xref: /freebsd/contrib/wpa/src/ap/ieee802_11.c (revision 8aac90f18aef7c9eea906c3ff9a001ca7b94f375)
1 /*
2  * hostapd / IEEE 802.11 Management
3  * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #ifndef CONFIG_NATIVE_WINDOWS
12 
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58 
59 
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 		       struct sta_info *sta, u16 *resp,
64 		       struct rsn_pmksa_cache_entry *pmksa,
65 		       struct wpabuf *erp_resp,
66 		       const u8 *msk, size_t msk_len,
67 		       int *is_pub);
68 #endif /* CONFIG_FILS */
69 
70 #ifdef CONFIG_PASN
71 
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 				 struct sta_info *sta,
74 				 struct rsn_pmksa_cache_entry *pmksa,
75 				 u16 status);
76 #ifdef CONFIG_FILS
77 
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 				struct sta_info *sta, u16 status,
80 				struct wpabuf *erp_resp,
81 				const u8 *msk, size_t msk_len);
82 
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85 
86 static void handle_auth(struct hostapd_data *hapd,
87 			const struct ieee80211_mgmt *mgmt, size_t len,
88 			int rssi, int from_queue);
89 
90 
91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 	u8 multi_ap_val = 0;
94 
95 	if (!hapd->conf->multi_ap)
96 		return eid;
97 	if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 		multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 	if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 		multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101 
102 	return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104 
105 
106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 	u8 *pos = eid;
109 	int i, num, count;
110 	int h2e_required;
111 
112 	if (hapd->iface->current_rates == NULL)
113 		return eid;
114 
115 	*pos++ = WLAN_EID_SUPP_RATES;
116 	num = hapd->iface->num_rates;
117 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 		num++;
119 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 		num++;
121 	h2e_required = (hapd->conf->sae_pwe == 1 ||
122 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 		hapd->conf->sae_pwe != 3 &&
124 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 	if (h2e_required)
126 		num++;
127 	if (num > 8) {
128 		/* rest of the rates are encoded in Extended supported
129 		 * rates element */
130 		num = 8;
131 	}
132 
133 	*pos++ = num;
134 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 	     i++) {
136 		count++;
137 		*pos = hapd->iface->current_rates[i].rate / 5;
138 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 			*pos |= 0x80;
140 		pos++;
141 	}
142 
143 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 		count++;
145 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 	}
147 
148 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 		count++;
150 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 	}
152 
153 	if (h2e_required && count < 8) {
154 		count++;
155 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 	}
157 
158 	return pos;
159 }
160 
161 
162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 	u8 *pos = eid;
165 	int i, num, count;
166 	int h2e_required;
167 
168 	if (hapd->iface->current_rates == NULL)
169 		return eid;
170 
171 	num = hapd->iface->num_rates;
172 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 		num++;
174 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 		num++;
176 	h2e_required = (hapd->conf->sae_pwe == 1 ||
177 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 		hapd->conf->sae_pwe != 3 &&
179 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 	if (h2e_required)
181 		num++;
182 	if (num <= 8)
183 		return eid;
184 	num -= 8;
185 
186 	*pos++ = WLAN_EID_EXT_SUPP_RATES;
187 	*pos++ = num;
188 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 	     i++) {
190 		count++;
191 		if (count <= 8)
192 			continue; /* already in SuppRates IE */
193 		*pos = hapd->iface->current_rates[i].rate / 5;
194 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 			*pos |= 0x80;
196 		pos++;
197 	}
198 
199 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 		count++;
201 		if (count > 8)
202 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 	}
204 
205 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 		count++;
207 		if (count > 8)
208 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 	}
210 
211 	if (h2e_required) {
212 		count++;
213 		if (count > 8)
214 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 	}
216 
217 	return pos;
218 }
219 
220 
221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 				  size_t len)
223 {
224 	size_t i;
225 
226 	for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 		if (hapd->conf->radio_measurements[i])
228 			break;
229 	}
230 
231 	if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 		return eid;
233 
234 	*eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 	*eid++ = RRM_CAPABILITIES_IE_LEN;
236 	os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237 
238 	return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240 
241 
242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 	int capab = WLAN_CAPABILITY_ESS;
245 	int privacy = 0;
246 	int dfs;
247 	int i;
248 
249 	/* Check if any of configured channels require DFS */
250 	dfs = hostapd_is_dfs_required(hapd->iface);
251 	if (dfs < 0) {
252 		wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 			   dfs);
254 		dfs = 0;
255 	}
256 
257 	if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 	    hapd->iconf->preamble == SHORT_PREAMBLE)
259 		capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260 
261 #ifdef CONFIG_WEP
262 	privacy = hapd->conf->ssid.wep.keys_set;
263 
264 	if (hapd->conf->ieee802_1x &&
265 	    (hapd->conf->default_wep_key_len ||
266 	     hapd->conf->individual_wep_key_len))
267 		privacy = 1;
268 #endif /* CONFIG_WEP */
269 
270 	if (hapd->conf->wpa)
271 		privacy = 1;
272 
273 #ifdef CONFIG_HS20
274 	if (hapd->conf->osen)
275 		privacy = 1;
276 #endif /* CONFIG_HS20 */
277 
278 	if (privacy)
279 		capab |= WLAN_CAPABILITY_PRIVACY;
280 
281 	if (hapd->iface->current_mode &&
282 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 	    hapd->iface->num_sta_no_short_slot_time == 0)
284 		capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285 
286 	/*
287 	 * Currently, Spectrum Management capability bit is set when directly
288 	 * requested in configuration by spectrum_mgmt_required or when AP is
289 	 * running on DFS channel.
290 	 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 	 */
292 	if (hapd->iface->current_mode &&
293 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 	    (hapd->iconf->spectrum_mgmt_required || dfs))
295 		capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296 
297 	for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 		if (hapd->conf->radio_measurements[i]) {
299 			capab |= IEEE80211_CAP_RRM;
300 			break;
301 		}
302 	}
303 
304 	return capab;
305 }
306 
307 
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 			   u16 auth_transaction, const u8 *challenge,
312 			   int iswep)
313 {
314 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 		       HOSTAPD_LEVEL_DEBUG,
316 		       "authentication (shared key, transaction %d)",
317 		       auth_transaction);
318 
319 	if (auth_transaction == 1) {
320 		if (!sta->challenge) {
321 			/* Generate a pseudo-random challenge */
322 			u8 key[8];
323 
324 			sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 			if (sta->challenge == NULL)
326 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
327 
328 			if (os_get_random(key, sizeof(key)) < 0) {
329 				os_free(sta->challenge);
330 				sta->challenge = NULL;
331 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 			}
333 
334 			rc4_skip(key, sizeof(key), 0,
335 				 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 		}
337 		return 0;
338 	}
339 
340 	if (auth_transaction != 3)
341 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
342 
343 	/* Transaction 3 */
344 	if (!iswep || !sta->challenge || !challenge ||
345 	    os_memcmp_const(sta->challenge, challenge,
346 			    WLAN_AUTH_CHALLENGE_LEN)) {
347 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 			       HOSTAPD_LEVEL_INFO,
349 			       "shared key authentication - invalid "
350 			       "challenge-response");
351 		return WLAN_STATUS_CHALLENGE_FAIL;
352 	}
353 
354 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 		       HOSTAPD_LEVEL_DEBUG,
356 		       "authentication OK (shared key)");
357 	sta->flags |= WLAN_STA_AUTH;
358 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 	os_free(sta->challenge);
360 	sta->challenge = NULL;
361 
362 	return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366 
367 
368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 			   const u8 *dst, const u8 *bssid,
370 			   u16 auth_alg, u16 auth_transaction, u16 resp,
371 			   const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 	struct ieee80211_mgmt *reply;
374 	u8 *buf;
375 	size_t rlen;
376 	int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377 
378 	rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 	buf = os_zalloc(rlen);
380 	if (buf == NULL)
381 		return -1;
382 
383 	reply = (struct ieee80211_mgmt *) buf;
384 	reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 					    WLAN_FC_STYPE_AUTH);
386 	os_memcpy(reply->da, dst, ETH_ALEN);
387 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 	os_memcpy(reply->bssid, bssid, ETH_ALEN);
389 
390 	reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 	reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 	reply->u.auth.status_code = host_to_le16(resp);
393 
394 	if (ies && ies_len)
395 		os_memcpy(reply->u.auth.variable, ies, ies_len);
396 
397 	wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
398 		   " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 		   MAC2STR(dst), auth_alg, auth_transaction,
400 		   resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 	if (hapd->conf->sae_confirm_immediate == 2 &&
404 	    auth_alg == WLAN_AUTH_SAE) {
405 		if (auth_transaction == 1 && sta &&
406 		    (resp == WLAN_STATUS_SUCCESS ||
407 		     resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 		     resp == WLAN_STATUS_SAE_PK)) {
409 			wpa_printf(MSG_DEBUG,
410 				   "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 			os_free(sta->sae_postponed_commit);
412 			sta->sae_postponed_commit = buf;
413 			sta->sae_postponed_commit_len = rlen;
414 			return WLAN_STATUS_SUCCESS;
415 		}
416 
417 		if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 			wpa_printf(MSG_DEBUG,
419 				   "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 			if (hostapd_drv_send_mlme(hapd,
421 						  sta->sae_postponed_commit,
422 						  sta->sae_postponed_commit_len,
423 						  0, NULL, 0, 0) < 0)
424 				wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 			os_free(sta->sae_postponed_commit);
426 			sta->sae_postponed_commit = NULL;
427 			sta->sae_postponed_commit_len = 0;
428 		}
429 	}
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 	if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 		wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 	else
435 		reply_res = WLAN_STATUS_SUCCESS;
436 
437 	os_free(buf);
438 
439 	return reply_res;
440 }
441 
442 
443 #ifdef CONFIG_IEEE80211R_AP
444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 				  u16 auth_transaction, u16 status,
446 				  const u8 *ies, size_t ies_len)
447 {
448 	struct hostapd_data *hapd = ctx;
449 	struct sta_info *sta;
450 	int reply_res;
451 
452 	reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 				    auth_transaction, status, ies, ies_len,
454 				    "auth-ft-finish");
455 
456 	sta = ap_get_sta(hapd, dst);
457 	if (sta == NULL)
458 		return;
459 
460 	if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 				   status != WLAN_STATUS_SUCCESS)) {
462 		hostapd_drv_sta_remove(hapd, sta->addr);
463 		sta->added_unassoc = 0;
464 		return;
465 	}
466 
467 	if (status != WLAN_STATUS_SUCCESS)
468 		return;
469 
470 	hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 		       HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 	sta->flags |= WLAN_STA_AUTH;
473 	mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476 
477 
478 #ifdef CONFIG_SAE
479 
480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 			  const char *reason)
482 {
483 	wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
484 		   sae_state_txt(sta->sae->state), sae_state_txt(state),
485 		   MAC2STR(sta->addr), reason);
486 	sta->sae->state = state;
487 }
488 
489 
490 static const char * sae_get_password(struct hostapd_data *hapd,
491 				     struct sta_info *sta,
492 				     const char *rx_id,
493 				     struct sae_password_entry **pw_entry,
494 				     struct sae_pt **s_pt,
495 				     const struct sae_pk **s_pk)
496 {
497 	const char *password = NULL;
498 	struct sae_password_entry *pw;
499 	struct sae_pt *pt = NULL;
500 	const struct sae_pk *pk = NULL;
501 
502 	for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 		if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 		    os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 			continue;
506 		if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 			continue;
508 		if (rx_id && pw->identifier &&
509 		    os_strcmp(rx_id, pw->identifier) != 0)
510 			continue;
511 		password = pw->password;
512 		pt = pw->pt;
513 		if (!(hapd->conf->mesh & MESH_ENABLED))
514 			pk = pw->pk;
515 		break;
516 	}
517 	if (!password) {
518 		password = hapd->conf->ssid.wpa_passphrase;
519 		pt = hapd->conf->ssid.pt;
520 	}
521 
522 	if (pw_entry)
523 		*pw_entry = pw;
524 	if (s_pt)
525 		*s_pt = pt;
526 	if (s_pk)
527 		*s_pk = pk;
528 
529 	return password;
530 }
531 
532 
533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 					     struct sta_info *sta, int update,
535 					     int status_code)
536 {
537 	struct wpabuf *buf;
538 	const char *password = NULL;
539 	struct sae_password_entry *pw;
540 	const char *rx_id = NULL;
541 	int use_pt = 0;
542 	struct sae_pt *pt = NULL;
543 	const struct sae_pk *pk = NULL;
544 
545 	if (sta->sae->tmp) {
546 		rx_id = sta->sae->tmp->pw_id;
547 		use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 		os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 		os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 	}
553 
554 	if (rx_id && hapd->conf->sae_pwe != 3)
555 		use_pt = 1;
556 	else if (status_code == WLAN_STATUS_SUCCESS)
557 		use_pt = 0;
558 	else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 		 status_code == WLAN_STATUS_SAE_PK)
560 		use_pt = 1;
561 
562 	password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 	if (!password || (use_pt && !pt)) {
564 		wpa_printf(MSG_DEBUG, "SAE: No password available");
565 		return NULL;
566 	}
567 
568 	if (update && use_pt &&
569 	    sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 				  NULL, pk) < 0)
571 		return NULL;
572 
573 	if (update && !use_pt &&
574 	    sae_prepare_commit(hapd->own_addr, sta->addr,
575 			       (u8 *) password, os_strlen(password),
576 			       sta->sae) < 0) {
577 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 		return NULL;
579 	}
580 
581 	if (pw && pw->vlan_id) {
582 		if (!sta->sae->tmp) {
583 			wpa_printf(MSG_INFO,
584 				   "SAE: No temporary data allocated - cannot store VLAN ID");
585 			return NULL;
586 		}
587 		sta->sae->tmp->vlan_id = pw->vlan_id;
588 	}
589 
590 	buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 			   (rx_id ? 3 + os_strlen(rx_id) : 0));
592 	if (buf &&
593 	    sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 			     sta->sae->tmp->anti_clogging_token : NULL,
595 			     rx_id) < 0) {
596 		wpabuf_free(buf);
597 		buf = NULL;
598 	}
599 
600 	return buf;
601 }
602 
603 
604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 					      struct sta_info *sta)
606 {
607 	struct wpabuf *buf;
608 
609 	buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 	if (buf == NULL)
611 		return NULL;
612 
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 	if (sta->sae->tmp)
616 		sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619 
620 	if (sae_write_confirm(sta->sae, buf) < 0) {
621 		wpabuf_free(buf);
622 		return NULL;
623 	}
624 
625 	return buf;
626 }
627 
628 
629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 				struct sta_info *sta,
631 				const u8 *bssid, int update, int status_code)
632 {
633 	struct wpabuf *data;
634 	int reply_res;
635 	u16 status;
636 
637 	data = auth_build_sae_commit(hapd, sta, update, status_code);
638 	if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 		return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 	if (data == NULL)
641 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
642 
643 	if (sta->sae->tmp && sta->sae->pk)
644 		status = WLAN_STATUS_SAE_PK;
645 	else if (sta->sae->tmp && sta->sae->h2e)
646 		status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 	else
648 		status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 	if (hapd->conf->sae_commit_status >= 0 &&
651 	    hapd->conf->sae_commit_status != status) {
652 		wpa_printf(MSG_INFO,
653 			   "TESTING: Override SAE commit status code %u --> %d",
654 			   status, hapd->conf->sae_commit_status);
655 		status = hapd->conf->sae_commit_status;
656 	}
657 #endif /* CONFIG_TESTING_OPTIONS */
658 	reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 				    WLAN_AUTH_SAE, 1,
660 				    status, wpabuf_head(data),
661 				    wpabuf_len(data), "sae-send-commit");
662 
663 	wpabuf_free(data);
664 
665 	return reply_res;
666 }
667 
668 
669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 				 struct sta_info *sta,
671 				 const u8 *bssid)
672 {
673 	struct wpabuf *data;
674 	int reply_res;
675 
676 	data = auth_build_sae_confirm(hapd, sta);
677 	if (data == NULL)
678 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
679 
680 	reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 				    WLAN_AUTH_SAE, 2,
682 				    WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 				    wpabuf_len(data), "sae-send-confirm");
684 
685 	wpabuf_free(data);
686 
687 	return reply_res;
688 }
689 
690 #endif /* CONFIG_SAE */
691 
692 
693 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
694 
695 static int use_anti_clogging(struct hostapd_data *hapd)
696 {
697 	struct sta_info *sta;
698 	unsigned int open = 0;
699 
700 	if (hapd->conf->anti_clogging_threshold == 0)
701 		return 1;
702 
703 	for (sta = hapd->sta_list; sta; sta = sta->next) {
704 #ifdef CONFIG_SAE
705 		if (sta->sae &&
706 		    (sta->sae->state == SAE_COMMITTED ||
707 		     sta->sae->state == SAE_CONFIRMED))
708 			open++;
709 #endif /* CONFIG_SAE */
710 #ifdef CONFIG_PASN
711 		if (sta->pasn && sta->pasn->ecdh)
712 			open++;
713 #endif /* CONFIG_PASN */
714 		if (open >= hapd->conf->anti_clogging_threshold)
715 			return 1;
716 	}
717 
718 #ifdef CONFIG_SAE
719 	/* In addition to already existing open SAE sessions, check whether
720 	 * there are enough pending commit messages in the processing queue to
721 	 * potentially result in too many open sessions. */
722 	if (open + dl_list_len(&hapd->sae_commit_queue) >=
723 	    hapd->conf->anti_clogging_threshold)
724 		return 1;
725 #endif /* CONFIG_SAE */
726 
727 	return 0;
728 }
729 
730 
731 static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
732 			       u8 *idx)
733 {
734 	u8 hash[SHA256_MAC_LEN];
735 
736 	if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
737 			addr, ETH_ALEN, hash) < 0)
738 		return -1;
739 	*idx = hash[0];
740 	return 0;
741 }
742 
743 
744 static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
745 				const u8 *token, size_t token_len)
746 {
747 	u8 mac[SHA256_MAC_LEN];
748 	const u8 *addrs[2];
749 	size_t len[2];
750 	u16 token_idx;
751 	u8 idx;
752 
753 	if (token_len != SHA256_MAC_LEN ||
754 	    comeback_token_hash(hapd, addr, &idx) < 0)
755 		return -1;
756 	token_idx = hapd->comeback_pending_idx[idx];
757 	if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
758 		wpa_printf(MSG_DEBUG,
759 			   "Comeback: Invalid anti-clogging token from "
760 			   MACSTR " - token_idx 0x%04x, expected 0x%04x",
761 			   MAC2STR(addr), WPA_GET_BE16(token), token_idx);
762 		return -1;
763 	}
764 
765 	addrs[0] = addr;
766 	len[0] = ETH_ALEN;
767 	addrs[1] = token;
768 	len[1] = 2;
769 	if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
770 			       2, addrs, len, mac) < 0 ||
771 	    os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
772 		return -1;
773 
774 	hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
775 
776 	return 0;
777 }
778 
779 
780 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
781 					    int group, const u8 *addr, int h2e)
782 {
783 	struct wpabuf *buf;
784 	u8 *token;
785 	struct os_reltime now;
786 	u8 idx[2];
787 	const u8 *addrs[2];
788 	size_t len[2];
789 	u8 p_idx;
790 	u16 token_idx;
791 
792 	os_get_reltime(&now);
793 	if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
794 	    os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
795 	    hapd->comeback_idx == 0xffff) {
796 		if (random_get_bytes(hapd->comeback_key,
797 				     sizeof(hapd->comeback_key)) < 0)
798 			return NULL;
799 		wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key",
800 			    hapd->comeback_key, sizeof(hapd->comeback_key));
801 		hapd->last_comeback_key_update = now;
802 		hapd->comeback_idx = 0;
803 		os_memset(hapd->comeback_pending_idx, 0,
804 			  sizeof(hapd->comeback_pending_idx));
805 	}
806 
807 	buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
808 	if (buf == NULL)
809 		return NULL;
810 
811 	if (group)
812 		wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
813 
814 	if (h2e) {
815 		/* Encapsulate Anti-clogging Token field in a container IE */
816 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
817 		wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
818 		wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
819 	}
820 
821 	if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
822 		wpabuf_free(buf);
823 		return NULL;
824 	}
825 
826 	token_idx = hapd->comeback_pending_idx[p_idx];
827 	if (!token_idx) {
828 		hapd->comeback_idx++;
829 		token_idx = hapd->comeback_idx;
830 		hapd->comeback_pending_idx[p_idx] = token_idx;
831 	}
832 	WPA_PUT_BE16(idx, token_idx);
833 	token = wpabuf_put(buf, SHA256_MAC_LEN);
834 	addrs[0] = addr;
835 	len[0] = ETH_ALEN;
836 	addrs[1] = idx;
837 	len[1] = sizeof(idx);
838 	if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
839 			       2, addrs, len, token) < 0) {
840 		wpabuf_free(buf);
841 		return NULL;
842 	}
843 	WPA_PUT_BE16(token, token_idx);
844 
845 	return buf;
846 }
847 
848 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
849 
850 
851 #ifdef CONFIG_SAE
852 
853 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
854 {
855 	if (sta->sae->sync > hapd->conf->sae_sync) {
856 		sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
857 		sta->sae->sync = 0;
858 		return -1;
859 	}
860 	return 0;
861 }
862 
863 
864 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
865 {
866 	struct hostapd_data *hapd = eloop_ctx;
867 	struct sta_info *sta = eloop_data;
868 	int ret;
869 
870 	if (sae_check_big_sync(hapd, sta))
871 		return;
872 	sta->sae->sync++;
873 	wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
874 		   " (sync=%d state=%s)",
875 		   MAC2STR(sta->addr), sta->sae->sync,
876 		   sae_state_txt(sta->sae->state));
877 
878 	switch (sta->sae->state) {
879 	case SAE_COMMITTED:
880 		ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
881 		eloop_register_timeout(0,
882 				       hapd->dot11RSNASAERetransPeriod * 1000,
883 				       auth_sae_retransmit_timer, hapd, sta);
884 		break;
885 	case SAE_CONFIRMED:
886 		ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
887 		eloop_register_timeout(0,
888 				       hapd->dot11RSNASAERetransPeriod * 1000,
889 				       auth_sae_retransmit_timer, hapd, sta);
890 		break;
891 	default:
892 		ret = -1;
893 		break;
894 	}
895 
896 	if (ret != WLAN_STATUS_SUCCESS)
897 		wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
898 }
899 
900 
901 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
902 {
903 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
904 }
905 
906 
907 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
908 				     struct sta_info *sta)
909 {
910 	if (!(hapd->conf->mesh & MESH_ENABLED))
911 		return;
912 
913 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
914 	eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
915 			       auth_sae_retransmit_timer, hapd, sta);
916 }
917 
918 
919 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
920 					      struct sta_info *sta, u16 status)
921 {
922 	struct external_auth params;
923 
924 	os_memset(&params, 0, sizeof(params));
925 	params.status = status;
926 	params.bssid = sta->addr;
927 	if (status == WLAN_STATUS_SUCCESS && sta->sae &&
928 	    !hapd->conf->disable_pmksa_caching)
929 		params.pmkid = sta->sae->pmkid;
930 
931 	hostapd_drv_send_external_auth_status(hapd, &params);
932 }
933 
934 
935 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
936 {
937 #ifndef CONFIG_NO_VLAN
938 	struct vlan_description vlan_desc;
939 
940 	if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
941 		wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
942 			   " to VLAN ID %d",
943 			   MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
944 
945 		os_memset(&vlan_desc, 0, sizeof(vlan_desc));
946 		vlan_desc.notempty = 1;
947 		vlan_desc.untagged = sta->sae->tmp->vlan_id;
948 		if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
949 			wpa_printf(MSG_INFO,
950 				   "Invalid VLAN ID %d in sae_password",
951 				   sta->sae->tmp->vlan_id);
952 			return;
953 		}
954 
955 		if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
956 		    ap_sta_bind_vlan(hapd, sta) < 0) {
957 			wpa_printf(MSG_INFO,
958 				   "Failed to assign VLAN ID %d from sae_password to "
959 				   MACSTR, sta->sae->tmp->vlan_id,
960 				   MAC2STR(sta->addr));
961 			return;
962 		}
963 	}
964 #endif /* CONFIG_NO_VLAN */
965 
966 	sta->flags |= WLAN_STA_AUTH;
967 	sta->auth_alg = WLAN_AUTH_SAE;
968 	mlme_authenticate_indication(hapd, sta);
969 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
970 	sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
971 	crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
972 	sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
973 	sta->sae->peer_commit_scalar = NULL;
974 	wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
975 			       sta->sae->pmk, sta->sae->pmkid);
976 	sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
977 }
978 
979 
980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
981 		       const u8 *bssid, u16 auth_transaction, u16 status_code,
982 		       int allow_reuse, int *sta_removed)
983 {
984 	int ret;
985 
986 	*sta_removed = 0;
987 
988 	if (auth_transaction != 1 && auth_transaction != 2)
989 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
990 
991 	wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
992 		   MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
993 		   auth_transaction);
994 	switch (sta->sae->state) {
995 	case SAE_NOTHING:
996 		if (auth_transaction == 1) {
997 			if (sta->sae->tmp) {
998 				sta->sae->h2e =
999 					(status_code ==
1000 					 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1001 					 status_code == WLAN_STATUS_SAE_PK);
1002 				sta->sae->pk =
1003 					status_code == WLAN_STATUS_SAE_PK;
1004 			}
1005 			ret = auth_sae_send_commit(hapd, sta, bssid,
1006 						   !allow_reuse, status_code);
1007 			if (ret)
1008 				return ret;
1009 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1010 
1011 			if (sae_process_commit(sta->sae) < 0)
1012 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1013 
1014 			/*
1015 			 * In mesh case, both Commit and Confirm are sent
1016 			 * immediately. In infrastructure BSS, by default, only
1017 			 * a single Authentication frame (Commit) is expected
1018 			 * from the AP here and the second one (Confirm) will
1019 			 * be sent once the STA has sent its second
1020 			 * Authentication frame (Confirm). This behavior can be
1021 			 * overridden with explicit configuration so that the
1022 			 * infrastructure BSS case sends both frames together.
1023 			 */
1024 			if ((hapd->conf->mesh & MESH_ENABLED) ||
1025 			    hapd->conf->sae_confirm_immediate) {
1026 				/*
1027 				 * Send both Commit and Confirm immediately
1028 				 * based on SAE finite state machine
1029 				 * Nothing -> Confirm transition.
1030 				 */
1031 				ret = auth_sae_send_confirm(hapd, sta, bssid);
1032 				if (ret)
1033 					return ret;
1034 				sae_set_state(sta, SAE_CONFIRMED,
1035 					      "Sent Confirm (mesh)");
1036 			} else {
1037 				/*
1038 				 * For infrastructure BSS, send only the Commit
1039 				 * message now to get alternating sequence of
1040 				 * Authentication frames between the AP and STA.
1041 				 * Confirm will be sent in
1042 				 * Committed -> Confirmed/Accepted transition
1043 				 * when receiving Confirm from STA.
1044 				 */
1045 			}
1046 			sta->sae->sync = 0;
1047 			sae_set_retransmit_timer(hapd, sta);
1048 		} else {
1049 			hostapd_logger(hapd, sta->addr,
1050 				       HOSTAPD_MODULE_IEEE80211,
1051 				       HOSTAPD_LEVEL_DEBUG,
1052 				       "SAE confirm before commit");
1053 		}
1054 		break;
1055 	case SAE_COMMITTED:
1056 		sae_clear_retransmit_timer(hapd, sta);
1057 		if (auth_transaction == 1) {
1058 			if (sae_process_commit(sta->sae) < 0)
1059 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1060 
1061 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1062 			if (ret)
1063 				return ret;
1064 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1065 			sta->sae->sync = 0;
1066 			sae_set_retransmit_timer(hapd, sta);
1067 		} else if (hapd->conf->mesh & MESH_ENABLED) {
1068 			/*
1069 			 * In mesh case, follow SAE finite state machine and
1070 			 * send Commit now, if sync count allows.
1071 			 */
1072 			if (sae_check_big_sync(hapd, sta))
1073 				return WLAN_STATUS_SUCCESS;
1074 			sta->sae->sync++;
1075 
1076 			ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1077 						   status_code);
1078 			if (ret)
1079 				return ret;
1080 
1081 			sae_set_retransmit_timer(hapd, sta);
1082 		} else {
1083 			/*
1084 			 * For instructure BSS, send the postponed Confirm from
1085 			 * Nothing -> Confirmed transition that was reduced to
1086 			 * Nothing -> Committed above.
1087 			 */
1088 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1089 			if (ret)
1090 				return ret;
1091 
1092 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1093 
1094 			/*
1095 			 * Since this was triggered on Confirm RX, run another
1096 			 * step to get to Accepted without waiting for
1097 			 * additional events.
1098 			 */
1099 			return sae_sm_step(hapd, sta, bssid, auth_transaction,
1100 					   WLAN_STATUS_SUCCESS, 0, sta_removed);
1101 		}
1102 		break;
1103 	case SAE_CONFIRMED:
1104 		sae_clear_retransmit_timer(hapd, sta);
1105 		if (auth_transaction == 1) {
1106 			if (sae_check_big_sync(hapd, sta))
1107 				return WLAN_STATUS_SUCCESS;
1108 			sta->sae->sync++;
1109 
1110 			ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1111 						   status_code);
1112 			if (ret)
1113 				return ret;
1114 
1115 			if (sae_process_commit(sta->sae) < 0)
1116 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1117 
1118 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1119 			if (ret)
1120 				return ret;
1121 
1122 			sae_set_retransmit_timer(hapd, sta);
1123 		} else {
1124 			sta->sae->send_confirm = 0xffff;
1125 			sae_accept_sta(hapd, sta);
1126 		}
1127 		break;
1128 	case SAE_ACCEPTED:
1129 		if (auth_transaction == 1 &&
1130 		    (hapd->conf->mesh & MESH_ENABLED)) {
1131 			wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1132 				   ") doing reauthentication",
1133 				   MAC2STR(sta->addr));
1134 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1135 			ap_free_sta(hapd, sta);
1136 			*sta_removed = 1;
1137 		} else if (auth_transaction == 1) {
1138 			wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1139 			ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1140 						   status_code);
1141 			if (ret)
1142 				return ret;
1143 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1144 
1145 			if (sae_process_commit(sta->sae) < 0)
1146 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1147 			sta->sae->sync = 0;
1148 			sae_set_retransmit_timer(hapd, sta);
1149 		} else {
1150 			if (sae_check_big_sync(hapd, sta))
1151 				return WLAN_STATUS_SUCCESS;
1152 			sta->sae->sync++;
1153 
1154 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1155 			sae_clear_temp_data(sta->sae);
1156 			if (ret)
1157 				return ret;
1158 		}
1159 		break;
1160 	default:
1161 		wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1162 			   sta->sae->state);
1163 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 	}
1165 	return WLAN_STATUS_SUCCESS;
1166 }
1167 
1168 
1169 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1170 {
1171 	struct sae_data *sae = sta->sae;
1172 	int i, *groups = hapd->conf->sae_groups;
1173 	int default_groups[] = { 19, 0 };
1174 
1175 	if (sae->state != SAE_COMMITTED)
1176 		return;
1177 
1178 	wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1179 
1180 	if (!groups)
1181 		groups = default_groups;
1182 	for (i = 0; groups[i] > 0; i++) {
1183 		if (sae->group == groups[i])
1184 			break;
1185 	}
1186 
1187 	if (groups[i] <= 0) {
1188 		wpa_printf(MSG_DEBUG,
1189 			   "SAE: Previously selected group not found from the current configuration");
1190 		return;
1191 	}
1192 
1193 	for (;;) {
1194 		i++;
1195 		if (groups[i] <= 0) {
1196 			wpa_printf(MSG_DEBUG,
1197 				   "SAE: No alternative group enabled");
1198 			return;
1199 		}
1200 
1201 		if (sae_set_group(sae, groups[i]) < 0)
1202 			continue;
1203 
1204 		break;
1205 	}
1206 	wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1207 }
1208 
1209 
1210 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1211 {
1212 	int sae_pwe = hapd->conf->sae_pwe;
1213 	int id_in_use;
1214 	bool sae_pk = false;
1215 
1216 	id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1217 	if (id_in_use == 2 && sae_pwe != 3)
1218 		sae_pwe = 1;
1219 	else if (id_in_use == 1 && sae_pwe == 0)
1220 		sae_pwe = 2;
1221 #ifdef CONFIG_SAE_PK
1222 	sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1223 	if (sae_pwe == 0 && sae_pk)
1224 		sae_pwe = 2;
1225 #endif /* CONFIG_SAE_PK */
1226 
1227 	return ((sae_pwe == 0 || sae_pwe == 3) &&
1228 		status_code == WLAN_STATUS_SUCCESS) ||
1229 		(sae_pwe == 1 &&
1230 		 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1231 		  (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1232 		(sae_pwe == 2 &&
1233 		 (status_code == WLAN_STATUS_SUCCESS ||
1234 		  status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1235 		  (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1236 }
1237 
1238 
1239 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1240 {
1241 	int *groups = hapd->conf->sae_groups;
1242 	int default_groups[] = { 19, 0 };
1243 	int i;
1244 
1245 	if (!groups)
1246 		groups = default_groups;
1247 
1248 	for (i = 0; groups[i] > 0; i++) {
1249 		if (groups[i] == group)
1250 			return 1;
1251 	}
1252 
1253 	return 0;
1254 }
1255 
1256 
1257 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1258 				     struct sae_data *sae)
1259 {
1260 	const struct wpabuf *groups;
1261 	size_t i, count;
1262 	const u8 *pos;
1263 
1264 	if (!sae->tmp)
1265 		return 0;
1266 	groups = sae->tmp->peer_rejected_groups;
1267 	if (!groups)
1268 		return 0;
1269 
1270 	pos = wpabuf_head(groups);
1271 	count = wpabuf_len(groups) / 2;
1272 	for (i = 0; i < count; i++) {
1273 		int enabled;
1274 		u16 group;
1275 
1276 		group = WPA_GET_LE16(pos);
1277 		pos += 2;
1278 		enabled = sae_is_group_enabled(hapd, group);
1279 		wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1280 			   group, enabled ? "enabled" : "disabled");
1281 		if (enabled)
1282 			return 1;
1283 	}
1284 
1285 	return 0;
1286 }
1287 
1288 
1289 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1290 			    const struct ieee80211_mgmt *mgmt, size_t len,
1291 			    u16 auth_transaction, u16 status_code)
1292 {
1293 	int resp = WLAN_STATUS_SUCCESS;
1294 	struct wpabuf *data = NULL;
1295 	int *groups = hapd->conf->sae_groups;
1296 	int default_groups[] = { 19, 0 };
1297 	const u8 *pos, *end;
1298 	int sta_removed = 0;
1299 	bool success_status;
1300 
1301 	if (!groups)
1302 		groups = default_groups;
1303 
1304 #ifdef CONFIG_TESTING_OPTIONS
1305 	if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1306 		wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1307 		pos = mgmt->u.auth.variable;
1308 		end = ((const u8 *) mgmt) + len;
1309 		resp = status_code;
1310 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1311 				auth_transaction, resp, pos, end - pos,
1312 				"auth-sae-reflection-attack");
1313 		goto remove_sta;
1314 	}
1315 
1316 	if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1317 		wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1318 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1319 				auth_transaction, resp,
1320 				wpabuf_head(hapd->conf->sae_commit_override),
1321 				wpabuf_len(hapd->conf->sae_commit_override),
1322 				"sae-commit-override");
1323 		goto remove_sta;
1324 	}
1325 #endif /* CONFIG_TESTING_OPTIONS */
1326 	if (!sta->sae) {
1327 		if (auth_transaction != 1 ||
1328 		    !sae_status_success(hapd, status_code)) {
1329 			wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1330 				   status_code);
1331 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1332 			goto reply;
1333 		}
1334 		sta->sae = os_zalloc(sizeof(*sta->sae));
1335 		if (!sta->sae) {
1336 			resp = -1;
1337 			goto remove_sta;
1338 		}
1339 		sae_set_state(sta, SAE_NOTHING, "Init");
1340 		sta->sae->sync = 0;
1341 	}
1342 
1343 	if (sta->mesh_sae_pmksa_caching) {
1344 		wpa_printf(MSG_DEBUG,
1345 			   "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1346 		wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1347 		sta->mesh_sae_pmksa_caching = 0;
1348 	}
1349 
1350 	if (auth_transaction == 1) {
1351 		const u8 *token = NULL;
1352 		size_t token_len = 0;
1353 		int allow_reuse = 0;
1354 
1355 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1356 			       HOSTAPD_LEVEL_DEBUG,
1357 			       "start SAE authentication (RX commit, status=%u (%s))",
1358 			       status_code, status2str(status_code));
1359 
1360 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1361 		    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1362 		    sta->sae->tmp) {
1363 			pos = mgmt->u.auth.variable;
1364 			end = ((const u8 *) mgmt) + len;
1365 			if (pos + sizeof(le16) > end) {
1366 				wpa_printf(MSG_ERROR,
1367 					   "SAE: Too short anti-clogging token request");
1368 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1369 				goto reply;
1370 			}
1371 			resp = sae_group_allowed(sta->sae, groups,
1372 						 WPA_GET_LE16(pos));
1373 			if (resp != WLAN_STATUS_SUCCESS) {
1374 				wpa_printf(MSG_ERROR,
1375 					   "SAE: Invalid group in anti-clogging token request");
1376 				goto reply;
1377 			}
1378 			pos += sizeof(le16);
1379 
1380 			wpabuf_free(sta->sae->tmp->anti_clogging_token);
1381 			sta->sae->tmp->anti_clogging_token =
1382 				wpabuf_alloc_copy(pos, end - pos);
1383 			if (sta->sae->tmp->anti_clogging_token == NULL) {
1384 				wpa_printf(MSG_ERROR,
1385 					   "SAE: Failed to alloc for anti-clogging token");
1386 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1387 				goto remove_sta;
1388 			}
1389 
1390 			/*
1391 			 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1392 			 * is 76, a new Commit Message shall be constructed
1393 			 * with the Anti-Clogging Token from the received
1394 			 * Authentication frame, and the commit-scalar and
1395 			 * COMMIT-ELEMENT previously sent.
1396 			 */
1397 			resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1398 						    status_code);
1399 			if (resp != WLAN_STATUS_SUCCESS) {
1400 				wpa_printf(MSG_ERROR,
1401 					   "SAE: Failed to send commit message");
1402 				goto remove_sta;
1403 			}
1404 			sae_set_state(sta, SAE_COMMITTED,
1405 				      "Sent Commit (anti-clogging token case in mesh)");
1406 			sta->sae->sync = 0;
1407 			sae_set_retransmit_timer(hapd, sta);
1408 			return;
1409 		}
1410 
1411 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1412 		    status_code ==
1413 		    WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1414 		    sta->sae->tmp) {
1415 			wpa_printf(MSG_DEBUG,
1416 				   "SAE: Peer did not accept our SAE group");
1417 			sae_pick_next_group(hapd, sta);
1418 			goto remove_sta;
1419 		}
1420 
1421 		if (!sae_status_success(hapd, status_code))
1422 			goto remove_sta;
1423 
1424 		if (!(hapd->conf->mesh & MESH_ENABLED) &&
1425 		    sta->sae->state == SAE_COMMITTED) {
1426 			/* This is needed in the infrastructure BSS case to
1427 			 * address a sequence where a STA entry may remain in
1428 			 * hostapd across two attempts to do SAE authentication
1429 			 * by the same STA. The second attempt may end up trying
1430 			 * to use a different group and that would not be
1431 			 * allowed if we remain in Committed state with the
1432 			 * previously set parameters. */
1433 			pos = mgmt->u.auth.variable;
1434 			end = ((const u8 *) mgmt) + len;
1435 			if (end - pos >= (int) sizeof(le16) &&
1436 			    sae_group_allowed(sta->sae, groups,
1437 					      WPA_GET_LE16(pos)) ==
1438 			    WLAN_STATUS_SUCCESS) {
1439 				/* Do not waste resources deriving the same PWE
1440 				 * again since the same group is reused. */
1441 				sae_set_state(sta, SAE_NOTHING,
1442 					      "Allow previous PWE to be reused");
1443 				allow_reuse = 1;
1444 			} else {
1445 				sae_set_state(sta, SAE_NOTHING,
1446 					      "Clear existing state to allow restart");
1447 				sae_clear_data(sta->sae);
1448 			}
1449 		}
1450 
1451 		resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1452 					((const u8 *) mgmt) + len -
1453 					mgmt->u.auth.variable, &token,
1454 					&token_len, groups, status_code ==
1455 					WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1456 					status_code == WLAN_STATUS_SAE_PK);
1457 		if (resp == SAE_SILENTLY_DISCARD) {
1458 			wpa_printf(MSG_DEBUG,
1459 				   "SAE: Drop commit message from " MACSTR " due to reflection attack",
1460 				   MAC2STR(sta->addr));
1461 			goto remove_sta;
1462 		}
1463 
1464 		if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1465 			wpa_msg(hapd->msg_ctx, MSG_INFO,
1466 				WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1467 				MACSTR, MAC2STR(sta->addr));
1468 			sae_clear_retransmit_timer(hapd, sta);
1469 			sae_set_state(sta, SAE_NOTHING,
1470 				      "Unknown Password Identifier");
1471 			goto remove_sta;
1472 		}
1473 
1474 		if (token &&
1475 		    check_comeback_token(hapd, sta->addr, token, token_len)
1476 		    < 0) {
1477 			wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1478 				   "incorrect token from " MACSTR,
1479 				   MAC2STR(sta->addr));
1480 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1481 			goto remove_sta;
1482 		}
1483 
1484 		if (resp != WLAN_STATUS_SUCCESS)
1485 			goto reply;
1486 
1487 		if (check_sae_rejected_groups(hapd, sta->sae)) {
1488 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1489 			goto reply;
1490 		}
1491 
1492 		if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1493 			int h2e = 0;
1494 
1495 			wpa_printf(MSG_DEBUG,
1496 				   "SAE: Request anti-clogging token from "
1497 				   MACSTR, MAC2STR(sta->addr));
1498 			if (sta->sae->tmp)
1499 				h2e = sta->sae->h2e;
1500 			if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1501 			    status_code == WLAN_STATUS_SAE_PK)
1502 				h2e = 1;
1503 			data = auth_build_token_req(hapd, sta->sae->group,
1504 						    sta->addr, h2e);
1505 			resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1506 			if (hapd->conf->mesh & MESH_ENABLED)
1507 				sae_set_state(sta, SAE_NOTHING,
1508 					      "Request anti-clogging token case in mesh");
1509 			goto reply;
1510 		}
1511 
1512 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1513 				   status_code, allow_reuse, &sta_removed);
1514 	} else if (auth_transaction == 2) {
1515 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1516 			       HOSTAPD_LEVEL_DEBUG,
1517 			       "SAE authentication (RX confirm, status=%u (%s))",
1518 			       status_code, status2str(status_code));
1519 		if (status_code != WLAN_STATUS_SUCCESS)
1520 			goto remove_sta;
1521 		if (sta->sae->state >= SAE_CONFIRMED ||
1522 		    !(hapd->conf->mesh & MESH_ENABLED)) {
1523 			const u8 *var;
1524 			size_t var_len;
1525 			u16 peer_send_confirm;
1526 
1527 			var = mgmt->u.auth.variable;
1528 			var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1529 			if (var_len < 2) {
1530 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1531 				goto reply;
1532 			}
1533 
1534 			peer_send_confirm = WPA_GET_LE16(var);
1535 
1536 			if (sta->sae->state == SAE_ACCEPTED &&
1537 			    (peer_send_confirm <= sta->sae->rc ||
1538 			     peer_send_confirm == 0xffff)) {
1539 				wpa_printf(MSG_DEBUG,
1540 					   "SAE: Silently ignore unexpected Confirm from peer "
1541 					   MACSTR
1542 					   " (peer-send-confirm=%u Rc=%u)",
1543 					   MAC2STR(sta->addr),
1544 					   peer_send_confirm, sta->sae->rc);
1545 				return;
1546 			}
1547 
1548 			if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1549 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1550 				goto reply;
1551 			}
1552 			sta->sae->rc = peer_send_confirm;
1553 		}
1554 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1555 				   status_code, 0, &sta_removed);
1556 	} else {
1557 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1558 			       HOSTAPD_LEVEL_DEBUG,
1559 			       "unexpected SAE authentication transaction %u (status=%u (%s))",
1560 			       auth_transaction, status_code,
1561 			       status2str(status_code));
1562 		if (status_code != WLAN_STATUS_SUCCESS)
1563 			goto remove_sta;
1564 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1565 	}
1566 
1567 reply:
1568 	if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1569 		pos = mgmt->u.auth.variable;
1570 		end = ((const u8 *) mgmt) + len;
1571 
1572 		/* Copy the Finite Cyclic Group field from the request if we
1573 		 * rejected it as unsupported group. */
1574 		if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1575 		    !data && end - pos >= 2)
1576 			data = wpabuf_alloc_copy(pos, 2);
1577 
1578 		sae_sme_send_external_auth_status(hapd, sta, resp);
1579 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1580 				auth_transaction, resp,
1581 				data ? wpabuf_head(data) : (u8 *) "",
1582 				data ? wpabuf_len(data) : 0, "auth-sae");
1583 	}
1584 
1585 remove_sta:
1586 	if (auth_transaction == 1)
1587 		success_status = sae_status_success(hapd, status_code);
1588 	else
1589 		success_status = status_code == WLAN_STATUS_SUCCESS;
1590 	if (!sta_removed && sta->added_unassoc &&
1591 	    (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1592 		hostapd_drv_sta_remove(hapd, sta->addr);
1593 		sta->added_unassoc = 0;
1594 	}
1595 	wpabuf_free(data);
1596 }
1597 
1598 
1599 /**
1600  * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1601  * @hapd: BSS data for the device initiating the authentication
1602  * @sta: the peer to which commit authentication frame is sent
1603  *
1604  * This function implements Init event handling (IEEE Std 802.11-2012,
1605  * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1606  * sta->sae structure should be initialized appropriately via a call to
1607  * sae_prepare_commit().
1608  */
1609 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1610 {
1611 	int ret;
1612 
1613 	if (!sta->sae || !sta->sae->tmp)
1614 		return -1;
1615 
1616 	if (sta->sae->state != SAE_NOTHING)
1617 		return -1;
1618 
1619 	ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1620 	if (ret)
1621 		return -1;
1622 
1623 	sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1624 	sta->sae->sync = 0;
1625 	sae_set_retransmit_timer(hapd, sta);
1626 
1627 	return 0;
1628 }
1629 
1630 
1631 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1632 {
1633 	struct hostapd_data *hapd = eloop_ctx;
1634 	struct hostapd_sae_commit_queue *q;
1635 	unsigned int queue_len;
1636 
1637 	q = dl_list_first(&hapd->sae_commit_queue,
1638 			  struct hostapd_sae_commit_queue, list);
1639 	if (!q)
1640 		return;
1641 	wpa_printf(MSG_DEBUG,
1642 		   "SAE: Process next available message from queue");
1643 	dl_list_del(&q->list);
1644 	handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1645 		    q->rssi, 1);
1646 	os_free(q);
1647 
1648 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1649 		return;
1650 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1651 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1652 			       hapd, NULL);
1653 }
1654 
1655 
1656 static void auth_sae_queue(struct hostapd_data *hapd,
1657 			   const struct ieee80211_mgmt *mgmt, size_t len,
1658 			   int rssi)
1659 {
1660 	struct hostapd_sae_commit_queue *q, *q2;
1661 	unsigned int queue_len;
1662 	const struct ieee80211_mgmt *mgmt2;
1663 
1664 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1665 	if (queue_len >= 15) {
1666 		wpa_printf(MSG_DEBUG,
1667 			   "SAE: No more room in message queue - drop the new frame from "
1668 			   MACSTR, MAC2STR(mgmt->sa));
1669 		return;
1670 	}
1671 
1672 	wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1673 		   MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1674 		   queue_len);
1675 	q = os_zalloc(sizeof(*q) + len);
1676 	if (!q)
1677 		return;
1678 	q->rssi = rssi;
1679 	q->len = len;
1680 	os_memcpy(q->msg, mgmt, len);
1681 
1682 	/* Check whether there is already a queued Authentication frame from the
1683 	 * same station with the same transaction number and if so, replace that
1684 	 * queue entry with the new one. This avoids issues with a peer that
1685 	 * sends multiple times (e.g., due to frequent SAE retries). There is no
1686 	 * point in us trying to process the old attempts after a new one has
1687 	 * obsoleted them. */
1688 	dl_list_for_each(q2, &hapd->sae_commit_queue,
1689 			 struct hostapd_sae_commit_queue, list) {
1690 		mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1691 		if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1692 		    mgmt->u.auth.auth_transaction ==
1693 		    mgmt2->u.auth.auth_transaction) {
1694 			wpa_printf(MSG_DEBUG,
1695 				   "SAE: Replace queued message from same STA with same transaction number");
1696 			dl_list_add(&q2->list, &q->list);
1697 			dl_list_del(&q2->list);
1698 			os_free(q2);
1699 			goto queued;
1700 		}
1701 	}
1702 
1703 	/* No pending identical entry, so add to the end of the queue */
1704 	dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1705 
1706 queued:
1707 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1708 		return;
1709 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1710 			       hapd, NULL);
1711 }
1712 
1713 
1714 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1715 {
1716 	struct hostapd_sae_commit_queue *q;
1717 	const struct ieee80211_mgmt *mgmt;
1718 
1719 	dl_list_for_each(q, &hapd->sae_commit_queue,
1720 			 struct hostapd_sae_commit_queue, list) {
1721 		mgmt = (const struct ieee80211_mgmt *) q->msg;
1722 		if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1723 			return 1;
1724 	}
1725 
1726 	return 0;
1727 }
1728 
1729 #endif /* CONFIG_SAE */
1730 
1731 
1732 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1733 {
1734 	switch (res) {
1735 	case WPA_IE_OK:
1736 		return WLAN_STATUS_SUCCESS;
1737 	case WPA_INVALID_IE:
1738 		return WLAN_STATUS_INVALID_IE;
1739 	case WPA_INVALID_GROUP:
1740 		return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1741 	case WPA_INVALID_PAIRWISE:
1742 		return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1743 	case WPA_INVALID_AKMP:
1744 		return WLAN_STATUS_AKMP_NOT_VALID;
1745 	case WPA_NOT_ENABLED:
1746 		return WLAN_STATUS_INVALID_IE;
1747 	case WPA_ALLOC_FAIL:
1748 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1749 	case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1750 		return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1751 	case WPA_INVALID_MGMT_GROUP_CIPHER:
1752 		return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1753 	case WPA_INVALID_MDIE:
1754 		return WLAN_STATUS_INVALID_MDIE;
1755 	case WPA_INVALID_PROTO:
1756 		return WLAN_STATUS_INVALID_IE;
1757 	case WPA_INVALID_PMKID:
1758 		return WLAN_STATUS_INVALID_PMKID;
1759 	case WPA_DENIED_OTHER_REASON:
1760 		return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1761 	}
1762 	return WLAN_STATUS_INVALID_IE;
1763 }
1764 
1765 
1766 #ifdef CONFIG_FILS
1767 
1768 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1769 				    struct sta_info *sta, u16 resp,
1770 				    struct wpabuf *data, int pub);
1771 
1772 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1773 		      const u8 *pos, size_t len, u16 auth_alg,
1774 		      u16 auth_transaction, u16 status_code,
1775 		      void (*cb)(struct hostapd_data *hapd,
1776 				 struct sta_info *sta, u16 resp,
1777 				 struct wpabuf *data, int pub))
1778 {
1779 	u16 resp = WLAN_STATUS_SUCCESS;
1780 	const u8 *end;
1781 	struct ieee802_11_elems elems;
1782 	enum wpa_validate_result res;
1783 	struct wpa_ie_data rsn;
1784 	struct rsn_pmksa_cache_entry *pmksa = NULL;
1785 
1786 	if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1787 		return;
1788 
1789 	end = pos + len;
1790 
1791 	wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1792 		    pos, end - pos);
1793 
1794 	/* TODO: FILS PK */
1795 #ifdef CONFIG_FILS_SK_PFS
1796 	if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1797 		u16 group;
1798 		struct wpabuf *pub;
1799 		size_t elem_len;
1800 
1801 		/* Using FILS PFS */
1802 
1803 		/* Finite Cyclic Group */
1804 		if (end - pos < 2) {
1805 			wpa_printf(MSG_DEBUG,
1806 				   "FILS: No room for Finite Cyclic Group");
1807 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1808 			goto fail;
1809 		}
1810 		group = WPA_GET_LE16(pos);
1811 		pos += 2;
1812 		if (group != hapd->conf->fils_dh_group) {
1813 			wpa_printf(MSG_DEBUG,
1814 				   "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1815 				   group, hapd->conf->fils_dh_group);
1816 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1817 			goto fail;
1818 		}
1819 
1820 		crypto_ecdh_deinit(sta->fils_ecdh);
1821 		sta->fils_ecdh = crypto_ecdh_init(group);
1822 		if (!sta->fils_ecdh) {
1823 			wpa_printf(MSG_INFO,
1824 				   "FILS: Could not initialize ECDH with group %d",
1825 				   group);
1826 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1827 			goto fail;
1828 		}
1829 
1830 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1831 		if (!pub) {
1832 			wpa_printf(MSG_DEBUG,
1833 				   "FILS: Failed to derive ECDH public key");
1834 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1835 			goto fail;
1836 		}
1837 		elem_len = wpabuf_len(pub);
1838 		wpabuf_free(pub);
1839 
1840 		/* Element */
1841 		if ((size_t) (end - pos) < elem_len) {
1842 			wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1843 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1844 			goto fail;
1845 		}
1846 
1847 		wpabuf_free(sta->fils_g_sta);
1848 		sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1849 		wpabuf_clear_free(sta->fils_dh_ss);
1850 		sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1851 							  pos, elem_len);
1852 		if (!sta->fils_dh_ss) {
1853 			wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1854 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1855 			goto fail;
1856 		}
1857 		wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1858 		pos += elem_len;
1859 	} else {
1860 		crypto_ecdh_deinit(sta->fils_ecdh);
1861 		sta->fils_ecdh = NULL;
1862 		wpabuf_clear_free(sta->fils_dh_ss);
1863 		sta->fils_dh_ss = NULL;
1864 	}
1865 #endif /* CONFIG_FILS_SK_PFS */
1866 
1867 	wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1868 	if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1869 		wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1870 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1871 		goto fail;
1872 	}
1873 
1874 	/* RSNE */
1875 	wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1876 		    elems.rsn_ie, elems.rsn_ie_len);
1877 	if (!elems.rsn_ie ||
1878 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1879 				 &rsn) < 0) {
1880 		wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1881 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1882 		goto fail;
1883 	}
1884 
1885 	if (!sta->wpa_sm)
1886 		sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1887 						NULL);
1888 	if (!sta->wpa_sm) {
1889 		wpa_printf(MSG_DEBUG,
1890 			   "FILS: Failed to initialize RSN state machine");
1891 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 		goto fail;
1893 	}
1894 
1895 	res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1896 				  hapd->iface->freq,
1897 				  elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1898 				  elems.rsnxe ? elems.rsnxe - 2 : NULL,
1899 				  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1900 				  elems.mdie, elems.mdie_len, NULL, 0);
1901 	resp = wpa_res_to_status_code(res);
1902 	if (resp != WLAN_STATUS_SUCCESS)
1903 		goto fail;
1904 
1905 	if (!elems.fils_nonce) {
1906 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1907 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1908 		goto fail;
1909 	}
1910 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1911 		    FILS_NONCE_LEN);
1912 	os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1913 
1914 	/* PMKID List */
1915 	if (rsn.pmkid && rsn.num_pmkid > 0) {
1916 		u8 num;
1917 		const u8 *pmkid;
1918 
1919 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1920 			    rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1921 
1922 		pmkid = rsn.pmkid;
1923 		num = rsn.num_pmkid;
1924 		while (num) {
1925 			wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1926 			pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1927 						   pmkid);
1928 			if (pmksa)
1929 				break;
1930 			pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1931 								 sta->addr,
1932 								 pmkid);
1933 			if (pmksa)
1934 				break;
1935 			pmkid += PMKID_LEN;
1936 			num--;
1937 		}
1938 	}
1939 	if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1940 		wpa_printf(MSG_DEBUG,
1941 			   "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1942 			   wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1943 		pmksa = NULL;
1944 	}
1945 	if (pmksa)
1946 		wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1947 
1948 	/* FILS Session */
1949 	if (!elems.fils_session) {
1950 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1951 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1952 		goto fail;
1953 	}
1954 	wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1955 		    FILS_SESSION_LEN);
1956 	os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1957 
1958 	/* Wrapped Data */
1959 	if (elems.wrapped_data) {
1960 		wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1961 			    elems.wrapped_data,
1962 			    elems.wrapped_data_len);
1963 		if (!pmksa) {
1964 #ifndef CONFIG_NO_RADIUS
1965 			if (!sta->eapol_sm) {
1966 				sta->eapol_sm =
1967 					ieee802_1x_alloc_eapol_sm(hapd, sta);
1968 			}
1969 			wpa_printf(MSG_DEBUG,
1970 				   "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1971 			ieee802_1x_encapsulate_radius(
1972 				hapd, sta, elems.wrapped_data,
1973 				elems.wrapped_data_len);
1974 			sta->fils_pending_cb = cb;
1975 			wpa_printf(MSG_DEBUG,
1976 				   "FILS: Will send Authentication frame once the response from authentication server is available");
1977 			sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1978 			/* Calculate pending PMKID here so that we do not need
1979 			 * to maintain a copy of the EAP-Initiate/Reauth
1980 			 * message. */
1981 			if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1982 					   elems.wrapped_data,
1983 					   elems.wrapped_data_len,
1984 					   sta->fils_erp_pmkid) == 0)
1985 				sta->fils_erp_pmkid_set = 1;
1986 			return;
1987 #else /* CONFIG_NO_RADIUS */
1988 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1989 			goto fail;
1990 #endif /* CONFIG_NO_RADIUS */
1991 		}
1992 	}
1993 
1994 fail:
1995 	if (cb) {
1996 		struct wpabuf *data;
1997 		int pub = 0;
1998 
1999 		data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2000 					      NULL, 0, &pub);
2001 		if (!data) {
2002 			wpa_printf(MSG_DEBUG,
2003 				   "%s: prepare_auth_resp_fils() returned failure",
2004 				   __func__);
2005 		}
2006 
2007 		cb(hapd, sta, resp, data, pub);
2008 	}
2009 }
2010 
2011 
2012 static struct wpabuf *
2013 prepare_auth_resp_fils(struct hostapd_data *hapd,
2014 		       struct sta_info *sta, u16 *resp,
2015 		       struct rsn_pmksa_cache_entry *pmksa,
2016 		       struct wpabuf *erp_resp,
2017 		       const u8 *msk, size_t msk_len,
2018 		       int *is_pub)
2019 {
2020 	u8 fils_nonce[FILS_NONCE_LEN];
2021 	size_t ielen;
2022 	struct wpabuf *data = NULL;
2023 	const u8 *ie;
2024 	u8 *ie_buf = NULL;
2025 	const u8 *pmk = NULL;
2026 	size_t pmk_len = 0;
2027 	u8 pmk_buf[PMK_LEN_MAX];
2028 	struct wpabuf *pub = NULL;
2029 
2030 	if (*resp != WLAN_STATUS_SUCCESS)
2031 		goto fail;
2032 
2033 	ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2034 	if (!ie) {
2035 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2036 		goto fail;
2037 	}
2038 
2039 	if (pmksa) {
2040 		/* Add PMKID of the selected PMKSA into RSNE */
2041 		ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2042 		if (!ie_buf) {
2043 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2044 			goto fail;
2045 		}
2046 
2047 		os_memcpy(ie_buf, ie, ielen);
2048 		if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2049 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2050 			goto fail;
2051 		}
2052 		ie = ie_buf;
2053 	}
2054 
2055 	if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2056 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2057 		goto fail;
2058 	}
2059 	wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2060 		    fils_nonce, FILS_NONCE_LEN);
2061 
2062 #ifdef CONFIG_FILS_SK_PFS
2063 	if (sta->fils_dh_ss && sta->fils_ecdh) {
2064 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2065 		if (!pub) {
2066 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2067 			goto fail;
2068 		}
2069 	}
2070 #endif /* CONFIG_FILS_SK_PFS */
2071 
2072 	data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2073 	if (!data) {
2074 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2075 		goto fail;
2076 	}
2077 
2078 	/* TODO: FILS PK */
2079 #ifdef CONFIG_FILS_SK_PFS
2080 	if (pub) {
2081 		/* Finite Cyclic Group */
2082 		wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2083 
2084 		/* Element */
2085 		wpabuf_put_buf(data, pub);
2086 	}
2087 #endif /* CONFIG_FILS_SK_PFS */
2088 
2089 	/* RSNE */
2090 	wpabuf_put_data(data, ie, ielen);
2091 
2092 	/* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2093 
2094 #ifdef CONFIG_IEEE80211R_AP
2095 	if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2096 		/* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2097 		int res;
2098 		int use_sha384 = wpa_key_mgmt_sha384(
2099 			wpa_auth_sta_key_mgmt(sta->wpa_sm));
2100 
2101 		res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2102 					 wpabuf_put(data, 0),
2103 					 wpabuf_tailroom(data));
2104 		if (res < 0) {
2105 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2106 			goto fail;
2107 		}
2108 		wpabuf_put(data, res);
2109 	}
2110 #endif /* CONFIG_IEEE80211R_AP */
2111 
2112 	/* FILS Nonce */
2113 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2114 	wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2115 	/* Element ID Extension */
2116 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2117 	wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2118 
2119 	/* FILS Session */
2120 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2121 	wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2122 	/* Element ID Extension */
2123 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2124 	wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2125 
2126 	/* Wrapped Data */
2127 	if (!pmksa && erp_resp) {
2128 		wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2129 		wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2130 		/* Element ID Extension */
2131 		wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2132 		wpabuf_put_buf(data, erp_resp);
2133 
2134 		if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2135 				     msk, msk_len, sta->fils_snonce, fils_nonce,
2136 				     sta->fils_dh_ss ?
2137 				     wpabuf_head(sta->fils_dh_ss) : NULL,
2138 				     sta->fils_dh_ss ?
2139 				     wpabuf_len(sta->fils_dh_ss) : 0,
2140 				     pmk_buf, &pmk_len)) {
2141 			wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2142 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2143 			wpabuf_free(data);
2144 			data = NULL;
2145 			goto fail;
2146 		}
2147 		pmk = pmk_buf;
2148 
2149 		/* Don't use DHss in PTK derivation if PMKSA caching is not
2150 		 * used. */
2151 		wpabuf_clear_free(sta->fils_dh_ss);
2152 		sta->fils_dh_ss = NULL;
2153 
2154 		if (sta->fils_erp_pmkid_set) {
2155 			/* TODO: get PMKLifetime from WPA parameters */
2156 			unsigned int dot11RSNAConfigPMKLifetime = 43200;
2157 			int session_timeout;
2158 
2159 			session_timeout = dot11RSNAConfigPMKLifetime;
2160 			if (sta->session_timeout_set) {
2161 				struct os_reltime now, diff;
2162 
2163 				os_get_reltime(&now);
2164 				os_reltime_sub(&sta->session_timeout, &now,
2165 					       &diff);
2166 				session_timeout = diff.sec;
2167 			}
2168 
2169 			sta->fils_erp_pmkid_set = 0;
2170 			wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2171 						    sta->fils_erp_pmkid);
2172 			if (!hapd->conf->disable_pmksa_caching &&
2173 			    wpa_auth_pmksa_add2(
2174 				    hapd->wpa_auth, sta->addr,
2175 				    pmk, pmk_len,
2176 				    sta->fils_erp_pmkid,
2177 				    session_timeout,
2178 				    wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2179 				wpa_printf(MSG_ERROR,
2180 					   "FILS: Failed to add PMKSA cache entry based on ERP");
2181 			}
2182 		}
2183 	} else if (pmksa) {
2184 		pmk = pmksa->pmk;
2185 		pmk_len = pmksa->pmk_len;
2186 	}
2187 
2188 	if (!pmk) {
2189 		wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2190 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2191 		wpabuf_free(data);
2192 		data = NULL;
2193 		goto fail;
2194 	}
2195 
2196 	if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2197 				 sta->fils_snonce, fils_nonce,
2198 				 sta->fils_dh_ss ?
2199 				 wpabuf_head(sta->fils_dh_ss) : NULL,
2200 				 sta->fils_dh_ss ?
2201 				 wpabuf_len(sta->fils_dh_ss) : 0,
2202 				 sta->fils_g_sta, pub) < 0) {
2203 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2204 		wpabuf_free(data);
2205 		data = NULL;
2206 		goto fail;
2207 	}
2208 
2209 fail:
2210 	if (is_pub)
2211 		*is_pub = pub != NULL;
2212 	os_free(ie_buf);
2213 	wpabuf_free(pub);
2214 	wpabuf_clear_free(sta->fils_dh_ss);
2215 	sta->fils_dh_ss = NULL;
2216 #ifdef CONFIG_FILS_SK_PFS
2217 	crypto_ecdh_deinit(sta->fils_ecdh);
2218 	sta->fils_ecdh = NULL;
2219 #endif /* CONFIG_FILS_SK_PFS */
2220 	return data;
2221 }
2222 
2223 
2224 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2225 				    struct sta_info *sta, u16 resp,
2226 				    struct wpabuf *data, int pub)
2227 {
2228 	u16 auth_alg;
2229 
2230 	auth_alg = (pub ||
2231 		    resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2232 		WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2233 	send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2234 			data ? wpabuf_head(data) : (u8 *) "",
2235 			data ? wpabuf_len(data) : 0, "auth-fils-finish");
2236 	wpabuf_free(data);
2237 
2238 	if (resp == WLAN_STATUS_SUCCESS) {
2239 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2240 			       HOSTAPD_LEVEL_DEBUG,
2241 			       "authentication OK (FILS)");
2242 		sta->flags |= WLAN_STA_AUTH;
2243 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2244 		sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2245 		mlme_authenticate_indication(hapd, sta);
2246 	}
2247 }
2248 
2249 
2250 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2251 				 struct sta_info *sta, int success,
2252 				 struct wpabuf *erp_resp,
2253 				 const u8 *msk, size_t msk_len)
2254 {
2255 	u16 resp;
2256 	u32 flags = sta->flags;
2257 
2258 	sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2259 			WLAN_STA_PENDING_PASN_FILS_ERP);
2260 
2261 	resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2262 
2263 	if (flags & WLAN_STA_PENDING_FILS_ERP) {
2264 		struct wpabuf *data;
2265 		int pub = 0;
2266 
2267 		if (!sta->fils_pending_cb)
2268 			return;
2269 
2270 		data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2271 					      msk, msk_len, &pub);
2272 		if (!data) {
2273 			wpa_printf(MSG_DEBUG,
2274 				   "%s: prepare_auth_resp_fils() failure",
2275 				   __func__);
2276 		}
2277 		sta->fils_pending_cb(hapd, sta, resp, data, pub);
2278 #ifdef CONFIG_PASN
2279 	} else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2280 		pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2281 				    msk, msk_len);
2282 #endif /* CONFIG_PASN */
2283 	}
2284 }
2285 
2286 #endif /* CONFIG_FILS */
2287 
2288 
2289 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2290 				      const u8 *msg, size_t len,
2291 				      struct radius_sta *info)
2292 {
2293 	int res;
2294 
2295 	res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2296 
2297 	if (res == HOSTAPD_ACL_REJECT) {
2298 		wpa_printf(MSG_DEBUG, "Station " MACSTR
2299 			   " not allowed to authenticate",
2300 			   MAC2STR(addr));
2301 		return HOSTAPD_ACL_REJECT;
2302 	}
2303 
2304 	if (res == HOSTAPD_ACL_PENDING) {
2305 		wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2306 			   " waiting for an external authentication",
2307 			   MAC2STR(addr));
2308 		/* Authentication code will re-send the authentication frame
2309 		 * after it has received (and cached) information from the
2310 		 * external source. */
2311 		return HOSTAPD_ACL_PENDING;
2312 	}
2313 
2314 	return res;
2315 }
2316 
2317 
2318 static int
2319 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2320 			   int res, struct radius_sta *info)
2321 {
2322 	u32 session_timeout = info->session_timeout;
2323 	u32 acct_interim_interval = info->acct_interim_interval;
2324 	struct vlan_description *vlan_id = &info->vlan_id;
2325 	struct hostapd_sta_wpa_psk_short *psk = info->psk;
2326 	char *identity = info->identity;
2327 	char *radius_cui = info->radius_cui;
2328 
2329 	if (vlan_id->notempty &&
2330 	    !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2331 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2332 			       HOSTAPD_LEVEL_INFO,
2333 			       "Invalid VLAN %d%s received from RADIUS server",
2334 			       vlan_id->untagged,
2335 			       vlan_id->tagged[0] ? "+" : "");
2336 		return -1;
2337 	}
2338 	if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2339 		return -1;
2340 	if (sta->vlan_id)
2341 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2342 			       HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2343 
2344 	hostapd_free_psk_list(sta->psk);
2345 	if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2346 		hostapd_copy_psk_list(&sta->psk, psk);
2347 	else
2348 		sta->psk = NULL;
2349 
2350 	os_free(sta->identity);
2351 	if (identity)
2352 		sta->identity = os_strdup(identity);
2353 	else
2354 		sta->identity = NULL;
2355 
2356 	os_free(sta->radius_cui);
2357 	if (radius_cui)
2358 		sta->radius_cui = os_strdup(radius_cui);
2359 	else
2360 		sta->radius_cui = NULL;
2361 
2362 	if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2363 		sta->acct_interim_interval = acct_interim_interval;
2364 	if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2365 		sta->session_timeout_set = 1;
2366 		os_get_reltime(&sta->session_timeout);
2367 		sta->session_timeout.sec += session_timeout;
2368 		ap_sta_session_timeout(hapd, sta, session_timeout);
2369 	} else {
2370 		sta->session_timeout_set = 0;
2371 		ap_sta_no_session_timeout(hapd, sta);
2372 	}
2373 
2374 	return 0;
2375 }
2376 
2377 
2378 #ifdef CONFIG_PASN
2379 #ifdef CONFIG_SAE
2380 
2381 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2382 				     struct sta_info *sta,
2383 				     struct wpabuf *wd)
2384 {
2385 	struct pasn_data *pasn = sta->pasn;
2386 	const char *password;
2387 	const u8 *data;
2388 	size_t buf_len;
2389 	u16 res, alg, seq, status;
2390 	int groups[] = { pasn->group, 0 };
2391 	struct sae_pt *pt = NULL;
2392 	int ret;
2393 
2394 	if (!wd)
2395 		return -1;
2396 
2397 	data = wpabuf_head_u8(wd);
2398 	buf_len = wpabuf_len(wd);
2399 
2400 	if (buf_len < 6) {
2401 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2402 			   buf_len);
2403 		return -1;
2404 	}
2405 
2406 	alg = WPA_GET_LE16(data);
2407 	seq = WPA_GET_LE16(data + 2);
2408 	status = WPA_GET_LE16(data + 4);
2409 
2410 	wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2411 		   alg, seq, status);
2412 
2413 	if (alg != WLAN_AUTH_SAE || seq != 1 ||
2414 	    status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
2415 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2416 		return -1;
2417 	}
2418 
2419 	sae_clear_data(&pasn->sae);
2420 	pasn->sae.state = SAE_NOTHING;
2421 
2422 	ret = sae_set_group(&pasn->sae, pasn->group);
2423 	if (ret) {
2424 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2425 		return -1;
2426 	}
2427 
2428 	password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL);
2429 	if (!password || !pt) {
2430 		wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
2431 		return -1;
2432 	}
2433 
2434 	ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr,
2435 				    NULL, NULL);
2436 	if (ret) {
2437 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2438 		return -1;
2439 	}
2440 
2441 	res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2442 			       groups, 0);
2443 	if (res != WLAN_STATUS_SUCCESS) {
2444 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2445 		return -1;
2446 	}
2447 
2448 	/* Process the commit message and derive the PMK */
2449 	ret = sae_process_commit(&pasn->sae);
2450 	if (ret) {
2451 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2452 		return -1;
2453 	}
2454 
2455 	pasn->sae.state = SAE_COMMITTED;
2456 
2457 	return 0;
2458 }
2459 
2460 
2461 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2462 				      struct sta_info *sta,
2463 				      struct wpabuf *wd)
2464 {
2465 	struct pasn_data *pasn = sta->pasn;
2466 	const u8 *data;
2467 	size_t buf_len;
2468 	u16 res, alg, seq, status;
2469 
2470 	if (!wd)
2471 		return -1;
2472 
2473 	data = wpabuf_head_u8(wd);
2474 	buf_len = wpabuf_len(wd);
2475 
2476 	if (buf_len < 6) {
2477 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2478 			   buf_len);
2479 		return -1;
2480 	}
2481 
2482 	alg = WPA_GET_LE16(data);
2483 	seq = WPA_GET_LE16(data + 2);
2484 	status = WPA_GET_LE16(data + 4);
2485 
2486 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2487 		   alg, seq, status);
2488 
2489 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2490 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2491 		return -1;
2492 	}
2493 
2494 	res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2495 	if (res != WLAN_STATUS_SUCCESS) {
2496 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2497 		return -1;
2498 	}
2499 
2500 	pasn->sae.state = SAE_ACCEPTED;
2501 
2502 	/*
2503 	 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2504 	 * PASN/SAE should only be allowed with future PASN only. For now do not
2505 	 * restrict this only for PASN.
2506 	 */
2507 	wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2508 			       pasn->sae.pmk, pasn->sae.pmkid);
2509 	return 0;
2510 }
2511 
2512 
2513 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2514 				       struct sta_info *sta)
2515 {
2516 	struct pasn_data *pasn = sta->pasn;
2517 	struct wpabuf *buf = NULL;
2518 	u8 *len_ptr;
2519 	size_t len;
2520 
2521 	/* Need to add the entire Authentication frame body */
2522 	buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2523 	if (!buf) {
2524 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2525 		return NULL;
2526 	}
2527 
2528 	/* Need to add the entire authentication frame body for the commit */
2529 	len_ptr = wpabuf_put(buf, 2);
2530 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2531 	wpabuf_put_le16(buf, 1);
2532 	wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
2533 
2534 	/* Write the actual commit and update the length accordingly */
2535 	sae_write_commit(&pasn->sae, buf, NULL, 0);
2536 	len = wpabuf_len(buf);
2537 	WPA_PUT_LE16(len_ptr, len - 2);
2538 
2539 	/* Need to add the entire Authentication frame body for the confirm */
2540 	len_ptr = wpabuf_put(buf, 2);
2541 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2542 	wpabuf_put_le16(buf, 2);
2543 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2544 
2545 	sae_write_confirm(&pasn->sae, buf);
2546 	WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2547 
2548 	pasn->sae.state = SAE_CONFIRMED;
2549 
2550 	return buf;
2551 }
2552 
2553 #endif /* CONFIG_SAE */
2554 
2555 
2556 #ifdef CONFIG_FILS
2557 
2558 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2559 					struct sta_info *sta)
2560 {
2561 	struct pasn_data *pasn = sta->pasn;
2562 	struct pasn_fils_data *fils = &pasn->fils;
2563 	struct wpabuf *buf = NULL;
2564 
2565 	if (!fils->erp_resp) {
2566 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2567 		return NULL;
2568 	}
2569 
2570 	buf = wpabuf_alloc(1500);
2571 	if (!buf)
2572 		return NULL;
2573 
2574 	/* Add the authentication algorithm */
2575 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2576 
2577 	/* Authentication Transaction seq# */
2578 	wpabuf_put_le16(buf, 2);
2579 
2580 	/* Status Code */
2581 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2582 
2583 	/* Own RSNE */
2584 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2585 
2586 	/* FILS Nonce */
2587 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2588 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2589 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2590 	wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2591 
2592 	/* FILS Session */
2593 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2594 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2595 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2596 	wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2597 
2598 	/* Wrapped Data */
2599 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2600 	wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2601 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2602 	wpabuf_put_buf(buf, fils->erp_resp);
2603 
2604 	return buf;
2605 }
2606 
2607 
2608 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2609 				struct sta_info *sta, u16 status,
2610 				struct wpabuf *erp_resp,
2611 				const u8 *msk, size_t msk_len)
2612 {
2613 	struct pasn_data *pasn = sta->pasn;
2614 	struct pasn_fils_data *fils = &pasn->fils;
2615 	u8 pmk[PMK_LEN_MAX];
2616 	size_t pmk_len;
2617 	int ret;
2618 
2619 	wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2620 		   status);
2621 
2622 	if (status != WLAN_STATUS_SUCCESS)
2623 		goto fail;
2624 
2625 	if (!pasn->secret) {
2626 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2627 		goto fail;
2628 	}
2629 
2630 	if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2631 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2632 		goto fail;
2633 	}
2634 
2635 	wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2636 		    fils->anonce, FILS_NONCE_LEN);
2637 
2638 	ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2639 			       fils->anonce, NULL, 0, pmk, &pmk_len);
2640 	if (ret) {
2641 		wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2642 		goto fail;
2643 	}
2644 
2645 	ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2646 			      wpabuf_head(pasn->secret),
2647 			      wpabuf_len(pasn->secret),
2648 			      &sta->pasn->ptk, sta->pasn->akmp,
2649 			      sta->pasn->cipher, sta->pasn->kdk_len);
2650 	if (ret) {
2651 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2652 		goto fail;
2653 	}
2654 
2655 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2656 
2657 	wpabuf_free(pasn->secret);
2658 	pasn->secret = NULL;
2659 
2660 	fils->erp_resp = erp_resp;
2661 	ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2662 	fils->erp_resp = NULL;
2663 
2664 	if (ret) {
2665 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2666 		goto fail;
2667 	}
2668 
2669 	fils->state = PASN_FILS_STATE_COMPLETE;
2670 	return;
2671 fail:
2672 	ap_free_sta(hapd, sta);
2673 }
2674 
2675 
2676 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2677 			       struct wpabuf *wd)
2678 {
2679 #ifdef CONFIG_NO_RADIUS
2680 	wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2681 	return -1;
2682 #else /* CONFIG_NO_RADIUS */
2683 	struct pasn_data *pasn = sta->pasn;
2684 	struct pasn_fils_data *fils = &pasn->fils;
2685 	struct ieee802_11_elems elems;
2686 	struct wpa_ie_data rsne_data;
2687 	struct wpabuf *fils_wd;
2688 	const u8 *data;
2689 	size_t buf_len;
2690 	u16 alg, seq, status;
2691 	int ret;
2692 
2693 	if (fils->state != PASN_FILS_STATE_NONE) {
2694 		wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2695 		return -1;
2696 	}
2697 
2698 	if (!wd) {
2699 		wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2700 		return -1;
2701 	}
2702 
2703 	data = wpabuf_head_u8(wd);
2704 	buf_len = wpabuf_len(wd);
2705 
2706 	if (buf_len < 6) {
2707 		wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2708 			   buf_len);
2709 		return -1;
2710 	}
2711 
2712 	alg = WPA_GET_LE16(data);
2713 	seq = WPA_GET_LE16(data + 2);
2714 	status = WPA_GET_LE16(data + 4);
2715 
2716 	wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2717 		   alg, seq, status);
2718 
2719 	if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2720 	    status != WLAN_STATUS_SUCCESS) {
2721 		wpa_printf(MSG_DEBUG,
2722 			   "PASN: FILS: Dropping peer authentication");
2723 		return -1;
2724 	}
2725 
2726 	data += 6;
2727 	buf_len -= 6;
2728 
2729 	if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2730 		wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2731 		return -1;
2732 	}
2733 
2734 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2735 	    !elems.wrapped_data) {
2736 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2737 		return -1;
2738 	}
2739 
2740 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2741 				   &rsne_data);
2742 	if (ret) {
2743 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2744 		return -1;
2745 	}
2746 
2747 	ret = wpa_pasn_validate_rsne(&rsne_data);
2748 	if (ret) {
2749 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2750 		return -1;
2751 	}
2752 
2753 	if (rsne_data.num_pmkid) {
2754 		wpa_printf(MSG_DEBUG,
2755 			   "PASN: FILS: Not expecting PMKID in RSNE");
2756 		return -1;
2757 	}
2758 
2759 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2760 		    FILS_NONCE_LEN);
2761 	os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2762 
2763 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2764 		    FILS_SESSION_LEN);
2765 	os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2766 
2767 	fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2768 				    WLAN_EID_EXT_WRAPPED_DATA);
2769 
2770 	if (!fils_wd) {
2771 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2772 		return -1;
2773 	}
2774 
2775 	if (!sta->eapol_sm)
2776 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2777 
2778 	wpa_printf(MSG_DEBUG,
2779 		   "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2780 
2781 	ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2782 				      wpabuf_len(fils_wd));
2783 
2784 	sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2785 
2786 	fils->state = PASN_FILS_STATE_PENDING_AS;
2787 
2788 	/*
2789 	 * Calculate pending PMKID here so that we do not need to maintain a
2790 	 * copy of the EAP-Initiate/Reautt message.
2791 	 */
2792 	fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2793 		       fils->erp_pmkid);
2794 
2795 	wpabuf_free(fils_wd);
2796 	return 0;
2797 #endif /* CONFIG_NO_RADIUS */
2798 }
2799 
2800 #endif /* CONFIG_FILS */
2801 
2802 
2803 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2804 					     struct sta_info *sta)
2805 {
2806 	switch (sta->pasn->akmp) {
2807 	case WPA_KEY_MGMT_PASN:
2808 		/* no wrapped data */
2809 		return NULL;
2810 	case WPA_KEY_MGMT_SAE:
2811 #ifdef CONFIG_SAE
2812 		return pasn_get_sae_wd(hapd, sta);
2813 #else /* CONFIG_SAE */
2814 		wpa_printf(MSG_ERROR,
2815 			   "PASN: SAE: Cannot derive wrapped data");
2816 		return NULL;
2817 #endif /* CONFIG_SAE */
2818 	case WPA_KEY_MGMT_FILS_SHA256:
2819 	case WPA_KEY_MGMT_FILS_SHA384:
2820 #ifdef CONFIG_FILS
2821 		return pasn_get_fils_wd(hapd, sta);
2822 #endif /* CONFIG_FILS */
2823 		/* fall through */
2824 	case WPA_KEY_MGMT_FT_PSK:
2825 	case WPA_KEY_MGMT_FT_IEEE8021X:
2826 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2827 	default:
2828 		wpa_printf(MSG_ERROR,
2829 			   "PASN: TODO: Wrapped data for akmp=0x%x",
2830 			   sta->pasn->akmp);
2831 		return NULL;
2832 	}
2833 }
2834 
2835 
2836 static int
2837 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2838 		 const u8 *cached_pmk, size_t cached_pmk_len,
2839 		 struct wpa_pasn_params_data *pasn_data,
2840 		 struct wpabuf *wrapped_data,
2841 		 struct wpabuf *secret)
2842 {
2843 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2844 	u8 pmk[PMK_LEN_MAX];
2845 	u8 pmk_len;
2846 	int ret;
2847 
2848 	os_memset(pmk, 0, sizeof(pmk));
2849 	pmk_len = 0;
2850 
2851 	if (!cached_pmk || !cached_pmk_len)
2852 		wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2853 
2854 	if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2855 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2856 
2857 		pmk_len = WPA_PASN_PMK_LEN;
2858 		os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2859 	} else if (cached_pmk && cached_pmk_len) {
2860 		wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2861 
2862 		pmk_len = cached_pmk_len;
2863 		os_memcpy(pmk, cached_pmk, cached_pmk_len);
2864 	} else {
2865 		switch (sta->pasn->akmp) {
2866 #ifdef CONFIG_SAE
2867 		case WPA_KEY_MGMT_SAE:
2868 			if (sta->pasn->sae.state == SAE_COMMITTED) {
2869 				pmk_len = PMK_LEN;
2870 				os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2871 				break;
2872 			}
2873 #endif /* CONFIG_SAE */
2874 			/* fall through */
2875 		default:
2876 			/* TODO: Derive PMK based on wrapped data */
2877 			wpa_printf(MSG_DEBUG,
2878 				   "PASN: Missing PMK derivation");
2879 			return -1;
2880 		}
2881 	}
2882 
2883 	ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2884 			      wpabuf_head(secret), wpabuf_len(secret),
2885 			      &sta->pasn->ptk, sta->pasn->akmp,
2886 			      sta->pasn->cipher, sta->pasn->kdk_len);
2887 	if (ret) {
2888 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2889 		return -1;
2890 	}
2891 
2892 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2893 	return 0;
2894 }
2895 
2896 
2897 static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
2898 				      struct sta_info *sta, u16 group)
2899 {
2900 	struct wpabuf *buf, *comeback;
2901 	int ret;
2902 
2903 	wpa_printf(MSG_DEBUG,
2904 		   "PASN: Building comeback frame 2. Comeback after=%u",
2905 		   hapd->conf->pasn_comeback_after);
2906 
2907 	buf = wpabuf_alloc(1500);
2908 	if (!buf)
2909 		return;
2910 
2911 	wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2912 				   sta->addr, 2,
2913 				   WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
2914 
2915 	/*
2916 	 * Do not include the group as a part of the token since it is not going
2917 	 * to be used.
2918 	 */
2919 	comeback = auth_build_token_req(hapd, 0, sta->addr, 0);
2920 	if (!comeback) {
2921 		wpa_printf(MSG_DEBUG,
2922 			   "PASN: Failed sending auth with comeback");
2923 		wpabuf_free(buf);
2924 		return;
2925 	}
2926 
2927 	wpa_pasn_add_parameter_ie(buf, group,
2928 				  WPA_PASN_WRAPPED_DATA_NO,
2929 				  NULL, 0, comeback,
2930 				  hapd->conf->pasn_comeback_after);
2931 	wpabuf_free(comeback);
2932 
2933 	wpa_printf(MSG_DEBUG,
2934 		   "PASN: comeback: STA=" MACSTR, MAC2STR(sta->addr));
2935 
2936 	ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2937 				    NULL, 0, 0);
2938 	if (ret)
2939 		wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
2940 
2941 	wpabuf_free(buf);
2942 }
2943 
2944 
2945 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2946 				 struct sta_info *sta,
2947 				 struct rsn_pmksa_cache_entry *pmksa,
2948 				 u16 status)
2949 {
2950 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2951 	u8 mic[WPA_PASN_MAX_MIC_LEN];
2952 	u8 mic_len;
2953 	u8 *ptr;
2954 	const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2955 	u8 *data_buf = NULL;
2956 	size_t rsn_ie_len, frame_len, data_len;
2957 	int ret;
2958 	const u8 *pmkid = NULL;
2959 
2960 	wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2961 
2962 	buf = wpabuf_alloc(1500);
2963 	if (!buf)
2964 		goto fail;
2965 
2966 	wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2967 				   sta->addr, 2, status);
2968 
2969 	if (status != WLAN_STATUS_SUCCESS)
2970 		goto done;
2971 
2972 	if (pmksa) {
2973 		pmkid = pmksa->pmkid;
2974 #ifdef CONFIG_SAE
2975 	} else if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
2976 		wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
2977 		pmkid = sta->pasn->sae.pmkid;
2978 #endif /* CONFIG_SAE */
2979 #ifdef CONFIG_FILS
2980 	} else if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
2981 		   sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
2982 		wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
2983 		pmkid = sta->pasn->fils.erp_pmkid;
2984 #endif /* CONFIG_FILS */
2985 	}
2986 
2987 	if (wpa_pasn_add_rsne(buf, pmkid,
2988 			      sta->pasn->akmp, sta->pasn->cipher) < 0)
2989 		goto fail;
2990 
2991 	/* No need to derive PMK if PMKSA is given */
2992 	if (!pmksa)
2993 		wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
2994 	else
2995 		sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
2996 
2997 	/* Get public key */
2998 	pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
2999 	pubkey = wpabuf_zeropad(pubkey,
3000 				crypto_ecdh_prime_len(sta->pasn->ecdh));
3001 	if (!pubkey) {
3002 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
3003 		goto fail;
3004 	}
3005 
3006 	wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
3007 				  sta->pasn->wrapped_data_format,
3008 				  pubkey, true, NULL, 0);
3009 
3010 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
3011 		goto fail;
3012 
3013 	wpabuf_free(wrapped_data_buf);
3014 	wrapped_data_buf = NULL;
3015 	wpabuf_free(pubkey);
3016 	pubkey = NULL;
3017 
3018 	/* Add RSNXE if needed */
3019 	rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
3020 	if (rsnxe_ie)
3021 		wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
3022 
3023 	/* Add the mic */
3024 	mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3025 	wpabuf_put_u8(buf, WLAN_EID_MIC);
3026 	wpabuf_put_u8(buf, mic_len);
3027 	ptr = wpabuf_put(buf, mic_len);
3028 
3029 	os_memset(ptr, 0, mic_len);
3030 
3031 	frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
3032 	frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
3033 
3034 	rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
3035 	if (!rsn_ie || !rsn_ie_len)
3036 		goto fail;
3037 
3038 	/*
3039 	 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
3040 	 * MDE, etc. Thus, do not use the returned length but instead use the
3041 	 * length specified in the IE header.
3042 	 */
3043 	data_len = rsn_ie[1] + 2;
3044 	if (rsnxe_ie) {
3045 		data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
3046 		if (!data_buf)
3047 			goto fail;
3048 
3049 		os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
3050 		os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
3051 		data_len += rsnxe_ie[1] + 2;
3052 		data = data_buf;
3053 	} else {
3054 		data = rsn_ie;
3055 	}
3056 
3057 	ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3058 		       hapd->own_addr, sta->addr, data, data_len,
3059 		       frame, frame_len, mic);
3060 	os_free(data_buf);
3061 	if (ret) {
3062 		wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
3063 		goto fail;
3064 	}
3065 
3066 #ifdef CONFIG_TESTING_OPTIONS
3067 	if (hapd->conf->pasn_corrupt_mic) {
3068 		wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
3069 		mic[0] = ~mic[0];
3070 	}
3071 #endif /* CONFIG_TESTING_OPTIONS */
3072 
3073 	os_memcpy(ptr, mic, mic_len);
3074 
3075 done:
3076 	wpa_printf(MSG_DEBUG,
3077 		   "PASN: Building frame 2: success; resp STA=" MACSTR,
3078 		   MAC2STR(sta->addr));
3079 
3080 	ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
3081 				    NULL, 0, 0);
3082 	if (ret)
3083 		wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
3084 
3085 	wpabuf_free(buf);
3086 	return ret;
3087 fail:
3088 	wpabuf_free(wrapped_data_buf);
3089 	wpabuf_free(pubkey);
3090 	wpabuf_free(buf);
3091 	return -1;
3092 }
3093 
3094 
3095 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3096 			       const struct ieee80211_mgmt *mgmt, size_t len)
3097 {
3098 	struct ieee802_11_elems elems;
3099 	struct wpa_ie_data rsn_data;
3100 	struct wpa_pasn_params_data pasn_params;
3101 	struct rsn_pmksa_cache_entry *pmksa = NULL;
3102 	const u8 *cached_pmk = NULL;
3103 	size_t cached_pmk_len = 0;
3104 #ifdef CONFIG_IEEE80211R_AP
3105 	u8 pmk_r1[PMK_LEN_MAX];
3106 	size_t pmk_r1_len;
3107 #endif /* CONFIG_IEEE80211R_AP */
3108 	struct wpabuf *wrapped_data = NULL, *secret = NULL;
3109 	const int *groups = hapd->conf->pasn_groups;
3110 	static const int default_groups[] = { 19, 0 };
3111 	u16 status = WLAN_STATUS_SUCCESS;
3112 	int ret, inc_y;
3113 	bool derive_keys;
3114 	u32 i;
3115 
3116 	if (!groups)
3117 		groups = default_groups;
3118 
3119 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3120 				   len - offsetof(struct ieee80211_mgmt,
3121 						  u.auth.variable),
3122 				   &elems, 0) == ParseFailed) {
3123 		wpa_printf(MSG_DEBUG,
3124 			   "PASN: Failed parsing Authentication frame");
3125 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3126 		goto send_resp;
3127 	}
3128 
3129 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3130 				   &rsn_data);
3131 	if (ret) {
3132 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3133 		status = WLAN_STATUS_INVALID_RSNIE;
3134 		goto send_resp;
3135 	}
3136 
3137 	ret = wpa_pasn_validate_rsne(&rsn_data);
3138 	if (ret) {
3139 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3140 		status = WLAN_STATUS_INVALID_RSNIE;
3141 		goto send_resp;
3142 	}
3143 
3144 	if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3145 	    !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3146 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3147 		status = WLAN_STATUS_INVALID_RSNIE;
3148 		goto send_resp;
3149 	}
3150 
3151 	sta->pasn->akmp = rsn_data.key_mgmt;
3152 	sta->pasn->cipher = rsn_data.pairwise_cipher;
3153 
3154 	if (hapd->conf->force_kdk_derivation ||
3155 	    ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
3156 	     ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
3157 				       WLAN_RSNX_CAPAB_SECURE_LTF)))
3158 		sta->pasn->kdk_len = WPA_KDK_MAX_LEN;
3159 	else
3160 		sta->pasn->kdk_len = 0;
3161 	wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len);
3162 
3163 	if (!elems.pasn_params || !elems.pasn_params_len) {
3164 		wpa_printf(MSG_DEBUG,
3165 			   "PASN: No PASN Parameters element found");
3166 		status = WLAN_STATUS_INVALID_PARAMETERS;
3167 		goto send_resp;
3168 	}
3169 
3170 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3171 					  elems.pasn_params_len + 3,
3172 					  false, &pasn_params);
3173 	if (ret) {
3174 		wpa_printf(MSG_DEBUG,
3175 			   "PASN: Failed validation of PASN Parameters IE");
3176 		status = WLAN_STATUS_INVALID_PARAMETERS;
3177 		goto send_resp;
3178 	}
3179 
3180 	for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3181 		;
3182 
3183 	if (!pasn_params.group || groups[i] != pasn_params.group) {
3184 		wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3185 			   pasn_params.group);
3186 		status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3187 		goto send_resp;
3188 	}
3189 
3190 	if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3191 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3192 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3193 		goto send_resp;
3194 	}
3195 
3196 	if (pasn_params.comeback) {
3197 		wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
3198 
3199 		ret = check_comeback_token(hapd, sta->addr,
3200 					   pasn_params.comeback,
3201 					   pasn_params.comeback_len);
3202 
3203 		if (ret) {
3204 			wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
3205 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3206 			goto send_resp;
3207 		}
3208 	} else if (use_anti_clogging(hapd)) {
3209 		wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
3210 		handle_auth_pasn_comeback(hapd, sta, pasn_params.group);
3211 		ap_free_sta(hapd, sta);
3212 		return;
3213 	}
3214 
3215 	sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3216 	if (!sta->pasn->ecdh) {
3217 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3218 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3219 		goto send_resp;
3220 	}
3221 
3222 	sta->pasn->group = pasn_params.group;
3223 
3224 	if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
3225 		inc_y = 1;
3226 	} else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
3227 		   pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
3228 		inc_y = 0;
3229 	} else {
3230 		wpa_printf(MSG_DEBUG,
3231 			   "PASN: Invalid first octet in pubkey=0x%x",
3232 			   pasn_params.pubkey[0]);
3233 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3234 		goto send_resp;
3235 	}
3236 
3237 	secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, inc_y,
3238 					 pasn_params.pubkey + 1,
3239 					 pasn_params.pubkey_len - 1);
3240 	if (!secret) {
3241 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3242 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3243 		goto send_resp;
3244 	}
3245 
3246 	derive_keys = true;
3247 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3248 		wrapped_data = ieee802_11_defrag(&elems,
3249 						 WLAN_EID_EXTENSION,
3250 						 WLAN_EID_EXT_WRAPPED_DATA);
3251 		if (!wrapped_data) {
3252 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3253 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3254 			goto send_resp;
3255 		}
3256 
3257 #ifdef CONFIG_SAE
3258 		if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3259 			ret = pasn_wd_handle_sae_commit(hapd, sta,
3260 							wrapped_data);
3261 			if (ret) {
3262 				wpa_printf(MSG_DEBUG,
3263 					   "PASN: Failed processing SAE commit");
3264 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3265 				goto send_resp;
3266 			}
3267 		}
3268 #endif /* CONFIG_SAE */
3269 #ifdef CONFIG_FILS
3270 		if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3271 		    sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3272 			ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3273 			if (ret) {
3274 				wpa_printf(MSG_DEBUG,
3275 					   "PASN: Failed processing FILS wrapped data");
3276 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3277 				goto send_resp;
3278 			}
3279 
3280 			wpa_printf(MSG_DEBUG,
3281 				   "PASN: FILS: Pending AS response");
3282 
3283 			/*
3284 			 * With PASN/FILS, keys can be derived only after a
3285 			 * response from the AS is processed.
3286 			 */
3287 			derive_keys = false;
3288 		}
3289 #endif /* CONFIG_FILS */
3290 	}
3291 
3292 	sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3293 
3294 	ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3295 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3296 				   len - IEEE80211_HDRLEN, sta->pasn->hash);
3297 	if (ret) {
3298 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3299 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3300 		goto send_resp;
3301 	}
3302 
3303 	if (!derive_keys) {
3304 		wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3305 		sta->pasn->secret = secret;
3306 		wpabuf_free(wrapped_data);
3307 		return;
3308 	}
3309 
3310 	if (rsn_data.num_pmkid) {
3311 		if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3312 #ifdef CONFIG_IEEE80211R_AP
3313 			wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3314 
3315 			ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3316 						  rsn_data.pmkid,
3317 						  pmk_r1, &pmk_r1_len, NULL,
3318 						  NULL, NULL, NULL,
3319 						  NULL, NULL, NULL);
3320 			if (ret) {
3321 				wpa_printf(MSG_DEBUG,
3322 					   "PASN: FT: Failed getting PMK-R1");
3323 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3324 				goto send_resp;
3325 			}
3326 			cached_pmk = pmk_r1;
3327 			cached_pmk_len = pmk_r1_len;
3328 #else /* CONFIG_IEEE80211R_AP */
3329 			wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3330 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3331 			goto send_resp;
3332 #endif /* CONFIG_IEEE80211R_AP */
3333 		} else {
3334 			wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3335 
3336 			pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3337 						   rsn_data.pmkid);
3338 			if (pmksa) {
3339 				cached_pmk = pmksa->pmk;
3340 				cached_pmk_len = pmksa->pmk_len;
3341 			}
3342 		}
3343 	} else {
3344 		wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3345 	}
3346 
3347 	ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3348 			       &pasn_params, wrapped_data, secret);
3349 	if (ret) {
3350 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3351 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3352 		goto send_resp;
3353 	}
3354 
3355 	ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3356 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3357 				   len - IEEE80211_HDRLEN, sta->pasn->hash);
3358 	if (ret) {
3359 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3360 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3361 	}
3362 
3363 send_resp:
3364 	ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3365 	if (ret) {
3366 		wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3367 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3368 	} else {
3369 		wpa_printf(MSG_DEBUG,
3370 			   "PASN: Success handling transaction == 1");
3371 	}
3372 
3373 	wpabuf_free(secret);
3374 	wpabuf_free(wrapped_data);
3375 
3376 	if (status != WLAN_STATUS_SUCCESS)
3377 		ap_free_sta(hapd, sta);
3378 }
3379 
3380 
3381 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3382 			       const struct ieee80211_mgmt *mgmt, size_t len)
3383 {
3384 	struct ieee802_11_elems elems;
3385 	struct wpa_pasn_params_data pasn_params;
3386 	struct wpabuf *wrapped_data = NULL;
3387 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3388 	u8 mic_len;
3389 	int ret;
3390 
3391 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3392 				   len - offsetof(struct ieee80211_mgmt,
3393 						  u.auth.variable),
3394 				   &elems, 0) == ParseFailed) {
3395 		wpa_printf(MSG_DEBUG,
3396 			   "PASN: Failed parsing Authentication frame");
3397 		goto fail;
3398 	}
3399 
3400 	/* Check that the MIC IE exists. Save it and zero out the memory. */
3401 	mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3402 	if (!elems.mic || elems.mic_len != mic_len) {
3403 		wpa_printf(MSG_DEBUG,
3404 			   "PASN: Invalid MIC. Expecting len=%u", mic_len);
3405 		goto fail;
3406 	} else {
3407 		os_memcpy(mic, elems.mic, mic_len);
3408 		/* TODO: Clean this up.. Should not modify received frame
3409 		 * buffer. */
3410 		os_memset((u8 *) elems.mic, 0, mic_len);
3411 	}
3412 
3413 	if (!elems.pasn_params || !elems.pasn_params_len) {
3414 		wpa_printf(MSG_DEBUG,
3415 			   "PASN: No PASN Parameters element found");
3416 		goto fail;
3417 	}
3418 
3419 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3420 					  elems.pasn_params_len + 3,
3421 					  false, &pasn_params);
3422 	if (ret) {
3423 		wpa_printf(MSG_DEBUG,
3424 			   "PASN: Failed validation of PASN Parameters IE");
3425 		goto fail;
3426 	}
3427 
3428 	if (pasn_params.pubkey || pasn_params.pubkey_len) {
3429 		wpa_printf(MSG_DEBUG,
3430 			   "PASN: Public key should not be included");
3431 		goto fail;
3432 	}
3433 
3434 	/* Verify the MIC */
3435 	ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3436 		       sta->addr, hapd->own_addr,
3437 		       sta->pasn->hash, mic_len * 2,
3438 		       (u8 *) &mgmt->u.auth,
3439 		       len - offsetof(struct ieee80211_mgmt, u.auth),
3440 		       out_mic);
3441 
3442 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3443 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3444 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3445 		goto fail;
3446 	}
3447 
3448 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3449 		wrapped_data = ieee802_11_defrag(&elems,
3450 						 WLAN_EID_EXTENSION,
3451 						 WLAN_EID_EXT_WRAPPED_DATA);
3452 
3453 		if (!wrapped_data) {
3454 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3455 			goto fail;
3456 		}
3457 
3458 #ifdef CONFIG_SAE
3459 		if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3460 			ret = pasn_wd_handle_sae_confirm(hapd, sta,
3461 							 wrapped_data);
3462 			if (ret) {
3463 				wpa_printf(MSG_DEBUG,
3464 					   "PASN: Failed processing SAE confirm");
3465 				wpabuf_free(wrapped_data);
3466 				goto fail;
3467 			}
3468 		}
3469 #endif /* CONFIG_SAE */
3470 #ifdef CONFIG_FILS
3471 		if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3472 		    sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3473 			if (wrapped_data) {
3474 				wpa_printf(MSG_DEBUG,
3475 					   "PASN: FILS: Ignore wrapped data");
3476 			}
3477 		}
3478 #endif /* CONFIG_FILS */
3479 		wpabuf_free(wrapped_data);
3480 	}
3481 
3482 	wpa_printf(MSG_INFO,
3483 		   "PASN: Success handling transaction == 3. Store PTK");
3484 
3485 	ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3486 			&sta->pasn->ptk);
3487 fail:
3488 	ap_free_sta(hapd, sta);
3489 }
3490 
3491 
3492 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3493 			     const struct ieee80211_mgmt *mgmt, size_t len,
3494 			     u16 trans_seq, u16 status)
3495 {
3496 	if (hapd->conf->wpa != WPA_PROTO_RSN) {
3497 		wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3498 		return;
3499 	}
3500 
3501 	wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
3502 		   MAC2STR(sta->addr));
3503 
3504 	if (trans_seq == 1) {
3505 		if (sta->pasn) {
3506 			wpa_printf(MSG_DEBUG,
3507 				   "PASN: Not expecting transaction == 1");
3508 			return;
3509 		}
3510 
3511 		if (status != WLAN_STATUS_SUCCESS) {
3512 			wpa_printf(MSG_DEBUG,
3513 				   "PASN: Failure status in transaction == 1");
3514 			return;
3515 		}
3516 
3517 		sta->pasn = os_zalloc(sizeof(*sta->pasn));
3518 		if (!sta->pasn) {
3519 			wpa_printf(MSG_DEBUG,
3520 				   "PASN: Failed to allocate PASN context");
3521 			return;
3522 		}
3523 
3524 		handle_auth_pasn_1(hapd, sta, mgmt, len);
3525 	} else if (trans_seq == 3) {
3526 		if (!sta->pasn) {
3527 			wpa_printf(MSG_DEBUG,
3528 				   "PASN: Not expecting transaction == 3");
3529 			return;
3530 		}
3531 
3532 		if (status != WLAN_STATUS_SUCCESS) {
3533 			wpa_printf(MSG_DEBUG,
3534 				   "PASN: Failure status in transaction == 3");
3535 			ap_free_sta_pasn(hapd, sta);
3536 			return;
3537 		}
3538 
3539 		handle_auth_pasn_3(hapd, sta, mgmt, len);
3540 	} else {
3541 		wpa_printf(MSG_DEBUG,
3542 			   "PASN: Invalid transaction %u - ignore", trans_seq);
3543 	}
3544 }
3545 
3546 #endif /* CONFIG_PASN */
3547 
3548 
3549 static void handle_auth(struct hostapd_data *hapd,
3550 			const struct ieee80211_mgmt *mgmt, size_t len,
3551 			int rssi, int from_queue)
3552 {
3553 	u16 auth_alg, auth_transaction, status_code;
3554 	u16 resp = WLAN_STATUS_SUCCESS;
3555 	struct sta_info *sta = NULL;
3556 	int res, reply_res;
3557 	u16 fc;
3558 	const u8 *challenge = NULL;
3559 	u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3560 	size_t resp_ies_len = 0;
3561 	u16 seq_ctrl;
3562 	struct radius_sta rad_info;
3563 
3564 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3565 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3566 			   (unsigned long) len);
3567 		return;
3568 	}
3569 
3570 #ifdef CONFIG_TESTING_OPTIONS
3571 	if (hapd->iconf->ignore_auth_probability > 0.0 &&
3572 	    drand48() < hapd->iconf->ignore_auth_probability) {
3573 		wpa_printf(MSG_INFO,
3574 			   "TESTING: ignoring auth frame from " MACSTR,
3575 			   MAC2STR(mgmt->sa));
3576 		return;
3577 	}
3578 #endif /* CONFIG_TESTING_OPTIONS */
3579 
3580 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3581 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3582 	status_code = le_to_host16(mgmt->u.auth.status_code);
3583 	fc = le_to_host16(mgmt->frame_control);
3584 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3585 
3586 	if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3587 	    2 + WLAN_AUTH_CHALLENGE_LEN &&
3588 	    mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3589 	    mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3590 		challenge = &mgmt->u.auth.variable[2];
3591 
3592 	wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
3593 		   "auth_transaction=%d status_code=%d wep=%d%s "
3594 		   "seq_ctrl=0x%x%s%s",
3595 		   MAC2STR(mgmt->sa), auth_alg, auth_transaction,
3596 		   status_code, !!(fc & WLAN_FC_ISWEP),
3597 		   challenge ? " challenge" : "",
3598 		   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3599 		   from_queue ? " (from queue)" : "");
3600 
3601 #ifdef CONFIG_NO_RC4
3602 	if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3603 		wpa_printf(MSG_INFO,
3604 			   "Unsupported authentication algorithm (%d)",
3605 			   auth_alg);
3606 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3607 		goto fail;
3608 	}
3609 #endif /* CONFIG_NO_RC4 */
3610 
3611 	if (hapd->tkip_countermeasures) {
3612 		wpa_printf(MSG_DEBUG,
3613 			   "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3614 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3615 		goto fail;
3616 	}
3617 
3618 	if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3619 	       auth_alg == WLAN_AUTH_OPEN) ||
3620 #ifdef CONFIG_IEEE80211R_AP
3621 	      (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3622 	       auth_alg == WLAN_AUTH_FT) ||
3623 #endif /* CONFIG_IEEE80211R_AP */
3624 #ifdef CONFIG_SAE
3625 	      (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3626 	       auth_alg == WLAN_AUTH_SAE) ||
3627 #endif /* CONFIG_SAE */
3628 #ifdef CONFIG_FILS
3629 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3630 	       auth_alg == WLAN_AUTH_FILS_SK) ||
3631 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3632 	       hapd->conf->fils_dh_group &&
3633 	       auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3634 #endif /* CONFIG_FILS */
3635 #ifdef CONFIG_PASN
3636 	      (hapd->conf->wpa &&
3637 	       (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3638 	       auth_alg == WLAN_AUTH_PASN) ||
3639 #endif /* CONFIG_PASN */
3640 	      ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3641 	       auth_alg == WLAN_AUTH_SHARED_KEY))) {
3642 		wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3643 			   auth_alg);
3644 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3645 		goto fail;
3646 	}
3647 
3648 	if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3649 #ifdef CONFIG_PASN
3650 	      (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3651 #endif /* CONFIG_PASN */
3652 	      (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3653 		wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3654 			   auth_transaction);
3655 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3656 		goto fail;
3657 	}
3658 
3659 	if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3660 		wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3661 			   MAC2STR(mgmt->sa));
3662 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3663 		goto fail;
3664 	}
3665 
3666 	if (hapd->conf->no_auth_if_seen_on) {
3667 		struct hostapd_data *other;
3668 
3669 		other = sta_track_seen_on(hapd->iface, mgmt->sa,
3670 					  hapd->conf->no_auth_if_seen_on);
3671 		if (other) {
3672 			u8 *pos;
3673 			u32 info;
3674 			u8 op_class, channel, phytype;
3675 
3676 			wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3677 				   MACSTR " since STA has been seen on %s",
3678 				   hapd->conf->iface, MAC2STR(mgmt->sa),
3679 				   hapd->conf->no_auth_if_seen_on);
3680 
3681 			resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3682 			pos = &resp_ies[0];
3683 			*pos++ = WLAN_EID_NEIGHBOR_REPORT;
3684 			*pos++ = 13;
3685 			os_memcpy(pos, other->own_addr, ETH_ALEN);
3686 			pos += ETH_ALEN;
3687 			info = 0; /* TODO: BSSID Information */
3688 			WPA_PUT_LE32(pos, info);
3689 			pos += 4;
3690 			if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3691 				phytype = 8; /* dmg */
3692 			else if (other->iconf->ieee80211ac)
3693 				phytype = 9; /* vht */
3694 			else if (other->iconf->ieee80211n)
3695 				phytype = 7; /* ht */
3696 			else if (other->iconf->hw_mode ==
3697 				 HOSTAPD_MODE_IEEE80211A)
3698 				phytype = 4; /* ofdm */
3699 			else if (other->iconf->hw_mode ==
3700 				 HOSTAPD_MODE_IEEE80211G)
3701 				phytype = 6; /* erp */
3702 			else
3703 				phytype = 5; /* hrdsss */
3704 			if (ieee80211_freq_to_channel_ext(
3705 				    hostapd_hw_get_freq(other,
3706 							other->iconf->channel),
3707 				    other->iconf->secondary_channel,
3708 				    other->iconf->ieee80211ac,
3709 				    &op_class, &channel) == NUM_HOSTAPD_MODES) {
3710 				op_class = 0;
3711 				channel = other->iconf->channel;
3712 			}
3713 			*pos++ = op_class;
3714 			*pos++ = channel;
3715 			*pos++ = phytype;
3716 			resp_ies_len = pos - &resp_ies[0];
3717 			goto fail;
3718 		}
3719 	}
3720 
3721 	res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3722 					 &rad_info);
3723 	if (res == HOSTAPD_ACL_REJECT) {
3724 		wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3725 			"Ignore Authentication frame from " MACSTR
3726 			" due to ACL reject", MAC2STR(mgmt->sa));
3727 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3728 		goto fail;
3729 	}
3730 	if (res == HOSTAPD_ACL_PENDING)
3731 		return;
3732 
3733 #ifdef CONFIG_SAE
3734 	if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3735 	    (auth_transaction == 1 ||
3736 	     (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3737 		/* Handle SAE Authentication commit message through a queue to
3738 		 * provide more control for postponing the needed heavy
3739 		 * processing under a possible DoS attack scenario. In addition,
3740 		 * queue SAE Authentication confirm message if there happens to
3741 		 * be a queued commit message from the same peer. This is needed
3742 		 * to avoid reordering Authentication frames within the same
3743 		 * SAE exchange. */
3744 		auth_sae_queue(hapd, mgmt, len, rssi);
3745 		return;
3746 	}
3747 #endif /* CONFIG_SAE */
3748 
3749 	sta = ap_get_sta(hapd, mgmt->sa);
3750 	if (sta) {
3751 		sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3752 		sta->ft_over_ds = 0;
3753 		if ((fc & WLAN_FC_RETRY) &&
3754 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3755 		    sta->last_seq_ctrl == seq_ctrl &&
3756 		    sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3757 			hostapd_logger(hapd, sta->addr,
3758 				       HOSTAPD_MODULE_IEEE80211,
3759 				       HOSTAPD_LEVEL_DEBUG,
3760 				       "Drop repeated authentication frame seq_ctrl=0x%x",
3761 				       seq_ctrl);
3762 			return;
3763 		}
3764 #ifdef CONFIG_MESH
3765 		if ((hapd->conf->mesh & MESH_ENABLED) &&
3766 		    sta->plink_state == PLINK_BLOCKED) {
3767 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3768 				   " is blocked - drop Authentication frame",
3769 				   MAC2STR(mgmt->sa));
3770 			return;
3771 		}
3772 #endif /* CONFIG_MESH */
3773 #ifdef CONFIG_PASN
3774 		if (auth_alg == WLAN_AUTH_PASN &&
3775 		    (sta->flags & WLAN_STA_ASSOC)) {
3776 			wpa_printf(MSG_DEBUG,
3777 				   "PASN: auth: Existing station: " MACSTR,
3778 				   MAC2STR(sta->addr));
3779 			return;
3780 		}
3781 #endif /* CONFIG_PASN */
3782 	} else {
3783 #ifdef CONFIG_MESH
3784 		if (hapd->conf->mesh & MESH_ENABLED) {
3785 			/* if the mesh peer is not available, we don't do auth.
3786 			 */
3787 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3788 				   " not yet known - drop Authentication frame",
3789 				   MAC2STR(mgmt->sa));
3790 			/*
3791 			 * Save a copy of the frame so that it can be processed
3792 			 * if a new peer entry is added shortly after this.
3793 			 */
3794 			wpabuf_free(hapd->mesh_pending_auth);
3795 			hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3796 			os_get_reltime(&hapd->mesh_pending_auth_time);
3797 			return;
3798 		}
3799 #endif /* CONFIG_MESH */
3800 
3801 		sta = ap_sta_add(hapd, mgmt->sa);
3802 		if (!sta) {
3803 			wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3804 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3805 			goto fail;
3806 		}
3807 	}
3808 	sta->last_seq_ctrl = seq_ctrl;
3809 	sta->last_subtype = WLAN_FC_STYPE_AUTH;
3810 #ifdef CONFIG_MBO
3811 	sta->auth_rssi = rssi;
3812 #endif /* CONFIG_MBO */
3813 
3814 	res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3815 	if (res) {
3816 		wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3817 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3818 		goto fail;
3819 	}
3820 
3821 	sta->flags &= ~WLAN_STA_PREAUTH;
3822 	ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3823 
3824 	/*
3825 	 * If the driver supports full AP client state, add a station to the
3826 	 * driver before sending authentication reply to make sure the driver
3827 	 * has resources, and not to go through the entire authentication and
3828 	 * association handshake, and fail it at the end.
3829 	 *
3830 	 * If this is not the first transaction, in a multi-step authentication
3831 	 * algorithm, the station already exists in the driver
3832 	 * (sta->added_unassoc = 1) so skip it.
3833 	 *
3834 	 * In mesh mode, the station was already added to the driver when the
3835 	 * NEW_PEER_CANDIDATE event is received.
3836 	 *
3837 	 * If PMF was negotiated for the existing association, skip this to
3838 	 * avoid dropping the STA entry and the associated keys. This is needed
3839 	 * to allow the original connection work until the attempt can complete
3840 	 * (re)association, so that unprotected Authentication frame cannot be
3841 	 * used to bypass PMF protection.
3842 	 *
3843 	 * PASN authentication does not require adding/removing station to the
3844 	 * driver so skip this flow in case of PASN authentication.
3845 	 */
3846 	if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3847 	    (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3848 	    !(hapd->conf->mesh & MESH_ENABLED) &&
3849 	    !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3850 		if (ap_sta_re_add(hapd, sta) < 0) {
3851 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3852 			goto fail;
3853 		}
3854 	}
3855 
3856 	switch (auth_alg) {
3857 	case WLAN_AUTH_OPEN:
3858 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3859 			       HOSTAPD_LEVEL_DEBUG,
3860 			       "authentication OK (open system)");
3861 		sta->flags |= WLAN_STA_AUTH;
3862 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3863 		sta->auth_alg = WLAN_AUTH_OPEN;
3864 		mlme_authenticate_indication(hapd, sta);
3865 		break;
3866 #ifdef CONFIG_WEP
3867 #ifndef CONFIG_NO_RC4
3868 	case WLAN_AUTH_SHARED_KEY:
3869 		resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3870 				       fc & WLAN_FC_ISWEP);
3871 		if (resp != 0)
3872 			wpa_printf(MSG_DEBUG,
3873 				   "auth_shared_key() failed: status=%d", resp);
3874 		sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3875 		mlme_authenticate_indication(hapd, sta);
3876 		if (sta->challenge && auth_transaction == 1) {
3877 			resp_ies[0] = WLAN_EID_CHALLENGE;
3878 			resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3879 			os_memcpy(resp_ies + 2, sta->challenge,
3880 				  WLAN_AUTH_CHALLENGE_LEN);
3881 			resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3882 		}
3883 		break;
3884 #endif /* CONFIG_NO_RC4 */
3885 #endif /* CONFIG_WEP */
3886 #ifdef CONFIG_IEEE80211R_AP
3887 	case WLAN_AUTH_FT:
3888 		sta->auth_alg = WLAN_AUTH_FT;
3889 		if (sta->wpa_sm == NULL)
3890 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3891 							sta->addr, NULL);
3892 		if (sta->wpa_sm == NULL) {
3893 			wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3894 				   "state machine");
3895 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3896 			goto fail;
3897 		}
3898 		wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3899 				    auth_transaction, mgmt->u.auth.variable,
3900 				    len - IEEE80211_HDRLEN -
3901 				    sizeof(mgmt->u.auth),
3902 				    handle_auth_ft_finish, hapd);
3903 		/* handle_auth_ft_finish() callback will complete auth. */
3904 		return;
3905 #endif /* CONFIG_IEEE80211R_AP */
3906 #ifdef CONFIG_SAE
3907 	case WLAN_AUTH_SAE:
3908 #ifdef CONFIG_MESH
3909 		if (status_code == WLAN_STATUS_SUCCESS &&
3910 		    hapd->conf->mesh & MESH_ENABLED) {
3911 			if (sta->wpa_sm == NULL)
3912 				sta->wpa_sm =
3913 					wpa_auth_sta_init(hapd->wpa_auth,
3914 							  sta->addr, NULL);
3915 			if (sta->wpa_sm == NULL) {
3916 				wpa_printf(MSG_DEBUG,
3917 					   "SAE: Failed to initialize WPA state machine");
3918 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3919 				goto fail;
3920 			}
3921 		}
3922 #endif /* CONFIG_MESH */
3923 		handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3924 				status_code);
3925 		return;
3926 #endif /* CONFIG_SAE */
3927 #ifdef CONFIG_FILS
3928 	case WLAN_AUTH_FILS_SK:
3929 	case WLAN_AUTH_FILS_SK_PFS:
3930 		handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3931 				 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3932 				 auth_alg, auth_transaction, status_code,
3933 				 handle_auth_fils_finish);
3934 		return;
3935 #endif /* CONFIG_FILS */
3936 #ifdef CONFIG_PASN
3937 	case WLAN_AUTH_PASN:
3938 		handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3939 				 status_code);
3940 		return;
3941 #endif /* CONFIG_PASN */
3942 	}
3943 
3944  fail:
3945 	reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3946 				    auth_alg == WLAN_AUTH_SAE ?
3947 				    auth_transaction : auth_transaction + 1,
3948 				    resp, resp_ies, resp_ies_len,
3949 				    "handle-auth");
3950 
3951 	if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3952 					  reply_res != WLAN_STATUS_SUCCESS)) {
3953 		hostapd_drv_sta_remove(hapd, sta->addr);
3954 		sta->added_unassoc = 0;
3955 	}
3956 }
3957 
3958 
3959 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3960 {
3961 	int i, j = 32, aid;
3962 
3963 	/* get a unique AID */
3964 	if (sta->aid > 0) {
3965 		wpa_printf(MSG_DEBUG, "  old AID %d", sta->aid);
3966 		return 0;
3967 	}
3968 
3969 	if (TEST_FAIL())
3970 		return -1;
3971 
3972 	for (i = 0; i < AID_WORDS; i++) {
3973 		if (hapd->sta_aid[i] == (u32) -1)
3974 			continue;
3975 		for (j = 0; j < 32; j++) {
3976 			if (!(hapd->sta_aid[i] & BIT(j)))
3977 				break;
3978 		}
3979 		if (j < 32)
3980 			break;
3981 	}
3982 	if (j == 32)
3983 		return -1;
3984 	aid = i * 32 + j + 1;
3985 	if (aid > 2007)
3986 		return -1;
3987 
3988 	sta->aid = aid;
3989 	hapd->sta_aid[i] |= BIT(j);
3990 	wpa_printf(MSG_DEBUG, "  new AID %d", sta->aid);
3991 	return 0;
3992 }
3993 
3994 
3995 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3996 		      const u8 *ssid_ie, size_t ssid_ie_len)
3997 {
3998 	if (ssid_ie == NULL)
3999 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4000 
4001 	if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
4002 	    os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
4003 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4004 			       HOSTAPD_LEVEL_INFO,
4005 			       "Station tried to associate with unknown SSID "
4006 			       "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
4007 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4008 	}
4009 
4010 	return WLAN_STATUS_SUCCESS;
4011 }
4012 
4013 
4014 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
4015 		     const u8 *wmm_ie, size_t wmm_ie_len)
4016 {
4017 	sta->flags &= ~WLAN_STA_WMM;
4018 	sta->qosinfo = 0;
4019 	if (wmm_ie && hapd->conf->wmm_enabled) {
4020 		struct wmm_information_element *wmm;
4021 
4022 		if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
4023 			hostapd_logger(hapd, sta->addr,
4024 				       HOSTAPD_MODULE_WPA,
4025 				       HOSTAPD_LEVEL_DEBUG,
4026 				       "invalid WMM element in association "
4027 				       "request");
4028 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4029 		}
4030 
4031 		sta->flags |= WLAN_STA_WMM;
4032 		wmm = (struct wmm_information_element *) wmm_ie;
4033 		sta->qosinfo = wmm->qos_info;
4034 	}
4035 	return WLAN_STATUS_SUCCESS;
4036 }
4037 
4038 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
4039 			  const u8 *multi_ap_ie, size_t multi_ap_len)
4040 {
4041 	u8 multi_ap_value = 0;
4042 
4043 	sta->flags &= ~WLAN_STA_MULTI_AP;
4044 
4045 	if (!hapd->conf->multi_ap)
4046 		return WLAN_STATUS_SUCCESS;
4047 
4048 	if (multi_ap_ie) {
4049 		const u8 *multi_ap_subelem;
4050 
4051 		multi_ap_subelem = get_ie(multi_ap_ie + 4,
4052 					  multi_ap_len - 4,
4053 					  MULTI_AP_SUB_ELEM_TYPE);
4054 		if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
4055 			multi_ap_value = multi_ap_subelem[2];
4056 		} else {
4057 			hostapd_logger(hapd, sta->addr,
4058 				       HOSTAPD_MODULE_IEEE80211,
4059 				       HOSTAPD_LEVEL_INFO,
4060 				       "Multi-AP IE has missing or invalid Multi-AP subelement");
4061 			return WLAN_STATUS_INVALID_IE;
4062 		}
4063 	}
4064 
4065 	if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
4066 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4067 			       HOSTAPD_LEVEL_INFO,
4068 			       "Multi-AP IE with unexpected value 0x%02x",
4069 			       multi_ap_value);
4070 
4071 	if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
4072 		if (hapd->conf->multi_ap & FRONTHAUL_BSS)
4073 			return WLAN_STATUS_SUCCESS;
4074 
4075 		hostapd_logger(hapd, sta->addr,
4076 			       HOSTAPD_MODULE_IEEE80211,
4077 			       HOSTAPD_LEVEL_INFO,
4078 			       "Non-Multi-AP STA tries to associate with backhaul-only BSS");
4079 		return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
4080 	}
4081 
4082 	if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
4083 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4084 			       HOSTAPD_LEVEL_DEBUG,
4085 			       "Backhaul STA tries to associate with fronthaul-only BSS");
4086 
4087 	sta->flags |= WLAN_STA_MULTI_AP;
4088 	return WLAN_STATUS_SUCCESS;
4089 }
4090 
4091 
4092 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
4093 			   struct ieee802_11_elems *elems)
4094 {
4095 	/* Supported rates not used in IEEE 802.11ad/DMG */
4096 	if (hapd->iface->current_mode &&
4097 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
4098 		return WLAN_STATUS_SUCCESS;
4099 
4100 	if (!elems->supp_rates) {
4101 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4102 			       HOSTAPD_LEVEL_DEBUG,
4103 			       "No supported rates element in AssocReq");
4104 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4105 	}
4106 
4107 	if (elems->supp_rates_len + elems->ext_supp_rates_len >
4108 	    sizeof(sta->supported_rates)) {
4109 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4110 			       HOSTAPD_LEVEL_DEBUG,
4111 			       "Invalid supported rates element length %d+%d",
4112 			       elems->supp_rates_len,
4113 			       elems->ext_supp_rates_len);
4114 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4115 	}
4116 
4117 	sta->supported_rates_len = merge_byte_arrays(
4118 		sta->supported_rates, sizeof(sta->supported_rates),
4119 		elems->supp_rates, elems->supp_rates_len,
4120 		elems->ext_supp_rates, elems->ext_supp_rates_len);
4121 
4122 	return WLAN_STATUS_SUCCESS;
4123 }
4124 
4125 
4126 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
4127 			   const u8 *ext_capab_ie, size_t ext_capab_ie_len)
4128 {
4129 #ifdef CONFIG_INTERWORKING
4130 	/* check for QoS Map support */
4131 	if (ext_capab_ie_len >= 5) {
4132 		if (ext_capab_ie[4] & 0x01)
4133 			sta->qos_map_enabled = 1;
4134 	}
4135 #endif /* CONFIG_INTERWORKING */
4136 
4137 	if (ext_capab_ie_len > 0) {
4138 		sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4139 		os_free(sta->ext_capability);
4140 		sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4141 		if (sta->ext_capability) {
4142 			sta->ext_capability[0] = ext_capab_ie_len;
4143 			os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4144 				  ext_capab_ie_len);
4145 		}
4146 	}
4147 
4148 	return WLAN_STATUS_SUCCESS;
4149 }
4150 
4151 
4152 #ifdef CONFIG_OWE
4153 
4154 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4155 {
4156 	int i;
4157 	int *groups = hapd->conf->owe_groups;
4158 
4159 	if (group != 19 && group != 20 && group != 21)
4160 		return 0;
4161 
4162 	if (!groups)
4163 		return 1;
4164 
4165 	for (i = 0; groups[i] > 0; i++) {
4166 		if (groups[i] == group)
4167 			return 1;
4168 	}
4169 
4170 	return 0;
4171 }
4172 
4173 
4174 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4175 				 struct sta_info *sta, const u8 *owe_dh,
4176 				 u8 owe_dh_len)
4177 {
4178 	struct wpabuf *secret, *pub, *hkey;
4179 	int res;
4180 	u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4181 	const char *info = "OWE Key Generation";
4182 	const u8 *addr[2];
4183 	size_t len[2];
4184 	u16 group;
4185 	size_t hash_len, prime_len;
4186 
4187 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4188 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4189 		return WLAN_STATUS_SUCCESS;
4190 	}
4191 
4192 	group = WPA_GET_LE16(owe_dh);
4193 	if (!owe_group_supported(hapd, group)) {
4194 		wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4195 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4196 	}
4197 	if (group == 19)
4198 		prime_len = 32;
4199 	else if (group == 20)
4200 		prime_len = 48;
4201 	else if (group == 21)
4202 		prime_len = 66;
4203 	else
4204 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4205 
4206 	crypto_ecdh_deinit(sta->owe_ecdh);
4207 	sta->owe_ecdh = crypto_ecdh_init(group);
4208 	if (!sta->owe_ecdh)
4209 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4210 	sta->owe_group = group;
4211 
4212 	secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4213 					 owe_dh_len - 2);
4214 	secret = wpabuf_zeropad(secret, prime_len);
4215 	if (!secret) {
4216 		wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4217 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4218 	}
4219 	wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4220 
4221 	/* prk = HKDF-extract(C | A | group, z) */
4222 
4223 	pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4224 	if (!pub) {
4225 		wpabuf_clear_free(secret);
4226 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4227 	}
4228 
4229 	/* PMKID = Truncate-128(Hash(C | A)) */
4230 	addr[0] = owe_dh + 2;
4231 	len[0] = owe_dh_len - 2;
4232 	addr[1] = wpabuf_head(pub);
4233 	len[1] = wpabuf_len(pub);
4234 	if (group == 19) {
4235 		res = sha256_vector(2, addr, len, pmkid);
4236 		hash_len = SHA256_MAC_LEN;
4237 	} else if (group == 20) {
4238 		res = sha384_vector(2, addr, len, pmkid);
4239 		hash_len = SHA384_MAC_LEN;
4240 	} else if (group == 21) {
4241 		res = sha512_vector(2, addr, len, pmkid);
4242 		hash_len = SHA512_MAC_LEN;
4243 	} else {
4244 		wpabuf_free(pub);
4245 		wpabuf_clear_free(secret);
4246 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4247 	}
4248 	pub = wpabuf_zeropad(pub, prime_len);
4249 	if (res < 0 || !pub) {
4250 		wpabuf_free(pub);
4251 		wpabuf_clear_free(secret);
4252 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4253 	}
4254 
4255 	hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4256 	if (!hkey) {
4257 		wpabuf_free(pub);
4258 		wpabuf_clear_free(secret);
4259 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4260 	}
4261 
4262 	wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4263 	wpabuf_put_buf(hkey, pub); /* A */
4264 	wpabuf_free(pub);
4265 	wpabuf_put_le16(hkey, group); /* group */
4266 	if (group == 19)
4267 		res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4268 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4269 	else if (group == 20)
4270 		res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4271 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4272 	else if (group == 21)
4273 		res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4274 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4275 	wpabuf_clear_free(hkey);
4276 	wpabuf_clear_free(secret);
4277 	if (res < 0)
4278 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4279 
4280 	wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4281 
4282 	/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4283 
4284 	os_free(sta->owe_pmk);
4285 	sta->owe_pmk = os_malloc(hash_len);
4286 	if (!sta->owe_pmk) {
4287 		os_memset(prk, 0, SHA512_MAC_LEN);
4288 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4289 	}
4290 
4291 	if (group == 19)
4292 		res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4293 				      os_strlen(info), sta->owe_pmk, hash_len);
4294 	else if (group == 20)
4295 		res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4296 				      os_strlen(info), sta->owe_pmk, hash_len);
4297 	else if (group == 21)
4298 		res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4299 				      os_strlen(info), sta->owe_pmk, hash_len);
4300 	os_memset(prk, 0, SHA512_MAC_LEN);
4301 	if (res < 0) {
4302 		os_free(sta->owe_pmk);
4303 		sta->owe_pmk = NULL;
4304 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4305 	}
4306 	sta->owe_pmk_len = hash_len;
4307 
4308 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4309 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4310 	wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4311 			    sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4312 
4313 	return WLAN_STATUS_SUCCESS;
4314 }
4315 
4316 
4317 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4318 			 const u8 *rsn_ie, size_t rsn_ie_len,
4319 			 const u8 *owe_dh, size_t owe_dh_len)
4320 {
4321 	struct wpa_ie_data data;
4322 	int res;
4323 
4324 	if (!rsn_ie || rsn_ie_len < 2) {
4325 		wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
4326 			   MAC2STR(peer));
4327 		return WLAN_STATUS_INVALID_IE;
4328 	}
4329 	rsn_ie -= 2;
4330 	rsn_ie_len += 2;
4331 
4332 	res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4333 	if (res) {
4334 		wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
4335 			   " (res=%d)", MAC2STR(peer), res);
4336 		wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4337 		return wpa_res_to_status_code(res);
4338 	}
4339 	if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4340 		wpa_printf(MSG_DEBUG,
4341 			   "OWE: Unexpected key mgmt 0x%x from " MACSTR,
4342 			   (unsigned int) data.key_mgmt, MAC2STR(peer));
4343 		return WLAN_STATUS_AKMP_NOT_VALID;
4344 	}
4345 	if (!owe_dh) {
4346 		wpa_printf(MSG_DEBUG,
4347 			   "OWE: No Diffie-Hellman Parameter element from "
4348 			   MACSTR, MAC2STR(peer));
4349 		return WLAN_STATUS_AKMP_NOT_VALID;
4350 	}
4351 
4352 	return WLAN_STATUS_SUCCESS;
4353 }
4354 
4355 
4356 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4357 		       struct sta_info *sta,
4358 		       const u8 *rsn_ie, size_t rsn_ie_len,
4359 		       const u8 *owe_dh, size_t owe_dh_len)
4360 {
4361 	u16 status;
4362 	u8 *owe_buf, ie[256 * 2];
4363 	size_t ie_len = 0;
4364 	enum wpa_validate_result res;
4365 
4366 	if (!rsn_ie || rsn_ie_len < 2) {
4367 		wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4368 		status = WLAN_STATUS_INVALID_IE;
4369 		goto end;
4370 	}
4371 
4372 	if (!sta->wpa_sm)
4373 		sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,	sta->addr,
4374 						NULL);
4375 	if (!sta->wpa_sm) {
4376 		wpa_printf(MSG_WARNING,
4377 			   "OWE: Failed to initialize WPA state machine");
4378 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4379 		goto end;
4380 	}
4381 	rsn_ie -= 2;
4382 	rsn_ie_len += 2;
4383 	res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4384 				  hapd->iface->freq, rsn_ie, rsn_ie_len,
4385 				  NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4386 	status = wpa_res_to_status_code(res);
4387 	if (status != WLAN_STATUS_SUCCESS)
4388 		goto end;
4389 	status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4390 	if (status != WLAN_STATUS_SUCCESS)
4391 		goto end;
4392 	owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4393 						NULL, 0);
4394 	if (!owe_buf) {
4395 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4396 		goto end;
4397 	}
4398 
4399 	if (sta->owe_ecdh) {
4400 		struct wpabuf *pub;
4401 
4402 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4403 		if (!pub) {
4404 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4405 			goto end;
4406 		}
4407 
4408 		/* OWE Diffie-Hellman Parameter element */
4409 		*owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4410 		*owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4411 		*owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4412 							 */
4413 		WPA_PUT_LE16(owe_buf, sta->owe_group);
4414 		owe_buf += 2;
4415 		os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4416 		owe_buf += wpabuf_len(pub);
4417 		wpabuf_free(pub);
4418 		sta->external_dh_updated = 1;
4419 	}
4420 	ie_len = owe_buf - ie;
4421 
4422 end:
4423 	wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4424 			      MACSTR, status, (unsigned int) ie_len,
4425 			      MAC2STR(sta->addr));
4426 	hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4427 				 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4428 				 ie_len);
4429 
4430 	return status;
4431 }
4432 
4433 #endif /* CONFIG_OWE */
4434 
4435 
4436 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4437 			   int reassoc)
4438 {
4439 	if ((sta->flags &
4440 	     (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4441 	    (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4442 		return false;
4443 
4444 	if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4445 		ap_check_sa_query_timeout(hapd, sta);
4446 
4447 	if (!sta->sa_query_timed_out &&
4448 	    (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4449 		/*
4450 		 * STA has already been associated with MFP and SA Query timeout
4451 		 * has not been reached. Reject the association attempt
4452 		 * temporarily and start SA Query, if one is not pending.
4453 		 */
4454 		if (sta->sa_query_count == 0)
4455 			ap_sta_start_sa_query(hapd, sta);
4456 
4457 		return true;
4458 	}
4459 
4460 	return false;
4461 }
4462 
4463 
4464 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4465 			   const u8 *ies, size_t ies_len, int reassoc)
4466 {
4467 	struct ieee802_11_elems elems;
4468 	int resp;
4469 	const u8 *wpa_ie;
4470 	size_t wpa_ie_len;
4471 	const u8 *p2p_dev_addr = NULL;
4472 
4473 	if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4474 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4475 			       HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4476 			       "association request");
4477 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4478 	}
4479 
4480 	resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4481 	if (resp != WLAN_STATUS_SUCCESS)
4482 		return resp;
4483 	resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4484 	if (resp != WLAN_STATUS_SUCCESS)
4485 		return resp;
4486 	resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4487 	if (resp != WLAN_STATUS_SUCCESS)
4488 		return resp;
4489 	resp = copy_supp_rates(hapd, sta, &elems);
4490 	if (resp != WLAN_STATUS_SUCCESS)
4491 		return resp;
4492 
4493 	resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4494 	if (resp != WLAN_STATUS_SUCCESS)
4495 		return resp;
4496 
4497 	resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4498 	if (resp != WLAN_STATUS_SUCCESS)
4499 		return resp;
4500 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4501 	    !(sta->flags & WLAN_STA_HT)) {
4502 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4503 			       HOSTAPD_LEVEL_INFO, "Station does not support "
4504 			       "mandatory HT PHY - reject association");
4505 		return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4506 	}
4507 
4508 #ifdef CONFIG_IEEE80211AC
4509 	if (hapd->iconf->ieee80211ac) {
4510 		resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4511 		if (resp != WLAN_STATUS_SUCCESS)
4512 			return resp;
4513 
4514 		resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4515 		if (resp != WLAN_STATUS_SUCCESS)
4516 			return resp;
4517 	}
4518 
4519 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4520 	    !(sta->flags & WLAN_STA_VHT)) {
4521 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4522 			       HOSTAPD_LEVEL_INFO, "Station does not support "
4523 			       "mandatory VHT PHY - reject association");
4524 		return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4525 	}
4526 
4527 	if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4528 		resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4529 					   elems.vendor_vht_len);
4530 		if (resp != WLAN_STATUS_SUCCESS)
4531 			return resp;
4532 	}
4533 #endif /* CONFIG_IEEE80211AC */
4534 #ifdef CONFIG_IEEE80211AX
4535 	if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4536 		resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4537 					 elems.he_capabilities,
4538 					 elems.he_capabilities_len);
4539 		if (resp != WLAN_STATUS_SUCCESS)
4540 			return resp;
4541 		if (is_6ghz_op_class(hapd->iconf->op_class)) {
4542 			if (!(sta->flags & WLAN_STA_HE)) {
4543 				hostapd_logger(hapd, sta->addr,
4544 					       HOSTAPD_MODULE_IEEE80211,
4545 					       HOSTAPD_LEVEL_INFO,
4546 					       "Station does not support mandatory HE PHY - reject association");
4547 				return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4548 			}
4549 			resp = copy_sta_he_6ghz_capab(hapd, sta,
4550 						      elems.he_6ghz_band_cap);
4551 			if (resp != WLAN_STATUS_SUCCESS)
4552 				return resp;
4553 		}
4554 	}
4555 #endif /* CONFIG_IEEE80211AX */
4556 
4557 #ifdef CONFIG_P2P
4558 	if (elems.p2p) {
4559 		wpabuf_free(sta->p2p_ie);
4560 		sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4561 							  P2P_IE_VENDOR_TYPE);
4562 		if (sta->p2p_ie)
4563 			p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4564 	} else {
4565 		wpabuf_free(sta->p2p_ie);
4566 		sta->p2p_ie = NULL;
4567 	}
4568 #endif /* CONFIG_P2P */
4569 
4570 	if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4571 		wpa_ie = elems.rsn_ie;
4572 		wpa_ie_len = elems.rsn_ie_len;
4573 	} else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4574 		   elems.wpa_ie) {
4575 		wpa_ie = elems.wpa_ie;
4576 		wpa_ie_len = elems.wpa_ie_len;
4577 	} else {
4578 		wpa_ie = NULL;
4579 		wpa_ie_len = 0;
4580 	}
4581 
4582 #ifdef CONFIG_WPS
4583 	sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4584 	if (hapd->conf->wps_state && elems.wps_ie) {
4585 		wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4586 			   "Request - assume WPS is used");
4587 		if (check_sa_query(hapd, sta, reassoc))
4588 			return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4589 		sta->flags |= WLAN_STA_WPS;
4590 		wpabuf_free(sta->wps_ie);
4591 		sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4592 							  WPS_IE_VENDOR_TYPE);
4593 		if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4594 			wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4595 			sta->flags |= WLAN_STA_WPS2;
4596 		}
4597 		wpa_ie = NULL;
4598 		wpa_ie_len = 0;
4599 		if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4600 			wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4601 				   "(Re)Association Request - reject");
4602 			return WLAN_STATUS_INVALID_IE;
4603 		}
4604 	} else if (hapd->conf->wps_state && wpa_ie == NULL) {
4605 		wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4606 			   "(Re)Association Request - possible WPS use");
4607 		sta->flags |= WLAN_STA_MAYBE_WPS;
4608 	} else
4609 #endif /* CONFIG_WPS */
4610 	if (hapd->conf->wpa && wpa_ie == NULL) {
4611 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4612 			       HOSTAPD_LEVEL_INFO,
4613 			       "No WPA/RSN IE in association request");
4614 		return WLAN_STATUS_INVALID_IE;
4615 	}
4616 
4617 	if (hapd->conf->wpa && wpa_ie) {
4618 		enum wpa_validate_result res;
4619 
4620 		wpa_ie -= 2;
4621 		wpa_ie_len += 2;
4622 		if (sta->wpa_sm == NULL)
4623 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4624 							sta->addr,
4625 							p2p_dev_addr);
4626 		if (sta->wpa_sm == NULL) {
4627 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4628 				   "state machine");
4629 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4630 		}
4631 		wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4632 		res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4633 					  hapd->iface->freq,
4634 					  wpa_ie, wpa_ie_len,
4635 					  elems.rsnxe ? elems.rsnxe - 2 : NULL,
4636 					  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4637 					  elems.mdie, elems.mdie_len,
4638 					  elems.owe_dh, elems.owe_dh_len);
4639 		resp = wpa_res_to_status_code(res);
4640 		if (resp != WLAN_STATUS_SUCCESS)
4641 			return resp;
4642 
4643 		if (check_sa_query(hapd, sta, reassoc))
4644 			return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4645 
4646 		if (wpa_auth_uses_mfp(sta->wpa_sm))
4647 			sta->flags |= WLAN_STA_MFP;
4648 		else
4649 			sta->flags &= ~WLAN_STA_MFP;
4650 
4651 #ifdef CONFIG_IEEE80211R_AP
4652 		if (sta->auth_alg == WLAN_AUTH_FT) {
4653 			if (!reassoc) {
4654 				wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4655 					   "to use association (not "
4656 					   "re-association) with FT auth_alg",
4657 					   MAC2STR(sta->addr));
4658 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
4659 			}
4660 
4661 			resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4662 						       ies_len);
4663 			if (resp != WLAN_STATUS_SUCCESS)
4664 				return resp;
4665 		}
4666 #endif /* CONFIG_IEEE80211R_AP */
4667 
4668 #ifdef CONFIG_SAE
4669 		if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4670 		    sta->sae->state == SAE_ACCEPTED)
4671 			wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4672 
4673 		if (wpa_auth_uses_sae(sta->wpa_sm) &&
4674 		    sta->auth_alg == WLAN_AUTH_OPEN) {
4675 			struct rsn_pmksa_cache_entry *sa;
4676 			sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4677 			if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4678 				wpa_printf(MSG_DEBUG,
4679 					   "SAE: No PMKSA cache entry found for "
4680 					   MACSTR, MAC2STR(sta->addr));
4681 				return WLAN_STATUS_INVALID_PMKID;
4682 			}
4683 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4684 				   " using PMKSA caching", MAC2STR(sta->addr));
4685 		} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4686 			   sta->auth_alg != WLAN_AUTH_SAE &&
4687 			   !(sta->auth_alg == WLAN_AUTH_FT &&
4688 			     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4689 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4690 				   "SAE AKM after non-SAE auth_alg %u",
4691 				   MAC2STR(sta->addr), sta->auth_alg);
4692 			return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4693 		}
4694 
4695 		if (hapd->conf->sae_pwe == 2 &&
4696 		    sta->auth_alg == WLAN_AUTH_SAE &&
4697 		    sta->sae && !sta->sae->h2e &&
4698 		    ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
4699 					      WLAN_RSNX_CAPAB_SAE_H2E)) {
4700 			wpa_printf(MSG_INFO, "SAE: " MACSTR
4701 				   " indicates support for SAE H2E, but did not use it",
4702 				   MAC2STR(sta->addr));
4703 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4704 		}
4705 #endif /* CONFIG_SAE */
4706 
4707 #ifdef CONFIG_OWE
4708 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4709 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4710 		    elems.owe_dh) {
4711 			resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4712 						     elems.owe_dh_len);
4713 			if (resp != WLAN_STATUS_SUCCESS)
4714 				return resp;
4715 		}
4716 #endif /* CONFIG_OWE */
4717 
4718 #ifdef CONFIG_DPP2
4719 		dpp_pfs_free(sta->dpp_pfs);
4720 		sta->dpp_pfs = NULL;
4721 
4722 		if (DPP_VERSION > 1 &&
4723 		    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4724 		    hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4725 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4726 		    elems.owe_dh) {
4727 			sta->dpp_pfs = dpp_pfs_init(
4728 				wpabuf_head(hapd->conf->dpp_netaccesskey),
4729 				wpabuf_len(hapd->conf->dpp_netaccesskey));
4730 			if (!sta->dpp_pfs) {
4731 				wpa_printf(MSG_DEBUG,
4732 					   "DPP: Could not initialize PFS");
4733 				/* Try to continue without PFS */
4734 				goto pfs_fail;
4735 			}
4736 
4737 			if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4738 					    elems.owe_dh_len) < 0) {
4739 				dpp_pfs_free(sta->dpp_pfs);
4740 				sta->dpp_pfs = NULL;
4741 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
4742 			}
4743 		}
4744 
4745 		wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4746 				   sta->dpp_pfs->secret : NULL);
4747 	pfs_fail:
4748 #endif /* CONFIG_DPP2 */
4749 
4750 		if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4751 		    wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4752 			hostapd_logger(hapd, sta->addr,
4753 				       HOSTAPD_MODULE_IEEE80211,
4754 				       HOSTAPD_LEVEL_INFO,
4755 				       "Station tried to use TKIP with HT "
4756 				       "association");
4757 			return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4758 		}
4759 #ifdef CONFIG_HS20
4760 	} else if (hapd->conf->osen) {
4761 		if (elems.osen == NULL) {
4762 			hostapd_logger(
4763 				hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4764 				HOSTAPD_LEVEL_INFO,
4765 				"No HS 2.0 OSEN element in association request");
4766 			return WLAN_STATUS_INVALID_IE;
4767 		}
4768 
4769 		wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4770 		if (sta->wpa_sm == NULL)
4771 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4772 							sta->addr, NULL);
4773 		if (sta->wpa_sm == NULL) {
4774 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4775 				   "state machine");
4776 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4777 		}
4778 		if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4779 				      elems.osen - 2, elems.osen_len + 2) < 0)
4780 			return WLAN_STATUS_INVALID_IE;
4781 #endif /* CONFIG_HS20 */
4782 	} else
4783 		wpa_auth_sta_no_wpa(sta->wpa_sm);
4784 
4785 #ifdef CONFIG_P2P
4786 	p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4787 #endif /* CONFIG_P2P */
4788 
4789 #ifdef CONFIG_HS20
4790 	wpabuf_free(sta->hs20_ie);
4791 	if (elems.hs20 && elems.hs20_len > 4) {
4792 		int release;
4793 
4794 		sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4795 						 elems.hs20_len - 4);
4796 		release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4797 		if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4798 		    hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4799 			wpa_printf(MSG_DEBUG,
4800 				   "HS 2.0: PMF not negotiated by release %d station "
4801 				   MACSTR, release, MAC2STR(sta->addr));
4802 			return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4803 		}
4804 	} else {
4805 		sta->hs20_ie = NULL;
4806 	}
4807 
4808 	wpabuf_free(sta->roaming_consortium);
4809 	if (elems.roaming_cons_sel)
4810 		sta->roaming_consortium = wpabuf_alloc_copy(
4811 			elems.roaming_cons_sel + 4,
4812 			elems.roaming_cons_sel_len - 4);
4813 	else
4814 		sta->roaming_consortium = NULL;
4815 #endif /* CONFIG_HS20 */
4816 
4817 #ifdef CONFIG_FST
4818 	wpabuf_free(sta->mb_ies);
4819 	if (hapd->iface->fst)
4820 		sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4821 	else
4822 		sta->mb_ies = NULL;
4823 #endif /* CONFIG_FST */
4824 
4825 #ifdef CONFIG_MBO
4826 	mbo_ap_check_sta_assoc(hapd, sta, &elems);
4827 
4828 	if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4829 	    elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4830 	    hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4831 		wpa_printf(MSG_INFO,
4832 			   "MBO: Reject WPA2 association without PMF");
4833 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4834 	}
4835 #endif /* CONFIG_MBO */
4836 
4837 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4838 	if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4839 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4840 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4841 	     sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4842 		struct wpa_channel_info ci;
4843 		int tx_chanwidth;
4844 		int tx_seg1_idx;
4845 		enum oci_verify_result res;
4846 
4847 		if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4848 			wpa_printf(MSG_WARNING,
4849 				   "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4850 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4851 		}
4852 
4853 		if (get_sta_tx_parameters(sta->wpa_sm,
4854 					  channel_width_to_int(ci.chanwidth),
4855 					  ci.seg1_idx, &tx_chanwidth,
4856 					  &tx_seg1_idx) < 0)
4857 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4858 
4859 		res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4860 					   tx_chanwidth, tx_seg1_idx);
4861 		if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4862 		    res == OCI_NOT_FOUND) {
4863 			/* Work around misbehaving STAs */
4864 			wpa_printf(MSG_INFO,
4865 				   "FILS: Disable OCV with a STA that does not send OCI");
4866 			wpa_auth_set_ocv(sta->wpa_sm, 0);
4867 		} else if (res != OCI_SUCCESS) {
4868 			wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4869 				   ocv_errorstr);
4870 			wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4871 				MACSTR " frame=fils-reassoc-req error=%s",
4872 				MAC2STR(sta->addr), ocv_errorstr);
4873 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4874 		}
4875 	}
4876 #endif /* CONFIG_FILS && CONFIG_OCV */
4877 
4878 	ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4879 				    elems.supp_op_classes_len);
4880 
4881 	if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4882 	    elems.rrm_enabled &&
4883 	    elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4884 		os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4885 			  sizeof(sta->rrm_enabled_capa));
4886 
4887 	if (elems.power_capab) {
4888 		sta->min_tx_power = elems.power_capab[0];
4889 		sta->max_tx_power = elems.power_capab[1];
4890 		sta->power_capab = 1;
4891 	} else {
4892 		sta->power_capab = 0;
4893 	}
4894 
4895 	return WLAN_STATUS_SUCCESS;
4896 }
4897 
4898 
4899 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4900 			u16 reason_code)
4901 {
4902 	int send_len;
4903 	struct ieee80211_mgmt reply;
4904 
4905 	os_memset(&reply, 0, sizeof(reply));
4906 	reply.frame_control =
4907 		IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4908 	os_memcpy(reply.da, addr, ETH_ALEN);
4909 	os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4910 	os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4911 
4912 	send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4913 	reply.u.deauth.reason_code = host_to_le16(reason_code);
4914 
4915 	if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4916 		wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4917 			   strerror(errno));
4918 }
4919 
4920 
4921 static int add_associated_sta(struct hostapd_data *hapd,
4922 			      struct sta_info *sta, int reassoc)
4923 {
4924 	struct ieee80211_ht_capabilities ht_cap;
4925 	struct ieee80211_vht_capabilities vht_cap;
4926 	struct ieee80211_he_capabilities he_cap;
4927 	int set = 1;
4928 
4929 	/*
4930 	 * Remove the STA entry to ensure the STA PS state gets cleared and
4931 	 * configuration gets updated. This is relevant for cases, such as
4932 	 * FT-over-the-DS, where a station re-associates back to the same AP but
4933 	 * skips the authentication flow, or if working with a driver that
4934 	 * does not support full AP client state.
4935 	 *
4936 	 * Skip this if the STA has already completed FT reassociation and the
4937 	 * TK has been configured since the TX/RX PN must not be reset to 0 for
4938 	 * the same key.
4939 	 *
4940 	 * FT-over-the-DS has a special case where the STA entry (and as such,
4941 	 * the TK) has not yet been configured to the driver depending on which
4942 	 * driver interface is used. For that case, allow add-STA operation to
4943 	 * be used (instead of set-STA). This is needed to allow mac80211-based
4944 	 * drivers to accept the STA parameter configuration. Since this is
4945 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
4946 	 * reinstallation is not a concern for this case.
4947 	 */
4948 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4949 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4950 		   MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4951 		   sta->ft_over_ds, reassoc,
4952 		   !!(sta->flags & WLAN_STA_AUTHORIZED),
4953 		   wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4954 		   wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4955 
4956 	if (!sta->added_unassoc &&
4957 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4958 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4959 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4960 	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4961 		hostapd_drv_sta_remove(hapd, sta->addr);
4962 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4963 		set = 0;
4964 
4965 		 /* Do not allow the FT-over-DS exception to be used more than
4966 		  * once per authentication exchange to guarantee a new TK is
4967 		  * used here */
4968 		sta->ft_over_ds = 0;
4969 	}
4970 
4971 	if (sta->flags & WLAN_STA_HT)
4972 		hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4973 #ifdef CONFIG_IEEE80211AC
4974 	if (sta->flags & WLAN_STA_VHT)
4975 		hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4976 #endif /* CONFIG_IEEE80211AC */
4977 #ifdef CONFIG_IEEE80211AX
4978 	if (sta->flags & WLAN_STA_HE) {
4979 		hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4980 				     sta->he_capab_len);
4981 	}
4982 #endif /* CONFIG_IEEE80211AX */
4983 
4984 	/*
4985 	 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4986 	 * will be set when the ACK frame for the (Re)Association Response frame
4987 	 * is processed (TX status driver event).
4988 	 */
4989 	if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4990 			    sta->supported_rates, sta->supported_rates_len,
4991 			    sta->listen_interval,
4992 			    sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4993 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4994 			    sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4995 			    sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4996 			    sta->he_6ghz_capab,
4997 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4998 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4999 			    set)) {
5000 		hostapd_logger(hapd, sta->addr,
5001 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
5002 			       "Could not %s STA to kernel driver",
5003 			       set ? "set" : "add");
5004 
5005 		if (sta->added_unassoc) {
5006 			hostapd_drv_sta_remove(hapd, sta->addr);
5007 			sta->added_unassoc = 0;
5008 		}
5009 
5010 		return -1;
5011 	}
5012 
5013 	sta->added_unassoc = 0;
5014 
5015 	return 0;
5016 }
5017 
5018 
5019 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
5020 			   const u8 *addr, u16 status_code, int reassoc,
5021 			   const u8 *ies, size_t ies_len, int rssi,
5022 			   int omit_rsnxe)
5023 {
5024 	int send_len;
5025 	u8 *buf;
5026 	size_t buflen;
5027 	struct ieee80211_mgmt *reply;
5028 	u8 *p;
5029 	u16 res = WLAN_STATUS_SUCCESS;
5030 
5031 	buflen = sizeof(struct ieee80211_mgmt) + 1024;
5032 #ifdef CONFIG_FILS
5033 	if (sta && sta->fils_hlp_resp)
5034 		buflen += wpabuf_len(sta->fils_hlp_resp);
5035 	if (sta)
5036 		buflen += 150;
5037 #endif /* CONFIG_FILS */
5038 #ifdef CONFIG_OWE
5039 	if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5040 		buflen += 150;
5041 #endif /* CONFIG_OWE */
5042 #ifdef CONFIG_DPP2
5043 	if (sta && sta->dpp_pfs)
5044 		buflen += 5 + sta->dpp_pfs->curve->prime_len;
5045 #endif /* CONFIG_DPP2 */
5046 	buf = os_zalloc(buflen);
5047 	if (!buf) {
5048 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5049 		goto done;
5050 	}
5051 	reply = (struct ieee80211_mgmt *) buf;
5052 	reply->frame_control =
5053 		IEEE80211_FC(WLAN_FC_TYPE_MGMT,
5054 			     (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
5055 			      WLAN_FC_STYPE_ASSOC_RESP));
5056 	os_memcpy(reply->da, addr, ETH_ALEN);
5057 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
5058 	os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
5059 
5060 	send_len = IEEE80211_HDRLEN;
5061 	send_len += sizeof(reply->u.assoc_resp);
5062 	reply->u.assoc_resp.capab_info =
5063 		host_to_le16(hostapd_own_capab_info(hapd));
5064 	reply->u.assoc_resp.status_code = host_to_le16(status_code);
5065 
5066 	reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
5067 					       BIT(14) | BIT(15));
5068 	/* Supported rates */
5069 	p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
5070 	/* Extended supported rates */
5071 	p = hostapd_eid_ext_supp_rates(hapd, p);
5072 
5073 	/* Radio measurement capabilities */
5074 	p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
5075 
5076 #ifdef CONFIG_MBO
5077 	if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
5078 	    rssi != 0) {
5079 		int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
5080 
5081 		p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
5082 						   delta);
5083 	}
5084 #endif /* CONFIG_MBO */
5085 
5086 #ifdef CONFIG_IEEE80211R_AP
5087 	if (sta && status_code == WLAN_STATUS_SUCCESS) {
5088 		/* IEEE 802.11r: Mobility Domain Information, Fast BSS
5089 		 * Transition Information, RSN, [RIC Response] */
5090 		p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
5091 						buf + buflen - p,
5092 						sta->auth_alg, ies, ies_len,
5093 						omit_rsnxe);
5094 		if (!p) {
5095 			wpa_printf(MSG_DEBUG,
5096 				   "FT: Failed to write AssocResp IEs");
5097 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5098 			goto done;
5099 		}
5100 	}
5101 #endif /* CONFIG_IEEE80211R_AP */
5102 #ifdef CONFIG_FILS
5103 	if (sta && status_code == WLAN_STATUS_SUCCESS &&
5104 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5105 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5106 	     sta->auth_alg == WLAN_AUTH_FILS_PK))
5107 		p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
5108 						   buf + buflen - p,
5109 						   ies, ies_len);
5110 #endif /* CONFIG_FILS */
5111 
5112 #ifdef CONFIG_OWE
5113 	if (sta && status_code == WLAN_STATUS_SUCCESS &&
5114 	    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5115 		p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
5116 						  buf + buflen - p,
5117 						  ies, ies_len);
5118 #endif /* CONFIG_OWE */
5119 
5120 	if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
5121 		p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
5122 
5123 	p = hostapd_eid_ht_capabilities(hapd, p);
5124 	p = hostapd_eid_ht_operation(hapd, p);
5125 
5126 #ifdef CONFIG_IEEE80211AC
5127 	if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
5128 	    !is_6ghz_op_class(hapd->iconf->op_class)) {
5129 		u32 nsts = 0, sta_nsts;
5130 
5131 		if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
5132 			struct ieee80211_vht_capabilities *capa;
5133 
5134 			nsts = (hapd->iface->conf->vht_capab >>
5135 				VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5136 			capa = sta->vht_capabilities;
5137 			sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5138 				    VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5139 
5140 			if (nsts < sta_nsts)
5141 				nsts = 0;
5142 			else
5143 				nsts = sta_nsts;
5144 		}
5145 		p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5146 		p = hostapd_eid_vht_operation(hapd, p);
5147 	}
5148 #endif /* CONFIG_IEEE80211AC */
5149 
5150 #ifdef CONFIG_IEEE80211AX
5151 	if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5152 		p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5153 		p = hostapd_eid_he_operation(hapd, p);
5154 		p = hostapd_eid_spatial_reuse(hapd, p);
5155 		p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5156 		p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5157 	}
5158 #endif /* CONFIG_IEEE80211AX */
5159 
5160 	p = hostapd_eid_ext_capab(hapd, p);
5161 	p = hostapd_eid_bss_max_idle_period(hapd, p);
5162 	if (sta && sta->qos_map_enabled)
5163 		p = hostapd_eid_qos_map_set(hapd, p);
5164 
5165 #ifdef CONFIG_FST
5166 	if (hapd->iface->fst_ies) {
5167 		os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5168 			  wpabuf_len(hapd->iface->fst_ies));
5169 		p += wpabuf_len(hapd->iface->fst_ies);
5170 	}
5171 #endif /* CONFIG_FST */
5172 
5173 #ifdef CONFIG_TESTING_OPTIONS
5174 	if (hapd->conf->rsnxe_override_ft &&
5175 	    buf + buflen - p >=
5176 	    (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5177 	    sta && sta->auth_alg == WLAN_AUTH_FT) {
5178 		wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5179 		os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5180 			  wpabuf_len(hapd->conf->rsnxe_override_ft));
5181 		p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5182 		goto rsnxe_done;
5183 	}
5184 #endif /* CONFIG_TESTING_OPTIONS */
5185 	if (!omit_rsnxe)
5186 		p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5187 #ifdef CONFIG_TESTING_OPTIONS
5188 rsnxe_done:
5189 #endif /* CONFIG_TESTING_OPTIONS */
5190 
5191 #ifdef CONFIG_OWE
5192 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5193 	    sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5194 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5195 	    !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5196 		struct wpabuf *pub;
5197 
5198 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5199 		if (!pub) {
5200 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5201 			goto done;
5202 		}
5203 		/* OWE Diffie-Hellman Parameter element */
5204 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
5205 		*p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5206 		*p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5207 		WPA_PUT_LE16(p, sta->owe_group);
5208 		p += 2;
5209 		os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5210 		p += wpabuf_len(pub);
5211 		wpabuf_free(pub);
5212 	}
5213 #endif /* CONFIG_OWE */
5214 
5215 #ifdef CONFIG_DPP2
5216 	if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5217 	    sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5218 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5219 		os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5220 			  wpabuf_len(sta->dpp_pfs->ie));
5221 		p += wpabuf_len(sta->dpp_pfs->ie);
5222 	}
5223 #endif /* CONFIG_DPP2 */
5224 
5225 #ifdef CONFIG_IEEE80211AC
5226 	if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5227 		p = hostapd_eid_vendor_vht(hapd, p);
5228 #endif /* CONFIG_IEEE80211AC */
5229 
5230 	if (sta && (sta->flags & WLAN_STA_WMM))
5231 		p = hostapd_eid_wmm(hapd, p);
5232 
5233 #ifdef CONFIG_WPS
5234 	if (sta &&
5235 	    ((sta->flags & WLAN_STA_WPS) ||
5236 	     ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5237 		struct wpabuf *wps = wps_build_assoc_resp_ie();
5238 		if (wps) {
5239 			os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5240 			p += wpabuf_len(wps);
5241 			wpabuf_free(wps);
5242 		}
5243 	}
5244 #endif /* CONFIG_WPS */
5245 
5246 	if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5247 		p = hostapd_eid_multi_ap(hapd, p);
5248 
5249 #ifdef CONFIG_P2P
5250 	if (sta && sta->p2p_ie && hapd->p2p_group) {
5251 		struct wpabuf *p2p_resp_ie;
5252 		enum p2p_status_code status;
5253 		switch (status_code) {
5254 		case WLAN_STATUS_SUCCESS:
5255 			status = P2P_SC_SUCCESS;
5256 			break;
5257 		case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5258 			status = P2P_SC_FAIL_LIMIT_REACHED;
5259 			break;
5260 		default:
5261 			status = P2P_SC_FAIL_INVALID_PARAMS;
5262 			break;
5263 		}
5264 		p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5265 		if (p2p_resp_ie) {
5266 			os_memcpy(p, wpabuf_head(p2p_resp_ie),
5267 				  wpabuf_len(p2p_resp_ie));
5268 			p += wpabuf_len(p2p_resp_ie);
5269 			wpabuf_free(p2p_resp_ie);
5270 		}
5271 	}
5272 #endif /* CONFIG_P2P */
5273 
5274 #ifdef CONFIG_P2P_MANAGER
5275 	if (hapd->conf->p2p & P2P_MANAGE)
5276 		p = hostapd_eid_p2p_manage(hapd, p);
5277 #endif /* CONFIG_P2P_MANAGER */
5278 
5279 	p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5280 
5281 	if (hapd->conf->assocresp_elements &&
5282 	    (size_t) (buf + buflen - p) >=
5283 	    wpabuf_len(hapd->conf->assocresp_elements)) {
5284 		os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5285 			  wpabuf_len(hapd->conf->assocresp_elements));
5286 		p += wpabuf_len(hapd->conf->assocresp_elements);
5287 	}
5288 
5289 	send_len += p - reply->u.assoc_resp.variable;
5290 
5291 #ifdef CONFIG_FILS
5292 	if (sta &&
5293 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5294 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5295 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5296 	    status_code == WLAN_STATUS_SUCCESS) {
5297 		struct ieee802_11_elems elems;
5298 
5299 		if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5300 		    ParseFailed || !elems.fils_session) {
5301 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5302 			goto done;
5303 		}
5304 
5305 		/* FILS Session */
5306 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
5307 		*p++ = 1 + FILS_SESSION_LEN; /* Length */
5308 		*p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5309 		os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5310 		send_len += 2 + 1 + FILS_SESSION_LEN;
5311 
5312 		send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5313 					      buflen, sta->fils_hlp_resp);
5314 		if (send_len < 0) {
5315 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5316 			goto done;
5317 		}
5318 	}
5319 #endif /* CONFIG_FILS */
5320 
5321 	if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5322 		wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5323 			   strerror(errno));
5324 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5325 	}
5326 
5327 done:
5328 	os_free(buf);
5329 	return res;
5330 }
5331 
5332 
5333 #ifdef CONFIG_OWE
5334 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5335 			   const u8 *owe_dh, u8 owe_dh_len,
5336 			   u8 *owe_buf, size_t owe_buf_len, u16 *status)
5337 {
5338 #ifdef CONFIG_TESTING_OPTIONS
5339 	if (hapd->conf->own_ie_override) {
5340 		wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5341 		*status = WLAN_STATUS_SUCCESS;
5342 		return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5343 						     owe_buf_len, NULL, 0);
5344 	}
5345 #endif /* CONFIG_TESTING_OPTIONS */
5346 
5347 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5348 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5349 		owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5350 							owe_buf_len, NULL, 0);
5351 		*status = WLAN_STATUS_SUCCESS;
5352 		return owe_buf;
5353 	}
5354 
5355 	if (sta->owe_pmk && sta->external_dh_updated) {
5356 		wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5357 		*status = WLAN_STATUS_SUCCESS;
5358 		return owe_buf;
5359 	}
5360 
5361 	*status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5362 	if (*status != WLAN_STATUS_SUCCESS)
5363 		return NULL;
5364 
5365 	owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5366 						owe_buf_len, NULL, 0);
5367 
5368 	if (sta->owe_ecdh && owe_buf) {
5369 		struct wpabuf *pub;
5370 
5371 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5372 		if (!pub) {
5373 			*status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5374 			return owe_buf;
5375 		}
5376 
5377 		/* OWE Diffie-Hellman Parameter element */
5378 		*owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5379 		*owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5380 		*owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5381 							 */
5382 		WPA_PUT_LE16(owe_buf, sta->owe_group);
5383 		owe_buf += 2;
5384 		os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5385 		owe_buf += wpabuf_len(pub);
5386 		wpabuf_free(pub);
5387 	}
5388 
5389 	return owe_buf;
5390 }
5391 #endif /* CONFIG_OWE */
5392 
5393 
5394 #ifdef CONFIG_FILS
5395 
5396 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5397 {
5398 	u16 reply_res;
5399 
5400 	wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5401 		   MAC2STR(sta->addr));
5402 	eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5403 	if (!sta->fils_pending_assoc_req)
5404 		return;
5405 	reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5406 				    sta->fils_pending_assoc_is_reassoc,
5407 				    sta->fils_pending_assoc_req,
5408 				    sta->fils_pending_assoc_req_len, 0, 0);
5409 	os_free(sta->fils_pending_assoc_req);
5410 	sta->fils_pending_assoc_req = NULL;
5411 	sta->fils_pending_assoc_req_len = 0;
5412 	wpabuf_free(sta->fils_hlp_resp);
5413 	sta->fils_hlp_resp = NULL;
5414 	wpabuf_free(sta->hlp_dhcp_discover);
5415 	sta->hlp_dhcp_discover = NULL;
5416 
5417 	/*
5418 	 * Remove the station in case transmission of a success response fails.
5419 	 * At this point the station was already added associated to the driver.
5420 	 */
5421 	if (reply_res != WLAN_STATUS_SUCCESS)
5422 		hostapd_drv_sta_remove(hapd, sta->addr);
5423 }
5424 
5425 
5426 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5427 {
5428 	struct hostapd_data *hapd = eloop_ctx;
5429 	struct sta_info *sta = eloop_data;
5430 
5431 	wpa_printf(MSG_DEBUG,
5432 		   "FILS: HLP response timeout - continue with association response for "
5433 		   MACSTR, MAC2STR(sta->addr));
5434 	if (sta->fils_drv_assoc_finish)
5435 		hostapd_notify_assoc_fils_finish(hapd, sta);
5436 	else
5437 		fils_hlp_finish_assoc(hapd, sta);
5438 }
5439 
5440 #endif /* CONFIG_FILS */
5441 
5442 
5443 static void handle_assoc(struct hostapd_data *hapd,
5444 			 const struct ieee80211_mgmt *mgmt, size_t len,
5445 			 int reassoc, int rssi)
5446 {
5447 	u16 capab_info, listen_interval, seq_ctrl, fc;
5448 	int resp = WLAN_STATUS_SUCCESS;
5449 	u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5450 	const u8 *pos;
5451 	int left, i;
5452 	struct sta_info *sta;
5453 	u8 *tmp = NULL;
5454 #ifdef CONFIG_FILS
5455 	int delay_assoc = 0;
5456 #endif /* CONFIG_FILS */
5457 	int omit_rsnxe = 0;
5458 
5459 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5460 				      sizeof(mgmt->u.assoc_req))) {
5461 		wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5462 			   reassoc, (unsigned long) len);
5463 		return;
5464 	}
5465 
5466 #ifdef CONFIG_TESTING_OPTIONS
5467 	if (reassoc) {
5468 		if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5469 		    drand48() < hapd->iconf->ignore_reassoc_probability) {
5470 			wpa_printf(MSG_INFO,
5471 				   "TESTING: ignoring reassoc request from "
5472 				   MACSTR, MAC2STR(mgmt->sa));
5473 			return;
5474 		}
5475 	} else {
5476 		if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5477 		    drand48() < hapd->iconf->ignore_assoc_probability) {
5478 			wpa_printf(MSG_INFO,
5479 				   "TESTING: ignoring assoc request from "
5480 				   MACSTR, MAC2STR(mgmt->sa));
5481 			return;
5482 		}
5483 	}
5484 #endif /* CONFIG_TESTING_OPTIONS */
5485 
5486 	fc = le_to_host16(mgmt->frame_control);
5487 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5488 
5489 	if (reassoc) {
5490 		capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5491 		listen_interval = le_to_host16(
5492 			mgmt->u.reassoc_req.listen_interval);
5493 		wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5494 			   " capab_info=0x%02x listen_interval=%d current_ap="
5495 			   MACSTR " seq_ctrl=0x%x%s",
5496 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
5497 			   MAC2STR(mgmt->u.reassoc_req.current_ap),
5498 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5499 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5500 		pos = mgmt->u.reassoc_req.variable;
5501 	} else {
5502 		capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5503 		listen_interval = le_to_host16(
5504 			mgmt->u.assoc_req.listen_interval);
5505 		wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5506 			   " capab_info=0x%02x listen_interval=%d "
5507 			   "seq_ctrl=0x%x%s",
5508 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
5509 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5510 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5511 		pos = mgmt->u.assoc_req.variable;
5512 	}
5513 
5514 	sta = ap_get_sta(hapd, mgmt->sa);
5515 #ifdef CONFIG_IEEE80211R_AP
5516 	if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5517 	    (sta->flags & WLAN_STA_AUTH) == 0) {
5518 		wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5519 			   "prior to authentication since it is using "
5520 			   "over-the-DS FT", MAC2STR(mgmt->sa));
5521 
5522 		/*
5523 		 * Mark station as authenticated, to avoid adding station
5524 		 * entry in the driver as associated and not authenticated
5525 		 */
5526 		sta->flags |= WLAN_STA_AUTH;
5527 	} else
5528 #endif /* CONFIG_IEEE80211R_AP */
5529 	if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5530 		if (hapd->iface->current_mode &&
5531 		    hapd->iface->current_mode->mode ==
5532 			HOSTAPD_MODE_IEEE80211AD) {
5533 			int acl_res;
5534 			struct radius_sta info;
5535 
5536 			acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5537 							     (const u8 *) mgmt,
5538 							     len, &info);
5539 			if (acl_res == HOSTAPD_ACL_REJECT) {
5540 				wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5541 					"Ignore Association Request frame from "
5542 					MACSTR " due to ACL reject",
5543 					MAC2STR(mgmt->sa));
5544 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5545 				goto fail;
5546 			}
5547 			if (acl_res == HOSTAPD_ACL_PENDING)
5548 				return;
5549 
5550 			/* DMG/IEEE 802.11ad does not use authentication.
5551 			 * Allocate sta entry upon association. */
5552 			sta = ap_sta_add(hapd, mgmt->sa);
5553 			if (!sta) {
5554 				hostapd_logger(hapd, mgmt->sa,
5555 					       HOSTAPD_MODULE_IEEE80211,
5556 					       HOSTAPD_LEVEL_INFO,
5557 					       "Failed to add STA");
5558 				resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5559 				goto fail;
5560 			}
5561 
5562 			acl_res = ieee802_11_set_radius_info(
5563 				hapd, sta, acl_res, &info);
5564 			if (acl_res) {
5565 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5566 				goto fail;
5567 			}
5568 
5569 			hostapd_logger(hapd, sta->addr,
5570 				       HOSTAPD_MODULE_IEEE80211,
5571 				       HOSTAPD_LEVEL_DEBUG,
5572 				       "Skip authentication for DMG/IEEE 802.11ad");
5573 			sta->flags |= WLAN_STA_AUTH;
5574 			wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5575 			sta->auth_alg = WLAN_AUTH_OPEN;
5576 		} else {
5577 			hostapd_logger(hapd, mgmt->sa,
5578 				       HOSTAPD_MODULE_IEEE80211,
5579 				       HOSTAPD_LEVEL_INFO,
5580 				       "Station tried to associate before authentication (aid=%d flags=0x%x)",
5581 				       sta ? sta->aid : -1,
5582 				       sta ? sta->flags : 0);
5583 			send_deauth(hapd, mgmt->sa,
5584 				    WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5585 			return;
5586 		}
5587 	}
5588 
5589 	if ((fc & WLAN_FC_RETRY) &&
5590 	    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5591 	    sta->last_seq_ctrl == seq_ctrl &&
5592 	    sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5593 				  WLAN_FC_STYPE_ASSOC_REQ)) {
5594 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5595 			       HOSTAPD_LEVEL_DEBUG,
5596 			       "Drop repeated association frame seq_ctrl=0x%x",
5597 			       seq_ctrl);
5598 		return;
5599 	}
5600 	sta->last_seq_ctrl = seq_ctrl;
5601 	sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5602 		WLAN_FC_STYPE_ASSOC_REQ;
5603 
5604 	if (hapd->tkip_countermeasures) {
5605 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5606 		goto fail;
5607 	}
5608 
5609 	if (listen_interval > hapd->conf->max_listen_interval) {
5610 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5611 			       HOSTAPD_LEVEL_DEBUG,
5612 			       "Too large Listen Interval (%d)",
5613 			       listen_interval);
5614 		resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5615 		goto fail;
5616 	}
5617 
5618 #ifdef CONFIG_MBO
5619 	if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5620 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5621 		goto fail;
5622 	}
5623 
5624 	if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5625 	    rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5626 	    (sta->auth_rssi == 0 ||
5627 	     sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5628 		resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5629 		goto fail;
5630 	}
5631 #endif /* CONFIG_MBO */
5632 
5633 	/*
5634 	 * sta->capability is used in check_assoc_ies() for RRM enabled
5635 	 * capability element.
5636 	 */
5637 	sta->capability = capab_info;
5638 
5639 #ifdef CONFIG_FILS
5640 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5641 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5642 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
5643 		int res;
5644 
5645 		/* The end of the payload is encrypted. Need to decrypt it
5646 		 * before parsing. */
5647 
5648 		tmp = os_memdup(pos, left);
5649 		if (!tmp) {
5650 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5651 			goto fail;
5652 		}
5653 
5654 		res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5655 					 len, tmp, left);
5656 		if (res < 0) {
5657 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5658 			goto fail;
5659 		}
5660 		pos = tmp;
5661 		left = res;
5662 	}
5663 #endif /* CONFIG_FILS */
5664 
5665 	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
5666 	 * is used */
5667 	resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5668 	if (resp != WLAN_STATUS_SUCCESS)
5669 		goto fail;
5670 	omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5671 
5672 	if (hostapd_get_aid(hapd, sta) < 0) {
5673 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5674 			       HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5675 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5676 		goto fail;
5677 	}
5678 
5679 	sta->listen_interval = listen_interval;
5680 
5681 	if (hapd->iface->current_mode &&
5682 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5683 		sta->flags |= WLAN_STA_NONERP;
5684 	for (i = 0; i < sta->supported_rates_len; i++) {
5685 		if ((sta->supported_rates[i] & 0x7f) > 22) {
5686 			sta->flags &= ~WLAN_STA_NONERP;
5687 			break;
5688 		}
5689 	}
5690 	if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5691 		sta->nonerp_set = 1;
5692 		hapd->iface->num_sta_non_erp++;
5693 		if (hapd->iface->num_sta_non_erp == 1)
5694 			ieee802_11_set_beacons(hapd->iface);
5695 	}
5696 
5697 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5698 	    !sta->no_short_slot_time_set) {
5699 		sta->no_short_slot_time_set = 1;
5700 		hapd->iface->num_sta_no_short_slot_time++;
5701 		if (hapd->iface->current_mode &&
5702 		    hapd->iface->current_mode->mode ==
5703 		    HOSTAPD_MODE_IEEE80211G &&
5704 		    hapd->iface->num_sta_no_short_slot_time == 1)
5705 			ieee802_11_set_beacons(hapd->iface);
5706 	}
5707 
5708 	if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5709 		sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5710 	else
5711 		sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5712 
5713 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5714 	    !sta->no_short_preamble_set) {
5715 		sta->no_short_preamble_set = 1;
5716 		hapd->iface->num_sta_no_short_preamble++;
5717 		if (hapd->iface->current_mode &&
5718 		    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5719 		    && hapd->iface->num_sta_no_short_preamble == 1)
5720 			ieee802_11_set_beacons(hapd->iface);
5721 	}
5722 
5723 	update_ht_state(hapd, sta);
5724 
5725 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5726 		       HOSTAPD_LEVEL_DEBUG,
5727 		       "association OK (aid %d)", sta->aid);
5728 	/* Station will be marked associated, after it acknowledges AssocResp
5729 	 */
5730 	sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5731 
5732 	if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5733 		wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5734 			   "SA Query procedure", reassoc ? "re" : "");
5735 		/* TODO: Send a protected Disassociate frame to the STA using
5736 		 * the old key and Reason Code "Previous Authentication no
5737 		 * longer valid". Make sure this is only sent protected since
5738 		 * unprotected frame would be received by the STA that is now
5739 		 * trying to associate.
5740 		 */
5741 	}
5742 
5743 	/* Make sure that the previously registered inactivity timer will not
5744 	 * remove the STA immediately. */
5745 	sta->timeout_next = STA_NULLFUNC;
5746 
5747 #ifdef CONFIG_TAXONOMY
5748 	taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5749 #endif /* CONFIG_TAXONOMY */
5750 
5751 	sta->pending_wds_enable = 0;
5752 
5753 #ifdef CONFIG_FILS
5754 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5755 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5756 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
5757 		if (fils_process_hlp(hapd, sta, pos, left) > 0)
5758 			delay_assoc = 1;
5759 	}
5760 #endif /* CONFIG_FILS */
5761 
5762  fail:
5763 
5764 	/*
5765 	 * In case of a successful response, add the station to the driver.
5766 	 * Otherwise, the kernel may ignore Data frames before we process the
5767 	 * ACK frame (TX status). In case of a failure, this station will be
5768 	 * removed.
5769 	 *
5770 	 * Note that this is not compliant with the IEEE 802.11 standard that
5771 	 * states that a non-AP station should transition into the
5772 	 * authenticated/associated state only after the station acknowledges
5773 	 * the (Re)Association Response frame. However, still do this as:
5774 	 *
5775 	 * 1. In case the station does not acknowledge the (Re)Association
5776 	 *    Response frame, it will be removed.
5777 	 * 2. Data frames will be dropped in the kernel until the station is
5778 	 *    set into authorized state, and there are no significant known
5779 	 *    issues with processing other non-Data Class 3 frames during this
5780 	 *    window.
5781 	 */
5782 	if (resp == WLAN_STATUS_SUCCESS && sta &&
5783 	    add_associated_sta(hapd, sta, reassoc))
5784 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5785 
5786 #ifdef CONFIG_FILS
5787 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5788 	    eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5789 	    sta->fils_pending_assoc_req) {
5790 		/* Do not reschedule fils_hlp_timeout in case the station
5791 		 * retransmits (Re)Association Request frame while waiting for
5792 		 * the previously started FILS HLP wait, so that the timeout can
5793 		 * be determined from the first pending attempt. */
5794 		wpa_printf(MSG_DEBUG,
5795 			   "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5796 			   MACSTR, MAC2STR(sta->addr));
5797 		os_free(tmp);
5798 		return;
5799 	}
5800 	if (sta) {
5801 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5802 		os_free(sta->fils_pending_assoc_req);
5803 		sta->fils_pending_assoc_req = NULL;
5804 		sta->fils_pending_assoc_req_len = 0;
5805 		wpabuf_free(sta->fils_hlp_resp);
5806 		sta->fils_hlp_resp = NULL;
5807 	}
5808 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5809 		sta->fils_pending_assoc_req = tmp;
5810 		sta->fils_pending_assoc_req_len = left;
5811 		sta->fils_pending_assoc_is_reassoc = reassoc;
5812 		sta->fils_drv_assoc_finish = 0;
5813 		wpa_printf(MSG_DEBUG,
5814 			   "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5815 			   MACSTR, MAC2STR(sta->addr));
5816 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5817 		eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5818 				       fils_hlp_timeout, hapd, sta);
5819 		return;
5820 	}
5821 #endif /* CONFIG_FILS */
5822 
5823 	if (resp >= 0)
5824 		reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5825 					    pos, left, rssi, omit_rsnxe);
5826 	os_free(tmp);
5827 
5828 	/*
5829 	 * Remove the station in case transmission of a success response fails
5830 	 * (the STA was added associated to the driver) or if the station was
5831 	 * previously added unassociated.
5832 	 */
5833 	if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5834 		     resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5835 		hostapd_drv_sta_remove(hapd, sta->addr);
5836 		sta->added_unassoc = 0;
5837 	}
5838 }
5839 
5840 
5841 static void handle_disassoc(struct hostapd_data *hapd,
5842 			    const struct ieee80211_mgmt *mgmt, size_t len)
5843 {
5844 	struct sta_info *sta;
5845 
5846 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5847 		wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5848 			   (unsigned long) len);
5849 		return;
5850 	}
5851 
5852 	wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
5853 		   MAC2STR(mgmt->sa),
5854 		   le_to_host16(mgmt->u.disassoc.reason_code));
5855 
5856 	sta = ap_get_sta(hapd, mgmt->sa);
5857 	if (sta == NULL) {
5858 		wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
5859 			   MAC2STR(mgmt->sa));
5860 		return;
5861 	}
5862 
5863 	ap_sta_set_authorized(hapd, sta, 0);
5864 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5865 	sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5866 	hostapd_set_sta_flags(hapd, sta);
5867 	wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5868 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5869 		       HOSTAPD_LEVEL_INFO, "disassociated");
5870 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5871 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5872 	/* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5873 	 * authenticated. */
5874 	accounting_sta_stop(hapd, sta);
5875 	ieee802_1x_free_station(hapd, sta);
5876 	if (sta->ipaddr)
5877 		hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5878 	ap_sta_ip6addr_del(hapd, sta);
5879 	hostapd_drv_sta_remove(hapd, sta->addr);
5880 	sta->added_unassoc = 0;
5881 
5882 	if (sta->timeout_next == STA_NULLFUNC ||
5883 	    sta->timeout_next == STA_DISASSOC) {
5884 		sta->timeout_next = STA_DEAUTH;
5885 		eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5886 		eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5887 				       hapd, sta);
5888 	}
5889 
5890 	mlme_disassociate_indication(
5891 		hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5892 
5893 	/* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5894 	 * disassociation. */
5895 	if (hapd->iface->current_mode &&
5896 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5897 		sta->flags &= ~WLAN_STA_AUTH;
5898 		wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5899 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5900 			       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5901 		ap_free_sta(hapd, sta);
5902 	}
5903 }
5904 
5905 
5906 static void handle_deauth(struct hostapd_data *hapd,
5907 			  const struct ieee80211_mgmt *mgmt, size_t len)
5908 {
5909 	struct sta_info *sta;
5910 
5911 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5912 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5913 			"payload (len=%lu)", (unsigned long) len);
5914 		return;
5915 	}
5916 
5917 	wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5918 		" reason_code=%d",
5919 		MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5920 
5921 	/* Clear the PTKSA cache entries for PASN */
5922 	ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5923 
5924 	sta = ap_get_sta(hapd, mgmt->sa);
5925 	if (sta == NULL) {
5926 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5927 			"to deauthenticate, but it is not authenticated",
5928 			MAC2STR(mgmt->sa));
5929 		return;
5930 	}
5931 
5932 	ap_sta_set_authorized(hapd, sta, 0);
5933 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5934 	sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5935 			WLAN_STA_ASSOC_REQ_OK);
5936 	hostapd_set_sta_flags(hapd, sta);
5937 	wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5938 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5939 		       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5940 	mlme_deauthenticate_indication(
5941 		hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5942 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5943 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5944 	ap_free_sta(hapd, sta);
5945 }
5946 
5947 
5948 static void handle_beacon(struct hostapd_data *hapd,
5949 			  const struct ieee80211_mgmt *mgmt, size_t len,
5950 			  struct hostapd_frame_info *fi)
5951 {
5952 	struct ieee802_11_elems elems;
5953 
5954 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5955 		wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5956 			   (unsigned long) len);
5957 		return;
5958 	}
5959 
5960 	(void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5961 				      len - (IEEE80211_HDRLEN +
5962 					     sizeof(mgmt->u.beacon)), &elems,
5963 				      0);
5964 
5965 	ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5966 }
5967 
5968 
5969 static int robust_action_frame(u8 category)
5970 {
5971 	return category != WLAN_ACTION_PUBLIC &&
5972 		category != WLAN_ACTION_HT;
5973 }
5974 
5975 
5976 static int handle_action(struct hostapd_data *hapd,
5977 			 const struct ieee80211_mgmt *mgmt, size_t len,
5978 			 unsigned int freq)
5979 {
5980 	struct sta_info *sta;
5981 	u8 *action __maybe_unused;
5982 
5983 	if (len < IEEE80211_HDRLEN + 2 + 1) {
5984 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5985 			       HOSTAPD_LEVEL_DEBUG,
5986 			       "handle_action - too short payload (len=%lu)",
5987 			       (unsigned long) len);
5988 		return 0;
5989 	}
5990 
5991 	action = (u8 *) &mgmt->u.action.u;
5992 	wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
5993 		   " da " MACSTR " len %d freq %u",
5994 		   mgmt->u.action.category, *action,
5995 		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
5996 
5997 	sta = ap_get_sta(hapd, mgmt->sa);
5998 
5999 	if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6000 	    (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6001 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6002 			   "frame (category=%u) from unassociated STA " MACSTR,
6003 			   mgmt->u.action.category, MAC2STR(mgmt->sa));
6004 		return 0;
6005 	}
6006 
6007 	if (sta && (sta->flags & WLAN_STA_MFP) &&
6008 	    !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6009 	    robust_action_frame(mgmt->u.action.category)) {
6010 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6011 			       HOSTAPD_LEVEL_DEBUG,
6012 			       "Dropped unprotected Robust Action frame from "
6013 			       "an MFP STA");
6014 		return 0;
6015 	}
6016 
6017 	if (sta) {
6018 		u16 fc = le_to_host16(mgmt->frame_control);
6019 		u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6020 
6021 		if ((fc & WLAN_FC_RETRY) &&
6022 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6023 		    sta->last_seq_ctrl == seq_ctrl &&
6024 		    sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6025 			hostapd_logger(hapd, sta->addr,
6026 				       HOSTAPD_MODULE_IEEE80211,
6027 				       HOSTAPD_LEVEL_DEBUG,
6028 				       "Drop repeated action frame seq_ctrl=0x%x",
6029 				       seq_ctrl);
6030 			return 1;
6031 		}
6032 
6033 		sta->last_seq_ctrl = seq_ctrl;
6034 		sta->last_subtype = WLAN_FC_STYPE_ACTION;
6035 	}
6036 
6037 	switch (mgmt->u.action.category) {
6038 #ifdef CONFIG_IEEE80211R_AP
6039 	case WLAN_ACTION_FT:
6040 		if (!sta ||
6041 		    wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6042 				     len - IEEE80211_HDRLEN))
6043 			break;
6044 		return 1;
6045 #endif /* CONFIG_IEEE80211R_AP */
6046 	case WLAN_ACTION_WMM:
6047 		hostapd_wmm_action(hapd, mgmt, len);
6048 		return 1;
6049 	case WLAN_ACTION_SA_QUERY:
6050 		ieee802_11_sa_query_action(hapd, mgmt, len);
6051 		return 1;
6052 #ifdef CONFIG_WNM_AP
6053 	case WLAN_ACTION_WNM:
6054 		ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6055 		return 1;
6056 #endif /* CONFIG_WNM_AP */
6057 #ifdef CONFIG_FST
6058 	case WLAN_ACTION_FST:
6059 		if (hapd->iface->fst)
6060 			fst_rx_action(hapd->iface->fst, mgmt, len);
6061 		else
6062 			wpa_printf(MSG_DEBUG,
6063 				   "FST: Ignore FST Action frame - no FST attached");
6064 		return 1;
6065 #endif /* CONFIG_FST */
6066 	case WLAN_ACTION_PUBLIC:
6067 	case WLAN_ACTION_PROTECTED_DUAL:
6068 		if (len >= IEEE80211_HDRLEN + 2 &&
6069 		    mgmt->u.action.u.public_action.action ==
6070 		    WLAN_PA_20_40_BSS_COEX) {
6071 			hostapd_2040_coex_action(hapd, mgmt, len);
6072 			return 1;
6073 		}
6074 #ifdef CONFIG_DPP
6075 		if (len >= IEEE80211_HDRLEN + 6 &&
6076 		    mgmt->u.action.u.vs_public_action.action ==
6077 		    WLAN_PA_VENDOR_SPECIFIC &&
6078 		    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6079 		    OUI_WFA &&
6080 		    mgmt->u.action.u.vs_public_action.variable[0] ==
6081 		    DPP_OUI_TYPE) {
6082 			const u8 *pos, *end;
6083 
6084 			pos = mgmt->u.action.u.vs_public_action.oui;
6085 			end = ((const u8 *) mgmt) + len;
6086 			hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6087 					      freq);
6088 			return 1;
6089 		}
6090 		if (len >= IEEE80211_HDRLEN + 2 &&
6091 		    (mgmt->u.action.u.public_action.action ==
6092 		     WLAN_PA_GAS_INITIAL_RESP ||
6093 		     mgmt->u.action.u.public_action.action ==
6094 		     WLAN_PA_GAS_COMEBACK_RESP)) {
6095 			const u8 *pos, *end;
6096 
6097 			pos = &mgmt->u.action.u.public_action.action;
6098 			end = ((const u8 *) mgmt) + len;
6099 			gas_query_ap_rx(hapd->gas, mgmt->sa,
6100 					mgmt->u.action.category,
6101 					pos, end - pos, hapd->iface->freq);
6102 			return 1;
6103 		}
6104 #endif /* CONFIG_DPP */
6105 		if (hapd->public_action_cb) {
6106 			hapd->public_action_cb(hapd->public_action_cb_ctx,
6107 					       (u8 *) mgmt, len,
6108 					       hapd->iface->freq);
6109 		}
6110 		if (hapd->public_action_cb2) {
6111 			hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6112 						(u8 *) mgmt, len,
6113 						hapd->iface->freq);
6114 		}
6115 		if (hapd->public_action_cb || hapd->public_action_cb2)
6116 			return 1;
6117 		break;
6118 	case WLAN_ACTION_VENDOR_SPECIFIC:
6119 		if (hapd->vendor_action_cb) {
6120 			if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6121 						   (u8 *) mgmt, len,
6122 						   hapd->iface->freq) == 0)
6123 				return 1;
6124 		}
6125 		break;
6126 	case WLAN_ACTION_RADIO_MEASUREMENT:
6127 		hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6128 		return 1;
6129 	}
6130 
6131 	hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6132 		       HOSTAPD_LEVEL_DEBUG,
6133 		       "handle_action - unknown action category %d or invalid "
6134 		       "frame",
6135 		       mgmt->u.action.category);
6136 	if (!is_multicast_ether_addr(mgmt->da) &&
6137 	    !(mgmt->u.action.category & 0x80) &&
6138 	    !is_multicast_ether_addr(mgmt->sa)) {
6139 		struct ieee80211_mgmt *resp;
6140 
6141 		/*
6142 		 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6143 		 * Return the Action frame to the source without change
6144 		 * except that MSB of the Category set to 1.
6145 		 */
6146 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6147 			   "frame back to sender");
6148 		resp = os_memdup(mgmt, len);
6149 		if (resp == NULL)
6150 			return 0;
6151 		os_memcpy(resp->da, resp->sa, ETH_ALEN);
6152 		os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6153 		os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6154 		resp->u.action.category |= 0x80;
6155 
6156 		if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6157 			wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6158 				   "Action frame");
6159 		}
6160 		os_free(resp);
6161 	}
6162 
6163 	return 1;
6164 }
6165 
6166 
6167 /**
6168  * notify_mgmt_frame - Notify of Management frames on the control interface
6169  * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6170  * sent to)
6171  * @buf: Management frame data (starting from the IEEE 802.11 header)
6172  * @len: Length of frame data in octets
6173  *
6174  * Notify the control interface of any received Management frame.
6175  */
6176 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6177 			      size_t len)
6178 {
6179 
6180 	int hex_len = len * 2 + 1;
6181 	char *hex = os_malloc(hex_len);
6182 
6183 	if (hex) {
6184 		wpa_snprintf_hex(hex, hex_len, buf, len);
6185 		wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6186 			     AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6187 		os_free(hex);
6188 	}
6189 }
6190 
6191 
6192 /**
6193  * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6194  * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6195  * sent to)
6196  * @buf: management frame data (starting from IEEE 802.11 header)
6197  * @len: length of frame data in octets
6198  * @fi: meta data about received frame (signal level, etc.)
6199  *
6200  * Process all incoming IEEE 802.11 management frames. This will be called for
6201  * each frame received from the kernel driver through wlan#ap interface. In
6202  * addition, it can be called to re-inserted pending frames (e.g., when using
6203  * external RADIUS server as an MAC ACL).
6204  */
6205 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6206 		    struct hostapd_frame_info *fi)
6207 {
6208 	struct ieee80211_mgmt *mgmt;
6209 	u16 fc, stype;
6210 	int ret = 0;
6211 	unsigned int freq;
6212 	int ssi_signal = fi ? fi->ssi_signal : 0;
6213 
6214 	if (len < 24)
6215 		return 0;
6216 
6217 	if (fi && fi->freq)
6218 		freq = fi->freq;
6219 	else
6220 		freq = hapd->iface->freq;
6221 
6222 	mgmt = (struct ieee80211_mgmt *) buf;
6223 	fc = le_to_host16(mgmt->frame_control);
6224 	stype = WLAN_FC_GET_STYPE(fc);
6225 
6226 	if (is_multicast_ether_addr(mgmt->sa) ||
6227 	    is_zero_ether_addr(mgmt->sa) ||
6228 	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6229 		/* Do not process any frames with unexpected/invalid SA so that
6230 		 * we do not add any state for unexpected STA addresses or end
6231 		 * up sending out frames to unexpected destination. */
6232 		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6233 			   " in received frame - ignore this frame silently",
6234 			   MAC2STR(mgmt->sa));
6235 		return 0;
6236 	}
6237 
6238 	if (stype == WLAN_FC_STYPE_BEACON) {
6239 		handle_beacon(hapd, mgmt, len, fi);
6240 		return 1;
6241 	}
6242 
6243 	if (!is_broadcast_ether_addr(mgmt->bssid) &&
6244 #ifdef CONFIG_P2P
6245 	    /* Invitation responses can be sent with the peer MAC as BSSID */
6246 	    !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6247 	      stype == WLAN_FC_STYPE_ACTION) &&
6248 #endif /* CONFIG_P2P */
6249 #ifdef CONFIG_MESH
6250 	    !(hapd->conf->mesh & MESH_ENABLED) &&
6251 #endif /* CONFIG_MESH */
6252 	    os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6253 		wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6254 			   MAC2STR(mgmt->bssid));
6255 		return 0;
6256 	}
6257 
6258 	if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6259 		wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6260 			   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6261 		return 1;
6262 	}
6263 
6264 	if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6265 		handle_probe_req(hapd, mgmt, len, ssi_signal);
6266 		return 1;
6267 	}
6268 
6269 	if ((!is_broadcast_ether_addr(mgmt->da) ||
6270 	     stype != WLAN_FC_STYPE_ACTION) &&
6271 	    os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6272 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6273 			       HOSTAPD_LEVEL_DEBUG,
6274 			       "MGMT: DA=" MACSTR " not our address",
6275 			       MAC2STR(mgmt->da));
6276 		return 0;
6277 	}
6278 
6279 	if (hapd->iconf->track_sta_max_num)
6280 		sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6281 
6282 	if (hapd->conf->notify_mgmt_frames)
6283 		notify_mgmt_frame(hapd, buf, len);
6284 
6285 	switch (stype) {
6286 	case WLAN_FC_STYPE_AUTH:
6287 		wpa_printf(MSG_DEBUG, "mgmt::auth");
6288 		handle_auth(hapd, mgmt, len, ssi_signal, 0);
6289 		ret = 1;
6290 		break;
6291 	case WLAN_FC_STYPE_ASSOC_REQ:
6292 		wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6293 		handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6294 		ret = 1;
6295 		break;
6296 	case WLAN_FC_STYPE_REASSOC_REQ:
6297 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6298 		handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6299 		ret = 1;
6300 		break;
6301 	case WLAN_FC_STYPE_DISASSOC:
6302 		wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6303 		handle_disassoc(hapd, mgmt, len);
6304 		ret = 1;
6305 		break;
6306 	case WLAN_FC_STYPE_DEAUTH:
6307 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6308 		handle_deauth(hapd, mgmt, len);
6309 		ret = 1;
6310 		break;
6311 	case WLAN_FC_STYPE_ACTION:
6312 		wpa_printf(MSG_DEBUG, "mgmt::action");
6313 		ret = handle_action(hapd, mgmt, len, freq);
6314 		break;
6315 	default:
6316 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6317 			       HOSTAPD_LEVEL_DEBUG,
6318 			       "unknown mgmt frame subtype %d", stype);
6319 		break;
6320 	}
6321 
6322 	return ret;
6323 }
6324 
6325 
6326 static void handle_auth_cb(struct hostapd_data *hapd,
6327 			   const struct ieee80211_mgmt *mgmt,
6328 			   size_t len, int ok)
6329 {
6330 	u16 auth_alg, auth_transaction, status_code;
6331 	struct sta_info *sta;
6332 	bool success_status;
6333 
6334 	sta = ap_get_sta(hapd, mgmt->da);
6335 	if (!sta) {
6336 		wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6337 			   " not found",
6338 			   MAC2STR(mgmt->da));
6339 		return;
6340 	}
6341 
6342 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6343 		wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6344 			   (unsigned long) len);
6345 		auth_alg = 0;
6346 		auth_transaction = 0;
6347 		status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6348 		goto fail;
6349 	}
6350 
6351 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6352 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6353 	status_code = le_to_host16(mgmt->u.auth.status_code);
6354 
6355 	if (!ok) {
6356 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6357 			       HOSTAPD_LEVEL_NOTICE,
6358 			       "did not acknowledge authentication response");
6359 		goto fail;
6360 	}
6361 
6362 	if (status_code == WLAN_STATUS_SUCCESS &&
6363 	    ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6364 	     (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6365 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6366 			       HOSTAPD_LEVEL_INFO, "authenticated");
6367 		sta->flags |= WLAN_STA_AUTH;
6368 		if (sta->added_unassoc)
6369 			hostapd_set_sta_flags(hapd, sta);
6370 		return;
6371 	}
6372 
6373 fail:
6374 	success_status = status_code == WLAN_STATUS_SUCCESS;
6375 #ifdef CONFIG_SAE
6376 	if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6377 		success_status = sae_status_success(hapd, status_code);
6378 #endif /* CONFIG_SAE */
6379 	if (!success_status && sta->added_unassoc) {
6380 		hostapd_drv_sta_remove(hapd, sta->addr);
6381 		sta->added_unassoc = 0;
6382 	}
6383 }
6384 
6385 
6386 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6387 				       struct sta_info *sta,
6388 				       char *ifname_wds)
6389 {
6390 #ifdef CONFIG_WEP
6391 	int i;
6392 	struct hostapd_ssid *ssid = &hapd->conf->ssid;
6393 
6394 	if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6395 		return;
6396 
6397 	for (i = 0; i < 4; i++) {
6398 		if (ssid->wep.key[i] &&
6399 		    hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6400 					0, i == ssid->wep.idx, NULL, 0,
6401 					ssid->wep.key[i], ssid->wep.len[i],
6402 					i == ssid->wep.idx ?
6403 					KEY_FLAG_GROUP_RX_TX_DEFAULT :
6404 					KEY_FLAG_GROUP_RX_TX)) {
6405 			wpa_printf(MSG_WARNING,
6406 				   "Could not set WEP keys for WDS interface; %s",
6407 				   ifname_wds);
6408 			break;
6409 		}
6410 	}
6411 #endif /* CONFIG_WEP */
6412 }
6413 
6414 
6415 static void handle_assoc_cb(struct hostapd_data *hapd,
6416 			    const struct ieee80211_mgmt *mgmt,
6417 			    size_t len, int reassoc, int ok)
6418 {
6419 	u16 status;
6420 	struct sta_info *sta;
6421 	int new_assoc = 1;
6422 
6423 	sta = ap_get_sta(hapd, mgmt->da);
6424 	if (!sta) {
6425 		wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6426 			   MAC2STR(mgmt->da));
6427 		return;
6428 	}
6429 
6430 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6431 				      sizeof(mgmt->u.assoc_resp))) {
6432 		wpa_printf(MSG_INFO,
6433 			   "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6434 			   reassoc, (unsigned long) len);
6435 		hostapd_drv_sta_remove(hapd, sta->addr);
6436 		return;
6437 	}
6438 
6439 	if (reassoc)
6440 		status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6441 	else
6442 		status = le_to_host16(mgmt->u.assoc_resp.status_code);
6443 
6444 	if (!ok) {
6445 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6446 			       HOSTAPD_LEVEL_DEBUG,
6447 			       "did not acknowledge association response");
6448 		sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6449 		/* The STA is added only in case of SUCCESS */
6450 		if (status == WLAN_STATUS_SUCCESS)
6451 			hostapd_drv_sta_remove(hapd, sta->addr);
6452 
6453 		return;
6454 	}
6455 
6456 	if (status != WLAN_STATUS_SUCCESS)
6457 		return;
6458 
6459 	/* Stop previous accounting session, if one is started, and allocate
6460 	 * new session id for the new session. */
6461 	accounting_sta_stop(hapd, sta);
6462 
6463 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6464 		       HOSTAPD_LEVEL_INFO,
6465 		       "associated (aid %d)",
6466 		       sta->aid);
6467 
6468 	if (sta->flags & WLAN_STA_ASSOC)
6469 		new_assoc = 0;
6470 	sta->flags |= WLAN_STA_ASSOC;
6471 	sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6472 	if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6473 	     !hapd->conf->osen) ||
6474 	    sta->auth_alg == WLAN_AUTH_FILS_SK ||
6475 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6476 	    sta->auth_alg == WLAN_AUTH_FILS_PK ||
6477 	    sta->auth_alg == WLAN_AUTH_FT) {
6478 		/*
6479 		 * Open, static WEP, FT protocol, or FILS; no separate
6480 		 * authorization step.
6481 		 */
6482 		ap_sta_set_authorized(hapd, sta, 1);
6483 	}
6484 
6485 	if (reassoc)
6486 		mlme_reassociate_indication(hapd, sta);
6487 	else
6488 		mlme_associate_indication(hapd, sta);
6489 
6490 	sta->sa_query_timed_out = 0;
6491 
6492 	if (sta->eapol_sm == NULL) {
6493 		/*
6494 		 * This STA does not use RADIUS server for EAP authentication,
6495 		 * so bind it to the selected VLAN interface now, since the
6496 		 * interface selection is not going to change anymore.
6497 		 */
6498 		if (ap_sta_bind_vlan(hapd, sta) < 0)
6499 			return;
6500 	} else if (sta->vlan_id) {
6501 		/* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6502 		if (ap_sta_bind_vlan(hapd, sta) < 0)
6503 			return;
6504 	}
6505 
6506 	hostapd_set_sta_flags(hapd, sta);
6507 
6508 	if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6509 		wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6510 			   MACSTR " based on pending request",
6511 			   MAC2STR(sta->addr));
6512 		sta->pending_wds_enable = 0;
6513 		sta->flags |= WLAN_STA_WDS;
6514 	}
6515 
6516 	if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6517 		int ret;
6518 		char ifname_wds[IFNAMSIZ + 1];
6519 
6520 		wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6521 			   MACSTR " (aid %u)",
6522 			   MAC2STR(sta->addr), sta->aid);
6523 		ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6524 					  sta->aid, 1);
6525 		if (!ret)
6526 			hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6527 	}
6528 
6529 	if (sta->auth_alg == WLAN_AUTH_FT)
6530 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6531 	else
6532 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6533 	hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6534 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6535 
6536 #ifdef CONFIG_FILS
6537 	if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6538 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6539 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6540 	    fils_set_tk(sta->wpa_sm) < 0) {
6541 		wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6542 		ap_sta_disconnect(hapd, sta, sta->addr,
6543 				  WLAN_REASON_UNSPECIFIED);
6544 		return;
6545 	}
6546 #endif /* CONFIG_FILS */
6547 
6548 	if (sta->pending_eapol_rx) {
6549 		struct os_reltime now, age;
6550 
6551 		os_get_reltime(&now);
6552 		os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6553 		if (age.sec == 0 && age.usec < 200000) {
6554 			wpa_printf(MSG_DEBUG,
6555 				   "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6556 				   MAC2STR(sta->addr));
6557 			ieee802_1x_receive(
6558 				hapd, mgmt->da,
6559 				wpabuf_head(sta->pending_eapol_rx->buf),
6560 				wpabuf_len(sta->pending_eapol_rx->buf));
6561 		}
6562 		wpabuf_free(sta->pending_eapol_rx->buf);
6563 		os_free(sta->pending_eapol_rx);
6564 		sta->pending_eapol_rx = NULL;
6565 	}
6566 }
6567 
6568 
6569 static void handle_deauth_cb(struct hostapd_data *hapd,
6570 			     const struct ieee80211_mgmt *mgmt,
6571 			     size_t len, int ok)
6572 {
6573 	struct sta_info *sta;
6574 	if (is_multicast_ether_addr(mgmt->da))
6575 		return;
6576 	sta = ap_get_sta(hapd, mgmt->da);
6577 	if (!sta) {
6578 		wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6579 			   " not found", MAC2STR(mgmt->da));
6580 		return;
6581 	}
6582 	if (ok)
6583 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6584 			   MAC2STR(sta->addr));
6585 	else
6586 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6587 			   "deauth", MAC2STR(sta->addr));
6588 
6589 	ap_sta_deauth_cb(hapd, sta);
6590 }
6591 
6592 
6593 static void handle_disassoc_cb(struct hostapd_data *hapd,
6594 			       const struct ieee80211_mgmt *mgmt,
6595 			       size_t len, int ok)
6596 {
6597 	struct sta_info *sta;
6598 	if (is_multicast_ether_addr(mgmt->da))
6599 		return;
6600 	sta = ap_get_sta(hapd, mgmt->da);
6601 	if (!sta) {
6602 		wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6603 			   " not found", MAC2STR(mgmt->da));
6604 		return;
6605 	}
6606 	if (ok)
6607 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6608 			   MAC2STR(sta->addr));
6609 	else
6610 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6611 			   "disassoc", MAC2STR(sta->addr));
6612 
6613 	ap_sta_disassoc_cb(hapd, sta);
6614 }
6615 
6616 
6617 static void handle_action_cb(struct hostapd_data *hapd,
6618 			     const struct ieee80211_mgmt *mgmt,
6619 			     size_t len, int ok)
6620 {
6621 	struct sta_info *sta;
6622 	const struct rrm_measurement_report_element *report;
6623 
6624 	if (is_multicast_ether_addr(mgmt->da))
6625 		return;
6626 #ifdef CONFIG_DPP
6627 	if (len >= IEEE80211_HDRLEN + 6 &&
6628 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6629 	    mgmt->u.action.u.vs_public_action.action ==
6630 	    WLAN_PA_VENDOR_SPECIFIC &&
6631 	    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6632 	    OUI_WFA &&
6633 	    mgmt->u.action.u.vs_public_action.variable[0] ==
6634 	    DPP_OUI_TYPE) {
6635 		const u8 *pos, *end;
6636 
6637 		pos = &mgmt->u.action.u.vs_public_action.variable[1];
6638 		end = ((const u8 *) mgmt) + len;
6639 		hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6640 		return;
6641 	}
6642 	if (len >= IEEE80211_HDRLEN + 2 &&
6643 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6644 	    (mgmt->u.action.u.public_action.action ==
6645 	     WLAN_PA_GAS_INITIAL_REQ ||
6646 	     mgmt->u.action.u.public_action.action ==
6647 	     WLAN_PA_GAS_COMEBACK_REQ)) {
6648 		const u8 *pos, *end;
6649 
6650 		pos = mgmt->u.action.u.public_action.variable;
6651 		end = ((const u8 *) mgmt) + len;
6652 		gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6653 		return;
6654 	}
6655 #endif /* CONFIG_DPP */
6656 	sta = ap_get_sta(hapd, mgmt->da);
6657 	if (!sta) {
6658 		wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6659 			   " not found", MAC2STR(mgmt->da));
6660 		return;
6661 	}
6662 
6663 	if (len < 24 + 5 + sizeof(*report))
6664 		return;
6665 	report = (const struct rrm_measurement_report_element *)
6666 		&mgmt->u.action.u.rrm.variable[2];
6667 	if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6668 	    mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6669 	    report->eid == WLAN_EID_MEASURE_REQUEST &&
6670 	    report->len >= 3 &&
6671 	    report->type == MEASURE_TYPE_BEACON)
6672 		hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6673 }
6674 
6675 
6676 /**
6677  * ieee802_11_mgmt_cb - Process management frame TX status callback
6678  * @hapd: hostapd BSS data structure (the BSS from which the management frame
6679  * was sent from)
6680  * @buf: management frame data (starting from IEEE 802.11 header)
6681  * @len: length of frame data in octets
6682  * @stype: management frame subtype from frame control field
6683  * @ok: Whether the frame was ACK'ed
6684  */
6685 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6686 			u16 stype, int ok)
6687 {
6688 	const struct ieee80211_mgmt *mgmt;
6689 	mgmt = (const struct ieee80211_mgmt *) buf;
6690 
6691 #ifdef CONFIG_TESTING_OPTIONS
6692 	if (hapd->ext_mgmt_frame_handling) {
6693 		size_t hex_len = 2 * len + 1;
6694 		char *hex = os_malloc(hex_len);
6695 
6696 		if (hex) {
6697 			wpa_snprintf_hex(hex, hex_len, buf, len);
6698 			wpa_msg(hapd->msg_ctx, MSG_INFO,
6699 				"MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6700 				stype, ok, hex);
6701 			os_free(hex);
6702 		}
6703 		return;
6704 	}
6705 #endif /* CONFIG_TESTING_OPTIONS */
6706 
6707 	switch (stype) {
6708 	case WLAN_FC_STYPE_AUTH:
6709 		wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6710 		handle_auth_cb(hapd, mgmt, len, ok);
6711 		break;
6712 	case WLAN_FC_STYPE_ASSOC_RESP:
6713 		wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6714 		handle_assoc_cb(hapd, mgmt, len, 0, ok);
6715 		break;
6716 	case WLAN_FC_STYPE_REASSOC_RESP:
6717 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6718 		handle_assoc_cb(hapd, mgmt, len, 1, ok);
6719 		break;
6720 	case WLAN_FC_STYPE_PROBE_RESP:
6721 		wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6722 		break;
6723 	case WLAN_FC_STYPE_DEAUTH:
6724 		wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6725 		handle_deauth_cb(hapd, mgmt, len, ok);
6726 		break;
6727 	case WLAN_FC_STYPE_DISASSOC:
6728 		wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6729 		handle_disassoc_cb(hapd, mgmt, len, ok);
6730 		break;
6731 	case WLAN_FC_STYPE_ACTION:
6732 		wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6733 		handle_action_cb(hapd, mgmt, len, ok);
6734 		break;
6735 	default:
6736 		wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6737 		break;
6738 	}
6739 }
6740 
6741 
6742 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6743 {
6744 	/* TODO */
6745 	return 0;
6746 }
6747 
6748 
6749 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6750 			   char *buf, size_t buflen)
6751 {
6752 	/* TODO */
6753 	return 0;
6754 }
6755 
6756 
6757 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6758 		       const u8 *buf, size_t len, int ack)
6759 {
6760 	struct sta_info *sta;
6761 	struct hostapd_iface *iface = hapd->iface;
6762 
6763 	sta = ap_get_sta(hapd, addr);
6764 	if (sta == NULL && iface->num_bss > 1) {
6765 		size_t j;
6766 		for (j = 0; j < iface->num_bss; j++) {
6767 			hapd = iface->bss[j];
6768 			sta = ap_get_sta(hapd, addr);
6769 			if (sta)
6770 				break;
6771 		}
6772 	}
6773 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6774 		return;
6775 	if (sta->flags & WLAN_STA_PENDING_POLL) {
6776 		wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6777 			   "activity poll", MAC2STR(sta->addr),
6778 			   ack ? "ACKed" : "did not ACK");
6779 		if (ack)
6780 			sta->flags &= ~WLAN_STA_PENDING_POLL;
6781 	}
6782 
6783 	ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6784 }
6785 
6786 
6787 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6788 			     const u8 *data, size_t len, int ack)
6789 {
6790 	struct sta_info *sta;
6791 	struct hostapd_iface *iface = hapd->iface;
6792 
6793 	sta = ap_get_sta(hapd, dst);
6794 	if (sta == NULL && iface->num_bss > 1) {
6795 		size_t j;
6796 		for (j = 0; j < iface->num_bss; j++) {
6797 			hapd = iface->bss[j];
6798 			sta = ap_get_sta(hapd, dst);
6799 			if (sta)
6800 				break;
6801 		}
6802 	}
6803 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6804 		wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6805 			   MACSTR " that is not currently associated",
6806 			   MAC2STR(dst));
6807 		return;
6808 	}
6809 
6810 	ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6811 }
6812 
6813 
6814 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6815 {
6816 	struct sta_info *sta;
6817 	struct hostapd_iface *iface = hapd->iface;
6818 
6819 	sta = ap_get_sta(hapd, addr);
6820 	if (sta == NULL && iface->num_bss > 1) {
6821 		size_t j;
6822 		for (j = 0; j < iface->num_bss; j++) {
6823 			hapd = iface->bss[j];
6824 			sta = ap_get_sta(hapd, addr);
6825 			if (sta)
6826 				break;
6827 		}
6828 	}
6829 	if (sta == NULL)
6830 		return;
6831 	wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6832 		MAC2STR(sta->addr));
6833 	if (!(sta->flags & WLAN_STA_PENDING_POLL))
6834 		return;
6835 
6836 	wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6837 		   "activity poll", MAC2STR(sta->addr));
6838 	sta->flags &= ~WLAN_STA_PENDING_POLL;
6839 }
6840 
6841 
6842 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6843 				int wds)
6844 {
6845 	struct sta_info *sta;
6846 
6847 	sta = ap_get_sta(hapd, src);
6848 	if (sta &&
6849 	    ((sta->flags & WLAN_STA_ASSOC) ||
6850 	     ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6851 		if (!hapd->conf->wds_sta)
6852 			return;
6853 
6854 		if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6855 		    WLAN_STA_ASSOC_REQ_OK) {
6856 			wpa_printf(MSG_DEBUG,
6857 				   "Postpone 4-address WDS mode enabling for STA "
6858 				   MACSTR " since TX status for AssocResp is not yet known",
6859 				   MAC2STR(sta->addr));
6860 			sta->pending_wds_enable = 1;
6861 			return;
6862 		}
6863 
6864 		if (wds && !(sta->flags & WLAN_STA_WDS)) {
6865 			int ret;
6866 			char ifname_wds[IFNAMSIZ + 1];
6867 
6868 			wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6869 				   "STA " MACSTR " (aid %u)",
6870 				   MAC2STR(sta->addr), sta->aid);
6871 			sta->flags |= WLAN_STA_WDS;
6872 			ret = hostapd_set_wds_sta(hapd, ifname_wds,
6873 						  sta->addr, sta->aid, 1);
6874 			if (!ret)
6875 				hostapd_set_wds_encryption(hapd, sta,
6876 							   ifname_wds);
6877 		}
6878 		return;
6879 	}
6880 
6881 	wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6882 		   MACSTR, MAC2STR(src));
6883 	if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6884 	    os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6885 		/* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6886 		 * silently. */
6887 		return;
6888 	}
6889 
6890 	if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6891 		wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6892 			   "already been sent, but no TX status yet known - "
6893 			   "ignore Class 3 frame issue with " MACSTR,
6894 			   MAC2STR(src));
6895 		return;
6896 	}
6897 
6898 	if (sta && (sta->flags & WLAN_STA_AUTH))
6899 		hostapd_drv_sta_disassoc(
6900 			hapd, src,
6901 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6902 	else
6903 		hostapd_drv_sta_deauth(
6904 			hapd, src,
6905 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6906 }
6907 
6908 
6909 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6910 {
6911 	struct hostapd_iface *iface = hapd->iface;
6912 	struct hostapd_config *iconf = iface->conf;
6913 	struct hostapd_hw_modes *mode = iface->current_mode;
6914 	struct hostapd_channel_data *chan;
6915 	int dfs, i;
6916 	u8 channel, tx_pwr_count, local_pwr_constraint;
6917 	int max_tx_power;
6918 	u8 tx_pwr;
6919 
6920 	if (!mode)
6921 		return eid;
6922 
6923 	if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6924 		return eid;
6925 
6926 	for (i = 0; i < mode->num_channels; i++) {
6927 		if (mode->channels[i].freq == iface->freq)
6928 			break;
6929 	}
6930 	if (i == mode->num_channels)
6931 		return eid;
6932 
6933 	switch (hostapd_get_oper_chwidth(iconf)) {
6934 	case CHANWIDTH_USE_HT:
6935 		if (iconf->secondary_channel == 0) {
6936 			/* Max Transmit Power count = 0 (20 MHz) */
6937 			tx_pwr_count = 0;
6938 		} else {
6939 			/* Max Transmit Power count = 1 (20, 40 MHz) */
6940 			tx_pwr_count = 1;
6941 		}
6942 		break;
6943 	case CHANWIDTH_80MHZ:
6944 		/* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6945 		tx_pwr_count = 2;
6946 		break;
6947 	case CHANWIDTH_80P80MHZ:
6948 	case CHANWIDTH_160MHZ:
6949 		/* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6950 		tx_pwr_count = 3;
6951 		break;
6952 	default:
6953 		return eid;
6954 	}
6955 
6956 	/*
6957 	 * Below local_pwr_constraint logic is referred from
6958 	 * hostapd_eid_pwr_constraint.
6959 	 *
6960 	 * Check if DFS is required by regulatory.
6961 	 */
6962 	dfs = hostapd_is_dfs_required(hapd->iface);
6963 	if (dfs < 0)
6964 		dfs = 0;
6965 
6966 	/*
6967 	 * In order to meet regulations when TPC is not implemented using
6968 	 * a transmit power that is below the legal maximum (including any
6969 	 * mitigation factor) should help. In this case, indicate 3 dB below
6970 	 * maximum allowed transmit power.
6971 	 */
6972 	if (hapd->iconf->local_pwr_constraint == -1)
6973 		local_pwr_constraint = (dfs == 0) ? 0 : 3;
6974 	else
6975 		local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6976 
6977 	/*
6978 	 * A STA that is not an AP shall use a transmit power less than or
6979 	 * equal to the local maximum transmit power level for the channel.
6980 	 * The local maximum transmit power can be calculated from the formula:
6981 	 * local max TX pwr = max TX pwr - local pwr constraint
6982 	 * Where max TX pwr is maximum transmit power level specified for
6983 	 * channel in Country element and local pwr constraint is specified
6984 	 * for channel in this Power Constraint element.
6985 	 */
6986 	chan = &mode->channels[i];
6987 	max_tx_power = chan->max_tx_power - local_pwr_constraint;
6988 
6989 	/*
6990 	 * Local Maximum Transmit power is encoded as two's complement
6991 	 * with a 0.5 dB step.
6992 	 */
6993 	max_tx_power *= 2; /* in 0.5 dB steps */
6994 	if (max_tx_power > 127) {
6995 		/* 63.5 has special meaning of 63.5 dBm or higher */
6996 		max_tx_power = 127;
6997 	}
6998 	if (max_tx_power < -128)
6999 		max_tx_power = -128;
7000 	if (max_tx_power < 0)
7001 		tx_pwr = 0x80 + max_tx_power + 128;
7002 	else
7003 		tx_pwr = max_tx_power;
7004 
7005 	*eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
7006 	*eid++ = 2 + tx_pwr_count;
7007 
7008 	/*
7009 	 * Max Transmit Power count and
7010 	 * Max Transmit Power units = 0 (EIRP)
7011 	 */
7012 	*eid++ = tx_pwr_count;
7013 
7014 	for (i = 0; i <= tx_pwr_count; i++)
7015 		*eid++ = tx_pwr;
7016 
7017 	return eid;
7018 }
7019 
7020 
7021 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7022 {
7023 	u8 bw, chan1, chan2 = 0;
7024 	int freq1;
7025 
7026 	if (!hapd->cs_freq_params.channel ||
7027 	    (!hapd->cs_freq_params.vht_enabled &&
7028 	     !hapd->cs_freq_params.he_enabled))
7029 		return eid;
7030 
7031 	/* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
7032 	switch (hapd->cs_freq_params.bandwidth) {
7033 	case 40:
7034 		bw = 0;
7035 		break;
7036 	case 80:
7037 		/* check if it's 80+80 */
7038 		if (!hapd->cs_freq_params.center_freq2)
7039 			bw = 1;
7040 		else
7041 			bw = 3;
7042 		break;
7043 	case 160:
7044 		bw = 2;
7045 		break;
7046 	default:
7047 		/* not valid VHT bandwidth or not in CSA */
7048 		return eid;
7049 	}
7050 
7051 	freq1 = hapd->cs_freq_params.center_freq1 ?
7052 		hapd->cs_freq_params.center_freq1 :
7053 		hapd->cs_freq_params.freq;
7054 	if (ieee80211_freq_to_chan(freq1, &chan1) !=
7055 	    HOSTAPD_MODE_IEEE80211A)
7056 		return eid;
7057 
7058 	if (hapd->cs_freq_params.center_freq2 &&
7059 	    ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7060 				   &chan2) != HOSTAPD_MODE_IEEE80211A)
7061 		return eid;
7062 
7063 	*eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
7064 	*eid++ = 5; /* Length of Channel Switch Wrapper */
7065 	*eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
7066 	*eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7067 	*eid++ = bw; /* New Channel Width */
7068 	*eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7069 	*eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7070 
7071 	return eid;
7072 }
7073 
7074 
7075 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7076 				    size_t *current_len)
7077 {
7078 	struct hostapd_neighbor_entry *nr;
7079 	size_t total_len = 0, len = *current_len;
7080 
7081 	dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7082 			 list) {
7083 		if (!nr->nr || wpabuf_len(nr->nr) < 12)
7084 			continue;
7085 
7086 		if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7087 			continue;
7088 
7089 		/* Start a new element */
7090 		if (!len ||
7091 		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7092 			len = RNR_HEADER_LEN;
7093 			total_len += RNR_HEADER_LEN;
7094 		}
7095 
7096 		len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7097 		total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7098 	}
7099 
7100 	*current_len = len;
7101 	return total_len;
7102 }
7103 
7104 
7105 static size_t hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7106 					struct hostapd_data *reporting_hapd,
7107 					size_t *current_len)
7108 {
7109 	size_t total_len = 0, len = *current_len;
7110 	int tbtt_count = 0;
7111 	size_t i, start = 0;
7112 
7113 	while (start < hapd->iface->num_bss) {
7114 		if (!len ||
7115 		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7116 			len = RNR_HEADER_LEN;
7117 			total_len += RNR_HEADER_LEN;
7118 		}
7119 
7120 		len += RNR_TBTT_HEADER_LEN;
7121 		total_len += RNR_TBTT_HEADER_LEN;
7122 
7123 		for (i = start; i < hapd->iface->num_bss; i++) {
7124 			struct hostapd_data *bss = hapd->iface->bss[i];
7125 
7126 			if (!bss || !bss->conf || !bss->started)
7127 				continue;
7128 
7129 			if (bss == reporting_hapd ||
7130 			    bss->conf->ignore_broadcast_ssid)
7131 				continue;
7132 
7133 			if (len + RNR_TBTT_INFO_LEN > 255 ||
7134 			    tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7135 				break;
7136 
7137 			len += RNR_TBTT_INFO_LEN;
7138 			total_len += RNR_TBTT_INFO_LEN;
7139 			tbtt_count++;
7140 		}
7141 		start = i;
7142 	}
7143 
7144 	if (!tbtt_count)
7145 		total_len = 0;
7146 	else
7147 		*current_len = len;
7148 
7149 	return total_len;
7150 }
7151 
7152 
7153 enum colocation_mode {
7154 	NO_COLOCATED_6GHZ,
7155 	STANDALONE_6GHZ,
7156 	COLOCATED_6GHZ,
7157 	COLOCATED_LOWER_BAND,
7158 };
7159 
7160 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7161 {
7162 	u8 i;
7163 	bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7164 
7165 	if (!hapd->iface || !hapd->iface->interfaces)
7166 		return NO_COLOCATED_6GHZ;
7167 
7168 	if (is_6ghz && hapd->iface->interfaces->count == 1)
7169 		return STANDALONE_6GHZ;
7170 
7171 	for (i = 0; i < hapd->iface->interfaces->count; i++) {
7172 		struct hostapd_iface *iface;
7173 		bool is_colocated_6ghz;
7174 
7175 		iface = hapd->iface->interfaces->iface[i];
7176 		if (iface == hapd->iface || !iface || !iface->conf)
7177 			continue;
7178 
7179 		is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7180 		if (!is_6ghz && is_colocated_6ghz)
7181 			return COLOCATED_LOWER_BAND;
7182 		if (is_6ghz && !is_colocated_6ghz)
7183 			return COLOCATED_6GHZ;
7184 	}
7185 
7186 	if (is_6ghz)
7187 		return STANDALONE_6GHZ;
7188 
7189 	return NO_COLOCATED_6GHZ;
7190 }
7191 
7192 
7193 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7194 					     size_t *current_len)
7195 {
7196 	struct hostapd_iface *iface;
7197 	size_t len = 0;
7198 	size_t i;
7199 
7200 	if (!hapd->iface || !hapd->iface->interfaces)
7201 		return 0;
7202 
7203 	for (i = 0; i < hapd->iface->interfaces->count; i++) {
7204 		iface = hapd->iface->interfaces->iface[i];
7205 
7206 		if (iface == hapd->iface ||
7207 		    !is_6ghz_op_class(iface->conf->op_class))
7208 			continue;
7209 
7210 		len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7211 						 current_len);
7212 	}
7213 
7214 	return len;
7215 }
7216 
7217 
7218 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)
7219 {
7220 	size_t total_len = 0, current_len = 0;
7221 	enum colocation_mode mode = get_colocation_mode(hapd);
7222 
7223 	switch (type) {
7224 	case WLAN_FC_STYPE_BEACON:
7225 		if (hapd->conf->rnr)
7226 			total_len += hostapd_eid_nr_db_len(hapd, &current_len);
7227 		/* fallthrough */
7228 
7229 	case WLAN_FC_STYPE_PROBE_RESP:
7230 		if (mode == COLOCATED_LOWER_BAND)
7231 			total_len += hostapd_eid_rnr_colocation_len(
7232 				hapd, &current_len);
7233 
7234 		if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7235 			total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7236 							       &current_len);
7237 		break;
7238 
7239 	case WLAN_FC_STYPE_ACTION:
7240 		if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7241 			total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7242 							       &current_len);
7243 		break;
7244 
7245 	default:
7246 		break;
7247 	}
7248 
7249 	return total_len;
7250 }
7251 
7252 
7253 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7254 			      size_t *current_len)
7255 {
7256 	struct hostapd_neighbor_entry *nr;
7257 	size_t len = *current_len;
7258 	u8 *size_offset = (eid - len) + 1;
7259 
7260 	dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7261 			 list) {
7262 		if (!nr->nr || wpabuf_len(nr->nr) < 12)
7263 			continue;
7264 
7265 		if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7266 			continue;
7267 
7268 		/* Start a new element */
7269 		if (!len ||
7270 		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7271 			*eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7272 			size_offset = eid++;
7273 			len = RNR_HEADER_LEN;
7274 		}
7275 
7276 		/* TBTT Information Header subfield (2 octets) */
7277 		*eid++ = 0;
7278 		/* TBTT Information Length */
7279 		*eid++ = RNR_TBTT_INFO_LEN;
7280 		/* Operating Class */
7281 		*eid++ = wpabuf_head_u8(nr->nr)[10];
7282 		/* Channel Number */
7283 		*eid++ = wpabuf_head_u8(nr->nr)[11];
7284 		len += RNR_TBTT_HEADER_LEN;
7285 		/* TBTT Information Set */
7286 		/* TBTT Information field */
7287 		/* Neighbor AP TBTT Offset */
7288 		*eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7289 		/* BSSID */
7290 		os_memcpy(eid, nr->bssid, ETH_ALEN);
7291 		eid += ETH_ALEN;
7292 		/* Short SSID */
7293 		os_memcpy(eid, &nr->short_ssid, 4);
7294 		eid += 4;
7295 		/* BSS parameters */
7296 		*eid++ = nr->bss_parameters;
7297 		/* 20 MHz PSD */
7298 		*eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7299 		len += RNR_TBTT_INFO_LEN;
7300 		*size_offset = (eid - size_offset) - 1;
7301 	}
7302 
7303 	*current_len = len;
7304 	return eid;
7305 }
7306 
7307 
7308 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7309 				  struct hostapd_data *reporting_hapd,
7310 				  u8 *eid, size_t *current_len)
7311 {
7312 	struct hostapd_data *bss;
7313 	struct hostapd_iface *iface = hapd->iface;
7314 	size_t i, start = 0;
7315 	size_t len = *current_len;
7316 	u8 *tbtt_count_pos, *eid_start = eid, *size_offset = (eid - len) + 1;
7317 	u8 tbtt_count = 0, op_class, channel, bss_param;
7318 
7319 	if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7320 		return eid;
7321 
7322 	if (ieee80211_freq_to_channel_ext(iface->freq,
7323 					  hapd->iconf->secondary_channel,
7324 					  hostapd_get_oper_chwidth(hapd->iconf),
7325 					  &op_class, &channel) ==
7326 	    NUM_HOSTAPD_MODES)
7327 		return eid;
7328 
7329 	while (start < iface->num_bss) {
7330 		if (!len ||
7331 		    len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7332 			eid_start = eid;
7333 			*eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7334 			size_offset = eid++;
7335 			len = RNR_HEADER_LEN;
7336 			tbtt_count = 0;
7337 		}
7338 
7339 		tbtt_count_pos = eid++;
7340 		*eid++ = RNR_TBTT_INFO_LEN;
7341 		*eid++ = op_class;
7342 		*eid++ = hapd->iconf->channel;
7343 		len += RNR_TBTT_HEADER_LEN;
7344 
7345 		for (i = start; i < iface->num_bss; i++) {
7346 			bss_param = 0;
7347 			bss = iface->bss[i];
7348 			if (!bss || !bss->conf || !bss->started)
7349 				continue;
7350 
7351 			if (bss == reporting_hapd ||
7352 			    bss->conf->ignore_broadcast_ssid)
7353 				continue;
7354 
7355 			if (len + RNR_TBTT_INFO_LEN > 255 ||
7356 			    tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7357 				break;
7358 
7359 			*eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7360 			os_memcpy(eid, bss->conf->bssid, ETH_ALEN);
7361 			eid += ETH_ALEN;
7362 			os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7363 			eid += 4;
7364 			if (bss->conf->ssid.short_ssid ==
7365 			    reporting_hapd->conf->ssid.short_ssid)
7366 				bss_param |= RNR_BSS_PARAM_SAME_SSID;
7367 
7368 			if (is_6ghz_op_class(hapd->iconf->op_class) &&
7369 			    bss->conf->unsol_bcast_probe_resp_interval)
7370 				bss_param |=
7371 					RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7372 
7373 			bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7374 
7375 			*eid++ = bss_param;
7376 			*eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7377 			len += RNR_TBTT_INFO_LEN;
7378 			tbtt_count += 1;
7379 		}
7380 
7381 		start = i;
7382 		*tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7383 		*size_offset = (eid - size_offset) - 1;
7384 	}
7385 
7386 	if (tbtt_count == 0)
7387 		return eid_start;
7388 
7389 	*current_len = len;
7390 	return eid;
7391 }
7392 
7393 
7394 static u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7395 				       size_t *current_len)
7396 {
7397 	struct hostapd_iface *iface;
7398 	size_t i;
7399 
7400 	if (!hapd->iface || !hapd->iface->interfaces)
7401 		return eid;
7402 
7403 	for (i = 0; i < hapd->iface->interfaces->count; i++) {
7404 		iface = hapd->iface->interfaces->iface[i];
7405 
7406 		if (iface == hapd->iface ||
7407 		    !is_6ghz_op_class(iface->conf->op_class))
7408 			continue;
7409 
7410 		eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7411 					    current_len);
7412 	}
7413 
7414 	return eid;
7415 }
7416 
7417 
7418 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)
7419 {
7420 	u8 *eid_start = eid;
7421 	size_t current_len = 0;
7422 	enum colocation_mode mode = get_colocation_mode(hapd);
7423 
7424 	switch (type) {
7425 	case WLAN_FC_STYPE_BEACON:
7426 		if (hapd->conf->rnr)
7427 			eid = hostapd_eid_nr_db(hapd, eid, &current_len);
7428 		/* fallthrough */
7429 
7430 	case WLAN_FC_STYPE_PROBE_RESP:
7431 		if (mode == COLOCATED_LOWER_BAND)
7432 			eid = hostapd_eid_rnr_colocation(hapd, eid,
7433 							 &current_len);
7434 
7435 		if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7436 			eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7437 						    &current_len);
7438 		break;
7439 
7440 	case WLAN_FC_STYPE_ACTION:
7441 		if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7442 			eid = hostapd_eid_rnr_iface(hapd, hapd,	eid,
7443 						    &current_len);
7444 		break;
7445 
7446 	default:
7447 		return eid_start;
7448 	}
7449 
7450 	if (eid == eid_start + 2)
7451 		return eid_start;
7452 
7453 	return eid;
7454 }
7455 
7456 #endif /* CONFIG_NATIVE_WINDOWS */
7457