1 /*
2  * hostapd / IEEE 802.11 Management
3  * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #ifndef CONFIG_NATIVE_WINDOWS
12 
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58 
59 
60 #ifdef CONFIG_FILS
61 static struct wpabuf *
62 prepare_auth_resp_fils(struct hostapd_data *hapd,
63 		       struct sta_info *sta, u16 *resp,
64 		       struct rsn_pmksa_cache_entry *pmksa,
65 		       struct wpabuf *erp_resp,
66 		       const u8 *msk, size_t msk_len,
67 		       int *is_pub);
68 #endif /* CONFIG_FILS */
69 
70 #ifdef CONFIG_PASN
71 
72 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
73 				 struct sta_info *sta,
74 				 struct rsn_pmksa_cache_entry *pmksa,
75 				 u16 status);
76 #ifdef CONFIG_FILS
77 
78 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
79 				struct sta_info *sta, u16 status,
80 				struct wpabuf *erp_resp,
81 				const u8 *msk, size_t msk_len);
82 
83 #endif /* CONFIG_FILS */
84 #endif /* CONFIG_PASN */
85 
86 static void handle_auth(struct hostapd_data *hapd,
87 			const struct ieee80211_mgmt *mgmt, size_t len,
88 			int rssi, int from_queue);
89 
90 
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid)91 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
92 {
93 	u8 multi_ap_val = 0;
94 
95 	if (!hapd->conf->multi_ap)
96 		return eid;
97 	if (hapd->conf->multi_ap & BACKHAUL_BSS)
98 		multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
99 	if (hapd->conf->multi_ap & FRONTHAUL_BSS)
100 		multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
101 
102 	return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
103 }
104 
105 
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)106 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
107 {
108 	u8 *pos = eid;
109 	int i, num, count;
110 	int h2e_required;
111 
112 	if (hapd->iface->current_rates == NULL)
113 		return eid;
114 
115 	*pos++ = WLAN_EID_SUPP_RATES;
116 	num = hapd->iface->num_rates;
117 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
118 		num++;
119 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
120 		num++;
121 	h2e_required = (hapd->conf->sae_pwe == 1 ||
122 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
123 		hapd->conf->sae_pwe != 3 &&
124 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
125 	if (h2e_required)
126 		num++;
127 	if (num > 8) {
128 		/* rest of the rates are encoded in Extended supported
129 		 * rates element */
130 		num = 8;
131 	}
132 
133 	*pos++ = num;
134 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
135 	     i++) {
136 		count++;
137 		*pos = hapd->iface->current_rates[i].rate / 5;
138 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
139 			*pos |= 0x80;
140 		pos++;
141 	}
142 
143 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
144 		count++;
145 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
146 	}
147 
148 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
149 		count++;
150 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
151 	}
152 
153 	if (h2e_required && count < 8) {
154 		count++;
155 		*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
156 	}
157 
158 	return pos;
159 }
160 
161 
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)162 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
163 {
164 	u8 *pos = eid;
165 	int i, num, count;
166 	int h2e_required;
167 
168 	if (hapd->iface->current_rates == NULL)
169 		return eid;
170 
171 	num = hapd->iface->num_rates;
172 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
173 		num++;
174 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
175 		num++;
176 	h2e_required = (hapd->conf->sae_pwe == 1 ||
177 			hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
178 		hapd->conf->sae_pwe != 3 &&
179 		wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
180 	if (h2e_required)
181 		num++;
182 	if (num <= 8)
183 		return eid;
184 	num -= 8;
185 
186 	*pos++ = WLAN_EID_EXT_SUPP_RATES;
187 	*pos++ = num;
188 	for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
189 	     i++) {
190 		count++;
191 		if (count <= 8)
192 			continue; /* already in SuppRates IE */
193 		*pos = hapd->iface->current_rates[i].rate / 5;
194 		if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
195 			*pos |= 0x80;
196 		pos++;
197 	}
198 
199 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
200 		count++;
201 		if (count > 8)
202 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
203 	}
204 
205 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
206 		count++;
207 		if (count > 8)
208 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
209 	}
210 
211 	if (h2e_required) {
212 		count++;
213 		if (count > 8)
214 			*pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
215 	}
216 
217 	return pos;
218 }
219 
220 
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)221 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
222 				  size_t len)
223 {
224 	size_t i;
225 
226 	for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
227 		if (hapd->conf->radio_measurements[i])
228 			break;
229 	}
230 
231 	if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
232 		return eid;
233 
234 	*eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
235 	*eid++ = RRM_CAPABILITIES_IE_LEN;
236 	os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
237 
238 	return eid + RRM_CAPABILITIES_IE_LEN;
239 }
240 
241 
hostapd_own_capab_info(struct hostapd_data * hapd)242 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
243 {
244 	int capab = WLAN_CAPABILITY_ESS;
245 	int privacy = 0;
246 	int dfs;
247 	int i;
248 
249 	/* Check if any of configured channels require DFS */
250 	dfs = hostapd_is_dfs_required(hapd->iface);
251 	if (dfs < 0) {
252 		wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
253 			   dfs);
254 		dfs = 0;
255 	}
256 
257 	if (hapd->iface->num_sta_no_short_preamble == 0 &&
258 	    hapd->iconf->preamble == SHORT_PREAMBLE)
259 		capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
260 
261 #ifdef CONFIG_WEP
262 	privacy = hapd->conf->ssid.wep.keys_set;
263 
264 	if (hapd->conf->ieee802_1x &&
265 	    (hapd->conf->default_wep_key_len ||
266 	     hapd->conf->individual_wep_key_len))
267 		privacy = 1;
268 #endif /* CONFIG_WEP */
269 
270 	if (hapd->conf->wpa)
271 		privacy = 1;
272 
273 #ifdef CONFIG_HS20
274 	if (hapd->conf->osen)
275 		privacy = 1;
276 #endif /* CONFIG_HS20 */
277 
278 	if (privacy)
279 		capab |= WLAN_CAPABILITY_PRIVACY;
280 
281 	if (hapd->iface->current_mode &&
282 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
283 	    hapd->iface->num_sta_no_short_slot_time == 0)
284 		capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
285 
286 	/*
287 	 * Currently, Spectrum Management capability bit is set when directly
288 	 * requested in configuration by spectrum_mgmt_required or when AP is
289 	 * running on DFS channel.
290 	 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
291 	 */
292 	if (hapd->iface->current_mode &&
293 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
294 	    (hapd->iconf->spectrum_mgmt_required || dfs))
295 		capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
296 
297 	for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
298 		if (hapd->conf->radio_measurements[i]) {
299 			capab |= IEEE80211_CAP_RRM;
300 			break;
301 		}
302 	}
303 
304 	return capab;
305 }
306 
307 
308 #ifdef CONFIG_WEP
309 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)310 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
311 			   u16 auth_transaction, const u8 *challenge,
312 			   int iswep)
313 {
314 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
315 		       HOSTAPD_LEVEL_DEBUG,
316 		       "authentication (shared key, transaction %d)",
317 		       auth_transaction);
318 
319 	if (auth_transaction == 1) {
320 		if (!sta->challenge) {
321 			/* Generate a pseudo-random challenge */
322 			u8 key[8];
323 
324 			sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
325 			if (sta->challenge == NULL)
326 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
327 
328 			if (os_get_random(key, sizeof(key)) < 0) {
329 				os_free(sta->challenge);
330 				sta->challenge = NULL;
331 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
332 			}
333 
334 			rc4_skip(key, sizeof(key), 0,
335 				 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
336 		}
337 		return 0;
338 	}
339 
340 	if (auth_transaction != 3)
341 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
342 
343 	/* Transaction 3 */
344 	if (!iswep || !sta->challenge || !challenge ||
345 	    os_memcmp_const(sta->challenge, challenge,
346 			    WLAN_AUTH_CHALLENGE_LEN)) {
347 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
348 			       HOSTAPD_LEVEL_INFO,
349 			       "shared key authentication - invalid "
350 			       "challenge-response");
351 		return WLAN_STATUS_CHALLENGE_FAIL;
352 	}
353 
354 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
355 		       HOSTAPD_LEVEL_DEBUG,
356 		       "authentication OK (shared key)");
357 	sta->flags |= WLAN_STA_AUTH;
358 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
359 	os_free(sta->challenge);
360 	sta->challenge = NULL;
361 
362 	return 0;
363 }
364 #endif /* CONFIG_NO_RC4 */
365 #endif /* CONFIG_WEP */
366 
367 
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)368 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
369 			   const u8 *dst, const u8 *bssid,
370 			   u16 auth_alg, u16 auth_transaction, u16 resp,
371 			   const u8 *ies, size_t ies_len, const char *dbg)
372 {
373 	struct ieee80211_mgmt *reply;
374 	u8 *buf;
375 	size_t rlen;
376 	int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
377 
378 	rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
379 	buf = os_zalloc(rlen);
380 	if (buf == NULL)
381 		return -1;
382 
383 	reply = (struct ieee80211_mgmt *) buf;
384 	reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
385 					    WLAN_FC_STYPE_AUTH);
386 	os_memcpy(reply->da, dst, ETH_ALEN);
387 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
388 	os_memcpy(reply->bssid, bssid, ETH_ALEN);
389 
390 	reply->u.auth.auth_alg = host_to_le16(auth_alg);
391 	reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
392 	reply->u.auth.status_code = host_to_le16(resp);
393 
394 	if (ies && ies_len)
395 		os_memcpy(reply->u.auth.variable, ies, ies_len);
396 
397 	wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
398 		   " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
399 		   MAC2STR(dst), auth_alg, auth_transaction,
400 		   resp, (unsigned long) ies_len, dbg);
401 #ifdef CONFIG_TESTING_OPTIONS
402 #ifdef CONFIG_SAE
403 	if (hapd->conf->sae_confirm_immediate == 2 &&
404 	    auth_alg == WLAN_AUTH_SAE) {
405 		if (auth_transaction == 1 && sta &&
406 		    (resp == WLAN_STATUS_SUCCESS ||
407 		     resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
408 		     resp == WLAN_STATUS_SAE_PK)) {
409 			wpa_printf(MSG_DEBUG,
410 				   "TESTING: Postpone SAE Commit transmission until Confirm is ready");
411 			os_free(sta->sae_postponed_commit);
412 			sta->sae_postponed_commit = buf;
413 			sta->sae_postponed_commit_len = rlen;
414 			return WLAN_STATUS_SUCCESS;
415 		}
416 
417 		if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
418 			wpa_printf(MSG_DEBUG,
419 				   "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
420 			if (hostapd_drv_send_mlme(hapd,
421 						  sta->sae_postponed_commit,
422 						  sta->sae_postponed_commit_len,
423 						  0, NULL, 0, 0) < 0)
424 				wpa_printf(MSG_INFO, "send_auth_reply: send failed");
425 			os_free(sta->sae_postponed_commit);
426 			sta->sae_postponed_commit = NULL;
427 			sta->sae_postponed_commit_len = 0;
428 		}
429 	}
430 #endif /* CONFIG_SAE */
431 #endif /* CONFIG_TESTING_OPTIONS */
432 	if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
433 		wpa_printf(MSG_INFO, "send_auth_reply: send failed");
434 	else
435 		reply_res = WLAN_STATUS_SUCCESS;
436 
437 	os_free(buf);
438 
439 	return reply_res;
440 }
441 
442 
443 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)444 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
445 				  u16 auth_transaction, u16 status,
446 				  const u8 *ies, size_t ies_len)
447 {
448 	struct hostapd_data *hapd = ctx;
449 	struct sta_info *sta;
450 	int reply_res;
451 
452 	reply_res = send_auth_reply(hapd, NULL, dst, bssid, WLAN_AUTH_FT,
453 				    auth_transaction, status, ies, ies_len,
454 				    "auth-ft-finish");
455 
456 	sta = ap_get_sta(hapd, dst);
457 	if (sta == NULL)
458 		return;
459 
460 	if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
461 				   status != WLAN_STATUS_SUCCESS)) {
462 		hostapd_drv_sta_remove(hapd, sta->addr);
463 		sta->added_unassoc = 0;
464 		return;
465 	}
466 
467 	if (status != WLAN_STATUS_SUCCESS)
468 		return;
469 
470 	hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
471 		       HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
472 	sta->flags |= WLAN_STA_AUTH;
473 	mlme_authenticate_indication(hapd, sta);
474 }
475 #endif /* CONFIG_IEEE80211R_AP */
476 
477 
478 #ifdef CONFIG_SAE
479 
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)480 static void sae_set_state(struct sta_info *sta, enum sae_state state,
481 			  const char *reason)
482 {
483 	wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
484 		   sae_state_txt(sta->sae->state), sae_state_txt(state),
485 		   MAC2STR(sta->addr), reason);
486 	sta->sae->state = state;
487 }
488 
489 
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)490 static const char * sae_get_password(struct hostapd_data *hapd,
491 				     struct sta_info *sta,
492 				     const char *rx_id,
493 				     struct sae_password_entry **pw_entry,
494 				     struct sae_pt **s_pt,
495 				     const struct sae_pk **s_pk)
496 {
497 	const char *password = NULL;
498 	struct sae_password_entry *pw;
499 	struct sae_pt *pt = NULL;
500 	const struct sae_pk *pk = NULL;
501 
502 	for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
503 		if (!is_broadcast_ether_addr(pw->peer_addr) &&
504 		    os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
505 			continue;
506 		if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
507 			continue;
508 		if (rx_id && pw->identifier &&
509 		    os_strcmp(rx_id, pw->identifier) != 0)
510 			continue;
511 		password = pw->password;
512 		pt = pw->pt;
513 		if (!(hapd->conf->mesh & MESH_ENABLED))
514 			pk = pw->pk;
515 		break;
516 	}
517 	if (!password) {
518 		password = hapd->conf->ssid.wpa_passphrase;
519 		pt = hapd->conf->ssid.pt;
520 	}
521 
522 	if (pw_entry)
523 		*pw_entry = pw;
524 	if (s_pt)
525 		*s_pt = pt;
526 	if (s_pk)
527 		*s_pk = pk;
528 
529 	return password;
530 }
531 
532 
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)533 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
534 					     struct sta_info *sta, int update,
535 					     int status_code)
536 {
537 	struct wpabuf *buf;
538 	const char *password = NULL;
539 	struct sae_password_entry *pw;
540 	const char *rx_id = NULL;
541 	int use_pt = 0;
542 	struct sae_pt *pt = NULL;
543 	const struct sae_pk *pk = NULL;
544 
545 	if (sta->sae->tmp) {
546 		rx_id = sta->sae->tmp->pw_id;
547 		use_pt = sta->sae->h2e;
548 #ifdef CONFIG_SAE_PK
549 		os_memcpy(sta->sae->tmp->own_addr, hapd->own_addr, ETH_ALEN);
550 		os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
551 #endif /* CONFIG_SAE_PK */
552 	}
553 
554 	if (rx_id && hapd->conf->sae_pwe != 3)
555 		use_pt = 1;
556 	else if (status_code == WLAN_STATUS_SUCCESS)
557 		use_pt = 0;
558 	else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
559 		 status_code == WLAN_STATUS_SAE_PK)
560 		use_pt = 1;
561 
562 	password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
563 	if (!password || (use_pt && !pt)) {
564 		wpa_printf(MSG_DEBUG, "SAE: No password available");
565 		return NULL;
566 	}
567 
568 	if (update && use_pt &&
569 	    sae_prepare_commit_pt(sta->sae, pt, hapd->own_addr, sta->addr,
570 				  NULL, pk) < 0)
571 		return NULL;
572 
573 	if (update && !use_pt &&
574 	    sae_prepare_commit(hapd->own_addr, sta->addr,
575 			       (u8 *) password, os_strlen(password), rx_id,
576 			       sta->sae) < 0) {
577 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
578 		return NULL;
579 	}
580 
581 	if (pw && pw->vlan_id) {
582 		if (!sta->sae->tmp) {
583 			wpa_printf(MSG_INFO,
584 				   "SAE: No temporary data allocated - cannot store VLAN ID");
585 			return NULL;
586 		}
587 		sta->sae->tmp->vlan_id = pw->vlan_id;
588 	}
589 
590 	buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
591 			   (rx_id ? 3 + os_strlen(rx_id) : 0));
592 	if (buf &&
593 	    sae_write_commit(sta->sae, buf, sta->sae->tmp ?
594 			     sta->sae->tmp->anti_clogging_token : NULL,
595 			     rx_id) < 0) {
596 		wpabuf_free(buf);
597 		buf = NULL;
598 	}
599 
600 	return buf;
601 }
602 
603 
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)604 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
605 					      struct sta_info *sta)
606 {
607 	struct wpabuf *buf;
608 
609 	buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
610 	if (buf == NULL)
611 		return NULL;
612 
613 #ifdef CONFIG_SAE_PK
614 #ifdef CONFIG_TESTING_OPTIONS
615 	if (sta->sae->tmp)
616 		sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
617 #endif /* CONFIG_TESTING_OPTIONS */
618 #endif /* CONFIG_SAE_PK */
619 
620 	if (sae_write_confirm(sta->sae, buf) < 0) {
621 		wpabuf_free(buf);
622 		return NULL;
623 	}
624 
625 	return buf;
626 }
627 
628 
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update,int status_code)629 static int auth_sae_send_commit(struct hostapd_data *hapd,
630 				struct sta_info *sta,
631 				const u8 *bssid, int update, int status_code)
632 {
633 	struct wpabuf *data;
634 	int reply_res;
635 	u16 status;
636 
637 	data = auth_build_sae_commit(hapd, sta, update, status_code);
638 	if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
639 		return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
640 	if (data == NULL)
641 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
642 
643 	if (sta->sae->tmp && sta->sae->pk)
644 		status = WLAN_STATUS_SAE_PK;
645 	else if (sta->sae->tmp && sta->sae->h2e)
646 		status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
647 	else
648 		status = WLAN_STATUS_SUCCESS;
649 #ifdef CONFIG_TESTING_OPTIONS
650 	if (hapd->conf->sae_commit_status >= 0 &&
651 	    hapd->conf->sae_commit_status != status) {
652 		wpa_printf(MSG_INFO,
653 			   "TESTING: Override SAE commit status code %u --> %d",
654 			   status, hapd->conf->sae_commit_status);
655 		status = hapd->conf->sae_commit_status;
656 	}
657 #endif /* CONFIG_TESTING_OPTIONS */
658 	reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
659 				    WLAN_AUTH_SAE, 1,
660 				    status, wpabuf_head(data),
661 				    wpabuf_len(data), "sae-send-commit");
662 
663 	wpabuf_free(data);
664 
665 	return reply_res;
666 }
667 
668 
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)669 static int auth_sae_send_confirm(struct hostapd_data *hapd,
670 				 struct sta_info *sta,
671 				 const u8 *bssid)
672 {
673 	struct wpabuf *data;
674 	int reply_res;
675 
676 	data = auth_build_sae_confirm(hapd, sta);
677 	if (data == NULL)
678 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
679 
680 	reply_res = send_auth_reply(hapd, sta, sta->addr, bssid,
681 				    WLAN_AUTH_SAE, 2,
682 				    WLAN_STATUS_SUCCESS, wpabuf_head(data),
683 				    wpabuf_len(data), "sae-send-confirm");
684 
685 	wpabuf_free(data);
686 
687 	return reply_res;
688 }
689 
690 
use_sae_anti_clogging(struct hostapd_data * hapd)691 static int use_sae_anti_clogging(struct hostapd_data *hapd)
692 {
693 	struct sta_info *sta;
694 	unsigned int open = 0;
695 
696 	if (hapd->conf->sae_anti_clogging_threshold == 0)
697 		return 1;
698 
699 	for (sta = hapd->sta_list; sta; sta = sta->next) {
700 		if (!sta->sae)
701 			continue;
702 		if (sta->sae->state != SAE_COMMITTED &&
703 		    sta->sae->state != SAE_CONFIRMED)
704 			continue;
705 		open++;
706 		if (open >= hapd->conf->sae_anti_clogging_threshold)
707 			return 1;
708 	}
709 
710 	/* In addition to already existing open SAE sessions, check whether
711 	 * there are enough pending commit messages in the processing queue to
712 	 * potentially result in too many open sessions. */
713 	if (open + dl_list_len(&hapd->sae_commit_queue) >=
714 	    hapd->conf->sae_anti_clogging_threshold)
715 		return 1;
716 
717 	return 0;
718 }
719 
720 
sae_token_hash(struct hostapd_data * hapd,const u8 * addr,u8 * idx)721 static int sae_token_hash(struct hostapd_data *hapd, const u8 *addr, u8 *idx)
722 {
723 	u8 hash[SHA256_MAC_LEN];
724 
725 	if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
726 			addr, ETH_ALEN, hash) < 0)
727 		return -1;
728 	*idx = hash[0];
729 	return 0;
730 }
731 
732 
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)733 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
734 			   const u8 *token, size_t token_len)
735 {
736 	u8 mac[SHA256_MAC_LEN];
737 	const u8 *addrs[2];
738 	size_t len[2];
739 	u16 token_idx;
740 	u8 idx;
741 
742 	if (token_len != SHA256_MAC_LEN || sae_token_hash(hapd, addr, &idx) < 0)
743 		return -1;
744 	token_idx = hapd->sae_pending_token_idx[idx];
745 	if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
746 		wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
747 			   MACSTR " - token_idx 0x%04x, expected 0x%04x",
748 			   MAC2STR(addr), WPA_GET_BE16(token), token_idx);
749 		return -1;
750 	}
751 
752 	addrs[0] = addr;
753 	len[0] = ETH_ALEN;
754 	addrs[1] = token;
755 	len[1] = 2;
756 	if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
757 			       2, addrs, len, mac) < 0 ||
758 	    os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
759 		return -1;
760 
761 	hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
762 
763 	return 0;
764 }
765 
766 
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr,int h2e)767 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
768 					    int group, const u8 *addr, int h2e)
769 {
770 	struct wpabuf *buf;
771 	u8 *token;
772 	struct os_reltime now;
773 	u8 idx[2];
774 	const u8 *addrs[2];
775 	size_t len[2];
776 	u8 p_idx;
777 	u16 token_idx;
778 
779 	os_get_reltime(&now);
780 	if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
781 	    os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
782 	    hapd->sae_token_idx == 0xffff) {
783 		if (random_get_bytes(hapd->sae_token_key,
784 				     sizeof(hapd->sae_token_key)) < 0)
785 			return NULL;
786 		wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
787 			    hapd->sae_token_key, sizeof(hapd->sae_token_key));
788 		hapd->last_sae_token_key_update = now;
789 		hapd->sae_token_idx = 0;
790 		os_memset(hapd->sae_pending_token_idx, 0,
791 			  sizeof(hapd->sae_pending_token_idx));
792 	}
793 
794 	buf = wpabuf_alloc(sizeof(le16) + 3 + SHA256_MAC_LEN);
795 	if (buf == NULL)
796 		return NULL;
797 
798 	wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
799 
800 	if (h2e) {
801 		/* Encapsulate Anti-clogging Token field in a container IE */
802 		wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
803 		wpabuf_put_u8(buf, 1 + SHA256_MAC_LEN);
804 		wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN);
805 	}
806 
807 	if (sae_token_hash(hapd, addr, &p_idx) < 0) {
808 		wpabuf_free(buf);
809 		return NULL;
810 	}
811 	token_idx = hapd->sae_pending_token_idx[p_idx];
812 	if (!token_idx) {
813 		hapd->sae_token_idx++;
814 		token_idx = hapd->sae_token_idx;
815 		hapd->sae_pending_token_idx[p_idx] = token_idx;
816 	}
817 	WPA_PUT_BE16(idx, token_idx);
818 	token = wpabuf_put(buf, SHA256_MAC_LEN);
819 	addrs[0] = addr;
820 	len[0] = ETH_ALEN;
821 	addrs[1] = idx;
822 	len[1] = sizeof(idx);
823 	if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
824 			       2, addrs, len, token) < 0) {
825 		wpabuf_free(buf);
826 		return NULL;
827 	}
828 	WPA_PUT_BE16(token, token_idx);
829 
830 	return buf;
831 }
832 
833 
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)834 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
835 {
836 	if (sta->sae->sync > hapd->conf->sae_sync) {
837 		sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
838 		sta->sae->sync = 0;
839 		return -1;
840 	}
841 	return 0;
842 }
843 
844 
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)845 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
846 {
847 	struct hostapd_data *hapd = eloop_ctx;
848 	struct sta_info *sta = eloop_data;
849 	int ret;
850 
851 	if (sae_check_big_sync(hapd, sta))
852 		return;
853 	sta->sae->sync++;
854 	wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
855 		   " (sync=%d state=%s)",
856 		   MAC2STR(sta->addr), sta->sae->sync,
857 		   sae_state_txt(sta->sae->state));
858 
859 	switch (sta->sae->state) {
860 	case SAE_COMMITTED:
861 		ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
862 		eloop_register_timeout(0,
863 				       hapd->dot11RSNASAERetransPeriod * 1000,
864 				       auth_sae_retransmit_timer, hapd, sta);
865 		break;
866 	case SAE_CONFIRMED:
867 		ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
868 		eloop_register_timeout(0,
869 				       hapd->dot11RSNASAERetransPeriod * 1000,
870 				       auth_sae_retransmit_timer, hapd, sta);
871 		break;
872 	default:
873 		ret = -1;
874 		break;
875 	}
876 
877 	if (ret != WLAN_STATUS_SUCCESS)
878 		wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
879 }
880 
881 
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)882 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
883 {
884 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
885 }
886 
887 
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)888 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
889 				     struct sta_info *sta)
890 {
891 	if (!(hapd->conf->mesh & MESH_ENABLED))
892 		return;
893 
894 	eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
895 	eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
896 			       auth_sae_retransmit_timer, hapd, sta);
897 }
898 
899 
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)900 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
901 					      struct sta_info *sta, u16 status)
902 {
903 	struct external_auth params;
904 
905 	os_memset(&params, 0, sizeof(params));
906 	params.status = status;
907 	params.bssid = sta->addr;
908 	if (status == WLAN_STATUS_SUCCESS && sta->sae &&
909 	    !hapd->conf->disable_pmksa_caching)
910 		params.pmkid = sta->sae->pmkid;
911 
912 	hostapd_drv_send_external_auth_status(hapd, &params);
913 }
914 
915 
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)916 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
917 {
918 #ifndef CONFIG_NO_VLAN
919 	struct vlan_description vlan_desc;
920 
921 	if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
922 		wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
923 			   " to VLAN ID %d",
924 			   MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
925 
926 		os_memset(&vlan_desc, 0, sizeof(vlan_desc));
927 		vlan_desc.notempty = 1;
928 		vlan_desc.untagged = sta->sae->tmp->vlan_id;
929 		if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
930 			wpa_printf(MSG_INFO,
931 				   "Invalid VLAN ID %d in sae_password",
932 				   sta->sae->tmp->vlan_id);
933 			return;
934 		}
935 
936 		if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
937 		    ap_sta_bind_vlan(hapd, sta) < 0) {
938 			wpa_printf(MSG_INFO,
939 				   "Failed to assign VLAN ID %d from sae_password to "
940 				   MACSTR, sta->sae->tmp->vlan_id,
941 				   MAC2STR(sta->addr));
942 			return;
943 		}
944 	}
945 #endif /* CONFIG_NO_VLAN */
946 
947 	sta->flags |= WLAN_STA_AUTH;
948 	sta->auth_alg = WLAN_AUTH_SAE;
949 	mlme_authenticate_indication(hapd, sta);
950 	wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
951 	sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
952 	crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
953 	sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
954 	sta->sae->peer_commit_scalar = NULL;
955 	wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
956 			       sta->sae->pmk, sta->sae->pmkid);
957 	sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
958 }
959 
960 
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)961 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
962 		       const u8 *bssid, u16 auth_transaction, u16 status_code,
963 		       int allow_reuse, int *sta_removed)
964 {
965 	int ret;
966 
967 	*sta_removed = 0;
968 
969 	if (auth_transaction != 1 && auth_transaction != 2)
970 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
971 
972 	wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
973 		   MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
974 		   auth_transaction);
975 	switch (sta->sae->state) {
976 	case SAE_NOTHING:
977 		if (auth_transaction == 1) {
978 			if (sta->sae->tmp) {
979 				sta->sae->h2e =
980 					(status_code ==
981 					 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
982 					 status_code == WLAN_STATUS_SAE_PK);
983 				sta->sae->pk =
984 					status_code == WLAN_STATUS_SAE_PK;
985 			}
986 			ret = auth_sae_send_commit(hapd, sta, bssid,
987 						   !allow_reuse, status_code);
988 			if (ret)
989 				return ret;
990 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
991 
992 			if (sae_process_commit(sta->sae) < 0)
993 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
994 
995 			/*
996 			 * In mesh case, both Commit and Confirm are sent
997 			 * immediately. In infrastructure BSS, by default, only
998 			 * a single Authentication frame (Commit) is expected
999 			 * from the AP here and the second one (Confirm) will
1000 			 * be sent once the STA has sent its second
1001 			 * Authentication frame (Confirm). This behavior can be
1002 			 * overridden with explicit configuration so that the
1003 			 * infrastructure BSS case sends both frames together.
1004 			 */
1005 			if ((hapd->conf->mesh & MESH_ENABLED) ||
1006 			    hapd->conf->sae_confirm_immediate) {
1007 				/*
1008 				 * Send both Commit and Confirm immediately
1009 				 * based on SAE finite state machine
1010 				 * Nothing -> Confirm transition.
1011 				 */
1012 				ret = auth_sae_send_confirm(hapd, sta, bssid);
1013 				if (ret)
1014 					return ret;
1015 				sae_set_state(sta, SAE_CONFIRMED,
1016 					      "Sent Confirm (mesh)");
1017 			} else {
1018 				/*
1019 				 * For infrastructure BSS, send only the Commit
1020 				 * message now to get alternating sequence of
1021 				 * Authentication frames between the AP and STA.
1022 				 * Confirm will be sent in
1023 				 * Committed -> Confirmed/Accepted transition
1024 				 * when receiving Confirm from STA.
1025 				 */
1026 			}
1027 			sta->sae->sync = 0;
1028 			sae_set_retransmit_timer(hapd, sta);
1029 		} else {
1030 			hostapd_logger(hapd, sta->addr,
1031 				       HOSTAPD_MODULE_IEEE80211,
1032 				       HOSTAPD_LEVEL_DEBUG,
1033 				       "SAE confirm before commit");
1034 		}
1035 		break;
1036 	case SAE_COMMITTED:
1037 		sae_clear_retransmit_timer(hapd, sta);
1038 		if (auth_transaction == 1) {
1039 			if (sae_process_commit(sta->sae) < 0)
1040 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1041 
1042 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1043 			if (ret)
1044 				return ret;
1045 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1046 			sta->sae->sync = 0;
1047 			sae_set_retransmit_timer(hapd, sta);
1048 		} else if (hapd->conf->mesh & MESH_ENABLED) {
1049 			/*
1050 			 * In mesh case, follow SAE finite state machine and
1051 			 * send Commit now, if sync count allows.
1052 			 */
1053 			if (sae_check_big_sync(hapd, sta))
1054 				return WLAN_STATUS_SUCCESS;
1055 			sta->sae->sync++;
1056 
1057 			ret = auth_sae_send_commit(hapd, sta, bssid, 0,
1058 						   status_code);
1059 			if (ret)
1060 				return ret;
1061 
1062 			sae_set_retransmit_timer(hapd, sta);
1063 		} else {
1064 			/*
1065 			 * For instructure BSS, send the postponed Confirm from
1066 			 * Nothing -> Confirmed transition that was reduced to
1067 			 * Nothing -> Committed above.
1068 			 */
1069 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1070 			if (ret)
1071 				return ret;
1072 
1073 			sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1074 
1075 			/*
1076 			 * Since this was triggered on Confirm RX, run another
1077 			 * step to get to Accepted without waiting for
1078 			 * additional events.
1079 			 */
1080 			return sae_sm_step(hapd, sta, bssid, auth_transaction,
1081 					   WLAN_STATUS_SUCCESS, 0, sta_removed);
1082 		}
1083 		break;
1084 	case SAE_CONFIRMED:
1085 		sae_clear_retransmit_timer(hapd, sta);
1086 		if (auth_transaction == 1) {
1087 			if (sae_check_big_sync(hapd, sta))
1088 				return WLAN_STATUS_SUCCESS;
1089 			sta->sae->sync++;
1090 
1091 			ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1092 						   status_code);
1093 			if (ret)
1094 				return ret;
1095 
1096 			if (sae_process_commit(sta->sae) < 0)
1097 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1098 
1099 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1100 			if (ret)
1101 				return ret;
1102 
1103 			sae_set_retransmit_timer(hapd, sta);
1104 		} else {
1105 			sta->sae->send_confirm = 0xffff;
1106 			sae_accept_sta(hapd, sta);
1107 		}
1108 		break;
1109 	case SAE_ACCEPTED:
1110 		if (auth_transaction == 1 &&
1111 		    (hapd->conf->mesh & MESH_ENABLED)) {
1112 			wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1113 				   ") doing reauthentication",
1114 				   MAC2STR(sta->addr));
1115 			wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1116 			ap_free_sta(hapd, sta);
1117 			*sta_removed = 1;
1118 		} else if (auth_transaction == 1) {
1119 			wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1120 			ret = auth_sae_send_commit(hapd, sta, bssid, 1,
1121 						   status_code);
1122 			if (ret)
1123 				return ret;
1124 			sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1125 
1126 			if (sae_process_commit(sta->sae) < 0)
1127 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
1128 			sta->sae->sync = 0;
1129 			sae_set_retransmit_timer(hapd, sta);
1130 		} else {
1131 			if (sae_check_big_sync(hapd, sta))
1132 				return WLAN_STATUS_SUCCESS;
1133 			sta->sae->sync++;
1134 
1135 			ret = auth_sae_send_confirm(hapd, sta, bssid);
1136 			sae_clear_temp_data(sta->sae);
1137 			if (ret)
1138 				return ret;
1139 		}
1140 		break;
1141 	default:
1142 		wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1143 			   sta->sae->state);
1144 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1145 	}
1146 	return WLAN_STATUS_SUCCESS;
1147 }
1148 
1149 
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1150 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1151 {
1152 	struct sae_data *sae = sta->sae;
1153 	int i, *groups = hapd->conf->sae_groups;
1154 	int default_groups[] = { 19, 0 };
1155 
1156 	if (sae->state != SAE_COMMITTED)
1157 		return;
1158 
1159 	wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1160 
1161 	if (!groups)
1162 		groups = default_groups;
1163 	for (i = 0; groups[i] > 0; i++) {
1164 		if (sae->group == groups[i])
1165 			break;
1166 	}
1167 
1168 	if (groups[i] <= 0) {
1169 		wpa_printf(MSG_DEBUG,
1170 			   "SAE: Previously selected group not found from the current configuration");
1171 		return;
1172 	}
1173 
1174 	for (;;) {
1175 		i++;
1176 		if (groups[i] <= 0) {
1177 			wpa_printf(MSG_DEBUG,
1178 				   "SAE: No alternative group enabled");
1179 			return;
1180 		}
1181 
1182 		if (sae_set_group(sae, groups[i]) < 0)
1183 			continue;
1184 
1185 		break;
1186 	}
1187 	wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1188 }
1189 
1190 
sae_status_success(struct hostapd_data * hapd,u16 status_code)1191 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1192 {
1193 	int sae_pwe = hapd->conf->sae_pwe;
1194 	int id_in_use;
1195 	bool sae_pk = false;
1196 
1197 	id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1198 	if (id_in_use == 2 && sae_pwe != 3)
1199 		sae_pwe = 1;
1200 	else if (id_in_use == 1 && sae_pwe == 0)
1201 		sae_pwe = 2;
1202 #ifdef CONFIG_SAE_PK
1203 	sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1204 	if (sae_pwe == 0 && sae_pk)
1205 		sae_pwe = 2;
1206 #endif /* CONFIG_SAE_PK */
1207 
1208 	return ((sae_pwe == 0 || sae_pwe == 3) &&
1209 		status_code == WLAN_STATUS_SUCCESS) ||
1210 		(sae_pwe == 1 &&
1211 		 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1212 		  (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1213 		(sae_pwe == 2 &&
1214 		 (status_code == WLAN_STATUS_SUCCESS ||
1215 		  status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1216 		  (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1217 }
1218 
1219 
sae_is_group_enabled(struct hostapd_data * hapd,int group)1220 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1221 {
1222 	int *groups = hapd->conf->sae_groups;
1223 	int default_groups[] = { 19, 0 };
1224 	int i;
1225 
1226 	if (!groups)
1227 		groups = default_groups;
1228 
1229 	for (i = 0; groups[i] > 0; i++) {
1230 		if (groups[i] == group)
1231 			return 1;
1232 	}
1233 
1234 	return 0;
1235 }
1236 
1237 
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1238 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1239 				     struct sae_data *sae)
1240 {
1241 	const struct wpabuf *groups;
1242 	size_t i, count;
1243 	const u8 *pos;
1244 
1245 	if (!sae->tmp)
1246 		return 0;
1247 	groups = sae->tmp->peer_rejected_groups;
1248 	if (!groups)
1249 		return 0;
1250 
1251 	pos = wpabuf_head(groups);
1252 	count = wpabuf_len(groups) / 2;
1253 	for (i = 0; i < count; i++) {
1254 		int enabled;
1255 		u16 group;
1256 
1257 		group = WPA_GET_LE16(pos);
1258 		pos += 2;
1259 		enabled = sae_is_group_enabled(hapd, group);
1260 		wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1261 			   group, enabled ? "enabled" : "disabled");
1262 		if (enabled)
1263 			return 1;
1264 	}
1265 
1266 	return 0;
1267 }
1268 
1269 
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1270 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1271 			    const struct ieee80211_mgmt *mgmt, size_t len,
1272 			    u16 auth_transaction, u16 status_code)
1273 {
1274 	int resp = WLAN_STATUS_SUCCESS;
1275 	struct wpabuf *data = NULL;
1276 	int *groups = hapd->conf->sae_groups;
1277 	int default_groups[] = { 19, 0 };
1278 	const u8 *pos, *end;
1279 	int sta_removed = 0;
1280 	bool success_status;
1281 
1282 	if (!groups)
1283 		groups = default_groups;
1284 
1285 #ifdef CONFIG_TESTING_OPTIONS
1286 	if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1287 		wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1288 		pos = mgmt->u.auth.variable;
1289 		end = ((const u8 *) mgmt) + len;
1290 		resp = status_code;
1291 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1292 				auth_transaction, resp, pos, end - pos,
1293 				"auth-sae-reflection-attack");
1294 		goto remove_sta;
1295 	}
1296 
1297 	if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1298 		wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1299 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1300 				auth_transaction, resp,
1301 				wpabuf_head(hapd->conf->sae_commit_override),
1302 				wpabuf_len(hapd->conf->sae_commit_override),
1303 				"sae-commit-override");
1304 		goto remove_sta;
1305 	}
1306 #endif /* CONFIG_TESTING_OPTIONS */
1307 	if (!sta->sae) {
1308 		if (auth_transaction != 1 ||
1309 		    !sae_status_success(hapd, status_code)) {
1310 			wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1311 				   status_code);
1312 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1313 			goto reply;
1314 		}
1315 		sta->sae = os_zalloc(sizeof(*sta->sae));
1316 		if (!sta->sae) {
1317 			resp = -1;
1318 			goto remove_sta;
1319 		}
1320 		sae_set_state(sta, SAE_NOTHING, "Init");
1321 		sta->sae->sync = 0;
1322 	}
1323 
1324 	if (sta->mesh_sae_pmksa_caching) {
1325 		wpa_printf(MSG_DEBUG,
1326 			   "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1327 		wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1328 		sta->mesh_sae_pmksa_caching = 0;
1329 	}
1330 
1331 	if (auth_transaction == 1) {
1332 		const u8 *token = NULL;
1333 		size_t token_len = 0;
1334 		int allow_reuse = 0;
1335 
1336 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1337 			       HOSTAPD_LEVEL_DEBUG,
1338 			       "start SAE authentication (RX commit, status=%u (%s))",
1339 			       status_code, status2str(status_code));
1340 
1341 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1342 		    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1343 		    sta->sae->tmp) {
1344 			pos = mgmt->u.auth.variable;
1345 			end = ((const u8 *) mgmt) + len;
1346 			if (pos + sizeof(le16) > end) {
1347 				wpa_printf(MSG_ERROR,
1348 					   "SAE: Too short anti-clogging token request");
1349 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1350 				goto reply;
1351 			}
1352 			resp = sae_group_allowed(sta->sae, groups,
1353 						 WPA_GET_LE16(pos));
1354 			if (resp != WLAN_STATUS_SUCCESS) {
1355 				wpa_printf(MSG_ERROR,
1356 					   "SAE: Invalid group in anti-clogging token request");
1357 				goto reply;
1358 			}
1359 			pos += sizeof(le16);
1360 
1361 			wpabuf_free(sta->sae->tmp->anti_clogging_token);
1362 			sta->sae->tmp->anti_clogging_token =
1363 				wpabuf_alloc_copy(pos, end - pos);
1364 			if (sta->sae->tmp->anti_clogging_token == NULL) {
1365 				wpa_printf(MSG_ERROR,
1366 					   "SAE: Failed to alloc for anti-clogging token");
1367 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1368 				goto remove_sta;
1369 			}
1370 
1371 			/*
1372 			 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1373 			 * is 76, a new Commit Message shall be constructed
1374 			 * with the Anti-Clogging Token from the received
1375 			 * Authentication frame, and the commit-scalar and
1376 			 * COMMIT-ELEMENT previously sent.
1377 			 */
1378 			resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0,
1379 						    status_code);
1380 			if (resp != WLAN_STATUS_SUCCESS) {
1381 				wpa_printf(MSG_ERROR,
1382 					   "SAE: Failed to send commit message");
1383 				goto remove_sta;
1384 			}
1385 			sae_set_state(sta, SAE_COMMITTED,
1386 				      "Sent Commit (anti-clogging token case in mesh)");
1387 			sta->sae->sync = 0;
1388 			sae_set_retransmit_timer(hapd, sta);
1389 			return;
1390 		}
1391 
1392 		if ((hapd->conf->mesh & MESH_ENABLED) &&
1393 		    status_code ==
1394 		    WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1395 		    sta->sae->tmp) {
1396 			wpa_printf(MSG_DEBUG,
1397 				   "SAE: Peer did not accept our SAE group");
1398 			sae_pick_next_group(hapd, sta);
1399 			goto remove_sta;
1400 		}
1401 
1402 		if (!sae_status_success(hapd, status_code))
1403 			goto remove_sta;
1404 
1405 		if (!(hapd->conf->mesh & MESH_ENABLED) &&
1406 		    sta->sae->state == SAE_COMMITTED) {
1407 			/* This is needed in the infrastructure BSS case to
1408 			 * address a sequence where a STA entry may remain in
1409 			 * hostapd across two attempts to do SAE authentication
1410 			 * by the same STA. The second attempt may end up trying
1411 			 * to use a different group and that would not be
1412 			 * allowed if we remain in Committed state with the
1413 			 * previously set parameters. */
1414 			pos = mgmt->u.auth.variable;
1415 			end = ((const u8 *) mgmt) + len;
1416 			if (end - pos >= (int) sizeof(le16) &&
1417 			    sae_group_allowed(sta->sae, groups,
1418 					      WPA_GET_LE16(pos)) ==
1419 			    WLAN_STATUS_SUCCESS) {
1420 				/* Do not waste resources deriving the same PWE
1421 				 * again since the same group is reused. */
1422 				sae_set_state(sta, SAE_NOTHING,
1423 					      "Allow previous PWE to be reused");
1424 				allow_reuse = 1;
1425 			} else {
1426 				sae_set_state(sta, SAE_NOTHING,
1427 					      "Clear existing state to allow restart");
1428 				sae_clear_data(sta->sae);
1429 			}
1430 		}
1431 
1432 		resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1433 					((const u8 *) mgmt) + len -
1434 					mgmt->u.auth.variable, &token,
1435 					&token_len, groups, status_code ==
1436 					WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1437 					status_code == WLAN_STATUS_SAE_PK);
1438 		if (resp == SAE_SILENTLY_DISCARD) {
1439 			wpa_printf(MSG_DEBUG,
1440 				   "SAE: Drop commit message from " MACSTR " due to reflection attack",
1441 				   MAC2STR(sta->addr));
1442 			goto remove_sta;
1443 		}
1444 
1445 		if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1446 			wpa_msg(hapd->msg_ctx, MSG_INFO,
1447 				WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1448 				MACSTR, MAC2STR(sta->addr));
1449 			sae_clear_retransmit_timer(hapd, sta);
1450 			sae_set_state(sta, SAE_NOTHING,
1451 				      "Unknown Password Identifier");
1452 			goto remove_sta;
1453 		}
1454 
1455 		if (token && check_sae_token(hapd, sta->addr, token, token_len)
1456 		    < 0) {
1457 			wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1458 				   "incorrect token from " MACSTR,
1459 				   MAC2STR(sta->addr));
1460 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1461 			goto remove_sta;
1462 		}
1463 
1464 		if (resp != WLAN_STATUS_SUCCESS)
1465 			goto reply;
1466 
1467 		if (check_sae_rejected_groups(hapd, sta->sae)) {
1468 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1469 			goto reply;
1470 		}
1471 
1472 		if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1473 			int h2e = 0;
1474 
1475 			wpa_printf(MSG_DEBUG,
1476 				   "SAE: Request anti-clogging token from "
1477 				   MACSTR, MAC2STR(sta->addr));
1478 			if (sta->sae->tmp)
1479 				h2e = sta->sae->h2e;
1480 			if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1481 			    status_code == WLAN_STATUS_SAE_PK)
1482 				h2e = 1;
1483 			data = auth_build_token_req(hapd, sta->sae->group,
1484 						    sta->addr, h2e);
1485 			resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1486 			if (hapd->conf->mesh & MESH_ENABLED)
1487 				sae_set_state(sta, SAE_NOTHING,
1488 					      "Request anti-clogging token case in mesh");
1489 			goto reply;
1490 		}
1491 
1492 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1493 				   status_code, allow_reuse, &sta_removed);
1494 	} else if (auth_transaction == 2) {
1495 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1496 			       HOSTAPD_LEVEL_DEBUG,
1497 			       "SAE authentication (RX confirm, status=%u (%s))",
1498 			       status_code, status2str(status_code));
1499 		if (status_code != WLAN_STATUS_SUCCESS)
1500 			goto remove_sta;
1501 		if (sta->sae->state >= SAE_CONFIRMED ||
1502 		    !(hapd->conf->mesh & MESH_ENABLED)) {
1503 			const u8 *var;
1504 			size_t var_len;
1505 			u16 peer_send_confirm;
1506 
1507 			var = mgmt->u.auth.variable;
1508 			var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1509 			if (var_len < 2) {
1510 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1511 				goto reply;
1512 			}
1513 
1514 			peer_send_confirm = WPA_GET_LE16(var);
1515 
1516 			if (sta->sae->state == SAE_ACCEPTED &&
1517 			    (peer_send_confirm <= sta->sae->rc ||
1518 			     peer_send_confirm == 0xffff)) {
1519 				wpa_printf(MSG_DEBUG,
1520 					   "SAE: Silently ignore unexpected Confirm from peer "
1521 					   MACSTR
1522 					   " (peer-send-confirm=%u Rc=%u)",
1523 					   MAC2STR(sta->addr),
1524 					   peer_send_confirm, sta->sae->rc);
1525 				return;
1526 			}
1527 
1528 			if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1529 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1530 				goto reply;
1531 			}
1532 			sta->sae->rc = peer_send_confirm;
1533 		}
1534 		resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1535 				   status_code, 0, &sta_removed);
1536 	} else {
1537 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1538 			       HOSTAPD_LEVEL_DEBUG,
1539 			       "unexpected SAE authentication transaction %u (status=%u (%s))",
1540 			       auth_transaction, status_code,
1541 			       status2str(status_code));
1542 		if (status_code != WLAN_STATUS_SUCCESS)
1543 			goto remove_sta;
1544 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1545 	}
1546 
1547 reply:
1548 	if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1549 		pos = mgmt->u.auth.variable;
1550 		end = ((const u8 *) mgmt) + len;
1551 
1552 		/* Copy the Finite Cyclic Group field from the request if we
1553 		 * rejected it as unsupported group. */
1554 		if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1555 		    !data && end - pos >= 2)
1556 			data = wpabuf_alloc_copy(pos, 2);
1557 
1558 		sae_sme_send_external_auth_status(hapd, sta, resp);
1559 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1560 				auth_transaction, resp,
1561 				data ? wpabuf_head(data) : (u8 *) "",
1562 				data ? wpabuf_len(data) : 0, "auth-sae");
1563 	}
1564 
1565 remove_sta:
1566 	if (auth_transaction == 1)
1567 		success_status = sae_status_success(hapd, status_code);
1568 	else
1569 		success_status = status_code == WLAN_STATUS_SUCCESS;
1570 	if (!sta_removed && sta->added_unassoc &&
1571 	    (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1572 		hostapd_drv_sta_remove(hapd, sta->addr);
1573 		sta->added_unassoc = 0;
1574 	}
1575 	wpabuf_free(data);
1576 }
1577 
1578 
1579 /**
1580  * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1581  * @hapd: BSS data for the device initiating the authentication
1582  * @sta: the peer to which commit authentication frame is sent
1583  *
1584  * This function implements Init event handling (IEEE Std 802.11-2012,
1585  * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1586  * sta->sae structure should be initialized appropriately via a call to
1587  * sae_prepare_commit().
1588  */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1589 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1590 {
1591 	int ret;
1592 
1593 	if (!sta->sae || !sta->sae->tmp)
1594 		return -1;
1595 
1596 	if (sta->sae->state != SAE_NOTHING)
1597 		return -1;
1598 
1599 	ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0, -1);
1600 	if (ret)
1601 		return -1;
1602 
1603 	sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1604 	sta->sae->sync = 0;
1605 	sae_set_retransmit_timer(hapd, sta);
1606 
1607 	return 0;
1608 }
1609 
1610 
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1611 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1612 {
1613 	struct hostapd_data *hapd = eloop_ctx;
1614 	struct hostapd_sae_commit_queue *q;
1615 	unsigned int queue_len;
1616 
1617 	q = dl_list_first(&hapd->sae_commit_queue,
1618 			  struct hostapd_sae_commit_queue, list);
1619 	if (!q)
1620 		return;
1621 	wpa_printf(MSG_DEBUG,
1622 		   "SAE: Process next available message from queue");
1623 	dl_list_del(&q->list);
1624 	handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1625 		    q->rssi, 1);
1626 	os_free(q);
1627 
1628 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1629 		return;
1630 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1631 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1632 			       hapd, NULL);
1633 }
1634 
1635 
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1636 static void auth_sae_queue(struct hostapd_data *hapd,
1637 			   const struct ieee80211_mgmt *mgmt, size_t len,
1638 			   int rssi)
1639 {
1640 	struct hostapd_sae_commit_queue *q, *q2;
1641 	unsigned int queue_len;
1642 	const struct ieee80211_mgmt *mgmt2;
1643 
1644 	queue_len = dl_list_len(&hapd->sae_commit_queue);
1645 	if (queue_len >= 15) {
1646 		wpa_printf(MSG_DEBUG,
1647 			   "SAE: No more room in message queue - drop the new frame from "
1648 			   MACSTR, MAC2STR(mgmt->sa));
1649 		return;
1650 	}
1651 
1652 	wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1653 		   MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1654 		   queue_len);
1655 	q = os_zalloc(sizeof(*q) + len);
1656 	if (!q)
1657 		return;
1658 	q->rssi = rssi;
1659 	q->len = len;
1660 	os_memcpy(q->msg, mgmt, len);
1661 
1662 	/* Check whether there is already a queued Authentication frame from the
1663 	 * same station with the same transaction number and if so, replace that
1664 	 * queue entry with the new one. This avoids issues with a peer that
1665 	 * sends multiple times (e.g., due to frequent SAE retries). There is no
1666 	 * point in us trying to process the old attempts after a new one has
1667 	 * obsoleted them. */
1668 	dl_list_for_each(q2, &hapd->sae_commit_queue,
1669 			 struct hostapd_sae_commit_queue, list) {
1670 		mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1671 		if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1672 		    mgmt->u.auth.auth_transaction ==
1673 		    mgmt2->u.auth.auth_transaction) {
1674 			wpa_printf(MSG_DEBUG,
1675 				   "SAE: Replace queued message from same STA with same transaction number");
1676 			dl_list_add(&q2->list, &q->list);
1677 			dl_list_del(&q2->list);
1678 			os_free(q2);
1679 			goto queued;
1680 		}
1681 	}
1682 
1683 	/* No pending identical entry, so add to the end of the queue */
1684 	dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1685 
1686 queued:
1687 	if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1688 		return;
1689 	eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1690 			       hapd, NULL);
1691 }
1692 
1693 
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1694 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1695 {
1696 	struct hostapd_sae_commit_queue *q;
1697 	const struct ieee80211_mgmt *mgmt;
1698 
1699 	dl_list_for_each(q, &hapd->sae_commit_queue,
1700 			 struct hostapd_sae_commit_queue, list) {
1701 		mgmt = (const struct ieee80211_mgmt *) q->msg;
1702 		if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1703 			return 1;
1704 	}
1705 
1706 	return 0;
1707 }
1708 
1709 #endif /* CONFIG_SAE */
1710 
1711 
wpa_res_to_status_code(enum wpa_validate_result res)1712 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1713 {
1714 	switch (res) {
1715 	case WPA_IE_OK:
1716 		return WLAN_STATUS_SUCCESS;
1717 	case WPA_INVALID_IE:
1718 		return WLAN_STATUS_INVALID_IE;
1719 	case WPA_INVALID_GROUP:
1720 		return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1721 	case WPA_INVALID_PAIRWISE:
1722 		return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1723 	case WPA_INVALID_AKMP:
1724 		return WLAN_STATUS_AKMP_NOT_VALID;
1725 	case WPA_NOT_ENABLED:
1726 		return WLAN_STATUS_INVALID_IE;
1727 	case WPA_ALLOC_FAIL:
1728 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1729 	case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1730 		return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1731 	case WPA_INVALID_MGMT_GROUP_CIPHER:
1732 		return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1733 	case WPA_INVALID_MDIE:
1734 		return WLAN_STATUS_INVALID_MDIE;
1735 	case WPA_INVALID_PROTO:
1736 		return WLAN_STATUS_INVALID_IE;
1737 	case WPA_INVALID_PMKID:
1738 		return WLAN_STATUS_INVALID_PMKID;
1739 	case WPA_DENIED_OTHER_REASON:
1740 		return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1741 	}
1742 	return WLAN_STATUS_INVALID_IE;
1743 }
1744 
1745 
1746 #ifdef CONFIG_FILS
1747 
1748 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1749 				    struct sta_info *sta, u16 resp,
1750 				    struct wpabuf *data, int pub);
1751 
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1752 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1753 		      const u8 *pos, size_t len, u16 auth_alg,
1754 		      u16 auth_transaction, u16 status_code,
1755 		      void (*cb)(struct hostapd_data *hapd,
1756 				 struct sta_info *sta, u16 resp,
1757 				 struct wpabuf *data, int pub))
1758 {
1759 	u16 resp = WLAN_STATUS_SUCCESS;
1760 	const u8 *end;
1761 	struct ieee802_11_elems elems;
1762 	enum wpa_validate_result res;
1763 	struct wpa_ie_data rsn;
1764 	struct rsn_pmksa_cache_entry *pmksa = NULL;
1765 
1766 	if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1767 		return;
1768 
1769 	end = pos + len;
1770 
1771 	wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1772 		    pos, end - pos);
1773 
1774 	/* TODO: FILS PK */
1775 #ifdef CONFIG_FILS_SK_PFS
1776 	if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1777 		u16 group;
1778 		struct wpabuf *pub;
1779 		size_t elem_len;
1780 
1781 		/* Using FILS PFS */
1782 
1783 		/* Finite Cyclic Group */
1784 		if (end - pos < 2) {
1785 			wpa_printf(MSG_DEBUG,
1786 				   "FILS: No room for Finite Cyclic Group");
1787 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1788 			goto fail;
1789 		}
1790 		group = WPA_GET_LE16(pos);
1791 		pos += 2;
1792 		if (group != hapd->conf->fils_dh_group) {
1793 			wpa_printf(MSG_DEBUG,
1794 				   "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1795 				   group, hapd->conf->fils_dh_group);
1796 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1797 			goto fail;
1798 		}
1799 
1800 		crypto_ecdh_deinit(sta->fils_ecdh);
1801 		sta->fils_ecdh = crypto_ecdh_init(group);
1802 		if (!sta->fils_ecdh) {
1803 			wpa_printf(MSG_INFO,
1804 				   "FILS: Could not initialize ECDH with group %d",
1805 				   group);
1806 			resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1807 			goto fail;
1808 		}
1809 
1810 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1811 		if (!pub) {
1812 			wpa_printf(MSG_DEBUG,
1813 				   "FILS: Failed to derive ECDH public key");
1814 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1815 			goto fail;
1816 		}
1817 		elem_len = wpabuf_len(pub);
1818 		wpabuf_free(pub);
1819 
1820 		/* Element */
1821 		if ((size_t) (end - pos) < elem_len) {
1822 			wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1823 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1824 			goto fail;
1825 		}
1826 
1827 		wpabuf_free(sta->fils_g_sta);
1828 		sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1829 		wpabuf_clear_free(sta->fils_dh_ss);
1830 		sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1831 							  pos, elem_len);
1832 		if (!sta->fils_dh_ss) {
1833 			wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1834 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1835 			goto fail;
1836 		}
1837 		wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1838 		pos += elem_len;
1839 	} else {
1840 		crypto_ecdh_deinit(sta->fils_ecdh);
1841 		sta->fils_ecdh = NULL;
1842 		wpabuf_clear_free(sta->fils_dh_ss);
1843 		sta->fils_dh_ss = NULL;
1844 	}
1845 #endif /* CONFIG_FILS_SK_PFS */
1846 
1847 	wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1848 	if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1849 		wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1850 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1851 		goto fail;
1852 	}
1853 
1854 	/* RSNE */
1855 	wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1856 		    elems.rsn_ie, elems.rsn_ie_len);
1857 	if (!elems.rsn_ie ||
1858 	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1859 				 &rsn) < 0) {
1860 		wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1861 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1862 		goto fail;
1863 	}
1864 
1865 	if (!sta->wpa_sm)
1866 		sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1867 						NULL);
1868 	if (!sta->wpa_sm) {
1869 		wpa_printf(MSG_DEBUG,
1870 			   "FILS: Failed to initialize RSN state machine");
1871 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1872 		goto fail;
1873 	}
1874 
1875 	res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1876 				  hapd->iface->freq,
1877 				  elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1878 				  elems.rsnxe ? elems.rsnxe - 2 : NULL,
1879 				  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1880 				  elems.mdie, elems.mdie_len, NULL, 0);
1881 	resp = wpa_res_to_status_code(res);
1882 	if (resp != WLAN_STATUS_SUCCESS)
1883 		goto fail;
1884 
1885 	if (!elems.fils_nonce) {
1886 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1887 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1888 		goto fail;
1889 	}
1890 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1891 		    FILS_NONCE_LEN);
1892 	os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1893 
1894 	/* PMKID List */
1895 	if (rsn.pmkid && rsn.num_pmkid > 0) {
1896 		u8 num;
1897 		const u8 *pmkid;
1898 
1899 		wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1900 			    rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1901 
1902 		pmkid = rsn.pmkid;
1903 		num = rsn.num_pmkid;
1904 		while (num) {
1905 			wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1906 			pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1907 						   pmkid);
1908 			if (pmksa)
1909 				break;
1910 			pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1911 								 sta->addr,
1912 								 pmkid);
1913 			if (pmksa)
1914 				break;
1915 			pmkid += PMKID_LEN;
1916 			num--;
1917 		}
1918 	}
1919 	if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1920 		wpa_printf(MSG_DEBUG,
1921 			   "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1922 			   wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1923 		pmksa = NULL;
1924 	}
1925 	if (pmksa)
1926 		wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1927 
1928 	/* FILS Session */
1929 	if (!elems.fils_session) {
1930 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1931 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1932 		goto fail;
1933 	}
1934 	wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1935 		    FILS_SESSION_LEN);
1936 	os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1937 
1938 	/* Wrapped Data */
1939 	if (elems.wrapped_data) {
1940 		wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1941 			    elems.wrapped_data,
1942 			    elems.wrapped_data_len);
1943 		if (!pmksa) {
1944 #ifndef CONFIG_NO_RADIUS
1945 			if (!sta->eapol_sm) {
1946 				sta->eapol_sm =
1947 					ieee802_1x_alloc_eapol_sm(hapd, sta);
1948 			}
1949 			wpa_printf(MSG_DEBUG,
1950 				   "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1951 			ieee802_1x_encapsulate_radius(
1952 				hapd, sta, elems.wrapped_data,
1953 				elems.wrapped_data_len);
1954 			sta->fils_pending_cb = cb;
1955 			wpa_printf(MSG_DEBUG,
1956 				   "FILS: Will send Authentication frame once the response from authentication server is available");
1957 			sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1958 			/* Calculate pending PMKID here so that we do not need
1959 			 * to maintain a copy of the EAP-Initiate/Reauth
1960 			 * message. */
1961 			if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1962 					   elems.wrapped_data,
1963 					   elems.wrapped_data_len,
1964 					   sta->fils_erp_pmkid) == 0)
1965 				sta->fils_erp_pmkid_set = 1;
1966 			return;
1967 #else /* CONFIG_NO_RADIUS */
1968 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1969 			goto fail;
1970 #endif /* CONFIG_NO_RADIUS */
1971 		}
1972 	}
1973 
1974 fail:
1975 	if (cb) {
1976 		struct wpabuf *data;
1977 		int pub = 0;
1978 
1979 		data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1980 					      NULL, 0, &pub);
1981 		if (!data) {
1982 			wpa_printf(MSG_DEBUG,
1983 				   "%s: prepare_auth_resp_fils() returned failure",
1984 				   __func__);
1985 		}
1986 
1987 		cb(hapd, sta, resp, data, pub);
1988 	}
1989 }
1990 
1991 
1992 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1993 prepare_auth_resp_fils(struct hostapd_data *hapd,
1994 		       struct sta_info *sta, u16 *resp,
1995 		       struct rsn_pmksa_cache_entry *pmksa,
1996 		       struct wpabuf *erp_resp,
1997 		       const u8 *msk, size_t msk_len,
1998 		       int *is_pub)
1999 {
2000 	u8 fils_nonce[FILS_NONCE_LEN];
2001 	size_t ielen;
2002 	struct wpabuf *data = NULL;
2003 	const u8 *ie;
2004 	u8 *ie_buf = NULL;
2005 	const u8 *pmk = NULL;
2006 	size_t pmk_len = 0;
2007 	u8 pmk_buf[PMK_LEN_MAX];
2008 	struct wpabuf *pub = NULL;
2009 
2010 	if (*resp != WLAN_STATUS_SUCCESS)
2011 		goto fail;
2012 
2013 	ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2014 	if (!ie) {
2015 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2016 		goto fail;
2017 	}
2018 
2019 	if (pmksa) {
2020 		/* Add PMKID of the selected PMKSA into RSNE */
2021 		ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2022 		if (!ie_buf) {
2023 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2024 			goto fail;
2025 		}
2026 
2027 		os_memcpy(ie_buf, ie, ielen);
2028 		if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
2029 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2030 			goto fail;
2031 		}
2032 		ie = ie_buf;
2033 	}
2034 
2035 	if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2036 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2037 		goto fail;
2038 	}
2039 	wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2040 		    fils_nonce, FILS_NONCE_LEN);
2041 
2042 #ifdef CONFIG_FILS_SK_PFS
2043 	if (sta->fils_dh_ss && sta->fils_ecdh) {
2044 		pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2045 		if (!pub) {
2046 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2047 			goto fail;
2048 		}
2049 	}
2050 #endif /* CONFIG_FILS_SK_PFS */
2051 
2052 	data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2053 	if (!data) {
2054 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2055 		goto fail;
2056 	}
2057 
2058 	/* TODO: FILS PK */
2059 #ifdef CONFIG_FILS_SK_PFS
2060 	if (pub) {
2061 		/* Finite Cyclic Group */
2062 		wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2063 
2064 		/* Element */
2065 		wpabuf_put_buf(data, pub);
2066 	}
2067 #endif /* CONFIG_FILS_SK_PFS */
2068 
2069 	/* RSNE */
2070 	wpabuf_put_data(data, ie, ielen);
2071 
2072 	/* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2073 
2074 #ifdef CONFIG_IEEE80211R_AP
2075 	if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2076 		/* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2077 		int res;
2078 		int use_sha384 = wpa_key_mgmt_sha384(
2079 			wpa_auth_sta_key_mgmt(sta->wpa_sm));
2080 
2081 		res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
2082 					 wpabuf_put(data, 0),
2083 					 wpabuf_tailroom(data));
2084 		if (res < 0) {
2085 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2086 			goto fail;
2087 		}
2088 		wpabuf_put(data, res);
2089 	}
2090 #endif /* CONFIG_IEEE80211R_AP */
2091 
2092 	/* FILS Nonce */
2093 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2094 	wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2095 	/* Element ID Extension */
2096 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2097 	wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2098 
2099 	/* FILS Session */
2100 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2101 	wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2102 	/* Element ID Extension */
2103 	wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2104 	wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2105 
2106 	/* Wrapped Data */
2107 	if (!pmksa && erp_resp) {
2108 		wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2109 		wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2110 		/* Element ID Extension */
2111 		wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2112 		wpabuf_put_buf(data, erp_resp);
2113 
2114 		if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2115 				     msk, msk_len, sta->fils_snonce, fils_nonce,
2116 				     sta->fils_dh_ss ?
2117 				     wpabuf_head(sta->fils_dh_ss) : NULL,
2118 				     sta->fils_dh_ss ?
2119 				     wpabuf_len(sta->fils_dh_ss) : 0,
2120 				     pmk_buf, &pmk_len)) {
2121 			wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2122 			*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2123 			wpabuf_free(data);
2124 			data = NULL;
2125 			goto fail;
2126 		}
2127 		pmk = pmk_buf;
2128 
2129 		/* Don't use DHss in PTK derivation if PMKSA caching is not
2130 		 * used. */
2131 		wpabuf_clear_free(sta->fils_dh_ss);
2132 		sta->fils_dh_ss = NULL;
2133 
2134 		if (sta->fils_erp_pmkid_set) {
2135 			/* TODO: get PMKLifetime from WPA parameters */
2136 			unsigned int dot11RSNAConfigPMKLifetime = 43200;
2137 			int session_timeout;
2138 
2139 			session_timeout = dot11RSNAConfigPMKLifetime;
2140 			if (sta->session_timeout_set) {
2141 				struct os_reltime now, diff;
2142 
2143 				os_get_reltime(&now);
2144 				os_reltime_sub(&sta->session_timeout, &now,
2145 					       &diff);
2146 				session_timeout = diff.sec;
2147 			}
2148 
2149 			sta->fils_erp_pmkid_set = 0;
2150 			wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2151 						    sta->fils_erp_pmkid);
2152 			if (!hapd->conf->disable_pmksa_caching &&
2153 			    wpa_auth_pmksa_add2(
2154 				    hapd->wpa_auth, sta->addr,
2155 				    pmk, pmk_len,
2156 				    sta->fils_erp_pmkid,
2157 				    session_timeout,
2158 				    wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
2159 				wpa_printf(MSG_ERROR,
2160 					   "FILS: Failed to add PMKSA cache entry based on ERP");
2161 			}
2162 		}
2163 	} else if (pmksa) {
2164 		pmk = pmksa->pmk;
2165 		pmk_len = pmksa->pmk_len;
2166 	}
2167 
2168 	if (!pmk) {
2169 		wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2170 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2171 		wpabuf_free(data);
2172 		data = NULL;
2173 		goto fail;
2174 	}
2175 
2176 	if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2177 				 sta->fils_snonce, fils_nonce,
2178 				 sta->fils_dh_ss ?
2179 				 wpabuf_head(sta->fils_dh_ss) : NULL,
2180 				 sta->fils_dh_ss ?
2181 				 wpabuf_len(sta->fils_dh_ss) : 0,
2182 				 sta->fils_g_sta, pub) < 0) {
2183 		*resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2184 		wpabuf_free(data);
2185 		data = NULL;
2186 		goto fail;
2187 	}
2188 
2189 fail:
2190 	if (is_pub)
2191 		*is_pub = pub != NULL;
2192 	os_free(ie_buf);
2193 	wpabuf_free(pub);
2194 	wpabuf_clear_free(sta->fils_dh_ss);
2195 	sta->fils_dh_ss = NULL;
2196 #ifdef CONFIG_FILS_SK_PFS
2197 	crypto_ecdh_deinit(sta->fils_ecdh);
2198 	sta->fils_ecdh = NULL;
2199 #endif /* CONFIG_FILS_SK_PFS */
2200 	return data;
2201 }
2202 
2203 
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2204 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2205 				    struct sta_info *sta, u16 resp,
2206 				    struct wpabuf *data, int pub)
2207 {
2208 	u16 auth_alg;
2209 
2210 	auth_alg = (pub ||
2211 		    resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2212 		WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2213 	send_auth_reply(hapd, sta, sta->addr, hapd->own_addr, auth_alg, 2, resp,
2214 			data ? wpabuf_head(data) : (u8 *) "",
2215 			data ? wpabuf_len(data) : 0, "auth-fils-finish");
2216 	wpabuf_free(data);
2217 
2218 	if (resp == WLAN_STATUS_SUCCESS) {
2219 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2220 			       HOSTAPD_LEVEL_DEBUG,
2221 			       "authentication OK (FILS)");
2222 		sta->flags |= WLAN_STA_AUTH;
2223 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2224 		sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2225 		mlme_authenticate_indication(hapd, sta);
2226 	}
2227 }
2228 
2229 
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2230 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2231 				 struct sta_info *sta, int success,
2232 				 struct wpabuf *erp_resp,
2233 				 const u8 *msk, size_t msk_len)
2234 {
2235 	u16 resp;
2236 	u32 flags = sta->flags;
2237 
2238 	sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2239 			WLAN_STA_PENDING_PASN_FILS_ERP);
2240 
2241 	resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2242 
2243 	if (flags & WLAN_STA_PENDING_FILS_ERP) {
2244 		struct wpabuf *data;
2245 		int pub = 0;
2246 
2247 		if (!sta->fils_pending_cb)
2248 			return;
2249 
2250 		data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2251 					      msk, msk_len, &pub);
2252 		if (!data) {
2253 			wpa_printf(MSG_DEBUG,
2254 				   "%s: prepare_auth_resp_fils() failure",
2255 				   __func__);
2256 		}
2257 		sta->fils_pending_cb(hapd, sta, resp, data, pub);
2258 #ifdef CONFIG_PASN
2259 	} else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2260 		pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2261 				    msk, msk_len);
2262 #endif /* CONFIG_PASN */
2263 	}
2264 }
2265 
2266 #endif /* CONFIG_FILS */
2267 
2268 
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2269 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2270 				      const u8 *msg, size_t len,
2271 				      struct radius_sta *info)
2272 {
2273 	int res;
2274 
2275 	res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2276 
2277 	if (res == HOSTAPD_ACL_REJECT) {
2278 		wpa_printf(MSG_DEBUG, "Station " MACSTR
2279 			   " not allowed to authenticate",
2280 			   MAC2STR(addr));
2281 		return HOSTAPD_ACL_REJECT;
2282 	}
2283 
2284 	if (res == HOSTAPD_ACL_PENDING) {
2285 		wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2286 			   " waiting for an external authentication",
2287 			   MAC2STR(addr));
2288 		/* Authentication code will re-send the authentication frame
2289 		 * after it has received (and cached) information from the
2290 		 * external source. */
2291 		return HOSTAPD_ACL_PENDING;
2292 	}
2293 
2294 	return res;
2295 }
2296 
2297 
2298 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2299 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2300 			   int res, struct radius_sta *info)
2301 {
2302 	u32 session_timeout = info->session_timeout;
2303 	u32 acct_interim_interval = info->acct_interim_interval;
2304 	struct vlan_description *vlan_id = &info->vlan_id;
2305 	struct hostapd_sta_wpa_psk_short *psk = info->psk;
2306 	char *identity = info->identity;
2307 	char *radius_cui = info->radius_cui;
2308 
2309 	if (vlan_id->notempty &&
2310 	    !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2311 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2312 			       HOSTAPD_LEVEL_INFO,
2313 			       "Invalid VLAN %d%s received from RADIUS server",
2314 			       vlan_id->untagged,
2315 			       vlan_id->tagged[0] ? "+" : "");
2316 		return -1;
2317 	}
2318 	if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2319 		return -1;
2320 	if (sta->vlan_id)
2321 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2322 			       HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2323 
2324 	hostapd_free_psk_list(sta->psk);
2325 	if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2326 		hostapd_copy_psk_list(&sta->psk, psk);
2327 	else
2328 		sta->psk = NULL;
2329 
2330 	os_free(sta->identity);
2331 	if (identity)
2332 		sta->identity = os_strdup(identity);
2333 	else
2334 		sta->identity = NULL;
2335 
2336 	os_free(sta->radius_cui);
2337 	if (radius_cui)
2338 		sta->radius_cui = os_strdup(radius_cui);
2339 	else
2340 		sta->radius_cui = NULL;
2341 
2342 	if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2343 		sta->acct_interim_interval = acct_interim_interval;
2344 	if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2345 		sta->session_timeout_set = 1;
2346 		os_get_reltime(&sta->session_timeout);
2347 		sta->session_timeout.sec += session_timeout;
2348 		ap_sta_session_timeout(hapd, sta, session_timeout);
2349 	} else {
2350 		sta->session_timeout_set = 0;
2351 		ap_sta_no_session_timeout(hapd, sta);
2352 	}
2353 
2354 	return 0;
2355 }
2356 
2357 
2358 #ifdef CONFIG_PASN
2359 #ifdef CONFIG_SAE
2360 
pasn_wd_handle_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2361 static int pasn_wd_handle_sae_commit(struct hostapd_data *hapd,
2362 				     struct sta_info *sta,
2363 				     struct wpabuf *wd)
2364 {
2365 	struct pasn_data *pasn = sta->pasn;
2366 	const char *password = NULL;
2367 	const u8 *data;
2368 	size_t buf_len;
2369 	u16 res, alg, seq, status;
2370 	int groups[] = { pasn->group, 0 };
2371 	int ret;
2372 
2373 	if (!wd)
2374 		return -1;
2375 
2376 	data = wpabuf_head_u8(wd);
2377 	buf_len = wpabuf_len(wd);
2378 
2379 	if (buf_len < 6) {
2380 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
2381 			   buf_len);
2382 		return -1;
2383 	}
2384 
2385 	alg = WPA_GET_LE16(data);
2386 	seq = WPA_GET_LE16(data + 2);
2387 	status = WPA_GET_LE16(data + 4);
2388 
2389 	wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
2390 		   alg, seq, status);
2391 
2392 	/* TODO: SAE H2E */
2393 	if (alg != WLAN_AUTH_SAE || seq != 1 || status != WLAN_STATUS_SUCCESS) {
2394 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
2395 		return -1;
2396 	}
2397 
2398 	sae_clear_data(&pasn->sae);
2399 	pasn->sae.state = SAE_NOTHING;
2400 
2401 	ret = sae_set_group(&pasn->sae, pasn->group);
2402 	if (ret) {
2403 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
2404 		return -1;
2405 	}
2406 
2407 	password = sae_get_password(hapd, sta, NULL, NULL, NULL, NULL);
2408 	if (!password) {
2409 		wpa_printf(MSG_DEBUG, "PASN: No SAE password found");
2410 		return -1;
2411 	}
2412 
2413 	ret = sae_prepare_commit(hapd->own_addr, sta->addr,
2414 				 (const u8 *) password, os_strlen(password), 0,
2415 				 &pasn->sae);
2416 	if (ret) {
2417 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
2418 		return -1;
2419 	}
2420 
2421 	res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
2422 			       groups, 0);
2423 	if (res != WLAN_STATUS_SUCCESS) {
2424 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
2425 		return -1;
2426 	}
2427 
2428 	/* Process the commit message and derive the PMK */
2429 	ret = sae_process_commit(&pasn->sae);
2430 	if (ret) {
2431 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
2432 		return -1;
2433 	}
2434 
2435 	pasn->sae.state = SAE_COMMITTED;
2436 
2437 	return 0;
2438 }
2439 
2440 
pasn_wd_handle_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2441 static int pasn_wd_handle_sae_confirm(struct hostapd_data *hapd,
2442 				      struct sta_info *sta,
2443 				      struct wpabuf *wd)
2444 {
2445 	struct pasn_data *pasn = sta->pasn;
2446 	const u8 *data;
2447 	size_t buf_len;
2448 	u16 res, alg, seq, status;
2449 
2450 	if (!wd)
2451 		return -1;
2452 
2453 	data = wpabuf_head_u8(wd);
2454 	buf_len = wpabuf_len(wd);
2455 
2456 	if (buf_len < 6) {
2457 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
2458 			   buf_len);
2459 		return -1;
2460 	}
2461 
2462 	alg = WPA_GET_LE16(data);
2463 	seq = WPA_GET_LE16(data + 2);
2464 	status = WPA_GET_LE16(data + 4);
2465 
2466 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
2467 		   alg, seq, status);
2468 
2469 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
2470 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
2471 		return -1;
2472 	}
2473 
2474 	res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6);
2475 	if (res != WLAN_STATUS_SUCCESS) {
2476 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
2477 		return -1;
2478 	}
2479 
2480 	pasn->sae.state = SAE_ACCEPTED;
2481 
2482 	/*
2483 	 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
2484 	 * PASN/SAE should only be allowed with future PASN only. For now do not
2485 	 * restrict this only for PASN.
2486 	 */
2487 	wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
2488 			       pasn->sae.pmk, pasn->sae.pmkid);
2489 	return 0;
2490 }
2491 
2492 
pasn_get_sae_wd(struct hostapd_data * hapd,struct sta_info * sta)2493 static struct wpabuf * pasn_get_sae_wd(struct hostapd_data *hapd,
2494 				       struct sta_info *sta)
2495 {
2496 	struct pasn_data *pasn = sta->pasn;
2497 	struct wpabuf *buf = NULL;
2498 	u8 *len_ptr;
2499 	size_t len;
2500 
2501 	/* Need to add the entire Authentication frame body */
2502 	buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
2503 	if (!buf) {
2504 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
2505 		return NULL;
2506 	}
2507 
2508 	/* Need to add the entire authentication frame body for the commit */
2509 	len_ptr = wpabuf_put(buf, 2);
2510 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2511 	wpabuf_put_le16(buf, 1);
2512 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2513 
2514 	/* Write the actual commit and update the length accordingly */
2515 	sae_write_commit(&pasn->sae, buf, NULL, 0);
2516 	len = wpabuf_len(buf);
2517 	WPA_PUT_LE16(len_ptr, len - 2);
2518 
2519 	/* Need to add the entire Authentication frame body for the confirm */
2520 	len_ptr = wpabuf_put(buf, 2);
2521 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
2522 	wpabuf_put_le16(buf, 2);
2523 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2524 
2525 	sae_write_confirm(&pasn->sae, buf);
2526 	WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
2527 
2528 	pasn->sae.state = SAE_CONFIRMED;
2529 
2530 	return buf;
2531 }
2532 
2533 #endif /* CONFIG_SAE */
2534 
2535 
2536 #ifdef CONFIG_FILS
2537 
pasn_get_fils_wd(struct hostapd_data * hapd,struct sta_info * sta)2538 static struct wpabuf * pasn_get_fils_wd(struct hostapd_data *hapd,
2539 					struct sta_info *sta)
2540 {
2541 	struct pasn_data *pasn = sta->pasn;
2542 	struct pasn_fils_data *fils = &pasn->fils;
2543 	struct wpabuf *buf = NULL;
2544 
2545 	if (!fils->erp_resp) {
2546 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
2547 		return NULL;
2548 	}
2549 
2550 	buf = wpabuf_alloc(1500);
2551 	if (!buf)
2552 		return NULL;
2553 
2554 	/* Add the authentication algorithm */
2555 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
2556 
2557 	/* Authentication Transaction seq# */
2558 	wpabuf_put_le16(buf, 2);
2559 
2560 	/* Status Code */
2561 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
2562 
2563 	/* Own RSNE */
2564 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
2565 
2566 	/* FILS Nonce */
2567 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2568 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
2569 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
2570 	wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
2571 
2572 	/* FILS Session */
2573 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2574 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
2575 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
2576 	wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
2577 
2578 	/* Wrapped Data */
2579 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
2580 	wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
2581 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
2582 	wpabuf_put_buf(buf, fils->erp_resp);
2583 
2584 	return buf;
2585 }
2586 
2587 
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2588 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2589 				struct sta_info *sta, u16 status,
2590 				struct wpabuf *erp_resp,
2591 				const u8 *msk, size_t msk_len)
2592 {
2593 	struct pasn_data *pasn = sta->pasn;
2594 	struct pasn_fils_data *fils = &pasn->fils;
2595 	u8 pmk[PMK_LEN_MAX];
2596 	size_t pmk_len;
2597 	int ret;
2598 
2599 	wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2600 		   status);
2601 
2602 	if (status != WLAN_STATUS_SUCCESS)
2603 		goto fail;
2604 
2605 	if (!pasn->secret) {
2606 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2607 		goto fail;
2608 	}
2609 
2610 	if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2611 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2612 		goto fail;
2613 	}
2614 
2615 	wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2616 		    fils->anonce, FILS_NONCE_LEN);
2617 
2618 	ret = fils_rmsk_to_pmk(pasn->akmp, msk, msk_len, fils->nonce,
2619 			       fils->anonce, NULL, 0, pmk, &pmk_len);
2620 	if (ret) {
2621 		wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2622 		goto fail;
2623 	}
2624 
2625 	ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2626 			      wpabuf_head(pasn->secret),
2627 			      wpabuf_len(pasn->secret),
2628 			      &sta->pasn->ptk, sta->pasn->akmp,
2629 			      sta->pasn->cipher, WPA_KDK_MAX_LEN);
2630 	if (ret) {
2631 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2632 		goto fail;
2633 	}
2634 
2635 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2636 
2637 	wpabuf_free(pasn->secret);
2638 	pasn->secret = NULL;
2639 
2640 	fils->erp_resp = erp_resp;
2641 	ret = handle_auth_pasn_resp(hapd, sta, NULL, WLAN_STATUS_SUCCESS);
2642 	fils->erp_resp = NULL;
2643 
2644 	if (ret) {
2645 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2646 		goto fail;
2647 	}
2648 
2649 	fils->state = PASN_FILS_STATE_COMPLETE;
2650 	return;
2651 fail:
2652 	ap_free_sta(hapd, sta);
2653 }
2654 
2655 
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2656 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2657 			       struct wpabuf *wd)
2658 {
2659 	struct pasn_data *pasn = sta->pasn;
2660 	struct pasn_fils_data *fils = &pasn->fils;
2661 	struct ieee802_11_elems elems;
2662 	struct wpa_ie_data rsne_data;
2663 	struct wpabuf *fils_wd;
2664 	const u8 *data;
2665 	size_t buf_len;
2666 	u16 alg, seq, status;
2667 	int ret;
2668 
2669 	if (fils->state != PASN_FILS_STATE_NONE) {
2670 		wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2671 		return -1;
2672 	}
2673 
2674 	if (!wd) {
2675 		wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2676 		return -1;
2677 	}
2678 
2679 	data = wpabuf_head_u8(wd);
2680 	buf_len = wpabuf_len(wd);
2681 
2682 	if (buf_len < 6) {
2683 		wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%lu",
2684 			   buf_len);
2685 		return -1;
2686 	}
2687 
2688 	alg = WPA_GET_LE16(data);
2689 	seq = WPA_GET_LE16(data + 2);
2690 	status = WPA_GET_LE16(data + 4);
2691 
2692 	wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2693 		   alg, seq, status);
2694 
2695 	if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2696 	    status != WLAN_STATUS_SUCCESS) {
2697 		wpa_printf(MSG_DEBUG,
2698 			   "PASN: FILS: Dropping peer authentication");
2699 		return -1;
2700 	}
2701 
2702 	data += 6;
2703 	buf_len -= 6;
2704 
2705 	if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2706 		wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2707 		return -1;
2708 	}
2709 
2710 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2711 	    !elems.wrapped_data) {
2712 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2713 		return -1;
2714 	}
2715 
2716 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2717 				   &rsne_data);
2718 	if (ret) {
2719 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
2720 		return -1;
2721 	}
2722 
2723 	ret = wpa_pasn_validate_rsne(&rsne_data);
2724 	if (ret) {
2725 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2726 		return -1;
2727 	}
2728 
2729 	if (rsne_data.num_pmkid) {
2730 		wpa_printf(MSG_DEBUG,
2731 			   "PASN: FILS: Not expecting PMKID in RSNE");
2732 		return -1;
2733 	}
2734 
2735 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2736 		    FILS_NONCE_LEN);
2737 	os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2738 
2739 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2740 		    FILS_SESSION_LEN);
2741 	os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2742 
2743 #ifdef CONFIG_NO_RADIUS
2744 	wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2745 	return -1;
2746 #endif /* CONFIG_NO_RADIUS */
2747 
2748 	fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
2749 				    WLAN_EID_EXT_WRAPPED_DATA);
2750 
2751 	if (!fils_wd) {
2752 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2753 		return -1;
2754 	}
2755 
2756 	if (!sta->eapol_sm)
2757 		sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2758 
2759 	wpa_printf(MSG_DEBUG,
2760 		   "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2761 
2762 	ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2763 				      wpabuf_len(fils_wd));
2764 
2765 	sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2766 
2767 	fils->state = PASN_FILS_STATE_PENDING_AS;
2768 
2769 	/*
2770 	 * Calculate pending PMKID here so that we do not need to maintain a
2771 	 * copy of the EAP-Initiate/Reautt message.
2772 	 */
2773 	fils_pmkid_erp(pasn->akmp, wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2774 		       fils->erp_pmkid);
2775 
2776 	wpabuf_free(fils_wd);
2777 	return 0;
2778 }
2779 
2780 #endif /* CONFIG_FILS */
2781 
2782 
pasn_get_wrapped_data(struct hostapd_data * hapd,struct sta_info * sta)2783 static struct wpabuf * pasn_get_wrapped_data(struct hostapd_data *hapd,
2784 					     struct sta_info *sta)
2785 {
2786 	switch (sta->pasn->akmp) {
2787 	case WPA_KEY_MGMT_PASN:
2788 		/* no wrapped data */
2789 		return NULL;
2790 	case WPA_KEY_MGMT_SAE:
2791 #ifdef CONFIG_SAE
2792 		return pasn_get_sae_wd(hapd, sta);
2793 #else /* CONFIG_SAE */
2794 		wpa_printf(MSG_ERROR,
2795 			   "PASN: SAE: Cannot derive wrapped data");
2796 		return NULL;
2797 #endif /* CONFIG_SAE */
2798 	case WPA_KEY_MGMT_FILS_SHA256:
2799 	case WPA_KEY_MGMT_FILS_SHA384:
2800 #ifdef CONFIG_FILS
2801 		return pasn_get_fils_wd(hapd, sta);
2802 #endif /* CONFIG_FILS */
2803 		/* fall through */
2804 	case WPA_KEY_MGMT_FT_PSK:
2805 	case WPA_KEY_MGMT_FT_IEEE8021X:
2806 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2807 	default:
2808 		wpa_printf(MSG_ERROR,
2809 			   "PASN: TODO: Wrapped data for akmp=0x%x",
2810 			   sta->pasn->akmp);
2811 		return NULL;
2812 	}
2813 }
2814 
2815 
2816 static int
pasn_derive_keys(struct hostapd_data * hapd,struct sta_info * sta,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)2817 pasn_derive_keys(struct hostapd_data *hapd, struct sta_info *sta,
2818 		 const u8 *cached_pmk, size_t cached_pmk_len,
2819 		 struct wpa_pasn_params_data *pasn_data,
2820 		 struct wpabuf *wrapped_data,
2821 		 struct wpabuf *secret)
2822 {
2823 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
2824 	u8 pmk[PMK_LEN_MAX];
2825 	u8 pmk_len;
2826 	int ret;
2827 
2828 	os_memset(pmk, 0, sizeof(pmk));
2829 	pmk_len = 0;
2830 
2831 	if (!cached_pmk || !cached_pmk_len)
2832 		wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
2833 
2834 	if (sta->pasn->akmp == WPA_KEY_MGMT_PASN) {
2835 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
2836 
2837 		pmk_len = WPA_PASN_PMK_LEN;
2838 		os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
2839 	} else if (cached_pmk && cached_pmk_len) {
2840 		wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
2841 
2842 		pmk_len = cached_pmk_len;
2843 		os_memcpy(pmk, cached_pmk, cached_pmk_len);
2844 	} else {
2845 		switch (sta->pasn->akmp) {
2846 #ifdef CONFIG_SAE
2847 		case WPA_KEY_MGMT_SAE:
2848 			if (sta->pasn->sae.state == SAE_COMMITTED) {
2849 				pmk_len = PMK_LEN;
2850 				os_memcpy(pmk, sta->pasn->sae.pmk, PMK_LEN);
2851 				break;
2852 			}
2853 #endif /* CONFIG_SAE */
2854 			/* fall through */
2855 		default:
2856 			/* TODO: Derive PMK based on wrapped data */
2857 			wpa_printf(MSG_DEBUG,
2858 				   "PASN: Missing PMK derivation");
2859 			return -1;
2860 		}
2861 	}
2862 
2863 	ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2864 			      wpabuf_head(secret), wpabuf_len(secret),
2865 			      &sta->pasn->ptk, sta->pasn->akmp,
2866 			      sta->pasn->cipher, WPA_KDK_MAX_LEN);
2867 	if (ret) {
2868 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
2869 		return -1;
2870 	}
2871 
2872 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2873 	return 0;
2874 }
2875 
2876 
handle_auth_pasn_resp(struct hostapd_data * hapd,struct sta_info * sta,struct rsn_pmksa_cache_entry * pmksa,u16 status)2877 static int handle_auth_pasn_resp(struct hostapd_data *hapd,
2878 				 struct sta_info *sta,
2879 				 struct rsn_pmksa_cache_entry *pmksa,
2880 				 u16 status)
2881 {
2882 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
2883 	u8 mic[WPA_PASN_MAX_MIC_LEN];
2884 	u8 mic_len, frame_len, data_len;
2885 	u8 *ptr;
2886 	const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
2887 	u8 *data_buf = NULL;
2888 	size_t rsn_ie_len;
2889 	int ret;
2890 
2891 	wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
2892 
2893 	buf = wpabuf_alloc(1500);
2894 	if (!buf)
2895 		goto fail;
2896 
2897 	wpa_pasn_build_auth_header(buf, hapd->own_addr, hapd->own_addr,
2898 				   sta->addr, 2, status);
2899 
2900 	if (status != WLAN_STATUS_SUCCESS)
2901 		goto done;
2902 
2903 	if (wpa_pasn_add_rsne(buf, pmksa ? pmksa->pmkid : NULL,
2904 			      sta->pasn->akmp, sta->pasn->cipher) < 0)
2905 		goto fail;
2906 
2907 	/* No need to derive PMK if PMKSA is given */
2908 	if (!pmksa)
2909 		wrapped_data_buf = pasn_get_wrapped_data(hapd, sta);
2910 	else
2911 		sta->pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
2912 
2913 	/* Get public key */
2914 	pubkey = crypto_ecdh_get_pubkey(sta->pasn->ecdh, 0);
2915 	pubkey = wpabuf_zeropad(pubkey,
2916 				crypto_ecdh_prime_len(sta->pasn->ecdh));
2917 	if (!pubkey) {
2918 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
2919 		goto fail;
2920 	}
2921 
2922 	wpa_pasn_add_parameter_ie(buf, sta->pasn->group,
2923 				  sta->pasn->wrapped_data_format,
2924 				  pubkey, NULL, 0);
2925 
2926 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
2927 		goto fail;
2928 
2929 	wpabuf_free(wrapped_data_buf);
2930 	wrapped_data_buf = NULL;
2931 	wpabuf_free(pubkey);
2932 	pubkey = NULL;
2933 
2934 	/* Add RSNXE if needed */
2935 	rsnxe_ie = hostapd_wpa_ie(hapd, WLAN_EID_RSNX);
2936 	if (rsnxe_ie)
2937 		wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
2938 
2939 	/* Add the mic */
2940 	mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
2941 	wpabuf_put_u8(buf, WLAN_EID_MIC);
2942 	wpabuf_put_u8(buf, mic_len);
2943 	ptr = wpabuf_put(buf, mic_len);
2944 
2945 	os_memset(ptr, 0, mic_len);
2946 
2947 	frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
2948 	frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
2949 
2950 	rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &rsn_ie_len);
2951 	if (!rsn_ie || !rsn_ie_len)
2952 		goto fail;
2953 
2954 	/*
2955 	 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
2956 	 * MDE, etc. Thus, do not use the returned length but instead use the
2957 	 * length specified in the IE header.
2958 	 */
2959 	data_len = rsn_ie[1] + 2;
2960 	if (rsnxe_ie) {
2961 		data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
2962 		if (!data_buf)
2963 			goto fail;
2964 
2965 		os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
2966 		os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
2967 		data_len += rsnxe_ie[1] + 2;
2968 		data = data_buf;
2969 	} else {
2970 		data = rsn_ie;
2971 	}
2972 
2973 	ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
2974 		       hapd->own_addr, sta->addr, data, data_len,
2975 		       frame, frame_len, mic);
2976 	os_free(data_buf);
2977 	if (ret) {
2978 		wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
2979 		goto fail;
2980 	}
2981 
2982 	os_memcpy(ptr, mic, mic_len);
2983 
2984 done:
2985 	wpa_printf(MSG_DEBUG,
2986 		   "PASN: Building frame 2: success; resp STA=" MACSTR,
2987 		   MAC2STR(sta->addr));
2988 
2989 	ret = hostapd_drv_send_mlme(hapd, wpabuf_head(buf), wpabuf_len(buf), 0,
2990 				    NULL, 0, 0);
2991 	if (ret)
2992 		wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
2993 
2994 	wpabuf_free(buf);
2995 	return ret;
2996 fail:
2997 	wpabuf_free(wrapped_data_buf);
2998 	wpabuf_free(pubkey);
2999 	wpabuf_free(buf);
3000 	return -1;
3001 }
3002 
3003 
handle_auth_pasn_1(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3004 static void handle_auth_pasn_1(struct hostapd_data *hapd, struct sta_info *sta,
3005 			       const struct ieee80211_mgmt *mgmt, size_t len)
3006 {
3007 	struct ieee802_11_elems elems;
3008 	struct wpa_ie_data rsn_data;
3009 	struct wpa_pasn_params_data pasn_params;
3010 	struct rsn_pmksa_cache_entry *pmksa = NULL;
3011 	const u8 *cached_pmk = NULL;
3012 	size_t cached_pmk_len = 0;
3013 #ifdef CONFIG_IEEE80211R_AP
3014 	u8 pmk_r1[PMK_LEN_MAX];
3015 	size_t pmk_r1_len;
3016 #endif /* CONFIG_IEEE80211R_AP */
3017 	struct wpabuf *wrapped_data = NULL, *secret = NULL;
3018 	const int *groups = hapd->conf->pasn_groups;
3019 	static const int default_groups[] = { 19, 0 };
3020 	u16 status = WLAN_STATUS_SUCCESS;
3021 	int ret;
3022 	bool derive_keys;
3023 	u32 i;
3024 
3025 	if (!groups)
3026 		groups = default_groups;
3027 
3028 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3029 				   len - offsetof(struct ieee80211_mgmt,
3030 						  u.auth.variable),
3031 				   &elems, 0) == ParseFailed) {
3032 		wpa_printf(MSG_DEBUG,
3033 			   "PASN: Failed parsing Authentication frame");
3034 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3035 		goto send_resp;
3036 	}
3037 
3038 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3039 				   &rsn_data);
3040 	if (ret) {
3041 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
3042 		status = WLAN_STATUS_INVALID_RSNIE;
3043 		goto send_resp;
3044 	}
3045 
3046 	ret = wpa_pasn_validate_rsne(&rsn_data);
3047 	if (ret) {
3048 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
3049 		status = WLAN_STATUS_INVALID_RSNIE;
3050 		goto send_resp;
3051 	}
3052 
3053 	if (!(rsn_data.key_mgmt & hapd->conf->wpa_key_mgmt) ||
3054 	    !(rsn_data.pairwise_cipher & hapd->conf->rsn_pairwise)) {
3055 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
3056 		status = WLAN_STATUS_INVALID_RSNIE;
3057 		goto send_resp;
3058 	}
3059 
3060 	sta->pasn->akmp = rsn_data.key_mgmt;
3061 	sta->pasn->cipher = rsn_data.pairwise_cipher;
3062 
3063 	if (!elems.pasn_params || !elems.pasn_params_len) {
3064 		wpa_printf(MSG_DEBUG,
3065 			   "PASN: No PASN Parameters element found");
3066 		status = WLAN_STATUS_INVALID_PARAMETERS;
3067 		goto send_resp;
3068 	}
3069 
3070 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3071 					  elems.pasn_params_len + 3,
3072 					  false, &pasn_params);
3073 	if (ret) {
3074 		wpa_printf(MSG_DEBUG,
3075 			   "PASN: Failed validation of PASN Parameters IE");
3076 		status = WLAN_STATUS_INVALID_PARAMETERS;
3077 		goto send_resp;
3078 	}
3079 
3080 	for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
3081 		;
3082 
3083 	if (!pasn_params.group || groups[i] != pasn_params.group) {
3084 		wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
3085 			   pasn_params.group);
3086 		status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3087 		goto send_resp;
3088 	}
3089 
3090 	if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
3091 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
3092 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3093 		goto send_resp;
3094 	}
3095 
3096 	sta->pasn->ecdh = crypto_ecdh_init(pasn_params.group);
3097 	if (!sta->pasn->ecdh) {
3098 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
3099 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3100 		goto send_resp;
3101 	}
3102 
3103 	sta->pasn->group = pasn_params.group;
3104 
3105 	secret = crypto_ecdh_set_peerkey(sta->pasn->ecdh, 0,
3106 					 pasn_params.pubkey,
3107 					 pasn_params.pubkey_len);
3108 	if (!secret) {
3109 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
3110 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3111 		goto send_resp;
3112 	}
3113 
3114 	derive_keys = true;
3115 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3116 		wrapped_data = ieee802_11_defrag(&elems,
3117 						 WLAN_EID_EXTENSION,
3118 						 WLAN_EID_EXT_WRAPPED_DATA);
3119 		if (!wrapped_data) {
3120 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3121 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3122 			goto send_resp;
3123 		}
3124 
3125 #ifdef CONFIG_SAE
3126 		if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3127 			ret = pasn_wd_handle_sae_commit(hapd, sta,
3128 							wrapped_data);
3129 			if (ret) {
3130 				wpa_printf(MSG_DEBUG,
3131 					   "PASN: Failed processing SAE commit");
3132 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3133 				goto send_resp;
3134 			}
3135 		}
3136 #endif /* CONFIG_SAE */
3137 #ifdef CONFIG_FILS
3138 		if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3139 		    sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3140 			ret = pasn_wd_handle_fils(hapd, sta, wrapped_data);
3141 			if (ret) {
3142 				wpa_printf(MSG_DEBUG,
3143 					   "PASN: Failed processing FILS wrapped data");
3144 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3145 				goto send_resp;
3146 			}
3147 
3148 			wpa_printf(MSG_DEBUG,
3149 				   "PASN: FILS: Pending AS response");
3150 
3151 			/*
3152 			 * With PASN/FILS, keys can be derived only after a
3153 			 * response from the AS is processed.
3154 			 */
3155 			derive_keys = false;
3156 		}
3157 #endif /* CONFIG_FILS */
3158 	}
3159 
3160 	sta->pasn->wrapped_data_format = pasn_params.wrapped_data_format;
3161 
3162 	ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3163 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3164 				   len - IEEE80211_HDRLEN, sta->pasn->hash);
3165 	if (ret) {
3166 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3167 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3168 		goto send_resp;
3169 	}
3170 
3171 	if (!derive_keys) {
3172 		wpa_printf(MSG_DEBUG, "PASN: Storing secret");
3173 		sta->pasn->secret = secret;
3174 		wpabuf_free(wrapped_data);
3175 		return;
3176 	}
3177 
3178 	if (rsn_data.num_pmkid) {
3179 		if (wpa_key_mgmt_ft(sta->pasn->akmp)) {
3180 #ifdef CONFIG_IEEE80211R_AP
3181 			wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
3182 
3183 			ret = wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
3184 						  rsn_data.pmkid,
3185 						  pmk_r1, &pmk_r1_len, NULL,
3186 						  NULL, NULL, NULL,
3187 						  NULL, NULL, NULL);
3188 			if (ret) {
3189 				wpa_printf(MSG_DEBUG,
3190 					   "PASN: FT: Failed getting PMK-R1");
3191 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3192 				goto send_resp;
3193 			}
3194 			cached_pmk = pmk_r1;
3195 			cached_pmk_len = pmk_r1_len;
3196 #else /* CONFIG_IEEE80211R_AP */
3197 			wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
3198 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3199 			goto send_resp;
3200 #endif /* CONFIG_IEEE80211R_AP */
3201 		} else {
3202 			wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
3203 
3204 			pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
3205 						   rsn_data.pmkid);
3206 			if (pmksa) {
3207 				cached_pmk = pmksa->pmk;
3208 				cached_pmk_len = pmksa->pmk_len;
3209 			}
3210 		}
3211 	} else {
3212 		wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
3213 	}
3214 
3215 	ret = pasn_derive_keys(hapd, sta, cached_pmk, cached_pmk_len,
3216 			       &pasn_params, wrapped_data, secret);
3217 	if (ret) {
3218 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
3219 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3220 		goto send_resp;
3221 	}
3222 
3223 	ret = pasn_auth_frame_hash(sta->pasn->akmp, sta->pasn->cipher,
3224 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
3225 				   len - IEEE80211_HDRLEN, sta->pasn->hash);
3226 	if (ret) {
3227 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
3228 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3229 	}
3230 
3231 send_resp:
3232 	ret = handle_auth_pasn_resp(hapd, sta, pmksa, status);
3233 	if (ret) {
3234 		wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
3235 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3236 	} else {
3237 		wpa_printf(MSG_DEBUG,
3238 			   "PASN: Success handling transaction == 1");
3239 	}
3240 
3241 	wpabuf_free(secret);
3242 	wpabuf_free(wrapped_data);
3243 
3244 	if (status != WLAN_STATUS_SUCCESS)
3245 		ap_free_sta(hapd, sta);
3246 }
3247 
3248 
handle_auth_pasn_3(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)3249 static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
3250 			       const struct ieee80211_mgmt *mgmt, size_t len)
3251 {
3252 	struct ieee802_11_elems elems;
3253 	struct wpa_pasn_params_data pasn_params;
3254 	struct wpabuf *wrapped_data = NULL;
3255 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
3256 	u8 mic_len;
3257 	int ret;
3258 
3259 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
3260 				   len - offsetof(struct ieee80211_mgmt,
3261 						  u.auth.variable),
3262 				   &elems, 0) == ParseFailed) {
3263 		wpa_printf(MSG_DEBUG,
3264 			   "PASN: Failed parsing Authentication frame");
3265 		goto fail;
3266 	}
3267 
3268 	/* Check that the MIC IE exists. Save it and zero out the memory. */
3269 	mic_len = pasn_mic_len(sta->pasn->akmp, sta->pasn->cipher);
3270 	if (!elems.mic || elems.mic_len != mic_len) {
3271 		wpa_printf(MSG_DEBUG,
3272 			   "PASN: Invalid MIC. Expecting len=%u", mic_len);
3273 		goto fail;
3274 	} else {
3275 		os_memcpy(mic, elems.mic, mic_len);
3276 		/* TODO: Clean this up.. Should not modify received frame
3277 		 * buffer. */
3278 		os_memset((u8 *) elems.mic, 0, mic_len);
3279 	}
3280 
3281 	if (!elems.pasn_params || !elems.pasn_params_len) {
3282 		wpa_printf(MSG_DEBUG,
3283 			   "PASN: No PASN Parameters element found");
3284 		goto fail;
3285 	}
3286 
3287 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
3288 					  elems.pasn_params_len + 3,
3289 					  false, &pasn_params);
3290 	if (ret) {
3291 		wpa_printf(MSG_DEBUG,
3292 			   "PASN: Failed validation of PASN Parameters IE");
3293 		goto fail;
3294 	}
3295 
3296 	if (pasn_params.pubkey || pasn_params.pubkey_len) {
3297 		wpa_printf(MSG_DEBUG,
3298 			   "PASN: Public key should not be included");
3299 		goto fail;
3300 	}
3301 
3302 	/* Verify the MIC */
3303 	ret = pasn_mic(sta->pasn->ptk.kck, sta->pasn->akmp, sta->pasn->cipher,
3304 		       sta->addr, hapd->own_addr,
3305 		       sta->pasn->hash, mic_len * 2,
3306 		       (u8 *) &mgmt->u.auth,
3307 		       len - offsetof(struct ieee80211_mgmt, u.auth),
3308 		       out_mic);
3309 
3310 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
3311 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
3312 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
3313 		goto fail;
3314 	}
3315 
3316 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
3317 		wrapped_data = ieee802_11_defrag(&elems,
3318 						 WLAN_EID_EXTENSION,
3319 						 WLAN_EID_EXT_WRAPPED_DATA);
3320 
3321 		if (!wrapped_data) {
3322 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
3323 			goto fail;
3324 		}
3325 
3326 #ifdef CONFIG_SAE
3327 		if (sta->pasn->akmp == WPA_KEY_MGMT_SAE) {
3328 			ret = pasn_wd_handle_sae_confirm(hapd, sta,
3329 							 wrapped_data);
3330 			if (ret) {
3331 				wpa_printf(MSG_DEBUG,
3332 					   "PASN: Failed processing SAE confirm");
3333 				wpabuf_free(wrapped_data);
3334 				goto fail;
3335 			}
3336 		}
3337 #endif /* CONFIG_SAE */
3338 #ifdef CONFIG_FILS
3339 		if (sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
3340 		    sta->pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
3341 			if (wrapped_data) {
3342 				wpa_printf(MSG_DEBUG,
3343 					   "PASN: FILS: Ignore wrapped data");
3344 			}
3345 		}
3346 #endif /* CONFIG_FILS */
3347 		wpabuf_free(wrapped_data);
3348 	}
3349 
3350 	wpa_printf(MSG_INFO,
3351 		   "PASN: Success handling transaction == 3. Store PTK");
3352 
3353 	ptksa_cache_add(hapd->ptksa, sta->addr, sta->pasn->cipher, 43200,
3354 			&sta->pasn->ptk);
3355 fail:
3356 	ap_free_sta(hapd, sta);
3357 }
3358 
3359 
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)3360 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
3361 			     const struct ieee80211_mgmt *mgmt, size_t len,
3362 			     u16 trans_seq, u16 status)
3363 {
3364 	if (hapd->conf->wpa != WPA_PROTO_RSN) {
3365 		wpa_printf(MSG_INFO, "PASN: RSN is not configured");
3366 		return;
3367 	}
3368 
3369 	wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
3370 		   MAC2STR(sta->addr));
3371 
3372 	if (trans_seq == 1) {
3373 		if (sta->pasn) {
3374 			wpa_printf(MSG_DEBUG,
3375 				   "PASN: Not expecting transaction == 1");
3376 			return;
3377 		}
3378 
3379 		if (status != WLAN_STATUS_SUCCESS) {
3380 			wpa_printf(MSG_DEBUG,
3381 				   "PASN: Failure status in transaction == 1");
3382 			return;
3383 		}
3384 
3385 		sta->pasn = os_zalloc(sizeof(*sta->pasn));
3386 		if (!sta->pasn) {
3387 			wpa_printf(MSG_DEBUG,
3388 				   "PASN: Failed to allocate PASN context");
3389 			return;
3390 		}
3391 
3392 		handle_auth_pasn_1(hapd, sta, mgmt, len);
3393 	} else if (trans_seq == 3) {
3394 		if (!sta->pasn) {
3395 			wpa_printf(MSG_DEBUG,
3396 				   "PASN: Not expecting transaction == 3");
3397 			return;
3398 		}
3399 
3400 		if (status != WLAN_STATUS_SUCCESS) {
3401 			wpa_printf(MSG_DEBUG,
3402 				   "PASN: Failure status in transaction == 3");
3403 			ap_free_sta_pasn(hapd, sta);
3404 			return;
3405 		}
3406 
3407 		handle_auth_pasn_3(hapd, sta, mgmt, len);
3408 	} else {
3409 		wpa_printf(MSG_DEBUG,
3410 			   "PASN: Invalid transaction %u - ignore", trans_seq);
3411 	}
3412 }
3413 
3414 #endif /* CONFIG_PASN */
3415 
3416 
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)3417 static void handle_auth(struct hostapd_data *hapd,
3418 			const struct ieee80211_mgmt *mgmt, size_t len,
3419 			int rssi, int from_queue)
3420 {
3421 	u16 auth_alg, auth_transaction, status_code;
3422 	u16 resp = WLAN_STATUS_SUCCESS;
3423 	struct sta_info *sta = NULL;
3424 	int res, reply_res;
3425 	u16 fc;
3426 	const u8 *challenge = NULL;
3427 	u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
3428 	size_t resp_ies_len = 0;
3429 	u16 seq_ctrl;
3430 	struct radius_sta rad_info;
3431 
3432 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3433 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
3434 			   (unsigned long) len);
3435 		return;
3436 	}
3437 
3438 #ifdef CONFIG_TESTING_OPTIONS
3439 	if (hapd->iconf->ignore_auth_probability > 0.0 &&
3440 	    drand48() < hapd->iconf->ignore_auth_probability) {
3441 		wpa_printf(MSG_INFO,
3442 			   "TESTING: ignoring auth frame from " MACSTR,
3443 			   MAC2STR(mgmt->sa));
3444 		return;
3445 	}
3446 #endif /* CONFIG_TESTING_OPTIONS */
3447 
3448 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3449 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3450 	status_code = le_to_host16(mgmt->u.auth.status_code);
3451 	fc = le_to_host16(mgmt->frame_control);
3452 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3453 
3454 	if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
3455 	    2 + WLAN_AUTH_CHALLENGE_LEN &&
3456 	    mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
3457 	    mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
3458 		challenge = &mgmt->u.auth.variable[2];
3459 
3460 	wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
3461 		   "auth_transaction=%d status_code=%d wep=%d%s "
3462 		   "seq_ctrl=0x%x%s%s",
3463 		   MAC2STR(mgmt->sa), auth_alg, auth_transaction,
3464 		   status_code, !!(fc & WLAN_FC_ISWEP),
3465 		   challenge ? " challenge" : "",
3466 		   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
3467 		   from_queue ? " (from queue)" : "");
3468 
3469 #ifdef CONFIG_NO_RC4
3470 	if (auth_alg == WLAN_AUTH_SHARED_KEY) {
3471 		wpa_printf(MSG_INFO,
3472 			   "Unsupported authentication algorithm (%d)",
3473 			   auth_alg);
3474 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3475 		goto fail;
3476 	}
3477 #endif /* CONFIG_NO_RC4 */
3478 
3479 	if (hapd->tkip_countermeasures) {
3480 		wpa_printf(MSG_DEBUG,
3481 			   "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
3482 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3483 		goto fail;
3484 	}
3485 
3486 	if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
3487 	       auth_alg == WLAN_AUTH_OPEN) ||
3488 #ifdef CONFIG_IEEE80211R_AP
3489 	      (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
3490 	       auth_alg == WLAN_AUTH_FT) ||
3491 #endif /* CONFIG_IEEE80211R_AP */
3492 #ifdef CONFIG_SAE
3493 	      (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
3494 	       auth_alg == WLAN_AUTH_SAE) ||
3495 #endif /* CONFIG_SAE */
3496 #ifdef CONFIG_FILS
3497 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3498 	       auth_alg == WLAN_AUTH_FILS_SK) ||
3499 	      (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
3500 	       hapd->conf->fils_dh_group &&
3501 	       auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
3502 #endif /* CONFIG_FILS */
3503 #ifdef CONFIG_PASN
3504 	      (hapd->conf->wpa &&
3505 	       (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3506 	       auth_alg == WLAN_AUTH_PASN) ||
3507 #endif /* CONFIG_PASN */
3508 	      ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3509 	       auth_alg == WLAN_AUTH_SHARED_KEY))) {
3510 		wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3511 			   auth_alg);
3512 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3513 		goto fail;
3514 	}
3515 
3516 	if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3517 #ifdef CONFIG_PASN
3518 	      (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3519 #endif /* CONFIG_PASN */
3520 	      (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3521 		wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3522 			   auth_transaction);
3523 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3524 		goto fail;
3525 	}
3526 
3527 	if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
3528 		wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3529 			   MAC2STR(mgmt->sa));
3530 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3531 		goto fail;
3532 	}
3533 
3534 	if (hapd->conf->no_auth_if_seen_on) {
3535 		struct hostapd_data *other;
3536 
3537 		other = sta_track_seen_on(hapd->iface, mgmt->sa,
3538 					  hapd->conf->no_auth_if_seen_on);
3539 		if (other) {
3540 			u8 *pos;
3541 			u32 info;
3542 			u8 op_class, channel, phytype;
3543 
3544 			wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3545 				   MACSTR " since STA has been seen on %s",
3546 				   hapd->conf->iface, MAC2STR(mgmt->sa),
3547 				   hapd->conf->no_auth_if_seen_on);
3548 
3549 			resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3550 			pos = &resp_ies[0];
3551 			*pos++ = WLAN_EID_NEIGHBOR_REPORT;
3552 			*pos++ = 13;
3553 			os_memcpy(pos, other->own_addr, ETH_ALEN);
3554 			pos += ETH_ALEN;
3555 			info = 0; /* TODO: BSSID Information */
3556 			WPA_PUT_LE32(pos, info);
3557 			pos += 4;
3558 			if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3559 				phytype = 8; /* dmg */
3560 			else if (other->iconf->ieee80211ac)
3561 				phytype = 9; /* vht */
3562 			else if (other->iconf->ieee80211n)
3563 				phytype = 7; /* ht */
3564 			else if (other->iconf->hw_mode ==
3565 				 HOSTAPD_MODE_IEEE80211A)
3566 				phytype = 4; /* ofdm */
3567 			else if (other->iconf->hw_mode ==
3568 				 HOSTAPD_MODE_IEEE80211G)
3569 				phytype = 6; /* erp */
3570 			else
3571 				phytype = 5; /* hrdsss */
3572 			if (ieee80211_freq_to_channel_ext(
3573 				    hostapd_hw_get_freq(other,
3574 							other->iconf->channel),
3575 				    other->iconf->secondary_channel,
3576 				    other->iconf->ieee80211ac,
3577 				    &op_class, &channel) == NUM_HOSTAPD_MODES) {
3578 				op_class = 0;
3579 				channel = other->iconf->channel;
3580 			}
3581 			*pos++ = op_class;
3582 			*pos++ = channel;
3583 			*pos++ = phytype;
3584 			resp_ies_len = pos - &resp_ies[0];
3585 			goto fail;
3586 		}
3587 	}
3588 
3589 	res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
3590 					 &rad_info);
3591 	if (res == HOSTAPD_ACL_REJECT) {
3592 		wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3593 			"Ignore Authentication frame from " MACSTR
3594 			" due to ACL reject", MAC2STR(mgmt->sa));
3595 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3596 		goto fail;
3597 	}
3598 	if (res == HOSTAPD_ACL_PENDING)
3599 		return;
3600 
3601 #ifdef CONFIG_SAE
3602 	if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3603 	    (auth_transaction == 1 ||
3604 	     (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
3605 		/* Handle SAE Authentication commit message through a queue to
3606 		 * provide more control for postponing the needed heavy
3607 		 * processing under a possible DoS attack scenario. In addition,
3608 		 * queue SAE Authentication confirm message if there happens to
3609 		 * be a queued commit message from the same peer. This is needed
3610 		 * to avoid reordering Authentication frames within the same
3611 		 * SAE exchange. */
3612 		auth_sae_queue(hapd, mgmt, len, rssi);
3613 		return;
3614 	}
3615 #endif /* CONFIG_SAE */
3616 
3617 	sta = ap_get_sta(hapd, mgmt->sa);
3618 	if (sta) {
3619 		sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3620 		sta->ft_over_ds = 0;
3621 		if ((fc & WLAN_FC_RETRY) &&
3622 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3623 		    sta->last_seq_ctrl == seq_ctrl &&
3624 		    sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3625 			hostapd_logger(hapd, sta->addr,
3626 				       HOSTAPD_MODULE_IEEE80211,
3627 				       HOSTAPD_LEVEL_DEBUG,
3628 				       "Drop repeated authentication frame seq_ctrl=0x%x",
3629 				       seq_ctrl);
3630 			return;
3631 		}
3632 #ifdef CONFIG_MESH
3633 		if ((hapd->conf->mesh & MESH_ENABLED) &&
3634 		    sta->plink_state == PLINK_BLOCKED) {
3635 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3636 				   " is blocked - drop Authentication frame",
3637 				   MAC2STR(mgmt->sa));
3638 			return;
3639 		}
3640 #endif /* CONFIG_MESH */
3641 #ifdef CONFIG_PASN
3642 		if (auth_alg == WLAN_AUTH_PASN &&
3643 		    (sta->flags & WLAN_STA_ASSOC)) {
3644 			wpa_printf(MSG_DEBUG,
3645 				   "PASN: auth: Existing station: " MACSTR,
3646 				   MAC2STR(sta->addr));
3647 			return;
3648 		}
3649 #endif /* CONFIG_PASN */
3650 	} else {
3651 #ifdef CONFIG_MESH
3652 		if (hapd->conf->mesh & MESH_ENABLED) {
3653 			/* if the mesh peer is not available, we don't do auth.
3654 			 */
3655 			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3656 				   " not yet known - drop Authentication frame",
3657 				   MAC2STR(mgmt->sa));
3658 			/*
3659 			 * Save a copy of the frame so that it can be processed
3660 			 * if a new peer entry is added shortly after this.
3661 			 */
3662 			wpabuf_free(hapd->mesh_pending_auth);
3663 			hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3664 			os_get_reltime(&hapd->mesh_pending_auth_time);
3665 			return;
3666 		}
3667 #endif /* CONFIG_MESH */
3668 
3669 		sta = ap_sta_add(hapd, mgmt->sa);
3670 		if (!sta) {
3671 			wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3672 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3673 			goto fail;
3674 		}
3675 	}
3676 	sta->last_seq_ctrl = seq_ctrl;
3677 	sta->last_subtype = WLAN_FC_STYPE_AUTH;
3678 #ifdef CONFIG_MBO
3679 	sta->auth_rssi = rssi;
3680 #endif /* CONFIG_MBO */
3681 
3682 	res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3683 	if (res) {
3684 		wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3685 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3686 		goto fail;
3687 	}
3688 
3689 	sta->flags &= ~WLAN_STA_PREAUTH;
3690 	ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3691 
3692 	/*
3693 	 * If the driver supports full AP client state, add a station to the
3694 	 * driver before sending authentication reply to make sure the driver
3695 	 * has resources, and not to go through the entire authentication and
3696 	 * association handshake, and fail it at the end.
3697 	 *
3698 	 * If this is not the first transaction, in a multi-step authentication
3699 	 * algorithm, the station already exists in the driver
3700 	 * (sta->added_unassoc = 1) so skip it.
3701 	 *
3702 	 * In mesh mode, the station was already added to the driver when the
3703 	 * NEW_PEER_CANDIDATE event is received.
3704 	 *
3705 	 * If PMF was negotiated for the existing association, skip this to
3706 	 * avoid dropping the STA entry and the associated keys. This is needed
3707 	 * to allow the original connection work until the attempt can complete
3708 	 * (re)association, so that unprotected Authentication frame cannot be
3709 	 * used to bypass PMF protection.
3710 	 *
3711 	 * PASN authentication does not require adding/removing station to the
3712 	 * driver so skip this flow in case of PASN authentication.
3713 	 */
3714 	if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3715 	    (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3716 	    !(hapd->conf->mesh & MESH_ENABLED) &&
3717 	    !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3718 		if (ap_sta_re_add(hapd, sta) < 0) {
3719 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3720 			goto fail;
3721 		}
3722 	}
3723 
3724 	switch (auth_alg) {
3725 	case WLAN_AUTH_OPEN:
3726 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3727 			       HOSTAPD_LEVEL_DEBUG,
3728 			       "authentication OK (open system)");
3729 		sta->flags |= WLAN_STA_AUTH;
3730 		wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3731 		sta->auth_alg = WLAN_AUTH_OPEN;
3732 		mlme_authenticate_indication(hapd, sta);
3733 		break;
3734 #ifdef CONFIG_WEP
3735 #ifndef CONFIG_NO_RC4
3736 	case WLAN_AUTH_SHARED_KEY:
3737 		resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3738 				       fc & WLAN_FC_ISWEP);
3739 		if (resp != 0)
3740 			wpa_printf(MSG_DEBUG,
3741 				   "auth_shared_key() failed: status=%d", resp);
3742 		sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3743 		mlme_authenticate_indication(hapd, sta);
3744 		if (sta->challenge && auth_transaction == 1) {
3745 			resp_ies[0] = WLAN_EID_CHALLENGE;
3746 			resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3747 			os_memcpy(resp_ies + 2, sta->challenge,
3748 				  WLAN_AUTH_CHALLENGE_LEN);
3749 			resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3750 		}
3751 		break;
3752 #endif /* CONFIG_NO_RC4 */
3753 #endif /* CONFIG_WEP */
3754 #ifdef CONFIG_IEEE80211R_AP
3755 	case WLAN_AUTH_FT:
3756 		sta->auth_alg = WLAN_AUTH_FT;
3757 		if (sta->wpa_sm == NULL)
3758 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3759 							sta->addr, NULL);
3760 		if (sta->wpa_sm == NULL) {
3761 			wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3762 				   "state machine");
3763 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3764 			goto fail;
3765 		}
3766 		wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
3767 				    auth_transaction, mgmt->u.auth.variable,
3768 				    len - IEEE80211_HDRLEN -
3769 				    sizeof(mgmt->u.auth),
3770 				    handle_auth_ft_finish, hapd);
3771 		/* handle_auth_ft_finish() callback will complete auth. */
3772 		return;
3773 #endif /* CONFIG_IEEE80211R_AP */
3774 #ifdef CONFIG_SAE
3775 	case WLAN_AUTH_SAE:
3776 #ifdef CONFIG_MESH
3777 		if (status_code == WLAN_STATUS_SUCCESS &&
3778 		    hapd->conf->mesh & MESH_ENABLED) {
3779 			if (sta->wpa_sm == NULL)
3780 				sta->wpa_sm =
3781 					wpa_auth_sta_init(hapd->wpa_auth,
3782 							  sta->addr, NULL);
3783 			if (sta->wpa_sm == NULL) {
3784 				wpa_printf(MSG_DEBUG,
3785 					   "SAE: Failed to initialize WPA state machine");
3786 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3787 				goto fail;
3788 			}
3789 		}
3790 #endif /* CONFIG_MESH */
3791 		handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3792 				status_code);
3793 		return;
3794 #endif /* CONFIG_SAE */
3795 #ifdef CONFIG_FILS
3796 	case WLAN_AUTH_FILS_SK:
3797 	case WLAN_AUTH_FILS_SK_PFS:
3798 		handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3799 				 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3800 				 auth_alg, auth_transaction, status_code,
3801 				 handle_auth_fils_finish);
3802 		return;
3803 #endif /* CONFIG_FILS */
3804 #ifdef CONFIG_PASN
3805 	case WLAN_AUTH_PASN:
3806 		handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3807 				 status_code);
3808 		return;
3809 #endif /* CONFIG_PASN */
3810 	}
3811 
3812  fail:
3813 	reply_res = send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, auth_alg,
3814 				    auth_transaction + 1, resp, resp_ies,
3815 				    resp_ies_len, "handle-auth");
3816 
3817 	if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3818 					  reply_res != WLAN_STATUS_SUCCESS)) {
3819 		hostapd_drv_sta_remove(hapd, sta->addr);
3820 		sta->added_unassoc = 0;
3821 	}
3822 }
3823 
3824 
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3825 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3826 {
3827 	int i, j = 32, aid;
3828 
3829 	/* get a unique AID */
3830 	if (sta->aid > 0) {
3831 		wpa_printf(MSG_DEBUG, "  old AID %d", sta->aid);
3832 		return 0;
3833 	}
3834 
3835 	if (TEST_FAIL())
3836 		return -1;
3837 
3838 	for (i = 0; i < AID_WORDS; i++) {
3839 		if (hapd->sta_aid[i] == (u32) -1)
3840 			continue;
3841 		for (j = 0; j < 32; j++) {
3842 			if (!(hapd->sta_aid[i] & BIT(j)))
3843 				break;
3844 		}
3845 		if (j < 32)
3846 			break;
3847 	}
3848 	if (j == 32)
3849 		return -1;
3850 	aid = i * 32 + j + 1;
3851 	if (aid > 2007)
3852 		return -1;
3853 
3854 	sta->aid = aid;
3855 	hapd->sta_aid[i] |= BIT(j);
3856 	wpa_printf(MSG_DEBUG, "  new AID %d", sta->aid);
3857 	return 0;
3858 }
3859 
3860 
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3861 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3862 		      const u8 *ssid_ie, size_t ssid_ie_len)
3863 {
3864 	if (ssid_ie == NULL)
3865 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
3866 
3867 	if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
3868 	    os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
3869 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3870 			       HOSTAPD_LEVEL_INFO,
3871 			       "Station tried to associate with unknown SSID "
3872 			       "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
3873 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
3874 	}
3875 
3876 	return WLAN_STATUS_SUCCESS;
3877 }
3878 
3879 
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)3880 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
3881 		     const u8 *wmm_ie, size_t wmm_ie_len)
3882 {
3883 	sta->flags &= ~WLAN_STA_WMM;
3884 	sta->qosinfo = 0;
3885 	if (wmm_ie && hapd->conf->wmm_enabled) {
3886 		struct wmm_information_element *wmm;
3887 
3888 		if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
3889 			hostapd_logger(hapd, sta->addr,
3890 				       HOSTAPD_MODULE_WPA,
3891 				       HOSTAPD_LEVEL_DEBUG,
3892 				       "invalid WMM element in association "
3893 				       "request");
3894 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
3895 		}
3896 
3897 		sta->flags |= WLAN_STA_WMM;
3898 		wmm = (struct wmm_information_element *) wmm_ie;
3899 		sta->qosinfo = wmm->qos_info;
3900 	}
3901 	return WLAN_STATUS_SUCCESS;
3902 }
3903 
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)3904 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
3905 			  const u8 *multi_ap_ie, size_t multi_ap_len)
3906 {
3907 	u8 multi_ap_value = 0;
3908 
3909 	sta->flags &= ~WLAN_STA_MULTI_AP;
3910 
3911 	if (!hapd->conf->multi_ap)
3912 		return WLAN_STATUS_SUCCESS;
3913 
3914 	if (multi_ap_ie) {
3915 		const u8 *multi_ap_subelem;
3916 
3917 		multi_ap_subelem = get_ie(multi_ap_ie + 4,
3918 					  multi_ap_len - 4,
3919 					  MULTI_AP_SUB_ELEM_TYPE);
3920 		if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
3921 			multi_ap_value = multi_ap_subelem[2];
3922 		} else {
3923 			hostapd_logger(hapd, sta->addr,
3924 				       HOSTAPD_MODULE_IEEE80211,
3925 				       HOSTAPD_LEVEL_INFO,
3926 				       "Multi-AP IE has missing or invalid Multi-AP subelement");
3927 			return WLAN_STATUS_INVALID_IE;
3928 		}
3929 	}
3930 
3931 	if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
3932 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3933 			       HOSTAPD_LEVEL_INFO,
3934 			       "Multi-AP IE with unexpected value 0x%02x",
3935 			       multi_ap_value);
3936 
3937 	if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
3938 		if (hapd->conf->multi_ap & FRONTHAUL_BSS)
3939 			return WLAN_STATUS_SUCCESS;
3940 
3941 		hostapd_logger(hapd, sta->addr,
3942 			       HOSTAPD_MODULE_IEEE80211,
3943 			       HOSTAPD_LEVEL_INFO,
3944 			       "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3945 		return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3946 	}
3947 
3948 	if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
3949 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3950 			       HOSTAPD_LEVEL_DEBUG,
3951 			       "Backhaul STA tries to associate with fronthaul-only BSS");
3952 
3953 	sta->flags |= WLAN_STA_MULTI_AP;
3954 	return WLAN_STATUS_SUCCESS;
3955 }
3956 
3957 
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)3958 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
3959 			   struct ieee802_11_elems *elems)
3960 {
3961 	/* Supported rates not used in IEEE 802.11ad/DMG */
3962 	if (hapd->iface->current_mode &&
3963 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
3964 		return WLAN_STATUS_SUCCESS;
3965 
3966 	if (!elems->supp_rates) {
3967 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3968 			       HOSTAPD_LEVEL_DEBUG,
3969 			       "No supported rates element in AssocReq");
3970 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
3971 	}
3972 
3973 	if (elems->supp_rates_len + elems->ext_supp_rates_len >
3974 	    sizeof(sta->supported_rates)) {
3975 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3976 			       HOSTAPD_LEVEL_DEBUG,
3977 			       "Invalid supported rates element length %d+%d",
3978 			       elems->supp_rates_len,
3979 			       elems->ext_supp_rates_len);
3980 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
3981 	}
3982 
3983 	sta->supported_rates_len = merge_byte_arrays(
3984 		sta->supported_rates, sizeof(sta->supported_rates),
3985 		elems->supp_rates, elems->supp_rates_len,
3986 		elems->ext_supp_rates, elems->ext_supp_rates_len);
3987 
3988 	return WLAN_STATUS_SUCCESS;
3989 }
3990 
3991 
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)3992 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
3993 			   const u8 *ext_capab_ie, size_t ext_capab_ie_len)
3994 {
3995 #ifdef CONFIG_INTERWORKING
3996 	/* check for QoS Map support */
3997 	if (ext_capab_ie_len >= 5) {
3998 		if (ext_capab_ie[4] & 0x01)
3999 			sta->qos_map_enabled = 1;
4000 	}
4001 #endif /* CONFIG_INTERWORKING */
4002 
4003 	if (ext_capab_ie_len > 0) {
4004 		sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
4005 		os_free(sta->ext_capability);
4006 		sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
4007 		if (sta->ext_capability) {
4008 			sta->ext_capability[0] = ext_capab_ie_len;
4009 			os_memcpy(sta->ext_capability + 1, ext_capab_ie,
4010 				  ext_capab_ie_len);
4011 		}
4012 	}
4013 
4014 	return WLAN_STATUS_SUCCESS;
4015 }
4016 
4017 
4018 #ifdef CONFIG_OWE
4019 
owe_group_supported(struct hostapd_data * hapd,u16 group)4020 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
4021 {
4022 	int i;
4023 	int *groups = hapd->conf->owe_groups;
4024 
4025 	if (group != 19 && group != 20 && group != 21)
4026 		return 0;
4027 
4028 	if (!groups)
4029 		return 1;
4030 
4031 	for (i = 0; groups[i] > 0; i++) {
4032 		if (groups[i] == group)
4033 			return 1;
4034 	}
4035 
4036 	return 0;
4037 }
4038 
4039 
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)4040 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
4041 				 struct sta_info *sta, const u8 *owe_dh,
4042 				 u8 owe_dh_len)
4043 {
4044 	struct wpabuf *secret, *pub, *hkey;
4045 	int res;
4046 	u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4047 	const char *info = "OWE Key Generation";
4048 	const u8 *addr[2];
4049 	size_t len[2];
4050 	u16 group;
4051 	size_t hash_len, prime_len;
4052 
4053 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
4054 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
4055 		return WLAN_STATUS_SUCCESS;
4056 	}
4057 
4058 	group = WPA_GET_LE16(owe_dh);
4059 	if (!owe_group_supported(hapd, group)) {
4060 		wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
4061 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4062 	}
4063 	if (group == 19)
4064 		prime_len = 32;
4065 	else if (group == 20)
4066 		prime_len = 48;
4067 	else if (group == 21)
4068 		prime_len = 66;
4069 	else
4070 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4071 
4072 	crypto_ecdh_deinit(sta->owe_ecdh);
4073 	sta->owe_ecdh = crypto_ecdh_init(group);
4074 	if (!sta->owe_ecdh)
4075 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
4076 	sta->owe_group = group;
4077 
4078 	secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
4079 					 owe_dh_len - 2);
4080 	secret = wpabuf_zeropad(secret, prime_len);
4081 	if (!secret) {
4082 		wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4083 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4084 	}
4085 	wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4086 
4087 	/* prk = HKDF-extract(C | A | group, z) */
4088 
4089 	pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4090 	if (!pub) {
4091 		wpabuf_clear_free(secret);
4092 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4093 	}
4094 
4095 	/* PMKID = Truncate-128(Hash(C | A)) */
4096 	addr[0] = owe_dh + 2;
4097 	len[0] = owe_dh_len - 2;
4098 	addr[1] = wpabuf_head(pub);
4099 	len[1] = wpabuf_len(pub);
4100 	if (group == 19) {
4101 		res = sha256_vector(2, addr, len, pmkid);
4102 		hash_len = SHA256_MAC_LEN;
4103 	} else if (group == 20) {
4104 		res = sha384_vector(2, addr, len, pmkid);
4105 		hash_len = SHA384_MAC_LEN;
4106 	} else if (group == 21) {
4107 		res = sha512_vector(2, addr, len, pmkid);
4108 		hash_len = SHA512_MAC_LEN;
4109 	} else {
4110 		wpabuf_free(pub);
4111 		wpabuf_clear_free(secret);
4112 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4113 	}
4114 	pub = wpabuf_zeropad(pub, prime_len);
4115 	if (res < 0 || !pub) {
4116 		wpabuf_free(pub);
4117 		wpabuf_clear_free(secret);
4118 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4119 	}
4120 
4121 	hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
4122 	if (!hkey) {
4123 		wpabuf_free(pub);
4124 		wpabuf_clear_free(secret);
4125 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4126 	}
4127 
4128 	wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
4129 	wpabuf_put_buf(hkey, pub); /* A */
4130 	wpabuf_free(pub);
4131 	wpabuf_put_le16(hkey, group); /* group */
4132 	if (group == 19)
4133 		res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4134 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4135 	else if (group == 20)
4136 		res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4137 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4138 	else if (group == 21)
4139 		res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4140 				  wpabuf_head(secret), wpabuf_len(secret), prk);
4141 	wpabuf_clear_free(hkey);
4142 	wpabuf_clear_free(secret);
4143 	if (res < 0)
4144 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4145 
4146 	wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4147 
4148 	/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4149 
4150 	os_free(sta->owe_pmk);
4151 	sta->owe_pmk = os_malloc(hash_len);
4152 	if (!sta->owe_pmk) {
4153 		os_memset(prk, 0, SHA512_MAC_LEN);
4154 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4155 	}
4156 
4157 	if (group == 19)
4158 		res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4159 				      os_strlen(info), sta->owe_pmk, hash_len);
4160 	else if (group == 20)
4161 		res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4162 				      os_strlen(info), sta->owe_pmk, hash_len);
4163 	else if (group == 21)
4164 		res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4165 				      os_strlen(info), sta->owe_pmk, hash_len);
4166 	os_memset(prk, 0, SHA512_MAC_LEN);
4167 	if (res < 0) {
4168 		os_free(sta->owe_pmk);
4169 		sta->owe_pmk = NULL;
4170 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4171 	}
4172 	sta->owe_pmk_len = hash_len;
4173 
4174 	wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
4175 	wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4176 	wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
4177 			    sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
4178 
4179 	return WLAN_STATUS_SUCCESS;
4180 }
4181 
4182 
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4183 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
4184 			 const u8 *rsn_ie, size_t rsn_ie_len,
4185 			 const u8 *owe_dh, size_t owe_dh_len)
4186 {
4187 	struct wpa_ie_data data;
4188 	int res;
4189 
4190 	if (!rsn_ie || rsn_ie_len < 2) {
4191 		wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
4192 			   MAC2STR(peer));
4193 		return WLAN_STATUS_INVALID_IE;
4194 	}
4195 	rsn_ie -= 2;
4196 	rsn_ie_len += 2;
4197 
4198 	res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
4199 	if (res) {
4200 		wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
4201 			   " (res=%d)", MAC2STR(peer), res);
4202 		wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
4203 		return wpa_res_to_status_code(res);
4204 	}
4205 	if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
4206 		wpa_printf(MSG_DEBUG,
4207 			   "OWE: Unexpected key mgmt 0x%x from " MACSTR,
4208 			   (unsigned int) data.key_mgmt, MAC2STR(peer));
4209 		return WLAN_STATUS_AKMP_NOT_VALID;
4210 	}
4211 	if (!owe_dh) {
4212 		wpa_printf(MSG_DEBUG,
4213 			   "OWE: No Diffie-Hellman Parameter element from "
4214 			   MACSTR, MAC2STR(peer));
4215 		return WLAN_STATUS_AKMP_NOT_VALID;
4216 	}
4217 
4218 	return WLAN_STATUS_SUCCESS;
4219 }
4220 
4221 
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)4222 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
4223 		       struct sta_info *sta,
4224 		       const u8 *rsn_ie, size_t rsn_ie_len,
4225 		       const u8 *owe_dh, size_t owe_dh_len)
4226 {
4227 	u16 status;
4228 	u8 *owe_buf, ie[256 * 2];
4229 	size_t ie_len = 0;
4230 	enum wpa_validate_result res;
4231 
4232 	if (!rsn_ie || rsn_ie_len < 2) {
4233 		wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
4234 		status = WLAN_STATUS_INVALID_IE;
4235 		goto end;
4236 	}
4237 
4238 	if (!sta->wpa_sm)
4239 		sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,	sta->addr,
4240 						NULL);
4241 	if (!sta->wpa_sm) {
4242 		wpa_printf(MSG_WARNING,
4243 			   "OWE: Failed to initialize WPA state machine");
4244 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4245 		goto end;
4246 	}
4247 	rsn_ie -= 2;
4248 	rsn_ie_len += 2;
4249 	res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4250 				  hapd->iface->freq, rsn_ie, rsn_ie_len,
4251 				  NULL, 0, NULL, 0, owe_dh, owe_dh_len);
4252 	status = wpa_res_to_status_code(res);
4253 	if (status != WLAN_STATUS_SUCCESS)
4254 		goto end;
4255 	status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
4256 	if (status != WLAN_STATUS_SUCCESS)
4257 		goto end;
4258 	owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
4259 						NULL, 0);
4260 	if (!owe_buf) {
4261 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4262 		goto end;
4263 	}
4264 
4265 	if (sta->owe_ecdh) {
4266 		struct wpabuf *pub;
4267 
4268 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
4269 		if (!pub) {
4270 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4271 			goto end;
4272 		}
4273 
4274 		/* OWE Diffie-Hellman Parameter element */
4275 		*owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
4276 		*owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
4277 		*owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
4278 							 */
4279 		WPA_PUT_LE16(owe_buf, sta->owe_group);
4280 		owe_buf += 2;
4281 		os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
4282 		owe_buf += wpabuf_len(pub);
4283 		wpabuf_free(pub);
4284 		sta->external_dh_updated = 1;
4285 	}
4286 	ie_len = owe_buf - ie;
4287 
4288 end:
4289 	wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
4290 			      MACSTR, status, (unsigned int) ie_len,
4291 			      MAC2STR(sta->addr));
4292 	hostapd_drv_update_dh_ie(hapd, sta->addr, status,
4293 				 status == WLAN_STATUS_SUCCESS ? ie : NULL,
4294 				 ie_len);
4295 
4296 	return status;
4297 }
4298 
4299 #endif /* CONFIG_OWE */
4300 
4301 
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4302 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
4303 			   int reassoc)
4304 {
4305 	if ((sta->flags &
4306 	     (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
4307 	    (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
4308 		return false;
4309 
4310 	if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
4311 		ap_check_sa_query_timeout(hapd, sta);
4312 
4313 	if (!sta->sa_query_timed_out &&
4314 	    (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
4315 		/*
4316 		 * STA has already been associated with MFP and SA Query timeout
4317 		 * has not been reached. Reject the association attempt
4318 		 * temporarily and start SA Query, if one is not pending.
4319 		 */
4320 		if (sta->sa_query_count == 0)
4321 			ap_sta_start_sa_query(hapd, sta);
4322 
4323 		return true;
4324 	}
4325 
4326 	return false;
4327 }
4328 
4329 
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4330 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4331 			   const u8 *ies, size_t ies_len, int reassoc)
4332 {
4333 	struct ieee802_11_elems elems;
4334 	int resp;
4335 	const u8 *wpa_ie;
4336 	size_t wpa_ie_len;
4337 	const u8 *p2p_dev_addr = NULL;
4338 
4339 	if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4340 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4341 			       HOSTAPD_LEVEL_INFO, "Station sent an invalid "
4342 			       "association request");
4343 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4344 	}
4345 
4346 	resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
4347 	if (resp != WLAN_STATUS_SUCCESS)
4348 		return resp;
4349 	resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
4350 	if (resp != WLAN_STATUS_SUCCESS)
4351 		return resp;
4352 	resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
4353 	if (resp != WLAN_STATUS_SUCCESS)
4354 		return resp;
4355 	resp = copy_supp_rates(hapd, sta, &elems);
4356 	if (resp != WLAN_STATUS_SUCCESS)
4357 		return resp;
4358 
4359 	resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
4360 	if (resp != WLAN_STATUS_SUCCESS)
4361 		return resp;
4362 
4363 	resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
4364 	if (resp != WLAN_STATUS_SUCCESS)
4365 		return resp;
4366 	if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
4367 	    !(sta->flags & WLAN_STA_HT)) {
4368 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4369 			       HOSTAPD_LEVEL_INFO, "Station does not support "
4370 			       "mandatory HT PHY - reject association");
4371 		return WLAN_STATUS_ASSOC_DENIED_NO_HT;
4372 	}
4373 
4374 #ifdef CONFIG_IEEE80211AC
4375 	if (hapd->iconf->ieee80211ac) {
4376 		resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
4377 		if (resp != WLAN_STATUS_SUCCESS)
4378 			return resp;
4379 
4380 		resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
4381 		if (resp != WLAN_STATUS_SUCCESS)
4382 			return resp;
4383 	}
4384 
4385 	if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
4386 	    !(sta->flags & WLAN_STA_VHT)) {
4387 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4388 			       HOSTAPD_LEVEL_INFO, "Station does not support "
4389 			       "mandatory VHT PHY - reject association");
4390 		return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4391 	}
4392 
4393 	if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
4394 		resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
4395 					   elems.vendor_vht_len);
4396 		if (resp != WLAN_STATUS_SUCCESS)
4397 			return resp;
4398 	}
4399 #endif /* CONFIG_IEEE80211AC */
4400 #ifdef CONFIG_IEEE80211AX
4401 	if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4402 		resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4403 					 elems.he_capabilities,
4404 					 elems.he_capabilities_len);
4405 		if (resp != WLAN_STATUS_SUCCESS)
4406 			return resp;
4407 		if (is_6ghz_op_class(hapd->iconf->op_class)) {
4408 			if (!(sta->flags & WLAN_STA_HE)) {
4409 				hostapd_logger(hapd, sta->addr,
4410 					       HOSTAPD_MODULE_IEEE80211,
4411 					       HOSTAPD_LEVEL_INFO,
4412 					       "Station does not support mandatory HE PHY - reject association");
4413 				return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4414 			}
4415 			resp = copy_sta_he_6ghz_capab(hapd, sta,
4416 						      elems.he_6ghz_band_cap);
4417 			if (resp != WLAN_STATUS_SUCCESS)
4418 				return resp;
4419 		}
4420 	}
4421 #endif /* CONFIG_IEEE80211AX */
4422 
4423 #ifdef CONFIG_P2P
4424 	if (elems.p2p) {
4425 		wpabuf_free(sta->p2p_ie);
4426 		sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4427 							  P2P_IE_VENDOR_TYPE);
4428 		if (sta->p2p_ie)
4429 			p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4430 	} else {
4431 		wpabuf_free(sta->p2p_ie);
4432 		sta->p2p_ie = NULL;
4433 	}
4434 #endif /* CONFIG_P2P */
4435 
4436 	if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
4437 		wpa_ie = elems.rsn_ie;
4438 		wpa_ie_len = elems.rsn_ie_len;
4439 	} else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4440 		   elems.wpa_ie) {
4441 		wpa_ie = elems.wpa_ie;
4442 		wpa_ie_len = elems.wpa_ie_len;
4443 	} else {
4444 		wpa_ie = NULL;
4445 		wpa_ie_len = 0;
4446 	}
4447 
4448 #ifdef CONFIG_WPS
4449 	sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4450 	if (hapd->conf->wps_state && elems.wps_ie) {
4451 		wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4452 			   "Request - assume WPS is used");
4453 		if (check_sa_query(hapd, sta, reassoc))
4454 			return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4455 		sta->flags |= WLAN_STA_WPS;
4456 		wpabuf_free(sta->wps_ie);
4457 		sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4458 							  WPS_IE_VENDOR_TYPE);
4459 		if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4460 			wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4461 			sta->flags |= WLAN_STA_WPS2;
4462 		}
4463 		wpa_ie = NULL;
4464 		wpa_ie_len = 0;
4465 		if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4466 			wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4467 				   "(Re)Association Request - reject");
4468 			return WLAN_STATUS_INVALID_IE;
4469 		}
4470 	} else if (hapd->conf->wps_state && wpa_ie == NULL) {
4471 		wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4472 			   "(Re)Association Request - possible WPS use");
4473 		sta->flags |= WLAN_STA_MAYBE_WPS;
4474 	} else
4475 #endif /* CONFIG_WPS */
4476 	if (hapd->conf->wpa && wpa_ie == NULL) {
4477 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4478 			       HOSTAPD_LEVEL_INFO,
4479 			       "No WPA/RSN IE in association request");
4480 		return WLAN_STATUS_INVALID_IE;
4481 	}
4482 
4483 	if (hapd->conf->wpa && wpa_ie) {
4484 		enum wpa_validate_result res;
4485 
4486 		wpa_ie -= 2;
4487 		wpa_ie_len += 2;
4488 		if (sta->wpa_sm == NULL)
4489 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4490 							sta->addr,
4491 							p2p_dev_addr);
4492 		if (sta->wpa_sm == NULL) {
4493 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4494 				   "state machine");
4495 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4496 		}
4497 		wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4498 		res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4499 					  hapd->iface->freq,
4500 					  wpa_ie, wpa_ie_len,
4501 					  elems.rsnxe ? elems.rsnxe - 2 : NULL,
4502 					  elems.rsnxe ? elems.rsnxe_len + 2 : 0,
4503 					  elems.mdie, elems.mdie_len,
4504 					  elems.owe_dh, elems.owe_dh_len);
4505 		resp = wpa_res_to_status_code(res);
4506 		if (resp != WLAN_STATUS_SUCCESS)
4507 			return resp;
4508 
4509 		if (check_sa_query(hapd, sta, reassoc))
4510 			return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
4511 
4512 		if (wpa_auth_uses_mfp(sta->wpa_sm))
4513 			sta->flags |= WLAN_STA_MFP;
4514 		else
4515 			sta->flags &= ~WLAN_STA_MFP;
4516 
4517 #ifdef CONFIG_IEEE80211R_AP
4518 		if (sta->auth_alg == WLAN_AUTH_FT) {
4519 			if (!reassoc) {
4520 				wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4521 					   "to use association (not "
4522 					   "re-association) with FT auth_alg",
4523 					   MAC2STR(sta->addr));
4524 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
4525 			}
4526 
4527 			resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4528 						       ies_len);
4529 			if (resp != WLAN_STATUS_SUCCESS)
4530 				return resp;
4531 		}
4532 #endif /* CONFIG_IEEE80211R_AP */
4533 
4534 #ifdef CONFIG_SAE
4535 		if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4536 		    sta->sae->state == SAE_ACCEPTED)
4537 			wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4538 
4539 		if (wpa_auth_uses_sae(sta->wpa_sm) &&
4540 		    sta->auth_alg == WLAN_AUTH_OPEN) {
4541 			struct rsn_pmksa_cache_entry *sa;
4542 			sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4543 			if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
4544 				wpa_printf(MSG_DEBUG,
4545 					   "SAE: No PMKSA cache entry found for "
4546 					   MACSTR, MAC2STR(sta->addr));
4547 				return WLAN_STATUS_INVALID_PMKID;
4548 			}
4549 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4550 				   " using PMKSA caching", MAC2STR(sta->addr));
4551 		} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4552 			   sta->auth_alg != WLAN_AUTH_SAE &&
4553 			   !(sta->auth_alg == WLAN_AUTH_FT &&
4554 			     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4555 			wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4556 				   "SAE AKM after non-SAE auth_alg %u",
4557 				   MAC2STR(sta->addr), sta->auth_alg);
4558 			return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4559 		}
4560 
4561 		if (hapd->conf->sae_pwe == 2 &&
4562 		    sta->auth_alg == WLAN_AUTH_SAE &&
4563 		    sta->sae && !sta->sae->h2e &&
4564 		    elems.rsnxe && elems.rsnxe_len >= 1 &&
4565 		    (elems.rsnxe[0] & BIT(WLAN_RSNX_CAPAB_SAE_H2E))) {
4566 			wpa_printf(MSG_INFO, "SAE: " MACSTR
4567 				   " indicates support for SAE H2E, but did not use it",
4568 				   MAC2STR(sta->addr));
4569 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4570 		}
4571 #endif /* CONFIG_SAE */
4572 
4573 #ifdef CONFIG_OWE
4574 		if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4575 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4576 		    elems.owe_dh) {
4577 			resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
4578 						     elems.owe_dh_len);
4579 			if (resp != WLAN_STATUS_SUCCESS)
4580 				return resp;
4581 		}
4582 #endif /* CONFIG_OWE */
4583 
4584 #ifdef CONFIG_DPP2
4585 		dpp_pfs_free(sta->dpp_pfs);
4586 		sta->dpp_pfs = NULL;
4587 
4588 		if (DPP_VERSION > 1 &&
4589 		    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4590 		    hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4591 		    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4592 		    elems.owe_dh) {
4593 			sta->dpp_pfs = dpp_pfs_init(
4594 				wpabuf_head(hapd->conf->dpp_netaccesskey),
4595 				wpabuf_len(hapd->conf->dpp_netaccesskey));
4596 			if (!sta->dpp_pfs) {
4597 				wpa_printf(MSG_DEBUG,
4598 					   "DPP: Could not initialize PFS");
4599 				/* Try to continue without PFS */
4600 				goto pfs_fail;
4601 			}
4602 
4603 			if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
4604 					    elems.owe_dh_len) < 0) {
4605 				dpp_pfs_free(sta->dpp_pfs);
4606 				sta->dpp_pfs = NULL;
4607 				return WLAN_STATUS_UNSPECIFIED_FAILURE;
4608 			}
4609 		}
4610 
4611 		wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4612 				   sta->dpp_pfs->secret : NULL);
4613 	pfs_fail:
4614 #endif /* CONFIG_DPP2 */
4615 
4616 		if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4617 		    wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4618 			hostapd_logger(hapd, sta->addr,
4619 				       HOSTAPD_MODULE_IEEE80211,
4620 				       HOSTAPD_LEVEL_INFO,
4621 				       "Station tried to use TKIP with HT "
4622 				       "association");
4623 			return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4624 		}
4625 #ifdef CONFIG_HS20
4626 	} else if (hapd->conf->osen) {
4627 		if (elems.osen == NULL) {
4628 			hostapd_logger(
4629 				hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4630 				HOSTAPD_LEVEL_INFO,
4631 				"No HS 2.0 OSEN element in association request");
4632 			return WLAN_STATUS_INVALID_IE;
4633 		}
4634 
4635 		wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4636 		if (sta->wpa_sm == NULL)
4637 			sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4638 							sta->addr, NULL);
4639 		if (sta->wpa_sm == NULL) {
4640 			wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4641 				   "state machine");
4642 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4643 		}
4644 		if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4645 				      elems.osen - 2, elems.osen_len + 2) < 0)
4646 			return WLAN_STATUS_INVALID_IE;
4647 #endif /* CONFIG_HS20 */
4648 	} else
4649 		wpa_auth_sta_no_wpa(sta->wpa_sm);
4650 
4651 #ifdef CONFIG_P2P
4652 	p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4653 #endif /* CONFIG_P2P */
4654 
4655 #ifdef CONFIG_HS20
4656 	wpabuf_free(sta->hs20_ie);
4657 	if (elems.hs20 && elems.hs20_len > 4) {
4658 		int release;
4659 
4660 		sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
4661 						 elems.hs20_len - 4);
4662 		release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
4663 		if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4664 		    hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4665 			wpa_printf(MSG_DEBUG,
4666 				   "HS 2.0: PMF not negotiated by release %d station "
4667 				   MACSTR, release, MAC2STR(sta->addr));
4668 			return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4669 		}
4670 	} else {
4671 		sta->hs20_ie = NULL;
4672 	}
4673 
4674 	wpabuf_free(sta->roaming_consortium);
4675 	if (elems.roaming_cons_sel)
4676 		sta->roaming_consortium = wpabuf_alloc_copy(
4677 			elems.roaming_cons_sel + 4,
4678 			elems.roaming_cons_sel_len - 4);
4679 	else
4680 		sta->roaming_consortium = NULL;
4681 #endif /* CONFIG_HS20 */
4682 
4683 #ifdef CONFIG_FST
4684 	wpabuf_free(sta->mb_ies);
4685 	if (hapd->iface->fst)
4686 		sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
4687 	else
4688 		sta->mb_ies = NULL;
4689 #endif /* CONFIG_FST */
4690 
4691 #ifdef CONFIG_MBO
4692 	mbo_ap_check_sta_assoc(hapd, sta, &elems);
4693 
4694 	if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4695 	    elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4696 	    hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4697 		wpa_printf(MSG_INFO,
4698 			   "MBO: Reject WPA2 association without PMF");
4699 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
4700 	}
4701 #endif /* CONFIG_MBO */
4702 
4703 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4704 	if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4705 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4706 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4707 	     sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4708 		struct wpa_channel_info ci;
4709 		int tx_chanwidth;
4710 		int tx_seg1_idx;
4711 		enum oci_verify_result res;
4712 
4713 		if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4714 			wpa_printf(MSG_WARNING,
4715 				   "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4716 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4717 		}
4718 
4719 		if (get_sta_tx_parameters(sta->wpa_sm,
4720 					  channel_width_to_int(ci.chanwidth),
4721 					  ci.seg1_idx, &tx_chanwidth,
4722 					  &tx_seg1_idx) < 0)
4723 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4724 
4725 		res = ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
4726 					   tx_chanwidth, tx_seg1_idx);
4727 		if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4728 		    res == OCI_NOT_FOUND) {
4729 			/* Work around misbehaving STAs */
4730 			wpa_printf(MSG_INFO,
4731 				   "FILS: Disable OCV with a STA that does not send OCI");
4732 			wpa_auth_set_ocv(sta->wpa_sm, 0);
4733 		} else if (res != OCI_SUCCESS) {
4734 			wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4735 				   ocv_errorstr);
4736 			wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4737 				MACSTR " frame=fils-reassoc-req error=%s",
4738 				MAC2STR(sta->addr), ocv_errorstr);
4739 			return WLAN_STATUS_UNSPECIFIED_FAILURE;
4740 		}
4741 	}
4742 #endif /* CONFIG_FILS && CONFIG_OCV */
4743 
4744 	ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
4745 				    elems.supp_op_classes_len);
4746 
4747 	if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4748 	    elems.rrm_enabled &&
4749 	    elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4750 		os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
4751 			  sizeof(sta->rrm_enabled_capa));
4752 
4753 	if (elems.power_capab) {
4754 		sta->min_tx_power = elems.power_capab[0];
4755 		sta->max_tx_power = elems.power_capab[1];
4756 		sta->power_capab = 1;
4757 	} else {
4758 		sta->power_capab = 0;
4759 	}
4760 
4761 	return WLAN_STATUS_SUCCESS;
4762 }
4763 
4764 
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4765 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4766 			u16 reason_code)
4767 {
4768 	int send_len;
4769 	struct ieee80211_mgmt reply;
4770 
4771 	os_memset(&reply, 0, sizeof(reply));
4772 	reply.frame_control =
4773 		IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4774 	os_memcpy(reply.da, addr, ETH_ALEN);
4775 	os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4776 	os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4777 
4778 	send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4779 	reply.u.deauth.reason_code = host_to_le16(reason_code);
4780 
4781 	if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4782 		wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4783 			   strerror(errno));
4784 }
4785 
4786 
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4787 static int add_associated_sta(struct hostapd_data *hapd,
4788 			      struct sta_info *sta, int reassoc)
4789 {
4790 	struct ieee80211_ht_capabilities ht_cap;
4791 	struct ieee80211_vht_capabilities vht_cap;
4792 	struct ieee80211_he_capabilities he_cap;
4793 	int set = 1;
4794 
4795 	/*
4796 	 * Remove the STA entry to ensure the STA PS state gets cleared and
4797 	 * configuration gets updated. This is relevant for cases, such as
4798 	 * FT-over-the-DS, where a station re-associates back to the same AP but
4799 	 * skips the authentication flow, or if working with a driver that
4800 	 * does not support full AP client state.
4801 	 *
4802 	 * Skip this if the STA has already completed FT reassociation and the
4803 	 * TK has been configured since the TX/RX PN must not be reset to 0 for
4804 	 * the same key.
4805 	 *
4806 	 * FT-over-the-DS has a special case where the STA entry (and as such,
4807 	 * the TK) has not yet been configured to the driver depending on which
4808 	 * driver interface is used. For that case, allow add-STA operation to
4809 	 * be used (instead of set-STA). This is needed to allow mac80211-based
4810 	 * drivers to accept the STA parameter configuration. Since this is
4811 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
4812 	 * reinstallation is not a concern for this case.
4813 	 */
4814 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4815 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4816 		   MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4817 		   sta->ft_over_ds, reassoc,
4818 		   !!(sta->flags & WLAN_STA_AUTHORIZED),
4819 		   wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4820 		   wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4821 
4822 	if (!sta->added_unassoc &&
4823 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4824 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4825 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4826 	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4827 		hostapd_drv_sta_remove(hapd, sta->addr);
4828 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4829 		set = 0;
4830 
4831 		 /* Do not allow the FT-over-DS exception to be used more than
4832 		  * once per authentication exchange to guarantee a new TK is
4833 		  * used here */
4834 		sta->ft_over_ds = 0;
4835 	}
4836 
4837 	if (sta->flags & WLAN_STA_HT)
4838 		hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4839 #ifdef CONFIG_IEEE80211AC
4840 	if (sta->flags & WLAN_STA_VHT)
4841 		hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4842 #endif /* CONFIG_IEEE80211AC */
4843 #ifdef CONFIG_IEEE80211AX
4844 	if (sta->flags & WLAN_STA_HE) {
4845 		hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4846 				     sta->he_capab_len);
4847 	}
4848 #endif /* CONFIG_IEEE80211AX */
4849 
4850 	/*
4851 	 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4852 	 * will be set when the ACK frame for the (Re)Association Response frame
4853 	 * is processed (TX status driver event).
4854 	 */
4855 	if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4856 			    sta->supported_rates, sta->supported_rates_len,
4857 			    sta->listen_interval,
4858 			    sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4859 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4860 			    sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4861 			    sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4862 			    sta->he_6ghz_capab,
4863 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4864 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4865 			    set)) {
4866 		hostapd_logger(hapd, sta->addr,
4867 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
4868 			       "Could not %s STA to kernel driver",
4869 			       set ? "set" : "add");
4870 
4871 		if (sta->added_unassoc) {
4872 			hostapd_drv_sta_remove(hapd, sta->addr);
4873 			sta->added_unassoc = 0;
4874 		}
4875 
4876 		return -1;
4877 	}
4878 
4879 	sta->added_unassoc = 0;
4880 
4881 	return 0;
4882 }
4883 
4884 
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe)4885 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
4886 			   const u8 *addr, u16 status_code, int reassoc,
4887 			   const u8 *ies, size_t ies_len, int rssi,
4888 			   int omit_rsnxe)
4889 {
4890 	int send_len;
4891 	u8 *buf;
4892 	size_t buflen;
4893 	struct ieee80211_mgmt *reply;
4894 	u8 *p;
4895 	u16 res = WLAN_STATUS_SUCCESS;
4896 
4897 	buflen = sizeof(struct ieee80211_mgmt) + 1024;
4898 #ifdef CONFIG_FILS
4899 	if (sta && sta->fils_hlp_resp)
4900 		buflen += wpabuf_len(sta->fils_hlp_resp);
4901 	if (sta)
4902 		buflen += 150;
4903 #endif /* CONFIG_FILS */
4904 #ifdef CONFIG_OWE
4905 	if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4906 		buflen += 150;
4907 #endif /* CONFIG_OWE */
4908 #ifdef CONFIG_DPP2
4909 	if (sta && sta->dpp_pfs)
4910 		buflen += 5 + sta->dpp_pfs->curve->prime_len;
4911 #endif /* CONFIG_DPP2 */
4912 	buf = os_zalloc(buflen);
4913 	if (!buf) {
4914 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4915 		goto done;
4916 	}
4917 	reply = (struct ieee80211_mgmt *) buf;
4918 	reply->frame_control =
4919 		IEEE80211_FC(WLAN_FC_TYPE_MGMT,
4920 			     (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
4921 			      WLAN_FC_STYPE_ASSOC_RESP));
4922 	os_memcpy(reply->da, addr, ETH_ALEN);
4923 	os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
4924 	os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
4925 
4926 	send_len = IEEE80211_HDRLEN;
4927 	send_len += sizeof(reply->u.assoc_resp);
4928 	reply->u.assoc_resp.capab_info =
4929 		host_to_le16(hostapd_own_capab_info(hapd));
4930 	reply->u.assoc_resp.status_code = host_to_le16(status_code);
4931 
4932 	reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
4933 					       BIT(14) | BIT(15));
4934 	/* Supported rates */
4935 	p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
4936 	/* Extended supported rates */
4937 	p = hostapd_eid_ext_supp_rates(hapd, p);
4938 
4939 	/* Radio measurement capabilities */
4940 	p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4941 
4942 #ifdef CONFIG_MBO
4943 	if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
4944 	    rssi != 0) {
4945 		int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
4946 
4947 		p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
4948 						   delta);
4949 	}
4950 #endif /* CONFIG_MBO */
4951 
4952 #ifdef CONFIG_IEEE80211R_AP
4953 	if (sta && status_code == WLAN_STATUS_SUCCESS) {
4954 		/* IEEE 802.11r: Mobility Domain Information, Fast BSS
4955 		 * Transition Information, RSN, [RIC Response] */
4956 		p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
4957 						buf + buflen - p,
4958 						sta->auth_alg, ies, ies_len,
4959 						omit_rsnxe);
4960 		if (!p) {
4961 			wpa_printf(MSG_DEBUG,
4962 				   "FT: Failed to write AssocResp IEs");
4963 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4964 			goto done;
4965 		}
4966 	}
4967 #endif /* CONFIG_IEEE80211R_AP */
4968 #ifdef CONFIG_FILS
4969 	if (sta && status_code == WLAN_STATUS_SUCCESS &&
4970 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4971 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4972 	     sta->auth_alg == WLAN_AUTH_FILS_PK))
4973 		p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
4974 						   buf + buflen - p,
4975 						   ies, ies_len);
4976 #endif /* CONFIG_FILS */
4977 
4978 #ifdef CONFIG_OWE
4979 	if (sta && status_code == WLAN_STATUS_SUCCESS &&
4980 	    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4981 		p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
4982 						  buf + buflen - p,
4983 						  ies, ies_len);
4984 #endif /* CONFIG_OWE */
4985 
4986 	if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
4987 		p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
4988 
4989 	p = hostapd_eid_ht_capabilities(hapd, p);
4990 	p = hostapd_eid_ht_operation(hapd, p);
4991 
4992 #ifdef CONFIG_IEEE80211AC
4993 	if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
4994 	    !is_6ghz_op_class(hapd->iconf->op_class)) {
4995 		u32 nsts = 0, sta_nsts;
4996 
4997 		if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
4998 			struct ieee80211_vht_capabilities *capa;
4999 
5000 			nsts = (hapd->iface->conf->vht_capab >>
5001 				VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5002 			capa = sta->vht_capabilities;
5003 			sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
5004 				    VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
5005 
5006 			if (nsts < sta_nsts)
5007 				nsts = 0;
5008 			else
5009 				nsts = sta_nsts;
5010 		}
5011 		p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5012 		p = hostapd_eid_vht_operation(hapd, p);
5013 	}
5014 #endif /* CONFIG_IEEE80211AC */
5015 
5016 #ifdef CONFIG_IEEE80211AX
5017 	if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5018 		p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5019 		p = hostapd_eid_he_operation(hapd, p);
5020 		p = hostapd_eid_spatial_reuse(hapd, p);
5021 		p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5022 		p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5023 	}
5024 #endif /* CONFIG_IEEE80211AX */
5025 
5026 	p = hostapd_eid_ext_capab(hapd, p);
5027 	p = hostapd_eid_bss_max_idle_period(hapd, p);
5028 	if (sta && sta->qos_map_enabled)
5029 		p = hostapd_eid_qos_map_set(hapd, p);
5030 
5031 #ifdef CONFIG_FST
5032 	if (hapd->iface->fst_ies) {
5033 		os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5034 			  wpabuf_len(hapd->iface->fst_ies));
5035 		p += wpabuf_len(hapd->iface->fst_ies);
5036 	}
5037 #endif /* CONFIG_FST */
5038 
5039 #ifdef CONFIG_TESTING_OPTIONS
5040 	if (hapd->conf->rsnxe_override_ft &&
5041 	    buf + buflen - p >=
5042 	    (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5043 	    sta && sta->auth_alg == WLAN_AUTH_FT) {
5044 		wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5045 		os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5046 			  wpabuf_len(hapd->conf->rsnxe_override_ft));
5047 		p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5048 		goto rsnxe_done;
5049 	}
5050 #endif /* CONFIG_TESTING_OPTIONS */
5051 	if (!omit_rsnxe)
5052 		p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5053 #ifdef CONFIG_TESTING_OPTIONS
5054 rsnxe_done:
5055 #endif /* CONFIG_TESTING_OPTIONS */
5056 
5057 #ifdef CONFIG_OWE
5058 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5059 	    sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5060 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5061 	    !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5062 		struct wpabuf *pub;
5063 
5064 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5065 		if (!pub) {
5066 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5067 			goto done;
5068 		}
5069 		/* OWE Diffie-Hellman Parameter element */
5070 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
5071 		*p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5072 		*p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5073 		WPA_PUT_LE16(p, sta->owe_group);
5074 		p += 2;
5075 		os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5076 		p += wpabuf_len(pub);
5077 		wpabuf_free(pub);
5078 	}
5079 #endif /* CONFIG_OWE */
5080 
5081 #ifdef CONFIG_DPP2
5082 	if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5083 	    sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5084 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5085 		os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5086 			  wpabuf_len(sta->dpp_pfs->ie));
5087 		p += wpabuf_len(sta->dpp_pfs->ie);
5088 	}
5089 #endif /* CONFIG_DPP2 */
5090 
5091 #ifdef CONFIG_IEEE80211AC
5092 	if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5093 		p = hostapd_eid_vendor_vht(hapd, p);
5094 #endif /* CONFIG_IEEE80211AC */
5095 
5096 	if (sta && (sta->flags & WLAN_STA_WMM))
5097 		p = hostapd_eid_wmm(hapd, p);
5098 
5099 #ifdef CONFIG_WPS
5100 	if (sta &&
5101 	    ((sta->flags & WLAN_STA_WPS) ||
5102 	     ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5103 		struct wpabuf *wps = wps_build_assoc_resp_ie();
5104 		if (wps) {
5105 			os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5106 			p += wpabuf_len(wps);
5107 			wpabuf_free(wps);
5108 		}
5109 	}
5110 #endif /* CONFIG_WPS */
5111 
5112 	if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5113 		p = hostapd_eid_multi_ap(hapd, p);
5114 
5115 #ifdef CONFIG_P2P
5116 	if (sta && sta->p2p_ie && hapd->p2p_group) {
5117 		struct wpabuf *p2p_resp_ie;
5118 		enum p2p_status_code status;
5119 		switch (status_code) {
5120 		case WLAN_STATUS_SUCCESS:
5121 			status = P2P_SC_SUCCESS;
5122 			break;
5123 		case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5124 			status = P2P_SC_FAIL_LIMIT_REACHED;
5125 			break;
5126 		default:
5127 			status = P2P_SC_FAIL_INVALID_PARAMS;
5128 			break;
5129 		}
5130 		p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5131 		if (p2p_resp_ie) {
5132 			os_memcpy(p, wpabuf_head(p2p_resp_ie),
5133 				  wpabuf_len(p2p_resp_ie));
5134 			p += wpabuf_len(p2p_resp_ie);
5135 			wpabuf_free(p2p_resp_ie);
5136 		}
5137 	}
5138 #endif /* CONFIG_P2P */
5139 
5140 #ifdef CONFIG_P2P_MANAGER
5141 	if (hapd->conf->p2p & P2P_MANAGE)
5142 		p = hostapd_eid_p2p_manage(hapd, p);
5143 #endif /* CONFIG_P2P_MANAGER */
5144 
5145 	p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5146 
5147 	if (hapd->conf->assocresp_elements &&
5148 	    (size_t) (buf + buflen - p) >=
5149 	    wpabuf_len(hapd->conf->assocresp_elements)) {
5150 		os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5151 			  wpabuf_len(hapd->conf->assocresp_elements));
5152 		p += wpabuf_len(hapd->conf->assocresp_elements);
5153 	}
5154 
5155 	send_len += p - reply->u.assoc_resp.variable;
5156 
5157 #ifdef CONFIG_FILS
5158 	if (sta &&
5159 	    (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5160 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5161 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5162 	    status_code == WLAN_STATUS_SUCCESS) {
5163 		struct ieee802_11_elems elems;
5164 
5165 		if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5166 		    ParseFailed || !elems.fils_session) {
5167 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5168 			goto done;
5169 		}
5170 
5171 		/* FILS Session */
5172 		*p++ = WLAN_EID_EXTENSION; /* Element ID */
5173 		*p++ = 1 + FILS_SESSION_LEN; /* Length */
5174 		*p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5175 		os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5176 		send_len += 2 + 1 + FILS_SESSION_LEN;
5177 
5178 		send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5179 					      buflen, sta->fils_hlp_resp);
5180 		if (send_len < 0) {
5181 			res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5182 			goto done;
5183 		}
5184 	}
5185 #endif /* CONFIG_FILS */
5186 
5187 	if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5188 		wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5189 			   strerror(errno));
5190 		res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5191 	}
5192 
5193 done:
5194 	os_free(buf);
5195 	return res;
5196 }
5197 
5198 
5199 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5200 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5201 			   const u8 *owe_dh, u8 owe_dh_len,
5202 			   u8 *owe_buf, size_t owe_buf_len, u16 *status)
5203 {
5204 #ifdef CONFIG_TESTING_OPTIONS
5205 	if (hapd->conf->own_ie_override) {
5206 		wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5207 		*status = WLAN_STATUS_SUCCESS;
5208 		return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5209 						     owe_buf_len, NULL, 0);
5210 	}
5211 #endif /* CONFIG_TESTING_OPTIONS */
5212 
5213 	if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5214 		wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5215 		owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5216 							owe_buf_len, NULL, 0);
5217 		*status = WLAN_STATUS_SUCCESS;
5218 		return owe_buf;
5219 	}
5220 
5221 	if (sta->owe_pmk && sta->external_dh_updated) {
5222 		wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5223 		*status = WLAN_STATUS_SUCCESS;
5224 		return owe_buf;
5225 	}
5226 
5227 	*status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5228 	if (*status != WLAN_STATUS_SUCCESS)
5229 		return NULL;
5230 
5231 	owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5232 						owe_buf_len, NULL, 0);
5233 
5234 	if (sta->owe_ecdh && owe_buf) {
5235 		struct wpabuf *pub;
5236 
5237 		pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5238 		if (!pub) {
5239 			*status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5240 			return owe_buf;
5241 		}
5242 
5243 		/* OWE Diffie-Hellman Parameter element */
5244 		*owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5245 		*owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5246 		*owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5247 							 */
5248 		WPA_PUT_LE16(owe_buf, sta->owe_group);
5249 		owe_buf += 2;
5250 		os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5251 		owe_buf += wpabuf_len(pub);
5252 		wpabuf_free(pub);
5253 	}
5254 
5255 	return owe_buf;
5256 }
5257 #endif /* CONFIG_OWE */
5258 
5259 
5260 #ifdef CONFIG_FILS
5261 
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5262 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5263 {
5264 	u16 reply_res;
5265 
5266 	wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5267 		   MAC2STR(sta->addr));
5268 	eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5269 	if (!sta->fils_pending_assoc_req)
5270 		return;
5271 	reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5272 				    sta->fils_pending_assoc_is_reassoc,
5273 				    sta->fils_pending_assoc_req,
5274 				    sta->fils_pending_assoc_req_len, 0, 0);
5275 	os_free(sta->fils_pending_assoc_req);
5276 	sta->fils_pending_assoc_req = NULL;
5277 	sta->fils_pending_assoc_req_len = 0;
5278 	wpabuf_free(sta->fils_hlp_resp);
5279 	sta->fils_hlp_resp = NULL;
5280 	wpabuf_free(sta->hlp_dhcp_discover);
5281 	sta->hlp_dhcp_discover = NULL;
5282 
5283 	/*
5284 	 * Remove the station in case transmission of a success response fails.
5285 	 * At this point the station was already added associated to the driver.
5286 	 */
5287 	if (reply_res != WLAN_STATUS_SUCCESS)
5288 		hostapd_drv_sta_remove(hapd, sta->addr);
5289 }
5290 
5291 
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5292 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5293 {
5294 	struct hostapd_data *hapd = eloop_ctx;
5295 	struct sta_info *sta = eloop_data;
5296 
5297 	wpa_printf(MSG_DEBUG,
5298 		   "FILS: HLP response timeout - continue with association response for "
5299 		   MACSTR, MAC2STR(sta->addr));
5300 	if (sta->fils_drv_assoc_finish)
5301 		hostapd_notify_assoc_fils_finish(hapd, sta);
5302 	else
5303 		fils_hlp_finish_assoc(hapd, sta);
5304 }
5305 
5306 #endif /* CONFIG_FILS */
5307 
5308 
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5309 static void handle_assoc(struct hostapd_data *hapd,
5310 			 const struct ieee80211_mgmt *mgmt, size_t len,
5311 			 int reassoc, int rssi)
5312 {
5313 	u16 capab_info, listen_interval, seq_ctrl, fc;
5314 	int resp = WLAN_STATUS_SUCCESS;
5315 	u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5316 	const u8 *pos;
5317 	int left, i;
5318 	struct sta_info *sta;
5319 	u8 *tmp = NULL;
5320 #ifdef CONFIG_FILS
5321 	int delay_assoc = 0;
5322 #endif /* CONFIG_FILS */
5323 	int omit_rsnxe = 0;
5324 
5325 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5326 				      sizeof(mgmt->u.assoc_req))) {
5327 		wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5328 			   reassoc, (unsigned long) len);
5329 		return;
5330 	}
5331 
5332 #ifdef CONFIG_TESTING_OPTIONS
5333 	if (reassoc) {
5334 		if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5335 		    drand48() < hapd->iconf->ignore_reassoc_probability) {
5336 			wpa_printf(MSG_INFO,
5337 				   "TESTING: ignoring reassoc request from "
5338 				   MACSTR, MAC2STR(mgmt->sa));
5339 			return;
5340 		}
5341 	} else {
5342 		if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5343 		    drand48() < hapd->iconf->ignore_assoc_probability) {
5344 			wpa_printf(MSG_INFO,
5345 				   "TESTING: ignoring assoc request from "
5346 				   MACSTR, MAC2STR(mgmt->sa));
5347 			return;
5348 		}
5349 	}
5350 #endif /* CONFIG_TESTING_OPTIONS */
5351 
5352 	fc = le_to_host16(mgmt->frame_control);
5353 	seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5354 
5355 	if (reassoc) {
5356 		capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5357 		listen_interval = le_to_host16(
5358 			mgmt->u.reassoc_req.listen_interval);
5359 		wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5360 			   " capab_info=0x%02x listen_interval=%d current_ap="
5361 			   MACSTR " seq_ctrl=0x%x%s",
5362 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
5363 			   MAC2STR(mgmt->u.reassoc_req.current_ap),
5364 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5365 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5366 		pos = mgmt->u.reassoc_req.variable;
5367 	} else {
5368 		capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5369 		listen_interval = le_to_host16(
5370 			mgmt->u.assoc_req.listen_interval);
5371 		wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5372 			   " capab_info=0x%02x listen_interval=%d "
5373 			   "seq_ctrl=0x%x%s",
5374 			   MAC2STR(mgmt->sa), capab_info, listen_interval,
5375 			   seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5376 		left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5377 		pos = mgmt->u.assoc_req.variable;
5378 	}
5379 
5380 	sta = ap_get_sta(hapd, mgmt->sa);
5381 #ifdef CONFIG_IEEE80211R_AP
5382 	if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5383 	    (sta->flags & WLAN_STA_AUTH) == 0) {
5384 		wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5385 			   "prior to authentication since it is using "
5386 			   "over-the-DS FT", MAC2STR(mgmt->sa));
5387 
5388 		/*
5389 		 * Mark station as authenticated, to avoid adding station
5390 		 * entry in the driver as associated and not authenticated
5391 		 */
5392 		sta->flags |= WLAN_STA_AUTH;
5393 	} else
5394 #endif /* CONFIG_IEEE80211R_AP */
5395 	if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5396 		if (hapd->iface->current_mode &&
5397 		    hapd->iface->current_mode->mode ==
5398 			HOSTAPD_MODE_IEEE80211AD) {
5399 			int acl_res;
5400 			struct radius_sta info;
5401 
5402 			acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5403 							     (const u8 *) mgmt,
5404 							     len, &info);
5405 			if (acl_res == HOSTAPD_ACL_REJECT) {
5406 				wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5407 					"Ignore Association Request frame from "
5408 					MACSTR " due to ACL reject",
5409 					MAC2STR(mgmt->sa));
5410 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5411 				goto fail;
5412 			}
5413 			if (acl_res == HOSTAPD_ACL_PENDING)
5414 				return;
5415 
5416 			/* DMG/IEEE 802.11ad does not use authentication.
5417 			 * Allocate sta entry upon association. */
5418 			sta = ap_sta_add(hapd, mgmt->sa);
5419 			if (!sta) {
5420 				hostapd_logger(hapd, mgmt->sa,
5421 					       HOSTAPD_MODULE_IEEE80211,
5422 					       HOSTAPD_LEVEL_INFO,
5423 					       "Failed to add STA");
5424 				resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5425 				goto fail;
5426 			}
5427 
5428 			acl_res = ieee802_11_set_radius_info(
5429 				hapd, sta, acl_res, &info);
5430 			if (acl_res) {
5431 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5432 				goto fail;
5433 			}
5434 
5435 			hostapd_logger(hapd, sta->addr,
5436 				       HOSTAPD_MODULE_IEEE80211,
5437 				       HOSTAPD_LEVEL_DEBUG,
5438 				       "Skip authentication for DMG/IEEE 802.11ad");
5439 			sta->flags |= WLAN_STA_AUTH;
5440 			wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5441 			sta->auth_alg = WLAN_AUTH_OPEN;
5442 		} else {
5443 			hostapd_logger(hapd, mgmt->sa,
5444 				       HOSTAPD_MODULE_IEEE80211,
5445 				       HOSTAPD_LEVEL_INFO,
5446 				       "Station tried to associate before authentication (aid=%d flags=0x%x)",
5447 				       sta ? sta->aid : -1,
5448 				       sta ? sta->flags : 0);
5449 			send_deauth(hapd, mgmt->sa,
5450 				    WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5451 			return;
5452 		}
5453 	}
5454 
5455 	if ((fc & WLAN_FC_RETRY) &&
5456 	    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5457 	    sta->last_seq_ctrl == seq_ctrl &&
5458 	    sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5459 				  WLAN_FC_STYPE_ASSOC_REQ)) {
5460 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5461 			       HOSTAPD_LEVEL_DEBUG,
5462 			       "Drop repeated association frame seq_ctrl=0x%x",
5463 			       seq_ctrl);
5464 		return;
5465 	}
5466 	sta->last_seq_ctrl = seq_ctrl;
5467 	sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5468 		WLAN_FC_STYPE_ASSOC_REQ;
5469 
5470 	if (hapd->tkip_countermeasures) {
5471 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5472 		goto fail;
5473 	}
5474 
5475 	if (listen_interval > hapd->conf->max_listen_interval) {
5476 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5477 			       HOSTAPD_LEVEL_DEBUG,
5478 			       "Too large Listen Interval (%d)",
5479 			       listen_interval);
5480 		resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5481 		goto fail;
5482 	}
5483 
5484 #ifdef CONFIG_MBO
5485 	if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5486 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5487 		goto fail;
5488 	}
5489 
5490 	if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5491 	    rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5492 	    (sta->auth_rssi == 0 ||
5493 	     sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5494 		resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5495 		goto fail;
5496 	}
5497 #endif /* CONFIG_MBO */
5498 
5499 	/*
5500 	 * sta->capability is used in check_assoc_ies() for RRM enabled
5501 	 * capability element.
5502 	 */
5503 	sta->capability = capab_info;
5504 
5505 #ifdef CONFIG_FILS
5506 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5507 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5508 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
5509 		int res;
5510 
5511 		/* The end of the payload is encrypted. Need to decrypt it
5512 		 * before parsing. */
5513 
5514 		tmp = os_memdup(pos, left);
5515 		if (!tmp) {
5516 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5517 			goto fail;
5518 		}
5519 
5520 		res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5521 					 len, tmp, left);
5522 		if (res < 0) {
5523 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5524 			goto fail;
5525 		}
5526 		pos = tmp;
5527 		left = res;
5528 	}
5529 #endif /* CONFIG_FILS */
5530 
5531 	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
5532 	 * is used */
5533 	resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5534 	if (resp != WLAN_STATUS_SUCCESS)
5535 		goto fail;
5536 	omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5537 
5538 	if (hostapd_get_aid(hapd, sta) < 0) {
5539 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5540 			       HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5541 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5542 		goto fail;
5543 	}
5544 
5545 	sta->listen_interval = listen_interval;
5546 
5547 	if (hapd->iface->current_mode &&
5548 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5549 		sta->flags |= WLAN_STA_NONERP;
5550 	for (i = 0; i < sta->supported_rates_len; i++) {
5551 		if ((sta->supported_rates[i] & 0x7f) > 22) {
5552 			sta->flags &= ~WLAN_STA_NONERP;
5553 			break;
5554 		}
5555 	}
5556 	if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5557 		sta->nonerp_set = 1;
5558 		hapd->iface->num_sta_non_erp++;
5559 		if (hapd->iface->num_sta_non_erp == 1)
5560 			ieee802_11_set_beacons(hapd->iface);
5561 	}
5562 
5563 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5564 	    !sta->no_short_slot_time_set) {
5565 		sta->no_short_slot_time_set = 1;
5566 		hapd->iface->num_sta_no_short_slot_time++;
5567 		if (hapd->iface->current_mode &&
5568 		    hapd->iface->current_mode->mode ==
5569 		    HOSTAPD_MODE_IEEE80211G &&
5570 		    hapd->iface->num_sta_no_short_slot_time == 1)
5571 			ieee802_11_set_beacons(hapd->iface);
5572 	}
5573 
5574 	if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5575 		sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5576 	else
5577 		sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5578 
5579 	if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5580 	    !sta->no_short_preamble_set) {
5581 		sta->no_short_preamble_set = 1;
5582 		hapd->iface->num_sta_no_short_preamble++;
5583 		if (hapd->iface->current_mode &&
5584 		    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5585 		    && hapd->iface->num_sta_no_short_preamble == 1)
5586 			ieee802_11_set_beacons(hapd->iface);
5587 	}
5588 
5589 	update_ht_state(hapd, sta);
5590 
5591 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5592 		       HOSTAPD_LEVEL_DEBUG,
5593 		       "association OK (aid %d)", sta->aid);
5594 	/* Station will be marked associated, after it acknowledges AssocResp
5595 	 */
5596 	sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5597 
5598 	if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5599 		wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5600 			   "SA Query procedure", reassoc ? "re" : "");
5601 		/* TODO: Send a protected Disassociate frame to the STA using
5602 		 * the old key and Reason Code "Previous Authentication no
5603 		 * longer valid". Make sure this is only sent protected since
5604 		 * unprotected frame would be received by the STA that is now
5605 		 * trying to associate.
5606 		 */
5607 	}
5608 
5609 	/* Make sure that the previously registered inactivity timer will not
5610 	 * remove the STA immediately. */
5611 	sta->timeout_next = STA_NULLFUNC;
5612 
5613 #ifdef CONFIG_TAXONOMY
5614 	taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5615 #endif /* CONFIG_TAXONOMY */
5616 
5617 	sta->pending_wds_enable = 0;
5618 
5619 #ifdef CONFIG_FILS
5620 	if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5621 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5622 	    sta->auth_alg == WLAN_AUTH_FILS_PK) {
5623 		if (fils_process_hlp(hapd, sta, pos, left) > 0)
5624 			delay_assoc = 1;
5625 	}
5626 #endif /* CONFIG_FILS */
5627 
5628  fail:
5629 
5630 	/*
5631 	 * In case of a successful response, add the station to the driver.
5632 	 * Otherwise, the kernel may ignore Data frames before we process the
5633 	 * ACK frame (TX status). In case of a failure, this station will be
5634 	 * removed.
5635 	 *
5636 	 * Note that this is not compliant with the IEEE 802.11 standard that
5637 	 * states that a non-AP station should transition into the
5638 	 * authenticated/associated state only after the station acknowledges
5639 	 * the (Re)Association Response frame. However, still do this as:
5640 	 *
5641 	 * 1. In case the station does not acknowledge the (Re)Association
5642 	 *    Response frame, it will be removed.
5643 	 * 2. Data frames will be dropped in the kernel until the station is
5644 	 *    set into authorized state, and there are no significant known
5645 	 *    issues with processing other non-Data Class 3 frames during this
5646 	 *    window.
5647 	 */
5648 	if (resp == WLAN_STATUS_SUCCESS && sta &&
5649 	    add_associated_sta(hapd, sta, reassoc))
5650 		resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5651 
5652 #ifdef CONFIG_FILS
5653 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5654 	    eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5655 	    sta->fils_pending_assoc_req) {
5656 		/* Do not reschedule fils_hlp_timeout in case the station
5657 		 * retransmits (Re)Association Request frame while waiting for
5658 		 * the previously started FILS HLP wait, so that the timeout can
5659 		 * be determined from the first pending attempt. */
5660 		wpa_printf(MSG_DEBUG,
5661 			   "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5662 			   MACSTR, MAC2STR(sta->addr));
5663 		os_free(tmp);
5664 		return;
5665 	}
5666 	if (sta) {
5667 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5668 		os_free(sta->fils_pending_assoc_req);
5669 		sta->fils_pending_assoc_req = NULL;
5670 		sta->fils_pending_assoc_req_len = 0;
5671 		wpabuf_free(sta->fils_hlp_resp);
5672 		sta->fils_hlp_resp = NULL;
5673 	}
5674 	if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5675 		sta->fils_pending_assoc_req = tmp;
5676 		sta->fils_pending_assoc_req_len = left;
5677 		sta->fils_pending_assoc_is_reassoc = reassoc;
5678 		sta->fils_drv_assoc_finish = 0;
5679 		wpa_printf(MSG_DEBUG,
5680 			   "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5681 			   MACSTR, MAC2STR(sta->addr));
5682 		eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5683 		eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5684 				       fils_hlp_timeout, hapd, sta);
5685 		return;
5686 	}
5687 #endif /* CONFIG_FILS */
5688 
5689 	if (resp >= 0)
5690 		reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc,
5691 					    pos, left, rssi, omit_rsnxe);
5692 	os_free(tmp);
5693 
5694 	/*
5695 	 * Remove the station in case transmission of a success response fails
5696 	 * (the STA was added associated to the driver) or if the station was
5697 	 * previously added unassociated.
5698 	 */
5699 	if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5700 		     resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5701 		hostapd_drv_sta_remove(hapd, sta->addr);
5702 		sta->added_unassoc = 0;
5703 	}
5704 }
5705 
5706 
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5707 static void handle_disassoc(struct hostapd_data *hapd,
5708 			    const struct ieee80211_mgmt *mgmt, size_t len)
5709 {
5710 	struct sta_info *sta;
5711 
5712 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5713 		wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
5714 			   (unsigned long) len);
5715 		return;
5716 	}
5717 
5718 	wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
5719 		   MAC2STR(mgmt->sa),
5720 		   le_to_host16(mgmt->u.disassoc.reason_code));
5721 
5722 	sta = ap_get_sta(hapd, mgmt->sa);
5723 	if (sta == NULL) {
5724 		wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
5725 			   MAC2STR(mgmt->sa));
5726 		return;
5727 	}
5728 
5729 	ap_sta_set_authorized(hapd, sta, 0);
5730 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5731 	sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5732 	hostapd_set_sta_flags(hapd, sta);
5733 	wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5734 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5735 		       HOSTAPD_LEVEL_INFO, "disassociated");
5736 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5737 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5738 	/* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5739 	 * authenticated. */
5740 	accounting_sta_stop(hapd, sta);
5741 	ieee802_1x_free_station(hapd, sta);
5742 	if (sta->ipaddr)
5743 		hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5744 	ap_sta_ip6addr_del(hapd, sta);
5745 	hostapd_drv_sta_remove(hapd, sta->addr);
5746 	sta->added_unassoc = 0;
5747 
5748 	if (sta->timeout_next == STA_NULLFUNC ||
5749 	    sta->timeout_next == STA_DISASSOC) {
5750 		sta->timeout_next = STA_DEAUTH;
5751 		eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5752 		eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5753 				       hapd, sta);
5754 	}
5755 
5756 	mlme_disassociate_indication(
5757 		hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5758 
5759 	/* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5760 	 * disassociation. */
5761 	if (hapd->iface->current_mode &&
5762 	    hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5763 		sta->flags &= ~WLAN_STA_AUTH;
5764 		wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5765 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5766 			       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5767 		ap_free_sta(hapd, sta);
5768 	}
5769 }
5770 
5771 
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5772 static void handle_deauth(struct hostapd_data *hapd,
5773 			  const struct ieee80211_mgmt *mgmt, size_t len)
5774 {
5775 	struct sta_info *sta;
5776 
5777 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5778 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
5779 			"payload (len=%lu)", (unsigned long) len);
5780 		return;
5781 	}
5782 
5783 	wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
5784 		" reason_code=%d",
5785 		MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5786 
5787 	sta = ap_get_sta(hapd, mgmt->sa);
5788 	if (sta == NULL) {
5789 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
5790 			"to deauthenticate, but it is not authenticated",
5791 			MAC2STR(mgmt->sa));
5792 		return;
5793 	}
5794 
5795 	ap_sta_set_authorized(hapd, sta, 0);
5796 	sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5797 	sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5798 			WLAN_STA_ASSOC_REQ_OK);
5799 	hostapd_set_sta_flags(hapd, sta);
5800 	wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5801 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5802 		       HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5803 	mlme_deauthenticate_indication(
5804 		hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5805 	sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5806 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5807 	ap_free_sta(hapd, sta);
5808 }
5809 
5810 
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5811 static void handle_beacon(struct hostapd_data *hapd,
5812 			  const struct ieee80211_mgmt *mgmt, size_t len,
5813 			  struct hostapd_frame_info *fi)
5814 {
5815 	struct ieee802_11_elems elems;
5816 
5817 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5818 		wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5819 			   (unsigned long) len);
5820 		return;
5821 	}
5822 
5823 	(void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5824 				      len - (IEEE80211_HDRLEN +
5825 					     sizeof(mgmt->u.beacon)), &elems,
5826 				      0);
5827 
5828 	ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5829 }
5830 
5831 
robust_action_frame(u8 category)5832 static int robust_action_frame(u8 category)
5833 {
5834 	return category != WLAN_ACTION_PUBLIC &&
5835 		category != WLAN_ACTION_HT;
5836 }
5837 
5838 
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)5839 static int handle_action(struct hostapd_data *hapd,
5840 			 const struct ieee80211_mgmt *mgmt, size_t len,
5841 			 unsigned int freq)
5842 {
5843 	struct sta_info *sta;
5844 	u8 *action __maybe_unused;
5845 
5846 	if (len < IEEE80211_HDRLEN + 2 + 1) {
5847 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5848 			       HOSTAPD_LEVEL_DEBUG,
5849 			       "handle_action - too short payload (len=%lu)",
5850 			       (unsigned long) len);
5851 		return 0;
5852 	}
5853 
5854 	action = (u8 *) &mgmt->u.action.u;
5855 	wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
5856 		   " da " MACSTR " len %d freq %u",
5857 		   mgmt->u.action.category, *action,
5858 		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
5859 
5860 	sta = ap_get_sta(hapd, mgmt->sa);
5861 
5862 	if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
5863 	    (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
5864 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
5865 			   "frame (category=%u) from unassociated STA " MACSTR,
5866 			   mgmt->u.action.category, MAC2STR(mgmt->sa));
5867 		return 0;
5868 	}
5869 
5870 	if (sta && (sta->flags & WLAN_STA_MFP) &&
5871 	    !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
5872 	    robust_action_frame(mgmt->u.action.category)) {
5873 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5874 			       HOSTAPD_LEVEL_DEBUG,
5875 			       "Dropped unprotected Robust Action frame from "
5876 			       "an MFP STA");
5877 		return 0;
5878 	}
5879 
5880 	if (sta) {
5881 		u16 fc = le_to_host16(mgmt->frame_control);
5882 		u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5883 
5884 		if ((fc & WLAN_FC_RETRY) &&
5885 		    sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5886 		    sta->last_seq_ctrl == seq_ctrl &&
5887 		    sta->last_subtype == WLAN_FC_STYPE_ACTION) {
5888 			hostapd_logger(hapd, sta->addr,
5889 				       HOSTAPD_MODULE_IEEE80211,
5890 				       HOSTAPD_LEVEL_DEBUG,
5891 				       "Drop repeated action frame seq_ctrl=0x%x",
5892 				       seq_ctrl);
5893 			return 1;
5894 		}
5895 
5896 		sta->last_seq_ctrl = seq_ctrl;
5897 		sta->last_subtype = WLAN_FC_STYPE_ACTION;
5898 	}
5899 
5900 	switch (mgmt->u.action.category) {
5901 #ifdef CONFIG_IEEE80211R_AP
5902 	case WLAN_ACTION_FT:
5903 		if (!sta ||
5904 		    wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
5905 				     len - IEEE80211_HDRLEN))
5906 			break;
5907 		return 1;
5908 #endif /* CONFIG_IEEE80211R_AP */
5909 	case WLAN_ACTION_WMM:
5910 		hostapd_wmm_action(hapd, mgmt, len);
5911 		return 1;
5912 	case WLAN_ACTION_SA_QUERY:
5913 		ieee802_11_sa_query_action(hapd, mgmt, len);
5914 		return 1;
5915 #ifdef CONFIG_WNM_AP
5916 	case WLAN_ACTION_WNM:
5917 		ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
5918 		return 1;
5919 #endif /* CONFIG_WNM_AP */
5920 #ifdef CONFIG_FST
5921 	case WLAN_ACTION_FST:
5922 		if (hapd->iface->fst)
5923 			fst_rx_action(hapd->iface->fst, mgmt, len);
5924 		else
5925 			wpa_printf(MSG_DEBUG,
5926 				   "FST: Ignore FST Action frame - no FST attached");
5927 		return 1;
5928 #endif /* CONFIG_FST */
5929 	case WLAN_ACTION_PUBLIC:
5930 	case WLAN_ACTION_PROTECTED_DUAL:
5931 		if (len >= IEEE80211_HDRLEN + 2 &&
5932 		    mgmt->u.action.u.public_action.action ==
5933 		    WLAN_PA_20_40_BSS_COEX) {
5934 			hostapd_2040_coex_action(hapd, mgmt, len);
5935 			return 1;
5936 		}
5937 #ifdef CONFIG_DPP
5938 		if (len >= IEEE80211_HDRLEN + 6 &&
5939 		    mgmt->u.action.u.vs_public_action.action ==
5940 		    WLAN_PA_VENDOR_SPECIFIC &&
5941 		    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
5942 		    OUI_WFA &&
5943 		    mgmt->u.action.u.vs_public_action.variable[0] ==
5944 		    DPP_OUI_TYPE) {
5945 			const u8 *pos, *end;
5946 
5947 			pos = mgmt->u.action.u.vs_public_action.oui;
5948 			end = ((const u8 *) mgmt) + len;
5949 			hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
5950 					      freq);
5951 			return 1;
5952 		}
5953 		if (len >= IEEE80211_HDRLEN + 2 &&
5954 		    (mgmt->u.action.u.public_action.action ==
5955 		     WLAN_PA_GAS_INITIAL_RESP ||
5956 		     mgmt->u.action.u.public_action.action ==
5957 		     WLAN_PA_GAS_COMEBACK_RESP)) {
5958 			const u8 *pos, *end;
5959 
5960 			pos = &mgmt->u.action.u.public_action.action;
5961 			end = ((const u8 *) mgmt) + len;
5962 			gas_query_ap_rx(hapd->gas, mgmt->sa,
5963 					mgmt->u.action.category,
5964 					pos, end - pos, hapd->iface->freq);
5965 			return 1;
5966 		}
5967 #endif /* CONFIG_DPP */
5968 		if (hapd->public_action_cb) {
5969 			hapd->public_action_cb(hapd->public_action_cb_ctx,
5970 					       (u8 *) mgmt, len,
5971 					       hapd->iface->freq);
5972 		}
5973 		if (hapd->public_action_cb2) {
5974 			hapd->public_action_cb2(hapd->public_action_cb2_ctx,
5975 						(u8 *) mgmt, len,
5976 						hapd->iface->freq);
5977 		}
5978 		if (hapd->public_action_cb || hapd->public_action_cb2)
5979 			return 1;
5980 		break;
5981 	case WLAN_ACTION_VENDOR_SPECIFIC:
5982 		if (hapd->vendor_action_cb) {
5983 			if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
5984 						   (u8 *) mgmt, len,
5985 						   hapd->iface->freq) == 0)
5986 				return 1;
5987 		}
5988 		break;
5989 	case WLAN_ACTION_RADIO_MEASUREMENT:
5990 		hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
5991 		return 1;
5992 	}
5993 
5994 	hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5995 		       HOSTAPD_LEVEL_DEBUG,
5996 		       "handle_action - unknown action category %d or invalid "
5997 		       "frame",
5998 		       mgmt->u.action.category);
5999 	if (!is_multicast_ether_addr(mgmt->da) &&
6000 	    !(mgmt->u.action.category & 0x80) &&
6001 	    !is_multicast_ether_addr(mgmt->sa)) {
6002 		struct ieee80211_mgmt *resp;
6003 
6004 		/*
6005 		 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6006 		 * Return the Action frame to the source without change
6007 		 * except that MSB of the Category set to 1.
6008 		 */
6009 		wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6010 			   "frame back to sender");
6011 		resp = os_memdup(mgmt, len);
6012 		if (resp == NULL)
6013 			return 0;
6014 		os_memcpy(resp->da, resp->sa, ETH_ALEN);
6015 		os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6016 		os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6017 		resp->u.action.category |= 0x80;
6018 
6019 		if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6020 			wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6021 				   "Action frame");
6022 		}
6023 		os_free(resp);
6024 	}
6025 
6026 	return 1;
6027 }
6028 
6029 
6030 /**
6031  * notify_mgmt_frame - Notify of Management frames on the control interface
6032  * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6033  * sent to)
6034  * @buf: Management frame data (starting from the IEEE 802.11 header)
6035  * @len: Length of frame data in octets
6036  *
6037  * Notify the control interface of any received Management frame.
6038  */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6039 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6040 			      size_t len)
6041 {
6042 
6043 	int hex_len = len * 2 + 1;
6044 	char *hex = os_malloc(hex_len);
6045 
6046 	if (hex) {
6047 		wpa_snprintf_hex(hex, hex_len, buf, len);
6048 		wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6049 			     AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6050 		os_free(hex);
6051 	}
6052 }
6053 
6054 
6055 /**
6056  * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6057  * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6058  * sent to)
6059  * @buf: management frame data (starting from IEEE 802.11 header)
6060  * @len: length of frame data in octets
6061  * @fi: meta data about received frame (signal level, etc.)
6062  *
6063  * Process all incoming IEEE 802.11 management frames. This will be called for
6064  * each frame received from the kernel driver through wlan#ap interface. In
6065  * addition, it can be called to re-inserted pending frames (e.g., when using
6066  * external RADIUS server as an MAC ACL).
6067  */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6068 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6069 		    struct hostapd_frame_info *fi)
6070 {
6071 	struct ieee80211_mgmt *mgmt;
6072 	u16 fc, stype;
6073 	int ret = 0;
6074 	unsigned int freq;
6075 	int ssi_signal = fi ? fi->ssi_signal : 0;
6076 
6077 	if (len < 24)
6078 		return 0;
6079 
6080 	if (fi && fi->freq)
6081 		freq = fi->freq;
6082 	else
6083 		freq = hapd->iface->freq;
6084 
6085 	mgmt = (struct ieee80211_mgmt *) buf;
6086 	fc = le_to_host16(mgmt->frame_control);
6087 	stype = WLAN_FC_GET_STYPE(fc);
6088 
6089 	if (is_multicast_ether_addr(mgmt->sa) ||
6090 	    is_zero_ether_addr(mgmt->sa) ||
6091 	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
6092 		/* Do not process any frames with unexpected/invalid SA so that
6093 		 * we do not add any state for unexpected STA addresses or end
6094 		 * up sending out frames to unexpected destination. */
6095 		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6096 			   " in received frame - ignore this frame silently",
6097 			   MAC2STR(mgmt->sa));
6098 		return 0;
6099 	}
6100 
6101 	if (stype == WLAN_FC_STYPE_BEACON) {
6102 		handle_beacon(hapd, mgmt, len, fi);
6103 		return 1;
6104 	}
6105 
6106 	if (!is_broadcast_ether_addr(mgmt->bssid) &&
6107 #ifdef CONFIG_P2P
6108 	    /* Invitation responses can be sent with the peer MAC as BSSID */
6109 	    !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6110 	      stype == WLAN_FC_STYPE_ACTION) &&
6111 #endif /* CONFIG_P2P */
6112 #ifdef CONFIG_MESH
6113 	    !(hapd->conf->mesh & MESH_ENABLED) &&
6114 #endif /* CONFIG_MESH */
6115 	    os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
6116 		wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6117 			   MAC2STR(mgmt->bssid));
6118 		return 0;
6119 	}
6120 
6121 	if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6122 		wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6123 			   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6124 		return 1;
6125 	}
6126 
6127 	if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6128 		handle_probe_req(hapd, mgmt, len, ssi_signal);
6129 		return 1;
6130 	}
6131 
6132 	if ((!is_broadcast_ether_addr(mgmt->da) ||
6133 	     stype != WLAN_FC_STYPE_ACTION) &&
6134 	    os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
6135 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6136 			       HOSTAPD_LEVEL_DEBUG,
6137 			       "MGMT: DA=" MACSTR " not our address",
6138 			       MAC2STR(mgmt->da));
6139 		return 0;
6140 	}
6141 
6142 	if (hapd->iconf->track_sta_max_num)
6143 		sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6144 
6145 	if (hapd->conf->notify_mgmt_frames)
6146 		notify_mgmt_frame(hapd, buf, len);
6147 
6148 	switch (stype) {
6149 	case WLAN_FC_STYPE_AUTH:
6150 		wpa_printf(MSG_DEBUG, "mgmt::auth");
6151 		handle_auth(hapd, mgmt, len, ssi_signal, 0);
6152 		ret = 1;
6153 		break;
6154 	case WLAN_FC_STYPE_ASSOC_REQ:
6155 		wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6156 		handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6157 		ret = 1;
6158 		break;
6159 	case WLAN_FC_STYPE_REASSOC_REQ:
6160 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6161 		handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6162 		ret = 1;
6163 		break;
6164 	case WLAN_FC_STYPE_DISASSOC:
6165 		wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6166 		handle_disassoc(hapd, mgmt, len);
6167 		ret = 1;
6168 		break;
6169 	case WLAN_FC_STYPE_DEAUTH:
6170 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6171 		handle_deauth(hapd, mgmt, len);
6172 		ret = 1;
6173 		break;
6174 	case WLAN_FC_STYPE_ACTION:
6175 		wpa_printf(MSG_DEBUG, "mgmt::action");
6176 		ret = handle_action(hapd, mgmt, len, freq);
6177 		break;
6178 	default:
6179 		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6180 			       HOSTAPD_LEVEL_DEBUG,
6181 			       "unknown mgmt frame subtype %d", stype);
6182 		break;
6183 	}
6184 
6185 	return ret;
6186 }
6187 
6188 
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6189 static void handle_auth_cb(struct hostapd_data *hapd,
6190 			   const struct ieee80211_mgmt *mgmt,
6191 			   size_t len, int ok)
6192 {
6193 	u16 auth_alg, auth_transaction, status_code;
6194 	struct sta_info *sta;
6195 	bool success_status;
6196 
6197 	sta = ap_get_sta(hapd, mgmt->da);
6198 	if (!sta) {
6199 		wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6200 			   " not found",
6201 			   MAC2STR(mgmt->da));
6202 		return;
6203 	}
6204 
6205 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6206 		wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6207 			   (unsigned long) len);
6208 		auth_alg = 0;
6209 		auth_transaction = 0;
6210 		status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6211 		goto fail;
6212 	}
6213 
6214 	auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6215 	auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6216 	status_code = le_to_host16(mgmt->u.auth.status_code);
6217 
6218 	if (!ok) {
6219 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6220 			       HOSTAPD_LEVEL_NOTICE,
6221 			       "did not acknowledge authentication response");
6222 		goto fail;
6223 	}
6224 
6225 	if (status_code == WLAN_STATUS_SUCCESS &&
6226 	    ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6227 	     (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6228 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6229 			       HOSTAPD_LEVEL_INFO, "authenticated");
6230 		sta->flags |= WLAN_STA_AUTH;
6231 		if (sta->added_unassoc)
6232 			hostapd_set_sta_flags(hapd, sta);
6233 		return;
6234 	}
6235 
6236 fail:
6237 	success_status = status_code == WLAN_STATUS_SUCCESS;
6238 #ifdef CONFIG_SAE
6239 	if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6240 		success_status = sae_status_success(hapd, status_code);
6241 #endif /* CONFIG_SAE */
6242 	if (!success_status && sta->added_unassoc) {
6243 		hostapd_drv_sta_remove(hapd, sta->addr);
6244 		sta->added_unassoc = 0;
6245 	}
6246 }
6247 
6248 
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6249 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6250 				       struct sta_info *sta,
6251 				       char *ifname_wds)
6252 {
6253 #ifdef CONFIG_WEP
6254 	int i;
6255 	struct hostapd_ssid *ssid = &hapd->conf->ssid;
6256 
6257 	if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6258 		return;
6259 
6260 	for (i = 0; i < 4; i++) {
6261 		if (ssid->wep.key[i] &&
6262 		    hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6263 					0, i == ssid->wep.idx, NULL, 0,
6264 					ssid->wep.key[i], ssid->wep.len[i],
6265 					i == ssid->wep.idx ?
6266 					KEY_FLAG_GROUP_RX_TX_DEFAULT :
6267 					KEY_FLAG_GROUP_RX_TX)) {
6268 			wpa_printf(MSG_WARNING,
6269 				   "Could not set WEP keys for WDS interface; %s",
6270 				   ifname_wds);
6271 			break;
6272 		}
6273 	}
6274 #endif /* CONFIG_WEP */
6275 }
6276 
6277 
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6278 static void handle_assoc_cb(struct hostapd_data *hapd,
6279 			    const struct ieee80211_mgmt *mgmt,
6280 			    size_t len, int reassoc, int ok)
6281 {
6282 	u16 status;
6283 	struct sta_info *sta;
6284 	int new_assoc = 1;
6285 
6286 	sta = ap_get_sta(hapd, mgmt->da);
6287 	if (!sta) {
6288 		wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6289 			   MAC2STR(mgmt->da));
6290 		return;
6291 	}
6292 
6293 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6294 				      sizeof(mgmt->u.assoc_resp))) {
6295 		wpa_printf(MSG_INFO,
6296 			   "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6297 			   reassoc, (unsigned long) len);
6298 		hostapd_drv_sta_remove(hapd, sta->addr);
6299 		return;
6300 	}
6301 
6302 	if (reassoc)
6303 		status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6304 	else
6305 		status = le_to_host16(mgmt->u.assoc_resp.status_code);
6306 
6307 	if (!ok) {
6308 		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6309 			       HOSTAPD_LEVEL_DEBUG,
6310 			       "did not acknowledge association response");
6311 		sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6312 		/* The STA is added only in case of SUCCESS */
6313 		if (status == WLAN_STATUS_SUCCESS)
6314 			hostapd_drv_sta_remove(hapd, sta->addr);
6315 
6316 		return;
6317 	}
6318 
6319 	if (status != WLAN_STATUS_SUCCESS)
6320 		return;
6321 
6322 	/* Stop previous accounting session, if one is started, and allocate
6323 	 * new session id for the new session. */
6324 	accounting_sta_stop(hapd, sta);
6325 
6326 	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6327 		       HOSTAPD_LEVEL_INFO,
6328 		       "associated (aid %d)",
6329 		       sta->aid);
6330 
6331 	if (sta->flags & WLAN_STA_ASSOC)
6332 		new_assoc = 0;
6333 	sta->flags |= WLAN_STA_ASSOC;
6334 	sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6335 	if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6336 	     !hapd->conf->osen) ||
6337 	    sta->auth_alg == WLAN_AUTH_FILS_SK ||
6338 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6339 	    sta->auth_alg == WLAN_AUTH_FILS_PK ||
6340 	    sta->auth_alg == WLAN_AUTH_FT) {
6341 		/*
6342 		 * Open, static WEP, FT protocol, or FILS; no separate
6343 		 * authorization step.
6344 		 */
6345 		ap_sta_set_authorized(hapd, sta, 1);
6346 	}
6347 
6348 	if (reassoc)
6349 		mlme_reassociate_indication(hapd, sta);
6350 	else
6351 		mlme_associate_indication(hapd, sta);
6352 
6353 	sta->sa_query_timed_out = 0;
6354 
6355 	if (sta->eapol_sm == NULL) {
6356 		/*
6357 		 * This STA does not use RADIUS server for EAP authentication,
6358 		 * so bind it to the selected VLAN interface now, since the
6359 		 * interface selection is not going to change anymore.
6360 		 */
6361 		if (ap_sta_bind_vlan(hapd, sta) < 0)
6362 			return;
6363 	} else if (sta->vlan_id) {
6364 		/* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6365 		if (ap_sta_bind_vlan(hapd, sta) < 0)
6366 			return;
6367 	}
6368 
6369 	hostapd_set_sta_flags(hapd, sta);
6370 
6371 	if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6372 		wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6373 			   MACSTR " based on pending request",
6374 			   MAC2STR(sta->addr));
6375 		sta->pending_wds_enable = 0;
6376 		sta->flags |= WLAN_STA_WDS;
6377 	}
6378 
6379 	if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
6380 		int ret;
6381 		char ifname_wds[IFNAMSIZ + 1];
6382 
6383 		wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6384 			   MACSTR " (aid %u)",
6385 			   MAC2STR(sta->addr), sta->aid);
6386 		ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6387 					  sta->aid, 1);
6388 		if (!ret)
6389 			hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6390 	}
6391 
6392 	if (sta->auth_alg == WLAN_AUTH_FT)
6393 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6394 	else
6395 		wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6396 	hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6397 	ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6398 
6399 #ifdef CONFIG_FILS
6400 	if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6401 	     sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6402 	     sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6403 	    fils_set_tk(sta->wpa_sm) < 0) {
6404 		wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6405 		ap_sta_disconnect(hapd, sta, sta->addr,
6406 				  WLAN_REASON_UNSPECIFIED);
6407 		return;
6408 	}
6409 #endif /* CONFIG_FILS */
6410 
6411 	if (sta->pending_eapol_rx) {
6412 		struct os_reltime now, age;
6413 
6414 		os_get_reltime(&now);
6415 		os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6416 		if (age.sec == 0 && age.usec < 200000) {
6417 			wpa_printf(MSG_DEBUG,
6418 				   "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6419 				   MAC2STR(sta->addr));
6420 			ieee802_1x_receive(
6421 				hapd, mgmt->da,
6422 				wpabuf_head(sta->pending_eapol_rx->buf),
6423 				wpabuf_len(sta->pending_eapol_rx->buf));
6424 		}
6425 		wpabuf_free(sta->pending_eapol_rx->buf);
6426 		os_free(sta->pending_eapol_rx);
6427 		sta->pending_eapol_rx = NULL;
6428 	}
6429 }
6430 
6431 
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6432 static void handle_deauth_cb(struct hostapd_data *hapd,
6433 			     const struct ieee80211_mgmt *mgmt,
6434 			     size_t len, int ok)
6435 {
6436 	struct sta_info *sta;
6437 	if (is_multicast_ether_addr(mgmt->da))
6438 		return;
6439 	sta = ap_get_sta(hapd, mgmt->da);
6440 	if (!sta) {
6441 		wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6442 			   " not found", MAC2STR(mgmt->da));
6443 		return;
6444 	}
6445 	if (ok)
6446 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6447 			   MAC2STR(sta->addr));
6448 	else
6449 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6450 			   "deauth", MAC2STR(sta->addr));
6451 
6452 	ap_sta_deauth_cb(hapd, sta);
6453 }
6454 
6455 
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6456 static void handle_disassoc_cb(struct hostapd_data *hapd,
6457 			       const struct ieee80211_mgmt *mgmt,
6458 			       size_t len, int ok)
6459 {
6460 	struct sta_info *sta;
6461 	if (is_multicast_ether_addr(mgmt->da))
6462 		return;
6463 	sta = ap_get_sta(hapd, mgmt->da);
6464 	if (!sta) {
6465 		wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6466 			   " not found", MAC2STR(mgmt->da));
6467 		return;
6468 	}
6469 	if (ok)
6470 		wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6471 			   MAC2STR(sta->addr));
6472 	else
6473 		wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6474 			   "disassoc", MAC2STR(sta->addr));
6475 
6476 	ap_sta_disassoc_cb(hapd, sta);
6477 }
6478 
6479 
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6480 static void handle_action_cb(struct hostapd_data *hapd,
6481 			     const struct ieee80211_mgmt *mgmt,
6482 			     size_t len, int ok)
6483 {
6484 	struct sta_info *sta;
6485 	const struct rrm_measurement_report_element *report;
6486 
6487 	if (is_multicast_ether_addr(mgmt->da))
6488 		return;
6489 #ifdef CONFIG_DPP
6490 	if (len >= IEEE80211_HDRLEN + 6 &&
6491 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6492 	    mgmt->u.action.u.vs_public_action.action ==
6493 	    WLAN_PA_VENDOR_SPECIFIC &&
6494 	    WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6495 	    OUI_WFA &&
6496 	    mgmt->u.action.u.vs_public_action.variable[0] ==
6497 	    DPP_OUI_TYPE) {
6498 		const u8 *pos, *end;
6499 
6500 		pos = &mgmt->u.action.u.vs_public_action.variable[1];
6501 		end = ((const u8 *) mgmt) + len;
6502 		hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6503 		return;
6504 	}
6505 	if (len >= IEEE80211_HDRLEN + 2 &&
6506 	    mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6507 	    (mgmt->u.action.u.public_action.action ==
6508 	     WLAN_PA_GAS_INITIAL_REQ ||
6509 	     mgmt->u.action.u.public_action.action ==
6510 	     WLAN_PA_GAS_COMEBACK_REQ)) {
6511 		const u8 *pos, *end;
6512 
6513 		pos = mgmt->u.action.u.public_action.variable;
6514 		end = ((const u8 *) mgmt) + len;
6515 		gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6516 		return;
6517 	}
6518 #endif /* CONFIG_DPP */
6519 	sta = ap_get_sta(hapd, mgmt->da);
6520 	if (!sta) {
6521 		wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6522 			   " not found", MAC2STR(mgmt->da));
6523 		return;
6524 	}
6525 
6526 	if (len < 24 + 5 + sizeof(*report))
6527 		return;
6528 	report = (const struct rrm_measurement_report_element *)
6529 		&mgmt->u.action.u.rrm.variable[2];
6530 	if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6531 	    mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6532 	    report->eid == WLAN_EID_MEASURE_REQUEST &&
6533 	    report->len >= 3 &&
6534 	    report->type == MEASURE_TYPE_BEACON)
6535 		hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6536 }
6537 
6538 
6539 /**
6540  * ieee802_11_mgmt_cb - Process management frame TX status callback
6541  * @hapd: hostapd BSS data structure (the BSS from which the management frame
6542  * was sent from)
6543  * @buf: management frame data (starting from IEEE 802.11 header)
6544  * @len: length of frame data in octets
6545  * @stype: management frame subtype from frame control field
6546  * @ok: Whether the frame was ACK'ed
6547  */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6548 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6549 			u16 stype, int ok)
6550 {
6551 	const struct ieee80211_mgmt *mgmt;
6552 	mgmt = (const struct ieee80211_mgmt *) buf;
6553 
6554 #ifdef CONFIG_TESTING_OPTIONS
6555 	if (hapd->ext_mgmt_frame_handling) {
6556 		size_t hex_len = 2 * len + 1;
6557 		char *hex = os_malloc(hex_len);
6558 
6559 		if (hex) {
6560 			wpa_snprintf_hex(hex, hex_len, buf, len);
6561 			wpa_msg(hapd->msg_ctx, MSG_INFO,
6562 				"MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6563 				stype, ok, hex);
6564 			os_free(hex);
6565 		}
6566 		return;
6567 	}
6568 #endif /* CONFIG_TESTING_OPTIONS */
6569 
6570 	switch (stype) {
6571 	case WLAN_FC_STYPE_AUTH:
6572 		wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6573 		handle_auth_cb(hapd, mgmt, len, ok);
6574 		break;
6575 	case WLAN_FC_STYPE_ASSOC_RESP:
6576 		wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6577 		handle_assoc_cb(hapd, mgmt, len, 0, ok);
6578 		break;
6579 	case WLAN_FC_STYPE_REASSOC_RESP:
6580 		wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6581 		handle_assoc_cb(hapd, mgmt, len, 1, ok);
6582 		break;
6583 	case WLAN_FC_STYPE_PROBE_RESP:
6584 		wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6585 		break;
6586 	case WLAN_FC_STYPE_DEAUTH:
6587 		wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6588 		handle_deauth_cb(hapd, mgmt, len, ok);
6589 		break;
6590 	case WLAN_FC_STYPE_DISASSOC:
6591 		wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6592 		handle_disassoc_cb(hapd, mgmt, len, ok);
6593 		break;
6594 	case WLAN_FC_STYPE_ACTION:
6595 		wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6596 		handle_action_cb(hapd, mgmt, len, ok);
6597 		break;
6598 	default:
6599 		wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6600 		break;
6601 	}
6602 }
6603 
6604 
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6605 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6606 {
6607 	/* TODO */
6608 	return 0;
6609 }
6610 
6611 
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6612 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6613 			   char *buf, size_t buflen)
6614 {
6615 	/* TODO */
6616 	return 0;
6617 }
6618 
6619 
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6620 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6621 		       const u8 *buf, size_t len, int ack)
6622 {
6623 	struct sta_info *sta;
6624 	struct hostapd_iface *iface = hapd->iface;
6625 
6626 	sta = ap_get_sta(hapd, addr);
6627 	if (sta == NULL && iface->num_bss > 1) {
6628 		size_t j;
6629 		for (j = 0; j < iface->num_bss; j++) {
6630 			hapd = iface->bss[j];
6631 			sta = ap_get_sta(hapd, addr);
6632 			if (sta)
6633 				break;
6634 		}
6635 	}
6636 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6637 		return;
6638 	if (sta->flags & WLAN_STA_PENDING_POLL) {
6639 		wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6640 			   "activity poll", MAC2STR(sta->addr),
6641 			   ack ? "ACKed" : "did not ACK");
6642 		if (ack)
6643 			sta->flags &= ~WLAN_STA_PENDING_POLL;
6644 	}
6645 
6646 	ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6647 }
6648 
6649 
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)6650 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
6651 			     const u8 *data, size_t len, int ack)
6652 {
6653 	struct sta_info *sta;
6654 	struct hostapd_iface *iface = hapd->iface;
6655 
6656 	sta = ap_get_sta(hapd, dst);
6657 	if (sta == NULL && iface->num_bss > 1) {
6658 		size_t j;
6659 		for (j = 0; j < iface->num_bss; j++) {
6660 			hapd = iface->bss[j];
6661 			sta = ap_get_sta(hapd, dst);
6662 			if (sta)
6663 				break;
6664 		}
6665 	}
6666 	if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
6667 		wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
6668 			   MACSTR " that is not currently associated",
6669 			   MAC2STR(dst));
6670 		return;
6671 	}
6672 
6673 	ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
6674 }
6675 
6676 
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6677 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6678 {
6679 	struct sta_info *sta;
6680 	struct hostapd_iface *iface = hapd->iface;
6681 
6682 	sta = ap_get_sta(hapd, addr);
6683 	if (sta == NULL && iface->num_bss > 1) {
6684 		size_t j;
6685 		for (j = 0; j < iface->num_bss; j++) {
6686 			hapd = iface->bss[j];
6687 			sta = ap_get_sta(hapd, addr);
6688 			if (sta)
6689 				break;
6690 		}
6691 	}
6692 	if (sta == NULL)
6693 		return;
6694 	wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6695 		MAC2STR(sta->addr));
6696 	if (!(sta->flags & WLAN_STA_PENDING_POLL))
6697 		return;
6698 
6699 	wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6700 		   "activity poll", MAC2STR(sta->addr));
6701 	sta->flags &= ~WLAN_STA_PENDING_POLL;
6702 }
6703 
6704 
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6705 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
6706 				int wds)
6707 {
6708 	struct sta_info *sta;
6709 
6710 	sta = ap_get_sta(hapd, src);
6711 	if (sta &&
6712 	    ((sta->flags & WLAN_STA_ASSOC) ||
6713 	     ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
6714 		if (!hapd->conf->wds_sta)
6715 			return;
6716 
6717 		if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
6718 		    WLAN_STA_ASSOC_REQ_OK) {
6719 			wpa_printf(MSG_DEBUG,
6720 				   "Postpone 4-address WDS mode enabling for STA "
6721 				   MACSTR " since TX status for AssocResp is not yet known",
6722 				   MAC2STR(sta->addr));
6723 			sta->pending_wds_enable = 1;
6724 			return;
6725 		}
6726 
6727 		if (wds && !(sta->flags & WLAN_STA_WDS)) {
6728 			int ret;
6729 			char ifname_wds[IFNAMSIZ + 1];
6730 
6731 			wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
6732 				   "STA " MACSTR " (aid %u)",
6733 				   MAC2STR(sta->addr), sta->aid);
6734 			sta->flags |= WLAN_STA_WDS;
6735 			ret = hostapd_set_wds_sta(hapd, ifname_wds,
6736 						  sta->addr, sta->aid, 1);
6737 			if (!ret)
6738 				hostapd_set_wds_encryption(hapd, sta,
6739 							   ifname_wds);
6740 		}
6741 		return;
6742 	}
6743 
6744 	wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
6745 		   MACSTR, MAC2STR(src));
6746 	if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
6747 	    os_memcmp(src, hapd->own_addr, ETH_ALEN) == 0) {
6748 		/* Broadcast bit set in SA or unexpected SA?! Ignore the frame
6749 		 * silently. */
6750 		return;
6751 	}
6752 
6753 	if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
6754 		wpa_printf(MSG_DEBUG, "Association Response to the STA has "
6755 			   "already been sent, but no TX status yet known - "
6756 			   "ignore Class 3 frame issue with " MACSTR,
6757 			   MAC2STR(src));
6758 		return;
6759 	}
6760 
6761 	if (sta && (sta->flags & WLAN_STA_AUTH))
6762 		hostapd_drv_sta_disassoc(
6763 			hapd, src,
6764 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6765 	else
6766 		hostapd_drv_sta_deauth(
6767 			hapd, src,
6768 			WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
6769 }
6770 
6771 
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)6772 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
6773 {
6774 	struct hostapd_iface *iface = hapd->iface;
6775 	struct hostapd_config *iconf = iface->conf;
6776 	struct hostapd_hw_modes *mode = iface->current_mode;
6777 	struct hostapd_channel_data *chan;
6778 	int dfs, i;
6779 	u8 channel, tx_pwr_count, local_pwr_constraint;
6780 	int max_tx_power;
6781 	u8 tx_pwr;
6782 
6783 	if (!mode)
6784 		return eid;
6785 
6786 	if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
6787 		return eid;
6788 
6789 	for (i = 0; i < mode->num_channels; i++) {
6790 		if (mode->channels[i].freq == iface->freq)
6791 			break;
6792 	}
6793 	if (i == mode->num_channels)
6794 		return eid;
6795 
6796 	switch (hostapd_get_oper_chwidth(iconf)) {
6797 	case CHANWIDTH_USE_HT:
6798 		if (iconf->secondary_channel == 0) {
6799 			/* Max Transmit Power count = 0 (20 MHz) */
6800 			tx_pwr_count = 0;
6801 		} else {
6802 			/* Max Transmit Power count = 1 (20, 40 MHz) */
6803 			tx_pwr_count = 1;
6804 		}
6805 		break;
6806 	case CHANWIDTH_80MHZ:
6807 		/* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
6808 		tx_pwr_count = 2;
6809 		break;
6810 	case CHANWIDTH_80P80MHZ:
6811 	case CHANWIDTH_160MHZ:
6812 		/* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
6813 		tx_pwr_count = 3;
6814 		break;
6815 	default:
6816 		return eid;
6817 	}
6818 
6819 	/*
6820 	 * Below local_pwr_constraint logic is referred from
6821 	 * hostapd_eid_pwr_constraint.
6822 	 *
6823 	 * Check if DFS is required by regulatory.
6824 	 */
6825 	dfs = hostapd_is_dfs_required(hapd->iface);
6826 	if (dfs < 0)
6827 		dfs = 0;
6828 
6829 	/*
6830 	 * In order to meet regulations when TPC is not implemented using
6831 	 * a transmit power that is below the legal maximum (including any
6832 	 * mitigation factor) should help. In this case, indicate 3 dB below
6833 	 * maximum allowed transmit power.
6834 	 */
6835 	if (hapd->iconf->local_pwr_constraint == -1)
6836 		local_pwr_constraint = (dfs == 0) ? 0 : 3;
6837 	else
6838 		local_pwr_constraint = hapd->iconf->local_pwr_constraint;
6839 
6840 	/*
6841 	 * A STA that is not an AP shall use a transmit power less than or
6842 	 * equal to the local maximum transmit power level for the channel.
6843 	 * The local maximum transmit power can be calculated from the formula:
6844 	 * local max TX pwr = max TX pwr - local pwr constraint
6845 	 * Where max TX pwr is maximum transmit power level specified for
6846 	 * channel in Country element and local pwr constraint is specified
6847 	 * for channel in this Power Constraint element.
6848 	 */
6849 	chan = &mode->channels[i];
6850 	max_tx_power = chan->max_tx_power - local_pwr_constraint;
6851 
6852 	/*
6853 	 * Local Maximum Transmit power is encoded as two's complement
6854 	 * with a 0.5 dB step.
6855 	 */
6856 	max_tx_power *= 2; /* in 0.5 dB steps */
6857 	if (max_tx_power > 127) {
6858 		/* 63.5 has special meaning of 63.5 dBm or higher */
6859 		max_tx_power = 127;
6860 	}
6861 	if (max_tx_power < -128)
6862 		max_tx_power = -128;
6863 	if (max_tx_power < 0)
6864 		tx_pwr = 0x80 + max_tx_power + 128;
6865 	else
6866 		tx_pwr = max_tx_power;
6867 
6868 	*eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE;
6869 	*eid++ = 2 + tx_pwr_count;
6870 
6871 	/*
6872 	 * Max Transmit Power count and
6873 	 * Max Transmit Power units = 0 (EIRP)
6874 	 */
6875 	*eid++ = tx_pwr_count;
6876 
6877 	for (i = 0; i <= tx_pwr_count; i++)
6878 		*eid++ = tx_pwr;
6879 
6880 	return eid;
6881 }
6882 
6883 
hostapd_eid_wb_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)6884 u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
6885 {
6886 	u8 bw, chan1, chan2 = 0;
6887 	int freq1;
6888 
6889 	if (!hapd->cs_freq_params.channel ||
6890 	    (!hapd->cs_freq_params.vht_enabled &&
6891 	     !hapd->cs_freq_params.he_enabled))
6892 		return eid;
6893 
6894 	/* bandwidth: 0: 40, 1: 80, 2: 160, 3: 80+80 */
6895 	switch (hapd->cs_freq_params.bandwidth) {
6896 	case 40:
6897 		bw = 0;
6898 		break;
6899 	case 80:
6900 		/* check if it's 80+80 */
6901 		if (!hapd->cs_freq_params.center_freq2)
6902 			bw = 1;
6903 		else
6904 			bw = 3;
6905 		break;
6906 	case 160:
6907 		bw = 2;
6908 		break;
6909 	default:
6910 		/* not valid VHT bandwidth or not in CSA */
6911 		return eid;
6912 	}
6913 
6914 	freq1 = hapd->cs_freq_params.center_freq1 ?
6915 		hapd->cs_freq_params.center_freq1 :
6916 		hapd->cs_freq_params.freq;
6917 	if (ieee80211_freq_to_chan(freq1, &chan1) !=
6918 	    HOSTAPD_MODE_IEEE80211A)
6919 		return eid;
6920 
6921 	if (hapd->cs_freq_params.center_freq2 &&
6922 	    ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
6923 				   &chan2) != HOSTAPD_MODE_IEEE80211A)
6924 		return eid;
6925 
6926 	*eid++ = WLAN_EID_VHT_CHANNEL_SWITCH_WRAPPER;
6927 	*eid++ = 5; /* Length of Channel Switch Wrapper */
6928 	*eid++ = WLAN_EID_VHT_WIDE_BW_CHSWITCH;
6929 	*eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
6930 	*eid++ = bw; /* New Channel Width */
6931 	*eid++ = chan1; /* New Channel Center Frequency Segment 0 */
6932 	*eid++ = chan2; /* New Channel Center Frequency Segment 1 */
6933 
6934 	return eid;
6935 }
6936 
6937 #endif /* CONFIG_NATIVE_WINDOWS */
6938