1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58
59
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 struct sta_info *sta, u16 *resp,
64 struct rsn_pmksa_cache_entry *pmksa,
65 struct wpabuf *erp_resp,
66 const u8 *msk, size_t msk_len,
67 int *is_pub);
68 #endif /* CONFIG_FILS */
69
70 #ifdef CONFIG_PASN
71
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 struct sta_info *sta,
74 struct rsn_pmksa_cache_entry *pmksa,
75 u16 status);
76 #ifdef CONFIG_FILS
77
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 struct sta_info *sta, u16 status,
80 struct wpabuf *erp_resp,
81 const u8 *msk, size_t msk_len);
82
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85
86 static void handle_auth(struct hostapd_data *hapd,
87 const struct ieee80211_mgmt *mgmt, size_t len,
88 int rssi, int from_queue);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 u8 multi_ap_val = 0;
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97 if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101
102 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104
105
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 u8 *pos = eid;
109 int i, num, count;
110 int h2e_required;
111
112 if (hapd->iface->current_rates == NULL)
113 return eid;
114
115 *pos++ = WLAN_EID_SUPP_RATES;
116 num = hapd->iface->num_rates;
117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 num++;
119 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 num++;
121 h2e_required = (hapd->conf->sae_pwe == 1 ||
122 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 hapd->conf->sae_pwe != 3 &&
124 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 if (h2e_required)
126 num++;
127 if (num > 8) {
128 /* rest of the rates are encoded in Extended supported
129 * rates element */
130 num = 8;
131 }
132
133 *pos++ = num;
134 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 i++) {
136 count++;
137 *pos = hapd->iface->current_rates[i].rate / 5;
138 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 *pos |= 0x80;
140 pos++;
141 }
142
143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 count++;
145 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 }
147
148 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 count++;
150 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 }
152
153 if (h2e_required && count < 8) {
154 count++;
155 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 }
157
158 return pos;
159 }
160
161
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 u8 *pos = eid;
165 int i, num, count;
166 int h2e_required;
167
168 if (hapd->iface->current_rates == NULL)
169 return eid;
170
171 num = hapd->iface->num_rates;
172 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 num++;
174 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 num++;
176 h2e_required = (hapd->conf->sae_pwe == 1 ||
177 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 hapd->conf->sae_pwe != 3 &&
179 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 if (h2e_required)
181 num++;
182 if (num <= 8)
183 return eid;
184 num -= 8;
185
186 *pos++ = WLAN_EID_EXT_SUPP_RATES;
187 *pos++ = num;
188 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 i++) {
190 count++;
191 if (count <= 8)
192 continue; /* already in SuppRates IE */
193 *pos = hapd->iface->current_rates[i].rate / 5;
194 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 *pos |= 0x80;
196 pos++;
197 }
198
199 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 count++;
201 if (count > 8)
202 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 }
204
205 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 count++;
207 if (count > 8)
208 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 }
210
211 if (h2e_required) {
212 count++;
213 if (count > 8)
214 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 }
216
217 return pos;
218 }
219
220
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 size_t len)
223 {
224 size_t i;
225
226 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 if (hapd->conf->radio_measurements[i])
228 break;
229 }
230
231 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 return eid;
233
234 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 *eid++ = RRM_CAPABILITIES_IE_LEN;
236 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237
238 return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240
241
hostapd_own_capab_info(struct hostapd_data * hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 int capab = WLAN_CAPABILITY_ESS;
245 int privacy = 0;
246 int dfs;
247 int i;
248
249 /* Check if any of configured channels require DFS */
250 dfs = hostapd_is_dfs_required(hapd->iface);
251 if (dfs < 0) {
252 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 dfs);
254 dfs = 0;
255 }
256
257 if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 hapd->iconf->preamble == SHORT_PREAMBLE)
259 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260
261 #ifdef CONFIG_WEP
262 privacy = hapd->conf->ssid.wep.keys_set;
263
264 if (hapd->conf->ieee802_1x &&
265 (hapd->conf->default_wep_key_len ||
266 hapd->conf->individual_wep_key_len))
267 privacy = 1;
268 #endif /* CONFIG_WEP */
269
270 if (hapd->conf->wpa)
271 privacy = 1;
272
273 #ifdef CONFIG_HS20
274 if (hapd->conf->osen)
275 privacy = 1;
276 #endif /* CONFIG_HS20 */
277
278 if (privacy)
279 capab |= WLAN_CAPABILITY_PRIVACY;
280
281 if (hapd->iface->current_mode &&
282 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 hapd->iface->num_sta_no_short_slot_time == 0)
284 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285
286 /*
287 * Currently, Spectrum Management capability bit is set when directly
288 * requested in configuration by spectrum_mgmt_required or when AP is
289 * running on DFS channel.
290 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 */
292 if (hapd->iface->current_mode &&
293 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 (hapd->iconf->spectrum_mgmt_required || dfs))
295 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296
297 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 if (hapd->conf->radio_measurements[i]) {
299 capab |= IEEE80211_CAP_RRM;
300 break;
301 }
302 }
303
304 return capab;
305 }
306
307
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 u16 auth_transaction, const u8 *challenge,
312 int iswep)
313 {
314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 HOSTAPD_LEVEL_DEBUG,
316 "authentication (shared key, transaction %d)",
317 auth_transaction);
318
319 if (auth_transaction == 1) {
320 if (!sta->challenge) {
321 /* Generate a pseudo-random challenge */
322 u8 key[8];
323
324 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 if (sta->challenge == NULL)
326 return WLAN_STATUS_UNSPECIFIED_FAILURE;
327
328 if (os_get_random(key, sizeof(key)) < 0) {
329 os_free(sta->challenge);
330 sta->challenge = NULL;
331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 }
333
334 rc4_skip(key, sizeof(key), 0,
335 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 }
337 return 0;
338 }
339
340 if (auth_transaction != 3)
341 return WLAN_STATUS_UNSPECIFIED_FAILURE;
342
343 /* Transaction 3 */
344 if (!iswep || !sta->challenge || !challenge ||
345 os_memcmp_const(sta->challenge, challenge,
346 WLAN_AUTH_CHALLENGE_LEN)) {
347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_INFO,
349 "shared key authentication - invalid "
350 "challenge-response");
351 return WLAN_STATUS_CHALLENGE_FAIL;
352 }
353
354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 HOSTAPD_LEVEL_DEBUG,
356 "authentication OK (shared key)");
357 sta->flags |= WLAN_STA_AUTH;
358 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 os_free(sta->challenge);
360 sta->challenge = NULL;
361
362 return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366
367
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 const u8 *dst, const u8 *bssid,
370 u16 auth_alg, u16 auth_transaction, u16 resp,
371 const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 struct ieee80211_mgmt *reply;
374 u8 *buf;
375 size_t rlen;
376 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377
378 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 buf = os_zalloc(rlen);
380 if (buf == NULL)
381 return -1;
382
383 reply = (struct ieee80211_mgmt *) buf;
384 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 WLAN_FC_STYPE_AUTH);
386 os_memcpy(reply->da, dst, ETH_ALEN);
387 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 os_memcpy(reply->bssid, bssid, ETH_ALEN);
389
390 reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 reply->u.auth.status_code = host_to_le16(resp);
393
394 if (ies && ies_len)
395 os_memcpy(reply->u.auth.variable, ies, ies_len);
396
397 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
398 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 MAC2STR(dst), auth_alg, auth_transaction,
400 resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 if (hapd->conf->sae_confirm_immediate == 2 &&
404 auth_alg == WLAN_AUTH_SAE) {
405 if (auth_transaction == 1 && sta &&
406 (resp == WLAN_STATUS_SUCCESS ||
407 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 resp == WLAN_STATUS_SAE_PK)) {
409 wpa_printf(MSG_DEBUG,
410 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 os_free(sta->sae_postponed_commit);
412 sta->sae_postponed_commit = buf;
413 sta->sae_postponed_commit_len = rlen;
414 return WLAN_STATUS_SUCCESS;
415 }
416
417 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 wpa_printf(MSG_DEBUG,
419 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 if (hostapd_drv_send_mlme(hapd,
421 sta->sae_postponed_commit,
422 sta->sae_postponed_commit_len,
423 0, NULL, 0, 0) < 0)
424 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 os_free(sta->sae_postponed_commit);
426 sta->sae_postponed_commit = NULL;
427 sta->sae_postponed_commit_len = 0;
428 }
429 }
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 else
435 reply_res = WLAN_STATUS_SUCCESS;
436
437 os_free(buf);
438
439 return reply_res;
440 }
441
442
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 u16 auth_transaction, u16 status,
446 const u8 *ies, size_t ies_len)
447 {
448 struct hostapd_data *hapd = ctx;
449 struct sta_info *sta;
450 int reply_res;
451
452 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 auth_transaction, status, ies, ies_len,
454 "auth-ft-finish");
455
456 sta = ap_get_sta(hapd, dst);
457 if (sta == NULL)
458 return;
459
460 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 status != WLAN_STATUS_SUCCESS)) {
462 hostapd_drv_sta_remove(hapd, sta->addr);
463 sta->added_unassoc = 0;
464 return;
465 }
466
467 if (status != WLAN_STATUS_SUCCESS)
468 return;
469
470 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 sta->flags |= WLAN_STA_AUTH;
473 mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476
477
478 #ifdef CONFIG_SAE
479
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 const char *reason)
482 {
483 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
484 sae_state_txt(sta->sae->state), sae_state_txt(state),
485 MAC2STR(sta->addr), reason);
486 sta->sae->state = state;
487 }
488
489
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const char *rx_id,
493 struct sae_password_entry **pw_entry,
494 struct sae_pt **s_pt,
495 const struct sae_pk **s_pk)
496 {
497 const char *password = NULL;
498 struct sae_password_entry *pw;
499 struct sae_pt *pt = NULL;
500 const struct sae_pk *pk = NULL;
501
502 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 continue;
506 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 continue;
508 if (rx_id && pw->identifier &&
509 os_strcmp(rx_id, pw->identifier) != 0)
510 continue;
511 password = pw->password;
512 pt = pw->pt;
513 if (!(hapd->conf->mesh & MESH_ENABLED))
514 pk = pw->pk;
515 break;
516 }
517 if (!password) {
518 password = hapd->conf->ssid.wpa_passphrase;
519 pt = hapd->conf->ssid.pt;
520 }
521
522 if (pw_entry)
523 *pw_entry = pw;
524 if (s_pt)
525 *s_pt = pt;
526 if (s_pk)
527 *s_pk = pk;
528
529 return password;
530 }
531
532
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 struct sta_info *sta, int update,
535 int status_code)
536 {
537 struct wpabuf *buf;
538 const char *password = NULL;
539 struct sae_password_entry *pw;
540 const char *rx_id = NULL;
541 int use_pt = 0;
542 struct sae_pt *pt = NULL;
543 const struct sae_pk *pk = NULL;
544
545 if (sta->sae->tmp) {
546 rx_id = sta->sae->tmp->pw_id;
547 use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 }
553
554 if (rx_id && hapd->conf->sae_pwe != 3)
555 use_pt = 1;
556 else if (status_code == WLAN_STATUS_SUCCESS)
557 use_pt = 0;
558 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 status_code == WLAN_STATUS_SAE_PK)
560 use_pt = 1;
561
562 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 if (!password || (use_pt && !pt)) {
564 wpa_printf(MSG_DEBUG, "SAE: No password available");
565 return NULL;
566 }
567
568 if (update && use_pt &&
569 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 NULL, pk) < 0)
571 return NULL;
572
573 if (update && !use_pt &&
574 sae_prepare_commit(hapd->own_addr, sta->addr,
575 (u8 *) password, os_strlen(password),
576 sta->sae) < 0) {
577 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 return NULL;
579 }
580
581 if (pw && pw->vlan_id) {
582 if (!sta->sae->tmp) {
583 wpa_printf(MSG_INFO,
584 "SAE: No temporary data allocated - cannot store VLAN ID");
585 return NULL;
586 }
587 sta->sae->tmp->vlan_id = pw->vlan_id;
588 }
589
590 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 (rx_id ? 3 + os_strlen(rx_id) : 0));
592 if (buf &&
593 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 sta->sae->tmp->anti_clogging_token : NULL,
595 rx_id) < 0) {
596 wpabuf_free(buf);
597 buf = NULL;
598 }
599
600 return buf;
601 }
602
603
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 struct sta_info *sta)
606 {
607 struct wpabuf *buf;
608
609 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 if (buf == NULL)
611 return NULL;
612
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 if (sta->sae->tmp)
616 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619
620 if (sae_write_confirm(sta->sae, buf) < 0) {
621 wpabuf_free(buf);
622 return NULL;
623 }
624
625 return buf;
626 }
627
628
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 struct sta_info *sta,
631 const u8 *bssid, int update, int status_code)
632 {
633 struct wpabuf *data;
634 int reply_res;
635 u16 status;
636
637 data = auth_build_sae_commit(hapd, sta, update, status_code);
638 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 if (data == NULL)
641 return WLAN_STATUS_UNSPECIFIED_FAILURE;
642
643 if (sta->sae->tmp && sta->sae->pk)
644 status = WLAN_STATUS_SAE_PK;
645 else if (sta->sae->tmp && sta->sae->h2e)
646 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 else
648 status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (hapd->conf->sae_commit_status >= 0 &&
651 hapd->conf->sae_commit_status != status) {
652 wpa_printf(MSG_INFO,
653 "TESTING: Override SAE commit status code %u --> %d",
654 status, hapd->conf->sae_commit_status);
655 status = hapd->conf->sae_commit_status;
656 }
657 #endif /* CONFIG_TESTING_OPTIONS */
658 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 WLAN_AUTH_SAE, 1,
660 status, wpabuf_head(data),
661 wpabuf_len(data), "sae-send-commit");
662
663 wpabuf_free(data);
664
665 return reply_res;
666 }
667
668
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 struct sta_info *sta,
671 const u8 *bssid)
672 {
673 struct wpabuf *data;
674 int reply_res;
675
676 data = auth_build_sae_confirm(hapd, sta);
677 if (data == NULL)
678 return WLAN_STATUS_UNSPECIFIED_FAILURE;
679
680 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 WLAN_AUTH_SAE, 2,
682 WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 wpabuf_len(data), "sae-send-confirm");
684
685 wpabuf_free(data);
686
687 return reply_res;
688 }
689
690 #endif /* CONFIG_SAE */
691
692
693 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
694
use_anti_clogging(struct hostapd_data * hapd)695 static int use_anti_clogging(struct hostapd_data *hapd)
696 {
697 struct sta_info *sta;
698 unsigned int open = 0;
699
700 if (hapd->conf->anti_clogging_threshold == 0)
701 return 1;
702
703 for (sta = hapd->sta_list; sta; sta = sta->next) {
704 #ifdef CONFIG_SAE
705 if (sta->sae &&
706 (sta->sae->state == SAE_COMMITTED ||
707 sta->sae->state == SAE_CONFIRMED))
708 open++;
709 #endif /* CONFIG_SAE */
710 #ifdef CONFIG_PASN
711 if (sta->pasn && sta->pasn->ecdh)
712 open++;
713 #endif /* CONFIG_PASN */
714 if (open >= hapd->conf->anti_clogging_threshold)
715 return 1;
716 }
717
718 #ifdef CONFIG_SAE
719 /* In addition to already existing open SAE sessions, check whether
720 * there are enough pending commit messages in the processing queue to
721 * potentially result in too many open sessions. */
722 if (open + dl_list_len(&hapd->sae_commit_queue) >=
723 hapd->conf->anti_clogging_threshold)
724 return 1;
725 #endif /* CONFIG_SAE */
726
727 return 0;
728 }
729
730
comeback_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)731 static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
732 u8 *idx)
733 {
734 u8 hash[SHA256_MAC_LEN];
735
736 if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
737 addr, ETH_ALEN, hash) < 0)
738 return -1;
739 *idx = hash[0];
740 return 0;
741 }
742
743
check_comeback_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)744 static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
745 const u8 *token, size_t token_len)
746 {
747 u8 mac[SHA256_MAC_LEN];
748 const u8 *addrs[2];
749 size_t len[2];
750 u16 token_idx;
751 u8 idx;
752
753 if (token_len != SHA256_MAC_LEN ||
754 comeback_token_hash(hapd, addr, &idx) < 0)
755 return -1;
756 token_idx = hapd->comeback_pending_idx[idx];
757 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
758 wpa_printf(MSG_DEBUG,
759 "Comeback: Invalid anti-clogging token from "
760 MACSTR " - token_idx 0x%04x, expected 0x%04x",
761 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
762 return -1;
763 }
764
765 addrs[0] = addr;
766 len[0] = ETH_ALEN;
767 addrs[1] = token;
768 len[1] = 2;
769 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
770 2, addrs, len, mac) < 0 ||
771 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
772 return -1;
773
774 hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
775
776 return 0;
777 }
778
779
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)780 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
781 int group, const u8 *addr, int h2e)
782 {
783 struct wpabuf *buf;
784 u8 *token;
785 struct os_reltime now;
786 u8 idx[2];
787 const u8 *addrs[2];
788 size_t len[2];
789 u8 p_idx;
790 u16 token_idx;
791
792 os_get_reltime(&now);
793 if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
794 os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
795 hapd->comeback_idx == 0xffff) {
796 if (random_get_bytes(hapd->comeback_key,
797 sizeof(hapd->comeback_key)) < 0)
798 return NULL;
799 wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key",
800 hapd->comeback_key, sizeof(hapd->comeback_key));
801 hapd->last_comeback_key_update = now;
802 hapd->comeback_idx = 0;
803 os_memset(hapd->comeback_pending_idx, 0,
804 sizeof(hapd->comeback_pending_idx));
805 }
806
807 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
808 if (buf == NULL)
809 return NULL;
810
811 if (group)
812 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
813
814 if (h2e) {
815 /* Encapsulate Anti-clogging Token field in a container IE */
816 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
817 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
818 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
819 }
820
821 if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
822 wpabuf_free(buf);
823 return NULL;
824 }
825
826 token_idx = hapd->comeback_pending_idx[p_idx];
827 if (!token_idx) {
828 hapd->comeback_idx++;
829 token_idx = hapd->comeback_idx;
830 hapd->comeback_pending_idx[p_idx] = token_idx;
831 }
832 WPA_PUT_BE16(idx, token_idx);
833 token = wpabuf_put(buf, SHA256_MAC_LEN);
834 addrs[0] = addr;
835 len[0] = ETH_ALEN;
836 addrs[1] = idx;
837 len[1] = sizeof(idx);
838 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
839 2, addrs, len, token) < 0) {
840 wpabuf_free(buf);
841 return NULL;
842 }
843 WPA_PUT_BE16(token, token_idx);
844
845 return buf;
846 }
847
848 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
849
850
851 #ifdef CONFIG_SAE
852
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)853 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
854 {
855 if (sta->sae->sync > hapd->conf->sae_sync) {
856 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
857 sta->sae->sync = 0;
858 return -1;
859 }
860 return 0;
861 }
862
863
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)864 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
865 {
866 struct hostapd_data *hapd = eloop_ctx;
867 struct sta_info *sta = eloop_data;
868 int ret;
869
870 if (sae_check_big_sync(hapd, sta))
871 return;
872 sta->sae->sync++;
873 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
874 " (sync=%d state=%s)",
875 MAC2STR(sta->addr), sta->sae->sync,
876 sae_state_txt(sta->sae->state));
877
878 switch (sta->sae->state) {
879 case SAE_COMMITTED:
880 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
881 eloop_register_timeout(0,
882 hapd->dot11RSNASAERetransPeriod * 1000,
883 auth_sae_retransmit_timer, hapd, sta);
884 break;
885 case SAE_CONFIRMED:
886 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
887 eloop_register_timeout(0,
888 hapd->dot11RSNASAERetransPeriod * 1000,
889 auth_sae_retransmit_timer, hapd, sta);
890 break;
891 default:
892 ret = -1;
893 break;
894 }
895
896 if (ret != WLAN_STATUS_SUCCESS)
897 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
898 }
899
900
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)901 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
902 {
903 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
904 }
905
906
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)907 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
908 struct sta_info *sta)
909 {
910 if (!(hapd->conf->mesh & MESH_ENABLED))
911 return;
912
913 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
914 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
915 auth_sae_retransmit_timer, hapd, sta);
916 }
917
918
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)919 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
920 struct sta_info *sta, u16 status)
921 {
922 struct external_auth params;
923
924 os_memset(¶ms, 0, sizeof(params));
925 params.status = status;
926 params.bssid = sta->addr;
927 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
928 !hapd->conf->disable_pmksa_caching)
929 params.pmkid = sta->sae->pmkid;
930
931 hostapd_drv_send_external_auth_status(hapd, ¶ms);
932 }
933
934
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)935 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
936 {
937 #ifndef CONFIG_NO_VLAN
938 struct vlan_description vlan_desc;
939
940 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
941 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
942 " to VLAN ID %d",
943 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
944
945 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
946 vlan_desc.notempty = 1;
947 vlan_desc.untagged = sta->sae->tmp->vlan_id;
948 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
949 wpa_printf(MSG_INFO,
950 "Invalid VLAN ID %d in sae_password",
951 sta->sae->tmp->vlan_id);
952 return;
953 }
954
955 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
956 ap_sta_bind_vlan(hapd, sta) < 0) {
957 wpa_printf(MSG_INFO,
958 "Failed to assign VLAN ID %d from sae_password to "
959 MACSTR, sta->sae->tmp->vlan_id,
960 MAC2STR(sta->addr));
961 return;
962 }
963 }
964 #endif /* CONFIG_NO_VLAN */
965
966 sta->flags |= WLAN_STA_AUTH;
967 sta->auth_alg = WLAN_AUTH_SAE;
968 mlme_authenticate_indication(hapd, sta);
969 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
970 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
971 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
972 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
973 sta->sae->peer_commit_scalar = NULL;
974 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
975 sta->sae->pmk, sta->sae->pmkid);
976 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
977 }
978
979
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
981 const u8 *bssid, u16 auth_transaction, u16 status_code,
982 int allow_reuse, int *sta_removed)
983 {
984 int ret;
985
986 *sta_removed = 0;
987
988 if (auth_transaction != 1 && auth_transaction != 2)
989 return WLAN_STATUS_UNSPECIFIED_FAILURE;
990
991 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
992 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
993 auth_transaction);
994 switch (sta->sae->state) {
995 case SAE_NOTHING:
996 if (auth_transaction == 1) {
997 if (sta->sae->tmp) {
998 sta->sae->h2e =
999 (status_code ==
1000 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1001 status_code == WLAN_STATUS_SAE_PK);
1002 sta->sae->pk =
1003 status_code == WLAN_STATUS_SAE_PK;
1004 }
1005 ret = auth_sae_send_commit(hapd, sta, bssid,
1006 !allow_reuse, status_code);
1007 if (ret)
1008 return ret;
1009 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1010
1011 if (sae_process_commit(sta->sae) < 0)
1012 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1013
1014 /*
1015 * In mesh case, both Commit and Confirm are sent
1016 * immediately. In infrastructure BSS, by default, only
1017 * a single Authentication frame (Commit) is expected
1018 * from the AP here and the second one (Confirm) will
1019 * be sent once the STA has sent its second
1020 * Authentication frame (Confirm). This behavior can be
1021 * overridden with explicit configuration so that the
1022 * infrastructure BSS case sends both frames together.
1023 */
1024 if ((hapd->conf->mesh & MESH_ENABLED) ||
1025 hapd->conf->sae_confirm_immediate) {
1026 /*
1027 * Send both Commit and Confirm immediately
1028 * based on SAE finite state machine
1029 * Nothing -> Confirm transition.
1030 */
1031 ret = auth_sae_send_confirm(hapd, sta, bssid);
1032 if (ret)
1033 return ret;
1034 sae_set_state(sta, SAE_CONFIRMED,
1035 "Sent Confirm (mesh)");
1036 } else {
1037 /*
1038 * For infrastructure BSS, send only the Commit
1039 * message now to get alternating sequence of
1040 * Authentication frames between the AP and STA.
1041 * Confirm will be sent in
1042 * Committed -> Confirmed/Accepted transition
1043 * when receiving Confirm from STA.
1044 */
1045 }
1046 sta->sae->sync = 0;
1047 sae_set_retransmit_timer(hapd, sta);
1048 } else {
1049 hostapd_logger(hapd, sta->addr,
1050 HOSTAPD_MODULE_IEEE80211,
1051 HOSTAPD_LEVEL_DEBUG,
1052 "SAE confirm before commit");
1053 }
1054 break;
1055 case SAE_COMMITTED:
1056 sae_clear_retransmit_timer(hapd, sta);
1057 if (auth_transaction == 1) {
1058 if (sae_process_commit(sta->sae) < 0)
1059 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1060
1061 ret = auth_sae_send_confirm(hapd, sta, bssid);
1062 if (ret)
1063 return ret;
1064 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1065 sta->sae->sync = 0;
1066 sae_set_retransmit_timer(hapd, sta);
1067 } else if (hapd->conf->mesh & MESH_ENABLED) {
1068 /*
1069 * In mesh case, follow SAE finite state machine and
1070 * send Commit now, if sync count allows.
1071 */
1072 if (sae_check_big_sync(hapd, sta))
1073 return WLAN_STATUS_SUCCESS;
1074 sta->sae->sync++;
1075
1076 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1077 status_code);
1078 if (ret)
1079 return ret;
1080
1081 sae_set_retransmit_timer(hapd, sta);
1082 } else {
1083 /*
1084 * For instructure BSS, send the postponed Confirm from
1085 * Nothing -> Confirmed transition that was reduced to
1086 * Nothing -> Committed above.
1087 */
1088 ret = auth_sae_send_confirm(hapd, sta, bssid);
1089 if (ret)
1090 return ret;
1091
1092 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1093
1094 /*
1095 * Since this was triggered on Confirm RX, run another
1096 * step to get to Accepted without waiting for
1097 * additional events.
1098 */
1099 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1100 WLAN_STATUS_SUCCESS, 0, sta_removed);
1101 }
1102 break;
1103 case SAE_CONFIRMED:
1104 sae_clear_retransmit_timer(hapd, sta);
1105 if (auth_transaction == 1) {
1106 if (sae_check_big_sync(hapd, sta))
1107 return WLAN_STATUS_SUCCESS;
1108 sta->sae->sync++;
1109
1110 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1111 status_code);
1112 if (ret)
1113 return ret;
1114
1115 if (sae_process_commit(sta->sae) < 0)
1116 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1117
1118 ret = auth_sae_send_confirm(hapd, sta, bssid);
1119 if (ret)
1120 return ret;
1121
1122 sae_set_retransmit_timer(hapd, sta);
1123 } else {
1124 sta->sae->send_confirm = 0xffff;
1125 sae_accept_sta(hapd, sta);
1126 }
1127 break;
1128 case SAE_ACCEPTED:
1129 if (auth_transaction == 1 &&
1130 (hapd->conf->mesh & MESH_ENABLED)) {
1131 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1132 ") doing reauthentication",
1133 MAC2STR(sta->addr));
1134 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1135 ap_free_sta(hapd, sta);
1136 *sta_removed = 1;
1137 } else if (auth_transaction == 1) {
1138 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1139 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1140 status_code);
1141 if (ret)
1142 return ret;
1143 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1144
1145 if (sae_process_commit(sta->sae) < 0)
1146 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1147 sta->sae->sync = 0;
1148 sae_set_retransmit_timer(hapd, sta);
1149 } else {
1150 if (sae_check_big_sync(hapd, sta))
1151 return WLAN_STATUS_SUCCESS;
1152 sta->sae->sync++;
1153
1154 ret = auth_sae_send_confirm(hapd, sta, bssid);
1155 sae_clear_temp_data(sta->sae);
1156 if (ret)
1157 return ret;
1158 }
1159 break;
1160 default:
1161 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1162 sta->sae->state);
1163 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 }
1165 return WLAN_STATUS_SUCCESS;
1166 }
1167
1168
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1169 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1170 {
1171 struct sae_data *sae = sta->sae;
1172 int i, *groups = hapd->conf->sae_groups;
1173 int default_groups[] = { 19, 0 };
1174
1175 if (sae->state != SAE_COMMITTED)
1176 return;
1177
1178 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1179
1180 if (!groups)
1181 groups = default_groups;
1182 for (i = 0; groups[i] > 0; i++) {
1183 if (sae->group == groups[i])
1184 break;
1185 }
1186
1187 if (groups[i] <= 0) {
1188 wpa_printf(MSG_DEBUG,
1189 "SAE: Previously selected group not found from the current configuration");
1190 return;
1191 }
1192
1193 for (;;) {
1194 i++;
1195 if (groups[i] <= 0) {
1196 wpa_printf(MSG_DEBUG,
1197 "SAE: No alternative group enabled");
1198 return;
1199 }
1200
1201 if (sae_set_group(sae, groups[i]) < 0)
1202 continue;
1203
1204 break;
1205 }
1206 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1207 }
1208
1209
sae_status_success(struct hostapd_data * hapd,u16 status_code)1210 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1211 {
1212 int sae_pwe = hapd->conf->sae_pwe;
1213 int id_in_use;
1214 bool sae_pk = false;
1215
1216 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1217 if (id_in_use == 2 && sae_pwe != 3)
1218 sae_pwe = 1;
1219 else if (id_in_use == 1 && sae_pwe == 0)
1220 sae_pwe = 2;
1221 #ifdef CONFIG_SAE_PK
1222 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1223 if (sae_pwe == 0 && sae_pk)
1224 sae_pwe = 2;
1225 #endif /* CONFIG_SAE_PK */
1226
1227 return ((sae_pwe == 0 || sae_pwe == 3) &&
1228 status_code == WLAN_STATUS_SUCCESS) ||
1229 (sae_pwe == 1 &&
1230 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1231 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1232 (sae_pwe == 2 &&
1233 (status_code == WLAN_STATUS_SUCCESS ||
1234 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1235 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1236 }
1237
1238
sae_is_group_enabled(struct hostapd_data * hapd,int group)1239 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1240 {
1241 int *groups = hapd->conf->sae_groups;
1242 int default_groups[] = { 19, 0 };
1243 int i;
1244
1245 if (!groups)
1246 groups = default_groups;
1247
1248 for (i = 0; groups[i] > 0; i++) {
1249 if (groups[i] == group)
1250 return 1;
1251 }
1252
1253 return 0;
1254 }
1255
1256
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1257 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1258 struct sae_data *sae)
1259 {
1260 const struct wpabuf *groups;
1261 size_t i, count;
1262 const u8 *pos;
1263
1264 if (!sae->tmp)
1265 return 0;
1266 groups = sae->tmp->peer_rejected_groups;
1267 if (!groups)
1268 return 0;
1269
1270 pos = wpabuf_head(groups);
1271 count = wpabuf_len(groups) / 2;
1272 for (i = 0; i < count; i++) {
1273 int enabled;
1274 u16 group;
1275
1276 group = WPA_GET_LE16(pos);
1277 pos += 2;
1278 enabled = sae_is_group_enabled(hapd, group);
1279 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1280 group, enabled ? "enabled" : "disabled");
1281 if (enabled)
1282 return 1;
1283 }
1284
1285 return 0;
1286 }
1287
1288
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1289 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1290 const struct ieee80211_mgmt *mgmt, size_t len,
1291 u16 auth_transaction, u16 status_code)
1292 {
1293 int resp = WLAN_STATUS_SUCCESS;
1294 struct wpabuf *data = NULL;
1295 int *groups = hapd->conf->sae_groups;
1296 int default_groups[] = { 19, 0 };
1297 const u8 *pos, *end;
1298 int sta_removed = 0;
1299 bool success_status;
1300
1301 if (!groups)
1302 groups = default_groups;
1303
1304 #ifdef CONFIG_TESTING_OPTIONS
1305 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1306 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1307 pos = mgmt->u.auth.variable;
1308 end = ((const u8 *) mgmt) + len;
1309 resp = status_code;
1310 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1311 auth_transaction, resp, pos, end - pos,
1312 "auth-sae-reflection-attack");
1313 goto remove_sta;
1314 }
1315
1316 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1317 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1318 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1319 auth_transaction, resp,
1320 wpabuf_head(hapd->conf->sae_commit_override),
1321 wpabuf_len(hapd->conf->sae_commit_override),
1322 "sae-commit-override");
1323 goto remove_sta;
1324 }
1325 #endif /* CONFIG_TESTING_OPTIONS */
1326 if (!sta->sae) {
1327 if (auth_transaction != 1 ||
1328 !sae_status_success(hapd, status_code)) {
1329 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1330 status_code);
1331 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1332 goto reply;
1333 }
1334 sta->sae = os_zalloc(sizeof(*sta->sae));
1335 if (!sta->sae) {
1336 resp = -1;
1337 goto remove_sta;
1338 }
1339 sae_set_state(sta, SAE_NOTHING, "Init");
1340 sta->sae->sync = 0;
1341 }
1342
1343 if (sta->mesh_sae_pmksa_caching) {
1344 wpa_printf(MSG_DEBUG,
1345 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1346 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1347 sta->mesh_sae_pmksa_caching = 0;
1348 }
1349
1350 if (auth_transaction == 1) {
1351 const u8 *token = NULL;
1352 size_t token_len = 0;
1353 int allow_reuse = 0;
1354
1355 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1356 HOSTAPD_LEVEL_DEBUG,
1357 "start SAE authentication (RX commit, status=%u (%s))",
1358 status_code, status2str(status_code));
1359
1360 if ((hapd->conf->mesh & MESH_ENABLED) &&
1361 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1362 sta->sae->tmp) {
1363 pos = mgmt->u.auth.variable;
1364 end = ((const u8 *) mgmt) + len;
1365 if (pos + sizeof(le16) > end) {
1366 wpa_printf(MSG_ERROR,
1367 "SAE: Too short anti-clogging token request");
1368 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1369 goto reply;
1370 }
1371 resp = sae_group_allowed(sta->sae, groups,
1372 WPA_GET_LE16(pos));
1373 if (resp != WLAN_STATUS_SUCCESS) {
1374 wpa_printf(MSG_ERROR,
1375 "SAE: Invalid group in anti-clogging token request");
1376 goto reply;
1377 }
1378 pos += sizeof(le16);
1379
1380 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1381 sta->sae->tmp->anti_clogging_token =
1382 wpabuf_alloc_copy(pos, end - pos);
1383 if (sta->sae->tmp->anti_clogging_token == NULL) {
1384 wpa_printf(MSG_ERROR,
1385 "SAE: Failed to alloc for anti-clogging token");
1386 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1387 goto remove_sta;
1388 }
1389
1390 /*
1391 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1392 * is 76, a new Commit Message shall be constructed
1393 * with the Anti-Clogging Token from the received
1394 * Authentication frame, and the commit-scalar and
1395 * COMMIT-ELEMENT previously sent.
1396 */
1397 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1398 status_code);
1399 if (resp != WLAN_STATUS_SUCCESS) {
1400 wpa_printf(MSG_ERROR,
1401 "SAE: Failed to send commit message");
1402 goto remove_sta;
1403 }
1404 sae_set_state(sta, SAE_COMMITTED,
1405 "Sent Commit (anti-clogging token case in mesh)");
1406 sta->sae->sync = 0;
1407 sae_set_retransmit_timer(hapd, sta);
1408 return;
1409 }
1410
1411 if ((hapd->conf->mesh & MESH_ENABLED) &&
1412 status_code ==
1413 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1414 sta->sae->tmp) {
1415 wpa_printf(MSG_DEBUG,
1416 "SAE: Peer did not accept our SAE group");
1417 sae_pick_next_group(hapd, sta);
1418 goto remove_sta;
1419 }
1420
1421 if (!sae_status_success(hapd, status_code))
1422 goto remove_sta;
1423
1424 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1425 sta->sae->state == SAE_COMMITTED) {
1426 /* This is needed in the infrastructure BSS case to
1427 * address a sequence where a STA entry may remain in
1428 * hostapd across two attempts to do SAE authentication
1429 * by the same STA. The second attempt may end up trying
1430 * to use a different group and that would not be
1431 * allowed if we remain in Committed state with the
1432 * previously set parameters. */
1433 pos = mgmt->u.auth.variable;
1434 end = ((const u8 *) mgmt) + len;
1435 if (end - pos >= (int) sizeof(le16) &&
1436 sae_group_allowed(sta->sae, groups,
1437 WPA_GET_LE16(pos)) ==
1438 WLAN_STATUS_SUCCESS) {
1439 /* Do not waste resources deriving the same PWE
1440 * again since the same group is reused. */
1441 sae_set_state(sta, SAE_NOTHING,
1442 "Allow previous PWE to be reused");
1443 allow_reuse = 1;
1444 } else {
1445 sae_set_state(sta, SAE_NOTHING,
1446 "Clear existing state to allow restart");
1447 sae_clear_data(sta->sae);
1448 }
1449 }
1450
1451 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1452 ((const u8 *) mgmt) + len -
1453 mgmt->u.auth.variable, &token,
1454 &token_len, groups, status_code ==
1455 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1456 status_code == WLAN_STATUS_SAE_PK);
1457 if (resp == SAE_SILENTLY_DISCARD) {
1458 wpa_printf(MSG_DEBUG,
1459 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1460 MAC2STR(sta->addr));
1461 goto remove_sta;
1462 }
1463
1464 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1465 wpa_msg(hapd->msg_ctx, MSG_INFO,
1466 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1467 MACSTR, MAC2STR(sta->addr));
1468 sae_clear_retransmit_timer(hapd, sta);
1469 sae_set_state(sta, SAE_NOTHING,
1470 "Unknown Password Identifier");
1471 goto remove_sta;
1472 }
1473
1474 if (token &&
1475 check_comeback_token(hapd, sta->addr, token, token_len)
1476 < 0) {
1477 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1478 "incorrect token from " MACSTR,
1479 MAC2STR(sta->addr));
1480 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1481 goto remove_sta;
1482 }
1483
1484 if (resp != WLAN_STATUS_SUCCESS)
1485 goto reply;
1486
1487 if (check_sae_rejected_groups(hapd, sta->sae)) {
1488 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1489 goto reply;
1490 }
1491
1492 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1493 int h2e = 0;
1494
1495 wpa_printf(MSG_DEBUG,
1496 "SAE: Request anti-clogging token from "
1497 MACSTR, MAC2STR(sta->addr));
1498 if (sta->sae->tmp)
1499 h2e = sta->sae->h2e;
1500 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1501 status_code == WLAN_STATUS_SAE_PK)
1502 h2e = 1;
1503 data = auth_build_token_req(hapd, sta->sae->group,
1504 sta->addr, h2e);
1505 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1506 if (hapd->conf->mesh & MESH_ENABLED)
1507 sae_set_state(sta, SAE_NOTHING,
1508 "Request anti-clogging token case in mesh");
1509 goto reply;
1510 }
1511
1512 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1513 status_code, allow_reuse, &sta_removed);
1514 } else if (auth_transaction == 2) {
1515 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1516 HOSTAPD_LEVEL_DEBUG,
1517 "SAE authentication (RX confirm, status=%u (%s))",
1518 status_code, status2str(status_code));
1519 if (status_code != WLAN_STATUS_SUCCESS)
1520 goto remove_sta;
1521 if (sta->sae->state >= SAE_CONFIRMED ||
1522 !(hapd->conf->mesh & MESH_ENABLED)) {
1523 const u8 *var;
1524 size_t var_len;
1525 u16 peer_send_confirm;
1526
1527 var = mgmt->u.auth.variable;
1528 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1529 if (var_len < 2) {
1530 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1531 goto reply;
1532 }
1533
1534 peer_send_confirm = WPA_GET_LE16(var);
1535
1536 if (sta->sae->state == SAE_ACCEPTED &&
1537 (peer_send_confirm <= sta->sae->rc ||
1538 peer_send_confirm == 0xffff)) {
1539 wpa_printf(MSG_DEBUG,
1540 "SAE: Silently ignore unexpected Confirm from peer "
1541 MACSTR
1542 " (peer-send-confirm=%u Rc=%u)",
1543 MAC2STR(sta->addr),
1544 peer_send_confirm, sta->sae->rc);
1545 return;
1546 }
1547
1548 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1549 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1550 goto reply;
1551 }
1552 sta->sae->rc = peer_send_confirm;
1553 }
1554 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1555 status_code, 0, &sta_removed);
1556 } else {
1557 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1558 HOSTAPD_LEVEL_DEBUG,
1559 "unexpected SAE authentication transaction %u (status=%u (%s))",
1560 auth_transaction, status_code,
1561 status2str(status_code));
1562 if (status_code != WLAN_STATUS_SUCCESS)
1563 goto remove_sta;
1564 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1565 }
1566
1567 reply:
1568 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1569 pos = mgmt->u.auth.variable;
1570 end = ((const u8 *) mgmt) + len;
1571
1572 /* Copy the Finite Cyclic Group field from the request if we
1573 * rejected it as unsupported group. */
1574 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1575 !data && end - pos >= 2)
1576 data = wpabuf_alloc_copy(pos, 2);
1577
1578 sae_sme_send_external_auth_status(hapd, sta, resp);
1579 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1580 auth_transaction, resp,
1581 data ? wpabuf_head(data) : (u8 *) "",
1582 data ? wpabuf_len(data) : 0, "auth-sae");
1583 }
1584
1585 remove_sta:
1586 if (auth_transaction == 1)
1587 success_status = sae_status_success(hapd, status_code);
1588 else
1589 success_status = status_code == WLAN_STATUS_SUCCESS;
1590 if (!sta_removed && sta->added_unassoc &&
1591 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1592 hostapd_drv_sta_remove(hapd, sta->addr);
1593 sta->added_unassoc = 0;
1594 }
1595 wpabuf_free(data);
1596 }
1597
1598
1599 /**
1600 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1601 * @hapd: BSS data for the device initiating the authentication
1602 * @sta: the peer to which commit authentication frame is sent
1603 *
1604 * This function implements Init event handling (IEEE Std 802.11-2012,
1605 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1606 * sta->sae structure should be initialized appropriately via a call to
1607 * sae_prepare_commit().
1608 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1609 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1610 {
1611 int ret;
1612
1613 if (!sta->sae || !sta->sae->tmp)
1614 return -1;
1615
1616 if (sta->sae->state != SAE_NOTHING)
1617 return -1;
1618
1619 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1620 if (ret)
1621 return -1;
1622
1623 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1624 sta->sae->sync = 0;
1625 sae_set_retransmit_timer(hapd, sta);
1626
1627 return 0;
1628 }
1629
1630
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1631 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1632 {
1633 struct hostapd_data *hapd = eloop_ctx;
1634 struct hostapd_sae_commit_queue *q;
1635 unsigned int queue_len;
1636
1637 q = dl_list_first(&hapd->sae_commit_queue,
1638 struct hostapd_sae_commit_queue, list);
1639 if (!q)
1640 return;
1641 wpa_printf(MSG_DEBUG,
1642 "SAE: Process next available message from queue");
1643 dl_list_del(&q->list);
1644 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1645 q->rssi, 1);
1646 os_free(q);
1647
1648 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1649 return;
1650 queue_len = dl_list_len(&hapd->sae_commit_queue);
1651 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1652 hapd, NULL);
1653 }
1654
1655
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1656 static void auth_sae_queue(struct hostapd_data *hapd,
1657 const struct ieee80211_mgmt *mgmt, size_t len,
1658 int rssi)
1659 {
1660 struct hostapd_sae_commit_queue *q, *q2;
1661 unsigned int queue_len;
1662 const struct ieee80211_mgmt *mgmt2;
1663
1664 queue_len = dl_list_len(&hapd->sae_commit_queue);
1665 if (queue_len >= 15) {
1666 wpa_printf(MSG_DEBUG,
1667 "SAE: No more room in message queue - drop the new frame from "
1668 MACSTR, MAC2STR(mgmt->sa));
1669 return;
1670 }
1671
1672 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1673 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1674 queue_len);
1675 q = os_zalloc(sizeof(*q) + len);
1676 if (!q)
1677 return;
1678 q->rssi = rssi;
1679 q->len = len;
1680 os_memcpy(q->msg, mgmt, len);
1681
1682 /* Check whether there is already a queued Authentication frame from the
1683 * same station with the same transaction number and if so, replace that
1684 * queue entry with the new one. This avoids issues with a peer that
1685 * sends multiple times (e.g., due to frequent SAE retries). There is no
1686 * point in us trying to process the old attempts after a new one has
1687 * obsoleted them. */
1688 dl_list_for_each(q2, &hapd->sae_commit_queue,
1689 struct hostapd_sae_commit_queue, list) {
1690 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1691 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1692 mgmt->u.auth.auth_transaction ==
1693 mgmt2->u.auth.auth_transaction) {
1694 wpa_printf(MSG_DEBUG,
1695 "SAE: Replace queued message from same STA with same transaction number");
1696 dl_list_add(&q2->list, &q->list);
1697 dl_list_del(&q2->list);
1698 os_free(q2);
1699 goto queued;
1700 }
1701 }
1702
1703 /* No pending identical entry, so add to the end of the queue */
1704 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1705
1706 queued:
1707 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1708 return;
1709 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1710 hapd, NULL);
1711 }
1712
1713
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1714 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1715 {
1716 struct hostapd_sae_commit_queue *q;
1717 const struct ieee80211_mgmt *mgmt;
1718
1719 dl_list_for_each(q, &hapd->sae_commit_queue,
1720 struct hostapd_sae_commit_queue, list) {
1721 mgmt = (const struct ieee80211_mgmt *) q->msg;
1722 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1723 return 1;
1724 }
1725
1726 return 0;
1727 }
1728
1729 #endif /* CONFIG_SAE */
1730
1731
wpa_res_to_status_code(enum wpa_validate_result res)1732 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1733 {
1734 switch (res) {
1735 case WPA_IE_OK:
1736 return WLAN_STATUS_SUCCESS;
1737 case WPA_INVALID_IE:
1738 return WLAN_STATUS_INVALID_IE;
1739 case WPA_INVALID_GROUP:
1740 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1741 case WPA_INVALID_PAIRWISE:
1742 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1743 case WPA_INVALID_AKMP:
1744 return WLAN_STATUS_AKMP_NOT_VALID;
1745 case WPA_NOT_ENABLED:
1746 return WLAN_STATUS_INVALID_IE;
1747 case WPA_ALLOC_FAIL:
1748 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1749 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1750 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1751 case WPA_INVALID_MGMT_GROUP_CIPHER:
1752 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1753 case WPA_INVALID_MDIE:
1754 return WLAN_STATUS_INVALID_MDIE;
1755 case WPA_INVALID_PROTO:
1756 return WLAN_STATUS_INVALID_IE;
1757 case WPA_INVALID_PMKID:
1758 return WLAN_STATUS_INVALID_PMKID;
1759 case WPA_DENIED_OTHER_REASON:
1760 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1761 }
1762 return WLAN_STATUS_INVALID_IE;
1763 }
1764
1765
1766 #ifdef CONFIG_FILS
1767
1768 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1769 struct sta_info *sta, u16 resp,
1770 struct wpabuf *data, int pub);
1771
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1772 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1773 const u8 *pos, size_t len, u16 auth_alg,
1774 u16 auth_transaction, u16 status_code,
1775 void (*cb)(struct hostapd_data *hapd,
1776 struct sta_info *sta, u16 resp,
1777 struct wpabuf *data, int pub))
1778 {
1779 u16 resp = WLAN_STATUS_SUCCESS;
1780 const u8 *end;
1781 struct ieee802_11_elems elems;
1782 enum wpa_validate_result res;
1783 struct wpa_ie_data rsn;
1784 struct rsn_pmksa_cache_entry *pmksa = NULL;
1785
1786 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1787 return;
1788
1789 end = pos + len;
1790
1791 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1792 pos, end - pos);
1793
1794 /* TODO: FILS PK */
1795 #ifdef CONFIG_FILS_SK_PFS
1796 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1797 u16 group;
1798 struct wpabuf *pub;
1799 size_t elem_len;
1800
1801 /* Using FILS PFS */
1802
1803 /* Finite Cyclic Group */
1804 if (end - pos < 2) {
1805 wpa_printf(MSG_DEBUG,
1806 "FILS: No room for Finite Cyclic Group");
1807 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1808 goto fail;
1809 }
1810 group = WPA_GET_LE16(pos);
1811 pos += 2;
1812 if (group != hapd->conf->fils_dh_group) {
1813 wpa_printf(MSG_DEBUG,
1814 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1815 group, hapd->conf->fils_dh_group);
1816 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1817 goto fail;
1818 }
1819
1820 crypto_ecdh_deinit(sta->fils_ecdh);
1821 sta->fils_ecdh = crypto_ecdh_init(group);
1822 if (!sta->fils_ecdh) {
1823 wpa_printf(MSG_INFO,
1824 "FILS: Could not initialize ECDH with group %d",
1825 group);
1826 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1827 goto fail;
1828 }
1829
1830 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1831 if (!pub) {
1832 wpa_printf(MSG_DEBUG,
1833 "FILS: Failed to derive ECDH public key");
1834 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1835 goto fail;
1836 }
1837 elem_len = wpabuf_len(pub);
1838 wpabuf_free(pub);
1839
1840 /* Element */
1841 if ((size_t) (end - pos) < elem_len) {
1842 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1843 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1844 goto fail;
1845 }
1846
1847 wpabuf_free(sta->fils_g_sta);
1848 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1849 wpabuf_clear_free(sta->fils_dh_ss);
1850 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1851 pos, elem_len);
1852 if (!sta->fils_dh_ss) {
1853 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1854 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1855 goto fail;
1856 }
1857 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1858 pos += elem_len;
1859 } else {
1860 crypto_ecdh_deinit(sta->fils_ecdh);
1861 sta->fils_ecdh = NULL;
1862 wpabuf_clear_free(sta->fils_dh_ss);
1863 sta->fils_dh_ss = NULL;
1864 }
1865 #endif /* CONFIG_FILS_SK_PFS */
1866
1867 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1868 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1869 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1870 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1871 goto fail;
1872 }
1873
1874 /* RSNE */
1875 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1876 elems.rsn_ie, elems.rsn_ie_len);
1877 if (!elems.rsn_ie ||
1878 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1879 &rsn) < 0) {
1880 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1881 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1882 goto fail;
1883 }
1884
1885 if (!sta->wpa_sm)
1886 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1887 NULL);
1888 if (!sta->wpa_sm) {
1889 wpa_printf(MSG_DEBUG,
1890 "FILS: Failed to initialize RSN state machine");
1891 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 goto fail;
1893 }
1894
1895 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1896 hapd->iface->freq,
1897 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1898 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1899 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1900 elems.mdie, elems.mdie_len, NULL, 0);
1901 resp = wpa_res_to_status_code(res);
1902 if (resp != WLAN_STATUS_SUCCESS)
1903 goto fail;
1904
1905 if (!elems.fils_nonce) {
1906 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1907 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1908 goto fail;
1909 }
1910 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1911 FILS_NONCE_LEN);
1912 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1913
1914 /* PMKID List */
1915 if (rsn.pmkid && rsn.num_pmkid > 0) {
1916 u8 num;
1917 const u8 *pmkid;
1918
1919 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1920 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1921
1922 pmkid = rsn.pmkid;
1923 num = rsn.num_pmkid;
1924 while (num) {
1925 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1926 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1927 pmkid);
1928 if (pmksa)
1929 break;
1930 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1931 sta->addr,
1932 pmkid);
1933 if (pmksa)
1934 break;
1935 pmkid += PMKID_LEN;
1936 num--;
1937 }
1938 }
1939 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1940 wpa_printf(MSG_DEBUG,
1941 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1942 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1943 pmksa = NULL;
1944 }
1945 if (pmksa)
1946 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1947
1948 /* FILS Session */
1949 if (!elems.fils_session) {
1950 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1951 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1952 goto fail;
1953 }
1954 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1955 FILS_SESSION_LEN);
1956 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1957
1958 /* Wrapped Data */
1959 if (elems.wrapped_data) {
1960 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1961 elems.wrapped_data,
1962 elems.wrapped_data_len);
1963 if (!pmksa) {
1964 #ifndef CONFIG_NO_RADIUS
1965 if (!sta->eapol_sm) {
1966 sta->eapol_sm =
1967 ieee802_1x_alloc_eapol_sm(hapd, sta);
1968 }
1969 wpa_printf(MSG_DEBUG,
1970 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1971 ieee802_1x_encapsulate_radius(
1972 hapd, sta, elems.wrapped_data,
1973 elems.wrapped_data_len);
1974 sta->fils_pending_cb = cb;
1975 wpa_printf(MSG_DEBUG,
1976 "FILS: Will send Authentication frame once the response from authentication server is available");
1977 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1978 /* Calculate pending PMKID here so that we do not need
1979 * to maintain a copy of the EAP-Initiate/Reauth
1980 * message. */
1981 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1982 elems.wrapped_data,
1983 elems.wrapped_data_len,
1984 sta->fils_erp_pmkid) == 0)
1985 sta->fils_erp_pmkid_set = 1;
1986 return;
1987 #else /* CONFIG_NO_RADIUS */
1988 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1989 goto fail;
1990 #endif /* CONFIG_NO_RADIUS */
1991 }
1992 }
1993
1994 fail:
1995 if (cb) {
1996 struct wpabuf *data;
1997 int pub = 0;
1998
1999 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2000 NULL, 0, &pub);
2001 if (!data) {
2002 wpa_printf(MSG_DEBUG,
2003 "%s: prepare_auth_resp_fils() returned failure",
2004 __func__);
2005 }
2006
2007 cb(hapd, sta, resp, data, pub);
2008 }
2009 }
2010
2011
2012 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)2013 prepare_auth_resp_fils(struct hostapd_data *hapd,
2014 struct sta_info *sta, u16 *resp,
2015 struct rsn_pmksa_cache_entry *pmksa,
2016 struct wpabuf *erp_resp,
2017 const u8 *msk, size_t msk_len,
2018 int *is_pub)
2019 {
2020 u8 fils_nonce[FILS_NONCE_LEN];
2021 size_t ielen;
2022 struct wpabuf *data = NULL;
2023 const u8 *ie;
2024 u8 *ie_buf = NULL;
2025 const u8 *pmk = NULL;
2026 size_t pmk_len = 0;
2027 u8 pmk_buf[PMK_LEN_MAX];
2028 struct wpabuf *pub = NULL;
2029
2030 if (*resp != WLAN_STATUS_SUCCESS)
2031 goto fail;
2032
2033 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2034 if (!ie) {
2035 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2036 goto fail;
2037 }
2038
2039 if (pmksa) {
2040 /* Add PMKID of the selected PMKSA into RSNE */
2041 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2042 if (!ie_buf) {
2043 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2044 goto fail;
2045 }
2046
2047 os_memcpy(ie_buf, ie, ielen);
2048 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2049 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2050 goto fail;
2051 }
2052 ie = ie_buf;
2053 }
2054
2055 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2056 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2057 goto fail;
2058 }
2059 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2060 fils_nonce, FILS_NONCE_LEN);
2061
2062 #ifdef CONFIG_FILS_SK_PFS
2063 if (sta->fils_dh_ss && sta->fils_ecdh) {
2064 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2065 if (!pub) {
2066 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2067 goto fail;
2068 }
2069 }
2070 #endif /* CONFIG_FILS_SK_PFS */
2071
2072 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2073 if (!data) {
2074 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2075 goto fail;
2076 }
2077
2078 /* TODO: FILS PK */
2079 #ifdef CONFIG_FILS_SK_PFS
2080 if (pub) {
2081 /* Finite Cyclic Group */
2082 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2083
2084 /* Element */
2085 wpabuf_put_buf(data, pub);
2086 }
2087 #endif /* CONFIG_FILS_SK_PFS */
2088
2089 /* RSNE */
2090 wpabuf_put_data(data, ie, ielen);
2091
2092 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2093
2094 #ifdef CONFIG_IEEE80211R_AP
2095 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2096 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2097 int res;
2098 int use_sha384 = wpa_key_mgmt_sha384(
2099 wpa_auth_sta_key_mgmt(sta->wpa_sm));
2100
2101 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2102 wpabuf_put(data, 0),
2103 wpabuf_tailroom(data));
2104 if (res < 0) {
2105 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2106 goto fail;
2107 }
2108 wpabuf_put(data, res);
2109 }
2110 #endif /* CONFIG_IEEE80211R_AP */
2111
2112 /* FILS Nonce */
2113 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2114 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2115 /* Element ID Extension */
2116 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2117 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2118
2119 /* FILS Session */
2120 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2121 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2122 /* Element ID Extension */
2123 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2124 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2125
2126 /* Wrapped Data */
2127 if (!pmksa && erp_resp) {
2128 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2129 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2130 /* Element ID Extension */
2131 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2132 wpabuf_put_buf(data, erp_resp);
2133
2134 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2135 msk, msk_len, sta->fils_snonce, fils_nonce,
2136 sta->fils_dh_ss ?
2137 wpabuf_head(sta->fils_dh_ss) : NULL,
2138 sta->fils_dh_ss ?
2139 wpabuf_len(sta->fils_dh_ss) : 0,
2140 pmk_buf, &pmk_len)) {
2141 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2142 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2143 wpabuf_free(data);
2144 data = NULL;
2145 goto fail;
2146 }
2147 pmk = pmk_buf;
2148
2149 /* Don't use DHss in PTK derivation if PMKSA caching is not
2150 * used. */
2151 wpabuf_clear_free(sta->fils_dh_ss);
2152 sta->fils_dh_ss = NULL;
2153
2154 if (sta->fils_erp_pmkid_set) {
2155 /* TODO: get PMKLifetime from WPA parameters */
2156 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2157 int session_timeout;
2158
2159 session_timeout = dot11RSNAConfigPMKLifetime;
2160 if (sta->session_timeout_set) {
2161 struct os_reltime now, diff;
2162
2163 os_get_reltime(&now);
2164 os_reltime_sub(&sta->session_timeout, &now,
2165 &diff);
2166 session_timeout = diff.sec;
2167 }
2168
2169 sta->fils_erp_pmkid_set = 0;
2170 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2171 sta->fils_erp_pmkid);
2172 if (!hapd->conf->disable_pmksa_caching &&
2173 wpa_auth_pmksa_add2(
2174 hapd->wpa_auth, sta->addr,
2175 pmk, pmk_len,
2176 sta->fils_erp_pmkid,
2177 session_timeout,
2178 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2179 wpa_printf(MSG_ERROR,
2180 "FILS: Failed to add PMKSA cache entry based on ERP");
2181 }
2182 }
2183 } else if (pmksa) {
2184 pmk = pmksa->pmk;
2185 pmk_len = pmksa->pmk_len;
2186 }
2187
2188 if (!pmk) {
2189 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2190 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2191 wpabuf_free(data);
2192 data = NULL;
2193 goto fail;
2194 }
2195
2196 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2197 sta->fils_snonce, fils_nonce,
2198 sta->fils_dh_ss ?
2199 wpabuf_head(sta->fils_dh_ss) : NULL,
2200 sta->fils_dh_ss ?
2201 wpabuf_len(sta->fils_dh_ss) : 0,
2202 sta->fils_g_sta, pub) < 0) {
2203 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2204 wpabuf_free(data);
2205 data = NULL;
2206 goto fail;
2207 }
2208
2209 fail:
2210 if (is_pub)
2211 *is_pub = pub != NULL;
2212 os_free(ie_buf);
2213 wpabuf_free(pub);
2214 wpabuf_clear_free(sta->fils_dh_ss);
2215 sta->fils_dh_ss = NULL;
2216 #ifdef CONFIG_FILS_SK_PFS
2217 crypto_ecdh_deinit(sta->fils_ecdh);
2218 sta->fils_ecdh = NULL;
2219 #endif /* CONFIG_FILS_SK_PFS */
2220 return data;
2221 }
2222
2223
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2224 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2225 struct sta_info *sta, u16 resp,
2226 struct wpabuf *data, int pub)
2227 {
2228 u16 auth_alg;
2229
2230 auth_alg = (pub ||
2231 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2232 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2233 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2234 data ? wpabuf_head(data) : (u8 *) "",
2235 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2236 wpabuf_free(data);
2237
2238 if (resp == WLAN_STATUS_SUCCESS) {
2239 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2240 HOSTAPD_LEVEL_DEBUG,
2241 "authentication OK (FILS)");
2242 sta->flags |= WLAN_STA_AUTH;
2243 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2244 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2245 mlme_authenticate_indication(hapd, sta);
2246 }
2247 }
2248
2249
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2250 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2251 struct sta_info *sta, int success,
2252 struct wpabuf *erp_resp,
2253 const u8 *msk, size_t msk_len)
2254 {
2255 u16 resp;
2256 u32 flags = sta->flags;
2257
2258 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2259 WLAN_STA_PENDING_PASN_FILS_ERP);
2260
2261 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2262
2263 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2264 struct wpabuf *data;
2265 int pub = 0;
2266
2267 if (!sta->fils_pending_cb)
2268 return;
2269
2270 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2271 msk, msk_len, &pub);
2272 if (!data) {
2273 wpa_printf(MSG_DEBUG,
2274 "%s: prepare_auth_resp_fils() failure",
2275 __func__);
2276 }
2277 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2278 #ifdef CONFIG_PASN
2279 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2280 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2281 msk, msk_len);
2282 #endif /* CONFIG_PASN */
2283 }
2284 }
2285
2286 #endif /* CONFIG_FILS */
2287
2288
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2289 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2290 const u8 *msg, size_t len,
2291 struct radius_sta *info)
2292 {
2293 int res;
2294
2295 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2296
2297 if (res == HOSTAPD_ACL_REJECT) {
2298 wpa_printf(MSG_DEBUG, "Station " MACSTR
2299 " not allowed to authenticate",
2300 MAC2STR(addr));
2301 return HOSTAPD_ACL_REJECT;
2302 }
2303
2304 if (res == HOSTAPD_ACL_PENDING) {
2305 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2306 " waiting for an external authentication",
2307 MAC2STR(addr));
2308 /* Authentication code will re-send the authentication frame
2309 * after it has received (and cached) information from the
2310 * external source. */
2311 return HOSTAPD_ACL_PENDING;
2312 }
2313
2314 return res;
2315 }
2316
2317
2318 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2319 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2320 int res, struct radius_sta *info)
2321 {
2322 u32 session_timeout = info->session_timeout;
2323 u32 acct_interim_interval = info->acct_interim_interval;
2324 struct vlan_description *vlan_id = &info->vlan_id;
2325 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2326 char *identity = info->identity;
2327 char *radius_cui = info->radius_cui;
2328
2329 if (vlan_id->notempty &&
2330 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2331 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2332 HOSTAPD_LEVEL_INFO,
2333 "Invalid VLAN %d%s received from RADIUS server",
2334 vlan_id->untagged,
2335 vlan_id->tagged[0] ? "+" : "");
2336 return -1;
2337 }
2338 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2339 return -1;
2340 if (sta->vlan_id)
2341 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2342 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2343
2344 hostapd_free_psk_list(sta->psk);
2345 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2346 hostapd_copy_psk_list(&sta->psk, psk);
2347 else
2348 sta->psk = NULL;
2349
2350 os_free(sta->identity);
2351 if (identity)
2352 sta->identity = os_strdup(identity);
2353 else
2354 sta->identity = NULL;
2355
2356 os_free(sta->radius_cui);
2357 if (radius_cui)
2358 sta->radius_cui = os_strdup(radius_cui);
2359 else
2360 sta->radius_cui = NULL;
2361
2362 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2363 sta->acct_interim_interval = acct_interim_interval;
2364 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2365 sta->session_timeout_set = 1;
2366 os_get_reltime(&sta->session_timeout);
2367 sta->session_timeout.sec += session_timeout;
2368 ap_sta_session_timeout(hapd, sta, session_timeout);
2369 } else {
2370 sta->session_timeout_set = 0;
2371 ap_sta_no_session_timeout(hapd, sta);
2372 }
2373
2374 return 0;
2375 }
2376
2377
2378 #ifdef CONFIG_PASN
2379 #ifdef CONFIG_SAE
2380
pasn_wd_handle_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2381 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2382 struct sta_info *sta,
2383 struct wpabuf *wd)
2384 {
2385 struct pasn_data *pasn = sta->pasn;
2386 const char *password;
2387 const u8 *data;
2388 size_t buf_len;
2389 u16 res, alg, seq, status;
2390 int groups[] = { pasn->group, 0 };
2391 struct sae_pt *pt = NULL;
2392 int ret;
2393
2394 if (!wd)
2395 return -1;
2396
2397 data = wpabuf_head_u8(wd);
2398 buf_len = wpabuf_len(wd);
2399
2400 if (buf_len < 6) {
2401 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2402 buf_len);
2403 return -1;
2404 }
2405
2406 alg = WPA_GET_LE16(data);
2407 seq = WPA_GET_LE16(data + 2);
2408 status = WPA_GET_LE16(data + 4);
2409
2410 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2411 alg, seq, status);
2412
2413 if (alg != WLAN_AUTH_SAE || seq != 1 ||
2414 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
2415 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2416 return -1;
2417 }
2418
2419 sae_clear_data(&pasn->sae);
2420 pasn->sae.state = SAE_NOTHING;
2421
2422 ret = sae_set_group(&pasn->sae, pasn->group);
2423 if (ret) {
2424 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2425 return -1;
2426 }
2427
2428 password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL);
2429 if (!password || !pt) {
2430 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
2431 return -1;
2432 }
2433
2434 ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr,
2435 NULL, NULL);
2436 if (ret) {
2437 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2438 return -1;
2439 }
2440
2441 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2442 groups, 0);
2443 if (res != WLAN_STATUS_SUCCESS) {
2444 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2445 return -1;
2446 }
2447
2448 /* Process the commit message and derive the PMK */
2449 ret = sae_process_commit(&pasn->sae);
2450 if (ret) {
2451 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2452 return -1;
2453 }
2454
2455 pasn->sae.state = SAE_COMMITTED;
2456
2457 return 0;
2458 }
2459
2460
pasn_wd_handle_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2461 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2462 struct sta_info *sta,
2463 struct wpabuf *wd)
2464 {
2465 struct pasn_data *pasn = sta->pasn;
2466 const u8 *data;
2467 size_t buf_len;
2468 u16 res, alg, seq, status;
2469
2470 if (!wd)
2471 return -1;
2472
2473 data = wpabuf_head_u8(wd);
2474 buf_len = wpabuf_len(wd);
2475
2476 if (buf_len < 6) {
2477 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2478 buf_len);
2479 return -1;
2480 }
2481
2482 alg = WPA_GET_LE16(data);
2483 seq = WPA_GET_LE16(data + 2);
2484 status = WPA_GET_LE16(data + 4);
2485
2486 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2487 alg, seq, status);
2488
2489 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2490 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2491 return -1;
2492 }
2493
2494 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2495 if (res != WLAN_STATUS_SUCCESS) {
2496 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2497 return -1;
2498 }
2499
2500 pasn->sae.state = SAE_ACCEPTED;
2501
2502 /*
2503 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2504 * PASN/SAE should only be allowed with future PASN only. For now do not
2505 * restrict this only for PASN.
2506 */
2507 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2508 pasn->sae.pmk, pasn->sae.pmkid);
2509 return 0;
2510 }
2511
2512
pasn_get_sae_wd(struct hostapd_data * hapd,struct sta_info * sta)2513 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2514 struct sta_info *sta)
2515 {
2516 struct pasn_data *pasn = sta->pasn;
2517 struct wpabuf *buf = NULL;
2518 u8 *len_ptr;
2519 size_t len;
2520
2521 /* Need to add the entire Authentication frame body */
2522 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2523 if (!buf) {
2524 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2525 return NULL;
2526 }
2527
2528 /* Need to add the entire authentication frame body for the commit */
2529 len_ptr = wpabuf_put(buf, 2);
2530 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2531 wpabuf_put_le16(buf, 1);
2532 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
2533
2534 /* Write the actual commit and update the length accordingly */
2535 sae_write_commit(&pasn->sae, buf, NULL, 0);
2536 len = wpabuf_len(buf);
2537 WPA_PUT_LE16(len_ptr, len - 2);
2538
2539 /* Need to add the entire Authentication frame body for the confirm */
2540 len_ptr = wpabuf_put(buf, 2);
2541 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2542 wpabuf_put_le16(buf, 2);
2543 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2544
2545 sae_write_confirm(&pasn->sae, buf);
2546 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2547
2548 pasn->sae.state = SAE_CONFIRMED;
2549
2550 return buf;
2551 }
2552
2553 #endif /* CONFIG_SAE */
2554
2555
2556 #ifdef CONFIG_FILS
2557
pasn_get_fils_wd(struct hostapd_data * hapd,struct sta_info * sta)2558 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2559 struct sta_info *sta)
2560 {
2561 struct pasn_data *pasn = sta->pasn;
2562 struct pasn_fils_data *fils = &pasn->fils;
2563 struct wpabuf *buf = NULL;
2564
2565 if (!fils->erp_resp) {
2566 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2567 return NULL;
2568 }
2569
2570 buf = wpabuf_alloc(1500);
2571 if (!buf)
2572 return NULL;
2573
2574 /* Add the authentication algorithm */
2575 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2576
2577 /* Authentication Transaction seq# */
2578 wpabuf_put_le16(buf, 2);
2579
2580 /* Status Code */
2581 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2582
2583 /* Own RSNE */
2584 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2585
2586 /* FILS Nonce */
2587 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2588 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2589 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2590 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2591
2592 /* FILS Session */
2593 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2594 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2595 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2596 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2597
2598 /* Wrapped Data */
2599 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2600 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2601 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2602 wpabuf_put_buf(buf, fils->erp_resp);
2603
2604 return buf;
2605 }
2606
2607
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2608 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2609 struct sta_info *sta, u16 status,
2610 struct wpabuf *erp_resp,
2611 const u8 *msk, size_t msk_len)
2612 {
2613 struct pasn_data *pasn = sta->pasn;
2614 struct pasn_fils_data *fils = &pasn->fils;
2615 u8 pmk[PMK_LEN_MAX];
2616 size_t pmk_len;
2617 int ret;
2618
2619 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2620 status);
2621
2622 if (status != WLAN_STATUS_SUCCESS)
2623 goto fail;
2624
2625 if (!pasn->secret) {
2626 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2627 goto fail;
2628 }
2629
2630 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2631 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2632 goto fail;
2633 }
2634
2635 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2636 fils->anonce, FILS_NONCE_LEN);
2637
2638 ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2639 fils->anonce, NULL, 0, pmk, &pmk_len);
2640 if (ret) {
2641 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2642 goto fail;
2643 }
2644
2645 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2646 wpabuf_head(pasn->secret),
2647 wpabuf_len(pasn->secret),
2648 &sta->pasn->ptk, sta->pasn->akmp,
2649 sta->pasn->cipher, sta->pasn->kdk_len);
2650 if (ret) {
2651 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2652 goto fail;
2653 }
2654
2655 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2656
2657 wpabuf_free(pasn->secret);
2658 pasn->secret = NULL;
2659
2660 fils->erp_resp = erp_resp;
2661 ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2662 fils->erp_resp = NULL;
2663
2664 if (ret) {
2665 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2666 goto fail;
2667 }
2668
2669 fils->state = PASN_FILS_STATE_COMPLETE;
2670 return;
2671 fail:
2672 ap_free_sta(hapd, sta);
2673 }
2674
2675
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2676 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2677 struct wpabuf *wd)
2678 {
2679 #ifdef CONFIG_NO_RADIUS
2680 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2681 return -1;
2682 #else /* CONFIG_NO_RADIUS */
2683 struct pasn_data *pasn = sta->pasn;
2684 struct pasn_fils_data *fils = &pasn->fils;
2685 struct ieee802_11_elems elems;
2686 struct wpa_ie_data rsne_data;
2687 struct wpabuf *fils_wd;
2688 const u8 *data;
2689 size_t buf_len;
2690 u16 alg, seq, status;
2691 int ret;
2692
2693 if (fils->state != PASN_FILS_STATE_NONE) {
2694 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2695 return -1;
2696 }
2697
2698 if (!wd) {
2699 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2700 return -1;
2701 }
2702
2703 data = wpabuf_head_u8(wd);
2704 buf_len = wpabuf_len(wd);
2705
2706 if (buf_len < 6) {
2707 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2708 buf_len);
2709 return -1;
2710 }
2711
2712 alg = WPA_GET_LE16(data);
2713 seq = WPA_GET_LE16(data + 2);
2714 status = WPA_GET_LE16(data + 4);
2715
2716 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2717 alg, seq, status);
2718
2719 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2720 status != WLAN_STATUS_SUCCESS) {
2721 wpa_printf(MSG_DEBUG,
2722 "PASN: FILS: Dropping peer authentication");
2723 return -1;
2724 }
2725
2726 data += 6;
2727 buf_len -= 6;
2728
2729 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2730 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2731 return -1;
2732 }
2733
2734 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2735 !elems.wrapped_data) {
2736 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2737 return -1;
2738 }
2739
2740 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2741 &rsne_data);
2742 if (ret) {
2743 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2744 return -1;
2745 }
2746
2747 ret = wpa_pasn_validate_rsne(&rsne_data);
2748 if (ret) {
2749 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2750 return -1;
2751 }
2752
2753 if (rsne_data.num_pmkid) {
2754 wpa_printf(MSG_DEBUG,
2755 "PASN: FILS: Not expecting PMKID in RSNE");
2756 return -1;
2757 }
2758
2759 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2760 FILS_NONCE_LEN);
2761 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2762
2763 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2764 FILS_SESSION_LEN);
2765 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2766
2767 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2768 WLAN_EID_EXT_WRAPPED_DATA);
2769
2770 if (!fils_wd) {
2771 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2772 return -1;
2773 }
2774
2775 if (!sta->eapol_sm)
2776 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2777
2778 wpa_printf(MSG_DEBUG,
2779 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2780
2781 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2782 wpabuf_len(fils_wd));
2783
2784 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2785
2786 fils->state = PASN_FILS_STATE_PENDING_AS;
2787
2788 /*
2789 * Calculate pending PMKID here so that we do not need to maintain a
2790 * copy of the EAP-Initiate/Reautt message.
2791 */
2792 fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2793 fils->erp_pmkid);
2794
2795 wpabuf_free(fils_wd);
2796 return 0;
2797 #endif /* CONFIG_NO_RADIUS */
2798 }
2799
2800 #endif /* CONFIG_FILS */
2801
2802
pasn_get_wrapped_data(struct hostapd_data * hapd,struct sta_info * sta)2803 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2804 struct sta_info *sta)
2805 {
2806 switch (sta->pasn->akmp) {
2807 case WPA_KEY_MGMT_PASN:
2808 /* no wrapped data */
2809 return NULL;
2810 case WPA_KEY_MGMT_SAE:
2811 #ifdef CONFIG_SAE
2812 return pasn_get_sae_wd(hapd, sta);
2813 #else /* CONFIG_SAE */
2814 wpa_printf(MSG_ERROR,
2815 "PASN: SAE: Cannot derive wrapped data");
2816 return NULL;
2817 #endif /* CONFIG_SAE */
2818 case WPA_KEY_MGMT_FILS_SHA256:
2819 case WPA_KEY_MGMT_FILS_SHA384:
2820 #ifdef CONFIG_FILS
2821 return pasn_get_fils_wd(hapd, sta);
2822 #endif /* CONFIG_FILS */
2823 /* fall through */
2824 case WPA_KEY_MGMT_FT_PSK:
2825 case WPA_KEY_MGMT_FT_IEEE8021X:
2826 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2827 default:
2828 wpa_printf(MSG_ERROR,
2829 "PASN: TODO: Wrapped data for akmp=0x%x",
2830 sta->pasn->akmp);
2831 return NULL;
2832 }
2833 }
2834
2835
2836 static int
pasn_derive_keys(struct hostapd_data * hapd,struct sta_info * sta,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)2837 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2838 const u8 *cached_pmk, size_t cached_pmk_len,
2839 struct wpa_pasn_params_data *pasn_data,
2840 struct wpabuf *wrapped_data,
2841 struct wpabuf *secret)
2842 {
2843 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2844 u8 pmk[PMK_LEN_MAX];
2845 u8 pmk_len;
2846 int ret;
2847
2848 os_memset(pmk, 0, sizeof(pmk));
2849 pmk_len = 0;
2850
2851 if (!cached_pmk || !cached_pmk_len)
2852 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2853
2854 if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2855 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2856
2857 pmk_len = WPA_PASN_PMK_LEN;
2858 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2859 } else if (cached_pmk && cached_pmk_len) {
2860 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2861
2862 pmk_len = cached_pmk_len;
2863 os_memcpy(pmk, cached_pmk, cached_pmk_len);
2864 } else {
2865 switch (sta->pasn->akmp) {
2866 #ifdef CONFIG_SAE
2867 case WPA_KEY_MGMT_SAE:
2868 if (sta->pasn->sae.state == SAE_COMMITTED) {
2869 pmk_len = PMK_LEN;
2870 os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2871 break;
2872 }
2873 #endif /* CONFIG_SAE */
2874 /* fall through */
2875 default:
2876 /* TODO: Derive PMK based on wrapped data */
2877 wpa_printf(MSG_DEBUG,
2878 "PASN: Missing PMK derivation");
2879 return -1;
2880 }
2881 }
2882
2883 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2884 wpabuf_head(secret), wpabuf_len(secret),
2885 &sta->pasn->ptk, sta->pasn->akmp,
2886 sta->pasn->cipher, sta->pasn->kdk_len);
2887 if (ret) {
2888 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2889 return -1;
2890 }
2891
2892 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2893 return 0;
2894 }
2895
2896
handle_auth_pasn_comeback(struct hostapd_data * hapd,struct sta_info * sta,u16 group)2897 static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
2898 struct sta_info *sta, u16 group)
2899 {
2900 struct wpabuf *buf, *comeback;
2901 int ret;
2902
2903 wpa_printf(MSG_DEBUG,
2904 "PASN: Building comeback frame 2. Comeback after=%u",
2905 hapd->conf->pasn_comeback_after);
2906
2907 buf = wpabuf_alloc(1500);
2908 if (!buf)
2909 return;
2910
2911 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2912 sta->addr, 2,
2913 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
2914
2915 /*
2916 * Do not include the group as a part of the token since it is not going
2917 * to be used.
2918 */
2919 comeback = auth_build_token_req(hapd, 0, sta->addr, 0);
2920 if (!comeback) {
2921 wpa_printf(MSG_DEBUG,
2922 "PASN: Failed sending auth with comeback");
2923 wpabuf_free(buf);
2924 return;
2925 }
2926
2927 wpa_pasn_add_parameter_ie(buf, group,
2928 WPA_PASN_WRAPPED_DATA_NO,
2929 NULL, 0, comeback,
2930 hapd->conf->pasn_comeback_after);
2931 wpabuf_free(comeback);
2932
2933 wpa_printf(MSG_DEBUG,
2934 "PASN: comeback: STA=" MACSTR, MAC2STR(sta->addr));
2935
2936 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2937 NULL, 0, 0);
2938 if (ret)
2939 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
2940
2941 wpabuf_free(buf);
2942 }
2943
2944
handle_auth_pasn_resp(struct hostapd_data * hapd,struct sta_info * sta,struct rsn_pmksa_cache_entry * pmksa,u16 status)2945 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2946 struct sta_info *sta,
2947 struct rsn_pmksa_cache_entry *pmksa,
2948 u16 status)
2949 {
2950 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2951 u8 mic[WPA_PASN_MAX_MIC_LEN];
2952 u8 mic_len;
2953 u8 *ptr;
2954 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2955 u8 *data_buf = NULL;
2956 size_t rsn_ie_len, frame_len, data_len;
2957 int ret;
2958 const u8 *pmkid = NULL;
2959
2960 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2961
2962 buf = wpabuf_alloc(1500);
2963 if (!buf)
2964 goto fail;
2965
2966 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2967 sta->addr, 2, status);
2968
2969 if (status != WLAN_STATUS_SUCCESS)
2970 goto done;
2971
2972 if (pmksa) {
2973 pmkid = pmksa->pmkid;
2974 #ifdef CONFIG_SAE
2975 } else if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
2976 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
2977 pmkid = sta->pasn->sae.pmkid;
2978 #endif /* CONFIG_SAE */
2979 #ifdef CONFIG_FILS
2980 } else if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
2981 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
2982 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
2983 pmkid = sta->pasn->fils.erp_pmkid;
2984 #endif /* CONFIG_FILS */
2985 }
2986
2987 if (wpa_pasn_add_rsne(buf, pmkid,
2988 sta->pasn->akmp, sta->pasn->cipher) < 0)
2989 goto fail;
2990
2991 /* No need to derive PMK if PMKSA is given */
2992 if (!pmksa)
2993 wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
2994 else
2995 sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
2996
2997 /* Get public key */
2998 pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
2999 pubkey = wpabuf_zeropad(pubkey,
3000 crypto_ecdh_prime_len(sta->pasn->ecdh));
3001 if (!pubkey) {
3002 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
3003 goto fail;
3004 }
3005
3006 wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
3007 sta->pasn->wrapped_data_format,
3008 pubkey, true, NULL, 0);
3009
3010 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
3011 goto fail;
3012
3013 wpabuf_free(wrapped_data_buf);
3014 wrapped_data_buf = NULL;
3015 wpabuf_free(pubkey);
3016 pubkey = NULL;
3017
3018 /* Add RSNXE if needed */
3019 rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
3020 if (rsnxe_ie)
3021 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
3022
3023 /* Add the mic */
3024 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3025 wpabuf_put_u8(buf, WLAN_EID_MIC);
3026 wpabuf_put_u8(buf, mic_len);
3027 ptr = wpabuf_put(buf, mic_len);
3028
3029 os_memset(ptr, 0, mic_len);
3030
3031 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
3032 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
3033
3034 rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
3035 if (!rsn_ie || !rsn_ie_len)
3036 goto fail;
3037
3038 /*
3039 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
3040 * MDE, etc. Thus, do not use the returned length but instead use the
3041 * length specified in the IE header.
3042 */
3043 data_len = rsn_ie[1] + 2;
3044 if (rsnxe_ie) {
3045 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
3046 if (!data_buf)
3047 goto fail;
3048
3049 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
3050 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
3051 data_len += rsnxe_ie[1] + 2;
3052 data = data_buf;
3053 } else {
3054 data = rsn_ie;
3055 }
3056
3057 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3058 hapd->own_addr, sta->addr, data, data_len,
3059 frame, frame_len, mic);
3060 os_free(data_buf);
3061 if (ret) {
3062 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
3063 goto fail;
3064 }
3065
3066 #ifdef CONFIG_TESTING_OPTIONS
3067 if (hapd->conf->pasn_corrupt_mic) {
3068 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
3069 mic[0] = ~mic[0];
3070 }
3071 #endif /* CONFIG_TESTING_OPTIONS */
3072
3073 os_memcpy(ptr, mic, mic_len);
3074
3075 done:
3076 wpa_printf(MSG_DEBUG,
3077 "PASN: Building frame 2: success; resp STA=" MACSTR,
3078 MAC2STR(sta->addr));
3079
3080 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
3081 NULL, 0, 0);
3082 if (ret)
3083 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
3084
3085 wpabuf_free(buf);
3086 return ret;
3087 fail:
3088 wpabuf_free(wrapped_data_buf);
3089 wpabuf_free(pubkey);
3090 wpabuf_free(buf);
3091 return -1;
3092 }
3093
3094
handle_auth_pasn_1(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3095 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3096 const struct ieee80211_mgmt *mgmt, size_t len)
3097 {
3098 struct ieee802_11_elems elems;
3099 struct wpa_ie_data rsn_data;
3100 struct wpa_pasn_params_data pasn_params;
3101 struct rsn_pmksa_cache_entry *pmksa = NULL;
3102 const u8 *cached_pmk = NULL;
3103 size_t cached_pmk_len = 0;
3104 #ifdef CONFIG_IEEE80211R_AP
3105 u8 pmk_r1[PMK_LEN_MAX];
3106 size_t pmk_r1_len;
3107 #endif /* CONFIG_IEEE80211R_AP */
3108 struct wpabuf *wrapped_data = NULL, *secret = NULL;
3109 const int *groups = hapd->conf->pasn_groups;
3110 static const int default_groups[] = { 19, 0 };
3111 u16 status = WLAN_STATUS_SUCCESS;
3112 int ret, inc_y;
3113 bool derive_keys;
3114 u32 i;
3115
3116 if (!groups)
3117 groups = default_groups;
3118
3119 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3120 len - offsetof(struct ieee80211_mgmt,
3121 u.auth.variable),
3122 &elems, 0) == ParseFailed) {
3123 wpa_printf(MSG_DEBUG,
3124 "PASN: Failed parsing Authentication frame");
3125 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3126 goto send_resp;
3127 }
3128
3129 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3130 &rsn_data);
3131 if (ret) {
3132 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3133 status = WLAN_STATUS_INVALID_RSNIE;
3134 goto send_resp;
3135 }
3136
3137 ret = wpa_pasn_validate_rsne(&rsn_data);
3138 if (ret) {
3139 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3140 status = WLAN_STATUS_INVALID_RSNIE;
3141 goto send_resp;
3142 }
3143
3144 if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3145 !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3146 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3147 status = WLAN_STATUS_INVALID_RSNIE;
3148 goto send_resp;
3149 }
3150
3151 sta->pasn->akmp = rsn_data.key_mgmt;
3152 sta->pasn->cipher = rsn_data.pairwise_cipher;
3153
3154 if (hapd->conf->force_kdk_derivation ||
3155 ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
3156 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
3157 WLAN_RSNX_CAPAB_SECURE_LTF)))
3158 sta->pasn->kdk_len = WPA_KDK_MAX_LEN;
3159 else
3160 sta->pasn->kdk_len = 0;
3161 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len);
3162
3163 if (!elems.pasn_params || !elems.pasn_params_len) {
3164 wpa_printf(MSG_DEBUG,
3165 "PASN: No PASN Parameters element found");
3166 status = WLAN_STATUS_INVALID_PARAMETERS;
3167 goto send_resp;
3168 }
3169
3170 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3171 elems.pasn_params_len + 3,
3172 false, &pasn_params);
3173 if (ret) {
3174 wpa_printf(MSG_DEBUG,
3175 "PASN: Failed validation of PASN Parameters IE");
3176 status = WLAN_STATUS_INVALID_PARAMETERS;
3177 goto send_resp;
3178 }
3179
3180 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3181 ;
3182
3183 if (!pasn_params.group || groups[i] != pasn_params.group) {
3184 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3185 pasn_params.group);
3186 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3187 goto send_resp;
3188 }
3189
3190 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3191 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3192 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3193 goto send_resp;
3194 }
3195
3196 if (pasn_params.comeback) {
3197 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
3198
3199 ret = check_comeback_token(hapd, sta->addr,
3200 pasn_params.comeback,
3201 pasn_params.comeback_len);
3202
3203 if (ret) {
3204 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
3205 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3206 goto send_resp;
3207 }
3208 } else if (use_anti_clogging(hapd)) {
3209 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
3210 handle_auth_pasn_comeback(hapd, sta, pasn_params.group);
3211 ap_free_sta(hapd, sta);
3212 return;
3213 }
3214
3215 sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3216 if (!sta->pasn->ecdh) {
3217 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3218 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3219 goto send_resp;
3220 }
3221
3222 sta->pasn->group = pasn_params.group;
3223
3224 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
3225 inc_y = 1;
3226 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
3227 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
3228 inc_y = 0;
3229 } else {
3230 wpa_printf(MSG_DEBUG,
3231 "PASN: Invalid first octet in pubkey=0x%x",
3232 pasn_params.pubkey[0]);
3233 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3234 goto send_resp;
3235 }
3236
3237 secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, inc_y,
3238 pasn_params.pubkey + 1,
3239 pasn_params.pubkey_len - 1);
3240 if (!secret) {
3241 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3242 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3243 goto send_resp;
3244 }
3245
3246 derive_keys = true;
3247 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3248 wrapped_data = ieee802_11_defrag(&elems,
3249 WLAN_EID_EXTENSION,
3250 WLAN_EID_EXT_WRAPPED_DATA);
3251 if (!wrapped_data) {
3252 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3253 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3254 goto send_resp;
3255 }
3256
3257 #ifdef CONFIG_SAE
3258 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3259 ret = pasn_wd_handle_sae_commit(hapd, sta,
3260 wrapped_data);
3261 if (ret) {
3262 wpa_printf(MSG_DEBUG,
3263 "PASN: Failed processing SAE commit");
3264 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3265 goto send_resp;
3266 }
3267 }
3268 #endif /* CONFIG_SAE */
3269 #ifdef CONFIG_FILS
3270 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3271 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3272 ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3273 if (ret) {
3274 wpa_printf(MSG_DEBUG,
3275 "PASN: Failed processing FILS wrapped data");
3276 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3277 goto send_resp;
3278 }
3279
3280 wpa_printf(MSG_DEBUG,
3281 "PASN: FILS: Pending AS response");
3282
3283 /*
3284 * With PASN/FILS, keys can be derived only after a
3285 * response from the AS is processed.
3286 */
3287 derive_keys = false;
3288 }
3289 #endif /* CONFIG_FILS */
3290 }
3291
3292 sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3293
3294 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3295 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3296 len - IEEE80211_HDRLEN, sta->pasn->hash);
3297 if (ret) {
3298 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3299 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3300 goto send_resp;
3301 }
3302
3303 if (!derive_keys) {
3304 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3305 sta->pasn->secret = secret;
3306 wpabuf_free(wrapped_data);
3307 return;
3308 }
3309
3310 if (rsn_data.num_pmkid) {
3311 if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3312 #ifdef CONFIG_IEEE80211R_AP
3313 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3314
3315 ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3316 rsn_data.pmkid,
3317 pmk_r1, &pmk_r1_len, NULL,
3318 NULL, NULL, NULL,
3319 NULL, NULL, NULL);
3320 if (ret) {
3321 wpa_printf(MSG_DEBUG,
3322 "PASN: FT: Failed getting PMK-R1");
3323 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3324 goto send_resp;
3325 }
3326 cached_pmk = pmk_r1;
3327 cached_pmk_len = pmk_r1_len;
3328 #else /* CONFIG_IEEE80211R_AP */
3329 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3330 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3331 goto send_resp;
3332 #endif /* CONFIG_IEEE80211R_AP */
3333 } else {
3334 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3335
3336 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3337 rsn_data.pmkid);
3338 if (pmksa) {
3339 cached_pmk = pmksa->pmk;
3340 cached_pmk_len = pmksa->pmk_len;
3341 }
3342 }
3343 } else {
3344 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3345 }
3346
3347 ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3348 &pasn_params, wrapped_data, secret);
3349 if (ret) {
3350 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3351 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3352 goto send_resp;
3353 }
3354
3355 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3356 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3357 len - IEEE80211_HDRLEN, sta->pasn->hash);
3358 if (ret) {
3359 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3360 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3361 }
3362
3363 send_resp:
3364 ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3365 if (ret) {
3366 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3367 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3368 } else {
3369 wpa_printf(MSG_DEBUG,
3370 "PASN: Success handling transaction == 1");
3371 }
3372
3373 wpabuf_free(secret);
3374 wpabuf_free(wrapped_data);
3375
3376 if (status != WLAN_STATUS_SUCCESS)
3377 ap_free_sta(hapd, sta);
3378 }
3379
3380
handle_auth_pasn_3(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3381 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3382 const struct ieee80211_mgmt *mgmt, size_t len)
3383 {
3384 struct ieee802_11_elems elems;
3385 struct wpa_pasn_params_data pasn_params;
3386 struct wpabuf *wrapped_data = NULL;
3387 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3388 u8 mic_len;
3389 int ret;
3390
3391 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3392 len - offsetof(struct ieee80211_mgmt,
3393 u.auth.variable),
3394 &elems, 0) == ParseFailed) {
3395 wpa_printf(MSG_DEBUG,
3396 "PASN: Failed parsing Authentication frame");
3397 goto fail;
3398 }
3399
3400 /* Check that the MIC IE exists. Save it and zero out the memory. */
3401 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3402 if (!elems.mic || elems.mic_len != mic_len) {
3403 wpa_printf(MSG_DEBUG,
3404 "PASN: Invalid MIC. Expecting len=%u", mic_len);
3405 goto fail;
3406 } else {
3407 os_memcpy(mic, elems.mic, mic_len);
3408 /* TODO: Clean this up.. Should not modify received frame
3409 * buffer. */
3410 os_memset((u8 *) elems.mic, 0, mic_len);
3411 }
3412
3413 if (!elems.pasn_params || !elems.pasn_params_len) {
3414 wpa_printf(MSG_DEBUG,
3415 "PASN: No PASN Parameters element found");
3416 goto fail;
3417 }
3418
3419 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3420 elems.pasn_params_len + 3,
3421 false, &pasn_params);
3422 if (ret) {
3423 wpa_printf(MSG_DEBUG,
3424 "PASN: Failed validation of PASN Parameters IE");
3425 goto fail;
3426 }
3427
3428 if (pasn_params.pubkey || pasn_params.pubkey_len) {
3429 wpa_printf(MSG_DEBUG,
3430 "PASN: Public key should not be included");
3431 goto fail;
3432 }
3433
3434 /* Verify the MIC */
3435 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3436 sta->addr, hapd->own_addr,
3437 sta->pasn->hash, mic_len * 2,
3438 (u8 *) &mgmt->u.auth,
3439 len - offsetof(struct ieee80211_mgmt, u.auth),
3440 out_mic);
3441
3442 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3443 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3444 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3445 goto fail;
3446 }
3447
3448 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3449 wrapped_data = ieee802_11_defrag(&elems,
3450 WLAN_EID_EXTENSION,
3451 WLAN_EID_EXT_WRAPPED_DATA);
3452
3453 if (!wrapped_data) {
3454 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3455 goto fail;
3456 }
3457
3458 #ifdef CONFIG_SAE
3459 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3460 ret = pasn_wd_handle_sae_confirm(hapd, sta,
3461 wrapped_data);
3462 if (ret) {
3463 wpa_printf(MSG_DEBUG,
3464 "PASN: Failed processing SAE confirm");
3465 wpabuf_free(wrapped_data);
3466 goto fail;
3467 }
3468 }
3469 #endif /* CONFIG_SAE */
3470 #ifdef CONFIG_FILS
3471 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3472 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3473 if (wrapped_data) {
3474 wpa_printf(MSG_DEBUG,
3475 "PASN: FILS: Ignore wrapped data");
3476 }
3477 }
3478 #endif /* CONFIG_FILS */
3479 wpabuf_free(wrapped_data);
3480 }
3481
3482 wpa_printf(MSG_INFO,
3483 "PASN: Success handling transaction == 3. Store PTK");
3484
3485 ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3486 &sta->pasn->ptk);
3487 fail:
3488 ap_free_sta(hapd, sta);
3489 }
3490
3491
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)3492 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3493 const struct ieee80211_mgmt *mgmt, size_t len,
3494 u16 trans_seq, u16 status)
3495 {
3496 if (hapd->conf->wpa != WPA_PROTO_RSN) {
3497 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3498 return;
3499 }
3500
3501 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
3502 MAC2STR(sta->addr));
3503
3504 if (trans_seq == 1) {
3505 if (sta->pasn) {
3506 wpa_printf(MSG_DEBUG,
3507 "PASN: Not expecting transaction == 1");
3508 return;
3509 }
3510
3511 if (status != WLAN_STATUS_SUCCESS) {
3512 wpa_printf(MSG_DEBUG,
3513 "PASN: Failure status in transaction == 1");
3514 return;
3515 }
3516
3517 sta->pasn = os_zalloc(sizeof(*sta->pasn));
3518 if (!sta->pasn) {
3519 wpa_printf(MSG_DEBUG,
3520 "PASN: Failed to allocate PASN context");
3521 return;
3522 }
3523
3524 handle_auth_pasn_1(hapd, sta, mgmt, len);
3525 } else if (trans_seq == 3) {
3526 if (!sta->pasn) {
3527 wpa_printf(MSG_DEBUG,
3528 "PASN: Not expecting transaction == 3");
3529 return;
3530 }
3531
3532 if (status != WLAN_STATUS_SUCCESS) {
3533 wpa_printf(MSG_DEBUG,
3534 "PASN: Failure status in transaction == 3");
3535 ap_free_sta_pasn(hapd, sta);
3536 return;
3537 }
3538
3539 handle_auth_pasn_3(hapd, sta, mgmt, len);
3540 } else {
3541 wpa_printf(MSG_DEBUG,
3542 "PASN: Invalid transaction %u - ignore", trans_seq);
3543 }
3544 }
3545
3546 #endif /* CONFIG_PASN */
3547
3548
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)3549 static void handle_auth(struct hostapd_data *hapd,
3550 const struct ieee80211_mgmt *mgmt, size_t len,
3551 int rssi, int from_queue)
3552 {
3553 u16 auth_alg, auth_transaction, status_code;
3554 u16 resp = WLAN_STATUS_SUCCESS;
3555 struct sta_info *sta = NULL;
3556 int res, reply_res;
3557 u16 fc;
3558 const u8 *challenge = NULL;
3559 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3560 size_t resp_ies_len = 0;
3561 u16 seq_ctrl;
3562 struct radius_sta rad_info;
3563
3564 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3565 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3566 (unsigned long) len);
3567 return;
3568 }
3569
3570 #ifdef CONFIG_TESTING_OPTIONS
3571 if (hapd->iconf->ignore_auth_probability > 0.0 &&
3572 drand48() < hapd->iconf->ignore_auth_probability) {
3573 wpa_printf(MSG_INFO,
3574 "TESTING: ignoring auth frame from " MACSTR,
3575 MAC2STR(mgmt->sa));
3576 return;
3577 }
3578 #endif /* CONFIG_TESTING_OPTIONS */
3579
3580 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3581 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3582 status_code = le_to_host16(mgmt->u.auth.status_code);
3583 fc = le_to_host16(mgmt->frame_control);
3584 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3585
3586 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3587 2 + WLAN_AUTH_CHALLENGE_LEN &&
3588 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3589 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3590 challenge = &mgmt->u.auth.variable[2];
3591
3592 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
3593 "auth_transaction=%d status_code=%d wep=%d%s "
3594 "seq_ctrl=0x%x%s%s",
3595 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
3596 status_code, !!(fc & WLAN_FC_ISWEP),
3597 challenge ? " challenge" : "",
3598 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3599 from_queue ? " (from queue)" : "");
3600
3601 #ifdef CONFIG_NO_RC4
3602 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3603 wpa_printf(MSG_INFO,
3604 "Unsupported authentication algorithm (%d)",
3605 auth_alg);
3606 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3607 goto fail;
3608 }
3609 #endif /* CONFIG_NO_RC4 */
3610
3611 if (hapd->tkip_countermeasures) {
3612 wpa_printf(MSG_DEBUG,
3613 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3614 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3615 goto fail;
3616 }
3617
3618 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3619 auth_alg == WLAN_AUTH_OPEN) ||
3620 #ifdef CONFIG_IEEE80211R_AP
3621 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3622 auth_alg == WLAN_AUTH_FT) ||
3623 #endif /* CONFIG_IEEE80211R_AP */
3624 #ifdef CONFIG_SAE
3625 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3626 auth_alg == WLAN_AUTH_SAE) ||
3627 #endif /* CONFIG_SAE */
3628 #ifdef CONFIG_FILS
3629 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3630 auth_alg == WLAN_AUTH_FILS_SK) ||
3631 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3632 hapd->conf->fils_dh_group &&
3633 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3634 #endif /* CONFIG_FILS */
3635 #ifdef CONFIG_PASN
3636 (hapd->conf->wpa &&
3637 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3638 auth_alg == WLAN_AUTH_PASN) ||
3639 #endif /* CONFIG_PASN */
3640 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3641 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3642 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3643 auth_alg);
3644 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3645 goto fail;
3646 }
3647
3648 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3649 #ifdef CONFIG_PASN
3650 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3651 #endif /* CONFIG_PASN */
3652 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3653 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3654 auth_transaction);
3655 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3656 goto fail;
3657 }
3658
3659 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3660 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3661 MAC2STR(mgmt->sa));
3662 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3663 goto fail;
3664 }
3665
3666 if (hapd->conf->no_auth_if_seen_on) {
3667 struct hostapd_data *other;
3668
3669 other = sta_track_seen_on(hapd->iface, mgmt->sa,
3670 hapd->conf->no_auth_if_seen_on);
3671 if (other) {
3672 u8 *pos;
3673 u32 info;
3674 u8 op_class, channel, phytype;
3675
3676 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3677 MACSTR " since STA has been seen on %s",
3678 hapd->conf->iface, MAC2STR(mgmt->sa),
3679 hapd->conf->no_auth_if_seen_on);
3680
3681 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3682 pos = &resp_ies[0];
3683 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3684 *pos++ = 13;
3685 os_memcpy(pos, other->own_addr, ETH_ALEN);
3686 pos += ETH_ALEN;
3687 info = 0; /* TODO: BSSID Information */
3688 WPA_PUT_LE32(pos, info);
3689 pos += 4;
3690 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3691 phytype = 8; /* dmg */
3692 else if (other->iconf->ieee80211ac)
3693 phytype = 9; /* vht */
3694 else if (other->iconf->ieee80211n)
3695 phytype = 7; /* ht */
3696 else if (other->iconf->hw_mode ==
3697 HOSTAPD_MODE_IEEE80211A)
3698 phytype = 4; /* ofdm */
3699 else if (other->iconf->hw_mode ==
3700 HOSTAPD_MODE_IEEE80211G)
3701 phytype = 6; /* erp */
3702 else
3703 phytype = 5; /* hrdsss */
3704 if (ieee80211_freq_to_channel_ext(
3705 hostapd_hw_get_freq(other,
3706 other->iconf->channel),
3707 other->iconf->secondary_channel,
3708 other->iconf->ieee80211ac,
3709 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3710 op_class = 0;
3711 channel = other->iconf->channel;
3712 }
3713 *pos++ = op_class;
3714 *pos++ = channel;
3715 *pos++ = phytype;
3716 resp_ies_len = pos - &resp_ies[0];
3717 goto fail;
3718 }
3719 }
3720
3721 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3722 &rad_info);
3723 if (res == HOSTAPD_ACL_REJECT) {
3724 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3725 "Ignore Authentication frame from " MACSTR
3726 " due to ACL reject", MAC2STR(mgmt->sa));
3727 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3728 goto fail;
3729 }
3730 if (res == HOSTAPD_ACL_PENDING)
3731 return;
3732
3733 #ifdef CONFIG_SAE
3734 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3735 (auth_transaction == 1 ||
3736 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3737 /* Handle SAE Authentication commit message through a queue to
3738 * provide more control for postponing the needed heavy
3739 * processing under a possible DoS attack scenario. In addition,
3740 * queue SAE Authentication confirm message if there happens to
3741 * be a queued commit message from the same peer. This is needed
3742 * to avoid reordering Authentication frames within the same
3743 * SAE exchange. */
3744 auth_sae_queue(hapd, mgmt, len, rssi);
3745 return;
3746 }
3747 #endif /* CONFIG_SAE */
3748
3749 sta = ap_get_sta(hapd, mgmt->sa);
3750 if (sta) {
3751 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3752 sta->ft_over_ds = 0;
3753 if ((fc & WLAN_FC_RETRY) &&
3754 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3755 sta->last_seq_ctrl == seq_ctrl &&
3756 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3757 hostapd_logger(hapd, sta->addr,
3758 HOSTAPD_MODULE_IEEE80211,
3759 HOSTAPD_LEVEL_DEBUG,
3760 "Drop repeated authentication frame seq_ctrl=0x%x",
3761 seq_ctrl);
3762 return;
3763 }
3764 #ifdef CONFIG_MESH
3765 if ((hapd->conf->mesh & MESH_ENABLED) &&
3766 sta->plink_state == PLINK_BLOCKED) {
3767 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3768 " is blocked - drop Authentication frame",
3769 MAC2STR(mgmt->sa));
3770 return;
3771 }
3772 #endif /* CONFIG_MESH */
3773 #ifdef CONFIG_PASN
3774 if (auth_alg == WLAN_AUTH_PASN &&
3775 (sta->flags & WLAN_STA_ASSOC)) {
3776 wpa_printf(MSG_DEBUG,
3777 "PASN: auth: Existing station: " MACSTR,
3778 MAC2STR(sta->addr));
3779 return;
3780 }
3781 #endif /* CONFIG_PASN */
3782 } else {
3783 #ifdef CONFIG_MESH
3784 if (hapd->conf->mesh & MESH_ENABLED) {
3785 /* if the mesh peer is not available, we don't do auth.
3786 */
3787 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3788 " not yet known - drop Authentication frame",
3789 MAC2STR(mgmt->sa));
3790 /*
3791 * Save a copy of the frame so that it can be processed
3792 * if a new peer entry is added shortly after this.
3793 */
3794 wpabuf_free(hapd->mesh_pending_auth);
3795 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3796 os_get_reltime(&hapd->mesh_pending_auth_time);
3797 return;
3798 }
3799 #endif /* CONFIG_MESH */
3800
3801 sta = ap_sta_add(hapd, mgmt->sa);
3802 if (!sta) {
3803 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3804 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3805 goto fail;
3806 }
3807 }
3808 sta->last_seq_ctrl = seq_ctrl;
3809 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3810 #ifdef CONFIG_MBO
3811 sta->auth_rssi = rssi;
3812 #endif /* CONFIG_MBO */
3813
3814 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3815 if (res) {
3816 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3817 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3818 goto fail;
3819 }
3820
3821 sta->flags &= ~WLAN_STA_PREAUTH;
3822 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3823
3824 /*
3825 * If the driver supports full AP client state, add a station to the
3826 * driver before sending authentication reply to make sure the driver
3827 * has resources, and not to go through the entire authentication and
3828 * association handshake, and fail it at the end.
3829 *
3830 * If this is not the first transaction, in a multi-step authentication
3831 * algorithm, the station already exists in the driver
3832 * (sta->added_unassoc = 1) so skip it.
3833 *
3834 * In mesh mode, the station was already added to the driver when the
3835 * NEW_PEER_CANDIDATE event is received.
3836 *
3837 * If PMF was negotiated for the existing association, skip this to
3838 * avoid dropping the STA entry and the associated keys. This is needed
3839 * to allow the original connection work until the attempt can complete
3840 * (re)association, so that unprotected Authentication frame cannot be
3841 * used to bypass PMF protection.
3842 *
3843 * PASN authentication does not require adding/removing station to the
3844 * driver so skip this flow in case of PASN authentication.
3845 */
3846 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3847 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3848 !(hapd->conf->mesh & MESH_ENABLED) &&
3849 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3850 if (ap_sta_re_add(hapd, sta) < 0) {
3851 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3852 goto fail;
3853 }
3854 }
3855
3856 switch (auth_alg) {
3857 case WLAN_AUTH_OPEN:
3858 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3859 HOSTAPD_LEVEL_DEBUG,
3860 "authentication OK (open system)");
3861 sta->flags |= WLAN_STA_AUTH;
3862 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3863 sta->auth_alg = WLAN_AUTH_OPEN;
3864 mlme_authenticate_indication(hapd, sta);
3865 break;
3866 #ifdef CONFIG_WEP
3867 #ifndef CONFIG_NO_RC4
3868 case WLAN_AUTH_SHARED_KEY:
3869 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3870 fc & WLAN_FC_ISWEP);
3871 if (resp != 0)
3872 wpa_printf(MSG_DEBUG,
3873 "auth_shared_key() failed: status=%d", resp);
3874 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3875 mlme_authenticate_indication(hapd, sta);
3876 if (sta->challenge && auth_transaction == 1) {
3877 resp_ies[0] = WLAN_EID_CHALLENGE;
3878 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3879 os_memcpy(resp_ies + 2, sta->challenge,
3880 WLAN_AUTH_CHALLENGE_LEN);
3881 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3882 }
3883 break;
3884 #endif /* CONFIG_NO_RC4 */
3885 #endif /* CONFIG_WEP */
3886 #ifdef CONFIG_IEEE80211R_AP
3887 case WLAN_AUTH_FT:
3888 sta->auth_alg = WLAN_AUTH_FT;
3889 if (sta->wpa_sm == NULL)
3890 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3891 sta->addr, NULL);
3892 if (sta->wpa_sm == NULL) {
3893 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3894 "state machine");
3895 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3896 goto fail;
3897 }
3898 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3899 auth_transaction, mgmt->u.auth.variable,
3900 len - IEEE80211_HDRLEN -
3901 sizeof(mgmt->u.auth),
3902 handle_auth_ft_finish, hapd);
3903 /* handle_auth_ft_finish() callback will complete auth. */
3904 return;
3905 #endif /* CONFIG_IEEE80211R_AP */
3906 #ifdef CONFIG_SAE
3907 case WLAN_AUTH_SAE:
3908 #ifdef CONFIG_MESH
3909 if (status_code == WLAN_STATUS_SUCCESS &&
3910 hapd->conf->mesh & MESH_ENABLED) {
3911 if (sta->wpa_sm == NULL)
3912 sta->wpa_sm =
3913 wpa_auth_sta_init(hapd->wpa_auth,
3914 sta->addr, NULL);
3915 if (sta->wpa_sm == NULL) {
3916 wpa_printf(MSG_DEBUG,
3917 "SAE: Failed to initialize WPA state machine");
3918 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3919 goto fail;
3920 }
3921 }
3922 #endif /* CONFIG_MESH */
3923 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3924 status_code);
3925 return;
3926 #endif /* CONFIG_SAE */
3927 #ifdef CONFIG_FILS
3928 case WLAN_AUTH_FILS_SK:
3929 case WLAN_AUTH_FILS_SK_PFS:
3930 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3931 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3932 auth_alg, auth_transaction, status_code,
3933 handle_auth_fils_finish);
3934 return;
3935 #endif /* CONFIG_FILS */
3936 #ifdef CONFIG_PASN
3937 case WLAN_AUTH_PASN:
3938 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3939 status_code);
3940 return;
3941 #endif /* CONFIG_PASN */
3942 }
3943
3944 fail:
3945 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3946 auth_alg == WLAN_AUTH_SAE ?
3947 auth_transaction : auth_transaction + 1,
3948 resp, resp_ies, resp_ies_len,
3949 "handle-auth");
3950
3951 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3952 reply_res != WLAN_STATUS_SUCCESS)) {
3953 hostapd_drv_sta_remove(hapd, sta->addr);
3954 sta->added_unassoc = 0;
3955 }
3956 }
3957
3958
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3959 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3960 {
3961 int i, j = 32, aid;
3962
3963 /* get a unique AID */
3964 if (sta->aid > 0) {
3965 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3966 return 0;
3967 }
3968
3969 if (TEST_FAIL())
3970 return -1;
3971
3972 for (i = 0; i < AID_WORDS; i++) {
3973 if (hapd->sta_aid[i] == (u32) -1)
3974 continue;
3975 for (j = 0; j < 32; j++) {
3976 if (!(hapd->sta_aid[i] & BIT(j)))
3977 break;
3978 }
3979 if (j < 32)
3980 break;
3981 }
3982 if (j == 32)
3983 return -1;
3984 aid = i * 32 + j + 1;
3985 if (aid > 2007)
3986 return -1;
3987
3988 sta->aid = aid;
3989 hapd->sta_aid[i] |= BIT(j);
3990 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
3991 return 0;
3992 }
3993
3994
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3995 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3996 const u8 *ssid_ie, size_t ssid_ie_len)
3997 {
3998 if (ssid_ie == NULL)
3999 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4000
4001 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
4002 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
4003 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4004 HOSTAPD_LEVEL_INFO,
4005 "Station tried to associate with unknown SSID "
4006 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
4007 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4008 }
4009
4010 return WLAN_STATUS_SUCCESS;
4011 }
4012
4013
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)4014 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
4015 const u8 *wmm_ie, size_t wmm_ie_len)
4016 {
4017 sta->flags &= ~WLAN_STA_WMM;
4018 sta->qosinfo = 0;
4019 if (wmm_ie && hapd->conf->wmm_enabled) {
4020 struct wmm_information_element *wmm;
4021
4022 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
4023 hostapd_logger(hapd, sta->addr,
4024 HOSTAPD_MODULE_WPA,
4025 HOSTAPD_LEVEL_DEBUG,
4026 "invalid WMM element in association "
4027 "request");
4028 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4029 }
4030
4031 sta->flags |= WLAN_STA_WMM;
4032 wmm = (struct wmm_information_element *) wmm_ie;
4033 sta->qosinfo = wmm->qos_info;
4034 }
4035 return WLAN_STATUS_SUCCESS;
4036 }
4037
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)4038 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
4039 const u8 *multi_ap_ie, size_t multi_ap_len)
4040 {
4041 u8 multi_ap_value = 0;
4042
4043 sta->flags &= ~WLAN_STA_MULTI_AP;
4044
4045 if (!hapd->conf->multi_ap)
4046 return WLAN_STATUS_SUCCESS;
4047
4048 if (multi_ap_ie) {
4049 const u8 *multi_ap_subelem;
4050
4051 multi_ap_subelem = get_ie(multi_ap_ie + 4,
4052 multi_ap_len - 4,
4053 MULTI_AP_SUB_ELEM_TYPE);
4054 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
4055 multi_ap_value = multi_ap_subelem[2];
4056 } else {
4057 hostapd_logger(hapd, sta->addr,
4058 HOSTAPD_MODULE_IEEE80211,
4059 HOSTAPD_LEVEL_INFO,
4060 "Multi-AP IE has missing or invalid Multi-AP subelement");
4061 return WLAN_STATUS_INVALID_IE;
4062 }
4063 }
4064
4065 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
4066 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4067 HOSTAPD_LEVEL_INFO,
4068 "Multi-AP IE with unexpected value 0x%02x",
4069 multi_ap_value);
4070
4071 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
4072 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
4073 return WLAN_STATUS_SUCCESS;
4074
4075 hostapd_logger(hapd, sta->addr,
4076 HOSTAPD_MODULE_IEEE80211,
4077 HOSTAPD_LEVEL_INFO,
4078 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
4079 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
4080 }
4081
4082 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
4083 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4084 HOSTAPD_LEVEL_DEBUG,
4085 "Backhaul STA tries to associate with fronthaul-only BSS");
4086
4087 sta->flags |= WLAN_STA_MULTI_AP;
4088 return WLAN_STATUS_SUCCESS;
4089 }
4090
4091
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)4092 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
4093 struct ieee802_11_elems *elems)
4094 {
4095 /* Supported rates not used in IEEE 802.11ad/DMG */
4096 if (hapd->iface->current_mode &&
4097 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
4098 return WLAN_STATUS_SUCCESS;
4099
4100 if (!elems->supp_rates) {
4101 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4102 HOSTAPD_LEVEL_DEBUG,
4103 "No supported rates element in AssocReq");
4104 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4105 }
4106
4107 if (elems->supp_rates_len + elems->ext_supp_rates_len >
4108 sizeof(sta->supported_rates)) {
4109 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4110 HOSTAPD_LEVEL_DEBUG,
4111 "Invalid supported rates element length %d+%d",
4112 elems->supp_rates_len,
4113 elems->ext_supp_rates_len);
4114 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4115 }
4116
4117 sta->supported_rates_len = merge_byte_arrays(
4118 sta->supported_rates, sizeof(sta->supported_rates),
4119 elems->supp_rates, elems->supp_rates_len,
4120 elems->ext_supp_rates, elems->ext_supp_rates_len);
4121
4122 return WLAN_STATUS_SUCCESS;
4123 }
4124
4125
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)4126 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
4127 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
4128 {
4129 #ifdef CONFIG_INTERWORKING
4130 /* check for QoS Map support */
4131 if (ext_capab_ie_len >= 5) {
4132 if (ext_capab_ie[4] & 0x01)
4133 sta->qos_map_enabled = 1;
4134 }
4135 #endif /* CONFIG_INTERWORKING */
4136
4137 if (ext_capab_ie_len > 0) {
4138 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4139 os_free(sta->ext_capability);
4140 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4141 if (sta->ext_capability) {
4142 sta->ext_capability[0] = ext_capab_ie_len;
4143 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4144 ext_capab_ie_len);
4145 }
4146 }
4147
4148 return WLAN_STATUS_SUCCESS;
4149 }
4150
4151
4152 #ifdef CONFIG_OWE
4153
owe_group_supported(struct hostapd_data * hapd,u16 group)4154 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4155 {
4156 int i;
4157 int *groups = hapd->conf->owe_groups;
4158
4159 if (group != 19 && group != 20 && group != 21)
4160 return 0;
4161
4162 if (!groups)
4163 return 1;
4164
4165 for (i = 0; groups[i] > 0; i++) {
4166 if (groups[i] == group)
4167 return 1;
4168 }
4169
4170 return 0;
4171 }
4172
4173
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)4174 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4175 struct sta_info *sta, const u8 *owe_dh,
4176 u8 owe_dh_len)
4177 {
4178 struct wpabuf *secret, *pub, *hkey;
4179 int res;
4180 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4181 const char *info = "OWE Key Generation";
4182 const u8 *addr[2];
4183 size_t len[2];
4184 u16 group;
4185 size_t hash_len, prime_len;
4186
4187 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4188 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4189 return WLAN_STATUS_SUCCESS;
4190 }
4191
4192 group = WPA_GET_LE16(owe_dh);
4193 if (!owe_group_supported(hapd, group)) {
4194 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4195 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4196 }
4197 if (group == 19)
4198 prime_len = 32;
4199 else if (group == 20)
4200 prime_len = 48;
4201 else if (group == 21)
4202 prime_len = 66;
4203 else
4204 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4205
4206 crypto_ecdh_deinit(sta->owe_ecdh);
4207 sta->owe_ecdh = crypto_ecdh_init(group);
4208 if (!sta->owe_ecdh)
4209 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4210 sta->owe_group = group;
4211
4212 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4213 owe_dh_len - 2);
4214 secret = wpabuf_zeropad(secret, prime_len);
4215 if (!secret) {
4216 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4217 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4218 }
4219 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4220
4221 /* prk = HKDF-extract(C | A | group, z) */
4222
4223 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4224 if (!pub) {
4225 wpabuf_clear_free(secret);
4226 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4227 }
4228
4229 /* PMKID = Truncate-128(Hash(C | A)) */
4230 addr[0] = owe_dh + 2;
4231 len[0] = owe_dh_len - 2;
4232 addr[1] = wpabuf_head(pub);
4233 len[1] = wpabuf_len(pub);
4234 if (group == 19) {
4235 res = sha256_vector(2, addr, len, pmkid);
4236 hash_len = SHA256_MAC_LEN;
4237 } else if (group == 20) {
4238 res = sha384_vector(2, addr, len, pmkid);
4239 hash_len = SHA384_MAC_LEN;
4240 } else if (group == 21) {
4241 res = sha512_vector(2, addr, len, pmkid);
4242 hash_len = SHA512_MAC_LEN;
4243 } else {
4244 wpabuf_free(pub);
4245 wpabuf_clear_free(secret);
4246 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4247 }
4248 pub = wpabuf_zeropad(pub, prime_len);
4249 if (res < 0 || !pub) {
4250 wpabuf_free(pub);
4251 wpabuf_clear_free(secret);
4252 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4253 }
4254
4255 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4256 if (!hkey) {
4257 wpabuf_free(pub);
4258 wpabuf_clear_free(secret);
4259 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4260 }
4261
4262 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4263 wpabuf_put_buf(hkey, pub); /* A */
4264 wpabuf_free(pub);
4265 wpabuf_put_le16(hkey, group); /* group */
4266 if (group == 19)
4267 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4268 wpabuf_head(secret), wpabuf_len(secret), prk);
4269 else if (group == 20)
4270 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4271 wpabuf_head(secret), wpabuf_len(secret), prk);
4272 else if (group == 21)
4273 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4274 wpabuf_head(secret), wpabuf_len(secret), prk);
4275 wpabuf_clear_free(hkey);
4276 wpabuf_clear_free(secret);
4277 if (res < 0)
4278 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4279
4280 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4281
4282 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4283
4284 os_free(sta->owe_pmk);
4285 sta->owe_pmk = os_malloc(hash_len);
4286 if (!sta->owe_pmk) {
4287 os_memset(prk, 0, SHA512_MAC_LEN);
4288 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4289 }
4290
4291 if (group == 19)
4292 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4293 os_strlen(info), sta->owe_pmk, hash_len);
4294 else if (group == 20)
4295 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4296 os_strlen(info), sta->owe_pmk, hash_len);
4297 else if (group == 21)
4298 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4299 os_strlen(info), sta->owe_pmk, hash_len);
4300 os_memset(prk, 0, SHA512_MAC_LEN);
4301 if (res < 0) {
4302 os_free(sta->owe_pmk);
4303 sta->owe_pmk = NULL;
4304 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4305 }
4306 sta->owe_pmk_len = hash_len;
4307
4308 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4309 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4310 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4311 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4312
4313 return WLAN_STATUS_SUCCESS;
4314 }
4315
4316
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4317 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4318 const u8 *rsn_ie, size_t rsn_ie_len,
4319 const u8 *owe_dh, size_t owe_dh_len)
4320 {
4321 struct wpa_ie_data data;
4322 int res;
4323
4324 if (!rsn_ie || rsn_ie_len < 2) {
4325 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
4326 MAC2STR(peer));
4327 return WLAN_STATUS_INVALID_IE;
4328 }
4329 rsn_ie -= 2;
4330 rsn_ie_len += 2;
4331
4332 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4333 if (res) {
4334 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
4335 " (res=%d)", MAC2STR(peer), res);
4336 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4337 return wpa_res_to_status_code(res);
4338 }
4339 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4340 wpa_printf(MSG_DEBUG,
4341 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
4342 (unsigned int) data.key_mgmt, MAC2STR(peer));
4343 return WLAN_STATUS_AKMP_NOT_VALID;
4344 }
4345 if (!owe_dh) {
4346 wpa_printf(MSG_DEBUG,
4347 "OWE: No Diffie-Hellman Parameter element from "
4348 MACSTR, MAC2STR(peer));
4349 return WLAN_STATUS_AKMP_NOT_VALID;
4350 }
4351
4352 return WLAN_STATUS_SUCCESS;
4353 }
4354
4355
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4356 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4357 struct sta_info *sta,
4358 const u8 *rsn_ie, size_t rsn_ie_len,
4359 const u8 *owe_dh, size_t owe_dh_len)
4360 {
4361 u16 status;
4362 u8 *owe_buf, ie[256 * 2];
4363 size_t ie_len = 0;
4364 enum wpa_validate_result res;
4365
4366 if (!rsn_ie || rsn_ie_len < 2) {
4367 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4368 status = WLAN_STATUS_INVALID_IE;
4369 goto end;
4370 }
4371
4372 if (!sta->wpa_sm)
4373 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
4374 NULL);
4375 if (!sta->wpa_sm) {
4376 wpa_printf(MSG_WARNING,
4377 "OWE: Failed to initialize WPA state machine");
4378 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4379 goto end;
4380 }
4381 rsn_ie -= 2;
4382 rsn_ie_len += 2;
4383 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4384 hapd->iface->freq, rsn_ie, rsn_ie_len,
4385 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4386 status = wpa_res_to_status_code(res);
4387 if (status != WLAN_STATUS_SUCCESS)
4388 goto end;
4389 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4390 if (status != WLAN_STATUS_SUCCESS)
4391 goto end;
4392 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4393 NULL, 0);
4394 if (!owe_buf) {
4395 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4396 goto end;
4397 }
4398
4399 if (sta->owe_ecdh) {
4400 struct wpabuf *pub;
4401
4402 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4403 if (!pub) {
4404 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4405 goto end;
4406 }
4407
4408 /* OWE Diffie-Hellman Parameter element */
4409 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4410 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4411 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4412 */
4413 WPA_PUT_LE16(owe_buf, sta->owe_group);
4414 owe_buf += 2;
4415 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4416 owe_buf += wpabuf_len(pub);
4417 wpabuf_free(pub);
4418 sta->external_dh_updated = 1;
4419 }
4420 ie_len = owe_buf - ie;
4421
4422 end:
4423 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4424 MACSTR, status, (unsigned int) ie_len,
4425 MAC2STR(sta->addr));
4426 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4427 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4428 ie_len);
4429
4430 return status;
4431 }
4432
4433 #endif /* CONFIG_OWE */
4434
4435
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4436 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4437 int reassoc)
4438 {
4439 if ((sta->flags &
4440 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4441 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4442 return false;
4443
4444 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4445 ap_check_sa_query_timeout(hapd, sta);
4446
4447 if (!sta->sa_query_timed_out &&
4448 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4449 /*
4450 * STA has already been associated with MFP and SA Query timeout
4451 * has not been reached. Reject the association attempt
4452 * temporarily and start SA Query, if one is not pending.
4453 */
4454 if (sta->sa_query_count == 0)
4455 ap_sta_start_sa_query(hapd, sta);
4456
4457 return true;
4458 }
4459
4460 return false;
4461 }
4462
4463
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4464 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4465 const u8 *ies, size_t ies_len, int reassoc)
4466 {
4467 struct ieee802_11_elems elems;
4468 int resp;
4469 const u8 *wpa_ie;
4470 size_t wpa_ie_len;
4471 const u8 *p2p_dev_addr = NULL;
4472
4473 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4474 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4475 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4476 "association request");
4477 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4478 }
4479
4480 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4481 if (resp != WLAN_STATUS_SUCCESS)
4482 return resp;
4483 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4484 if (resp != WLAN_STATUS_SUCCESS)
4485 return resp;
4486 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4487 if (resp != WLAN_STATUS_SUCCESS)
4488 return resp;
4489 resp = copy_supp_rates(hapd, sta, &elems);
4490 if (resp != WLAN_STATUS_SUCCESS)
4491 return resp;
4492
4493 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4494 if (resp != WLAN_STATUS_SUCCESS)
4495 return resp;
4496
4497 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4498 if (resp != WLAN_STATUS_SUCCESS)
4499 return resp;
4500 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4501 !(sta->flags & WLAN_STA_HT)) {
4502 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4503 HOSTAPD_LEVEL_INFO, "Station does not support "
4504 "mandatory HT PHY - reject association");
4505 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4506 }
4507
4508 #ifdef CONFIG_IEEE80211AC
4509 if (hapd->iconf->ieee80211ac) {
4510 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4511 if (resp != WLAN_STATUS_SUCCESS)
4512 return resp;
4513
4514 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4515 if (resp != WLAN_STATUS_SUCCESS)
4516 return resp;
4517 }
4518
4519 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4520 !(sta->flags & WLAN_STA_VHT)) {
4521 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4522 HOSTAPD_LEVEL_INFO, "Station does not support "
4523 "mandatory VHT PHY - reject association");
4524 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4525 }
4526
4527 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4528 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4529 elems.vendor_vht_len);
4530 if (resp != WLAN_STATUS_SUCCESS)
4531 return resp;
4532 }
4533 #endif /* CONFIG_IEEE80211AC */
4534 #ifdef CONFIG_IEEE80211AX
4535 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4536 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4537 elems.he_capabilities,
4538 elems.he_capabilities_len);
4539 if (resp != WLAN_STATUS_SUCCESS)
4540 return resp;
4541 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4542 if (!(sta->flags & WLAN_STA_HE)) {
4543 hostapd_logger(hapd, sta->addr,
4544 HOSTAPD_MODULE_IEEE80211,
4545 HOSTAPD_LEVEL_INFO,
4546 "Station does not support mandatory HE PHY - reject association");
4547 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4548 }
4549 resp = copy_sta_he_6ghz_capab(hapd, sta,
4550 elems.he_6ghz_band_cap);
4551 if (resp != WLAN_STATUS_SUCCESS)
4552 return resp;
4553 }
4554 }
4555 #endif /* CONFIG_IEEE80211AX */
4556
4557 #ifdef CONFIG_P2P
4558 if (elems.p2p) {
4559 wpabuf_free(sta->p2p_ie);
4560 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4561 P2P_IE_VENDOR_TYPE);
4562 if (sta->p2p_ie)
4563 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4564 } else {
4565 wpabuf_free(sta->p2p_ie);
4566 sta->p2p_ie = NULL;
4567 }
4568 #endif /* CONFIG_P2P */
4569
4570 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4571 wpa_ie = elems.rsn_ie;
4572 wpa_ie_len = elems.rsn_ie_len;
4573 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4574 elems.wpa_ie) {
4575 wpa_ie = elems.wpa_ie;
4576 wpa_ie_len = elems.wpa_ie_len;
4577 } else {
4578 wpa_ie = NULL;
4579 wpa_ie_len = 0;
4580 }
4581
4582 #ifdef CONFIG_WPS
4583 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4584 if (hapd->conf->wps_state && elems.wps_ie) {
4585 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4586 "Request - assume WPS is used");
4587 if (check_sa_query(hapd, sta, reassoc))
4588 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4589 sta->flags |= WLAN_STA_WPS;
4590 wpabuf_free(sta->wps_ie);
4591 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4592 WPS_IE_VENDOR_TYPE);
4593 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4594 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4595 sta->flags |= WLAN_STA_WPS2;
4596 }
4597 wpa_ie = NULL;
4598 wpa_ie_len = 0;
4599 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4600 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4601 "(Re)Association Request - reject");
4602 return WLAN_STATUS_INVALID_IE;
4603 }
4604 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4605 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4606 "(Re)Association Request - possible WPS use");
4607 sta->flags |= WLAN_STA_MAYBE_WPS;
4608 } else
4609 #endif /* CONFIG_WPS */
4610 if (hapd->conf->wpa && wpa_ie == NULL) {
4611 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4612 HOSTAPD_LEVEL_INFO,
4613 "No WPA/RSN IE in association request");
4614 return WLAN_STATUS_INVALID_IE;
4615 }
4616
4617 if (hapd->conf->wpa && wpa_ie) {
4618 enum wpa_validate_result res;
4619
4620 wpa_ie -= 2;
4621 wpa_ie_len += 2;
4622 if (sta->wpa_sm == NULL)
4623 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4624 sta->addr,
4625 p2p_dev_addr);
4626 if (sta->wpa_sm == NULL) {
4627 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4628 "state machine");
4629 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4630 }
4631 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4632 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4633 hapd->iface->freq,
4634 wpa_ie, wpa_ie_len,
4635 elems.rsnxe ? elems.rsnxe - 2 : NULL,
4636 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4637 elems.mdie, elems.mdie_len,
4638 elems.owe_dh, elems.owe_dh_len);
4639 resp = wpa_res_to_status_code(res);
4640 if (resp != WLAN_STATUS_SUCCESS)
4641 return resp;
4642
4643 if (check_sa_query(hapd, sta, reassoc))
4644 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4645
4646 if (wpa_auth_uses_mfp(sta->wpa_sm))
4647 sta->flags |= WLAN_STA_MFP;
4648 else
4649 sta->flags &= ~WLAN_STA_MFP;
4650
4651 #ifdef CONFIG_IEEE80211R_AP
4652 if (sta->auth_alg == WLAN_AUTH_FT) {
4653 if (!reassoc) {
4654 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4655 "to use association (not "
4656 "re-association) with FT auth_alg",
4657 MAC2STR(sta->addr));
4658 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4659 }
4660
4661 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4662 ies_len);
4663 if (resp != WLAN_STATUS_SUCCESS)
4664 return resp;
4665 }
4666 #endif /* CONFIG_IEEE80211R_AP */
4667
4668 #ifdef CONFIG_SAE
4669 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4670 sta->sae->state == SAE_ACCEPTED)
4671 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4672
4673 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4674 sta->auth_alg == WLAN_AUTH_OPEN) {
4675 struct rsn_pmksa_cache_entry *sa;
4676 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4677 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4678 wpa_printf(MSG_DEBUG,
4679 "SAE: No PMKSA cache entry found for "
4680 MACSTR, MAC2STR(sta->addr));
4681 return WLAN_STATUS_INVALID_PMKID;
4682 }
4683 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4684 " using PMKSA caching", MAC2STR(sta->addr));
4685 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4686 sta->auth_alg != WLAN_AUTH_SAE &&
4687 !(sta->auth_alg == WLAN_AUTH_FT &&
4688 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4689 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4690 "SAE AKM after non-SAE auth_alg %u",
4691 MAC2STR(sta->addr), sta->auth_alg);
4692 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4693 }
4694
4695 if (hapd->conf->sae_pwe == 2 &&
4696 sta->auth_alg == WLAN_AUTH_SAE &&
4697 sta->sae && !sta->sae->h2e &&
4698 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
4699 WLAN_RSNX_CAPAB_SAE_H2E)) {
4700 wpa_printf(MSG_INFO, "SAE: " MACSTR
4701 " indicates support for SAE H2E, but did not use it",
4702 MAC2STR(sta->addr));
4703 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4704 }
4705 #endif /* CONFIG_SAE */
4706
4707 #ifdef CONFIG_OWE
4708 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4709 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4710 elems.owe_dh) {
4711 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4712 elems.owe_dh_len);
4713 if (resp != WLAN_STATUS_SUCCESS)
4714 return resp;
4715 }
4716 #endif /* CONFIG_OWE */
4717
4718 #ifdef CONFIG_DPP2
4719 dpp_pfs_free(sta->dpp_pfs);
4720 sta->dpp_pfs = NULL;
4721
4722 if (DPP_VERSION > 1 &&
4723 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4724 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4725 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4726 elems.owe_dh) {
4727 sta->dpp_pfs = dpp_pfs_init(
4728 wpabuf_head(hapd->conf->dpp_netaccesskey),
4729 wpabuf_len(hapd->conf->dpp_netaccesskey));
4730 if (!sta->dpp_pfs) {
4731 wpa_printf(MSG_DEBUG,
4732 "DPP: Could not initialize PFS");
4733 /* Try to continue without PFS */
4734 goto pfs_fail;
4735 }
4736
4737 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4738 elems.owe_dh_len) < 0) {
4739 dpp_pfs_free(sta->dpp_pfs);
4740 sta->dpp_pfs = NULL;
4741 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4742 }
4743 }
4744
4745 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4746 sta->dpp_pfs->secret : NULL);
4747 pfs_fail:
4748 #endif /* CONFIG_DPP2 */
4749
4750 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4751 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4752 hostapd_logger(hapd, sta->addr,
4753 HOSTAPD_MODULE_IEEE80211,
4754 HOSTAPD_LEVEL_INFO,
4755 "Station tried to use TKIP with HT "
4756 "association");
4757 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4758 }
4759 #ifdef CONFIG_HS20
4760 } else if (hapd->conf->osen) {
4761 if (elems.osen == NULL) {
4762 hostapd_logger(
4763 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4764 HOSTAPD_LEVEL_INFO,
4765 "No HS 2.0 OSEN element in association request");
4766 return WLAN_STATUS_INVALID_IE;
4767 }
4768
4769 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4770 if (sta->wpa_sm == NULL)
4771 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4772 sta->addr, NULL);
4773 if (sta->wpa_sm == NULL) {
4774 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4775 "state machine");
4776 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4777 }
4778 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4779 elems.osen - 2, elems.osen_len + 2) < 0)
4780 return WLAN_STATUS_INVALID_IE;
4781 #endif /* CONFIG_HS20 */
4782 } else
4783 wpa_auth_sta_no_wpa(sta->wpa_sm);
4784
4785 #ifdef CONFIG_P2P
4786 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4787 #endif /* CONFIG_P2P */
4788
4789 #ifdef CONFIG_HS20
4790 wpabuf_free(sta->hs20_ie);
4791 if (elems.hs20 && elems.hs20_len > 4) {
4792 int release;
4793
4794 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4795 elems.hs20_len - 4);
4796 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4797 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4798 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4799 wpa_printf(MSG_DEBUG,
4800 "HS 2.0: PMF not negotiated by release %d station "
4801 MACSTR, release, MAC2STR(sta->addr));
4802 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4803 }
4804 } else {
4805 sta->hs20_ie = NULL;
4806 }
4807
4808 wpabuf_free(sta->roaming_consortium);
4809 if (elems.roaming_cons_sel)
4810 sta->roaming_consortium = wpabuf_alloc_copy(
4811 elems.roaming_cons_sel + 4,
4812 elems.roaming_cons_sel_len - 4);
4813 else
4814 sta->roaming_consortium = NULL;
4815 #endif /* CONFIG_HS20 */
4816
4817 #ifdef CONFIG_FST
4818 wpabuf_free(sta->mb_ies);
4819 if (hapd->iface->fst)
4820 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4821 else
4822 sta->mb_ies = NULL;
4823 #endif /* CONFIG_FST */
4824
4825 #ifdef CONFIG_MBO
4826 mbo_ap_check_sta_assoc(hapd, sta, &elems);
4827
4828 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4829 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4830 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4831 wpa_printf(MSG_INFO,
4832 "MBO: Reject WPA2 association without PMF");
4833 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4834 }
4835 #endif /* CONFIG_MBO */
4836
4837 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4838 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4839 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4840 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4841 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4842 struct wpa_channel_info ci;
4843 int tx_chanwidth;
4844 int tx_seg1_idx;
4845 enum oci_verify_result res;
4846
4847 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4848 wpa_printf(MSG_WARNING,
4849 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4850 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4851 }
4852
4853 if (get_sta_tx_parameters(sta->wpa_sm,
4854 channel_width_to_int(ci.chanwidth),
4855 ci.seg1_idx, &tx_chanwidth,
4856 &tx_seg1_idx) < 0)
4857 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4858
4859 res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4860 tx_chanwidth, tx_seg1_idx);
4861 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4862 res == OCI_NOT_FOUND) {
4863 /* Work around misbehaving STAs */
4864 wpa_printf(MSG_INFO,
4865 "FILS: Disable OCV with a STA that does not send OCI");
4866 wpa_auth_set_ocv(sta->wpa_sm, 0);
4867 } else if (res != OCI_SUCCESS) {
4868 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4869 ocv_errorstr);
4870 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4871 MACSTR " frame=fils-reassoc-req error=%s",
4872 MAC2STR(sta->addr), ocv_errorstr);
4873 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4874 }
4875 }
4876 #endif /* CONFIG_FILS && CONFIG_OCV */
4877
4878 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4879 elems.supp_op_classes_len);
4880
4881 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4882 elems.rrm_enabled &&
4883 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4884 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4885 sizeof(sta->rrm_enabled_capa));
4886
4887 if (elems.power_capab) {
4888 sta->min_tx_power = elems.power_capab[0];
4889 sta->max_tx_power = elems.power_capab[1];
4890 sta->power_capab = 1;
4891 } else {
4892 sta->power_capab = 0;
4893 }
4894
4895 return WLAN_STATUS_SUCCESS;
4896 }
4897
4898
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4899 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4900 u16 reason_code)
4901 {
4902 int send_len;
4903 struct ieee80211_mgmt reply;
4904
4905 os_memset(&reply, 0, sizeof(reply));
4906 reply.frame_control =
4907 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4908 os_memcpy(reply.da, addr, ETH_ALEN);
4909 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4910 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4911
4912 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4913 reply.u.deauth.reason_code = host_to_le16(reason_code);
4914
4915 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4916 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4917 strerror(errno));
4918 }
4919
4920
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4921 static int add_associated_sta(struct hostapd_data *hapd,
4922 struct sta_info *sta, int reassoc)
4923 {
4924 struct ieee80211_ht_capabilities ht_cap;
4925 struct ieee80211_vht_capabilities vht_cap;
4926 struct ieee80211_he_capabilities he_cap;
4927 int set = 1;
4928
4929 /*
4930 * Remove the STA entry to ensure the STA PS state gets cleared and
4931 * configuration gets updated. This is relevant for cases, such as
4932 * FT-over-the-DS, where a station re-associates back to the same AP but
4933 * skips the authentication flow, or if working with a driver that
4934 * does not support full AP client state.
4935 *
4936 * Skip this if the STA has already completed FT reassociation and the
4937 * TK has been configured since the TX/RX PN must not be reset to 0 for
4938 * the same key.
4939 *
4940 * FT-over-the-DS has a special case where the STA entry (and as such,
4941 * the TK) has not yet been configured to the driver depending on which
4942 * driver interface is used. For that case, allow add-STA operation to
4943 * be used (instead of set-STA). This is needed to allow mac80211-based
4944 * drivers to accept the STA parameter configuration. Since this is
4945 * after a new FT-over-DS exchange, a new TK has been derived, so key
4946 * reinstallation is not a concern for this case.
4947 */
4948 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4949 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4950 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4951 sta->ft_over_ds, reassoc,
4952 !!(sta->flags & WLAN_STA_AUTHORIZED),
4953 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4954 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4955
4956 if (!sta->added_unassoc &&
4957 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4958 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4959 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4960 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4961 hostapd_drv_sta_remove(hapd, sta->addr);
4962 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4963 set = 0;
4964
4965 /* Do not allow the FT-over-DS exception to be used more than
4966 * once per authentication exchange to guarantee a new TK is
4967 * used here */
4968 sta->ft_over_ds = 0;
4969 }
4970
4971 if (sta->flags & WLAN_STA_HT)
4972 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4973 #ifdef CONFIG_IEEE80211AC
4974 if (sta->flags & WLAN_STA_VHT)
4975 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4976 #endif /* CONFIG_IEEE80211AC */
4977 #ifdef CONFIG_IEEE80211AX
4978 if (sta->flags & WLAN_STA_HE) {
4979 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4980 sta->he_capab_len);
4981 }
4982 #endif /* CONFIG_IEEE80211AX */
4983
4984 /*
4985 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4986 * will be set when the ACK frame for the (Re)Association Response frame
4987 * is processed (TX status driver event).
4988 */
4989 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4990 sta->supported_rates, sta->supported_rates_len,
4991 sta->listen_interval,
4992 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4993 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4994 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4995 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4996 sta->he_6ghz_capab,
4997 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4998 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4999 set)) {
5000 hostapd_logger(hapd, sta->addr,
5001 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
5002 "Could not %s STA to kernel driver",
5003 set ? "set" : "add");
5004
5005 if (sta->added_unassoc) {
5006 hostapd_drv_sta_remove(hapd, sta->addr);
5007 sta->added_unassoc = 0;
5008 }
5009
5010 return -1;
5011 }
5012
5013 sta->added_unassoc = 0;
5014
5015 return 0;
5016 }
5017
5018
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)5019 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
5020 const u8 *addr, u16 status_code, int reassoc,
5021 const u8 *ies, size_t ies_len, int rssi,
5022 int omit_rsnxe)
5023 {
5024 int send_len;
5025 u8 *buf;
5026 size_t buflen;
5027 struct ieee80211_mgmt *reply;
5028 u8 *p;
5029 u16 res = WLAN_STATUS_SUCCESS;
5030
5031 buflen = sizeof(struct ieee80211_mgmt) + 1024;
5032 #ifdef CONFIG_FILS
5033 if (sta && sta->fils_hlp_resp)
5034 buflen += wpabuf_len(sta->fils_hlp_resp);
5035 if (sta)
5036 buflen += 150;
5037 #endif /* CONFIG_FILS */
5038 #ifdef CONFIG_OWE
5039 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5040 buflen += 150;
5041 #endif /* CONFIG_OWE */
5042 #ifdef CONFIG_DPP2
5043 if (sta && sta->dpp_pfs)
5044 buflen += 5 + sta->dpp_pfs->curve->prime_len;
5045 #endif /* CONFIG_DPP2 */
5046 buf = os_zalloc(buflen);
5047 if (!buf) {
5048 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5049 goto done;
5050 }
5051 reply = (struct ieee80211_mgmt *) buf;
5052 reply->frame_control =
5053 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
5054 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
5055 WLAN_FC_STYPE_ASSOC_RESP));
5056 os_memcpy(reply->da, addr, ETH_ALEN);
5057 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
5058 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
5059
5060 send_len = IEEE80211_HDRLEN;
5061 send_len += sizeof(reply->u.assoc_resp);
5062 reply->u.assoc_resp.capab_info =
5063 host_to_le16(hostapd_own_capab_info(hapd));
5064 reply->u.assoc_resp.status_code = host_to_le16(status_code);
5065
5066 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
5067 BIT(14) | BIT(15));
5068 /* Supported rates */
5069 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
5070 /* Extended supported rates */
5071 p = hostapd_eid_ext_supp_rates(hapd, p);
5072
5073 /* Radio measurement capabilities */
5074 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
5075
5076 #ifdef CONFIG_MBO
5077 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
5078 rssi != 0) {
5079 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
5080
5081 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
5082 delta);
5083 }
5084 #endif /* CONFIG_MBO */
5085
5086 #ifdef CONFIG_IEEE80211R_AP
5087 if (sta && status_code == WLAN_STATUS_SUCCESS) {
5088 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
5089 * Transition Information, RSN, [RIC Response] */
5090 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
5091 buf + buflen - p,
5092 sta->auth_alg, ies, ies_len,
5093 omit_rsnxe);
5094 if (!p) {
5095 wpa_printf(MSG_DEBUG,
5096 "FT: Failed to write AssocResp IEs");
5097 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5098 goto done;
5099 }
5100 }
5101 #endif /* CONFIG_IEEE80211R_AP */
5102 #ifdef CONFIG_FILS
5103 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5104 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5105 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5106 sta->auth_alg == WLAN_AUTH_FILS_PK))
5107 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
5108 buf + buflen - p,
5109 ies, ies_len);
5110 #endif /* CONFIG_FILS */
5111
5112 #ifdef CONFIG_OWE
5113 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5114 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5115 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
5116 buf + buflen - p,
5117 ies, ies_len);
5118 #endif /* CONFIG_OWE */
5119
5120 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
5121 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
5122
5123 p = hostapd_eid_ht_capabilities(hapd, p);
5124 p = hostapd_eid_ht_operation(hapd, p);
5125
5126 #ifdef CONFIG_IEEE80211AC
5127 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
5128 !is_6ghz_op_class(hapd->iconf->op_class)) {
5129 u32 nsts = 0, sta_nsts;
5130
5131 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
5132 struct ieee80211_vht_capabilities *capa;
5133
5134 nsts = (hapd->iface->conf->vht_capab >>
5135 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5136 capa = sta->vht_capabilities;
5137 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5138 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5139
5140 if (nsts < sta_nsts)
5141 nsts = 0;
5142 else
5143 nsts = sta_nsts;
5144 }
5145 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5146 p = hostapd_eid_vht_operation(hapd, p);
5147 }
5148 #endif /* CONFIG_IEEE80211AC */
5149
5150 #ifdef CONFIG_IEEE80211AX
5151 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5152 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5153 p = hostapd_eid_he_operation(hapd, p);
5154 p = hostapd_eid_spatial_reuse(hapd, p);
5155 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5156 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5157 }
5158 #endif /* CONFIG_IEEE80211AX */
5159
5160 p = hostapd_eid_ext_capab(hapd, p);
5161 p = hostapd_eid_bss_max_idle_period(hapd, p);
5162 if (sta && sta->qos_map_enabled)
5163 p = hostapd_eid_qos_map_set(hapd, p);
5164
5165 #ifdef CONFIG_FST
5166 if (hapd->iface->fst_ies) {
5167 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5168 wpabuf_len(hapd->iface->fst_ies));
5169 p += wpabuf_len(hapd->iface->fst_ies);
5170 }
5171 #endif /* CONFIG_FST */
5172
5173 #ifdef CONFIG_TESTING_OPTIONS
5174 if (hapd->conf->rsnxe_override_ft &&
5175 buf + buflen - p >=
5176 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5177 sta && sta->auth_alg == WLAN_AUTH_FT) {
5178 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5179 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5180 wpabuf_len(hapd->conf->rsnxe_override_ft));
5181 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5182 goto rsnxe_done;
5183 }
5184 #endif /* CONFIG_TESTING_OPTIONS */
5185 if (!omit_rsnxe)
5186 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5187 #ifdef CONFIG_TESTING_OPTIONS
5188 rsnxe_done:
5189 #endif /* CONFIG_TESTING_OPTIONS */
5190
5191 #ifdef CONFIG_OWE
5192 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5193 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5194 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5195 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5196 struct wpabuf *pub;
5197
5198 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5199 if (!pub) {
5200 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5201 goto done;
5202 }
5203 /* OWE Diffie-Hellman Parameter element */
5204 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5205 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5206 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5207 WPA_PUT_LE16(p, sta->owe_group);
5208 p += 2;
5209 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5210 p += wpabuf_len(pub);
5211 wpabuf_free(pub);
5212 }
5213 #endif /* CONFIG_OWE */
5214
5215 #ifdef CONFIG_DPP2
5216 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5217 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5218 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5219 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5220 wpabuf_len(sta->dpp_pfs->ie));
5221 p += wpabuf_len(sta->dpp_pfs->ie);
5222 }
5223 #endif /* CONFIG_DPP2 */
5224
5225 #ifdef CONFIG_IEEE80211AC
5226 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5227 p = hostapd_eid_vendor_vht(hapd, p);
5228 #endif /* CONFIG_IEEE80211AC */
5229
5230 if (sta && (sta->flags & WLAN_STA_WMM))
5231 p = hostapd_eid_wmm(hapd, p);
5232
5233 #ifdef CONFIG_WPS
5234 if (sta &&
5235 ((sta->flags & WLAN_STA_WPS) ||
5236 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5237 struct wpabuf *wps = wps_build_assoc_resp_ie();
5238 if (wps) {
5239 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5240 p += wpabuf_len(wps);
5241 wpabuf_free(wps);
5242 }
5243 }
5244 #endif /* CONFIG_WPS */
5245
5246 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5247 p = hostapd_eid_multi_ap(hapd, p);
5248
5249 #ifdef CONFIG_P2P
5250 if (sta && sta->p2p_ie && hapd->p2p_group) {
5251 struct wpabuf *p2p_resp_ie;
5252 enum p2p_status_code status;
5253 switch (status_code) {
5254 case WLAN_STATUS_SUCCESS:
5255 status = P2P_SC_SUCCESS;
5256 break;
5257 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5258 status = P2P_SC_FAIL_LIMIT_REACHED;
5259 break;
5260 default:
5261 status = P2P_SC_FAIL_INVALID_PARAMS;
5262 break;
5263 }
5264 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5265 if (p2p_resp_ie) {
5266 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5267 wpabuf_len(p2p_resp_ie));
5268 p += wpabuf_len(p2p_resp_ie);
5269 wpabuf_free(p2p_resp_ie);
5270 }
5271 }
5272 #endif /* CONFIG_P2P */
5273
5274 #ifdef CONFIG_P2P_MANAGER
5275 if (hapd->conf->p2p & P2P_MANAGE)
5276 p = hostapd_eid_p2p_manage(hapd, p);
5277 #endif /* CONFIG_P2P_MANAGER */
5278
5279 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5280
5281 if (hapd->conf->assocresp_elements &&
5282 (size_t) (buf + buflen - p) >=
5283 wpabuf_len(hapd->conf->assocresp_elements)) {
5284 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5285 wpabuf_len(hapd->conf->assocresp_elements));
5286 p += wpabuf_len(hapd->conf->assocresp_elements);
5287 }
5288
5289 send_len += p - reply->u.assoc_resp.variable;
5290
5291 #ifdef CONFIG_FILS
5292 if (sta &&
5293 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5294 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5295 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5296 status_code == WLAN_STATUS_SUCCESS) {
5297 struct ieee802_11_elems elems;
5298
5299 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5300 ParseFailed || !elems.fils_session) {
5301 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5302 goto done;
5303 }
5304
5305 /* FILS Session */
5306 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5307 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5308 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5309 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5310 send_len += 2 + 1 + FILS_SESSION_LEN;
5311
5312 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5313 buflen, sta->fils_hlp_resp);
5314 if (send_len < 0) {
5315 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5316 goto done;
5317 }
5318 }
5319 #endif /* CONFIG_FILS */
5320
5321 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5322 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5323 strerror(errno));
5324 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5325 }
5326
5327 done:
5328 os_free(buf);
5329 return res;
5330 }
5331
5332
5333 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5334 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5335 const u8 *owe_dh, u8 owe_dh_len,
5336 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5337 {
5338 #ifdef CONFIG_TESTING_OPTIONS
5339 if (hapd->conf->own_ie_override) {
5340 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5341 *status = WLAN_STATUS_SUCCESS;
5342 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5343 owe_buf_len, NULL, 0);
5344 }
5345 #endif /* CONFIG_TESTING_OPTIONS */
5346
5347 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5348 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5349 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5350 owe_buf_len, NULL, 0);
5351 *status = WLAN_STATUS_SUCCESS;
5352 return owe_buf;
5353 }
5354
5355 if (sta->owe_pmk && sta->external_dh_updated) {
5356 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5357 *status = WLAN_STATUS_SUCCESS;
5358 return owe_buf;
5359 }
5360
5361 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5362 if (*status != WLAN_STATUS_SUCCESS)
5363 return NULL;
5364
5365 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5366 owe_buf_len, NULL, 0);
5367
5368 if (sta->owe_ecdh && owe_buf) {
5369 struct wpabuf *pub;
5370
5371 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5372 if (!pub) {
5373 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5374 return owe_buf;
5375 }
5376
5377 /* OWE Diffie-Hellman Parameter element */
5378 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5379 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5380 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5381 */
5382 WPA_PUT_LE16(owe_buf, sta->owe_group);
5383 owe_buf += 2;
5384 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5385 owe_buf += wpabuf_len(pub);
5386 wpabuf_free(pub);
5387 }
5388
5389 return owe_buf;
5390 }
5391 #endif /* CONFIG_OWE */
5392
5393
5394 #ifdef CONFIG_FILS
5395
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5396 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5397 {
5398 u16 reply_res;
5399
5400 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5401 MAC2STR(sta->addr));
5402 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5403 if (!sta->fils_pending_assoc_req)
5404 return;
5405 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5406 sta->fils_pending_assoc_is_reassoc,
5407 sta->fils_pending_assoc_req,
5408 sta->fils_pending_assoc_req_len, 0, 0);
5409 os_free(sta->fils_pending_assoc_req);
5410 sta->fils_pending_assoc_req = NULL;
5411 sta->fils_pending_assoc_req_len = 0;
5412 wpabuf_free(sta->fils_hlp_resp);
5413 sta->fils_hlp_resp = NULL;
5414 wpabuf_free(sta->hlp_dhcp_discover);
5415 sta->hlp_dhcp_discover = NULL;
5416
5417 /*
5418 * Remove the station in case transmission of a success response fails.
5419 * At this point the station was already added associated to the driver.
5420 */
5421 if (reply_res != WLAN_STATUS_SUCCESS)
5422 hostapd_drv_sta_remove(hapd, sta->addr);
5423 }
5424
5425
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5426 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5427 {
5428 struct hostapd_data *hapd = eloop_ctx;
5429 struct sta_info *sta = eloop_data;
5430
5431 wpa_printf(MSG_DEBUG,
5432 "FILS: HLP response timeout - continue with association response for "
5433 MACSTR, MAC2STR(sta->addr));
5434 if (sta->fils_drv_assoc_finish)
5435 hostapd_notify_assoc_fils_finish(hapd, sta);
5436 else
5437 fils_hlp_finish_assoc(hapd, sta);
5438 }
5439
5440 #endif /* CONFIG_FILS */
5441
5442
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5443 static void handle_assoc(struct hostapd_data *hapd,
5444 const struct ieee80211_mgmt *mgmt, size_t len,
5445 int reassoc, int rssi)
5446 {
5447 u16 capab_info, listen_interval, seq_ctrl, fc;
5448 int resp = WLAN_STATUS_SUCCESS;
5449 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5450 const u8 *pos;
5451 int left, i;
5452 struct sta_info *sta;
5453 u8 *tmp = NULL;
5454 #ifdef CONFIG_FILS
5455 int delay_assoc = 0;
5456 #endif /* CONFIG_FILS */
5457 int omit_rsnxe = 0;
5458
5459 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5460 sizeof(mgmt->u.assoc_req))) {
5461 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5462 reassoc, (unsigned long) len);
5463 return;
5464 }
5465
5466 #ifdef CONFIG_TESTING_OPTIONS
5467 if (reassoc) {
5468 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5469 drand48() < hapd->iconf->ignore_reassoc_probability) {
5470 wpa_printf(MSG_INFO,
5471 "TESTING: ignoring reassoc request from "
5472 MACSTR, MAC2STR(mgmt->sa));
5473 return;
5474 }
5475 } else {
5476 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5477 drand48() < hapd->iconf->ignore_assoc_probability) {
5478 wpa_printf(MSG_INFO,
5479 "TESTING: ignoring assoc request from "
5480 MACSTR, MAC2STR(mgmt->sa));
5481 return;
5482 }
5483 }
5484 #endif /* CONFIG_TESTING_OPTIONS */
5485
5486 fc = le_to_host16(mgmt->frame_control);
5487 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5488
5489 if (reassoc) {
5490 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5491 listen_interval = le_to_host16(
5492 mgmt->u.reassoc_req.listen_interval);
5493 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5494 " capab_info=0x%02x listen_interval=%d current_ap="
5495 MACSTR " seq_ctrl=0x%x%s",
5496 MAC2STR(mgmt->sa), capab_info, listen_interval,
5497 MAC2STR(mgmt->u.reassoc_req.current_ap),
5498 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5499 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5500 pos = mgmt->u.reassoc_req.variable;
5501 } else {
5502 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5503 listen_interval = le_to_host16(
5504 mgmt->u.assoc_req.listen_interval);
5505 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5506 " capab_info=0x%02x listen_interval=%d "
5507 "seq_ctrl=0x%x%s",
5508 MAC2STR(mgmt->sa), capab_info, listen_interval,
5509 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5510 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5511 pos = mgmt->u.assoc_req.variable;
5512 }
5513
5514 sta = ap_get_sta(hapd, mgmt->sa);
5515 #ifdef CONFIG_IEEE80211R_AP
5516 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5517 (sta->flags & WLAN_STA_AUTH) == 0) {
5518 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5519 "prior to authentication since it is using "
5520 "over-the-DS FT", MAC2STR(mgmt->sa));
5521
5522 /*
5523 * Mark station as authenticated, to avoid adding station
5524 * entry in the driver as associated and not authenticated
5525 */
5526 sta->flags |= WLAN_STA_AUTH;
5527 } else
5528 #endif /* CONFIG_IEEE80211R_AP */
5529 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5530 if (hapd->iface->current_mode &&
5531 hapd->iface->current_mode->mode ==
5532 HOSTAPD_MODE_IEEE80211AD) {
5533 int acl_res;
5534 struct radius_sta info;
5535
5536 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5537 (const u8 *) mgmt,
5538 len, &info);
5539 if (acl_res == HOSTAPD_ACL_REJECT) {
5540 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5541 "Ignore Association Request frame from "
5542 MACSTR " due to ACL reject",
5543 MAC2STR(mgmt->sa));
5544 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5545 goto fail;
5546 }
5547 if (acl_res == HOSTAPD_ACL_PENDING)
5548 return;
5549
5550 /* DMG/IEEE 802.11ad does not use authentication.
5551 * Allocate sta entry upon association. */
5552 sta = ap_sta_add(hapd, mgmt->sa);
5553 if (!sta) {
5554 hostapd_logger(hapd, mgmt->sa,
5555 HOSTAPD_MODULE_IEEE80211,
5556 HOSTAPD_LEVEL_INFO,
5557 "Failed to add STA");
5558 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5559 goto fail;
5560 }
5561
5562 acl_res = ieee802_11_set_radius_info(
5563 hapd, sta, acl_res, &info);
5564 if (acl_res) {
5565 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5566 goto fail;
5567 }
5568
5569 hostapd_logger(hapd, sta->addr,
5570 HOSTAPD_MODULE_IEEE80211,
5571 HOSTAPD_LEVEL_DEBUG,
5572 "Skip authentication for DMG/IEEE 802.11ad");
5573 sta->flags |= WLAN_STA_AUTH;
5574 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5575 sta->auth_alg = WLAN_AUTH_OPEN;
5576 } else {
5577 hostapd_logger(hapd, mgmt->sa,
5578 HOSTAPD_MODULE_IEEE80211,
5579 HOSTAPD_LEVEL_INFO,
5580 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5581 sta ? sta->aid : -1,
5582 sta ? sta->flags : 0);
5583 send_deauth(hapd, mgmt->sa,
5584 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5585 return;
5586 }
5587 }
5588
5589 if ((fc & WLAN_FC_RETRY) &&
5590 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5591 sta->last_seq_ctrl == seq_ctrl &&
5592 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5593 WLAN_FC_STYPE_ASSOC_REQ)) {
5594 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5595 HOSTAPD_LEVEL_DEBUG,
5596 "Drop repeated association frame seq_ctrl=0x%x",
5597 seq_ctrl);
5598 return;
5599 }
5600 sta->last_seq_ctrl = seq_ctrl;
5601 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5602 WLAN_FC_STYPE_ASSOC_REQ;
5603
5604 if (hapd->tkip_countermeasures) {
5605 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5606 goto fail;
5607 }
5608
5609 if (listen_interval > hapd->conf->max_listen_interval) {
5610 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5611 HOSTAPD_LEVEL_DEBUG,
5612 "Too large Listen Interval (%d)",
5613 listen_interval);
5614 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5615 goto fail;
5616 }
5617
5618 #ifdef CONFIG_MBO
5619 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5620 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5621 goto fail;
5622 }
5623
5624 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5625 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5626 (sta->auth_rssi == 0 ||
5627 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5628 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5629 goto fail;
5630 }
5631 #endif /* CONFIG_MBO */
5632
5633 /*
5634 * sta->capability is used in check_assoc_ies() for RRM enabled
5635 * capability element.
5636 */
5637 sta->capability = capab_info;
5638
5639 #ifdef CONFIG_FILS
5640 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5641 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5642 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5643 int res;
5644
5645 /* The end of the payload is encrypted. Need to decrypt it
5646 * before parsing. */
5647
5648 tmp = os_memdup(pos, left);
5649 if (!tmp) {
5650 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5651 goto fail;
5652 }
5653
5654 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5655 len, tmp, left);
5656 if (res < 0) {
5657 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5658 goto fail;
5659 }
5660 pos = tmp;
5661 left = res;
5662 }
5663 #endif /* CONFIG_FILS */
5664
5665 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5666 * is used */
5667 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5668 if (resp != WLAN_STATUS_SUCCESS)
5669 goto fail;
5670 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5671
5672 if (hostapd_get_aid(hapd, sta) < 0) {
5673 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5674 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5675 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5676 goto fail;
5677 }
5678
5679 sta->listen_interval = listen_interval;
5680
5681 if (hapd->iface->current_mode &&
5682 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5683 sta->flags |= WLAN_STA_NONERP;
5684 for (i = 0; i < sta->supported_rates_len; i++) {
5685 if ((sta->supported_rates[i] & 0x7f) > 22) {
5686 sta->flags &= ~WLAN_STA_NONERP;
5687 break;
5688 }
5689 }
5690 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5691 sta->nonerp_set = 1;
5692 hapd->iface->num_sta_non_erp++;
5693 if (hapd->iface->num_sta_non_erp == 1)
5694 ieee802_11_set_beacons(hapd->iface);
5695 }
5696
5697 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5698 !sta->no_short_slot_time_set) {
5699 sta->no_short_slot_time_set = 1;
5700 hapd->iface->num_sta_no_short_slot_time++;
5701 if (hapd->iface->current_mode &&
5702 hapd->iface->current_mode->mode ==
5703 HOSTAPD_MODE_IEEE80211G &&
5704 hapd->iface->num_sta_no_short_slot_time == 1)
5705 ieee802_11_set_beacons(hapd->iface);
5706 }
5707
5708 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5709 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5710 else
5711 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5712
5713 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5714 !sta->no_short_preamble_set) {
5715 sta->no_short_preamble_set = 1;
5716 hapd->iface->num_sta_no_short_preamble++;
5717 if (hapd->iface->current_mode &&
5718 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5719 && hapd->iface->num_sta_no_short_preamble == 1)
5720 ieee802_11_set_beacons(hapd->iface);
5721 }
5722
5723 update_ht_state(hapd, sta);
5724
5725 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5726 HOSTAPD_LEVEL_DEBUG,
5727 "association OK (aid %d)", sta->aid);
5728 /* Station will be marked associated, after it acknowledges AssocResp
5729 */
5730 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5731
5732 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5733 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5734 "SA Query procedure", reassoc ? "re" : "");
5735 /* TODO: Send a protected Disassociate frame to the STA using
5736 * the old key and Reason Code "Previous Authentication no
5737 * longer valid". Make sure this is only sent protected since
5738 * unprotected frame would be received by the STA that is now
5739 * trying to associate.
5740 */
5741 }
5742
5743 /* Make sure that the previously registered inactivity timer will not
5744 * remove the STA immediately. */
5745 sta->timeout_next = STA_NULLFUNC;
5746
5747 #ifdef CONFIG_TAXONOMY
5748 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5749 #endif /* CONFIG_TAXONOMY */
5750
5751 sta->pending_wds_enable = 0;
5752
5753 #ifdef CONFIG_FILS
5754 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5755 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5756 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5757 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5758 delay_assoc = 1;
5759 }
5760 #endif /* CONFIG_FILS */
5761
5762 fail:
5763
5764 /*
5765 * In case of a successful response, add the station to the driver.
5766 * Otherwise, the kernel may ignore Data frames before we process the
5767 * ACK frame (TX status). In case of a failure, this station will be
5768 * removed.
5769 *
5770 * Note that this is not compliant with the IEEE 802.11 standard that
5771 * states that a non-AP station should transition into the
5772 * authenticated/associated state only after the station acknowledges
5773 * the (Re)Association Response frame. However, still do this as:
5774 *
5775 * 1. In case the station does not acknowledge the (Re)Association
5776 * Response frame, it will be removed.
5777 * 2. Data frames will be dropped in the kernel until the station is
5778 * set into authorized state, and there are no significant known
5779 * issues with processing other non-Data Class 3 frames during this
5780 * window.
5781 */
5782 if (resp == WLAN_STATUS_SUCCESS && sta &&
5783 add_associated_sta(hapd, sta, reassoc))
5784 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5785
5786 #ifdef CONFIG_FILS
5787 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5788 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5789 sta->fils_pending_assoc_req) {
5790 /* Do not reschedule fils_hlp_timeout in case the station
5791 * retransmits (Re)Association Request frame while waiting for
5792 * the previously started FILS HLP wait, so that the timeout can
5793 * be determined from the first pending attempt. */
5794 wpa_printf(MSG_DEBUG,
5795 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5796 MACSTR, MAC2STR(sta->addr));
5797 os_free(tmp);
5798 return;
5799 }
5800 if (sta) {
5801 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5802 os_free(sta->fils_pending_assoc_req);
5803 sta->fils_pending_assoc_req = NULL;
5804 sta->fils_pending_assoc_req_len = 0;
5805 wpabuf_free(sta->fils_hlp_resp);
5806 sta->fils_hlp_resp = NULL;
5807 }
5808 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5809 sta->fils_pending_assoc_req = tmp;
5810 sta->fils_pending_assoc_req_len = left;
5811 sta->fils_pending_assoc_is_reassoc = reassoc;
5812 sta->fils_drv_assoc_finish = 0;
5813 wpa_printf(MSG_DEBUG,
5814 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5815 MACSTR, MAC2STR(sta->addr));
5816 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5817 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5818 fils_hlp_timeout, hapd, sta);
5819 return;
5820 }
5821 #endif /* CONFIG_FILS */
5822
5823 if (resp >= 0)
5824 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5825 pos, left, rssi, omit_rsnxe);
5826 os_free(tmp);
5827
5828 /*
5829 * Remove the station in case transmission of a success response fails
5830 * (the STA was added associated to the driver) or if the station was
5831 * previously added unassociated.
5832 */
5833 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5834 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5835 hostapd_drv_sta_remove(hapd, sta->addr);
5836 sta->added_unassoc = 0;
5837 }
5838 }
5839
5840
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5841 static void handle_disassoc(struct hostapd_data *hapd,
5842 const struct ieee80211_mgmt *mgmt, size_t len)
5843 {
5844 struct sta_info *sta;
5845
5846 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5847 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5848 (unsigned long) len);
5849 return;
5850 }
5851
5852 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
5853 MAC2STR(mgmt->sa),
5854 le_to_host16(mgmt->u.disassoc.reason_code));
5855
5856 sta = ap_get_sta(hapd, mgmt->sa);
5857 if (sta == NULL) {
5858 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
5859 MAC2STR(mgmt->sa));
5860 return;
5861 }
5862
5863 ap_sta_set_authorized(hapd, sta, 0);
5864 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5865 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5866 hostapd_set_sta_flags(hapd, sta);
5867 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5868 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5869 HOSTAPD_LEVEL_INFO, "disassociated");
5870 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5871 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5872 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5873 * authenticated. */
5874 accounting_sta_stop(hapd, sta);
5875 ieee802_1x_free_station(hapd, sta);
5876 if (sta->ipaddr)
5877 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5878 ap_sta_ip6addr_del(hapd, sta);
5879 hostapd_drv_sta_remove(hapd, sta->addr);
5880 sta->added_unassoc = 0;
5881
5882 if (sta->timeout_next == STA_NULLFUNC ||
5883 sta->timeout_next == STA_DISASSOC) {
5884 sta->timeout_next = STA_DEAUTH;
5885 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5886 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5887 hapd, sta);
5888 }
5889
5890 mlme_disassociate_indication(
5891 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5892
5893 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5894 * disassociation. */
5895 if (hapd->iface->current_mode &&
5896 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5897 sta->flags &= ~WLAN_STA_AUTH;
5898 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5899 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5900 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5901 ap_free_sta(hapd, sta);
5902 }
5903 }
5904
5905
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5906 static void handle_deauth(struct hostapd_data *hapd,
5907 const struct ieee80211_mgmt *mgmt, size_t len)
5908 {
5909 struct sta_info *sta;
5910
5911 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5912 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5913 "payload (len=%lu)", (unsigned long) len);
5914 return;
5915 }
5916
5917 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5918 " reason_code=%d",
5919 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5920
5921 /* Clear the PTKSA cache entries for PASN */
5922 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5923
5924 sta = ap_get_sta(hapd, mgmt->sa);
5925 if (sta == NULL) {
5926 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5927 "to deauthenticate, but it is not authenticated",
5928 MAC2STR(mgmt->sa));
5929 return;
5930 }
5931
5932 ap_sta_set_authorized(hapd, sta, 0);
5933 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5934 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5935 WLAN_STA_ASSOC_REQ_OK);
5936 hostapd_set_sta_flags(hapd, sta);
5937 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5938 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5939 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5940 mlme_deauthenticate_indication(
5941 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5942 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5943 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5944 ap_free_sta(hapd, sta);
5945 }
5946
5947
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5948 static void handle_beacon(struct hostapd_data *hapd,
5949 const struct ieee80211_mgmt *mgmt, size_t len,
5950 struct hostapd_frame_info *fi)
5951 {
5952 struct ieee802_11_elems elems;
5953
5954 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5955 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5956 (unsigned long) len);
5957 return;
5958 }
5959
5960 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5961 len - (IEEE80211_HDRLEN +
5962 sizeof(mgmt->u.beacon)), &elems,
5963 0);
5964
5965 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5966 }
5967
5968
robust_action_frame(u8 category)5969 static int robust_action_frame(u8 category)
5970 {
5971 return category != WLAN_ACTION_PUBLIC &&
5972 category != WLAN_ACTION_HT;
5973 }
5974
5975
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5976 static int handle_action(struct hostapd_data *hapd,
5977 const struct ieee80211_mgmt *mgmt, size_t len,
5978 unsigned int freq)
5979 {
5980 struct sta_info *sta;
5981 u8 *action __maybe_unused;
5982
5983 if (len < IEEE80211_HDRLEN + 2 + 1) {
5984 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5985 HOSTAPD_LEVEL_DEBUG,
5986 "handle_action - too short payload (len=%lu)",
5987 (unsigned long) len);
5988 return 0;
5989 }
5990
5991 action = (u8 *) &mgmt->u.action.u;
5992 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
5993 " da " MACSTR " len %d freq %u",
5994 mgmt->u.action.category, *action,
5995 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
5996
5997 sta = ap_get_sta(hapd, mgmt->sa);
5998
5999 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6000 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6001 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6002 "frame (category=%u) from unassociated STA " MACSTR,
6003 mgmt->u.action.category, MAC2STR(mgmt->sa));
6004 return 0;
6005 }
6006
6007 if (sta && (sta->flags & WLAN_STA_MFP) &&
6008 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6009 robust_action_frame(mgmt->u.action.category)) {
6010 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6011 HOSTAPD_LEVEL_DEBUG,
6012 "Dropped unprotected Robust Action frame from "
6013 "an MFP STA");
6014 return 0;
6015 }
6016
6017 if (sta) {
6018 u16 fc = le_to_host16(mgmt->frame_control);
6019 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6020
6021 if ((fc & WLAN_FC_RETRY) &&
6022 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6023 sta->last_seq_ctrl == seq_ctrl &&
6024 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6025 hostapd_logger(hapd, sta->addr,
6026 HOSTAPD_MODULE_IEEE80211,
6027 HOSTAPD_LEVEL_DEBUG,
6028 "Drop repeated action frame seq_ctrl=0x%x",
6029 seq_ctrl);
6030 return 1;
6031 }
6032
6033 sta->last_seq_ctrl = seq_ctrl;
6034 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6035 }
6036
6037 switch (mgmt->u.action.category) {
6038 #ifdef CONFIG_IEEE80211R_AP
6039 case WLAN_ACTION_FT:
6040 if (!sta ||
6041 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6042 len - IEEE80211_HDRLEN))
6043 break;
6044 return 1;
6045 #endif /* CONFIG_IEEE80211R_AP */
6046 case WLAN_ACTION_WMM:
6047 hostapd_wmm_action(hapd, mgmt, len);
6048 return 1;
6049 case WLAN_ACTION_SA_QUERY:
6050 ieee802_11_sa_query_action(hapd, mgmt, len);
6051 return 1;
6052 #ifdef CONFIG_WNM_AP
6053 case WLAN_ACTION_WNM:
6054 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6055 return 1;
6056 #endif /* CONFIG_WNM_AP */
6057 #ifdef CONFIG_FST
6058 case WLAN_ACTION_FST:
6059 if (hapd->iface->fst)
6060 fst_rx_action(hapd->iface->fst, mgmt, len);
6061 else
6062 wpa_printf(MSG_DEBUG,
6063 "FST: Ignore FST Action frame - no FST attached");
6064 return 1;
6065 #endif /* CONFIG_FST */
6066 case WLAN_ACTION_PUBLIC:
6067 case WLAN_ACTION_PROTECTED_DUAL:
6068 if (len >= IEEE80211_HDRLEN + 2 &&
6069 mgmt->u.action.u.public_action.action ==
6070 WLAN_PA_20_40_BSS_COEX) {
6071 hostapd_2040_coex_action(hapd, mgmt, len);
6072 return 1;
6073 }
6074 #ifdef CONFIG_DPP
6075 if (len >= IEEE80211_HDRLEN + 6 &&
6076 mgmt->u.action.u.vs_public_action.action ==
6077 WLAN_PA_VENDOR_SPECIFIC &&
6078 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6079 OUI_WFA &&
6080 mgmt->u.action.u.vs_public_action.variable[0] ==
6081 DPP_OUI_TYPE) {
6082 const u8 *pos, *end;
6083
6084 pos = mgmt->u.action.u.vs_public_action.oui;
6085 end = ((const u8 *) mgmt) + len;
6086 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6087 freq);
6088 return 1;
6089 }
6090 if (len >= IEEE80211_HDRLEN + 2 &&
6091 (mgmt->u.action.u.public_action.action ==
6092 WLAN_PA_GAS_INITIAL_RESP ||
6093 mgmt->u.action.u.public_action.action ==
6094 WLAN_PA_GAS_COMEBACK_RESP)) {
6095 const u8 *pos, *end;
6096
6097 pos = &mgmt->u.action.u.public_action.action;
6098 end = ((const u8 *) mgmt) + len;
6099 gas_query_ap_rx(hapd->gas, mgmt->sa,
6100 mgmt->u.action.category,
6101 pos, end - pos, hapd->iface->freq);
6102 return 1;
6103 }
6104 #endif /* CONFIG_DPP */
6105 if (hapd->public_action_cb) {
6106 hapd->public_action_cb(hapd->public_action_cb_ctx,
6107 (u8 *) mgmt, len,
6108 hapd->iface->freq);
6109 }
6110 if (hapd->public_action_cb2) {
6111 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6112 (u8 *) mgmt, len,
6113 hapd->iface->freq);
6114 }
6115 if (hapd->public_action_cb || hapd->public_action_cb2)
6116 return 1;
6117 break;
6118 case WLAN_ACTION_VENDOR_SPECIFIC:
6119 if (hapd->vendor_action_cb) {
6120 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6121 (u8 *) mgmt, len,
6122 hapd->iface->freq) == 0)
6123 return 1;
6124 }
6125 break;
6126 case WLAN_ACTION_RADIO_MEASUREMENT:
6127 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6128 return 1;
6129 }
6130
6131 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6132 HOSTAPD_LEVEL_DEBUG,
6133 "handle_action - unknown action category %d or invalid "
6134 "frame",
6135 mgmt->u.action.category);
6136 if (!is_multicast_ether_addr(mgmt->da) &&
6137 !(mgmt->u.action.category & 0x80) &&
6138 !is_multicast_ether_addr(mgmt->sa)) {
6139 struct ieee80211_mgmt *resp;
6140
6141 /*
6142 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6143 * Return the Action frame to the source without change
6144 * except that MSB of the Category set to 1.
6145 */
6146 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6147 "frame back to sender");
6148 resp = os_memdup(mgmt, len);
6149 if (resp == NULL)
6150 return 0;
6151 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6152 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6153 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6154 resp->u.action.category |= 0x80;
6155
6156 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6157 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6158 "Action frame");
6159 }
6160 os_free(resp);
6161 }
6162
6163 return 1;
6164 }
6165
6166
6167 /**
6168 * notify_mgmt_frame - Notify of Management frames on the control interface
6169 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6170 * sent to)
6171 * @buf: Management frame data (starting from the IEEE 802.11 header)
6172 * @len: Length of frame data in octets
6173 *
6174 * Notify the control interface of any received Management frame.
6175 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6176 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6177 size_t len)
6178 {
6179
6180 int hex_len = len * 2 + 1;
6181 char *hex = os_malloc(hex_len);
6182
6183 if (hex) {
6184 wpa_snprintf_hex(hex, hex_len, buf, len);
6185 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6186 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6187 os_free(hex);
6188 }
6189 }
6190
6191
6192 /**
6193 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6194 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6195 * sent to)
6196 * @buf: management frame data (starting from IEEE 802.11 header)
6197 * @len: length of frame data in octets
6198 * @fi: meta data about received frame (signal level, etc.)
6199 *
6200 * Process all incoming IEEE 802.11 management frames. This will be called for
6201 * each frame received from the kernel driver through wlan#ap interface. In
6202 * addition, it can be called to re-inserted pending frames (e.g., when using
6203 * external RADIUS server as an MAC ACL).
6204 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6205 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6206 struct hostapd_frame_info *fi)
6207 {
6208 struct ieee80211_mgmt *mgmt;
6209 u16 fc, stype;
6210 int ret = 0;
6211 unsigned int freq;
6212 int ssi_signal = fi ? fi->ssi_signal : 0;
6213
6214 if (len < 24)
6215 return 0;
6216
6217 if (fi && fi->freq)
6218 freq = fi->freq;
6219 else
6220 freq = hapd->iface->freq;
6221
6222 mgmt = (struct ieee80211_mgmt *) buf;
6223 fc = le_to_host16(mgmt->frame_control);
6224 stype = WLAN_FC_GET_STYPE(fc);
6225
6226 if (is_multicast_ether_addr(mgmt->sa) ||
6227 is_zero_ether_addr(mgmt->sa) ||
6228 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6229 /* Do not process any frames with unexpected/invalid SA so that
6230 * we do not add any state for unexpected STA addresses or end
6231 * up sending out frames to unexpected destination. */
6232 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6233 " in received frame - ignore this frame silently",
6234 MAC2STR(mgmt->sa));
6235 return 0;
6236 }
6237
6238 if (stype == WLAN_FC_STYPE_BEACON) {
6239 handle_beacon(hapd, mgmt, len, fi);
6240 return 1;
6241 }
6242
6243 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6244 #ifdef CONFIG_P2P
6245 /* Invitation responses can be sent with the peer MAC as BSSID */
6246 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6247 stype == WLAN_FC_STYPE_ACTION) &&
6248 #endif /* CONFIG_P2P */
6249 #ifdef CONFIG_MESH
6250 !(hapd->conf->mesh & MESH_ENABLED) &&
6251 #endif /* CONFIG_MESH */
6252 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6253 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6254 MAC2STR(mgmt->bssid));
6255 return 0;
6256 }
6257
6258 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6259 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6260 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6261 return 1;
6262 }
6263
6264 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6265 handle_probe_req(hapd, mgmt, len, ssi_signal);
6266 return 1;
6267 }
6268
6269 if ((!is_broadcast_ether_addr(mgmt->da) ||
6270 stype != WLAN_FC_STYPE_ACTION) &&
6271 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6272 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6273 HOSTAPD_LEVEL_DEBUG,
6274 "MGMT: DA=" MACSTR " not our address",
6275 MAC2STR(mgmt->da));
6276 return 0;
6277 }
6278
6279 if (hapd->iconf->track_sta_max_num)
6280 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6281
6282 if (hapd->conf->notify_mgmt_frames)
6283 notify_mgmt_frame(hapd, buf, len);
6284
6285 switch (stype) {
6286 case WLAN_FC_STYPE_AUTH:
6287 wpa_printf(MSG_DEBUG, "mgmt::auth");
6288 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6289 ret = 1;
6290 break;
6291 case WLAN_FC_STYPE_ASSOC_REQ:
6292 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6293 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6294 ret = 1;
6295 break;
6296 case WLAN_FC_STYPE_REASSOC_REQ:
6297 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6298 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6299 ret = 1;
6300 break;
6301 case WLAN_FC_STYPE_DISASSOC:
6302 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6303 handle_disassoc(hapd, mgmt, len);
6304 ret = 1;
6305 break;
6306 case WLAN_FC_STYPE_DEAUTH:
6307 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6308 handle_deauth(hapd, mgmt, len);
6309 ret = 1;
6310 break;
6311 case WLAN_FC_STYPE_ACTION:
6312 wpa_printf(MSG_DEBUG, "mgmt::action");
6313 ret = handle_action(hapd, mgmt, len, freq);
6314 break;
6315 default:
6316 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6317 HOSTAPD_LEVEL_DEBUG,
6318 "unknown mgmt frame subtype %d", stype);
6319 break;
6320 }
6321
6322 return ret;
6323 }
6324
6325
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6326 static void handle_auth_cb(struct hostapd_data *hapd,
6327 const struct ieee80211_mgmt *mgmt,
6328 size_t len, int ok)
6329 {
6330 u16 auth_alg, auth_transaction, status_code;
6331 struct sta_info *sta;
6332 bool success_status;
6333
6334 sta = ap_get_sta(hapd, mgmt->da);
6335 if (!sta) {
6336 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6337 " not found",
6338 MAC2STR(mgmt->da));
6339 return;
6340 }
6341
6342 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6343 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6344 (unsigned long) len);
6345 auth_alg = 0;
6346 auth_transaction = 0;
6347 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6348 goto fail;
6349 }
6350
6351 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6352 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6353 status_code = le_to_host16(mgmt->u.auth.status_code);
6354
6355 if (!ok) {
6356 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6357 HOSTAPD_LEVEL_NOTICE,
6358 "did not acknowledge authentication response");
6359 goto fail;
6360 }
6361
6362 if (status_code == WLAN_STATUS_SUCCESS &&
6363 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6364 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6365 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6366 HOSTAPD_LEVEL_INFO, "authenticated");
6367 sta->flags |= WLAN_STA_AUTH;
6368 if (sta->added_unassoc)
6369 hostapd_set_sta_flags(hapd, sta);
6370 return;
6371 }
6372
6373 fail:
6374 success_status = status_code == WLAN_STATUS_SUCCESS;
6375 #ifdef CONFIG_SAE
6376 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6377 success_status = sae_status_success(hapd, status_code);
6378 #endif /* CONFIG_SAE */
6379 if (!success_status && sta->added_unassoc) {
6380 hostapd_drv_sta_remove(hapd, sta->addr);
6381 sta->added_unassoc = 0;
6382 }
6383 }
6384
6385
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6386 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6387 struct sta_info *sta,
6388 char *ifname_wds)
6389 {
6390 #ifdef CONFIG_WEP
6391 int i;
6392 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6393
6394 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6395 return;
6396
6397 for (i = 0; i < 4; i++) {
6398 if (ssid->wep.key[i] &&
6399 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6400 0, i == ssid->wep.idx, NULL, 0,
6401 ssid->wep.key[i], ssid->wep.len[i],
6402 i == ssid->wep.idx ?
6403 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6404 KEY_FLAG_GROUP_RX_TX)) {
6405 wpa_printf(MSG_WARNING,
6406 "Could not set WEP keys for WDS interface; %s",
6407 ifname_wds);
6408 break;
6409 }
6410 }
6411 #endif /* CONFIG_WEP */
6412 }
6413
6414
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6415 static void handle_assoc_cb(struct hostapd_data *hapd,
6416 const struct ieee80211_mgmt *mgmt,
6417 size_t len, int reassoc, int ok)
6418 {
6419 u16 status;
6420 struct sta_info *sta;
6421 int new_assoc = 1;
6422
6423 sta = ap_get_sta(hapd, mgmt->da);
6424 if (!sta) {
6425 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6426 MAC2STR(mgmt->da));
6427 return;
6428 }
6429
6430 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6431 sizeof(mgmt->u.assoc_resp))) {
6432 wpa_printf(MSG_INFO,
6433 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6434 reassoc, (unsigned long) len);
6435 hostapd_drv_sta_remove(hapd, sta->addr);
6436 return;
6437 }
6438
6439 if (reassoc)
6440 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6441 else
6442 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6443
6444 if (!ok) {
6445 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6446 HOSTAPD_LEVEL_DEBUG,
6447 "did not acknowledge association response");
6448 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6449 /* The STA is added only in case of SUCCESS */
6450 if (status == WLAN_STATUS_SUCCESS)
6451 hostapd_drv_sta_remove(hapd, sta->addr);
6452
6453 return;
6454 }
6455
6456 if (status != WLAN_STATUS_SUCCESS)
6457 return;
6458
6459 /* Stop previous accounting session, if one is started, and allocate
6460 * new session id for the new session. */
6461 accounting_sta_stop(hapd, sta);
6462
6463 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6464 HOSTAPD_LEVEL_INFO,
6465 "associated (aid %d)",
6466 sta->aid);
6467
6468 if (sta->flags & WLAN_STA_ASSOC)
6469 new_assoc = 0;
6470 sta->flags |= WLAN_STA_ASSOC;
6471 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6472 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6473 !hapd->conf->osen) ||
6474 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6475 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6476 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6477 sta->auth_alg == WLAN_AUTH_FT) {
6478 /*
6479 * Open, static WEP, FT protocol, or FILS; no separate
6480 * authorization step.
6481 */
6482 ap_sta_set_authorized(hapd, sta, 1);
6483 }
6484
6485 if (reassoc)
6486 mlme_reassociate_indication(hapd, sta);
6487 else
6488 mlme_associate_indication(hapd, sta);
6489
6490 sta->sa_query_timed_out = 0;
6491
6492 if (sta->eapol_sm == NULL) {
6493 /*
6494 * This STA does not use RADIUS server for EAP authentication,
6495 * so bind it to the selected VLAN interface now, since the
6496 * interface selection is not going to change anymore.
6497 */
6498 if (ap_sta_bind_vlan(hapd, sta) < 0)
6499 return;
6500 } else if (sta->vlan_id) {
6501 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6502 if (ap_sta_bind_vlan(hapd, sta) < 0)
6503 return;
6504 }
6505
6506 hostapd_set_sta_flags(hapd, sta);
6507
6508 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6509 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6510 MACSTR " based on pending request",
6511 MAC2STR(sta->addr));
6512 sta->pending_wds_enable = 0;
6513 sta->flags |= WLAN_STA_WDS;
6514 }
6515
6516 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6517 int ret;
6518 char ifname_wds[IFNAMSIZ + 1];
6519
6520 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6521 MACSTR " (aid %u)",
6522 MAC2STR(sta->addr), sta->aid);
6523 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6524 sta->aid, 1);
6525 if (!ret)
6526 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6527 }
6528
6529 if (sta->auth_alg == WLAN_AUTH_FT)
6530 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6531 else
6532 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6533 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6534 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6535
6536 #ifdef CONFIG_FILS
6537 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6538 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6539 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6540 fils_set_tk(sta->wpa_sm) < 0) {
6541 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6542 ap_sta_disconnect(hapd, sta, sta->addr,
6543 WLAN_REASON_UNSPECIFIED);
6544 return;
6545 }
6546 #endif /* CONFIG_FILS */
6547
6548 if (sta->pending_eapol_rx) {
6549 struct os_reltime now, age;
6550
6551 os_get_reltime(&now);
6552 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6553 if (age.sec == 0 && age.usec < 200000) {
6554 wpa_printf(MSG_DEBUG,
6555 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6556 MAC2STR(sta->addr));
6557 ieee802_1x_receive(
6558 hapd, mgmt->da,
6559 wpabuf_head(sta->pending_eapol_rx->buf),
6560 wpabuf_len(sta->pending_eapol_rx->buf));
6561 }
6562 wpabuf_free(sta->pending_eapol_rx->buf);
6563 os_free(sta->pending_eapol_rx);
6564 sta->pending_eapol_rx = NULL;
6565 }
6566 }
6567
6568
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6569 static void handle_deauth_cb(struct hostapd_data *hapd,
6570 const struct ieee80211_mgmt *mgmt,
6571 size_t len, int ok)
6572 {
6573 struct sta_info *sta;
6574 if (is_multicast_ether_addr(mgmt->da))
6575 return;
6576 sta = ap_get_sta(hapd, mgmt->da);
6577 if (!sta) {
6578 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6579 " not found", MAC2STR(mgmt->da));
6580 return;
6581 }
6582 if (ok)
6583 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6584 MAC2STR(sta->addr));
6585 else
6586 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6587 "deauth", MAC2STR(sta->addr));
6588
6589 ap_sta_deauth_cb(hapd, sta);
6590 }
6591
6592
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6593 static void handle_disassoc_cb(struct hostapd_data *hapd,
6594 const struct ieee80211_mgmt *mgmt,
6595 size_t len, int ok)
6596 {
6597 struct sta_info *sta;
6598 if (is_multicast_ether_addr(mgmt->da))
6599 return;
6600 sta = ap_get_sta(hapd, mgmt->da);
6601 if (!sta) {
6602 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6603 " not found", MAC2STR(mgmt->da));
6604 return;
6605 }
6606 if (ok)
6607 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6608 MAC2STR(sta->addr));
6609 else
6610 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6611 "disassoc", MAC2STR(sta->addr));
6612
6613 ap_sta_disassoc_cb(hapd, sta);
6614 }
6615
6616
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6617 static void handle_action_cb(struct hostapd_data *hapd,
6618 const struct ieee80211_mgmt *mgmt,
6619 size_t len, int ok)
6620 {
6621 struct sta_info *sta;
6622 const struct rrm_measurement_report_element *report;
6623
6624 if (is_multicast_ether_addr(mgmt->da))
6625 return;
6626 #ifdef CONFIG_DPP
6627 if (len >= IEEE80211_HDRLEN + 6 &&
6628 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6629 mgmt->u.action.u.vs_public_action.action ==
6630 WLAN_PA_VENDOR_SPECIFIC &&
6631 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6632 OUI_WFA &&
6633 mgmt->u.action.u.vs_public_action.variable[0] ==
6634 DPP_OUI_TYPE) {
6635 const u8 *pos, *end;
6636
6637 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6638 end = ((const u8 *) mgmt) + len;
6639 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6640 return;
6641 }
6642 if (len >= IEEE80211_HDRLEN + 2 &&
6643 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6644 (mgmt->u.action.u.public_action.action ==
6645 WLAN_PA_GAS_INITIAL_REQ ||
6646 mgmt->u.action.u.public_action.action ==
6647 WLAN_PA_GAS_COMEBACK_REQ)) {
6648 const u8 *pos, *end;
6649
6650 pos = mgmt->u.action.u.public_action.variable;
6651 end = ((const u8 *) mgmt) + len;
6652 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6653 return;
6654 }
6655 #endif /* CONFIG_DPP */
6656 sta = ap_get_sta(hapd, mgmt->da);
6657 if (!sta) {
6658 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6659 " not found", MAC2STR(mgmt->da));
6660 return;
6661 }
6662
6663 if (len < 24 + 5 + sizeof(*report))
6664 return;
6665 report = (const struct rrm_measurement_report_element *)
6666 &mgmt->u.action.u.rrm.variable[2];
6667 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6668 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6669 report->eid == WLAN_EID_MEASURE_REQUEST &&
6670 report->len >= 3 &&
6671 report->type == MEASURE_TYPE_BEACON)
6672 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6673 }
6674
6675
6676 /**
6677 * ieee802_11_mgmt_cb - Process management frame TX status callback
6678 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6679 * was sent from)
6680 * @buf: management frame data (starting from IEEE 802.11 header)
6681 * @len: length of frame data in octets
6682 * @stype: management frame subtype from frame control field
6683 * @ok: Whether the frame was ACK'ed
6684 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6685 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6686 u16 stype, int ok)
6687 {
6688 const struct ieee80211_mgmt *mgmt;
6689 mgmt = (const struct ieee80211_mgmt *) buf;
6690
6691 #ifdef CONFIG_TESTING_OPTIONS
6692 if (hapd->ext_mgmt_frame_handling) {
6693 size_t hex_len = 2 * len + 1;
6694 char *hex = os_malloc(hex_len);
6695
6696 if (hex) {
6697 wpa_snprintf_hex(hex, hex_len, buf, len);
6698 wpa_msg(hapd->msg_ctx, MSG_INFO,
6699 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6700 stype, ok, hex);
6701 os_free(hex);
6702 }
6703 return;
6704 }
6705 #endif /* CONFIG_TESTING_OPTIONS */
6706
6707 switch (stype) {
6708 case WLAN_FC_STYPE_AUTH:
6709 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6710 handle_auth_cb(hapd, mgmt, len, ok);
6711 break;
6712 case WLAN_FC_STYPE_ASSOC_RESP:
6713 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6714 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6715 break;
6716 case WLAN_FC_STYPE_REASSOC_RESP:
6717 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6718 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6719 break;
6720 case WLAN_FC_STYPE_PROBE_RESP:
6721 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6722 break;
6723 case WLAN_FC_STYPE_DEAUTH:
6724 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6725 handle_deauth_cb(hapd, mgmt, len, ok);
6726 break;
6727 case WLAN_FC_STYPE_DISASSOC:
6728 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6729 handle_disassoc_cb(hapd, mgmt, len, ok);
6730 break;
6731 case WLAN_FC_STYPE_ACTION:
6732 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6733 handle_action_cb(hapd, mgmt, len, ok);
6734 break;
6735 default:
6736 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6737 break;
6738 }
6739 }
6740
6741
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6742 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6743 {
6744 /* TODO */
6745 return 0;
6746 }
6747
6748
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6749 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6750 char *buf, size_t buflen)
6751 {
6752 /* TODO */
6753 return 0;
6754 }
6755
6756
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6757 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6758 const u8 *buf, size_t len, int ack)
6759 {
6760 struct sta_info *sta;
6761 struct hostapd_iface *iface = hapd->iface;
6762
6763 sta = ap_get_sta(hapd, addr);
6764 if (sta == NULL && iface->num_bss > 1) {
6765 size_t j;
6766 for (j = 0; j < iface->num_bss; j++) {
6767 hapd = iface->bss[j];
6768 sta = ap_get_sta(hapd, addr);
6769 if (sta)
6770 break;
6771 }
6772 }
6773 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6774 return;
6775 if (sta->flags & WLAN_STA_PENDING_POLL) {
6776 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6777 "activity poll", MAC2STR(sta->addr),
6778 ack ? "ACKed" : "did not ACK");
6779 if (ack)
6780 sta->flags &= ~WLAN_STA_PENDING_POLL;
6781 }
6782
6783 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6784 }
6785
6786
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)6787 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6788 const u8 *data, size_t len, int ack)
6789 {
6790 struct sta_info *sta;
6791 struct hostapd_iface *iface = hapd->iface;
6792
6793 sta = ap_get_sta(hapd, dst);
6794 if (sta == NULL && iface->num_bss > 1) {
6795 size_t j;
6796 for (j = 0; j < iface->num_bss; j++) {
6797 hapd = iface->bss[j];
6798 sta = ap_get_sta(hapd, dst);
6799 if (sta)
6800 break;
6801 }
6802 }
6803 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6804 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6805 MACSTR " that is not currently associated",
6806 MAC2STR(dst));
6807 return;
6808 }
6809
6810 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6811 }
6812
6813
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6814 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6815 {
6816 struct sta_info *sta;
6817 struct hostapd_iface *iface = hapd->iface;
6818
6819 sta = ap_get_sta(hapd, addr);
6820 if (sta == NULL && iface->num_bss > 1) {
6821 size_t j;
6822 for (j = 0; j < iface->num_bss; j++) {
6823 hapd = iface->bss[j];
6824 sta = ap_get_sta(hapd, addr);
6825 if (sta)
6826 break;
6827 }
6828 }
6829 if (sta == NULL)
6830 return;
6831 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6832 MAC2STR(sta->addr));
6833 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6834 return;
6835
6836 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6837 "activity poll", MAC2STR(sta->addr));
6838 sta->flags &= ~WLAN_STA_PENDING_POLL;
6839 }
6840
6841
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6842 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6843 int wds)
6844 {
6845 struct sta_info *sta;
6846
6847 sta = ap_get_sta(hapd, src);
6848 if (sta &&
6849 ((sta->flags & WLAN_STA_ASSOC) ||
6850 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6851 if (!hapd->conf->wds_sta)
6852 return;
6853
6854 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6855 WLAN_STA_ASSOC_REQ_OK) {
6856 wpa_printf(MSG_DEBUG,
6857 "Postpone 4-address WDS mode enabling for STA "
6858 MACSTR " since TX status for AssocResp is not yet known",
6859 MAC2STR(sta->addr));
6860 sta->pending_wds_enable = 1;
6861 return;
6862 }
6863
6864 if (wds && !(sta->flags & WLAN_STA_WDS)) {
6865 int ret;
6866 char ifname_wds[IFNAMSIZ + 1];
6867
6868 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6869 "STA " MACSTR " (aid %u)",
6870 MAC2STR(sta->addr), sta->aid);
6871 sta->flags |= WLAN_STA_WDS;
6872 ret = hostapd_set_wds_sta(hapd, ifname_wds,
6873 sta->addr, sta->aid, 1);
6874 if (!ret)
6875 hostapd_set_wds_encryption(hapd, sta,
6876 ifname_wds);
6877 }
6878 return;
6879 }
6880
6881 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6882 MACSTR, MAC2STR(src));
6883 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6884 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6885 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6886 * silently. */
6887 return;
6888 }
6889
6890 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6891 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6892 "already been sent, but no TX status yet known - "
6893 "ignore Class 3 frame issue with " MACSTR,
6894 MAC2STR(src));
6895 return;
6896 }
6897
6898 if (sta && (sta->flags & WLAN_STA_AUTH))
6899 hostapd_drv_sta_disassoc(
6900 hapd, src,
6901 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6902 else
6903 hostapd_drv_sta_deauth(
6904 hapd, src,
6905 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6906 }
6907
6908
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)6909 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6910 {
6911 struct hostapd_iface *iface = hapd->iface;
6912 struct hostapd_config *iconf = iface->conf;
6913 struct hostapd_hw_modes *mode = iface->current_mode;
6914 struct hostapd_channel_data *chan;
6915 int dfs, i;
6916 u8 channel, tx_pwr_count, local_pwr_constraint;
6917 int max_tx_power;
6918 u8 tx_pwr;
6919
6920 if (!mode)
6921 return eid;
6922
6923 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6924 return eid;
6925
6926 for (i = 0; i < mode->num_channels; i++) {
6927 if (mode->channels[i].freq == iface->freq)
6928 break;
6929 }
6930 if (i == mode->num_channels)
6931 return eid;
6932
6933 switch (hostapd_get_oper_chwidth(iconf)) {
6934 case CHANWIDTH_USE_HT:
6935 if (iconf->secondary_channel == 0) {
6936 /* Max Transmit Power count = 0 (20 MHz) */
6937 tx_pwr_count = 0;
6938 } else {
6939 /* Max Transmit Power count = 1 (20, 40 MHz) */
6940 tx_pwr_count = 1;
6941 }
6942 break;
6943 case CHANWIDTH_80MHZ:
6944 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6945 tx_pwr_count = 2;
6946 break;
6947 case CHANWIDTH_80P80MHZ:
6948 case CHANWIDTH_160MHZ:
6949 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6950 tx_pwr_count = 3;
6951 break;
6952 default:
6953 return eid;
6954 }
6955
6956 /*
6957 * Below local_pwr_constraint logic is referred from
6958 * hostapd_eid_pwr_constraint.
6959 *
6960 * Check if DFS is required by regulatory.
6961 */
6962 dfs = hostapd_is_dfs_required(hapd->iface);
6963 if (dfs < 0)
6964 dfs = 0;
6965
6966 /*
6967 * In order to meet regulations when TPC is not implemented using
6968 * a transmit power that is below the legal maximum (including any
6969 * mitigation factor) should help. In this case, indicate 3 dB below
6970 * maximum allowed transmit power.
6971 */
6972 if (hapd->iconf->local_pwr_constraint == -1)
6973 local_pwr_constraint = (dfs == 0) ? 0 : 3;
6974 else
6975 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6976
6977 /*
6978 * A STA that is not an AP shall use a transmit power less than or
6979 * equal to the local maximum transmit power level for the channel.
6980 * The local maximum transmit power can be calculated from the formula:
6981 * local max TX pwr = max TX pwr - local pwr constraint
6982 * Where max TX pwr is maximum transmit power level specified for
6983 * channel in Country element and local pwr constraint is specified
6984 * for channel in this Power Constraint element.
6985 */
6986 chan = &mode->channels[i];
6987 max_tx_power = chan->max_tx_power - local_pwr_constraint;
6988
6989 /*
6990 * Local Maximum Transmit power is encoded as two's complement
6991 * with a 0.5 dB step.
6992 */
6993 max_tx_power *= 2; /* in 0.5 dB steps */
6994 if (max_tx_power > 127) {
6995 /* 63.5 has special meaning of 63.5 dBm or higher */
6996 max_tx_power = 127;
6997 }
6998 if (max_tx_power < -128)
6999 max_tx_power = -128;
7000 if (max_tx_power < 0)
7001 tx_pwr = 0x80 + max_tx_power + 128;
7002 else
7003 tx_pwr = max_tx_power;
7004
7005 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
7006 *eid++ = 2 + tx_pwr_count;
7007
7008 /*
7009 * Max Transmit Power count and
7010 * Max Transmit Power units = 0 (EIRP)
7011 */
7012 *eid++ = tx_pwr_count;
7013
7014 for (i = 0; i <= tx_pwr_count; i++)
7015 *eid++ = tx_pwr;
7016
7017 return eid;
7018 }
7019
7020
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)7021 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7022 {
7023 u8 bw, chan1, chan2 = 0;
7024 int freq1;
7025
7026 if (!hapd->cs_freq_params.channel ||
7027 (!hapd->cs_freq_params.vht_enabled &&
7028 !hapd->cs_freq_params.he_enabled))
7029 return eid;
7030
7031 /* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
7032 switch (hapd->cs_freq_params.bandwidth) {
7033 case 40:
7034 bw = 0;
7035 break;
7036 case 80:
7037 /* check if it's 80+80 */
7038 if (!hapd->cs_freq_params.center_freq2)
7039 bw = 1;
7040 else
7041 bw = 3;
7042 break;
7043 case 160:
7044 bw = 2;
7045 break;
7046 default:
7047 /* not valid VHT bandwidth or not in CSA */
7048 return eid;
7049 }
7050
7051 freq1 = hapd->cs_freq_params.center_freq1 ?
7052 hapd->cs_freq_params.center_freq1 :
7053 hapd->cs_freq_params.freq;
7054 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7055 HOSTAPD_MODE_IEEE80211A)
7056 return eid;
7057
7058 if (hapd->cs_freq_params.center_freq2 &&
7059 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7060 &chan2) != HOSTAPD_MODE_IEEE80211A)
7061 return eid;
7062
7063 *eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
7064 *eid++ = 5; /* Length of Channel Switch Wrapper */
7065 *eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
7066 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7067 *eid++ = bw; /* New Channel Width */
7068 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7069 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7070
7071 return eid;
7072 }
7073
7074
hostapd_eid_nr_db_len(struct hostapd_data * hapd,size_t * current_len)7075 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7076 size_t *current_len)
7077 {
7078 struct hostapd_neighbor_entry *nr;
7079 size_t total_len = 0, len = *current_len;
7080
7081 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7082 list) {
7083 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7084 continue;
7085
7086 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7087 continue;
7088
7089 /* Start a new element */
7090 if (!len ||
7091 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7092 len = RNR_HEADER_LEN;
7093 total_len += RNR_HEADER_LEN;
7094 }
7095
7096 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7097 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7098 }
7099
7100 *current_len = len;
7101 return total_len;
7102 }
7103
7104
hostapd_eid_rnr_iface_len(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,size_t * current_len)7105 static size_t hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7106 struct hostapd_data *reporting_hapd,
7107 size_t *current_len)
7108 {
7109 size_t total_len = 0, len = *current_len;
7110 int tbtt_count = 0;
7111 size_t i, start = 0;
7112
7113 while (start < hapd->iface->num_bss) {
7114 if (!len ||
7115 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7116 len = RNR_HEADER_LEN;
7117 total_len += RNR_HEADER_LEN;
7118 }
7119
7120 len += RNR_TBTT_HEADER_LEN;
7121 total_len += RNR_TBTT_HEADER_LEN;
7122
7123 for (i = start; i < hapd->iface->num_bss; i++) {
7124 struct hostapd_data *bss = hapd->iface->bss[i];
7125
7126 if (!bss || !bss->conf || !bss->started)
7127 continue;
7128
7129 if (bss == reporting_hapd ||
7130 bss->conf->ignore_broadcast_ssid)
7131 continue;
7132
7133 if (len + RNR_TBTT_INFO_LEN > 255 ||
7134 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7135 break;
7136
7137 len += RNR_TBTT_INFO_LEN;
7138 total_len += RNR_TBTT_INFO_LEN;
7139 tbtt_count++;
7140 }
7141 start = i;
7142 }
7143
7144 if (!tbtt_count)
7145 total_len = 0;
7146 else
7147 *current_len = len;
7148
7149 return total_len;
7150 }
7151
7152
7153 enum colocation_mode {
7154 NO_COLOCATED_6GHZ,
7155 STANDALONE_6GHZ,
7156 COLOCATED_6GHZ,
7157 COLOCATED_LOWER_BAND,
7158 };
7159
get_colocation_mode(struct hostapd_data * hapd)7160 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7161 {
7162 u8 i;
7163 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7164
7165 if (!hapd->iface || !hapd->iface->interfaces)
7166 return NO_COLOCATED_6GHZ;
7167
7168 if (is_6ghz && hapd->iface->interfaces->count == 1)
7169 return STANDALONE_6GHZ;
7170
7171 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7172 struct hostapd_iface *iface;
7173 bool is_colocated_6ghz;
7174
7175 iface = hapd->iface->interfaces->iface[i];
7176 if (iface == hapd->iface || !iface || !iface->conf)
7177 continue;
7178
7179 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7180 if (!is_6ghz && is_colocated_6ghz)
7181 return COLOCATED_LOWER_BAND;
7182 if (is_6ghz && !is_colocated_6ghz)
7183 return COLOCATED_6GHZ;
7184 }
7185
7186 if (is_6ghz)
7187 return STANDALONE_6GHZ;
7188
7189 return NO_COLOCATED_6GHZ;
7190 }
7191
7192
hostapd_eid_rnr_colocation_len(struct hostapd_data * hapd,size_t * current_len)7193 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7194 size_t *current_len)
7195 {
7196 struct hostapd_iface *iface;
7197 size_t len = 0;
7198 size_t i;
7199
7200 if (!hapd->iface || !hapd->iface->interfaces)
7201 return 0;
7202
7203 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7204 iface = hapd->iface->interfaces->iface[i];
7205
7206 if (iface == hapd->iface ||
7207 !is_6ghz_op_class(iface->conf->op_class))
7208 continue;
7209
7210 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7211 current_len);
7212 }
7213
7214 return len;
7215 }
7216
7217
hostapd_eid_rnr_len(struct hostapd_data * hapd,u32 type)7218 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)
7219 {
7220 size_t total_len = 0, current_len = 0;
7221 enum colocation_mode mode = get_colocation_mode(hapd);
7222
7223 switch (type) {
7224 case WLAN_FC_STYPE_BEACON:
7225 if (hapd->conf->rnr)
7226 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7227 /* fallthrough */
7228
7229 case WLAN_FC_STYPE_PROBE_RESP:
7230 if (mode == COLOCATED_LOWER_BAND)
7231 total_len += hostapd_eid_rnr_colocation_len(
7232 hapd, ¤t_len);
7233
7234 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7235 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7236 ¤t_len);
7237 break;
7238
7239 case WLAN_FC_STYPE_ACTION:
7240 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7241 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7242 ¤t_len);
7243 break;
7244
7245 default:
7246 break;
7247 }
7248
7249 return total_len;
7250 }
7251
7252
hostapd_eid_nr_db(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7253 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7254 size_t *current_len)
7255 {
7256 struct hostapd_neighbor_entry *nr;
7257 size_t len = *current_len;
7258 u8 *size_offset = (eid - len) + 1;
7259
7260 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7261 list) {
7262 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7263 continue;
7264
7265 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7266 continue;
7267
7268 /* Start a new element */
7269 if (!len ||
7270 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7271 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7272 size_offset = eid++;
7273 len = RNR_HEADER_LEN;
7274 }
7275
7276 /* TBTT Information Header subfield (2 octets) */
7277 *eid++ = 0;
7278 /* TBTT Information Length */
7279 *eid++ = RNR_TBTT_INFO_LEN;
7280 /* Operating Class */
7281 *eid++ = wpabuf_head_u8(nr->nr)[10];
7282 /* Channel Number */
7283 *eid++ = wpabuf_head_u8(nr->nr)[11];
7284 len += RNR_TBTT_HEADER_LEN;
7285 /* TBTT Information Set */
7286 /* TBTT Information field */
7287 /* Neighbor AP TBTT Offset */
7288 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7289 /* BSSID */
7290 os_memcpy(eid, nr->bssid, ETH_ALEN);
7291 eid += ETH_ALEN;
7292 /* Short SSID */
7293 os_memcpy(eid, &nr->short_ssid, 4);
7294 eid += 4;
7295 /* BSS parameters */
7296 *eid++ = nr->bss_parameters;
7297 /* 20 MHz PSD */
7298 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7299 len += RNR_TBTT_INFO_LEN;
7300 *size_offset = (eid - size_offset) - 1;
7301 }
7302
7303 *current_len = len;
7304 return eid;
7305 }
7306
7307
hostapd_eid_rnr_iface(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,u8 * eid,size_t * current_len)7308 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7309 struct hostapd_data *reporting_hapd,
7310 u8 *eid, size_t *current_len)
7311 {
7312 struct hostapd_data *bss;
7313 struct hostapd_iface *iface = hapd->iface;
7314 size_t i, start = 0;
7315 size_t len = *current_len;
7316 u8 *tbtt_count_pos, *eid_start = eid, *size_offset = (eid - len) + 1;
7317 u8 tbtt_count = 0, op_class, channel, bss_param;
7318
7319 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7320 return eid;
7321
7322 if (ieee80211_freq_to_channel_ext(iface->freq,
7323 hapd->iconf->secondary_channel,
7324 hostapd_get_oper_chwidth(hapd->iconf),
7325 &op_class, &channel) ==
7326 NUM_HOSTAPD_MODES)
7327 return eid;
7328
7329 while (start < iface->num_bss) {
7330 if (!len ||
7331 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7332 eid_start = eid;
7333 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7334 size_offset = eid++;
7335 len = RNR_HEADER_LEN;
7336 tbtt_count = 0;
7337 }
7338
7339 tbtt_count_pos = eid++;
7340 *eid++ = RNR_TBTT_INFO_LEN;
7341 *eid++ = op_class;
7342 *eid++ = hapd->iconf->channel;
7343 len += RNR_TBTT_HEADER_LEN;
7344
7345 for (i = start; i < iface->num_bss; i++) {
7346 bss_param = 0;
7347 bss = iface->bss[i];
7348 if (!bss || !bss->conf || !bss->started)
7349 continue;
7350
7351 if (bss == reporting_hapd ||
7352 bss->conf->ignore_broadcast_ssid)
7353 continue;
7354
7355 if (len + RNR_TBTT_INFO_LEN > 255 ||
7356 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7357 break;
7358
7359 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7360 os_memcpy(eid, bss->conf->bssid, ETH_ALEN);
7361 eid += ETH_ALEN;
7362 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7363 eid += 4;
7364 if (bss->conf->ssid.short_ssid ==
7365 reporting_hapd->conf->ssid.short_ssid)
7366 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7367
7368 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7369 bss->conf->unsol_bcast_probe_resp_interval)
7370 bss_param |=
7371 RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7372
7373 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7374
7375 *eid++ = bss_param;
7376 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7377 len += RNR_TBTT_INFO_LEN;
7378 tbtt_count += 1;
7379 }
7380
7381 start = i;
7382 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7383 *size_offset = (eid - size_offset) - 1;
7384 }
7385
7386 if (tbtt_count == 0)
7387 return eid_start;
7388
7389 *current_len = len;
7390 return eid;
7391 }
7392
7393
hostapd_eid_rnr_colocation(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7394 static u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7395 size_t *current_len)
7396 {
7397 struct hostapd_iface *iface;
7398 size_t i;
7399
7400 if (!hapd->iface || !hapd->iface->interfaces)
7401 return eid;
7402
7403 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7404 iface = hapd->iface->interfaces->iface[i];
7405
7406 if (iface == hapd->iface ||
7407 !is_6ghz_op_class(iface->conf->op_class))
7408 continue;
7409
7410 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7411 current_len);
7412 }
7413
7414 return eid;
7415 }
7416
7417
hostapd_eid_rnr(struct hostapd_data * hapd,u8 * eid,u32 type)7418 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)
7419 {
7420 u8 *eid_start = eid;
7421 size_t current_len = 0;
7422 enum colocation_mode mode = get_colocation_mode(hapd);
7423
7424 switch (type) {
7425 case WLAN_FC_STYPE_BEACON:
7426 if (hapd->conf->rnr)
7427 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
7428 /* fallthrough */
7429
7430 case WLAN_FC_STYPE_PROBE_RESP:
7431 if (mode == COLOCATED_LOWER_BAND)
7432 eid = hostapd_eid_rnr_colocation(hapd, eid,
7433 ¤t_len);
7434
7435 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7436 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7437 ¤t_len);
7438 break;
7439
7440 case WLAN_FC_STYPE_ACTION:
7441 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7442 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7443 ¤t_len);
7444 break;
7445
7446 default:
7447 return eid_start;
7448 }
7449
7450 if (eid == eid_start + 2)
7451 return eid_start;
7452
7453 return eid;
7454 }
7455
7456 #endif /* CONFIG_NATIVE_WINDOWS */
7457