1 /* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2017, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #ifndef CONFIG_NATIVE_WINDOWS 12 13 #include "utils/common.h" 14 #include "utils/eloop.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/random.h" 18 #include "common/ieee802_11_defs.h" 19 #include "common/ieee802_11_common.h" 20 #include "common/wpa_ctrl.h" 21 #include "common/sae.h" 22 #include "radius/radius.h" 23 #include "radius/radius_client.h" 24 #include "p2p/p2p.h" 25 #include "wps/wps.h" 26 #include "fst/fst.h" 27 #include "hostapd.h" 28 #include "beacon.h" 29 #include "ieee802_11_auth.h" 30 #include "sta_info.h" 31 #include "ieee802_1x.h" 32 #include "wpa_auth.h" 33 #include "pmksa_cache_auth.h" 34 #include "wmm.h" 35 #include "ap_list.h" 36 #include "accounting.h" 37 #include "ap_config.h" 38 #include "ap_mlme.h" 39 #include "p2p_hostapd.h" 40 #include "ap_drv_ops.h" 41 #include "wnm_ap.h" 42 #include "hw_features.h" 43 #include "ieee802_11.h" 44 #include "dfs.h" 45 #include "mbo_ap.h" 46 #include "rrm.h" 47 #include "taxonomy.h" 48 #include "fils_hlp.h" 49 50 51 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 52 { 53 u8 *pos = eid; 54 int i, num, count; 55 56 if (hapd->iface->current_rates == NULL) 57 return eid; 58 59 *pos++ = WLAN_EID_SUPP_RATES; 60 num = hapd->iface->num_rates; 61 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 62 num++; 63 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 64 num++; 65 if (num > 8) { 66 /* rest of the rates are encoded in Extended supported 67 * rates element */ 68 num = 8; 69 } 70 71 *pos++ = num; 72 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 73 i++) { 74 count++; 75 *pos = hapd->iface->current_rates[i].rate / 5; 76 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 77 *pos |= 0x80; 78 pos++; 79 } 80 81 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 82 count++; 83 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 84 } 85 86 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 87 count++; 88 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 89 } 90 91 return pos; 92 } 93 94 95 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 96 { 97 u8 *pos = eid; 98 int i, num, count; 99 100 if (hapd->iface->current_rates == NULL) 101 return eid; 102 103 num = hapd->iface->num_rates; 104 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 105 num++; 106 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 107 num++; 108 if (num <= 8) 109 return eid; 110 num -= 8; 111 112 *pos++ = WLAN_EID_EXT_SUPP_RATES; 113 *pos++ = num; 114 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 115 i++) { 116 count++; 117 if (count <= 8) 118 continue; /* already in SuppRates IE */ 119 *pos = hapd->iface->current_rates[i].rate / 5; 120 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 121 *pos |= 0x80; 122 pos++; 123 } 124 125 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 126 count++; 127 if (count > 8) 128 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 129 } 130 131 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 132 count++; 133 if (count > 8) 134 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 135 } 136 137 return pos; 138 } 139 140 141 u16 hostapd_own_capab_info(struct hostapd_data *hapd) 142 { 143 int capab = WLAN_CAPABILITY_ESS; 144 int privacy; 145 int dfs; 146 int i; 147 148 /* Check if any of configured channels require DFS */ 149 dfs = hostapd_is_dfs_required(hapd->iface); 150 if (dfs < 0) { 151 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 152 dfs); 153 dfs = 0; 154 } 155 156 if (hapd->iface->num_sta_no_short_preamble == 0 && 157 hapd->iconf->preamble == SHORT_PREAMBLE) 158 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 159 160 privacy = hapd->conf->ssid.wep.keys_set; 161 162 if (hapd->conf->ieee802_1x && 163 (hapd->conf->default_wep_key_len || 164 hapd->conf->individual_wep_key_len)) 165 privacy = 1; 166 167 if (hapd->conf->wpa) 168 privacy = 1; 169 170 #ifdef CONFIG_HS20 171 if (hapd->conf->osen) 172 privacy = 1; 173 #endif /* CONFIG_HS20 */ 174 175 if (privacy) 176 capab |= WLAN_CAPABILITY_PRIVACY; 177 178 if (hapd->iface->current_mode && 179 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 180 hapd->iface->num_sta_no_short_slot_time == 0) 181 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 182 183 /* 184 * Currently, Spectrum Management capability bit is set when directly 185 * requested in configuration by spectrum_mgmt_required or when AP is 186 * running on DFS channel. 187 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 188 */ 189 if (hapd->iface->current_mode && 190 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 191 (hapd->iconf->spectrum_mgmt_required || dfs)) 192 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 193 194 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 195 if (hapd->conf->radio_measurements[i]) { 196 capab |= IEEE80211_CAP_RRM; 197 break; 198 } 199 } 200 201 return capab; 202 } 203 204 205 #ifndef CONFIG_NO_RC4 206 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 207 u16 auth_transaction, const u8 *challenge, 208 int iswep) 209 { 210 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 211 HOSTAPD_LEVEL_DEBUG, 212 "authentication (shared key, transaction %d)", 213 auth_transaction); 214 215 if (auth_transaction == 1) { 216 if (!sta->challenge) { 217 /* Generate a pseudo-random challenge */ 218 u8 key[8]; 219 220 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 221 if (sta->challenge == NULL) 222 return WLAN_STATUS_UNSPECIFIED_FAILURE; 223 224 if (os_get_random(key, sizeof(key)) < 0) { 225 os_free(sta->challenge); 226 sta->challenge = NULL; 227 return WLAN_STATUS_UNSPECIFIED_FAILURE; 228 } 229 230 rc4_skip(key, sizeof(key), 0, 231 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 232 } 233 return 0; 234 } 235 236 if (auth_transaction != 3) 237 return WLAN_STATUS_UNSPECIFIED_FAILURE; 238 239 /* Transaction 3 */ 240 if (!iswep || !sta->challenge || !challenge || 241 os_memcmp_const(sta->challenge, challenge, 242 WLAN_AUTH_CHALLENGE_LEN)) { 243 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 244 HOSTAPD_LEVEL_INFO, 245 "shared key authentication - invalid " 246 "challenge-response"); 247 return WLAN_STATUS_CHALLENGE_FAIL; 248 } 249 250 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 251 HOSTAPD_LEVEL_DEBUG, 252 "authentication OK (shared key)"); 253 sta->flags |= WLAN_STA_AUTH; 254 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 255 os_free(sta->challenge); 256 sta->challenge = NULL; 257 258 return 0; 259 } 260 #endif /* CONFIG_NO_RC4 */ 261 262 263 static int send_auth_reply(struct hostapd_data *hapd, 264 const u8 *dst, const u8 *bssid, 265 u16 auth_alg, u16 auth_transaction, u16 resp, 266 const u8 *ies, size_t ies_len) 267 { 268 struct ieee80211_mgmt *reply; 269 u8 *buf; 270 size_t rlen; 271 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 272 273 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 274 buf = os_zalloc(rlen); 275 if (buf == NULL) 276 return -1; 277 278 reply = (struct ieee80211_mgmt *) buf; 279 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 280 WLAN_FC_STYPE_AUTH); 281 os_memcpy(reply->da, dst, ETH_ALEN); 282 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 283 os_memcpy(reply->bssid, bssid, ETH_ALEN); 284 285 reply->u.auth.auth_alg = host_to_le16(auth_alg); 286 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 287 reply->u.auth.status_code = host_to_le16(resp); 288 289 if (ies && ies_len) 290 os_memcpy(reply->u.auth.variable, ies, ies_len); 291 292 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 293 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)", 294 MAC2STR(dst), auth_alg, auth_transaction, 295 resp, (unsigned long) ies_len); 296 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) 297 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 298 else 299 reply_res = WLAN_STATUS_SUCCESS; 300 301 os_free(buf); 302 303 return reply_res; 304 } 305 306 307 #ifdef CONFIG_IEEE80211R_AP 308 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, 309 u16 auth_transaction, u16 status, 310 const u8 *ies, size_t ies_len) 311 { 312 struct hostapd_data *hapd = ctx; 313 struct sta_info *sta; 314 int reply_res; 315 316 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, 317 auth_transaction, status, ies, ies_len); 318 319 sta = ap_get_sta(hapd, dst); 320 if (sta == NULL) 321 return; 322 323 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS || 324 status != WLAN_STATUS_SUCCESS)) { 325 hostapd_drv_sta_remove(hapd, sta->addr); 326 sta->added_unassoc = 0; 327 return; 328 } 329 330 if (status != WLAN_STATUS_SUCCESS) 331 return; 332 333 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 334 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 335 sta->flags |= WLAN_STA_AUTH; 336 mlme_authenticate_indication(hapd, sta); 337 } 338 #endif /* CONFIG_IEEE80211R_AP */ 339 340 341 #ifdef CONFIG_SAE 342 343 #define dot11RSNASAESync 5 /* attempts */ 344 345 346 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 347 struct sta_info *sta, int update) 348 { 349 struct wpabuf *buf; 350 351 if (hapd->conf->ssid.wpa_passphrase == NULL) { 352 wpa_printf(MSG_DEBUG, "SAE: No password available"); 353 return NULL; 354 } 355 356 if (update && 357 sae_prepare_commit(hapd->own_addr, sta->addr, 358 (u8 *) hapd->conf->ssid.wpa_passphrase, 359 os_strlen(hapd->conf->ssid.wpa_passphrase), 360 sta->sae) < 0) { 361 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 362 return NULL; 363 } 364 365 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN); 366 if (buf == NULL) 367 return NULL; 368 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 369 sta->sae->tmp->anti_clogging_token : NULL); 370 371 return buf; 372 } 373 374 375 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 376 struct sta_info *sta) 377 { 378 struct wpabuf *buf; 379 380 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 381 if (buf == NULL) 382 return NULL; 383 384 sae_write_confirm(sta->sae, buf); 385 386 return buf; 387 } 388 389 390 static int auth_sae_send_commit(struct hostapd_data *hapd, 391 struct sta_info *sta, 392 const u8 *bssid, int update) 393 { 394 struct wpabuf *data; 395 int reply_res; 396 397 data = auth_build_sae_commit(hapd, sta, update); 398 if (data == NULL) 399 return WLAN_STATUS_UNSPECIFIED_FAILURE; 400 401 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, 402 WLAN_STATUS_SUCCESS, wpabuf_head(data), 403 wpabuf_len(data)); 404 405 wpabuf_free(data); 406 407 return reply_res; 408 } 409 410 411 static int auth_sae_send_confirm(struct hostapd_data *hapd, 412 struct sta_info *sta, 413 const u8 *bssid) 414 { 415 struct wpabuf *data; 416 int reply_res; 417 418 data = auth_build_sae_confirm(hapd, sta); 419 if (data == NULL) 420 return WLAN_STATUS_UNSPECIFIED_FAILURE; 421 422 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, 423 WLAN_STATUS_SUCCESS, wpabuf_head(data), 424 wpabuf_len(data)); 425 426 wpabuf_free(data); 427 428 return reply_res; 429 } 430 431 432 static int use_sae_anti_clogging(struct hostapd_data *hapd) 433 { 434 struct sta_info *sta; 435 unsigned int open = 0; 436 437 if (hapd->conf->sae_anti_clogging_threshold == 0) 438 return 1; 439 440 for (sta = hapd->sta_list; sta; sta = sta->next) { 441 if (!sta->sae) 442 continue; 443 if (sta->sae->state != SAE_COMMITTED && 444 sta->sae->state != SAE_CONFIRMED) 445 continue; 446 open++; 447 if (open >= hapd->conf->sae_anti_clogging_threshold) 448 return 1; 449 } 450 451 return 0; 452 } 453 454 455 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, 456 const u8 *token, size_t token_len) 457 { 458 u8 mac[SHA256_MAC_LEN]; 459 460 if (token_len != SHA256_MAC_LEN) 461 return -1; 462 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 463 addr, ETH_ALEN, mac) < 0 || 464 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0) 465 return -1; 466 467 return 0; 468 } 469 470 471 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, 472 int group, const u8 *addr) 473 { 474 struct wpabuf *buf; 475 u8 *token; 476 struct os_reltime now; 477 478 os_get_reltime(&now); 479 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || 480 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) { 481 if (random_get_bytes(hapd->sae_token_key, 482 sizeof(hapd->sae_token_key)) < 0) 483 return NULL; 484 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", 485 hapd->sae_token_key, sizeof(hapd->sae_token_key)); 486 hapd->last_sae_token_key_update = now; 487 } 488 489 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 490 if (buf == NULL) 491 return NULL; 492 493 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ 494 495 token = wpabuf_put(buf, SHA256_MAC_LEN); 496 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 497 addr, ETH_ALEN, token); 498 499 return buf; 500 } 501 502 503 static int sae_check_big_sync(struct sta_info *sta) 504 { 505 if (sta->sae->sync > dot11RSNASAESync) { 506 sta->sae->state = SAE_NOTHING; 507 sta->sae->sync = 0; 508 return -1; 509 } 510 return 0; 511 } 512 513 514 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 515 { 516 struct hostapd_data *hapd = eloop_ctx; 517 struct sta_info *sta = eloop_data; 518 int ret; 519 520 if (sae_check_big_sync(sta)) 521 return; 522 sta->sae->sync++; 523 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR 524 " (sync=%d state=%d)", 525 MAC2STR(sta->addr), sta->sae->sync, sta->sae->state); 526 527 switch (sta->sae->state) { 528 case SAE_COMMITTED: 529 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 530 eloop_register_timeout(0, 531 hapd->dot11RSNASAERetransPeriod * 1000, 532 auth_sae_retransmit_timer, hapd, sta); 533 break; 534 case SAE_CONFIRMED: 535 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr); 536 eloop_register_timeout(0, 537 hapd->dot11RSNASAERetransPeriod * 1000, 538 auth_sae_retransmit_timer, hapd, sta); 539 break; 540 default: 541 ret = -1; 542 break; 543 } 544 545 if (ret != WLAN_STATUS_SUCCESS) 546 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 547 } 548 549 550 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 551 { 552 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 553 } 554 555 556 static void sae_set_retransmit_timer(struct hostapd_data *hapd, 557 struct sta_info *sta) 558 { 559 if (!(hapd->conf->mesh & MESH_ENABLED)) 560 return; 561 562 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 563 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000, 564 auth_sae_retransmit_timer, hapd, sta); 565 } 566 567 568 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) 569 { 570 sta->flags |= WLAN_STA_AUTH; 571 sta->auth_alg = WLAN_AUTH_SAE; 572 mlme_authenticate_indication(hapd, sta); 573 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 574 sta->sae->state = SAE_ACCEPTED; 575 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 576 sta->sae->pmk, sta->sae->pmkid); 577 } 578 579 580 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 581 const u8 *bssid, u8 auth_transaction) 582 { 583 int ret; 584 585 if (auth_transaction != 1 && auth_transaction != 2) 586 return WLAN_STATUS_UNSPECIFIED_FAILURE; 587 588 switch (sta->sae->state) { 589 case SAE_NOTHING: 590 if (auth_transaction == 1) { 591 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 592 if (ret) 593 return ret; 594 sta->sae->state = SAE_COMMITTED; 595 596 if (sae_process_commit(sta->sae) < 0) 597 return WLAN_STATUS_UNSPECIFIED_FAILURE; 598 599 /* 600 * In mesh case, both Commit and Confirm can be sent 601 * immediately. In infrastructure BSS, only a single 602 * Authentication frame (Commit) is expected from the AP 603 * here and the second one (Confirm) will be sent once 604 * the STA has sent its second Authentication frame 605 * (Confirm). 606 */ 607 if (hapd->conf->mesh & MESH_ENABLED) { 608 /* 609 * Send both Commit and Confirm immediately 610 * based on SAE finite state machine 611 * Nothing -> Confirm transition. 612 */ 613 ret = auth_sae_send_confirm(hapd, sta, bssid); 614 if (ret) 615 return ret; 616 sta->sae->state = SAE_CONFIRMED; 617 } else { 618 /* 619 * For infrastructure BSS, send only the Commit 620 * message now to get alternating sequence of 621 * Authentication frames between the AP and STA. 622 * Confirm will be sent in 623 * Committed -> Confirmed/Accepted transition 624 * when receiving Confirm from STA. 625 */ 626 } 627 sta->sae->sync = 0; 628 sae_set_retransmit_timer(hapd, sta); 629 } else { 630 hostapd_logger(hapd, sta->addr, 631 HOSTAPD_MODULE_IEEE80211, 632 HOSTAPD_LEVEL_DEBUG, 633 "SAE confirm before commit"); 634 } 635 break; 636 case SAE_COMMITTED: 637 sae_clear_retransmit_timer(hapd, sta); 638 if (auth_transaction == 1) { 639 if (sae_process_commit(sta->sae) < 0) 640 return WLAN_STATUS_UNSPECIFIED_FAILURE; 641 642 ret = auth_sae_send_confirm(hapd, sta, bssid); 643 if (ret) 644 return ret; 645 sta->sae->state = SAE_CONFIRMED; 646 sta->sae->sync = 0; 647 sae_set_retransmit_timer(hapd, sta); 648 } else if (hapd->conf->mesh & MESH_ENABLED) { 649 /* 650 * In mesh case, follow SAE finite state machine and 651 * send Commit now, if sync count allows. 652 */ 653 if (sae_check_big_sync(sta)) 654 return WLAN_STATUS_SUCCESS; 655 sta->sae->sync++; 656 657 ret = auth_sae_send_commit(hapd, sta, bssid, 0); 658 if (ret) 659 return ret; 660 661 sae_set_retransmit_timer(hapd, sta); 662 } else { 663 /* 664 * For instructure BSS, send the postponed Confirm from 665 * Nothing -> Confirmed transition that was reduced to 666 * Nothing -> Committed above. 667 */ 668 ret = auth_sae_send_confirm(hapd, sta, bssid); 669 if (ret) 670 return ret; 671 672 sta->sae->state = SAE_CONFIRMED; 673 674 /* 675 * Since this was triggered on Confirm RX, run another 676 * step to get to Accepted without waiting for 677 * additional events. 678 */ 679 return sae_sm_step(hapd, sta, bssid, auth_transaction); 680 } 681 break; 682 case SAE_CONFIRMED: 683 sae_clear_retransmit_timer(hapd, sta); 684 if (auth_transaction == 1) { 685 if (sae_check_big_sync(sta)) 686 return WLAN_STATUS_SUCCESS; 687 sta->sae->sync++; 688 689 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 690 if (ret) 691 return ret; 692 693 if (sae_process_commit(sta->sae) < 0) 694 return WLAN_STATUS_UNSPECIFIED_FAILURE; 695 696 ret = auth_sae_send_confirm(hapd, sta, bssid); 697 if (ret) 698 return ret; 699 700 sae_set_retransmit_timer(hapd, sta); 701 } else { 702 sae_accept_sta(hapd, sta); 703 } 704 break; 705 case SAE_ACCEPTED: 706 if (auth_transaction == 1) { 707 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 708 ") doing reauthentication", 709 MAC2STR(sta->addr)); 710 ap_free_sta(hapd, sta); 711 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 712 } else { 713 if (sae_check_big_sync(sta)) 714 return WLAN_STATUS_SUCCESS; 715 sta->sae->sync++; 716 717 ret = auth_sae_send_confirm(hapd, sta, bssid); 718 sae_clear_temp_data(sta->sae); 719 if (ret) 720 return ret; 721 } 722 break; 723 default: 724 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 725 sta->sae->state); 726 return WLAN_STATUS_UNSPECIFIED_FAILURE; 727 } 728 return WLAN_STATUS_SUCCESS; 729 } 730 731 732 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) 733 { 734 struct sae_data *sae = sta->sae; 735 int i, *groups = hapd->conf->sae_groups; 736 737 if (sae->state != SAE_COMMITTED) 738 return; 739 740 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group); 741 742 for (i = 0; groups && groups[i] > 0; i++) { 743 if (sae->group == groups[i]) 744 break; 745 } 746 747 if (!groups || groups[i] <= 0) { 748 wpa_printf(MSG_DEBUG, 749 "SAE: Previously selected group not found from the current configuration"); 750 return; 751 } 752 753 for (;;) { 754 i++; 755 if (groups[i] <= 0) { 756 wpa_printf(MSG_DEBUG, 757 "SAE: No alternative group enabled"); 758 return; 759 } 760 761 if (sae_set_group(sae, groups[i]) < 0) 762 continue; 763 764 break; 765 } 766 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]); 767 } 768 769 770 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 771 const struct ieee80211_mgmt *mgmt, size_t len, 772 u16 auth_transaction, u16 status_code) 773 { 774 int resp = WLAN_STATUS_SUCCESS; 775 struct wpabuf *data = NULL; 776 777 if (!sta->sae) { 778 if (auth_transaction != 1 || 779 status_code != WLAN_STATUS_SUCCESS) { 780 resp = -1; 781 goto remove_sta; 782 } 783 sta->sae = os_zalloc(sizeof(*sta->sae)); 784 if (!sta->sae) { 785 resp = -1; 786 goto remove_sta; 787 } 788 sta->sae->state = SAE_NOTHING; 789 sta->sae->sync = 0; 790 } 791 792 if (sta->mesh_sae_pmksa_caching) { 793 wpa_printf(MSG_DEBUG, 794 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication"); 795 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 796 sta->mesh_sae_pmksa_caching = 0; 797 } 798 799 if (auth_transaction == 1) { 800 const u8 *token = NULL, *pos, *end; 801 size_t token_len = 0; 802 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 803 HOSTAPD_LEVEL_DEBUG, 804 "start SAE authentication (RX commit, status=%u)", 805 status_code); 806 807 if ((hapd->conf->mesh & MESH_ENABLED) && 808 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 809 sta->sae->tmp) { 810 pos = mgmt->u.auth.variable; 811 end = ((const u8 *) mgmt) + len; 812 if (pos + sizeof(le16) > end) { 813 wpa_printf(MSG_ERROR, 814 "SAE: Too short anti-clogging token request"); 815 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 816 goto reply; 817 } 818 resp = sae_group_allowed(sta->sae, 819 hapd->conf->sae_groups, 820 WPA_GET_LE16(pos)); 821 if (resp != WLAN_STATUS_SUCCESS) { 822 wpa_printf(MSG_ERROR, 823 "SAE: Invalid group in anti-clogging token request"); 824 goto reply; 825 } 826 pos += sizeof(le16); 827 828 wpabuf_free(sta->sae->tmp->anti_clogging_token); 829 sta->sae->tmp->anti_clogging_token = 830 wpabuf_alloc_copy(pos, end - pos); 831 if (sta->sae->tmp->anti_clogging_token == NULL) { 832 wpa_printf(MSG_ERROR, 833 "SAE: Failed to alloc for anti-clogging token"); 834 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 835 goto remove_sta; 836 } 837 838 /* 839 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 840 * is 76, a new Commit Message shall be constructed 841 * with the Anti-Clogging Token from the received 842 * Authentication frame, and the commit-scalar and 843 * COMMIT-ELEMENT previously sent. 844 */ 845 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0); 846 if (resp != WLAN_STATUS_SUCCESS) { 847 wpa_printf(MSG_ERROR, 848 "SAE: Failed to send commit message"); 849 goto remove_sta; 850 } 851 sta->sae->state = SAE_COMMITTED; 852 sta->sae->sync = 0; 853 sae_set_retransmit_timer(hapd, sta); 854 return; 855 } 856 857 if ((hapd->conf->mesh & MESH_ENABLED) && 858 status_code == 859 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 860 sta->sae->tmp) { 861 wpa_printf(MSG_DEBUG, 862 "SAE: Peer did not accept our SAE group"); 863 sae_pick_next_group(hapd, sta); 864 goto remove_sta; 865 } 866 867 if (status_code != WLAN_STATUS_SUCCESS) 868 goto remove_sta; 869 870 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 871 ((const u8 *) mgmt) + len - 872 mgmt->u.auth.variable, &token, 873 &token_len, hapd->conf->sae_groups); 874 if (resp == SAE_SILENTLY_DISCARD) { 875 wpa_printf(MSG_DEBUG, 876 "SAE: Drop commit message from " MACSTR " due to reflection attack", 877 MAC2STR(sta->addr)); 878 goto remove_sta; 879 } 880 if (token && check_sae_token(hapd, sta->addr, token, token_len) 881 < 0) { 882 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 883 "incorrect token from " MACSTR, 884 MAC2STR(sta->addr)); 885 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 886 goto remove_sta; 887 } 888 889 if (resp != WLAN_STATUS_SUCCESS) 890 goto reply; 891 892 if (!token && use_sae_anti_clogging(hapd)) { 893 wpa_printf(MSG_DEBUG, 894 "SAE: Request anti-clogging token from " 895 MACSTR, MAC2STR(sta->addr)); 896 data = auth_build_token_req(hapd, sta->sae->group, 897 sta->addr); 898 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 899 if (hapd->conf->mesh & MESH_ENABLED) 900 sta->sae->state = SAE_NOTHING; 901 goto reply; 902 } 903 904 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 905 } else if (auth_transaction == 2) { 906 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 907 HOSTAPD_LEVEL_DEBUG, 908 "SAE authentication (RX confirm, status=%u)", 909 status_code); 910 if (status_code != WLAN_STATUS_SUCCESS) 911 goto remove_sta; 912 if (sta->sae->state >= SAE_CONFIRMED || 913 !(hapd->conf->mesh & MESH_ENABLED)) { 914 if (sae_check_confirm(sta->sae, mgmt->u.auth.variable, 915 ((u8 *) mgmt) + len - 916 mgmt->u.auth.variable) < 0) { 917 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 918 goto reply; 919 } 920 } 921 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 922 } else { 923 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 924 HOSTAPD_LEVEL_DEBUG, 925 "unexpected SAE authentication transaction %u (status=%u)", 926 auth_transaction, status_code); 927 if (status_code != WLAN_STATUS_SUCCESS) 928 goto remove_sta; 929 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 930 } 931 932 reply: 933 if (resp != WLAN_STATUS_SUCCESS) { 934 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 935 auth_transaction, resp, 936 data ? wpabuf_head(data) : (u8 *) "", 937 data ? wpabuf_len(data) : 0); 938 } 939 940 remove_sta: 941 if (sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 942 status_code != WLAN_STATUS_SUCCESS)) { 943 hostapd_drv_sta_remove(hapd, sta->addr); 944 sta->added_unassoc = 0; 945 } 946 wpabuf_free(data); 947 } 948 949 950 /** 951 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 952 * @hapd: BSS data for the device initiating the authentication 953 * @sta: the peer to which commit authentication frame is sent 954 * 955 * This function implements Init event handling (IEEE Std 802.11-2012, 956 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 957 * sta->sae structure should be initialized appropriately via a call to 958 * sae_prepare_commit(). 959 */ 960 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 961 { 962 int ret; 963 964 if (!sta->sae || !sta->sae->tmp) 965 return -1; 966 967 if (sta->sae->state != SAE_NOTHING) 968 return -1; 969 970 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 971 if (ret) 972 return -1; 973 974 sta->sae->state = SAE_COMMITTED; 975 sta->sae->sync = 0; 976 sae_set_retransmit_timer(hapd, sta); 977 978 return 0; 979 } 980 981 #endif /* CONFIG_SAE */ 982 983 984 static u16 wpa_res_to_status_code(int res) 985 { 986 if (res == WPA_INVALID_GROUP) 987 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 988 if (res == WPA_INVALID_PAIRWISE) 989 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 990 if (res == WPA_INVALID_AKMP) 991 return WLAN_STATUS_AKMP_NOT_VALID; 992 if (res == WPA_ALLOC_FAIL) 993 return WLAN_STATUS_UNSPECIFIED_FAILURE; 994 #ifdef CONFIG_IEEE80211W 995 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION) 996 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 997 if (res == WPA_INVALID_MGMT_GROUP_CIPHER) 998 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 999 #endif /* CONFIG_IEEE80211W */ 1000 if (res == WPA_INVALID_MDIE) 1001 return WLAN_STATUS_INVALID_MDIE; 1002 if (res != WPA_IE_OK) 1003 return WLAN_STATUS_INVALID_IE; 1004 return WLAN_STATUS_SUCCESS; 1005 } 1006 1007 1008 #ifdef CONFIG_FILS 1009 1010 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1011 struct sta_info *sta, u16 resp, 1012 struct rsn_pmksa_cache_entry *pmksa, 1013 struct wpabuf *erp_resp, 1014 const u8 *msk, size_t msk_len); 1015 1016 static void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, 1017 const struct ieee80211_mgmt *mgmt, size_t len, 1018 u16 auth_transaction, u16 status_code) 1019 { 1020 u16 resp = WLAN_STATUS_SUCCESS; 1021 const u8 *pos, *end; 1022 struct ieee802_11_elems elems; 1023 int res; 1024 struct wpa_ie_data rsn; 1025 struct rsn_pmksa_cache_entry *pmksa = NULL; 1026 1027 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 1028 return; 1029 1030 pos = mgmt->u.auth.variable; 1031 end = ((const u8 *) mgmt) + len; 1032 1033 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 1034 pos, end - pos); 1035 1036 /* TODO: Finite Cyclic Group when using PK or PFS */ 1037 /* TODO: Element when using PK or PFS */ 1038 1039 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 1040 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 1041 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 1042 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1043 goto fail; 1044 } 1045 1046 /* RSNE */ 1047 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", 1048 elems.rsn_ie, elems.rsn_ie_len); 1049 if (!elems.rsn_ie || 1050 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1051 &rsn) < 0) { 1052 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element"); 1053 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1054 goto fail; 1055 } 1056 1057 if (!sta->wpa_sm) 1058 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 1059 NULL); 1060 if (!sta->wpa_sm) { 1061 wpa_printf(MSG_DEBUG, 1062 "FILS: Failed to initialize RSN state machine"); 1063 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1064 goto fail; 1065 } 1066 1067 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1068 elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1069 elems.mdie, elems.mdie_len); 1070 resp = wpa_res_to_status_code(res); 1071 if (resp != WLAN_STATUS_SUCCESS) 1072 goto fail; 1073 1074 /* TODO: MDE when using FILS+FT */ 1075 /* TODO: FTE when using FILS+FT */ 1076 1077 if (!elems.fils_nonce) { 1078 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 1079 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1080 goto fail; 1081 } 1082 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce, 1083 FILS_NONCE_LEN); 1084 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN); 1085 1086 /* PMKID List */ 1087 if (rsn.pmkid && rsn.num_pmkid > 0) { 1088 u8 num; 1089 const u8 *pmkid; 1090 1091 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 1092 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 1093 1094 pmkid = rsn.pmkid; 1095 num = rsn.num_pmkid; 1096 while (num) { 1097 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 1098 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, 1099 pmkid); 1100 if (pmksa) 1101 break; 1102 pmkid += PMKID_LEN; 1103 num--; 1104 } 1105 } 1106 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) { 1107 wpa_printf(MSG_DEBUG, 1108 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore", 1109 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp); 1110 pmksa = NULL; 1111 } 1112 if (pmksa) 1113 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry"); 1114 1115 /* FILS Session */ 1116 if (!elems.fils_session) { 1117 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 1118 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1119 goto fail; 1120 } 1121 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 1122 FILS_SESSION_LEN); 1123 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN); 1124 1125 /* FILS Wrapped Data */ 1126 if (elems.fils_wrapped_data) { 1127 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 1128 elems.fils_wrapped_data, 1129 elems.fils_wrapped_data_len); 1130 if (!pmksa) { 1131 #ifndef CONFIG_NO_RADIUS 1132 if (!sta->eapol_sm) { 1133 sta->eapol_sm = 1134 ieee802_1x_alloc_eapol_sm(hapd, sta); 1135 } 1136 wpa_printf(MSG_DEBUG, 1137 "FILS: Forward EAP-Identity/Re-auth Start to authentication server"); 1138 ieee802_1x_encapsulate_radius( 1139 hapd, sta, elems.fils_wrapped_data, 1140 elems.fils_wrapped_data_len); 1141 wpa_printf(MSG_DEBUG, 1142 "FILS: Will send Authentication frame once the response from authentication server is available"); 1143 sta->flags |= WLAN_STA_PENDING_FILS_ERP; 1144 return; 1145 #else /* CONFIG_NO_RADIUS */ 1146 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1147 goto fail; 1148 #endif /* CONFIG_NO_RADIUS */ 1149 } 1150 } 1151 1152 fail: 1153 handle_auth_fils_finish(hapd, sta, resp, pmksa, NULL, NULL, 0); 1154 } 1155 1156 1157 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1158 struct sta_info *sta, u16 resp, 1159 struct rsn_pmksa_cache_entry *pmksa, 1160 struct wpabuf *erp_resp, 1161 const u8 *msk, size_t msk_len) 1162 { 1163 u8 fils_nonce[FILS_NONCE_LEN]; 1164 size_t ielen; 1165 struct wpabuf *data = NULL; 1166 const u8 *ie; 1167 u8 *ie_buf = NULL; 1168 const u8 *pmk = NULL; 1169 size_t pmk_len = 0; 1170 u8 pmk_buf[PMK_LEN_MAX]; 1171 1172 if (resp != WLAN_STATUS_SUCCESS) 1173 goto fail; 1174 1175 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen); 1176 if (!ie) { 1177 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1178 goto fail; 1179 } 1180 if (pmksa) { 1181 /* Add PMKID of the selected PMKSA into RSNE */ 1182 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN); 1183 if (!ie_buf) { 1184 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1185 goto fail; 1186 } 1187 os_memcpy(ie_buf, ie, ielen); 1188 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) { 1189 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1190 goto fail; 1191 } 1192 ie = ie_buf; 1193 } 1194 1195 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) { 1196 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1197 goto fail; 1198 } 1199 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce", 1200 fils_nonce, FILS_NONCE_LEN); 1201 1202 data = wpabuf_alloc(1000 + ielen); 1203 if (!data) { 1204 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1205 goto fail; 1206 } 1207 1208 /* TODO: Finite Cyclic Group when using PK or PFS */ 1209 /* TODO: Element when using PK or PFS */ 1210 1211 /* RSNE */ 1212 wpabuf_put_data(data, ie, ielen); 1213 1214 /* TODO: MDE when using FILS+FT */ 1215 /* TODO: FTE when using FILS+FT */ 1216 1217 /* FILS Nonce */ 1218 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1219 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */ 1220 /* Element ID Extension */ 1221 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE); 1222 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN); 1223 1224 /* FILS Session */ 1225 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1226 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */ 1227 /* Element ID Extension */ 1228 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION); 1229 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN); 1230 1231 /* FILS Wrapped Data */ 1232 if (!pmksa && erp_resp) { 1233 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1234 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */ 1235 /* Element ID Extension */ 1236 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA); 1237 wpabuf_put_buf(data, erp_resp); 1238 1239 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1240 msk, msk_len, sta->fils_snonce, fils_nonce, 1241 NULL, 0, pmk_buf, &pmk_len)) { 1242 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 1243 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1244 wpabuf_free(data); 1245 data = NULL; 1246 goto fail; 1247 } 1248 pmk = pmk_buf; 1249 } else if (pmksa) { 1250 pmk = pmksa->pmk; 1251 pmk_len = pmksa->pmk_len; 1252 } 1253 1254 if (!pmk) { 1255 wpa_printf(MSG_DEBUG, "FILS: No PMK available"); 1256 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1257 wpabuf_free(data); 1258 data = NULL; 1259 goto fail; 1260 } 1261 1262 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len, 1263 sta->fils_snonce, fils_nonce) < 0) { 1264 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1265 wpabuf_free(data); 1266 data = NULL; 1267 goto fail; 1268 } 1269 1270 fail: 1271 send_auth_reply(hapd, sta->addr, hapd->own_addr, WLAN_AUTH_FILS_SK, 2, 1272 resp, 1273 data ? wpabuf_head(data) : (u8 *) "", 1274 data ? wpabuf_len(data) : 0); 1275 wpabuf_free(data); 1276 1277 if (resp == WLAN_STATUS_SUCCESS) { 1278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1279 HOSTAPD_LEVEL_DEBUG, 1280 "authentication OK (FILS)"); 1281 sta->flags |= WLAN_STA_AUTH; 1282 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1283 sta->auth_alg = WLAN_AUTH_FILS_SK; 1284 mlme_authenticate_indication(hapd, sta); 1285 } 1286 1287 os_free(ie_buf); 1288 } 1289 1290 1291 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, 1292 struct sta_info *sta, int success, 1293 struct wpabuf *erp_resp, 1294 const u8 *msk, size_t msk_len) 1295 { 1296 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1297 handle_auth_fils_finish(hapd, sta, success ? WLAN_STATUS_SUCCESS : 1298 WLAN_STATUS_UNSPECIFIED_FAILURE, NULL, 1299 erp_resp, msk, msk_len); 1300 } 1301 1302 #endif /* CONFIG_FILS */ 1303 1304 1305 static int 1306 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, 1307 const u8 *msg, size_t len, u32 *session_timeout, 1308 u32 *acct_interim_interval, 1309 struct vlan_description *vlan_id, 1310 struct hostapd_sta_wpa_psk_short **psk, 1311 char **identity, char **radius_cui) 1312 { 1313 int res; 1314 1315 os_memset(vlan_id, 0, sizeof(*vlan_id)); 1316 res = hostapd_allowed_address(hapd, addr, msg, len, 1317 session_timeout, acct_interim_interval, 1318 vlan_id, psk, identity, radius_cui); 1319 1320 if (res == HOSTAPD_ACL_REJECT) { 1321 wpa_printf(MSG_INFO, 1322 "Station " MACSTR " not allowed to authenticate", 1323 MAC2STR(addr)); 1324 return HOSTAPD_ACL_REJECT; 1325 } 1326 1327 if (res == HOSTAPD_ACL_PENDING) { 1328 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 1329 " waiting for an external authentication", 1330 MAC2STR(addr)); 1331 /* Authentication code will re-send the authentication frame 1332 * after it has received (and cached) information from the 1333 * external source. */ 1334 return HOSTAPD_ACL_PENDING; 1335 } 1336 1337 return res; 1338 } 1339 1340 1341 static int 1342 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, 1343 int res, u32 session_timeout, 1344 u32 acct_interim_interval, 1345 struct vlan_description *vlan_id, 1346 struct hostapd_sta_wpa_psk_short **psk, 1347 char **identity, char **radius_cui) 1348 { 1349 if (vlan_id->notempty && 1350 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) { 1351 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1352 HOSTAPD_LEVEL_INFO, 1353 "Invalid VLAN %d%s received from RADIUS server", 1354 vlan_id->untagged, 1355 vlan_id->tagged[0] ? "+" : ""); 1356 return -1; 1357 } 1358 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) 1359 return -1; 1360 if (sta->vlan_id) 1361 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1362 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 1363 1364 hostapd_free_psk_list(sta->psk); 1365 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) { 1366 sta->psk = *psk; 1367 *psk = NULL; 1368 } else { 1369 sta->psk = NULL; 1370 } 1371 1372 sta->identity = *identity; 1373 *identity = NULL; 1374 sta->radius_cui = *radius_cui; 1375 *radius_cui = NULL; 1376 1377 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 1378 sta->acct_interim_interval = acct_interim_interval; 1379 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) 1380 ap_sta_session_timeout(hapd, sta, session_timeout); 1381 else 1382 ap_sta_no_session_timeout(hapd, sta); 1383 1384 return 0; 1385 } 1386 1387 1388 static void handle_auth(struct hostapd_data *hapd, 1389 const struct ieee80211_mgmt *mgmt, size_t len) 1390 { 1391 u16 auth_alg, auth_transaction, status_code; 1392 u16 resp = WLAN_STATUS_SUCCESS; 1393 struct sta_info *sta = NULL; 1394 int res, reply_res; 1395 u16 fc; 1396 const u8 *challenge = NULL; 1397 u32 session_timeout, acct_interim_interval; 1398 struct vlan_description vlan_id; 1399 struct hostapd_sta_wpa_psk_short *psk = NULL; 1400 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 1401 size_t resp_ies_len = 0; 1402 char *identity = NULL; 1403 char *radius_cui = NULL; 1404 u16 seq_ctrl; 1405 1406 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 1407 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 1408 (unsigned long) len); 1409 return; 1410 } 1411 1412 #ifdef CONFIG_TESTING_OPTIONS 1413 if (hapd->iconf->ignore_auth_probability > 0.0 && 1414 drand48() < hapd->iconf->ignore_auth_probability) { 1415 wpa_printf(MSG_INFO, 1416 "TESTING: ignoring auth frame from " MACSTR, 1417 MAC2STR(mgmt->sa)); 1418 return; 1419 } 1420 #endif /* CONFIG_TESTING_OPTIONS */ 1421 1422 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 1423 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 1424 status_code = le_to_host16(mgmt->u.auth.status_code); 1425 fc = le_to_host16(mgmt->frame_control); 1426 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 1427 1428 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 1429 2 + WLAN_AUTH_CHALLENGE_LEN && 1430 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 1431 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 1432 challenge = &mgmt->u.auth.variable[2]; 1433 1434 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 1435 "auth_transaction=%d status_code=%d wep=%d%s " 1436 "seq_ctrl=0x%x%s", 1437 MAC2STR(mgmt->sa), auth_alg, auth_transaction, 1438 status_code, !!(fc & WLAN_FC_ISWEP), 1439 challenge ? " challenge" : "", 1440 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 1441 1442 #ifdef CONFIG_NO_RC4 1443 if (auth_alg == WLAN_AUTH_SHARED_KEY) { 1444 wpa_printf(MSG_INFO, 1445 "Unsupported authentication algorithm (%d)", 1446 auth_alg); 1447 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 1448 goto fail; 1449 } 1450 #endif /* CONFIG_NO_RC4 */ 1451 1452 if (hapd->tkip_countermeasures) { 1453 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 1454 goto fail; 1455 } 1456 1457 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 1458 auth_alg == WLAN_AUTH_OPEN) || 1459 #ifdef CONFIG_IEEE80211R_AP 1460 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 1461 auth_alg == WLAN_AUTH_FT) || 1462 #endif /* CONFIG_IEEE80211R_AP */ 1463 #ifdef CONFIG_SAE 1464 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 1465 auth_alg == WLAN_AUTH_SAE) || 1466 #endif /* CONFIG_SAE */ 1467 #ifdef CONFIG_FILS 1468 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 1469 auth_alg == WLAN_AUTH_FILS_SK) || 1470 #endif /* CONFIG_FILS */ 1471 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 1472 auth_alg == WLAN_AUTH_SHARED_KEY))) { 1473 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 1474 auth_alg); 1475 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 1476 goto fail; 1477 } 1478 1479 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 1480 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 1481 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 1482 auth_transaction); 1483 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 1484 goto fail; 1485 } 1486 1487 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { 1488 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 1489 MAC2STR(mgmt->sa)); 1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1491 goto fail; 1492 } 1493 1494 if (hapd->conf->no_auth_if_seen_on) { 1495 struct hostapd_data *other; 1496 1497 other = sta_track_seen_on(hapd->iface, mgmt->sa, 1498 hapd->conf->no_auth_if_seen_on); 1499 if (other) { 1500 u8 *pos; 1501 u32 info; 1502 u8 op_class, channel, phytype; 1503 1504 wpa_printf(MSG_DEBUG, "%s: Reject authentication from " 1505 MACSTR " since STA has been seen on %s", 1506 hapd->conf->iface, MAC2STR(mgmt->sa), 1507 hapd->conf->no_auth_if_seen_on); 1508 1509 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION; 1510 pos = &resp_ies[0]; 1511 *pos++ = WLAN_EID_NEIGHBOR_REPORT; 1512 *pos++ = 13; 1513 os_memcpy(pos, other->own_addr, ETH_ALEN); 1514 pos += ETH_ALEN; 1515 info = 0; /* TODO: BSSID Information */ 1516 WPA_PUT_LE32(pos, info); 1517 pos += 4; 1518 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD) 1519 phytype = 8; /* dmg */ 1520 else if (other->iconf->ieee80211ac) 1521 phytype = 9; /* vht */ 1522 else if (other->iconf->ieee80211n) 1523 phytype = 7; /* ht */ 1524 else if (other->iconf->hw_mode == 1525 HOSTAPD_MODE_IEEE80211A) 1526 phytype = 4; /* ofdm */ 1527 else if (other->iconf->hw_mode == 1528 HOSTAPD_MODE_IEEE80211G) 1529 phytype = 6; /* erp */ 1530 else 1531 phytype = 5; /* hrdsss */ 1532 if (ieee80211_freq_to_channel_ext( 1533 hostapd_hw_get_freq(other, 1534 other->iconf->channel), 1535 other->iconf->secondary_channel, 1536 other->iconf->ieee80211ac, 1537 &op_class, &channel) == NUM_HOSTAPD_MODES) { 1538 op_class = 0; 1539 channel = other->iconf->channel; 1540 } 1541 *pos++ = op_class; 1542 *pos++ = channel; 1543 *pos++ = phytype; 1544 resp_ies_len = pos - &resp_ies[0]; 1545 goto fail; 1546 } 1547 } 1548 1549 res = ieee802_11_allowed_address( 1550 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, 1551 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); 1552 if (res == HOSTAPD_ACL_REJECT) { 1553 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1554 goto fail; 1555 } 1556 if (res == HOSTAPD_ACL_PENDING) 1557 return; 1558 1559 sta = ap_get_sta(hapd, mgmt->sa); 1560 if (sta) { 1561 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1562 if ((fc & WLAN_FC_RETRY) && 1563 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 1564 sta->last_seq_ctrl == seq_ctrl && 1565 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 1566 hostapd_logger(hapd, sta->addr, 1567 HOSTAPD_MODULE_IEEE80211, 1568 HOSTAPD_LEVEL_DEBUG, 1569 "Drop repeated authentication frame seq_ctrl=0x%x", 1570 seq_ctrl); 1571 return; 1572 } 1573 #ifdef CONFIG_MESH 1574 if ((hapd->conf->mesh & MESH_ENABLED) && 1575 sta->plink_state == PLINK_BLOCKED) { 1576 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 1577 " is blocked - drop Authentication frame", 1578 MAC2STR(mgmt->sa)); 1579 return; 1580 } 1581 #endif /* CONFIG_MESH */ 1582 } else { 1583 #ifdef CONFIG_MESH 1584 if (hapd->conf->mesh & MESH_ENABLED) { 1585 /* if the mesh peer is not available, we don't do auth. 1586 */ 1587 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 1588 " not yet known - drop Authentication frame", 1589 MAC2STR(mgmt->sa)); 1590 /* 1591 * Save a copy of the frame so that it can be processed 1592 * if a new peer entry is added shortly after this. 1593 */ 1594 wpabuf_free(hapd->mesh_pending_auth); 1595 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 1596 os_get_reltime(&hapd->mesh_pending_auth_time); 1597 return; 1598 } 1599 #endif /* CONFIG_MESH */ 1600 1601 sta = ap_sta_add(hapd, mgmt->sa); 1602 if (!sta) { 1603 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1604 goto fail; 1605 } 1606 } 1607 sta->last_seq_ctrl = seq_ctrl; 1608 sta->last_subtype = WLAN_FC_STYPE_AUTH; 1609 1610 res = ieee802_11_set_radius_info( 1611 hapd, sta, res, session_timeout, acct_interim_interval, 1612 &vlan_id, &psk, &identity, &radius_cui); 1613 if (res) { 1614 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1615 goto fail; 1616 } 1617 1618 sta->flags &= ~WLAN_STA_PREAUTH; 1619 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 1620 1621 /* 1622 * If the driver supports full AP client state, add a station to the 1623 * driver before sending authentication reply to make sure the driver 1624 * has resources, and not to go through the entire authentication and 1625 * association handshake, and fail it at the end. 1626 * 1627 * If this is not the first transaction, in a multi-step authentication 1628 * algorithm, the station already exists in the driver 1629 * (sta->added_unassoc = 1) so skip it. 1630 * 1631 * In mesh mode, the station was already added to the driver when the 1632 * NEW_PEER_CANDIDATE event is received. 1633 * 1634 * If PMF was negotiated for the existing association, skip this to 1635 * avoid dropping the STA entry and the associated keys. This is needed 1636 * to allow the original connection work until the attempt can complete 1637 * (re)association, so that unprotected Authentication frame cannot be 1638 * used to bypass PMF protection. 1639 */ 1640 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && 1641 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && 1642 !(hapd->conf->mesh & MESH_ENABLED) && 1643 !(sta->added_unassoc)) { 1644 /* 1645 * If a station that is already associated to the AP, is trying 1646 * to authenticate again, remove the STA entry, in order to make 1647 * sure the STA PS state gets cleared and configuration gets 1648 * updated. To handle this, station's added_unassoc flag is 1649 * cleared once the station has completed association. 1650 */ 1651 hostapd_drv_sta_remove(hapd, sta->addr); 1652 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH | 1653 WLAN_STA_AUTHORIZED); 1654 1655 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0, 1656 NULL, NULL, sta->flags, 0, 0, 0, 0)) { 1657 hostapd_logger(hapd, sta->addr, 1658 HOSTAPD_MODULE_IEEE80211, 1659 HOSTAPD_LEVEL_NOTICE, 1660 "Could not add STA to kernel driver"); 1661 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1662 goto fail; 1663 } 1664 1665 sta->added_unassoc = 1; 1666 } 1667 1668 switch (auth_alg) { 1669 case WLAN_AUTH_OPEN: 1670 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1671 HOSTAPD_LEVEL_DEBUG, 1672 "authentication OK (open system)"); 1673 sta->flags |= WLAN_STA_AUTH; 1674 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1675 sta->auth_alg = WLAN_AUTH_OPEN; 1676 mlme_authenticate_indication(hapd, sta); 1677 break; 1678 #ifndef CONFIG_NO_RC4 1679 case WLAN_AUTH_SHARED_KEY: 1680 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 1681 fc & WLAN_FC_ISWEP); 1682 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 1683 mlme_authenticate_indication(hapd, sta); 1684 if (sta->challenge && auth_transaction == 1) { 1685 resp_ies[0] = WLAN_EID_CHALLENGE; 1686 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 1687 os_memcpy(resp_ies + 2, sta->challenge, 1688 WLAN_AUTH_CHALLENGE_LEN); 1689 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 1690 } 1691 break; 1692 #endif /* CONFIG_NO_RC4 */ 1693 #ifdef CONFIG_IEEE80211R_AP 1694 case WLAN_AUTH_FT: 1695 sta->auth_alg = WLAN_AUTH_FT; 1696 if (sta->wpa_sm == NULL) 1697 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 1698 sta->addr, NULL); 1699 if (sta->wpa_sm == NULL) { 1700 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 1701 "state machine"); 1702 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1703 goto fail; 1704 } 1705 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid, 1706 auth_transaction, mgmt->u.auth.variable, 1707 len - IEEE80211_HDRLEN - 1708 sizeof(mgmt->u.auth), 1709 handle_auth_ft_finish, hapd); 1710 /* handle_auth_ft_finish() callback will complete auth. */ 1711 return; 1712 #endif /* CONFIG_IEEE80211R_AP */ 1713 #ifdef CONFIG_SAE 1714 case WLAN_AUTH_SAE: 1715 #ifdef CONFIG_MESH 1716 if (status_code == WLAN_STATUS_SUCCESS && 1717 hapd->conf->mesh & MESH_ENABLED) { 1718 if (sta->wpa_sm == NULL) 1719 sta->wpa_sm = 1720 wpa_auth_sta_init(hapd->wpa_auth, 1721 sta->addr, NULL); 1722 if (sta->wpa_sm == NULL) { 1723 wpa_printf(MSG_DEBUG, 1724 "SAE: Failed to initialize WPA state machine"); 1725 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1726 goto fail; 1727 } 1728 } 1729 #endif /* CONFIG_MESH */ 1730 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 1731 status_code); 1732 return; 1733 #endif /* CONFIG_SAE */ 1734 #ifdef CONFIG_FILS 1735 case WLAN_AUTH_FILS_SK: 1736 handle_auth_fils(hapd, sta, mgmt, len, auth_transaction, 1737 status_code); 1738 return; 1739 #endif /* CONFIG_FILS */ 1740 } 1741 1742 fail: 1743 os_free(identity); 1744 os_free(radius_cui); 1745 hostapd_free_psk_list(psk); 1746 1747 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, 1748 auth_transaction + 1, resp, resp_ies, 1749 resp_ies_len); 1750 1751 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 1752 reply_res != WLAN_STATUS_SUCCESS)) { 1753 hostapd_drv_sta_remove(hapd, sta->addr); 1754 sta->added_unassoc = 0; 1755 } 1756 } 1757 1758 1759 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 1760 { 1761 int i, j = 32, aid; 1762 1763 /* get a unique AID */ 1764 if (sta->aid > 0) { 1765 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 1766 return 0; 1767 } 1768 1769 if (TEST_FAIL()) 1770 return -1; 1771 1772 for (i = 0; i < AID_WORDS; i++) { 1773 if (hapd->sta_aid[i] == (u32) -1) 1774 continue; 1775 for (j = 0; j < 32; j++) { 1776 if (!(hapd->sta_aid[i] & BIT(j))) 1777 break; 1778 } 1779 if (j < 32) 1780 break; 1781 } 1782 if (j == 32) 1783 return -1; 1784 aid = i * 32 + j + 1; 1785 if (aid > 2007) 1786 return -1; 1787 1788 sta->aid = aid; 1789 hapd->sta_aid[i] |= BIT(j); 1790 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 1791 return 0; 1792 } 1793 1794 1795 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 1796 const u8 *ssid_ie, size_t ssid_ie_len) 1797 { 1798 if (ssid_ie == NULL) 1799 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1800 1801 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 1802 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 1803 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1804 HOSTAPD_LEVEL_INFO, 1805 "Station tried to associate with unknown SSID " 1806 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 1807 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1808 } 1809 1810 return WLAN_STATUS_SUCCESS; 1811 } 1812 1813 1814 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 1815 const u8 *wmm_ie, size_t wmm_ie_len) 1816 { 1817 sta->flags &= ~WLAN_STA_WMM; 1818 sta->qosinfo = 0; 1819 if (wmm_ie && hapd->conf->wmm_enabled) { 1820 struct wmm_information_element *wmm; 1821 1822 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 1823 hostapd_logger(hapd, sta->addr, 1824 HOSTAPD_MODULE_WPA, 1825 HOSTAPD_LEVEL_DEBUG, 1826 "invalid WMM element in association " 1827 "request"); 1828 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1829 } 1830 1831 sta->flags |= WLAN_STA_WMM; 1832 wmm = (struct wmm_information_element *) wmm_ie; 1833 sta->qosinfo = wmm->qos_info; 1834 } 1835 return WLAN_STATUS_SUCCESS; 1836 } 1837 1838 1839 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 1840 struct ieee802_11_elems *elems) 1841 { 1842 /* Supported rates not used in IEEE 802.11ad/DMG */ 1843 if (hapd->iface->current_mode && 1844 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) 1845 return WLAN_STATUS_SUCCESS; 1846 1847 if (!elems->supp_rates) { 1848 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1849 HOSTAPD_LEVEL_DEBUG, 1850 "No supported rates element in AssocReq"); 1851 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1852 } 1853 1854 if (elems->supp_rates_len + elems->ext_supp_rates_len > 1855 sizeof(sta->supported_rates)) { 1856 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1857 HOSTAPD_LEVEL_DEBUG, 1858 "Invalid supported rates element length %d+%d", 1859 elems->supp_rates_len, 1860 elems->ext_supp_rates_len); 1861 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1862 } 1863 1864 sta->supported_rates_len = merge_byte_arrays( 1865 sta->supported_rates, sizeof(sta->supported_rates), 1866 elems->supp_rates, elems->supp_rates_len, 1867 elems->ext_supp_rates, elems->ext_supp_rates_len); 1868 1869 return WLAN_STATUS_SUCCESS; 1870 } 1871 1872 1873 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, 1874 const u8 *ext_capab_ie, size_t ext_capab_ie_len) 1875 { 1876 #ifdef CONFIG_INTERWORKING 1877 /* check for QoS Map support */ 1878 if (ext_capab_ie_len >= 5) { 1879 if (ext_capab_ie[4] & 0x01) 1880 sta->qos_map_enabled = 1; 1881 } 1882 #endif /* CONFIG_INTERWORKING */ 1883 1884 if (ext_capab_ie_len > 0) 1885 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2)); 1886 1887 return WLAN_STATUS_SUCCESS; 1888 } 1889 1890 1891 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 1892 const u8 *ies, size_t ies_len, int reassoc) 1893 { 1894 struct ieee802_11_elems elems; 1895 u16 resp; 1896 const u8 *wpa_ie; 1897 size_t wpa_ie_len; 1898 const u8 *p2p_dev_addr = NULL; 1899 1900 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 1901 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1902 HOSTAPD_LEVEL_INFO, "Station sent an invalid " 1903 "association request"); 1904 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1905 } 1906 1907 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len); 1908 if (resp != WLAN_STATUS_SUCCESS) 1909 return resp; 1910 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len); 1911 if (resp != WLAN_STATUS_SUCCESS) 1912 return resp; 1913 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len); 1914 if (resp != WLAN_STATUS_SUCCESS) 1915 return resp; 1916 resp = copy_supp_rates(hapd, sta, &elems); 1917 if (resp != WLAN_STATUS_SUCCESS) 1918 return resp; 1919 #ifdef CONFIG_IEEE80211N 1920 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities); 1921 if (resp != WLAN_STATUS_SUCCESS) 1922 return resp; 1923 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 1924 !(sta->flags & WLAN_STA_HT)) { 1925 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1926 HOSTAPD_LEVEL_INFO, "Station does not support " 1927 "mandatory HT PHY - reject association"); 1928 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 1929 } 1930 #endif /* CONFIG_IEEE80211N */ 1931 1932 #ifdef CONFIG_IEEE80211AC 1933 if (hapd->iconf->ieee80211ac) { 1934 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); 1935 if (resp != WLAN_STATUS_SUCCESS) 1936 return resp; 1937 1938 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif); 1939 if (resp != WLAN_STATUS_SUCCESS) 1940 return resp; 1941 } 1942 1943 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 1944 !(sta->flags & WLAN_STA_VHT)) { 1945 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1946 HOSTAPD_LEVEL_INFO, "Station does not support " 1947 "mandatory VHT PHY - reject association"); 1948 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 1949 } 1950 1951 if (hapd->conf->vendor_vht && !elems.vht_capabilities) { 1952 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht, 1953 elems.vendor_vht_len); 1954 if (resp != WLAN_STATUS_SUCCESS) 1955 return resp; 1956 } 1957 #endif /* CONFIG_IEEE80211AC */ 1958 1959 #ifdef CONFIG_P2P 1960 if (elems.p2p) { 1961 wpabuf_free(sta->p2p_ie); 1962 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1963 P2P_IE_VENDOR_TYPE); 1964 if (sta->p2p_ie) 1965 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 1966 } else { 1967 wpabuf_free(sta->p2p_ie); 1968 sta->p2p_ie = NULL; 1969 } 1970 #endif /* CONFIG_P2P */ 1971 1972 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) { 1973 wpa_ie = elems.rsn_ie; 1974 wpa_ie_len = elems.rsn_ie_len; 1975 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 1976 elems.wpa_ie) { 1977 wpa_ie = elems.wpa_ie; 1978 wpa_ie_len = elems.wpa_ie_len; 1979 } else { 1980 wpa_ie = NULL; 1981 wpa_ie_len = 0; 1982 } 1983 1984 #ifdef CONFIG_WPS 1985 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 1986 if (hapd->conf->wps_state && elems.wps_ie) { 1987 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 1988 "Request - assume WPS is used"); 1989 sta->flags |= WLAN_STA_WPS; 1990 wpabuf_free(sta->wps_ie); 1991 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1992 WPS_IE_VENDOR_TYPE); 1993 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 1994 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 1995 sta->flags |= WLAN_STA_WPS2; 1996 } 1997 wpa_ie = NULL; 1998 wpa_ie_len = 0; 1999 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 2000 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 2001 "(Re)Association Request - reject"); 2002 return WLAN_STATUS_INVALID_IE; 2003 } 2004 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 2005 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 2006 "(Re)Association Request - possible WPS use"); 2007 sta->flags |= WLAN_STA_MAYBE_WPS; 2008 } else 2009 #endif /* CONFIG_WPS */ 2010 if (hapd->conf->wpa && wpa_ie == NULL) { 2011 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2012 HOSTAPD_LEVEL_INFO, 2013 "No WPA/RSN IE in association request"); 2014 return WLAN_STATUS_INVALID_IE; 2015 } 2016 2017 if (hapd->conf->wpa && wpa_ie) { 2018 int res; 2019 wpa_ie -= 2; 2020 wpa_ie_len += 2; 2021 if (sta->wpa_sm == NULL) 2022 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2023 sta->addr, 2024 p2p_dev_addr); 2025 if (sta->wpa_sm == NULL) { 2026 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 2027 "state machine"); 2028 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2029 } 2030 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 2031 wpa_ie, wpa_ie_len, 2032 elems.mdie, elems.mdie_len); 2033 resp = wpa_res_to_status_code(res); 2034 if (resp != WLAN_STATUS_SUCCESS) 2035 return resp; 2036 #ifdef CONFIG_IEEE80211W 2037 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 2038 sta->sa_query_count > 0) 2039 ap_check_sa_query_timeout(hapd, sta); 2040 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 2041 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 2042 /* 2043 * STA has already been associated with MFP and SA 2044 * Query timeout has not been reached. Reject the 2045 * association attempt temporarily and start SA Query, 2046 * if one is not pending. 2047 */ 2048 2049 if (sta->sa_query_count == 0) 2050 ap_sta_start_sa_query(hapd, sta); 2051 2052 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 2053 } 2054 2055 if (wpa_auth_uses_mfp(sta->wpa_sm)) 2056 sta->flags |= WLAN_STA_MFP; 2057 else 2058 sta->flags &= ~WLAN_STA_MFP; 2059 #endif /* CONFIG_IEEE80211W */ 2060 2061 #ifdef CONFIG_IEEE80211R_AP 2062 if (sta->auth_alg == WLAN_AUTH_FT) { 2063 if (!reassoc) { 2064 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 2065 "to use association (not " 2066 "re-association) with FT auth_alg", 2067 MAC2STR(sta->addr)); 2068 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2069 } 2070 2071 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 2072 ies_len); 2073 if (resp != WLAN_STATUS_SUCCESS) 2074 return resp; 2075 } 2076 #endif /* CONFIG_IEEE80211R_AP */ 2077 2078 #ifdef CONFIG_SAE 2079 if (wpa_auth_uses_sae(sta->wpa_sm) && 2080 sta->auth_alg == WLAN_AUTH_OPEN) { 2081 struct rsn_pmksa_cache_entry *sa; 2082 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 2083 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { 2084 wpa_printf(MSG_DEBUG, 2085 "SAE: No PMKSA cache entry found for " 2086 MACSTR, MAC2STR(sta->addr)); 2087 return WLAN_STATUS_INVALID_PMKID; 2088 } 2089 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 2090 " using PMKSA caching", MAC2STR(sta->addr)); 2091 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 2092 sta->auth_alg != WLAN_AUTH_SAE && 2093 !(sta->auth_alg == WLAN_AUTH_FT && 2094 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 2095 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 2096 "SAE AKM after non-SAE auth_alg %u", 2097 MAC2STR(sta->addr), sta->auth_alg); 2098 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2099 } 2100 #endif /* CONFIG_SAE */ 2101 2102 #ifdef CONFIG_IEEE80211N 2103 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 2104 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 2105 hostapd_logger(hapd, sta->addr, 2106 HOSTAPD_MODULE_IEEE80211, 2107 HOSTAPD_LEVEL_INFO, 2108 "Station tried to use TKIP with HT " 2109 "association"); 2110 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 2111 } 2112 #endif /* CONFIG_IEEE80211N */ 2113 #ifdef CONFIG_HS20 2114 } else if (hapd->conf->osen) { 2115 if (elems.osen == NULL) { 2116 hostapd_logger( 2117 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2118 HOSTAPD_LEVEL_INFO, 2119 "No HS 2.0 OSEN element in association request"); 2120 return WLAN_STATUS_INVALID_IE; 2121 } 2122 2123 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 2124 if (sta->wpa_sm == NULL) 2125 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2126 sta->addr, NULL); 2127 if (sta->wpa_sm == NULL) { 2128 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 2129 "state machine"); 2130 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2131 } 2132 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 2133 elems.osen - 2, elems.osen_len + 2) < 0) 2134 return WLAN_STATUS_INVALID_IE; 2135 #endif /* CONFIG_HS20 */ 2136 } else 2137 wpa_auth_sta_no_wpa(sta->wpa_sm); 2138 2139 #ifdef CONFIG_P2P 2140 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 2141 #endif /* CONFIG_P2P */ 2142 2143 #ifdef CONFIG_HS20 2144 wpabuf_free(sta->hs20_ie); 2145 if (elems.hs20 && elems.hs20_len > 4) { 2146 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4, 2147 elems.hs20_len - 4); 2148 } else 2149 sta->hs20_ie = NULL; 2150 #endif /* CONFIG_HS20 */ 2151 2152 #ifdef CONFIG_FST 2153 wpabuf_free(sta->mb_ies); 2154 if (hapd->iface->fst) 2155 sta->mb_ies = mb_ies_by_info(&elems.mb_ies); 2156 else 2157 sta->mb_ies = NULL; 2158 #endif /* CONFIG_FST */ 2159 2160 #ifdef CONFIG_MBO 2161 mbo_ap_check_sta_assoc(hapd, sta, &elems); 2162 2163 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) && 2164 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) && 2165 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2166 wpa_printf(MSG_INFO, 2167 "MBO: Reject WPA2 association without PMF"); 2168 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2169 } 2170 #endif /* CONFIG_MBO */ 2171 2172 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes, 2173 elems.supp_op_classes_len); 2174 2175 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) && 2176 elems.rrm_enabled && 2177 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa)) 2178 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled, 2179 sizeof(sta->rrm_enabled_capa)); 2180 2181 return WLAN_STATUS_SUCCESS; 2182 } 2183 2184 2185 static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 2186 u16 reason_code) 2187 { 2188 int send_len; 2189 struct ieee80211_mgmt reply; 2190 2191 os_memset(&reply, 0, sizeof(reply)); 2192 reply.frame_control = 2193 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 2194 os_memcpy(reply.da, addr, ETH_ALEN); 2195 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 2196 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 2197 2198 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 2199 reply.u.deauth.reason_code = host_to_le16(reason_code); 2200 2201 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0) 2202 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 2203 strerror(errno)); 2204 } 2205 2206 2207 static int add_associated_sta(struct hostapd_data *hapd, 2208 struct sta_info *sta) 2209 { 2210 struct ieee80211_ht_capabilities ht_cap; 2211 struct ieee80211_vht_capabilities vht_cap; 2212 2213 /* 2214 * Remove the STA entry to ensure the STA PS state gets cleared and 2215 * configuration gets updated. This is relevant for cases, such as 2216 * FT-over-the-DS, where a station re-associates back to the same AP but 2217 * skips the authentication flow, or if working with a driver that 2218 * does not support full AP client state. 2219 */ 2220 if (!sta->added_unassoc) 2221 hostapd_drv_sta_remove(hapd, sta->addr); 2222 2223 #ifdef CONFIG_IEEE80211N 2224 if (sta->flags & WLAN_STA_HT) 2225 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 2226 #endif /* CONFIG_IEEE80211N */ 2227 #ifdef CONFIG_IEEE80211AC 2228 if (sta->flags & WLAN_STA_VHT) 2229 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 2230 #endif /* CONFIG_IEEE80211AC */ 2231 2232 /* 2233 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags 2234 * will be set when the ACK frame for the (Re)Association Response frame 2235 * is processed (TX status driver event). 2236 */ 2237 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 2238 sta->supported_rates, sta->supported_rates_len, 2239 sta->listen_interval, 2240 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 2241 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 2242 sta->flags | WLAN_STA_ASSOC, sta->qosinfo, 2243 sta->vht_opmode, sta->p2p_ie ? 1 : 0, 2244 sta->added_unassoc)) { 2245 hostapd_logger(hapd, sta->addr, 2246 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, 2247 "Could not %s STA to kernel driver", 2248 sta->added_unassoc ? "set" : "add"); 2249 2250 if (sta->added_unassoc) { 2251 hostapd_drv_sta_remove(hapd, sta->addr); 2252 sta->added_unassoc = 0; 2253 } 2254 2255 return -1; 2256 } 2257 2258 sta->added_unassoc = 0; 2259 2260 return 0; 2261 } 2262 2263 2264 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 2265 const u8 *addr, u16 status_code, int reassoc, 2266 const u8 *ies, size_t ies_len) 2267 { 2268 int send_len; 2269 u8 *buf; 2270 size_t buflen; 2271 struct ieee80211_mgmt *reply; 2272 u8 *p; 2273 u16 res = WLAN_STATUS_SUCCESS; 2274 2275 buflen = sizeof(struct ieee80211_mgmt) + 1024; 2276 #ifdef CONFIG_FILS 2277 if (sta && sta->fils_hlp_resp) 2278 buflen += wpabuf_len(sta->fils_hlp_resp); 2279 #endif /* CONFIG_FILS */ 2280 buf = os_zalloc(buflen); 2281 if (!buf) { 2282 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2283 goto done; 2284 } 2285 reply = (struct ieee80211_mgmt *) buf; 2286 reply->frame_control = 2287 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 2288 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 2289 WLAN_FC_STYPE_ASSOC_RESP)); 2290 os_memcpy(reply->da, addr, ETH_ALEN); 2291 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 2292 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 2293 2294 send_len = IEEE80211_HDRLEN; 2295 send_len += sizeof(reply->u.assoc_resp); 2296 reply->u.assoc_resp.capab_info = 2297 host_to_le16(hostapd_own_capab_info(hapd)); 2298 reply->u.assoc_resp.status_code = host_to_le16(status_code); 2299 2300 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) | 2301 BIT(14) | BIT(15)); 2302 /* Supported rates */ 2303 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 2304 /* Extended supported rates */ 2305 p = hostapd_eid_ext_supp_rates(hapd, p); 2306 2307 #ifdef CONFIG_IEEE80211R_AP 2308 if (sta && status_code == WLAN_STATUS_SUCCESS) { 2309 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 2310 * Transition Information, RSN, [RIC Response] */ 2311 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 2312 buf + buflen - p, 2313 sta->auth_alg, ies, ies_len); 2314 } 2315 #endif /* CONFIG_IEEE80211R_AP */ 2316 2317 #ifdef CONFIG_IEEE80211W 2318 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 2319 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 2320 #endif /* CONFIG_IEEE80211W */ 2321 2322 #ifdef CONFIG_IEEE80211N 2323 p = hostapd_eid_ht_capabilities(hapd, p); 2324 p = hostapd_eid_ht_operation(hapd, p); 2325 #endif /* CONFIG_IEEE80211N */ 2326 2327 #ifdef CONFIG_IEEE80211AC 2328 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 2329 u32 nsts = 0, sta_nsts; 2330 2331 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) { 2332 struct ieee80211_vht_capabilities *capa; 2333 2334 nsts = (hapd->iface->conf->vht_capab >> 2335 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 2336 capa = sta->vht_capabilities; 2337 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >> 2338 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 2339 2340 if (nsts < sta_nsts) 2341 nsts = 0; 2342 else 2343 nsts = sta_nsts; 2344 } 2345 p = hostapd_eid_vht_capabilities(hapd, p, nsts); 2346 p = hostapd_eid_vht_operation(hapd, p); 2347 } 2348 #endif /* CONFIG_IEEE80211AC */ 2349 2350 p = hostapd_eid_ext_capab(hapd, p); 2351 p = hostapd_eid_bss_max_idle_period(hapd, p); 2352 if (sta && sta->qos_map_enabled) 2353 p = hostapd_eid_qos_map_set(hapd, p); 2354 2355 #ifdef CONFIG_FST 2356 if (hapd->iface->fst_ies) { 2357 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies), 2358 wpabuf_len(hapd->iface->fst_ies)); 2359 p += wpabuf_len(hapd->iface->fst_ies); 2360 } 2361 #endif /* CONFIG_FST */ 2362 2363 #ifdef CONFIG_IEEE80211AC 2364 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 2365 p = hostapd_eid_vendor_vht(hapd, p); 2366 #endif /* CONFIG_IEEE80211AC */ 2367 2368 if (sta && (sta->flags & WLAN_STA_WMM)) 2369 p = hostapd_eid_wmm(hapd, p); 2370 2371 #ifdef CONFIG_WPS 2372 if (sta && 2373 ((sta->flags & WLAN_STA_WPS) || 2374 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) { 2375 struct wpabuf *wps = wps_build_assoc_resp_ie(); 2376 if (wps) { 2377 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 2378 p += wpabuf_len(wps); 2379 wpabuf_free(wps); 2380 } 2381 } 2382 #endif /* CONFIG_WPS */ 2383 2384 #ifdef CONFIG_P2P 2385 if (sta && sta->p2p_ie && hapd->p2p_group) { 2386 struct wpabuf *p2p_resp_ie; 2387 enum p2p_status_code status; 2388 switch (status_code) { 2389 case WLAN_STATUS_SUCCESS: 2390 status = P2P_SC_SUCCESS; 2391 break; 2392 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 2393 status = P2P_SC_FAIL_LIMIT_REACHED; 2394 break; 2395 default: 2396 status = P2P_SC_FAIL_INVALID_PARAMS; 2397 break; 2398 } 2399 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 2400 if (p2p_resp_ie) { 2401 os_memcpy(p, wpabuf_head(p2p_resp_ie), 2402 wpabuf_len(p2p_resp_ie)); 2403 p += wpabuf_len(p2p_resp_ie); 2404 wpabuf_free(p2p_resp_ie); 2405 } 2406 } 2407 #endif /* CONFIG_P2P */ 2408 2409 #ifdef CONFIG_P2P_MANAGER 2410 if (hapd->conf->p2p & P2P_MANAGE) 2411 p = hostapd_eid_p2p_manage(hapd, p); 2412 #endif /* CONFIG_P2P_MANAGER */ 2413 2414 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 2415 2416 if (hapd->conf->assocresp_elements && 2417 (size_t) (buf + buflen - p) >= 2418 wpabuf_len(hapd->conf->assocresp_elements)) { 2419 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 2420 wpabuf_len(hapd->conf->assocresp_elements)); 2421 p += wpabuf_len(hapd->conf->assocresp_elements); 2422 } 2423 2424 send_len += p - reply->u.assoc_resp.variable; 2425 2426 #ifdef CONFIG_FILS 2427 if (sta && 2428 (sta->auth_alg == WLAN_AUTH_FILS_SK || 2429 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2430 sta->auth_alg == WLAN_AUTH_FILS_PK) && 2431 status_code == WLAN_STATUS_SUCCESS) { 2432 struct ieee802_11_elems elems; 2433 2434 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == 2435 ParseFailed || !elems.fils_session) { 2436 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2437 goto done; 2438 } 2439 2440 /* FILS Session */ 2441 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 2442 *p++ = 1 + FILS_SESSION_LEN; /* Length */ 2443 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2444 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN); 2445 send_len += 2 + 1 + FILS_SESSION_LEN; 2446 2447 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len, 2448 buflen, sta->fils_hlp_resp); 2449 if (send_len < 0) { 2450 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2451 goto done; 2452 } 2453 } 2454 #endif /* CONFIG_FILS */ 2455 2456 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) { 2457 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 2458 strerror(errno)); 2459 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2460 } 2461 2462 done: 2463 os_free(buf); 2464 return res; 2465 } 2466 2467 2468 #ifdef CONFIG_FILS 2469 2470 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta) 2471 { 2472 u16 reply_res; 2473 2474 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR, 2475 MAC2STR(sta->addr)); 2476 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2477 if (!sta->fils_pending_assoc_req) 2478 return; 2479 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS, 2480 sta->fils_pending_assoc_is_reassoc, 2481 sta->fils_pending_assoc_req, 2482 sta->fils_pending_assoc_req_len); 2483 os_free(sta->fils_pending_assoc_req); 2484 sta->fils_pending_assoc_req = NULL; 2485 sta->fils_pending_assoc_req_len = 0; 2486 wpabuf_free(sta->fils_hlp_resp); 2487 sta->fils_hlp_resp = NULL; 2488 wpabuf_free(sta->hlp_dhcp_discover); 2489 sta->hlp_dhcp_discover = NULL; 2490 2491 /* 2492 * Remove the station in case tranmission of a success response fails 2493 * (the STA was added associated to the driver) or if the station was 2494 * previously added unassociated. 2495 */ 2496 if (reply_res != WLAN_STATUS_SUCCESS || sta->added_unassoc) { 2497 hostapd_drv_sta_remove(hapd, sta->addr); 2498 sta->added_unassoc = 0; 2499 } 2500 } 2501 2502 2503 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data) 2504 { 2505 struct hostapd_data *hapd = eloop_ctx; 2506 struct sta_info *sta = eloop_data; 2507 2508 wpa_printf(MSG_DEBUG, 2509 "FILS: HLP response timeout - continue with association response for " 2510 MACSTR, MAC2STR(sta->addr)); 2511 fils_hlp_finish_assoc(hapd, sta); 2512 } 2513 2514 #endif /* CONFIG_FILS */ 2515 2516 2517 static void handle_assoc(struct hostapd_data *hapd, 2518 const struct ieee80211_mgmt *mgmt, size_t len, 2519 int reassoc) 2520 { 2521 u16 capab_info, listen_interval, seq_ctrl, fc; 2522 u16 resp = WLAN_STATUS_SUCCESS, reply_res; 2523 const u8 *pos; 2524 int left, i; 2525 struct sta_info *sta; 2526 u8 *tmp = NULL; 2527 struct hostapd_sta_wpa_psk_short *psk = NULL; 2528 char *identity = NULL; 2529 char *radius_cui = NULL; 2530 #ifdef CONFIG_FILS 2531 int delay_assoc = 0; 2532 #endif /* CONFIG_FILS */ 2533 2534 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 2535 sizeof(mgmt->u.assoc_req))) { 2536 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 2537 reassoc, (unsigned long) len); 2538 return; 2539 } 2540 2541 #ifdef CONFIG_TESTING_OPTIONS 2542 if (reassoc) { 2543 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 2544 drand48() < hapd->iconf->ignore_reassoc_probability) { 2545 wpa_printf(MSG_INFO, 2546 "TESTING: ignoring reassoc request from " 2547 MACSTR, MAC2STR(mgmt->sa)); 2548 return; 2549 } 2550 } else { 2551 if (hapd->iconf->ignore_assoc_probability > 0.0 && 2552 drand48() < hapd->iconf->ignore_assoc_probability) { 2553 wpa_printf(MSG_INFO, 2554 "TESTING: ignoring assoc request from " 2555 MACSTR, MAC2STR(mgmt->sa)); 2556 return; 2557 } 2558 } 2559 #endif /* CONFIG_TESTING_OPTIONS */ 2560 2561 fc = le_to_host16(mgmt->frame_control); 2562 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2563 2564 if (reassoc) { 2565 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 2566 listen_interval = le_to_host16( 2567 mgmt->u.reassoc_req.listen_interval); 2568 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 2569 " capab_info=0x%02x listen_interval=%d current_ap=" 2570 MACSTR " seq_ctrl=0x%x%s", 2571 MAC2STR(mgmt->sa), capab_info, listen_interval, 2572 MAC2STR(mgmt->u.reassoc_req.current_ap), 2573 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 2574 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 2575 pos = mgmt->u.reassoc_req.variable; 2576 } else { 2577 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 2578 listen_interval = le_to_host16( 2579 mgmt->u.assoc_req.listen_interval); 2580 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 2581 " capab_info=0x%02x listen_interval=%d " 2582 "seq_ctrl=0x%x%s", 2583 MAC2STR(mgmt->sa), capab_info, listen_interval, 2584 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 2585 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 2586 pos = mgmt->u.assoc_req.variable; 2587 } 2588 2589 sta = ap_get_sta(hapd, mgmt->sa); 2590 #ifdef CONFIG_IEEE80211R_AP 2591 if (sta && sta->auth_alg == WLAN_AUTH_FT && 2592 (sta->flags & WLAN_STA_AUTH) == 0) { 2593 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 2594 "prior to authentication since it is using " 2595 "over-the-DS FT", MAC2STR(mgmt->sa)); 2596 2597 /* 2598 * Mark station as authenticated, to avoid adding station 2599 * entry in the driver as associated and not authenticated 2600 */ 2601 sta->flags |= WLAN_STA_AUTH; 2602 } else 2603 #endif /* CONFIG_IEEE80211R_AP */ 2604 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 2605 if (hapd->iface->current_mode && 2606 hapd->iface->current_mode->mode == 2607 HOSTAPD_MODE_IEEE80211AD) { 2608 int acl_res; 2609 u32 session_timeout, acct_interim_interval; 2610 struct vlan_description vlan_id; 2611 2612 acl_res = ieee802_11_allowed_address( 2613 hapd, mgmt->sa, (const u8 *) mgmt, len, 2614 &session_timeout, &acct_interim_interval, 2615 &vlan_id, &psk, &identity, &radius_cui); 2616 if (acl_res == HOSTAPD_ACL_REJECT) { 2617 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2618 goto fail; 2619 } 2620 if (acl_res == HOSTAPD_ACL_PENDING) 2621 return; 2622 2623 /* DMG/IEEE 802.11ad does not use authentication. 2624 * Allocate sta entry upon association. */ 2625 sta = ap_sta_add(hapd, mgmt->sa); 2626 if (!sta) { 2627 hostapd_logger(hapd, mgmt->sa, 2628 HOSTAPD_MODULE_IEEE80211, 2629 HOSTAPD_LEVEL_INFO, 2630 "Failed to add STA"); 2631 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2632 goto fail; 2633 } 2634 2635 acl_res = ieee802_11_set_radius_info( 2636 hapd, sta, acl_res, session_timeout, 2637 acct_interim_interval, &vlan_id, &psk, 2638 &identity, &radius_cui); 2639 if (acl_res) { 2640 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2641 goto fail; 2642 } 2643 2644 hostapd_logger(hapd, sta->addr, 2645 HOSTAPD_MODULE_IEEE80211, 2646 HOSTAPD_LEVEL_DEBUG, 2647 "Skip authentication for DMG/IEEE 802.11ad"); 2648 sta->flags |= WLAN_STA_AUTH; 2649 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 2650 sta->auth_alg = WLAN_AUTH_OPEN; 2651 } else { 2652 hostapd_logger(hapd, mgmt->sa, 2653 HOSTAPD_MODULE_IEEE80211, 2654 HOSTAPD_LEVEL_INFO, 2655 "Station tried to associate before authentication (aid=%d flags=0x%x)", 2656 sta ? sta->aid : -1, 2657 sta ? sta->flags : 0); 2658 send_deauth(hapd, mgmt->sa, 2659 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 2660 return; 2661 } 2662 } 2663 2664 if ((fc & WLAN_FC_RETRY) && 2665 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 2666 sta->last_seq_ctrl == seq_ctrl && 2667 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 2668 WLAN_FC_STYPE_ASSOC_REQ)) { 2669 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2670 HOSTAPD_LEVEL_DEBUG, 2671 "Drop repeated association frame seq_ctrl=0x%x", 2672 seq_ctrl); 2673 return; 2674 } 2675 sta->last_seq_ctrl = seq_ctrl; 2676 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 2677 WLAN_FC_STYPE_ASSOC_REQ; 2678 2679 if (hapd->tkip_countermeasures) { 2680 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 2681 goto fail; 2682 } 2683 2684 if (listen_interval > hapd->conf->max_listen_interval) { 2685 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2686 HOSTAPD_LEVEL_DEBUG, 2687 "Too large Listen Interval (%d)", 2688 listen_interval); 2689 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 2690 goto fail; 2691 } 2692 2693 #ifdef CONFIG_MBO 2694 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) { 2695 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2696 goto fail; 2697 } 2698 #endif /* CONFIG_MBO */ 2699 2700 /* 2701 * sta->capability is used in check_assoc_ies() for RRM enabled 2702 * capability element. 2703 */ 2704 sta->capability = capab_info; 2705 2706 #ifdef CONFIG_FILS 2707 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 2708 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2709 sta->auth_alg == WLAN_AUTH_FILS_PK) { 2710 /* The end of the payload is encrypted. Need to decrypt it 2711 * before parsing. */ 2712 2713 tmp = os_malloc(left); 2714 if (!tmp) { 2715 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2716 goto fail; 2717 } 2718 os_memcpy(tmp, pos, left); 2719 2720 left = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt, 2721 len, tmp, left); 2722 if (left < 0) { 2723 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2724 goto fail; 2725 } 2726 pos = tmp; 2727 } 2728 #endif /* CONFIG_FILS */ 2729 2730 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 2731 * is used */ 2732 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 2733 if (resp != WLAN_STATUS_SUCCESS) 2734 goto fail; 2735 2736 if (hostapd_get_aid(hapd, sta) < 0) { 2737 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2738 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 2739 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2740 goto fail; 2741 } 2742 2743 sta->listen_interval = listen_interval; 2744 2745 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 2746 sta->flags |= WLAN_STA_NONERP; 2747 for (i = 0; i < sta->supported_rates_len; i++) { 2748 if ((sta->supported_rates[i] & 0x7f) > 22) { 2749 sta->flags &= ~WLAN_STA_NONERP; 2750 break; 2751 } 2752 } 2753 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 2754 sta->nonerp_set = 1; 2755 hapd->iface->num_sta_non_erp++; 2756 if (hapd->iface->num_sta_non_erp == 1) 2757 ieee802_11_set_beacons(hapd->iface); 2758 } 2759 2760 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 2761 !sta->no_short_slot_time_set) { 2762 sta->no_short_slot_time_set = 1; 2763 hapd->iface->num_sta_no_short_slot_time++; 2764 if (hapd->iface->current_mode->mode == 2765 HOSTAPD_MODE_IEEE80211G && 2766 hapd->iface->num_sta_no_short_slot_time == 1) 2767 ieee802_11_set_beacons(hapd->iface); 2768 } 2769 2770 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 2771 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 2772 else 2773 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 2774 2775 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 2776 !sta->no_short_preamble_set) { 2777 sta->no_short_preamble_set = 1; 2778 hapd->iface->num_sta_no_short_preamble++; 2779 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 2780 && hapd->iface->num_sta_no_short_preamble == 1) 2781 ieee802_11_set_beacons(hapd->iface); 2782 } 2783 2784 #ifdef CONFIG_IEEE80211N 2785 update_ht_state(hapd, sta); 2786 #endif /* CONFIG_IEEE80211N */ 2787 2788 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2789 HOSTAPD_LEVEL_DEBUG, 2790 "association OK (aid %d)", sta->aid); 2791 /* Station will be marked associated, after it acknowledges AssocResp 2792 */ 2793 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 2794 2795 #ifdef CONFIG_IEEE80211W 2796 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 2797 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 2798 "SA Query procedure", reassoc ? "re" : ""); 2799 /* TODO: Send a protected Disassociate frame to the STA using 2800 * the old key and Reason Code "Previous Authentication no 2801 * longer valid". Make sure this is only sent protected since 2802 * unprotected frame would be received by the STA that is now 2803 * trying to associate. 2804 */ 2805 } 2806 #endif /* CONFIG_IEEE80211W */ 2807 2808 /* Make sure that the previously registered inactivity timer will not 2809 * remove the STA immediately. */ 2810 sta->timeout_next = STA_NULLFUNC; 2811 2812 #ifdef CONFIG_TAXONOMY 2813 taxonomy_sta_info_assoc_req(hapd, sta, pos, left); 2814 #endif /* CONFIG_TAXONOMY */ 2815 2816 sta->pending_wds_enable = 0; 2817 2818 #ifdef CONFIG_FILS 2819 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 2820 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2821 sta->auth_alg == WLAN_AUTH_FILS_PK) { 2822 if (fils_process_hlp(hapd, sta, pos, left) > 0) 2823 delay_assoc = 1; 2824 } 2825 #endif /* CONFIG_FILS */ 2826 2827 fail: 2828 os_free(identity); 2829 os_free(radius_cui); 2830 hostapd_free_psk_list(psk); 2831 2832 /* 2833 * In case of a successful response, add the station to the driver. 2834 * Otherwise, the kernel may ignore Data frames before we process the 2835 * ACK frame (TX status). In case of a failure, this station will be 2836 * removed. 2837 * 2838 * Note that this is not compliant with the IEEE 802.11 standard that 2839 * states that a non-AP station should transition into the 2840 * authenticated/associated state only after the station acknowledges 2841 * the (Re)Association Response frame. However, still do this as: 2842 * 2843 * 1. In case the station does not acknowledge the (Re)Association 2844 * Response frame, it will be removed. 2845 * 2. Data frames will be dropped in the kernel until the station is 2846 * set into authorized state, and there are no significant known 2847 * issues with processing other non-Data Class 3 frames during this 2848 * window. 2849 */ 2850 if (resp == WLAN_STATUS_SUCCESS && sta && add_associated_sta(hapd, sta)) 2851 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2852 2853 #ifdef CONFIG_FILS 2854 if (sta) { 2855 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2856 os_free(sta->fils_pending_assoc_req); 2857 sta->fils_pending_assoc_req = NULL; 2858 sta->fils_pending_assoc_req_len = 0; 2859 wpabuf_free(sta->fils_hlp_resp); 2860 sta->fils_hlp_resp = NULL; 2861 } 2862 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) { 2863 sta->fils_pending_assoc_req = tmp; 2864 sta->fils_pending_assoc_req_len = left; 2865 sta->fils_pending_assoc_is_reassoc = reassoc; 2866 wpa_printf(MSG_DEBUG, 2867 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to " 2868 MACSTR, MAC2STR(sta->addr)); 2869 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2870 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024, 2871 fils_hlp_timeout, hapd, sta); 2872 return; 2873 } 2874 #endif /* CONFIG_FILS */ 2875 2876 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos, 2877 left); 2878 os_free(tmp); 2879 2880 /* 2881 * Remove the station in case tranmission of a success response fails 2882 * (the STA was added associated to the driver) or if the station was 2883 * previously added unassociated. 2884 */ 2885 if (sta && ((reply_res != WLAN_STATUS_SUCCESS && 2886 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) { 2887 hostapd_drv_sta_remove(hapd, sta->addr); 2888 sta->added_unassoc = 0; 2889 } 2890 } 2891 2892 2893 static void handle_disassoc(struct hostapd_data *hapd, 2894 const struct ieee80211_mgmt *mgmt, size_t len) 2895 { 2896 struct sta_info *sta; 2897 2898 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 2899 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)", 2900 (unsigned long) len); 2901 return; 2902 } 2903 2904 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", 2905 MAC2STR(mgmt->sa), 2906 le_to_host16(mgmt->u.disassoc.reason_code)); 2907 2908 sta = ap_get_sta(hapd, mgmt->sa); 2909 if (sta == NULL) { 2910 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated", 2911 MAC2STR(mgmt->sa)); 2912 return; 2913 } 2914 2915 ap_sta_set_authorized(hapd, sta, 0); 2916 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 2917 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 2918 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 2919 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2920 HOSTAPD_LEVEL_INFO, "disassociated"); 2921 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 2922 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 2923 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 2924 * authenticated. */ 2925 accounting_sta_stop(hapd, sta); 2926 ieee802_1x_free_station(hapd, sta); 2927 if (sta->ipaddr) 2928 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 2929 ap_sta_ip6addr_del(hapd, sta); 2930 hostapd_drv_sta_remove(hapd, sta->addr); 2931 sta->added_unassoc = 0; 2932 2933 if (sta->timeout_next == STA_NULLFUNC || 2934 sta->timeout_next == STA_DISASSOC) { 2935 sta->timeout_next = STA_DEAUTH; 2936 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 2937 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 2938 hapd, sta); 2939 } 2940 2941 mlme_disassociate_indication( 2942 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 2943 2944 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon 2945 * disassociation. */ 2946 if (hapd->iface->current_mode && 2947 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) { 2948 sta->flags &= ~WLAN_STA_AUTH; 2949 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 2950 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2951 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 2952 ap_free_sta(hapd, sta); 2953 } 2954 } 2955 2956 2957 static void handle_deauth(struct hostapd_data *hapd, 2958 const struct ieee80211_mgmt *mgmt, size_t len) 2959 { 2960 struct sta_info *sta; 2961 2962 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 2963 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short " 2964 "payload (len=%lu)", (unsigned long) len); 2965 return; 2966 } 2967 2968 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR 2969 " reason_code=%d", 2970 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 2971 2972 sta = ap_get_sta(hapd, mgmt->sa); 2973 if (sta == NULL) { 2974 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " 2975 "to deauthenticate, but it is not authenticated", 2976 MAC2STR(mgmt->sa)); 2977 return; 2978 } 2979 2980 ap_sta_set_authorized(hapd, sta, 0); 2981 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 2982 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 2983 WLAN_STA_ASSOC_REQ_OK); 2984 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 2985 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2986 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 2987 mlme_deauthenticate_indication( 2988 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 2989 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 2990 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 2991 ap_free_sta(hapd, sta); 2992 } 2993 2994 2995 static void handle_beacon(struct hostapd_data *hapd, 2996 const struct ieee80211_mgmt *mgmt, size_t len, 2997 struct hostapd_frame_info *fi) 2998 { 2999 struct ieee802_11_elems elems; 3000 3001 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 3002 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 3003 (unsigned long) len); 3004 return; 3005 } 3006 3007 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 3008 len - (IEEE80211_HDRLEN + 3009 sizeof(mgmt->u.beacon)), &elems, 3010 0); 3011 3012 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 3013 } 3014 3015 3016 #ifdef CONFIG_IEEE80211W 3017 3018 static int hostapd_sa_query_action(struct hostapd_data *hapd, 3019 const struct ieee80211_mgmt *mgmt, 3020 size_t len) 3021 { 3022 const u8 *end; 3023 3024 end = mgmt->u.action.u.sa_query_resp.trans_id + 3025 WLAN_SA_QUERY_TR_ID_LEN; 3026 if (((u8 *) mgmt) + len < end) { 3027 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action " 3028 "frame (len=%lu)", (unsigned long) len); 3029 return 0; 3030 } 3031 3032 ieee802_11_sa_query_action(hapd, mgmt->sa, 3033 mgmt->u.action.u.sa_query_resp.action, 3034 mgmt->u.action.u.sa_query_resp.trans_id); 3035 return 1; 3036 } 3037 3038 3039 static int robust_action_frame(u8 category) 3040 { 3041 return category != WLAN_ACTION_PUBLIC && 3042 category != WLAN_ACTION_HT; 3043 } 3044 #endif /* CONFIG_IEEE80211W */ 3045 3046 3047 static int handle_action(struct hostapd_data *hapd, 3048 const struct ieee80211_mgmt *mgmt, size_t len) 3049 { 3050 struct sta_info *sta; 3051 sta = ap_get_sta(hapd, mgmt->sa); 3052 3053 if (len < IEEE80211_HDRLEN + 1) { 3054 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3055 HOSTAPD_LEVEL_DEBUG, 3056 "handle_action - too short payload (len=%lu)", 3057 (unsigned long) len); 3058 return 0; 3059 } 3060 3061 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 3062 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 3063 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 3064 "frame (category=%u) from unassociated STA " MACSTR, 3065 mgmt->u.action.category, MAC2STR(mgmt->sa)); 3066 return 0; 3067 } 3068 3069 #ifdef CONFIG_IEEE80211W 3070 if (sta && (sta->flags & WLAN_STA_MFP) && 3071 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 3072 robust_action_frame(mgmt->u.action.category)) { 3073 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3074 HOSTAPD_LEVEL_DEBUG, 3075 "Dropped unprotected Robust Action frame from " 3076 "an MFP STA"); 3077 return 0; 3078 } 3079 #endif /* CONFIG_IEEE80211W */ 3080 3081 if (sta) { 3082 u16 fc = le_to_host16(mgmt->frame_control); 3083 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 3084 3085 if ((fc & WLAN_FC_RETRY) && 3086 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 3087 sta->last_seq_ctrl == seq_ctrl && 3088 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 3089 hostapd_logger(hapd, sta->addr, 3090 HOSTAPD_MODULE_IEEE80211, 3091 HOSTAPD_LEVEL_DEBUG, 3092 "Drop repeated action frame seq_ctrl=0x%x", 3093 seq_ctrl); 3094 return 1; 3095 } 3096 3097 sta->last_seq_ctrl = seq_ctrl; 3098 sta->last_subtype = WLAN_FC_STYPE_ACTION; 3099 } 3100 3101 switch (mgmt->u.action.category) { 3102 #ifdef CONFIG_IEEE80211R_AP 3103 case WLAN_ACTION_FT: 3104 if (!sta || 3105 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 3106 len - IEEE80211_HDRLEN)) 3107 break; 3108 return 1; 3109 #endif /* CONFIG_IEEE80211R_AP */ 3110 case WLAN_ACTION_WMM: 3111 hostapd_wmm_action(hapd, mgmt, len); 3112 return 1; 3113 #ifdef CONFIG_IEEE80211W 3114 case WLAN_ACTION_SA_QUERY: 3115 return hostapd_sa_query_action(hapd, mgmt, len); 3116 #endif /* CONFIG_IEEE80211W */ 3117 #ifdef CONFIG_WNM 3118 case WLAN_ACTION_WNM: 3119 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 3120 return 1; 3121 #endif /* CONFIG_WNM */ 3122 #ifdef CONFIG_FST 3123 case WLAN_ACTION_FST: 3124 if (hapd->iface->fst) 3125 fst_rx_action(hapd->iface->fst, mgmt, len); 3126 else 3127 wpa_printf(MSG_DEBUG, 3128 "FST: Ignore FST Action frame - no FST attached"); 3129 return 1; 3130 #endif /* CONFIG_FST */ 3131 case WLAN_ACTION_PUBLIC: 3132 case WLAN_ACTION_PROTECTED_DUAL: 3133 #ifdef CONFIG_IEEE80211N 3134 if (len >= IEEE80211_HDRLEN + 2 && 3135 mgmt->u.action.u.public_action.action == 3136 WLAN_PA_20_40_BSS_COEX) { 3137 wpa_printf(MSG_DEBUG, 3138 "HT20/40 coex mgmt frame received from STA " 3139 MACSTR, MAC2STR(mgmt->sa)); 3140 hostapd_2040_coex_action(hapd, mgmt, len); 3141 } 3142 #endif /* CONFIG_IEEE80211N */ 3143 if (hapd->public_action_cb) { 3144 hapd->public_action_cb(hapd->public_action_cb_ctx, 3145 (u8 *) mgmt, len, 3146 hapd->iface->freq); 3147 } 3148 if (hapd->public_action_cb2) { 3149 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 3150 (u8 *) mgmt, len, 3151 hapd->iface->freq); 3152 } 3153 if (hapd->public_action_cb || hapd->public_action_cb2) 3154 return 1; 3155 break; 3156 case WLAN_ACTION_VENDOR_SPECIFIC: 3157 if (hapd->vendor_action_cb) { 3158 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 3159 (u8 *) mgmt, len, 3160 hapd->iface->freq) == 0) 3161 return 1; 3162 } 3163 break; 3164 case WLAN_ACTION_RADIO_MEASUREMENT: 3165 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len); 3166 return 1; 3167 } 3168 3169 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3170 HOSTAPD_LEVEL_DEBUG, 3171 "handle_action - unknown action category %d or invalid " 3172 "frame", 3173 mgmt->u.action.category); 3174 if (!is_multicast_ether_addr(mgmt->da) && 3175 !(mgmt->u.action.category & 0x80) && 3176 !is_multicast_ether_addr(mgmt->sa)) { 3177 struct ieee80211_mgmt *resp; 3178 3179 /* 3180 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 3181 * Return the Action frame to the source without change 3182 * except that MSB of the Category set to 1. 3183 */ 3184 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 3185 "frame back to sender"); 3186 resp = os_malloc(len); 3187 if (resp == NULL) 3188 return 0; 3189 os_memcpy(resp, mgmt, len); 3190 os_memcpy(resp->da, resp->sa, ETH_ALEN); 3191 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 3192 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 3193 resp->u.action.category |= 0x80; 3194 3195 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) { 3196 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 3197 "Action frame"); 3198 } 3199 os_free(resp); 3200 } 3201 3202 return 1; 3203 } 3204 3205 3206 /** 3207 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 3208 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 3209 * sent to) 3210 * @buf: management frame data (starting from IEEE 802.11 header) 3211 * @len: length of frame data in octets 3212 * @fi: meta data about received frame (signal level, etc.) 3213 * 3214 * Process all incoming IEEE 802.11 management frames. This will be called for 3215 * each frame received from the kernel driver through wlan#ap interface. In 3216 * addition, it can be called to re-inserted pending frames (e.g., when using 3217 * external RADIUS server as an MAC ACL). 3218 */ 3219 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 3220 struct hostapd_frame_info *fi) 3221 { 3222 struct ieee80211_mgmt *mgmt; 3223 u16 fc, stype; 3224 int ret = 0; 3225 3226 if (len < 24) 3227 return 0; 3228 3229 mgmt = (struct ieee80211_mgmt *) buf; 3230 fc = le_to_host16(mgmt->frame_control); 3231 stype = WLAN_FC_GET_STYPE(fc); 3232 3233 if (stype == WLAN_FC_STYPE_BEACON) { 3234 handle_beacon(hapd, mgmt, len, fi); 3235 return 1; 3236 } 3237 3238 if (!is_broadcast_ether_addr(mgmt->bssid) && 3239 #ifdef CONFIG_P2P 3240 /* Invitation responses can be sent with the peer MAC as BSSID */ 3241 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 3242 stype == WLAN_FC_STYPE_ACTION) && 3243 #endif /* CONFIG_P2P */ 3244 #ifdef CONFIG_MESH 3245 !(hapd->conf->mesh & MESH_ENABLED) && 3246 #endif /* CONFIG_MESH */ 3247 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) { 3248 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 3249 MAC2STR(mgmt->bssid)); 3250 return 0; 3251 } 3252 3253 3254 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 3255 handle_probe_req(hapd, mgmt, len, fi->ssi_signal); 3256 return 1; 3257 } 3258 3259 if (os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) { 3260 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3261 HOSTAPD_LEVEL_DEBUG, 3262 "MGMT: DA=" MACSTR " not our address", 3263 MAC2STR(mgmt->da)); 3264 return 0; 3265 } 3266 3267 if (hapd->iconf->track_sta_max_num) 3268 sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal); 3269 3270 switch (stype) { 3271 case WLAN_FC_STYPE_AUTH: 3272 wpa_printf(MSG_DEBUG, "mgmt::auth"); 3273 handle_auth(hapd, mgmt, len); 3274 ret = 1; 3275 break; 3276 case WLAN_FC_STYPE_ASSOC_REQ: 3277 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 3278 handle_assoc(hapd, mgmt, len, 0); 3279 ret = 1; 3280 break; 3281 case WLAN_FC_STYPE_REASSOC_REQ: 3282 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 3283 handle_assoc(hapd, mgmt, len, 1); 3284 ret = 1; 3285 break; 3286 case WLAN_FC_STYPE_DISASSOC: 3287 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 3288 handle_disassoc(hapd, mgmt, len); 3289 ret = 1; 3290 break; 3291 case WLAN_FC_STYPE_DEAUTH: 3292 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 3293 handle_deauth(hapd, mgmt, len); 3294 ret = 1; 3295 break; 3296 case WLAN_FC_STYPE_ACTION: 3297 wpa_printf(MSG_DEBUG, "mgmt::action"); 3298 ret = handle_action(hapd, mgmt, len); 3299 break; 3300 default: 3301 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3302 HOSTAPD_LEVEL_DEBUG, 3303 "unknown mgmt frame subtype %d", stype); 3304 break; 3305 } 3306 3307 return ret; 3308 } 3309 3310 3311 static void handle_auth_cb(struct hostapd_data *hapd, 3312 const struct ieee80211_mgmt *mgmt, 3313 size_t len, int ok) 3314 { 3315 u16 auth_alg, auth_transaction, status_code; 3316 struct sta_info *sta; 3317 3318 sta = ap_get_sta(hapd, mgmt->da); 3319 if (!sta) { 3320 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found", 3321 MAC2STR(mgmt->da)); 3322 return; 3323 } 3324 3325 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 3326 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 3327 status_code = le_to_host16(mgmt->u.auth.status_code); 3328 3329 if (!ok) { 3330 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 3331 HOSTAPD_LEVEL_NOTICE, 3332 "did not acknowledge authentication response"); 3333 goto fail; 3334 } 3335 3336 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 3337 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 3338 (unsigned long) len); 3339 goto fail; 3340 } 3341 3342 if (status_code == WLAN_STATUS_SUCCESS && 3343 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 3344 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 3345 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3346 HOSTAPD_LEVEL_INFO, "authenticated"); 3347 sta->flags |= WLAN_STA_AUTH; 3348 if (sta->added_unassoc) 3349 hostapd_set_sta_flags(hapd, sta); 3350 return; 3351 } 3352 3353 fail: 3354 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) { 3355 hostapd_drv_sta_remove(hapd, sta->addr); 3356 sta->added_unassoc = 0; 3357 } 3358 } 3359 3360 3361 static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 3362 struct sta_info *sta, 3363 char *ifname_wds) 3364 { 3365 int i; 3366 struct hostapd_ssid *ssid = &hapd->conf->ssid; 3367 3368 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 3369 return; 3370 3371 for (i = 0; i < 4; i++) { 3372 if (ssid->wep.key[i] && 3373 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 3374 i == ssid->wep.idx, NULL, 0, 3375 ssid->wep.key[i], ssid->wep.len[i])) { 3376 wpa_printf(MSG_WARNING, 3377 "Could not set WEP keys for WDS interface; %s", 3378 ifname_wds); 3379 break; 3380 } 3381 } 3382 } 3383 3384 3385 static void handle_assoc_cb(struct hostapd_data *hapd, 3386 const struct ieee80211_mgmt *mgmt, 3387 size_t len, int reassoc, int ok) 3388 { 3389 u16 status; 3390 struct sta_info *sta; 3391 int new_assoc = 1; 3392 3393 sta = ap_get_sta(hapd, mgmt->da); 3394 if (!sta) { 3395 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 3396 MAC2STR(mgmt->da)); 3397 return; 3398 } 3399 3400 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 3401 sizeof(mgmt->u.assoc_resp))) { 3402 wpa_printf(MSG_INFO, 3403 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 3404 reassoc, (unsigned long) len); 3405 hostapd_drv_sta_remove(hapd, sta->addr); 3406 return; 3407 } 3408 3409 if (reassoc) 3410 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 3411 else 3412 status = le_to_host16(mgmt->u.assoc_resp.status_code); 3413 3414 if (!ok) { 3415 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 3416 HOSTAPD_LEVEL_DEBUG, 3417 "did not acknowledge association response"); 3418 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 3419 /* The STA is added only in case of SUCCESS */ 3420 if (status == WLAN_STATUS_SUCCESS) 3421 hostapd_drv_sta_remove(hapd, sta->addr); 3422 3423 return; 3424 } 3425 3426 if (status != WLAN_STATUS_SUCCESS) 3427 return; 3428 3429 /* Stop previous accounting session, if one is started, and allocate 3430 * new session id for the new session. */ 3431 accounting_sta_stop(hapd, sta); 3432 3433 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3434 HOSTAPD_LEVEL_INFO, 3435 "associated (aid %d)", 3436 sta->aid); 3437 3438 if (sta->flags & WLAN_STA_ASSOC) 3439 new_assoc = 0; 3440 sta->flags |= WLAN_STA_ASSOC; 3441 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 3442 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && 3443 !hapd->conf->osen) || 3444 sta->auth_alg == WLAN_AUTH_FILS_SK || 3445 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3446 sta->auth_alg == WLAN_AUTH_FILS_PK || 3447 sta->auth_alg == WLAN_AUTH_FT) { 3448 /* 3449 * Open, static WEP, FT protocol, or FILS; no separate 3450 * authorization step. 3451 */ 3452 ap_sta_set_authorized(hapd, sta, 1); 3453 } 3454 3455 if (reassoc) 3456 mlme_reassociate_indication(hapd, sta); 3457 else 3458 mlme_associate_indication(hapd, sta); 3459 3460 #ifdef CONFIG_IEEE80211W 3461 sta->sa_query_timed_out = 0; 3462 #endif /* CONFIG_IEEE80211W */ 3463 3464 if (sta->eapol_sm == NULL) { 3465 /* 3466 * This STA does not use RADIUS server for EAP authentication, 3467 * so bind it to the selected VLAN interface now, since the 3468 * interface selection is not going to change anymore. 3469 */ 3470 if (ap_sta_bind_vlan(hapd, sta) < 0) 3471 return; 3472 } else if (sta->vlan_id) { 3473 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 3474 if (ap_sta_bind_vlan(hapd, sta) < 0) 3475 return; 3476 } 3477 3478 hostapd_set_sta_flags(hapd, sta); 3479 3480 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) { 3481 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA " 3482 MACSTR " based on pending request", 3483 MAC2STR(sta->addr)); 3484 sta->pending_wds_enable = 0; 3485 sta->flags |= WLAN_STA_WDS; 3486 } 3487 3488 if (sta->flags & WLAN_STA_WDS) { 3489 int ret; 3490 char ifname_wds[IFNAMSIZ + 1]; 3491 3492 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA " 3493 MACSTR " (aid %u)", 3494 MAC2STR(sta->addr), sta->aid); 3495 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 3496 sta->aid, 1); 3497 if (!ret) 3498 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 3499 } 3500 3501 if (sta->auth_alg == WLAN_AUTH_FT) 3502 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 3503 else 3504 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 3505 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 3506 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 3507 3508 #ifdef CONFIG_FILS 3509 if ((sta->auth_alg == WLAN_AUTH_FILS_SK || 3510 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3511 sta->auth_alg == WLAN_AUTH_FILS_PK) && 3512 fils_set_tk(sta->wpa_sm) < 0) { 3513 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed"); 3514 ap_sta_disconnect(hapd, sta, sta->addr, 3515 WLAN_REASON_UNSPECIFIED); 3516 return; 3517 } 3518 #endif /* CONFIG_FILS */ 3519 3520 if (sta->pending_eapol_rx) { 3521 struct os_reltime now, age; 3522 3523 os_get_reltime(&now); 3524 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age); 3525 if (age.sec == 0 && age.usec < 200000) { 3526 wpa_printf(MSG_DEBUG, 3527 "Process pending EAPOL frame that was received from " MACSTR " just before association notification", 3528 MAC2STR(sta->addr)); 3529 ieee802_1x_receive( 3530 hapd, mgmt->da, 3531 wpabuf_head(sta->pending_eapol_rx->buf), 3532 wpabuf_len(sta->pending_eapol_rx->buf)); 3533 } 3534 wpabuf_free(sta->pending_eapol_rx->buf); 3535 os_free(sta->pending_eapol_rx); 3536 sta->pending_eapol_rx = NULL; 3537 } 3538 } 3539 3540 3541 static void handle_deauth_cb(struct hostapd_data *hapd, 3542 const struct ieee80211_mgmt *mgmt, 3543 size_t len, int ok) 3544 { 3545 struct sta_info *sta; 3546 if (is_multicast_ether_addr(mgmt->da)) 3547 return; 3548 sta = ap_get_sta(hapd, mgmt->da); 3549 if (!sta) { 3550 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 3551 " not found", MAC2STR(mgmt->da)); 3552 return; 3553 } 3554 if (ok) 3555 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 3556 MAC2STR(sta->addr)); 3557 else 3558 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 3559 "deauth", MAC2STR(sta->addr)); 3560 3561 ap_sta_deauth_cb(hapd, sta); 3562 } 3563 3564 3565 static void handle_disassoc_cb(struct hostapd_data *hapd, 3566 const struct ieee80211_mgmt *mgmt, 3567 size_t len, int ok) 3568 { 3569 struct sta_info *sta; 3570 if (is_multicast_ether_addr(mgmt->da)) 3571 return; 3572 sta = ap_get_sta(hapd, mgmt->da); 3573 if (!sta) { 3574 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 3575 " not found", MAC2STR(mgmt->da)); 3576 return; 3577 } 3578 if (ok) 3579 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 3580 MAC2STR(sta->addr)); 3581 else 3582 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 3583 "disassoc", MAC2STR(sta->addr)); 3584 3585 ap_sta_disassoc_cb(hapd, sta); 3586 } 3587 3588 3589 static void handle_action_cb(struct hostapd_data *hapd, 3590 const struct ieee80211_mgmt *mgmt, 3591 size_t len, int ok) 3592 { 3593 struct sta_info *sta; 3594 const struct rrm_measurement_report_element *report; 3595 3596 if (is_multicast_ether_addr(mgmt->da)) 3597 return; 3598 sta = ap_get_sta(hapd, mgmt->da); 3599 if (!sta) { 3600 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR 3601 " not found", MAC2STR(mgmt->da)); 3602 return; 3603 } 3604 3605 if (len < 24 + 5 + sizeof(*report)) 3606 return; 3607 report = (const struct rrm_measurement_report_element *) 3608 &mgmt->u.action.u.rrm.variable[2]; 3609 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT && 3610 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST && 3611 report->eid == WLAN_EID_MEASURE_REQUEST && 3612 report->len >= 3 && 3613 report->type == MEASURE_TYPE_BEACON) 3614 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok); 3615 } 3616 3617 3618 /** 3619 * ieee802_11_mgmt_cb - Process management frame TX status callback 3620 * @hapd: hostapd BSS data structure (the BSS from which the management frame 3621 * was sent from) 3622 * @buf: management frame data (starting from IEEE 802.11 header) 3623 * @len: length of frame data in octets 3624 * @stype: management frame subtype from frame control field 3625 * @ok: Whether the frame was ACK'ed 3626 */ 3627 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 3628 u16 stype, int ok) 3629 { 3630 const struct ieee80211_mgmt *mgmt; 3631 mgmt = (const struct ieee80211_mgmt *) buf; 3632 3633 #ifdef CONFIG_TESTING_OPTIONS 3634 if (hapd->ext_mgmt_frame_handling) { 3635 wpa_msg(hapd->msg_ctx, MSG_INFO, "MGMT-TX-STATUS stype=%u ok=%d", 3636 stype, ok); 3637 return; 3638 } 3639 #endif /* CONFIG_TESTING_OPTIONS */ 3640 3641 switch (stype) { 3642 case WLAN_FC_STYPE_AUTH: 3643 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 3644 handle_auth_cb(hapd, mgmt, len, ok); 3645 break; 3646 case WLAN_FC_STYPE_ASSOC_RESP: 3647 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 3648 handle_assoc_cb(hapd, mgmt, len, 0, ok); 3649 break; 3650 case WLAN_FC_STYPE_REASSOC_RESP: 3651 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 3652 handle_assoc_cb(hapd, mgmt, len, 1, ok); 3653 break; 3654 case WLAN_FC_STYPE_PROBE_RESP: 3655 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok); 3656 break; 3657 case WLAN_FC_STYPE_DEAUTH: 3658 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 3659 handle_deauth_cb(hapd, mgmt, len, ok); 3660 break; 3661 case WLAN_FC_STYPE_DISASSOC: 3662 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 3663 handle_disassoc_cb(hapd, mgmt, len, ok); 3664 break; 3665 case WLAN_FC_STYPE_ACTION: 3666 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok); 3667 handle_action_cb(hapd, mgmt, len, ok); 3668 break; 3669 default: 3670 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 3671 break; 3672 } 3673 } 3674 3675 3676 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 3677 { 3678 /* TODO */ 3679 return 0; 3680 } 3681 3682 3683 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 3684 char *buf, size_t buflen) 3685 { 3686 /* TODO */ 3687 return 0; 3688 } 3689 3690 3691 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 3692 const u8 *buf, size_t len, int ack) 3693 { 3694 struct sta_info *sta; 3695 struct hostapd_iface *iface = hapd->iface; 3696 3697 sta = ap_get_sta(hapd, addr); 3698 if (sta == NULL && iface->num_bss > 1) { 3699 size_t j; 3700 for (j = 0; j < iface->num_bss; j++) { 3701 hapd = iface->bss[j]; 3702 sta = ap_get_sta(hapd, addr); 3703 if (sta) 3704 break; 3705 } 3706 } 3707 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 3708 return; 3709 if (sta->flags & WLAN_STA_PENDING_POLL) { 3710 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 3711 "activity poll", MAC2STR(sta->addr), 3712 ack ? "ACKed" : "did not ACK"); 3713 if (ack) 3714 sta->flags &= ~WLAN_STA_PENDING_POLL; 3715 } 3716 3717 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 3718 } 3719 3720 3721 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, 3722 const u8 *data, size_t len, int ack) 3723 { 3724 struct sta_info *sta; 3725 struct hostapd_iface *iface = hapd->iface; 3726 3727 sta = ap_get_sta(hapd, dst); 3728 if (sta == NULL && iface->num_bss > 1) { 3729 size_t j; 3730 for (j = 0; j < iface->num_bss; j++) { 3731 hapd = iface->bss[j]; 3732 sta = ap_get_sta(hapd, dst); 3733 if (sta) 3734 break; 3735 } 3736 } 3737 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) { 3738 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA " 3739 MACSTR " that is not currently associated", 3740 MAC2STR(dst)); 3741 return; 3742 } 3743 3744 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack); 3745 } 3746 3747 3748 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 3749 { 3750 struct sta_info *sta; 3751 struct hostapd_iface *iface = hapd->iface; 3752 3753 sta = ap_get_sta(hapd, addr); 3754 if (sta == NULL && iface->num_bss > 1) { 3755 size_t j; 3756 for (j = 0; j < iface->num_bss; j++) { 3757 hapd = iface->bss[j]; 3758 sta = ap_get_sta(hapd, addr); 3759 if (sta) 3760 break; 3761 } 3762 } 3763 if (sta == NULL) 3764 return; 3765 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR, 3766 MAC2STR(sta->addr)); 3767 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 3768 return; 3769 3770 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 3771 "activity poll", MAC2STR(sta->addr)); 3772 sta->flags &= ~WLAN_STA_PENDING_POLL; 3773 } 3774 3775 3776 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 3777 int wds) 3778 { 3779 struct sta_info *sta; 3780 3781 sta = ap_get_sta(hapd, src); 3782 if (sta && 3783 ((sta->flags & WLAN_STA_ASSOC) || 3784 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) { 3785 if (!hapd->conf->wds_sta) 3786 return; 3787 3788 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) == 3789 WLAN_STA_ASSOC_REQ_OK) { 3790 wpa_printf(MSG_DEBUG, 3791 "Postpone 4-address WDS mode enabling for STA " 3792 MACSTR " since TX status for AssocResp is not yet known", 3793 MAC2STR(sta->addr)); 3794 sta->pending_wds_enable = 1; 3795 return; 3796 } 3797 3798 if (wds && !(sta->flags & WLAN_STA_WDS)) { 3799 int ret; 3800 char ifname_wds[IFNAMSIZ + 1]; 3801 3802 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 3803 "STA " MACSTR " (aid %u)", 3804 MAC2STR(sta->addr), sta->aid); 3805 sta->flags |= WLAN_STA_WDS; 3806 ret = hostapd_set_wds_sta(hapd, ifname_wds, 3807 sta->addr, sta->aid, 1); 3808 if (!ret) 3809 hostapd_set_wds_encryption(hapd, sta, 3810 ifname_wds); 3811 } 3812 return; 3813 } 3814 3815 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 3816 MACSTR, MAC2STR(src)); 3817 if (is_multicast_ether_addr(src)) { 3818 /* Broadcast bit set in SA?! Ignore the frame silently. */ 3819 return; 3820 } 3821 3822 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 3823 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 3824 "already been sent, but no TX status yet known - " 3825 "ignore Class 3 frame issue with " MACSTR, 3826 MAC2STR(src)); 3827 return; 3828 } 3829 3830 if (sta && (sta->flags & WLAN_STA_AUTH)) 3831 hostapd_drv_sta_disassoc( 3832 hapd, src, 3833 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 3834 else 3835 hostapd_drv_sta_deauth( 3836 hapd, src, 3837 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 3838 } 3839 3840 3841 #endif /* CONFIG_NATIVE_WINDOWS */ 3842