• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * hostapd / IEEE 802.11 Management
3  * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #ifndef CONFIG_NATIVE_WINDOWS
12 
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "radius/radius.h"
27 #include "radius/radius_client.h"
28 #include "p2p/p2p.h"
29 #include "wps/wps.h"
30 #include "fst/fst.h"
31 #include "hostapd.h"
32 #include "beacon.h"
33 #include "ieee802_11_auth.h"
34 #include "sta_info.h"
35 #include "ieee802_1x.h"
36 #include "wpa_auth.h"
37 #include "pmksa_cache_auth.h"
38 #include "wmm.h"
39 #include "ap_list.h"
40 #include "accounting.h"
41 #include "ap_config.h"
42 #include "ap_mlme.h"
43 #include "p2p_hostapd.h"
44 #include "ap_drv_ops.h"
45 #include "wnm_ap.h"
46 #include "hw_features.h"
47 #include "ieee802_11.h"
48 #include "dfs.h"
49 #include "mbo_ap.h"
50 #include "rrm.h"
51 #include "taxonomy.h"
52 #include "fils_hlp.h"
53 #include "dpp_hostapd.h"
54 #include "gas_query_ap.h"
55 
56 
57 #ifdef CONFIG_FILS
58 static struct wpabuf *
59 prepare_auth_resp_fils(struct hostapd_data *hapd,
60 		       struct sta_info *sta, u16 *resp,
61 		       struct rsn_pmksa_cache_entry *pmksa,
62 		       struct wpabuf *erp_resp,
63 		       const u8 *msk, size_t msk_len,
64 		       int *is_pub);
65 #endif /* CONFIG_FILS */
66 static void handle_auth(struct hostapd_data *hapd,
67 			const struct ieee80211_mgmt *mgmt, size_t len,
68 			int rssi, int from_queue);
69 
70 
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)71 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
72 {
73 	u8 multi_ap_val = 0;
74 
75 	if (!hapd->conf->multi_ap)
76 		return eid;
77 	if (hapd->conf->multi_ap & BACKHAUL_BSS)
78 		multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
79 	if (hapd->conf->multi_ap & FRONTHAUL_BSS)
80 		multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
81 
82 	return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
83 }
84 
85 
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)86 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
87 {
88 	u8 *pos = eid;
89 	int i, num, count;
90 
91 	if (hapd->iface->current_rates == NULL)
92 		return eid;
93 
94 	*pos++ = WLAN_EID_SUPP_RATES;
95 	num = hapd->iface->num_rates;
96 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
97 		num++;
98 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
99 		num++;
100 	if (num > 8) {
101 		/* rest of the rates are encoded in Extended supported
102 		 * rates element */
103 		num = 8;
104 	}
105 
106 	*pos++ = num;
107 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
108 	     i++) {
109 		count++;
110 		*pos = hapd->iface->current_rates[i].rate / 5;
111 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
112 			*pos |= 0x80;
113 		pos++;
114 	}
115 
116 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
117 		count++;
118 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
119 	}
120 
121 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
122 		count++;
123 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
124 	}
125 
126 	return pos;
127 }
128 
129 
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)130 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
131 {
132 	u8 *pos = eid;
133 	int i, num, count;
134 
135 	if (hapd->iface->current_rates == NULL)
136 		return eid;
137 
138 	num = hapd->iface->num_rates;
139 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
140 		num++;
141 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
142 		num++;
143 	if (num <= 8)
144 		return eid;
145 	num -= 8;
146 
147 	*pos++ = WLAN_EID_EXT_SUPP_RATES;
148 	*pos++ = num;
149 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
150 	     i++) {
151 		count++;
152 		if (count <= 8)
153 			continue; /* already in SuppRates IE */
154 		*pos = hapd->iface->current_rates[i].rate / 5;
155 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
156 			*pos |= 0x80;
157 		pos++;
158 	}
159 
160 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
161 		count++;
162 		if (count > 8)
163 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
164 	}
165 
166 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
167 		count++;
168 		if (count > 8)
169 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
170 	}
171 
172 	return pos;
173 }
174 
175 
hostapd_own_capab_info(struct hostapd_data * hapd)176 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
177 {
178 	int capab = WLAN_CAPABILITY_ESS;
179 	int privacy;
180 	int dfs;
181 	int i;
182 
183 	/* Check if any of configured channels require DFS */
184 	dfs = hostapd_is_dfs_required(hapd->iface);
185 	if (dfs < 0) {
186 		wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
187 			   dfs);
188 		dfs = 0;
189 	}
190 
191 	if (hapd->iface->num_sta_no_short_preamble == 0 &&
192 	    hapd->iconf->preamble == SHORT_PREAMBLE)
193 		capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
194 
195 	privacy = hapd->conf->ssid.wep.keys_set;
196 
197 	if (hapd->conf->ieee802_1x &&
198 	    (hapd->conf->default_wep_key_len ||
199 	     hapd->conf->individual_wep_key_len))
200 		privacy = 1;
201 
202 	if (hapd->conf->wpa)
203 		privacy = 1;
204 
205 #ifdef CONFIG_HS20
206 	if (hapd->conf->osen)
207 		privacy = 1;
208 #endif /* CONFIG_HS20 */
209 
210 	if (privacy)
211 		capab |= WLAN_CAPABILITY_PRIVACY;
212 
213 	if (hapd->iface->current_mode &&
214 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
215 	    hapd->iface->num_sta_no_short_slot_time == 0)
216 		capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
217 
218 	/*
219 	 * Currently, Spectrum Management capability bit is set when directly
220 	 * requested in configuration by spectrum_mgmt_required or when AP is
221 	 * running on DFS channel.
222 	 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
223 	 */
224 	if (hapd->iface->current_mode &&
225 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
226 	    (hapd->iconf->spectrum_mgmt_required || dfs))
227 		capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
228 
229 	for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
230 		if (hapd->conf->radio_measurements[i]) {
231 			capab |= IEEE80211_CAP_RRM;
232 			break;
233 		}
234 	}
235 
236 	return capab;
237 }
238 
239 
240 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)241 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
242 			   u16 auth_transaction, const u8 *challenge,
243 			   int iswep)
244 {
245 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
246 		       HOSTAPD_LEVEL_DEBUG,
247 		       "authentication (shared key, transaction %d)",
248 		       auth_transaction);
249 
250 	if (auth_transaction == 1) {
251 		if (!sta->challenge) {
252 			/* Generate a pseudo-random challenge */
253 			u8 key[8];
254 
255 			sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
256 			if (sta->challenge == NULL)
257 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
258 
259 			if (os_get_random(key, sizeof(key)) < 0) {
260 				os_free(sta->challenge);
261 				sta->challenge = NULL;
262 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
263 			}
264 
265 			rc4_skip(key, sizeof(key), 0,
266 				 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
267 		}
268 		return 0;
269 	}
270 
271 	if (auth_transaction != 3)
272 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
273 
274 	/* Transaction 3 */
275 	if (!iswep || !sta->challenge || !challenge ||
276 	    os_memcmp_const(sta->challenge, challenge,
277 			    WLAN_AUTH_CHALLENGE_LEN)) {
278 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
279 			       HOSTAPD_LEVEL_INFO,
280 			       "shared key authentication - invalid "
281 			       "challenge-response");
282 		return WLAN_STATUS_CHALLENGE_FAIL;
283 	}
284 
285 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
286 		       HOSTAPD_LEVEL_DEBUG,
287 		       "authentication OK (shared key)");
288 	sta->flags |= WLAN_STA_AUTH;
289 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
290 	os_free(sta->challenge);
291 	sta->challenge = NULL;
292 
293 	return 0;
294 }
295 #endif /* CONFIG_NO_RC4 */
296 
297 
send_auth_reply(struct hostapd_data * hapd,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)298 static int send_auth_reply(struct hostapd_data *hapd,
299 			   const u8 *dst, const u8 *bssid,
300 			   u16 auth_alg, u16 auth_transaction, u16 resp,
301 			   const u8 *ies, size_t ies_len, const char *dbg)
302 {
303 	struct ieee80211_mgmt *reply;
304 	u8 *buf;
305 	size_t rlen;
306 	int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
307 
308 	rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
309 	buf = os_zalloc(rlen);
310 	if (buf == NULL)
311 		return -1;
312 
313 	reply = (struct ieee80211_mgmt *) buf;
314 	reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
315 					    WLAN_FC_STYPE_AUTH);
316 	os_memcpy(reply->da, dst, ETH_ALEN);
317 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
318 	os_memcpy(reply->bssid, bssid, ETH_ALEN);
319 
320 	reply->u.auth.auth_alg = host_to_le16(auth_alg);
321 	reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
322 	reply->u.auth.status_code = host_to_le16(resp);
323 
324 	if (ies && ies_len)
325 		os_memcpy(reply->u.auth.variable, ies, ies_len);
326 
327 	wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
328 		   " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
329 		   MAC2STR(dst), auth_alg, auth_transaction,
330 		   resp, (unsigned long) ies_len, dbg);
331 	if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
332 		wpa_printf(MSG_INFO, "send_auth_reply: send failed");
333 	else
334 		reply_res = WLAN_STATUS_SUCCESS;
335 
336 	os_free(buf);
337 
338 	return reply_res;
339 }
340 
341 
342 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)343 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
344 				  u16 auth_transaction, u16 status,
345 				  const u8 *ies, size_t ies_len)
346 {
347 	struct hostapd_data *hapd = ctx;
348 	struct sta_info *sta;
349 	int reply_res;
350 
351 	reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
352 				    auth_transaction, status, ies, ies_len,
353 				    "auth-ft-finish");
354 
355 	sta = ap_get_sta(hapd, dst);
356 	if (sta == NULL)
357 		return;
358 
359 	if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
360 				   status != WLAN_STATUS_SUCCESS)) {
361 		hostapd_drv_sta_remove(hapd, sta->addr);
362 		sta->added_unassoc = 0;
363 		return;
364 	}
365 
366 	if (status != WLAN_STATUS_SUCCESS)
367 		return;
368 
369 	hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
370 		       HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
371 	sta->flags |= WLAN_STA_AUTH;
372 	mlme_authenticate_indication(hapd, sta);
373 }
374 #endif /* CONFIG_IEEE80211R_AP */
375 
376 
377 #ifdef CONFIG_SAE
378 
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)379 static void sae_set_state(struct sta_info *sta, enum sae_state state,
380 			  const char *reason)
381 {
382 	wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
383 		   sae_state_txt(sta->sae->state), sae_state_txt(state),
384 		   MAC2STR(sta->addr), reason);
385 	sta->sae->state = state;
386 }
387 
388 
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update)389 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
390 					     struct sta_info *sta, int update)
391 {
392 	struct wpabuf *buf;
393 	const char *password = NULL;
394 	struct sae_password_entry *pw;
395 	const char *rx_id = NULL;
396 
397 	if (sta->sae->tmp)
398 		rx_id = sta->sae->tmp->pw_id;
399 
400 	for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
401 		if (!is_broadcast_ether_addr(pw->peer_addr) &&
402 		    os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
403 			continue;
404 		if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
405 			continue;
406 		if (rx_id && pw->identifier &&
407 		    os_strcmp(rx_id, pw->identifier) != 0)
408 			continue;
409 		password = pw->password;
410 		break;
411 	}
412 	if (!password)
413 		password = hapd->conf->ssid.wpa_passphrase;
414 	if (!password) {
415 		wpa_printf(MSG_DEBUG, "SAE: No password available");
416 		return NULL;
417 	}
418 
419 	if (update &&
420 	    sae_prepare_commit(hapd->own_addr, sta->addr,
421 			       (u8 *) password, os_strlen(password), rx_id,
422 			       sta->sae) < 0) {
423 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
424 		return NULL;
425 	}
426 
427 	if (pw && pw->vlan_id) {
428 		if (!sta->sae->tmp) {
429 			wpa_printf(MSG_INFO,
430 				   "SAE: No temporary data allocated - cannot store VLAN ID");
431 			return NULL;
432 		}
433 		sta->sae->tmp->vlan_id = pw->vlan_id;
434 	}
435 
436 	buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
437 			   (rx_id ? 3 + os_strlen(rx_id) : 0));
438 	if (buf == NULL)
439 		return NULL;
440 	sae_write_commit(sta->sae, buf, sta->sae->tmp ?
441 			 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
442 
443 	return buf;
444 }
445 
446 
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)447 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
448 					      struct sta_info *sta)
449 {
450 	struct wpabuf *buf;
451 
452 	buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
453 	if (buf == NULL)
454 		return NULL;
455 
456 	sae_write_confirm(sta->sae, buf);
457 
458 	return buf;
459 }
460 
461 
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update)462 static int auth_sae_send_commit(struct hostapd_data *hapd,
463 				struct sta_info *sta,
464 				const u8 *bssid, int update)
465 {
466 	struct wpabuf *data;
467 	int reply_res;
468 
469 	data = auth_build_sae_commit(hapd, sta, update);
470 	if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
471 		return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
472 	if (data == NULL)
473 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
474 
475 	reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
476 				    WLAN_STATUS_SUCCESS, wpabuf_head(data),
477 				    wpabuf_len(data), "sae-send-commit");
478 
479 	wpabuf_free(data);
480 
481 	return reply_res;
482 }
483 
484 
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)485 static int auth_sae_send_confirm(struct hostapd_data *hapd,
486 				 struct sta_info *sta,
487 				 const u8 *bssid)
488 {
489 	struct wpabuf *data;
490 	int reply_res;
491 
492 	data = auth_build_sae_confirm(hapd, sta);
493 	if (data == NULL)
494 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
495 
496 	reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
497 				    WLAN_STATUS_SUCCESS, wpabuf_head(data),
498 				    wpabuf_len(data), "sae-send-confirm");
499 
500 	wpabuf_free(data);
501 
502 	return reply_res;
503 }
504 
505 
use_sae_anti_clogging(struct hostapd_data * hapd)506 static int use_sae_anti_clogging(struct hostapd_data *hapd)
507 {
508 	struct sta_info *sta;
509 	unsigned int open = 0;
510 
511 	if (hapd->conf->sae_anti_clogging_threshold == 0)
512 		return 1;
513 
514 	for (sta = hapd->sta_list; sta; sta = sta->next) {
515 		if (!sta->sae)
516 			continue;
517 		if (sta->sae->state != SAE_COMMITTED &&
518 		    sta->sae->state != SAE_CONFIRMED)
519 			continue;
520 		open++;
521 		if (open >= hapd->conf->sae_anti_clogging_threshold)
522 			return 1;
523 	}
524 
525 	/* In addition to already existing open SAE sessions, check whether
526 	 * there are enough pending commit messages in the processing queue to
527 	 * potentially result in too many open sessions. */
528 	if (open + dl_list_len(&hapd->sae_commit_queue) >=
529 	    hapd->conf->sae_anti_clogging_threshold)
530 		return 1;
531 
532 	return 0;
533 }
534 
535 
sae_token_hash(struct hostapd_data * hapd,const u8 * addr)536 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
537 {
538 	u8 hash[SHA256_MAC_LEN];
539 
540 	hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
541 		    addr, ETH_ALEN, hash);
542 	return hash[0];
543 }
544 
545 
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)546 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
547 			   const u8 *token, size_t token_len)
548 {
549 	u8 mac[SHA256_MAC_LEN];
550 	const u8 *addrs[2];
551 	size_t len[2];
552 	u16 token_idx;
553 	u8 idx;
554 
555 	if (token_len != SHA256_MAC_LEN)
556 		return -1;
557 	idx = sae_token_hash(hapd, addr);
558 	token_idx = hapd->sae_pending_token_idx[idx];
559 	if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
560 		wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
561 			   MACSTR " - token_idx 0x%04x, expected 0x%04x",
562 			   MAC2STR(addr), WPA_GET_BE16(token), token_idx);
563 		return -1;
564 	}
565 
566 	addrs[0] = addr;
567 	len[0] = ETH_ALEN;
568 	addrs[1] = token;
569 	len[1] = 2;
570 	if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
571 			       2, addrs, len, mac) < 0 ||
572 	    os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
573 		return -1;
574 
575 	hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
576 
577 	return 0;
578 }
579 
580 
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr)581 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
582 					    int group, const u8 *addr)
583 {
584 	struct wpabuf *buf;
585 	u8 *token;
586 	struct os_reltime now;
587 	u8 idx[2];
588 	const u8 *addrs[2];
589 	size_t len[2];
590 	u8 p_idx;
591 	u16 token_idx;
592 
593 	os_get_reltime(&now);
594 	if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
595 	    os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
596 	    hapd->sae_token_idx == 0xffff) {
597 		if (random_get_bytes(hapd->sae_token_key,
598 				     sizeof(hapd->sae_token_key)) < 0)
599 			return NULL;
600 		wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
601 			    hapd->sae_token_key, sizeof(hapd->sae_token_key));
602 		hapd->last_sae_token_key_update = now;
603 		hapd->sae_token_idx = 0;
604 		os_memset(hapd->sae_pending_token_idx, 0,
605 			  sizeof(hapd->sae_pending_token_idx));
606 	}
607 
608 	buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
609 	if (buf == NULL)
610 		return NULL;
611 
612 	wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
613 
614 	p_idx = sae_token_hash(hapd, addr);
615 	token_idx = hapd->sae_pending_token_idx[p_idx];
616 	if (!token_idx) {
617 		hapd->sae_token_idx++;
618 		token_idx = hapd->sae_token_idx;
619 		hapd->sae_pending_token_idx[p_idx] = token_idx;
620 	}
621 	WPA_PUT_BE16(idx, token_idx);
622 	token = wpabuf_put(buf, SHA256_MAC_LEN);
623 	addrs[0] = addr;
624 	len[0] = ETH_ALEN;
625 	addrs[1] = idx;
626 	len[1] = sizeof(idx);
627 	if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
628 			       2, addrs, len, token) < 0) {
629 		wpabuf_free(buf);
630 		return NULL;
631 	}
632 	WPA_PUT_BE16(token, token_idx);
633 
634 	return buf;
635 }
636 
637 
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)638 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
639 {
640 	if (sta->sae->sync > hapd->conf->sae_sync) {
641 		sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
642 		sta->sae->sync = 0;
643 		return -1;
644 	}
645 	return 0;
646 }
647 
648 
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)649 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
650 {
651 	struct hostapd_data *hapd = eloop_ctx;
652 	struct sta_info *sta = eloop_data;
653 	int ret;
654 
655 	if (sae_check_big_sync(hapd, sta))
656 		return;
657 	sta->sae->sync++;
658 	wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
659 		   " (sync=%d state=%s)",
660 		   MAC2STR(sta->addr), sta->sae->sync,
661 		   sae_state_txt(sta->sae->state));
662 
663 	switch (sta->sae->state) {
664 	case SAE_COMMITTED:
665 		ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
666 		eloop_register_timeout(0,
667 				       hapd->dot11RSNASAERetransPeriod * 1000,
668 				       auth_sae_retransmit_timer, hapd, sta);
669 		break;
670 	case SAE_CONFIRMED:
671 		ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
672 		eloop_register_timeout(0,
673 				       hapd->dot11RSNASAERetransPeriod * 1000,
674 				       auth_sae_retransmit_timer, hapd, sta);
675 		break;
676 	default:
677 		ret = -1;
678 		break;
679 	}
680 
681 	if (ret != WLAN_STATUS_SUCCESS)
682 		wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
683 }
684 
685 
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)686 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
687 {
688 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
689 }
690 
691 
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)692 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
693 				     struct sta_info *sta)
694 {
695 	if (!(hapd->conf->mesh & MESH_ENABLED))
696 		return;
697 
698 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
699 	eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
700 			       auth_sae_retransmit_timer, hapd, sta);
701 }
702 
703 
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)704 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
705 					      struct sta_info *sta, u16 status)
706 {
707 	struct external_auth params;
708 
709 	os_memset(&params, 0, sizeof(params));
710 	params.status = status;
711 	params.bssid = sta->addr;
712 	if (status == WLAN_STATUS_SUCCESS && sta->sae)
713 		params.pmkid = sta->sae->pmkid;
714 
715 	hostapd_drv_send_external_auth_status(hapd, &params);
716 }
717 
718 
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)719 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
720 {
721 #ifndef CONFIG_NO_VLAN
722 	struct vlan_description vlan_desc;
723 
724 	if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
725 		wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
726 			   " to VLAN ID %d",
727 			   MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
728 
729 		os_memset(&vlan_desc, 0, sizeof(vlan_desc));
730 		vlan_desc.notempty = 1;
731 		vlan_desc.untagged = sta->sae->tmp->vlan_id;
732 		if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
733 			wpa_printf(MSG_INFO,
734 				   "Invalid VLAN ID %d in sae_password",
735 				   sta->sae->tmp->vlan_id);
736 			return;
737 		}
738 
739 		if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
740 		    ap_sta_bind_vlan(hapd, sta) < 0) {
741 			wpa_printf(MSG_INFO,
742 				   "Failed to assign VLAN ID %d from sae_password to "
743 				   MACSTR, sta->sae->tmp->vlan_id,
744 				   MAC2STR(sta->addr));
745 			return;
746 		}
747 	}
748 #endif /* CONFIG_NO_VLAN */
749 
750 	sta->flags |= WLAN_STA_AUTH;
751 	sta->auth_alg = WLAN_AUTH_SAE;
752 	mlme_authenticate_indication(hapd, sta);
753 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
754 	sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
755 	wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
756 			       sta->sae->pmk, sta->sae->pmkid);
757 	sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
758 }
759 
760 
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u8 auth_transaction,int allow_reuse,int * sta_removed)761 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
762 		       const u8 *bssid, u8 auth_transaction, int allow_reuse,
763 		       int *sta_removed)
764 {
765 	int ret;
766 
767 	*sta_removed = 0;
768 
769 	if (auth_transaction != 1 && auth_transaction != 2)
770 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
771 
772 	wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
773 		   MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
774 		   auth_transaction);
775 	switch (sta->sae->state) {
776 	case SAE_NOTHING:
777 		if (auth_transaction == 1) {
778 			ret = auth_sae_send_commit(hapd, sta, bssid,
779 						   !allow_reuse);
780 			if (ret)
781 				return ret;
782 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
783 
784 			if (sae_process_commit(sta->sae) < 0)
785 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
786 
787 			/*
788 			 * In mesh case, both Commit and Confirm can be sent
789 			 * immediately. In infrastructure BSS, only a single
790 			 * Authentication frame (Commit) is expected from the AP
791 			 * here and the second one (Confirm) will be sent once
792 			 * the STA has sent its second Authentication frame
793 			 * (Confirm).
794 			 */
795 			if (hapd->conf->mesh & MESH_ENABLED) {
796 				/*
797 				 * Send both Commit and Confirm immediately
798 				 * based on SAE finite state machine
799 				 * Nothing -> Confirm transition.
800 				 */
801 				ret = auth_sae_send_confirm(hapd, sta, bssid);
802 				if (ret)
803 					return ret;
804 				sae_set_state(sta, SAE_CONFIRMED,
805 					      "Sent Confirm (mesh)");
806 			} else {
807 				/*
808 				 * For infrastructure BSS, send only the Commit
809 				 * message now to get alternating sequence of
810 				 * Authentication frames between the AP and STA.
811 				 * Confirm will be sent in
812 				 * Committed -> Confirmed/Accepted transition
813 				 * when receiving Confirm from STA.
814 				 */
815 			}
816 			sta->sae->sync = 0;
817 			sae_set_retransmit_timer(hapd, sta);
818 		} else {
819 			hostapd_logger(hapd, sta->addr,
820 				       HOSTAPD_MODULE_IEEE80211,
821 				       HOSTAPD_LEVEL_DEBUG,
822 				       "SAE confirm before commit");
823 		}
824 		break;
825 	case SAE_COMMITTED:
826 		sae_clear_retransmit_timer(hapd, sta);
827 		if (auth_transaction == 1) {
828 			if (sae_process_commit(sta->sae) < 0)
829 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
830 
831 			ret = auth_sae_send_confirm(hapd, sta, bssid);
832 			if (ret)
833 				return ret;
834 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
835 			sta->sae->sync = 0;
836 			sae_set_retransmit_timer(hapd, sta);
837 		} else if (hapd->conf->mesh & MESH_ENABLED) {
838 			/*
839 			 * In mesh case, follow SAE finite state machine and
840 			 * send Commit now, if sync count allows.
841 			 */
842 			if (sae_check_big_sync(hapd, sta))
843 				return WLAN_STATUS_SUCCESS;
844 			sta->sae->sync++;
845 
846 			ret = auth_sae_send_commit(hapd, sta, bssid, 0);
847 			if (ret)
848 				return ret;
849 
850 			sae_set_retransmit_timer(hapd, sta);
851 		} else {
852 			/*
853 			 * For instructure BSS, send the postponed Confirm from
854 			 * Nothing -> Confirmed transition that was reduced to
855 			 * Nothing -> Committed above.
856 			 */
857 			ret = auth_sae_send_confirm(hapd, sta, bssid);
858 			if (ret)
859 				return ret;
860 
861 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
862 
863 			/*
864 			 * Since this was triggered on Confirm RX, run another
865 			 * step to get to Accepted without waiting for
866 			 * additional events.
867 			 */
868 			return sae_sm_step(hapd, sta, bssid, auth_transaction,
869 					   0, sta_removed);
870 		}
871 		break;
872 	case SAE_CONFIRMED:
873 		sae_clear_retransmit_timer(hapd, sta);
874 		if (auth_transaction == 1) {
875 			if (sae_check_big_sync(hapd, sta))
876 				return WLAN_STATUS_SUCCESS;
877 			sta->sae->sync++;
878 
879 			ret = auth_sae_send_commit(hapd, sta, bssid, 1);
880 			if (ret)
881 				return ret;
882 
883 			if (sae_process_commit(sta->sae) < 0)
884 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
885 
886 			ret = auth_sae_send_confirm(hapd, sta, bssid);
887 			if (ret)
888 				return ret;
889 
890 			sae_set_retransmit_timer(hapd, sta);
891 		} else {
892 			sta->sae->send_confirm = 0xffff;
893 			sae_accept_sta(hapd, sta);
894 		}
895 		break;
896 	case SAE_ACCEPTED:
897 		if (auth_transaction == 1 &&
898 		    (hapd->conf->mesh & MESH_ENABLED)) {
899 			wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
900 				   ") doing reauthentication",
901 				   MAC2STR(sta->addr));
902 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
903 			ap_free_sta(hapd, sta);
904 			*sta_removed = 1;
905 		} else if (auth_transaction == 1) {
906 			wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
907 			ret = auth_sae_send_commit(hapd, sta, bssid, 1);
908 			if (ret)
909 				return ret;
910 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
911 
912 			if (sae_process_commit(sta->sae) < 0)
913 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
914 			sta->sae->sync = 0;
915 			sae_set_retransmit_timer(hapd, sta);
916 		} else {
917 			if (sae_check_big_sync(hapd, sta))
918 				return WLAN_STATUS_SUCCESS;
919 			sta->sae->sync++;
920 
921 			ret = auth_sae_send_confirm(hapd, sta, bssid);
922 			sae_clear_temp_data(sta->sae);
923 			if (ret)
924 				return ret;
925 		}
926 		break;
927 	default:
928 		wpa_printf(MSG_ERROR, "SAE: invalid state %d",
929 			   sta->sae->state);
930 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
931 	}
932 	return WLAN_STATUS_SUCCESS;
933 }
934 
935 
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)936 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
937 {
938 	struct sae_data *sae = sta->sae;
939 	int i, *groups = hapd->conf->sae_groups;
940 	int default_groups[] = { 19, 0 };
941 
942 	if (sae->state != SAE_COMMITTED)
943 		return;
944 
945 	wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
946 
947 	if (!groups)
948 		groups = default_groups;
949 	for (i = 0; groups[i] > 0; i++) {
950 		if (sae->group == groups[i])
951 			break;
952 	}
953 
954 	if (groups[i] <= 0) {
955 		wpa_printf(MSG_DEBUG,
956 			   "SAE: Previously selected group not found from the current configuration");
957 		return;
958 	}
959 
960 	for (;;) {
961 		i++;
962 		if (groups[i] <= 0) {
963 			wpa_printf(MSG_DEBUG,
964 				   "SAE: No alternative group enabled");
965 			return;
966 		}
967 
968 		if (sae_set_group(sae, groups[i]) < 0)
969 			continue;
970 
971 		break;
972 	}
973 	wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
974 }
975 
976 
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)977 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
978 			    const struct ieee80211_mgmt *mgmt, size_t len,
979 			    u16 auth_transaction, u16 status_code)
980 {
981 	int resp = WLAN_STATUS_SUCCESS;
982 	struct wpabuf *data = NULL;
983 	int *groups = hapd->conf->sae_groups;
984 	int default_groups[] = { 19, 0 };
985 	const u8 *pos, *end;
986 	int sta_removed = 0;
987 
988 	if (!groups)
989 		groups = default_groups;
990 
991 #ifdef CONFIG_TESTING_OPTIONS
992 	if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
993 		wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
994 		pos = mgmt->u.auth.variable;
995 		end = ((const u8 *) mgmt) + len;
996 		send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
997 				auth_transaction, resp, pos, end - pos,
998 				"auth-sae-reflection-attack");
999 		goto remove_sta;
1000 	}
1001 
1002 	if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1003 		wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1004 		send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1005 				auth_transaction, resp,
1006 				wpabuf_head(hapd->conf->sae_commit_override),
1007 				wpabuf_len(hapd->conf->sae_commit_override),
1008 				"sae-commit-override");
1009 		goto remove_sta;
1010 	}
1011 #endif /* CONFIG_TESTING_OPTIONS */
1012 	if (!sta->sae) {
1013 		if (auth_transaction != 1 ||
1014 		    status_code != WLAN_STATUS_SUCCESS) {
1015 			resp = -1;
1016 			goto remove_sta;
1017 		}
1018 		sta->sae = os_zalloc(sizeof(*sta->sae));
1019 		if (!sta->sae) {
1020 			resp = -1;
1021 			goto remove_sta;
1022 		}
1023 		sae_set_state(sta, SAE_NOTHING, "Init");
1024 		sta->sae->sync = 0;
1025 	}
1026 
1027 	if (sta->mesh_sae_pmksa_caching) {
1028 		wpa_printf(MSG_DEBUG,
1029 			   "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1030 		wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1031 		sta->mesh_sae_pmksa_caching = 0;
1032 	}
1033 
1034 	if (auth_transaction == 1) {
1035 		const u8 *token = NULL;
1036 		size_t token_len = 0;
1037 		int allow_reuse = 0;
1038 
1039 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1040 			       HOSTAPD_LEVEL_DEBUG,
1041 			       "start SAE authentication (RX commit, status=%u)",
1042 			       status_code);
1043 
1044 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1045 		    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1046 		    sta->sae->tmp) {
1047 			pos = mgmt->u.auth.variable;
1048 			end = ((const u8 *) mgmt) + len;
1049 			if (pos + sizeof(le16) > end) {
1050 				wpa_printf(MSG_ERROR,
1051 					   "SAE: Too short anti-clogging token request");
1052 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1053 				goto reply;
1054 			}
1055 			resp = sae_group_allowed(sta->sae, groups,
1056 						 WPA_GET_LE16(pos));
1057 			if (resp != WLAN_STATUS_SUCCESS) {
1058 				wpa_printf(MSG_ERROR,
1059 					   "SAE: Invalid group in anti-clogging token request");
1060 				goto reply;
1061 			}
1062 			pos += sizeof(le16);
1063 
1064 			wpabuf_free(sta->sae->tmp->anti_clogging_token);
1065 			sta->sae->tmp->anti_clogging_token =
1066 				wpabuf_alloc_copy(pos, end - pos);
1067 			if (sta->sae->tmp->anti_clogging_token == NULL) {
1068 				wpa_printf(MSG_ERROR,
1069 					   "SAE: Failed to alloc for anti-clogging token");
1070 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1071 				goto remove_sta;
1072 			}
1073 
1074 			/*
1075 			 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1076 			 * is 76, a new Commit Message shall be constructed
1077 			 * with the Anti-Clogging Token from the received
1078 			 * Authentication frame, and the commit-scalar and
1079 			 * COMMIT-ELEMENT previously sent.
1080 			 */
1081 			resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
1082 			if (resp != WLAN_STATUS_SUCCESS) {
1083 				wpa_printf(MSG_ERROR,
1084 					   "SAE: Failed to send commit message");
1085 				goto remove_sta;
1086 			}
1087 			sae_set_state(sta, SAE_COMMITTED,
1088 				      "Sent Commit (anti-clogging token case in mesh)");
1089 			sta->sae->sync = 0;
1090 			sae_set_retransmit_timer(hapd, sta);
1091 			return;
1092 		}
1093 
1094 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1095 		    status_code ==
1096 		    WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1097 		    sta->sae->tmp) {
1098 			wpa_printf(MSG_DEBUG,
1099 				   "SAE: Peer did not accept our SAE group");
1100 			sae_pick_next_group(hapd, sta);
1101 			goto remove_sta;
1102 		}
1103 
1104 		if (status_code != WLAN_STATUS_SUCCESS)
1105 			goto remove_sta;
1106 
1107 		if (!(hapd->conf->mesh & MESH_ENABLED) &&
1108 		    sta->sae->state == SAE_COMMITTED) {
1109 			/* This is needed in the infrastructure BSS case to
1110 			 * address a sequence where a STA entry may remain in
1111 			 * hostapd across two attempts to do SAE authentication
1112 			 * by the same STA. The second attempt may end up trying
1113 			 * to use a different group and that would not be
1114 			 * allowed if we remain in Committed state with the
1115 			 * previously set parameters. */
1116 			pos = mgmt->u.auth.variable;
1117 			end = ((const u8 *) mgmt) + len;
1118 			if (end - pos >= (int) sizeof(le16) &&
1119 			    sae_group_allowed(sta->sae, groups,
1120 					      WPA_GET_LE16(pos)) ==
1121 			    WLAN_STATUS_SUCCESS) {
1122 				/* Do not waste resources deriving the same PWE
1123 				 * again since the same group is reused. */
1124 				sae_set_state(sta, SAE_NOTHING,
1125 					      "Allow previous PWE to be reused");
1126 				allow_reuse = 1;
1127 			} else {
1128 				sae_set_state(sta, SAE_NOTHING,
1129 					      "Clear existing state to allow restart");
1130 				sae_clear_data(sta->sae);
1131 			}
1132 		}
1133 
1134 		resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1135 					((const u8 *) mgmt) + len -
1136 					mgmt->u.auth.variable, &token,
1137 					&token_len, groups);
1138 		if (resp == SAE_SILENTLY_DISCARD) {
1139 			wpa_printf(MSG_DEBUG,
1140 				   "SAE: Drop commit message from " MACSTR " due to reflection attack",
1141 				   MAC2STR(sta->addr));
1142 			goto remove_sta;
1143 		}
1144 
1145 		if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1146 			wpa_msg(hapd->msg_ctx, MSG_INFO,
1147 				WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1148 				MACSTR, MAC2STR(sta->addr));
1149 			sae_clear_retransmit_timer(hapd, sta);
1150 			sae_set_state(sta, SAE_NOTHING,
1151 				      "Unknown Password Identifier");
1152 			goto remove_sta;
1153 		}
1154 
1155 		if (token && check_sae_token(hapd, sta->addr, token, token_len)
1156 		    < 0) {
1157 			wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1158 				   "incorrect token from " MACSTR,
1159 				   MAC2STR(sta->addr));
1160 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1161 			goto remove_sta;
1162 		}
1163 
1164 		if (resp != WLAN_STATUS_SUCCESS)
1165 			goto reply;
1166 
1167 		if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1168 			wpa_printf(MSG_DEBUG,
1169 				   "SAE: Request anti-clogging token from "
1170 				   MACSTR, MAC2STR(sta->addr));
1171 			data = auth_build_token_req(hapd, sta->sae->group,
1172 						    sta->addr);
1173 			resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1174 			if (hapd->conf->mesh & MESH_ENABLED)
1175 				sae_set_state(sta, SAE_NOTHING,
1176 					      "Request anti-clogging token case in mesh");
1177 			goto reply;
1178 		}
1179 
1180 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1181 				   allow_reuse, &sta_removed);
1182 	} else if (auth_transaction == 2) {
1183 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1184 			       HOSTAPD_LEVEL_DEBUG,
1185 			       "SAE authentication (RX confirm, status=%u)",
1186 			       status_code);
1187 		if (status_code != WLAN_STATUS_SUCCESS)
1188 			goto remove_sta;
1189 		if (sta->sae->state >= SAE_CONFIRMED ||
1190 		    !(hapd->conf->mesh & MESH_ENABLED)) {
1191 			const u8 *var;
1192 			size_t var_len;
1193 			u16 peer_send_confirm;
1194 
1195 			var = mgmt->u.auth.variable;
1196 			var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1197 			if (var_len < 2) {
1198 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1199 				goto reply;
1200 			}
1201 
1202 			peer_send_confirm = WPA_GET_LE16(var);
1203 
1204 			if (sta->sae->state == SAE_ACCEPTED &&
1205 			    (peer_send_confirm <= sta->sae->rc ||
1206 			     peer_send_confirm == 0xffff)) {
1207 				wpa_printf(MSG_DEBUG,
1208 					   "SAE: Silently ignore unexpected Confirm from peer "
1209 					   MACSTR
1210 					   " (peer-send-confirm=%u Rc=%u)",
1211 					   MAC2STR(sta->addr),
1212 					   peer_send_confirm, sta->sae->rc);
1213 				return;
1214 			}
1215 
1216 			if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1217 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1218 				goto reply;
1219 			}
1220 			sta->sae->rc = peer_send_confirm;
1221 		}
1222 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0,
1223 			&sta_removed);
1224 	} else {
1225 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1226 			       HOSTAPD_LEVEL_DEBUG,
1227 			       "unexpected SAE authentication transaction %u (status=%u)",
1228 			       auth_transaction, status_code);
1229 		if (status_code != WLAN_STATUS_SUCCESS)
1230 			goto remove_sta;
1231 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1232 	}
1233 
1234 reply:
1235 	if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1236 		pos = mgmt->u.auth.variable;
1237 		end = ((const u8 *) mgmt) + len;
1238 
1239 		/* Copy the Finite Cyclic Group field from the request if we
1240 		 * rejected it as unsupported group. */
1241 		if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1242 		    !data && end - pos >= 2)
1243 			data = wpabuf_alloc_copy(pos, 2);
1244 
1245 		sae_sme_send_external_auth_status(hapd, sta, resp);
1246 		send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1247 				auth_transaction, resp,
1248 				data ? wpabuf_head(data) : (u8 *) "",
1249 				data ? wpabuf_len(data) : 0, "auth-sae");
1250 	}
1251 
1252 remove_sta:
1253 	if (!sta_removed && sta->added_unassoc &&
1254 	    (resp != WLAN_STATUS_SUCCESS ||
1255 	     status_code != WLAN_STATUS_SUCCESS)) {
1256 		hostapd_drv_sta_remove(hapd, sta->addr);
1257 		sta->added_unassoc = 0;
1258 	}
1259 	wpabuf_free(data);
1260 }
1261 
1262 
1263 /**
1264  * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1265  * @hapd: BSS data for the device initiating the authentication
1266  * @sta: the peer to which commit authentication frame is sent
1267  *
1268  * This function implements Init event handling (IEEE Std 802.11-2012,
1269  * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1270  * sta->sae structure should be initialized appropriately via a call to
1271  * sae_prepare_commit().
1272  */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1273 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1274 {
1275 	int ret;
1276 
1277 	if (!sta->sae || !sta->sae->tmp)
1278 		return -1;
1279 
1280 	if (sta->sae->state != SAE_NOTHING)
1281 		return -1;
1282 
1283 	ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1284 	if (ret)
1285 		return -1;
1286 
1287 	sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1288 	sta->sae->sync = 0;
1289 	sae_set_retransmit_timer(hapd, sta);
1290 
1291 	return 0;
1292 }
1293 
1294 
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1295 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1296 {
1297 	struct hostapd_data *hapd = eloop_ctx;
1298 	struct hostapd_sae_commit_queue *q;
1299 	unsigned int queue_len;
1300 
1301 	q = dl_list_first(&hapd->sae_commit_queue,
1302 			  struct hostapd_sae_commit_queue, list);
1303 	if (!q)
1304 		return;
1305 	wpa_printf(MSG_DEBUG,
1306 		   "SAE: Process next available message from queue");
1307 	dl_list_del(&q->list);
1308 	handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1309 		    q->rssi, 1);
1310 	os_free(q);
1311 
1312 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1313 		return;
1314 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1315 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1316 			       hapd, NULL);
1317 }
1318 
1319 
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1320 static void auth_sae_queue(struct hostapd_data *hapd,
1321 			   const struct ieee80211_mgmt *mgmt, size_t len,
1322 			   int rssi)
1323 {
1324 	struct hostapd_sae_commit_queue *q, *q2;
1325 	unsigned int queue_len;
1326 	const struct ieee80211_mgmt *mgmt2;
1327 
1328 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1329 	if (queue_len >= 15) {
1330 		wpa_printf(MSG_DEBUG,
1331 			   "SAE: No more room in message queue - drop the new frame from "
1332 			   MACSTR, MAC2STR(mgmt->sa));
1333 		return;
1334 	}
1335 
1336 	wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1337 		   MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1338 		   queue_len);
1339 	q = os_zalloc(sizeof(*q) + len);
1340 	if (!q)
1341 		return;
1342 	q->rssi = rssi;
1343 	q->len = len;
1344 	os_memcpy(q->msg, mgmt, len);
1345 
1346 	/* Check whether there is already a queued Authentication frame from the
1347 	 * same station with the same transaction number and if so, replace that
1348 	 * queue entry with the new one. This avoids issues with a peer that
1349 	 * sends multiple times (e.g., due to frequent SAE retries). There is no
1350 	 * point in us trying to process the old attempts after a new one has
1351 	 * obsoleted them. */
1352 	dl_list_for_each(q2, &hapd->sae_commit_queue,
1353 			 struct hostapd_sae_commit_queue, list) {
1354 		mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1355 		if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1356 		    mgmt->u.auth.auth_transaction ==
1357 		    mgmt2->u.auth.auth_transaction) {
1358 			wpa_printf(MSG_DEBUG,
1359 				   "SAE: Replace queued message from same STA with same transaction number");
1360 			dl_list_add(&q2->list, &q->list);
1361 			dl_list_del(&q2->list);
1362 			os_free(q2);
1363 			goto queued;
1364 		}
1365 	}
1366 
1367 	/* No pending identical entry, so add to the end of the queue */
1368 	dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1369 
1370 queued:
1371 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1372 		return;
1373 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1374 			       hapd, NULL);
1375 }
1376 
1377 
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1378 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1379 {
1380 	struct hostapd_sae_commit_queue *q;
1381 	const struct ieee80211_mgmt *mgmt;
1382 
1383 	dl_list_for_each(q, &hapd->sae_commit_queue,
1384 			 struct hostapd_sae_commit_queue, list) {
1385 		mgmt = (const struct ieee80211_mgmt *) q->msg;
1386 		if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1387 			return 1;
1388 	}
1389 
1390 	return 0;
1391 }
1392 
1393 #endif /* CONFIG_SAE */
1394 
1395 
wpa_res_to_status_code(int res)1396 static u16 wpa_res_to_status_code(int res)
1397 {
1398 	if (res == WPA_INVALID_GROUP)
1399 		return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1400 	if (res == WPA_INVALID_PAIRWISE)
1401 		return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1402 	if (res == WPA_INVALID_AKMP)
1403 		return WLAN_STATUS_AKMP_NOT_VALID;
1404 	if (res == WPA_ALLOC_FAIL)
1405 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1406 #ifdef CONFIG_IEEE80211W
1407 	if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1408 		return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1409 	if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1410 		return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1411 #endif /* CONFIG_IEEE80211W */
1412 	if (res == WPA_INVALID_MDIE)
1413 		return WLAN_STATUS_INVALID_MDIE;
1414 	if (res == WPA_INVALID_PMKID)
1415 		return WLAN_STATUS_INVALID_PMKID;
1416 	if (res != WPA_IE_OK)
1417 		return WLAN_STATUS_INVALID_IE;
1418 	return WLAN_STATUS_SUCCESS;
1419 }
1420 
1421 
1422 #ifdef CONFIG_FILS
1423 
1424 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1425 				    struct sta_info *sta, u16 resp,
1426 				    struct wpabuf *data, int pub);
1427 
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1428 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1429 		      const u8 *pos, size_t len, u16 auth_alg,
1430 		      u16 auth_transaction, u16 status_code,
1431 		      void (*cb)(struct hostapd_data *hapd,
1432 				 struct sta_info *sta, u16 resp,
1433 				 struct wpabuf *data, int pub))
1434 {
1435 	u16 resp = WLAN_STATUS_SUCCESS;
1436 	const u8 *end;
1437 	struct ieee802_11_elems elems;
1438 	int res;
1439 	struct wpa_ie_data rsn;
1440 	struct rsn_pmksa_cache_entry *pmksa = NULL;
1441 
1442 	if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1443 		return;
1444 
1445 	end = pos + len;
1446 
1447 	wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1448 		    pos, end - pos);
1449 
1450 	/* TODO: FILS PK */
1451 #ifdef CONFIG_FILS_SK_PFS
1452 	if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1453 		u16 group;
1454 		struct wpabuf *pub;
1455 		size_t elem_len;
1456 
1457 		/* Using FILS PFS */
1458 
1459 		/* Finite Cyclic Group */
1460 		if (end - pos < 2) {
1461 			wpa_printf(MSG_DEBUG,
1462 				   "FILS: No room for Finite Cyclic Group");
1463 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1464 			goto fail;
1465 		}
1466 		group = WPA_GET_LE16(pos);
1467 		pos += 2;
1468 		if (group != hapd->conf->fils_dh_group) {
1469 			wpa_printf(MSG_DEBUG,
1470 				   "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1471 				   group, hapd->conf->fils_dh_group);
1472 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1473 			goto fail;
1474 		}
1475 
1476 		crypto_ecdh_deinit(sta->fils_ecdh);
1477 		sta->fils_ecdh = crypto_ecdh_init(group);
1478 		if (!sta->fils_ecdh) {
1479 			wpa_printf(MSG_INFO,
1480 				   "FILS: Could not initialize ECDH with group %d",
1481 				   group);
1482 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1483 			goto fail;
1484 		}
1485 
1486 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1487 		if (!pub) {
1488 			wpa_printf(MSG_DEBUG,
1489 				   "FILS: Failed to derive ECDH public key");
1490 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1491 			goto fail;
1492 		}
1493 		elem_len = wpabuf_len(pub);
1494 		wpabuf_free(pub);
1495 
1496 		/* Element */
1497 		if ((size_t) (end - pos) < elem_len) {
1498 			wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1499 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1500 			goto fail;
1501 		}
1502 
1503 		wpabuf_free(sta->fils_g_sta);
1504 		sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1505 		wpabuf_clear_free(sta->fils_dh_ss);
1506 		sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1507 							  pos, elem_len);
1508 		if (!sta->fils_dh_ss) {
1509 			wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1510 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 			goto fail;
1512 		}
1513 		wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1514 		pos += elem_len;
1515 	} else {
1516 		crypto_ecdh_deinit(sta->fils_ecdh);
1517 		sta->fils_ecdh = NULL;
1518 		wpabuf_clear_free(sta->fils_dh_ss);
1519 		sta->fils_dh_ss = NULL;
1520 	}
1521 #endif /* CONFIG_FILS_SK_PFS */
1522 
1523 	wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1524 	if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1525 		wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1526 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1527 		goto fail;
1528 	}
1529 
1530 	/* RSNE */
1531 	wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1532 		    elems.rsn_ie, elems.rsn_ie_len);
1533 	if (!elems.rsn_ie ||
1534 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1535 				 &rsn) < 0) {
1536 		wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1537 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1538 		goto fail;
1539 	}
1540 
1541 	if (!sta->wpa_sm)
1542 		sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1543 						NULL);
1544 	if (!sta->wpa_sm) {
1545 		wpa_printf(MSG_DEBUG,
1546 			   "FILS: Failed to initialize RSN state machine");
1547 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1548 		goto fail;
1549 	}
1550 
1551 	res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1552 				  hapd->iface->freq,
1553 				  elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1554 				  elems.mdie, elems.mdie_len, NULL, 0);
1555 	resp = wpa_res_to_status_code(res);
1556 	if (resp != WLAN_STATUS_SUCCESS)
1557 		goto fail;
1558 
1559 	if (!elems.fils_nonce) {
1560 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1561 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1562 		goto fail;
1563 	}
1564 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1565 		    FILS_NONCE_LEN);
1566 	os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1567 
1568 	/* PMKID List */
1569 	if (rsn.pmkid && rsn.num_pmkid > 0) {
1570 		u8 num;
1571 		const u8 *pmkid;
1572 
1573 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1574 			    rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1575 
1576 		pmkid = rsn.pmkid;
1577 		num = rsn.num_pmkid;
1578 		while (num) {
1579 			wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1580 			pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1581 						   pmkid);
1582 			if (pmksa)
1583 				break;
1584 			pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1585 								 sta->addr,
1586 								 pmkid);
1587 			if (pmksa)
1588 				break;
1589 			pmkid += PMKID_LEN;
1590 			num--;
1591 		}
1592 	}
1593 	if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1594 		wpa_printf(MSG_DEBUG,
1595 			   "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1596 			   wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1597 		pmksa = NULL;
1598 	}
1599 	if (pmksa)
1600 		wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1601 
1602 	/* FILS Session */
1603 	if (!elems.fils_session) {
1604 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1605 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1606 		goto fail;
1607 	}
1608 	wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1609 		    FILS_SESSION_LEN);
1610 	os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1611 
1612 	/* FILS Wrapped Data */
1613 	if (elems.fils_wrapped_data) {
1614 		wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1615 			    elems.fils_wrapped_data,
1616 			    elems.fils_wrapped_data_len);
1617 		if (!pmksa) {
1618 #ifndef CONFIG_NO_RADIUS
1619 			if (!sta->eapol_sm) {
1620 				sta->eapol_sm =
1621 					ieee802_1x_alloc_eapol_sm(hapd, sta);
1622 			}
1623 			wpa_printf(MSG_DEBUG,
1624 				   "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1625 			ieee802_1x_encapsulate_radius(
1626 				hapd, sta, elems.fils_wrapped_data,
1627 				elems.fils_wrapped_data_len);
1628 			sta->fils_pending_cb = cb;
1629 			wpa_printf(MSG_DEBUG,
1630 				   "FILS: Will send Authentication frame once the response from authentication server is available");
1631 			sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1632 			/* Calculate pending PMKID here so that we do not need
1633 			 * to maintain a copy of the EAP-Initiate/Reauth
1634 			 * message. */
1635 			if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1636 					   elems.fils_wrapped_data,
1637 					   elems.fils_wrapped_data_len,
1638 					   sta->fils_erp_pmkid) == 0)
1639 				sta->fils_erp_pmkid_set = 1;
1640 			return;
1641 #else /* CONFIG_NO_RADIUS */
1642 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1643 			goto fail;
1644 #endif /* CONFIG_NO_RADIUS */
1645 		}
1646 	}
1647 
1648 fail:
1649 	if (cb) {
1650 		struct wpabuf *data;
1651 		int pub = 0;
1652 
1653 		data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1654 					      NULL, 0, &pub);
1655 		if (!data) {
1656 			wpa_printf(MSG_DEBUG,
1657 				   "%s: prepare_auth_resp_fils() returned failure",
1658 				   __func__);
1659 		}
1660 
1661 		cb(hapd, sta, resp, data, pub);
1662 	}
1663 }
1664 
1665 
1666 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1667 prepare_auth_resp_fils(struct hostapd_data *hapd,
1668 		       struct sta_info *sta, u16 *resp,
1669 		       struct rsn_pmksa_cache_entry *pmksa,
1670 		       struct wpabuf *erp_resp,
1671 		       const u8 *msk, size_t msk_len,
1672 		       int *is_pub)
1673 {
1674 	u8 fils_nonce[FILS_NONCE_LEN];
1675 	size_t ielen;
1676 	struct wpabuf *data = NULL;
1677 	const u8 *ie;
1678 	u8 *ie_buf = NULL;
1679 	const u8 *pmk = NULL;
1680 	size_t pmk_len = 0;
1681 	u8 pmk_buf[PMK_LEN_MAX];
1682 	struct wpabuf *pub = NULL;
1683 
1684 	if (*resp != WLAN_STATUS_SUCCESS)
1685 		goto fail;
1686 
1687 	ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1688 	if (!ie) {
1689 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1690 		goto fail;
1691 	}
1692 
1693 	if (pmksa) {
1694 		/* Add PMKID of the selected PMKSA into RSNE */
1695 		ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1696 		if (!ie_buf) {
1697 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1698 			goto fail;
1699 		}
1700 
1701 		os_memcpy(ie_buf, ie, ielen);
1702 		if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1703 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1704 			goto fail;
1705 		}
1706 		ie = ie_buf;
1707 	}
1708 
1709 	if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1710 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1711 		goto fail;
1712 	}
1713 	wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1714 		    fils_nonce, FILS_NONCE_LEN);
1715 
1716 #ifdef CONFIG_FILS_SK_PFS
1717 	if (sta->fils_dh_ss && sta->fils_ecdh) {
1718 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1719 		if (!pub) {
1720 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1721 			goto fail;
1722 		}
1723 	}
1724 #endif /* CONFIG_FILS_SK_PFS */
1725 
1726 	data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1727 	if (!data) {
1728 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1729 		goto fail;
1730 	}
1731 
1732 	/* TODO: FILS PK */
1733 #ifdef CONFIG_FILS_SK_PFS
1734 	if (pub) {
1735 		/* Finite Cyclic Group */
1736 		wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1737 
1738 		/* Element */
1739 		wpabuf_put_buf(data, pub);
1740 	}
1741 #endif /* CONFIG_FILS_SK_PFS */
1742 
1743 	/* RSNE */
1744 	wpabuf_put_data(data, ie, ielen);
1745 
1746 	/* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1747 
1748 #ifdef CONFIG_IEEE80211R_AP
1749 	if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1750 		/* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1751 		int res;
1752 		int use_sha384 = wpa_key_mgmt_sha384(
1753 			wpa_auth_sta_key_mgmt(sta->wpa_sm));
1754 
1755 		res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1756 					 wpabuf_put(data, 0),
1757 					 wpabuf_tailroom(data));
1758 		if (res < 0) {
1759 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1760 			goto fail;
1761 		}
1762 		wpabuf_put(data, res);
1763 	}
1764 #endif /* CONFIG_IEEE80211R_AP */
1765 
1766 	/* FILS Nonce */
1767 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1768 	wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1769 	/* Element ID Extension */
1770 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1771 	wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1772 
1773 	/* FILS Session */
1774 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1775 	wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1776 	/* Element ID Extension */
1777 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1778 	wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1779 
1780 	/* FILS Wrapped Data */
1781 	if (!pmksa && erp_resp) {
1782 		wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1783 		wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1784 		/* Element ID Extension */
1785 		wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1786 		wpabuf_put_buf(data, erp_resp);
1787 
1788 		if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1789 				     msk, msk_len, sta->fils_snonce, fils_nonce,
1790 				     sta->fils_dh_ss ?
1791 				     wpabuf_head(sta->fils_dh_ss) : NULL,
1792 				     sta->fils_dh_ss ?
1793 				     wpabuf_len(sta->fils_dh_ss) : 0,
1794 				     pmk_buf, &pmk_len)) {
1795 			wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1796 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1797 			wpabuf_free(data);
1798 			data = NULL;
1799 			goto fail;
1800 		}
1801 		pmk = pmk_buf;
1802 
1803 		/* Don't use DHss in PTK derivation if PMKSA caching is not
1804 		 * used. */
1805 		wpabuf_clear_free(sta->fils_dh_ss);
1806 		sta->fils_dh_ss = NULL;
1807 
1808 		if (sta->fils_erp_pmkid_set) {
1809 			/* TODO: get PMKLifetime from WPA parameters */
1810 			unsigned int dot11RSNAConfigPMKLifetime = 43200;
1811 			int session_timeout;
1812 
1813 			session_timeout = dot11RSNAConfigPMKLifetime;
1814 			if (sta->session_timeout_set) {
1815 				struct os_reltime now, diff;
1816 
1817 				os_get_reltime(&now);
1818 				os_reltime_sub(&sta->session_timeout, &now,
1819 					       &diff);
1820 				session_timeout = diff.sec;
1821 			}
1822 
1823 			sta->fils_erp_pmkid_set = 0;
1824 			if (!hapd->conf->disable_pmksa_caching &&
1825 			    wpa_auth_pmksa_add2(
1826 				    hapd->wpa_auth, sta->addr,
1827 				    pmk, pmk_len,
1828 				    sta->fils_erp_pmkid,
1829 				    session_timeout,
1830 				    wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1831 				wpa_printf(MSG_ERROR,
1832 					   "FILS: Failed to add PMKSA cache entry based on ERP");
1833 			}
1834 		}
1835 	} else if (pmksa) {
1836 		pmk = pmksa->pmk;
1837 		pmk_len = pmksa->pmk_len;
1838 	}
1839 
1840 	if (!pmk) {
1841 		wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1842 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1843 		wpabuf_free(data);
1844 		data = NULL;
1845 		goto fail;
1846 	}
1847 
1848 	if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1849 				 sta->fils_snonce, fils_nonce,
1850 				 sta->fils_dh_ss ?
1851 				 wpabuf_head(sta->fils_dh_ss) : NULL,
1852 				 sta->fils_dh_ss ?
1853 				 wpabuf_len(sta->fils_dh_ss) : 0,
1854 				 sta->fils_g_sta, pub) < 0) {
1855 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1856 		wpabuf_free(data);
1857 		data = NULL;
1858 		goto fail;
1859 	}
1860 
1861 fail:
1862 	if (is_pub)
1863 		*is_pub = pub != NULL;
1864 	os_free(ie_buf);
1865 	wpabuf_free(pub);
1866 	wpabuf_clear_free(sta->fils_dh_ss);
1867 	sta->fils_dh_ss = NULL;
1868 #ifdef CONFIG_FILS_SK_PFS
1869 	crypto_ecdh_deinit(sta->fils_ecdh);
1870 	sta->fils_ecdh = NULL;
1871 #endif /* CONFIG_FILS_SK_PFS */
1872 	return data;
1873 }
1874 
1875 
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)1876 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1877 				    struct sta_info *sta, u16 resp,
1878 				    struct wpabuf *data, int pub)
1879 {
1880 	u16 auth_alg;
1881 
1882 	auth_alg = (pub ||
1883 		    resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1884 		WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1885 	send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1886 			data ? wpabuf_head(data) : (u8 *) "",
1887 			data ? wpabuf_len(data) : 0, "auth-fils-finish");
1888 	wpabuf_free(data);
1889 
1890 	if (resp == WLAN_STATUS_SUCCESS) {
1891 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1892 			       HOSTAPD_LEVEL_DEBUG,
1893 			       "authentication OK (FILS)");
1894 		sta->flags |= WLAN_STA_AUTH;
1895 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1896 		sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1897 		mlme_authenticate_indication(hapd, sta);
1898 	}
1899 }
1900 
1901 
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)1902 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1903 				 struct sta_info *sta, int success,
1904 				 struct wpabuf *erp_resp,
1905 				 const u8 *msk, size_t msk_len)
1906 {
1907 	struct wpabuf *data;
1908 	int pub = 0;
1909 	u16 resp;
1910 
1911 	sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1912 
1913 	if (!sta->fils_pending_cb)
1914 		return;
1915 	resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1916 	data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1917 				      msk, msk_len, &pub);
1918 	if (!data) {
1919 		wpa_printf(MSG_DEBUG,
1920 			   "%s: prepare_auth_resp_fils() returned failure",
1921 			   __func__);
1922 	}
1923 	sta->fils_pending_cb(hapd, sta, resp, data, pub);
1924 }
1925 
1926 #endif /* CONFIG_FILS */
1927 
1928 
1929 int
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,u32 * session_timeout,u32 * acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui,int is_probe_req)1930 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1931 			   const u8 *msg, size_t len, u32 *session_timeout,
1932 			   u32 *acct_interim_interval,
1933 			   struct vlan_description *vlan_id,
1934 			   struct hostapd_sta_wpa_psk_short **psk,
1935 			   char **identity, char **radius_cui, int is_probe_req)
1936 {
1937 	int res;
1938 
1939 	os_memset(vlan_id, 0, sizeof(*vlan_id));
1940 	res = hostapd_allowed_address(hapd, addr, msg, len,
1941 				      session_timeout, acct_interim_interval,
1942 				      vlan_id, psk, identity, radius_cui,
1943 				      is_probe_req);
1944 
1945 	if (res == HOSTAPD_ACL_REJECT) {
1946 		if (!is_probe_req)
1947 			wpa_printf(MSG_DEBUG,
1948 				   "Station " MACSTR
1949 				   " not allowed to authenticate",
1950 				   MAC2STR(addr));
1951 		return HOSTAPD_ACL_REJECT;
1952 	}
1953 
1954 	if (res == HOSTAPD_ACL_PENDING) {
1955 		wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1956 			   " waiting for an external authentication",
1957 			   MAC2STR(addr));
1958 		/* Authentication code will re-send the authentication frame
1959 		 * after it has received (and cached) information from the
1960 		 * external source. */
1961 		return HOSTAPD_ACL_PENDING;
1962 	}
1963 
1964 	return res;
1965 }
1966 
1967 
1968 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,u32 session_timeout,u32 acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui)1969 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1970 			   int res, u32 session_timeout,
1971 			   u32 acct_interim_interval,
1972 			   struct vlan_description *vlan_id,
1973 			   struct hostapd_sta_wpa_psk_short **psk,
1974 			   char **identity, char **radius_cui)
1975 {
1976 	if (vlan_id->notempty &&
1977 	    !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1978 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1979 			       HOSTAPD_LEVEL_INFO,
1980 			       "Invalid VLAN %d%s received from RADIUS server",
1981 			       vlan_id->untagged,
1982 			       vlan_id->tagged[0] ? "+" : "");
1983 		return -1;
1984 	}
1985 	if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1986 		return -1;
1987 	if (sta->vlan_id)
1988 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1989 			       HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1990 
1991 	hostapd_free_psk_list(sta->psk);
1992 	if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
1993 		sta->psk = *psk;
1994 		*psk = NULL;
1995 	} else {
1996 		sta->psk = NULL;
1997 	}
1998 
1999 	os_free(sta->identity);
2000 	sta->identity = *identity;
2001 	*identity = NULL;
2002 
2003 	os_free(sta->radius_cui);
2004 	sta->radius_cui = *radius_cui;
2005 	*radius_cui = NULL;
2006 
2007 	if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2008 		sta->acct_interim_interval = acct_interim_interval;
2009 	if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2010 		sta->session_timeout_set = 1;
2011 		os_get_reltime(&sta->session_timeout);
2012 		sta->session_timeout.sec += session_timeout;
2013 		ap_sta_session_timeout(hapd, sta, session_timeout);
2014 	} else {
2015 		sta->session_timeout_set = 0;
2016 		ap_sta_no_session_timeout(hapd, sta);
2017 	}
2018 
2019 	return 0;
2020 }
2021 
2022 
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)2023 static void handle_auth(struct hostapd_data *hapd,
2024 			const struct ieee80211_mgmt *mgmt, size_t len,
2025 			int rssi, int from_queue)
2026 {
2027 	u16 auth_alg, auth_transaction, status_code;
2028 	u16 resp = WLAN_STATUS_SUCCESS;
2029 	struct sta_info *sta = NULL;
2030 	int res, reply_res;
2031 	u16 fc;
2032 	const u8 *challenge = NULL;
2033 	u32 session_timeout, acct_interim_interval;
2034 	struct vlan_description vlan_id;
2035 	struct hostapd_sta_wpa_psk_short *psk = NULL;
2036 	u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2037 	size_t resp_ies_len = 0;
2038 	char *identity = NULL;
2039 	char *radius_cui = NULL;
2040 	u16 seq_ctrl;
2041 
2042 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2043 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2044 			   (unsigned long) len);
2045 		return;
2046 	}
2047 
2048 #ifdef CONFIG_TESTING_OPTIONS
2049 	if (hapd->iconf->ignore_auth_probability > 0.0 &&
2050 	    drand48() < hapd->iconf->ignore_auth_probability) {
2051 		wpa_printf(MSG_INFO,
2052 			   "TESTING: ignoring auth frame from " MACSTR,
2053 			   MAC2STR(mgmt->sa));
2054 		return;
2055 	}
2056 #endif /* CONFIG_TESTING_OPTIONS */
2057 
2058 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2059 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2060 	status_code = le_to_host16(mgmt->u.auth.status_code);
2061 	fc = le_to_host16(mgmt->frame_control);
2062 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2063 
2064 	if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2065 	    2 + WLAN_AUTH_CHALLENGE_LEN &&
2066 	    mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2067 	    mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2068 		challenge = &mgmt->u.auth.variable[2];
2069 
2070 	wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2071 		   "auth_transaction=%d status_code=%d wep=%d%s "
2072 		   "seq_ctrl=0x%x%s%s",
2073 		   MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2074 		   status_code, !!(fc & WLAN_FC_ISWEP),
2075 		   challenge ? " challenge" : "",
2076 		   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2077 		   from_queue ? " (from queue)" : "");
2078 
2079 #ifdef CONFIG_NO_RC4
2080 	if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2081 		wpa_printf(MSG_INFO,
2082 			   "Unsupported authentication algorithm (%d)",
2083 			   auth_alg);
2084 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2085 		goto fail;
2086 	}
2087 #endif /* CONFIG_NO_RC4 */
2088 
2089 	if (hapd->tkip_countermeasures) {
2090 		wpa_printf(MSG_DEBUG,
2091 			   "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2092 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2093 		goto fail;
2094 	}
2095 
2096 	if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2097 	       auth_alg == WLAN_AUTH_OPEN) ||
2098 #ifdef CONFIG_IEEE80211R_AP
2099 	      (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2100 	       auth_alg == WLAN_AUTH_FT) ||
2101 #endif /* CONFIG_IEEE80211R_AP */
2102 #ifdef CONFIG_SAE
2103 	      (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2104 	       auth_alg == WLAN_AUTH_SAE) ||
2105 #endif /* CONFIG_SAE */
2106 #ifdef CONFIG_FILS
2107 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2108 	       auth_alg == WLAN_AUTH_FILS_SK) ||
2109 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2110 	       hapd->conf->fils_dh_group &&
2111 	       auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2112 #endif /* CONFIG_FILS */
2113 	      ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2114 	       auth_alg == WLAN_AUTH_SHARED_KEY))) {
2115 		wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2116 			   auth_alg);
2117 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2118 		goto fail;
2119 	}
2120 
2121 	if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2122 	      (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2123 		wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2124 			   auth_transaction);
2125 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2126 		goto fail;
2127 	}
2128 
2129 	if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2130 		wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2131 			   MAC2STR(mgmt->sa));
2132 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2133 		goto fail;
2134 	}
2135 
2136 	if (hapd->conf->no_auth_if_seen_on) {
2137 		struct hostapd_data *other;
2138 
2139 		other = sta_track_seen_on(hapd->iface, mgmt->sa,
2140 					  hapd->conf->no_auth_if_seen_on);
2141 		if (other) {
2142 			u8 *pos;
2143 			u32 info;
2144 			u8 op_class, channel, phytype;
2145 
2146 			wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2147 				   MACSTR " since STA has been seen on %s",
2148 				   hapd->conf->iface, MAC2STR(mgmt->sa),
2149 				   hapd->conf->no_auth_if_seen_on);
2150 
2151 			resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2152 			pos = &resp_ies[0];
2153 			*pos++ = WLAN_EID_NEIGHBOR_REPORT;
2154 			*pos++ = 13;
2155 			os_memcpy(pos, other->own_addr, ETH_ALEN);
2156 			pos += ETH_ALEN;
2157 			info = 0; /* TODO: BSSID Information */
2158 			WPA_PUT_LE32(pos, info);
2159 			pos += 4;
2160 			if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2161 				phytype = 8; /* dmg */
2162 			else if (other->iconf->ieee80211ac)
2163 				phytype = 9; /* vht */
2164 			else if (other->iconf->ieee80211n)
2165 				phytype = 7; /* ht */
2166 			else if (other->iconf->hw_mode ==
2167 				 HOSTAPD_MODE_IEEE80211A)
2168 				phytype = 4; /* ofdm */
2169 			else if (other->iconf->hw_mode ==
2170 				 HOSTAPD_MODE_IEEE80211G)
2171 				phytype = 6; /* erp */
2172 			else
2173 				phytype = 5; /* hrdsss */
2174 			if (ieee80211_freq_to_channel_ext(
2175 				    hostapd_hw_get_freq(other,
2176 							other->iconf->channel),
2177 				    other->iconf->secondary_channel,
2178 				    other->iconf->ieee80211ac,
2179 				    &op_class, &channel) == NUM_HOSTAPD_MODES) {
2180 				op_class = 0;
2181 				channel = other->iconf->channel;
2182 			}
2183 			*pos++ = op_class;
2184 			*pos++ = channel;
2185 			*pos++ = phytype;
2186 			resp_ies_len = pos - &resp_ies[0];
2187 			goto fail;
2188 		}
2189 	}
2190 
2191 	res = ieee802_11_allowed_address(
2192 		hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
2193 		&acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui,
2194 		0);
2195 	if (res == HOSTAPD_ACL_REJECT) {
2196 		wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2197 			"Ignore Authentication frame from " MACSTR
2198 			" due to ACL reject", MAC2STR(mgmt->sa));
2199 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2200 		goto fail;
2201 	}
2202 	if (res == HOSTAPD_ACL_PENDING)
2203 		return;
2204 
2205 #ifdef CONFIG_SAE
2206 	if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2207 	    (auth_transaction == 1 ||
2208 	     (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2209 		/* Handle SAE Authentication commit message through a queue to
2210 		 * provide more control for postponing the needed heavy
2211 		 * processing under a possible DoS attack scenario. In addition,
2212 		 * queue SAE Authentication confirm message if there happens to
2213 		 * be a queued commit message from the same peer. This is needed
2214 		 * to avoid reordering Authentication frames within the same
2215 		 * SAE exchange. */
2216 		auth_sae_queue(hapd, mgmt, len, rssi);
2217 		return;
2218 	}
2219 #endif /* CONFIG_SAE */
2220 
2221 	sta = ap_get_sta(hapd, mgmt->sa);
2222 	if (sta) {
2223 		sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2224 		sta->ft_over_ds = 0;
2225 		if ((fc & WLAN_FC_RETRY) &&
2226 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2227 		    sta->last_seq_ctrl == seq_ctrl &&
2228 		    sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2229 			hostapd_logger(hapd, sta->addr,
2230 				       HOSTAPD_MODULE_IEEE80211,
2231 				       HOSTAPD_LEVEL_DEBUG,
2232 				       "Drop repeated authentication frame seq_ctrl=0x%x",
2233 				       seq_ctrl);
2234 			return;
2235 		}
2236 #ifdef CONFIG_MESH
2237 		if ((hapd->conf->mesh & MESH_ENABLED) &&
2238 		    sta->plink_state == PLINK_BLOCKED) {
2239 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2240 				   " is blocked - drop Authentication frame",
2241 				   MAC2STR(mgmt->sa));
2242 			return;
2243 		}
2244 #endif /* CONFIG_MESH */
2245 	} else {
2246 #ifdef CONFIG_MESH
2247 		if (hapd->conf->mesh & MESH_ENABLED) {
2248 			/* if the mesh peer is not available, we don't do auth.
2249 			 */
2250 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2251 				   " not yet known - drop Authentication frame",
2252 				   MAC2STR(mgmt->sa));
2253 			/*
2254 			 * Save a copy of the frame so that it can be processed
2255 			 * if a new peer entry is added shortly after this.
2256 			 */
2257 			wpabuf_free(hapd->mesh_pending_auth);
2258 			hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2259 			os_get_reltime(&hapd->mesh_pending_auth_time);
2260 			return;
2261 		}
2262 #endif /* CONFIG_MESH */
2263 
2264 		sta = ap_sta_add(hapd, mgmt->sa);
2265 		if (!sta) {
2266 			wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2267 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2268 			goto fail;
2269 		}
2270 	}
2271 	sta->last_seq_ctrl = seq_ctrl;
2272 	sta->last_subtype = WLAN_FC_STYPE_AUTH;
2273 #ifdef CONFIG_MBO
2274 	sta->auth_rssi = rssi;
2275 #endif /* CONFIG_MBO */
2276 
2277 	res = ieee802_11_set_radius_info(
2278 		hapd, sta, res, session_timeout, acct_interim_interval,
2279 		&vlan_id, &psk, &identity, &radius_cui);
2280 	if (res) {
2281 		wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2282 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2283 		goto fail;
2284 	}
2285 
2286 	sta->flags &= ~WLAN_STA_PREAUTH;
2287 	ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2288 
2289 	/*
2290 	 * If the driver supports full AP client state, add a station to the
2291 	 * driver before sending authentication reply to make sure the driver
2292 	 * has resources, and not to go through the entire authentication and
2293 	 * association handshake, and fail it at the end.
2294 	 *
2295 	 * If this is not the first transaction, in a multi-step authentication
2296 	 * algorithm, the station already exists in the driver
2297 	 * (sta->added_unassoc = 1) so skip it.
2298 	 *
2299 	 * In mesh mode, the station was already added to the driver when the
2300 	 * NEW_PEER_CANDIDATE event is received.
2301 	 *
2302 	 * If PMF was negotiated for the existing association, skip this to
2303 	 * avoid dropping the STA entry and the associated keys. This is needed
2304 	 * to allow the original connection work until the attempt can complete
2305 	 * (re)association, so that unprotected Authentication frame cannot be
2306 	 * used to bypass PMF protection.
2307 	 */
2308 	if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2309 	    (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2310 	    !(hapd->conf->mesh & MESH_ENABLED) &&
2311 	    !(sta->added_unassoc)) {
2312 		/*
2313 		 * If a station that is already associated to the AP, is trying
2314 		 * to authenticate again, remove the STA entry, in order to make
2315 		 * sure the STA PS state gets cleared and configuration gets
2316 		 * updated. To handle this, station's added_unassoc flag is
2317 		 * cleared once the station has completed association.
2318 		 */
2319 		ap_sta_set_authorized(hapd, sta, 0);
2320 		hostapd_drv_sta_remove(hapd, sta->addr);
2321 		sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2322 				WLAN_STA_AUTHORIZED);
2323 
2324 		if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
2325 				    NULL, NULL, sta->flags, 0, 0, 0, 0)) {
2326 			hostapd_logger(hapd, sta->addr,
2327 				       HOSTAPD_MODULE_IEEE80211,
2328 				       HOSTAPD_LEVEL_NOTICE,
2329 				       "Could not add STA to kernel driver");
2330 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2331 			goto fail;
2332 		}
2333 
2334 		sta->added_unassoc = 1;
2335 	}
2336 
2337 	switch (auth_alg) {
2338 	case WLAN_AUTH_OPEN:
2339 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2340 			       HOSTAPD_LEVEL_DEBUG,
2341 			       "authentication OK (open system)");
2342 		sta->flags |= WLAN_STA_AUTH;
2343 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2344 		sta->auth_alg = WLAN_AUTH_OPEN;
2345 		mlme_authenticate_indication(hapd, sta);
2346 		break;
2347 #ifndef CONFIG_NO_RC4
2348 	case WLAN_AUTH_SHARED_KEY:
2349 		resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2350 				       fc & WLAN_FC_ISWEP);
2351 		if (resp != 0)
2352 			wpa_printf(MSG_DEBUG,
2353 				   "auth_shared_key() failed: status=%d", resp);
2354 		sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2355 		mlme_authenticate_indication(hapd, sta);
2356 		if (sta->challenge && auth_transaction == 1) {
2357 			resp_ies[0] = WLAN_EID_CHALLENGE;
2358 			resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2359 			os_memcpy(resp_ies + 2, sta->challenge,
2360 				  WLAN_AUTH_CHALLENGE_LEN);
2361 			resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2362 		}
2363 		break;
2364 #endif /* CONFIG_NO_RC4 */
2365 #ifdef CONFIG_IEEE80211R_AP
2366 	case WLAN_AUTH_FT:
2367 		sta->auth_alg = WLAN_AUTH_FT;
2368 		if (sta->wpa_sm == NULL)
2369 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2370 							sta->addr, NULL);
2371 		if (sta->wpa_sm == NULL) {
2372 			wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2373 				   "state machine");
2374 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2375 			goto fail;
2376 		}
2377 		wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2378 				    auth_transaction, mgmt->u.auth.variable,
2379 				    len - IEEE80211_HDRLEN -
2380 				    sizeof(mgmt->u.auth),
2381 				    handle_auth_ft_finish, hapd);
2382 		/* handle_auth_ft_finish() callback will complete auth. */
2383 		return;
2384 #endif /* CONFIG_IEEE80211R_AP */
2385 #ifdef CONFIG_SAE
2386 	case WLAN_AUTH_SAE:
2387 #ifdef CONFIG_MESH
2388 		if (status_code == WLAN_STATUS_SUCCESS &&
2389 		    hapd->conf->mesh & MESH_ENABLED) {
2390 			if (sta->wpa_sm == NULL)
2391 				sta->wpa_sm =
2392 					wpa_auth_sta_init(hapd->wpa_auth,
2393 							  sta->addr, NULL);
2394 			if (sta->wpa_sm == NULL) {
2395 				wpa_printf(MSG_DEBUG,
2396 					   "SAE: Failed to initialize WPA state machine");
2397 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2398 				goto fail;
2399 			}
2400 		}
2401 #endif /* CONFIG_MESH */
2402 		handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2403 				status_code);
2404 		return;
2405 #endif /* CONFIG_SAE */
2406 #ifdef CONFIG_FILS
2407 	case WLAN_AUTH_FILS_SK:
2408 	case WLAN_AUTH_FILS_SK_PFS:
2409 		handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2410 				 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2411 				 auth_alg, auth_transaction, status_code,
2412 				 handle_auth_fils_finish);
2413 		return;
2414 #endif /* CONFIG_FILS */
2415 	}
2416 
2417  fail:
2418 	os_free(identity);
2419 	os_free(radius_cui);
2420 	hostapd_free_psk_list(psk);
2421 
2422 	reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2423 				    auth_transaction + 1, resp, resp_ies,
2424 				    resp_ies_len, "handle-auth");
2425 
2426 	if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2427 					  reply_res != WLAN_STATUS_SUCCESS)) {
2428 		hostapd_drv_sta_remove(hapd, sta->addr);
2429 		sta->added_unassoc = 0;
2430 	}
2431 }
2432 
2433 
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)2434 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2435 {
2436 	int i, j = 32, aid;
2437 
2438 	/* get a unique AID */
2439 	if (sta->aid > 0) {
2440 		wpa_printf(MSG_DEBUG, "  old AID %d", sta->aid);
2441 		return 0;
2442 	}
2443 
2444 	if (TEST_FAIL())
2445 		return -1;
2446 
2447 	for (i = 0; i < AID_WORDS; i++) {
2448 		if (hapd->sta_aid[i] == (u32) -1)
2449 			continue;
2450 		for (j = 0; j < 32; j++) {
2451 			if (!(hapd->sta_aid[i] & BIT(j)))
2452 				break;
2453 		}
2454 		if (j < 32)
2455 			break;
2456 	}
2457 	if (j == 32)
2458 		return -1;
2459 	aid = i * 32 + j + 1;
2460 	if (aid > 2007)
2461 		return -1;
2462 
2463 	sta->aid = aid;
2464 	hapd->sta_aid[i] |= BIT(j);
2465 	wpa_printf(MSG_DEBUG, "  new AID %d", sta->aid);
2466 	return 0;
2467 }
2468 
2469 
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)2470 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2471 		      const u8 *ssid_ie, size_t ssid_ie_len)
2472 {
2473 	if (ssid_ie == NULL)
2474 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2475 
2476 	if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2477 	    os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2478 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2479 			       HOSTAPD_LEVEL_INFO,
2480 			       "Station tried to associate with unknown SSID "
2481 			       "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2482 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2483 	}
2484 
2485 	return WLAN_STATUS_SUCCESS;
2486 }
2487 
2488 
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)2489 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2490 		     const u8 *wmm_ie, size_t wmm_ie_len)
2491 {
2492 	sta->flags &= ~WLAN_STA_WMM;
2493 	sta->qosinfo = 0;
2494 	if (wmm_ie && hapd->conf->wmm_enabled) {
2495 		struct wmm_information_element *wmm;
2496 
2497 		if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2498 			hostapd_logger(hapd, sta->addr,
2499 				       HOSTAPD_MODULE_WPA,
2500 				       HOSTAPD_LEVEL_DEBUG,
2501 				       "invalid WMM element in association "
2502 				       "request");
2503 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
2504 		}
2505 
2506 		sta->flags |= WLAN_STA_WMM;
2507 		wmm = (struct wmm_information_element *) wmm_ie;
2508 		sta->qosinfo = wmm->qos_info;
2509 	}
2510 	return WLAN_STATUS_SUCCESS;
2511 }
2512 
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)2513 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2514 			  const u8 *multi_ap_ie, size_t multi_ap_len)
2515 {
2516 	u8 multi_ap_value = 0;
2517 
2518 	sta->flags &= ~WLAN_STA_MULTI_AP;
2519 
2520 	if (!hapd->conf->multi_ap)
2521 		return WLAN_STATUS_SUCCESS;
2522 
2523 	if (multi_ap_ie) {
2524 		const u8 *multi_ap_subelem;
2525 
2526 		multi_ap_subelem = get_ie(multi_ap_ie + 4,
2527 					  multi_ap_len - 4,
2528 					  MULTI_AP_SUB_ELEM_TYPE);
2529 		if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2530 			multi_ap_value = multi_ap_subelem[2];
2531 		} else {
2532 			hostapd_logger(hapd, sta->addr,
2533 				       HOSTAPD_MODULE_IEEE80211,
2534 				       HOSTAPD_LEVEL_INFO,
2535 				       "Multi-AP IE has missing or invalid Multi-AP subelement");
2536 			return WLAN_STATUS_INVALID_IE;
2537 		}
2538 	}
2539 
2540 	if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2541 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2542 			       HOSTAPD_LEVEL_INFO,
2543 			       "Multi-AP IE with unexpected value 0x%02x",
2544 			       multi_ap_value);
2545 
2546 	if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2547 		if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2548 			return WLAN_STATUS_SUCCESS;
2549 
2550 		hostapd_logger(hapd, sta->addr,
2551 			       HOSTAPD_MODULE_IEEE80211,
2552 			       HOSTAPD_LEVEL_INFO,
2553 			       "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2554 		return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2555 	}
2556 
2557 	if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2558 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2559 			       HOSTAPD_LEVEL_DEBUG,
2560 			       "Backhaul STA tries to associate with fronthaul-only BSS");
2561 
2562 	sta->flags |= WLAN_STA_MULTI_AP;
2563 	return WLAN_STATUS_SUCCESS;
2564 }
2565 
2566 
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)2567 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2568 			   struct ieee802_11_elems *elems)
2569 {
2570 	/* Supported rates not used in IEEE 802.11ad/DMG */
2571 	if (hapd->iface->current_mode &&
2572 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2573 		return WLAN_STATUS_SUCCESS;
2574 
2575 	if (!elems->supp_rates) {
2576 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2577 			       HOSTAPD_LEVEL_DEBUG,
2578 			       "No supported rates element in AssocReq");
2579 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2580 	}
2581 
2582 	if (elems->supp_rates_len + elems->ext_supp_rates_len >
2583 	    sizeof(sta->supported_rates)) {
2584 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2585 			       HOSTAPD_LEVEL_DEBUG,
2586 			       "Invalid supported rates element length %d+%d",
2587 			       elems->supp_rates_len,
2588 			       elems->ext_supp_rates_len);
2589 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2590 	}
2591 
2592 	sta->supported_rates_len = merge_byte_arrays(
2593 		sta->supported_rates, sizeof(sta->supported_rates),
2594 		elems->supp_rates, elems->supp_rates_len,
2595 		elems->ext_supp_rates, elems->ext_supp_rates_len);
2596 
2597 	return WLAN_STATUS_SUCCESS;
2598 }
2599 
2600 
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)2601 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2602 			   const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2603 {
2604 #ifdef CONFIG_INTERWORKING
2605 	/* check for QoS Map support */
2606 	if (ext_capab_ie_len >= 5) {
2607 		if (ext_capab_ie[4] & 0x01)
2608 			sta->qos_map_enabled = 1;
2609 	}
2610 #endif /* CONFIG_INTERWORKING */
2611 
2612 	if (ext_capab_ie_len > 0) {
2613 		sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2614 		os_free(sta->ext_capability);
2615 		sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2616 		if (sta->ext_capability) {
2617 			sta->ext_capability[0] = ext_capab_ie_len;
2618 			os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2619 				  ext_capab_ie_len);
2620 		}
2621 	}
2622 
2623 	return WLAN_STATUS_SUCCESS;
2624 }
2625 
2626 
2627 #ifdef CONFIG_OWE
2628 
owe_group_supported(struct hostapd_data * hapd,u16 group)2629 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2630 {
2631 	int i;
2632 	int *groups = hapd->conf->owe_groups;
2633 
2634 	if (group != 19 && group != 20 && group != 21)
2635 		return 0;
2636 
2637 	if (!groups)
2638 		return 1;
2639 
2640 	for (i = 0; groups[i] > 0; i++) {
2641 		if (groups[i] == group)
2642 			return 1;
2643 	}
2644 
2645 	return 0;
2646 }
2647 
2648 
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)2649 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2650 				 struct sta_info *sta, const u8 *owe_dh,
2651 				 u8 owe_dh_len)
2652 {
2653 	struct wpabuf *secret, *pub, *hkey;
2654 	int res;
2655 	u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2656 	const char *info = "OWE Key Generation";
2657 	const u8 *addr[2];
2658 	size_t len[2];
2659 	u16 group;
2660 	size_t hash_len, prime_len;
2661 
2662 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2663 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2664 		return WLAN_STATUS_SUCCESS;
2665 	}
2666 
2667 	group = WPA_GET_LE16(owe_dh);
2668 	if (!owe_group_supported(hapd, group)) {
2669 		wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2670 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2671 	}
2672 	if (group == 19)
2673 		prime_len = 32;
2674 	else if (group == 20)
2675 		prime_len = 48;
2676 	else if (group == 21)
2677 		prime_len = 66;
2678 	else
2679 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2680 
2681 	crypto_ecdh_deinit(sta->owe_ecdh);
2682 	sta->owe_ecdh = crypto_ecdh_init(group);
2683 	if (!sta->owe_ecdh)
2684 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2685 	sta->owe_group = group;
2686 
2687 	secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2688 					 owe_dh_len - 2);
2689 	secret = wpabuf_zeropad(secret, prime_len);
2690 	if (!secret) {
2691 		wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2692 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2693 	}
2694 	wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2695 
2696 	/* prk = HKDF-extract(C | A | group, z) */
2697 
2698 	pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2699 	if (!pub) {
2700 		wpabuf_clear_free(secret);
2701 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2702 	}
2703 
2704 	/* PMKID = Truncate-128(Hash(C | A)) */
2705 	addr[0] = owe_dh + 2;
2706 	len[0] = owe_dh_len - 2;
2707 	addr[1] = wpabuf_head(pub);
2708 	len[1] = wpabuf_len(pub);
2709 	if (group == 19) {
2710 		res = sha256_vector(2, addr, len, pmkid);
2711 		hash_len = SHA256_MAC_LEN;
2712 	} else if (group == 20) {
2713 		res = sha384_vector(2, addr, len, pmkid);
2714 		hash_len = SHA384_MAC_LEN;
2715 	} else if (group == 21) {
2716 		res = sha512_vector(2, addr, len, pmkid);
2717 		hash_len = SHA512_MAC_LEN;
2718 	} else {
2719 		wpabuf_free(pub);
2720 		wpabuf_clear_free(secret);
2721 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2722 	}
2723 	pub = wpabuf_zeropad(pub, prime_len);
2724 	if (res < 0 || !pub) {
2725 		wpabuf_free(pub);
2726 		wpabuf_clear_free(secret);
2727 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2728 	}
2729 
2730 	hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2731 	if (!hkey) {
2732 		wpabuf_free(pub);
2733 		wpabuf_clear_free(secret);
2734 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2735 	}
2736 
2737 	wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2738 	wpabuf_put_buf(hkey, pub); /* A */
2739 	wpabuf_free(pub);
2740 	wpabuf_put_le16(hkey, group); /* group */
2741 	if (group == 19)
2742 		res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2743 				  wpabuf_head(secret), wpabuf_len(secret), prk);
2744 	else if (group == 20)
2745 		res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2746 				  wpabuf_head(secret), wpabuf_len(secret), prk);
2747 	else if (group == 21)
2748 		res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2749 				  wpabuf_head(secret), wpabuf_len(secret), prk);
2750 	wpabuf_clear_free(hkey);
2751 	wpabuf_clear_free(secret);
2752 	if (res < 0)
2753 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2754 
2755 	wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2756 
2757 	/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2758 
2759 	os_free(sta->owe_pmk);
2760 	sta->owe_pmk = os_malloc(hash_len);
2761 	if (!sta->owe_pmk) {
2762 		os_memset(prk, 0, SHA512_MAC_LEN);
2763 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2764 	}
2765 
2766 	if (group == 19)
2767 		res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2768 				      os_strlen(info), sta->owe_pmk, hash_len);
2769 	else if (group == 20)
2770 		res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2771 				      os_strlen(info), sta->owe_pmk, hash_len);
2772 	else if (group == 21)
2773 		res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2774 				      os_strlen(info), sta->owe_pmk, hash_len);
2775 	os_memset(prk, 0, SHA512_MAC_LEN);
2776 	if (res < 0) {
2777 		os_free(sta->owe_pmk);
2778 		sta->owe_pmk = NULL;
2779 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2780 	}
2781 	sta->owe_pmk_len = hash_len;
2782 
2783 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2784 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2785 	wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2786 			    sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2787 
2788 	return WLAN_STATUS_SUCCESS;
2789 }
2790 
2791 #endif /* CONFIG_OWE */
2792 
2793 
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)2794 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2795 			   const u8 *ies, size_t ies_len, int reassoc)
2796 {
2797 	struct ieee802_11_elems elems;
2798 	u16 resp;
2799 	const u8 *wpa_ie;
2800 	size_t wpa_ie_len;
2801 	const u8 *p2p_dev_addr = NULL;
2802 
2803 	if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2804 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2805 			       HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2806 			       "association request");
2807 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
2808 	}
2809 
2810 	resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2811 	if (resp != WLAN_STATUS_SUCCESS)
2812 		return resp;
2813 	resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2814 	if (resp != WLAN_STATUS_SUCCESS)
2815 		return resp;
2816 	resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2817 	if (resp != WLAN_STATUS_SUCCESS)
2818 		return resp;
2819 	resp = copy_supp_rates(hapd, sta, &elems);
2820 	if (resp != WLAN_STATUS_SUCCESS)
2821 		return resp;
2822 
2823 	resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
2824 	if (resp != WLAN_STATUS_SUCCESS)
2825 		return resp;
2826 
2827 #ifdef CONFIG_IEEE80211N
2828 	resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2829 	if (resp != WLAN_STATUS_SUCCESS)
2830 		return resp;
2831 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2832 	    !(sta->flags & WLAN_STA_HT)) {
2833 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2834 			       HOSTAPD_LEVEL_INFO, "Station does not support "
2835 			       "mandatory HT PHY - reject association");
2836 		return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2837 	}
2838 #endif /* CONFIG_IEEE80211N */
2839 
2840 #ifdef CONFIG_IEEE80211AC
2841 	if (hapd->iconf->ieee80211ac) {
2842 		resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2843 		if (resp != WLAN_STATUS_SUCCESS)
2844 			return resp;
2845 
2846 		resp = copy_sta_vht_oper(hapd, sta, elems.vht_operation);
2847 		if (resp != WLAN_STATUS_SUCCESS)
2848 			return resp;
2849 
2850 		resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2851 		if (resp != WLAN_STATUS_SUCCESS)
2852 			return resp;
2853 	}
2854 
2855 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2856 	    !(sta->flags & WLAN_STA_VHT)) {
2857 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2858 			       HOSTAPD_LEVEL_INFO, "Station does not support "
2859 			       "mandatory VHT PHY - reject association");
2860 		return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2861 	}
2862 
2863 	if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2864 		resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2865 					   elems.vendor_vht_len);
2866 		if (resp != WLAN_STATUS_SUCCESS)
2867 			return resp;
2868 	}
2869 #endif /* CONFIG_IEEE80211AC */
2870 
2871 #ifdef CONFIG_P2P
2872 	if (elems.p2p) {
2873 		wpabuf_free(sta->p2p_ie);
2874 		sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2875 							  P2P_IE_VENDOR_TYPE);
2876 		if (sta->p2p_ie)
2877 			p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2878 	} else {
2879 		wpabuf_free(sta->p2p_ie);
2880 		sta->p2p_ie = NULL;
2881 	}
2882 #endif /* CONFIG_P2P */
2883 
2884 	if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2885 		wpa_ie = elems.rsn_ie;
2886 		wpa_ie_len = elems.rsn_ie_len;
2887 	} else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2888 		   elems.wpa_ie) {
2889 		wpa_ie = elems.wpa_ie;
2890 		wpa_ie_len = elems.wpa_ie_len;
2891 	} else {
2892 		wpa_ie = NULL;
2893 		wpa_ie_len = 0;
2894 	}
2895 
2896 #ifdef CONFIG_WPS
2897 	sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2898 	if (hapd->conf->wps_state && elems.wps_ie) {
2899 		wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2900 			   "Request - assume WPS is used");
2901 		sta->flags |= WLAN_STA_WPS;
2902 		wpabuf_free(sta->wps_ie);
2903 		sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2904 							  WPS_IE_VENDOR_TYPE);
2905 		if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2906 			wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2907 			sta->flags |= WLAN_STA_WPS2;
2908 		}
2909 		wpa_ie = NULL;
2910 		wpa_ie_len = 0;
2911 		if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2912 			wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2913 				   "(Re)Association Request - reject");
2914 			return WLAN_STATUS_INVALID_IE;
2915 		}
2916 	} else if (hapd->conf->wps_state && wpa_ie == NULL) {
2917 		wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2918 			   "(Re)Association Request - possible WPS use");
2919 		sta->flags |= WLAN_STA_MAYBE_WPS;
2920 	} else
2921 #endif /* CONFIG_WPS */
2922 	if (hapd->conf->wpa && wpa_ie == NULL) {
2923 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2924 			       HOSTAPD_LEVEL_INFO,
2925 			       "No WPA/RSN IE in association request");
2926 		return WLAN_STATUS_INVALID_IE;
2927 	}
2928 
2929 	if (hapd->conf->wpa && wpa_ie) {
2930 		int res;
2931 		wpa_ie -= 2;
2932 		wpa_ie_len += 2;
2933 		if (sta->wpa_sm == NULL)
2934 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2935 							sta->addr,
2936 							p2p_dev_addr);
2937 		if (sta->wpa_sm == NULL) {
2938 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2939 				   "state machine");
2940 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
2941 		}
2942 		wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
2943 		res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2944 					  hapd->iface->freq,
2945 					  wpa_ie, wpa_ie_len,
2946 					  elems.mdie, elems.mdie_len,
2947 					  elems.owe_dh, elems.owe_dh_len);
2948 		resp = wpa_res_to_status_code(res);
2949 		if (resp != WLAN_STATUS_SUCCESS)
2950 			return resp;
2951 #ifdef CONFIG_IEEE80211W
2952 		if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2953 		    (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2954 		    !sta->sa_query_timed_out &&
2955 		    sta->sa_query_count > 0)
2956 			ap_check_sa_query_timeout(hapd, sta);
2957 		if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2958 		    (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2959 		    !sta->sa_query_timed_out &&
2960 		    (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2961 			/*
2962 			 * STA has already been associated with MFP and SA
2963 			 * Query timeout has not been reached. Reject the
2964 			 * association attempt temporarily and start SA Query,
2965 			 * if one is not pending.
2966 			 */
2967 
2968 			if (sta->sa_query_count == 0)
2969 				ap_sta_start_sa_query(hapd, sta);
2970 
2971 			return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2972 		}
2973 
2974 		if (wpa_auth_uses_mfp(sta->wpa_sm))
2975 			sta->flags |= WLAN_STA_MFP;
2976 		else
2977 			sta->flags &= ~WLAN_STA_MFP;
2978 #endif /* CONFIG_IEEE80211W */
2979 
2980 #ifdef CONFIG_IEEE80211R_AP
2981 		if (sta->auth_alg == WLAN_AUTH_FT) {
2982 			if (!reassoc) {
2983 				wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2984 					   "to use association (not "
2985 					   "re-association) with FT auth_alg",
2986 					   MAC2STR(sta->addr));
2987 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
2988 			}
2989 
2990 			resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2991 						       ies_len);
2992 			if (resp != WLAN_STATUS_SUCCESS)
2993 				return resp;
2994 		}
2995 #endif /* CONFIG_IEEE80211R_AP */
2996 
2997 #ifdef CONFIG_SAE
2998 		if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
2999 		    sta->sae->state == SAE_ACCEPTED)
3000 			wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3001 
3002 		if (wpa_auth_uses_sae(sta->wpa_sm) &&
3003 		    sta->auth_alg == WLAN_AUTH_OPEN) {
3004 			struct rsn_pmksa_cache_entry *sa;
3005 			sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3006 			if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3007 				wpa_printf(MSG_DEBUG,
3008 					   "SAE: No PMKSA cache entry found for "
3009 					   MACSTR, MAC2STR(sta->addr));
3010 				return WLAN_STATUS_INVALID_PMKID;
3011 			}
3012 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3013 				   " using PMKSA caching", MAC2STR(sta->addr));
3014 		} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3015 			   sta->auth_alg != WLAN_AUTH_SAE &&
3016 			   !(sta->auth_alg == WLAN_AUTH_FT &&
3017 			     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3018 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3019 				   "SAE AKM after non-SAE auth_alg %u",
3020 				   MAC2STR(sta->addr), sta->auth_alg);
3021 			return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3022 		}
3023 #endif /* CONFIG_SAE */
3024 
3025 #ifdef CONFIG_OWE
3026 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3027 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3028 		    elems.owe_dh) {
3029 			resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3030 						     elems.owe_dh_len);
3031 			if (resp != WLAN_STATUS_SUCCESS)
3032 				return resp;
3033 		}
3034 #endif /* CONFIG_OWE */
3035 
3036 #ifdef CONFIG_DPP2
3037 		dpp_pfs_free(sta->dpp_pfs);
3038 		sta->dpp_pfs = NULL;
3039 
3040 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3041 		    hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3042 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3043 		    elems.owe_dh) {
3044 			sta->dpp_pfs = dpp_pfs_init(
3045 				wpabuf_head(hapd->conf->dpp_netaccesskey),
3046 				wpabuf_len(hapd->conf->dpp_netaccesskey));
3047 			if (!sta->dpp_pfs) {
3048 				wpa_printf(MSG_DEBUG,
3049 					   "DPP: Could not initialize PFS");
3050 				/* Try to continue without PFS */
3051 				goto pfs_fail;
3052 			}
3053 
3054 			if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3055 					    elems.owe_dh_len) < 0) {
3056 				dpp_pfs_free(sta->dpp_pfs);
3057 				sta->dpp_pfs = NULL;
3058 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
3059 			}
3060 		}
3061 
3062 		wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3063 				   sta->dpp_pfs->secret : NULL);
3064 	pfs_fail:
3065 #endif /* CONFIG_DPP2 */
3066 
3067 #ifdef CONFIG_IEEE80211N
3068 		if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3069 		    wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3070 			hostapd_logger(hapd, sta->addr,
3071 				       HOSTAPD_MODULE_IEEE80211,
3072 				       HOSTAPD_LEVEL_INFO,
3073 				       "Station tried to use TKIP with HT "
3074 				       "association");
3075 			return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3076 		}
3077 #endif /* CONFIG_IEEE80211N */
3078 #ifdef CONFIG_HS20
3079 	} else if (hapd->conf->osen) {
3080 		if (elems.osen == NULL) {
3081 			hostapd_logger(
3082 				hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3083 				HOSTAPD_LEVEL_INFO,
3084 				"No HS 2.0 OSEN element in association request");
3085 			return WLAN_STATUS_INVALID_IE;
3086 		}
3087 
3088 		wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3089 		if (sta->wpa_sm == NULL)
3090 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3091 							sta->addr, NULL);
3092 		if (sta->wpa_sm == NULL) {
3093 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3094 				   "state machine");
3095 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
3096 		}
3097 		if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3098 				      elems.osen - 2, elems.osen_len + 2) < 0)
3099 			return WLAN_STATUS_INVALID_IE;
3100 #endif /* CONFIG_HS20 */
3101 	} else
3102 		wpa_auth_sta_no_wpa(sta->wpa_sm);
3103 
3104 #ifdef CONFIG_P2P
3105 	p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3106 #endif /* CONFIG_P2P */
3107 
3108 #ifdef CONFIG_HS20
3109 	wpabuf_free(sta->hs20_ie);
3110 	if (elems.hs20 && elems.hs20_len > 4) {
3111 		int release;
3112 
3113 		sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3114 						 elems.hs20_len - 4);
3115 		release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3116 		if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) {
3117 			wpa_printf(MSG_DEBUG,
3118 				   "HS 2.0: PMF not negotiated by release %d station "
3119 				   MACSTR, release, MAC2STR(sta->addr));
3120 			return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3121 		}
3122 	} else {
3123 		sta->hs20_ie = NULL;
3124 	}
3125 
3126 	wpabuf_free(sta->roaming_consortium);
3127 	if (elems.roaming_cons_sel)
3128 		sta->roaming_consortium = wpabuf_alloc_copy(
3129 			elems.roaming_cons_sel + 4,
3130 			elems.roaming_cons_sel_len - 4);
3131 	else
3132 		sta->roaming_consortium = NULL;
3133 #endif /* CONFIG_HS20 */
3134 
3135 #ifdef CONFIG_FST
3136 	wpabuf_free(sta->mb_ies);
3137 	if (hapd->iface->fst)
3138 		sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3139 	else
3140 		sta->mb_ies = NULL;
3141 #endif /* CONFIG_FST */
3142 
3143 #ifdef CONFIG_MBO
3144 	mbo_ap_check_sta_assoc(hapd, sta, &elems);
3145 
3146 	if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3147 	    elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3148 	    hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3149 		wpa_printf(MSG_INFO,
3150 			   "MBO: Reject WPA2 association without PMF");
3151 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
3152 	}
3153 #endif /* CONFIG_MBO */
3154 
3155 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3156 	if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3157 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3158 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3159 	     sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3160 		struct wpa_channel_info ci;
3161 		int tx_chanwidth;
3162 		int tx_seg1_idx;
3163 
3164 		if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3165 			wpa_printf(MSG_WARNING,
3166 				   "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3167 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
3168 		}
3169 
3170 		if (get_sta_tx_parameters(sta->wpa_sm,
3171 					  channel_width_to_int(ci.chanwidth),
3172 					  ci.seg1_idx, &tx_chanwidth,
3173 					  &tx_seg1_idx) < 0)
3174 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
3175 
3176 		if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3177 					 tx_chanwidth, tx_seg1_idx) != 0) {
3178 			wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3179 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
3180 		}
3181 	}
3182 #endif /* CONFIG_FILS && CONFIG_OCV */
3183 
3184 	ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3185 				    elems.supp_op_classes_len);
3186 
3187 	if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3188 	    elems.rrm_enabled &&
3189 	    elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3190 		os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3191 			  sizeof(sta->rrm_enabled_capa));
3192 
3193 	if (elems.power_capab) {
3194 		sta->min_tx_power = elems.power_capab[0];
3195 		sta->max_tx_power = elems.power_capab[1];
3196 		sta->power_capab = 1;
3197 	} else {
3198 		sta->power_capab = 0;
3199 	}
3200 
3201 	return WLAN_STATUS_SUCCESS;
3202 }
3203 
3204 
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)3205 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3206 			u16 reason_code)
3207 {
3208 	int send_len;
3209 	struct ieee80211_mgmt reply;
3210 
3211 	os_memset(&reply, 0, sizeof(reply));
3212 	reply.frame_control =
3213 		IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3214 	os_memcpy(reply.da, addr, ETH_ALEN);
3215 	os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3216 	os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3217 
3218 	send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3219 	reply.u.deauth.reason_code = host_to_le16(reason_code);
3220 
3221 	if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
3222 		wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3223 			   strerror(errno));
3224 }
3225 
3226 
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)3227 static int add_associated_sta(struct hostapd_data *hapd,
3228 			      struct sta_info *sta, int reassoc)
3229 {
3230 	struct ieee80211_ht_capabilities ht_cap;
3231 	struct ieee80211_vht_capabilities vht_cap;
3232 	int set = 1;
3233 
3234 	/*
3235 	 * Remove the STA entry to ensure the STA PS state gets cleared and
3236 	 * configuration gets updated. This is relevant for cases, such as
3237 	 * FT-over-the-DS, where a station re-associates back to the same AP but
3238 	 * skips the authentication flow, or if working with a driver that
3239 	 * does not support full AP client state.
3240 	 *
3241 	 * Skip this if the STA has already completed FT reassociation and the
3242 	 * TK has been configured since the TX/RX PN must not be reset to 0 for
3243 	 * the same key.
3244 	 *
3245 	 * FT-over-the-DS has a special case where the STA entry (and as such,
3246 	 * the TK) has not yet been configured to the driver depending on which
3247 	 * driver interface is used. For that case, allow add-STA operation to
3248 	 * be used (instead of set-STA). This is needed to allow mac80211-based
3249 	 * drivers to accept the STA parameter configuration. Since this is
3250 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
3251 	 * reinstallation is not a concern for this case.
3252 	 */
3253 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3254 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3255 		   MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3256 		   sta->ft_over_ds, reassoc,
3257 		   !!(sta->flags & WLAN_STA_AUTHORIZED),
3258 		   wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3259 		   wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3260 
3261 	if (!sta->added_unassoc &&
3262 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3263 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3264 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3265 	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3266 		hostapd_drv_sta_remove(hapd, sta->addr);
3267 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3268 		set = 0;
3269 
3270 		 /* Do not allow the FT-over-DS exception to be used more than
3271 		  * once per authentication exchange to guarantee a new TK is
3272 		  * used here */
3273 		sta->ft_over_ds = 0;
3274 	}
3275 
3276 #ifdef CONFIG_IEEE80211N
3277 	if (sta->flags & WLAN_STA_HT)
3278 		hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3279 #endif /* CONFIG_IEEE80211N */
3280 #ifdef CONFIG_IEEE80211AC
3281 	if (sta->flags & WLAN_STA_VHT)
3282 		hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3283 #endif /* CONFIG_IEEE80211AC */
3284 
3285 	/*
3286 	 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3287 	 * will be set when the ACK frame for the (Re)Association Response frame
3288 	 * is processed (TX status driver event).
3289 	 */
3290 	if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3291 			    sta->supported_rates, sta->supported_rates_len,
3292 			    sta->listen_interval,
3293 			    sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3294 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3295 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3296 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3297 			    set)) {
3298 		hostapd_logger(hapd, sta->addr,
3299 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3300 			       "Could not %s STA to kernel driver",
3301 			       set ? "set" : "add");
3302 
3303 		if (sta->added_unassoc) {
3304 			hostapd_drv_sta_remove(hapd, sta->addr);
3305 			sta->added_unassoc = 0;
3306 		}
3307 
3308 		return -1;
3309 	}
3310 
3311 	sta->added_unassoc = 0;
3312 
3313 	return 0;
3314 }
3315 
3316 
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi)3317 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3318 			   const u8 *addr, u16 status_code, int reassoc,
3319 			   const u8 *ies, size_t ies_len, int rssi)
3320 {
3321 	int send_len;
3322 	u8 *buf;
3323 	size_t buflen;
3324 	struct ieee80211_mgmt *reply;
3325 	u8 *p;
3326 	u16 res = WLAN_STATUS_SUCCESS;
3327 
3328 	buflen = sizeof(struct ieee80211_mgmt) + 1024;
3329 #ifdef CONFIG_FILS
3330 	if (sta && sta->fils_hlp_resp)
3331 		buflen += wpabuf_len(sta->fils_hlp_resp);
3332 #endif /* CONFIG_FILS */
3333 #ifdef CONFIG_OWE
3334 	if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3335 		buflen += 150;
3336 #endif /* CONFIG_OWE */
3337 #ifdef CONFIG_DPP2
3338 	if (sta && sta->dpp_pfs)
3339 		buflen += 5 + sta->dpp_pfs->curve->prime_len;
3340 #endif /* CONFIG_DPP2 */
3341 	buf = os_zalloc(buflen);
3342 	if (!buf) {
3343 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3344 		goto done;
3345 	}
3346 	reply = (struct ieee80211_mgmt *) buf;
3347 	reply->frame_control =
3348 		IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3349 			     (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3350 			      WLAN_FC_STYPE_ASSOC_RESP));
3351 	os_memcpy(reply->da, addr, ETH_ALEN);
3352 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3353 	os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3354 
3355 	send_len = IEEE80211_HDRLEN;
3356 	send_len += sizeof(reply->u.assoc_resp);
3357 	reply->u.assoc_resp.capab_info =
3358 		host_to_le16(hostapd_own_capab_info(hapd));
3359 	reply->u.assoc_resp.status_code = host_to_le16(status_code);
3360 
3361 	reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3362 					       BIT(14) | BIT(15));
3363 	/* Supported rates */
3364 	p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3365 	/* Extended supported rates */
3366 	p = hostapd_eid_ext_supp_rates(hapd, p);
3367 
3368 #ifdef CONFIG_MBO
3369 	if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3370 	    rssi != 0) {
3371 		int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3372 
3373 		p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3374 						   delta);
3375 	}
3376 #endif /* CONFIG_MBO */
3377 
3378 #ifdef CONFIG_IEEE80211R_AP
3379 	if (sta && status_code == WLAN_STATUS_SUCCESS) {
3380 		/* IEEE 802.11r: Mobility Domain Information, Fast BSS
3381 		 * Transition Information, RSN, [RIC Response] */
3382 		p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3383 						buf + buflen - p,
3384 						sta->auth_alg, ies, ies_len);
3385 		if (!p) {
3386 			wpa_printf(MSG_DEBUG,
3387 				   "FT: Failed to write AssocResp IEs");
3388 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3389 			goto done;
3390 		}
3391 	}
3392 #endif /* CONFIG_IEEE80211R_AP */
3393 
3394 #ifdef CONFIG_OWE
3395 	if (sta && status_code == WLAN_STATUS_SUCCESS &&
3396 	    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3397 		p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3398 						  buf + buflen - p,
3399 						  ies, ies_len);
3400 #endif /* CONFIG_OWE */
3401 
3402 #ifdef CONFIG_IEEE80211W
3403 	if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3404 		p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3405 #endif /* CONFIG_IEEE80211W */
3406 
3407 #ifdef CONFIG_IEEE80211N
3408 	p = hostapd_eid_ht_capabilities(hapd, p);
3409 	p = hostapd_eid_ht_operation(hapd, p);
3410 #endif /* CONFIG_IEEE80211N */
3411 
3412 #ifdef CONFIG_IEEE80211AC
3413 	if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
3414 		u32 nsts = 0, sta_nsts;
3415 
3416 		if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3417 			struct ieee80211_vht_capabilities *capa;
3418 
3419 			nsts = (hapd->iface->conf->vht_capab >>
3420 				VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3421 			capa = sta->vht_capabilities;
3422 			sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3423 				    VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3424 
3425 			if (nsts < sta_nsts)
3426 				nsts = 0;
3427 			else
3428 				nsts = sta_nsts;
3429 		}
3430 		p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3431 		p = hostapd_eid_vht_operation(hapd, p);
3432 	}
3433 #endif /* CONFIG_IEEE80211AC */
3434 
3435 	p = hostapd_eid_ext_capab(hapd, p);
3436 	p = hostapd_eid_bss_max_idle_period(hapd, p);
3437 	if (sta && sta->qos_map_enabled)
3438 		p = hostapd_eid_qos_map_set(hapd, p);
3439 
3440 #ifdef CONFIG_FST
3441 	if (hapd->iface->fst_ies) {
3442 		os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3443 			  wpabuf_len(hapd->iface->fst_ies));
3444 		p += wpabuf_len(hapd->iface->fst_ies);
3445 	}
3446 #endif /* CONFIG_FST */
3447 
3448 #ifdef CONFIG_OWE
3449 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3450 	    sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3451 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3452 		struct wpabuf *pub;
3453 
3454 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3455 		if (!pub) {
3456 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3457 			goto done;
3458 		}
3459 		/* OWE Diffie-Hellman Parameter element */
3460 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
3461 		*p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3462 		*p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3463 		WPA_PUT_LE16(p, sta->owe_group);
3464 		p += 2;
3465 		os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3466 		p += wpabuf_len(pub);
3467 		wpabuf_free(pub);
3468 	}
3469 #endif /* CONFIG_OWE */
3470 
3471 #ifdef CONFIG_DPP2
3472 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3473 	    sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3474 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3475 		os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3476 			  wpabuf_len(sta->dpp_pfs->ie));
3477 		p += wpabuf_len(sta->dpp_pfs->ie);
3478 	}
3479 #endif /* CONFIG_DPP2 */
3480 
3481 #ifdef CONFIG_IEEE80211AC
3482 	if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3483 		p = hostapd_eid_vendor_vht(hapd, p);
3484 #endif /* CONFIG_IEEE80211AC */
3485 
3486 	if (sta && (sta->flags & WLAN_STA_WMM))
3487 		p = hostapd_eid_wmm(hapd, p);
3488 
3489 #ifdef CONFIG_WPS
3490 	if (sta &&
3491 	    ((sta->flags & WLAN_STA_WPS) ||
3492 	     ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3493 		struct wpabuf *wps = wps_build_assoc_resp_ie();
3494 		if (wps) {
3495 			os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3496 			p += wpabuf_len(wps);
3497 			wpabuf_free(wps);
3498 		}
3499 	}
3500 #endif /* CONFIG_WPS */
3501 
3502 	if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3503 		p = hostapd_eid_multi_ap(hapd, p);
3504 
3505 #ifdef CONFIG_P2P
3506 	if (sta && sta->p2p_ie && hapd->p2p_group) {
3507 		struct wpabuf *p2p_resp_ie;
3508 		enum p2p_status_code status;
3509 		switch (status_code) {
3510 		case WLAN_STATUS_SUCCESS:
3511 			status = P2P_SC_SUCCESS;
3512 			break;
3513 		case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3514 			status = P2P_SC_FAIL_LIMIT_REACHED;
3515 			break;
3516 		default:
3517 			status = P2P_SC_FAIL_INVALID_PARAMS;
3518 			break;
3519 		}
3520 		p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3521 		if (p2p_resp_ie) {
3522 			os_memcpy(p, wpabuf_head(p2p_resp_ie),
3523 				  wpabuf_len(p2p_resp_ie));
3524 			p += wpabuf_len(p2p_resp_ie);
3525 			wpabuf_free(p2p_resp_ie);
3526 		}
3527 	}
3528 #endif /* CONFIG_P2P */
3529 
3530 #ifdef CONFIG_P2P_MANAGER
3531 	if (hapd->conf->p2p & P2P_MANAGE)
3532 		p = hostapd_eid_p2p_manage(hapd, p);
3533 #endif /* CONFIG_P2P_MANAGER */
3534 
3535 	p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3536 
3537 	if (hapd->conf->assocresp_elements &&
3538 	    (size_t) (buf + buflen - p) >=
3539 	    wpabuf_len(hapd->conf->assocresp_elements)) {
3540 		os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3541 			  wpabuf_len(hapd->conf->assocresp_elements));
3542 		p += wpabuf_len(hapd->conf->assocresp_elements);
3543 	}
3544 
3545 	send_len += p - reply->u.assoc_resp.variable;
3546 
3547 #ifdef CONFIG_FILS
3548 	if (sta &&
3549 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3550 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3551 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3552 	    status_code == WLAN_STATUS_SUCCESS) {
3553 		struct ieee802_11_elems elems;
3554 
3555 		if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3556 		    ParseFailed || !elems.fils_session) {
3557 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3558 			goto done;
3559 		}
3560 
3561 		/* FILS Session */
3562 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
3563 		*p++ = 1 + FILS_SESSION_LEN; /* Length */
3564 		*p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3565 		os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3566 		send_len += 2 + 1 + FILS_SESSION_LEN;
3567 
3568 		send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3569 					      buflen, sta->fils_hlp_resp);
3570 		if (send_len < 0) {
3571 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3572 			goto done;
3573 		}
3574 	}
3575 #endif /* CONFIG_FILS */
3576 
3577 	if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
3578 		wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3579 			   strerror(errno));
3580 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3581 	}
3582 
3583 done:
3584 	os_free(buf);
3585 	return res;
3586 }
3587 
3588 
3589 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * reason)3590 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3591 			   const u8 *owe_dh, u8 owe_dh_len,
3592 			   u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3593 {
3594 #ifdef CONFIG_TESTING_OPTIONS
3595 	if (hapd->conf->own_ie_override) {
3596 		wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3597 		*reason = WLAN_STATUS_SUCCESS;
3598 		return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3599 						     owe_buf_len, NULL, 0);
3600 	}
3601 #endif /* CONFIG_TESTING_OPTIONS */
3602 
3603 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3604 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3605 		owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3606 							owe_buf_len, NULL, 0);
3607 		*reason = WLAN_STATUS_SUCCESS;
3608 		return owe_buf;
3609 	}
3610 
3611 	*reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3612 	if (*reason != WLAN_STATUS_SUCCESS)
3613 		return NULL;
3614 
3615 	owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3616 						owe_buf_len, NULL, 0);
3617 
3618 	if (sta->owe_ecdh && owe_buf) {
3619 		struct wpabuf *pub;
3620 
3621 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3622 		if (!pub) {
3623 			*reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3624 			return owe_buf;
3625 		}
3626 
3627 		/* OWE Diffie-Hellman Parameter element */
3628 		*owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3629 		*owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3630 		*owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3631 							 */
3632 		WPA_PUT_LE16(owe_buf, sta->owe_group);
3633 		owe_buf += 2;
3634 		os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3635 		owe_buf += wpabuf_len(pub);
3636 		wpabuf_free(pub);
3637 	}
3638 
3639 	return owe_buf;
3640 }
3641 #endif /* CONFIG_OWE */
3642 
3643 
3644 #ifdef CONFIG_FILS
3645 
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)3646 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3647 {
3648 	u16 reply_res;
3649 
3650 	wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3651 		   MAC2STR(sta->addr));
3652 	eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3653 	if (!sta->fils_pending_assoc_req)
3654 		return;
3655 	reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3656 				    sta->fils_pending_assoc_is_reassoc,
3657 				    sta->fils_pending_assoc_req,
3658 				    sta->fils_pending_assoc_req_len, 0);
3659 	os_free(sta->fils_pending_assoc_req);
3660 	sta->fils_pending_assoc_req = NULL;
3661 	sta->fils_pending_assoc_req_len = 0;
3662 	wpabuf_free(sta->fils_hlp_resp);
3663 	sta->fils_hlp_resp = NULL;
3664 	wpabuf_free(sta->hlp_dhcp_discover);
3665 	sta->hlp_dhcp_discover = NULL;
3666 
3667 	/*
3668 	 * Remove the station in case transmission of a success response fails.
3669 	 * At this point the station was already added associated to the driver.
3670 	 */
3671 	if (reply_res != WLAN_STATUS_SUCCESS)
3672 		hostapd_drv_sta_remove(hapd, sta->addr);
3673 }
3674 
3675 
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)3676 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3677 {
3678 	struct hostapd_data *hapd = eloop_ctx;
3679 	struct sta_info *sta = eloop_data;
3680 
3681 	wpa_printf(MSG_DEBUG,
3682 		   "FILS: HLP response timeout - continue with association response for "
3683 		   MACSTR, MAC2STR(sta->addr));
3684 	if (sta->fils_drv_assoc_finish)
3685 		hostapd_notify_assoc_fils_finish(hapd, sta);
3686 	else
3687 		fils_hlp_finish_assoc(hapd, sta);
3688 }
3689 
3690 #endif /* CONFIG_FILS */
3691 
3692 
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)3693 static void handle_assoc(struct hostapd_data *hapd,
3694 			 const struct ieee80211_mgmt *mgmt, size_t len,
3695 			 int reassoc, int rssi)
3696 {
3697 	u16 capab_info, listen_interval, seq_ctrl, fc;
3698 	u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3699 	const u8 *pos;
3700 	int left, i;
3701 	struct sta_info *sta;
3702 	u8 *tmp = NULL;
3703 	struct hostapd_sta_wpa_psk_short *psk = NULL;
3704 	char *identity = NULL;
3705 	char *radius_cui = NULL;
3706 #ifdef CONFIG_FILS
3707 	int delay_assoc = 0;
3708 #endif /* CONFIG_FILS */
3709 
3710 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3711 				      sizeof(mgmt->u.assoc_req))) {
3712 		wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3713 			   reassoc, (unsigned long) len);
3714 		return;
3715 	}
3716 
3717 #ifdef CONFIG_TESTING_OPTIONS
3718 	if (reassoc) {
3719 		if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3720 		    drand48() < hapd->iconf->ignore_reassoc_probability) {
3721 			wpa_printf(MSG_INFO,
3722 				   "TESTING: ignoring reassoc request from "
3723 				   MACSTR, MAC2STR(mgmt->sa));
3724 			return;
3725 		}
3726 	} else {
3727 		if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3728 		    drand48() < hapd->iconf->ignore_assoc_probability) {
3729 			wpa_printf(MSG_INFO,
3730 				   "TESTING: ignoring assoc request from "
3731 				   MACSTR, MAC2STR(mgmt->sa));
3732 			return;
3733 		}
3734 	}
3735 #endif /* CONFIG_TESTING_OPTIONS */
3736 
3737 	fc = le_to_host16(mgmt->frame_control);
3738 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3739 
3740 	if (reassoc) {
3741 		capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3742 		listen_interval = le_to_host16(
3743 			mgmt->u.reassoc_req.listen_interval);
3744 		wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3745 			   " capab_info=0x%02x listen_interval=%d current_ap="
3746 			   MACSTR " seq_ctrl=0x%x%s",
3747 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
3748 			   MAC2STR(mgmt->u.reassoc_req.current_ap),
3749 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3750 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3751 		pos = mgmt->u.reassoc_req.variable;
3752 	} else {
3753 		capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3754 		listen_interval = le_to_host16(
3755 			mgmt->u.assoc_req.listen_interval);
3756 		wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3757 			   " capab_info=0x%02x listen_interval=%d "
3758 			   "seq_ctrl=0x%x%s",
3759 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
3760 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3761 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3762 		pos = mgmt->u.assoc_req.variable;
3763 	}
3764 
3765 	sta = ap_get_sta(hapd, mgmt->sa);
3766 #ifdef CONFIG_IEEE80211R_AP
3767 	if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3768 	    (sta->flags & WLAN_STA_AUTH) == 0) {
3769 		wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3770 			   "prior to authentication since it is using "
3771 			   "over-the-DS FT", MAC2STR(mgmt->sa));
3772 
3773 		/*
3774 		 * Mark station as authenticated, to avoid adding station
3775 		 * entry in the driver as associated and not authenticated
3776 		 */
3777 		sta->flags |= WLAN_STA_AUTH;
3778 	} else
3779 #endif /* CONFIG_IEEE80211R_AP */
3780 	if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3781 		if (hapd->iface->current_mode &&
3782 		    hapd->iface->current_mode->mode ==
3783 			HOSTAPD_MODE_IEEE80211AD) {
3784 			int acl_res;
3785 			u32 session_timeout, acct_interim_interval;
3786 			struct vlan_description vlan_id;
3787 
3788 			acl_res = ieee802_11_allowed_address(
3789 				hapd, mgmt->sa, (const u8 *) mgmt, len,
3790 				&session_timeout, &acct_interim_interval,
3791 				&vlan_id, &psk, &identity, &radius_cui, 0);
3792 			if (acl_res == HOSTAPD_ACL_REJECT) {
3793 				wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3794 					"Ignore Association Request frame from "
3795 					MACSTR " due to ACL reject",
3796 					MAC2STR(mgmt->sa));
3797 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3798 				goto fail;
3799 			}
3800 			if (acl_res == HOSTAPD_ACL_PENDING)
3801 				return;
3802 
3803 			/* DMG/IEEE 802.11ad does not use authentication.
3804 			 * Allocate sta entry upon association. */
3805 			sta = ap_sta_add(hapd, mgmt->sa);
3806 			if (!sta) {
3807 				hostapd_logger(hapd, mgmt->sa,
3808 					       HOSTAPD_MODULE_IEEE80211,
3809 					       HOSTAPD_LEVEL_INFO,
3810 					       "Failed to add STA");
3811 				resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3812 				goto fail;
3813 			}
3814 
3815 			acl_res = ieee802_11_set_radius_info(
3816 				hapd, sta, acl_res, session_timeout,
3817 				acct_interim_interval, &vlan_id, &psk,
3818 				&identity, &radius_cui);
3819 			if (acl_res) {
3820 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3821 				goto fail;
3822 			}
3823 
3824 			hostapd_logger(hapd, sta->addr,
3825 				       HOSTAPD_MODULE_IEEE80211,
3826 				       HOSTAPD_LEVEL_DEBUG,
3827 				       "Skip authentication for DMG/IEEE 802.11ad");
3828 			sta->flags |= WLAN_STA_AUTH;
3829 			wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3830 			sta->auth_alg = WLAN_AUTH_OPEN;
3831 		} else {
3832 			hostapd_logger(hapd, mgmt->sa,
3833 				       HOSTAPD_MODULE_IEEE80211,
3834 				       HOSTAPD_LEVEL_INFO,
3835 				       "Station tried to associate before authentication (aid=%d flags=0x%x)",
3836 				       sta ? sta->aid : -1,
3837 				       sta ? sta->flags : 0);
3838 			send_deauth(hapd, mgmt->sa,
3839 				    WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3840 			return;
3841 		}
3842 	}
3843 
3844 	if ((fc & WLAN_FC_RETRY) &&
3845 	    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3846 	    sta->last_seq_ctrl == seq_ctrl &&
3847 	    sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3848 				  WLAN_FC_STYPE_ASSOC_REQ)) {
3849 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3850 			       HOSTAPD_LEVEL_DEBUG,
3851 			       "Drop repeated association frame seq_ctrl=0x%x",
3852 			       seq_ctrl);
3853 		return;
3854 	}
3855 	sta->last_seq_ctrl = seq_ctrl;
3856 	sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3857 		WLAN_FC_STYPE_ASSOC_REQ;
3858 
3859 	if (hapd->tkip_countermeasures) {
3860 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3861 		goto fail;
3862 	}
3863 
3864 	if (listen_interval > hapd->conf->max_listen_interval) {
3865 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3866 			       HOSTAPD_LEVEL_DEBUG,
3867 			       "Too large Listen Interval (%d)",
3868 			       listen_interval);
3869 		resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3870 		goto fail;
3871 	}
3872 
3873 #ifdef CONFIG_MBO
3874 	if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3875 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3876 		goto fail;
3877 	}
3878 
3879 	if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
3880 	    rssi < hapd->iconf->rssi_reject_assoc_rssi &&
3881 	    (sta->auth_rssi == 0 ||
3882 	     sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
3883 		resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
3884 		goto fail;
3885 	}
3886 #endif /* CONFIG_MBO */
3887 
3888 	/*
3889 	 * sta->capability is used in check_assoc_ies() for RRM enabled
3890 	 * capability element.
3891 	 */
3892 	sta->capability = capab_info;
3893 
3894 #ifdef CONFIG_FILS
3895 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3896 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3897 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
3898 		int res;
3899 
3900 		/* The end of the payload is encrypted. Need to decrypt it
3901 		 * before parsing. */
3902 
3903 		tmp = os_memdup(pos, left);
3904 		if (!tmp) {
3905 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3906 			goto fail;
3907 		}
3908 
3909 		res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3910 					 len, tmp, left);
3911 		if (res < 0) {
3912 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3913 			goto fail;
3914 		}
3915 		pos = tmp;
3916 		left = res;
3917 	}
3918 #endif /* CONFIG_FILS */
3919 
3920 	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
3921 	 * is used */
3922 	resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3923 	if (resp != WLAN_STATUS_SUCCESS)
3924 		goto fail;
3925 
3926 	if (hostapd_get_aid(hapd, sta) < 0) {
3927 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3928 			       HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3929 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3930 		goto fail;
3931 	}
3932 
3933 	sta->listen_interval = listen_interval;
3934 
3935 	if (hapd->iface->current_mode &&
3936 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3937 		sta->flags |= WLAN_STA_NONERP;
3938 	for (i = 0; i < sta->supported_rates_len; i++) {
3939 		if ((sta->supported_rates[i] & 0x7f) > 22) {
3940 			sta->flags &= ~WLAN_STA_NONERP;
3941 			break;
3942 		}
3943 	}
3944 	if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3945 		sta->nonerp_set = 1;
3946 		hapd->iface->num_sta_non_erp++;
3947 		if (hapd->iface->num_sta_non_erp == 1)
3948 			ieee802_11_set_beacons(hapd->iface);
3949 	}
3950 
3951 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3952 	    !sta->no_short_slot_time_set) {
3953 		sta->no_short_slot_time_set = 1;
3954 		hapd->iface->num_sta_no_short_slot_time++;
3955 		if (hapd->iface->current_mode &&
3956 		    hapd->iface->current_mode->mode ==
3957 		    HOSTAPD_MODE_IEEE80211G &&
3958 		    hapd->iface->num_sta_no_short_slot_time == 1)
3959 			ieee802_11_set_beacons(hapd->iface);
3960 	}
3961 
3962 	if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3963 		sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3964 	else
3965 		sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3966 
3967 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3968 	    !sta->no_short_preamble_set) {
3969 		sta->no_short_preamble_set = 1;
3970 		hapd->iface->num_sta_no_short_preamble++;
3971 		if (hapd->iface->current_mode &&
3972 		    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3973 		    && hapd->iface->num_sta_no_short_preamble == 1)
3974 			ieee802_11_set_beacons(hapd->iface);
3975 	}
3976 
3977 #ifdef CONFIG_IEEE80211N
3978 	update_ht_state(hapd, sta);
3979 #endif /* CONFIG_IEEE80211N */
3980 
3981 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3982 		       HOSTAPD_LEVEL_DEBUG,
3983 		       "association OK (aid %d)", sta->aid);
3984 	/* Station will be marked associated, after it acknowledges AssocResp
3985 	 */
3986 	sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3987 
3988 #ifdef CONFIG_IEEE80211W
3989 	if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3990 		wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3991 			   "SA Query procedure", reassoc ? "re" : "");
3992 		/* TODO: Send a protected Disassociate frame to the STA using
3993 		 * the old key and Reason Code "Previous Authentication no
3994 		 * longer valid". Make sure this is only sent protected since
3995 		 * unprotected frame would be received by the STA that is now
3996 		 * trying to associate.
3997 		 */
3998 	}
3999 #endif /* CONFIG_IEEE80211W */
4000 
4001 	/* Make sure that the previously registered inactivity timer will not
4002 	 * remove the STA immediately. */
4003 	sta->timeout_next = STA_NULLFUNC;
4004 
4005 #ifdef CONFIG_TAXONOMY
4006 	taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4007 #endif /* CONFIG_TAXONOMY */
4008 
4009 	sta->pending_wds_enable = 0;
4010 
4011 #ifdef CONFIG_FILS
4012 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4013 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4014 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
4015 		if (fils_process_hlp(hapd, sta, pos, left) > 0)
4016 			delay_assoc = 1;
4017 	}
4018 #endif /* CONFIG_FILS */
4019 
4020  fail:
4021 	os_free(identity);
4022 	os_free(radius_cui);
4023 	hostapd_free_psk_list(psk);
4024 
4025 	/*
4026 	 * In case of a successful response, add the station to the driver.
4027 	 * Otherwise, the kernel may ignore Data frames before we process the
4028 	 * ACK frame (TX status). In case of a failure, this station will be
4029 	 * removed.
4030 	 *
4031 	 * Note that this is not compliant with the IEEE 802.11 standard that
4032 	 * states that a non-AP station should transition into the
4033 	 * authenticated/associated state only after the station acknowledges
4034 	 * the (Re)Association Response frame. However, still do this as:
4035 	 *
4036 	 * 1. In case the station does not acknowledge the (Re)Association
4037 	 *    Response frame, it will be removed.
4038 	 * 2. Data frames will be dropped in the kernel until the station is
4039 	 *    set into authorized state, and there are no significant known
4040 	 *    issues with processing other non-Data Class 3 frames during this
4041 	 *    window.
4042 	 */
4043 	if (resp == WLAN_STATUS_SUCCESS && sta &&
4044 	    add_associated_sta(hapd, sta, reassoc))
4045 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4046 
4047 #ifdef CONFIG_FILS
4048 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4049 	    eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4050 	    sta->fils_pending_assoc_req) {
4051 		/* Do not reschedule fils_hlp_timeout in case the station
4052 		 * retransmits (Re)Association Request frame while waiting for
4053 		 * the previously started FILS HLP wait, so that the timeout can
4054 		 * be determined from the first pending attempt. */
4055 		wpa_printf(MSG_DEBUG,
4056 			   "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4057 			   MACSTR, MAC2STR(sta->addr));
4058 		os_free(tmp);
4059 		return;
4060 	}
4061 	if (sta) {
4062 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4063 		os_free(sta->fils_pending_assoc_req);
4064 		sta->fils_pending_assoc_req = NULL;
4065 		sta->fils_pending_assoc_req_len = 0;
4066 		wpabuf_free(sta->fils_hlp_resp);
4067 		sta->fils_hlp_resp = NULL;
4068 	}
4069 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4070 		sta->fils_pending_assoc_req = tmp;
4071 		sta->fils_pending_assoc_req_len = left;
4072 		sta->fils_pending_assoc_is_reassoc = reassoc;
4073 		sta->fils_drv_assoc_finish = 0;
4074 		wpa_printf(MSG_DEBUG,
4075 			   "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4076 			   MACSTR, MAC2STR(sta->addr));
4077 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4078 		eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4079 				       fils_hlp_timeout, hapd, sta);
4080 		return;
4081 	}
4082 #endif /* CONFIG_FILS */
4083 
4084 	reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4085 				    left, rssi);
4086 	os_free(tmp);
4087 
4088 	/*
4089 	 * Remove the station in case tranmission of a success response fails
4090 	 * (the STA was added associated to the driver) or if the station was
4091 	 * previously added unassociated.
4092 	 */
4093 	if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4094 		     resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4095 		hostapd_drv_sta_remove(hapd, sta->addr);
4096 		sta->added_unassoc = 0;
4097 	}
4098 }
4099 
4100 
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4101 static void handle_disassoc(struct hostapd_data *hapd,
4102 			    const struct ieee80211_mgmt *mgmt, size_t len)
4103 {
4104 	struct sta_info *sta;
4105 
4106 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4107 		wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4108 			   (unsigned long) len);
4109 		return;
4110 	}
4111 
4112 	wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4113 		   MAC2STR(mgmt->sa),
4114 		   le_to_host16(mgmt->u.disassoc.reason_code));
4115 
4116 	sta = ap_get_sta(hapd, mgmt->sa);
4117 	if (sta == NULL) {
4118 		wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4119 			   MAC2STR(mgmt->sa));
4120 		return;
4121 	}
4122 
4123 	ap_sta_set_authorized(hapd, sta, 0);
4124 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4125 	sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4126 	wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4127 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4128 		       HOSTAPD_LEVEL_INFO, "disassociated");
4129 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4130 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4131 	/* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4132 	 * authenticated. */
4133 	accounting_sta_stop(hapd, sta);
4134 	ieee802_1x_free_station(hapd, sta);
4135 	if (sta->ipaddr)
4136 		hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4137 	ap_sta_ip6addr_del(hapd, sta);
4138 	hostapd_drv_sta_remove(hapd, sta->addr);
4139 	sta->added_unassoc = 0;
4140 
4141 	if (sta->timeout_next == STA_NULLFUNC ||
4142 	    sta->timeout_next == STA_DISASSOC) {
4143 		sta->timeout_next = STA_DEAUTH;
4144 		eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4145 		eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4146 				       hapd, sta);
4147 	}
4148 
4149 	mlme_disassociate_indication(
4150 		hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4151 
4152 	/* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4153 	 * disassociation. */
4154 	if (hapd->iface->current_mode &&
4155 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4156 		sta->flags &= ~WLAN_STA_AUTH;
4157 		wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4158 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4159 			       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4160 		ap_free_sta(hapd, sta);
4161 	}
4162 }
4163 
4164 
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4165 static void handle_deauth(struct hostapd_data *hapd,
4166 			  const struct ieee80211_mgmt *mgmt, size_t len)
4167 {
4168 	struct sta_info *sta;
4169 
4170 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4171 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4172 			"payload (len=%lu)", (unsigned long) len);
4173 		return;
4174 	}
4175 
4176 	wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4177 		" reason_code=%d",
4178 		MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4179 
4180 	sta = ap_get_sta(hapd, mgmt->sa);
4181 	if (sta == NULL) {
4182 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4183 			"to deauthenticate, but it is not authenticated",
4184 			MAC2STR(mgmt->sa));
4185 		return;
4186 	}
4187 
4188 	ap_sta_set_authorized(hapd, sta, 0);
4189 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4190 	sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4191 			WLAN_STA_ASSOC_REQ_OK);
4192 	wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4193 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4194 		       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4195 	mlme_deauthenticate_indication(
4196 		hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4197 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4198 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4199 	ap_free_sta(hapd, sta);
4200 }
4201 
4202 
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)4203 static void handle_beacon(struct hostapd_data *hapd,
4204 			  const struct ieee80211_mgmt *mgmt, size_t len,
4205 			  struct hostapd_frame_info *fi)
4206 {
4207 	struct ieee802_11_elems elems;
4208 
4209 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4210 		wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4211 			   (unsigned long) len);
4212 		return;
4213 	}
4214 
4215 	(void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4216 				      len - (IEEE80211_HDRLEN +
4217 					     sizeof(mgmt->u.beacon)), &elems,
4218 				      0);
4219 
4220 	ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4221 }
4222 
4223 
4224 #ifdef CONFIG_IEEE80211W
robust_action_frame(u8 category)4225 static int robust_action_frame(u8 category)
4226 {
4227 	return category != WLAN_ACTION_PUBLIC &&
4228 		category != WLAN_ACTION_HT;
4229 }
4230 #endif /* CONFIG_IEEE80211W */
4231 
4232 
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)4233 static int handle_action(struct hostapd_data *hapd,
4234 			 const struct ieee80211_mgmt *mgmt, size_t len,
4235 			 unsigned int freq)
4236 {
4237 	struct sta_info *sta;
4238 	u8 *action __maybe_unused;
4239 
4240 	if (len < IEEE80211_HDRLEN + 2 + 1) {
4241 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4242 			       HOSTAPD_LEVEL_DEBUG,
4243 			       "handle_action - too short payload (len=%lu)",
4244 			       (unsigned long) len);
4245 		return 0;
4246 	}
4247 
4248 	action = (u8 *) &mgmt->u.action.u;
4249 	wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4250 		   " da " MACSTR " len %d freq %u",
4251 		   mgmt->u.action.category, *action,
4252 		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4253 
4254 	sta = ap_get_sta(hapd, mgmt->sa);
4255 
4256 	if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4257 	    (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4258 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4259 			   "frame (category=%u) from unassociated STA " MACSTR,
4260 			   mgmt->u.action.category, MAC2STR(mgmt->sa));
4261 		return 0;
4262 	}
4263 
4264 #ifdef CONFIG_IEEE80211W
4265 	if (sta && (sta->flags & WLAN_STA_MFP) &&
4266 	    !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4267 	    robust_action_frame(mgmt->u.action.category)) {
4268 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4269 			       HOSTAPD_LEVEL_DEBUG,
4270 			       "Dropped unprotected Robust Action frame from "
4271 			       "an MFP STA");
4272 		return 0;
4273 	}
4274 #endif /* CONFIG_IEEE80211W */
4275 
4276 	if (sta) {
4277 		u16 fc = le_to_host16(mgmt->frame_control);
4278 		u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4279 
4280 		if ((fc & WLAN_FC_RETRY) &&
4281 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4282 		    sta->last_seq_ctrl == seq_ctrl &&
4283 		    sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4284 			hostapd_logger(hapd, sta->addr,
4285 				       HOSTAPD_MODULE_IEEE80211,
4286 				       HOSTAPD_LEVEL_DEBUG,
4287 				       "Drop repeated action frame seq_ctrl=0x%x",
4288 				       seq_ctrl);
4289 			return 1;
4290 		}
4291 
4292 		sta->last_seq_ctrl = seq_ctrl;
4293 		sta->last_subtype = WLAN_FC_STYPE_ACTION;
4294 	}
4295 
4296 	switch (mgmt->u.action.category) {
4297 #ifdef CONFIG_IEEE80211R_AP
4298 	case WLAN_ACTION_FT:
4299 		if (!sta ||
4300 		    wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4301 				     len - IEEE80211_HDRLEN))
4302 			break;
4303 		return 1;
4304 #endif /* CONFIG_IEEE80211R_AP */
4305 	case WLAN_ACTION_WMM:
4306 		hostapd_wmm_action(hapd, mgmt, len);
4307 		return 1;
4308 #ifdef CONFIG_IEEE80211W
4309 	case WLAN_ACTION_SA_QUERY:
4310 		ieee802_11_sa_query_action(hapd, mgmt, len);
4311 		return 1;
4312 #endif /* CONFIG_IEEE80211W */
4313 #ifdef CONFIG_WNM_AP
4314 	case WLAN_ACTION_WNM:
4315 		ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4316 		return 1;
4317 #endif /* CONFIG_WNM_AP */
4318 #ifdef CONFIG_FST
4319 	case WLAN_ACTION_FST:
4320 		if (hapd->iface->fst)
4321 			fst_rx_action(hapd->iface->fst, mgmt, len);
4322 		else
4323 			wpa_printf(MSG_DEBUG,
4324 				   "FST: Ignore FST Action frame - no FST attached");
4325 		return 1;
4326 #endif /* CONFIG_FST */
4327 	case WLAN_ACTION_PUBLIC:
4328 	case WLAN_ACTION_PROTECTED_DUAL:
4329 #ifdef CONFIG_IEEE80211N
4330 		if (len >= IEEE80211_HDRLEN + 2 &&
4331 		    mgmt->u.action.u.public_action.action ==
4332 		    WLAN_PA_20_40_BSS_COEX) {
4333 			hostapd_2040_coex_action(hapd, mgmt, len);
4334 			return 1;
4335 		}
4336 #endif /* CONFIG_IEEE80211N */
4337 #ifdef CONFIG_DPP
4338 		if (len >= IEEE80211_HDRLEN + 6 &&
4339 		    mgmt->u.action.u.vs_public_action.action ==
4340 		    WLAN_PA_VENDOR_SPECIFIC &&
4341 		    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4342 		    OUI_WFA &&
4343 		    mgmt->u.action.u.vs_public_action.variable[0] ==
4344 		    DPP_OUI_TYPE) {
4345 			const u8 *pos, *end;
4346 
4347 			pos = mgmt->u.action.u.vs_public_action.oui;
4348 			end = ((const u8 *) mgmt) + len;
4349 			hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4350 					      freq);
4351 			return 1;
4352 		}
4353 		if (len >= IEEE80211_HDRLEN + 2 &&
4354 		    (mgmt->u.action.u.public_action.action ==
4355 		     WLAN_PA_GAS_INITIAL_RESP ||
4356 		     mgmt->u.action.u.public_action.action ==
4357 		     WLAN_PA_GAS_COMEBACK_RESP)) {
4358 			const u8 *pos, *end;
4359 
4360 			pos = &mgmt->u.action.u.public_action.action;
4361 			end = ((const u8 *) mgmt) + len;
4362 			gas_query_ap_rx(hapd->gas, mgmt->sa,
4363 					mgmt->u.action.category,
4364 					pos, end - pos, hapd->iface->freq);
4365 			return 1;
4366 		}
4367 #endif /* CONFIG_DPP */
4368 		if (hapd->public_action_cb) {
4369 			hapd->public_action_cb(hapd->public_action_cb_ctx,
4370 					       (u8 *) mgmt, len,
4371 					       hapd->iface->freq);
4372 		}
4373 		if (hapd->public_action_cb2) {
4374 			hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4375 						(u8 *) mgmt, len,
4376 						hapd->iface->freq);
4377 		}
4378 		if (hapd->public_action_cb || hapd->public_action_cb2)
4379 			return 1;
4380 		break;
4381 	case WLAN_ACTION_VENDOR_SPECIFIC:
4382 		if (hapd->vendor_action_cb) {
4383 			if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4384 						   (u8 *) mgmt, len,
4385 						   hapd->iface->freq) == 0)
4386 				return 1;
4387 		}
4388 		break;
4389 	case WLAN_ACTION_RADIO_MEASUREMENT:
4390 		hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4391 		return 1;
4392 	}
4393 
4394 	hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4395 		       HOSTAPD_LEVEL_DEBUG,
4396 		       "handle_action - unknown action category %d or invalid "
4397 		       "frame",
4398 		       mgmt->u.action.category);
4399 	if (!is_multicast_ether_addr(mgmt->da) &&
4400 	    !(mgmt->u.action.category & 0x80) &&
4401 	    !is_multicast_ether_addr(mgmt->sa)) {
4402 		struct ieee80211_mgmt *resp;
4403 
4404 		/*
4405 		 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4406 		 * Return the Action frame to the source without change
4407 		 * except that MSB of the Category set to 1.
4408 		 */
4409 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4410 			   "frame back to sender");
4411 		resp = os_memdup(mgmt, len);
4412 		if (resp == NULL)
4413 			return 0;
4414 		os_memcpy(resp->da, resp->sa, ETH_ALEN);
4415 		os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4416 		os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4417 		resp->u.action.category |= 0x80;
4418 
4419 		if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
4420 			wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4421 				   "Action frame");
4422 		}
4423 		os_free(resp);
4424 	}
4425 
4426 	return 1;
4427 }
4428 
4429 
4430 /**
4431  * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4432  * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4433  * sent to)
4434  * @buf: management frame data (starting from IEEE 802.11 header)
4435  * @len: length of frame data in octets
4436  * @fi: meta data about received frame (signal level, etc.)
4437  *
4438  * Process all incoming IEEE 802.11 management frames. This will be called for
4439  * each frame received from the kernel driver through wlan#ap interface. In
4440  * addition, it can be called to re-inserted pending frames (e.g., when using
4441  * external RADIUS server as an MAC ACL).
4442  */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)4443 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4444 		    struct hostapd_frame_info *fi)
4445 {
4446 	struct ieee80211_mgmt *mgmt;
4447 	u16 fc, stype;
4448 	int ret = 0;
4449 	unsigned int freq;
4450 	int ssi_signal = fi ? fi->ssi_signal : 0;
4451 
4452 	if (len < 24)
4453 		return 0;
4454 
4455 	if (fi && fi->freq)
4456 		freq = fi->freq;
4457 	else
4458 		freq = hapd->iface->freq;
4459 
4460 	mgmt = (struct ieee80211_mgmt *) buf;
4461 	fc = le_to_host16(mgmt->frame_control);
4462 	stype = WLAN_FC_GET_STYPE(fc);
4463 
4464 	if (stype == WLAN_FC_STYPE_BEACON) {
4465 		handle_beacon(hapd, mgmt, len, fi);
4466 		return 1;
4467 	}
4468 
4469 	if (!is_broadcast_ether_addr(mgmt->bssid) &&
4470 #ifdef CONFIG_P2P
4471 	    /* Invitation responses can be sent with the peer MAC as BSSID */
4472 	    !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4473 	      stype == WLAN_FC_STYPE_ACTION) &&
4474 #endif /* CONFIG_P2P */
4475 #ifdef CONFIG_MESH
4476 	    !(hapd->conf->mesh & MESH_ENABLED) &&
4477 #endif /* CONFIG_MESH */
4478 	    os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4479 		wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4480 			   MAC2STR(mgmt->bssid));
4481 		return 0;
4482 	}
4483 
4484 
4485 	if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4486 		handle_probe_req(hapd, mgmt, len, ssi_signal);
4487 		return 1;
4488 	}
4489 
4490 	if ((!is_broadcast_ether_addr(mgmt->da) ||
4491 	     stype != WLAN_FC_STYPE_ACTION) &&
4492 	    os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4493 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4494 			       HOSTAPD_LEVEL_DEBUG,
4495 			       "MGMT: DA=" MACSTR " not our address",
4496 			       MAC2STR(mgmt->da));
4497 		return 0;
4498 	}
4499 
4500 	if (hapd->iconf->track_sta_max_num)
4501 		sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4502 
4503 	switch (stype) {
4504 	case WLAN_FC_STYPE_AUTH:
4505 		wpa_printf(MSG_DEBUG, "mgmt::auth");
4506 		handle_auth(hapd, mgmt, len, ssi_signal, 0);
4507 		ret = 1;
4508 		break;
4509 	case WLAN_FC_STYPE_ASSOC_REQ:
4510 		wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4511 		handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4512 		ret = 1;
4513 		break;
4514 	case WLAN_FC_STYPE_REASSOC_REQ:
4515 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4516 		handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4517 		ret = 1;
4518 		break;
4519 	case WLAN_FC_STYPE_DISASSOC:
4520 		wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4521 		handle_disassoc(hapd, mgmt, len);
4522 		ret = 1;
4523 		break;
4524 	case WLAN_FC_STYPE_DEAUTH:
4525 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4526 		handle_deauth(hapd, mgmt, len);
4527 		ret = 1;
4528 		break;
4529 	case WLAN_FC_STYPE_ACTION:
4530 		wpa_printf(MSG_DEBUG, "mgmt::action");
4531 		ret = handle_action(hapd, mgmt, len, freq);
4532 		break;
4533 	default:
4534 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4535 			       HOSTAPD_LEVEL_DEBUG,
4536 			       "unknown mgmt frame subtype %d", stype);
4537 		break;
4538 	}
4539 
4540 	return ret;
4541 }
4542 
4543 
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4544 static void handle_auth_cb(struct hostapd_data *hapd,
4545 			   const struct ieee80211_mgmt *mgmt,
4546 			   size_t len, int ok)
4547 {
4548 	u16 auth_alg, auth_transaction, status_code;
4549 	struct sta_info *sta;
4550 
4551 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4552 		wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4553 			   (unsigned long) len);
4554 
4555 		/*
4556 		 * Initialize status_code here because we are not able to read
4557 		 * it from the short payload.
4558 		 */
4559 		status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
4560 		goto fail;
4561 	}
4562 
4563 	sta = ap_get_sta(hapd, mgmt->da);
4564 	if (!sta) {
4565 		wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4566 			   " not found",
4567 			   MAC2STR(mgmt->da));
4568 		return;
4569 	}
4570 
4571 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4572 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4573 	status_code = le_to_host16(mgmt->u.auth.status_code);
4574 
4575 	if (!ok) {
4576 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4577 			       HOSTAPD_LEVEL_NOTICE,
4578 			       "did not acknowledge authentication response");
4579 		goto fail;
4580 	}
4581 
4582 	if (status_code == WLAN_STATUS_SUCCESS &&
4583 	    ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4584 	     (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4585 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4586 			       HOSTAPD_LEVEL_INFO, "authenticated");
4587 		sta->flags |= WLAN_STA_AUTH;
4588 		if (sta->added_unassoc)
4589 			hostapd_set_sta_flags(hapd, sta);
4590 		return;
4591 	}
4592 
4593 fail:
4594 	if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4595 		hostapd_drv_sta_remove(hapd, sta->addr);
4596 		sta->added_unassoc = 0;
4597 	}
4598 }
4599 
4600 
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)4601 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4602 				       struct sta_info *sta,
4603 				       char *ifname_wds)
4604 {
4605 	int i;
4606 	struct hostapd_ssid *ssid = &hapd->conf->ssid;
4607 
4608 	if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4609 		return;
4610 
4611 	for (i = 0; i < 4; i++) {
4612 		if (ssid->wep.key[i] &&
4613 		    hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4614 					i == ssid->wep.idx, NULL, 0,
4615 					ssid->wep.key[i], ssid->wep.len[i])) {
4616 			wpa_printf(MSG_WARNING,
4617 				   "Could not set WEP keys for WDS interface; %s",
4618 				   ifname_wds);
4619 			break;
4620 		}
4621 	}
4622 }
4623 
4624 
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)4625 static void handle_assoc_cb(struct hostapd_data *hapd,
4626 			    const struct ieee80211_mgmt *mgmt,
4627 			    size_t len, int reassoc, int ok)
4628 {
4629 	u16 status;
4630 	struct sta_info *sta;
4631 	int new_assoc = 1;
4632 
4633 	sta = ap_get_sta(hapd, mgmt->da);
4634 	if (!sta) {
4635 		wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4636 			   MAC2STR(mgmt->da));
4637 		return;
4638 	}
4639 
4640 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4641 				      sizeof(mgmt->u.assoc_resp))) {
4642 		wpa_printf(MSG_INFO,
4643 			   "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4644 			   reassoc, (unsigned long) len);
4645 		hostapd_drv_sta_remove(hapd, sta->addr);
4646 		return;
4647 	}
4648 
4649 	if (reassoc)
4650 		status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4651 	else
4652 		status = le_to_host16(mgmt->u.assoc_resp.status_code);
4653 
4654 	if (!ok) {
4655 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4656 			       HOSTAPD_LEVEL_DEBUG,
4657 			       "did not acknowledge association response");
4658 		sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4659 		/* The STA is added only in case of SUCCESS */
4660 		if (status == WLAN_STATUS_SUCCESS)
4661 			hostapd_drv_sta_remove(hapd, sta->addr);
4662 
4663 		return;
4664 	}
4665 
4666 	if (status != WLAN_STATUS_SUCCESS)
4667 		return;
4668 
4669 	/* Stop previous accounting session, if one is started, and allocate
4670 	 * new session id for the new session. */
4671 	accounting_sta_stop(hapd, sta);
4672 
4673 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4674 		       HOSTAPD_LEVEL_INFO,
4675 		       "associated (aid %d)",
4676 		       sta->aid);
4677 
4678 	if (sta->flags & WLAN_STA_ASSOC)
4679 		new_assoc = 0;
4680 	sta->flags |= WLAN_STA_ASSOC;
4681 	sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4682 	if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4683 	     !hapd->conf->osen) ||
4684 	    sta->auth_alg == WLAN_AUTH_FILS_SK ||
4685 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4686 	    sta->auth_alg == WLAN_AUTH_FILS_PK ||
4687 	    sta->auth_alg == WLAN_AUTH_FT) {
4688 		/*
4689 		 * Open, static WEP, FT protocol, or FILS; no separate
4690 		 * authorization step.
4691 		 */
4692 		ap_sta_set_authorized(hapd, sta, 1);
4693 	}
4694 
4695 	if (reassoc)
4696 		mlme_reassociate_indication(hapd, sta);
4697 	else
4698 		mlme_associate_indication(hapd, sta);
4699 
4700 #ifdef CONFIG_IEEE80211W
4701 	sta->sa_query_timed_out = 0;
4702 #endif /* CONFIG_IEEE80211W */
4703 
4704 	if (sta->eapol_sm == NULL) {
4705 		/*
4706 		 * This STA does not use RADIUS server for EAP authentication,
4707 		 * so bind it to the selected VLAN interface now, since the
4708 		 * interface selection is not going to change anymore.
4709 		 */
4710 		if (ap_sta_bind_vlan(hapd, sta) < 0)
4711 			return;
4712 	} else if (sta->vlan_id) {
4713 		/* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4714 		if (ap_sta_bind_vlan(hapd, sta) < 0)
4715 			return;
4716 	}
4717 
4718 	hostapd_set_sta_flags(hapd, sta);
4719 
4720 	if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4721 		wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4722 			   MACSTR " based on pending request",
4723 			   MAC2STR(sta->addr));
4724 		sta->pending_wds_enable = 0;
4725 		sta->flags |= WLAN_STA_WDS;
4726 	}
4727 
4728 	if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4729 		int ret;
4730 		char ifname_wds[IFNAMSIZ + 1];
4731 
4732 		wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4733 			   MACSTR " (aid %u)",
4734 			   MAC2STR(sta->addr), sta->aid);
4735 		ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4736 					  sta->aid, 1);
4737 		if (!ret)
4738 			hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4739 	}
4740 
4741 	if (sta->auth_alg == WLAN_AUTH_FT)
4742 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4743 	else
4744 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4745 	hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4746 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4747 
4748 #ifdef CONFIG_FILS
4749 	if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4750 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4751 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4752 	    fils_set_tk(sta->wpa_sm) < 0) {
4753 		wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4754 		ap_sta_disconnect(hapd, sta, sta->addr,
4755 				  WLAN_REASON_UNSPECIFIED);
4756 		return;
4757 	}
4758 #endif /* CONFIG_FILS */
4759 
4760 	if (sta->pending_eapol_rx) {
4761 		struct os_reltime now, age;
4762 
4763 		os_get_reltime(&now);
4764 		os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4765 		if (age.sec == 0 && age.usec < 200000) {
4766 			wpa_printf(MSG_DEBUG,
4767 				   "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4768 				   MAC2STR(sta->addr));
4769 			ieee802_1x_receive(
4770 				hapd, mgmt->da,
4771 				wpabuf_head(sta->pending_eapol_rx->buf),
4772 				wpabuf_len(sta->pending_eapol_rx->buf));
4773 		}
4774 		wpabuf_free(sta->pending_eapol_rx->buf);
4775 		os_free(sta->pending_eapol_rx);
4776 		sta->pending_eapol_rx = NULL;
4777 	}
4778 }
4779 
4780 
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4781 static void handle_deauth_cb(struct hostapd_data *hapd,
4782 			     const struct ieee80211_mgmt *mgmt,
4783 			     size_t len, int ok)
4784 {
4785 	struct sta_info *sta;
4786 	if (is_multicast_ether_addr(mgmt->da))
4787 		return;
4788 	sta = ap_get_sta(hapd, mgmt->da);
4789 	if (!sta) {
4790 		wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4791 			   " not found", MAC2STR(mgmt->da));
4792 		return;
4793 	}
4794 	if (ok)
4795 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4796 			   MAC2STR(sta->addr));
4797 	else
4798 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4799 			   "deauth", MAC2STR(sta->addr));
4800 
4801 	ap_sta_deauth_cb(hapd, sta);
4802 }
4803 
4804 
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4805 static void handle_disassoc_cb(struct hostapd_data *hapd,
4806 			       const struct ieee80211_mgmt *mgmt,
4807 			       size_t len, int ok)
4808 {
4809 	struct sta_info *sta;
4810 	if (is_multicast_ether_addr(mgmt->da))
4811 		return;
4812 	sta = ap_get_sta(hapd, mgmt->da);
4813 	if (!sta) {
4814 		wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4815 			   " not found", MAC2STR(mgmt->da));
4816 		return;
4817 	}
4818 	if (ok)
4819 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4820 			   MAC2STR(sta->addr));
4821 	else
4822 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4823 			   "disassoc", MAC2STR(sta->addr));
4824 
4825 	ap_sta_disassoc_cb(hapd, sta);
4826 }
4827 
4828 
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4829 static void handle_action_cb(struct hostapd_data *hapd,
4830 			     const struct ieee80211_mgmt *mgmt,
4831 			     size_t len, int ok)
4832 {
4833 	struct sta_info *sta;
4834 	const struct rrm_measurement_report_element *report;
4835 
4836 	if (is_multicast_ether_addr(mgmt->da))
4837 		return;
4838 #ifdef CONFIG_DPP
4839 	if (len >= IEEE80211_HDRLEN + 6 &&
4840 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4841 	    mgmt->u.action.u.vs_public_action.action ==
4842 	    WLAN_PA_VENDOR_SPECIFIC &&
4843 	    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4844 	    OUI_WFA &&
4845 	    mgmt->u.action.u.vs_public_action.variable[0] ==
4846 	    DPP_OUI_TYPE) {
4847 		const u8 *pos, *end;
4848 
4849 		pos = &mgmt->u.action.u.vs_public_action.variable[1];
4850 		end = ((const u8 *) mgmt) + len;
4851 		hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4852 		return;
4853 	}
4854 	if (len >= IEEE80211_HDRLEN + 2 &&
4855 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4856 	    (mgmt->u.action.u.public_action.action ==
4857 	     WLAN_PA_GAS_INITIAL_REQ ||
4858 	     mgmt->u.action.u.public_action.action ==
4859 	     WLAN_PA_GAS_COMEBACK_REQ)) {
4860 		const u8 *pos, *end;
4861 
4862 		pos = mgmt->u.action.u.public_action.variable;
4863 		end = ((const u8 *) mgmt) + len;
4864 		gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4865 		return;
4866 	}
4867 #endif /* CONFIG_DPP */
4868 	sta = ap_get_sta(hapd, mgmt->da);
4869 	if (!sta) {
4870 		wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4871 			   " not found", MAC2STR(mgmt->da));
4872 		return;
4873 	}
4874 
4875 	if (len < 24 + 5 + sizeof(*report))
4876 		return;
4877 	report = (const struct rrm_measurement_report_element *)
4878 		&mgmt->u.action.u.rrm.variable[2];
4879 	if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4880 	    mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4881 	    report->eid == WLAN_EID_MEASURE_REQUEST &&
4882 	    report->len >= 3 &&
4883 	    report->type == MEASURE_TYPE_BEACON)
4884 		hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4885 }
4886 
4887 
4888 /**
4889  * ieee802_11_mgmt_cb - Process management frame TX status callback
4890  * @hapd: hostapd BSS data structure (the BSS from which the management frame
4891  * was sent from)
4892  * @buf: management frame data (starting from IEEE 802.11 header)
4893  * @len: length of frame data in octets
4894  * @stype: management frame subtype from frame control field
4895  * @ok: Whether the frame was ACK'ed
4896  */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)4897 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4898 			u16 stype, int ok)
4899 {
4900 	const struct ieee80211_mgmt *mgmt;
4901 	mgmt = (const struct ieee80211_mgmt *) buf;
4902 
4903 #ifdef CONFIG_TESTING_OPTIONS
4904 	if (hapd->ext_mgmt_frame_handling) {
4905 		size_t hex_len = 2 * len + 1;
4906 		char *hex = os_malloc(hex_len);
4907 
4908 		if (hex) {
4909 			wpa_snprintf_hex(hex, hex_len, buf, len);
4910 			wpa_msg(hapd->msg_ctx, MSG_INFO,
4911 				"MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4912 				stype, ok, hex);
4913 			os_free(hex);
4914 		}
4915 		return;
4916 	}
4917 #endif /* CONFIG_TESTING_OPTIONS */
4918 
4919 	switch (stype) {
4920 	case WLAN_FC_STYPE_AUTH:
4921 		wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4922 		handle_auth_cb(hapd, mgmt, len, ok);
4923 		break;
4924 	case WLAN_FC_STYPE_ASSOC_RESP:
4925 		wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4926 		handle_assoc_cb(hapd, mgmt, len, 0, ok);
4927 		break;
4928 	case WLAN_FC_STYPE_REASSOC_RESP:
4929 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4930 		handle_assoc_cb(hapd, mgmt, len, 1, ok);
4931 		break;
4932 	case WLAN_FC_STYPE_PROBE_RESP:
4933 		wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4934 		break;
4935 	case WLAN_FC_STYPE_DEAUTH:
4936 		wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4937 		handle_deauth_cb(hapd, mgmt, len, ok);
4938 		break;
4939 	case WLAN_FC_STYPE_DISASSOC:
4940 		wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4941 		handle_disassoc_cb(hapd, mgmt, len, ok);
4942 		break;
4943 	case WLAN_FC_STYPE_ACTION:
4944 		wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4945 		handle_action_cb(hapd, mgmt, len, ok);
4946 		break;
4947 	default:
4948 		wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4949 		break;
4950 	}
4951 }
4952 
4953 
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)4954 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4955 {
4956 	/* TODO */
4957 	return 0;
4958 }
4959 
4960 
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)4961 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4962 			   char *buf, size_t buflen)
4963 {
4964 	/* TODO */
4965 	return 0;
4966 }
4967 
4968 
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)4969 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4970 		       const u8 *buf, size_t len, int ack)
4971 {
4972 	struct sta_info *sta;
4973 	struct hostapd_iface *iface = hapd->iface;
4974 
4975 	sta = ap_get_sta(hapd, addr);
4976 	if (sta == NULL && iface->num_bss > 1) {
4977 		size_t j;
4978 		for (j = 0; j < iface->num_bss; j++) {
4979 			hapd = iface->bss[j];
4980 			sta = ap_get_sta(hapd, addr);
4981 			if (sta)
4982 				break;
4983 		}
4984 	}
4985 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4986 		return;
4987 	if (sta->flags & WLAN_STA_PENDING_POLL) {
4988 		wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4989 			   "activity poll", MAC2STR(sta->addr),
4990 			   ack ? "ACKed" : "did not ACK");
4991 		if (ack)
4992 			sta->flags &= ~WLAN_STA_PENDING_POLL;
4993 	}
4994 
4995 	ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4996 }
4997 
4998 
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)4999 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5000 			     const u8 *data, size_t len, int ack)
5001 {
5002 	struct sta_info *sta;
5003 	struct hostapd_iface *iface = hapd->iface;
5004 
5005 	sta = ap_get_sta(hapd, dst);
5006 	if (sta == NULL && iface->num_bss > 1) {
5007 		size_t j;
5008 		for (j = 0; j < iface->num_bss; j++) {
5009 			hapd = iface->bss[j];
5010 			sta = ap_get_sta(hapd, dst);
5011 			if (sta)
5012 				break;
5013 		}
5014 	}
5015 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5016 		wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5017 			   MACSTR " that is not currently associated",
5018 			   MAC2STR(dst));
5019 		return;
5020 	}
5021 
5022 	ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5023 }
5024 
5025 
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)5026 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5027 {
5028 	struct sta_info *sta;
5029 	struct hostapd_iface *iface = hapd->iface;
5030 
5031 	sta = ap_get_sta(hapd, addr);
5032 	if (sta == NULL && iface->num_bss > 1) {
5033 		size_t j;
5034 		for (j = 0; j < iface->num_bss; j++) {
5035 			hapd = iface->bss[j];
5036 			sta = ap_get_sta(hapd, addr);
5037 			if (sta)
5038 				break;
5039 		}
5040 	}
5041 	if (sta == NULL)
5042 		return;
5043 	wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5044 		MAC2STR(sta->addr));
5045 	if (!(sta->flags & WLAN_STA_PENDING_POLL))
5046 		return;
5047 
5048 	wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5049 		   "activity poll", MAC2STR(sta->addr));
5050 	sta->flags &= ~WLAN_STA_PENDING_POLL;
5051 }
5052 
5053 
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)5054 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5055 				int wds)
5056 {
5057 	struct sta_info *sta;
5058 
5059 	sta = ap_get_sta(hapd, src);
5060 	if (sta &&
5061 	    ((sta->flags & WLAN_STA_ASSOC) ||
5062 	     ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5063 		if (!hapd->conf->wds_sta)
5064 			return;
5065 
5066 		if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5067 		    WLAN_STA_ASSOC_REQ_OK) {
5068 			wpa_printf(MSG_DEBUG,
5069 				   "Postpone 4-address WDS mode enabling for STA "
5070 				   MACSTR " since TX status for AssocResp is not yet known",
5071 				   MAC2STR(sta->addr));
5072 			sta->pending_wds_enable = 1;
5073 			return;
5074 		}
5075 
5076 		if (wds && !(sta->flags & WLAN_STA_WDS)) {
5077 			int ret;
5078 			char ifname_wds[IFNAMSIZ + 1];
5079 
5080 			wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5081 				   "STA " MACSTR " (aid %u)",
5082 				   MAC2STR(sta->addr), sta->aid);
5083 			sta->flags |= WLAN_STA_WDS;
5084 			ret = hostapd_set_wds_sta(hapd, ifname_wds,
5085 						  sta->addr, sta->aid, 1);
5086 			if (!ret)
5087 				hostapd_set_wds_encryption(hapd, sta,
5088 							   ifname_wds);
5089 		}
5090 		return;
5091 	}
5092 
5093 	wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5094 		   MACSTR, MAC2STR(src));
5095 	if (is_multicast_ether_addr(src)) {
5096 		/* Broadcast bit set in SA?! Ignore the frame silently. */
5097 		return;
5098 	}
5099 
5100 	if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5101 		wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5102 			   "already been sent, but no TX status yet known - "
5103 			   "ignore Class 3 frame issue with " MACSTR,
5104 			   MAC2STR(src));
5105 		return;
5106 	}
5107 
5108 	if (sta && (sta->flags & WLAN_STA_AUTH))
5109 		hostapd_drv_sta_disassoc(
5110 			hapd, src,
5111 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5112 	else
5113 		hostapd_drv_sta_deauth(
5114 			hapd, src,
5115 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5116 }
5117 
5118 
5119 #endif /* CONFIG_NATIVE_WINDOWS */
5120