1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "radius/radius.h"
27 #include "radius/radius_client.h"
28 #include "p2p/p2p.h"
29 #include "wps/wps.h"
30 #include "fst/fst.h"
31 #include "hostapd.h"
32 #include "beacon.h"
33 #include "ieee802_11_auth.h"
34 #include "sta_info.h"
35 #include "ieee802_1x.h"
36 #include "wpa_auth.h"
37 #include "pmksa_cache_auth.h"
38 #include "wmm.h"
39 #include "ap_list.h"
40 #include "accounting.h"
41 #include "ap_config.h"
42 #include "ap_mlme.h"
43 #include "p2p_hostapd.h"
44 #include "ap_drv_ops.h"
45 #include "wnm_ap.h"
46 #include "hw_features.h"
47 #include "ieee802_11.h"
48 #include "dfs.h"
49 #include "mbo_ap.h"
50 #include "rrm.h"
51 #include "taxonomy.h"
52 #include "fils_hlp.h"
53 #include "dpp_hostapd.h"
54 #include "gas_query_ap.h"
55
56
57 #ifdef CONFIG_FILS
58 static struct wpabuf *
59 prepare_auth_resp_fils(struct hostapd_data *hapd,
60 struct sta_info *sta, u16 *resp,
61 struct rsn_pmksa_cache_entry *pmksa,
62 struct wpabuf *erp_resp,
63 const u8 *msk, size_t msk_len,
64 int *is_pub);
65 #endif /* CONFIG_FILS */
66 static void handle_auth(struct hostapd_data *hapd,
67 const struct ieee80211_mgmt *mgmt, size_t len,
68 int rssi, int from_queue);
69
70
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)71 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
72 {
73 u8 multi_ap_val = 0;
74
75 if (!hapd->conf->multi_ap)
76 return eid;
77 if (hapd->conf->multi_ap & BACKHAUL_BSS)
78 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
79 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
80 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
81
82 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
83 }
84
85
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)86 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
87 {
88 u8 *pos = eid;
89 int i, num, count;
90
91 if (hapd->iface->current_rates == NULL)
92 return eid;
93
94 *pos++ = WLAN_EID_SUPP_RATES;
95 num = hapd->iface->num_rates;
96 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
97 num++;
98 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
99 num++;
100 if (num > 8) {
101 /* rest of the rates are encoded in Extended supported
102 * rates element */
103 num = 8;
104 }
105
106 *pos++ = num;
107 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
108 i++) {
109 count++;
110 *pos = hapd->iface->current_rates[i].rate / 5;
111 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
112 *pos |= 0x80;
113 pos++;
114 }
115
116 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
117 count++;
118 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
119 }
120
121 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
122 count++;
123 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
124 }
125
126 return pos;
127 }
128
129
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)130 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
131 {
132 u8 *pos = eid;
133 int i, num, count;
134
135 if (hapd->iface->current_rates == NULL)
136 return eid;
137
138 num = hapd->iface->num_rates;
139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
140 num++;
141 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
142 num++;
143 if (num <= 8)
144 return eid;
145 num -= 8;
146
147 *pos++ = WLAN_EID_EXT_SUPP_RATES;
148 *pos++ = num;
149 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
150 i++) {
151 count++;
152 if (count <= 8)
153 continue; /* already in SuppRates IE */
154 *pos = hapd->iface->current_rates[i].rate / 5;
155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
156 *pos |= 0x80;
157 pos++;
158 }
159
160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
161 count++;
162 if (count > 8)
163 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
164 }
165
166 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
167 count++;
168 if (count > 8)
169 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
170 }
171
172 return pos;
173 }
174
175
hostapd_own_capab_info(struct hostapd_data * hapd)176 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
177 {
178 int capab = WLAN_CAPABILITY_ESS;
179 int privacy;
180 int dfs;
181 int i;
182
183 /* Check if any of configured channels require DFS */
184 dfs = hostapd_is_dfs_required(hapd->iface);
185 if (dfs < 0) {
186 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
187 dfs);
188 dfs = 0;
189 }
190
191 if (hapd->iface->num_sta_no_short_preamble == 0 &&
192 hapd->iconf->preamble == SHORT_PREAMBLE)
193 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
194
195 privacy = hapd->conf->ssid.wep.keys_set;
196
197 if (hapd->conf->ieee802_1x &&
198 (hapd->conf->default_wep_key_len ||
199 hapd->conf->individual_wep_key_len))
200 privacy = 1;
201
202 if (hapd->conf->wpa)
203 privacy = 1;
204
205 #ifdef CONFIG_HS20
206 if (hapd->conf->osen)
207 privacy = 1;
208 #endif /* CONFIG_HS20 */
209
210 if (privacy)
211 capab |= WLAN_CAPABILITY_PRIVACY;
212
213 if (hapd->iface->current_mode &&
214 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
215 hapd->iface->num_sta_no_short_slot_time == 0)
216 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
217
218 /*
219 * Currently, Spectrum Management capability bit is set when directly
220 * requested in configuration by spectrum_mgmt_required or when AP is
221 * running on DFS channel.
222 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
223 */
224 if (hapd->iface->current_mode &&
225 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
226 (hapd->iconf->spectrum_mgmt_required || dfs))
227 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
228
229 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
230 if (hapd->conf->radio_measurements[i]) {
231 capab |= IEEE80211_CAP_RRM;
232 break;
233 }
234 }
235
236 return capab;
237 }
238
239
240 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)241 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
242 u16 auth_transaction, const u8 *challenge,
243 int iswep)
244 {
245 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
246 HOSTAPD_LEVEL_DEBUG,
247 "authentication (shared key, transaction %d)",
248 auth_transaction);
249
250 if (auth_transaction == 1) {
251 if (!sta->challenge) {
252 /* Generate a pseudo-random challenge */
253 u8 key[8];
254
255 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
256 if (sta->challenge == NULL)
257 return WLAN_STATUS_UNSPECIFIED_FAILURE;
258
259 if (os_get_random(key, sizeof(key)) < 0) {
260 os_free(sta->challenge);
261 sta->challenge = NULL;
262 return WLAN_STATUS_UNSPECIFIED_FAILURE;
263 }
264
265 rc4_skip(key, sizeof(key), 0,
266 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
267 }
268 return 0;
269 }
270
271 if (auth_transaction != 3)
272 return WLAN_STATUS_UNSPECIFIED_FAILURE;
273
274 /* Transaction 3 */
275 if (!iswep || !sta->challenge || !challenge ||
276 os_memcmp_const(sta->challenge, challenge,
277 WLAN_AUTH_CHALLENGE_LEN)) {
278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
279 HOSTAPD_LEVEL_INFO,
280 "shared key authentication - invalid "
281 "challenge-response");
282 return WLAN_STATUS_CHALLENGE_FAIL;
283 }
284
285 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
286 HOSTAPD_LEVEL_DEBUG,
287 "authentication OK (shared key)");
288 sta->flags |= WLAN_STA_AUTH;
289 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
290 os_free(sta->challenge);
291 sta->challenge = NULL;
292
293 return 0;
294 }
295 #endif /* CONFIG_NO_RC4 */
296
297
send_auth_reply(struct hostapd_data * hapd,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)298 static int send_auth_reply(struct hostapd_data *hapd,
299 const u8 *dst, const u8 *bssid,
300 u16 auth_alg, u16 auth_transaction, u16 resp,
301 const u8 *ies, size_t ies_len, const char *dbg)
302 {
303 struct ieee80211_mgmt *reply;
304 u8 *buf;
305 size_t rlen;
306 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
307
308 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
309 buf = os_zalloc(rlen);
310 if (buf == NULL)
311 return -1;
312
313 reply = (struct ieee80211_mgmt *) buf;
314 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
315 WLAN_FC_STYPE_AUTH);
316 os_memcpy(reply->da, dst, ETH_ALEN);
317 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
318 os_memcpy(reply->bssid, bssid, ETH_ALEN);
319
320 reply->u.auth.auth_alg = host_to_le16(auth_alg);
321 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
322 reply->u.auth.status_code = host_to_le16(resp);
323
324 if (ies && ies_len)
325 os_memcpy(reply->u.auth.variable, ies, ies_len);
326
327 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
328 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
329 MAC2STR(dst), auth_alg, auth_transaction,
330 resp, (unsigned long) ies_len, dbg);
331 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
332 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
333 else
334 reply_res = WLAN_STATUS_SUCCESS;
335
336 os_free(buf);
337
338 return reply_res;
339 }
340
341
342 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)343 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
344 u16 auth_transaction, u16 status,
345 const u8 *ies, size_t ies_len)
346 {
347 struct hostapd_data *hapd = ctx;
348 struct sta_info *sta;
349 int reply_res;
350
351 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
352 auth_transaction, status, ies, ies_len,
353 "auth-ft-finish");
354
355 sta = ap_get_sta(hapd, dst);
356 if (sta == NULL)
357 return;
358
359 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
360 status != WLAN_STATUS_SUCCESS)) {
361 hostapd_drv_sta_remove(hapd, sta->addr);
362 sta->added_unassoc = 0;
363 return;
364 }
365
366 if (status != WLAN_STATUS_SUCCESS)
367 return;
368
369 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
370 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
371 sta->flags |= WLAN_STA_AUTH;
372 mlme_authenticate_indication(hapd, sta);
373 }
374 #endif /* CONFIG_IEEE80211R_AP */
375
376
377 #ifdef CONFIG_SAE
378
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)379 static void sae_set_state(struct sta_info *sta, enum sae_state state,
380 const char *reason)
381 {
382 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
383 sae_state_txt(sta->sae->state), sae_state_txt(state),
384 MAC2STR(sta->addr), reason);
385 sta->sae->state = state;
386 }
387
388
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update)389 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
390 struct sta_info *sta, int update)
391 {
392 struct wpabuf *buf;
393 const char *password = NULL;
394 struct sae_password_entry *pw;
395 const char *rx_id = NULL;
396
397 if (sta->sae->tmp)
398 rx_id = sta->sae->tmp->pw_id;
399
400 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
401 if (!is_broadcast_ether_addr(pw->peer_addr) &&
402 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
403 continue;
404 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
405 continue;
406 if (rx_id && pw->identifier &&
407 os_strcmp(rx_id, pw->identifier) != 0)
408 continue;
409 password = pw->password;
410 break;
411 }
412 if (!password)
413 password = hapd->conf->ssid.wpa_passphrase;
414 if (!password) {
415 wpa_printf(MSG_DEBUG, "SAE: No password available");
416 return NULL;
417 }
418
419 if (update &&
420 sae_prepare_commit(hapd->own_addr, sta->addr,
421 (u8 *) password, os_strlen(password), rx_id,
422 sta->sae) < 0) {
423 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
424 return NULL;
425 }
426
427 if (pw && pw->vlan_id) {
428 if (!sta->sae->tmp) {
429 wpa_printf(MSG_INFO,
430 "SAE: No temporary data allocated - cannot store VLAN ID");
431 return NULL;
432 }
433 sta->sae->tmp->vlan_id = pw->vlan_id;
434 }
435
436 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
437 (rx_id ? 3 + os_strlen(rx_id) : 0));
438 if (buf == NULL)
439 return NULL;
440 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
441 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
442
443 return buf;
444 }
445
446
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)447 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
448 struct sta_info *sta)
449 {
450 struct wpabuf *buf;
451
452 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
453 if (buf == NULL)
454 return NULL;
455
456 sae_write_confirm(sta->sae, buf);
457
458 return buf;
459 }
460
461
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update)462 static int auth_sae_send_commit(struct hostapd_data *hapd,
463 struct sta_info *sta,
464 const u8 *bssid, int update)
465 {
466 struct wpabuf *data;
467 int reply_res;
468
469 data = auth_build_sae_commit(hapd, sta, update);
470 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
471 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
472 if (data == NULL)
473 return WLAN_STATUS_UNSPECIFIED_FAILURE;
474
475 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
476 WLAN_STATUS_SUCCESS, wpabuf_head(data),
477 wpabuf_len(data), "sae-send-commit");
478
479 wpabuf_free(data);
480
481 return reply_res;
482 }
483
484
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)485 static int auth_sae_send_confirm(struct hostapd_data *hapd,
486 struct sta_info *sta,
487 const u8 *bssid)
488 {
489 struct wpabuf *data;
490 int reply_res;
491
492 data = auth_build_sae_confirm(hapd, sta);
493 if (data == NULL)
494 return WLAN_STATUS_UNSPECIFIED_FAILURE;
495
496 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
497 WLAN_STATUS_SUCCESS, wpabuf_head(data),
498 wpabuf_len(data), "sae-send-confirm");
499
500 wpabuf_free(data);
501
502 return reply_res;
503 }
504
505
use_sae_anti_clogging(struct hostapd_data * hapd)506 static int use_sae_anti_clogging(struct hostapd_data *hapd)
507 {
508 struct sta_info *sta;
509 unsigned int open = 0;
510
511 if (hapd->conf->sae_anti_clogging_threshold == 0)
512 return 1;
513
514 for (sta = hapd->sta_list; sta; sta = sta->next) {
515 if (!sta->sae)
516 continue;
517 if (sta->sae->state != SAE_COMMITTED &&
518 sta->sae->state != SAE_CONFIRMED)
519 continue;
520 open++;
521 if (open >= hapd->conf->sae_anti_clogging_threshold)
522 return 1;
523 }
524
525 /* In addition to already existing open SAE sessions, check whether
526 * there are enough pending commit messages in the processing queue to
527 * potentially result in too many open sessions. */
528 if (open + dl_list_len(&hapd->sae_commit_queue) >=
529 hapd->conf->sae_anti_clogging_threshold)
530 return 1;
531
532 return 0;
533 }
534
535
sae_token_hash(struct hostapd_data * hapd,const u8 * addr)536 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
537 {
538 u8 hash[SHA256_MAC_LEN];
539
540 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
541 addr, ETH_ALEN, hash);
542 return hash[0];
543 }
544
545
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)546 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
547 const u8 *token, size_t token_len)
548 {
549 u8 mac[SHA256_MAC_LEN];
550 const u8 *addrs[2];
551 size_t len[2];
552 u16 token_idx;
553 u8 idx;
554
555 if (token_len != SHA256_MAC_LEN)
556 return -1;
557 idx = sae_token_hash(hapd, addr);
558 token_idx = hapd->sae_pending_token_idx[idx];
559 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
560 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
561 MACSTR " - token_idx 0x%04x, expected 0x%04x",
562 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
563 return -1;
564 }
565
566 addrs[0] = addr;
567 len[0] = ETH_ALEN;
568 addrs[1] = token;
569 len[1] = 2;
570 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
571 2, addrs, len, mac) < 0 ||
572 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
573 return -1;
574
575 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
576
577 return 0;
578 }
579
580
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr)581 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
582 int group, const u8 *addr)
583 {
584 struct wpabuf *buf;
585 u8 *token;
586 struct os_reltime now;
587 u8 idx[2];
588 const u8 *addrs[2];
589 size_t len[2];
590 u8 p_idx;
591 u16 token_idx;
592
593 os_get_reltime(&now);
594 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
595 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
596 hapd->sae_token_idx == 0xffff) {
597 if (random_get_bytes(hapd->sae_token_key,
598 sizeof(hapd->sae_token_key)) < 0)
599 return NULL;
600 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
601 hapd->sae_token_key, sizeof(hapd->sae_token_key));
602 hapd->last_sae_token_key_update = now;
603 hapd->sae_token_idx = 0;
604 os_memset(hapd->sae_pending_token_idx, 0,
605 sizeof(hapd->sae_pending_token_idx));
606 }
607
608 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
609 if (buf == NULL)
610 return NULL;
611
612 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
613
614 p_idx = sae_token_hash(hapd, addr);
615 token_idx = hapd->sae_pending_token_idx[p_idx];
616 if (!token_idx) {
617 hapd->sae_token_idx++;
618 token_idx = hapd->sae_token_idx;
619 hapd->sae_pending_token_idx[p_idx] = token_idx;
620 }
621 WPA_PUT_BE16(idx, token_idx);
622 token = wpabuf_put(buf, SHA256_MAC_LEN);
623 addrs[0] = addr;
624 len[0] = ETH_ALEN;
625 addrs[1] = idx;
626 len[1] = sizeof(idx);
627 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
628 2, addrs, len, token) < 0) {
629 wpabuf_free(buf);
630 return NULL;
631 }
632 WPA_PUT_BE16(token, token_idx);
633
634 return buf;
635 }
636
637
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)638 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
639 {
640 if (sta->sae->sync > hapd->conf->sae_sync) {
641 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
642 sta->sae->sync = 0;
643 return -1;
644 }
645 return 0;
646 }
647
648
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)649 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
650 {
651 struct hostapd_data *hapd = eloop_ctx;
652 struct sta_info *sta = eloop_data;
653 int ret;
654
655 if (sae_check_big_sync(hapd, sta))
656 return;
657 sta->sae->sync++;
658 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
659 " (sync=%d state=%s)",
660 MAC2STR(sta->addr), sta->sae->sync,
661 sae_state_txt(sta->sae->state));
662
663 switch (sta->sae->state) {
664 case SAE_COMMITTED:
665 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
666 eloop_register_timeout(0,
667 hapd->dot11RSNASAERetransPeriod * 1000,
668 auth_sae_retransmit_timer, hapd, sta);
669 break;
670 case SAE_CONFIRMED:
671 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
672 eloop_register_timeout(0,
673 hapd->dot11RSNASAERetransPeriod * 1000,
674 auth_sae_retransmit_timer, hapd, sta);
675 break;
676 default:
677 ret = -1;
678 break;
679 }
680
681 if (ret != WLAN_STATUS_SUCCESS)
682 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
683 }
684
685
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)686 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
687 {
688 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
689 }
690
691
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)692 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
693 struct sta_info *sta)
694 {
695 if (!(hapd->conf->mesh & MESH_ENABLED))
696 return;
697
698 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
699 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
700 auth_sae_retransmit_timer, hapd, sta);
701 }
702
703
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)704 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
705 struct sta_info *sta, u16 status)
706 {
707 struct external_auth params;
708
709 os_memset(¶ms, 0, sizeof(params));
710 params.status = status;
711 params.bssid = sta->addr;
712 if (status == WLAN_STATUS_SUCCESS && sta->sae)
713 params.pmkid = sta->sae->pmkid;
714
715 hostapd_drv_send_external_auth_status(hapd, ¶ms);
716 }
717
718
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)719 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
720 {
721 #ifndef CONFIG_NO_VLAN
722 struct vlan_description vlan_desc;
723
724 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
725 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
726 " to VLAN ID %d",
727 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
728
729 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
730 vlan_desc.notempty = 1;
731 vlan_desc.untagged = sta->sae->tmp->vlan_id;
732 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
733 wpa_printf(MSG_INFO,
734 "Invalid VLAN ID %d in sae_password",
735 sta->sae->tmp->vlan_id);
736 return;
737 }
738
739 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
740 ap_sta_bind_vlan(hapd, sta) < 0) {
741 wpa_printf(MSG_INFO,
742 "Failed to assign VLAN ID %d from sae_password to "
743 MACSTR, sta->sae->tmp->vlan_id,
744 MAC2STR(sta->addr));
745 return;
746 }
747 }
748 #endif /* CONFIG_NO_VLAN */
749
750 sta->flags |= WLAN_STA_AUTH;
751 sta->auth_alg = WLAN_AUTH_SAE;
752 mlme_authenticate_indication(hapd, sta);
753 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
754 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
755 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
756 sta->sae->pmk, sta->sae->pmkid);
757 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
758 }
759
760
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u8 auth_transaction,int allow_reuse,int * sta_removed)761 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
762 const u8 *bssid, u8 auth_transaction, int allow_reuse,
763 int *sta_removed)
764 {
765 int ret;
766
767 *sta_removed = 0;
768
769 if (auth_transaction != 1 && auth_transaction != 2)
770 return WLAN_STATUS_UNSPECIFIED_FAILURE;
771
772 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
773 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
774 auth_transaction);
775 switch (sta->sae->state) {
776 case SAE_NOTHING:
777 if (auth_transaction == 1) {
778 ret = auth_sae_send_commit(hapd, sta, bssid,
779 !allow_reuse);
780 if (ret)
781 return ret;
782 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
783
784 if (sae_process_commit(sta->sae) < 0)
785 return WLAN_STATUS_UNSPECIFIED_FAILURE;
786
787 /*
788 * In mesh case, both Commit and Confirm can be sent
789 * immediately. In infrastructure BSS, only a single
790 * Authentication frame (Commit) is expected from the AP
791 * here and the second one (Confirm) will be sent once
792 * the STA has sent its second Authentication frame
793 * (Confirm).
794 */
795 if (hapd->conf->mesh & MESH_ENABLED) {
796 /*
797 * Send both Commit and Confirm immediately
798 * based on SAE finite state machine
799 * Nothing -> Confirm transition.
800 */
801 ret = auth_sae_send_confirm(hapd, sta, bssid);
802 if (ret)
803 return ret;
804 sae_set_state(sta, SAE_CONFIRMED,
805 "Sent Confirm (mesh)");
806 } else {
807 /*
808 * For infrastructure BSS, send only the Commit
809 * message now to get alternating sequence of
810 * Authentication frames between the AP and STA.
811 * Confirm will be sent in
812 * Committed -> Confirmed/Accepted transition
813 * when receiving Confirm from STA.
814 */
815 }
816 sta->sae->sync = 0;
817 sae_set_retransmit_timer(hapd, sta);
818 } else {
819 hostapd_logger(hapd, sta->addr,
820 HOSTAPD_MODULE_IEEE80211,
821 HOSTAPD_LEVEL_DEBUG,
822 "SAE confirm before commit");
823 }
824 break;
825 case SAE_COMMITTED:
826 sae_clear_retransmit_timer(hapd, sta);
827 if (auth_transaction == 1) {
828 if (sae_process_commit(sta->sae) < 0)
829 return WLAN_STATUS_UNSPECIFIED_FAILURE;
830
831 ret = auth_sae_send_confirm(hapd, sta, bssid);
832 if (ret)
833 return ret;
834 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
835 sta->sae->sync = 0;
836 sae_set_retransmit_timer(hapd, sta);
837 } else if (hapd->conf->mesh & MESH_ENABLED) {
838 /*
839 * In mesh case, follow SAE finite state machine and
840 * send Commit now, if sync count allows.
841 */
842 if (sae_check_big_sync(hapd, sta))
843 return WLAN_STATUS_SUCCESS;
844 sta->sae->sync++;
845
846 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
847 if (ret)
848 return ret;
849
850 sae_set_retransmit_timer(hapd, sta);
851 } else {
852 /*
853 * For instructure BSS, send the postponed Confirm from
854 * Nothing -> Confirmed transition that was reduced to
855 * Nothing -> Committed above.
856 */
857 ret = auth_sae_send_confirm(hapd, sta, bssid);
858 if (ret)
859 return ret;
860
861 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
862
863 /*
864 * Since this was triggered on Confirm RX, run another
865 * step to get to Accepted without waiting for
866 * additional events.
867 */
868 return sae_sm_step(hapd, sta, bssid, auth_transaction,
869 0, sta_removed);
870 }
871 break;
872 case SAE_CONFIRMED:
873 sae_clear_retransmit_timer(hapd, sta);
874 if (auth_transaction == 1) {
875 if (sae_check_big_sync(hapd, sta))
876 return WLAN_STATUS_SUCCESS;
877 sta->sae->sync++;
878
879 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
880 if (ret)
881 return ret;
882
883 if (sae_process_commit(sta->sae) < 0)
884 return WLAN_STATUS_UNSPECIFIED_FAILURE;
885
886 ret = auth_sae_send_confirm(hapd, sta, bssid);
887 if (ret)
888 return ret;
889
890 sae_set_retransmit_timer(hapd, sta);
891 } else {
892 sta->sae->send_confirm = 0xffff;
893 sae_accept_sta(hapd, sta);
894 }
895 break;
896 case SAE_ACCEPTED:
897 if (auth_transaction == 1 &&
898 (hapd->conf->mesh & MESH_ENABLED)) {
899 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
900 ") doing reauthentication",
901 MAC2STR(sta->addr));
902 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
903 ap_free_sta(hapd, sta);
904 *sta_removed = 1;
905 } else if (auth_transaction == 1) {
906 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
907 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
908 if (ret)
909 return ret;
910 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
911
912 if (sae_process_commit(sta->sae) < 0)
913 return WLAN_STATUS_UNSPECIFIED_FAILURE;
914 sta->sae->sync = 0;
915 sae_set_retransmit_timer(hapd, sta);
916 } else {
917 if (sae_check_big_sync(hapd, sta))
918 return WLAN_STATUS_SUCCESS;
919 sta->sae->sync++;
920
921 ret = auth_sae_send_confirm(hapd, sta, bssid);
922 sae_clear_temp_data(sta->sae);
923 if (ret)
924 return ret;
925 }
926 break;
927 default:
928 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
929 sta->sae->state);
930 return WLAN_STATUS_UNSPECIFIED_FAILURE;
931 }
932 return WLAN_STATUS_SUCCESS;
933 }
934
935
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)936 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
937 {
938 struct sae_data *sae = sta->sae;
939 int i, *groups = hapd->conf->sae_groups;
940 int default_groups[] = { 19, 0 };
941
942 if (sae->state != SAE_COMMITTED)
943 return;
944
945 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
946
947 if (!groups)
948 groups = default_groups;
949 for (i = 0; groups[i] > 0; i++) {
950 if (sae->group == groups[i])
951 break;
952 }
953
954 if (groups[i] <= 0) {
955 wpa_printf(MSG_DEBUG,
956 "SAE: Previously selected group not found from the current configuration");
957 return;
958 }
959
960 for (;;) {
961 i++;
962 if (groups[i] <= 0) {
963 wpa_printf(MSG_DEBUG,
964 "SAE: No alternative group enabled");
965 return;
966 }
967
968 if (sae_set_group(sae, groups[i]) < 0)
969 continue;
970
971 break;
972 }
973 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
974 }
975
976
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)977 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
978 const struct ieee80211_mgmt *mgmt, size_t len,
979 u16 auth_transaction, u16 status_code)
980 {
981 int resp = WLAN_STATUS_SUCCESS;
982 struct wpabuf *data = NULL;
983 int *groups = hapd->conf->sae_groups;
984 int default_groups[] = { 19, 0 };
985 const u8 *pos, *end;
986 int sta_removed = 0;
987
988 if (!groups)
989 groups = default_groups;
990
991 #ifdef CONFIG_TESTING_OPTIONS
992 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
993 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
994 pos = mgmt->u.auth.variable;
995 end = ((const u8 *) mgmt) + len;
996 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
997 auth_transaction, resp, pos, end - pos,
998 "auth-sae-reflection-attack");
999 goto remove_sta;
1000 }
1001
1002 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1003 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1004 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1005 auth_transaction, resp,
1006 wpabuf_head(hapd->conf->sae_commit_override),
1007 wpabuf_len(hapd->conf->sae_commit_override),
1008 "sae-commit-override");
1009 goto remove_sta;
1010 }
1011 #endif /* CONFIG_TESTING_OPTIONS */
1012 if (!sta->sae) {
1013 if (auth_transaction != 1 ||
1014 status_code != WLAN_STATUS_SUCCESS) {
1015 resp = -1;
1016 goto remove_sta;
1017 }
1018 sta->sae = os_zalloc(sizeof(*sta->sae));
1019 if (!sta->sae) {
1020 resp = -1;
1021 goto remove_sta;
1022 }
1023 sae_set_state(sta, SAE_NOTHING, "Init");
1024 sta->sae->sync = 0;
1025 }
1026
1027 if (sta->mesh_sae_pmksa_caching) {
1028 wpa_printf(MSG_DEBUG,
1029 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1030 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1031 sta->mesh_sae_pmksa_caching = 0;
1032 }
1033
1034 if (auth_transaction == 1) {
1035 const u8 *token = NULL;
1036 size_t token_len = 0;
1037 int allow_reuse = 0;
1038
1039 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1040 HOSTAPD_LEVEL_DEBUG,
1041 "start SAE authentication (RX commit, status=%u)",
1042 status_code);
1043
1044 if ((hapd->conf->mesh & MESH_ENABLED) &&
1045 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1046 sta->sae->tmp) {
1047 pos = mgmt->u.auth.variable;
1048 end = ((const u8 *) mgmt) + len;
1049 if (pos + sizeof(le16) > end) {
1050 wpa_printf(MSG_ERROR,
1051 "SAE: Too short anti-clogging token request");
1052 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1053 goto reply;
1054 }
1055 resp = sae_group_allowed(sta->sae, groups,
1056 WPA_GET_LE16(pos));
1057 if (resp != WLAN_STATUS_SUCCESS) {
1058 wpa_printf(MSG_ERROR,
1059 "SAE: Invalid group in anti-clogging token request");
1060 goto reply;
1061 }
1062 pos += sizeof(le16);
1063
1064 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1065 sta->sae->tmp->anti_clogging_token =
1066 wpabuf_alloc_copy(pos, end - pos);
1067 if (sta->sae->tmp->anti_clogging_token == NULL) {
1068 wpa_printf(MSG_ERROR,
1069 "SAE: Failed to alloc for anti-clogging token");
1070 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1071 goto remove_sta;
1072 }
1073
1074 /*
1075 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1076 * is 76, a new Commit Message shall be constructed
1077 * with the Anti-Clogging Token from the received
1078 * Authentication frame, and the commit-scalar and
1079 * COMMIT-ELEMENT previously sent.
1080 */
1081 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
1082 if (resp != WLAN_STATUS_SUCCESS) {
1083 wpa_printf(MSG_ERROR,
1084 "SAE: Failed to send commit message");
1085 goto remove_sta;
1086 }
1087 sae_set_state(sta, SAE_COMMITTED,
1088 "Sent Commit (anti-clogging token case in mesh)");
1089 sta->sae->sync = 0;
1090 sae_set_retransmit_timer(hapd, sta);
1091 return;
1092 }
1093
1094 if ((hapd->conf->mesh & MESH_ENABLED) &&
1095 status_code ==
1096 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1097 sta->sae->tmp) {
1098 wpa_printf(MSG_DEBUG,
1099 "SAE: Peer did not accept our SAE group");
1100 sae_pick_next_group(hapd, sta);
1101 goto remove_sta;
1102 }
1103
1104 if (status_code != WLAN_STATUS_SUCCESS)
1105 goto remove_sta;
1106
1107 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1108 sta->sae->state == SAE_COMMITTED) {
1109 /* This is needed in the infrastructure BSS case to
1110 * address a sequence where a STA entry may remain in
1111 * hostapd across two attempts to do SAE authentication
1112 * by the same STA. The second attempt may end up trying
1113 * to use a different group and that would not be
1114 * allowed if we remain in Committed state with the
1115 * previously set parameters. */
1116 pos = mgmt->u.auth.variable;
1117 end = ((const u8 *) mgmt) + len;
1118 if (end - pos >= (int) sizeof(le16) &&
1119 sae_group_allowed(sta->sae, groups,
1120 WPA_GET_LE16(pos)) ==
1121 WLAN_STATUS_SUCCESS) {
1122 /* Do not waste resources deriving the same PWE
1123 * again since the same group is reused. */
1124 sae_set_state(sta, SAE_NOTHING,
1125 "Allow previous PWE to be reused");
1126 allow_reuse = 1;
1127 } else {
1128 sae_set_state(sta, SAE_NOTHING,
1129 "Clear existing state to allow restart");
1130 sae_clear_data(sta->sae);
1131 }
1132 }
1133
1134 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1135 ((const u8 *) mgmt) + len -
1136 mgmt->u.auth.variable, &token,
1137 &token_len, groups);
1138 if (resp == SAE_SILENTLY_DISCARD) {
1139 wpa_printf(MSG_DEBUG,
1140 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1141 MAC2STR(sta->addr));
1142 goto remove_sta;
1143 }
1144
1145 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1146 wpa_msg(hapd->msg_ctx, MSG_INFO,
1147 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1148 MACSTR, MAC2STR(sta->addr));
1149 sae_clear_retransmit_timer(hapd, sta);
1150 sae_set_state(sta, SAE_NOTHING,
1151 "Unknown Password Identifier");
1152 goto remove_sta;
1153 }
1154
1155 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1156 < 0) {
1157 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1158 "incorrect token from " MACSTR,
1159 MAC2STR(sta->addr));
1160 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1161 goto remove_sta;
1162 }
1163
1164 if (resp != WLAN_STATUS_SUCCESS)
1165 goto reply;
1166
1167 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1168 wpa_printf(MSG_DEBUG,
1169 "SAE: Request anti-clogging token from "
1170 MACSTR, MAC2STR(sta->addr));
1171 data = auth_build_token_req(hapd, sta->sae->group,
1172 sta->addr);
1173 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1174 if (hapd->conf->mesh & MESH_ENABLED)
1175 sae_set_state(sta, SAE_NOTHING,
1176 "Request anti-clogging token case in mesh");
1177 goto reply;
1178 }
1179
1180 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1181 allow_reuse, &sta_removed);
1182 } else if (auth_transaction == 2) {
1183 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1184 HOSTAPD_LEVEL_DEBUG,
1185 "SAE authentication (RX confirm, status=%u)",
1186 status_code);
1187 if (status_code != WLAN_STATUS_SUCCESS)
1188 goto remove_sta;
1189 if (sta->sae->state >= SAE_CONFIRMED ||
1190 !(hapd->conf->mesh & MESH_ENABLED)) {
1191 const u8 *var;
1192 size_t var_len;
1193 u16 peer_send_confirm;
1194
1195 var = mgmt->u.auth.variable;
1196 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1197 if (var_len < 2) {
1198 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1199 goto reply;
1200 }
1201
1202 peer_send_confirm = WPA_GET_LE16(var);
1203
1204 if (sta->sae->state == SAE_ACCEPTED &&
1205 (peer_send_confirm <= sta->sae->rc ||
1206 peer_send_confirm == 0xffff)) {
1207 wpa_printf(MSG_DEBUG,
1208 "SAE: Silently ignore unexpected Confirm from peer "
1209 MACSTR
1210 " (peer-send-confirm=%u Rc=%u)",
1211 MAC2STR(sta->addr),
1212 peer_send_confirm, sta->sae->rc);
1213 return;
1214 }
1215
1216 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1217 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1218 goto reply;
1219 }
1220 sta->sae->rc = peer_send_confirm;
1221 }
1222 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0,
1223 &sta_removed);
1224 } else {
1225 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1226 HOSTAPD_LEVEL_DEBUG,
1227 "unexpected SAE authentication transaction %u (status=%u)",
1228 auth_transaction, status_code);
1229 if (status_code != WLAN_STATUS_SUCCESS)
1230 goto remove_sta;
1231 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1232 }
1233
1234 reply:
1235 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1236 pos = mgmt->u.auth.variable;
1237 end = ((const u8 *) mgmt) + len;
1238
1239 /* Copy the Finite Cyclic Group field from the request if we
1240 * rejected it as unsupported group. */
1241 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1242 !data && end - pos >= 2)
1243 data = wpabuf_alloc_copy(pos, 2);
1244
1245 sae_sme_send_external_auth_status(hapd, sta, resp);
1246 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1247 auth_transaction, resp,
1248 data ? wpabuf_head(data) : (u8 *) "",
1249 data ? wpabuf_len(data) : 0, "auth-sae");
1250 }
1251
1252 remove_sta:
1253 if (!sta_removed && sta->added_unassoc &&
1254 (resp != WLAN_STATUS_SUCCESS ||
1255 status_code != WLAN_STATUS_SUCCESS)) {
1256 hostapd_drv_sta_remove(hapd, sta->addr);
1257 sta->added_unassoc = 0;
1258 }
1259 wpabuf_free(data);
1260 }
1261
1262
1263 /**
1264 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1265 * @hapd: BSS data for the device initiating the authentication
1266 * @sta: the peer to which commit authentication frame is sent
1267 *
1268 * This function implements Init event handling (IEEE Std 802.11-2012,
1269 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1270 * sta->sae structure should be initialized appropriately via a call to
1271 * sae_prepare_commit().
1272 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1273 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1274 {
1275 int ret;
1276
1277 if (!sta->sae || !sta->sae->tmp)
1278 return -1;
1279
1280 if (sta->sae->state != SAE_NOTHING)
1281 return -1;
1282
1283 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1284 if (ret)
1285 return -1;
1286
1287 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1288 sta->sae->sync = 0;
1289 sae_set_retransmit_timer(hapd, sta);
1290
1291 return 0;
1292 }
1293
1294
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1295 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1296 {
1297 struct hostapd_data *hapd = eloop_ctx;
1298 struct hostapd_sae_commit_queue *q;
1299 unsigned int queue_len;
1300
1301 q = dl_list_first(&hapd->sae_commit_queue,
1302 struct hostapd_sae_commit_queue, list);
1303 if (!q)
1304 return;
1305 wpa_printf(MSG_DEBUG,
1306 "SAE: Process next available message from queue");
1307 dl_list_del(&q->list);
1308 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1309 q->rssi, 1);
1310 os_free(q);
1311
1312 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1313 return;
1314 queue_len = dl_list_len(&hapd->sae_commit_queue);
1315 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1316 hapd, NULL);
1317 }
1318
1319
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1320 static void auth_sae_queue(struct hostapd_data *hapd,
1321 const struct ieee80211_mgmt *mgmt, size_t len,
1322 int rssi)
1323 {
1324 struct hostapd_sae_commit_queue *q, *q2;
1325 unsigned int queue_len;
1326 const struct ieee80211_mgmt *mgmt2;
1327
1328 queue_len = dl_list_len(&hapd->sae_commit_queue);
1329 if (queue_len >= 15) {
1330 wpa_printf(MSG_DEBUG,
1331 "SAE: No more room in message queue - drop the new frame from "
1332 MACSTR, MAC2STR(mgmt->sa));
1333 return;
1334 }
1335
1336 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1337 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1338 queue_len);
1339 q = os_zalloc(sizeof(*q) + len);
1340 if (!q)
1341 return;
1342 q->rssi = rssi;
1343 q->len = len;
1344 os_memcpy(q->msg, mgmt, len);
1345
1346 /* Check whether there is already a queued Authentication frame from the
1347 * same station with the same transaction number and if so, replace that
1348 * queue entry with the new one. This avoids issues with a peer that
1349 * sends multiple times (e.g., due to frequent SAE retries). There is no
1350 * point in us trying to process the old attempts after a new one has
1351 * obsoleted them. */
1352 dl_list_for_each(q2, &hapd->sae_commit_queue,
1353 struct hostapd_sae_commit_queue, list) {
1354 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1355 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1356 mgmt->u.auth.auth_transaction ==
1357 mgmt2->u.auth.auth_transaction) {
1358 wpa_printf(MSG_DEBUG,
1359 "SAE: Replace queued message from same STA with same transaction number");
1360 dl_list_add(&q2->list, &q->list);
1361 dl_list_del(&q2->list);
1362 os_free(q2);
1363 goto queued;
1364 }
1365 }
1366
1367 /* No pending identical entry, so add to the end of the queue */
1368 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1369
1370 queued:
1371 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1372 return;
1373 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1374 hapd, NULL);
1375 }
1376
1377
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1378 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1379 {
1380 struct hostapd_sae_commit_queue *q;
1381 const struct ieee80211_mgmt *mgmt;
1382
1383 dl_list_for_each(q, &hapd->sae_commit_queue,
1384 struct hostapd_sae_commit_queue, list) {
1385 mgmt = (const struct ieee80211_mgmt *) q->msg;
1386 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1387 return 1;
1388 }
1389
1390 return 0;
1391 }
1392
1393 #endif /* CONFIG_SAE */
1394
1395
wpa_res_to_status_code(int res)1396 static u16 wpa_res_to_status_code(int res)
1397 {
1398 if (res == WPA_INVALID_GROUP)
1399 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1400 if (res == WPA_INVALID_PAIRWISE)
1401 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1402 if (res == WPA_INVALID_AKMP)
1403 return WLAN_STATUS_AKMP_NOT_VALID;
1404 if (res == WPA_ALLOC_FAIL)
1405 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1406 #ifdef CONFIG_IEEE80211W
1407 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1408 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1409 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1410 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1411 #endif /* CONFIG_IEEE80211W */
1412 if (res == WPA_INVALID_MDIE)
1413 return WLAN_STATUS_INVALID_MDIE;
1414 if (res == WPA_INVALID_PMKID)
1415 return WLAN_STATUS_INVALID_PMKID;
1416 if (res != WPA_IE_OK)
1417 return WLAN_STATUS_INVALID_IE;
1418 return WLAN_STATUS_SUCCESS;
1419 }
1420
1421
1422 #ifdef CONFIG_FILS
1423
1424 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1425 struct sta_info *sta, u16 resp,
1426 struct wpabuf *data, int pub);
1427
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1428 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1429 const u8 *pos, size_t len, u16 auth_alg,
1430 u16 auth_transaction, u16 status_code,
1431 void (*cb)(struct hostapd_data *hapd,
1432 struct sta_info *sta, u16 resp,
1433 struct wpabuf *data, int pub))
1434 {
1435 u16 resp = WLAN_STATUS_SUCCESS;
1436 const u8 *end;
1437 struct ieee802_11_elems elems;
1438 int res;
1439 struct wpa_ie_data rsn;
1440 struct rsn_pmksa_cache_entry *pmksa = NULL;
1441
1442 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1443 return;
1444
1445 end = pos + len;
1446
1447 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1448 pos, end - pos);
1449
1450 /* TODO: FILS PK */
1451 #ifdef CONFIG_FILS_SK_PFS
1452 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1453 u16 group;
1454 struct wpabuf *pub;
1455 size_t elem_len;
1456
1457 /* Using FILS PFS */
1458
1459 /* Finite Cyclic Group */
1460 if (end - pos < 2) {
1461 wpa_printf(MSG_DEBUG,
1462 "FILS: No room for Finite Cyclic Group");
1463 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1464 goto fail;
1465 }
1466 group = WPA_GET_LE16(pos);
1467 pos += 2;
1468 if (group != hapd->conf->fils_dh_group) {
1469 wpa_printf(MSG_DEBUG,
1470 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1471 group, hapd->conf->fils_dh_group);
1472 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1473 goto fail;
1474 }
1475
1476 crypto_ecdh_deinit(sta->fils_ecdh);
1477 sta->fils_ecdh = crypto_ecdh_init(group);
1478 if (!sta->fils_ecdh) {
1479 wpa_printf(MSG_INFO,
1480 "FILS: Could not initialize ECDH with group %d",
1481 group);
1482 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1483 goto fail;
1484 }
1485
1486 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1487 if (!pub) {
1488 wpa_printf(MSG_DEBUG,
1489 "FILS: Failed to derive ECDH public key");
1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1491 goto fail;
1492 }
1493 elem_len = wpabuf_len(pub);
1494 wpabuf_free(pub);
1495
1496 /* Element */
1497 if ((size_t) (end - pos) < elem_len) {
1498 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1499 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1500 goto fail;
1501 }
1502
1503 wpabuf_free(sta->fils_g_sta);
1504 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1505 wpabuf_clear_free(sta->fils_dh_ss);
1506 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1507 pos, elem_len);
1508 if (!sta->fils_dh_ss) {
1509 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1510 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 goto fail;
1512 }
1513 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1514 pos += elem_len;
1515 } else {
1516 crypto_ecdh_deinit(sta->fils_ecdh);
1517 sta->fils_ecdh = NULL;
1518 wpabuf_clear_free(sta->fils_dh_ss);
1519 sta->fils_dh_ss = NULL;
1520 }
1521 #endif /* CONFIG_FILS_SK_PFS */
1522
1523 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1524 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1525 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1526 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1527 goto fail;
1528 }
1529
1530 /* RSNE */
1531 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1532 elems.rsn_ie, elems.rsn_ie_len);
1533 if (!elems.rsn_ie ||
1534 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1535 &rsn) < 0) {
1536 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1537 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1538 goto fail;
1539 }
1540
1541 if (!sta->wpa_sm)
1542 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1543 NULL);
1544 if (!sta->wpa_sm) {
1545 wpa_printf(MSG_DEBUG,
1546 "FILS: Failed to initialize RSN state machine");
1547 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1548 goto fail;
1549 }
1550
1551 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1552 hapd->iface->freq,
1553 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1554 elems.mdie, elems.mdie_len, NULL, 0);
1555 resp = wpa_res_to_status_code(res);
1556 if (resp != WLAN_STATUS_SUCCESS)
1557 goto fail;
1558
1559 if (!elems.fils_nonce) {
1560 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1561 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1562 goto fail;
1563 }
1564 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1565 FILS_NONCE_LEN);
1566 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1567
1568 /* PMKID List */
1569 if (rsn.pmkid && rsn.num_pmkid > 0) {
1570 u8 num;
1571 const u8 *pmkid;
1572
1573 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1574 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1575
1576 pmkid = rsn.pmkid;
1577 num = rsn.num_pmkid;
1578 while (num) {
1579 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1580 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1581 pmkid);
1582 if (pmksa)
1583 break;
1584 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1585 sta->addr,
1586 pmkid);
1587 if (pmksa)
1588 break;
1589 pmkid += PMKID_LEN;
1590 num--;
1591 }
1592 }
1593 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1594 wpa_printf(MSG_DEBUG,
1595 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1596 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1597 pmksa = NULL;
1598 }
1599 if (pmksa)
1600 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1601
1602 /* FILS Session */
1603 if (!elems.fils_session) {
1604 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1605 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1606 goto fail;
1607 }
1608 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1609 FILS_SESSION_LEN);
1610 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1611
1612 /* FILS Wrapped Data */
1613 if (elems.fils_wrapped_data) {
1614 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1615 elems.fils_wrapped_data,
1616 elems.fils_wrapped_data_len);
1617 if (!pmksa) {
1618 #ifndef CONFIG_NO_RADIUS
1619 if (!sta->eapol_sm) {
1620 sta->eapol_sm =
1621 ieee802_1x_alloc_eapol_sm(hapd, sta);
1622 }
1623 wpa_printf(MSG_DEBUG,
1624 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1625 ieee802_1x_encapsulate_radius(
1626 hapd, sta, elems.fils_wrapped_data,
1627 elems.fils_wrapped_data_len);
1628 sta->fils_pending_cb = cb;
1629 wpa_printf(MSG_DEBUG,
1630 "FILS: Will send Authentication frame once the response from authentication server is available");
1631 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1632 /* Calculate pending PMKID here so that we do not need
1633 * to maintain a copy of the EAP-Initiate/Reauth
1634 * message. */
1635 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1636 elems.fils_wrapped_data,
1637 elems.fils_wrapped_data_len,
1638 sta->fils_erp_pmkid) == 0)
1639 sta->fils_erp_pmkid_set = 1;
1640 return;
1641 #else /* CONFIG_NO_RADIUS */
1642 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1643 goto fail;
1644 #endif /* CONFIG_NO_RADIUS */
1645 }
1646 }
1647
1648 fail:
1649 if (cb) {
1650 struct wpabuf *data;
1651 int pub = 0;
1652
1653 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1654 NULL, 0, &pub);
1655 if (!data) {
1656 wpa_printf(MSG_DEBUG,
1657 "%s: prepare_auth_resp_fils() returned failure",
1658 __func__);
1659 }
1660
1661 cb(hapd, sta, resp, data, pub);
1662 }
1663 }
1664
1665
1666 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1667 prepare_auth_resp_fils(struct hostapd_data *hapd,
1668 struct sta_info *sta, u16 *resp,
1669 struct rsn_pmksa_cache_entry *pmksa,
1670 struct wpabuf *erp_resp,
1671 const u8 *msk, size_t msk_len,
1672 int *is_pub)
1673 {
1674 u8 fils_nonce[FILS_NONCE_LEN];
1675 size_t ielen;
1676 struct wpabuf *data = NULL;
1677 const u8 *ie;
1678 u8 *ie_buf = NULL;
1679 const u8 *pmk = NULL;
1680 size_t pmk_len = 0;
1681 u8 pmk_buf[PMK_LEN_MAX];
1682 struct wpabuf *pub = NULL;
1683
1684 if (*resp != WLAN_STATUS_SUCCESS)
1685 goto fail;
1686
1687 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1688 if (!ie) {
1689 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1690 goto fail;
1691 }
1692
1693 if (pmksa) {
1694 /* Add PMKID of the selected PMKSA into RSNE */
1695 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1696 if (!ie_buf) {
1697 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1698 goto fail;
1699 }
1700
1701 os_memcpy(ie_buf, ie, ielen);
1702 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1703 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1704 goto fail;
1705 }
1706 ie = ie_buf;
1707 }
1708
1709 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1710 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1711 goto fail;
1712 }
1713 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1714 fils_nonce, FILS_NONCE_LEN);
1715
1716 #ifdef CONFIG_FILS_SK_PFS
1717 if (sta->fils_dh_ss && sta->fils_ecdh) {
1718 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1719 if (!pub) {
1720 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1721 goto fail;
1722 }
1723 }
1724 #endif /* CONFIG_FILS_SK_PFS */
1725
1726 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1727 if (!data) {
1728 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1729 goto fail;
1730 }
1731
1732 /* TODO: FILS PK */
1733 #ifdef CONFIG_FILS_SK_PFS
1734 if (pub) {
1735 /* Finite Cyclic Group */
1736 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1737
1738 /* Element */
1739 wpabuf_put_buf(data, pub);
1740 }
1741 #endif /* CONFIG_FILS_SK_PFS */
1742
1743 /* RSNE */
1744 wpabuf_put_data(data, ie, ielen);
1745
1746 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1747
1748 #ifdef CONFIG_IEEE80211R_AP
1749 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1750 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1751 int res;
1752 int use_sha384 = wpa_key_mgmt_sha384(
1753 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1754
1755 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1756 wpabuf_put(data, 0),
1757 wpabuf_tailroom(data));
1758 if (res < 0) {
1759 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1760 goto fail;
1761 }
1762 wpabuf_put(data, res);
1763 }
1764 #endif /* CONFIG_IEEE80211R_AP */
1765
1766 /* FILS Nonce */
1767 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1768 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1769 /* Element ID Extension */
1770 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1771 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1772
1773 /* FILS Session */
1774 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1775 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1776 /* Element ID Extension */
1777 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1778 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1779
1780 /* FILS Wrapped Data */
1781 if (!pmksa && erp_resp) {
1782 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1783 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1784 /* Element ID Extension */
1785 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1786 wpabuf_put_buf(data, erp_resp);
1787
1788 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1789 msk, msk_len, sta->fils_snonce, fils_nonce,
1790 sta->fils_dh_ss ?
1791 wpabuf_head(sta->fils_dh_ss) : NULL,
1792 sta->fils_dh_ss ?
1793 wpabuf_len(sta->fils_dh_ss) : 0,
1794 pmk_buf, &pmk_len)) {
1795 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1796 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1797 wpabuf_free(data);
1798 data = NULL;
1799 goto fail;
1800 }
1801 pmk = pmk_buf;
1802
1803 /* Don't use DHss in PTK derivation if PMKSA caching is not
1804 * used. */
1805 wpabuf_clear_free(sta->fils_dh_ss);
1806 sta->fils_dh_ss = NULL;
1807
1808 if (sta->fils_erp_pmkid_set) {
1809 /* TODO: get PMKLifetime from WPA parameters */
1810 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1811 int session_timeout;
1812
1813 session_timeout = dot11RSNAConfigPMKLifetime;
1814 if (sta->session_timeout_set) {
1815 struct os_reltime now, diff;
1816
1817 os_get_reltime(&now);
1818 os_reltime_sub(&sta->session_timeout, &now,
1819 &diff);
1820 session_timeout = diff.sec;
1821 }
1822
1823 sta->fils_erp_pmkid_set = 0;
1824 if (!hapd->conf->disable_pmksa_caching &&
1825 wpa_auth_pmksa_add2(
1826 hapd->wpa_auth, sta->addr,
1827 pmk, pmk_len,
1828 sta->fils_erp_pmkid,
1829 session_timeout,
1830 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1831 wpa_printf(MSG_ERROR,
1832 "FILS: Failed to add PMKSA cache entry based on ERP");
1833 }
1834 }
1835 } else if (pmksa) {
1836 pmk = pmksa->pmk;
1837 pmk_len = pmksa->pmk_len;
1838 }
1839
1840 if (!pmk) {
1841 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1842 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1843 wpabuf_free(data);
1844 data = NULL;
1845 goto fail;
1846 }
1847
1848 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1849 sta->fils_snonce, fils_nonce,
1850 sta->fils_dh_ss ?
1851 wpabuf_head(sta->fils_dh_ss) : NULL,
1852 sta->fils_dh_ss ?
1853 wpabuf_len(sta->fils_dh_ss) : 0,
1854 sta->fils_g_sta, pub) < 0) {
1855 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1856 wpabuf_free(data);
1857 data = NULL;
1858 goto fail;
1859 }
1860
1861 fail:
1862 if (is_pub)
1863 *is_pub = pub != NULL;
1864 os_free(ie_buf);
1865 wpabuf_free(pub);
1866 wpabuf_clear_free(sta->fils_dh_ss);
1867 sta->fils_dh_ss = NULL;
1868 #ifdef CONFIG_FILS_SK_PFS
1869 crypto_ecdh_deinit(sta->fils_ecdh);
1870 sta->fils_ecdh = NULL;
1871 #endif /* CONFIG_FILS_SK_PFS */
1872 return data;
1873 }
1874
1875
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)1876 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1877 struct sta_info *sta, u16 resp,
1878 struct wpabuf *data, int pub)
1879 {
1880 u16 auth_alg;
1881
1882 auth_alg = (pub ||
1883 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1884 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1885 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1886 data ? wpabuf_head(data) : (u8 *) "",
1887 data ? wpabuf_len(data) : 0, "auth-fils-finish");
1888 wpabuf_free(data);
1889
1890 if (resp == WLAN_STATUS_SUCCESS) {
1891 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1892 HOSTAPD_LEVEL_DEBUG,
1893 "authentication OK (FILS)");
1894 sta->flags |= WLAN_STA_AUTH;
1895 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1896 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1897 mlme_authenticate_indication(hapd, sta);
1898 }
1899 }
1900
1901
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)1902 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1903 struct sta_info *sta, int success,
1904 struct wpabuf *erp_resp,
1905 const u8 *msk, size_t msk_len)
1906 {
1907 struct wpabuf *data;
1908 int pub = 0;
1909 u16 resp;
1910
1911 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1912
1913 if (!sta->fils_pending_cb)
1914 return;
1915 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1916 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1917 msk, msk_len, &pub);
1918 if (!data) {
1919 wpa_printf(MSG_DEBUG,
1920 "%s: prepare_auth_resp_fils() returned failure",
1921 __func__);
1922 }
1923 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1924 }
1925
1926 #endif /* CONFIG_FILS */
1927
1928
1929 int
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,u32 * session_timeout,u32 * acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui,int is_probe_req)1930 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1931 const u8 *msg, size_t len, u32 *session_timeout,
1932 u32 *acct_interim_interval,
1933 struct vlan_description *vlan_id,
1934 struct hostapd_sta_wpa_psk_short **psk,
1935 char **identity, char **radius_cui, int is_probe_req)
1936 {
1937 int res;
1938
1939 os_memset(vlan_id, 0, sizeof(*vlan_id));
1940 res = hostapd_allowed_address(hapd, addr, msg, len,
1941 session_timeout, acct_interim_interval,
1942 vlan_id, psk, identity, radius_cui,
1943 is_probe_req);
1944
1945 if (res == HOSTAPD_ACL_REJECT) {
1946 if (!is_probe_req)
1947 wpa_printf(MSG_DEBUG,
1948 "Station " MACSTR
1949 " not allowed to authenticate",
1950 MAC2STR(addr));
1951 return HOSTAPD_ACL_REJECT;
1952 }
1953
1954 if (res == HOSTAPD_ACL_PENDING) {
1955 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1956 " waiting for an external authentication",
1957 MAC2STR(addr));
1958 /* Authentication code will re-send the authentication frame
1959 * after it has received (and cached) information from the
1960 * external source. */
1961 return HOSTAPD_ACL_PENDING;
1962 }
1963
1964 return res;
1965 }
1966
1967
1968 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,u32 session_timeout,u32 acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui)1969 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1970 int res, u32 session_timeout,
1971 u32 acct_interim_interval,
1972 struct vlan_description *vlan_id,
1973 struct hostapd_sta_wpa_psk_short **psk,
1974 char **identity, char **radius_cui)
1975 {
1976 if (vlan_id->notempty &&
1977 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1978 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1979 HOSTAPD_LEVEL_INFO,
1980 "Invalid VLAN %d%s received from RADIUS server",
1981 vlan_id->untagged,
1982 vlan_id->tagged[0] ? "+" : "");
1983 return -1;
1984 }
1985 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1986 return -1;
1987 if (sta->vlan_id)
1988 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1989 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1990
1991 hostapd_free_psk_list(sta->psk);
1992 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
1993 sta->psk = *psk;
1994 *psk = NULL;
1995 } else {
1996 sta->psk = NULL;
1997 }
1998
1999 os_free(sta->identity);
2000 sta->identity = *identity;
2001 *identity = NULL;
2002
2003 os_free(sta->radius_cui);
2004 sta->radius_cui = *radius_cui;
2005 *radius_cui = NULL;
2006
2007 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2008 sta->acct_interim_interval = acct_interim_interval;
2009 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2010 sta->session_timeout_set = 1;
2011 os_get_reltime(&sta->session_timeout);
2012 sta->session_timeout.sec += session_timeout;
2013 ap_sta_session_timeout(hapd, sta, session_timeout);
2014 } else {
2015 sta->session_timeout_set = 0;
2016 ap_sta_no_session_timeout(hapd, sta);
2017 }
2018
2019 return 0;
2020 }
2021
2022
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)2023 static void handle_auth(struct hostapd_data *hapd,
2024 const struct ieee80211_mgmt *mgmt, size_t len,
2025 int rssi, int from_queue)
2026 {
2027 u16 auth_alg, auth_transaction, status_code;
2028 u16 resp = WLAN_STATUS_SUCCESS;
2029 struct sta_info *sta = NULL;
2030 int res, reply_res;
2031 u16 fc;
2032 const u8 *challenge = NULL;
2033 u32 session_timeout, acct_interim_interval;
2034 struct vlan_description vlan_id;
2035 struct hostapd_sta_wpa_psk_short *psk = NULL;
2036 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2037 size_t resp_ies_len = 0;
2038 char *identity = NULL;
2039 char *radius_cui = NULL;
2040 u16 seq_ctrl;
2041
2042 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2043 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2044 (unsigned long) len);
2045 return;
2046 }
2047
2048 #ifdef CONFIG_TESTING_OPTIONS
2049 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2050 drand48() < hapd->iconf->ignore_auth_probability) {
2051 wpa_printf(MSG_INFO,
2052 "TESTING: ignoring auth frame from " MACSTR,
2053 MAC2STR(mgmt->sa));
2054 return;
2055 }
2056 #endif /* CONFIG_TESTING_OPTIONS */
2057
2058 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2059 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2060 status_code = le_to_host16(mgmt->u.auth.status_code);
2061 fc = le_to_host16(mgmt->frame_control);
2062 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2063
2064 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2065 2 + WLAN_AUTH_CHALLENGE_LEN &&
2066 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2067 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2068 challenge = &mgmt->u.auth.variable[2];
2069
2070 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2071 "auth_transaction=%d status_code=%d wep=%d%s "
2072 "seq_ctrl=0x%x%s%s",
2073 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2074 status_code, !!(fc & WLAN_FC_ISWEP),
2075 challenge ? " challenge" : "",
2076 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2077 from_queue ? " (from queue)" : "");
2078
2079 #ifdef CONFIG_NO_RC4
2080 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2081 wpa_printf(MSG_INFO,
2082 "Unsupported authentication algorithm (%d)",
2083 auth_alg);
2084 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2085 goto fail;
2086 }
2087 #endif /* CONFIG_NO_RC4 */
2088
2089 if (hapd->tkip_countermeasures) {
2090 wpa_printf(MSG_DEBUG,
2091 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2092 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2093 goto fail;
2094 }
2095
2096 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2097 auth_alg == WLAN_AUTH_OPEN) ||
2098 #ifdef CONFIG_IEEE80211R_AP
2099 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2100 auth_alg == WLAN_AUTH_FT) ||
2101 #endif /* CONFIG_IEEE80211R_AP */
2102 #ifdef CONFIG_SAE
2103 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2104 auth_alg == WLAN_AUTH_SAE) ||
2105 #endif /* CONFIG_SAE */
2106 #ifdef CONFIG_FILS
2107 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2108 auth_alg == WLAN_AUTH_FILS_SK) ||
2109 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2110 hapd->conf->fils_dh_group &&
2111 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2112 #endif /* CONFIG_FILS */
2113 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2114 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2115 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2116 auth_alg);
2117 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2118 goto fail;
2119 }
2120
2121 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2122 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2123 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2124 auth_transaction);
2125 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2126 goto fail;
2127 }
2128
2129 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2130 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2131 MAC2STR(mgmt->sa));
2132 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2133 goto fail;
2134 }
2135
2136 if (hapd->conf->no_auth_if_seen_on) {
2137 struct hostapd_data *other;
2138
2139 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2140 hapd->conf->no_auth_if_seen_on);
2141 if (other) {
2142 u8 *pos;
2143 u32 info;
2144 u8 op_class, channel, phytype;
2145
2146 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2147 MACSTR " since STA has been seen on %s",
2148 hapd->conf->iface, MAC2STR(mgmt->sa),
2149 hapd->conf->no_auth_if_seen_on);
2150
2151 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2152 pos = &resp_ies[0];
2153 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2154 *pos++ = 13;
2155 os_memcpy(pos, other->own_addr, ETH_ALEN);
2156 pos += ETH_ALEN;
2157 info = 0; /* TODO: BSSID Information */
2158 WPA_PUT_LE32(pos, info);
2159 pos += 4;
2160 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2161 phytype = 8; /* dmg */
2162 else if (other->iconf->ieee80211ac)
2163 phytype = 9; /* vht */
2164 else if (other->iconf->ieee80211n)
2165 phytype = 7; /* ht */
2166 else if (other->iconf->hw_mode ==
2167 HOSTAPD_MODE_IEEE80211A)
2168 phytype = 4; /* ofdm */
2169 else if (other->iconf->hw_mode ==
2170 HOSTAPD_MODE_IEEE80211G)
2171 phytype = 6; /* erp */
2172 else
2173 phytype = 5; /* hrdsss */
2174 if (ieee80211_freq_to_channel_ext(
2175 hostapd_hw_get_freq(other,
2176 other->iconf->channel),
2177 other->iconf->secondary_channel,
2178 other->iconf->ieee80211ac,
2179 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2180 op_class = 0;
2181 channel = other->iconf->channel;
2182 }
2183 *pos++ = op_class;
2184 *pos++ = channel;
2185 *pos++ = phytype;
2186 resp_ies_len = pos - &resp_ies[0];
2187 goto fail;
2188 }
2189 }
2190
2191 res = ieee802_11_allowed_address(
2192 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
2193 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui,
2194 0);
2195 if (res == HOSTAPD_ACL_REJECT) {
2196 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2197 "Ignore Authentication frame from " MACSTR
2198 " due to ACL reject", MAC2STR(mgmt->sa));
2199 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2200 goto fail;
2201 }
2202 if (res == HOSTAPD_ACL_PENDING)
2203 return;
2204
2205 #ifdef CONFIG_SAE
2206 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2207 (auth_transaction == 1 ||
2208 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2209 /* Handle SAE Authentication commit message through a queue to
2210 * provide more control for postponing the needed heavy
2211 * processing under a possible DoS attack scenario. In addition,
2212 * queue SAE Authentication confirm message if there happens to
2213 * be a queued commit message from the same peer. This is needed
2214 * to avoid reordering Authentication frames within the same
2215 * SAE exchange. */
2216 auth_sae_queue(hapd, mgmt, len, rssi);
2217 return;
2218 }
2219 #endif /* CONFIG_SAE */
2220
2221 sta = ap_get_sta(hapd, mgmt->sa);
2222 if (sta) {
2223 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2224 sta->ft_over_ds = 0;
2225 if ((fc & WLAN_FC_RETRY) &&
2226 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2227 sta->last_seq_ctrl == seq_ctrl &&
2228 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2229 hostapd_logger(hapd, sta->addr,
2230 HOSTAPD_MODULE_IEEE80211,
2231 HOSTAPD_LEVEL_DEBUG,
2232 "Drop repeated authentication frame seq_ctrl=0x%x",
2233 seq_ctrl);
2234 return;
2235 }
2236 #ifdef CONFIG_MESH
2237 if ((hapd->conf->mesh & MESH_ENABLED) &&
2238 sta->plink_state == PLINK_BLOCKED) {
2239 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2240 " is blocked - drop Authentication frame",
2241 MAC2STR(mgmt->sa));
2242 return;
2243 }
2244 #endif /* CONFIG_MESH */
2245 } else {
2246 #ifdef CONFIG_MESH
2247 if (hapd->conf->mesh & MESH_ENABLED) {
2248 /* if the mesh peer is not available, we don't do auth.
2249 */
2250 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2251 " not yet known - drop Authentication frame",
2252 MAC2STR(mgmt->sa));
2253 /*
2254 * Save a copy of the frame so that it can be processed
2255 * if a new peer entry is added shortly after this.
2256 */
2257 wpabuf_free(hapd->mesh_pending_auth);
2258 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2259 os_get_reltime(&hapd->mesh_pending_auth_time);
2260 return;
2261 }
2262 #endif /* CONFIG_MESH */
2263
2264 sta = ap_sta_add(hapd, mgmt->sa);
2265 if (!sta) {
2266 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2267 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2268 goto fail;
2269 }
2270 }
2271 sta->last_seq_ctrl = seq_ctrl;
2272 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2273 #ifdef CONFIG_MBO
2274 sta->auth_rssi = rssi;
2275 #endif /* CONFIG_MBO */
2276
2277 res = ieee802_11_set_radius_info(
2278 hapd, sta, res, session_timeout, acct_interim_interval,
2279 &vlan_id, &psk, &identity, &radius_cui);
2280 if (res) {
2281 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2282 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2283 goto fail;
2284 }
2285
2286 sta->flags &= ~WLAN_STA_PREAUTH;
2287 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2288
2289 /*
2290 * If the driver supports full AP client state, add a station to the
2291 * driver before sending authentication reply to make sure the driver
2292 * has resources, and not to go through the entire authentication and
2293 * association handshake, and fail it at the end.
2294 *
2295 * If this is not the first transaction, in a multi-step authentication
2296 * algorithm, the station already exists in the driver
2297 * (sta->added_unassoc = 1) so skip it.
2298 *
2299 * In mesh mode, the station was already added to the driver when the
2300 * NEW_PEER_CANDIDATE event is received.
2301 *
2302 * If PMF was negotiated for the existing association, skip this to
2303 * avoid dropping the STA entry and the associated keys. This is needed
2304 * to allow the original connection work until the attempt can complete
2305 * (re)association, so that unprotected Authentication frame cannot be
2306 * used to bypass PMF protection.
2307 */
2308 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2309 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2310 !(hapd->conf->mesh & MESH_ENABLED) &&
2311 !(sta->added_unassoc)) {
2312 /*
2313 * If a station that is already associated to the AP, is trying
2314 * to authenticate again, remove the STA entry, in order to make
2315 * sure the STA PS state gets cleared and configuration gets
2316 * updated. To handle this, station's added_unassoc flag is
2317 * cleared once the station has completed association.
2318 */
2319 ap_sta_set_authorized(hapd, sta, 0);
2320 hostapd_drv_sta_remove(hapd, sta->addr);
2321 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2322 WLAN_STA_AUTHORIZED);
2323
2324 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
2325 NULL, NULL, sta->flags, 0, 0, 0, 0)) {
2326 hostapd_logger(hapd, sta->addr,
2327 HOSTAPD_MODULE_IEEE80211,
2328 HOSTAPD_LEVEL_NOTICE,
2329 "Could not add STA to kernel driver");
2330 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2331 goto fail;
2332 }
2333
2334 sta->added_unassoc = 1;
2335 }
2336
2337 switch (auth_alg) {
2338 case WLAN_AUTH_OPEN:
2339 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2340 HOSTAPD_LEVEL_DEBUG,
2341 "authentication OK (open system)");
2342 sta->flags |= WLAN_STA_AUTH;
2343 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2344 sta->auth_alg = WLAN_AUTH_OPEN;
2345 mlme_authenticate_indication(hapd, sta);
2346 break;
2347 #ifndef CONFIG_NO_RC4
2348 case WLAN_AUTH_SHARED_KEY:
2349 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2350 fc & WLAN_FC_ISWEP);
2351 if (resp != 0)
2352 wpa_printf(MSG_DEBUG,
2353 "auth_shared_key() failed: status=%d", resp);
2354 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2355 mlme_authenticate_indication(hapd, sta);
2356 if (sta->challenge && auth_transaction == 1) {
2357 resp_ies[0] = WLAN_EID_CHALLENGE;
2358 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2359 os_memcpy(resp_ies + 2, sta->challenge,
2360 WLAN_AUTH_CHALLENGE_LEN);
2361 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2362 }
2363 break;
2364 #endif /* CONFIG_NO_RC4 */
2365 #ifdef CONFIG_IEEE80211R_AP
2366 case WLAN_AUTH_FT:
2367 sta->auth_alg = WLAN_AUTH_FT;
2368 if (sta->wpa_sm == NULL)
2369 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2370 sta->addr, NULL);
2371 if (sta->wpa_sm == NULL) {
2372 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2373 "state machine");
2374 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2375 goto fail;
2376 }
2377 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2378 auth_transaction, mgmt->u.auth.variable,
2379 len - IEEE80211_HDRLEN -
2380 sizeof(mgmt->u.auth),
2381 handle_auth_ft_finish, hapd);
2382 /* handle_auth_ft_finish() callback will complete auth. */
2383 return;
2384 #endif /* CONFIG_IEEE80211R_AP */
2385 #ifdef CONFIG_SAE
2386 case WLAN_AUTH_SAE:
2387 #ifdef CONFIG_MESH
2388 if (status_code == WLAN_STATUS_SUCCESS &&
2389 hapd->conf->mesh & MESH_ENABLED) {
2390 if (sta->wpa_sm == NULL)
2391 sta->wpa_sm =
2392 wpa_auth_sta_init(hapd->wpa_auth,
2393 sta->addr, NULL);
2394 if (sta->wpa_sm == NULL) {
2395 wpa_printf(MSG_DEBUG,
2396 "SAE: Failed to initialize WPA state machine");
2397 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2398 goto fail;
2399 }
2400 }
2401 #endif /* CONFIG_MESH */
2402 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2403 status_code);
2404 return;
2405 #endif /* CONFIG_SAE */
2406 #ifdef CONFIG_FILS
2407 case WLAN_AUTH_FILS_SK:
2408 case WLAN_AUTH_FILS_SK_PFS:
2409 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2410 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2411 auth_alg, auth_transaction, status_code,
2412 handle_auth_fils_finish);
2413 return;
2414 #endif /* CONFIG_FILS */
2415 }
2416
2417 fail:
2418 os_free(identity);
2419 os_free(radius_cui);
2420 hostapd_free_psk_list(psk);
2421
2422 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2423 auth_transaction + 1, resp, resp_ies,
2424 resp_ies_len, "handle-auth");
2425
2426 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2427 reply_res != WLAN_STATUS_SUCCESS)) {
2428 hostapd_drv_sta_remove(hapd, sta->addr);
2429 sta->added_unassoc = 0;
2430 }
2431 }
2432
2433
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)2434 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2435 {
2436 int i, j = 32, aid;
2437
2438 /* get a unique AID */
2439 if (sta->aid > 0) {
2440 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2441 return 0;
2442 }
2443
2444 if (TEST_FAIL())
2445 return -1;
2446
2447 for (i = 0; i < AID_WORDS; i++) {
2448 if (hapd->sta_aid[i] == (u32) -1)
2449 continue;
2450 for (j = 0; j < 32; j++) {
2451 if (!(hapd->sta_aid[i] & BIT(j)))
2452 break;
2453 }
2454 if (j < 32)
2455 break;
2456 }
2457 if (j == 32)
2458 return -1;
2459 aid = i * 32 + j + 1;
2460 if (aid > 2007)
2461 return -1;
2462
2463 sta->aid = aid;
2464 hapd->sta_aid[i] |= BIT(j);
2465 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2466 return 0;
2467 }
2468
2469
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)2470 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2471 const u8 *ssid_ie, size_t ssid_ie_len)
2472 {
2473 if (ssid_ie == NULL)
2474 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2475
2476 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2477 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2478 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2479 HOSTAPD_LEVEL_INFO,
2480 "Station tried to associate with unknown SSID "
2481 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2482 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2483 }
2484
2485 return WLAN_STATUS_SUCCESS;
2486 }
2487
2488
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)2489 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2490 const u8 *wmm_ie, size_t wmm_ie_len)
2491 {
2492 sta->flags &= ~WLAN_STA_WMM;
2493 sta->qosinfo = 0;
2494 if (wmm_ie && hapd->conf->wmm_enabled) {
2495 struct wmm_information_element *wmm;
2496
2497 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2498 hostapd_logger(hapd, sta->addr,
2499 HOSTAPD_MODULE_WPA,
2500 HOSTAPD_LEVEL_DEBUG,
2501 "invalid WMM element in association "
2502 "request");
2503 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2504 }
2505
2506 sta->flags |= WLAN_STA_WMM;
2507 wmm = (struct wmm_information_element *) wmm_ie;
2508 sta->qosinfo = wmm->qos_info;
2509 }
2510 return WLAN_STATUS_SUCCESS;
2511 }
2512
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)2513 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2514 const u8 *multi_ap_ie, size_t multi_ap_len)
2515 {
2516 u8 multi_ap_value = 0;
2517
2518 sta->flags &= ~WLAN_STA_MULTI_AP;
2519
2520 if (!hapd->conf->multi_ap)
2521 return WLAN_STATUS_SUCCESS;
2522
2523 if (multi_ap_ie) {
2524 const u8 *multi_ap_subelem;
2525
2526 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2527 multi_ap_len - 4,
2528 MULTI_AP_SUB_ELEM_TYPE);
2529 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2530 multi_ap_value = multi_ap_subelem[2];
2531 } else {
2532 hostapd_logger(hapd, sta->addr,
2533 HOSTAPD_MODULE_IEEE80211,
2534 HOSTAPD_LEVEL_INFO,
2535 "Multi-AP IE has missing or invalid Multi-AP subelement");
2536 return WLAN_STATUS_INVALID_IE;
2537 }
2538 }
2539
2540 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2541 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2542 HOSTAPD_LEVEL_INFO,
2543 "Multi-AP IE with unexpected value 0x%02x",
2544 multi_ap_value);
2545
2546 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2547 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2548 return WLAN_STATUS_SUCCESS;
2549
2550 hostapd_logger(hapd, sta->addr,
2551 HOSTAPD_MODULE_IEEE80211,
2552 HOSTAPD_LEVEL_INFO,
2553 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2554 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2555 }
2556
2557 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2558 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2559 HOSTAPD_LEVEL_DEBUG,
2560 "Backhaul STA tries to associate with fronthaul-only BSS");
2561
2562 sta->flags |= WLAN_STA_MULTI_AP;
2563 return WLAN_STATUS_SUCCESS;
2564 }
2565
2566
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)2567 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2568 struct ieee802_11_elems *elems)
2569 {
2570 /* Supported rates not used in IEEE 802.11ad/DMG */
2571 if (hapd->iface->current_mode &&
2572 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2573 return WLAN_STATUS_SUCCESS;
2574
2575 if (!elems->supp_rates) {
2576 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2577 HOSTAPD_LEVEL_DEBUG,
2578 "No supported rates element in AssocReq");
2579 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2580 }
2581
2582 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2583 sizeof(sta->supported_rates)) {
2584 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2585 HOSTAPD_LEVEL_DEBUG,
2586 "Invalid supported rates element length %d+%d",
2587 elems->supp_rates_len,
2588 elems->ext_supp_rates_len);
2589 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2590 }
2591
2592 sta->supported_rates_len = merge_byte_arrays(
2593 sta->supported_rates, sizeof(sta->supported_rates),
2594 elems->supp_rates, elems->supp_rates_len,
2595 elems->ext_supp_rates, elems->ext_supp_rates_len);
2596
2597 return WLAN_STATUS_SUCCESS;
2598 }
2599
2600
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)2601 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2602 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2603 {
2604 #ifdef CONFIG_INTERWORKING
2605 /* check for QoS Map support */
2606 if (ext_capab_ie_len >= 5) {
2607 if (ext_capab_ie[4] & 0x01)
2608 sta->qos_map_enabled = 1;
2609 }
2610 #endif /* CONFIG_INTERWORKING */
2611
2612 if (ext_capab_ie_len > 0) {
2613 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2614 os_free(sta->ext_capability);
2615 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2616 if (sta->ext_capability) {
2617 sta->ext_capability[0] = ext_capab_ie_len;
2618 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2619 ext_capab_ie_len);
2620 }
2621 }
2622
2623 return WLAN_STATUS_SUCCESS;
2624 }
2625
2626
2627 #ifdef CONFIG_OWE
2628
owe_group_supported(struct hostapd_data * hapd,u16 group)2629 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2630 {
2631 int i;
2632 int *groups = hapd->conf->owe_groups;
2633
2634 if (group != 19 && group != 20 && group != 21)
2635 return 0;
2636
2637 if (!groups)
2638 return 1;
2639
2640 for (i = 0; groups[i] > 0; i++) {
2641 if (groups[i] == group)
2642 return 1;
2643 }
2644
2645 return 0;
2646 }
2647
2648
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)2649 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2650 struct sta_info *sta, const u8 *owe_dh,
2651 u8 owe_dh_len)
2652 {
2653 struct wpabuf *secret, *pub, *hkey;
2654 int res;
2655 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2656 const char *info = "OWE Key Generation";
2657 const u8 *addr[2];
2658 size_t len[2];
2659 u16 group;
2660 size_t hash_len, prime_len;
2661
2662 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2663 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2664 return WLAN_STATUS_SUCCESS;
2665 }
2666
2667 group = WPA_GET_LE16(owe_dh);
2668 if (!owe_group_supported(hapd, group)) {
2669 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2670 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2671 }
2672 if (group == 19)
2673 prime_len = 32;
2674 else if (group == 20)
2675 prime_len = 48;
2676 else if (group == 21)
2677 prime_len = 66;
2678 else
2679 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2680
2681 crypto_ecdh_deinit(sta->owe_ecdh);
2682 sta->owe_ecdh = crypto_ecdh_init(group);
2683 if (!sta->owe_ecdh)
2684 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2685 sta->owe_group = group;
2686
2687 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2688 owe_dh_len - 2);
2689 secret = wpabuf_zeropad(secret, prime_len);
2690 if (!secret) {
2691 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2692 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2693 }
2694 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2695
2696 /* prk = HKDF-extract(C | A | group, z) */
2697
2698 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2699 if (!pub) {
2700 wpabuf_clear_free(secret);
2701 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2702 }
2703
2704 /* PMKID = Truncate-128(Hash(C | A)) */
2705 addr[0] = owe_dh + 2;
2706 len[0] = owe_dh_len - 2;
2707 addr[1] = wpabuf_head(pub);
2708 len[1] = wpabuf_len(pub);
2709 if (group == 19) {
2710 res = sha256_vector(2, addr, len, pmkid);
2711 hash_len = SHA256_MAC_LEN;
2712 } else if (group == 20) {
2713 res = sha384_vector(2, addr, len, pmkid);
2714 hash_len = SHA384_MAC_LEN;
2715 } else if (group == 21) {
2716 res = sha512_vector(2, addr, len, pmkid);
2717 hash_len = SHA512_MAC_LEN;
2718 } else {
2719 wpabuf_free(pub);
2720 wpabuf_clear_free(secret);
2721 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2722 }
2723 pub = wpabuf_zeropad(pub, prime_len);
2724 if (res < 0 || !pub) {
2725 wpabuf_free(pub);
2726 wpabuf_clear_free(secret);
2727 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2728 }
2729
2730 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2731 if (!hkey) {
2732 wpabuf_free(pub);
2733 wpabuf_clear_free(secret);
2734 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2735 }
2736
2737 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2738 wpabuf_put_buf(hkey, pub); /* A */
2739 wpabuf_free(pub);
2740 wpabuf_put_le16(hkey, group); /* group */
2741 if (group == 19)
2742 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2743 wpabuf_head(secret), wpabuf_len(secret), prk);
2744 else if (group == 20)
2745 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2746 wpabuf_head(secret), wpabuf_len(secret), prk);
2747 else if (group == 21)
2748 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2749 wpabuf_head(secret), wpabuf_len(secret), prk);
2750 wpabuf_clear_free(hkey);
2751 wpabuf_clear_free(secret);
2752 if (res < 0)
2753 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2754
2755 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2756
2757 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2758
2759 os_free(sta->owe_pmk);
2760 sta->owe_pmk = os_malloc(hash_len);
2761 if (!sta->owe_pmk) {
2762 os_memset(prk, 0, SHA512_MAC_LEN);
2763 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2764 }
2765
2766 if (group == 19)
2767 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2768 os_strlen(info), sta->owe_pmk, hash_len);
2769 else if (group == 20)
2770 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2771 os_strlen(info), sta->owe_pmk, hash_len);
2772 else if (group == 21)
2773 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2774 os_strlen(info), sta->owe_pmk, hash_len);
2775 os_memset(prk, 0, SHA512_MAC_LEN);
2776 if (res < 0) {
2777 os_free(sta->owe_pmk);
2778 sta->owe_pmk = NULL;
2779 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2780 }
2781 sta->owe_pmk_len = hash_len;
2782
2783 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2784 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2785 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2786 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2787
2788 return WLAN_STATUS_SUCCESS;
2789 }
2790
2791 #endif /* CONFIG_OWE */
2792
2793
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)2794 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2795 const u8 *ies, size_t ies_len, int reassoc)
2796 {
2797 struct ieee802_11_elems elems;
2798 u16 resp;
2799 const u8 *wpa_ie;
2800 size_t wpa_ie_len;
2801 const u8 *p2p_dev_addr = NULL;
2802
2803 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2804 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2805 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2806 "association request");
2807 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2808 }
2809
2810 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2811 if (resp != WLAN_STATUS_SUCCESS)
2812 return resp;
2813 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2814 if (resp != WLAN_STATUS_SUCCESS)
2815 return resp;
2816 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2817 if (resp != WLAN_STATUS_SUCCESS)
2818 return resp;
2819 resp = copy_supp_rates(hapd, sta, &elems);
2820 if (resp != WLAN_STATUS_SUCCESS)
2821 return resp;
2822
2823 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
2824 if (resp != WLAN_STATUS_SUCCESS)
2825 return resp;
2826
2827 #ifdef CONFIG_IEEE80211N
2828 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2829 if (resp != WLAN_STATUS_SUCCESS)
2830 return resp;
2831 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2832 !(sta->flags & WLAN_STA_HT)) {
2833 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2834 HOSTAPD_LEVEL_INFO, "Station does not support "
2835 "mandatory HT PHY - reject association");
2836 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2837 }
2838 #endif /* CONFIG_IEEE80211N */
2839
2840 #ifdef CONFIG_IEEE80211AC
2841 if (hapd->iconf->ieee80211ac) {
2842 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2843 if (resp != WLAN_STATUS_SUCCESS)
2844 return resp;
2845
2846 resp = copy_sta_vht_oper(hapd, sta, elems.vht_operation);
2847 if (resp != WLAN_STATUS_SUCCESS)
2848 return resp;
2849
2850 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2851 if (resp != WLAN_STATUS_SUCCESS)
2852 return resp;
2853 }
2854
2855 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2856 !(sta->flags & WLAN_STA_VHT)) {
2857 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2858 HOSTAPD_LEVEL_INFO, "Station does not support "
2859 "mandatory VHT PHY - reject association");
2860 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2861 }
2862
2863 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2864 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2865 elems.vendor_vht_len);
2866 if (resp != WLAN_STATUS_SUCCESS)
2867 return resp;
2868 }
2869 #endif /* CONFIG_IEEE80211AC */
2870
2871 #ifdef CONFIG_P2P
2872 if (elems.p2p) {
2873 wpabuf_free(sta->p2p_ie);
2874 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2875 P2P_IE_VENDOR_TYPE);
2876 if (sta->p2p_ie)
2877 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2878 } else {
2879 wpabuf_free(sta->p2p_ie);
2880 sta->p2p_ie = NULL;
2881 }
2882 #endif /* CONFIG_P2P */
2883
2884 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2885 wpa_ie = elems.rsn_ie;
2886 wpa_ie_len = elems.rsn_ie_len;
2887 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2888 elems.wpa_ie) {
2889 wpa_ie = elems.wpa_ie;
2890 wpa_ie_len = elems.wpa_ie_len;
2891 } else {
2892 wpa_ie = NULL;
2893 wpa_ie_len = 0;
2894 }
2895
2896 #ifdef CONFIG_WPS
2897 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2898 if (hapd->conf->wps_state && elems.wps_ie) {
2899 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2900 "Request - assume WPS is used");
2901 sta->flags |= WLAN_STA_WPS;
2902 wpabuf_free(sta->wps_ie);
2903 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2904 WPS_IE_VENDOR_TYPE);
2905 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2906 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2907 sta->flags |= WLAN_STA_WPS2;
2908 }
2909 wpa_ie = NULL;
2910 wpa_ie_len = 0;
2911 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2912 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2913 "(Re)Association Request - reject");
2914 return WLAN_STATUS_INVALID_IE;
2915 }
2916 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
2917 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2918 "(Re)Association Request - possible WPS use");
2919 sta->flags |= WLAN_STA_MAYBE_WPS;
2920 } else
2921 #endif /* CONFIG_WPS */
2922 if (hapd->conf->wpa && wpa_ie == NULL) {
2923 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2924 HOSTAPD_LEVEL_INFO,
2925 "No WPA/RSN IE in association request");
2926 return WLAN_STATUS_INVALID_IE;
2927 }
2928
2929 if (hapd->conf->wpa && wpa_ie) {
2930 int res;
2931 wpa_ie -= 2;
2932 wpa_ie_len += 2;
2933 if (sta->wpa_sm == NULL)
2934 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2935 sta->addr,
2936 p2p_dev_addr);
2937 if (sta->wpa_sm == NULL) {
2938 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2939 "state machine");
2940 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2941 }
2942 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
2943 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2944 hapd->iface->freq,
2945 wpa_ie, wpa_ie_len,
2946 elems.mdie, elems.mdie_len,
2947 elems.owe_dh, elems.owe_dh_len);
2948 resp = wpa_res_to_status_code(res);
2949 if (resp != WLAN_STATUS_SUCCESS)
2950 return resp;
2951 #ifdef CONFIG_IEEE80211W
2952 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2953 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2954 !sta->sa_query_timed_out &&
2955 sta->sa_query_count > 0)
2956 ap_check_sa_query_timeout(hapd, sta);
2957 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2958 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2959 !sta->sa_query_timed_out &&
2960 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2961 /*
2962 * STA has already been associated with MFP and SA
2963 * Query timeout has not been reached. Reject the
2964 * association attempt temporarily and start SA Query,
2965 * if one is not pending.
2966 */
2967
2968 if (sta->sa_query_count == 0)
2969 ap_sta_start_sa_query(hapd, sta);
2970
2971 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2972 }
2973
2974 if (wpa_auth_uses_mfp(sta->wpa_sm))
2975 sta->flags |= WLAN_STA_MFP;
2976 else
2977 sta->flags &= ~WLAN_STA_MFP;
2978 #endif /* CONFIG_IEEE80211W */
2979
2980 #ifdef CONFIG_IEEE80211R_AP
2981 if (sta->auth_alg == WLAN_AUTH_FT) {
2982 if (!reassoc) {
2983 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2984 "to use association (not "
2985 "re-association) with FT auth_alg",
2986 MAC2STR(sta->addr));
2987 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2988 }
2989
2990 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2991 ies_len);
2992 if (resp != WLAN_STATUS_SUCCESS)
2993 return resp;
2994 }
2995 #endif /* CONFIG_IEEE80211R_AP */
2996
2997 #ifdef CONFIG_SAE
2998 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
2999 sta->sae->state == SAE_ACCEPTED)
3000 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3001
3002 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3003 sta->auth_alg == WLAN_AUTH_OPEN) {
3004 struct rsn_pmksa_cache_entry *sa;
3005 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3006 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3007 wpa_printf(MSG_DEBUG,
3008 "SAE: No PMKSA cache entry found for "
3009 MACSTR, MAC2STR(sta->addr));
3010 return WLAN_STATUS_INVALID_PMKID;
3011 }
3012 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3013 " using PMKSA caching", MAC2STR(sta->addr));
3014 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3015 sta->auth_alg != WLAN_AUTH_SAE &&
3016 !(sta->auth_alg == WLAN_AUTH_FT &&
3017 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3018 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3019 "SAE AKM after non-SAE auth_alg %u",
3020 MAC2STR(sta->addr), sta->auth_alg);
3021 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3022 }
3023 #endif /* CONFIG_SAE */
3024
3025 #ifdef CONFIG_OWE
3026 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3027 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3028 elems.owe_dh) {
3029 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3030 elems.owe_dh_len);
3031 if (resp != WLAN_STATUS_SUCCESS)
3032 return resp;
3033 }
3034 #endif /* CONFIG_OWE */
3035
3036 #ifdef CONFIG_DPP2
3037 dpp_pfs_free(sta->dpp_pfs);
3038 sta->dpp_pfs = NULL;
3039
3040 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3041 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3042 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3043 elems.owe_dh) {
3044 sta->dpp_pfs = dpp_pfs_init(
3045 wpabuf_head(hapd->conf->dpp_netaccesskey),
3046 wpabuf_len(hapd->conf->dpp_netaccesskey));
3047 if (!sta->dpp_pfs) {
3048 wpa_printf(MSG_DEBUG,
3049 "DPP: Could not initialize PFS");
3050 /* Try to continue without PFS */
3051 goto pfs_fail;
3052 }
3053
3054 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3055 elems.owe_dh_len) < 0) {
3056 dpp_pfs_free(sta->dpp_pfs);
3057 sta->dpp_pfs = NULL;
3058 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3059 }
3060 }
3061
3062 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3063 sta->dpp_pfs->secret : NULL);
3064 pfs_fail:
3065 #endif /* CONFIG_DPP2 */
3066
3067 #ifdef CONFIG_IEEE80211N
3068 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3069 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3070 hostapd_logger(hapd, sta->addr,
3071 HOSTAPD_MODULE_IEEE80211,
3072 HOSTAPD_LEVEL_INFO,
3073 "Station tried to use TKIP with HT "
3074 "association");
3075 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3076 }
3077 #endif /* CONFIG_IEEE80211N */
3078 #ifdef CONFIG_HS20
3079 } else if (hapd->conf->osen) {
3080 if (elems.osen == NULL) {
3081 hostapd_logger(
3082 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3083 HOSTAPD_LEVEL_INFO,
3084 "No HS 2.0 OSEN element in association request");
3085 return WLAN_STATUS_INVALID_IE;
3086 }
3087
3088 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3089 if (sta->wpa_sm == NULL)
3090 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3091 sta->addr, NULL);
3092 if (sta->wpa_sm == NULL) {
3093 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3094 "state machine");
3095 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3096 }
3097 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3098 elems.osen - 2, elems.osen_len + 2) < 0)
3099 return WLAN_STATUS_INVALID_IE;
3100 #endif /* CONFIG_HS20 */
3101 } else
3102 wpa_auth_sta_no_wpa(sta->wpa_sm);
3103
3104 #ifdef CONFIG_P2P
3105 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3106 #endif /* CONFIG_P2P */
3107
3108 #ifdef CONFIG_HS20
3109 wpabuf_free(sta->hs20_ie);
3110 if (elems.hs20 && elems.hs20_len > 4) {
3111 int release;
3112
3113 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3114 elems.hs20_len - 4);
3115 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3116 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) {
3117 wpa_printf(MSG_DEBUG,
3118 "HS 2.0: PMF not negotiated by release %d station "
3119 MACSTR, release, MAC2STR(sta->addr));
3120 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3121 }
3122 } else {
3123 sta->hs20_ie = NULL;
3124 }
3125
3126 wpabuf_free(sta->roaming_consortium);
3127 if (elems.roaming_cons_sel)
3128 sta->roaming_consortium = wpabuf_alloc_copy(
3129 elems.roaming_cons_sel + 4,
3130 elems.roaming_cons_sel_len - 4);
3131 else
3132 sta->roaming_consortium = NULL;
3133 #endif /* CONFIG_HS20 */
3134
3135 #ifdef CONFIG_FST
3136 wpabuf_free(sta->mb_ies);
3137 if (hapd->iface->fst)
3138 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3139 else
3140 sta->mb_ies = NULL;
3141 #endif /* CONFIG_FST */
3142
3143 #ifdef CONFIG_MBO
3144 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3145
3146 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3147 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3148 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3149 wpa_printf(MSG_INFO,
3150 "MBO: Reject WPA2 association without PMF");
3151 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3152 }
3153 #endif /* CONFIG_MBO */
3154
3155 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3156 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3157 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3158 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3159 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3160 struct wpa_channel_info ci;
3161 int tx_chanwidth;
3162 int tx_seg1_idx;
3163
3164 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3165 wpa_printf(MSG_WARNING,
3166 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3167 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3168 }
3169
3170 if (get_sta_tx_parameters(sta->wpa_sm,
3171 channel_width_to_int(ci.chanwidth),
3172 ci.seg1_idx, &tx_chanwidth,
3173 &tx_seg1_idx) < 0)
3174 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3175
3176 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3177 tx_chanwidth, tx_seg1_idx) != 0) {
3178 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3179 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3180 }
3181 }
3182 #endif /* CONFIG_FILS && CONFIG_OCV */
3183
3184 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3185 elems.supp_op_classes_len);
3186
3187 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3188 elems.rrm_enabled &&
3189 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3190 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3191 sizeof(sta->rrm_enabled_capa));
3192
3193 if (elems.power_capab) {
3194 sta->min_tx_power = elems.power_capab[0];
3195 sta->max_tx_power = elems.power_capab[1];
3196 sta->power_capab = 1;
3197 } else {
3198 sta->power_capab = 0;
3199 }
3200
3201 return WLAN_STATUS_SUCCESS;
3202 }
3203
3204
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)3205 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3206 u16 reason_code)
3207 {
3208 int send_len;
3209 struct ieee80211_mgmt reply;
3210
3211 os_memset(&reply, 0, sizeof(reply));
3212 reply.frame_control =
3213 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3214 os_memcpy(reply.da, addr, ETH_ALEN);
3215 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3216 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3217
3218 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3219 reply.u.deauth.reason_code = host_to_le16(reason_code);
3220
3221 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
3222 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3223 strerror(errno));
3224 }
3225
3226
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)3227 static int add_associated_sta(struct hostapd_data *hapd,
3228 struct sta_info *sta, int reassoc)
3229 {
3230 struct ieee80211_ht_capabilities ht_cap;
3231 struct ieee80211_vht_capabilities vht_cap;
3232 int set = 1;
3233
3234 /*
3235 * Remove the STA entry to ensure the STA PS state gets cleared and
3236 * configuration gets updated. This is relevant for cases, such as
3237 * FT-over-the-DS, where a station re-associates back to the same AP but
3238 * skips the authentication flow, or if working with a driver that
3239 * does not support full AP client state.
3240 *
3241 * Skip this if the STA has already completed FT reassociation and the
3242 * TK has been configured since the TX/RX PN must not be reset to 0 for
3243 * the same key.
3244 *
3245 * FT-over-the-DS has a special case where the STA entry (and as such,
3246 * the TK) has not yet been configured to the driver depending on which
3247 * driver interface is used. For that case, allow add-STA operation to
3248 * be used (instead of set-STA). This is needed to allow mac80211-based
3249 * drivers to accept the STA parameter configuration. Since this is
3250 * after a new FT-over-DS exchange, a new TK has been derived, so key
3251 * reinstallation is not a concern for this case.
3252 */
3253 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3254 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3255 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3256 sta->ft_over_ds, reassoc,
3257 !!(sta->flags & WLAN_STA_AUTHORIZED),
3258 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3259 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3260
3261 if (!sta->added_unassoc &&
3262 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3263 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3264 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3265 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3266 hostapd_drv_sta_remove(hapd, sta->addr);
3267 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3268 set = 0;
3269
3270 /* Do not allow the FT-over-DS exception to be used more than
3271 * once per authentication exchange to guarantee a new TK is
3272 * used here */
3273 sta->ft_over_ds = 0;
3274 }
3275
3276 #ifdef CONFIG_IEEE80211N
3277 if (sta->flags & WLAN_STA_HT)
3278 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3279 #endif /* CONFIG_IEEE80211N */
3280 #ifdef CONFIG_IEEE80211AC
3281 if (sta->flags & WLAN_STA_VHT)
3282 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3283 #endif /* CONFIG_IEEE80211AC */
3284
3285 /*
3286 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3287 * will be set when the ACK frame for the (Re)Association Response frame
3288 * is processed (TX status driver event).
3289 */
3290 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3291 sta->supported_rates, sta->supported_rates_len,
3292 sta->listen_interval,
3293 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3294 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3295 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3296 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3297 set)) {
3298 hostapd_logger(hapd, sta->addr,
3299 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3300 "Could not %s STA to kernel driver",
3301 set ? "set" : "add");
3302
3303 if (sta->added_unassoc) {
3304 hostapd_drv_sta_remove(hapd, sta->addr);
3305 sta->added_unassoc = 0;
3306 }
3307
3308 return -1;
3309 }
3310
3311 sta->added_unassoc = 0;
3312
3313 return 0;
3314 }
3315
3316
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi)3317 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3318 const u8 *addr, u16 status_code, int reassoc,
3319 const u8 *ies, size_t ies_len, int rssi)
3320 {
3321 int send_len;
3322 u8 *buf;
3323 size_t buflen;
3324 struct ieee80211_mgmt *reply;
3325 u8 *p;
3326 u16 res = WLAN_STATUS_SUCCESS;
3327
3328 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3329 #ifdef CONFIG_FILS
3330 if (sta && sta->fils_hlp_resp)
3331 buflen += wpabuf_len(sta->fils_hlp_resp);
3332 #endif /* CONFIG_FILS */
3333 #ifdef CONFIG_OWE
3334 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3335 buflen += 150;
3336 #endif /* CONFIG_OWE */
3337 #ifdef CONFIG_DPP2
3338 if (sta && sta->dpp_pfs)
3339 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3340 #endif /* CONFIG_DPP2 */
3341 buf = os_zalloc(buflen);
3342 if (!buf) {
3343 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3344 goto done;
3345 }
3346 reply = (struct ieee80211_mgmt *) buf;
3347 reply->frame_control =
3348 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3349 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3350 WLAN_FC_STYPE_ASSOC_RESP));
3351 os_memcpy(reply->da, addr, ETH_ALEN);
3352 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3353 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3354
3355 send_len = IEEE80211_HDRLEN;
3356 send_len += sizeof(reply->u.assoc_resp);
3357 reply->u.assoc_resp.capab_info =
3358 host_to_le16(hostapd_own_capab_info(hapd));
3359 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3360
3361 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3362 BIT(14) | BIT(15));
3363 /* Supported rates */
3364 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3365 /* Extended supported rates */
3366 p = hostapd_eid_ext_supp_rates(hapd, p);
3367
3368 #ifdef CONFIG_MBO
3369 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3370 rssi != 0) {
3371 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3372
3373 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3374 delta);
3375 }
3376 #endif /* CONFIG_MBO */
3377
3378 #ifdef CONFIG_IEEE80211R_AP
3379 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3380 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3381 * Transition Information, RSN, [RIC Response] */
3382 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3383 buf + buflen - p,
3384 sta->auth_alg, ies, ies_len);
3385 if (!p) {
3386 wpa_printf(MSG_DEBUG,
3387 "FT: Failed to write AssocResp IEs");
3388 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3389 goto done;
3390 }
3391 }
3392 #endif /* CONFIG_IEEE80211R_AP */
3393
3394 #ifdef CONFIG_OWE
3395 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3396 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3397 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3398 buf + buflen - p,
3399 ies, ies_len);
3400 #endif /* CONFIG_OWE */
3401
3402 #ifdef CONFIG_IEEE80211W
3403 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3404 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3405 #endif /* CONFIG_IEEE80211W */
3406
3407 #ifdef CONFIG_IEEE80211N
3408 p = hostapd_eid_ht_capabilities(hapd, p);
3409 p = hostapd_eid_ht_operation(hapd, p);
3410 #endif /* CONFIG_IEEE80211N */
3411
3412 #ifdef CONFIG_IEEE80211AC
3413 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
3414 u32 nsts = 0, sta_nsts;
3415
3416 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3417 struct ieee80211_vht_capabilities *capa;
3418
3419 nsts = (hapd->iface->conf->vht_capab >>
3420 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3421 capa = sta->vht_capabilities;
3422 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3423 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3424
3425 if (nsts < sta_nsts)
3426 nsts = 0;
3427 else
3428 nsts = sta_nsts;
3429 }
3430 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3431 p = hostapd_eid_vht_operation(hapd, p);
3432 }
3433 #endif /* CONFIG_IEEE80211AC */
3434
3435 p = hostapd_eid_ext_capab(hapd, p);
3436 p = hostapd_eid_bss_max_idle_period(hapd, p);
3437 if (sta && sta->qos_map_enabled)
3438 p = hostapd_eid_qos_map_set(hapd, p);
3439
3440 #ifdef CONFIG_FST
3441 if (hapd->iface->fst_ies) {
3442 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3443 wpabuf_len(hapd->iface->fst_ies));
3444 p += wpabuf_len(hapd->iface->fst_ies);
3445 }
3446 #endif /* CONFIG_FST */
3447
3448 #ifdef CONFIG_OWE
3449 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3450 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3451 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3452 struct wpabuf *pub;
3453
3454 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3455 if (!pub) {
3456 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3457 goto done;
3458 }
3459 /* OWE Diffie-Hellman Parameter element */
3460 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3461 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3462 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3463 WPA_PUT_LE16(p, sta->owe_group);
3464 p += 2;
3465 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3466 p += wpabuf_len(pub);
3467 wpabuf_free(pub);
3468 }
3469 #endif /* CONFIG_OWE */
3470
3471 #ifdef CONFIG_DPP2
3472 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3473 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3474 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3475 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3476 wpabuf_len(sta->dpp_pfs->ie));
3477 p += wpabuf_len(sta->dpp_pfs->ie);
3478 }
3479 #endif /* CONFIG_DPP2 */
3480
3481 #ifdef CONFIG_IEEE80211AC
3482 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3483 p = hostapd_eid_vendor_vht(hapd, p);
3484 #endif /* CONFIG_IEEE80211AC */
3485
3486 if (sta && (sta->flags & WLAN_STA_WMM))
3487 p = hostapd_eid_wmm(hapd, p);
3488
3489 #ifdef CONFIG_WPS
3490 if (sta &&
3491 ((sta->flags & WLAN_STA_WPS) ||
3492 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3493 struct wpabuf *wps = wps_build_assoc_resp_ie();
3494 if (wps) {
3495 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3496 p += wpabuf_len(wps);
3497 wpabuf_free(wps);
3498 }
3499 }
3500 #endif /* CONFIG_WPS */
3501
3502 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3503 p = hostapd_eid_multi_ap(hapd, p);
3504
3505 #ifdef CONFIG_P2P
3506 if (sta && sta->p2p_ie && hapd->p2p_group) {
3507 struct wpabuf *p2p_resp_ie;
3508 enum p2p_status_code status;
3509 switch (status_code) {
3510 case WLAN_STATUS_SUCCESS:
3511 status = P2P_SC_SUCCESS;
3512 break;
3513 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3514 status = P2P_SC_FAIL_LIMIT_REACHED;
3515 break;
3516 default:
3517 status = P2P_SC_FAIL_INVALID_PARAMS;
3518 break;
3519 }
3520 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3521 if (p2p_resp_ie) {
3522 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3523 wpabuf_len(p2p_resp_ie));
3524 p += wpabuf_len(p2p_resp_ie);
3525 wpabuf_free(p2p_resp_ie);
3526 }
3527 }
3528 #endif /* CONFIG_P2P */
3529
3530 #ifdef CONFIG_P2P_MANAGER
3531 if (hapd->conf->p2p & P2P_MANAGE)
3532 p = hostapd_eid_p2p_manage(hapd, p);
3533 #endif /* CONFIG_P2P_MANAGER */
3534
3535 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3536
3537 if (hapd->conf->assocresp_elements &&
3538 (size_t) (buf + buflen - p) >=
3539 wpabuf_len(hapd->conf->assocresp_elements)) {
3540 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3541 wpabuf_len(hapd->conf->assocresp_elements));
3542 p += wpabuf_len(hapd->conf->assocresp_elements);
3543 }
3544
3545 send_len += p - reply->u.assoc_resp.variable;
3546
3547 #ifdef CONFIG_FILS
3548 if (sta &&
3549 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3550 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3551 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3552 status_code == WLAN_STATUS_SUCCESS) {
3553 struct ieee802_11_elems elems;
3554
3555 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3556 ParseFailed || !elems.fils_session) {
3557 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3558 goto done;
3559 }
3560
3561 /* FILS Session */
3562 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3563 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3564 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3565 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3566 send_len += 2 + 1 + FILS_SESSION_LEN;
3567
3568 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3569 buflen, sta->fils_hlp_resp);
3570 if (send_len < 0) {
3571 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3572 goto done;
3573 }
3574 }
3575 #endif /* CONFIG_FILS */
3576
3577 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
3578 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3579 strerror(errno));
3580 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3581 }
3582
3583 done:
3584 os_free(buf);
3585 return res;
3586 }
3587
3588
3589 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * reason)3590 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3591 const u8 *owe_dh, u8 owe_dh_len,
3592 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3593 {
3594 #ifdef CONFIG_TESTING_OPTIONS
3595 if (hapd->conf->own_ie_override) {
3596 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3597 *reason = WLAN_STATUS_SUCCESS;
3598 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3599 owe_buf_len, NULL, 0);
3600 }
3601 #endif /* CONFIG_TESTING_OPTIONS */
3602
3603 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3604 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3605 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3606 owe_buf_len, NULL, 0);
3607 *reason = WLAN_STATUS_SUCCESS;
3608 return owe_buf;
3609 }
3610
3611 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3612 if (*reason != WLAN_STATUS_SUCCESS)
3613 return NULL;
3614
3615 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3616 owe_buf_len, NULL, 0);
3617
3618 if (sta->owe_ecdh && owe_buf) {
3619 struct wpabuf *pub;
3620
3621 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3622 if (!pub) {
3623 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3624 return owe_buf;
3625 }
3626
3627 /* OWE Diffie-Hellman Parameter element */
3628 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3629 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3630 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3631 */
3632 WPA_PUT_LE16(owe_buf, sta->owe_group);
3633 owe_buf += 2;
3634 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3635 owe_buf += wpabuf_len(pub);
3636 wpabuf_free(pub);
3637 }
3638
3639 return owe_buf;
3640 }
3641 #endif /* CONFIG_OWE */
3642
3643
3644 #ifdef CONFIG_FILS
3645
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)3646 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3647 {
3648 u16 reply_res;
3649
3650 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3651 MAC2STR(sta->addr));
3652 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3653 if (!sta->fils_pending_assoc_req)
3654 return;
3655 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3656 sta->fils_pending_assoc_is_reassoc,
3657 sta->fils_pending_assoc_req,
3658 sta->fils_pending_assoc_req_len, 0);
3659 os_free(sta->fils_pending_assoc_req);
3660 sta->fils_pending_assoc_req = NULL;
3661 sta->fils_pending_assoc_req_len = 0;
3662 wpabuf_free(sta->fils_hlp_resp);
3663 sta->fils_hlp_resp = NULL;
3664 wpabuf_free(sta->hlp_dhcp_discover);
3665 sta->hlp_dhcp_discover = NULL;
3666
3667 /*
3668 * Remove the station in case transmission of a success response fails.
3669 * At this point the station was already added associated to the driver.
3670 */
3671 if (reply_res != WLAN_STATUS_SUCCESS)
3672 hostapd_drv_sta_remove(hapd, sta->addr);
3673 }
3674
3675
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)3676 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3677 {
3678 struct hostapd_data *hapd = eloop_ctx;
3679 struct sta_info *sta = eloop_data;
3680
3681 wpa_printf(MSG_DEBUG,
3682 "FILS: HLP response timeout - continue with association response for "
3683 MACSTR, MAC2STR(sta->addr));
3684 if (sta->fils_drv_assoc_finish)
3685 hostapd_notify_assoc_fils_finish(hapd, sta);
3686 else
3687 fils_hlp_finish_assoc(hapd, sta);
3688 }
3689
3690 #endif /* CONFIG_FILS */
3691
3692
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)3693 static void handle_assoc(struct hostapd_data *hapd,
3694 const struct ieee80211_mgmt *mgmt, size_t len,
3695 int reassoc, int rssi)
3696 {
3697 u16 capab_info, listen_interval, seq_ctrl, fc;
3698 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3699 const u8 *pos;
3700 int left, i;
3701 struct sta_info *sta;
3702 u8 *tmp = NULL;
3703 struct hostapd_sta_wpa_psk_short *psk = NULL;
3704 char *identity = NULL;
3705 char *radius_cui = NULL;
3706 #ifdef CONFIG_FILS
3707 int delay_assoc = 0;
3708 #endif /* CONFIG_FILS */
3709
3710 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3711 sizeof(mgmt->u.assoc_req))) {
3712 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3713 reassoc, (unsigned long) len);
3714 return;
3715 }
3716
3717 #ifdef CONFIG_TESTING_OPTIONS
3718 if (reassoc) {
3719 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3720 drand48() < hapd->iconf->ignore_reassoc_probability) {
3721 wpa_printf(MSG_INFO,
3722 "TESTING: ignoring reassoc request from "
3723 MACSTR, MAC2STR(mgmt->sa));
3724 return;
3725 }
3726 } else {
3727 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3728 drand48() < hapd->iconf->ignore_assoc_probability) {
3729 wpa_printf(MSG_INFO,
3730 "TESTING: ignoring assoc request from "
3731 MACSTR, MAC2STR(mgmt->sa));
3732 return;
3733 }
3734 }
3735 #endif /* CONFIG_TESTING_OPTIONS */
3736
3737 fc = le_to_host16(mgmt->frame_control);
3738 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3739
3740 if (reassoc) {
3741 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3742 listen_interval = le_to_host16(
3743 mgmt->u.reassoc_req.listen_interval);
3744 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3745 " capab_info=0x%02x listen_interval=%d current_ap="
3746 MACSTR " seq_ctrl=0x%x%s",
3747 MAC2STR(mgmt->sa), capab_info, listen_interval,
3748 MAC2STR(mgmt->u.reassoc_req.current_ap),
3749 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3750 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3751 pos = mgmt->u.reassoc_req.variable;
3752 } else {
3753 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3754 listen_interval = le_to_host16(
3755 mgmt->u.assoc_req.listen_interval);
3756 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3757 " capab_info=0x%02x listen_interval=%d "
3758 "seq_ctrl=0x%x%s",
3759 MAC2STR(mgmt->sa), capab_info, listen_interval,
3760 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3761 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3762 pos = mgmt->u.assoc_req.variable;
3763 }
3764
3765 sta = ap_get_sta(hapd, mgmt->sa);
3766 #ifdef CONFIG_IEEE80211R_AP
3767 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3768 (sta->flags & WLAN_STA_AUTH) == 0) {
3769 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3770 "prior to authentication since it is using "
3771 "over-the-DS FT", MAC2STR(mgmt->sa));
3772
3773 /*
3774 * Mark station as authenticated, to avoid adding station
3775 * entry in the driver as associated and not authenticated
3776 */
3777 sta->flags |= WLAN_STA_AUTH;
3778 } else
3779 #endif /* CONFIG_IEEE80211R_AP */
3780 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3781 if (hapd->iface->current_mode &&
3782 hapd->iface->current_mode->mode ==
3783 HOSTAPD_MODE_IEEE80211AD) {
3784 int acl_res;
3785 u32 session_timeout, acct_interim_interval;
3786 struct vlan_description vlan_id;
3787
3788 acl_res = ieee802_11_allowed_address(
3789 hapd, mgmt->sa, (const u8 *) mgmt, len,
3790 &session_timeout, &acct_interim_interval,
3791 &vlan_id, &psk, &identity, &radius_cui, 0);
3792 if (acl_res == HOSTAPD_ACL_REJECT) {
3793 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3794 "Ignore Association Request frame from "
3795 MACSTR " due to ACL reject",
3796 MAC2STR(mgmt->sa));
3797 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3798 goto fail;
3799 }
3800 if (acl_res == HOSTAPD_ACL_PENDING)
3801 return;
3802
3803 /* DMG/IEEE 802.11ad does not use authentication.
3804 * Allocate sta entry upon association. */
3805 sta = ap_sta_add(hapd, mgmt->sa);
3806 if (!sta) {
3807 hostapd_logger(hapd, mgmt->sa,
3808 HOSTAPD_MODULE_IEEE80211,
3809 HOSTAPD_LEVEL_INFO,
3810 "Failed to add STA");
3811 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3812 goto fail;
3813 }
3814
3815 acl_res = ieee802_11_set_radius_info(
3816 hapd, sta, acl_res, session_timeout,
3817 acct_interim_interval, &vlan_id, &psk,
3818 &identity, &radius_cui);
3819 if (acl_res) {
3820 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3821 goto fail;
3822 }
3823
3824 hostapd_logger(hapd, sta->addr,
3825 HOSTAPD_MODULE_IEEE80211,
3826 HOSTAPD_LEVEL_DEBUG,
3827 "Skip authentication for DMG/IEEE 802.11ad");
3828 sta->flags |= WLAN_STA_AUTH;
3829 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3830 sta->auth_alg = WLAN_AUTH_OPEN;
3831 } else {
3832 hostapd_logger(hapd, mgmt->sa,
3833 HOSTAPD_MODULE_IEEE80211,
3834 HOSTAPD_LEVEL_INFO,
3835 "Station tried to associate before authentication (aid=%d flags=0x%x)",
3836 sta ? sta->aid : -1,
3837 sta ? sta->flags : 0);
3838 send_deauth(hapd, mgmt->sa,
3839 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3840 return;
3841 }
3842 }
3843
3844 if ((fc & WLAN_FC_RETRY) &&
3845 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3846 sta->last_seq_ctrl == seq_ctrl &&
3847 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3848 WLAN_FC_STYPE_ASSOC_REQ)) {
3849 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3850 HOSTAPD_LEVEL_DEBUG,
3851 "Drop repeated association frame seq_ctrl=0x%x",
3852 seq_ctrl);
3853 return;
3854 }
3855 sta->last_seq_ctrl = seq_ctrl;
3856 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3857 WLAN_FC_STYPE_ASSOC_REQ;
3858
3859 if (hapd->tkip_countermeasures) {
3860 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3861 goto fail;
3862 }
3863
3864 if (listen_interval > hapd->conf->max_listen_interval) {
3865 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3866 HOSTAPD_LEVEL_DEBUG,
3867 "Too large Listen Interval (%d)",
3868 listen_interval);
3869 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3870 goto fail;
3871 }
3872
3873 #ifdef CONFIG_MBO
3874 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3875 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3876 goto fail;
3877 }
3878
3879 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
3880 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
3881 (sta->auth_rssi == 0 ||
3882 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
3883 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
3884 goto fail;
3885 }
3886 #endif /* CONFIG_MBO */
3887
3888 /*
3889 * sta->capability is used in check_assoc_ies() for RRM enabled
3890 * capability element.
3891 */
3892 sta->capability = capab_info;
3893
3894 #ifdef CONFIG_FILS
3895 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3896 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3897 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3898 int res;
3899
3900 /* The end of the payload is encrypted. Need to decrypt it
3901 * before parsing. */
3902
3903 tmp = os_memdup(pos, left);
3904 if (!tmp) {
3905 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3906 goto fail;
3907 }
3908
3909 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3910 len, tmp, left);
3911 if (res < 0) {
3912 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3913 goto fail;
3914 }
3915 pos = tmp;
3916 left = res;
3917 }
3918 #endif /* CONFIG_FILS */
3919
3920 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
3921 * is used */
3922 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3923 if (resp != WLAN_STATUS_SUCCESS)
3924 goto fail;
3925
3926 if (hostapd_get_aid(hapd, sta) < 0) {
3927 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3928 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3929 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3930 goto fail;
3931 }
3932
3933 sta->listen_interval = listen_interval;
3934
3935 if (hapd->iface->current_mode &&
3936 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3937 sta->flags |= WLAN_STA_NONERP;
3938 for (i = 0; i < sta->supported_rates_len; i++) {
3939 if ((sta->supported_rates[i] & 0x7f) > 22) {
3940 sta->flags &= ~WLAN_STA_NONERP;
3941 break;
3942 }
3943 }
3944 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3945 sta->nonerp_set = 1;
3946 hapd->iface->num_sta_non_erp++;
3947 if (hapd->iface->num_sta_non_erp == 1)
3948 ieee802_11_set_beacons(hapd->iface);
3949 }
3950
3951 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3952 !sta->no_short_slot_time_set) {
3953 sta->no_short_slot_time_set = 1;
3954 hapd->iface->num_sta_no_short_slot_time++;
3955 if (hapd->iface->current_mode &&
3956 hapd->iface->current_mode->mode ==
3957 HOSTAPD_MODE_IEEE80211G &&
3958 hapd->iface->num_sta_no_short_slot_time == 1)
3959 ieee802_11_set_beacons(hapd->iface);
3960 }
3961
3962 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3963 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3964 else
3965 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3966
3967 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3968 !sta->no_short_preamble_set) {
3969 sta->no_short_preamble_set = 1;
3970 hapd->iface->num_sta_no_short_preamble++;
3971 if (hapd->iface->current_mode &&
3972 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3973 && hapd->iface->num_sta_no_short_preamble == 1)
3974 ieee802_11_set_beacons(hapd->iface);
3975 }
3976
3977 #ifdef CONFIG_IEEE80211N
3978 update_ht_state(hapd, sta);
3979 #endif /* CONFIG_IEEE80211N */
3980
3981 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3982 HOSTAPD_LEVEL_DEBUG,
3983 "association OK (aid %d)", sta->aid);
3984 /* Station will be marked associated, after it acknowledges AssocResp
3985 */
3986 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3987
3988 #ifdef CONFIG_IEEE80211W
3989 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3990 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3991 "SA Query procedure", reassoc ? "re" : "");
3992 /* TODO: Send a protected Disassociate frame to the STA using
3993 * the old key and Reason Code "Previous Authentication no
3994 * longer valid". Make sure this is only sent protected since
3995 * unprotected frame would be received by the STA that is now
3996 * trying to associate.
3997 */
3998 }
3999 #endif /* CONFIG_IEEE80211W */
4000
4001 /* Make sure that the previously registered inactivity timer will not
4002 * remove the STA immediately. */
4003 sta->timeout_next = STA_NULLFUNC;
4004
4005 #ifdef CONFIG_TAXONOMY
4006 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4007 #endif /* CONFIG_TAXONOMY */
4008
4009 sta->pending_wds_enable = 0;
4010
4011 #ifdef CONFIG_FILS
4012 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4013 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4014 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4015 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4016 delay_assoc = 1;
4017 }
4018 #endif /* CONFIG_FILS */
4019
4020 fail:
4021 os_free(identity);
4022 os_free(radius_cui);
4023 hostapd_free_psk_list(psk);
4024
4025 /*
4026 * In case of a successful response, add the station to the driver.
4027 * Otherwise, the kernel may ignore Data frames before we process the
4028 * ACK frame (TX status). In case of a failure, this station will be
4029 * removed.
4030 *
4031 * Note that this is not compliant with the IEEE 802.11 standard that
4032 * states that a non-AP station should transition into the
4033 * authenticated/associated state only after the station acknowledges
4034 * the (Re)Association Response frame. However, still do this as:
4035 *
4036 * 1. In case the station does not acknowledge the (Re)Association
4037 * Response frame, it will be removed.
4038 * 2. Data frames will be dropped in the kernel until the station is
4039 * set into authorized state, and there are no significant known
4040 * issues with processing other non-Data Class 3 frames during this
4041 * window.
4042 */
4043 if (resp == WLAN_STATUS_SUCCESS && sta &&
4044 add_associated_sta(hapd, sta, reassoc))
4045 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4046
4047 #ifdef CONFIG_FILS
4048 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4049 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4050 sta->fils_pending_assoc_req) {
4051 /* Do not reschedule fils_hlp_timeout in case the station
4052 * retransmits (Re)Association Request frame while waiting for
4053 * the previously started FILS HLP wait, so that the timeout can
4054 * be determined from the first pending attempt. */
4055 wpa_printf(MSG_DEBUG,
4056 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4057 MACSTR, MAC2STR(sta->addr));
4058 os_free(tmp);
4059 return;
4060 }
4061 if (sta) {
4062 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4063 os_free(sta->fils_pending_assoc_req);
4064 sta->fils_pending_assoc_req = NULL;
4065 sta->fils_pending_assoc_req_len = 0;
4066 wpabuf_free(sta->fils_hlp_resp);
4067 sta->fils_hlp_resp = NULL;
4068 }
4069 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4070 sta->fils_pending_assoc_req = tmp;
4071 sta->fils_pending_assoc_req_len = left;
4072 sta->fils_pending_assoc_is_reassoc = reassoc;
4073 sta->fils_drv_assoc_finish = 0;
4074 wpa_printf(MSG_DEBUG,
4075 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4076 MACSTR, MAC2STR(sta->addr));
4077 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4078 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4079 fils_hlp_timeout, hapd, sta);
4080 return;
4081 }
4082 #endif /* CONFIG_FILS */
4083
4084 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4085 left, rssi);
4086 os_free(tmp);
4087
4088 /*
4089 * Remove the station in case tranmission of a success response fails
4090 * (the STA was added associated to the driver) or if the station was
4091 * previously added unassociated.
4092 */
4093 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4094 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4095 hostapd_drv_sta_remove(hapd, sta->addr);
4096 sta->added_unassoc = 0;
4097 }
4098 }
4099
4100
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4101 static void handle_disassoc(struct hostapd_data *hapd,
4102 const struct ieee80211_mgmt *mgmt, size_t len)
4103 {
4104 struct sta_info *sta;
4105
4106 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4107 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4108 (unsigned long) len);
4109 return;
4110 }
4111
4112 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4113 MAC2STR(mgmt->sa),
4114 le_to_host16(mgmt->u.disassoc.reason_code));
4115
4116 sta = ap_get_sta(hapd, mgmt->sa);
4117 if (sta == NULL) {
4118 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4119 MAC2STR(mgmt->sa));
4120 return;
4121 }
4122
4123 ap_sta_set_authorized(hapd, sta, 0);
4124 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4125 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4126 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4127 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4128 HOSTAPD_LEVEL_INFO, "disassociated");
4129 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4130 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4131 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4132 * authenticated. */
4133 accounting_sta_stop(hapd, sta);
4134 ieee802_1x_free_station(hapd, sta);
4135 if (sta->ipaddr)
4136 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4137 ap_sta_ip6addr_del(hapd, sta);
4138 hostapd_drv_sta_remove(hapd, sta->addr);
4139 sta->added_unassoc = 0;
4140
4141 if (sta->timeout_next == STA_NULLFUNC ||
4142 sta->timeout_next == STA_DISASSOC) {
4143 sta->timeout_next = STA_DEAUTH;
4144 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4145 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4146 hapd, sta);
4147 }
4148
4149 mlme_disassociate_indication(
4150 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4151
4152 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4153 * disassociation. */
4154 if (hapd->iface->current_mode &&
4155 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4156 sta->flags &= ~WLAN_STA_AUTH;
4157 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4158 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4159 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4160 ap_free_sta(hapd, sta);
4161 }
4162 }
4163
4164
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4165 static void handle_deauth(struct hostapd_data *hapd,
4166 const struct ieee80211_mgmt *mgmt, size_t len)
4167 {
4168 struct sta_info *sta;
4169
4170 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4171 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4172 "payload (len=%lu)", (unsigned long) len);
4173 return;
4174 }
4175
4176 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4177 " reason_code=%d",
4178 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4179
4180 sta = ap_get_sta(hapd, mgmt->sa);
4181 if (sta == NULL) {
4182 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4183 "to deauthenticate, but it is not authenticated",
4184 MAC2STR(mgmt->sa));
4185 return;
4186 }
4187
4188 ap_sta_set_authorized(hapd, sta, 0);
4189 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4190 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4191 WLAN_STA_ASSOC_REQ_OK);
4192 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4193 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4194 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4195 mlme_deauthenticate_indication(
4196 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4197 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4198 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4199 ap_free_sta(hapd, sta);
4200 }
4201
4202
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)4203 static void handle_beacon(struct hostapd_data *hapd,
4204 const struct ieee80211_mgmt *mgmt, size_t len,
4205 struct hostapd_frame_info *fi)
4206 {
4207 struct ieee802_11_elems elems;
4208
4209 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4210 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4211 (unsigned long) len);
4212 return;
4213 }
4214
4215 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4216 len - (IEEE80211_HDRLEN +
4217 sizeof(mgmt->u.beacon)), &elems,
4218 0);
4219
4220 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4221 }
4222
4223
4224 #ifdef CONFIG_IEEE80211W
robust_action_frame(u8 category)4225 static int robust_action_frame(u8 category)
4226 {
4227 return category != WLAN_ACTION_PUBLIC &&
4228 category != WLAN_ACTION_HT;
4229 }
4230 #endif /* CONFIG_IEEE80211W */
4231
4232
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)4233 static int handle_action(struct hostapd_data *hapd,
4234 const struct ieee80211_mgmt *mgmt, size_t len,
4235 unsigned int freq)
4236 {
4237 struct sta_info *sta;
4238 u8 *action __maybe_unused;
4239
4240 if (len < IEEE80211_HDRLEN + 2 + 1) {
4241 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4242 HOSTAPD_LEVEL_DEBUG,
4243 "handle_action - too short payload (len=%lu)",
4244 (unsigned long) len);
4245 return 0;
4246 }
4247
4248 action = (u8 *) &mgmt->u.action.u;
4249 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4250 " da " MACSTR " len %d freq %u",
4251 mgmt->u.action.category, *action,
4252 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4253
4254 sta = ap_get_sta(hapd, mgmt->sa);
4255
4256 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4257 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4258 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4259 "frame (category=%u) from unassociated STA " MACSTR,
4260 mgmt->u.action.category, MAC2STR(mgmt->sa));
4261 return 0;
4262 }
4263
4264 #ifdef CONFIG_IEEE80211W
4265 if (sta && (sta->flags & WLAN_STA_MFP) &&
4266 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4267 robust_action_frame(mgmt->u.action.category)) {
4268 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4269 HOSTAPD_LEVEL_DEBUG,
4270 "Dropped unprotected Robust Action frame from "
4271 "an MFP STA");
4272 return 0;
4273 }
4274 #endif /* CONFIG_IEEE80211W */
4275
4276 if (sta) {
4277 u16 fc = le_to_host16(mgmt->frame_control);
4278 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4279
4280 if ((fc & WLAN_FC_RETRY) &&
4281 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4282 sta->last_seq_ctrl == seq_ctrl &&
4283 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4284 hostapd_logger(hapd, sta->addr,
4285 HOSTAPD_MODULE_IEEE80211,
4286 HOSTAPD_LEVEL_DEBUG,
4287 "Drop repeated action frame seq_ctrl=0x%x",
4288 seq_ctrl);
4289 return 1;
4290 }
4291
4292 sta->last_seq_ctrl = seq_ctrl;
4293 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4294 }
4295
4296 switch (mgmt->u.action.category) {
4297 #ifdef CONFIG_IEEE80211R_AP
4298 case WLAN_ACTION_FT:
4299 if (!sta ||
4300 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4301 len - IEEE80211_HDRLEN))
4302 break;
4303 return 1;
4304 #endif /* CONFIG_IEEE80211R_AP */
4305 case WLAN_ACTION_WMM:
4306 hostapd_wmm_action(hapd, mgmt, len);
4307 return 1;
4308 #ifdef CONFIG_IEEE80211W
4309 case WLAN_ACTION_SA_QUERY:
4310 ieee802_11_sa_query_action(hapd, mgmt, len);
4311 return 1;
4312 #endif /* CONFIG_IEEE80211W */
4313 #ifdef CONFIG_WNM_AP
4314 case WLAN_ACTION_WNM:
4315 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4316 return 1;
4317 #endif /* CONFIG_WNM_AP */
4318 #ifdef CONFIG_FST
4319 case WLAN_ACTION_FST:
4320 if (hapd->iface->fst)
4321 fst_rx_action(hapd->iface->fst, mgmt, len);
4322 else
4323 wpa_printf(MSG_DEBUG,
4324 "FST: Ignore FST Action frame - no FST attached");
4325 return 1;
4326 #endif /* CONFIG_FST */
4327 case WLAN_ACTION_PUBLIC:
4328 case WLAN_ACTION_PROTECTED_DUAL:
4329 #ifdef CONFIG_IEEE80211N
4330 if (len >= IEEE80211_HDRLEN + 2 &&
4331 mgmt->u.action.u.public_action.action ==
4332 WLAN_PA_20_40_BSS_COEX) {
4333 hostapd_2040_coex_action(hapd, mgmt, len);
4334 return 1;
4335 }
4336 #endif /* CONFIG_IEEE80211N */
4337 #ifdef CONFIG_DPP
4338 if (len >= IEEE80211_HDRLEN + 6 &&
4339 mgmt->u.action.u.vs_public_action.action ==
4340 WLAN_PA_VENDOR_SPECIFIC &&
4341 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4342 OUI_WFA &&
4343 mgmt->u.action.u.vs_public_action.variable[0] ==
4344 DPP_OUI_TYPE) {
4345 const u8 *pos, *end;
4346
4347 pos = mgmt->u.action.u.vs_public_action.oui;
4348 end = ((const u8 *) mgmt) + len;
4349 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4350 freq);
4351 return 1;
4352 }
4353 if (len >= IEEE80211_HDRLEN + 2 &&
4354 (mgmt->u.action.u.public_action.action ==
4355 WLAN_PA_GAS_INITIAL_RESP ||
4356 mgmt->u.action.u.public_action.action ==
4357 WLAN_PA_GAS_COMEBACK_RESP)) {
4358 const u8 *pos, *end;
4359
4360 pos = &mgmt->u.action.u.public_action.action;
4361 end = ((const u8 *) mgmt) + len;
4362 gas_query_ap_rx(hapd->gas, mgmt->sa,
4363 mgmt->u.action.category,
4364 pos, end - pos, hapd->iface->freq);
4365 return 1;
4366 }
4367 #endif /* CONFIG_DPP */
4368 if (hapd->public_action_cb) {
4369 hapd->public_action_cb(hapd->public_action_cb_ctx,
4370 (u8 *) mgmt, len,
4371 hapd->iface->freq);
4372 }
4373 if (hapd->public_action_cb2) {
4374 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4375 (u8 *) mgmt, len,
4376 hapd->iface->freq);
4377 }
4378 if (hapd->public_action_cb || hapd->public_action_cb2)
4379 return 1;
4380 break;
4381 case WLAN_ACTION_VENDOR_SPECIFIC:
4382 if (hapd->vendor_action_cb) {
4383 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4384 (u8 *) mgmt, len,
4385 hapd->iface->freq) == 0)
4386 return 1;
4387 }
4388 break;
4389 case WLAN_ACTION_RADIO_MEASUREMENT:
4390 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4391 return 1;
4392 }
4393
4394 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4395 HOSTAPD_LEVEL_DEBUG,
4396 "handle_action - unknown action category %d or invalid "
4397 "frame",
4398 mgmt->u.action.category);
4399 if (!is_multicast_ether_addr(mgmt->da) &&
4400 !(mgmt->u.action.category & 0x80) &&
4401 !is_multicast_ether_addr(mgmt->sa)) {
4402 struct ieee80211_mgmt *resp;
4403
4404 /*
4405 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4406 * Return the Action frame to the source without change
4407 * except that MSB of the Category set to 1.
4408 */
4409 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4410 "frame back to sender");
4411 resp = os_memdup(mgmt, len);
4412 if (resp == NULL)
4413 return 0;
4414 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4415 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4416 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4417 resp->u.action.category |= 0x80;
4418
4419 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
4420 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4421 "Action frame");
4422 }
4423 os_free(resp);
4424 }
4425
4426 return 1;
4427 }
4428
4429
4430 /**
4431 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4432 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4433 * sent to)
4434 * @buf: management frame data (starting from IEEE 802.11 header)
4435 * @len: length of frame data in octets
4436 * @fi: meta data about received frame (signal level, etc.)
4437 *
4438 * Process all incoming IEEE 802.11 management frames. This will be called for
4439 * each frame received from the kernel driver through wlan#ap interface. In
4440 * addition, it can be called to re-inserted pending frames (e.g., when using
4441 * external RADIUS server as an MAC ACL).
4442 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)4443 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4444 struct hostapd_frame_info *fi)
4445 {
4446 struct ieee80211_mgmt *mgmt;
4447 u16 fc, stype;
4448 int ret = 0;
4449 unsigned int freq;
4450 int ssi_signal = fi ? fi->ssi_signal : 0;
4451
4452 if (len < 24)
4453 return 0;
4454
4455 if (fi && fi->freq)
4456 freq = fi->freq;
4457 else
4458 freq = hapd->iface->freq;
4459
4460 mgmt = (struct ieee80211_mgmt *) buf;
4461 fc = le_to_host16(mgmt->frame_control);
4462 stype = WLAN_FC_GET_STYPE(fc);
4463
4464 if (stype == WLAN_FC_STYPE_BEACON) {
4465 handle_beacon(hapd, mgmt, len, fi);
4466 return 1;
4467 }
4468
4469 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4470 #ifdef CONFIG_P2P
4471 /* Invitation responses can be sent with the peer MAC as BSSID */
4472 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4473 stype == WLAN_FC_STYPE_ACTION) &&
4474 #endif /* CONFIG_P2P */
4475 #ifdef CONFIG_MESH
4476 !(hapd->conf->mesh & MESH_ENABLED) &&
4477 #endif /* CONFIG_MESH */
4478 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4479 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4480 MAC2STR(mgmt->bssid));
4481 return 0;
4482 }
4483
4484
4485 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4486 handle_probe_req(hapd, mgmt, len, ssi_signal);
4487 return 1;
4488 }
4489
4490 if ((!is_broadcast_ether_addr(mgmt->da) ||
4491 stype != WLAN_FC_STYPE_ACTION) &&
4492 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4493 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4494 HOSTAPD_LEVEL_DEBUG,
4495 "MGMT: DA=" MACSTR " not our address",
4496 MAC2STR(mgmt->da));
4497 return 0;
4498 }
4499
4500 if (hapd->iconf->track_sta_max_num)
4501 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4502
4503 switch (stype) {
4504 case WLAN_FC_STYPE_AUTH:
4505 wpa_printf(MSG_DEBUG, "mgmt::auth");
4506 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4507 ret = 1;
4508 break;
4509 case WLAN_FC_STYPE_ASSOC_REQ:
4510 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4511 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4512 ret = 1;
4513 break;
4514 case WLAN_FC_STYPE_REASSOC_REQ:
4515 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4516 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4517 ret = 1;
4518 break;
4519 case WLAN_FC_STYPE_DISASSOC:
4520 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4521 handle_disassoc(hapd, mgmt, len);
4522 ret = 1;
4523 break;
4524 case WLAN_FC_STYPE_DEAUTH:
4525 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4526 handle_deauth(hapd, mgmt, len);
4527 ret = 1;
4528 break;
4529 case WLAN_FC_STYPE_ACTION:
4530 wpa_printf(MSG_DEBUG, "mgmt::action");
4531 ret = handle_action(hapd, mgmt, len, freq);
4532 break;
4533 default:
4534 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4535 HOSTAPD_LEVEL_DEBUG,
4536 "unknown mgmt frame subtype %d", stype);
4537 break;
4538 }
4539
4540 return ret;
4541 }
4542
4543
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4544 static void handle_auth_cb(struct hostapd_data *hapd,
4545 const struct ieee80211_mgmt *mgmt,
4546 size_t len, int ok)
4547 {
4548 u16 auth_alg, auth_transaction, status_code;
4549 struct sta_info *sta;
4550
4551 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4552 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4553 (unsigned long) len);
4554
4555 /*
4556 * Initialize status_code here because we are not able to read
4557 * it from the short payload.
4558 */
4559 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
4560 goto fail;
4561 }
4562
4563 sta = ap_get_sta(hapd, mgmt->da);
4564 if (!sta) {
4565 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4566 " not found",
4567 MAC2STR(mgmt->da));
4568 return;
4569 }
4570
4571 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4572 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4573 status_code = le_to_host16(mgmt->u.auth.status_code);
4574
4575 if (!ok) {
4576 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4577 HOSTAPD_LEVEL_NOTICE,
4578 "did not acknowledge authentication response");
4579 goto fail;
4580 }
4581
4582 if (status_code == WLAN_STATUS_SUCCESS &&
4583 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4584 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4585 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4586 HOSTAPD_LEVEL_INFO, "authenticated");
4587 sta->flags |= WLAN_STA_AUTH;
4588 if (sta->added_unassoc)
4589 hostapd_set_sta_flags(hapd, sta);
4590 return;
4591 }
4592
4593 fail:
4594 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4595 hostapd_drv_sta_remove(hapd, sta->addr);
4596 sta->added_unassoc = 0;
4597 }
4598 }
4599
4600
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)4601 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4602 struct sta_info *sta,
4603 char *ifname_wds)
4604 {
4605 int i;
4606 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4607
4608 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4609 return;
4610
4611 for (i = 0; i < 4; i++) {
4612 if (ssid->wep.key[i] &&
4613 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4614 i == ssid->wep.idx, NULL, 0,
4615 ssid->wep.key[i], ssid->wep.len[i])) {
4616 wpa_printf(MSG_WARNING,
4617 "Could not set WEP keys for WDS interface; %s",
4618 ifname_wds);
4619 break;
4620 }
4621 }
4622 }
4623
4624
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)4625 static void handle_assoc_cb(struct hostapd_data *hapd,
4626 const struct ieee80211_mgmt *mgmt,
4627 size_t len, int reassoc, int ok)
4628 {
4629 u16 status;
4630 struct sta_info *sta;
4631 int new_assoc = 1;
4632
4633 sta = ap_get_sta(hapd, mgmt->da);
4634 if (!sta) {
4635 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4636 MAC2STR(mgmt->da));
4637 return;
4638 }
4639
4640 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4641 sizeof(mgmt->u.assoc_resp))) {
4642 wpa_printf(MSG_INFO,
4643 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4644 reassoc, (unsigned long) len);
4645 hostapd_drv_sta_remove(hapd, sta->addr);
4646 return;
4647 }
4648
4649 if (reassoc)
4650 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4651 else
4652 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4653
4654 if (!ok) {
4655 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4656 HOSTAPD_LEVEL_DEBUG,
4657 "did not acknowledge association response");
4658 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4659 /* The STA is added only in case of SUCCESS */
4660 if (status == WLAN_STATUS_SUCCESS)
4661 hostapd_drv_sta_remove(hapd, sta->addr);
4662
4663 return;
4664 }
4665
4666 if (status != WLAN_STATUS_SUCCESS)
4667 return;
4668
4669 /* Stop previous accounting session, if one is started, and allocate
4670 * new session id for the new session. */
4671 accounting_sta_stop(hapd, sta);
4672
4673 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4674 HOSTAPD_LEVEL_INFO,
4675 "associated (aid %d)",
4676 sta->aid);
4677
4678 if (sta->flags & WLAN_STA_ASSOC)
4679 new_assoc = 0;
4680 sta->flags |= WLAN_STA_ASSOC;
4681 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4682 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4683 !hapd->conf->osen) ||
4684 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4685 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4686 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4687 sta->auth_alg == WLAN_AUTH_FT) {
4688 /*
4689 * Open, static WEP, FT protocol, or FILS; no separate
4690 * authorization step.
4691 */
4692 ap_sta_set_authorized(hapd, sta, 1);
4693 }
4694
4695 if (reassoc)
4696 mlme_reassociate_indication(hapd, sta);
4697 else
4698 mlme_associate_indication(hapd, sta);
4699
4700 #ifdef CONFIG_IEEE80211W
4701 sta->sa_query_timed_out = 0;
4702 #endif /* CONFIG_IEEE80211W */
4703
4704 if (sta->eapol_sm == NULL) {
4705 /*
4706 * This STA does not use RADIUS server for EAP authentication,
4707 * so bind it to the selected VLAN interface now, since the
4708 * interface selection is not going to change anymore.
4709 */
4710 if (ap_sta_bind_vlan(hapd, sta) < 0)
4711 return;
4712 } else if (sta->vlan_id) {
4713 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4714 if (ap_sta_bind_vlan(hapd, sta) < 0)
4715 return;
4716 }
4717
4718 hostapd_set_sta_flags(hapd, sta);
4719
4720 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4721 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4722 MACSTR " based on pending request",
4723 MAC2STR(sta->addr));
4724 sta->pending_wds_enable = 0;
4725 sta->flags |= WLAN_STA_WDS;
4726 }
4727
4728 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4729 int ret;
4730 char ifname_wds[IFNAMSIZ + 1];
4731
4732 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4733 MACSTR " (aid %u)",
4734 MAC2STR(sta->addr), sta->aid);
4735 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4736 sta->aid, 1);
4737 if (!ret)
4738 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4739 }
4740
4741 if (sta->auth_alg == WLAN_AUTH_FT)
4742 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4743 else
4744 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4745 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4746 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4747
4748 #ifdef CONFIG_FILS
4749 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4750 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4751 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4752 fils_set_tk(sta->wpa_sm) < 0) {
4753 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4754 ap_sta_disconnect(hapd, sta, sta->addr,
4755 WLAN_REASON_UNSPECIFIED);
4756 return;
4757 }
4758 #endif /* CONFIG_FILS */
4759
4760 if (sta->pending_eapol_rx) {
4761 struct os_reltime now, age;
4762
4763 os_get_reltime(&now);
4764 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4765 if (age.sec == 0 && age.usec < 200000) {
4766 wpa_printf(MSG_DEBUG,
4767 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4768 MAC2STR(sta->addr));
4769 ieee802_1x_receive(
4770 hapd, mgmt->da,
4771 wpabuf_head(sta->pending_eapol_rx->buf),
4772 wpabuf_len(sta->pending_eapol_rx->buf));
4773 }
4774 wpabuf_free(sta->pending_eapol_rx->buf);
4775 os_free(sta->pending_eapol_rx);
4776 sta->pending_eapol_rx = NULL;
4777 }
4778 }
4779
4780
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4781 static void handle_deauth_cb(struct hostapd_data *hapd,
4782 const struct ieee80211_mgmt *mgmt,
4783 size_t len, int ok)
4784 {
4785 struct sta_info *sta;
4786 if (is_multicast_ether_addr(mgmt->da))
4787 return;
4788 sta = ap_get_sta(hapd, mgmt->da);
4789 if (!sta) {
4790 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4791 " not found", MAC2STR(mgmt->da));
4792 return;
4793 }
4794 if (ok)
4795 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4796 MAC2STR(sta->addr));
4797 else
4798 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4799 "deauth", MAC2STR(sta->addr));
4800
4801 ap_sta_deauth_cb(hapd, sta);
4802 }
4803
4804
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4805 static void handle_disassoc_cb(struct hostapd_data *hapd,
4806 const struct ieee80211_mgmt *mgmt,
4807 size_t len, int ok)
4808 {
4809 struct sta_info *sta;
4810 if (is_multicast_ether_addr(mgmt->da))
4811 return;
4812 sta = ap_get_sta(hapd, mgmt->da);
4813 if (!sta) {
4814 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4815 " not found", MAC2STR(mgmt->da));
4816 return;
4817 }
4818 if (ok)
4819 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4820 MAC2STR(sta->addr));
4821 else
4822 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4823 "disassoc", MAC2STR(sta->addr));
4824
4825 ap_sta_disassoc_cb(hapd, sta);
4826 }
4827
4828
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4829 static void handle_action_cb(struct hostapd_data *hapd,
4830 const struct ieee80211_mgmt *mgmt,
4831 size_t len, int ok)
4832 {
4833 struct sta_info *sta;
4834 const struct rrm_measurement_report_element *report;
4835
4836 if (is_multicast_ether_addr(mgmt->da))
4837 return;
4838 #ifdef CONFIG_DPP
4839 if (len >= IEEE80211_HDRLEN + 6 &&
4840 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4841 mgmt->u.action.u.vs_public_action.action ==
4842 WLAN_PA_VENDOR_SPECIFIC &&
4843 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4844 OUI_WFA &&
4845 mgmt->u.action.u.vs_public_action.variable[0] ==
4846 DPP_OUI_TYPE) {
4847 const u8 *pos, *end;
4848
4849 pos = &mgmt->u.action.u.vs_public_action.variable[1];
4850 end = ((const u8 *) mgmt) + len;
4851 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4852 return;
4853 }
4854 if (len >= IEEE80211_HDRLEN + 2 &&
4855 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4856 (mgmt->u.action.u.public_action.action ==
4857 WLAN_PA_GAS_INITIAL_REQ ||
4858 mgmt->u.action.u.public_action.action ==
4859 WLAN_PA_GAS_COMEBACK_REQ)) {
4860 const u8 *pos, *end;
4861
4862 pos = mgmt->u.action.u.public_action.variable;
4863 end = ((const u8 *) mgmt) + len;
4864 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4865 return;
4866 }
4867 #endif /* CONFIG_DPP */
4868 sta = ap_get_sta(hapd, mgmt->da);
4869 if (!sta) {
4870 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4871 " not found", MAC2STR(mgmt->da));
4872 return;
4873 }
4874
4875 if (len < 24 + 5 + sizeof(*report))
4876 return;
4877 report = (const struct rrm_measurement_report_element *)
4878 &mgmt->u.action.u.rrm.variable[2];
4879 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4880 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4881 report->eid == WLAN_EID_MEASURE_REQUEST &&
4882 report->len >= 3 &&
4883 report->type == MEASURE_TYPE_BEACON)
4884 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4885 }
4886
4887
4888 /**
4889 * ieee802_11_mgmt_cb - Process management frame TX status callback
4890 * @hapd: hostapd BSS data structure (the BSS from which the management frame
4891 * was sent from)
4892 * @buf: management frame data (starting from IEEE 802.11 header)
4893 * @len: length of frame data in octets
4894 * @stype: management frame subtype from frame control field
4895 * @ok: Whether the frame was ACK'ed
4896 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)4897 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4898 u16 stype, int ok)
4899 {
4900 const struct ieee80211_mgmt *mgmt;
4901 mgmt = (const struct ieee80211_mgmt *) buf;
4902
4903 #ifdef CONFIG_TESTING_OPTIONS
4904 if (hapd->ext_mgmt_frame_handling) {
4905 size_t hex_len = 2 * len + 1;
4906 char *hex = os_malloc(hex_len);
4907
4908 if (hex) {
4909 wpa_snprintf_hex(hex, hex_len, buf, len);
4910 wpa_msg(hapd->msg_ctx, MSG_INFO,
4911 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4912 stype, ok, hex);
4913 os_free(hex);
4914 }
4915 return;
4916 }
4917 #endif /* CONFIG_TESTING_OPTIONS */
4918
4919 switch (stype) {
4920 case WLAN_FC_STYPE_AUTH:
4921 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4922 handle_auth_cb(hapd, mgmt, len, ok);
4923 break;
4924 case WLAN_FC_STYPE_ASSOC_RESP:
4925 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4926 handle_assoc_cb(hapd, mgmt, len, 0, ok);
4927 break;
4928 case WLAN_FC_STYPE_REASSOC_RESP:
4929 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4930 handle_assoc_cb(hapd, mgmt, len, 1, ok);
4931 break;
4932 case WLAN_FC_STYPE_PROBE_RESP:
4933 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4934 break;
4935 case WLAN_FC_STYPE_DEAUTH:
4936 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4937 handle_deauth_cb(hapd, mgmt, len, ok);
4938 break;
4939 case WLAN_FC_STYPE_DISASSOC:
4940 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4941 handle_disassoc_cb(hapd, mgmt, len, ok);
4942 break;
4943 case WLAN_FC_STYPE_ACTION:
4944 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4945 handle_action_cb(hapd, mgmt, len, ok);
4946 break;
4947 default:
4948 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4949 break;
4950 }
4951 }
4952
4953
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)4954 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4955 {
4956 /* TODO */
4957 return 0;
4958 }
4959
4960
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)4961 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4962 char *buf, size_t buflen)
4963 {
4964 /* TODO */
4965 return 0;
4966 }
4967
4968
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)4969 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4970 const u8 *buf, size_t len, int ack)
4971 {
4972 struct sta_info *sta;
4973 struct hostapd_iface *iface = hapd->iface;
4974
4975 sta = ap_get_sta(hapd, addr);
4976 if (sta == NULL && iface->num_bss > 1) {
4977 size_t j;
4978 for (j = 0; j < iface->num_bss; j++) {
4979 hapd = iface->bss[j];
4980 sta = ap_get_sta(hapd, addr);
4981 if (sta)
4982 break;
4983 }
4984 }
4985 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4986 return;
4987 if (sta->flags & WLAN_STA_PENDING_POLL) {
4988 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4989 "activity poll", MAC2STR(sta->addr),
4990 ack ? "ACKed" : "did not ACK");
4991 if (ack)
4992 sta->flags &= ~WLAN_STA_PENDING_POLL;
4993 }
4994
4995 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4996 }
4997
4998
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)4999 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5000 const u8 *data, size_t len, int ack)
5001 {
5002 struct sta_info *sta;
5003 struct hostapd_iface *iface = hapd->iface;
5004
5005 sta = ap_get_sta(hapd, dst);
5006 if (sta == NULL && iface->num_bss > 1) {
5007 size_t j;
5008 for (j = 0; j < iface->num_bss; j++) {
5009 hapd = iface->bss[j];
5010 sta = ap_get_sta(hapd, dst);
5011 if (sta)
5012 break;
5013 }
5014 }
5015 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5016 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5017 MACSTR " that is not currently associated",
5018 MAC2STR(dst));
5019 return;
5020 }
5021
5022 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5023 }
5024
5025
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)5026 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5027 {
5028 struct sta_info *sta;
5029 struct hostapd_iface *iface = hapd->iface;
5030
5031 sta = ap_get_sta(hapd, addr);
5032 if (sta == NULL && iface->num_bss > 1) {
5033 size_t j;
5034 for (j = 0; j < iface->num_bss; j++) {
5035 hapd = iface->bss[j];
5036 sta = ap_get_sta(hapd, addr);
5037 if (sta)
5038 break;
5039 }
5040 }
5041 if (sta == NULL)
5042 return;
5043 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5044 MAC2STR(sta->addr));
5045 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5046 return;
5047
5048 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5049 "activity poll", MAC2STR(sta->addr));
5050 sta->flags &= ~WLAN_STA_PENDING_POLL;
5051 }
5052
5053
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)5054 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5055 int wds)
5056 {
5057 struct sta_info *sta;
5058
5059 sta = ap_get_sta(hapd, src);
5060 if (sta &&
5061 ((sta->flags & WLAN_STA_ASSOC) ||
5062 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5063 if (!hapd->conf->wds_sta)
5064 return;
5065
5066 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5067 WLAN_STA_ASSOC_REQ_OK) {
5068 wpa_printf(MSG_DEBUG,
5069 "Postpone 4-address WDS mode enabling for STA "
5070 MACSTR " since TX status for AssocResp is not yet known",
5071 MAC2STR(sta->addr));
5072 sta->pending_wds_enable = 1;
5073 return;
5074 }
5075
5076 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5077 int ret;
5078 char ifname_wds[IFNAMSIZ + 1];
5079
5080 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5081 "STA " MACSTR " (aid %u)",
5082 MAC2STR(sta->addr), sta->aid);
5083 sta->flags |= WLAN_STA_WDS;
5084 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5085 sta->addr, sta->aid, 1);
5086 if (!ret)
5087 hostapd_set_wds_encryption(hapd, sta,
5088 ifname_wds);
5089 }
5090 return;
5091 }
5092
5093 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5094 MACSTR, MAC2STR(src));
5095 if (is_multicast_ether_addr(src)) {
5096 /* Broadcast bit set in SA?! Ignore the frame silently. */
5097 return;
5098 }
5099
5100 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5101 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5102 "already been sent, but no TX status yet known - "
5103 "ignore Class 3 frame issue with " MACSTR,
5104 MAC2STR(src));
5105 return;
5106 }
5107
5108 if (sta && (sta->flags & WLAN_STA_AUTH))
5109 hostapd_drv_sta_disassoc(
5110 hapd, src,
5111 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5112 else
5113 hostapd_drv_sta_deauth(
5114 hapd, src,
5115 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5116 }
5117
5118
5119 #endif /* CONFIG_NATIVE_WINDOWS */
5120