1 /* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2017, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #ifndef CONFIG_NATIVE_WINDOWS 12 13 #include "utils/common.h" 14 #include "utils/eloop.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/random.h" 18 #include "common/ieee802_11_defs.h" 19 #include "common/ieee802_11_common.h" 20 #include "common/wpa_ctrl.h" 21 #include "common/sae.h" 22 #include "radius/radius.h" 23 #include "radius/radius_client.h" 24 #include "p2p/p2p.h" 25 #include "wps/wps.h" 26 #include "fst/fst.h" 27 #include "hostapd.h" 28 #include "beacon.h" 29 #include "ieee802_11_auth.h" 30 #include "sta_info.h" 31 #include "ieee802_1x.h" 32 #include "wpa_auth.h" 33 #include "pmksa_cache_auth.h" 34 #include "wmm.h" 35 #include "ap_list.h" 36 #include "accounting.h" 37 #include "ap_config.h" 38 #include "ap_mlme.h" 39 #include "p2p_hostapd.h" 40 #include "ap_drv_ops.h" 41 #include "wnm_ap.h" 42 #include "hw_features.h" 43 #include "ieee802_11.h" 44 #include "dfs.h" 45 #include "mbo_ap.h" 46 #include "rrm.h" 47 #include "taxonomy.h" 48 #include "fils_hlp.h" 49 50 51 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 52 { 53 u8 *pos = eid; 54 int i, num, count; 55 56 if (hapd->iface->current_rates == NULL) 57 return eid; 58 59 *pos++ = WLAN_EID_SUPP_RATES; 60 num = hapd->iface->num_rates; 61 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 62 num++; 63 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 64 num++; 65 if (num > 8) { 66 /* rest of the rates are encoded in Extended supported 67 * rates element */ 68 num = 8; 69 } 70 71 *pos++ = num; 72 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 73 i++) { 74 count++; 75 *pos = hapd->iface->current_rates[i].rate / 5; 76 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 77 *pos |= 0x80; 78 pos++; 79 } 80 81 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 82 count++; 83 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 84 } 85 86 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 87 count++; 88 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 89 } 90 91 return pos; 92 } 93 94 95 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 96 { 97 u8 *pos = eid; 98 int i, num, count; 99 100 if (hapd->iface->current_rates == NULL) 101 return eid; 102 103 num = hapd->iface->num_rates; 104 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 105 num++; 106 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 107 num++; 108 if (num <= 8) 109 return eid; 110 num -= 8; 111 112 *pos++ = WLAN_EID_EXT_SUPP_RATES; 113 *pos++ = num; 114 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 115 i++) { 116 count++; 117 if (count <= 8) 118 continue; /* already in SuppRates IE */ 119 *pos = hapd->iface->current_rates[i].rate / 5; 120 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 121 *pos |= 0x80; 122 pos++; 123 } 124 125 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 126 count++; 127 if (count > 8) 128 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 129 } 130 131 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 132 count++; 133 if (count > 8) 134 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 135 } 136 137 return pos; 138 } 139 140 141 u16 hostapd_own_capab_info(struct hostapd_data *hapd) 142 { 143 int capab = WLAN_CAPABILITY_ESS; 144 int privacy; 145 int dfs; 146 int i; 147 148 /* Check if any of configured channels require DFS */ 149 dfs = hostapd_is_dfs_required(hapd->iface); 150 if (dfs < 0) { 151 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 152 dfs); 153 dfs = 0; 154 } 155 156 if (hapd->iface->num_sta_no_short_preamble == 0 && 157 hapd->iconf->preamble == SHORT_PREAMBLE) 158 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 159 160 privacy = hapd->conf->ssid.wep.keys_set; 161 162 if (hapd->conf->ieee802_1x && 163 (hapd->conf->default_wep_key_len || 164 hapd->conf->individual_wep_key_len)) 165 privacy = 1; 166 167 if (hapd->conf->wpa) 168 privacy = 1; 169 170 #ifdef CONFIG_HS20 171 if (hapd->conf->osen) 172 privacy = 1; 173 #endif /* CONFIG_HS20 */ 174 175 if (privacy) 176 capab |= WLAN_CAPABILITY_PRIVACY; 177 178 if (hapd->iface->current_mode && 179 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 180 hapd->iface->num_sta_no_short_slot_time == 0) 181 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 182 183 /* 184 * Currently, Spectrum Management capability bit is set when directly 185 * requested in configuration by spectrum_mgmt_required or when AP is 186 * running on DFS channel. 187 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 188 */ 189 if (hapd->iface->current_mode && 190 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 191 (hapd->iconf->spectrum_mgmt_required || dfs)) 192 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 193 194 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) { 195 if (hapd->conf->radio_measurements[i]) { 196 capab |= IEEE80211_CAP_RRM; 197 break; 198 } 199 } 200 201 return capab; 202 } 203 204 205 #ifndef CONFIG_NO_RC4 206 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 207 u16 auth_transaction, const u8 *challenge, 208 int iswep) 209 { 210 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 211 HOSTAPD_LEVEL_DEBUG, 212 "authentication (shared key, transaction %d)", 213 auth_transaction); 214 215 if (auth_transaction == 1) { 216 if (!sta->challenge) { 217 /* Generate a pseudo-random challenge */ 218 u8 key[8]; 219 220 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 221 if (sta->challenge == NULL) 222 return WLAN_STATUS_UNSPECIFIED_FAILURE; 223 224 if (os_get_random(key, sizeof(key)) < 0) { 225 os_free(sta->challenge); 226 sta->challenge = NULL; 227 return WLAN_STATUS_UNSPECIFIED_FAILURE; 228 } 229 230 rc4_skip(key, sizeof(key), 0, 231 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 232 } 233 return 0; 234 } 235 236 if (auth_transaction != 3) 237 return WLAN_STATUS_UNSPECIFIED_FAILURE; 238 239 /* Transaction 3 */ 240 if (!iswep || !sta->challenge || !challenge || 241 os_memcmp_const(sta->challenge, challenge, 242 WLAN_AUTH_CHALLENGE_LEN)) { 243 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 244 HOSTAPD_LEVEL_INFO, 245 "shared key authentication - invalid " 246 "challenge-response"); 247 return WLAN_STATUS_CHALLENGE_FAIL; 248 } 249 250 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 251 HOSTAPD_LEVEL_DEBUG, 252 "authentication OK (shared key)"); 253 sta->flags |= WLAN_STA_AUTH; 254 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 255 os_free(sta->challenge); 256 sta->challenge = NULL; 257 258 return 0; 259 } 260 #endif /* CONFIG_NO_RC4 */ 261 262 263 static int send_auth_reply(struct hostapd_data *hapd, 264 const u8 *dst, const u8 *bssid, 265 u16 auth_alg, u16 auth_transaction, u16 resp, 266 const u8 *ies, size_t ies_len) 267 { 268 struct ieee80211_mgmt *reply; 269 u8 *buf; 270 size_t rlen; 271 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE; 272 273 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 274 buf = os_zalloc(rlen); 275 if (buf == NULL) 276 return -1; 277 278 reply = (struct ieee80211_mgmt *) buf; 279 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 280 WLAN_FC_STYPE_AUTH); 281 os_memcpy(reply->da, dst, ETH_ALEN); 282 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 283 os_memcpy(reply->bssid, bssid, ETH_ALEN); 284 285 reply->u.auth.auth_alg = host_to_le16(auth_alg); 286 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 287 reply->u.auth.status_code = host_to_le16(resp); 288 289 if (ies && ies_len) 290 os_memcpy(reply->u.auth.variable, ies, ies_len); 291 292 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 293 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)", 294 MAC2STR(dst), auth_alg, auth_transaction, 295 resp, (unsigned long) ies_len); 296 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) 297 wpa_printf(MSG_INFO, "send_auth_reply: send failed"); 298 else 299 reply_res = WLAN_STATUS_SUCCESS; 300 301 os_free(buf); 302 303 return reply_res; 304 } 305 306 307 #ifdef CONFIG_IEEE80211R_AP 308 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, 309 u16 auth_transaction, u16 status, 310 const u8 *ies, size_t ies_len) 311 { 312 struct hostapd_data *hapd = ctx; 313 struct sta_info *sta; 314 int reply_res; 315 316 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, 317 auth_transaction, status, ies, ies_len); 318 319 sta = ap_get_sta(hapd, dst); 320 if (sta == NULL) 321 return; 322 323 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS || 324 status != WLAN_STATUS_SUCCESS)) { 325 hostapd_drv_sta_remove(hapd, sta->addr); 326 sta->added_unassoc = 0; 327 return; 328 } 329 330 if (status != WLAN_STATUS_SUCCESS) 331 return; 332 333 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 334 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 335 sta->flags |= WLAN_STA_AUTH; 336 mlme_authenticate_indication(hapd, sta); 337 } 338 #endif /* CONFIG_IEEE80211R_AP */ 339 340 341 #ifdef CONFIG_SAE 342 343 #define dot11RSNASAESync 5 /* attempts */ 344 345 346 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 347 struct sta_info *sta, int update) 348 { 349 struct wpabuf *buf; 350 351 if (hapd->conf->ssid.wpa_passphrase == NULL) { 352 wpa_printf(MSG_DEBUG, "SAE: No password available"); 353 return NULL; 354 } 355 356 if (update && 357 sae_prepare_commit(hapd->own_addr, sta->addr, 358 (u8 *) hapd->conf->ssid.wpa_passphrase, 359 os_strlen(hapd->conf->ssid.wpa_passphrase), 360 sta->sae) < 0) { 361 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 362 return NULL; 363 } 364 365 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN); 366 if (buf == NULL) 367 return NULL; 368 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 369 sta->sae->tmp->anti_clogging_token : NULL); 370 371 return buf; 372 } 373 374 375 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 376 struct sta_info *sta) 377 { 378 struct wpabuf *buf; 379 380 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 381 if (buf == NULL) 382 return NULL; 383 384 sae_write_confirm(sta->sae, buf); 385 386 return buf; 387 } 388 389 390 static int auth_sae_send_commit(struct hostapd_data *hapd, 391 struct sta_info *sta, 392 const u8 *bssid, int update) 393 { 394 struct wpabuf *data; 395 int reply_res; 396 397 data = auth_build_sae_commit(hapd, sta, update); 398 if (data == NULL) 399 return WLAN_STATUS_UNSPECIFIED_FAILURE; 400 401 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1, 402 WLAN_STATUS_SUCCESS, wpabuf_head(data), 403 wpabuf_len(data)); 404 405 wpabuf_free(data); 406 407 return reply_res; 408 } 409 410 411 static int auth_sae_send_confirm(struct hostapd_data *hapd, 412 struct sta_info *sta, 413 const u8 *bssid) 414 { 415 struct wpabuf *data; 416 int reply_res; 417 418 data = auth_build_sae_confirm(hapd, sta); 419 if (data == NULL) 420 return WLAN_STATUS_UNSPECIFIED_FAILURE; 421 422 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2, 423 WLAN_STATUS_SUCCESS, wpabuf_head(data), 424 wpabuf_len(data)); 425 426 wpabuf_free(data); 427 428 return reply_res; 429 } 430 431 432 static int use_sae_anti_clogging(struct hostapd_data *hapd) 433 { 434 struct sta_info *sta; 435 unsigned int open = 0; 436 437 if (hapd->conf->sae_anti_clogging_threshold == 0) 438 return 1; 439 440 for (sta = hapd->sta_list; sta; sta = sta->next) { 441 if (!sta->sae) 442 continue; 443 if (sta->sae->state != SAE_COMMITTED && 444 sta->sae->state != SAE_CONFIRMED) 445 continue; 446 open++; 447 if (open >= hapd->conf->sae_anti_clogging_threshold) 448 return 1; 449 } 450 451 return 0; 452 } 453 454 455 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, 456 const u8 *token, size_t token_len) 457 { 458 u8 mac[SHA256_MAC_LEN]; 459 460 if (token_len != SHA256_MAC_LEN) 461 return -1; 462 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 463 addr, ETH_ALEN, mac) < 0 || 464 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0) 465 return -1; 466 467 return 0; 468 } 469 470 471 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, 472 int group, const u8 *addr) 473 { 474 struct wpabuf *buf; 475 u8 *token; 476 struct os_reltime now; 477 478 os_get_reltime(&now); 479 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || 480 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) { 481 if (random_get_bytes(hapd->sae_token_key, 482 sizeof(hapd->sae_token_key)) < 0) 483 return NULL; 484 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", 485 hapd->sae_token_key, sizeof(hapd->sae_token_key)); 486 hapd->last_sae_token_key_update = now; 487 } 488 489 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 490 if (buf == NULL) 491 return NULL; 492 493 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ 494 495 token = wpabuf_put(buf, SHA256_MAC_LEN); 496 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 497 addr, ETH_ALEN, token); 498 499 return buf; 500 } 501 502 503 static int sae_check_big_sync(struct sta_info *sta) 504 { 505 if (sta->sae->sync > dot11RSNASAESync) { 506 sta->sae->state = SAE_NOTHING; 507 sta->sae->sync = 0; 508 return -1; 509 } 510 return 0; 511 } 512 513 514 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 515 { 516 struct hostapd_data *hapd = eloop_ctx; 517 struct sta_info *sta = eloop_data; 518 int ret; 519 520 if (sae_check_big_sync(sta)) 521 return; 522 sta->sae->sync++; 523 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR 524 " (sync=%d state=%d)", 525 MAC2STR(sta->addr), sta->sae->sync, sta->sae->state); 526 527 switch (sta->sae->state) { 528 case SAE_COMMITTED: 529 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 530 eloop_register_timeout(0, 531 hapd->dot11RSNASAERetransPeriod * 1000, 532 auth_sae_retransmit_timer, hapd, sta); 533 break; 534 case SAE_CONFIRMED: 535 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr); 536 eloop_register_timeout(0, 537 hapd->dot11RSNASAERetransPeriod * 1000, 538 auth_sae_retransmit_timer, hapd, sta); 539 break; 540 default: 541 ret = -1; 542 break; 543 } 544 545 if (ret != WLAN_STATUS_SUCCESS) 546 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 547 } 548 549 550 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 551 { 552 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 553 } 554 555 556 static void sae_set_retransmit_timer(struct hostapd_data *hapd, 557 struct sta_info *sta) 558 { 559 if (!(hapd->conf->mesh & MESH_ENABLED)) 560 return; 561 562 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 563 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000, 564 auth_sae_retransmit_timer, hapd, sta); 565 } 566 567 568 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) 569 { 570 sta->flags |= WLAN_STA_AUTH; 571 sta->auth_alg = WLAN_AUTH_SAE; 572 mlme_authenticate_indication(hapd, sta); 573 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 574 sta->sae->state = SAE_ACCEPTED; 575 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 576 sta->sae->pmk, sta->sae->pmkid); 577 } 578 579 580 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 581 const u8 *bssid, u8 auth_transaction) 582 { 583 int ret; 584 585 if (auth_transaction != 1 && auth_transaction != 2) 586 return WLAN_STATUS_UNSPECIFIED_FAILURE; 587 588 switch (sta->sae->state) { 589 case SAE_NOTHING: 590 if (auth_transaction == 1) { 591 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 592 if (ret) 593 return ret; 594 sta->sae->state = SAE_COMMITTED; 595 596 if (sae_process_commit(sta->sae) < 0) 597 return WLAN_STATUS_UNSPECIFIED_FAILURE; 598 599 /* 600 * In mesh case, both Commit and Confirm can be sent 601 * immediately. In infrastructure BSS, only a single 602 * Authentication frame (Commit) is expected from the AP 603 * here and the second one (Confirm) will be sent once 604 * the STA has sent its second Authentication frame 605 * (Confirm). 606 */ 607 if (hapd->conf->mesh & MESH_ENABLED) { 608 /* 609 * Send both Commit and Confirm immediately 610 * based on SAE finite state machine 611 * Nothing -> Confirm transition. 612 */ 613 ret = auth_sae_send_confirm(hapd, sta, bssid); 614 if (ret) 615 return ret; 616 sta->sae->state = SAE_CONFIRMED; 617 } else { 618 /* 619 * For infrastructure BSS, send only the Commit 620 * message now to get alternating sequence of 621 * Authentication frames between the AP and STA. 622 * Confirm will be sent in 623 * Committed -> Confirmed/Accepted transition 624 * when receiving Confirm from STA. 625 */ 626 } 627 sta->sae->sync = 0; 628 sae_set_retransmit_timer(hapd, sta); 629 } else { 630 hostapd_logger(hapd, sta->addr, 631 HOSTAPD_MODULE_IEEE80211, 632 HOSTAPD_LEVEL_DEBUG, 633 "SAE confirm before commit"); 634 } 635 break; 636 case SAE_COMMITTED: 637 sae_clear_retransmit_timer(hapd, sta); 638 if (auth_transaction == 1) { 639 if (sae_process_commit(sta->sae) < 0) 640 return WLAN_STATUS_UNSPECIFIED_FAILURE; 641 642 ret = auth_sae_send_confirm(hapd, sta, bssid); 643 if (ret) 644 return ret; 645 sta->sae->state = SAE_CONFIRMED; 646 sta->sae->sync = 0; 647 sae_set_retransmit_timer(hapd, sta); 648 } else if (hapd->conf->mesh & MESH_ENABLED) { 649 /* 650 * In mesh case, follow SAE finite state machine and 651 * send Commit now, if sync count allows. 652 */ 653 if (sae_check_big_sync(sta)) 654 return WLAN_STATUS_SUCCESS; 655 sta->sae->sync++; 656 657 ret = auth_sae_send_commit(hapd, sta, bssid, 0); 658 if (ret) 659 return ret; 660 661 sae_set_retransmit_timer(hapd, sta); 662 } else { 663 /* 664 * For instructure BSS, send the postponed Confirm from 665 * Nothing -> Confirmed transition that was reduced to 666 * Nothing -> Committed above. 667 */ 668 ret = auth_sae_send_confirm(hapd, sta, bssid); 669 if (ret) 670 return ret; 671 672 sta->sae->state = SAE_CONFIRMED; 673 674 /* 675 * Since this was triggered on Confirm RX, run another 676 * step to get to Accepted without waiting for 677 * additional events. 678 */ 679 return sae_sm_step(hapd, sta, bssid, auth_transaction); 680 } 681 break; 682 case SAE_CONFIRMED: 683 sae_clear_retransmit_timer(hapd, sta); 684 if (auth_transaction == 1) { 685 if (sae_check_big_sync(sta)) 686 return WLAN_STATUS_SUCCESS; 687 sta->sae->sync++; 688 689 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 690 if (ret) 691 return ret; 692 693 if (sae_process_commit(sta->sae) < 0) 694 return WLAN_STATUS_UNSPECIFIED_FAILURE; 695 696 ret = auth_sae_send_confirm(hapd, sta, bssid); 697 if (ret) 698 return ret; 699 700 sae_set_retransmit_timer(hapd, sta); 701 } else { 702 sae_accept_sta(hapd, sta); 703 } 704 break; 705 case SAE_ACCEPTED: 706 if (auth_transaction == 1) { 707 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 708 ") doing reauthentication", 709 MAC2STR(sta->addr)); 710 ap_free_sta(hapd, sta); 711 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 712 } else { 713 if (sae_check_big_sync(sta)) 714 return WLAN_STATUS_SUCCESS; 715 sta->sae->sync++; 716 717 ret = auth_sae_send_confirm(hapd, sta, bssid); 718 sae_clear_temp_data(sta->sae); 719 if (ret) 720 return ret; 721 } 722 break; 723 default: 724 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 725 sta->sae->state); 726 return WLAN_STATUS_UNSPECIFIED_FAILURE; 727 } 728 return WLAN_STATUS_SUCCESS; 729 } 730 731 732 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta) 733 { 734 struct sae_data *sae = sta->sae; 735 int i, *groups = hapd->conf->sae_groups; 736 737 if (sae->state != SAE_COMMITTED) 738 return; 739 740 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group); 741 742 for (i = 0; groups && groups[i] > 0; i++) { 743 if (sae->group == groups[i]) 744 break; 745 } 746 747 if (!groups || groups[i] <= 0) { 748 wpa_printf(MSG_DEBUG, 749 "SAE: Previously selected group not found from the current configuration"); 750 return; 751 } 752 753 for (;;) { 754 i++; 755 if (groups[i] <= 0) { 756 wpa_printf(MSG_DEBUG, 757 "SAE: No alternative group enabled"); 758 return; 759 } 760 761 if (sae_set_group(sae, groups[i]) < 0) 762 continue; 763 764 break; 765 } 766 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]); 767 } 768 769 770 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 771 const struct ieee80211_mgmt *mgmt, size_t len, 772 u16 auth_transaction, u16 status_code) 773 { 774 int resp = WLAN_STATUS_SUCCESS; 775 struct wpabuf *data = NULL; 776 777 if (!sta->sae) { 778 if (auth_transaction != 1 || 779 status_code != WLAN_STATUS_SUCCESS) { 780 resp = -1; 781 goto remove_sta; 782 } 783 sta->sae = os_zalloc(sizeof(*sta->sae)); 784 if (!sta->sae) { 785 resp = -1; 786 goto remove_sta; 787 } 788 sta->sae->state = SAE_NOTHING; 789 sta->sae->sync = 0; 790 } 791 792 if (sta->mesh_sae_pmksa_caching) { 793 wpa_printf(MSG_DEBUG, 794 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication"); 795 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr); 796 sta->mesh_sae_pmksa_caching = 0; 797 } 798 799 if (auth_transaction == 1) { 800 const u8 *token = NULL, *pos, *end; 801 size_t token_len = 0; 802 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 803 HOSTAPD_LEVEL_DEBUG, 804 "start SAE authentication (RX commit, status=%u)", 805 status_code); 806 807 if ((hapd->conf->mesh & MESH_ENABLED) && 808 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 809 sta->sae->tmp) { 810 pos = mgmt->u.auth.variable; 811 end = ((const u8 *) mgmt) + len; 812 if (pos + sizeof(le16) > end) { 813 wpa_printf(MSG_ERROR, 814 "SAE: Too short anti-clogging token request"); 815 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 816 goto reply; 817 } 818 resp = sae_group_allowed(sta->sae, 819 hapd->conf->sae_groups, 820 WPA_GET_LE16(pos)); 821 if (resp != WLAN_STATUS_SUCCESS) { 822 wpa_printf(MSG_ERROR, 823 "SAE: Invalid group in anti-clogging token request"); 824 goto reply; 825 } 826 pos += sizeof(le16); 827 828 wpabuf_free(sta->sae->tmp->anti_clogging_token); 829 sta->sae->tmp->anti_clogging_token = 830 wpabuf_alloc_copy(pos, end - pos); 831 if (sta->sae->tmp->anti_clogging_token == NULL) { 832 wpa_printf(MSG_ERROR, 833 "SAE: Failed to alloc for anti-clogging token"); 834 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 835 goto remove_sta; 836 } 837 838 /* 839 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 840 * is 76, a new Commit Message shall be constructed 841 * with the Anti-Clogging Token from the received 842 * Authentication frame, and the commit-scalar and 843 * COMMIT-ELEMENT previously sent. 844 */ 845 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0); 846 if (resp != WLAN_STATUS_SUCCESS) { 847 wpa_printf(MSG_ERROR, 848 "SAE: Failed to send commit message"); 849 goto remove_sta; 850 } 851 sta->sae->state = SAE_COMMITTED; 852 sta->sae->sync = 0; 853 sae_set_retransmit_timer(hapd, sta); 854 return; 855 } 856 857 if ((hapd->conf->mesh & MESH_ENABLED) && 858 status_code == 859 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 860 sta->sae->tmp) { 861 wpa_printf(MSG_DEBUG, 862 "SAE: Peer did not accept our SAE group"); 863 sae_pick_next_group(hapd, sta); 864 goto remove_sta; 865 } 866 867 if (status_code != WLAN_STATUS_SUCCESS) 868 goto remove_sta; 869 870 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 871 ((const u8 *) mgmt) + len - 872 mgmt->u.auth.variable, &token, 873 &token_len, hapd->conf->sae_groups); 874 if (resp == SAE_SILENTLY_DISCARD) { 875 wpa_printf(MSG_DEBUG, 876 "SAE: Drop commit message from " MACSTR " due to reflection attack", 877 MAC2STR(sta->addr)); 878 goto remove_sta; 879 } 880 if (token && check_sae_token(hapd, sta->addr, token, token_len) 881 < 0) { 882 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 883 "incorrect token from " MACSTR, 884 MAC2STR(sta->addr)); 885 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 886 goto remove_sta; 887 } 888 889 if (resp != WLAN_STATUS_SUCCESS) 890 goto reply; 891 892 if (!token && use_sae_anti_clogging(hapd)) { 893 wpa_printf(MSG_DEBUG, 894 "SAE: Request anti-clogging token from " 895 MACSTR, MAC2STR(sta->addr)); 896 data = auth_build_token_req(hapd, sta->sae->group, 897 sta->addr); 898 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 899 if (hapd->conf->mesh & MESH_ENABLED) 900 sta->sae->state = SAE_NOTHING; 901 goto reply; 902 } 903 904 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 905 } else if (auth_transaction == 2) { 906 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 907 HOSTAPD_LEVEL_DEBUG, 908 "SAE authentication (RX confirm, status=%u)", 909 status_code); 910 if (status_code != WLAN_STATUS_SUCCESS) 911 goto remove_sta; 912 if (sta->sae->state >= SAE_CONFIRMED || 913 !(hapd->conf->mesh & MESH_ENABLED)) { 914 if (sae_check_confirm(sta->sae, mgmt->u.auth.variable, 915 ((u8 *) mgmt) + len - 916 mgmt->u.auth.variable) < 0) { 917 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 918 goto reply; 919 } 920 } 921 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 922 } else { 923 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 924 HOSTAPD_LEVEL_DEBUG, 925 "unexpected SAE authentication transaction %u (status=%u)", 926 auth_transaction, status_code); 927 if (status_code != WLAN_STATUS_SUCCESS) 928 goto remove_sta; 929 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 930 } 931 932 reply: 933 if (resp != WLAN_STATUS_SUCCESS) { 934 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 935 auth_transaction, resp, 936 data ? wpabuf_head(data) : (u8 *) "", 937 data ? wpabuf_len(data) : 0); 938 } 939 940 remove_sta: 941 if (sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 942 status_code != WLAN_STATUS_SUCCESS)) { 943 hostapd_drv_sta_remove(hapd, sta->addr); 944 sta->added_unassoc = 0; 945 } 946 wpabuf_free(data); 947 } 948 949 950 /** 951 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 952 * @hapd: BSS data for the device initiating the authentication 953 * @sta: the peer to which commit authentication frame is sent 954 * 955 * This function implements Init event handling (IEEE Std 802.11-2012, 956 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 957 * sta->sae structure should be initialized appropriately via a call to 958 * sae_prepare_commit(). 959 */ 960 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 961 { 962 int ret; 963 964 if (!sta->sae || !sta->sae->tmp) 965 return -1; 966 967 if (sta->sae->state != SAE_NOTHING) 968 return -1; 969 970 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 971 if (ret) 972 return -1; 973 974 sta->sae->state = SAE_COMMITTED; 975 sta->sae->sync = 0; 976 sae_set_retransmit_timer(hapd, sta); 977 978 return 0; 979 } 980 981 #endif /* CONFIG_SAE */ 982 983 984 static u16 wpa_res_to_status_code(int res) 985 { 986 if (res == WPA_INVALID_GROUP) 987 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 988 if (res == WPA_INVALID_PAIRWISE) 989 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 990 if (res == WPA_INVALID_AKMP) 991 return WLAN_STATUS_AKMP_NOT_VALID; 992 if (res == WPA_ALLOC_FAIL) 993 return WLAN_STATUS_UNSPECIFIED_FAILURE; 994 #ifdef CONFIG_IEEE80211W 995 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION) 996 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 997 if (res == WPA_INVALID_MGMT_GROUP_CIPHER) 998 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 999 #endif /* CONFIG_IEEE80211W */ 1000 if (res == WPA_INVALID_MDIE) 1001 return WLAN_STATUS_INVALID_MDIE; 1002 if (res != WPA_IE_OK) 1003 return WLAN_STATUS_INVALID_IE; 1004 return WLAN_STATUS_SUCCESS; 1005 } 1006 1007 1008 #ifdef CONFIG_FILS 1009 1010 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1011 struct sta_info *sta, u16 resp, 1012 struct rsn_pmksa_cache_entry *pmksa, 1013 struct wpabuf *erp_resp, 1014 const u8 *msk, size_t msk_len); 1015 1016 static void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, 1017 const struct ieee80211_mgmt *mgmt, size_t len, 1018 u16 auth_transaction, u16 status_code) 1019 { 1020 u16 resp = WLAN_STATUS_SUCCESS; 1021 const u8 *pos, *end; 1022 struct ieee802_11_elems elems; 1023 int res; 1024 struct wpa_ie_data rsn; 1025 struct rsn_pmksa_cache_entry *pmksa = NULL; 1026 1027 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 1028 return; 1029 1030 pos = mgmt->u.auth.variable; 1031 end = ((const u8 *) mgmt) + len; 1032 1033 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 1034 pos, end - pos); 1035 1036 /* TODO: Finite Cyclic Group when using PK or PFS */ 1037 /* TODO: Element when using PK or PFS */ 1038 1039 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 1040 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 1041 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 1042 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1043 goto fail; 1044 } 1045 1046 /* RSNE */ 1047 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", 1048 elems.rsn_ie, elems.rsn_ie_len); 1049 if (!elems.rsn_ie || 1050 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1051 &rsn) < 0) { 1052 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element"); 1053 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1054 goto fail; 1055 } 1056 1057 if (!sta->wpa_sm) 1058 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr, 1059 NULL); 1060 if (!sta->wpa_sm) { 1061 wpa_printf(MSG_DEBUG, 1062 "FILS: Failed to initialize RSN state machine"); 1063 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1064 goto fail; 1065 } 1066 1067 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1068 elems.rsn_ie - 2, elems.rsn_ie_len + 2, 1069 elems.mdie, elems.mdie_len); 1070 resp = wpa_res_to_status_code(res); 1071 if (resp != WLAN_STATUS_SUCCESS) 1072 goto fail; 1073 1074 /* TODO: MDE when using FILS+FT */ 1075 /* TODO: FTE when using FILS+FT */ 1076 1077 if (!elems.fils_nonce) { 1078 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 1079 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1080 goto fail; 1081 } 1082 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce, 1083 FILS_NONCE_LEN); 1084 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN); 1085 1086 /* PMKID List */ 1087 if (rsn.pmkid && rsn.num_pmkid > 0) { 1088 u8 num; 1089 const u8 *pmkid; 1090 1091 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 1092 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 1093 1094 pmkid = rsn.pmkid; 1095 num = rsn.num_pmkid; 1096 while (num) { 1097 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN); 1098 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, 1099 pmkid); 1100 if (pmksa) 1101 break; 1102 pmkid += PMKID_LEN; 1103 num--; 1104 } 1105 } 1106 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) { 1107 wpa_printf(MSG_DEBUG, 1108 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore", 1109 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp); 1110 pmksa = NULL; 1111 } 1112 if (pmksa) 1113 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry"); 1114 1115 /* FILS Session */ 1116 if (!elems.fils_session) { 1117 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 1118 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1119 goto fail; 1120 } 1121 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 1122 FILS_SESSION_LEN); 1123 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN); 1124 1125 /* FILS Wrapped Data */ 1126 if (elems.fils_wrapped_data) { 1127 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 1128 elems.fils_wrapped_data, 1129 elems.fils_wrapped_data_len); 1130 if (!pmksa) { 1131 #ifndef CONFIG_NO_RADIUS 1132 if (!sta->eapol_sm) { 1133 sta->eapol_sm = 1134 ieee802_1x_alloc_eapol_sm(hapd, sta); 1135 } 1136 wpa_printf(MSG_DEBUG, 1137 "FILS: Forward EAP-Identity/Re-auth Start to authentication server"); 1138 ieee802_1x_encapsulate_radius( 1139 hapd, sta, elems.fils_wrapped_data, 1140 elems.fils_wrapped_data_len); 1141 wpa_printf(MSG_DEBUG, 1142 "FILS: Will send Authentication frame once the response from authentication server is available"); 1143 sta->flags |= WLAN_STA_PENDING_FILS_ERP; 1144 return; 1145 #else /* CONFIG_NO_RADIUS */ 1146 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1147 goto fail; 1148 #endif /* CONFIG_NO_RADIUS */ 1149 } 1150 } 1151 1152 fail: 1153 handle_auth_fils_finish(hapd, sta, resp, pmksa, NULL, NULL, 0); 1154 } 1155 1156 1157 static void handle_auth_fils_finish(struct hostapd_data *hapd, 1158 struct sta_info *sta, u16 resp, 1159 struct rsn_pmksa_cache_entry *pmksa, 1160 struct wpabuf *erp_resp, 1161 const u8 *msk, size_t msk_len) 1162 { 1163 u8 fils_nonce[FILS_NONCE_LEN]; 1164 size_t ielen; 1165 struct wpabuf *data = NULL; 1166 const u8 *ie; 1167 u8 *ie_buf = NULL; 1168 const u8 *pmk = NULL; 1169 size_t pmk_len = 0; 1170 u8 pmk_buf[PMK_LEN_MAX]; 1171 1172 if (resp != WLAN_STATUS_SUCCESS) 1173 goto fail; 1174 1175 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen); 1176 if (!ie) { 1177 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1178 goto fail; 1179 } 1180 if (pmksa) { 1181 /* Add PMKID of the selected PMKSA into RSNE */ 1182 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN); 1183 if (!ie_buf) { 1184 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1185 goto fail; 1186 } 1187 os_memcpy(ie_buf, ie, ielen); 1188 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) { 1189 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1190 goto fail; 1191 } 1192 ie = ie_buf; 1193 } 1194 1195 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) { 1196 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1197 goto fail; 1198 } 1199 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce", 1200 fils_nonce, FILS_NONCE_LEN); 1201 1202 data = wpabuf_alloc(1000 + ielen); 1203 if (!data) { 1204 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1205 goto fail; 1206 } 1207 1208 /* TODO: Finite Cyclic Group when using PK or PFS */ 1209 /* TODO: Element when using PK or PFS */ 1210 1211 /* RSNE */ 1212 wpabuf_put_data(data, ie, ielen); 1213 1214 /* TODO: MDE when using FILS+FT */ 1215 /* TODO: FTE when using FILS+FT */ 1216 1217 /* FILS Nonce */ 1218 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1219 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */ 1220 /* Element ID Extension */ 1221 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE); 1222 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN); 1223 1224 /* FILS Session */ 1225 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1226 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */ 1227 /* Element ID Extension */ 1228 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION); 1229 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN); 1230 1231 /* FILS Wrapped Data */ 1232 if (!pmksa && erp_resp) { 1233 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */ 1234 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */ 1235 /* Element ID Extension */ 1236 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA); 1237 wpabuf_put_buf(data, erp_resp); 1238 1239 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm), 1240 msk, msk_len, sta->fils_snonce, fils_nonce, 1241 NULL, 0, pmk_buf, &pmk_len)) { 1242 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK"); 1243 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1244 wpabuf_free(data); 1245 data = NULL; 1246 goto fail; 1247 } 1248 pmk = pmk_buf; 1249 } else if (pmksa) { 1250 pmk = pmksa->pmk; 1251 pmk_len = pmksa->pmk_len; 1252 } 1253 1254 if (!pmk) { 1255 wpa_printf(MSG_DEBUG, "FILS: No PMK available"); 1256 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1257 wpabuf_free(data); 1258 data = NULL; 1259 goto fail; 1260 } 1261 1262 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len, 1263 sta->fils_snonce, fils_nonce) < 0) { 1264 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1265 wpabuf_free(data); 1266 data = NULL; 1267 goto fail; 1268 } 1269 1270 fail: 1271 send_auth_reply(hapd, sta->addr, hapd->own_addr, WLAN_AUTH_FILS_SK, 2, 1272 resp, 1273 data ? wpabuf_head(data) : (u8 *) "", 1274 data ? wpabuf_len(data) : 0); 1275 wpabuf_free(data); 1276 1277 if (resp == WLAN_STATUS_SUCCESS) { 1278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1279 HOSTAPD_LEVEL_DEBUG, 1280 "authentication OK (FILS)"); 1281 sta->flags |= WLAN_STA_AUTH; 1282 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1283 sta->auth_alg = WLAN_AUTH_FILS_SK; 1284 mlme_authenticate_indication(hapd, sta); 1285 } 1286 1287 os_free(ie_buf); 1288 } 1289 1290 1291 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, 1292 struct sta_info *sta, int success, 1293 struct wpabuf *erp_resp, 1294 const u8 *msk, size_t msk_len) 1295 { 1296 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1297 handle_auth_fils_finish(hapd, sta, success ? WLAN_STATUS_SUCCESS : 1298 WLAN_STATUS_UNSPECIFIED_FAILURE, NULL, 1299 erp_resp, msk, msk_len); 1300 } 1301 1302 #endif /* CONFIG_FILS */ 1303 1304 1305 static int 1306 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, 1307 const u8 *msg, size_t len, u32 *session_timeout, 1308 u32 *acct_interim_interval, 1309 struct vlan_description *vlan_id, 1310 struct hostapd_sta_wpa_psk_short **psk, 1311 char **identity, char **radius_cui) 1312 { 1313 int res; 1314 1315 os_memset(vlan_id, 0, sizeof(*vlan_id)); 1316 res = hostapd_allowed_address(hapd, addr, msg, len, 1317 session_timeout, acct_interim_interval, 1318 vlan_id, psk, identity, radius_cui); 1319 1320 if (res == HOSTAPD_ACL_REJECT) { 1321 wpa_printf(MSG_INFO, 1322 "Station " MACSTR " not allowed to authenticate", 1323 MAC2STR(addr)); 1324 return HOSTAPD_ACL_REJECT; 1325 } 1326 1327 if (res == HOSTAPD_ACL_PENDING) { 1328 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 1329 " waiting for an external authentication", 1330 MAC2STR(addr)); 1331 /* Authentication code will re-send the authentication frame 1332 * after it has received (and cached) information from the 1333 * external source. */ 1334 return HOSTAPD_ACL_PENDING; 1335 } 1336 1337 return res; 1338 } 1339 1340 1341 static int 1342 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, 1343 int res, u32 session_timeout, 1344 u32 acct_interim_interval, 1345 struct vlan_description *vlan_id, 1346 struct hostapd_sta_wpa_psk_short **psk, 1347 char **identity, char **radius_cui) 1348 { 1349 if (vlan_id->notempty && 1350 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) { 1351 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1352 HOSTAPD_LEVEL_INFO, 1353 "Invalid VLAN %d%s received from RADIUS server", 1354 vlan_id->untagged, 1355 vlan_id->tagged[0] ? "+" : ""); 1356 return -1; 1357 } 1358 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) 1359 return -1; 1360 if (sta->vlan_id) 1361 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1362 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 1363 1364 hostapd_free_psk_list(sta->psk); 1365 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) { 1366 sta->psk = *psk; 1367 *psk = NULL; 1368 } else { 1369 sta->psk = NULL; 1370 } 1371 1372 sta->identity = *identity; 1373 *identity = NULL; 1374 sta->radius_cui = *radius_cui; 1375 *radius_cui = NULL; 1376 1377 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 1378 sta->acct_interim_interval = acct_interim_interval; 1379 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) 1380 ap_sta_session_timeout(hapd, sta, session_timeout); 1381 else 1382 ap_sta_no_session_timeout(hapd, sta); 1383 1384 return 0; 1385 } 1386 1387 1388 static void handle_auth(struct hostapd_data *hapd, 1389 const struct ieee80211_mgmt *mgmt, size_t len) 1390 { 1391 u16 auth_alg, auth_transaction, status_code; 1392 u16 resp = WLAN_STATUS_SUCCESS; 1393 struct sta_info *sta = NULL; 1394 int res, reply_res; 1395 u16 fc; 1396 const u8 *challenge = NULL; 1397 u32 session_timeout, acct_interim_interval; 1398 struct vlan_description vlan_id; 1399 struct hostapd_sta_wpa_psk_short *psk = NULL; 1400 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 1401 size_t resp_ies_len = 0; 1402 char *identity = NULL; 1403 char *radius_cui = NULL; 1404 u16 seq_ctrl; 1405 1406 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 1407 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 1408 (unsigned long) len); 1409 return; 1410 } 1411 1412 #ifdef CONFIG_TESTING_OPTIONS 1413 if (hapd->iconf->ignore_auth_probability > 0.0 && 1414 drand48() < hapd->iconf->ignore_auth_probability) { 1415 wpa_printf(MSG_INFO, 1416 "TESTING: ignoring auth frame from " MACSTR, 1417 MAC2STR(mgmt->sa)); 1418 return; 1419 } 1420 #endif /* CONFIG_TESTING_OPTIONS */ 1421 1422 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 1423 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 1424 status_code = le_to_host16(mgmt->u.auth.status_code); 1425 fc = le_to_host16(mgmt->frame_control); 1426 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 1427 1428 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 1429 2 + WLAN_AUTH_CHALLENGE_LEN && 1430 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 1431 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 1432 challenge = &mgmt->u.auth.variable[2]; 1433 1434 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 1435 "auth_transaction=%d status_code=%d wep=%d%s " 1436 "seq_ctrl=0x%x%s", 1437 MAC2STR(mgmt->sa), auth_alg, auth_transaction, 1438 status_code, !!(fc & WLAN_FC_ISWEP), 1439 challenge ? " challenge" : "", 1440 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 1441 1442 #ifdef CONFIG_NO_RC4 1443 if (auth_alg == WLAN_AUTH_SHARED_KEY) { 1444 wpa_printf(MSG_INFO, 1445 "Unsupported authentication algorithm (%d)", 1446 auth_alg); 1447 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 1448 goto fail; 1449 } 1450 #endif /* CONFIG_NO_RC4 */ 1451 1452 if (hapd->tkip_countermeasures) { 1453 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 1454 goto fail; 1455 } 1456 1457 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 1458 auth_alg == WLAN_AUTH_OPEN) || 1459 #ifdef CONFIG_IEEE80211R_AP 1460 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 1461 auth_alg == WLAN_AUTH_FT) || 1462 #endif /* CONFIG_IEEE80211R_AP */ 1463 #ifdef CONFIG_SAE 1464 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 1465 auth_alg == WLAN_AUTH_SAE) || 1466 #endif /* CONFIG_SAE */ 1467 #ifdef CONFIG_FILS 1468 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) && 1469 auth_alg == WLAN_AUTH_FILS_SK) || 1470 #endif /* CONFIG_FILS */ 1471 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 1472 auth_alg == WLAN_AUTH_SHARED_KEY))) { 1473 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 1474 auth_alg); 1475 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 1476 goto fail; 1477 } 1478 1479 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 1480 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 1481 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 1482 auth_transaction); 1483 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 1484 goto fail; 1485 } 1486 1487 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { 1488 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 1489 MAC2STR(mgmt->sa)); 1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1491 goto fail; 1492 } 1493 1494 if (hapd->conf->no_auth_if_seen_on) { 1495 struct hostapd_data *other; 1496 1497 other = sta_track_seen_on(hapd->iface, mgmt->sa, 1498 hapd->conf->no_auth_if_seen_on); 1499 if (other) { 1500 u8 *pos; 1501 u32 info; 1502 u8 op_class, channel, phytype; 1503 1504 wpa_printf(MSG_DEBUG, "%s: Reject authentication from " 1505 MACSTR " since STA has been seen on %s", 1506 hapd->conf->iface, MAC2STR(mgmt->sa), 1507 hapd->conf->no_auth_if_seen_on); 1508 1509 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION; 1510 pos = &resp_ies[0]; 1511 *pos++ = WLAN_EID_NEIGHBOR_REPORT; 1512 *pos++ = 13; 1513 os_memcpy(pos, other->own_addr, ETH_ALEN); 1514 pos += ETH_ALEN; 1515 info = 0; /* TODO: BSSID Information */ 1516 WPA_PUT_LE32(pos, info); 1517 pos += 4; 1518 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD) 1519 phytype = 8; /* dmg */ 1520 else if (other->iconf->ieee80211ac) 1521 phytype = 9; /* vht */ 1522 else if (other->iconf->ieee80211n) 1523 phytype = 7; /* ht */ 1524 else if (other->iconf->hw_mode == 1525 HOSTAPD_MODE_IEEE80211A) 1526 phytype = 4; /* ofdm */ 1527 else if (other->iconf->hw_mode == 1528 HOSTAPD_MODE_IEEE80211G) 1529 phytype = 6; /* erp */ 1530 else 1531 phytype = 5; /* hrdsss */ 1532 if (ieee80211_freq_to_channel_ext( 1533 hostapd_hw_get_freq(other, 1534 other->iconf->channel), 1535 other->iconf->secondary_channel, 1536 other->iconf->ieee80211ac, 1537 &op_class, &channel) == NUM_HOSTAPD_MODES) { 1538 op_class = 0; 1539 channel = other->iconf->channel; 1540 } 1541 *pos++ = op_class; 1542 *pos++ = channel; 1543 *pos++ = phytype; 1544 resp_ies_len = pos - &resp_ies[0]; 1545 goto fail; 1546 } 1547 } 1548 1549 res = ieee802_11_allowed_address( 1550 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout, 1551 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui); 1552 if (res == HOSTAPD_ACL_REJECT) { 1553 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1554 goto fail; 1555 } 1556 if (res == HOSTAPD_ACL_PENDING) 1557 return; 1558 1559 sta = ap_get_sta(hapd, mgmt->sa); 1560 if (sta) { 1561 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP; 1562 if ((fc & WLAN_FC_RETRY) && 1563 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 1564 sta->last_seq_ctrl == seq_ctrl && 1565 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 1566 hostapd_logger(hapd, sta->addr, 1567 HOSTAPD_MODULE_IEEE80211, 1568 HOSTAPD_LEVEL_DEBUG, 1569 "Drop repeated authentication frame seq_ctrl=0x%x", 1570 seq_ctrl); 1571 return; 1572 } 1573 #ifdef CONFIG_MESH 1574 if ((hapd->conf->mesh & MESH_ENABLED) && 1575 sta->plink_state == PLINK_BLOCKED) { 1576 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 1577 " is blocked - drop Authentication frame", 1578 MAC2STR(mgmt->sa)); 1579 return; 1580 } 1581 #endif /* CONFIG_MESH */ 1582 } else { 1583 #ifdef CONFIG_MESH 1584 if (hapd->conf->mesh & MESH_ENABLED) { 1585 /* if the mesh peer is not available, we don't do auth. 1586 */ 1587 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 1588 " not yet known - drop Authentication frame", 1589 MAC2STR(mgmt->sa)); 1590 /* 1591 * Save a copy of the frame so that it can be processed 1592 * if a new peer entry is added shortly after this. 1593 */ 1594 wpabuf_free(hapd->mesh_pending_auth); 1595 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 1596 os_get_reltime(&hapd->mesh_pending_auth_time); 1597 return; 1598 } 1599 #endif /* CONFIG_MESH */ 1600 1601 sta = ap_sta_add(hapd, mgmt->sa); 1602 if (!sta) { 1603 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1604 goto fail; 1605 } 1606 } 1607 sta->last_seq_ctrl = seq_ctrl; 1608 sta->last_subtype = WLAN_FC_STYPE_AUTH; 1609 1610 res = ieee802_11_set_radius_info( 1611 hapd, sta, res, session_timeout, acct_interim_interval, 1612 &vlan_id, &psk, &identity, &radius_cui); 1613 if (res) { 1614 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1615 goto fail; 1616 } 1617 1618 sta->flags &= ~WLAN_STA_PREAUTH; 1619 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 1620 1621 /* 1622 * If the driver supports full AP client state, add a station to the 1623 * driver before sending authentication reply to make sure the driver 1624 * has resources, and not to go through the entire authentication and 1625 * association handshake, and fail it at the end. 1626 * 1627 * If this is not the first transaction, in a multi-step authentication 1628 * algorithm, the station already exists in the driver 1629 * (sta->added_unassoc = 1) so skip it. 1630 * 1631 * In mesh mode, the station was already added to the driver when the 1632 * NEW_PEER_CANDIDATE event is received. 1633 * 1634 * If PMF was negotiated for the existing association, skip this to 1635 * avoid dropping the STA entry and the associated keys. This is needed 1636 * to allow the original connection work until the attempt can complete 1637 * (re)association, so that unprotected Authentication frame cannot be 1638 * used to bypass PMF protection. 1639 */ 1640 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) && 1641 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) && 1642 !(hapd->conf->mesh & MESH_ENABLED) && 1643 !(sta->added_unassoc)) { 1644 /* 1645 * If a station that is already associated to the AP, is trying 1646 * to authenticate again, remove the STA entry, in order to make 1647 * sure the STA PS state gets cleared and configuration gets 1648 * updated. To handle this, station's added_unassoc flag is 1649 * cleared once the station has completed association. 1650 */ 1651 hostapd_drv_sta_remove(hapd, sta->addr); 1652 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH | 1653 WLAN_STA_AUTHORIZED); 1654 1655 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0, 1656 NULL, NULL, sta->flags, 0, 0, 0, 0)) { 1657 hostapd_logger(hapd, sta->addr, 1658 HOSTAPD_MODULE_IEEE80211, 1659 HOSTAPD_LEVEL_NOTICE, 1660 "Could not add STA to kernel driver"); 1661 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1662 goto fail; 1663 } 1664 1665 sta->added_unassoc = 1; 1666 } 1667 1668 switch (auth_alg) { 1669 case WLAN_AUTH_OPEN: 1670 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1671 HOSTAPD_LEVEL_DEBUG, 1672 "authentication OK (open system)"); 1673 sta->flags |= WLAN_STA_AUTH; 1674 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1675 sta->auth_alg = WLAN_AUTH_OPEN; 1676 mlme_authenticate_indication(hapd, sta); 1677 break; 1678 #ifndef CONFIG_NO_RC4 1679 case WLAN_AUTH_SHARED_KEY: 1680 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 1681 fc & WLAN_FC_ISWEP); 1682 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 1683 mlme_authenticate_indication(hapd, sta); 1684 if (sta->challenge && auth_transaction == 1) { 1685 resp_ies[0] = WLAN_EID_CHALLENGE; 1686 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 1687 os_memcpy(resp_ies + 2, sta->challenge, 1688 WLAN_AUTH_CHALLENGE_LEN); 1689 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 1690 } 1691 break; 1692 #endif /* CONFIG_NO_RC4 */ 1693 #ifdef CONFIG_IEEE80211R_AP 1694 case WLAN_AUTH_FT: 1695 sta->auth_alg = WLAN_AUTH_FT; 1696 if (sta->wpa_sm == NULL) 1697 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 1698 sta->addr, NULL); 1699 if (sta->wpa_sm == NULL) { 1700 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 1701 "state machine"); 1702 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1703 goto fail; 1704 } 1705 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid, 1706 auth_transaction, mgmt->u.auth.variable, 1707 len - IEEE80211_HDRLEN - 1708 sizeof(mgmt->u.auth), 1709 handle_auth_ft_finish, hapd); 1710 /* handle_auth_ft_finish() callback will complete auth. */ 1711 return; 1712 #endif /* CONFIG_IEEE80211R_AP */ 1713 #ifdef CONFIG_SAE 1714 case WLAN_AUTH_SAE: 1715 #ifdef CONFIG_MESH 1716 if (status_code == WLAN_STATUS_SUCCESS && 1717 hapd->conf->mesh & MESH_ENABLED) { 1718 if (sta->wpa_sm == NULL) 1719 sta->wpa_sm = 1720 wpa_auth_sta_init(hapd->wpa_auth, 1721 sta->addr, NULL); 1722 if (sta->wpa_sm == NULL) { 1723 wpa_printf(MSG_DEBUG, 1724 "SAE: Failed to initialize WPA state machine"); 1725 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1726 goto fail; 1727 } 1728 } 1729 #endif /* CONFIG_MESH */ 1730 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 1731 status_code); 1732 return; 1733 #endif /* CONFIG_SAE */ 1734 #ifdef CONFIG_FILS 1735 case WLAN_AUTH_FILS_SK: 1736 handle_auth_fils(hapd, sta, mgmt, len, auth_transaction, 1737 status_code); 1738 return; 1739 #endif /* CONFIG_FILS */ 1740 } 1741 1742 fail: 1743 os_free(identity); 1744 os_free(radius_cui); 1745 hostapd_free_psk_list(psk); 1746 1747 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, 1748 auth_transaction + 1, resp, resp_ies, 1749 resp_ies_len); 1750 1751 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS || 1752 reply_res != WLAN_STATUS_SUCCESS)) { 1753 hostapd_drv_sta_remove(hapd, sta->addr); 1754 sta->added_unassoc = 0; 1755 } 1756 } 1757 1758 1759 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 1760 { 1761 int i, j = 32, aid; 1762 1763 /* get a unique AID */ 1764 if (sta->aid > 0) { 1765 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 1766 return 0; 1767 } 1768 1769 if (TEST_FAIL()) 1770 return -1; 1771 1772 for (i = 0; i < AID_WORDS; i++) { 1773 if (hapd->sta_aid[i] == (u32) -1) 1774 continue; 1775 for (j = 0; j < 32; j++) { 1776 if (!(hapd->sta_aid[i] & BIT(j))) 1777 break; 1778 } 1779 if (j < 32) 1780 break; 1781 } 1782 if (j == 32) 1783 return -1; 1784 aid = i * 32 + j + 1; 1785 if (aid > 2007) 1786 return -1; 1787 1788 sta->aid = aid; 1789 hapd->sta_aid[i] |= BIT(j); 1790 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 1791 return 0; 1792 } 1793 1794 1795 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 1796 const u8 *ssid_ie, size_t ssid_ie_len) 1797 { 1798 if (ssid_ie == NULL) 1799 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1800 1801 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 1802 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 1803 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1804 HOSTAPD_LEVEL_INFO, 1805 "Station tried to associate with unknown SSID " 1806 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 1807 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1808 } 1809 1810 return WLAN_STATUS_SUCCESS; 1811 } 1812 1813 1814 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 1815 const u8 *wmm_ie, size_t wmm_ie_len) 1816 { 1817 sta->flags &= ~WLAN_STA_WMM; 1818 sta->qosinfo = 0; 1819 if (wmm_ie && hapd->conf->wmm_enabled) { 1820 struct wmm_information_element *wmm; 1821 1822 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 1823 hostapd_logger(hapd, sta->addr, 1824 HOSTAPD_MODULE_WPA, 1825 HOSTAPD_LEVEL_DEBUG, 1826 "invalid WMM element in association " 1827 "request"); 1828 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1829 } 1830 1831 sta->flags |= WLAN_STA_WMM; 1832 wmm = (struct wmm_information_element *) wmm_ie; 1833 sta->qosinfo = wmm->qos_info; 1834 } 1835 return WLAN_STATUS_SUCCESS; 1836 } 1837 1838 1839 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 1840 struct ieee802_11_elems *elems) 1841 { 1842 /* Supported rates not used in IEEE 802.11ad/DMG */ 1843 if (hapd->iface->current_mode && 1844 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) 1845 return WLAN_STATUS_SUCCESS; 1846 1847 if (!elems->supp_rates) { 1848 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1849 HOSTAPD_LEVEL_DEBUG, 1850 "No supported rates element in AssocReq"); 1851 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1852 } 1853 1854 if (elems->supp_rates_len + elems->ext_supp_rates_len > 1855 sizeof(sta->supported_rates)) { 1856 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1857 HOSTAPD_LEVEL_DEBUG, 1858 "Invalid supported rates element length %d+%d", 1859 elems->supp_rates_len, 1860 elems->ext_supp_rates_len); 1861 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1862 } 1863 1864 sta->supported_rates_len = merge_byte_arrays( 1865 sta->supported_rates, sizeof(sta->supported_rates), 1866 elems->supp_rates, elems->supp_rates_len, 1867 elems->ext_supp_rates, elems->ext_supp_rates_len); 1868 1869 return WLAN_STATUS_SUCCESS; 1870 } 1871 1872 1873 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, 1874 const u8 *ext_capab_ie, size_t ext_capab_ie_len) 1875 { 1876 #ifdef CONFIG_INTERWORKING 1877 /* check for QoS Map support */ 1878 if (ext_capab_ie_len >= 5) { 1879 if (ext_capab_ie[4] & 0x01) 1880 sta->qos_map_enabled = 1; 1881 } 1882 #endif /* CONFIG_INTERWORKING */ 1883 1884 if (ext_capab_ie_len > 0) 1885 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2)); 1886 1887 return WLAN_STATUS_SUCCESS; 1888 } 1889 1890 1891 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 1892 const u8 *ies, size_t ies_len, int reassoc) 1893 { 1894 struct ieee802_11_elems elems; 1895 u16 resp; 1896 const u8 *wpa_ie; 1897 size_t wpa_ie_len; 1898 const u8 *p2p_dev_addr = NULL; 1899 1900 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 1901 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1902 HOSTAPD_LEVEL_INFO, "Station sent an invalid " 1903 "association request"); 1904 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1905 } 1906 1907 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len); 1908 if (resp != WLAN_STATUS_SUCCESS) 1909 return resp; 1910 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len); 1911 if (resp != WLAN_STATUS_SUCCESS) 1912 return resp; 1913 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len); 1914 if (resp != WLAN_STATUS_SUCCESS) 1915 return resp; 1916 resp = copy_supp_rates(hapd, sta, &elems); 1917 if (resp != WLAN_STATUS_SUCCESS) 1918 return resp; 1919 #ifdef CONFIG_IEEE80211N 1920 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities); 1921 if (resp != WLAN_STATUS_SUCCESS) 1922 return resp; 1923 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 1924 !(sta->flags & WLAN_STA_HT)) { 1925 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1926 HOSTAPD_LEVEL_INFO, "Station does not support " 1927 "mandatory HT PHY - reject association"); 1928 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 1929 } 1930 #endif /* CONFIG_IEEE80211N */ 1931 1932 #ifdef CONFIG_IEEE80211AC 1933 if (hapd->iconf->ieee80211ac) { 1934 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); 1935 if (resp != WLAN_STATUS_SUCCESS) 1936 return resp; 1937 1938 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif); 1939 if (resp != WLAN_STATUS_SUCCESS) 1940 return resp; 1941 } 1942 1943 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 1944 !(sta->flags & WLAN_STA_VHT)) { 1945 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1946 HOSTAPD_LEVEL_INFO, "Station does not support " 1947 "mandatory VHT PHY - reject association"); 1948 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 1949 } 1950 1951 if (hapd->conf->vendor_vht && !elems.vht_capabilities) { 1952 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht, 1953 elems.vendor_vht_len); 1954 if (resp != WLAN_STATUS_SUCCESS) 1955 return resp; 1956 } 1957 #endif /* CONFIG_IEEE80211AC */ 1958 1959 #ifdef CONFIG_P2P 1960 if (elems.p2p) { 1961 wpabuf_free(sta->p2p_ie); 1962 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1963 P2P_IE_VENDOR_TYPE); 1964 if (sta->p2p_ie) 1965 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 1966 } else { 1967 wpabuf_free(sta->p2p_ie); 1968 sta->p2p_ie = NULL; 1969 } 1970 #endif /* CONFIG_P2P */ 1971 1972 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) { 1973 wpa_ie = elems.rsn_ie; 1974 wpa_ie_len = elems.rsn_ie_len; 1975 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 1976 elems.wpa_ie) { 1977 wpa_ie = elems.wpa_ie; 1978 wpa_ie_len = elems.wpa_ie_len; 1979 } else { 1980 wpa_ie = NULL; 1981 wpa_ie_len = 0; 1982 } 1983 1984 #ifdef CONFIG_WPS 1985 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 1986 if (hapd->conf->wps_state && elems.wps_ie) { 1987 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 1988 "Request - assume WPS is used"); 1989 sta->flags |= WLAN_STA_WPS; 1990 wpabuf_free(sta->wps_ie); 1991 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1992 WPS_IE_VENDOR_TYPE); 1993 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 1994 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 1995 sta->flags |= WLAN_STA_WPS2; 1996 } 1997 wpa_ie = NULL; 1998 wpa_ie_len = 0; 1999 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 2000 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 2001 "(Re)Association Request - reject"); 2002 return WLAN_STATUS_INVALID_IE; 2003 } 2004 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 2005 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 2006 "(Re)Association Request - possible WPS use"); 2007 sta->flags |= WLAN_STA_MAYBE_WPS; 2008 } else 2009 #endif /* CONFIG_WPS */ 2010 if (hapd->conf->wpa && wpa_ie == NULL) { 2011 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2012 HOSTAPD_LEVEL_INFO, 2013 "No WPA/RSN IE in association request"); 2014 return WLAN_STATUS_INVALID_IE; 2015 } 2016 2017 if (hapd->conf->wpa && wpa_ie) { 2018 int res; 2019 wpa_ie -= 2; 2020 wpa_ie_len += 2; 2021 if (sta->wpa_sm == NULL) 2022 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2023 sta->addr, 2024 p2p_dev_addr); 2025 if (sta->wpa_sm == NULL) { 2026 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 2027 "state machine"); 2028 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2029 } 2030 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 2031 wpa_ie, wpa_ie_len, 2032 elems.mdie, elems.mdie_len); 2033 resp = wpa_res_to_status_code(res); 2034 if (resp != WLAN_STATUS_SUCCESS) 2035 return resp; 2036 #ifdef CONFIG_IEEE80211W 2037 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 2038 sta->sa_query_count > 0) 2039 ap_check_sa_query_timeout(hapd, sta); 2040 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 2041 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 2042 /* 2043 * STA has already been associated with MFP and SA 2044 * Query timeout has not been reached. Reject the 2045 * association attempt temporarily and start SA Query, 2046 * if one is not pending. 2047 */ 2048 2049 if (sta->sa_query_count == 0) 2050 ap_sta_start_sa_query(hapd, sta); 2051 2052 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 2053 } 2054 2055 if (wpa_auth_uses_mfp(sta->wpa_sm)) 2056 sta->flags |= WLAN_STA_MFP; 2057 else 2058 sta->flags &= ~WLAN_STA_MFP; 2059 #endif /* CONFIG_IEEE80211W */ 2060 2061 #ifdef CONFIG_IEEE80211R_AP 2062 if (sta->auth_alg == WLAN_AUTH_FT) { 2063 if (!reassoc) { 2064 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 2065 "to use association (not " 2066 "re-association) with FT auth_alg", 2067 MAC2STR(sta->addr)); 2068 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2069 } 2070 2071 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 2072 ies_len); 2073 if (resp != WLAN_STATUS_SUCCESS) 2074 return resp; 2075 } 2076 #endif /* CONFIG_IEEE80211R_AP */ 2077 2078 #ifdef CONFIG_SAE 2079 if (wpa_auth_uses_sae(sta->wpa_sm) && 2080 sta->auth_alg == WLAN_AUTH_OPEN) { 2081 struct rsn_pmksa_cache_entry *sa; 2082 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 2083 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { 2084 wpa_printf(MSG_DEBUG, 2085 "SAE: No PMKSA cache entry found for " 2086 MACSTR, MAC2STR(sta->addr)); 2087 return WLAN_STATUS_INVALID_PMKID; 2088 } 2089 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 2090 " using PMKSA caching", MAC2STR(sta->addr)); 2091 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 2092 sta->auth_alg != WLAN_AUTH_SAE && 2093 !(sta->auth_alg == WLAN_AUTH_FT && 2094 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 2095 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 2096 "SAE AKM after non-SAE auth_alg %u", 2097 MAC2STR(sta->addr), sta->auth_alg); 2098 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 2099 } 2100 #endif /* CONFIG_SAE */ 2101 2102 #ifdef CONFIG_IEEE80211N 2103 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 2104 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 2105 hostapd_logger(hapd, sta->addr, 2106 HOSTAPD_MODULE_IEEE80211, 2107 HOSTAPD_LEVEL_INFO, 2108 "Station tried to use TKIP with HT " 2109 "association"); 2110 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 2111 } 2112 #endif /* CONFIG_IEEE80211N */ 2113 #ifdef CONFIG_HS20 2114 } else if (hapd->conf->osen) { 2115 if (elems.osen == NULL) { 2116 hostapd_logger( 2117 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2118 HOSTAPD_LEVEL_INFO, 2119 "No HS 2.0 OSEN element in association request"); 2120 return WLAN_STATUS_INVALID_IE; 2121 } 2122 2123 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 2124 if (sta->wpa_sm == NULL) 2125 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 2126 sta->addr, NULL); 2127 if (sta->wpa_sm == NULL) { 2128 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 2129 "state machine"); 2130 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2131 } 2132 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 2133 elems.osen - 2, elems.osen_len + 2) < 0) 2134 return WLAN_STATUS_INVALID_IE; 2135 #endif /* CONFIG_HS20 */ 2136 } else 2137 wpa_auth_sta_no_wpa(sta->wpa_sm); 2138 2139 #ifdef CONFIG_P2P 2140 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 2141 #endif /* CONFIG_P2P */ 2142 2143 #ifdef CONFIG_HS20 2144 wpabuf_free(sta->hs20_ie); 2145 if (elems.hs20 && elems.hs20_len > 4) { 2146 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4, 2147 elems.hs20_len - 4); 2148 } else 2149 sta->hs20_ie = NULL; 2150 #endif /* CONFIG_HS20 */ 2151 2152 #ifdef CONFIG_FST 2153 wpabuf_free(sta->mb_ies); 2154 if (hapd->iface->fst) 2155 sta->mb_ies = mb_ies_by_info(&elems.mb_ies); 2156 else 2157 sta->mb_ies = NULL; 2158 #endif /* CONFIG_FST */ 2159 2160 #ifdef CONFIG_MBO 2161 mbo_ap_check_sta_assoc(hapd, sta, &elems); 2162 2163 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) && 2164 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) && 2165 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 2166 wpa_printf(MSG_INFO, 2167 "MBO: Reject WPA2 association without PMF"); 2168 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2169 } 2170 #endif /* CONFIG_MBO */ 2171 2172 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes, 2173 elems.supp_op_classes_len); 2174 2175 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) && 2176 elems.rrm_enabled && 2177 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa)) 2178 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled, 2179 sizeof(sta->rrm_enabled_capa)); 2180 2181 return WLAN_STATUS_SUCCESS; 2182 } 2183 2184 2185 static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 2186 u16 reason_code) 2187 { 2188 int send_len; 2189 struct ieee80211_mgmt reply; 2190 2191 os_memset(&reply, 0, sizeof(reply)); 2192 reply.frame_control = 2193 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 2194 os_memcpy(reply.da, addr, ETH_ALEN); 2195 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 2196 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 2197 2198 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 2199 reply.u.deauth.reason_code = host_to_le16(reason_code); 2200 2201 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0) 2202 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 2203 strerror(errno)); 2204 } 2205 2206 2207 static int add_associated_sta(struct hostapd_data *hapd, 2208 struct sta_info *sta) 2209 { 2210 struct ieee80211_ht_capabilities ht_cap; 2211 struct ieee80211_vht_capabilities vht_cap; 2212 int set = 1; 2213 2214 /* 2215 * Remove the STA entry to ensure the STA PS state gets cleared and 2216 * configuration gets updated. This is relevant for cases, such as 2217 * FT-over-the-DS, where a station re-associates back to the same AP but 2218 * skips the authentication flow, or if working with a driver that 2219 * does not support full AP client state. 2220 * 2221 * Skip this if the STA has already completed FT reassociation and the 2222 * TK has been configured since the TX/RX PN must not be reset to 0 for 2223 * the same key. 2224 */ 2225 if (!sta->added_unassoc && 2226 (!(sta->flags & WLAN_STA_AUTHORIZED) || 2227 !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) { 2228 hostapd_drv_sta_remove(hapd, sta->addr); 2229 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED); 2230 set = 0; 2231 } 2232 2233 #ifdef CONFIG_IEEE80211N 2234 if (sta->flags & WLAN_STA_HT) 2235 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 2236 #endif /* CONFIG_IEEE80211N */ 2237 #ifdef CONFIG_IEEE80211AC 2238 if (sta->flags & WLAN_STA_VHT) 2239 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 2240 #endif /* CONFIG_IEEE80211AC */ 2241 2242 /* 2243 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags 2244 * will be set when the ACK frame for the (Re)Association Response frame 2245 * is processed (TX status driver event). 2246 */ 2247 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 2248 sta->supported_rates, sta->supported_rates_len, 2249 sta->listen_interval, 2250 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 2251 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 2252 sta->flags | WLAN_STA_ASSOC, sta->qosinfo, 2253 sta->vht_opmode, sta->p2p_ie ? 1 : 0, 2254 set)) { 2255 hostapd_logger(hapd, sta->addr, 2256 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE, 2257 "Could not %s STA to kernel driver", 2258 set ? "set" : "add"); 2259 2260 if (sta->added_unassoc) { 2261 hostapd_drv_sta_remove(hapd, sta->addr); 2262 sta->added_unassoc = 0; 2263 } 2264 2265 return -1; 2266 } 2267 2268 sta->added_unassoc = 0; 2269 2270 return 0; 2271 } 2272 2273 2274 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 2275 const u8 *addr, u16 status_code, int reassoc, 2276 const u8 *ies, size_t ies_len) 2277 { 2278 int send_len; 2279 u8 *buf; 2280 size_t buflen; 2281 struct ieee80211_mgmt *reply; 2282 u8 *p; 2283 u16 res = WLAN_STATUS_SUCCESS; 2284 2285 buflen = sizeof(struct ieee80211_mgmt) + 1024; 2286 #ifdef CONFIG_FILS 2287 if (sta && sta->fils_hlp_resp) 2288 buflen += wpabuf_len(sta->fils_hlp_resp); 2289 #endif /* CONFIG_FILS */ 2290 buf = os_zalloc(buflen); 2291 if (!buf) { 2292 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2293 goto done; 2294 } 2295 reply = (struct ieee80211_mgmt *) buf; 2296 reply->frame_control = 2297 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 2298 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 2299 WLAN_FC_STYPE_ASSOC_RESP)); 2300 os_memcpy(reply->da, addr, ETH_ALEN); 2301 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 2302 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 2303 2304 send_len = IEEE80211_HDRLEN; 2305 send_len += sizeof(reply->u.assoc_resp); 2306 reply->u.assoc_resp.capab_info = 2307 host_to_le16(hostapd_own_capab_info(hapd)); 2308 reply->u.assoc_resp.status_code = host_to_le16(status_code); 2309 2310 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) | 2311 BIT(14) | BIT(15)); 2312 /* Supported rates */ 2313 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 2314 /* Extended supported rates */ 2315 p = hostapd_eid_ext_supp_rates(hapd, p); 2316 2317 #ifdef CONFIG_IEEE80211R_AP 2318 if (sta && status_code == WLAN_STATUS_SUCCESS) { 2319 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 2320 * Transition Information, RSN, [RIC Response] */ 2321 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 2322 buf + buflen - p, 2323 sta->auth_alg, ies, ies_len); 2324 } 2325 #endif /* CONFIG_IEEE80211R_AP */ 2326 2327 #ifdef CONFIG_IEEE80211W 2328 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 2329 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 2330 #endif /* CONFIG_IEEE80211W */ 2331 2332 #ifdef CONFIG_IEEE80211N 2333 p = hostapd_eid_ht_capabilities(hapd, p); 2334 p = hostapd_eid_ht_operation(hapd, p); 2335 #endif /* CONFIG_IEEE80211N */ 2336 2337 #ifdef CONFIG_IEEE80211AC 2338 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 2339 u32 nsts = 0, sta_nsts; 2340 2341 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) { 2342 struct ieee80211_vht_capabilities *capa; 2343 2344 nsts = (hapd->iface->conf->vht_capab >> 2345 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 2346 capa = sta->vht_capabilities; 2347 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >> 2348 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7; 2349 2350 if (nsts < sta_nsts) 2351 nsts = 0; 2352 else 2353 nsts = sta_nsts; 2354 } 2355 p = hostapd_eid_vht_capabilities(hapd, p, nsts); 2356 p = hostapd_eid_vht_operation(hapd, p); 2357 } 2358 #endif /* CONFIG_IEEE80211AC */ 2359 2360 p = hostapd_eid_ext_capab(hapd, p); 2361 p = hostapd_eid_bss_max_idle_period(hapd, p); 2362 if (sta && sta->qos_map_enabled) 2363 p = hostapd_eid_qos_map_set(hapd, p); 2364 2365 #ifdef CONFIG_FST 2366 if (hapd->iface->fst_ies) { 2367 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies), 2368 wpabuf_len(hapd->iface->fst_ies)); 2369 p += wpabuf_len(hapd->iface->fst_ies); 2370 } 2371 #endif /* CONFIG_FST */ 2372 2373 #ifdef CONFIG_IEEE80211AC 2374 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 2375 p = hostapd_eid_vendor_vht(hapd, p); 2376 #endif /* CONFIG_IEEE80211AC */ 2377 2378 if (sta && (sta->flags & WLAN_STA_WMM)) 2379 p = hostapd_eid_wmm(hapd, p); 2380 2381 #ifdef CONFIG_WPS 2382 if (sta && 2383 ((sta->flags & WLAN_STA_WPS) || 2384 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) { 2385 struct wpabuf *wps = wps_build_assoc_resp_ie(); 2386 if (wps) { 2387 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 2388 p += wpabuf_len(wps); 2389 wpabuf_free(wps); 2390 } 2391 } 2392 #endif /* CONFIG_WPS */ 2393 2394 #ifdef CONFIG_P2P 2395 if (sta && sta->p2p_ie && hapd->p2p_group) { 2396 struct wpabuf *p2p_resp_ie; 2397 enum p2p_status_code status; 2398 switch (status_code) { 2399 case WLAN_STATUS_SUCCESS: 2400 status = P2P_SC_SUCCESS; 2401 break; 2402 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 2403 status = P2P_SC_FAIL_LIMIT_REACHED; 2404 break; 2405 default: 2406 status = P2P_SC_FAIL_INVALID_PARAMS; 2407 break; 2408 } 2409 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 2410 if (p2p_resp_ie) { 2411 os_memcpy(p, wpabuf_head(p2p_resp_ie), 2412 wpabuf_len(p2p_resp_ie)); 2413 p += wpabuf_len(p2p_resp_ie); 2414 wpabuf_free(p2p_resp_ie); 2415 } 2416 } 2417 #endif /* CONFIG_P2P */ 2418 2419 #ifdef CONFIG_P2P_MANAGER 2420 if (hapd->conf->p2p & P2P_MANAGE) 2421 p = hostapd_eid_p2p_manage(hapd, p); 2422 #endif /* CONFIG_P2P_MANAGER */ 2423 2424 p = hostapd_eid_mbo(hapd, p, buf + buflen - p); 2425 2426 if (hapd->conf->assocresp_elements && 2427 (size_t) (buf + buflen - p) >= 2428 wpabuf_len(hapd->conf->assocresp_elements)) { 2429 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements), 2430 wpabuf_len(hapd->conf->assocresp_elements)); 2431 p += wpabuf_len(hapd->conf->assocresp_elements); 2432 } 2433 2434 send_len += p - reply->u.assoc_resp.variable; 2435 2436 #ifdef CONFIG_FILS 2437 if (sta && 2438 (sta->auth_alg == WLAN_AUTH_FILS_SK || 2439 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2440 sta->auth_alg == WLAN_AUTH_FILS_PK) && 2441 status_code == WLAN_STATUS_SUCCESS) { 2442 struct ieee802_11_elems elems; 2443 2444 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == 2445 ParseFailed || !elems.fils_session) { 2446 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2447 goto done; 2448 } 2449 2450 /* FILS Session */ 2451 *p++ = WLAN_EID_EXTENSION; /* Element ID */ 2452 *p++ = 1 + FILS_SESSION_LEN; /* Length */ 2453 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2454 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN); 2455 send_len += 2 + 1 + FILS_SESSION_LEN; 2456 2457 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len, 2458 buflen, sta->fils_hlp_resp); 2459 if (send_len < 0) { 2460 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2461 goto done; 2462 } 2463 } 2464 #endif /* CONFIG_FILS */ 2465 2466 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) { 2467 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 2468 strerror(errno)); 2469 res = WLAN_STATUS_UNSPECIFIED_FAILURE; 2470 } 2471 2472 done: 2473 os_free(buf); 2474 return res; 2475 } 2476 2477 2478 #ifdef CONFIG_FILS 2479 2480 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta) 2481 { 2482 u16 reply_res; 2483 2484 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR, 2485 MAC2STR(sta->addr)); 2486 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2487 if (!sta->fils_pending_assoc_req) 2488 return; 2489 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS, 2490 sta->fils_pending_assoc_is_reassoc, 2491 sta->fils_pending_assoc_req, 2492 sta->fils_pending_assoc_req_len); 2493 os_free(sta->fils_pending_assoc_req); 2494 sta->fils_pending_assoc_req = NULL; 2495 sta->fils_pending_assoc_req_len = 0; 2496 wpabuf_free(sta->fils_hlp_resp); 2497 sta->fils_hlp_resp = NULL; 2498 wpabuf_free(sta->hlp_dhcp_discover); 2499 sta->hlp_dhcp_discover = NULL; 2500 2501 /* 2502 * Remove the station in case tranmission of a success response fails 2503 * (the STA was added associated to the driver) or if the station was 2504 * previously added unassociated. 2505 */ 2506 if (reply_res != WLAN_STATUS_SUCCESS || sta->added_unassoc) { 2507 hostapd_drv_sta_remove(hapd, sta->addr); 2508 sta->added_unassoc = 0; 2509 } 2510 } 2511 2512 2513 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data) 2514 { 2515 struct hostapd_data *hapd = eloop_ctx; 2516 struct sta_info *sta = eloop_data; 2517 2518 wpa_printf(MSG_DEBUG, 2519 "FILS: HLP response timeout - continue with association response for " 2520 MACSTR, MAC2STR(sta->addr)); 2521 fils_hlp_finish_assoc(hapd, sta); 2522 } 2523 2524 #endif /* CONFIG_FILS */ 2525 2526 2527 static void handle_assoc(struct hostapd_data *hapd, 2528 const struct ieee80211_mgmt *mgmt, size_t len, 2529 int reassoc) 2530 { 2531 u16 capab_info, listen_interval, seq_ctrl, fc; 2532 u16 resp = WLAN_STATUS_SUCCESS, reply_res; 2533 const u8 *pos; 2534 int left, i; 2535 struct sta_info *sta; 2536 u8 *tmp = NULL; 2537 struct hostapd_sta_wpa_psk_short *psk = NULL; 2538 char *identity = NULL; 2539 char *radius_cui = NULL; 2540 #ifdef CONFIG_FILS 2541 int delay_assoc = 0; 2542 #endif /* CONFIG_FILS */ 2543 2544 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 2545 sizeof(mgmt->u.assoc_req))) { 2546 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 2547 reassoc, (unsigned long) len); 2548 return; 2549 } 2550 2551 #ifdef CONFIG_TESTING_OPTIONS 2552 if (reassoc) { 2553 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 2554 drand48() < hapd->iconf->ignore_reassoc_probability) { 2555 wpa_printf(MSG_INFO, 2556 "TESTING: ignoring reassoc request from " 2557 MACSTR, MAC2STR(mgmt->sa)); 2558 return; 2559 } 2560 } else { 2561 if (hapd->iconf->ignore_assoc_probability > 0.0 && 2562 drand48() < hapd->iconf->ignore_assoc_probability) { 2563 wpa_printf(MSG_INFO, 2564 "TESTING: ignoring assoc request from " 2565 MACSTR, MAC2STR(mgmt->sa)); 2566 return; 2567 } 2568 } 2569 #endif /* CONFIG_TESTING_OPTIONS */ 2570 2571 fc = le_to_host16(mgmt->frame_control); 2572 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2573 2574 if (reassoc) { 2575 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 2576 listen_interval = le_to_host16( 2577 mgmt->u.reassoc_req.listen_interval); 2578 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 2579 " capab_info=0x%02x listen_interval=%d current_ap=" 2580 MACSTR " seq_ctrl=0x%x%s", 2581 MAC2STR(mgmt->sa), capab_info, listen_interval, 2582 MAC2STR(mgmt->u.reassoc_req.current_ap), 2583 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 2584 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 2585 pos = mgmt->u.reassoc_req.variable; 2586 } else { 2587 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 2588 listen_interval = le_to_host16( 2589 mgmt->u.assoc_req.listen_interval); 2590 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 2591 " capab_info=0x%02x listen_interval=%d " 2592 "seq_ctrl=0x%x%s", 2593 MAC2STR(mgmt->sa), capab_info, listen_interval, 2594 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 2595 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 2596 pos = mgmt->u.assoc_req.variable; 2597 } 2598 2599 sta = ap_get_sta(hapd, mgmt->sa); 2600 #ifdef CONFIG_IEEE80211R_AP 2601 if (sta && sta->auth_alg == WLAN_AUTH_FT && 2602 (sta->flags & WLAN_STA_AUTH) == 0) { 2603 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 2604 "prior to authentication since it is using " 2605 "over-the-DS FT", MAC2STR(mgmt->sa)); 2606 2607 /* 2608 * Mark station as authenticated, to avoid adding station 2609 * entry in the driver as associated and not authenticated 2610 */ 2611 sta->flags |= WLAN_STA_AUTH; 2612 } else 2613 #endif /* CONFIG_IEEE80211R_AP */ 2614 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 2615 if (hapd->iface->current_mode && 2616 hapd->iface->current_mode->mode == 2617 HOSTAPD_MODE_IEEE80211AD) { 2618 int acl_res; 2619 u32 session_timeout, acct_interim_interval; 2620 struct vlan_description vlan_id; 2621 2622 acl_res = ieee802_11_allowed_address( 2623 hapd, mgmt->sa, (const u8 *) mgmt, len, 2624 &session_timeout, &acct_interim_interval, 2625 &vlan_id, &psk, &identity, &radius_cui); 2626 if (acl_res == HOSTAPD_ACL_REJECT) { 2627 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2628 goto fail; 2629 } 2630 if (acl_res == HOSTAPD_ACL_PENDING) 2631 return; 2632 2633 /* DMG/IEEE 802.11ad does not use authentication. 2634 * Allocate sta entry upon association. */ 2635 sta = ap_sta_add(hapd, mgmt->sa); 2636 if (!sta) { 2637 hostapd_logger(hapd, mgmt->sa, 2638 HOSTAPD_MODULE_IEEE80211, 2639 HOSTAPD_LEVEL_INFO, 2640 "Failed to add STA"); 2641 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2642 goto fail; 2643 } 2644 2645 acl_res = ieee802_11_set_radius_info( 2646 hapd, sta, acl_res, session_timeout, 2647 acct_interim_interval, &vlan_id, &psk, 2648 &identity, &radius_cui); 2649 if (acl_res) { 2650 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2651 goto fail; 2652 } 2653 2654 hostapd_logger(hapd, sta->addr, 2655 HOSTAPD_MODULE_IEEE80211, 2656 HOSTAPD_LEVEL_DEBUG, 2657 "Skip authentication for DMG/IEEE 802.11ad"); 2658 sta->flags |= WLAN_STA_AUTH; 2659 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 2660 sta->auth_alg = WLAN_AUTH_OPEN; 2661 } else { 2662 hostapd_logger(hapd, mgmt->sa, 2663 HOSTAPD_MODULE_IEEE80211, 2664 HOSTAPD_LEVEL_INFO, 2665 "Station tried to associate before authentication (aid=%d flags=0x%x)", 2666 sta ? sta->aid : -1, 2667 sta ? sta->flags : 0); 2668 send_deauth(hapd, mgmt->sa, 2669 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 2670 return; 2671 } 2672 } 2673 2674 if ((fc & WLAN_FC_RETRY) && 2675 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 2676 sta->last_seq_ctrl == seq_ctrl && 2677 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 2678 WLAN_FC_STYPE_ASSOC_REQ)) { 2679 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2680 HOSTAPD_LEVEL_DEBUG, 2681 "Drop repeated association frame seq_ctrl=0x%x", 2682 seq_ctrl); 2683 return; 2684 } 2685 sta->last_seq_ctrl = seq_ctrl; 2686 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 2687 WLAN_FC_STYPE_ASSOC_REQ; 2688 2689 if (hapd->tkip_countermeasures) { 2690 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 2691 goto fail; 2692 } 2693 2694 if (listen_interval > hapd->conf->max_listen_interval) { 2695 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2696 HOSTAPD_LEVEL_DEBUG, 2697 "Too large Listen Interval (%d)", 2698 listen_interval); 2699 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 2700 goto fail; 2701 } 2702 2703 #ifdef CONFIG_MBO 2704 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) { 2705 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2706 goto fail; 2707 } 2708 #endif /* CONFIG_MBO */ 2709 2710 /* 2711 * sta->capability is used in check_assoc_ies() for RRM enabled 2712 * capability element. 2713 */ 2714 sta->capability = capab_info; 2715 2716 #ifdef CONFIG_FILS 2717 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 2718 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2719 sta->auth_alg == WLAN_AUTH_FILS_PK) { 2720 /* The end of the payload is encrypted. Need to decrypt it 2721 * before parsing. */ 2722 2723 tmp = os_malloc(left); 2724 if (!tmp) { 2725 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2726 goto fail; 2727 } 2728 os_memcpy(tmp, pos, left); 2729 2730 left = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt, 2731 len, tmp, left); 2732 if (left < 0) { 2733 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 2734 goto fail; 2735 } 2736 pos = tmp; 2737 } 2738 #endif /* CONFIG_FILS */ 2739 2740 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 2741 * is used */ 2742 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 2743 if (resp != WLAN_STATUS_SUCCESS) 2744 goto fail; 2745 2746 if (hostapd_get_aid(hapd, sta) < 0) { 2747 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2748 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 2749 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2750 goto fail; 2751 } 2752 2753 sta->listen_interval = listen_interval; 2754 2755 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 2756 sta->flags |= WLAN_STA_NONERP; 2757 for (i = 0; i < sta->supported_rates_len; i++) { 2758 if ((sta->supported_rates[i] & 0x7f) > 22) { 2759 sta->flags &= ~WLAN_STA_NONERP; 2760 break; 2761 } 2762 } 2763 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 2764 sta->nonerp_set = 1; 2765 hapd->iface->num_sta_non_erp++; 2766 if (hapd->iface->num_sta_non_erp == 1) 2767 ieee802_11_set_beacons(hapd->iface); 2768 } 2769 2770 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 2771 !sta->no_short_slot_time_set) { 2772 sta->no_short_slot_time_set = 1; 2773 hapd->iface->num_sta_no_short_slot_time++; 2774 if (hapd->iface->current_mode->mode == 2775 HOSTAPD_MODE_IEEE80211G && 2776 hapd->iface->num_sta_no_short_slot_time == 1) 2777 ieee802_11_set_beacons(hapd->iface); 2778 } 2779 2780 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 2781 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 2782 else 2783 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 2784 2785 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 2786 !sta->no_short_preamble_set) { 2787 sta->no_short_preamble_set = 1; 2788 hapd->iface->num_sta_no_short_preamble++; 2789 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 2790 && hapd->iface->num_sta_no_short_preamble == 1) 2791 ieee802_11_set_beacons(hapd->iface); 2792 } 2793 2794 #ifdef CONFIG_IEEE80211N 2795 update_ht_state(hapd, sta); 2796 #endif /* CONFIG_IEEE80211N */ 2797 2798 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2799 HOSTAPD_LEVEL_DEBUG, 2800 "association OK (aid %d)", sta->aid); 2801 /* Station will be marked associated, after it acknowledges AssocResp 2802 */ 2803 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 2804 2805 #ifdef CONFIG_IEEE80211W 2806 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 2807 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 2808 "SA Query procedure", reassoc ? "re" : ""); 2809 /* TODO: Send a protected Disassociate frame to the STA using 2810 * the old key and Reason Code "Previous Authentication no 2811 * longer valid". Make sure this is only sent protected since 2812 * unprotected frame would be received by the STA that is now 2813 * trying to associate. 2814 */ 2815 } 2816 #endif /* CONFIG_IEEE80211W */ 2817 2818 /* Make sure that the previously registered inactivity timer will not 2819 * remove the STA immediately. */ 2820 sta->timeout_next = STA_NULLFUNC; 2821 2822 #ifdef CONFIG_TAXONOMY 2823 taxonomy_sta_info_assoc_req(hapd, sta, pos, left); 2824 #endif /* CONFIG_TAXONOMY */ 2825 2826 sta->pending_wds_enable = 0; 2827 2828 #ifdef CONFIG_FILS 2829 if (sta->auth_alg == WLAN_AUTH_FILS_SK || 2830 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 2831 sta->auth_alg == WLAN_AUTH_FILS_PK) { 2832 if (fils_process_hlp(hapd, sta, pos, left) > 0) 2833 delay_assoc = 1; 2834 } 2835 #endif /* CONFIG_FILS */ 2836 2837 fail: 2838 os_free(identity); 2839 os_free(radius_cui); 2840 hostapd_free_psk_list(psk); 2841 2842 /* 2843 * In case of a successful response, add the station to the driver. 2844 * Otherwise, the kernel may ignore Data frames before we process the 2845 * ACK frame (TX status). In case of a failure, this station will be 2846 * removed. 2847 * 2848 * Note that this is not compliant with the IEEE 802.11 standard that 2849 * states that a non-AP station should transition into the 2850 * authenticated/associated state only after the station acknowledges 2851 * the (Re)Association Response frame. However, still do this as: 2852 * 2853 * 1. In case the station does not acknowledge the (Re)Association 2854 * Response frame, it will be removed. 2855 * 2. Data frames will be dropped in the kernel until the station is 2856 * set into authorized state, and there are no significant known 2857 * issues with processing other non-Data Class 3 frames during this 2858 * window. 2859 */ 2860 if (resp == WLAN_STATUS_SUCCESS && sta && add_associated_sta(hapd, sta)) 2861 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 2862 2863 #ifdef CONFIG_FILS 2864 if (sta) { 2865 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2866 os_free(sta->fils_pending_assoc_req); 2867 sta->fils_pending_assoc_req = NULL; 2868 sta->fils_pending_assoc_req_len = 0; 2869 wpabuf_free(sta->fils_hlp_resp); 2870 sta->fils_hlp_resp = NULL; 2871 } 2872 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) { 2873 sta->fils_pending_assoc_req = tmp; 2874 sta->fils_pending_assoc_req_len = left; 2875 sta->fils_pending_assoc_is_reassoc = reassoc; 2876 wpa_printf(MSG_DEBUG, 2877 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to " 2878 MACSTR, MAC2STR(sta->addr)); 2879 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta); 2880 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024, 2881 fils_hlp_timeout, hapd, sta); 2882 return; 2883 } 2884 #endif /* CONFIG_FILS */ 2885 2886 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos, 2887 left); 2888 os_free(tmp); 2889 2890 /* 2891 * Remove the station in case tranmission of a success response fails 2892 * (the STA was added associated to the driver) or if the station was 2893 * previously added unassociated. 2894 */ 2895 if (sta && ((reply_res != WLAN_STATUS_SUCCESS && 2896 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) { 2897 hostapd_drv_sta_remove(hapd, sta->addr); 2898 sta->added_unassoc = 0; 2899 } 2900 } 2901 2902 2903 static void handle_disassoc(struct hostapd_data *hapd, 2904 const struct ieee80211_mgmt *mgmt, size_t len) 2905 { 2906 struct sta_info *sta; 2907 2908 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 2909 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)", 2910 (unsigned long) len); 2911 return; 2912 } 2913 2914 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", 2915 MAC2STR(mgmt->sa), 2916 le_to_host16(mgmt->u.disassoc.reason_code)); 2917 2918 sta = ap_get_sta(hapd, mgmt->sa); 2919 if (sta == NULL) { 2920 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated", 2921 MAC2STR(mgmt->sa)); 2922 return; 2923 } 2924 2925 ap_sta_set_authorized(hapd, sta, 0); 2926 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 2927 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 2928 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 2929 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2930 HOSTAPD_LEVEL_INFO, "disassociated"); 2931 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 2932 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 2933 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 2934 * authenticated. */ 2935 accounting_sta_stop(hapd, sta); 2936 ieee802_1x_free_station(hapd, sta); 2937 if (sta->ipaddr) 2938 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 2939 ap_sta_ip6addr_del(hapd, sta); 2940 hostapd_drv_sta_remove(hapd, sta->addr); 2941 sta->added_unassoc = 0; 2942 2943 if (sta->timeout_next == STA_NULLFUNC || 2944 sta->timeout_next == STA_DISASSOC) { 2945 sta->timeout_next = STA_DEAUTH; 2946 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 2947 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 2948 hapd, sta); 2949 } 2950 2951 mlme_disassociate_indication( 2952 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 2953 2954 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon 2955 * disassociation. */ 2956 if (hapd->iface->current_mode && 2957 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) { 2958 sta->flags &= ~WLAN_STA_AUTH; 2959 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 2960 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2961 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 2962 ap_free_sta(hapd, sta); 2963 } 2964 } 2965 2966 2967 static void handle_deauth(struct hostapd_data *hapd, 2968 const struct ieee80211_mgmt *mgmt, size_t len) 2969 { 2970 struct sta_info *sta; 2971 2972 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 2973 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short " 2974 "payload (len=%lu)", (unsigned long) len); 2975 return; 2976 } 2977 2978 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR 2979 " reason_code=%d", 2980 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 2981 2982 sta = ap_get_sta(hapd, mgmt->sa); 2983 if (sta == NULL) { 2984 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " 2985 "to deauthenticate, but it is not authenticated", 2986 MAC2STR(mgmt->sa)); 2987 return; 2988 } 2989 2990 ap_sta_set_authorized(hapd, sta, 0); 2991 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 2992 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 2993 WLAN_STA_ASSOC_REQ_OK); 2994 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 2995 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2996 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 2997 mlme_deauthenticate_indication( 2998 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 2999 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 3000 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 3001 ap_free_sta(hapd, sta); 3002 } 3003 3004 3005 static void handle_beacon(struct hostapd_data *hapd, 3006 const struct ieee80211_mgmt *mgmt, size_t len, 3007 struct hostapd_frame_info *fi) 3008 { 3009 struct ieee802_11_elems elems; 3010 3011 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 3012 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 3013 (unsigned long) len); 3014 return; 3015 } 3016 3017 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 3018 len - (IEEE80211_HDRLEN + 3019 sizeof(mgmt->u.beacon)), &elems, 3020 0); 3021 3022 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 3023 } 3024 3025 3026 #ifdef CONFIG_IEEE80211W 3027 3028 static int hostapd_sa_query_action(struct hostapd_data *hapd, 3029 const struct ieee80211_mgmt *mgmt, 3030 size_t len) 3031 { 3032 const u8 *end; 3033 3034 end = mgmt->u.action.u.sa_query_resp.trans_id + 3035 WLAN_SA_QUERY_TR_ID_LEN; 3036 if (((u8 *) mgmt) + len < end) { 3037 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action " 3038 "frame (len=%lu)", (unsigned long) len); 3039 return 0; 3040 } 3041 3042 ieee802_11_sa_query_action(hapd, mgmt->sa, 3043 mgmt->u.action.u.sa_query_resp.action, 3044 mgmt->u.action.u.sa_query_resp.trans_id); 3045 return 1; 3046 } 3047 3048 3049 static int robust_action_frame(u8 category) 3050 { 3051 return category != WLAN_ACTION_PUBLIC && 3052 category != WLAN_ACTION_HT; 3053 } 3054 #endif /* CONFIG_IEEE80211W */ 3055 3056 3057 static int handle_action(struct hostapd_data *hapd, 3058 const struct ieee80211_mgmt *mgmt, size_t len) 3059 { 3060 struct sta_info *sta; 3061 sta = ap_get_sta(hapd, mgmt->sa); 3062 3063 if (len < IEEE80211_HDRLEN + 1) { 3064 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3065 HOSTAPD_LEVEL_DEBUG, 3066 "handle_action - too short payload (len=%lu)", 3067 (unsigned long) len); 3068 return 0; 3069 } 3070 3071 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 3072 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 3073 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 3074 "frame (category=%u) from unassociated STA " MACSTR, 3075 mgmt->u.action.category, MAC2STR(mgmt->sa)); 3076 return 0; 3077 } 3078 3079 #ifdef CONFIG_IEEE80211W 3080 if (sta && (sta->flags & WLAN_STA_MFP) && 3081 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 3082 robust_action_frame(mgmt->u.action.category)) { 3083 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3084 HOSTAPD_LEVEL_DEBUG, 3085 "Dropped unprotected Robust Action frame from " 3086 "an MFP STA"); 3087 return 0; 3088 } 3089 #endif /* CONFIG_IEEE80211W */ 3090 3091 if (sta) { 3092 u16 fc = le_to_host16(mgmt->frame_control); 3093 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 3094 3095 if ((fc & WLAN_FC_RETRY) && 3096 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 3097 sta->last_seq_ctrl == seq_ctrl && 3098 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 3099 hostapd_logger(hapd, sta->addr, 3100 HOSTAPD_MODULE_IEEE80211, 3101 HOSTAPD_LEVEL_DEBUG, 3102 "Drop repeated action frame seq_ctrl=0x%x", 3103 seq_ctrl); 3104 return 1; 3105 } 3106 3107 sta->last_seq_ctrl = seq_ctrl; 3108 sta->last_subtype = WLAN_FC_STYPE_ACTION; 3109 } 3110 3111 switch (mgmt->u.action.category) { 3112 #ifdef CONFIG_IEEE80211R_AP 3113 case WLAN_ACTION_FT: 3114 if (!sta || 3115 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 3116 len - IEEE80211_HDRLEN)) 3117 break; 3118 return 1; 3119 #endif /* CONFIG_IEEE80211R_AP */ 3120 case WLAN_ACTION_WMM: 3121 hostapd_wmm_action(hapd, mgmt, len); 3122 return 1; 3123 #ifdef CONFIG_IEEE80211W 3124 case WLAN_ACTION_SA_QUERY: 3125 return hostapd_sa_query_action(hapd, mgmt, len); 3126 #endif /* CONFIG_IEEE80211W */ 3127 #ifdef CONFIG_WNM 3128 case WLAN_ACTION_WNM: 3129 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 3130 return 1; 3131 #endif /* CONFIG_WNM */ 3132 #ifdef CONFIG_FST 3133 case WLAN_ACTION_FST: 3134 if (hapd->iface->fst) 3135 fst_rx_action(hapd->iface->fst, mgmt, len); 3136 else 3137 wpa_printf(MSG_DEBUG, 3138 "FST: Ignore FST Action frame - no FST attached"); 3139 return 1; 3140 #endif /* CONFIG_FST */ 3141 case WLAN_ACTION_PUBLIC: 3142 case WLAN_ACTION_PROTECTED_DUAL: 3143 #ifdef CONFIG_IEEE80211N 3144 if (len >= IEEE80211_HDRLEN + 2 && 3145 mgmt->u.action.u.public_action.action == 3146 WLAN_PA_20_40_BSS_COEX) { 3147 wpa_printf(MSG_DEBUG, 3148 "HT20/40 coex mgmt frame received from STA " 3149 MACSTR, MAC2STR(mgmt->sa)); 3150 hostapd_2040_coex_action(hapd, mgmt, len); 3151 } 3152 #endif /* CONFIG_IEEE80211N */ 3153 if (hapd->public_action_cb) { 3154 hapd->public_action_cb(hapd->public_action_cb_ctx, 3155 (u8 *) mgmt, len, 3156 hapd->iface->freq); 3157 } 3158 if (hapd->public_action_cb2) { 3159 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 3160 (u8 *) mgmt, len, 3161 hapd->iface->freq); 3162 } 3163 if (hapd->public_action_cb || hapd->public_action_cb2) 3164 return 1; 3165 break; 3166 case WLAN_ACTION_VENDOR_SPECIFIC: 3167 if (hapd->vendor_action_cb) { 3168 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 3169 (u8 *) mgmt, len, 3170 hapd->iface->freq) == 0) 3171 return 1; 3172 } 3173 break; 3174 case WLAN_ACTION_RADIO_MEASUREMENT: 3175 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len); 3176 return 1; 3177 } 3178 3179 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3180 HOSTAPD_LEVEL_DEBUG, 3181 "handle_action - unknown action category %d or invalid " 3182 "frame", 3183 mgmt->u.action.category); 3184 if (!is_multicast_ether_addr(mgmt->da) && 3185 !(mgmt->u.action.category & 0x80) && 3186 !is_multicast_ether_addr(mgmt->sa)) { 3187 struct ieee80211_mgmt *resp; 3188 3189 /* 3190 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 3191 * Return the Action frame to the source without change 3192 * except that MSB of the Category set to 1. 3193 */ 3194 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 3195 "frame back to sender"); 3196 resp = os_malloc(len); 3197 if (resp == NULL) 3198 return 0; 3199 os_memcpy(resp, mgmt, len); 3200 os_memcpy(resp->da, resp->sa, ETH_ALEN); 3201 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 3202 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 3203 resp->u.action.category |= 0x80; 3204 3205 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) { 3206 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 3207 "Action frame"); 3208 } 3209 os_free(resp); 3210 } 3211 3212 return 1; 3213 } 3214 3215 3216 /** 3217 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 3218 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 3219 * sent to) 3220 * @buf: management frame data (starting from IEEE 802.11 header) 3221 * @len: length of frame data in octets 3222 * @fi: meta data about received frame (signal level, etc.) 3223 * 3224 * Process all incoming IEEE 802.11 management frames. This will be called for 3225 * each frame received from the kernel driver through wlan#ap interface. In 3226 * addition, it can be called to re-inserted pending frames (e.g., when using 3227 * external RADIUS server as an MAC ACL). 3228 */ 3229 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 3230 struct hostapd_frame_info *fi) 3231 { 3232 struct ieee80211_mgmt *mgmt; 3233 u16 fc, stype; 3234 int ret = 0; 3235 3236 if (len < 24) 3237 return 0; 3238 3239 mgmt = (struct ieee80211_mgmt *) buf; 3240 fc = le_to_host16(mgmt->frame_control); 3241 stype = WLAN_FC_GET_STYPE(fc); 3242 3243 if (stype == WLAN_FC_STYPE_BEACON) { 3244 handle_beacon(hapd, mgmt, len, fi); 3245 return 1; 3246 } 3247 3248 if (!is_broadcast_ether_addr(mgmt->bssid) && 3249 #ifdef CONFIG_P2P 3250 /* Invitation responses can be sent with the peer MAC as BSSID */ 3251 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 3252 stype == WLAN_FC_STYPE_ACTION) && 3253 #endif /* CONFIG_P2P */ 3254 #ifdef CONFIG_MESH 3255 !(hapd->conf->mesh & MESH_ENABLED) && 3256 #endif /* CONFIG_MESH */ 3257 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) { 3258 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 3259 MAC2STR(mgmt->bssid)); 3260 return 0; 3261 } 3262 3263 3264 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 3265 handle_probe_req(hapd, mgmt, len, fi->ssi_signal); 3266 return 1; 3267 } 3268 3269 if (os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) { 3270 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3271 HOSTAPD_LEVEL_DEBUG, 3272 "MGMT: DA=" MACSTR " not our address", 3273 MAC2STR(mgmt->da)); 3274 return 0; 3275 } 3276 3277 if (hapd->iconf->track_sta_max_num) 3278 sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal); 3279 3280 switch (stype) { 3281 case WLAN_FC_STYPE_AUTH: 3282 wpa_printf(MSG_DEBUG, "mgmt::auth"); 3283 handle_auth(hapd, mgmt, len); 3284 ret = 1; 3285 break; 3286 case WLAN_FC_STYPE_ASSOC_REQ: 3287 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 3288 handle_assoc(hapd, mgmt, len, 0); 3289 ret = 1; 3290 break; 3291 case WLAN_FC_STYPE_REASSOC_REQ: 3292 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 3293 handle_assoc(hapd, mgmt, len, 1); 3294 ret = 1; 3295 break; 3296 case WLAN_FC_STYPE_DISASSOC: 3297 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 3298 handle_disassoc(hapd, mgmt, len); 3299 ret = 1; 3300 break; 3301 case WLAN_FC_STYPE_DEAUTH: 3302 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 3303 handle_deauth(hapd, mgmt, len); 3304 ret = 1; 3305 break; 3306 case WLAN_FC_STYPE_ACTION: 3307 wpa_printf(MSG_DEBUG, "mgmt::action"); 3308 ret = handle_action(hapd, mgmt, len); 3309 break; 3310 default: 3311 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 3312 HOSTAPD_LEVEL_DEBUG, 3313 "unknown mgmt frame subtype %d", stype); 3314 break; 3315 } 3316 3317 return ret; 3318 } 3319 3320 3321 static void handle_auth_cb(struct hostapd_data *hapd, 3322 const struct ieee80211_mgmt *mgmt, 3323 size_t len, int ok) 3324 { 3325 u16 auth_alg, auth_transaction, status_code; 3326 struct sta_info *sta; 3327 3328 sta = ap_get_sta(hapd, mgmt->da); 3329 if (!sta) { 3330 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found", 3331 MAC2STR(mgmt->da)); 3332 return; 3333 } 3334 3335 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 3336 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 3337 status_code = le_to_host16(mgmt->u.auth.status_code); 3338 3339 if (!ok) { 3340 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 3341 HOSTAPD_LEVEL_NOTICE, 3342 "did not acknowledge authentication response"); 3343 goto fail; 3344 } 3345 3346 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 3347 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 3348 (unsigned long) len); 3349 goto fail; 3350 } 3351 3352 if (status_code == WLAN_STATUS_SUCCESS && 3353 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 3354 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 3355 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3356 HOSTAPD_LEVEL_INFO, "authenticated"); 3357 sta->flags |= WLAN_STA_AUTH; 3358 if (sta->added_unassoc) 3359 hostapd_set_sta_flags(hapd, sta); 3360 return; 3361 } 3362 3363 fail: 3364 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) { 3365 hostapd_drv_sta_remove(hapd, sta->addr); 3366 sta->added_unassoc = 0; 3367 } 3368 } 3369 3370 3371 static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 3372 struct sta_info *sta, 3373 char *ifname_wds) 3374 { 3375 int i; 3376 struct hostapd_ssid *ssid = &hapd->conf->ssid; 3377 3378 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 3379 return; 3380 3381 for (i = 0; i < 4; i++) { 3382 if (ssid->wep.key[i] && 3383 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 3384 i == ssid->wep.idx, NULL, 0, 3385 ssid->wep.key[i], ssid->wep.len[i])) { 3386 wpa_printf(MSG_WARNING, 3387 "Could not set WEP keys for WDS interface; %s", 3388 ifname_wds); 3389 break; 3390 } 3391 } 3392 } 3393 3394 3395 static void handle_assoc_cb(struct hostapd_data *hapd, 3396 const struct ieee80211_mgmt *mgmt, 3397 size_t len, int reassoc, int ok) 3398 { 3399 u16 status; 3400 struct sta_info *sta; 3401 int new_assoc = 1; 3402 3403 sta = ap_get_sta(hapd, mgmt->da); 3404 if (!sta) { 3405 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 3406 MAC2STR(mgmt->da)); 3407 return; 3408 } 3409 3410 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 3411 sizeof(mgmt->u.assoc_resp))) { 3412 wpa_printf(MSG_INFO, 3413 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 3414 reassoc, (unsigned long) len); 3415 hostapd_drv_sta_remove(hapd, sta->addr); 3416 return; 3417 } 3418 3419 if (reassoc) 3420 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 3421 else 3422 status = le_to_host16(mgmt->u.assoc_resp.status_code); 3423 3424 if (!ok) { 3425 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 3426 HOSTAPD_LEVEL_DEBUG, 3427 "did not acknowledge association response"); 3428 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 3429 /* The STA is added only in case of SUCCESS */ 3430 if (status == WLAN_STATUS_SUCCESS) 3431 hostapd_drv_sta_remove(hapd, sta->addr); 3432 3433 return; 3434 } 3435 3436 if (status != WLAN_STATUS_SUCCESS) 3437 return; 3438 3439 /* Stop previous accounting session, if one is started, and allocate 3440 * new session id for the new session. */ 3441 accounting_sta_stop(hapd, sta); 3442 3443 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3444 HOSTAPD_LEVEL_INFO, 3445 "associated (aid %d)", 3446 sta->aid); 3447 3448 if (sta->flags & WLAN_STA_ASSOC) 3449 new_assoc = 0; 3450 sta->flags |= WLAN_STA_ASSOC; 3451 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 3452 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && 3453 !hapd->conf->osen) || 3454 sta->auth_alg == WLAN_AUTH_FILS_SK || 3455 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3456 sta->auth_alg == WLAN_AUTH_FILS_PK || 3457 sta->auth_alg == WLAN_AUTH_FT) { 3458 /* 3459 * Open, static WEP, FT protocol, or FILS; no separate 3460 * authorization step. 3461 */ 3462 ap_sta_set_authorized(hapd, sta, 1); 3463 } 3464 3465 if (reassoc) 3466 mlme_reassociate_indication(hapd, sta); 3467 else 3468 mlme_associate_indication(hapd, sta); 3469 3470 #ifdef CONFIG_IEEE80211W 3471 sta->sa_query_timed_out = 0; 3472 #endif /* CONFIG_IEEE80211W */ 3473 3474 if (sta->eapol_sm == NULL) { 3475 /* 3476 * This STA does not use RADIUS server for EAP authentication, 3477 * so bind it to the selected VLAN interface now, since the 3478 * interface selection is not going to change anymore. 3479 */ 3480 if (ap_sta_bind_vlan(hapd, sta) < 0) 3481 return; 3482 } else if (sta->vlan_id) { 3483 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 3484 if (ap_sta_bind_vlan(hapd, sta) < 0) 3485 return; 3486 } 3487 3488 hostapd_set_sta_flags(hapd, sta); 3489 3490 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) { 3491 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA " 3492 MACSTR " based on pending request", 3493 MAC2STR(sta->addr)); 3494 sta->pending_wds_enable = 0; 3495 sta->flags |= WLAN_STA_WDS; 3496 } 3497 3498 if (sta->flags & WLAN_STA_WDS) { 3499 int ret; 3500 char ifname_wds[IFNAMSIZ + 1]; 3501 3502 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA " 3503 MACSTR " (aid %u)", 3504 MAC2STR(sta->addr), sta->aid); 3505 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 3506 sta->aid, 1); 3507 if (!ret) 3508 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 3509 } 3510 3511 if (sta->auth_alg == WLAN_AUTH_FT) 3512 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 3513 else 3514 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 3515 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 3516 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 3517 3518 #ifdef CONFIG_FILS 3519 if ((sta->auth_alg == WLAN_AUTH_FILS_SK || 3520 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS || 3521 sta->auth_alg == WLAN_AUTH_FILS_PK) && 3522 fils_set_tk(sta->wpa_sm) < 0) { 3523 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed"); 3524 ap_sta_disconnect(hapd, sta, sta->addr, 3525 WLAN_REASON_UNSPECIFIED); 3526 return; 3527 } 3528 #endif /* CONFIG_FILS */ 3529 3530 if (sta->pending_eapol_rx) { 3531 struct os_reltime now, age; 3532 3533 os_get_reltime(&now); 3534 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age); 3535 if (age.sec == 0 && age.usec < 200000) { 3536 wpa_printf(MSG_DEBUG, 3537 "Process pending EAPOL frame that was received from " MACSTR " just before association notification", 3538 MAC2STR(sta->addr)); 3539 ieee802_1x_receive( 3540 hapd, mgmt->da, 3541 wpabuf_head(sta->pending_eapol_rx->buf), 3542 wpabuf_len(sta->pending_eapol_rx->buf)); 3543 } 3544 wpabuf_free(sta->pending_eapol_rx->buf); 3545 os_free(sta->pending_eapol_rx); 3546 sta->pending_eapol_rx = NULL; 3547 } 3548 } 3549 3550 3551 static void handle_deauth_cb(struct hostapd_data *hapd, 3552 const struct ieee80211_mgmt *mgmt, 3553 size_t len, int ok) 3554 { 3555 struct sta_info *sta; 3556 if (is_multicast_ether_addr(mgmt->da)) 3557 return; 3558 sta = ap_get_sta(hapd, mgmt->da); 3559 if (!sta) { 3560 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 3561 " not found", MAC2STR(mgmt->da)); 3562 return; 3563 } 3564 if (ok) 3565 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 3566 MAC2STR(sta->addr)); 3567 else 3568 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 3569 "deauth", MAC2STR(sta->addr)); 3570 3571 ap_sta_deauth_cb(hapd, sta); 3572 } 3573 3574 3575 static void handle_disassoc_cb(struct hostapd_data *hapd, 3576 const struct ieee80211_mgmt *mgmt, 3577 size_t len, int ok) 3578 { 3579 struct sta_info *sta; 3580 if (is_multicast_ether_addr(mgmt->da)) 3581 return; 3582 sta = ap_get_sta(hapd, mgmt->da); 3583 if (!sta) { 3584 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 3585 " not found", MAC2STR(mgmt->da)); 3586 return; 3587 } 3588 if (ok) 3589 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 3590 MAC2STR(sta->addr)); 3591 else 3592 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 3593 "disassoc", MAC2STR(sta->addr)); 3594 3595 ap_sta_disassoc_cb(hapd, sta); 3596 } 3597 3598 3599 static void handle_action_cb(struct hostapd_data *hapd, 3600 const struct ieee80211_mgmt *mgmt, 3601 size_t len, int ok) 3602 { 3603 struct sta_info *sta; 3604 const struct rrm_measurement_report_element *report; 3605 3606 if (is_multicast_ether_addr(mgmt->da)) 3607 return; 3608 sta = ap_get_sta(hapd, mgmt->da); 3609 if (!sta) { 3610 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR 3611 " not found", MAC2STR(mgmt->da)); 3612 return; 3613 } 3614 3615 if (len < 24 + 5 + sizeof(*report)) 3616 return; 3617 report = (const struct rrm_measurement_report_element *) 3618 &mgmt->u.action.u.rrm.variable[2]; 3619 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT && 3620 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST && 3621 report->eid == WLAN_EID_MEASURE_REQUEST && 3622 report->len >= 3 && 3623 report->type == MEASURE_TYPE_BEACON) 3624 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok); 3625 } 3626 3627 3628 /** 3629 * ieee802_11_mgmt_cb - Process management frame TX status callback 3630 * @hapd: hostapd BSS data structure (the BSS from which the management frame 3631 * was sent from) 3632 * @buf: management frame data (starting from IEEE 802.11 header) 3633 * @len: length of frame data in octets 3634 * @stype: management frame subtype from frame control field 3635 * @ok: Whether the frame was ACK'ed 3636 */ 3637 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 3638 u16 stype, int ok) 3639 { 3640 const struct ieee80211_mgmt *mgmt; 3641 mgmt = (const struct ieee80211_mgmt *) buf; 3642 3643 #ifdef CONFIG_TESTING_OPTIONS 3644 if (hapd->ext_mgmt_frame_handling) { 3645 wpa_msg(hapd->msg_ctx, MSG_INFO, "MGMT-TX-STATUS stype=%u ok=%d", 3646 stype, ok); 3647 return; 3648 } 3649 #endif /* CONFIG_TESTING_OPTIONS */ 3650 3651 switch (stype) { 3652 case WLAN_FC_STYPE_AUTH: 3653 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 3654 handle_auth_cb(hapd, mgmt, len, ok); 3655 break; 3656 case WLAN_FC_STYPE_ASSOC_RESP: 3657 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 3658 handle_assoc_cb(hapd, mgmt, len, 0, ok); 3659 break; 3660 case WLAN_FC_STYPE_REASSOC_RESP: 3661 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 3662 handle_assoc_cb(hapd, mgmt, len, 1, ok); 3663 break; 3664 case WLAN_FC_STYPE_PROBE_RESP: 3665 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok); 3666 break; 3667 case WLAN_FC_STYPE_DEAUTH: 3668 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 3669 handle_deauth_cb(hapd, mgmt, len, ok); 3670 break; 3671 case WLAN_FC_STYPE_DISASSOC: 3672 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 3673 handle_disassoc_cb(hapd, mgmt, len, ok); 3674 break; 3675 case WLAN_FC_STYPE_ACTION: 3676 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok); 3677 handle_action_cb(hapd, mgmt, len, ok); 3678 break; 3679 default: 3680 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 3681 break; 3682 } 3683 } 3684 3685 3686 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 3687 { 3688 /* TODO */ 3689 return 0; 3690 } 3691 3692 3693 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 3694 char *buf, size_t buflen) 3695 { 3696 /* TODO */ 3697 return 0; 3698 } 3699 3700 3701 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 3702 const u8 *buf, size_t len, int ack) 3703 { 3704 struct sta_info *sta; 3705 struct hostapd_iface *iface = hapd->iface; 3706 3707 sta = ap_get_sta(hapd, addr); 3708 if (sta == NULL && iface->num_bss > 1) { 3709 size_t j; 3710 for (j = 0; j < iface->num_bss; j++) { 3711 hapd = iface->bss[j]; 3712 sta = ap_get_sta(hapd, addr); 3713 if (sta) 3714 break; 3715 } 3716 } 3717 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 3718 return; 3719 if (sta->flags & WLAN_STA_PENDING_POLL) { 3720 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 3721 "activity poll", MAC2STR(sta->addr), 3722 ack ? "ACKed" : "did not ACK"); 3723 if (ack) 3724 sta->flags &= ~WLAN_STA_PENDING_POLL; 3725 } 3726 3727 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 3728 } 3729 3730 3731 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, 3732 const u8 *data, size_t len, int ack) 3733 { 3734 struct sta_info *sta; 3735 struct hostapd_iface *iface = hapd->iface; 3736 3737 sta = ap_get_sta(hapd, dst); 3738 if (sta == NULL && iface->num_bss > 1) { 3739 size_t j; 3740 for (j = 0; j < iface->num_bss; j++) { 3741 hapd = iface->bss[j]; 3742 sta = ap_get_sta(hapd, dst); 3743 if (sta) 3744 break; 3745 } 3746 } 3747 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) { 3748 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA " 3749 MACSTR " that is not currently associated", 3750 MAC2STR(dst)); 3751 return; 3752 } 3753 3754 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack); 3755 } 3756 3757 3758 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 3759 { 3760 struct sta_info *sta; 3761 struct hostapd_iface *iface = hapd->iface; 3762 3763 sta = ap_get_sta(hapd, addr); 3764 if (sta == NULL && iface->num_bss > 1) { 3765 size_t j; 3766 for (j = 0; j < iface->num_bss; j++) { 3767 hapd = iface->bss[j]; 3768 sta = ap_get_sta(hapd, addr); 3769 if (sta) 3770 break; 3771 } 3772 } 3773 if (sta == NULL) 3774 return; 3775 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR, 3776 MAC2STR(sta->addr)); 3777 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 3778 return; 3779 3780 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 3781 "activity poll", MAC2STR(sta->addr)); 3782 sta->flags &= ~WLAN_STA_PENDING_POLL; 3783 } 3784 3785 3786 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 3787 int wds) 3788 { 3789 struct sta_info *sta; 3790 3791 sta = ap_get_sta(hapd, src); 3792 if (sta && 3793 ((sta->flags & WLAN_STA_ASSOC) || 3794 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) { 3795 if (!hapd->conf->wds_sta) 3796 return; 3797 3798 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) == 3799 WLAN_STA_ASSOC_REQ_OK) { 3800 wpa_printf(MSG_DEBUG, 3801 "Postpone 4-address WDS mode enabling for STA " 3802 MACSTR " since TX status for AssocResp is not yet known", 3803 MAC2STR(sta->addr)); 3804 sta->pending_wds_enable = 1; 3805 return; 3806 } 3807 3808 if (wds && !(sta->flags & WLAN_STA_WDS)) { 3809 int ret; 3810 char ifname_wds[IFNAMSIZ + 1]; 3811 3812 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 3813 "STA " MACSTR " (aid %u)", 3814 MAC2STR(sta->addr), sta->aid); 3815 sta->flags |= WLAN_STA_WDS; 3816 ret = hostapd_set_wds_sta(hapd, ifname_wds, 3817 sta->addr, sta->aid, 1); 3818 if (!ret) 3819 hostapd_set_wds_encryption(hapd, sta, 3820 ifname_wds); 3821 } 3822 return; 3823 } 3824 3825 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 3826 MACSTR, MAC2STR(src)); 3827 if (is_multicast_ether_addr(src)) { 3828 /* Broadcast bit set in SA?! Ignore the frame silently. */ 3829 return; 3830 } 3831 3832 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 3833 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 3834 "already been sent, but no TX status yet known - " 3835 "ignore Class 3 frame issue with " MACSTR, 3836 MAC2STR(src)); 3837 return; 3838 } 3839 3840 if (sta && (sta->flags & WLAN_STA_AUTH)) 3841 hostapd_drv_sta_disassoc( 3842 hapd, src, 3843 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 3844 else 3845 hostapd_drv_sta_deauth( 3846 hapd, src, 3847 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 3848 } 3849 3850 3851 #endif /* CONFIG_NATIVE_WINDOWS */ 3852
