1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58
59
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 struct sta_info *sta, u16 *resp,
64 struct rsn_pmksa_cache_entry *pmksa,
65 struct wpabuf *erp_resp,
66 const u8 *msk, size_t msk_len,
67 int *is_pub);
68 #endif /* CONFIG_FILS */
69
70 #ifdef CONFIG_PASN
71
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 struct sta_info *sta,
74 struct rsn_pmksa_cache_entry *pmksa,
75 u16 status);
76 #ifdef CONFIG_FILS
77
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 struct sta_info *sta, u16 status,
80 struct wpabuf *erp_resp,
81 const u8 *msk, size_t msk_len);
82
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85
86 static void handle_auth(struct hostapd_data *hapd,
87 const struct ieee80211_mgmt *mgmt, size_t len,
88 int rssi, int from_queue);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 u8 multi_ap_val = 0;
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97 if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101
102 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104
105
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 u8 *pos = eid;
109 int i, num, count;
110 int h2e_required;
111
112 if (hapd->iface->current_rates == NULL)
113 return eid;
114
115 *pos++ = WLAN_EID_SUPP_RATES;
116 num = hapd->iface->num_rates;
117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 num++;
119 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 num++;
121 h2e_required = (hapd->conf->sae_pwe == 1 ||
122 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 hapd->conf->sae_pwe != 3 &&
124 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 if (h2e_required)
126 num++;
127 if (num > 8) {
128 /* rest of the rates are encoded in Extended supported
129 * rates element */
130 num = 8;
131 }
132
133 *pos++ = num;
134 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 i++) {
136 count++;
137 *pos = hapd->iface->current_rates[i].rate / 5;
138 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 *pos |= 0x80;
140 pos++;
141 }
142
143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 count++;
145 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 }
147
148 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 count++;
150 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 }
152
153 if (h2e_required && count < 8) {
154 count++;
155 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 }
157
158 return pos;
159 }
160
161
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 u8 *pos = eid;
165 int i, num, count;
166 int h2e_required;
167
168 if (hapd->iface->current_rates == NULL)
169 return eid;
170
171 num = hapd->iface->num_rates;
172 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 num++;
174 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 num++;
176 h2e_required = (hapd->conf->sae_pwe == 1 ||
177 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 hapd->conf->sae_pwe != 3 &&
179 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 if (h2e_required)
181 num++;
182 if (num <= 8)
183 return eid;
184 num -= 8;
185
186 *pos++ = WLAN_EID_EXT_SUPP_RATES;
187 *pos++ = num;
188 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 i++) {
190 count++;
191 if (count <= 8)
192 continue; /* already in SuppRates IE */
193 *pos = hapd->iface->current_rates[i].rate / 5;
194 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 *pos |= 0x80;
196 pos++;
197 }
198
199 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 count++;
201 if (count > 8)
202 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 }
204
205 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 count++;
207 if (count > 8)
208 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 }
210
211 if (h2e_required) {
212 count++;
213 if (count > 8)
214 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 }
216
217 return pos;
218 }
219
220
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 size_t len)
223 {
224 size_t i;
225
226 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 if (hapd->conf->radio_measurements[i])
228 break;
229 }
230
231 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 return eid;
233
234 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 *eid++ = RRM_CAPABILITIES_IE_LEN;
236 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237
238 return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240
241
hostapd_own_capab_info(struct hostapd_data * hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 int capab = WLAN_CAPABILITY_ESS;
245 int privacy = 0;
246 int dfs;
247 int i;
248
249 /* Check if any of configured channels require DFS */
250 dfs = hostapd_is_dfs_required(hapd->iface);
251 if (dfs < 0) {
252 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 dfs);
254 dfs = 0;
255 }
256
257 if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 hapd->iconf->preamble == SHORT_PREAMBLE)
259 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260
261 #ifdef CONFIG_WEP
262 privacy = hapd->conf->ssid.wep.keys_set;
263
264 if (hapd->conf->ieee802_1x &&
265 (hapd->conf->default_wep_key_len ||
266 hapd->conf->individual_wep_key_len))
267 privacy = 1;
268 #endif /* CONFIG_WEP */
269
270 if (hapd->conf->wpa)
271 privacy = 1;
272
273 #ifdef CONFIG_HS20
274 if (hapd->conf->osen)
275 privacy = 1;
276 #endif /* CONFIG_HS20 */
277
278 if (privacy)
279 capab |= WLAN_CAPABILITY_PRIVACY;
280
281 if (hapd->iface->current_mode &&
282 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 hapd->iface->num_sta_no_short_slot_time == 0)
284 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285
286 /*
287 * Currently, Spectrum Management capability bit is set when directly
288 * requested in configuration by spectrum_mgmt_required or when AP is
289 * running on DFS channel.
290 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 */
292 if (hapd->iface->current_mode &&
293 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 (hapd->iconf->spectrum_mgmt_required || dfs))
295 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296
297 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 if (hapd->conf->radio_measurements[i]) {
299 capab |= IEEE80211_CAP_RRM;
300 break;
301 }
302 }
303
304 return capab;
305 }
306
307
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 u16 auth_transaction, const u8 *challenge,
312 int iswep)
313 {
314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 HOSTAPD_LEVEL_DEBUG,
316 "authentication (shared key, transaction %d)",
317 auth_transaction);
318
319 if (auth_transaction == 1) {
320 if (!sta->challenge) {
321 /* Generate a pseudo-random challenge */
322 u8 key[8];
323
324 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 if (sta->challenge == NULL)
326 return WLAN_STATUS_UNSPECIFIED_FAILURE;
327
328 if (os_get_random(key, sizeof(key)) < 0) {
329 os_free(sta->challenge);
330 sta->challenge = NULL;
331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 }
333
334 rc4_skip(key, sizeof(key), 0,
335 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 }
337 return 0;
338 }
339
340 if (auth_transaction != 3)
341 return WLAN_STATUS_UNSPECIFIED_FAILURE;
342
343 /* Transaction 3 */
344 if (!iswep || !sta->challenge || !challenge ||
345 os_memcmp_const(sta->challenge, challenge,
346 WLAN_AUTH_CHALLENGE_LEN)) {
347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_INFO,
349 "shared key authentication - invalid "
350 "challenge-response");
351 return WLAN_STATUS_CHALLENGE_FAIL;
352 }
353
354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 HOSTAPD_LEVEL_DEBUG,
356 "authentication OK (shared key)");
357 sta->flags |= WLAN_STA_AUTH;
358 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 os_free(sta->challenge);
360 sta->challenge = NULL;
361
362 return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366
367
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 const u8 *dst, const u8 *bssid,
370 u16 auth_alg, u16 auth_transaction, u16 resp,
371 const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 struct ieee80211_mgmt *reply;
374 u8 *buf;
375 size_t rlen;
376 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377
378 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 buf = os_zalloc(rlen);
380 if (buf == NULL)
381 return -1;
382
383 reply = (struct ieee80211_mgmt *) buf;
384 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 WLAN_FC_STYPE_AUTH);
386 os_memcpy(reply->da, dst, ETH_ALEN);
387 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 os_memcpy(reply->bssid, bssid, ETH_ALEN);
389
390 reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 reply->u.auth.status_code = host_to_le16(resp);
393
394 if (ies && ies_len)
395 os_memcpy(reply->u.auth.variable, ies, ies_len);
396
397 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
398 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 MAC2STR(dst), auth_alg, auth_transaction,
400 resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 if (hapd->conf->sae_confirm_immediate == 2 &&
404 auth_alg == WLAN_AUTH_SAE) {
405 if (auth_transaction == 1 && sta &&
406 (resp == WLAN_STATUS_SUCCESS ||
407 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 resp == WLAN_STATUS_SAE_PK)) {
409 wpa_printf(MSG_DEBUG,
410 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 os_free(sta->sae_postponed_commit);
412 sta->sae_postponed_commit = buf;
413 sta->sae_postponed_commit_len = rlen;
414 return WLAN_STATUS_SUCCESS;
415 }
416
417 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 wpa_printf(MSG_DEBUG,
419 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 if (hostapd_drv_send_mlme(hapd,
421 sta->sae_postponed_commit,
422 sta->sae_postponed_commit_len,
423 0, NULL, 0, 0) < 0)
424 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 os_free(sta->sae_postponed_commit);
426 sta->sae_postponed_commit = NULL;
427 sta->sae_postponed_commit_len = 0;
428 }
429 }
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 else
435 reply_res = WLAN_STATUS_SUCCESS;
436
437 os_free(buf);
438
439 return reply_res;
440 }
441
442
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 u16 auth_transaction, u16 status,
446 const u8 *ies, size_t ies_len)
447 {
448 struct hostapd_data *hapd = ctx;
449 struct sta_info *sta;
450 int reply_res;
451
452 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 auth_transaction, status, ies, ies_len,
454 "auth-ft-finish");
455
456 sta = ap_get_sta(hapd, dst);
457 if (sta == NULL)
458 return;
459
460 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 status != WLAN_STATUS_SUCCESS)) {
462 hostapd_drv_sta_remove(hapd, sta->addr);
463 sta->added_unassoc = 0;
464 return;
465 }
466
467 if (status != WLAN_STATUS_SUCCESS)
468 return;
469
470 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 sta->flags |= WLAN_STA_AUTH;
473 mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476
477
478 #ifdef CONFIG_SAE
479
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 const char *reason)
482 {
483 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
484 sae_state_txt(sta->sae->state), sae_state_txt(state),
485 MAC2STR(sta->addr), reason);
486 sta->sae->state = state;
487 }
488
489
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const char *rx_id,
493 struct sae_password_entry **pw_entry,
494 struct sae_pt **s_pt,
495 const struct sae_pk **s_pk)
496 {
497 const char *password = NULL;
498 struct sae_password_entry *pw;
499 struct sae_pt *pt = NULL;
500 const struct sae_pk *pk = NULL;
501
502 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 continue;
506 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 continue;
508 if (rx_id && pw->identifier &&
509 os_strcmp(rx_id, pw->identifier) != 0)
510 continue;
511 password = pw->password;
512 pt = pw->pt;
513 if (!(hapd->conf->mesh & MESH_ENABLED))
514 pk = pw->pk;
515 break;
516 }
517 if (!password) {
518 password = hapd->conf->ssid.wpa_passphrase;
519 pt = hapd->conf->ssid.pt;
520 }
521
522 if (pw_entry)
523 *pw_entry = pw;
524 if (s_pt)
525 *s_pt = pt;
526 if (s_pk)
527 *s_pk = pk;
528
529 return password;
530 }
531
532
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 struct sta_info *sta, int update,
535 int status_code)
536 {
537 struct wpabuf *buf;
538 const char *password = NULL;
539 struct sae_password_entry *pw;
540 const char *rx_id = NULL;
541 int use_pt = 0;
542 struct sae_pt *pt = NULL;
543 const struct sae_pk *pk = NULL;
544
545 if (sta->sae->tmp) {
546 rx_id = sta->sae->tmp->pw_id;
547 use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 }
553
554 if (rx_id && hapd->conf->sae_pwe != 3)
555 use_pt = 1;
556 else if (status_code == WLAN_STATUS_SUCCESS)
557 use_pt = 0;
558 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 status_code == WLAN_STATUS_SAE_PK)
560 use_pt = 1;
561
562 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 if (!password || (use_pt && !pt)) {
564 wpa_printf(MSG_DEBUG, "SAE: No password available");
565 return NULL;
566 }
567
568 if (update && use_pt &&
569 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 NULL, pk) < 0)
571 return NULL;
572
573 if (update && !use_pt &&
574 sae_prepare_commit(hapd->own_addr, sta->addr,
575 (u8 *) password, os_strlen(password), rx_id,
576 sta->sae) < 0) {
577 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 return NULL;
579 }
580
581 if (pw && pw->vlan_id) {
582 if (!sta->sae->tmp) {
583 wpa_printf(MSG_INFO,
584 "SAE: No temporary data allocated - cannot store VLAN ID");
585 return NULL;
586 }
587 sta->sae->tmp->vlan_id = pw->vlan_id;
588 }
589
590 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 (rx_id ? 3 + os_strlen(rx_id) : 0));
592 if (buf &&
593 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 sta->sae->tmp->anti_clogging_token : NULL,
595 rx_id) < 0) {
596 wpabuf_free(buf);
597 buf = NULL;
598 }
599
600 return buf;
601 }
602
603
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 struct sta_info *sta)
606 {
607 struct wpabuf *buf;
608
609 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 if (buf == NULL)
611 return NULL;
612
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 if (sta->sae->tmp)
616 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619
620 if (sae_write_confirm(sta->sae, buf) < 0) {
621 wpabuf_free(buf);
622 return NULL;
623 }
624
625 return buf;
626 }
627
628
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 struct sta_info *sta,
631 const u8 *bssid, int update, int status_code)
632 {
633 struct wpabuf *data;
634 int reply_res;
635 u16 status;
636
637 data = auth_build_sae_commit(hapd, sta, update, status_code);
638 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 if (data == NULL)
641 return WLAN_STATUS_UNSPECIFIED_FAILURE;
642
643 if (sta->sae->tmp && sta->sae->pk)
644 status = WLAN_STATUS_SAE_PK;
645 else if (sta->sae->tmp && sta->sae->h2e)
646 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 else
648 status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (hapd->conf->sae_commit_status >= 0 &&
651 hapd->conf->sae_commit_status != status) {
652 wpa_printf(MSG_INFO,
653 "TESTING: Override SAE commit status code %u --> %d",
654 status, hapd->conf->sae_commit_status);
655 status = hapd->conf->sae_commit_status;
656 }
657 #endif /* CONFIG_TESTING_OPTIONS */
658 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 WLAN_AUTH_SAE, 1,
660 status, wpabuf_head(data),
661 wpabuf_len(data), "sae-send-commit");
662
663 wpabuf_free(data);
664
665 return reply_res;
666 }
667
668
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 struct sta_info *sta,
671 const u8 *bssid)
672 {
673 struct wpabuf *data;
674 int reply_res;
675
676 data = auth_build_sae_confirm(hapd, sta);
677 if (data == NULL)
678 return WLAN_STATUS_UNSPECIFIED_FAILURE;
679
680 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 WLAN_AUTH_SAE, 2,
682 WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 wpabuf_len(data), "sae-send-confirm");
684
685 wpabuf_free(data);
686
687 return reply_res;
688 }
689
690
use_sae_anti_clogging(struct hostapd_data * hapd)691 static int use_sae_anti_clogging(struct hostapd_data *hapd)
692 {
693 struct sta_info *sta;
694 unsigned int open = 0;
695
696 if (hapd->conf->sae_anti_clogging_threshold == 0)
697 return 1;
698
699 for (sta = hapd->sta_list; sta; sta = sta->next) {
700 if (!sta->sae)
701 continue;
702 if (sta->sae->state != SAE_COMMITTED &&
703 sta->sae->state != SAE_CONFIRMED)
704 continue;
705 open++;
706 if (open >= hapd->conf->sae_anti_clogging_threshold)
707 return 1;
708 }
709
710 /* In addition to already existing open SAE sessions, check whether
711 * there are enough pending commit messages in the processing queue to
712 * potentially result in too many open sessions. */
713 if (open + dl_list_len(&hapd->sae_commit_queue) >=
714 hapd->conf->sae_anti_clogging_threshold)
715 return 1;
716
717 return 0;
718 }
719
720
sae_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)721 static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
722 {
723 u8 hash[SHA256_MAC_LEN];
724
725 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
726 addr, ETH_ALEN, hash) < 0)
727 return -1;
728 *idx = hash[0];
729 return 0;
730 }
731
732
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)733 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
734 const u8 *token, size_t token_len)
735 {
736 u8 mac[SHA256_MAC_LEN];
737 const u8 *addrs[2];
738 size_t len[2];
739 u16 token_idx;
740 u8 idx;
741
742 if (token_len != SHA256_MAC_LEN || sae_token_hash(hapd, addr, &idx) < 0)
743 return -1;
744 token_idx = hapd->sae_pending_token_idx[idx];
745 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
746 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
747 MACSTR " - token_idx 0x%04x, expected 0x%04x",
748 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
749 return -1;
750 }
751
752 addrs[0] = addr;
753 len[0] = ETH_ALEN;
754 addrs[1] = token;
755 len[1] = 2;
756 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
757 2, addrs, len, mac) < 0 ||
758 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
759 return -1;
760
761 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
762
763 return 0;
764 }
765
766
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)767 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
768 int group, const u8 *addr, int h2e)
769 {
770 struct wpabuf *buf;
771 u8 *token;
772 struct os_reltime now;
773 u8 idx[2];
774 const u8 *addrs[2];
775 size_t len[2];
776 u8 p_idx;
777 u16 token_idx;
778
779 os_get_reltime(&now);
780 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
781 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
782 hapd->sae_token_idx == 0xffff) {
783 if (random_get_bytes(hapd->sae_token_key,
784 sizeof(hapd->sae_token_key)) < 0)
785 return NULL;
786 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
787 hapd->sae_token_key, sizeof(hapd->sae_token_key));
788 hapd->last_sae_token_key_update = now;
789 hapd->sae_token_idx = 0;
790 os_memset(hapd->sae_pending_token_idx, 0,
791 sizeof(hapd->sae_pending_token_idx));
792 }
793
794 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
795 if (buf == NULL)
796 return NULL;
797
798 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
799
800 if (h2e) {
801 /* Encapsulate Anti-clogging Token field in a container IE */
802 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
803 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
804 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
805 }
806
807 if (sae_token_hash(hapd, addr, &p_idx) < 0) {
808 wpabuf_free(buf);
809 return NULL;
810 }
811 token_idx = hapd->sae_pending_token_idx[p_idx];
812 if (!token_idx) {
813 hapd->sae_token_idx++;
814 token_idx = hapd->sae_token_idx;
815 hapd->sae_pending_token_idx[p_idx] = token_idx;
816 }
817 WPA_PUT_BE16(idx, token_idx);
818 token = wpabuf_put(buf, SHA256_MAC_LEN);
819 addrs[0] = addr;
820 len[0] = ETH_ALEN;
821 addrs[1] = idx;
822 len[1] = sizeof(idx);
823 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
824 2, addrs, len, token) < 0) {
825 wpabuf_free(buf);
826 return NULL;
827 }
828 WPA_PUT_BE16(token, token_idx);
829
830 return buf;
831 }
832
833
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)834 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
835 {
836 if (sta->sae->sync > hapd->conf->sae_sync) {
837 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
838 sta->sae->sync = 0;
839 return -1;
840 }
841 return 0;
842 }
843
844
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)845 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
846 {
847 struct hostapd_data *hapd = eloop_ctx;
848 struct sta_info *sta = eloop_data;
849 int ret;
850
851 if (sae_check_big_sync(hapd, sta))
852 return;
853 sta->sae->sync++;
854 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
855 " (sync=%d state=%s)",
856 MAC2STR(sta->addr), sta->sae->sync,
857 sae_state_txt(sta->sae->state));
858
859 switch (sta->sae->state) {
860 case SAE_COMMITTED:
861 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
862 eloop_register_timeout(0,
863 hapd->dot11RSNASAERetransPeriod * 1000,
864 auth_sae_retransmit_timer, hapd, sta);
865 break;
866 case SAE_CONFIRMED:
867 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
868 eloop_register_timeout(0,
869 hapd->dot11RSNASAERetransPeriod * 1000,
870 auth_sae_retransmit_timer, hapd, sta);
871 break;
872 default:
873 ret = -1;
874 break;
875 }
876
877 if (ret != WLAN_STATUS_SUCCESS)
878 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
879 }
880
881
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)882 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
883 {
884 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
885 }
886
887
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)888 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
889 struct sta_info *sta)
890 {
891 if (!(hapd->conf->mesh & MESH_ENABLED))
892 return;
893
894 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
895 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
896 auth_sae_retransmit_timer, hapd, sta);
897 }
898
899
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)900 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
901 struct sta_info *sta, u16 status)
902 {
903 struct external_auth params;
904
905 os_memset(¶ms, 0, sizeof(params));
906 params.status = status;
907 params.bssid = sta->addr;
908 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
909 !hapd->conf->disable_pmksa_caching)
910 params.pmkid = sta->sae->pmkid;
911
912 hostapd_drv_send_external_auth_status(hapd, ¶ms);
913 }
914
915
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)916 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
917 {
918 #ifndef CONFIG_NO_VLAN
919 struct vlan_description vlan_desc;
920
921 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
922 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
923 " to VLAN ID %d",
924 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
925
926 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
927 vlan_desc.notempty = 1;
928 vlan_desc.untagged = sta->sae->tmp->vlan_id;
929 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
930 wpa_printf(MSG_INFO,
931 "Invalid VLAN ID %d in sae_password",
932 sta->sae->tmp->vlan_id);
933 return;
934 }
935
936 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
937 ap_sta_bind_vlan(hapd, sta) < 0) {
938 wpa_printf(MSG_INFO,
939 "Failed to assign VLAN ID %d from sae_password to "
940 MACSTR, sta->sae->tmp->vlan_id,
941 MAC2STR(sta->addr));
942 return;
943 }
944 }
945 #endif /* CONFIG_NO_VLAN */
946
947 sta->flags |= WLAN_STA_AUTH;
948 sta->auth_alg = WLAN_AUTH_SAE;
949 mlme_authenticate_indication(hapd, sta);
950 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
951 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
952 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
953 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
954 sta->sae->peer_commit_scalar = NULL;
955 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
956 sta->sae->pmk, sta->sae->pmkid);
957 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
958 }
959
960
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)961 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
962 const u8 *bssid, u16 auth_transaction, u16 status_code,
963 int allow_reuse, int *sta_removed)
964 {
965 int ret;
966
967 *sta_removed = 0;
968
969 if (auth_transaction != 1 && auth_transaction != 2)
970 return WLAN_STATUS_UNSPECIFIED_FAILURE;
971
972 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
973 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
974 auth_transaction);
975 switch (sta->sae->state) {
976 case SAE_NOTHING:
977 if (auth_transaction == 1) {
978 if (sta->sae->tmp) {
979 sta->sae->h2e =
980 (status_code ==
981 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
982 status_code == WLAN_STATUS_SAE_PK);
983 sta->sae->pk =
984 status_code == WLAN_STATUS_SAE_PK;
985 }
986 ret = auth_sae_send_commit(hapd, sta, bssid,
987 !allow_reuse, status_code);
988 if (ret)
989 return ret;
990 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
991
992 if (sae_process_commit(sta->sae) < 0)
993 return WLAN_STATUS_UNSPECIFIED_FAILURE;
994
995 /*
996 * In mesh case, both Commit and Confirm are sent
997 * immediately. In infrastructure BSS, by default, only
998 * a single Authentication frame (Commit) is expected
999 * from the AP here and the second one (Confirm) will
1000 * be sent once the STA has sent its second
1001 * Authentication frame (Confirm). This behavior can be
1002 * overridden with explicit configuration so that the
1003 * infrastructure BSS case sends both frames together.
1004 */
1005 if ((hapd->conf->mesh & MESH_ENABLED) ||
1006 hapd->conf->sae_confirm_immediate) {
1007 /*
1008 * Send both Commit and Confirm immediately
1009 * based on SAE finite state machine
1010 * Nothing -> Confirm transition.
1011 */
1012 ret = auth_sae_send_confirm(hapd, sta, bssid);
1013 if (ret)
1014 return ret;
1015 sae_set_state(sta, SAE_CONFIRMED,
1016 "Sent Confirm (mesh)");
1017 } else {
1018 /*
1019 * For infrastructure BSS, send only the Commit
1020 * message now to get alternating sequence of
1021 * Authentication frames between the AP and STA.
1022 * Confirm will be sent in
1023 * Committed -> Confirmed/Accepted transition
1024 * when receiving Confirm from STA.
1025 */
1026 }
1027 sta->sae->sync = 0;
1028 sae_set_retransmit_timer(hapd, sta);
1029 } else {
1030 hostapd_logger(hapd, sta->addr,
1031 HOSTAPD_MODULE_IEEE80211,
1032 HOSTAPD_LEVEL_DEBUG,
1033 "SAE confirm before commit");
1034 }
1035 break;
1036 case SAE_COMMITTED:
1037 sae_clear_retransmit_timer(hapd, sta);
1038 if (auth_transaction == 1) {
1039 if (sae_process_commit(sta->sae) < 0)
1040 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1041
1042 ret = auth_sae_send_confirm(hapd, sta, bssid);
1043 if (ret)
1044 return ret;
1045 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1046 sta->sae->sync = 0;
1047 sae_set_retransmit_timer(hapd, sta);
1048 } else if (hapd->conf->mesh & MESH_ENABLED) {
1049 /*
1050 * In mesh case, follow SAE finite state machine and
1051 * send Commit now, if sync count allows.
1052 */
1053 if (sae_check_big_sync(hapd, sta))
1054 return WLAN_STATUS_SUCCESS;
1055 sta->sae->sync++;
1056
1057 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1058 status_code);
1059 if (ret)
1060 return ret;
1061
1062 sae_set_retransmit_timer(hapd, sta);
1063 } else {
1064 /*
1065 * For instructure BSS, send the postponed Confirm from
1066 * Nothing -> Confirmed transition that was reduced to
1067 * Nothing -> Committed above.
1068 */
1069 ret = auth_sae_send_confirm(hapd, sta, bssid);
1070 if (ret)
1071 return ret;
1072
1073 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1074
1075 /*
1076 * Since this was triggered on Confirm RX, run another
1077 * step to get to Accepted without waiting for
1078 * additional events.
1079 */
1080 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1081 WLAN_STATUS_SUCCESS, 0, sta_removed);
1082 }
1083 break;
1084 case SAE_CONFIRMED:
1085 sae_clear_retransmit_timer(hapd, sta);
1086 if (auth_transaction == 1) {
1087 if (sae_check_big_sync(hapd, sta))
1088 return WLAN_STATUS_SUCCESS;
1089 sta->sae->sync++;
1090
1091 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1092 status_code);
1093 if (ret)
1094 return ret;
1095
1096 if (sae_process_commit(sta->sae) < 0)
1097 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1098
1099 ret = auth_sae_send_confirm(hapd, sta, bssid);
1100 if (ret)
1101 return ret;
1102
1103 sae_set_retransmit_timer(hapd, sta);
1104 } else {
1105 sta->sae->send_confirm = 0xffff;
1106 sae_accept_sta(hapd, sta);
1107 }
1108 break;
1109 case SAE_ACCEPTED:
1110 if (auth_transaction == 1 &&
1111 (hapd->conf->mesh & MESH_ENABLED)) {
1112 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1113 ") doing reauthentication",
1114 MAC2STR(sta->addr));
1115 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1116 ap_free_sta(hapd, sta);
1117 *sta_removed = 1;
1118 } else if (auth_transaction == 1) {
1119 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1120 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1121 status_code);
1122 if (ret)
1123 return ret;
1124 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1125
1126 if (sae_process_commit(sta->sae) < 0)
1127 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1128 sta->sae->sync = 0;
1129 sae_set_retransmit_timer(hapd, sta);
1130 } else {
1131 if (sae_check_big_sync(hapd, sta))
1132 return WLAN_STATUS_SUCCESS;
1133 sta->sae->sync++;
1134
1135 ret = auth_sae_send_confirm(hapd, sta, bssid);
1136 sae_clear_temp_data(sta->sae);
1137 if (ret)
1138 return ret;
1139 }
1140 break;
1141 default:
1142 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1143 sta->sae->state);
1144 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1145 }
1146 return WLAN_STATUS_SUCCESS;
1147 }
1148
1149
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1150 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1151 {
1152 struct sae_data *sae = sta->sae;
1153 int i, *groups = hapd->conf->sae_groups;
1154 int default_groups[] = { 19, 0 };
1155
1156 if (sae->state != SAE_COMMITTED)
1157 return;
1158
1159 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1160
1161 if (!groups)
1162 groups = default_groups;
1163 for (i = 0; groups[i] > 0; i++) {
1164 if (sae->group == groups[i])
1165 break;
1166 }
1167
1168 if (groups[i] <= 0) {
1169 wpa_printf(MSG_DEBUG,
1170 "SAE: Previously selected group not found from the current configuration");
1171 return;
1172 }
1173
1174 for (;;) {
1175 i++;
1176 if (groups[i] <= 0) {
1177 wpa_printf(MSG_DEBUG,
1178 "SAE: No alternative group enabled");
1179 return;
1180 }
1181
1182 if (sae_set_group(sae, groups[i]) < 0)
1183 continue;
1184
1185 break;
1186 }
1187 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1188 }
1189
1190
sae_status_success(struct hostapd_data * hapd,u16 status_code)1191 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1192 {
1193 int sae_pwe = hapd->conf->sae_pwe;
1194 int id_in_use;
1195 bool sae_pk = false;
1196
1197 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1198 if (id_in_use == 2 && sae_pwe != 3)
1199 sae_pwe = 1;
1200 else if (id_in_use == 1 && sae_pwe == 0)
1201 sae_pwe = 2;
1202 #ifdef CONFIG_SAE_PK
1203 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1204 if (sae_pwe == 0 && sae_pk)
1205 sae_pwe = 2;
1206 #endif /* CONFIG_SAE_PK */
1207
1208 return ((sae_pwe == 0 || sae_pwe == 3) &&
1209 status_code == WLAN_STATUS_SUCCESS) ||
1210 (sae_pwe == 1 &&
1211 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1212 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1213 (sae_pwe == 2 &&
1214 (status_code == WLAN_STATUS_SUCCESS ||
1215 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1216 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1217 }
1218
1219
sae_is_group_enabled(struct hostapd_data * hapd,int group)1220 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1221 {
1222 int *groups = hapd->conf->sae_groups;
1223 int default_groups[] = { 19, 0 };
1224 int i;
1225
1226 if (!groups)
1227 groups = default_groups;
1228
1229 for (i = 0; groups[i] > 0; i++) {
1230 if (groups[i] == group)
1231 return 1;
1232 }
1233
1234 return 0;
1235 }
1236
1237
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1238 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1239 struct sae_data *sae)
1240 {
1241 const struct wpabuf *groups;
1242 size_t i, count;
1243 const u8 *pos;
1244
1245 if (!sae->tmp)
1246 return 0;
1247 groups = sae->tmp->peer_rejected_groups;
1248 if (!groups)
1249 return 0;
1250
1251 pos = wpabuf_head(groups);
1252 count = wpabuf_len(groups) / 2;
1253 for (i = 0; i < count; i++) {
1254 int enabled;
1255 u16 group;
1256
1257 group = WPA_GET_LE16(pos);
1258 pos += 2;
1259 enabled = sae_is_group_enabled(hapd, group);
1260 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1261 group, enabled ? "enabled" : "disabled");
1262 if (enabled)
1263 return 1;
1264 }
1265
1266 return 0;
1267 }
1268
1269
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1270 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1271 const struct ieee80211_mgmt *mgmt, size_t len,
1272 u16 auth_transaction, u16 status_code)
1273 {
1274 int resp = WLAN_STATUS_SUCCESS;
1275 struct wpabuf *data = NULL;
1276 int *groups = hapd->conf->sae_groups;
1277 int default_groups[] = { 19, 0 };
1278 const u8 *pos, *end;
1279 int sta_removed = 0;
1280 bool success_status;
1281
1282 if (!groups)
1283 groups = default_groups;
1284
1285 #ifdef CONFIG_TESTING_OPTIONS
1286 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1287 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1288 pos = mgmt->u.auth.variable;
1289 end = ((const u8 *) mgmt) + len;
1290 resp = status_code;
1291 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1292 auth_transaction, resp, pos, end - pos,
1293 "auth-sae-reflection-attack");
1294 goto remove_sta;
1295 }
1296
1297 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1298 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1299 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1300 auth_transaction, resp,
1301 wpabuf_head(hapd->conf->sae_commit_override),
1302 wpabuf_len(hapd->conf->sae_commit_override),
1303 "sae-commit-override");
1304 goto remove_sta;
1305 }
1306 #endif /* CONFIG_TESTING_OPTIONS */
1307 if (!sta->sae) {
1308 if (auth_transaction != 1 ||
1309 !sae_status_success(hapd, status_code)) {
1310 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1311 status_code);
1312 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1313 goto reply;
1314 }
1315 sta->sae = os_zalloc(sizeof(*sta->sae));
1316 if (!sta->sae) {
1317 resp = -1;
1318 goto remove_sta;
1319 }
1320 sae_set_state(sta, SAE_NOTHING, "Init");
1321 sta->sae->sync = 0;
1322 }
1323
1324 if (sta->mesh_sae_pmksa_caching) {
1325 wpa_printf(MSG_DEBUG,
1326 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1327 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1328 sta->mesh_sae_pmksa_caching = 0;
1329 }
1330
1331 if (auth_transaction == 1) {
1332 const u8 *token = NULL;
1333 size_t token_len = 0;
1334 int allow_reuse = 0;
1335
1336 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1337 HOSTAPD_LEVEL_DEBUG,
1338 "start SAE authentication (RX commit, status=%u (%s))",
1339 status_code, status2str(status_code));
1340
1341 if ((hapd->conf->mesh & MESH_ENABLED) &&
1342 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1343 sta->sae->tmp) {
1344 pos = mgmt->u.auth.variable;
1345 end = ((const u8 *) mgmt) + len;
1346 if (pos + sizeof(le16) > end) {
1347 wpa_printf(MSG_ERROR,
1348 "SAE: Too short anti-clogging token request");
1349 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1350 goto reply;
1351 }
1352 resp = sae_group_allowed(sta->sae, groups,
1353 WPA_GET_LE16(pos));
1354 if (resp != WLAN_STATUS_SUCCESS) {
1355 wpa_printf(MSG_ERROR,
1356 "SAE: Invalid group in anti-clogging token request");
1357 goto reply;
1358 }
1359 pos += sizeof(le16);
1360
1361 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1362 sta->sae->tmp->anti_clogging_token =
1363 wpabuf_alloc_copy(pos, end - pos);
1364 if (sta->sae->tmp->anti_clogging_token == NULL) {
1365 wpa_printf(MSG_ERROR,
1366 "SAE: Failed to alloc for anti-clogging token");
1367 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1368 goto remove_sta;
1369 }
1370
1371 /*
1372 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1373 * is 76, a new Commit Message shall be constructed
1374 * with the Anti-Clogging Token from the received
1375 * Authentication frame, and the commit-scalar and
1376 * COMMIT-ELEMENT previously sent.
1377 */
1378 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1379 status_code);
1380 if (resp != WLAN_STATUS_SUCCESS) {
1381 wpa_printf(MSG_ERROR,
1382 "SAE: Failed to send commit message");
1383 goto remove_sta;
1384 }
1385 sae_set_state(sta, SAE_COMMITTED,
1386 "Sent Commit (anti-clogging token case in mesh)");
1387 sta->sae->sync = 0;
1388 sae_set_retransmit_timer(hapd, sta);
1389 return;
1390 }
1391
1392 if ((hapd->conf->mesh & MESH_ENABLED) &&
1393 status_code ==
1394 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1395 sta->sae->tmp) {
1396 wpa_printf(MSG_DEBUG,
1397 "SAE: Peer did not accept our SAE group");
1398 sae_pick_next_group(hapd, sta);
1399 goto remove_sta;
1400 }
1401
1402 if (!sae_status_success(hapd, status_code))
1403 goto remove_sta;
1404
1405 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1406 sta->sae->state == SAE_COMMITTED) {
1407 /* This is needed in the infrastructure BSS case to
1408 * address a sequence where a STA entry may remain in
1409 * hostapd across two attempts to do SAE authentication
1410 * by the same STA. The second attempt may end up trying
1411 * to use a different group and that would not be
1412 * allowed if we remain in Committed state with the
1413 * previously set parameters. */
1414 pos = mgmt->u.auth.variable;
1415 end = ((const u8 *) mgmt) + len;
1416 if (end - pos >= (int) sizeof(le16) &&
1417 sae_group_allowed(sta->sae, groups,
1418 WPA_GET_LE16(pos)) ==
1419 WLAN_STATUS_SUCCESS) {
1420 /* Do not waste resources deriving the same PWE
1421 * again since the same group is reused. */
1422 sae_set_state(sta, SAE_NOTHING,
1423 "Allow previous PWE to be reused");
1424 allow_reuse = 1;
1425 } else {
1426 sae_set_state(sta, SAE_NOTHING,
1427 "Clear existing state to allow restart");
1428 sae_clear_data(sta->sae);
1429 }
1430 }
1431
1432 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1433 ((const u8 *) mgmt) + len -
1434 mgmt->u.auth.variable, &token,
1435 &token_len, groups, status_code ==
1436 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1437 status_code == WLAN_STATUS_SAE_PK);
1438 if (resp == SAE_SILENTLY_DISCARD) {
1439 wpa_printf(MSG_DEBUG,
1440 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1441 MAC2STR(sta->addr));
1442 goto remove_sta;
1443 }
1444
1445 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1446 wpa_msg(hapd->msg_ctx, MSG_INFO,
1447 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1448 MACSTR, MAC2STR(sta->addr));
1449 sae_clear_retransmit_timer(hapd, sta);
1450 sae_set_state(sta, SAE_NOTHING,
1451 "Unknown Password Identifier");
1452 goto remove_sta;
1453 }
1454
1455 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1456 < 0) {
1457 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1458 "incorrect token from " MACSTR,
1459 MAC2STR(sta->addr));
1460 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1461 goto remove_sta;
1462 }
1463
1464 if (resp != WLAN_STATUS_SUCCESS)
1465 goto reply;
1466
1467 if (check_sae_rejected_groups(hapd, sta->sae)) {
1468 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1469 goto reply;
1470 }
1471
1472 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1473 int h2e = 0;
1474
1475 wpa_printf(MSG_DEBUG,
1476 "SAE: Request anti-clogging token from "
1477 MACSTR, MAC2STR(sta->addr));
1478 if (sta->sae->tmp)
1479 h2e = sta->sae->h2e;
1480 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1481 status_code == WLAN_STATUS_SAE_PK)
1482 h2e = 1;
1483 data = auth_build_token_req(hapd, sta->sae->group,
1484 sta->addr, h2e);
1485 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1486 if (hapd->conf->mesh & MESH_ENABLED)
1487 sae_set_state(sta, SAE_NOTHING,
1488 "Request anti-clogging token case in mesh");
1489 goto reply;
1490 }
1491
1492 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1493 status_code, allow_reuse, &sta_removed);
1494 } else if (auth_transaction == 2) {
1495 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1496 HOSTAPD_LEVEL_DEBUG,
1497 "SAE authentication (RX confirm, status=%u (%s))",
1498 status_code, status2str(status_code));
1499 if (status_code != WLAN_STATUS_SUCCESS)
1500 goto remove_sta;
1501 if (sta->sae->state >= SAE_CONFIRMED ||
1502 !(hapd->conf->mesh & MESH_ENABLED)) {
1503 const u8 *var;
1504 size_t var_len;
1505 u16 peer_send_confirm;
1506
1507 var = mgmt->u.auth.variable;
1508 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1509 if (var_len < 2) {
1510 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 goto reply;
1512 }
1513
1514 peer_send_confirm = WPA_GET_LE16(var);
1515
1516 if (sta->sae->state == SAE_ACCEPTED &&
1517 (peer_send_confirm <= sta->sae->rc ||
1518 peer_send_confirm == 0xffff)) {
1519 wpa_printf(MSG_DEBUG,
1520 "SAE: Silently ignore unexpected Confirm from peer "
1521 MACSTR
1522 " (peer-send-confirm=%u Rc=%u)",
1523 MAC2STR(sta->addr),
1524 peer_send_confirm, sta->sae->rc);
1525 return;
1526 }
1527
1528 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1529 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1530 goto reply;
1531 }
1532 sta->sae->rc = peer_send_confirm;
1533 }
1534 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1535 status_code, 0, &sta_removed);
1536 } else {
1537 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1538 HOSTAPD_LEVEL_DEBUG,
1539 "unexpected SAE authentication transaction %u (status=%u (%s))",
1540 auth_transaction, status_code,
1541 status2str(status_code));
1542 if (status_code != WLAN_STATUS_SUCCESS)
1543 goto remove_sta;
1544 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1545 }
1546
1547 reply:
1548 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1549 pos = mgmt->u.auth.variable;
1550 end = ((const u8 *) mgmt) + len;
1551
1552 /* Copy the Finite Cyclic Group field from the request if we
1553 * rejected it as unsupported group. */
1554 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1555 !data && end - pos >= 2)
1556 data = wpabuf_alloc_copy(pos, 2);
1557
1558 sae_sme_send_external_auth_status(hapd, sta, resp);
1559 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1560 auth_transaction, resp,
1561 data ? wpabuf_head(data) : (u8 *) "",
1562 data ? wpabuf_len(data) : 0, "auth-sae");
1563 }
1564
1565 remove_sta:
1566 if (auth_transaction == 1)
1567 success_status = sae_status_success(hapd, status_code);
1568 else
1569 success_status = status_code == WLAN_STATUS_SUCCESS;
1570 if (!sta_removed && sta->added_unassoc &&
1571 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1572 hostapd_drv_sta_remove(hapd, sta->addr);
1573 sta->added_unassoc = 0;
1574 }
1575 wpabuf_free(data);
1576 }
1577
1578
1579 /**
1580 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1581 * @hapd: BSS data for the device initiating the authentication
1582 * @sta: the peer to which commit authentication frame is sent
1583 *
1584 * This function implements Init event handling (IEEE Std 802.11-2012,
1585 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1586 * sta->sae structure should be initialized appropriately via a call to
1587 * sae_prepare_commit().
1588 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1589 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1590 {
1591 int ret;
1592
1593 if (!sta->sae || !sta->sae->tmp)
1594 return -1;
1595
1596 if (sta->sae->state != SAE_NOTHING)
1597 return -1;
1598
1599 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1600 if (ret)
1601 return -1;
1602
1603 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1604 sta->sae->sync = 0;
1605 sae_set_retransmit_timer(hapd, sta);
1606
1607 return 0;
1608 }
1609
1610
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1611 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1612 {
1613 struct hostapd_data *hapd = eloop_ctx;
1614 struct hostapd_sae_commit_queue *q;
1615 unsigned int queue_len;
1616
1617 q = dl_list_first(&hapd->sae_commit_queue,
1618 struct hostapd_sae_commit_queue, list);
1619 if (!q)
1620 return;
1621 wpa_printf(MSG_DEBUG,
1622 "SAE: Process next available message from queue");
1623 dl_list_del(&q->list);
1624 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1625 q->rssi, 1);
1626 os_free(q);
1627
1628 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1629 return;
1630 queue_len = dl_list_len(&hapd->sae_commit_queue);
1631 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1632 hapd, NULL);
1633 }
1634
1635
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1636 static void auth_sae_queue(struct hostapd_data *hapd,
1637 const struct ieee80211_mgmt *mgmt, size_t len,
1638 int rssi)
1639 {
1640 struct hostapd_sae_commit_queue *q, *q2;
1641 unsigned int queue_len;
1642 const struct ieee80211_mgmt *mgmt2;
1643
1644 queue_len = dl_list_len(&hapd->sae_commit_queue);
1645 if (queue_len >= 15) {
1646 wpa_printf(MSG_DEBUG,
1647 "SAE: No more room in message queue - drop the new frame from "
1648 MACSTR, MAC2STR(mgmt->sa));
1649 return;
1650 }
1651
1652 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1653 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1654 queue_len);
1655 q = os_zalloc(sizeof(*q) + len);
1656 if (!q)
1657 return;
1658 q->rssi = rssi;
1659 q->len = len;
1660 os_memcpy(q->msg, mgmt, len);
1661
1662 /* Check whether there is already a queued Authentication frame from the
1663 * same station with the same transaction number and if so, replace that
1664 * queue entry with the new one. This avoids issues with a peer that
1665 * sends multiple times (e.g., due to frequent SAE retries). There is no
1666 * point in us trying to process the old attempts after a new one has
1667 * obsoleted them. */
1668 dl_list_for_each(q2, &hapd->sae_commit_queue,
1669 struct hostapd_sae_commit_queue, list) {
1670 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1671 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1672 mgmt->u.auth.auth_transaction ==
1673 mgmt2->u.auth.auth_transaction) {
1674 wpa_printf(MSG_DEBUG,
1675 "SAE: Replace queued message from same STA with same transaction number");
1676 dl_list_add(&q2->list, &q->list);
1677 dl_list_del(&q2->list);
1678 os_free(q2);
1679 goto queued;
1680 }
1681 }
1682
1683 /* No pending identical entry, so add to the end of the queue */
1684 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1685
1686 queued:
1687 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1688 return;
1689 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1690 hapd, NULL);
1691 }
1692
1693
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1694 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1695 {
1696 struct hostapd_sae_commit_queue *q;
1697 const struct ieee80211_mgmt *mgmt;
1698
1699 dl_list_for_each(q, &hapd->sae_commit_queue,
1700 struct hostapd_sae_commit_queue, list) {
1701 mgmt = (const struct ieee80211_mgmt *) q->msg;
1702 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1703 return 1;
1704 }
1705
1706 return 0;
1707 }
1708
1709 #endif /* CONFIG_SAE */
1710
1711
wpa_res_to_status_code(enum wpa_validate_result res)1712 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1713 {
1714 switch (res) {
1715 case WPA_IE_OK:
1716 return WLAN_STATUS_SUCCESS;
1717 case WPA_INVALID_IE:
1718 return WLAN_STATUS_INVALID_IE;
1719 case WPA_INVALID_GROUP:
1720 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1721 case WPA_INVALID_PAIRWISE:
1722 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1723 case WPA_INVALID_AKMP:
1724 return WLAN_STATUS_AKMP_NOT_VALID;
1725 case WPA_NOT_ENABLED:
1726 return WLAN_STATUS_INVALID_IE;
1727 case WPA_ALLOC_FAIL:
1728 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1729 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1730 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1731 case WPA_INVALID_MGMT_GROUP_CIPHER:
1732 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1733 case WPA_INVALID_MDIE:
1734 return WLAN_STATUS_INVALID_MDIE;
1735 case WPA_INVALID_PROTO:
1736 return WLAN_STATUS_INVALID_IE;
1737 case WPA_INVALID_PMKID:
1738 return WLAN_STATUS_INVALID_PMKID;
1739 case WPA_DENIED_OTHER_REASON:
1740 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1741 }
1742 return WLAN_STATUS_INVALID_IE;
1743 }
1744
1745
1746 #ifdef CONFIG_FILS
1747
1748 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1749 struct sta_info *sta, u16 resp,
1750 struct wpabuf *data, int pub);
1751
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1752 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1753 const u8 *pos, size_t len, u16 auth_alg,
1754 u16 auth_transaction, u16 status_code,
1755 void (*cb)(struct hostapd_data *hapd,
1756 struct sta_info *sta, u16 resp,
1757 struct wpabuf *data, int pub))
1758 {
1759 u16 resp = WLAN_STATUS_SUCCESS;
1760 const u8 *end;
1761 struct ieee802_11_elems elems;
1762 enum wpa_validate_result res;
1763 struct wpa_ie_data rsn;
1764 struct rsn_pmksa_cache_entry *pmksa = NULL;
1765
1766 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1767 return;
1768
1769 end = pos + len;
1770
1771 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1772 pos, end - pos);
1773
1774 /* TODO: FILS PK */
1775 #ifdef CONFIG_FILS_SK_PFS
1776 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1777 u16 group;
1778 struct wpabuf *pub;
1779 size_t elem_len;
1780
1781 /* Using FILS PFS */
1782
1783 /* Finite Cyclic Group */
1784 if (end - pos < 2) {
1785 wpa_printf(MSG_DEBUG,
1786 "FILS: No room for Finite Cyclic Group");
1787 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1788 goto fail;
1789 }
1790 group = WPA_GET_LE16(pos);
1791 pos += 2;
1792 if (group != hapd->conf->fils_dh_group) {
1793 wpa_printf(MSG_DEBUG,
1794 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1795 group, hapd->conf->fils_dh_group);
1796 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1797 goto fail;
1798 }
1799
1800 crypto_ecdh_deinit(sta->fils_ecdh);
1801 sta->fils_ecdh = crypto_ecdh_init(group);
1802 if (!sta->fils_ecdh) {
1803 wpa_printf(MSG_INFO,
1804 "FILS: Could not initialize ECDH with group %d",
1805 group);
1806 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1807 goto fail;
1808 }
1809
1810 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1811 if (!pub) {
1812 wpa_printf(MSG_DEBUG,
1813 "FILS: Failed to derive ECDH public key");
1814 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1815 goto fail;
1816 }
1817 elem_len = wpabuf_len(pub);
1818 wpabuf_free(pub);
1819
1820 /* Element */
1821 if ((size_t) (end - pos) < elem_len) {
1822 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1823 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1824 goto fail;
1825 }
1826
1827 wpabuf_free(sta->fils_g_sta);
1828 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1829 wpabuf_clear_free(sta->fils_dh_ss);
1830 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1831 pos, elem_len);
1832 if (!sta->fils_dh_ss) {
1833 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1834 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1835 goto fail;
1836 }
1837 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1838 pos += elem_len;
1839 } else {
1840 crypto_ecdh_deinit(sta->fils_ecdh);
1841 sta->fils_ecdh = NULL;
1842 wpabuf_clear_free(sta->fils_dh_ss);
1843 sta->fils_dh_ss = NULL;
1844 }
1845 #endif /* CONFIG_FILS_SK_PFS */
1846
1847 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1848 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1849 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1850 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1851 goto fail;
1852 }
1853
1854 /* RSNE */
1855 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1856 elems.rsn_ie, elems.rsn_ie_len);
1857 if (!elems.rsn_ie ||
1858 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1859 &rsn) < 0) {
1860 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1861 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1862 goto fail;
1863 }
1864
1865 if (!sta->wpa_sm)
1866 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1867 NULL);
1868 if (!sta->wpa_sm) {
1869 wpa_printf(MSG_DEBUG,
1870 "FILS: Failed to initialize RSN state machine");
1871 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1872 goto fail;
1873 }
1874
1875 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1876 hapd->iface->freq,
1877 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1878 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1879 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1880 elems.mdie, elems.mdie_len, NULL, 0);
1881 resp = wpa_res_to_status_code(res);
1882 if (resp != WLAN_STATUS_SUCCESS)
1883 goto fail;
1884
1885 if (!elems.fils_nonce) {
1886 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1887 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1888 goto fail;
1889 }
1890 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1891 FILS_NONCE_LEN);
1892 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1893
1894 /* PMKID List */
1895 if (rsn.pmkid && rsn.num_pmkid > 0) {
1896 u8 num;
1897 const u8 *pmkid;
1898
1899 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1900 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1901
1902 pmkid = rsn.pmkid;
1903 num = rsn.num_pmkid;
1904 while (num) {
1905 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1906 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1907 pmkid);
1908 if (pmksa)
1909 break;
1910 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1911 sta->addr,
1912 pmkid);
1913 if (pmksa)
1914 break;
1915 pmkid += PMKID_LEN;
1916 num--;
1917 }
1918 }
1919 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1920 wpa_printf(MSG_DEBUG,
1921 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1922 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1923 pmksa = NULL;
1924 }
1925 if (pmksa)
1926 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1927
1928 /* FILS Session */
1929 if (!elems.fils_session) {
1930 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1931 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1932 goto fail;
1933 }
1934 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1935 FILS_SESSION_LEN);
1936 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1937
1938 /* Wrapped Data */
1939 if (elems.wrapped_data) {
1940 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1941 elems.wrapped_data,
1942 elems.wrapped_data_len);
1943 if (!pmksa) {
1944 #ifndef CONFIG_NO_RADIUS
1945 if (!sta->eapol_sm) {
1946 sta->eapol_sm =
1947 ieee802_1x_alloc_eapol_sm(hapd, sta);
1948 }
1949 wpa_printf(MSG_DEBUG,
1950 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1951 ieee802_1x_encapsulate_radius(
1952 hapd, sta, elems.wrapped_data,
1953 elems.wrapped_data_len);
1954 sta->fils_pending_cb = cb;
1955 wpa_printf(MSG_DEBUG,
1956 "FILS: Will send Authentication frame once the response from authentication server is available");
1957 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1958 /* Calculate pending PMKID here so that we do not need
1959 * to maintain a copy of the EAP-Initiate/Reauth
1960 * message. */
1961 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1962 elems.wrapped_data,
1963 elems.wrapped_data_len,
1964 sta->fils_erp_pmkid) == 0)
1965 sta->fils_erp_pmkid_set = 1;
1966 return;
1967 #else /* CONFIG_NO_RADIUS */
1968 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1969 goto fail;
1970 #endif /* CONFIG_NO_RADIUS */
1971 }
1972 }
1973
1974 fail:
1975 if (cb) {
1976 struct wpabuf *data;
1977 int pub = 0;
1978
1979 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1980 NULL, 0, &pub);
1981 if (!data) {
1982 wpa_printf(MSG_DEBUG,
1983 "%s: prepare_auth_resp_fils() returned failure",
1984 __func__);
1985 }
1986
1987 cb(hapd, sta, resp, data, pub);
1988 }
1989 }
1990
1991
1992 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1993 prepare_auth_resp_fils(struct hostapd_data *hapd,
1994 struct sta_info *sta, u16 *resp,
1995 struct rsn_pmksa_cache_entry *pmksa,
1996 struct wpabuf *erp_resp,
1997 const u8 *msk, size_t msk_len,
1998 int *is_pub)
1999 {
2000 u8 fils_nonce[FILS_NONCE_LEN];
2001 size_t ielen;
2002 struct wpabuf *data = NULL;
2003 const u8 *ie;
2004 u8 *ie_buf = NULL;
2005 const u8 *pmk = NULL;
2006 size_t pmk_len = 0;
2007 u8 pmk_buf[PMK_LEN_MAX];
2008 struct wpabuf *pub = NULL;
2009
2010 if (*resp != WLAN_STATUS_SUCCESS)
2011 goto fail;
2012
2013 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2014 if (!ie) {
2015 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2016 goto fail;
2017 }
2018
2019 if (pmksa) {
2020 /* Add PMKID of the selected PMKSA into RSNE */
2021 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2022 if (!ie_buf) {
2023 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2024 goto fail;
2025 }
2026
2027 os_memcpy(ie_buf, ie, ielen);
2028 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2029 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2030 goto fail;
2031 }
2032 ie = ie_buf;
2033 }
2034
2035 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2036 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2037 goto fail;
2038 }
2039 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2040 fils_nonce, FILS_NONCE_LEN);
2041
2042 #ifdef CONFIG_FILS_SK_PFS
2043 if (sta->fils_dh_ss && sta->fils_ecdh) {
2044 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2045 if (!pub) {
2046 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2047 goto fail;
2048 }
2049 }
2050 #endif /* CONFIG_FILS_SK_PFS */
2051
2052 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2053 if (!data) {
2054 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2055 goto fail;
2056 }
2057
2058 /* TODO: FILS PK */
2059 #ifdef CONFIG_FILS_SK_PFS
2060 if (pub) {
2061 /* Finite Cyclic Group */
2062 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2063
2064 /* Element */
2065 wpabuf_put_buf(data, pub);
2066 }
2067 #endif /* CONFIG_FILS_SK_PFS */
2068
2069 /* RSNE */
2070 wpabuf_put_data(data, ie, ielen);
2071
2072 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2073
2074 #ifdef CONFIG_IEEE80211R_AP
2075 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2076 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2077 int res;
2078 int use_sha384 = wpa_key_mgmt_sha384(
2079 wpa_auth_sta_key_mgmt(sta->wpa_sm));
2080
2081 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2082 wpabuf_put(data, 0),
2083 wpabuf_tailroom(data));
2084 if (res < 0) {
2085 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2086 goto fail;
2087 }
2088 wpabuf_put(data, res);
2089 }
2090 #endif /* CONFIG_IEEE80211R_AP */
2091
2092 /* FILS Nonce */
2093 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2094 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2095 /* Element ID Extension */
2096 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2097 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2098
2099 /* FILS Session */
2100 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2101 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2102 /* Element ID Extension */
2103 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2104 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2105
2106 /* Wrapped Data */
2107 if (!pmksa && erp_resp) {
2108 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2109 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2110 /* Element ID Extension */
2111 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2112 wpabuf_put_buf(data, erp_resp);
2113
2114 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2115 msk, msk_len, sta->fils_snonce, fils_nonce,
2116 sta->fils_dh_ss ?
2117 wpabuf_head(sta->fils_dh_ss) : NULL,
2118 sta->fils_dh_ss ?
2119 wpabuf_len(sta->fils_dh_ss) : 0,
2120 pmk_buf, &pmk_len)) {
2121 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2122 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2123 wpabuf_free(data);
2124 data = NULL;
2125 goto fail;
2126 }
2127 pmk = pmk_buf;
2128
2129 /* Don't use DHss in PTK derivation if PMKSA caching is not
2130 * used. */
2131 wpabuf_clear_free(sta->fils_dh_ss);
2132 sta->fils_dh_ss = NULL;
2133
2134 if (sta->fils_erp_pmkid_set) {
2135 /* TODO: get PMKLifetime from WPA parameters */
2136 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2137 int session_timeout;
2138
2139 session_timeout = dot11RSNAConfigPMKLifetime;
2140 if (sta->session_timeout_set) {
2141 struct os_reltime now, diff;
2142
2143 os_get_reltime(&now);
2144 os_reltime_sub(&sta->session_timeout, &now,
2145 &diff);
2146 session_timeout = diff.sec;
2147 }
2148
2149 sta->fils_erp_pmkid_set = 0;
2150 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2151 sta->fils_erp_pmkid);
2152 if (!hapd->conf->disable_pmksa_caching &&
2153 wpa_auth_pmksa_add2(
2154 hapd->wpa_auth, sta->addr,
2155 pmk, pmk_len,
2156 sta->fils_erp_pmkid,
2157 session_timeout,
2158 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2159 wpa_printf(MSG_ERROR,
2160 "FILS: Failed to add PMKSA cache entry based on ERP");
2161 }
2162 }
2163 } else if (pmksa) {
2164 pmk = pmksa->pmk;
2165 pmk_len = pmksa->pmk_len;
2166 }
2167
2168 if (!pmk) {
2169 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2170 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2171 wpabuf_free(data);
2172 data = NULL;
2173 goto fail;
2174 }
2175
2176 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2177 sta->fils_snonce, fils_nonce,
2178 sta->fils_dh_ss ?
2179 wpabuf_head(sta->fils_dh_ss) : NULL,
2180 sta->fils_dh_ss ?
2181 wpabuf_len(sta->fils_dh_ss) : 0,
2182 sta->fils_g_sta, pub) < 0) {
2183 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2184 wpabuf_free(data);
2185 data = NULL;
2186 goto fail;
2187 }
2188
2189 fail:
2190 if (is_pub)
2191 *is_pub = pub != NULL;
2192 os_free(ie_buf);
2193 wpabuf_free(pub);
2194 wpabuf_clear_free(sta->fils_dh_ss);
2195 sta->fils_dh_ss = NULL;
2196 #ifdef CONFIG_FILS_SK_PFS
2197 crypto_ecdh_deinit(sta->fils_ecdh);
2198 sta->fils_ecdh = NULL;
2199 #endif /* CONFIG_FILS_SK_PFS */
2200 return data;
2201 }
2202
2203
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2204 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2205 struct sta_info *sta, u16 resp,
2206 struct wpabuf *data, int pub)
2207 {
2208 u16 auth_alg;
2209
2210 auth_alg = (pub ||
2211 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2212 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2213 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2214 data ? wpabuf_head(data) : (u8 *) "",
2215 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2216 wpabuf_free(data);
2217
2218 if (resp == WLAN_STATUS_SUCCESS) {
2219 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2220 HOSTAPD_LEVEL_DEBUG,
2221 "authentication OK (FILS)");
2222 sta->flags |= WLAN_STA_AUTH;
2223 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2224 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2225 mlme_authenticate_indication(hapd, sta);
2226 }
2227 }
2228
2229
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2230 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2231 struct sta_info *sta, int success,
2232 struct wpabuf *erp_resp,
2233 const u8 *msk, size_t msk_len)
2234 {
2235 u16 resp;
2236 u32 flags = sta->flags;
2237
2238 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2239 WLAN_STA_PENDING_PASN_FILS_ERP);
2240
2241 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2242
2243 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2244 struct wpabuf *data;
2245 int pub = 0;
2246
2247 if (!sta->fils_pending_cb)
2248 return;
2249
2250 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2251 msk, msk_len, &pub);
2252 if (!data) {
2253 wpa_printf(MSG_DEBUG,
2254 "%s: prepare_auth_resp_fils() failure",
2255 __func__);
2256 }
2257 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2258 #ifdef CONFIG_PASN
2259 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2260 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2261 msk, msk_len);
2262 #endif /* CONFIG_PASN */
2263 }
2264 }
2265
2266 #endif /* CONFIG_FILS */
2267
2268
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2269 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2270 const u8 *msg, size_t len,
2271 struct radius_sta *info)
2272 {
2273 int res;
2274
2275 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2276
2277 if (res == HOSTAPD_ACL_REJECT) {
2278 wpa_printf(MSG_DEBUG, "Station " MACSTR
2279 " not allowed to authenticate",
2280 MAC2STR(addr));
2281 return HOSTAPD_ACL_REJECT;
2282 }
2283
2284 if (res == HOSTAPD_ACL_PENDING) {
2285 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2286 " waiting for an external authentication",
2287 MAC2STR(addr));
2288 /* Authentication code will re-send the authentication frame
2289 * after it has received (and cached) information from the
2290 * external source. */
2291 return HOSTAPD_ACL_PENDING;
2292 }
2293
2294 return res;
2295 }
2296
2297
2298 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2299 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2300 int res, struct radius_sta *info)
2301 {
2302 u32 session_timeout = info->session_timeout;
2303 u32 acct_interim_interval = info->acct_interim_interval;
2304 struct vlan_description *vlan_id = &info->vlan_id;
2305 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2306 char *identity = info->identity;
2307 char *radius_cui = info->radius_cui;
2308
2309 if (vlan_id->notempty &&
2310 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2311 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2312 HOSTAPD_LEVEL_INFO,
2313 "Invalid VLAN %d%s received from RADIUS server",
2314 vlan_id->untagged,
2315 vlan_id->tagged[0] ? "+" : "");
2316 return -1;
2317 }
2318 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2319 return -1;
2320 if (sta->vlan_id)
2321 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2322 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2323
2324 hostapd_free_psk_list(sta->psk);
2325 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2326 hostapd_copy_psk_list(&sta->psk, psk);
2327 else
2328 sta->psk = NULL;
2329
2330 os_free(sta->identity);
2331 if (identity)
2332 sta->identity = os_strdup(identity);
2333 else
2334 sta->identity = NULL;
2335
2336 os_free(sta->radius_cui);
2337 if (radius_cui)
2338 sta->radius_cui = os_strdup(radius_cui);
2339 else
2340 sta->radius_cui = NULL;
2341
2342 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2343 sta->acct_interim_interval = acct_interim_interval;
2344 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2345 sta->session_timeout_set = 1;
2346 os_get_reltime(&sta->session_timeout);
2347 sta->session_timeout.sec += session_timeout;
2348 ap_sta_session_timeout(hapd, sta, session_timeout);
2349 } else {
2350 sta->session_timeout_set = 0;
2351 ap_sta_no_session_timeout(hapd, sta);
2352 }
2353
2354 return 0;
2355 }
2356
2357
2358 #ifdef CONFIG_PASN
2359 #ifdef CONFIG_SAE
2360
pasn_wd_handle_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2361 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2362 struct sta_info *sta,
2363 struct wpabuf *wd)
2364 {
2365 struct pasn_data *pasn = sta->pasn;
2366 const char *password = NULL;
2367 const u8 *data;
2368 size_t buf_len;
2369 u16 res, alg, seq, status;
2370 int groups[] = { pasn->group, 0 };
2371 int ret;
2372
2373 if (!wd)
2374 return -1;
2375
2376 data = wpabuf_head_u8(wd);
2377 buf_len = wpabuf_len(wd);
2378
2379 if (buf_len < 6) {
2380 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
2381 buf_len);
2382 return -1;
2383 }
2384
2385 alg = WPA_GET_LE16(data);
2386 seq = WPA_GET_LE16(data + 2);
2387 status = WPA_GET_LE16(data + 4);
2388
2389 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2390 alg, seq, status);
2391
2392 /* TODO: SAE H2E */
2393 if (alg != WLAN_AUTH_SAE || seq != 1 || status != WLAN_STATUS_SUCCESS) {
2394 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2395 return -1;
2396 }
2397
2398 sae_clear_data(&pasn->sae);
2399 pasn->sae.state = SAE_NOTHING;
2400
2401 ret = sae_set_group(&pasn->sae, pasn->group);
2402 if (ret) {
2403 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2404 return -1;
2405 }
2406
2407 password = sae_get_password(hapd, sta, NULL, NULL, NULL, NULL);
2408 if (!password) {
2409 wpa_printf(MSG_DEBUG, "PASN: No SAE password found");
2410 return -1;
2411 }
2412
2413 ret = sae_prepare_commit(hapd->own_addr, sta->addr,
2414 (const u8 *) password, os_strlen(password), 0,
2415 &pasn->sae);
2416 if (ret) {
2417 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2418 return -1;
2419 }
2420
2421 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2422 groups, 0);
2423 if (res != WLAN_STATUS_SUCCESS) {
2424 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2425 return -1;
2426 }
2427
2428 /* Process the commit message and derive the PMK */
2429 ret = sae_process_commit(&pasn->sae);
2430 if (ret) {
2431 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2432 return -1;
2433 }
2434
2435 pasn->sae.state = SAE_COMMITTED;
2436
2437 return 0;
2438 }
2439
2440
pasn_wd_handle_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2441 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2442 struct sta_info *sta,
2443 struct wpabuf *wd)
2444 {
2445 struct pasn_data *pasn = sta->pasn;
2446 const u8 *data;
2447 size_t buf_len;
2448 u16 res, alg, seq, status;
2449
2450 if (!wd)
2451 return -1;
2452
2453 data = wpabuf_head_u8(wd);
2454 buf_len = wpabuf_len(wd);
2455
2456 if (buf_len < 6) {
2457 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
2458 buf_len);
2459 return -1;
2460 }
2461
2462 alg = WPA_GET_LE16(data);
2463 seq = WPA_GET_LE16(data + 2);
2464 status = WPA_GET_LE16(data + 4);
2465
2466 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2467 alg, seq, status);
2468
2469 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2470 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2471 return -1;
2472 }
2473
2474 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2475 if (res != WLAN_STATUS_SUCCESS) {
2476 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2477 return -1;
2478 }
2479
2480 pasn->sae.state = SAE_ACCEPTED;
2481
2482 /*
2483 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2484 * PASN/SAE should only be allowed with future PASN only. For now do not
2485 * restrict this only for PASN.
2486 */
2487 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2488 pasn->sae.pmk, pasn->sae.pmkid);
2489 return 0;
2490 }
2491
2492
pasn_get_sae_wd(struct hostapd_data * hapd,struct sta_info * sta)2493 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2494 struct sta_info *sta)
2495 {
2496 struct pasn_data *pasn = sta->pasn;
2497 struct wpabuf *buf = NULL;
2498 u8 *len_ptr;
2499 size_t len;
2500
2501 /* Need to add the entire Authentication frame body */
2502 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2503 if (!buf) {
2504 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2505 return NULL;
2506 }
2507
2508 /* Need to add the entire authentication frame body for the commit */
2509 len_ptr = wpabuf_put(buf, 2);
2510 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2511 wpabuf_put_le16(buf, 1);
2512 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2513
2514 /* Write the actual commit and update the length accordingly */
2515 sae_write_commit(&pasn->sae, buf, NULL, 0);
2516 len = wpabuf_len(buf);
2517 WPA_PUT_LE16(len_ptr, len - 2);
2518
2519 /* Need to add the entire Authentication frame body for the confirm */
2520 len_ptr = wpabuf_put(buf, 2);
2521 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2522 wpabuf_put_le16(buf, 2);
2523 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2524
2525 sae_write_confirm(&pasn->sae, buf);
2526 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2527
2528 pasn->sae.state = SAE_CONFIRMED;
2529
2530 return buf;
2531 }
2532
2533 #endif /* CONFIG_SAE */
2534
2535
2536 #ifdef CONFIG_FILS
2537
pasn_get_fils_wd(struct hostapd_data * hapd,struct sta_info * sta)2538 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2539 struct sta_info *sta)
2540 {
2541 struct pasn_data *pasn = sta->pasn;
2542 struct pasn_fils_data *fils = &pasn->fils;
2543 struct wpabuf *buf = NULL;
2544
2545 if (!fils->erp_resp) {
2546 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2547 return NULL;
2548 }
2549
2550 buf = wpabuf_alloc(1500);
2551 if (!buf)
2552 return NULL;
2553
2554 /* Add the authentication algorithm */
2555 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2556
2557 /* Authentication Transaction seq# */
2558 wpabuf_put_le16(buf, 2);
2559
2560 /* Status Code */
2561 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2562
2563 /* Own RSNE */
2564 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2565
2566 /* FILS Nonce */
2567 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2568 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2569 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2570 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2571
2572 /* FILS Session */
2573 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2574 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2575 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2576 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2577
2578 /* Wrapped Data */
2579 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2580 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2581 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2582 wpabuf_put_buf(buf, fils->erp_resp);
2583
2584 return buf;
2585 }
2586
2587
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2588 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2589 struct sta_info *sta, u16 status,
2590 struct wpabuf *erp_resp,
2591 const u8 *msk, size_t msk_len)
2592 {
2593 struct pasn_data *pasn = sta->pasn;
2594 struct pasn_fils_data *fils = &pasn->fils;
2595 u8 pmk[PMK_LEN_MAX];
2596 size_t pmk_len;
2597 int ret;
2598
2599 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2600 status);
2601
2602 if (status != WLAN_STATUS_SUCCESS)
2603 goto fail;
2604
2605 if (!pasn->secret) {
2606 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2607 goto fail;
2608 }
2609
2610 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2611 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2612 goto fail;
2613 }
2614
2615 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2616 fils->anonce, FILS_NONCE_LEN);
2617
2618 ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2619 fils->anonce, NULL, 0, pmk, &pmk_len);
2620 if (ret) {
2621 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2622 goto fail;
2623 }
2624
2625 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2626 wpabuf_head(pasn->secret),
2627 wpabuf_len(pasn->secret),
2628 &sta->pasn->ptk, sta->pasn->akmp,
2629 sta->pasn->cipher, WPA_KDK_MAX_LEN);
2630 if (ret) {
2631 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2632 goto fail;
2633 }
2634
2635 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2636
2637 wpabuf_free(pasn->secret);
2638 pasn->secret = NULL;
2639
2640 fils->erp_resp = erp_resp;
2641 ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2642 fils->erp_resp = NULL;
2643
2644 if (ret) {
2645 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2646 goto fail;
2647 }
2648
2649 fils->state = PASN_FILS_STATE_COMPLETE;
2650 return;
2651 fail:
2652 ap_free_sta(hapd, sta);
2653 }
2654
2655
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2656 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2657 struct wpabuf *wd)
2658 {
2659 struct pasn_data *pasn = sta->pasn;
2660 struct pasn_fils_data *fils = &pasn->fils;
2661 struct ieee802_11_elems elems;
2662 struct wpa_ie_data rsne_data;
2663 struct wpabuf *fils_wd;
2664 const u8 *data;
2665 size_t buf_len;
2666 u16 alg, seq, status;
2667 int ret;
2668
2669 if (fils->state != PASN_FILS_STATE_NONE) {
2670 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2671 return -1;
2672 }
2673
2674 if (!wd) {
2675 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2676 return -1;
2677 }
2678
2679 data = wpabuf_head_u8(wd);
2680 buf_len = wpabuf_len(wd);
2681
2682 if (buf_len < 6) {
2683 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%lu",
2684 buf_len);
2685 return -1;
2686 }
2687
2688 alg = WPA_GET_LE16(data);
2689 seq = WPA_GET_LE16(data + 2);
2690 status = WPA_GET_LE16(data + 4);
2691
2692 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2693 alg, seq, status);
2694
2695 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2696 status != WLAN_STATUS_SUCCESS) {
2697 wpa_printf(MSG_DEBUG,
2698 "PASN: FILS: Dropping peer authentication");
2699 return -1;
2700 }
2701
2702 data += 6;
2703 buf_len -= 6;
2704
2705 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2706 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2707 return -1;
2708 }
2709
2710 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2711 !elems.wrapped_data) {
2712 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2713 return -1;
2714 }
2715
2716 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2717 &rsne_data);
2718 if (ret) {
2719 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2720 return -1;
2721 }
2722
2723 ret = wpa_pasn_validate_rsne(&rsne_data);
2724 if (ret) {
2725 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2726 return -1;
2727 }
2728
2729 if (rsne_data.num_pmkid) {
2730 wpa_printf(MSG_DEBUG,
2731 "PASN: FILS: Not expecting PMKID in RSNE");
2732 return -1;
2733 }
2734
2735 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2736 FILS_NONCE_LEN);
2737 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2738
2739 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2740 FILS_SESSION_LEN);
2741 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2742
2743 #ifdef CONFIG_NO_RADIUS
2744 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2745 return -1;
2746 #endif /* CONFIG_NO_RADIUS */
2747
2748 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2749 WLAN_EID_EXT_WRAPPED_DATA);
2750
2751 if (!fils_wd) {
2752 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2753 return -1;
2754 }
2755
2756 if (!sta->eapol_sm)
2757 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2758
2759 wpa_printf(MSG_DEBUG,
2760 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2761
2762 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2763 wpabuf_len(fils_wd));
2764
2765 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2766
2767 fils->state = PASN_FILS_STATE_PENDING_AS;
2768
2769 /*
2770 * Calculate pending PMKID here so that we do not need to maintain a
2771 * copy of the EAP-Initiate/Reautt message.
2772 */
2773 fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2774 fils->erp_pmkid);
2775
2776 wpabuf_free(fils_wd);
2777 return 0;
2778 }
2779
2780 #endif /* CONFIG_FILS */
2781
2782
pasn_get_wrapped_data(struct hostapd_data * hapd,struct sta_info * sta)2783 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2784 struct sta_info *sta)
2785 {
2786 switch (sta->pasn->akmp) {
2787 case WPA_KEY_MGMT_PASN:
2788 /* no wrapped data */
2789 return NULL;
2790 case WPA_KEY_MGMT_SAE:
2791 #ifdef CONFIG_SAE
2792 return pasn_get_sae_wd(hapd, sta);
2793 #else /* CONFIG_SAE */
2794 wpa_printf(MSG_ERROR,
2795 "PASN: SAE: Cannot derive wrapped data");
2796 return NULL;
2797 #endif /* CONFIG_SAE */
2798 case WPA_KEY_MGMT_FILS_SHA256:
2799 case WPA_KEY_MGMT_FILS_SHA384:
2800 #ifdef CONFIG_FILS
2801 return pasn_get_fils_wd(hapd, sta);
2802 #endif /* CONFIG_FILS */
2803 /* fall through */
2804 case WPA_KEY_MGMT_FT_PSK:
2805 case WPA_KEY_MGMT_FT_IEEE8021X:
2806 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2807 default:
2808 wpa_printf(MSG_ERROR,
2809 "PASN: TODO: Wrapped data for akmp=0x%x",
2810 sta->pasn->akmp);
2811 return NULL;
2812 }
2813 }
2814
2815
2816 static int
pasn_derive_keys(struct hostapd_data * hapd,struct sta_info * sta,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)2817 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2818 const u8 *cached_pmk, size_t cached_pmk_len,
2819 struct wpa_pasn_params_data *pasn_data,
2820 struct wpabuf *wrapped_data,
2821 struct wpabuf *secret)
2822 {
2823 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2824 u8 pmk[PMK_LEN_MAX];
2825 u8 pmk_len;
2826 int ret;
2827
2828 os_memset(pmk, 0, sizeof(pmk));
2829 pmk_len = 0;
2830
2831 if (!cached_pmk || !cached_pmk_len)
2832 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2833
2834 if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2835 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2836
2837 pmk_len = WPA_PASN_PMK_LEN;
2838 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2839 } else if (cached_pmk && cached_pmk_len) {
2840 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2841
2842 pmk_len = cached_pmk_len;
2843 os_memcpy(pmk, cached_pmk, cached_pmk_len);
2844 } else {
2845 switch (sta->pasn->akmp) {
2846 #ifdef CONFIG_SAE
2847 case WPA_KEY_MGMT_SAE:
2848 if (sta->pasn->sae.state == SAE_COMMITTED) {
2849 pmk_len = PMK_LEN;
2850 os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2851 break;
2852 }
2853 #endif /* CONFIG_SAE */
2854 /* fall through */
2855 default:
2856 /* TODO: Derive PMK based on wrapped data */
2857 wpa_printf(MSG_DEBUG,
2858 "PASN: Missing PMK derivation");
2859 return -1;
2860 }
2861 }
2862
2863 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2864 wpabuf_head(secret), wpabuf_len(secret),
2865 &sta->pasn->ptk, sta->pasn->akmp,
2866 sta->pasn->cipher, WPA_KDK_MAX_LEN);
2867 if (ret) {
2868 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2869 return -1;
2870 }
2871
2872 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2873 return 0;
2874 }
2875
2876
handle_auth_pasn_resp(struct hostapd_data * hapd,struct sta_info * sta,struct rsn_pmksa_cache_entry * pmksa,u16 status)2877 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2878 struct sta_info *sta,
2879 struct rsn_pmksa_cache_entry *pmksa,
2880 u16 status)
2881 {
2882 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2883 u8 mic[WPA_PASN_MAX_MIC_LEN];
2884 u8 mic_len, frame_len, data_len;
2885 u8 *ptr;
2886 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2887 u8 *data_buf = NULL;
2888 size_t rsn_ie_len;
2889 int ret;
2890
2891 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2892
2893 buf = wpabuf_alloc(1500);
2894 if (!buf)
2895 goto fail;
2896
2897 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2898 sta->addr, 2, status);
2899
2900 if (status != WLAN_STATUS_SUCCESS)
2901 goto done;
2902
2903 if (wpa_pasn_add_rsne(buf, pmksa ? pmksa->pmkid : NULL,
2904 sta->pasn->akmp, sta->pasn->cipher) < 0)
2905 goto fail;
2906
2907 /* No need to derive PMK if PMKSA is given */
2908 if (!pmksa)
2909 wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
2910 else
2911 sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
2912
2913 /* Get public key */
2914 pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
2915 pubkey = wpabuf_zeropad(pubkey,
2916 crypto_ecdh_prime_len(sta->pasn->ecdh));
2917 if (!pubkey) {
2918 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
2919 goto fail;
2920 }
2921
2922 wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
2923 sta->pasn->wrapped_data_format,
2924 pubkey, NULL, 0);
2925
2926 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
2927 goto fail;
2928
2929 wpabuf_free(wrapped_data_buf);
2930 wrapped_data_buf = NULL;
2931 wpabuf_free(pubkey);
2932 pubkey = NULL;
2933
2934 /* Add RSNXE if needed */
2935 rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
2936 if (rsnxe_ie)
2937 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
2938
2939 /* Add the mic */
2940 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
2941 wpabuf_put_u8(buf, WLAN_EID_MIC);
2942 wpabuf_put_u8(buf, mic_len);
2943 ptr = wpabuf_put(buf, mic_len);
2944
2945 os_memset(ptr, 0, mic_len);
2946
2947 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
2948 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
2949
2950 rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
2951 if (!rsn_ie || !rsn_ie_len)
2952 goto fail;
2953
2954 /*
2955 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
2956 * MDE, etc. Thus, do not use the returned length but instead use the
2957 * length specified in the IE header.
2958 */
2959 data_len = rsn_ie[1] + 2;
2960 if (rsnxe_ie) {
2961 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
2962 if (!data_buf)
2963 goto fail;
2964
2965 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
2966 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
2967 data_len += rsnxe_ie[1] + 2;
2968 data = data_buf;
2969 } else {
2970 data = rsn_ie;
2971 }
2972
2973 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
2974 hapd->own_addr, sta->addr, data, data_len,
2975 frame, frame_len, mic);
2976 os_free(data_buf);
2977 if (ret) {
2978 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
2979 goto fail;
2980 }
2981
2982 os_memcpy(ptr, mic, mic_len);
2983
2984 done:
2985 wpa_printf(MSG_DEBUG,
2986 "PASN: Building frame 2: success; resp STA=" MACSTR,
2987 MAC2STR(sta->addr));
2988
2989 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2990 NULL, 0, 0);
2991 if (ret)
2992 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
2993
2994 wpabuf_free(buf);
2995 return ret;
2996 fail:
2997 wpabuf_free(wrapped_data_buf);
2998 wpabuf_free(pubkey);
2999 wpabuf_free(buf);
3000 return -1;
3001 }
3002
3003
handle_auth_pasn_1(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3004 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3005 const struct ieee80211_mgmt *mgmt, size_t len)
3006 {
3007 struct ieee802_11_elems elems;
3008 struct wpa_ie_data rsn_data;
3009 struct wpa_pasn_params_data pasn_params;
3010 struct rsn_pmksa_cache_entry *pmksa = NULL;
3011 const u8 *cached_pmk = NULL;
3012 size_t cached_pmk_len = 0;
3013 #ifdef CONFIG_IEEE80211R_AP
3014 u8 pmk_r1[PMK_LEN_MAX];
3015 size_t pmk_r1_len;
3016 #endif /* CONFIG_IEEE80211R_AP */
3017 struct wpabuf *wrapped_data = NULL, *secret = NULL;
3018 const int *groups = hapd->conf->pasn_groups;
3019 static const int default_groups[] = { 19, 0 };
3020 u16 status = WLAN_STATUS_SUCCESS;
3021 int ret;
3022 bool derive_keys;
3023 u32 i;
3024
3025 if (!groups)
3026 groups = default_groups;
3027
3028 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3029 len - offsetof(struct ieee80211_mgmt,
3030 u.auth.variable),
3031 &elems, 0) == ParseFailed) {
3032 wpa_printf(MSG_DEBUG,
3033 "PASN: Failed parsing Authentication frame");
3034 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3035 goto send_resp;
3036 }
3037
3038 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3039 &rsn_data);
3040 if (ret) {
3041 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3042 status = WLAN_STATUS_INVALID_RSNIE;
3043 goto send_resp;
3044 }
3045
3046 ret = wpa_pasn_validate_rsne(&rsn_data);
3047 if (ret) {
3048 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3049 status = WLAN_STATUS_INVALID_RSNIE;
3050 goto send_resp;
3051 }
3052
3053 if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3054 !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3055 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3056 status = WLAN_STATUS_INVALID_RSNIE;
3057 goto send_resp;
3058 }
3059
3060 sta->pasn->akmp = rsn_data.key_mgmt;
3061 sta->pasn->cipher = rsn_data.pairwise_cipher;
3062
3063 if (!elems.pasn_params || !elems.pasn_params_len) {
3064 wpa_printf(MSG_DEBUG,
3065 "PASN: No PASN Parameters element found");
3066 status = WLAN_STATUS_INVALID_PARAMETERS;
3067 goto send_resp;
3068 }
3069
3070 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3071 elems.pasn_params_len + 3,
3072 false, &pasn_params);
3073 if (ret) {
3074 wpa_printf(MSG_DEBUG,
3075 "PASN: Failed validation of PASN Parameters IE");
3076 status = WLAN_STATUS_INVALID_PARAMETERS;
3077 goto send_resp;
3078 }
3079
3080 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3081 ;
3082
3083 if (!pasn_params.group || groups[i] != pasn_params.group) {
3084 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3085 pasn_params.group);
3086 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3087 goto send_resp;
3088 }
3089
3090 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3091 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3092 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3093 goto send_resp;
3094 }
3095
3096 sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3097 if (!sta->pasn->ecdh) {
3098 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3099 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3100 goto send_resp;
3101 }
3102
3103 sta->pasn->group = pasn_params.group;
3104
3105 secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, 0,
3106 pasn_params.pubkey,
3107 pasn_params.pubkey_len);
3108 if (!secret) {
3109 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3110 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3111 goto send_resp;
3112 }
3113
3114 derive_keys = true;
3115 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3116 wrapped_data = ieee802_11_defrag(&elems,
3117 WLAN_EID_EXTENSION,
3118 WLAN_EID_EXT_WRAPPED_DATA);
3119 if (!wrapped_data) {
3120 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3121 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3122 goto send_resp;
3123 }
3124
3125 #ifdef CONFIG_SAE
3126 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3127 ret = pasn_wd_handle_sae_commit(hapd, sta,
3128 wrapped_data);
3129 if (ret) {
3130 wpa_printf(MSG_DEBUG,
3131 "PASN: Failed processing SAE commit");
3132 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3133 goto send_resp;
3134 }
3135 }
3136 #endif /* CONFIG_SAE */
3137 #ifdef CONFIG_FILS
3138 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3139 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3140 ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3141 if (ret) {
3142 wpa_printf(MSG_DEBUG,
3143 "PASN: Failed processing FILS wrapped data");
3144 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3145 goto send_resp;
3146 }
3147
3148 wpa_printf(MSG_DEBUG,
3149 "PASN: FILS: Pending AS response");
3150
3151 /*
3152 * With PASN/FILS, keys can be derived only after a
3153 * response from the AS is processed.
3154 */
3155 derive_keys = false;
3156 }
3157 #endif /* CONFIG_FILS */
3158 }
3159
3160 sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3161
3162 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3163 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3164 len - IEEE80211_HDRLEN, sta->pasn->hash);
3165 if (ret) {
3166 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3167 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3168 goto send_resp;
3169 }
3170
3171 if (!derive_keys) {
3172 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3173 sta->pasn->secret = secret;
3174 wpabuf_free(wrapped_data);
3175 return;
3176 }
3177
3178 if (rsn_data.num_pmkid) {
3179 if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3180 #ifdef CONFIG_IEEE80211R_AP
3181 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3182
3183 ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3184 rsn_data.pmkid,
3185 pmk_r1, &pmk_r1_len, NULL,
3186 NULL, NULL, NULL,
3187 NULL, NULL, NULL);
3188 if (ret) {
3189 wpa_printf(MSG_DEBUG,
3190 "PASN: FT: Failed getting PMK-R1");
3191 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3192 goto send_resp;
3193 }
3194 cached_pmk = pmk_r1;
3195 cached_pmk_len = pmk_r1_len;
3196 #else /* CONFIG_IEEE80211R_AP */
3197 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3198 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3199 goto send_resp;
3200 #endif /* CONFIG_IEEE80211R_AP */
3201 } else {
3202 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3203
3204 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3205 rsn_data.pmkid);
3206 if (pmksa) {
3207 cached_pmk = pmksa->pmk;
3208 cached_pmk_len = pmksa->pmk_len;
3209 }
3210 }
3211 } else {
3212 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3213 }
3214
3215 ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3216 &pasn_params, wrapped_data, secret);
3217 if (ret) {
3218 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3219 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3220 goto send_resp;
3221 }
3222
3223 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3224 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3225 len - IEEE80211_HDRLEN, sta->pasn->hash);
3226 if (ret) {
3227 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3228 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3229 }
3230
3231 send_resp:
3232 ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3233 if (ret) {
3234 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3235 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3236 } else {
3237 wpa_printf(MSG_DEBUG,
3238 "PASN: Success handling transaction == 1");
3239 }
3240
3241 wpabuf_free(secret);
3242 wpabuf_free(wrapped_data);
3243
3244 if (status != WLAN_STATUS_SUCCESS)
3245 ap_free_sta(hapd, sta);
3246 }
3247
3248
handle_auth_pasn_3(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3249 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3250 const struct ieee80211_mgmt *mgmt, size_t len)
3251 {
3252 struct ieee802_11_elems elems;
3253 struct wpa_pasn_params_data pasn_params;
3254 struct wpabuf *wrapped_data = NULL;
3255 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3256 u8 mic_len;
3257 int ret;
3258
3259 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3260 len - offsetof(struct ieee80211_mgmt,
3261 u.auth.variable),
3262 &elems, 0) == ParseFailed) {
3263 wpa_printf(MSG_DEBUG,
3264 "PASN: Failed parsing Authentication frame");
3265 goto fail;
3266 }
3267
3268 /* Check that the MIC IE exists. Save it and zero out the memory. */
3269 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3270 if (!elems.mic || elems.mic_len != mic_len) {
3271 wpa_printf(MSG_DEBUG,
3272 "PASN: Invalid MIC. Expecting len=%u", mic_len);
3273 goto fail;
3274 } else {
3275 os_memcpy(mic, elems.mic, mic_len);
3276 /* TODO: Clean this up.. Should not modify received frame
3277 * buffer. */
3278 os_memset((u8 *) elems.mic, 0, mic_len);
3279 }
3280
3281 if (!elems.pasn_params || !elems.pasn_params_len) {
3282 wpa_printf(MSG_DEBUG,
3283 "PASN: No PASN Parameters element found");
3284 goto fail;
3285 }
3286
3287 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3288 elems.pasn_params_len + 3,
3289 false, &pasn_params);
3290 if (ret) {
3291 wpa_printf(MSG_DEBUG,
3292 "PASN: Failed validation of PASN Parameters IE");
3293 goto fail;
3294 }
3295
3296 if (pasn_params.pubkey || pasn_params.pubkey_len) {
3297 wpa_printf(MSG_DEBUG,
3298 "PASN: Public key should not be included");
3299 goto fail;
3300 }
3301
3302 /* Verify the MIC */
3303 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3304 sta->addr, hapd->own_addr,
3305 sta->pasn->hash, mic_len * 2,
3306 (u8 *) &mgmt->u.auth,
3307 len - offsetof(struct ieee80211_mgmt, u.auth),
3308 out_mic);
3309
3310 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3311 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3312 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3313 goto fail;
3314 }
3315
3316 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3317 wrapped_data = ieee802_11_defrag(&elems,
3318 WLAN_EID_EXTENSION,
3319 WLAN_EID_EXT_WRAPPED_DATA);
3320
3321 if (!wrapped_data) {
3322 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3323 goto fail;
3324 }
3325
3326 #ifdef CONFIG_SAE
3327 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3328 ret = pasn_wd_handle_sae_confirm(hapd, sta,
3329 wrapped_data);
3330 if (ret) {
3331 wpa_printf(MSG_DEBUG,
3332 "PASN: Failed processing SAE confirm");
3333 wpabuf_free(wrapped_data);
3334 goto fail;
3335 }
3336 }
3337 #endif /* CONFIG_SAE */
3338 #ifdef CONFIG_FILS
3339 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3340 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3341 if (wrapped_data) {
3342 wpa_printf(MSG_DEBUG,
3343 "PASN: FILS: Ignore wrapped data");
3344 }
3345 }
3346 #endif /* CONFIG_FILS */
3347 wpabuf_free(wrapped_data);
3348 }
3349
3350 wpa_printf(MSG_INFO,
3351 "PASN: Success handling transaction == 3. Store PTK");
3352
3353 ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3354 &sta->pasn->ptk);
3355 fail:
3356 ap_free_sta(hapd, sta);
3357 }
3358
3359
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)3360 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3361 const struct ieee80211_mgmt *mgmt, size_t len,
3362 u16 trans_seq, u16 status)
3363 {
3364 if (hapd->conf->wpa != WPA_PROTO_RSN) {
3365 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3366 return;
3367 }
3368
3369 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
3370 MAC2STR(sta->addr));
3371
3372 if (trans_seq == 1) {
3373 if (sta->pasn) {
3374 wpa_printf(MSG_DEBUG,
3375 "PASN: Not expecting transaction == 1");
3376 return;
3377 }
3378
3379 if (status != WLAN_STATUS_SUCCESS) {
3380 wpa_printf(MSG_DEBUG,
3381 "PASN: Failure status in transaction == 1");
3382 return;
3383 }
3384
3385 sta->pasn = os_zalloc(sizeof(*sta->pasn));
3386 if (!sta->pasn) {
3387 wpa_printf(MSG_DEBUG,
3388 "PASN: Failed to allocate PASN context");
3389 return;
3390 }
3391
3392 handle_auth_pasn_1(hapd, sta, mgmt, len);
3393 } else if (trans_seq == 3) {
3394 if (!sta->pasn) {
3395 wpa_printf(MSG_DEBUG,
3396 "PASN: Not expecting transaction == 3");
3397 return;
3398 }
3399
3400 if (status != WLAN_STATUS_SUCCESS) {
3401 wpa_printf(MSG_DEBUG,
3402 "PASN: Failure status in transaction == 3");
3403 ap_free_sta_pasn(hapd, sta);
3404 return;
3405 }
3406
3407 handle_auth_pasn_3(hapd, sta, mgmt, len);
3408 } else {
3409 wpa_printf(MSG_DEBUG,
3410 "PASN: Invalid transaction %u - ignore", trans_seq);
3411 }
3412 }
3413
3414 #endif /* CONFIG_PASN */
3415
3416
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)3417 static void handle_auth(struct hostapd_data *hapd,
3418 const struct ieee80211_mgmt *mgmt, size_t len,
3419 int rssi, int from_queue)
3420 {
3421 u16 auth_alg, auth_transaction, status_code;
3422 u16 resp = WLAN_STATUS_SUCCESS;
3423 struct sta_info *sta = NULL;
3424 int res, reply_res;
3425 u16 fc;
3426 const u8 *challenge = NULL;
3427 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3428 size_t resp_ies_len = 0;
3429 u16 seq_ctrl;
3430 struct radius_sta rad_info;
3431
3432 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3433 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3434 (unsigned long) len);
3435 return;
3436 }
3437
3438 #ifdef CONFIG_TESTING_OPTIONS
3439 if (hapd->iconf->ignore_auth_probability > 0.0 &&
3440 drand48() < hapd->iconf->ignore_auth_probability) {
3441 wpa_printf(MSG_INFO,
3442 "TESTING: ignoring auth frame from " MACSTR,
3443 MAC2STR(mgmt->sa));
3444 return;
3445 }
3446 #endif /* CONFIG_TESTING_OPTIONS */
3447
3448 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3449 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3450 status_code = le_to_host16(mgmt->u.auth.status_code);
3451 fc = le_to_host16(mgmt->frame_control);
3452 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3453
3454 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3455 2 + WLAN_AUTH_CHALLENGE_LEN &&
3456 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3457 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3458 challenge = &mgmt->u.auth.variable[2];
3459
3460 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
3461 "auth_transaction=%d status_code=%d wep=%d%s "
3462 "seq_ctrl=0x%x%s%s",
3463 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
3464 status_code, !!(fc & WLAN_FC_ISWEP),
3465 challenge ? " challenge" : "",
3466 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3467 from_queue ? " (from queue)" : "");
3468
3469 #ifdef CONFIG_NO_RC4
3470 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3471 wpa_printf(MSG_INFO,
3472 "Unsupported authentication algorithm (%d)",
3473 auth_alg);
3474 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3475 goto fail;
3476 }
3477 #endif /* CONFIG_NO_RC4 */
3478
3479 if (hapd->tkip_countermeasures) {
3480 wpa_printf(MSG_DEBUG,
3481 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3482 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3483 goto fail;
3484 }
3485
3486 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3487 auth_alg == WLAN_AUTH_OPEN) ||
3488 #ifdef CONFIG_IEEE80211R_AP
3489 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3490 auth_alg == WLAN_AUTH_FT) ||
3491 #endif /* CONFIG_IEEE80211R_AP */
3492 #ifdef CONFIG_SAE
3493 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3494 auth_alg == WLAN_AUTH_SAE) ||
3495 #endif /* CONFIG_SAE */
3496 #ifdef CONFIG_FILS
3497 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3498 auth_alg == WLAN_AUTH_FILS_SK) ||
3499 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3500 hapd->conf->fils_dh_group &&
3501 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3502 #endif /* CONFIG_FILS */
3503 #ifdef CONFIG_PASN
3504 (hapd->conf->wpa &&
3505 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3506 auth_alg == WLAN_AUTH_PASN) ||
3507 #endif /* CONFIG_PASN */
3508 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3509 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3510 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3511 auth_alg);
3512 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3513 goto fail;
3514 }
3515
3516 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3517 #ifdef CONFIG_PASN
3518 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3519 #endif /* CONFIG_PASN */
3520 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3521 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3522 auth_transaction);
3523 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3524 goto fail;
3525 }
3526
3527 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3528 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3529 MAC2STR(mgmt->sa));
3530 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3531 goto fail;
3532 }
3533
3534 if (hapd->conf->no_auth_if_seen_on) {
3535 struct hostapd_data *other;
3536
3537 other = sta_track_seen_on(hapd->iface, mgmt->sa,
3538 hapd->conf->no_auth_if_seen_on);
3539 if (other) {
3540 u8 *pos;
3541 u32 info;
3542 u8 op_class, channel, phytype;
3543
3544 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3545 MACSTR " since STA has been seen on %s",
3546 hapd->conf->iface, MAC2STR(mgmt->sa),
3547 hapd->conf->no_auth_if_seen_on);
3548
3549 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3550 pos = &resp_ies[0];
3551 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3552 *pos++ = 13;
3553 os_memcpy(pos, other->own_addr, ETH_ALEN);
3554 pos += ETH_ALEN;
3555 info = 0; /* TODO: BSSID Information */
3556 WPA_PUT_LE32(pos, info);
3557 pos += 4;
3558 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3559 phytype = 8; /* dmg */
3560 else if (other->iconf->ieee80211ac)
3561 phytype = 9; /* vht */
3562 else if (other->iconf->ieee80211n)
3563 phytype = 7; /* ht */
3564 else if (other->iconf->hw_mode ==
3565 HOSTAPD_MODE_IEEE80211A)
3566 phytype = 4; /* ofdm */
3567 else if (other->iconf->hw_mode ==
3568 HOSTAPD_MODE_IEEE80211G)
3569 phytype = 6; /* erp */
3570 else
3571 phytype = 5; /* hrdsss */
3572 if (ieee80211_freq_to_channel_ext(
3573 hostapd_hw_get_freq(other,
3574 other->iconf->channel),
3575 other->iconf->secondary_channel,
3576 other->iconf->ieee80211ac,
3577 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3578 op_class = 0;
3579 channel = other->iconf->channel;
3580 }
3581 *pos++ = op_class;
3582 *pos++ = channel;
3583 *pos++ = phytype;
3584 resp_ies_len = pos - &resp_ies[0];
3585 goto fail;
3586 }
3587 }
3588
3589 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3590 &rad_info);
3591 if (res == HOSTAPD_ACL_REJECT) {
3592 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3593 "Ignore Authentication frame from " MACSTR
3594 " due to ACL reject", MAC2STR(mgmt->sa));
3595 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3596 goto fail;
3597 }
3598 if (res == HOSTAPD_ACL_PENDING)
3599 return;
3600
3601 #ifdef CONFIG_SAE
3602 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3603 (auth_transaction == 1 ||
3604 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3605 /* Handle SAE Authentication commit message through a queue to
3606 * provide more control for postponing the needed heavy
3607 * processing under a possible DoS attack scenario. In addition,
3608 * queue SAE Authentication confirm message if there happens to
3609 * be a queued commit message from the same peer. This is needed
3610 * to avoid reordering Authentication frames within the same
3611 * SAE exchange. */
3612 auth_sae_queue(hapd, mgmt, len, rssi);
3613 return;
3614 }
3615 #endif /* CONFIG_SAE */
3616
3617 sta = ap_get_sta(hapd, mgmt->sa);
3618 if (sta) {
3619 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3620 sta->ft_over_ds = 0;
3621 if ((fc & WLAN_FC_RETRY) &&
3622 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3623 sta->last_seq_ctrl == seq_ctrl &&
3624 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3625 hostapd_logger(hapd, sta->addr,
3626 HOSTAPD_MODULE_IEEE80211,
3627 HOSTAPD_LEVEL_DEBUG,
3628 "Drop repeated authentication frame seq_ctrl=0x%x",
3629 seq_ctrl);
3630 return;
3631 }
3632 #ifdef CONFIG_MESH
3633 if ((hapd->conf->mesh & MESH_ENABLED) &&
3634 sta->plink_state == PLINK_BLOCKED) {
3635 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3636 " is blocked - drop Authentication frame",
3637 MAC2STR(mgmt->sa));
3638 return;
3639 }
3640 #endif /* CONFIG_MESH */
3641 #ifdef CONFIG_PASN
3642 if (auth_alg == WLAN_AUTH_PASN &&
3643 (sta->flags & WLAN_STA_ASSOC)) {
3644 wpa_printf(MSG_DEBUG,
3645 "PASN: auth: Existing station: " MACSTR,
3646 MAC2STR(sta->addr));
3647 return;
3648 }
3649 #endif /* CONFIG_PASN */
3650 } else {
3651 #ifdef CONFIG_MESH
3652 if (hapd->conf->mesh & MESH_ENABLED) {
3653 /* if the mesh peer is not available, we don't do auth.
3654 */
3655 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3656 " not yet known - drop Authentication frame",
3657 MAC2STR(mgmt->sa));
3658 /*
3659 * Save a copy of the frame so that it can be processed
3660 * if a new peer entry is added shortly after this.
3661 */
3662 wpabuf_free(hapd->mesh_pending_auth);
3663 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3664 os_get_reltime(&hapd->mesh_pending_auth_time);
3665 return;
3666 }
3667 #endif /* CONFIG_MESH */
3668
3669 sta = ap_sta_add(hapd, mgmt->sa);
3670 if (!sta) {
3671 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3672 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3673 goto fail;
3674 }
3675 }
3676 sta->last_seq_ctrl = seq_ctrl;
3677 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3678 #ifdef CONFIG_MBO
3679 sta->auth_rssi = rssi;
3680 #endif /* CONFIG_MBO */
3681
3682 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3683 if (res) {
3684 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3685 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3686 goto fail;
3687 }
3688
3689 sta->flags &= ~WLAN_STA_PREAUTH;
3690 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3691
3692 /*
3693 * If the driver supports full AP client state, add a station to the
3694 * driver before sending authentication reply to make sure the driver
3695 * has resources, and not to go through the entire authentication and
3696 * association handshake, and fail it at the end.
3697 *
3698 * If this is not the first transaction, in a multi-step authentication
3699 * algorithm, the station already exists in the driver
3700 * (sta->added_unassoc = 1) so skip it.
3701 *
3702 * In mesh mode, the station was already added to the driver when the
3703 * NEW_PEER_CANDIDATE event is received.
3704 *
3705 * If PMF was negotiated for the existing association, skip this to
3706 * avoid dropping the STA entry and the associated keys. This is needed
3707 * to allow the original connection work until the attempt can complete
3708 * (re)association, so that unprotected Authentication frame cannot be
3709 * used to bypass PMF protection.
3710 *
3711 * PASN authentication does not require adding/removing station to the
3712 * driver so skip this flow in case of PASN authentication.
3713 */
3714 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3715 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3716 !(hapd->conf->mesh & MESH_ENABLED) &&
3717 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3718 if (ap_sta_re_add(hapd, sta) < 0) {
3719 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3720 goto fail;
3721 }
3722 }
3723
3724 switch (auth_alg) {
3725 case WLAN_AUTH_OPEN:
3726 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3727 HOSTAPD_LEVEL_DEBUG,
3728 "authentication OK (open system)");
3729 sta->flags |= WLAN_STA_AUTH;
3730 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3731 sta->auth_alg = WLAN_AUTH_OPEN;
3732 mlme_authenticate_indication(hapd, sta);
3733 break;
3734 #ifdef CONFIG_WEP
3735 #ifndef CONFIG_NO_RC4
3736 case WLAN_AUTH_SHARED_KEY:
3737 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3738 fc & WLAN_FC_ISWEP);
3739 if (resp != 0)
3740 wpa_printf(MSG_DEBUG,
3741 "auth_shared_key() failed: status=%d", resp);
3742 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3743 mlme_authenticate_indication(hapd, sta);
3744 if (sta->challenge && auth_transaction == 1) {
3745 resp_ies[0] = WLAN_EID_CHALLENGE;
3746 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3747 os_memcpy(resp_ies + 2, sta->challenge,
3748 WLAN_AUTH_CHALLENGE_LEN);
3749 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3750 }
3751 break;
3752 #endif /* CONFIG_NO_RC4 */
3753 #endif /* CONFIG_WEP */
3754 #ifdef CONFIG_IEEE80211R_AP
3755 case WLAN_AUTH_FT:
3756 sta->auth_alg = WLAN_AUTH_FT;
3757 if (sta->wpa_sm == NULL)
3758 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3759 sta->addr, NULL);
3760 if (sta->wpa_sm == NULL) {
3761 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3762 "state machine");
3763 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3764 goto fail;
3765 }
3766 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3767 auth_transaction, mgmt->u.auth.variable,
3768 len - IEEE80211_HDRLEN -
3769 sizeof(mgmt->u.auth),
3770 handle_auth_ft_finish, hapd);
3771 /* handle_auth_ft_finish() callback will complete auth. */
3772 return;
3773 #endif /* CONFIG_IEEE80211R_AP */
3774 #ifdef CONFIG_SAE
3775 case WLAN_AUTH_SAE:
3776 #ifdef CONFIG_MESH
3777 if (status_code == WLAN_STATUS_SUCCESS &&
3778 hapd->conf->mesh & MESH_ENABLED) {
3779 if (sta->wpa_sm == NULL)
3780 sta->wpa_sm =
3781 wpa_auth_sta_init(hapd->wpa_auth,
3782 sta->addr, NULL);
3783 if (sta->wpa_sm == NULL) {
3784 wpa_printf(MSG_DEBUG,
3785 "SAE: Failed to initialize WPA state machine");
3786 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3787 goto fail;
3788 }
3789 }
3790 #endif /* CONFIG_MESH */
3791 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3792 status_code);
3793 return;
3794 #endif /* CONFIG_SAE */
3795 #ifdef CONFIG_FILS
3796 case WLAN_AUTH_FILS_SK:
3797 case WLAN_AUTH_FILS_SK_PFS:
3798 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3799 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3800 auth_alg, auth_transaction, status_code,
3801 handle_auth_fils_finish);
3802 return;
3803 #endif /* CONFIG_FILS */
3804 #ifdef CONFIG_PASN
3805 case WLAN_AUTH_PASN:
3806 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3807 status_code);
3808 return;
3809 #endif /* CONFIG_PASN */
3810 }
3811
3812 fail:
3813 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3814 auth_transaction + 1, resp, resp_ies,
3815 resp_ies_len, "handle-auth");
3816
3817 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3818 reply_res != WLAN_STATUS_SUCCESS)) {
3819 hostapd_drv_sta_remove(hapd, sta->addr);
3820 sta->added_unassoc = 0;
3821 }
3822 }
3823
3824
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3825 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3826 {
3827 int i, j = 32, aid;
3828
3829 /* get a unique AID */
3830 if (sta->aid > 0) {
3831 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3832 return 0;
3833 }
3834
3835 if (TEST_FAIL())
3836 return -1;
3837
3838 for (i = 0; i < AID_WORDS; i++) {
3839 if (hapd->sta_aid[i] == (u32) -1)
3840 continue;
3841 for (j = 0; j < 32; j++) {
3842 if (!(hapd->sta_aid[i] & BIT(j)))
3843 break;
3844 }
3845 if (j < 32)
3846 break;
3847 }
3848 if (j == 32)
3849 return -1;
3850 aid = i * 32 + j + 1;
3851 if (aid > 2007)
3852 return -1;
3853
3854 sta->aid = aid;
3855 hapd->sta_aid[i] |= BIT(j);
3856 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
3857 return 0;
3858 }
3859
3860
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3861 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3862 const u8 *ssid_ie, size_t ssid_ie_len)
3863 {
3864 if (ssid_ie == NULL)
3865 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3866
3867 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
3868 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
3869 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3870 HOSTAPD_LEVEL_INFO,
3871 "Station tried to associate with unknown SSID "
3872 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
3873 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3874 }
3875
3876 return WLAN_STATUS_SUCCESS;
3877 }
3878
3879
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)3880 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
3881 const u8 *wmm_ie, size_t wmm_ie_len)
3882 {
3883 sta->flags &= ~WLAN_STA_WMM;
3884 sta->qosinfo = 0;
3885 if (wmm_ie && hapd->conf->wmm_enabled) {
3886 struct wmm_information_element *wmm;
3887
3888 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
3889 hostapd_logger(hapd, sta->addr,
3890 HOSTAPD_MODULE_WPA,
3891 HOSTAPD_LEVEL_DEBUG,
3892 "invalid WMM element in association "
3893 "request");
3894 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3895 }
3896
3897 sta->flags |= WLAN_STA_WMM;
3898 wmm = (struct wmm_information_element *) wmm_ie;
3899 sta->qosinfo = wmm->qos_info;
3900 }
3901 return WLAN_STATUS_SUCCESS;
3902 }
3903
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)3904 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
3905 const u8 *multi_ap_ie, size_t multi_ap_len)
3906 {
3907 u8 multi_ap_value = 0;
3908
3909 sta->flags &= ~WLAN_STA_MULTI_AP;
3910
3911 if (!hapd->conf->multi_ap)
3912 return WLAN_STATUS_SUCCESS;
3913
3914 if (multi_ap_ie) {
3915 const u8 *multi_ap_subelem;
3916
3917 multi_ap_subelem = get_ie(multi_ap_ie + 4,
3918 multi_ap_len - 4,
3919 MULTI_AP_SUB_ELEM_TYPE);
3920 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
3921 multi_ap_value = multi_ap_subelem[2];
3922 } else {
3923 hostapd_logger(hapd, sta->addr,
3924 HOSTAPD_MODULE_IEEE80211,
3925 HOSTAPD_LEVEL_INFO,
3926 "Multi-AP IE has missing or invalid Multi-AP subelement");
3927 return WLAN_STATUS_INVALID_IE;
3928 }
3929 }
3930
3931 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
3932 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3933 HOSTAPD_LEVEL_INFO,
3934 "Multi-AP IE with unexpected value 0x%02x",
3935 multi_ap_value);
3936
3937 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
3938 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
3939 return WLAN_STATUS_SUCCESS;
3940
3941 hostapd_logger(hapd, sta->addr,
3942 HOSTAPD_MODULE_IEEE80211,
3943 HOSTAPD_LEVEL_INFO,
3944 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3945 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3946 }
3947
3948 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
3949 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3950 HOSTAPD_LEVEL_DEBUG,
3951 "Backhaul STA tries to associate with fronthaul-only BSS");
3952
3953 sta->flags |= WLAN_STA_MULTI_AP;
3954 return WLAN_STATUS_SUCCESS;
3955 }
3956
3957
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)3958 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
3959 struct ieee802_11_elems *elems)
3960 {
3961 /* Supported rates not used in IEEE 802.11ad/DMG */
3962 if (hapd->iface->current_mode &&
3963 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
3964 return WLAN_STATUS_SUCCESS;
3965
3966 if (!elems->supp_rates) {
3967 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3968 HOSTAPD_LEVEL_DEBUG,
3969 "No supported rates element in AssocReq");
3970 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3971 }
3972
3973 if (elems->supp_rates_len + elems->ext_supp_rates_len >
3974 sizeof(sta->supported_rates)) {
3975 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3976 HOSTAPD_LEVEL_DEBUG,
3977 "Invalid supported rates element length %d+%d",
3978 elems->supp_rates_len,
3979 elems->ext_supp_rates_len);
3980 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3981 }
3982
3983 sta->supported_rates_len = merge_byte_arrays(
3984 sta->supported_rates, sizeof(sta->supported_rates),
3985 elems->supp_rates, elems->supp_rates_len,
3986 elems->ext_supp_rates, elems->ext_supp_rates_len);
3987
3988 return WLAN_STATUS_SUCCESS;
3989 }
3990
3991
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)3992 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
3993 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
3994 {
3995 #ifdef CONFIG_INTERWORKING
3996 /* check for QoS Map support */
3997 if (ext_capab_ie_len >= 5) {
3998 if (ext_capab_ie[4] & 0x01)
3999 sta->qos_map_enabled = 1;
4000 }
4001 #endif /* CONFIG_INTERWORKING */
4002
4003 if (ext_capab_ie_len > 0) {
4004 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4005 os_free(sta->ext_capability);
4006 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4007 if (sta->ext_capability) {
4008 sta->ext_capability[0] = ext_capab_ie_len;
4009 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4010 ext_capab_ie_len);
4011 }
4012 }
4013
4014 return WLAN_STATUS_SUCCESS;
4015 }
4016
4017
4018 #ifdef CONFIG_OWE
4019
owe_group_supported(struct hostapd_data * hapd,u16 group)4020 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4021 {
4022 int i;
4023 int *groups = hapd->conf->owe_groups;
4024
4025 if (group != 19 && group != 20 && group != 21)
4026 return 0;
4027
4028 if (!groups)
4029 return 1;
4030
4031 for (i = 0; groups[i] > 0; i++) {
4032 if (groups[i] == group)
4033 return 1;
4034 }
4035
4036 return 0;
4037 }
4038
4039
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)4040 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4041 struct sta_info *sta, const u8 *owe_dh,
4042 u8 owe_dh_len)
4043 {
4044 struct wpabuf *secret, *pub, *hkey;
4045 int res;
4046 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4047 const char *info = "OWE Key Generation";
4048 const u8 *addr[2];
4049 size_t len[2];
4050 u16 group;
4051 size_t hash_len, prime_len;
4052
4053 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4054 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4055 return WLAN_STATUS_SUCCESS;
4056 }
4057
4058 group = WPA_GET_LE16(owe_dh);
4059 if (!owe_group_supported(hapd, group)) {
4060 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4061 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4062 }
4063 if (group == 19)
4064 prime_len = 32;
4065 else if (group == 20)
4066 prime_len = 48;
4067 else if (group == 21)
4068 prime_len = 66;
4069 else
4070 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4071
4072 crypto_ecdh_deinit(sta->owe_ecdh);
4073 sta->owe_ecdh = crypto_ecdh_init(group);
4074 if (!sta->owe_ecdh)
4075 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4076 sta->owe_group = group;
4077
4078 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4079 owe_dh_len - 2);
4080 secret = wpabuf_zeropad(secret, prime_len);
4081 if (!secret) {
4082 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4083 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4084 }
4085 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4086
4087 /* prk = HKDF-extract(C | A | group, z) */
4088
4089 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4090 if (!pub) {
4091 wpabuf_clear_free(secret);
4092 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4093 }
4094
4095 /* PMKID = Truncate-128(Hash(C | A)) */
4096 addr[0] = owe_dh + 2;
4097 len[0] = owe_dh_len - 2;
4098 addr[1] = wpabuf_head(pub);
4099 len[1] = wpabuf_len(pub);
4100 if (group == 19) {
4101 res = sha256_vector(2, addr, len, pmkid);
4102 hash_len = SHA256_MAC_LEN;
4103 } else if (group == 20) {
4104 res = sha384_vector(2, addr, len, pmkid);
4105 hash_len = SHA384_MAC_LEN;
4106 } else if (group == 21) {
4107 res = sha512_vector(2, addr, len, pmkid);
4108 hash_len = SHA512_MAC_LEN;
4109 } else {
4110 wpabuf_free(pub);
4111 wpabuf_clear_free(secret);
4112 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4113 }
4114 pub = wpabuf_zeropad(pub, prime_len);
4115 if (res < 0 || !pub) {
4116 wpabuf_free(pub);
4117 wpabuf_clear_free(secret);
4118 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4119 }
4120
4121 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4122 if (!hkey) {
4123 wpabuf_free(pub);
4124 wpabuf_clear_free(secret);
4125 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4126 }
4127
4128 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4129 wpabuf_put_buf(hkey, pub); /* A */
4130 wpabuf_free(pub);
4131 wpabuf_put_le16(hkey, group); /* group */
4132 if (group == 19)
4133 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4134 wpabuf_head(secret), wpabuf_len(secret), prk);
4135 else if (group == 20)
4136 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4137 wpabuf_head(secret), wpabuf_len(secret), prk);
4138 else if (group == 21)
4139 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4140 wpabuf_head(secret), wpabuf_len(secret), prk);
4141 wpabuf_clear_free(hkey);
4142 wpabuf_clear_free(secret);
4143 if (res < 0)
4144 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4145
4146 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4147
4148 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4149
4150 os_free(sta->owe_pmk);
4151 sta->owe_pmk = os_malloc(hash_len);
4152 if (!sta->owe_pmk) {
4153 os_memset(prk, 0, SHA512_MAC_LEN);
4154 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4155 }
4156
4157 if (group == 19)
4158 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4159 os_strlen(info), sta->owe_pmk, hash_len);
4160 else if (group == 20)
4161 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4162 os_strlen(info), sta->owe_pmk, hash_len);
4163 else if (group == 21)
4164 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4165 os_strlen(info), sta->owe_pmk, hash_len);
4166 os_memset(prk, 0, SHA512_MAC_LEN);
4167 if (res < 0) {
4168 os_free(sta->owe_pmk);
4169 sta->owe_pmk = NULL;
4170 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4171 }
4172 sta->owe_pmk_len = hash_len;
4173
4174 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4175 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4176 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4177 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4178
4179 return WLAN_STATUS_SUCCESS;
4180 }
4181
4182
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4183 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4184 const u8 *rsn_ie, size_t rsn_ie_len,
4185 const u8 *owe_dh, size_t owe_dh_len)
4186 {
4187 struct wpa_ie_data data;
4188 int res;
4189
4190 if (!rsn_ie || rsn_ie_len < 2) {
4191 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
4192 MAC2STR(peer));
4193 return WLAN_STATUS_INVALID_IE;
4194 }
4195 rsn_ie -= 2;
4196 rsn_ie_len += 2;
4197
4198 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4199 if (res) {
4200 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
4201 " (res=%d)", MAC2STR(peer), res);
4202 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4203 return wpa_res_to_status_code(res);
4204 }
4205 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4206 wpa_printf(MSG_DEBUG,
4207 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
4208 (unsigned int) data.key_mgmt, MAC2STR(peer));
4209 return WLAN_STATUS_AKMP_NOT_VALID;
4210 }
4211 if (!owe_dh) {
4212 wpa_printf(MSG_DEBUG,
4213 "OWE: No Diffie-Hellman Parameter element from "
4214 MACSTR, MAC2STR(peer));
4215 return WLAN_STATUS_AKMP_NOT_VALID;
4216 }
4217
4218 return WLAN_STATUS_SUCCESS;
4219 }
4220
4221
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4222 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4223 struct sta_info *sta,
4224 const u8 *rsn_ie, size_t rsn_ie_len,
4225 const u8 *owe_dh, size_t owe_dh_len)
4226 {
4227 u16 status;
4228 u8 *owe_buf, ie[256 * 2];
4229 size_t ie_len = 0;
4230 enum wpa_validate_result res;
4231
4232 if (!rsn_ie || rsn_ie_len < 2) {
4233 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4234 status = WLAN_STATUS_INVALID_IE;
4235 goto end;
4236 }
4237
4238 if (!sta->wpa_sm)
4239 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
4240 NULL);
4241 if (!sta->wpa_sm) {
4242 wpa_printf(MSG_WARNING,
4243 "OWE: Failed to initialize WPA state machine");
4244 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4245 goto end;
4246 }
4247 rsn_ie -= 2;
4248 rsn_ie_len += 2;
4249 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4250 hapd->iface->freq, rsn_ie, rsn_ie_len,
4251 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4252 status = wpa_res_to_status_code(res);
4253 if (status != WLAN_STATUS_SUCCESS)
4254 goto end;
4255 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4256 if (status != WLAN_STATUS_SUCCESS)
4257 goto end;
4258 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4259 NULL, 0);
4260 if (!owe_buf) {
4261 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4262 goto end;
4263 }
4264
4265 if (sta->owe_ecdh) {
4266 struct wpabuf *pub;
4267
4268 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4269 if (!pub) {
4270 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4271 goto end;
4272 }
4273
4274 /* OWE Diffie-Hellman Parameter element */
4275 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4276 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4277 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4278 */
4279 WPA_PUT_LE16(owe_buf, sta->owe_group);
4280 owe_buf += 2;
4281 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4282 owe_buf += wpabuf_len(pub);
4283 wpabuf_free(pub);
4284 sta->external_dh_updated = 1;
4285 }
4286 ie_len = owe_buf - ie;
4287
4288 end:
4289 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4290 MACSTR, status, (unsigned int) ie_len,
4291 MAC2STR(sta->addr));
4292 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4293 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4294 ie_len);
4295
4296 return status;
4297 }
4298
4299 #endif /* CONFIG_OWE */
4300
4301
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4302 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4303 int reassoc)
4304 {
4305 if ((sta->flags &
4306 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4307 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4308 return false;
4309
4310 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4311 ap_check_sa_query_timeout(hapd, sta);
4312
4313 if (!sta->sa_query_timed_out &&
4314 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4315 /*
4316 * STA has already been associated with MFP and SA Query timeout
4317 * has not been reached. Reject the association attempt
4318 * temporarily and start SA Query, if one is not pending.
4319 */
4320 if (sta->sa_query_count == 0)
4321 ap_sta_start_sa_query(hapd, sta);
4322
4323 return true;
4324 }
4325
4326 return false;
4327 }
4328
4329
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4330 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4331 const u8 *ies, size_t ies_len, int reassoc)
4332 {
4333 struct ieee802_11_elems elems;
4334 int resp;
4335 const u8 *wpa_ie;
4336 size_t wpa_ie_len;
4337 const u8 *p2p_dev_addr = NULL;
4338
4339 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4340 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4341 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4342 "association request");
4343 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4344 }
4345
4346 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4347 if (resp != WLAN_STATUS_SUCCESS)
4348 return resp;
4349 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4350 if (resp != WLAN_STATUS_SUCCESS)
4351 return resp;
4352 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4353 if (resp != WLAN_STATUS_SUCCESS)
4354 return resp;
4355 resp = copy_supp_rates(hapd, sta, &elems);
4356 if (resp != WLAN_STATUS_SUCCESS)
4357 return resp;
4358
4359 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4360 if (resp != WLAN_STATUS_SUCCESS)
4361 return resp;
4362
4363 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4364 if (resp != WLAN_STATUS_SUCCESS)
4365 return resp;
4366 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4367 !(sta->flags & WLAN_STA_HT)) {
4368 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4369 HOSTAPD_LEVEL_INFO, "Station does not support "
4370 "mandatory HT PHY - reject association");
4371 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4372 }
4373
4374 #ifdef CONFIG_IEEE80211AC
4375 if (hapd->iconf->ieee80211ac) {
4376 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4377 if (resp != WLAN_STATUS_SUCCESS)
4378 return resp;
4379
4380 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4381 if (resp != WLAN_STATUS_SUCCESS)
4382 return resp;
4383 }
4384
4385 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4386 !(sta->flags & WLAN_STA_VHT)) {
4387 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4388 HOSTAPD_LEVEL_INFO, "Station does not support "
4389 "mandatory VHT PHY - reject association");
4390 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4391 }
4392
4393 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4394 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4395 elems.vendor_vht_len);
4396 if (resp != WLAN_STATUS_SUCCESS)
4397 return resp;
4398 }
4399 #endif /* CONFIG_IEEE80211AC */
4400 #ifdef CONFIG_IEEE80211AX
4401 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4402 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4403 elems.he_capabilities,
4404 elems.he_capabilities_len);
4405 if (resp != WLAN_STATUS_SUCCESS)
4406 return resp;
4407 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4408 if (!(sta->flags & WLAN_STA_HE)) {
4409 hostapd_logger(hapd, sta->addr,
4410 HOSTAPD_MODULE_IEEE80211,
4411 HOSTAPD_LEVEL_INFO,
4412 "Station does not support mandatory HE PHY - reject association");
4413 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4414 }
4415 resp = copy_sta_he_6ghz_capab(hapd, sta,
4416 elems.he_6ghz_band_cap);
4417 if (resp != WLAN_STATUS_SUCCESS)
4418 return resp;
4419 }
4420 }
4421 #endif /* CONFIG_IEEE80211AX */
4422
4423 #ifdef CONFIG_P2P
4424 if (elems.p2p) {
4425 wpabuf_free(sta->p2p_ie);
4426 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4427 P2P_IE_VENDOR_TYPE);
4428 if (sta->p2p_ie)
4429 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4430 } else {
4431 wpabuf_free(sta->p2p_ie);
4432 sta->p2p_ie = NULL;
4433 }
4434 #endif /* CONFIG_P2P */
4435
4436 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4437 wpa_ie = elems.rsn_ie;
4438 wpa_ie_len = elems.rsn_ie_len;
4439 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4440 elems.wpa_ie) {
4441 wpa_ie = elems.wpa_ie;
4442 wpa_ie_len = elems.wpa_ie_len;
4443 } else {
4444 wpa_ie = NULL;
4445 wpa_ie_len = 0;
4446 }
4447
4448 #ifdef CONFIG_WPS
4449 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4450 if (hapd->conf->wps_state && elems.wps_ie) {
4451 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4452 "Request - assume WPS is used");
4453 if (check_sa_query(hapd, sta, reassoc))
4454 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4455 sta->flags |= WLAN_STA_WPS;
4456 wpabuf_free(sta->wps_ie);
4457 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4458 WPS_IE_VENDOR_TYPE);
4459 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4460 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4461 sta->flags |= WLAN_STA_WPS2;
4462 }
4463 wpa_ie = NULL;
4464 wpa_ie_len = 0;
4465 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4466 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4467 "(Re)Association Request - reject");
4468 return WLAN_STATUS_INVALID_IE;
4469 }
4470 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4471 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4472 "(Re)Association Request - possible WPS use");
4473 sta->flags |= WLAN_STA_MAYBE_WPS;
4474 } else
4475 #endif /* CONFIG_WPS */
4476 if (hapd->conf->wpa && wpa_ie == NULL) {
4477 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4478 HOSTAPD_LEVEL_INFO,
4479 "No WPA/RSN IE in association request");
4480 return WLAN_STATUS_INVALID_IE;
4481 }
4482
4483 if (hapd->conf->wpa && wpa_ie) {
4484 enum wpa_validate_result res;
4485
4486 wpa_ie -= 2;
4487 wpa_ie_len += 2;
4488 if (sta->wpa_sm == NULL)
4489 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4490 sta->addr,
4491 p2p_dev_addr);
4492 if (sta->wpa_sm == NULL) {
4493 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4494 "state machine");
4495 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4496 }
4497 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4498 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4499 hapd->iface->freq,
4500 wpa_ie, wpa_ie_len,
4501 elems.rsnxe ? elems.rsnxe - 2 : NULL,
4502 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4503 elems.mdie, elems.mdie_len,
4504 elems.owe_dh, elems.owe_dh_len);
4505 resp = wpa_res_to_status_code(res);
4506 if (resp != WLAN_STATUS_SUCCESS)
4507 return resp;
4508
4509 if (check_sa_query(hapd, sta, reassoc))
4510 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4511
4512 if (wpa_auth_uses_mfp(sta->wpa_sm))
4513 sta->flags |= WLAN_STA_MFP;
4514 else
4515 sta->flags &= ~WLAN_STA_MFP;
4516
4517 #ifdef CONFIG_IEEE80211R_AP
4518 if (sta->auth_alg == WLAN_AUTH_FT) {
4519 if (!reassoc) {
4520 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4521 "to use association (not "
4522 "re-association) with FT auth_alg",
4523 MAC2STR(sta->addr));
4524 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4525 }
4526
4527 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4528 ies_len);
4529 if (resp != WLAN_STATUS_SUCCESS)
4530 return resp;
4531 }
4532 #endif /* CONFIG_IEEE80211R_AP */
4533
4534 #ifdef CONFIG_SAE
4535 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4536 sta->sae->state == SAE_ACCEPTED)
4537 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4538
4539 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4540 sta->auth_alg == WLAN_AUTH_OPEN) {
4541 struct rsn_pmksa_cache_entry *sa;
4542 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4543 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4544 wpa_printf(MSG_DEBUG,
4545 "SAE: No PMKSA cache entry found for "
4546 MACSTR, MAC2STR(sta->addr));
4547 return WLAN_STATUS_INVALID_PMKID;
4548 }
4549 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4550 " using PMKSA caching", MAC2STR(sta->addr));
4551 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4552 sta->auth_alg != WLAN_AUTH_SAE &&
4553 !(sta->auth_alg == WLAN_AUTH_FT &&
4554 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4555 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4556 "SAE AKM after non-SAE auth_alg %u",
4557 MAC2STR(sta->addr), sta->auth_alg);
4558 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4559 }
4560
4561 if (hapd->conf->sae_pwe == 2 &&
4562 sta->auth_alg == WLAN_AUTH_SAE &&
4563 sta->sae && !sta->sae->h2e &&
4564 elems.rsnxe && elems.rsnxe_len >= 1 &&
4565 (elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
4566 wpa_printf(MSG_INFO, "SAE: " MACSTR
4567 " indicates support for SAE H2E, but did not use it",
4568 MAC2STR(sta->addr));
4569 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4570 }
4571 #endif /* CONFIG_SAE */
4572
4573 #ifdef CONFIG_OWE
4574 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4575 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4576 elems.owe_dh) {
4577 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4578 elems.owe_dh_len);
4579 if (resp != WLAN_STATUS_SUCCESS)
4580 return resp;
4581 }
4582 #endif /* CONFIG_OWE */
4583
4584 #ifdef CONFIG_DPP2
4585 dpp_pfs_free(sta->dpp_pfs);
4586 sta->dpp_pfs = NULL;
4587
4588 if (DPP_VERSION > 1 &&
4589 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4590 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4591 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4592 elems.owe_dh) {
4593 sta->dpp_pfs = dpp_pfs_init(
4594 wpabuf_head(hapd->conf->dpp_netaccesskey),
4595 wpabuf_len(hapd->conf->dpp_netaccesskey));
4596 if (!sta->dpp_pfs) {
4597 wpa_printf(MSG_DEBUG,
4598 "DPP: Could not initialize PFS");
4599 /* Try to continue without PFS */
4600 goto pfs_fail;
4601 }
4602
4603 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4604 elems.owe_dh_len) < 0) {
4605 dpp_pfs_free(sta->dpp_pfs);
4606 sta->dpp_pfs = NULL;
4607 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4608 }
4609 }
4610
4611 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4612 sta->dpp_pfs->secret : NULL);
4613 pfs_fail:
4614 #endif /* CONFIG_DPP2 */
4615
4616 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4617 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4618 hostapd_logger(hapd, sta->addr,
4619 HOSTAPD_MODULE_IEEE80211,
4620 HOSTAPD_LEVEL_INFO,
4621 "Station tried to use TKIP with HT "
4622 "association");
4623 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4624 }
4625 #ifdef CONFIG_HS20
4626 } else if (hapd->conf->osen) {
4627 if (elems.osen == NULL) {
4628 hostapd_logger(
4629 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4630 HOSTAPD_LEVEL_INFO,
4631 "No HS 2.0 OSEN element in association request");
4632 return WLAN_STATUS_INVALID_IE;
4633 }
4634
4635 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4636 if (sta->wpa_sm == NULL)
4637 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4638 sta->addr, NULL);
4639 if (sta->wpa_sm == NULL) {
4640 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4641 "state machine");
4642 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4643 }
4644 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4645 elems.osen - 2, elems.osen_len + 2) < 0)
4646 return WLAN_STATUS_INVALID_IE;
4647 #endif /* CONFIG_HS20 */
4648 } else
4649 wpa_auth_sta_no_wpa(sta->wpa_sm);
4650
4651 #ifdef CONFIG_P2P
4652 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4653 #endif /* CONFIG_P2P */
4654
4655 #ifdef CONFIG_HS20
4656 wpabuf_free(sta->hs20_ie);
4657 if (elems.hs20 && elems.hs20_len > 4) {
4658 int release;
4659
4660 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4661 elems.hs20_len - 4);
4662 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4663 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4664 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4665 wpa_printf(MSG_DEBUG,
4666 "HS 2.0: PMF not negotiated by release %d station "
4667 MACSTR, release, MAC2STR(sta->addr));
4668 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4669 }
4670 } else {
4671 sta->hs20_ie = NULL;
4672 }
4673
4674 wpabuf_free(sta->roaming_consortium);
4675 if (elems.roaming_cons_sel)
4676 sta->roaming_consortium = wpabuf_alloc_copy(
4677 elems.roaming_cons_sel + 4,
4678 elems.roaming_cons_sel_len - 4);
4679 else
4680 sta->roaming_consortium = NULL;
4681 #endif /* CONFIG_HS20 */
4682
4683 #ifdef CONFIG_FST
4684 wpabuf_free(sta->mb_ies);
4685 if (hapd->iface->fst)
4686 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4687 else
4688 sta->mb_ies = NULL;
4689 #endif /* CONFIG_FST */
4690
4691 #ifdef CONFIG_MBO
4692 mbo_ap_check_sta_assoc(hapd, sta, &elems);
4693
4694 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4695 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4696 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4697 wpa_printf(MSG_INFO,
4698 "MBO: Reject WPA2 association without PMF");
4699 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4700 }
4701 #endif /* CONFIG_MBO */
4702
4703 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4704 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4705 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4706 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4707 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4708 struct wpa_channel_info ci;
4709 int tx_chanwidth;
4710 int tx_seg1_idx;
4711 enum oci_verify_result res;
4712
4713 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4714 wpa_printf(MSG_WARNING,
4715 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4716 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4717 }
4718
4719 if (get_sta_tx_parameters(sta->wpa_sm,
4720 channel_width_to_int(ci.chanwidth),
4721 ci.seg1_idx, &tx_chanwidth,
4722 &tx_seg1_idx) < 0)
4723 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4724
4725 res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4726 tx_chanwidth, tx_seg1_idx);
4727 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4728 res == OCI_NOT_FOUND) {
4729 /* Work around misbehaving STAs */
4730 wpa_printf(MSG_INFO,
4731 "FILS: Disable OCV with a STA that does not send OCI");
4732 wpa_auth_set_ocv(sta->wpa_sm, 0);
4733 } else if (res != OCI_SUCCESS) {
4734 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4735 ocv_errorstr);
4736 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4737 MACSTR " frame=fils-reassoc-req error=%s",
4738 MAC2STR(sta->addr), ocv_errorstr);
4739 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4740 }
4741 }
4742 #endif /* CONFIG_FILS && CONFIG_OCV */
4743
4744 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4745 elems.supp_op_classes_len);
4746
4747 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4748 elems.rrm_enabled &&
4749 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4750 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4751 sizeof(sta->rrm_enabled_capa));
4752
4753 if (elems.power_capab) {
4754 sta->min_tx_power = elems.power_capab[0];
4755 sta->max_tx_power = elems.power_capab[1];
4756 sta->power_capab = 1;
4757 } else {
4758 sta->power_capab = 0;
4759 }
4760
4761 return WLAN_STATUS_SUCCESS;
4762 }
4763
4764
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4765 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4766 u16 reason_code)
4767 {
4768 int send_len;
4769 struct ieee80211_mgmt reply;
4770
4771 os_memset(&reply, 0, sizeof(reply));
4772 reply.frame_control =
4773 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4774 os_memcpy(reply.da, addr, ETH_ALEN);
4775 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4776 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4777
4778 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4779 reply.u.deauth.reason_code = host_to_le16(reason_code);
4780
4781 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4782 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4783 strerror(errno));
4784 }
4785
4786
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4787 static int add_associated_sta(struct hostapd_data *hapd,
4788 struct sta_info *sta, int reassoc)
4789 {
4790 struct ieee80211_ht_capabilities ht_cap;
4791 struct ieee80211_vht_capabilities vht_cap;
4792 struct ieee80211_he_capabilities he_cap;
4793 int set = 1;
4794
4795 /*
4796 * Remove the STA entry to ensure the STA PS state gets cleared and
4797 * configuration gets updated. This is relevant for cases, such as
4798 * FT-over-the-DS, where a station re-associates back to the same AP but
4799 * skips the authentication flow, or if working with a driver that
4800 * does not support full AP client state.
4801 *
4802 * Skip this if the STA has already completed FT reassociation and the
4803 * TK has been configured since the TX/RX PN must not be reset to 0 for
4804 * the same key.
4805 *
4806 * FT-over-the-DS has a special case where the STA entry (and as such,
4807 * the TK) has not yet been configured to the driver depending on which
4808 * driver interface is used. For that case, allow add-STA operation to
4809 * be used (instead of set-STA). This is needed to allow mac80211-based
4810 * drivers to accept the STA parameter configuration. Since this is
4811 * after a new FT-over-DS exchange, a new TK has been derived, so key
4812 * reinstallation is not a concern for this case.
4813 */
4814 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4815 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4816 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4817 sta->ft_over_ds, reassoc,
4818 !!(sta->flags & WLAN_STA_AUTHORIZED),
4819 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4820 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4821
4822 if (!sta->added_unassoc &&
4823 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4824 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4825 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4826 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4827 hostapd_drv_sta_remove(hapd, sta->addr);
4828 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4829 set = 0;
4830
4831 /* Do not allow the FT-over-DS exception to be used more than
4832 * once per authentication exchange to guarantee a new TK is
4833 * used here */
4834 sta->ft_over_ds = 0;
4835 }
4836
4837 if (sta->flags & WLAN_STA_HT)
4838 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4839 #ifdef CONFIG_IEEE80211AC
4840 if (sta->flags & WLAN_STA_VHT)
4841 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4842 #endif /* CONFIG_IEEE80211AC */
4843 #ifdef CONFIG_IEEE80211AX
4844 if (sta->flags & WLAN_STA_HE) {
4845 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4846 sta->he_capab_len);
4847 }
4848 #endif /* CONFIG_IEEE80211AX */
4849
4850 /*
4851 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4852 * will be set when the ACK frame for the (Re)Association Response frame
4853 * is processed (TX status driver event).
4854 */
4855 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4856 sta->supported_rates, sta->supported_rates_len,
4857 sta->listen_interval,
4858 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4859 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4860 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4861 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4862 sta->he_6ghz_capab,
4863 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4864 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4865 set)) {
4866 hostapd_logger(hapd, sta->addr,
4867 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
4868 "Could not %s STA to kernel driver",
4869 set ? "set" : "add");
4870
4871 if (sta->added_unassoc) {
4872 hostapd_drv_sta_remove(hapd, sta->addr);
4873 sta->added_unassoc = 0;
4874 }
4875
4876 return -1;
4877 }
4878
4879 sta->added_unassoc = 0;
4880
4881 return 0;
4882 }
4883
4884
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)4885 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
4886 const u8 *addr, u16 status_code, int reassoc,
4887 const u8 *ies, size_t ies_len, int rssi,
4888 int omit_rsnxe)
4889 {
4890 int send_len;
4891 u8 *buf;
4892 size_t buflen;
4893 struct ieee80211_mgmt *reply;
4894 u8 *p;
4895 u16 res = WLAN_STATUS_SUCCESS;
4896
4897 buflen = sizeof(struct ieee80211_mgmt) + 1024;
4898 #ifdef CONFIG_FILS
4899 if (sta && sta->fils_hlp_resp)
4900 buflen += wpabuf_len(sta->fils_hlp_resp);
4901 if (sta)
4902 buflen += 150;
4903 #endif /* CONFIG_FILS */
4904 #ifdef CONFIG_OWE
4905 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4906 buflen += 150;
4907 #endif /* CONFIG_OWE */
4908 #ifdef CONFIG_DPP2
4909 if (sta && sta->dpp_pfs)
4910 buflen += 5 + sta->dpp_pfs->curve->prime_len;
4911 #endif /* CONFIG_DPP2 */
4912 buf = os_zalloc(buflen);
4913 if (!buf) {
4914 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4915 goto done;
4916 }
4917 reply = (struct ieee80211_mgmt *) buf;
4918 reply->frame_control =
4919 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
4920 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
4921 WLAN_FC_STYPE_ASSOC_RESP));
4922 os_memcpy(reply->da, addr, ETH_ALEN);
4923 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
4924 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
4925
4926 send_len = IEEE80211_HDRLEN;
4927 send_len += sizeof(reply->u.assoc_resp);
4928 reply->u.assoc_resp.capab_info =
4929 host_to_le16(hostapd_own_capab_info(hapd));
4930 reply->u.assoc_resp.status_code = host_to_le16(status_code);
4931
4932 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
4933 BIT(14) | BIT(15));
4934 /* Supported rates */
4935 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
4936 /* Extended supported rates */
4937 p = hostapd_eid_ext_supp_rates(hapd, p);
4938
4939 /* Radio measurement capabilities */
4940 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4941
4942 #ifdef CONFIG_MBO
4943 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
4944 rssi != 0) {
4945 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
4946
4947 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
4948 delta);
4949 }
4950 #endif /* CONFIG_MBO */
4951
4952 #ifdef CONFIG_IEEE80211R_AP
4953 if (sta && status_code == WLAN_STATUS_SUCCESS) {
4954 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
4955 * Transition Information, RSN, [RIC Response] */
4956 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
4957 buf + buflen - p,
4958 sta->auth_alg, ies, ies_len,
4959 omit_rsnxe);
4960 if (!p) {
4961 wpa_printf(MSG_DEBUG,
4962 "FT: Failed to write AssocResp IEs");
4963 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4964 goto done;
4965 }
4966 }
4967 #endif /* CONFIG_IEEE80211R_AP */
4968 #ifdef CONFIG_FILS
4969 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4970 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4971 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4972 sta->auth_alg == WLAN_AUTH_FILS_PK))
4973 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
4974 buf + buflen - p,
4975 ies, ies_len);
4976 #endif /* CONFIG_FILS */
4977
4978 #ifdef CONFIG_OWE
4979 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4980 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4981 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
4982 buf + buflen - p,
4983 ies, ies_len);
4984 #endif /* CONFIG_OWE */
4985
4986 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
4987 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
4988
4989 p = hostapd_eid_ht_capabilities(hapd, p);
4990 p = hostapd_eid_ht_operation(hapd, p);
4991
4992 #ifdef CONFIG_IEEE80211AC
4993 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
4994 !is_6ghz_op_class(hapd->iconf->op_class)) {
4995 u32 nsts = 0, sta_nsts;
4996
4997 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
4998 struct ieee80211_vht_capabilities *capa;
4999
5000 nsts = (hapd->iface->conf->vht_capab >>
5001 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5002 capa = sta->vht_capabilities;
5003 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5004 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5005
5006 if (nsts < sta_nsts)
5007 nsts = 0;
5008 else
5009 nsts = sta_nsts;
5010 }
5011 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5012 p = hostapd_eid_vht_operation(hapd, p);
5013 }
5014 #endif /* CONFIG_IEEE80211AC */
5015
5016 #ifdef CONFIG_IEEE80211AX
5017 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5018 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5019 p = hostapd_eid_he_operation(hapd, p);
5020 p = hostapd_eid_spatial_reuse(hapd, p);
5021 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5022 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5023 }
5024 #endif /* CONFIG_IEEE80211AX */
5025
5026 p = hostapd_eid_ext_capab(hapd, p);
5027 p = hostapd_eid_bss_max_idle_period(hapd, p);
5028 if (sta && sta->qos_map_enabled)
5029 p = hostapd_eid_qos_map_set(hapd, p);
5030
5031 #ifdef CONFIG_FST
5032 if (hapd->iface->fst_ies) {
5033 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5034 wpabuf_len(hapd->iface->fst_ies));
5035 p += wpabuf_len(hapd->iface->fst_ies);
5036 }
5037 #endif /* CONFIG_FST */
5038
5039 #ifdef CONFIG_TESTING_OPTIONS
5040 if (hapd->conf->rsnxe_override_ft &&
5041 buf + buflen - p >=
5042 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5043 sta && sta->auth_alg == WLAN_AUTH_FT) {
5044 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5045 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5046 wpabuf_len(hapd->conf->rsnxe_override_ft));
5047 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5048 goto rsnxe_done;
5049 }
5050 #endif /* CONFIG_TESTING_OPTIONS */
5051 if (!omit_rsnxe)
5052 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5053 #ifdef CONFIG_TESTING_OPTIONS
5054 rsnxe_done:
5055 #endif /* CONFIG_TESTING_OPTIONS */
5056
5057 #ifdef CONFIG_OWE
5058 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5059 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5060 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5061 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5062 struct wpabuf *pub;
5063
5064 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5065 if (!pub) {
5066 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5067 goto done;
5068 }
5069 /* OWE Diffie-Hellman Parameter element */
5070 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5071 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5072 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5073 WPA_PUT_LE16(p, sta->owe_group);
5074 p += 2;
5075 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5076 p += wpabuf_len(pub);
5077 wpabuf_free(pub);
5078 }
5079 #endif /* CONFIG_OWE */
5080
5081 #ifdef CONFIG_DPP2
5082 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5083 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5084 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5085 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5086 wpabuf_len(sta->dpp_pfs->ie));
5087 p += wpabuf_len(sta->dpp_pfs->ie);
5088 }
5089 #endif /* CONFIG_DPP2 */
5090
5091 #ifdef CONFIG_IEEE80211AC
5092 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5093 p = hostapd_eid_vendor_vht(hapd, p);
5094 #endif /* CONFIG_IEEE80211AC */
5095
5096 if (sta && (sta->flags & WLAN_STA_WMM))
5097 p = hostapd_eid_wmm(hapd, p);
5098
5099 #ifdef CONFIG_WPS
5100 if (sta &&
5101 ((sta->flags & WLAN_STA_WPS) ||
5102 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5103 struct wpabuf *wps = wps_build_assoc_resp_ie();
5104 if (wps) {
5105 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5106 p += wpabuf_len(wps);
5107 wpabuf_free(wps);
5108 }
5109 }
5110 #endif /* CONFIG_WPS */
5111
5112 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5113 p = hostapd_eid_multi_ap(hapd, p);
5114
5115 #ifdef CONFIG_P2P
5116 if (sta && sta->p2p_ie && hapd->p2p_group) {
5117 struct wpabuf *p2p_resp_ie;
5118 enum p2p_status_code status;
5119 switch (status_code) {
5120 case WLAN_STATUS_SUCCESS:
5121 status = P2P_SC_SUCCESS;
5122 break;
5123 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5124 status = P2P_SC_FAIL_LIMIT_REACHED;
5125 break;
5126 default:
5127 status = P2P_SC_FAIL_INVALID_PARAMS;
5128 break;
5129 }
5130 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5131 if (p2p_resp_ie) {
5132 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5133 wpabuf_len(p2p_resp_ie));
5134 p += wpabuf_len(p2p_resp_ie);
5135 wpabuf_free(p2p_resp_ie);
5136 }
5137 }
5138 #endif /* CONFIG_P2P */
5139
5140 #ifdef CONFIG_P2P_MANAGER
5141 if (hapd->conf->p2p & P2P_MANAGE)
5142 p = hostapd_eid_p2p_manage(hapd, p);
5143 #endif /* CONFIG_P2P_MANAGER */
5144
5145 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5146
5147 if (hapd->conf->assocresp_elements &&
5148 (size_t) (buf + buflen - p) >=
5149 wpabuf_len(hapd->conf->assocresp_elements)) {
5150 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5151 wpabuf_len(hapd->conf->assocresp_elements));
5152 p += wpabuf_len(hapd->conf->assocresp_elements);
5153 }
5154
5155 send_len += p - reply->u.assoc_resp.variable;
5156
5157 #ifdef CONFIG_FILS
5158 if (sta &&
5159 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5160 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5161 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5162 status_code == WLAN_STATUS_SUCCESS) {
5163 struct ieee802_11_elems elems;
5164
5165 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5166 ParseFailed || !elems.fils_session) {
5167 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5168 goto done;
5169 }
5170
5171 /* FILS Session */
5172 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5173 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5174 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5175 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5176 send_len += 2 + 1 + FILS_SESSION_LEN;
5177
5178 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5179 buflen, sta->fils_hlp_resp);
5180 if (send_len < 0) {
5181 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5182 goto done;
5183 }
5184 }
5185 #endif /* CONFIG_FILS */
5186
5187 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5188 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5189 strerror(errno));
5190 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5191 }
5192
5193 done:
5194 os_free(buf);
5195 return res;
5196 }
5197
5198
5199 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5200 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5201 const u8 *owe_dh, u8 owe_dh_len,
5202 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5203 {
5204 #ifdef CONFIG_TESTING_OPTIONS
5205 if (hapd->conf->own_ie_override) {
5206 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5207 *status = WLAN_STATUS_SUCCESS;
5208 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5209 owe_buf_len, NULL, 0);
5210 }
5211 #endif /* CONFIG_TESTING_OPTIONS */
5212
5213 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5214 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5215 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5216 owe_buf_len, NULL, 0);
5217 *status = WLAN_STATUS_SUCCESS;
5218 return owe_buf;
5219 }
5220
5221 if (sta->owe_pmk && sta->external_dh_updated) {
5222 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5223 *status = WLAN_STATUS_SUCCESS;
5224 return owe_buf;
5225 }
5226
5227 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5228 if (*status != WLAN_STATUS_SUCCESS)
5229 return NULL;
5230
5231 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5232 owe_buf_len, NULL, 0);
5233
5234 if (sta->owe_ecdh && owe_buf) {
5235 struct wpabuf *pub;
5236
5237 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5238 if (!pub) {
5239 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5240 return owe_buf;
5241 }
5242
5243 /* OWE Diffie-Hellman Parameter element */
5244 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5245 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5246 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5247 */
5248 WPA_PUT_LE16(owe_buf, sta->owe_group);
5249 owe_buf += 2;
5250 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5251 owe_buf += wpabuf_len(pub);
5252 wpabuf_free(pub);
5253 }
5254
5255 return owe_buf;
5256 }
5257 #endif /* CONFIG_OWE */
5258
5259
5260 #ifdef CONFIG_FILS
5261
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5262 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5263 {
5264 u16 reply_res;
5265
5266 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5267 MAC2STR(sta->addr));
5268 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5269 if (!sta->fils_pending_assoc_req)
5270 return;
5271 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5272 sta->fils_pending_assoc_is_reassoc,
5273 sta->fils_pending_assoc_req,
5274 sta->fils_pending_assoc_req_len, 0, 0);
5275 os_free(sta->fils_pending_assoc_req);
5276 sta->fils_pending_assoc_req = NULL;
5277 sta->fils_pending_assoc_req_len = 0;
5278 wpabuf_free(sta->fils_hlp_resp);
5279 sta->fils_hlp_resp = NULL;
5280 wpabuf_free(sta->hlp_dhcp_discover);
5281 sta->hlp_dhcp_discover = NULL;
5282
5283 /*
5284 * Remove the station in case transmission of a success response fails.
5285 * At this point the station was already added associated to the driver.
5286 */
5287 if (reply_res != WLAN_STATUS_SUCCESS)
5288 hostapd_drv_sta_remove(hapd, sta->addr);
5289 }
5290
5291
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5292 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5293 {
5294 struct hostapd_data *hapd = eloop_ctx;
5295 struct sta_info *sta = eloop_data;
5296
5297 wpa_printf(MSG_DEBUG,
5298 "FILS: HLP response timeout - continue with association response for "
5299 MACSTR, MAC2STR(sta->addr));
5300 if (sta->fils_drv_assoc_finish)
5301 hostapd_notify_assoc_fils_finish(hapd, sta);
5302 else
5303 fils_hlp_finish_assoc(hapd, sta);
5304 }
5305
5306 #endif /* CONFIG_FILS */
5307
5308
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5309 static void handle_assoc(struct hostapd_data *hapd,
5310 const struct ieee80211_mgmt *mgmt, size_t len,
5311 int reassoc, int rssi)
5312 {
5313 u16 capab_info, listen_interval, seq_ctrl, fc;
5314 int resp = WLAN_STATUS_SUCCESS;
5315 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5316 const u8 *pos;
5317 int left, i;
5318 struct sta_info *sta;
5319 u8 *tmp = NULL;
5320 #ifdef CONFIG_FILS
5321 int delay_assoc = 0;
5322 #endif /* CONFIG_FILS */
5323 int omit_rsnxe = 0;
5324
5325 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5326 sizeof(mgmt->u.assoc_req))) {
5327 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5328 reassoc, (unsigned long) len);
5329 return;
5330 }
5331
5332 #ifdef CONFIG_TESTING_OPTIONS
5333 if (reassoc) {
5334 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5335 drand48() < hapd->iconf->ignore_reassoc_probability) {
5336 wpa_printf(MSG_INFO,
5337 "TESTING: ignoring reassoc request from "
5338 MACSTR, MAC2STR(mgmt->sa));
5339 return;
5340 }
5341 } else {
5342 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5343 drand48() < hapd->iconf->ignore_assoc_probability) {
5344 wpa_printf(MSG_INFO,
5345 "TESTING: ignoring assoc request from "
5346 MACSTR, MAC2STR(mgmt->sa));
5347 return;
5348 }
5349 }
5350 #endif /* CONFIG_TESTING_OPTIONS */
5351
5352 fc = le_to_host16(mgmt->frame_control);
5353 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5354
5355 if (reassoc) {
5356 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5357 listen_interval = le_to_host16(
5358 mgmt->u.reassoc_req.listen_interval);
5359 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5360 " capab_info=0x%02x listen_interval=%d current_ap="
5361 MACSTR " seq_ctrl=0x%x%s",
5362 MAC2STR(mgmt->sa), capab_info, listen_interval,
5363 MAC2STR(mgmt->u.reassoc_req.current_ap),
5364 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5365 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5366 pos = mgmt->u.reassoc_req.variable;
5367 } else {
5368 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5369 listen_interval = le_to_host16(
5370 mgmt->u.assoc_req.listen_interval);
5371 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5372 " capab_info=0x%02x listen_interval=%d "
5373 "seq_ctrl=0x%x%s",
5374 MAC2STR(mgmt->sa), capab_info, listen_interval,
5375 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5376 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5377 pos = mgmt->u.assoc_req.variable;
5378 }
5379
5380 sta = ap_get_sta(hapd, mgmt->sa);
5381 #ifdef CONFIG_IEEE80211R_AP
5382 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5383 (sta->flags & WLAN_STA_AUTH) == 0) {
5384 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5385 "prior to authentication since it is using "
5386 "over-the-DS FT", MAC2STR(mgmt->sa));
5387
5388 /*
5389 * Mark station as authenticated, to avoid adding station
5390 * entry in the driver as associated and not authenticated
5391 */
5392 sta->flags |= WLAN_STA_AUTH;
5393 } else
5394 #endif /* CONFIG_IEEE80211R_AP */
5395 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5396 if (hapd->iface->current_mode &&
5397 hapd->iface->current_mode->mode ==
5398 HOSTAPD_MODE_IEEE80211AD) {
5399 int acl_res;
5400 struct radius_sta info;
5401
5402 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5403 (const u8 *) mgmt,
5404 len, &info);
5405 if (acl_res == HOSTAPD_ACL_REJECT) {
5406 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5407 "Ignore Association Request frame from "
5408 MACSTR " due to ACL reject",
5409 MAC2STR(mgmt->sa));
5410 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5411 goto fail;
5412 }
5413 if (acl_res == HOSTAPD_ACL_PENDING)
5414 return;
5415
5416 /* DMG/IEEE 802.11ad does not use authentication.
5417 * Allocate sta entry upon association. */
5418 sta = ap_sta_add(hapd, mgmt->sa);
5419 if (!sta) {
5420 hostapd_logger(hapd, mgmt->sa,
5421 HOSTAPD_MODULE_IEEE80211,
5422 HOSTAPD_LEVEL_INFO,
5423 "Failed to add STA");
5424 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5425 goto fail;
5426 }
5427
5428 acl_res = ieee802_11_set_radius_info(
5429 hapd, sta, acl_res, &info);
5430 if (acl_res) {
5431 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5432 goto fail;
5433 }
5434
5435 hostapd_logger(hapd, sta->addr,
5436 HOSTAPD_MODULE_IEEE80211,
5437 HOSTAPD_LEVEL_DEBUG,
5438 "Skip authentication for DMG/IEEE 802.11ad");
5439 sta->flags |= WLAN_STA_AUTH;
5440 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5441 sta->auth_alg = WLAN_AUTH_OPEN;
5442 } else {
5443 hostapd_logger(hapd, mgmt->sa,
5444 HOSTAPD_MODULE_IEEE80211,
5445 HOSTAPD_LEVEL_INFO,
5446 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5447 sta ? sta->aid : -1,
5448 sta ? sta->flags : 0);
5449 send_deauth(hapd, mgmt->sa,
5450 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5451 return;
5452 }
5453 }
5454
5455 if ((fc & WLAN_FC_RETRY) &&
5456 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5457 sta->last_seq_ctrl == seq_ctrl &&
5458 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5459 WLAN_FC_STYPE_ASSOC_REQ)) {
5460 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5461 HOSTAPD_LEVEL_DEBUG,
5462 "Drop repeated association frame seq_ctrl=0x%x",
5463 seq_ctrl);
5464 return;
5465 }
5466 sta->last_seq_ctrl = seq_ctrl;
5467 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5468 WLAN_FC_STYPE_ASSOC_REQ;
5469
5470 if (hapd->tkip_countermeasures) {
5471 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5472 goto fail;
5473 }
5474
5475 if (listen_interval > hapd->conf->max_listen_interval) {
5476 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5477 HOSTAPD_LEVEL_DEBUG,
5478 "Too large Listen Interval (%d)",
5479 listen_interval);
5480 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5481 goto fail;
5482 }
5483
5484 #ifdef CONFIG_MBO
5485 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5486 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5487 goto fail;
5488 }
5489
5490 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5491 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5492 (sta->auth_rssi == 0 ||
5493 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5494 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5495 goto fail;
5496 }
5497 #endif /* CONFIG_MBO */
5498
5499 /*
5500 * sta->capability is used in check_assoc_ies() for RRM enabled
5501 * capability element.
5502 */
5503 sta->capability = capab_info;
5504
5505 #ifdef CONFIG_FILS
5506 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5507 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5508 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5509 int res;
5510
5511 /* The end of the payload is encrypted. Need to decrypt it
5512 * before parsing. */
5513
5514 tmp = os_memdup(pos, left);
5515 if (!tmp) {
5516 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5517 goto fail;
5518 }
5519
5520 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5521 len, tmp, left);
5522 if (res < 0) {
5523 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5524 goto fail;
5525 }
5526 pos = tmp;
5527 left = res;
5528 }
5529 #endif /* CONFIG_FILS */
5530
5531 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5532 * is used */
5533 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5534 if (resp != WLAN_STATUS_SUCCESS)
5535 goto fail;
5536 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5537
5538 if (hostapd_get_aid(hapd, sta) < 0) {
5539 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5540 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5541 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5542 goto fail;
5543 }
5544
5545 sta->listen_interval = listen_interval;
5546
5547 if (hapd->iface->current_mode &&
5548 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5549 sta->flags |= WLAN_STA_NONERP;
5550 for (i = 0; i < sta->supported_rates_len; i++) {
5551 if ((sta->supported_rates[i] & 0x7f) > 22) {
5552 sta->flags &= ~WLAN_STA_NONERP;
5553 break;
5554 }
5555 }
5556 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5557 sta->nonerp_set = 1;
5558 hapd->iface->num_sta_non_erp++;
5559 if (hapd->iface->num_sta_non_erp == 1)
5560 ieee802_11_set_beacons(hapd->iface);
5561 }
5562
5563 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5564 !sta->no_short_slot_time_set) {
5565 sta->no_short_slot_time_set = 1;
5566 hapd->iface->num_sta_no_short_slot_time++;
5567 if (hapd->iface->current_mode &&
5568 hapd->iface->current_mode->mode ==
5569 HOSTAPD_MODE_IEEE80211G &&
5570 hapd->iface->num_sta_no_short_slot_time == 1)
5571 ieee802_11_set_beacons(hapd->iface);
5572 }
5573
5574 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5575 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5576 else
5577 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5578
5579 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5580 !sta->no_short_preamble_set) {
5581 sta->no_short_preamble_set = 1;
5582 hapd->iface->num_sta_no_short_preamble++;
5583 if (hapd->iface->current_mode &&
5584 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5585 && hapd->iface->num_sta_no_short_preamble == 1)
5586 ieee802_11_set_beacons(hapd->iface);
5587 }
5588
5589 update_ht_state(hapd, sta);
5590
5591 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5592 HOSTAPD_LEVEL_DEBUG,
5593 "association OK (aid %d)", sta->aid);
5594 /* Station will be marked associated, after it acknowledges AssocResp
5595 */
5596 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5597
5598 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5599 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5600 "SA Query procedure", reassoc ? "re" : "");
5601 /* TODO: Send a protected Disassociate frame to the STA using
5602 * the old key and Reason Code "Previous Authentication no
5603 * longer valid". Make sure this is only sent protected since
5604 * unprotected frame would be received by the STA that is now
5605 * trying to associate.
5606 */
5607 }
5608
5609 /* Make sure that the previously registered inactivity timer will not
5610 * remove the STA immediately. */
5611 sta->timeout_next = STA_NULLFUNC;
5612
5613 #ifdef CONFIG_TAXONOMY
5614 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5615 #endif /* CONFIG_TAXONOMY */
5616
5617 sta->pending_wds_enable = 0;
5618
5619 #ifdef CONFIG_FILS
5620 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5621 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5622 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5623 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5624 delay_assoc = 1;
5625 }
5626 #endif /* CONFIG_FILS */
5627
5628 fail:
5629
5630 /*
5631 * In case of a successful response, add the station to the driver.
5632 * Otherwise, the kernel may ignore Data frames before we process the
5633 * ACK frame (TX status). In case of a failure, this station will be
5634 * removed.
5635 *
5636 * Note that this is not compliant with the IEEE 802.11 standard that
5637 * states that a non-AP station should transition into the
5638 * authenticated/associated state only after the station acknowledges
5639 * the (Re)Association Response frame. However, still do this as:
5640 *
5641 * 1. In case the station does not acknowledge the (Re)Association
5642 * Response frame, it will be removed.
5643 * 2. Data frames will be dropped in the kernel until the station is
5644 * set into authorized state, and there are no significant known
5645 * issues with processing other non-Data Class 3 frames during this
5646 * window.
5647 */
5648 if (resp == WLAN_STATUS_SUCCESS && sta &&
5649 add_associated_sta(hapd, sta, reassoc))
5650 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5651
5652 #ifdef CONFIG_FILS
5653 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5654 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5655 sta->fils_pending_assoc_req) {
5656 /* Do not reschedule fils_hlp_timeout in case the station
5657 * retransmits (Re)Association Request frame while waiting for
5658 * the previously started FILS HLP wait, so that the timeout can
5659 * be determined from the first pending attempt. */
5660 wpa_printf(MSG_DEBUG,
5661 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5662 MACSTR, MAC2STR(sta->addr));
5663 os_free(tmp);
5664 return;
5665 }
5666 if (sta) {
5667 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5668 os_free(sta->fils_pending_assoc_req);
5669 sta->fils_pending_assoc_req = NULL;
5670 sta->fils_pending_assoc_req_len = 0;
5671 wpabuf_free(sta->fils_hlp_resp);
5672 sta->fils_hlp_resp = NULL;
5673 }
5674 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5675 sta->fils_pending_assoc_req = tmp;
5676 sta->fils_pending_assoc_req_len = left;
5677 sta->fils_pending_assoc_is_reassoc = reassoc;
5678 sta->fils_drv_assoc_finish = 0;
5679 wpa_printf(MSG_DEBUG,
5680 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5681 MACSTR, MAC2STR(sta->addr));
5682 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5683 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5684 fils_hlp_timeout, hapd, sta);
5685 return;
5686 }
5687 #endif /* CONFIG_FILS */
5688
5689 if (resp >= 0)
5690 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5691 pos, left, rssi, omit_rsnxe);
5692 os_free(tmp);
5693
5694 /*
5695 * Remove the station in case transmission of a success response fails
5696 * (the STA was added associated to the driver) or if the station was
5697 * previously added unassociated.
5698 */
5699 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5700 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5701 hostapd_drv_sta_remove(hapd, sta->addr);
5702 sta->added_unassoc = 0;
5703 }
5704 }
5705
5706
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5707 static void handle_disassoc(struct hostapd_data *hapd,
5708 const struct ieee80211_mgmt *mgmt, size_t len)
5709 {
5710 struct sta_info *sta;
5711
5712 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5713 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5714 (unsigned long) len);
5715 return;
5716 }
5717
5718 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
5719 MAC2STR(mgmt->sa),
5720 le_to_host16(mgmt->u.disassoc.reason_code));
5721
5722 sta = ap_get_sta(hapd, mgmt->sa);
5723 if (sta == NULL) {
5724 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
5725 MAC2STR(mgmt->sa));
5726 return;
5727 }
5728
5729 ap_sta_set_authorized(hapd, sta, 0);
5730 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5731 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5732 hostapd_set_sta_flags(hapd, sta);
5733 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5734 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5735 HOSTAPD_LEVEL_INFO, "disassociated");
5736 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5737 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5738 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5739 * authenticated. */
5740 accounting_sta_stop(hapd, sta);
5741 ieee802_1x_free_station(hapd, sta);
5742 if (sta->ipaddr)
5743 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5744 ap_sta_ip6addr_del(hapd, sta);
5745 hostapd_drv_sta_remove(hapd, sta->addr);
5746 sta->added_unassoc = 0;
5747
5748 if (sta->timeout_next == STA_NULLFUNC ||
5749 sta->timeout_next == STA_DISASSOC) {
5750 sta->timeout_next = STA_DEAUTH;
5751 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5752 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5753 hapd, sta);
5754 }
5755
5756 mlme_disassociate_indication(
5757 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5758
5759 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5760 * disassociation. */
5761 if (hapd->iface->current_mode &&
5762 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5763 sta->flags &= ~WLAN_STA_AUTH;
5764 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5765 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5766 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5767 ap_free_sta(hapd, sta);
5768 }
5769 }
5770
5771
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5772 static void handle_deauth(struct hostapd_data *hapd,
5773 const struct ieee80211_mgmt *mgmt, size_t len)
5774 {
5775 struct sta_info *sta;
5776
5777 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5778 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5779 "payload (len=%lu)", (unsigned long) len);
5780 return;
5781 }
5782
5783 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5784 " reason_code=%d",
5785 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5786
5787 sta = ap_get_sta(hapd, mgmt->sa);
5788 if (sta == NULL) {
5789 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5790 "to deauthenticate, but it is not authenticated",
5791 MAC2STR(mgmt->sa));
5792 return;
5793 }
5794
5795 ap_sta_set_authorized(hapd, sta, 0);
5796 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5797 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5798 WLAN_STA_ASSOC_REQ_OK);
5799 hostapd_set_sta_flags(hapd, sta);
5800 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5801 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5802 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5803 mlme_deauthenticate_indication(
5804 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5805 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5806 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5807 ap_free_sta(hapd, sta);
5808 }
5809
5810
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5811 static void handle_beacon(struct hostapd_data *hapd,
5812 const struct ieee80211_mgmt *mgmt, size_t len,
5813 struct hostapd_frame_info *fi)
5814 {
5815 struct ieee802_11_elems elems;
5816
5817 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5818 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5819 (unsigned long) len);
5820 return;
5821 }
5822
5823 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5824 len - (IEEE80211_HDRLEN +
5825 sizeof(mgmt->u.beacon)), &elems,
5826 0);
5827
5828 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5829 }
5830
5831
robust_action_frame(u8 category)5832 static int robust_action_frame(u8 category)
5833 {
5834 return category != WLAN_ACTION_PUBLIC &&
5835 category != WLAN_ACTION_HT;
5836 }
5837
5838
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5839 static int handle_action(struct hostapd_data *hapd,
5840 const struct ieee80211_mgmt *mgmt, size_t len,
5841 unsigned int freq)
5842 {
5843 struct sta_info *sta;
5844 u8 *action __maybe_unused;
5845
5846 if (len < IEEE80211_HDRLEN + 2 + 1) {
5847 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5848 HOSTAPD_LEVEL_DEBUG,
5849 "handle_action - too short payload (len=%lu)",
5850 (unsigned long) len);
5851 return 0;
5852 }
5853
5854 action = (u8 *) &mgmt->u.action.u;
5855 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
5856 " da " MACSTR " len %d freq %u",
5857 mgmt->u.action.category, *action,
5858 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
5859
5860 sta = ap_get_sta(hapd, mgmt->sa);
5861
5862 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
5863 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
5864 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
5865 "frame (category=%u) from unassociated STA " MACSTR,
5866 mgmt->u.action.category, MAC2STR(mgmt->sa));
5867 return 0;
5868 }
5869
5870 if (sta && (sta->flags & WLAN_STA_MFP) &&
5871 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
5872 robust_action_frame(mgmt->u.action.category)) {
5873 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5874 HOSTAPD_LEVEL_DEBUG,
5875 "Dropped unprotected Robust Action frame from "
5876 "an MFP STA");
5877 return 0;
5878 }
5879
5880 if (sta) {
5881 u16 fc = le_to_host16(mgmt->frame_control);
5882 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5883
5884 if ((fc & WLAN_FC_RETRY) &&
5885 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5886 sta->last_seq_ctrl == seq_ctrl &&
5887 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
5888 hostapd_logger(hapd, sta->addr,
5889 HOSTAPD_MODULE_IEEE80211,
5890 HOSTAPD_LEVEL_DEBUG,
5891 "Drop repeated action frame seq_ctrl=0x%x",
5892 seq_ctrl);
5893 return 1;
5894 }
5895
5896 sta->last_seq_ctrl = seq_ctrl;
5897 sta->last_subtype = WLAN_FC_STYPE_ACTION;
5898 }
5899
5900 switch (mgmt->u.action.category) {
5901 #ifdef CONFIG_IEEE80211R_AP
5902 case WLAN_ACTION_FT:
5903 if (!sta ||
5904 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
5905 len - IEEE80211_HDRLEN))
5906 break;
5907 return 1;
5908 #endif /* CONFIG_IEEE80211R_AP */
5909 case WLAN_ACTION_WMM:
5910 hostapd_wmm_action(hapd, mgmt, len);
5911 return 1;
5912 case WLAN_ACTION_SA_QUERY:
5913 ieee802_11_sa_query_action(hapd, mgmt, len);
5914 return 1;
5915 #ifdef CONFIG_WNM_AP
5916 case WLAN_ACTION_WNM:
5917 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
5918 return 1;
5919 #endif /* CONFIG_WNM_AP */
5920 #ifdef CONFIG_FST
5921 case WLAN_ACTION_FST:
5922 if (hapd->iface->fst)
5923 fst_rx_action(hapd->iface->fst, mgmt, len);
5924 else
5925 wpa_printf(MSG_DEBUG,
5926 "FST: Ignore FST Action frame - no FST attached");
5927 return 1;
5928 #endif /* CONFIG_FST */
5929 case WLAN_ACTION_PUBLIC:
5930 case WLAN_ACTION_PROTECTED_DUAL:
5931 if (len >= IEEE80211_HDRLEN + 2 &&
5932 mgmt->u.action.u.public_action.action ==
5933 WLAN_PA_20_40_BSS_COEX) {
5934 hostapd_2040_coex_action(hapd, mgmt, len);
5935 return 1;
5936 }
5937 #ifdef CONFIG_DPP
5938 if (len >= IEEE80211_HDRLEN + 6 &&
5939 mgmt->u.action.u.vs_public_action.action ==
5940 WLAN_PA_VENDOR_SPECIFIC &&
5941 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5942 OUI_WFA &&
5943 mgmt->u.action.u.vs_public_action.variable[0] ==
5944 DPP_OUI_TYPE) {
5945 const u8 *pos, *end;
5946
5947 pos = mgmt->u.action.u.vs_public_action.oui;
5948 end = ((const u8 *) mgmt) + len;
5949 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
5950 freq);
5951 return 1;
5952 }
5953 if (len >= IEEE80211_HDRLEN + 2 &&
5954 (mgmt->u.action.u.public_action.action ==
5955 WLAN_PA_GAS_INITIAL_RESP ||
5956 mgmt->u.action.u.public_action.action ==
5957 WLAN_PA_GAS_COMEBACK_RESP)) {
5958 const u8 *pos, *end;
5959
5960 pos = &mgmt->u.action.u.public_action.action;
5961 end = ((const u8 *) mgmt) + len;
5962 gas_query_ap_rx(hapd->gas, mgmt->sa,
5963 mgmt->u.action.category,
5964 pos, end - pos, hapd->iface->freq);
5965 return 1;
5966 }
5967 #endif /* CONFIG_DPP */
5968 if (hapd->public_action_cb) {
5969 hapd->public_action_cb(hapd->public_action_cb_ctx,
5970 (u8 *) mgmt, len,
5971 hapd->iface->freq);
5972 }
5973 if (hapd->public_action_cb2) {
5974 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
5975 (u8 *) mgmt, len,
5976 hapd->iface->freq);
5977 }
5978 if (hapd->public_action_cb || hapd->public_action_cb2)
5979 return 1;
5980 break;
5981 case WLAN_ACTION_VENDOR_SPECIFIC:
5982 if (hapd->vendor_action_cb) {
5983 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
5984 (u8 *) mgmt, len,
5985 hapd->iface->freq) == 0)
5986 return 1;
5987 }
5988 break;
5989 case WLAN_ACTION_RADIO_MEASUREMENT:
5990 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
5991 return 1;
5992 }
5993
5994 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5995 HOSTAPD_LEVEL_DEBUG,
5996 "handle_action - unknown action category %d or invalid "
5997 "frame",
5998 mgmt->u.action.category);
5999 if (!is_multicast_ether_addr(mgmt->da) &&
6000 !(mgmt->u.action.category & 0x80) &&
6001 !is_multicast_ether_addr(mgmt->sa)) {
6002 struct ieee80211_mgmt *resp;
6003
6004 /*
6005 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6006 * Return the Action frame to the source without change
6007 * except that MSB of the Category set to 1.
6008 */
6009 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6010 "frame back to sender");
6011 resp = os_memdup(mgmt, len);
6012 if (resp == NULL)
6013 return 0;
6014 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6015 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6016 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6017 resp->u.action.category |= 0x80;
6018
6019 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6020 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6021 "Action frame");
6022 }
6023 os_free(resp);
6024 }
6025
6026 return 1;
6027 }
6028
6029
6030 /**
6031 * notify_mgmt_frame - Notify of Management frames on the control interface
6032 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6033 * sent to)
6034 * @buf: Management frame data (starting from the IEEE 802.11 header)
6035 * @len: Length of frame data in octets
6036 *
6037 * Notify the control interface of any received Management frame.
6038 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6039 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6040 size_t len)
6041 {
6042
6043 int hex_len = len * 2 + 1;
6044 char *hex = os_malloc(hex_len);
6045
6046 if (hex) {
6047 wpa_snprintf_hex(hex, hex_len, buf, len);
6048 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6049 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6050 os_free(hex);
6051 }
6052 }
6053
6054
6055 /**
6056 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6057 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6058 * sent to)
6059 * @buf: management frame data (starting from IEEE 802.11 header)
6060 * @len: length of frame data in octets
6061 * @fi: meta data about received frame (signal level, etc.)
6062 *
6063 * Process all incoming IEEE 802.11 management frames. This will be called for
6064 * each frame received from the kernel driver through wlan#ap interface. In
6065 * addition, it can be called to re-inserted pending frames (e.g., when using
6066 * external RADIUS server as an MAC ACL).
6067 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6068 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6069 struct hostapd_frame_info *fi)
6070 {
6071 struct ieee80211_mgmt *mgmt;
6072 u16 fc, stype;
6073 int ret = 0;
6074 unsigned int freq;
6075 int ssi_signal = fi ? fi->ssi_signal : 0;
6076
6077 if (len < 24)
6078 return 0;
6079
6080 if (fi && fi->freq)
6081 freq = fi->freq;
6082 else
6083 freq = hapd->iface->freq;
6084
6085 mgmt = (struct ieee80211_mgmt *) buf;
6086 fc = le_to_host16(mgmt->frame_control);
6087 stype = WLAN_FC_GET_STYPE(fc);
6088
6089 if (is_multicast_ether_addr(mgmt->sa) ||
6090 is_zero_ether_addr(mgmt->sa) ||
6091 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6092 /* Do not process any frames with unexpected/invalid SA so that
6093 * we do not add any state for unexpected STA addresses or end
6094 * up sending out frames to unexpected destination. */
6095 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6096 " in received frame - ignore this frame silently",
6097 MAC2STR(mgmt->sa));
6098 return 0;
6099 }
6100
6101 if (stype == WLAN_FC_STYPE_BEACON) {
6102 handle_beacon(hapd, mgmt, len, fi);
6103 return 1;
6104 }
6105
6106 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6107 #ifdef CONFIG_P2P
6108 /* Invitation responses can be sent with the peer MAC as BSSID */
6109 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6110 stype == WLAN_FC_STYPE_ACTION) &&
6111 #endif /* CONFIG_P2P */
6112 #ifdef CONFIG_MESH
6113 !(hapd->conf->mesh & MESH_ENABLED) &&
6114 #endif /* CONFIG_MESH */
6115 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6116 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6117 MAC2STR(mgmt->bssid));
6118 return 0;
6119 }
6120
6121 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6122 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6123 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6124 return 1;
6125 }
6126
6127 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6128 handle_probe_req(hapd, mgmt, len, ssi_signal);
6129 return 1;
6130 }
6131
6132 if ((!is_broadcast_ether_addr(mgmt->da) ||
6133 stype != WLAN_FC_STYPE_ACTION) &&
6134 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6135 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6136 HOSTAPD_LEVEL_DEBUG,
6137 "MGMT: DA=" MACSTR " not our address",
6138 MAC2STR(mgmt->da));
6139 return 0;
6140 }
6141
6142 if (hapd->iconf->track_sta_max_num)
6143 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6144
6145 if (hapd->conf->notify_mgmt_frames)
6146 notify_mgmt_frame(hapd, buf, len);
6147
6148 switch (stype) {
6149 case WLAN_FC_STYPE_AUTH:
6150 wpa_printf(MSG_DEBUG, "mgmt::auth");
6151 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6152 ret = 1;
6153 break;
6154 case WLAN_FC_STYPE_ASSOC_REQ:
6155 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6156 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6157 ret = 1;
6158 break;
6159 case WLAN_FC_STYPE_REASSOC_REQ:
6160 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6161 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6162 ret = 1;
6163 break;
6164 case WLAN_FC_STYPE_DISASSOC:
6165 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6166 handle_disassoc(hapd, mgmt, len);
6167 ret = 1;
6168 break;
6169 case WLAN_FC_STYPE_DEAUTH:
6170 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6171 handle_deauth(hapd, mgmt, len);
6172 ret = 1;
6173 break;
6174 case WLAN_FC_STYPE_ACTION:
6175 wpa_printf(MSG_DEBUG, "mgmt::action");
6176 ret = handle_action(hapd, mgmt, len, freq);
6177 break;
6178 default:
6179 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6180 HOSTAPD_LEVEL_DEBUG,
6181 "unknown mgmt frame subtype %d", stype);
6182 break;
6183 }
6184
6185 return ret;
6186 }
6187
6188
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6189 static void handle_auth_cb(struct hostapd_data *hapd,
6190 const struct ieee80211_mgmt *mgmt,
6191 size_t len, int ok)
6192 {
6193 u16 auth_alg, auth_transaction, status_code;
6194 struct sta_info *sta;
6195 bool success_status;
6196
6197 sta = ap_get_sta(hapd, mgmt->da);
6198 if (!sta) {
6199 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6200 " not found",
6201 MAC2STR(mgmt->da));
6202 return;
6203 }
6204
6205 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6206 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6207 (unsigned long) len);
6208 auth_alg = 0;
6209 auth_transaction = 0;
6210 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6211 goto fail;
6212 }
6213
6214 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6215 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6216 status_code = le_to_host16(mgmt->u.auth.status_code);
6217
6218 if (!ok) {
6219 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6220 HOSTAPD_LEVEL_NOTICE,
6221 "did not acknowledge authentication response");
6222 goto fail;
6223 }
6224
6225 if (status_code == WLAN_STATUS_SUCCESS &&
6226 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6227 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6228 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6229 HOSTAPD_LEVEL_INFO, "authenticated");
6230 sta->flags |= WLAN_STA_AUTH;
6231 if (sta->added_unassoc)
6232 hostapd_set_sta_flags(hapd, sta);
6233 return;
6234 }
6235
6236 fail:
6237 success_status = status_code == WLAN_STATUS_SUCCESS;
6238 #ifdef CONFIG_SAE
6239 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6240 success_status = sae_status_success(hapd, status_code);
6241 #endif /* CONFIG_SAE */
6242 if (!success_status && sta->added_unassoc) {
6243 hostapd_drv_sta_remove(hapd, sta->addr);
6244 sta->added_unassoc = 0;
6245 }
6246 }
6247
6248
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6249 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6250 struct sta_info *sta,
6251 char *ifname_wds)
6252 {
6253 #ifdef CONFIG_WEP
6254 int i;
6255 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6256
6257 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6258 return;
6259
6260 for (i = 0; i < 4; i++) {
6261 if (ssid->wep.key[i] &&
6262 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6263 0, i == ssid->wep.idx, NULL, 0,
6264 ssid->wep.key[i], ssid->wep.len[i],
6265 i == ssid->wep.idx ?
6266 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6267 KEY_FLAG_GROUP_RX_TX)) {
6268 wpa_printf(MSG_WARNING,
6269 "Could not set WEP keys for WDS interface; %s",
6270 ifname_wds);
6271 break;
6272 }
6273 }
6274 #endif /* CONFIG_WEP */
6275 }
6276
6277
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6278 static void handle_assoc_cb(struct hostapd_data *hapd,
6279 const struct ieee80211_mgmt *mgmt,
6280 size_t len, int reassoc, int ok)
6281 {
6282 u16 status;
6283 struct sta_info *sta;
6284 int new_assoc = 1;
6285
6286 sta = ap_get_sta(hapd, mgmt->da);
6287 if (!sta) {
6288 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6289 MAC2STR(mgmt->da));
6290 return;
6291 }
6292
6293 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6294 sizeof(mgmt->u.assoc_resp))) {
6295 wpa_printf(MSG_INFO,
6296 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6297 reassoc, (unsigned long) len);
6298 hostapd_drv_sta_remove(hapd, sta->addr);
6299 return;
6300 }
6301
6302 if (reassoc)
6303 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6304 else
6305 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6306
6307 if (!ok) {
6308 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6309 HOSTAPD_LEVEL_DEBUG,
6310 "did not acknowledge association response");
6311 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6312 /* The STA is added only in case of SUCCESS */
6313 if (status == WLAN_STATUS_SUCCESS)
6314 hostapd_drv_sta_remove(hapd, sta->addr);
6315
6316 return;
6317 }
6318
6319 if (status != WLAN_STATUS_SUCCESS)
6320 return;
6321
6322 /* Stop previous accounting session, if one is started, and allocate
6323 * new session id for the new session. */
6324 accounting_sta_stop(hapd, sta);
6325
6326 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6327 HOSTAPD_LEVEL_INFO,
6328 "associated (aid %d)",
6329 sta->aid);
6330
6331 if (sta->flags & WLAN_STA_ASSOC)
6332 new_assoc = 0;
6333 sta->flags |= WLAN_STA_ASSOC;
6334 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6335 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6336 !hapd->conf->osen) ||
6337 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6338 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6339 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6340 sta->auth_alg == WLAN_AUTH_FT) {
6341 /*
6342 * Open, static WEP, FT protocol, or FILS; no separate
6343 * authorization step.
6344 */
6345 ap_sta_set_authorized(hapd, sta, 1);
6346 }
6347
6348 if (reassoc)
6349 mlme_reassociate_indication(hapd, sta);
6350 else
6351 mlme_associate_indication(hapd, sta);
6352
6353 sta->sa_query_timed_out = 0;
6354
6355 if (sta->eapol_sm == NULL) {
6356 /*
6357 * This STA does not use RADIUS server for EAP authentication,
6358 * so bind it to the selected VLAN interface now, since the
6359 * interface selection is not going to change anymore.
6360 */
6361 if (ap_sta_bind_vlan(hapd, sta) < 0)
6362 return;
6363 } else if (sta->vlan_id) {
6364 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6365 if (ap_sta_bind_vlan(hapd, sta) < 0)
6366 return;
6367 }
6368
6369 hostapd_set_sta_flags(hapd, sta);
6370
6371 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6372 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6373 MACSTR " based on pending request",
6374 MAC2STR(sta->addr));
6375 sta->pending_wds_enable = 0;
6376 sta->flags |= WLAN_STA_WDS;
6377 }
6378
6379 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6380 int ret;
6381 char ifname_wds[IFNAMSIZ + 1];
6382
6383 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6384 MACSTR " (aid %u)",
6385 MAC2STR(sta->addr), sta->aid);
6386 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6387 sta->aid, 1);
6388 if (!ret)
6389 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6390 }
6391
6392 if (sta->auth_alg == WLAN_AUTH_FT)
6393 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6394 else
6395 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6396 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6397 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6398
6399 #ifdef CONFIG_FILS
6400 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6401 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6402 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6403 fils_set_tk(sta->wpa_sm) < 0) {
6404 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6405 ap_sta_disconnect(hapd, sta, sta->addr,
6406 WLAN_REASON_UNSPECIFIED);
6407 return;
6408 }
6409 #endif /* CONFIG_FILS */
6410
6411 if (sta->pending_eapol_rx) {
6412 struct os_reltime now, age;
6413
6414 os_get_reltime(&now);
6415 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6416 if (age.sec == 0 && age.usec < 200000) {
6417 wpa_printf(MSG_DEBUG,
6418 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6419 MAC2STR(sta->addr));
6420 ieee802_1x_receive(
6421 hapd, mgmt->da,
6422 wpabuf_head(sta->pending_eapol_rx->buf),
6423 wpabuf_len(sta->pending_eapol_rx->buf));
6424 }
6425 wpabuf_free(sta->pending_eapol_rx->buf);
6426 os_free(sta->pending_eapol_rx);
6427 sta->pending_eapol_rx = NULL;
6428 }
6429 }
6430
6431
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6432 static void handle_deauth_cb(struct hostapd_data *hapd,
6433 const struct ieee80211_mgmt *mgmt,
6434 size_t len, int ok)
6435 {
6436 struct sta_info *sta;
6437 if (is_multicast_ether_addr(mgmt->da))
6438 return;
6439 sta = ap_get_sta(hapd, mgmt->da);
6440 if (!sta) {
6441 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6442 " not found", MAC2STR(mgmt->da));
6443 return;
6444 }
6445 if (ok)
6446 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6447 MAC2STR(sta->addr));
6448 else
6449 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6450 "deauth", MAC2STR(sta->addr));
6451
6452 ap_sta_deauth_cb(hapd, sta);
6453 }
6454
6455
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6456 static void handle_disassoc_cb(struct hostapd_data *hapd,
6457 const struct ieee80211_mgmt *mgmt,
6458 size_t len, int ok)
6459 {
6460 struct sta_info *sta;
6461 if (is_multicast_ether_addr(mgmt->da))
6462 return;
6463 sta = ap_get_sta(hapd, mgmt->da);
6464 if (!sta) {
6465 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6466 " not found", MAC2STR(mgmt->da));
6467 return;
6468 }
6469 if (ok)
6470 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6471 MAC2STR(sta->addr));
6472 else
6473 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6474 "disassoc", MAC2STR(sta->addr));
6475
6476 ap_sta_disassoc_cb(hapd, sta);
6477 }
6478
6479
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6480 static void handle_action_cb(struct hostapd_data *hapd,
6481 const struct ieee80211_mgmt *mgmt,
6482 size_t len, int ok)
6483 {
6484 struct sta_info *sta;
6485 const struct rrm_measurement_report_element *report;
6486
6487 if (is_multicast_ether_addr(mgmt->da))
6488 return;
6489 #ifdef CONFIG_DPP
6490 if (len >= IEEE80211_HDRLEN + 6 &&
6491 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6492 mgmt->u.action.u.vs_public_action.action ==
6493 WLAN_PA_VENDOR_SPECIFIC &&
6494 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6495 OUI_WFA &&
6496 mgmt->u.action.u.vs_public_action.variable[0] ==
6497 DPP_OUI_TYPE) {
6498 const u8 *pos, *end;
6499
6500 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6501 end = ((const u8 *) mgmt) + len;
6502 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6503 return;
6504 }
6505 if (len >= IEEE80211_HDRLEN + 2 &&
6506 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6507 (mgmt->u.action.u.public_action.action ==
6508 WLAN_PA_GAS_INITIAL_REQ ||
6509 mgmt->u.action.u.public_action.action ==
6510 WLAN_PA_GAS_COMEBACK_REQ)) {
6511 const u8 *pos, *end;
6512
6513 pos = mgmt->u.action.u.public_action.variable;
6514 end = ((const u8 *) mgmt) + len;
6515 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6516 return;
6517 }
6518 #endif /* CONFIG_DPP */
6519 sta = ap_get_sta(hapd, mgmt->da);
6520 if (!sta) {
6521 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6522 " not found", MAC2STR(mgmt->da));
6523 return;
6524 }
6525
6526 if (len < 24 + 5 + sizeof(*report))
6527 return;
6528 report = (const struct rrm_measurement_report_element *)
6529 &mgmt->u.action.u.rrm.variable[2];
6530 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6531 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6532 report->eid == WLAN_EID_MEASURE_REQUEST &&
6533 report->len >= 3 &&
6534 report->type == MEASURE_TYPE_BEACON)
6535 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6536 }
6537
6538
6539 /**
6540 * ieee802_11_mgmt_cb - Process management frame TX status callback
6541 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6542 * was sent from)
6543 * @buf: management frame data (starting from IEEE 802.11 header)
6544 * @len: length of frame data in octets
6545 * @stype: management frame subtype from frame control field
6546 * @ok: Whether the frame was ACK'ed
6547 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6548 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6549 u16 stype, int ok)
6550 {
6551 const struct ieee80211_mgmt *mgmt;
6552 mgmt = (const struct ieee80211_mgmt *) buf;
6553
6554 #ifdef CONFIG_TESTING_OPTIONS
6555 if (hapd->ext_mgmt_frame_handling) {
6556 size_t hex_len = 2 * len + 1;
6557 char *hex = os_malloc(hex_len);
6558
6559 if (hex) {
6560 wpa_snprintf_hex(hex, hex_len, buf, len);
6561 wpa_msg(hapd->msg_ctx, MSG_INFO,
6562 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6563 stype, ok, hex);
6564 os_free(hex);
6565 }
6566 return;
6567 }
6568 #endif /* CONFIG_TESTING_OPTIONS */
6569
6570 switch (stype) {
6571 case WLAN_FC_STYPE_AUTH:
6572 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6573 handle_auth_cb(hapd, mgmt, len, ok);
6574 break;
6575 case WLAN_FC_STYPE_ASSOC_RESP:
6576 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6577 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6578 break;
6579 case WLAN_FC_STYPE_REASSOC_RESP:
6580 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6581 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6582 break;
6583 case WLAN_FC_STYPE_PROBE_RESP:
6584 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6585 break;
6586 case WLAN_FC_STYPE_DEAUTH:
6587 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6588 handle_deauth_cb(hapd, mgmt, len, ok);
6589 break;
6590 case WLAN_FC_STYPE_DISASSOC:
6591 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6592 handle_disassoc_cb(hapd, mgmt, len, ok);
6593 break;
6594 case WLAN_FC_STYPE_ACTION:
6595 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6596 handle_action_cb(hapd, mgmt, len, ok);
6597 break;
6598 default:
6599 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6600 break;
6601 }
6602 }
6603
6604
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6605 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6606 {
6607 /* TODO */
6608 return 0;
6609 }
6610
6611
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6612 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6613 char *buf, size_t buflen)
6614 {
6615 /* TODO */
6616 return 0;
6617 }
6618
6619
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6620 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6621 const u8 *buf, size_t len, int ack)
6622 {
6623 struct sta_info *sta;
6624 struct hostapd_iface *iface = hapd->iface;
6625
6626 sta = ap_get_sta(hapd, addr);
6627 if (sta == NULL && iface->num_bss > 1) {
6628 size_t j;
6629 for (j = 0; j < iface->num_bss; j++) {
6630 hapd = iface->bss[j];
6631 sta = ap_get_sta(hapd, addr);
6632 if (sta)
6633 break;
6634 }
6635 }
6636 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6637 return;
6638 if (sta->flags & WLAN_STA_PENDING_POLL) {
6639 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6640 "activity poll", MAC2STR(sta->addr),
6641 ack ? "ACKed" : "did not ACK");
6642 if (ack)
6643 sta->flags &= ~WLAN_STA_PENDING_POLL;
6644 }
6645
6646 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6647 }
6648
6649
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)6650 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6651 const u8 *data, size_t len, int ack)
6652 {
6653 struct sta_info *sta;
6654 struct hostapd_iface *iface = hapd->iface;
6655
6656 sta = ap_get_sta(hapd, dst);
6657 if (sta == NULL && iface->num_bss > 1) {
6658 size_t j;
6659 for (j = 0; j < iface->num_bss; j++) {
6660 hapd = iface->bss[j];
6661 sta = ap_get_sta(hapd, dst);
6662 if (sta)
6663 break;
6664 }
6665 }
6666 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6667 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6668 MACSTR " that is not currently associated",
6669 MAC2STR(dst));
6670 return;
6671 }
6672
6673 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6674 }
6675
6676
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6677 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6678 {
6679 struct sta_info *sta;
6680 struct hostapd_iface *iface = hapd->iface;
6681
6682 sta = ap_get_sta(hapd, addr);
6683 if (sta == NULL && iface->num_bss > 1) {
6684 size_t j;
6685 for (j = 0; j < iface->num_bss; j++) {
6686 hapd = iface->bss[j];
6687 sta = ap_get_sta(hapd, addr);
6688 if (sta)
6689 break;
6690 }
6691 }
6692 if (sta == NULL)
6693 return;
6694 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6695 MAC2STR(sta->addr));
6696 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6697 return;
6698
6699 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6700 "activity poll", MAC2STR(sta->addr));
6701 sta->flags &= ~WLAN_STA_PENDING_POLL;
6702 }
6703
6704
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6705 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6706 int wds)
6707 {
6708 struct sta_info *sta;
6709
6710 sta = ap_get_sta(hapd, src);
6711 if (sta &&
6712 ((sta->flags & WLAN_STA_ASSOC) ||
6713 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6714 if (!hapd->conf->wds_sta)
6715 return;
6716
6717 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6718 WLAN_STA_ASSOC_REQ_OK) {
6719 wpa_printf(MSG_DEBUG,
6720 "Postpone 4-address WDS mode enabling for STA "
6721 MACSTR " since TX status for AssocResp is not yet known",
6722 MAC2STR(sta->addr));
6723 sta->pending_wds_enable = 1;
6724 return;
6725 }
6726
6727 if (wds && !(sta->flags & WLAN_STA_WDS)) {
6728 int ret;
6729 char ifname_wds[IFNAMSIZ + 1];
6730
6731 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6732 "STA " MACSTR " (aid %u)",
6733 MAC2STR(sta->addr), sta->aid);
6734 sta->flags |= WLAN_STA_WDS;
6735 ret = hostapd_set_wds_sta(hapd, ifname_wds,
6736 sta->addr, sta->aid, 1);
6737 if (!ret)
6738 hostapd_set_wds_encryption(hapd, sta,
6739 ifname_wds);
6740 }
6741 return;
6742 }
6743
6744 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6745 MACSTR, MAC2STR(src));
6746 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6747 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6748 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6749 * silently. */
6750 return;
6751 }
6752
6753 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6754 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6755 "already been sent, but no TX status yet known - "
6756 "ignore Class 3 frame issue with " MACSTR,
6757 MAC2STR(src));
6758 return;
6759 }
6760
6761 if (sta && (sta->flags & WLAN_STA_AUTH))
6762 hostapd_drv_sta_disassoc(
6763 hapd, src,
6764 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6765 else
6766 hostapd_drv_sta_deauth(
6767 hapd, src,
6768 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6769 }
6770
6771
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)6772 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6773 {
6774 struct hostapd_iface *iface = hapd->iface;
6775 struct hostapd_config *iconf = iface->conf;
6776 struct hostapd_hw_modes *mode = iface->current_mode;
6777 struct hostapd_channel_data *chan;
6778 int dfs, i;
6779 u8 channel, tx_pwr_count, local_pwr_constraint;
6780 int max_tx_power;
6781 u8 tx_pwr;
6782
6783 if (!mode)
6784 return eid;
6785
6786 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6787 return eid;
6788
6789 for (i = 0; i < mode->num_channels; i++) {
6790 if (mode->channels[i].freq == iface->freq)
6791 break;
6792 }
6793 if (i == mode->num_channels)
6794 return eid;
6795
6796 switch (hostapd_get_oper_chwidth(iconf)) {
6797 case CHANWIDTH_USE_HT:
6798 if (iconf->secondary_channel == 0) {
6799 /* Max Transmit Power count = 0 (20 MHz) */
6800 tx_pwr_count = 0;
6801 } else {
6802 /* Max Transmit Power count = 1 (20, 40 MHz) */
6803 tx_pwr_count = 1;
6804 }
6805 break;
6806 case CHANWIDTH_80MHZ:
6807 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6808 tx_pwr_count = 2;
6809 break;
6810 case CHANWIDTH_80P80MHZ:
6811 case CHANWIDTH_160MHZ:
6812 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6813 tx_pwr_count = 3;
6814 break;
6815 default:
6816 return eid;
6817 }
6818
6819 /*
6820 * Below local_pwr_constraint logic is referred from
6821 * hostapd_eid_pwr_constraint.
6822 *
6823 * Check if DFS is required by regulatory.
6824 */
6825 dfs = hostapd_is_dfs_required(hapd->iface);
6826 if (dfs < 0)
6827 dfs = 0;
6828
6829 /*
6830 * In order to meet regulations when TPC is not implemented using
6831 * a transmit power that is below the legal maximum (including any
6832 * mitigation factor) should help. In this case, indicate 3 dB below
6833 * maximum allowed transmit power.
6834 */
6835 if (hapd->iconf->local_pwr_constraint == -1)
6836 local_pwr_constraint = (dfs == 0) ? 0 : 3;
6837 else
6838 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6839
6840 /*
6841 * A STA that is not an AP shall use a transmit power less than or
6842 * equal to the local maximum transmit power level for the channel.
6843 * The local maximum transmit power can be calculated from the formula:
6844 * local max TX pwr = max TX pwr - local pwr constraint
6845 * Where max TX pwr is maximum transmit power level specified for
6846 * channel in Country element and local pwr constraint is specified
6847 * for channel in this Power Constraint element.
6848 */
6849 chan = &mode->channels[i];
6850 max_tx_power = chan->max_tx_power - local_pwr_constraint;
6851
6852 /*
6853 * Local Maximum Transmit power is encoded as two's complement
6854 * with a 0.5 dB step.
6855 */
6856 max_tx_power *= 2; /* in 0.5 dB steps */
6857 if (max_tx_power > 127) {
6858 /* 63.5 has special meaning of 63.5 dBm or higher */
6859 max_tx_power = 127;
6860 }
6861 if (max_tx_power < -128)
6862 max_tx_power = -128;
6863 if (max_tx_power < 0)
6864 tx_pwr = 0x80 + max_tx_power + 128;
6865 else
6866 tx_pwr = max_tx_power;
6867
6868 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
6869 *eid++ = 2 + tx_pwr_count;
6870
6871 /*
6872 * Max Transmit Power count and
6873 * Max Transmit Power units = 0 (EIRP)
6874 */
6875 *eid++ = tx_pwr_count;
6876
6877 for (i = 0; i <= tx_pwr_count; i++)
6878 *eid++ = tx_pwr;
6879
6880 return eid;
6881 }
6882
6883
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)6884 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
6885 {
6886 u8 bw, chan1, chan2 = 0;
6887 int freq1;
6888
6889 if (!hapd->cs_freq_params.channel ||
6890 (!hapd->cs_freq_params.vht_enabled &&
6891 !hapd->cs_freq_params.he_enabled))
6892 return eid;
6893
6894 /* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
6895 switch (hapd->cs_freq_params.bandwidth) {
6896 case 40:
6897 bw = 0;
6898 break;
6899 case 80:
6900 /* check if it's 80+80 */
6901 if (!hapd->cs_freq_params.center_freq2)
6902 bw = 1;
6903 else
6904 bw = 3;
6905 break;
6906 case 160:
6907 bw = 2;
6908 break;
6909 default:
6910 /* not valid VHT bandwidth or not in CSA */
6911 return eid;
6912 }
6913
6914 freq1 = hapd->cs_freq_params.center_freq1 ?
6915 hapd->cs_freq_params.center_freq1 :
6916 hapd->cs_freq_params.freq;
6917 if (ieee80211_freq_to_chan(freq1, &chan1) !=
6918 HOSTAPD_MODE_IEEE80211A)
6919 return eid;
6920
6921 if (hapd->cs_freq_params.center_freq2 &&
6922 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
6923 &chan2) != HOSTAPD_MODE_IEEE80211A)
6924 return eid;
6925
6926 *eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
6927 *eid++ = 5; /* Length of Channel Switch Wrapper */
6928 *eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
6929 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
6930 *eid++ = bw; /* New Channel Width */
6931 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
6932 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
6933
6934 return eid;
6935 }
6936
6937 #endif /* CONFIG_NATIVE_WINDOWS */
6938