1 /* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #ifndef CONFIG_NATIVE_WINDOWS 12 13 #include "utils/common.h" 14 #include "utils/eloop.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/sha384.h" 18 #include "crypto/sha512.h" 19 #include "crypto/random.h" 20 #include "common/ieee802_11_defs.h" 21 #include "common/ieee802_11_common.h" 22 #include "common/wpa_ctrl.h" 23 #include "common/sae.h" 24 #include "common/dpp.h" 25 #include "common/ocv.h" 26 #include "common/wpa_common.h" 27 #include "common/wpa_ctrl.h" 28 #include "common/ptksa_cache.h" 29 #include "radius/radius.h" 30 #include "radius/radius_client.h" 31 #include "p2p/p2p.h" 32 #include "wps/wps.h" 33 #include "fst/fst.h" 34 #include "hostapd.h" 35 #include "beacon.h" 36 #include "ieee802_11_auth.h" 37 #include "sta_info.h" 38 #include "ieee802_1x.h" 39 #include "wpa_auth.h" 40 #include "pmksa_cache_auth.h" 41 #include "wmm.h" 42 #include "ap_list.h" 43 #include "accounting.h" 44 #include "ap_config.h" 45 #include "ap_mlme.h" 46 #include "p2p_hostapd.h" 47 #include "ap_drv_ops.h" 48 #include "wnm_ap.h" 49 #include "hw_features.h" 50 #include "ieee802_11.h" 51 #include "dfs.h" 52 #include "mbo_ap.h" 53 #include "rrm.h" 54 #include "taxonomy.h" 55 #include "fils_hlp.h" 56 #include "dpp_hostapd.h" 57 #include "gas_query_ap.h" 58 #include "comeback_token.h" 59 #include "nan_usd_ap.h" 60 #include "pasn/pasn_common.h" 61 62 63 #ifdef CONFIG_FILS 64 static struct wpabuf * 65 prepare_auth_resp_fils(struct hostapd_data *hapd, 66 struct sta_info *sta, u16 *resp, 67 struct rsn_pmksa_cache_entry *pmksa, 68 struct wpabuf *erp_resp, 69 const u8 *msk, size_t msk_len, 70 int *is_pub); 71 #endif /* CONFIG_FILS */ 72 73 #ifdef CONFIG_PASN 74 #ifdef CONFIG_FILS 75 76 static void pasn_fils_auth_resp(struct hostapd_data *hapd, 77 struct sta_info *sta, u16 status, 78 struct wpabuf *erp_resp, 79 const u8 *msk, size_t msk_len); 80 81 #endif /* CONFIG_FILS */ 82 #endif /* CONFIG_PASN */ 83 84 static void handle_auth(struct hostapd_data *hapd, 85 const struct ieee80211_mgmt *mgmt, size_t len, 86 int rssi, int from_queue); 87 static int add_associated_sta(struct hostapd_data *hapd, 88 struct sta_info *sta, int reassoc); 89 90 91 static u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid, size_t len) 92 { 93 struct multi_ap_params multi_ap = { 0 }; 94 95 if (!hapd->conf->multi_ap) 96 return eid; 97 98 if (hapd->conf->multi_ap & BACKHAUL_BSS) 99 multi_ap.capability |= MULTI_AP_BACKHAUL_BSS; 100 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 101 multi_ap.capability |= MULTI_AP_FRONTHAUL_BSS; 102 103 if (hapd->conf->multi_ap_client_disallow & 104 PROFILE1_CLIENT_ASSOC_DISALLOW) 105 multi_ap.capability |= 106 MULTI_AP_PROFILE1_BACKHAUL_STA_DISALLOWED; 107 if (hapd->conf->multi_ap_client_disallow & 108 PROFILE2_CLIENT_ASSOC_DISALLOW) 109 multi_ap.capability |= 110 MULTI_AP_PROFILE2_BACKHAUL_STA_DISALLOWED; 111 112 multi_ap.profile = hapd->conf->multi_ap_profile; 113 multi_ap.vlanid = hapd->conf->multi_ap_vlanid; 114 115 return eid + add_multi_ap_ie(eid, len, &multi_ap); 116 } 117 118 119 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 120 { 121 u8 *pos = eid; 122 int i, num, count; 123 int h2e_required; 124 125 if (hapd->iface->current_rates == NULL) 126 return eid; 127 128 *pos++ = WLAN_EID_SUPP_RATES; 129 num = hapd->iface->num_rates; 130 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 131 num++; 132 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 133 num++; 134 #ifdef CONFIG_IEEE80211AX 135 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he) 136 num++; 137 #endif /* CONFIG_IEEE80211AX */ 138 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || 139 hostapd_sae_pw_id_in_use(hapd->conf) == 2) && 140 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && 141 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); 142 if (h2e_required) 143 num++; 144 if (num > 8) { 145 /* rest of the rates are encoded in Extended supported 146 * rates element */ 147 num = 8; 148 } 149 150 *pos++ = num; 151 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 152 i++) { 153 count++; 154 *pos = hapd->iface->current_rates[i].rate / 5; 155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 156 *pos |= 0x80; 157 pos++; 158 } 159 160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 161 count++; 162 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 163 } 164 165 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 166 count++; 167 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 168 } 169 170 #ifdef CONFIG_IEEE80211AX 171 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he && count < 8) { 172 count++; 173 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY; 174 } 175 #endif /* CONFIG_IEEE80211AX */ 176 177 if (h2e_required && count < 8) { 178 count++; 179 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY; 180 } 181 182 return pos; 183 } 184 185 186 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 187 { 188 u8 *pos = eid; 189 int i, num, count; 190 int h2e_required; 191 192 hapd->conf->xrates_supported = false; 193 if (hapd->iface->current_rates == NULL) 194 return eid; 195 196 num = hapd->iface->num_rates; 197 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 198 num++; 199 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 200 num++; 201 #ifdef CONFIG_IEEE80211AX 202 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he) 203 num++; 204 #endif /* CONFIG_IEEE80211AX */ 205 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT || 206 hostapd_sae_pw_id_in_use(hapd->conf) == 2) && 207 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK && 208 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt); 209 if (h2e_required) 210 num++; 211 if (num <= 8) 212 return eid; 213 num -= 8; 214 215 *pos++ = WLAN_EID_EXT_SUPP_RATES; 216 *pos++ = num; 217 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 218 i++) { 219 count++; 220 if (count <= 8) 221 continue; /* already in SuppRates IE */ 222 *pos = hapd->iface->current_rates[i].rate / 5; 223 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 224 *pos |= 0x80; 225 pos++; 226 } 227 228 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 229 count++; 230 if (count > 8) 231 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 232 } 233 234 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 235 count++; 236 if (count > 8) 237 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 238 } 239 240 #ifdef CONFIG_IEEE80211AX 241 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he) { 242 count++; 243 if (count > 8) 244 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY; 245 } 246 #endif /* CONFIG_IEEE80211AX */ 247 248 if (h2e_required) { 249 count++; 250 if (count > 8) 251 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY; 252 } 253 254 hapd->conf->xrates_supported = true; 255 return pos; 256 } 257 258 259 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid, 260 size_t len) 261 { 262 size_t i; 263 264 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 265 if (hapd->conf->radio_measurements[i]) 266 break; 267 } 268 269 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN) 270 return eid; 271 272 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 273 *eid++ = RRM_CAPABILITIES_IE_LEN; 274 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN); 275 276 return eid + RRM_CAPABILITIES_IE_LEN; 277 } 278 279 280 u16 hostapd_own_capab_info(struct hostapd_data *hapd) 281 { 282 int capab = WLAN_CAPABILITY_ESS; 283 int privacy = 0; 284 int dfs; 285 int i; 286 287 /* Check if any of configured channels require DFS */ 288 dfs = hostapd_is_dfs_required(hapd->iface); 289 if (dfs < 0) { 290 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 291 dfs); 292 dfs = 0; 293 } 294 295 if (hapd->iface->num_sta_no_short_preamble == 0 && 296 hapd->iconf->preamble == SHORT_PREAMBLE) 297 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 298 299 #ifdef CONFIG_WEP 300 privacy = hapd->conf->ssid.wep.keys_set; 301 302 if (hapd->conf->ieee802_1x && 303 (hapd->conf->default_wep_key_len || 304 hapd->conf->individual_wep_key_len)) 305 privacy = 1; 306 #endif /* CONFIG_WEP */ 307 308 if (hapd->conf->wpa) 309 privacy = 1; 310 311 #ifdef CONFIG_HS20 312 if (hapd->conf->osen) 313 privacy = 1; 314 #endif /* CONFIG_HS20 */ 315 316 if (privacy) 317 capab |= WLAN_CAPABILITY_PRIVACY; 318 319 if (hapd->iface->current_mode && 320 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 321 hapd->iface->num_sta_no_short_slot_time == 0) 322 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 323 324 /* 325 * Currently, Spectrum Management capability bit is set when directly 326 * requested in configuration by spectrum_mgmt_required or when AP is 327 * running on DFS channel. 328 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 329 */ 330 if (hapd->iface->current_mode && 331 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 332 (hapd->iconf->spectrum_mgmt_required || dfs)) 333 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 334 335 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 336 if (hapd->conf->radio_measurements[i]) { 337 capab |= IEEE80211_CAP_RRM; 338 break; 339 } 340 } 341 342 return capab; 343 } 344 345 346 #ifdef CONFIG_WEP 347 #ifndef CONFIG_NO_RC4 348 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 349 u16 auth_transaction, const u8 *challenge, 350 int iswep) 351 { 352 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 353 HOSTAPD_LEVEL_DEBUG, 354 "authentication (shared key, transaction %d)", 355 auth_transaction); 356 357 if (auth_transaction == 1) { 358 if (!sta->challenge) { 359 /* Generate a pseudo-random challenge */ 360 u8 key[8]; 361 362 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 363 if (sta->challenge == NULL) 364 return WLAN_STATUS_UNSPECIFIED_FAILURE; 365 366 if (os_get_random(key, sizeof(key)) < 0) { 367 os_free(sta->challenge); 368 sta->challenge = NULL; 369 return WLAN_STATUS_UNSPECIFIED_FAILURE; 370 } 371 372 rc4_skip(key, sizeof(key), 0, 373 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 374 } 375 return 0; 376 } 377 378 if (auth_transaction != 3) 379 return WLAN_STATUS_UNSPECIFIED_FAILURE; 380 381 /* Transaction 3 */ 382 if (!iswep || !sta->challenge || !challenge || 383 os_memcmp_const(sta->challenge, challenge, 384 WLAN_AUTH_CHALLENGE_LEN)) { 385 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 386 HOSTAPD_LEVEL_INFO, 387 "shared key authentication - invalid " 388 "challenge-response"); 389 return WLAN_STATUS_CHALLENGE_FAIL; 390 } 391 392 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 393 HOSTAPD_LEVEL_DEBUG, 394 "authentication OK (shared key)"); 395 sta->flags |= WLAN_STA_AUTH; 396 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 397 os_free(sta->challenge); 398 sta->challenge = NULL; 399 400 return 0; 401 } 402 #endif /* CONFIG_NO_RC4 */ 403 #endif /* CONFIG_WEP */ 404 405 406 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta, 407 const u8 *dst, 408 u16 auth_alg, u16 auth_transaction, u16 resp, 409 const u8 *ies, size_t ies_len, const char *dbg) 410 { 411 struct ieee80211_mgmt *reply; 412 u8 *buf; 413 size_t rlen; 414 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 415 const u8 *sa = hapd->own_addr; 416 struct wpabuf *ml_resp = NULL; 417 418 #ifdef CONFIG_IEEE80211BE 419 if (ap_sta_is_mld(hapd, sta)) { 420 ml_resp = hostapd_ml_auth_resp(hapd); 421 if (!ml_resp) 422 return -1; 423 } 424 #endif /* CONFIG_IEEE80211BE */ 425 426 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 427 if (ml_resp) 428 rlen += wpabuf_len(ml_resp); 429 buf = os_zalloc(rlen); 430 if (!buf) { 431 wpabuf_free(ml_resp); 432 return -1; 433 } 434 435 reply = (struct ieee80211_mgmt *) buf; 436 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 437 WLAN_FC_STYPE_AUTH); 438 os_memcpy(reply->da, dst, ETH_ALEN); 439 os_memcpy(reply->sa, sa, ETH_ALEN); 440 os_memcpy(reply->bssid, sa, ETH_ALEN); 441 442 reply->u.auth.auth_alg = host_to_le16(auth_alg); 443 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 444 reply->u.auth.status_code = host_to_le16(resp); 445 446 if (ies && ies_len) 447 os_memcpy(reply->u.auth.variable, ies, ies_len); 448 449 #ifdef CONFIG_IEEE80211BE 450 if (ml_resp) 451 os_memcpy(reply->u.auth.variable + ies_len, 452 wpabuf_head(ml_resp), wpabuf_len(ml_resp)); 453 454 wpabuf_free(ml_resp); 455 #endif /* CONFIG_IEEE80211BE */ 456 457 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 458 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)", 459 MAC2STR(dst), auth_alg, auth_transaction, 460 resp, (unsigned long) ies_len, dbg); 461 #ifdef CONFIG_TESTING_OPTIONS 462 #ifdef CONFIG_SAE 463 if (hapd->conf->sae_confirm_immediate == 2 && 464 auth_alg == WLAN_AUTH_SAE) { 465 if (auth_transaction == 1 && sta && 466 (resp == WLAN_STATUS_SUCCESS || 467 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT || 468 resp == WLAN_STATUS_SAE_PK)) { 469 wpa_printf(MSG_DEBUG, 470 "TESTING: Postpone SAE Commit transmission until Confirm is ready"); 471 os_free(sta->sae_postponed_commit); 472 sta->sae_postponed_commit = buf; 473 sta->sae_postponed_commit_len = rlen; 474 return WLAN_STATUS_SUCCESS; 475 } 476 477 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) { 478 wpa_printf(MSG_DEBUG, 479 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm"); 480 if (hostapd_drv_send_mlme(hapd, 481 sta->sae_postponed_commit, 482 sta->sae_postponed_commit_len, 483 0, NULL, 0, 0) < 0) 484 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 485 os_free(sta->sae_postponed_commit); 486 sta->sae_postponed_commit = NULL; 487 sta->sae_postponed_commit_len = 0; 488 } 489 } 490 #endif /* CONFIG_SAE */ 491 #endif /* CONFIG_TESTING_OPTIONS */ 492 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0) 493 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 494 else 495 reply_res = WLAN_STATUS_SUCCESS; 496 497 os_free(buf); 498 499 return reply_res; 500 } 501 502 503 #ifdef CONFIG_IEEE80211R_AP 504 static void handle_auth_ft_finish(void *ctx, const u8 *dst, 505 u16 auth_transaction, u16 status, 506 const u8 *ies, size_t ies_len) 507 { 508 struct hostapd_data *hapd = ctx; 509 struct sta_info *sta; 510 int reply_res; 511 512 reply_res = send_auth_reply(hapd, NULL, dst, WLAN_AUTH_FT, 513 auth_transaction, status, ies, ies_len, 514 "auth-ft-finish"); 515 516 sta = ap_get_sta(hapd, dst); 517 if (sta == NULL) 518 return; 519 520 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS || 521 status != WLAN_STATUS_SUCCESS)) { 522 hostapd_drv_sta_remove(hapd, sta->addr); 523 sta->added_unassoc = 0; 524 return; 525 } 526 527 if (status != WLAN_STATUS_SUCCESS) 528 return; 529 530 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 531 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 532 sta->flags |= WLAN_STA_AUTH; 533 mlme_authenticate_indication(hapd, sta); 534 } 535 #endif /* CONFIG_IEEE80211R_AP */ 536 537 538 #ifdef CONFIG_SAE 539 540 static void sae_set_state(struct sta_info *sta, enum sae_state state, 541 const char *reason) 542 { 543 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)", 544 sae_state_txt(sta->sae->state), sae_state_txt(state), 545 MAC2STR(sta->addr), reason); 546 sta->sae->state = state; 547 } 548 549 550 const char * sae_get_password(struct hostapd_data *hapd, 551 struct sta_info *sta, 552 const char *rx_id, 553 struct sae_password_entry **pw_entry, 554 struct sae_pt **s_pt, 555 const struct sae_pk **s_pk) 556 { 557 const char *password = NULL; 558 struct sae_password_entry *pw; 559 struct sae_pt *pt = NULL; 560 const struct sae_pk *pk = NULL; 561 struct hostapd_sta_wpa_psk_short *psk = NULL; 562 563 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) { 564 if (!is_broadcast_ether_addr(pw->peer_addr) && 565 (!sta || 566 !ether_addr_equal(pw->peer_addr, sta->addr))) 567 continue; 568 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier)) 569 continue; 570 if (rx_id && pw->identifier && 571 os_strcmp(rx_id, pw->identifier) != 0) 572 continue; 573 password = pw->password; 574 pt = pw->pt; 575 if (!(hapd->conf->mesh & MESH_ENABLED)) 576 pk = pw->pk; 577 break; 578 } 579 if (!password) { 580 password = hapd->conf->ssid.wpa_passphrase; 581 pt = hapd->conf->ssid.pt; 582 } 583 584 if (!password && sta) { 585 for (psk = sta->psk; psk; psk = psk->next) { 586 if (psk->is_passphrase) { 587 password = psk->passphrase; 588 break; 589 } 590 } 591 } 592 593 if (pw_entry) 594 *pw_entry = pw; 595 if (s_pt) 596 *s_pt = pt; 597 if (s_pk) 598 *s_pk = pk; 599 600 return password; 601 } 602 603 604 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 605 struct sta_info *sta, int update, 606 int status_code) 607 { 608 struct wpabuf *buf; 609 const char *password = NULL; 610 struct sae_password_entry *pw; 611 const char *rx_id = NULL; 612 int use_pt = 0; 613 struct sae_pt *pt = NULL; 614 const struct sae_pk *pk = NULL; 615 const u8 *own_addr = hapd->own_addr; 616 617 #ifdef CONFIG_IEEE80211BE 618 if (ap_sta_is_mld(hapd, sta)) 619 own_addr = hapd->mld->mld_addr; 620 #endif /* CONFIG_IEEE80211BE */ 621 622 if (sta->sae->tmp) { 623 rx_id = sta->sae->tmp->pw_id; 624 use_pt = sta->sae->h2e; 625 #ifdef CONFIG_SAE_PK 626 os_memcpy(sta->sae->tmp->own_addr, own_addr, ETH_ALEN); 627 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN); 628 #endif /* CONFIG_SAE_PK */ 629 } 630 631 if (rx_id && hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) 632 use_pt = 1; 633 else if (status_code == WLAN_STATUS_SUCCESS) 634 use_pt = 0; 635 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || 636 status_code == WLAN_STATUS_SAE_PK) 637 use_pt = 1; 638 639 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk); 640 if (!password || (use_pt && !pt)) { 641 wpa_printf(MSG_DEBUG, "SAE: No password available"); 642 return NULL; 643 } 644 645 if (update && use_pt && 646 sae_prepare_commit_pt(sta->sae, pt, own_addr, sta->addr, 647 NULL, pk) < 0) 648 return NULL; 649 650 if (update && !use_pt && 651 sae_prepare_commit(own_addr, sta->addr, 652 (u8 *) password, os_strlen(password), 653 sta->sae) < 0) { 654 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 655 return NULL; 656 } 657 658 if (pw && pw->vlan_id) { 659 if (!sta->sae->tmp) { 660 wpa_printf(MSG_INFO, 661 "SAE: No temporary data allocated - cannot store VLAN ID"); 662 return NULL; 663 } 664 sta->sae->tmp->vlan_id = pw->vlan_id; 665 } 666 667 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN + 668 (rx_id ? 3 + os_strlen(rx_id) : 0)); 669 if (buf && 670 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 671 sta->sae->tmp->anti_clogging_token : NULL, 672 rx_id) < 0) { 673 wpabuf_free(buf); 674 buf = NULL; 675 } 676 677 return buf; 678 } 679 680 681 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 682 struct sta_info *sta) 683 { 684 struct wpabuf *buf; 685 686 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 687 if (buf == NULL) 688 return NULL; 689 690 #ifdef CONFIG_SAE_PK 691 #ifdef CONFIG_TESTING_OPTIONS 692 if (sta->sae->tmp) 693 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit; 694 #endif /* CONFIG_TESTING_OPTIONS */ 695 #endif /* CONFIG_SAE_PK */ 696 697 if (sae_write_confirm(sta->sae, buf) < 0) { 698 wpabuf_free(buf); 699 return NULL; 700 } 701 702 return buf; 703 } 704 705 706 static int auth_sae_send_commit(struct hostapd_data *hapd, 707 struct sta_info *sta, 708 int update, int status_code) 709 { 710 struct wpabuf *data; 711 int reply_res; 712 u16 status; 713 714 data = auth_build_sae_commit(hapd, sta, update, status_code); 715 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id) 716 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; 717 if (data == NULL) 718 return WLAN_STATUS_UNSPECIFIED_FAILURE; 719 720 if (sta->sae->tmp && sta->sae->pk) 721 status = WLAN_STATUS_SAE_PK; 722 else if (sta->sae->tmp && sta->sae->h2e) 723 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT; 724 else 725 status = WLAN_STATUS_SUCCESS; 726 #ifdef CONFIG_TESTING_OPTIONS 727 if (hapd->conf->sae_commit_status >= 0 && 728 hapd->conf->sae_commit_status != status) { 729 wpa_printf(MSG_INFO, 730 "TESTING: Override SAE commit status code %u --> %d", 731 status, hapd->conf->sae_commit_status); 732 status = hapd->conf->sae_commit_status; 733 } 734 #endif /* CONFIG_TESTING_OPTIONS */ 735 reply_res = send_auth_reply(hapd, sta, sta->addr, 736 WLAN_AUTH_SAE, 1, 737 status, wpabuf_head(data), 738 wpabuf_len(data), "sae-send-commit"); 739 740 wpabuf_free(data); 741 742 return reply_res; 743 } 744 745 746 static int auth_sae_send_confirm(struct hostapd_data *hapd, 747 struct sta_info *sta) 748 { 749 struct wpabuf *data; 750 int reply_res; 751 752 data = auth_build_sae_confirm(hapd, sta); 753 if (data == NULL) 754 return WLAN_STATUS_UNSPECIFIED_FAILURE; 755 756 reply_res = send_auth_reply(hapd, sta, sta->addr, 757 WLAN_AUTH_SAE, 2, 758 WLAN_STATUS_SUCCESS, wpabuf_head(data), 759 wpabuf_len(data), "sae-send-confirm"); 760 761 wpabuf_free(data); 762 763 return reply_res; 764 } 765 766 #endif /* CONFIG_SAE */ 767 768 769 #if defined(CONFIG_SAE) || defined(CONFIG_PASN) 770 771 static int use_anti_clogging(struct hostapd_data *hapd) 772 { 773 struct sta_info *sta; 774 unsigned int open = 0; 775 776 if (hapd->conf->anti_clogging_threshold == 0) 777 return 1; 778 779 for (sta = hapd->sta_list; sta; sta = sta->next) { 780 #ifdef CONFIG_SAE 781 if (sta->sae && 782 (sta->sae->state == SAE_COMMITTED || 783 sta->sae->state == SAE_CONFIRMED)) 784 open++; 785 #endif /* CONFIG_SAE */ 786 #ifdef CONFIG_PASN 787 if (sta->pasn && sta->pasn->ecdh) 788 open++; 789 #endif /* CONFIG_PASN */ 790 if (open >= hapd->conf->anti_clogging_threshold) 791 return 1; 792 } 793 794 #ifdef CONFIG_SAE 795 /* In addition to already existing open SAE sessions, check whether 796 * there are enough pending commit messages in the processing queue to 797 * potentially result in too many open sessions. */ 798 if (open + dl_list_len(&hapd->sae_commit_queue) >= 799 hapd->conf->anti_clogging_threshold) 800 return 1; 801 #endif /* CONFIG_SAE */ 802 803 return 0; 804 } 805 806 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */ 807 808 809 #ifdef CONFIG_SAE 810 811 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta) 812 { 813 if (sta->sae->sync > hapd->conf->sae_sync) { 814 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync"); 815 sta->sae->sync = 0; 816 if (sta->sae->tmp) { 817 /* Disable this SAE instance for 10 seconds to avoid 818 * unnecessary flood of multiple SAE commits in 819 * unexpected mesh cases. */ 820 if (os_get_reltime(&sta->sae->tmp->disabled_until) == 0) 821 sta->sae->tmp->disabled_until.sec += 10; 822 } 823 return -1; 824 } 825 return 0; 826 } 827 828 829 static bool sae_proto_instance_disabled(struct sta_info *sta) 830 { 831 struct sae_temporary_data *tmp; 832 833 if (!sta->sae) 834 return false; 835 tmp = sta->sae->tmp; 836 if (!tmp) 837 return false; 838 839 if (os_reltime_initialized(&tmp->disabled_until)) { 840 struct os_reltime now; 841 842 os_get_reltime(&now); 843 if (os_reltime_before(&now, &tmp->disabled_until)) 844 return true; 845 } 846 847 return false; 848 } 849 850 851 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 852 { 853 struct hostapd_data *hapd = eloop_ctx; 854 struct sta_info *sta = eloop_data; 855 int ret; 856 857 if (sae_check_big_sync(hapd, sta)) 858 return; 859 sta->sae->sync++; 860 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR 861 " (sync=%d state=%s)", 862 MAC2STR(sta->addr), sta->sae->sync, 863 sae_state_txt(sta->sae->state)); 864 865 switch (sta->sae->state) { 866 case SAE_COMMITTED: 867 ret = auth_sae_send_commit(hapd, sta, 0, -1); 868 eloop_register_timeout(0, 869 hapd->dot11RSNASAERetransPeriod * 1000, 870 auth_sae_retransmit_timer, hapd, sta); 871 break; 872 case SAE_CONFIRMED: 873 ret = auth_sae_send_confirm(hapd, sta); 874 eloop_register_timeout(0, 875 hapd->dot11RSNASAERetransPeriod * 1000, 876 auth_sae_retransmit_timer, hapd, sta); 877 break; 878 default: 879 ret = -1; 880 break; 881 } 882 883 if (ret != WLAN_STATUS_SUCCESS) 884 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 885 } 886 887 888 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 889 { 890 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 891 } 892 893 894 static void sae_set_retransmit_timer(struct hostapd_data *hapd, 895 struct sta_info *sta) 896 { 897 if (!(hapd->conf->mesh & MESH_ENABLED)) 898 return; 899 900 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 901 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000, 902 auth_sae_retransmit_timer, hapd, sta); 903 } 904 905 906 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd, 907 struct sta_info *sta, u16 status) 908 { 909 struct external_auth params; 910 911 os_memset(¶ms, 0, sizeof(params)); 912 params.status = status; 913 914 #ifdef CONFIG_IEEE80211BE 915 if (ap_sta_is_mld(hapd, sta)) 916 params.bssid = 917 sta->mld_info.links[sta->mld_assoc_link_id].peer_addr; 918 #endif /* CONFIG_IEEE80211BE */ 919 if (!params.bssid) 920 params.bssid = sta->addr; 921 922 if (status == WLAN_STATUS_SUCCESS && sta->sae && 923 !hapd->conf->disable_pmksa_caching) 924 params.pmkid = sta->sae->pmkid; 925 926 hostapd_drv_send_external_auth_status(hapd, ¶ms); 927 } 928 929 930 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) 931 { 932 #ifndef CONFIG_NO_VLAN 933 struct vlan_description vlan_desc; 934 935 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) { 936 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR 937 " to VLAN ID %d", 938 MAC2STR(sta->addr), sta->sae->tmp->vlan_id); 939 940 if (!(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_VLAN_OFFLOAD)) { 941 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 942 vlan_desc.notempty = 1; 943 vlan_desc.untagged = sta->sae->tmp->vlan_id; 944 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 945 wpa_printf(MSG_INFO, 946 "Invalid VLAN ID %d in sae_password", 947 sta->sae->tmp->vlan_id); 948 return; 949 } 950 951 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 || 952 ap_sta_bind_vlan(hapd, sta) < 0) { 953 wpa_printf(MSG_INFO, 954 "Failed to assign VLAN ID %d from sae_password to " 955 MACSTR, sta->sae->tmp->vlan_id, 956 MAC2STR(sta->addr)); 957 return; 958 } 959 } else { 960 sta->vlan_id = sta->sae->tmp->vlan_id; 961 } 962 } 963 #endif /* CONFIG_NO_VLAN */ 964 965 sta->flags |= WLAN_STA_AUTH; 966 sta->auth_alg = WLAN_AUTH_SAE; 967 mlme_authenticate_indication(hapd, sta); 968 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 969 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm"); 970 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0); 971 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar; 972 sta->sae->peer_commit_scalar = NULL; 973 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 974 sta->sae->pmk, sta->sae->pmk_len, 975 sta->sae->pmkid, sta->sae->akmp); 976 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS); 977 } 978 979 980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 981 u16 auth_transaction, u16 status_code, 982 int allow_reuse, int *sta_removed) 983 { 984 int ret; 985 986 *sta_removed = 0; 987 988 if (auth_transaction != 1 && auth_transaction != 2) 989 return WLAN_STATUS_UNSPECIFIED_FAILURE; 990 991 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u", 992 MAC2STR(sta->addr), sae_state_txt(sta->sae->state), 993 auth_transaction); 994 995 if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) { 996 wpa_printf(MSG_DEBUG, 997 "SAE: Protocol instance temporarily disabled - discard received SAE commit"); 998 return WLAN_STATUS_SUCCESS; 999 } 1000 1001 switch (sta->sae->state) { 1002 case SAE_NOTHING: 1003 if (auth_transaction == 1) { 1004 if (sta->sae->tmp) { 1005 sta->sae->h2e = 1006 (status_code == 1007 WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1008 status_code == WLAN_STATUS_SAE_PK); 1009 sta->sae->pk = 1010 status_code == WLAN_STATUS_SAE_PK; 1011 } 1012 ret = auth_sae_send_commit(hapd, sta, 1013 !allow_reuse, status_code); 1014 if (ret) 1015 return ret; 1016 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 1017 1018 if (sae_process_commit(sta->sae) < 0) 1019 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1020 1021 /* 1022 * In mesh case, both Commit and Confirm are sent 1023 * immediately. In infrastructure BSS, by default, only 1024 * a single Authentication frame (Commit) is expected 1025 * from the AP here and the second one (Confirm) will 1026 * be sent once the STA has sent its second 1027 * Authentication frame (Confirm). This behavior can be 1028 * overridden with explicit configuration so that the 1029 * infrastructure BSS case sends both frames together. 1030 */ 1031 if ((hapd->conf->mesh & MESH_ENABLED) || 1032 hapd->conf->sae_confirm_immediate) { 1033 /* 1034 * Send both Commit and Confirm immediately 1035 * based on SAE finite state machine 1036 * Nothing -> Confirm transition. 1037 */ 1038 ret = auth_sae_send_confirm(hapd, sta); 1039 if (ret) 1040 return ret; 1041 sae_set_state(sta, SAE_CONFIRMED, 1042 "Sent Confirm (mesh)"); 1043 } else { 1044 /* 1045 * For infrastructure BSS, send only the Commit 1046 * message now to get alternating sequence of 1047 * Authentication frames between the AP and STA. 1048 * Confirm will be sent in 1049 * Committed -> Confirmed/Accepted transition 1050 * when receiving Confirm from STA. 1051 */ 1052 } 1053 sta->sae->sync = 0; 1054 sae_set_retransmit_timer(hapd, sta); 1055 } else { 1056 hostapd_logger(hapd, sta->addr, 1057 HOSTAPD_MODULE_IEEE80211, 1058 HOSTAPD_LEVEL_DEBUG, 1059 "SAE confirm before commit"); 1060 } 1061 break; 1062 case SAE_COMMITTED: 1063 sae_clear_retransmit_timer(hapd, sta); 1064 if (auth_transaction == 1) { 1065 if (sae_process_commit(sta->sae) < 0) 1066 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1067 1068 ret = auth_sae_send_confirm(hapd, sta); 1069 if (ret) 1070 return ret; 1071 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 1072 sta->sae->sync = 0; 1073 sae_set_retransmit_timer(hapd, sta); 1074 } else if (hapd->conf->mesh & MESH_ENABLED) { 1075 /* 1076 * In mesh case, follow SAE finite state machine and 1077 * send Commit now, if sync count allows. 1078 */ 1079 if (sae_check_big_sync(hapd, sta)) 1080 return WLAN_STATUS_SUCCESS; 1081 sta->sae->sync++; 1082 1083 ret = auth_sae_send_commit(hapd, sta, 0, status_code); 1084 if (ret) 1085 return ret; 1086 1087 sae_set_retransmit_timer(hapd, sta); 1088 } else { 1089 /* 1090 * For instructure BSS, send the postponed Confirm from 1091 * Nothing -> Confirmed transition that was reduced to 1092 * Nothing -> Committed above. 1093 */ 1094 ret = auth_sae_send_confirm(hapd, sta); 1095 if (ret) 1096 return ret; 1097 1098 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 1099 1100 /* 1101 * Since this was triggered on Confirm RX, run another 1102 * step to get to Accepted without waiting for 1103 * additional events. 1104 */ 1105 return sae_sm_step(hapd, sta, auth_transaction, 1106 WLAN_STATUS_SUCCESS, 0, sta_removed); 1107 } 1108 break; 1109 case SAE_CONFIRMED: 1110 sae_clear_retransmit_timer(hapd, sta); 1111 if (auth_transaction == 1) { 1112 if (sae_check_big_sync(hapd, sta)) 1113 return WLAN_STATUS_SUCCESS; 1114 sta->sae->sync++; 1115 1116 ret = auth_sae_send_commit(hapd, sta, 1, status_code); 1117 if (ret) 1118 return ret; 1119 1120 if (sae_process_commit(sta->sae) < 0) 1121 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1122 1123 ret = auth_sae_send_confirm(hapd, sta); 1124 if (ret) 1125 return ret; 1126 1127 sae_set_retransmit_timer(hapd, sta); 1128 } else { 1129 sta->sae->send_confirm = 0xffff; 1130 sae_accept_sta(hapd, sta); 1131 } 1132 break; 1133 case SAE_ACCEPTED: 1134 if (auth_transaction == 1 && 1135 (hapd->conf->mesh & MESH_ENABLED)) { 1136 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 1137 ") doing reauthentication", 1138 MAC2STR(sta->addr)); 1139 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 1140 ap_free_sta(hapd, sta); 1141 *sta_removed = 1; 1142 } else if (auth_transaction == 1) { 1143 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication"); 1144 ret = auth_sae_send_commit(hapd, sta, 1, status_code); 1145 if (ret) 1146 return ret; 1147 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 1148 1149 if (sae_process_commit(sta->sae) < 0) 1150 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1151 sta->sae->sync = 0; 1152 sae_set_retransmit_timer(hapd, sta); 1153 } else { 1154 if (sae_check_big_sync(hapd, sta)) 1155 return WLAN_STATUS_SUCCESS; 1156 sta->sae->sync++; 1157 1158 ret = auth_sae_send_confirm(hapd, sta); 1159 sae_clear_temp_data(sta->sae); 1160 if (ret) 1161 return ret; 1162 } 1163 break; 1164 default: 1165 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 1166 sta->sae->state); 1167 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1168 } 1169 return WLAN_STATUS_SUCCESS; 1170 } 1171 1172 1173 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) 1174 { 1175 struct sae_data *sae = sta->sae; 1176 int i, *groups = hapd->conf->sae_groups; 1177 int default_groups[] = { 19, 0 }; 1178 1179 if (sae->state != SAE_COMMITTED) 1180 return; 1181 1182 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group); 1183 1184 if (!groups) 1185 groups = default_groups; 1186 for (i = 0; groups[i] > 0; i++) { 1187 if (sae->group == groups[i]) 1188 break; 1189 } 1190 1191 if (groups[i] <= 0) { 1192 wpa_printf(MSG_DEBUG, 1193 "SAE: Previously selected group not found from the current configuration"); 1194 return; 1195 } 1196 1197 for (;;) { 1198 i++; 1199 if (groups[i] <= 0) { 1200 wpa_printf(MSG_DEBUG, 1201 "SAE: No alternative group enabled"); 1202 return; 1203 } 1204 1205 if (sae_set_group(sae, groups[i]) < 0) 1206 continue; 1207 1208 break; 1209 } 1210 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]); 1211 } 1212 1213 1214 static int sae_status_success(struct hostapd_data *hapd, u16 status_code) 1215 { 1216 enum sae_pwe sae_pwe = hapd->conf->sae_pwe; 1217 int id_in_use; 1218 bool sae_pk = false; 1219 1220 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf); 1221 if (id_in_use == 2 && sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK) 1222 sae_pwe = SAE_PWE_HASH_TO_ELEMENT; 1223 else if (id_in_use == 1 && sae_pwe == SAE_PWE_HUNT_AND_PECK) 1224 sae_pwe = SAE_PWE_BOTH; 1225 #ifdef CONFIG_SAE_PK 1226 sae_pk = hostapd_sae_pk_in_use(hapd->conf); 1227 if (sae_pwe == SAE_PWE_HUNT_AND_PECK && sae_pk) 1228 sae_pwe = SAE_PWE_BOTH; 1229 #endif /* CONFIG_SAE_PK */ 1230 if (sae_pwe == SAE_PWE_HUNT_AND_PECK && 1231 (hapd->conf->wpa_key_mgmt & 1232 (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY))) 1233 sae_pwe = SAE_PWE_BOTH; 1234 1235 return ((sae_pwe == SAE_PWE_HUNT_AND_PECK || 1236 sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) && 1237 status_code == WLAN_STATUS_SUCCESS) || 1238 (sae_pwe == SAE_PWE_HASH_TO_ELEMENT && 1239 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1240 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) || 1241 (sae_pwe == SAE_PWE_BOTH && 1242 (status_code == WLAN_STATUS_SUCCESS || 1243 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1244 (sae_pk && status_code == WLAN_STATUS_SAE_PK))); 1245 } 1246 1247 1248 static int sae_is_group_enabled(struct hostapd_data *hapd, int group) 1249 { 1250 int *groups = hapd->conf->sae_groups; 1251 int default_groups[] = { 19, 0 }; 1252 int i; 1253 1254 if (!groups) 1255 groups = default_groups; 1256 1257 for (i = 0; groups[i] > 0; i++) { 1258 if (groups[i] == group) 1259 return 1; 1260 } 1261 1262 return 0; 1263 } 1264 1265 1266 static int check_sae_rejected_groups(struct hostapd_data *hapd, 1267 struct sae_data *sae) 1268 { 1269 const struct wpabuf *groups; 1270 size_t i, count, len; 1271 const u8 *pos; 1272 1273 if (!sae->tmp) 1274 return 0; 1275 groups = sae->tmp->peer_rejected_groups; 1276 if (!groups) 1277 return 0; 1278 1279 pos = wpabuf_head(groups); 1280 len = wpabuf_len(groups); 1281 if (len & 1) { 1282 wpa_printf(MSG_DEBUG, 1283 "SAE: Invalid length of the Rejected Groups element payload: %zu", 1284 len); 1285 return 1; 1286 } 1287 1288 count = len / 2; 1289 for (i = 0; i < count; i++) { 1290 int enabled; 1291 u16 group; 1292 1293 group = WPA_GET_LE16(pos); 1294 pos += 2; 1295 enabled = sae_is_group_enabled(hapd, group); 1296 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s", 1297 group, enabled ? "enabled" : "disabled"); 1298 if (enabled) 1299 return 1; 1300 } 1301 1302 return 0; 1303 } 1304 1305 1306 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 1307 const struct ieee80211_mgmt *mgmt, size_t len, 1308 u16 auth_transaction, u16 status_code) 1309 { 1310 int resp = WLAN_STATUS_SUCCESS; 1311 struct wpabuf *data = NULL; 1312 int *groups = hapd->conf->sae_groups; 1313 int default_groups[] = { 19, 0 }; 1314 const u8 *pos, *end; 1315 int sta_removed = 0; 1316 bool success_status; 1317 1318 if (!groups) 1319 groups = default_groups; 1320 1321 #ifdef CONFIG_TESTING_OPTIONS 1322 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) { 1323 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack"); 1324 pos = mgmt->u.auth.variable; 1325 end = ((const u8 *) mgmt) + len; 1326 resp = status_code; 1327 send_auth_reply(hapd, sta, sta->addr, 1328 WLAN_AUTH_SAE, 1329 auth_transaction, resp, pos, end - pos, 1330 "auth-sae-reflection-attack"); 1331 goto remove_sta; 1332 } 1333 1334 if (hapd->conf->sae_commit_override && auth_transaction == 1) { 1335 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 1336 send_auth_reply(hapd, sta, sta->addr, 1337 WLAN_AUTH_SAE, 1338 auth_transaction, resp, 1339 wpabuf_head(hapd->conf->sae_commit_override), 1340 wpabuf_len(hapd->conf->sae_commit_override), 1341 "sae-commit-override"); 1342 goto remove_sta; 1343 } 1344 #endif /* CONFIG_TESTING_OPTIONS */ 1345 if (!sta->sae) { 1346 if (auth_transaction != 1 || 1347 !sae_status_success(hapd, status_code)) { 1348 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u", 1349 status_code); 1350 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1351 goto reply; 1352 } 1353 sta->sae = os_zalloc(sizeof(*sta->sae)); 1354 if (!sta->sae) { 1355 resp = -1; 1356 goto remove_sta; 1357 } 1358 sae_set_state(sta, SAE_NOTHING, "Init"); 1359 sta->sae->sync = 0; 1360 } 1361 1362 if (sta->mesh_sae_pmksa_caching) { 1363 wpa_printf(MSG_DEBUG, 1364 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication"); 1365 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 1366 sta->mesh_sae_pmksa_caching = 0; 1367 } 1368 1369 if (auth_transaction == 1) { 1370 const u8 *token = NULL; 1371 size_t token_len = 0; 1372 int allow_reuse = 0; 1373 1374 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1375 HOSTAPD_LEVEL_DEBUG, 1376 "start SAE authentication (RX commit, status=%u (%s))", 1377 status_code, status2str(status_code)); 1378 1379 if ((hapd->conf->mesh & MESH_ENABLED) && 1380 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1381 sta->sae->tmp) { 1382 pos = mgmt->u.auth.variable; 1383 end = ((const u8 *) mgmt) + len; 1384 if (pos + sizeof(le16) > end) { 1385 wpa_printf(MSG_ERROR, 1386 "SAE: Too short anti-clogging token request"); 1387 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1388 goto reply; 1389 } 1390 resp = sae_group_allowed(sta->sae, groups, 1391 WPA_GET_LE16(pos)); 1392 if (resp != WLAN_STATUS_SUCCESS) { 1393 wpa_printf(MSG_ERROR, 1394 "SAE: Invalid group in anti-clogging token request"); 1395 goto reply; 1396 } 1397 pos += sizeof(le16); 1398 1399 wpabuf_free(sta->sae->tmp->anti_clogging_token); 1400 sta->sae->tmp->anti_clogging_token = 1401 wpabuf_alloc_copy(pos, end - pos); 1402 if (sta->sae->tmp->anti_clogging_token == NULL) { 1403 wpa_printf(MSG_ERROR, 1404 "SAE: Failed to alloc for anti-clogging token"); 1405 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1406 goto remove_sta; 1407 } 1408 1409 /* 1410 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 1411 * is 76, a new Commit Message shall be constructed 1412 * with the Anti-Clogging Token from the received 1413 * Authentication frame, and the commit-scalar and 1414 * COMMIT-ELEMENT previously sent. 1415 */ 1416 resp = auth_sae_send_commit(hapd, sta, 0, status_code); 1417 if (resp != WLAN_STATUS_SUCCESS) { 1418 wpa_printf(MSG_ERROR, 1419 "SAE: Failed to send commit message"); 1420 goto remove_sta; 1421 } 1422 sae_set_state(sta, SAE_COMMITTED, 1423 "Sent Commit (anti-clogging token case in mesh)"); 1424 sta->sae->sync = 0; 1425 sae_set_retransmit_timer(hapd, sta); 1426 return; 1427 } 1428 1429 if ((hapd->conf->mesh & MESH_ENABLED) && 1430 status_code == 1431 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1432 sta->sae->tmp) { 1433 wpa_printf(MSG_DEBUG, 1434 "SAE: Peer did not accept our SAE group"); 1435 sae_pick_next_group(hapd, sta); 1436 goto remove_sta; 1437 } 1438 1439 if (!sae_status_success(hapd, status_code)) 1440 goto remove_sta; 1441 1442 if (sae_proto_instance_disabled(sta)) { 1443 wpa_printf(MSG_DEBUG, 1444 "SAE: Protocol instance temporarily disabled - discard received SAE commit"); 1445 return; 1446 } 1447 1448 if (!(hapd->conf->mesh & MESH_ENABLED) && 1449 sta->sae->state == SAE_COMMITTED) { 1450 /* This is needed in the infrastructure BSS case to 1451 * address a sequence where a STA entry may remain in 1452 * hostapd across two attempts to do SAE authentication 1453 * by the same STA. The second attempt may end up trying 1454 * to use a different group and that would not be 1455 * allowed if we remain in Committed state with the 1456 * previously set parameters. */ 1457 pos = mgmt->u.auth.variable; 1458 end = ((const u8 *) mgmt) + len; 1459 if (end - pos >= (int) sizeof(le16) && 1460 sae_group_allowed(sta->sae, groups, 1461 WPA_GET_LE16(pos)) == 1462 WLAN_STATUS_SUCCESS) { 1463 /* Do not waste resources deriving the same PWE 1464 * again since the same group is reused. */ 1465 sae_set_state(sta, SAE_NOTHING, 1466 "Allow previous PWE to be reused"); 1467 allow_reuse = 1; 1468 } else { 1469 sae_set_state(sta, SAE_NOTHING, 1470 "Clear existing state to allow restart"); 1471 sae_clear_data(sta->sae); 1472 } 1473 } 1474 1475 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 1476 ((const u8 *) mgmt) + len - 1477 mgmt->u.auth.variable, &token, 1478 &token_len, groups, status_code == 1479 WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1480 status_code == WLAN_STATUS_SAE_PK, 1481 NULL); 1482 if (resp == SAE_SILENTLY_DISCARD) { 1483 wpa_printf(MSG_DEBUG, 1484 "SAE: Drop commit message from " MACSTR " due to reflection attack", 1485 MAC2STR(sta->addr)); 1486 goto remove_sta; 1487 } 1488 1489 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1490 wpa_msg(hapd->msg_ctx, MSG_INFO, 1491 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER 1492 MACSTR, MAC2STR(sta->addr)); 1493 sae_clear_retransmit_timer(hapd, sta); 1494 sae_set_state(sta, SAE_NOTHING, 1495 "Unknown Password Identifier"); 1496 goto remove_sta; 1497 } 1498 1499 if (token && 1500 check_comeback_token(hapd->comeback_key, 1501 hapd->comeback_pending_idx, sta->addr, 1502 token, token_len) 1503 < 0) { 1504 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 1505 "incorrect token from " MACSTR, 1506 MAC2STR(sta->addr)); 1507 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1508 goto remove_sta; 1509 } 1510 1511 if (resp != WLAN_STATUS_SUCCESS) 1512 goto reply; 1513 1514 if (check_sae_rejected_groups(hapd, sta->sae)) { 1515 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1516 goto reply; 1517 } 1518 1519 if (!token && use_anti_clogging(hapd) && !allow_reuse) { 1520 int h2e = 0; 1521 1522 wpa_printf(MSG_DEBUG, 1523 "SAE: Request anti-clogging token from " 1524 MACSTR, MAC2STR(sta->addr)); 1525 if (sta->sae->tmp) 1526 h2e = sta->sae->h2e; 1527 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1528 status_code == WLAN_STATUS_SAE_PK) 1529 h2e = 1; 1530 data = auth_build_token_req( 1531 &hapd->last_comeback_key_update, 1532 hapd->comeback_key, 1533 hapd->comeback_idx, 1534 hapd->comeback_pending_idx, 1535 sizeof(hapd->comeback_pending_idx), 1536 sta->sae->group, 1537 sta->addr, h2e); 1538 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 1539 if (hapd->conf->mesh & MESH_ENABLED) 1540 sae_set_state(sta, SAE_NOTHING, 1541 "Request anti-clogging token case in mesh"); 1542 goto reply; 1543 } 1544 1545 resp = sae_sm_step(hapd, sta, auth_transaction, 1546 status_code, allow_reuse, &sta_removed); 1547 } else if (auth_transaction == 2) { 1548 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1549 HOSTAPD_LEVEL_DEBUG, 1550 "SAE authentication (RX confirm, status=%u (%s))", 1551 status_code, status2str(status_code)); 1552 if (status_code != WLAN_STATUS_SUCCESS) 1553 goto remove_sta; 1554 if (sta->sae->state >= SAE_CONFIRMED || 1555 !(hapd->conf->mesh & MESH_ENABLED)) { 1556 const u8 *var; 1557 size_t var_len; 1558 u16 peer_send_confirm; 1559 1560 var = mgmt->u.auth.variable; 1561 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable; 1562 if (var_len < 2) { 1563 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1564 goto reply; 1565 } 1566 1567 peer_send_confirm = WPA_GET_LE16(var); 1568 1569 if (sta->sae->state == SAE_ACCEPTED && 1570 (peer_send_confirm <= sta->sae->rc || 1571 peer_send_confirm == 0xffff)) { 1572 wpa_printf(MSG_DEBUG, 1573 "SAE: Silently ignore unexpected Confirm from peer " 1574 MACSTR 1575 " (peer-send-confirm=%u Rc=%u)", 1576 MAC2STR(sta->addr), 1577 peer_send_confirm, sta->sae->rc); 1578 return; 1579 } 1580 1581 if (sae_check_confirm(sta->sae, var, var_len, 1582 NULL) < 0) { 1583 resp = WLAN_STATUS_CHALLENGE_FAIL; 1584 goto reply; 1585 } 1586 sta->sae->rc = peer_send_confirm; 1587 } 1588 resp = sae_sm_step(hapd, sta, auth_transaction, 1589 status_code, 0, &sta_removed); 1590 } else { 1591 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1592 HOSTAPD_LEVEL_DEBUG, 1593 "unexpected SAE authentication transaction %u (status=%u (%s))", 1594 auth_transaction, status_code, 1595 status2str(status_code)); 1596 if (status_code != WLAN_STATUS_SUCCESS) 1597 goto remove_sta; 1598 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 1599 } 1600 1601 reply: 1602 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) { 1603 pos = mgmt->u.auth.variable; 1604 end = ((const u8 *) mgmt) + len; 1605 1606 /* Copy the Finite Cyclic Group field from the request if we 1607 * rejected it as unsupported group. */ 1608 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1609 !data && end - pos >= 2) 1610 data = wpabuf_alloc_copy(pos, 2); 1611 1612 sae_sme_send_external_auth_status(hapd, sta, resp); 1613 send_auth_reply(hapd, sta, sta->addr, 1614 WLAN_AUTH_SAE, 1615 auth_transaction, resp, 1616 data ? wpabuf_head(data) : (u8 *) "", 1617 data ? wpabuf_len(data) : 0, "auth-sae"); 1618 if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id && 1619 resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER && 1620 auth_transaction == 1) { 1621 wpa_printf(MSG_DEBUG, 1622 "SAE: Clear stored password identifier since this SAE commit was not accepted"); 1623 os_free(sta->sae->tmp->pw_id); 1624 sta->sae->tmp->pw_id = NULL; 1625 } 1626 } 1627 1628 remove_sta: 1629 if (auth_transaction == 1) 1630 success_status = sae_status_success(hapd, status_code); 1631 else 1632 success_status = status_code == WLAN_STATUS_SUCCESS; 1633 if (!sta_removed && sta->added_unassoc && 1634 (resp != WLAN_STATUS_SUCCESS || !success_status)) { 1635 hostapd_drv_sta_remove(hapd, sta->addr); 1636 sta->added_unassoc = 0; 1637 } 1638 wpabuf_free(data); 1639 } 1640 1641 1642 /** 1643 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 1644 * @hapd: BSS data for the device initiating the authentication 1645 * @sta: the peer to which commit authentication frame is sent 1646 * 1647 * This function implements Init event handling (IEEE Std 802.11-2012, 1648 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 1649 * sta->sae structure should be initialized appropriately via a call to 1650 * sae_prepare_commit(). 1651 */ 1652 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 1653 { 1654 int ret; 1655 1656 if (!sta->sae || !sta->sae->tmp) 1657 return -1; 1658 1659 if (sta->sae->state != SAE_NOTHING) 1660 return -1; 1661 1662 ret = auth_sae_send_commit(hapd, sta, 0, -1); 1663 if (ret) 1664 return -1; 1665 1666 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit"); 1667 sta->sae->sync = 0; 1668 sae_set_retransmit_timer(hapd, sta); 1669 1670 return 0; 1671 } 1672 1673 1674 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx) 1675 { 1676 struct hostapd_data *hapd = eloop_ctx; 1677 struct hostapd_sae_commit_queue *q; 1678 unsigned int queue_len; 1679 1680 q = dl_list_first(&hapd->sae_commit_queue, 1681 struct hostapd_sae_commit_queue, list); 1682 if (!q) 1683 return; 1684 wpa_printf(MSG_DEBUG, 1685 "SAE: Process next available message from queue"); 1686 dl_list_del(&q->list); 1687 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len, 1688 q->rssi, 1); 1689 os_free(q); 1690 1691 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1692 return; 1693 queue_len = dl_list_len(&hapd->sae_commit_queue); 1694 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1695 hapd, NULL); 1696 } 1697 1698 1699 static void auth_sae_queue(struct hostapd_data *hapd, 1700 const struct ieee80211_mgmt *mgmt, size_t len, 1701 int rssi) 1702 { 1703 struct hostapd_sae_commit_queue *q, *q2; 1704 unsigned int queue_len; 1705 const struct ieee80211_mgmt *mgmt2; 1706 1707 queue_len = dl_list_len(&hapd->sae_commit_queue); 1708 if (queue_len >= 15) { 1709 wpa_printf(MSG_DEBUG, 1710 "SAE: No more room in message queue - drop the new frame from " 1711 MACSTR, MAC2STR(mgmt->sa)); 1712 return; 1713 } 1714 1715 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from " 1716 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa), 1717 queue_len); 1718 q = os_zalloc(sizeof(*q) + len); 1719 if (!q) 1720 return; 1721 q->rssi = rssi; 1722 q->len = len; 1723 os_memcpy(q->msg, mgmt, len); 1724 1725 /* Check whether there is already a queued Authentication frame from the 1726 * same station with the same transaction number and if so, replace that 1727 * queue entry with the new one. This avoids issues with a peer that 1728 * sends multiple times (e.g., due to frequent SAE retries). There is no 1729 * point in us trying to process the old attempts after a new one has 1730 * obsoleted them. */ 1731 dl_list_for_each(q2, &hapd->sae_commit_queue, 1732 struct hostapd_sae_commit_queue, list) { 1733 mgmt2 = (const struct ieee80211_mgmt *) q2->msg; 1734 if (ether_addr_equal(mgmt->sa, mgmt2->sa) && 1735 mgmt->u.auth.auth_transaction == 1736 mgmt2->u.auth.auth_transaction) { 1737 wpa_printf(MSG_DEBUG, 1738 "SAE: Replace queued message from same STA with same transaction number"); 1739 dl_list_add(&q2->list, &q->list); 1740 dl_list_del(&q2->list); 1741 os_free(q2); 1742 goto queued; 1743 } 1744 } 1745 1746 /* No pending identical entry, so add to the end of the queue */ 1747 dl_list_add_tail(&hapd->sae_commit_queue, &q->list); 1748 1749 queued: 1750 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1751 return; 1752 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1753 hapd, NULL); 1754 } 1755 1756 1757 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr) 1758 { 1759 struct hostapd_sae_commit_queue *q; 1760 const struct ieee80211_mgmt *mgmt; 1761 1762 dl_list_for_each(q, &hapd->sae_commit_queue, 1763 struct hostapd_sae_commit_queue, list) { 1764 mgmt = (const struct ieee80211_mgmt *) q->msg; 1765 if (ether_addr_equal(addr, mgmt->sa)) 1766 return 1; 1767 } 1768 1769 return 0; 1770 } 1771 1772 #endif /* CONFIG_SAE */ 1773 1774 1775 static u16 wpa_res_to_status_code(enum wpa_validate_result res) 1776 { 1777 switch (res) { 1778 case WPA_IE_OK: 1779 return WLAN_STATUS_SUCCESS; 1780 case WPA_INVALID_IE: 1781 return WLAN_STATUS_INVALID_IE; 1782 case WPA_INVALID_GROUP: 1783 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 1784 case WPA_INVALID_PAIRWISE: 1785 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1786 case WPA_INVALID_AKMP: 1787 return WLAN_STATUS_AKMP_NOT_VALID; 1788 case WPA_NOT_ENABLED: 1789 return WLAN_STATUS_INVALID_IE; 1790 case WPA_ALLOC_FAIL: 1791 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1792 case WPA_MGMT_FRAME_PROTECTION_VIOLATION: 1793 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 1794 case WPA_INVALID_MGMT_GROUP_CIPHER: 1795 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 1796 case WPA_INVALID_MDIE: 1797 return WLAN_STATUS_INVALID_MDIE; 1798 case WPA_INVALID_PROTO: 1799 return WLAN_STATUS_INVALID_IE; 1800 case WPA_INVALID_PMKID: 1801 return WLAN_STATUS_INVALID_PMKID; 1802 case WPA_DENIED_OTHER_REASON: 1803 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 1804 } 1805 return WLAN_STATUS_INVALID_IE; 1806 } 1807 1808 1809 #ifdef CONFIG_FILS 1810 1811 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1812 struct sta_info *sta, u16 resp, 1813 struct wpabuf *data, int pub); 1814 1815 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, 1816 const u8 *pos, size_t len, u16 auth_alg, 1817 u16 auth_transaction, u16 status_code, 1818 void (*cb)(struct hostapd_data *hapd, 1819 struct sta_info *sta, u16 resp, 1820 struct wpabuf *data, int pub)) 1821 { 1822 u16 resp = WLAN_STATUS_SUCCESS; 1823 const u8 *end; 1824 struct ieee802_11_elems elems; 1825 enum wpa_validate_result res; 1826 struct wpa_ie_data rsn; 1827 struct rsn_pmksa_cache_entry *pmksa = NULL; 1828 1829 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 1830 return; 1831 1832 end = pos + len; 1833 1834 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 1835 pos, end - pos); 1836 1837 /* TODO: FILS PK */ 1838 #ifdef CONFIG_FILS_SK_PFS 1839 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) { 1840 u16 group; 1841 struct wpabuf *pub; 1842 size_t elem_len; 1843 1844 /* Using FILS PFS */ 1845 1846 /* Finite Cyclic Group */ 1847 if (end - pos < 2) { 1848 wpa_printf(MSG_DEBUG, 1849 "FILS: No room for Finite Cyclic Group"); 1850 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1851 goto fail; 1852 } 1853 group = WPA_GET_LE16(pos); 1854 pos += 2; 1855 if (group != hapd->conf->fils_dh_group) { 1856 wpa_printf(MSG_DEBUG, 1857 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)", 1858 group, hapd->conf->fils_dh_group); 1859 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1860 goto fail; 1861 } 1862 1863 crypto_ecdh_deinit(sta->fils_ecdh); 1864 sta->fils_ecdh = crypto_ecdh_init(group); 1865 if (!sta->fils_ecdh) { 1866 wpa_printf(MSG_INFO, 1867 "FILS: Could not initialize ECDH with group %d", 1868 group); 1869 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1870 goto fail; 1871 } 1872 1873 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 1874 if (!pub) { 1875 wpa_printf(MSG_DEBUG, 1876 "FILS: Failed to derive ECDH public key"); 1877 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1878 goto fail; 1879 } 1880 elem_len = wpabuf_len(pub); 1881 wpabuf_free(pub); 1882 1883 /* Element */ 1884 if ((size_t) (end - pos) < elem_len) { 1885 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 1886 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1887 goto fail; 1888 } 1889 1890 wpabuf_free(sta->fils_g_sta); 1891 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len); 1892 wpabuf_clear_free(sta->fils_dh_ss); 1893 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1, 1894 pos, elem_len); 1895 if (!sta->fils_dh_ss) { 1896 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 1897 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1898 goto fail; 1899 } 1900 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss); 1901 pos += elem_len; 1902 } else { 1903 crypto_ecdh_deinit(sta->fils_ecdh); 1904 sta->fils_ecdh = NULL; 1905 wpabuf_clear_free(sta->fils_dh_ss); 1906 sta->fils_dh_ss = NULL; 1907 } 1908 #endif /* CONFIG_FILS_SK_PFS */ 1909 1910 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 1911 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 1912 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 1913 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1914 goto fail; 1915 } 1916 1917 /* RSNE */ 1918 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", 1919 elems.rsn_ie, elems.rsn_ie_len); 1920 if (!elems.rsn_ie || 1921 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1922 &rsn) < 0) { 1923 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element"); 1924 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1925 goto fail; 1926 } 1927 1928 if (!sta->wpa_sm) 1929 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 1930 NULL); 1931 if (!sta->wpa_sm) { 1932 wpa_printf(MSG_DEBUG, 1933 "FILS: Failed to initialize RSN state machine"); 1934 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1935 goto fail; 1936 } 1937 1938 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1939 hapd->iface->freq, 1940 elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1941 elems.rsnxe ? elems.rsnxe - 2 : NULL, 1942 elems.rsnxe ? elems.rsnxe_len + 2 : 0, 1943 elems.mdie, elems.mdie_len, NULL, 0, NULL); 1944 resp = wpa_res_to_status_code(res); 1945 if (resp != WLAN_STATUS_SUCCESS) 1946 goto fail; 1947 1948 if (!elems.fils_nonce) { 1949 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 1950 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1951 goto fail; 1952 } 1953 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce, 1954 FILS_NONCE_LEN); 1955 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN); 1956 1957 /* PMKID List */ 1958 if (rsn.pmkid && rsn.num_pmkid > 0) { 1959 u8 num; 1960 const u8 *pmkid; 1961 1962 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 1963 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 1964 1965 pmkid = rsn.pmkid; 1966 num = rsn.num_pmkid; 1967 while (num) { 1968 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 1969 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, 1970 pmkid); 1971 if (pmksa) 1972 break; 1973 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth, 1974 sta->addr, 1975 pmkid); 1976 if (pmksa) 1977 break; 1978 pmkid += PMKID_LEN; 1979 num--; 1980 } 1981 } 1982 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) { 1983 wpa_printf(MSG_DEBUG, 1984 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore", 1985 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp); 1986 pmksa = NULL; 1987 } 1988 if (pmksa) 1989 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry"); 1990 1991 /* FILS Session */ 1992 if (!elems.fils_session) { 1993 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 1994 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1995 goto fail; 1996 } 1997 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 1998 FILS_SESSION_LEN); 1999 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN); 2000 2001 /* Wrapped Data */ 2002 if (elems.wrapped_data) { 2003 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 2004 elems.wrapped_data, 2005 elems.wrapped_data_len); 2006 if (!pmksa) { 2007 #ifndef CONFIG_NO_RADIUS 2008 if (!sta->eapol_sm) { 2009 sta->eapol_sm = 2010 ieee802_1x_alloc_eapol_sm(hapd, sta); 2011 } 2012 wpa_printf(MSG_DEBUG, 2013 "FILS: Forward EAP-Initiate/Re-auth to authentication server"); 2014 ieee802_1x_encapsulate_radius( 2015 hapd, sta, elems.wrapped_data, 2016 elems.wrapped_data_len); 2017 sta->fils_pending_cb = cb; 2018 wpa_printf(MSG_DEBUG, 2019 "FILS: Will send Authentication frame once the response from authentication server is available"); 2020 sta->flags |= WLAN_STA_PENDING_FILS_ERP; 2021 /* Calculate pending PMKID here so that we do not need 2022 * to maintain a copy of the EAP-Initiate/Reauth 2023 * message. */ 2024 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm), 2025 elems.wrapped_data, 2026 elems.wrapped_data_len, 2027 sta->fils_erp_pmkid) == 0) 2028 sta->fils_erp_pmkid_set = 1; 2029 return; 2030 #else /* CONFIG_NO_RADIUS */ 2031 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2032 goto fail; 2033 #endif /* CONFIG_NO_RADIUS */ 2034 } 2035 } 2036 2037 fail: 2038 if (cb) { 2039 struct wpabuf *data; 2040 int pub = 0; 2041 2042 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL, 2043 NULL, 0, &pub); 2044 if (!data) { 2045 wpa_printf(MSG_DEBUG, 2046 "%s: prepare_auth_resp_fils() returned failure", 2047 __func__); 2048 } 2049 2050 cb(hapd, sta, resp, data, pub); 2051 } 2052 } 2053 2054 2055 static struct wpabuf * 2056 prepare_auth_resp_fils(struct hostapd_data *hapd, 2057 struct sta_info *sta, u16 *resp, 2058 struct rsn_pmksa_cache_entry *pmksa, 2059 struct wpabuf *erp_resp, 2060 const u8 *msk, size_t msk_len, 2061 int *is_pub) 2062 { 2063 u8 fils_nonce[FILS_NONCE_LEN]; 2064 size_t ielen; 2065 struct wpabuf *data = NULL; 2066 const u8 *ie; 2067 u8 *ie_buf = NULL; 2068 const u8 *pmk = NULL; 2069 size_t pmk_len = 0; 2070 u8 pmk_buf[PMK_LEN_MAX]; 2071 struct wpabuf *pub = NULL; 2072 2073 if (*resp != WLAN_STATUS_SUCCESS) 2074 goto fail; 2075 2076 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen); 2077 if (!ie) { 2078 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2079 goto fail; 2080 } 2081 2082 if (pmksa) { 2083 /* Add PMKID of the selected PMKSA into RSNE */ 2084 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN); 2085 if (!ie_buf) { 2086 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2087 goto fail; 2088 } 2089 2090 os_memcpy(ie_buf, ie, ielen); 2091 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid, true) < 0) { 2092 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2093 goto fail; 2094 } 2095 ie = ie_buf; 2096 } 2097 2098 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) { 2099 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2100 goto fail; 2101 } 2102 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce", 2103 fils_nonce, FILS_NONCE_LEN); 2104 2105 #ifdef CONFIG_FILS_SK_PFS 2106 if (sta->fils_dh_ss && sta->fils_ecdh) { 2107 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 2108 if (!pub) { 2109 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2110 goto fail; 2111 } 2112 } 2113 #endif /* CONFIG_FILS_SK_PFS */ 2114 2115 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0)); 2116 if (!data) { 2117 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2118 goto fail; 2119 } 2120 2121 /* TODO: FILS PK */ 2122 #ifdef CONFIG_FILS_SK_PFS 2123 if (pub) { 2124 /* Finite Cyclic Group */ 2125 wpabuf_put_le16(data, hapd->conf->fils_dh_group); 2126 2127 /* Element */ 2128 wpabuf_put_buf(data, pub); 2129 } 2130 #endif /* CONFIG_FILS_SK_PFS */ 2131 2132 /* RSNE */ 2133 wpabuf_put_data(data, ie, ielen); 2134 2135 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */ 2136 2137 #ifdef CONFIG_IEEE80211R_AP 2138 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) { 2139 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */ 2140 int res; 2141 2142 res = wpa_auth_write_fte(hapd->wpa_auth, sta->wpa_sm, 2143 wpabuf_put(data, 0), 2144 wpabuf_tailroom(data)); 2145 if (res < 0) { 2146 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2147 goto fail; 2148 } 2149 wpabuf_put(data, res); 2150 } 2151 #endif /* CONFIG_IEEE80211R_AP */ 2152 2153 /* FILS Nonce */ 2154 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 2155 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */ 2156 /* Element ID Extension */ 2157 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE); 2158 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN); 2159 2160 /* FILS Session */ 2161 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 2162 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */ 2163 /* Element ID Extension */ 2164 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION); 2165 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN); 2166 2167 /* Wrapped Data */ 2168 if (!pmksa && erp_resp) { 2169 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 2170 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */ 2171 /* Element ID Extension */ 2172 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA); 2173 wpabuf_put_buf(data, erp_resp); 2174 2175 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm), 2176 msk, msk_len, sta->fils_snonce, fils_nonce, 2177 sta->fils_dh_ss ? 2178 wpabuf_head(sta->fils_dh_ss) : NULL, 2179 sta->fils_dh_ss ? 2180 wpabuf_len(sta->fils_dh_ss) : 0, 2181 pmk_buf, &pmk_len)) { 2182 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 2183 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2184 wpabuf_free(data); 2185 data = NULL; 2186 goto fail; 2187 } 2188 pmk = pmk_buf; 2189 2190 /* Don't use DHss in PTK derivation if PMKSA caching is not 2191 * used. */ 2192 wpabuf_clear_free(sta->fils_dh_ss); 2193 sta->fils_dh_ss = NULL; 2194 2195 if (sta->fils_erp_pmkid_set) { 2196 /* TODO: get PMKLifetime from WPA parameters */ 2197 unsigned int dot11RSNAConfigPMKLifetime = 43200; 2198 int session_timeout; 2199 2200 session_timeout = dot11RSNAConfigPMKLifetime; 2201 if (sta->session_timeout_set) { 2202 struct os_reltime now, diff; 2203 2204 os_get_reltime(&now); 2205 os_reltime_sub(&sta->session_timeout, &now, 2206 &diff); 2207 session_timeout = diff.sec; 2208 } 2209 2210 sta->fils_erp_pmkid_set = 0; 2211 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len, 2212 sta->fils_erp_pmkid); 2213 if (!hapd->conf->disable_pmksa_caching && 2214 wpa_auth_pmksa_add2( 2215 hapd->wpa_auth, sta->addr, 2216 pmk, pmk_len, 2217 sta->fils_erp_pmkid, 2218 session_timeout, 2219 wpa_auth_sta_key_mgmt(sta->wpa_sm), 2220 NULL) < 0) { 2221 wpa_printf(MSG_ERROR, 2222 "FILS: Failed to add PMKSA cache entry based on ERP"); 2223 } 2224 } 2225 } else if (pmksa) { 2226 pmk = pmksa->pmk; 2227 pmk_len = pmksa->pmk_len; 2228 } 2229 2230 if (!pmk) { 2231 wpa_printf(MSG_DEBUG, "FILS: No PMK available"); 2232 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2233 wpabuf_free(data); 2234 data = NULL; 2235 goto fail; 2236 } 2237 2238 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len, 2239 sta->fils_snonce, fils_nonce, 2240 sta->fils_dh_ss ? 2241 wpabuf_head(sta->fils_dh_ss) : NULL, 2242 sta->fils_dh_ss ? 2243 wpabuf_len(sta->fils_dh_ss) : 0, 2244 sta->fils_g_sta, pub) < 0) { 2245 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2246 wpabuf_free(data); 2247 data = NULL; 2248 goto fail; 2249 } 2250 2251 fail: 2252 if (is_pub) 2253 *is_pub = pub != NULL; 2254 os_free(ie_buf); 2255 wpabuf_free(pub); 2256 wpabuf_clear_free(sta->fils_dh_ss); 2257 sta->fils_dh_ss = NULL; 2258 #ifdef CONFIG_FILS_SK_PFS 2259 crypto_ecdh_deinit(sta->fils_ecdh); 2260 sta->fils_ecdh = NULL; 2261 #endif /* CONFIG_FILS_SK_PFS */ 2262 return data; 2263 } 2264 2265 2266 static void handle_auth_fils_finish(struct hostapd_data *hapd, 2267 struct sta_info *sta, u16 resp, 2268 struct wpabuf *data, int pub) 2269 { 2270 u16 auth_alg; 2271 2272 auth_alg = (pub || 2273 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ? 2274 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 2275 send_auth_reply(hapd, sta, sta->addr, auth_alg, 2, resp, 2276 data ? wpabuf_head(data) : (u8 *) "", 2277 data ? wpabuf_len(data) : 0, "auth-fils-finish"); 2278 wpabuf_free(data); 2279 2280 if (resp == WLAN_STATUS_SUCCESS) { 2281 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2282 HOSTAPD_LEVEL_DEBUG, 2283 "authentication OK (FILS)"); 2284 sta->flags |= WLAN_STA_AUTH; 2285 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 2286 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 2287 mlme_authenticate_indication(hapd, sta); 2288 } 2289 } 2290 2291 2292 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, 2293 struct sta_info *sta, int success, 2294 struct wpabuf *erp_resp, 2295 const u8 *msk, size_t msk_len) 2296 { 2297 u16 resp; 2298 u32 flags = sta->flags; 2299 2300 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP | 2301 WLAN_STA_PENDING_PASN_FILS_ERP); 2302 2303 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE; 2304 2305 if (flags & WLAN_STA_PENDING_FILS_ERP) { 2306 struct wpabuf *data; 2307 int pub = 0; 2308 2309 if (!sta->fils_pending_cb) 2310 return; 2311 2312 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp, 2313 msk, msk_len, &pub); 2314 if (!data) { 2315 wpa_printf(MSG_DEBUG, 2316 "%s: prepare_auth_resp_fils() failure", 2317 __func__); 2318 } 2319 sta->fils_pending_cb(hapd, sta, resp, data, pub); 2320 #ifdef CONFIG_PASN 2321 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) { 2322 pasn_fils_auth_resp(hapd, sta, resp, erp_resp, 2323 msk, msk_len); 2324 #endif /* CONFIG_PASN */ 2325 } 2326 } 2327 2328 #endif /* CONFIG_FILS */ 2329 2330 2331 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, 2332 const u8 *msg, size_t len, 2333 struct radius_sta *info) 2334 { 2335 int res; 2336 2337 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0); 2338 2339 if (res == HOSTAPD_ACL_REJECT) { 2340 wpa_printf(MSG_DEBUG, "Station " MACSTR 2341 " not allowed to authenticate", 2342 MAC2STR(addr)); 2343 return HOSTAPD_ACL_REJECT; 2344 } 2345 2346 if (res == HOSTAPD_ACL_PENDING) { 2347 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 2348 " waiting for an external authentication", 2349 MAC2STR(addr)); 2350 /* Authentication code will re-send the authentication frame 2351 * after it has received (and cached) information from the 2352 * external source. */ 2353 return HOSTAPD_ACL_PENDING; 2354 } 2355 2356 return res; 2357 } 2358 2359 2360 int ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, 2361 int res, struct radius_sta *info) 2362 { 2363 u32 session_timeout = info->session_timeout; 2364 u32 acct_interim_interval = info->acct_interim_interval; 2365 struct vlan_description *vlan_id = &info->vlan_id; 2366 struct hostapd_sta_wpa_psk_short *psk = info->psk; 2367 char *identity = info->identity; 2368 char *radius_cui = info->radius_cui; 2369 2370 if (vlan_id->notempty && 2371 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) { 2372 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 2373 HOSTAPD_LEVEL_INFO, 2374 "Invalid VLAN %d%s received from RADIUS server", 2375 vlan_id->untagged, 2376 vlan_id->tagged[0] ? "+" : ""); 2377 return -1; 2378 } 2379 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) 2380 return -1; 2381 if (sta->vlan_id) 2382 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 2383 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 2384 2385 hostapd_free_psk_list(sta->psk); 2386 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) 2387 hostapd_copy_psk_list(&sta->psk, psk); 2388 else 2389 sta->psk = NULL; 2390 2391 os_free(sta->identity); 2392 if (identity) 2393 sta->identity = os_strdup(identity); 2394 else 2395 sta->identity = NULL; 2396 2397 os_free(sta->radius_cui); 2398 if (radius_cui) 2399 sta->radius_cui = os_strdup(radius_cui); 2400 else 2401 sta->radius_cui = NULL; 2402 2403 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 2404 sta->acct_interim_interval = acct_interim_interval; 2405 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) { 2406 sta->session_timeout_set = 1; 2407 os_get_reltime(&sta->session_timeout); 2408 sta->session_timeout.sec += session_timeout; 2409 ap_sta_session_timeout(hapd, sta, session_timeout); 2410 } else { 2411 sta->session_timeout_set = 0; 2412 ap_sta_no_session_timeout(hapd, sta); 2413 } 2414 2415 return 0; 2416 } 2417 2418 2419 #ifdef CONFIG_PASN 2420 #ifdef CONFIG_FILS 2421 2422 static void pasn_fils_auth_resp(struct hostapd_data *hapd, 2423 struct sta_info *sta, u16 status, 2424 struct wpabuf *erp_resp, 2425 const u8 *msk, size_t msk_len) 2426 { 2427 struct pasn_data *pasn = sta->pasn; 2428 struct pasn_fils *fils = &pasn->fils; 2429 u8 pmk[PMK_LEN_MAX]; 2430 size_t pmk_len; 2431 int ret; 2432 2433 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u", 2434 status); 2435 2436 if (status != WLAN_STATUS_SUCCESS) 2437 goto fail; 2438 2439 if (!pasn->secret) { 2440 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret"); 2441 goto fail; 2442 } 2443 2444 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) { 2445 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce"); 2446 goto fail; 2447 } 2448 2449 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce", 2450 fils->anonce, FILS_NONCE_LEN); 2451 2452 ret = fils_rmsk_to_pmk(pasn_get_akmp(pasn), msk, msk_len, fils->nonce, 2453 fils->anonce, NULL, 0, pmk, &pmk_len); 2454 if (ret) { 2455 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 2456 goto fail; 2457 } 2458 2459 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr, 2460 wpabuf_head(pasn->secret), 2461 wpabuf_len(pasn->secret), 2462 pasn_get_ptk(sta->pasn), pasn_get_akmp(sta->pasn), 2463 pasn_get_cipher(sta->pasn), sta->pasn->kdk_len); 2464 if (ret) { 2465 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK"); 2466 goto fail; 2467 } 2468 2469 if (pasn->secure_ltf) { 2470 ret = wpa_ltf_keyseed(pasn_get_ptk(pasn), pasn_get_akmp(pasn), 2471 pasn_get_cipher(pasn)); 2472 if (ret) { 2473 wpa_printf(MSG_DEBUG, 2474 "PASN: FILS: Failed to derive LTF keyseed"); 2475 goto fail; 2476 } 2477 } 2478 2479 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived"); 2480 2481 wpabuf_free(pasn->secret); 2482 pasn->secret = NULL; 2483 2484 fils->erp_resp = erp_resp; 2485 ret = handle_auth_pasn_resp(sta->pasn, hapd->own_addr, sta->addr, NULL, 2486 WLAN_STATUS_SUCCESS); 2487 fils->erp_resp = NULL; 2488 2489 if (ret) { 2490 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response"); 2491 goto fail; 2492 } 2493 2494 fils->state = PASN_FILS_STATE_COMPLETE; 2495 return; 2496 fail: 2497 ap_free_sta(hapd, sta); 2498 } 2499 2500 2501 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta, 2502 struct wpabuf *wd) 2503 { 2504 #ifdef CONFIG_NO_RADIUS 2505 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail"); 2506 return -1; 2507 #else /* CONFIG_NO_RADIUS */ 2508 struct pasn_data *pasn = sta->pasn; 2509 struct pasn_fils *fils = &pasn->fils; 2510 struct ieee802_11_elems elems; 2511 struct wpa_ie_data rsne_data; 2512 struct wpabuf *fils_wd; 2513 const u8 *data; 2514 size_t buf_len; 2515 u16 alg, seq, status; 2516 int ret; 2517 2518 if (fils->state != PASN_FILS_STATE_NONE) { 2519 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data"); 2520 return -1; 2521 } 2522 2523 if (!wd) { 2524 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data"); 2525 return -1; 2526 } 2527 2528 data = wpabuf_head_u8(wd); 2529 buf_len = wpabuf_len(wd); 2530 2531 if (buf_len < 6) { 2532 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu", 2533 buf_len); 2534 return -1; 2535 } 2536 2537 alg = WPA_GET_LE16(data); 2538 seq = WPA_GET_LE16(data + 2); 2539 status = WPA_GET_LE16(data + 4); 2540 2541 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u", 2542 alg, seq, status); 2543 2544 if (alg != WLAN_AUTH_FILS_SK || seq != 1 || 2545 status != WLAN_STATUS_SUCCESS) { 2546 wpa_printf(MSG_DEBUG, 2547 "PASN: FILS: Dropping peer authentication"); 2548 return -1; 2549 } 2550 2551 data += 6; 2552 buf_len -= 6; 2553 2554 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) { 2555 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements"); 2556 return -1; 2557 } 2558 2559 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce || 2560 !elems.wrapped_data || !elems.fils_session) { 2561 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs"); 2562 return -1; 2563 } 2564 2565 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 2566 &rsne_data); 2567 if (ret) { 2568 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE"); 2569 return -1; 2570 } 2571 2572 ret = wpa_pasn_validate_rsne(&rsne_data); 2573 if (ret) { 2574 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE"); 2575 return -1; 2576 } 2577 2578 if (rsne_data.num_pmkid) { 2579 wpa_printf(MSG_DEBUG, 2580 "PASN: FILS: Not expecting PMKID in RSNE"); 2581 return -1; 2582 } 2583 2584 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce, 2585 FILS_NONCE_LEN); 2586 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN); 2587 2588 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session, 2589 FILS_SESSION_LEN); 2590 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN); 2591 2592 fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len, 2593 true); 2594 2595 if (!fils_wd) { 2596 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data"); 2597 return -1; 2598 } 2599 2600 if (!sta->eapol_sm) 2601 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 2602 2603 wpa_printf(MSG_DEBUG, 2604 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS"); 2605 2606 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd), 2607 wpabuf_len(fils_wd)); 2608 2609 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP; 2610 2611 fils->state = PASN_FILS_STATE_PENDING_AS; 2612 2613 /* 2614 * Calculate pending PMKID here so that we do not need to maintain a 2615 * copy of the EAP-Initiate/Reautt message. 2616 */ 2617 fils_pmkid_erp(pasn_get_akmp(pasn), 2618 wpabuf_head(fils_wd), wpabuf_len(fils_wd), 2619 fils->erp_pmkid); 2620 2621 wpabuf_free(fils_wd); 2622 return 0; 2623 #endif /* CONFIG_NO_RADIUS */ 2624 } 2625 2626 #endif /* CONFIG_FILS */ 2627 2628 2629 static int hapd_pasn_send_mlme(void *ctx, const u8 *data, size_t data_len, 2630 int noack, unsigned int freq, unsigned int wait) 2631 { 2632 struct hostapd_data *hapd = ctx; 2633 2634 return hostapd_drv_send_mlme(hapd, data, data_len, 0, NULL, 0, 0); 2635 } 2636 2637 2638 static void hapd_initialize_pasn(struct hostapd_data *hapd, 2639 struct sta_info *sta) 2640 { 2641 struct pasn_data *pasn = sta->pasn; 2642 2643 pasn_register_callbacks(pasn, hapd, hapd_pasn_send_mlme, NULL); 2644 pasn_set_bssid(pasn, hapd->own_addr); 2645 pasn_set_own_addr(pasn, hapd->own_addr); 2646 pasn_set_peer_addr(pasn, sta->addr); 2647 pasn_set_wpa_key_mgmt(pasn, hapd->conf->wpa_key_mgmt); 2648 pasn_set_rsn_pairwise(pasn, hapd->conf->rsn_pairwise); 2649 pasn->pasn_groups = hapd->conf->pasn_groups; 2650 pasn->noauth = hapd->conf->pasn_noauth; 2651 if (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_AP) 2652 pasn_enable_kdk_derivation(pasn); 2653 2654 #ifdef CONFIG_TESTING_OPTIONS 2655 pasn->corrupt_mic = hapd->conf->pasn_corrupt_mic; 2656 if (hapd->conf->force_kdk_derivation) 2657 pasn_enable_kdk_derivation(pasn); 2658 #endif /* CONFIG_TESTING_OPTIONS */ 2659 pasn->use_anti_clogging = use_anti_clogging(hapd); 2660 pasn_set_password(pasn, sae_get_password(hapd, sta, NULL, NULL, 2661 &pasn->pt, NULL)); 2662 pasn->rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &pasn->rsn_ie_len); 2663 pasn_set_rsnxe_ie(pasn, hostapd_wpa_ie(hapd, WLAN_EID_RSNX)); 2664 pasn->disable_pmksa_caching = hapd->conf->disable_pmksa_caching; 2665 pasn_set_responder_pmksa(pasn, 2666 wpa_auth_get_pmksa_cache(hapd->wpa_auth)); 2667 2668 pasn->comeback_after = hapd->conf->pasn_comeback_after; 2669 pasn->comeback_idx = hapd->comeback_idx; 2670 pasn->comeback_key = hapd->comeback_key; 2671 pasn->comeback_pending_idx = hapd->comeback_pending_idx; 2672 } 2673 2674 2675 static int pasn_set_keys_from_cache(struct hostapd_data *hapd, 2676 const u8 *own_addr, const u8 *sta_addr, 2677 int cipher, int akmp) 2678 { 2679 struct ptksa_cache_entry *entry; 2680 2681 entry = ptksa_cache_get(hapd->ptksa, sta_addr, cipher); 2682 if (!entry) { 2683 wpa_printf(MSG_DEBUG, "PASN: peer " MACSTR 2684 " not present in PTKSA cache", MAC2STR(sta_addr)); 2685 return -1; 2686 } 2687 2688 if (!ether_addr_equal(entry->own_addr, own_addr)) { 2689 wpa_printf(MSG_DEBUG, 2690 "PASN: own addr " MACSTR " and PTKSA entry own addr " 2691 MACSTR " differ", 2692 MAC2STR(own_addr), MAC2STR(entry->own_addr)); 2693 return -1; 2694 } 2695 2696 wpa_printf(MSG_DEBUG, "PASN: " MACSTR " present in PTKSA cache", 2697 MAC2STR(sta_addr)); 2698 hostapd_drv_set_secure_ranging_ctx(hapd, own_addr, sta_addr, cipher, 2699 entry->ptk.tk_len, entry->ptk.tk, 2700 entry->ptk.ltf_keyseed_len, 2701 entry->ptk.ltf_keyseed, 0); 2702 2703 return 0; 2704 } 2705 2706 2707 static void hapd_pasn_update_params(struct hostapd_data *hapd, 2708 struct sta_info *sta, 2709 const struct ieee80211_mgmt *mgmt, 2710 size_t len) 2711 { 2712 struct pasn_data *pasn = sta->pasn; 2713 struct ieee802_11_elems elems; 2714 struct wpa_ie_data rsn_data; 2715 #ifdef CONFIG_FILS 2716 struct wpa_pasn_params_data pasn_params; 2717 struct wpabuf *wrapped_data = NULL; 2718 #endif /* CONFIG_FILS */ 2719 int akmp; 2720 2721 if (ieee802_11_parse_elems(mgmt->u.auth.variable, 2722 len - offsetof(struct ieee80211_mgmt, 2723 u.auth.variable), 2724 &elems, 0) == ParseFailed) { 2725 wpa_printf(MSG_DEBUG, 2726 "PASN: Failed parsing Authentication frame"); 2727 return; 2728 } 2729 2730 if (!elems.rsn_ie || 2731 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 2732 &rsn_data)) { 2733 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE"); 2734 return; 2735 } 2736 2737 if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) || 2738 !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) { 2739 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher"); 2740 return; 2741 } 2742 2743 pasn_set_akmp(pasn, rsn_data.key_mgmt); 2744 pasn_set_cipher(pasn, rsn_data.pairwise_cipher); 2745 2746 if (pasn->derive_kdk && 2747 !ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len, 2748 WLAN_RSNX_CAPAB_SECURE_LTF)) 2749 pasn_disable_kdk_derivation(pasn); 2750 #ifdef CONFIG_TESTING_OPTIONS 2751 if (hapd->conf->force_kdk_derivation) 2752 pasn_enable_kdk_derivation(pasn); 2753 #endif /* CONFIG_TESTING_OPTIONS */ 2754 akmp = pasn_get_akmp(pasn); 2755 2756 if (wpa_key_mgmt_ft(akmp) && rsn_data.num_pmkid) { 2757 #ifdef CONFIG_IEEE80211R_AP 2758 pasn->pmk_r1_len = 0; 2759 wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr, 2760 rsn_data.pmkid, 2761 pasn->pmk_r1, &pasn->pmk_r1_len, NULL, 2762 NULL, NULL, NULL, 2763 NULL, NULL, NULL); 2764 #endif /* CONFIG_IEEE80211R_AP */ 2765 } 2766 #ifdef CONFIG_FILS 2767 if (akmp != WPA_KEY_MGMT_FILS_SHA256 && 2768 akmp != WPA_KEY_MGMT_FILS_SHA384) 2769 return; 2770 if (!elems.pasn_params || 2771 wpa_pasn_parse_parameter_ie(elems.pasn_params - 3, 2772 elems.pasn_params_len + 3, 2773 false, &pasn_params)) { 2774 wpa_printf(MSG_DEBUG, 2775 "PASN: Failed validation of PASN Parameters element"); 2776 return; 2777 } 2778 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) { 2779 wrapped_data = ieee802_11_defrag(elems.wrapped_data, 2780 elems.wrapped_data_len, true); 2781 if (!wrapped_data) { 2782 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data"); 2783 return; 2784 } 2785 if (pasn_wd_handle_fils(hapd, sta, wrapped_data)) 2786 wpa_printf(MSG_DEBUG, 2787 "PASN: Failed processing FILS wrapped data"); 2788 else 2789 pasn->fils_wd_valid = true; 2790 } 2791 wpabuf_free(wrapped_data); 2792 #endif /* CONFIG_FILS */ 2793 } 2794 2795 2796 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta, 2797 const struct ieee80211_mgmt *mgmt, size_t len, 2798 u16 trans_seq, u16 status) 2799 { 2800 if (hapd->conf->wpa != WPA_PROTO_RSN) { 2801 wpa_printf(MSG_INFO, "PASN: RSN is not configured"); 2802 return; 2803 } 2804 2805 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR, 2806 MAC2STR(sta->addr)); 2807 2808 if (trans_seq == 1) { 2809 if (sta->pasn) { 2810 wpa_printf(MSG_DEBUG, 2811 "PASN: Not expecting transaction == 1"); 2812 return; 2813 } 2814 2815 if (status != WLAN_STATUS_SUCCESS) { 2816 wpa_printf(MSG_DEBUG, 2817 "PASN: Failure status in transaction == 1"); 2818 return; 2819 } 2820 2821 sta->pasn = pasn_data_init(); 2822 if (!sta->pasn) { 2823 wpa_printf(MSG_DEBUG, 2824 "PASN: Failed to allocate PASN context"); 2825 return; 2826 } 2827 2828 hapd_initialize_pasn(hapd, sta); 2829 2830 hapd_pasn_update_params(hapd, sta, mgmt, len); 2831 if (handle_auth_pasn_1(sta->pasn, hapd->own_addr, 2832 sta->addr, mgmt, len) < 0) 2833 ap_free_sta(hapd, sta); 2834 } else if (trans_seq == 3) { 2835 if (!sta->pasn) { 2836 wpa_printf(MSG_DEBUG, 2837 "PASN: Not expecting transaction == 3"); 2838 return; 2839 } 2840 2841 if (status != WLAN_STATUS_SUCCESS) { 2842 wpa_printf(MSG_DEBUG, 2843 "PASN: Failure status in transaction == 3"); 2844 ap_free_sta_pasn(hapd, sta); 2845 return; 2846 } 2847 2848 if (handle_auth_pasn_3(sta->pasn, hapd->own_addr, 2849 sta->addr, mgmt, len) == 0) { 2850 ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr, 2851 pasn_get_cipher(sta->pasn), 43200, 2852 pasn_get_ptk(sta->pasn), NULL, NULL, 2853 pasn_get_akmp(sta->pasn)); 2854 2855 pasn_set_keys_from_cache(hapd, hapd->own_addr, 2856 sta->addr, 2857 pasn_get_cipher(sta->pasn), 2858 pasn_get_akmp(sta->pasn)); 2859 } 2860 ap_free_sta(hapd, sta); 2861 } else { 2862 wpa_printf(MSG_DEBUG, 2863 "PASN: Invalid transaction %u - ignore", trans_seq); 2864 } 2865 } 2866 2867 #endif /* CONFIG_PASN */ 2868 2869 2870 static void handle_auth(struct hostapd_data *hapd, 2871 const struct ieee80211_mgmt *mgmt, size_t len, 2872 int rssi, int from_queue) 2873 { 2874 u16 auth_alg, auth_transaction, status_code; 2875 u16 resp = WLAN_STATUS_SUCCESS; 2876 struct sta_info *sta = NULL; 2877 int res, reply_res; 2878 u16 fc; 2879 const u8 *challenge = NULL; 2880 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 2881 size_t resp_ies_len = 0; 2882 u16 seq_ctrl; 2883 struct radius_sta rad_info; 2884 const u8 *dst, *sa; 2885 #ifdef CONFIG_IEEE80211BE 2886 bool mld_sta = false; 2887 #endif /* CONFIG_IEEE80211BE */ 2888 2889 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 2890 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 2891 (unsigned long) len); 2892 return; 2893 } 2894 2895 #ifdef CONFIG_TESTING_OPTIONS 2896 if (hapd->iconf->ignore_auth_probability > 0.0 && 2897 drand48() < hapd->iconf->ignore_auth_probability) { 2898 wpa_printf(MSG_INFO, 2899 "TESTING: ignoring auth frame from " MACSTR, 2900 MAC2STR(mgmt->sa)); 2901 return; 2902 } 2903 #endif /* CONFIG_TESTING_OPTIONS */ 2904 2905 sa = mgmt->sa; 2906 #ifdef CONFIG_IEEE80211BE 2907 /* 2908 * Handle MLO authentication before the station is added to hostapd and 2909 * the driver so that the station MLD MAC address would be used in both 2910 * hostapd and the driver. 2911 */ 2912 sa = hostapd_process_ml_auth(hapd, mgmt, len); 2913 if (sa) 2914 mld_sta = true; 2915 else 2916 sa = mgmt->sa; 2917 #endif /* CONFIG_IEEE80211BE */ 2918 2919 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 2920 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 2921 status_code = le_to_host16(mgmt->u.auth.status_code); 2922 fc = le_to_host16(mgmt->frame_control); 2923 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2924 2925 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 2926 2 + WLAN_AUTH_CHALLENGE_LEN && 2927 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 2928 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 2929 challenge = &mgmt->u.auth.variable[2]; 2930 2931 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 2932 "auth_transaction=%d status_code=%d wep=%d%s " 2933 "seq_ctrl=0x%x%s%s", 2934 MAC2STR(sa), auth_alg, auth_transaction, 2935 status_code, !!(fc & WLAN_FC_ISWEP), 2936 challenge ? " challenge" : "", 2937 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "", 2938 from_queue ? " (from queue)" : ""); 2939 2940 #ifdef CONFIG_NO_RC4 2941 if (auth_alg == WLAN_AUTH_SHARED_KEY) { 2942 wpa_printf(MSG_INFO, 2943 "Unsupported authentication algorithm (%d)", 2944 auth_alg); 2945 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2946 goto fail; 2947 } 2948 #endif /* CONFIG_NO_RC4 */ 2949 2950 if (hapd->tkip_countermeasures) { 2951 wpa_printf(MSG_DEBUG, 2952 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication"); 2953 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2954 goto fail; 2955 } 2956 2957 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 2958 auth_alg == WLAN_AUTH_OPEN) || 2959 #ifdef CONFIG_IEEE80211R_AP 2960 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 2961 auth_alg == WLAN_AUTH_FT) || 2962 #endif /* CONFIG_IEEE80211R_AP */ 2963 #ifdef CONFIG_SAE 2964 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 2965 auth_alg == WLAN_AUTH_SAE) || 2966 #endif /* CONFIG_SAE */ 2967 #ifdef CONFIG_FILS 2968 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2969 auth_alg == WLAN_AUTH_FILS_SK) || 2970 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2971 hapd->conf->fils_dh_group && 2972 auth_alg == WLAN_AUTH_FILS_SK_PFS) || 2973 #endif /* CONFIG_FILS */ 2974 #ifdef CONFIG_PASN 2975 (hapd->conf->wpa && 2976 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) && 2977 auth_alg == WLAN_AUTH_PASN) || 2978 #endif /* CONFIG_PASN */ 2979 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 2980 auth_alg == WLAN_AUTH_SHARED_KEY))) { 2981 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 2982 auth_alg); 2983 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2984 goto fail; 2985 } 2986 2987 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 2988 #ifdef CONFIG_PASN 2989 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) || 2990 #endif /* CONFIG_PASN */ 2991 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 2992 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 2993 auth_transaction); 2994 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 2995 goto fail; 2996 } 2997 2998 if (ether_addr_equal(mgmt->sa, hapd->own_addr)) { 2999 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 3000 MAC2STR(sa)); 3001 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3002 goto fail; 3003 } 3004 3005 #ifdef CONFIG_IEEE80211BE 3006 if (mld_sta && 3007 (ether_addr_equal(sa, hapd->own_addr) || 3008 ether_addr_equal(sa, hapd->mld->mld_addr))) { 3009 wpa_printf(MSG_INFO, 3010 "Station " MACSTR " not allowed to authenticate", 3011 MAC2STR(sa)); 3012 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3013 goto fail; 3014 } 3015 #endif /* CONFIG_IEEE80211BE */ 3016 3017 if (hapd->conf->no_auth_if_seen_on) { 3018 struct hostapd_data *other; 3019 3020 other = sta_track_seen_on(hapd->iface, sa, 3021 hapd->conf->no_auth_if_seen_on); 3022 if (other) { 3023 u8 *pos; 3024 u32 info; 3025 u8 op_class, channel, phytype; 3026 3027 wpa_printf(MSG_DEBUG, "%s: Reject authentication from " 3028 MACSTR " since STA has been seen on %s", 3029 hapd->conf->iface, MAC2STR(sa), 3030 hapd->conf->no_auth_if_seen_on); 3031 3032 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION; 3033 pos = &resp_ies[0]; 3034 *pos++ = WLAN_EID_NEIGHBOR_REPORT; 3035 *pos++ = 13; 3036 os_memcpy(pos, other->own_addr, ETH_ALEN); 3037 pos += ETH_ALEN; 3038 info = 0; /* TODO: BSSID Information */ 3039 WPA_PUT_LE32(pos, info); 3040 pos += 4; 3041 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD) 3042 phytype = 8; /* dmg */ 3043 else if (other->iconf->ieee80211ac) 3044 phytype = 9; /* vht */ 3045 else if (other->iconf->ieee80211n) 3046 phytype = 7; /* ht */ 3047 else if (other->iconf->hw_mode == 3048 HOSTAPD_MODE_IEEE80211A) 3049 phytype = 4; /* ofdm */ 3050 else if (other->iconf->hw_mode == 3051 HOSTAPD_MODE_IEEE80211G) 3052 phytype = 6; /* erp */ 3053 else 3054 phytype = 5; /* hrdsss */ 3055 if (ieee80211_freq_to_channel_ext( 3056 hostapd_hw_get_freq(other, 3057 other->iconf->channel), 3058 other->iconf->secondary_channel, 3059 other->iconf->ieee80211ac, 3060 &op_class, &channel) == NUM_HOSTAPD_MODES) { 3061 op_class = 0; 3062 channel = other->iconf->channel; 3063 } 3064 *pos++ = op_class; 3065 *pos++ = channel; 3066 *pos++ = phytype; 3067 resp_ies_len = pos - &resp_ies[0]; 3068 goto fail; 3069 } 3070 } 3071 3072 res = ieee802_11_allowed_address(hapd, sa, (const u8 *) mgmt, len, 3073 &rad_info); 3074 if (res == HOSTAPD_ACL_REJECT) { 3075 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 3076 "Ignore Authentication frame from " MACSTR 3077 " due to ACL reject", MAC2STR(sa)); 3078 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3079 goto fail; 3080 } 3081 if (res == HOSTAPD_ACL_PENDING) 3082 return; 3083 3084 #ifdef CONFIG_SAE 3085 if (auth_alg == WLAN_AUTH_SAE && !from_queue && 3086 (auth_transaction == 1 || 3087 (auth_transaction == 2 && auth_sae_queued_addr(hapd, sa)))) { 3088 /* Handle SAE Authentication commit message through a queue to 3089 * provide more control for postponing the needed heavy 3090 * processing under a possible DoS attack scenario. In addition, 3091 * queue SAE Authentication confirm message if there happens to 3092 * be a queued commit message from the same peer. This is needed 3093 * to avoid reordering Authentication frames within the same 3094 * SAE exchange. */ 3095 auth_sae_queue(hapd, mgmt, len, rssi); 3096 return; 3097 } 3098 #endif /* CONFIG_SAE */ 3099 3100 sta = ap_get_sta(hapd, sa); 3101 if (sta) { 3102 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 3103 sta->ft_over_ds = 0; 3104 if ((fc & WLAN_FC_RETRY) && 3105 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 3106 sta->last_seq_ctrl == seq_ctrl && 3107 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 3108 hostapd_logger(hapd, sta->addr, 3109 HOSTAPD_MODULE_IEEE80211, 3110 HOSTAPD_LEVEL_DEBUG, 3111 "Drop repeated authentication frame seq_ctrl=0x%x", 3112 seq_ctrl); 3113 return; 3114 } 3115 #ifdef CONFIG_PASN 3116 if (auth_alg == WLAN_AUTH_PASN && 3117 (sta->flags & WLAN_STA_ASSOC)) { 3118 wpa_printf(MSG_DEBUG, 3119 "PASN: auth: Existing station: " MACSTR, 3120 MAC2STR(sta->addr)); 3121 return; 3122 } 3123 #endif /* CONFIG_PASN */ 3124 } else { 3125 #ifdef CONFIG_MESH 3126 if (hapd->conf->mesh & MESH_ENABLED) { 3127 /* if the mesh peer is not available, we don't do auth. 3128 */ 3129 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 3130 " not yet known - drop Authentication frame", 3131 MAC2STR(sa)); 3132 /* 3133 * Save a copy of the frame so that it can be processed 3134 * if a new peer entry is added shortly after this. 3135 */ 3136 wpabuf_free(hapd->mesh_pending_auth); 3137 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 3138 os_get_reltime(&hapd->mesh_pending_auth_time); 3139 return; 3140 } 3141 #endif /* CONFIG_MESH */ 3142 3143 sta = ap_sta_add(hapd, sa); 3144 if (!sta) { 3145 wpa_printf(MSG_DEBUG, "ap_sta_add() failed"); 3146 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3147 goto fail; 3148 } 3149 } 3150 3151 #ifdef CONFIG_IEEE80211BE 3152 /* Set the non-AP MLD information based on the initial Authentication 3153 * frame. Once the STA entry has been added to the driver, the driver 3154 * will translate addresses in the frame and we need to avoid overriding 3155 * peer_addr based on mgmt->sa which would have been translated to the 3156 * MLD MAC address. */ 3157 if (!sta->added_unassoc && auth_transaction == 1) { 3158 ap_sta_free_sta_profile(&sta->mld_info); 3159 os_memset(&sta->mld_info, 0, sizeof(sta->mld_info)); 3160 3161 if (mld_sta) { 3162 u8 link_id = hapd->mld_link_id; 3163 3164 ap_sta_set_mld(sta, true); 3165 sta->mld_assoc_link_id = link_id; 3166 3167 /* 3168 * Set the MLD address as the station address and the 3169 * station addresses. 3170 */ 3171 os_memcpy(sta->mld_info.common_info.mld_addr, sa, 3172 ETH_ALEN); 3173 os_memcpy(sta->mld_info.links[link_id].peer_addr, 3174 mgmt->sa, ETH_ALEN); 3175 os_memcpy(sta->mld_info.links[link_id].local_addr, 3176 hapd->own_addr, ETH_ALEN); 3177 } 3178 } 3179 #endif /* CONFIG_IEEE80211BE */ 3180 3181 sta->last_seq_ctrl = seq_ctrl; 3182 sta->last_subtype = WLAN_FC_STYPE_AUTH; 3183 #ifdef CONFIG_MBO 3184 sta->auth_rssi = rssi; 3185 #endif /* CONFIG_MBO */ 3186 3187 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info); 3188 if (res) { 3189 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed"); 3190 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3191 goto fail; 3192 } 3193 3194 sta->flags &= ~WLAN_STA_PREAUTH; 3195 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 3196 3197 /* 3198 * If the driver supports full AP client state, add a station to the 3199 * driver before sending authentication reply to make sure the driver 3200 * has resources, and not to go through the entire authentication and 3201 * association handshake, and fail it at the end. 3202 * 3203 * If this is not the first transaction, in a multi-step authentication 3204 * algorithm, the station already exists in the driver 3205 * (sta->added_unassoc = 1) so skip it. 3206 * 3207 * In mesh mode, the station was already added to the driver when the 3208 * NEW_PEER_CANDIDATE event is received. 3209 * 3210 * If PMF was negotiated for the existing association, skip this to 3211 * avoid dropping the STA entry and the associated keys. This is needed 3212 * to allow the original connection work until the attempt can complete 3213 * (re)association, so that unprotected Authentication frame cannot be 3214 * used to bypass PMF protection. 3215 * 3216 * PASN authentication does not require adding/removing station to the 3217 * driver so skip this flow in case of PASN authentication. 3218 */ 3219 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && 3220 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && 3221 !(hapd->conf->mesh & MESH_ENABLED) && 3222 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) { 3223 if (ap_sta_re_add(hapd, sta) < 0) { 3224 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3225 goto fail; 3226 } 3227 } 3228 3229 switch (auth_alg) { 3230 case WLAN_AUTH_OPEN: 3231 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3232 HOSTAPD_LEVEL_DEBUG, 3233 "authentication OK (open system)"); 3234 sta->flags |= WLAN_STA_AUTH; 3235 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 3236 sta->auth_alg = WLAN_AUTH_OPEN; 3237 mlme_authenticate_indication(hapd, sta); 3238 break; 3239 #ifdef CONFIG_WEP 3240 #ifndef CONFIG_NO_RC4 3241 case WLAN_AUTH_SHARED_KEY: 3242 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 3243 fc & WLAN_FC_ISWEP); 3244 if (resp != 0) 3245 wpa_printf(MSG_DEBUG, 3246 "auth_shared_key() failed: status=%d", resp); 3247 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 3248 mlme_authenticate_indication(hapd, sta); 3249 if (sta->challenge && auth_transaction == 1) { 3250 resp_ies[0] = WLAN_EID_CHALLENGE; 3251 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 3252 os_memcpy(resp_ies + 2, sta->challenge, 3253 WLAN_AUTH_CHALLENGE_LEN); 3254 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 3255 } 3256 break; 3257 #endif /* CONFIG_NO_RC4 */ 3258 #endif /* CONFIG_WEP */ 3259 #ifdef CONFIG_IEEE80211R_AP 3260 case WLAN_AUTH_FT: 3261 sta->auth_alg = WLAN_AUTH_FT; 3262 if (sta->wpa_sm == NULL) 3263 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 3264 sta->addr, NULL); 3265 if (sta->wpa_sm == NULL) { 3266 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 3267 "state machine"); 3268 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3269 goto fail; 3270 } 3271 wpa_ft_process_auth(sta->wpa_sm, 3272 auth_transaction, mgmt->u.auth.variable, 3273 len - IEEE80211_HDRLEN - 3274 sizeof(mgmt->u.auth), 3275 handle_auth_ft_finish, hapd); 3276 /* handle_auth_ft_finish() callback will complete auth. */ 3277 return; 3278 #endif /* CONFIG_IEEE80211R_AP */ 3279 #ifdef CONFIG_SAE 3280 case WLAN_AUTH_SAE: 3281 #ifdef CONFIG_MESH 3282 if (status_code == WLAN_STATUS_SUCCESS && 3283 hapd->conf->mesh & MESH_ENABLED) { 3284 if (sta->wpa_sm == NULL) 3285 sta->wpa_sm = 3286 wpa_auth_sta_init(hapd->wpa_auth, 3287 sta->addr, NULL); 3288 if (sta->wpa_sm == NULL) { 3289 wpa_printf(MSG_DEBUG, 3290 "SAE: Failed to initialize WPA state machine"); 3291 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3292 goto fail; 3293 } 3294 } 3295 #endif /* CONFIG_MESH */ 3296 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 3297 status_code); 3298 return; 3299 #endif /* CONFIG_SAE */ 3300 #ifdef CONFIG_FILS 3301 case WLAN_AUTH_FILS_SK: 3302 case WLAN_AUTH_FILS_SK_PFS: 3303 handle_auth_fils(hapd, sta, mgmt->u.auth.variable, 3304 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth), 3305 auth_alg, auth_transaction, status_code, 3306 handle_auth_fils_finish); 3307 return; 3308 #endif /* CONFIG_FILS */ 3309 #ifdef CONFIG_PASN 3310 case WLAN_AUTH_PASN: 3311 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction, 3312 status_code); 3313 return; 3314 #endif /* CONFIG_PASN */ 3315 } 3316 3317 fail: 3318 dst = mgmt->sa; 3319 3320 #ifdef CONFIG_IEEE80211BE 3321 if (ap_sta_is_mld(hapd, sta)) 3322 dst = sta->addr; 3323 #endif /* CONFIG_IEEE80211BE */ 3324 3325 reply_res = send_auth_reply(hapd, sta, dst, auth_alg, 3326 auth_alg == WLAN_AUTH_SAE ? 3327 auth_transaction : auth_transaction + 1, 3328 resp, resp_ies, resp_ies_len, 3329 "handle-auth"); 3330 3331 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 3332 reply_res != WLAN_STATUS_SUCCESS)) { 3333 hostapd_drv_sta_remove(hapd, sta->addr); 3334 sta->added_unassoc = 0; 3335 } 3336 } 3337 3338 3339 static u8 hostapd_max_bssid_indicator(struct hostapd_data *hapd) 3340 { 3341 size_t num_bss_nontx; 3342 u8 max_bssid_ind = 0; 3343 3344 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1) 3345 return 0; 3346 3347 num_bss_nontx = hapd->iface->num_bss - 1; 3348 while (num_bss_nontx > 0) { 3349 max_bssid_ind++; 3350 num_bss_nontx >>= 1; 3351 } 3352 return max_bssid_ind; 3353 } 3354 3355 3356 static u32 hostapd_get_aid_word(struct hostapd_data *hapd, 3357 struct sta_info *sta, int i) 3358 { 3359 #ifdef CONFIG_IEEE80211BE 3360 u32 aid_word = 0; 3361 3362 /* Do not assign an AID that is in use on any of the affiliated links 3363 * when finding an AID for a non-AP MLD. */ 3364 if (hapd->conf->mld_ap && sta->mld_info.mld_sta) { 3365 int j; 3366 3367 for (j = 0; j < MAX_NUM_MLD_LINKS; j++) { 3368 struct hostapd_data *link_bss; 3369 3370 if (!sta->mld_info.links[j].valid) 3371 continue; 3372 3373 link_bss = hostapd_mld_get_link_bss(hapd, j); 3374 if (!link_bss) { 3375 /* This shouldn't happen, just skip */ 3376 wpa_printf(MSG_ERROR, 3377 "MLD: Failed to get link BSS for AID"); 3378 continue; 3379 } 3380 3381 aid_word |= link_bss->sta_aid[i]; 3382 } 3383 3384 return aid_word; 3385 } 3386 #endif /* CONFIG_IEEE80211BE */ 3387 3388 return hapd->sta_aid[i]; 3389 } 3390 3391 3392 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 3393 { 3394 int i, j = 32, aid; 3395 3396 /* Transmitted and non-transmitted BSSIDs share the same AID pool, so 3397 * use the shared storage in the transmitted BSS to find the next 3398 * available value. */ 3399 hapd = hostapd_mbssid_get_tx_bss(hapd); 3400 3401 /* get a unique AID */ 3402 if (sta->aid > 0) { 3403 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 3404 return 0; 3405 } 3406 3407 if (TEST_FAIL()) 3408 return -1; 3409 3410 for (i = 0; i < AID_WORDS; i++) { 3411 u32 aid_word = hostapd_get_aid_word(hapd, sta, i); 3412 3413 if (aid_word == (u32) -1) 3414 continue; 3415 for (j = 0; j < 32; j++) { 3416 if (!(aid_word & BIT(j))) 3417 break; 3418 } 3419 if (j < 32) 3420 break; 3421 } 3422 if (j == 32) 3423 return -1; 3424 aid = i * 32 + j + (1 << hostapd_max_bssid_indicator(hapd)); 3425 if (aid > 2007) 3426 return -1; 3427 3428 sta->aid = aid; 3429 hapd->sta_aid[i] |= BIT(j); 3430 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 3431 return 0; 3432 } 3433 3434 3435 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 3436 const u8 *ssid_ie, size_t ssid_ie_len) 3437 { 3438 if (ssid_ie == NULL) 3439 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3440 3441 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 3442 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 3443 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3444 HOSTAPD_LEVEL_INFO, 3445 "Station tried to associate with unknown SSID " 3446 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 3447 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3448 } 3449 3450 return WLAN_STATUS_SUCCESS; 3451 } 3452 3453 3454 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 3455 const u8 *wmm_ie, size_t wmm_ie_len) 3456 { 3457 sta->flags &= ~WLAN_STA_WMM; 3458 sta->qosinfo = 0; 3459 if (wmm_ie && hapd->conf->wmm_enabled) { 3460 struct wmm_information_element *wmm; 3461 3462 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 3463 hostapd_logger(hapd, sta->addr, 3464 HOSTAPD_MODULE_WPA, 3465 HOSTAPD_LEVEL_DEBUG, 3466 "invalid WMM element in association " 3467 "request"); 3468 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3469 } 3470 3471 sta->flags |= WLAN_STA_WMM; 3472 wmm = (struct wmm_information_element *) wmm_ie; 3473 sta->qosinfo = wmm->qos_info; 3474 } 3475 return WLAN_STATUS_SUCCESS; 3476 } 3477 3478 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta, 3479 const u8 *multi_ap_ie, size_t multi_ap_len) 3480 { 3481 struct multi_ap_params multi_ap; 3482 u16 status; 3483 3484 sta->flags &= ~WLAN_STA_MULTI_AP; 3485 3486 if (!hapd->conf->multi_ap) 3487 return WLAN_STATUS_SUCCESS; 3488 3489 if (!multi_ap_ie) { 3490 if (!(hapd->conf->multi_ap & FRONTHAUL_BSS)) { 3491 hostapd_logger(hapd, sta->addr, 3492 HOSTAPD_MODULE_IEEE80211, 3493 HOSTAPD_LEVEL_INFO, 3494 "Non-Multi-AP STA tries to associate with backhaul-only BSS"); 3495 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 3496 } 3497 3498 return WLAN_STATUS_SUCCESS; 3499 } 3500 3501 status = check_multi_ap_ie(multi_ap_ie + 4, multi_ap_len - 4, 3502 &multi_ap); 3503 if (status != WLAN_STATUS_SUCCESS) 3504 return status; 3505 3506 if (multi_ap.capability && multi_ap.capability != MULTI_AP_BACKHAUL_STA) 3507 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3508 HOSTAPD_LEVEL_INFO, 3509 "Multi-AP IE with unexpected value 0x%02x", 3510 multi_ap.capability); 3511 3512 if (multi_ap.profile == MULTI_AP_PROFILE_1 && 3513 (hapd->conf->multi_ap_client_disallow & 3514 PROFILE1_CLIENT_ASSOC_DISALLOW)) { 3515 hostapd_logger(hapd, sta->addr, 3516 HOSTAPD_MODULE_IEEE80211, 3517 HOSTAPD_LEVEL_INFO, 3518 "Multi-AP Profile-1 clients not allowed"); 3519 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 3520 } 3521 3522 if (multi_ap.profile >= MULTI_AP_PROFILE_2 && 3523 (hapd->conf->multi_ap_client_disallow & 3524 PROFILE2_CLIENT_ASSOC_DISALLOW)) { 3525 hostapd_logger(hapd, sta->addr, 3526 HOSTAPD_MODULE_IEEE80211, 3527 HOSTAPD_LEVEL_INFO, 3528 "Multi-AP Profile-2 clients not allowed"); 3529 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 3530 } 3531 3532 if (!(multi_ap.capability & MULTI_AP_BACKHAUL_STA)) { 3533 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 3534 return WLAN_STATUS_SUCCESS; 3535 3536 hostapd_logger(hapd, sta->addr, 3537 HOSTAPD_MODULE_IEEE80211, 3538 HOSTAPD_LEVEL_INFO, 3539 "Non-Multi-AP STA tries to associate with backhaul-only BSS"); 3540 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 3541 } 3542 3543 if (!(hapd->conf->multi_ap & BACKHAUL_BSS)) 3544 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3545 HOSTAPD_LEVEL_DEBUG, 3546 "Backhaul STA tries to associate with fronthaul-only BSS"); 3547 3548 sta->flags |= WLAN_STA_MULTI_AP; 3549 return WLAN_STATUS_SUCCESS; 3550 } 3551 3552 3553 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 3554 struct ieee802_11_elems *elems) 3555 { 3556 /* Supported rates not used in IEEE 802.11ad/DMG */ 3557 if (hapd->iface->current_mode && 3558 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) 3559 return WLAN_STATUS_SUCCESS; 3560 3561 if (!elems->supp_rates) { 3562 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3563 HOSTAPD_LEVEL_DEBUG, 3564 "No supported rates element in AssocReq"); 3565 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3566 } 3567 3568 if (elems->supp_rates_len + elems->ext_supp_rates_len > 3569 sizeof(sta->supported_rates)) { 3570 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3571 HOSTAPD_LEVEL_DEBUG, 3572 "Invalid supported rates element length %d+%d", 3573 elems->supp_rates_len, 3574 elems->ext_supp_rates_len); 3575 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3576 } 3577 3578 sta->supported_rates_len = merge_byte_arrays( 3579 sta->supported_rates, sizeof(sta->supported_rates), 3580 elems->supp_rates, elems->supp_rates_len, 3581 elems->ext_supp_rates, elems->ext_supp_rates_len); 3582 3583 return WLAN_STATUS_SUCCESS; 3584 } 3585 3586 3587 #ifdef CONFIG_OWE 3588 3589 static int owe_group_supported(struct hostapd_data *hapd, u16 group) 3590 { 3591 int i; 3592 int *groups = hapd->conf->owe_groups; 3593 3594 if (group != 19 && group != 20 && group != 21) 3595 return 0; 3596 3597 if (!groups) 3598 return 1; 3599 3600 for (i = 0; groups[i] > 0; i++) { 3601 if (groups[i] == group) 3602 return 1; 3603 } 3604 3605 return 0; 3606 } 3607 3608 3609 static u16 owe_process_assoc_req(struct hostapd_data *hapd, 3610 struct sta_info *sta, const u8 *owe_dh, 3611 u8 owe_dh_len) 3612 { 3613 struct wpabuf *secret, *pub, *hkey; 3614 int res; 3615 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 3616 const char *info = "OWE Key Generation"; 3617 const u8 *addr[2]; 3618 size_t len[2]; 3619 u16 group; 3620 size_t hash_len, prime_len; 3621 3622 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 3623 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 3624 return WLAN_STATUS_SUCCESS; 3625 } 3626 3627 group = WPA_GET_LE16(owe_dh); 3628 if (!owe_group_supported(hapd, group)) { 3629 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group); 3630 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 3631 } 3632 if (group == 19) 3633 prime_len = 32; 3634 else if (group == 20) 3635 prime_len = 48; 3636 else if (group == 21) 3637 prime_len = 66; 3638 else 3639 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 3640 3641 if (sta->owe_group == group && sta->owe_ecdh) { 3642 /* This is a workaround for mac80211 behavior of retransmitting 3643 * the Association Request frames multiple times if the link 3644 * layer retries (i.e., seq# remains same) fail. The mac80211 3645 * initiated retransmission will use a different seq# and as 3646 * such, will go through duplicate detection. If we were to 3647 * change our DH key for that attempt, there would be two 3648 * different DH shared secrets and the STA would likely select 3649 * the wrong one. */ 3650 wpa_printf(MSG_DEBUG, 3651 "OWE: Try to reuse own previous DH key since the STA tried to go through OWE association again"); 3652 } else { 3653 crypto_ecdh_deinit(sta->owe_ecdh); 3654 sta->owe_ecdh = crypto_ecdh_init(group); 3655 } 3656 if (!sta->owe_ecdh) 3657 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 3658 sta->owe_group = group; 3659 3660 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2, 3661 owe_dh_len - 2); 3662 secret = wpabuf_zeropad(secret, prime_len); 3663 if (!secret) { 3664 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 3665 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3666 } 3667 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 3668 3669 /* prk = HKDF-extract(C | A | group, z) */ 3670 3671 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3672 if (!pub) { 3673 wpabuf_clear_free(secret); 3674 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3675 } 3676 3677 /* PMKID = Truncate-128(Hash(C | A)) */ 3678 addr[0] = owe_dh + 2; 3679 len[0] = owe_dh_len - 2; 3680 addr[1] = wpabuf_head(pub); 3681 len[1] = wpabuf_len(pub); 3682 if (group == 19) { 3683 res = sha256_vector(2, addr, len, pmkid); 3684 hash_len = SHA256_MAC_LEN; 3685 } else if (group == 20) { 3686 res = sha384_vector(2, addr, len, pmkid); 3687 hash_len = SHA384_MAC_LEN; 3688 } else if (group == 21) { 3689 res = sha512_vector(2, addr, len, pmkid); 3690 hash_len = SHA512_MAC_LEN; 3691 } else { 3692 wpabuf_free(pub); 3693 wpabuf_clear_free(secret); 3694 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3695 } 3696 pub = wpabuf_zeropad(pub, prime_len); 3697 if (res < 0 || !pub) { 3698 wpabuf_free(pub); 3699 wpabuf_clear_free(secret); 3700 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3701 } 3702 3703 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2); 3704 if (!hkey) { 3705 wpabuf_free(pub); 3706 wpabuf_clear_free(secret); 3707 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3708 } 3709 3710 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */ 3711 wpabuf_put_buf(hkey, pub); /* A */ 3712 wpabuf_free(pub); 3713 wpabuf_put_le16(hkey, group); /* group */ 3714 if (group == 19) 3715 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 3716 wpabuf_head(secret), wpabuf_len(secret), prk); 3717 else if (group == 20) 3718 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 3719 wpabuf_head(secret), wpabuf_len(secret), prk); 3720 else if (group == 21) 3721 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 3722 wpabuf_head(secret), wpabuf_len(secret), prk); 3723 wpabuf_clear_free(hkey); 3724 wpabuf_clear_free(secret); 3725 if (res < 0) 3726 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3727 3728 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 3729 3730 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 3731 3732 os_free(sta->owe_pmk); 3733 sta->owe_pmk = os_malloc(hash_len); 3734 if (!sta->owe_pmk) { 3735 os_memset(prk, 0, SHA512_MAC_LEN); 3736 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3737 } 3738 3739 if (group == 19) 3740 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 3741 os_strlen(info), sta->owe_pmk, hash_len); 3742 else if (group == 20) 3743 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 3744 os_strlen(info), sta->owe_pmk, hash_len); 3745 else if (group == 21) 3746 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 3747 os_strlen(info), sta->owe_pmk, hash_len); 3748 os_memset(prk, 0, SHA512_MAC_LEN); 3749 if (res < 0) { 3750 os_free(sta->owe_pmk); 3751 sta->owe_pmk = NULL; 3752 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3753 } 3754 sta->owe_pmk_len = hash_len; 3755 3756 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len); 3757 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 3758 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk, 3759 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE, NULL); 3760 3761 return WLAN_STATUS_SUCCESS; 3762 } 3763 3764 3765 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer, 3766 const u8 *rsn_ie, size_t rsn_ie_len, 3767 const u8 *owe_dh, size_t owe_dh_len) 3768 { 3769 struct wpa_ie_data data; 3770 int res; 3771 3772 if (!rsn_ie || rsn_ie_len < 2) { 3773 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR, 3774 MAC2STR(peer)); 3775 return WLAN_STATUS_INVALID_IE; 3776 } 3777 rsn_ie -= 2; 3778 rsn_ie_len += 2; 3779 3780 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data); 3781 if (res) { 3782 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR 3783 " (res=%d)", MAC2STR(peer), res); 3784 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len); 3785 return wpa_res_to_status_code(res); 3786 } 3787 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) { 3788 wpa_printf(MSG_DEBUG, 3789 "OWE: Unexpected key mgmt 0x%x from " MACSTR, 3790 (unsigned int) data.key_mgmt, MAC2STR(peer)); 3791 return WLAN_STATUS_AKMP_NOT_VALID; 3792 } 3793 if (!owe_dh) { 3794 wpa_printf(MSG_DEBUG, 3795 "OWE: No Diffie-Hellman Parameter element from " 3796 MACSTR, MAC2STR(peer)); 3797 return WLAN_STATUS_AKMP_NOT_VALID; 3798 } 3799 3800 return WLAN_STATUS_SUCCESS; 3801 } 3802 3803 3804 u16 owe_process_rsn_ie(struct hostapd_data *hapd, 3805 struct sta_info *sta, 3806 const u8 *rsn_ie, size_t rsn_ie_len, 3807 const u8 *owe_dh, size_t owe_dh_len, 3808 const u8 *link_addr) 3809 { 3810 u16 status; 3811 u8 *owe_buf, ie[256 * 2]; 3812 size_t ie_len = 0; 3813 enum wpa_validate_result res; 3814 3815 if (!rsn_ie || rsn_ie_len < 2) { 3816 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq"); 3817 status = WLAN_STATUS_INVALID_IE; 3818 goto end; 3819 } 3820 3821 if (!sta->wpa_sm) 3822 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 3823 NULL); 3824 if (!sta->wpa_sm) { 3825 wpa_printf(MSG_WARNING, 3826 "OWE: Failed to initialize WPA state machine"); 3827 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 3828 goto end; 3829 } 3830 #ifdef CONFIG_IEEE80211BE 3831 if (ap_sta_is_mld(hapd, sta)) 3832 wpa_auth_set_ml_info(sta->wpa_sm, 3833 sta->mld_assoc_link_id, &sta->mld_info); 3834 #endif /* CONFIG_IEEE80211BE */ 3835 rsn_ie -= 2; 3836 rsn_ie_len += 2; 3837 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 3838 hapd->iface->freq, rsn_ie, rsn_ie_len, 3839 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL); 3840 status = wpa_res_to_status_code(res); 3841 if (status != WLAN_STATUS_SUCCESS) 3842 goto end; 3843 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len); 3844 if (status != WLAN_STATUS_SUCCESS) 3845 goto end; 3846 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie), 3847 NULL, 0); 3848 if (!owe_buf) { 3849 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 3850 goto end; 3851 } 3852 3853 if (sta->owe_ecdh) { 3854 struct wpabuf *pub; 3855 3856 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3857 if (!pub) { 3858 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 3859 goto end; 3860 } 3861 3862 /* OWE Diffie-Hellman Parameter element */ 3863 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */ 3864 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */ 3865 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension 3866 */ 3867 WPA_PUT_LE16(owe_buf, sta->owe_group); 3868 owe_buf += 2; 3869 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub)); 3870 owe_buf += wpabuf_len(pub); 3871 wpabuf_free(pub); 3872 sta->external_dh_updated = 1; 3873 } 3874 ie_len = owe_buf - ie; 3875 3876 end: 3877 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer " 3878 MACSTR, status, (unsigned int) ie_len, 3879 MAC2STR(link_addr ? link_addr : sta->addr)); 3880 hostapd_drv_update_dh_ie(hapd, link_addr ? link_addr : sta->addr, 3881 status, 3882 status == WLAN_STATUS_SUCCESS ? ie : NULL, 3883 ie_len); 3884 3885 return status; 3886 } 3887 3888 #endif /* CONFIG_OWE */ 3889 3890 3891 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta, 3892 int reassoc) 3893 { 3894 if ((sta->flags & 3895 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) != 3896 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) 3897 return false; 3898 3899 if (!sta->sa_query_timed_out && sta->sa_query_count > 0) 3900 ap_check_sa_query_timeout(hapd, sta); 3901 3902 if (!sta->sa_query_timed_out && 3903 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 3904 /* 3905 * STA has already been associated with MFP and SA Query timeout 3906 * has not been reached. Reject the association attempt 3907 * temporarily and start SA Query, if one is not pending. 3908 */ 3909 if (sta->sa_query_count == 0) 3910 ap_sta_start_sa_query(hapd, sta); 3911 3912 return true; 3913 } 3914 3915 return false; 3916 } 3917 3918 3919 static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 3920 const u8 *ies, size_t ies_len, 3921 struct ieee802_11_elems *elems, int reassoc, 3922 bool link) 3923 { 3924 int resp; 3925 const u8 *wpa_ie; 3926 size_t wpa_ie_len; 3927 const u8 *p2p_dev_addr = NULL; 3928 struct hostapd_data *assoc_hapd; 3929 struct sta_info *assoc_sta = NULL; 3930 3931 resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len); 3932 if (resp != WLAN_STATUS_SUCCESS) 3933 return resp; 3934 resp = check_wmm(hapd, sta, elems->wmm, elems->wmm_len); 3935 if (resp != WLAN_STATUS_SUCCESS) 3936 return resp; 3937 resp = check_ext_capab(hapd, sta, elems->ext_capab, 3938 elems->ext_capab_len); 3939 if (resp != WLAN_STATUS_SUCCESS) 3940 return resp; 3941 resp = copy_supp_rates(hapd, sta, elems); 3942 if (resp != WLAN_STATUS_SUCCESS) 3943 return resp; 3944 3945 resp = check_multi_ap(hapd, sta, elems->multi_ap, elems->multi_ap_len); 3946 if (resp != WLAN_STATUS_SUCCESS) 3947 return resp; 3948 3949 resp = copy_sta_ht_capab(hapd, sta, elems->ht_capabilities); 3950 if (resp != WLAN_STATUS_SUCCESS) 3951 return resp; 3952 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 3953 !(sta->flags & WLAN_STA_HT)) { 3954 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3955 HOSTAPD_LEVEL_INFO, "Station does not support " 3956 "mandatory HT PHY - reject association"); 3957 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 3958 } 3959 3960 #ifdef CONFIG_IEEE80211AC 3961 if (hapd->iconf->ieee80211ac) { 3962 resp = copy_sta_vht_capab(hapd, sta, elems->vht_capabilities); 3963 if (resp != WLAN_STATUS_SUCCESS) 3964 return resp; 3965 3966 resp = set_sta_vht_opmode(hapd, sta, elems->opmode_notif); 3967 if (resp != WLAN_STATUS_SUCCESS) 3968 return resp; 3969 } 3970 3971 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 3972 !(sta->flags & WLAN_STA_VHT)) { 3973 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3974 HOSTAPD_LEVEL_INFO, "Station does not support " 3975 "mandatory VHT PHY - reject association"); 3976 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 3977 } 3978 3979 if (hapd->conf->vendor_vht && !elems->vht_capabilities) { 3980 resp = copy_sta_vendor_vht(hapd, sta, elems->vendor_vht, 3981 elems->vendor_vht_len); 3982 if (resp != WLAN_STATUS_SUCCESS) 3983 return resp; 3984 } 3985 #endif /* CONFIG_IEEE80211AC */ 3986 #ifdef CONFIG_IEEE80211AX 3987 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) { 3988 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP, 3989 elems->he_capabilities, 3990 elems->he_capabilities_len); 3991 if (resp != WLAN_STATUS_SUCCESS) 3992 return resp; 3993 3994 if (hapd->iconf->require_he && !(sta->flags & WLAN_STA_HE)) { 3995 hostapd_logger(hapd, sta->addr, 3996 HOSTAPD_MODULE_IEEE80211, 3997 HOSTAPD_LEVEL_INFO, 3998 "Station does not support mandatory HE PHY - reject association"); 3999 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED; 4000 } 4001 4002 if (is_6ghz_op_class(hapd->iconf->op_class)) { 4003 if (!(sta->flags & WLAN_STA_HE)) { 4004 hostapd_logger(hapd, sta->addr, 4005 HOSTAPD_MODULE_IEEE80211, 4006 HOSTAPD_LEVEL_INFO, 4007 "Station does not support mandatory HE PHY - reject association"); 4008 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED; 4009 } 4010 resp = copy_sta_he_6ghz_capab(hapd, sta, 4011 elems->he_6ghz_band_cap); 4012 if (resp != WLAN_STATUS_SUCCESS) 4013 return resp; 4014 } 4015 } 4016 #endif /* CONFIG_IEEE80211AX */ 4017 #ifdef CONFIG_IEEE80211BE 4018 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) { 4019 resp = copy_sta_eht_capab(hapd, sta, IEEE80211_MODE_AP, 4020 elems->he_capabilities, 4021 elems->he_capabilities_len, 4022 elems->eht_capabilities, 4023 elems->eht_capabilities_len); 4024 if (resp != WLAN_STATUS_SUCCESS) 4025 return resp; 4026 4027 if (!link) { 4028 resp = hostapd_process_ml_assoc_req(hapd, elems, sta); 4029 if (resp != WLAN_STATUS_SUCCESS) 4030 return resp; 4031 } 4032 } 4033 #endif /* CONFIG_IEEE80211BE */ 4034 4035 #ifdef CONFIG_P2P 4036 if (elems->p2p && ies && ies_len) { 4037 wpabuf_free(sta->p2p_ie); 4038 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 4039 P2P_IE_VENDOR_TYPE); 4040 if (sta->p2p_ie) 4041 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 4042 } else { 4043 wpabuf_free(sta->p2p_ie); 4044 sta->p2p_ie = NULL; 4045 } 4046 #endif /* CONFIG_P2P */ 4047 4048 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems->rsn_ie) { 4049 wpa_ie = elems->rsn_ie; 4050 wpa_ie_len = elems->rsn_ie_len; 4051 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 4052 elems->wpa_ie) { 4053 wpa_ie = elems->wpa_ie; 4054 wpa_ie_len = elems->wpa_ie_len; 4055 } else { 4056 wpa_ie = NULL; 4057 wpa_ie_len = 0; 4058 } 4059 4060 #ifdef CONFIG_WPS 4061 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 4062 if (hapd->conf->wps_state && elems->wps_ie && ies && ies_len) { 4063 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 4064 "Request - assume WPS is used"); 4065 sta->flags |= WLAN_STA_WPS; 4066 wpabuf_free(sta->wps_ie); 4067 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 4068 WPS_IE_VENDOR_TYPE); 4069 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 4070 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 4071 sta->flags |= WLAN_STA_WPS2; 4072 } 4073 wpa_ie = NULL; 4074 wpa_ie_len = 0; 4075 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 4076 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 4077 "(Re)Association Request - reject"); 4078 return WLAN_STATUS_INVALID_IE; 4079 } 4080 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 4081 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 4082 "(Re)Association Request - possible WPS use"); 4083 sta->flags |= WLAN_STA_MAYBE_WPS; 4084 } else 4085 #endif /* CONFIG_WPS */ 4086 if (hapd->conf->wpa && wpa_ie == NULL) { 4087 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4088 HOSTAPD_LEVEL_INFO, 4089 "No WPA/RSN IE in association request"); 4090 return WLAN_STATUS_INVALID_IE; 4091 } 4092 4093 if (hapd->conf->wpa && wpa_ie) { 4094 enum wpa_validate_result res; 4095 #ifdef CONFIG_IEEE80211BE 4096 struct mld_info *info = &sta->mld_info; 4097 bool init = !sta->wpa_sm; 4098 #endif /* CONFIG_IEEE80211BE */ 4099 4100 wpa_ie -= 2; 4101 wpa_ie_len += 2; 4102 4103 if (!sta->wpa_sm) { 4104 if (!link) 4105 assoc_sta = hostapd_ml_get_assoc_sta( 4106 hapd, sta, &assoc_hapd); 4107 4108 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 4109 sta->addr, 4110 p2p_dev_addr); 4111 4112 if (!sta->wpa_sm) { 4113 wpa_printf(MSG_WARNING, 4114 "Failed to initialize RSN state machine"); 4115 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4116 } 4117 } 4118 4119 #ifdef CONFIG_IEEE80211BE 4120 if (ap_sta_is_mld(hapd, sta)) { 4121 wpa_printf(MSG_DEBUG, 4122 "MLD: %s ML info in RSN Authenticator", 4123 init ? "Set" : "Reset"); 4124 wpa_auth_set_ml_info(sta->wpa_sm, 4125 sta->mld_assoc_link_id, 4126 info); 4127 } 4128 #endif /* CONFIG_IEEE80211BE */ 4129 4130 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg); 4131 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 4132 hapd->iface->freq, 4133 wpa_ie, wpa_ie_len, 4134 elems->rsnxe ? elems->rsnxe - 2 : 4135 NULL, 4136 elems->rsnxe ? elems->rsnxe_len + 2 : 4137 0, 4138 elems->mdie, elems->mdie_len, 4139 elems->owe_dh, elems->owe_dh_len, 4140 assoc_sta ? assoc_sta->wpa_sm : NULL); 4141 resp = wpa_res_to_status_code(res); 4142 if (resp != WLAN_STATUS_SUCCESS) 4143 return resp; 4144 4145 if (wpa_auth_uses_mfp(sta->wpa_sm)) 4146 sta->flags |= WLAN_STA_MFP; 4147 else 4148 sta->flags &= ~WLAN_STA_MFP; 4149 4150 #ifdef CONFIG_IEEE80211R_AP 4151 if (sta->auth_alg == WLAN_AUTH_FT) { 4152 if (!reassoc) { 4153 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 4154 "to use association (not " 4155 "re-association) with FT auth_alg", 4156 MAC2STR(sta->addr)); 4157 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4158 } 4159 4160 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 4161 ies_len); 4162 if (resp != WLAN_STATUS_SUCCESS) 4163 return resp; 4164 } 4165 #endif /* CONFIG_IEEE80211R_AP */ 4166 4167 if (link) 4168 goto skip_sae_owe; 4169 #ifdef CONFIG_SAE 4170 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae && 4171 sta->sae->state == SAE_ACCEPTED) 4172 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid); 4173 4174 if (wpa_auth_uses_sae(sta->wpa_sm) && 4175 sta->auth_alg == WLAN_AUTH_OPEN) { 4176 struct rsn_pmksa_cache_entry *sa; 4177 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 4178 if (!sa || !wpa_key_mgmt_sae(sa->akmp)) { 4179 wpa_printf(MSG_DEBUG, 4180 "SAE: No PMKSA cache entry found for " 4181 MACSTR, MAC2STR(sta->addr)); 4182 return WLAN_STATUS_INVALID_PMKID; 4183 } 4184 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 4185 " using PMKSA caching", MAC2STR(sta->addr)); 4186 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 4187 sta->auth_alg != WLAN_AUTH_SAE && 4188 !(sta->auth_alg == WLAN_AUTH_FT && 4189 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 4190 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 4191 "SAE AKM after non-SAE auth_alg %u", 4192 MAC2STR(sta->addr), sta->auth_alg); 4193 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 4194 } 4195 4196 if (hapd->conf->sae_pwe == SAE_PWE_BOTH && 4197 sta->auth_alg == WLAN_AUTH_SAE && 4198 sta->sae && !sta->sae->h2e && 4199 ieee802_11_rsnx_capab_len(elems->rsnxe, elems->rsnxe_len, 4200 WLAN_RSNX_CAPAB_SAE_H2E)) { 4201 wpa_printf(MSG_INFO, "SAE: " MACSTR 4202 " indicates support for SAE H2E, but did not use it", 4203 MAC2STR(sta->addr)); 4204 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4205 } 4206 #endif /* CONFIG_SAE */ 4207 4208 #ifdef CONFIG_OWE 4209 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 4210 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE && 4211 elems->owe_dh) { 4212 resp = owe_process_assoc_req(hapd, sta, elems->owe_dh, 4213 elems->owe_dh_len); 4214 if (resp != WLAN_STATUS_SUCCESS) 4215 return resp; 4216 } 4217 #endif /* CONFIG_OWE */ 4218 skip_sae_owe: 4219 4220 #ifdef CONFIG_DPP2 4221 dpp_pfs_free(sta->dpp_pfs); 4222 sta->dpp_pfs = NULL; 4223 4224 if (DPP_VERSION > 1 && 4225 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 4226 hapd->conf->dpp_netaccesskey && sta->wpa_sm && 4227 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP && 4228 elems->owe_dh) { 4229 sta->dpp_pfs = dpp_pfs_init( 4230 wpabuf_head(hapd->conf->dpp_netaccesskey), 4231 wpabuf_len(hapd->conf->dpp_netaccesskey)); 4232 if (!sta->dpp_pfs) { 4233 wpa_printf(MSG_DEBUG, 4234 "DPP: Could not initialize PFS"); 4235 /* Try to continue without PFS */ 4236 goto pfs_fail; 4237 } 4238 4239 if (dpp_pfs_process(sta->dpp_pfs, elems->owe_dh, 4240 elems->owe_dh_len) < 0) { 4241 dpp_pfs_free(sta->dpp_pfs); 4242 sta->dpp_pfs = NULL; 4243 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4244 } 4245 } 4246 4247 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ? 4248 sta->dpp_pfs->secret : NULL); 4249 pfs_fail: 4250 #endif /* CONFIG_DPP2 */ 4251 4252 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 4253 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 4254 hostapd_logger(hapd, sta->addr, 4255 HOSTAPD_MODULE_IEEE80211, 4256 HOSTAPD_LEVEL_INFO, 4257 "Station tried to use TKIP with HT " 4258 "association"); 4259 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 4260 } 4261 4262 wpa_auth_set_ssid_protection( 4263 sta->wpa_sm, 4264 hapd->conf->ssid_protection && 4265 ieee802_11_rsnx_capab_len( 4266 elems->rsnxe, elems->rsnxe_len, 4267 WLAN_RSNX_CAPAB_SSID_PROTECTION)); 4268 #ifdef CONFIG_HS20 4269 } else if (hapd->conf->osen) { 4270 if (!elems->osen) { 4271 hostapd_logger( 4272 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4273 HOSTAPD_LEVEL_INFO, 4274 "No HS 2.0 OSEN element in association request"); 4275 return WLAN_STATUS_INVALID_IE; 4276 } 4277 4278 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 4279 if (sta->wpa_sm == NULL) 4280 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 4281 sta->addr, NULL); 4282 if (sta->wpa_sm == NULL) { 4283 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 4284 "state machine"); 4285 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4286 } 4287 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 4288 elems->osen - 2, elems->osen_len + 2) < 0) 4289 return WLAN_STATUS_INVALID_IE; 4290 #endif /* CONFIG_HS20 */ 4291 } else 4292 wpa_auth_sta_no_wpa(sta->wpa_sm); 4293 4294 #ifdef CONFIG_P2P 4295 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 4296 #endif /* CONFIG_P2P */ 4297 4298 #ifdef CONFIG_HS20 4299 wpabuf_free(sta->hs20_ie); 4300 if (elems->hs20 && elems->hs20_len > 4) { 4301 int release; 4302 4303 sta->hs20_ie = wpabuf_alloc_copy(elems->hs20 + 4, 4304 elems->hs20_len - 4); 4305 release = ((elems->hs20[4] >> 4) & 0x0f) + 1; 4306 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) && 4307 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 4308 wpa_printf(MSG_DEBUG, 4309 "HS 2.0: PMF not negotiated by release %d station " 4310 MACSTR, release, MAC2STR(sta->addr)); 4311 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 4312 } 4313 } else { 4314 sta->hs20_ie = NULL; 4315 } 4316 4317 wpabuf_free(sta->roaming_consortium); 4318 if (elems->roaming_cons_sel) 4319 sta->roaming_consortium = wpabuf_alloc_copy( 4320 elems->roaming_cons_sel + 4, 4321 elems->roaming_cons_sel_len - 4); 4322 else 4323 sta->roaming_consortium = NULL; 4324 #endif /* CONFIG_HS20 */ 4325 4326 #ifdef CONFIG_FST 4327 wpabuf_free(sta->mb_ies); 4328 if (hapd->iface->fst) 4329 sta->mb_ies = mb_ies_by_info(&elems->mb_ies); 4330 else 4331 sta->mb_ies = NULL; 4332 #endif /* CONFIG_FST */ 4333 4334 #ifdef CONFIG_MBO 4335 mbo_ap_check_sta_assoc(hapd, sta, elems); 4336 4337 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) && 4338 elems->mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) && 4339 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 4340 wpa_printf(MSG_INFO, 4341 "MBO: Reject WPA2 association without PMF"); 4342 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4343 } 4344 #endif /* CONFIG_MBO */ 4345 4346 #if defined(CONFIG_FILS) && defined(CONFIG_OCV) 4347 if (wpa_auth_uses_ocv(sta->wpa_sm) && 4348 (sta->auth_alg == WLAN_AUTH_FILS_SK || 4349 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4350 sta->auth_alg == WLAN_AUTH_FILS_PK)) { 4351 struct wpa_channel_info ci; 4352 int tx_chanwidth; 4353 int tx_seg1_idx; 4354 enum oci_verify_result res; 4355 4356 if (hostapd_drv_channel_info(hapd, &ci) != 0) { 4357 wpa_printf(MSG_WARNING, 4358 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame"); 4359 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4360 } 4361 4362 if (get_sta_tx_parameters(sta->wpa_sm, 4363 channel_width_to_int(ci.chanwidth), 4364 ci.seg1_idx, &tx_chanwidth, 4365 &tx_seg1_idx) < 0) 4366 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4367 4368 res = ocv_verify_tx_params(elems->oci, elems->oci_len, &ci, 4369 tx_chanwidth, tx_seg1_idx); 4370 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 && 4371 res == OCI_NOT_FOUND) { 4372 /* Work around misbehaving STAs */ 4373 wpa_printf(MSG_INFO, 4374 "FILS: Disable OCV with a STA that does not send OCI"); 4375 wpa_auth_set_ocv(sta->wpa_sm, 0); 4376 } else if (res != OCI_SUCCESS) { 4377 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s", 4378 ocv_errorstr); 4379 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr=" 4380 MACSTR " frame=fils-reassoc-req error=%s", 4381 MAC2STR(sta->addr), ocv_errorstr); 4382 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4383 } 4384 } 4385 #endif /* CONFIG_FILS && CONFIG_OCV */ 4386 4387 ap_copy_sta_supp_op_classes(sta, elems->supp_op_classes, 4388 elems->supp_op_classes_len); 4389 4390 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) && 4391 elems->rrm_enabled && 4392 elems->rrm_enabled_len >= sizeof(sta->rrm_enabled_capa)) 4393 os_memcpy(sta->rrm_enabled_capa, elems->rrm_enabled, 4394 sizeof(sta->rrm_enabled_capa)); 4395 4396 if (elems->power_capab) { 4397 sta->min_tx_power = elems->power_capab[0]; 4398 sta->max_tx_power = elems->power_capab[1]; 4399 sta->power_capab = 1; 4400 } else { 4401 sta->power_capab = 0; 4402 } 4403 4404 if (elems->bss_max_idle_period && 4405 hapd->conf->max_acceptable_idle_period) { 4406 u16 req; 4407 4408 req = WPA_GET_LE16(elems->bss_max_idle_period); 4409 if (req <= hapd->conf->max_acceptable_idle_period) 4410 sta->max_idle_period = req; 4411 else if (hapd->conf->max_acceptable_idle_period > 4412 hapd->conf->ap_max_inactivity) 4413 sta->max_idle_period = 4414 hapd->conf->max_acceptable_idle_period; 4415 } 4416 4417 return WLAN_STATUS_SUCCESS; 4418 } 4419 4420 4421 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 4422 const u8 *ies, size_t ies_len, int reassoc) 4423 { 4424 struct ieee802_11_elems elems; 4425 4426 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 4427 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4428 HOSTAPD_LEVEL_INFO, 4429 "Station sent an invalid association request"); 4430 return WLAN_STATUS_UNSPECIFIED_FAILURE; 4431 } 4432 4433 return __check_assoc_ies(hapd, sta, ies, ies_len, &elems, reassoc, 4434 false); 4435 } 4436 4437 4438 #ifdef CONFIG_IEEE80211BE 4439 4440 static void ieee80211_ml_build_assoc_resp(struct hostapd_data *hapd, 4441 struct mld_link_info *link) 4442 { 4443 u8 buf[EHT_ML_MAX_STA_PROF_LEN]; 4444 u8 *p = buf; 4445 size_t buflen = sizeof(buf); 4446 4447 /* Capability Info */ 4448 WPA_PUT_LE16(p, hostapd_own_capab_info(hapd)); 4449 p += 2; 4450 4451 /* Status Code */ 4452 WPA_PUT_LE16(p, link->status); 4453 p += 2; 4454 4455 if (link->status != WLAN_STATUS_SUCCESS) 4456 goto out; 4457 4458 /* AID is not included */ 4459 p = hostapd_eid_supp_rates(hapd, p); 4460 p = hostapd_eid_ext_supp_rates(hapd, p); 4461 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p); 4462 p = hostapd_eid_ht_capabilities(hapd, p); 4463 p = hostapd_eid_ht_operation(hapd, p); 4464 4465 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 4466 p = hostapd_eid_vht_capabilities(hapd, p, 0); 4467 p = hostapd_eid_vht_operation(hapd, p); 4468 } 4469 4470 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) { 4471 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP); 4472 p = hostapd_eid_he_operation(hapd, p); 4473 p = hostapd_eid_spatial_reuse(hapd, p); 4474 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p); 4475 p = hostapd_eid_he_6ghz_band_cap(hapd, p); 4476 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) { 4477 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP); 4478 p = hostapd_eid_eht_operation(hapd, p); 4479 } 4480 } 4481 4482 p = hostapd_eid_ext_capab(hapd, p, false); 4483 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 4484 p = hostapd_eid_wmm(hapd, p); 4485 4486 if (hapd->conf->assocresp_elements && 4487 (size_t) (buf + buflen - p) >= 4488 wpabuf_len(hapd->conf->assocresp_elements)) { 4489 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 4490 wpabuf_len(hapd->conf->assocresp_elements)); 4491 p += wpabuf_len(hapd->conf->assocresp_elements); 4492 } 4493 4494 out: 4495 os_free(link->resp_sta_profile); 4496 link->resp_sta_profile = os_memdup(buf, p - buf); 4497 link->resp_sta_profile_len = link->resp_sta_profile ? p - buf : 0; 4498 } 4499 4500 4501 static int ieee80211_ml_process_link(struct hostapd_data *hapd, 4502 struct sta_info *origin_sta, 4503 struct mld_link_info *link, 4504 const u8 *ies, size_t ies_len, 4505 bool reassoc, bool offload) 4506 { 4507 struct ieee802_11_elems elems; 4508 struct wpabuf *mlbuf = NULL; 4509 struct sta_info *sta = NULL; 4510 u16 status = WLAN_STATUS_SUCCESS; 4511 int i; 4512 4513 wpa_printf(MSG_DEBUG, "MLD: link: link_id=%u, peer=" MACSTR, 4514 hapd->mld_link_id, MAC2STR(link->peer_addr)); 4515 4516 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 4517 wpa_printf(MSG_DEBUG, "MLD: link: Element parsing failed"); 4518 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 4519 goto out; 4520 } 4521 4522 sta = ap_get_sta(hapd, origin_sta->addr); 4523 if (sta) { 4524 wpa_printf(MSG_INFO, "MLD: link: Station already exists"); 4525 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 4526 sta = NULL; 4527 goto out; 4528 } 4529 4530 sta = ap_sta_add(hapd, origin_sta->addr); 4531 if (!sta) { 4532 wpa_printf(MSG_DEBUG, "MLD: link: ap_sta_add() failed"); 4533 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4534 goto out; 4535 } 4536 4537 mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true); 4538 if (!mlbuf) 4539 goto out; 4540 4541 if (ieee802_11_parse_link_assoc_req(ies, ies_len, &elems, mlbuf, 4542 hapd->mld_link_id, true) == 4543 ParseFailed) { 4544 wpa_printf(MSG_DEBUG, 4545 "MLD: link: Failed to parse association request Multi-Link element"); 4546 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 4547 goto out; 4548 } 4549 4550 sta->flags |= origin_sta->flags | WLAN_STA_ASSOC_REQ_OK; 4551 sta->mld_assoc_link_id = origin_sta->mld_assoc_link_id; 4552 4553 status = __check_assoc_ies(hapd, sta, NULL, 0, &elems, reassoc, true); 4554 if (status != WLAN_STATUS_SUCCESS) { 4555 wpa_printf(MSG_DEBUG, "MLD: link: Element check failed"); 4556 goto out; 4557 } 4558 4559 ap_sta_set_mld(sta, true); 4560 4561 os_memcpy(&sta->mld_info, &origin_sta->mld_info, sizeof(sta->mld_info)); 4562 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) { 4563 struct mld_link_info *li = &sta->mld_info.links[i]; 4564 4565 li->resp_sta_profile = NULL; 4566 li->resp_sta_profile_len = 0; 4567 } 4568 4569 if (!offload) { 4570 /* 4571 * Get the AID from the station on which the association was 4572 * performed, and mark it as used. 4573 */ 4574 sta->aid = origin_sta->aid; 4575 if (sta->aid == 0) { 4576 wpa_printf(MSG_DEBUG, "MLD: link: No AID assigned"); 4577 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 4578 goto out; 4579 } 4580 hapd->sta_aid[(sta->aid - 1) / 32] |= BIT((sta->aid - 1) % 32); 4581 sta->listen_interval = origin_sta->listen_interval; 4582 if (update_ht_state(hapd, sta) > 0) 4583 ieee802_11_update_beacons(hapd->iface); 4584 } 4585 4586 /* Maintain state machine reference on all link STAs, this is needed 4587 * during group rekey handling. 4588 */ 4589 wpa_auth_sta_deinit(sta->wpa_sm); 4590 sta->wpa_sm = origin_sta->wpa_sm; 4591 4592 /* 4593 * Do not initialize the EAPOL state machine. 4594 * TODO: Maybe it is needed? 4595 */ 4596 sta->eapol_sm = NULL; 4597 4598 wpa_printf(MSG_DEBUG, "MLD: link=%u, association OK (aid=%u)", 4599 hapd->mld_link_id, sta->aid); 4600 4601 sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC_REQ_OK; 4602 4603 /* TODO: What other processing is required? */ 4604 4605 if (!offload && add_associated_sta(hapd, sta, reassoc)) 4606 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4607 out: 4608 wpabuf_free(mlbuf); 4609 link->status = status; 4610 4611 if (!offload) 4612 ieee80211_ml_build_assoc_resp(hapd, link); 4613 4614 wpa_printf(MSG_DEBUG, "MLD: link: status=%u", status); 4615 if (status != WLAN_STATUS_SUCCESS) { 4616 if (sta) 4617 ap_free_sta(hapd, sta); 4618 return -1; 4619 } 4620 4621 return 0; 4622 } 4623 4624 4625 bool hostapd_is_mld_ap(struct hostapd_data *hapd) 4626 { 4627 if (!hapd->conf->mld_ap) 4628 return false; 4629 4630 if (!hapd->iface || !hapd->iface->interfaces || 4631 hapd->iface->interfaces->count <= 1) 4632 return false; 4633 4634 return true; 4635 } 4636 4637 #endif /* CONFIG_IEEE80211BE */ 4638 4639 4640 int hostapd_process_assoc_ml_info(struct hostapd_data *hapd, 4641 struct sta_info *sta, 4642 const u8 *ies, size_t ies_len, 4643 bool reassoc, int tx_link_status, 4644 bool offload) 4645 { 4646 #ifdef CONFIG_IEEE80211BE 4647 unsigned int i; 4648 4649 if (!hostapd_is_mld_ap(hapd)) 4650 return 0; 4651 4652 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) { 4653 struct hostapd_data *bss = NULL; 4654 struct mld_link_info *link = &sta->mld_info.links[i]; 4655 bool link_bss_found = false; 4656 4657 if (!link->valid || i == sta->mld_assoc_link_id) 4658 continue; 4659 4660 for_each_mld_link(bss, hapd) { 4661 if (bss == hapd) 4662 continue; 4663 4664 if (bss->mld_link_id != i) 4665 continue; 4666 4667 link_bss_found = true; 4668 break; 4669 } 4670 4671 if (!link_bss_found || TEST_FAIL()) { 4672 wpa_printf(MSG_DEBUG, 4673 "MLD: No link match for link_id=%u", i); 4674 4675 link->status = WLAN_STATUS_UNSPECIFIED_FAILURE; 4676 if (!offload) 4677 ieee80211_ml_build_assoc_resp(hapd, link); 4678 } else if (tx_link_status != WLAN_STATUS_SUCCESS) { 4679 /* TX link rejected the connection */ 4680 link->status = WLAN_STATUS_DENIED_TX_LINK_NOT_ACCEPTED; 4681 if (!offload) 4682 ieee80211_ml_build_assoc_resp(hapd, link); 4683 } else { 4684 if (ieee80211_ml_process_link(bss, sta, link, 4685 ies, ies_len, reassoc, 4686 offload)) 4687 return -1; 4688 } 4689 } 4690 #endif /* CONFIG_IEEE80211BE */ 4691 4692 return 0; 4693 } 4694 4695 4696 static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 4697 u16 reason_code) 4698 { 4699 int send_len; 4700 struct ieee80211_mgmt reply; 4701 4702 os_memset(&reply, 0, sizeof(reply)); 4703 reply.frame_control = 4704 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 4705 os_memcpy(reply.da, addr, ETH_ALEN); 4706 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 4707 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 4708 4709 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 4710 reply.u.deauth.reason_code = host_to_le16(reason_code); 4711 4712 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0) 4713 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 4714 strerror(errno)); 4715 } 4716 4717 4718 static int add_associated_sta(struct hostapd_data *hapd, 4719 struct sta_info *sta, int reassoc) 4720 { 4721 struct ieee80211_ht_capabilities ht_cap; 4722 struct ieee80211_vht_capabilities vht_cap; 4723 struct ieee80211_he_capabilities he_cap; 4724 struct ieee80211_eht_capabilities eht_cap; 4725 int set = 1; 4726 const u8 *mld_link_addr = NULL; 4727 bool mld_link_sta = false; 4728 4729 #ifdef CONFIG_IEEE80211BE 4730 if (ap_sta_is_mld(hapd, sta)) { 4731 u8 mld_link_id = hapd->mld_link_id; 4732 4733 mld_link_sta = sta->mld_assoc_link_id != mld_link_id; 4734 mld_link_addr = sta->mld_info.links[mld_link_id].peer_addr; 4735 4736 if (hapd->mld_link_id != sta->mld_assoc_link_id) 4737 set = 0; 4738 } 4739 #endif /* CONFIG_IEEE80211BE */ 4740 4741 /* 4742 * Remove the STA entry to ensure the STA PS state gets cleared and 4743 * configuration gets updated. This is relevant for cases, such as 4744 * FT-over-the-DS, where a station re-associates back to the same AP but 4745 * skips the authentication flow, or if working with a driver that 4746 * does not support full AP client state. 4747 * 4748 * Skip this if the STA has already completed FT reassociation and the 4749 * TK has been configured since the TX/RX PN must not be reset to 0 for 4750 * the same key. 4751 * 4752 * FT-over-the-DS has a special case where the STA entry (and as such, 4753 * the TK) has not yet been configured to the driver depending on which 4754 * driver interface is used. For that case, allow add-STA operation to 4755 * be used (instead of set-STA). This is needed to allow mac80211-based 4756 * drivers to accept the STA parameter configuration. Since this is 4757 * after a new FT-over-DS exchange, a new TK has been derived, so key 4758 * reinstallation is not a concern for this case. 4759 */ 4760 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR 4761 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)", 4762 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg, 4763 sta->ft_over_ds, reassoc, 4764 !!(sta->flags & WLAN_STA_AUTHORIZED), 4765 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm), 4766 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)); 4767 4768 if (!mld_link_sta && !sta->added_unassoc && 4769 (!(sta->flags & WLAN_STA_AUTHORIZED) || 4770 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) || 4771 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) && 4772 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) { 4773 hostapd_drv_sta_remove(hapd, sta->addr); 4774 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); 4775 set = 0; 4776 4777 /* Do not allow the FT-over-DS exception to be used more than 4778 * once per authentication exchange to guarantee a new TK is 4779 * used here */ 4780 sta->ft_over_ds = 0; 4781 } 4782 4783 if (sta->flags & WLAN_STA_HT) 4784 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 4785 #ifdef CONFIG_IEEE80211AC 4786 if (sta->flags & WLAN_STA_VHT) 4787 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 4788 #endif /* CONFIG_IEEE80211AC */ 4789 #ifdef CONFIG_IEEE80211AX 4790 if (sta->flags & WLAN_STA_HE) { 4791 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap, 4792 sta->he_capab_len); 4793 } 4794 #endif /* CONFIG_IEEE80211AX */ 4795 #ifdef CONFIG_IEEE80211BE 4796 if (sta->flags & WLAN_STA_EHT) 4797 hostapd_get_eht_capab(hapd, sta->eht_capab, &eht_cap, 4798 sta->eht_capab_len); 4799 #endif /* CONFIG_IEEE80211BE */ 4800 4801 /* 4802 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags 4803 * will be set when the ACK frame for the (Re)Association Response frame 4804 * is processed (TX status driver event). 4805 */ 4806 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 4807 sta->supported_rates, sta->supported_rates_len, 4808 sta->listen_interval, 4809 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 4810 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 4811 sta->flags & WLAN_STA_HE ? &he_cap : NULL, 4812 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0, 4813 sta->flags & WLAN_STA_EHT ? &eht_cap : NULL, 4814 sta->flags & WLAN_STA_EHT ? sta->eht_capab_len : 0, 4815 sta->he_6ghz_capab, 4816 sta->flags | WLAN_STA_ASSOC, sta->qosinfo, 4817 sta->vht_opmode, sta->p2p_ie ? 1 : 0, 4818 set, mld_link_addr, mld_link_sta)) { 4819 hostapd_logger(hapd, sta->addr, 4820 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, 4821 "Could not %s STA to kernel driver", 4822 set ? "set" : "add"); 4823 4824 if (sta->added_unassoc) { 4825 hostapd_drv_sta_remove(hapd, sta->addr); 4826 sta->added_unassoc = 0; 4827 } 4828 4829 return -1; 4830 } 4831 4832 sta->added_unassoc = 0; 4833 4834 return 0; 4835 } 4836 4837 4838 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 4839 const u8 *addr, u16 status_code, int reassoc, 4840 const u8 *ies, size_t ies_len, int rssi, 4841 int omit_rsnxe, bool allow_mld_addr_trans) 4842 { 4843 int send_len; 4844 u8 *buf; 4845 size_t buflen; 4846 struct ieee80211_mgmt *reply; 4847 u8 *p; 4848 u16 res = WLAN_STATUS_SUCCESS; 4849 4850 buflen = sizeof(struct ieee80211_mgmt) + 1024; 4851 #ifdef CONFIG_FILS 4852 if (sta && sta->fils_hlp_resp) 4853 buflen += wpabuf_len(sta->fils_hlp_resp); 4854 if (sta) 4855 buflen += 150; 4856 #endif /* CONFIG_FILS */ 4857 #ifdef CONFIG_OWE 4858 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 4859 buflen += 150; 4860 #endif /* CONFIG_OWE */ 4861 #ifdef CONFIG_DPP2 4862 if (sta && sta->dpp_pfs) 4863 buflen += 5 + sta->dpp_pfs->curve->prime_len; 4864 #endif /* CONFIG_DPP2 */ 4865 #ifdef CONFIG_IEEE80211BE 4866 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) { 4867 buflen += hostapd_eid_eht_capab_len(hapd, IEEE80211_MODE_AP); 4868 buflen += 3 + sizeof(struct ieee80211_eht_operation); 4869 if (hapd->iconf->punct_bitmap) 4870 buflen += EHT_OPER_DISABLED_SUBCHAN_BITMAP_SIZE; 4871 } 4872 #endif /* CONFIG_IEEE80211BE */ 4873 4874 buf = os_zalloc(buflen); 4875 if (!buf) { 4876 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 4877 goto done; 4878 } 4879 reply = (struct ieee80211_mgmt *) buf; 4880 reply->frame_control = 4881 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 4882 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 4883 WLAN_FC_STYPE_ASSOC_RESP)); 4884 4885 os_memcpy(reply->da, addr, ETH_ALEN); 4886 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 4887 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 4888 4889 send_len = IEEE80211_HDRLEN; 4890 send_len += sizeof(reply->u.assoc_resp); 4891 reply->u.assoc_resp.capab_info = 4892 host_to_le16(hostapd_own_capab_info(hapd)); 4893 reply->u.assoc_resp.status_code = host_to_le16(status_code); 4894 4895 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) | 4896 BIT(14) | BIT(15)); 4897 /* Supported rates */ 4898 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 4899 /* Extended supported rates */ 4900 p = hostapd_eid_ext_supp_rates(hapd, p); 4901 4902 /* Radio measurement capabilities */ 4903 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p); 4904 4905 #ifdef CONFIG_MBO 4906 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS && 4907 rssi != 0) { 4908 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi; 4909 4910 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p, 4911 delta); 4912 } 4913 #endif /* CONFIG_MBO */ 4914 4915 #ifdef CONFIG_IEEE80211R_AP 4916 if (sta && status_code == WLAN_STATUS_SUCCESS) { 4917 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 4918 * Transition Information, RSN, [RIC Response] */ 4919 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 4920 buf + buflen - p, 4921 sta->auth_alg, ies, ies_len, 4922 omit_rsnxe); 4923 if (!p) { 4924 wpa_printf(MSG_DEBUG, 4925 "FT: Failed to write AssocResp IEs"); 4926 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 4927 goto done; 4928 } 4929 } 4930 #endif /* CONFIG_IEEE80211R_AP */ 4931 #ifdef CONFIG_FILS 4932 if (sta && status_code == WLAN_STATUS_SUCCESS && 4933 (sta->auth_alg == WLAN_AUTH_FILS_SK || 4934 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4935 sta->auth_alg == WLAN_AUTH_FILS_PK)) 4936 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p, 4937 buf + buflen - p, 4938 ies, ies_len); 4939 #endif /* CONFIG_FILS */ 4940 4941 #ifdef CONFIG_OWE 4942 if (sta && status_code == WLAN_STATUS_SUCCESS && 4943 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 4944 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p, 4945 buf + buflen - p, 4946 ies, ies_len); 4947 #endif /* CONFIG_OWE */ 4948 4949 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 4950 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 4951 4952 p = hostapd_eid_ht_capabilities(hapd, p); 4953 p = hostapd_eid_ht_operation(hapd, p); 4954 4955 #ifdef CONFIG_IEEE80211AC 4956 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac && 4957 !is_6ghz_op_class(hapd->iconf->op_class)) { 4958 u32 nsts = 0, sta_nsts; 4959 4960 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) { 4961 struct ieee80211_vht_capabilities *capa; 4962 4963 nsts = (hapd->iface->conf->vht_capab >> 4964 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 4965 capa = sta->vht_capabilities; 4966 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >> 4967 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 4968 4969 if (nsts < sta_nsts) 4970 nsts = 0; 4971 else 4972 nsts = sta_nsts; 4973 } 4974 p = hostapd_eid_vht_capabilities(hapd, p, nsts); 4975 p = hostapd_eid_vht_operation(hapd, p); 4976 } 4977 #endif /* CONFIG_IEEE80211AC */ 4978 4979 #ifdef CONFIG_IEEE80211AX 4980 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) { 4981 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP); 4982 p = hostapd_eid_he_operation(hapd, p); 4983 p = hostapd_eid_cca(hapd, p); 4984 p = hostapd_eid_spatial_reuse(hapd, p); 4985 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p); 4986 p = hostapd_eid_he_6ghz_band_cap(hapd, p); 4987 } 4988 #endif /* CONFIG_IEEE80211AX */ 4989 4990 p = hostapd_eid_ext_capab(hapd, p, false); 4991 p = hostapd_eid_bss_max_idle_period(hapd, p, sta->max_idle_period); 4992 if (sta && sta->qos_map_enabled) 4993 p = hostapd_eid_qos_map_set(hapd, p); 4994 4995 #ifdef CONFIG_FST 4996 if (hapd->iface->fst_ies) { 4997 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies), 4998 wpabuf_len(hapd->iface->fst_ies)); 4999 p += wpabuf_len(hapd->iface->fst_ies); 5000 } 5001 #endif /* CONFIG_FST */ 5002 5003 #ifdef CONFIG_TESTING_OPTIONS 5004 if (hapd->conf->rsnxe_override_ft && 5005 buf + buflen - p >= 5006 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) && 5007 sta && sta->auth_alg == WLAN_AUTH_FT) { 5008 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override"); 5009 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft), 5010 wpabuf_len(hapd->conf->rsnxe_override_ft)); 5011 p += wpabuf_len(hapd->conf->rsnxe_override_ft); 5012 goto rsnxe_done; 5013 } 5014 #endif /* CONFIG_TESTING_OPTIONS */ 5015 if (!omit_rsnxe) 5016 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p); 5017 #ifdef CONFIG_TESTING_OPTIONS 5018 rsnxe_done: 5019 #endif /* CONFIG_TESTING_OPTIONS */ 5020 5021 #ifdef CONFIG_IEEE80211BE 5022 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) { 5023 if (hapd->conf->mld_ap) 5024 p = hostapd_eid_eht_ml_assoc(hapd, sta, p); 5025 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP); 5026 p = hostapd_eid_eht_operation(hapd, p); 5027 } 5028 #endif /* CONFIG_IEEE80211BE */ 5029 5030 #ifdef CONFIG_OWE 5031 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 5032 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS && 5033 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE && 5034 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 5035 struct wpabuf *pub; 5036 5037 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 5038 if (!pub) { 5039 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 5040 goto done; 5041 } 5042 /* OWE Diffie-Hellman Parameter element */ 5043 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 5044 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */ 5045 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */ 5046 WPA_PUT_LE16(p, sta->owe_group); 5047 p += 2; 5048 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub)); 5049 p += wpabuf_len(pub); 5050 wpabuf_free(pub); 5051 } 5052 #endif /* CONFIG_OWE */ 5053 5054 #ifdef CONFIG_DPP2 5055 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 5056 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS && 5057 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) { 5058 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie), 5059 wpabuf_len(sta->dpp_pfs->ie)); 5060 p += wpabuf_len(sta->dpp_pfs->ie); 5061 } 5062 #endif /* CONFIG_DPP2 */ 5063 5064 #ifdef CONFIG_IEEE80211AC 5065 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 5066 p = hostapd_eid_vendor_vht(hapd, p); 5067 #endif /* CONFIG_IEEE80211AC */ 5068 5069 if (sta && (sta->flags & WLAN_STA_WMM)) 5070 p = hostapd_eid_wmm(hapd, p); 5071 5072 #ifdef CONFIG_WPS 5073 if (sta && 5074 ((sta->flags & WLAN_STA_WPS) || 5075 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) { 5076 struct wpabuf *wps = wps_build_assoc_resp_ie(); 5077 if (wps) { 5078 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 5079 p += wpabuf_len(wps); 5080 wpabuf_free(wps); 5081 } 5082 } 5083 #endif /* CONFIG_WPS */ 5084 5085 if (sta && (sta->flags & WLAN_STA_MULTI_AP)) 5086 p = hostapd_eid_multi_ap(hapd, p, buf + buflen - p); 5087 5088 #ifdef CONFIG_P2P 5089 if (sta && sta->p2p_ie && hapd->p2p_group) { 5090 struct wpabuf *p2p_resp_ie; 5091 enum p2p_status_code status; 5092 switch (status_code) { 5093 case WLAN_STATUS_SUCCESS: 5094 status = P2P_SC_SUCCESS; 5095 break; 5096 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 5097 status = P2P_SC_FAIL_LIMIT_REACHED; 5098 break; 5099 default: 5100 status = P2P_SC_FAIL_INVALID_PARAMS; 5101 break; 5102 } 5103 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 5104 if (p2p_resp_ie) { 5105 os_memcpy(p, wpabuf_head(p2p_resp_ie), 5106 wpabuf_len(p2p_resp_ie)); 5107 p += wpabuf_len(p2p_resp_ie); 5108 wpabuf_free(p2p_resp_ie); 5109 } 5110 } 5111 #endif /* CONFIG_P2P */ 5112 5113 #ifdef CONFIG_P2P_MANAGER 5114 if (hapd->conf->p2p & P2P_MANAGE) 5115 p = hostapd_eid_p2p_manage(hapd, p); 5116 #endif /* CONFIG_P2P_MANAGER */ 5117 5118 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 5119 5120 if (hapd->conf->assocresp_elements && 5121 (size_t) (buf + buflen - p) >= 5122 wpabuf_len(hapd->conf->assocresp_elements)) { 5123 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 5124 wpabuf_len(hapd->conf->assocresp_elements)); 5125 p += wpabuf_len(hapd->conf->assocresp_elements); 5126 } 5127 5128 send_len += p - reply->u.assoc_resp.variable; 5129 5130 #ifdef CONFIG_FILS 5131 if (sta && 5132 (sta->auth_alg == WLAN_AUTH_FILS_SK || 5133 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 5134 sta->auth_alg == WLAN_AUTH_FILS_PK) && 5135 status_code == WLAN_STATUS_SUCCESS) { 5136 struct ieee802_11_elems elems; 5137 5138 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == 5139 ParseFailed || !elems.fils_session) { 5140 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 5141 goto done; 5142 } 5143 5144 /* FILS Session */ 5145 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 5146 *p++ = 1 + FILS_SESSION_LEN; /* Length */ 5147 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 5148 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN); 5149 send_len += 2 + 1 + FILS_SESSION_LEN; 5150 5151 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len, 5152 buflen, sta->fils_hlp_resp); 5153 if (send_len < 0) { 5154 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 5155 goto done; 5156 } 5157 } 5158 #endif /* CONFIG_FILS */ 5159 5160 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) { 5161 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 5162 strerror(errno)); 5163 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 5164 } 5165 5166 done: 5167 os_free(buf); 5168 return res; 5169 } 5170 5171 5172 #ifdef CONFIG_OWE 5173 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta, 5174 const u8 *owe_dh, u8 owe_dh_len, 5175 u8 *owe_buf, size_t owe_buf_len, u16 *status) 5176 { 5177 #ifdef CONFIG_TESTING_OPTIONS 5178 if (hapd->conf->own_ie_override) { 5179 wpa_printf(MSG_DEBUG, "OWE: Using IE override"); 5180 *status = WLAN_STATUS_SUCCESS; 5181 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 5182 owe_buf_len, NULL, 0); 5183 } 5184 #endif /* CONFIG_TESTING_OPTIONS */ 5185 5186 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 5187 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 5188 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 5189 owe_buf_len, NULL, 0); 5190 *status = WLAN_STATUS_SUCCESS; 5191 return owe_buf; 5192 } 5193 5194 if (sta->owe_pmk && sta->external_dh_updated) { 5195 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK"); 5196 *status = WLAN_STATUS_SUCCESS; 5197 return owe_buf; 5198 } 5199 5200 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len); 5201 if (*status != WLAN_STATUS_SUCCESS) 5202 return NULL; 5203 5204 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 5205 owe_buf_len, NULL, 0); 5206 5207 if (sta->owe_ecdh && owe_buf) { 5208 struct wpabuf *pub; 5209 5210 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 5211 if (!pub) { 5212 *status = WLAN_STATUS_UNSPECIFIED_FAILURE; 5213 return owe_buf; 5214 } 5215 5216 /* OWE Diffie-Hellman Parameter element */ 5217 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */ 5218 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */ 5219 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension 5220 */ 5221 WPA_PUT_LE16(owe_buf, sta->owe_group); 5222 owe_buf += 2; 5223 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub)); 5224 owe_buf += wpabuf_len(pub); 5225 wpabuf_free(pub); 5226 } 5227 5228 return owe_buf; 5229 } 5230 #endif /* CONFIG_OWE */ 5231 5232 5233 #ifdef CONFIG_FILS 5234 5235 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta) 5236 { 5237 u16 reply_res; 5238 5239 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR, 5240 MAC2STR(sta->addr)); 5241 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 5242 if (!sta->fils_pending_assoc_req) 5243 return; 5244 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS, 5245 sta->fils_pending_assoc_is_reassoc, 5246 sta->fils_pending_assoc_req, 5247 sta->fils_pending_assoc_req_len, 0, 0, 5248 true); 5249 os_free(sta->fils_pending_assoc_req); 5250 sta->fils_pending_assoc_req = NULL; 5251 sta->fils_pending_assoc_req_len = 0; 5252 wpabuf_free(sta->fils_hlp_resp); 5253 sta->fils_hlp_resp = NULL; 5254 wpabuf_free(sta->hlp_dhcp_discover); 5255 sta->hlp_dhcp_discover = NULL; 5256 5257 /* 5258 * Remove the station in case transmission of a success response fails. 5259 * At this point the station was already added associated to the driver. 5260 */ 5261 if (reply_res != WLAN_STATUS_SUCCESS) 5262 hostapd_drv_sta_remove(hapd, sta->addr); 5263 } 5264 5265 5266 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data) 5267 { 5268 struct hostapd_data *hapd = eloop_ctx; 5269 struct sta_info *sta = eloop_data; 5270 5271 wpa_printf(MSG_DEBUG, 5272 "FILS: HLP response timeout - continue with association response for " 5273 MACSTR, MAC2STR(sta->addr)); 5274 if (sta->fils_drv_assoc_finish) 5275 hostapd_notify_assoc_fils_finish(hapd, sta); 5276 else 5277 fils_hlp_finish_assoc(hapd, sta); 5278 } 5279 5280 #endif /* CONFIG_FILS */ 5281 5282 5283 #ifdef CONFIG_IEEE80211BE 5284 static struct sta_info * handle_mlo_translate(struct hostapd_data *hapd, 5285 const struct ieee80211_mgmt *mgmt, 5286 size_t len, bool reassoc, 5287 struct hostapd_data **assoc_hapd) 5288 { 5289 struct sta_info *sta; 5290 struct ieee802_11_elems elems; 5291 u8 mld_addr[ETH_ALEN]; 5292 const u8 *pos; 5293 5294 if (!hapd->iconf->ieee80211be || hapd->conf->disable_11be) 5295 return NULL; 5296 5297 if (reassoc) { 5298 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req); 5299 pos = mgmt->u.reassoc_req.variable; 5300 } else { 5301 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req); 5302 pos = mgmt->u.assoc_req.variable; 5303 } 5304 5305 if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed) 5306 return NULL; 5307 5308 if (hostapd_process_ml_assoc_req_addr(hapd, elems.basic_mle, 5309 elems.basic_mle_len, 5310 mld_addr)) 5311 return NULL; 5312 5313 sta = ap_get_sta(hapd, mld_addr); 5314 if (!sta) 5315 return NULL; 5316 5317 wpa_printf(MSG_DEBUG, "MLD: assoc: mld=" MACSTR ", link=" MACSTR, 5318 MAC2STR(mld_addr), MAC2STR(mgmt->sa)); 5319 5320 return hostapd_ml_get_assoc_sta(hapd, sta, assoc_hapd); 5321 } 5322 #endif /* CONFIG_IEEE80211BE */ 5323 5324 5325 static void handle_assoc(struct hostapd_data *hapd, 5326 const struct ieee80211_mgmt *mgmt, size_t len, 5327 int reassoc, int rssi) 5328 { 5329 u16 capab_info, listen_interval, seq_ctrl, fc; 5330 int resp = WLAN_STATUS_SUCCESS; 5331 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 5332 const u8 *pos; 5333 int left, i; 5334 struct sta_info *sta; 5335 u8 *tmp = NULL; 5336 #ifdef CONFIG_FILS 5337 int delay_assoc = 0; 5338 #endif /* CONFIG_FILS */ 5339 int omit_rsnxe = 0; 5340 bool set_beacon = false; 5341 bool mld_addrs_not_translated = false; 5342 5343 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 5344 sizeof(mgmt->u.assoc_req))) { 5345 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 5346 reassoc, (unsigned long) len); 5347 return; 5348 } 5349 5350 #ifdef CONFIG_TESTING_OPTIONS 5351 if (reassoc) { 5352 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 5353 drand48() < hapd->iconf->ignore_reassoc_probability) { 5354 wpa_printf(MSG_INFO, 5355 "TESTING: ignoring reassoc request from " 5356 MACSTR, MAC2STR(mgmt->sa)); 5357 return; 5358 } 5359 } else { 5360 if (hapd->iconf->ignore_assoc_probability > 0.0 && 5361 drand48() < hapd->iconf->ignore_assoc_probability) { 5362 wpa_printf(MSG_INFO, 5363 "TESTING: ignoring assoc request from " 5364 MACSTR, MAC2STR(mgmt->sa)); 5365 return; 5366 } 5367 } 5368 #endif /* CONFIG_TESTING_OPTIONS */ 5369 5370 fc = le_to_host16(mgmt->frame_control); 5371 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 5372 5373 if (reassoc) { 5374 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 5375 listen_interval = le_to_host16( 5376 mgmt->u.reassoc_req.listen_interval); 5377 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 5378 " capab_info=0x%02x listen_interval=%d current_ap=" 5379 MACSTR " seq_ctrl=0x%x%s", 5380 MAC2STR(mgmt->sa), capab_info, listen_interval, 5381 MAC2STR(mgmt->u.reassoc_req.current_ap), 5382 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 5383 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 5384 pos = mgmt->u.reassoc_req.variable; 5385 } else { 5386 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 5387 listen_interval = le_to_host16( 5388 mgmt->u.assoc_req.listen_interval); 5389 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 5390 " capab_info=0x%02x listen_interval=%d " 5391 "seq_ctrl=0x%x%s", 5392 MAC2STR(mgmt->sa), capab_info, listen_interval, 5393 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 5394 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 5395 pos = mgmt->u.assoc_req.variable; 5396 } 5397 5398 sta = ap_get_sta(hapd, mgmt->sa); 5399 5400 #ifdef CONFIG_IEEE80211BE 5401 /* 5402 * It is possible that the association frame is from an associated 5403 * non-AP MLD station, that tries to re-associate using different link 5404 * addresses. In such a case, try to find the station based on the AP 5405 * MLD MAC address. 5406 */ 5407 if (!sta) { 5408 struct hostapd_data *assoc_hapd; 5409 5410 sta = handle_mlo_translate(hapd, mgmt, len, reassoc, 5411 &assoc_hapd); 5412 if (sta) { 5413 wpa_printf(MSG_DEBUG, 5414 "MLD: Switching to assoc hapd/station"); 5415 hapd = assoc_hapd; 5416 mld_addrs_not_translated = true; 5417 } 5418 } 5419 #endif /* CONFIG_IEEE80211BE */ 5420 5421 #ifdef CONFIG_IEEE80211R_AP 5422 if (sta && sta->auth_alg == WLAN_AUTH_FT && 5423 (sta->flags & WLAN_STA_AUTH) == 0) { 5424 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 5425 "prior to authentication since it is using " 5426 "over-the-DS FT", MAC2STR(mgmt->sa)); 5427 5428 /* 5429 * Mark station as authenticated, to avoid adding station 5430 * entry in the driver as associated and not authenticated 5431 */ 5432 sta->flags |= WLAN_STA_AUTH; 5433 } else 5434 #endif /* CONFIG_IEEE80211R_AP */ 5435 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 5436 if (hapd->iface->current_mode && 5437 hapd->iface->current_mode->mode == 5438 HOSTAPD_MODE_IEEE80211AD) { 5439 int acl_res; 5440 struct radius_sta info; 5441 5442 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa, 5443 (const u8 *) mgmt, 5444 len, &info); 5445 if (acl_res == HOSTAPD_ACL_REJECT) { 5446 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 5447 "Ignore Association Request frame from " 5448 MACSTR " due to ACL reject", 5449 MAC2STR(mgmt->sa)); 5450 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 5451 goto fail; 5452 } 5453 if (acl_res == HOSTAPD_ACL_PENDING) 5454 return; 5455 5456 /* DMG/IEEE 802.11ad does not use authentication. 5457 * Allocate sta entry upon association. */ 5458 sta = ap_sta_add(hapd, mgmt->sa); 5459 if (!sta) { 5460 hostapd_logger(hapd, mgmt->sa, 5461 HOSTAPD_MODULE_IEEE80211, 5462 HOSTAPD_LEVEL_INFO, 5463 "Failed to add STA"); 5464 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 5465 goto fail; 5466 } 5467 5468 acl_res = ieee802_11_set_radius_info( 5469 hapd, sta, acl_res, &info); 5470 if (acl_res) { 5471 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 5472 goto fail; 5473 } 5474 5475 hostapd_logger(hapd, sta->addr, 5476 HOSTAPD_MODULE_IEEE80211, 5477 HOSTAPD_LEVEL_DEBUG, 5478 "Skip authentication for DMG/IEEE 802.11ad"); 5479 sta->flags |= WLAN_STA_AUTH; 5480 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 5481 sta->auth_alg = WLAN_AUTH_OPEN; 5482 } else { 5483 hostapd_logger(hapd, mgmt->sa, 5484 HOSTAPD_MODULE_IEEE80211, 5485 HOSTAPD_LEVEL_INFO, 5486 "Station tried to associate before authentication (aid=%d flags=0x%x)", 5487 sta ? sta->aid : -1, 5488 sta ? sta->flags : 0); 5489 send_deauth(hapd, mgmt->sa, 5490 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 5491 return; 5492 } 5493 } 5494 5495 if ((fc & WLAN_FC_RETRY) && 5496 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 5497 sta->last_seq_ctrl == seq_ctrl && 5498 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 5499 WLAN_FC_STYPE_ASSOC_REQ)) { 5500 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 5501 HOSTAPD_LEVEL_DEBUG, 5502 "Drop repeated association frame seq_ctrl=0x%x", 5503 seq_ctrl); 5504 return; 5505 } 5506 sta->last_seq_ctrl = seq_ctrl; 5507 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 5508 WLAN_FC_STYPE_ASSOC_REQ; 5509 5510 if (hapd->tkip_countermeasures) { 5511 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 5512 goto fail; 5513 } 5514 5515 if (listen_interval > hapd->conf->max_listen_interval) { 5516 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 5517 HOSTAPD_LEVEL_DEBUG, 5518 "Too large Listen Interval (%d)", 5519 listen_interval); 5520 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 5521 goto fail; 5522 } 5523 5524 #ifdef CONFIG_MBO 5525 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) { 5526 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 5527 goto fail; 5528 } 5529 5530 if (hapd->iconf->rssi_reject_assoc_rssi && rssi && 5531 rssi < hapd->iconf->rssi_reject_assoc_rssi && 5532 (sta->auth_rssi == 0 || 5533 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) { 5534 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS; 5535 goto fail; 5536 } 5537 #endif /* CONFIG_MBO */ 5538 5539 if (hapd->conf->wpa && check_sa_query(hapd, sta, reassoc)) { 5540 resp = WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 5541 goto fail; 5542 } 5543 5544 /* 5545 * sta->capability is used in check_assoc_ies() for RRM enabled 5546 * capability element. 5547 */ 5548 sta->capability = capab_info; 5549 5550 #ifdef CONFIG_FILS 5551 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 5552 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 5553 sta->auth_alg == WLAN_AUTH_FILS_PK) { 5554 int res; 5555 5556 /* The end of the payload is encrypted. Need to decrypt it 5557 * before parsing. */ 5558 5559 tmp = os_memdup(pos, left); 5560 if (!tmp) { 5561 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 5562 goto fail; 5563 } 5564 5565 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt, 5566 len, tmp, left); 5567 if (res < 0) { 5568 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 5569 goto fail; 5570 } 5571 pos = tmp; 5572 left = res; 5573 } 5574 #endif /* CONFIG_FILS */ 5575 5576 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 5577 * is used */ 5578 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 5579 if (resp != WLAN_STATUS_SUCCESS) 5580 goto fail; 5581 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX); 5582 5583 if (hostapd_get_aid(hapd, sta) < 0) { 5584 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 5585 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 5586 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 5587 goto fail; 5588 } 5589 5590 sta->listen_interval = listen_interval; 5591 5592 if (hapd->iface->current_mode && 5593 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 5594 sta->flags |= WLAN_STA_NONERP; 5595 for (i = 0; i < sta->supported_rates_len; i++) { 5596 if ((sta->supported_rates[i] & 0x7f) > 22) { 5597 sta->flags &= ~WLAN_STA_NONERP; 5598 break; 5599 } 5600 } 5601 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 5602 sta->nonerp_set = 1; 5603 hapd->iface->num_sta_non_erp++; 5604 if (hapd->iface->num_sta_non_erp == 1) 5605 set_beacon = true; 5606 } 5607 5608 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 5609 !sta->no_short_slot_time_set) { 5610 sta->no_short_slot_time_set = 1; 5611 hapd->iface->num_sta_no_short_slot_time++; 5612 if (hapd->iface->current_mode && 5613 hapd->iface->current_mode->mode == 5614 HOSTAPD_MODE_IEEE80211G && 5615 hapd->iface->num_sta_no_short_slot_time == 1) 5616 set_beacon = true; 5617 } 5618 5619 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 5620 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 5621 else 5622 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 5623 5624 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 5625 !sta->no_short_preamble_set) { 5626 sta->no_short_preamble_set = 1; 5627 hapd->iface->num_sta_no_short_preamble++; 5628 if (hapd->iface->current_mode && 5629 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 5630 && hapd->iface->num_sta_no_short_preamble == 1) 5631 set_beacon = true; 5632 } 5633 5634 if (update_ht_state(hapd, sta) > 0) 5635 set_beacon = true; 5636 5637 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 5638 HOSTAPD_LEVEL_DEBUG, 5639 "association OK (aid %d)", sta->aid); 5640 /* Station will be marked associated, after it acknowledges AssocResp 5641 */ 5642 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 5643 5644 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 5645 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 5646 "SA Query procedure", reassoc ? "re" : ""); 5647 /* TODO: Send a protected Disassociate frame to the STA using 5648 * the old key and Reason Code "Previous Authentication no 5649 * longer valid". Make sure this is only sent protected since 5650 * unprotected frame would be received by the STA that is now 5651 * trying to associate. 5652 */ 5653 } 5654 5655 /* Make sure that the previously registered inactivity timer will not 5656 * remove the STA immediately. */ 5657 sta->timeout_next = STA_NULLFUNC; 5658 5659 #ifdef CONFIG_TAXONOMY 5660 taxonomy_sta_info_assoc_req(hapd, sta, pos, left); 5661 #endif /* CONFIG_TAXONOMY */ 5662 5663 sta->pending_wds_enable = 0; 5664 5665 #ifdef CONFIG_FILS 5666 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 5667 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 5668 sta->auth_alg == WLAN_AUTH_FILS_PK) { 5669 if (fils_process_hlp(hapd, sta, pos, left) > 0) 5670 delay_assoc = 1; 5671 } 5672 #endif /* CONFIG_FILS */ 5673 5674 if (set_beacon) 5675 ieee802_11_update_beacons(hapd->iface); 5676 5677 fail: 5678 5679 /* 5680 * In case of a successful response, add the station to the driver. 5681 * Otherwise, the kernel may ignore Data frames before we process the 5682 * ACK frame (TX status). In case of a failure, this station will be 5683 * removed. 5684 * 5685 * Note that this is not compliant with the IEEE 802.11 standard that 5686 * states that a non-AP station should transition into the 5687 * authenticated/associated state only after the station acknowledges 5688 * the (Re)Association Response frame. However, still do this as: 5689 * 5690 * 1. In case the station does not acknowledge the (Re)Association 5691 * Response frame, it will be removed. 5692 * 2. Data frames will be dropped in the kernel until the station is 5693 * set into authorized state, and there are no significant known 5694 * issues with processing other non-Data Class 3 frames during this 5695 * window. 5696 */ 5697 if (sta) 5698 hostapd_process_assoc_ml_info(hapd, sta, pos, left, reassoc, 5699 resp, false); 5700 5701 if (resp == WLAN_STATUS_SUCCESS && sta && 5702 add_associated_sta(hapd, sta, reassoc)) 5703 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 5704 5705 #ifdef CONFIG_FILS 5706 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS && 5707 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) && 5708 sta->fils_pending_assoc_req) { 5709 /* Do not reschedule fils_hlp_timeout in case the station 5710 * retransmits (Re)Association Request frame while waiting for 5711 * the previously started FILS HLP wait, so that the timeout can 5712 * be determined from the first pending attempt. */ 5713 wpa_printf(MSG_DEBUG, 5714 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to " 5715 MACSTR, MAC2STR(sta->addr)); 5716 os_free(tmp); 5717 return; 5718 } 5719 if (sta) { 5720 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 5721 os_free(sta->fils_pending_assoc_req); 5722 sta->fils_pending_assoc_req = NULL; 5723 sta->fils_pending_assoc_req_len = 0; 5724 wpabuf_free(sta->fils_hlp_resp); 5725 sta->fils_hlp_resp = NULL; 5726 } 5727 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) { 5728 sta->fils_pending_assoc_req = tmp; 5729 sta->fils_pending_assoc_req_len = left; 5730 sta->fils_pending_assoc_is_reassoc = reassoc; 5731 sta->fils_drv_assoc_finish = 0; 5732 wpa_printf(MSG_DEBUG, 5733 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to " 5734 MACSTR, MAC2STR(sta->addr)); 5735 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 5736 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024, 5737 fils_hlp_timeout, hapd, sta); 5738 return; 5739 } 5740 #endif /* CONFIG_FILS */ 5741 5742 if (resp >= 0) 5743 reply_res = send_assoc_resp(hapd, 5744 mld_addrs_not_translated ? 5745 NULL : sta, 5746 mgmt->sa, resp, reassoc, 5747 pos, left, rssi, omit_rsnxe, 5748 !mld_addrs_not_translated); 5749 os_free(tmp); 5750 5751 /* 5752 * Remove the station in case transmission of a success response fails 5753 * (the STA was added associated to the driver) or if the station was 5754 * previously added unassociated. 5755 */ 5756 if (sta && ((reply_res != WLAN_STATUS_SUCCESS && 5757 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) { 5758 hostapd_drv_sta_remove(hapd, sta->addr); 5759 sta->added_unassoc = 0; 5760 } 5761 } 5762 5763 5764 static void hostapd_deauth_sta(struct hostapd_data *hapd, 5765 struct sta_info *sta, 5766 const struct ieee80211_mgmt *mgmt) 5767 { 5768 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 5769 "deauthentication: STA=" MACSTR " reason_code=%d", 5770 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 5771 5772 ap_sta_set_authorized(hapd, sta, 0); 5773 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 5774 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 5775 WLAN_STA_ASSOC_REQ_OK); 5776 hostapd_set_sta_flags(hapd, sta); 5777 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 5778 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 5779 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 5780 mlme_deauthenticate_indication( 5781 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 5782 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 5783 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 5784 ap_free_sta(hapd, sta); 5785 } 5786 5787 5788 static void hostapd_disassoc_sta(struct hostapd_data *hapd, 5789 struct sta_info *sta, 5790 const struct ieee80211_mgmt *mgmt) 5791 { 5792 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 5793 "disassocation: STA=" MACSTR " reason_code=%d", 5794 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.disassoc.reason_code)); 5795 5796 ap_sta_set_authorized(hapd, sta, 0); 5797 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 5798 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 5799 hostapd_set_sta_flags(hapd, sta); 5800 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 5801 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 5802 HOSTAPD_LEVEL_INFO, "disassociated"); 5803 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 5804 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 5805 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 5806 * authenticated. */ 5807 accounting_sta_stop(hapd, sta); 5808 ieee802_1x_free_station(hapd, sta); 5809 if (sta->ipaddr) 5810 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 5811 ap_sta_ip6addr_del(hapd, sta); 5812 hostapd_drv_sta_remove(hapd, sta->addr); 5813 sta->added_unassoc = 0; 5814 5815 if (sta->timeout_next == STA_NULLFUNC || 5816 sta->timeout_next == STA_DISASSOC) { 5817 sta->timeout_next = STA_DEAUTH; 5818 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 5819 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 5820 hapd, sta); 5821 } 5822 5823 mlme_disassociate_indication( 5824 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 5825 5826 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon 5827 * disassociation. */ 5828 if (hapd->iface->current_mode && 5829 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) { 5830 sta->flags &= ~WLAN_STA_AUTH; 5831 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 5832 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 5833 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 5834 ap_free_sta(hapd, sta); 5835 } 5836 } 5837 5838 5839 static bool hostapd_ml_handle_disconnect(struct hostapd_data *hapd, 5840 struct sta_info *sta, 5841 const struct ieee80211_mgmt *mgmt, 5842 bool disassoc) 5843 { 5844 #ifdef CONFIG_IEEE80211BE 5845 struct hostapd_data *assoc_hapd, *tmp_hapd; 5846 struct sta_info *assoc_sta; 5847 struct sta_info *tmp_sta; 5848 5849 if (!hostapd_is_mld_ap(hapd)) 5850 return false; 5851 5852 /* 5853 * Get the station on which the association was performed, as it holds 5854 * the information about all the other links. 5855 */ 5856 assoc_sta = hostapd_ml_get_assoc_sta(hapd, sta, &assoc_hapd); 5857 if (!assoc_sta) 5858 return false; 5859 5860 for_each_mld_link(tmp_hapd, assoc_hapd) { 5861 if (tmp_hapd == assoc_hapd) 5862 continue; 5863 5864 if (!assoc_sta->mld_info.links[tmp_hapd->mld_link_id].valid) 5865 continue; 5866 5867 for (tmp_sta = tmp_hapd->sta_list; tmp_sta; 5868 tmp_sta = tmp_sta->next) { 5869 if (tmp_sta->mld_assoc_link_id != 5870 assoc_sta->mld_assoc_link_id || 5871 tmp_sta->aid != assoc_sta->aid) 5872 continue; 5873 5874 if (!disassoc) 5875 hostapd_deauth_sta(tmp_hapd, tmp_sta, mgmt); 5876 else 5877 hostapd_disassoc_sta(tmp_hapd, tmp_sta, mgmt); 5878 break; 5879 } 5880 } 5881 5882 /* Remove the station on which the association was performed. */ 5883 if (!disassoc) 5884 hostapd_deauth_sta(assoc_hapd, assoc_sta, mgmt); 5885 else 5886 hostapd_disassoc_sta(assoc_hapd, assoc_sta, mgmt); 5887 5888 return true; 5889 #else /* CONFIG_IEEE80211BE */ 5890 return false; 5891 #endif /* CONFIG_IEEE80211BE */ 5892 } 5893 5894 5895 static void handle_disassoc(struct hostapd_data *hapd, 5896 const struct ieee80211_mgmt *mgmt, size_t len) 5897 { 5898 struct sta_info *sta; 5899 5900 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 5901 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 5902 "handle_disassoc - too short payload (len=%lu)", 5903 (unsigned long) len); 5904 return; 5905 } 5906 5907 sta = ap_get_sta(hapd, mgmt->sa); 5908 if (!sta) { 5909 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR 5910 " trying to disassociate, but it is not associated", 5911 MAC2STR(mgmt->sa)); 5912 return; 5913 } 5914 5915 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, true)) 5916 return; 5917 5918 hostapd_disassoc_sta(hapd, sta, mgmt); 5919 } 5920 5921 5922 static void handle_deauth(struct hostapd_data *hapd, 5923 const struct ieee80211_mgmt *mgmt, size_t len) 5924 { 5925 struct sta_info *sta; 5926 5927 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 5928 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 5929 "handle_deauth - too short payload (len=%lu)", 5930 (unsigned long) len); 5931 return; 5932 } 5933 5934 /* Clear the PTKSA cache entries for PASN */ 5935 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE); 5936 5937 sta = ap_get_sta(hapd, mgmt->sa); 5938 if (!sta) { 5939 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR 5940 " trying to deauthenticate, but it is not authenticated", 5941 MAC2STR(mgmt->sa)); 5942 return; 5943 } 5944 5945 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, false)) 5946 return; 5947 5948 hostapd_deauth_sta(hapd, sta, mgmt); 5949 } 5950 5951 5952 static void handle_beacon(struct hostapd_data *hapd, 5953 const struct ieee80211_mgmt *mgmt, size_t len, 5954 struct hostapd_frame_info *fi) 5955 { 5956 struct ieee802_11_elems elems; 5957 5958 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 5959 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 5960 (unsigned long) len); 5961 return; 5962 } 5963 5964 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 5965 len - (IEEE80211_HDRLEN + 5966 sizeof(mgmt->u.beacon)), &elems, 5967 0); 5968 5969 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 5970 } 5971 5972 5973 static int robust_action_frame(u8 category) 5974 { 5975 return category != WLAN_ACTION_PUBLIC && 5976 category != WLAN_ACTION_HT; 5977 } 5978 5979 5980 static int handle_action(struct hostapd_data *hapd, 5981 const struct ieee80211_mgmt *mgmt, size_t len, 5982 unsigned int freq) 5983 { 5984 struct sta_info *sta; 5985 u8 *action __maybe_unused; 5986 5987 if (len < IEEE80211_HDRLEN + 2 + 1) { 5988 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 5989 HOSTAPD_LEVEL_DEBUG, 5990 "handle_action - too short payload (len=%lu)", 5991 (unsigned long) len); 5992 return 0; 5993 } 5994 5995 action = (u8 *) &mgmt->u.action.u; 5996 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR 5997 " da " MACSTR " len %d freq %u", 5998 mgmt->u.action.category, *action, 5999 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq); 6000 6001 sta = ap_get_sta(hapd, mgmt->sa); 6002 6003 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 6004 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 6005 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 6006 "frame (category=%u) from unassociated STA " MACSTR, 6007 mgmt->u.action.category, MAC2STR(mgmt->sa)); 6008 return 0; 6009 } 6010 6011 if (sta && (sta->flags & WLAN_STA_MFP) && 6012 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 6013 robust_action_frame(mgmt->u.action.category)) { 6014 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 6015 HOSTAPD_LEVEL_DEBUG, 6016 "Dropped unprotected Robust Action frame from " 6017 "an MFP STA"); 6018 return 0; 6019 } 6020 6021 if (sta) { 6022 u16 fc = le_to_host16(mgmt->frame_control); 6023 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 6024 6025 if ((fc & WLAN_FC_RETRY) && 6026 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 6027 sta->last_seq_ctrl == seq_ctrl && 6028 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 6029 hostapd_logger(hapd, sta->addr, 6030 HOSTAPD_MODULE_IEEE80211, 6031 HOSTAPD_LEVEL_DEBUG, 6032 "Drop repeated action frame seq_ctrl=0x%x", 6033 seq_ctrl); 6034 return 1; 6035 } 6036 6037 sta->last_seq_ctrl = seq_ctrl; 6038 sta->last_subtype = WLAN_FC_STYPE_ACTION; 6039 } 6040 6041 switch (mgmt->u.action.category) { 6042 #ifdef CONFIG_IEEE80211R_AP 6043 case WLAN_ACTION_FT: 6044 if (!sta || 6045 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 6046 len - IEEE80211_HDRLEN)) 6047 break; 6048 return 1; 6049 #endif /* CONFIG_IEEE80211R_AP */ 6050 case WLAN_ACTION_WMM: 6051 hostapd_wmm_action(hapd, mgmt, len); 6052 return 1; 6053 case WLAN_ACTION_SA_QUERY: 6054 ieee802_11_sa_query_action(hapd, mgmt, len); 6055 return 1; 6056 #ifdef CONFIG_WNM_AP 6057 case WLAN_ACTION_WNM: 6058 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 6059 return 1; 6060 #endif /* CONFIG_WNM_AP */ 6061 #ifdef CONFIG_FST 6062 case WLAN_ACTION_FST: 6063 if (hapd->iface->fst) 6064 fst_rx_action(hapd->iface->fst, mgmt, len); 6065 else 6066 wpa_printf(MSG_DEBUG, 6067 "FST: Ignore FST Action frame - no FST attached"); 6068 return 1; 6069 #endif /* CONFIG_FST */ 6070 case WLAN_ACTION_PUBLIC: 6071 case WLAN_ACTION_PROTECTED_DUAL: 6072 if (len >= IEEE80211_HDRLEN + 2 && 6073 mgmt->u.action.u.public_action.action == 6074 WLAN_PA_20_40_BSS_COEX) { 6075 hostapd_2040_coex_action(hapd, mgmt, len); 6076 return 1; 6077 } 6078 #ifdef CONFIG_DPP 6079 if (len >= IEEE80211_HDRLEN + 6 && 6080 mgmt->u.action.u.vs_public_action.action == 6081 WLAN_PA_VENDOR_SPECIFIC && 6082 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 6083 OUI_WFA && 6084 mgmt->u.action.u.vs_public_action.variable[0] == 6085 DPP_OUI_TYPE) { 6086 const u8 *pos, *end; 6087 6088 pos = mgmt->u.action.u.vs_public_action.oui; 6089 end = ((const u8 *) mgmt) + len; 6090 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos, 6091 freq); 6092 return 1; 6093 } 6094 if (len >= IEEE80211_HDRLEN + 2 && 6095 (mgmt->u.action.u.public_action.action == 6096 WLAN_PA_GAS_INITIAL_RESP || 6097 mgmt->u.action.u.public_action.action == 6098 WLAN_PA_GAS_COMEBACK_RESP)) { 6099 const u8 *pos, *end; 6100 6101 pos = &mgmt->u.action.u.public_action.action; 6102 end = ((const u8 *) mgmt) + len; 6103 if (gas_query_ap_rx(hapd->gas, mgmt->sa, 6104 mgmt->u.action.category, 6105 pos, end - pos, freq) == 0) 6106 return 1; 6107 } 6108 #endif /* CONFIG_DPP */ 6109 #ifdef CONFIG_NAN_USD 6110 if (mgmt->u.action.category == WLAN_ACTION_PUBLIC && 6111 len >= IEEE80211_HDRLEN + 5 && 6112 mgmt->u.action.u.vs_public_action.action == 6113 WLAN_PA_VENDOR_SPECIFIC && 6114 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 6115 OUI_WFA && 6116 mgmt->u.action.u.vs_public_action.variable[0] == 6117 NAN_OUI_TYPE) { 6118 const u8 *pos, *end; 6119 6120 pos = mgmt->u.action.u.vs_public_action.variable; 6121 end = ((const u8 *) mgmt) + len; 6122 pos++; 6123 hostapd_nan_usd_rx_sdf(hapd, mgmt->sa, freq, 6124 pos, end - pos); 6125 return 1; 6126 } 6127 #endif /* CONFIG_NAN_USD */ 6128 if (hapd->public_action_cb) { 6129 hapd->public_action_cb(hapd->public_action_cb_ctx, 6130 (u8 *) mgmt, len, freq); 6131 } 6132 if (hapd->public_action_cb2) { 6133 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 6134 (u8 *) mgmt, len, freq); 6135 } 6136 if (hapd->public_action_cb || hapd->public_action_cb2) 6137 return 1; 6138 break; 6139 case WLAN_ACTION_VENDOR_SPECIFIC: 6140 if (hapd->vendor_action_cb) { 6141 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 6142 (u8 *) mgmt, len, freq) == 0) 6143 return 1; 6144 } 6145 break; 6146 #ifndef CONFIG_NO_RRM 6147 case WLAN_ACTION_RADIO_MEASUREMENT: 6148 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len); 6149 return 1; 6150 #endif /* CONFIG_NO_RRM */ 6151 } 6152 6153 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 6154 HOSTAPD_LEVEL_DEBUG, 6155 "handle_action - unknown action category %d or invalid " 6156 "frame", 6157 mgmt->u.action.category); 6158 if (!is_multicast_ether_addr(mgmt->da) && 6159 !(mgmt->u.action.category & 0x80) && 6160 !is_multicast_ether_addr(mgmt->sa)) { 6161 struct ieee80211_mgmt *resp; 6162 6163 /* 6164 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 6165 * Return the Action frame to the source without change 6166 * except that MSB of the Category set to 1. 6167 */ 6168 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 6169 "frame back to sender"); 6170 resp = os_memdup(mgmt, len); 6171 if (resp == NULL) 6172 return 0; 6173 os_memcpy(resp->da, resp->sa, ETH_ALEN); 6174 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 6175 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 6176 resp->u.action.category |= 0x80; 6177 6178 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) { 6179 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 6180 "Action frame"); 6181 } 6182 os_free(resp); 6183 } 6184 6185 return 1; 6186 } 6187 6188 6189 /** 6190 * notify_mgmt_frame - Notify of Management frames on the control interface 6191 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was 6192 * sent to) 6193 * @buf: Management frame data (starting from the IEEE 802.11 header) 6194 * @len: Length of frame data in octets 6195 * 6196 * Notify the control interface of any received Management frame. 6197 */ 6198 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf, 6199 size_t len) 6200 { 6201 6202 int hex_len = len * 2 + 1; 6203 char *hex = os_malloc(hex_len); 6204 6205 if (hex) { 6206 wpa_snprintf_hex(hex, hex_len, buf, len); 6207 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO, 6208 AP_MGMT_FRAME_RECEIVED "buf=%s", hex); 6209 os_free(hex); 6210 } 6211 } 6212 6213 6214 /** 6215 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 6216 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 6217 * sent to) 6218 * @buf: management frame data (starting from IEEE 802.11 header) 6219 * @len: length of frame data in octets 6220 * @fi: meta data about received frame (signal level, etc.) 6221 * 6222 * Process all incoming IEEE 802.11 management frames. This will be called for 6223 * each frame received from the kernel driver through wlan#ap interface. In 6224 * addition, it can be called to re-inserted pending frames (e.g., when using 6225 * external RADIUS server as an MAC ACL). 6226 */ 6227 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 6228 struct hostapd_frame_info *fi) 6229 { 6230 struct ieee80211_mgmt *mgmt; 6231 u16 fc, stype; 6232 int ret = 0; 6233 unsigned int freq; 6234 int ssi_signal = fi ? fi->ssi_signal : 0; 6235 #ifdef CONFIG_NAN_USD 6236 static const u8 nan_network_id[ETH_ALEN] = 6237 { 0x51, 0x6f, 0x9a, 0x01, 0x00, 0x00 }; 6238 #endif /* CONFIG_NAN_USD */ 6239 6240 if (len < 24) 6241 return 0; 6242 6243 if (fi && fi->freq) 6244 freq = fi->freq; 6245 else 6246 freq = hapd->iface->freq; 6247 6248 mgmt = (struct ieee80211_mgmt *) buf; 6249 fc = le_to_host16(mgmt->frame_control); 6250 stype = WLAN_FC_GET_STYPE(fc); 6251 6252 if (is_multicast_ether_addr(mgmt->sa) || 6253 is_zero_ether_addr(mgmt->sa) || 6254 ether_addr_equal(mgmt->sa, hapd->own_addr)) { 6255 /* Do not process any frames with unexpected/invalid SA so that 6256 * we do not add any state for unexpected STA addresses or end 6257 * up sending out frames to unexpected destination. */ 6258 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR 6259 " in received frame - ignore this frame silently", 6260 MAC2STR(mgmt->sa)); 6261 return 0; 6262 } 6263 6264 if (stype == WLAN_FC_STYPE_BEACON) { 6265 handle_beacon(hapd, mgmt, len, fi); 6266 return 1; 6267 } 6268 6269 if (!is_broadcast_ether_addr(mgmt->bssid) && 6270 #ifdef CONFIG_P2P 6271 /* Invitation responses can be sent with the peer MAC as BSSID */ 6272 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 6273 stype == WLAN_FC_STYPE_ACTION) && 6274 #endif /* CONFIG_P2P */ 6275 #ifdef CONFIG_MESH 6276 !(hapd->conf->mesh & MESH_ENABLED) && 6277 #endif /* CONFIG_MESH */ 6278 #ifdef CONFIG_IEEE80211BE 6279 !(hapd->conf->mld_ap && 6280 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) && 6281 #endif /* CONFIG_IEEE80211BE */ 6282 !ether_addr_equal(mgmt->bssid, hapd->own_addr)) { 6283 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 6284 MAC2STR(mgmt->bssid)); 6285 return 0; 6286 } 6287 6288 if (hapd->iface->state != HAPD_IFACE_ENABLED) { 6289 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)", 6290 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype); 6291 return 1; 6292 } 6293 6294 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 6295 handle_probe_req(hapd, mgmt, len, ssi_signal); 6296 return 1; 6297 } 6298 6299 if ((!is_broadcast_ether_addr(mgmt->da) || 6300 stype != WLAN_FC_STYPE_ACTION) && 6301 #ifdef CONFIG_IEEE80211BE 6302 !(hapd->conf->mld_ap && 6303 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) && 6304 #endif /* CONFIG_IEEE80211BE */ 6305 #ifdef CONFIG_NAN_USD 6306 !ether_addr_equal(mgmt->da, nan_network_id) && 6307 #endif /* CONFIG_NAN_USD */ 6308 !ether_addr_equal(mgmt->da, hapd->own_addr)) { 6309 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 6310 HOSTAPD_LEVEL_DEBUG, 6311 "MGMT: DA=" MACSTR " not our address", 6312 MAC2STR(mgmt->da)); 6313 return 0; 6314 } 6315 6316 if (hapd->iconf->track_sta_max_num) 6317 sta_track_add(hapd->iface, mgmt->sa, ssi_signal); 6318 6319 if (hapd->conf->notify_mgmt_frames) 6320 notify_mgmt_frame(hapd, buf, len); 6321 6322 switch (stype) { 6323 case WLAN_FC_STYPE_AUTH: 6324 wpa_printf(MSG_DEBUG, "mgmt::auth"); 6325 handle_auth(hapd, mgmt, len, ssi_signal, 0); 6326 ret = 1; 6327 break; 6328 case WLAN_FC_STYPE_ASSOC_REQ: 6329 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 6330 handle_assoc(hapd, mgmt, len, 0, ssi_signal); 6331 ret = 1; 6332 break; 6333 case WLAN_FC_STYPE_REASSOC_REQ: 6334 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 6335 handle_assoc(hapd, mgmt, len, 1, ssi_signal); 6336 ret = 1; 6337 break; 6338 case WLAN_FC_STYPE_DISASSOC: 6339 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 6340 handle_disassoc(hapd, mgmt, len); 6341 ret = 1; 6342 break; 6343 case WLAN_FC_STYPE_DEAUTH: 6344 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 6345 handle_deauth(hapd, mgmt, len); 6346 ret = 1; 6347 break; 6348 case WLAN_FC_STYPE_ACTION: 6349 wpa_printf(MSG_DEBUG, "mgmt::action"); 6350 ret = handle_action(hapd, mgmt, len, freq); 6351 break; 6352 default: 6353 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 6354 HOSTAPD_LEVEL_DEBUG, 6355 "unknown mgmt frame subtype %d", stype); 6356 break; 6357 } 6358 6359 return ret; 6360 } 6361 6362 6363 static void handle_auth_cb(struct hostapd_data *hapd, 6364 const struct ieee80211_mgmt *mgmt, 6365 size_t len, int ok) 6366 { 6367 u16 auth_alg, auth_transaction, status_code; 6368 struct sta_info *sta; 6369 bool success_status; 6370 6371 sta = ap_get_sta(hapd, mgmt->da); 6372 if (!sta) { 6373 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR 6374 " not found", 6375 MAC2STR(mgmt->da)); 6376 return; 6377 } 6378 6379 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 6380 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 6381 (unsigned long) len); 6382 auth_alg = 0; 6383 auth_transaction = 0; 6384 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE; 6385 goto fail; 6386 } 6387 6388 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 6389 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 6390 status_code = le_to_host16(mgmt->u.auth.status_code); 6391 6392 if (!ok) { 6393 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 6394 HOSTAPD_LEVEL_NOTICE, 6395 "did not acknowledge authentication response"); 6396 goto fail; 6397 } 6398 6399 if (status_code == WLAN_STATUS_SUCCESS && 6400 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 6401 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 6402 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 6403 HOSTAPD_LEVEL_INFO, "authenticated"); 6404 sta->flags |= WLAN_STA_AUTH; 6405 if (sta->added_unassoc) 6406 hostapd_set_sta_flags(hapd, sta); 6407 return; 6408 } 6409 6410 fail: 6411 success_status = status_code == WLAN_STATUS_SUCCESS; 6412 #ifdef CONFIG_SAE 6413 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1) 6414 success_status = sae_status_success(hapd, status_code); 6415 #endif /* CONFIG_SAE */ 6416 if (!success_status && sta->added_unassoc) { 6417 hostapd_drv_sta_remove(hapd, sta->addr); 6418 sta->added_unassoc = 0; 6419 } 6420 } 6421 6422 6423 static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 6424 struct sta_info *sta, 6425 char *ifname_wds) 6426 { 6427 #ifdef CONFIG_WEP 6428 int i; 6429 struct hostapd_ssid *ssid = &hapd->conf->ssid; 6430 6431 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 6432 return; 6433 6434 for (i = 0; i < 4; i++) { 6435 if (ssid->wep.key[i] && 6436 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 6437 0, i == ssid->wep.idx, NULL, 0, 6438 ssid->wep.key[i], ssid->wep.len[i], 6439 i == ssid->wep.idx ? 6440 KEY_FLAG_GROUP_RX_TX_DEFAULT : 6441 KEY_FLAG_GROUP_RX_TX)) { 6442 wpa_printf(MSG_WARNING, 6443 "Could not set WEP keys for WDS interface; %s", 6444 ifname_wds); 6445 break; 6446 } 6447 } 6448 #endif /* CONFIG_WEP */ 6449 } 6450 6451 6452 #ifdef CONFIG_IEEE80211BE 6453 static void ieee80211_ml_link_sta_assoc_cb(struct hostapd_data *hapd, 6454 struct sta_info *sta, 6455 struct mld_link_info *link, 6456 bool ok) 6457 { 6458 bool updated = false; 6459 6460 if (!ok) { 6461 hostapd_logger(hapd, link->peer_addr, HOSTAPD_MODULE_IEEE80211, 6462 HOSTAPD_LEVEL_DEBUG, 6463 "did not acknowledge association response"); 6464 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 6465 6466 /* The STA is added only in case of SUCCESS */ 6467 if (link->status == WLAN_STATUS_SUCCESS) 6468 hostapd_drv_sta_remove(hapd, sta->addr); 6469 6470 return; 6471 } 6472 6473 if (link->status != WLAN_STATUS_SUCCESS) 6474 return; 6475 6476 sta->flags |= WLAN_STA_ASSOC; 6477 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 6478 6479 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa) 6480 updated = ap_sta_set_authorized_flag(hapd, sta, 1); 6481 6482 hostapd_set_sta_flags(hapd, sta); 6483 if (updated) 6484 ap_sta_set_authorized_event(hapd, sta, 1); 6485 6486 /* 6487 * TODOs: 6488 * - IEEE 802.1X port enablement is not needed as done on the station 6489 * doing the connection. 6490 * - Not handling accounting 6491 * - Need to handle VLAN configuration 6492 */ 6493 } 6494 #endif /* CONFIG_IEEE80211BE */ 6495 6496 6497 static void hostapd_ml_handle_assoc_cb(struct hostapd_data *hapd, 6498 struct sta_info *sta, bool ok) 6499 { 6500 #ifdef CONFIG_IEEE80211BE 6501 struct hostapd_data *tmp_hapd; 6502 6503 if (!hostapd_is_mld_ap(hapd)) 6504 return; 6505 6506 for_each_mld_link(tmp_hapd, hapd) { 6507 struct mld_link_info *link; 6508 struct sta_info *tmp_sta; 6509 6510 if (tmp_hapd == hapd) 6511 continue; 6512 6513 link = &sta->mld_info.links[tmp_hapd->mld_link_id]; 6514 if (!link->valid) 6515 continue; 6516 6517 for (tmp_sta = tmp_hapd->sta_list; tmp_sta; 6518 tmp_sta = tmp_sta->next) { 6519 if (tmp_sta == sta || 6520 tmp_sta->mld_assoc_link_id != 6521 sta->mld_assoc_link_id || 6522 tmp_sta->aid != sta->aid) 6523 continue; 6524 6525 ieee80211_ml_link_sta_assoc_cb(tmp_hapd, tmp_sta, link, 6526 ok); 6527 break; 6528 } 6529 } 6530 #endif /* CONFIG_IEEE80211BE */ 6531 } 6532 6533 6534 static void handle_assoc_cb(struct hostapd_data *hapd, 6535 const struct ieee80211_mgmt *mgmt, 6536 size_t len, int reassoc, int ok) 6537 { 6538 u16 status; 6539 struct sta_info *sta; 6540 int new_assoc = 1; 6541 6542 sta = ap_get_sta(hapd, mgmt->da); 6543 if (!sta) { 6544 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 6545 MAC2STR(mgmt->da)); 6546 return; 6547 } 6548 6549 #ifdef CONFIG_IEEE80211BE 6550 if (ap_sta_is_mld(hapd, sta) && 6551 hapd->mld_link_id != sta->mld_assoc_link_id) { 6552 /* See ieee80211_ml_link_sta_assoc_cb() for the MLD case */ 6553 wpa_printf(MSG_DEBUG, 6554 "%s: MLD: ignore on link station (%d != %d)", 6555 __func__, hapd->mld_link_id, sta->mld_assoc_link_id); 6556 return; 6557 } 6558 #endif /* CONFIG_IEEE80211BE */ 6559 6560 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 6561 sizeof(mgmt->u.assoc_resp))) { 6562 wpa_printf(MSG_INFO, 6563 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 6564 reassoc, (unsigned long) len); 6565 hostapd_drv_sta_remove(hapd, sta->addr); 6566 return; 6567 } 6568 6569 if (reassoc) 6570 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 6571 else 6572 status = le_to_host16(mgmt->u.assoc_resp.status_code); 6573 6574 if (!ok) { 6575 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 6576 HOSTAPD_LEVEL_DEBUG, 6577 "did not acknowledge association response"); 6578 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 6579 /* The STA is added only in case of SUCCESS */ 6580 if (status == WLAN_STATUS_SUCCESS) 6581 hostapd_drv_sta_remove(hapd, sta->addr); 6582 6583 goto handle_ml; 6584 } 6585 6586 if (status != WLAN_STATUS_SUCCESS) 6587 goto handle_ml; 6588 6589 /* Stop previous accounting session, if one is started, and allocate 6590 * new session id for the new session. */ 6591 accounting_sta_stop(hapd, sta); 6592 6593 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 6594 HOSTAPD_LEVEL_INFO, 6595 "associated (aid %d)", 6596 sta->aid); 6597 6598 if (sta->flags & WLAN_STA_ASSOC) 6599 new_assoc = 0; 6600 sta->flags |= WLAN_STA_ASSOC; 6601 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 6602 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && 6603 !hapd->conf->osen) || 6604 sta->auth_alg == WLAN_AUTH_FILS_SK || 6605 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 6606 sta->auth_alg == WLAN_AUTH_FILS_PK || 6607 sta->auth_alg == WLAN_AUTH_FT) { 6608 /* 6609 * Open, static WEP, FT protocol, or FILS; no separate 6610 * authorization step. 6611 */ 6612 ap_sta_set_authorized(hapd, sta, 1); 6613 } 6614 6615 if (reassoc) 6616 mlme_reassociate_indication(hapd, sta); 6617 else 6618 mlme_associate_indication(hapd, sta); 6619 6620 sta->sa_query_timed_out = 0; 6621 6622 if (sta->eapol_sm == NULL) { 6623 /* 6624 * This STA does not use RADIUS server for EAP authentication, 6625 * so bind it to the selected VLAN interface now, since the 6626 * interface selection is not going to change anymore. 6627 */ 6628 if (ap_sta_bind_vlan(hapd, sta) < 0) 6629 goto handle_ml; 6630 } else if (sta->vlan_id) { 6631 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 6632 if (ap_sta_bind_vlan(hapd, sta) < 0) 6633 goto handle_ml; 6634 } 6635 6636 hostapd_set_sta_flags(hapd, sta); 6637 6638 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) { 6639 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA " 6640 MACSTR " based on pending request", 6641 MAC2STR(sta->addr)); 6642 sta->pending_wds_enable = 0; 6643 sta->flags |= WLAN_STA_WDS; 6644 } 6645 6646 /* WPS not supported on backhaul BSS. Disable 4addr mode on fronthaul */ 6647 if ((sta->flags & WLAN_STA_WDS) || 6648 (sta->flags & WLAN_STA_MULTI_AP && 6649 (hapd->conf->multi_ap & BACKHAUL_BSS) && 6650 hapd->conf->wds_sta && 6651 !(sta->flags & WLAN_STA_WPS))) { 6652 int ret; 6653 char ifname_wds[IFNAMSIZ + 1]; 6654 6655 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA " 6656 MACSTR " (aid %u)", 6657 MAC2STR(sta->addr), sta->aid); 6658 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 6659 sta->aid, 1); 6660 if (!ret) 6661 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 6662 } 6663 6664 if (sta->auth_alg == WLAN_AUTH_FT) 6665 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 6666 else 6667 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 6668 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 6669 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 6670 6671 #ifdef CONFIG_FILS 6672 if ((sta->auth_alg == WLAN_AUTH_FILS_SK || 6673 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 6674 sta->auth_alg == WLAN_AUTH_FILS_PK) && 6675 fils_set_tk(sta->wpa_sm) < 0) { 6676 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed"); 6677 ap_sta_disconnect(hapd, sta, sta->addr, 6678 WLAN_REASON_UNSPECIFIED); 6679 return; 6680 } 6681 #endif /* CONFIG_FILS */ 6682 6683 if (sta->pending_eapol_rx) { 6684 struct os_reltime now, age; 6685 6686 os_get_reltime(&now); 6687 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age); 6688 if (age.sec == 0 && age.usec < 200000) { 6689 wpa_printf(MSG_DEBUG, 6690 "Process pending EAPOL frame that was received from " MACSTR " just before association notification", 6691 MAC2STR(sta->addr)); 6692 ieee802_1x_receive( 6693 hapd, mgmt->da, 6694 wpabuf_head(sta->pending_eapol_rx->buf), 6695 wpabuf_len(sta->pending_eapol_rx->buf), 6696 sta->pending_eapol_rx->encrypted); 6697 } 6698 wpabuf_free(sta->pending_eapol_rx->buf); 6699 os_free(sta->pending_eapol_rx); 6700 sta->pending_eapol_rx = NULL; 6701 } 6702 6703 handle_ml: 6704 hostapd_ml_handle_assoc_cb(hapd, sta, ok); 6705 } 6706 6707 6708 static void handle_deauth_cb(struct hostapd_data *hapd, 6709 const struct ieee80211_mgmt *mgmt, 6710 size_t len, int ok) 6711 { 6712 struct sta_info *sta; 6713 if (is_multicast_ether_addr(mgmt->da)) 6714 return; 6715 sta = ap_get_sta(hapd, mgmt->da); 6716 if (!sta) { 6717 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 6718 " not found", MAC2STR(mgmt->da)); 6719 return; 6720 } 6721 if (ok) 6722 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 6723 MAC2STR(sta->addr)); 6724 else 6725 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 6726 "deauth", MAC2STR(sta->addr)); 6727 6728 ap_sta_deauth_cb(hapd, sta); 6729 } 6730 6731 6732 static void handle_disassoc_cb(struct hostapd_data *hapd, 6733 const struct ieee80211_mgmt *mgmt, 6734 size_t len, int ok) 6735 { 6736 struct sta_info *sta; 6737 if (is_multicast_ether_addr(mgmt->da)) 6738 return; 6739 sta = ap_get_sta(hapd, mgmt->da); 6740 if (!sta) { 6741 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 6742 " not found", MAC2STR(mgmt->da)); 6743 return; 6744 } 6745 if (ok) 6746 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 6747 MAC2STR(sta->addr)); 6748 else 6749 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 6750 "disassoc", MAC2STR(sta->addr)); 6751 6752 ap_sta_disassoc_cb(hapd, sta); 6753 } 6754 6755 6756 static void handle_action_cb(struct hostapd_data *hapd, 6757 const struct ieee80211_mgmt *mgmt, 6758 size_t len, int ok) 6759 { 6760 struct sta_info *sta; 6761 #ifndef CONFIG_NO_RRM 6762 const struct rrm_measurement_report_element *report; 6763 #endif /* CONFIG_NO_RRM */ 6764 6765 #ifdef CONFIG_DPP 6766 if (len >= IEEE80211_HDRLEN + 6 && 6767 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 6768 mgmt->u.action.u.vs_public_action.action == 6769 WLAN_PA_VENDOR_SPECIFIC && 6770 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 6771 OUI_WFA && 6772 mgmt->u.action.u.vs_public_action.variable[0] == 6773 DPP_OUI_TYPE) { 6774 const u8 *pos, *end; 6775 6776 pos = &mgmt->u.action.u.vs_public_action.variable[1]; 6777 end = ((const u8 *) mgmt) + len; 6778 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok); 6779 return; 6780 } 6781 if (len >= IEEE80211_HDRLEN + 2 && 6782 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 6783 (mgmt->u.action.u.public_action.action == 6784 WLAN_PA_GAS_INITIAL_REQ || 6785 mgmt->u.action.u.public_action.action == 6786 WLAN_PA_GAS_COMEBACK_REQ)) { 6787 const u8 *pos, *end; 6788 6789 pos = mgmt->u.action.u.public_action.variable; 6790 end = ((const u8 *) mgmt) + len; 6791 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok); 6792 return; 6793 } 6794 #endif /* CONFIG_DPP */ 6795 if (is_multicast_ether_addr(mgmt->da)) 6796 return; 6797 sta = ap_get_sta(hapd, mgmt->da); 6798 if (!sta) { 6799 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR 6800 " not found", MAC2STR(mgmt->da)); 6801 return; 6802 } 6803 6804 #ifdef CONFIG_HS20 6805 if (ok && len >= IEEE80211_HDRLEN + 2 && 6806 mgmt->u.action.category == WLAN_ACTION_WNM && 6807 mgmt->u.action.u.vs_public_action.action == WNM_NOTIFICATION_REQ && 6808 sta->hs20_deauth_on_ack) { 6809 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthenticate STA " MACSTR 6810 " on acknowledging the WNM-Notification", 6811 MAC2STR(sta->addr)); 6812 ap_sta_session_timeout(hapd, sta, 0); 6813 return; 6814 } 6815 #endif /* CONFIG_HS20 */ 6816 6817 #ifndef CONFIG_NO_RRM 6818 if (len < 24 + 5 + sizeof(*report)) 6819 return; 6820 report = (const struct rrm_measurement_report_element *) 6821 &mgmt->u.action.u.rrm.variable[2]; 6822 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT && 6823 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST && 6824 report->eid == WLAN_EID_MEASURE_REQUEST && 6825 report->len >= 3 && 6826 report->type == MEASURE_TYPE_BEACON) 6827 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok); 6828 #endif /* CONFIG_NO_RRM */ 6829 } 6830 6831 6832 /** 6833 * ieee802_11_mgmt_cb - Process management frame TX status callback 6834 * @hapd: hostapd BSS data structure (the BSS from which the management frame 6835 * was sent from) 6836 * @buf: management frame data (starting from IEEE 802.11 header) 6837 * @len: length of frame data in octets 6838 * @stype: management frame subtype from frame control field 6839 * @ok: Whether the frame was ACK'ed 6840 */ 6841 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 6842 u16 stype, int ok) 6843 { 6844 const struct ieee80211_mgmt *mgmt; 6845 mgmt = (const struct ieee80211_mgmt *) buf; 6846 6847 #ifdef CONFIG_TESTING_OPTIONS 6848 if (hapd->ext_mgmt_frame_handling) { 6849 size_t hex_len = 2 * len + 1; 6850 char *hex = os_malloc(hex_len); 6851 6852 if (hex) { 6853 wpa_snprintf_hex(hex, hex_len, buf, len); 6854 wpa_msg(hapd->msg_ctx, MSG_INFO, 6855 "MGMT-TX-STATUS stype=%u ok=%d buf=%s", 6856 stype, ok, hex); 6857 os_free(hex); 6858 } 6859 return; 6860 } 6861 #endif /* CONFIG_TESTING_OPTIONS */ 6862 6863 switch (stype) { 6864 case WLAN_FC_STYPE_AUTH: 6865 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 6866 handle_auth_cb(hapd, mgmt, len, ok); 6867 break; 6868 case WLAN_FC_STYPE_ASSOC_RESP: 6869 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 6870 handle_assoc_cb(hapd, mgmt, len, 0, ok); 6871 break; 6872 case WLAN_FC_STYPE_REASSOC_RESP: 6873 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 6874 handle_assoc_cb(hapd, mgmt, len, 1, ok); 6875 break; 6876 case WLAN_FC_STYPE_PROBE_RESP: 6877 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok); 6878 break; 6879 case WLAN_FC_STYPE_DEAUTH: 6880 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 6881 handle_deauth_cb(hapd, mgmt, len, ok); 6882 break; 6883 case WLAN_FC_STYPE_DISASSOC: 6884 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 6885 handle_disassoc_cb(hapd, mgmt, len, ok); 6886 break; 6887 case WLAN_FC_STYPE_ACTION: 6888 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok); 6889 handle_action_cb(hapd, mgmt, len, ok); 6890 break; 6891 default: 6892 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 6893 break; 6894 } 6895 } 6896 6897 6898 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 6899 { 6900 /* TODO */ 6901 return 0; 6902 } 6903 6904 6905 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 6906 char *buf, size_t buflen) 6907 { 6908 /* TODO */ 6909 return 0; 6910 } 6911 6912 6913 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 6914 const u8 *buf, size_t len, int ack) 6915 { 6916 struct sta_info *sta; 6917 struct hostapd_iface *iface = hapd->iface; 6918 6919 sta = ap_get_sta(hapd, addr); 6920 if (sta == NULL && iface->num_bss > 1) { 6921 size_t j; 6922 for (j = 0; j < iface->num_bss; j++) { 6923 hapd = iface->bss[j]; 6924 sta = ap_get_sta(hapd, addr); 6925 if (sta) 6926 break; 6927 } 6928 } 6929 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 6930 return; 6931 if (sta->flags & WLAN_STA_PENDING_POLL) { 6932 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 6933 "activity poll", MAC2STR(sta->addr), 6934 ack ? "ACKed" : "did not ACK"); 6935 if (ack) 6936 sta->flags &= ~WLAN_STA_PENDING_POLL; 6937 } 6938 6939 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 6940 } 6941 6942 6943 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 6944 { 6945 struct sta_info *sta; 6946 struct hostapd_iface *iface = hapd->iface; 6947 6948 sta = ap_get_sta(hapd, addr); 6949 if (sta == NULL && iface->num_bss > 1) { 6950 size_t j; 6951 for (j = 0; j < iface->num_bss; j++) { 6952 hapd = iface->bss[j]; 6953 sta = ap_get_sta(hapd, addr); 6954 if (sta) 6955 break; 6956 } 6957 } 6958 if (sta == NULL) 6959 return; 6960 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR, 6961 MAC2STR(sta->addr)); 6962 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 6963 return; 6964 6965 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 6966 "activity poll", MAC2STR(sta->addr)); 6967 sta->flags &= ~WLAN_STA_PENDING_POLL; 6968 } 6969 6970 6971 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 6972 int wds) 6973 { 6974 struct sta_info *sta; 6975 6976 sta = ap_get_sta(hapd, src); 6977 if (sta && 6978 ((sta->flags & WLAN_STA_ASSOC) || 6979 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) { 6980 if (!hapd->conf->wds_sta) 6981 return; 6982 6983 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) == 6984 WLAN_STA_ASSOC_REQ_OK) { 6985 wpa_printf(MSG_DEBUG, 6986 "Postpone 4-address WDS mode enabling for STA " 6987 MACSTR " since TX status for AssocResp is not yet known", 6988 MAC2STR(sta->addr)); 6989 sta->pending_wds_enable = 1; 6990 return; 6991 } 6992 6993 if (wds && !(sta->flags & WLAN_STA_WDS)) { 6994 int ret; 6995 char ifname_wds[IFNAMSIZ + 1]; 6996 6997 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 6998 "STA " MACSTR " (aid %u)", 6999 MAC2STR(sta->addr), sta->aid); 7000 sta->flags |= WLAN_STA_WDS; 7001 ret = hostapd_set_wds_sta(hapd, ifname_wds, 7002 sta->addr, sta->aid, 1); 7003 if (!ret) 7004 hostapd_set_wds_encryption(hapd, sta, 7005 ifname_wds); 7006 } 7007 return; 7008 } 7009 7010 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 7011 MACSTR, MAC2STR(src)); 7012 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) || 7013 ether_addr_equal(src, hapd->own_addr)) { 7014 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame 7015 * silently. */ 7016 return; 7017 } 7018 7019 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 7020 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 7021 "already been sent, but no TX status yet known - " 7022 "ignore Class 3 frame issue with " MACSTR, 7023 MAC2STR(src)); 7024 return; 7025 } 7026 7027 if (sta && (sta->flags & WLAN_STA_AUTH)) 7028 hostapd_drv_sta_disassoc( 7029 hapd, src, 7030 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 7031 else 7032 hostapd_drv_sta_deauth( 7033 hapd, src, 7034 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 7035 } 7036 7037 7038 static u8 * hostapd_add_tpe_info(u8 *eid, u8 tx_pwr_count, 7039 enum max_tx_pwr_interpretation tx_pwr_intrpn, 7040 u8 tx_pwr_cat, u8 tx_pwr) 7041 { 7042 int i; 7043 7044 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE; /* Element ID */ 7045 *eid++ = 2 + tx_pwr_count; /* Length */ 7046 7047 /* 7048 * Transmit Power Information field 7049 * bits 0-2 : Maximum Transmit Power Count 7050 * bits 3-5 : Maximum Transmit Power Interpretation 7051 * bits 6-7 : Maximum Transmit Power Category 7052 */ 7053 *eid++ = tx_pwr_count | (tx_pwr_intrpn << 3) | (tx_pwr_cat << 6); 7054 7055 /* Maximum Transmit Power field */ 7056 for (i = 0; i <= tx_pwr_count; i++) 7057 *eid++ = tx_pwr; 7058 7059 return eid; 7060 } 7061 7062 7063 /* 7064 * TODO: Extract power limits from channel data after 6G regulatory 7065 * support. 7066 */ 7067 #define REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT (-1) /* dBm/MHz */ 7068 #define REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT 5 /* dBm/MHz */ 7069 7070 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid) 7071 { 7072 struct hostapd_iface *iface = hapd->iface; 7073 struct hostapd_config *iconf = iface->conf; 7074 struct hostapd_hw_modes *mode = iface->current_mode; 7075 struct hostapd_channel_data *chan; 7076 int dfs, i; 7077 u8 channel, tx_pwr_count, local_pwr_constraint; 7078 int max_tx_power; 7079 u8 tx_pwr; 7080 7081 if (!mode) 7082 return eid; 7083 7084 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES) 7085 return eid; 7086 7087 for (i = 0; i < mode->num_channels; i++) { 7088 if (mode->channels[i].freq == iface->freq) 7089 break; 7090 } 7091 if (i == mode->num_channels) 7092 return eid; 7093 7094 #ifdef CONFIG_IEEE80211AX 7095 /* IEEE Std 802.11ax-2021, Annex E.2.7 (6 GHz band in the United 7096 * States): An AP that is an Indoor Access Point per regulatory rules 7097 * shall send at least two Transmit Power Envelope elements in Beacon 7098 * and Probe Response frames as follows: 7099 * - Maximum Transmit Power Category subfield = Default; 7100 * Unit interpretation = Regulatory client EIRP PSD 7101 * - Maximum Transmit Power Category subfield = Subordinate Device; 7102 * Unit interpretation = Regulatory client EIRP PSD 7103 */ 7104 if (is_6ghz_op_class(iconf->op_class)) { 7105 enum max_tx_pwr_interpretation tx_pwr_intrpn; 7106 7107 /* Same Maximum Transmit Power for all 20 MHz bands */ 7108 tx_pwr_count = 0; 7109 tx_pwr_intrpn = REGULATORY_CLIENT_EIRP_PSD; 7110 7111 /* Default Transmit Power Envelope for Global Operating Class */ 7112 if (hapd->iconf->reg_def_cli_eirp_psd != -1) 7113 tx_pwr = hapd->iconf->reg_def_cli_eirp_psd; 7114 else 7115 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT * 2; 7116 7117 eid = hostapd_add_tpe_info(eid, tx_pwr_count, tx_pwr_intrpn, 7118 REG_DEFAULT_CLIENT, tx_pwr); 7119 7120 /* Indoor Access Point must include an additional TPE for 7121 * subordinate devices */ 7122 if (he_reg_is_indoor(iconf->he_6ghz_reg_pwr_type)) { 7123 /* TODO: Extract PSD limits from channel data */ 7124 if (hapd->iconf->reg_sub_cli_eirp_psd != -1) 7125 tx_pwr = hapd->iconf->reg_sub_cli_eirp_psd; 7126 else 7127 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT * 2; 7128 eid = hostapd_add_tpe_info(eid, tx_pwr_count, 7129 tx_pwr_intrpn, 7130 REG_SUBORDINATE_CLIENT, 7131 tx_pwr); 7132 } 7133 7134 if (iconf->reg_def_cli_eirp != -1 && 7135 he_reg_is_sp(iconf->he_6ghz_reg_pwr_type)) 7136 eid = hostapd_add_tpe_info( 7137 eid, tx_pwr_count, REGULATORY_CLIENT_EIRP, 7138 REG_DEFAULT_CLIENT, 7139 hapd->iconf->reg_def_cli_eirp); 7140 7141 return eid; 7142 } 7143 #endif /* CONFIG_IEEE80211AX */ 7144 7145 switch (hostapd_get_oper_chwidth(iconf)) { 7146 case CONF_OPER_CHWIDTH_USE_HT: 7147 if (iconf->secondary_channel == 0) { 7148 /* Max Transmit Power count = 0 (20 MHz) */ 7149 tx_pwr_count = 0; 7150 } else { 7151 /* Max Transmit Power count = 1 (20, 40 MHz) */ 7152 tx_pwr_count = 1; 7153 } 7154 break; 7155 case CONF_OPER_CHWIDTH_80MHZ: 7156 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */ 7157 tx_pwr_count = 2; 7158 break; 7159 case CONF_OPER_CHWIDTH_80P80MHZ: 7160 case CONF_OPER_CHWIDTH_160MHZ: 7161 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */ 7162 tx_pwr_count = 3; 7163 break; 7164 default: 7165 return eid; 7166 } 7167 7168 /* 7169 * Below local_pwr_constraint logic is referred from 7170 * hostapd_eid_pwr_constraint. 7171 * 7172 * Check if DFS is required by regulatory. 7173 */ 7174 dfs = hostapd_is_dfs_required(hapd->iface); 7175 if (dfs < 0) 7176 dfs = 0; 7177 7178 /* 7179 * In order to meet regulations when TPC is not implemented using 7180 * a transmit power that is below the legal maximum (including any 7181 * mitigation factor) should help. In this case, indicate 3 dB below 7182 * maximum allowed transmit power. 7183 */ 7184 if (hapd->iconf->local_pwr_constraint == -1) 7185 local_pwr_constraint = (dfs == 0) ? 0 : 3; 7186 else 7187 local_pwr_constraint = hapd->iconf->local_pwr_constraint; 7188 7189 /* 7190 * A STA that is not an AP shall use a transmit power less than or 7191 * equal to the local maximum transmit power level for the channel. 7192 * The local maximum transmit power can be calculated from the formula: 7193 * local max TX pwr = max TX pwr - local pwr constraint 7194 * Where max TX pwr is maximum transmit power level specified for 7195 * channel in Country element and local pwr constraint is specified 7196 * for channel in this Power Constraint element. 7197 */ 7198 chan = &mode->channels[i]; 7199 max_tx_power = chan->max_tx_power - local_pwr_constraint; 7200 7201 /* 7202 * Local Maximum Transmit power is encoded as two's complement 7203 * with a 0.5 dB step. 7204 */ 7205 max_tx_power *= 2; /* in 0.5 dB steps */ 7206 if (max_tx_power > 127) { 7207 /* 63.5 has special meaning of 63.5 dBm or higher */ 7208 max_tx_power = 127; 7209 } 7210 if (max_tx_power < -128) 7211 max_tx_power = -128; 7212 if (max_tx_power < 0) 7213 tx_pwr = 0x80 + max_tx_power + 128; 7214 else 7215 tx_pwr = max_tx_power; 7216 7217 return hostapd_add_tpe_info(eid, tx_pwr_count, LOCAL_EIRP, 7218 0 /* Reserved for bands other than 6 GHz */, 7219 tx_pwr); 7220 } 7221 7222 7223 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid) 7224 { 7225 u8 bw, chan1 = 0, chan2 = 0; 7226 int freq1; 7227 7228 if (!hapd->cs_freq_params.channel || 7229 (!hapd->cs_freq_params.vht_enabled && 7230 !hapd->cs_freq_params.he_enabled && 7231 !hapd->cs_freq_params.eht_enabled)) 7232 return eid; 7233 7234 /* bandwidth: 0: 40, 1: 80, 160, 80+80, 4: 320 as per 7235 * IEEE P802.11-REVme/D4.0, 9.4.2.159 and Table 9-314. */ 7236 switch (hapd->cs_freq_params.bandwidth) { 7237 case 40: 7238 bw = 0; 7239 break; 7240 case 80: 7241 bw = 1; 7242 break; 7243 case 160: 7244 bw = 1; 7245 break; 7246 case 320: 7247 bw = 4; 7248 break; 7249 default: 7250 /* not valid VHT bandwidth or not in CSA */ 7251 return eid; 7252 } 7253 7254 freq1 = hapd->cs_freq_params.center_freq1 ? 7255 hapd->cs_freq_params.center_freq1 : 7256 hapd->cs_freq_params.freq; 7257 if (ieee80211_freq_to_chan(freq1, &chan1) != 7258 HOSTAPD_MODE_IEEE80211A) 7259 return eid; 7260 7261 if (hapd->cs_freq_params.center_freq2 && 7262 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2, 7263 &chan2) != HOSTAPD_MODE_IEEE80211A) 7264 return eid; 7265 7266 *eid++ = WLAN_EID_CHANNEL_SWITCH_WRAPPER; 7267 *eid++ = 5; /* Length of Channel Switch Wrapper */ 7268 *eid++ = WLAN_EID_WIDE_BW_CHSWITCH; 7269 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */ 7270 *eid++ = bw; /* New Channel Width */ 7271 if (hapd->cs_freq_params.bandwidth == 160) { 7272 /* Update the CCFS0 and CCFS1 values in the element based on 7273 * IEEE P802.11-REVme/D4.0, Table 9-314 */ 7274 7275 /* CCFS1 - The channel center frequency index of the 160 MHz 7276 * channel. */ 7277 chan2 = chan1; 7278 7279 /* CCFS0 - The channel center frequency index of the 80 MHz 7280 * channel segment that contains the primary channel. */ 7281 if (hapd->cs_freq_params.channel < chan1) 7282 chan1 -= 8; 7283 else 7284 chan1 += 8; 7285 } 7286 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */ 7287 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */ 7288 7289 return eid; 7290 } 7291 7292 7293 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd, 7294 size_t *current_len) 7295 { 7296 struct hostapd_neighbor_entry *nr; 7297 size_t total_len = 0, len = *current_len; 7298 7299 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry, 7300 list) { 7301 if (!nr->nr || wpabuf_len(nr->nr) < 12) 7302 continue; 7303 7304 if (nr->short_ssid == hapd->conf->ssid.short_ssid) 7305 continue; 7306 7307 /* Start a new element */ 7308 if (!len || 7309 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) { 7310 len = RNR_HEADER_LEN; 7311 total_len += RNR_HEADER_LEN; 7312 } 7313 7314 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN; 7315 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN; 7316 } 7317 7318 *current_len = len; 7319 return total_len; 7320 } 7321 7322 7323 struct mbssid_ie_profiles { 7324 u8 start; 7325 u8 end; 7326 }; 7327 7328 static bool hostapd_skip_rnr(size_t i, struct mbssid_ie_profiles *skip_profiles, 7329 bool ap_mld, u8 tbtt_info_len, bool mld_update, 7330 struct hostapd_data *reporting_hapd, 7331 struct hostapd_data *bss) 7332 { 7333 if (skip_profiles && 7334 i >= skip_profiles->start && i < skip_profiles->end) 7335 return true; 7336 7337 /* No need to report if length is for normal TBTT and the BSS is 7338 * affiliated with an AP MLD. MLD TBTT will include this. */ 7339 if (tbtt_info_len == RNR_TBTT_INFO_LEN && ap_mld) 7340 return true; 7341 7342 /* No need to report if length is for MLD TBTT and the BSS is not 7343 * affiliated with an aP MLD. Normal TBTT will include this. */ 7344 if (tbtt_info_len == RNR_TBTT_INFO_MLD_LEN && !ap_mld) 7345 return true; 7346 7347 #ifdef CONFIG_IEEE80211BE 7348 /* If building for co-location and they are ML partners, no need to 7349 * include since the ML RNR will carry this. */ 7350 if (!mld_update && hostapd_is_ml_partner(reporting_hapd, bss)) 7351 return true; 7352 7353 /* If building for ML RNR and they are not ML partners, don't include. 7354 */ 7355 if (mld_update && !hostapd_is_ml_partner(reporting_hapd, bss)) 7356 return true; 7357 #endif /* CONFIG_IEEE80211BE */ 7358 7359 return false; 7360 } 7361 7362 7363 static size_t 7364 hostapd_eid_rnr_iface_len(struct hostapd_data *hapd, 7365 struct hostapd_data *reporting_hapd, 7366 size_t *current_len, 7367 struct mbssid_ie_profiles *skip_profiles, 7368 bool mld_update) 7369 { 7370 size_t total_len = 0, len = *current_len; 7371 int tbtt_count, total_tbtt_count = 0; 7372 size_t i, start; 7373 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN : 7374 RNR_TBTT_INFO_LEN; 7375 7376 repeat_rnr_len: 7377 start = 0; 7378 tbtt_count = 0; 7379 7380 while (start < hapd->iface->num_bss) { 7381 if (!len || 7382 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 || 7383 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) { 7384 len = RNR_HEADER_LEN; 7385 total_len += RNR_HEADER_LEN; 7386 tbtt_count = 0; 7387 } 7388 7389 len += RNR_TBTT_HEADER_LEN; 7390 total_len += RNR_TBTT_HEADER_LEN; 7391 7392 for (i = start; i < hapd->iface->num_bss; i++) { 7393 struct hostapd_data *bss = hapd->iface->bss[i]; 7394 bool ap_mld = false; 7395 7396 if (!bss || !bss->conf || !bss->started) 7397 continue; 7398 7399 #ifdef CONFIG_IEEE80211BE 7400 ap_mld = bss->conf->mld_ap; 7401 #endif /* CONFIG_IEEE80211BE */ 7402 7403 if (bss == reporting_hapd || 7404 bss->conf->ignore_broadcast_ssid) 7405 continue; 7406 7407 if (hostapd_skip_rnr(i, skip_profiles, ap_mld, 7408 tbtt_info_len, mld_update, 7409 reporting_hapd, bss)) 7410 continue; 7411 7412 if (len + tbtt_info_len > 255 || 7413 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) 7414 break; 7415 7416 len += tbtt_info_len; 7417 total_len += tbtt_info_len; 7418 tbtt_count++; 7419 } 7420 start = i; 7421 } 7422 7423 total_tbtt_count += tbtt_count; 7424 7425 /* If building for co-location, re-build again but this time include 7426 * ML TBTTs. 7427 */ 7428 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) { 7429 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN; 7430 7431 /* If no TBTT was found, adjust the len and total_len since it 7432 * would have incremented before we checked all BSSs. */ 7433 if (!tbtt_count) { 7434 len -= RNR_TBTT_HEADER_LEN; 7435 total_len -= RNR_TBTT_HEADER_LEN; 7436 } 7437 7438 goto repeat_rnr_len; 7439 } 7440 7441 /* This is possible when in the re-built case and no suitable TBTT was 7442 * found. Adjust the length accordingly. */ 7443 if (!tbtt_count && total_tbtt_count) { 7444 len -= RNR_TBTT_HEADER_LEN; 7445 total_len -= RNR_TBTT_HEADER_LEN; 7446 } 7447 7448 if (!total_tbtt_count) 7449 total_len = 0; 7450 else 7451 *current_len = len; 7452 7453 return total_len; 7454 } 7455 7456 7457 enum colocation_mode { 7458 NO_COLOCATED_6GHZ, 7459 STANDALONE_6GHZ, 7460 COLOCATED_6GHZ, 7461 COLOCATED_LOWER_BAND, 7462 }; 7463 7464 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd) 7465 { 7466 u8 i; 7467 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class); 7468 7469 if (!hapd->iface || !hapd->iface->interfaces) 7470 return NO_COLOCATED_6GHZ; 7471 7472 if (is_6ghz && hapd->iface->interfaces->count == 1) 7473 return STANDALONE_6GHZ; 7474 7475 for (i = 0; i < hapd->iface->interfaces->count; i++) { 7476 struct hostapd_iface *iface; 7477 bool is_colocated_6ghz; 7478 7479 iface = hapd->iface->interfaces->iface[i]; 7480 if (iface == hapd->iface || !iface || !iface->conf) 7481 continue; 7482 7483 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class); 7484 if (!is_6ghz && is_colocated_6ghz) 7485 return COLOCATED_LOWER_BAND; 7486 if (is_6ghz && !is_colocated_6ghz) 7487 return COLOCATED_6GHZ; 7488 } 7489 7490 if (is_6ghz) 7491 return STANDALONE_6GHZ; 7492 7493 return NO_COLOCATED_6GHZ; 7494 } 7495 7496 7497 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd, 7498 size_t *current_len) 7499 { 7500 struct hostapd_iface *iface; 7501 size_t len = 0; 7502 size_t i; 7503 7504 if (!hapd->iface || !hapd->iface->interfaces) 7505 return 0; 7506 7507 for (i = 0; i < hapd->iface->interfaces->count; i++) { 7508 iface = hapd->iface->interfaces->iface[i]; 7509 7510 if (!iface || iface == hapd->iface || 7511 iface->state != HAPD_IFACE_ENABLED || 7512 !is_6ghz_op_class(iface->conf->op_class)) 7513 continue; 7514 7515 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd, 7516 current_len, NULL, false); 7517 } 7518 7519 return len; 7520 } 7521 7522 7523 static size_t hostapd_eid_rnr_mlo_len(struct hostapd_data *hapd, u32 type, 7524 size_t *current_len) 7525 { 7526 size_t len = 0; 7527 #ifdef CONFIG_IEEE80211BE 7528 struct hostapd_iface *iface; 7529 size_t i; 7530 7531 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap) 7532 return 0; 7533 7534 /* TODO: Allow for FILS/Action as well */ 7535 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP) 7536 return 0; 7537 7538 for (i = 0; i < hapd->iface->interfaces->count; i++) { 7539 iface = hapd->iface->interfaces->iface[i]; 7540 7541 if (!iface || iface == hapd->iface || 7542 hapd->iface->freq == iface->freq) 7543 continue; 7544 7545 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd, 7546 current_len, NULL, true); 7547 } 7548 #endif /* CONFIG_IEEE80211BE */ 7549 7550 return len; 7551 } 7552 7553 7554 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type, 7555 bool include_mld_params) 7556 { 7557 size_t total_len = 0, current_len = 0; 7558 enum colocation_mode mode = get_colocation_mode(hapd); 7559 7560 switch (type) { 7561 case WLAN_FC_STYPE_BEACON: 7562 if (hapd->conf->rnr) 7563 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len); 7564 /* fallthrough */ 7565 case WLAN_FC_STYPE_PROBE_RESP: 7566 if (mode == COLOCATED_LOWER_BAND) 7567 total_len += 7568 hostapd_eid_rnr_colocation_len(hapd, 7569 ¤t_len); 7570 7571 if (hapd->conf->rnr && hapd->iface->num_bss > 1 && 7572 !hapd->iconf->mbssid) 7573 total_len += hostapd_eid_rnr_iface_len(hapd, hapd, 7574 ¤t_len, 7575 NULL, false); 7576 break; 7577 case WLAN_FC_STYPE_ACTION: 7578 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ) 7579 total_len += hostapd_eid_rnr_iface_len(hapd, hapd, 7580 ¤t_len, 7581 NULL, false); 7582 break; 7583 } 7584 7585 /* For EMA Beacons, MLD neighbor repoting is added as part of 7586 * MBSSID RNR. */ 7587 if (include_mld_params && 7588 (type != WLAN_FC_STYPE_BEACON || 7589 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED)) 7590 total_len += hostapd_eid_rnr_mlo_len(hapd, type, ¤t_len); 7591 7592 return total_len; 7593 } 7594 7595 7596 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid, 7597 size_t *current_len) 7598 { 7599 struct hostapd_neighbor_entry *nr; 7600 size_t len = *current_len; 7601 u8 *size_offset = (eid - len) + 1; 7602 7603 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry, 7604 list) { 7605 if (!nr->nr || wpabuf_len(nr->nr) < 12) 7606 continue; 7607 7608 if (nr->short_ssid == hapd->conf->ssid.short_ssid) 7609 continue; 7610 7611 /* Start a new element */ 7612 if (!len || 7613 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) { 7614 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT; 7615 size_offset = eid++; 7616 len = RNR_HEADER_LEN; 7617 } 7618 7619 /* TBTT Information Header subfield (2 octets) */ 7620 *eid++ = 0; 7621 /* TBTT Information Length */ 7622 *eid++ = RNR_TBTT_INFO_LEN; 7623 /* Operating Class */ 7624 *eid++ = wpabuf_head_u8(nr->nr)[10]; 7625 /* Channel Number */ 7626 *eid++ = wpabuf_head_u8(nr->nr)[11]; 7627 len += RNR_TBTT_HEADER_LEN; 7628 /* TBTT Information Set */ 7629 /* TBTT Information field */ 7630 /* Neighbor AP TBTT Offset */ 7631 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN; 7632 /* BSSID */ 7633 os_memcpy(eid, nr->bssid, ETH_ALEN); 7634 eid += ETH_ALEN; 7635 /* Short SSID */ 7636 os_memcpy(eid, &nr->short_ssid, 4); 7637 eid += 4; 7638 /* BSS parameters */ 7639 *eid++ = nr->bss_parameters; 7640 /* 20 MHz PSD */ 7641 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER; 7642 len += RNR_TBTT_INFO_LEN; 7643 *size_offset = (eid - size_offset) - 1; 7644 } 7645 7646 *current_len = len; 7647 return eid; 7648 } 7649 7650 7651 static bool hostapd_eid_rnr_bss(struct hostapd_data *hapd, 7652 struct hostapd_data *reporting_hapd, 7653 struct mbssid_ie_profiles *skip_profiles, 7654 size_t i, u8 *tbtt_count, size_t *len, 7655 u8 **pos, u8 **tbtt_count_pos, u8 tbtt_info_len, 7656 u8 op_class, bool mld_update) 7657 { 7658 struct hostapd_iface *iface = hapd->iface; 7659 struct hostapd_data *bss = iface->bss[i]; 7660 u8 bss_param = 0; 7661 bool ap_mld = false; 7662 u8 *eid = *pos; 7663 7664 #ifdef CONFIG_IEEE80211BE 7665 ap_mld = !!hapd->conf->mld_ap; 7666 #endif /* CONFIG_IEEE80211BE */ 7667 7668 if (!bss || !bss->conf || !bss->started || 7669 bss == reporting_hapd || bss->conf->ignore_broadcast_ssid) 7670 return false; 7671 7672 if (hostapd_skip_rnr(i, skip_profiles, ap_mld, tbtt_info_len, 7673 mld_update, reporting_hapd, bss)) 7674 return false; 7675 7676 if (*len + RNR_TBTT_INFO_LEN > 255 || 7677 *tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) 7678 return true; 7679 7680 if (!(*tbtt_count)) { 7681 /* Add neighbor report header info only if there is at least 7682 * one TBTT info available. */ 7683 *tbtt_count_pos = eid++; 7684 *eid++ = tbtt_info_len; 7685 *eid++ = op_class; 7686 *eid++ = bss->iconf->channel; 7687 *len += RNR_TBTT_HEADER_LEN; 7688 } 7689 7690 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN; 7691 os_memcpy(eid, bss->own_addr, ETH_ALEN); 7692 eid += ETH_ALEN; 7693 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4); 7694 eid += 4; 7695 if (bss->conf->ssid.short_ssid == reporting_hapd->conf->ssid.short_ssid) 7696 bss_param |= RNR_BSS_PARAM_SAME_SSID; 7697 7698 if (iface->conf->mbssid != MBSSID_DISABLED && iface->num_bss > 1) { 7699 bss_param |= RNR_BSS_PARAM_MULTIPLE_BSSID; 7700 if (bss == hostapd_mbssid_get_tx_bss(hapd)) 7701 bss_param |= RNR_BSS_PARAM_TRANSMITTED_BSSID; 7702 } 7703 7704 if (is_6ghz_op_class(hapd->iconf->op_class) && 7705 bss->conf->unsol_bcast_probe_resp_interval) 7706 bss_param |= RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE; 7707 7708 bss_param |= RNR_BSS_PARAM_CO_LOCATED; 7709 7710 *eid++ = bss_param; 7711 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER; 7712 7713 #ifdef CONFIG_IEEE80211BE 7714 if (ap_mld) { 7715 u8 param_ch = bss->eht_mld_bss_param_change; 7716 bool is_partner; 7717 7718 /* If BSS is not a partner of the reporting_hapd 7719 * a) MLD ID advertised shall be 255. 7720 * b) Link ID advertised shall be 15. 7721 * c) BPCC advertised shall be 255 */ 7722 is_partner = hostapd_is_ml_partner(bss, reporting_hapd); 7723 /* MLD ID */ 7724 *eid++ = is_partner ? hostapd_get_mld_id(bss) : 0xFF; 7725 /* Link ID (Bit 3 to Bit 0) 7726 * BPCC (Bit 4 to Bit 7) */ 7727 *eid++ = is_partner ? 7728 bss->mld_link_id | ((param_ch & 0xF) << 4) : 7729 (MAX_NUM_MLD_LINKS | 0xF0); 7730 /* BPCC (Bit 3 to Bit 0) */ 7731 *eid = is_partner ? ((param_ch & 0xF0) >> 4) : 0x0F; 7732 #ifdef CONFIG_TESTING_OPTIONS 7733 if (bss->conf->mld_indicate_disabled) 7734 *eid |= RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED; 7735 #endif /* CONFIG_TESTING_OPTIONS */ 7736 eid++; 7737 } 7738 #endif /* CONFIG_IEEE80211BE */ 7739 7740 *len += tbtt_info_len; 7741 (*tbtt_count)++; 7742 *pos = eid; 7743 7744 return false; 7745 } 7746 7747 7748 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd, 7749 struct hostapd_data *reporting_hapd, 7750 u8 *eid, size_t *current_len, 7751 struct mbssid_ie_profiles *skip_profiles, 7752 bool mld_update) 7753 { 7754 struct hostapd_iface *iface = hapd->iface; 7755 size_t i, start; 7756 size_t len = *current_len; 7757 u8 *eid_start = eid, *size_offset = (eid - len) + 1; 7758 u8 *tbtt_count_pos = size_offset + 1; 7759 u8 tbtt_count, total_tbtt_count = 0, op_class, channel; 7760 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN : 7761 RNR_TBTT_INFO_LEN; 7762 7763 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq) 7764 return eid; 7765 7766 if (ieee80211_freq_to_channel_ext(iface->freq, 7767 hapd->iconf->secondary_channel, 7768 hostapd_get_oper_chwidth(hapd->iconf), 7769 &op_class, &channel) == 7770 NUM_HOSTAPD_MODES) 7771 return eid; 7772 7773 repeat_rnr: 7774 start = 0; 7775 tbtt_count = 0; 7776 while (start < iface->num_bss) { 7777 if (!len || 7778 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 || 7779 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) { 7780 eid_start = eid; 7781 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT; 7782 size_offset = eid++; 7783 len = RNR_HEADER_LEN; 7784 tbtt_count = 0; 7785 } 7786 7787 for (i = start; i < iface->num_bss; i++) { 7788 if (hostapd_eid_rnr_bss(hapd, reporting_hapd, 7789 skip_profiles, i, 7790 &tbtt_count, &len, &eid, 7791 &tbtt_count_pos, tbtt_info_len, 7792 op_class, mld_update)) 7793 break; 7794 } 7795 7796 start = i; 7797 7798 if (tbtt_count) { 7799 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1); 7800 *size_offset = (eid - size_offset) - 1; 7801 } 7802 } 7803 7804 total_tbtt_count += tbtt_count; 7805 7806 /* If building for co-location, re-build again but this time include 7807 * ML TBTTs. 7808 */ 7809 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) { 7810 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN; 7811 goto repeat_rnr; 7812 } 7813 7814 if (!total_tbtt_count) 7815 return eid_start; 7816 7817 *current_len = len; 7818 return eid; 7819 } 7820 7821 7822 u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid, 7823 size_t *current_len) 7824 { 7825 struct hostapd_iface *iface; 7826 size_t i; 7827 7828 if (!hapd->iface || !hapd->iface->interfaces) 7829 return eid; 7830 7831 for (i = 0; i < hapd->iface->interfaces->count; i++) { 7832 iface = hapd->iface->interfaces->iface[i]; 7833 7834 if (!iface || iface == hapd->iface || 7835 iface->state != HAPD_IFACE_ENABLED || 7836 !is_6ghz_op_class(iface->conf->op_class)) 7837 continue; 7838 7839 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid, 7840 current_len, NULL, false); 7841 } 7842 7843 return eid; 7844 } 7845 7846 7847 u8 * hostapd_eid_rnr_mlo(struct hostapd_data *hapd, u32 type, 7848 u8 *eid, size_t *current_len) 7849 { 7850 #ifdef CONFIG_IEEE80211BE 7851 struct hostapd_iface *iface; 7852 size_t i; 7853 7854 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap) 7855 return eid; 7856 7857 /* TODO: Allow for FILS/Action as well */ 7858 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP) 7859 return eid; 7860 7861 for (i = 0; i < hapd->iface->interfaces->count; i++) { 7862 iface = hapd->iface->interfaces->iface[i]; 7863 7864 if (!iface || iface == hapd->iface || 7865 hapd->iface->freq == iface->freq) 7866 continue; 7867 7868 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid, 7869 current_len, NULL, true); 7870 } 7871 #endif /* CONFIG_IEEE80211BE */ 7872 7873 return eid; 7874 } 7875 7876 7877 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type, 7878 bool include_mld_params) 7879 { 7880 u8 *eid_start = eid; 7881 size_t current_len = 0; 7882 enum colocation_mode mode = get_colocation_mode(hapd); 7883 7884 switch (type) { 7885 case WLAN_FC_STYPE_BEACON: 7886 if (hapd->conf->rnr) 7887 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len); 7888 /* fallthrough */ 7889 case WLAN_FC_STYPE_PROBE_RESP: 7890 if (mode == COLOCATED_LOWER_BAND) 7891 eid = hostapd_eid_rnr_colocation(hapd, eid, 7892 ¤t_len); 7893 7894 if (hapd->conf->rnr && hapd->iface->num_bss > 1 && 7895 !hapd->iconf->mbssid) 7896 eid = hostapd_eid_rnr_iface(hapd, hapd, eid, 7897 ¤t_len, NULL, false); 7898 break; 7899 case WLAN_FC_STYPE_ACTION: 7900 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ) 7901 eid = hostapd_eid_rnr_iface(hapd, hapd, eid, 7902 ¤t_len, NULL, false); 7903 break; 7904 default: 7905 return eid_start; 7906 } 7907 7908 /* For EMA Beacons, MLD neighbor repoting is added as part of 7909 * MBSSID RNR. */ 7910 if (include_mld_params && 7911 (type != WLAN_FC_STYPE_BEACON || 7912 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED)) 7913 eid = hostapd_eid_rnr_mlo(hapd, type, eid, ¤t_len); 7914 7915 if (eid == eid_start + 2) 7916 return eid_start; 7917 7918 return eid; 7919 } 7920 7921 7922 static bool mbssid_known_bss(unsigned int i, const u8 *known_bss, 7923 size_t known_bss_len) 7924 { 7925 if (!known_bss || known_bss_len <= i / 8) 7926 return false; 7927 known_bss = &known_bss[i / 8]; 7928 return *known_bss & (u8) (BIT(i % 8)); 7929 } 7930 7931 7932 static size_t hostapd_mbssid_ext_capa(struct hostapd_data *bss, 7933 struct hostapd_data *tx_bss, u8 *buf) 7934 { 7935 u8 ext_capa_tx[20], *ext_capa_tx_end, ext_capa[20], *ext_capa_end; 7936 size_t ext_capa_len, ext_capa_tx_len; 7937 7938 ext_capa_tx_end = hostapd_eid_ext_capab(tx_bss, ext_capa_tx, 7939 true); 7940 ext_capa_tx_len = ext_capa_tx_end - ext_capa_tx; 7941 ext_capa_end = hostapd_eid_ext_capab(bss, ext_capa, true); 7942 ext_capa_len = ext_capa_end - ext_capa; 7943 if (ext_capa_tx_len != ext_capa_len || 7944 os_memcmp(ext_capa_tx, ext_capa, ext_capa_len) != 0) { 7945 os_memcpy(buf, ext_capa, ext_capa_len); 7946 return ext_capa_len; 7947 } 7948 7949 return 0; 7950 } 7951 7952 7953 static size_t hostapd_eid_mbssid_elem_len(struct hostapd_data *hapd, 7954 u32 frame_type, size_t *bss_index, 7955 const u8 *known_bss, 7956 size_t known_bss_len) 7957 { 7958 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd); 7959 size_t len, i; 7960 u8 ext_capa[20]; 7961 7962 /* Element ID: 1 octet 7963 * Length: 1 octet 7964 * MaxBSSID Indicator: 1 octet 7965 * Optional Subelements: vatiable 7966 * 7967 * Total fixed length: 3 octets 7968 * 7969 * 1 octet in len for the MaxBSSID Indicator field. 7970 */ 7971 len = 1; 7972 7973 for (i = *bss_index; i < hapd->iface->num_bss; i++) { 7974 struct hostapd_data *bss = hapd->iface->bss[i]; 7975 const u8 *auth, *rsn = NULL, *rsnx = NULL; 7976 size_t nontx_profile_len, auth_len; 7977 u8 ie_count = 0; 7978 7979 if (!bss || !bss->conf || !bss->started || 7980 mbssid_known_bss(i, known_bss, known_bss_len)) 7981 continue; 7982 7983 /* 7984 * Sublement ID: 1 octet 7985 * Length: 1 octet 7986 * Nontransmitted capabilities: 4 octets 7987 * SSID element: 2 + variable 7988 * Multiple BSSID Index Element: 3 octets (+2 octets in beacons) 7989 * Fixed length = 1 + 1 + 4 + 2 + 3 = 11 7990 */ 7991 nontx_profile_len = 11 + bss->conf->ssid.ssid_len; 7992 7993 if (frame_type == WLAN_FC_STYPE_BEACON) 7994 nontx_profile_len += 2; 7995 7996 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len); 7997 if (auth) { 7998 rsn = get_ie(auth, auth_len, WLAN_EID_RSN); 7999 if (rsn) 8000 nontx_profile_len += 2 + rsn[1]; 8001 8002 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX); 8003 if (rsnx) 8004 nontx_profile_len += 2 + rsnx[1]; 8005 } 8006 8007 nontx_profile_len += hostapd_mbssid_ext_capa(bss, tx_bss, 8008 ext_capa); 8009 8010 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN)) 8011 ie_count++; 8012 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX)) 8013 ie_count++; 8014 if (bss->conf->xrates_supported) 8015 nontx_profile_len += 8; 8016 else if (hapd->conf->xrates_supported) 8017 ie_count++; 8018 if (ie_count) 8019 nontx_profile_len += 4 + ie_count; 8020 8021 if (len + nontx_profile_len > 255) 8022 break; 8023 8024 len += nontx_profile_len; 8025 } 8026 8027 *bss_index = i; 8028 8029 /* Add 2 octets to get the full size of the element */ 8030 return len + 2; 8031 } 8032 8033 8034 size_t hostapd_eid_mbssid_len(struct hostapd_data *hapd, u32 frame_type, 8035 u8 *elem_count, const u8 *known_bss, 8036 size_t known_bss_len, size_t *rnr_len) 8037 { 8038 size_t len = 0, bss_index = 1; 8039 bool ap_mld = false; 8040 8041 #ifdef CONFIG_IEEE80211BE 8042 ap_mld = hapd->conf->mld_ap; 8043 #endif /* CONFIG_IEEE80211BE */ 8044 8045 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 || 8046 (frame_type != WLAN_FC_STYPE_BEACON && 8047 frame_type != WLAN_FC_STYPE_PROBE_RESP)) 8048 return 0; 8049 8050 if (frame_type == WLAN_FC_STYPE_BEACON) { 8051 if (!elem_count) { 8052 wpa_printf(MSG_INFO, 8053 "MBSSID: Insufficient data for Beacon frames"); 8054 return 0; 8055 } 8056 *elem_count = 0; 8057 } 8058 8059 while (bss_index < hapd->iface->num_bss) { 8060 size_t rnr_count = bss_index; 8061 8062 len += hostapd_eid_mbssid_elem_len(hapd, frame_type, 8063 &bss_index, known_bss, 8064 known_bss_len); 8065 8066 if (frame_type == WLAN_FC_STYPE_BEACON) 8067 *elem_count += 1; 8068 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len) { 8069 size_t rnr_cur_len = 0; 8070 struct mbssid_ie_profiles skip_profiles = { 8071 rnr_count, bss_index 8072 }; 8073 8074 *rnr_len += hostapd_eid_rnr_iface_len( 8075 hapd, hostapd_mbssid_get_tx_bss(hapd), 8076 &rnr_cur_len, &skip_profiles, ap_mld); 8077 } 8078 } 8079 8080 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len) 8081 *rnr_len += hostapd_eid_rnr_len(hapd, frame_type, false); 8082 8083 return len; 8084 } 8085 8086 8087 static u8 * hostapd_eid_mbssid_elem(struct hostapd_data *hapd, u8 *eid, u8 *end, 8088 u32 frame_type, u8 max_bssid_indicator, 8089 size_t *bss_index, u8 elem_count, 8090 const u8 *known_bss, size_t known_bss_len) 8091 { 8092 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd); 8093 size_t i; 8094 u8 *eid_len_offset, *max_bssid_indicator_offset; 8095 8096 *eid++ = WLAN_EID_MULTIPLE_BSSID; 8097 eid_len_offset = eid++; 8098 max_bssid_indicator_offset = eid++; 8099 8100 for (i = *bss_index; i < hapd->iface->num_bss; i++) { 8101 struct hostapd_data *bss = hapd->iface->bss[i]; 8102 struct hostapd_bss_config *conf; 8103 u8 *eid_len_pos, *nontx_bss_start = eid; 8104 const u8 *auth, *rsn = NULL, *rsnx = NULL; 8105 u8 ie_count = 0, non_inherit_ie[3]; 8106 size_t auth_len = 0; 8107 u16 capab_info; 8108 8109 if (!bss || !bss->conf || !bss->started || 8110 mbssid_known_bss(i, known_bss, known_bss_len)) 8111 continue; 8112 conf = bss->conf; 8113 8114 *eid++ = WLAN_MBSSID_SUBELEMENT_NONTRANSMITTED_BSSID_PROFILE; 8115 eid_len_pos = eid++; 8116 8117 capab_info = hostapd_own_capab_info(bss); 8118 *eid++ = WLAN_EID_NONTRANSMITTED_BSSID_CAPA; 8119 *eid++ = sizeof(capab_info); 8120 WPA_PUT_LE16(eid, capab_info); 8121 eid += sizeof(capab_info); 8122 8123 *eid++ = WLAN_EID_SSID; 8124 *eid++ = conf->ssid.ssid_len; 8125 os_memcpy(eid, conf->ssid.ssid, conf->ssid.ssid_len); 8126 eid += conf->ssid.ssid_len; 8127 8128 *eid++ = WLAN_EID_MULTIPLE_BSSID_INDEX; 8129 if (frame_type == WLAN_FC_STYPE_BEACON) { 8130 *eid++ = 3; 8131 *eid++ = i; /* BSSID Index */ 8132 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && 8133 (conf->dtim_period % elem_count)) 8134 conf->dtim_period = elem_count; 8135 *eid++ = conf->dtim_period; 8136 /* The driver is expected to update the DTIM Count 8137 * field for each BSS that corresponds to a 8138 * nontransmitted BSSID. The value is initialized to 8139 * 0 here so that the DTIM count would be somewhat 8140 * functional even if the driver were not to update 8141 * this. */ 8142 *eid++ = 0; /* DTIM Count */ 8143 } else { 8144 /* Probe Request frame does not include DTIM Period and 8145 * DTIM Count fields. */ 8146 *eid++ = 1; 8147 *eid++ = i; /* BSSID Index */ 8148 } 8149 8150 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len); 8151 if (auth) { 8152 rsn = get_ie(auth, auth_len, WLAN_EID_RSN); 8153 if (rsn) { 8154 os_memcpy(eid, rsn, 2 + rsn[1]); 8155 eid += 2 + rsn[1]; 8156 } 8157 8158 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX); 8159 if (rsnx) { 8160 os_memcpy(eid, rsnx, 2 + rsnx[1]); 8161 eid += 2 + rsnx[1]; 8162 } 8163 } 8164 8165 eid += hostapd_mbssid_ext_capa(bss, tx_bss, eid); 8166 8167 /* List of Element ID values in increasing order */ 8168 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN)) 8169 non_inherit_ie[ie_count++] = WLAN_EID_RSN; 8170 if (hapd->conf->xrates_supported && 8171 !bss->conf->xrates_supported) 8172 non_inherit_ie[ie_count++] = WLAN_EID_EXT_SUPP_RATES; 8173 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX)) 8174 non_inherit_ie[ie_count++] = WLAN_EID_RSNX; 8175 if (ie_count) { 8176 *eid++ = WLAN_EID_EXTENSION; 8177 *eid++ = 2 + ie_count + 1; 8178 *eid++ = WLAN_EID_EXT_NON_INHERITANCE; 8179 *eid++ = ie_count; 8180 os_memcpy(eid, non_inherit_ie, ie_count); 8181 eid += ie_count; 8182 *eid++ = 0; /* No Element ID Extension List */ 8183 } 8184 8185 *eid_len_pos = (eid - eid_len_pos) - 1; 8186 8187 if (((eid - eid_len_offset) - 1) > 255) { 8188 eid = nontx_bss_start; 8189 break; 8190 } 8191 } 8192 8193 *bss_index = i; 8194 *max_bssid_indicator_offset = max_bssid_indicator; 8195 if (*max_bssid_indicator_offset < 1) 8196 *max_bssid_indicator_offset = 1; 8197 *eid_len_offset = (eid - eid_len_offset) - 1; 8198 return eid; 8199 } 8200 8201 8202 u8 * hostapd_eid_mbssid(struct hostapd_data *hapd, u8 *eid, u8 *end, 8203 unsigned int frame_stype, u8 elem_count, 8204 u8 **elem_offset, 8205 const u8 *known_bss, size_t known_bss_len, u8 *rnr_eid, 8206 u8 *rnr_count, u8 **rnr_offset, size_t rnr_len) 8207 { 8208 size_t bss_index = 1, cur_len = 0; 8209 u8 elem_index = 0, *rnr_start_eid = rnr_eid; 8210 bool add_rnr, ap_mld = false; 8211 8212 #ifdef CONFIG_IEEE80211BE 8213 ap_mld = hapd->conf->mld_ap; 8214 #endif /* CONFIG_IEEE80211BE */ 8215 8216 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 || 8217 (frame_stype != WLAN_FC_STYPE_BEACON && 8218 frame_stype != WLAN_FC_STYPE_PROBE_RESP)) 8219 return eid; 8220 8221 if (frame_stype == WLAN_FC_STYPE_BEACON && !elem_offset) { 8222 wpa_printf(MSG_INFO, 8223 "MBSSID: Insufficient data for Beacon frames"); 8224 return eid; 8225 } 8226 8227 add_rnr = hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && 8228 frame_stype == WLAN_FC_STYPE_BEACON && 8229 rnr_eid && rnr_count && rnr_offset && rnr_len; 8230 8231 while (bss_index < hapd->iface->num_bss) { 8232 unsigned int rnr_start_count = bss_index; 8233 8234 if (frame_stype == WLAN_FC_STYPE_BEACON) { 8235 if (elem_index == elem_count) { 8236 wpa_printf(MSG_WARNING, 8237 "MBSSID: Larger number of elements than there is room in the provided array"); 8238 break; 8239 } 8240 8241 elem_offset[elem_index] = eid; 8242 elem_index = elem_index + 1; 8243 } 8244 eid = hostapd_eid_mbssid_elem(hapd, eid, end, frame_stype, 8245 hostapd_max_bssid_indicator(hapd), 8246 &bss_index, elem_count, 8247 known_bss, known_bss_len); 8248 8249 if (add_rnr) { 8250 struct mbssid_ie_profiles skip_profiles = { 8251 rnr_start_count, bss_index 8252 }; 8253 8254 rnr_offset[*rnr_count] = rnr_eid; 8255 *rnr_count = *rnr_count + 1; 8256 cur_len = 0; 8257 rnr_eid = hostapd_eid_rnr_iface( 8258 hapd, hostapd_mbssid_get_tx_bss(hapd), 8259 rnr_eid, &cur_len, &skip_profiles, ap_mld); 8260 } 8261 } 8262 8263 if (add_rnr && (size_t) (rnr_eid - rnr_start_eid) < rnr_len) { 8264 rnr_offset[*rnr_count] = rnr_eid; 8265 *rnr_count = *rnr_count + 1; 8266 cur_len = 0; 8267 8268 if (hapd->conf->rnr) 8269 rnr_eid = hostapd_eid_nr_db(hapd, rnr_eid, &cur_len); 8270 if (get_colocation_mode(hapd) == COLOCATED_LOWER_BAND) 8271 rnr_eid = hostapd_eid_rnr_colocation(hapd, rnr_eid, 8272 &cur_len); 8273 } 8274 8275 return eid; 8276 } 8277 8278 #endif /* CONFIG_NATIVE_WINDOWS */ 8279