1 /* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2017, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #ifndef CONFIG_NATIVE_WINDOWS 12 13 #include "utils/common.h" 14 #include "utils/eloop.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/sha384.h" 18 #include "crypto/sha512.h" 19 #include "crypto/random.h" 20 #include "common/ieee802_11_defs.h" 21 #include "common/ieee802_11_common.h" 22 #include "common/wpa_ctrl.h" 23 #include "common/sae.h" 24 #include "common/dpp.h" 25 #include "common/ocv.h" 26 #include "radius/radius.h" 27 #include "radius/radius_client.h" 28 #include "p2p/p2p.h" 29 #include "wps/wps.h" 30 #include "fst/fst.h" 31 #include "hostapd.h" 32 #include "beacon.h" 33 #include "ieee802_11_auth.h" 34 #include "sta_info.h" 35 #include "ieee802_1x.h" 36 #include "wpa_auth.h" 37 #include "pmksa_cache_auth.h" 38 #include "wmm.h" 39 #include "ap_list.h" 40 #include "accounting.h" 41 #include "ap_config.h" 42 #include "ap_mlme.h" 43 #include "p2p_hostapd.h" 44 #include "ap_drv_ops.h" 45 #include "wnm_ap.h" 46 #include "hw_features.h" 47 #include "ieee802_11.h" 48 #include "dfs.h" 49 #include "mbo_ap.h" 50 #include "rrm.h" 51 #include "taxonomy.h" 52 #include "fils_hlp.h" 53 #include "dpp_hostapd.h" 54 #include "gas_query_ap.h" 55 56 57 #ifdef CONFIG_FILS 58 static struct wpabuf * 59 prepare_auth_resp_fils(struct hostapd_data *hapd, 60 struct sta_info *sta, u16 *resp, 61 struct rsn_pmksa_cache_entry *pmksa, 62 struct wpabuf *erp_resp, 63 const u8 *msk, size_t msk_len, 64 int *is_pub); 65 #endif /* CONFIG_FILS */ 66 static void handle_auth(struct hostapd_data *hapd, 67 const struct ieee80211_mgmt *mgmt, size_t len, 68 int rssi, int from_queue); 69 70 71 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid) 72 { 73 u8 multi_ap_val = 0; 74 75 if (!hapd->conf->multi_ap) 76 return eid; 77 if (hapd->conf->multi_ap & BACKHAUL_BSS) 78 multi_ap_val |= MULTI_AP_BACKHAUL_BSS; 79 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 80 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS; 81 82 return eid + add_multi_ap_ie(eid, 9, multi_ap_val); 83 } 84 85 86 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 87 { 88 u8 *pos = eid; 89 int i, num, count; 90 91 if (hapd->iface->current_rates == NULL) 92 return eid; 93 94 *pos++ = WLAN_EID_SUPP_RATES; 95 num = hapd->iface->num_rates; 96 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 97 num++; 98 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 99 num++; 100 if (num > 8) { 101 /* rest of the rates are encoded in Extended supported 102 * rates element */ 103 num = 8; 104 } 105 106 *pos++ = num; 107 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 108 i++) { 109 count++; 110 *pos = hapd->iface->current_rates[i].rate / 5; 111 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 112 *pos |= 0x80; 113 pos++; 114 } 115 116 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 117 count++; 118 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 119 } 120 121 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 122 count++; 123 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 124 } 125 126 return pos; 127 } 128 129 130 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 131 { 132 u8 *pos = eid; 133 int i, num, count; 134 135 if (hapd->iface->current_rates == NULL) 136 return eid; 137 138 num = hapd->iface->num_rates; 139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 140 num++; 141 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 142 num++; 143 if (num <= 8) 144 return eid; 145 num -= 8; 146 147 *pos++ = WLAN_EID_EXT_SUPP_RATES; 148 *pos++ = num; 149 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 150 i++) { 151 count++; 152 if (count <= 8) 153 continue; /* already in SuppRates IE */ 154 *pos = hapd->iface->current_rates[i].rate / 5; 155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 156 *pos |= 0x80; 157 pos++; 158 } 159 160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 161 count++; 162 if (count > 8) 163 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 164 } 165 166 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 167 count++; 168 if (count > 8) 169 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 170 } 171 172 return pos; 173 } 174 175 176 u16 hostapd_own_capab_info(struct hostapd_data *hapd) 177 { 178 int capab = WLAN_CAPABILITY_ESS; 179 int privacy; 180 int dfs; 181 int i; 182 183 /* Check if any of configured channels require DFS */ 184 dfs = hostapd_is_dfs_required(hapd->iface); 185 if (dfs < 0) { 186 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 187 dfs); 188 dfs = 0; 189 } 190 191 if (hapd->iface->num_sta_no_short_preamble == 0 && 192 hapd->iconf->preamble == SHORT_PREAMBLE) 193 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 194 195 privacy = hapd->conf->ssid.wep.keys_set; 196 197 if (hapd->conf->ieee802_1x && 198 (hapd->conf->default_wep_key_len || 199 hapd->conf->individual_wep_key_len)) 200 privacy = 1; 201 202 if (hapd->conf->wpa) 203 privacy = 1; 204 205 #ifdef CONFIG_HS20 206 if (hapd->conf->osen) 207 privacy = 1; 208 #endif /* CONFIG_HS20 */ 209 210 if (privacy) 211 capab |= WLAN_CAPABILITY_PRIVACY; 212 213 if (hapd->iface->current_mode && 214 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 215 hapd->iface->num_sta_no_short_slot_time == 0) 216 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 217 218 /* 219 * Currently, Spectrum Management capability bit is set when directly 220 * requested in configuration by spectrum_mgmt_required or when AP is 221 * running on DFS channel. 222 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 223 */ 224 if (hapd->iface->current_mode && 225 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 226 (hapd->iconf->spectrum_mgmt_required || dfs)) 227 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 228 229 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 230 if (hapd->conf->radio_measurements[i]) { 231 capab |= IEEE80211_CAP_RRM; 232 break; 233 } 234 } 235 236 return capab; 237 } 238 239 240 #ifndef CONFIG_NO_RC4 241 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 242 u16 auth_transaction, const u8 *challenge, 243 int iswep) 244 { 245 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 246 HOSTAPD_LEVEL_DEBUG, 247 "authentication (shared key, transaction %d)", 248 auth_transaction); 249 250 if (auth_transaction == 1) { 251 if (!sta->challenge) { 252 /* Generate a pseudo-random challenge */ 253 u8 key[8]; 254 255 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 256 if (sta->challenge == NULL) 257 return WLAN_STATUS_UNSPECIFIED_FAILURE; 258 259 if (os_get_random(key, sizeof(key)) < 0) { 260 os_free(sta->challenge); 261 sta->challenge = NULL; 262 return WLAN_STATUS_UNSPECIFIED_FAILURE; 263 } 264 265 rc4_skip(key, sizeof(key), 0, 266 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 267 } 268 return 0; 269 } 270 271 if (auth_transaction != 3) 272 return WLAN_STATUS_UNSPECIFIED_FAILURE; 273 274 /* Transaction 3 */ 275 if (!iswep || !sta->challenge || !challenge || 276 os_memcmp_const(sta->challenge, challenge, 277 WLAN_AUTH_CHALLENGE_LEN)) { 278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 279 HOSTAPD_LEVEL_INFO, 280 "shared key authentication - invalid " 281 "challenge-response"); 282 return WLAN_STATUS_CHALLENGE_FAIL; 283 } 284 285 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 286 HOSTAPD_LEVEL_DEBUG, 287 "authentication OK (shared key)"); 288 sta->flags |= WLAN_STA_AUTH; 289 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 290 os_free(sta->challenge); 291 sta->challenge = NULL; 292 293 return 0; 294 } 295 #endif /* CONFIG_NO_RC4 */ 296 297 298 static int send_auth_reply(struct hostapd_data *hapd, 299 const u8 *dst, const u8 *bssid, 300 u16 auth_alg, u16 auth_transaction, u16 resp, 301 const u8 *ies, size_t ies_len, const char *dbg) 302 { 303 struct ieee80211_mgmt *reply; 304 u8 *buf; 305 size_t rlen; 306 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 307 308 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 309 buf = os_zalloc(rlen); 310 if (buf == NULL) 311 return -1; 312 313 reply = (struct ieee80211_mgmt *) buf; 314 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 315 WLAN_FC_STYPE_AUTH); 316 os_memcpy(reply->da, dst, ETH_ALEN); 317 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 318 os_memcpy(reply->bssid, bssid, ETH_ALEN); 319 320 reply->u.auth.auth_alg = host_to_le16(auth_alg); 321 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 322 reply->u.auth.status_code = host_to_le16(resp); 323 324 if (ies && ies_len) 325 os_memcpy(reply->u.auth.variable, ies, ies_len); 326 327 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 328 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)", 329 MAC2STR(dst), auth_alg, auth_transaction, 330 resp, (unsigned long) ies_len, dbg); 331 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) 332 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 333 else 334 reply_res = WLAN_STATUS_SUCCESS; 335 336 os_free(buf); 337 338 return reply_res; 339 } 340 341 342 #ifdef CONFIG_IEEE80211R_AP 343 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, 344 u16 auth_transaction, u16 status, 345 const u8 *ies, size_t ies_len) 346 { 347 struct hostapd_data *hapd = ctx; 348 struct sta_info *sta; 349 int reply_res; 350 351 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, 352 auth_transaction, status, ies, ies_len, 353 "auth-ft-finish"); 354 355 sta = ap_get_sta(hapd, dst); 356 if (sta == NULL) 357 return; 358 359 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS || 360 status != WLAN_STATUS_SUCCESS)) { 361 hostapd_drv_sta_remove(hapd, sta->addr); 362 sta->added_unassoc = 0; 363 return; 364 } 365 366 if (status != WLAN_STATUS_SUCCESS) 367 return; 368 369 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 370 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 371 sta->flags |= WLAN_STA_AUTH; 372 mlme_authenticate_indication(hapd, sta); 373 } 374 #endif /* CONFIG_IEEE80211R_AP */ 375 376 377 #ifdef CONFIG_SAE 378 379 static void sae_set_state(struct sta_info *sta, enum sae_state state, 380 const char *reason) 381 { 382 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)", 383 sae_state_txt(sta->sae->state), sae_state_txt(state), 384 MAC2STR(sta->addr), reason); 385 sta->sae->state = state; 386 } 387 388 389 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 390 struct sta_info *sta, int update) 391 { 392 struct wpabuf *buf; 393 const char *password = NULL; 394 struct sae_password_entry *pw; 395 const char *rx_id = NULL; 396 397 if (sta->sae->tmp) 398 rx_id = sta->sae->tmp->pw_id; 399 400 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) { 401 if (!is_broadcast_ether_addr(pw->peer_addr) && 402 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0) 403 continue; 404 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier)) 405 continue; 406 if (rx_id && pw->identifier && 407 os_strcmp(rx_id, pw->identifier) != 0) 408 continue; 409 password = pw->password; 410 break; 411 } 412 if (!password) 413 password = hapd->conf->ssid.wpa_passphrase; 414 if (!password) { 415 wpa_printf(MSG_DEBUG, "SAE: No password available"); 416 return NULL; 417 } 418 419 if (update && 420 sae_prepare_commit(hapd->own_addr, sta->addr, 421 (u8 *) password, os_strlen(password), rx_id, 422 sta->sae) < 0) { 423 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 424 return NULL; 425 } 426 427 if (pw && pw->vlan_id) { 428 if (!sta->sae->tmp) { 429 wpa_printf(MSG_INFO, 430 "SAE: No temporary data allocated - cannot store VLAN ID"); 431 return NULL; 432 } 433 sta->sae->tmp->vlan_id = pw->vlan_id; 434 } 435 436 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN + 437 (rx_id ? 3 + os_strlen(rx_id) : 0)); 438 if (buf == NULL) 439 return NULL; 440 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 441 sta->sae->tmp->anti_clogging_token : NULL, rx_id); 442 443 return buf; 444 } 445 446 447 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 448 struct sta_info *sta) 449 { 450 struct wpabuf *buf; 451 452 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 453 if (buf == NULL) 454 return NULL; 455 456 sae_write_confirm(sta->sae, buf); 457 458 return buf; 459 } 460 461 462 static int auth_sae_send_commit(struct hostapd_data *hapd, 463 struct sta_info *sta, 464 const u8 *bssid, int update) 465 { 466 struct wpabuf *data; 467 int reply_res; 468 469 data = auth_build_sae_commit(hapd, sta, update); 470 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id) 471 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; 472 if (data == NULL) 473 return WLAN_STATUS_UNSPECIFIED_FAILURE; 474 475 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, 476 WLAN_STATUS_SUCCESS, wpabuf_head(data), 477 wpabuf_len(data), "sae-send-commit"); 478 479 wpabuf_free(data); 480 481 return reply_res; 482 } 483 484 485 static int auth_sae_send_confirm(struct hostapd_data *hapd, 486 struct sta_info *sta, 487 const u8 *bssid) 488 { 489 struct wpabuf *data; 490 int reply_res; 491 492 data = auth_build_sae_confirm(hapd, sta); 493 if (data == NULL) 494 return WLAN_STATUS_UNSPECIFIED_FAILURE; 495 496 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, 497 WLAN_STATUS_SUCCESS, wpabuf_head(data), 498 wpabuf_len(data), "sae-send-confirm"); 499 500 wpabuf_free(data); 501 502 return reply_res; 503 } 504 505 506 static int use_sae_anti_clogging(struct hostapd_data *hapd) 507 { 508 struct sta_info *sta; 509 unsigned int open = 0; 510 511 if (hapd->conf->sae_anti_clogging_threshold == 0) 512 return 1; 513 514 for (sta = hapd->sta_list; sta; sta = sta->next) { 515 if (!sta->sae) 516 continue; 517 if (sta->sae->state != SAE_COMMITTED && 518 sta->sae->state != SAE_CONFIRMED) 519 continue; 520 open++; 521 if (open >= hapd->conf->sae_anti_clogging_threshold) 522 return 1; 523 } 524 525 /* In addition to already existing open SAE sessions, check whether 526 * there are enough pending commit messages in the processing queue to 527 * potentially result in too many open sessions. */ 528 if (open + dl_list_len(&hapd->sae_commit_queue) >= 529 hapd->conf->sae_anti_clogging_threshold) 530 return 1; 531 532 return 0; 533 } 534 535 536 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr) 537 { 538 u8 hash[SHA256_MAC_LEN]; 539 540 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 541 addr, ETH_ALEN, hash); 542 return hash[0]; 543 } 544 545 546 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, 547 const u8 *token, size_t token_len) 548 { 549 u8 mac[SHA256_MAC_LEN]; 550 const u8 *addrs[2]; 551 size_t len[2]; 552 u16 token_idx; 553 u8 idx; 554 555 if (token_len != SHA256_MAC_LEN) 556 return -1; 557 idx = sae_token_hash(hapd, addr); 558 token_idx = hapd->sae_pending_token_idx[idx]; 559 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) { 560 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from " 561 MACSTR " - token_idx 0x%04x, expected 0x%04x", 562 MAC2STR(addr), WPA_GET_BE16(token), token_idx); 563 return -1; 564 } 565 566 addrs[0] = addr; 567 len[0] = ETH_ALEN; 568 addrs[1] = token; 569 len[1] = 2; 570 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), 571 2, addrs, len, mac) < 0 || 572 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0) 573 return -1; 574 575 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */ 576 577 return 0; 578 } 579 580 581 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, 582 int group, const u8 *addr) 583 { 584 struct wpabuf *buf; 585 u8 *token; 586 struct os_reltime now; 587 u8 idx[2]; 588 const u8 *addrs[2]; 589 size_t len[2]; 590 u8 p_idx; 591 u16 token_idx; 592 593 os_get_reltime(&now); 594 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || 595 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) || 596 hapd->sae_token_idx == 0xffff) { 597 if (random_get_bytes(hapd->sae_token_key, 598 sizeof(hapd->sae_token_key)) < 0) 599 return NULL; 600 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", 601 hapd->sae_token_key, sizeof(hapd->sae_token_key)); 602 hapd->last_sae_token_key_update = now; 603 hapd->sae_token_idx = 0; 604 os_memset(hapd->sae_pending_token_idx, 0, 605 sizeof(hapd->sae_pending_token_idx)); 606 } 607 608 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 609 if (buf == NULL) 610 return NULL; 611 612 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ 613 614 p_idx = sae_token_hash(hapd, addr); 615 token_idx = hapd->sae_pending_token_idx[p_idx]; 616 if (!token_idx) { 617 hapd->sae_token_idx++; 618 token_idx = hapd->sae_token_idx; 619 hapd->sae_pending_token_idx[p_idx] = token_idx; 620 } 621 WPA_PUT_BE16(idx, token_idx); 622 token = wpabuf_put(buf, SHA256_MAC_LEN); 623 addrs[0] = addr; 624 len[0] = ETH_ALEN; 625 addrs[1] = idx; 626 len[1] = sizeof(idx); 627 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key), 628 2, addrs, len, token) < 0) { 629 wpabuf_free(buf); 630 return NULL; 631 } 632 WPA_PUT_BE16(token, token_idx); 633 634 return buf; 635 } 636 637 638 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta) 639 { 640 if (sta->sae->sync > hapd->conf->sae_sync) { 641 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync"); 642 sta->sae->sync = 0; 643 return -1; 644 } 645 return 0; 646 } 647 648 649 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 650 { 651 struct hostapd_data *hapd = eloop_ctx; 652 struct sta_info *sta = eloop_data; 653 int ret; 654 655 if (sae_check_big_sync(hapd, sta)) 656 return; 657 sta->sae->sync++; 658 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR 659 " (sync=%d state=%s)", 660 MAC2STR(sta->addr), sta->sae->sync, 661 sae_state_txt(sta->sae->state)); 662 663 switch (sta->sae->state) { 664 case SAE_COMMITTED: 665 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 666 eloop_register_timeout(0, 667 hapd->dot11RSNASAERetransPeriod * 1000, 668 auth_sae_retransmit_timer, hapd, sta); 669 break; 670 case SAE_CONFIRMED: 671 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr); 672 eloop_register_timeout(0, 673 hapd->dot11RSNASAERetransPeriod * 1000, 674 auth_sae_retransmit_timer, hapd, sta); 675 break; 676 default: 677 ret = -1; 678 break; 679 } 680 681 if (ret != WLAN_STATUS_SUCCESS) 682 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 683 } 684 685 686 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 687 { 688 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 689 } 690 691 692 static void sae_set_retransmit_timer(struct hostapd_data *hapd, 693 struct sta_info *sta) 694 { 695 if (!(hapd->conf->mesh & MESH_ENABLED)) 696 return; 697 698 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 699 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000, 700 auth_sae_retransmit_timer, hapd, sta); 701 } 702 703 704 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd, 705 struct sta_info *sta, u16 status) 706 { 707 struct external_auth params; 708 709 os_memset(¶ms, 0, sizeof(params)); 710 params.status = status; 711 params.bssid = sta->addr; 712 if (status == WLAN_STATUS_SUCCESS && sta->sae) 713 params.pmkid = sta->sae->pmkid; 714 715 hostapd_drv_send_external_auth_status(hapd, ¶ms); 716 } 717 718 719 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) 720 { 721 #ifndef CONFIG_NO_VLAN 722 struct vlan_description vlan_desc; 723 724 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) { 725 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR 726 " to VLAN ID %d", 727 MAC2STR(sta->addr), sta->sae->tmp->vlan_id); 728 729 os_memset(&vlan_desc, 0, sizeof(vlan_desc)); 730 vlan_desc.notempty = 1; 731 vlan_desc.untagged = sta->sae->tmp->vlan_id; 732 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { 733 wpa_printf(MSG_INFO, 734 "Invalid VLAN ID %d in sae_password", 735 sta->sae->tmp->vlan_id); 736 return; 737 } 738 739 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 || 740 ap_sta_bind_vlan(hapd, sta) < 0) { 741 wpa_printf(MSG_INFO, 742 "Failed to assign VLAN ID %d from sae_password to " 743 MACSTR, sta->sae->tmp->vlan_id, 744 MAC2STR(sta->addr)); 745 return; 746 } 747 } 748 #endif /* CONFIG_NO_VLAN */ 749 750 sta->flags |= WLAN_STA_AUTH; 751 sta->auth_alg = WLAN_AUTH_SAE; 752 mlme_authenticate_indication(hapd, sta); 753 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 754 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm"); 755 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 756 sta->sae->pmk, sta->sae->pmkid); 757 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS); 758 } 759 760 761 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 762 const u8 *bssid, u8 auth_transaction, int allow_reuse, 763 int *sta_removed) 764 { 765 int ret; 766 767 *sta_removed = 0; 768 769 if (auth_transaction != 1 && auth_transaction != 2) 770 return WLAN_STATUS_UNSPECIFIED_FAILURE; 771 772 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u", 773 MAC2STR(sta->addr), sae_state_txt(sta->sae->state), 774 auth_transaction); 775 switch (sta->sae->state) { 776 case SAE_NOTHING: 777 if (auth_transaction == 1) { 778 ret = auth_sae_send_commit(hapd, sta, bssid, 779 !allow_reuse); 780 if (ret) 781 return ret; 782 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 783 784 if (sae_process_commit(sta->sae) < 0) 785 return WLAN_STATUS_UNSPECIFIED_FAILURE; 786 787 /* 788 * In mesh case, both Commit and Confirm can be sent 789 * immediately. In infrastructure BSS, only a single 790 * Authentication frame (Commit) is expected from the AP 791 * here and the second one (Confirm) will be sent once 792 * the STA has sent its second Authentication frame 793 * (Confirm). 794 */ 795 if (hapd->conf->mesh & MESH_ENABLED) { 796 /* 797 * Send both Commit and Confirm immediately 798 * based on SAE finite state machine 799 * Nothing -> Confirm transition. 800 */ 801 ret = auth_sae_send_confirm(hapd, sta, bssid); 802 if (ret) 803 return ret; 804 sae_set_state(sta, SAE_CONFIRMED, 805 "Sent Confirm (mesh)"); 806 } else { 807 /* 808 * For infrastructure BSS, send only the Commit 809 * message now to get alternating sequence of 810 * Authentication frames between the AP and STA. 811 * Confirm will be sent in 812 * Committed -> Confirmed/Accepted transition 813 * when receiving Confirm from STA. 814 */ 815 } 816 sta->sae->sync = 0; 817 sae_set_retransmit_timer(hapd, sta); 818 } else { 819 hostapd_logger(hapd, sta->addr, 820 HOSTAPD_MODULE_IEEE80211, 821 HOSTAPD_LEVEL_DEBUG, 822 "SAE confirm before commit"); 823 } 824 break; 825 case SAE_COMMITTED: 826 sae_clear_retransmit_timer(hapd, sta); 827 if (auth_transaction == 1) { 828 if (sae_process_commit(sta->sae) < 0) 829 return WLAN_STATUS_UNSPECIFIED_FAILURE; 830 831 ret = auth_sae_send_confirm(hapd, sta, bssid); 832 if (ret) 833 return ret; 834 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 835 sta->sae->sync = 0; 836 sae_set_retransmit_timer(hapd, sta); 837 } else if (hapd->conf->mesh & MESH_ENABLED) { 838 /* 839 * In mesh case, follow SAE finite state machine and 840 * send Commit now, if sync count allows. 841 */ 842 if (sae_check_big_sync(hapd, sta)) 843 return WLAN_STATUS_SUCCESS; 844 sta->sae->sync++; 845 846 ret = auth_sae_send_commit(hapd, sta, bssid, 0); 847 if (ret) 848 return ret; 849 850 sae_set_retransmit_timer(hapd, sta); 851 } else { 852 /* 853 * For instructure BSS, send the postponed Confirm from 854 * Nothing -> Confirmed transition that was reduced to 855 * Nothing -> Committed above. 856 */ 857 ret = auth_sae_send_confirm(hapd, sta, bssid); 858 if (ret) 859 return ret; 860 861 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm"); 862 863 /* 864 * Since this was triggered on Confirm RX, run another 865 * step to get to Accepted without waiting for 866 * additional events. 867 */ 868 return sae_sm_step(hapd, sta, bssid, auth_transaction, 869 0, sta_removed); 870 } 871 break; 872 case SAE_CONFIRMED: 873 sae_clear_retransmit_timer(hapd, sta); 874 if (auth_transaction == 1) { 875 if (sae_check_big_sync(hapd, sta)) 876 return WLAN_STATUS_SUCCESS; 877 sta->sae->sync++; 878 879 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 880 if (ret) 881 return ret; 882 883 if (sae_process_commit(sta->sae) < 0) 884 return WLAN_STATUS_UNSPECIFIED_FAILURE; 885 886 ret = auth_sae_send_confirm(hapd, sta, bssid); 887 if (ret) 888 return ret; 889 890 sae_set_retransmit_timer(hapd, sta); 891 } else { 892 sta->sae->send_confirm = 0xffff; 893 sae_accept_sta(hapd, sta); 894 } 895 break; 896 case SAE_ACCEPTED: 897 if (auth_transaction == 1 && 898 (hapd->conf->mesh & MESH_ENABLED)) { 899 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 900 ") doing reauthentication", 901 MAC2STR(sta->addr)); 902 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 903 ap_free_sta(hapd, sta); 904 *sta_removed = 1; 905 } else if (auth_transaction == 1) { 906 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication"); 907 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 908 if (ret) 909 return ret; 910 sae_set_state(sta, SAE_COMMITTED, "Sent Commit"); 911 912 if (sae_process_commit(sta->sae) < 0) 913 return WLAN_STATUS_UNSPECIFIED_FAILURE; 914 sta->sae->sync = 0; 915 sae_set_retransmit_timer(hapd, sta); 916 } else { 917 if (sae_check_big_sync(hapd, sta)) 918 return WLAN_STATUS_SUCCESS; 919 sta->sae->sync++; 920 921 ret = auth_sae_send_confirm(hapd, sta, bssid); 922 sae_clear_temp_data(sta->sae); 923 if (ret) 924 return ret; 925 } 926 break; 927 default: 928 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 929 sta->sae->state); 930 return WLAN_STATUS_UNSPECIFIED_FAILURE; 931 } 932 return WLAN_STATUS_SUCCESS; 933 } 934 935 936 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) 937 { 938 struct sae_data *sae = sta->sae; 939 int i, *groups = hapd->conf->sae_groups; 940 int default_groups[] = { 19, 0 }; 941 942 if (sae->state != SAE_COMMITTED) 943 return; 944 945 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group); 946 947 if (!groups) 948 groups = default_groups; 949 for (i = 0; groups[i] > 0; i++) { 950 if (sae->group == groups[i]) 951 break; 952 } 953 954 if (groups[i] <= 0) { 955 wpa_printf(MSG_DEBUG, 956 "SAE: Previously selected group not found from the current configuration"); 957 return; 958 } 959 960 for (;;) { 961 i++; 962 if (groups[i] <= 0) { 963 wpa_printf(MSG_DEBUG, 964 "SAE: No alternative group enabled"); 965 return; 966 } 967 968 if (sae_set_group(sae, groups[i]) < 0) 969 continue; 970 971 break; 972 } 973 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]); 974 } 975 976 977 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 978 const struct ieee80211_mgmt *mgmt, size_t len, 979 u16 auth_transaction, u16 status_code) 980 { 981 int resp = WLAN_STATUS_SUCCESS; 982 struct wpabuf *data = NULL; 983 int *groups = hapd->conf->sae_groups; 984 int default_groups[] = { 19, 0 }; 985 const u8 *pos, *end; 986 int sta_removed = 0; 987 988 if (!groups) 989 groups = default_groups; 990 991 #ifdef CONFIG_TESTING_OPTIONS 992 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) { 993 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack"); 994 pos = mgmt->u.auth.variable; 995 end = ((const u8 *) mgmt) + len; 996 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 997 auth_transaction, resp, pos, end - pos, 998 "auth-sae-reflection-attack"); 999 goto remove_sta; 1000 } 1001 1002 if (hapd->conf->sae_commit_override && auth_transaction == 1) { 1003 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 1004 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 1005 auth_transaction, resp, 1006 wpabuf_head(hapd->conf->sae_commit_override), 1007 wpabuf_len(hapd->conf->sae_commit_override), 1008 "sae-commit-override"); 1009 goto remove_sta; 1010 } 1011 #endif /* CONFIG_TESTING_OPTIONS */ 1012 if (!sta->sae) { 1013 if (auth_transaction != 1 || 1014 status_code != WLAN_STATUS_SUCCESS) { 1015 resp = -1; 1016 goto remove_sta; 1017 } 1018 sta->sae = os_zalloc(sizeof(*sta->sae)); 1019 if (!sta->sae) { 1020 resp = -1; 1021 goto remove_sta; 1022 } 1023 sae_set_state(sta, SAE_NOTHING, "Init"); 1024 sta->sae->sync = 0; 1025 } 1026 1027 if (sta->mesh_sae_pmksa_caching) { 1028 wpa_printf(MSG_DEBUG, 1029 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication"); 1030 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 1031 sta->mesh_sae_pmksa_caching = 0; 1032 } 1033 1034 if (auth_transaction == 1) { 1035 const u8 *token = NULL; 1036 size_t token_len = 0; 1037 int allow_reuse = 0; 1038 1039 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1040 HOSTAPD_LEVEL_DEBUG, 1041 "start SAE authentication (RX commit, status=%u)", 1042 status_code); 1043 1044 if ((hapd->conf->mesh & MESH_ENABLED) && 1045 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1046 sta->sae->tmp) { 1047 pos = mgmt->u.auth.variable; 1048 end = ((const u8 *) mgmt) + len; 1049 if (pos + sizeof(le16) > end) { 1050 wpa_printf(MSG_ERROR, 1051 "SAE: Too short anti-clogging token request"); 1052 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1053 goto reply; 1054 } 1055 resp = sae_group_allowed(sta->sae, groups, 1056 WPA_GET_LE16(pos)); 1057 if (resp != WLAN_STATUS_SUCCESS) { 1058 wpa_printf(MSG_ERROR, 1059 "SAE: Invalid group in anti-clogging token request"); 1060 goto reply; 1061 } 1062 pos += sizeof(le16); 1063 1064 wpabuf_free(sta->sae->tmp->anti_clogging_token); 1065 sta->sae->tmp->anti_clogging_token = 1066 wpabuf_alloc_copy(pos, end - pos); 1067 if (sta->sae->tmp->anti_clogging_token == NULL) { 1068 wpa_printf(MSG_ERROR, 1069 "SAE: Failed to alloc for anti-clogging token"); 1070 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1071 goto remove_sta; 1072 } 1073 1074 /* 1075 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 1076 * is 76, a new Commit Message shall be constructed 1077 * with the Anti-Clogging Token from the received 1078 * Authentication frame, and the commit-scalar and 1079 * COMMIT-ELEMENT previously sent. 1080 */ 1081 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0); 1082 if (resp != WLAN_STATUS_SUCCESS) { 1083 wpa_printf(MSG_ERROR, 1084 "SAE: Failed to send commit message"); 1085 goto remove_sta; 1086 } 1087 sae_set_state(sta, SAE_COMMITTED, 1088 "Sent Commit (anti-clogging token case in mesh)"); 1089 sta->sae->sync = 0; 1090 sae_set_retransmit_timer(hapd, sta); 1091 return; 1092 } 1093 1094 if ((hapd->conf->mesh & MESH_ENABLED) && 1095 status_code == 1096 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1097 sta->sae->tmp) { 1098 wpa_printf(MSG_DEBUG, 1099 "SAE: Peer did not accept our SAE group"); 1100 sae_pick_next_group(hapd, sta); 1101 goto remove_sta; 1102 } 1103 1104 if (status_code != WLAN_STATUS_SUCCESS) 1105 goto remove_sta; 1106 1107 if (!(hapd->conf->mesh & MESH_ENABLED) && 1108 sta->sae->state == SAE_COMMITTED) { 1109 /* This is needed in the infrastructure BSS case to 1110 * address a sequence where a STA entry may remain in 1111 * hostapd across two attempts to do SAE authentication 1112 * by the same STA. The second attempt may end up trying 1113 * to use a different group and that would not be 1114 * allowed if we remain in Committed state with the 1115 * previously set parameters. */ 1116 pos = mgmt->u.auth.variable; 1117 end = ((const u8 *) mgmt) + len; 1118 if (end - pos >= (int) sizeof(le16) && 1119 sae_group_allowed(sta->sae, groups, 1120 WPA_GET_LE16(pos)) == 1121 WLAN_STATUS_SUCCESS) { 1122 /* Do not waste resources deriving the same PWE 1123 * again since the same group is reused. */ 1124 sae_set_state(sta, SAE_NOTHING, 1125 "Allow previous PWE to be reused"); 1126 allow_reuse = 1; 1127 } else { 1128 sae_set_state(sta, SAE_NOTHING, 1129 "Clear existing state to allow restart"); 1130 sae_clear_data(sta->sae); 1131 } 1132 } 1133 1134 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 1135 ((const u8 *) mgmt) + len - 1136 mgmt->u.auth.variable, &token, 1137 &token_len, groups); 1138 if (resp == SAE_SILENTLY_DISCARD) { 1139 wpa_printf(MSG_DEBUG, 1140 "SAE: Drop commit message from " MACSTR " due to reflection attack", 1141 MAC2STR(sta->addr)); 1142 goto remove_sta; 1143 } 1144 1145 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1146 wpa_msg(hapd->msg_ctx, MSG_INFO, 1147 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER 1148 MACSTR, MAC2STR(sta->addr)); 1149 sae_clear_retransmit_timer(hapd, sta); 1150 sae_set_state(sta, SAE_NOTHING, 1151 "Unknown Password Identifier"); 1152 goto remove_sta; 1153 } 1154 1155 if (token && check_sae_token(hapd, sta->addr, token, token_len) 1156 < 0) { 1157 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 1158 "incorrect token from " MACSTR, 1159 MAC2STR(sta->addr)); 1160 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1161 goto remove_sta; 1162 } 1163 1164 if (resp != WLAN_STATUS_SUCCESS) 1165 goto reply; 1166 1167 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) { 1168 wpa_printf(MSG_DEBUG, 1169 "SAE: Request anti-clogging token from " 1170 MACSTR, MAC2STR(sta->addr)); 1171 data = auth_build_token_req(hapd, sta->sae->group, 1172 sta->addr); 1173 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 1174 if (hapd->conf->mesh & MESH_ENABLED) 1175 sae_set_state(sta, SAE_NOTHING, 1176 "Request anti-clogging token case in mesh"); 1177 goto reply; 1178 } 1179 1180 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 1181 allow_reuse, &sta_removed); 1182 } else if (auth_transaction == 2) { 1183 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1184 HOSTAPD_LEVEL_DEBUG, 1185 "SAE authentication (RX confirm, status=%u)", 1186 status_code); 1187 if (status_code != WLAN_STATUS_SUCCESS) 1188 goto remove_sta; 1189 if (sta->sae->state >= SAE_CONFIRMED || 1190 !(hapd->conf->mesh & MESH_ENABLED)) { 1191 const u8 *var; 1192 size_t var_len; 1193 u16 peer_send_confirm; 1194 1195 var = mgmt->u.auth.variable; 1196 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable; 1197 if (var_len < 2) { 1198 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1199 goto reply; 1200 } 1201 1202 peer_send_confirm = WPA_GET_LE16(var); 1203 1204 if (sta->sae->state == SAE_ACCEPTED && 1205 (peer_send_confirm <= sta->sae->rc || 1206 peer_send_confirm == 0xffff)) { 1207 wpa_printf(MSG_DEBUG, 1208 "SAE: Silently ignore unexpected Confirm from peer " 1209 MACSTR 1210 " (peer-send-confirm=%u Rc=%u)", 1211 MAC2STR(sta->addr), 1212 peer_send_confirm, sta->sae->rc); 1213 return; 1214 } 1215 1216 if (sae_check_confirm(sta->sae, var, var_len) < 0) { 1217 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1218 goto reply; 1219 } 1220 sta->sae->rc = peer_send_confirm; 1221 } 1222 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0, 1223 &sta_removed); 1224 } else { 1225 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1226 HOSTAPD_LEVEL_DEBUG, 1227 "unexpected SAE authentication transaction %u (status=%u)", 1228 auth_transaction, status_code); 1229 if (status_code != WLAN_STATUS_SUCCESS) 1230 goto remove_sta; 1231 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 1232 } 1233 1234 reply: 1235 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) { 1236 pos = mgmt->u.auth.variable; 1237 end = ((const u8 *) mgmt) + len; 1238 1239 /* Copy the Finite Cyclic Group field from the request if we 1240 * rejected it as unsupported group. */ 1241 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1242 !data && end - pos >= 2) 1243 data = wpabuf_alloc_copy(pos, 2); 1244 1245 sae_sme_send_external_auth_status(hapd, sta, resp); 1246 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 1247 auth_transaction, resp, 1248 data ? wpabuf_head(data) : (u8 *) "", 1249 data ? wpabuf_len(data) : 0, "auth-sae"); 1250 } 1251 1252 remove_sta: 1253 if (!sta_removed && sta->added_unassoc && 1254 (resp != WLAN_STATUS_SUCCESS || 1255 status_code != WLAN_STATUS_SUCCESS)) { 1256 hostapd_drv_sta_remove(hapd, sta->addr); 1257 sta->added_unassoc = 0; 1258 } 1259 wpabuf_free(data); 1260 } 1261 1262 1263 /** 1264 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 1265 * @hapd: BSS data for the device initiating the authentication 1266 * @sta: the peer to which commit authentication frame is sent 1267 * 1268 * This function implements Init event handling (IEEE Std 802.11-2012, 1269 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 1270 * sta->sae structure should be initialized appropriately via a call to 1271 * sae_prepare_commit(). 1272 */ 1273 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 1274 { 1275 int ret; 1276 1277 if (!sta->sae || !sta->sae->tmp) 1278 return -1; 1279 1280 if (sta->sae->state != SAE_NOTHING) 1281 return -1; 1282 1283 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 1284 if (ret) 1285 return -1; 1286 1287 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit"); 1288 sta->sae->sync = 0; 1289 sae_set_retransmit_timer(hapd, sta); 1290 1291 return 0; 1292 } 1293 1294 1295 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx) 1296 { 1297 struct hostapd_data *hapd = eloop_ctx; 1298 struct hostapd_sae_commit_queue *q; 1299 unsigned int queue_len; 1300 1301 q = dl_list_first(&hapd->sae_commit_queue, 1302 struct hostapd_sae_commit_queue, list); 1303 if (!q) 1304 return; 1305 wpa_printf(MSG_DEBUG, 1306 "SAE: Process next available message from queue"); 1307 dl_list_del(&q->list); 1308 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len, 1309 q->rssi, 1); 1310 os_free(q); 1311 1312 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1313 return; 1314 queue_len = dl_list_len(&hapd->sae_commit_queue); 1315 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1316 hapd, NULL); 1317 } 1318 1319 1320 static void auth_sae_queue(struct hostapd_data *hapd, 1321 const struct ieee80211_mgmt *mgmt, size_t len, 1322 int rssi) 1323 { 1324 struct hostapd_sae_commit_queue *q, *q2; 1325 unsigned int queue_len; 1326 const struct ieee80211_mgmt *mgmt2; 1327 1328 queue_len = dl_list_len(&hapd->sae_commit_queue); 1329 if (queue_len >= 15) { 1330 wpa_printf(MSG_DEBUG, 1331 "SAE: No more room in message queue - drop the new frame from " 1332 MACSTR, MAC2STR(mgmt->sa)); 1333 return; 1334 } 1335 1336 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from " 1337 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa), 1338 queue_len); 1339 q = os_zalloc(sizeof(*q) + len); 1340 if (!q) 1341 return; 1342 q->rssi = rssi; 1343 q->len = len; 1344 os_memcpy(q->msg, mgmt, len); 1345 1346 /* Check whether there is already a queued Authentication frame from the 1347 * same station with the same transaction number and if so, replace that 1348 * queue entry with the new one. This avoids issues with a peer that 1349 * sends multiple times (e.g., due to frequent SAE retries). There is no 1350 * point in us trying to process the old attempts after a new one has 1351 * obsoleted them. */ 1352 dl_list_for_each(q2, &hapd->sae_commit_queue, 1353 struct hostapd_sae_commit_queue, list) { 1354 mgmt2 = (const struct ieee80211_mgmt *) q2->msg; 1355 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 && 1356 mgmt->u.auth.auth_transaction == 1357 mgmt2->u.auth.auth_transaction) { 1358 wpa_printf(MSG_DEBUG, 1359 "SAE: Replace queued message from same STA with same transaction number"); 1360 dl_list_add(&q2->list, &q->list); 1361 dl_list_del(&q2->list); 1362 os_free(q2); 1363 goto queued; 1364 } 1365 } 1366 1367 /* No pending identical entry, so add to the end of the queue */ 1368 dl_list_add_tail(&hapd->sae_commit_queue, &q->list); 1369 1370 queued: 1371 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL)) 1372 return; 1373 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit, 1374 hapd, NULL); 1375 } 1376 1377 1378 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr) 1379 { 1380 struct hostapd_sae_commit_queue *q; 1381 const struct ieee80211_mgmt *mgmt; 1382 1383 dl_list_for_each(q, &hapd->sae_commit_queue, 1384 struct hostapd_sae_commit_queue, list) { 1385 mgmt = (const struct ieee80211_mgmt *) q->msg; 1386 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0) 1387 return 1; 1388 } 1389 1390 return 0; 1391 } 1392 1393 #endif /* CONFIG_SAE */ 1394 1395 1396 static u16 wpa_res_to_status_code(int res) 1397 { 1398 if (res == WPA_INVALID_GROUP) 1399 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 1400 if (res == WPA_INVALID_PAIRWISE) 1401 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1402 if (res == WPA_INVALID_AKMP) 1403 return WLAN_STATUS_AKMP_NOT_VALID; 1404 if (res == WPA_ALLOC_FAIL) 1405 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1406 #ifdef CONFIG_IEEE80211W 1407 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION) 1408 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 1409 if (res == WPA_INVALID_MGMT_GROUP_CIPHER) 1410 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 1411 #endif /* CONFIG_IEEE80211W */ 1412 if (res == WPA_INVALID_MDIE) 1413 return WLAN_STATUS_INVALID_MDIE; 1414 if (res == WPA_INVALID_PMKID) 1415 return WLAN_STATUS_INVALID_PMKID; 1416 if (res != WPA_IE_OK) 1417 return WLAN_STATUS_INVALID_IE; 1418 return WLAN_STATUS_SUCCESS; 1419 } 1420 1421 1422 #ifdef CONFIG_FILS 1423 1424 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1425 struct sta_info *sta, u16 resp, 1426 struct wpabuf *data, int pub); 1427 1428 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, 1429 const u8 *pos, size_t len, u16 auth_alg, 1430 u16 auth_transaction, u16 status_code, 1431 void (*cb)(struct hostapd_data *hapd, 1432 struct sta_info *sta, u16 resp, 1433 struct wpabuf *data, int pub)) 1434 { 1435 u16 resp = WLAN_STATUS_SUCCESS; 1436 const u8 *end; 1437 struct ieee802_11_elems elems; 1438 int res; 1439 struct wpa_ie_data rsn; 1440 struct rsn_pmksa_cache_entry *pmksa = NULL; 1441 1442 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 1443 return; 1444 1445 end = pos + len; 1446 1447 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 1448 pos, end - pos); 1449 1450 /* TODO: FILS PK */ 1451 #ifdef CONFIG_FILS_SK_PFS 1452 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) { 1453 u16 group; 1454 struct wpabuf *pub; 1455 size_t elem_len; 1456 1457 /* Using FILS PFS */ 1458 1459 /* Finite Cyclic Group */ 1460 if (end - pos < 2) { 1461 wpa_printf(MSG_DEBUG, 1462 "FILS: No room for Finite Cyclic Group"); 1463 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1464 goto fail; 1465 } 1466 group = WPA_GET_LE16(pos); 1467 pos += 2; 1468 if (group != hapd->conf->fils_dh_group) { 1469 wpa_printf(MSG_DEBUG, 1470 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)", 1471 group, hapd->conf->fils_dh_group); 1472 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1473 goto fail; 1474 } 1475 1476 crypto_ecdh_deinit(sta->fils_ecdh); 1477 sta->fils_ecdh = crypto_ecdh_init(group); 1478 if (!sta->fils_ecdh) { 1479 wpa_printf(MSG_INFO, 1480 "FILS: Could not initialize ECDH with group %d", 1481 group); 1482 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1483 goto fail; 1484 } 1485 1486 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 1487 if (!pub) { 1488 wpa_printf(MSG_DEBUG, 1489 "FILS: Failed to derive ECDH public key"); 1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1491 goto fail; 1492 } 1493 elem_len = wpabuf_len(pub); 1494 wpabuf_free(pub); 1495 1496 /* Element */ 1497 if ((size_t) (end - pos) < elem_len) { 1498 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 1499 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1500 goto fail; 1501 } 1502 1503 wpabuf_free(sta->fils_g_sta); 1504 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len); 1505 wpabuf_clear_free(sta->fils_dh_ss); 1506 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1, 1507 pos, elem_len); 1508 if (!sta->fils_dh_ss) { 1509 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 1510 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1511 goto fail; 1512 } 1513 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss); 1514 pos += elem_len; 1515 } else { 1516 crypto_ecdh_deinit(sta->fils_ecdh); 1517 sta->fils_ecdh = NULL; 1518 wpabuf_clear_free(sta->fils_dh_ss); 1519 sta->fils_dh_ss = NULL; 1520 } 1521 #endif /* CONFIG_FILS_SK_PFS */ 1522 1523 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 1524 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 1525 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 1526 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1527 goto fail; 1528 } 1529 1530 /* RSNE */ 1531 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", 1532 elems.rsn_ie, elems.rsn_ie_len); 1533 if (!elems.rsn_ie || 1534 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1535 &rsn) < 0) { 1536 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element"); 1537 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1538 goto fail; 1539 } 1540 1541 if (!sta->wpa_sm) 1542 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 1543 NULL); 1544 if (!sta->wpa_sm) { 1545 wpa_printf(MSG_DEBUG, 1546 "FILS: Failed to initialize RSN state machine"); 1547 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1548 goto fail; 1549 } 1550 1551 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1552 hapd->iface->freq, 1553 elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1554 elems.mdie, elems.mdie_len, NULL, 0); 1555 resp = wpa_res_to_status_code(res); 1556 if (resp != WLAN_STATUS_SUCCESS) 1557 goto fail; 1558 1559 if (!elems.fils_nonce) { 1560 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 1561 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1562 goto fail; 1563 } 1564 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce, 1565 FILS_NONCE_LEN); 1566 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN); 1567 1568 /* PMKID List */ 1569 if (rsn.pmkid && rsn.num_pmkid > 0) { 1570 u8 num; 1571 const u8 *pmkid; 1572 1573 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 1574 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 1575 1576 pmkid = rsn.pmkid; 1577 num = rsn.num_pmkid; 1578 while (num) { 1579 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 1580 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, 1581 pmkid); 1582 if (pmksa) 1583 break; 1584 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth, 1585 sta->addr, 1586 pmkid); 1587 if (pmksa) 1588 break; 1589 pmkid += PMKID_LEN; 1590 num--; 1591 } 1592 } 1593 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) { 1594 wpa_printf(MSG_DEBUG, 1595 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore", 1596 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp); 1597 pmksa = NULL; 1598 } 1599 if (pmksa) 1600 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry"); 1601 1602 /* FILS Session */ 1603 if (!elems.fils_session) { 1604 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 1605 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1606 goto fail; 1607 } 1608 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 1609 FILS_SESSION_LEN); 1610 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN); 1611 1612 /* FILS Wrapped Data */ 1613 if (elems.fils_wrapped_data) { 1614 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 1615 elems.fils_wrapped_data, 1616 elems.fils_wrapped_data_len); 1617 if (!pmksa) { 1618 #ifndef CONFIG_NO_RADIUS 1619 if (!sta->eapol_sm) { 1620 sta->eapol_sm = 1621 ieee802_1x_alloc_eapol_sm(hapd, sta); 1622 } 1623 wpa_printf(MSG_DEBUG, 1624 "FILS: Forward EAP-Initiate/Re-auth to authentication server"); 1625 ieee802_1x_encapsulate_radius( 1626 hapd, sta, elems.fils_wrapped_data, 1627 elems.fils_wrapped_data_len); 1628 sta->fils_pending_cb = cb; 1629 wpa_printf(MSG_DEBUG, 1630 "FILS: Will send Authentication frame once the response from authentication server is available"); 1631 sta->flags |= WLAN_STA_PENDING_FILS_ERP; 1632 /* Calculate pending PMKID here so that we do not need 1633 * to maintain a copy of the EAP-Initiate/Reauth 1634 * message. */ 1635 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1636 elems.fils_wrapped_data, 1637 elems.fils_wrapped_data_len, 1638 sta->fils_erp_pmkid) == 0) 1639 sta->fils_erp_pmkid_set = 1; 1640 return; 1641 #else /* CONFIG_NO_RADIUS */ 1642 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1643 goto fail; 1644 #endif /* CONFIG_NO_RADIUS */ 1645 } 1646 } 1647 1648 fail: 1649 if (cb) { 1650 struct wpabuf *data; 1651 int pub = 0; 1652 1653 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL, 1654 NULL, 0, &pub); 1655 if (!data) { 1656 wpa_printf(MSG_DEBUG, 1657 "%s: prepare_auth_resp_fils() returned failure", 1658 __func__); 1659 } 1660 1661 cb(hapd, sta, resp, data, pub); 1662 } 1663 } 1664 1665 1666 static struct wpabuf * 1667 prepare_auth_resp_fils(struct hostapd_data *hapd, 1668 struct sta_info *sta, u16 *resp, 1669 struct rsn_pmksa_cache_entry *pmksa, 1670 struct wpabuf *erp_resp, 1671 const u8 *msk, size_t msk_len, 1672 int *is_pub) 1673 { 1674 u8 fils_nonce[FILS_NONCE_LEN]; 1675 size_t ielen; 1676 struct wpabuf *data = NULL; 1677 const u8 *ie; 1678 u8 *ie_buf = NULL; 1679 const u8 *pmk = NULL; 1680 size_t pmk_len = 0; 1681 u8 pmk_buf[PMK_LEN_MAX]; 1682 struct wpabuf *pub = NULL; 1683 1684 if (*resp != WLAN_STATUS_SUCCESS) 1685 goto fail; 1686 1687 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen); 1688 if (!ie) { 1689 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1690 goto fail; 1691 } 1692 1693 if (pmksa) { 1694 /* Add PMKID of the selected PMKSA into RSNE */ 1695 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN); 1696 if (!ie_buf) { 1697 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1698 goto fail; 1699 } 1700 1701 os_memcpy(ie_buf, ie, ielen); 1702 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) { 1703 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1704 goto fail; 1705 } 1706 ie = ie_buf; 1707 } 1708 1709 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) { 1710 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1711 goto fail; 1712 } 1713 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce", 1714 fils_nonce, FILS_NONCE_LEN); 1715 1716 #ifdef CONFIG_FILS_SK_PFS 1717 if (sta->fils_dh_ss && sta->fils_ecdh) { 1718 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1); 1719 if (!pub) { 1720 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1721 goto fail; 1722 } 1723 } 1724 #endif /* CONFIG_FILS_SK_PFS */ 1725 1726 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0)); 1727 if (!data) { 1728 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1729 goto fail; 1730 } 1731 1732 /* TODO: FILS PK */ 1733 #ifdef CONFIG_FILS_SK_PFS 1734 if (pub) { 1735 /* Finite Cyclic Group */ 1736 wpabuf_put_le16(data, hapd->conf->fils_dh_group); 1737 1738 /* Element */ 1739 wpabuf_put_buf(data, pub); 1740 } 1741 #endif /* CONFIG_FILS_SK_PFS */ 1742 1743 /* RSNE */ 1744 wpabuf_put_data(data, ie, ielen); 1745 1746 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */ 1747 1748 #ifdef CONFIG_IEEE80211R_AP 1749 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) { 1750 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */ 1751 int res; 1752 int use_sha384 = wpa_key_mgmt_sha384( 1753 wpa_auth_sta_key_mgmt(sta->wpa_sm)); 1754 1755 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384, 1756 wpabuf_put(data, 0), 1757 wpabuf_tailroom(data)); 1758 if (res < 0) { 1759 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1760 goto fail; 1761 } 1762 wpabuf_put(data, res); 1763 } 1764 #endif /* CONFIG_IEEE80211R_AP */ 1765 1766 /* FILS Nonce */ 1767 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1768 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */ 1769 /* Element ID Extension */ 1770 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE); 1771 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN); 1772 1773 /* FILS Session */ 1774 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1775 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */ 1776 /* Element ID Extension */ 1777 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION); 1778 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN); 1779 1780 /* FILS Wrapped Data */ 1781 if (!pmksa && erp_resp) { 1782 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1783 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */ 1784 /* Element ID Extension */ 1785 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA); 1786 wpabuf_put_buf(data, erp_resp); 1787 1788 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1789 msk, msk_len, sta->fils_snonce, fils_nonce, 1790 sta->fils_dh_ss ? 1791 wpabuf_head(sta->fils_dh_ss) : NULL, 1792 sta->fils_dh_ss ? 1793 wpabuf_len(sta->fils_dh_ss) : 0, 1794 pmk_buf, &pmk_len)) { 1795 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 1796 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1797 wpabuf_free(data); 1798 data = NULL; 1799 goto fail; 1800 } 1801 pmk = pmk_buf; 1802 1803 /* Don't use DHss in PTK derivation if PMKSA caching is not 1804 * used. */ 1805 wpabuf_clear_free(sta->fils_dh_ss); 1806 sta->fils_dh_ss = NULL; 1807 1808 if (sta->fils_erp_pmkid_set) { 1809 /* TODO: get PMKLifetime from WPA parameters */ 1810 unsigned int dot11RSNAConfigPMKLifetime = 43200; 1811 int session_timeout; 1812 1813 session_timeout = dot11RSNAConfigPMKLifetime; 1814 if (sta->session_timeout_set) { 1815 struct os_reltime now, diff; 1816 1817 os_get_reltime(&now); 1818 os_reltime_sub(&sta->session_timeout, &now, 1819 &diff); 1820 session_timeout = diff.sec; 1821 } 1822 1823 sta->fils_erp_pmkid_set = 0; 1824 if (!hapd->conf->disable_pmksa_caching && 1825 wpa_auth_pmksa_add2( 1826 hapd->wpa_auth, sta->addr, 1827 pmk, pmk_len, 1828 sta->fils_erp_pmkid, 1829 session_timeout, 1830 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) { 1831 wpa_printf(MSG_ERROR, 1832 "FILS: Failed to add PMKSA cache entry based on ERP"); 1833 } 1834 } 1835 } else if (pmksa) { 1836 pmk = pmksa->pmk; 1837 pmk_len = pmksa->pmk_len; 1838 } 1839 1840 if (!pmk) { 1841 wpa_printf(MSG_DEBUG, "FILS: No PMK available"); 1842 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1843 wpabuf_free(data); 1844 data = NULL; 1845 goto fail; 1846 } 1847 1848 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len, 1849 sta->fils_snonce, fils_nonce, 1850 sta->fils_dh_ss ? 1851 wpabuf_head(sta->fils_dh_ss) : NULL, 1852 sta->fils_dh_ss ? 1853 wpabuf_len(sta->fils_dh_ss) : 0, 1854 sta->fils_g_sta, pub) < 0) { 1855 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1856 wpabuf_free(data); 1857 data = NULL; 1858 goto fail; 1859 } 1860 1861 fail: 1862 if (is_pub) 1863 *is_pub = pub != NULL; 1864 os_free(ie_buf); 1865 wpabuf_free(pub); 1866 wpabuf_clear_free(sta->fils_dh_ss); 1867 sta->fils_dh_ss = NULL; 1868 #ifdef CONFIG_FILS_SK_PFS 1869 crypto_ecdh_deinit(sta->fils_ecdh); 1870 sta->fils_ecdh = NULL; 1871 #endif /* CONFIG_FILS_SK_PFS */ 1872 return data; 1873 } 1874 1875 1876 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1877 struct sta_info *sta, u16 resp, 1878 struct wpabuf *data, int pub) 1879 { 1880 u16 auth_alg; 1881 1882 auth_alg = (pub || 1883 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ? 1884 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 1885 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp, 1886 data ? wpabuf_head(data) : (u8 *) "", 1887 data ? wpabuf_len(data) : 0, "auth-fils-finish"); 1888 wpabuf_free(data); 1889 1890 if (resp == WLAN_STATUS_SUCCESS) { 1891 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1892 HOSTAPD_LEVEL_DEBUG, 1893 "authentication OK (FILS)"); 1894 sta->flags |= WLAN_STA_AUTH; 1895 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1896 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK; 1897 mlme_authenticate_indication(hapd, sta); 1898 } 1899 } 1900 1901 1902 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, 1903 struct sta_info *sta, int success, 1904 struct wpabuf *erp_resp, 1905 const u8 *msk, size_t msk_len) 1906 { 1907 struct wpabuf *data; 1908 int pub = 0; 1909 u16 resp; 1910 1911 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1912 1913 if (!sta->fils_pending_cb) 1914 return; 1915 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE; 1916 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp, 1917 msk, msk_len, &pub); 1918 if (!data) { 1919 wpa_printf(MSG_DEBUG, 1920 "%s: prepare_auth_resp_fils() returned failure", 1921 __func__); 1922 } 1923 sta->fils_pending_cb(hapd, sta, resp, data, pub); 1924 } 1925 1926 #endif /* CONFIG_FILS */ 1927 1928 1929 int 1930 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, 1931 const u8 *msg, size_t len, u32 *session_timeout, 1932 u32 *acct_interim_interval, 1933 struct vlan_description *vlan_id, 1934 struct hostapd_sta_wpa_psk_short **psk, 1935 char **identity, char **radius_cui, int is_probe_req) 1936 { 1937 int res; 1938 1939 os_memset(vlan_id, 0, sizeof(*vlan_id)); 1940 res = hostapd_allowed_address(hapd, addr, msg, len, 1941 session_timeout, acct_interim_interval, 1942 vlan_id, psk, identity, radius_cui, 1943 is_probe_req); 1944 1945 if (res == HOSTAPD_ACL_REJECT) { 1946 if (!is_probe_req) 1947 wpa_printf(MSG_DEBUG, 1948 "Station " MACSTR 1949 " not allowed to authenticate", 1950 MAC2STR(addr)); 1951 return HOSTAPD_ACL_REJECT; 1952 } 1953 1954 if (res == HOSTAPD_ACL_PENDING) { 1955 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 1956 " waiting for an external authentication", 1957 MAC2STR(addr)); 1958 /* Authentication code will re-send the authentication frame 1959 * after it has received (and cached) information from the 1960 * external source. */ 1961 return HOSTAPD_ACL_PENDING; 1962 } 1963 1964 return res; 1965 } 1966 1967 1968 static int 1969 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, 1970 int res, u32 session_timeout, 1971 u32 acct_interim_interval, 1972 struct vlan_description *vlan_id, 1973 struct hostapd_sta_wpa_psk_short **psk, 1974 char **identity, char **radius_cui) 1975 { 1976 if (vlan_id->notempty && 1977 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) { 1978 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1979 HOSTAPD_LEVEL_INFO, 1980 "Invalid VLAN %d%s received from RADIUS server", 1981 vlan_id->untagged, 1982 vlan_id->tagged[0] ? "+" : ""); 1983 return -1; 1984 } 1985 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) 1986 return -1; 1987 if (sta->vlan_id) 1988 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1989 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 1990 1991 hostapd_free_psk_list(sta->psk); 1992 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) { 1993 sta->psk = *psk; 1994 *psk = NULL; 1995 } else { 1996 sta->psk = NULL; 1997 } 1998 1999 os_free(sta->identity); 2000 sta->identity = *identity; 2001 *identity = NULL; 2002 2003 os_free(sta->radius_cui); 2004 sta->radius_cui = *radius_cui; 2005 *radius_cui = NULL; 2006 2007 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 2008 sta->acct_interim_interval = acct_interim_interval; 2009 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) { 2010 sta->session_timeout_set = 1; 2011 os_get_reltime(&sta->session_timeout); 2012 sta->session_timeout.sec += session_timeout; 2013 ap_sta_session_timeout(hapd, sta, session_timeout); 2014 } else { 2015 sta->session_timeout_set = 0; 2016 ap_sta_no_session_timeout(hapd, sta); 2017 } 2018 2019 return 0; 2020 } 2021 2022 2023 static void handle_auth(struct hostapd_data *hapd, 2024 const struct ieee80211_mgmt *mgmt, size_t len, 2025 int rssi, int from_queue) 2026 { 2027 u16 auth_alg, auth_transaction, status_code; 2028 u16 resp = WLAN_STATUS_SUCCESS; 2029 struct sta_info *sta = NULL; 2030 int res, reply_res; 2031 u16 fc; 2032 const u8 *challenge = NULL; 2033 u32 session_timeout, acct_interim_interval; 2034 struct vlan_description vlan_id; 2035 struct hostapd_sta_wpa_psk_short *psk = NULL; 2036 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 2037 size_t resp_ies_len = 0; 2038 char *identity = NULL; 2039 char *radius_cui = NULL; 2040 u16 seq_ctrl; 2041 2042 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 2043 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 2044 (unsigned long) len); 2045 return; 2046 } 2047 2048 #ifdef CONFIG_TESTING_OPTIONS 2049 if (hapd->iconf->ignore_auth_probability > 0.0 && 2050 drand48() < hapd->iconf->ignore_auth_probability) { 2051 wpa_printf(MSG_INFO, 2052 "TESTING: ignoring auth frame from " MACSTR, 2053 MAC2STR(mgmt->sa)); 2054 return; 2055 } 2056 #endif /* CONFIG_TESTING_OPTIONS */ 2057 2058 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 2059 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 2060 status_code = le_to_host16(mgmt->u.auth.status_code); 2061 fc = le_to_host16(mgmt->frame_control); 2062 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2063 2064 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 2065 2 + WLAN_AUTH_CHALLENGE_LEN && 2066 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 2067 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 2068 challenge = &mgmt->u.auth.variable[2]; 2069 2070 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 2071 "auth_transaction=%d status_code=%d wep=%d%s " 2072 "seq_ctrl=0x%x%s%s", 2073 MAC2STR(mgmt->sa), auth_alg, auth_transaction, 2074 status_code, !!(fc & WLAN_FC_ISWEP), 2075 challenge ? " challenge" : "", 2076 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "", 2077 from_queue ? " (from queue)" : ""); 2078 2079 #ifdef CONFIG_NO_RC4 2080 if (auth_alg == WLAN_AUTH_SHARED_KEY) { 2081 wpa_printf(MSG_INFO, 2082 "Unsupported authentication algorithm (%d)", 2083 auth_alg); 2084 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2085 goto fail; 2086 } 2087 #endif /* CONFIG_NO_RC4 */ 2088 2089 if (hapd->tkip_countermeasures) { 2090 wpa_printf(MSG_DEBUG, 2091 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication"); 2092 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2093 goto fail; 2094 } 2095 2096 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 2097 auth_alg == WLAN_AUTH_OPEN) || 2098 #ifdef CONFIG_IEEE80211R_AP 2099 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 2100 auth_alg == WLAN_AUTH_FT) || 2101 #endif /* CONFIG_IEEE80211R_AP */ 2102 #ifdef CONFIG_SAE 2103 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 2104 auth_alg == WLAN_AUTH_SAE) || 2105 #endif /* CONFIG_SAE */ 2106 #ifdef CONFIG_FILS 2107 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2108 auth_alg == WLAN_AUTH_FILS_SK) || 2109 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 2110 hapd->conf->fils_dh_group && 2111 auth_alg == WLAN_AUTH_FILS_SK_PFS) || 2112 #endif /* CONFIG_FILS */ 2113 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 2114 auth_alg == WLAN_AUTH_SHARED_KEY))) { 2115 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 2116 auth_alg); 2117 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2118 goto fail; 2119 } 2120 2121 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 2122 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 2123 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 2124 auth_transaction); 2125 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 2126 goto fail; 2127 } 2128 2129 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { 2130 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 2131 MAC2STR(mgmt->sa)); 2132 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2133 goto fail; 2134 } 2135 2136 if (hapd->conf->no_auth_if_seen_on) { 2137 struct hostapd_data *other; 2138 2139 other = sta_track_seen_on(hapd->iface, mgmt->sa, 2140 hapd->conf->no_auth_if_seen_on); 2141 if (other) { 2142 u8 *pos; 2143 u32 info; 2144 u8 op_class, channel, phytype; 2145 2146 wpa_printf(MSG_DEBUG, "%s: Reject authentication from " 2147 MACSTR " since STA has been seen on %s", 2148 hapd->conf->iface, MAC2STR(mgmt->sa), 2149 hapd->conf->no_auth_if_seen_on); 2150 2151 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION; 2152 pos = &resp_ies[0]; 2153 *pos++ = WLAN_EID_NEIGHBOR_REPORT; 2154 *pos++ = 13; 2155 os_memcpy(pos, other->own_addr, ETH_ALEN); 2156 pos += ETH_ALEN; 2157 info = 0; /* TODO: BSSID Information */ 2158 WPA_PUT_LE32(pos, info); 2159 pos += 4; 2160 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD) 2161 phytype = 8; /* dmg */ 2162 else if (other->iconf->ieee80211ac) 2163 phytype = 9; /* vht */ 2164 else if (other->iconf->ieee80211n) 2165 phytype = 7; /* ht */ 2166 else if (other->iconf->hw_mode == 2167 HOSTAPD_MODE_IEEE80211A) 2168 phytype = 4; /* ofdm */ 2169 else if (other->iconf->hw_mode == 2170 HOSTAPD_MODE_IEEE80211G) 2171 phytype = 6; /* erp */ 2172 else 2173 phytype = 5; /* hrdsss */ 2174 if (ieee80211_freq_to_channel_ext( 2175 hostapd_hw_get_freq(other, 2176 other->iconf->channel), 2177 other->iconf->secondary_channel, 2178 other->iconf->ieee80211ac, 2179 &op_class, &channel) == NUM_HOSTAPD_MODES) { 2180 op_class = 0; 2181 channel = other->iconf->channel; 2182 } 2183 *pos++ = op_class; 2184 *pos++ = channel; 2185 *pos++ = phytype; 2186 resp_ies_len = pos - &resp_ies[0]; 2187 goto fail; 2188 } 2189 } 2190 2191 res = ieee802_11_allowed_address( 2192 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, 2193 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui, 2194 0); 2195 if (res == HOSTAPD_ACL_REJECT) { 2196 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 2197 "Ignore Authentication frame from " MACSTR 2198 " due to ACL reject", MAC2STR(mgmt->sa)); 2199 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2200 goto fail; 2201 } 2202 if (res == HOSTAPD_ACL_PENDING) 2203 return; 2204 2205 #ifdef CONFIG_SAE 2206 if (auth_alg == WLAN_AUTH_SAE && !from_queue && 2207 (auth_transaction == 1 || 2208 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) { 2209 /* Handle SAE Authentication commit message through a queue to 2210 * provide more control for postponing the needed heavy 2211 * processing under a possible DoS attack scenario. In addition, 2212 * queue SAE Authentication confirm message if there happens to 2213 * be a queued commit message from the same peer. This is needed 2214 * to avoid reordering Authentication frames within the same 2215 * SAE exchange. */ 2216 auth_sae_queue(hapd, mgmt, len, rssi); 2217 return; 2218 } 2219 #endif /* CONFIG_SAE */ 2220 2221 sta = ap_get_sta(hapd, mgmt->sa); 2222 if (sta) { 2223 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 2224 sta->ft_over_ds = 0; 2225 if ((fc & WLAN_FC_RETRY) && 2226 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 2227 sta->last_seq_ctrl == seq_ctrl && 2228 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 2229 hostapd_logger(hapd, sta->addr, 2230 HOSTAPD_MODULE_IEEE80211, 2231 HOSTAPD_LEVEL_DEBUG, 2232 "Drop repeated authentication frame seq_ctrl=0x%x", 2233 seq_ctrl); 2234 return; 2235 } 2236 #ifdef CONFIG_MESH 2237 if ((hapd->conf->mesh & MESH_ENABLED) && 2238 sta->plink_state == PLINK_BLOCKED) { 2239 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 2240 " is blocked - drop Authentication frame", 2241 MAC2STR(mgmt->sa)); 2242 return; 2243 } 2244 #endif /* CONFIG_MESH */ 2245 } else { 2246 #ifdef CONFIG_MESH 2247 if (hapd->conf->mesh & MESH_ENABLED) { 2248 /* if the mesh peer is not available, we don't do auth. 2249 */ 2250 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 2251 " not yet known - drop Authentication frame", 2252 MAC2STR(mgmt->sa)); 2253 /* 2254 * Save a copy of the frame so that it can be processed 2255 * if a new peer entry is added shortly after this. 2256 */ 2257 wpabuf_free(hapd->mesh_pending_auth); 2258 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 2259 os_get_reltime(&hapd->mesh_pending_auth_time); 2260 return; 2261 } 2262 #endif /* CONFIG_MESH */ 2263 2264 sta = ap_sta_add(hapd, mgmt->sa); 2265 if (!sta) { 2266 wpa_printf(MSG_DEBUG, "ap_sta_add() failed"); 2267 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2268 goto fail; 2269 } 2270 } 2271 sta->last_seq_ctrl = seq_ctrl; 2272 sta->last_subtype = WLAN_FC_STYPE_AUTH; 2273 #ifdef CONFIG_MBO 2274 sta->auth_rssi = rssi; 2275 #endif /* CONFIG_MBO */ 2276 2277 res = ieee802_11_set_radius_info( 2278 hapd, sta, res, session_timeout, acct_interim_interval, 2279 &vlan_id, &psk, &identity, &radius_cui); 2280 if (res) { 2281 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed"); 2282 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2283 goto fail; 2284 } 2285 2286 sta->flags &= ~WLAN_STA_PREAUTH; 2287 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 2288 2289 /* 2290 * If the driver supports full AP client state, add a station to the 2291 * driver before sending authentication reply to make sure the driver 2292 * has resources, and not to go through the entire authentication and 2293 * association handshake, and fail it at the end. 2294 * 2295 * If this is not the first transaction, in a multi-step authentication 2296 * algorithm, the station already exists in the driver 2297 * (sta->added_unassoc = 1) so skip it. 2298 * 2299 * In mesh mode, the station was already added to the driver when the 2300 * NEW_PEER_CANDIDATE event is received. 2301 * 2302 * If PMF was negotiated for the existing association, skip this to 2303 * avoid dropping the STA entry and the associated keys. This is needed 2304 * to allow the original connection work until the attempt can complete 2305 * (re)association, so that unprotected Authentication frame cannot be 2306 * used to bypass PMF protection. 2307 */ 2308 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && 2309 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && 2310 !(hapd->conf->mesh & MESH_ENABLED) && 2311 !(sta->added_unassoc)) { 2312 /* 2313 * If a station that is already associated to the AP, is trying 2314 * to authenticate again, remove the STA entry, in order to make 2315 * sure the STA PS state gets cleared and configuration gets 2316 * updated. To handle this, station's added_unassoc flag is 2317 * cleared once the station has completed association. 2318 */ 2319 ap_sta_set_authorized(hapd, sta, 0); 2320 hostapd_drv_sta_remove(hapd, sta->addr); 2321 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH | 2322 WLAN_STA_AUTHORIZED); 2323 2324 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0, 2325 NULL, NULL, sta->flags, 0, 0, 0, 0)) { 2326 hostapd_logger(hapd, sta->addr, 2327 HOSTAPD_MODULE_IEEE80211, 2328 HOSTAPD_LEVEL_NOTICE, 2329 "Could not add STA to kernel driver"); 2330 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2331 goto fail; 2332 } 2333 2334 sta->added_unassoc = 1; 2335 } 2336 2337 switch (auth_alg) { 2338 case WLAN_AUTH_OPEN: 2339 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2340 HOSTAPD_LEVEL_DEBUG, 2341 "authentication OK (open system)"); 2342 sta->flags |= WLAN_STA_AUTH; 2343 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 2344 sta->auth_alg = WLAN_AUTH_OPEN; 2345 mlme_authenticate_indication(hapd, sta); 2346 break; 2347 #ifndef CONFIG_NO_RC4 2348 case WLAN_AUTH_SHARED_KEY: 2349 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 2350 fc & WLAN_FC_ISWEP); 2351 if (resp != 0) 2352 wpa_printf(MSG_DEBUG, 2353 "auth_shared_key() failed: status=%d", resp); 2354 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 2355 mlme_authenticate_indication(hapd, sta); 2356 if (sta->challenge && auth_transaction == 1) { 2357 resp_ies[0] = WLAN_EID_CHALLENGE; 2358 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 2359 os_memcpy(resp_ies + 2, sta->challenge, 2360 WLAN_AUTH_CHALLENGE_LEN); 2361 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 2362 } 2363 break; 2364 #endif /* CONFIG_NO_RC4 */ 2365 #ifdef CONFIG_IEEE80211R_AP 2366 case WLAN_AUTH_FT: 2367 sta->auth_alg = WLAN_AUTH_FT; 2368 if (sta->wpa_sm == NULL) 2369 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2370 sta->addr, NULL); 2371 if (sta->wpa_sm == NULL) { 2372 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 2373 "state machine"); 2374 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2375 goto fail; 2376 } 2377 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid, 2378 auth_transaction, mgmt->u.auth.variable, 2379 len - IEEE80211_HDRLEN - 2380 sizeof(mgmt->u.auth), 2381 handle_auth_ft_finish, hapd); 2382 /* handle_auth_ft_finish() callback will complete auth. */ 2383 return; 2384 #endif /* CONFIG_IEEE80211R_AP */ 2385 #ifdef CONFIG_SAE 2386 case WLAN_AUTH_SAE: 2387 #ifdef CONFIG_MESH 2388 if (status_code == WLAN_STATUS_SUCCESS && 2389 hapd->conf->mesh & MESH_ENABLED) { 2390 if (sta->wpa_sm == NULL) 2391 sta->wpa_sm = 2392 wpa_auth_sta_init(hapd->wpa_auth, 2393 sta->addr, NULL); 2394 if (sta->wpa_sm == NULL) { 2395 wpa_printf(MSG_DEBUG, 2396 "SAE: Failed to initialize WPA state machine"); 2397 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2398 goto fail; 2399 } 2400 } 2401 #endif /* CONFIG_MESH */ 2402 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 2403 status_code); 2404 return; 2405 #endif /* CONFIG_SAE */ 2406 #ifdef CONFIG_FILS 2407 case WLAN_AUTH_FILS_SK: 2408 case WLAN_AUTH_FILS_SK_PFS: 2409 handle_auth_fils(hapd, sta, mgmt->u.auth.variable, 2410 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth), 2411 auth_alg, auth_transaction, status_code, 2412 handle_auth_fils_finish); 2413 return; 2414 #endif /* CONFIG_FILS */ 2415 } 2416 2417 fail: 2418 os_free(identity); 2419 os_free(radius_cui); 2420 hostapd_free_psk_list(psk); 2421 2422 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, 2423 auth_transaction + 1, resp, resp_ies, 2424 resp_ies_len, "handle-auth"); 2425 2426 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 2427 reply_res != WLAN_STATUS_SUCCESS)) { 2428 hostapd_drv_sta_remove(hapd, sta->addr); 2429 sta->added_unassoc = 0; 2430 } 2431 } 2432 2433 2434 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 2435 { 2436 int i, j = 32, aid; 2437 2438 /* get a unique AID */ 2439 if (sta->aid > 0) { 2440 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 2441 return 0; 2442 } 2443 2444 if (TEST_FAIL()) 2445 return -1; 2446 2447 for (i = 0; i < AID_WORDS; i++) { 2448 if (hapd->sta_aid[i] == (u32) -1) 2449 continue; 2450 for (j = 0; j < 32; j++) { 2451 if (!(hapd->sta_aid[i] & BIT(j))) 2452 break; 2453 } 2454 if (j < 32) 2455 break; 2456 } 2457 if (j == 32) 2458 return -1; 2459 aid = i * 32 + j + 1; 2460 if (aid > 2007) 2461 return -1; 2462 2463 sta->aid = aid; 2464 hapd->sta_aid[i] |= BIT(j); 2465 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 2466 return 0; 2467 } 2468 2469 2470 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 2471 const u8 *ssid_ie, size_t ssid_ie_len) 2472 { 2473 if (ssid_ie == NULL) 2474 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2475 2476 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 2477 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 2478 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2479 HOSTAPD_LEVEL_INFO, 2480 "Station tried to associate with unknown SSID " 2481 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 2482 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2483 } 2484 2485 return WLAN_STATUS_SUCCESS; 2486 } 2487 2488 2489 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 2490 const u8 *wmm_ie, size_t wmm_ie_len) 2491 { 2492 sta->flags &= ~WLAN_STA_WMM; 2493 sta->qosinfo = 0; 2494 if (wmm_ie && hapd->conf->wmm_enabled) { 2495 struct wmm_information_element *wmm; 2496 2497 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 2498 hostapd_logger(hapd, sta->addr, 2499 HOSTAPD_MODULE_WPA, 2500 HOSTAPD_LEVEL_DEBUG, 2501 "invalid WMM element in association " 2502 "request"); 2503 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2504 } 2505 2506 sta->flags |= WLAN_STA_WMM; 2507 wmm = (struct wmm_information_element *) wmm_ie; 2508 sta->qosinfo = wmm->qos_info; 2509 } 2510 return WLAN_STATUS_SUCCESS; 2511 } 2512 2513 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta, 2514 const u8 *multi_ap_ie, size_t multi_ap_len) 2515 { 2516 u8 multi_ap_value = 0; 2517 2518 sta->flags &= ~WLAN_STA_MULTI_AP; 2519 2520 if (!hapd->conf->multi_ap) 2521 return WLAN_STATUS_SUCCESS; 2522 2523 if (multi_ap_ie) { 2524 const u8 *multi_ap_subelem; 2525 2526 multi_ap_subelem = get_ie(multi_ap_ie + 4, 2527 multi_ap_len - 4, 2528 MULTI_AP_SUB_ELEM_TYPE); 2529 if (multi_ap_subelem && multi_ap_subelem[1] == 1) { 2530 multi_ap_value = multi_ap_subelem[2]; 2531 } else { 2532 hostapd_logger(hapd, sta->addr, 2533 HOSTAPD_MODULE_IEEE80211, 2534 HOSTAPD_LEVEL_INFO, 2535 "Multi-AP IE has missing or invalid Multi-AP subelement"); 2536 return WLAN_STATUS_INVALID_IE; 2537 } 2538 } 2539 2540 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA) 2541 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2542 HOSTAPD_LEVEL_INFO, 2543 "Multi-AP IE with unexpected value 0x%02x", 2544 multi_ap_value); 2545 2546 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) { 2547 if (hapd->conf->multi_ap & FRONTHAUL_BSS) 2548 return WLAN_STATUS_SUCCESS; 2549 2550 hostapd_logger(hapd, sta->addr, 2551 HOSTAPD_MODULE_IEEE80211, 2552 HOSTAPD_LEVEL_INFO, 2553 "Non-Multi-AP STA tries to associate with backhaul-only BSS"); 2554 return WLAN_STATUS_ASSOC_DENIED_UNSPEC; 2555 } 2556 2557 if (!(hapd->conf->multi_ap & BACKHAUL_BSS)) 2558 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2559 HOSTAPD_LEVEL_DEBUG, 2560 "Backhaul STA tries to associate with fronthaul-only BSS"); 2561 2562 sta->flags |= WLAN_STA_MULTI_AP; 2563 return WLAN_STATUS_SUCCESS; 2564 } 2565 2566 2567 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 2568 struct ieee802_11_elems *elems) 2569 { 2570 /* Supported rates not used in IEEE 802.11ad/DMG */ 2571 if (hapd->iface->current_mode && 2572 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) 2573 return WLAN_STATUS_SUCCESS; 2574 2575 if (!elems->supp_rates) { 2576 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2577 HOSTAPD_LEVEL_DEBUG, 2578 "No supported rates element in AssocReq"); 2579 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2580 } 2581 2582 if (elems->supp_rates_len + elems->ext_supp_rates_len > 2583 sizeof(sta->supported_rates)) { 2584 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2585 HOSTAPD_LEVEL_DEBUG, 2586 "Invalid supported rates element length %d+%d", 2587 elems->supp_rates_len, 2588 elems->ext_supp_rates_len); 2589 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2590 } 2591 2592 sta->supported_rates_len = merge_byte_arrays( 2593 sta->supported_rates, sizeof(sta->supported_rates), 2594 elems->supp_rates, elems->supp_rates_len, 2595 elems->ext_supp_rates, elems->ext_supp_rates_len); 2596 2597 return WLAN_STATUS_SUCCESS; 2598 } 2599 2600 2601 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, 2602 const u8 *ext_capab_ie, size_t ext_capab_ie_len) 2603 { 2604 #ifdef CONFIG_INTERWORKING 2605 /* check for QoS Map support */ 2606 if (ext_capab_ie_len >= 5) { 2607 if (ext_capab_ie[4] & 0x01) 2608 sta->qos_map_enabled = 1; 2609 } 2610 #endif /* CONFIG_INTERWORKING */ 2611 2612 if (ext_capab_ie_len > 0) { 2613 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2)); 2614 os_free(sta->ext_capability); 2615 sta->ext_capability = os_malloc(1 + ext_capab_ie_len); 2616 if (sta->ext_capability) { 2617 sta->ext_capability[0] = ext_capab_ie_len; 2618 os_memcpy(sta->ext_capability + 1, ext_capab_ie, 2619 ext_capab_ie_len); 2620 } 2621 } 2622 2623 return WLAN_STATUS_SUCCESS; 2624 } 2625 2626 2627 #ifdef CONFIG_OWE 2628 2629 static int owe_group_supported(struct hostapd_data *hapd, u16 group) 2630 { 2631 int i; 2632 int *groups = hapd->conf->owe_groups; 2633 2634 if (group != 19 && group != 20 && group != 21) 2635 return 0; 2636 2637 if (!groups) 2638 return 1; 2639 2640 for (i = 0; groups[i] > 0; i++) { 2641 if (groups[i] == group) 2642 return 1; 2643 } 2644 2645 return 0; 2646 } 2647 2648 2649 static u16 owe_process_assoc_req(struct hostapd_data *hapd, 2650 struct sta_info *sta, const u8 *owe_dh, 2651 u8 owe_dh_len) 2652 { 2653 struct wpabuf *secret, *pub, *hkey; 2654 int res; 2655 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 2656 const char *info = "OWE Key Generation"; 2657 const u8 *addr[2]; 2658 size_t len[2]; 2659 u16 group; 2660 size_t hash_len, prime_len; 2661 2662 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 2663 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 2664 return WLAN_STATUS_SUCCESS; 2665 } 2666 2667 group = WPA_GET_LE16(owe_dh); 2668 if (!owe_group_supported(hapd, group)) { 2669 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group); 2670 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2671 } 2672 if (group == 19) 2673 prime_len = 32; 2674 else if (group == 20) 2675 prime_len = 48; 2676 else if (group == 21) 2677 prime_len = 66; 2678 else 2679 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2680 2681 crypto_ecdh_deinit(sta->owe_ecdh); 2682 sta->owe_ecdh = crypto_ecdh_init(group); 2683 if (!sta->owe_ecdh) 2684 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 2685 sta->owe_group = group; 2686 2687 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2, 2688 owe_dh_len - 2); 2689 secret = wpabuf_zeropad(secret, prime_len); 2690 if (!secret) { 2691 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 2692 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2693 } 2694 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 2695 2696 /* prk = HKDF-extract(C | A | group, z) */ 2697 2698 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 2699 if (!pub) { 2700 wpabuf_clear_free(secret); 2701 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2702 } 2703 2704 /* PMKID = Truncate-128(Hash(C | A)) */ 2705 addr[0] = owe_dh + 2; 2706 len[0] = owe_dh_len - 2; 2707 addr[1] = wpabuf_head(pub); 2708 len[1] = wpabuf_len(pub); 2709 if (group == 19) { 2710 res = sha256_vector(2, addr, len, pmkid); 2711 hash_len = SHA256_MAC_LEN; 2712 } else if (group == 20) { 2713 res = sha384_vector(2, addr, len, pmkid); 2714 hash_len = SHA384_MAC_LEN; 2715 } else if (group == 21) { 2716 res = sha512_vector(2, addr, len, pmkid); 2717 hash_len = SHA512_MAC_LEN; 2718 } else { 2719 wpabuf_free(pub); 2720 wpabuf_clear_free(secret); 2721 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2722 } 2723 pub = wpabuf_zeropad(pub, prime_len); 2724 if (res < 0 || !pub) { 2725 wpabuf_free(pub); 2726 wpabuf_clear_free(secret); 2727 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2728 } 2729 2730 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2); 2731 if (!hkey) { 2732 wpabuf_free(pub); 2733 wpabuf_clear_free(secret); 2734 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2735 } 2736 2737 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */ 2738 wpabuf_put_buf(hkey, pub); /* A */ 2739 wpabuf_free(pub); 2740 wpabuf_put_le16(hkey, group); /* group */ 2741 if (group == 19) 2742 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 2743 wpabuf_head(secret), wpabuf_len(secret), prk); 2744 else if (group == 20) 2745 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 2746 wpabuf_head(secret), wpabuf_len(secret), prk); 2747 else if (group == 21) 2748 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 2749 wpabuf_head(secret), wpabuf_len(secret), prk); 2750 wpabuf_clear_free(hkey); 2751 wpabuf_clear_free(secret); 2752 if (res < 0) 2753 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2754 2755 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 2756 2757 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 2758 2759 os_free(sta->owe_pmk); 2760 sta->owe_pmk = os_malloc(hash_len); 2761 if (!sta->owe_pmk) { 2762 os_memset(prk, 0, SHA512_MAC_LEN); 2763 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2764 } 2765 2766 if (group == 19) 2767 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 2768 os_strlen(info), sta->owe_pmk, hash_len); 2769 else if (group == 20) 2770 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 2771 os_strlen(info), sta->owe_pmk, hash_len); 2772 else if (group == 21) 2773 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 2774 os_strlen(info), sta->owe_pmk, hash_len); 2775 os_memset(prk, 0, SHA512_MAC_LEN); 2776 if (res < 0) { 2777 os_free(sta->owe_pmk); 2778 sta->owe_pmk = NULL; 2779 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2780 } 2781 sta->owe_pmk_len = hash_len; 2782 2783 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len); 2784 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 2785 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk, 2786 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE); 2787 2788 return WLAN_STATUS_SUCCESS; 2789 } 2790 2791 #endif /* CONFIG_OWE */ 2792 2793 2794 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 2795 const u8 *ies, size_t ies_len, int reassoc) 2796 { 2797 struct ieee802_11_elems elems; 2798 u16 resp; 2799 const u8 *wpa_ie; 2800 size_t wpa_ie_len; 2801 const u8 *p2p_dev_addr = NULL; 2802 2803 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2804 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2805 HOSTAPD_LEVEL_INFO, "Station sent an invalid " 2806 "association request"); 2807 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2808 } 2809 2810 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len); 2811 if (resp != WLAN_STATUS_SUCCESS) 2812 return resp; 2813 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len); 2814 if (resp != WLAN_STATUS_SUCCESS) 2815 return resp; 2816 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len); 2817 if (resp != WLAN_STATUS_SUCCESS) 2818 return resp; 2819 resp = copy_supp_rates(hapd, sta, &elems); 2820 if (resp != WLAN_STATUS_SUCCESS) 2821 return resp; 2822 2823 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len); 2824 if (resp != WLAN_STATUS_SUCCESS) 2825 return resp; 2826 2827 #ifdef CONFIG_IEEE80211N 2828 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities); 2829 if (resp != WLAN_STATUS_SUCCESS) 2830 return resp; 2831 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 2832 !(sta->flags & WLAN_STA_HT)) { 2833 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2834 HOSTAPD_LEVEL_INFO, "Station does not support " 2835 "mandatory HT PHY - reject association"); 2836 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 2837 } 2838 #endif /* CONFIG_IEEE80211N */ 2839 2840 #ifdef CONFIG_IEEE80211AC 2841 if (hapd->iconf->ieee80211ac) { 2842 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); 2843 if (resp != WLAN_STATUS_SUCCESS) 2844 return resp; 2845 2846 resp = copy_sta_vht_oper(hapd, sta, elems.vht_operation); 2847 if (resp != WLAN_STATUS_SUCCESS) 2848 return resp; 2849 2850 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif); 2851 if (resp != WLAN_STATUS_SUCCESS) 2852 return resp; 2853 } 2854 2855 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 2856 !(sta->flags & WLAN_STA_VHT)) { 2857 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2858 HOSTAPD_LEVEL_INFO, "Station does not support " 2859 "mandatory VHT PHY - reject association"); 2860 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 2861 } 2862 2863 if (hapd->conf->vendor_vht && !elems.vht_capabilities) { 2864 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht, 2865 elems.vendor_vht_len); 2866 if (resp != WLAN_STATUS_SUCCESS) 2867 return resp; 2868 } 2869 #endif /* CONFIG_IEEE80211AC */ 2870 2871 #ifdef CONFIG_P2P 2872 if (elems.p2p) { 2873 wpabuf_free(sta->p2p_ie); 2874 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 2875 P2P_IE_VENDOR_TYPE); 2876 if (sta->p2p_ie) 2877 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 2878 } else { 2879 wpabuf_free(sta->p2p_ie); 2880 sta->p2p_ie = NULL; 2881 } 2882 #endif /* CONFIG_P2P */ 2883 2884 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) { 2885 wpa_ie = elems.rsn_ie; 2886 wpa_ie_len = elems.rsn_ie_len; 2887 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 2888 elems.wpa_ie) { 2889 wpa_ie = elems.wpa_ie; 2890 wpa_ie_len = elems.wpa_ie_len; 2891 } else { 2892 wpa_ie = NULL; 2893 wpa_ie_len = 0; 2894 } 2895 2896 #ifdef CONFIG_WPS 2897 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 2898 if (hapd->conf->wps_state && elems.wps_ie) { 2899 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 2900 "Request - assume WPS is used"); 2901 sta->flags |= WLAN_STA_WPS; 2902 wpabuf_free(sta->wps_ie); 2903 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 2904 WPS_IE_VENDOR_TYPE); 2905 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 2906 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 2907 sta->flags |= WLAN_STA_WPS2; 2908 } 2909 wpa_ie = NULL; 2910 wpa_ie_len = 0; 2911 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 2912 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 2913 "(Re)Association Request - reject"); 2914 return WLAN_STATUS_INVALID_IE; 2915 } 2916 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 2917 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 2918 "(Re)Association Request - possible WPS use"); 2919 sta->flags |= WLAN_STA_MAYBE_WPS; 2920 } else 2921 #endif /* CONFIG_WPS */ 2922 if (hapd->conf->wpa && wpa_ie == NULL) { 2923 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2924 HOSTAPD_LEVEL_INFO, 2925 "No WPA/RSN IE in association request"); 2926 return WLAN_STATUS_INVALID_IE; 2927 } 2928 2929 if (hapd->conf->wpa && wpa_ie) { 2930 int res; 2931 wpa_ie -= 2; 2932 wpa_ie_len += 2; 2933 if (sta->wpa_sm == NULL) 2934 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2935 sta->addr, 2936 p2p_dev_addr); 2937 if (sta->wpa_sm == NULL) { 2938 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 2939 "state machine"); 2940 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2941 } 2942 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg); 2943 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 2944 hapd->iface->freq, 2945 wpa_ie, wpa_ie_len, 2946 elems.mdie, elems.mdie_len, 2947 elems.owe_dh, elems.owe_dh_len); 2948 resp = wpa_res_to_status_code(res); 2949 if (resp != WLAN_STATUS_SUCCESS) 2950 return resp; 2951 #ifdef CONFIG_IEEE80211W 2952 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == 2953 (WLAN_STA_ASSOC | WLAN_STA_MFP) && 2954 !sta->sa_query_timed_out && 2955 sta->sa_query_count > 0) 2956 ap_check_sa_query_timeout(hapd, sta); 2957 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == 2958 (WLAN_STA_ASSOC | WLAN_STA_MFP) && 2959 !sta->sa_query_timed_out && 2960 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 2961 /* 2962 * STA has already been associated with MFP and SA 2963 * Query timeout has not been reached. Reject the 2964 * association attempt temporarily and start SA Query, 2965 * if one is not pending. 2966 */ 2967 2968 if (sta->sa_query_count == 0) 2969 ap_sta_start_sa_query(hapd, sta); 2970 2971 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 2972 } 2973 2974 if (wpa_auth_uses_mfp(sta->wpa_sm)) 2975 sta->flags |= WLAN_STA_MFP; 2976 else 2977 sta->flags &= ~WLAN_STA_MFP; 2978 #endif /* CONFIG_IEEE80211W */ 2979 2980 #ifdef CONFIG_IEEE80211R_AP 2981 if (sta->auth_alg == WLAN_AUTH_FT) { 2982 if (!reassoc) { 2983 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 2984 "to use association (not " 2985 "re-association) with FT auth_alg", 2986 MAC2STR(sta->addr)); 2987 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2988 } 2989 2990 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 2991 ies_len); 2992 if (resp != WLAN_STATUS_SUCCESS) 2993 return resp; 2994 } 2995 #endif /* CONFIG_IEEE80211R_AP */ 2996 2997 #ifdef CONFIG_SAE 2998 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae && 2999 sta->sae->state == SAE_ACCEPTED) 3000 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid); 3001 3002 if (wpa_auth_uses_sae(sta->wpa_sm) && 3003 sta->auth_alg == WLAN_AUTH_OPEN) { 3004 struct rsn_pmksa_cache_entry *sa; 3005 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 3006 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { 3007 wpa_printf(MSG_DEBUG, 3008 "SAE: No PMKSA cache entry found for " 3009 MACSTR, MAC2STR(sta->addr)); 3010 return WLAN_STATUS_INVALID_PMKID; 3011 } 3012 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 3013 " using PMKSA caching", MAC2STR(sta->addr)); 3014 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 3015 sta->auth_alg != WLAN_AUTH_SAE && 3016 !(sta->auth_alg == WLAN_AUTH_FT && 3017 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 3018 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 3019 "SAE AKM after non-SAE auth_alg %u", 3020 MAC2STR(sta->addr), sta->auth_alg); 3021 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 3022 } 3023 #endif /* CONFIG_SAE */ 3024 3025 #ifdef CONFIG_OWE 3026 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 3027 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE && 3028 elems.owe_dh) { 3029 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh, 3030 elems.owe_dh_len); 3031 if (resp != WLAN_STATUS_SUCCESS) 3032 return resp; 3033 } 3034 #endif /* CONFIG_OWE */ 3035 3036 #ifdef CONFIG_DPP2 3037 dpp_pfs_free(sta->dpp_pfs); 3038 sta->dpp_pfs = NULL; 3039 3040 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 3041 hapd->conf->dpp_netaccesskey && sta->wpa_sm && 3042 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP && 3043 elems.owe_dh) { 3044 sta->dpp_pfs = dpp_pfs_init( 3045 wpabuf_head(hapd->conf->dpp_netaccesskey), 3046 wpabuf_len(hapd->conf->dpp_netaccesskey)); 3047 if (!sta->dpp_pfs) { 3048 wpa_printf(MSG_DEBUG, 3049 "DPP: Could not initialize PFS"); 3050 /* Try to continue without PFS */ 3051 goto pfs_fail; 3052 } 3053 3054 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh, 3055 elems.owe_dh_len) < 0) { 3056 dpp_pfs_free(sta->dpp_pfs); 3057 sta->dpp_pfs = NULL; 3058 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3059 } 3060 } 3061 3062 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ? 3063 sta->dpp_pfs->secret : NULL); 3064 pfs_fail: 3065 #endif /* CONFIG_DPP2 */ 3066 3067 #ifdef CONFIG_IEEE80211N 3068 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 3069 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 3070 hostapd_logger(hapd, sta->addr, 3071 HOSTAPD_MODULE_IEEE80211, 3072 HOSTAPD_LEVEL_INFO, 3073 "Station tried to use TKIP with HT " 3074 "association"); 3075 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 3076 } 3077 #endif /* CONFIG_IEEE80211N */ 3078 #ifdef CONFIG_HS20 3079 } else if (hapd->conf->osen) { 3080 if (elems.osen == NULL) { 3081 hostapd_logger( 3082 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3083 HOSTAPD_LEVEL_INFO, 3084 "No HS 2.0 OSEN element in association request"); 3085 return WLAN_STATUS_INVALID_IE; 3086 } 3087 3088 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 3089 if (sta->wpa_sm == NULL) 3090 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 3091 sta->addr, NULL); 3092 if (sta->wpa_sm == NULL) { 3093 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 3094 "state machine"); 3095 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3096 } 3097 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 3098 elems.osen - 2, elems.osen_len + 2) < 0) 3099 return WLAN_STATUS_INVALID_IE; 3100 #endif /* CONFIG_HS20 */ 3101 } else 3102 wpa_auth_sta_no_wpa(sta->wpa_sm); 3103 3104 #ifdef CONFIG_P2P 3105 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 3106 #endif /* CONFIG_P2P */ 3107 3108 #ifdef CONFIG_HS20 3109 wpabuf_free(sta->hs20_ie); 3110 if (elems.hs20 && elems.hs20_len > 4) { 3111 int release; 3112 3113 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4, 3114 elems.hs20_len - 4); 3115 release = ((elems.hs20[4] >> 4) & 0x0f) + 1; 3116 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) { 3117 wpa_printf(MSG_DEBUG, 3118 "HS 2.0: PMF not negotiated by release %d station " 3119 MACSTR, release, MAC2STR(sta->addr)); 3120 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 3121 } 3122 } else { 3123 sta->hs20_ie = NULL; 3124 } 3125 3126 wpabuf_free(sta->roaming_consortium); 3127 if (elems.roaming_cons_sel) 3128 sta->roaming_consortium = wpabuf_alloc_copy( 3129 elems.roaming_cons_sel + 4, 3130 elems.roaming_cons_sel_len - 4); 3131 else 3132 sta->roaming_consortium = NULL; 3133 #endif /* CONFIG_HS20 */ 3134 3135 #ifdef CONFIG_FST 3136 wpabuf_free(sta->mb_ies); 3137 if (hapd->iface->fst) 3138 sta->mb_ies = mb_ies_by_info(&elems.mb_ies); 3139 else 3140 sta->mb_ies = NULL; 3141 #endif /* CONFIG_FST */ 3142 3143 #ifdef CONFIG_MBO 3144 mbo_ap_check_sta_assoc(hapd, sta, &elems); 3145 3146 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) && 3147 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) && 3148 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3149 wpa_printf(MSG_INFO, 3150 "MBO: Reject WPA2 association without PMF"); 3151 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3152 } 3153 #endif /* CONFIG_MBO */ 3154 3155 #if defined(CONFIG_FILS) && defined(CONFIG_OCV) 3156 if (wpa_auth_uses_ocv(sta->wpa_sm) && 3157 (sta->auth_alg == WLAN_AUTH_FILS_SK || 3158 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3159 sta->auth_alg == WLAN_AUTH_FILS_PK)) { 3160 struct wpa_channel_info ci; 3161 int tx_chanwidth; 3162 int tx_seg1_idx; 3163 3164 if (hostapd_drv_channel_info(hapd, &ci) != 0) { 3165 wpa_printf(MSG_WARNING, 3166 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame"); 3167 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3168 } 3169 3170 if (get_sta_tx_parameters(sta->wpa_sm, 3171 channel_width_to_int(ci.chanwidth), 3172 ci.seg1_idx, &tx_chanwidth, 3173 &tx_seg1_idx) < 0) 3174 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3175 3176 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 3177 tx_chanwidth, tx_seg1_idx) != 0) { 3178 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr); 3179 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3180 } 3181 } 3182 #endif /* CONFIG_FILS && CONFIG_OCV */ 3183 3184 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes, 3185 elems.supp_op_classes_len); 3186 3187 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) && 3188 elems.rrm_enabled && 3189 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa)) 3190 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled, 3191 sizeof(sta->rrm_enabled_capa)); 3192 3193 if (elems.power_capab) { 3194 sta->min_tx_power = elems.power_capab[0]; 3195 sta->max_tx_power = elems.power_capab[1]; 3196 sta->power_capab = 1; 3197 } else { 3198 sta->power_capab = 0; 3199 } 3200 3201 return WLAN_STATUS_SUCCESS; 3202 } 3203 3204 3205 static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 3206 u16 reason_code) 3207 { 3208 int send_len; 3209 struct ieee80211_mgmt reply; 3210 3211 os_memset(&reply, 0, sizeof(reply)); 3212 reply.frame_control = 3213 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 3214 os_memcpy(reply.da, addr, ETH_ALEN); 3215 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 3216 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 3217 3218 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 3219 reply.u.deauth.reason_code = host_to_le16(reason_code); 3220 3221 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0) 3222 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 3223 strerror(errno)); 3224 } 3225 3226 3227 static int add_associated_sta(struct hostapd_data *hapd, 3228 struct sta_info *sta, int reassoc) 3229 { 3230 struct ieee80211_ht_capabilities ht_cap; 3231 struct ieee80211_vht_capabilities vht_cap; 3232 int set = 1; 3233 3234 /* 3235 * Remove the STA entry to ensure the STA PS state gets cleared and 3236 * configuration gets updated. This is relevant for cases, such as 3237 * FT-over-the-DS, where a station re-associates back to the same AP but 3238 * skips the authentication flow, or if working with a driver that 3239 * does not support full AP client state. 3240 * 3241 * Skip this if the STA has already completed FT reassociation and the 3242 * TK has been configured since the TX/RX PN must not be reset to 0 for 3243 * the same key. 3244 * 3245 * FT-over-the-DS has a special case where the STA entry (and as such, 3246 * the TK) has not yet been configured to the driver depending on which 3247 * driver interface is used. For that case, allow add-STA operation to 3248 * be used (instead of set-STA). This is needed to allow mac80211-based 3249 * drivers to accept the STA parameter configuration. Since this is 3250 * after a new FT-over-DS exchange, a new TK has been derived, so key 3251 * reinstallation is not a concern for this case. 3252 */ 3253 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR 3254 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)", 3255 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg, 3256 sta->ft_over_ds, reassoc, 3257 !!(sta->flags & WLAN_STA_AUTHORIZED), 3258 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm), 3259 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)); 3260 3261 if (!sta->added_unassoc && 3262 (!(sta->flags & WLAN_STA_AUTHORIZED) || 3263 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) || 3264 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) && 3265 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) { 3266 hostapd_drv_sta_remove(hapd, sta->addr); 3267 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); 3268 set = 0; 3269 3270 /* Do not allow the FT-over-DS exception to be used more than 3271 * once per authentication exchange to guarantee a new TK is 3272 * used here */ 3273 sta->ft_over_ds = 0; 3274 } 3275 3276 #ifdef CONFIG_IEEE80211N 3277 if (sta->flags & WLAN_STA_HT) 3278 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 3279 #endif /* CONFIG_IEEE80211N */ 3280 #ifdef CONFIG_IEEE80211AC 3281 if (sta->flags & WLAN_STA_VHT) 3282 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 3283 #endif /* CONFIG_IEEE80211AC */ 3284 3285 /* 3286 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags 3287 * will be set when the ACK frame for the (Re)Association Response frame 3288 * is processed (TX status driver event). 3289 */ 3290 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 3291 sta->supported_rates, sta->supported_rates_len, 3292 sta->listen_interval, 3293 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 3294 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 3295 sta->flags | WLAN_STA_ASSOC, sta->qosinfo, 3296 sta->vht_opmode, sta->p2p_ie ? 1 : 0, 3297 set)) { 3298 hostapd_logger(hapd, sta->addr, 3299 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, 3300 "Could not %s STA to kernel driver", 3301 set ? "set" : "add"); 3302 3303 if (sta->added_unassoc) { 3304 hostapd_drv_sta_remove(hapd, sta->addr); 3305 sta->added_unassoc = 0; 3306 } 3307 3308 return -1; 3309 } 3310 3311 sta->added_unassoc = 0; 3312 3313 return 0; 3314 } 3315 3316 3317 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 3318 const u8 *addr, u16 status_code, int reassoc, 3319 const u8 *ies, size_t ies_len, int rssi) 3320 { 3321 int send_len; 3322 u8 *buf; 3323 size_t buflen; 3324 struct ieee80211_mgmt *reply; 3325 u8 *p; 3326 u16 res = WLAN_STATUS_SUCCESS; 3327 3328 buflen = sizeof(struct ieee80211_mgmt) + 1024; 3329 #ifdef CONFIG_FILS 3330 if (sta && sta->fils_hlp_resp) 3331 buflen += wpabuf_len(sta->fils_hlp_resp); 3332 #endif /* CONFIG_FILS */ 3333 #ifdef CONFIG_OWE 3334 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 3335 buflen += 150; 3336 #endif /* CONFIG_OWE */ 3337 #ifdef CONFIG_DPP2 3338 if (sta && sta->dpp_pfs) 3339 buflen += 5 + sta->dpp_pfs->curve->prime_len; 3340 #endif /* CONFIG_DPP2 */ 3341 buf = os_zalloc(buflen); 3342 if (!buf) { 3343 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3344 goto done; 3345 } 3346 reply = (struct ieee80211_mgmt *) buf; 3347 reply->frame_control = 3348 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 3349 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 3350 WLAN_FC_STYPE_ASSOC_RESP)); 3351 os_memcpy(reply->da, addr, ETH_ALEN); 3352 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 3353 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 3354 3355 send_len = IEEE80211_HDRLEN; 3356 send_len += sizeof(reply->u.assoc_resp); 3357 reply->u.assoc_resp.capab_info = 3358 host_to_le16(hostapd_own_capab_info(hapd)); 3359 reply->u.assoc_resp.status_code = host_to_le16(status_code); 3360 3361 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) | 3362 BIT(14) | BIT(15)); 3363 /* Supported rates */ 3364 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 3365 /* Extended supported rates */ 3366 p = hostapd_eid_ext_supp_rates(hapd, p); 3367 3368 #ifdef CONFIG_MBO 3369 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS && 3370 rssi != 0) { 3371 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi; 3372 3373 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p, 3374 delta); 3375 } 3376 #endif /* CONFIG_MBO */ 3377 3378 #ifdef CONFIG_IEEE80211R_AP 3379 if (sta && status_code == WLAN_STATUS_SUCCESS) { 3380 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 3381 * Transition Information, RSN, [RIC Response] */ 3382 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 3383 buf + buflen - p, 3384 sta->auth_alg, ies, ies_len); 3385 if (!p) { 3386 wpa_printf(MSG_DEBUG, 3387 "FT: Failed to write AssocResp IEs"); 3388 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3389 goto done; 3390 } 3391 } 3392 #endif /* CONFIG_IEEE80211R_AP */ 3393 3394 #ifdef CONFIG_OWE 3395 if (sta && status_code == WLAN_STATUS_SUCCESS && 3396 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE)) 3397 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p, 3398 buf + buflen - p, 3399 ies, ies_len); 3400 #endif /* CONFIG_OWE */ 3401 3402 #ifdef CONFIG_IEEE80211W 3403 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 3404 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 3405 #endif /* CONFIG_IEEE80211W */ 3406 3407 #ifdef CONFIG_IEEE80211N 3408 p = hostapd_eid_ht_capabilities(hapd, p); 3409 p = hostapd_eid_ht_operation(hapd, p); 3410 #endif /* CONFIG_IEEE80211N */ 3411 3412 #ifdef CONFIG_IEEE80211AC 3413 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 3414 u32 nsts = 0, sta_nsts; 3415 3416 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) { 3417 struct ieee80211_vht_capabilities *capa; 3418 3419 nsts = (hapd->iface->conf->vht_capab >> 3420 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 3421 capa = sta->vht_capabilities; 3422 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >> 3423 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 3424 3425 if (nsts < sta_nsts) 3426 nsts = 0; 3427 else 3428 nsts = sta_nsts; 3429 } 3430 p = hostapd_eid_vht_capabilities(hapd, p, nsts); 3431 p = hostapd_eid_vht_operation(hapd, p); 3432 } 3433 #endif /* CONFIG_IEEE80211AC */ 3434 3435 p = hostapd_eid_ext_capab(hapd, p); 3436 p = hostapd_eid_bss_max_idle_period(hapd, p); 3437 if (sta && sta->qos_map_enabled) 3438 p = hostapd_eid_qos_map_set(hapd, p); 3439 3440 #ifdef CONFIG_FST 3441 if (hapd->iface->fst_ies) { 3442 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies), 3443 wpabuf_len(hapd->iface->fst_ies)); 3444 p += wpabuf_len(hapd->iface->fst_ies); 3445 } 3446 #endif /* CONFIG_FST */ 3447 3448 #ifdef CONFIG_OWE 3449 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) && 3450 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS && 3451 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) { 3452 struct wpabuf *pub; 3453 3454 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3455 if (!pub) { 3456 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3457 goto done; 3458 } 3459 /* OWE Diffie-Hellman Parameter element */ 3460 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 3461 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */ 3462 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */ 3463 WPA_PUT_LE16(p, sta->owe_group); 3464 p += 2; 3465 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub)); 3466 p += wpabuf_len(pub); 3467 wpabuf_free(pub); 3468 } 3469 #endif /* CONFIG_OWE */ 3470 3471 #ifdef CONFIG_DPP2 3472 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) && 3473 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS && 3474 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) { 3475 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie), 3476 wpabuf_len(sta->dpp_pfs->ie)); 3477 p += wpabuf_len(sta->dpp_pfs->ie); 3478 } 3479 #endif /* CONFIG_DPP2 */ 3480 3481 #ifdef CONFIG_IEEE80211AC 3482 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 3483 p = hostapd_eid_vendor_vht(hapd, p); 3484 #endif /* CONFIG_IEEE80211AC */ 3485 3486 if (sta && (sta->flags & WLAN_STA_WMM)) 3487 p = hostapd_eid_wmm(hapd, p); 3488 3489 #ifdef CONFIG_WPS 3490 if (sta && 3491 ((sta->flags & WLAN_STA_WPS) || 3492 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) { 3493 struct wpabuf *wps = wps_build_assoc_resp_ie(); 3494 if (wps) { 3495 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 3496 p += wpabuf_len(wps); 3497 wpabuf_free(wps); 3498 } 3499 } 3500 #endif /* CONFIG_WPS */ 3501 3502 if (sta && (sta->flags & WLAN_STA_MULTI_AP)) 3503 p = hostapd_eid_multi_ap(hapd, p); 3504 3505 #ifdef CONFIG_P2P 3506 if (sta && sta->p2p_ie && hapd->p2p_group) { 3507 struct wpabuf *p2p_resp_ie; 3508 enum p2p_status_code status; 3509 switch (status_code) { 3510 case WLAN_STATUS_SUCCESS: 3511 status = P2P_SC_SUCCESS; 3512 break; 3513 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 3514 status = P2P_SC_FAIL_LIMIT_REACHED; 3515 break; 3516 default: 3517 status = P2P_SC_FAIL_INVALID_PARAMS; 3518 break; 3519 } 3520 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 3521 if (p2p_resp_ie) { 3522 os_memcpy(p, wpabuf_head(p2p_resp_ie), 3523 wpabuf_len(p2p_resp_ie)); 3524 p += wpabuf_len(p2p_resp_ie); 3525 wpabuf_free(p2p_resp_ie); 3526 } 3527 } 3528 #endif /* CONFIG_P2P */ 3529 3530 #ifdef CONFIG_P2P_MANAGER 3531 if (hapd->conf->p2p & P2P_MANAGE) 3532 p = hostapd_eid_p2p_manage(hapd, p); 3533 #endif /* CONFIG_P2P_MANAGER */ 3534 3535 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 3536 3537 if (hapd->conf->assocresp_elements && 3538 (size_t) (buf + buflen - p) >= 3539 wpabuf_len(hapd->conf->assocresp_elements)) { 3540 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 3541 wpabuf_len(hapd->conf->assocresp_elements)); 3542 p += wpabuf_len(hapd->conf->assocresp_elements); 3543 } 3544 3545 send_len += p - reply->u.assoc_resp.variable; 3546 3547 #ifdef CONFIG_FILS 3548 if (sta && 3549 (sta->auth_alg == WLAN_AUTH_FILS_SK || 3550 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3551 sta->auth_alg == WLAN_AUTH_FILS_PK) && 3552 status_code == WLAN_STATUS_SUCCESS) { 3553 struct ieee802_11_elems elems; 3554 3555 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == 3556 ParseFailed || !elems.fils_session) { 3557 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3558 goto done; 3559 } 3560 3561 /* FILS Session */ 3562 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 3563 *p++ = 1 + FILS_SESSION_LEN; /* Length */ 3564 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 3565 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN); 3566 send_len += 2 + 1 + FILS_SESSION_LEN; 3567 3568 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len, 3569 buflen, sta->fils_hlp_resp); 3570 if (send_len < 0) { 3571 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3572 goto done; 3573 } 3574 } 3575 #endif /* CONFIG_FILS */ 3576 3577 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) { 3578 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 3579 strerror(errno)); 3580 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 3581 } 3582 3583 done: 3584 os_free(buf); 3585 return res; 3586 } 3587 3588 3589 #ifdef CONFIG_OWE 3590 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta, 3591 const u8 *owe_dh, u8 owe_dh_len, 3592 u8 *owe_buf, size_t owe_buf_len, u16 *reason) 3593 { 3594 #ifdef CONFIG_TESTING_OPTIONS 3595 if (hapd->conf->own_ie_override) { 3596 wpa_printf(MSG_DEBUG, "OWE: Using IE override"); 3597 *reason = WLAN_STATUS_SUCCESS; 3598 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3599 owe_buf_len, NULL, 0); 3600 } 3601 #endif /* CONFIG_TESTING_OPTIONS */ 3602 3603 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) { 3604 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching"); 3605 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3606 owe_buf_len, NULL, 0); 3607 *reason = WLAN_STATUS_SUCCESS; 3608 return owe_buf; 3609 } 3610 3611 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len); 3612 if (*reason != WLAN_STATUS_SUCCESS) 3613 return NULL; 3614 3615 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf, 3616 owe_buf_len, NULL, 0); 3617 3618 if (sta->owe_ecdh && owe_buf) { 3619 struct wpabuf *pub; 3620 3621 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0); 3622 if (!pub) { 3623 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE; 3624 return owe_buf; 3625 } 3626 3627 /* OWE Diffie-Hellman Parameter element */ 3628 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */ 3629 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */ 3630 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension 3631 */ 3632 WPA_PUT_LE16(owe_buf, sta->owe_group); 3633 owe_buf += 2; 3634 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub)); 3635 owe_buf += wpabuf_len(pub); 3636 wpabuf_free(pub); 3637 } 3638 3639 return owe_buf; 3640 } 3641 #endif /* CONFIG_OWE */ 3642 3643 3644 #ifdef CONFIG_FILS 3645 3646 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta) 3647 { 3648 u16 reply_res; 3649 3650 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR, 3651 MAC2STR(sta->addr)); 3652 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 3653 if (!sta->fils_pending_assoc_req) 3654 return; 3655 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS, 3656 sta->fils_pending_assoc_is_reassoc, 3657 sta->fils_pending_assoc_req, 3658 sta->fils_pending_assoc_req_len, 0); 3659 os_free(sta->fils_pending_assoc_req); 3660 sta->fils_pending_assoc_req = NULL; 3661 sta->fils_pending_assoc_req_len = 0; 3662 wpabuf_free(sta->fils_hlp_resp); 3663 sta->fils_hlp_resp = NULL; 3664 wpabuf_free(sta->hlp_dhcp_discover); 3665 sta->hlp_dhcp_discover = NULL; 3666 3667 /* 3668 * Remove the station in case transmission of a success response fails. 3669 * At this point the station was already added associated to the driver. 3670 */ 3671 if (reply_res != WLAN_STATUS_SUCCESS) 3672 hostapd_drv_sta_remove(hapd, sta->addr); 3673 } 3674 3675 3676 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data) 3677 { 3678 struct hostapd_data *hapd = eloop_ctx; 3679 struct sta_info *sta = eloop_data; 3680 3681 wpa_printf(MSG_DEBUG, 3682 "FILS: HLP response timeout - continue with association response for " 3683 MACSTR, MAC2STR(sta->addr)); 3684 if (sta->fils_drv_assoc_finish) 3685 hostapd_notify_assoc_fils_finish(hapd, sta); 3686 else 3687 fils_hlp_finish_assoc(hapd, sta); 3688 } 3689 3690 #endif /* CONFIG_FILS */ 3691 3692 3693 static void handle_assoc(struct hostapd_data *hapd, 3694 const struct ieee80211_mgmt *mgmt, size_t len, 3695 int reassoc, int rssi) 3696 { 3697 u16 capab_info, listen_interval, seq_ctrl, fc; 3698 u16 resp = WLAN_STATUS_SUCCESS, reply_res; 3699 const u8 *pos; 3700 int left, i; 3701 struct sta_info *sta; 3702 u8 *tmp = NULL; 3703 struct hostapd_sta_wpa_psk_short *psk = NULL; 3704 char *identity = NULL; 3705 char *radius_cui = NULL; 3706 #ifdef CONFIG_FILS 3707 int delay_assoc = 0; 3708 #endif /* CONFIG_FILS */ 3709 3710 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 3711 sizeof(mgmt->u.assoc_req))) { 3712 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 3713 reassoc, (unsigned long) len); 3714 return; 3715 } 3716 3717 #ifdef CONFIG_TESTING_OPTIONS 3718 if (reassoc) { 3719 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 3720 drand48() < hapd->iconf->ignore_reassoc_probability) { 3721 wpa_printf(MSG_INFO, 3722 "TESTING: ignoring reassoc request from " 3723 MACSTR, MAC2STR(mgmt->sa)); 3724 return; 3725 } 3726 } else { 3727 if (hapd->iconf->ignore_assoc_probability > 0.0 && 3728 drand48() < hapd->iconf->ignore_assoc_probability) { 3729 wpa_printf(MSG_INFO, 3730 "TESTING: ignoring assoc request from " 3731 MACSTR, MAC2STR(mgmt->sa)); 3732 return; 3733 } 3734 } 3735 #endif /* CONFIG_TESTING_OPTIONS */ 3736 3737 fc = le_to_host16(mgmt->frame_control); 3738 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 3739 3740 if (reassoc) { 3741 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 3742 listen_interval = le_to_host16( 3743 mgmt->u.reassoc_req.listen_interval); 3744 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 3745 " capab_info=0x%02x listen_interval=%d current_ap=" 3746 MACSTR " seq_ctrl=0x%x%s", 3747 MAC2STR(mgmt->sa), capab_info, listen_interval, 3748 MAC2STR(mgmt->u.reassoc_req.current_ap), 3749 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 3750 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 3751 pos = mgmt->u.reassoc_req.variable; 3752 } else { 3753 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 3754 listen_interval = le_to_host16( 3755 mgmt->u.assoc_req.listen_interval); 3756 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 3757 " capab_info=0x%02x listen_interval=%d " 3758 "seq_ctrl=0x%x%s", 3759 MAC2STR(mgmt->sa), capab_info, listen_interval, 3760 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 3761 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 3762 pos = mgmt->u.assoc_req.variable; 3763 } 3764 3765 sta = ap_get_sta(hapd, mgmt->sa); 3766 #ifdef CONFIG_IEEE80211R_AP 3767 if (sta && sta->auth_alg == WLAN_AUTH_FT && 3768 (sta->flags & WLAN_STA_AUTH) == 0) { 3769 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 3770 "prior to authentication since it is using " 3771 "over-the-DS FT", MAC2STR(mgmt->sa)); 3772 3773 /* 3774 * Mark station as authenticated, to avoid adding station 3775 * entry in the driver as associated and not authenticated 3776 */ 3777 sta->flags |= WLAN_STA_AUTH; 3778 } else 3779 #endif /* CONFIG_IEEE80211R_AP */ 3780 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 3781 if (hapd->iface->current_mode && 3782 hapd->iface->current_mode->mode == 3783 HOSTAPD_MODE_IEEE80211AD) { 3784 int acl_res; 3785 u32 session_timeout, acct_interim_interval; 3786 struct vlan_description vlan_id; 3787 3788 acl_res = ieee802_11_allowed_address( 3789 hapd, mgmt->sa, (const u8 *) mgmt, len, 3790 &session_timeout, &acct_interim_interval, 3791 &vlan_id, &psk, &identity, &radius_cui, 0); 3792 if (acl_res == HOSTAPD_ACL_REJECT) { 3793 wpa_msg(hapd->msg_ctx, MSG_DEBUG, 3794 "Ignore Association Request frame from " 3795 MACSTR " due to ACL reject", 3796 MAC2STR(mgmt->sa)); 3797 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3798 goto fail; 3799 } 3800 if (acl_res == HOSTAPD_ACL_PENDING) 3801 return; 3802 3803 /* DMG/IEEE 802.11ad does not use authentication. 3804 * Allocate sta entry upon association. */ 3805 sta = ap_sta_add(hapd, mgmt->sa); 3806 if (!sta) { 3807 hostapd_logger(hapd, mgmt->sa, 3808 HOSTAPD_MODULE_IEEE80211, 3809 HOSTAPD_LEVEL_INFO, 3810 "Failed to add STA"); 3811 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3812 goto fail; 3813 } 3814 3815 acl_res = ieee802_11_set_radius_info( 3816 hapd, sta, acl_res, session_timeout, 3817 acct_interim_interval, &vlan_id, &psk, 3818 &identity, &radius_cui); 3819 if (acl_res) { 3820 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3821 goto fail; 3822 } 3823 3824 hostapd_logger(hapd, sta->addr, 3825 HOSTAPD_MODULE_IEEE80211, 3826 HOSTAPD_LEVEL_DEBUG, 3827 "Skip authentication for DMG/IEEE 802.11ad"); 3828 sta->flags |= WLAN_STA_AUTH; 3829 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 3830 sta->auth_alg = WLAN_AUTH_OPEN; 3831 } else { 3832 hostapd_logger(hapd, mgmt->sa, 3833 HOSTAPD_MODULE_IEEE80211, 3834 HOSTAPD_LEVEL_INFO, 3835 "Station tried to associate before authentication (aid=%d flags=0x%x)", 3836 sta ? sta->aid : -1, 3837 sta ? sta->flags : 0); 3838 send_deauth(hapd, mgmt->sa, 3839 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 3840 return; 3841 } 3842 } 3843 3844 if ((fc & WLAN_FC_RETRY) && 3845 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 3846 sta->last_seq_ctrl == seq_ctrl && 3847 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 3848 WLAN_FC_STYPE_ASSOC_REQ)) { 3849 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3850 HOSTAPD_LEVEL_DEBUG, 3851 "Drop repeated association frame seq_ctrl=0x%x", 3852 seq_ctrl); 3853 return; 3854 } 3855 sta->last_seq_ctrl = seq_ctrl; 3856 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 3857 WLAN_FC_STYPE_ASSOC_REQ; 3858 3859 if (hapd->tkip_countermeasures) { 3860 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3861 goto fail; 3862 } 3863 3864 if (listen_interval > hapd->conf->max_listen_interval) { 3865 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3866 HOSTAPD_LEVEL_DEBUG, 3867 "Too large Listen Interval (%d)", 3868 listen_interval); 3869 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 3870 goto fail; 3871 } 3872 3873 #ifdef CONFIG_MBO 3874 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) { 3875 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3876 goto fail; 3877 } 3878 3879 if (hapd->iconf->rssi_reject_assoc_rssi && rssi && 3880 rssi < hapd->iconf->rssi_reject_assoc_rssi && 3881 (sta->auth_rssi == 0 || 3882 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) { 3883 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS; 3884 goto fail; 3885 } 3886 #endif /* CONFIG_MBO */ 3887 3888 /* 3889 * sta->capability is used in check_assoc_ies() for RRM enabled 3890 * capability element. 3891 */ 3892 sta->capability = capab_info; 3893 3894 #ifdef CONFIG_FILS 3895 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 3896 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3897 sta->auth_alg == WLAN_AUTH_FILS_PK) { 3898 int res; 3899 3900 /* The end of the payload is encrypted. Need to decrypt it 3901 * before parsing. */ 3902 3903 tmp = os_memdup(pos, left); 3904 if (!tmp) { 3905 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3906 goto fail; 3907 } 3908 3909 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt, 3910 len, tmp, left); 3911 if (res < 0) { 3912 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 3913 goto fail; 3914 } 3915 pos = tmp; 3916 left = res; 3917 } 3918 #endif /* CONFIG_FILS */ 3919 3920 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 3921 * is used */ 3922 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 3923 if (resp != WLAN_STATUS_SUCCESS) 3924 goto fail; 3925 3926 if (hostapd_get_aid(hapd, sta) < 0) { 3927 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3928 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 3929 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 3930 goto fail; 3931 } 3932 3933 sta->listen_interval = listen_interval; 3934 3935 if (hapd->iface->current_mode && 3936 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 3937 sta->flags |= WLAN_STA_NONERP; 3938 for (i = 0; i < sta->supported_rates_len; i++) { 3939 if ((sta->supported_rates[i] & 0x7f) > 22) { 3940 sta->flags &= ~WLAN_STA_NONERP; 3941 break; 3942 } 3943 } 3944 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 3945 sta->nonerp_set = 1; 3946 hapd->iface->num_sta_non_erp++; 3947 if (hapd->iface->num_sta_non_erp == 1) 3948 ieee802_11_set_beacons(hapd->iface); 3949 } 3950 3951 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 3952 !sta->no_short_slot_time_set) { 3953 sta->no_short_slot_time_set = 1; 3954 hapd->iface->num_sta_no_short_slot_time++; 3955 if (hapd->iface->current_mode && 3956 hapd->iface->current_mode->mode == 3957 HOSTAPD_MODE_IEEE80211G && 3958 hapd->iface->num_sta_no_short_slot_time == 1) 3959 ieee802_11_set_beacons(hapd->iface); 3960 } 3961 3962 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 3963 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 3964 else 3965 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 3966 3967 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 3968 !sta->no_short_preamble_set) { 3969 sta->no_short_preamble_set = 1; 3970 hapd->iface->num_sta_no_short_preamble++; 3971 if (hapd->iface->current_mode && 3972 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 3973 && hapd->iface->num_sta_no_short_preamble == 1) 3974 ieee802_11_set_beacons(hapd->iface); 3975 } 3976 3977 #ifdef CONFIG_IEEE80211N 3978 update_ht_state(hapd, sta); 3979 #endif /* CONFIG_IEEE80211N */ 3980 3981 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3982 HOSTAPD_LEVEL_DEBUG, 3983 "association OK (aid %d)", sta->aid); 3984 /* Station will be marked associated, after it acknowledges AssocResp 3985 */ 3986 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 3987 3988 #ifdef CONFIG_IEEE80211W 3989 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 3990 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 3991 "SA Query procedure", reassoc ? "re" : ""); 3992 /* TODO: Send a protected Disassociate frame to the STA using 3993 * the old key and Reason Code "Previous Authentication no 3994 * longer valid". Make sure this is only sent protected since 3995 * unprotected frame would be received by the STA that is now 3996 * trying to associate. 3997 */ 3998 } 3999 #endif /* CONFIG_IEEE80211W */ 4000 4001 /* Make sure that the previously registered inactivity timer will not 4002 * remove the STA immediately. */ 4003 sta->timeout_next = STA_NULLFUNC; 4004 4005 #ifdef CONFIG_TAXONOMY 4006 taxonomy_sta_info_assoc_req(hapd, sta, pos, left); 4007 #endif /* CONFIG_TAXONOMY */ 4008 4009 sta->pending_wds_enable = 0; 4010 4011 #ifdef CONFIG_FILS 4012 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 4013 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4014 sta->auth_alg == WLAN_AUTH_FILS_PK) { 4015 if (fils_process_hlp(hapd, sta, pos, left) > 0) 4016 delay_assoc = 1; 4017 } 4018 #endif /* CONFIG_FILS */ 4019 4020 fail: 4021 os_free(identity); 4022 os_free(radius_cui); 4023 hostapd_free_psk_list(psk); 4024 4025 /* 4026 * In case of a successful response, add the station to the driver. 4027 * Otherwise, the kernel may ignore Data frames before we process the 4028 * ACK frame (TX status). In case of a failure, this station will be 4029 * removed. 4030 * 4031 * Note that this is not compliant with the IEEE 802.11 standard that 4032 * states that a non-AP station should transition into the 4033 * authenticated/associated state only after the station acknowledges 4034 * the (Re)Association Response frame. However, still do this as: 4035 * 4036 * 1. In case the station does not acknowledge the (Re)Association 4037 * Response frame, it will be removed. 4038 * 2. Data frames will be dropped in the kernel until the station is 4039 * set into authorized state, and there are no significant known 4040 * issues with processing other non-Data Class 3 frames during this 4041 * window. 4042 */ 4043 if (resp == WLAN_STATUS_SUCCESS && sta && 4044 add_associated_sta(hapd, sta, reassoc)) 4045 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 4046 4047 #ifdef CONFIG_FILS 4048 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS && 4049 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) && 4050 sta->fils_pending_assoc_req) { 4051 /* Do not reschedule fils_hlp_timeout in case the station 4052 * retransmits (Re)Association Request frame while waiting for 4053 * the previously started FILS HLP wait, so that the timeout can 4054 * be determined from the first pending attempt. */ 4055 wpa_printf(MSG_DEBUG, 4056 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to " 4057 MACSTR, MAC2STR(sta->addr)); 4058 os_free(tmp); 4059 return; 4060 } 4061 if (sta) { 4062 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 4063 os_free(sta->fils_pending_assoc_req); 4064 sta->fils_pending_assoc_req = NULL; 4065 sta->fils_pending_assoc_req_len = 0; 4066 wpabuf_free(sta->fils_hlp_resp); 4067 sta->fils_hlp_resp = NULL; 4068 } 4069 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) { 4070 sta->fils_pending_assoc_req = tmp; 4071 sta->fils_pending_assoc_req_len = left; 4072 sta->fils_pending_assoc_is_reassoc = reassoc; 4073 sta->fils_drv_assoc_finish = 0; 4074 wpa_printf(MSG_DEBUG, 4075 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to " 4076 MACSTR, MAC2STR(sta->addr)); 4077 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 4078 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024, 4079 fils_hlp_timeout, hapd, sta); 4080 return; 4081 } 4082 #endif /* CONFIG_FILS */ 4083 4084 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos, 4085 left, rssi); 4086 os_free(tmp); 4087 4088 /* 4089 * Remove the station in case tranmission of a success response fails 4090 * (the STA was added associated to the driver) or if the station was 4091 * previously added unassociated. 4092 */ 4093 if (sta && ((reply_res != WLAN_STATUS_SUCCESS && 4094 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) { 4095 hostapd_drv_sta_remove(hapd, sta->addr); 4096 sta->added_unassoc = 0; 4097 } 4098 } 4099 4100 4101 static void handle_disassoc(struct hostapd_data *hapd, 4102 const struct ieee80211_mgmt *mgmt, size_t len) 4103 { 4104 struct sta_info *sta; 4105 4106 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 4107 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)", 4108 (unsigned long) len); 4109 return; 4110 } 4111 4112 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", 4113 MAC2STR(mgmt->sa), 4114 le_to_host16(mgmt->u.disassoc.reason_code)); 4115 4116 sta = ap_get_sta(hapd, mgmt->sa); 4117 if (sta == NULL) { 4118 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated", 4119 MAC2STR(mgmt->sa)); 4120 return; 4121 } 4122 4123 ap_sta_set_authorized(hapd, sta, 0); 4124 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 4125 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 4126 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 4127 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4128 HOSTAPD_LEVEL_INFO, "disassociated"); 4129 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 4130 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 4131 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 4132 * authenticated. */ 4133 accounting_sta_stop(hapd, sta); 4134 ieee802_1x_free_station(hapd, sta); 4135 if (sta->ipaddr) 4136 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 4137 ap_sta_ip6addr_del(hapd, sta); 4138 hostapd_drv_sta_remove(hapd, sta->addr); 4139 sta->added_unassoc = 0; 4140 4141 if (sta->timeout_next == STA_NULLFUNC || 4142 sta->timeout_next == STA_DISASSOC) { 4143 sta->timeout_next = STA_DEAUTH; 4144 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 4145 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 4146 hapd, sta); 4147 } 4148 4149 mlme_disassociate_indication( 4150 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 4151 4152 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon 4153 * disassociation. */ 4154 if (hapd->iface->current_mode && 4155 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) { 4156 sta->flags &= ~WLAN_STA_AUTH; 4157 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 4158 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4159 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 4160 ap_free_sta(hapd, sta); 4161 } 4162 } 4163 4164 4165 static void handle_deauth(struct hostapd_data *hapd, 4166 const struct ieee80211_mgmt *mgmt, size_t len) 4167 { 4168 struct sta_info *sta; 4169 4170 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 4171 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short " 4172 "payload (len=%lu)", (unsigned long) len); 4173 return; 4174 } 4175 4176 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR 4177 " reason_code=%d", 4178 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 4179 4180 sta = ap_get_sta(hapd, mgmt->sa); 4181 if (sta == NULL) { 4182 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " 4183 "to deauthenticate, but it is not authenticated", 4184 MAC2STR(mgmt->sa)); 4185 return; 4186 } 4187 4188 ap_sta_set_authorized(hapd, sta, 0); 4189 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 4190 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 4191 WLAN_STA_ASSOC_REQ_OK); 4192 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 4193 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4194 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 4195 mlme_deauthenticate_indication( 4196 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 4197 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 4198 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 4199 ap_free_sta(hapd, sta); 4200 } 4201 4202 4203 static void handle_beacon(struct hostapd_data *hapd, 4204 const struct ieee80211_mgmt *mgmt, size_t len, 4205 struct hostapd_frame_info *fi) 4206 { 4207 struct ieee802_11_elems elems; 4208 4209 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 4210 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 4211 (unsigned long) len); 4212 return; 4213 } 4214 4215 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 4216 len - (IEEE80211_HDRLEN + 4217 sizeof(mgmt->u.beacon)), &elems, 4218 0); 4219 4220 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 4221 } 4222 4223 4224 #ifdef CONFIG_IEEE80211W 4225 static int robust_action_frame(u8 category) 4226 { 4227 return category != WLAN_ACTION_PUBLIC && 4228 category != WLAN_ACTION_HT; 4229 } 4230 #endif /* CONFIG_IEEE80211W */ 4231 4232 4233 static int handle_action(struct hostapd_data *hapd, 4234 const struct ieee80211_mgmt *mgmt, size_t len, 4235 unsigned int freq) 4236 { 4237 struct sta_info *sta; 4238 u8 *action __maybe_unused; 4239 4240 if (len < IEEE80211_HDRLEN + 2 + 1) { 4241 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4242 HOSTAPD_LEVEL_DEBUG, 4243 "handle_action - too short payload (len=%lu)", 4244 (unsigned long) len); 4245 return 0; 4246 } 4247 4248 action = (u8 *) &mgmt->u.action.u; 4249 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR 4250 " da " MACSTR " len %d freq %u", 4251 mgmt->u.action.category, *action, 4252 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq); 4253 4254 sta = ap_get_sta(hapd, mgmt->sa); 4255 4256 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 4257 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 4258 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 4259 "frame (category=%u) from unassociated STA " MACSTR, 4260 mgmt->u.action.category, MAC2STR(mgmt->sa)); 4261 return 0; 4262 } 4263 4264 #ifdef CONFIG_IEEE80211W 4265 if (sta && (sta->flags & WLAN_STA_MFP) && 4266 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 4267 robust_action_frame(mgmt->u.action.category)) { 4268 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4269 HOSTAPD_LEVEL_DEBUG, 4270 "Dropped unprotected Robust Action frame from " 4271 "an MFP STA"); 4272 return 0; 4273 } 4274 #endif /* CONFIG_IEEE80211W */ 4275 4276 if (sta) { 4277 u16 fc = le_to_host16(mgmt->frame_control); 4278 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 4279 4280 if ((fc & WLAN_FC_RETRY) && 4281 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 4282 sta->last_seq_ctrl == seq_ctrl && 4283 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 4284 hostapd_logger(hapd, sta->addr, 4285 HOSTAPD_MODULE_IEEE80211, 4286 HOSTAPD_LEVEL_DEBUG, 4287 "Drop repeated action frame seq_ctrl=0x%x", 4288 seq_ctrl); 4289 return 1; 4290 } 4291 4292 sta->last_seq_ctrl = seq_ctrl; 4293 sta->last_subtype = WLAN_FC_STYPE_ACTION; 4294 } 4295 4296 switch (mgmt->u.action.category) { 4297 #ifdef CONFIG_IEEE80211R_AP 4298 case WLAN_ACTION_FT: 4299 if (!sta || 4300 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 4301 len - IEEE80211_HDRLEN)) 4302 break; 4303 return 1; 4304 #endif /* CONFIG_IEEE80211R_AP */ 4305 case WLAN_ACTION_WMM: 4306 hostapd_wmm_action(hapd, mgmt, len); 4307 return 1; 4308 #ifdef CONFIG_IEEE80211W 4309 case WLAN_ACTION_SA_QUERY: 4310 ieee802_11_sa_query_action(hapd, mgmt, len); 4311 return 1; 4312 #endif /* CONFIG_IEEE80211W */ 4313 #ifdef CONFIG_WNM_AP 4314 case WLAN_ACTION_WNM: 4315 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 4316 return 1; 4317 #endif /* CONFIG_WNM_AP */ 4318 #ifdef CONFIG_FST 4319 case WLAN_ACTION_FST: 4320 if (hapd->iface->fst) 4321 fst_rx_action(hapd->iface->fst, mgmt, len); 4322 else 4323 wpa_printf(MSG_DEBUG, 4324 "FST: Ignore FST Action frame - no FST attached"); 4325 return 1; 4326 #endif /* CONFIG_FST */ 4327 case WLAN_ACTION_PUBLIC: 4328 case WLAN_ACTION_PROTECTED_DUAL: 4329 #ifdef CONFIG_IEEE80211N 4330 if (len >= IEEE80211_HDRLEN + 2 && 4331 mgmt->u.action.u.public_action.action == 4332 WLAN_PA_20_40_BSS_COEX) { 4333 hostapd_2040_coex_action(hapd, mgmt, len); 4334 return 1; 4335 } 4336 #endif /* CONFIG_IEEE80211N */ 4337 #ifdef CONFIG_DPP 4338 if (len >= IEEE80211_HDRLEN + 6 && 4339 mgmt->u.action.u.vs_public_action.action == 4340 WLAN_PA_VENDOR_SPECIFIC && 4341 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 4342 OUI_WFA && 4343 mgmt->u.action.u.vs_public_action.variable[0] == 4344 DPP_OUI_TYPE) { 4345 const u8 *pos, *end; 4346 4347 pos = mgmt->u.action.u.vs_public_action.oui; 4348 end = ((const u8 *) mgmt) + len; 4349 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos, 4350 freq); 4351 return 1; 4352 } 4353 if (len >= IEEE80211_HDRLEN + 2 && 4354 (mgmt->u.action.u.public_action.action == 4355 WLAN_PA_GAS_INITIAL_RESP || 4356 mgmt->u.action.u.public_action.action == 4357 WLAN_PA_GAS_COMEBACK_RESP)) { 4358 const u8 *pos, *end; 4359 4360 pos = &mgmt->u.action.u.public_action.action; 4361 end = ((const u8 *) mgmt) + len; 4362 gas_query_ap_rx(hapd->gas, mgmt->sa, 4363 mgmt->u.action.category, 4364 pos, end - pos, hapd->iface->freq); 4365 return 1; 4366 } 4367 #endif /* CONFIG_DPP */ 4368 if (hapd->public_action_cb) { 4369 hapd->public_action_cb(hapd->public_action_cb_ctx, 4370 (u8 *) mgmt, len, 4371 hapd->iface->freq); 4372 } 4373 if (hapd->public_action_cb2) { 4374 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 4375 (u8 *) mgmt, len, 4376 hapd->iface->freq); 4377 } 4378 if (hapd->public_action_cb || hapd->public_action_cb2) 4379 return 1; 4380 break; 4381 case WLAN_ACTION_VENDOR_SPECIFIC: 4382 if (hapd->vendor_action_cb) { 4383 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 4384 (u8 *) mgmt, len, 4385 hapd->iface->freq) == 0) 4386 return 1; 4387 } 4388 break; 4389 case WLAN_ACTION_RADIO_MEASUREMENT: 4390 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len); 4391 return 1; 4392 } 4393 4394 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4395 HOSTAPD_LEVEL_DEBUG, 4396 "handle_action - unknown action category %d or invalid " 4397 "frame", 4398 mgmt->u.action.category); 4399 if (!is_multicast_ether_addr(mgmt->da) && 4400 !(mgmt->u.action.category & 0x80) && 4401 !is_multicast_ether_addr(mgmt->sa)) { 4402 struct ieee80211_mgmt *resp; 4403 4404 /* 4405 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 4406 * Return the Action frame to the source without change 4407 * except that MSB of the Category set to 1. 4408 */ 4409 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 4410 "frame back to sender"); 4411 resp = os_memdup(mgmt, len); 4412 if (resp == NULL) 4413 return 0; 4414 os_memcpy(resp->da, resp->sa, ETH_ALEN); 4415 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 4416 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 4417 resp->u.action.category |= 0x80; 4418 4419 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) { 4420 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 4421 "Action frame"); 4422 } 4423 os_free(resp); 4424 } 4425 4426 return 1; 4427 } 4428 4429 4430 /** 4431 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 4432 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 4433 * sent to) 4434 * @buf: management frame data (starting from IEEE 802.11 header) 4435 * @len: length of frame data in octets 4436 * @fi: meta data about received frame (signal level, etc.) 4437 * 4438 * Process all incoming IEEE 802.11 management frames. This will be called for 4439 * each frame received from the kernel driver through wlan#ap interface. In 4440 * addition, it can be called to re-inserted pending frames (e.g., when using 4441 * external RADIUS server as an MAC ACL). 4442 */ 4443 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 4444 struct hostapd_frame_info *fi) 4445 { 4446 struct ieee80211_mgmt *mgmt; 4447 u16 fc, stype; 4448 int ret = 0; 4449 unsigned int freq; 4450 int ssi_signal = fi ? fi->ssi_signal : 0; 4451 4452 if (len < 24) 4453 return 0; 4454 4455 if (fi && fi->freq) 4456 freq = fi->freq; 4457 else 4458 freq = hapd->iface->freq; 4459 4460 mgmt = (struct ieee80211_mgmt *) buf; 4461 fc = le_to_host16(mgmt->frame_control); 4462 stype = WLAN_FC_GET_STYPE(fc); 4463 4464 if (stype == WLAN_FC_STYPE_BEACON) { 4465 handle_beacon(hapd, mgmt, len, fi); 4466 return 1; 4467 } 4468 4469 if (!is_broadcast_ether_addr(mgmt->bssid) && 4470 #ifdef CONFIG_P2P 4471 /* Invitation responses can be sent with the peer MAC as BSSID */ 4472 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 4473 stype == WLAN_FC_STYPE_ACTION) && 4474 #endif /* CONFIG_P2P */ 4475 #ifdef CONFIG_MESH 4476 !(hapd->conf->mesh & MESH_ENABLED) && 4477 #endif /* CONFIG_MESH */ 4478 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) { 4479 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 4480 MAC2STR(mgmt->bssid)); 4481 return 0; 4482 } 4483 4484 4485 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 4486 handle_probe_req(hapd, mgmt, len, ssi_signal); 4487 return 1; 4488 } 4489 4490 if ((!is_broadcast_ether_addr(mgmt->da) || 4491 stype != WLAN_FC_STYPE_ACTION) && 4492 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) { 4493 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4494 HOSTAPD_LEVEL_DEBUG, 4495 "MGMT: DA=" MACSTR " not our address", 4496 MAC2STR(mgmt->da)); 4497 return 0; 4498 } 4499 4500 if (hapd->iconf->track_sta_max_num) 4501 sta_track_add(hapd->iface, mgmt->sa, ssi_signal); 4502 4503 switch (stype) { 4504 case WLAN_FC_STYPE_AUTH: 4505 wpa_printf(MSG_DEBUG, "mgmt::auth"); 4506 handle_auth(hapd, mgmt, len, ssi_signal, 0); 4507 ret = 1; 4508 break; 4509 case WLAN_FC_STYPE_ASSOC_REQ: 4510 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 4511 handle_assoc(hapd, mgmt, len, 0, ssi_signal); 4512 ret = 1; 4513 break; 4514 case WLAN_FC_STYPE_REASSOC_REQ: 4515 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 4516 handle_assoc(hapd, mgmt, len, 1, ssi_signal); 4517 ret = 1; 4518 break; 4519 case WLAN_FC_STYPE_DISASSOC: 4520 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 4521 handle_disassoc(hapd, mgmt, len); 4522 ret = 1; 4523 break; 4524 case WLAN_FC_STYPE_DEAUTH: 4525 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 4526 handle_deauth(hapd, mgmt, len); 4527 ret = 1; 4528 break; 4529 case WLAN_FC_STYPE_ACTION: 4530 wpa_printf(MSG_DEBUG, "mgmt::action"); 4531 ret = handle_action(hapd, mgmt, len, freq); 4532 break; 4533 default: 4534 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 4535 HOSTAPD_LEVEL_DEBUG, 4536 "unknown mgmt frame subtype %d", stype); 4537 break; 4538 } 4539 4540 return ret; 4541 } 4542 4543 4544 static void handle_auth_cb(struct hostapd_data *hapd, 4545 const struct ieee80211_mgmt *mgmt, 4546 size_t len, int ok) 4547 { 4548 u16 auth_alg, auth_transaction, status_code; 4549 struct sta_info *sta; 4550 4551 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 4552 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 4553 (unsigned long) len); 4554 4555 /* 4556 * Initialize status_code here because we are not able to read 4557 * it from the short payload. 4558 */ 4559 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE; 4560 goto fail; 4561 } 4562 4563 sta = ap_get_sta(hapd, mgmt->da); 4564 if (!sta) { 4565 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR 4566 " not found", 4567 MAC2STR(mgmt->da)); 4568 return; 4569 } 4570 4571 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 4572 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 4573 status_code = le_to_host16(mgmt->u.auth.status_code); 4574 4575 if (!ok) { 4576 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 4577 HOSTAPD_LEVEL_NOTICE, 4578 "did not acknowledge authentication response"); 4579 goto fail; 4580 } 4581 4582 if (status_code == WLAN_STATUS_SUCCESS && 4583 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 4584 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 4585 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4586 HOSTAPD_LEVEL_INFO, "authenticated"); 4587 sta->flags |= WLAN_STA_AUTH; 4588 if (sta->added_unassoc) 4589 hostapd_set_sta_flags(hapd, sta); 4590 return; 4591 } 4592 4593 fail: 4594 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) { 4595 hostapd_drv_sta_remove(hapd, sta->addr); 4596 sta->added_unassoc = 0; 4597 } 4598 } 4599 4600 4601 static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 4602 struct sta_info *sta, 4603 char *ifname_wds) 4604 { 4605 int i; 4606 struct hostapd_ssid *ssid = &hapd->conf->ssid; 4607 4608 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 4609 return; 4610 4611 for (i = 0; i < 4; i++) { 4612 if (ssid->wep.key[i] && 4613 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 4614 i == ssid->wep.idx, NULL, 0, 4615 ssid->wep.key[i], ssid->wep.len[i])) { 4616 wpa_printf(MSG_WARNING, 4617 "Could not set WEP keys for WDS interface; %s", 4618 ifname_wds); 4619 break; 4620 } 4621 } 4622 } 4623 4624 4625 static void handle_assoc_cb(struct hostapd_data *hapd, 4626 const struct ieee80211_mgmt *mgmt, 4627 size_t len, int reassoc, int ok) 4628 { 4629 u16 status; 4630 struct sta_info *sta; 4631 int new_assoc = 1; 4632 4633 sta = ap_get_sta(hapd, mgmt->da); 4634 if (!sta) { 4635 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 4636 MAC2STR(mgmt->da)); 4637 return; 4638 } 4639 4640 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 4641 sizeof(mgmt->u.assoc_resp))) { 4642 wpa_printf(MSG_INFO, 4643 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 4644 reassoc, (unsigned long) len); 4645 hostapd_drv_sta_remove(hapd, sta->addr); 4646 return; 4647 } 4648 4649 if (reassoc) 4650 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 4651 else 4652 status = le_to_host16(mgmt->u.assoc_resp.status_code); 4653 4654 if (!ok) { 4655 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 4656 HOSTAPD_LEVEL_DEBUG, 4657 "did not acknowledge association response"); 4658 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 4659 /* The STA is added only in case of SUCCESS */ 4660 if (status == WLAN_STATUS_SUCCESS) 4661 hostapd_drv_sta_remove(hapd, sta->addr); 4662 4663 return; 4664 } 4665 4666 if (status != WLAN_STATUS_SUCCESS) 4667 return; 4668 4669 /* Stop previous accounting session, if one is started, and allocate 4670 * new session id for the new session. */ 4671 accounting_sta_stop(hapd, sta); 4672 4673 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 4674 HOSTAPD_LEVEL_INFO, 4675 "associated (aid %d)", 4676 sta->aid); 4677 4678 if (sta->flags & WLAN_STA_ASSOC) 4679 new_assoc = 0; 4680 sta->flags |= WLAN_STA_ASSOC; 4681 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 4682 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && 4683 !hapd->conf->osen) || 4684 sta->auth_alg == WLAN_AUTH_FILS_SK || 4685 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4686 sta->auth_alg == WLAN_AUTH_FILS_PK || 4687 sta->auth_alg == WLAN_AUTH_FT) { 4688 /* 4689 * Open, static WEP, FT protocol, or FILS; no separate 4690 * authorization step. 4691 */ 4692 ap_sta_set_authorized(hapd, sta, 1); 4693 } 4694 4695 if (reassoc) 4696 mlme_reassociate_indication(hapd, sta); 4697 else 4698 mlme_associate_indication(hapd, sta); 4699 4700 #ifdef CONFIG_IEEE80211W 4701 sta->sa_query_timed_out = 0; 4702 #endif /* CONFIG_IEEE80211W */ 4703 4704 if (sta->eapol_sm == NULL) { 4705 /* 4706 * This STA does not use RADIUS server for EAP authentication, 4707 * so bind it to the selected VLAN interface now, since the 4708 * interface selection is not going to change anymore. 4709 */ 4710 if (ap_sta_bind_vlan(hapd, sta) < 0) 4711 return; 4712 } else if (sta->vlan_id) { 4713 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 4714 if (ap_sta_bind_vlan(hapd, sta) < 0) 4715 return; 4716 } 4717 4718 hostapd_set_sta_flags(hapd, sta); 4719 4720 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) { 4721 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA " 4722 MACSTR " based on pending request", 4723 MAC2STR(sta->addr)); 4724 sta->pending_wds_enable = 0; 4725 sta->flags |= WLAN_STA_WDS; 4726 } 4727 4728 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) { 4729 int ret; 4730 char ifname_wds[IFNAMSIZ + 1]; 4731 4732 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA " 4733 MACSTR " (aid %u)", 4734 MAC2STR(sta->addr), sta->aid); 4735 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 4736 sta->aid, 1); 4737 if (!ret) 4738 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 4739 } 4740 4741 if (sta->auth_alg == WLAN_AUTH_FT) 4742 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 4743 else 4744 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 4745 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 4746 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 4747 4748 #ifdef CONFIG_FILS 4749 if ((sta->auth_alg == WLAN_AUTH_FILS_SK || 4750 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 4751 sta->auth_alg == WLAN_AUTH_FILS_PK) && 4752 fils_set_tk(sta->wpa_sm) < 0) { 4753 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed"); 4754 ap_sta_disconnect(hapd, sta, sta->addr, 4755 WLAN_REASON_UNSPECIFIED); 4756 return; 4757 } 4758 #endif /* CONFIG_FILS */ 4759 4760 if (sta->pending_eapol_rx) { 4761 struct os_reltime now, age; 4762 4763 os_get_reltime(&now); 4764 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age); 4765 if (age.sec == 0 && age.usec < 200000) { 4766 wpa_printf(MSG_DEBUG, 4767 "Process pending EAPOL frame that was received from " MACSTR " just before association notification", 4768 MAC2STR(sta->addr)); 4769 ieee802_1x_receive( 4770 hapd, mgmt->da, 4771 wpabuf_head(sta->pending_eapol_rx->buf), 4772 wpabuf_len(sta->pending_eapol_rx->buf)); 4773 } 4774 wpabuf_free(sta->pending_eapol_rx->buf); 4775 os_free(sta->pending_eapol_rx); 4776 sta->pending_eapol_rx = NULL; 4777 } 4778 } 4779 4780 4781 static void handle_deauth_cb(struct hostapd_data *hapd, 4782 const struct ieee80211_mgmt *mgmt, 4783 size_t len, int ok) 4784 { 4785 struct sta_info *sta; 4786 if (is_multicast_ether_addr(mgmt->da)) 4787 return; 4788 sta = ap_get_sta(hapd, mgmt->da); 4789 if (!sta) { 4790 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 4791 " not found", MAC2STR(mgmt->da)); 4792 return; 4793 } 4794 if (ok) 4795 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 4796 MAC2STR(sta->addr)); 4797 else 4798 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 4799 "deauth", MAC2STR(sta->addr)); 4800 4801 ap_sta_deauth_cb(hapd, sta); 4802 } 4803 4804 4805 static void handle_disassoc_cb(struct hostapd_data *hapd, 4806 const struct ieee80211_mgmt *mgmt, 4807 size_t len, int ok) 4808 { 4809 struct sta_info *sta; 4810 if (is_multicast_ether_addr(mgmt->da)) 4811 return; 4812 sta = ap_get_sta(hapd, mgmt->da); 4813 if (!sta) { 4814 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 4815 " not found", MAC2STR(mgmt->da)); 4816 return; 4817 } 4818 if (ok) 4819 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 4820 MAC2STR(sta->addr)); 4821 else 4822 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 4823 "disassoc", MAC2STR(sta->addr)); 4824 4825 ap_sta_disassoc_cb(hapd, sta); 4826 } 4827 4828 4829 static void handle_action_cb(struct hostapd_data *hapd, 4830 const struct ieee80211_mgmt *mgmt, 4831 size_t len, int ok) 4832 { 4833 struct sta_info *sta; 4834 const struct rrm_measurement_report_element *report; 4835 4836 if (is_multicast_ether_addr(mgmt->da)) 4837 return; 4838 #ifdef CONFIG_DPP 4839 if (len >= IEEE80211_HDRLEN + 6 && 4840 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 4841 mgmt->u.action.u.vs_public_action.action == 4842 WLAN_PA_VENDOR_SPECIFIC && 4843 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) == 4844 OUI_WFA && 4845 mgmt->u.action.u.vs_public_action.variable[0] == 4846 DPP_OUI_TYPE) { 4847 const u8 *pos, *end; 4848 4849 pos = &mgmt->u.action.u.vs_public_action.variable[1]; 4850 end = ((const u8 *) mgmt) + len; 4851 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok); 4852 return; 4853 } 4854 if (len >= IEEE80211_HDRLEN + 2 && 4855 mgmt->u.action.category == WLAN_ACTION_PUBLIC && 4856 (mgmt->u.action.u.public_action.action == 4857 WLAN_PA_GAS_INITIAL_REQ || 4858 mgmt->u.action.u.public_action.action == 4859 WLAN_PA_GAS_COMEBACK_REQ)) { 4860 const u8 *pos, *end; 4861 4862 pos = mgmt->u.action.u.public_action.variable; 4863 end = ((const u8 *) mgmt) + len; 4864 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok); 4865 return; 4866 } 4867 #endif /* CONFIG_DPP */ 4868 sta = ap_get_sta(hapd, mgmt->da); 4869 if (!sta) { 4870 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR 4871 " not found", MAC2STR(mgmt->da)); 4872 return; 4873 } 4874 4875 if (len < 24 + 5 + sizeof(*report)) 4876 return; 4877 report = (const struct rrm_measurement_report_element *) 4878 &mgmt->u.action.u.rrm.variable[2]; 4879 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT && 4880 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST && 4881 report->eid == WLAN_EID_MEASURE_REQUEST && 4882 report->len >= 3 && 4883 report->type == MEASURE_TYPE_BEACON) 4884 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok); 4885 } 4886 4887 4888 /** 4889 * ieee802_11_mgmt_cb - Process management frame TX status callback 4890 * @hapd: hostapd BSS data structure (the BSS from which the management frame 4891 * was sent from) 4892 * @buf: management frame data (starting from IEEE 802.11 header) 4893 * @len: length of frame data in octets 4894 * @stype: management frame subtype from frame control field 4895 * @ok: Whether the frame was ACK'ed 4896 */ 4897 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 4898 u16 stype, int ok) 4899 { 4900 const struct ieee80211_mgmt *mgmt; 4901 mgmt = (const struct ieee80211_mgmt *) buf; 4902 4903 #ifdef CONFIG_TESTING_OPTIONS 4904 if (hapd->ext_mgmt_frame_handling) { 4905 size_t hex_len = 2 * len + 1; 4906 char *hex = os_malloc(hex_len); 4907 4908 if (hex) { 4909 wpa_snprintf_hex(hex, hex_len, buf, len); 4910 wpa_msg(hapd->msg_ctx, MSG_INFO, 4911 "MGMT-TX-STATUS stype=%u ok=%d buf=%s", 4912 stype, ok, hex); 4913 os_free(hex); 4914 } 4915 return; 4916 } 4917 #endif /* CONFIG_TESTING_OPTIONS */ 4918 4919 switch (stype) { 4920 case WLAN_FC_STYPE_AUTH: 4921 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 4922 handle_auth_cb(hapd, mgmt, len, ok); 4923 break; 4924 case WLAN_FC_STYPE_ASSOC_RESP: 4925 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 4926 handle_assoc_cb(hapd, mgmt, len, 0, ok); 4927 break; 4928 case WLAN_FC_STYPE_REASSOC_RESP: 4929 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 4930 handle_assoc_cb(hapd, mgmt, len, 1, ok); 4931 break; 4932 case WLAN_FC_STYPE_PROBE_RESP: 4933 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok); 4934 break; 4935 case WLAN_FC_STYPE_DEAUTH: 4936 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 4937 handle_deauth_cb(hapd, mgmt, len, ok); 4938 break; 4939 case WLAN_FC_STYPE_DISASSOC: 4940 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 4941 handle_disassoc_cb(hapd, mgmt, len, ok); 4942 break; 4943 case WLAN_FC_STYPE_ACTION: 4944 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok); 4945 handle_action_cb(hapd, mgmt, len, ok); 4946 break; 4947 default: 4948 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 4949 break; 4950 } 4951 } 4952 4953 4954 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 4955 { 4956 /* TODO */ 4957 return 0; 4958 } 4959 4960 4961 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 4962 char *buf, size_t buflen) 4963 { 4964 /* TODO */ 4965 return 0; 4966 } 4967 4968 4969 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 4970 const u8 *buf, size_t len, int ack) 4971 { 4972 struct sta_info *sta; 4973 struct hostapd_iface *iface = hapd->iface; 4974 4975 sta = ap_get_sta(hapd, addr); 4976 if (sta == NULL && iface->num_bss > 1) { 4977 size_t j; 4978 for (j = 0; j < iface->num_bss; j++) { 4979 hapd = iface->bss[j]; 4980 sta = ap_get_sta(hapd, addr); 4981 if (sta) 4982 break; 4983 } 4984 } 4985 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 4986 return; 4987 if (sta->flags & WLAN_STA_PENDING_POLL) { 4988 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 4989 "activity poll", MAC2STR(sta->addr), 4990 ack ? "ACKed" : "did not ACK"); 4991 if (ack) 4992 sta->flags &= ~WLAN_STA_PENDING_POLL; 4993 } 4994 4995 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 4996 } 4997 4998 4999 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, 5000 const u8 *data, size_t len, int ack) 5001 { 5002 struct sta_info *sta; 5003 struct hostapd_iface *iface = hapd->iface; 5004 5005 sta = ap_get_sta(hapd, dst); 5006 if (sta == NULL && iface->num_bss > 1) { 5007 size_t j; 5008 for (j = 0; j < iface->num_bss; j++) { 5009 hapd = iface->bss[j]; 5010 sta = ap_get_sta(hapd, dst); 5011 if (sta) 5012 break; 5013 } 5014 } 5015 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) { 5016 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA " 5017 MACSTR " that is not currently associated", 5018 MAC2STR(dst)); 5019 return; 5020 } 5021 5022 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack); 5023 } 5024 5025 5026 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 5027 { 5028 struct sta_info *sta; 5029 struct hostapd_iface *iface = hapd->iface; 5030 5031 sta = ap_get_sta(hapd, addr); 5032 if (sta == NULL && iface->num_bss > 1) { 5033 size_t j; 5034 for (j = 0; j < iface->num_bss; j++) { 5035 hapd = iface->bss[j]; 5036 sta = ap_get_sta(hapd, addr); 5037 if (sta) 5038 break; 5039 } 5040 } 5041 if (sta == NULL) 5042 return; 5043 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR, 5044 MAC2STR(sta->addr)); 5045 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 5046 return; 5047 5048 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 5049 "activity poll", MAC2STR(sta->addr)); 5050 sta->flags &= ~WLAN_STA_PENDING_POLL; 5051 } 5052 5053 5054 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 5055 int wds) 5056 { 5057 struct sta_info *sta; 5058 5059 sta = ap_get_sta(hapd, src); 5060 if (sta && 5061 ((sta->flags & WLAN_STA_ASSOC) || 5062 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) { 5063 if (!hapd->conf->wds_sta) 5064 return; 5065 5066 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) == 5067 WLAN_STA_ASSOC_REQ_OK) { 5068 wpa_printf(MSG_DEBUG, 5069 "Postpone 4-address WDS mode enabling for STA " 5070 MACSTR " since TX status for AssocResp is not yet known", 5071 MAC2STR(sta->addr)); 5072 sta->pending_wds_enable = 1; 5073 return; 5074 } 5075 5076 if (wds && !(sta->flags & WLAN_STA_WDS)) { 5077 int ret; 5078 char ifname_wds[IFNAMSIZ + 1]; 5079 5080 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 5081 "STA " MACSTR " (aid %u)", 5082 MAC2STR(sta->addr), sta->aid); 5083 sta->flags |= WLAN_STA_WDS; 5084 ret = hostapd_set_wds_sta(hapd, ifname_wds, 5085 sta->addr, sta->aid, 1); 5086 if (!ret) 5087 hostapd_set_wds_encryption(hapd, sta, 5088 ifname_wds); 5089 } 5090 return; 5091 } 5092 5093 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 5094 MACSTR, MAC2STR(src)); 5095 if (is_multicast_ether_addr(src)) { 5096 /* Broadcast bit set in SA?! Ignore the frame silently. */ 5097 return; 5098 } 5099 5100 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 5101 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 5102 "already been sent, but no TX status yet known - " 5103 "ignore Class 3 frame issue with " MACSTR, 5104 MAC2STR(src)); 5105 return; 5106 } 5107 5108 if (sta && (sta->flags & WLAN_STA_AUTH)) 5109 hostapd_drv_sta_disassoc( 5110 hapd, src, 5111 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 5112 else 5113 hostapd_drv_sta_deauth( 5114 hapd, src, 5115 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 5116 } 5117 5118 5119 #endif /* CONFIG_NATIVE_WINDOWS */ 5120
