1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "radius/radius.h"
28 #include "radius/radius_client.h"
29 #include "p2p/p2p.h"
30 #include "wps/wps.h"
31 #include "fst/fst.h"
32 #include "hostapd.h"
33 #include "beacon.h"
34 #include "ieee802_11_auth.h"
35 #include "sta_info.h"
36 #include "ieee802_1x.h"
37 #include "wpa_auth.h"
38 #include "pmksa_cache_auth.h"
39 #include "wmm.h"
40 #include "ap_list.h"
41 #include "accounting.h"
42 #include "ap_config.h"
43 #include "ap_mlme.h"
44 #include "p2p_hostapd.h"
45 #include "ap_drv_ops.h"
46 #include "wnm_ap.h"
47 #include "hw_features.h"
48 #include "ieee802_11.h"
49 #include "dfs.h"
50 #include "mbo_ap.h"
51 #include "rrm.h"
52 #include "taxonomy.h"
53 #include "fils_hlp.h"
54 #include "dpp_hostapd.h"
55 #include "gas_query_ap.h"
56
57
58 #ifdef CONFIG_FILS
59 static struct wpabuf *
60 prepare_auth_resp_fils(struct hostapd_data *hapd,
61 struct sta_info *sta, u16 *resp,
62 struct rsn_pmksa_cache_entry *pmksa,
63 struct wpabuf *erp_resp,
64 const u8 *msk, size_t msk_len,
65 int *is_pub);
66 #endif /* CONFIG_FILS */
67 static void handle_auth(struct hostapd_data *hapd,
68 const struct ieee80211_mgmt *mgmt, size_t len,
69 int rssi, int from_queue);
70
71
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
73 {
74 u8 multi_ap_val = 0;
75
76 if (!hapd->conf->multi_ap)
77 return eid;
78 if (hapd->conf->multi_ap & BACKHAUL_BSS)
79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
80 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82
83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
84 }
85
86
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
88 {
89 u8 *pos = eid;
90 int i, num, count;
91 int h2e_required;
92
93 if (hapd->iface->current_rates == NULL)
94 return eid;
95
96 *pos++ = WLAN_EID_SUPP_RATES;
97 num = hapd->iface->num_rates;
98 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
99 num++;
100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
101 num++;
102 h2e_required = (hapd->conf->sae_pwe == 1 ||
103 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
104 hapd->conf->sae_pwe != 3 &&
105 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
106 if (h2e_required)
107 num++;
108 if (num > 8) {
109 /* rest of the rates are encoded in Extended supported
110 * rates element */
111 num = 8;
112 }
113
114 *pos++ = num;
115 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
116 i++) {
117 count++;
118 *pos = hapd->iface->current_rates[i].rate / 5;
119 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
120 *pos |= 0x80;
121 pos++;
122 }
123
124 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
125 count++;
126 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
127 }
128
129 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
130 count++;
131 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
132 }
133
134 if (h2e_required && count < 8) {
135 count++;
136 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
137 }
138
139 return pos;
140 }
141
142
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)143 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
144 {
145 u8 *pos = eid;
146 int i, num, count;
147 int h2e_required;
148
149 if (hapd->iface->current_rates == NULL)
150 return eid;
151
152 num = hapd->iface->num_rates;
153 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
154 num++;
155 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
156 num++;
157 h2e_required = (hapd->conf->sae_pwe == 1 ||
158 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
159 hapd->conf->sae_pwe != 3 &&
160 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
161 if (h2e_required)
162 num++;
163 if (num <= 8)
164 return eid;
165 num -= 8;
166
167 *pos++ = WLAN_EID_EXT_SUPP_RATES;
168 *pos++ = num;
169 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
170 i++) {
171 count++;
172 if (count <= 8)
173 continue; /* already in SuppRates IE */
174 *pos = hapd->iface->current_rates[i].rate / 5;
175 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
176 *pos |= 0x80;
177 pos++;
178 }
179
180 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
181 count++;
182 if (count > 8)
183 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
184 }
185
186 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
187 count++;
188 if (count > 8)
189 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
190 }
191
192 if (h2e_required) {
193 count++;
194 if (count > 8)
195 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
196 }
197
198 return pos;
199 }
200
201
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)202 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
203 size_t len)
204 {
205 size_t i;
206
207 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
208 if (hapd->conf->radio_measurements[i])
209 break;
210 }
211
212 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
213 return eid;
214
215 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
216 *eid++ = RRM_CAPABILITIES_IE_LEN;
217 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
218
219 return eid + RRM_CAPABILITIES_IE_LEN;
220 }
221
222
hostapd_own_capab_info(struct hostapd_data * hapd)223 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
224 {
225 int capab = WLAN_CAPABILITY_ESS;
226 int privacy = 0;
227 int dfs;
228 int i;
229
230 /* Check if any of configured channels require DFS */
231 dfs = hostapd_is_dfs_required(hapd->iface);
232 if (dfs < 0) {
233 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
234 dfs);
235 dfs = 0;
236 }
237
238 if (hapd->iface->num_sta_no_short_preamble == 0 &&
239 hapd->iconf->preamble == SHORT_PREAMBLE)
240 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
241
242 #ifdef CONFIG_WEP
243 privacy = hapd->conf->ssid.wep.keys_set;
244
245 if (hapd->conf->ieee802_1x &&
246 (hapd->conf->default_wep_key_len ||
247 hapd->conf->individual_wep_key_len))
248 privacy = 1;
249 #endif /* CONFIG_WEP */
250
251 if (hapd->conf->wpa)
252 privacy = 1;
253
254 #ifdef CONFIG_HS20
255 if (hapd->conf->osen)
256 privacy = 1;
257 #endif /* CONFIG_HS20 */
258
259 if (privacy)
260 capab |= WLAN_CAPABILITY_PRIVACY;
261
262 if (hapd->iface->current_mode &&
263 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
264 hapd->iface->num_sta_no_short_slot_time == 0)
265 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
266
267 /*
268 * Currently, Spectrum Management capability bit is set when directly
269 * requested in configuration by spectrum_mgmt_required or when AP is
270 * running on DFS channel.
271 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
272 */
273 if (hapd->iface->current_mode &&
274 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
275 (hapd->iconf->spectrum_mgmt_required || dfs))
276 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
277
278 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
279 if (hapd->conf->radio_measurements[i]) {
280 capab |= IEEE80211_CAP_RRM;
281 break;
282 }
283 }
284
285 return capab;
286 }
287
288
289 #ifdef CONFIG_WEP
290 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)291 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
292 u16 auth_transaction, const u8 *challenge,
293 int iswep)
294 {
295 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
296 HOSTAPD_LEVEL_DEBUG,
297 "authentication (shared key, transaction %d)",
298 auth_transaction);
299
300 if (auth_transaction == 1) {
301 if (!sta->challenge) {
302 /* Generate a pseudo-random challenge */
303 u8 key[8];
304
305 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
306 if (sta->challenge == NULL)
307 return WLAN_STATUS_UNSPECIFIED_FAILURE;
308
309 if (os_get_random(key, sizeof(key)) < 0) {
310 os_free(sta->challenge);
311 sta->challenge = NULL;
312 return WLAN_STATUS_UNSPECIFIED_FAILURE;
313 }
314
315 rc4_skip(key, sizeof(key), 0,
316 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
317 }
318 return 0;
319 }
320
321 if (auth_transaction != 3)
322 return WLAN_STATUS_UNSPECIFIED_FAILURE;
323
324 /* Transaction 3 */
325 if (!iswep || !sta->challenge || !challenge ||
326 os_memcmp_const(sta->challenge, challenge,
327 WLAN_AUTH_CHALLENGE_LEN)) {
328 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
329 HOSTAPD_LEVEL_INFO,
330 "shared key authentication - invalid "
331 "challenge-response");
332 return WLAN_STATUS_CHALLENGE_FAIL;
333 }
334
335 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
336 HOSTAPD_LEVEL_DEBUG,
337 "authentication OK (shared key)");
338 sta->flags |= WLAN_STA_AUTH;
339 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
340 os_free(sta->challenge);
341 sta->challenge = NULL;
342
343 return 0;
344 }
345 #endif /* CONFIG_NO_RC4 */
346 #endif /* CONFIG_WEP */
347
348
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)349 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
350 const u8 *dst, const u8 *bssid,
351 u16 auth_alg, u16 auth_transaction, u16 resp,
352 const u8 *ies, size_t ies_len, const char *dbg)
353 {
354 struct ieee80211_mgmt *reply;
355 u8 *buf;
356 size_t rlen;
357 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
358
359 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
360 buf = os_zalloc(rlen);
361 if (buf == NULL)
362 return -1;
363
364 reply = (struct ieee80211_mgmt *) buf;
365 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
366 WLAN_FC_STYPE_AUTH);
367 os_memcpy(reply->da, dst, ETH_ALEN);
368 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
369 os_memcpy(reply->bssid, bssid, ETH_ALEN);
370
371 reply->u.auth.auth_alg = host_to_le16(auth_alg);
372 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
373 reply->u.auth.status_code = host_to_le16(resp);
374
375 if (ies && ies_len)
376 os_memcpy(reply->u.auth.variable, ies, ies_len);
377
378 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
379 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
380 MAC2STR(dst), auth_alg, auth_transaction,
381 resp, (unsigned long) ies_len, dbg);
382 #ifdef CONFIG_TESTING_OPTIONS
383 #ifdef CONFIG_SAE
384 if (hapd->conf->sae_confirm_immediate == 2 &&
385 auth_alg == WLAN_AUTH_SAE) {
386 if (auth_transaction == 1 && sta &&
387 (resp == WLAN_STATUS_SUCCESS ||
388 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT)) {
389 wpa_printf(MSG_DEBUG,
390 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
391 os_free(sta->sae_postponed_commit);
392 sta->sae_postponed_commit = buf;
393 sta->sae_postponed_commit_len = rlen;
394 return WLAN_STATUS_SUCCESS;
395 }
396
397 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
398 wpa_printf(MSG_DEBUG,
399 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
400 if (hostapd_drv_send_mlme(hapd,
401 sta->sae_postponed_commit,
402 sta->sae_postponed_commit_len,
403 0, NULL, 0, 0) < 0)
404 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
405 os_free(sta->sae_postponed_commit);
406 sta->sae_postponed_commit = NULL;
407 sta->sae_postponed_commit_len = 0;
408 }
409 }
410 #endif /* CONFIG_SAE */
411 #endif /* CONFIG_TESTING_OPTIONS */
412 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
413 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
414 else
415 reply_res = WLAN_STATUS_SUCCESS;
416
417 os_free(buf);
418
419 return reply_res;
420 }
421
422
423 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)424 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
425 u16 auth_transaction, u16 status,
426 const u8 *ies, size_t ies_len)
427 {
428 struct hostapd_data *hapd = ctx;
429 struct sta_info *sta;
430 int reply_res;
431
432 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
433 auth_transaction, status, ies, ies_len,
434 "auth-ft-finish");
435
436 sta = ap_get_sta(hapd, dst);
437 if (sta == NULL)
438 return;
439
440 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
441 status != WLAN_STATUS_SUCCESS)) {
442 hostapd_drv_sta_remove(hapd, sta->addr);
443 sta->added_unassoc = 0;
444 return;
445 }
446
447 if (status != WLAN_STATUS_SUCCESS)
448 return;
449
450 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
451 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
452 sta->flags |= WLAN_STA_AUTH;
453 mlme_authenticate_indication(hapd, sta);
454 }
455 #endif /* CONFIG_IEEE80211R_AP */
456
457
458 #ifdef CONFIG_SAE
459
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)460 static void sae_set_state(struct sta_info *sta, enum sae_state state,
461 const char *reason)
462 {
463 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
464 sae_state_txt(sta->sae->state), sae_state_txt(state),
465 MAC2STR(sta->addr), reason);
466 sta->sae->state = state;
467 }
468
469
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)470 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
471 struct sta_info *sta, int update,
472 int status_code)
473 {
474 struct wpabuf *buf;
475 const char *password = NULL;
476 struct sae_password_entry *pw;
477 const char *rx_id = NULL;
478 int use_pt = 0;
479 struct sae_pt *pt = NULL;
480
481 if (sta->sae->tmp) {
482 rx_id = sta->sae->tmp->pw_id;
483 use_pt = sta->sae->tmp->h2e;
484 }
485
486 if (rx_id && hapd->conf->sae_pwe != 3)
487 use_pt = 1;
488 else if (status_code == WLAN_STATUS_SUCCESS)
489 use_pt = 0;
490 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
491 use_pt = 1;
492
493 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
494 if (!is_broadcast_ether_addr(pw->peer_addr) &&
495 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
496 continue;
497 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
498 continue;
499 if (rx_id && pw->identifier &&
500 os_strcmp(rx_id, pw->identifier) != 0)
501 continue;
502 password = pw->password;
503 pt = pw->pt;
504 break;
505 }
506 if (!password) {
507 password = hapd->conf->ssid.wpa_passphrase;
508 pt = hapd->conf->ssid.pt;
509 }
510 if (!password || (use_pt && !pt)) {
511 wpa_printf(MSG_DEBUG, "SAE: No password available");
512 return NULL;
513 }
514
515 if (update && use_pt &&
516 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
517 NULL) < 0)
518 return NULL;
519
520 if (update && !use_pt &&
521 sae_prepare_commit(hapd->own_addr, sta->addr,
522 (u8 *) password, os_strlen(password), rx_id,
523 sta->sae) < 0) {
524 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
525 return NULL;
526 }
527
528 if (pw && pw->vlan_id) {
529 if (!sta->sae->tmp) {
530 wpa_printf(MSG_INFO,
531 "SAE: No temporary data allocated - cannot store VLAN ID");
532 return NULL;
533 }
534 sta->sae->tmp->vlan_id = pw->vlan_id;
535 }
536
537 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
538 (rx_id ? 3 + os_strlen(rx_id) : 0));
539 if (buf &&
540 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
541 sta->sae->tmp->anti_clogging_token : NULL,
542 rx_id) < 0) {
543 wpabuf_free(buf);
544 buf = NULL;
545 }
546
547 return buf;
548 }
549
550
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)551 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
552 struct sta_info *sta)
553 {
554 struct wpabuf *buf;
555
556 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
557 if (buf == NULL)
558 return NULL;
559
560 sae_write_confirm(sta->sae, buf);
561
562 return buf;
563 }
564
565
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)566 static int auth_sae_send_commit(struct hostapd_data *hapd,
567 struct sta_info *sta,
568 const u8 *bssid, int update, int status_code)
569 {
570 struct wpabuf *data;
571 int reply_res;
572 u16 status;
573
574 data = auth_build_sae_commit(hapd, sta, update, status_code);
575 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
576 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
577 if (data == NULL)
578 return WLAN_STATUS_UNSPECIFIED_FAILURE;
579
580 status = (sta->sae->tmp && sta->sae->tmp->h2e) ?
581 WLAN_STATUS_SAE_HASH_TO_ELEMENT : WLAN_STATUS_SUCCESS;
582 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
583 WLAN_AUTH_SAE, 1,
584 status, wpabuf_head(data),
585 wpabuf_len(data), "sae-send-commit");
586
587 wpabuf_free(data);
588
589 return reply_res;
590 }
591
592
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)593 static int auth_sae_send_confirm(struct hostapd_data *hapd,
594 struct sta_info *sta,
595 const u8 *bssid)
596 {
597 struct wpabuf *data;
598 int reply_res;
599
600 data = auth_build_sae_confirm(hapd, sta);
601 if (data == NULL)
602 return WLAN_STATUS_UNSPECIFIED_FAILURE;
603
604 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
605 WLAN_AUTH_SAE, 2,
606 WLAN_STATUS_SUCCESS, wpabuf_head(data),
607 wpabuf_len(data), "sae-send-confirm");
608
609 wpabuf_free(data);
610
611 return reply_res;
612 }
613
614
use_sae_anti_clogging(struct hostapd_data * hapd)615 static int use_sae_anti_clogging(struct hostapd_data *hapd)
616 {
617 struct sta_info *sta;
618 unsigned int open = 0;
619
620 if (hapd->conf->sae_anti_clogging_threshold == 0)
621 return 1;
622
623 for (sta = hapd->sta_list; sta; sta = sta->next) {
624 if (!sta->sae)
625 continue;
626 if (sta->sae->state != SAE_COMMITTED &&
627 sta->sae->state != SAE_CONFIRMED)
628 continue;
629 open++;
630 if (open >= hapd->conf->sae_anti_clogging_threshold)
631 return 1;
632 }
633
634 /* In addition to already existing open SAE sessions, check whether
635 * there are enough pending commit messages in the processing queue to
636 * potentially result in too many open sessions. */
637 if (open + dl_list_len(&hapd->sae_commit_queue) >=
638 hapd->conf->sae_anti_clogging_threshold)
639 return 1;
640
641 return 0;
642 }
643
644
sae_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)645 static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
646 {
647 u8 hash[SHA256_MAC_LEN];
648
649 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
650 addr, ETH_ALEN, hash) < 0)
651 return -1;
652 *idx = hash[0];
653 return 0;
654 }
655
656
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)657 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
658 const u8 *token, size_t token_len)
659 {
660 u8 mac[SHA256_MAC_LEN];
661 const u8 *addrs[2];
662 size_t len[2];
663 u16 token_idx;
664 u8 idx;
665
666 if (token_len != SHA256_MAC_LEN || sae_token_hash(hapd, addr, &idx) < 0)
667 return -1;
668 token_idx = hapd->sae_pending_token_idx[idx];
669 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
670 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
671 MACSTR " - token_idx 0x%04x, expected 0x%04x",
672 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
673 return -1;
674 }
675
676 addrs[0] = addr;
677 len[0] = ETH_ALEN;
678 addrs[1] = token;
679 len[1] = 2;
680 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
681 2, addrs, len, mac) < 0 ||
682 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
683 return -1;
684
685 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
686
687 return 0;
688 }
689
690
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)691 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
692 int group, const u8 *addr, int h2e)
693 {
694 struct wpabuf *buf;
695 u8 *token;
696 struct os_reltime now;
697 u8 idx[2];
698 const u8 *addrs[2];
699 size_t len[2];
700 u8 p_idx;
701 u16 token_idx;
702
703 os_get_reltime(&now);
704 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
705 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
706 hapd->sae_token_idx == 0xffff) {
707 if (random_get_bytes(hapd->sae_token_key,
708 sizeof(hapd->sae_token_key)) < 0)
709 return NULL;
710 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
711 hapd->sae_token_key, sizeof(hapd->sae_token_key));
712 hapd->last_sae_token_key_update = now;
713 hapd->sae_token_idx = 0;
714 os_memset(hapd->sae_pending_token_idx, 0,
715 sizeof(hapd->sae_pending_token_idx));
716 }
717
718 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
719 if (buf == NULL)
720 return NULL;
721
722 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
723
724 if (h2e) {
725 /* Encapsulate Anti-clogging Token field in a container IE */
726 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
727 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
728 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
729 }
730
731 if (sae_token_hash(hapd, addr, &p_idx) < 0) {
732 wpabuf_free(buf);
733 return NULL;
734 }
735 token_idx = hapd->sae_pending_token_idx[p_idx];
736 if (!token_idx) {
737 hapd->sae_token_idx++;
738 token_idx = hapd->sae_token_idx;
739 hapd->sae_pending_token_idx[p_idx] = token_idx;
740 }
741 WPA_PUT_BE16(idx, token_idx);
742 token = wpabuf_put(buf, SHA256_MAC_LEN);
743 addrs[0] = addr;
744 len[0] = ETH_ALEN;
745 addrs[1] = idx;
746 len[1] = sizeof(idx);
747 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
748 2, addrs, len, token) < 0) {
749 wpabuf_free(buf);
750 return NULL;
751 }
752 WPA_PUT_BE16(token, token_idx);
753
754 return buf;
755 }
756
757
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)758 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
759 {
760 if (sta->sae->sync > hapd->conf->sae_sync) {
761 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
762 sta->sae->sync = 0;
763 return -1;
764 }
765 return 0;
766 }
767
768
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)769 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
770 {
771 struct hostapd_data *hapd = eloop_ctx;
772 struct sta_info *sta = eloop_data;
773 int ret;
774
775 if (sae_check_big_sync(hapd, sta))
776 return;
777 sta->sae->sync++;
778 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
779 " (sync=%d state=%s)",
780 MAC2STR(sta->addr), sta->sae->sync,
781 sae_state_txt(sta->sae->state));
782
783 switch (sta->sae->state) {
784 case SAE_COMMITTED:
785 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
786 eloop_register_timeout(0,
787 hapd->dot11RSNASAERetransPeriod * 1000,
788 auth_sae_retransmit_timer, hapd, sta);
789 break;
790 case SAE_CONFIRMED:
791 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
792 eloop_register_timeout(0,
793 hapd->dot11RSNASAERetransPeriod * 1000,
794 auth_sae_retransmit_timer, hapd, sta);
795 break;
796 default:
797 ret = -1;
798 break;
799 }
800
801 if (ret != WLAN_STATUS_SUCCESS)
802 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
803 }
804
805
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)806 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
807 {
808 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
809 }
810
811
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)812 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
813 struct sta_info *sta)
814 {
815 if (!(hapd->conf->mesh & MESH_ENABLED))
816 return;
817
818 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
819 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
820 auth_sae_retransmit_timer, hapd, sta);
821 }
822
823
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)824 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
825 struct sta_info *sta, u16 status)
826 {
827 struct external_auth params;
828
829 os_memset(¶ms, 0, sizeof(params));
830 params.status = status;
831 params.bssid = sta->addr;
832 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
833 !hapd->conf->disable_pmksa_caching)
834 params.pmkid = sta->sae->pmkid;
835
836 hostapd_drv_send_external_auth_status(hapd, ¶ms);
837 }
838
839
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)840 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
841 {
842 #ifndef CONFIG_NO_VLAN
843 struct vlan_description vlan_desc;
844
845 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
846 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
847 " to VLAN ID %d",
848 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
849
850 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
851 vlan_desc.notempty = 1;
852 vlan_desc.untagged = sta->sae->tmp->vlan_id;
853 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
854 wpa_printf(MSG_INFO,
855 "Invalid VLAN ID %d in sae_password",
856 sta->sae->tmp->vlan_id);
857 return;
858 }
859
860 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
861 ap_sta_bind_vlan(hapd, sta) < 0) {
862 wpa_printf(MSG_INFO,
863 "Failed to assign VLAN ID %d from sae_password to "
864 MACSTR, sta->sae->tmp->vlan_id,
865 MAC2STR(sta->addr));
866 return;
867 }
868 }
869 #endif /* CONFIG_NO_VLAN */
870
871 sta->flags |= WLAN_STA_AUTH;
872 sta->auth_alg = WLAN_AUTH_SAE;
873 mlme_authenticate_indication(hapd, sta);
874 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
875 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
876 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
877 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
878 sta->sae->peer_commit_scalar = NULL;
879 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
880 sta->sae->pmk, sta->sae->pmkid);
881 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
882 }
883
884
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)885 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
886 const u8 *bssid, u16 auth_transaction, u16 status_code,
887 int allow_reuse, int *sta_removed)
888 {
889 int ret;
890
891 *sta_removed = 0;
892
893 if (auth_transaction != 1 && auth_transaction != 2)
894 return WLAN_STATUS_UNSPECIFIED_FAILURE;
895
896 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
897 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
898 auth_transaction);
899 switch (sta->sae->state) {
900 case SAE_NOTHING:
901 if (auth_transaction == 1) {
902 if (sta->sae->tmp)
903 sta->sae->tmp->h2e = status_code ==
904 WLAN_STATUS_SAE_HASH_TO_ELEMENT;
905 ret = auth_sae_send_commit(hapd, sta, bssid,
906 !allow_reuse, status_code);
907 if (ret)
908 return ret;
909 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
910
911 if (sae_process_commit(sta->sae) < 0)
912 return WLAN_STATUS_UNSPECIFIED_FAILURE;
913
914 /*
915 * In mesh case, both Commit and Confirm are sent
916 * immediately. In infrastructure BSS, by default, only
917 * a single Authentication frame (Commit) is expected
918 * from the AP here and the second one (Confirm) will
919 * be sent once the STA has sent its second
920 * Authentication frame (Confirm). This behavior can be
921 * overridden with explicit configuration so that the
922 * infrastructure BSS case sends both frames together.
923 */
924 if ((hapd->conf->mesh & MESH_ENABLED) ||
925 hapd->conf->sae_confirm_immediate) {
926 /*
927 * Send both Commit and Confirm immediately
928 * based on SAE finite state machine
929 * Nothing -> Confirm transition.
930 */
931 ret = auth_sae_send_confirm(hapd, sta, bssid);
932 if (ret)
933 return ret;
934 sae_set_state(sta, SAE_CONFIRMED,
935 "Sent Confirm (mesh)");
936 } else {
937 /*
938 * For infrastructure BSS, send only the Commit
939 * message now to get alternating sequence of
940 * Authentication frames between the AP and STA.
941 * Confirm will be sent in
942 * Committed -> Confirmed/Accepted transition
943 * when receiving Confirm from STA.
944 */
945 }
946 sta->sae->sync = 0;
947 sae_set_retransmit_timer(hapd, sta);
948 } else {
949 hostapd_logger(hapd, sta->addr,
950 HOSTAPD_MODULE_IEEE80211,
951 HOSTAPD_LEVEL_DEBUG,
952 "SAE confirm before commit");
953 }
954 break;
955 case SAE_COMMITTED:
956 sae_clear_retransmit_timer(hapd, sta);
957 if (auth_transaction == 1) {
958 if (sae_process_commit(sta->sae) < 0)
959 return WLAN_STATUS_UNSPECIFIED_FAILURE;
960
961 ret = auth_sae_send_confirm(hapd, sta, bssid);
962 if (ret)
963 return ret;
964 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
965 sta->sae->sync = 0;
966 sae_set_retransmit_timer(hapd, sta);
967 } else if (hapd->conf->mesh & MESH_ENABLED) {
968 /*
969 * In mesh case, follow SAE finite state machine and
970 * send Commit now, if sync count allows.
971 */
972 if (sae_check_big_sync(hapd, sta))
973 return WLAN_STATUS_SUCCESS;
974 sta->sae->sync++;
975
976 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
977 status_code);
978 if (ret)
979 return ret;
980
981 sae_set_retransmit_timer(hapd, sta);
982 } else {
983 /*
984 * For instructure BSS, send the postponed Confirm from
985 * Nothing -> Confirmed transition that was reduced to
986 * Nothing -> Committed above.
987 */
988 ret = auth_sae_send_confirm(hapd, sta, bssid);
989 if (ret)
990 return ret;
991
992 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
993
994 /*
995 * Since this was triggered on Confirm RX, run another
996 * step to get to Accepted without waiting for
997 * additional events.
998 */
999 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1000 WLAN_STATUS_SUCCESS, 0, sta_removed);
1001 }
1002 break;
1003 case SAE_CONFIRMED:
1004 sae_clear_retransmit_timer(hapd, sta);
1005 if (auth_transaction == 1) {
1006 if (sae_check_big_sync(hapd, sta))
1007 return WLAN_STATUS_SUCCESS;
1008 sta->sae->sync++;
1009
1010 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1011 status_code);
1012 if (ret)
1013 return ret;
1014
1015 if (sae_process_commit(sta->sae) < 0)
1016 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1017
1018 ret = auth_sae_send_confirm(hapd, sta, bssid);
1019 if (ret)
1020 return ret;
1021
1022 sae_set_retransmit_timer(hapd, sta);
1023 } else {
1024 sta->sae->send_confirm = 0xffff;
1025 sae_accept_sta(hapd, sta);
1026 }
1027 break;
1028 case SAE_ACCEPTED:
1029 if (auth_transaction == 1 &&
1030 (hapd->conf->mesh & MESH_ENABLED)) {
1031 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1032 ") doing reauthentication",
1033 MAC2STR(sta->addr));
1034 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1035 ap_free_sta(hapd, sta);
1036 *sta_removed = 1;
1037 } else if (auth_transaction == 1) {
1038 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1039 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1040 status_code);
1041 if (ret)
1042 return ret;
1043 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1044
1045 if (sae_process_commit(sta->sae) < 0)
1046 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1047 sta->sae->sync = 0;
1048 sae_set_retransmit_timer(hapd, sta);
1049 } else {
1050 if (sae_check_big_sync(hapd, sta))
1051 return WLAN_STATUS_SUCCESS;
1052 sta->sae->sync++;
1053
1054 ret = auth_sae_send_confirm(hapd, sta, bssid);
1055 sae_clear_temp_data(sta->sae);
1056 if (ret)
1057 return ret;
1058 }
1059 break;
1060 default:
1061 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1062 sta->sae->state);
1063 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1064 }
1065 return WLAN_STATUS_SUCCESS;
1066 }
1067
1068
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1069 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1070 {
1071 struct sae_data *sae = sta->sae;
1072 int i, *groups = hapd->conf->sae_groups;
1073 int default_groups[] = { 19, 0 };
1074
1075 if (sae->state != SAE_COMMITTED)
1076 return;
1077
1078 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1079
1080 if (!groups)
1081 groups = default_groups;
1082 for (i = 0; groups[i] > 0; i++) {
1083 if (sae->group == groups[i])
1084 break;
1085 }
1086
1087 if (groups[i] <= 0) {
1088 wpa_printf(MSG_DEBUG,
1089 "SAE: Previously selected group not found from the current configuration");
1090 return;
1091 }
1092
1093 for (;;) {
1094 i++;
1095 if (groups[i] <= 0) {
1096 wpa_printf(MSG_DEBUG,
1097 "SAE: No alternative group enabled");
1098 return;
1099 }
1100
1101 if (sae_set_group(sae, groups[i]) < 0)
1102 continue;
1103
1104 break;
1105 }
1106 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1107 }
1108
1109
sae_status_success(struct hostapd_data * hapd,u16 status_code)1110 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1111 {
1112 int sae_pwe = hapd->conf->sae_pwe;
1113 int id_in_use;
1114
1115 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1116 if (id_in_use == 2 && sae_pwe != 3)
1117 sae_pwe = 1;
1118 else if (id_in_use == 1 && sae_pwe == 0)
1119 sae_pwe = 2;
1120
1121 return ((sae_pwe == 0 || sae_pwe == 3) &&
1122 status_code == WLAN_STATUS_SUCCESS) ||
1123 (sae_pwe == 1 &&
1124 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) ||
1125 (sae_pwe == 2 &&
1126 (status_code == WLAN_STATUS_SUCCESS ||
1127 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT));
1128 }
1129
1130
sae_is_group_enabled(struct hostapd_data * hapd,int group)1131 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1132 {
1133 int *groups = hapd->conf->sae_groups;
1134 int default_groups[] = { 19, 0 };
1135 int i;
1136
1137 if (!groups)
1138 groups = default_groups;
1139
1140 for (i = 0; groups[i] > 0; i++) {
1141 if (groups[i] == group)
1142 return 1;
1143 }
1144
1145 return 0;
1146 }
1147
1148
check_sae_rejected_groups(struct hostapd_data * hapd,const struct wpabuf * groups)1149 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1150 const struct wpabuf *groups)
1151 {
1152 size_t i, count;
1153 const u8 *pos;
1154
1155 if (!groups)
1156 return 0;
1157
1158 pos = wpabuf_head(groups);
1159 count = wpabuf_len(groups) / 2;
1160 for (i = 0; i < count; i++) {
1161 int enabled;
1162 u16 group;
1163
1164 group = WPA_GET_LE16(pos);
1165 pos += 2;
1166 enabled = sae_is_group_enabled(hapd, group);
1167 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1168 group, enabled ? "enabled" : "disabled");
1169 if (enabled)
1170 return 1;
1171 }
1172
1173 return 0;
1174 }
1175
1176
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1177 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1178 const struct ieee80211_mgmt *mgmt, size_t len,
1179 u16 auth_transaction, u16 status_code)
1180 {
1181 int resp = WLAN_STATUS_SUCCESS;
1182 struct wpabuf *data = NULL;
1183 int *groups = hapd->conf->sae_groups;
1184 int default_groups[] = { 19, 0 };
1185 const u8 *pos, *end;
1186 int sta_removed = 0;
1187
1188 if (!groups)
1189 groups = default_groups;
1190
1191 #ifdef CONFIG_TESTING_OPTIONS
1192 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1193 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1194 pos = mgmt->u.auth.variable;
1195 end = ((const u8 *) mgmt) + len;
1196 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1197 auth_transaction, resp, pos, end - pos,
1198 "auth-sae-reflection-attack");
1199 goto remove_sta;
1200 }
1201
1202 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1203 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1204 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1205 auth_transaction, resp,
1206 wpabuf_head(hapd->conf->sae_commit_override),
1207 wpabuf_len(hapd->conf->sae_commit_override),
1208 "sae-commit-override");
1209 goto remove_sta;
1210 }
1211 #endif /* CONFIG_TESTING_OPTIONS */
1212 if (!sta->sae) {
1213 if (auth_transaction != 1 ||
1214 !sae_status_success(hapd, status_code)) {
1215 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1216 status_code);
1217 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1218 goto reply;
1219 }
1220 sta->sae = os_zalloc(sizeof(*sta->sae));
1221 if (!sta->sae) {
1222 resp = -1;
1223 goto remove_sta;
1224 }
1225 sae_set_state(sta, SAE_NOTHING, "Init");
1226 sta->sae->sync = 0;
1227 }
1228
1229 if (sta->mesh_sae_pmksa_caching) {
1230 wpa_printf(MSG_DEBUG,
1231 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1232 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1233 sta->mesh_sae_pmksa_caching = 0;
1234 }
1235
1236 if (auth_transaction == 1) {
1237 const u8 *token = NULL;
1238 size_t token_len = 0;
1239 int allow_reuse = 0;
1240
1241 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1242 HOSTAPD_LEVEL_DEBUG,
1243 "start SAE authentication (RX commit, status=%u (%s))",
1244 status_code, status2str(status_code));
1245
1246 if ((hapd->conf->mesh & MESH_ENABLED) &&
1247 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1248 sta->sae->tmp) {
1249 pos = mgmt->u.auth.variable;
1250 end = ((const u8 *) mgmt) + len;
1251 if (pos + sizeof(le16) > end) {
1252 wpa_printf(MSG_ERROR,
1253 "SAE: Too short anti-clogging token request");
1254 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1255 goto reply;
1256 }
1257 resp = sae_group_allowed(sta->sae, groups,
1258 WPA_GET_LE16(pos));
1259 if (resp != WLAN_STATUS_SUCCESS) {
1260 wpa_printf(MSG_ERROR,
1261 "SAE: Invalid group in anti-clogging token request");
1262 goto reply;
1263 }
1264 pos += sizeof(le16);
1265
1266 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1267 sta->sae->tmp->anti_clogging_token =
1268 wpabuf_alloc_copy(pos, end - pos);
1269 if (sta->sae->tmp->anti_clogging_token == NULL) {
1270 wpa_printf(MSG_ERROR,
1271 "SAE: Failed to alloc for anti-clogging token");
1272 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1273 goto remove_sta;
1274 }
1275
1276 /*
1277 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1278 * is 76, a new Commit Message shall be constructed
1279 * with the Anti-Clogging Token from the received
1280 * Authentication frame, and the commit-scalar and
1281 * COMMIT-ELEMENT previously sent.
1282 */
1283 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1284 status_code);
1285 if (resp != WLAN_STATUS_SUCCESS) {
1286 wpa_printf(MSG_ERROR,
1287 "SAE: Failed to send commit message");
1288 goto remove_sta;
1289 }
1290 sae_set_state(sta, SAE_COMMITTED,
1291 "Sent Commit (anti-clogging token case in mesh)");
1292 sta->sae->sync = 0;
1293 sae_set_retransmit_timer(hapd, sta);
1294 return;
1295 }
1296
1297 if ((hapd->conf->mesh & MESH_ENABLED) &&
1298 status_code ==
1299 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1300 sta->sae->tmp) {
1301 wpa_printf(MSG_DEBUG,
1302 "SAE: Peer did not accept our SAE group");
1303 sae_pick_next_group(hapd, sta);
1304 goto remove_sta;
1305 }
1306
1307 if (!sae_status_success(hapd, status_code))
1308 goto remove_sta;
1309
1310 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1311 sta->sae->state == SAE_COMMITTED) {
1312 /* This is needed in the infrastructure BSS case to
1313 * address a sequence where a STA entry may remain in
1314 * hostapd across two attempts to do SAE authentication
1315 * by the same STA. The second attempt may end up trying
1316 * to use a different group and that would not be
1317 * allowed if we remain in Committed state with the
1318 * previously set parameters. */
1319 pos = mgmt->u.auth.variable;
1320 end = ((const u8 *) mgmt) + len;
1321 if (end - pos >= (int) sizeof(le16) &&
1322 sae_group_allowed(sta->sae, groups,
1323 WPA_GET_LE16(pos)) ==
1324 WLAN_STATUS_SUCCESS) {
1325 /* Do not waste resources deriving the same PWE
1326 * again since the same group is reused. */
1327 sae_set_state(sta, SAE_NOTHING,
1328 "Allow previous PWE to be reused");
1329 allow_reuse = 1;
1330 } else {
1331 sae_set_state(sta, SAE_NOTHING,
1332 "Clear existing state to allow restart");
1333 sae_clear_data(sta->sae);
1334 }
1335 }
1336
1337 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1338 ((const u8 *) mgmt) + len -
1339 mgmt->u.auth.variable, &token,
1340 &token_len, groups, status_code ==
1341 WLAN_STATUS_SAE_HASH_TO_ELEMENT);
1342 if (resp == SAE_SILENTLY_DISCARD) {
1343 wpa_printf(MSG_DEBUG,
1344 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1345 MAC2STR(sta->addr));
1346 goto remove_sta;
1347 }
1348
1349 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1350 wpa_msg(hapd->msg_ctx, MSG_INFO,
1351 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1352 MACSTR, MAC2STR(sta->addr));
1353 sae_clear_retransmit_timer(hapd, sta);
1354 sae_set_state(sta, SAE_NOTHING,
1355 "Unknown Password Identifier");
1356 goto remove_sta;
1357 }
1358
1359 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1360 < 0) {
1361 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1362 "incorrect token from " MACSTR,
1363 MAC2STR(sta->addr));
1364 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1365 goto remove_sta;
1366 }
1367
1368 if (resp != WLAN_STATUS_SUCCESS)
1369 goto reply;
1370
1371 if (sta->sae->tmp &&
1372 check_sae_rejected_groups(
1373 hapd, sta->sae->tmp->peer_rejected_groups)) {
1374 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1375 goto reply;
1376 }
1377
1378 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1379 int h2e = 0;
1380
1381 wpa_printf(MSG_DEBUG,
1382 "SAE: Request anti-clogging token from "
1383 MACSTR, MAC2STR(sta->addr));
1384 if (sta->sae->tmp)
1385 h2e = sta->sae->tmp->h2e;
1386 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT)
1387 h2e = 1;
1388 data = auth_build_token_req(hapd, sta->sae->group,
1389 sta->addr, h2e);
1390 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1391 if (hapd->conf->mesh & MESH_ENABLED)
1392 sae_set_state(sta, SAE_NOTHING,
1393 "Request anti-clogging token case in mesh");
1394 goto reply;
1395 }
1396
1397 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1398 status_code, allow_reuse, &sta_removed);
1399 } else if (auth_transaction == 2) {
1400 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1401 HOSTAPD_LEVEL_DEBUG,
1402 "SAE authentication (RX confirm, status=%u (%s))",
1403 status_code, status2str(status_code));
1404 if (status_code != WLAN_STATUS_SUCCESS)
1405 goto remove_sta;
1406 if (sta->sae->state >= SAE_CONFIRMED ||
1407 !(hapd->conf->mesh & MESH_ENABLED)) {
1408 const u8 *var;
1409 size_t var_len;
1410 u16 peer_send_confirm;
1411
1412 var = mgmt->u.auth.variable;
1413 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1414 if (var_len < 2) {
1415 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1416 goto reply;
1417 }
1418
1419 peer_send_confirm = WPA_GET_LE16(var);
1420
1421 if (sta->sae->state == SAE_ACCEPTED &&
1422 (peer_send_confirm <= sta->sae->rc ||
1423 peer_send_confirm == 0xffff)) {
1424 wpa_printf(MSG_DEBUG,
1425 "SAE: Silently ignore unexpected Confirm from peer "
1426 MACSTR
1427 " (peer-send-confirm=%u Rc=%u)",
1428 MAC2STR(sta->addr),
1429 peer_send_confirm, sta->sae->rc);
1430 return;
1431 }
1432
1433 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1434 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1435 goto reply;
1436 }
1437 sta->sae->rc = peer_send_confirm;
1438 }
1439 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1440 status_code, 0, &sta_removed);
1441 } else {
1442 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1443 HOSTAPD_LEVEL_DEBUG,
1444 "unexpected SAE authentication transaction %u (status=%u (%s))",
1445 auth_transaction, status_code,
1446 status2str(status_code));
1447 if (status_code != WLAN_STATUS_SUCCESS)
1448 goto remove_sta;
1449 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1450 }
1451
1452 reply:
1453 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1454 pos = mgmt->u.auth.variable;
1455 end = ((const u8 *) mgmt) + len;
1456
1457 /* Copy the Finite Cyclic Group field from the request if we
1458 * rejected it as unsupported group. */
1459 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1460 !data && end - pos >= 2)
1461 data = wpabuf_alloc_copy(pos, 2);
1462
1463 sae_sme_send_external_auth_status(hapd, sta, resp);
1464 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1465 auth_transaction, resp,
1466 data ? wpabuf_head(data) : (u8 *) "",
1467 data ? wpabuf_len(data) : 0, "auth-sae");
1468 }
1469
1470 remove_sta:
1471 if (!sta_removed && sta->added_unassoc &&
1472 (resp != WLAN_STATUS_SUCCESS ||
1473 status_code != WLAN_STATUS_SUCCESS)) {
1474 hostapd_drv_sta_remove(hapd, sta->addr);
1475 sta->added_unassoc = 0;
1476 }
1477 wpabuf_free(data);
1478 }
1479
1480
1481 /**
1482 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1483 * @hapd: BSS data for the device initiating the authentication
1484 * @sta: the peer to which commit authentication frame is sent
1485 *
1486 * This function implements Init event handling (IEEE Std 802.11-2012,
1487 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1488 * sta->sae structure should be initialized appropriately via a call to
1489 * sae_prepare_commit().
1490 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1491 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1492 {
1493 int ret;
1494
1495 if (!sta->sae || !sta->sae->tmp)
1496 return -1;
1497
1498 if (sta->sae->state != SAE_NOTHING)
1499 return -1;
1500
1501 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1502 if (ret)
1503 return -1;
1504
1505 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1506 sta->sae->sync = 0;
1507 sae_set_retransmit_timer(hapd, sta);
1508
1509 return 0;
1510 }
1511
1512
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1513 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1514 {
1515 struct hostapd_data *hapd = eloop_ctx;
1516 struct hostapd_sae_commit_queue *q;
1517 unsigned int queue_len;
1518
1519 q = dl_list_first(&hapd->sae_commit_queue,
1520 struct hostapd_sae_commit_queue, list);
1521 if (!q)
1522 return;
1523 wpa_printf(MSG_DEBUG,
1524 "SAE: Process next available message from queue");
1525 dl_list_del(&q->list);
1526 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1527 q->rssi, 1);
1528 os_free(q);
1529
1530 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1531 return;
1532 queue_len = dl_list_len(&hapd->sae_commit_queue);
1533 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1534 hapd, NULL);
1535 }
1536
1537
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1538 static void auth_sae_queue(struct hostapd_data *hapd,
1539 const struct ieee80211_mgmt *mgmt, size_t len,
1540 int rssi)
1541 {
1542 struct hostapd_sae_commit_queue *q, *q2;
1543 unsigned int queue_len;
1544 const struct ieee80211_mgmt *mgmt2;
1545
1546 queue_len = dl_list_len(&hapd->sae_commit_queue);
1547 if (queue_len >= 15) {
1548 wpa_printf(MSG_DEBUG,
1549 "SAE: No more room in message queue - drop the new frame from "
1550 MACSTR, MAC2STR(mgmt->sa));
1551 return;
1552 }
1553
1554 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1555 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1556 queue_len);
1557 q = os_zalloc(sizeof(*q) + len);
1558 if (!q)
1559 return;
1560 q->rssi = rssi;
1561 q->len = len;
1562 os_memcpy(q->msg, mgmt, len);
1563
1564 /* Check whether there is already a queued Authentication frame from the
1565 * same station with the same transaction number and if so, replace that
1566 * queue entry with the new one. This avoids issues with a peer that
1567 * sends multiple times (e.g., due to frequent SAE retries). There is no
1568 * point in us trying to process the old attempts after a new one has
1569 * obsoleted them. */
1570 dl_list_for_each(q2, &hapd->sae_commit_queue,
1571 struct hostapd_sae_commit_queue, list) {
1572 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1573 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1574 mgmt->u.auth.auth_transaction ==
1575 mgmt2->u.auth.auth_transaction) {
1576 wpa_printf(MSG_DEBUG,
1577 "SAE: Replace queued message from same STA with same transaction number");
1578 dl_list_add(&q2->list, &q->list);
1579 dl_list_del(&q2->list);
1580 os_free(q2);
1581 goto queued;
1582 }
1583 }
1584
1585 /* No pending identical entry, so add to the end of the queue */
1586 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1587
1588 queued:
1589 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1590 return;
1591 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1592 hapd, NULL);
1593 }
1594
1595
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1596 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1597 {
1598 struct hostapd_sae_commit_queue *q;
1599 const struct ieee80211_mgmt *mgmt;
1600
1601 dl_list_for_each(q, &hapd->sae_commit_queue,
1602 struct hostapd_sae_commit_queue, list) {
1603 mgmt = (const struct ieee80211_mgmt *) q->msg;
1604 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1605 return 1;
1606 }
1607
1608 return 0;
1609 }
1610
1611 #endif /* CONFIG_SAE */
1612
1613
wpa_res_to_status_code(enum wpa_validate_result res)1614 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1615 {
1616 switch (res) {
1617 case WPA_IE_OK:
1618 return WLAN_STATUS_SUCCESS;
1619 case WPA_INVALID_IE:
1620 return WLAN_STATUS_INVALID_IE;
1621 case WPA_INVALID_GROUP:
1622 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1623 case WPA_INVALID_PAIRWISE:
1624 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1625 case WPA_INVALID_AKMP:
1626 return WLAN_STATUS_AKMP_NOT_VALID;
1627 case WPA_NOT_ENABLED:
1628 return WLAN_STATUS_INVALID_IE;
1629 case WPA_ALLOC_FAIL:
1630 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1631 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1632 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1633 case WPA_INVALID_MGMT_GROUP_CIPHER:
1634 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1635 case WPA_INVALID_MDIE:
1636 return WLAN_STATUS_INVALID_MDIE;
1637 case WPA_INVALID_PROTO:
1638 return WLAN_STATUS_INVALID_IE;
1639 case WPA_INVALID_PMKID:
1640 return WLAN_STATUS_INVALID_PMKID;
1641 case WPA_DENIED_OTHER_REASON:
1642 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1643 }
1644 return WLAN_STATUS_INVALID_IE;
1645 }
1646
1647
1648 #ifdef CONFIG_FILS
1649
1650 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1651 struct sta_info *sta, u16 resp,
1652 struct wpabuf *data, int pub);
1653
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1654 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1655 const u8 *pos, size_t len, u16 auth_alg,
1656 u16 auth_transaction, u16 status_code,
1657 void (*cb)(struct hostapd_data *hapd,
1658 struct sta_info *sta, u16 resp,
1659 struct wpabuf *data, int pub))
1660 {
1661 u16 resp = WLAN_STATUS_SUCCESS;
1662 const u8 *end;
1663 struct ieee802_11_elems elems;
1664 enum wpa_validate_result res;
1665 struct wpa_ie_data rsn;
1666 struct rsn_pmksa_cache_entry *pmksa = NULL;
1667
1668 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1669 return;
1670
1671 end = pos + len;
1672
1673 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1674 pos, end - pos);
1675
1676 /* TODO: FILS PK */
1677 #ifdef CONFIG_FILS_SK_PFS
1678 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1679 u16 group;
1680 struct wpabuf *pub;
1681 size_t elem_len;
1682
1683 /* Using FILS PFS */
1684
1685 /* Finite Cyclic Group */
1686 if (end - pos < 2) {
1687 wpa_printf(MSG_DEBUG,
1688 "FILS: No room for Finite Cyclic Group");
1689 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1690 goto fail;
1691 }
1692 group = WPA_GET_LE16(pos);
1693 pos += 2;
1694 if (group != hapd->conf->fils_dh_group) {
1695 wpa_printf(MSG_DEBUG,
1696 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1697 group, hapd->conf->fils_dh_group);
1698 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1699 goto fail;
1700 }
1701
1702 crypto_ecdh_deinit(sta->fils_ecdh);
1703 sta->fils_ecdh = crypto_ecdh_init(group);
1704 if (!sta->fils_ecdh) {
1705 wpa_printf(MSG_INFO,
1706 "FILS: Could not initialize ECDH with group %d",
1707 group);
1708 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1709 goto fail;
1710 }
1711
1712 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1713 if (!pub) {
1714 wpa_printf(MSG_DEBUG,
1715 "FILS: Failed to derive ECDH public key");
1716 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1717 goto fail;
1718 }
1719 elem_len = wpabuf_len(pub);
1720 wpabuf_free(pub);
1721
1722 /* Element */
1723 if ((size_t) (end - pos) < elem_len) {
1724 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1725 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1726 goto fail;
1727 }
1728
1729 wpabuf_free(sta->fils_g_sta);
1730 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1731 wpabuf_clear_free(sta->fils_dh_ss);
1732 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1733 pos, elem_len);
1734 if (!sta->fils_dh_ss) {
1735 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1736 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1737 goto fail;
1738 }
1739 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1740 pos += elem_len;
1741 } else {
1742 crypto_ecdh_deinit(sta->fils_ecdh);
1743 sta->fils_ecdh = NULL;
1744 wpabuf_clear_free(sta->fils_dh_ss);
1745 sta->fils_dh_ss = NULL;
1746 }
1747 #endif /* CONFIG_FILS_SK_PFS */
1748
1749 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1750 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1751 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1752 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1753 goto fail;
1754 }
1755
1756 /* RSNE */
1757 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1758 elems.rsn_ie, elems.rsn_ie_len);
1759 if (!elems.rsn_ie ||
1760 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1761 &rsn) < 0) {
1762 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1763 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1764 goto fail;
1765 }
1766
1767 if (!sta->wpa_sm)
1768 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1769 NULL);
1770 if (!sta->wpa_sm) {
1771 wpa_printf(MSG_DEBUG,
1772 "FILS: Failed to initialize RSN state machine");
1773 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1774 goto fail;
1775 }
1776
1777 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1778 hapd->iface->freq,
1779 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1780 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1781 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1782 elems.mdie, elems.mdie_len, NULL, 0);
1783 resp = wpa_res_to_status_code(res);
1784 if (resp != WLAN_STATUS_SUCCESS)
1785 goto fail;
1786
1787 if (!elems.fils_nonce) {
1788 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1789 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1790 goto fail;
1791 }
1792 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1793 FILS_NONCE_LEN);
1794 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1795
1796 /* PMKID List */
1797 if (rsn.pmkid && rsn.num_pmkid > 0) {
1798 u8 num;
1799 const u8 *pmkid;
1800
1801 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1802 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1803
1804 pmkid = rsn.pmkid;
1805 num = rsn.num_pmkid;
1806 while (num) {
1807 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1808 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1809 pmkid);
1810 if (pmksa)
1811 break;
1812 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1813 sta->addr,
1814 pmkid);
1815 if (pmksa)
1816 break;
1817 pmkid += PMKID_LEN;
1818 num--;
1819 }
1820 }
1821 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1822 wpa_printf(MSG_DEBUG,
1823 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1824 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1825 pmksa = NULL;
1826 }
1827 if (pmksa)
1828 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1829
1830 /* FILS Session */
1831 if (!elems.fils_session) {
1832 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1833 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1834 goto fail;
1835 }
1836 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1837 FILS_SESSION_LEN);
1838 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1839
1840 /* Wrapped Data */
1841 if (elems.wrapped_data) {
1842 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1843 elems.wrapped_data,
1844 elems.wrapped_data_len);
1845 if (!pmksa) {
1846 #ifndef CONFIG_NO_RADIUS
1847 if (!sta->eapol_sm) {
1848 sta->eapol_sm =
1849 ieee802_1x_alloc_eapol_sm(hapd, sta);
1850 }
1851 wpa_printf(MSG_DEBUG,
1852 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1853 ieee802_1x_encapsulate_radius(
1854 hapd, sta, elems.wrapped_data,
1855 elems.wrapped_data_len);
1856 sta->fils_pending_cb = cb;
1857 wpa_printf(MSG_DEBUG,
1858 "FILS: Will send Authentication frame once the response from authentication server is available");
1859 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1860 /* Calculate pending PMKID here so that we do not need
1861 * to maintain a copy of the EAP-Initiate/Reauth
1862 * message. */
1863 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1864 elems.wrapped_data,
1865 elems.wrapped_data_len,
1866 sta->fils_erp_pmkid) == 0)
1867 sta->fils_erp_pmkid_set = 1;
1868 return;
1869 #else /* CONFIG_NO_RADIUS */
1870 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1871 goto fail;
1872 #endif /* CONFIG_NO_RADIUS */
1873 }
1874 }
1875
1876 fail:
1877 if (cb) {
1878 struct wpabuf *data;
1879 int pub = 0;
1880
1881 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1882 NULL, 0, &pub);
1883 if (!data) {
1884 wpa_printf(MSG_DEBUG,
1885 "%s: prepare_auth_resp_fils() returned failure",
1886 __func__);
1887 }
1888
1889 cb(hapd, sta, resp, data, pub);
1890 }
1891 }
1892
1893
1894 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1895 prepare_auth_resp_fils(struct hostapd_data *hapd,
1896 struct sta_info *sta, u16 *resp,
1897 struct rsn_pmksa_cache_entry *pmksa,
1898 struct wpabuf *erp_resp,
1899 const u8 *msk, size_t msk_len,
1900 int *is_pub)
1901 {
1902 u8 fils_nonce[FILS_NONCE_LEN];
1903 size_t ielen;
1904 struct wpabuf *data = NULL;
1905 const u8 *ie;
1906 u8 *ie_buf = NULL;
1907 const u8 *pmk = NULL;
1908 size_t pmk_len = 0;
1909 u8 pmk_buf[PMK_LEN_MAX];
1910 struct wpabuf *pub = NULL;
1911
1912 if (*resp != WLAN_STATUS_SUCCESS)
1913 goto fail;
1914
1915 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1916 if (!ie) {
1917 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1918 goto fail;
1919 }
1920
1921 if (pmksa) {
1922 /* Add PMKID of the selected PMKSA into RSNE */
1923 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1924 if (!ie_buf) {
1925 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1926 goto fail;
1927 }
1928
1929 os_memcpy(ie_buf, ie, ielen);
1930 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1931 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1932 goto fail;
1933 }
1934 ie = ie_buf;
1935 }
1936
1937 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1938 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1939 goto fail;
1940 }
1941 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1942 fils_nonce, FILS_NONCE_LEN);
1943
1944 #ifdef CONFIG_FILS_SK_PFS
1945 if (sta->fils_dh_ss && sta->fils_ecdh) {
1946 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1947 if (!pub) {
1948 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1949 goto fail;
1950 }
1951 }
1952 #endif /* CONFIG_FILS_SK_PFS */
1953
1954 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1955 if (!data) {
1956 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1957 goto fail;
1958 }
1959
1960 /* TODO: FILS PK */
1961 #ifdef CONFIG_FILS_SK_PFS
1962 if (pub) {
1963 /* Finite Cyclic Group */
1964 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1965
1966 /* Element */
1967 wpabuf_put_buf(data, pub);
1968 }
1969 #endif /* CONFIG_FILS_SK_PFS */
1970
1971 /* RSNE */
1972 wpabuf_put_data(data, ie, ielen);
1973
1974 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1975
1976 #ifdef CONFIG_IEEE80211R_AP
1977 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1978 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1979 int res;
1980 int use_sha384 = wpa_key_mgmt_sha384(
1981 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1982
1983 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1984 wpabuf_put(data, 0),
1985 wpabuf_tailroom(data));
1986 if (res < 0) {
1987 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1988 goto fail;
1989 }
1990 wpabuf_put(data, res);
1991 }
1992 #endif /* CONFIG_IEEE80211R_AP */
1993
1994 /* FILS Nonce */
1995 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1996 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1997 /* Element ID Extension */
1998 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1999 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2000
2001 /* FILS Session */
2002 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2003 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2004 /* Element ID Extension */
2005 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2006 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2007
2008 /* Wrapped Data */
2009 if (!pmksa && erp_resp) {
2010 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2011 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2012 /* Element ID Extension */
2013 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2014 wpabuf_put_buf(data, erp_resp);
2015
2016 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2017 msk, msk_len, sta->fils_snonce, fils_nonce,
2018 sta->fils_dh_ss ?
2019 wpabuf_head(sta->fils_dh_ss) : NULL,
2020 sta->fils_dh_ss ?
2021 wpabuf_len(sta->fils_dh_ss) : 0,
2022 pmk_buf, &pmk_len)) {
2023 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2024 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2025 wpabuf_free(data);
2026 data = NULL;
2027 goto fail;
2028 }
2029 pmk = pmk_buf;
2030
2031 /* Don't use DHss in PTK derivation if PMKSA caching is not
2032 * used. */
2033 wpabuf_clear_free(sta->fils_dh_ss);
2034 sta->fils_dh_ss = NULL;
2035
2036 if (sta->fils_erp_pmkid_set) {
2037 /* TODO: get PMKLifetime from WPA parameters */
2038 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2039 int session_timeout;
2040
2041 session_timeout = dot11RSNAConfigPMKLifetime;
2042 if (sta->session_timeout_set) {
2043 struct os_reltime now, diff;
2044
2045 os_get_reltime(&now);
2046 os_reltime_sub(&sta->session_timeout, &now,
2047 &diff);
2048 session_timeout = diff.sec;
2049 }
2050
2051 sta->fils_erp_pmkid_set = 0;
2052 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2053 sta->fils_erp_pmkid);
2054 if (!hapd->conf->disable_pmksa_caching &&
2055 wpa_auth_pmksa_add2(
2056 hapd->wpa_auth, sta->addr,
2057 pmk, pmk_len,
2058 sta->fils_erp_pmkid,
2059 session_timeout,
2060 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2061 wpa_printf(MSG_ERROR,
2062 "FILS: Failed to add PMKSA cache entry based on ERP");
2063 }
2064 }
2065 } else if (pmksa) {
2066 pmk = pmksa->pmk;
2067 pmk_len = pmksa->pmk_len;
2068 }
2069
2070 if (!pmk) {
2071 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2072 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2073 wpabuf_free(data);
2074 data = NULL;
2075 goto fail;
2076 }
2077
2078 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2079 sta->fils_snonce, fils_nonce,
2080 sta->fils_dh_ss ?
2081 wpabuf_head(sta->fils_dh_ss) : NULL,
2082 sta->fils_dh_ss ?
2083 wpabuf_len(sta->fils_dh_ss) : 0,
2084 sta->fils_g_sta, pub) < 0) {
2085 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2086 wpabuf_free(data);
2087 data = NULL;
2088 goto fail;
2089 }
2090
2091 fail:
2092 if (is_pub)
2093 *is_pub = pub != NULL;
2094 os_free(ie_buf);
2095 wpabuf_free(pub);
2096 wpabuf_clear_free(sta->fils_dh_ss);
2097 sta->fils_dh_ss = NULL;
2098 #ifdef CONFIG_FILS_SK_PFS
2099 crypto_ecdh_deinit(sta->fils_ecdh);
2100 sta->fils_ecdh = NULL;
2101 #endif /* CONFIG_FILS_SK_PFS */
2102 return data;
2103 }
2104
2105
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2106 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2107 struct sta_info *sta, u16 resp,
2108 struct wpabuf *data, int pub)
2109 {
2110 u16 auth_alg;
2111
2112 auth_alg = (pub ||
2113 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2114 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2115 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2116 data ? wpabuf_head(data) : (u8 *) "",
2117 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2118 wpabuf_free(data);
2119
2120 if (resp == WLAN_STATUS_SUCCESS) {
2121 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2122 HOSTAPD_LEVEL_DEBUG,
2123 "authentication OK (FILS)");
2124 sta->flags |= WLAN_STA_AUTH;
2125 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2126 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2127 mlme_authenticate_indication(hapd, sta);
2128 }
2129 }
2130
2131
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2132 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2133 struct sta_info *sta, int success,
2134 struct wpabuf *erp_resp,
2135 const u8 *msk, size_t msk_len)
2136 {
2137 struct wpabuf *data;
2138 int pub = 0;
2139 u16 resp;
2140
2141 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2142
2143 if (!sta->fils_pending_cb)
2144 return;
2145 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2146 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2147 msk, msk_len, &pub);
2148 if (!data) {
2149 wpa_printf(MSG_DEBUG,
2150 "%s: prepare_auth_resp_fils() returned failure",
2151 __func__);
2152 }
2153 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2154 }
2155
2156 #endif /* CONFIG_FILS */
2157
2158
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2159 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2160 const u8 *msg, size_t len,
2161 struct radius_sta *info)
2162 {
2163 int res;
2164
2165 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2166
2167 if (res == HOSTAPD_ACL_REJECT) {
2168 wpa_printf(MSG_DEBUG, "Station " MACSTR
2169 " not allowed to authenticate",
2170 MAC2STR(addr));
2171 return HOSTAPD_ACL_REJECT;
2172 }
2173
2174 if (res == HOSTAPD_ACL_PENDING) {
2175 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2176 " waiting for an external authentication",
2177 MAC2STR(addr));
2178 /* Authentication code will re-send the authentication frame
2179 * after it has received (and cached) information from the
2180 * external source. */
2181 return HOSTAPD_ACL_PENDING;
2182 }
2183
2184 return res;
2185 }
2186
2187
2188 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2189 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2190 int res, struct radius_sta *info)
2191 {
2192 u32 session_timeout = info->session_timeout;
2193 u32 acct_interim_interval = info->acct_interim_interval;
2194 struct vlan_description *vlan_id = &info->vlan_id;
2195 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2196 char *identity = info->identity;
2197 char *radius_cui = info->radius_cui;
2198
2199 if (vlan_id->notempty &&
2200 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2201 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2202 HOSTAPD_LEVEL_INFO,
2203 "Invalid VLAN %d%s received from RADIUS server",
2204 vlan_id->untagged,
2205 vlan_id->tagged[0] ? "+" : "");
2206 return -1;
2207 }
2208 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2209 return -1;
2210 if (sta->vlan_id)
2211 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2212 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2213
2214 hostapd_free_psk_list(sta->psk);
2215 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2216 hostapd_copy_psk_list(&sta->psk, psk);
2217 else
2218 sta->psk = NULL;
2219
2220 os_free(sta->identity);
2221 if (identity)
2222 sta->identity = os_strdup(identity);
2223 else
2224 sta->identity = NULL;
2225
2226 os_free(sta->radius_cui);
2227 if (radius_cui)
2228 sta->radius_cui = os_strdup(radius_cui);
2229 else
2230 sta->radius_cui = NULL;
2231
2232 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2233 sta->acct_interim_interval = acct_interim_interval;
2234 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2235 sta->session_timeout_set = 1;
2236 os_get_reltime(&sta->session_timeout);
2237 sta->session_timeout.sec += session_timeout;
2238 ap_sta_session_timeout(hapd, sta, session_timeout);
2239 } else {
2240 sta->session_timeout_set = 0;
2241 ap_sta_no_session_timeout(hapd, sta);
2242 }
2243
2244 return 0;
2245 }
2246
2247
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)2248 static void handle_auth(struct hostapd_data *hapd,
2249 const struct ieee80211_mgmt *mgmt, size_t len,
2250 int rssi, int from_queue)
2251 {
2252 u16 auth_alg, auth_transaction, status_code;
2253 u16 resp = WLAN_STATUS_SUCCESS;
2254 struct sta_info *sta = NULL;
2255 int res, reply_res;
2256 u16 fc;
2257 const u8 *challenge = NULL;
2258 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2259 size_t resp_ies_len = 0;
2260 u16 seq_ctrl;
2261 struct radius_sta rad_info;
2262
2263 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2264 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2265 (unsigned long) len);
2266 return;
2267 }
2268
2269 #ifdef CONFIG_TESTING_OPTIONS
2270 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2271 drand48() < hapd->iconf->ignore_auth_probability) {
2272 wpa_printf(MSG_INFO,
2273 "TESTING: ignoring auth frame from " MACSTR,
2274 MAC2STR(mgmt->sa));
2275 return;
2276 }
2277 #endif /* CONFIG_TESTING_OPTIONS */
2278
2279 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2280 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2281 status_code = le_to_host16(mgmt->u.auth.status_code);
2282 fc = le_to_host16(mgmt->frame_control);
2283 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2284
2285 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2286 2 + WLAN_AUTH_CHALLENGE_LEN &&
2287 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2288 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2289 challenge = &mgmt->u.auth.variable[2];
2290
2291 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2292 "auth_transaction=%d status_code=%d wep=%d%s "
2293 "seq_ctrl=0x%x%s%s",
2294 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2295 status_code, !!(fc & WLAN_FC_ISWEP),
2296 challenge ? " challenge" : "",
2297 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2298 from_queue ? " (from queue)" : "");
2299
2300 #ifdef CONFIG_NO_RC4
2301 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2302 wpa_printf(MSG_INFO,
2303 "Unsupported authentication algorithm (%d)",
2304 auth_alg);
2305 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2306 goto fail;
2307 }
2308 #endif /* CONFIG_NO_RC4 */
2309
2310 if (hapd->tkip_countermeasures) {
2311 wpa_printf(MSG_DEBUG,
2312 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2313 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2314 goto fail;
2315 }
2316
2317 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2318 auth_alg == WLAN_AUTH_OPEN) ||
2319 #ifdef CONFIG_IEEE80211R_AP
2320 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2321 auth_alg == WLAN_AUTH_FT) ||
2322 #endif /* CONFIG_IEEE80211R_AP */
2323 #ifdef CONFIG_SAE
2324 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2325 auth_alg == WLAN_AUTH_SAE) ||
2326 #endif /* CONFIG_SAE */
2327 #ifdef CONFIG_FILS
2328 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2329 auth_alg == WLAN_AUTH_FILS_SK) ||
2330 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2331 hapd->conf->fils_dh_group &&
2332 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2333 #endif /* CONFIG_FILS */
2334 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2335 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2336 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2337 auth_alg);
2338 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2339 goto fail;
2340 }
2341
2342 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2343 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2344 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2345 auth_transaction);
2346 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2347 goto fail;
2348 }
2349
2350 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2351 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2352 MAC2STR(mgmt->sa));
2353 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2354 goto fail;
2355 }
2356
2357 if (hapd->conf->no_auth_if_seen_on) {
2358 struct hostapd_data *other;
2359
2360 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2361 hapd->conf->no_auth_if_seen_on);
2362 if (other) {
2363 u8 *pos;
2364 u32 info;
2365 u8 op_class, channel, phytype;
2366
2367 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2368 MACSTR " since STA has been seen on %s",
2369 hapd->conf->iface, MAC2STR(mgmt->sa),
2370 hapd->conf->no_auth_if_seen_on);
2371
2372 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2373 pos = &resp_ies[0];
2374 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2375 *pos++ = 13;
2376 os_memcpy(pos, other->own_addr, ETH_ALEN);
2377 pos += ETH_ALEN;
2378 info = 0; /* TODO: BSSID Information */
2379 WPA_PUT_LE32(pos, info);
2380 pos += 4;
2381 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2382 phytype = 8; /* dmg */
2383 else if (other->iconf->ieee80211ac)
2384 phytype = 9; /* vht */
2385 else if (other->iconf->ieee80211n)
2386 phytype = 7; /* ht */
2387 else if (other->iconf->hw_mode ==
2388 HOSTAPD_MODE_IEEE80211A)
2389 phytype = 4; /* ofdm */
2390 else if (other->iconf->hw_mode ==
2391 HOSTAPD_MODE_IEEE80211G)
2392 phytype = 6; /* erp */
2393 else
2394 phytype = 5; /* hrdsss */
2395 if (ieee80211_freq_to_channel_ext(
2396 hostapd_hw_get_freq(other,
2397 other->iconf->channel),
2398 other->iconf->secondary_channel,
2399 other->iconf->ieee80211ac,
2400 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2401 op_class = 0;
2402 channel = other->iconf->channel;
2403 }
2404 *pos++ = op_class;
2405 *pos++ = channel;
2406 *pos++ = phytype;
2407 resp_ies_len = pos - &resp_ies[0];
2408 goto fail;
2409 }
2410 }
2411
2412 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
2413 &rad_info);
2414 if (res == HOSTAPD_ACL_REJECT) {
2415 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2416 "Ignore Authentication frame from " MACSTR
2417 " due to ACL reject", MAC2STR(mgmt->sa));
2418 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2419 goto fail;
2420 }
2421 if (res == HOSTAPD_ACL_PENDING)
2422 return;
2423
2424 #ifdef CONFIG_SAE
2425 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2426 (auth_transaction == 1 ||
2427 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2428 /* Handle SAE Authentication commit message through a queue to
2429 * provide more control for postponing the needed heavy
2430 * processing under a possible DoS attack scenario. In addition,
2431 * queue SAE Authentication confirm message if there happens to
2432 * be a queued commit message from the same peer. This is needed
2433 * to avoid reordering Authentication frames within the same
2434 * SAE exchange. */
2435 auth_sae_queue(hapd, mgmt, len, rssi);
2436 return;
2437 }
2438 #endif /* CONFIG_SAE */
2439
2440 sta = ap_get_sta(hapd, mgmt->sa);
2441 if (sta) {
2442 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2443 sta->ft_over_ds = 0;
2444 if ((fc & WLAN_FC_RETRY) &&
2445 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2446 sta->last_seq_ctrl == seq_ctrl &&
2447 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2448 hostapd_logger(hapd, sta->addr,
2449 HOSTAPD_MODULE_IEEE80211,
2450 HOSTAPD_LEVEL_DEBUG,
2451 "Drop repeated authentication frame seq_ctrl=0x%x",
2452 seq_ctrl);
2453 return;
2454 }
2455 #ifdef CONFIG_MESH
2456 if ((hapd->conf->mesh & MESH_ENABLED) &&
2457 sta->plink_state == PLINK_BLOCKED) {
2458 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2459 " is blocked - drop Authentication frame",
2460 MAC2STR(mgmt->sa));
2461 return;
2462 }
2463 #endif /* CONFIG_MESH */
2464 } else {
2465 #ifdef CONFIG_MESH
2466 if (hapd->conf->mesh & MESH_ENABLED) {
2467 /* if the mesh peer is not available, we don't do auth.
2468 */
2469 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2470 " not yet known - drop Authentication frame",
2471 MAC2STR(mgmt->sa));
2472 /*
2473 * Save a copy of the frame so that it can be processed
2474 * if a new peer entry is added shortly after this.
2475 */
2476 wpabuf_free(hapd->mesh_pending_auth);
2477 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2478 os_get_reltime(&hapd->mesh_pending_auth_time);
2479 return;
2480 }
2481 #endif /* CONFIG_MESH */
2482
2483 sta = ap_sta_add(hapd, mgmt->sa);
2484 if (!sta) {
2485 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2486 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2487 goto fail;
2488 }
2489 }
2490 sta->last_seq_ctrl = seq_ctrl;
2491 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2492 #ifdef CONFIG_MBO
2493 sta->auth_rssi = rssi;
2494 #endif /* CONFIG_MBO */
2495
2496 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
2497 if (res) {
2498 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2499 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2500 goto fail;
2501 }
2502
2503 sta->flags &= ~WLAN_STA_PREAUTH;
2504 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2505
2506 /*
2507 * If the driver supports full AP client state, add a station to the
2508 * driver before sending authentication reply to make sure the driver
2509 * has resources, and not to go through the entire authentication and
2510 * association handshake, and fail it at the end.
2511 *
2512 * If this is not the first transaction, in a multi-step authentication
2513 * algorithm, the station already exists in the driver
2514 * (sta->added_unassoc = 1) so skip it.
2515 *
2516 * In mesh mode, the station was already added to the driver when the
2517 * NEW_PEER_CANDIDATE event is received.
2518 *
2519 * If PMF was negotiated for the existing association, skip this to
2520 * avoid dropping the STA entry and the associated keys. This is needed
2521 * to allow the original connection work until the attempt can complete
2522 * (re)association, so that unprotected Authentication frame cannot be
2523 * used to bypass PMF protection.
2524 */
2525 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2526 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2527 !(hapd->conf->mesh & MESH_ENABLED) &&
2528 !(sta->added_unassoc)) {
2529 if (ap_sta_re_add(hapd, sta) < 0) {
2530 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2531 goto fail;
2532 }
2533 }
2534
2535 switch (auth_alg) {
2536 case WLAN_AUTH_OPEN:
2537 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2538 HOSTAPD_LEVEL_DEBUG,
2539 "authentication OK (open system)");
2540 sta->flags |= WLAN_STA_AUTH;
2541 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2542 sta->auth_alg = WLAN_AUTH_OPEN;
2543 mlme_authenticate_indication(hapd, sta);
2544 break;
2545 #ifdef CONFIG_WEP
2546 #ifndef CONFIG_NO_RC4
2547 case WLAN_AUTH_SHARED_KEY:
2548 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2549 fc & WLAN_FC_ISWEP);
2550 if (resp != 0)
2551 wpa_printf(MSG_DEBUG,
2552 "auth_shared_key() failed: status=%d", resp);
2553 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2554 mlme_authenticate_indication(hapd, sta);
2555 if (sta->challenge && auth_transaction == 1) {
2556 resp_ies[0] = WLAN_EID_CHALLENGE;
2557 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2558 os_memcpy(resp_ies + 2, sta->challenge,
2559 WLAN_AUTH_CHALLENGE_LEN);
2560 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2561 }
2562 break;
2563 #endif /* CONFIG_NO_RC4 */
2564 #endif /* CONFIG_WEP */
2565 #ifdef CONFIG_IEEE80211R_AP
2566 case WLAN_AUTH_FT:
2567 sta->auth_alg = WLAN_AUTH_FT;
2568 if (sta->wpa_sm == NULL)
2569 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2570 sta->addr, NULL);
2571 if (sta->wpa_sm == NULL) {
2572 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2573 "state machine");
2574 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2575 goto fail;
2576 }
2577 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2578 auth_transaction, mgmt->u.auth.variable,
2579 len - IEEE80211_HDRLEN -
2580 sizeof(mgmt->u.auth),
2581 handle_auth_ft_finish, hapd);
2582 /* handle_auth_ft_finish() callback will complete auth. */
2583 return;
2584 #endif /* CONFIG_IEEE80211R_AP */
2585 #ifdef CONFIG_SAE
2586 case WLAN_AUTH_SAE:
2587 #ifdef CONFIG_MESH
2588 if (status_code == WLAN_STATUS_SUCCESS &&
2589 hapd->conf->mesh & MESH_ENABLED) {
2590 if (sta->wpa_sm == NULL)
2591 sta->wpa_sm =
2592 wpa_auth_sta_init(hapd->wpa_auth,
2593 sta->addr, NULL);
2594 if (sta->wpa_sm == NULL) {
2595 wpa_printf(MSG_DEBUG,
2596 "SAE: Failed to initialize WPA state machine");
2597 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2598 goto fail;
2599 }
2600 }
2601 #endif /* CONFIG_MESH */
2602 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2603 status_code);
2604 return;
2605 #endif /* CONFIG_SAE */
2606 #ifdef CONFIG_FILS
2607 case WLAN_AUTH_FILS_SK:
2608 case WLAN_AUTH_FILS_SK_PFS:
2609 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2610 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2611 auth_alg, auth_transaction, status_code,
2612 handle_auth_fils_finish);
2613 return;
2614 #endif /* CONFIG_FILS */
2615 }
2616
2617 fail:
2618 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
2619 auth_transaction + 1, resp, resp_ies,
2620 resp_ies_len, "handle-auth");
2621
2622 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2623 reply_res != WLAN_STATUS_SUCCESS)) {
2624 hostapd_drv_sta_remove(hapd, sta->addr);
2625 sta->added_unassoc = 0;
2626 }
2627 }
2628
2629
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)2630 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2631 {
2632 int i, j = 32, aid;
2633
2634 /* get a unique AID */
2635 if (sta->aid > 0) {
2636 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2637 return 0;
2638 }
2639
2640 if (TEST_FAIL())
2641 return -1;
2642
2643 for (i = 0; i < AID_WORDS; i++) {
2644 if (hapd->sta_aid[i] == (u32) -1)
2645 continue;
2646 for (j = 0; j < 32; j++) {
2647 if (!(hapd->sta_aid[i] & BIT(j)))
2648 break;
2649 }
2650 if (j < 32)
2651 break;
2652 }
2653 if (j == 32)
2654 return -1;
2655 aid = i * 32 + j + 1;
2656 if (aid > 2007)
2657 return -1;
2658
2659 sta->aid = aid;
2660 hapd->sta_aid[i] |= BIT(j);
2661 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2662 return 0;
2663 }
2664
2665
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)2666 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2667 const u8 *ssid_ie, size_t ssid_ie_len)
2668 {
2669 if (ssid_ie == NULL)
2670 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2671
2672 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2673 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2674 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2675 HOSTAPD_LEVEL_INFO,
2676 "Station tried to associate with unknown SSID "
2677 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2678 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2679 }
2680
2681 return WLAN_STATUS_SUCCESS;
2682 }
2683
2684
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)2685 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2686 const u8 *wmm_ie, size_t wmm_ie_len)
2687 {
2688 sta->flags &= ~WLAN_STA_WMM;
2689 sta->qosinfo = 0;
2690 if (wmm_ie && hapd->conf->wmm_enabled) {
2691 struct wmm_information_element *wmm;
2692
2693 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2694 hostapd_logger(hapd, sta->addr,
2695 HOSTAPD_MODULE_WPA,
2696 HOSTAPD_LEVEL_DEBUG,
2697 "invalid WMM element in association "
2698 "request");
2699 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2700 }
2701
2702 sta->flags |= WLAN_STA_WMM;
2703 wmm = (struct wmm_information_element *) wmm_ie;
2704 sta->qosinfo = wmm->qos_info;
2705 }
2706 return WLAN_STATUS_SUCCESS;
2707 }
2708
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)2709 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2710 const u8 *multi_ap_ie, size_t multi_ap_len)
2711 {
2712 u8 multi_ap_value = 0;
2713
2714 sta->flags &= ~WLAN_STA_MULTI_AP;
2715
2716 if (!hapd->conf->multi_ap)
2717 return WLAN_STATUS_SUCCESS;
2718
2719 if (multi_ap_ie) {
2720 const u8 *multi_ap_subelem;
2721
2722 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2723 multi_ap_len - 4,
2724 MULTI_AP_SUB_ELEM_TYPE);
2725 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2726 multi_ap_value = multi_ap_subelem[2];
2727 } else {
2728 hostapd_logger(hapd, sta->addr,
2729 HOSTAPD_MODULE_IEEE80211,
2730 HOSTAPD_LEVEL_INFO,
2731 "Multi-AP IE has missing or invalid Multi-AP subelement");
2732 return WLAN_STATUS_INVALID_IE;
2733 }
2734 }
2735
2736 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2737 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2738 HOSTAPD_LEVEL_INFO,
2739 "Multi-AP IE with unexpected value 0x%02x",
2740 multi_ap_value);
2741
2742 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2743 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2744 return WLAN_STATUS_SUCCESS;
2745
2746 hostapd_logger(hapd, sta->addr,
2747 HOSTAPD_MODULE_IEEE80211,
2748 HOSTAPD_LEVEL_INFO,
2749 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2750 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2751 }
2752
2753 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2754 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2755 HOSTAPD_LEVEL_DEBUG,
2756 "Backhaul STA tries to associate with fronthaul-only BSS");
2757
2758 sta->flags |= WLAN_STA_MULTI_AP;
2759 return WLAN_STATUS_SUCCESS;
2760 }
2761
2762
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)2763 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2764 struct ieee802_11_elems *elems)
2765 {
2766 /* Supported rates not used in IEEE 802.11ad/DMG */
2767 if (hapd->iface->current_mode &&
2768 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2769 return WLAN_STATUS_SUCCESS;
2770
2771 if (!elems->supp_rates) {
2772 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2773 HOSTAPD_LEVEL_DEBUG,
2774 "No supported rates element in AssocReq");
2775 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2776 }
2777
2778 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2779 sizeof(sta->supported_rates)) {
2780 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2781 HOSTAPD_LEVEL_DEBUG,
2782 "Invalid supported rates element length %d+%d",
2783 elems->supp_rates_len,
2784 elems->ext_supp_rates_len);
2785 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2786 }
2787
2788 sta->supported_rates_len = merge_byte_arrays(
2789 sta->supported_rates, sizeof(sta->supported_rates),
2790 elems->supp_rates, elems->supp_rates_len,
2791 elems->ext_supp_rates, elems->ext_supp_rates_len);
2792
2793 return WLAN_STATUS_SUCCESS;
2794 }
2795
2796
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)2797 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2798 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2799 {
2800 #ifdef CONFIG_INTERWORKING
2801 /* check for QoS Map support */
2802 if (ext_capab_ie_len >= 5) {
2803 if (ext_capab_ie[4] & 0x01)
2804 sta->qos_map_enabled = 1;
2805 }
2806 #endif /* CONFIG_INTERWORKING */
2807
2808 if (ext_capab_ie_len > 0) {
2809 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2810 os_free(sta->ext_capability);
2811 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2812 if (sta->ext_capability) {
2813 sta->ext_capability[0] = ext_capab_ie_len;
2814 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2815 ext_capab_ie_len);
2816 }
2817 }
2818
2819 return WLAN_STATUS_SUCCESS;
2820 }
2821
2822
2823 #ifdef CONFIG_OWE
2824
owe_group_supported(struct hostapd_data * hapd,u16 group)2825 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2826 {
2827 int i;
2828 int *groups = hapd->conf->owe_groups;
2829
2830 if (group != 19 && group != 20 && group != 21)
2831 return 0;
2832
2833 if (!groups)
2834 return 1;
2835
2836 for (i = 0; groups[i] > 0; i++) {
2837 if (groups[i] == group)
2838 return 1;
2839 }
2840
2841 return 0;
2842 }
2843
2844
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)2845 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2846 struct sta_info *sta, const u8 *owe_dh,
2847 u8 owe_dh_len)
2848 {
2849 struct wpabuf *secret, *pub, *hkey;
2850 int res;
2851 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2852 const char *info = "OWE Key Generation";
2853 const u8 *addr[2];
2854 size_t len[2];
2855 u16 group;
2856 size_t hash_len, prime_len;
2857
2858 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2859 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2860 return WLAN_STATUS_SUCCESS;
2861 }
2862
2863 group = WPA_GET_LE16(owe_dh);
2864 if (!owe_group_supported(hapd, group)) {
2865 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2866 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2867 }
2868 if (group == 19)
2869 prime_len = 32;
2870 else if (group == 20)
2871 prime_len = 48;
2872 else if (group == 21)
2873 prime_len = 66;
2874 else
2875 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2876
2877 crypto_ecdh_deinit(sta->owe_ecdh);
2878 sta->owe_ecdh = crypto_ecdh_init(group);
2879 if (!sta->owe_ecdh)
2880 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2881 sta->owe_group = group;
2882
2883 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2884 owe_dh_len - 2);
2885 secret = wpabuf_zeropad(secret, prime_len);
2886 if (!secret) {
2887 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2888 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2889 }
2890 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2891
2892 /* prk = HKDF-extract(C | A | group, z) */
2893
2894 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2895 if (!pub) {
2896 wpabuf_clear_free(secret);
2897 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2898 }
2899
2900 /* PMKID = Truncate-128(Hash(C | A)) */
2901 addr[0] = owe_dh + 2;
2902 len[0] = owe_dh_len - 2;
2903 addr[1] = wpabuf_head(pub);
2904 len[1] = wpabuf_len(pub);
2905 if (group == 19) {
2906 res = sha256_vector(2, addr, len, pmkid);
2907 hash_len = SHA256_MAC_LEN;
2908 } else if (group == 20) {
2909 res = sha384_vector(2, addr, len, pmkid);
2910 hash_len = SHA384_MAC_LEN;
2911 } else if (group == 21) {
2912 res = sha512_vector(2, addr, len, pmkid);
2913 hash_len = SHA512_MAC_LEN;
2914 } else {
2915 wpabuf_free(pub);
2916 wpabuf_clear_free(secret);
2917 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2918 }
2919 pub = wpabuf_zeropad(pub, prime_len);
2920 if (res < 0 || !pub) {
2921 wpabuf_free(pub);
2922 wpabuf_clear_free(secret);
2923 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2924 }
2925
2926 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2927 if (!hkey) {
2928 wpabuf_free(pub);
2929 wpabuf_clear_free(secret);
2930 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2931 }
2932
2933 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2934 wpabuf_put_buf(hkey, pub); /* A */
2935 wpabuf_free(pub);
2936 wpabuf_put_le16(hkey, group); /* group */
2937 if (group == 19)
2938 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2939 wpabuf_head(secret), wpabuf_len(secret), prk);
2940 else if (group == 20)
2941 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2942 wpabuf_head(secret), wpabuf_len(secret), prk);
2943 else if (group == 21)
2944 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2945 wpabuf_head(secret), wpabuf_len(secret), prk);
2946 wpabuf_clear_free(hkey);
2947 wpabuf_clear_free(secret);
2948 if (res < 0)
2949 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2950
2951 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2952
2953 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2954
2955 os_free(sta->owe_pmk);
2956 sta->owe_pmk = os_malloc(hash_len);
2957 if (!sta->owe_pmk) {
2958 os_memset(prk, 0, SHA512_MAC_LEN);
2959 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2960 }
2961
2962 if (group == 19)
2963 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2964 os_strlen(info), sta->owe_pmk, hash_len);
2965 else if (group == 20)
2966 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2967 os_strlen(info), sta->owe_pmk, hash_len);
2968 else if (group == 21)
2969 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2970 os_strlen(info), sta->owe_pmk, hash_len);
2971 os_memset(prk, 0, SHA512_MAC_LEN);
2972 if (res < 0) {
2973 os_free(sta->owe_pmk);
2974 sta->owe_pmk = NULL;
2975 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2976 }
2977 sta->owe_pmk_len = hash_len;
2978
2979 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2980 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2981 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2982 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2983
2984 return WLAN_STATUS_SUCCESS;
2985 }
2986
2987
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)2988 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
2989 const u8 *rsn_ie, size_t rsn_ie_len,
2990 const u8 *owe_dh, size_t owe_dh_len)
2991 {
2992 struct wpa_ie_data data;
2993 int res;
2994
2995 if (!rsn_ie || rsn_ie_len < 2) {
2996 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
2997 MAC2STR(peer));
2998 return WLAN_STATUS_INVALID_IE;
2999 }
3000 rsn_ie -= 2;
3001 rsn_ie_len += 2;
3002
3003 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
3004 if (res) {
3005 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
3006 " (res=%d)", MAC2STR(peer), res);
3007 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
3008 return wpa_res_to_status_code(res);
3009 }
3010 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
3011 wpa_printf(MSG_DEBUG,
3012 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
3013 (unsigned int) data.key_mgmt, MAC2STR(peer));
3014 return WLAN_STATUS_AKMP_NOT_VALID;
3015 }
3016 if (!owe_dh) {
3017 wpa_printf(MSG_DEBUG,
3018 "OWE: No Diffie-Hellman Parameter element from "
3019 MACSTR, MAC2STR(peer));
3020 return WLAN_STATUS_AKMP_NOT_VALID;
3021 }
3022
3023 return WLAN_STATUS_SUCCESS;
3024 }
3025
3026
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)3027 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
3028 struct sta_info *sta,
3029 const u8 *rsn_ie, size_t rsn_ie_len,
3030 const u8 *owe_dh, size_t owe_dh_len)
3031 {
3032 u16 status;
3033 u8 *owe_buf, ie[256 * 2];
3034 size_t ie_len = 0;
3035 enum wpa_validate_result res;
3036
3037 if (!rsn_ie || rsn_ie_len < 2) {
3038 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
3039 status = WLAN_STATUS_INVALID_IE;
3040 goto end;
3041 }
3042
3043 if (!sta->wpa_sm)
3044 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
3045 NULL);
3046 if (!sta->wpa_sm) {
3047 wpa_printf(MSG_WARNING,
3048 "OWE: Failed to initialize WPA state machine");
3049 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3050 goto end;
3051 }
3052 rsn_ie -= 2;
3053 rsn_ie_len += 2;
3054 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3055 hapd->iface->freq, rsn_ie, rsn_ie_len,
3056 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
3057 status = wpa_res_to_status_code(res);
3058 if (status != WLAN_STATUS_SUCCESS)
3059 goto end;
3060 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3061 if (status != WLAN_STATUS_SUCCESS)
3062 goto end;
3063 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
3064 NULL, 0);
3065 if (!owe_buf) {
3066 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3067 goto end;
3068 }
3069
3070 if (sta->owe_ecdh) {
3071 struct wpabuf *pub;
3072
3073 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3074 if (!pub) {
3075 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3076 goto end;
3077 }
3078
3079 /* OWE Diffie-Hellman Parameter element */
3080 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3081 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3082 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3083 */
3084 WPA_PUT_LE16(owe_buf, sta->owe_group);
3085 owe_buf += 2;
3086 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3087 owe_buf += wpabuf_len(pub);
3088 wpabuf_free(pub);
3089 sta->external_dh_updated = 1;
3090 }
3091 ie_len = owe_buf - ie;
3092
3093 end:
3094 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3095 MACSTR, status, (unsigned int) ie_len,
3096 MAC2STR(sta->addr));
3097 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
3098 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3099 ie_len);
3100
3101 return status;
3102 }
3103
3104 #endif /* CONFIG_OWE */
3105
3106
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)3107 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3108 const u8 *ies, size_t ies_len, int reassoc)
3109 {
3110 struct ieee802_11_elems elems;
3111 int resp;
3112 const u8 *wpa_ie;
3113 size_t wpa_ie_len;
3114 const u8 *p2p_dev_addr = NULL;
3115
3116 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3117 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3118 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
3119 "association request");
3120 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3121 }
3122
3123 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
3124 if (resp != WLAN_STATUS_SUCCESS)
3125 return resp;
3126 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
3127 if (resp != WLAN_STATUS_SUCCESS)
3128 return resp;
3129 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
3130 if (resp != WLAN_STATUS_SUCCESS)
3131 return resp;
3132 resp = copy_supp_rates(hapd, sta, &elems);
3133 if (resp != WLAN_STATUS_SUCCESS)
3134 return resp;
3135
3136 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
3137 if (resp != WLAN_STATUS_SUCCESS)
3138 return resp;
3139
3140 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
3141 if (resp != WLAN_STATUS_SUCCESS)
3142 return resp;
3143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3144 !(sta->flags & WLAN_STA_HT)) {
3145 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3146 HOSTAPD_LEVEL_INFO, "Station does not support "
3147 "mandatory HT PHY - reject association");
3148 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3149 }
3150
3151 #ifdef CONFIG_IEEE80211AC
3152 if (hapd->iconf->ieee80211ac) {
3153 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
3154 if (resp != WLAN_STATUS_SUCCESS)
3155 return resp;
3156
3157 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
3158 if (resp != WLAN_STATUS_SUCCESS)
3159 return resp;
3160 }
3161
3162 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3163 !(sta->flags & WLAN_STA_VHT)) {
3164 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3165 HOSTAPD_LEVEL_INFO, "Station does not support "
3166 "mandatory VHT PHY - reject association");
3167 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
3168 }
3169
3170 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
3171 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
3172 elems.vendor_vht_len);
3173 if (resp != WLAN_STATUS_SUCCESS)
3174 return resp;
3175 }
3176 #endif /* CONFIG_IEEE80211AC */
3177 #ifdef CONFIG_IEEE80211AX
3178 if (hapd->iconf->ieee80211ax) {
3179 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
3180 elems.he_capabilities,
3181 elems.he_capabilities_len);
3182 if (resp != WLAN_STATUS_SUCCESS)
3183 return resp;
3184 if (is_6ghz_op_class(hapd->iconf->op_class)) {
3185 resp = copy_sta_he_6ghz_capab(hapd, sta,
3186 elems.he_6ghz_band_cap);
3187 if (resp != WLAN_STATUS_SUCCESS)
3188 return resp;
3189 }
3190 }
3191 #endif /* CONFIG_IEEE80211AX */
3192
3193 #ifdef CONFIG_P2P
3194 if (elems.p2p) {
3195 wpabuf_free(sta->p2p_ie);
3196 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3197 P2P_IE_VENDOR_TYPE);
3198 if (sta->p2p_ie)
3199 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
3200 } else {
3201 wpabuf_free(sta->p2p_ie);
3202 sta->p2p_ie = NULL;
3203 }
3204 #endif /* CONFIG_P2P */
3205
3206 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
3207 wpa_ie = elems.rsn_ie;
3208 wpa_ie_len = elems.rsn_ie_len;
3209 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
3210 elems.wpa_ie) {
3211 wpa_ie = elems.wpa_ie;
3212 wpa_ie_len = elems.wpa_ie_len;
3213 } else {
3214 wpa_ie = NULL;
3215 wpa_ie_len = 0;
3216 }
3217
3218 #ifdef CONFIG_WPS
3219 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
3220 if (hapd->conf->wps_state && elems.wps_ie) {
3221 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
3222 "Request - assume WPS is used");
3223 sta->flags |= WLAN_STA_WPS;
3224 wpabuf_free(sta->wps_ie);
3225 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
3226 WPS_IE_VENDOR_TYPE);
3227 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
3228 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
3229 sta->flags |= WLAN_STA_WPS2;
3230 }
3231 wpa_ie = NULL;
3232 wpa_ie_len = 0;
3233 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
3234 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
3235 "(Re)Association Request - reject");
3236 return WLAN_STATUS_INVALID_IE;
3237 }
3238 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
3239 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
3240 "(Re)Association Request - possible WPS use");
3241 sta->flags |= WLAN_STA_MAYBE_WPS;
3242 } else
3243 #endif /* CONFIG_WPS */
3244 if (hapd->conf->wpa && wpa_ie == NULL) {
3245 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3246 HOSTAPD_LEVEL_INFO,
3247 "No WPA/RSN IE in association request");
3248 return WLAN_STATUS_INVALID_IE;
3249 }
3250
3251 if (hapd->conf->wpa && wpa_ie) {
3252 enum wpa_validate_result res;
3253
3254 wpa_ie -= 2;
3255 wpa_ie_len += 2;
3256 if (sta->wpa_sm == NULL)
3257 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3258 sta->addr,
3259 p2p_dev_addr);
3260 if (sta->wpa_sm == NULL) {
3261 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3262 "state machine");
3263 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3264 }
3265 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
3266 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3267 hapd->iface->freq,
3268 wpa_ie, wpa_ie_len,
3269 elems.rsnxe ? elems.rsnxe - 2 : NULL,
3270 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
3271 elems.mdie, elems.mdie_len,
3272 elems.owe_dh, elems.owe_dh_len);
3273 resp = wpa_res_to_status_code(res);
3274 if (resp != WLAN_STATUS_SUCCESS)
3275 return resp;
3276 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3277 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3278 !sta->sa_query_timed_out &&
3279 sta->sa_query_count > 0)
3280 ap_check_sa_query_timeout(hapd, sta);
3281 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
3282 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
3283 !sta->sa_query_timed_out &&
3284 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3285 /*
3286 * STA has already been associated with MFP and SA
3287 * Query timeout has not been reached. Reject the
3288 * association attempt temporarily and start SA Query,
3289 * if one is not pending.
3290 */
3291
3292 if (sta->sa_query_count == 0)
3293 ap_sta_start_sa_query(hapd, sta);
3294
3295 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
3296 }
3297
3298 if (wpa_auth_uses_mfp(sta->wpa_sm))
3299 sta->flags |= WLAN_STA_MFP;
3300 else
3301 sta->flags &= ~WLAN_STA_MFP;
3302
3303 #ifdef CONFIG_IEEE80211R_AP
3304 if (sta->auth_alg == WLAN_AUTH_FT) {
3305 if (!reassoc) {
3306 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
3307 "to use association (not "
3308 "re-association) with FT auth_alg",
3309 MAC2STR(sta->addr));
3310 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3311 }
3312
3313 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
3314 ies_len);
3315 if (resp != WLAN_STATUS_SUCCESS)
3316 return resp;
3317 }
3318 #endif /* CONFIG_IEEE80211R_AP */
3319
3320 #ifdef CONFIG_SAE
3321 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3322 sta->sae->state == SAE_ACCEPTED)
3323 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3324
3325 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3326 sta->auth_alg == WLAN_AUTH_OPEN) {
3327 struct rsn_pmksa_cache_entry *sa;
3328 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3329 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3330 wpa_printf(MSG_DEBUG,
3331 "SAE: No PMKSA cache entry found for "
3332 MACSTR, MAC2STR(sta->addr));
3333 return WLAN_STATUS_INVALID_PMKID;
3334 }
3335 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3336 " using PMKSA caching", MAC2STR(sta->addr));
3337 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3338 sta->auth_alg != WLAN_AUTH_SAE &&
3339 !(sta->auth_alg == WLAN_AUTH_FT &&
3340 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3341 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3342 "SAE AKM after non-SAE auth_alg %u",
3343 MAC2STR(sta->addr), sta->auth_alg);
3344 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3345 }
3346
3347 if (hapd->conf->sae_pwe == 2 &&
3348 sta->auth_alg == WLAN_AUTH_SAE &&
3349 sta->sae && sta->sae->tmp && !sta->sae->tmp->h2e &&
3350 elems.rsnxe && elems.rsnxe_len >= 1 &&
3351 (elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
3352 wpa_printf(MSG_INFO, "SAE: " MACSTR
3353 " indicates support for SAE H2E, but did not use it",
3354 MAC2STR(sta->addr));
3355 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3356 }
3357 #endif /* CONFIG_SAE */
3358
3359 #ifdef CONFIG_OWE
3360 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3361 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3362 elems.owe_dh) {
3363 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3364 elems.owe_dh_len);
3365 if (resp != WLAN_STATUS_SUCCESS)
3366 return resp;
3367 }
3368 #endif /* CONFIG_OWE */
3369
3370 #ifdef CONFIG_DPP2
3371 dpp_pfs_free(sta->dpp_pfs);
3372 sta->dpp_pfs = NULL;
3373
3374 if (DPP_VERSION > 1 &&
3375 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3376 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3377 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3378 elems.owe_dh) {
3379 sta->dpp_pfs = dpp_pfs_init(
3380 wpabuf_head(hapd->conf->dpp_netaccesskey),
3381 wpabuf_len(hapd->conf->dpp_netaccesskey));
3382 if (!sta->dpp_pfs) {
3383 wpa_printf(MSG_DEBUG,
3384 "DPP: Could not initialize PFS");
3385 /* Try to continue without PFS */
3386 goto pfs_fail;
3387 }
3388
3389 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3390 elems.owe_dh_len) < 0) {
3391 dpp_pfs_free(sta->dpp_pfs);
3392 sta->dpp_pfs = NULL;
3393 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3394 }
3395 }
3396
3397 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3398 sta->dpp_pfs->secret : NULL);
3399 pfs_fail:
3400 #endif /* CONFIG_DPP2 */
3401
3402 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3403 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3404 hostapd_logger(hapd, sta->addr,
3405 HOSTAPD_MODULE_IEEE80211,
3406 HOSTAPD_LEVEL_INFO,
3407 "Station tried to use TKIP with HT "
3408 "association");
3409 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3410 }
3411 #ifdef CONFIG_HS20
3412 } else if (hapd->conf->osen) {
3413 if (elems.osen == NULL) {
3414 hostapd_logger(
3415 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3416 HOSTAPD_LEVEL_INFO,
3417 "No HS 2.0 OSEN element in association request");
3418 return WLAN_STATUS_INVALID_IE;
3419 }
3420
3421 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3422 if (sta->wpa_sm == NULL)
3423 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3424 sta->addr, NULL);
3425 if (sta->wpa_sm == NULL) {
3426 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3427 "state machine");
3428 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3429 }
3430 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3431 elems.osen - 2, elems.osen_len + 2) < 0)
3432 return WLAN_STATUS_INVALID_IE;
3433 #endif /* CONFIG_HS20 */
3434 } else
3435 wpa_auth_sta_no_wpa(sta->wpa_sm);
3436
3437 #ifdef CONFIG_P2P
3438 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3439 #endif /* CONFIG_P2P */
3440
3441 #ifdef CONFIG_HS20
3442 wpabuf_free(sta->hs20_ie);
3443 if (elems.hs20 && elems.hs20_len > 4) {
3444 int release;
3445
3446 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3447 elems.hs20_len - 4);
3448 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3449 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
3450 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3451 wpa_printf(MSG_DEBUG,
3452 "HS 2.0: PMF not negotiated by release %d station "
3453 MACSTR, release, MAC2STR(sta->addr));
3454 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3455 }
3456 } else {
3457 sta->hs20_ie = NULL;
3458 }
3459
3460 wpabuf_free(sta->roaming_consortium);
3461 if (elems.roaming_cons_sel)
3462 sta->roaming_consortium = wpabuf_alloc_copy(
3463 elems.roaming_cons_sel + 4,
3464 elems.roaming_cons_sel_len - 4);
3465 else
3466 sta->roaming_consortium = NULL;
3467 #endif /* CONFIG_HS20 */
3468
3469 #ifdef CONFIG_FST
3470 wpabuf_free(sta->mb_ies);
3471 if (hapd->iface->fst)
3472 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3473 else
3474 sta->mb_ies = NULL;
3475 #endif /* CONFIG_FST */
3476
3477 #ifdef CONFIG_MBO
3478 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3479
3480 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3481 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3482 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3483 wpa_printf(MSG_INFO,
3484 "MBO: Reject WPA2 association without PMF");
3485 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3486 }
3487 #endif /* CONFIG_MBO */
3488
3489 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3490 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3491 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3492 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3493 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3494 struct wpa_channel_info ci;
3495 int tx_chanwidth;
3496 int tx_seg1_idx;
3497
3498 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3499 wpa_printf(MSG_WARNING,
3500 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3501 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3502 }
3503
3504 if (get_sta_tx_parameters(sta->wpa_sm,
3505 channel_width_to_int(ci.chanwidth),
3506 ci.seg1_idx, &tx_chanwidth,
3507 &tx_seg1_idx) < 0)
3508 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3509
3510 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3511 tx_chanwidth, tx_seg1_idx) != 0) {
3512 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3513 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3514 }
3515 }
3516 #endif /* CONFIG_FILS && CONFIG_OCV */
3517
3518 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3519 elems.supp_op_classes_len);
3520
3521 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3522 elems.rrm_enabled &&
3523 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3524 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3525 sizeof(sta->rrm_enabled_capa));
3526
3527 if (elems.power_capab) {
3528 sta->min_tx_power = elems.power_capab[0];
3529 sta->max_tx_power = elems.power_capab[1];
3530 sta->power_capab = 1;
3531 } else {
3532 sta->power_capab = 0;
3533 }
3534
3535 return WLAN_STATUS_SUCCESS;
3536 }
3537
3538
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)3539 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3540 u16 reason_code)
3541 {
3542 int send_len;
3543 struct ieee80211_mgmt reply;
3544
3545 os_memset(&reply, 0, sizeof(reply));
3546 reply.frame_control =
3547 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3548 os_memcpy(reply.da, addr, ETH_ALEN);
3549 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3550 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3551
3552 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3553 reply.u.deauth.reason_code = host_to_le16(reason_code);
3554
3555 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
3556 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3557 strerror(errno));
3558 }
3559
3560
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)3561 static int add_associated_sta(struct hostapd_data *hapd,
3562 struct sta_info *sta, int reassoc)
3563 {
3564 struct ieee80211_ht_capabilities ht_cap;
3565 struct ieee80211_vht_capabilities vht_cap;
3566 struct ieee80211_he_capabilities he_cap;
3567 int set = 1;
3568
3569 /*
3570 * Remove the STA entry to ensure the STA PS state gets cleared and
3571 * configuration gets updated. This is relevant for cases, such as
3572 * FT-over-the-DS, where a station re-associates back to the same AP but
3573 * skips the authentication flow, or if working with a driver that
3574 * does not support full AP client state.
3575 *
3576 * Skip this if the STA has already completed FT reassociation and the
3577 * TK has been configured since the TX/RX PN must not be reset to 0 for
3578 * the same key.
3579 *
3580 * FT-over-the-DS has a special case where the STA entry (and as such,
3581 * the TK) has not yet been configured to the driver depending on which
3582 * driver interface is used. For that case, allow add-STA operation to
3583 * be used (instead of set-STA). This is needed to allow mac80211-based
3584 * drivers to accept the STA parameter configuration. Since this is
3585 * after a new FT-over-DS exchange, a new TK has been derived, so key
3586 * reinstallation is not a concern for this case.
3587 */
3588 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3589 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3590 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3591 sta->ft_over_ds, reassoc,
3592 !!(sta->flags & WLAN_STA_AUTHORIZED),
3593 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3594 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3595
3596 if (!sta->added_unassoc &&
3597 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3598 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3599 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3600 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3601 hostapd_drv_sta_remove(hapd, sta->addr);
3602 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3603 set = 0;
3604
3605 /* Do not allow the FT-over-DS exception to be used more than
3606 * once per authentication exchange to guarantee a new TK is
3607 * used here */
3608 sta->ft_over_ds = 0;
3609 }
3610
3611 if (sta->flags & WLAN_STA_HT)
3612 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3613 #ifdef CONFIG_IEEE80211AC
3614 if (sta->flags & WLAN_STA_VHT)
3615 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3616 #endif /* CONFIG_IEEE80211AC */
3617 #ifdef CONFIG_IEEE80211AX
3618 if (sta->flags & WLAN_STA_HE) {
3619 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
3620 sta->he_capab_len);
3621 }
3622 #endif /* CONFIG_IEEE80211AX */
3623
3624 /*
3625 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3626 * will be set when the ACK frame for the (Re)Association Response frame
3627 * is processed (TX status driver event).
3628 */
3629 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3630 sta->supported_rates, sta->supported_rates_len,
3631 sta->listen_interval,
3632 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3633 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3634 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
3635 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
3636 sta->he_6ghz_capab,
3637 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3638 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3639 set)) {
3640 hostapd_logger(hapd, sta->addr,
3641 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3642 "Could not %s STA to kernel driver",
3643 set ? "set" : "add");
3644
3645 if (sta->added_unassoc) {
3646 hostapd_drv_sta_remove(hapd, sta->addr);
3647 sta->added_unassoc = 0;
3648 }
3649
3650 return -1;
3651 }
3652
3653 sta->added_unassoc = 0;
3654
3655 return 0;
3656 }
3657
3658
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)3659 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3660 const u8 *addr, u16 status_code, int reassoc,
3661 const u8 *ies, size_t ies_len, int rssi,
3662 int omit_rsnxe)
3663 {
3664 int send_len;
3665 u8 *buf;
3666 size_t buflen;
3667 struct ieee80211_mgmt *reply;
3668 u8 *p;
3669 u16 res = WLAN_STATUS_SUCCESS;
3670
3671 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3672 #ifdef CONFIG_FILS
3673 if (sta && sta->fils_hlp_resp)
3674 buflen += wpabuf_len(sta->fils_hlp_resp);
3675 if (sta)
3676 buflen += 150;
3677 #endif /* CONFIG_FILS */
3678 #ifdef CONFIG_OWE
3679 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3680 buflen += 150;
3681 #endif /* CONFIG_OWE */
3682 #ifdef CONFIG_DPP2
3683 if (sta && sta->dpp_pfs)
3684 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3685 #endif /* CONFIG_DPP2 */
3686 buf = os_zalloc(buflen);
3687 if (!buf) {
3688 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3689 goto done;
3690 }
3691 reply = (struct ieee80211_mgmt *) buf;
3692 reply->frame_control =
3693 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3694 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3695 WLAN_FC_STYPE_ASSOC_RESP));
3696 os_memcpy(reply->da, addr, ETH_ALEN);
3697 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3698 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3699
3700 send_len = IEEE80211_HDRLEN;
3701 send_len += sizeof(reply->u.assoc_resp);
3702 reply->u.assoc_resp.capab_info =
3703 host_to_le16(hostapd_own_capab_info(hapd));
3704 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3705
3706 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3707 BIT(14) | BIT(15));
3708 /* Supported rates */
3709 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3710 /* Extended supported rates */
3711 p = hostapd_eid_ext_supp_rates(hapd, p);
3712
3713 /* Radio measurement capabilities */
3714 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
3715
3716 #ifdef CONFIG_MBO
3717 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3718 rssi != 0) {
3719 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3720
3721 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3722 delta);
3723 }
3724 #endif /* CONFIG_MBO */
3725
3726 #ifdef CONFIG_IEEE80211R_AP
3727 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3728 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3729 * Transition Information, RSN, [RIC Response] */
3730 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3731 buf + buflen - p,
3732 sta->auth_alg, ies, ies_len,
3733 omit_rsnxe);
3734 if (!p) {
3735 wpa_printf(MSG_DEBUG,
3736 "FT: Failed to write AssocResp IEs");
3737 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3738 goto done;
3739 }
3740 }
3741 #endif /* CONFIG_IEEE80211R_AP */
3742 #ifdef CONFIG_FILS
3743 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3744 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3745 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3746 sta->auth_alg == WLAN_AUTH_FILS_PK))
3747 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
3748 buf + buflen - p,
3749 ies, ies_len);
3750 #endif /* CONFIG_FILS */
3751
3752 #ifdef CONFIG_OWE
3753 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3754 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3755 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3756 buf + buflen - p,
3757 ies, ies_len);
3758 #endif /* CONFIG_OWE */
3759
3760 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3761 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3762
3763 p = hostapd_eid_ht_capabilities(hapd, p);
3764 p = hostapd_eid_ht_operation(hapd, p);
3765
3766 #ifdef CONFIG_IEEE80211AC
3767 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
3768 !is_6ghz_op_class(hapd->iconf->op_class)) {
3769 u32 nsts = 0, sta_nsts;
3770
3771 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3772 struct ieee80211_vht_capabilities *capa;
3773
3774 nsts = (hapd->iface->conf->vht_capab >>
3775 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3776 capa = sta->vht_capabilities;
3777 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3778 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3779
3780 if (nsts < sta_nsts)
3781 nsts = 0;
3782 else
3783 nsts = sta_nsts;
3784 }
3785 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3786 p = hostapd_eid_vht_operation(hapd, p);
3787 }
3788 #endif /* CONFIG_IEEE80211AC */
3789
3790 #ifdef CONFIG_IEEE80211AX
3791 if (hapd->iconf->ieee80211ax) {
3792 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
3793 p = hostapd_eid_he_operation(hapd, p);
3794 p = hostapd_eid_spatial_reuse(hapd, p);
3795 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
3796 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
3797 }
3798 #endif /* CONFIG_IEEE80211AX */
3799
3800 p = hostapd_eid_ext_capab(hapd, p);
3801 p = hostapd_eid_bss_max_idle_period(hapd, p);
3802 if (sta && sta->qos_map_enabled)
3803 p = hostapd_eid_qos_map_set(hapd, p);
3804
3805 #ifdef CONFIG_FST
3806 if (hapd->iface->fst_ies) {
3807 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3808 wpabuf_len(hapd->iface->fst_ies));
3809 p += wpabuf_len(hapd->iface->fst_ies);
3810 }
3811 #endif /* CONFIG_FST */
3812
3813 #ifdef CONFIG_TESTING_OPTIONS
3814 if (hapd->conf->rsnxe_override_ft &&
3815 buf + buflen - p >=
3816 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
3817 sta && sta->auth_alg == WLAN_AUTH_FT) {
3818 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
3819 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
3820 wpabuf_len(hapd->conf->rsnxe_override_ft));
3821 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
3822 goto rsnxe_done;
3823 }
3824 #endif /* CONFIG_TESTING_OPTIONS */
3825 if (!omit_rsnxe)
3826 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
3827 #ifdef CONFIG_TESTING_OPTIONS
3828 rsnxe_done:
3829 #endif /* CONFIG_TESTING_OPTIONS */
3830
3831 #ifdef CONFIG_OWE
3832 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3833 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3834 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3835 struct wpabuf *pub;
3836
3837 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3838 if (!pub) {
3839 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3840 goto done;
3841 }
3842 /* OWE Diffie-Hellman Parameter element */
3843 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3844 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3845 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3846 WPA_PUT_LE16(p, sta->owe_group);
3847 p += 2;
3848 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3849 p += wpabuf_len(pub);
3850 wpabuf_free(pub);
3851 }
3852 #endif /* CONFIG_OWE */
3853
3854 #ifdef CONFIG_DPP2
3855 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3856 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3857 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3858 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3859 wpabuf_len(sta->dpp_pfs->ie));
3860 p += wpabuf_len(sta->dpp_pfs->ie);
3861 }
3862 #endif /* CONFIG_DPP2 */
3863
3864 #ifdef CONFIG_IEEE80211AC
3865 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3866 p = hostapd_eid_vendor_vht(hapd, p);
3867 #endif /* CONFIG_IEEE80211AC */
3868
3869 if (sta && (sta->flags & WLAN_STA_WMM))
3870 p = hostapd_eid_wmm(hapd, p);
3871
3872 #ifdef CONFIG_WPS
3873 if (sta &&
3874 ((sta->flags & WLAN_STA_WPS) ||
3875 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3876 struct wpabuf *wps = wps_build_assoc_resp_ie();
3877 if (wps) {
3878 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3879 p += wpabuf_len(wps);
3880 wpabuf_free(wps);
3881 }
3882 }
3883 #endif /* CONFIG_WPS */
3884
3885 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3886 p = hostapd_eid_multi_ap(hapd, p);
3887
3888 #ifdef CONFIG_P2P
3889 if (sta && sta->p2p_ie && hapd->p2p_group) {
3890 struct wpabuf *p2p_resp_ie;
3891 enum p2p_status_code status;
3892 switch (status_code) {
3893 case WLAN_STATUS_SUCCESS:
3894 status = P2P_SC_SUCCESS;
3895 break;
3896 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3897 status = P2P_SC_FAIL_LIMIT_REACHED;
3898 break;
3899 default:
3900 status = P2P_SC_FAIL_INVALID_PARAMS;
3901 break;
3902 }
3903 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3904 if (p2p_resp_ie) {
3905 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3906 wpabuf_len(p2p_resp_ie));
3907 p += wpabuf_len(p2p_resp_ie);
3908 wpabuf_free(p2p_resp_ie);
3909 }
3910 }
3911 #endif /* CONFIG_P2P */
3912
3913 #ifdef CONFIG_P2P_MANAGER
3914 if (hapd->conf->p2p & P2P_MANAGE)
3915 p = hostapd_eid_p2p_manage(hapd, p);
3916 #endif /* CONFIG_P2P_MANAGER */
3917
3918 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3919
3920 if (hapd->conf->assocresp_elements &&
3921 (size_t) (buf + buflen - p) >=
3922 wpabuf_len(hapd->conf->assocresp_elements)) {
3923 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3924 wpabuf_len(hapd->conf->assocresp_elements));
3925 p += wpabuf_len(hapd->conf->assocresp_elements);
3926 }
3927
3928 send_len += p - reply->u.assoc_resp.variable;
3929
3930 #ifdef CONFIG_FILS
3931 if (sta &&
3932 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3933 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3934 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3935 status_code == WLAN_STATUS_SUCCESS) {
3936 struct ieee802_11_elems elems;
3937
3938 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3939 ParseFailed || !elems.fils_session) {
3940 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3941 goto done;
3942 }
3943
3944 /* FILS Session */
3945 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3946 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3947 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3948 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3949 send_len += 2 + 1 + FILS_SESSION_LEN;
3950
3951 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3952 buflen, sta->fils_hlp_resp);
3953 if (send_len < 0) {
3954 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3955 goto done;
3956 }
3957 }
3958 #endif /* CONFIG_FILS */
3959
3960 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
3961 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3962 strerror(errno));
3963 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3964 }
3965
3966 done:
3967 os_free(buf);
3968 return res;
3969 }
3970
3971
3972 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)3973 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3974 const u8 *owe_dh, u8 owe_dh_len,
3975 u8 *owe_buf, size_t owe_buf_len, u16 *status)
3976 {
3977 #ifdef CONFIG_TESTING_OPTIONS
3978 if (hapd->conf->own_ie_override) {
3979 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3980 *status = WLAN_STATUS_SUCCESS;
3981 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3982 owe_buf_len, NULL, 0);
3983 }
3984 #endif /* CONFIG_TESTING_OPTIONS */
3985
3986 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3987 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3988 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3989 owe_buf_len, NULL, 0);
3990 *status = WLAN_STATUS_SUCCESS;
3991 return owe_buf;
3992 }
3993
3994 if (sta->owe_pmk && sta->external_dh_updated) {
3995 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
3996 *status = WLAN_STATUS_SUCCESS;
3997 return owe_buf;
3998 }
3999
4000 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4001 if (*status != WLAN_STATUS_SUCCESS)
4002 return NULL;
4003
4004 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
4005 owe_buf_len, NULL, 0);
4006
4007 if (sta->owe_ecdh && owe_buf) {
4008 struct wpabuf *pub;
4009
4010 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4011 if (!pub) {
4012 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4013 return owe_buf;
4014 }
4015
4016 /* OWE Diffie-Hellman Parameter element */
4017 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4018 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4019 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4020 */
4021 WPA_PUT_LE16(owe_buf, sta->owe_group);
4022 owe_buf += 2;
4023 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4024 owe_buf += wpabuf_len(pub);
4025 wpabuf_free(pub);
4026 }
4027
4028 return owe_buf;
4029 }
4030 #endif /* CONFIG_OWE */
4031
4032
4033 #ifdef CONFIG_FILS
4034
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)4035 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
4036 {
4037 u16 reply_res;
4038
4039 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
4040 MAC2STR(sta->addr));
4041 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4042 if (!sta->fils_pending_assoc_req)
4043 return;
4044 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
4045 sta->fils_pending_assoc_is_reassoc,
4046 sta->fils_pending_assoc_req,
4047 sta->fils_pending_assoc_req_len, 0, 0);
4048 os_free(sta->fils_pending_assoc_req);
4049 sta->fils_pending_assoc_req = NULL;
4050 sta->fils_pending_assoc_req_len = 0;
4051 wpabuf_free(sta->fils_hlp_resp);
4052 sta->fils_hlp_resp = NULL;
4053 wpabuf_free(sta->hlp_dhcp_discover);
4054 sta->hlp_dhcp_discover = NULL;
4055
4056 /*
4057 * Remove the station in case transmission of a success response fails.
4058 * At this point the station was already added associated to the driver.
4059 */
4060 if (reply_res != WLAN_STATUS_SUCCESS)
4061 hostapd_drv_sta_remove(hapd, sta->addr);
4062 }
4063
4064
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)4065 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
4066 {
4067 struct hostapd_data *hapd = eloop_ctx;
4068 struct sta_info *sta = eloop_data;
4069
4070 wpa_printf(MSG_DEBUG,
4071 "FILS: HLP response timeout - continue with association response for "
4072 MACSTR, MAC2STR(sta->addr));
4073 if (sta->fils_drv_assoc_finish)
4074 hostapd_notify_assoc_fils_finish(hapd, sta);
4075 else
4076 fils_hlp_finish_assoc(hapd, sta);
4077 }
4078
4079 #endif /* CONFIG_FILS */
4080
4081
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)4082 static void handle_assoc(struct hostapd_data *hapd,
4083 const struct ieee80211_mgmt *mgmt, size_t len,
4084 int reassoc, int rssi)
4085 {
4086 u16 capab_info, listen_interval, seq_ctrl, fc;
4087 int resp = WLAN_STATUS_SUCCESS;
4088 u16 reply_res;
4089 const u8 *pos;
4090 int left, i;
4091 struct sta_info *sta;
4092 u8 *tmp = NULL;
4093 #ifdef CONFIG_FILS
4094 int delay_assoc = 0;
4095 #endif /* CONFIG_FILS */
4096 int omit_rsnxe = 0;
4097
4098 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
4099 sizeof(mgmt->u.assoc_req))) {
4100 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
4101 reassoc, (unsigned long) len);
4102 return;
4103 }
4104
4105 #ifdef CONFIG_TESTING_OPTIONS
4106 if (reassoc) {
4107 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
4108 drand48() < hapd->iconf->ignore_reassoc_probability) {
4109 wpa_printf(MSG_INFO,
4110 "TESTING: ignoring reassoc request from "
4111 MACSTR, MAC2STR(mgmt->sa));
4112 return;
4113 }
4114 } else {
4115 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
4116 drand48() < hapd->iconf->ignore_assoc_probability) {
4117 wpa_printf(MSG_INFO,
4118 "TESTING: ignoring assoc request from "
4119 MACSTR, MAC2STR(mgmt->sa));
4120 return;
4121 }
4122 }
4123 #endif /* CONFIG_TESTING_OPTIONS */
4124
4125 fc = le_to_host16(mgmt->frame_control);
4126 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4127
4128 if (reassoc) {
4129 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
4130 listen_interval = le_to_host16(
4131 mgmt->u.reassoc_req.listen_interval);
4132 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
4133 " capab_info=0x%02x listen_interval=%d current_ap="
4134 MACSTR " seq_ctrl=0x%x%s",
4135 MAC2STR(mgmt->sa), capab_info, listen_interval,
4136 MAC2STR(mgmt->u.reassoc_req.current_ap),
4137 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4138 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
4139 pos = mgmt->u.reassoc_req.variable;
4140 } else {
4141 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
4142 listen_interval = le_to_host16(
4143 mgmt->u.assoc_req.listen_interval);
4144 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
4145 " capab_info=0x%02x listen_interval=%d "
4146 "seq_ctrl=0x%x%s",
4147 MAC2STR(mgmt->sa), capab_info, listen_interval,
4148 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
4149 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
4150 pos = mgmt->u.assoc_req.variable;
4151 }
4152
4153 sta = ap_get_sta(hapd, mgmt->sa);
4154 #ifdef CONFIG_IEEE80211R_AP
4155 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
4156 (sta->flags & WLAN_STA_AUTH) == 0) {
4157 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
4158 "prior to authentication since it is using "
4159 "over-the-DS FT", MAC2STR(mgmt->sa));
4160
4161 /*
4162 * Mark station as authenticated, to avoid adding station
4163 * entry in the driver as associated and not authenticated
4164 */
4165 sta->flags |= WLAN_STA_AUTH;
4166 } else
4167 #endif /* CONFIG_IEEE80211R_AP */
4168 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
4169 if (hapd->iface->current_mode &&
4170 hapd->iface->current_mode->mode ==
4171 HOSTAPD_MODE_IEEE80211AD) {
4172 int acl_res;
4173 struct radius_sta info;
4174
4175 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
4176 (const u8 *) mgmt,
4177 len, &info);
4178 if (acl_res == HOSTAPD_ACL_REJECT) {
4179 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
4180 "Ignore Association Request frame from "
4181 MACSTR " due to ACL reject",
4182 MAC2STR(mgmt->sa));
4183 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4184 goto fail;
4185 }
4186 if (acl_res == HOSTAPD_ACL_PENDING)
4187 return;
4188
4189 /* DMG/IEEE 802.11ad does not use authentication.
4190 * Allocate sta entry upon association. */
4191 sta = ap_sta_add(hapd, mgmt->sa);
4192 if (!sta) {
4193 hostapd_logger(hapd, mgmt->sa,
4194 HOSTAPD_MODULE_IEEE80211,
4195 HOSTAPD_LEVEL_INFO,
4196 "Failed to add STA");
4197 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4198 goto fail;
4199 }
4200
4201 acl_res = ieee802_11_set_radius_info(
4202 hapd, sta, acl_res, &info);
4203 if (acl_res) {
4204 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4205 goto fail;
4206 }
4207
4208 hostapd_logger(hapd, sta->addr,
4209 HOSTAPD_MODULE_IEEE80211,
4210 HOSTAPD_LEVEL_DEBUG,
4211 "Skip authentication for DMG/IEEE 802.11ad");
4212 sta->flags |= WLAN_STA_AUTH;
4213 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
4214 sta->auth_alg = WLAN_AUTH_OPEN;
4215 } else {
4216 hostapd_logger(hapd, mgmt->sa,
4217 HOSTAPD_MODULE_IEEE80211,
4218 HOSTAPD_LEVEL_INFO,
4219 "Station tried to associate before authentication (aid=%d flags=0x%x)",
4220 sta ? sta->aid : -1,
4221 sta ? sta->flags : 0);
4222 send_deauth(hapd, mgmt->sa,
4223 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
4224 return;
4225 }
4226 }
4227
4228 if ((fc & WLAN_FC_RETRY) &&
4229 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4230 sta->last_seq_ctrl == seq_ctrl &&
4231 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4232 WLAN_FC_STYPE_ASSOC_REQ)) {
4233 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4234 HOSTAPD_LEVEL_DEBUG,
4235 "Drop repeated association frame seq_ctrl=0x%x",
4236 seq_ctrl);
4237 return;
4238 }
4239 sta->last_seq_ctrl = seq_ctrl;
4240 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
4241 WLAN_FC_STYPE_ASSOC_REQ;
4242
4243 if (hapd->tkip_countermeasures) {
4244 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4245 goto fail;
4246 }
4247
4248 if (listen_interval > hapd->conf->max_listen_interval) {
4249 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4250 HOSTAPD_LEVEL_DEBUG,
4251 "Too large Listen Interval (%d)",
4252 listen_interval);
4253 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
4254 goto fail;
4255 }
4256
4257 #ifdef CONFIG_MBO
4258 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
4259 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4260 goto fail;
4261 }
4262
4263 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
4264 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
4265 (sta->auth_rssi == 0 ||
4266 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
4267 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
4268 goto fail;
4269 }
4270 #endif /* CONFIG_MBO */
4271
4272 /*
4273 * sta->capability is used in check_assoc_ies() for RRM enabled
4274 * capability element.
4275 */
4276 sta->capability = capab_info;
4277
4278 #ifdef CONFIG_FILS
4279 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4280 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4281 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4282 int res;
4283
4284 /* The end of the payload is encrypted. Need to decrypt it
4285 * before parsing. */
4286
4287 tmp = os_memdup(pos, left);
4288 if (!tmp) {
4289 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4290 goto fail;
4291 }
4292
4293 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
4294 len, tmp, left);
4295 if (res < 0) {
4296 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
4297 goto fail;
4298 }
4299 pos = tmp;
4300 left = res;
4301 }
4302 #endif /* CONFIG_FILS */
4303
4304 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
4305 * is used */
4306 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
4307 if (resp != WLAN_STATUS_SUCCESS)
4308 goto fail;
4309 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
4310
4311 if (hostapd_get_aid(hapd, sta) < 0) {
4312 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4313 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
4314 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4315 goto fail;
4316 }
4317
4318 sta->listen_interval = listen_interval;
4319
4320 if (hapd->iface->current_mode &&
4321 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
4322 sta->flags |= WLAN_STA_NONERP;
4323 for (i = 0; i < sta->supported_rates_len; i++) {
4324 if ((sta->supported_rates[i] & 0x7f) > 22) {
4325 sta->flags &= ~WLAN_STA_NONERP;
4326 break;
4327 }
4328 }
4329 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
4330 sta->nonerp_set = 1;
4331 hapd->iface->num_sta_non_erp++;
4332 if (hapd->iface->num_sta_non_erp == 1)
4333 ieee802_11_set_beacons(hapd->iface);
4334 }
4335
4336 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
4337 !sta->no_short_slot_time_set) {
4338 sta->no_short_slot_time_set = 1;
4339 hapd->iface->num_sta_no_short_slot_time++;
4340 if (hapd->iface->current_mode &&
4341 hapd->iface->current_mode->mode ==
4342 HOSTAPD_MODE_IEEE80211G &&
4343 hapd->iface->num_sta_no_short_slot_time == 1)
4344 ieee802_11_set_beacons(hapd->iface);
4345 }
4346
4347 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
4348 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
4349 else
4350 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
4351
4352 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
4353 !sta->no_short_preamble_set) {
4354 sta->no_short_preamble_set = 1;
4355 hapd->iface->num_sta_no_short_preamble++;
4356 if (hapd->iface->current_mode &&
4357 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
4358 && hapd->iface->num_sta_no_short_preamble == 1)
4359 ieee802_11_set_beacons(hapd->iface);
4360 }
4361
4362 update_ht_state(hapd, sta);
4363
4364 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4365 HOSTAPD_LEVEL_DEBUG,
4366 "association OK (aid %d)", sta->aid);
4367 /* Station will be marked associated, after it acknowledges AssocResp
4368 */
4369 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
4370
4371 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
4372 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
4373 "SA Query procedure", reassoc ? "re" : "");
4374 /* TODO: Send a protected Disassociate frame to the STA using
4375 * the old key and Reason Code "Previous Authentication no
4376 * longer valid". Make sure this is only sent protected since
4377 * unprotected frame would be received by the STA that is now
4378 * trying to associate.
4379 */
4380 }
4381
4382 /* Make sure that the previously registered inactivity timer will not
4383 * remove the STA immediately. */
4384 sta->timeout_next = STA_NULLFUNC;
4385
4386 #ifdef CONFIG_TAXONOMY
4387 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4388 #endif /* CONFIG_TAXONOMY */
4389
4390 sta->pending_wds_enable = 0;
4391
4392 #ifdef CONFIG_FILS
4393 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4394 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4395 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4396 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4397 delay_assoc = 1;
4398 }
4399 #endif /* CONFIG_FILS */
4400
4401 fail:
4402
4403 /*
4404 * In case of a successful response, add the station to the driver.
4405 * Otherwise, the kernel may ignore Data frames before we process the
4406 * ACK frame (TX status). In case of a failure, this station will be
4407 * removed.
4408 *
4409 * Note that this is not compliant with the IEEE 802.11 standard that
4410 * states that a non-AP station should transition into the
4411 * authenticated/associated state only after the station acknowledges
4412 * the (Re)Association Response frame. However, still do this as:
4413 *
4414 * 1. In case the station does not acknowledge the (Re)Association
4415 * Response frame, it will be removed.
4416 * 2. Data frames will be dropped in the kernel until the station is
4417 * set into authorized state, and there are no significant known
4418 * issues with processing other non-Data Class 3 frames during this
4419 * window.
4420 */
4421 if (resp == WLAN_STATUS_SUCCESS && sta &&
4422 add_associated_sta(hapd, sta, reassoc))
4423 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4424
4425 #ifdef CONFIG_FILS
4426 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4427 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4428 sta->fils_pending_assoc_req) {
4429 /* Do not reschedule fils_hlp_timeout in case the station
4430 * retransmits (Re)Association Request frame while waiting for
4431 * the previously started FILS HLP wait, so that the timeout can
4432 * be determined from the first pending attempt. */
4433 wpa_printf(MSG_DEBUG,
4434 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4435 MACSTR, MAC2STR(sta->addr));
4436 os_free(tmp);
4437 return;
4438 }
4439 if (sta) {
4440 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4441 os_free(sta->fils_pending_assoc_req);
4442 sta->fils_pending_assoc_req = NULL;
4443 sta->fils_pending_assoc_req_len = 0;
4444 wpabuf_free(sta->fils_hlp_resp);
4445 sta->fils_hlp_resp = NULL;
4446 }
4447 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4448 sta->fils_pending_assoc_req = tmp;
4449 sta->fils_pending_assoc_req_len = left;
4450 sta->fils_pending_assoc_is_reassoc = reassoc;
4451 sta->fils_drv_assoc_finish = 0;
4452 wpa_printf(MSG_DEBUG,
4453 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4454 MACSTR, MAC2STR(sta->addr));
4455 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4456 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4457 fils_hlp_timeout, hapd, sta);
4458 return;
4459 }
4460 #endif /* CONFIG_FILS */
4461
4462 if (resp >= 0)
4463 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
4464 pos, left, rssi, omit_rsnxe);
4465 os_free(tmp);
4466
4467 /*
4468 * Remove the station in case tranmission of a success response fails
4469 * (the STA was added associated to the driver) or if the station was
4470 * previously added unassociated.
4471 */
4472 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4473 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4474 hostapd_drv_sta_remove(hapd, sta->addr);
4475 sta->added_unassoc = 0;
4476 }
4477 }
4478
4479
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4480 static void handle_disassoc(struct hostapd_data *hapd,
4481 const struct ieee80211_mgmt *mgmt, size_t len)
4482 {
4483 struct sta_info *sta;
4484
4485 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4486 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4487 (unsigned long) len);
4488 return;
4489 }
4490
4491 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4492 MAC2STR(mgmt->sa),
4493 le_to_host16(mgmt->u.disassoc.reason_code));
4494
4495 sta = ap_get_sta(hapd, mgmt->sa);
4496 if (sta == NULL) {
4497 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4498 MAC2STR(mgmt->sa));
4499 return;
4500 }
4501
4502 ap_sta_set_authorized(hapd, sta, 0);
4503 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4504 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4505 hostapd_set_sta_flags(hapd, sta);
4506 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4507 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4508 HOSTAPD_LEVEL_INFO, "disassociated");
4509 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4510 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4511 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4512 * authenticated. */
4513 accounting_sta_stop(hapd, sta);
4514 ieee802_1x_free_station(hapd, sta);
4515 if (sta->ipaddr)
4516 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4517 ap_sta_ip6addr_del(hapd, sta);
4518 hostapd_drv_sta_remove(hapd, sta->addr);
4519 sta->added_unassoc = 0;
4520
4521 if (sta->timeout_next == STA_NULLFUNC ||
4522 sta->timeout_next == STA_DISASSOC) {
4523 sta->timeout_next = STA_DEAUTH;
4524 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4525 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4526 hapd, sta);
4527 }
4528
4529 mlme_disassociate_indication(
4530 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4531
4532 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4533 * disassociation. */
4534 if (hapd->iface->current_mode &&
4535 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4536 sta->flags &= ~WLAN_STA_AUTH;
4537 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4538 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4539 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4540 ap_free_sta(hapd, sta);
4541 }
4542 }
4543
4544
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)4545 static void handle_deauth(struct hostapd_data *hapd,
4546 const struct ieee80211_mgmt *mgmt, size_t len)
4547 {
4548 struct sta_info *sta;
4549
4550 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4551 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4552 "payload (len=%lu)", (unsigned long) len);
4553 return;
4554 }
4555
4556 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4557 " reason_code=%d",
4558 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4559
4560 sta = ap_get_sta(hapd, mgmt->sa);
4561 if (sta == NULL) {
4562 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4563 "to deauthenticate, but it is not authenticated",
4564 MAC2STR(mgmt->sa));
4565 return;
4566 }
4567
4568 ap_sta_set_authorized(hapd, sta, 0);
4569 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4570 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4571 WLAN_STA_ASSOC_REQ_OK);
4572 hostapd_set_sta_flags(hapd, sta);
4573 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4574 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4575 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4576 mlme_deauthenticate_indication(
4577 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4578 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4579 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4580 ap_free_sta(hapd, sta);
4581 }
4582
4583
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)4584 static void handle_beacon(struct hostapd_data *hapd,
4585 const struct ieee80211_mgmt *mgmt, size_t len,
4586 struct hostapd_frame_info *fi)
4587 {
4588 struct ieee802_11_elems elems;
4589
4590 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4591 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4592 (unsigned long) len);
4593 return;
4594 }
4595
4596 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4597 len - (IEEE80211_HDRLEN +
4598 sizeof(mgmt->u.beacon)), &elems,
4599 0);
4600
4601 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4602 }
4603
4604
robust_action_frame(u8 category)4605 static int robust_action_frame(u8 category)
4606 {
4607 return category != WLAN_ACTION_PUBLIC &&
4608 category != WLAN_ACTION_HT;
4609 }
4610
4611
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)4612 static int handle_action(struct hostapd_data *hapd,
4613 const struct ieee80211_mgmt *mgmt, size_t len,
4614 unsigned int freq)
4615 {
4616 struct sta_info *sta;
4617 u8 *action __maybe_unused;
4618
4619 if (len < IEEE80211_HDRLEN + 2 + 1) {
4620 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4621 HOSTAPD_LEVEL_DEBUG,
4622 "handle_action - too short payload (len=%lu)",
4623 (unsigned long) len);
4624 return 0;
4625 }
4626
4627 action = (u8 *) &mgmt->u.action.u;
4628 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4629 " da " MACSTR " len %d freq %u",
4630 mgmt->u.action.category, *action,
4631 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4632
4633 sta = ap_get_sta(hapd, mgmt->sa);
4634
4635 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4636 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4637 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4638 "frame (category=%u) from unassociated STA " MACSTR,
4639 mgmt->u.action.category, MAC2STR(mgmt->sa));
4640 return 0;
4641 }
4642
4643 if (sta && (sta->flags & WLAN_STA_MFP) &&
4644 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4645 robust_action_frame(mgmt->u.action.category)) {
4646 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4647 HOSTAPD_LEVEL_DEBUG,
4648 "Dropped unprotected Robust Action frame from "
4649 "an MFP STA");
4650 return 0;
4651 }
4652
4653 if (sta) {
4654 u16 fc = le_to_host16(mgmt->frame_control);
4655 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4656
4657 if ((fc & WLAN_FC_RETRY) &&
4658 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4659 sta->last_seq_ctrl == seq_ctrl &&
4660 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4661 hostapd_logger(hapd, sta->addr,
4662 HOSTAPD_MODULE_IEEE80211,
4663 HOSTAPD_LEVEL_DEBUG,
4664 "Drop repeated action frame seq_ctrl=0x%x",
4665 seq_ctrl);
4666 return 1;
4667 }
4668
4669 sta->last_seq_ctrl = seq_ctrl;
4670 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4671 }
4672
4673 switch (mgmt->u.action.category) {
4674 #ifdef CONFIG_IEEE80211R_AP
4675 case WLAN_ACTION_FT:
4676 if (!sta ||
4677 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4678 len - IEEE80211_HDRLEN))
4679 break;
4680 return 1;
4681 #endif /* CONFIG_IEEE80211R_AP */
4682 case WLAN_ACTION_WMM:
4683 hostapd_wmm_action(hapd, mgmt, len);
4684 return 1;
4685 case WLAN_ACTION_SA_QUERY:
4686 ieee802_11_sa_query_action(hapd, mgmt, len);
4687 return 1;
4688 #ifdef CONFIG_WNM_AP
4689 case WLAN_ACTION_WNM:
4690 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4691 return 1;
4692 #endif /* CONFIG_WNM_AP */
4693 #ifdef CONFIG_FST
4694 case WLAN_ACTION_FST:
4695 if (hapd->iface->fst)
4696 fst_rx_action(hapd->iface->fst, mgmt, len);
4697 else
4698 wpa_printf(MSG_DEBUG,
4699 "FST: Ignore FST Action frame - no FST attached");
4700 return 1;
4701 #endif /* CONFIG_FST */
4702 case WLAN_ACTION_PUBLIC:
4703 case WLAN_ACTION_PROTECTED_DUAL:
4704 if (len >= IEEE80211_HDRLEN + 2 &&
4705 mgmt->u.action.u.public_action.action ==
4706 WLAN_PA_20_40_BSS_COEX) {
4707 hostapd_2040_coex_action(hapd, mgmt, len);
4708 return 1;
4709 }
4710 #ifdef CONFIG_DPP
4711 if (len >= IEEE80211_HDRLEN + 6 &&
4712 mgmt->u.action.u.vs_public_action.action ==
4713 WLAN_PA_VENDOR_SPECIFIC &&
4714 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4715 OUI_WFA &&
4716 mgmt->u.action.u.vs_public_action.variable[0] ==
4717 DPP_OUI_TYPE) {
4718 const u8 *pos, *end;
4719
4720 pos = mgmt->u.action.u.vs_public_action.oui;
4721 end = ((const u8 *) mgmt) + len;
4722 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4723 freq);
4724 return 1;
4725 }
4726 if (len >= IEEE80211_HDRLEN + 2 &&
4727 (mgmt->u.action.u.public_action.action ==
4728 WLAN_PA_GAS_INITIAL_RESP ||
4729 mgmt->u.action.u.public_action.action ==
4730 WLAN_PA_GAS_COMEBACK_RESP)) {
4731 const u8 *pos, *end;
4732
4733 pos = &mgmt->u.action.u.public_action.action;
4734 end = ((const u8 *) mgmt) + len;
4735 gas_query_ap_rx(hapd->gas, mgmt->sa,
4736 mgmt->u.action.category,
4737 pos, end - pos, hapd->iface->freq);
4738 return 1;
4739 }
4740 #endif /* CONFIG_DPP */
4741 if (hapd->public_action_cb) {
4742 hapd->public_action_cb(hapd->public_action_cb_ctx,
4743 (u8 *) mgmt, len,
4744 hapd->iface->freq);
4745 }
4746 if (hapd->public_action_cb2) {
4747 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4748 (u8 *) mgmt, len,
4749 hapd->iface->freq);
4750 }
4751 if (hapd->public_action_cb || hapd->public_action_cb2)
4752 return 1;
4753 break;
4754 case WLAN_ACTION_VENDOR_SPECIFIC:
4755 if (hapd->vendor_action_cb) {
4756 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4757 (u8 *) mgmt, len,
4758 hapd->iface->freq) == 0)
4759 return 1;
4760 }
4761 break;
4762 case WLAN_ACTION_RADIO_MEASUREMENT:
4763 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4764 return 1;
4765 }
4766
4767 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4768 HOSTAPD_LEVEL_DEBUG,
4769 "handle_action - unknown action category %d or invalid "
4770 "frame",
4771 mgmt->u.action.category);
4772 if (!is_multicast_ether_addr(mgmt->da) &&
4773 !(mgmt->u.action.category & 0x80) &&
4774 !is_multicast_ether_addr(mgmt->sa)) {
4775 struct ieee80211_mgmt *resp;
4776
4777 /*
4778 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4779 * Return the Action frame to the source without change
4780 * except that MSB of the Category set to 1.
4781 */
4782 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4783 "frame back to sender");
4784 resp = os_memdup(mgmt, len);
4785 if (resp == NULL)
4786 return 0;
4787 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4788 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4789 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4790 resp->u.action.category |= 0x80;
4791
4792 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
4793 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4794 "Action frame");
4795 }
4796 os_free(resp);
4797 }
4798
4799 return 1;
4800 }
4801
4802
4803 /**
4804 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4805 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4806 * sent to)
4807 * @buf: management frame data (starting from IEEE 802.11 header)
4808 * @len: length of frame data in octets
4809 * @fi: meta data about received frame (signal level, etc.)
4810 *
4811 * Process all incoming IEEE 802.11 management frames. This will be called for
4812 * each frame received from the kernel driver through wlan#ap interface. In
4813 * addition, it can be called to re-inserted pending frames (e.g., when using
4814 * external RADIUS server as an MAC ACL).
4815 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)4816 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4817 struct hostapd_frame_info *fi)
4818 {
4819 struct ieee80211_mgmt *mgmt;
4820 u16 fc, stype;
4821 int ret = 0;
4822 unsigned int freq;
4823 int ssi_signal = fi ? fi->ssi_signal : 0;
4824
4825 if (len < 24)
4826 return 0;
4827
4828 if (fi && fi->freq)
4829 freq = fi->freq;
4830 else
4831 freq = hapd->iface->freq;
4832
4833 mgmt = (struct ieee80211_mgmt *) buf;
4834 fc = le_to_host16(mgmt->frame_control);
4835 stype = WLAN_FC_GET_STYPE(fc);
4836
4837 if (is_multicast_ether_addr(mgmt->sa) ||
4838 is_zero_ether_addr(mgmt->sa) ||
4839 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
4840 /* Do not process any frames with unexpected/invalid SA so that
4841 * we do not add any state for unexpected STA addresses or end
4842 * up sending out frames to unexpected destination. */
4843 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
4844 " in received frame - ignore this frame silently",
4845 MAC2STR(mgmt->sa));
4846 return 0;
4847 }
4848
4849 if (stype == WLAN_FC_STYPE_BEACON) {
4850 handle_beacon(hapd, mgmt, len, fi);
4851 return 1;
4852 }
4853
4854 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4855 #ifdef CONFIG_P2P
4856 /* Invitation responses can be sent with the peer MAC as BSSID */
4857 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4858 stype == WLAN_FC_STYPE_ACTION) &&
4859 #endif /* CONFIG_P2P */
4860 #ifdef CONFIG_MESH
4861 !(hapd->conf->mesh & MESH_ENABLED) &&
4862 #endif /* CONFIG_MESH */
4863 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4864 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4865 MAC2STR(mgmt->bssid));
4866 return 0;
4867 }
4868
4869 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
4870 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
4871 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
4872 return 1;
4873 }
4874
4875 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4876 handle_probe_req(hapd, mgmt, len, ssi_signal);
4877 return 1;
4878 }
4879
4880 if ((!is_broadcast_ether_addr(mgmt->da) ||
4881 stype != WLAN_FC_STYPE_ACTION) &&
4882 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4883 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4884 HOSTAPD_LEVEL_DEBUG,
4885 "MGMT: DA=" MACSTR " not our address",
4886 MAC2STR(mgmt->da));
4887 return 0;
4888 }
4889
4890 if (hapd->iconf->track_sta_max_num)
4891 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4892
4893 switch (stype) {
4894 case WLAN_FC_STYPE_AUTH:
4895 wpa_printf(MSG_DEBUG, "mgmt::auth");
4896 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4897 ret = 1;
4898 break;
4899 case WLAN_FC_STYPE_ASSOC_REQ:
4900 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4901 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4902 ret = 1;
4903 break;
4904 case WLAN_FC_STYPE_REASSOC_REQ:
4905 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4906 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4907 ret = 1;
4908 break;
4909 case WLAN_FC_STYPE_DISASSOC:
4910 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4911 handle_disassoc(hapd, mgmt, len);
4912 ret = 1;
4913 break;
4914 case WLAN_FC_STYPE_DEAUTH:
4915 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4916 handle_deauth(hapd, mgmt, len);
4917 ret = 1;
4918 break;
4919 case WLAN_FC_STYPE_ACTION:
4920 wpa_printf(MSG_DEBUG, "mgmt::action");
4921 ret = handle_action(hapd, mgmt, len, freq);
4922 break;
4923 default:
4924 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4925 HOSTAPD_LEVEL_DEBUG,
4926 "unknown mgmt frame subtype %d", stype);
4927 break;
4928 }
4929
4930 return ret;
4931 }
4932
4933
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4934 static void handle_auth_cb(struct hostapd_data *hapd,
4935 const struct ieee80211_mgmt *mgmt,
4936 size_t len, int ok)
4937 {
4938 u16 auth_alg, auth_transaction, status_code;
4939 struct sta_info *sta;
4940
4941 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4942 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4943 (unsigned long) len);
4944
4945 /*
4946 * Initialize status_code here because we are not able to read
4947 * it from the short payload.
4948 */
4949 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
4950 goto fail;
4951 }
4952
4953 sta = ap_get_sta(hapd, mgmt->da);
4954 if (!sta) {
4955 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4956 " not found",
4957 MAC2STR(mgmt->da));
4958 return;
4959 }
4960
4961 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4962 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4963 status_code = le_to_host16(mgmt->u.auth.status_code);
4964
4965 if (!ok) {
4966 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4967 HOSTAPD_LEVEL_NOTICE,
4968 "did not acknowledge authentication response");
4969 goto fail;
4970 }
4971
4972 if (status_code == WLAN_STATUS_SUCCESS &&
4973 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4974 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4975 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4976 HOSTAPD_LEVEL_INFO, "authenticated");
4977 sta->flags |= WLAN_STA_AUTH;
4978 if (sta->added_unassoc)
4979 hostapd_set_sta_flags(hapd, sta);
4980 return;
4981 }
4982
4983 fail:
4984 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4985 hostapd_drv_sta_remove(hapd, sta->addr);
4986 sta->added_unassoc = 0;
4987 }
4988 }
4989
4990
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)4991 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4992 struct sta_info *sta,
4993 char *ifname_wds)
4994 {
4995 #ifdef CONFIG_WEP
4996 int i;
4997 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4998
4999 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
5000 return;
5001
5002 for (i = 0; i < 4; i++) {
5003 if (ssid->wep.key[i] &&
5004 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
5005 0, i == ssid->wep.idx, NULL, 0,
5006 ssid->wep.key[i], ssid->wep.len[i],
5007 i == ssid->wep.idx ?
5008 KEY_FLAG_GROUP_RX_TX_DEFAULT :
5009 KEY_FLAG_GROUP_RX_TX)) {
5010 wpa_printf(MSG_WARNING,
5011 "Could not set WEP keys for WDS interface; %s",
5012 ifname_wds);
5013 break;
5014 }
5015 }
5016 #endif /* CONFIG_WEP */
5017 }
5018
5019
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)5020 static void handle_assoc_cb(struct hostapd_data *hapd,
5021 const struct ieee80211_mgmt *mgmt,
5022 size_t len, int reassoc, int ok)
5023 {
5024 u16 status;
5025 struct sta_info *sta;
5026 int new_assoc = 1;
5027
5028 sta = ap_get_sta(hapd, mgmt->da);
5029 if (!sta) {
5030 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
5031 MAC2STR(mgmt->da));
5032 return;
5033 }
5034
5035 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
5036 sizeof(mgmt->u.assoc_resp))) {
5037 wpa_printf(MSG_INFO,
5038 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
5039 reassoc, (unsigned long) len);
5040 hostapd_drv_sta_remove(hapd, sta->addr);
5041 return;
5042 }
5043
5044 if (reassoc)
5045 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
5046 else
5047 status = le_to_host16(mgmt->u.assoc_resp.status_code);
5048
5049 if (!ok) {
5050 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
5051 HOSTAPD_LEVEL_DEBUG,
5052 "did not acknowledge association response");
5053 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
5054 /* The STA is added only in case of SUCCESS */
5055 if (status == WLAN_STATUS_SUCCESS)
5056 hostapd_drv_sta_remove(hapd, sta->addr);
5057
5058 return;
5059 }
5060
5061 if (status != WLAN_STATUS_SUCCESS)
5062 return;
5063
5064 /* Stop previous accounting session, if one is started, and allocate
5065 * new session id for the new session. */
5066 accounting_sta_stop(hapd, sta);
5067
5068 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5069 HOSTAPD_LEVEL_INFO,
5070 "associated (aid %d)",
5071 sta->aid);
5072
5073 if (sta->flags & WLAN_STA_ASSOC)
5074 new_assoc = 0;
5075 sta->flags |= WLAN_STA_ASSOC;
5076 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
5077 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
5078 !hapd->conf->osen) ||
5079 sta->auth_alg == WLAN_AUTH_FILS_SK ||
5080 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5081 sta->auth_alg == WLAN_AUTH_FILS_PK ||
5082 sta->auth_alg == WLAN_AUTH_FT) {
5083 /*
5084 * Open, static WEP, FT protocol, or FILS; no separate
5085 * authorization step.
5086 */
5087 ap_sta_set_authorized(hapd, sta, 1);
5088 }
5089
5090 if (reassoc)
5091 mlme_reassociate_indication(hapd, sta);
5092 else
5093 mlme_associate_indication(hapd, sta);
5094
5095 sta->sa_query_timed_out = 0;
5096
5097 if (sta->eapol_sm == NULL) {
5098 /*
5099 * This STA does not use RADIUS server for EAP authentication,
5100 * so bind it to the selected VLAN interface now, since the
5101 * interface selection is not going to change anymore.
5102 */
5103 if (ap_sta_bind_vlan(hapd, sta) < 0)
5104 return;
5105 } else if (sta->vlan_id) {
5106 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
5107 if (ap_sta_bind_vlan(hapd, sta) < 0)
5108 return;
5109 }
5110
5111 hostapd_set_sta_flags(hapd, sta);
5112
5113 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
5114 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
5115 MACSTR " based on pending request",
5116 MAC2STR(sta->addr));
5117 sta->pending_wds_enable = 0;
5118 sta->flags |= WLAN_STA_WDS;
5119 }
5120
5121 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
5122 int ret;
5123 char ifname_wds[IFNAMSIZ + 1];
5124
5125 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
5126 MACSTR " (aid %u)",
5127 MAC2STR(sta->addr), sta->aid);
5128 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
5129 sta->aid, 1);
5130 if (!ret)
5131 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
5132 }
5133
5134 if (sta->auth_alg == WLAN_AUTH_FT)
5135 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
5136 else
5137 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
5138 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
5139 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
5140
5141 #ifdef CONFIG_FILS
5142 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
5143 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5144 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5145 fils_set_tk(sta->wpa_sm) < 0) {
5146 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
5147 ap_sta_disconnect(hapd, sta, sta->addr,
5148 WLAN_REASON_UNSPECIFIED);
5149 return;
5150 }
5151 #endif /* CONFIG_FILS */
5152
5153 if (sta->pending_eapol_rx) {
5154 struct os_reltime now, age;
5155
5156 os_get_reltime(&now);
5157 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
5158 if (age.sec == 0 && age.usec < 200000) {
5159 wpa_printf(MSG_DEBUG,
5160 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
5161 MAC2STR(sta->addr));
5162 ieee802_1x_receive(
5163 hapd, mgmt->da,
5164 wpabuf_head(sta->pending_eapol_rx->buf),
5165 wpabuf_len(sta->pending_eapol_rx->buf));
5166 }
5167 wpabuf_free(sta->pending_eapol_rx->buf);
5168 os_free(sta->pending_eapol_rx);
5169 sta->pending_eapol_rx = NULL;
5170 }
5171 }
5172
5173
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)5174 static void handle_deauth_cb(struct hostapd_data *hapd,
5175 const struct ieee80211_mgmt *mgmt,
5176 size_t len, int ok)
5177 {
5178 struct sta_info *sta;
5179 if (is_multicast_ether_addr(mgmt->da))
5180 return;
5181 sta = ap_get_sta(hapd, mgmt->da);
5182 if (!sta) {
5183 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
5184 " not found", MAC2STR(mgmt->da));
5185 return;
5186 }
5187 if (ok)
5188 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
5189 MAC2STR(sta->addr));
5190 else
5191 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5192 "deauth", MAC2STR(sta->addr));
5193
5194 ap_sta_deauth_cb(hapd, sta);
5195 }
5196
5197
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)5198 static void handle_disassoc_cb(struct hostapd_data *hapd,
5199 const struct ieee80211_mgmt *mgmt,
5200 size_t len, int ok)
5201 {
5202 struct sta_info *sta;
5203 if (is_multicast_ether_addr(mgmt->da))
5204 return;
5205 sta = ap_get_sta(hapd, mgmt->da);
5206 if (!sta) {
5207 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
5208 " not found", MAC2STR(mgmt->da));
5209 return;
5210 }
5211 if (ok)
5212 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
5213 MAC2STR(sta->addr));
5214 else
5215 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
5216 "disassoc", MAC2STR(sta->addr));
5217
5218 ap_sta_disassoc_cb(hapd, sta);
5219 }
5220
5221
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)5222 static void handle_action_cb(struct hostapd_data *hapd,
5223 const struct ieee80211_mgmt *mgmt,
5224 size_t len, int ok)
5225 {
5226 struct sta_info *sta;
5227 const struct rrm_measurement_report_element *report;
5228
5229 if (is_multicast_ether_addr(mgmt->da))
5230 return;
5231 #ifdef CONFIG_DPP
5232 if (len >= IEEE80211_HDRLEN + 6 &&
5233 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5234 mgmt->u.action.u.vs_public_action.action ==
5235 WLAN_PA_VENDOR_SPECIFIC &&
5236 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5237 OUI_WFA &&
5238 mgmt->u.action.u.vs_public_action.variable[0] ==
5239 DPP_OUI_TYPE) {
5240 const u8 *pos, *end;
5241
5242 pos = &mgmt->u.action.u.vs_public_action.variable[1];
5243 end = ((const u8 *) mgmt) + len;
5244 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
5245 return;
5246 }
5247 if (len >= IEEE80211_HDRLEN + 2 &&
5248 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
5249 (mgmt->u.action.u.public_action.action ==
5250 WLAN_PA_GAS_INITIAL_REQ ||
5251 mgmt->u.action.u.public_action.action ==
5252 WLAN_PA_GAS_COMEBACK_REQ)) {
5253 const u8 *pos, *end;
5254
5255 pos = mgmt->u.action.u.public_action.variable;
5256 end = ((const u8 *) mgmt) + len;
5257 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
5258 return;
5259 }
5260 #endif /* CONFIG_DPP */
5261 sta = ap_get_sta(hapd, mgmt->da);
5262 if (!sta) {
5263 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
5264 " not found", MAC2STR(mgmt->da));
5265 return;
5266 }
5267
5268 if (len < 24 + 5 + sizeof(*report))
5269 return;
5270 report = (const struct rrm_measurement_report_element *)
5271 &mgmt->u.action.u.rrm.variable[2];
5272 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
5273 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
5274 report->eid == WLAN_EID_MEASURE_REQUEST &&
5275 report->len >= 3 &&
5276 report->type == MEASURE_TYPE_BEACON)
5277 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
5278 }
5279
5280
5281 /**
5282 * ieee802_11_mgmt_cb - Process management frame TX status callback
5283 * @hapd: hostapd BSS data structure (the BSS from which the management frame
5284 * was sent from)
5285 * @buf: management frame data (starting from IEEE 802.11 header)
5286 * @len: length of frame data in octets
5287 * @stype: management frame subtype from frame control field
5288 * @ok: Whether the frame was ACK'ed
5289 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)5290 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
5291 u16 stype, int ok)
5292 {
5293 const struct ieee80211_mgmt *mgmt;
5294 mgmt = (const struct ieee80211_mgmt *) buf;
5295
5296 #ifdef CONFIG_TESTING_OPTIONS
5297 if (hapd->ext_mgmt_frame_handling) {
5298 size_t hex_len = 2 * len + 1;
5299 char *hex = os_malloc(hex_len);
5300
5301 if (hex) {
5302 wpa_snprintf_hex(hex, hex_len, buf, len);
5303 wpa_msg(hapd->msg_ctx, MSG_INFO,
5304 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
5305 stype, ok, hex);
5306 os_free(hex);
5307 }
5308 return;
5309 }
5310 #endif /* CONFIG_TESTING_OPTIONS */
5311
5312 switch (stype) {
5313 case WLAN_FC_STYPE_AUTH:
5314 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
5315 handle_auth_cb(hapd, mgmt, len, ok);
5316 break;
5317 case WLAN_FC_STYPE_ASSOC_RESP:
5318 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
5319 handle_assoc_cb(hapd, mgmt, len, 0, ok);
5320 break;
5321 case WLAN_FC_STYPE_REASSOC_RESP:
5322 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
5323 handle_assoc_cb(hapd, mgmt, len, 1, ok);
5324 break;
5325 case WLAN_FC_STYPE_PROBE_RESP:
5326 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
5327 break;
5328 case WLAN_FC_STYPE_DEAUTH:
5329 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
5330 handle_deauth_cb(hapd, mgmt, len, ok);
5331 break;
5332 case WLAN_FC_STYPE_DISASSOC:
5333 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
5334 handle_disassoc_cb(hapd, mgmt, len, ok);
5335 break;
5336 case WLAN_FC_STYPE_ACTION:
5337 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
5338 handle_action_cb(hapd, mgmt, len, ok);
5339 break;
5340 default:
5341 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
5342 break;
5343 }
5344 }
5345
5346
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)5347 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
5348 {
5349 /* TODO */
5350 return 0;
5351 }
5352
5353
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)5354 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
5355 char *buf, size_t buflen)
5356 {
5357 /* TODO */
5358 return 0;
5359 }
5360
5361
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)5362 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
5363 const u8 *buf, size_t len, int ack)
5364 {
5365 struct sta_info *sta;
5366 struct hostapd_iface *iface = hapd->iface;
5367
5368 sta = ap_get_sta(hapd, addr);
5369 if (sta == NULL && iface->num_bss > 1) {
5370 size_t j;
5371 for (j = 0; j < iface->num_bss; j++) {
5372 hapd = iface->bss[j];
5373 sta = ap_get_sta(hapd, addr);
5374 if (sta)
5375 break;
5376 }
5377 }
5378 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
5379 return;
5380 if (sta->flags & WLAN_STA_PENDING_POLL) {
5381 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
5382 "activity poll", MAC2STR(sta->addr),
5383 ack ? "ACKed" : "did not ACK");
5384 if (ack)
5385 sta->flags &= ~WLAN_STA_PENDING_POLL;
5386 }
5387
5388 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
5389 }
5390
5391
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)5392 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
5393 const u8 *data, size_t len, int ack)
5394 {
5395 struct sta_info *sta;
5396 struct hostapd_iface *iface = hapd->iface;
5397
5398 sta = ap_get_sta(hapd, dst);
5399 if (sta == NULL && iface->num_bss > 1) {
5400 size_t j;
5401 for (j = 0; j < iface->num_bss; j++) {
5402 hapd = iface->bss[j];
5403 sta = ap_get_sta(hapd, dst);
5404 if (sta)
5405 break;
5406 }
5407 }
5408 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5409 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5410 MACSTR " that is not currently associated",
5411 MAC2STR(dst));
5412 return;
5413 }
5414
5415 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5416 }
5417
5418
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)5419 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5420 {
5421 struct sta_info *sta;
5422 struct hostapd_iface *iface = hapd->iface;
5423
5424 sta = ap_get_sta(hapd, addr);
5425 if (sta == NULL && iface->num_bss > 1) {
5426 size_t j;
5427 for (j = 0; j < iface->num_bss; j++) {
5428 hapd = iface->bss[j];
5429 sta = ap_get_sta(hapd, addr);
5430 if (sta)
5431 break;
5432 }
5433 }
5434 if (sta == NULL)
5435 return;
5436 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5437 MAC2STR(sta->addr));
5438 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5439 return;
5440
5441 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5442 "activity poll", MAC2STR(sta->addr));
5443 sta->flags &= ~WLAN_STA_PENDING_POLL;
5444 }
5445
5446
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)5447 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5448 int wds)
5449 {
5450 struct sta_info *sta;
5451
5452 sta = ap_get_sta(hapd, src);
5453 if (sta &&
5454 ((sta->flags & WLAN_STA_ASSOC) ||
5455 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5456 if (!hapd->conf->wds_sta)
5457 return;
5458
5459 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5460 WLAN_STA_ASSOC_REQ_OK) {
5461 wpa_printf(MSG_DEBUG,
5462 "Postpone 4-address WDS mode enabling for STA "
5463 MACSTR " since TX status for AssocResp is not yet known",
5464 MAC2STR(sta->addr));
5465 sta->pending_wds_enable = 1;
5466 return;
5467 }
5468
5469 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5470 int ret;
5471 char ifname_wds[IFNAMSIZ + 1];
5472
5473 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5474 "STA " MACSTR " (aid %u)",
5475 MAC2STR(sta->addr), sta->aid);
5476 sta->flags |= WLAN_STA_WDS;
5477 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5478 sta->addr, sta->aid, 1);
5479 if (!ret)
5480 hostapd_set_wds_encryption(hapd, sta,
5481 ifname_wds);
5482 }
5483 return;
5484 }
5485
5486 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5487 MACSTR, MAC2STR(src));
5488 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
5489 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
5490 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
5491 * silently. */
5492 return;
5493 }
5494
5495 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5496 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5497 "already been sent, but no TX status yet known - "
5498 "ignore Class 3 frame issue with " MACSTR,
5499 MAC2STR(src));
5500 return;
5501 }
5502
5503 if (sta && (sta->flags & WLAN_STA_AUTH))
5504 hostapd_drv_sta_disassoc(
5505 hapd, src,
5506 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5507 else
5508 hostapd_drv_sta_deauth(
5509 hapd, src,
5510 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5511 }
5512
5513
5514 #endif /* CONFIG_NATIVE_WINDOWS */
5515