1 /* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #ifndef CONFIG_NATIVE_WINDOWS 12 13 #include "utils/common.h" 14 #include "utils/eloop.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/sha384.h" 18 #include "crypto/sha512.h" 19 #include "crypto/random.h" 20 #include "common/ieee802_11_defs.h" 21 #include "common/ieee802_11_common.h" 22 #include "common/wpa_ctrl.h" 23 #include "common/sae.h" 24 #include "common/dpp.h" 25 #include "common/ocv.h" 26 #include "common/wpa_common.h" 27 #include "radius/radius.h" 28 #include "radius/radius_client.h" 29 #include "p2p/p2p.h" 30 #include "wps/wps.h" 31 #include "fst/fst.h" 32 #include "hostapd.h" 33 #include "beacon.h" 34 #include "ieee802_11_auth.h" 35 #include "sta_info.h" 36 #include "ieee802_1x.h" 37 #include "wpa_auth.h" 38 #include "pmksa_cache_auth.h" 39 #include "wmm.h" 40 #include "ap_list.h" 41 #include "accounting.h" 42 #include "ap_config.h" 43 #include "ap_mlme.h" 44 #include "p2p_hostapd.h" 45 #include "ap_drv_ops.h" 46 #include "wnm_ap.h" 47 #include "hw_features.h" 48 #include "ieee802_11.h" 49 #include "dfs.h" 50 #include "mbo_ap.h" 51 #include "rrm.h" 52 #include "taxonomy.h" 53 #include "fils_hlp.h" 54 #include "dpp_hostapd.h" 55 #include "gas_query_ap.h" 56 57 58 #ifdef CONFIG_FILS 59 static struct wpabuf * 60 prepare_auth_resp_fils(struct hostapd_data *hapd, 61 struct sta_info *sta, u16 *resp, 62 struct rsn_pmksa_cache_entry *pmksa, 63 struct wpabuf *erp_resp, 64 const u8 *msk, size_t msk_len, 65 int *is_pub); 66 #endif /* CONFIG_FILS */ 67 static void handle_auth(struct hostapd_data *hapd, 68 const struct ieee80211_mgmt *mgmt, size_t len, 69 int rssi, int from_queue); 70 71 72 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid) 73 { 74 u8 multi_ap_val = 0; 75 76 if (!hapd->conf->multi_ap) 77 return eid; 78 if (hapd->conf->multi_ap & BACKHAUL_BSS) 79 multi_ap_val |= MULTI_AP_BACKHAUL_BSS; 80 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 81 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS; 82 83 return eid + add_multi_ap_ie(eid, 9, multi_ap_val); 84 } 85 86 87 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 88 { 89 u8 *pos = eid; 90 int i, num, count; 91 92 if (hapd->iface->current_rates == NULL) 93 return eid; 94 95 *pos++ = WLAN_EID_SUPP_RATES; 96 num = hapd->iface->num_rates; 97 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 98 num++; 99 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 100 num++; 101 if (num > 8) { 102 /* rest of the rates are encoded in Extended supported 103 * rates element */ 104 num = 8; 105 } 106 107 *pos++ = num; 108 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 109 i++) { 110 count++; 111 *pos = hapd->iface->current_rates[i].rate / 5; 112 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 113 *pos |= 0x80; 114 pos++; 115 } 116 117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 118 count++; 119 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 120 } 121 122 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 123 count++; 124 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 125 } 126 127 return pos; 128 } 129 130 131 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 132 { 133 u8 *pos = eid; 134 int i, num, count; 135 136 if (hapd->iface->current_rates == NULL) 137 return eid; 138 139 num = hapd->iface->num_rates; 140 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 141 num++; 142 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 143 num++; 144 if (num <= 8) 145 return eid; 146 num -= 8; 147 148 *pos++ = WLAN_EID_EXT_SUPP_RATES; 149 *pos++ = num; 150 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 151 i++) { 152 count++; 153 if (count <= 8) 154 continue; /* already in SuppRates IE */ 155 *pos = hapd->iface->current_rates[i].rate / 5; 156 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 157 *pos |= 0x80; 158 pos++; 159 } 160 161 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 162 count++; 163 if (count > 8) 164 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 165 } 166 167 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 168 count++; 169 if (count > 8) 170 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 171 } 172 173 return pos; 174 } 175 176 177 u16 hostapd_own_capab_info(struct hostapd_data *hapd) 178 { 179 int capab = WLAN_CAPABILITY_ESS; 180 int privacy; 181 int dfs; 182 int i; 183 184 /* Check if any of configured channels require DFS */ 185 dfs = hostapd_is_dfs_required(hapd->iface); 186 if (dfs < 0) { 187 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 188 dfs); 189 dfs = 0; 190 } 191 192 if (hapd->iface->num_sta_no_short_preamble == 0 && 193 hapd->iconf->preamble == SHORT_PREAMBLE) 194 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 195 196 privacy = hapd->conf->ssid.wep.keys_set; 197 198 if (hapd->conf->ieee802_1x && 199 (hapd->conf->default_wep_key_len || 200 hapd->conf->individual_wep_key_len)) 201 privacy = 1; 202 203 if (hapd->conf->wpa) 204 privacy = 1; 205 206 #ifdef CONFIG_HS20 207 if (hapd->conf->osen) 208 privacy = 1; 209 #endif /* CONFIG_HS20 */ 210 211 if (privacy) 212 capab |= WLAN_CAPABILITY_PRIVACY; 213 214 if (hapd->iface->current_mode && 215 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 216 hapd->iface->num_sta_no_short_slot_time == 0) 217 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 218 219 /* 220 * Currently, Spectrum Management capability bit is set when directly 221 * requested in configuration by spectrum_mgmt_required or when AP is 222 * running on DFS channel. 223 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 224 */ 225 if (hapd->iface->current_mode && 226 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 227 (hapd->iconf->spectrum_mgmt_required || dfs)) 228 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 229 230 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 231 if (hapd->conf->radio_measurements[i]) { 232 capab |= IEEE80211_CAP_RRM; 233 break; 234 } 235 } 236 237 return capab; 238 } 239 240 241 #ifndef CONFIG_NO_RC4 242 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 243 u16 auth_transaction, const u8 *challenge, 244 int iswep) 245 { 246 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 247 HOSTAPD_LEVEL_DEBUG, 248 "authentication (shared key, transaction %d)", 249 auth_transaction); 250 251 if (auth_transaction == 1) { 252 if (!sta->challenge) { 253 /* Generate a pseudo-random challenge */ 254 u8 key[8]; 255 256 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 257 if (sta->challenge == NULL) 258 return WLAN_STATUS_UNSPECIFIED_FAILURE; 259 260 if (os_get_random(key, sizeof(key)) < 0) { 261 os_free(sta->challenge); 262 sta->challenge = NULL; 263 return WLAN_STATUS_UNSPECIFIED_FAILURE; 264 } 265 266 rc4_skip(key, sizeof(key), 0, 267 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 268 } 269 return 0; 270 } 271 272 if (auth_transaction != 3) 273 return WLAN_STATUS_UNSPECIFIED_FAILURE; 274 275 /* Transaction 3 */ 276 if (!iswep || !sta->challenge || !challenge || 277 os_memcmp_const(sta->challenge, challenge, 278 WLAN_AUTH_CHALLENGE_LEN)) { 279 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 280 HOSTAPD_LEVEL_INFO, 281 "shared key authentication - invalid " 282 "challenge-response"); 283 return WLAN_STATUS_CHALLENGE_FAIL; 284 } 285 286 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 287 HOSTAPD_LEVEL_DEBUG, 288 "authentication OK (shared key)"); 289 sta->flags |= WLAN_STA_AUTH; 290 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 291 os_free(sta->challenge); 292 sta->challenge = NULL; 293 294 return 0; 295 } 296 #endif /* CONFIG_NO_RC4 */ 297 298 299 static int send_auth_reply(struct hostapd_data *hapd, 300 const u8 *dst, const u8 *bssid, 301 u16 auth_alg, u16 auth_transaction, u16 resp, 302 const u8 *ies, size_t ies_len, const char *dbg) 303 { 304 struct ieee80211_mgmt *reply; 305 u8 *buf; 306 size_t rlen; 307 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 308 309 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 310 buf = os_zalloc(rlen); 311 if (buf == NULL) 312 return -1; 313 314 reply = (struct ieee80211_mgmt *) buf; 315 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 316 WLAN_FC_STYPE_AUTH); 317 os_memcpy(reply->da, dst, ETH_ALEN); 318 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 319 os_memcpy(reply->bssid, bssid, ETH_ALEN); 320 321 reply->u.auth.auth_alg = host_to_le16(auth_alg); 322 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 323 reply->u.auth.status_code = host_to_le16(resp); 324 325 if (ies && ies_len) 326 os_memcpy(reply->u.auth.variable, ies, ies_len); 327 328 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 329 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)", 330 MAC2STR(dst), auth_alg, auth_transaction, 331 resp, (unsigned long) ies_len, dbg); 332 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) 333 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 334 else 335 reply_res = WLAN_STATUS_SUCCESS; 336 337 os_free(buf); 338 339 return reply_res; 340 } 341 342 343 #ifdef CONFIG_IEEE80211R_AP 344 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, 345 u16 auth_transaction, u16 status, 346 const u8 *ies, size_t ies_len) 347 { 348 struct hostapd_data *hapd = ctx; 349 struct sta_info *sta; 350 int reply_res; 351 352 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, 353 auth_transaction, status, ies, ies_len, 354 "auth-ft-finish"); 355 356 sta = ap_get_sta(hapd, dst); 357 if (sta == NULL) 358 return; 359 360 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS || 361 status != WLAN_STATUS_SUCCESS)) { 362 hostapd_drv_sta_remove(hapd, sta->addr); 363 sta->added_unassoc = 0; 364 return; 365 } 366 367 if (status != WLAN_STATUS_SUCCESS) 368 return; 369 370 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 371 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 372 sta->flags |= WLAN_STA_AUTH; 373 mlme_authenticate_indication(hapd, sta); 374 } 375 #endif /* CONFIG_IEEE80211R_AP */ 376 377 378 #ifdef CONFIG_SAE 379 380 static void sae_set_state(struct sta_info *sta, enum sae_state state, 381 const char *reason) 382 { 383 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)", 384 sae_state_txt(sta->sae->state), sae_state_txt(state), 385 MAC2STR(sta->addr), reason); 386 sta->sae->state = state; 387 } 388 389 390 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 391 struct sta_info *sta, int update) 392 { 393 struct wpabuf *buf; 394 const char *password = NULL; 395 struct sae_password_entry *pw; 396 const char *rx_id = NULL; 397 398 if (sta->sae->tmp) 399 rx_id = sta->sae->tmp->pw_id; 400 401 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) { 402 if (!is_broadcast_ether_addr(pw->peer_addr) && 403 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0) 404 continue; 405 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier)) 406 continue; 407 if (rx_id && pw->identifier && 408 os_strcmp(rx_id, pw->identifier) != 0) 409 continue; 410 password = pw->password; 411 break; 412 } 413 if (!password) 414 password = hapd->conf->ssid.wpa_passphrase; 415 if (!password) { 416 wpa_printf(MSG_DEBUG, "SAE: No password available"); 417 return NULL; 418 } 419 420 if (update && 421 sae_prepare_commit(hapd->own_addr, sta->addr, 422 (u8 *) password, os_strlen(password), rx_id, 423 sta->sae) < 0) { 424 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 425 return NULL; 426 } 427 428 if (pw && pw->vlan_id) { 429 if (!sta->sae->tmp) { 430 wpa_printf(MSG_INFO, 431 "SAE: No temporary data allocated - cannot store VLAN ID"); 432 return NULL; 433 } 434 sta->sae->tmp->vlan_id = pw->vlan_id; 435 } 436 437 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN + 438 (rx_id ? 3 + os_strlen(rx_id) : 0)); 439 if (buf == NULL) 440 return NULL; 441 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 442 sta->sae->tmp->anti_clogging_token : NULL, rx_id); 443 444 return buf; 445 } 446 447 448 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 449 struct sta_info *sta) 450 { 451 struct wpabuf *buf; 452 453 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 454 if (buf == NULL) 455 return NULL; 456 457 sae_write_confirm(sta->sae, buf); 458 459 return buf; 460 } 461 462 463 static int auth_sae_send_commit(struct hostapd_data *hapd, 464 struct sta_info *sta, 465 const u8 *bssid, int update) 466 { 467 struct wpabuf *data; 468 int reply_res; 469 470 data = auth_build_sae_commit(hapd, sta, update); 471 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id) 472 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; 473 if (data == NULL) 474 return WLAN_STATUS_UNSPECIFIED_FAILURE; 475 476 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, 477 WLAN_STATUS_SUCCESS, wpabuf_head(data), 478 wpabuf_len(data), "sae-send-commit"); 479 480 wpabuf_free(data); 481 482 return reply_res; 483 } 484 485 486 static int auth_sae_send_confirm(struct hostapd_data *hapd, 487 struct sta_info *sta, 488 const u8 *bssid) 489 { 490 struct wpabuf *data; 491 int reply_res; 492 493 data = auth_build_sae_confirm(hapd, sta); 494 if (data == NULL) 495 return WLAN_STATUS_UNSPECIFIED_FAILURE; 496 497 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, 498 WLAN_STATUS_SUCCESS, wpabuf_head(data), 499 wpabuf_len(data), "sae-send-confirm"); 500 501 wpabuf_free(data); 502 503 return reply_res; 504 } 505 506 507 static int use_sae_anti_clogging(struct hostapd_data *hapd) 508 { 509 struct sta_info *sta; 510 unsigned int open = 0; 511 512 if (hapd->conf->sae_anti_clogging_threshold == 0) 513 return 1; 514 515 for (sta = hapd->sta_list; sta; sta = sta->next) { 516 if (!sta->sae) 517 continue; 518 if (sta->sae->state != SAE_COMMITTED && 519 sta->sae->state != SAE_CONFIRMED) 520 continue; 521 open++; 522 if (open >= hapd->conf->sae_anti_clogging_threshold) 523 return 1; 524 } 525 526 /* In addition to already existing open SAE sessions, check whether 527 * there are enough pending commit messages in the processing queue to 528 * potentially result in too many open sessions. */ 529 if (open + dl_list_len(&hapd->sae_commit_queue) >= 530 hapd->conf->sae_anti_clogging_threshold) 531 return 1; 532 533 return 0; 534 } 535 536 537 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr) 538 { 539 u8 hash[SHA256_MAC_LEN]; 540 541 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 542 addr, ETH_ALEN, hash); 543 return hash[0]; 544 } 545 546 547 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, 548 const u8 *token, size_t token_len) 549 { 550 u8 mac[SHA256_MAC_LEN]; 551 const u8 *addrs[2]; 552 size_t len[2]; 553 u16 token_idx; 554 u8 idx; 555 556 if (token_len != SHA256_MAC_LEN) 557 return -1; 558 idx = sae_token_hash(hapd, addr); 559 token_idx = hapd->sae_pending_token_idx[idx]; 560 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) { 561 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from " 562 MACSTR " - token_idx 0x%04x, expected 0x%04x", 563 MAC2STR(addr), WPA_GET_BE16(token), token_idx); 564 return -1; 565 } 566 567 addrs[0] = addr; 568 len[0] = ETH_ALEN; 569 addrs[1] = token; 570 len[1] = 2; 571 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), 572 2, addrs, len, mac) < 0 || 573 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0) 574 return -1; 575 576 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */ 577 578 return 0; 579 } 580 581 582 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, 583 int group, const u8 *addr) 584 { 585 struct wpabuf *buf; 586 u8 *token; 587 struct os_reltime now; 588 u8 idx[2]; 589 const u8 *addrs[2]; 590 size_t len[2]; 591 u8 p_idx; 592 u16 token_idx; 593 594 os_get_reltime(&now); 595 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || 596 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) || 597 hapd->sae_token_idx == 0xffff) { 598 if (random_get_bytes(hapd->sae_token_key, 599 sizeof(hapd->sae_token_key)) < 0) 600 return NULL; 601 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", 602 hapd->sae_token_key, sizeof(hapd->sae_token_key)); 603 hapd->last_sae_token_key_update = now; 604 hapd->sae_token_idx = 0; 605 os_memset(hapd->sae_pending_token_idx, 0, 606 sizeof(hapd->sae_pending_token_idx)); 607 } 608 609 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 610 if (buf == NULL) 611 return NULL; 612 613 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ 614 615 p_idx = sae_token_hash(hapd, addr); 616 token_idx = hapd->sae_pending_token_idx[p_idx]; 617 if (!token_idx) { 618 hapd->sae_token_idx++; 619 token_idx = hapd->sae_token_idx; 620 hapd->sae_pending_token_idx[p_idx] = token_idx; 621 } 622 WPA_PUT_BE16(idx, token_idx); 623 token = wpabuf_put(buf, SHA256_MAC_LEN); 624 addrs[0] = addr; 625 len[0] = ETH_ALEN; 626 addrs[1] = idx; 627 len[1] = sizeof(idx); 628 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), 629 2, addrs, len, token) < 0) { 630 wpabuf_free(buf); 631 return NULL; 632 } 633 WPA_PUT_BE16(token, token_idx); 634 635 return buf; 636 } 637 638 639 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta) 640 { 641 if (sta->sae->sync > hapd->conf->sae_sync) { 642 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync"); 643 sta->sae->sync = 0; 644 return -1; 645 } 646 return 0; 647 } 648 649 650 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 651 { 652 struct hostapd_data *hapd = eloop_ctx; 653 struct sta_info *sta = eloop_data; 654 int ret; 655 656 if (sae_check_big_sync(hapd, sta)) 657 return; 658 sta->sae->sync++; 659 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR 660 " (sync=%d state=%s)", 661 MAC2STR(sta->addr), sta->sae->sync, 662 sae_state_txt(sta->sae->state)); 663 664 switch (sta->sae->state) { 665 case SAE_COMMITTED: 666 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 667 eloop_register_timeout(0, 668 hapd->dot11RSNASAERetransPeriod * 1000, 669 auth_sae_retransmit_timer, hapd, sta); 670 break; 671 case SAE_CONFIRMED: 672 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr); 673 eloop_register_timeout(0, 674 hapd->dot11RSNASAERetransPeriod * 1000, 675 auth_sae_retransmit_timer, hapd, sta); 676 break; 677 default: 678 ret = -1; 679 break; 680 } 681 682 if (ret != WLAN_STATUS_SUCCESS) 683 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 684 } 685 686 687 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 688 { 689 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 690 } 691 692 693 static void sae_set_retransmit_timer(struct hostapd_data *hapd, 694 struct sta_info *sta) 695 { 696 if (!(hapd->conf->mesh & MESH_ENABLED)) 697 return; 698 699 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 700 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000, 701 auth_sae_retransmit_timer, hapd, sta); 702 } 703 704 705 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd, 706 struct sta_info *sta, u16 status) 707 { 708 struct external_auth params; 709 710 os_memset(¶ms, 0, sizeof(params)); 711 params.status = status; 712 params.bssid = sta->addr; 713 if (status == WLAN_STATUS_SUCCESS && sta->sae && 714 !hapd->conf->disable_pmksa_caching) 715 params.pmkid = sta->sae->pmkid; 716 717 hostapd_drv_send_external_auth_status(hapd, ¶ms); 718 } 719 720 721 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) 722 { 723 #ifndef CONFIG_NO_VLAN 724 struct vlan_description vlan_desc; 725 726 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) { 727 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR 728 " to VLAN ID %d", 729 MAC2STR(sta->addr), sta->sae->tmp->vlan_id); 730 731 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 732 vlan_desc.notempty = 1; 733 vlan_desc.untagged = sta->sae->tmp->vlan_id; 734 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 735 wpa_printf(MSG_INFO, 736 "Invalid VLAN ID %d in sae_password", 737 sta->sae->tmp->vlan_id); 738 return; 739 } 740 741 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 || 742 ap_sta_bind_vlan(hapd, sta) < 0) { 743 wpa_printf(MSG_INFO, 744 "Failed to assign VLAN ID %d from sae_password to " 745 MACSTR, sta->sae->tmp->vlan_id, 746 MAC2STR(sta->addr)); 747 return; 748 } 749 } 750 #endif /* CONFIG_NO_VLAN */ 751 752 sta->flags |= WLAN_STA_AUTH; 753 sta->auth_alg = WLAN_AUTH_SAE; 754 mlme_authenticate_indication(hapd, sta); 755 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 756 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm"); 757 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 758 sta->sae->pmk, sta->sae->pmkid); 759 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS); 760 } 761 762 763 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 764 const u8 *bssid, u8 auth_transaction, int allow_reuse, 765 int *sta_removed) 766 { 767 int ret; 768 769 *sta_removed = 0; 770 771 if (auth_transaction != 1 && auth_transaction != 2) 772 return WLAN_STATUS_UNSPECIFIED_FAILURE; 773 774 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u", 775 MAC2STR(sta->addr), sae_state_txt(sta->sae->state), 776 auth_transaction); 777 switch (sta->sae->state) { 778 case SAE_NOTHING: 779 if (auth_transaction == 1) { 780 ret = auth_sae_send_commit(hapd, sta, bssid, 781 !allow_reuse); 782 if (ret) 783 return ret; 784 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 785 786 if (sae_process_commit(sta->sae) < 0) 787 return WLAN_STATUS_UNSPECIFIED_FAILURE; 788 789 /* 790 * In mesh case, both Commit and Confirm can be sent 791 * immediately. In infrastructure BSS, only a single 792 * Authentication frame (Commit) is expected from the AP 793 * here and the second one (Confirm) will be sent once 794 * the STA has sent its second Authentication frame 795 * (Confirm). 796 */ 797 if (hapd->conf->mesh & MESH_ENABLED) { 798 /* 799 * Send both Commit and Confirm immediately 800 * based on SAE finite state machine 801 * Nothing -> Confirm transition. 802 */ 803 ret = auth_sae_send_confirm(hapd, sta, bssid); 804 if (ret) 805 return ret; 806 sae_set_state(sta, SAE_CONFIRMED, 807 "Sent Confirm (mesh)"); 808 } else { 809 /* 810 * For infrastructure BSS, send only the Commit 811 * message now to get alternating sequence of 812 * Authentication frames between the AP and STA. 813 * Confirm will be sent in 814 * Committed -> Confirmed/Accepted transition 815 * when receiving Confirm from STA. 816 */ 817 } 818 sta->sae->sync = 0; 819 sae_set_retransmit_timer(hapd, sta); 820 } else { 821 hostapd_logger(hapd, sta->addr, 822 HOSTAPD_MODULE_IEEE80211, 823 HOSTAPD_LEVEL_DEBUG, 824 "SAE confirm before commit"); 825 } 826 break; 827 case SAE_COMMITTED: 828 sae_clear_retransmit_timer(hapd, sta); 829 if (auth_transaction == 1) { 830 if (sae_process_commit(sta->sae) < 0) 831 return WLAN_STATUS_UNSPECIFIED_FAILURE; 832 833 ret = auth_sae_send_confirm(hapd, sta, bssid); 834 if (ret) 835 return ret; 836 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 837 sta->sae->sync = 0; 838 sae_set_retransmit_timer(hapd, sta); 839 } else if (hapd->conf->mesh & MESH_ENABLED) { 840 /* 841 * In mesh case, follow SAE finite state machine and 842 * send Commit now, if sync count allows. 843 */ 844 if (sae_check_big_sync(hapd, sta)) 845 return WLAN_STATUS_SUCCESS; 846 sta->sae->sync++; 847 848 ret = auth_sae_send_commit(hapd, sta, bssid, 0); 849 if (ret) 850 return ret; 851 852 sae_set_retransmit_timer(hapd, sta); 853 } else { 854 /* 855 * For instructure BSS, send the postponed Confirm from 856 * Nothing -> Confirmed transition that was reduced to 857 * Nothing -> Committed above. 858 */ 859 ret = auth_sae_send_confirm(hapd, sta, bssid); 860 if (ret) 861 return ret; 862 863 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 864 865 /* 866 * Since this was triggered on Confirm RX, run another 867 * step to get to Accepted without waiting for 868 * additional events. 869 */ 870 return sae_sm_step(hapd, sta, bssid, auth_transaction, 871 0, sta_removed); 872 } 873 break; 874 case SAE_CONFIRMED: 875 sae_clear_retransmit_timer(hapd, sta); 876 if (auth_transaction == 1) { 877 if (sae_check_big_sync(hapd, sta)) 878 return WLAN_STATUS_SUCCESS; 879 sta->sae->sync++; 880 881 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 882 if (ret) 883 return ret; 884 885 if (sae_process_commit(sta->sae) < 0) 886 return WLAN_STATUS_UNSPECIFIED_FAILURE; 887 888 ret = auth_sae_send_confirm(hapd, sta, bssid); 889 if (ret) 890 return ret; 891 892 sae_set_retransmit_timer(hapd, sta); 893 } else { 894 sta->sae->send_confirm = 0xffff; 895 sae_accept_sta(hapd, sta); 896 } 897 break; 898 case SAE_ACCEPTED: 899 if (auth_transaction == 1 && 900 (hapd->conf->mesh & MESH_ENABLED)) { 901 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 902 ") doing reauthentication", 903 MAC2STR(sta->addr)); 904 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 905 ap_free_sta(hapd, sta); 906 *sta_removed = 1; 907 } else if (auth_transaction == 1) { 908 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication"); 909 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 910 if (ret) 911 return ret; 912 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 913 914 if (sae_process_commit(sta->sae) < 0) 915 return WLAN_STATUS_UNSPECIFIED_FAILURE; 916 sta->sae->sync = 0; 917 sae_set_retransmit_timer(hapd, sta); 918 } else { 919 if (sae_check_big_sync(hapd, sta)) 920 return WLAN_STATUS_SUCCESS; 921 sta->sae->sync++; 922 923 ret = auth_sae_send_confirm(hapd, sta, bssid); 924 sae_clear_temp_data(sta->sae); 925 if (ret) 926 return ret; 927 } 928 break; 929 default: 930 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 931 sta->sae->state); 932 return WLAN_STATUS_UNSPECIFIED_FAILURE; 933 } 934 return WLAN_STATUS_SUCCESS; 935 } 936 937 938 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) 939 { 940 struct sae_data *sae = sta->sae; 941 int i, *groups = hapd->conf->sae_groups; 942 int default_groups[] = { 19, 0 }; 943 944 if (sae->state != SAE_COMMITTED) 945 return; 946 947 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group); 948 949 if (!groups) 950 groups = default_groups; 951 for (i = 0; groups[i] > 0; i++) { 952 if (sae->group == groups[i]) 953 break; 954 } 955 956 if (groups[i] <= 0) { 957 wpa_printf(MSG_DEBUG, 958 "SAE: Previously selected group not found from the current configuration"); 959 return; 960 } 961 962 for (;;) { 963 i++; 964 if (groups[i] <= 0) { 965 wpa_printf(MSG_DEBUG, 966 "SAE: No alternative group enabled"); 967 return; 968 } 969 970 if (sae_set_group(sae, groups[i]) < 0) 971 continue; 972 973 break; 974 } 975 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]); 976 } 977 978 979 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 980 const struct ieee80211_mgmt *mgmt, size_t len, 981 u16 auth_transaction, u16 status_code) 982 { 983 int resp = WLAN_STATUS_SUCCESS; 984 struct wpabuf *data = NULL; 985 int *groups = hapd->conf->sae_groups; 986 int default_groups[] = { 19, 0 }; 987 const u8 *pos, *end; 988 int sta_removed = 0; 989 990 if (!groups) 991 groups = default_groups; 992 993 #ifdef CONFIG_TESTING_OPTIONS 994 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) { 995 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack"); 996 pos = mgmt->u.auth.variable; 997 end = ((const u8 *) mgmt) + len; 998 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 999 auth_transaction, resp, pos, end - pos, 1000 "auth-sae-reflection-attack"); 1001 goto remove_sta; 1002 } 1003 1004 if (hapd->conf->sae_commit_override && auth_transaction == 1) { 1005 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 1006 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 1007 auth_transaction, resp, 1008 wpabuf_head(hapd->conf->sae_commit_override), 1009 wpabuf_len(hapd->conf->sae_commit_override), 1010 "sae-commit-override"); 1011 goto remove_sta; 1012 } 1013 #endif /* CONFIG_TESTING_OPTIONS */ 1014 if (!sta->sae) { 1015 if (auth_transaction != 1 || 1016 status_code != WLAN_STATUS_SUCCESS) { 1017 resp = -1; 1018 goto remove_sta; 1019 } 1020 sta->sae = os_zalloc(sizeof(*sta->sae)); 1021 if (!sta->sae) { 1022 resp = -1; 1023 goto remove_sta; 1024 } 1025 sae_set_state(sta, SAE_NOTHING, "Init"); 1026 sta->sae->sync = 0; 1027 } 1028 1029 if (sta->mesh_sae_pmksa_caching) { 1030 wpa_printf(MSG_DEBUG, 1031 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication"); 1032 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 1033 sta->mesh_sae_pmksa_caching = 0; 1034 } 1035 1036 if (auth_transaction == 1) { 1037 const u8 *token = NULL; 1038 size_t token_len = 0; 1039 int allow_reuse = 0; 1040 1041 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1042 HOSTAPD_LEVEL_DEBUG, 1043 "start SAE authentication (RX commit, status=%u (%s))", 1044 status_code, status2str(status_code)); 1045 1046 if ((hapd->conf->mesh & MESH_ENABLED) && 1047 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1048 sta->sae->tmp) { 1049 pos = mgmt->u.auth.variable; 1050 end = ((const u8 *) mgmt) + len; 1051 if (pos + sizeof(le16) > end) { 1052 wpa_printf(MSG_ERROR, 1053 "SAE: Too short anti-clogging token request"); 1054 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1055 goto reply; 1056 } 1057 resp = sae_group_allowed(sta->sae, groups, 1058 WPA_GET_LE16(pos)); 1059 if (resp != WLAN_STATUS_SUCCESS) { 1060 wpa_printf(MSG_ERROR, 1061 "SAE: Invalid group in anti-clogging token request"); 1062 goto reply; 1063 } 1064 pos += sizeof(le16); 1065 1066 wpabuf_free(sta->sae->tmp->anti_clogging_token); 1067 sta->sae->tmp->anti_clogging_token = 1068 wpabuf_alloc_copy(pos, end - pos); 1069 if (sta->sae->tmp->anti_clogging_token == NULL) { 1070 wpa_printf(MSG_ERROR, 1071 "SAE: Failed to alloc for anti-clogging token"); 1072 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1073 goto remove_sta; 1074 } 1075 1076 /* 1077 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 1078 * is 76, a new Commit Message shall be constructed 1079 * with the Anti-Clogging Token from the received 1080 * Authentication frame, and the commit-scalar and 1081 * COMMIT-ELEMENT previously sent. 1082 */ 1083 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0); 1084 if (resp != WLAN_STATUS_SUCCESS) { 1085 wpa_printf(MSG_ERROR, 1086 "SAE: Failed to send commit message"); 1087 goto remove_sta; 1088 } 1089 sae_set_state(sta, SAE_COMMITTED, 1090 "Sent Commit (anti-clogging token case in mesh)"); 1091 sta->sae->sync = 0; 1092 sae_set_retransmit_timer(hapd, sta); 1093 return; 1094 } 1095 1096 if ((hapd->conf->mesh & MESH_ENABLED) && 1097 status_code == 1098 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1099 sta->sae->tmp) { 1100 wpa_printf(MSG_DEBUG, 1101 "SAE: Peer did not accept our SAE group"); 1102 sae_pick_next_group(hapd, sta); 1103 goto remove_sta; 1104 } 1105 1106 if (status_code != WLAN_STATUS_SUCCESS) 1107 goto remove_sta; 1108 1109 if (!(hapd->conf->mesh & MESH_ENABLED) && 1110 sta->sae->state == SAE_COMMITTED) { 1111 /* This is needed in the infrastructure BSS case to 1112 * address a sequence where a STA entry may remain in 1113 * hostapd across two attempts to do SAE authentication 1114 * by the same STA. The second attempt may end up trying 1115 * to use a different group and that would not be 1116 * allowed if we remain in Committed state with the 1117 * previously set parameters. */ 1118 pos = mgmt->u.auth.variable; 1119 end = ((const u8 *) mgmt) + len; 1120 if (end - pos >= (int) sizeof(le16) && 1121 sae_group_allowed(sta->sae, groups, 1122 WPA_GET_LE16(pos)) == 1123 WLAN_STATUS_SUCCESS) { 1124 /* Do not waste resources deriving the same PWE 1125 * again since the same group is reused. */ 1126 sae_set_state(sta, SAE_NOTHING, 1127 "Allow previous PWE to be reused"); 1128 allow_reuse = 1; 1129 } else { 1130 sae_set_state(sta, SAE_NOTHING, 1131 "Clear existing state to allow restart"); 1132 sae_clear_data(sta->sae); 1133 } 1134 } 1135 1136 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 1137 ((const u8 *) mgmt) + len - 1138 mgmt->u.auth.variable, &token, 1139 &token_len, groups); 1140 if (resp == SAE_SILENTLY_DISCARD) { 1141 wpa_printf(MSG_DEBUG, 1142 "SAE: Drop commit message from " MACSTR " due to reflection attack", 1143 MAC2STR(sta->addr)); 1144 goto remove_sta; 1145 } 1146 1147 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1148 wpa_msg(hapd->msg_ctx, MSG_INFO, 1149 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER 1150 MACSTR, MAC2STR(sta->addr)); 1151 sae_clear_retransmit_timer(hapd, sta); 1152 sae_set_state(sta, SAE_NOTHING, 1153 "Unknown Password Identifier"); 1154 goto remove_sta; 1155 } 1156 1157 if (token && check_sae_token(hapd, sta->addr, token, token_len) 1158 < 0) { 1159 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 1160 "incorrect token from " MACSTR, 1161 MAC2STR(sta->addr)); 1162 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1163 goto remove_sta; 1164 } 1165 1166 if (resp != WLAN_STATUS_SUCCESS) 1167 goto reply; 1168 1169 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) { 1170 wpa_printf(MSG_DEBUG, 1171 "SAE: Request anti-clogging token from " 1172 MACSTR, MAC2STR(sta->addr)); 1173 data = auth_build_token_req(hapd, sta->sae->group, 1174 sta->addr); 1175 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 1176 if (hapd->conf->mesh & MESH_ENABLED) 1177 sae_set_state(sta, SAE_NOTHING, 1178 "Request anti-clogging token case in mesh"); 1179 goto reply; 1180 } 1181 1182 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 1183 allow_reuse, &sta_removed); 1184 } else if (auth_transaction == 2) { 1185 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1186 HOSTAPD_LEVEL_DEBUG, 1187 "SAE authentication (RX confirm, status=%u (%s))", 1188 status_code, status2str(status_code)); 1189 if (status_code != WLAN_STATUS_SUCCESS) 1190 goto remove_sta; 1191 if (sta->sae->state >= SAE_CONFIRMED || 1192 !(hapd->conf->mesh & MESH_ENABLED)) { 1193 const u8 *var; 1194 size_t var_len; 1195 u16 peer_send_confirm; 1196 1197 var = mgmt->u.auth.variable; 1198 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable; 1199 if (var_len < 2) { 1200 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1201 goto reply; 1202 } 1203 1204 peer_send_confirm = WPA_GET_LE16(var); 1205 1206 if (sta->sae->state == SAE_ACCEPTED && 1207 (peer_send_confirm <= sta->sae->rc || 1208 peer_send_confirm == 0xffff)) { 1209 wpa_printf(MSG_DEBUG, 1210 "SAE: Silently ignore unexpected Confirm from peer " 1211 MACSTR 1212 " (peer-send-confirm=%u Rc=%u)", 1213 MAC2STR(sta->addr), 1214 peer_send_confirm, sta->sae->rc); 1215 return; 1216 } 1217 1218 if (sae_check_confirm(sta->sae, var, var_len) < 0) { 1219 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1220 goto reply; 1221 } 1222 sta->sae->rc = peer_send_confirm; 1223 } 1224 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0, 1225 &sta_removed); 1226 } else { 1227 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1228 HOSTAPD_LEVEL_DEBUG, 1229 "unexpected SAE authentication transaction %u (status=%u (%s))", 1230 auth_transaction, status_code, 1231 status2str(status_code)); 1232 if (status_code != WLAN_STATUS_SUCCESS) 1233 goto remove_sta; 1234 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 1235 } 1236 1237 reply: 1238 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) { 1239 pos = mgmt->u.auth.variable; 1240 end = ((const u8 *) mgmt) + len; 1241 1242 /* Copy the Finite Cyclic Group field from the request if we 1243 * rejected it as unsupported group. */ 1244 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1245 !data && end - pos >= 2) 1246 data = wpabuf_alloc_copy(pos, 2); 1247 1248 sae_sme_send_external_auth_status(hapd, sta, resp); 1249 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 1250 auth_transaction, resp, 1251 data ? wpabuf_head(data) : (u8 *) "", 1252 data ? wpabuf_len(data) : 0, "auth-sae"); 1253 } 1254 1255 remove_sta: 1256 if (!sta_removed && sta->added_unassoc && 1257 (resp != WLAN_STATUS_SUCCESS || 1258 status_code != WLAN_STATUS_SUCCESS)) { 1259 hostapd_drv_sta_remove(hapd, sta->addr); 1260 sta->added_unassoc = 0; 1261 } 1262 wpabuf_free(data); 1263 } 1264 1265 1266 /** 1267 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 1268 * @hapd: BSS data for the device initiating the authentication 1269 * @sta: the peer to which commit authentication frame is sent 1270 * 1271 * This function implements Init event handling (IEEE Std 802.11-2012, 1272 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 1273 * sta->sae structure should be initialized appropriately via a call to 1274 * sae_prepare_commit(). 1275 */ 1276 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 1277 { 1278 int ret; 1279 1280 if (!sta->sae || !sta->sae->tmp) 1281 return -1; 1282 1283 if (sta->sae->state != SAE_NOTHING) 1284 return -1; 1285 1286 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 1287 if (ret) 1288 return -1; 1289 1290 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit"); 1291 sta->sae->sync = 0; 1292 sae_set_retransmit_timer(hapd, sta); 1293 1294 return 0; 1295 } 1296 1297 1298 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx) 1299 { 1300 struct hostapd_data *hapd = eloop_ctx; 1301 struct hostapd_sae_commit_queue *q; 1302 unsigned int queue_len; 1303 1304 q = dl_list_first(&hapd->sae_commit_queue, 1305 struct hostapd_sae_commit_queue, list); 1306 if (!q) 1307 return; 1308 wpa_printf(MSG_DEBUG, 1309 "SAE: Process next available message from queue"); 1310 dl_list_del(&q->list); 1311 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len, 1312 q->rssi, 1); 1313 os_free(q); 1314 1315 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1316 return; 1317 queue_len = dl_list_len(&hapd->sae_commit_queue); 1318 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1319 hapd, NULL); 1320 } 1321 1322 1323 static void auth_sae_queue(struct hostapd_data *hapd, 1324 const struct ieee80211_mgmt *mgmt, size_t len, 1325 int rssi) 1326 { 1327 struct hostapd_sae_commit_queue *q, *q2; 1328 unsigned int queue_len; 1329 const struct ieee80211_mgmt *mgmt2; 1330 1331 queue_len = dl_list_len(&hapd->sae_commit_queue); 1332 if (queue_len >= 15) { 1333 wpa_printf(MSG_DEBUG, 1334 "SAE: No more room in message queue - drop the new frame from " 1335 MACSTR, MAC2STR(mgmt->sa)); 1336 return; 1337 } 1338 1339 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from " 1340 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa), 1341 queue_len); 1342 q = os_zalloc(sizeof(*q) + len); 1343 if (!q) 1344 return; 1345 q->rssi = rssi; 1346 q->len = len; 1347 os_memcpy(q->msg, mgmt, len); 1348 1349 /* Check whether there is already a queued Authentication frame from the 1350 * same station with the same transaction number and if so, replace that 1351 * queue entry with the new one. This avoids issues with a peer that 1352 * sends multiple times (e.g., due to frequent SAE retries). There is no 1353 * point in us trying to process the old attempts after a new one has 1354 * obsoleted them. */ 1355 dl_list_for_each(q2, &hapd->sae_commit_queue, 1356 struct hostapd_sae_commit_queue, list) { 1357 mgmt2 = (const struct ieee80211_mgmt *) q2->msg; 1358 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 && 1359 mgmt->u.auth.auth_transaction == 1360 mgmt2->u.auth.auth_transaction) { 1361 wpa_printf(MSG_DEBUG, 1362 "SAE: Replace queued message from same STA with same transaction number"); 1363 dl_list_add(&q2->list, &q->list); 1364 dl_list_del(&q2->list); 1365 os_free(q2); 1366 goto queued; 1367 } 1368 } 1369 1370 /* No pending identical entry, so add to the end of the queue */ 1371 dl_list_add_tail(&hapd->sae_commit_queue, &q->list); 1372 1373 queued: 1374 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1375 return; 1376 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1377 hapd, NULL); 1378 } 1379 1380 1381 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr) 1382 { 1383 struct hostapd_sae_commit_queue *q; 1384 const struct ieee80211_mgmt *mgmt; 1385 1386 dl_list_for_each(q, &hapd->sae_commit_queue, 1387 struct hostapd_sae_commit_queue, list) { 1388 mgmt = (const struct ieee80211_mgmt *) q->msg; 1389 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0) 1390 return 1; 1391 } 1392 1393 return 0; 1394 } 1395 1396 #endif /* CONFIG_SAE */ 1397 1398 1399 static u16 wpa_res_to_status_code(int res) 1400 { 1401 if (res == WPA_INVALID_GROUP) 1402 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 1403 if (res == WPA_INVALID_PAIRWISE) 1404 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1405 if (res == WPA_INVALID_AKMP) 1406 return WLAN_STATUS_AKMP_NOT_VALID; 1407 if (res == WPA_ALLOC_FAIL) 1408 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1409 #ifdef CONFIG_IEEE80211W 1410 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION) 1411 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 1412 if (res == WPA_INVALID_MGMT_GROUP_CIPHER) 1413 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 1414 #endif /* CONFIG_IEEE80211W */ 1415 if (res == WPA_INVALID_MDIE) 1416 return WLAN_STATUS_INVALID_MDIE; 1417 if (res == WPA_INVALID_PMKID) 1418 return WLAN_STATUS_INVALID_PMKID; 1419 if (res != WPA_IE_OK) 1420 return WLAN_STATUS_INVALID_IE; 1421 return WLAN_STATUS_SUCCESS; 1422 } 1423 1424 1425 #ifdef CONFIG_FILS 1426 1427 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1428 struct sta_info *sta, u16 resp, 1429 struct wpabuf *data, int pub); 1430 1431 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, 1432 const u8 *pos, size_t len, u16 auth_alg, 1433 u16 auth_transaction, u16 status_code, 1434 void (*cb)(struct hostapd_data *hapd, 1435 struct sta_info *sta, u16 resp, 1436 struct wpabuf *data, int pub)) 1437 { 1438 u16 resp = WLAN_STATUS_SUCCESS; 1439 const u8 *end; 1440 struct ieee802_11_elems elems; 1441 int res; 1442 struct wpa_ie_data rsn; 1443 struct rsn_pmksa_cache_entry *pmksa = NULL; 1444 1445 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 1446 return; 1447 1448 end = pos + len; 1449 1450 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 1451 pos, end - pos); 1452 1453 /* TODO: FILS PK */ 1454 #ifdef CONFIG_FILS_SK_PFS 1455 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) { 1456 u16 group; 1457 struct wpabuf *pub; 1458 size_t elem_len; 1459 1460 /* Using FILS PFS */ 1461 1462 /* Finite Cyclic Group */ 1463 if (end - pos < 2) { 1464 wpa_printf(MSG_DEBUG, 1465 "FILS: No room for Finite Cyclic Group"); 1466 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1467 goto fail; 1468 } 1469 group = WPA_GET_LE16(pos); 1470 pos += 2; 1471 if (group != hapd->conf->fils_dh_group) { 1472 wpa_printf(MSG_DEBUG, 1473 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)", 1474 group, hapd->conf->fils_dh_group); 1475 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1476 goto fail; 1477 } 1478 1479 crypto_ecdh_deinit(sta->fils_ecdh); 1480 sta->fils_ecdh = crypto_ecdh_init(group); 1481 if (!sta->fils_ecdh) { 1482 wpa_printf(MSG_INFO, 1483 "FILS: Could not initialize ECDH with group %d", 1484 group); 1485 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1486 goto fail; 1487 } 1488 1489 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 1490 if (!pub) { 1491 wpa_printf(MSG_DEBUG, 1492 "FILS: Failed to derive ECDH public key"); 1493 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1494 goto fail; 1495 } 1496 elem_len = wpabuf_len(pub); 1497 wpabuf_free(pub); 1498 1499 /* Element */ 1500 if ((size_t) (end - pos) < elem_len) { 1501 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 1502 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1503 goto fail; 1504 } 1505 1506 wpabuf_free(sta->fils_g_sta); 1507 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len); 1508 wpabuf_clear_free(sta->fils_dh_ss); 1509 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1, 1510 pos, elem_len); 1511 if (!sta->fils_dh_ss) { 1512 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 1513 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1514 goto fail; 1515 } 1516 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss); 1517 pos += elem_len; 1518 } else { 1519 crypto_ecdh_deinit(sta->fils_ecdh); 1520 sta->fils_ecdh = NULL; 1521 wpabuf_clear_free(sta->fils_dh_ss); 1522 sta->fils_dh_ss = NULL; 1523 } 1524 #endif /* CONFIG_FILS_SK_PFS */ 1525 1526 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 1527 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 1528 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 1529 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1530 goto fail; 1531 } 1532 1533 /* RSNE */ 1534 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", 1535 elems.rsn_ie, elems.rsn_ie_len); 1536 if (!elems.rsn_ie || 1537 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1538 &rsn) < 0) { 1539 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element"); 1540 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1541 goto fail; 1542 } 1543 1544 if (!sta->wpa_sm) 1545 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 1546 NULL); 1547 if (!sta->wpa_sm) { 1548 wpa_printf(MSG_DEBUG, 1549 "FILS: Failed to initialize RSN state machine"); 1550 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1551 goto fail; 1552 } 1553 1554 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1555 hapd->iface->freq, 1556 elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1557 elems.mdie, elems.mdie_len, NULL, 0); 1558 resp = wpa_res_to_status_code(res); 1559 if (resp != WLAN_STATUS_SUCCESS) 1560 goto fail; 1561 1562 if (!elems.fils_nonce) { 1563 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 1564 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1565 goto fail; 1566 } 1567 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce, 1568 FILS_NONCE_LEN); 1569 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN); 1570 1571 /* PMKID List */ 1572 if (rsn.pmkid && rsn.num_pmkid > 0) { 1573 u8 num; 1574 const u8 *pmkid; 1575 1576 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 1577 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 1578 1579 pmkid = rsn.pmkid; 1580 num = rsn.num_pmkid; 1581 while (num) { 1582 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 1583 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, 1584 pmkid); 1585 if (pmksa) 1586 break; 1587 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth, 1588 sta->addr, 1589 pmkid); 1590 if (pmksa) 1591 break; 1592 pmkid += PMKID_LEN; 1593 num--; 1594 } 1595 } 1596 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) { 1597 wpa_printf(MSG_DEBUG, 1598 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore", 1599 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp); 1600 pmksa = NULL; 1601 } 1602 if (pmksa) 1603 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry"); 1604 1605 /* FILS Session */ 1606 if (!elems.fils_session) { 1607 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 1608 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1609 goto fail; 1610 } 1611 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 1612 FILS_SESSION_LEN); 1613 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN); 1614 1615 /* FILS Wrapped Data */ 1616 if (elems.fils_wrapped_data) { 1617 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 1618 elems.fils_wrapped_data, 1619 elems.fils_wrapped_data_len); 1620 if (!pmksa) { 1621 #ifndef CONFIG_NO_RADIUS 1622 if (!sta->eapol_sm) { 1623 sta->eapol_sm = 1624 ieee802_1x_alloc_eapol_sm(hapd, sta); 1625 } 1626 wpa_printf(MSG_DEBUG, 1627 "FILS: Forward EAP-Initiate/Re-auth to authentication server"); 1628 ieee802_1x_encapsulate_radius( 1629 hapd, sta, elems.fils_wrapped_data, 1630 elems.fils_wrapped_data_len); 1631 sta->fils_pending_cb = cb; 1632 wpa_printf(MSG_DEBUG, 1633 "FILS: Will send Authentication frame once the response from authentication server is available"); 1634 sta->flags |= WLAN_STA_PENDING_FILS_ERP; 1635 /* Calculate pending PMKID here so that we do not need 1636 * to maintain a copy of the EAP-Initiate/Reauth 1637 * message. */ 1638 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1639 elems.fils_wrapped_data, 1640 elems.fils_wrapped_data_len, 1641 sta->fils_erp_pmkid) == 0) 1642 sta->fils_erp_pmkid_set = 1; 1643 return; 1644 #else /* CONFIG_NO_RADIUS */ 1645 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1646 goto fail; 1647 #endif /* CONFIG_NO_RADIUS */ 1648 } 1649 } 1650 1651 fail: 1652 if (cb) { 1653 struct wpabuf *data; 1654 int pub = 0; 1655 1656 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL, 1657 NULL, 0, &pub); 1658 if (!data) { 1659 wpa_printf(MSG_DEBUG, 1660 "%s: prepare_auth_resp_fils() returned failure", 1661 __func__); 1662 } 1663 1664 cb(hapd, sta, resp, data, pub); 1665 } 1666 } 1667 1668 1669 static struct wpabuf * 1670 prepare_auth_resp_fils(struct hostapd_data *hapd, 1671 struct sta_info *sta, u16 *resp, 1672 struct rsn_pmksa_cache_entry *pmksa, 1673 struct wpabuf *erp_resp, 1674 const u8 *msk, size_t msk_len, 1675 int *is_pub) 1676 { 1677 u8 fils_nonce[FILS_NONCE_LEN]; 1678 size_t ielen; 1679 struct wpabuf *data = NULL; 1680 const u8 *ie; 1681 u8 *ie_buf = NULL; 1682 const u8 *pmk = NULL; 1683 size_t pmk_len = 0; 1684 u8 pmk_buf[PMK_LEN_MAX]; 1685 struct wpabuf *pub = NULL; 1686 1687 if (*resp != WLAN_STATUS_SUCCESS) 1688 goto fail; 1689 1690 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen); 1691 if (!ie) { 1692 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1693 goto fail; 1694 } 1695 1696 if (pmksa) { 1697 /* Add PMKID of the selected PMKSA into RSNE */ 1698 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN); 1699 if (!ie_buf) { 1700 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1701 goto fail; 1702 } 1703 1704 os_memcpy(ie_buf, ie, ielen); 1705 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) { 1706 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1707 goto fail; 1708 } 1709 ie = ie_buf; 1710 } 1711 1712 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) { 1713 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1714 goto fail; 1715 } 1716 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce", 1717 fils_nonce, FILS_NONCE_LEN); 1718 1719 #ifdef CONFIG_FILS_SK_PFS 1720 if (sta->fils_dh_ss && sta->fils_ecdh) { 1721 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 1722 if (!pub) { 1723 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1724 goto fail; 1725 } 1726 } 1727 #endif /* CONFIG_FILS_SK_PFS */ 1728 1729 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0)); 1730 if (!data) { 1731 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1732 goto fail; 1733 } 1734 1735 /* TODO: FILS PK */ 1736 #ifdef CONFIG_FILS_SK_PFS 1737 if (pub) { 1738 /* Finite Cyclic Group */ 1739 wpabuf_put_le16(data, hapd->conf->fils_dh_group); 1740 1741 /* Element */ 1742 wpabuf_put_buf(data, pub); 1743 } 1744 #endif /* CONFIG_FILS_SK_PFS */ 1745 1746 /* RSNE */ 1747 wpabuf_put_data(data, ie, ielen); 1748 1749 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */ 1750 1751 #ifdef CONFIG_IEEE80211R_AP 1752 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) { 1753 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */ 1754 int res; 1755 int use_sha384 = wpa_key_mgmt_sha384( 1756 wpa_auth_sta_key_mgmt(sta->wpa_sm)); 1757 1758 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384, 1759 wpabuf_put(data, 0), 1760 wpabuf_tailroom(data)); 1761 if (res < 0) { 1762 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1763 goto fail; 1764 } 1765 wpabuf_put(data, res); 1766 } 1767 #endif /* CONFIG_IEEE80211R_AP */ 1768 1769 /* FILS Nonce */ 1770 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1771 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */ 1772 /* Element ID Extension */ 1773 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE); 1774 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN); 1775 1776 /* FILS Session */ 1777 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1778 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */ 1779 /* Element ID Extension */ 1780 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION); 1781 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN); 1782 1783 /* FILS Wrapped Data */ 1784 if (!pmksa && erp_resp) { 1785 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1786 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */ 1787 /* Element ID Extension */ 1788 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA); 1789 wpabuf_put_buf(data, erp_resp); 1790 1791 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1792 msk, msk_len, sta->fils_snonce, fils_nonce, 1793 sta->fils_dh_ss ? 1794 wpabuf_head(sta->fils_dh_ss) : NULL, 1795 sta->fils_dh_ss ? 1796 wpabuf_len(sta->fils_dh_ss) : 0, 1797 pmk_buf, &pmk_len)) { 1798 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 1799 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1800 wpabuf_free(data); 1801 data = NULL; 1802 goto fail; 1803 } 1804 pmk = pmk_buf; 1805 1806 /* Don't use DHss in PTK derivation if PMKSA caching is not 1807 * used. */ 1808 wpabuf_clear_free(sta->fils_dh_ss); 1809 sta->fils_dh_ss = NULL; 1810 1811 if (sta->fils_erp_pmkid_set) { 1812 /* TODO: get PMKLifetime from WPA parameters */ 1813 unsigned int dot11RSNAConfigPMKLifetime = 43200; 1814 int session_timeout; 1815 1816 session_timeout = dot11RSNAConfigPMKLifetime; 1817 if (sta->session_timeout_set) { 1818 struct os_reltime now, diff; 1819 1820 os_get_reltime(&now); 1821 os_reltime_sub(&sta->session_timeout, &now, 1822 &diff); 1823 session_timeout = diff.sec; 1824 } 1825 1826 sta->fils_erp_pmkid_set = 0; 1827 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len, 1828 sta->fils_erp_pmkid); 1829 if (!hapd->conf->disable_pmksa_caching && 1830 wpa_auth_pmksa_add2( 1831 hapd->wpa_auth, sta->addr, 1832 pmk, pmk_len, 1833 sta->fils_erp_pmkid, 1834 session_timeout, 1835 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) { 1836 wpa_printf(MSG_ERROR, 1837 "FILS: Failed to add PMKSA cache entry based on ERP"); 1838 } 1839 } 1840 } else if (pmksa) { 1841 pmk = pmksa->pmk; 1842 pmk_len = pmksa->pmk_len; 1843 } 1844 1845 if (!pmk) { 1846 wpa_printf(MSG_DEBUG, "FILS: No PMK available"); 1847 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1848 wpabuf_free(data); 1849 data = NULL; 1850 goto fail; 1851 } 1852 1853 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len, 1854 sta->fils_snonce, fils_nonce, 1855 sta->fils_dh_ss ? 1856 wpabuf_head(sta->fils_dh_ss) : NULL, 1857 sta->fils_dh_ss ? 1858 wpabuf_len(sta->fils_dh_ss) : 0, 1859 sta->fils_g_sta, pub) < 0) { 1860 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1861 wpabuf_free(data); 1862 data = NULL; 1863 goto fail; 1864 } 1865 1866 fail: 1867 if (is_pub) 1868 *is_pub = pub != NULL; 1869 os_free(ie_buf); 1870 wpabuf_free(pub); 1871 wpabuf_clear_free(sta->fils_dh_ss); 1872 sta->fils_dh_ss = NULL; 1873 #ifdef CONFIG_FILS_SK_PFS 1874 crypto_ecdh_deinit(sta->fils_ecdh); 1875 sta->fils_ecdh = NULL; 1876 #endif /* CONFIG_FILS_SK_PFS */ 1877 return data; 1878 } 1879 1880 1881 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1882 struct sta_info *sta, u16 resp, 1883 struct wpabuf *data, int pub) 1884 { 1885 u16 auth_alg; 1886 1887 auth_alg = (pub || 1888 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ? 1889 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 1890 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp, 1891 data ? wpabuf_head(data) : (u8 *) "", 1892 data ? wpabuf_len(data) : 0, "auth-fils-finish"); 1893 wpabuf_free(data); 1894 1895 if (resp == WLAN_STATUS_SUCCESS) { 1896 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1897 HOSTAPD_LEVEL_DEBUG, 1898 "authentication OK (FILS)"); 1899 sta->flags |= WLAN_STA_AUTH; 1900 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1901 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 1902 mlme_authenticate_indication(hapd, sta); 1903 } 1904 } 1905 1906 1907 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, 1908 struct sta_info *sta, int success, 1909 struct wpabuf *erp_resp, 1910 const u8 *msk, size_t msk_len) 1911 { 1912 struct wpabuf *data; 1913 int pub = 0; 1914 u16 resp; 1915 1916 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1917 1918 if (!sta->fils_pending_cb) 1919 return; 1920 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE; 1921 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp, 1922 msk, msk_len, &pub); 1923 if (!data) { 1924 wpa_printf(MSG_DEBUG, 1925 "%s: prepare_auth_resp_fils() returned failure", 1926 __func__); 1927 } 1928 sta->fils_pending_cb(hapd, sta, resp, data, pub); 1929 } 1930 1931 #endif /* CONFIG_FILS */ 1932 1933 1934 int 1935 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, 1936 const u8 *msg, size_t len, u32 *session_timeout, 1937 u32 *acct_interim_interval, 1938 struct vlan_description *vlan_id, 1939 struct hostapd_sta_wpa_psk_short **psk, 1940 char **identity, char **radius_cui, int is_probe_req) 1941 { 1942 int res; 1943 1944 os_memset(vlan_id, 0, sizeof(*vlan_id)); 1945 res = hostapd_allowed_address(hapd, addr, msg, len, 1946 session_timeout, acct_interim_interval, 1947 vlan_id, psk, identity, radius_cui, 1948 is_probe_req); 1949 1950 if (res == HOSTAPD_ACL_REJECT) { 1951 if (!is_probe_req) 1952 wpa_printf(MSG_DEBUG, 1953 "Station " MACSTR 1954 " not allowed to authenticate", 1955 MAC2STR(addr)); 1956 return HOSTAPD_ACL_REJECT; 1957 } 1958 1959 if (res == HOSTAPD_ACL_PENDING) { 1960 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 1961 " waiting for an external authentication", 1962 MAC2STR(addr)); 1963 /* Authentication code will re-send the authentication frame 1964 * after it has received (and cached) information from the 1965 * external source. */ 1966 return HOSTAPD_ACL_PENDING; 1967 } 1968 1969 return res; 1970 } 1971 1972 1973 static int 1974 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, 1975 int res, u32 session_timeout, 1976 u32 acct_interim_interval, 1977 struct vlan_description *vlan_id, 1978 struct hostapd_sta_wpa_psk_short **psk, 1979 char **identity, char **radius_cui) 1980 { 1981 if (vlan_id->notempty && 1982 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) { 1983 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1984 HOSTAPD_LEVEL_INFO, 1985 "Invalid VLAN %d%s received from RADIUS server", 1986 vlan_id->untagged, 1987 vlan_id->tagged[0] ? "+" : ""); 1988 return -1; 1989 } 1990 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) 1991 return -1; 1992 if (sta->vlan_id) 1993 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1994 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 1995 1996 hostapd_free_psk_list(sta->psk); 1997 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) { 1998 sta->psk = *psk; 1999 *psk = NULL; 2000 } else { 2001 sta->psk = NULL; 2002 } 2003 2004 os_free(sta->identity); 2005 sta->identity = *identity; 2006 *identity = NULL; 2007 2008 os_free(sta->radius_cui); 2009 sta->radius_cui = *radius_cui; 2010 *radius_cui = NULL; 2011 2012 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 2013 sta->acct_interim_interval = acct_interim_interval; 2014 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) { 2015 sta->session_timeout_set = 1; 2016 os_get_reltime(&sta->session_timeout); 2017 sta->session_timeout.sec += session_timeout; 2018 ap_sta_session_timeout(hapd, sta, session_timeout); 2019 } else { 2020 sta->session_timeout_set = 0; 2021 ap_sta_no_session_timeout(hapd, sta); 2022 } 2023 2024 return 0; 2025 } 2026 2027 2028 static void handle_auth(struct hostapd_data *hapd, 2029 const struct ieee80211_mgmt *mgmt, size_t len, 2030 int rssi, int from_queue) 2031 { 2032 u16 auth_alg, auth_transaction, status_code; 2033 u16 resp = WLAN_STATUS_SUCCESS; 2034 struct sta_info *sta = NULL; 2035 int res, reply_res; 2036 u16 fc; 2037 const u8 *challenge = NULL; 2038 u32 session_timeout, acct_interim_interval; 2039 struct vlan_description vlan_id; 2040 struct hostapd_sta_wpa_psk_short *psk = NULL; 2041 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 2042 size_t resp_ies_len = 0; 2043 char *identity = NULL; 2044 char *radius_cui = NULL; 2045 u16 seq_ctrl; 2046 2047 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 2048 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 2049 (unsigned long) len); 2050 return; 2051 } 2052 2053 #ifdef CONFIG_TESTING_OPTIONS 2054 if (hapd->iconf->ignore_auth_probability > 0.0 && 2055 drand48() < hapd->iconf->ignore_auth_probability) { 2056 wpa_printf(MSG_INFO, 2057 "TESTING: ignoring auth frame from " MACSTR, 2058 MAC2STR(mgmt->sa)); 2059 return; 2060 } 2061 #endif /* CONFIG_TESTING_OPTIONS */ 2062 2063 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 2064 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 2065 status_code = le_to_host16(mgmt->u.auth.status_code); 2066 fc = le_to_host16(mgmt->frame_control); 2067 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2068 2069 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 2070 2 + WLAN_AUTH_CHALLENGE_LEN && 2071 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 2072 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 2073 challenge = &mgmt->u.auth.variable[2]; 2074 2075 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 2076 "auth_transaction=%d status_code=%d wep=%d%s " 2077 "seq_ctrl=0x%x%s%s", 2078 MAC2STR(mgmt->sa), auth_alg, auth_transaction, 2079 status_code, !!(fc & WLAN_FC_ISWEP), 2080 challenge ? " challenge" : "", 2081 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "", 2082 from_queue ? " (from queue)" : ""); 2083 2084 #ifdef CONFIG_NO_RC4 2085 if (auth_alg == WLAN_AUTH_SHARED_KEY) { 2086 wpa_printf(MSG_INFO, 2087 "Unsupported authentication algorithm (%d)", 2088 auth_alg); 2089 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2090 goto fail; 2091 } 2092 #endif /* CONFIG_NO_RC4 */ 2093 2094 if (hapd->tkip_countermeasures) { 2095 wpa_printf(MSG_DEBUG, 2096 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication"); 2097 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2098 goto fail; 2099 } 2100 2101 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 2102 auth_alg == WLAN_AUTH_OPEN) || 2103 #ifdef CONFIG_IEEE80211R_AP 2104 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 2105 auth_alg == WLAN_AUTH_FT) || 2106 #endif /* CONFIG_IEEE80211R_AP */ 2107 #ifdef CONFIG_SAE 2108 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 2109 auth_alg == WLAN_AUTH_SAE) || 2110 #endif /* CONFIG_SAE */ 2111 #ifdef CONFIG_FILS 2112 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2113 auth_alg == WLAN_AUTH_FILS_SK) || 2114 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2115 hapd->conf->fils_dh_group && 2116 auth_alg == WLAN_AUTH_FILS_SK_PFS) || 2117 #endif /* CONFIG_FILS */ 2118 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 2119 auth_alg == WLAN_AUTH_SHARED_KEY))) { 2120 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 2121 auth_alg); 2122 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2123 goto fail; 2124 } 2125 2126 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 2127 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 2128 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 2129 auth_transaction); 2130 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 2131 goto fail; 2132 } 2133 2134 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { 2135 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 2136 MAC2STR(mgmt->sa)); 2137 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2138 goto fail; 2139 } 2140 2141 if (hapd->conf->no_auth_if_seen_on) { 2142 struct hostapd_data *other; 2143 2144 other = sta_track_seen_on(hapd->iface, mgmt->sa, 2145 hapd->conf->no_auth_if_seen_on); 2146 if (other) { 2147 u8 *pos; 2148 u32 info; 2149 u8 op_class, channel, phytype; 2150 2151 wpa_printf(MSG_DEBUG, "%s: Reject authentication from " 2152 MACSTR " since STA has been seen on %s", 2153 hapd->conf->iface, MAC2STR(mgmt->sa), 2154 hapd->conf->no_auth_if_seen_on); 2155 2156 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION; 2157 pos = &resp_ies[0]; 2158 *pos++ = WLAN_EID_NEIGHBOR_REPORT; 2159 *pos++ = 13; 2160 os_memcpy(pos, other->own_addr, ETH_ALEN); 2161 pos += ETH_ALEN; 2162 info = 0; /* TODO: BSSID Information */ 2163 WPA_PUT_LE32(pos, info); 2164 pos += 4; 2165 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD) 2166 phytype = 8; /* dmg */ 2167 else if (other->iconf->ieee80211ac) 2168 phytype = 9; /* vht */ 2169 else if (other->iconf->ieee80211n) 2170 phytype = 7; /* ht */ 2171 else if (other->iconf->hw_mode == 2172 HOSTAPD_MODE_IEEE80211A) 2173 phytype = 4; /* ofdm */ 2174 else if (other->iconf->hw_mode == 2175 HOSTAPD_MODE_IEEE80211G) 2176 phytype = 6; /* erp */ 2177 else 2178 phytype = 5; /* hrdsss */ 2179 if (ieee80211_freq_to_channel_ext( 2180 hostapd_hw_get_freq(other, 2181 other->iconf->channel), 2182 other->iconf->secondary_channel, 2183 other->iconf->ieee80211ac, 2184 &op_class, &channel) == NUM_HOSTAPD_MODES) { 2185 op_class = 0; 2186 channel = other->iconf->channel; 2187 } 2188 *pos++ = op_class; 2189 *pos++ = channel; 2190 *pos++ = phytype; 2191 resp_ies_len = pos - &resp_ies[0]; 2192 goto fail; 2193 } 2194 } 2195 2196 res = ieee802_11_allowed_address( 2197 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, 2198 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui, 2199 0); 2200 if (res == HOSTAPD_ACL_REJECT) { 2201 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 2202 "Ignore Authentication frame from " MACSTR 2203 " due to ACL reject", MAC2STR(mgmt->sa)); 2204 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2205 goto fail; 2206 } 2207 if (res == HOSTAPD_ACL_PENDING) 2208 return; 2209 2210 #ifdef CONFIG_SAE 2211 if (auth_alg == WLAN_AUTH_SAE && !from_queue && 2212 (auth_transaction == 1 || 2213 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) { 2214 /* Handle SAE Authentication commit message through a queue to 2215 * provide more control for postponing the needed heavy 2216 * processing under a possible DoS attack scenario. In addition, 2217 * queue SAE Authentication confirm message if there happens to 2218 * be a queued commit message from the same peer. This is needed 2219 * to avoid reordering Authentication frames within the same 2220 * SAE exchange. */ 2221 auth_sae_queue(hapd, mgmt, len, rssi); 2222 return; 2223 } 2224 #endif /* CONFIG_SAE */ 2225 2226 sta = ap_get_sta(hapd, mgmt->sa); 2227 if (sta) { 2228 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 2229 sta->ft_over_ds = 0; 2230 if ((fc & WLAN_FC_RETRY) && 2231 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 2232 sta->last_seq_ctrl == seq_ctrl && 2233 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 2234 hostapd_logger(hapd, sta->addr, 2235 HOSTAPD_MODULE_IEEE80211, 2236 HOSTAPD_LEVEL_DEBUG, 2237 "Drop repeated authentication frame seq_ctrl=0x%x", 2238 seq_ctrl); 2239 return; 2240 } 2241 #ifdef CONFIG_MESH 2242 if ((hapd->conf->mesh & MESH_ENABLED) && 2243 sta->plink_state == PLINK_BLOCKED) { 2244 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 2245 " is blocked - drop Authentication frame", 2246 MAC2STR(mgmt->sa)); 2247 return; 2248 } 2249 #endif /* CONFIG_MESH */ 2250 } else { 2251 #ifdef CONFIG_MESH 2252 if (hapd->conf->mesh & MESH_ENABLED) { 2253 /* if the mesh peer is not available, we don't do auth. 2254 */ 2255 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 2256 " not yet known - drop Authentication frame", 2257 MAC2STR(mgmt->sa)); 2258 /* 2259 * Save a copy of the frame so that it can be processed 2260 * if a new peer entry is added shortly after this. 2261 */ 2262 wpabuf_free(hapd->mesh_pending_auth); 2263 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 2264 os_get_reltime(&hapd->mesh_pending_auth_time); 2265 return; 2266 } 2267 #endif /* CONFIG_MESH */ 2268 2269 sta = ap_sta_add(hapd, mgmt->sa); 2270 if (!sta) { 2271 wpa_printf(MSG_DEBUG, "ap_sta_add() failed"); 2272 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2273 goto fail; 2274 } 2275 } 2276 sta->last_seq_ctrl = seq_ctrl; 2277 sta->last_subtype = WLAN_FC_STYPE_AUTH; 2278 #ifdef CONFIG_MBO 2279 sta->auth_rssi = rssi; 2280 #endif /* CONFIG_MBO */ 2281 2282 res = ieee802_11_set_radius_info( 2283 hapd, sta, res, session_timeout, acct_interim_interval, 2284 &vlan_id, &psk, &identity, &radius_cui); 2285 if (res) { 2286 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed"); 2287 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2288 goto fail; 2289 } 2290 2291 sta->flags &= ~WLAN_STA_PREAUTH; 2292 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 2293 2294 /* 2295 * If the driver supports full AP client state, add a station to the 2296 * driver before sending authentication reply to make sure the driver 2297 * has resources, and not to go through the entire authentication and 2298 * association handshake, and fail it at the end. 2299 * 2300 * If this is not the first transaction, in a multi-step authentication 2301 * algorithm, the station already exists in the driver 2302 * (sta->added_unassoc = 1) so skip it. 2303 * 2304 * In mesh mode, the station was already added to the driver when the 2305 * NEW_PEER_CANDIDATE event is received. 2306 * 2307 * If PMF was negotiated for the existing association, skip this to 2308 * avoid dropping the STA entry and the associated keys. This is needed 2309 * to allow the original connection work until the attempt can complete 2310 * (re)association, so that unprotected Authentication frame cannot be 2311 * used to bypass PMF protection. 2312 */ 2313 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && 2314 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && 2315 !(hapd->conf->mesh & MESH_ENABLED) && 2316 !(sta->added_unassoc)) { 2317 /* 2318 * If a station that is already associated to the AP, is trying 2319 * to authenticate again, remove the STA entry, in order to make 2320 * sure the STA PS state gets cleared and configuration gets 2321 * updated. To handle this, station's added_unassoc flag is 2322 * cleared once the station has completed association. 2323 */ 2324 ap_sta_set_authorized(hapd, sta, 0); 2325 hostapd_drv_sta_remove(hapd, sta->addr); 2326 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH | 2327 WLAN_STA_AUTHORIZED); 2328 2329 if (hostapd_sta_add(hapd, sta->addr, 0, 0, 2330 sta->supported_rates, 2331 sta->supported_rates_len, 2332 0, NULL, NULL, NULL, 0, 2333 sta->flags, 0, 0, 0, 0)) { 2334 hostapd_logger(hapd, sta->addr, 2335 HOSTAPD_MODULE_IEEE80211, 2336 HOSTAPD_LEVEL_NOTICE, 2337 "Could not add STA to kernel driver"); 2338 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2339 goto fail; 2340 } 2341 2342 sta->added_unassoc = 1; 2343 } 2344 2345 switch (auth_alg) { 2346 case WLAN_AUTH_OPEN: 2347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2348 HOSTAPD_LEVEL_DEBUG, 2349 "authentication OK (open system)"); 2350 sta->flags |= WLAN_STA_AUTH; 2351 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 2352 sta->auth_alg = WLAN_AUTH_OPEN; 2353 mlme_authenticate_indication(hapd, sta); 2354 break; 2355 #ifndef CONFIG_NO_RC4 2356 case WLAN_AUTH_SHARED_KEY: 2357 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 2358 fc & WLAN_FC_ISWEP); 2359 if (resp != 0) 2360 wpa_printf(MSG_DEBUG, 2361 "auth_shared_key() failed: status=%d", resp); 2362 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 2363 mlme_authenticate_indication(hapd, sta); 2364 if (sta->challenge && auth_transaction == 1) { 2365 resp_ies[0] = WLAN_EID_CHALLENGE; 2366 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 2367 os_memcpy(resp_ies + 2, sta->challenge, 2368 WLAN_AUTH_CHALLENGE_LEN); 2369 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 2370 } 2371 break; 2372 #endif /* CONFIG_NO_RC4 */ 2373 #ifdef CONFIG_IEEE80211R_AP 2374 case WLAN_AUTH_FT: 2375 sta->auth_alg = WLAN_AUTH_FT; 2376 if (sta->wpa_sm == NULL) 2377 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2378 sta->addr, NULL); 2379 if (sta->wpa_sm == NULL) { 2380 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 2381 "state machine"); 2382 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2383 goto fail; 2384 } 2385 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid, 2386 auth_transaction, mgmt->u.auth.variable, 2387 len - IEEE80211_HDRLEN - 2388 sizeof(mgmt->u.auth), 2389 handle_auth_ft_finish, hapd); 2390 /* handle_auth_ft_finish() callback will complete auth. */ 2391 return; 2392 #endif /* CONFIG_IEEE80211R_AP */ 2393 #ifdef CONFIG_SAE 2394 case WLAN_AUTH_SAE: 2395 #ifdef CONFIG_MESH 2396 if (status_code == WLAN_STATUS_SUCCESS && 2397 hapd->conf->mesh & MESH_ENABLED) { 2398 if (sta->wpa_sm == NULL) 2399 sta->wpa_sm = 2400 wpa_auth_sta_init(hapd->wpa_auth, 2401 sta->addr, NULL); 2402 if (sta->wpa_sm == NULL) { 2403 wpa_printf(MSG_DEBUG, 2404 "SAE: Failed to initialize WPA state machine"); 2405 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2406 goto fail; 2407 } 2408 } 2409 #endif /* CONFIG_MESH */ 2410 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 2411 status_code); 2412 return; 2413 #endif /* CONFIG_SAE */ 2414 #ifdef CONFIG_FILS 2415 case WLAN_AUTH_FILS_SK: 2416 case WLAN_AUTH_FILS_SK_PFS: 2417 handle_auth_fils(hapd, sta, mgmt->u.auth.variable, 2418 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth), 2419 auth_alg, auth_transaction, status_code, 2420 handle_auth_fils_finish); 2421 return; 2422 #endif /* CONFIG_FILS */ 2423 } 2424 2425 fail: 2426 os_free(identity); 2427 os_free(radius_cui); 2428 hostapd_free_psk_list(psk); 2429 2430 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, 2431 auth_transaction + 1, resp, resp_ies, 2432 resp_ies_len, "handle-auth"); 2433 2434 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 2435 reply_res != WLAN_STATUS_SUCCESS)) { 2436 hostapd_drv_sta_remove(hapd, sta->addr); 2437 sta->added_unassoc = 0; 2438 } 2439 } 2440 2441 2442 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 2443 { 2444 int i, j = 32, aid; 2445 2446 /* get a unique AID */ 2447 if (sta->aid > 0) { 2448 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 2449 return 0; 2450 } 2451 2452 if (TEST_FAIL()) 2453 return -1; 2454 2455 for (i = 0; i < AID_WORDS; i++) { 2456 if (hapd->sta_aid[i] == (u32) -1) 2457 continue; 2458 for (j = 0; j < 32; j++) { 2459 if (!(hapd->sta_aid[i] & BIT(j))) 2460 break; 2461 } 2462 if (j < 32) 2463 break; 2464 } 2465 if (j == 32) 2466 return -1; 2467 aid = i * 32 + j + 1; 2468 if (aid > 2007) 2469 return -1; 2470 2471 sta->aid = aid; 2472 hapd->sta_aid[i] |= BIT(j); 2473 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 2474 return 0; 2475 } 2476 2477 2478 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 2479 const u8 *ssid_ie, size_t ssid_ie_len) 2480 { 2481 if (ssid_ie == NULL) 2482 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2483 2484 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 2485 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 2486 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2487 HOSTAPD_LEVEL_INFO, 2488 "Station tried to associate with unknown SSID " 2489 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 2490 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2491 } 2492 2493 return WLAN_STATUS_SUCCESS; 2494 } 2495 2496 2497 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 2498 const u8 *wmm_ie, size_t wmm_ie_len) 2499 { 2500 sta->flags &= ~WLAN_STA_WMM; 2501 sta->qosinfo = 0; 2502 if (wmm_ie && hapd->conf->wmm_enabled) { 2503 struct wmm_information_element *wmm; 2504 2505 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 2506 hostapd_logger(hapd, sta->addr, 2507 HOSTAPD_MODULE_WPA, 2508 HOSTAPD_LEVEL_DEBUG, 2509 "invalid WMM element in association " 2510 "request"); 2511 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2512 } 2513 2514 sta->flags |= WLAN_STA_WMM; 2515 wmm = (struct wmm_information_element *) wmm_ie; 2516 sta->qosinfo = wmm->qos_info; 2517 } 2518 return WLAN_STATUS_SUCCESS; 2519 } 2520 2521 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta, 2522 const u8 *multi_ap_ie, size_t multi_ap_len) 2523 { 2524 u8 multi_ap_value = 0; 2525 2526 sta->flags &= ~WLAN_STA_MULTI_AP; 2527 2528 if (!hapd->conf->multi_ap) 2529 return WLAN_STATUS_SUCCESS; 2530 2531 if (multi_ap_ie) { 2532 const u8 *multi_ap_subelem; 2533 2534 multi_ap_subelem = get_ie(multi_ap_ie + 4, 2535 multi_ap_len - 4, 2536 MULTI_AP_SUB_ELEM_TYPE); 2537 if (multi_ap_subelem && multi_ap_subelem[1] == 1) { 2538 multi_ap_value = multi_ap_subelem[2]; 2539 } else { 2540 hostapd_logger(hapd, sta->addr, 2541 HOSTAPD_MODULE_IEEE80211, 2542 HOSTAPD_LEVEL_INFO, 2543 "Multi-AP IE has missing or invalid Multi-AP subelement"); 2544 return WLAN_STATUS_INVALID_IE; 2545 } 2546 } 2547 2548 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA) 2549 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2550 HOSTAPD_LEVEL_INFO, 2551 "Multi-AP IE with unexpected value 0x%02x", 2552 multi_ap_value); 2553 2554 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) { 2555 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 2556 return WLAN_STATUS_SUCCESS; 2557 2558 hostapd_logger(hapd, sta->addr, 2559 HOSTAPD_MODULE_IEEE80211, 2560 HOSTAPD_LEVEL_INFO, 2561 "Non-Multi-AP STA tries to associate with backhaul-only BSS"); 2562 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 2563 } 2564 2565 if (!(hapd->conf->multi_ap & BACKHAUL_BSS)) 2566 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2567 HOSTAPD_LEVEL_DEBUG, 2568 "Backhaul STA tries to associate with fronthaul-only BSS"); 2569 2570 sta->flags |= WLAN_STA_MULTI_AP; 2571 return WLAN_STATUS_SUCCESS; 2572 } 2573 2574 2575 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 2576 struct ieee802_11_elems *elems) 2577 { 2578 /* Supported rates not used in IEEE 802.11ad/DMG */ 2579 if (hapd->iface->current_mode && 2580 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) 2581 return WLAN_STATUS_SUCCESS; 2582 2583 if (!elems->supp_rates) { 2584 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2585 HOSTAPD_LEVEL_DEBUG, 2586 "No supported rates element in AssocReq"); 2587 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2588 } 2589 2590 if (elems->supp_rates_len + elems->ext_supp_rates_len > 2591 sizeof(sta->supported_rates)) { 2592 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2593 HOSTAPD_LEVEL_DEBUG, 2594 "Invalid supported rates element length %d+%d", 2595 elems->supp_rates_len, 2596 elems->ext_supp_rates_len); 2597 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2598 } 2599 2600 sta->supported_rates_len = merge_byte_arrays( 2601 sta->supported_rates, sizeof(sta->supported_rates), 2602 elems->supp_rates, elems->supp_rates_len, 2603 elems->ext_supp_rates, elems->ext_supp_rates_len); 2604 2605 return WLAN_STATUS_SUCCESS; 2606 } 2607 2608 2609 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, 2610 const u8 *ext_capab_ie, size_t ext_capab_ie_len) 2611 { 2612 #ifdef CONFIG_INTERWORKING 2613 /* check for QoS Map support */ 2614 if (ext_capab_ie_len >= 5) { 2615 if (ext_capab_ie[4] & 0x01) 2616 sta->qos_map_enabled = 1; 2617 } 2618 #endif /* CONFIG_INTERWORKING */ 2619 2620 if (ext_capab_ie_len > 0) { 2621 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2)); 2622 os_free(sta->ext_capability); 2623 sta->ext_capability = os_malloc(1 + ext_capab_ie_len); 2624 if (sta->ext_capability) { 2625 sta->ext_capability[0] = ext_capab_ie_len; 2626 os_memcpy(sta->ext_capability + 1, ext_capab_ie, 2627 ext_capab_ie_len); 2628 } 2629 } 2630 2631 return WLAN_STATUS_SUCCESS; 2632 } 2633 2634 2635 #ifdef CONFIG_OWE 2636 2637 static int owe_group_supported(struct hostapd_data *hapd, u16 group) 2638 { 2639 int i; 2640 int *groups = hapd->conf->owe_groups; 2641 2642 if (group != 19 && group != 20 && group != 21) 2643 return 0; 2644 2645 if (!groups) 2646 return 1; 2647 2648 for (i = 0; groups[i] > 0; i++) { 2649 if (groups[i] == group) 2650 return 1; 2651 } 2652 2653 return 0; 2654 } 2655 2656 2657 static u16 owe_process_assoc_req(struct hostapd_data *hapd, 2658 struct sta_info *sta, const u8 *owe_dh, 2659 u8 owe_dh_len) 2660 { 2661 struct wpabuf *secret, *pub, *hkey; 2662 int res; 2663 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 2664 const char *info = "OWE Key Generation"; 2665 const u8 *addr[2]; 2666 size_t len[2]; 2667 u16 group; 2668 size_t hash_len, prime_len; 2669 2670 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 2671 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 2672 return WLAN_STATUS_SUCCESS; 2673 } 2674 2675 group = WPA_GET_LE16(owe_dh); 2676 if (!owe_group_supported(hapd, group)) { 2677 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group); 2678 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2679 } 2680 if (group == 19) 2681 prime_len = 32; 2682 else if (group == 20) 2683 prime_len = 48; 2684 else if (group == 21) 2685 prime_len = 66; 2686 else 2687 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2688 2689 crypto_ecdh_deinit(sta->owe_ecdh); 2690 sta->owe_ecdh = crypto_ecdh_init(group); 2691 if (!sta->owe_ecdh) 2692 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2693 sta->owe_group = group; 2694 2695 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2, 2696 owe_dh_len - 2); 2697 secret = wpabuf_zeropad(secret, prime_len); 2698 if (!secret) { 2699 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 2700 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2701 } 2702 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 2703 2704 /* prk = HKDF-extract(C | A | group, z) */ 2705 2706 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 2707 if (!pub) { 2708 wpabuf_clear_free(secret); 2709 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2710 } 2711 2712 /* PMKID = Truncate-128(Hash(C | A)) */ 2713 addr[0] = owe_dh + 2; 2714 len[0] = owe_dh_len - 2; 2715 addr[1] = wpabuf_head(pub); 2716 len[1] = wpabuf_len(pub); 2717 if (group == 19) { 2718 res = sha256_vector(2, addr, len, pmkid); 2719 hash_len = SHA256_MAC_LEN; 2720 } else if (group == 20) { 2721 res = sha384_vector(2, addr, len, pmkid); 2722 hash_len = SHA384_MAC_LEN; 2723 } else if (group == 21) { 2724 res = sha512_vector(2, addr, len, pmkid); 2725 hash_len = SHA512_MAC_LEN; 2726 } else { 2727 wpabuf_free(pub); 2728 wpabuf_clear_free(secret); 2729 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2730 } 2731 pub = wpabuf_zeropad(pub, prime_len); 2732 if (res < 0 || !pub) { 2733 wpabuf_free(pub); 2734 wpabuf_clear_free(secret); 2735 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2736 } 2737 2738 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2); 2739 if (!hkey) { 2740 wpabuf_free(pub); 2741 wpabuf_clear_free(secret); 2742 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2743 } 2744 2745 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */ 2746 wpabuf_put_buf(hkey, pub); /* A */ 2747 wpabuf_free(pub); 2748 wpabuf_put_le16(hkey, group); /* group */ 2749 if (group == 19) 2750 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 2751 wpabuf_head(secret), wpabuf_len(secret), prk); 2752 else if (group == 20) 2753 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 2754 wpabuf_head(secret), wpabuf_len(secret), prk); 2755 else if (group == 21) 2756 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 2757 wpabuf_head(secret), wpabuf_len(secret), prk); 2758 wpabuf_clear_free(hkey); 2759 wpabuf_clear_free(secret); 2760 if (res < 0) 2761 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2762 2763 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 2764 2765 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 2766 2767 os_free(sta->owe_pmk); 2768 sta->owe_pmk = os_malloc(hash_len); 2769 if (!sta->owe_pmk) { 2770 os_memset(prk, 0, SHA512_MAC_LEN); 2771 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2772 } 2773 2774 if (group == 19) 2775 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 2776 os_strlen(info), sta->owe_pmk, hash_len); 2777 else if (group == 20) 2778 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 2779 os_strlen(info), sta->owe_pmk, hash_len); 2780 else if (group == 21) 2781 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 2782 os_strlen(info), sta->owe_pmk, hash_len); 2783 os_memset(prk, 0, SHA512_MAC_LEN); 2784 if (res < 0) { 2785 os_free(sta->owe_pmk); 2786 sta->owe_pmk = NULL; 2787 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2788 } 2789 sta->owe_pmk_len = hash_len; 2790 2791 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len); 2792 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 2793 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk, 2794 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE); 2795 2796 return WLAN_STATUS_SUCCESS; 2797 } 2798 2799 2800 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer, 2801 const u8 *rsn_ie, size_t rsn_ie_len, 2802 const u8 *owe_dh, size_t owe_dh_len) 2803 { 2804 struct wpa_ie_data data; 2805 int res; 2806 2807 if (!rsn_ie || rsn_ie_len < 2) { 2808 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR, 2809 MAC2STR(peer)); 2810 return WLAN_STATUS_INVALID_IE; 2811 } 2812 rsn_ie -= 2; 2813 rsn_ie_len += 2; 2814 2815 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data); 2816 if (res) { 2817 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR 2818 " (res=%d)", MAC2STR(peer), res); 2819 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len); 2820 return wpa_res_to_status_code(res); 2821 } 2822 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) { 2823 wpa_printf(MSG_DEBUG, 2824 "OWE: Unexpected key mgmt 0x%x from " MACSTR, 2825 (unsigned int) data.key_mgmt, MAC2STR(peer)); 2826 return WLAN_STATUS_AKMP_NOT_VALID; 2827 } 2828 if (!owe_dh) { 2829 wpa_printf(MSG_DEBUG, 2830 "OWE: No Diffie-Hellman Parameter element from " 2831 MACSTR, MAC2STR(peer)); 2832 return WLAN_STATUS_AKMP_NOT_VALID; 2833 } 2834 2835 return WLAN_STATUS_SUCCESS; 2836 } 2837 2838 2839 u16 owe_process_rsn_ie(struct hostapd_data *hapd, 2840 struct sta_info *sta, 2841 const u8 *rsn_ie, size_t rsn_ie_len, 2842 const u8 *owe_dh, size_t owe_dh_len) 2843 { 2844 u16 status; 2845 u8 *owe_buf, ie[256 * 2]; 2846 size_t ie_len = 0; 2847 int res; 2848 2849 if (!rsn_ie || rsn_ie_len < 2) { 2850 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq"); 2851 status = WLAN_STATUS_INVALID_IE; 2852 goto end; 2853 } 2854 2855 if (!sta->wpa_sm) 2856 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 2857 NULL); 2858 if (!sta->wpa_sm) { 2859 wpa_printf(MSG_WARNING, 2860 "OWE: Failed to initialize WPA state machine"); 2861 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2862 goto end; 2863 } 2864 rsn_ie -= 2; 2865 rsn_ie_len += 2; 2866 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 2867 hapd->iface->freq, rsn_ie, rsn_ie_len, 2868 NULL, 0, owe_dh, owe_dh_len); 2869 status = wpa_res_to_status_code(res); 2870 if (status != WLAN_STATUS_SUCCESS) 2871 goto end; 2872 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len); 2873 if (status != WLAN_STATUS_SUCCESS) 2874 goto end; 2875 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie), 2876 NULL, 0); 2877 if (!owe_buf) { 2878 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2879 goto end; 2880 } 2881 2882 if (sta->owe_ecdh) { 2883 struct wpabuf *pub; 2884 2885 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 2886 if (!pub) { 2887 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 2888 goto end; 2889 } 2890 2891 /* OWE Diffie-Hellman Parameter element */ 2892 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */ 2893 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */ 2894 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension 2895 */ 2896 WPA_PUT_LE16(owe_buf, sta->owe_group); 2897 owe_buf += 2; 2898 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub)); 2899 owe_buf += wpabuf_len(pub); 2900 wpabuf_free(pub); 2901 sta->external_dh_updated = 1; 2902 } 2903 ie_len = owe_buf - ie; 2904 2905 end: 2906 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer " 2907 MACSTR, status, (unsigned int) ie_len, 2908 MAC2STR(sta->addr)); 2909 hostapd_drv_update_dh_ie(hapd, sta->addr, status, 2910 status == WLAN_STATUS_SUCCESS ? ie : NULL, 2911 ie_len); 2912 2913 return status; 2914 } 2915 2916 #endif /* CONFIG_OWE */ 2917 2918 2919 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 2920 const u8 *ies, size_t ies_len, int reassoc) 2921 { 2922 struct ieee802_11_elems elems; 2923 u16 resp; 2924 const u8 *wpa_ie; 2925 size_t wpa_ie_len; 2926 const u8 *p2p_dev_addr = NULL; 2927 2928 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2929 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2930 HOSTAPD_LEVEL_INFO, "Station sent an invalid " 2931 "association request"); 2932 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2933 } 2934 2935 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len); 2936 if (resp != WLAN_STATUS_SUCCESS) 2937 return resp; 2938 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len); 2939 if (resp != WLAN_STATUS_SUCCESS) 2940 return resp; 2941 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len); 2942 if (resp != WLAN_STATUS_SUCCESS) 2943 return resp; 2944 resp = copy_supp_rates(hapd, sta, &elems); 2945 if (resp != WLAN_STATUS_SUCCESS) 2946 return resp; 2947 2948 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len); 2949 if (resp != WLAN_STATUS_SUCCESS) 2950 return resp; 2951 2952 #ifdef CONFIG_IEEE80211N 2953 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities); 2954 if (resp != WLAN_STATUS_SUCCESS) 2955 return resp; 2956 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 2957 !(sta->flags & WLAN_STA_HT)) { 2958 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2959 HOSTAPD_LEVEL_INFO, "Station does not support " 2960 "mandatory HT PHY - reject association"); 2961 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 2962 } 2963 #endif /* CONFIG_IEEE80211N */ 2964 2965 #ifdef CONFIG_IEEE80211AC 2966 if (hapd->iconf->ieee80211ac) { 2967 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); 2968 if (resp != WLAN_STATUS_SUCCESS) 2969 return resp; 2970 2971 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif); 2972 if (resp != WLAN_STATUS_SUCCESS) 2973 return resp; 2974 } 2975 2976 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 2977 !(sta->flags & WLAN_STA_VHT)) { 2978 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2979 HOSTAPD_LEVEL_INFO, "Station does not support " 2980 "mandatory VHT PHY - reject association"); 2981 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 2982 } 2983 2984 if (hapd->conf->vendor_vht && !elems.vht_capabilities) { 2985 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht, 2986 elems.vendor_vht_len); 2987 if (resp != WLAN_STATUS_SUCCESS) 2988 return resp; 2989 } 2990 #endif /* CONFIG_IEEE80211AC */ 2991 #ifdef CONFIG_IEEE80211AX 2992 if (hapd->iconf->ieee80211ax) { 2993 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP, 2994 elems.he_capabilities, 2995 elems.he_capabilities_len); 2996 if (resp != WLAN_STATUS_SUCCESS) 2997 return resp; 2998 } 2999 #endif /* CONFIG_IEEE80211AX */ 3000 3001 #ifdef CONFIG_P2P 3002 if (elems.p2p) { 3003 wpabuf_free(sta->p2p_ie); 3004 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 3005 P2P_IE_VENDOR_TYPE); 3006 if (sta->p2p_ie) 3007 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 3008 } else { 3009 wpabuf_free(sta->p2p_ie); 3010 sta->p2p_ie = NULL; 3011 } 3012 #endif /* CONFIG_P2P */ 3013 3014 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) { 3015 wpa_ie = elems.rsn_ie; 3016 wpa_ie_len = elems.rsn_ie_len; 3017 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 3018 elems.wpa_ie) { 3019 wpa_ie = elems.wpa_ie; 3020 wpa_ie_len = elems.wpa_ie_len; 3021 } else { 3022 wpa_ie = NULL; 3023 wpa_ie_len = 0; 3024 } 3025 3026 #ifdef CONFIG_WPS 3027 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 3028 if (hapd->conf->wps_state && elems.wps_ie) { 3029 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 3030 "Request - assume WPS is used"); 3031 sta->flags |= WLAN_STA_WPS; 3032 wpabuf_free(sta->wps_ie); 3033 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 3034 WPS_IE_VENDOR_TYPE); 3035 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 3036 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 3037 sta->flags |= WLAN_STA_WPS2; 3038 } 3039 wpa_ie = NULL; 3040 wpa_ie_len = 0; 3041 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 3042 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 3043 "(Re)Association Request - reject"); 3044 return WLAN_STATUS_INVALID_IE; 3045 } 3046 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 3047 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 3048 "(Re)Association Request - possible WPS use"); 3049 sta->flags |= WLAN_STA_MAYBE_WPS; 3050 } else 3051 #endif /* CONFIG_WPS */ 3052 if (hapd->conf->wpa && wpa_ie == NULL) { 3053 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3054 HOSTAPD_LEVEL_INFO, 3055 "No WPA/RSN IE in association request"); 3056 return WLAN_STATUS_INVALID_IE; 3057 } 3058 3059 if (hapd->conf->wpa && wpa_ie) { 3060 int res; 3061 wpa_ie -= 2; 3062 wpa_ie_len += 2; 3063 if (sta->wpa_sm == NULL) 3064 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 3065 sta->addr, 3066 p2p_dev_addr); 3067 if (sta->wpa_sm == NULL) { 3068 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 3069 "state machine"); 3070 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3071 } 3072 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg); 3073 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 3074 hapd->iface->freq, 3075 wpa_ie, wpa_ie_len, 3076 elems.mdie, elems.mdie_len, 3077 elems.owe_dh, elems.owe_dh_len); 3078 resp = wpa_res_to_status_code(res); 3079 if (resp != WLAN_STATUS_SUCCESS) 3080 return resp; 3081 #ifdef CONFIG_IEEE80211W 3082 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == 3083 (WLAN_STA_ASSOC | WLAN_STA_MFP) && 3084 !sta->sa_query_timed_out && 3085 sta->sa_query_count > 0) 3086 ap_check_sa_query_timeout(hapd, sta); 3087 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == 3088 (WLAN_STA_ASSOC | WLAN_STA_MFP) && 3089 !sta->sa_query_timed_out && 3090 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 3091 /* 3092 * STA has already been associated with MFP and SA 3093 * Query timeout has not been reached. Reject the 3094 * association attempt temporarily and start SA Query, 3095 * if one is not pending. 3096 */ 3097 3098 if (sta->sa_query_count == 0) 3099 ap_sta_start_sa_query(hapd, sta); 3100 3101 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 3102 } 3103 3104 if (wpa_auth_uses_mfp(sta->wpa_sm)) 3105 sta->flags |= WLAN_STA_MFP; 3106 else 3107 sta->flags &= ~WLAN_STA_MFP; 3108 #endif /* CONFIG_IEEE80211W */ 3109 3110 #ifdef CONFIG_IEEE80211R_AP 3111 if (sta->auth_alg == WLAN_AUTH_FT) { 3112 if (!reassoc) { 3113 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 3114 "to use association (not " 3115 "re-association) with FT auth_alg", 3116 MAC2STR(sta->addr)); 3117 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3118 } 3119 3120 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 3121 ies_len); 3122 if (resp != WLAN_STATUS_SUCCESS) 3123 return resp; 3124 } 3125 #endif /* CONFIG_IEEE80211R_AP */ 3126 3127 #ifdef CONFIG_SAE 3128 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae && 3129 sta->sae->state == SAE_ACCEPTED) 3130 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid); 3131 3132 if (wpa_auth_uses_sae(sta->wpa_sm) && 3133 sta->auth_alg == WLAN_AUTH_OPEN) { 3134 struct rsn_pmksa_cache_entry *sa; 3135 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 3136 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { 3137 wpa_printf(MSG_DEBUG, 3138 "SAE: No PMKSA cache entry found for " 3139 MACSTR, MAC2STR(sta->addr)); 3140 return WLAN_STATUS_INVALID_PMKID; 3141 } 3142 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 3143 " using PMKSA caching", MAC2STR(sta->addr)); 3144 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 3145 sta->auth_alg != WLAN_AUTH_SAE && 3146 !(sta->auth_alg == WLAN_AUTH_FT && 3147 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 3148 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 3149 "SAE AKM after non-SAE auth_alg %u", 3150 MAC2STR(sta->addr), sta->auth_alg); 3151 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 3152 } 3153 #endif /* CONFIG_SAE */ 3154 3155 #ifdef CONFIG_OWE 3156 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 3157 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE && 3158 elems.owe_dh) { 3159 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh, 3160 elems.owe_dh_len); 3161 if (resp != WLAN_STATUS_SUCCESS) 3162 return resp; 3163 } 3164 #endif /* CONFIG_OWE */ 3165 3166 #ifdef CONFIG_DPP2 3167 dpp_pfs_free(sta->dpp_pfs); 3168 sta->dpp_pfs = NULL; 3169 3170 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 3171 hapd->conf->dpp_netaccesskey && sta->wpa_sm && 3172 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP && 3173 elems.owe_dh) { 3174 sta->dpp_pfs = dpp_pfs_init( 3175 wpabuf_head(hapd->conf->dpp_netaccesskey), 3176 wpabuf_len(hapd->conf->dpp_netaccesskey)); 3177 if (!sta->dpp_pfs) { 3178 wpa_printf(MSG_DEBUG, 3179 "DPP: Could not initialize PFS"); 3180 /* Try to continue without PFS */ 3181 goto pfs_fail; 3182 } 3183 3184 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh, 3185 elems.owe_dh_len) < 0) { 3186 dpp_pfs_free(sta->dpp_pfs); 3187 sta->dpp_pfs = NULL; 3188 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3189 } 3190 } 3191 3192 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ? 3193 sta->dpp_pfs->secret : NULL); 3194 pfs_fail: 3195 #endif /* CONFIG_DPP2 */ 3196 3197 #ifdef CONFIG_IEEE80211N 3198 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 3199 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 3200 hostapd_logger(hapd, sta->addr, 3201 HOSTAPD_MODULE_IEEE80211, 3202 HOSTAPD_LEVEL_INFO, 3203 "Station tried to use TKIP with HT " 3204 "association"); 3205 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 3206 } 3207 #endif /* CONFIG_IEEE80211N */ 3208 #ifdef CONFIG_HS20 3209 } else if (hapd->conf->osen) { 3210 if (elems.osen == NULL) { 3211 hostapd_logger( 3212 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3213 HOSTAPD_LEVEL_INFO, 3214 "No HS 2.0 OSEN element in association request"); 3215 return WLAN_STATUS_INVALID_IE; 3216 } 3217 3218 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 3219 if (sta->wpa_sm == NULL) 3220 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 3221 sta->addr, NULL); 3222 if (sta->wpa_sm == NULL) { 3223 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 3224 "state machine"); 3225 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3226 } 3227 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 3228 elems.osen - 2, elems.osen_len + 2) < 0) 3229 return WLAN_STATUS_INVALID_IE; 3230 #endif /* CONFIG_HS20 */ 3231 } else 3232 wpa_auth_sta_no_wpa(sta->wpa_sm); 3233 3234 #ifdef CONFIG_P2P 3235 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 3236 #endif /* CONFIG_P2P */ 3237 3238 #ifdef CONFIG_HS20 3239 wpabuf_free(sta->hs20_ie); 3240 if (elems.hs20 && elems.hs20_len > 4) { 3241 int release; 3242 3243 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4, 3244 elems.hs20_len - 4); 3245 release = ((elems.hs20[4] >> 4) & 0x0f) + 1; 3246 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) { 3247 wpa_printf(MSG_DEBUG, 3248 "HS 2.0: PMF not negotiated by release %d station " 3249 MACSTR, release, MAC2STR(sta->addr)); 3250 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 3251 } 3252 } else { 3253 sta->hs20_ie = NULL; 3254 } 3255 3256 wpabuf_free(sta->roaming_consortium); 3257 if (elems.roaming_cons_sel) 3258 sta->roaming_consortium = wpabuf_alloc_copy( 3259 elems.roaming_cons_sel + 4, 3260 elems.roaming_cons_sel_len - 4); 3261 else 3262 sta->roaming_consortium = NULL; 3263 #endif /* CONFIG_HS20 */ 3264 3265 #ifdef CONFIG_FST 3266 wpabuf_free(sta->mb_ies); 3267 if (hapd->iface->fst) 3268 sta->mb_ies = mb_ies_by_info(&elems.mb_ies); 3269 else 3270 sta->mb_ies = NULL; 3271 #endif /* CONFIG_FST */ 3272 3273 #ifdef CONFIG_MBO 3274 mbo_ap_check_sta_assoc(hapd, sta, &elems); 3275 3276 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) && 3277 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) && 3278 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3279 wpa_printf(MSG_INFO, 3280 "MBO: Reject WPA2 association without PMF"); 3281 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3282 } 3283 #endif /* CONFIG_MBO */ 3284 3285 #if defined(CONFIG_FILS) && defined(CONFIG_OCV) 3286 if (wpa_auth_uses_ocv(sta->wpa_sm) && 3287 (sta->auth_alg == WLAN_AUTH_FILS_SK || 3288 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3289 sta->auth_alg == WLAN_AUTH_FILS_PK)) { 3290 struct wpa_channel_info ci; 3291 int tx_chanwidth; 3292 int tx_seg1_idx; 3293 3294 if (hostapd_drv_channel_info(hapd, &ci) != 0) { 3295 wpa_printf(MSG_WARNING, 3296 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame"); 3297 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3298 } 3299 3300 if (get_sta_tx_parameters(sta->wpa_sm, 3301 channel_width_to_int(ci.chanwidth), 3302 ci.seg1_idx, &tx_chanwidth, 3303 &tx_seg1_idx) < 0) 3304 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3305 3306 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 3307 tx_chanwidth, tx_seg1_idx) != 0) { 3308 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr); 3309 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3310 } 3311 } 3312 #endif /* CONFIG_FILS && CONFIG_OCV */ 3313 3314 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes, 3315 elems.supp_op_classes_len); 3316 3317 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) && 3318 elems.rrm_enabled && 3319 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa)) 3320 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled, 3321 sizeof(sta->rrm_enabled_capa)); 3322 3323 if (elems.power_capab) { 3324 sta->min_tx_power = elems.power_capab[0]; 3325 sta->max_tx_power = elems.power_capab[1]; 3326 sta->power_capab = 1; 3327 } else { 3328 sta->power_capab = 0; 3329 } 3330 3331 return WLAN_STATUS_SUCCESS; 3332 } 3333 3334 3335 static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 3336 u16 reason_code) 3337 { 3338 int send_len; 3339 struct ieee80211_mgmt reply; 3340 3341 os_memset(&reply, 0, sizeof(reply)); 3342 reply.frame_control = 3343 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 3344 os_memcpy(reply.da, addr, ETH_ALEN); 3345 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 3346 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 3347 3348 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 3349 reply.u.deauth.reason_code = host_to_le16(reason_code); 3350 3351 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0) 3352 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 3353 strerror(errno)); 3354 } 3355 3356 3357 static int add_associated_sta(struct hostapd_data *hapd, 3358 struct sta_info *sta, int reassoc) 3359 { 3360 struct ieee80211_ht_capabilities ht_cap; 3361 struct ieee80211_vht_capabilities vht_cap; 3362 struct ieee80211_he_capabilities he_cap; 3363 int set = 1; 3364 3365 /* 3366 * Remove the STA entry to ensure the STA PS state gets cleared and 3367 * configuration gets updated. This is relevant for cases, such as 3368 * FT-over-the-DS, where a station re-associates back to the same AP but 3369 * skips the authentication flow, or if working with a driver that 3370 * does not support full AP client state. 3371 * 3372 * Skip this if the STA has already completed FT reassociation and the 3373 * TK has been configured since the TX/RX PN must not be reset to 0 for 3374 * the same key. 3375 * 3376 * FT-over-the-DS has a special case where the STA entry (and as such, 3377 * the TK) has not yet been configured to the driver depending on which 3378 * driver interface is used. For that case, allow add-STA operation to 3379 * be used (instead of set-STA). This is needed to allow mac80211-based 3380 * drivers to accept the STA parameter configuration. Since this is 3381 * after a new FT-over-DS exchange, a new TK has been derived, so key 3382 * reinstallation is not a concern for this case. 3383 */ 3384 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR 3385 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)", 3386 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg, 3387 sta->ft_over_ds, reassoc, 3388 !!(sta->flags & WLAN_STA_AUTHORIZED), 3389 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm), 3390 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)); 3391 3392 if (!sta->added_unassoc && 3393 (!(sta->flags & WLAN_STA_AUTHORIZED) || 3394 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) || 3395 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) && 3396 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) { 3397 hostapd_drv_sta_remove(hapd, sta->addr); 3398 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); 3399 set = 0; 3400 3401 /* Do not allow the FT-over-DS exception to be used more than 3402 * once per authentication exchange to guarantee a new TK is 3403 * used here */ 3404 sta->ft_over_ds = 0; 3405 } 3406 3407 #ifdef CONFIG_IEEE80211N 3408 if (sta->flags & WLAN_STA_HT) 3409 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 3410 #endif /* CONFIG_IEEE80211N */ 3411 #ifdef CONFIG_IEEE80211AC 3412 if (sta->flags & WLAN_STA_VHT) 3413 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 3414 #endif /* CONFIG_IEEE80211AC */ 3415 #ifdef CONFIG_IEEE80211AX 3416 if (sta->flags & WLAN_STA_HE) { 3417 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap, 3418 sta->he_capab_len); 3419 } 3420 #endif /* CONFIG_IEEE80211AX */ 3421 3422 /* 3423 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags 3424 * will be set when the ACK frame for the (Re)Association Response frame 3425 * is processed (TX status driver event). 3426 */ 3427 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 3428 sta->supported_rates, sta->supported_rates_len, 3429 sta->listen_interval, 3430 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 3431 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 3432 sta->flags & WLAN_STA_HE ? &he_cap : NULL, 3433 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0, 3434 sta->flags | WLAN_STA_ASSOC, sta->qosinfo, 3435 sta->vht_opmode, sta->p2p_ie ? 1 : 0, 3436 set)) { 3437 hostapd_logger(hapd, sta->addr, 3438 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, 3439 "Could not %s STA to kernel driver", 3440 set ? "set" : "add"); 3441 3442 if (sta->added_unassoc) { 3443 hostapd_drv_sta_remove(hapd, sta->addr); 3444 sta->added_unassoc = 0; 3445 } 3446 3447 return -1; 3448 } 3449 3450 sta->added_unassoc = 0; 3451 3452 return 0; 3453 } 3454 3455 3456 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 3457 const u8 *addr, u16 status_code, int reassoc, 3458 const u8 *ies, size_t ies_len, int rssi) 3459 { 3460 int send_len; 3461 u8 *buf; 3462 size_t buflen; 3463 struct ieee80211_mgmt *reply; 3464 u8 *p; 3465 u16 res = WLAN_STATUS_SUCCESS; 3466 3467 buflen = sizeof(struct ieee80211_mgmt) + 1024; 3468 #ifdef CONFIG_FILS 3469 if (sta && sta->fils_hlp_resp) 3470 buflen += wpabuf_len(sta->fils_hlp_resp); 3471 if (sta) 3472 buflen += 150; 3473 #endif /* CONFIG_FILS */ 3474 #ifdef CONFIG_OWE 3475 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 3476 buflen += 150; 3477 #endif /* CONFIG_OWE */ 3478 #ifdef CONFIG_DPP2 3479 if (sta && sta->dpp_pfs) 3480 buflen += 5 + sta->dpp_pfs->curve->prime_len; 3481 #endif /* CONFIG_DPP2 */ 3482 buf = os_zalloc(buflen); 3483 if (!buf) { 3484 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3485 goto done; 3486 } 3487 reply = (struct ieee80211_mgmt *) buf; 3488 reply->frame_control = 3489 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 3490 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 3491 WLAN_FC_STYPE_ASSOC_RESP)); 3492 os_memcpy(reply->da, addr, ETH_ALEN); 3493 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 3494 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 3495 3496 send_len = IEEE80211_HDRLEN; 3497 send_len += sizeof(reply->u.assoc_resp); 3498 reply->u.assoc_resp.capab_info = 3499 host_to_le16(hostapd_own_capab_info(hapd)); 3500 reply->u.assoc_resp.status_code = host_to_le16(status_code); 3501 3502 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) | 3503 BIT(14) | BIT(15)); 3504 /* Supported rates */ 3505 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 3506 /* Extended supported rates */ 3507 p = hostapd_eid_ext_supp_rates(hapd, p); 3508 3509 #ifdef CONFIG_MBO 3510 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS && 3511 rssi != 0) { 3512 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi; 3513 3514 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p, 3515 delta); 3516 } 3517 #endif /* CONFIG_MBO */ 3518 3519 #ifdef CONFIG_IEEE80211R_AP 3520 if (sta && status_code == WLAN_STATUS_SUCCESS) { 3521 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 3522 * Transition Information, RSN, [RIC Response] */ 3523 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 3524 buf + buflen - p, 3525 sta->auth_alg, ies, ies_len); 3526 if (!p) { 3527 wpa_printf(MSG_DEBUG, 3528 "FT: Failed to write AssocResp IEs"); 3529 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3530 goto done; 3531 } 3532 } 3533 #endif /* CONFIG_IEEE80211R_AP */ 3534 #ifdef CONFIG_FILS 3535 if (sta && status_code == WLAN_STATUS_SUCCESS && 3536 (sta->auth_alg == WLAN_AUTH_FILS_SK || 3537 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3538 sta->auth_alg == WLAN_AUTH_FILS_PK)) 3539 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p, 3540 buf + buflen - p, 3541 ies, ies_len); 3542 #endif /* CONFIG_FILS */ 3543 3544 #ifdef CONFIG_OWE 3545 if (sta && status_code == WLAN_STATUS_SUCCESS && 3546 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 3547 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p, 3548 buf + buflen - p, 3549 ies, ies_len); 3550 #endif /* CONFIG_OWE */ 3551 3552 #ifdef CONFIG_IEEE80211W 3553 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 3554 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 3555 #endif /* CONFIG_IEEE80211W */ 3556 3557 #ifdef CONFIG_IEEE80211N 3558 p = hostapd_eid_ht_capabilities(hapd, p); 3559 p = hostapd_eid_ht_operation(hapd, p); 3560 #endif /* CONFIG_IEEE80211N */ 3561 3562 #ifdef CONFIG_IEEE80211AC 3563 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 3564 u32 nsts = 0, sta_nsts; 3565 3566 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) { 3567 struct ieee80211_vht_capabilities *capa; 3568 3569 nsts = (hapd->iface->conf->vht_capab >> 3570 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 3571 capa = sta->vht_capabilities; 3572 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >> 3573 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 3574 3575 if (nsts < sta_nsts) 3576 nsts = 0; 3577 else 3578 nsts = sta_nsts; 3579 } 3580 p = hostapd_eid_vht_capabilities(hapd, p, nsts); 3581 p = hostapd_eid_vht_operation(hapd, p); 3582 } 3583 #endif /* CONFIG_IEEE80211AC */ 3584 3585 #ifdef CONFIG_IEEE80211AX 3586 if (hapd->iconf->ieee80211ax) { 3587 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP); 3588 p = hostapd_eid_he_operation(hapd, p); 3589 p = hostapd_eid_spatial_reuse(hapd, p); 3590 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p); 3591 } 3592 #endif /* CONFIG_IEEE80211AX */ 3593 3594 p = hostapd_eid_ext_capab(hapd, p); 3595 p = hostapd_eid_bss_max_idle_period(hapd, p); 3596 if (sta && sta->qos_map_enabled) 3597 p = hostapd_eid_qos_map_set(hapd, p); 3598 3599 #ifdef CONFIG_FST 3600 if (hapd->iface->fst_ies) { 3601 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies), 3602 wpabuf_len(hapd->iface->fst_ies)); 3603 p += wpabuf_len(hapd->iface->fst_ies); 3604 } 3605 #endif /* CONFIG_FST */ 3606 3607 #ifdef CONFIG_OWE 3608 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 3609 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS && 3610 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) { 3611 struct wpabuf *pub; 3612 3613 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3614 if (!pub) { 3615 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3616 goto done; 3617 } 3618 /* OWE Diffie-Hellman Parameter element */ 3619 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 3620 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */ 3621 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */ 3622 WPA_PUT_LE16(p, sta->owe_group); 3623 p += 2; 3624 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub)); 3625 p += wpabuf_len(pub); 3626 wpabuf_free(pub); 3627 } 3628 #endif /* CONFIG_OWE */ 3629 3630 #ifdef CONFIG_DPP2 3631 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 3632 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS && 3633 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) { 3634 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie), 3635 wpabuf_len(sta->dpp_pfs->ie)); 3636 p += wpabuf_len(sta->dpp_pfs->ie); 3637 } 3638 #endif /* CONFIG_DPP2 */ 3639 3640 #ifdef CONFIG_IEEE80211AC 3641 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 3642 p = hostapd_eid_vendor_vht(hapd, p); 3643 #endif /* CONFIG_IEEE80211AC */ 3644 3645 if (sta && (sta->flags & WLAN_STA_WMM)) 3646 p = hostapd_eid_wmm(hapd, p); 3647 3648 #ifdef CONFIG_WPS 3649 if (sta && 3650 ((sta->flags & WLAN_STA_WPS) || 3651 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) { 3652 struct wpabuf *wps = wps_build_assoc_resp_ie(); 3653 if (wps) { 3654 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 3655 p += wpabuf_len(wps); 3656 wpabuf_free(wps); 3657 } 3658 } 3659 #endif /* CONFIG_WPS */ 3660 3661 if (sta && (sta->flags & WLAN_STA_MULTI_AP)) 3662 p = hostapd_eid_multi_ap(hapd, p); 3663 3664 #ifdef CONFIG_P2P 3665 if (sta && sta->p2p_ie && hapd->p2p_group) { 3666 struct wpabuf *p2p_resp_ie; 3667 enum p2p_status_code status; 3668 switch (status_code) { 3669 case WLAN_STATUS_SUCCESS: 3670 status = P2P_SC_SUCCESS; 3671 break; 3672 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 3673 status = P2P_SC_FAIL_LIMIT_REACHED; 3674 break; 3675 default: 3676 status = P2P_SC_FAIL_INVALID_PARAMS; 3677 break; 3678 } 3679 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 3680 if (p2p_resp_ie) { 3681 os_memcpy(p, wpabuf_head(p2p_resp_ie), 3682 wpabuf_len(p2p_resp_ie)); 3683 p += wpabuf_len(p2p_resp_ie); 3684 wpabuf_free(p2p_resp_ie); 3685 } 3686 } 3687 #endif /* CONFIG_P2P */ 3688 3689 #ifdef CONFIG_P2P_MANAGER 3690 if (hapd->conf->p2p & P2P_MANAGE) 3691 p = hostapd_eid_p2p_manage(hapd, p); 3692 #endif /* CONFIG_P2P_MANAGER */ 3693 3694 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 3695 3696 if (hapd->conf->assocresp_elements && 3697 (size_t) (buf + buflen - p) >= 3698 wpabuf_len(hapd->conf->assocresp_elements)) { 3699 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 3700 wpabuf_len(hapd->conf->assocresp_elements)); 3701 p += wpabuf_len(hapd->conf->assocresp_elements); 3702 } 3703 3704 send_len += p - reply->u.assoc_resp.variable; 3705 3706 #ifdef CONFIG_FILS 3707 if (sta && 3708 (sta->auth_alg == WLAN_AUTH_FILS_SK || 3709 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3710 sta->auth_alg == WLAN_AUTH_FILS_PK) && 3711 status_code == WLAN_STATUS_SUCCESS) { 3712 struct ieee802_11_elems elems; 3713 3714 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == 3715 ParseFailed || !elems.fils_session) { 3716 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3717 goto done; 3718 } 3719 3720 /* FILS Session */ 3721 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 3722 *p++ = 1 + FILS_SESSION_LEN; /* Length */ 3723 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 3724 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN); 3725 send_len += 2 + 1 + FILS_SESSION_LEN; 3726 3727 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len, 3728 buflen, sta->fils_hlp_resp); 3729 if (send_len < 0) { 3730 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3731 goto done; 3732 } 3733 } 3734 #endif /* CONFIG_FILS */ 3735 3736 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) { 3737 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 3738 strerror(errno)); 3739 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3740 } 3741 3742 done: 3743 os_free(buf); 3744 return res; 3745 } 3746 3747 3748 #ifdef CONFIG_OWE 3749 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta, 3750 const u8 *owe_dh, u8 owe_dh_len, 3751 u8 *owe_buf, size_t owe_buf_len, u16 *reason) 3752 { 3753 #ifdef CONFIG_TESTING_OPTIONS 3754 if (hapd->conf->own_ie_override) { 3755 wpa_printf(MSG_DEBUG, "OWE: Using IE override"); 3756 *reason = WLAN_STATUS_SUCCESS; 3757 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3758 owe_buf_len, NULL, 0); 3759 } 3760 #endif /* CONFIG_TESTING_OPTIONS */ 3761 3762 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 3763 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 3764 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3765 owe_buf_len, NULL, 0); 3766 *reason = WLAN_STATUS_SUCCESS; 3767 return owe_buf; 3768 } 3769 3770 if (sta->owe_pmk && sta->external_dh_updated) { 3771 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK"); 3772 *reason = WLAN_STATUS_SUCCESS; 3773 return owe_buf; 3774 } 3775 3776 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len); 3777 if (*reason != WLAN_STATUS_SUCCESS) 3778 return NULL; 3779 3780 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3781 owe_buf_len, NULL, 0); 3782 3783 if (sta->owe_ecdh && owe_buf) { 3784 struct wpabuf *pub; 3785 3786 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3787 if (!pub) { 3788 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE; 3789 return owe_buf; 3790 } 3791 3792 /* OWE Diffie-Hellman Parameter element */ 3793 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */ 3794 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */ 3795 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension 3796 */ 3797 WPA_PUT_LE16(owe_buf, sta->owe_group); 3798 owe_buf += 2; 3799 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub)); 3800 owe_buf += wpabuf_len(pub); 3801 wpabuf_free(pub); 3802 } 3803 3804 return owe_buf; 3805 } 3806 #endif /* CONFIG_OWE */ 3807 3808 3809 #ifdef CONFIG_FILS 3810 3811 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta) 3812 { 3813 u16 reply_res; 3814 3815 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR, 3816 MAC2STR(sta->addr)); 3817 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 3818 if (!sta->fils_pending_assoc_req) 3819 return; 3820 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS, 3821 sta->fils_pending_assoc_is_reassoc, 3822 sta->fils_pending_assoc_req, 3823 sta->fils_pending_assoc_req_len, 0); 3824 os_free(sta->fils_pending_assoc_req); 3825 sta->fils_pending_assoc_req = NULL; 3826 sta->fils_pending_assoc_req_len = 0; 3827 wpabuf_free(sta->fils_hlp_resp); 3828 sta->fils_hlp_resp = NULL; 3829 wpabuf_free(sta->hlp_dhcp_discover); 3830 sta->hlp_dhcp_discover = NULL; 3831 3832 /* 3833 * Remove the station in case transmission of a success response fails. 3834 * At this point the station was already added associated to the driver. 3835 */ 3836 if (reply_res != WLAN_STATUS_SUCCESS) 3837 hostapd_drv_sta_remove(hapd, sta->addr); 3838 } 3839 3840 3841 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data) 3842 { 3843 struct hostapd_data *hapd = eloop_ctx; 3844 struct sta_info *sta = eloop_data; 3845 3846 wpa_printf(MSG_DEBUG, 3847 "FILS: HLP response timeout - continue with association response for " 3848 MACSTR, MAC2STR(sta->addr)); 3849 if (sta->fils_drv_assoc_finish) 3850 hostapd_notify_assoc_fils_finish(hapd, sta); 3851 else 3852 fils_hlp_finish_assoc(hapd, sta); 3853 } 3854 3855 #endif /* CONFIG_FILS */ 3856 3857 3858 static void handle_assoc(struct hostapd_data *hapd, 3859 const struct ieee80211_mgmt *mgmt, size_t len, 3860 int reassoc, int rssi) 3861 { 3862 u16 capab_info, listen_interval, seq_ctrl, fc; 3863 u16 resp = WLAN_STATUS_SUCCESS, reply_res; 3864 const u8 *pos; 3865 int left, i; 3866 struct sta_info *sta; 3867 u8 *tmp = NULL; 3868 struct hostapd_sta_wpa_psk_short *psk = NULL; 3869 char *identity = NULL; 3870 char *radius_cui = NULL; 3871 #ifdef CONFIG_FILS 3872 int delay_assoc = 0; 3873 #endif /* CONFIG_FILS */ 3874 3875 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 3876 sizeof(mgmt->u.assoc_req))) { 3877 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 3878 reassoc, (unsigned long) len); 3879 return; 3880 } 3881 3882 #ifdef CONFIG_TESTING_OPTIONS 3883 if (reassoc) { 3884 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 3885 drand48() < hapd->iconf->ignore_reassoc_probability) { 3886 wpa_printf(MSG_INFO, 3887 "TESTING: ignoring reassoc request from " 3888 MACSTR, MAC2STR(mgmt->sa)); 3889 return; 3890 } 3891 } else { 3892 if (hapd->iconf->ignore_assoc_probability > 0.0 && 3893 drand48() < hapd->iconf->ignore_assoc_probability) { 3894 wpa_printf(MSG_INFO, 3895 "TESTING: ignoring assoc request from " 3896 MACSTR, MAC2STR(mgmt->sa)); 3897 return; 3898 } 3899 } 3900 #endif /* CONFIG_TESTING_OPTIONS */ 3901 3902 fc = le_to_host16(mgmt->frame_control); 3903 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 3904 3905 if (reassoc) { 3906 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 3907 listen_interval = le_to_host16( 3908 mgmt->u.reassoc_req.listen_interval); 3909 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 3910 " capab_info=0x%02x listen_interval=%d current_ap=" 3911 MACSTR " seq_ctrl=0x%x%s", 3912 MAC2STR(mgmt->sa), capab_info, listen_interval, 3913 MAC2STR(mgmt->u.reassoc_req.current_ap), 3914 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 3915 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 3916 pos = mgmt->u.reassoc_req.variable; 3917 } else { 3918 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 3919 listen_interval = le_to_host16( 3920 mgmt->u.assoc_req.listen_interval); 3921 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 3922 " capab_info=0x%02x listen_interval=%d " 3923 "seq_ctrl=0x%x%s", 3924 MAC2STR(mgmt->sa), capab_info, listen_interval, 3925 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 3926 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 3927 pos = mgmt->u.assoc_req.variable; 3928 } 3929 3930 sta = ap_get_sta(hapd, mgmt->sa); 3931 #ifdef CONFIG_IEEE80211R_AP 3932 if (sta && sta->auth_alg == WLAN_AUTH_FT && 3933 (sta->flags & WLAN_STA_AUTH) == 0) { 3934 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 3935 "prior to authentication since it is using " 3936 "over-the-DS FT", MAC2STR(mgmt->sa)); 3937 3938 /* 3939 * Mark station as authenticated, to avoid adding station 3940 * entry in the driver as associated and not authenticated 3941 */ 3942 sta->flags |= WLAN_STA_AUTH; 3943 } else 3944 #endif /* CONFIG_IEEE80211R_AP */ 3945 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 3946 if (hapd->iface->current_mode && 3947 hapd->iface->current_mode->mode == 3948 HOSTAPD_MODE_IEEE80211AD) { 3949 int acl_res; 3950 u32 session_timeout, acct_interim_interval; 3951 struct vlan_description vlan_id; 3952 3953 acl_res = ieee802_11_allowed_address( 3954 hapd, mgmt->sa, (const u8 *) mgmt, len, 3955 &session_timeout, &acct_interim_interval, 3956 &vlan_id, &psk, &identity, &radius_cui, 0); 3957 if (acl_res == HOSTAPD_ACL_REJECT) { 3958 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 3959 "Ignore Association Request frame from " 3960 MACSTR " due to ACL reject", 3961 MAC2STR(mgmt->sa)); 3962 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3963 goto fail; 3964 } 3965 if (acl_res == HOSTAPD_ACL_PENDING) 3966 return; 3967 3968 /* DMG/IEEE 802.11ad does not use authentication. 3969 * Allocate sta entry upon association. */ 3970 sta = ap_sta_add(hapd, mgmt->sa); 3971 if (!sta) { 3972 hostapd_logger(hapd, mgmt->sa, 3973 HOSTAPD_MODULE_IEEE80211, 3974 HOSTAPD_LEVEL_INFO, 3975 "Failed to add STA"); 3976 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3977 goto fail; 3978 } 3979 3980 acl_res = ieee802_11_set_radius_info( 3981 hapd, sta, acl_res, session_timeout, 3982 acct_interim_interval, &vlan_id, &psk, 3983 &identity, &radius_cui); 3984 if (acl_res) { 3985 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3986 goto fail; 3987 } 3988 3989 hostapd_logger(hapd, sta->addr, 3990 HOSTAPD_MODULE_IEEE80211, 3991 HOSTAPD_LEVEL_DEBUG, 3992 "Skip authentication for DMG/IEEE 802.11ad"); 3993 sta->flags |= WLAN_STA_AUTH; 3994 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 3995 sta->auth_alg = WLAN_AUTH_OPEN; 3996 } else { 3997 hostapd_logger(hapd, mgmt->sa, 3998 HOSTAPD_MODULE_IEEE80211, 3999 HOSTAPD_LEVEL_INFO, 4000 "Station tried to associate before authentication (aid=%d flags=0x%x)", 4001 sta ? sta->aid : -1, 4002 sta ? sta->flags : 0); 4003 send_deauth(hapd, mgmt->sa, 4004 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 4005 return; 4006 } 4007 } 4008 4009 if ((fc & WLAN_FC_RETRY) && 4010 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 4011 sta->last_seq_ctrl == seq_ctrl && 4012 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 4013 WLAN_FC_STYPE_ASSOC_REQ)) { 4014 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4015 HOSTAPD_LEVEL_DEBUG, 4016 "Drop repeated association frame seq_ctrl=0x%x", 4017 seq_ctrl); 4018 return; 4019 } 4020 sta->last_seq_ctrl = seq_ctrl; 4021 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 4022 WLAN_FC_STYPE_ASSOC_REQ; 4023 4024 if (hapd->tkip_countermeasures) { 4025 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 4026 goto fail; 4027 } 4028 4029 if (listen_interval > hapd->conf->max_listen_interval) { 4030 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4031 HOSTAPD_LEVEL_DEBUG, 4032 "Too large Listen Interval (%d)", 4033 listen_interval); 4034 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 4035 goto fail; 4036 } 4037 4038 #ifdef CONFIG_MBO 4039 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) { 4040 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4041 goto fail; 4042 } 4043 4044 if (hapd->iconf->rssi_reject_assoc_rssi && rssi && 4045 rssi < hapd->iconf->rssi_reject_assoc_rssi && 4046 (sta->auth_rssi == 0 || 4047 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) { 4048 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS; 4049 goto fail; 4050 } 4051 #endif /* CONFIG_MBO */ 4052 4053 /* 4054 * sta->capability is used in check_assoc_ies() for RRM enabled 4055 * capability element. 4056 */ 4057 sta->capability = capab_info; 4058 4059 #ifdef CONFIG_FILS 4060 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 4061 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4062 sta->auth_alg == WLAN_AUTH_FILS_PK) { 4063 int res; 4064 4065 /* The end of the payload is encrypted. Need to decrypt it 4066 * before parsing. */ 4067 4068 tmp = os_memdup(pos, left); 4069 if (!tmp) { 4070 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 4071 goto fail; 4072 } 4073 4074 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt, 4075 len, tmp, left); 4076 if (res < 0) { 4077 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 4078 goto fail; 4079 } 4080 pos = tmp; 4081 left = res; 4082 } 4083 #endif /* CONFIG_FILS */ 4084 4085 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 4086 * is used */ 4087 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 4088 if (resp != WLAN_STATUS_SUCCESS) 4089 goto fail; 4090 4091 if (hostapd_get_aid(hapd, sta) < 0) { 4092 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4093 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 4094 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4095 goto fail; 4096 } 4097 4098 sta->listen_interval = listen_interval; 4099 4100 if (hapd->iface->current_mode && 4101 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 4102 sta->flags |= WLAN_STA_NONERP; 4103 for (i = 0; i < sta->supported_rates_len; i++) { 4104 if ((sta->supported_rates[i] & 0x7f) > 22) { 4105 sta->flags &= ~WLAN_STA_NONERP; 4106 break; 4107 } 4108 } 4109 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 4110 sta->nonerp_set = 1; 4111 hapd->iface->num_sta_non_erp++; 4112 if (hapd->iface->num_sta_non_erp == 1) 4113 ieee802_11_set_beacons(hapd->iface); 4114 } 4115 4116 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 4117 !sta->no_short_slot_time_set) { 4118 sta->no_short_slot_time_set = 1; 4119 hapd->iface->num_sta_no_short_slot_time++; 4120 if (hapd->iface->current_mode && 4121 hapd->iface->current_mode->mode == 4122 HOSTAPD_MODE_IEEE80211G && 4123 hapd->iface->num_sta_no_short_slot_time == 1) 4124 ieee802_11_set_beacons(hapd->iface); 4125 } 4126 4127 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 4128 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 4129 else 4130 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 4131 4132 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 4133 !sta->no_short_preamble_set) { 4134 sta->no_short_preamble_set = 1; 4135 hapd->iface->num_sta_no_short_preamble++; 4136 if (hapd->iface->current_mode && 4137 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 4138 && hapd->iface->num_sta_no_short_preamble == 1) 4139 ieee802_11_set_beacons(hapd->iface); 4140 } 4141 4142 #ifdef CONFIG_IEEE80211N 4143 update_ht_state(hapd, sta); 4144 #endif /* CONFIG_IEEE80211N */ 4145 4146 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4147 HOSTAPD_LEVEL_DEBUG, 4148 "association OK (aid %d)", sta->aid); 4149 /* Station will be marked associated, after it acknowledges AssocResp 4150 */ 4151 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 4152 4153 #ifdef CONFIG_IEEE80211W 4154 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 4155 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 4156 "SA Query procedure", reassoc ? "re" : ""); 4157 /* TODO: Send a protected Disassociate frame to the STA using 4158 * the old key and Reason Code "Previous Authentication no 4159 * longer valid". Make sure this is only sent protected since 4160 * unprotected frame would be received by the STA that is now 4161 * trying to associate. 4162 */ 4163 } 4164 #endif /* CONFIG_IEEE80211W */ 4165 4166 /* Make sure that the previously registered inactivity timer will not 4167 * remove the STA immediately. */ 4168 sta->timeout_next = STA_NULLFUNC; 4169 4170 #ifdef CONFIG_TAXONOMY 4171 taxonomy_sta_info_assoc_req(hapd, sta, pos, left); 4172 #endif /* CONFIG_TAXONOMY */ 4173 4174 sta->pending_wds_enable = 0; 4175 4176 #ifdef CONFIG_FILS 4177 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 4178 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4179 sta->auth_alg == WLAN_AUTH_FILS_PK) { 4180 if (fils_process_hlp(hapd, sta, pos, left) > 0) 4181 delay_assoc = 1; 4182 } 4183 #endif /* CONFIG_FILS */ 4184 4185 fail: 4186 os_free(identity); 4187 os_free(radius_cui); 4188 hostapd_free_psk_list(psk); 4189 4190 /* 4191 * In case of a successful response, add the station to the driver. 4192 * Otherwise, the kernel may ignore Data frames before we process the 4193 * ACK frame (TX status). In case of a failure, this station will be 4194 * removed. 4195 * 4196 * Note that this is not compliant with the IEEE 802.11 standard that 4197 * states that a non-AP station should transition into the 4198 * authenticated/associated state only after the station acknowledges 4199 * the (Re)Association Response frame. However, still do this as: 4200 * 4201 * 1. In case the station does not acknowledge the (Re)Association 4202 * Response frame, it will be removed. 4203 * 2. Data frames will be dropped in the kernel until the station is 4204 * set into authorized state, and there are no significant known 4205 * issues with processing other non-Data Class 3 frames during this 4206 * window. 4207 */ 4208 if (resp == WLAN_STATUS_SUCCESS && sta && 4209 add_associated_sta(hapd, sta, reassoc)) 4210 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4211 4212 #ifdef CONFIG_FILS 4213 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS && 4214 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) && 4215 sta->fils_pending_assoc_req) { 4216 /* Do not reschedule fils_hlp_timeout in case the station 4217 * retransmits (Re)Association Request frame while waiting for 4218 * the previously started FILS HLP wait, so that the timeout can 4219 * be determined from the first pending attempt. */ 4220 wpa_printf(MSG_DEBUG, 4221 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to " 4222 MACSTR, MAC2STR(sta->addr)); 4223 os_free(tmp); 4224 return; 4225 } 4226 if (sta) { 4227 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 4228 os_free(sta->fils_pending_assoc_req); 4229 sta->fils_pending_assoc_req = NULL; 4230 sta->fils_pending_assoc_req_len = 0; 4231 wpabuf_free(sta->fils_hlp_resp); 4232 sta->fils_hlp_resp = NULL; 4233 } 4234 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) { 4235 sta->fils_pending_assoc_req = tmp; 4236 sta->fils_pending_assoc_req_len = left; 4237 sta->fils_pending_assoc_is_reassoc = reassoc; 4238 sta->fils_drv_assoc_finish = 0; 4239 wpa_printf(MSG_DEBUG, 4240 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to " 4241 MACSTR, MAC2STR(sta->addr)); 4242 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 4243 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024, 4244 fils_hlp_timeout, hapd, sta); 4245 return; 4246 } 4247 #endif /* CONFIG_FILS */ 4248 4249 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos, 4250 left, rssi); 4251 os_free(tmp); 4252 4253 /* 4254 * Remove the station in case tranmission of a success response fails 4255 * (the STA was added associated to the driver) or if the station was 4256 * previously added unassociated. 4257 */ 4258 if (sta && ((reply_res != WLAN_STATUS_SUCCESS && 4259 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) { 4260 hostapd_drv_sta_remove(hapd, sta->addr); 4261 sta->added_unassoc = 0; 4262 } 4263 } 4264 4265 4266 static void handle_disassoc(struct hostapd_data *hapd, 4267 const struct ieee80211_mgmt *mgmt, size_t len) 4268 { 4269 struct sta_info *sta; 4270 4271 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 4272 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)", 4273 (unsigned long) len); 4274 return; 4275 } 4276 4277 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", 4278 MAC2STR(mgmt->sa), 4279 le_to_host16(mgmt->u.disassoc.reason_code)); 4280 4281 sta = ap_get_sta(hapd, mgmt->sa); 4282 if (sta == NULL) { 4283 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated", 4284 MAC2STR(mgmt->sa)); 4285 return; 4286 } 4287 4288 ap_sta_set_authorized(hapd, sta, 0); 4289 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 4290 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 4291 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 4292 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4293 HOSTAPD_LEVEL_INFO, "disassociated"); 4294 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 4295 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 4296 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 4297 * authenticated. */ 4298 accounting_sta_stop(hapd, sta); 4299 ieee802_1x_free_station(hapd, sta); 4300 if (sta->ipaddr) 4301 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 4302 ap_sta_ip6addr_del(hapd, sta); 4303 hostapd_drv_sta_remove(hapd, sta->addr); 4304 sta->added_unassoc = 0; 4305 4306 if (sta->timeout_next == STA_NULLFUNC || 4307 sta->timeout_next == STA_DISASSOC) { 4308 sta->timeout_next = STA_DEAUTH; 4309 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 4310 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 4311 hapd, sta); 4312 } 4313 4314 mlme_disassociate_indication( 4315 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 4316 4317 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon 4318 * disassociation. */ 4319 if (hapd->iface->current_mode && 4320 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) { 4321 sta->flags &= ~WLAN_STA_AUTH; 4322 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 4323 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4324 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 4325 ap_free_sta(hapd, sta); 4326 } 4327 } 4328 4329 4330 static void handle_deauth(struct hostapd_data *hapd, 4331 const struct ieee80211_mgmt *mgmt, size_t len) 4332 { 4333 struct sta_info *sta; 4334 4335 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 4336 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short " 4337 "payload (len=%lu)", (unsigned long) len); 4338 return; 4339 } 4340 4341 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR 4342 " reason_code=%d", 4343 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 4344 4345 sta = ap_get_sta(hapd, mgmt->sa); 4346 if (sta == NULL) { 4347 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " 4348 "to deauthenticate, but it is not authenticated", 4349 MAC2STR(mgmt->sa)); 4350 return; 4351 } 4352 4353 ap_sta_set_authorized(hapd, sta, 0); 4354 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 4355 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 4356 WLAN_STA_ASSOC_REQ_OK); 4357 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 4358 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4359 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 4360 mlme_deauthenticate_indication( 4361 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 4362 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 4363 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 4364 ap_free_sta(hapd, sta); 4365 } 4366 4367 4368 static void handle_beacon(struct hostapd_data *hapd, 4369 const struct ieee80211_mgmt *mgmt, size_t len, 4370 struct hostapd_frame_info *fi) 4371 { 4372 struct ieee802_11_elems elems; 4373 4374 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 4375 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 4376 (unsigned long) len); 4377 return; 4378 } 4379 4380 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 4381 len - (IEEE80211_HDRLEN + 4382 sizeof(mgmt->u.beacon)), &elems, 4383 0); 4384 4385 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 4386 } 4387 4388 4389 #ifdef CONFIG_IEEE80211W 4390 static int robust_action_frame(u8 category) 4391 { 4392 return category != WLAN_ACTION_PUBLIC && 4393 category != WLAN_ACTION_HT; 4394 } 4395 #endif /* CONFIG_IEEE80211W */ 4396 4397 4398 static int handle_action(struct hostapd_data *hapd, 4399 const struct ieee80211_mgmt *mgmt, size_t len, 4400 unsigned int freq) 4401 { 4402 struct sta_info *sta; 4403 u8 *action __maybe_unused; 4404 4405 if (len < IEEE80211_HDRLEN + 2 + 1) { 4406 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4407 HOSTAPD_LEVEL_DEBUG, 4408 "handle_action - too short payload (len=%lu)", 4409 (unsigned long) len); 4410 return 0; 4411 } 4412 4413 action = (u8 *) &mgmt->u.action.u; 4414 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR 4415 " da " MACSTR " len %d freq %u", 4416 mgmt->u.action.category, *action, 4417 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq); 4418 4419 sta = ap_get_sta(hapd, mgmt->sa); 4420 4421 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 4422 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 4423 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 4424 "frame (category=%u) from unassociated STA " MACSTR, 4425 mgmt->u.action.category, MAC2STR(mgmt->sa)); 4426 return 0; 4427 } 4428 4429 #ifdef CONFIG_IEEE80211W 4430 if (sta && (sta->flags & WLAN_STA_MFP) && 4431 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 4432 robust_action_frame(mgmt->u.action.category)) { 4433 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4434 HOSTAPD_LEVEL_DEBUG, 4435 "Dropped unprotected Robust Action frame from " 4436 "an MFP STA"); 4437 return 0; 4438 } 4439 #endif /* CONFIG_IEEE80211W */ 4440 4441 if (sta) { 4442 u16 fc = le_to_host16(mgmt->frame_control); 4443 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 4444 4445 if ((fc & WLAN_FC_RETRY) && 4446 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 4447 sta->last_seq_ctrl == seq_ctrl && 4448 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 4449 hostapd_logger(hapd, sta->addr, 4450 HOSTAPD_MODULE_IEEE80211, 4451 HOSTAPD_LEVEL_DEBUG, 4452 "Drop repeated action frame seq_ctrl=0x%x", 4453 seq_ctrl); 4454 return 1; 4455 } 4456 4457 sta->last_seq_ctrl = seq_ctrl; 4458 sta->last_subtype = WLAN_FC_STYPE_ACTION; 4459 } 4460 4461 switch (mgmt->u.action.category) { 4462 #ifdef CONFIG_IEEE80211R_AP 4463 case WLAN_ACTION_FT: 4464 if (!sta || 4465 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 4466 len - IEEE80211_HDRLEN)) 4467 break; 4468 return 1; 4469 #endif /* CONFIG_IEEE80211R_AP */ 4470 case WLAN_ACTION_WMM: 4471 hostapd_wmm_action(hapd, mgmt, len); 4472 return 1; 4473 #ifdef CONFIG_IEEE80211W 4474 case WLAN_ACTION_SA_QUERY: 4475 ieee802_11_sa_query_action(hapd, mgmt, len); 4476 return 1; 4477 #endif /* CONFIG_IEEE80211W */ 4478 #ifdef CONFIG_WNM_AP 4479 case WLAN_ACTION_WNM: 4480 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 4481 return 1; 4482 #endif /* CONFIG_WNM_AP */ 4483 #ifdef CONFIG_FST 4484 case WLAN_ACTION_FST: 4485 if (hapd->iface->fst) 4486 fst_rx_action(hapd->iface->fst, mgmt, len); 4487 else 4488 wpa_printf(MSG_DEBUG, 4489 "FST: Ignore FST Action frame - no FST attached"); 4490 return 1; 4491 #endif /* CONFIG_FST */ 4492 case WLAN_ACTION_PUBLIC: 4493 case WLAN_ACTION_PROTECTED_DUAL: 4494 #ifdef CONFIG_IEEE80211N 4495 if (len >= IEEE80211_HDRLEN + 2 && 4496 mgmt->u.action.u.public_action.action == 4497 WLAN_PA_20_40_BSS_COEX) { 4498 hostapd_2040_coex_action(hapd, mgmt, len); 4499 return 1; 4500 } 4501 #endif /* CONFIG_IEEE80211N */ 4502 #ifdef CONFIG_DPP 4503 if (len >= IEEE80211_HDRLEN + 6 && 4504 mgmt->u.action.u.vs_public_action.action == 4505 WLAN_PA_VENDOR_SPECIFIC && 4506 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 4507 OUI_WFA && 4508 mgmt->u.action.u.vs_public_action.variable[0] == 4509 DPP_OUI_TYPE) { 4510 const u8 *pos, *end; 4511 4512 pos = mgmt->u.action.u.vs_public_action.oui; 4513 end = ((const u8 *) mgmt) + len; 4514 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos, 4515 freq); 4516 return 1; 4517 } 4518 if (len >= IEEE80211_HDRLEN + 2 && 4519 (mgmt->u.action.u.public_action.action == 4520 WLAN_PA_GAS_INITIAL_RESP || 4521 mgmt->u.action.u.public_action.action == 4522 WLAN_PA_GAS_COMEBACK_RESP)) { 4523 const u8 *pos, *end; 4524 4525 pos = &mgmt->u.action.u.public_action.action; 4526 end = ((const u8 *) mgmt) + len; 4527 gas_query_ap_rx(hapd->gas, mgmt->sa, 4528 mgmt->u.action.category, 4529 pos, end - pos, hapd->iface->freq); 4530 return 1; 4531 } 4532 #endif /* CONFIG_DPP */ 4533 if (hapd->public_action_cb) { 4534 hapd->public_action_cb(hapd->public_action_cb_ctx, 4535 (u8 *) mgmt, len, 4536 hapd->iface->freq); 4537 } 4538 if (hapd->public_action_cb2) { 4539 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 4540 (u8 *) mgmt, len, 4541 hapd->iface->freq); 4542 } 4543 if (hapd->public_action_cb || hapd->public_action_cb2) 4544 return 1; 4545 break; 4546 case WLAN_ACTION_VENDOR_SPECIFIC: 4547 if (hapd->vendor_action_cb) { 4548 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 4549 (u8 *) mgmt, len, 4550 hapd->iface->freq) == 0) 4551 return 1; 4552 } 4553 break; 4554 case WLAN_ACTION_RADIO_MEASUREMENT: 4555 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len); 4556 return 1; 4557 } 4558 4559 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4560 HOSTAPD_LEVEL_DEBUG, 4561 "handle_action - unknown action category %d or invalid " 4562 "frame", 4563 mgmt->u.action.category); 4564 if (!is_multicast_ether_addr(mgmt->da) && 4565 !(mgmt->u.action.category & 0x80) && 4566 !is_multicast_ether_addr(mgmt->sa)) { 4567 struct ieee80211_mgmt *resp; 4568 4569 /* 4570 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 4571 * Return the Action frame to the source without change 4572 * except that MSB of the Category set to 1. 4573 */ 4574 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 4575 "frame back to sender"); 4576 resp = os_memdup(mgmt, len); 4577 if (resp == NULL) 4578 return 0; 4579 os_memcpy(resp->da, resp->sa, ETH_ALEN); 4580 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 4581 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 4582 resp->u.action.category |= 0x80; 4583 4584 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) { 4585 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 4586 "Action frame"); 4587 } 4588 os_free(resp); 4589 } 4590 4591 return 1; 4592 } 4593 4594 4595 /** 4596 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 4597 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 4598 * sent to) 4599 * @buf: management frame data (starting from IEEE 802.11 header) 4600 * @len: length of frame data in octets 4601 * @fi: meta data about received frame (signal level, etc.) 4602 * 4603 * Process all incoming IEEE 802.11 management frames. This will be called for 4604 * each frame received from the kernel driver through wlan#ap interface. In 4605 * addition, it can be called to re-inserted pending frames (e.g., when using 4606 * external RADIUS server as an MAC ACL). 4607 */ 4608 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 4609 struct hostapd_frame_info *fi) 4610 { 4611 struct ieee80211_mgmt *mgmt; 4612 u16 fc, stype; 4613 int ret = 0; 4614 unsigned int freq; 4615 int ssi_signal = fi ? fi->ssi_signal : 0; 4616 4617 if (len < 24) 4618 return 0; 4619 4620 if (fi && fi->freq) 4621 freq = fi->freq; 4622 else 4623 freq = hapd->iface->freq; 4624 4625 mgmt = (struct ieee80211_mgmt *) buf; 4626 fc = le_to_host16(mgmt->frame_control); 4627 stype = WLAN_FC_GET_STYPE(fc); 4628 4629 if (stype == WLAN_FC_STYPE_BEACON) { 4630 handle_beacon(hapd, mgmt, len, fi); 4631 return 1; 4632 } 4633 4634 if (!is_broadcast_ether_addr(mgmt->bssid) && 4635 #ifdef CONFIG_P2P 4636 /* Invitation responses can be sent with the peer MAC as BSSID */ 4637 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 4638 stype == WLAN_FC_STYPE_ACTION) && 4639 #endif /* CONFIG_P2P */ 4640 #ifdef CONFIG_MESH 4641 !(hapd->conf->mesh & MESH_ENABLED) && 4642 #endif /* CONFIG_MESH */ 4643 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) { 4644 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 4645 MAC2STR(mgmt->bssid)); 4646 return 0; 4647 } 4648 4649 4650 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 4651 handle_probe_req(hapd, mgmt, len, ssi_signal); 4652 return 1; 4653 } 4654 4655 if ((!is_broadcast_ether_addr(mgmt->da) || 4656 stype != WLAN_FC_STYPE_ACTION) && 4657 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) { 4658 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4659 HOSTAPD_LEVEL_DEBUG, 4660 "MGMT: DA=" MACSTR " not our address", 4661 MAC2STR(mgmt->da)); 4662 return 0; 4663 } 4664 4665 if (hapd->iconf->track_sta_max_num) 4666 sta_track_add(hapd->iface, mgmt->sa, ssi_signal); 4667 4668 switch (stype) { 4669 case WLAN_FC_STYPE_AUTH: 4670 wpa_printf(MSG_DEBUG, "mgmt::auth"); 4671 handle_auth(hapd, mgmt, len, ssi_signal, 0); 4672 ret = 1; 4673 break; 4674 case WLAN_FC_STYPE_ASSOC_REQ: 4675 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 4676 handle_assoc(hapd, mgmt, len, 0, ssi_signal); 4677 ret = 1; 4678 break; 4679 case WLAN_FC_STYPE_REASSOC_REQ: 4680 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 4681 handle_assoc(hapd, mgmt, len, 1, ssi_signal); 4682 ret = 1; 4683 break; 4684 case WLAN_FC_STYPE_DISASSOC: 4685 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 4686 handle_disassoc(hapd, mgmt, len); 4687 ret = 1; 4688 break; 4689 case WLAN_FC_STYPE_DEAUTH: 4690 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 4691 handle_deauth(hapd, mgmt, len); 4692 ret = 1; 4693 break; 4694 case WLAN_FC_STYPE_ACTION: 4695 wpa_printf(MSG_DEBUG, "mgmt::action"); 4696 ret = handle_action(hapd, mgmt, len, freq); 4697 break; 4698 default: 4699 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4700 HOSTAPD_LEVEL_DEBUG, 4701 "unknown mgmt frame subtype %d", stype); 4702 break; 4703 } 4704 4705 return ret; 4706 } 4707 4708 4709 static void handle_auth_cb(struct hostapd_data *hapd, 4710 const struct ieee80211_mgmt *mgmt, 4711 size_t len, int ok) 4712 { 4713 u16 auth_alg, auth_transaction, status_code; 4714 struct sta_info *sta; 4715 4716 sta = ap_get_sta(hapd, mgmt->da); 4717 if (!sta) { 4718 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR 4719 " not found", 4720 MAC2STR(mgmt->da)); 4721 return; 4722 } 4723 4724 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 4725 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 4726 status_code = le_to_host16(mgmt->u.auth.status_code); 4727 4728 if (!ok) { 4729 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 4730 HOSTAPD_LEVEL_NOTICE, 4731 "did not acknowledge authentication response"); 4732 goto fail; 4733 } 4734 4735 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 4736 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 4737 (unsigned long) len); 4738 goto fail; 4739 } 4740 4741 if (status_code == WLAN_STATUS_SUCCESS && 4742 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 4743 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 4744 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4745 HOSTAPD_LEVEL_INFO, "authenticated"); 4746 sta->flags |= WLAN_STA_AUTH; 4747 if (sta->added_unassoc) 4748 hostapd_set_sta_flags(hapd, sta); 4749 return; 4750 } 4751 4752 fail: 4753 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) { 4754 hostapd_drv_sta_remove(hapd, sta->addr); 4755 sta->added_unassoc = 0; 4756 } 4757 } 4758 4759 4760 static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 4761 struct sta_info *sta, 4762 char *ifname_wds) 4763 { 4764 int i; 4765 struct hostapd_ssid *ssid = &hapd->conf->ssid; 4766 4767 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 4768 return; 4769 4770 for (i = 0; i < 4; i++) { 4771 if (ssid->wep.key[i] && 4772 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 4773 i == ssid->wep.idx, NULL, 0, 4774 ssid->wep.key[i], ssid->wep.len[i])) { 4775 wpa_printf(MSG_WARNING, 4776 "Could not set WEP keys for WDS interface; %s", 4777 ifname_wds); 4778 break; 4779 } 4780 } 4781 } 4782 4783 4784 static void handle_assoc_cb(struct hostapd_data *hapd, 4785 const struct ieee80211_mgmt *mgmt, 4786 size_t len, int reassoc, int ok) 4787 { 4788 u16 status; 4789 struct sta_info *sta; 4790 int new_assoc = 1; 4791 4792 sta = ap_get_sta(hapd, mgmt->da); 4793 if (!sta) { 4794 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 4795 MAC2STR(mgmt->da)); 4796 return; 4797 } 4798 4799 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 4800 sizeof(mgmt->u.assoc_resp))) { 4801 wpa_printf(MSG_INFO, 4802 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 4803 reassoc, (unsigned long) len); 4804 hostapd_drv_sta_remove(hapd, sta->addr); 4805 return; 4806 } 4807 4808 if (reassoc) 4809 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 4810 else 4811 status = le_to_host16(mgmt->u.assoc_resp.status_code); 4812 4813 if (!ok) { 4814 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 4815 HOSTAPD_LEVEL_DEBUG, 4816 "did not acknowledge association response"); 4817 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 4818 /* The STA is added only in case of SUCCESS */ 4819 if (status == WLAN_STATUS_SUCCESS) 4820 hostapd_drv_sta_remove(hapd, sta->addr); 4821 4822 return; 4823 } 4824 4825 if (status != WLAN_STATUS_SUCCESS) 4826 return; 4827 4828 /* Stop previous accounting session, if one is started, and allocate 4829 * new session id for the new session. */ 4830 accounting_sta_stop(hapd, sta); 4831 4832 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4833 HOSTAPD_LEVEL_INFO, 4834 "associated (aid %d)", 4835 sta->aid); 4836 4837 if (sta->flags & WLAN_STA_ASSOC) 4838 new_assoc = 0; 4839 sta->flags |= WLAN_STA_ASSOC; 4840 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 4841 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && 4842 !hapd->conf->osen) || 4843 sta->auth_alg == WLAN_AUTH_FILS_SK || 4844 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4845 sta->auth_alg == WLAN_AUTH_FILS_PK || 4846 sta->auth_alg == WLAN_AUTH_FT) { 4847 /* 4848 * Open, static WEP, FT protocol, or FILS; no separate 4849 * authorization step. 4850 */ 4851 ap_sta_set_authorized(hapd, sta, 1); 4852 } 4853 4854 if (reassoc) 4855 mlme_reassociate_indication(hapd, sta); 4856 else 4857 mlme_associate_indication(hapd, sta); 4858 4859 #ifdef CONFIG_IEEE80211W 4860 sta->sa_query_timed_out = 0; 4861 #endif /* CONFIG_IEEE80211W */ 4862 4863 if (sta->eapol_sm == NULL) { 4864 /* 4865 * This STA does not use RADIUS server for EAP authentication, 4866 * so bind it to the selected VLAN interface now, since the 4867 * interface selection is not going to change anymore. 4868 */ 4869 if (ap_sta_bind_vlan(hapd, sta) < 0) 4870 return; 4871 } else if (sta->vlan_id) { 4872 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 4873 if (ap_sta_bind_vlan(hapd, sta) < 0) 4874 return; 4875 } 4876 4877 hostapd_set_sta_flags(hapd, sta); 4878 4879 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) { 4880 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA " 4881 MACSTR " based on pending request", 4882 MAC2STR(sta->addr)); 4883 sta->pending_wds_enable = 0; 4884 sta->flags |= WLAN_STA_WDS; 4885 } 4886 4887 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) { 4888 int ret; 4889 char ifname_wds[IFNAMSIZ + 1]; 4890 4891 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA " 4892 MACSTR " (aid %u)", 4893 MAC2STR(sta->addr), sta->aid); 4894 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 4895 sta->aid, 1); 4896 if (!ret) 4897 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 4898 } 4899 4900 if (sta->auth_alg == WLAN_AUTH_FT) 4901 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 4902 else 4903 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 4904 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 4905 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 4906 4907 #ifdef CONFIG_FILS 4908 if ((sta->auth_alg == WLAN_AUTH_FILS_SK || 4909 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4910 sta->auth_alg == WLAN_AUTH_FILS_PK) && 4911 fils_set_tk(sta->wpa_sm) < 0) { 4912 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed"); 4913 ap_sta_disconnect(hapd, sta, sta->addr, 4914 WLAN_REASON_UNSPECIFIED); 4915 return; 4916 } 4917 #endif /* CONFIG_FILS */ 4918 4919 if (sta->pending_eapol_rx) { 4920 struct os_reltime now, age; 4921 4922 os_get_reltime(&now); 4923 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age); 4924 if (age.sec == 0 && age.usec < 200000) { 4925 wpa_printf(MSG_DEBUG, 4926 "Process pending EAPOL frame that was received from " MACSTR " just before association notification", 4927 MAC2STR(sta->addr)); 4928 ieee802_1x_receive( 4929 hapd, mgmt->da, 4930 wpabuf_head(sta->pending_eapol_rx->buf), 4931 wpabuf_len(sta->pending_eapol_rx->buf)); 4932 } 4933 wpabuf_free(sta->pending_eapol_rx->buf); 4934 os_free(sta->pending_eapol_rx); 4935 sta->pending_eapol_rx = NULL; 4936 } 4937 } 4938 4939 4940 static void handle_deauth_cb(struct hostapd_data *hapd, 4941 const struct ieee80211_mgmt *mgmt, 4942 size_t len, int ok) 4943 { 4944 struct sta_info *sta; 4945 if (is_multicast_ether_addr(mgmt->da)) 4946 return; 4947 sta = ap_get_sta(hapd, mgmt->da); 4948 if (!sta) { 4949 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 4950 " not found", MAC2STR(mgmt->da)); 4951 return; 4952 } 4953 if (ok) 4954 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 4955 MAC2STR(sta->addr)); 4956 else 4957 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 4958 "deauth", MAC2STR(sta->addr)); 4959 4960 ap_sta_deauth_cb(hapd, sta); 4961 } 4962 4963 4964 static void handle_disassoc_cb(struct hostapd_data *hapd, 4965 const struct ieee80211_mgmt *mgmt, 4966 size_t len, int ok) 4967 { 4968 struct sta_info *sta; 4969 if (is_multicast_ether_addr(mgmt->da)) 4970 return; 4971 sta = ap_get_sta(hapd, mgmt->da); 4972 if (!sta) { 4973 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 4974 " not found", MAC2STR(mgmt->da)); 4975 return; 4976 } 4977 if (ok) 4978 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 4979 MAC2STR(sta->addr)); 4980 else 4981 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 4982 "disassoc", MAC2STR(sta->addr)); 4983 4984 ap_sta_disassoc_cb(hapd, sta); 4985 } 4986 4987 4988 static void handle_action_cb(struct hostapd_data *hapd, 4989 const struct ieee80211_mgmt *mgmt, 4990 size_t len, int ok) 4991 { 4992 struct sta_info *sta; 4993 const struct rrm_measurement_report_element *report; 4994 4995 if (is_multicast_ether_addr(mgmt->da)) 4996 return; 4997 #ifdef CONFIG_DPP 4998 if (len >= IEEE80211_HDRLEN + 6 && 4999 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 5000 mgmt->u.action.u.vs_public_action.action == 5001 WLAN_PA_VENDOR_SPECIFIC && 5002 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 5003 OUI_WFA && 5004 mgmt->u.action.u.vs_public_action.variable[0] == 5005 DPP_OUI_TYPE) { 5006 const u8 *pos, *end; 5007 5008 pos = &mgmt->u.action.u.vs_public_action.variable[1]; 5009 end = ((const u8 *) mgmt) + len; 5010 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok); 5011 return; 5012 } 5013 if (len >= IEEE80211_HDRLEN + 2 && 5014 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 5015 (mgmt->u.action.u.public_action.action == 5016 WLAN_PA_GAS_INITIAL_REQ || 5017 mgmt->u.action.u.public_action.action == 5018 WLAN_PA_GAS_COMEBACK_REQ)) { 5019 const u8 *pos, *end; 5020 5021 pos = mgmt->u.action.u.public_action.variable; 5022 end = ((const u8 *) mgmt) + len; 5023 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok); 5024 return; 5025 } 5026 #endif /* CONFIG_DPP */ 5027 sta = ap_get_sta(hapd, mgmt->da); 5028 if (!sta) { 5029 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR 5030 " not found", MAC2STR(mgmt->da)); 5031 return; 5032 } 5033 5034 if (len < 24 + 5 + sizeof(*report)) 5035 return; 5036 report = (const struct rrm_measurement_report_element *) 5037 &mgmt->u.action.u.rrm.variable[2]; 5038 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT && 5039 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST && 5040 report->eid == WLAN_EID_MEASURE_REQUEST && 5041 report->len >= 3 && 5042 report->type == MEASURE_TYPE_BEACON) 5043 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok); 5044 } 5045 5046 5047 /** 5048 * ieee802_11_mgmt_cb - Process management frame TX status callback 5049 * @hapd: hostapd BSS data structure (the BSS from which the management frame 5050 * was sent from) 5051 * @buf: management frame data (starting from IEEE 802.11 header) 5052 * @len: length of frame data in octets 5053 * @stype: management frame subtype from frame control field 5054 * @ok: Whether the frame was ACK'ed 5055 */ 5056 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 5057 u16 stype, int ok) 5058 { 5059 const struct ieee80211_mgmt *mgmt; 5060 mgmt = (const struct ieee80211_mgmt *) buf; 5061 5062 #ifdef CONFIG_TESTING_OPTIONS 5063 if (hapd->ext_mgmt_frame_handling) { 5064 size_t hex_len = 2 * len + 1; 5065 char *hex = os_malloc(hex_len); 5066 5067 if (hex) { 5068 wpa_snprintf_hex(hex, hex_len, buf, len); 5069 wpa_msg(hapd->msg_ctx, MSG_INFO, 5070 "MGMT-TX-STATUS stype=%u ok=%d buf=%s", 5071 stype, ok, hex); 5072 os_free(hex); 5073 } 5074 return; 5075 } 5076 #endif /* CONFIG_TESTING_OPTIONS */ 5077 5078 switch (stype) { 5079 case WLAN_FC_STYPE_AUTH: 5080 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 5081 handle_auth_cb(hapd, mgmt, len, ok); 5082 break; 5083 case WLAN_FC_STYPE_ASSOC_RESP: 5084 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 5085 handle_assoc_cb(hapd, mgmt, len, 0, ok); 5086 break; 5087 case WLAN_FC_STYPE_REASSOC_RESP: 5088 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 5089 handle_assoc_cb(hapd, mgmt, len, 1, ok); 5090 break; 5091 case WLAN_FC_STYPE_PROBE_RESP: 5092 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok); 5093 break; 5094 case WLAN_FC_STYPE_DEAUTH: 5095 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 5096 handle_deauth_cb(hapd, mgmt, len, ok); 5097 break; 5098 case WLAN_FC_STYPE_DISASSOC: 5099 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 5100 handle_disassoc_cb(hapd, mgmt, len, ok); 5101 break; 5102 case WLAN_FC_STYPE_ACTION: 5103 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok); 5104 handle_action_cb(hapd, mgmt, len, ok); 5105 break; 5106 default: 5107 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 5108 break; 5109 } 5110 } 5111 5112 5113 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 5114 { 5115 /* TODO */ 5116 return 0; 5117 } 5118 5119 5120 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 5121 char *buf, size_t buflen) 5122 { 5123 /* TODO */ 5124 return 0; 5125 } 5126 5127 5128 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 5129 const u8 *buf, size_t len, int ack) 5130 { 5131 struct sta_info *sta; 5132 struct hostapd_iface *iface = hapd->iface; 5133 5134 sta = ap_get_sta(hapd, addr); 5135 if (sta == NULL && iface->num_bss > 1) { 5136 size_t j; 5137 for (j = 0; j < iface->num_bss; j++) { 5138 hapd = iface->bss[j]; 5139 sta = ap_get_sta(hapd, addr); 5140 if (sta) 5141 break; 5142 } 5143 } 5144 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 5145 return; 5146 if (sta->flags & WLAN_STA_PENDING_POLL) { 5147 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 5148 "activity poll", MAC2STR(sta->addr), 5149 ack ? "ACKed" : "did not ACK"); 5150 if (ack) 5151 sta->flags &= ~WLAN_STA_PENDING_POLL; 5152 } 5153 5154 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 5155 } 5156 5157 5158 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, 5159 const u8 *data, size_t len, int ack) 5160 { 5161 struct sta_info *sta; 5162 struct hostapd_iface *iface = hapd->iface; 5163 5164 sta = ap_get_sta(hapd, dst); 5165 if (sta == NULL && iface->num_bss > 1) { 5166 size_t j; 5167 for (j = 0; j < iface->num_bss; j++) { 5168 hapd = iface->bss[j]; 5169 sta = ap_get_sta(hapd, dst); 5170 if (sta) 5171 break; 5172 } 5173 } 5174 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) { 5175 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA " 5176 MACSTR " that is not currently associated", 5177 MAC2STR(dst)); 5178 return; 5179 } 5180 5181 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack); 5182 } 5183 5184 5185 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 5186 { 5187 struct sta_info *sta; 5188 struct hostapd_iface *iface = hapd->iface; 5189 5190 sta = ap_get_sta(hapd, addr); 5191 if (sta == NULL && iface->num_bss > 1) { 5192 size_t j; 5193 for (j = 0; j < iface->num_bss; j++) { 5194 hapd = iface->bss[j]; 5195 sta = ap_get_sta(hapd, addr); 5196 if (sta) 5197 break; 5198 } 5199 } 5200 if (sta == NULL) 5201 return; 5202 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR, 5203 MAC2STR(sta->addr)); 5204 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 5205 return; 5206 5207 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 5208 "activity poll", MAC2STR(sta->addr)); 5209 sta->flags &= ~WLAN_STA_PENDING_POLL; 5210 } 5211 5212 5213 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 5214 int wds) 5215 { 5216 struct sta_info *sta; 5217 5218 sta = ap_get_sta(hapd, src); 5219 if (sta && 5220 ((sta->flags & WLAN_STA_ASSOC) || 5221 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) { 5222 if (!hapd->conf->wds_sta) 5223 return; 5224 5225 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) == 5226 WLAN_STA_ASSOC_REQ_OK) { 5227 wpa_printf(MSG_DEBUG, 5228 "Postpone 4-address WDS mode enabling for STA " 5229 MACSTR " since TX status for AssocResp is not yet known", 5230 MAC2STR(sta->addr)); 5231 sta->pending_wds_enable = 1; 5232 return; 5233 } 5234 5235 if (wds && !(sta->flags & WLAN_STA_WDS)) { 5236 int ret; 5237 char ifname_wds[IFNAMSIZ + 1]; 5238 5239 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 5240 "STA " MACSTR " (aid %u)", 5241 MAC2STR(sta->addr), sta->aid); 5242 sta->flags |= WLAN_STA_WDS; 5243 ret = hostapd_set_wds_sta(hapd, ifname_wds, 5244 sta->addr, sta->aid, 1); 5245 if (!ret) 5246 hostapd_set_wds_encryption(hapd, sta, 5247 ifname_wds); 5248 } 5249 return; 5250 } 5251 5252 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 5253 MACSTR, MAC2STR(src)); 5254 if (is_multicast_ether_addr(src)) { 5255 /* Broadcast bit set in SA?! Ignore the frame silently. */ 5256 return; 5257 } 5258 5259 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 5260 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 5261 "already been sent, but no TX status yet known - " 5262 "ignore Class 3 frame issue with " MACSTR, 5263 MAC2STR(src)); 5264 return; 5265 } 5266 5267 if (sta && (sta->flags & WLAN_STA_AUTH)) 5268 hostapd_drv_sta_disassoc( 5269 hapd, src, 5270 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 5271 else 5272 hostapd_drv_sta_deauth( 5273 hapd, src, 5274 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 5275 } 5276 5277 5278 #endif /* CONFIG_NATIVE_WINDOWS */ 5279