2;
3839 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3840 hapd->iface->freq, rsn_ie, rsn_ie_len,
3841 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL);
3842 status = wpa_res_to_status_code(res);
3843 if (status != WLAN_STATUS_SUCCESS)
3844 goto end;
3845 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3846 if (status != WLAN_STATUS_SUCCESS)
3847 goto end;
3848 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
3849 NULL, 0);
3850 if (!owe_buf) {
3851 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3852 goto end;
3853 }
3854
3855 if (sta->owe_ecdh) {
3856 struct wpabuf *pub;
3857
3858 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3859 if (!pub) {
3860 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3861 goto end;
3862 }
3863
3864 /* OWE Diffie-Hellman Parameter element */
3865 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3866 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3867 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3868 */
3869 WPA_PUT_LE16(owe_buf, sta->owe_group);
3870 owe_buf += 2;
3871 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3872 owe_buf += wpabuf_len(pub);
3873 wpabuf_free(pub);
3874 sta->external_dh_updated = 1;
3875 }
3876 ie_len = owe_buf - ie;
3877
3878 end:
3879 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3880 MACSTR_SEC, status, (unsigned int) ie_len,
3881 MAC2STR_SEC(link_addr ? link_addr : sta->addr));
3882 hostapd_drv_update_dh_ie(hapd, link_addr ? link_addr : sta->addr,
3883 status,
3884 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3885 ie_len);
3886
3887 return status;
3888 }
3889
3890 #endif /* CONFIG_OWE */
3891
3892
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)3893 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
3894 int reassoc)
3895 {
3896 if ((sta->flags &
3897 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
3898 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
3899 return false;
3900
3901 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
3902 ap_check_sa_query_timeout(hapd, sta);
3903
3904 if (!sta->sa_query_timed_out &&
3905 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3906 /*
3907 * STA has already been associated with MFP and SA Query timeout
3908 * has not been reached. Reject the association attempt
3909 * temporarily and start SA Query, if one is not pending.
3910 */
3911 if (sta->sa_query_count == 0)
3912 ap_sta_start_sa_query(hapd, sta);
3913
3914 return true;
3915 }
3916
3917 return false;
3918 }
3919
3920
__check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,struct ieee802_11_elems * elems,int reassoc,bool link)3921 static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3922 const u8 *ies, size_t ies_len,
3923 struct ieee802_11_elems *elems, int reassoc,
3924 bool link)
3925 {
3926 int resp;
3927 const u8 *wpa_ie;
3928 size_t wpa_ie_len;
3929 const u8 *p2p_dev_addr = NULL;
3930 struct hostapd_data *assoc_hapd;
3931 struct sta_info *assoc_sta = NULL;
3932
3933 resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len);
3934 if (resp != WLAN_STATUS_SUCCESS)
3935 return resp;
3936 resp = check_wmm(hapd, sta, elems->wmm, elems->wmm_len);
3937 if (resp != WLAN_STATUS_SUCCESS)
3938 return resp;
3939 resp = check_ext_capab(hapd, sta, elems->ext_capab,
3940 elems->ext_capab_len);
3941 if (resp != WLAN_STATUS_SUCCESS)
3942 return resp;
3943 resp = copy_supp_rates(hapd, sta, elems);
3944 if (resp != WLAN_STATUS_SUCCESS)
3945 return resp;
3946
3947 resp = check_multi_ap(hapd, sta, elems->multi_ap, elems->multi_ap_len);
3948 if (resp != WLAN_STATUS_SUCCESS)
3949 return resp;
3950
3951 resp = copy_sta_ht_capab(hapd, sta, elems->ht_capabilities);
3952 if (resp != WLAN_STATUS_SUCCESS)
3953 return resp;
3954 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3955 !(sta->flags & WLAN_STA_HT)) {
3956 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3957 HOSTAPD_LEVEL_INFO, "Station does not support "
3958 "mandatory HT PHY - reject association");
3959 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3960 }
3961
3962 #ifdef CONFIG_IEEE80211AC
3963 if (hapd->iconf->ieee80211ac) {
3964 resp = copy_sta_vht_capab(hapd, sta, elems->vht_capabilities);
3965 if (resp != WLAN_STATUS_SUCCESS)
3966 return resp;
3967
3968 resp = set_sta_vht_opmode(hapd, sta, elems->opmode_notif);
3969 if (resp != WLAN_STATUS_SUCCESS)
3970 return resp;
3971 }
3972
3973 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3974 !(sta->flags & WLAN_STA_VHT)) {
3975 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3976 HOSTAPD_LEVEL_INFO, "Station does not support "
3977 "mandatory VHT PHY - reject association");
3978 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
3979 }
3980
3981 if (hapd->conf->vendor_vht && !elems->vht_capabilities) {
3982 resp = copy_sta_vendor_vht(hapd, sta, elems->vendor_vht,
3983 elems->vendor_vht_len);
3984 if (resp != WLAN_STATUS_SUCCESS)
3985 return resp;
3986 }
3987 #endif /* CONFIG_IEEE80211AC */
3988 #ifdef CONFIG_IEEE80211AX
3989 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
3990 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3991 elems->he_capabilities,
3992 elems->he_capabilities_len);
3993 if (resp != WLAN_STATUS_SUCCESS)
3994 return resp;
3995
3996 if (hapd->iconf->require_he && !(sta->flags & WLAN_STA_HE)) {
3997 hostapd_logger(hapd, sta->addr,
3998 HOSTAPD_MODULE_IEEE80211,
3999 HOSTAPD_LEVEL_INFO,
4000 "Station does not support mandatory HE PHY - reject association");
4001 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4002 }
4003
4004 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4005 if (!(sta->flags & WLAN_STA_HE)) {
4006 hostapd_logger(hapd, sta->addr,
4007 HOSTAPD_MODULE_IEEE80211,
4008 HOSTAPD_LEVEL_INFO,
4009 "Station does not support mandatory HE PHY - reject association");
4010 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4011 }
4012 resp = copy_sta_he_6ghz_capab(hapd, sta,
4013 elems->he_6ghz_band_cap);
4014 if (resp != WLAN_STATUS_SUCCESS)
4015 return resp;
4016 }
4017 }
4018 #endif /* CONFIG_IEEE80211AX */
4019 #ifdef CONFIG_IEEE80211BE
4020 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4021 resp = copy_sta_eht_capab(hapd, sta, IEEE80211_MODE_AP,
4022 elems->he_capabilities,
4023 elems->he_capabilities_len,
4024 elems->eht_capabilities,
4025 elems->eht_capabilities_len);
4026 if (resp != WLAN_STATUS_SUCCESS)
4027 return resp;
4028
4029 if (!link) {
4030 resp = hostapd_process_ml_assoc_req(hapd, elems, sta);
4031 if (resp != WLAN_STATUS_SUCCESS)
4032 return resp;
4033 }
4034 }
4035 #endif /* CONFIG_IEEE80211BE */
4036
4037 #ifdef CONFIG_P2P
4038 if (elems->p2p && ies && ies_len) {
4039 wpabuf_free(sta->p2p_ie);
4040 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4041 P2P_IE_VENDOR_TYPE);
4042 if (sta->p2p_ie)
4043 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4044 } else {
4045 wpabuf_free(sta->p2p_ie);
4046 sta->p2p_ie = NULL;
4047 }
4048 #endif /* CONFIG_P2P */
4049
4050 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems->rsn_ie) {
4051 wpa_ie = elems->rsn_ie;
4052 wpa_ie_len = elems->rsn_ie_len;
4053 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4054 elems->wpa_ie) {
4055 wpa_ie = elems->wpa_ie;
4056 wpa_ie_len = elems->wpa_ie_len;
4057 } else {
4058 wpa_ie = NULL;
4059 wpa_ie_len = 0;
4060 }
4061
4062 #ifdef CONFIG_WPS
4063 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4064 if (hapd->conf->wps_state && elems->wps_ie && ies && ies_len) {
4065 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4066 "Request - assume WPS is used");
4067 sta->flags |= WLAN_STA_WPS;
4068 wpabuf_free(sta->wps_ie);
4069 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4070 WPS_IE_VENDOR_TYPE);
4071 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4072 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4073 sta->flags |= WLAN_STA_WPS2;
4074 }
4075 wpa_ie = NULL;
4076 wpa_ie_len = 0;
4077 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4078 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4079 "(Re)Association Request - reject");
4080 return WLAN_STATUS_INVALID_IE;
4081 }
4082 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4083 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4084 "(Re)Association Request - possible WPS use");
4085 sta->flags |= WLAN_STA_MAYBE_WPS;
4086 } else
4087 #endif /* CONFIG_WPS */
4088 if (hapd->conf->wpa && wpa_ie == NULL) {
4089 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4090 HOSTAPD_LEVEL_INFO,
4091 "No WPA/RSN IE in association request");
4092 return WLAN_STATUS_INVALID_IE;
4093 }
4094
4095 if (hapd->conf->wpa && wpa_ie) {
4096 enum wpa_validate_result res;
4097 #ifdef CONFIG_IEEE80211BE
4098 struct mld_info *info = &sta->mld_info;
4099 bool init = !sta->wpa_sm;
4100 #endif /* CONFIG_IEEE80211BE */
4101
4102 wpa_ie -= 2;
4103 wpa_ie_len += 2;
4104
4105 if (!sta->wpa_sm) {
4106 if (!link)
4107 assoc_sta = hostapd_ml_get_assoc_sta(
4108 hapd, sta, &assoc_hapd);
4109
4110 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4111 sta->addr,
4112 p2p_dev_addr);
4113
4114 if (!sta->wpa_sm) {
4115 wpa_printf(MSG_WARNING,
4116 "Failed to initialize RSN state machine");
4117 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4118 }
4119 }
4120
4121 #ifdef CONFIG_IEEE80211BE
4122 if (ap_sta_is_mld(hapd, sta)) {
4123 wpa_printf(MSG_DEBUG,
4124 "MLD: %s ML info in RSN Authenticator",
4125 init ? "Set" : "Reset");
4126 wpa_auth_set_ml_info(sta->wpa_sm,
4127 sta->mld_assoc_link_id,
4128 info);
4129 }
4130 #endif /* CONFIG_IEEE80211BE */
4131
4132 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4133 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4134 hapd->iface->freq,
4135 wpa_ie, wpa_ie_len,
4136 elems->rsnxe ? elems->rsnxe - 2 :
4137 NULL,
4138 elems->rsnxe ? elems->rsnxe_len + 2 :
4139 0,
4140 elems->mdie, elems->mdie_len,
4141 elems->owe_dh, elems->owe_dh_len,
4142 assoc_sta ? assoc_sta->wpa_sm : NULL);
4143 resp = wpa_res_to_status_code(res);
4144 if (resp != WLAN_STATUS_SUCCESS)
4145 return resp;
4146
4147 if (wpa_auth_uses_mfp(sta->wpa_sm))
4148 sta->flags |= WLAN_STA_MFP;
4149 else
4150 sta->flags &= ~WLAN_STA_MFP;
4151
4152 #ifdef CONFIG_IEEE80211R_AP
4153 if (sta->auth_alg == WLAN_AUTH_FT) {
4154 if (!reassoc) {
4155 wpa_printf(MSG_DEBUG, "FT: " MACSTR_SEC " tried "
4156 "to use association (not "
4157 "re-association) with FT auth_alg",
4158 MAC2STR_SEC(sta->addr));
4159 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4160 }
4161
4162 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4163 ies_len);
4164 if (resp != WLAN_STATUS_SUCCESS)
4165 return resp;
4166 }
4167 #endif /* CONFIG_IEEE80211R_AP */
4168
4169 if (link)
4170 goto skip_sae_owe;
4171 #ifdef CONFIG_SAE
4172 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4173 sta->sae->state == SAE_ACCEPTED)
4174 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4175
4176 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4177 sta->auth_alg == WLAN_AUTH_OPEN) {
4178 struct rsn_pmksa_cache_entry *sa;
4179 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4180 if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
4181 wpa_printf(MSG_DEBUG,
4182 "SAE: No PMKSA cache entry found for "
4183 MACSTR_SEC, MAC2STR_SEC(sta->addr));
4184 return WLAN_STATUS_INVALID_PMKID;
4185 }
4186 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC
4187 " using PMKSA caching", MAC2STR_SEC(sta->addr));
4188 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4189 sta->auth_alg != WLAN_AUTH_SAE &&
4190 !(sta->auth_alg == WLAN_AUTH_FT &&
4191 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4192 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC " tried to use "
4193 "SAE AKM after non-SAE auth_alg %u",
4194 MAC2STR_SEC(sta->addr), sta->auth_alg);
4195 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4196 }
4197
4198 if (hapd->conf->sae_pwe == SAE_PWE_BOTH &&
4199 sta->auth_alg == WLAN_AUTH_SAE &&
4200 sta->sae && !sta->sae->h2e &&
4201 ieee802_11_rsnx_capab_len(elems->rsnxe, elems->rsnxe_len,
4202 WLAN_RSNX_CAPAB_SAE_H2E)) {
4203 wpa_printf(MSG_INFO, "SAE: " MACSTR_SEC
4204 " indicates support for SAE H2E, but did not use it",
4205 MAC2STR_SEC(sta->addr));
4206 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4207 }
4208 #endif /* CONFIG_SAE */
4209
4210 #ifdef CONFIG_OWE
4211 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4212 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4213 elems->owe_dh) {
4214 resp = owe_process_assoc_req(hapd, sta, elems->owe_dh,
4215 elems->owe_dh_len);
4216 if (resp != WLAN_STATUS_SUCCESS)
4217 return resp;
4218 }
4219 #endif /* CONFIG_OWE */
4220 skip_sae_owe:
4221
4222 #ifdef CONFIG_DPP2
4223 dpp_pfs_free(sta->dpp_pfs);
4224 sta->dpp_pfs = NULL;
4225
4226 if (DPP_VERSION > 1 &&
4227 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4228 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4229 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4230 elems->owe_dh) {
4231 sta->dpp_pfs = dpp_pfs_init(
4232 wpabuf_head(hapd->conf->dpp_netaccesskey),
4233 wpabuf_len(hapd->conf->dpp_netaccesskey));
4234 if (!sta->dpp_pfs) {
4235 wpa_printf(MSG_DEBUG,
4236 "DPP: Could not initialize PFS");
4237 /* Try to continue without PFS */
4238 goto pfs_fail;
4239 }
4240
4241 if (dpp_pfs_process(sta->dpp_pfs, elems->owe_dh,
4242 elems->owe_dh_len) < 0) {
4243 dpp_pfs_free(sta->dpp_pfs);
4244 sta->dpp_pfs = NULL;
4245 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4246 }
4247 }
4248
4249 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4250 sta->dpp_pfs->secret : NULL);
4251 pfs_fail:
4252 #endif /* CONFIG_DPP2 */
4253
4254 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4255 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4256 hostapd_logger(hapd, sta->addr,
4257 HOSTAPD_MODULE_IEEE80211,
4258 HOSTAPD_LEVEL_INFO,
4259 "Station tried to use TKIP with HT "
4260 "association");
4261 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4262 }
4263
4264 wpa_auth_set_ssid_protection(
4265 sta->wpa_sm,
4266 hapd->conf->ssid_protection &&
4267 ieee802_11_rsnx_capab_len(
4268 elems->rsnxe, elems->rsnxe_len,
4269 WLAN_RSNX_CAPAB_SSID_PROTECTION));
4270 #ifdef CONFIG_HS20
4271 } else if (hapd->conf->osen) {
4272 if (!elems->osen) {
4273 hostapd_logger(
4274 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4275 HOSTAPD_LEVEL_INFO,
4276 "No HS 2.0 OSEN element in association request");
4277 return WLAN_STATUS_INVALID_IE;
4278 }
4279
4280 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4281 if (sta->wpa_sm == NULL)
4282 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4283 sta->addr, NULL);
4284 if (sta->wpa_sm == NULL) {
4285 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4286 "state machine");
4287 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4288 }
4289 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4290 elems->osen - 2, elems->osen_len + 2) < 0)
4291 return WLAN_STATUS_INVALID_IE;
4292 #endif /* CONFIG_HS20 */
4293 } else
4294 wpa_auth_sta_no_wpa(sta->wpa_sm);
4295
4296 #ifdef CONFIG_P2P
4297 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4298 #endif /* CONFIG_P2P */
4299
4300 #ifdef CONFIG_HS20
4301 wpabuf_free(sta->hs20_ie);
4302 if (elems->hs20 && elems->hs20_len > 4) {
4303 int release;
4304
4305 sta->hs20_ie = wpabuf_alloc_copy(elems->hs20 + 4,
4306 elems->hs20_len - 4);
4307 release = ((elems->hs20[4] >> 4) & 0x0f) + 1;
4308 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4309 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4310 wpa_printf(MSG_DEBUG,
4311 "HS 2.0: PMF not negotiated by release %d station "
4312 MACSTR_SEC, release, MAC2STR_SEC(sta->addr));
4313 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4314 }
4315 } else {
4316 sta->hs20_ie = NULL;
4317 }
4318
4319 wpabuf_free(sta->roaming_consortium);
4320 if (elems->roaming_cons_sel)
4321 sta->roaming_consortium = wpabuf_alloc_copy(
4322 elems->roaming_cons_sel + 4,
4323 elems->roaming_cons_sel_len - 4);
4324 else
4325 sta->roaming_consortium = NULL;
4326 #endif /* CONFIG_HS20 */
4327
4328 #ifdef CONFIG_FST
4329 wpabuf_free(sta->mb_ies);
4330 if (hapd->iface->fst)
4331 sta->mb_ies = mb_ies_by_info(&elems->mb_ies);
4332 else
4333 sta->mb_ies = NULL;
4334 #endif /* CONFIG_FST */
4335
4336 #ifdef CONFIG_MBO
4337 mbo_ap_check_sta_assoc(hapd, sta, elems);
4338
4339 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4340 elems->mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4341 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4342 wpa_printf(MSG_INFO,
4343 "MBO: Reject WPA2 association without PMF");
4344 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4345 }
4346 #endif /* CONFIG_MBO */
4347
4348 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4349 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4350 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4351 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4352 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4353 struct wpa_channel_info ci;
4354 int tx_chanwidth;
4355 int tx_seg1_idx;
4356 enum oci_verify_result res;
4357
4358 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4359 wpa_printf(MSG_WARNING,
4360 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4361 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4362 }
4363
4364 if (get_sta_tx_parameters(sta->wpa_sm,
4365 channel_width_to_int(ci.chanwidth),
4366 ci.seg1_idx, &tx_chanwidth,
4367 &tx_seg1_idx) < 0)
4368 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4369
4370 res = ocv_verify_tx_params(elems->oci, elems->oci_len, &ci,
4371 tx_chanwidth, tx_seg1_idx);
4372 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4373 res == OCI_NOT_FOUND) {
4374 /* Work around misbehaving STAs */
4375 wpa_printf(MSG_INFO,
4376 "FILS: Disable OCV with a STA that does not send OCI");
4377 wpa_auth_set_ocv(sta->wpa_sm, 0);
4378 } else if (res != OCI_SUCCESS) {
4379 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4380 ocv_errorstr);
4381 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4382 MACSTR " frame=fils-reassoc-req error=%s",
4383 MAC2STR(sta->addr), ocv_errorstr);
4384 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4385 }
4386 }
4387 #endif /* CONFIG_FILS && CONFIG_OCV */
4388
4389 ap_copy_sta_supp_op_classes(sta, elems->supp_op_classes,
4390 elems->supp_op_classes_len);
4391
4392 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4393 elems->rrm_enabled &&
4394 elems->rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4395 os_memcpy(sta->rrm_enabled_capa, elems->rrm_enabled,
4396 sizeof(sta->rrm_enabled_capa));
4397
4398 if (elems->power_capab) {
4399 sta->min_tx_power = elems->power_capab[0];
4400 sta->max_tx_power = elems->power_capab[1];
4401 sta->power_capab = 1;
4402 } else {
4403 sta->power_capab = 0;
4404 }
4405
4406 if (elems->bss_max_idle_period &&
4407 hapd->conf->max_acceptable_idle_period) {
4408 u16 req;
4409
4410 req = WPA_GET_LE16(elems->bss_max_idle_period);
4411 if (req <= hapd->conf->max_acceptable_idle_period)
4412 sta->max_idle_period = req;
4413 else if (hapd->conf->max_acceptable_idle_period >
4414 hapd->conf->ap_max_inactivity)
4415 sta->max_idle_period =
4416 hapd->conf->max_acceptable_idle_period;
4417 }
4418
4419 return WLAN_STATUS_SUCCESS;
4420 }
4421
4422
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4423 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4424 const u8 *ies, size_t ies_len, int reassoc)
4425 {
4426 struct ieee802_11_elems elems;
4427
4428 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4429 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4430 HOSTAPD_LEVEL_INFO,
4431 "Station sent an invalid association request");
4432 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4433 }
4434
4435 return __check_assoc_ies(hapd, sta, ies, ies_len, &elems, reassoc,
4436 false);
4437 }
4438
4439
4440 #ifdef CONFIG_IEEE80211BE
4441
ieee80211_ml_build_assoc_resp(struct hostapd_data * hapd,struct mld_link_info * link)4442 static void ieee80211_ml_build_assoc_resp(struct hostapd_data *hapd,
4443 struct mld_link_info *link)
4444 {
4445 u8 buf[EHT_ML_MAX_STA_PROF_LEN];
4446 u8 *p = buf;
4447 size_t buflen = sizeof(buf);
4448
4449 /* Capability Info */
4450 WPA_PUT_LE16(p, hostapd_own_capab_info(hapd));
4451 p += 2;
4452
4453 /* Status Code */
4454 WPA_PUT_LE16(p, link->status);
4455 p += 2;
4456
4457 if (link->status != WLAN_STATUS_SUCCESS)
4458 goto out;
4459
4460 /* AID is not included */
4461 p = hostapd_eid_supp_rates(hapd, p);
4462 p = hostapd_eid_ext_supp_rates(hapd, p);
4463 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4464 p = hostapd_eid_ht_capabilities(hapd, p);
4465 p = hostapd_eid_ht_operation(hapd, p);
4466
4467 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
4468 p = hostapd_eid_vht_capabilities(hapd, p, 0);
4469 p = hostapd_eid_vht_operation(hapd, p);
4470 }
4471
4472 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4473 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
4474 p = hostapd_eid_he_operation(hapd, p);
4475 p = hostapd_eid_spatial_reuse(hapd, p);
4476 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
4477 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
4478 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4479 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP);
4480 p = hostapd_eid_eht_operation(hapd, p);
4481 }
4482 }
4483
4484 p = hostapd_eid_ext_capab(hapd, p, false);
4485 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
4486 p = hostapd_eid_wmm(hapd, p);
4487
4488 if (hapd->conf->assocresp_elements &&
4489 (size_t) (buf + buflen - p) >=
4490 wpabuf_len(hapd->conf->assocresp_elements)) {
4491 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
4492 wpabuf_len(hapd->conf->assocresp_elements));
4493 p += wpabuf_len(hapd->conf->assocresp_elements);
4494 }
4495
4496 out:
4497 os_free(link->resp_sta_profile);
4498 link->resp_sta_profile = os_memdup(buf, p - buf);
4499 link->resp_sta_profile_len = link->resp_sta_profile ? p - buf : 0;
4500 }
4501
4502
ieee80211_ml_process_link(struct hostapd_data * hapd,struct sta_info * origin_sta,struct mld_link_info * link,const u8 * ies,size_t ies_len,bool reassoc,bool offload)4503 static int ieee80211_ml_process_link(struct hostapd_data *hapd,
4504 struct sta_info *origin_sta,
4505 struct mld_link_info *link,
4506 const u8 *ies, size_t ies_len,
4507 bool reassoc, bool offload)
4508 {
4509 struct ieee802_11_elems elems;
4510 struct wpabuf *mlbuf = NULL;
4511 struct sta_info *sta = NULL;
4512 u16 status = WLAN_STATUS_SUCCESS;
4513 int i;
4514
4515 wpa_printf(MSG_DEBUG, "MLD: link: link_id=%u, peer=" MACSTR,
4516 hapd->mld_link_id, MAC2STR(link->peer_addr));
4517
4518 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4519 wpa_printf(MSG_DEBUG, "MLD: link: Element parsing failed");
4520 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4521 goto out;
4522 }
4523
4524 sta = ap_get_sta(hapd, origin_sta->addr);
4525 if (sta) {
4526 wpa_printf(MSG_INFO, "MLD: link: Station already exists");
4527 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4528 sta = NULL;
4529 goto out;
4530 }
4531
4532 sta = ap_sta_add(hapd, origin_sta->addr);
4533 if (!sta) {
4534 wpa_printf(MSG_DEBUG, "MLD: link: ap_sta_add() failed");
4535 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4536 goto out;
4537 }
4538
4539 mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true);
4540 if (!mlbuf)
4541 goto out;
4542
4543 if (ieee802_11_parse_link_assoc_req(ies, ies_len, &elems, mlbuf,
4544 hapd->mld_link_id, true) ==
4545 ParseFailed) {
4546 wpa_printf(MSG_DEBUG,
4547 "MLD: link: Failed to parse association request Multi-Link element");
4548 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4549 goto out;
4550 }
4551
4552 sta->flags |= origin_sta->flags | WLAN_STA_ASSOC_REQ_OK;
4553 sta->mld_assoc_link_id = origin_sta->mld_assoc_link_id;
4554
4555 status = __check_assoc_ies(hapd, sta, NULL, 0, &elems, reassoc, true);
4556 if (status != WLAN_STATUS_SUCCESS) {
4557 wpa_printf(MSG_DEBUG, "MLD: link: Element check failed");
4558 goto out;
4559 }
4560
4561 ap_sta_set_mld(sta, true);
4562
4563 os_memcpy(&sta->mld_info, &origin_sta->mld_info, sizeof(sta->mld_info));
4564 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4565 struct mld_link_info *li = &sta->mld_info.links[i];
4566
4567 li->resp_sta_profile = NULL;
4568 li->resp_sta_profile_len = 0;
4569 }
4570
4571 if (!offload) {
4572 /*
4573 * Get the AID from the station on which the association was
4574 * performed, and mark it as used.
4575 */
4576 sta->aid = origin_sta->aid;
4577 if (sta->aid == 0) {
4578 wpa_printf(MSG_DEBUG, "MLD: link: No AID assigned");
4579 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4580 goto out;
4581 }
4582 hapd->sta_aid[(sta->aid - 1) / 32] |= BIT((sta->aid - 1) % 32);
4583 sta->listen_interval = origin_sta->listen_interval;
4584 if (update_ht_state(hapd, sta) > 0)
4585 ieee802_11_update_beacons(hapd->iface);
4586 }
4587
4588 /* Maintain state machine reference on all link STAs, this is needed
4589 * during group rekey handling.
4590 */
4591 wpa_auth_sta_deinit(sta->wpa_sm);
4592 sta->wpa_sm = origin_sta->wpa_sm;
4593
4594 /*
4595 * Do not initialize the EAPOL state machine.
4596 * TODO: Maybe it is needed?
4597 */
4598 sta->eapol_sm = NULL;
4599
4600 wpa_printf(MSG_DEBUG, "MLD: link=%u, association OK (aid=%u)",
4601 hapd->mld_link_id, sta->aid);
4602
4603 sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC_REQ_OK;
4604
4605 /* TODO: What other processing is required? */
4606
4607 if (!offload && add_associated_sta(hapd, sta, reassoc))
4608 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4609 out:
4610 wpabuf_free(mlbuf);
4611 link->status = status;
4612
4613 if (!offload)
4614 ieee80211_ml_build_assoc_resp(hapd, link);
4615
4616 wpa_printf(MSG_DEBUG, "MLD: link: status=%u", status);
4617 if (status != WLAN_STATUS_SUCCESS) {
4618 if (sta)
4619 ap_free_sta(hapd, sta);
4620 return -1;
4621 }
4622
4623 return 0;
4624 }
4625
4626
hostapd_is_mld_ap(struct hostapd_data * hapd)4627 bool hostapd_is_mld_ap(struct hostapd_data *hapd)
4628 {
4629 if (!hapd->conf->mld_ap)
4630 return false;
4631
4632 if (!hapd->iface || !hapd->iface->interfaces ||
4633 hapd->iface->interfaces->count <= 1)
4634 return false;
4635
4636 return true;
4637 }
4638
4639 #endif /* CONFIG_IEEE80211BE */
4640
4641
hostapd_process_assoc_ml_info(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,bool reassoc,int tx_link_status,bool offload)4642 int hostapd_process_assoc_ml_info(struct hostapd_data *hapd,
4643 struct sta_info *sta,
4644 const u8 *ies, size_t ies_len,
4645 bool reassoc, int tx_link_status,
4646 bool offload)
4647 {
4648 #ifdef CONFIG_IEEE80211BE
4649 unsigned int i;
4650
4651 if (!hostapd_is_mld_ap(hapd))
4652 return 0;
4653
4654 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4655 struct hostapd_data *bss = NULL;
4656 struct mld_link_info *link = &sta->mld_info.links[i];
4657 bool link_bss_found = false;
4658
4659 if (!link->valid || i == sta->mld_assoc_link_id)
4660 continue;
4661
4662 for_each_mld_link(bss, hapd) {
4663 if (bss == hapd)
4664 continue;
4665
4666 if (bss->mld_link_id != i)
4667 continue;
4668
4669 link_bss_found = true;
4670 break;
4671 }
4672
4673 if (!link_bss_found || TEST_FAIL()) {
4674 wpa_printf(MSG_DEBUG,
4675 "MLD: No link match for link_id=%u", i);
4676
4677 link->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4678 if (!offload)
4679 ieee80211_ml_build_assoc_resp(hapd, link);
4680 } else if (tx_link_status != WLAN_STATUS_SUCCESS) {
4681 /* TX link rejected the connection */
4682 link->status = WLAN_STATUS_DENIED_TX_LINK_NOT_ACCEPTED;
4683 if (!offload)
4684 ieee80211_ml_build_assoc_resp(hapd, link);
4685 } else {
4686 if (ieee80211_ml_process_link(bss, sta, link,
4687 ies, ies_len, reassoc,
4688 offload))
4689 return -1;
4690 }
4691 }
4692 #endif /* CONFIG_IEEE80211BE */
4693
4694 return 0;
4695 }
4696
4697
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4698 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4699 u16 reason_code)
4700 {
4701 int send_len;
4702 struct ieee80211_mgmt reply;
4703
4704 os_memset(&reply, 0, sizeof(reply));
4705 reply.frame_control =
4706 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4707 os_memcpy(reply.da, addr, ETH_ALEN);
4708 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4709 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4710
4711 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4712 reply.u.deauth.reason_code = host_to_le16(reason_code);
4713
4714 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4715 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4716 strerror(errno));
4717 }
4718
4719
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4720 static int add_associated_sta(struct hostapd_data *hapd,
4721 struct sta_info *sta, int reassoc)
4722 {
4723 struct ieee80211_ht_capabilities ht_cap;
4724 struct ieee80211_vht_capabilities vht_cap;
4725 struct ieee80211_he_capabilities he_cap;
4726 struct ieee80211_eht_capabilities eht_cap;
4727 int set = 1;
4728 const u8 *mld_link_addr = NULL;
4729 bool mld_link_sta = false;
4730
4731 #ifdef CONFIG_IEEE80211BE
4732 if (ap_sta_is_mld(hapd, sta)) {
4733 u8 mld_link_id = hapd->mld_link_id;
4734
4735 mld_link_sta = sta->mld_assoc_link_id != mld_link_id;
4736 mld_link_addr = sta->mld_info.links[mld_link_id].peer_addr;
4737
4738 if (hapd->mld_link_id != sta->mld_assoc_link_id)
4739 set = 0;
4740 }
4741 #endif /* CONFIG_IEEE80211BE */
4742
4743 /*
4744 * Remove the STA entry to ensure the STA PS state gets cleared and
4745 * configuration gets updated. This is relevant for cases, such as
4746 * FT-over-the-DS, where a station re-associates back to the same AP but
4747 * skips the authentication flow, or if working with a driver that
4748 * does not support full AP client state.
4749 *
4750 * Skip this if the STA has already completed FT reassociation and the
4751 * TK has been configured since the TX/RX PN must not be reset to 0 for
4752 * the same key.
4753 *
4754 * FT-over-the-DS has a special case where the STA entry (and as such,
4755 * the TK) has not yet been configured to the driver depending on which
4756 * driver interface is used. For that case, allow add-STA operation to
4757 * be used (instead of set-STA). This is needed to allow mac80211-based
4758 * drivers to accept the STA parameter configuration. Since this is
4759 * after a new FT-over-DS exchange, a new TK has been derived, so key
4760 * reinstallation is not a concern for this case.
4761 */
4762 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR_SEC
4763 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4764 MAC2STR_SEC(sta->addr), sta->added_unassoc, sta->auth_alg,
4765 sta->ft_over_ds, reassoc,
4766 !!(sta->flags & WLAN_STA_AUTHORIZED),
4767 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4768 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4769
4770 if (!mld_link_sta && !sta->added_unassoc &&
4771 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4772 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4773 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4774 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4775 hostapd_drv_sta_remove(hapd, sta->addr);
4776 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4777 set = 0;
4778
4779 /* Do not allow the FT-over-DS exception to be used more than
4780 * once per authentication exchange to guarantee a new TK is
4781 * used here */
4782 sta->ft_over_ds = 0;
4783 }
4784
4785 if (sta->flags & WLAN_STA_HT)
4786 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4787 #ifdef CONFIG_IEEE80211AC
4788 if (sta->flags & WLAN_STA_VHT)
4789 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4790 #endif /* CONFIG_IEEE80211AC */
4791 #ifdef CONFIG_IEEE80211AX
4792 if (sta->flags & WLAN_STA_HE) {
4793 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4794 sta->he_capab_len);
4795 }
4796 #endif /* CONFIG_IEEE80211AX */
4797 #ifdef CONFIG_IEEE80211BE
4798 if (sta->flags & WLAN_STA_EHT)
4799 hostapd_get_eht_capab(hapd, sta->eht_capab, &eht_cap,
4800 sta->eht_capab_len);
4801 #endif /* CONFIG_IEEE80211BE */
4802
4803 /*
4804 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4805 * will be set when the ACK frame for the (Re)Association Response frame
4806 * is processed (TX status driver event).
4807 */
4808 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4809 sta->supported_rates, sta->supported_rates_len,
4810 sta->listen_interval,
4811 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4812 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4813 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4814 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4815 sta->flags & WLAN_STA_EHT ? &eht_cap : NULL,
4816 sta->flags & WLAN_STA_EHT ? sta->eht_capab_len : 0,
4817 sta->he_6ghz_capab,
4818 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4819 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4820 set, mld_link_addr, mld_link_sta)) {
4821 hostapd_logger(hapd, sta->addr,
4822 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
4823 "Could not %s STA to kernel driver",
4824 set ? "set" : "add");
4825
4826 if (sta->added_unassoc) {
4827 hostapd_drv_sta_remove(hapd, sta->addr);
4828 sta->added_unassoc = 0;
4829 }
4830
4831 return -1;
4832 }
4833
4834 sta->added_unassoc = 0;
4835
4836 return 0;
4837 }
4838
4839
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe,bool allow_mld_addr_trans)4840 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
4841 const u8 *addr, u16 status_code, int reassoc,
4842 const u8 *ies, size_t ies_len, int rssi,
4843 int omit_rsnxe, bool allow_mld_addr_trans)
4844 {
4845 int send_len;
4846 u8 *buf;
4847 size_t buflen;
4848 struct ieee80211_mgmt *reply;
4849 u8 *p;
4850 u16 res = WLAN_STATUS_SUCCESS;
4851
4852 buflen = sizeof(struct ieee80211_mgmt) + 1024;
4853 #ifdef CONFIG_FILS
4854 if (sta && sta->fils_hlp_resp)
4855 buflen += wpabuf_len(sta->fils_hlp_resp);
4856 if (sta)
4857 buflen += 150;
4858 #endif /* CONFIG_FILS */
4859 #ifdef CONFIG_OWE
4860 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4861 buflen += 150;
4862 #endif /* CONFIG_OWE */
4863 #ifdef CONFIG_DPP2
4864 if (sta && sta->dpp_pfs)
4865 buflen += 5 + sta->dpp_pfs->curve->prime_len;
4866 #endif /* CONFIG_DPP2 */
4867 #ifdef CONFIG_IEEE80211BE
4868 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4869 buflen += hostapd_eid_eht_capab_len(hapd, IEEE80211_MODE_AP);
4870 buflen += 3 + sizeof(struct ieee80211_eht_operation);
4871 if (hapd->iconf->punct_bitmap)
4872 buflen += EHT_OPER_DISABLED_SUBCHAN_BITMAP_SIZE;
4873 }
4874 #endif /* CONFIG_IEEE80211BE */
4875
4876 buf = os_zalloc(buflen);
4877 if (!buf) {
4878 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4879 goto done;
4880 }
4881 reply = (struct ieee80211_mgmt *) buf;
4882 reply->frame_control =
4883 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
4884 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
4885 WLAN_FC_STYPE_ASSOC_RESP));
4886
4887 os_memcpy(reply->da, addr, ETH_ALEN);
4888 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
4889 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
4890
4891 send_len = IEEE80211_HDRLEN;
4892 send_len += sizeof(reply->u.assoc_resp);
4893 reply->u.assoc_resp.capab_info =
4894 host_to_le16(hostapd_own_capab_info(hapd));
4895 reply->u.assoc_resp.status_code = host_to_le16(status_code);
4896
4897 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
4898 BIT(14) | BIT(15));
4899 /* Supported rates */
4900 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
4901 /* Extended supported rates */
4902 p = hostapd_eid_ext_supp_rates(hapd, p);
4903
4904 /* Radio measurement capabilities */
4905 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4906
4907 #ifdef CONFIG_MBO
4908 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
4909 rssi != 0) {
4910 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
4911
4912 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
4913 delta);
4914 }
4915 #endif /* CONFIG_MBO */
4916
4917 #ifdef CONFIG_IEEE80211R_AP
4918 if (sta && status_code == WLAN_STATUS_SUCCESS) {
4919 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
4920 * Transition Information, RSN, [RIC Response] */
4921 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
4922 buf + buflen - p,
4923 sta->auth_alg, ies, ies_len,
4924 omit_rsnxe);
4925 if (!p) {
4926 wpa_printf(MSG_DEBUG,
4927 "FT: Failed to write AssocResp IEs");
4928 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4929 goto done;
4930 }
4931 }
4932 #endif /* CONFIG_IEEE80211R_AP */
4933 #ifdef CONFIG_FILS
4934 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4935 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4936 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4937 sta->auth_alg == WLAN_AUTH_FILS_PK))
4938 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
4939 buf + buflen - p,
4940 ies, ies_len);
4941 #endif /* CONFIG_FILS */
4942
4943 #ifdef CONFIG_OWE
4944 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4945 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4946 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
4947 buf + buflen - p,
4948 ies, ies_len);
4949 #endif /* CONFIG_OWE */
4950
4951 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
4952 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
4953
4954 p = hostapd_eid_ht_capabilities(hapd, p);
4955 p = hostapd_eid_ht_operation(hapd, p);
4956
4957 #ifdef CONFIG_IEEE80211AC
4958 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
4959 !is_6ghz_op_class(hapd->iconf->op_class)) {
4960 u32 nsts = 0, sta_nsts;
4961
4962 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
4963 struct ieee80211_vht_capabilities *capa;
4964
4965 nsts = (hapd->iface->conf->vht_capab >>
4966 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
4967 capa = sta->vht_capabilities;
4968 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
4969 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
4970
4971 if (nsts < sta_nsts)
4972 nsts = 0;
4973 else
4974 nsts = sta_nsts;
4975 }
4976 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
4977 p = hostapd_eid_vht_operation(hapd, p);
4978 }
4979 #endif /* CONFIG_IEEE80211AC */
4980
4981 #ifdef CONFIG_IEEE80211AX
4982 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4983 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
4984 p = hostapd_eid_he_operation(hapd, p);
4985 p = hostapd_eid_cca(hapd, p);
4986 p = hostapd_eid_spatial_reuse(hapd, p);
4987 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
4988 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
4989 }
4990 #endif /* CONFIG_IEEE80211AX */
4991
4992 p = hostapd_eid_ext_capab(hapd, p, false);
4993 p = hostapd_eid_bss_max_idle_period(hapd, p, sta->max_idle_period);
4994 if (sta && sta->qos_map_enabled)
4995 p = hostapd_eid_qos_map_set(hapd, p);
4996
4997 #ifdef CONFIG_FST
4998 if (hapd->iface->fst_ies) {
4999 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5000 wpabuf_len(hapd->iface->fst_ies));
5001 p += wpabuf_len(hapd->iface->fst_ies);
5002 }
5003 #endif /* CONFIG_FST */
5004
5005 #ifdef CONFIG_TESTING_OPTIONS
5006 if (hapd->conf->rsnxe_override_ft &&
5007 buf + buflen - p >=
5008 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5009 sta && sta->auth_alg == WLAN_AUTH_FT) {
5010 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5011 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5012 wpabuf_len(hapd->conf->rsnxe_override_ft));
5013 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5014 goto rsnxe_done;
5015 }
5016 #endif /* CONFIG_TESTING_OPTIONS */
5017 if (!omit_rsnxe)
5018 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5019 #ifdef CONFIG_TESTING_OPTIONS
5020 rsnxe_done:
5021 #endif /* CONFIG_TESTING_OPTIONS */
5022
5023 #ifdef CONFIG_IEEE80211BE
5024 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
5025 if (hapd->conf->mld_ap)
5026 p = hostapd_eid_eht_ml_assoc(hapd, sta, p);
5027 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP);
5028 p = hostapd_eid_eht_operation(hapd, p);
5029 }
5030 #endif /* CONFIG_IEEE80211BE */
5031
5032 #ifdef CONFIG_OWE
5033 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5034 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5035 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5036 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5037 struct wpabuf *pub;
5038
5039 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5040 if (!pub) {
5041 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5042 goto done;
5043 }
5044 /* OWE Diffie-Hellman Parameter element */
5045 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5046 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5047 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5048 WPA_PUT_LE16(p, sta->owe_group);
5049 p += 2;
5050 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5051 p += wpabuf_len(pub);
5052 wpabuf_free(pub);
5053 }
5054 #endif /* CONFIG_OWE */
5055
5056 #ifdef CONFIG_DPP2
5057 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5058 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5059 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5060 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5061 wpabuf_len(sta->dpp_pfs->ie));
5062 p += wpabuf_len(sta->dpp_pfs->ie);
5063 }
5064 #endif /* CONFIG_DPP2 */
5065
5066 #ifdef CONFIG_IEEE80211AC
5067 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5068 p = hostapd_eid_vendor_vht(hapd, p);
5069 #endif /* CONFIG_IEEE80211AC */
5070
5071 if (sta && (sta->flags & WLAN_STA_WMM))
5072 p = hostapd_eid_wmm(hapd, p);
5073
5074 #ifdef CONFIG_WPS
5075 if (sta &&
5076 ((sta->flags & WLAN_STA_WPS) ||
5077 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5078 struct wpabuf *wps = wps_build_assoc_resp_ie();
5079 if (wps) {
5080 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5081 p += wpabuf_len(wps);
5082 wpabuf_free(wps);
5083 }
5084 }
5085 #endif /* CONFIG_WPS */
5086
5087 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5088 p = hostapd_eid_multi_ap(hapd, p, buf + buflen - p);
5089
5090 #ifdef CONFIG_P2P
5091 if (sta && sta->p2p_ie && hapd->p2p_group) {
5092 struct wpabuf *p2p_resp_ie;
5093 enum p2p_status_code status;
5094 switch (status_code) {
5095 case WLAN_STATUS_SUCCESS:
5096 status = P2P_SC_SUCCESS;
5097 break;
5098 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5099 status = P2P_SC_FAIL_LIMIT_REACHED;
5100 break;
5101 default:
5102 status = P2P_SC_FAIL_INVALID_PARAMS;
5103 break;
5104 }
5105 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5106 if (p2p_resp_ie) {
5107 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5108 wpabuf_len(p2p_resp_ie));
5109 p += wpabuf_len(p2p_resp_ie);
5110 wpabuf_free(p2p_resp_ie);
5111 }
5112 }
5113 #endif /* CONFIG_P2P */
5114
5115 #ifdef CONFIG_P2P_MANAGER
5116 if (hapd->conf->p2p & P2P_MANAGE)
5117 p = hostapd_eid_p2p_manage(hapd, p);
5118 #endif /* CONFIG_P2P_MANAGER */
5119
5120 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5121
5122 if (hapd->conf->assocresp_elements &&
5123 (size_t) (buf + buflen - p) >=
5124 wpabuf_len(hapd->conf->assocresp_elements)) {
5125 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5126 wpabuf_len(hapd->conf->assocresp_elements));
5127 p += wpabuf_len(hapd->conf->assocresp_elements);
5128 }
5129
5130 send_len += p - reply->u.assoc_resp.variable;
5131
5132 #ifdef CONFIG_FILS
5133 if (sta &&
5134 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5135 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5136 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5137 status_code == WLAN_STATUS_SUCCESS) {
5138 struct ieee802_11_elems elems;
5139
5140 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5141 ParseFailed || !elems.fils_session) {
5142 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5143 goto done;
5144 }
5145
5146 /* FILS Session */
5147 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5148 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5149 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5150 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5151 send_len += 2 + 1 + FILS_SESSION_LEN;
5152
5153 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5154 buflen, sta->fils_hlp_resp);
5155 if (send_len < 0) {
5156 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5157 goto done;
5158 }
5159 }
5160 #endif /* CONFIG_FILS */
5161
5162 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5163 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5164 strerror(errno));
5165 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5166 }
5167
5168 done:
5169 os_free(buf);
5170 return res;
5171 }
5172
5173
5174 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5175 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5176 const u8 *owe_dh, u8 owe_dh_len,
5177 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5178 {
5179 #ifdef CONFIG_TESTING_OPTIONS
5180 if (hapd->conf->own_ie_override) {
5181 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5182 *status = WLAN_STATUS_SUCCESS;
5183 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5184 owe_buf_len, NULL, 0);
5185 }
5186 #endif /* CONFIG_TESTING_OPTIONS */
5187
5188 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5189 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5190 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5191 owe_buf_len, NULL, 0);
5192 *status = WLAN_STATUS_SUCCESS;
5193 return owe_buf;
5194 }
5195
5196 if (sta->owe_pmk && sta->external_dh_updated) {
5197 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5198 *status = WLAN_STATUS_SUCCESS;
5199 return owe_buf;
5200 }
5201
5202 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5203 if (*status != WLAN_STATUS_SUCCESS)
5204 return NULL;
5205
5206 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5207 owe_buf_len, NULL, 0);
5208
5209 if (sta->owe_ecdh && owe_buf) {
5210 struct wpabuf *pub;
5211
5212 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5213 if (!pub) {
5214 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5215 return owe_buf;
5216 }
5217
5218 /* OWE Diffie-Hellman Parameter element */
5219 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5220 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5221 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5222 */
5223 WPA_PUT_LE16(owe_buf, sta->owe_group);
5224 owe_buf += 2;
5225 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5226 owe_buf += wpabuf_len(pub);
5227 wpabuf_free(pub);
5228 }
5229
5230 return owe_buf;
5231 }
5232 #endif /* CONFIG_OWE */
5233
5234
5235 #ifdef CONFIG_FILS
5236
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5237 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5238 {
5239 u16 reply_res;
5240
5241 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR_SEC,
5242 MAC2STR_SEC(sta->addr));
5243 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5244 if (!sta->fils_pending_assoc_req)
5245 return;
5246 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5247 sta->fils_pending_assoc_is_reassoc,
5248 sta->fils_pending_assoc_req,
5249 sta->fils_pending_assoc_req_len, 0, 0,
5250 true);
5251 os_free(sta->fils_pending_assoc_req);
5252 sta->fils_pending_assoc_req = NULL;
5253 sta->fils_pending_assoc_req_len = 0;
5254 wpabuf_free(sta->fils_hlp_resp);
5255 sta->fils_hlp_resp = NULL;
5256 wpabuf_free(sta->hlp_dhcp_discover);
5257 sta->hlp_dhcp_discover = NULL;
5258
5259 /*
5260 * Remove the station in case transmission of a success response fails.
5261 * At this point the station was already added associated to the driver.
5262 */
5263 if (reply_res != WLAN_STATUS_SUCCESS)
5264 hostapd_drv_sta_remove(hapd, sta->addr);
5265 }
5266
5267
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5268 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5269 {
5270 struct hostapd_data *hapd = eloop_ctx;
5271 struct sta_info *sta = eloop_data;
5272
5273 wpa_printf(MSG_DEBUG,
5274 "FILS: HLP response timeout - continue with association response for "
5275 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5276 if (sta->fils_drv_assoc_finish)
5277 hostapd_notify_assoc_fils_finish(hapd, sta);
5278 else
5279 fils_hlp_finish_assoc(hapd, sta);
5280 }
5281
5282 #endif /* CONFIG_FILS */
5283
5284
5285 #ifdef CONFIG_IEEE80211BE
handle_mlo_translate(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,bool reassoc,struct hostapd_data ** assoc_hapd)5286 static struct sta_info * handle_mlo_translate(struct hostapd_data *hapd,
5287 const struct ieee80211_mgmt *mgmt,
5288 size_t len, bool reassoc,
5289 struct hostapd_data **assoc_hapd)
5290 {
5291 struct sta_info *sta;
5292 struct ieee802_11_elems elems;
5293 u8 mld_addr[ETH_ALEN];
5294 const u8 *pos;
5295
5296 if (!hapd->iconf->ieee80211be || hapd->conf->disable_11be)
5297 return NULL;
5298
5299 if (reassoc) {
5300 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req);
5301 pos = mgmt->u.reassoc_req.variable;
5302 } else {
5303 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req);
5304 pos = mgmt->u.assoc_req.variable;
5305 }
5306
5307 if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed)
5308 return NULL;
5309
5310 if (hostapd_process_ml_assoc_req_addr(hapd, elems.basic_mle,
5311 elems.basic_mle_len,
5312 mld_addr))
5313 return NULL;
5314
5315 sta = ap_get_sta(hapd, mld_addr);
5316 if (!sta)
5317 return NULL;
5318
5319 wpa_printf(MSG_DEBUG, "MLD: assoc: mld=" MACSTR ", link=" MACSTR,
5320 MAC2STR(mld_addr), MAC2STR(mgmt->sa));
5321
5322 return hostapd_ml_get_assoc_sta(hapd, sta, assoc_hapd);
5323 }
5324 #endif /* CONFIG_IEEE80211BE */
5325
5326
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5327 static void handle_assoc(struct hostapd_data *hapd,
5328 const struct ieee80211_mgmt *mgmt, size_t len,
5329 int reassoc, int rssi)
5330 {
5331 u16 capab_info, listen_interval, seq_ctrl, fc;
5332 int resp = WLAN_STATUS_SUCCESS;
5333 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5334 const u8 *pos;
5335 int left, i;
5336 struct sta_info *sta;
5337 u8 *tmp = NULL;
5338 #ifdef CONFIG_FILS
5339 int delay_assoc = 0;
5340 #endif /* CONFIG_FILS */
5341 int omit_rsnxe = 0;
5342 bool set_beacon = false;
5343 bool mld_addrs_not_translated = false;
5344
5345 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5346 sizeof(mgmt->u.assoc_req))) {
5347 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5348 reassoc, (unsigned long) len);
5349 return;
5350 }
5351
5352 #ifdef CONFIG_TESTING_OPTIONS
5353 if (reassoc) {
5354 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5355 drand48() < hapd->iconf->ignore_reassoc_probability) {
5356 wpa_printf(MSG_INFO,
5357 "TESTING: ignoring reassoc request from "
5358 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5359 return;
5360 }
5361 } else {
5362 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5363 drand48() < hapd->iconf->ignore_assoc_probability) {
5364 wpa_printf(MSG_INFO,
5365 "TESTING: ignoring assoc request from "
5366 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5367 return;
5368 }
5369 }
5370 #endif /* CONFIG_TESTING_OPTIONS */
5371
5372 fc = le_to_host16(mgmt->frame_control);
5373 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5374
5375 if (reassoc) {
5376 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5377 listen_interval = le_to_host16(
5378 mgmt->u.reassoc_req.listen_interval);
5379 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR_SEC
5380 " capab_info=0x%02x listen_interval=%d current_ap="
5381 MACSTR_SEC " seq_ctrl=0x%x%s",
5382 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5383 MAC2STR_SEC(mgmt->u.reassoc_req.current_ap),
5384 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5385 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5386 pos = mgmt->u.reassoc_req.variable;
5387 } else {
5388 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5389 listen_interval = le_to_host16(
5390 mgmt->u.assoc_req.listen_interval);
5391 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR_SEC
5392 " capab_info=0x%02x listen_interval=%d "
5393 "seq_ctrl=0x%x%s",
5394 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5395 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5396 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5397 pos = mgmt->u.assoc_req.variable;
5398 }
5399
5400 sta = ap_get_sta(hapd, mgmt->sa);
5401
5402 #ifdef CONFIG_IEEE80211BE
5403 /*
5404 * It is possible that the association frame is from an associated
5405 * non-AP MLD station, that tries to re-associate using different link
5406 * addresses. In such a case, try to find the station based on the AP
5407 * MLD MAC address.
5408 */
5409 if (!sta) {
5410 struct hostapd_data *assoc_hapd;
5411
5412 sta = handle_mlo_translate(hapd, mgmt, len, reassoc,
5413 &assoc_hapd);
5414 if (sta) {
5415 wpa_printf(MSG_DEBUG,
5416 "MLD: Switching to assoc hapd/station");
5417 hapd = assoc_hapd;
5418 mld_addrs_not_translated = true;
5419 }
5420 }
5421 #endif /* CONFIG_IEEE80211BE */
5422
5423 #ifdef CONFIG_IEEE80211R_AP
5424 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5425 (sta->flags & WLAN_STA_AUTH) == 0) {
5426 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR_SEC " to associate "
5427 "prior to authentication since it is using "
5428 "over-the-DS FT", MAC2STR_SEC(mgmt->sa));
5429
5430 /*
5431 * Mark station as authenticated, to avoid adding station
5432 * entry in the driver as associated and not authenticated
5433 */
5434 sta->flags |= WLAN_STA_AUTH;
5435 } else
5436 #endif /* CONFIG_IEEE80211R_AP */
5437 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5438 if (hapd->iface->current_mode &&
5439 hapd->iface->current_mode->mode ==
5440 HOSTAPD_MODE_IEEE80211AD) {
5441 int acl_res;
5442 struct radius_sta info;
5443
5444 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5445 (const u8 *) mgmt,
5446 len, &info);
5447 if (acl_res == HOSTAPD_ACL_REJECT) {
5448 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5449 "Ignore Association Request frame from "
5450 MACSTR " due to ACL reject",
5451 MAC2STR(mgmt->sa));
5452 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5453 goto fail;
5454 }
5455 if (acl_res == HOSTAPD_ACL_PENDING)
5456 return;
5457
5458 /* DMG/IEEE 802.11ad does not use authentication.
5459 * Allocate sta entry upon association. */
5460 sta = ap_sta_add(hapd, mgmt->sa);
5461 if (!sta) {
5462 hostapd_logger(hapd, mgmt->sa,
5463 HOSTAPD_MODULE_IEEE80211,
5464 HOSTAPD_LEVEL_INFO,
5465 "Failed to add STA");
5466 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5467 goto fail;
5468 }
5469
5470 acl_res = ieee802_11_set_radius_info(
5471 hapd, sta, acl_res, &info);
5472 if (acl_res) {
5473 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5474 goto fail;
5475 }
5476
5477 hostapd_logger(hapd, sta->addr,
5478 HOSTAPD_MODULE_IEEE80211,
5479 HOSTAPD_LEVEL_DEBUG,
5480 "Skip authentication for DMG/IEEE 802.11ad");
5481 sta->flags |= WLAN_STA_AUTH;
5482 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5483 sta->auth_alg = WLAN_AUTH_OPEN;
5484 } else {
5485 hostapd_logger(hapd, mgmt->sa,
5486 HOSTAPD_MODULE_IEEE80211,
5487 HOSTAPD_LEVEL_INFO,
5488 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5489 sta ? sta->aid : -1,
5490 sta ? sta->flags : 0);
5491 send_deauth(hapd, mgmt->sa,
5492 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5493 return;
5494 }
5495 }
5496
5497 if ((fc & WLAN_FC_RETRY) &&
5498 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5499 sta->last_seq_ctrl == seq_ctrl &&
5500 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5501 WLAN_FC_STYPE_ASSOC_REQ)) {
5502 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5503 HOSTAPD_LEVEL_DEBUG,
5504 "Drop repeated association frame seq_ctrl=0x%x",
5505 seq_ctrl);
5506 return;
5507 }
5508 sta->last_seq_ctrl = seq_ctrl;
5509 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5510 WLAN_FC_STYPE_ASSOC_REQ;
5511
5512 if (hapd->tkip_countermeasures) {
5513 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5514 goto fail;
5515 }
5516
5517 if (listen_interval > hapd->conf->max_listen_interval) {
5518 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5519 HOSTAPD_LEVEL_DEBUG,
5520 "Too large Listen Interval (%d)",
5521 listen_interval);
5522 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5523 goto fail;
5524 }
5525
5526 #ifdef CONFIG_MBO
5527 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5528 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5529 goto fail;
5530 }
5531
5532 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5533 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5534 (sta->auth_rssi == 0 ||
5535 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5536 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5537 goto fail;
5538 }
5539 #endif /* CONFIG_MBO */
5540
5541 if (hapd->conf->wpa && check_sa_query(hapd, sta, reassoc)) {
5542 resp = WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
5543 goto fail;
5544 }
5545
5546 /*
5547 * sta->capability is used in check_assoc_ies() for RRM enabled
5548 * capability element.
5549 */
5550 sta->capability = capab_info;
5551
5552 #ifdef CONFIG_FILS
5553 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5554 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5555 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5556 int res;
5557
5558 /* The end of the payload is encrypted. Need to decrypt it
5559 * before parsing. */
5560
5561 tmp = os_memdup(pos, left);
5562 if (!tmp) {
5563 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5564 goto fail;
5565 }
5566
5567 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5568 len, tmp, left);
5569 if (res < 0) {
5570 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5571 goto fail;
5572 }
5573 pos = tmp;
5574 left = res;
5575 }
5576 #endif /* CONFIG_FILS */
5577
5578 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5579 * is used */
5580 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5581 if (resp != WLAN_STATUS_SUCCESS)
5582 goto fail;
5583 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5584
5585 if (hostapd_get_aid(hapd, sta) < 0) {
5586 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5587 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5588 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5589 goto fail;
5590 }
5591
5592 sta->listen_interval = listen_interval;
5593
5594 if (hapd->iface->current_mode &&
5595 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5596 sta->flags |= WLAN_STA_NONERP;
5597 for (i = 0; i < sta->supported_rates_len; i++) {
5598 if ((sta->supported_rates[i] & 0x7f) > 22) {
5599 sta->flags &= ~WLAN_STA_NONERP;
5600 break;
5601 }
5602 }
5603 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5604 sta->nonerp_set = 1;
5605 hapd->iface->num_sta_non_erp++;
5606 if (hapd->iface->num_sta_non_erp == 1)
5607 set_beacon = true;
5608 }
5609
5610 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5611 !sta->no_short_slot_time_set) {
5612 sta->no_short_slot_time_set = 1;
5613 hapd->iface->num_sta_no_short_slot_time++;
5614 if (hapd->iface->current_mode &&
5615 hapd->iface->current_mode->mode ==
5616 HOSTAPD_MODE_IEEE80211G &&
5617 hapd->iface->num_sta_no_short_slot_time == 1)
5618 set_beacon = true;
5619 }
5620
5621 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5622 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5623 else
5624 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5625
5626 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5627 !sta->no_short_preamble_set) {
5628 sta->no_short_preamble_set = 1;
5629 hapd->iface->num_sta_no_short_preamble++;
5630 if (hapd->iface->current_mode &&
5631 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5632 && hapd->iface->num_sta_no_short_preamble == 1)
5633 set_beacon = true;
5634 }
5635
5636 if (update_ht_state(hapd, sta) > 0)
5637 set_beacon = true;
5638
5639 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5640 HOSTAPD_LEVEL_DEBUG,
5641 "association OK (aid %d)", sta->aid);
5642 /* Station will be marked associated, after it acknowledges AssocResp
5643 */
5644 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5645
5646 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5647 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5648 "SA Query procedure", reassoc ? "re" : "");
5649 /* TODO: Send a protected Disassociate frame to the STA using
5650 * the old key and Reason Code "Previous Authentication no
5651 * longer valid". Make sure this is only sent protected since
5652 * unprotected frame would be received by the STA that is now
5653 * trying to associate.
5654 */
5655 }
5656
5657 /* Make sure that the previously registered inactivity timer will not
5658 * remove the STA immediately. */
5659 sta->timeout_next = STA_NULLFUNC;
5660
5661 #ifdef CONFIG_TAXONOMY
5662 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5663 #endif /* CONFIG_TAXONOMY */
5664
5665 sta->pending_wds_enable = 0;
5666
5667 #ifdef CONFIG_FILS
5668 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5669 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5670 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5671 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5672 delay_assoc = 1;
5673 }
5674 #endif /* CONFIG_FILS */
5675
5676 if (set_beacon)
5677 ieee802_11_update_beacons(hapd->iface);
5678
5679 fail:
5680
5681 /*
5682 * In case of a successful response, add the station to the driver.
5683 * Otherwise, the kernel may ignore Data frames before we process the
5684 * ACK frame (TX status). In case of a failure, this station will be
5685 * removed.
5686 *
5687 * Note that this is not compliant with the IEEE 802.11 standard that
5688 * states that a non-AP station should transition into the
5689 * authenticated/associated state only after the station acknowledges
5690 * the (Re)Association Response frame. However, still do this as:
5691 *
5692 * 1. In case the station does not acknowledge the (Re)Association
5693 * Response frame, it will be removed.
5694 * 2. Data frames will be dropped in the kernel until the station is
5695 * set into authorized state, and there are no significant known
5696 * issues with processing other non-Data Class 3 frames during this
5697 * window.
5698 */
5699 if (sta)
5700 hostapd_process_assoc_ml_info(hapd, sta, pos, left, reassoc,
5701 resp, false);
5702
5703 if (resp == WLAN_STATUS_SUCCESS && sta &&
5704 add_associated_sta(hapd, sta, reassoc))
5705 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5706
5707 #ifdef CONFIG_FILS
5708 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5709 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5710 sta->fils_pending_assoc_req) {
5711 /* Do not reschedule fils_hlp_timeout in case the station
5712 * retransmits (Re)Association Request frame while waiting for
5713 * the previously started FILS HLP wait, so that the timeout can
5714 * be determined from the first pending attempt. */
5715 wpa_printf(MSG_DEBUG,
5716 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5717 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5718 os_free(tmp);
5719 return;
5720 }
5721 if (sta) {
5722 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5723 os_free(sta->fils_pending_assoc_req);
5724 sta->fils_pending_assoc_req = NULL;
5725 sta->fils_pending_assoc_req_len = 0;
5726 wpabuf_free(sta->fils_hlp_resp);
5727 sta->fils_hlp_resp = NULL;
5728 }
5729 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5730 sta->fils_pending_assoc_req = tmp;
5731 sta->fils_pending_assoc_req_len = left;
5732 sta->fils_pending_assoc_is_reassoc = reassoc;
5733 sta->fils_drv_assoc_finish = 0;
5734 wpa_printf(MSG_DEBUG,
5735 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5736 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5737 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5738 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5739 fils_hlp_timeout, hapd, sta);
5740 return;
5741 }
5742 #endif /* CONFIG_FILS */
5743
5744 if (resp >= 0)
5745 reply_res = send_assoc_resp(hapd,
5746 mld_addrs_not_translated ?
5747 NULL : sta,
5748 mgmt->sa, resp, reassoc,
5749 pos, left, rssi, omit_rsnxe,
5750 !mld_addrs_not_translated);
5751 os_free(tmp);
5752
5753 /*
5754 * Remove the station in case transmission of a success response fails
5755 * (the STA was added associated to the driver) or if the station was
5756 * previously added unassociated.
5757 */
5758 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5759 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5760 hostapd_drv_sta_remove(hapd, sta->addr);
5761 sta->added_unassoc = 0;
5762 }
5763 }
5764
5765
hostapd_deauth_sta(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt)5766 static void hostapd_deauth_sta(struct hostapd_data *hapd,
5767 struct sta_info *sta,
5768 const struct ieee80211_mgmt *mgmt)
5769 {
5770 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5771 "deauthentication: STA=" MACSTR " reason_code=%d",
5772 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5773
5774 ap_sta_set_authorized(hapd, sta, 0);
5775 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5776 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5777 WLAN_STA_ASSOC_REQ_OK);
5778 hostapd_set_sta_flags(hapd, sta);
5779 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5780 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5781 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5782 mlme_deauthenticate_indication(
5783 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5784 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5785 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5786 ap_free_sta(hapd, sta);
5787 }
5788
5789
hostapd_disassoc_sta(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt)5790 static void hostapd_disassoc_sta(struct hostapd_data *hapd,
5791 struct sta_info *sta,
5792 const struct ieee80211_mgmt *mgmt)
5793 {
5794 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5795 "disassocation: STA=" MACSTR " reason_code=%d",
5796 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.disassoc.reason_code));
5797
5798 ap_sta_set_authorized(hapd, sta, 0);
5799 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5800 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5801 hostapd_set_sta_flags(hapd, sta);
5802 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5803 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5804 HOSTAPD_LEVEL_INFO, "disassociated");
5805 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5806 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5807 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5808 * authenticated. */
5809 accounting_sta_stop(hapd, sta);
5810 ieee802_1x_free_station(hapd, sta);
5811 if (sta->ipaddr)
5812 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5813 ap_sta_ip6addr_del(hapd, sta);
5814 hostapd_drv_sta_remove(hapd, sta->addr);
5815 sta->added_unassoc = 0;
5816
5817 if (sta->timeout_next == STA_NULLFUNC ||
5818 sta->timeout_next == STA_DISASSOC) {
5819 sta->timeout_next = STA_DEAUTH;
5820 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5821 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5822 hapd, sta);
5823 }
5824
5825 mlme_disassociate_indication(
5826 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5827
5828 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5829 * disassociation. */
5830 if (hapd->iface->current_mode &&
5831 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5832 sta->flags &= ~WLAN_STA_AUTH;
5833 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5834 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5835 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5836 ap_free_sta(hapd, sta);
5837 }
5838 }
5839
5840
hostapd_ml_handle_disconnect(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,bool disassoc)5841 static bool hostapd_ml_handle_disconnect(struct hostapd_data *hapd,
5842 struct sta_info *sta,
5843 const struct ieee80211_mgmt *mgmt,
5844 bool disassoc)
5845 {
5846 #ifdef CONFIG_IEEE80211BE
5847 struct hostapd_data *assoc_hapd, *tmp_hapd;
5848 struct sta_info *assoc_sta;
5849 struct sta_info *tmp_sta;
5850
5851 if (!hostapd_is_mld_ap(hapd))
5852 return false;
5853
5854 /*
5855 * Get the station on which the association was performed, as it holds
5856 * the information about all the other links.
5857 */
5858 assoc_sta = hostapd_ml_get_assoc_sta(hapd, sta, &assoc_hapd);
5859 if (!assoc_sta)
5860 return false;
5861
5862 for_each_mld_link(tmp_hapd, assoc_hapd) {
5863 if (tmp_hapd == assoc_hapd)
5864 continue;
5865
5866 if (!assoc_sta->mld_info.links[tmp_hapd->mld_link_id].valid)
5867 continue;
5868
5869 for (tmp_sta = tmp_hapd->sta_list; tmp_sta;
5870 tmp_sta = tmp_sta->next) {
5871 if (tmp_sta->mld_assoc_link_id !=
5872 assoc_sta->mld_assoc_link_id ||
5873 tmp_sta->aid != assoc_sta->aid)
5874 continue;
5875
5876 if (!disassoc)
5877 hostapd_deauth_sta(tmp_hapd, tmp_sta, mgmt);
5878 else
5879 hostapd_disassoc_sta(tmp_hapd, tmp_sta, mgmt);
5880 break;
5881 }
5882 }
5883
5884 /* Remove the station on which the association was performed. */
5885 if (!disassoc)
5886 hostapd_deauth_sta(assoc_hapd, assoc_sta, mgmt);
5887 else
5888 hostapd_disassoc_sta(assoc_hapd, assoc_sta, mgmt);
5889
5890 return true;
5891 #else /* CONFIG_IEEE80211BE */
5892 return false;
5893 #endif /* CONFIG_IEEE80211BE */
5894 }
5895
5896
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5897 static void handle_disassoc(struct hostapd_data *hapd,
5898 const struct ieee80211_mgmt *mgmt, size_t len)
5899 {
5900 struct sta_info *sta;
5901
5902 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5903 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5904 "handle_disassoc - too short payload (len=%lu)",
5905 (unsigned long) len);
5906 return;
5907 }
5908
5909 sta = ap_get_sta(hapd, mgmt->sa);
5910 if (!sta) {
5911 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR_SEC
5912 " trying to disassociate, but it is not associated",
5913 MAC2STR_SEC(mgmt->sa));
5914 return;
5915 }
5916
5917 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, true))
5918 return;
5919
5920 hostapd_disassoc_sta(hapd, sta, mgmt);
5921 }
5922
5923
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5924 static void handle_deauth(struct hostapd_data *hapd,
5925 const struct ieee80211_mgmt *mgmt, size_t len)
5926 {
5927 struct sta_info *sta;
5928
5929 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5930 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5931 "handle_deauth - too short payload (len=%lu)",
5932 (unsigned long) len);
5933 return;
5934 }
5935
5936 wpa_msg_only_for_cb(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5937 " reason_code=%d",
5938 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5939 wpa_printf(MSG_DEBUG, "deauthentication: STA=" MACSTR_SEC
5940 " reason_code=%d",
5941 MAC2STR_SEC(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5942
5943 /* Clear the PTKSA cache entries for PASN */
5944 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5945
5946 sta = ap_get_sta(hapd, mgmt->sa);
5947 if (!sta) {
5948 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
5949 " trying to deauthenticate, but it is not authenticated",
5950 MAC2STR(mgmt->sa));
5951 return;
5952 }
5953
5954 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, false))
5955 return;
5956
5957 hostapd_deauth_sta(hapd, sta, mgmt);
5958 }
5959
5960
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5961 static void handle_beacon(struct hostapd_data *hapd,
5962 const struct ieee80211_mgmt *mgmt, size_t len,
5963 struct hostapd_frame_info *fi)
5964 {
5965 struct ieee802_11_elems elems;
5966
5967 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5968 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5969 (unsigned long) len);
5970 return;
5971 }
5972
5973 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5974 len - (IEEE80211_HDRLEN +
5975 sizeof(mgmt->u.beacon)), &elems,
5976 0);
5977
5978 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5979 }
5980
5981
robust_action_frame(u8 category)5982 static int robust_action_frame(u8 category)
5983 {
5984 return category != WLAN_ACTION_PUBLIC &&
5985 category != WLAN_ACTION_HT;
5986 }
5987
5988
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5989 static int handle_action(struct hostapd_data *hapd,
5990 const struct ieee80211_mgmt *mgmt, size_t len,
5991 unsigned int freq)
5992 {
5993 struct sta_info *sta;
5994 u8 *action __maybe_unused;
5995
5996 if (len < IEEE80211_HDRLEN + 2 + 1) {
5997 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5998 HOSTAPD_LEVEL_DEBUG,
5999 "handle_action - too short payload (len=%lu)",
6000 (unsigned long) len);
6001 return 0;
6002 }
6003
6004 action = (u8 *) &mgmt->u.action.u;
6005 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR_SEC
6006 " da " MACSTR_SEC " len %d freq %u",
6007 mgmt->u.action.category, *action,
6008 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), (int) len, freq);
6009
6010 sta = ap_get_sta(hapd, mgmt->sa);
6011
6012 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6013 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6014 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6015 "frame (category=%u) from unassociated STA " MACSTR_SEC,
6016 mgmt->u.action.category, MAC2STR_SEC(mgmt->sa));
6017 return 0;
6018 }
6019
6020 if (sta && (sta->flags & WLAN_STA_MFP) &&
6021 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6022 robust_action_frame(mgmt->u.action.category)) {
6023 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6024 HOSTAPD_LEVEL_DEBUG,
6025 "Dropped unprotected Robust Action frame from "
6026 "an MFP STA");
6027 return 0;
6028 }
6029
6030 if (sta) {
6031 u16 fc = le_to_host16(mgmt->frame_control);
6032 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6033
6034 if ((fc & WLAN_FC_RETRY) &&
6035 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6036 sta->last_seq_ctrl == seq_ctrl &&
6037 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6038 hostapd_logger(hapd, sta->addr,
6039 HOSTAPD_MODULE_IEEE80211,
6040 HOSTAPD_LEVEL_DEBUG,
6041 "Drop repeated action frame seq_ctrl=0x%x",
6042 seq_ctrl);
6043 return 1;
6044 }
6045
6046 sta->last_seq_ctrl = seq_ctrl;
6047 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6048 }
6049
6050 switch (mgmt->u.action.category) {
6051 #ifdef CONFIG_IEEE80211R_AP
6052 case WLAN_ACTION_FT:
6053 if (!sta ||
6054 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6055 len - IEEE80211_HDRLEN))
6056 break;
6057 return 1;
6058 #endif /* CONFIG_IEEE80211R_AP */
6059 case WLAN_ACTION_WMM:
6060 hostapd_wmm_action(hapd, mgmt, len);
6061 return 1;
6062 case WLAN_ACTION_SA_QUERY:
6063 ieee802_11_sa_query_action(hapd, mgmt, len);
6064 return 1;
6065 #ifdef CONFIG_WNM_AP
6066 case WLAN_ACTION_WNM:
6067 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6068 return 1;
6069 #endif /* CONFIG_WNM_AP */
6070 #ifdef CONFIG_FST
6071 case WLAN_ACTION_FST:
6072 if (hapd->iface->fst)
6073 fst_rx_action(hapd->iface->fst, mgmt, len);
6074 else
6075 wpa_printf(MSG_DEBUG,
6076 "FST: Ignore FST Action frame - no FST attached");
6077 return 1;
6078 #endif /* CONFIG_FST */
6079 case WLAN_ACTION_PUBLIC:
6080 case WLAN_ACTION_PROTECTED_DUAL:
6081 if (len >= IEEE80211_HDRLEN + 2 &&
6082 mgmt->u.action.u.public_action.action ==
6083 WLAN_PA_20_40_BSS_COEX) {
6084 hostapd_2040_coex_action(hapd, mgmt, len);
6085 return 1;
6086 }
6087 #ifdef CONFIG_DPP
6088 if (len >= IEEE80211_HDRLEN + 6 &&
6089 mgmt->u.action.u.vs_public_action.action ==
6090 WLAN_PA_VENDOR_SPECIFIC &&
6091 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6092 OUI_WFA &&
6093 mgmt->u.action.u.vs_public_action.variable[0] ==
6094 DPP_OUI_TYPE) {
6095 const u8 *pos, *end;
6096
6097 pos = mgmt->u.action.u.vs_public_action.oui;
6098 end = ((const u8 *) mgmt) + len;
6099 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6100 freq);
6101 return 1;
6102 }
6103 if (len >= IEEE80211_HDRLEN + 2 &&
6104 (mgmt->u.action.u.public_action.action ==
6105 WLAN_PA_GAS_INITIAL_RESP ||
6106 mgmt->u.action.u.public_action.action ==
6107 WLAN_PA_GAS_COMEBACK_RESP)) {
6108 const u8 *pos, *end;
6109
6110 pos = &mgmt->u.action.u.public_action.action;
6111 end = ((const u8 *) mgmt) + len;
6112 if (gas_query_ap_rx(hapd->gas, mgmt->sa,
6113 mgmt->u.action.category,
6114 pos, end - pos, freq) == 0)
6115 return 1;
6116 }
6117 #endif /* CONFIG_DPP */
6118 #ifdef CONFIG_NAN_USD
6119 if (mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6120 len >= IEEE80211_HDRLEN + 5 &&
6121 mgmt->u.action.u.vs_public_action.action ==
6122 WLAN_PA_VENDOR_SPECIFIC &&
6123 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6124 OUI_WFA &&
6125 mgmt->u.action.u.vs_public_action.variable[0] ==
6126 NAN_OUI_TYPE) {
6127 const u8 *pos, *end;
6128
6129 pos = mgmt->u.action.u.vs_public_action.variable;
6130 end = ((const u8 *) mgmt) + len;
6131 pos++;
6132 hostapd_nan_usd_rx_sdf(hapd, mgmt->sa, freq,
6133 pos, end - pos);
6134 return 1;
6135 }
6136 #endif /* CONFIG_NAN_USD */
6137 if (hapd->public_action_cb) {
6138 hapd->public_action_cb(hapd->public_action_cb_ctx,
6139 (u8 *) mgmt, len, freq);
6140 }
6141 if (hapd->public_action_cb2) {
6142 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6143 (u8 *) mgmt, len, freq);
6144 }
6145 if (hapd->public_action_cb || hapd->public_action_cb2)
6146 return 1;
6147 break;
6148 case WLAN_ACTION_VENDOR_SPECIFIC:
6149 if (hapd->vendor_action_cb) {
6150 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6151 (u8 *) mgmt, len, freq) == 0)
6152 return 1;
6153 }
6154 break;
6155 #ifndef CONFIG_NO_RRM
6156 case WLAN_ACTION_RADIO_MEASUREMENT:
6157 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6158 return 1;
6159 #endif /* CONFIG_NO_RRM */
6160 }
6161
6162 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6163 HOSTAPD_LEVEL_DEBUG,
6164 "handle_action - unknown action category %d or invalid "
6165 "frame",
6166 mgmt->u.action.category);
6167 if (!is_multicast_ether_addr(mgmt->da) &&
6168 !(mgmt->u.action.category & 0x80) &&
6169 !is_multicast_ether_addr(mgmt->sa)) {
6170 struct ieee80211_mgmt *resp;
6171
6172 /*
6173 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6174 * Return the Action frame to the source without change
6175 * except that MSB of the Category set to 1.
6176 */
6177 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6178 "frame back to sender");
6179 resp = os_memdup(mgmt, len);
6180 if (resp == NULL)
6181 return 0;
6182 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6183 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6184 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6185 resp->u.action.category |= 0x80;
6186
6187 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6188 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6189 "Action frame");
6190 }
6191 os_free(resp);
6192 }
6193
6194 return 1;
6195 }
6196
6197
6198 /**
6199 * notify_mgmt_frame - Notify of Management frames on the control interface
6200 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6201 * sent to)
6202 * @buf: Management frame data (starting from the IEEE 802.11 header)
6203 * @len: Length of frame data in octets
6204 *
6205 * Notify the control interface of any received Management frame.
6206 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6207 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6208 size_t len)
6209 {
6210
6211 int hex_len = len * 2 + 1;
6212 char *hex = os_malloc(hex_len);
6213
6214 if (hex) {
6215 wpa_snprintf_hex(hex, hex_len, buf, len);
6216 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6217 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6218 os_free(hex);
6219 }
6220 }
6221
6222
6223 /**
6224 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6225 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6226 * sent to)
6227 * @buf: management frame data (starting from IEEE 802.11 header)
6228 * @len: length of frame data in octets
6229 * @fi: meta data about received frame (signal level, etc.)
6230 *
6231 * Process all incoming IEEE 802.11 management frames. This will be called for
6232 * each frame received from the kernel driver through wlan#ap interface. In
6233 * addition, it can be called to re-inserted pending frames (e.g., when using
6234 * external RADIUS server as an MAC ACL).
6235 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6236 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6237 struct hostapd_frame_info *fi)
6238 {
6239 struct ieee80211_mgmt *mgmt;
6240 u16 fc, stype;
6241 int ret = 0;
6242 unsigned int freq;
6243 int ssi_signal = fi ? fi->ssi_signal : 0;
6244 #ifdef CONFIG_NAN_USD
6245 static const u8 nan_network_id[ETH_ALEN] =
6246 { 0x51, 0x6f, 0x9a, 0x01, 0x00, 0x00 };
6247 #endif /* CONFIG_NAN_USD */
6248
6249 if (len < 24)
6250 return 0;
6251
6252 if (fi && fi->freq)
6253 freq = fi->freq;
6254 else
6255 freq = hapd->iface->freq;
6256
6257 mgmt = (struct ieee80211_mgmt *) buf;
6258 fc = le_to_host16(mgmt->frame_control);
6259 stype = WLAN_FC_GET_STYPE(fc);
6260
6261 if (is_multicast_ether_addr(mgmt->sa) ||
6262 is_zero_ether_addr(mgmt->sa) ||
6263 ether_addr_equal(mgmt->sa, hapd->own_addr)) {
6264 /* Do not process any frames with unexpected/invalid SA so that
6265 * we do not add any state for unexpected STA addresses or end
6266 * up sending out frames to unexpected destination. */
6267 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR_SEC
6268 " in received frame - ignore this frame silently",
6269 MAC2STR_SEC(mgmt->sa));
6270 return 0;
6271 }
6272
6273 if (stype == WLAN_FC_STYPE_BEACON) {
6274 handle_beacon(hapd, mgmt, len, fi);
6275 return 1;
6276 }
6277
6278 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6279 #ifdef CONFIG_P2P
6280 /* Invitation responses can be sent with the peer MAC as BSSID */
6281 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6282 stype == WLAN_FC_STYPE_ACTION) &&
6283 #endif /* CONFIG_P2P */
6284 #ifdef CONFIG_MESH
6285 !(hapd->conf->mesh & MESH_ENABLED) &&
6286 #endif /* CONFIG_MESH */
6287 #ifdef CONFIG_IEEE80211BE
6288 !(hapd->conf->mld_ap &&
6289 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) &&
6290 #endif /* CONFIG_IEEE80211BE */
6291 !ether_addr_equal(mgmt->bssid, hapd->own_addr)) {
6292 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR_SEC " not our address",
6293 MAC2STR_SEC(mgmt->bssid));
6294 return 0;
6295 }
6296
6297 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6298 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR_SEC " DA=" MACSTR_SEC " subtype=%u)",
6299 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), stype);
6300 return 1;
6301 }
6302
6303 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6304 handle_probe_req(hapd, mgmt, len, ssi_signal);
6305 return 1;
6306 }
6307
6308 if ((!is_broadcast_ether_addr(mgmt->da) ||
6309 stype != WLAN_FC_STYPE_ACTION) &&
6310 #ifdef CONFIG_IEEE80211BE
6311 !(hapd->conf->mld_ap &&
6312 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) &&
6313 #endif /* CONFIG_IEEE80211BE */
6314 #ifdef CONFIG_NAN_USD
6315 !ether_addr_equal(mgmt->da, nan_network_id) &&
6316 #endif /* CONFIG_NAN_USD */
6317 !ether_addr_equal(mgmt->da, hapd->own_addr)) {
6318 hostapd_logger_only_for_cb(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6319 HOSTAPD_LEVEL_DEBUG,
6320 "MGMT: DA=" MACSTR " not our address",
6321 MAC2STR(mgmt->da));
6322 wpa_printf(MSG_DEBUG, "MGMT: DA=" MACSTR_SEC " not our address",
6323 MAC2STR_SEC(mgmt->da));
6324 return 0;
6325 }
6326
6327 if (hapd->iconf->track_sta_max_num)
6328 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6329
6330 if (hapd->conf->notify_mgmt_frames)
6331 notify_mgmt_frame(hapd, buf, len);
6332
6333 switch (stype) {
6334 case WLAN_FC_STYPE_AUTH:
6335 wpa_printf(MSG_DEBUG, "mgmt::auth");
6336 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6337 ret = 1;
6338 break;
6339 case WLAN_FC_STYPE_ASSOC_REQ:
6340 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6341 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6342 ret = 1;
6343 break;
6344 case WLAN_FC_STYPE_REASSOC_REQ:
6345 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6346 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6347 ret = 1;
6348 break;
6349 case WLAN_FC_STYPE_DISASSOC:
6350 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6351 handle_disassoc(hapd, mgmt, len);
6352 ret = 1;
6353 break;
6354 case WLAN_FC_STYPE_DEAUTH:
6355 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6356 handle_deauth(hapd, mgmt, len);
6357 ret = 1;
6358 break;
6359 case WLAN_FC_STYPE_ACTION:
6360 wpa_printf(MSG_DEBUG, "mgmt::action");
6361 ret = handle_action(hapd, mgmt, len, freq);
6362 break;
6363 default:
6364 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6365 HOSTAPD_LEVEL_DEBUG,
6366 "unknown mgmt frame subtype %d", stype);
6367 break;
6368 }
6369
6370 return ret;
6371 }
6372
6373
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6374 static void handle_auth_cb(struct hostapd_data *hapd,
6375 const struct ieee80211_mgmt *mgmt,
6376 size_t len, int ok)
6377 {
6378 u16 auth_alg, auth_transaction, status_code;
6379 struct sta_info *sta;
6380 bool success_status;
6381
6382 sta = ap_get_sta(hapd, mgmt->da);
6383 if (!sta) {
6384 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR_SEC
6385 " not found",
6386 MAC2STR_SEC(mgmt->da));
6387 return;
6388 }
6389
6390 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6391 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6392 (unsigned long) len);
6393 auth_alg = 0;
6394 auth_transaction = 0;
6395 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6396 goto fail;
6397 }
6398
6399 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6400 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6401 status_code = le_to_host16(mgmt->u.auth.status_code);
6402
6403 if (!ok) {
6404 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6405 HOSTAPD_LEVEL_NOTICE,
6406 "did not acknowledge authentication response");
6407 goto fail;
6408 }
6409
6410 if (status_code == WLAN_STATUS_SUCCESS &&
6411 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6412 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6413 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6414 HOSTAPD_LEVEL_INFO, "authenticated");
6415 sta->flags |= WLAN_STA_AUTH;
6416 if (sta->added_unassoc)
6417 hostapd_set_sta_flags(hapd, sta);
6418 return;
6419 }
6420
6421 fail:
6422 success_status = status_code == WLAN_STATUS_SUCCESS;
6423 #ifdef CONFIG_SAE
6424 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6425 success_status = sae_status_success(hapd, status_code);
6426 #endif /* CONFIG_SAE */
6427 if (!success_status && sta->added_unassoc) {
6428 hostapd_drv_sta_remove(hapd, sta->addr);
6429 sta->added_unassoc = 0;
6430 }
6431 }
6432
6433
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6434 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6435 struct sta_info *sta,
6436 char *ifname_wds)
6437 {
6438 #ifdef CONFIG_WEP
6439 int i;
6440 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6441
6442 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6443 return;
6444
6445 for (i = 0; i < 4; i++) {
6446 if (ssid->wep.key[i] &&
6447 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6448 0, i == ssid->wep.idx, NULL, 0,
6449 ssid->wep.key[i], ssid->wep.len[i],
6450 i == ssid->wep.idx ?
6451 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6452 KEY_FLAG_GROUP_RX_TX)) {
6453 wpa_printf(MSG_WARNING,
6454 "Could not set WEP keys for WDS interface; %s",
6455 ifname_wds);
6456 break;
6457 }
6458 }
6459 #endif /* CONFIG_WEP */
6460 }
6461
6462
6463 #ifdef CONFIG_IEEE80211BE
ieee80211_ml_link_sta_assoc_cb(struct hostapd_data * hapd,struct sta_info * sta,struct mld_link_info * link,bool ok)6464 static void ieee80211_ml_link_sta_assoc_cb(struct hostapd_data *hapd,
6465 struct sta_info *sta,
6466 struct mld_link_info *link,
6467 bool ok)
6468 {
6469 bool updated = false;
6470
6471 if (!ok) {
6472 hostapd_logger(hapd, link->peer_addr, HOSTAPD_MODULE_IEEE80211,
6473 HOSTAPD_LEVEL_DEBUG,
6474 "did not acknowledge association response");
6475 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6476
6477 /* The STA is added only in case of SUCCESS */
6478 if (link->status == WLAN_STATUS_SUCCESS)
6479 hostapd_drv_sta_remove(hapd, sta->addr);
6480
6481 return;
6482 }
6483
6484 if (link->status != WLAN_STATUS_SUCCESS)
6485 return;
6486
6487 sta->flags |= WLAN_STA_ASSOC;
6488 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6489
6490 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa)
6491 updated = ap_sta_set_authorized_flag(hapd, sta, 1);
6492
6493 hostapd_set_sta_flags(hapd, sta);
6494 if (updated)
6495 ap_sta_set_authorized_event(hapd, sta, 1);
6496
6497 /*
6498 * TODOs:
6499 * - IEEE 802.1X port enablement is not needed as done on the station
6500 * doing the connection.
6501 * - Not handling accounting
6502 * - Need to handle VLAN configuration
6503 */
6504 }
6505 #endif /* CONFIG_IEEE80211BE */
6506
6507
hostapd_ml_handle_assoc_cb(struct hostapd_data * hapd,struct sta_info * sta,bool ok)6508 static void hostapd_ml_handle_assoc_cb(struct hostapd_data *hapd,
6509 struct sta_info *sta, bool ok)
6510 {
6511 #ifdef CONFIG_IEEE80211BE
6512 struct hostapd_data *tmp_hapd;
6513
6514 if (!hostapd_is_mld_ap(hapd))
6515 return;
6516
6517 for_each_mld_link(tmp_hapd, hapd) {
6518 struct mld_link_info *link;
6519 struct sta_info *tmp_sta;
6520
6521 if (tmp_hapd == hapd)
6522 continue;
6523
6524 link = &sta->mld_info.links[tmp_hapd->mld_link_id];
6525 if (!link->valid)
6526 continue;
6527
6528 for (tmp_sta = tmp_hapd->sta_list; tmp_sta;
6529 tmp_sta = tmp_sta->next) {
6530 if (tmp_sta == sta ||
6531 tmp_sta->mld_assoc_link_id !=
6532 sta->mld_assoc_link_id ||
6533 tmp_sta->aid != sta->aid)
6534 continue;
6535
6536 ieee80211_ml_link_sta_assoc_cb(tmp_hapd, tmp_sta, link,
6537 ok);
6538 break;
6539 }
6540 }
6541 #endif /* CONFIG_IEEE80211BE */
6542 }
6543
6544
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6545 static void handle_assoc_cb(struct hostapd_data *hapd,
6546 const struct ieee80211_mgmt *mgmt,
6547 size_t len, int reassoc, int ok)
6548 {
6549 u16 status;
6550 struct sta_info *sta;
6551 int new_assoc = 1;
6552
6553 sta = ap_get_sta(hapd, mgmt->da);
6554 if (!sta) {
6555 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR_SEC " not found",
6556 MAC2STR_SEC(mgmt->da));
6557 return;
6558 }
6559
6560 #ifdef CONFIG_IEEE80211BE
6561 if (ap_sta_is_mld(hapd, sta) &&
6562 hapd->mld_link_id != sta->mld_assoc_link_id) {
6563 /* See ieee80211_ml_link_sta_assoc_cb() for the MLD case */
6564 wpa_printf(MSG_DEBUG,
6565 "%s: MLD: ignore on link station (%d != %d)",
6566 __func__, hapd->mld_link_id, sta->mld_assoc_link_id);
6567 return;
6568 }
6569 #endif /* CONFIG_IEEE80211BE */
6570
6571 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6572 sizeof(mgmt->u.assoc_resp))) {
6573 wpa_printf(MSG_INFO,
6574 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6575 reassoc, (unsigned long) len);
6576 hostapd_drv_sta_remove(hapd, sta->addr);
6577 return;
6578 }
6579
6580 if (reassoc)
6581 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6582 else
6583 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6584
6585 if (!ok) {
6586 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6587 HOSTAPD_LEVEL_DEBUG,
6588 "did not acknowledge association response");
6589 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6590 /* The STA is added only in case of SUCCESS */
6591 if (status == WLAN_STATUS_SUCCESS)
6592 hostapd_drv_sta_remove(hapd, sta->addr);
6593
6594 goto handle_ml;
6595 }
6596
6597 if (status != WLAN_STATUS_SUCCESS)
6598 goto handle_ml;
6599
6600 /* Stop previous accounting session, if one is started, and allocate
6601 * new session id for the new session. */
6602 accounting_sta_stop(hapd, sta);
6603
6604 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6605 HOSTAPD_LEVEL_INFO,
6606 "associated (aid %d)",
6607 sta->aid);
6608
6609 if (sta->flags & WLAN_STA_ASSOC)
6610 new_assoc = 0;
6611 sta->flags |= WLAN_STA_ASSOC;
6612 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6613 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6614 !hapd->conf->osen) ||
6615 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6616 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6617 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6618 sta->auth_alg == WLAN_AUTH_FT) {
6619 /*
6620 * Open, static WEP, FT protocol, or FILS; no separate
6621 * authorization step.
6622 */
6623 ap_sta_set_authorized(hapd, sta, 1);
6624 }
6625
6626 if (reassoc)
6627 mlme_reassociate_indication(hapd, sta);
6628 else
6629 mlme_associate_indication(hapd, sta);
6630
6631 sta->sa_query_timed_out = 0;
6632
6633 if (sta->eapol_sm == NULL) {
6634 /*
6635 * This STA does not use RADIUS server for EAP authentication,
6636 * so bind it to the selected VLAN interface now, since the
6637 * interface selection is not going to change anymore.
6638 */
6639 if (ap_sta_bind_vlan(hapd, sta) < 0)
6640 goto handle_ml;
6641 } else if (sta->vlan_id) {
6642 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6643 if (ap_sta_bind_vlan(hapd, sta) < 0)
6644 goto handle_ml;
6645 }
6646
6647 hostapd_set_sta_flags(hapd, sta);
6648
6649 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6650 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6651 MACSTR_SEC " based on pending request",
6652 MAC2STR_SEC(sta->addr));
6653 sta->pending_wds_enable = 0;
6654 sta->flags |= WLAN_STA_WDS;
6655 }
6656
6657 /* WPS not supported on backhaul BSS. Disable 4addr mode on fronthaul */
6658 if ((sta->flags & WLAN_STA_WDS) ||
6659 (sta->flags & WLAN_STA_MULTI_AP &&
6660 (hapd->conf->multi_ap & BACKHAUL_BSS) &&
6661 hapd->conf->wds_sta &&
6662 !(sta->flags & WLAN_STA_WPS))) {
6663 int ret;
6664 char ifname_wds[IFNAMSIZ + 1];
6665
6666 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6667 MACSTR_SEC " (aid %u)",
6668 MAC2STR_SEC(sta->addr), sta->aid);
6669 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6670 sta->aid, 1);
6671 if (!ret)
6672 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6673 }
6674
6675 if (sta->auth_alg == WLAN_AUTH_FT)
6676 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6677 else
6678 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6679 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6680 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6681
6682 #ifdef CONFIG_FILS
6683 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6684 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6685 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6686 fils_set_tk(sta->wpa_sm) < 0) {
6687 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6688 ap_sta_disconnect(hapd, sta, sta->addr,
6689 WLAN_REASON_UNSPECIFIED);
6690 return;
6691 }
6692 #endif /* CONFIG_FILS */
6693
6694 if (sta->pending_eapol_rx) {
6695 struct os_reltime now, age;
6696
6697 os_get_reltime(&now);
6698 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6699 if (age.sec == 0 && age.usec < 200000) {
6700 wpa_printf(MSG_DEBUG,
6701 "Process pending EAPOL frame that was received from " MACSTR_SEC " just before association notification",
6702 MAC2STR_SEC(sta->addr));
6703 ieee802_1x_receive(
6704 hapd, mgmt->da,
6705 wpabuf_head(sta->pending_eapol_rx->buf),
6706 wpabuf_len(sta->pending_eapol_rx->buf),
6707 sta->pending_eapol_rx->encrypted);
6708 }
6709 wpabuf_free(sta->pending_eapol_rx->buf);
6710 os_free(sta->pending_eapol_rx);
6711 sta->pending_eapol_rx = NULL;
6712 }
6713
6714 handle_ml:
6715 hostapd_ml_handle_assoc_cb(hapd, sta, ok);
6716 }
6717
6718
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6719 static void handle_deauth_cb(struct hostapd_data *hapd,
6720 const struct ieee80211_mgmt *mgmt,
6721 size_t len, int ok)
6722 {
6723 struct sta_info *sta;
6724 if (is_multicast_ether_addr(mgmt->da))
6725 return;
6726 sta = ap_get_sta(hapd, mgmt->da);
6727 if (!sta) {
6728 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR_SEC
6729 " not found", MAC2STR_SEC(mgmt->da));
6730 return;
6731 }
6732 if (ok)
6733 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged deauth",
6734 MAC2STR_SEC(sta->addr));
6735 else
6736 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6737 "deauth", MAC2STR_SEC(sta->addr));
6738
6739 ap_sta_deauth_cb(hapd, sta);
6740 }
6741
6742
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6743 static void handle_disassoc_cb(struct hostapd_data *hapd,
6744 const struct ieee80211_mgmt *mgmt,
6745 size_t len, int ok)
6746 {
6747 struct sta_info *sta;
6748 if (is_multicast_ether_addr(mgmt->da))
6749 return;
6750 sta = ap_get_sta(hapd, mgmt->da);
6751 if (!sta) {
6752 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR_SEC
6753 " not found", MAC2STR_SEC(mgmt->da));
6754 return;
6755 }
6756 if (ok)
6757 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged disassoc",
6758 MAC2STR_SEC(sta->addr));
6759 else
6760 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6761 "disassoc", MAC2STR_SEC(sta->addr));
6762
6763 ap_sta_disassoc_cb(hapd, sta);
6764 }
6765
6766
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6767 static void handle_action_cb(struct hostapd_data *hapd,
6768 const struct ieee80211_mgmt *mgmt,
6769 size_t len, int ok)
6770 {
6771 struct sta_info *sta;
6772 #ifndef CONFIG_NO_RRM
6773 const struct rrm_measurement_report_element *report;
6774 #endif /* CONFIG_NO_RRM */
6775
6776 #ifdef CONFIG_DPP
6777 if (len >= IEEE80211_HDRLEN + 6 &&
6778 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6779 mgmt->u.action.u.vs_public_action.action ==
6780 WLAN_PA_VENDOR_SPECIFIC &&
6781 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6782 OUI_WFA &&
6783 mgmt->u.action.u.vs_public_action.variable[0] ==
6784 DPP_OUI_TYPE) {
6785 const u8 *pos, *end;
6786
6787 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6788 end = ((const u8 *) mgmt) + len;
6789 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6790 return;
6791 }
6792 if (len >= IEEE80211_HDRLEN + 2 &&
6793 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6794 (mgmt->u.action.u.public_action.action ==
6795 WLAN_PA_GAS_INITIAL_REQ ||
6796 mgmt->u.action.u.public_action.action ==
6797 WLAN_PA_GAS_COMEBACK_REQ)) {
6798 const u8 *pos, *end;
6799
6800 pos = mgmt->u.action.u.public_action.variable;
6801 end = ((const u8 *) mgmt) + len;
6802 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6803 return;
6804 }
6805 #endif /* CONFIG_DPP */
6806 if (is_multicast_ether_addr(mgmt->da))
6807 return;
6808 sta = ap_get_sta(hapd, mgmt->da);
6809 if (!sta) {
6810 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR_SEC
6811 " not found", MAC2STR_SEC(mgmt->da));
6812 return;
6813 }
6814
6815 #ifdef CONFIG_HS20
6816 if (ok && len >= IEEE80211_HDRLEN + 2 &&
6817 mgmt->u.action.category == WLAN_ACTION_WNM &&
6818 mgmt->u.action.u.vs_public_action.action == WNM_NOTIFICATION_REQ &&
6819 sta->hs20_deauth_on_ack) {
6820 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthenticate STA " MACSTR_SEC
6821 " on acknowledging the WNM-Notification",
6822 MAC2STR_SEC(sta->addr));
6823 ap_sta_session_timeout(hapd, sta, 0);
6824 return;
6825 }
6826 #endif /* CONFIG_HS20 */
6827
6828 #ifndef CONFIG_NO_RRM
6829 if (len < 24 + 5 + sizeof(*report))
6830 return;
6831 report = (const struct rrm_measurement_report_element *)
6832 &mgmt->u.action.u.rrm.variable[2];
6833 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6834 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6835 report->eid == WLAN_EID_MEASURE_REQUEST &&
6836 report->len >= 3 &&
6837 report->type == MEASURE_TYPE_BEACON)
6838 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6839 #endif /* CONFIG_NO_RRM */
6840 }
6841
6842
6843 /**
6844 * ieee802_11_mgmt_cb - Process management frame TX status callback
6845 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6846 * was sent from)
6847 * @buf: management frame data (starting from IEEE 802.11 header)
6848 * @len: length of frame data in octets
6849 * @stype: management frame subtype from frame control field
6850 * @ok: Whether the frame was ACK'ed
6851 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6852 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6853 u16 stype, int ok)
6854 {
6855 const struct ieee80211_mgmt *mgmt;
6856 mgmt = (const struct ieee80211_mgmt *) buf;
6857
6858 #ifdef CONFIG_TESTING_OPTIONS
6859 if (hapd->ext_mgmt_frame_handling) {
6860 size_t hex_len = 2 * len + 1;
6861 char *hex = os_malloc(hex_len);
6862
6863 if (hex) {
6864 wpa_snprintf_hex(hex, hex_len, buf, len);
6865 wpa_msg(hapd->msg_ctx, MSG_INFO,
6866 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6867 stype, ok, hex);
6868 os_free(hex);
6869 }
6870 return;
6871 }
6872 #endif /* CONFIG_TESTING_OPTIONS */
6873
6874 switch (stype) {
6875 case WLAN_FC_STYPE_AUTH:
6876 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6877 handle_auth_cb(hapd, mgmt, len, ok);
6878 break;
6879 case WLAN_FC_STYPE_ASSOC_RESP:
6880 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6881 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6882 break;
6883 case WLAN_FC_STYPE_REASSOC_RESP:
6884 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6885 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6886 break;
6887 case WLAN_FC_STYPE_PROBE_RESP:
6888 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6889 break;
6890 case WLAN_FC_STYPE_DEAUTH:
6891 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6892 handle_deauth_cb(hapd, mgmt, len, ok);
6893 break;
6894 case WLAN_FC_STYPE_DISASSOC:
6895 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6896 handle_disassoc_cb(hapd, mgmt, len, ok);
6897 break;
6898 case WLAN_FC_STYPE_ACTION:
6899 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6900 handle_action_cb(hapd, mgmt, len, ok);
6901 break;
6902 default:
6903 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6904 break;
6905 }
6906 }
6907
6908
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6909 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6910 {
6911 /* TODO */
6912 return 0;
6913 }
6914
6915
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6916 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6917 char *buf, size_t buflen)
6918 {
6919 /* TODO */
6920 return 0;
6921 }
6922
6923
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6924 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6925 const u8 *buf, size_t len, int ack)
6926 {
6927 struct sta_info *sta;
6928 struct hostapd_iface *iface = hapd->iface;
6929
6930 sta = ap_get_sta(hapd, addr);
6931 if (sta == NULL && iface->num_bss > 1) {
6932 size_t j;
6933 for (j = 0; j < iface->num_bss; j++) {
6934 hapd = iface->bss[j];
6935 sta = ap_get_sta(hapd, addr);
6936 if (sta)
6937 break;
6938 }
6939 }
6940 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6941 return;
6942 if (sta->flags & WLAN_STA_PENDING_POLL) {
6943 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " %s pending "
6944 "activity poll", MAC2STR_SEC(sta->addr),
6945 ack ? "ACKed" : "did not ACK");
6946 if (ack)
6947 sta->flags &= ~WLAN_STA_PENDING_POLL;
6948 }
6949
6950 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6951 }
6952
6953
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6954 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6955 {
6956 struct sta_info *sta;
6957 struct hostapd_iface *iface = hapd->iface;
6958
6959 sta = ap_get_sta(hapd, addr);
6960 if (sta == NULL && iface->num_bss > 1) {
6961 size_t j;
6962 for (j = 0; j < iface->num_bss; j++) {
6963 hapd = iface->bss[j];
6964 sta = ap_get_sta(hapd, addr);
6965 if (sta)
6966 break;
6967 }
6968 }
6969 if (sta == NULL)
6970 return;
6971 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6972 MAC2STR(sta->addr));
6973 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6974 return;
6975
6976 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " ACKed pending "
6977 "activity poll", MAC2STR_SEC(sta->addr));
6978 sta->flags &= ~WLAN_STA_PENDING_POLL;
6979 }
6980
6981
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6982 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6983 int wds)
6984 {
6985 struct sta_info *sta;
6986
6987 sta = ap_get_sta(hapd, src);
6988 if (sta &&
6989 ((sta->flags & WLAN_STA_ASSOC) ||
6990 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6991 if (!hapd->conf->wds_sta)
6992 return;
6993
6994 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6995 WLAN_STA_ASSOC_REQ_OK) {
6996 wpa_printf(MSG_DEBUG,
6997 "Postpone 4-address WDS mode enabling for STA "
6998 MACSTR_SEC " since TX status for AssocResp is not yet known",
6999 MAC2STR_SEC(sta->addr));
7000 sta->pending_wds_enable = 1;
7001 return;
7002 }
7003
7004 if (wds && !(sta->flags & WLAN_STA_WDS)) {
7005 int ret;
7006 char ifname_wds[IFNAMSIZ + 1];
7007
7008 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
7009 "STA " MACSTR_SEC " (aid %u)",
7010 MAC2STR_SEC(sta->addr), sta->aid);
7011 sta->flags |= WLAN_STA_WDS;
7012 ret = hostapd_set_wds_sta(hapd, ifname_wds,
7013 sta->addr, sta->aid, 1);
7014 if (!ret)
7015 hostapd_set_wds_encryption(hapd, sta,
7016 ifname_wds);
7017 }
7018 return;
7019 }
7020
7021 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
7022 MACSTR_SEC, MAC2STR_SEC(src));
7023 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
7024 ether_addr_equal(src, hapd->own_addr)) {
7025 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
7026 * silently. */
7027 return;
7028 }
7029
7030 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
7031 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
7032 "already been sent, but no TX status yet known - "
7033 "ignore Class 3 frame issue with " MACSTR_SEC,
7034 MAC2STR_SEC(src));
7035 return;
7036 }
7037
7038 if (sta && (sta->flags & WLAN_STA_AUTH))
7039 hostapd_drv_sta_disassoc(
7040 hapd, src,
7041 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
7042 else
7043 hostapd_drv_sta_deauth(
7044 hapd, src,
7045 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
7046 }
7047
7048
hostapd_add_tpe_info(u8 * eid,u8 tx_pwr_count,enum max_tx_pwr_interpretation tx_pwr_intrpn,u8 tx_pwr_cat,u8 tx_pwr)7049 static u8 * hostapd_add_tpe_info(u8 *eid, u8 tx_pwr_count,
7050 enum max_tx_pwr_interpretation tx_pwr_intrpn,
7051 u8 tx_pwr_cat, u8 tx_pwr)
7052 {
7053 int i;
7054
7055 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE; /* Element ID */
7056 *eid++ = 2 + tx_pwr_count; /* Length */
7057
7058 /*
7059 * Transmit Power Information field
7060 * bits 0-2 : Maximum Transmit Power Count
7061 * bits 3-5 : Maximum Transmit Power Interpretation
7062 * bits 6-7 : Maximum Transmit Power Category
7063 */
7064 *eid++ = tx_pwr_count | (tx_pwr_intrpn << 3) | (tx_pwr_cat << 6);
7065
7066 /* Maximum Transmit Power field */
7067 for (i = 0; i <= tx_pwr_count; i++)
7068 *eid++ = tx_pwr;
7069
7070 return eid;
7071 }
7072
7073
7074 /*
7075 * TODO: Extract power limits from channel data after 6G regulatory
7076 * support.
7077 */
7078 #define REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT (-1) /* dBm/MHz */
7079 #define REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT 5 /* dBm/MHz */
7080
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)7081 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
7082 {
7083 struct hostapd_iface *iface = hapd->iface;
7084 struct hostapd_config *iconf = iface->conf;
7085 struct hostapd_hw_modes *mode = iface->current_mode;
7086 struct hostapd_channel_data *chan;
7087 int dfs, i;
7088 u8 channel, tx_pwr_count, local_pwr_constraint;
7089 int max_tx_power;
7090 u8 tx_pwr;
7091
7092 if (!mode)
7093 return eid;
7094
7095 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
7096 return eid;
7097
7098 for (i = 0; i < mode->num_channels; i++) {
7099 if (mode->channels[i].freq == iface->freq)
7100 break;
7101 }
7102 if (i == mode->num_channels)
7103 return eid;
7104
7105 #ifdef CONFIG_IEEE80211AX
7106 /* IEEE Std 802.11ax-2021, Annex E.2.7 (6 GHz band in the United
7107 * States): An AP that is an Indoor Access Point per regulatory rules
7108 * shall send at least two Transmit Power Envelope elements in Beacon
7109 * and Probe Response frames as follows:
7110 * - Maximum Transmit Power Category subfield = Default;
7111 * Unit interpretation = Regulatory client EIRP PSD
7112 * - Maximum Transmit Power Category subfield = Subordinate Device;
7113 * Unit interpretation = Regulatory client EIRP PSD
7114 */
7115 if (is_6ghz_op_class(iconf->op_class)) {
7116 enum max_tx_pwr_interpretation tx_pwr_intrpn;
7117
7118 /* Same Maximum Transmit Power for all 20 MHz bands */
7119 tx_pwr_count = 0;
7120 tx_pwr_intrpn = REGULATORY_CLIENT_EIRP_PSD;
7121
7122 /* Default Transmit Power Envelope for Global Operating Class */
7123 if (hapd->iconf->reg_def_cli_eirp_psd != -1)
7124 tx_pwr = hapd->iconf->reg_def_cli_eirp_psd;
7125 else
7126 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT * 2;
7127
7128 eid = hostapd_add_tpe_info(eid, tx_pwr_count, tx_pwr_intrpn,
7129 REG_DEFAULT_CLIENT, tx_pwr);
7130
7131 /* Indoor Access Point must include an additional TPE for
7132 * subordinate devices */
7133 if (he_reg_is_indoor(iconf->he_6ghz_reg_pwr_type)) {
7134 /* TODO: Extract PSD limits from channel data */
7135 if (hapd->iconf->reg_sub_cli_eirp_psd != -1)
7136 tx_pwr = hapd->iconf->reg_sub_cli_eirp_psd;
7137 else
7138 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT * 2;
7139 eid = hostapd_add_tpe_info(eid, tx_pwr_count,
7140 tx_pwr_intrpn,
7141 REG_SUBORDINATE_CLIENT,
7142 tx_pwr);
7143 }
7144
7145 if (iconf->reg_def_cli_eirp != -1 &&
7146 he_reg_is_sp(iconf->he_6ghz_reg_pwr_type))
7147 eid = hostapd_add_tpe_info(
7148 eid, tx_pwr_count, REGULATORY_CLIENT_EIRP,
7149 REG_DEFAULT_CLIENT,
7150 hapd->iconf->reg_def_cli_eirp);
7151
7152 return eid;
7153 }
7154 #endif /* CONFIG_IEEE80211AX */
7155
7156 switch (hostapd_get_oper_chwidth(iconf)) {
7157 case CONF_OPER_CHWIDTH_USE_HT:
7158 if (iconf->secondary_channel == 0) {
7159 /* Max Transmit Power count = 0 (20 MHz) */
7160 tx_pwr_count = 0;
7161 } else {
7162 /* Max Transmit Power count = 1 (20, 40 MHz) */
7163 tx_pwr_count = 1;
7164 }
7165 break;
7166 case CONF_OPER_CHWIDTH_80MHZ:
7167 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
7168 tx_pwr_count = 2;
7169 break;
7170 case CONF_OPER_CHWIDTH_80P80MHZ:
7171 case CONF_OPER_CHWIDTH_160MHZ:
7172 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
7173 tx_pwr_count = 3;
7174 break;
7175 default:
7176 return eid;
7177 }
7178
7179 /*
7180 * Below local_pwr_constraint logic is referred from
7181 * hostapd_eid_pwr_constraint.
7182 *
7183 * Check if DFS is required by regulatory.
7184 */
7185 dfs = hostapd_is_dfs_required(hapd->iface);
7186 if (dfs < 0)
7187 dfs = 0;
7188
7189 /*
7190 * In order to meet regulations when TPC is not implemented using
7191 * a transmit power that is below the legal maximum (including any
7192 * mitigation factor) should help. In this case, indicate 3 dB below
7193 * maximum allowed transmit power.
7194 */
7195 if (hapd->iconf->local_pwr_constraint == -1)
7196 local_pwr_constraint = (dfs == 0) ? 0 : 3;
7197 else
7198 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
7199
7200 /*
7201 * A STA that is not an AP shall use a transmit power less than or
7202 * equal to the local maximum transmit power level for the channel.
7203 * The local maximum transmit power can be calculated from the formula:
7204 * local max TX pwr = max TX pwr - local pwr constraint
7205 * Where max TX pwr is maximum transmit power level specified for
7206 * channel in Country element and local pwr constraint is specified
7207 * for channel in this Power Constraint element.
7208 */
7209 chan = &mode->channels[i];
7210 max_tx_power = chan->max_tx_power - local_pwr_constraint;
7211
7212 /*
7213 * Local Maximum Transmit power is encoded as two's complement
7214 * with a 0.5 dB step.
7215 */
7216 max_tx_power *= 2; /* in 0.5 dB steps */
7217 if (max_tx_power > 127) {
7218 /* 63.5 has special meaning of 63.5 dBm or higher */
7219 max_tx_power = 127;
7220 }
7221 if (max_tx_power < -128)
7222 max_tx_power = -128;
7223 if (max_tx_power < 0)
7224 tx_pwr = 0x80 + max_tx_power + 128;
7225 else
7226 tx_pwr = max_tx_power;
7227
7228 return hostapd_add_tpe_info(eid, tx_pwr_count, LOCAL_EIRP,
7229 0 /* Reserved for bands other than 6 GHz */,
7230 tx_pwr);
7231 }
7232
7233
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)7234 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7235 {
7236 u8 bw, chan1 = 0, chan2 = 0;
7237 int freq1;
7238
7239 if (!hapd->cs_freq_params.channel ||
7240 (!hapd->cs_freq_params.vht_enabled &&
7241 !hapd->cs_freq_params.he_enabled &&
7242 !hapd->cs_freq_params.eht_enabled))
7243 return eid;
7244
7245 /* bandwidth: 0: 40, 1: 80, 160, 80+80, 4: 320 as per
7246 * IEEE P802.11-REVme/D4.0, 9.4.2.159 and Table 9-314. */
7247 switch (hapd->cs_freq_params.bandwidth) {
7248 case 40:
7249 bw = 0;
7250 break;
7251 case 80:
7252 bw = 1;
7253 break;
7254 case 160:
7255 bw = 1;
7256 break;
7257 case 320:
7258 bw = 4;
7259 break;
7260 default:
7261 /* not valid VHT bandwidth or not in CSA */
7262 return eid;
7263 }
7264
7265 freq1 = hapd->cs_freq_params.center_freq1 ?
7266 hapd->cs_freq_params.center_freq1 :
7267 hapd->cs_freq_params.freq;
7268 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7269 HOSTAPD_MODE_IEEE80211A)
7270 return eid;
7271
7272 if (hapd->cs_freq_params.center_freq2 &&
7273 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7274 &chan2) != HOSTAPD_MODE_IEEE80211A)
7275 return eid;
7276
7277 *eid++ = WLAN_EID_CHANNEL_SWITCH_WRAPPER;
7278 *eid++ = 5; /* Length of Channel Switch Wrapper */
7279 *eid++ = WLAN_EID_WIDE_BW_CHSWITCH;
7280 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7281 *eid++ = bw; /* New Channel Width */
7282 if (hapd->cs_freq_params.bandwidth == 160) {
7283 /* Update the CCFS0 and CCFS1 values in the element based on
7284 * IEEE P802.11-REVme/D4.0, Table 9-314 */
7285
7286 /* CCFS1 - The channel center frequency index of the 160 MHz
7287 * channel. */
7288 chan2 = chan1;
7289
7290 /* CCFS0 - The channel center frequency index of the 80 MHz
7291 * channel segment that contains the primary channel. */
7292 if (hapd->cs_freq_params.channel < chan1)
7293 chan1 -= 8;
7294 else
7295 chan1 += 8;
7296 }
7297 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7298 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7299
7300 return eid;
7301 }
7302
7303
hostapd_eid_nr_db_len(struct hostapd_data * hapd,size_t * current_len)7304 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7305 size_t *current_len)
7306 {
7307 struct hostapd_neighbor_entry *nr;
7308 size_t total_len = 0, len = *current_len;
7309
7310 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7311 list) {
7312 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7313 continue;
7314
7315 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7316 continue;
7317
7318 /* Start a new element */
7319 if (!len ||
7320 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7321 len = RNR_HEADER_LEN;
7322 total_len += RNR_HEADER_LEN;
7323 }
7324
7325 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7326 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7327 }
7328
7329 *current_len = len;
7330 return total_len;
7331 }
7332
7333
7334 struct mbssid_ie_profiles {
7335 u8 start;
7336 u8 end;
7337 };
7338
hostapd_skip_rnr(size_t i,struct mbssid_ie_profiles * skip_profiles,bool ap_mld,u8 tbtt_info_len,bool mld_update,struct hostapd_data * reporting_hapd,struct hostapd_data * bss)7339 static bool hostapd_skip_rnr(size_t i, struct mbssid_ie_profiles *skip_profiles,
7340 bool ap_mld, u8 tbtt_info_len, bool mld_update,
7341 struct hostapd_data *reporting_hapd,
7342 struct hostapd_data *bss)
7343 {
7344 if (skip_profiles &&
7345 i >= skip_profiles->start && i < skip_profiles->end)
7346 return true;
7347
7348 /* No need to report if length is for normal TBTT and the BSS is
7349 * affiliated with an AP MLD. MLD TBTT will include this. */
7350 if (tbtt_info_len == RNR_TBTT_INFO_LEN && ap_mld)
7351 return true;
7352
7353 /* No need to report if length is for MLD TBTT and the BSS is not
7354 * affiliated with an aP MLD. Normal TBTT will include this. */
7355 if (tbtt_info_len == RNR_TBTT_INFO_MLD_LEN && !ap_mld)
7356 return true;
7357
7358 #ifdef CONFIG_IEEE80211BE
7359 /* If building for co-location and they are ML partners, no need to
7360 * include since the ML RNR will carry this. */
7361 if (!mld_update && hostapd_is_ml_partner(reporting_hapd, bss))
7362 return true;
7363
7364 /* If building for ML RNR and they are not ML partners, don't include.
7365 */
7366 if (mld_update && !hostapd_is_ml_partner(reporting_hapd, bss))
7367 return true;
7368 #endif /* CONFIG_IEEE80211BE */
7369
7370 return false;
7371 }
7372
7373
7374 static size_t
hostapd_eid_rnr_iface_len(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,size_t * current_len,struct mbssid_ie_profiles * skip_profiles,bool mld_update)7375 hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7376 struct hostapd_data *reporting_hapd,
7377 size_t *current_len,
7378 struct mbssid_ie_profiles *skip_profiles,
7379 bool mld_update)
7380 {
7381 size_t total_len = 0, len = *current_len;
7382 int tbtt_count, total_tbtt_count = 0;
7383 size_t i, start;
7384 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN :
7385 RNR_TBTT_INFO_LEN;
7386
7387 repeat_rnr_len:
7388 start = 0;
7389 tbtt_count = 0;
7390
7391 while (start < hapd->iface->num_bss) {
7392 if (!len ||
7393 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 ||
7394 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
7395 len = RNR_HEADER_LEN;
7396 total_len += RNR_HEADER_LEN;
7397 tbtt_count = 0;
7398 }
7399
7400 len += RNR_TBTT_HEADER_LEN;
7401 total_len += RNR_TBTT_HEADER_LEN;
7402
7403 for (i = start; i < hapd->iface->num_bss; i++) {
7404 struct hostapd_data *bss = hapd->iface->bss[i];
7405 bool ap_mld = false;
7406
7407 if (!bss || !bss->conf || !bss->started)
7408 continue;
7409
7410 #ifdef CONFIG_IEEE80211BE
7411 ap_mld = bss->conf->mld_ap;
7412 #endif /* CONFIG_IEEE80211BE */
7413
7414 if (bss == reporting_hapd ||
7415 bss->conf->ignore_broadcast_ssid)
7416 continue;
7417
7418 if (hostapd_skip_rnr(i, skip_profiles, ap_mld,
7419 tbtt_info_len, mld_update,
7420 reporting_hapd, bss))
7421 continue;
7422
7423 if (len + tbtt_info_len > 255 ||
7424 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7425 break;
7426
7427 len += tbtt_info_len;
7428 total_len += tbtt_info_len;
7429 tbtt_count++;
7430 }
7431 start = i;
7432 }
7433
7434 total_tbtt_count += tbtt_count;
7435
7436 /* If building for co-location, re-build again but this time include
7437 * ML TBTTs.
7438 */
7439 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) {
7440 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN;
7441
7442 /* If no TBTT was found, adjust the len and total_len since it
7443 * would have incremented before we checked all BSSs. */
7444 if (!tbtt_count) {
7445 len -= RNR_TBTT_HEADER_LEN;
7446 total_len -= RNR_TBTT_HEADER_LEN;
7447 }
7448
7449 goto repeat_rnr_len;
7450 }
7451
7452 /* This is possible when in the re-built case and no suitable TBTT was
7453 * found. Adjust the length accordingly. */
7454 if (!tbtt_count && total_tbtt_count) {
7455 len -= RNR_TBTT_HEADER_LEN;
7456 total_len -= RNR_TBTT_HEADER_LEN;
7457 }
7458
7459 if (!total_tbtt_count)
7460 total_len = 0;
7461 else
7462 *current_len = len;
7463
7464 return total_len;
7465 }
7466
7467
7468 enum colocation_mode {
7469 NO_COLOCATED_6GHZ,
7470 STANDALONE_6GHZ,
7471 COLOCATED_6GHZ,
7472 COLOCATED_LOWER_BAND,
7473 };
7474
get_colocation_mode(struct hostapd_data * hapd)7475 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7476 {
7477 u8 i;
7478 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7479
7480 if (!hapd->iface || !hapd->iface->interfaces)
7481 return NO_COLOCATED_6GHZ;
7482
7483 if (is_6ghz && hapd->iface->interfaces->count == 1)
7484 return STANDALONE_6GHZ;
7485
7486 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7487 struct hostapd_iface *iface;
7488 bool is_colocated_6ghz;
7489
7490 iface = hapd->iface->interfaces->iface[i];
7491 if (iface == hapd->iface || !iface || !iface->conf)
7492 continue;
7493
7494 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7495 if (!is_6ghz && is_colocated_6ghz)
7496 return COLOCATED_LOWER_BAND;
7497 if (is_6ghz && !is_colocated_6ghz)
7498 return COLOCATED_6GHZ;
7499 }
7500
7501 if (is_6ghz)
7502 return STANDALONE_6GHZ;
7503
7504 return NO_COLOCATED_6GHZ;
7505 }
7506
7507
hostapd_eid_rnr_colocation_len(struct hostapd_data * hapd,size_t * current_len)7508 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7509 size_t *current_len)
7510 {
7511 struct hostapd_iface *iface;
7512 size_t len = 0;
7513 size_t i;
7514
7515 if (!hapd->iface || !hapd->iface->interfaces)
7516 return 0;
7517
7518 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7519 iface = hapd->iface->interfaces->iface[i];
7520
7521 if (!iface || iface == hapd->iface ||
7522 iface->state != HAPD_IFACE_ENABLED ||
7523 !is_6ghz_op_class(iface->conf->op_class))
7524 continue;
7525
7526 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7527 current_len, NULL, false);
7528 }
7529
7530 return len;
7531 }
7532
7533
hostapd_eid_rnr_mlo_len(struct hostapd_data * hapd,u32 type,size_t * current_len)7534 static size_t hostapd_eid_rnr_mlo_len(struct hostapd_data *hapd, u32 type,
7535 size_t *current_len)
7536 {
7537 size_t len = 0;
7538 #ifdef CONFIG_IEEE80211BE
7539 struct hostapd_iface *iface;
7540 size_t i;
7541
7542 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap)
7543 return 0;
7544
7545 /* TODO: Allow for FILS/Action as well */
7546 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP)
7547 return 0;
7548
7549 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7550 iface = hapd->iface->interfaces->iface[i];
7551
7552 if (!iface || iface == hapd->iface ||
7553 hapd->iface->freq == iface->freq)
7554 continue;
7555
7556 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7557 current_len, NULL, true);
7558 }
7559 #endif /* CONFIG_IEEE80211BE */
7560
7561 return len;
7562 }
7563
7564
hostapd_eid_rnr_len(struct hostapd_data * hapd,u32 type,bool include_mld_params)7565 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type,
7566 bool include_mld_params)
7567 {
7568 size_t total_len = 0, current_len = 0;
7569 enum colocation_mode mode = get_colocation_mode(hapd);
7570
7571 switch (type) {
7572 case WLAN_FC_STYPE_BEACON:
7573 if (hapd->conf->rnr)
7574 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7575 /* fallthrough */
7576 case WLAN_FC_STYPE_PROBE_RESP:
7577 if (mode == COLOCATED_LOWER_BAND)
7578 total_len +=
7579 hostapd_eid_rnr_colocation_len(hapd,
7580 ¤t_len);
7581
7582 if (hapd->conf->rnr && hapd->iface->num_bss > 1 &&
7583 !hapd->iconf->mbssid)
7584 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7585 ¤t_len,
7586 NULL, false);
7587 break;
7588 case WLAN_FC_STYPE_ACTION:
7589 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7590 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7591 ¤t_len,
7592 NULL, false);
7593 break;
7594 }
7595
7596 /* For EMA Beacons, MLD neighbor repoting is added as part of
7597 * MBSSID RNR. */
7598 if (include_mld_params &&
7599 (type != WLAN_FC_STYPE_BEACON ||
7600 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED))
7601 total_len += hostapd_eid_rnr_mlo_len(hapd, type, ¤t_len);
7602
7603 return total_len;
7604 }
7605
7606
hostapd_eid_nr_db(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7607 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7608 size_t *current_len)
7609 {
7610 struct hostapd_neighbor_entry *nr;
7611 size_t len = *current_len;
7612 u8 *size_offset = (eid - len) + 1;
7613
7614 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7615 list) {
7616 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7617 continue;
7618
7619 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7620 continue;
7621
7622 /* Start a new element */
7623 if (!len ||
7624 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7625 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7626 size_offset = eid++;
7627 len = RNR_HEADER_LEN;
7628 }
7629
7630 /* TBTT Information Header subfield (2 octets) */
7631 *eid++ = 0;
7632 /* TBTT Information Length */
7633 *eid++ = RNR_TBTT_INFO_LEN;
7634 /* Operating Class */
7635 *eid++ = wpabuf_head_u8(nr->nr)[10];
7636 /* Channel Number */
7637 *eid++ = wpabuf_head_u8(nr->nr)[11];
7638 len += RNR_TBTT_HEADER_LEN;
7639 /* TBTT Information Set */
7640 /* TBTT Information field */
7641 /* Neighbor AP TBTT Offset */
7642 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7643 /* BSSID */
7644 os_memcpy(eid, nr->bssid, ETH_ALEN);
7645 eid += ETH_ALEN;
7646 /* Short SSID */
7647 os_memcpy(eid, &nr->short_ssid, 4);
7648 eid += 4;
7649 /* BSS parameters */
7650 *eid++ = nr->bss_parameters;
7651 /* 20 MHz PSD */
7652 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER;
7653 len += RNR_TBTT_INFO_LEN;
7654 *size_offset = (eid - size_offset) - 1;
7655 }
7656
7657 *current_len = len;
7658 return eid;
7659 }
7660
7661
hostapd_eid_rnr_bss(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,struct mbssid_ie_profiles * skip_profiles,size_t i,u8 * tbtt_count,size_t * len,u8 ** pos,u8 ** tbtt_count_pos,u8 tbtt_info_len,u8 op_class,bool mld_update)7662 static bool hostapd_eid_rnr_bss(struct hostapd_data *hapd,
7663 struct hostapd_data *reporting_hapd,
7664 struct mbssid_ie_profiles *skip_profiles,
7665 size_t i, u8 *tbtt_count, size_t *len,
7666 u8 **pos, u8 **tbtt_count_pos, u8 tbtt_info_len,
7667 u8 op_class, bool mld_update)
7668 {
7669 struct hostapd_iface *iface = hapd->iface;
7670 struct hostapd_data *bss = iface->bss[i];
7671 u8 bss_param = 0;
7672 bool ap_mld = false;
7673 u8 *eid = *pos;
7674
7675 #ifdef CONFIG_IEEE80211BE
7676 ap_mld = !!hapd->conf->mld_ap;
7677 #endif /* CONFIG_IEEE80211BE */
7678
7679 if (!bss || !bss->conf || !bss->started ||
7680 bss == reporting_hapd || bss->conf->ignore_broadcast_ssid)
7681 return false;
7682
7683 if (hostapd_skip_rnr(i, skip_profiles, ap_mld, tbtt_info_len,
7684 mld_update, reporting_hapd, bss))
7685 return false;
7686
7687 if (*len + RNR_TBTT_INFO_LEN > 255 ||
7688 *tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7689 return true;
7690
7691 if (!(*tbtt_count)) {
7692 /* Add neighbor report header info only if there is at least
7693 * one TBTT info available. */
7694 *tbtt_count_pos = eid++;
7695 *eid++ = tbtt_info_len;
7696 *eid++ = op_class;
7697 *eid++ = bss->iconf->channel;
7698 *len += RNR_TBTT_HEADER_LEN;
7699 }
7700
7701 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7702 os_memcpy(eid, bss->own_addr, ETH_ALEN);
7703 eid += ETH_ALEN;
7704 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7705 eid += 4;
7706 if (bss->conf->ssid.short_ssid == reporting_hapd->conf->ssid.short_ssid)
7707 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7708
7709 if (iface->conf->mbssid != MBSSID_DISABLED && iface->num_bss > 1) {
7710 bss_param |= RNR_BSS_PARAM_MULTIPLE_BSSID;
7711 if (bss == hostapd_mbssid_get_tx_bss(hapd))
7712 bss_param |= RNR_BSS_PARAM_TRANSMITTED_BSSID;
7713 }
7714
7715 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7716 bss->conf->unsol_bcast_probe_resp_interval)
7717 bss_param |= RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7718
7719 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7720
7721 *eid++ = bss_param;
7722 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER;
7723
7724 #ifdef CONFIG_IEEE80211BE
7725 if (ap_mld) {
7726 u8 param_ch = bss->eht_mld_bss_param_change;
7727 bool is_partner;
7728
7729 /* If BSS is not a partner of the reporting_hapd
7730 * a) MLD ID advertised shall be 255.
7731 * b) Link ID advertised shall be 15.
7732 * c) BPCC advertised shall be 255 */
7733 is_partner = hostapd_is_ml_partner(bss, reporting_hapd);
7734 /* MLD ID */
7735 *eid++ = is_partner ? hostapd_get_mld_id(bss) : 0xFF;
7736 /* Link ID (Bit 3 to Bit 0)
7737 * BPCC (Bit 4 to Bit 7) */
7738 *eid++ = is_partner ?
7739 bss->mld_link_id | ((param_ch & 0xF) << 4) :
7740 (MAX_NUM_MLD_LINKS | 0xF0);
7741 /* BPCC (Bit 3 to Bit 0) */
7742 *eid = is_partner ? ((param_ch & 0xF0) >> 4) : 0x0F;
7743 #ifdef CONFIG_TESTING_OPTIONS
7744 if (bss->conf->mld_indicate_disabled)
7745 *eid |= RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED;
7746 #endif /* CONFIG_TESTING_OPTIONS */
7747 eid++;
7748 }
7749 #endif /* CONFIG_IEEE80211BE */
7750
7751 *len += tbtt_info_len;
7752 (*tbtt_count)++;
7753 *pos = eid;
7754
7755 return false;
7756 }
7757
7758
hostapd_eid_rnr_iface(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,u8 * eid,size_t * current_len,struct mbssid_ie_profiles * skip_profiles,bool mld_update)7759 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7760 struct hostapd_data *reporting_hapd,
7761 u8 *eid, size_t *current_len,
7762 struct mbssid_ie_profiles *skip_profiles,
7763 bool mld_update)
7764 {
7765 struct hostapd_iface *iface = hapd->iface;
7766 size_t i, start;
7767 size_t len = *current_len;
7768 u8 *eid_start = eid, *size_offset = (eid - len) + 1;
7769 u8 *tbtt_count_pos = size_offset + 1;
7770 u8 tbtt_count, total_tbtt_count = 0, op_class, channel;
7771 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN :
7772 RNR_TBTT_INFO_LEN;
7773
7774 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7775 return eid;
7776
7777 if (ieee80211_freq_to_channel_ext(iface->freq,
7778 hapd->iconf->secondary_channel,
7779 hostapd_get_oper_chwidth(hapd->iconf),
7780 &op_class, &channel) ==
7781 NUM_HOSTAPD_MODES)
7782 return eid;
7783
7784 repeat_rnr:
7785 start = 0;
7786 tbtt_count = 0;
7787 while (start < iface->num_bss) {
7788 if (!len ||
7789 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 ||
7790 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
7791 eid_start = eid;
7792 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7793 size_offset = eid++;
7794 len = RNR_HEADER_LEN;
7795 tbtt_count = 0;
7796 }
7797
7798 for (i = start; i < iface->num_bss; i++) {
7799 if (hostapd_eid_rnr_bss(hapd, reporting_hapd,
7800 skip_profiles, i,
7801 &tbtt_count, &len, &eid,
7802 &tbtt_count_pos, tbtt_info_len,
7803 op_class, mld_update))
7804 break;
7805 }
7806
7807 start = i;
7808
7809 if (tbtt_count) {
7810 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7811 *size_offset = (eid - size_offset) - 1;
7812 }
7813 }
7814
7815 total_tbtt_count += tbtt_count;
7816
7817 /* If building for co-location, re-build again but this time include
7818 * ML TBTTs.
7819 */
7820 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) {
7821 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN;
7822 goto repeat_rnr;
7823 }
7824
7825 if (!total_tbtt_count)
7826 return eid_start;
7827
7828 *current_len = len;
7829 return eid;
7830 }
7831
7832
hostapd_eid_rnr_colocation(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7833 u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7834 size_t *current_len)
7835 {
7836 struct hostapd_iface *iface;
7837 size_t i;
7838
7839 if (!hapd->iface || !hapd->iface->interfaces)
7840 return eid;
7841
7842 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7843 iface = hapd->iface->interfaces->iface[i];
7844
7845 if (!iface || iface == hapd->iface ||
7846 iface->state != HAPD_IFACE_ENABLED ||
7847 !is_6ghz_op_class(iface->conf->op_class))
7848 continue;
7849
7850 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7851 current_len, NULL, false);
7852 }
7853
7854 return eid;
7855 }
7856
7857
hostapd_eid_rnr_mlo(struct hostapd_data * hapd,u32 type,u8 * eid,size_t * current_len)7858 u8 * hostapd_eid_rnr_mlo(struct hostapd_data *hapd, u32 type,
7859 u8 *eid, size_t *current_len)
7860 {
7861 #ifdef CONFIG_IEEE80211BE
7862 struct hostapd_iface *iface;
7863 size_t i;
7864
7865 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap)
7866 return eid;
7867
7868 /* TODO: Allow for FILS/Action as well */
7869 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP)
7870 return eid;
7871
7872 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7873 iface = hapd->iface->interfaces->iface[i];
7874
7875 if (!iface || iface == hapd->iface ||
7876 hapd->iface->freq == iface->freq)
7877 continue;
7878
7879 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7880 current_len, NULL, true);
7881 }
7882 #endif /* CONFIG_IEEE80211BE */
7883
7884 return eid;
7885 }
7886
7887
hostapd_eid_rnr(struct hostapd_data * hapd,u8 * eid,u32 type,bool include_mld_params)7888 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type,
7889 bool include_mld_params)
7890 {
7891 u8 *eid_start = eid;
7892 size_t current_len = 0;
7893 enum colocation_mode mode = get_colocation_mode(hapd);
7894
7895 switch (type) {
7896 case WLAN_FC_STYPE_BEACON:
7897 if (hapd->conf->rnr)
7898 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
7899 /* fallthrough */
7900 case WLAN_FC_STYPE_PROBE_RESP:
7901 if (mode == COLOCATED_LOWER_BAND)
7902 eid = hostapd_eid_rnr_colocation(hapd, eid,
7903 ¤t_len);
7904
7905 if (hapd->conf->rnr && hapd->iface->num_bss > 1 &&
7906 !hapd->iconf->mbssid)
7907 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7908 ¤t_len, NULL, false);
7909 break;
7910 case WLAN_FC_STYPE_ACTION:
7911 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7912 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7913 ¤t_len, NULL, false);
7914 break;
7915 default:
7916 return eid_start;
7917 }
7918
7919 /* For EMA Beacons, MLD neighbor repoting is added as part of
7920 * MBSSID RNR. */
7921 if (include_mld_params &&
7922 (type != WLAN_FC_STYPE_BEACON ||
7923 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED))
7924 eid = hostapd_eid_rnr_mlo(hapd, type, eid, ¤t_len);
7925
7926 if (eid == eid_start + 2)
7927 return eid_start;
7928
7929 return eid;
7930 }
7931
7932
mbssid_known_bss(unsigned int i,const u8 * known_bss,size_t known_bss_len)7933 static bool mbssid_known_bss(unsigned int i, const u8 *known_bss,
7934 size_t known_bss_len)
7935 {
7936 if (!known_bss || known_bss_len <= i / 8)
7937 return false;
7938 known_bss = &known_bss[i / 8];
7939 return *known_bss & (u8) (BIT(i % 8));
7940 }
7941
7942
hostapd_mbssid_ext_capa(struct hostapd_data * bss,struct hostapd_data * tx_bss,u8 * buf)7943 static size_t hostapd_mbssid_ext_capa(struct hostapd_data *bss,
7944 struct hostapd_data *tx_bss, u8 *buf)
7945 {
7946 u8 ext_capa_tx[20], *ext_capa_tx_end, ext_capa[20], *ext_capa_end;
7947 size_t ext_capa_len, ext_capa_tx_len;
7948
7949 ext_capa_tx_end = hostapd_eid_ext_capab(tx_bss, ext_capa_tx,
7950 true);
7951 ext_capa_tx_len = ext_capa_tx_end - ext_capa_tx;
7952 ext_capa_end = hostapd_eid_ext_capab(bss, ext_capa, true);
7953 ext_capa_len = ext_capa_end - ext_capa;
7954 if (ext_capa_tx_len != ext_capa_len ||
7955 os_memcmp(ext_capa_tx, ext_capa, ext_capa_len) != 0) {
7956 os_memcpy(buf, ext_capa, ext_capa_len);
7957 return ext_capa_len;
7958 }
7959
7960 return 0;
7961 }
7962
7963
hostapd_eid_mbssid_elem_len(struct hostapd_data * hapd,u32 frame_type,size_t * bss_index,const u8 * known_bss,size_t known_bss_len)7964 static size_t hostapd_eid_mbssid_elem_len(struct hostapd_data *hapd,
7965 u32 frame_type, size_t *bss_index,
7966 const u8 *known_bss,
7967 size_t known_bss_len)
7968 {
7969 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd);
7970 size_t len, i;
7971 u8 ext_capa[20];
7972
7973 /* Element ID: 1 octet
7974 * Length: 1 octet
7975 * MaxBSSID Indicator: 1 octet
7976 * Optional Subelements: vatiable
7977 *
7978 * Total fixed length: 3 octets
7979 *
7980 * 1 octet in len for the MaxBSSID Indicator field.
7981 */
7982 len = 1;
7983
7984 for (i = *bss_index; i < hapd->iface->num_bss; i++) {
7985 struct hostapd_data *bss = hapd->iface->bss[i];
7986 const u8 *auth, *rsn = NULL, *rsnx = NULL;
7987 size_t nontx_profile_len, auth_len;
7988 u8 ie_count = 0;
7989
7990 if (!bss || !bss->conf || !bss->started ||
7991 mbssid_known_bss(i, known_bss, known_bss_len))
7992 continue;
7993
7994 /*
7995 * Sublement ID: 1 octet
7996 * Length: 1 octet
7997 * Nontransmitted capabilities: 4 octets
7998 * SSID element: 2 + variable
7999 * Multiple BSSID Index Element: 3 octets (+2 octets in beacons)
8000 * Fixed length = 1 + 1 + 4 + 2 + 3 = 11
8001 */
8002 nontx_profile_len = 11 + bss->conf->ssid.ssid_len;
8003
8004 if (frame_type == WLAN_FC_STYPE_BEACON)
8005 nontx_profile_len += 2;
8006
8007 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len);
8008 if (auth) {
8009 rsn = get_ie(auth, auth_len, WLAN_EID_RSN);
8010 if (rsn)
8011 nontx_profile_len += 2 + rsn[1];
8012
8013 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX);
8014 if (rsnx)
8015 nontx_profile_len += 2 + rsnx[1];
8016 }
8017
8018 nontx_profile_len += hostapd_mbssid_ext_capa(bss, tx_bss,
8019 ext_capa);
8020
8021 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN))
8022 ie_count++;
8023 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX))
8024 ie_count++;
8025 if (bss->conf->xrates_supported)
8026 nontx_profile_len += 8;
8027 else if (hapd->conf->xrates_supported)
8028 ie_count++;
8029 if (ie_count)
8030 nontx_profile_len += 4 + ie_count;
8031
8032 if (len + nontx_profile_len > 255)
8033 break;
8034
8035 len += nontx_profile_len;
8036 }
8037
8038 *bss_index = i;
8039
8040 /* Add 2 octets to get the full size of the element */
8041 return len + 2;
8042 }
8043
8044
hostapd_eid_mbssid_len(struct hostapd_data * hapd,u32 frame_type,u8 * elem_count,const u8 * known_bss,size_t known_bss_len,size_t * rnr_len)8045 size_t hostapd_eid_mbssid_len(struct hostapd_data *hapd, u32 frame_type,
8046 u8 *elem_count, const u8 *known_bss,
8047 size_t known_bss_len, size_t *rnr_len)
8048 {
8049 size_t len = 0, bss_index = 1;
8050 bool ap_mld = false;
8051
8052 #ifdef CONFIG_IEEE80211BE
8053 ap_mld = hapd->conf->mld_ap;
8054 #endif /* CONFIG_IEEE80211BE */
8055
8056 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 ||
8057 (frame_type != WLAN_FC_STYPE_BEACON &&
8058 frame_type != WLAN_FC_STYPE_PROBE_RESP))
8059 return 0;
8060
8061 if (frame_type == WLAN_FC_STYPE_BEACON) {
8062 if (!elem_count) {
8063 wpa_printf(MSG_INFO,
8064 "MBSSID: Insufficient data for Beacon frames");
8065 return 0;
8066 }
8067 *elem_count = 0;
8068 }
8069
8070 while (bss_index < hapd->iface->num_bss) {
8071 size_t rnr_count = bss_index;
8072
8073 len += hostapd_eid_mbssid_elem_len(hapd, frame_type,
8074 &bss_index, known_bss,
8075 known_bss_len);
8076
8077 if (frame_type == WLAN_FC_STYPE_BEACON)
8078 *elem_count += 1;
8079 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len) {
8080 size_t rnr_cur_len = 0;
8081 struct mbssid_ie_profiles skip_profiles = {
8082 rnr_count, bss_index
8083 };
8084
8085 *rnr_len += hostapd_eid_rnr_iface_len(
8086 hapd, hostapd_mbssid_get_tx_bss(hapd),
8087 &rnr_cur_len, &skip_profiles, ap_mld);
8088 }
8089 }
8090
8091 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len)
8092 *rnr_len += hostapd_eid_rnr_len(hapd, frame_type, false);
8093
8094 return len;
8095 }
8096
8097
hostapd_eid_mbssid_elem(struct hostapd_data * hapd,u8 * eid,u8 * end,u32 frame_type,u8 max_bssid_indicator,size_t * bss_index,u8 elem_count,const u8 * known_bss,size_t known_bss_len)8098 static u8 * hostapd_eid_mbssid_elem(struct hostapd_data *hapd, u8 *eid, u8 *end,
8099 u32 frame_type, u8 max_bssid_indicator,
8100 size_t *bss_index, u8 elem_count,
8101 const u8 *known_bss, size_t known_bss_len)
8102 {
8103 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd);
8104 size_t i;
8105 u8 *eid_len_offset, *max_bssid_indicator_offset;
8106
8107 *eid++ = WLAN_EID_MULTIPLE_BSSID;
8108 eid_len_offset = eid++;
8109 max_bssid_indicator_offset = eid++;
8110
8111 for (i = *bss_index; i < hapd->iface->num_bss; i++) {
8112 struct hostapd_data *bss = hapd->iface->bss[i];
8113 struct hostapd_bss_config *conf;
8114 u8 *eid_len_pos, *nontx_bss_start = eid;
8115 const u8 *auth, *rsn = NULL, *rsnx = NULL;
8116 u8 ie_count = 0, non_inherit_ie[3];
8117 size_t auth_len = 0;
8118 u16 capab_info;
8119
8120 if (!bss || !bss->conf || !bss->started ||
8121 mbssid_known_bss(i, known_bss, known_bss_len))
8122 continue;
8123 conf = bss->conf;
8124
8125 *eid++ = WLAN_MBSSID_SUBELEMENT_NONTRANSMITTED_BSSID_PROFILE;
8126 eid_len_pos = eid++;
8127
8128 capab_info = hostapd_own_capab_info(bss);
8129 *eid++ = WLAN_EID_NONTRANSMITTED_BSSID_CAPA;
8130 *eid++ = sizeof(capab_info);
8131 WPA_PUT_LE16(eid, capab_info);
8132 eid += sizeof(capab_info);
8133
8134 *eid++ = WLAN_EID_SSID;
8135 *eid++ = conf->ssid.ssid_len;
8136 os_memcpy(eid, conf->ssid.ssid, conf->ssid.ssid_len);
8137 eid += conf->ssid.ssid_len;
8138
8139 *eid++ = WLAN_EID_MULTIPLE_BSSID_INDEX;
8140 if (frame_type == WLAN_FC_STYPE_BEACON) {
8141 *eid++ = 3;
8142 *eid++ = i; /* BSSID Index */
8143 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED &&
8144 (conf->dtim_period % elem_count))
8145 conf->dtim_period = elem_count;
8146 *eid++ = conf->dtim_period;
8147 /* The driver is expected to update the DTIM Count
8148 * field for each BSS that corresponds to a
8149 * nontransmitted BSSID. The value is initialized to
8150 * 0 here so that the DTIM count would be somewhat
8151 * functional even if the driver were not to update
8152 * this. */
8153 *eid++ = 0; /* DTIM Count */
8154 } else {
8155 /* Probe Request frame does not include DTIM Period and
8156 * DTIM Count fields. */
8157 *eid++ = 1;
8158 *eid++ = i; /* BSSID Index */
8159 }
8160
8161 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len);
8162 if (auth) {
8163 rsn = get_ie(auth, auth_len, WLAN_EID_RSN);
8164 if (rsn) {
8165 os_memcpy(eid, rsn, 2 + rsn[1]);
8166 eid += 2 + rsn[1];
8167 }
8168
8169 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX);
8170 if (rsnx) {
8171 os_memcpy(eid, rsnx, 2 + rsnx[1]);
8172 eid += 2 + rsnx[1];
8173 }
8174 }
8175
8176 eid += hostapd_mbssid_ext_capa(bss, tx_bss, eid);
8177
8178 /* List of Element ID values in increasing order */
8179 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN))
8180 non_inherit_ie[ie_count++] = WLAN_EID_RSN;
8181 if (hapd->conf->xrates_supported &&
8182 !bss->conf->xrates_supported)
8183 non_inherit_ie[ie_count++] = WLAN_EID_EXT_SUPP_RATES;
8184 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX))
8185 non_inherit_ie[ie_count++] = WLAN_EID_RSNX;
8186 if (ie_count) {
8187 *eid++ = WLAN_EID_EXTENSION;
8188 *eid++ = 2 + ie_count + 1;
8189 *eid++ = WLAN_EID_EXT_NON_INHERITANCE;
8190 *eid++ = ie_count;
8191 os_memcpy(eid, non_inherit_ie, ie_count);
8192 eid += ie_count;
8193 *eid++ = 0; /* No Element ID Extension List */
8194 }
8195
8196 *eid_len_pos = (eid - eid_len_pos) - 1;
8197
8198 if (((eid - eid_len_offset) - 1) > 255) {
8199 eid = nontx_bss_start;
8200 break;
8201 }
8202 }
8203
8204 *bss_index = i;
8205 *max_bssid_indicator_offset = max_bssid_indicator;
8206 if (*max_bssid_indicator_offset < 1)
8207 *max_bssid_indicator_offset = 1;
8208 *eid_len_offset = (eid - eid_len_offset) - 1;
8209 return eid;
8210 }
8211
8212
hostapd_eid_mbssid(struct hostapd_data * hapd,u8 * eid,u8 * end,unsigned int frame_stype,u8 elem_count,u8 ** elem_offset,const u8 * known_bss,size_t known_bss_len,u8 * rnr_eid,u8 * rnr_count,u8 ** rnr_offset,size_t rnr_len)8213 u8 * hostapd_eid_mbssid(struct hostapd_data *hapd, u8 *eid, u8 *end,
8214 unsigned int frame_stype, u8 elem_count,
8215 u8 **elem_offset,
8216 const u8 *known_bss, size_t known_bss_len, u8 *rnr_eid,
8217 u8 *rnr_count, u8 **rnr_offset, size_t rnr_len)
8218 {
8219 size_t bss_index = 1, cur_len = 0;
8220 u8 elem_index = 0, *rnr_start_eid = rnr_eid;
8221 bool add_rnr, ap_mld = false;
8222
8223 #ifdef CONFIG_IEEE80211BE
8224 ap_mld = hapd->conf->mld_ap;
8225 #endif /* CONFIG_IEEE80211BE */
8226
8227 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 ||
8228 (frame_stype != WLAN_FC_STYPE_BEACON &&
8229 frame_stype != WLAN_FC_STYPE_PROBE_RESP))
8230 return eid;
8231
8232 if (frame_stype == WLAN_FC_STYPE_BEACON && !elem_offset) {
8233 wpa_printf(MSG_INFO,
8234 "MBSSID: Insufficient data for Beacon frames");
8235 return eid;
8236 }
8237
8238 add_rnr = hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED &&
8239 frame_stype == WLAN_FC_STYPE_BEACON &&
8240 rnr_eid && rnr_count && rnr_offset && rnr_len;
8241
8242 while (bss_index < hapd->iface->num_bss) {
8243 unsigned int rnr_start_count = bss_index;
8244
8245 if (frame_stype == WLAN_FC_STYPE_BEACON) {
8246 if (elem_index == elem_count) {
8247 wpa_printf(MSG_WARNING,
8248 "MBSSID: Larger number of elements than there is room in the provided array");
8249 break;
8250 }
8251
8252 elem_offset[elem_index] = eid;
8253 elem_index = elem_index + 1;
8254 }
8255 eid = hostapd_eid_mbssid_elem(hapd, eid, end, frame_stype,
8256 hostapd_max_bssid_indicator(hapd),
8257 &bss_index, elem_count,
8258 known_bss, known_bss_len);
8259
8260 if (add_rnr) {
8261 struct mbssid_ie_profiles skip_profiles = {
8262 rnr_start_count, bss_index
8263 };
8264
8265 rnr_offset[*rnr_count] = rnr_eid;
8266 *rnr_count = *rnr_count + 1;
8267 cur_len = 0;
8268 rnr_eid = hostapd_eid_rnr_iface(
8269 hapd, hostapd_mbssid_get_tx_bss(hapd),
8270 rnr_eid, &cur_len, &skip_profiles, ap_mld);
8271 }
8272 }
8273
8274 if (add_rnr && (size_t) (rnr_eid - rnr_start_eid) < rnr_len) {
8275 rnr_offset[*rnr_count] = rnr_eid;
8276 *rnr_count = *rnr_count + 1;
8277 cur_len = 0;
8278
8279 if (hapd->conf->rnr)
8280 rnr_eid = hostapd_eid_nr_db(hapd, rnr_eid, &cur_len);
8281 if (get_colocation_mode(hapd) == COLOCATED_LOWER_BAND)
8282 rnr_eid = hostapd_eid_rnr_colocation(hapd, rnr_eid,
8283 &cur_len);
8284 }
8285
8286 return eid;
8287 }
8288
8289 #endif /* CONFIG_NATIVE_WINDOWS */
8290