1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58
59
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 struct sta_info *sta, u16 *resp,
64 struct rsn_pmksa_cache_entry *pmksa,
65 struct wpabuf *erp_resp,
66 const u8 *msk, size_t msk_len,
67 int *is_pub);
68 #endif /* CONFIG_FILS */
69
70 #ifdef CONFIG_PASN
71
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 struct sta_info *sta,
74 struct rsn_pmksa_cache_entry *pmksa,
75 u16 status);
76 #ifdef CONFIG_FILS
77
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 struct sta_info *sta, u16 status,
80 struct wpabuf *erp_resp,
81 const u8 *msk, size_t msk_len);
82
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85
86 static void handle_auth(struct hostapd_data *hapd,
87 const struct ieee80211_mgmt *mgmt, size_t len,
88 int rssi, int from_queue);
89
90
hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 u8 multi_ap_val = 0;
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97 if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101
102 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104
105
hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 u8 *pos = eid;
109 int i, num, count;
110 int h2e_required;
111
112 if (hapd->iface->current_rates == NULL)
113 return eid;
114
115 *pos++ = WLAN_EID_SUPP_RATES;
116 num = hapd->iface->num_rates;
117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 num++;
119 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 num++;
121 h2e_required = (hapd->conf->sae_pwe == 1 ||
122 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 hapd->conf->sae_pwe != 3 &&
124 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 if (h2e_required)
126 num++;
127 if (num > 8) {
128 /* rest of the rates are encoded in Extended supported
129 * rates element */
130 num = 8;
131 }
132
133 *pos++ = num;
134 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 i++) {
136 count++;
137 *pos = hapd->iface->current_rates[i].rate / 5;
138 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 *pos |= 0x80;
140 pos++;
141 }
142
143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 count++;
145 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 }
147
148 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 count++;
150 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 }
152
153 if (h2e_required && count < 8) {
154 count++;
155 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 }
157
158 return pos;
159 }
160
161
hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 u8 *pos = eid;
165 int i, num, count;
166 int h2e_required;
167
168 if (hapd->iface->current_rates == NULL)
169 return eid;
170
171 num = hapd->iface->num_rates;
172 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 num++;
174 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 num++;
176 h2e_required = (hapd->conf->sae_pwe == 1 ||
177 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 hapd->conf->sae_pwe != 3 &&
179 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 if (h2e_required)
181 num++;
182 if (num <= 8)
183 return eid;
184 num -= 8;
185
186 *pos++ = WLAN_EID_EXT_SUPP_RATES;
187 *pos++ = num;
188 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 i++) {
190 count++;
191 if (count <= 8)
192 continue; /* already in SuppRates IE */
193 *pos = hapd->iface->current_rates[i].rate / 5;
194 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 *pos |= 0x80;
196 pos++;
197 }
198
199 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 count++;
201 if (count > 8)
202 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 }
204
205 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 count++;
207 if (count > 8)
208 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 }
210
211 if (h2e_required) {
212 count++;
213 if (count > 8)
214 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 }
216
217 return pos;
218 }
219
220
hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid, size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 size_t len)
223 {
224 size_t i;
225
226 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 if (hapd->conf->radio_measurements[i])
228 break;
229 }
230
231 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 return eid;
233
234 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 *eid++ = RRM_CAPABILITIES_IE_LEN;
236 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237
238 return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240
241
hostapd_own_capab_info(struct hostapd_data *hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 int capab = WLAN_CAPABILITY_ESS;
245 int privacy = 0;
246 int dfs;
247 int i;
248
249 /* Check if any of configured channels require DFS */
250 dfs = hostapd_is_dfs_required(hapd->iface);
251 if (dfs < 0) {
252 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 dfs);
254 dfs = 0;
255 }
256
257 if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 hapd->iconf->preamble == SHORT_PREAMBLE)
259 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260
261 #ifdef CONFIG_WEP
262 privacy = hapd->conf->ssid.wep.keys_set;
263
264 if (hapd->conf->ieee802_1x &&
265 (hapd->conf->default_wep_key_len ||
266 hapd->conf->individual_wep_key_len))
267 privacy = 1;
268 #endif /* CONFIG_WEP */
269
270 if (hapd->conf->wpa)
271 privacy = 1;
272
273 #ifdef CONFIG_HS20
274 if (hapd->conf->osen)
275 privacy = 1;
276 #endif /* CONFIG_HS20 */
277
278 if (privacy)
279 capab |= WLAN_CAPABILITY_PRIVACY;
280
281 if (hapd->iface->current_mode &&
282 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 hapd->iface->num_sta_no_short_slot_time == 0)
284 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285
286 /*
287 * Currently, Spectrum Management capability bit is set when directly
288 * requested in configuration by spectrum_mgmt_required or when AP is
289 * running on DFS channel.
290 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 */
292 if (hapd->iface->current_mode &&
293 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 (hapd->iconf->spectrum_mgmt_required || dfs))
295 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296
297 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 if (hapd->conf->radio_measurements[i]) {
299 capab |= IEEE80211_CAP_RRM;
300 break;
301 }
302 }
303
304 return capab;
305 }
306
307
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, u16 auth_transaction, const u8 *challenge, int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 u16 auth_transaction, const u8 *challenge,
312 int iswep)
313 {
314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 HOSTAPD_LEVEL_DEBUG,
316 "authentication (shared key, transaction %d)",
317 auth_transaction);
318
319 if (auth_transaction == 1) {
320 if (!sta->challenge) {
321 /* Generate a pseudo-random challenge */
322 u8 key[8];
323
324 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 if (sta->challenge == NULL)
326 return WLAN_STATUS_UNSPECIFIED_FAILURE;
327
328 if (os_get_random(key, sizeof(key)) < 0) {
329 os_free(sta->challenge);
330 sta->challenge = NULL;
331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 }
333
334 rc4_skip(key, sizeof(key), 0,
335 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 }
337 return 0;
338 }
339
340 if (auth_transaction != 3)
341 return WLAN_STATUS_UNSPECIFIED_FAILURE;
342
343 /* Transaction 3 */
344 if (!iswep || !sta->challenge || !challenge ||
345 os_memcmp_const(sta->challenge, challenge,
346 WLAN_AUTH_CHALLENGE_LEN)) {
347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_INFO,
349 "shared key authentication - invalid "
350 "challenge-response");
351 return WLAN_STATUS_CHALLENGE_FAIL;
352 }
353
354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 HOSTAPD_LEVEL_DEBUG,
356 "authentication OK (shared key)");
357 sta->flags |= WLAN_STA_AUTH;
358 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 os_free(sta->challenge);
360 sta->challenge = NULL;
361
362 return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366
367
send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta, const u8 *dst, const u8 *bssid, u16 auth_alg, u16 auth_transaction, u16 resp, const u8 *ies, size_t ies_len, const char *dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 const u8 *dst, const u8 *bssid,
370 u16 auth_alg, u16 auth_transaction, u16 resp,
371 const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 struct ieee80211_mgmt *reply;
374 u8 *buf;
375 size_t rlen;
376 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377
378 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 buf = os_zalloc(rlen);
380 if (buf == NULL)
381 return -1;
382
383 reply = (struct ieee80211_mgmt *) buf;
384 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 WLAN_FC_STYPE_AUTH);
386 os_memcpy(reply->da, dst, ETH_ALEN);
387 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 os_memcpy(reply->bssid, bssid, ETH_ALEN);
389
390 reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 reply->u.auth.status_code = host_to_le16(resp);
393
394 if (ies && ies_len)
395 os_memcpy(reply->u.auth.variable, ies, ies_len);
396
397 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR_SEC
398 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 MAC2STR_SEC(dst), auth_alg, auth_transaction,
400 resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 if (hapd->conf->sae_confirm_immediate == 2 &&
404 auth_alg == WLAN_AUTH_SAE) {
405 if (auth_transaction == 1 && sta &&
406 (resp == WLAN_STATUS_SUCCESS ||
407 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 resp == WLAN_STATUS_SAE_PK)) {
409 wpa_printf(MSG_DEBUG,
410 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 os_free(sta->sae_postponed_commit);
412 sta->sae_postponed_commit = buf;
413 sta->sae_postponed_commit_len = rlen;
414 return WLAN_STATUS_SUCCESS;
415 }
416
417 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 wpa_printf(MSG_DEBUG,
419 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 if (hostapd_drv_send_mlme(hapd,
421 sta->sae_postponed_commit,
422 sta->sae_postponed_commit_len,
423 0, NULL, 0, 0) < 0)
424 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 os_free(sta->sae_postponed_commit);
426 sta->sae_postponed_commit = NULL;
427 sta->sae_postponed_commit_len = 0;
428 }
429 }
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 else
435 reply_res = WLAN_STATUS_SUCCESS;
436
437 os_free(buf);
438
439 return reply_res;
440 }
441
442
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, u16 auth_transaction, u16 status, const u8 *ies, size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 u16 auth_transaction, u16 status,
446 const u8 *ies, size_t ies_len)
447 {
448 struct hostapd_data *hapd = ctx;
449 struct sta_info *sta;
450 int reply_res;
451
452 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 auth_transaction, status, ies, ies_len,
454 "auth-ft-finish");
455
456 sta = ap_get_sta(hapd, dst);
457 if (sta == NULL)
458 return;
459
460 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 status != WLAN_STATUS_SUCCESS)) {
462 hostapd_drv_sta_remove(hapd, sta->addr);
463 sta->added_unassoc = 0;
464 return;
465 }
466
467 if (status != WLAN_STATUS_SUCCESS)
468 return;
469
470 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 sta->flags |= WLAN_STA_AUTH;
473 mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476
477
478 #ifdef CONFIG_SAE
479
sae_set_state(struct sta_info *sta, enum sae_state state, const char *reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 const char *reason)
482 {
483 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR_SEC " (%s)",
484 sae_state_txt(sta->sae->state), sae_state_txt(state),
485 MAC2STR_SEC(sta->addr), reason);
486 sta->sae->state = state;
487 }
488
489
sae_get_password(struct hostapd_data *hapd, struct sta_info *sta, const char *rx_id, struct sae_password_entry **pw_entry, struct sae_pt **s_pt, const struct sae_pk **s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const char *rx_id,
493 struct sae_password_entry **pw_entry,
494 struct sae_pt **s_pt,
495 const struct sae_pk **s_pk)
496 {
497 const char *password = NULL;
498 struct sae_password_entry *pw;
499 struct sae_pt *pt = NULL;
500 const struct sae_pk *pk = NULL;
501
502 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 continue;
506 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 continue;
508 if (rx_id && pw->identifier &&
509 os_strcmp(rx_id, pw->identifier) != 0)
510 continue;
511 password = pw->password;
512 pt = pw->pt;
513 if (!(hapd->conf->mesh & MESH_ENABLED))
514 pk = pw->pk;
515 break;
516 }
517 if (!password) {
518 password = hapd->conf->ssid.wpa_passphrase;
519 pt = hapd->conf->ssid.pt;
520 }
521
522 if (pw_entry)
523 *pw_entry = pw;
524 if (s_pt)
525 *s_pt = pt;
526 if (s_pk)
527 *s_pk = pk;
528
529 return password;
530 }
531
532
auth_build_sae_commit(struct hostapd_data *hapd, struct sta_info *sta, int update, int status_code)533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 struct sta_info *sta, int update,
535 int status_code)
536 {
537 struct wpabuf *buf;
538 const char *password = NULL;
539 struct sae_password_entry *pw;
540 const char *rx_id = NULL;
541 int use_pt = 0;
542 struct sae_pt *pt = NULL;
543 const struct sae_pk *pk = NULL;
544
545 if (sta->sae->tmp) {
546 rx_id = sta->sae->tmp->pw_id;
547 use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 }
553
554 if (rx_id && hapd->conf->sae_pwe != 3)
555 use_pt = 1;
556 else if (status_code == WLAN_STATUS_SUCCESS)
557 use_pt = 0;
558 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 status_code == WLAN_STATUS_SAE_PK)
560 use_pt = 1;
561
562 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 if (!password || (use_pt && !pt)) {
564 wpa_printf(MSG_DEBUG, "SAE: No password available");
565 return NULL;
566 }
567
568 if (update && use_pt &&
569 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 NULL, pk) < 0)
571 return NULL;
572
573 if (update && !use_pt &&
574 sae_prepare_commit(hapd->own_addr, sta->addr,
575 (u8 *) password, os_strlen(password),
576 sta->sae) < 0) {
577 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 return NULL;
579 }
580
581 if (pw && pw->vlan_id) {
582 if (!sta->sae->tmp) {
583 wpa_printf(MSG_INFO,
584 "SAE: No temporary data allocated - cannot store VLAN ID");
585 return NULL;
586 }
587 sta->sae->tmp->vlan_id = pw->vlan_id;
588 }
589
590 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 (rx_id ? 3 + os_strlen(rx_id) : 0));
592 if (buf &&
593 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 sta->sae->tmp->anti_clogging_token : NULL,
595 rx_id) < 0) {
596 wpabuf_free(buf);
597 buf = NULL;
598 }
599
600 return buf;
601 }
602
603
auth_build_sae_confirm(struct hostapd_data *hapd, struct sta_info *sta)604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 struct sta_info *sta)
606 {
607 struct wpabuf *buf;
608
609 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 if (buf == NULL)
611 return NULL;
612
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 if (sta->sae->tmp)
616 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619
620 if (sae_write_confirm(sta->sae, buf) < 0) {
621 wpabuf_free(buf);
622 return NULL;
623 }
624
625 return buf;
626 }
627
628
auth_sae_send_commit(struct hostapd_data *hapd, struct sta_info *sta, const u8 *bssid, int update, int status_code)629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 struct sta_info *sta,
631 const u8 *bssid, int update, int status_code)
632 {
633 struct wpabuf *data;
634 int reply_res;
635 u16 status;
636
637 data = auth_build_sae_commit(hapd, sta, update, status_code);
638 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 if (data == NULL)
641 return WLAN_STATUS_UNSPECIFIED_FAILURE;
642
643 if (sta->sae->tmp && sta->sae->pk)
644 status = WLAN_STATUS_SAE_PK;
645 else if (sta->sae->tmp && sta->sae->h2e)
646 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 else
648 status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 if (hapd->conf->sae_commit_status >= 0 &&
651 hapd->conf->sae_commit_status != status) {
652 wpa_printf(MSG_INFO,
653 "TESTING: Override SAE commit status code %u --> %d",
654 status, hapd->conf->sae_commit_status);
655 status = hapd->conf->sae_commit_status;
656 }
657 #endif /* CONFIG_TESTING_OPTIONS */
658 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 WLAN_AUTH_SAE, 1,
660 status, wpabuf_head(data),
661 wpabuf_len(data), "sae-send-commit");
662
663 wpabuf_free(data);
664
665 return reply_res;
666 }
667
668
auth_sae_send_confirm(struct hostapd_data *hapd, struct sta_info *sta, const u8 *bssid)669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 struct sta_info *sta,
671 const u8 *bssid)
672 {
673 struct wpabuf *data;
674 int reply_res;
675
676 data = auth_build_sae_confirm(hapd, sta);
677 if (data == NULL)
678 return WLAN_STATUS_UNSPECIFIED_FAILURE;
679
680 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 WLAN_AUTH_SAE, 2,
682 WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 wpabuf_len(data), "sae-send-confirm");
684
685 wpabuf_free(data);
686
687 return reply_res;
688 }
689
690 #endif /* CONFIG_SAE */
691
692
693 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
694
use_anti_clogging(struct hostapd_data *hapd)695 static int use_anti_clogging(struct hostapd_data *hapd)
696 {
697 struct sta_info *sta;
698 unsigned int open = 0;
699
700 if (hapd->conf->anti_clogging_threshold == 0)
701 return 1;
702
703 for (sta = hapd->sta_list; sta; sta = sta->next) {
704 #ifdef CONFIG_SAE
705 if (sta->sae &&
706 (sta->sae->state == SAE_COMMITTED ||
707 sta->sae->state == SAE_CONFIRMED))
708 open++;
709 #endif /* CONFIG_SAE */
710 #ifdef CONFIG_PASN
711 if (sta->pasn && sta->pasn->ecdh)
712 open++;
713 #endif /* CONFIG_PASN */
714 if (open >= hapd->conf->anti_clogging_threshold)
715 return 1;
716 }
717
718 #ifdef CONFIG_SAE
719 /* In addition to already existing open SAE sessions, check whether
720 * there are enough pending commit messages in the processing queue to
721 * potentially result in too many open sessions. */
722 if (open + dl_list_len(&hapd->sae_commit_queue) >=
723 hapd->conf->anti_clogging_threshold)
724 return 1;
725 #endif /* CONFIG_SAE */
726
727 return 0;
728 }
729
730
comeback_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)731 static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
732 u8 *idx)
733 {
734 u8 hash[SHA256_MAC_LEN];
735
736 if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
737 addr, ETH_ALEN, hash) < 0)
738 return -1;
739 *idx = hash[0];
740 return 0;
741 }
742
743
check_comeback_token(struct hostapd_data *hapd, const u8 *addr, const u8 *token, size_t token_len)744 static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
745 const u8 *token, size_t token_len)
746 {
747 u8 mac[SHA256_MAC_LEN];
748 const u8 *addrs[2];
749 size_t len[2];
750 u16 token_idx;
751 u8 idx;
752
753 if (token_len != SHA256_MAC_LEN ||
754 comeback_token_hash(hapd, addr, &idx) < 0)
755 return -1;
756 token_idx = hapd->comeback_pending_idx[idx];
757 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
758 wpa_printf(MSG_DEBUG,
759 "Comeback: Invalid anti-clogging token from "
760 MACSTR_SEC " - token_idx 0x%04x, expected 0x%04x",
761 MAC2STR_SEC(addr), WPA_GET_BE16(token), token_idx);
762 return -1;
763 }
764
765 addrs[0] = addr;
766 len[0] = ETH_ALEN;
767 addrs[1] = token;
768 len[1] = 2;
769 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
770 2, addrs, len, mac) < 0 ||
771 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
772 return -1;
773
774 hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
775
776 return 0;
777 }
778
779
auth_build_token_req(struct hostapd_data *hapd, int group, const u8 *addr, int h2e)780 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
781 int group, const u8 *addr, int h2e)
782 {
783 struct wpabuf *buf;
784 u8 *token;
785 struct os_reltime now;
786 u8 idx[2];
787 const u8 *addrs[2];
788 size_t len[2];
789 u8 p_idx;
790 u16 token_idx;
791
792 os_get_reltime(&now);
793 if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
794 os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
795 hapd->comeback_idx == 0xffff) {
796 if (random_get_bytes(hapd->comeback_key,
797 sizeof(hapd->comeback_key)) < 0)
798 return NULL;
799 wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key",
800 hapd->comeback_key, sizeof(hapd->comeback_key));
801 hapd->last_comeback_key_update = now;
802 hapd->comeback_idx = 0;
803 os_memset(hapd->comeback_pending_idx, 0,
804 sizeof(hapd->comeback_pending_idx));
805 }
806
807 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
808 if (buf == NULL)
809 return NULL;
810
811 if (group)
812 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
813
814 if (h2e) {
815 /* Encapsulate Anti-clogging Token field in a container IE */
816 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
817 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
818 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
819 }
820
821 if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
822 wpabuf_free(buf);
823 return NULL;
824 }
825
826 token_idx = hapd->comeback_pending_idx[p_idx];
827 if (!token_idx) {
828 hapd->comeback_idx++;
829 token_idx = hapd->comeback_idx;
830 hapd->comeback_pending_idx[p_idx] = token_idx;
831 }
832 WPA_PUT_BE16(idx, token_idx);
833 token = wpabuf_put(buf, SHA256_MAC_LEN);
834 addrs[0] = addr;
835 len[0] = ETH_ALEN;
836 addrs[1] = idx;
837 len[1] = sizeof(idx);
838 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
839 2, addrs, len, token) < 0) {
840 wpabuf_free(buf);
841 return NULL;
842 }
843 WPA_PUT_BE16(token, token_idx);
844
845 return buf;
846 }
847
848 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
849
850
851 #ifdef CONFIG_SAE
852
sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)853 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
854 {
855 if (sta->sae->sync > hapd->conf->sae_sync) {
856 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
857 sta->sae->sync = 0;
858 return -1;
859 }
860 return 0;
861 }
862
863
auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)864 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
865 {
866 struct hostapd_data *hapd = eloop_ctx;
867 struct sta_info *sta = eloop_data;
868 int ret;
869
870 if (sae_check_big_sync(hapd, sta))
871 return;
872 sta->sae->sync++;
873 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR_SEC
874 " (sync=%d state=%s)",
875 MAC2STR_SEC(sta->addr), sta->sae->sync,
876 sae_state_txt(sta->sae->state));
877
878 switch (sta->sae->state) {
879 case SAE_COMMITTED:
880 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
881 eloop_register_timeout(0,
882 hapd->dot11RSNASAERetransPeriod * 1000,
883 auth_sae_retransmit_timer, hapd, sta);
884 break;
885 case SAE_CONFIRMED:
886 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
887 eloop_register_timeout(0,
888 hapd->dot11RSNASAERetransPeriod * 1000,
889 auth_sae_retransmit_timer, hapd, sta);
890 break;
891 default:
892 ret = -1;
893 break;
894 }
895
896 if (ret != WLAN_STATUS_SUCCESS)
897 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
898 }
899
900
sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)901 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
902 {
903 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
904 }
905
906
sae_set_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)907 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
908 struct sta_info *sta)
909 {
910 if (!(hapd->conf->mesh & MESH_ENABLED))
911 return;
912
913 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
914 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
915 auth_sae_retransmit_timer, hapd, sta);
916 }
917
918
sae_sme_send_external_auth_status(struct hostapd_data *hapd, struct sta_info *sta, u16 status)919 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
920 struct sta_info *sta, u16 status)
921 {
922 struct external_auth params;
923
924 os_memset(¶ms, 0, sizeof(params));
925 params.status = status;
926 params.bssid = sta->addr;
927 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
928 !hapd->conf->disable_pmksa_caching)
929 params.pmkid = sta->sae->pmkid;
930
931 hostapd_drv_send_external_auth_status(hapd, ¶ms);
932 }
933
934
sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)935 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
936 {
937 #ifndef CONFIG_NO_VLAN
938 struct vlan_description vlan_desc;
939
940 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
941 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR_SEC
942 " to VLAN ID %d",
943 MAC2STR_SEC(sta->addr), sta->sae->tmp->vlan_id);
944
945 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
946 vlan_desc.notempty = 1;
947 vlan_desc.untagged = sta->sae->tmp->vlan_id;
948 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
949 wpa_printf(MSG_INFO,
950 "Invalid VLAN ID %d in sae_password",
951 sta->sae->tmp->vlan_id);
952 return;
953 }
954
955 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
956 ap_sta_bind_vlan(hapd, sta) < 0) {
957 wpa_printf(MSG_INFO,
958 "Failed to assign VLAN ID %d from sae_password to "
959 MACSTR_SEC, sta->sae->tmp->vlan_id,
960 MAC2STR_SEC(sta->addr));
961 return;
962 }
963 }
964 #endif /* CONFIG_NO_VLAN */
965
966 sta->flags |= WLAN_STA_AUTH;
967 sta->auth_alg = WLAN_AUTH_SAE;
968 mlme_authenticate_indication(hapd, sta);
969 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
970 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
971 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
972 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
973 sta->sae->peer_commit_scalar = NULL;
974 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
975 sta->sae->pmk, sta->sae->pmk_len,
976 sta->sae->pmkid, sta->sae->akmp);
977 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
978 }
979
980
sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, const u8 *bssid, u16 auth_transaction, u16 status_code, int allow_reuse, int *sta_removed)981 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
982 const u8 *bssid, u16 auth_transaction, u16 status_code,
983 int allow_reuse, int *sta_removed)
984 {
985 int ret;
986
987 *sta_removed = 0;
988
989 if (auth_transaction != 1 && auth_transaction != 2)
990 return WLAN_STATUS_UNSPECIFIED_FAILURE;
991
992 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR_SEC " state=%s auth_trans=%u",
993 MAC2STR_SEC(sta->addr), sae_state_txt(sta->sae->state),
994 auth_transaction);
995 switch (sta->sae->state) {
996 case SAE_NOTHING:
997 if (auth_transaction == 1) {
998 if (sta->sae->tmp) {
999 sta->sae->h2e =
1000 (status_code ==
1001 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1002 status_code == WLAN_STATUS_SAE_PK);
1003 sta->sae->pk =
1004 status_code == WLAN_STATUS_SAE_PK;
1005 }
1006 ret = auth_sae_send_commit(hapd, sta, bssid,
1007 !allow_reuse, status_code);
1008 if (ret)
1009 return ret;
1010 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1011
1012 if (sae_process_commit(sta->sae) < 0)
1013 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1014
1015 /*
1016 * In mesh case, both Commit and Confirm are sent
1017 * immediately. In infrastructure BSS, by default, only
1018 * a single Authentication frame (Commit) is expected
1019 * from the AP here and the second one (Confirm) will
1020 * be sent once the STA has sent its second
1021 * Authentication frame (Confirm). This behavior can be
1022 * overridden with explicit configuration so that the
1023 * infrastructure BSS case sends both frames together.
1024 */
1025 if ((hapd->conf->mesh & MESH_ENABLED) ||
1026 hapd->conf->sae_confirm_immediate) {
1027 /*
1028 * Send both Commit and Confirm immediately
1029 * based on SAE finite state machine
1030 * Nothing -> Confirm transition.
1031 */
1032 ret = auth_sae_send_confirm(hapd, sta, bssid);
1033 if (ret)
1034 return ret;
1035 sae_set_state(sta, SAE_CONFIRMED,
1036 "Sent Confirm (mesh)");
1037 } else {
1038 /*
1039 * For infrastructure BSS, send only the Commit
1040 * message now to get alternating sequence of
1041 * Authentication frames between the AP and STA.
1042 * Confirm will be sent in
1043 * Committed -> Confirmed/Accepted transition
1044 * when receiving Confirm from STA.
1045 */
1046 }
1047 sta->sae->sync = 0;
1048 sae_set_retransmit_timer(hapd, sta);
1049 } else {
1050 hostapd_logger(hapd, sta->addr,
1051 HOSTAPD_MODULE_IEEE80211,
1052 HOSTAPD_LEVEL_DEBUG,
1053 "SAE confirm before commit");
1054 }
1055 break;
1056 case SAE_COMMITTED:
1057 sae_clear_retransmit_timer(hapd, sta);
1058 if (auth_transaction == 1) {
1059 if (sae_process_commit(sta->sae) < 0)
1060 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1061
1062 ret = auth_sae_send_confirm(hapd, sta, bssid);
1063 if (ret)
1064 return ret;
1065 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1066 sta->sae->sync = 0;
1067 sae_set_retransmit_timer(hapd, sta);
1068 } else if (hapd->conf->mesh & MESH_ENABLED) {
1069 /*
1070 * In mesh case, follow SAE finite state machine and
1071 * send Commit now, if sync count allows.
1072 */
1073 if (sae_check_big_sync(hapd, sta))
1074 return WLAN_STATUS_SUCCESS;
1075 sta->sae->sync++;
1076
1077 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1078 status_code);
1079 if (ret)
1080 return ret;
1081
1082 sae_set_retransmit_timer(hapd, sta);
1083 } else {
1084 /*
1085 * For instructure BSS, send the postponed Confirm from
1086 * Nothing -> Confirmed transition that was reduced to
1087 * Nothing -> Committed above.
1088 */
1089 ret = auth_sae_send_confirm(hapd, sta, bssid);
1090 if (ret)
1091 return ret;
1092
1093 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1094
1095 /*
1096 * Since this was triggered on Confirm RX, run another
1097 * step to get to Accepted without waiting for
1098 * additional events.
1099 */
1100 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1101 WLAN_STATUS_SUCCESS, 0, sta_removed);
1102 }
1103 break;
1104 case SAE_CONFIRMED:
1105 sae_clear_retransmit_timer(hapd, sta);
1106 if (auth_transaction == 1) {
1107 if (sae_check_big_sync(hapd, sta))
1108 return WLAN_STATUS_SUCCESS;
1109 sta->sae->sync++;
1110
1111 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1112 status_code);
1113 if (ret)
1114 return ret;
1115
1116 if (sae_process_commit(sta->sae) < 0)
1117 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1118
1119 ret = auth_sae_send_confirm(hapd, sta, bssid);
1120 if (ret)
1121 return ret;
1122
1123 sae_set_retransmit_timer(hapd, sta);
1124 } else {
1125 sta->sae->send_confirm = 0xffff;
1126 sae_accept_sta(hapd, sta);
1127 }
1128 break;
1129 case SAE_ACCEPTED:
1130 if (auth_transaction == 1 &&
1131 (hapd->conf->mesh & MESH_ENABLED)) {
1132 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR_SEC
1133 ") doing reauthentication",
1134 MAC2STR_SEC(sta->addr));
1135 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1136 ap_free_sta(hapd, sta);
1137 *sta_removed = 1;
1138 } else if (auth_transaction == 1) {
1139 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1140 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1141 status_code);
1142 if (ret)
1143 return ret;
1144 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1145
1146 if (sae_process_commit(sta->sae) < 0)
1147 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1148 sta->sae->sync = 0;
1149 sae_set_retransmit_timer(hapd, sta);
1150 } else {
1151 if (sae_check_big_sync(hapd, sta))
1152 return WLAN_STATUS_SUCCESS;
1153 sta->sae->sync++;
1154
1155 ret = auth_sae_send_confirm(hapd, sta, bssid);
1156 sae_clear_temp_data(sta->sae);
1157 if (ret)
1158 return ret;
1159 }
1160 break;
1161 default:
1162 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1163 sta->sae->state);
1164 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1165 }
1166 return WLAN_STATUS_SUCCESS;
1167 }
1168
1169
sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)1170 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1171 {
1172 struct sae_data *sae = sta->sae;
1173 int i, *groups = hapd->conf->sae_groups;
1174 int default_groups[] = { 19, 0 };
1175
1176 if (sae->state != SAE_COMMITTED)
1177 return;
1178
1179 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1180
1181 if (!groups)
1182 groups = default_groups;
1183 for (i = 0; groups[i] > 0; i++) {
1184 if (sae->group == groups[i])
1185 break;
1186 }
1187
1188 if (groups[i] <= 0) {
1189 wpa_printf(MSG_DEBUG,
1190 "SAE: Previously selected group not found from the current configuration");
1191 return;
1192 }
1193
1194 for (;;) {
1195 i++;
1196 if (groups[i] <= 0) {
1197 wpa_printf(MSG_DEBUG,
1198 "SAE: No alternative group enabled");
1199 return;
1200 }
1201
1202 if (sae_set_group(sae, groups[i]) < 0)
1203 continue;
1204
1205 break;
1206 }
1207 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1208 }
1209
1210
sae_status_success(struct hostapd_data *hapd, u16 status_code)1211 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1212 {
1213 int sae_pwe = hapd->conf->sae_pwe;
1214 int id_in_use;
1215 bool sae_pk = false;
1216
1217 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1218 if (id_in_use == 2 && sae_pwe != 3)
1219 sae_pwe = 1;
1220 else if (id_in_use == 1 && sae_pwe == 0)
1221 sae_pwe = 2;
1222 #ifdef CONFIG_SAE_PK
1223 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1224 if (sae_pwe == 0 && sae_pk)
1225 sae_pwe = 2;
1226 #endif /* CONFIG_SAE_PK */
1227 if (sae_pwe == SAE_PWE_HUNT_AND_PECK &&
1228 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE_EXT_KEY))
1229 sae_pwe = SAE_PWE_BOTH;
1230
1231 return ((sae_pwe == 0 || sae_pwe == 3) &&
1232 status_code == WLAN_STATUS_SUCCESS) ||
1233 (sae_pwe == 1 &&
1234 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1235 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1236 (sae_pwe == 2 &&
1237 (status_code == WLAN_STATUS_SUCCESS ||
1238 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1239 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1240 }
1241
1242
sae_is_group_enabled(struct hostapd_data *hapd, int group)1243 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1244 {
1245 int *groups = hapd->conf->sae_groups;
1246 int default_groups[] = { 19, 0 };
1247 int i;
1248
1249 if (!groups)
1250 groups = default_groups;
1251
1252 for (i = 0; groups[i] > 0; i++) {
1253 if (groups[i] == group)
1254 return 1;
1255 }
1256
1257 return 0;
1258 }
1259
1260
check_sae_rejected_groups(struct hostapd_data *hapd, struct sae_data *sae)1261 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1262 struct sae_data *sae)
1263 {
1264 const struct wpabuf *groups;
1265 size_t i, count;
1266 const u8 *pos;
1267
1268 if (!sae->tmp)
1269 return 0;
1270 groups = sae->tmp->peer_rejected_groups;
1271 if (!groups)
1272 return 0;
1273
1274 pos = wpabuf_head(groups);
1275 count = wpabuf_len(groups) / 2;
1276 for (i = 0; i < count; i++) {
1277 int enabled;
1278 u16 group;
1279
1280 group = WPA_GET_LE16(pos);
1281 pos += 2;
1282 enabled = sae_is_group_enabled(hapd, group);
1283 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1284 group, enabled ? "enabled" : "disabled");
1285 if (enabled)
1286 return 1;
1287 }
1288
1289 return 0;
1290 }
1291
1292
handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, const struct ieee80211_mgmt *mgmt, size_t len, u16 auth_transaction, u16 status_code)1293 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1294 const struct ieee80211_mgmt *mgmt, size_t len,
1295 u16 auth_transaction, u16 status_code)
1296 {
1297 int resp = WLAN_STATUS_SUCCESS;
1298 struct wpabuf *data = NULL;
1299 int *groups = hapd->conf->sae_groups;
1300 int default_groups[] = { 19, 0 };
1301 const u8 *pos, *end;
1302 int sta_removed = 0;
1303 bool success_status;
1304
1305 if (!groups)
1306 groups = default_groups;
1307
1308 #ifdef CONFIG_TESTING_OPTIONS
1309 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1310 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1311 pos = mgmt->u.auth.variable;
1312 end = ((const u8 *) mgmt) + len;
1313 resp = status_code;
1314 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1315 auth_transaction, resp, pos, end - pos,
1316 "auth-sae-reflection-attack");
1317 goto remove_sta;
1318 }
1319
1320 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1321 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1322 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1323 auth_transaction, resp,
1324 wpabuf_head(hapd->conf->sae_commit_override),
1325 wpabuf_len(hapd->conf->sae_commit_override),
1326 "sae-commit-override");
1327 goto remove_sta;
1328 }
1329 #endif /* CONFIG_TESTING_OPTIONS */
1330 if (!sta->sae) {
1331 if (auth_transaction != 1 ||
1332 !sae_status_success(hapd, status_code)) {
1333 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1334 status_code);
1335 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1336 goto reply;
1337 }
1338 sta->sae = os_zalloc(sizeof(*sta->sae));
1339 if (!sta->sae) {
1340 resp = -1;
1341 goto remove_sta;
1342 }
1343 sae_set_state(sta, SAE_NOTHING, "Init");
1344 sta->sae->sync = 0;
1345 }
1346
1347 if (sta->mesh_sae_pmksa_caching) {
1348 wpa_printf(MSG_DEBUG,
1349 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1350 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1351 sta->mesh_sae_pmksa_caching = 0;
1352 }
1353
1354 if (auth_transaction == 1) {
1355 const u8 *token = NULL;
1356 size_t token_len = 0;
1357 int allow_reuse = 0;
1358
1359 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1360 HOSTAPD_LEVEL_DEBUG,
1361 "start SAE authentication (RX commit, status=%u (%s))",
1362 status_code, status2str(status_code));
1363
1364 if ((hapd->conf->mesh & MESH_ENABLED) &&
1365 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1366 sta->sae->tmp) {
1367 pos = mgmt->u.auth.variable;
1368 end = ((const u8 *) mgmt) + len;
1369 if (pos + sizeof(le16) > end) {
1370 wpa_printf(MSG_ERROR,
1371 "SAE: Too short anti-clogging token request");
1372 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1373 goto reply;
1374 }
1375 resp = sae_group_allowed(sta->sae, groups,
1376 WPA_GET_LE16(pos));
1377 if (resp != WLAN_STATUS_SUCCESS) {
1378 wpa_printf(MSG_ERROR,
1379 "SAE: Invalid group in anti-clogging token request");
1380 goto reply;
1381 }
1382 pos += sizeof(le16);
1383
1384 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1385 sta->sae->tmp->anti_clogging_token =
1386 wpabuf_alloc_copy(pos, end - pos);
1387 if (sta->sae->tmp->anti_clogging_token == NULL) {
1388 wpa_printf(MSG_ERROR,
1389 "SAE: Failed to alloc for anti-clogging token");
1390 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1391 goto remove_sta;
1392 }
1393
1394 /*
1395 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1396 * is 76, a new Commit Message shall be constructed
1397 * with the Anti-Clogging Token from the received
1398 * Authentication frame, and the commit-scalar and
1399 * COMMIT-ELEMENT previously sent.
1400 */
1401 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1402 status_code);
1403 if (resp != WLAN_STATUS_SUCCESS) {
1404 wpa_printf(MSG_ERROR,
1405 "SAE: Failed to send commit message");
1406 goto remove_sta;
1407 }
1408 sae_set_state(sta, SAE_COMMITTED,
1409 "Sent Commit (anti-clogging token case in mesh)");
1410 sta->sae->sync = 0;
1411 sae_set_retransmit_timer(hapd, sta);
1412 return;
1413 }
1414
1415 if ((hapd->conf->mesh & MESH_ENABLED) &&
1416 status_code ==
1417 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1418 sta->sae->tmp) {
1419 wpa_printf(MSG_DEBUG,
1420 "SAE: Peer did not accept our SAE group");
1421 sae_pick_next_group(hapd, sta);
1422 goto remove_sta;
1423 }
1424
1425 if (!sae_status_success(hapd, status_code))
1426 goto remove_sta;
1427
1428 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1429 sta->sae->state == SAE_COMMITTED) {
1430 /* This is needed in the infrastructure BSS case to
1431 * address a sequence where a STA entry may remain in
1432 * hostapd across two attempts to do SAE authentication
1433 * by the same STA. The second attempt may end up trying
1434 * to use a different group and that would not be
1435 * allowed if we remain in Committed state with the
1436 * previously set parameters. */
1437 pos = mgmt->u.auth.variable;
1438 end = ((const u8 *) mgmt) + len;
1439 if (end - pos >= (int) sizeof(le16) &&
1440 sae_group_allowed(sta->sae, groups,
1441 WPA_GET_LE16(pos)) ==
1442 WLAN_STATUS_SUCCESS) {
1443 /* Do not waste resources deriving the same PWE
1444 * again since the same group is reused. */
1445 sae_set_state(sta, SAE_NOTHING,
1446 "Allow previous PWE to be reused");
1447 allow_reuse = 1;
1448 } else {
1449 sae_set_state(sta, SAE_NOTHING,
1450 "Clear existing state to allow restart");
1451 sae_clear_data(sta->sae);
1452 }
1453 }
1454
1455 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1456 ((const u8 *) mgmt) + len -
1457 mgmt->u.auth.variable, &token,
1458 &token_len, groups, status_code ==
1459 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1460 status_code == WLAN_STATUS_SAE_PK
1461 #ifdef CONFIG_MLD_PATCH
1462 , NULL
1463 #endif
1464 );
1465
1466 if (resp == SAE_SILENTLY_DISCARD) {
1467 wpa_printf(MSG_DEBUG,
1468 "SAE: Drop commit message from " MACSTR_SEC " due to reflection attack",
1469 MAC2STR_SEC(sta->addr));
1470 goto remove_sta;
1471 }
1472
1473 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1474 wpa_msg(hapd->msg_ctx, MSG_INFO,
1475 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1476 MACSTR, MAC2STR(sta->addr));
1477 sae_clear_retransmit_timer(hapd, sta);
1478 sae_set_state(sta, SAE_NOTHING,
1479 "Unknown Password Identifier");
1480 goto remove_sta;
1481 }
1482
1483 if (token &&
1484 check_comeback_token(hapd, sta->addr, token, token_len)
1485 < 0) {
1486 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1487 "incorrect token from " MACSTR_SEC,
1488 MAC2STR_SEC(sta->addr));
1489 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1490 goto remove_sta;
1491 }
1492
1493 if (resp != WLAN_STATUS_SUCCESS)
1494 goto reply;
1495
1496 if (check_sae_rejected_groups(hapd, sta->sae)) {
1497 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1498 goto reply;
1499 }
1500
1501 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1502 int h2e = 0;
1503
1504 wpa_printf(MSG_DEBUG,
1505 "SAE: Request anti-clogging token from "
1506 MACSTR_SEC, MAC2STR_SEC(sta->addr));
1507 if (sta->sae->tmp)
1508 h2e = sta->sae->h2e;
1509 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1510 status_code == WLAN_STATUS_SAE_PK)
1511 h2e = 1;
1512 data = auth_build_token_req(hapd, sta->sae->group,
1513 sta->addr, h2e);
1514 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1515 if (hapd->conf->mesh & MESH_ENABLED)
1516 sae_set_state(sta, SAE_NOTHING,
1517 "Request anti-clogging token case in mesh");
1518 goto reply;
1519 }
1520
1521 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1522 status_code, allow_reuse, &sta_removed);
1523 } else if (auth_transaction == 2) {
1524 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1525 HOSTAPD_LEVEL_DEBUG,
1526 "SAE authentication (RX confirm, status=%u (%s))",
1527 status_code, status2str(status_code));
1528 if (status_code != WLAN_STATUS_SUCCESS)
1529 goto remove_sta;
1530 if (sta->sae->state >= SAE_CONFIRMED ||
1531 !(hapd->conf->mesh & MESH_ENABLED)) {
1532 const u8 *var;
1533 size_t var_len;
1534 u16 peer_send_confirm;
1535
1536 var = mgmt->u.auth.variable;
1537 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1538 if (var_len < 2) {
1539 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1540 goto reply;
1541 }
1542
1543 peer_send_confirm = WPA_GET_LE16(var);
1544
1545 if (sta->sae->state == SAE_ACCEPTED &&
1546 (peer_send_confirm <= sta->sae->rc ||
1547 peer_send_confirm == 0xffff)) {
1548 wpa_printf(MSG_DEBUG,
1549 "SAE: Silently ignore unexpected Confirm from peer "
1550 MACSTR_SEC
1551 " (peer-send-confirm=%u Rc=%u)",
1552 MAC2STR_SEC(sta->addr),
1553 peer_send_confirm, sta->sae->rc);
1554 return;
1555 }
1556
1557 if (sae_check_confirm(sta->sae, var, var_len
1558 #ifdef CONFIG_MLD_PATCH
1559 , NULL
1560 #endif
1561 ) < 0) {
1562 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1563 goto reply;
1564 }
1565 sta->sae->rc = peer_send_confirm;
1566 }
1567 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1568 status_code, 0, &sta_removed);
1569 } else {
1570 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1571 HOSTAPD_LEVEL_DEBUG,
1572 "unexpected SAE authentication transaction %u (status=%u (%s))",
1573 auth_transaction, status_code,
1574 status2str(status_code));
1575 if (status_code != WLAN_STATUS_SUCCESS)
1576 goto remove_sta;
1577 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1578 }
1579
1580 reply:
1581 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1582 pos = mgmt->u.auth.variable;
1583 end = ((const u8 *) mgmt) + len;
1584
1585 /* Copy the Finite Cyclic Group field from the request if we
1586 * rejected it as unsupported group. */
1587 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1588 !data && end - pos >= 2)
1589 data = wpabuf_alloc_copy(pos, 2);
1590
1591 sae_sme_send_external_auth_status(hapd, sta, resp);
1592 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1593 auth_transaction, resp,
1594 data ? wpabuf_head(data) : (u8 *) "",
1595 data ? wpabuf_len(data) : 0, "auth-sae");
1596 }
1597
1598 remove_sta:
1599 if (auth_transaction == 1)
1600 success_status = sae_status_success(hapd, status_code);
1601 else
1602 success_status = status_code == WLAN_STATUS_SUCCESS;
1603 if (!sta_removed && sta->added_unassoc &&
1604 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1605 hostapd_drv_sta_remove(hapd, sta->addr);
1606 sta->added_unassoc = 0;
1607 }
1608 wpabuf_free(data);
1609 }
1610
1611
1612 /**
1613 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1614 * @hapd: BSS data for the device initiating the authentication
1615 * @sta: the peer to which commit authentication frame is sent
1616 *
1617 * This function implements Init event handling (IEEE Std 802.11-2012,
1618 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1619 * sta->sae structure should be initialized appropriately via a call to
1620 * sae_prepare_commit().
1621 */
auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)1622 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1623 {
1624 int ret;
1625
1626 if (!sta->sae || !sta->sae->tmp)
1627 return -1;
1628
1629 if (sta->sae->state != SAE_NOTHING)
1630 return -1;
1631
1632 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1633 if (ret)
1634 return -1;
1635
1636 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1637 sta->sae->sync = 0;
1638 sae_set_retransmit_timer(hapd, sta);
1639
1640 return 0;
1641 }
1642
1643
auth_sae_process_commit(void *eloop_ctx, void *user_ctx)1644 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1645 {
1646 struct hostapd_data *hapd = eloop_ctx;
1647 struct hostapd_sae_commit_queue *q;
1648 unsigned int queue_len;
1649
1650 q = dl_list_first(&hapd->sae_commit_queue,
1651 struct hostapd_sae_commit_queue, list);
1652 if (!q)
1653 return;
1654 wpa_printf(MSG_DEBUG,
1655 "SAE: Process next available message from queue");
1656 dl_list_del(&q->list);
1657 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1658 q->rssi, 1);
1659 os_free(q);
1660
1661 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1662 return;
1663 queue_len = dl_list_len(&hapd->sae_commit_queue);
1664 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1665 hapd, NULL);
1666 }
1667
1668
auth_sae_queue(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int rssi)1669 static void auth_sae_queue(struct hostapd_data *hapd,
1670 const struct ieee80211_mgmt *mgmt, size_t len,
1671 int rssi)
1672 {
1673 struct hostapd_sae_commit_queue *q, *q2;
1674 unsigned int queue_len;
1675 const struct ieee80211_mgmt *mgmt2;
1676
1677 queue_len = dl_list_len(&hapd->sae_commit_queue);
1678 if (queue_len >= 15) {
1679 wpa_printf(MSG_DEBUG,
1680 "SAE: No more room in message queue - drop the new frame from "
1681 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
1682 return;
1683 }
1684
1685 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1686 MACSTR_SEC " for processing (queue_len %u)", MAC2STR_SEC(mgmt->sa),
1687 queue_len);
1688 q = os_zalloc(sizeof(*q) + len);
1689 if (!q)
1690 return;
1691 q->rssi = rssi;
1692 q->len = len;
1693 os_memcpy(q->msg, mgmt, len);
1694
1695 /* Check whether there is already a queued Authentication frame from the
1696 * same station with the same transaction number and if so, replace that
1697 * queue entry with the new one. This avoids issues with a peer that
1698 * sends multiple times (e.g., due to frequent SAE retries). There is no
1699 * point in us trying to process the old attempts after a new one has
1700 * obsoleted them. */
1701 dl_list_for_each(q2, &hapd->sae_commit_queue,
1702 struct hostapd_sae_commit_queue, list) {
1703 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1704 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1705 mgmt->u.auth.auth_transaction ==
1706 mgmt2->u.auth.auth_transaction) {
1707 wpa_printf(MSG_DEBUG,
1708 "SAE: Replace queued message from same STA with same transaction number");
1709 dl_list_add(&q2->list, &q->list);
1710 dl_list_del(&q2->list);
1711 os_free(q2);
1712 goto queued;
1713 }
1714 }
1715
1716 /* No pending identical entry, so add to the end of the queue */
1717 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1718
1719 queued:
1720 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1721 return;
1722 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1723 hapd, NULL);
1724 }
1725
1726
auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)1727 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1728 {
1729 struct hostapd_sae_commit_queue *q;
1730 const struct ieee80211_mgmt *mgmt;
1731
1732 dl_list_for_each(q, &hapd->sae_commit_queue,
1733 struct hostapd_sae_commit_queue, list) {
1734 mgmt = (const struct ieee80211_mgmt *) q->msg;
1735 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1736 return 1;
1737 }
1738
1739 return 0;
1740 }
1741
1742 #endif /* CONFIG_SAE */
1743
1744
wpa_res_to_status_code(enum wpa_validate_result res)1745 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1746 {
1747 switch (res) {
1748 case WPA_IE_OK:
1749 return WLAN_STATUS_SUCCESS;
1750 case WPA_INVALID_IE:
1751 return WLAN_STATUS_INVALID_IE;
1752 case WPA_INVALID_GROUP:
1753 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1754 case WPA_INVALID_PAIRWISE:
1755 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1756 case WPA_INVALID_AKMP:
1757 return WLAN_STATUS_AKMP_NOT_VALID;
1758 case WPA_NOT_ENABLED:
1759 return WLAN_STATUS_INVALID_IE;
1760 case WPA_ALLOC_FAIL:
1761 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1762 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1763 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1764 case WPA_INVALID_MGMT_GROUP_CIPHER:
1765 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1766 case WPA_INVALID_MDIE:
1767 return WLAN_STATUS_INVALID_MDIE;
1768 case WPA_INVALID_PROTO:
1769 return WLAN_STATUS_INVALID_IE;
1770 case WPA_INVALID_PMKID:
1771 return WLAN_STATUS_INVALID_PMKID;
1772 case WPA_DENIED_OTHER_REASON:
1773 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1774 }
1775 return WLAN_STATUS_INVALID_IE;
1776 }
1777
1778
1779 #ifdef CONFIG_FILS
1780
1781 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1782 struct sta_info *sta, u16 resp,
1783 struct wpabuf *data, int pub);
1784
handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, const u8 *pos, size_t len, u16 auth_alg, u16 auth_transaction, u16 status_code, void (*cb)(struct hostapd_data *hapd, struct sta_info *sta, u16 resp, struct wpabuf *data, int pub))1785 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1786 const u8 *pos, size_t len, u16 auth_alg,
1787 u16 auth_transaction, u16 status_code,
1788 void (*cb)(struct hostapd_data *hapd,
1789 struct sta_info *sta, u16 resp,
1790 struct wpabuf *data, int pub))
1791 {
1792 u16 resp = WLAN_STATUS_SUCCESS;
1793 const u8 *end;
1794 struct ieee802_11_elems elems;
1795 enum wpa_validate_result res;
1796 struct wpa_ie_data rsn;
1797 struct rsn_pmksa_cache_entry *pmksa = NULL;
1798
1799 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1800 return;
1801
1802 end = pos + len;
1803
1804 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1805 pos, end - pos);
1806
1807 /* TODO: FILS PK */
1808 #ifdef CONFIG_FILS_SK_PFS
1809 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1810 u16 group;
1811 struct wpabuf *pub;
1812 size_t elem_len;
1813
1814 /* Using FILS PFS */
1815
1816 /* Finite Cyclic Group */
1817 if (end - pos < 2) {
1818 wpa_printf(MSG_DEBUG,
1819 "FILS: No room for Finite Cyclic Group");
1820 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1821 goto fail;
1822 }
1823 group = WPA_GET_LE16(pos);
1824 pos += 2;
1825 if (group != hapd->conf->fils_dh_group) {
1826 wpa_printf(MSG_DEBUG,
1827 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1828 group, hapd->conf->fils_dh_group);
1829 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1830 goto fail;
1831 }
1832
1833 crypto_ecdh_deinit(sta->fils_ecdh);
1834 sta->fils_ecdh = crypto_ecdh_init(group);
1835 if (!sta->fils_ecdh) {
1836 wpa_printf(MSG_INFO,
1837 "FILS: Could not initialize ECDH with group %d",
1838 group);
1839 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1840 goto fail;
1841 }
1842
1843 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1844 if (!pub) {
1845 wpa_printf(MSG_DEBUG,
1846 "FILS: Failed to derive ECDH public key");
1847 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1848 goto fail;
1849 }
1850 elem_len = wpabuf_len(pub);
1851 wpabuf_free(pub);
1852
1853 /* Element */
1854 if ((size_t) (end - pos) < elem_len) {
1855 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1856 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1857 goto fail;
1858 }
1859
1860 wpabuf_free(sta->fils_g_sta);
1861 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1862 wpabuf_clear_free(sta->fils_dh_ss);
1863 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1864 pos, elem_len);
1865 if (!sta->fils_dh_ss) {
1866 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1867 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1868 goto fail;
1869 }
1870 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1871 pos += elem_len;
1872 } else {
1873 crypto_ecdh_deinit(sta->fils_ecdh);
1874 sta->fils_ecdh = NULL;
1875 wpabuf_clear_free(sta->fils_dh_ss);
1876 sta->fils_dh_ss = NULL;
1877 }
1878 #endif /* CONFIG_FILS_SK_PFS */
1879
1880 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1881 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1882 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1883 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1884 goto fail;
1885 }
1886
1887 /* RSNE */
1888 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1889 elems.rsn_ie, elems.rsn_ie_len);
1890 if (!elems.rsn_ie ||
1891 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1892 &rsn) < 0) {
1893 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1894 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1895 goto fail;
1896 }
1897
1898 if (!sta->wpa_sm)
1899 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1900 NULL);
1901 if (!sta->wpa_sm) {
1902 wpa_printf(MSG_DEBUG,
1903 "FILS: Failed to initialize RSN state machine");
1904 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1905 goto fail;
1906 }
1907
1908 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1909 hapd->iface->freq,
1910 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1911 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1912 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1913 elems.mdie, elems.mdie_len, NULL, 0);
1914 resp = wpa_res_to_status_code(res);
1915 if (resp != WLAN_STATUS_SUCCESS)
1916 goto fail;
1917
1918 if (!elems.fils_nonce) {
1919 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1920 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1921 goto fail;
1922 }
1923 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1924 FILS_NONCE_LEN);
1925 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1926
1927 /* PMKID List */
1928 if (rsn.pmkid && rsn.num_pmkid > 0) {
1929 u8 num;
1930 const u8 *pmkid;
1931
1932 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1933 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1934
1935 pmkid = rsn.pmkid;
1936 num = rsn.num_pmkid;
1937 while (num) {
1938 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1939 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1940 pmkid);
1941 if (pmksa)
1942 break;
1943 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1944 sta->addr,
1945 pmkid);
1946 if (pmksa)
1947 break;
1948 pmkid += PMKID_LEN;
1949 num--;
1950 }
1951 }
1952 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1953 wpa_printf(MSG_DEBUG,
1954 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1955 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1956 pmksa = NULL;
1957 }
1958 if (pmksa)
1959 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1960
1961 /* FILS Session */
1962 if (!elems.fils_session) {
1963 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1964 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1965 goto fail;
1966 }
1967 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1968 FILS_SESSION_LEN);
1969 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1970
1971 /* Wrapped Data */
1972 if (elems.wrapped_data) {
1973 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1974 elems.wrapped_data,
1975 elems.wrapped_data_len);
1976 if (!pmksa) {
1977 #ifndef CONFIG_NO_RADIUS
1978 if (!sta->eapol_sm) {
1979 sta->eapol_sm =
1980 ieee802_1x_alloc_eapol_sm(hapd, sta);
1981 }
1982 wpa_printf(MSG_DEBUG,
1983 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1984 ieee802_1x_encapsulate_radius(
1985 hapd, sta, elems.wrapped_data,
1986 elems.wrapped_data_len);
1987 sta->fils_pending_cb = cb;
1988 wpa_printf(MSG_DEBUG,
1989 "FILS: Will send Authentication frame once the response from authentication server is available");
1990 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1991 /* Calculate pending PMKID here so that we do not need
1992 * to maintain a copy of the EAP-Initiate/Reauth
1993 * message. */
1994 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1995 elems.wrapped_data,
1996 elems.wrapped_data_len,
1997 sta->fils_erp_pmkid) == 0)
1998 sta->fils_erp_pmkid_set = 1;
1999 return;
2000 #else /* CONFIG_NO_RADIUS */
2001 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2002 goto fail;
2003 #endif /* CONFIG_NO_RADIUS */
2004 }
2005 }
2006
2007 fail:
2008 if (cb) {
2009 struct wpabuf *data;
2010 int pub = 0;
2011
2012 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2013 NULL, 0, &pub);
2014 if (!data) {
2015 wpa_printf(MSG_DEBUG,
2016 "%s: prepare_auth_resp_fils() returned failure",
2017 __func__);
2018 }
2019
2020 cb(hapd, sta, resp, data, pub);
2021 }
2022 }
2023
2024
2025 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data *hapd, struct sta_info *sta, u16 *resp, struct rsn_pmksa_cache_entry *pmksa, struct wpabuf *erp_resp, const u8 *msk, size_t msk_len, int *is_pub)2026 prepare_auth_resp_fils(struct hostapd_data *hapd,
2027 struct sta_info *sta, u16 *resp,
2028 struct rsn_pmksa_cache_entry *pmksa,
2029 struct wpabuf *erp_resp,
2030 const u8 *msk, size_t msk_len,
2031 int *is_pub)
2032 {
2033 u8 fils_nonce[FILS_NONCE_LEN];
2034 size_t ielen;
2035 struct wpabuf *data = NULL;
2036 const u8 *ie;
2037 u8 *ie_buf = NULL;
2038 const u8 *pmk = NULL;
2039 size_t pmk_len = 0;
2040 u8 pmk_buf[PMK_LEN_MAX];
2041 struct wpabuf *pub = NULL;
2042
2043 if (*resp != WLAN_STATUS_SUCCESS)
2044 goto fail;
2045
2046 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2047 if (!ie) {
2048 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2049 goto fail;
2050 }
2051
2052 if (pmksa) {
2053 /* Add PMKID of the selected PMKSA into RSNE */
2054 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2055 if (!ie_buf) {
2056 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2057 goto fail;
2058 }
2059
2060 os_memcpy(ie_buf, ie, ielen);
2061 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2062 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2063 goto fail;
2064 }
2065 ie = ie_buf;
2066 }
2067
2068 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2069 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2070 goto fail;
2071 }
2072 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2073 fils_nonce, FILS_NONCE_LEN);
2074
2075 #ifdef CONFIG_FILS_SK_PFS
2076 if (sta->fils_dh_ss && sta->fils_ecdh) {
2077 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2078 if (!pub) {
2079 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2080 goto fail;
2081 }
2082 }
2083 #endif /* CONFIG_FILS_SK_PFS */
2084
2085 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2086 if (!data) {
2087 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2088 goto fail;
2089 }
2090
2091 /* TODO: FILS PK */
2092 #ifdef CONFIG_FILS_SK_PFS
2093 if (pub) {
2094 /* Finite Cyclic Group */
2095 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2096
2097 /* Element */
2098 wpabuf_put_buf(data, pub);
2099 }
2100 #endif /* CONFIG_FILS_SK_PFS */
2101
2102 /* RSNE */
2103 wpabuf_put_data(data, ie, ielen);
2104
2105 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2106
2107 #ifdef CONFIG_IEEE80211R_AP
2108 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2109 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2110 int res;
2111 int use_sha384 = wpa_key_mgmt_sha384(
2112 wpa_auth_sta_key_mgmt(sta->wpa_sm));
2113
2114 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2115 wpabuf_put(data, 0),
2116 wpabuf_tailroom(data));
2117 if (res < 0) {
2118 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2119 goto fail;
2120 }
2121 wpabuf_put(data, res);
2122 }
2123 #endif /* CONFIG_IEEE80211R_AP */
2124
2125 /* FILS Nonce */
2126 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2127 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2128 /* Element ID Extension */
2129 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2130 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2131
2132 /* FILS Session */
2133 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2134 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2135 /* Element ID Extension */
2136 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2137 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2138
2139 /* Wrapped Data */
2140 if (!pmksa && erp_resp) {
2141 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2142 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2143 /* Element ID Extension */
2144 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2145 wpabuf_put_buf(data, erp_resp);
2146
2147 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2148 msk, msk_len, sta->fils_snonce, fils_nonce,
2149 sta->fils_dh_ss ?
2150 wpabuf_head(sta->fils_dh_ss) : NULL,
2151 sta->fils_dh_ss ?
2152 wpabuf_len(sta->fils_dh_ss) : 0,
2153 pmk_buf, &pmk_len)) {
2154 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2155 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2156 wpabuf_free(data);
2157 data = NULL;
2158 goto fail;
2159 }
2160 pmk = pmk_buf;
2161
2162 /* Don't use DHss in PTK derivation if PMKSA caching is not
2163 * used. */
2164 wpabuf_clear_free(sta->fils_dh_ss);
2165 sta->fils_dh_ss = NULL;
2166
2167 if (sta->fils_erp_pmkid_set) {
2168 /* TODO: get PMKLifetime from WPA parameters */
2169 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2170 int session_timeout;
2171
2172 session_timeout = dot11RSNAConfigPMKLifetime;
2173 if (sta->session_timeout_set) {
2174 struct os_reltime now, diff;
2175
2176 os_get_reltime(&now);
2177 os_reltime_sub(&sta->session_timeout, &now,
2178 &diff);
2179 session_timeout = diff.sec;
2180 }
2181
2182 sta->fils_erp_pmkid_set = 0;
2183 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2184 sta->fils_erp_pmkid);
2185 if (!hapd->conf->disable_pmksa_caching &&
2186 wpa_auth_pmksa_add2(
2187 hapd->wpa_auth, sta->addr,
2188 pmk, pmk_len,
2189 sta->fils_erp_pmkid,
2190 session_timeout,
2191 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2192 wpa_printf(MSG_ERROR,
2193 "FILS: Failed to add PMKSA cache entry based on ERP");
2194 }
2195 }
2196 } else if (pmksa) {
2197 pmk = pmksa->pmk;
2198 pmk_len = pmksa->pmk_len;
2199 }
2200
2201 if (!pmk) {
2202 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2203 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2204 wpabuf_free(data);
2205 data = NULL;
2206 goto fail;
2207 }
2208
2209 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2210 sta->fils_snonce, fils_nonce,
2211 sta->fils_dh_ss ?
2212 wpabuf_head(sta->fils_dh_ss) : NULL,
2213 sta->fils_dh_ss ?
2214 wpabuf_len(sta->fils_dh_ss) : 0,
2215 sta->fils_g_sta, pub) < 0) {
2216 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2217 wpabuf_free(data);
2218 data = NULL;
2219 goto fail;
2220 }
2221
2222 fail:
2223 if (is_pub)
2224 *is_pub = pub != NULL;
2225 os_free(ie_buf);
2226 wpabuf_free(pub);
2227 wpabuf_clear_free(sta->fils_dh_ss);
2228 sta->fils_dh_ss = NULL;
2229 #ifdef CONFIG_FILS_SK_PFS
2230 crypto_ecdh_deinit(sta->fils_ecdh);
2231 sta->fils_ecdh = NULL;
2232 #endif /* CONFIG_FILS_SK_PFS */
2233 return data;
2234 }
2235
2236
handle_auth_fils_finish(struct hostapd_data *hapd, struct sta_info *sta, u16 resp, struct wpabuf *data, int pub)2237 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2238 struct sta_info *sta, u16 resp,
2239 struct wpabuf *data, int pub)
2240 {
2241 u16 auth_alg;
2242
2243 auth_alg = (pub ||
2244 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2245 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2246 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2247 data ? wpabuf_head(data) : (u8 *) "",
2248 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2249 wpabuf_free(data);
2250
2251 if (resp == WLAN_STATUS_SUCCESS) {
2252 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2253 HOSTAPD_LEVEL_DEBUG,
2254 "authentication OK (FILS)");
2255 sta->flags |= WLAN_STA_AUTH;
2256 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2257 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2258 mlme_authenticate_indication(hapd, sta);
2259 }
2260 }
2261
2262
ieee802_11_finish_fils_auth(struct hostapd_data *hapd, struct sta_info *sta, int success, struct wpabuf *erp_resp, const u8 *msk, size_t msk_len)2263 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2264 struct sta_info *sta, int success,
2265 struct wpabuf *erp_resp,
2266 const u8 *msk, size_t msk_len)
2267 {
2268 u16 resp;
2269 u32 flags = sta->flags;
2270
2271 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2272 WLAN_STA_PENDING_PASN_FILS_ERP);
2273
2274 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2275
2276 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2277 struct wpabuf *data;
2278 int pub = 0;
2279
2280 if (!sta->fils_pending_cb)
2281 return;
2282
2283 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2284 msk, msk_len, &pub);
2285 if (!data) {
2286 wpa_printf(MSG_DEBUG,
2287 "%s: prepare_auth_resp_fils() failure",
2288 __func__);
2289 }
2290 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2291 #ifdef CONFIG_PASN
2292 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2293 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2294 msk, msk_len);
2295 #endif /* CONFIG_PASN */
2296 }
2297 }
2298
2299 #endif /* CONFIG_FILS */
2300
2301
ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr, const u8 *msg, size_t len, struct radius_sta *info)2302 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2303 const u8 *msg, size_t len,
2304 struct radius_sta *info)
2305 {
2306 int res;
2307
2308 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2309
2310 if (res == HOSTAPD_ACL_REJECT) {
2311 wpa_printf(MSG_DEBUG, "Station " MACSTR_SEC
2312 " not allowed to authenticate",
2313 MAC2STR_SEC(addr));
2314 return HOSTAPD_ACL_REJECT;
2315 }
2316
2317 if (res == HOSTAPD_ACL_PENDING) {
2318 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR_SEC
2319 " waiting for an external authentication",
2320 MAC2STR_SEC(addr));
2321 /* Authentication code will re-send the authentication frame
2322 * after it has received (and cached) information from the
2323 * external source. */
2324 return HOSTAPD_ACL_PENDING;
2325 }
2326
2327 return res;
2328 }
2329
2330
2331 static int
ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, int res, struct radius_sta *info)2332 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2333 int res, struct radius_sta *info)
2334 {
2335 u32 session_timeout = info->session_timeout;
2336 u32 acct_interim_interval = info->acct_interim_interval;
2337 struct vlan_description *vlan_id = &info->vlan_id;
2338 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2339 char *identity = info->identity;
2340 char *radius_cui = info->radius_cui;
2341
2342 if (vlan_id->notempty &&
2343 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2344 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2345 HOSTAPD_LEVEL_INFO,
2346 "Invalid VLAN %d%s received from RADIUS server",
2347 vlan_id->untagged,
2348 vlan_id->tagged[0] ? "+" : "");
2349 return -1;
2350 }
2351 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2352 return -1;
2353 if (sta->vlan_id)
2354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2355 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2356
2357 hostapd_free_psk_list(sta->psk);
2358 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2359 hostapd_copy_psk_list(&sta->psk, psk);
2360 else
2361 sta->psk = NULL;
2362
2363 os_free(sta->identity);
2364 if (identity)
2365 sta->identity = os_strdup(identity);
2366 else
2367 sta->identity = NULL;
2368
2369 os_free(sta->radius_cui);
2370 if (radius_cui)
2371 sta->radius_cui = os_strdup(radius_cui);
2372 else
2373 sta->radius_cui = NULL;
2374
2375 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2376 sta->acct_interim_interval = acct_interim_interval;
2377 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2378 sta->session_timeout_set = 1;
2379 os_get_reltime(&sta->session_timeout);
2380 sta->session_timeout.sec += session_timeout;
2381 ap_sta_session_timeout(hapd, sta, session_timeout);
2382 } else {
2383 sta->session_timeout_set = 0;
2384 ap_sta_no_session_timeout(hapd, sta);
2385 }
2386
2387 return 0;
2388 }
2389
2390
2391 #ifdef CONFIG_PASN
2392 #ifdef CONFIG_SAE
2393
pasn_wd_handle_sae_commit(struct hostapd_data *hapd, struct sta_info *sta, struct wpabuf *wd)2394 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2395 struct sta_info *sta,
2396 struct wpabuf *wd)
2397 {
2398 struct pasn_data *pasn = sta->pasn;
2399 const char *password;
2400 const u8 *data;
2401 size_t buf_len;
2402 u16 res, alg, seq, status;
2403 int groups[] = { pasn->group, 0 };
2404 struct sae_pt *pt = NULL;
2405 int ret;
2406
2407 if (!wd)
2408 return -1;
2409
2410 data = wpabuf_head_u8(wd);
2411 buf_len = wpabuf_len(wd);
2412
2413 if (buf_len < 6) {
2414 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2415 buf_len);
2416 return -1;
2417 }
2418
2419 alg = WPA_GET_LE16(data);
2420 seq = WPA_GET_LE16(data + 2);
2421 status = WPA_GET_LE16(data + 4);
2422
2423 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2424 alg, seq, status);
2425
2426 if (alg != WLAN_AUTH_SAE || seq != 1 ||
2427 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
2428 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2429 return -1;
2430 }
2431
2432 sae_clear_data(&pasn->sae);
2433 pasn->sae.state = SAE_NOTHING;
2434
2435 ret = sae_set_group(&pasn->sae, pasn->group);
2436 if (ret) {
2437 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2438 return -1;
2439 }
2440
2441 password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL);
2442 if (!password || !pt) {
2443 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
2444 return -1;
2445 }
2446
2447 ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr,
2448 NULL, NULL);
2449 if (ret) {
2450 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2451 return -1;
2452 }
2453
2454 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2455 groups, 0
2456 #ifdef CONFIG_MLD_PATCH
2457 , NULL
2458 #endif
2459 );
2460 if (res != WLAN_STATUS_SUCCESS) {
2461 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2462 return -1;
2463 }
2464
2465 /* Process the commit message and derive the PMK */
2466 ret = sae_process_commit(&pasn->sae);
2467 if (ret) {
2468 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2469 return -1;
2470 }
2471
2472 pasn->sae.state = SAE_COMMITTED;
2473
2474 return 0;
2475 }
2476
2477
pasn_wd_handle_sae_confirm(struct hostapd_data *hapd, struct sta_info *sta, struct wpabuf *wd)2478 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2479 struct sta_info *sta,
2480 struct wpabuf *wd)
2481 {
2482 struct pasn_data *pasn = sta->pasn;
2483 const u8 *data;
2484 size_t buf_len;
2485 u16 res, alg, seq, status;
2486
2487 if (!wd)
2488 return -1;
2489
2490 data = wpabuf_head_u8(wd);
2491 buf_len = wpabuf_len(wd);
2492
2493 if (buf_len < 6) {
2494 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2495 buf_len);
2496 return -1;
2497 }
2498
2499 alg = WPA_GET_LE16(data);
2500 seq = WPA_GET_LE16(data + 2);
2501 status = WPA_GET_LE16(data + 4);
2502
2503 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2504 alg, seq, status);
2505
2506 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2507 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2508 return -1;
2509 }
2510
2511 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6
2512 #ifdef CONFIG_MLD_PATCH
2513 , NULL
2514 #endif
2515 );
2516 if (res != WLAN_STATUS_SUCCESS) {
2517 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2518 return -1;
2519 }
2520
2521 pasn->sae.state = SAE_ACCEPTED;
2522
2523 /*
2524 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2525 * PASN/SAE should only be allowed with future PASN only. For now do not
2526 * restrict this only for PASN.
2527 */
2528 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2529 pasn->sae.pmk, pasn->sae.pmk_len,
2530 pasn->sae.pmkid, pasn->sae.akmp);
2531 return 0;
2532 }
2533
2534
pasn_get_sae_wd(struct hostapd_data *hapd, struct sta_info *sta)2535 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2536 struct sta_info *sta)
2537 {
2538 struct pasn_data *pasn = sta->pasn;
2539 struct wpabuf *buf = NULL;
2540 u8 *len_ptr;
2541 size_t len;
2542
2543 /* Need to add the entire Authentication frame body */
2544 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2545 if (!buf) {
2546 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2547 return NULL;
2548 }
2549
2550 /* Need to add the entire authentication frame body for the commit */
2551 len_ptr = wpabuf_put(buf, 2);
2552 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2553 wpabuf_put_le16(buf, 1);
2554 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
2555
2556 /* Write the actual commit and update the length accordingly */
2557 sae_write_commit(&pasn->sae, buf, NULL, 0);
2558 len = wpabuf_len(buf);
2559 WPA_PUT_LE16(len_ptr, len - 2);
2560
2561 /* Need to add the entire Authentication frame body for the confirm */
2562 len_ptr = wpabuf_put(buf, 2);
2563 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2564 wpabuf_put_le16(buf, 2);
2565 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2566
2567 sae_write_confirm(&pasn->sae, buf);
2568 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2569
2570 pasn->sae.state = SAE_CONFIRMED;
2571
2572 return buf;
2573 }
2574
2575 #endif /* CONFIG_SAE */
2576
2577
2578 #ifdef CONFIG_FILS
2579
pasn_get_fils_wd(struct hostapd_data *hapd, struct sta_info *sta)2580 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2581 struct sta_info *sta)
2582 {
2583 struct pasn_data *pasn = sta->pasn;
2584 struct pasn_fils_data *fils = &pasn->fils;
2585 struct wpabuf *buf = NULL;
2586
2587 if (!fils->erp_resp) {
2588 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2589 return NULL;
2590 }
2591
2592 buf = wpabuf_alloc(1500);
2593 if (!buf)
2594 return NULL;
2595
2596 /* Add the authentication algorithm */
2597 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2598
2599 /* Authentication Transaction seq# */
2600 wpabuf_put_le16(buf, 2);
2601
2602 /* Status Code */
2603 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2604
2605 /* Own RSNE */
2606 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2607
2608 /* FILS Nonce */
2609 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2610 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2611 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2612 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2613
2614 /* FILS Session */
2615 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2616 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2617 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2618 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2619
2620 /* Wrapped Data */
2621 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2622 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2623 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2624 wpabuf_put_buf(buf, fils->erp_resp);
2625
2626 return buf;
2627 }
2628
2629
pasn_fils_auth_resp(struct hostapd_data *hapd, struct sta_info *sta, u16 status, struct wpabuf *erp_resp, const u8 *msk, size_t msk_len)2630 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2631 struct sta_info *sta, u16 status,
2632 struct wpabuf *erp_resp,
2633 const u8 *msk, size_t msk_len)
2634 {
2635 struct pasn_data *pasn = sta->pasn;
2636 struct pasn_fils_data *fils = &pasn->fils;
2637 u8 pmk[PMK_LEN_MAX];
2638 size_t pmk_len;
2639 int ret;
2640
2641 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2642 status);
2643
2644 if (status != WLAN_STATUS_SUCCESS)
2645 goto fail;
2646
2647 if (!pasn->secret) {
2648 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2649 goto fail;
2650 }
2651
2652 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2653 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2654 goto fail;
2655 }
2656
2657 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2658 fils->anonce, FILS_NONCE_LEN);
2659
2660 ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2661 fils->anonce, NULL, 0, pmk, &pmk_len);
2662 if (ret) {
2663 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2664 goto fail;
2665 }
2666
2667 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2668 wpabuf_head(pasn->secret),
2669 wpabuf_len(pasn->secret),
2670 &sta->pasn->ptk, sta->pasn->akmp,
2671 sta->pasn->cipher, sta->pasn->kdk_len);
2672 if (ret) {
2673 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2674 goto fail;
2675 }
2676
2677 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2678
2679 wpabuf_free(pasn->secret);
2680 pasn->secret = NULL;
2681
2682 fils->erp_resp = erp_resp;
2683 ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2684 fils->erp_resp = NULL;
2685
2686 if (ret) {
2687 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2688 goto fail;
2689 }
2690
2691 fils->state = PASN_FILS_STATE_COMPLETE;
2692 return;
2693 fail:
2694 ap_free_sta(hapd, sta);
2695 }
2696
2697
pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta, struct wpabuf *wd)2698 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2699 struct wpabuf *wd)
2700 {
2701 #ifdef CONFIG_NO_RADIUS
2702 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2703 return -1;
2704 #else /* CONFIG_NO_RADIUS */
2705 struct pasn_data *pasn = sta->pasn;
2706 struct pasn_fils_data *fils = &pasn->fils;
2707 struct ieee802_11_elems elems;
2708 struct wpa_ie_data rsne_data;
2709 struct wpabuf *fils_wd;
2710 const u8 *data;
2711 size_t buf_len;
2712 u16 alg, seq, status;
2713 int ret;
2714
2715 if (fils->state != PASN_FILS_STATE_NONE) {
2716 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2717 return -1;
2718 }
2719
2720 if (!wd) {
2721 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2722 return -1;
2723 }
2724
2725 data = wpabuf_head_u8(wd);
2726 buf_len = wpabuf_len(wd);
2727
2728 if (buf_len < 6) {
2729 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2730 buf_len);
2731 return -1;
2732 }
2733
2734 alg = WPA_GET_LE16(data);
2735 seq = WPA_GET_LE16(data + 2);
2736 status = WPA_GET_LE16(data + 4);
2737
2738 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2739 alg, seq, status);
2740
2741 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2742 status != WLAN_STATUS_SUCCESS) {
2743 wpa_printf(MSG_DEBUG,
2744 "PASN: FILS: Dropping peer authentication");
2745 return -1;
2746 }
2747
2748 data += 6;
2749 buf_len -= 6;
2750
2751 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2752 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2753 return -1;
2754 }
2755
2756 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2757 !elems.wrapped_data) {
2758 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2759 return -1;
2760 }
2761
2762 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2763 &rsne_data);
2764 if (ret) {
2765 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2766 return -1;
2767 }
2768
2769 ret = wpa_pasn_validate_rsne(&rsne_data);
2770 if (ret) {
2771 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2772 return -1;
2773 }
2774
2775 if (rsne_data.num_pmkid) {
2776 wpa_printf(MSG_DEBUG,
2777 "PASN: FILS: Not expecting PMKID in RSNE");
2778 return -1;
2779 }
2780
2781 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2782 FILS_NONCE_LEN);
2783 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2784
2785 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2786 FILS_SESSION_LEN);
2787 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2788
2789 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2790 WLAN_EID_EXT_WRAPPED_DATA);
2791
2792 if (!fils_wd) {
2793 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2794 return -1;
2795 }
2796
2797 if (!sta->eapol_sm)
2798 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2799
2800 wpa_printf(MSG_DEBUG,
2801 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2802
2803 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2804 wpabuf_len(fils_wd));
2805
2806 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2807
2808 fils->state = PASN_FILS_STATE_PENDING_AS;
2809
2810 /*
2811 * Calculate pending PMKID here so that we do not need to maintain a
2812 * copy of the EAP-Initiate/Reautt message.
2813 */
2814 fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2815 fils->erp_pmkid);
2816
2817 wpabuf_free(fils_wd);
2818 return 0;
2819 #endif /* CONFIG_NO_RADIUS */
2820 }
2821
2822 #endif /* CONFIG_FILS */
2823
2824
pasn_get_wrapped_data(struct hostapd_data *hapd, struct sta_info *sta)2825 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2826 struct sta_info *sta)
2827 {
2828 switch (sta->pasn->akmp) {
2829 case WPA_KEY_MGMT_PASN:
2830 /* no wrapped data */
2831 return NULL;
2832 case WPA_KEY_MGMT_SAE:
2833 #ifdef CONFIG_SAE
2834 return pasn_get_sae_wd(hapd, sta);
2835 #else /* CONFIG_SAE */
2836 wpa_printf(MSG_ERROR,
2837 "PASN: SAE: Cannot derive wrapped data");
2838 return NULL;
2839 #endif /* CONFIG_SAE */
2840 case WPA_KEY_MGMT_FILS_SHA256:
2841 case WPA_KEY_MGMT_FILS_SHA384:
2842 #ifdef CONFIG_FILS
2843 return pasn_get_fils_wd(hapd, sta);
2844 #endif /* CONFIG_FILS */
2845 /* fall through */
2846 case WPA_KEY_MGMT_FT_PSK:
2847 case WPA_KEY_MGMT_FT_IEEE8021X:
2848 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2849 default:
2850 wpa_printf(MSG_ERROR,
2851 "PASN: TODO: Wrapped data for akmp=0x%x",
2852 sta->pasn->akmp);
2853 return NULL;
2854 }
2855 }
2856
2857
2858 static int
pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta, const u8 *cached_pmk, size_t cached_pmk_len, struct wpa_pasn_params_data *pasn_data, struct wpabuf *wrapped_data, struct wpabuf *secret)2859 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2860 const u8 *cached_pmk, size_t cached_pmk_len,
2861 struct wpa_pasn_params_data *pasn_data,
2862 struct wpabuf *wrapped_data,
2863 struct wpabuf *secret)
2864 {
2865 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2866 u8 pmk[PMK_LEN_MAX];
2867 u8 pmk_len;
2868 int ret;
2869
2870 os_memset(pmk, 0, sizeof(pmk));
2871 pmk_len = 0;
2872
2873 if (!cached_pmk || !cached_pmk_len)
2874 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2875
2876 if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2877 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2878
2879 pmk_len = WPA_PASN_PMK_LEN;
2880 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2881 } else if (cached_pmk && cached_pmk_len) {
2882 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2883
2884 pmk_len = cached_pmk_len;
2885 os_memcpy(pmk, cached_pmk, cached_pmk_len);
2886 } else {
2887 switch (sta->pasn->akmp) {
2888 #ifdef CONFIG_SAE
2889 case WPA_KEY_MGMT_SAE:
2890 if (sta->pasn->sae.state == SAE_COMMITTED) {
2891 pmk_len = PMK_LEN;
2892 os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2893 break;
2894 }
2895 #endif /* CONFIG_SAE */
2896 /* fall through */
2897 default:
2898 /* TODO: Derive PMK based on wrapped data */
2899 wpa_printf(MSG_DEBUG,
2900 "PASN: Missing PMK derivation");
2901 return -1;
2902 }
2903 }
2904
2905 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2906 wpabuf_head(secret), wpabuf_len(secret),
2907 &sta->pasn->ptk, sta->pasn->akmp,
2908 sta->pasn->cipher, sta->pasn->kdk_len);
2909 if (ret) {
2910 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2911 return -1;
2912 }
2913
2914 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2915 return 0;
2916 }
2917
2918
handle_auth_pasn_comeback(struct hostapd_data *hapd, struct sta_info *sta, u16 group)2919 static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
2920 struct sta_info *sta, u16 group)
2921 {
2922 struct wpabuf *buf, *comeback;
2923 int ret;
2924
2925 wpa_printf(MSG_DEBUG,
2926 "PASN: Building comeback frame 2. Comeback after=%u",
2927 hapd->conf->pasn_comeback_after);
2928
2929 buf = wpabuf_alloc(1500);
2930 if (!buf)
2931 return;
2932
2933 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2934 sta->addr, 2,
2935 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
2936
2937 /*
2938 * Do not include the group as a part of the token since it is not going
2939 * to be used.
2940 */
2941 comeback = auth_build_token_req(hapd, 0, sta->addr, 0);
2942 if (!comeback) {
2943 wpa_printf(MSG_DEBUG,
2944 "PASN: Failed sending auth with comeback");
2945 wpabuf_free(buf);
2946 return;
2947 }
2948
2949 wpa_pasn_add_parameter_ie(buf, group,
2950 WPA_PASN_WRAPPED_DATA_NO,
2951 NULL, 0, comeback,
2952 hapd->conf->pasn_comeback_after);
2953 wpabuf_free(comeback);
2954
2955 wpa_printf(MSG_DEBUG,
2956 "PASN: comeback: STA=" MACSTR_SEC, MAC2STR_SEC(sta->addr));
2957
2958 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2959 NULL, 0, 0);
2960 if (ret)
2961 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
2962
2963 wpabuf_free(buf);
2964 }
2965
2966
handle_auth_pasn_resp(struct hostapd_data *hapd, struct sta_info *sta, struct rsn_pmksa_cache_entry *pmksa, u16 status)2967 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2968 struct sta_info *sta,
2969 struct rsn_pmksa_cache_entry *pmksa,
2970 u16 status)
2971 {
2972 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2973 u8 mic[WPA_PASN_MAX_MIC_LEN];
2974 u8 mic_len;
2975 u8 *ptr;
2976 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2977 u8 *data_buf = NULL;
2978 size_t rsn_ie_len, frame_len, data_len;
2979 int ret;
2980 const u8 *pmkid = NULL;
2981
2982 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2983
2984 buf = wpabuf_alloc(1500);
2985 if (!buf)
2986 goto fail;
2987
2988 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2989 sta->addr, 2, status);
2990
2991 if (status != WLAN_STATUS_SUCCESS)
2992 goto done;
2993
2994 if (pmksa) {
2995 pmkid = pmksa->pmkid;
2996 #ifdef CONFIG_SAE
2997 } else if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
2998 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
2999 pmkid = sta->pasn->sae.pmkid;
3000 #endif /* CONFIG_SAE */
3001 #ifdef CONFIG_FILS
3002 } else if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3003 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3004 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
3005 pmkid = sta->pasn->fils.erp_pmkid;
3006 #endif /* CONFIG_FILS */
3007 }
3008
3009 if (wpa_pasn_add_rsne(buf, pmkid,
3010 sta->pasn->akmp, sta->pasn->cipher) < 0)
3011 goto fail;
3012
3013 /* No need to derive PMK if PMKSA is given */
3014 if (!pmksa)
3015 wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
3016 else
3017 sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
3018
3019 /* Get public key */
3020 pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
3021 pubkey = wpabuf_zeropad(pubkey,
3022 crypto_ecdh_prime_len(sta->pasn->ecdh));
3023 if (!pubkey) {
3024 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
3025 goto fail;
3026 }
3027
3028 wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
3029 sta->pasn->wrapped_data_format,
3030 pubkey, true, NULL, 0);
3031
3032 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
3033 goto fail;
3034
3035 wpabuf_free(wrapped_data_buf);
3036 wrapped_data_buf = NULL;
3037 wpabuf_free(pubkey);
3038 pubkey = NULL;
3039
3040 /* Add RSNXE if needed */
3041 rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
3042 if (rsnxe_ie)
3043 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
3044
3045 /* Add the mic */
3046 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3047 wpabuf_put_u8(buf, WLAN_EID_MIC);
3048 wpabuf_put_u8(buf, mic_len);
3049 ptr = wpabuf_put(buf, mic_len);
3050
3051 os_memset(ptr, 0, mic_len);
3052
3053 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
3054 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
3055
3056 rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
3057 if (!rsn_ie || !rsn_ie_len)
3058 goto fail;
3059
3060 /*
3061 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
3062 * MDE, etc. Thus, do not use the returned length but instead use the
3063 * length specified in the IE header.
3064 */
3065 data_len = rsn_ie[1] + 2;
3066 if (rsnxe_ie) {
3067 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
3068 if (!data_buf)
3069 goto fail;
3070
3071 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
3072 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
3073 data_len += rsnxe_ie[1] + 2;
3074 data = data_buf;
3075 } else {
3076 data = rsn_ie;
3077 }
3078
3079 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3080 hapd->own_addr, sta->addr, data, data_len,
3081 frame, frame_len, mic);
3082 os_free(data_buf);
3083 if (ret) {
3084 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
3085 goto fail;
3086 }
3087
3088 #ifdef CONFIG_TESTING_OPTIONS
3089 if (hapd->conf->pasn_corrupt_mic) {
3090 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
3091 mic[0] = ~mic[0];
3092 }
3093 #endif /* CONFIG_TESTING_OPTIONS */
3094
3095 os_memcpy(ptr, mic, mic_len);
3096
3097 done:
3098 wpa_printf(MSG_DEBUG,
3099 "PASN: Building frame 2: success; resp STA=" MACSTR_SEC,
3100 MAC2STR_SEC(sta->addr));
3101
3102 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
3103 NULL, 0, 0);
3104 if (ret)
3105 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
3106
3107 wpabuf_free(buf);
3108 return ret;
3109 fail:
3110 wpabuf_free(wrapped_data_buf);
3111 wpabuf_free(pubkey);
3112 wpabuf_free(buf);
3113 return -1;
3114 }
3115
3116
handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta, const struct ieee80211_mgmt *mgmt, size_t len)3117 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3118 const struct ieee80211_mgmt *mgmt, size_t len)
3119 {
3120 struct ieee802_11_elems elems;
3121 struct wpa_ie_data rsn_data;
3122 struct wpa_pasn_params_data pasn_params;
3123 struct rsn_pmksa_cache_entry *pmksa = NULL;
3124 const u8 *cached_pmk = NULL;
3125 size_t cached_pmk_len = 0;
3126 #ifdef CONFIG_IEEE80211R_AP
3127 u8 pmk_r1[PMK_LEN_MAX];
3128 size_t pmk_r1_len;
3129 #endif /* CONFIG_IEEE80211R_AP */
3130 struct wpabuf *wrapped_data = NULL, *secret = NULL;
3131 const int *groups = hapd->conf->pasn_groups;
3132 static const int default_groups[] = { 19, 0 };
3133 u16 status = WLAN_STATUS_SUCCESS;
3134 int ret, inc_y;
3135 bool derive_keys;
3136 u32 i;
3137
3138 if (!groups)
3139 groups = default_groups;
3140
3141 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3142 len - offsetof(struct ieee80211_mgmt,
3143 u.auth.variable),
3144 &elems, 0) == ParseFailed) {
3145 wpa_printf(MSG_DEBUG,
3146 "PASN: Failed parsing Authentication frame");
3147 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3148 goto send_resp;
3149 }
3150
3151 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3152 &rsn_data);
3153 if (ret) {
3154 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3155 status = WLAN_STATUS_INVALID_RSNIE;
3156 goto send_resp;
3157 }
3158
3159 ret = wpa_pasn_validate_rsne(&rsn_data);
3160 if (ret) {
3161 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3162 status = WLAN_STATUS_INVALID_RSNIE;
3163 goto send_resp;
3164 }
3165
3166 if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3167 !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3168 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3169 status = WLAN_STATUS_INVALID_RSNIE;
3170 goto send_resp;
3171 }
3172
3173 sta->pasn->akmp = rsn_data.key_mgmt;
3174 sta->pasn->cipher = rsn_data.pairwise_cipher;
3175
3176 if (hapd->conf->force_kdk_derivation ||
3177 ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
3178 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
3179 WLAN_RSNX_CAPAB_SECURE_LTF)))
3180 sta->pasn->kdk_len = WPA_KDK_MAX_LEN;
3181 else
3182 sta->pasn->kdk_len = 0;
3183 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len);
3184
3185 if (!elems.pasn_params || !elems.pasn_params_len) {
3186 wpa_printf(MSG_DEBUG,
3187 "PASN: No PASN Parameters element found");
3188 status = WLAN_STATUS_INVALID_PARAMETERS;
3189 goto send_resp;
3190 }
3191
3192 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3193 elems.pasn_params_len + 3,
3194 false, &pasn_params);
3195 if (ret) {
3196 wpa_printf(MSG_DEBUG,
3197 "PASN: Failed validation of PASN Parameters IE");
3198 status = WLAN_STATUS_INVALID_PARAMETERS;
3199 goto send_resp;
3200 }
3201
3202 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3203 ;
3204
3205 if (!pasn_params.group || groups[i] != pasn_params.group) {
3206 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3207 pasn_params.group);
3208 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3209 goto send_resp;
3210 }
3211
3212 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3213 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3214 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3215 goto send_resp;
3216 }
3217
3218 if (pasn_params.comeback) {
3219 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
3220
3221 ret = check_comeback_token(hapd, sta->addr,
3222 pasn_params.comeback,
3223 pasn_params.comeback_len);
3224
3225 if (ret) {
3226 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
3227 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3228 goto send_resp;
3229 }
3230 } else if (use_anti_clogging(hapd)) {
3231 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
3232 handle_auth_pasn_comeback(hapd, sta, pasn_params.group);
3233 ap_free_sta(hapd, sta);
3234 return;
3235 }
3236
3237 sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3238 if (!sta->pasn->ecdh) {
3239 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3240 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3241 goto send_resp;
3242 }
3243
3244 sta->pasn->group = pasn_params.group;
3245
3246 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
3247 inc_y = 1;
3248 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
3249 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
3250 inc_y = 0;
3251 } else {
3252 wpa_printf(MSG_DEBUG,
3253 "PASN: Invalid first octet in pubkey=0x%x",
3254 pasn_params.pubkey[0]);
3255 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3256 goto send_resp;
3257 }
3258
3259 secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, inc_y,
3260 pasn_params.pubkey + 1,
3261 pasn_params.pubkey_len - 1);
3262 if (!secret) {
3263 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3264 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3265 goto send_resp;
3266 }
3267
3268 derive_keys = true;
3269 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3270 wrapped_data = ieee802_11_defrag(&elems,
3271 WLAN_EID_EXTENSION,
3272 WLAN_EID_EXT_WRAPPED_DATA);
3273 if (!wrapped_data) {
3274 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3275 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3276 goto send_resp;
3277 }
3278
3279 #ifdef CONFIG_SAE
3280 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3281 ret = pasn_wd_handle_sae_commit(hapd, sta,
3282 wrapped_data);
3283 if (ret) {
3284 wpa_printf(MSG_DEBUG,
3285 "PASN: Failed processing SAE commit");
3286 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3287 goto send_resp;
3288 }
3289 }
3290 #endif /* CONFIG_SAE */
3291 #ifdef CONFIG_FILS
3292 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3293 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3294 ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3295 if (ret) {
3296 wpa_printf(MSG_DEBUG,
3297 "PASN: Failed processing FILS wrapped data");
3298 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3299 goto send_resp;
3300 }
3301
3302 wpa_printf(MSG_DEBUG,
3303 "PASN: FILS: Pending AS response");
3304
3305 /*
3306 * With PASN/FILS, keys can be derived only after a
3307 * response from the AS is processed.
3308 */
3309 derive_keys = false;
3310 }
3311 #endif /* CONFIG_FILS */
3312 }
3313
3314 sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3315
3316 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3317 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3318 len - IEEE80211_HDRLEN, sta->pasn->hash);
3319 if (ret) {
3320 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3321 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3322 goto send_resp;
3323 }
3324
3325 if (!derive_keys) {
3326 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3327 sta->pasn->secret = secret;
3328 wpabuf_free(wrapped_data);
3329 return;
3330 }
3331
3332 if (rsn_data.num_pmkid) {
3333 if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3334 #ifdef CONFIG_IEEE80211R_AP
3335 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3336
3337 ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3338 rsn_data.pmkid,
3339 pmk_r1, &pmk_r1_len, NULL,
3340 NULL, NULL, NULL,
3341 NULL, NULL, NULL);
3342 if (ret) {
3343 wpa_printf(MSG_DEBUG,
3344 "PASN: FT: Failed getting PMK-R1");
3345 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3346 goto send_resp;
3347 }
3348 cached_pmk = pmk_r1;
3349 cached_pmk_len = pmk_r1_len;
3350 #else /* CONFIG_IEEE80211R_AP */
3351 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3352 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3353 goto send_resp;
3354 #endif /* CONFIG_IEEE80211R_AP */
3355 } else {
3356 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3357
3358 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3359 rsn_data.pmkid);
3360 if (pmksa) {
3361 cached_pmk = pmksa->pmk;
3362 cached_pmk_len = pmksa->pmk_len;
3363 }
3364 }
3365 } else {
3366 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3367 }
3368
3369 ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3370 &pasn_params, wrapped_data, secret);
3371 if (ret) {
3372 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3373 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3374 goto send_resp;
3375 }
3376
3377 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3378 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3379 len - IEEE80211_HDRLEN, sta->pasn->hash);
3380 if (ret) {
3381 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3382 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3383 }
3384
3385 send_resp:
3386 ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3387 if (ret) {
3388 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3389 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3390 } else {
3391 wpa_printf(MSG_DEBUG,
3392 "PASN: Success handling transaction == 1");
3393 }
3394
3395 wpabuf_free(secret);
3396 wpabuf_free(wrapped_data);
3397
3398 if (status != WLAN_STATUS_SUCCESS)
3399 ap_free_sta(hapd, sta);
3400 }
3401
3402
handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta, const struct ieee80211_mgmt *mgmt, size_t len)3403 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3404 const struct ieee80211_mgmt *mgmt, size_t len)
3405 {
3406 struct ieee802_11_elems elems;
3407 struct wpa_pasn_params_data pasn_params;
3408 struct wpabuf *wrapped_data = NULL;
3409 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3410 u8 mic_len;
3411 int ret;
3412
3413 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3414 len - offsetof(struct ieee80211_mgmt,
3415 u.auth.variable),
3416 &elems, 0) == ParseFailed) {
3417 wpa_printf(MSG_DEBUG,
3418 "PASN: Failed parsing Authentication frame");
3419 goto fail;
3420 }
3421
3422 /* Check that the MIC IE exists. Save it and zero out the memory. */
3423 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3424 if (!elems.mic || elems.mic_len != mic_len) {
3425 wpa_printf(MSG_DEBUG,
3426 "PASN: Invalid MIC. Expecting len=%u", mic_len);
3427 goto fail;
3428 } else {
3429 os_memcpy(mic, elems.mic, mic_len);
3430 /* TODO: Clean this up.. Should not modify received frame
3431 * buffer. */
3432 os_memset((u8 *) elems.mic, 0, mic_len);
3433 }
3434
3435 if (!elems.pasn_params || !elems.pasn_params_len) {
3436 wpa_printf(MSG_DEBUG,
3437 "PASN: No PASN Parameters element found");
3438 goto fail;
3439 }
3440
3441 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3442 elems.pasn_params_len + 3,
3443 false, &pasn_params);
3444 if (ret) {
3445 wpa_printf(MSG_DEBUG,
3446 "PASN: Failed validation of PASN Parameters IE");
3447 goto fail;
3448 }
3449
3450 if (pasn_params.pubkey || pasn_params.pubkey_len) {
3451 wpa_printf(MSG_DEBUG,
3452 "PASN: Public key should not be included");
3453 goto fail;
3454 }
3455
3456 /* Verify the MIC */
3457 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3458 sta->addr, hapd->own_addr,
3459 sta->pasn->hash, mic_len * 2,
3460 (u8 *) &mgmt->u.auth,
3461 len - offsetof(struct ieee80211_mgmt, u.auth),
3462 out_mic);
3463
3464 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3465 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3466 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3467 goto fail;
3468 }
3469
3470 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3471 wrapped_data = ieee802_11_defrag(&elems,
3472 WLAN_EID_EXTENSION,
3473 WLAN_EID_EXT_WRAPPED_DATA);
3474
3475 if (!wrapped_data) {
3476 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3477 goto fail;
3478 }
3479
3480 #ifdef CONFIG_SAE
3481 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3482 ret = pasn_wd_handle_sae_confirm(hapd, sta,
3483 wrapped_data);
3484 if (ret) {
3485 wpa_printf(MSG_DEBUG,
3486 "PASN: Failed processing SAE confirm");
3487 wpabuf_free(wrapped_data);
3488 goto fail;
3489 }
3490 }
3491 #endif /* CONFIG_SAE */
3492 #ifdef CONFIG_FILS
3493 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3494 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3495 if (wrapped_data) {
3496 wpa_printf(MSG_DEBUG,
3497 "PASN: FILS: Ignore wrapped data");
3498 }
3499 }
3500 #endif /* CONFIG_FILS */
3501 wpabuf_free(wrapped_data);
3502 }
3503
3504 wpa_printf(MSG_INFO,
3505 "PASN: Success handling transaction == 3. Store PTK");
3506
3507 ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3508 &sta->pasn->ptk);
3509 fail:
3510 ap_free_sta(hapd, sta);
3511 }
3512
3513
handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta, const struct ieee80211_mgmt *mgmt, size_t len, u16 trans_seq, u16 status)3514 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3515 const struct ieee80211_mgmt *mgmt, size_t len,
3516 u16 trans_seq, u16 status)
3517 {
3518 if (hapd->conf->wpa != WPA_PROTO_RSN) {
3519 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3520 return;
3521 }
3522
3523 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR_SEC,
3524 MAC2STR_SEC(sta->addr));
3525
3526 if (trans_seq == 1) {
3527 if (sta->pasn) {
3528 wpa_printf(MSG_DEBUG,
3529 "PASN: Not expecting transaction == 1");
3530 return;
3531 }
3532
3533 if (status != WLAN_STATUS_SUCCESS) {
3534 wpa_printf(MSG_DEBUG,
3535 "PASN: Failure status in transaction == 1");
3536 return;
3537 }
3538
3539 sta->pasn = os_zalloc(sizeof(*sta->pasn));
3540 if (!sta->pasn) {
3541 wpa_printf(MSG_DEBUG,
3542 "PASN: Failed to allocate PASN context");
3543 return;
3544 }
3545
3546 handle_auth_pasn_1(hapd, sta, mgmt, len);
3547 } else if (trans_seq == 3) {
3548 if (!sta->pasn) {
3549 wpa_printf(MSG_DEBUG,
3550 "PASN: Not expecting transaction == 3");
3551 return;
3552 }
3553
3554 if (status != WLAN_STATUS_SUCCESS) {
3555 wpa_printf(MSG_DEBUG,
3556 "PASN: Failure status in transaction == 3");
3557 ap_free_sta_pasn(hapd, sta);
3558 return;
3559 }
3560
3561 handle_auth_pasn_3(hapd, sta, mgmt, len);
3562 } else {
3563 wpa_printf(MSG_DEBUG,
3564 "PASN: Invalid transaction %u - ignore", trans_seq);
3565 }
3566 }
3567
3568 #endif /* CONFIG_PASN */
3569
3570
handle_auth(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int rssi, int from_queue)3571 static void handle_auth(struct hostapd_data *hapd,
3572 const struct ieee80211_mgmt *mgmt, size_t len,
3573 int rssi, int from_queue)
3574 {
3575 u16 auth_alg, auth_transaction, status_code;
3576 u16 resp = WLAN_STATUS_SUCCESS;
3577 struct sta_info *sta = NULL;
3578 int res, reply_res;
3579 u16 fc;
3580 const u8 *challenge = NULL;
3581 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3582 size_t resp_ies_len = 0;
3583 u16 seq_ctrl;
3584 struct radius_sta rad_info;
3585
3586 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3587 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3588 (unsigned long) len);
3589 return;
3590 }
3591
3592 #ifdef CONFIG_TESTING_OPTIONS
3593 if (hapd->iconf->ignore_auth_probability > 0.0 &&
3594 drand48() < hapd->iconf->ignore_auth_probability) {
3595 wpa_printf(MSG_INFO,
3596 "TESTING: ignoring auth frame from " MACSTR_SEC,
3597 MAC2STR_SEC(mgmt->sa));
3598 return;
3599 }
3600 #endif /* CONFIG_TESTING_OPTIONS */
3601
3602 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3603 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3604 status_code = le_to_host16(mgmt->u.auth.status_code);
3605 fc = le_to_host16(mgmt->frame_control);
3606 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3607
3608 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3609 2 + WLAN_AUTH_CHALLENGE_LEN &&
3610 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3611 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3612 challenge = &mgmt->u.auth.variable[2];
3613
3614 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR_SEC " auth_alg=%d "
3615 "auth_transaction=%d status_code=%d wep=%d%s "
3616 "seq_ctrl=0x%x%s%s",
3617 MAC2STR_SEC(mgmt->sa), auth_alg, auth_transaction,
3618 status_code, !!(fc & WLAN_FC_ISWEP),
3619 challenge ? " challenge" : "",
3620 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3621 from_queue ? " (from queue)" : "");
3622
3623 #ifdef CONFIG_NO_RC4
3624 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3625 wpa_printf(MSG_INFO,
3626 "Unsupported authentication algorithm (%d)",
3627 auth_alg);
3628 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3629 goto fail;
3630 }
3631 #endif /* CONFIG_NO_RC4 */
3632
3633 if (hapd->tkip_countermeasures) {
3634 wpa_printf(MSG_DEBUG,
3635 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3636 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3637 goto fail;
3638 }
3639
3640 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3641 auth_alg == WLAN_AUTH_OPEN) ||
3642 #ifdef CONFIG_IEEE80211R_AP
3643 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3644 auth_alg == WLAN_AUTH_FT) ||
3645 #endif /* CONFIG_IEEE80211R_AP */
3646 #ifdef CONFIG_SAE
3647 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3648 auth_alg == WLAN_AUTH_SAE) ||
3649 #endif /* CONFIG_SAE */
3650 #ifdef CONFIG_FILS
3651 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3652 auth_alg == WLAN_AUTH_FILS_SK) ||
3653 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3654 hapd->conf->fils_dh_group &&
3655 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3656 #endif /* CONFIG_FILS */
3657 #ifdef CONFIG_PASN
3658 (hapd->conf->wpa &&
3659 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3660 auth_alg == WLAN_AUTH_PASN) ||
3661 #endif /* CONFIG_PASN */
3662 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3663 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3664 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3665 auth_alg);
3666 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3667 goto fail;
3668 }
3669
3670 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3671 #ifdef CONFIG_PASN
3672 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3673 #endif /* CONFIG_PASN */
3674 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3675 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3676 auth_transaction);
3677 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3678 goto fail;
3679 }
3680
3681 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3682 wpa_printf(MSG_INFO, "Station " MACSTR_SEC " not allowed to authenticate",
3683 MAC2STR_SEC(mgmt->sa));
3684 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3685 goto fail;
3686 }
3687
3688 if (hapd->conf->no_auth_if_seen_on) {
3689 struct hostapd_data *other;
3690
3691 other = sta_track_seen_on(hapd->iface, mgmt->sa,
3692 hapd->conf->no_auth_if_seen_on);
3693 if (other) {
3694 u8 *pos;
3695 u32 info;
3696 u8 op_class, channel, phytype;
3697
3698 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3699 MACSTR_SEC " since STA has been seen on %s",
3700 hapd->conf->iface, MAC2STR_SEC(mgmt->sa),
3701 hapd->conf->no_auth_if_seen_on);
3702
3703 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3704 pos = &resp_ies[0];
3705 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3706 *pos++ = 13;
3707 os_memcpy(pos, other->own_addr, ETH_ALEN);
3708 pos += ETH_ALEN;
3709 info = 0; /* TODO: BSSID Information */
3710 WPA_PUT_LE32(pos, info);
3711 pos += 4;
3712 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3713 phytype = 8; /* dmg */
3714 else if (other->iconf->ieee80211ac)
3715 phytype = 9; /* vht */
3716 else if (other->iconf->ieee80211n)
3717 phytype = 7; /* ht */
3718 else if (other->iconf->hw_mode ==
3719 HOSTAPD_MODE_IEEE80211A)
3720 phytype = 4; /* ofdm */
3721 else if (other->iconf->hw_mode ==
3722 HOSTAPD_MODE_IEEE80211G)
3723 phytype = 6; /* erp */
3724 else
3725 phytype = 5; /* hrdsss */
3726 if (ieee80211_freq_to_channel_ext(
3727 hostapd_hw_get_freq(other,
3728 other->iconf->channel),
3729 other->iconf->secondary_channel,
3730 other->iconf->ieee80211ac,
3731 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3732 op_class = 0;
3733 channel = other->iconf->channel;
3734 }
3735 *pos++ = op_class;
3736 *pos++ = channel;
3737 *pos++ = phytype;
3738 resp_ies_len = pos - &resp_ies[0];
3739 goto fail;
3740 }
3741 }
3742
3743 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3744 &rad_info);
3745 if (res == HOSTAPD_ACL_REJECT) {
3746 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3747 "Ignore Authentication frame from " MACSTR
3748 " due to ACL reject", MAC2STR(mgmt->sa));
3749 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3750 goto fail;
3751 }
3752 if (res == HOSTAPD_ACL_PENDING)
3753 return;
3754
3755 #ifdef CONFIG_SAE
3756 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3757 (auth_transaction == 1 ||
3758 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3759 /* Handle SAE Authentication commit message through a queue to
3760 * provide more control for postponing the needed heavy
3761 * processing under a possible DoS attack scenario. In addition,
3762 * queue SAE Authentication confirm message if there happens to
3763 * be a queued commit message from the same peer. This is needed
3764 * to avoid reordering Authentication frames within the same
3765 * SAE exchange. */
3766 auth_sae_queue(hapd, mgmt, len, rssi);
3767 return;
3768 }
3769 #endif /* CONFIG_SAE */
3770
3771 sta = ap_get_sta(hapd, mgmt->sa);
3772 if (sta) {
3773 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3774 sta->ft_over_ds = 0;
3775 if ((fc & WLAN_FC_RETRY) &&
3776 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3777 sta->last_seq_ctrl == seq_ctrl &&
3778 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3779 hostapd_logger(hapd, sta->addr,
3780 HOSTAPD_MODULE_IEEE80211,
3781 HOSTAPD_LEVEL_DEBUG,
3782 "Drop repeated authentication frame seq_ctrl=0x%x",
3783 seq_ctrl);
3784 return;
3785 }
3786 #ifdef CONFIG_MESH
3787 if ((hapd->conf->mesh & MESH_ENABLED) &&
3788 sta->plink_state == PLINK_BLOCKED) {
3789 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR_SEC
3790 " is blocked - drop Authentication frame",
3791 MAC2STR_SEC(mgmt->sa));
3792 return;
3793 }
3794 #endif /* CONFIG_MESH */
3795 #ifdef CONFIG_PASN
3796 if (auth_alg == WLAN_AUTH_PASN &&
3797 (sta->flags & WLAN_STA_ASSOC)) {
3798 wpa_printf(MSG_DEBUG,
3799 "PASN: auth: Existing station: " MACSTR_SEC,
3800 MAC2STR_SEC(sta->addr));
3801 return;
3802 }
3803 #endif /* CONFIG_PASN */
3804 } else {
3805 #ifdef CONFIG_MESH
3806 if (hapd->conf->mesh & MESH_ENABLED) {
3807 /* if the mesh peer is not available, we don't do auth.
3808 */
3809 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR_SEC
3810 " not yet known - drop Authentication frame",
3811 MAC2STR_SEC(mgmt->sa));
3812 /*
3813 * Save a copy of the frame so that it can be processed
3814 * if a new peer entry is added shortly after this.
3815 */
3816 wpabuf_free(hapd->mesh_pending_auth);
3817 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3818 os_get_reltime(&hapd->mesh_pending_auth_time);
3819 return;
3820 }
3821 #endif /* CONFIG_MESH */
3822
3823 sta = ap_sta_add(hapd, mgmt->sa);
3824 if (!sta) {
3825 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3826 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3827 goto fail;
3828 }
3829 }
3830 sta->last_seq_ctrl = seq_ctrl;
3831 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3832 #ifdef CONFIG_MBO
3833 sta->auth_rssi = rssi;
3834 #endif /* CONFIG_MBO */
3835
3836 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3837 if (res) {
3838 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3839 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3840 goto fail;
3841 }
3842
3843 sta->flags &= ~WLAN_STA_PREAUTH;
3844 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3845
3846 /*
3847 * If the driver supports full AP client state, add a station to the
3848 * driver before sending authentication reply to make sure the driver
3849 * has resources, and not to go through the entire authentication and
3850 * association handshake, and fail it at the end.
3851 *
3852 * If this is not the first transaction, in a multi-step authentication
3853 * algorithm, the station already exists in the driver
3854 * (sta->added_unassoc = 1) so skip it.
3855 *
3856 * In mesh mode, the station was already added to the driver when the
3857 * NEW_PEER_CANDIDATE event is received.
3858 *
3859 * If PMF was negotiated for the existing association, skip this to
3860 * avoid dropping the STA entry and the associated keys. This is needed
3861 * to allow the original connection work until the attempt can complete
3862 * (re)association, so that unprotected Authentication frame cannot be
3863 * used to bypass PMF protection.
3864 *
3865 * PASN authentication does not require adding/removing station to the
3866 * driver so skip this flow in case of PASN authentication.
3867 */
3868 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3869 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3870 !(hapd->conf->mesh & MESH_ENABLED) &&
3871 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3872 if (ap_sta_re_add(hapd, sta) < 0) {
3873 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3874 goto fail;
3875 }
3876 }
3877
3878 switch (auth_alg) {
3879 case WLAN_AUTH_OPEN:
3880 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3881 HOSTAPD_LEVEL_DEBUG,
3882 "authentication OK (open system)");
3883 sta->flags |= WLAN_STA_AUTH;
3884 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3885 sta->auth_alg = WLAN_AUTH_OPEN;
3886 mlme_authenticate_indication(hapd, sta);
3887 break;
3888 #ifdef CONFIG_WEP
3889 #ifndef CONFIG_NO_RC4
3890 case WLAN_AUTH_SHARED_KEY:
3891 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3892 fc & WLAN_FC_ISWEP);
3893 if (resp != 0)
3894 wpa_printf(MSG_DEBUG,
3895 "auth_shared_key() failed: status=%d", resp);
3896 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3897 mlme_authenticate_indication(hapd, sta);
3898 if (sta->challenge && auth_transaction == 1) {
3899 resp_ies[0] = WLAN_EID_CHALLENGE;
3900 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3901 os_memcpy(resp_ies + 2, sta->challenge,
3902 WLAN_AUTH_CHALLENGE_LEN);
3903 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3904 }
3905 break;
3906 #endif /* CONFIG_NO_RC4 */
3907 #endif /* CONFIG_WEP */
3908 #ifdef CONFIG_IEEE80211R_AP
3909 case WLAN_AUTH_FT:
3910 sta->auth_alg = WLAN_AUTH_FT;
3911 if (sta->wpa_sm == NULL)
3912 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3913 sta->addr, NULL);
3914 if (sta->wpa_sm == NULL) {
3915 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3916 "state machine");
3917 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3918 goto fail;
3919 }
3920 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3921 auth_transaction, mgmt->u.auth.variable,
3922 len - IEEE80211_HDRLEN -
3923 sizeof(mgmt->u.auth),
3924 handle_auth_ft_finish, hapd);
3925 /* handle_auth_ft_finish() callback will complete auth. */
3926 return;
3927 #endif /* CONFIG_IEEE80211R_AP */
3928 #ifdef CONFIG_SAE
3929 case WLAN_AUTH_SAE:
3930 #ifdef CONFIG_MESH
3931 if (status_code == WLAN_STATUS_SUCCESS &&
3932 hapd->conf->mesh & MESH_ENABLED) {
3933 if (sta->wpa_sm == NULL)
3934 sta->wpa_sm =
3935 wpa_auth_sta_init(hapd->wpa_auth,
3936 sta->addr, NULL);
3937 if (sta->wpa_sm == NULL) {
3938 wpa_printf(MSG_DEBUG,
3939 "SAE: Failed to initialize WPA state machine");
3940 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3941 goto fail;
3942 }
3943 }
3944 #endif /* CONFIG_MESH */
3945 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3946 status_code);
3947 return;
3948 #endif /* CONFIG_SAE */
3949 #ifdef CONFIG_FILS
3950 case WLAN_AUTH_FILS_SK:
3951 case WLAN_AUTH_FILS_SK_PFS:
3952 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3953 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3954 auth_alg, auth_transaction, status_code,
3955 handle_auth_fils_finish);
3956 return;
3957 #endif /* CONFIG_FILS */
3958 #ifdef CONFIG_PASN
3959 case WLAN_AUTH_PASN:
3960 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3961 status_code);
3962 return;
3963 #endif /* CONFIG_PASN */
3964 }
3965
3966 fail:
3967 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3968 auth_alg == WLAN_AUTH_SAE ?
3969 auth_transaction : auth_transaction + 1,
3970 resp, resp_ies, resp_ies_len,
3971 "handle-auth");
3972
3973 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3974 reply_res != WLAN_STATUS_SUCCESS)) {
3975 hostapd_drv_sta_remove(hapd, sta->addr);
3976 sta->added_unassoc = 0;
3977 }
3978 }
3979
3980
hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)3981 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3982 {
3983 int i, j = 32, aid;
3984
3985 /* get a unique AID */
3986 if (sta->aid > 0) {
3987 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3988 return 0;
3989 }
3990
3991 if (TEST_FAIL())
3992 return -1;
3993
3994 for (i = 0; i < AID_WORDS; i++) {
3995 if (hapd->sta_aid[i] == (u32) -1)
3996 continue;
3997 for (j = 0; j < 32; j++) {
3998 if (!(hapd->sta_aid[i] & BIT(j)))
3999 break;
4000 }
4001 if (j < 32)
4002 break;
4003 }
4004 if (j == 32)
4005 return -1;
4006 aid = i * 32 + j + 1;
4007 if (aid > 2007)
4008 return -1;
4009
4010 sta->aid = aid;
4011 hapd->sta_aid[i] |= BIT(j);
4012 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
4013 return 0;
4014 }
4015
4016
check_ssid(struct hostapd_data *hapd, struct sta_info *sta, const u8 *ssid_ie, size_t ssid_ie_len)4017 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
4018 const u8 *ssid_ie, size_t ssid_ie_len)
4019 {
4020 if (ssid_ie == NULL)
4021 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4022
4023 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
4024 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
4025 hostapd_logger_only_for_cb(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4026 HOSTAPD_LEVEL_INFO,
4027 "Station tried to associate with unknown SSID "
4028 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
4029 wpa_printf(MSG_DEBUG, "hostapd_logger: Station tried to associate with unknown SSID "
4030 "'%s'", anonymize_ssid(wpa_ssid_txt(ssid_ie, ssid_ie_len)));
4031 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4032 }
4033
4034 return WLAN_STATUS_SUCCESS;
4035 }
4036
4037
check_wmm(struct hostapd_data *hapd, struct sta_info *sta, const u8 *wmm_ie, size_t wmm_ie_len)4038 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
4039 const u8 *wmm_ie, size_t wmm_ie_len)
4040 {
4041 sta->flags &= ~WLAN_STA_WMM;
4042 sta->qosinfo = 0;
4043 if (wmm_ie && hapd->conf->wmm_enabled) {
4044 struct wmm_information_element *wmm;
4045
4046 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
4047 hostapd_logger(hapd, sta->addr,
4048 HOSTAPD_MODULE_WPA,
4049 HOSTAPD_LEVEL_DEBUG,
4050 "invalid WMM element in association "
4051 "request");
4052 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4053 }
4054
4055 sta->flags |= WLAN_STA_WMM;
4056 wmm = (struct wmm_information_element *) wmm_ie;
4057 sta->qosinfo = wmm->qos_info;
4058 }
4059 return WLAN_STATUS_SUCCESS;
4060 }
4061
check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta, const u8 *multi_ap_ie, size_t multi_ap_len)4062 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
4063 const u8 *multi_ap_ie, size_t multi_ap_len)
4064 {
4065 u8 multi_ap_value = 0;
4066
4067 sta->flags &= ~WLAN_STA_MULTI_AP;
4068
4069 if (!hapd->conf->multi_ap)
4070 return WLAN_STATUS_SUCCESS;
4071
4072 if (multi_ap_ie) {
4073 const u8 *multi_ap_subelem;
4074
4075 multi_ap_subelem = get_ie(multi_ap_ie + 4,
4076 multi_ap_len - 4,
4077 MULTI_AP_SUB_ELEM_TYPE);
4078 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
4079 multi_ap_value = multi_ap_subelem[2];
4080 } else {
4081 hostapd_logger(hapd, sta->addr,
4082 HOSTAPD_MODULE_IEEE80211,
4083 HOSTAPD_LEVEL_INFO,
4084 "Multi-AP IE has missing or invalid Multi-AP subelement");
4085 return WLAN_STATUS_INVALID_IE;
4086 }
4087 }
4088
4089 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
4090 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4091 HOSTAPD_LEVEL_INFO,
4092 "Multi-AP IE with unexpected value 0x%02x",
4093 multi_ap_value);
4094
4095 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
4096 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
4097 return WLAN_STATUS_SUCCESS;
4098
4099 hostapd_logger(hapd, sta->addr,
4100 HOSTAPD_MODULE_IEEE80211,
4101 HOSTAPD_LEVEL_INFO,
4102 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
4103 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
4104 }
4105
4106 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
4107 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4108 HOSTAPD_LEVEL_DEBUG,
4109 "Backhaul STA tries to associate with fronthaul-only BSS");
4110
4111 sta->flags |= WLAN_STA_MULTI_AP;
4112 return WLAN_STATUS_SUCCESS;
4113 }
4114
4115
copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, struct ieee802_11_elems *elems)4116 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
4117 struct ieee802_11_elems *elems)
4118 {
4119 /* Supported rates not used in IEEE 802.11ad/DMG */
4120 if (hapd->iface->current_mode &&
4121 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
4122 return WLAN_STATUS_SUCCESS;
4123
4124 if (!elems->supp_rates) {
4125 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4126 HOSTAPD_LEVEL_DEBUG,
4127 "No supported rates element in AssocReq");
4128 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4129 }
4130
4131 if (elems->supp_rates_len + elems->ext_supp_rates_len >
4132 sizeof(sta->supported_rates)) {
4133 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4134 HOSTAPD_LEVEL_DEBUG,
4135 "Invalid supported rates element length %d+%d",
4136 elems->supp_rates_len,
4137 elems->ext_supp_rates_len);
4138 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4139 }
4140
4141 sta->supported_rates_len = merge_byte_arrays(
4142 sta->supported_rates, sizeof(sta->supported_rates),
4143 elems->supp_rates, elems->supp_rates_len,
4144 elems->ext_supp_rates, elems->ext_supp_rates_len);
4145
4146 return WLAN_STATUS_SUCCESS;
4147 }
4148
4149
check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, const u8 *ext_capab_ie, size_t ext_capab_ie_len)4150 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
4151 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
4152 {
4153 #ifdef CONFIG_INTERWORKING
4154 /* check for QoS Map support */
4155 if (ext_capab_ie_len >= 5) {
4156 if (ext_capab_ie[4] & 0x01)
4157 sta->qos_map_enabled = 1;
4158 }
4159 #endif /* CONFIG_INTERWORKING */
4160
4161 if (ext_capab_ie_len > 0) {
4162 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4163 os_free(sta->ext_capability);
4164 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4165 if (sta->ext_capability) {
4166 sta->ext_capability[0] = ext_capab_ie_len;
4167 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4168 ext_capab_ie_len);
4169 }
4170 }
4171
4172 return WLAN_STATUS_SUCCESS;
4173 }
4174
4175
4176 #ifdef CONFIG_OWE
4177
owe_group_supported(struct hostapd_data *hapd, u16 group)4178 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4179 {
4180 int i;
4181 int *groups = hapd->conf->owe_groups;
4182
4183 if (group != 19 && group != 20 && group != 21)
4184 return 0;
4185
4186 if (!groups)
4187 return 1;
4188
4189 for (i = 0; groups[i] > 0; i++) {
4190 if (groups[i] == group)
4191 return 1;
4192 }
4193
4194 return 0;
4195 }
4196
4197
owe_process_assoc_req(struct hostapd_data *hapd, struct sta_info *sta, const u8 *owe_dh, u8 owe_dh_len)4198 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4199 struct sta_info *sta, const u8 *owe_dh,
4200 u8 owe_dh_len)
4201 {
4202 struct wpabuf *secret, *pub, *hkey;
4203 int res;
4204 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4205 const char *info = "OWE Key Generation";
4206 const u8 *addr[2];
4207 size_t len[2];
4208 u16 group;
4209 size_t hash_len, prime_len;
4210
4211 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4212 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4213 return WLAN_STATUS_SUCCESS;
4214 }
4215
4216 group = WPA_GET_LE16(owe_dh);
4217 if (!owe_group_supported(hapd, group)) {
4218 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4219 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4220 }
4221 if (group == 19)
4222 prime_len = 32;
4223 else if (group == 20)
4224 prime_len = 48;
4225 else if (group == 21)
4226 prime_len = 66;
4227 else
4228 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4229
4230 crypto_ecdh_deinit(sta->owe_ecdh);
4231 sta->owe_ecdh = crypto_ecdh_init(group);
4232 if (!sta->owe_ecdh)
4233 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4234 sta->owe_group = group;
4235
4236 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4237 owe_dh_len - 2);
4238 secret = wpabuf_zeropad(secret, prime_len);
4239 if (!secret) {
4240 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4241 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4242 }
4243 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4244
4245 /* prk = HKDF-extract(C | A | group, z) */
4246
4247 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4248 if (!pub) {
4249 wpabuf_clear_free(secret);
4250 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4251 }
4252
4253 /* PMKID = Truncate-128(Hash(C | A)) */
4254 addr[0] = owe_dh + 2;
4255 len[0] = owe_dh_len - 2;
4256 addr[1] = wpabuf_head(pub);
4257 len[1] = wpabuf_len(pub);
4258 if (group == 19) {
4259 res = sha256_vector(2, addr, len, pmkid);
4260 hash_len = SHA256_MAC_LEN;
4261 } else if (group == 20) {
4262 res = sha384_vector(2, addr, len, pmkid);
4263 hash_len = SHA384_MAC_LEN;
4264 } else if (group == 21) {
4265 res = sha512_vector(2, addr, len, pmkid);
4266 hash_len = SHA512_MAC_LEN;
4267 } else {
4268 wpabuf_free(pub);
4269 wpabuf_clear_free(secret);
4270 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4271 }
4272 pub = wpabuf_zeropad(pub, prime_len);
4273 if (res < 0 || !pub) {
4274 wpabuf_free(pub);
4275 wpabuf_clear_free(secret);
4276 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4277 }
4278
4279 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4280 if (!hkey) {
4281 wpabuf_free(pub);
4282 wpabuf_clear_free(secret);
4283 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4284 }
4285
4286 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4287 wpabuf_put_buf(hkey, pub); /* A */
4288 wpabuf_free(pub);
4289 wpabuf_put_le16(hkey, group); /* group */
4290 if (group == 19)
4291 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4292 wpabuf_head(secret), wpabuf_len(secret), prk);
4293 else if (group == 20)
4294 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4295 wpabuf_head(secret), wpabuf_len(secret), prk);
4296 else if (group == 21)
4297 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4298 wpabuf_head(secret), wpabuf_len(secret), prk);
4299 wpabuf_clear_free(hkey);
4300 wpabuf_clear_free(secret);
4301 if (res < 0)
4302 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4303
4304 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4305
4306 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4307
4308 os_free(sta->owe_pmk);
4309 sta->owe_pmk = os_malloc(hash_len);
4310 if (!sta->owe_pmk) {
4311 os_memset(prk, 0, SHA512_MAC_LEN);
4312 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4313 }
4314
4315 if (group == 19)
4316 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4317 os_strlen(info), sta->owe_pmk, hash_len);
4318 else if (group == 20)
4319 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4320 os_strlen(info), sta->owe_pmk, hash_len);
4321 else if (group == 21)
4322 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4323 os_strlen(info), sta->owe_pmk, hash_len);
4324 os_memset(prk, 0, SHA512_MAC_LEN);
4325 if (res < 0) {
4326 os_free(sta->owe_pmk);
4327 sta->owe_pmk = NULL;
4328 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4329 }
4330 sta->owe_pmk_len = hash_len;
4331
4332 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4333 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4334 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4335 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4336
4337 return WLAN_STATUS_SUCCESS;
4338 }
4339
4340
owe_validate_request(struct hostapd_data *hapd, const u8 *peer, const u8 *rsn_ie, size_t rsn_ie_len, const u8 *owe_dh, size_t owe_dh_len)4341 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4342 const u8 *rsn_ie, size_t rsn_ie_len,
4343 const u8 *owe_dh, size_t owe_dh_len)
4344 {
4345 struct wpa_ie_data data;
4346 int res;
4347
4348 if (!rsn_ie || rsn_ie_len < 2) {
4349 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR_SEC,
4350 MAC2STR_SEC(peer));
4351 return WLAN_STATUS_INVALID_IE;
4352 }
4353 rsn_ie -= 2;
4354 rsn_ie_len += 2;
4355
4356 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4357 if (res) {
4358 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR_SEC
4359 " (res=%d)", MAC2STR_SEC(peer), res);
4360 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4361 return wpa_res_to_status_code(res);
4362 }
4363 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4364 wpa_printf(MSG_DEBUG,
4365 "OWE: Unexpected key mgmt 0x%x from " MACSTR_SEC,
4366 (unsigned int) data.key_mgmt, MAC2STR_SEC(peer));
4367 return WLAN_STATUS_AKMP_NOT_VALID;
4368 }
4369 if (!owe_dh) {
4370 wpa_printf(MSG_DEBUG,
4371 "OWE: No Diffie-Hellman Parameter element from "
4372 MACSTR_SEC, MAC2STR_SEC(peer));
4373 return WLAN_STATUS_AKMP_NOT_VALID;
4374 }
4375
4376 return WLAN_STATUS_SUCCESS;
4377 }
4378
4379
owe_process_rsn_ie(struct hostapd_data *hapd, struct sta_info *sta, const u8 *rsn_ie, size_t rsn_ie_len, const u8 *owe_dh, size_t owe_dh_len)4380 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4381 struct sta_info *sta,
4382 const u8 *rsn_ie, size_t rsn_ie_len,
4383 const u8 *owe_dh, size_t owe_dh_len)
4384 {
4385 u16 status;
4386 u8 *owe_buf, ie[256 * 2];
4387 size_t ie_len = 0;
4388 enum wpa_validate_result res;
4389
4390 if (!rsn_ie || rsn_ie_len < 2) {
4391 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4392 status = WLAN_STATUS_INVALID_IE;
4393 goto end;
4394 }
4395
4396 if (!sta->wpa_sm)
4397 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
4398 NULL);
4399 if (!sta->wpa_sm) {
4400 wpa_printf(MSG_WARNING,
4401 "OWE: Failed to initialize WPA state machine");
4402 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4403 goto end;
4404 }
4405 rsn_ie -= 2;
4406 rsn_ie_len += 2;
4407 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4408 hapd->iface->freq, rsn_ie, rsn_ie_len,
4409 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4410 status = wpa_res_to_status_code(res);
4411 if (status != WLAN_STATUS_SUCCESS)
4412 goto end;
4413 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4414 if (status != WLAN_STATUS_SUCCESS)
4415 goto end;
4416 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4417 NULL, 0);
4418 if (!owe_buf) {
4419 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4420 goto end;
4421 }
4422
4423 if (sta->owe_ecdh) {
4424 struct wpabuf *pub;
4425
4426 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4427 if (!pub) {
4428 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4429 goto end;
4430 }
4431
4432 /* OWE Diffie-Hellman Parameter element */
4433 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4434 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4435 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4436 */
4437 WPA_PUT_LE16(owe_buf, sta->owe_group);
4438 owe_buf += 2;
4439 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4440 owe_buf += wpabuf_len(pub);
4441 wpabuf_free(pub);
4442 sta->external_dh_updated = 1;
4443 }
4444 ie_len = owe_buf - ie;
4445
4446 end:
4447 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4448 MACSTR_SEC, status, (unsigned int) ie_len,
4449 MAC2STR_SEC(sta->addr));
4450 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4451 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4452 ie_len);
4453
4454 return status;
4455 }
4456
4457 #endif /* CONFIG_OWE */
4458
4459
check_sa_query(struct hostapd_data *hapd, struct sta_info *sta, int reassoc)4460 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4461 int reassoc)
4462 {
4463 if ((sta->flags &
4464 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4465 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4466 return false;
4467
4468 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4469 ap_check_sa_query_timeout(hapd, sta);
4470
4471 if (!sta->sa_query_timed_out &&
4472 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4473 /*
4474 * STA has already been associated with MFP and SA Query timeout
4475 * has not been reached. Reject the association attempt
4476 * temporarily and start SA Query, if one is not pending.
4477 */
4478 if (sta->sa_query_count == 0)
4479 ap_sta_start_sa_query(hapd, sta);
4480
4481 return true;
4482 }
4483
4484 return false;
4485 }
4486
4487
check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, const u8 *ies, size_t ies_len, int reassoc)4488 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4489 const u8 *ies, size_t ies_len, int reassoc)
4490 {
4491 struct ieee802_11_elems elems;
4492 int resp;
4493 const u8 *wpa_ie;
4494 size_t wpa_ie_len;
4495 const u8 *p2p_dev_addr = NULL;
4496
4497 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4498 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4499 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4500 "association request");
4501 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4502 }
4503
4504 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4505 if (resp != WLAN_STATUS_SUCCESS)
4506 return resp;
4507 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4508 if (resp != WLAN_STATUS_SUCCESS)
4509 return resp;
4510 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4511 if (resp != WLAN_STATUS_SUCCESS)
4512 return resp;
4513 resp = copy_supp_rates(hapd, sta, &elems);
4514 if (resp != WLAN_STATUS_SUCCESS)
4515 return resp;
4516
4517 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4518 if (resp != WLAN_STATUS_SUCCESS)
4519 return resp;
4520
4521 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4522 if (resp != WLAN_STATUS_SUCCESS)
4523 return resp;
4524 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4525 !(sta->flags & WLAN_STA_HT)) {
4526 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4527 HOSTAPD_LEVEL_INFO, "Station does not support "
4528 "mandatory HT PHY - reject association");
4529 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4530 }
4531
4532 #ifdef CONFIG_IEEE80211AC
4533 if (hapd->iconf->ieee80211ac) {
4534 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4535 if (resp != WLAN_STATUS_SUCCESS)
4536 return resp;
4537
4538 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4539 if (resp != WLAN_STATUS_SUCCESS)
4540 return resp;
4541 }
4542
4543 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4544 !(sta->flags & WLAN_STA_VHT)) {
4545 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4546 HOSTAPD_LEVEL_INFO, "Station does not support "
4547 "mandatory VHT PHY - reject association");
4548 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4549 }
4550
4551 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4552 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4553 elems.vendor_vht_len);
4554 if (resp != WLAN_STATUS_SUCCESS)
4555 return resp;
4556 }
4557 #endif /* CONFIG_IEEE80211AC */
4558 #ifdef CONFIG_IEEE80211AX
4559 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4560 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4561 elems.he_capabilities,
4562 elems.he_capabilities_len);
4563 if (resp != WLAN_STATUS_SUCCESS)
4564 return resp;
4565 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4566 if (!(sta->flags & WLAN_STA_HE)) {
4567 hostapd_logger(hapd, sta->addr,
4568 HOSTAPD_MODULE_IEEE80211,
4569 HOSTAPD_LEVEL_INFO,
4570 "Station does not support mandatory HE PHY - reject association");
4571 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4572 }
4573 resp = copy_sta_he_6ghz_capab(hapd, sta,
4574 elems.he_6ghz_band_cap);
4575 if (resp != WLAN_STATUS_SUCCESS)
4576 return resp;
4577 }
4578 }
4579 #endif /* CONFIG_IEEE80211AX */
4580
4581 #ifdef CONFIG_P2P
4582 if (elems.p2p) {
4583 wpabuf_free(sta->p2p_ie);
4584 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4585 P2P_IE_VENDOR_TYPE);
4586 if (sta->p2p_ie)
4587 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4588 } else {
4589 wpabuf_free(sta->p2p_ie);
4590 sta->p2p_ie = NULL;
4591 }
4592 #endif /* CONFIG_P2P */
4593
4594 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4595 wpa_ie = elems.rsn_ie;
4596 wpa_ie_len = elems.rsn_ie_len;
4597 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4598 elems.wpa_ie) {
4599 wpa_ie = elems.wpa_ie;
4600 wpa_ie_len = elems.wpa_ie_len;
4601 } else {
4602 wpa_ie = NULL;
4603 wpa_ie_len = 0;
4604 }
4605
4606 #ifdef CONFIG_WPS
4607 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4608 if (hapd->conf->wps_state && elems.wps_ie) {
4609 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4610 "Request - assume WPS is used");
4611 if (check_sa_query(hapd, sta, reassoc))
4612 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4613 sta->flags |= WLAN_STA_WPS;
4614 wpabuf_free(sta->wps_ie);
4615 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4616 WPS_IE_VENDOR_TYPE);
4617 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4618 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4619 sta->flags |= WLAN_STA_WPS2;
4620 }
4621 wpa_ie = NULL;
4622 wpa_ie_len = 0;
4623 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4624 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4625 "(Re)Association Request - reject");
4626 return WLAN_STATUS_INVALID_IE;
4627 }
4628 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4629 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4630 "(Re)Association Request - possible WPS use");
4631 sta->flags |= WLAN_STA_MAYBE_WPS;
4632 } else
4633 #endif /* CONFIG_WPS */
4634 if (hapd->conf->wpa && wpa_ie == NULL) {
4635 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4636 HOSTAPD_LEVEL_INFO,
4637 "No WPA/RSN IE in association request");
4638 return WLAN_STATUS_INVALID_IE;
4639 }
4640
4641 if (hapd->conf->wpa && wpa_ie) {
4642 enum wpa_validate_result res;
4643
4644 wpa_ie -= 2;
4645 wpa_ie_len += 2;
4646 if (sta->wpa_sm == NULL)
4647 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4648 sta->addr,
4649 p2p_dev_addr);
4650 if (sta->wpa_sm == NULL) {
4651 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4652 "state machine");
4653 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4654 }
4655 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4656 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4657 hapd->iface->freq,
4658 wpa_ie, wpa_ie_len,
4659 elems.rsnxe ? elems.rsnxe - 2 : NULL,
4660 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4661 elems.mdie, elems.mdie_len,
4662 elems.owe_dh, elems.owe_dh_len);
4663 resp = wpa_res_to_status_code(res);
4664 if (resp != WLAN_STATUS_SUCCESS)
4665 return resp;
4666
4667 if (check_sa_query(hapd, sta, reassoc))
4668 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4669
4670 if (wpa_auth_uses_mfp(sta->wpa_sm))
4671 sta->flags |= WLAN_STA_MFP;
4672 else
4673 sta->flags &= ~WLAN_STA_MFP;
4674
4675 #ifdef CONFIG_IEEE80211R_AP
4676 if (sta->auth_alg == WLAN_AUTH_FT) {
4677 if (!reassoc) {
4678 wpa_printf(MSG_DEBUG, "FT: " MACSTR_SEC " tried "
4679 "to use association (not "
4680 "re-association) with FT auth_alg",
4681 MAC2STR_SEC(sta->addr));
4682 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4683 }
4684
4685 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4686 ies_len);
4687 if (resp != WLAN_STATUS_SUCCESS)
4688 return resp;
4689 }
4690 #endif /* CONFIG_IEEE80211R_AP */
4691
4692 #ifdef CONFIG_SAE
4693 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4694 sta->sae->state == SAE_ACCEPTED)
4695 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4696
4697 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4698 sta->auth_alg == WLAN_AUTH_OPEN) {
4699 struct rsn_pmksa_cache_entry *sa;
4700 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4701 if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
4702 wpa_printf(MSG_DEBUG,
4703 "SAE: No PMKSA cache entry found for "
4704 MACSTR_SEC, MAC2STR_SEC(sta->addr));
4705 return WLAN_STATUS_INVALID_PMKID;
4706 }
4707 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC
4708 " using PMKSA caching", MAC2STR_SEC(sta->addr));
4709 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4710 sta->auth_alg != WLAN_AUTH_SAE &&
4711 !(sta->auth_alg == WLAN_AUTH_FT &&
4712 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4713 wpa_printf(MSG_DEBUG, "SAE: " MACSTR_SEC " tried to use "
4714 "SAE AKM after non-SAE auth_alg %u",
4715 MAC2STR_SEC(sta->addr), sta->auth_alg);
4716 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4717 }
4718
4719 if (hapd->conf->sae_pwe == 2 &&
4720 sta->auth_alg == WLAN_AUTH_SAE &&
4721 sta->sae && !sta->sae->h2e &&
4722 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
4723 WLAN_RSNX_CAPAB_SAE_H2E)) {
4724 wpa_printf(MSG_INFO, "SAE: " MACSTR_SEC
4725 " indicates support for SAE H2E, but did not use it",
4726 MAC2STR_SEC(sta->addr));
4727 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4728 }
4729 #endif /* CONFIG_SAE */
4730
4731 #ifdef CONFIG_OWE
4732 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4733 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4734 elems.owe_dh) {
4735 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4736 elems.owe_dh_len);
4737 if (resp != WLAN_STATUS_SUCCESS)
4738 return resp;
4739 }
4740 #endif /* CONFIG_OWE */
4741
4742 #ifdef CONFIG_DPP2
4743 dpp_pfs_free(sta->dpp_pfs);
4744 sta->dpp_pfs = NULL;
4745
4746 if (DPP_VERSION > 1 &&
4747 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4748 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4749 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4750 elems.owe_dh) {
4751 sta->dpp_pfs = dpp_pfs_init(
4752 wpabuf_head(hapd->conf->dpp_netaccesskey),
4753 wpabuf_len(hapd->conf->dpp_netaccesskey));
4754 if (!sta->dpp_pfs) {
4755 wpa_printf(MSG_DEBUG,
4756 "DPP: Could not initialize PFS");
4757 /* Try to continue without PFS */
4758 goto pfs_fail;
4759 }
4760
4761 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4762 elems.owe_dh_len) < 0) {
4763 dpp_pfs_free(sta->dpp_pfs);
4764 sta->dpp_pfs = NULL;
4765 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4766 }
4767 }
4768
4769 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4770 sta->dpp_pfs->secret : NULL);
4771 pfs_fail:
4772 #endif /* CONFIG_DPP2 */
4773
4774 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4775 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4776 hostapd_logger(hapd, sta->addr,
4777 HOSTAPD_MODULE_IEEE80211,
4778 HOSTAPD_LEVEL_INFO,
4779 "Station tried to use TKIP with HT "
4780 "association");
4781 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4782 }
4783 #ifdef CONFIG_HS20
4784 } else if (hapd->conf->osen) {
4785 if (elems.osen == NULL) {
4786 hostapd_logger(
4787 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4788 HOSTAPD_LEVEL_INFO,
4789 "No HS 2.0 OSEN element in association request");
4790 return WLAN_STATUS_INVALID_IE;
4791 }
4792
4793 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4794 if (sta->wpa_sm == NULL)
4795 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4796 sta->addr, NULL);
4797 if (sta->wpa_sm == NULL) {
4798 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4799 "state machine");
4800 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4801 }
4802 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4803 elems.osen - 2, elems.osen_len + 2) < 0)
4804 return WLAN_STATUS_INVALID_IE;
4805 #endif /* CONFIG_HS20 */
4806 } else
4807 wpa_auth_sta_no_wpa(sta->wpa_sm);
4808
4809 #ifdef CONFIG_P2P
4810 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4811 #endif /* CONFIG_P2P */
4812
4813 #ifdef CONFIG_HS20
4814 wpabuf_free(sta->hs20_ie);
4815 if (elems.hs20 && elems.hs20_len > 4) {
4816 int release;
4817
4818 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4819 elems.hs20_len - 4);
4820 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4821 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4822 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4823 wpa_printf(MSG_DEBUG,
4824 "HS 2.0: PMF not negotiated by release %d station "
4825 MACSTR_SEC, release, MAC2STR_SEC(sta->addr));
4826 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4827 }
4828 } else {
4829 sta->hs20_ie = NULL;
4830 }
4831
4832 wpabuf_free(sta->roaming_consortium);
4833 if (elems.roaming_cons_sel)
4834 sta->roaming_consortium = wpabuf_alloc_copy(
4835 elems.roaming_cons_sel + 4,
4836 elems.roaming_cons_sel_len - 4);
4837 else
4838 sta->roaming_consortium = NULL;
4839 #endif /* CONFIG_HS20 */
4840
4841 #ifdef CONFIG_FST
4842 wpabuf_free(sta->mb_ies);
4843 if (hapd->iface->fst)
4844 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4845 else
4846 sta->mb_ies = NULL;
4847 #endif /* CONFIG_FST */
4848
4849 #ifdef CONFIG_MBO
4850 mbo_ap_check_sta_assoc(hapd, sta, &elems);
4851
4852 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4853 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4854 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4855 wpa_printf(MSG_INFO,
4856 "MBO: Reject WPA2 association without PMF");
4857 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4858 }
4859 #endif /* CONFIG_MBO */
4860
4861 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4862 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4863 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4864 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4865 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4866 struct wpa_channel_info ci;
4867 int tx_chanwidth;
4868 int tx_seg1_idx;
4869 enum oci_verify_result res;
4870
4871 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4872 wpa_printf(MSG_WARNING,
4873 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4874 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4875 }
4876
4877 if (get_sta_tx_parameters(sta->wpa_sm,
4878 channel_width_to_int(ci.chanwidth),
4879 ci.seg1_idx, &tx_chanwidth,
4880 &tx_seg1_idx) < 0)
4881 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4882
4883 res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4884 tx_chanwidth, tx_seg1_idx);
4885 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4886 res == OCI_NOT_FOUND) {
4887 /* Work around misbehaving STAs */
4888 wpa_printf(MSG_INFO,
4889 "FILS: Disable OCV with a STA that does not send OCI");
4890 wpa_auth_set_ocv(sta->wpa_sm, 0);
4891 } else if (res != OCI_SUCCESS) {
4892 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4893 ocv_errorstr);
4894 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4895 MACSTR " frame=fils-reassoc-req error=%s",
4896 MAC2STR(sta->addr), ocv_errorstr);
4897 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4898 }
4899 }
4900 #endif /* CONFIG_FILS && CONFIG_OCV */
4901
4902 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4903 elems.supp_op_classes_len);
4904
4905 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4906 elems.rrm_enabled &&
4907 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4908 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4909 sizeof(sta->rrm_enabled_capa));
4910
4911 if (elems.power_capab) {
4912 sta->min_tx_power = elems.power_capab[0];
4913 sta->max_tx_power = elems.power_capab[1];
4914 sta->power_capab = 1;
4915 } else {
4916 sta->power_capab = 0;
4917 }
4918
4919 return WLAN_STATUS_SUCCESS;
4920 }
4921
4922
send_deauth(struct hostapd_data *hapd, const u8 *addr, u16 reason_code)4923 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4924 u16 reason_code)
4925 {
4926 int send_len;
4927 struct ieee80211_mgmt reply;
4928
4929 os_memset(&reply, 0, sizeof(reply));
4930 reply.frame_control =
4931 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4932 os_memcpy(reply.da, addr, ETH_ALEN);
4933 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4934 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4935
4936 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4937 reply.u.deauth.reason_code = host_to_le16(reason_code);
4938
4939 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4940 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4941 strerror(errno));
4942 }
4943
4944
add_associated_sta(struct hostapd_data *hapd, struct sta_info *sta, int reassoc)4945 static int add_associated_sta(struct hostapd_data *hapd,
4946 struct sta_info *sta, int reassoc)
4947 {
4948 struct ieee80211_ht_capabilities ht_cap;
4949 struct ieee80211_vht_capabilities vht_cap;
4950 struct ieee80211_he_capabilities he_cap;
4951 int set = 1;
4952
4953 /*
4954 * Remove the STA entry to ensure the STA PS state gets cleared and
4955 * configuration gets updated. This is relevant for cases, such as
4956 * FT-over-the-DS, where a station re-associates back to the same AP but
4957 * skips the authentication flow, or if working with a driver that
4958 * does not support full AP client state.
4959 *
4960 * Skip this if the STA has already completed FT reassociation and the
4961 * TK has been configured since the TX/RX PN must not be reset to 0 for
4962 * the same key.
4963 *
4964 * FT-over-the-DS has a special case where the STA entry (and as such,
4965 * the TK) has not yet been configured to the driver depending on which
4966 * driver interface is used. For that case, allow add-STA operation to
4967 * be used (instead of set-STA). This is needed to allow mac80211-based
4968 * drivers to accept the STA parameter configuration. Since this is
4969 * after a new FT-over-DS exchange, a new TK has been derived, so key
4970 * reinstallation is not a concern for this case.
4971 */
4972 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR_SEC
4973 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4974 MAC2STR_SEC(sta->addr), sta->added_unassoc, sta->auth_alg,
4975 sta->ft_over_ds, reassoc,
4976 !!(sta->flags & WLAN_STA_AUTHORIZED),
4977 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4978 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4979
4980 if (!sta->added_unassoc &&
4981 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4982 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4983 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4984 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4985 hostapd_drv_sta_remove(hapd, sta->addr);
4986 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4987 set = 0;
4988
4989 /* Do not allow the FT-over-DS exception to be used more than
4990 * once per authentication exchange to guarantee a new TK is
4991 * used here */
4992 sta->ft_over_ds = 0;
4993 }
4994
4995 if (sta->flags & WLAN_STA_HT)
4996 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4997 #ifdef CONFIG_IEEE80211AC
4998 if (sta->flags & WLAN_STA_VHT)
4999 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
5000 #endif /* CONFIG_IEEE80211AC */
5001 #ifdef CONFIG_IEEE80211AX
5002 if (sta->flags & WLAN_STA_HE) {
5003 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
5004 sta->he_capab_len);
5005 }
5006 #endif /* CONFIG_IEEE80211AX */
5007
5008 /*
5009 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
5010 * will be set when the ACK frame for the (Re)Association Response frame
5011 * is processed (TX status driver event).
5012 */
5013 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
5014 sta->supported_rates, sta->supported_rates_len,
5015 sta->listen_interval,
5016 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
5017 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
5018 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
5019 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
5020 sta->he_6ghz_capab,
5021 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
5022 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
5023 set)) {
5024 hostapd_logger(hapd, sta->addr,
5025 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
5026 "Could not %s STA to kernel driver",
5027 set ? "set" : "add");
5028
5029 if (sta->added_unassoc) {
5030 hostapd_drv_sta_remove(hapd, sta->addr);
5031 sta->added_unassoc = 0;
5032 }
5033
5034 return -1;
5035 }
5036
5037 sta->added_unassoc = 0;
5038
5039 return 0;
5040 }
5041
5042
send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, const u8 *addr, u16 status_code, int reassoc, const u8 *ies, size_t ies_len, int rssi, int omit_rsnxe)5043 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
5044 const u8 *addr, u16 status_code, int reassoc,
5045 const u8 *ies, size_t ies_len, int rssi,
5046 int omit_rsnxe)
5047 {
5048 int send_len;
5049 u8 *buf;
5050 size_t buflen;
5051 struct ieee80211_mgmt *reply;
5052 u8 *p;
5053 u16 res = WLAN_STATUS_SUCCESS;
5054
5055 buflen = sizeof(struct ieee80211_mgmt) + 1024;
5056 #ifdef CONFIG_FILS
5057 if (sta && sta->fils_hlp_resp)
5058 buflen += wpabuf_len(sta->fils_hlp_resp);
5059 if (sta)
5060 buflen += 150;
5061 #endif /* CONFIG_FILS */
5062 #ifdef CONFIG_OWE
5063 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5064 buflen += 150;
5065 #endif /* CONFIG_OWE */
5066 #ifdef CONFIG_DPP2
5067 if (sta && sta->dpp_pfs)
5068 buflen += 5 + sta->dpp_pfs->curve->prime_len;
5069 #endif /* CONFIG_DPP2 */
5070 buf = os_zalloc(buflen);
5071 if (!buf) {
5072 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5073 goto done;
5074 }
5075 reply = (struct ieee80211_mgmt *) buf;
5076 reply->frame_control =
5077 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
5078 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
5079 WLAN_FC_STYPE_ASSOC_RESP));
5080 os_memcpy(reply->da, addr, ETH_ALEN);
5081 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
5082 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
5083
5084 send_len = IEEE80211_HDRLEN;
5085 send_len += sizeof(reply->u.assoc_resp);
5086 reply->u.assoc_resp.capab_info =
5087 host_to_le16(hostapd_own_capab_info(hapd));
5088 reply->u.assoc_resp.status_code = host_to_le16(status_code);
5089
5090 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
5091 BIT(14) | BIT(15));
5092 /* Supported rates */
5093 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
5094 /* Extended supported rates */
5095 p = hostapd_eid_ext_supp_rates(hapd, p);
5096
5097 /* Radio measurement capabilities */
5098 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
5099
5100 #ifdef CONFIG_MBO
5101 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
5102 rssi != 0) {
5103 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
5104
5105 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
5106 delta);
5107 }
5108 #endif /* CONFIG_MBO */
5109
5110 #ifdef CONFIG_IEEE80211R_AP
5111 if (sta && status_code == WLAN_STATUS_SUCCESS) {
5112 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
5113 * Transition Information, RSN, [RIC Response] */
5114 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
5115 buf + buflen - p,
5116 sta->auth_alg, ies, ies_len,
5117 omit_rsnxe);
5118 if (!p) {
5119 wpa_printf(MSG_DEBUG,
5120 "FT: Failed to write AssocResp IEs");
5121 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5122 goto done;
5123 }
5124 }
5125 #endif /* CONFIG_IEEE80211R_AP */
5126 #ifdef CONFIG_FILS
5127 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5128 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5129 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5130 sta->auth_alg == WLAN_AUTH_FILS_PK))
5131 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
5132 buf + buflen - p,
5133 ies, ies_len);
5134 #endif /* CONFIG_FILS */
5135
5136 #ifdef CONFIG_OWE
5137 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5138 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5139 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
5140 buf + buflen - p,
5141 ies, ies_len);
5142 #endif /* CONFIG_OWE */
5143
5144 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
5145 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
5146
5147 p = hostapd_eid_ht_capabilities(hapd, p);
5148 p = hostapd_eid_ht_operation(hapd, p);
5149
5150 #ifdef CONFIG_IEEE80211AC
5151 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
5152 !is_6ghz_op_class(hapd->iconf->op_class)) {
5153 u32 nsts = 0, sta_nsts;
5154
5155 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
5156 struct ieee80211_vht_capabilities *capa;
5157
5158 nsts = (hapd->iface->conf->vht_capab >>
5159 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5160 capa = sta->vht_capabilities;
5161 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5162 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5163
5164 if (nsts < sta_nsts)
5165 nsts = 0;
5166 else
5167 nsts = sta_nsts;
5168 }
5169 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5170 p = hostapd_eid_vht_operation(hapd, p);
5171 }
5172 #endif /* CONFIG_IEEE80211AC */
5173
5174 #ifdef CONFIG_IEEE80211AX
5175 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5176 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5177 p = hostapd_eid_he_operation(hapd, p);
5178 p = hostapd_eid_spatial_reuse(hapd, p);
5179 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5180 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5181 }
5182 #endif /* CONFIG_IEEE80211AX */
5183
5184 p = hostapd_eid_ext_capab(hapd, p);
5185 p = hostapd_eid_bss_max_idle_period(hapd, p);
5186 if (sta && sta->qos_map_enabled)
5187 p = hostapd_eid_qos_map_set(hapd, p);
5188
5189 #ifdef CONFIG_FST
5190 if (hapd->iface->fst_ies) {
5191 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5192 wpabuf_len(hapd->iface->fst_ies));
5193 p += wpabuf_len(hapd->iface->fst_ies);
5194 }
5195 #endif /* CONFIG_FST */
5196
5197 #ifdef CONFIG_TESTING_OPTIONS
5198 if (hapd->conf->rsnxe_override_ft &&
5199 buf + buflen - p >=
5200 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5201 sta && sta->auth_alg == WLAN_AUTH_FT) {
5202 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5203 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5204 wpabuf_len(hapd->conf->rsnxe_override_ft));
5205 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5206 goto rsnxe_done;
5207 }
5208 #endif /* CONFIG_TESTING_OPTIONS */
5209 if (!omit_rsnxe)
5210 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5211 #ifdef CONFIG_TESTING_OPTIONS
5212 rsnxe_done:
5213 #endif /* CONFIG_TESTING_OPTIONS */
5214
5215 #ifdef CONFIG_OWE
5216 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5217 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5218 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5219 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5220 struct wpabuf *pub;
5221
5222 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5223 if (!pub) {
5224 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5225 goto done;
5226 }
5227 /* OWE Diffie-Hellman Parameter element */
5228 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5229 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5230 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5231 WPA_PUT_LE16(p, sta->owe_group);
5232 p += 2;
5233 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5234 p += wpabuf_len(pub);
5235 wpabuf_free(pub);
5236 }
5237 #endif /* CONFIG_OWE */
5238
5239 #ifdef CONFIG_DPP2
5240 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5241 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5242 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5243 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5244 wpabuf_len(sta->dpp_pfs->ie));
5245 p += wpabuf_len(sta->dpp_pfs->ie);
5246 }
5247 #endif /* CONFIG_DPP2 */
5248
5249 #ifdef CONFIG_IEEE80211AC
5250 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5251 p = hostapd_eid_vendor_vht(hapd, p);
5252 #endif /* CONFIG_IEEE80211AC */
5253
5254 if (sta && (sta->flags & WLAN_STA_WMM))
5255 p = hostapd_eid_wmm(hapd, p);
5256
5257 #ifdef CONFIG_WPS
5258 if (sta &&
5259 ((sta->flags & WLAN_STA_WPS) ||
5260 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5261 struct wpabuf *wps = wps_build_assoc_resp_ie();
5262 if (wps) {
5263 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5264 p += wpabuf_len(wps);
5265 wpabuf_free(wps);
5266 }
5267 }
5268 #endif /* CONFIG_WPS */
5269
5270 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5271 p = hostapd_eid_multi_ap(hapd, p);
5272
5273 #ifdef CONFIG_P2P
5274 if (sta && sta->p2p_ie && hapd->p2p_group) {
5275 struct wpabuf *p2p_resp_ie;
5276 enum p2p_status_code status;
5277 switch (status_code) {
5278 case WLAN_STATUS_SUCCESS:
5279 status = P2P_SC_SUCCESS;
5280 break;
5281 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5282 status = P2P_SC_FAIL_LIMIT_REACHED;
5283 break;
5284 default:
5285 status = P2P_SC_FAIL_INVALID_PARAMS;
5286 break;
5287 }
5288 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5289 if (p2p_resp_ie) {
5290 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5291 wpabuf_len(p2p_resp_ie));
5292 p += wpabuf_len(p2p_resp_ie);
5293 wpabuf_free(p2p_resp_ie);
5294 }
5295 }
5296 #endif /* CONFIG_P2P */
5297
5298 #ifdef CONFIG_P2P_MANAGER
5299 if (hapd->conf->p2p & P2P_MANAGE)
5300 p = hostapd_eid_p2p_manage(hapd, p);
5301 #endif /* CONFIG_P2P_MANAGER */
5302
5303 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5304
5305 if (hapd->conf->assocresp_elements &&
5306 (size_t) (buf + buflen - p) >=
5307 wpabuf_len(hapd->conf->assocresp_elements)) {
5308 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5309 wpabuf_len(hapd->conf->assocresp_elements));
5310 p += wpabuf_len(hapd->conf->assocresp_elements);
5311 }
5312
5313 send_len += p - reply->u.assoc_resp.variable;
5314
5315 #ifdef CONFIG_FILS
5316 if (sta &&
5317 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5318 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5319 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5320 status_code == WLAN_STATUS_SUCCESS) {
5321 struct ieee802_11_elems elems;
5322
5323 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5324 ParseFailed || !elems.fils_session) {
5325 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5326 goto done;
5327 }
5328
5329 /* FILS Session */
5330 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5331 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5332 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5333 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5334 send_len += 2 + 1 + FILS_SESSION_LEN;
5335
5336 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5337 buflen, sta->fils_hlp_resp);
5338 if (send_len < 0) {
5339 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5340 goto done;
5341 }
5342 }
5343 #endif /* CONFIG_FILS */
5344
5345 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5346 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5347 strerror(errno));
5348 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5349 }
5350
5351 done:
5352 os_free(buf);
5353 return res;
5354 }
5355
5356
5357 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta, const u8 *owe_dh, u8 owe_dh_len, u8 *owe_buf, size_t owe_buf_len, u16 *status)5358 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5359 const u8 *owe_dh, u8 owe_dh_len,
5360 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5361 {
5362 #ifdef CONFIG_TESTING_OPTIONS
5363 if (hapd->conf->own_ie_override) {
5364 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5365 *status = WLAN_STATUS_SUCCESS;
5366 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5367 owe_buf_len, NULL, 0);
5368 }
5369 #endif /* CONFIG_TESTING_OPTIONS */
5370
5371 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5372 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5373 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5374 owe_buf_len, NULL, 0);
5375 *status = WLAN_STATUS_SUCCESS;
5376 return owe_buf;
5377 }
5378
5379 if (sta->owe_pmk && sta->external_dh_updated) {
5380 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5381 *status = WLAN_STATUS_SUCCESS;
5382 return owe_buf;
5383 }
5384
5385 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5386 if (*status != WLAN_STATUS_SUCCESS)
5387 return NULL;
5388
5389 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5390 owe_buf_len, NULL, 0);
5391
5392 if (sta->owe_ecdh && owe_buf) {
5393 struct wpabuf *pub;
5394
5395 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5396 if (!pub) {
5397 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5398 return owe_buf;
5399 }
5400
5401 /* OWE Diffie-Hellman Parameter element */
5402 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5403 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5404 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5405 */
5406 WPA_PUT_LE16(owe_buf, sta->owe_group);
5407 owe_buf += 2;
5408 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5409 owe_buf += wpabuf_len(pub);
5410 wpabuf_free(pub);
5411 }
5412
5413 return owe_buf;
5414 }
5415 #endif /* CONFIG_OWE */
5416
5417
5418 #ifdef CONFIG_FILS
5419
fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)5420 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5421 {
5422 u16 reply_res;
5423
5424 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR_SEC,
5425 MAC2STR_SEC(sta->addr));
5426 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5427 if (!sta->fils_pending_assoc_req)
5428 return;
5429 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5430 sta->fils_pending_assoc_is_reassoc,
5431 sta->fils_pending_assoc_req,
5432 sta->fils_pending_assoc_req_len, 0, 0);
5433 os_free(sta->fils_pending_assoc_req);
5434 sta->fils_pending_assoc_req = NULL;
5435 sta->fils_pending_assoc_req_len = 0;
5436 wpabuf_free(sta->fils_hlp_resp);
5437 sta->fils_hlp_resp = NULL;
5438 wpabuf_free(sta->hlp_dhcp_discover);
5439 sta->hlp_dhcp_discover = NULL;
5440
5441 /*
5442 * Remove the station in case transmission of a success response fails.
5443 * At this point the station was already added associated to the driver.
5444 */
5445 if (reply_res != WLAN_STATUS_SUCCESS)
5446 hostapd_drv_sta_remove(hapd, sta->addr);
5447 }
5448
5449
fils_hlp_timeout(void *eloop_ctx, void *eloop_data)5450 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5451 {
5452 struct hostapd_data *hapd = eloop_ctx;
5453 struct sta_info *sta = eloop_data;
5454
5455 wpa_printf(MSG_DEBUG,
5456 "FILS: HLP response timeout - continue with association response for "
5457 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5458 if (sta->fils_drv_assoc_finish)
5459 hostapd_notify_assoc_fils_finish(hapd, sta);
5460 else
5461 fils_hlp_finish_assoc(hapd, sta);
5462 }
5463
5464 #endif /* CONFIG_FILS */
5465
5466
handle_assoc(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int reassoc, int rssi)5467 static void handle_assoc(struct hostapd_data *hapd,
5468 const struct ieee80211_mgmt *mgmt, size_t len,
5469 int reassoc, int rssi)
5470 {
5471 u16 capab_info, listen_interval, seq_ctrl, fc;
5472 int resp = WLAN_STATUS_SUCCESS;
5473 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5474 const u8 *pos;
5475 int left, i;
5476 struct sta_info *sta;
5477 u8 *tmp = NULL;
5478 #ifdef CONFIG_FILS
5479 int delay_assoc = 0;
5480 #endif /* CONFIG_FILS */
5481 int omit_rsnxe = 0;
5482
5483 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5484 sizeof(mgmt->u.assoc_req))) {
5485 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5486 reassoc, (unsigned long) len);
5487 return;
5488 }
5489
5490 #ifdef CONFIG_TESTING_OPTIONS
5491 if (reassoc) {
5492 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5493 drand48() < hapd->iconf->ignore_reassoc_probability) {
5494 wpa_printf(MSG_INFO,
5495 "TESTING: ignoring reassoc request from "
5496 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5497 return;
5498 }
5499 } else {
5500 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5501 drand48() < hapd->iconf->ignore_assoc_probability) {
5502 wpa_printf(MSG_INFO,
5503 "TESTING: ignoring assoc request from "
5504 MACSTR_SEC, MAC2STR_SEC(mgmt->sa));
5505 return;
5506 }
5507 }
5508 #endif /* CONFIG_TESTING_OPTIONS */
5509
5510 fc = le_to_host16(mgmt->frame_control);
5511 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5512
5513 if (reassoc) {
5514 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5515 listen_interval = le_to_host16(
5516 mgmt->u.reassoc_req.listen_interval);
5517 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR_SEC
5518 " capab_info=0x%02x listen_interval=%d current_ap="
5519 MACSTR_SEC " seq_ctrl=0x%x%s",
5520 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5521 MAC2STR_SEC(mgmt->u.reassoc_req.current_ap),
5522 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5523 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5524 pos = mgmt->u.reassoc_req.variable;
5525 } else {
5526 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5527 listen_interval = le_to_host16(
5528 mgmt->u.assoc_req.listen_interval);
5529 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR_SEC
5530 " capab_info=0x%02x listen_interval=%d "
5531 "seq_ctrl=0x%x%s",
5532 MAC2STR_SEC(mgmt->sa), capab_info, listen_interval,
5533 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5534 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5535 pos = mgmt->u.assoc_req.variable;
5536 }
5537
5538 sta = ap_get_sta(hapd, mgmt->sa);
5539 #ifdef CONFIG_IEEE80211R_AP
5540 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5541 (sta->flags & WLAN_STA_AUTH) == 0) {
5542 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR_SEC " to associate "
5543 "prior to authentication since it is using "
5544 "over-the-DS FT", MAC2STR_SEC(mgmt->sa));
5545
5546 /*
5547 * Mark station as authenticated, to avoid adding station
5548 * entry in the driver as associated and not authenticated
5549 */
5550 sta->flags |= WLAN_STA_AUTH;
5551 } else
5552 #endif /* CONFIG_IEEE80211R_AP */
5553 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5554 if (hapd->iface->current_mode &&
5555 hapd->iface->current_mode->mode ==
5556 HOSTAPD_MODE_IEEE80211AD) {
5557 int acl_res;
5558 struct radius_sta info;
5559
5560 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5561 (const u8 *) mgmt,
5562 len, &info);
5563 if (acl_res == HOSTAPD_ACL_REJECT) {
5564 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5565 "Ignore Association Request frame from "
5566 MACSTR " due to ACL reject",
5567 MAC2STR(mgmt->sa));
5568 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5569 goto fail;
5570 }
5571 if (acl_res == HOSTAPD_ACL_PENDING)
5572 return;
5573
5574 /* DMG/IEEE 802.11ad does not use authentication.
5575 * Allocate sta entry upon association. */
5576 sta = ap_sta_add(hapd, mgmt->sa);
5577 if (!sta) {
5578 hostapd_logger(hapd, mgmt->sa,
5579 HOSTAPD_MODULE_IEEE80211,
5580 HOSTAPD_LEVEL_INFO,
5581 "Failed to add STA");
5582 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5583 goto fail;
5584 }
5585
5586 acl_res = ieee802_11_set_radius_info(
5587 hapd, sta, acl_res, &info);
5588 if (acl_res) {
5589 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5590 goto fail;
5591 }
5592
5593 hostapd_logger(hapd, sta->addr,
5594 HOSTAPD_MODULE_IEEE80211,
5595 HOSTAPD_LEVEL_DEBUG,
5596 "Skip authentication for DMG/IEEE 802.11ad");
5597 sta->flags |= WLAN_STA_AUTH;
5598 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5599 sta->auth_alg = WLAN_AUTH_OPEN;
5600 } else {
5601 hostapd_logger(hapd, mgmt->sa,
5602 HOSTAPD_MODULE_IEEE80211,
5603 HOSTAPD_LEVEL_INFO,
5604 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5605 sta ? sta->aid : -1,
5606 sta ? sta->flags : 0);
5607 send_deauth(hapd, mgmt->sa,
5608 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5609 return;
5610 }
5611 }
5612
5613 if ((fc & WLAN_FC_RETRY) &&
5614 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5615 sta->last_seq_ctrl == seq_ctrl &&
5616 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5617 WLAN_FC_STYPE_ASSOC_REQ)) {
5618 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5619 HOSTAPD_LEVEL_DEBUG,
5620 "Drop repeated association frame seq_ctrl=0x%x",
5621 seq_ctrl);
5622 return;
5623 }
5624 sta->last_seq_ctrl = seq_ctrl;
5625 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5626 WLAN_FC_STYPE_ASSOC_REQ;
5627
5628 if (hapd->tkip_countermeasures) {
5629 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5630 goto fail;
5631 }
5632
5633 if (listen_interval > hapd->conf->max_listen_interval) {
5634 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5635 HOSTAPD_LEVEL_DEBUG,
5636 "Too large Listen Interval (%d)",
5637 listen_interval);
5638 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5639 goto fail;
5640 }
5641
5642 #ifdef CONFIG_MBO
5643 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5644 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5645 goto fail;
5646 }
5647
5648 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5649 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5650 (sta->auth_rssi == 0 ||
5651 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5652 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5653 goto fail;
5654 }
5655 #endif /* CONFIG_MBO */
5656
5657 /*
5658 * sta->capability is used in check_assoc_ies() for RRM enabled
5659 * capability element.
5660 */
5661 sta->capability = capab_info;
5662
5663 #ifdef CONFIG_FILS
5664 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5665 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5666 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5667 int res;
5668
5669 /* The end of the payload is encrypted. Need to decrypt it
5670 * before parsing. */
5671
5672 tmp = os_memdup(pos, left);
5673 if (!tmp) {
5674 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5675 goto fail;
5676 }
5677
5678 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5679 len, tmp, left);
5680 if (res < 0) {
5681 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5682 goto fail;
5683 }
5684 pos = tmp;
5685 left = res;
5686 }
5687 #endif /* CONFIG_FILS */
5688
5689 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5690 * is used */
5691 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5692 if (resp != WLAN_STATUS_SUCCESS)
5693 goto fail;
5694 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5695
5696 if (hostapd_get_aid(hapd, sta) < 0) {
5697 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5698 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5699 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5700 goto fail;
5701 }
5702
5703 sta->listen_interval = listen_interval;
5704
5705 if (hapd->iface->current_mode &&
5706 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5707 sta->flags |= WLAN_STA_NONERP;
5708 for (i = 0; i < sta->supported_rates_len; i++) {
5709 if ((sta->supported_rates[i] & 0x7f) > 22) {
5710 sta->flags &= ~WLAN_STA_NONERP;
5711 break;
5712 }
5713 }
5714 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5715 sta->nonerp_set = 1;
5716 hapd->iface->num_sta_non_erp++;
5717 if (hapd->iface->num_sta_non_erp == 1)
5718 ieee802_11_set_beacons(hapd->iface);
5719 }
5720
5721 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5722 !sta->no_short_slot_time_set) {
5723 sta->no_short_slot_time_set = 1;
5724 hapd->iface->num_sta_no_short_slot_time++;
5725 if (hapd->iface->current_mode &&
5726 hapd->iface->current_mode->mode ==
5727 HOSTAPD_MODE_IEEE80211G &&
5728 hapd->iface->num_sta_no_short_slot_time == 1)
5729 ieee802_11_set_beacons(hapd->iface);
5730 }
5731
5732 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5733 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5734 else
5735 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5736
5737 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5738 !sta->no_short_preamble_set) {
5739 sta->no_short_preamble_set = 1;
5740 hapd->iface->num_sta_no_short_preamble++;
5741 if (hapd->iface->current_mode &&
5742 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5743 && hapd->iface->num_sta_no_short_preamble == 1)
5744 ieee802_11_set_beacons(hapd->iface);
5745 }
5746
5747 update_ht_state(hapd, sta);
5748
5749 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5750 HOSTAPD_LEVEL_DEBUG,
5751 "association OK (aid %d)", sta->aid);
5752 /* Station will be marked associated, after it acknowledges AssocResp
5753 */
5754 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5755
5756 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5757 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5758 "SA Query procedure", reassoc ? "re" : "");
5759 /* TODO: Send a protected Disassociate frame to the STA using
5760 * the old key and Reason Code "Previous Authentication no
5761 * longer valid". Make sure this is only sent protected since
5762 * unprotected frame would be received by the STA that is now
5763 * trying to associate.
5764 */
5765 }
5766
5767 /* Make sure that the previously registered inactivity timer will not
5768 * remove the STA immediately. */
5769 sta->timeout_next = STA_NULLFUNC;
5770
5771 #ifdef CONFIG_TAXONOMY
5772 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5773 #endif /* CONFIG_TAXONOMY */
5774
5775 sta->pending_wds_enable = 0;
5776
5777 #ifdef CONFIG_FILS
5778 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5779 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5780 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5781 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5782 delay_assoc = 1;
5783 }
5784 #endif /* CONFIG_FILS */
5785
5786 fail:
5787
5788 /*
5789 * In case of a successful response, add the station to the driver.
5790 * Otherwise, the kernel may ignore Data frames before we process the
5791 * ACK frame (TX status). In case of a failure, this station will be
5792 * removed.
5793 *
5794 * Note that this is not compliant with the IEEE 802.11 standard that
5795 * states that a non-AP station should transition into the
5796 * authenticated/associated state only after the station acknowledges
5797 * the (Re)Association Response frame. However, still do this as:
5798 *
5799 * 1. In case the station does not acknowledge the (Re)Association
5800 * Response frame, it will be removed.
5801 * 2. Data frames will be dropped in the kernel until the station is
5802 * set into authorized state, and there are no significant known
5803 * issues with processing other non-Data Class 3 frames during this
5804 * window.
5805 */
5806 if (resp == WLAN_STATUS_SUCCESS && sta &&
5807 add_associated_sta(hapd, sta, reassoc))
5808 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5809
5810 #ifdef CONFIG_FILS
5811 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5812 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5813 sta->fils_pending_assoc_req) {
5814 /* Do not reschedule fils_hlp_timeout in case the station
5815 * retransmits (Re)Association Request frame while waiting for
5816 * the previously started FILS HLP wait, so that the timeout can
5817 * be determined from the first pending attempt. */
5818 wpa_printf(MSG_DEBUG,
5819 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5820 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5821 os_free(tmp);
5822 return;
5823 }
5824 if (sta) {
5825 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5826 os_free(sta->fils_pending_assoc_req);
5827 sta->fils_pending_assoc_req = NULL;
5828 sta->fils_pending_assoc_req_len = 0;
5829 wpabuf_free(sta->fils_hlp_resp);
5830 sta->fils_hlp_resp = NULL;
5831 }
5832 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5833 sta->fils_pending_assoc_req = tmp;
5834 sta->fils_pending_assoc_req_len = left;
5835 sta->fils_pending_assoc_is_reassoc = reassoc;
5836 sta->fils_drv_assoc_finish = 0;
5837 wpa_printf(MSG_DEBUG,
5838 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5839 MACSTR_SEC, MAC2STR_SEC(sta->addr));
5840 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5841 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5842 fils_hlp_timeout, hapd, sta);
5843 return;
5844 }
5845 #endif /* CONFIG_FILS */
5846
5847 if (resp >= 0)
5848 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5849 pos, left, rssi, omit_rsnxe);
5850 os_free(tmp);
5851
5852 /*
5853 * Remove the station in case transmission of a success response fails
5854 * (the STA was added associated to the driver) or if the station was
5855 * previously added unassociated.
5856 */
5857 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5858 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5859 hostapd_drv_sta_remove(hapd, sta->addr);
5860 sta->added_unassoc = 0;
5861 }
5862 }
5863
5864
handle_disassoc(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len)5865 static void handle_disassoc(struct hostapd_data *hapd,
5866 const struct ieee80211_mgmt *mgmt, size_t len)
5867 {
5868 struct sta_info *sta;
5869
5870 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5871 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5872 (unsigned long) len);
5873 return;
5874 }
5875
5876 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR_SEC " reason_code=%d",
5877 MAC2STR_SEC(mgmt->sa),
5878 le_to_host16(mgmt->u.disassoc.reason_code));
5879
5880 sta = ap_get_sta(hapd, mgmt->sa);
5881 if (sta == NULL) {
5882 wpa_printf(MSG_INFO, "Station " MACSTR_SEC " trying to disassociate, but it is not associated",
5883 MAC2STR_SEC(mgmt->sa));
5884 return;
5885 }
5886
5887 ap_sta_set_authorized(hapd, sta, 0);
5888 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5889 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5890 hostapd_set_sta_flags(hapd, sta);
5891 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5892 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5893 HOSTAPD_LEVEL_INFO, "disassociated");
5894 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5895 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5896 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5897 * authenticated. */
5898 accounting_sta_stop(hapd, sta);
5899 ieee802_1x_free_station(hapd, sta);
5900 if (sta->ipaddr)
5901 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5902 ap_sta_ip6addr_del(hapd, sta);
5903 hostapd_drv_sta_remove(hapd, sta->addr);
5904 sta->added_unassoc = 0;
5905
5906 if (sta->timeout_next == STA_NULLFUNC ||
5907 sta->timeout_next == STA_DISASSOC) {
5908 sta->timeout_next = STA_DEAUTH;
5909 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5910 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5911 hapd, sta);
5912 }
5913
5914 mlme_disassociate_indication(
5915 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5916
5917 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5918 * disassociation. */
5919 if (hapd->iface->current_mode &&
5920 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5921 sta->flags &= ~WLAN_STA_AUTH;
5922 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5923 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5924 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5925 ap_free_sta(hapd, sta);
5926 }
5927 }
5928
5929
handle_deauth(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len)5930 static void handle_deauth(struct hostapd_data *hapd,
5931 const struct ieee80211_mgmt *mgmt, size_t len)
5932 {
5933 struct sta_info *sta;
5934
5935 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5936 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5937 "payload (len=%lu)", (unsigned long) len);
5938 return;
5939 }
5940
5941 wpa_msg_only_for_cb(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5942 " reason_code=%d",
5943 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5944 wpa_printf(MSG_DEBUG, "deauthentication: STA=" MACSTR_SEC
5945 " reason_code=%d",
5946 MAC2STR_SEC(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5947
5948 /* Clear the PTKSA cache entries for PASN */
5949 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5950
5951 sta = ap_get_sta(hapd, mgmt->sa);
5952 if (sta == NULL) {
5953 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5954 "to deauthenticate, but it is not authenticated",
5955 MAC2STR(mgmt->sa));
5956 return;
5957 }
5958
5959 ap_sta_set_authorized(hapd, sta, 0);
5960 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5961 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5962 WLAN_STA_ASSOC_REQ_OK);
5963 hostapd_set_sta_flags(hapd, sta);
5964 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5965 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5966 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5967 mlme_deauthenticate_indication(
5968 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5969 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5970 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5971 ap_free_sta(hapd, sta);
5972 }
5973
5974
handle_beacon(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, struct hostapd_frame_info *fi)5975 static void handle_beacon(struct hostapd_data *hapd,
5976 const struct ieee80211_mgmt *mgmt, size_t len,
5977 struct hostapd_frame_info *fi)
5978 {
5979 struct ieee802_11_elems elems;
5980
5981 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5982 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5983 (unsigned long) len);
5984 return;
5985 }
5986
5987 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5988 len - (IEEE80211_HDRLEN +
5989 sizeof(mgmt->u.beacon)), &elems,
5990 0);
5991
5992 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5993 }
5994
5995
robust_action_frame(u8 category)5996 static int robust_action_frame(u8 category)
5997 {
5998 return category != WLAN_ACTION_PUBLIC &&
5999 category != WLAN_ACTION_HT;
6000 }
6001
6002
handle_action(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, unsigned int freq)6003 static int handle_action(struct hostapd_data *hapd,
6004 const struct ieee80211_mgmt *mgmt, size_t len,
6005 unsigned int freq)
6006 {
6007 struct sta_info *sta;
6008 u8 *action __maybe_unused;
6009
6010 if (len < IEEE80211_HDRLEN + 2 + 1) {
6011 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6012 HOSTAPD_LEVEL_DEBUG,
6013 "handle_action - too short payload (len=%lu)",
6014 (unsigned long) len);
6015 return 0;
6016 }
6017
6018 action = (u8 *) &mgmt->u.action.u;
6019 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR_SEC
6020 " da " MACSTR_SEC " len %d freq %u",
6021 mgmt->u.action.category, *action,
6022 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), (int) len, freq);
6023
6024 sta = ap_get_sta(hapd, mgmt->sa);
6025
6026 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6027 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6028 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6029 "frame (category=%u) from unassociated STA " MACSTR_SEC,
6030 mgmt->u.action.category, MAC2STR_SEC(mgmt->sa));
6031 return 0;
6032 }
6033
6034 if (sta && (sta->flags & WLAN_STA_MFP) &&
6035 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6036 robust_action_frame(mgmt->u.action.category)) {
6037 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6038 HOSTAPD_LEVEL_DEBUG,
6039 "Dropped unprotected Robust Action frame from "
6040 "an MFP STA");
6041 return 0;
6042 }
6043
6044 if (sta) {
6045 u16 fc = le_to_host16(mgmt->frame_control);
6046 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6047
6048 if ((fc & WLAN_FC_RETRY) &&
6049 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6050 sta->last_seq_ctrl == seq_ctrl &&
6051 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6052 hostapd_logger(hapd, sta->addr,
6053 HOSTAPD_MODULE_IEEE80211,
6054 HOSTAPD_LEVEL_DEBUG,
6055 "Drop repeated action frame seq_ctrl=0x%x",
6056 seq_ctrl);
6057 return 1;
6058 }
6059
6060 sta->last_seq_ctrl = seq_ctrl;
6061 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6062 }
6063
6064 switch (mgmt->u.action.category) {
6065 #ifdef CONFIG_IEEE80211R_AP
6066 case WLAN_ACTION_FT:
6067 if (!sta ||
6068 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6069 len - IEEE80211_HDRLEN))
6070 break;
6071 return 1;
6072 #endif /* CONFIG_IEEE80211R_AP */
6073 case WLAN_ACTION_WMM:
6074 hostapd_wmm_action(hapd, mgmt, len);
6075 return 1;
6076 case WLAN_ACTION_SA_QUERY:
6077 ieee802_11_sa_query_action(hapd, mgmt, len);
6078 return 1;
6079 #ifdef CONFIG_WNM_AP
6080 case WLAN_ACTION_WNM:
6081 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6082 return 1;
6083 #endif /* CONFIG_WNM_AP */
6084 #ifdef CONFIG_FST
6085 case WLAN_ACTION_FST:
6086 if (hapd->iface->fst)
6087 fst_rx_action(hapd->iface->fst, mgmt, len);
6088 else
6089 wpa_printf(MSG_DEBUG,
6090 "FST: Ignore FST Action frame - no FST attached");
6091 return 1;
6092 #endif /* CONFIG_FST */
6093 case WLAN_ACTION_PUBLIC:
6094 case WLAN_ACTION_PROTECTED_DUAL:
6095 if (len >= IEEE80211_HDRLEN + 2 &&
6096 mgmt->u.action.u.public_action.action ==
6097 WLAN_PA_20_40_BSS_COEX) {
6098 hostapd_2040_coex_action(hapd, mgmt, len);
6099 return 1;
6100 }
6101 #ifdef CONFIG_DPP
6102 if (len >= IEEE80211_HDRLEN + 6 &&
6103 mgmt->u.action.u.vs_public_action.action ==
6104 WLAN_PA_VENDOR_SPECIFIC &&
6105 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6106 OUI_WFA &&
6107 mgmt->u.action.u.vs_public_action.variable[0] ==
6108 DPP_OUI_TYPE) {
6109 const u8 *pos, *end;
6110
6111 pos = mgmt->u.action.u.vs_public_action.oui;
6112 end = ((const u8 *) mgmt) + len;
6113 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6114 freq);
6115 return 1;
6116 }
6117 if (len >= IEEE80211_HDRLEN + 2 &&
6118 (mgmt->u.action.u.public_action.action ==
6119 WLAN_PA_GAS_INITIAL_RESP ||
6120 mgmt->u.action.u.public_action.action ==
6121 WLAN_PA_GAS_COMEBACK_RESP)) {
6122 const u8 *pos, *end;
6123
6124 pos = &mgmt->u.action.u.public_action.action;
6125 end = ((const u8 *) mgmt) + len;
6126 gas_query_ap_rx(hapd->gas, mgmt->sa,
6127 mgmt->u.action.category,
6128 pos, end - pos, hapd->iface->freq);
6129 return 1;
6130 }
6131 #endif /* CONFIG_DPP */
6132 if (hapd->public_action_cb) {
6133 hapd->public_action_cb(hapd->public_action_cb_ctx,
6134 (u8 *) mgmt, len,
6135 hapd->iface->freq);
6136 }
6137 if (hapd->public_action_cb2) {
6138 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6139 (u8 *) mgmt, len,
6140 hapd->iface->freq);
6141 }
6142 if (hapd->public_action_cb || hapd->public_action_cb2)
6143 return 1;
6144 break;
6145 case WLAN_ACTION_VENDOR_SPECIFIC:
6146 if (hapd->vendor_action_cb) {
6147 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6148 (u8 *) mgmt, len,
6149 hapd->iface->freq) == 0)
6150 return 1;
6151 }
6152 break;
6153 case WLAN_ACTION_RADIO_MEASUREMENT:
6154 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6155 return 1;
6156 }
6157
6158 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6159 HOSTAPD_LEVEL_DEBUG,
6160 "handle_action - unknown action category %d or invalid "
6161 "frame",
6162 mgmt->u.action.category);
6163 if (!is_multicast_ether_addr(mgmt->da) &&
6164 !(mgmt->u.action.category & 0x80) &&
6165 !is_multicast_ether_addr(mgmt->sa)) {
6166 struct ieee80211_mgmt *resp;
6167
6168 /*
6169 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6170 * Return the Action frame to the source without change
6171 * except that MSB of the Category set to 1.
6172 */
6173 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6174 "frame back to sender");
6175 resp = os_memdup(mgmt, len);
6176 if (resp == NULL)
6177 return 0;
6178 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6179 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6180 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6181 resp->u.action.category |= 0x80;
6182
6183 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6184 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6185 "Action frame");
6186 }
6187 os_free(resp);
6188 }
6189
6190 return 1;
6191 }
6192
6193
6194 /**
6195 * notify_mgmt_frame - Notify of Management frames on the control interface
6196 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6197 * sent to)
6198 * @buf: Management frame data (starting from the IEEE 802.11 header)
6199 * @len: Length of frame data in octets
6200 *
6201 * Notify the control interface of any received Management frame.
6202 */
notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf, size_t len)6203 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6204 size_t len)
6205 {
6206
6207 int hex_len = len * 2 + 1;
6208 char *hex = os_malloc(hex_len);
6209
6210 if (hex) {
6211 wpa_snprintf_hex(hex, hex_len, buf, len);
6212 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6213 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6214 os_free(hex);
6215 }
6216 }
6217
6218
6219 /**
6220 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6221 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6222 * sent to)
6223 * @buf: management frame data (starting from IEEE 802.11 header)
6224 * @len: length of frame data in octets
6225 * @fi: meta data about received frame (signal level, etc.)
6226 *
6227 * Process all incoming IEEE 802.11 management frames. This will be called for
6228 * each frame received from the kernel driver through wlan#ap interface. In
6229 * addition, it can be called to re-inserted pending frames (e.g., when using
6230 * external RADIUS server as an MAC ACL).
6231 */
ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, struct hostapd_frame_info *fi)6232 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6233 struct hostapd_frame_info *fi)
6234 {
6235 struct ieee80211_mgmt *mgmt;
6236 u16 fc, stype;
6237 int ret = 0;
6238 unsigned int freq;
6239 int ssi_signal = fi ? fi->ssi_signal : 0;
6240
6241 if (len < 24)
6242 return 0;
6243
6244 if (fi && fi->freq)
6245 freq = fi->freq;
6246 else
6247 freq = hapd->iface->freq;
6248
6249 mgmt = (struct ieee80211_mgmt *) buf;
6250 fc = le_to_host16(mgmt->frame_control);
6251 stype = WLAN_FC_GET_STYPE(fc);
6252
6253 if (is_multicast_ether_addr(mgmt->sa) ||
6254 is_zero_ether_addr(mgmt->sa) ||
6255 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6256 /* Do not process any frames with unexpected/invalid SA so that
6257 * we do not add any state for unexpected STA addresses or end
6258 * up sending out frames to unexpected destination. */
6259 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR_SEC
6260 " in received frame - ignore this frame silently",
6261 MAC2STR_SEC(mgmt->sa));
6262 return 0;
6263 }
6264
6265 if (stype == WLAN_FC_STYPE_BEACON) {
6266 handle_beacon(hapd, mgmt, len, fi);
6267 return 1;
6268 }
6269
6270 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6271 #ifdef CONFIG_P2P
6272 /* Invitation responses can be sent with the peer MAC as BSSID */
6273 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6274 stype == WLAN_FC_STYPE_ACTION) &&
6275 #endif /* CONFIG_P2P */
6276 #ifdef CONFIG_MESH
6277 !(hapd->conf->mesh & MESH_ENABLED) &&
6278 #endif /* CONFIG_MESH */
6279 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6280 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR_SEC " not our address",
6281 MAC2STR_SEC(mgmt->bssid));
6282 return 0;
6283 }
6284
6285 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6286 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR_SEC " DA=" MACSTR_SEC " subtype=%u)",
6287 MAC2STR_SEC(mgmt->sa), MAC2STR_SEC(mgmt->da), stype);
6288 return 1;
6289 }
6290
6291 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6292 handle_probe_req(hapd, mgmt, len, ssi_signal);
6293 return 1;
6294 }
6295
6296 if ((!is_broadcast_ether_addr(mgmt->da) ||
6297 stype != WLAN_FC_STYPE_ACTION) &&
6298 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6299 hostapd_logger_only_for_cb(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6300 HOSTAPD_LEVEL_DEBUG,
6301 "MGMT: DA=" MACSTR " not our address",
6302 MAC2STR(mgmt->da));
6303 wpa_printf(MSG_DEBUG, "MGMT: DA=" MACSTR_SEC " not our address",
6304 MAC2STR_SEC(mgmt->da));
6305 return 0;
6306 }
6307
6308 if (hapd->iconf->track_sta_max_num)
6309 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6310
6311 if (hapd->conf->notify_mgmt_frames)
6312 notify_mgmt_frame(hapd, buf, len);
6313
6314 switch (stype) {
6315 case WLAN_FC_STYPE_AUTH:
6316 wpa_printf(MSG_DEBUG, "mgmt::auth");
6317 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6318 ret = 1;
6319 break;
6320 case WLAN_FC_STYPE_ASSOC_REQ:
6321 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6322 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6323 ret = 1;
6324 break;
6325 case WLAN_FC_STYPE_REASSOC_REQ:
6326 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6327 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6328 ret = 1;
6329 break;
6330 case WLAN_FC_STYPE_DISASSOC:
6331 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6332 handle_disassoc(hapd, mgmt, len);
6333 ret = 1;
6334 break;
6335 case WLAN_FC_STYPE_DEAUTH:
6336 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6337 handle_deauth(hapd, mgmt, len);
6338 ret = 1;
6339 break;
6340 case WLAN_FC_STYPE_ACTION:
6341 wpa_printf(MSG_DEBUG, "mgmt::action");
6342 ret = handle_action(hapd, mgmt, len, freq);
6343 break;
6344 default:
6345 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6346 HOSTAPD_LEVEL_DEBUG,
6347 "unknown mgmt frame subtype %d", stype);
6348 break;
6349 }
6350
6351 return ret;
6352 }
6353
6354
handle_auth_cb(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int ok)6355 static void handle_auth_cb(struct hostapd_data *hapd,
6356 const struct ieee80211_mgmt *mgmt,
6357 size_t len, int ok)
6358 {
6359 u16 auth_alg, auth_transaction, status_code;
6360 struct sta_info *sta;
6361 bool success_status;
6362
6363 sta = ap_get_sta(hapd, mgmt->da);
6364 if (!sta) {
6365 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR_SEC
6366 " not found",
6367 MAC2STR_SEC(mgmt->da));
6368 return;
6369 }
6370
6371 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6372 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6373 (unsigned long) len);
6374 auth_alg = 0;
6375 auth_transaction = 0;
6376 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6377 goto fail;
6378 }
6379
6380 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6381 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6382 status_code = le_to_host16(mgmt->u.auth.status_code);
6383
6384 if (!ok) {
6385 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6386 HOSTAPD_LEVEL_NOTICE,
6387 "did not acknowledge authentication response");
6388 goto fail;
6389 }
6390
6391 if (status_code == WLAN_STATUS_SUCCESS &&
6392 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6393 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6394 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6395 HOSTAPD_LEVEL_INFO, "authenticated");
6396 sta->flags |= WLAN_STA_AUTH;
6397 if (sta->added_unassoc)
6398 hostapd_set_sta_flags(hapd, sta);
6399 return;
6400 }
6401
6402 fail:
6403 success_status = status_code == WLAN_STATUS_SUCCESS;
6404 #ifdef CONFIG_SAE
6405 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6406 success_status = sae_status_success(hapd, status_code);
6407 #endif /* CONFIG_SAE */
6408 if (!success_status && sta->added_unassoc) {
6409 hostapd_drv_sta_remove(hapd, sta->addr);
6410 sta->added_unassoc = 0;
6411 }
6412 }
6413
6414
hostapd_set_wds_encryption(struct hostapd_data *hapd, struct sta_info *sta, char *ifname_wds)6415 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6416 struct sta_info *sta,
6417 char *ifname_wds)
6418 {
6419 #ifdef CONFIG_WEP
6420 int i;
6421 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6422
6423 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6424 return;
6425
6426 for (i = 0; i < 4; i++) {
6427 if (ssid->wep.key[i] &&
6428 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6429 0, i == ssid->wep.idx, NULL, 0,
6430 ssid->wep.key[i], ssid->wep.len[i],
6431 i == ssid->wep.idx ?
6432 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6433 KEY_FLAG_GROUP_RX_TX)) {
6434 wpa_printf(MSG_WARNING,
6435 "Could not set WEP keys for WDS interface; %s",
6436 ifname_wds);
6437 break;
6438 }
6439 }
6440 #endif /* CONFIG_WEP */
6441 }
6442
6443
handle_assoc_cb(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int reassoc, int ok)6444 static void handle_assoc_cb(struct hostapd_data *hapd,
6445 const struct ieee80211_mgmt *mgmt,
6446 size_t len, int reassoc, int ok)
6447 {
6448 u16 status;
6449 struct sta_info *sta;
6450 int new_assoc = 1;
6451
6452 sta = ap_get_sta(hapd, mgmt->da);
6453 if (!sta) {
6454 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR_SEC " not found",
6455 MAC2STR_SEC(mgmt->da));
6456 return;
6457 }
6458
6459 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6460 sizeof(mgmt->u.assoc_resp))) {
6461 wpa_printf(MSG_INFO,
6462 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6463 reassoc, (unsigned long) len);
6464 hostapd_drv_sta_remove(hapd, sta->addr);
6465 return;
6466 }
6467
6468 if (reassoc)
6469 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6470 else
6471 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6472
6473 if (!ok) {
6474 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6475 HOSTAPD_LEVEL_DEBUG,
6476 "did not acknowledge association response");
6477 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6478 /* The STA is added only in case of SUCCESS */
6479 if (status == WLAN_STATUS_SUCCESS)
6480 hostapd_drv_sta_remove(hapd, sta->addr);
6481
6482 return;
6483 }
6484
6485 if (status != WLAN_STATUS_SUCCESS)
6486 return;
6487
6488 /* Stop previous accounting session, if one is started, and allocate
6489 * new session id for the new session. */
6490 accounting_sta_stop(hapd, sta);
6491
6492 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6493 HOSTAPD_LEVEL_INFO,
6494 "associated (aid %d)",
6495 sta->aid);
6496
6497 if (sta->flags & WLAN_STA_ASSOC)
6498 new_assoc = 0;
6499 sta->flags |= WLAN_STA_ASSOC;
6500 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6501 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6502 !hapd->conf->osen) ||
6503 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6504 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6505 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6506 sta->auth_alg == WLAN_AUTH_FT) {
6507 /*
6508 * Open, static WEP, FT protocol, or FILS; no separate
6509 * authorization step.
6510 */
6511 ap_sta_set_authorized(hapd, sta, 1);
6512 }
6513
6514 if (reassoc)
6515 mlme_reassociate_indication(hapd, sta);
6516 else
6517 mlme_associate_indication(hapd, sta);
6518
6519 sta->sa_query_timed_out = 0;
6520
6521 if (sta->eapol_sm == NULL) {
6522 /*
6523 * This STA does not use RADIUS server for EAP authentication,
6524 * so bind it to the selected VLAN interface now, since the
6525 * interface selection is not going to change anymore.
6526 */
6527 if (ap_sta_bind_vlan(hapd, sta) < 0)
6528 return;
6529 } else if (sta->vlan_id) {
6530 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6531 if (ap_sta_bind_vlan(hapd, sta) < 0)
6532 return;
6533 }
6534
6535 hostapd_set_sta_flags(hapd, sta);
6536
6537 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6538 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6539 MACSTR_SEC " based on pending request",
6540 MAC2STR_SEC(sta->addr));
6541 sta->pending_wds_enable = 0;
6542 sta->flags |= WLAN_STA_WDS;
6543 }
6544
6545 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6546 int ret;
6547 char ifname_wds[IFNAMSIZ + 1];
6548
6549 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6550 MACSTR_SEC " (aid %u)",
6551 MAC2STR_SEC(sta->addr), sta->aid);
6552 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6553 sta->aid, 1);
6554 if (!ret)
6555 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6556 }
6557
6558 if (sta->auth_alg == WLAN_AUTH_FT)
6559 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6560 else
6561 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6562 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6563 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6564
6565 #ifdef CONFIG_FILS
6566 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6567 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6568 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6569 fils_set_tk(sta->wpa_sm) < 0) {
6570 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6571 ap_sta_disconnect(hapd, sta, sta->addr,
6572 WLAN_REASON_UNSPECIFIED);
6573 return;
6574 }
6575 #endif /* CONFIG_FILS */
6576
6577 if (sta->pending_eapol_rx) {
6578 struct os_reltime now, age;
6579
6580 os_get_reltime(&now);
6581 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6582 if (age.sec == 0 && age.usec < 200000) {
6583 wpa_printf(MSG_DEBUG,
6584 "Process pending EAPOL frame that was received from " MACSTR_SEC " just before association notification",
6585 MAC2STR_SEC(sta->addr));
6586 ieee802_1x_receive(
6587 hapd, mgmt->da,
6588 wpabuf_head(sta->pending_eapol_rx->buf),
6589 wpabuf_len(sta->pending_eapol_rx->buf));
6590 }
6591 wpabuf_free(sta->pending_eapol_rx->buf);
6592 os_free(sta->pending_eapol_rx);
6593 sta->pending_eapol_rx = NULL;
6594 }
6595 }
6596
6597
handle_deauth_cb(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int ok)6598 static void handle_deauth_cb(struct hostapd_data *hapd,
6599 const struct ieee80211_mgmt *mgmt,
6600 size_t len, int ok)
6601 {
6602 struct sta_info *sta;
6603 if (is_multicast_ether_addr(mgmt->da))
6604 return;
6605 sta = ap_get_sta(hapd, mgmt->da);
6606 if (!sta) {
6607 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR_SEC
6608 " not found", MAC2STR_SEC(mgmt->da));
6609 return;
6610 }
6611 if (ok)
6612 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged deauth",
6613 MAC2STR_SEC(sta->addr));
6614 else
6615 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6616 "deauth", MAC2STR_SEC(sta->addr));
6617
6618 ap_sta_deauth_cb(hapd, sta);
6619 }
6620
6621
handle_disassoc_cb(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int ok)6622 static void handle_disassoc_cb(struct hostapd_data *hapd,
6623 const struct ieee80211_mgmt *mgmt,
6624 size_t len, int ok)
6625 {
6626 struct sta_info *sta;
6627 if (is_multicast_ether_addr(mgmt->da))
6628 return;
6629 sta = ap_get_sta(hapd, mgmt->da);
6630 if (!sta) {
6631 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR_SEC
6632 " not found", MAC2STR_SEC(mgmt->da));
6633 return;
6634 }
6635 if (ok)
6636 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " acknowledged disassoc",
6637 MAC2STR_SEC(sta->addr));
6638 else
6639 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " did not acknowledge "
6640 "disassoc", MAC2STR_SEC(sta->addr));
6641
6642 ap_sta_disassoc_cb(hapd, sta);
6643 }
6644
6645
handle_action_cb(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len, int ok)6646 static void handle_action_cb(struct hostapd_data *hapd,
6647 const struct ieee80211_mgmt *mgmt,
6648 size_t len, int ok)
6649 {
6650 struct sta_info *sta;
6651 const struct rrm_measurement_report_element *report;
6652
6653 if (is_multicast_ether_addr(mgmt->da))
6654 return;
6655 #ifdef CONFIG_DPP
6656 if (len >= IEEE80211_HDRLEN + 6 &&
6657 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6658 mgmt->u.action.u.vs_public_action.action ==
6659 WLAN_PA_VENDOR_SPECIFIC &&
6660 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6661 OUI_WFA &&
6662 mgmt->u.action.u.vs_public_action.variable[0] ==
6663 DPP_OUI_TYPE) {
6664 const u8 *pos, *end;
6665
6666 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6667 end = ((const u8 *) mgmt) + len;
6668 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6669 return;
6670 }
6671 if (len >= IEEE80211_HDRLEN + 2 &&
6672 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6673 (mgmt->u.action.u.public_action.action ==
6674 WLAN_PA_GAS_INITIAL_REQ ||
6675 mgmt->u.action.u.public_action.action ==
6676 WLAN_PA_GAS_COMEBACK_REQ)) {
6677 const u8 *pos, *end;
6678
6679 pos = mgmt->u.action.u.public_action.variable;
6680 end = ((const u8 *) mgmt) + len;
6681 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6682 return;
6683 }
6684 #endif /* CONFIG_DPP */
6685 sta = ap_get_sta(hapd, mgmt->da);
6686 if (!sta) {
6687 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR_SEC
6688 " not found", MAC2STR_SEC(mgmt->da));
6689 return;
6690 }
6691
6692 if (len < 24 + 5 + sizeof(*report))
6693 return;
6694 report = (const struct rrm_measurement_report_element *)
6695 &mgmt->u.action.u.rrm.variable[2];
6696 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6697 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6698 report->eid == WLAN_EID_MEASURE_REQUEST &&
6699 report->len >= 3 &&
6700 report->type == MEASURE_TYPE_BEACON)
6701 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6702 }
6703
6704
6705 /**
6706 * ieee802_11_mgmt_cb - Process management frame TX status callback
6707 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6708 * was sent from)
6709 * @buf: management frame data (starting from IEEE 802.11 header)
6710 * @len: length of frame data in octets
6711 * @stype: management frame subtype from frame control field
6712 * @ok: Whether the frame was ACK'ed
6713 */
ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, u16 stype, int ok)6714 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6715 u16 stype, int ok)
6716 {
6717 const struct ieee80211_mgmt *mgmt;
6718 mgmt = (const struct ieee80211_mgmt *) buf;
6719
6720 #ifdef CONFIG_TESTING_OPTIONS
6721 if (hapd->ext_mgmt_frame_handling) {
6722 size_t hex_len = 2 * len + 1;
6723 char *hex = os_malloc(hex_len);
6724
6725 if (hex) {
6726 wpa_snprintf_hex(hex, hex_len, buf, len);
6727 wpa_msg(hapd->msg_ctx, MSG_INFO,
6728 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6729 stype, ok, hex);
6730 os_free(hex);
6731 }
6732 return;
6733 }
6734 #endif /* CONFIG_TESTING_OPTIONS */
6735
6736 switch (stype) {
6737 case WLAN_FC_STYPE_AUTH:
6738 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6739 handle_auth_cb(hapd, mgmt, len, ok);
6740 break;
6741 case WLAN_FC_STYPE_ASSOC_RESP:
6742 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6743 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6744 break;
6745 case WLAN_FC_STYPE_REASSOC_RESP:
6746 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6747 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6748 break;
6749 case WLAN_FC_STYPE_PROBE_RESP:
6750 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6751 break;
6752 case WLAN_FC_STYPE_DEAUTH:
6753 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6754 handle_deauth_cb(hapd, mgmt, len, ok);
6755 break;
6756 case WLAN_FC_STYPE_DISASSOC:
6757 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6758 handle_disassoc_cb(hapd, mgmt, len, ok);
6759 break;
6760 case WLAN_FC_STYPE_ACTION:
6761 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6762 handle_action_cb(hapd, mgmt, len, ok);
6763 break;
6764 default:
6765 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6766 break;
6767 }
6768 }
6769
6770
ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)6771 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6772 {
6773 /* TODO */
6774 return 0;
6775 }
6776
6777
ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, char *buf, size_t buflen)6778 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6779 char *buf, size_t buflen)
6780 {
6781 /* TODO */
6782 return 0;
6783 }
6784
6785
hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, const u8 *buf, size_t len, int ack)6786 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6787 const u8 *buf, size_t len, int ack)
6788 {
6789 struct sta_info *sta;
6790 struct hostapd_iface *iface = hapd->iface;
6791
6792 sta = ap_get_sta(hapd, addr);
6793 if (sta == NULL && iface->num_bss > 1) {
6794 size_t j;
6795 for (j = 0; j < iface->num_bss; j++) {
6796 hapd = iface->bss[j];
6797 sta = ap_get_sta(hapd, addr);
6798 if (sta)
6799 break;
6800 }
6801 }
6802 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6803 return;
6804 if (sta->flags & WLAN_STA_PENDING_POLL) {
6805 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " %s pending "
6806 "activity poll", MAC2STR_SEC(sta->addr),
6807 ack ? "ACKed" : "did not ACK");
6808 if (ack)
6809 sta->flags &= ~WLAN_STA_PENDING_POLL;
6810 }
6811
6812 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6813 }
6814
6815
hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, const u8 *data, size_t len, int ack)6816 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6817 const u8 *data, size_t len, int ack)
6818 {
6819 struct sta_info *sta;
6820 struct hostapd_iface *iface = hapd->iface;
6821
6822 sta = ap_get_sta(hapd, dst);
6823 if (sta == NULL && iface->num_bss > 1) {
6824 size_t j;
6825 for (j = 0; j < iface->num_bss; j++) {
6826 hapd = iface->bss[j];
6827 sta = ap_get_sta(hapd, dst);
6828 if (sta)
6829 break;
6830 }
6831 }
6832 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6833 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6834 MACSTR_SEC " that is not currently associated",
6835 MAC2STR_SEC(dst));
6836 return;
6837 }
6838
6839 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6840 }
6841
6842
hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)6843 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6844 {
6845 struct sta_info *sta;
6846 struct hostapd_iface *iface = hapd->iface;
6847
6848 sta = ap_get_sta(hapd, addr);
6849 if (sta == NULL && iface->num_bss > 1) {
6850 size_t j;
6851 for (j = 0; j < iface->num_bss; j++) {
6852 hapd = iface->bss[j];
6853 sta = ap_get_sta(hapd, addr);
6854 if (sta)
6855 break;
6856 }
6857 }
6858 if (sta == NULL)
6859 return;
6860 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6861 MAC2STR(sta->addr));
6862 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6863 return;
6864
6865 wpa_printf(MSG_DEBUG, "STA " MACSTR_SEC " ACKed pending "
6866 "activity poll", MAC2STR_SEC(sta->addr));
6867 sta->flags &= ~WLAN_STA_PENDING_POLL;
6868 }
6869
6870
ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, int wds)6871 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6872 int wds)
6873 {
6874 struct sta_info *sta;
6875
6876 sta = ap_get_sta(hapd, src);
6877 if (sta &&
6878 ((sta->flags & WLAN_STA_ASSOC) ||
6879 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6880 if (!hapd->conf->wds_sta)
6881 return;
6882
6883 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6884 WLAN_STA_ASSOC_REQ_OK) {
6885 wpa_printf(MSG_DEBUG,
6886 "Postpone 4-address WDS mode enabling for STA "
6887 MACSTR_SEC " since TX status for AssocResp is not yet known",
6888 MAC2STR_SEC(sta->addr));
6889 sta->pending_wds_enable = 1;
6890 return;
6891 }
6892
6893 if (wds && !(sta->flags & WLAN_STA_WDS)) {
6894 int ret;
6895 char ifname_wds[IFNAMSIZ + 1];
6896
6897 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6898 "STA " MACSTR_SEC " (aid %u)",
6899 MAC2STR_SEC(sta->addr), sta->aid);
6900 sta->flags |= WLAN_STA_WDS;
6901 ret = hostapd_set_wds_sta(hapd, ifname_wds,
6902 sta->addr, sta->aid, 1);
6903 if (!ret)
6904 hostapd_set_wds_encryption(hapd, sta,
6905 ifname_wds);
6906 }
6907 return;
6908 }
6909
6910 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6911 MACSTR_SEC, MAC2STR_SEC(src));
6912 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6913 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6914 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6915 * silently. */
6916 return;
6917 }
6918
6919 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6920 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6921 "already been sent, but no TX status yet known - "
6922 "ignore Class 3 frame issue with " MACSTR_SEC,
6923 MAC2STR_SEC(src));
6924 return;
6925 }
6926
6927 if (sta && (sta->flags & WLAN_STA_AUTH))
6928 hostapd_drv_sta_disassoc(
6929 hapd, src,
6930 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6931 else
6932 hostapd_drv_sta_deauth(
6933 hapd, src,
6934 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6935 }
6936
6937
hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)6938 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6939 {
6940 struct hostapd_iface *iface = hapd->iface;
6941 struct hostapd_config *iconf = iface->conf;
6942 struct hostapd_hw_modes *mode = iface->current_mode;
6943 struct hostapd_channel_data *chan;
6944 int dfs, i;
6945 u8 channel, tx_pwr_count, local_pwr_constraint;
6946 int max_tx_power;
6947 u8 tx_pwr;
6948
6949 if (!mode)
6950 return eid;
6951
6952 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6953 return eid;
6954
6955 for (i = 0; i < mode->num_channels; i++) {
6956 if (mode->channels[i].freq == iface->freq)
6957 break;
6958 }
6959 if (i == mode->num_channels)
6960 return eid;
6961
6962 switch (hostapd_get_oper_chwidth(iconf)) {
6963 case CHANWIDTH_USE_HT:
6964 if (iconf->secondary_channel == 0) {
6965 /* Max Transmit Power count = 0 (20 MHz) */
6966 tx_pwr_count = 0;
6967 } else {
6968 /* Max Transmit Power count = 1 (20, 40 MHz) */
6969 tx_pwr_count = 1;
6970 }
6971 break;
6972 case CHANWIDTH_80MHZ:
6973 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6974 tx_pwr_count = 2;
6975 break;
6976 case CHANWIDTH_80P80MHZ:
6977 case CHANWIDTH_160MHZ:
6978 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6979 tx_pwr_count = 3;
6980 break;
6981 default:
6982 return eid;
6983 }
6984
6985 /*
6986 * Below local_pwr_constraint logic is referred from
6987 * hostapd_eid_pwr_constraint.
6988 *
6989 * Check if DFS is required by regulatory.
6990 */
6991 dfs = hostapd_is_dfs_required(hapd->iface);
6992 if (dfs < 0)
6993 dfs = 0;
6994
6995 /*
6996 * In order to meet regulations when TPC is not implemented using
6997 * a transmit power that is below the legal maximum (including any
6998 * mitigation factor) should help. In this case, indicate 3 dB below
6999 * maximum allowed transmit power.
7000 */
7001 if (hapd->iconf->local_pwr_constraint == -1)
7002 local_pwr_constraint = (dfs == 0) ? 0 : 3;
7003 else
7004 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
7005
7006 /*
7007 * A STA that is not an AP shall use a transmit power less than or
7008 * equal to the local maximum transmit power level for the channel.
7009 * The local maximum transmit power can be calculated from the formula:
7010 * local max TX pwr = max TX pwr - local pwr constraint
7011 * Where max TX pwr is maximum transmit power level specified for
7012 * channel in Country element and local pwr constraint is specified
7013 * for channel in this Power Constraint element.
7014 */
7015 chan = &mode->channels[i];
7016 max_tx_power = chan->max_tx_power - local_pwr_constraint;
7017
7018 /*
7019 * Local Maximum Transmit power is encoded as two's complement
7020 * with a 0.5 dB step.
7021 */
7022 max_tx_power *= 2; /* in 0.5 dB steps */
7023 if (max_tx_power > 127) {
7024 /* 63.5 has special meaning of 63.5 dBm or higher */
7025 max_tx_power = 127;
7026 }
7027 if (max_tx_power < -128)
7028 max_tx_power = -128;
7029 if (max_tx_power < 0)
7030 tx_pwr = 0x80 + max_tx_power + 128;
7031 else
7032 tx_pwr = max_tx_power;
7033
7034 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
7035 *eid++ = 2 + tx_pwr_count;
7036
7037 /*
7038 * Max Transmit Power count and
7039 * Max Transmit Power units = 0 (EIRP)
7040 */
7041 *eid++ = tx_pwr_count;
7042
7043 for (i = 0; i <= tx_pwr_count; i++)
7044 *eid++ = tx_pwr;
7045
7046 return eid;
7047 }
7048
7049
hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)7050 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7051 {
7052 u8 bw, chan1, chan2 = 0;
7053 int freq1;
7054
7055 if (!hapd->cs_freq_params.channel ||
7056 (!hapd->cs_freq_params.vht_enabled &&
7057 !hapd->cs_freq_params.he_enabled))
7058 return eid;
7059
7060 /* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
7061 switch (hapd->cs_freq_params.bandwidth) {
7062 case 40:
7063 bw = 0;
7064 break;
7065 case 80:
7066 /* check if it's 80+80 */
7067 if (!hapd->cs_freq_params.center_freq2)
7068 bw = 1;
7069 else
7070 bw = 3;
7071 break;
7072 case 160:
7073 bw = 2;
7074 break;
7075 default:
7076 /* not valid VHT bandwidth or not in CSA */
7077 return eid;
7078 }
7079
7080 freq1 = hapd->cs_freq_params.center_freq1 ?
7081 hapd->cs_freq_params.center_freq1 :
7082 hapd->cs_freq_params.freq;
7083 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7084 HOSTAPD_MODE_IEEE80211A)
7085 return eid;
7086
7087 if (hapd->cs_freq_params.center_freq2 &&
7088 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7089 &chan2) != HOSTAPD_MODE_IEEE80211A)
7090 return eid;
7091
7092 *eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
7093 *eid++ = 5; /* Length of Channel Switch Wrapper */
7094 *eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
7095 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7096 *eid++ = bw; /* New Channel Width */
7097 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7098 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7099
7100 return eid;
7101 }
7102
7103
hostapd_eid_nr_db_len(struct hostapd_data *hapd, size_t *current_len)7104 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7105 size_t *current_len)
7106 {
7107 struct hostapd_neighbor_entry *nr;
7108 size_t total_len = 0, len = *current_len;
7109
7110 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7111 list) {
7112 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7113 continue;
7114
7115 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7116 continue;
7117
7118 /* Start a new element */
7119 if (!len ||
7120 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7121 len = RNR_HEADER_LEN;
7122 total_len += RNR_HEADER_LEN;
7123 }
7124
7125 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7126 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7127 }
7128
7129 *current_len = len;
7130 return total_len;
7131 }
7132
7133
hostapd_eid_rnr_iface_len(struct hostapd_data *hapd, struct hostapd_data *reporting_hapd, size_t *current_len)7134 static size_t hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7135 struct hostapd_data *reporting_hapd,
7136 size_t *current_len)
7137 {
7138 size_t total_len = 0, len = *current_len;
7139 int tbtt_count = 0;
7140 size_t i, start = 0;
7141
7142 while (start < hapd->iface->num_bss) {
7143 if (!len ||
7144 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7145 len = RNR_HEADER_LEN;
7146 total_len += RNR_HEADER_LEN;
7147 }
7148
7149 len += RNR_TBTT_HEADER_LEN;
7150 total_len += RNR_TBTT_HEADER_LEN;
7151
7152 for (i = start; i < hapd->iface->num_bss; i++) {
7153 struct hostapd_data *bss = hapd->iface->bss[i];
7154
7155 if (!bss || !bss->conf || !bss->started)
7156 continue;
7157
7158 if (bss == reporting_hapd ||
7159 bss->conf->ignore_broadcast_ssid)
7160 continue;
7161
7162 if (len + RNR_TBTT_INFO_LEN > 255 ||
7163 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7164 break;
7165
7166 len += RNR_TBTT_INFO_LEN;
7167 total_len += RNR_TBTT_INFO_LEN;
7168 tbtt_count++;
7169 }
7170 start = i;
7171 }
7172
7173 if (!tbtt_count)
7174 total_len = 0;
7175 else
7176 *current_len = len;
7177
7178 return total_len;
7179 }
7180
7181
7182 enum colocation_mode {
7183 NO_COLOCATED_6GHZ,
7184 STANDALONE_6GHZ,
7185 COLOCATED_6GHZ,
7186 COLOCATED_LOWER_BAND,
7187 };
7188
get_colocation_mode(struct hostapd_data *hapd)7189 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7190 {
7191 u8 i;
7192 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7193
7194 if (!hapd->iface || !hapd->iface->interfaces)
7195 return NO_COLOCATED_6GHZ;
7196
7197 if (is_6ghz && hapd->iface->interfaces->count == 1)
7198 return STANDALONE_6GHZ;
7199
7200 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7201 struct hostapd_iface *iface;
7202 bool is_colocated_6ghz;
7203
7204 iface = hapd->iface->interfaces->iface[i];
7205 if (iface == hapd->iface || !iface || !iface->conf)
7206 continue;
7207
7208 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7209 if (!is_6ghz && is_colocated_6ghz)
7210 return COLOCATED_LOWER_BAND;
7211 if (is_6ghz && !is_colocated_6ghz)
7212 return COLOCATED_6GHZ;
7213 }
7214
7215 if (is_6ghz)
7216 return STANDALONE_6GHZ;
7217
7218 return NO_COLOCATED_6GHZ;
7219 }
7220
7221
hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd, size_t *current_len)7222 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7223 size_t *current_len)
7224 {
7225 struct hostapd_iface *iface;
7226 size_t len = 0;
7227 size_t i;
7228
7229 if (!hapd->iface || !hapd->iface->interfaces)
7230 return 0;
7231
7232 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7233 iface = hapd->iface->interfaces->iface[i];
7234
7235 if (iface == hapd->iface ||
7236 !is_6ghz_op_class(iface->conf->op_class))
7237 continue;
7238
7239 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7240 current_len);
7241 }
7242
7243 return len;
7244 }
7245
7246
hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)7247 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)
7248 {
7249 size_t total_len = 0, current_len = 0;
7250 enum colocation_mode mode = get_colocation_mode(hapd);
7251
7252 switch (type) {
7253 case WLAN_FC_STYPE_BEACON:
7254 if (hapd->conf->rnr)
7255 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7256 /* fallthrough */
7257
7258 case WLAN_FC_STYPE_PROBE_RESP:
7259 if (mode == COLOCATED_LOWER_BAND)
7260 total_len += hostapd_eid_rnr_colocation_len(
7261 hapd, ¤t_len);
7262
7263 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7264 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7265 ¤t_len);
7266 break;
7267
7268 case WLAN_FC_STYPE_ACTION:
7269 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7270 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7271 ¤t_len);
7272 break;
7273
7274 default:
7275 break;
7276 }
7277
7278 return total_len;
7279 }
7280
7281
hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid, size_t *current_len)7282 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7283 size_t *current_len)
7284 {
7285 struct hostapd_neighbor_entry *nr;
7286 size_t len = *current_len;
7287 u8 *size_offset = (eid - len) + 1;
7288
7289 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7290 list) {
7291 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7292 continue;
7293
7294 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7295 continue;
7296
7297 /* Start a new element */
7298 if (!len ||
7299 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7300 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7301 size_offset = eid++;
7302 len = RNR_HEADER_LEN;
7303 }
7304
7305 /* TBTT Information Header subfield (2 octets) */
7306 *eid++ = 0;
7307 /* TBTT Information Length */
7308 *eid++ = RNR_TBTT_INFO_LEN;
7309 /* Operating Class */
7310 *eid++ = wpabuf_head_u8(nr->nr)[10];
7311 /* Channel Number */
7312 *eid++ = wpabuf_head_u8(nr->nr)[11];
7313 len += RNR_TBTT_HEADER_LEN;
7314 /* TBTT Information Set */
7315 /* TBTT Information field */
7316 /* Neighbor AP TBTT Offset */
7317 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7318 /* BSSID */
7319 os_memcpy(eid, nr->bssid, ETH_ALEN);
7320 eid += ETH_ALEN;
7321 /* Short SSID */
7322 os_memcpy(eid, &nr->short_ssid, 4);
7323 eid += 4;
7324 /* BSS parameters */
7325 *eid++ = nr->bss_parameters;
7326 /* 20 MHz PSD */
7327 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7328 len += RNR_TBTT_INFO_LEN;
7329 *size_offset = (eid - size_offset) - 1;
7330 }
7331
7332 *current_len = len;
7333 return eid;
7334 }
7335
7336
hostapd_eid_rnr_iface(struct hostapd_data *hapd, struct hostapd_data *reporting_hapd, u8 *eid, size_t *current_len)7337 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7338 struct hostapd_data *reporting_hapd,
7339 u8 *eid, size_t *current_len)
7340 {
7341 struct hostapd_data *bss;
7342 struct hostapd_iface *iface = hapd->iface;
7343 size_t i, start = 0;
7344 size_t len = *current_len;
7345 u8 *tbtt_count_pos, *eid_start = eid, *size_offset = (eid - len) + 1;
7346 u8 tbtt_count = 0, op_class, channel, bss_param;
7347
7348 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7349 return eid;
7350
7351 if (ieee80211_freq_to_channel_ext(iface->freq,
7352 hapd->iconf->secondary_channel,
7353 hostapd_get_oper_chwidth(hapd->iconf),
7354 &op_class, &channel) ==
7355 NUM_HOSTAPD_MODES)
7356 return eid;
7357
7358 while (start < iface->num_bss) {
7359 if (!len ||
7360 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7361 eid_start = eid;
7362 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7363 size_offset = eid++;
7364 len = RNR_HEADER_LEN;
7365 tbtt_count = 0;
7366 }
7367
7368 tbtt_count_pos = eid++;
7369 *eid++ = RNR_TBTT_INFO_LEN;
7370 *eid++ = op_class;
7371 *eid++ = hapd->iconf->channel;
7372 len += RNR_TBTT_HEADER_LEN;
7373
7374 for (i = start; i < iface->num_bss; i++) {
7375 bss_param = 0;
7376 bss = iface->bss[i];
7377 if (!bss || !bss->conf || !bss->started)
7378 continue;
7379
7380 if (bss == reporting_hapd ||
7381 bss->conf->ignore_broadcast_ssid)
7382 continue;
7383
7384 if (len + RNR_TBTT_INFO_LEN > 255 ||
7385 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7386 break;
7387
7388 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7389 os_memcpy(eid, bss->conf->bssid, ETH_ALEN);
7390 eid += ETH_ALEN;
7391 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7392 eid += 4;
7393 if (bss->conf->ssid.short_ssid ==
7394 reporting_hapd->conf->ssid.short_ssid)
7395 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7396
7397 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7398 bss->conf->unsol_bcast_probe_resp_interval)
7399 bss_param |=
7400 RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7401
7402 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7403
7404 *eid++ = bss_param;
7405 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7406 len += RNR_TBTT_INFO_LEN;
7407 tbtt_count += 1;
7408 }
7409
7410 start = i;
7411 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7412 *size_offset = (eid - size_offset) - 1;
7413 }
7414
7415 if (tbtt_count == 0)
7416 return eid_start;
7417
7418 *current_len = len;
7419 return eid;
7420 }
7421
7422
hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid, size_t *current_len)7423 static u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7424 size_t *current_len)
7425 {
7426 struct hostapd_iface *iface;
7427 size_t i;
7428
7429 if (!hapd->iface || !hapd->iface->interfaces)
7430 return eid;
7431
7432 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7433 iface = hapd->iface->interfaces->iface[i];
7434
7435 if (iface == hapd->iface ||
7436 !is_6ghz_op_class(iface->conf->op_class))
7437 continue;
7438
7439 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7440 current_len);
7441 }
7442
7443 return eid;
7444 }
7445
7446
hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)7447 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)
7448 {
7449 u8 *eid_start = eid;
7450 size_t current_len = 0;
7451 enum colocation_mode mode = get_colocation_mode(hapd);
7452
7453 switch (type) {
7454 case WLAN_FC_STYPE_BEACON:
7455 if (hapd->conf->rnr)
7456 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
7457 /* fallthrough */
7458
7459 case WLAN_FC_STYPE_PROBE_RESP:
7460 if (mode == COLOCATED_LOWER_BAND)
7461 eid = hostapd_eid_rnr_colocation(hapd, eid,
7462 ¤t_len);
7463
7464 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7465 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7466 ¤t_len);
7467 break;
7468
7469 case WLAN_FC_STYPE_ACTION:
7470 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7471 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7472 ¤t_len);
7473 break;
7474
7475 default:
7476 return eid_start;
7477 }
7478
7479 if (eid == eid_start + 2)
7480 return eid_start;
7481
7482 return eid;
7483 }
7484
7485 #endif /* CONFIG_NATIVE_WINDOWS */
7486