1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58
59
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 struct sta_info *sta, u16 *resp,
64 struct rsn_pmksa_cache_entry *pmksa,
65 struct wpabuf *erp_resp,
66 const u8 *msk, size_t msk_len,
67 int *is_pub);
68 #endif /* CONFIG_FILS */
69
70 #ifdef CONFIG_PASN
71
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 struct sta_info *sta,
74 struct rsn_pmksa_cache_entry *pmksa,
75 u16 status);
76 #ifdef CONFIG_FILS
77
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 struct sta_info *sta, u16 status,
80 struct wpabuf *erp_resp,
81 const u8 *msk, size_t msk_len);
82
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85
86 static void handle_auth(struct hostapd_data *hapd,
87 const struct ieee80211_mgmt *mgmt, size_t len,
88 int rssi, int from_queue);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 u8 multi_ap_val = 0;
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97 if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101
102 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104
105
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 u8 *pos = eid;
109 int i, num, count;
110 int h2e_required;
111
112 if (hapd->iface->current_rates == NULL)
113 return eid;
114
115 *pos++ = WLAN_EID_SUPP_RATES;
116 num = hapd->iface->num_rates;
117 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 num++;
119 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 num++;
121 h2e_required = (hapd->conf->sae_pwe == 1 ||
122 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 hapd->conf->sae_pwe != 3 &&
124 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 if (h2e_required)
126 num++;
127 if (num > 8) {
128 /* rest of the rates are encoded in Extended supported
129 * rates element */
130 num = 8;
131 }
132
133 *pos++ = num;
134 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 i++) {
136 count++;
137 *pos = hapd->iface->current_rates[i].rate / 5;
138 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 *pos |= 0x80;
140 pos++;
141 }
142
143 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 count++;
145 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 }
147
148 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 count++;
150 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 }
152
153 if (h2e_required && count < 8) {
154 count++;
155 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 }
157
158 return pos;
159 }
160
161
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 u8 *pos = eid;
165 int i, num, count;
166 int h2e_required;
167
168 if (hapd->iface->current_rates == NULL)
169 return eid;
170
171 num = hapd->iface->num_rates;
172 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 num++;
174 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 num++;
176 h2e_required = (hapd->conf->sae_pwe == 1 ||
177 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 hapd->conf->sae_pwe != 3 &&
179 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 if (h2e_required)
181 num++;
182 if (num <= 8)
183 return eid;
184 num -= 8;
185
186 *pos++ = WLAN_EID_EXT_SUPP_RATES;
187 *pos++ = num;
188 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 i++) {
190 count++;
191 if (count <= 8)
192 continue; /* already in SuppRates IE */
193 *pos = hapd->iface->current_rates[i].rate / 5;
194 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 *pos |= 0x80;
196 pos++;
197 }
198
199 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 count++;
201 if (count > 8)
202 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 }
204
205 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 count++;
207 if (count > 8)
208 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 }
210
211 if (h2e_required) {
212 count++;
213 if (count > 8)
214 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 }
216
217 return pos;
218 }
219
220
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 size_t len)
223 {
224 size_t i;
225
226 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 if (hapd->conf->radio_measurements[i])
228 break;
229 }
230
231 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 return eid;
233
234 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 *eid++ = RRM_CAPABILITIES_IE_LEN;
236 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237
238 return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240
241
hostapd_own_capab_info(struct hostapd_data * hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 int capab = WLAN_CAPABILITY_ESS;
245 int privacy = 0;
246 int dfs;
247 int i;
248
249 /* Check if any of configured channels require DFS */
250 dfs = hostapd_is_dfs_required(hapd->iface);
251 if (dfs < 0) {
252 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 dfs);
254 dfs = 0;
255 }
256
257 if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 hapd->iconf->preamble == SHORT_PREAMBLE)
259 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260
261 #ifdef CONFIG_WEP
262 privacy = hapd->conf->ssid.wep.keys_set;
263
264 if (hapd->conf->ieee802_1x &&
265 (hapd->conf->default_wep_key_len ||
266 hapd->conf->individual_wep_key_len))
267 privacy = 1;
268 #endif /* CONFIG_WEP */
269
270 if (hapd->conf->wpa)
271 privacy = 1;
272
273 #ifdef CONFIG_HS20
274 if (hapd->conf->osen)
275 privacy = 1;
276 #endif /* CONFIG_HS20 */
277
278 if (privacy)
279 capab |= WLAN_CAPABILITY_PRIVACY;
280
281 if (hapd->iface->current_mode &&
282 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 hapd->iface->num_sta_no_short_slot_time == 0)
284 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285
286 /*
287 * Currently, Spectrum Management capability bit is set when directly
288 * requested in configuration by spectrum_mgmt_required or when AP is
289 * running on DFS channel.
290 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 */
292 if (hapd->iface->current_mode &&
293 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 (hapd->iconf->spectrum_mgmt_required || dfs))
295 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296
297 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 if (hapd->conf->radio_measurements[i]) {
299 capab |= IEEE80211_CAP_RRM;
300 break;
301 }
302 }
303
304 return capab;
305 }
306
307
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 u16 auth_transaction, const u8 *challenge,
312 int iswep)
313 {
314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 HOSTAPD_LEVEL_DEBUG,
316 "authentication (shared key, transaction %d)",
317 auth_transaction);
318
319 if (auth_transaction == 1) {
320 if (!sta->challenge) {
321 /* Generate a pseudo-random challenge */
322 u8 key[8];
323
324 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 if (sta->challenge == NULL)
326 return WLAN_STATUS_UNSPECIFIED_FAILURE;
327
328 if (os_get_random(key, sizeof(key)) < 0) {
329 os_free(sta->challenge);
330 sta->challenge = NULL;
331 return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 }
333
334 rc4_skip(key, sizeof(key), 0,
335 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 }
337 return 0;
338 }
339
340 if (auth_transaction != 3)
341 return WLAN_STATUS_UNSPECIFIED_FAILURE;
342
343 /* Transaction 3 */
344 if (!iswep || !sta->challenge || !challenge ||
345 os_memcmp_const(sta->challenge, challenge,
346 WLAN_AUTH_CHALLENGE_LEN)) {
347 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_INFO,
349 "shared key authentication - invalid "
350 "challenge-response");
351 return WLAN_STATUS_CHALLENGE_FAIL;
352 }
353
354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 HOSTAPD_LEVEL_DEBUG,
356 "authentication OK (shared key)");
357 sta->flags |= WLAN_STA_AUTH;
358 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 os_free(sta->challenge);
360 sta->challenge = NULL;
361
362 return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366
367
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 const u8 *dst, const u8 *bssid,
370 u16 auth_alg, u16 auth_transaction, u16 resp,
371 const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 struct ieee80211_mgmt *reply;
374 u8 *buf;
375 size_t rlen;
376 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377
378 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 buf = os_zalloc(rlen);
380 if (buf == NULL)
381 return -1;
382
383 reply = (struct ieee80211_mgmt *) buf;
384 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 WLAN_FC_STYPE_AUTH);
386 os_memcpy(reply->da, dst, ETH_ALEN);
387 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 os_memcpy(reply->bssid, bssid, ETH_ALEN);
389
390 reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 reply->u.auth.status_code = host_to_le16(resp);
393
394 if (ies && ies_len)
395 os_memcpy(reply->u.auth.variable, ies, ies_len);
396
397 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
398 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 MAC2STR(dst), auth_alg, auth_transaction,
400 resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 if (hapd->conf->sae_confirm_immediate == 2 &&
404 auth_alg == WLAN_AUTH_SAE) {
405 if (auth_transaction == 1 && sta &&
406 (resp == WLAN_STATUS_SUCCESS ||
407 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 resp == WLAN_STATUS_SAE_PK)) {
409 wpa_printf(MSG_DEBUG,
410 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 os_free(sta->sae_postponed_commit);
412 sta->sae_postponed_commit = buf;
413 sta->sae_postponed_commit_len = rlen;
414 return WLAN_STATUS_SUCCESS;
415 }
416
417 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 wpa_printf(MSG_DEBUG,
419 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 if (hostapd_drv_send_mlme(hapd,
421 sta->sae_postponed_commit,
422 sta->sae_postponed_commit_len,
423 0, NULL, 0, 0) < 0)
424 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 os_free(sta->sae_postponed_commit);
426 sta->sae_postponed_commit = NULL;
427 sta->sae_postponed_commit_len = 0;
428 }
429 }
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 else
435 reply_res = WLAN_STATUS_SUCCESS;
436
437 os_free(buf);
438
439 return reply_res;
440 }
441
442
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 u16 auth_transaction, u16 status,
446 const u8 *ies, size_t ies_len)
447 {
448 struct hostapd_data *hapd = ctx;
449 struct sta_info *sta;
450 int reply_res;
451
452 reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 auth_transaction, status, ies, ies_len,
454 "auth-ft-finish");
455
456 sta = ap_get_sta(hapd, dst);
457 if (sta == NULL)
458 return;
459
460 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 status != WLAN_STATUS_SUCCESS)) {
462 hostapd_drv_sta_remove(hapd, sta->addr);
463 sta->added_unassoc = 0;
464 return;
465 }
466
467 if (status != WLAN_STATUS_SUCCESS)
468 return;
469
470 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 sta->flags |= WLAN_STA_AUTH;
473 mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476
477
478 #ifdef CONFIG_SAE
479
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 const char *reason)
482 {
483 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
484 sae_state_txt(sta->sae->state), sae_state_txt(state),
485 MAC2STR(sta->addr), reason);
486 sta->sae->state = state;
487 }
488
489
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 struct sta_info *sta,
492 const char *rx_id,
493 struct sae_password_entry **pw_entry,
494 struct sae_pt **s_pt,
495 const struct sae_pk **s_pk)
496 {
497 const char *password = NULL;
498 struct sae_password_entry *pw;
499 struct sae_pt *pt = NULL;
500 const struct sae_pk *pk = NULL;
501 struct hostapd_sta_wpa_psk_short *psk = NULL;
502
503 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
504 if (!is_broadcast_ether_addr(pw->peer_addr) &&
505 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
506 continue;
507 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
508 continue;
509 if (rx_id && pw->identifier &&
510 os_strcmp(rx_id, pw->identifier) != 0)
511 continue;
512 password = pw->password;
513 pt = pw->pt;
514 if (!(hapd->conf->mesh & MESH_ENABLED))
515 pk = pw->pk;
516 break;
517 }
518 if (!password) {
519 password = hapd->conf->ssid.wpa_passphrase;
520 pt = hapd->conf->ssid.pt;
521 }
522
523 if (!password) {
524 for (psk = sta->psk; psk; psk = psk->next) {
525 if (psk->is_passphrase) {
526 password = psk->passphrase;
527 break;
528 }
529 }
530 }
531
532 if (pw_entry)
533 *pw_entry = pw;
534 if (s_pt)
535 *s_pt = pt;
536 if (s_pk)
537 *s_pk = pk;
538
539 return password;
540 }
541
542
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)543 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
544 struct sta_info *sta, int update,
545 int status_code)
546 {
547 struct wpabuf *buf;
548 const char *password = NULL;
549 struct sae_password_entry *pw;
550 const char *rx_id = NULL;
551 int use_pt = 0;
552 struct sae_pt *pt = NULL;
553 const struct sae_pk *pk = NULL;
554
555 if (sta->sae->tmp) {
556 rx_id = sta->sae->tmp->pw_id;
557 use_pt = sta->sae->h2e;
558 #ifdef CONFIG_SAE_PK
559 os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
560 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
561 #endif /* CONFIG_SAE_PK */
562 }
563
564 if (rx_id && hapd->conf->sae_pwe != 3)
565 use_pt = 1;
566 else if (status_code == WLAN_STATUS_SUCCESS)
567 use_pt = 0;
568 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
569 status_code == WLAN_STATUS_SAE_PK)
570 use_pt = 1;
571
572 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
573 if (!password || (use_pt && !pt)) {
574 wpa_printf(MSG_DEBUG, "SAE: No password available");
575 return NULL;
576 }
577
578 if (update && use_pt &&
579 sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
580 NULL, pk) < 0)
581 return NULL;
582
583 if (update && !use_pt &&
584 sae_prepare_commit(hapd->own_addr, sta->addr,
585 (u8 *) password, os_strlen(password),
586 sta->sae) < 0) {
587 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
588 return NULL;
589 }
590
591 if (pw && pw->vlan_id) {
592 if (!sta->sae->tmp) {
593 wpa_printf(MSG_INFO,
594 "SAE: No temporary data allocated - cannot store VLAN ID");
595 return NULL;
596 }
597 sta->sae->tmp->vlan_id = pw->vlan_id;
598 }
599
600 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
601 (rx_id ? 3 + os_strlen(rx_id) : 0));
602 if (buf &&
603 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
604 sta->sae->tmp->anti_clogging_token : NULL,
605 rx_id) < 0) {
606 wpabuf_free(buf);
607 buf = NULL;
608 }
609
610 return buf;
611 }
612
613
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)614 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
615 struct sta_info *sta)
616 {
617 struct wpabuf *buf;
618
619 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
620 if (buf == NULL)
621 return NULL;
622
623 #ifdef CONFIG_SAE_PK
624 #ifdef CONFIG_TESTING_OPTIONS
625 if (sta->sae->tmp)
626 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
627 #endif /* CONFIG_TESTING_OPTIONS */
628 #endif /* CONFIG_SAE_PK */
629
630 if (sae_write_confirm(sta->sae, buf) < 0) {
631 wpabuf_free(buf);
632 return NULL;
633 }
634
635 return buf;
636 }
637
638
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)639 static int auth_sae_send_commit(struct hostapd_data *hapd,
640 struct sta_info *sta,
641 const u8 *bssid, int update, int status_code)
642 {
643 struct wpabuf *data;
644 int reply_res;
645 u16 status;
646
647 data = auth_build_sae_commit(hapd, sta, update, status_code);
648 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
649 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
650 if (data == NULL)
651 return WLAN_STATUS_UNSPECIFIED_FAILURE;
652
653 if (sta->sae->tmp && sta->sae->pk)
654 status = WLAN_STATUS_SAE_PK;
655 else if (sta->sae->tmp && sta->sae->h2e)
656 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
657 else
658 status = WLAN_STATUS_SUCCESS;
659 #ifdef CONFIG_TESTING_OPTIONS
660 if (hapd->conf->sae_commit_status >= 0 &&
661 hapd->conf->sae_commit_status != status) {
662 wpa_printf(MSG_INFO,
663 "TESTING: Override SAE commit status code %u --> %d",
664 status, hapd->conf->sae_commit_status);
665 status = hapd->conf->sae_commit_status;
666 }
667 #endif /* CONFIG_TESTING_OPTIONS */
668 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
669 WLAN_AUTH_SAE, 1,
670 status, wpabuf_head(data),
671 wpabuf_len(data), "sae-send-commit");
672
673 wpabuf_free(data);
674
675 return reply_res;
676 }
677
678
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)679 static int auth_sae_send_confirm(struct hostapd_data *hapd,
680 struct sta_info *sta,
681 const u8 *bssid)
682 {
683 struct wpabuf *data;
684 int reply_res;
685
686 data = auth_build_sae_confirm(hapd, sta);
687 if (data == NULL)
688 return WLAN_STATUS_UNSPECIFIED_FAILURE;
689
690 reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
691 WLAN_AUTH_SAE, 2,
692 WLAN_STATUS_SUCCESS, wpabuf_head(data),
693 wpabuf_len(data), "sae-send-confirm");
694
695 wpabuf_free(data);
696
697 return reply_res;
698 }
699
700 #endif /* CONFIG_SAE */
701
702
703 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
704
use_anti_clogging(struct hostapd_data * hapd)705 static int use_anti_clogging(struct hostapd_data *hapd)
706 {
707 struct sta_info *sta;
708 unsigned int open = 0;
709
710 if (hapd->conf->anti_clogging_threshold == 0)
711 return 1;
712
713 for (sta = hapd->sta_list; sta; sta = sta->next) {
714 #ifdef CONFIG_SAE
715 if (sta->sae &&
716 (sta->sae->state == SAE_COMMITTED ||
717 sta->sae->state == SAE_CONFIRMED))
718 open++;
719 #endif /* CONFIG_SAE */
720 #ifdef CONFIG_PASN
721 if (sta->pasn && sta->pasn->ecdh)
722 open++;
723 #endif /* CONFIG_PASN */
724 if (open >= hapd->conf->anti_clogging_threshold)
725 return 1;
726 }
727
728 #ifdef CONFIG_SAE
729 /* In addition to already existing open SAE sessions, check whether
730 * there are enough pending commit messages in the processing queue to
731 * potentially result in too many open sessions. */
732 if (open + dl_list_len(&hapd->sae_commit_queue) >=
733 hapd->conf->anti_clogging_threshold)
734 return 1;
735 #endif /* CONFIG_SAE */
736
737 return 0;
738 }
739
740
comeback_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)741 static int comeback_token_hash(struct hostapd_data *hapd, const u8 *addr,
742 u8 *idx)
743 {
744 u8 hash[SHA256_MAC_LEN];
745
746 if (hmac_sha256(hapd->comeback_key, sizeof(hapd->comeback_key),
747 addr, ETH_ALEN, hash) < 0)
748 return -1;
749 *idx = hash[0];
750 return 0;
751 }
752
753
check_comeback_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)754 static int check_comeback_token(struct hostapd_data *hapd, const u8 *addr,
755 const u8 *token, size_t token_len)
756 {
757 u8 mac[SHA256_MAC_LEN];
758 const u8 *addrs[2];
759 size_t len[2];
760 u16 token_idx;
761 u8 idx;
762
763 if (token_len != SHA256_MAC_LEN ||
764 comeback_token_hash(hapd, addr, &idx) < 0)
765 return -1;
766 token_idx = hapd->comeback_pending_idx[idx];
767 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
768 wpa_printf(MSG_DEBUG,
769 "Comeback: Invalid anti-clogging token from "
770 MACSTR " - token_idx 0x%04x, expected 0x%04x",
771 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
772 return -1;
773 }
774
775 addrs[0] = addr;
776 len[0] = ETH_ALEN;
777 addrs[1] = token;
778 len[1] = 2;
779 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
780 2, addrs, len, mac) < 0 ||
781 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
782 return -1;
783
784 hapd->comeback_pending_idx[idx] = 0; /* invalidate used token */
785
786 return 0;
787 }
788
789
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)790 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
791 int group, const u8 *addr, int h2e)
792 {
793 struct wpabuf *buf;
794 u8 *token;
795 struct os_reltime now;
796 u8 idx[2];
797 const u8 *addrs[2];
798 size_t len[2];
799 u8 p_idx;
800 u16 token_idx;
801
802 os_get_reltime(&now);
803 if (!os_reltime_initialized(&hapd->last_comeback_key_update) ||
804 os_reltime_expired(&now, &hapd->last_comeback_key_update, 60) ||
805 hapd->comeback_idx == 0xffff) {
806 if (random_get_bytes(hapd->comeback_key,
807 sizeof(hapd->comeback_key)) < 0)
808 return NULL;
809 wpa_hexdump(MSG_DEBUG, "Comeback: Updated token key",
810 hapd->comeback_key, sizeof(hapd->comeback_key));
811 hapd->last_comeback_key_update = now;
812 hapd->comeback_idx = 0;
813 os_memset(hapd->comeback_pending_idx, 0,
814 sizeof(hapd->comeback_pending_idx));
815 }
816
817 buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
818 if (buf == NULL)
819 return NULL;
820
821 if (group)
822 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
823
824 if (h2e) {
825 /* Encapsulate Anti-clogging Token field in a container IE */
826 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
827 wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
828 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
829 }
830
831 if (comeback_token_hash(hapd, addr, &p_idx) < 0) {
832 wpabuf_free(buf);
833 return NULL;
834 }
835
836 token_idx = hapd->comeback_pending_idx[p_idx];
837 if (!token_idx) {
838 hapd->comeback_idx++;
839 token_idx = hapd->comeback_idx;
840 hapd->comeback_pending_idx[p_idx] = token_idx;
841 }
842 WPA_PUT_BE16(idx, token_idx);
843 token = wpabuf_put(buf, SHA256_MAC_LEN);
844 addrs[0] = addr;
845 len[0] = ETH_ALEN;
846 addrs[1] = idx;
847 len[1] = sizeof(idx);
848 if (hmac_sha256_vector(hapd->comeback_key, sizeof(hapd->comeback_key),
849 2, addrs, len, token) < 0) {
850 wpabuf_free(buf);
851 return NULL;
852 }
853 WPA_PUT_BE16(token, token_idx);
854
855 return buf;
856 }
857
858 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
859
860
861 #ifdef CONFIG_SAE
862
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)863 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
864 {
865 if (sta->sae->sync > hapd->conf->sae_sync) {
866 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
867 sta->sae->sync = 0;
868 return -1;
869 }
870 return 0;
871 }
872
873
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)874 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
875 {
876 struct hostapd_data *hapd = eloop_ctx;
877 struct sta_info *sta = eloop_data;
878 int ret;
879
880 if (sae_check_big_sync(hapd, sta))
881 return;
882 sta->sae->sync++;
883 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
884 " (sync=%d state=%s)",
885 MAC2STR(sta->addr), sta->sae->sync,
886 sae_state_txt(sta->sae->state));
887
888 switch (sta->sae->state) {
889 case SAE_COMMITTED:
890 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
891 eloop_register_timeout(0,
892 hapd->dot11RSNASAERetransPeriod * 1000,
893 auth_sae_retransmit_timer, hapd, sta);
894 break;
895 case SAE_CONFIRMED:
896 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
897 eloop_register_timeout(0,
898 hapd->dot11RSNASAERetransPeriod * 1000,
899 auth_sae_retransmit_timer, hapd, sta);
900 break;
901 default:
902 ret = -1;
903 break;
904 }
905
906 if (ret != WLAN_STATUS_SUCCESS)
907 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
908 }
909
910
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)911 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
912 {
913 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
914 }
915
916
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)917 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
918 struct sta_info *sta)
919 {
920 if (!(hapd->conf->mesh & MESH_ENABLED))
921 return;
922
923 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
924 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
925 auth_sae_retransmit_timer, hapd, sta);
926 }
927
928
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)929 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
930 struct sta_info *sta, u16 status)
931 {
932 struct external_auth params;
933
934 os_memset(¶ms, 0, sizeof(params));
935 params.status = status;
936 params.bssid = sta->addr;
937 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
938 !hapd->conf->disable_pmksa_caching)
939 params.pmkid = sta->sae->pmkid;
940
941 hostapd_drv_send_external_auth_status(hapd, ¶ms);
942 }
943
944
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)945 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
946 {
947 #ifndef CONFIG_NO_VLAN
948 struct vlan_description vlan_desc;
949
950 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
951 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
952 " to VLAN ID %d",
953 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
954
955 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
956 vlan_desc.notempty = 1;
957 vlan_desc.untagged = sta->sae->tmp->vlan_id;
958 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
959 wpa_printf(MSG_INFO,
960 "Invalid VLAN ID %d in sae_password",
961 sta->sae->tmp->vlan_id);
962 return;
963 }
964
965 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
966 ap_sta_bind_vlan(hapd, sta) < 0) {
967 wpa_printf(MSG_INFO,
968 "Failed to assign VLAN ID %d from sae_password to "
969 MACSTR, sta->sae->tmp->vlan_id,
970 MAC2STR(sta->addr));
971 return;
972 }
973 }
974 #endif /* CONFIG_NO_VLAN */
975
976 sta->flags |= WLAN_STA_AUTH;
977 sta->auth_alg = WLAN_AUTH_SAE;
978 mlme_authenticate_indication(hapd, sta);
979 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
980 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
981 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
982 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
983 sta->sae->peer_commit_scalar = NULL;
984 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
985 sta->sae->pmk, sta->sae->pmkid);
986 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
987 }
988
989
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)990 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
991 const u8 *bssid, u16 auth_transaction, u16 status_code,
992 int allow_reuse, int *sta_removed)
993 {
994 int ret;
995
996 *sta_removed = 0;
997
998 if (auth_transaction != 1 && auth_transaction != 2)
999 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1000
1001 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
1002 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
1003 auth_transaction);
1004 switch (sta->sae->state) {
1005 case SAE_NOTHING:
1006 if (auth_transaction == 1) {
1007 if (sta->sae->tmp) {
1008 sta->sae->h2e =
1009 (status_code ==
1010 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1011 status_code == WLAN_STATUS_SAE_PK);
1012 sta->sae->pk =
1013 status_code == WLAN_STATUS_SAE_PK;
1014 }
1015 ret = auth_sae_send_commit(hapd, sta, bssid,
1016 !allow_reuse, status_code);
1017 if (ret)
1018 return ret;
1019 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1020
1021 if (sae_process_commit(sta->sae) < 0)
1022 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1023
1024 /*
1025 * In mesh case, both Commit and Confirm are sent
1026 * immediately. In infrastructure BSS, by default, only
1027 * a single Authentication frame (Commit) is expected
1028 * from the AP here and the second one (Confirm) will
1029 * be sent once the STA has sent its second
1030 * Authentication frame (Confirm). This behavior can be
1031 * overridden with explicit configuration so that the
1032 * infrastructure BSS case sends both frames together.
1033 */
1034 if ((hapd->conf->mesh & MESH_ENABLED) ||
1035 hapd->conf->sae_confirm_immediate) {
1036 /*
1037 * Send both Commit and Confirm immediately
1038 * based on SAE finite state machine
1039 * Nothing -> Confirm transition.
1040 */
1041 ret = auth_sae_send_confirm(hapd, sta, bssid);
1042 if (ret)
1043 return ret;
1044 sae_set_state(sta, SAE_CONFIRMED,
1045 "Sent Confirm (mesh)");
1046 } else {
1047 /*
1048 * For infrastructure BSS, send only the Commit
1049 * message now to get alternating sequence of
1050 * Authentication frames between the AP and STA.
1051 * Confirm will be sent in
1052 * Committed -> Confirmed/Accepted transition
1053 * when receiving Confirm from STA.
1054 */
1055 }
1056 sta->sae->sync = 0;
1057 sae_set_retransmit_timer(hapd, sta);
1058 } else {
1059 hostapd_logger(hapd, sta->addr,
1060 HOSTAPD_MODULE_IEEE80211,
1061 HOSTAPD_LEVEL_DEBUG,
1062 "SAE confirm before commit");
1063 }
1064 break;
1065 case SAE_COMMITTED:
1066 sae_clear_retransmit_timer(hapd, sta);
1067 if (auth_transaction == 1) {
1068 if (sae_process_commit(sta->sae) < 0)
1069 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1070
1071 ret = auth_sae_send_confirm(hapd, sta, bssid);
1072 if (ret)
1073 return ret;
1074 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1075 sta->sae->sync = 0;
1076 sae_set_retransmit_timer(hapd, sta);
1077 } else if (hapd->conf->mesh & MESH_ENABLED) {
1078 /*
1079 * In mesh case, follow SAE finite state machine and
1080 * send Commit now, if sync count allows.
1081 */
1082 if (sae_check_big_sync(hapd, sta))
1083 return WLAN_STATUS_SUCCESS;
1084 sta->sae->sync++;
1085
1086 ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1087 status_code);
1088 if (ret)
1089 return ret;
1090
1091 sae_set_retransmit_timer(hapd, sta);
1092 } else {
1093 /*
1094 * For instructure BSS, send the postponed Confirm from
1095 * Nothing -> Confirmed transition that was reduced to
1096 * Nothing -> Committed above.
1097 */
1098 ret = auth_sae_send_confirm(hapd, sta, bssid);
1099 if (ret)
1100 return ret;
1101
1102 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1103
1104 /*
1105 * Since this was triggered on Confirm RX, run another
1106 * step to get to Accepted without waiting for
1107 * additional events.
1108 */
1109 return sae_sm_step(hapd, sta, bssid, auth_transaction,
1110 WLAN_STATUS_SUCCESS, 0, sta_removed);
1111 }
1112 break;
1113 case SAE_CONFIRMED:
1114 sae_clear_retransmit_timer(hapd, sta);
1115 if (auth_transaction == 1) {
1116 if (sae_check_big_sync(hapd, sta))
1117 return WLAN_STATUS_SUCCESS;
1118 sta->sae->sync++;
1119
1120 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1121 status_code);
1122 if (ret)
1123 return ret;
1124
1125 if (sae_process_commit(sta->sae) < 0)
1126 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1127
1128 ret = auth_sae_send_confirm(hapd, sta, bssid);
1129 if (ret)
1130 return ret;
1131
1132 sae_set_retransmit_timer(hapd, sta);
1133 } else {
1134 sta->sae->send_confirm = 0xffff;
1135 sae_accept_sta(hapd, sta);
1136 }
1137 break;
1138 case SAE_ACCEPTED:
1139 if (auth_transaction == 1 &&
1140 (hapd->conf->mesh & MESH_ENABLED)) {
1141 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1142 ") doing reauthentication",
1143 MAC2STR(sta->addr));
1144 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1145 ap_free_sta(hapd, sta);
1146 *sta_removed = 1;
1147 } else if (auth_transaction == 1) {
1148 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1149 ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1150 status_code);
1151 if (ret)
1152 return ret;
1153 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1154
1155 if (sae_process_commit(sta->sae) < 0)
1156 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1157 sta->sae->sync = 0;
1158 sae_set_retransmit_timer(hapd, sta);
1159 } else {
1160 if (sae_check_big_sync(hapd, sta))
1161 return WLAN_STATUS_SUCCESS;
1162 sta->sae->sync++;
1163
1164 ret = auth_sae_send_confirm(hapd, sta, bssid);
1165 sae_clear_temp_data(sta->sae);
1166 if (ret)
1167 return ret;
1168 }
1169 break;
1170 default:
1171 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1172 sta->sae->state);
1173 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1174 }
1175 return WLAN_STATUS_SUCCESS;
1176 }
1177
1178
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1179 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1180 {
1181 struct sae_data *sae = sta->sae;
1182 int i, *groups = hapd->conf->sae_groups;
1183 int default_groups[] = { 19, 0 };
1184
1185 if (sae->state != SAE_COMMITTED)
1186 return;
1187
1188 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1189
1190 if (!groups)
1191 groups = default_groups;
1192 for (i = 0; groups[i] > 0; i++) {
1193 if (sae->group == groups[i])
1194 break;
1195 }
1196
1197 if (groups[i] <= 0) {
1198 wpa_printf(MSG_DEBUG,
1199 "SAE: Previously selected group not found from the current configuration");
1200 return;
1201 }
1202
1203 for (;;) {
1204 i++;
1205 if (groups[i] <= 0) {
1206 wpa_printf(MSG_DEBUG,
1207 "SAE: No alternative group enabled");
1208 return;
1209 }
1210
1211 if (sae_set_group(sae, groups[i]) < 0)
1212 continue;
1213
1214 break;
1215 }
1216 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1217 }
1218
1219
sae_status_success(struct hostapd_data * hapd,u16 status_code)1220 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1221 {
1222 int sae_pwe = hapd->conf->sae_pwe;
1223 int id_in_use;
1224 bool sae_pk = false;
1225
1226 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1227 if (id_in_use == 2 && sae_pwe != 3)
1228 sae_pwe = 1;
1229 else if (id_in_use == 1 && sae_pwe == 0)
1230 sae_pwe = 2;
1231 #ifdef CONFIG_SAE_PK
1232 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1233 if (sae_pwe == 0 && sae_pk)
1234 sae_pwe = 2;
1235 #endif /* CONFIG_SAE_PK */
1236
1237 return ((sae_pwe == 0 || sae_pwe == 3) &&
1238 status_code == WLAN_STATUS_SUCCESS) ||
1239 (sae_pwe == 1 &&
1240 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1241 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1242 (sae_pwe == 2 &&
1243 (status_code == WLAN_STATUS_SUCCESS ||
1244 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1245 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1246 }
1247
1248
sae_is_group_enabled(struct hostapd_data * hapd,int group)1249 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1250 {
1251 int *groups = hapd->conf->sae_groups;
1252 int default_groups[] = { 19, 0 };
1253 int i;
1254
1255 if (!groups)
1256 groups = default_groups;
1257
1258 for (i = 0; groups[i] > 0; i++) {
1259 if (groups[i] == group)
1260 return 1;
1261 }
1262
1263 return 0;
1264 }
1265
1266
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1267 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1268 struct sae_data *sae)
1269 {
1270 const struct wpabuf *groups;
1271 size_t i, count;
1272 const u8 *pos;
1273
1274 if (!sae->tmp)
1275 return 0;
1276 groups = sae->tmp->peer_rejected_groups;
1277 if (!groups)
1278 return 0;
1279
1280 pos = wpabuf_head(groups);
1281 count = wpabuf_len(groups) / 2;
1282 for (i = 0; i < count; i++) {
1283 int enabled;
1284 u16 group;
1285
1286 group = WPA_GET_LE16(pos);
1287 pos += 2;
1288 enabled = sae_is_group_enabled(hapd, group);
1289 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1290 group, enabled ? "enabled" : "disabled");
1291 if (enabled)
1292 return 1;
1293 }
1294
1295 return 0;
1296 }
1297
1298
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1299 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1300 const struct ieee80211_mgmt *mgmt, size_t len,
1301 u16 auth_transaction, u16 status_code)
1302 {
1303 int resp = WLAN_STATUS_SUCCESS;
1304 struct wpabuf *data = NULL;
1305 int *groups = hapd->conf->sae_groups;
1306 int default_groups[] = { 19, 0 };
1307 const u8 *pos, *end;
1308 int sta_removed = 0;
1309 bool success_status;
1310
1311 if (!groups)
1312 groups = default_groups;
1313
1314 #ifdef CONFIG_TESTING_OPTIONS
1315 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1316 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1317 pos = mgmt->u.auth.variable;
1318 end = ((const u8 *) mgmt) + len;
1319 resp = status_code;
1320 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1321 auth_transaction, resp, pos, end - pos,
1322 "auth-sae-reflection-attack");
1323 goto remove_sta;
1324 }
1325
1326 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1327 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1328 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1329 auth_transaction, resp,
1330 wpabuf_head(hapd->conf->sae_commit_override),
1331 wpabuf_len(hapd->conf->sae_commit_override),
1332 "sae-commit-override");
1333 goto remove_sta;
1334 }
1335 #endif /* CONFIG_TESTING_OPTIONS */
1336 if (!sta->sae) {
1337 if (auth_transaction != 1 ||
1338 !sae_status_success(hapd, status_code)) {
1339 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1340 status_code);
1341 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1342 goto reply;
1343 }
1344 sta->sae = os_zalloc(sizeof(*sta->sae));
1345 if (!sta->sae) {
1346 resp = -1;
1347 goto remove_sta;
1348 }
1349 sae_set_state(sta, SAE_NOTHING, "Init");
1350 sta->sae->sync = 0;
1351 }
1352
1353 if (sta->mesh_sae_pmksa_caching) {
1354 wpa_printf(MSG_DEBUG,
1355 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1356 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1357 sta->mesh_sae_pmksa_caching = 0;
1358 }
1359
1360 if (auth_transaction == 1) {
1361 const u8 *token = NULL;
1362 size_t token_len = 0;
1363 int allow_reuse = 0;
1364
1365 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1366 HOSTAPD_LEVEL_DEBUG,
1367 "start SAE authentication (RX commit, status=%u (%s))",
1368 status_code, status2str(status_code));
1369
1370 if ((hapd->conf->mesh & MESH_ENABLED) &&
1371 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1372 sta->sae->tmp) {
1373 pos = mgmt->u.auth.variable;
1374 end = ((const u8 *) mgmt) + len;
1375 if (pos + sizeof(le16) > end) {
1376 wpa_printf(MSG_ERROR,
1377 "SAE: Too short anti-clogging token request");
1378 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1379 goto reply;
1380 }
1381 resp = sae_group_allowed(sta->sae, groups,
1382 WPA_GET_LE16(pos));
1383 if (resp != WLAN_STATUS_SUCCESS) {
1384 wpa_printf(MSG_ERROR,
1385 "SAE: Invalid group in anti-clogging token request");
1386 goto reply;
1387 }
1388 pos += sizeof(le16);
1389
1390 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1391 sta->sae->tmp->anti_clogging_token =
1392 wpabuf_alloc_copy(pos, end - pos);
1393 if (sta->sae->tmp->anti_clogging_token == NULL) {
1394 wpa_printf(MSG_ERROR,
1395 "SAE: Failed to alloc for anti-clogging token");
1396 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1397 goto remove_sta;
1398 }
1399
1400 /*
1401 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1402 * is 76, a new Commit Message shall be constructed
1403 * with the Anti-Clogging Token from the received
1404 * Authentication frame, and the commit-scalar and
1405 * COMMIT-ELEMENT previously sent.
1406 */
1407 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1408 status_code);
1409 if (resp != WLAN_STATUS_SUCCESS) {
1410 wpa_printf(MSG_ERROR,
1411 "SAE: Failed to send commit message");
1412 goto remove_sta;
1413 }
1414 sae_set_state(sta, SAE_COMMITTED,
1415 "Sent Commit (anti-clogging token case in mesh)");
1416 sta->sae->sync = 0;
1417 sae_set_retransmit_timer(hapd, sta);
1418 return;
1419 }
1420
1421 if ((hapd->conf->mesh & MESH_ENABLED) &&
1422 status_code ==
1423 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1424 sta->sae->tmp) {
1425 wpa_printf(MSG_DEBUG,
1426 "SAE: Peer did not accept our SAE group");
1427 sae_pick_next_group(hapd, sta);
1428 goto remove_sta;
1429 }
1430
1431 if (!sae_status_success(hapd, status_code))
1432 goto remove_sta;
1433
1434 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1435 sta->sae->state == SAE_COMMITTED) {
1436 /* This is needed in the infrastructure BSS case to
1437 * address a sequence where a STA entry may remain in
1438 * hostapd across two attempts to do SAE authentication
1439 * by the same STA. The second attempt may end up trying
1440 * to use a different group and that would not be
1441 * allowed if we remain in Committed state with the
1442 * previously set parameters. */
1443 pos = mgmt->u.auth.variable;
1444 end = ((const u8 *) mgmt) + len;
1445 if (end - pos >= (int) sizeof(le16) &&
1446 sae_group_allowed(sta->sae, groups,
1447 WPA_GET_LE16(pos)) ==
1448 WLAN_STATUS_SUCCESS) {
1449 /* Do not waste resources deriving the same PWE
1450 * again since the same group is reused. */
1451 sae_set_state(sta, SAE_NOTHING,
1452 "Allow previous PWE to be reused");
1453 allow_reuse = 1;
1454 } else {
1455 sae_set_state(sta, SAE_NOTHING,
1456 "Clear existing state to allow restart");
1457 sae_clear_data(sta->sae);
1458 }
1459 }
1460
1461 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1462 ((const u8 *) mgmt) + len -
1463 mgmt->u.auth.variable, &token,
1464 &token_len, groups, status_code ==
1465 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1466 status_code == WLAN_STATUS_SAE_PK);
1467 if (resp == SAE_SILENTLY_DISCARD) {
1468 wpa_printf(MSG_DEBUG,
1469 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1470 MAC2STR(sta->addr));
1471 goto remove_sta;
1472 }
1473
1474 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1475 wpa_msg(hapd->msg_ctx, MSG_INFO,
1476 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1477 MACSTR, MAC2STR(sta->addr));
1478 sae_clear_retransmit_timer(hapd, sta);
1479 sae_set_state(sta, SAE_NOTHING,
1480 "Unknown Password Identifier");
1481 goto remove_sta;
1482 }
1483
1484 if (token &&
1485 check_comeback_token(hapd, sta->addr, token, token_len)
1486 < 0) {
1487 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1488 "incorrect token from " MACSTR,
1489 MAC2STR(sta->addr));
1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1491 goto remove_sta;
1492 }
1493
1494 if (resp != WLAN_STATUS_SUCCESS)
1495 goto reply;
1496
1497 if (check_sae_rejected_groups(hapd, sta->sae)) {
1498 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1499 goto reply;
1500 }
1501
1502 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1503 int h2e = 0;
1504
1505 wpa_printf(MSG_DEBUG,
1506 "SAE: Request anti-clogging token from "
1507 MACSTR, MAC2STR(sta->addr));
1508 if (sta->sae->tmp)
1509 h2e = sta->sae->h2e;
1510 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1511 status_code == WLAN_STATUS_SAE_PK)
1512 h2e = 1;
1513 data = auth_build_token_req(hapd, sta->sae->group,
1514 sta->addr, h2e);
1515 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1516 if (hapd->conf->mesh & MESH_ENABLED)
1517 sae_set_state(sta, SAE_NOTHING,
1518 "Request anti-clogging token case in mesh");
1519 goto reply;
1520 }
1521
1522 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1523 status_code, allow_reuse, &sta_removed);
1524 } else if (auth_transaction == 2) {
1525 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1526 HOSTAPD_LEVEL_DEBUG,
1527 "SAE authentication (RX confirm, status=%u (%s))",
1528 status_code, status2str(status_code));
1529 if (status_code != WLAN_STATUS_SUCCESS)
1530 goto remove_sta;
1531 if (sta->sae->state >= SAE_CONFIRMED ||
1532 !(hapd->conf->mesh & MESH_ENABLED)) {
1533 const u8 *var;
1534 size_t var_len;
1535 u16 peer_send_confirm;
1536
1537 var = mgmt->u.auth.variable;
1538 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1539 if (var_len < 2) {
1540 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1541 goto reply;
1542 }
1543
1544 peer_send_confirm = WPA_GET_LE16(var);
1545
1546 if (sta->sae->state == SAE_ACCEPTED &&
1547 (peer_send_confirm <= sta->sae->rc ||
1548 peer_send_confirm == 0xffff)) {
1549 wpa_printf(MSG_DEBUG,
1550 "SAE: Silently ignore unexpected Confirm from peer "
1551 MACSTR
1552 " (peer-send-confirm=%u Rc=%u)",
1553 MAC2STR(sta->addr),
1554 peer_send_confirm, sta->sae->rc);
1555 return;
1556 }
1557
1558 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1559 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1560 goto reply;
1561 }
1562 sta->sae->rc = peer_send_confirm;
1563 }
1564 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1565 status_code, 0, &sta_removed);
1566 } else {
1567 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1568 HOSTAPD_LEVEL_DEBUG,
1569 "unexpected SAE authentication transaction %u (status=%u (%s))",
1570 auth_transaction, status_code,
1571 status2str(status_code));
1572 if (status_code != WLAN_STATUS_SUCCESS)
1573 goto remove_sta;
1574 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1575 }
1576
1577 reply:
1578 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1579 pos = mgmt->u.auth.variable;
1580 end = ((const u8 *) mgmt) + len;
1581
1582 /* Copy the Finite Cyclic Group field from the request if we
1583 * rejected it as unsupported group. */
1584 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1585 !data && end - pos >= 2)
1586 data = wpabuf_alloc_copy(pos, 2);
1587
1588 sae_sme_send_external_auth_status(hapd, sta, resp);
1589 send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1590 auth_transaction, resp,
1591 data ? wpabuf_head(data) : (u8 *) "",
1592 data ? wpabuf_len(data) : 0, "auth-sae");
1593 }
1594
1595 remove_sta:
1596 if (auth_transaction == 1)
1597 success_status = sae_status_success(hapd, status_code);
1598 else
1599 success_status = status_code == WLAN_STATUS_SUCCESS;
1600 if (!sta_removed && sta->added_unassoc &&
1601 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1602 hostapd_drv_sta_remove(hapd, sta->addr);
1603 sta->added_unassoc = 0;
1604 }
1605 wpabuf_free(data);
1606 }
1607
1608
1609 /**
1610 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1611 * @hapd: BSS data for the device initiating the authentication
1612 * @sta: the peer to which commit authentication frame is sent
1613 *
1614 * This function implements Init event handling (IEEE Std 802.11-2012,
1615 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1616 * sta->sae structure should be initialized appropriately via a call to
1617 * sae_prepare_commit().
1618 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1619 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1620 {
1621 int ret;
1622
1623 if (!sta->sae || !sta->sae->tmp)
1624 return -1;
1625
1626 if (sta->sae->state != SAE_NOTHING)
1627 return -1;
1628
1629 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1630 if (ret)
1631 return -1;
1632
1633 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1634 sta->sae->sync = 0;
1635 sae_set_retransmit_timer(hapd, sta);
1636
1637 return 0;
1638 }
1639
1640
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1641 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1642 {
1643 struct hostapd_data *hapd = eloop_ctx;
1644 struct hostapd_sae_commit_queue *q;
1645 unsigned int queue_len;
1646
1647 q = dl_list_first(&hapd->sae_commit_queue,
1648 struct hostapd_sae_commit_queue, list);
1649 if (!q)
1650 return;
1651 wpa_printf(MSG_DEBUG,
1652 "SAE: Process next available message from queue");
1653 dl_list_del(&q->list);
1654 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1655 q->rssi, 1);
1656 os_free(q);
1657
1658 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1659 return;
1660 queue_len = dl_list_len(&hapd->sae_commit_queue);
1661 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1662 hapd, NULL);
1663 }
1664
1665
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1666 static void auth_sae_queue(struct hostapd_data *hapd,
1667 const struct ieee80211_mgmt *mgmt, size_t len,
1668 int rssi)
1669 {
1670 struct hostapd_sae_commit_queue *q, *q2;
1671 unsigned int queue_len;
1672 const struct ieee80211_mgmt *mgmt2;
1673
1674 queue_len = dl_list_len(&hapd->sae_commit_queue);
1675 if (queue_len >= 15) {
1676 wpa_printf(MSG_DEBUG,
1677 "SAE: No more room in message queue - drop the new frame from "
1678 MACSTR, MAC2STR(mgmt->sa));
1679 return;
1680 }
1681
1682 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1683 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1684 queue_len);
1685 q = os_zalloc(sizeof(*q) + len);
1686 if (!q)
1687 return;
1688 q->rssi = rssi;
1689 q->len = len;
1690 os_memcpy(q->msg, mgmt, len);
1691
1692 /* Check whether there is already a queued Authentication frame from the
1693 * same station with the same transaction number and if so, replace that
1694 * queue entry with the new one. This avoids issues with a peer that
1695 * sends multiple times (e.g., due to frequent SAE retries). There is no
1696 * point in us trying to process the old attempts after a new one has
1697 * obsoleted them. */
1698 dl_list_for_each(q2, &hapd->sae_commit_queue,
1699 struct hostapd_sae_commit_queue, list) {
1700 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1701 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1702 mgmt->u.auth.auth_transaction ==
1703 mgmt2->u.auth.auth_transaction) {
1704 wpa_printf(MSG_DEBUG,
1705 "SAE: Replace queued message from same STA with same transaction number");
1706 dl_list_add(&q2->list, &q->list);
1707 dl_list_del(&q2->list);
1708 os_free(q2);
1709 goto queued;
1710 }
1711 }
1712
1713 /* No pending identical entry, so add to the end of the queue */
1714 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1715
1716 queued:
1717 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1718 return;
1719 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1720 hapd, NULL);
1721 }
1722
1723
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1724 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1725 {
1726 struct hostapd_sae_commit_queue *q;
1727 const struct ieee80211_mgmt *mgmt;
1728
1729 dl_list_for_each(q, &hapd->sae_commit_queue,
1730 struct hostapd_sae_commit_queue, list) {
1731 mgmt = (const struct ieee80211_mgmt *) q->msg;
1732 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1733 return 1;
1734 }
1735
1736 return 0;
1737 }
1738
1739 #endif /* CONFIG_SAE */
1740
1741
wpa_res_to_status_code(enum wpa_validate_result res)1742 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1743 {
1744 switch (res) {
1745 case WPA_IE_OK:
1746 return WLAN_STATUS_SUCCESS;
1747 case WPA_INVALID_IE:
1748 return WLAN_STATUS_INVALID_IE;
1749 case WPA_INVALID_GROUP:
1750 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1751 case WPA_INVALID_PAIRWISE:
1752 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1753 case WPA_INVALID_AKMP:
1754 return WLAN_STATUS_AKMP_NOT_VALID;
1755 case WPA_NOT_ENABLED:
1756 return WLAN_STATUS_INVALID_IE;
1757 case WPA_ALLOC_FAIL:
1758 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1759 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1760 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1761 case WPA_INVALID_MGMT_GROUP_CIPHER:
1762 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1763 case WPA_INVALID_MDIE:
1764 return WLAN_STATUS_INVALID_MDIE;
1765 case WPA_INVALID_PROTO:
1766 return WLAN_STATUS_INVALID_IE;
1767 case WPA_INVALID_PMKID:
1768 return WLAN_STATUS_INVALID_PMKID;
1769 case WPA_DENIED_OTHER_REASON:
1770 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1771 }
1772 return WLAN_STATUS_INVALID_IE;
1773 }
1774
1775
1776 #ifdef CONFIG_FILS
1777
1778 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1779 struct sta_info *sta, u16 resp,
1780 struct wpabuf *data, int pub);
1781
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1782 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1783 const u8 *pos, size_t len, u16 auth_alg,
1784 u16 auth_transaction, u16 status_code,
1785 void (*cb)(struct hostapd_data *hapd,
1786 struct sta_info *sta, u16 resp,
1787 struct wpabuf *data, int pub))
1788 {
1789 u16 resp = WLAN_STATUS_SUCCESS;
1790 const u8 *end;
1791 struct ieee802_11_elems elems;
1792 enum wpa_validate_result res;
1793 struct wpa_ie_data rsn;
1794 struct rsn_pmksa_cache_entry *pmksa = NULL;
1795
1796 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1797 return;
1798
1799 end = pos + len;
1800
1801 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1802 pos, end - pos);
1803
1804 /* TODO: FILS PK */
1805 #ifdef CONFIG_FILS_SK_PFS
1806 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1807 u16 group;
1808 struct wpabuf *pub;
1809 size_t elem_len;
1810
1811 /* Using FILS PFS */
1812
1813 /* Finite Cyclic Group */
1814 if (end - pos < 2) {
1815 wpa_printf(MSG_DEBUG,
1816 "FILS: No room for Finite Cyclic Group");
1817 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1818 goto fail;
1819 }
1820 group = WPA_GET_LE16(pos);
1821 pos += 2;
1822 if (group != hapd->conf->fils_dh_group) {
1823 wpa_printf(MSG_DEBUG,
1824 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1825 group, hapd->conf->fils_dh_group);
1826 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1827 goto fail;
1828 }
1829
1830 crypto_ecdh_deinit(sta->fils_ecdh);
1831 sta->fils_ecdh = crypto_ecdh_init(group);
1832 if (!sta->fils_ecdh) {
1833 wpa_printf(MSG_INFO,
1834 "FILS: Could not initialize ECDH with group %d",
1835 group);
1836 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1837 goto fail;
1838 }
1839
1840 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1841 if (!pub) {
1842 wpa_printf(MSG_DEBUG,
1843 "FILS: Failed to derive ECDH public key");
1844 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1845 goto fail;
1846 }
1847 elem_len = wpabuf_len(pub);
1848 wpabuf_free(pub);
1849
1850 /* Element */
1851 if ((size_t) (end - pos) < elem_len) {
1852 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1853 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1854 goto fail;
1855 }
1856
1857 wpabuf_free(sta->fils_g_sta);
1858 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1859 wpabuf_clear_free(sta->fils_dh_ss);
1860 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1861 pos, elem_len);
1862 if (!sta->fils_dh_ss) {
1863 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1864 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1865 goto fail;
1866 }
1867 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1868 pos += elem_len;
1869 } else {
1870 crypto_ecdh_deinit(sta->fils_ecdh);
1871 sta->fils_ecdh = NULL;
1872 wpabuf_clear_free(sta->fils_dh_ss);
1873 sta->fils_dh_ss = NULL;
1874 }
1875 #endif /* CONFIG_FILS_SK_PFS */
1876
1877 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1878 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1879 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1880 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1881 goto fail;
1882 }
1883
1884 /* RSNE */
1885 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1886 elems.rsn_ie, elems.rsn_ie_len);
1887 if (!elems.rsn_ie ||
1888 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1889 &rsn) < 0) {
1890 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1891 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1892 goto fail;
1893 }
1894
1895 if (!sta->wpa_sm)
1896 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1897 NULL);
1898 if (!sta->wpa_sm) {
1899 wpa_printf(MSG_DEBUG,
1900 "FILS: Failed to initialize RSN state machine");
1901 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1902 goto fail;
1903 }
1904
1905 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1906 hapd->iface->freq,
1907 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1908 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1909 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1910 elems.mdie, elems.mdie_len, NULL, 0);
1911 resp = wpa_res_to_status_code(res);
1912 if (resp != WLAN_STATUS_SUCCESS)
1913 goto fail;
1914
1915 if (!elems.fils_nonce) {
1916 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1917 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1918 goto fail;
1919 }
1920 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1921 FILS_NONCE_LEN);
1922 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1923
1924 /* PMKID List */
1925 if (rsn.pmkid && rsn.num_pmkid > 0) {
1926 u8 num;
1927 const u8 *pmkid;
1928
1929 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1930 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1931
1932 pmkid = rsn.pmkid;
1933 num = rsn.num_pmkid;
1934 while (num) {
1935 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1936 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1937 pmkid);
1938 if (pmksa)
1939 break;
1940 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1941 sta->addr,
1942 pmkid);
1943 if (pmksa)
1944 break;
1945 pmkid += PMKID_LEN;
1946 num--;
1947 }
1948 }
1949 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1950 wpa_printf(MSG_DEBUG,
1951 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1952 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1953 pmksa = NULL;
1954 }
1955 if (pmksa)
1956 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1957
1958 /* FILS Session */
1959 if (!elems.fils_session) {
1960 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1961 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1962 goto fail;
1963 }
1964 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1965 FILS_SESSION_LEN);
1966 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1967
1968 /* Wrapped Data */
1969 if (elems.wrapped_data) {
1970 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1971 elems.wrapped_data,
1972 elems.wrapped_data_len);
1973 if (!pmksa) {
1974 #ifndef CONFIG_NO_RADIUS
1975 if (!sta->eapol_sm) {
1976 sta->eapol_sm =
1977 ieee802_1x_alloc_eapol_sm(hapd, sta);
1978 }
1979 wpa_printf(MSG_DEBUG,
1980 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1981 ieee802_1x_encapsulate_radius(
1982 hapd, sta, elems.wrapped_data,
1983 elems.wrapped_data_len);
1984 sta->fils_pending_cb = cb;
1985 wpa_printf(MSG_DEBUG,
1986 "FILS: Will send Authentication frame once the response from authentication server is available");
1987 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1988 /* Calculate pending PMKID here so that we do not need
1989 * to maintain a copy of the EAP-Initiate/Reauth
1990 * message. */
1991 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1992 elems.wrapped_data,
1993 elems.wrapped_data_len,
1994 sta->fils_erp_pmkid) == 0)
1995 sta->fils_erp_pmkid_set = 1;
1996 return;
1997 #else /* CONFIG_NO_RADIUS */
1998 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1999 goto fail;
2000 #endif /* CONFIG_NO_RADIUS */
2001 }
2002 }
2003
2004 fail:
2005 if (cb) {
2006 struct wpabuf *data;
2007 int pub = 0;
2008
2009 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2010 NULL, 0, &pub);
2011 if (!data) {
2012 wpa_printf(MSG_DEBUG,
2013 "%s: prepare_auth_resp_fils() returned failure",
2014 __func__);
2015 }
2016
2017 cb(hapd, sta, resp, data, pub);
2018 }
2019 }
2020
2021
2022 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)2023 prepare_auth_resp_fils(struct hostapd_data *hapd,
2024 struct sta_info *sta, u16 *resp,
2025 struct rsn_pmksa_cache_entry *pmksa,
2026 struct wpabuf *erp_resp,
2027 const u8 *msk, size_t msk_len,
2028 int *is_pub)
2029 {
2030 u8 fils_nonce[FILS_NONCE_LEN];
2031 size_t ielen;
2032 struct wpabuf *data = NULL;
2033 const u8 *ie;
2034 u8 *ie_buf = NULL;
2035 const u8 *pmk = NULL;
2036 size_t pmk_len = 0;
2037 u8 pmk_buf[PMK_LEN_MAX];
2038 struct wpabuf *pub = NULL;
2039
2040 if (*resp != WLAN_STATUS_SUCCESS)
2041 goto fail;
2042
2043 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2044 if (!ie) {
2045 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2046 goto fail;
2047 }
2048
2049 if (pmksa) {
2050 /* Add PMKID of the selected PMKSA into RSNE */
2051 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2052 if (!ie_buf) {
2053 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2054 goto fail;
2055 }
2056
2057 os_memcpy(ie_buf, ie, ielen);
2058 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2059 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2060 goto fail;
2061 }
2062 ie = ie_buf;
2063 }
2064
2065 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2066 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2067 goto fail;
2068 }
2069 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2070 fils_nonce, FILS_NONCE_LEN);
2071
2072 #ifdef CONFIG_FILS_SK_PFS
2073 if (sta->fils_dh_ss && sta->fils_ecdh) {
2074 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2075 if (!pub) {
2076 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2077 goto fail;
2078 }
2079 }
2080 #endif /* CONFIG_FILS_SK_PFS */
2081
2082 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2083 if (!data) {
2084 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2085 goto fail;
2086 }
2087
2088 /* TODO: FILS PK */
2089 #ifdef CONFIG_FILS_SK_PFS
2090 if (pub) {
2091 /* Finite Cyclic Group */
2092 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2093
2094 /* Element */
2095 wpabuf_put_buf(data, pub);
2096 }
2097 #endif /* CONFIG_FILS_SK_PFS */
2098
2099 /* RSNE */
2100 wpabuf_put_data(data, ie, ielen);
2101
2102 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2103
2104 #ifdef CONFIG_IEEE80211R_AP
2105 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2106 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2107 int res;
2108 int use_sha384 = wpa_key_mgmt_sha384(
2109 wpa_auth_sta_key_mgmt(sta->wpa_sm));
2110
2111 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2112 wpabuf_put(data, 0),
2113 wpabuf_tailroom(data));
2114 if (res < 0) {
2115 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2116 goto fail;
2117 }
2118 wpabuf_put(data, res);
2119 }
2120 #endif /* CONFIG_IEEE80211R_AP */
2121
2122 /* FILS Nonce */
2123 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2124 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2125 /* Element ID Extension */
2126 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2127 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2128
2129 /* FILS Session */
2130 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2131 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2132 /* Element ID Extension */
2133 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2134 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2135
2136 /* Wrapped Data */
2137 if (!pmksa && erp_resp) {
2138 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2139 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2140 /* Element ID Extension */
2141 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2142 wpabuf_put_buf(data, erp_resp);
2143
2144 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2145 msk, msk_len, sta->fils_snonce, fils_nonce,
2146 sta->fils_dh_ss ?
2147 wpabuf_head(sta->fils_dh_ss) : NULL,
2148 sta->fils_dh_ss ?
2149 wpabuf_len(sta->fils_dh_ss) : 0,
2150 pmk_buf, &pmk_len)) {
2151 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2152 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2153 wpabuf_free(data);
2154 data = NULL;
2155 goto fail;
2156 }
2157 pmk = pmk_buf;
2158
2159 /* Don't use DHss in PTK derivation if PMKSA caching is not
2160 * used. */
2161 wpabuf_clear_free(sta->fils_dh_ss);
2162 sta->fils_dh_ss = NULL;
2163
2164 if (sta->fils_erp_pmkid_set) {
2165 /* TODO: get PMKLifetime from WPA parameters */
2166 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2167 int session_timeout;
2168
2169 session_timeout = dot11RSNAConfigPMKLifetime;
2170 if (sta->session_timeout_set) {
2171 struct os_reltime now, diff;
2172
2173 os_get_reltime(&now);
2174 os_reltime_sub(&sta->session_timeout, &now,
2175 &diff);
2176 session_timeout = diff.sec;
2177 }
2178
2179 sta->fils_erp_pmkid_set = 0;
2180 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2181 sta->fils_erp_pmkid);
2182 if (!hapd->conf->disable_pmksa_caching &&
2183 wpa_auth_pmksa_add2(
2184 hapd->wpa_auth, sta->addr,
2185 pmk, pmk_len,
2186 sta->fils_erp_pmkid,
2187 session_timeout,
2188 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2189 wpa_printf(MSG_ERROR,
2190 "FILS: Failed to add PMKSA cache entry based on ERP");
2191 }
2192 }
2193 } else if (pmksa) {
2194 pmk = pmksa->pmk;
2195 pmk_len = pmksa->pmk_len;
2196 }
2197
2198 if (!pmk) {
2199 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2200 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2201 wpabuf_free(data);
2202 data = NULL;
2203 goto fail;
2204 }
2205
2206 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2207 sta->fils_snonce, fils_nonce,
2208 sta->fils_dh_ss ?
2209 wpabuf_head(sta->fils_dh_ss) : NULL,
2210 sta->fils_dh_ss ?
2211 wpabuf_len(sta->fils_dh_ss) : 0,
2212 sta->fils_g_sta, pub) < 0) {
2213 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2214 wpabuf_free(data);
2215 data = NULL;
2216 goto fail;
2217 }
2218
2219 fail:
2220 if (is_pub)
2221 *is_pub = pub != NULL;
2222 os_free(ie_buf);
2223 wpabuf_free(pub);
2224 wpabuf_clear_free(sta->fils_dh_ss);
2225 sta->fils_dh_ss = NULL;
2226 #ifdef CONFIG_FILS_SK_PFS
2227 crypto_ecdh_deinit(sta->fils_ecdh);
2228 sta->fils_ecdh = NULL;
2229 #endif /* CONFIG_FILS_SK_PFS */
2230 return data;
2231 }
2232
2233
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2234 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2235 struct sta_info *sta, u16 resp,
2236 struct wpabuf *data, int pub)
2237 {
2238 u16 auth_alg;
2239
2240 auth_alg = (pub ||
2241 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2242 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2243 send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2244 data ? wpabuf_head(data) : (u8 *) "",
2245 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2246 wpabuf_free(data);
2247
2248 if (resp == WLAN_STATUS_SUCCESS) {
2249 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2250 HOSTAPD_LEVEL_DEBUG,
2251 "authentication OK (FILS)");
2252 sta->flags |= WLAN_STA_AUTH;
2253 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2254 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2255 mlme_authenticate_indication(hapd, sta);
2256 }
2257 }
2258
2259
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2260 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2261 struct sta_info *sta, int success,
2262 struct wpabuf *erp_resp,
2263 const u8 *msk, size_t msk_len)
2264 {
2265 u16 resp;
2266 u32 flags = sta->flags;
2267
2268 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2269 WLAN_STA_PENDING_PASN_FILS_ERP);
2270
2271 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2272
2273 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2274 struct wpabuf *data;
2275 int pub = 0;
2276
2277 if (!sta->fils_pending_cb)
2278 return;
2279
2280 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2281 msk, msk_len, &pub);
2282 if (!data) {
2283 wpa_printf(MSG_DEBUG,
2284 "%s: prepare_auth_resp_fils() failure",
2285 __func__);
2286 }
2287 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2288 #ifdef CONFIG_PASN
2289 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2290 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2291 msk, msk_len);
2292 #endif /* CONFIG_PASN */
2293 }
2294 }
2295
2296 #endif /* CONFIG_FILS */
2297
2298
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2299 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2300 const u8 *msg, size_t len,
2301 struct radius_sta *info)
2302 {
2303 int res;
2304
2305 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2306
2307 if (res == HOSTAPD_ACL_REJECT) {
2308 wpa_printf(MSG_DEBUG, "Station " MACSTR
2309 " not allowed to authenticate",
2310 MAC2STR(addr));
2311 return HOSTAPD_ACL_REJECT;
2312 }
2313
2314 if (res == HOSTAPD_ACL_PENDING) {
2315 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2316 " waiting for an external authentication",
2317 MAC2STR(addr));
2318 /* Authentication code will re-send the authentication frame
2319 * after it has received (and cached) information from the
2320 * external source. */
2321 return HOSTAPD_ACL_PENDING;
2322 }
2323
2324 return res;
2325 }
2326
2327
2328 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2329 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2330 int res, struct radius_sta *info)
2331 {
2332 u32 session_timeout = info->session_timeout;
2333 u32 acct_interim_interval = info->acct_interim_interval;
2334 struct vlan_description *vlan_id = &info->vlan_id;
2335 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2336 char *identity = info->identity;
2337 char *radius_cui = info->radius_cui;
2338
2339 if (vlan_id->notempty &&
2340 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2341 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2342 HOSTAPD_LEVEL_INFO,
2343 "Invalid VLAN %d%s received from RADIUS server",
2344 vlan_id->untagged,
2345 vlan_id->tagged[0] ? "+" : "");
2346 return -1;
2347 }
2348 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2349 return -1;
2350 if (sta->vlan_id)
2351 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2352 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2353
2354 hostapd_free_psk_list(sta->psk);
2355 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2356 hostapd_copy_psk_list(&sta->psk, psk);
2357 else
2358 sta->psk = NULL;
2359
2360 os_free(sta->identity);
2361 if (identity)
2362 sta->identity = os_strdup(identity);
2363 else
2364 sta->identity = NULL;
2365
2366 os_free(sta->radius_cui);
2367 if (radius_cui)
2368 sta->radius_cui = os_strdup(radius_cui);
2369 else
2370 sta->radius_cui = NULL;
2371
2372 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2373 sta->acct_interim_interval = acct_interim_interval;
2374 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2375 sta->session_timeout_set = 1;
2376 os_get_reltime(&sta->session_timeout);
2377 sta->session_timeout.sec += session_timeout;
2378 ap_sta_session_timeout(hapd, sta, session_timeout);
2379 } else {
2380 sta->session_timeout_set = 0;
2381 ap_sta_no_session_timeout(hapd, sta);
2382 }
2383
2384 return 0;
2385 }
2386
2387
2388 #ifdef CONFIG_PASN
2389 #ifdef CONFIG_SAE
2390
pasn_wd_handle_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2391 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2392 struct sta_info *sta,
2393 struct wpabuf *wd)
2394 {
2395 struct pasn_data *pasn = sta->pasn;
2396 const char *password;
2397 const u8 *data;
2398 size_t buf_len;
2399 u16 res, alg, seq, status;
2400 int groups[] = { pasn->group, 0 };
2401 struct sae_pt *pt = NULL;
2402 int ret;
2403
2404 if (!wd)
2405 return -1;
2406
2407 data = wpabuf_head_u8(wd);
2408 buf_len = wpabuf_len(wd);
2409
2410 if (buf_len < 6) {
2411 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2412 buf_len);
2413 return -1;
2414 }
2415
2416 alg = WPA_GET_LE16(data);
2417 seq = WPA_GET_LE16(data + 2);
2418 status = WPA_GET_LE16(data + 4);
2419
2420 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2421 alg, seq, status);
2422
2423 if (alg != WLAN_AUTH_SAE || seq != 1 ||
2424 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
2425 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2426 return -1;
2427 }
2428
2429 sae_clear_data(&pasn->sae);
2430 pasn->sae.state = SAE_NOTHING;
2431
2432 ret = sae_set_group(&pasn->sae, pasn->group);
2433 if (ret) {
2434 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2435 return -1;
2436 }
2437
2438 password = sae_get_password(hapd, sta, NULL, NULL, &pt, NULL);
2439 if (!password || !pt) {
2440 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
2441 return -1;
2442 }
2443
2444 ret = sae_prepare_commit_pt(&pasn->sae, pt, hapd->own_addr, sta->addr,
2445 NULL, NULL);
2446 if (ret) {
2447 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2448 return -1;
2449 }
2450
2451 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2452 groups, 0);
2453 if (res != WLAN_STATUS_SUCCESS) {
2454 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2455 return -1;
2456 }
2457
2458 /* Process the commit message and derive the PMK */
2459 ret = sae_process_commit(&pasn->sae);
2460 if (ret) {
2461 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2462 return -1;
2463 }
2464
2465 pasn->sae.state = SAE_COMMITTED;
2466
2467 return 0;
2468 }
2469
2470
pasn_wd_handle_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2471 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2472 struct sta_info *sta,
2473 struct wpabuf *wd)
2474 {
2475 struct pasn_data *pasn = sta->pasn;
2476 const u8 *data;
2477 size_t buf_len;
2478 u16 res, alg, seq, status;
2479
2480 if (!wd)
2481 return -1;
2482
2483 data = wpabuf_head_u8(wd);
2484 buf_len = wpabuf_len(wd);
2485
2486 if (buf_len < 6) {
2487 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
2488 buf_len);
2489 return -1;
2490 }
2491
2492 alg = WPA_GET_LE16(data);
2493 seq = WPA_GET_LE16(data + 2);
2494 status = WPA_GET_LE16(data + 4);
2495
2496 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2497 alg, seq, status);
2498
2499 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2500 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2501 return -1;
2502 }
2503
2504 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2505 if (res != WLAN_STATUS_SUCCESS) {
2506 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2507 return -1;
2508 }
2509
2510 pasn->sae.state = SAE_ACCEPTED;
2511
2512 /*
2513 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2514 * PASN/SAE should only be allowed with future PASN only. For now do not
2515 * restrict this only for PASN.
2516 */
2517 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2518 pasn->sae.pmk, pasn->sae.pmkid);
2519 return 0;
2520 }
2521
2522
pasn_get_sae_wd(struct hostapd_data * hapd,struct sta_info * sta)2523 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2524 struct sta_info *sta)
2525 {
2526 struct pasn_data *pasn = sta->pasn;
2527 struct wpabuf *buf = NULL;
2528 u8 *len_ptr;
2529 size_t len;
2530
2531 /* Need to add the entire Authentication frame body */
2532 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2533 if (!buf) {
2534 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2535 return NULL;
2536 }
2537
2538 /* Need to add the entire authentication frame body for the commit */
2539 len_ptr = wpabuf_put(buf, 2);
2540 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2541 wpabuf_put_le16(buf, 1);
2542 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
2543
2544 /* Write the actual commit and update the length accordingly */
2545 sae_write_commit(&pasn->sae, buf, NULL, 0);
2546 len = wpabuf_len(buf);
2547 WPA_PUT_LE16(len_ptr, len - 2);
2548
2549 /* Need to add the entire Authentication frame body for the confirm */
2550 len_ptr = wpabuf_put(buf, 2);
2551 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2552 wpabuf_put_le16(buf, 2);
2553 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2554
2555 sae_write_confirm(&pasn->sae, buf);
2556 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2557
2558 pasn->sae.state = SAE_CONFIRMED;
2559
2560 return buf;
2561 }
2562
2563 #endif /* CONFIG_SAE */
2564
2565
2566 #ifdef CONFIG_FILS
2567
pasn_get_fils_wd(struct hostapd_data * hapd,struct sta_info * sta)2568 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2569 struct sta_info *sta)
2570 {
2571 struct pasn_data *pasn = sta->pasn;
2572 struct pasn_fils_data *fils = &pasn->fils;
2573 struct wpabuf *buf = NULL;
2574
2575 if (!fils->erp_resp) {
2576 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2577 return NULL;
2578 }
2579
2580 buf = wpabuf_alloc(1500);
2581 if (!buf)
2582 return NULL;
2583
2584 /* Add the authentication algorithm */
2585 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2586
2587 /* Authentication Transaction seq# */
2588 wpabuf_put_le16(buf, 2);
2589
2590 /* Status Code */
2591 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2592
2593 /* Own RSNE */
2594 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2595
2596 /* FILS Nonce */
2597 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2598 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2599 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2600 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2601
2602 /* FILS Session */
2603 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2604 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2605 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2606 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2607
2608 /* Wrapped Data */
2609 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2610 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2611 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2612 wpabuf_put_buf(buf, fils->erp_resp);
2613
2614 return buf;
2615 }
2616
2617
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2618 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2619 struct sta_info *sta, u16 status,
2620 struct wpabuf *erp_resp,
2621 const u8 *msk, size_t msk_len)
2622 {
2623 struct pasn_data *pasn = sta->pasn;
2624 struct pasn_fils_data *fils = &pasn->fils;
2625 u8 pmk[PMK_LEN_MAX];
2626 size_t pmk_len;
2627 int ret;
2628
2629 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2630 status);
2631
2632 if (status != WLAN_STATUS_SUCCESS)
2633 goto fail;
2634
2635 if (!pasn->secret) {
2636 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2637 goto fail;
2638 }
2639
2640 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2641 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2642 goto fail;
2643 }
2644
2645 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2646 fils->anonce, FILS_NONCE_LEN);
2647
2648 ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2649 fils->anonce, NULL, 0, pmk, &pmk_len);
2650 if (ret) {
2651 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2652 goto fail;
2653 }
2654
2655 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2656 wpabuf_head(pasn->secret),
2657 wpabuf_len(pasn->secret),
2658 &sta->pasn->ptk, sta->pasn->akmp,
2659 sta->pasn->cipher, sta->pasn->kdk_len);
2660 if (ret) {
2661 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2662 goto fail;
2663 }
2664
2665 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2666
2667 wpabuf_free(pasn->secret);
2668 pasn->secret = NULL;
2669
2670 fils->erp_resp = erp_resp;
2671 ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2672 fils->erp_resp = NULL;
2673
2674 if (ret) {
2675 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2676 goto fail;
2677 }
2678
2679 fils->state = PASN_FILS_STATE_COMPLETE;
2680 return;
2681 fail:
2682 ap_free_sta(hapd, sta);
2683 }
2684
2685
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2686 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2687 struct wpabuf *wd)
2688 {
2689 #ifdef CONFIG_NO_RADIUS
2690 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2691 return -1;
2692 #else /* CONFIG_NO_RADIUS */
2693 struct pasn_data *pasn = sta->pasn;
2694 struct pasn_fils_data *fils = &pasn->fils;
2695 struct ieee802_11_elems elems;
2696 struct wpa_ie_data rsne_data;
2697 struct wpabuf *fils_wd;
2698 const u8 *data;
2699 size_t buf_len;
2700 u16 alg, seq, status;
2701 int ret;
2702
2703 if (fils->state != PASN_FILS_STATE_NONE) {
2704 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2705 return -1;
2706 }
2707
2708 if (!wd) {
2709 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2710 return -1;
2711 }
2712
2713 data = wpabuf_head_u8(wd);
2714 buf_len = wpabuf_len(wd);
2715
2716 if (buf_len < 6) {
2717 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2718 buf_len);
2719 return -1;
2720 }
2721
2722 alg = WPA_GET_LE16(data);
2723 seq = WPA_GET_LE16(data + 2);
2724 status = WPA_GET_LE16(data + 4);
2725
2726 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2727 alg, seq, status);
2728
2729 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2730 status != WLAN_STATUS_SUCCESS) {
2731 wpa_printf(MSG_DEBUG,
2732 "PASN: FILS: Dropping peer authentication");
2733 return -1;
2734 }
2735
2736 data += 6;
2737 buf_len -= 6;
2738
2739 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2740 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2741 return -1;
2742 }
2743
2744 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2745 !elems.wrapped_data) {
2746 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2747 return -1;
2748 }
2749
2750 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2751 &rsne_data);
2752 if (ret) {
2753 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2754 return -1;
2755 }
2756
2757 ret = wpa_pasn_validate_rsne(&rsne_data);
2758 if (ret) {
2759 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2760 return -1;
2761 }
2762
2763 if (rsne_data.num_pmkid) {
2764 wpa_printf(MSG_DEBUG,
2765 "PASN: FILS: Not expecting PMKID in RSNE");
2766 return -1;
2767 }
2768
2769 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2770 FILS_NONCE_LEN);
2771 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2772
2773 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2774 FILS_SESSION_LEN);
2775 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2776
2777 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2778 WLAN_EID_EXT_WRAPPED_DATA);
2779
2780 if (!fils_wd) {
2781 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2782 return -1;
2783 }
2784
2785 if (!sta->eapol_sm)
2786 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2787
2788 wpa_printf(MSG_DEBUG,
2789 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2790
2791 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2792 wpabuf_len(fils_wd));
2793
2794 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2795
2796 fils->state = PASN_FILS_STATE_PENDING_AS;
2797
2798 /*
2799 * Calculate pending PMKID here so that we do not need to maintain a
2800 * copy of the EAP-Initiate/Reautt message.
2801 */
2802 fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2803 fils->erp_pmkid);
2804
2805 wpabuf_free(fils_wd);
2806 return 0;
2807 #endif /* CONFIG_NO_RADIUS */
2808 }
2809
2810 #endif /* CONFIG_FILS */
2811
2812
pasn_get_wrapped_data(struct hostapd_data * hapd,struct sta_info * sta)2813 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2814 struct sta_info *sta)
2815 {
2816 switch (sta->pasn->akmp) {
2817 case WPA_KEY_MGMT_PASN:
2818 /* no wrapped data */
2819 return NULL;
2820 case WPA_KEY_MGMT_SAE:
2821 #ifdef CONFIG_SAE
2822 return pasn_get_sae_wd(hapd, sta);
2823 #else /* CONFIG_SAE */
2824 wpa_printf(MSG_ERROR,
2825 "PASN: SAE: Cannot derive wrapped data");
2826 return NULL;
2827 #endif /* CONFIG_SAE */
2828 case WPA_KEY_MGMT_FILS_SHA256:
2829 case WPA_KEY_MGMT_FILS_SHA384:
2830 #ifdef CONFIG_FILS
2831 return pasn_get_fils_wd(hapd, sta);
2832 #endif /* CONFIG_FILS */
2833 /* fall through */
2834 case WPA_KEY_MGMT_FT_PSK:
2835 case WPA_KEY_MGMT_FT_IEEE8021X:
2836 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2837 default:
2838 wpa_printf(MSG_ERROR,
2839 "PASN: TODO: Wrapped data for akmp=0x%x",
2840 sta->pasn->akmp);
2841 return NULL;
2842 }
2843 }
2844
2845
2846 static int
pasn_derive_keys(struct hostapd_data * hapd,struct sta_info * sta,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)2847 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2848 const u8 *cached_pmk, size_t cached_pmk_len,
2849 struct wpa_pasn_params_data *pasn_data,
2850 struct wpabuf *wrapped_data,
2851 struct wpabuf *secret)
2852 {
2853 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2854 u8 pmk[PMK_LEN_MAX];
2855 u8 pmk_len;
2856 int ret;
2857
2858 os_memset(pmk, 0, sizeof(pmk));
2859 pmk_len = 0;
2860
2861 if (!cached_pmk || !cached_pmk_len)
2862 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2863
2864 if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2865 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2866
2867 pmk_len = WPA_PASN_PMK_LEN;
2868 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2869 } else if (cached_pmk && cached_pmk_len) {
2870 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2871
2872 pmk_len = cached_pmk_len;
2873 os_memcpy(pmk, cached_pmk, cached_pmk_len);
2874 } else {
2875 switch (sta->pasn->akmp) {
2876 #ifdef CONFIG_SAE
2877 case WPA_KEY_MGMT_SAE:
2878 if (sta->pasn->sae.state == SAE_COMMITTED) {
2879 pmk_len = PMK_LEN;
2880 os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2881 break;
2882 }
2883 #endif /* CONFIG_SAE */
2884 /* fall through */
2885 default:
2886 /* TODO: Derive PMK based on wrapped data */
2887 wpa_printf(MSG_DEBUG,
2888 "PASN: Missing PMK derivation");
2889 return -1;
2890 }
2891 }
2892
2893 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2894 wpabuf_head(secret), wpabuf_len(secret),
2895 &sta->pasn->ptk, sta->pasn->akmp,
2896 sta->pasn->cipher, sta->pasn->kdk_len);
2897 if (ret) {
2898 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2899 return -1;
2900 }
2901
2902 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2903 return 0;
2904 }
2905
2906
handle_auth_pasn_comeback(struct hostapd_data * hapd,struct sta_info * sta,u16 group)2907 static void handle_auth_pasn_comeback(struct hostapd_data *hapd,
2908 struct sta_info *sta, u16 group)
2909 {
2910 struct wpabuf *buf, *comeback;
2911 int ret;
2912
2913 wpa_printf(MSG_DEBUG,
2914 "PASN: Building comeback frame 2. Comeback after=%u",
2915 hapd->conf->pasn_comeback_after);
2916
2917 buf = wpabuf_alloc(1500);
2918 if (!buf)
2919 return;
2920
2921 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2922 sta->addr, 2,
2923 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
2924
2925 /*
2926 * Do not include the group as a part of the token since it is not going
2927 * to be used.
2928 */
2929 comeback = auth_build_token_req(hapd, 0, sta->addr, 0);
2930 if (!comeback) {
2931 wpa_printf(MSG_DEBUG,
2932 "PASN: Failed sending auth with comeback");
2933 wpabuf_free(buf);
2934 return;
2935 }
2936
2937 wpa_pasn_add_parameter_ie(buf, group,
2938 WPA_PASN_WRAPPED_DATA_NO,
2939 NULL, 0, comeback,
2940 hapd->conf->pasn_comeback_after);
2941 wpabuf_free(comeback);
2942
2943 wpa_printf(MSG_DEBUG,
2944 "PASN: comeback: STA=" MACSTR, MAC2STR(sta->addr));
2945
2946 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2947 NULL, 0, 0);
2948 if (ret)
2949 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
2950
2951 wpabuf_free(buf);
2952 }
2953
2954
handle_auth_pasn_resp(struct hostapd_data * hapd,struct sta_info * sta,struct rsn_pmksa_cache_entry * pmksa,u16 status)2955 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2956 struct sta_info *sta,
2957 struct rsn_pmksa_cache_entry *pmksa,
2958 u16 status)
2959 {
2960 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2961 u8 mic[WPA_PASN_MAX_MIC_LEN];
2962 u8 mic_len;
2963 u8 *ptr;
2964 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2965 u8 *data_buf = NULL;
2966 size_t rsn_ie_len, frame_len, data_len;
2967 int ret;
2968 const u8 *pmkid = NULL;
2969
2970 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2971
2972 buf = wpabuf_alloc(1500);
2973 if (!buf)
2974 goto fail;
2975
2976 wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2977 sta->addr, 2, status);
2978
2979 if (status != WLAN_STATUS_SUCCESS)
2980 goto done;
2981
2982 if (pmksa) {
2983 pmkid = pmksa->pmkid;
2984 #ifdef CONFIG_SAE
2985 } else if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
2986 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
2987 pmkid = sta->pasn->sae.pmkid;
2988 #endif /* CONFIG_SAE */
2989 #ifdef CONFIG_FILS
2990 } else if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
2991 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
2992 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
2993 pmkid = sta->pasn->fils.erp_pmkid;
2994 #endif /* CONFIG_FILS */
2995 }
2996
2997 if (wpa_pasn_add_rsne(buf, pmkid,
2998 sta->pasn->akmp, sta->pasn->cipher) < 0)
2999 goto fail;
3000
3001 /* No need to derive PMK if PMKSA is given */
3002 if (!pmksa)
3003 wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
3004 else
3005 sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
3006
3007 /* Get public key */
3008 pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
3009 pubkey = wpabuf_zeropad(pubkey,
3010 crypto_ecdh_prime_len(sta->pasn->ecdh));
3011 if (!pubkey) {
3012 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
3013 goto fail;
3014 }
3015
3016 wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
3017 sta->pasn->wrapped_data_format,
3018 pubkey, true, NULL, 0);
3019
3020 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
3021 goto fail;
3022
3023 wpabuf_free(wrapped_data_buf);
3024 wrapped_data_buf = NULL;
3025 wpabuf_free(pubkey);
3026 pubkey = NULL;
3027
3028 /* Add RSNXE if needed */
3029 rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
3030 if (rsnxe_ie)
3031 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
3032
3033 /* Add the mic */
3034 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3035 wpabuf_put_u8(buf, WLAN_EID_MIC);
3036 wpabuf_put_u8(buf, mic_len);
3037 ptr = wpabuf_put(buf, mic_len);
3038
3039 os_memset(ptr, 0, mic_len);
3040
3041 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
3042 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
3043
3044 rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
3045 if (!rsn_ie || !rsn_ie_len)
3046 goto fail;
3047
3048 /*
3049 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
3050 * MDE, etc. Thus, do not use the returned length but instead use the
3051 * length specified in the IE header.
3052 */
3053 data_len = rsn_ie[1] + 2;
3054 if (rsnxe_ie) {
3055 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
3056 if (!data_buf)
3057 goto fail;
3058
3059 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
3060 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
3061 data_len += rsnxe_ie[1] + 2;
3062 data = data_buf;
3063 } else {
3064 data = rsn_ie;
3065 }
3066
3067 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3068 hapd->own_addr, sta->addr, data, data_len,
3069 frame, frame_len, mic);
3070 os_free(data_buf);
3071 if (ret) {
3072 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
3073 goto fail;
3074 }
3075
3076 #ifdef CONFIG_TESTING_OPTIONS
3077 if (hapd->conf->pasn_corrupt_mic) {
3078 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
3079 mic[0] = ~mic[0];
3080 }
3081 #endif /* CONFIG_TESTING_OPTIONS */
3082
3083 os_memcpy(ptr, mic, mic_len);
3084
3085 done:
3086 wpa_printf(MSG_DEBUG,
3087 "PASN: Building frame 2: success; resp STA=" MACSTR,
3088 MAC2STR(sta->addr));
3089
3090 ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
3091 NULL, 0, 0);
3092 if (ret)
3093 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
3094
3095 wpabuf_free(buf);
3096 return ret;
3097 fail:
3098 wpabuf_free(wrapped_data_buf);
3099 wpabuf_free(pubkey);
3100 wpabuf_free(buf);
3101 return -1;
3102 }
3103
3104
handle_auth_pasn_1(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3105 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3106 const struct ieee80211_mgmt *mgmt, size_t len)
3107 {
3108 struct ieee802_11_elems elems;
3109 struct wpa_ie_data rsn_data;
3110 struct wpa_pasn_params_data pasn_params;
3111 struct rsn_pmksa_cache_entry *pmksa = NULL;
3112 const u8 *cached_pmk = NULL;
3113 size_t cached_pmk_len = 0;
3114 #ifdef CONFIG_IEEE80211R_AP
3115 u8 pmk_r1[PMK_LEN_MAX];
3116 size_t pmk_r1_len;
3117 #endif /* CONFIG_IEEE80211R_AP */
3118 struct wpabuf *wrapped_data = NULL, *secret = NULL;
3119 const int *groups = hapd->conf->pasn_groups;
3120 static const int default_groups[] = { 19, 0 };
3121 u16 status = WLAN_STATUS_SUCCESS;
3122 int ret, inc_y;
3123 bool derive_keys;
3124 u32 i;
3125
3126 if (!groups)
3127 groups = default_groups;
3128
3129 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3130 len - offsetof(struct ieee80211_mgmt,
3131 u.auth.variable),
3132 &elems, 0) == ParseFailed) {
3133 wpa_printf(MSG_DEBUG,
3134 "PASN: Failed parsing Authentication frame");
3135 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3136 goto send_resp;
3137 }
3138
3139 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3140 &rsn_data);
3141 if (ret) {
3142 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3143 status = WLAN_STATUS_INVALID_RSNIE;
3144 goto send_resp;
3145 }
3146
3147 ret = wpa_pasn_validate_rsne(&rsn_data);
3148 if (ret) {
3149 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3150 status = WLAN_STATUS_INVALID_RSNIE;
3151 goto send_resp;
3152 }
3153
3154 if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3155 !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3156 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3157 status = WLAN_STATUS_INVALID_RSNIE;
3158 goto send_resp;
3159 }
3160
3161 sta->pasn->akmp = rsn_data.key_mgmt;
3162 sta->pasn->cipher = rsn_data.pairwise_cipher;
3163
3164 if (hapd->conf->force_kdk_derivation ||
3165 ((hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
3166 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
3167 WLAN_RSNX_CAPAB_SECURE_LTF)))
3168 sta->pasn->kdk_len = WPA_KDK_MAX_LEN;
3169 else
3170 sta->pasn->kdk_len = 0;
3171 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", sta->pasn->kdk_len);
3172
3173 if (!elems.pasn_params || !elems.pasn_params_len) {
3174 wpa_printf(MSG_DEBUG,
3175 "PASN: No PASN Parameters element found");
3176 status = WLAN_STATUS_INVALID_PARAMETERS;
3177 goto send_resp;
3178 }
3179
3180 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3181 elems.pasn_params_len + 3,
3182 false, &pasn_params);
3183 if (ret) {
3184 wpa_printf(MSG_DEBUG,
3185 "PASN: Failed validation of PASN Parameters IE");
3186 status = WLAN_STATUS_INVALID_PARAMETERS;
3187 goto send_resp;
3188 }
3189
3190 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3191 ;
3192
3193 if (!pasn_params.group || groups[i] != pasn_params.group) {
3194 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3195 pasn_params.group);
3196 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3197 goto send_resp;
3198 }
3199
3200 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3201 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3202 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3203 goto send_resp;
3204 }
3205
3206 if (pasn_params.comeback) {
3207 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
3208
3209 ret = check_comeback_token(hapd, sta->addr,
3210 pasn_params.comeback,
3211 pasn_params.comeback_len);
3212
3213 if (ret) {
3214 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
3215 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3216 goto send_resp;
3217 }
3218 } else if (use_anti_clogging(hapd)) {
3219 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
3220 handle_auth_pasn_comeback(hapd, sta, pasn_params.group);
3221 ap_free_sta(hapd, sta);
3222 return;
3223 }
3224
3225 sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3226 if (!sta->pasn->ecdh) {
3227 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3228 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3229 goto send_resp;
3230 }
3231
3232 sta->pasn->group = pasn_params.group;
3233
3234 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
3235 inc_y = 1;
3236 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
3237 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
3238 inc_y = 0;
3239 } else {
3240 wpa_printf(MSG_DEBUG,
3241 "PASN: Invalid first octet in pubkey=0x%x",
3242 pasn_params.pubkey[0]);
3243 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3244 goto send_resp;
3245 }
3246
3247 secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, inc_y,
3248 pasn_params.pubkey + 1,
3249 pasn_params.pubkey_len - 1);
3250 if (!secret) {
3251 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3252 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3253 goto send_resp;
3254 }
3255
3256 derive_keys = true;
3257 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3258 wrapped_data = ieee802_11_defrag(&elems,
3259 WLAN_EID_EXTENSION,
3260 WLAN_EID_EXT_WRAPPED_DATA);
3261 if (!wrapped_data) {
3262 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3263 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3264 goto send_resp;
3265 }
3266
3267 #ifdef CONFIG_SAE
3268 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3269 ret = pasn_wd_handle_sae_commit(hapd, sta,
3270 wrapped_data);
3271 if (ret) {
3272 wpa_printf(MSG_DEBUG,
3273 "PASN: Failed processing SAE commit");
3274 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3275 goto send_resp;
3276 }
3277 }
3278 #endif /* CONFIG_SAE */
3279 #ifdef CONFIG_FILS
3280 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3281 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3282 ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3283 if (ret) {
3284 wpa_printf(MSG_DEBUG,
3285 "PASN: Failed processing FILS wrapped data");
3286 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3287 goto send_resp;
3288 }
3289
3290 wpa_printf(MSG_DEBUG,
3291 "PASN: FILS: Pending AS response");
3292
3293 /*
3294 * With PASN/FILS, keys can be derived only after a
3295 * response from the AS is processed.
3296 */
3297 derive_keys = false;
3298 }
3299 #endif /* CONFIG_FILS */
3300 }
3301
3302 sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3303
3304 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3305 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3306 len - IEEE80211_HDRLEN, sta->pasn->hash);
3307 if (ret) {
3308 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3309 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3310 goto send_resp;
3311 }
3312
3313 if (!derive_keys) {
3314 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3315 sta->pasn->secret = secret;
3316 wpabuf_free(wrapped_data);
3317 return;
3318 }
3319
3320 if (rsn_data.num_pmkid) {
3321 if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3322 #ifdef CONFIG_IEEE80211R_AP
3323 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3324
3325 ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3326 rsn_data.pmkid,
3327 pmk_r1, &pmk_r1_len, NULL,
3328 NULL, NULL, NULL,
3329 NULL, NULL, NULL);
3330 if (ret) {
3331 wpa_printf(MSG_DEBUG,
3332 "PASN: FT: Failed getting PMK-R1");
3333 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3334 goto send_resp;
3335 }
3336 cached_pmk = pmk_r1;
3337 cached_pmk_len = pmk_r1_len;
3338 #else /* CONFIG_IEEE80211R_AP */
3339 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3340 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3341 goto send_resp;
3342 #endif /* CONFIG_IEEE80211R_AP */
3343 } else {
3344 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3345
3346 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3347 rsn_data.pmkid);
3348 if (pmksa) {
3349 cached_pmk = pmksa->pmk;
3350 cached_pmk_len = pmksa->pmk_len;
3351 }
3352 }
3353 } else {
3354 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3355 }
3356
3357 ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3358 &pasn_params, wrapped_data, secret);
3359 if (ret) {
3360 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3361 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3362 goto send_resp;
3363 }
3364
3365 ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3366 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3367 len - IEEE80211_HDRLEN, sta->pasn->hash);
3368 if (ret) {
3369 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3370 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3371 }
3372
3373 send_resp:
3374 ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3375 if (ret) {
3376 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3377 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3378 } else {
3379 wpa_printf(MSG_DEBUG,
3380 "PASN: Success handling transaction == 1");
3381 }
3382
3383 wpabuf_free(secret);
3384 wpabuf_free(wrapped_data);
3385
3386 if (status != WLAN_STATUS_SUCCESS)
3387 ap_free_sta(hapd, sta);
3388 }
3389
3390
handle_auth_pasn_3(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3391 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3392 const struct ieee80211_mgmt *mgmt, size_t len)
3393 {
3394 struct ieee802_11_elems elems;
3395 struct wpa_pasn_params_data pasn_params;
3396 struct wpabuf *wrapped_data = NULL;
3397 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3398 u8 mic_len;
3399 int ret;
3400
3401 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3402 len - offsetof(struct ieee80211_mgmt,
3403 u.auth.variable),
3404 &elems, 0) == ParseFailed) {
3405 wpa_printf(MSG_DEBUG,
3406 "PASN: Failed parsing Authentication frame");
3407 goto fail;
3408 }
3409
3410 /* Check that the MIC IE exists. Save it and zero out the memory. */
3411 mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3412 if (!elems.mic || elems.mic_len != mic_len) {
3413 wpa_printf(MSG_DEBUG,
3414 "PASN: Invalid MIC. Expecting len=%u", mic_len);
3415 goto fail;
3416 } else {
3417 os_memcpy(mic, elems.mic, mic_len);
3418 /* TODO: Clean this up.. Should not modify received frame
3419 * buffer. */
3420 os_memset((u8 *) elems.mic, 0, mic_len);
3421 }
3422
3423 if (!elems.pasn_params || !elems.pasn_params_len) {
3424 wpa_printf(MSG_DEBUG,
3425 "PASN: No PASN Parameters element found");
3426 goto fail;
3427 }
3428
3429 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3430 elems.pasn_params_len + 3,
3431 false, &pasn_params);
3432 if (ret) {
3433 wpa_printf(MSG_DEBUG,
3434 "PASN: Failed validation of PASN Parameters IE");
3435 goto fail;
3436 }
3437
3438 if (pasn_params.pubkey || pasn_params.pubkey_len) {
3439 wpa_printf(MSG_DEBUG,
3440 "PASN: Public key should not be included");
3441 goto fail;
3442 }
3443
3444 /* Verify the MIC */
3445 ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3446 sta->addr, hapd->own_addr,
3447 sta->pasn->hash, mic_len * 2,
3448 (u8 *) &mgmt->u.auth,
3449 len - offsetof(struct ieee80211_mgmt, u.auth),
3450 out_mic);
3451
3452 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3453 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3454 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3455 goto fail;
3456 }
3457
3458 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3459 wrapped_data = ieee802_11_defrag(&elems,
3460 WLAN_EID_EXTENSION,
3461 WLAN_EID_EXT_WRAPPED_DATA);
3462
3463 if (!wrapped_data) {
3464 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3465 goto fail;
3466 }
3467
3468 #ifdef CONFIG_SAE
3469 if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3470 ret = pasn_wd_handle_sae_confirm(hapd, sta,
3471 wrapped_data);
3472 if (ret) {
3473 wpa_printf(MSG_DEBUG,
3474 "PASN: Failed processing SAE confirm");
3475 wpabuf_free(wrapped_data);
3476 goto fail;
3477 }
3478 }
3479 #endif /* CONFIG_SAE */
3480 #ifdef CONFIG_FILS
3481 if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3482 sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3483 if (wrapped_data) {
3484 wpa_printf(MSG_DEBUG,
3485 "PASN: FILS: Ignore wrapped data");
3486 }
3487 }
3488 #endif /* CONFIG_FILS */
3489 wpabuf_free(wrapped_data);
3490 }
3491
3492 wpa_printf(MSG_INFO,
3493 "PASN: Success handling transaction == 3. Store PTK");
3494
3495 ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3496 &sta->pasn->ptk);
3497 fail:
3498 ap_free_sta(hapd, sta);
3499 }
3500
3501
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)3502 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3503 const struct ieee80211_mgmt *mgmt, size_t len,
3504 u16 trans_seq, u16 status)
3505 {
3506 if (hapd->conf->wpa != WPA_PROTO_RSN) {
3507 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3508 return;
3509 }
3510
3511 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
3512 MAC2STR(sta->addr));
3513
3514 if (trans_seq == 1) {
3515 if (sta->pasn) {
3516 wpa_printf(MSG_DEBUG,
3517 "PASN: Not expecting transaction == 1");
3518 return;
3519 }
3520
3521 if (status != WLAN_STATUS_SUCCESS) {
3522 wpa_printf(MSG_DEBUG,
3523 "PASN: Failure status in transaction == 1");
3524 return;
3525 }
3526
3527 sta->pasn = os_zalloc(sizeof(*sta->pasn));
3528 if (!sta->pasn) {
3529 wpa_printf(MSG_DEBUG,
3530 "PASN: Failed to allocate PASN context");
3531 return;
3532 }
3533
3534 handle_auth_pasn_1(hapd, sta, mgmt, len);
3535 } else if (trans_seq == 3) {
3536 if (!sta->pasn) {
3537 wpa_printf(MSG_DEBUG,
3538 "PASN: Not expecting transaction == 3");
3539 return;
3540 }
3541
3542 if (status != WLAN_STATUS_SUCCESS) {
3543 wpa_printf(MSG_DEBUG,
3544 "PASN: Failure status in transaction == 3");
3545 ap_free_sta_pasn(hapd, sta);
3546 return;
3547 }
3548
3549 handle_auth_pasn_3(hapd, sta, mgmt, len);
3550 } else {
3551 wpa_printf(MSG_DEBUG,
3552 "PASN: Invalid transaction %u - ignore", trans_seq);
3553 }
3554 }
3555
3556 #endif /* CONFIG_PASN */
3557
3558
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)3559 static void handle_auth(struct hostapd_data *hapd,
3560 const struct ieee80211_mgmt *mgmt, size_t len,
3561 int rssi, int from_queue)
3562 {
3563 u16 auth_alg, auth_transaction, status_code;
3564 u16 resp = WLAN_STATUS_SUCCESS;
3565 struct sta_info *sta = NULL;
3566 int res, reply_res;
3567 u16 fc;
3568 const u8 *challenge = NULL;
3569 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3570 size_t resp_ies_len = 0;
3571 u16 seq_ctrl;
3572 struct radius_sta rad_info;
3573
3574 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3575 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3576 (unsigned long) len);
3577 return;
3578 }
3579
3580 #ifdef CONFIG_TESTING_OPTIONS
3581 if (hapd->iconf->ignore_auth_probability > 0.0 &&
3582 drand48() < hapd->iconf->ignore_auth_probability) {
3583 wpa_printf(MSG_INFO,
3584 "TESTING: ignoring auth frame from " MACSTR,
3585 MAC2STR(mgmt->sa));
3586 return;
3587 }
3588 #endif /* CONFIG_TESTING_OPTIONS */
3589
3590 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3591 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3592 status_code = le_to_host16(mgmt->u.auth.status_code);
3593 fc = le_to_host16(mgmt->frame_control);
3594 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3595
3596 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3597 2 + WLAN_AUTH_CHALLENGE_LEN &&
3598 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3599 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3600 challenge = &mgmt->u.auth.variable[2];
3601
3602 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
3603 "auth_transaction=%d status_code=%d wep=%d%s "
3604 "seq_ctrl=0x%x%s%s",
3605 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
3606 status_code, !!(fc & WLAN_FC_ISWEP),
3607 challenge ? " challenge" : "",
3608 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3609 from_queue ? " (from queue)" : "");
3610
3611 #ifdef CONFIG_NO_RC4
3612 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3613 wpa_printf(MSG_INFO,
3614 "Unsupported authentication algorithm (%d)",
3615 auth_alg);
3616 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3617 goto fail;
3618 }
3619 #endif /* CONFIG_NO_RC4 */
3620
3621 if (hapd->tkip_countermeasures) {
3622 wpa_printf(MSG_DEBUG,
3623 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3624 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3625 goto fail;
3626 }
3627
3628 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3629 auth_alg == WLAN_AUTH_OPEN) ||
3630 #ifdef CONFIG_IEEE80211R_AP
3631 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3632 auth_alg == WLAN_AUTH_FT) ||
3633 #endif /* CONFIG_IEEE80211R_AP */
3634 #ifdef CONFIG_SAE
3635 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3636 auth_alg == WLAN_AUTH_SAE) ||
3637 #endif /* CONFIG_SAE */
3638 #ifdef CONFIG_FILS
3639 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3640 auth_alg == WLAN_AUTH_FILS_SK) ||
3641 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3642 hapd->conf->fils_dh_group &&
3643 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3644 #endif /* CONFIG_FILS */
3645 #ifdef CONFIG_PASN
3646 (hapd->conf->wpa &&
3647 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3648 auth_alg == WLAN_AUTH_PASN) ||
3649 #endif /* CONFIG_PASN */
3650 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3651 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3652 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3653 auth_alg);
3654 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3655 goto fail;
3656 }
3657
3658 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3659 #ifdef CONFIG_PASN
3660 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3661 #endif /* CONFIG_PASN */
3662 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3663 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3664 auth_transaction);
3665 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3666 goto fail;
3667 }
3668
3669 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3670 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3671 MAC2STR(mgmt->sa));
3672 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3673 goto fail;
3674 }
3675
3676 if (hapd->conf->no_auth_if_seen_on) {
3677 struct hostapd_data *other;
3678
3679 other = sta_track_seen_on(hapd->iface, mgmt->sa,
3680 hapd->conf->no_auth_if_seen_on);
3681 if (other) {
3682 u8 *pos;
3683 u32 info;
3684 u8 op_class, channel, phytype;
3685
3686 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3687 MACSTR " since STA has been seen on %s",
3688 hapd->conf->iface, MAC2STR(mgmt->sa),
3689 hapd->conf->no_auth_if_seen_on);
3690
3691 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3692 pos = &resp_ies[0];
3693 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3694 *pos++ = 13;
3695 os_memcpy(pos, other->own_addr, ETH_ALEN);
3696 pos += ETH_ALEN;
3697 info = 0; /* TODO: BSSID Information */
3698 WPA_PUT_LE32(pos, info);
3699 pos += 4;
3700 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3701 phytype = 8; /* dmg */
3702 else if (other->iconf->ieee80211ac)
3703 phytype = 9; /* vht */
3704 else if (other->iconf->ieee80211n)
3705 phytype = 7; /* ht */
3706 else if (other->iconf->hw_mode ==
3707 HOSTAPD_MODE_IEEE80211A)
3708 phytype = 4; /* ofdm */
3709 else if (other->iconf->hw_mode ==
3710 HOSTAPD_MODE_IEEE80211G)
3711 phytype = 6; /* erp */
3712 else
3713 phytype = 5; /* hrdsss */
3714 if (ieee80211_freq_to_channel_ext(
3715 hostapd_hw_get_freq(other,
3716 other->iconf->channel),
3717 other->iconf->secondary_channel,
3718 other->iconf->ieee80211ac,
3719 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3720 op_class = 0;
3721 channel = other->iconf->channel;
3722 }
3723 *pos++ = op_class;
3724 *pos++ = channel;
3725 *pos++ = phytype;
3726 resp_ies_len = pos - &resp_ies[0];
3727 goto fail;
3728 }
3729 }
3730
3731 res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3732 &rad_info);
3733 if (res == HOSTAPD_ACL_REJECT) {
3734 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3735 "Ignore Authentication frame from " MACSTR
3736 " due to ACL reject", MAC2STR(mgmt->sa));
3737 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3738 goto fail;
3739 }
3740 if (res == HOSTAPD_ACL_PENDING)
3741 return;
3742
3743 #ifdef CONFIG_SAE
3744 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3745 (auth_transaction == 1 ||
3746 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3747 /* Handle SAE Authentication commit message through a queue to
3748 * provide more control for postponing the needed heavy
3749 * processing under a possible DoS attack scenario. In addition,
3750 * queue SAE Authentication confirm message if there happens to
3751 * be a queued commit message from the same peer. This is needed
3752 * to avoid reordering Authentication frames within the same
3753 * SAE exchange. */
3754 auth_sae_queue(hapd, mgmt, len, rssi);
3755 return;
3756 }
3757 #endif /* CONFIG_SAE */
3758
3759 sta = ap_get_sta(hapd, mgmt->sa);
3760 if (sta) {
3761 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3762 sta->ft_over_ds = 0;
3763 if ((fc & WLAN_FC_RETRY) &&
3764 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3765 sta->last_seq_ctrl == seq_ctrl &&
3766 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3767 hostapd_logger(hapd, sta->addr,
3768 HOSTAPD_MODULE_IEEE80211,
3769 HOSTAPD_LEVEL_DEBUG,
3770 "Drop repeated authentication frame seq_ctrl=0x%x",
3771 seq_ctrl);
3772 return;
3773 }
3774 #ifdef CONFIG_MESH
3775 if ((hapd->conf->mesh & MESH_ENABLED) &&
3776 sta->plink_state == PLINK_BLOCKED) {
3777 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3778 " is blocked - drop Authentication frame",
3779 MAC2STR(mgmt->sa));
3780 return;
3781 }
3782 #endif /* CONFIG_MESH */
3783 #ifdef CONFIG_PASN
3784 if (auth_alg == WLAN_AUTH_PASN &&
3785 (sta->flags & WLAN_STA_ASSOC)) {
3786 wpa_printf(MSG_DEBUG,
3787 "PASN: auth: Existing station: " MACSTR,
3788 MAC2STR(sta->addr));
3789 return;
3790 }
3791 #endif /* CONFIG_PASN */
3792 } else {
3793 #ifdef CONFIG_MESH
3794 if (hapd->conf->mesh & MESH_ENABLED) {
3795 /* if the mesh peer is not available, we don't do auth.
3796 */
3797 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3798 " not yet known - drop Authentication frame",
3799 MAC2STR(mgmt->sa));
3800 /*
3801 * Save a copy of the frame so that it can be processed
3802 * if a new peer entry is added shortly after this.
3803 */
3804 wpabuf_free(hapd->mesh_pending_auth);
3805 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3806 os_get_reltime(&hapd->mesh_pending_auth_time);
3807 return;
3808 }
3809 #endif /* CONFIG_MESH */
3810
3811 sta = ap_sta_add(hapd, mgmt->sa);
3812 if (!sta) {
3813 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3814 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3815 goto fail;
3816 }
3817 }
3818 sta->last_seq_ctrl = seq_ctrl;
3819 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3820 #ifdef CONFIG_MBO
3821 sta->auth_rssi = rssi;
3822 #endif /* CONFIG_MBO */
3823
3824 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3825 if (res) {
3826 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3827 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3828 goto fail;
3829 }
3830
3831 sta->flags &= ~WLAN_STA_PREAUTH;
3832 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3833
3834 /*
3835 * If the driver supports full AP client state, add a station to the
3836 * driver before sending authentication reply to make sure the driver
3837 * has resources, and not to go through the entire authentication and
3838 * association handshake, and fail it at the end.
3839 *
3840 * If this is not the first transaction, in a multi-step authentication
3841 * algorithm, the station already exists in the driver
3842 * (sta->added_unassoc = 1) so skip it.
3843 *
3844 * In mesh mode, the station was already added to the driver when the
3845 * NEW_PEER_CANDIDATE event is received.
3846 *
3847 * If PMF was negotiated for the existing association, skip this to
3848 * avoid dropping the STA entry and the associated keys. This is needed
3849 * to allow the original connection work until the attempt can complete
3850 * (re)association, so that unprotected Authentication frame cannot be
3851 * used to bypass PMF protection.
3852 *
3853 * PASN authentication does not require adding/removing station to the
3854 * driver so skip this flow in case of PASN authentication.
3855 */
3856 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3857 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3858 !(hapd->conf->mesh & MESH_ENABLED) &&
3859 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3860 if (ap_sta_re_add(hapd, sta) < 0) {
3861 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3862 goto fail;
3863 }
3864 }
3865
3866 switch (auth_alg) {
3867 case WLAN_AUTH_OPEN:
3868 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3869 HOSTAPD_LEVEL_DEBUG,
3870 "authentication OK (open system)");
3871 sta->flags |= WLAN_STA_AUTH;
3872 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3873 sta->auth_alg = WLAN_AUTH_OPEN;
3874 mlme_authenticate_indication(hapd, sta);
3875 break;
3876 #ifdef CONFIG_WEP
3877 #ifndef CONFIG_NO_RC4
3878 case WLAN_AUTH_SHARED_KEY:
3879 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3880 fc & WLAN_FC_ISWEP);
3881 if (resp != 0)
3882 wpa_printf(MSG_DEBUG,
3883 "auth_shared_key() failed: status=%d", resp);
3884 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3885 mlme_authenticate_indication(hapd, sta);
3886 if (sta->challenge && auth_transaction == 1) {
3887 resp_ies[0] = WLAN_EID_CHALLENGE;
3888 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3889 os_memcpy(resp_ies + 2, sta->challenge,
3890 WLAN_AUTH_CHALLENGE_LEN);
3891 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3892 }
3893 break;
3894 #endif /* CONFIG_NO_RC4 */
3895 #endif /* CONFIG_WEP */
3896 #ifdef CONFIG_IEEE80211R_AP
3897 case WLAN_AUTH_FT:
3898 sta->auth_alg = WLAN_AUTH_FT;
3899 if (sta->wpa_sm == NULL)
3900 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3901 sta->addr, NULL);
3902 if (sta->wpa_sm == NULL) {
3903 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3904 "state machine");
3905 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3906 goto fail;
3907 }
3908 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3909 auth_transaction, mgmt->u.auth.variable,
3910 len - IEEE80211_HDRLEN -
3911 sizeof(mgmt->u.auth),
3912 handle_auth_ft_finish, hapd);
3913 /* handle_auth_ft_finish() callback will complete auth. */
3914 return;
3915 #endif /* CONFIG_IEEE80211R_AP */
3916 #ifdef CONFIG_SAE
3917 case WLAN_AUTH_SAE:
3918 #ifdef CONFIG_MESH
3919 if (status_code == WLAN_STATUS_SUCCESS &&
3920 hapd->conf->mesh & MESH_ENABLED) {
3921 if (sta->wpa_sm == NULL)
3922 sta->wpa_sm =
3923 wpa_auth_sta_init(hapd->wpa_auth,
3924 sta->addr, NULL);
3925 if (sta->wpa_sm == NULL) {
3926 wpa_printf(MSG_DEBUG,
3927 "SAE: Failed to initialize WPA state machine");
3928 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3929 goto fail;
3930 }
3931 }
3932 #endif /* CONFIG_MESH */
3933 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3934 status_code);
3935 return;
3936 #endif /* CONFIG_SAE */
3937 #ifdef CONFIG_FILS
3938 case WLAN_AUTH_FILS_SK:
3939 case WLAN_AUTH_FILS_SK_PFS:
3940 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3941 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3942 auth_alg, auth_transaction, status_code,
3943 handle_auth_fils_finish);
3944 return;
3945 #endif /* CONFIG_FILS */
3946 #ifdef CONFIG_PASN
3947 case WLAN_AUTH_PASN:
3948 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3949 status_code);
3950 return;
3951 #endif /* CONFIG_PASN */
3952 }
3953
3954 fail:
3955 reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3956 auth_alg == WLAN_AUTH_SAE ?
3957 auth_transaction : auth_transaction + 1,
3958 resp, resp_ies, resp_ies_len,
3959 "handle-auth");
3960
3961 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3962 reply_res != WLAN_STATUS_SUCCESS)) {
3963 hostapd_drv_sta_remove(hapd, sta->addr);
3964 sta->added_unassoc = 0;
3965 }
3966 }
3967
3968
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3969 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3970 {
3971 int i, j = 32, aid;
3972
3973 /* get a unique AID */
3974 if (sta->aid > 0) {
3975 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3976 return 0;
3977 }
3978
3979 if (TEST_FAIL())
3980 return -1;
3981
3982 for (i = 0; i < AID_WORDS; i++) {
3983 if (hapd->sta_aid[i] == (u32) -1)
3984 continue;
3985 for (j = 0; j < 32; j++) {
3986 if (!(hapd->sta_aid[i] & BIT(j)))
3987 break;
3988 }
3989 if (j < 32)
3990 break;
3991 }
3992 if (j == 32)
3993 return -1;
3994 aid = i * 32 + j + 1;
3995 if (aid > 2007)
3996 return -1;
3997
3998 sta->aid = aid;
3999 hapd->sta_aid[i] |= BIT(j);
4000 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
4001 return 0;
4002 }
4003
4004
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)4005 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
4006 const u8 *ssid_ie, size_t ssid_ie_len)
4007 {
4008 if (ssid_ie == NULL)
4009 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4010
4011 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
4012 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
4013 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4014 HOSTAPD_LEVEL_INFO,
4015 "Station tried to associate with unknown SSID "
4016 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
4017 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4018 }
4019
4020 return WLAN_STATUS_SUCCESS;
4021 }
4022
4023
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)4024 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
4025 const u8 *wmm_ie, size_t wmm_ie_len)
4026 {
4027 sta->flags &= ~WLAN_STA_WMM;
4028 sta->qosinfo = 0;
4029 if (wmm_ie && hapd->conf->wmm_enabled) {
4030 struct wmm_information_element *wmm;
4031
4032 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
4033 hostapd_logger(hapd, sta->addr,
4034 HOSTAPD_MODULE_WPA,
4035 HOSTAPD_LEVEL_DEBUG,
4036 "invalid WMM element in association "
4037 "request");
4038 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4039 }
4040
4041 sta->flags |= WLAN_STA_WMM;
4042 wmm = (struct wmm_information_element *) wmm_ie;
4043 sta->qosinfo = wmm->qos_info;
4044 }
4045 return WLAN_STATUS_SUCCESS;
4046 }
4047
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)4048 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
4049 const u8 *multi_ap_ie, size_t multi_ap_len)
4050 {
4051 u8 multi_ap_value = 0;
4052
4053 sta->flags &= ~WLAN_STA_MULTI_AP;
4054
4055 if (!hapd->conf->multi_ap)
4056 return WLAN_STATUS_SUCCESS;
4057
4058 if (multi_ap_ie) {
4059 const u8 *multi_ap_subelem;
4060
4061 multi_ap_subelem = get_ie(multi_ap_ie + 4,
4062 multi_ap_len - 4,
4063 MULTI_AP_SUB_ELEM_TYPE);
4064 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
4065 multi_ap_value = multi_ap_subelem[2];
4066 } else {
4067 hostapd_logger(hapd, sta->addr,
4068 HOSTAPD_MODULE_IEEE80211,
4069 HOSTAPD_LEVEL_INFO,
4070 "Multi-AP IE has missing or invalid Multi-AP subelement");
4071 return WLAN_STATUS_INVALID_IE;
4072 }
4073 }
4074
4075 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
4076 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4077 HOSTAPD_LEVEL_INFO,
4078 "Multi-AP IE with unexpected value 0x%02x",
4079 multi_ap_value);
4080
4081 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
4082 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
4083 return WLAN_STATUS_SUCCESS;
4084
4085 hostapd_logger(hapd, sta->addr,
4086 HOSTAPD_MODULE_IEEE80211,
4087 HOSTAPD_LEVEL_INFO,
4088 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
4089 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
4090 }
4091
4092 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
4093 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4094 HOSTAPD_LEVEL_DEBUG,
4095 "Backhaul STA tries to associate with fronthaul-only BSS");
4096
4097 sta->flags |= WLAN_STA_MULTI_AP;
4098 return WLAN_STATUS_SUCCESS;
4099 }
4100
4101
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)4102 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
4103 struct ieee802_11_elems *elems)
4104 {
4105 /* Supported rates not used in IEEE 802.11ad/DMG */
4106 if (hapd->iface->current_mode &&
4107 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
4108 return WLAN_STATUS_SUCCESS;
4109
4110 if (!elems->supp_rates) {
4111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4112 HOSTAPD_LEVEL_DEBUG,
4113 "No supported rates element in AssocReq");
4114 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4115 }
4116
4117 if (elems->supp_rates_len + elems->ext_supp_rates_len >
4118 sizeof(sta->supported_rates)) {
4119 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4120 HOSTAPD_LEVEL_DEBUG,
4121 "Invalid supported rates element length %d+%d",
4122 elems->supp_rates_len,
4123 elems->ext_supp_rates_len);
4124 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4125 }
4126
4127 sta->supported_rates_len = merge_byte_arrays(
4128 sta->supported_rates, sizeof(sta->supported_rates),
4129 elems->supp_rates, elems->supp_rates_len,
4130 elems->ext_supp_rates, elems->ext_supp_rates_len);
4131
4132 return WLAN_STATUS_SUCCESS;
4133 }
4134
4135
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)4136 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
4137 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
4138 {
4139 #ifdef CONFIG_INTERWORKING
4140 /* check for QoS Map support */
4141 if (ext_capab_ie_len >= 5) {
4142 if (ext_capab_ie[4] & 0x01)
4143 sta->qos_map_enabled = 1;
4144 }
4145 #endif /* CONFIG_INTERWORKING */
4146
4147 if (ext_capab_ie_len > 0) {
4148 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4149 os_free(sta->ext_capability);
4150 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4151 if (sta->ext_capability) {
4152 sta->ext_capability[0] = ext_capab_ie_len;
4153 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4154 ext_capab_ie_len);
4155 }
4156 }
4157
4158 return WLAN_STATUS_SUCCESS;
4159 }
4160
4161
4162 #ifdef CONFIG_OWE
4163
owe_group_supported(struct hostapd_data * hapd,u16 group)4164 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4165 {
4166 int i;
4167 int *groups = hapd->conf->owe_groups;
4168
4169 if (group != 19 && group != 20 && group != 21)
4170 return 0;
4171
4172 if (!groups)
4173 return 1;
4174
4175 for (i = 0; groups[i] > 0; i++) {
4176 if (groups[i] == group)
4177 return 1;
4178 }
4179
4180 return 0;
4181 }
4182
4183
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)4184 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4185 struct sta_info *sta, const u8 *owe_dh,
4186 u8 owe_dh_len)
4187 {
4188 struct wpabuf *secret, *pub, *hkey;
4189 int res;
4190 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4191 const char *info = "OWE Key Generation";
4192 const u8 *addr[2];
4193 size_t len[2];
4194 u16 group;
4195 size_t hash_len, prime_len;
4196
4197 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4198 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4199 return WLAN_STATUS_SUCCESS;
4200 }
4201
4202 group = WPA_GET_LE16(owe_dh);
4203 if (!owe_group_supported(hapd, group)) {
4204 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4205 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4206 }
4207 if (group == 19)
4208 prime_len = 32;
4209 else if (group == 20)
4210 prime_len = 48;
4211 else if (group == 21)
4212 prime_len = 66;
4213 else
4214 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4215
4216 crypto_ecdh_deinit(sta->owe_ecdh);
4217 sta->owe_ecdh = crypto_ecdh_init(group);
4218 if (!sta->owe_ecdh)
4219 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4220 sta->owe_group = group;
4221
4222 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4223 owe_dh_len - 2);
4224 secret = wpabuf_zeropad(secret, prime_len);
4225 if (!secret) {
4226 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4227 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4228 }
4229 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4230
4231 /* prk = HKDF-extract(C | A | group, z) */
4232
4233 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4234 if (!pub) {
4235 wpabuf_clear_free(secret);
4236 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4237 }
4238
4239 /* PMKID = Truncate-128(Hash(C | A)) */
4240 addr[0] = owe_dh + 2;
4241 len[0] = owe_dh_len - 2;
4242 addr[1] = wpabuf_head(pub);
4243 len[1] = wpabuf_len(pub);
4244 if (group == 19) {
4245 res = sha256_vector(2, addr, len, pmkid);
4246 hash_len = SHA256_MAC_LEN;
4247 } else if (group == 20) {
4248 res = sha384_vector(2, addr, len, pmkid);
4249 hash_len = SHA384_MAC_LEN;
4250 } else if (group == 21) {
4251 res = sha512_vector(2, addr, len, pmkid);
4252 hash_len = SHA512_MAC_LEN;
4253 } else {
4254 wpabuf_free(pub);
4255 wpabuf_clear_free(secret);
4256 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4257 }
4258 pub = wpabuf_zeropad(pub, prime_len);
4259 if (res < 0 || !pub) {
4260 wpabuf_free(pub);
4261 wpabuf_clear_free(secret);
4262 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4263 }
4264
4265 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4266 if (!hkey) {
4267 wpabuf_free(pub);
4268 wpabuf_clear_free(secret);
4269 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4270 }
4271
4272 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4273 wpabuf_put_buf(hkey, pub); /* A */
4274 wpabuf_free(pub);
4275 wpabuf_put_le16(hkey, group); /* group */
4276 if (group == 19)
4277 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4278 wpabuf_head(secret), wpabuf_len(secret), prk);
4279 else if (group == 20)
4280 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4281 wpabuf_head(secret), wpabuf_len(secret), prk);
4282 else if (group == 21)
4283 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4284 wpabuf_head(secret), wpabuf_len(secret), prk);
4285 wpabuf_clear_free(hkey);
4286 wpabuf_clear_free(secret);
4287 if (res < 0)
4288 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4289
4290 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4291
4292 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4293
4294 os_free(sta->owe_pmk);
4295 sta->owe_pmk = os_malloc(hash_len);
4296 if (!sta->owe_pmk) {
4297 os_memset(prk, 0, SHA512_MAC_LEN);
4298 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4299 }
4300
4301 if (group == 19)
4302 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4303 os_strlen(info), sta->owe_pmk, hash_len);
4304 else if (group == 20)
4305 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4306 os_strlen(info), sta->owe_pmk, hash_len);
4307 else if (group == 21)
4308 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4309 os_strlen(info), sta->owe_pmk, hash_len);
4310 os_memset(prk, 0, SHA512_MAC_LEN);
4311 if (res < 0) {
4312 os_free(sta->owe_pmk);
4313 sta->owe_pmk = NULL;
4314 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4315 }
4316 sta->owe_pmk_len = hash_len;
4317
4318 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4319 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4320 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4321 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4322
4323 return WLAN_STATUS_SUCCESS;
4324 }
4325
4326
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4327 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4328 const u8 *rsn_ie, size_t rsn_ie_len,
4329 const u8 *owe_dh, size_t owe_dh_len)
4330 {
4331 struct wpa_ie_data data;
4332 int res;
4333
4334 if (!rsn_ie || rsn_ie_len < 2) {
4335 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
4336 MAC2STR(peer));
4337 return WLAN_STATUS_INVALID_IE;
4338 }
4339 rsn_ie -= 2;
4340 rsn_ie_len += 2;
4341
4342 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4343 if (res) {
4344 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
4345 " (res=%d)", MAC2STR(peer), res);
4346 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4347 return wpa_res_to_status_code(res);
4348 }
4349 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4350 wpa_printf(MSG_DEBUG,
4351 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
4352 (unsigned int) data.key_mgmt, MAC2STR(peer));
4353 return WLAN_STATUS_AKMP_NOT_VALID;
4354 }
4355 if (!owe_dh) {
4356 wpa_printf(MSG_DEBUG,
4357 "OWE: No Diffie-Hellman Parameter element from "
4358 MACSTR, MAC2STR(peer));
4359 return WLAN_STATUS_AKMP_NOT_VALID;
4360 }
4361
4362 return WLAN_STATUS_SUCCESS;
4363 }
4364
4365
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4366 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4367 struct sta_info *sta,
4368 const u8 *rsn_ie, size_t rsn_ie_len,
4369 const u8 *owe_dh, size_t owe_dh_len)
4370 {
4371 u16 status;
4372 u8 *owe_buf, ie[256 * 2];
4373 size_t ie_len = 0;
4374 enum wpa_validate_result res;
4375
4376 if (!rsn_ie || rsn_ie_len < 2) {
4377 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4378 status = WLAN_STATUS_INVALID_IE;
4379 goto end;
4380 }
4381
4382 if (!sta->wpa_sm)
4383 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
4384 NULL);
4385 if (!sta->wpa_sm) {
4386 wpa_printf(MSG_WARNING,
4387 "OWE: Failed to initialize WPA state machine");
4388 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4389 goto end;
4390 }
4391 rsn_ie -= 2;
4392 rsn_ie_len += 2;
4393 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4394 hapd->iface->freq, rsn_ie, rsn_ie_len,
4395 NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4396 status = wpa_res_to_status_code(res);
4397 if (status != WLAN_STATUS_SUCCESS)
4398 goto end;
4399 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4400 if (status != WLAN_STATUS_SUCCESS)
4401 goto end;
4402 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4403 NULL, 0);
4404 if (!owe_buf) {
4405 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4406 goto end;
4407 }
4408
4409 if (sta->owe_ecdh) {
4410 struct wpabuf *pub;
4411
4412 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4413 if (!pub) {
4414 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4415 goto end;
4416 }
4417
4418 /* OWE Diffie-Hellman Parameter element */
4419 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4420 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4421 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4422 */
4423 WPA_PUT_LE16(owe_buf, sta->owe_group);
4424 owe_buf += 2;
4425 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4426 owe_buf += wpabuf_len(pub);
4427 wpabuf_free(pub);
4428 sta->external_dh_updated = 1;
4429 }
4430 ie_len = owe_buf - ie;
4431
4432 end:
4433 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4434 MACSTR, status, (unsigned int) ie_len,
4435 MAC2STR(sta->addr));
4436 hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4437 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4438 ie_len);
4439
4440 return status;
4441 }
4442
4443 #endif /* CONFIG_OWE */
4444
4445
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4446 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4447 int reassoc)
4448 {
4449 if ((sta->flags &
4450 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4451 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4452 return false;
4453
4454 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4455 ap_check_sa_query_timeout(hapd, sta);
4456
4457 if (!sta->sa_query_timed_out &&
4458 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4459 /*
4460 * STA has already been associated with MFP and SA Query timeout
4461 * has not been reached. Reject the association attempt
4462 * temporarily and start SA Query, if one is not pending.
4463 */
4464 if (sta->sa_query_count == 0)
4465 ap_sta_start_sa_query(hapd, sta);
4466
4467 return true;
4468 }
4469
4470 return false;
4471 }
4472
4473
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4474 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4475 const u8 *ies, size_t ies_len, int reassoc)
4476 {
4477 struct ieee802_11_elems elems;
4478 int resp;
4479 const u8 *wpa_ie;
4480 size_t wpa_ie_len;
4481 const u8 *p2p_dev_addr = NULL;
4482
4483 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4484 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4485 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4486 "association request");
4487 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4488 }
4489
4490 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4491 if (resp != WLAN_STATUS_SUCCESS)
4492 return resp;
4493 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4494 if (resp != WLAN_STATUS_SUCCESS)
4495 return resp;
4496 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4497 if (resp != WLAN_STATUS_SUCCESS)
4498 return resp;
4499 resp = copy_supp_rates(hapd, sta, &elems);
4500 if (resp != WLAN_STATUS_SUCCESS)
4501 return resp;
4502
4503 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4504 if (resp != WLAN_STATUS_SUCCESS)
4505 return resp;
4506
4507 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4508 if (resp != WLAN_STATUS_SUCCESS)
4509 return resp;
4510 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4511 !(sta->flags & WLAN_STA_HT)) {
4512 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4513 HOSTAPD_LEVEL_INFO, "Station does not support "
4514 "mandatory HT PHY - reject association");
4515 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4516 }
4517
4518 #ifdef CONFIG_IEEE80211AC
4519 if (hapd->iconf->ieee80211ac) {
4520 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4521 if (resp != WLAN_STATUS_SUCCESS)
4522 return resp;
4523
4524 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4525 if (resp != WLAN_STATUS_SUCCESS)
4526 return resp;
4527 }
4528
4529 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4530 !(sta->flags & WLAN_STA_VHT)) {
4531 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4532 HOSTAPD_LEVEL_INFO, "Station does not support "
4533 "mandatory VHT PHY - reject association");
4534 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4535 }
4536
4537 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4538 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4539 elems.vendor_vht_len);
4540 if (resp != WLAN_STATUS_SUCCESS)
4541 return resp;
4542 }
4543 #endif /* CONFIG_IEEE80211AC */
4544 #ifdef CONFIG_IEEE80211AX
4545 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4546 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4547 elems.he_capabilities,
4548 elems.he_capabilities_len);
4549 if (resp != WLAN_STATUS_SUCCESS)
4550 return resp;
4551 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4552 if (!(sta->flags & WLAN_STA_HE)) {
4553 hostapd_logger(hapd, sta->addr,
4554 HOSTAPD_MODULE_IEEE80211,
4555 HOSTAPD_LEVEL_INFO,
4556 "Station does not support mandatory HE PHY - reject association");
4557 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4558 }
4559 resp = copy_sta_he_6ghz_capab(hapd, sta,
4560 elems.he_6ghz_band_cap);
4561 if (resp != WLAN_STATUS_SUCCESS)
4562 return resp;
4563 }
4564 }
4565 #endif /* CONFIG_IEEE80211AX */
4566
4567 #ifdef CONFIG_P2P
4568 if (elems.p2p) {
4569 wpabuf_free(sta->p2p_ie);
4570 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4571 P2P_IE_VENDOR_TYPE);
4572 if (sta->p2p_ie)
4573 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4574 } else {
4575 wpabuf_free(sta->p2p_ie);
4576 sta->p2p_ie = NULL;
4577 }
4578 #endif /* CONFIG_P2P */
4579
4580 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4581 wpa_ie = elems.rsn_ie;
4582 wpa_ie_len = elems.rsn_ie_len;
4583 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4584 elems.wpa_ie) {
4585 wpa_ie = elems.wpa_ie;
4586 wpa_ie_len = elems.wpa_ie_len;
4587 } else {
4588 wpa_ie = NULL;
4589 wpa_ie_len = 0;
4590 }
4591
4592 #ifdef CONFIG_WPS
4593 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4594 if (hapd->conf->wps_state && elems.wps_ie) {
4595 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4596 "Request - assume WPS is used");
4597 if (check_sa_query(hapd, sta, reassoc))
4598 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4599 sta->flags |= WLAN_STA_WPS;
4600 wpabuf_free(sta->wps_ie);
4601 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4602 WPS_IE_VENDOR_TYPE);
4603 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4604 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4605 sta->flags |= WLAN_STA_WPS2;
4606 }
4607 wpa_ie = NULL;
4608 wpa_ie_len = 0;
4609 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4610 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4611 "(Re)Association Request - reject");
4612 return WLAN_STATUS_INVALID_IE;
4613 }
4614 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4615 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4616 "(Re)Association Request - possible WPS use");
4617 sta->flags |= WLAN_STA_MAYBE_WPS;
4618 } else
4619 #endif /* CONFIG_WPS */
4620 if (hapd->conf->wpa && wpa_ie == NULL) {
4621 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4622 HOSTAPD_LEVEL_INFO,
4623 "No WPA/RSN IE in association request");
4624 return WLAN_STATUS_INVALID_IE;
4625 }
4626
4627 if (hapd->conf->wpa && wpa_ie) {
4628 enum wpa_validate_result res;
4629
4630 wpa_ie -= 2;
4631 wpa_ie_len += 2;
4632 if (sta->wpa_sm == NULL)
4633 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4634 sta->addr,
4635 p2p_dev_addr);
4636 if (sta->wpa_sm == NULL) {
4637 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4638 "state machine");
4639 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4640 }
4641 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4642 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4643 hapd->iface->freq,
4644 wpa_ie, wpa_ie_len,
4645 elems.rsnxe ? elems.rsnxe - 2 : NULL,
4646 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4647 elems.mdie, elems.mdie_len,
4648 elems.owe_dh, elems.owe_dh_len);
4649 resp = wpa_res_to_status_code(res);
4650 if (resp != WLAN_STATUS_SUCCESS)
4651 return resp;
4652
4653 if (check_sa_query(hapd, sta, reassoc))
4654 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4655
4656 if (wpa_auth_uses_mfp(sta->wpa_sm))
4657 sta->flags |= WLAN_STA_MFP;
4658 else
4659 sta->flags &= ~WLAN_STA_MFP;
4660
4661 #ifdef CONFIG_IEEE80211R_AP
4662 if (sta->auth_alg == WLAN_AUTH_FT) {
4663 if (!reassoc) {
4664 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4665 "to use association (not "
4666 "re-association) with FT auth_alg",
4667 MAC2STR(sta->addr));
4668 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4669 }
4670
4671 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4672 ies_len);
4673 if (resp != WLAN_STATUS_SUCCESS)
4674 return resp;
4675 }
4676 #endif /* CONFIG_IEEE80211R_AP */
4677
4678 #ifdef CONFIG_SAE
4679 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4680 sta->sae->state == SAE_ACCEPTED)
4681 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4682
4683 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4684 sta->auth_alg == WLAN_AUTH_OPEN) {
4685 struct rsn_pmksa_cache_entry *sa;
4686 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4687 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4688 wpa_printf(MSG_DEBUG,
4689 "SAE: No PMKSA cache entry found for "
4690 MACSTR, MAC2STR(sta->addr));
4691 return WLAN_STATUS_INVALID_PMKID;
4692 }
4693 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4694 " using PMKSA caching", MAC2STR(sta->addr));
4695 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4696 sta->auth_alg != WLAN_AUTH_SAE &&
4697 !(sta->auth_alg == WLAN_AUTH_FT &&
4698 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4699 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4700 "SAE AKM after non-SAE auth_alg %u",
4701 MAC2STR(sta->addr), sta->auth_alg);
4702 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4703 }
4704
4705 if (hapd->conf->sae_pwe == 2 &&
4706 sta->auth_alg == WLAN_AUTH_SAE &&
4707 sta->sae && !sta->sae->h2e &&
4708 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
4709 WLAN_RSNX_CAPAB_SAE_H2E)) {
4710 wpa_printf(MSG_INFO, "SAE: " MACSTR
4711 " indicates support for SAE H2E, but did not use it",
4712 MAC2STR(sta->addr));
4713 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4714 }
4715 #endif /* CONFIG_SAE */
4716
4717 #ifdef CONFIG_OWE
4718 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4719 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4720 elems.owe_dh) {
4721 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4722 elems.owe_dh_len);
4723 if (resp != WLAN_STATUS_SUCCESS)
4724 return resp;
4725 }
4726 #endif /* CONFIG_OWE */
4727
4728 #ifdef CONFIG_DPP2
4729 dpp_pfs_free(sta->dpp_pfs);
4730 sta->dpp_pfs = NULL;
4731
4732 if (DPP_VERSION > 1 &&
4733 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4734 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4735 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4736 elems.owe_dh) {
4737 sta->dpp_pfs = dpp_pfs_init(
4738 wpabuf_head(hapd->conf->dpp_netaccesskey),
4739 wpabuf_len(hapd->conf->dpp_netaccesskey));
4740 if (!sta->dpp_pfs) {
4741 wpa_printf(MSG_DEBUG,
4742 "DPP: Could not initialize PFS");
4743 /* Try to continue without PFS */
4744 goto pfs_fail;
4745 }
4746
4747 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4748 elems.owe_dh_len) < 0) {
4749 dpp_pfs_free(sta->dpp_pfs);
4750 sta->dpp_pfs = NULL;
4751 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4752 }
4753 }
4754
4755 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4756 sta->dpp_pfs->secret : NULL);
4757 pfs_fail:
4758 #endif /* CONFIG_DPP2 */
4759
4760 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4761 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4762 hostapd_logger(hapd, sta->addr,
4763 HOSTAPD_MODULE_IEEE80211,
4764 HOSTAPD_LEVEL_INFO,
4765 "Station tried to use TKIP with HT "
4766 "association");
4767 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4768 }
4769 #ifdef CONFIG_HS20
4770 } else if (hapd->conf->osen) {
4771 if (elems.osen == NULL) {
4772 hostapd_logger(
4773 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4774 HOSTAPD_LEVEL_INFO,
4775 "No HS 2.0 OSEN element in association request");
4776 return WLAN_STATUS_INVALID_IE;
4777 }
4778
4779 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4780 if (sta->wpa_sm == NULL)
4781 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4782 sta->addr, NULL);
4783 if (sta->wpa_sm == NULL) {
4784 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4785 "state machine");
4786 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4787 }
4788 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4789 elems.osen - 2, elems.osen_len + 2) < 0)
4790 return WLAN_STATUS_INVALID_IE;
4791 #endif /* CONFIG_HS20 */
4792 } else
4793 wpa_auth_sta_no_wpa(sta->wpa_sm);
4794
4795 #ifdef CONFIG_P2P
4796 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4797 #endif /* CONFIG_P2P */
4798
4799 #ifdef CONFIG_HS20
4800 wpabuf_free(sta->hs20_ie);
4801 if (elems.hs20 && elems.hs20_len > 4) {
4802 int release;
4803
4804 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4805 elems.hs20_len - 4);
4806 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4807 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4808 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4809 wpa_printf(MSG_DEBUG,
4810 "HS 2.0: PMF not negotiated by release %d station "
4811 MACSTR, release, MAC2STR(sta->addr));
4812 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4813 }
4814 } else {
4815 sta->hs20_ie = NULL;
4816 }
4817
4818 wpabuf_free(sta->roaming_consortium);
4819 if (elems.roaming_cons_sel)
4820 sta->roaming_consortium = wpabuf_alloc_copy(
4821 elems.roaming_cons_sel + 4,
4822 elems.roaming_cons_sel_len - 4);
4823 else
4824 sta->roaming_consortium = NULL;
4825 #endif /* CONFIG_HS20 */
4826
4827 #ifdef CONFIG_FST
4828 wpabuf_free(sta->mb_ies);
4829 if (hapd->iface->fst)
4830 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4831 else
4832 sta->mb_ies = NULL;
4833 #endif /* CONFIG_FST */
4834
4835 #ifdef CONFIG_MBO
4836 mbo_ap_check_sta_assoc(hapd, sta, &elems);
4837
4838 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4839 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4840 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4841 wpa_printf(MSG_INFO,
4842 "MBO: Reject WPA2 association without PMF");
4843 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4844 }
4845 #endif /* CONFIG_MBO */
4846
4847 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4848 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4849 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4850 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4851 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4852 struct wpa_channel_info ci;
4853 int tx_chanwidth;
4854 int tx_seg1_idx;
4855 enum oci_verify_result res;
4856
4857 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4858 wpa_printf(MSG_WARNING,
4859 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4860 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4861 }
4862
4863 if (get_sta_tx_parameters(sta->wpa_sm,
4864 channel_width_to_int(ci.chanwidth),
4865 ci.seg1_idx, &tx_chanwidth,
4866 &tx_seg1_idx) < 0)
4867 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4868
4869 res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4870 tx_chanwidth, tx_seg1_idx);
4871 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4872 res == OCI_NOT_FOUND) {
4873 /* Work around misbehaving STAs */
4874 wpa_printf(MSG_INFO,
4875 "FILS: Disable OCV with a STA that does not send OCI");
4876 wpa_auth_set_ocv(sta->wpa_sm, 0);
4877 } else if (res != OCI_SUCCESS) {
4878 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4879 ocv_errorstr);
4880 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4881 MACSTR " frame=fils-reassoc-req error=%s",
4882 MAC2STR(sta->addr), ocv_errorstr);
4883 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4884 }
4885 }
4886 #endif /* CONFIG_FILS && CONFIG_OCV */
4887
4888 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4889 elems.supp_op_classes_len);
4890
4891 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4892 elems.rrm_enabled &&
4893 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4894 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4895 sizeof(sta->rrm_enabled_capa));
4896
4897 if (elems.power_capab) {
4898 sta->min_tx_power = elems.power_capab[0];
4899 sta->max_tx_power = elems.power_capab[1];
4900 sta->power_capab = 1;
4901 } else {
4902 sta->power_capab = 0;
4903 }
4904
4905 return WLAN_STATUS_SUCCESS;
4906 }
4907
4908
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4909 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4910 u16 reason_code)
4911 {
4912 int send_len;
4913 struct ieee80211_mgmt reply;
4914
4915 os_memset(&reply, 0, sizeof(reply));
4916 reply.frame_control =
4917 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4918 os_memcpy(reply.da, addr, ETH_ALEN);
4919 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4920 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4921
4922 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4923 reply.u.deauth.reason_code = host_to_le16(reason_code);
4924
4925 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4926 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4927 strerror(errno));
4928 }
4929
4930
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4931 static int add_associated_sta(struct hostapd_data *hapd,
4932 struct sta_info *sta, int reassoc)
4933 {
4934 struct ieee80211_ht_capabilities ht_cap;
4935 struct ieee80211_vht_capabilities vht_cap;
4936 struct ieee80211_he_capabilities he_cap;
4937 int set = 1;
4938
4939 /*
4940 * Remove the STA entry to ensure the STA PS state gets cleared and
4941 * configuration gets updated. This is relevant for cases, such as
4942 * FT-over-the-DS, where a station re-associates back to the same AP but
4943 * skips the authentication flow, or if working with a driver that
4944 * does not support full AP client state.
4945 *
4946 * Skip this if the STA has already completed FT reassociation and the
4947 * TK has been configured since the TX/RX PN must not be reset to 0 for
4948 * the same key.
4949 *
4950 * FT-over-the-DS has a special case where the STA entry (and as such,
4951 * the TK) has not yet been configured to the driver depending on which
4952 * driver interface is used. For that case, allow add-STA operation to
4953 * be used (instead of set-STA). This is needed to allow mac80211-based
4954 * drivers to accept the STA parameter configuration. Since this is
4955 * after a new FT-over-DS exchange, a new TK has been derived, so key
4956 * reinstallation is not a concern for this case.
4957 */
4958 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4959 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4960 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4961 sta->ft_over_ds, reassoc,
4962 !!(sta->flags & WLAN_STA_AUTHORIZED),
4963 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4964 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4965
4966 if (!sta->added_unassoc &&
4967 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4968 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4969 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4970 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4971 hostapd_drv_sta_remove(hapd, sta->addr);
4972 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4973 set = 0;
4974
4975 /* Do not allow the FT-over-DS exception to be used more than
4976 * once per authentication exchange to guarantee a new TK is
4977 * used here */
4978 sta->ft_over_ds = 0;
4979 }
4980
4981 if (sta->flags & WLAN_STA_HT)
4982 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4983 #ifdef CONFIG_IEEE80211AC
4984 if (sta->flags & WLAN_STA_VHT)
4985 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4986 #endif /* CONFIG_IEEE80211AC */
4987 #ifdef CONFIG_IEEE80211AX
4988 if (sta->flags & WLAN_STA_HE) {
4989 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4990 sta->he_capab_len);
4991 }
4992 #endif /* CONFIG_IEEE80211AX */
4993
4994 /*
4995 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4996 * will be set when the ACK frame for the (Re)Association Response frame
4997 * is processed (TX status driver event).
4998 */
4999 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
5000 sta->supported_rates, sta->supported_rates_len,
5001 sta->listen_interval,
5002 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
5003 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
5004 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
5005 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
5006 sta->he_6ghz_capab,
5007 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
5008 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
5009 set)) {
5010 hostapd_logger(hapd, sta->addr,
5011 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
5012 "Could not %s STA to kernel driver",
5013 set ? "set" : "add");
5014
5015 if (sta->added_unassoc) {
5016 hostapd_drv_sta_remove(hapd, sta->addr);
5017 sta->added_unassoc = 0;
5018 }
5019
5020 return -1;
5021 }
5022
5023 sta->added_unassoc = 0;
5024
5025 return 0;
5026 }
5027
5028
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)5029 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
5030 const u8 *addr, u16 status_code, int reassoc,
5031 const u8 *ies, size_t ies_len, int rssi,
5032 int omit_rsnxe)
5033 {
5034 int send_len;
5035 u8 *buf;
5036 size_t buflen;
5037 struct ieee80211_mgmt *reply;
5038 u8 *p;
5039 u16 res = WLAN_STATUS_SUCCESS;
5040
5041 buflen = sizeof(struct ieee80211_mgmt) + 1024;
5042 #ifdef CONFIG_FILS
5043 if (sta && sta->fils_hlp_resp)
5044 buflen += wpabuf_len(sta->fils_hlp_resp);
5045 if (sta)
5046 buflen += 150;
5047 #endif /* CONFIG_FILS */
5048 #ifdef CONFIG_OWE
5049 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5050 buflen += 150;
5051 #endif /* CONFIG_OWE */
5052 #ifdef CONFIG_DPP2
5053 if (sta && sta->dpp_pfs)
5054 buflen += 5 + sta->dpp_pfs->curve->prime_len;
5055 #endif /* CONFIG_DPP2 */
5056 buf = os_zalloc(buflen);
5057 if (!buf) {
5058 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5059 goto done;
5060 }
5061 reply = (struct ieee80211_mgmt *) buf;
5062 reply->frame_control =
5063 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
5064 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
5065 WLAN_FC_STYPE_ASSOC_RESP));
5066 os_memcpy(reply->da, addr, ETH_ALEN);
5067 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
5068 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
5069
5070 send_len = IEEE80211_HDRLEN;
5071 send_len += sizeof(reply->u.assoc_resp);
5072 reply->u.assoc_resp.capab_info =
5073 host_to_le16(hostapd_own_capab_info(hapd));
5074 reply->u.assoc_resp.status_code = host_to_le16(status_code);
5075
5076 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
5077 BIT(14) | BIT(15));
5078 /* Supported rates */
5079 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
5080 /* Extended supported rates */
5081 p = hostapd_eid_ext_supp_rates(hapd, p);
5082
5083 /* Radio measurement capabilities */
5084 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
5085
5086 #ifdef CONFIG_MBO
5087 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
5088 rssi != 0) {
5089 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
5090
5091 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
5092 delta);
5093 }
5094 #endif /* CONFIG_MBO */
5095
5096 #ifdef CONFIG_IEEE80211R_AP
5097 if (sta && status_code == WLAN_STATUS_SUCCESS) {
5098 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
5099 * Transition Information, RSN, [RIC Response] */
5100 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
5101 buf + buflen - p,
5102 sta->auth_alg, ies, ies_len,
5103 omit_rsnxe);
5104 if (!p) {
5105 wpa_printf(MSG_DEBUG,
5106 "FT: Failed to write AssocResp IEs");
5107 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5108 goto done;
5109 }
5110 }
5111 #endif /* CONFIG_IEEE80211R_AP */
5112 #ifdef CONFIG_FILS
5113 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5114 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5115 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5116 sta->auth_alg == WLAN_AUTH_FILS_PK))
5117 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
5118 buf + buflen - p,
5119 ies, ies_len);
5120 #endif /* CONFIG_FILS */
5121
5122 #ifdef CONFIG_OWE
5123 if (sta && status_code == WLAN_STATUS_SUCCESS &&
5124 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
5125 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
5126 buf + buflen - p,
5127 ies, ies_len);
5128 #endif /* CONFIG_OWE */
5129
5130 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
5131 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
5132
5133 p = hostapd_eid_ht_capabilities(hapd, p);
5134 p = hostapd_eid_ht_operation(hapd, p);
5135
5136 #ifdef CONFIG_IEEE80211AC
5137 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
5138 !is_6ghz_op_class(hapd->iconf->op_class)) {
5139 u32 nsts = 0, sta_nsts;
5140
5141 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
5142 struct ieee80211_vht_capabilities *capa;
5143
5144 nsts = (hapd->iface->conf->vht_capab >>
5145 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5146 capa = sta->vht_capabilities;
5147 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5148 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5149
5150 if (nsts < sta_nsts)
5151 nsts = 0;
5152 else
5153 nsts = sta_nsts;
5154 }
5155 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5156 p = hostapd_eid_vht_operation(hapd, p);
5157 }
5158 #endif /* CONFIG_IEEE80211AC */
5159
5160 #ifdef CONFIG_IEEE80211AX
5161 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5162 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5163 p = hostapd_eid_he_operation(hapd, p);
5164 p = hostapd_eid_spatial_reuse(hapd, p);
5165 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5166 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5167 }
5168 #endif /* CONFIG_IEEE80211AX */
5169
5170 p = hostapd_eid_ext_capab(hapd, p);
5171 p = hostapd_eid_bss_max_idle_period(hapd, p);
5172 if (sta && sta->qos_map_enabled)
5173 p = hostapd_eid_qos_map_set(hapd, p);
5174
5175 #ifdef CONFIG_FST
5176 if (hapd->iface->fst_ies) {
5177 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5178 wpabuf_len(hapd->iface->fst_ies));
5179 p += wpabuf_len(hapd->iface->fst_ies);
5180 }
5181 #endif /* CONFIG_FST */
5182
5183 #ifdef CONFIG_TESTING_OPTIONS
5184 if (hapd->conf->rsnxe_override_ft &&
5185 buf + buflen - p >=
5186 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5187 sta && sta->auth_alg == WLAN_AUTH_FT) {
5188 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5189 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5190 wpabuf_len(hapd->conf->rsnxe_override_ft));
5191 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5192 goto rsnxe_done;
5193 }
5194 #endif /* CONFIG_TESTING_OPTIONS */
5195 if (!omit_rsnxe)
5196 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5197 #ifdef CONFIG_TESTING_OPTIONS
5198 rsnxe_done:
5199 #endif /* CONFIG_TESTING_OPTIONS */
5200
5201 #ifdef CONFIG_OWE
5202 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5203 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5204 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5205 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5206 struct wpabuf *pub;
5207
5208 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5209 if (!pub) {
5210 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5211 goto done;
5212 }
5213 /* OWE Diffie-Hellman Parameter element */
5214 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5215 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5216 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5217 WPA_PUT_LE16(p, sta->owe_group);
5218 p += 2;
5219 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5220 p += wpabuf_len(pub);
5221 wpabuf_free(pub);
5222 }
5223 #endif /* CONFIG_OWE */
5224
5225 #ifdef CONFIG_DPP2
5226 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5227 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5228 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5229 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5230 wpabuf_len(sta->dpp_pfs->ie));
5231 p += wpabuf_len(sta->dpp_pfs->ie);
5232 }
5233 #endif /* CONFIG_DPP2 */
5234
5235 #ifdef CONFIG_IEEE80211AC
5236 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5237 p = hostapd_eid_vendor_vht(hapd, p);
5238 #endif /* CONFIG_IEEE80211AC */
5239
5240 if (sta && (sta->flags & WLAN_STA_WMM))
5241 p = hostapd_eid_wmm(hapd, p);
5242
5243 #ifdef CONFIG_WPS
5244 if (sta &&
5245 ((sta->flags & WLAN_STA_WPS) ||
5246 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5247 struct wpabuf *wps = wps_build_assoc_resp_ie();
5248 if (wps) {
5249 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5250 p += wpabuf_len(wps);
5251 wpabuf_free(wps);
5252 }
5253 }
5254 #endif /* CONFIG_WPS */
5255
5256 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5257 p = hostapd_eid_multi_ap(hapd, p);
5258
5259 #ifdef CONFIG_P2P
5260 if (sta && sta->p2p_ie && hapd->p2p_group) {
5261 struct wpabuf *p2p_resp_ie;
5262 enum p2p_status_code status;
5263 switch (status_code) {
5264 case WLAN_STATUS_SUCCESS:
5265 status = P2P_SC_SUCCESS;
5266 break;
5267 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5268 status = P2P_SC_FAIL_LIMIT_REACHED;
5269 break;
5270 default:
5271 status = P2P_SC_FAIL_INVALID_PARAMS;
5272 break;
5273 }
5274 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5275 if (p2p_resp_ie) {
5276 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5277 wpabuf_len(p2p_resp_ie));
5278 p += wpabuf_len(p2p_resp_ie);
5279 wpabuf_free(p2p_resp_ie);
5280 }
5281 }
5282 #endif /* CONFIG_P2P */
5283
5284 #ifdef CONFIG_P2P_MANAGER
5285 if (hapd->conf->p2p & P2P_MANAGE)
5286 p = hostapd_eid_p2p_manage(hapd, p);
5287 #endif /* CONFIG_P2P_MANAGER */
5288
5289 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5290
5291 if (hapd->conf->assocresp_elements &&
5292 (size_t) (buf + buflen - p) >=
5293 wpabuf_len(hapd->conf->assocresp_elements)) {
5294 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5295 wpabuf_len(hapd->conf->assocresp_elements));
5296 p += wpabuf_len(hapd->conf->assocresp_elements);
5297 }
5298
5299 send_len += p - reply->u.assoc_resp.variable;
5300
5301 #ifdef CONFIG_FILS
5302 if (sta &&
5303 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5304 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5305 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5306 status_code == WLAN_STATUS_SUCCESS) {
5307 struct ieee802_11_elems elems;
5308
5309 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5310 ParseFailed || !elems.fils_session) {
5311 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5312 goto done;
5313 }
5314
5315 /* FILS Session */
5316 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5317 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5318 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5319 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5320 send_len += 2 + 1 + FILS_SESSION_LEN;
5321
5322 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5323 buflen, sta->fils_hlp_resp);
5324 if (send_len < 0) {
5325 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5326 goto done;
5327 }
5328 }
5329 #endif /* CONFIG_FILS */
5330
5331 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5332 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5333 strerror(errno));
5334 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5335 }
5336
5337 done:
5338 os_free(buf);
5339 return res;
5340 }
5341
5342
5343 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5344 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5345 const u8 *owe_dh, u8 owe_dh_len,
5346 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5347 {
5348 #ifdef CONFIG_TESTING_OPTIONS
5349 if (hapd->conf->own_ie_override) {
5350 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5351 *status = WLAN_STATUS_SUCCESS;
5352 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5353 owe_buf_len, NULL, 0);
5354 }
5355 #endif /* CONFIG_TESTING_OPTIONS */
5356
5357 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5358 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5359 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5360 owe_buf_len, NULL, 0);
5361 *status = WLAN_STATUS_SUCCESS;
5362 return owe_buf;
5363 }
5364
5365 if (sta->owe_pmk && sta->external_dh_updated) {
5366 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5367 *status = WLAN_STATUS_SUCCESS;
5368 return owe_buf;
5369 }
5370
5371 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5372 if (*status != WLAN_STATUS_SUCCESS)
5373 return NULL;
5374
5375 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5376 owe_buf_len, NULL, 0);
5377
5378 if (sta->owe_ecdh && owe_buf) {
5379 struct wpabuf *pub;
5380
5381 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5382 if (!pub) {
5383 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5384 return owe_buf;
5385 }
5386
5387 /* OWE Diffie-Hellman Parameter element */
5388 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5389 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5390 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5391 */
5392 WPA_PUT_LE16(owe_buf, sta->owe_group);
5393 owe_buf += 2;
5394 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5395 owe_buf += wpabuf_len(pub);
5396 wpabuf_free(pub);
5397 }
5398
5399 return owe_buf;
5400 }
5401 #endif /* CONFIG_OWE */
5402
5403
5404 #ifdef CONFIG_FILS
5405
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5406 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5407 {
5408 u16 reply_res;
5409
5410 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5411 MAC2STR(sta->addr));
5412 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5413 if (!sta->fils_pending_assoc_req)
5414 return;
5415 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5416 sta->fils_pending_assoc_is_reassoc,
5417 sta->fils_pending_assoc_req,
5418 sta->fils_pending_assoc_req_len, 0, 0);
5419 os_free(sta->fils_pending_assoc_req);
5420 sta->fils_pending_assoc_req = NULL;
5421 sta->fils_pending_assoc_req_len = 0;
5422 wpabuf_free(sta->fils_hlp_resp);
5423 sta->fils_hlp_resp = NULL;
5424 wpabuf_free(sta->hlp_dhcp_discover);
5425 sta->hlp_dhcp_discover = NULL;
5426
5427 /*
5428 * Remove the station in case transmission of a success response fails.
5429 * At this point the station was already added associated to the driver.
5430 */
5431 if (reply_res != WLAN_STATUS_SUCCESS)
5432 hostapd_drv_sta_remove(hapd, sta->addr);
5433 }
5434
5435
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5436 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5437 {
5438 struct hostapd_data *hapd = eloop_ctx;
5439 struct sta_info *sta = eloop_data;
5440
5441 wpa_printf(MSG_DEBUG,
5442 "FILS: HLP response timeout - continue with association response for "
5443 MACSTR, MAC2STR(sta->addr));
5444 if (sta->fils_drv_assoc_finish)
5445 hostapd_notify_assoc_fils_finish(hapd, sta);
5446 else
5447 fils_hlp_finish_assoc(hapd, sta);
5448 }
5449
5450 #endif /* CONFIG_FILS */
5451
5452
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5453 static void handle_assoc(struct hostapd_data *hapd,
5454 const struct ieee80211_mgmt *mgmt, size_t len,
5455 int reassoc, int rssi)
5456 {
5457 u16 capab_info, listen_interval, seq_ctrl, fc;
5458 int resp = WLAN_STATUS_SUCCESS;
5459 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5460 const u8 *pos;
5461 int left, i;
5462 struct sta_info *sta;
5463 u8 *tmp = NULL;
5464 #ifdef CONFIG_FILS
5465 int delay_assoc = 0;
5466 #endif /* CONFIG_FILS */
5467 int omit_rsnxe = 0;
5468
5469 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5470 sizeof(mgmt->u.assoc_req))) {
5471 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5472 reassoc, (unsigned long) len);
5473 return;
5474 }
5475
5476 #ifdef CONFIG_TESTING_OPTIONS
5477 if (reassoc) {
5478 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5479 drand48() < hapd->iconf->ignore_reassoc_probability) {
5480 wpa_printf(MSG_INFO,
5481 "TESTING: ignoring reassoc request from "
5482 MACSTR, MAC2STR(mgmt->sa));
5483 return;
5484 }
5485 } else {
5486 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5487 drand48() < hapd->iconf->ignore_assoc_probability) {
5488 wpa_printf(MSG_INFO,
5489 "TESTING: ignoring assoc request from "
5490 MACSTR, MAC2STR(mgmt->sa));
5491 return;
5492 }
5493 }
5494 #endif /* CONFIG_TESTING_OPTIONS */
5495
5496 fc = le_to_host16(mgmt->frame_control);
5497 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5498
5499 if (reassoc) {
5500 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5501 listen_interval = le_to_host16(
5502 mgmt->u.reassoc_req.listen_interval);
5503 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5504 " capab_info=0x%02x listen_interval=%d current_ap="
5505 MACSTR " seq_ctrl=0x%x%s",
5506 MAC2STR(mgmt->sa), capab_info, listen_interval,
5507 MAC2STR(mgmt->u.reassoc_req.current_ap),
5508 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5509 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5510 pos = mgmt->u.reassoc_req.variable;
5511 } else {
5512 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5513 listen_interval = le_to_host16(
5514 mgmt->u.assoc_req.listen_interval);
5515 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5516 " capab_info=0x%02x listen_interval=%d "
5517 "seq_ctrl=0x%x%s",
5518 MAC2STR(mgmt->sa), capab_info, listen_interval,
5519 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5520 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5521 pos = mgmt->u.assoc_req.variable;
5522 }
5523
5524 sta = ap_get_sta(hapd, mgmt->sa);
5525 #ifdef CONFIG_IEEE80211R_AP
5526 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5527 (sta->flags & WLAN_STA_AUTH) == 0) {
5528 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5529 "prior to authentication since it is using "
5530 "over-the-DS FT", MAC2STR(mgmt->sa));
5531
5532 /*
5533 * Mark station as authenticated, to avoid adding station
5534 * entry in the driver as associated and not authenticated
5535 */
5536 sta->flags |= WLAN_STA_AUTH;
5537 } else
5538 #endif /* CONFIG_IEEE80211R_AP */
5539 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5540 if (hapd->iface->current_mode &&
5541 hapd->iface->current_mode->mode ==
5542 HOSTAPD_MODE_IEEE80211AD) {
5543 int acl_res;
5544 struct radius_sta info;
5545
5546 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5547 (const u8 *) mgmt,
5548 len, &info);
5549 if (acl_res == HOSTAPD_ACL_REJECT) {
5550 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5551 "Ignore Association Request frame from "
5552 MACSTR " due to ACL reject",
5553 MAC2STR(mgmt->sa));
5554 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5555 goto fail;
5556 }
5557 if (acl_res == HOSTAPD_ACL_PENDING)
5558 return;
5559
5560 /* DMG/IEEE 802.11ad does not use authentication.
5561 * Allocate sta entry upon association. */
5562 sta = ap_sta_add(hapd, mgmt->sa);
5563 if (!sta) {
5564 hostapd_logger(hapd, mgmt->sa,
5565 HOSTAPD_MODULE_IEEE80211,
5566 HOSTAPD_LEVEL_INFO,
5567 "Failed to add STA");
5568 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5569 goto fail;
5570 }
5571
5572 acl_res = ieee802_11_set_radius_info(
5573 hapd, sta, acl_res, &info);
5574 if (acl_res) {
5575 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5576 goto fail;
5577 }
5578
5579 hostapd_logger(hapd, sta->addr,
5580 HOSTAPD_MODULE_IEEE80211,
5581 HOSTAPD_LEVEL_DEBUG,
5582 "Skip authentication for DMG/IEEE 802.11ad");
5583 sta->flags |= WLAN_STA_AUTH;
5584 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5585 sta->auth_alg = WLAN_AUTH_OPEN;
5586 } else {
5587 hostapd_logger(hapd, mgmt->sa,
5588 HOSTAPD_MODULE_IEEE80211,
5589 HOSTAPD_LEVEL_INFO,
5590 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5591 sta ? sta->aid : -1,
5592 sta ? sta->flags : 0);
5593 send_deauth(hapd, mgmt->sa,
5594 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5595 return;
5596 }
5597 }
5598
5599 if ((fc & WLAN_FC_RETRY) &&
5600 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5601 sta->last_seq_ctrl == seq_ctrl &&
5602 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5603 WLAN_FC_STYPE_ASSOC_REQ)) {
5604 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5605 HOSTAPD_LEVEL_DEBUG,
5606 "Drop repeated association frame seq_ctrl=0x%x",
5607 seq_ctrl);
5608 return;
5609 }
5610 sta->last_seq_ctrl = seq_ctrl;
5611 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5612 WLAN_FC_STYPE_ASSOC_REQ;
5613
5614 if (hapd->tkip_countermeasures) {
5615 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5616 goto fail;
5617 }
5618
5619 if (listen_interval > hapd->conf->max_listen_interval) {
5620 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5621 HOSTAPD_LEVEL_DEBUG,
5622 "Too large Listen Interval (%d)",
5623 listen_interval);
5624 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5625 goto fail;
5626 }
5627
5628 #ifdef CONFIG_MBO
5629 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5630 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5631 goto fail;
5632 }
5633
5634 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5635 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5636 (sta->auth_rssi == 0 ||
5637 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5638 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5639 goto fail;
5640 }
5641 #endif /* CONFIG_MBO */
5642
5643 /*
5644 * sta->capability is used in check_assoc_ies() for RRM enabled
5645 * capability element.
5646 */
5647 sta->capability = capab_info;
5648
5649 #ifdef CONFIG_FILS
5650 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5651 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5652 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5653 int res;
5654
5655 /* The end of the payload is encrypted. Need to decrypt it
5656 * before parsing. */
5657
5658 tmp = os_memdup(pos, left);
5659 if (!tmp) {
5660 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5661 goto fail;
5662 }
5663
5664 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5665 len, tmp, left);
5666 if (res < 0) {
5667 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5668 goto fail;
5669 }
5670 pos = tmp;
5671 left = res;
5672 }
5673 #endif /* CONFIG_FILS */
5674
5675 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5676 * is used */
5677 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5678 if (resp != WLAN_STATUS_SUCCESS)
5679 goto fail;
5680 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5681
5682 if (hostapd_get_aid(hapd, sta) < 0) {
5683 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5684 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5685 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5686 goto fail;
5687 }
5688
5689 sta->listen_interval = listen_interval;
5690
5691 if (hapd->iface->current_mode &&
5692 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5693 sta->flags |= WLAN_STA_NONERP;
5694 for (i = 0; i < sta->supported_rates_len; i++) {
5695 if ((sta->supported_rates[i] & 0x7f) > 22) {
5696 sta->flags &= ~WLAN_STA_NONERP;
5697 break;
5698 }
5699 }
5700 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5701 sta->nonerp_set = 1;
5702 hapd->iface->num_sta_non_erp++;
5703 if (hapd->iface->num_sta_non_erp == 1)
5704 ieee802_11_set_beacons(hapd->iface);
5705 }
5706
5707 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5708 !sta->no_short_slot_time_set) {
5709 sta->no_short_slot_time_set = 1;
5710 hapd->iface->num_sta_no_short_slot_time++;
5711 if (hapd->iface->current_mode &&
5712 hapd->iface->current_mode->mode ==
5713 HOSTAPD_MODE_IEEE80211G &&
5714 hapd->iface->num_sta_no_short_slot_time == 1)
5715 ieee802_11_set_beacons(hapd->iface);
5716 }
5717
5718 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5719 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5720 else
5721 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5722
5723 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5724 !sta->no_short_preamble_set) {
5725 sta->no_short_preamble_set = 1;
5726 hapd->iface->num_sta_no_short_preamble++;
5727 if (hapd->iface->current_mode &&
5728 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5729 && hapd->iface->num_sta_no_short_preamble == 1)
5730 ieee802_11_set_beacons(hapd->iface);
5731 }
5732
5733 update_ht_state(hapd, sta);
5734
5735 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5736 HOSTAPD_LEVEL_DEBUG,
5737 "association OK (aid %d)", sta->aid);
5738 /* Station will be marked associated, after it acknowledges AssocResp
5739 */
5740 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5741
5742 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5743 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5744 "SA Query procedure", reassoc ? "re" : "");
5745 /* TODO: Send a protected Disassociate frame to the STA using
5746 * the old key and Reason Code "Previous Authentication no
5747 * longer valid". Make sure this is only sent protected since
5748 * unprotected frame would be received by the STA that is now
5749 * trying to associate.
5750 */
5751 }
5752
5753 /* Make sure that the previously registered inactivity timer will not
5754 * remove the STA immediately. */
5755 sta->timeout_next = STA_NULLFUNC;
5756
5757 #ifdef CONFIG_TAXONOMY
5758 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5759 #endif /* CONFIG_TAXONOMY */
5760
5761 sta->pending_wds_enable = 0;
5762
5763 #ifdef CONFIG_FILS
5764 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5765 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5766 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5767 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5768 delay_assoc = 1;
5769 }
5770 #endif /* CONFIG_FILS */
5771
5772 fail:
5773
5774 /*
5775 * In case of a successful response, add the station to the driver.
5776 * Otherwise, the kernel may ignore Data frames before we process the
5777 * ACK frame (TX status). In case of a failure, this station will be
5778 * removed.
5779 *
5780 * Note that this is not compliant with the IEEE 802.11 standard that
5781 * states that a non-AP station should transition into the
5782 * authenticated/associated state only after the station acknowledges
5783 * the (Re)Association Response frame. However, still do this as:
5784 *
5785 * 1. In case the station does not acknowledge the (Re)Association
5786 * Response frame, it will be removed.
5787 * 2. Data frames will be dropped in the kernel until the station is
5788 * set into authorized state, and there are no significant known
5789 * issues with processing other non-Data Class 3 frames during this
5790 * window.
5791 */
5792 if (resp == WLAN_STATUS_SUCCESS && sta &&
5793 add_associated_sta(hapd, sta, reassoc))
5794 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5795
5796 #ifdef CONFIG_FILS
5797 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5798 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5799 sta->fils_pending_assoc_req) {
5800 /* Do not reschedule fils_hlp_timeout in case the station
5801 * retransmits (Re)Association Request frame while waiting for
5802 * the previously started FILS HLP wait, so that the timeout can
5803 * be determined from the first pending attempt. */
5804 wpa_printf(MSG_DEBUG,
5805 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5806 MACSTR, MAC2STR(sta->addr));
5807 os_free(tmp);
5808 return;
5809 }
5810 if (sta) {
5811 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5812 os_free(sta->fils_pending_assoc_req);
5813 sta->fils_pending_assoc_req = NULL;
5814 sta->fils_pending_assoc_req_len = 0;
5815 wpabuf_free(sta->fils_hlp_resp);
5816 sta->fils_hlp_resp = NULL;
5817 }
5818 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5819 sta->fils_pending_assoc_req = tmp;
5820 sta->fils_pending_assoc_req_len = left;
5821 sta->fils_pending_assoc_is_reassoc = reassoc;
5822 sta->fils_drv_assoc_finish = 0;
5823 wpa_printf(MSG_DEBUG,
5824 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5825 MACSTR, MAC2STR(sta->addr));
5826 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5827 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5828 fils_hlp_timeout, hapd, sta);
5829 return;
5830 }
5831 #endif /* CONFIG_FILS */
5832
5833 if (resp >= 0)
5834 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5835 pos, left, rssi, omit_rsnxe);
5836 os_free(tmp);
5837
5838 /*
5839 * Remove the station in case transmission of a success response fails
5840 * (the STA was added associated to the driver) or if the station was
5841 * previously added unassociated.
5842 */
5843 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5844 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5845 hostapd_drv_sta_remove(hapd, sta->addr);
5846 sta->added_unassoc = 0;
5847 }
5848 }
5849
5850
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5851 static void handle_disassoc(struct hostapd_data *hapd,
5852 const struct ieee80211_mgmt *mgmt, size_t len)
5853 {
5854 struct sta_info *sta;
5855
5856 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5857 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5858 (unsigned long) len);
5859 return;
5860 }
5861
5862 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
5863 MAC2STR(mgmt->sa),
5864 le_to_host16(mgmt->u.disassoc.reason_code));
5865
5866 sta = ap_get_sta(hapd, mgmt->sa);
5867 if (sta == NULL) {
5868 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
5869 MAC2STR(mgmt->sa));
5870 return;
5871 }
5872
5873 ap_sta_set_authorized(hapd, sta, 0);
5874 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5875 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5876 hostapd_set_sta_flags(hapd, sta);
5877 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5878 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5879 HOSTAPD_LEVEL_INFO, "disassociated");
5880 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5881 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5882 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5883 * authenticated. */
5884 accounting_sta_stop(hapd, sta);
5885 ieee802_1x_free_station(hapd, sta);
5886 if (sta->ipaddr)
5887 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5888 ap_sta_ip6addr_del(hapd, sta);
5889 hostapd_drv_sta_remove(hapd, sta->addr);
5890 sta->added_unassoc = 0;
5891
5892 if (sta->timeout_next == STA_NULLFUNC ||
5893 sta->timeout_next == STA_DISASSOC) {
5894 sta->timeout_next = STA_DEAUTH;
5895 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5896 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5897 hapd, sta);
5898 }
5899
5900 mlme_disassociate_indication(
5901 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5902
5903 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5904 * disassociation. */
5905 if (hapd->iface->current_mode &&
5906 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5907 sta->flags &= ~WLAN_STA_AUTH;
5908 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5909 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5910 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5911 ap_free_sta(hapd, sta);
5912 }
5913 }
5914
5915
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5916 static void handle_deauth(struct hostapd_data *hapd,
5917 const struct ieee80211_mgmt *mgmt, size_t len)
5918 {
5919 struct sta_info *sta;
5920
5921 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5922 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5923 "payload (len=%lu)", (unsigned long) len);
5924 return;
5925 }
5926
5927 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5928 " reason_code=%d",
5929 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5930
5931 /* Clear the PTKSA cache entries for PASN */
5932 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5933
5934 sta = ap_get_sta(hapd, mgmt->sa);
5935 if (sta == NULL) {
5936 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5937 "to deauthenticate, but it is not authenticated",
5938 MAC2STR(mgmt->sa));
5939 return;
5940 }
5941
5942 ap_sta_set_authorized(hapd, sta, 0);
5943 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5944 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5945 WLAN_STA_ASSOC_REQ_OK);
5946 hostapd_set_sta_flags(hapd, sta);
5947 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5948 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5949 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5950 mlme_deauthenticate_indication(
5951 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5952 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5953 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5954 ap_free_sta(hapd, sta);
5955 }
5956
5957
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5958 static void handle_beacon(struct hostapd_data *hapd,
5959 const struct ieee80211_mgmt *mgmt, size_t len,
5960 struct hostapd_frame_info *fi)
5961 {
5962 struct ieee802_11_elems elems;
5963
5964 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5965 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5966 (unsigned long) len);
5967 return;
5968 }
5969
5970 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5971 len - (IEEE80211_HDRLEN +
5972 sizeof(mgmt->u.beacon)), &elems,
5973 0);
5974
5975 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5976 }
5977
5978
robust_action_frame(u8 category)5979 static int robust_action_frame(u8 category)
5980 {
5981 return category != WLAN_ACTION_PUBLIC &&
5982 category != WLAN_ACTION_HT;
5983 }
5984
5985
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5986 static int handle_action(struct hostapd_data *hapd,
5987 const struct ieee80211_mgmt *mgmt, size_t len,
5988 unsigned int freq)
5989 {
5990 struct sta_info *sta;
5991 u8 *action __maybe_unused;
5992
5993 if (len < IEEE80211_HDRLEN + 2 + 1) {
5994 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5995 HOSTAPD_LEVEL_DEBUG,
5996 "handle_action - too short payload (len=%lu)",
5997 (unsigned long) len);
5998 return 0;
5999 }
6000
6001 action = (u8 *) &mgmt->u.action.u;
6002 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
6003 " da " MACSTR " len %d freq %u",
6004 mgmt->u.action.category, *action,
6005 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
6006
6007 sta = ap_get_sta(hapd, mgmt->sa);
6008
6009 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6010 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6011 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6012 "frame (category=%u) from unassociated STA " MACSTR,
6013 mgmt->u.action.category, MAC2STR(mgmt->sa));
6014 return 0;
6015 }
6016
6017 if (sta && (sta->flags & WLAN_STA_MFP) &&
6018 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6019 robust_action_frame(mgmt->u.action.category)) {
6020 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6021 HOSTAPD_LEVEL_DEBUG,
6022 "Dropped unprotected Robust Action frame from "
6023 "an MFP STA");
6024 return 0;
6025 }
6026
6027 if (sta) {
6028 u16 fc = le_to_host16(mgmt->frame_control);
6029 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6030
6031 if ((fc & WLAN_FC_RETRY) &&
6032 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6033 sta->last_seq_ctrl == seq_ctrl &&
6034 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6035 hostapd_logger(hapd, sta->addr,
6036 HOSTAPD_MODULE_IEEE80211,
6037 HOSTAPD_LEVEL_DEBUG,
6038 "Drop repeated action frame seq_ctrl=0x%x",
6039 seq_ctrl);
6040 return 1;
6041 }
6042
6043 sta->last_seq_ctrl = seq_ctrl;
6044 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6045 }
6046
6047 switch (mgmt->u.action.category) {
6048 #ifdef CONFIG_IEEE80211R_AP
6049 case WLAN_ACTION_FT:
6050 if (!sta ||
6051 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6052 len - IEEE80211_HDRLEN))
6053 break;
6054 return 1;
6055 #endif /* CONFIG_IEEE80211R_AP */
6056 case WLAN_ACTION_WMM:
6057 hostapd_wmm_action(hapd, mgmt, len);
6058 return 1;
6059 case WLAN_ACTION_SA_QUERY:
6060 ieee802_11_sa_query_action(hapd, mgmt, len);
6061 return 1;
6062 #ifdef CONFIG_WNM_AP
6063 case WLAN_ACTION_WNM:
6064 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6065 return 1;
6066 #endif /* CONFIG_WNM_AP */
6067 #ifdef CONFIG_FST
6068 case WLAN_ACTION_FST:
6069 if (hapd->iface->fst)
6070 fst_rx_action(hapd->iface->fst, mgmt, len);
6071 else
6072 wpa_printf(MSG_DEBUG,
6073 "FST: Ignore FST Action frame - no FST attached");
6074 return 1;
6075 #endif /* CONFIG_FST */
6076 case WLAN_ACTION_PUBLIC:
6077 case WLAN_ACTION_PROTECTED_DUAL:
6078 if (len >= IEEE80211_HDRLEN + 2 &&
6079 mgmt->u.action.u.public_action.action ==
6080 WLAN_PA_20_40_BSS_COEX) {
6081 hostapd_2040_coex_action(hapd, mgmt, len);
6082 return 1;
6083 }
6084 #ifdef CONFIG_DPP
6085 if (len >= IEEE80211_HDRLEN + 6 &&
6086 mgmt->u.action.u.vs_public_action.action ==
6087 WLAN_PA_VENDOR_SPECIFIC &&
6088 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6089 OUI_WFA &&
6090 mgmt->u.action.u.vs_public_action.variable[0] ==
6091 DPP_OUI_TYPE) {
6092 const u8 *pos, *end;
6093
6094 pos = mgmt->u.action.u.vs_public_action.oui;
6095 end = ((const u8 *) mgmt) + len;
6096 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6097 freq);
6098 return 1;
6099 }
6100 if (len >= IEEE80211_HDRLEN + 2 &&
6101 (mgmt->u.action.u.public_action.action ==
6102 WLAN_PA_GAS_INITIAL_RESP ||
6103 mgmt->u.action.u.public_action.action ==
6104 WLAN_PA_GAS_COMEBACK_RESP)) {
6105 const u8 *pos, *end;
6106
6107 pos = &mgmt->u.action.u.public_action.action;
6108 end = ((const u8 *) mgmt) + len;
6109 gas_query_ap_rx(hapd->gas, mgmt->sa,
6110 mgmt->u.action.category,
6111 pos, end - pos, freq);
6112 return 1;
6113 }
6114 #endif /* CONFIG_DPP */
6115 if (hapd->public_action_cb) {
6116 hapd->public_action_cb(hapd->public_action_cb_ctx,
6117 (u8 *) mgmt, len, freq);
6118 }
6119 if (hapd->public_action_cb2) {
6120 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6121 (u8 *) mgmt, len, freq);
6122 }
6123 if (hapd->public_action_cb || hapd->public_action_cb2)
6124 return 1;
6125 break;
6126 case WLAN_ACTION_VENDOR_SPECIFIC:
6127 if (hapd->vendor_action_cb) {
6128 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6129 (u8 *) mgmt, len, freq) == 0)
6130 return 1;
6131 }
6132 break;
6133 case WLAN_ACTION_RADIO_MEASUREMENT:
6134 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6135 return 1;
6136 }
6137
6138 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6139 HOSTAPD_LEVEL_DEBUG,
6140 "handle_action - unknown action category %d or invalid "
6141 "frame",
6142 mgmt->u.action.category);
6143 if (!is_multicast_ether_addr(mgmt->da) &&
6144 !(mgmt->u.action.category & 0x80) &&
6145 !is_multicast_ether_addr(mgmt->sa)) {
6146 struct ieee80211_mgmt *resp;
6147
6148 /*
6149 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6150 * Return the Action frame to the source without change
6151 * except that MSB of the Category set to 1.
6152 */
6153 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6154 "frame back to sender");
6155 resp = os_memdup(mgmt, len);
6156 if (resp == NULL)
6157 return 0;
6158 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6159 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6160 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6161 resp->u.action.category |= 0x80;
6162
6163 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6164 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6165 "Action frame");
6166 }
6167 os_free(resp);
6168 }
6169
6170 return 1;
6171 }
6172
6173
6174 /**
6175 * notify_mgmt_frame - Notify of Management frames on the control interface
6176 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6177 * sent to)
6178 * @buf: Management frame data (starting from the IEEE 802.11 header)
6179 * @len: Length of frame data in octets
6180 *
6181 * Notify the control interface of any received Management frame.
6182 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6183 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6184 size_t len)
6185 {
6186
6187 int hex_len = len * 2 + 1;
6188 char *hex = os_malloc(hex_len);
6189
6190 if (hex) {
6191 wpa_snprintf_hex(hex, hex_len, buf, len);
6192 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6193 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6194 os_free(hex);
6195 }
6196 }
6197
6198
6199 /**
6200 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6201 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6202 * sent to)
6203 * @buf: management frame data (starting from IEEE 802.11 header)
6204 * @len: length of frame data in octets
6205 * @fi: meta data about received frame (signal level, etc.)
6206 *
6207 * Process all incoming IEEE 802.11 management frames. This will be called for
6208 * each frame received from the kernel driver through wlan#ap interface. In
6209 * addition, it can be called to re-inserted pending frames (e.g., when using
6210 * external RADIUS server as an MAC ACL).
6211 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6212 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6213 struct hostapd_frame_info *fi)
6214 {
6215 struct ieee80211_mgmt *mgmt;
6216 u16 fc, stype;
6217 int ret = 0;
6218 unsigned int freq;
6219 int ssi_signal = fi ? fi->ssi_signal : 0;
6220
6221 if (len < 24)
6222 return 0;
6223
6224 if (fi && fi->freq)
6225 freq = fi->freq;
6226 else
6227 freq = hapd->iface->freq;
6228
6229 mgmt = (struct ieee80211_mgmt *) buf;
6230 fc = le_to_host16(mgmt->frame_control);
6231 stype = WLAN_FC_GET_STYPE(fc);
6232
6233 if (is_multicast_ether_addr(mgmt->sa) ||
6234 is_zero_ether_addr(mgmt->sa) ||
6235 os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6236 /* Do not process any frames with unexpected/invalid SA so that
6237 * we do not add any state for unexpected STA addresses or end
6238 * up sending out frames to unexpected destination. */
6239 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6240 " in received frame - ignore this frame silently",
6241 MAC2STR(mgmt->sa));
6242 return 0;
6243 }
6244
6245 if (stype == WLAN_FC_STYPE_BEACON) {
6246 handle_beacon(hapd, mgmt, len, fi);
6247 return 1;
6248 }
6249
6250 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6251 #ifdef CONFIG_P2P
6252 /* Invitation responses can be sent with the peer MAC as BSSID */
6253 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6254 stype == WLAN_FC_STYPE_ACTION) &&
6255 #endif /* CONFIG_P2P */
6256 #ifdef CONFIG_MESH
6257 !(hapd->conf->mesh & MESH_ENABLED) &&
6258 #endif /* CONFIG_MESH */
6259 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6260 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6261 MAC2STR(mgmt->bssid));
6262 return 0;
6263 }
6264
6265 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6266 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6267 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6268 return 1;
6269 }
6270
6271 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6272 handle_probe_req(hapd, mgmt, len, ssi_signal);
6273 return 1;
6274 }
6275
6276 if ((!is_broadcast_ether_addr(mgmt->da) ||
6277 stype != WLAN_FC_STYPE_ACTION) &&
6278 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6279 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6280 HOSTAPD_LEVEL_DEBUG,
6281 "MGMT: DA=" MACSTR " not our address",
6282 MAC2STR(mgmt->da));
6283 return 0;
6284 }
6285
6286 if (hapd->iconf->track_sta_max_num)
6287 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6288
6289 if (hapd->conf->notify_mgmt_frames)
6290 notify_mgmt_frame(hapd, buf, len);
6291
6292 switch (stype) {
6293 case WLAN_FC_STYPE_AUTH:
6294 wpa_printf(MSG_DEBUG, "mgmt::auth");
6295 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6296 ret = 1;
6297 break;
6298 case WLAN_FC_STYPE_ASSOC_REQ:
6299 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6300 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6301 ret = 1;
6302 break;
6303 case WLAN_FC_STYPE_REASSOC_REQ:
6304 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6305 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6306 ret = 1;
6307 break;
6308 case WLAN_FC_STYPE_DISASSOC:
6309 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6310 handle_disassoc(hapd, mgmt, len);
6311 ret = 1;
6312 break;
6313 case WLAN_FC_STYPE_DEAUTH:
6314 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6315 handle_deauth(hapd, mgmt, len);
6316 ret = 1;
6317 break;
6318 case WLAN_FC_STYPE_ACTION:
6319 wpa_printf(MSG_DEBUG, "mgmt::action");
6320 ret = handle_action(hapd, mgmt, len, freq);
6321 break;
6322 default:
6323 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6324 HOSTAPD_LEVEL_DEBUG,
6325 "unknown mgmt frame subtype %d", stype);
6326 break;
6327 }
6328
6329 return ret;
6330 }
6331
6332
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6333 static void handle_auth_cb(struct hostapd_data *hapd,
6334 const struct ieee80211_mgmt *mgmt,
6335 size_t len, int ok)
6336 {
6337 u16 auth_alg, auth_transaction, status_code;
6338 struct sta_info *sta;
6339 bool success_status;
6340
6341 sta = ap_get_sta(hapd, mgmt->da);
6342 if (!sta) {
6343 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6344 " not found",
6345 MAC2STR(mgmt->da));
6346 return;
6347 }
6348
6349 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6350 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6351 (unsigned long) len);
6352 auth_alg = 0;
6353 auth_transaction = 0;
6354 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6355 goto fail;
6356 }
6357
6358 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6359 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6360 status_code = le_to_host16(mgmt->u.auth.status_code);
6361
6362 if (!ok) {
6363 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6364 HOSTAPD_LEVEL_NOTICE,
6365 "did not acknowledge authentication response");
6366 goto fail;
6367 }
6368
6369 if (status_code == WLAN_STATUS_SUCCESS &&
6370 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6371 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6372 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6373 HOSTAPD_LEVEL_INFO, "authenticated");
6374 sta->flags |= WLAN_STA_AUTH;
6375 if (sta->added_unassoc)
6376 hostapd_set_sta_flags(hapd, sta);
6377 return;
6378 }
6379
6380 fail:
6381 success_status = status_code == WLAN_STATUS_SUCCESS;
6382 #ifdef CONFIG_SAE
6383 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6384 success_status = sae_status_success(hapd, status_code);
6385 #endif /* CONFIG_SAE */
6386 if (!success_status && sta->added_unassoc) {
6387 hostapd_drv_sta_remove(hapd, sta->addr);
6388 sta->added_unassoc = 0;
6389 }
6390 }
6391
6392
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6393 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6394 struct sta_info *sta,
6395 char *ifname_wds)
6396 {
6397 #ifdef CONFIG_WEP
6398 int i;
6399 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6400
6401 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6402 return;
6403
6404 for (i = 0; i < 4; i++) {
6405 if (ssid->wep.key[i] &&
6406 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6407 0, i == ssid->wep.idx, NULL, 0,
6408 ssid->wep.key[i], ssid->wep.len[i],
6409 i == ssid->wep.idx ?
6410 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6411 KEY_FLAG_GROUP_RX_TX)) {
6412 wpa_printf(MSG_WARNING,
6413 "Could not set WEP keys for WDS interface; %s",
6414 ifname_wds);
6415 break;
6416 }
6417 }
6418 #endif /* CONFIG_WEP */
6419 }
6420
6421
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6422 static void handle_assoc_cb(struct hostapd_data *hapd,
6423 const struct ieee80211_mgmt *mgmt,
6424 size_t len, int reassoc, int ok)
6425 {
6426 u16 status;
6427 struct sta_info *sta;
6428 int new_assoc = 1;
6429
6430 sta = ap_get_sta(hapd, mgmt->da);
6431 if (!sta) {
6432 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6433 MAC2STR(mgmt->da));
6434 return;
6435 }
6436
6437 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6438 sizeof(mgmt->u.assoc_resp))) {
6439 wpa_printf(MSG_INFO,
6440 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6441 reassoc, (unsigned long) len);
6442 hostapd_drv_sta_remove(hapd, sta->addr);
6443 return;
6444 }
6445
6446 if (reassoc)
6447 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6448 else
6449 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6450
6451 if (!ok) {
6452 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6453 HOSTAPD_LEVEL_DEBUG,
6454 "did not acknowledge association response");
6455 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6456 /* The STA is added only in case of SUCCESS */
6457 if (status == WLAN_STATUS_SUCCESS)
6458 hostapd_drv_sta_remove(hapd, sta->addr);
6459
6460 return;
6461 }
6462
6463 if (status != WLAN_STATUS_SUCCESS)
6464 return;
6465
6466 /* Stop previous accounting session, if one is started, and allocate
6467 * new session id for the new session. */
6468 accounting_sta_stop(hapd, sta);
6469
6470 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6471 HOSTAPD_LEVEL_INFO,
6472 "associated (aid %d)",
6473 sta->aid);
6474
6475 if (sta->flags & WLAN_STA_ASSOC)
6476 new_assoc = 0;
6477 sta->flags |= WLAN_STA_ASSOC;
6478 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6479 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6480 !hapd->conf->osen) ||
6481 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6482 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6483 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6484 sta->auth_alg == WLAN_AUTH_FT) {
6485 /*
6486 * Open, static WEP, FT protocol, or FILS; no separate
6487 * authorization step.
6488 */
6489 ap_sta_set_authorized(hapd, sta, 1);
6490 }
6491
6492 if (reassoc)
6493 mlme_reassociate_indication(hapd, sta);
6494 else
6495 mlme_associate_indication(hapd, sta);
6496
6497 sta->sa_query_timed_out = 0;
6498
6499 if (sta->eapol_sm == NULL) {
6500 /*
6501 * This STA does not use RADIUS server for EAP authentication,
6502 * so bind it to the selected VLAN interface now, since the
6503 * interface selection is not going to change anymore.
6504 */
6505 if (ap_sta_bind_vlan(hapd, sta) < 0)
6506 return;
6507 } else if (sta->vlan_id) {
6508 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6509 if (ap_sta_bind_vlan(hapd, sta) < 0)
6510 return;
6511 }
6512
6513 hostapd_set_sta_flags(hapd, sta);
6514
6515 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6516 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6517 MACSTR " based on pending request",
6518 MAC2STR(sta->addr));
6519 sta->pending_wds_enable = 0;
6520 sta->flags |= WLAN_STA_WDS;
6521 }
6522
6523 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6524 int ret;
6525 char ifname_wds[IFNAMSIZ + 1];
6526
6527 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6528 MACSTR " (aid %u)",
6529 MAC2STR(sta->addr), sta->aid);
6530 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6531 sta->aid, 1);
6532 if (!ret)
6533 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6534 }
6535
6536 if (sta->auth_alg == WLAN_AUTH_FT)
6537 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6538 else
6539 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6540 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6541 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6542
6543 #ifdef CONFIG_FILS
6544 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6545 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6546 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6547 fils_set_tk(sta->wpa_sm) < 0) {
6548 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6549 ap_sta_disconnect(hapd, sta, sta->addr,
6550 WLAN_REASON_UNSPECIFIED);
6551 return;
6552 }
6553 #endif /* CONFIG_FILS */
6554
6555 if (sta->pending_eapol_rx) {
6556 struct os_reltime now, age;
6557
6558 os_get_reltime(&now);
6559 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6560 if (age.sec == 0 && age.usec < 200000) {
6561 wpa_printf(MSG_DEBUG,
6562 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6563 MAC2STR(sta->addr));
6564 ieee802_1x_receive(
6565 hapd, mgmt->da,
6566 wpabuf_head(sta->pending_eapol_rx->buf),
6567 wpabuf_len(sta->pending_eapol_rx->buf));
6568 }
6569 wpabuf_free(sta->pending_eapol_rx->buf);
6570 os_free(sta->pending_eapol_rx);
6571 sta->pending_eapol_rx = NULL;
6572 }
6573 }
6574
6575
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6576 static void handle_deauth_cb(struct hostapd_data *hapd,
6577 const struct ieee80211_mgmt *mgmt,
6578 size_t len, int ok)
6579 {
6580 struct sta_info *sta;
6581 if (is_multicast_ether_addr(mgmt->da))
6582 return;
6583 sta = ap_get_sta(hapd, mgmt->da);
6584 if (!sta) {
6585 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6586 " not found", MAC2STR(mgmt->da));
6587 return;
6588 }
6589 if (ok)
6590 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6591 MAC2STR(sta->addr));
6592 else
6593 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6594 "deauth", MAC2STR(sta->addr));
6595
6596 ap_sta_deauth_cb(hapd, sta);
6597 }
6598
6599
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6600 static void handle_disassoc_cb(struct hostapd_data *hapd,
6601 const struct ieee80211_mgmt *mgmt,
6602 size_t len, int ok)
6603 {
6604 struct sta_info *sta;
6605 if (is_multicast_ether_addr(mgmt->da))
6606 return;
6607 sta = ap_get_sta(hapd, mgmt->da);
6608 if (!sta) {
6609 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6610 " not found", MAC2STR(mgmt->da));
6611 return;
6612 }
6613 if (ok)
6614 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6615 MAC2STR(sta->addr));
6616 else
6617 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6618 "disassoc", MAC2STR(sta->addr));
6619
6620 ap_sta_disassoc_cb(hapd, sta);
6621 }
6622
6623
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6624 static void handle_action_cb(struct hostapd_data *hapd,
6625 const struct ieee80211_mgmt *mgmt,
6626 size_t len, int ok)
6627 {
6628 struct sta_info *sta;
6629 const struct rrm_measurement_report_element *report;
6630
6631 #ifdef CONFIG_DPP
6632 if (len >= IEEE80211_HDRLEN + 6 &&
6633 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6634 mgmt->u.action.u.vs_public_action.action ==
6635 WLAN_PA_VENDOR_SPECIFIC &&
6636 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6637 OUI_WFA &&
6638 mgmt->u.action.u.vs_public_action.variable[0] ==
6639 DPP_OUI_TYPE) {
6640 const u8 *pos, *end;
6641
6642 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6643 end = ((const u8 *) mgmt) + len;
6644 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6645 return;
6646 }
6647 if (len >= IEEE80211_HDRLEN + 2 &&
6648 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6649 (mgmt->u.action.u.public_action.action ==
6650 WLAN_PA_GAS_INITIAL_REQ ||
6651 mgmt->u.action.u.public_action.action ==
6652 WLAN_PA_GAS_COMEBACK_REQ)) {
6653 const u8 *pos, *end;
6654
6655 pos = mgmt->u.action.u.public_action.variable;
6656 end = ((const u8 *) mgmt) + len;
6657 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6658 return;
6659 }
6660 #endif /* CONFIG_DPP */
6661 if (is_multicast_ether_addr(mgmt->da))
6662 return;
6663 sta = ap_get_sta(hapd, mgmt->da);
6664 if (!sta) {
6665 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6666 " not found", MAC2STR(mgmt->da));
6667 return;
6668 }
6669
6670 if (len < 24 + 5 + sizeof(*report))
6671 return;
6672 report = (const struct rrm_measurement_report_element *)
6673 &mgmt->u.action.u.rrm.variable[2];
6674 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6675 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6676 report->eid == WLAN_EID_MEASURE_REQUEST &&
6677 report->len >= 3 &&
6678 report->type == MEASURE_TYPE_BEACON)
6679 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6680 }
6681
6682
6683 /**
6684 * ieee802_11_mgmt_cb - Process management frame TX status callback
6685 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6686 * was sent from)
6687 * @buf: management frame data (starting from IEEE 802.11 header)
6688 * @len: length of frame data in octets
6689 * @stype: management frame subtype from frame control field
6690 * @ok: Whether the frame was ACK'ed
6691 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6692 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6693 u16 stype, int ok)
6694 {
6695 const struct ieee80211_mgmt *mgmt;
6696 mgmt = (const struct ieee80211_mgmt *) buf;
6697
6698 #ifdef CONFIG_TESTING_OPTIONS
6699 if (hapd->ext_mgmt_frame_handling) {
6700 size_t hex_len = 2 * len + 1;
6701 char *hex = os_malloc(hex_len);
6702
6703 if (hex) {
6704 wpa_snprintf_hex(hex, hex_len, buf, len);
6705 wpa_msg(hapd->msg_ctx, MSG_INFO,
6706 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6707 stype, ok, hex);
6708 os_free(hex);
6709 }
6710 return;
6711 }
6712 #endif /* CONFIG_TESTING_OPTIONS */
6713
6714 switch (stype) {
6715 case WLAN_FC_STYPE_AUTH:
6716 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6717 handle_auth_cb(hapd, mgmt, len, ok);
6718 break;
6719 case WLAN_FC_STYPE_ASSOC_RESP:
6720 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6721 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6722 break;
6723 case WLAN_FC_STYPE_REASSOC_RESP:
6724 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6725 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6726 break;
6727 case WLAN_FC_STYPE_PROBE_RESP:
6728 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6729 break;
6730 case WLAN_FC_STYPE_DEAUTH:
6731 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6732 handle_deauth_cb(hapd, mgmt, len, ok);
6733 break;
6734 case WLAN_FC_STYPE_DISASSOC:
6735 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6736 handle_disassoc_cb(hapd, mgmt, len, ok);
6737 break;
6738 case WLAN_FC_STYPE_ACTION:
6739 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6740 handle_action_cb(hapd, mgmt, len, ok);
6741 break;
6742 default:
6743 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6744 break;
6745 }
6746 }
6747
6748
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6749 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6750 {
6751 /* TODO */
6752 return 0;
6753 }
6754
6755
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6756 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6757 char *buf, size_t buflen)
6758 {
6759 /* TODO */
6760 return 0;
6761 }
6762
6763
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6764 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6765 const u8 *buf, size_t len, int ack)
6766 {
6767 struct sta_info *sta;
6768 struct hostapd_iface *iface = hapd->iface;
6769
6770 sta = ap_get_sta(hapd, addr);
6771 if (sta == NULL && iface->num_bss > 1) {
6772 size_t j;
6773 for (j = 0; j < iface->num_bss; j++) {
6774 hapd = iface->bss[j];
6775 sta = ap_get_sta(hapd, addr);
6776 if (sta)
6777 break;
6778 }
6779 }
6780 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6781 return;
6782 if (sta->flags & WLAN_STA_PENDING_POLL) {
6783 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6784 "activity poll", MAC2STR(sta->addr),
6785 ack ? "ACKed" : "did not ACK");
6786 if (ack)
6787 sta->flags &= ~WLAN_STA_PENDING_POLL;
6788 }
6789
6790 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6791 }
6792
6793
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)6794 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6795 const u8 *data, size_t len, int ack)
6796 {
6797 struct sta_info *sta;
6798 struct hostapd_iface *iface = hapd->iface;
6799
6800 sta = ap_get_sta(hapd, dst);
6801 if (sta == NULL && iface->num_bss > 1) {
6802 size_t j;
6803 for (j = 0; j < iface->num_bss; j++) {
6804 hapd = iface->bss[j];
6805 sta = ap_get_sta(hapd, dst);
6806 if (sta)
6807 break;
6808 }
6809 }
6810 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6811 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6812 MACSTR " that is not currently associated",
6813 MAC2STR(dst));
6814 return;
6815 }
6816
6817 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6818 }
6819
6820
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6821 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6822 {
6823 struct sta_info *sta;
6824 struct hostapd_iface *iface = hapd->iface;
6825
6826 sta = ap_get_sta(hapd, addr);
6827 if (sta == NULL && iface->num_bss > 1) {
6828 size_t j;
6829 for (j = 0; j < iface->num_bss; j++) {
6830 hapd = iface->bss[j];
6831 sta = ap_get_sta(hapd, addr);
6832 if (sta)
6833 break;
6834 }
6835 }
6836 if (sta == NULL)
6837 return;
6838 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6839 MAC2STR(sta->addr));
6840 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6841 return;
6842
6843 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6844 "activity poll", MAC2STR(sta->addr));
6845 sta->flags &= ~WLAN_STA_PENDING_POLL;
6846 }
6847
6848
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6849 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6850 int wds)
6851 {
6852 struct sta_info *sta;
6853
6854 sta = ap_get_sta(hapd, src);
6855 if (sta &&
6856 ((sta->flags & WLAN_STA_ASSOC) ||
6857 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6858 if (!hapd->conf->wds_sta)
6859 return;
6860
6861 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6862 WLAN_STA_ASSOC_REQ_OK) {
6863 wpa_printf(MSG_DEBUG,
6864 "Postpone 4-address WDS mode enabling for STA "
6865 MACSTR " since TX status for AssocResp is not yet known",
6866 MAC2STR(sta->addr));
6867 sta->pending_wds_enable = 1;
6868 return;
6869 }
6870
6871 if (wds && !(sta->flags & WLAN_STA_WDS)) {
6872 int ret;
6873 char ifname_wds[IFNAMSIZ + 1];
6874
6875 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6876 "STA " MACSTR " (aid %u)",
6877 MAC2STR(sta->addr), sta->aid);
6878 sta->flags |= WLAN_STA_WDS;
6879 ret = hostapd_set_wds_sta(hapd, ifname_wds,
6880 sta->addr, sta->aid, 1);
6881 if (!ret)
6882 hostapd_set_wds_encryption(hapd, sta,
6883 ifname_wds);
6884 }
6885 return;
6886 }
6887
6888 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6889 MACSTR, MAC2STR(src));
6890 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6891 os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6892 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6893 * silently. */
6894 return;
6895 }
6896
6897 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6898 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6899 "already been sent, but no TX status yet known - "
6900 "ignore Class 3 frame issue with " MACSTR,
6901 MAC2STR(src));
6902 return;
6903 }
6904
6905 if (sta && (sta->flags & WLAN_STA_AUTH))
6906 hostapd_drv_sta_disassoc(
6907 hapd, src,
6908 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6909 else
6910 hostapd_drv_sta_deauth(
6911 hapd, src,
6912 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6913 }
6914
6915
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)6916 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6917 {
6918 struct hostapd_iface *iface = hapd->iface;
6919 struct hostapd_config *iconf = iface->conf;
6920 struct hostapd_hw_modes *mode = iface->current_mode;
6921 struct hostapd_channel_data *chan;
6922 int dfs, i;
6923 u8 channel, tx_pwr_count, local_pwr_constraint;
6924 int max_tx_power;
6925 u8 tx_pwr;
6926
6927 if (!mode)
6928 return eid;
6929
6930 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6931 return eid;
6932
6933 for (i = 0; i < mode->num_channels; i++) {
6934 if (mode->channels[i].freq == iface->freq)
6935 break;
6936 }
6937 if (i == mode->num_channels)
6938 return eid;
6939
6940 switch (hostapd_get_oper_chwidth(iconf)) {
6941 case CHANWIDTH_USE_HT:
6942 if (iconf->secondary_channel == 0) {
6943 /* Max Transmit Power count = 0 (20 MHz) */
6944 tx_pwr_count = 0;
6945 } else {
6946 /* Max Transmit Power count = 1 (20, 40 MHz) */
6947 tx_pwr_count = 1;
6948 }
6949 break;
6950 case CHANWIDTH_80MHZ:
6951 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6952 tx_pwr_count = 2;
6953 break;
6954 case CHANWIDTH_80P80MHZ:
6955 case CHANWIDTH_160MHZ:
6956 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6957 tx_pwr_count = 3;
6958 break;
6959 default:
6960 return eid;
6961 }
6962
6963 /*
6964 * Below local_pwr_constraint logic is referred from
6965 * hostapd_eid_pwr_constraint.
6966 *
6967 * Check if DFS is required by regulatory.
6968 */
6969 dfs = hostapd_is_dfs_required(hapd->iface);
6970 if (dfs < 0)
6971 dfs = 0;
6972
6973 /*
6974 * In order to meet regulations when TPC is not implemented using
6975 * a transmit power that is below the legal maximum (including any
6976 * mitigation factor) should help. In this case, indicate 3 dB below
6977 * maximum allowed transmit power.
6978 */
6979 if (hapd->iconf->local_pwr_constraint == -1)
6980 local_pwr_constraint = (dfs == 0) ? 0 : 3;
6981 else
6982 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6983
6984 /*
6985 * A STA that is not an AP shall use a transmit power less than or
6986 * equal to the local maximum transmit power level for the channel.
6987 * The local maximum transmit power can be calculated from the formula:
6988 * local max TX pwr = max TX pwr - local pwr constraint
6989 * Where max TX pwr is maximum transmit power level specified for
6990 * channel in Country element and local pwr constraint is specified
6991 * for channel in this Power Constraint element.
6992 */
6993 chan = &mode->channels[i];
6994 max_tx_power = chan->max_tx_power - local_pwr_constraint;
6995
6996 /*
6997 * Local Maximum Transmit power is encoded as two's complement
6998 * with a 0.5 dB step.
6999 */
7000 max_tx_power *= 2; /* in 0.5 dB steps */
7001 if (max_tx_power > 127) {
7002 /* 63.5 has special meaning of 63.5 dBm or higher */
7003 max_tx_power = 127;
7004 }
7005 if (max_tx_power < -128)
7006 max_tx_power = -128;
7007 if (max_tx_power < 0)
7008 tx_pwr = 0x80 + max_tx_power + 128;
7009 else
7010 tx_pwr = max_tx_power;
7011
7012 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
7013 *eid++ = 2 + tx_pwr_count;
7014
7015 /*
7016 * Max Transmit Power count and
7017 * Max Transmit Power units = 0 (EIRP)
7018 */
7019 *eid++ = tx_pwr_count;
7020
7021 for (i = 0; i <= tx_pwr_count; i++)
7022 *eid++ = tx_pwr;
7023
7024 return eid;
7025 }
7026
7027
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)7028 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7029 {
7030 u8 bw, chan1, chan2 = 0;
7031 int freq1;
7032
7033 if (!hapd->cs_freq_params.channel ||
7034 (!hapd->cs_freq_params.vht_enabled &&
7035 !hapd->cs_freq_params.he_enabled))
7036 return eid;
7037
7038 /* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
7039 switch (hapd->cs_freq_params.bandwidth) {
7040 case 40:
7041 bw = 0;
7042 break;
7043 case 80:
7044 /* check if it's 80+80 */
7045 if (!hapd->cs_freq_params.center_freq2)
7046 bw = 1;
7047 else
7048 bw = 3;
7049 break;
7050 case 160:
7051 bw = 2;
7052 break;
7053 default:
7054 /* not valid VHT bandwidth or not in CSA */
7055 return eid;
7056 }
7057
7058 freq1 = hapd->cs_freq_params.center_freq1 ?
7059 hapd->cs_freq_params.center_freq1 :
7060 hapd->cs_freq_params.freq;
7061 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7062 HOSTAPD_MODE_IEEE80211A)
7063 return eid;
7064
7065 if (hapd->cs_freq_params.center_freq2 &&
7066 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7067 &chan2) != HOSTAPD_MODE_IEEE80211A)
7068 return eid;
7069
7070 *eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
7071 *eid++ = 5; /* Length of Channel Switch Wrapper */
7072 *eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
7073 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7074 *eid++ = bw; /* New Channel Width */
7075 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7076 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7077
7078 return eid;
7079 }
7080
7081
hostapd_eid_nr_db_len(struct hostapd_data * hapd,size_t * current_len)7082 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7083 size_t *current_len)
7084 {
7085 struct hostapd_neighbor_entry *nr;
7086 size_t total_len = 0, len = *current_len;
7087
7088 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7089 list) {
7090 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7091 continue;
7092
7093 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7094 continue;
7095
7096 /* Start a new element */
7097 if (!len ||
7098 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7099 len = RNR_HEADER_LEN;
7100 total_len += RNR_HEADER_LEN;
7101 }
7102
7103 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7104 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7105 }
7106
7107 *current_len = len;
7108 return total_len;
7109 }
7110
7111
hostapd_eid_rnr_iface_len(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,size_t * current_len)7112 static size_t hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7113 struct hostapd_data *reporting_hapd,
7114 size_t *current_len)
7115 {
7116 size_t total_len = 0, len = *current_len;
7117 int tbtt_count = 0;
7118 size_t i, start = 0;
7119
7120 while (start < hapd->iface->num_bss) {
7121 if (!len ||
7122 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7123 len = RNR_HEADER_LEN;
7124 total_len += RNR_HEADER_LEN;
7125 }
7126
7127 len += RNR_TBTT_HEADER_LEN;
7128 total_len += RNR_TBTT_HEADER_LEN;
7129
7130 for (i = start; i < hapd->iface->num_bss; i++) {
7131 struct hostapd_data *bss = hapd->iface->bss[i];
7132
7133 if (!bss || !bss->conf || !bss->started)
7134 continue;
7135
7136 if (bss == reporting_hapd ||
7137 bss->conf->ignore_broadcast_ssid)
7138 continue;
7139
7140 if (len + RNR_TBTT_INFO_LEN > 255 ||
7141 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7142 break;
7143
7144 len += RNR_TBTT_INFO_LEN;
7145 total_len += RNR_TBTT_INFO_LEN;
7146 tbtt_count++;
7147 }
7148 start = i;
7149 }
7150
7151 if (!tbtt_count)
7152 total_len = 0;
7153 else
7154 *current_len = len;
7155
7156 return total_len;
7157 }
7158
7159
7160 enum colocation_mode {
7161 NO_COLOCATED_6GHZ,
7162 STANDALONE_6GHZ,
7163 COLOCATED_6GHZ,
7164 COLOCATED_LOWER_BAND,
7165 };
7166
get_colocation_mode(struct hostapd_data * hapd)7167 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7168 {
7169 u8 i;
7170 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7171
7172 if (!hapd->iface || !hapd->iface->interfaces)
7173 return NO_COLOCATED_6GHZ;
7174
7175 if (is_6ghz && hapd->iface->interfaces->count == 1)
7176 return STANDALONE_6GHZ;
7177
7178 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7179 struct hostapd_iface *iface;
7180 bool is_colocated_6ghz;
7181
7182 iface = hapd->iface->interfaces->iface[i];
7183 if (iface == hapd->iface || !iface || !iface->conf)
7184 continue;
7185
7186 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7187 if (!is_6ghz && is_colocated_6ghz)
7188 return COLOCATED_LOWER_BAND;
7189 if (is_6ghz && !is_colocated_6ghz)
7190 return COLOCATED_6GHZ;
7191 }
7192
7193 if (is_6ghz)
7194 return STANDALONE_6GHZ;
7195
7196 return NO_COLOCATED_6GHZ;
7197 }
7198
7199
hostapd_eid_rnr_colocation_len(struct hostapd_data * hapd,size_t * current_len)7200 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7201 size_t *current_len)
7202 {
7203 struct hostapd_iface *iface;
7204 size_t len = 0;
7205 size_t i;
7206
7207 if (!hapd->iface || !hapd->iface->interfaces)
7208 return 0;
7209
7210 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7211 iface = hapd->iface->interfaces->iface[i];
7212
7213 if (iface == hapd->iface ||
7214 !is_6ghz_op_class(iface->conf->op_class))
7215 continue;
7216
7217 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7218 current_len);
7219 }
7220
7221 return len;
7222 }
7223
7224
hostapd_eid_rnr_len(struct hostapd_data * hapd,u32 type)7225 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type)
7226 {
7227 size_t total_len = 0, current_len = 0;
7228 enum colocation_mode mode = get_colocation_mode(hapd);
7229
7230 switch (type) {
7231 case WLAN_FC_STYPE_BEACON:
7232 if (hapd->conf->rnr)
7233 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7234 /* fallthrough */
7235
7236 case WLAN_FC_STYPE_PROBE_RESP:
7237 if (mode == COLOCATED_LOWER_BAND)
7238 total_len += hostapd_eid_rnr_colocation_len(
7239 hapd, ¤t_len);
7240
7241 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7242 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7243 ¤t_len);
7244 break;
7245
7246 case WLAN_FC_STYPE_ACTION:
7247 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7248 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7249 ¤t_len);
7250 break;
7251
7252 default:
7253 break;
7254 }
7255
7256 return total_len;
7257 }
7258
7259
hostapd_eid_nr_db(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7260 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7261 size_t *current_len)
7262 {
7263 struct hostapd_neighbor_entry *nr;
7264 size_t len = *current_len;
7265 u8 *size_offset = (eid - len) + 1;
7266
7267 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7268 list) {
7269 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7270 continue;
7271
7272 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7273 continue;
7274
7275 /* Start a new element */
7276 if (!len ||
7277 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7278 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7279 size_offset = eid++;
7280 len = RNR_HEADER_LEN;
7281 }
7282
7283 /* TBTT Information Header subfield (2 octets) */
7284 *eid++ = 0;
7285 /* TBTT Information Length */
7286 *eid++ = RNR_TBTT_INFO_LEN;
7287 /* Operating Class */
7288 *eid++ = wpabuf_head_u8(nr->nr)[10];
7289 /* Channel Number */
7290 *eid++ = wpabuf_head_u8(nr->nr)[11];
7291 len += RNR_TBTT_HEADER_LEN;
7292 /* TBTT Information Set */
7293 /* TBTT Information field */
7294 /* Neighbor AP TBTT Offset */
7295 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7296 /* BSSID */
7297 os_memcpy(eid, nr->bssid, ETH_ALEN);
7298 eid += ETH_ALEN;
7299 /* Short SSID */
7300 os_memcpy(eid, &nr->short_ssid, 4);
7301 eid += 4;
7302 /* BSS parameters */
7303 *eid++ = nr->bss_parameters;
7304 /* 20 MHz PSD */
7305 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7306 len += RNR_TBTT_INFO_LEN;
7307 *size_offset = (eid - size_offset) - 1;
7308 }
7309
7310 *current_len = len;
7311 return eid;
7312 }
7313
7314
hostapd_eid_rnr_iface(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,u8 * eid,size_t * current_len)7315 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7316 struct hostapd_data *reporting_hapd,
7317 u8 *eid, size_t *current_len)
7318 {
7319 struct hostapd_data *bss;
7320 struct hostapd_iface *iface = hapd->iface;
7321 size_t i, start = 0;
7322 size_t len = *current_len;
7323 u8 *tbtt_count_pos, *eid_start = eid, *size_offset = (eid - len) + 1;
7324 u8 tbtt_count = 0, op_class, channel, bss_param;
7325
7326 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7327 return eid;
7328
7329 if (ieee80211_freq_to_channel_ext(iface->freq,
7330 hapd->iconf->secondary_channel,
7331 hostapd_get_oper_chwidth(hapd->iconf),
7332 &op_class, &channel) ==
7333 NUM_HOSTAPD_MODES)
7334 return eid;
7335
7336 while (start < iface->num_bss) {
7337 if (!len ||
7338 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7339 eid_start = eid;
7340 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7341 size_offset = eid++;
7342 len = RNR_HEADER_LEN;
7343 tbtt_count = 0;
7344 }
7345
7346 tbtt_count_pos = eid++;
7347 *eid++ = RNR_TBTT_INFO_LEN;
7348 *eid++ = op_class;
7349 *eid++ = hapd->iconf->channel;
7350 len += RNR_TBTT_HEADER_LEN;
7351
7352 for (i = start; i < iface->num_bss; i++) {
7353 bss_param = 0;
7354 bss = iface->bss[i];
7355 if (!bss || !bss->conf || !bss->started)
7356 continue;
7357
7358 if (bss == reporting_hapd ||
7359 bss->conf->ignore_broadcast_ssid)
7360 continue;
7361
7362 if (len + RNR_TBTT_INFO_LEN > 255 ||
7363 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7364 break;
7365
7366 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7367 os_memcpy(eid, bss->conf->bssid, ETH_ALEN);
7368 eid += ETH_ALEN;
7369 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7370 eid += 4;
7371 if (bss->conf->ssid.short_ssid ==
7372 reporting_hapd->conf->ssid.short_ssid)
7373 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7374
7375 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7376 bss->conf->unsol_bcast_probe_resp_interval)
7377 bss_param |=
7378 RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7379
7380 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7381
7382 *eid++ = bss_param;
7383 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER - 1;
7384 len += RNR_TBTT_INFO_LEN;
7385 tbtt_count += 1;
7386 }
7387
7388 start = i;
7389 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7390 *size_offset = (eid - size_offset) - 1;
7391 }
7392
7393 if (tbtt_count == 0)
7394 return eid_start;
7395
7396 *current_len = len;
7397 return eid;
7398 }
7399
7400
hostapd_eid_rnr_colocation(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7401 static u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7402 size_t *current_len)
7403 {
7404 struct hostapd_iface *iface;
7405 size_t i;
7406
7407 if (!hapd->iface || !hapd->iface->interfaces)
7408 return eid;
7409
7410 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7411 iface = hapd->iface->interfaces->iface[i];
7412
7413 if (iface == hapd->iface ||
7414 !is_6ghz_op_class(iface->conf->op_class))
7415 continue;
7416
7417 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7418 current_len);
7419 }
7420
7421 return eid;
7422 }
7423
7424
hostapd_eid_rnr(struct hostapd_data * hapd,u8 * eid,u32 type)7425 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type)
7426 {
7427 u8 *eid_start = eid;
7428 size_t current_len = 0;
7429 enum colocation_mode mode = get_colocation_mode(hapd);
7430
7431 switch (type) {
7432 case WLAN_FC_STYPE_BEACON:
7433 if (hapd->conf->rnr)
7434 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
7435 /* fallthrough */
7436
7437 case WLAN_FC_STYPE_PROBE_RESP:
7438 if (mode == COLOCATED_LOWER_BAND)
7439 eid = hostapd_eid_rnr_colocation(hapd, eid,
7440 ¤t_len);
7441
7442 if (hapd->conf->rnr && hapd->iface->num_bss > 1)
7443 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7444 ¤t_len);
7445 break;
7446
7447 case WLAN_FC_STYPE_ACTION:
7448 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7449 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
7450 ¤t_len);
7451 break;
7452
7453 default:
7454 return eid_start;
7455 }
7456
7457 if (eid == eid_start + 2)
7458 return eid_start;
7459
7460 return eid;
7461 }
7462
7463 #endif /* CONFIG_NATIVE_WINDOWS */
7464
