1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "radius/radius.h"
25 #include "radius/radius_client.h"
26 #include "p2p/p2p.h"
27 #include "wps/wps.h"
28 #include "fst/fst.h"
29 #include "hostapd.h"
30 #include "beacon.h"
31 #include "ieee802_11_auth.h"
32 #include "sta_info.h"
33 #include "ieee802_1x.h"
34 #include "wpa_auth.h"
35 #include "pmksa_cache_auth.h"
36 #include "wmm.h"
37 #include "ap_list.h"
38 #include "accounting.h"
39 #include "ap_config.h"
40 #include "ap_mlme.h"
41 #include "p2p_hostapd.h"
42 #include "ap_drv_ops.h"
43 #include "wnm_ap.h"
44 #include "hw_features.h"
45 #include "ieee802_11.h"
46 #include "dfs.h"
47 #include "mbo_ap.h"
48 #include "rrm.h"
49 #include "taxonomy.h"
50 #include "fils_hlp.h"
51 #include "dpp_hostapd.h"
52 #include "gas_query_ap.h"
53
54
55 #ifdef CONFIG_FILS
56 static struct wpabuf *
57 prepare_auth_resp_fils(struct hostapd_data *hapd,
58 struct sta_info *sta, u16 *resp,
59 struct rsn_pmksa_cache_entry *pmksa,
60 struct wpabuf *erp_resp,
61 const u8 *msk, size_t msk_len,
62 int *is_pub);
63 #endif /* CONFIG_FILS */
64
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)65 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
66 {
67 u8 *pos = eid;
68 int i, num, count;
69
70 if (hapd->iface->current_rates == NULL)
71 return eid;
72
73 *pos++ = WLAN_EID_SUPP_RATES;
74 num = hapd->iface->num_rates;
75 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
76 num++;
77 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
78 num++;
79 if (num > 8) {
80 /* rest of the rates are encoded in Extended supported
81 * rates element */
82 num = 8;
83 }
84
85 *pos++ = num;
86 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
87 i++) {
88 count++;
89 *pos = hapd->iface->current_rates[i].rate / 5;
90 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
91 *pos |= 0x80;
92 pos++;
93 }
94
95 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
96 count++;
97 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
98 }
99
100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
101 count++;
102 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
103 }
104
105 return pos;
106 }
107
108
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)109 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
110 {
111 u8 *pos = eid;
112 int i, num, count;
113
114 if (hapd->iface->current_rates == NULL)
115 return eid;
116
117 num = hapd->iface->num_rates;
118 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
119 num++;
120 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
121 num++;
122 if (num <= 8)
123 return eid;
124 num -= 8;
125
126 *pos++ = WLAN_EID_EXT_SUPP_RATES;
127 *pos++ = num;
128 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
129 i++) {
130 count++;
131 if (count <= 8)
132 continue; /* already in SuppRates IE */
133 *pos = hapd->iface->current_rates[i].rate / 5;
134 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
135 *pos |= 0x80;
136 pos++;
137 }
138
139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
140 count++;
141 if (count > 8)
142 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
143 }
144
145 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
146 count++;
147 if (count > 8)
148 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
149 }
150
151 return pos;
152 }
153
154
hostapd_own_capab_info(struct hostapd_data * hapd)155 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
156 {
157 int capab = WLAN_CAPABILITY_ESS;
158 int privacy;
159 int dfs;
160 int i;
161
162 /* Check if any of configured channels require DFS */
163 dfs = hostapd_is_dfs_required(hapd->iface);
164 if (dfs < 0) {
165 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
166 dfs);
167 dfs = 0;
168 }
169
170 if (hapd->iface->num_sta_no_short_preamble == 0 &&
171 hapd->iconf->preamble == SHORT_PREAMBLE)
172 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
173
174 privacy = hapd->conf->ssid.wep.keys_set;
175
176 if (hapd->conf->ieee802_1x &&
177 (hapd->conf->default_wep_key_len ||
178 hapd->conf->individual_wep_key_len))
179 privacy = 1;
180
181 if (hapd->conf->wpa)
182 privacy = 1;
183
184 #ifdef CONFIG_HS20
185 if (hapd->conf->osen)
186 privacy = 1;
187 #endif /* CONFIG_HS20 */
188
189 if (privacy)
190 capab |= WLAN_CAPABILITY_PRIVACY;
191
192 if (hapd->iface->current_mode &&
193 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
194 hapd->iface->num_sta_no_short_slot_time == 0)
195 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
196
197 /*
198 * Currently, Spectrum Management capability bit is set when directly
199 * requested in configuration by spectrum_mgmt_required or when AP is
200 * running on DFS channel.
201 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
202 */
203 if (hapd->iface->current_mode &&
204 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
205 (hapd->iconf->spectrum_mgmt_required || dfs))
206 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
207
208 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
209 if (hapd->conf->radio_measurements[i]) {
210 capab |= IEEE80211_CAP_RRM;
211 break;
212 }
213 }
214
215 return capab;
216 }
217
218
219 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)220 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
221 u16 auth_transaction, const u8 *challenge,
222 int iswep)
223 {
224 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
225 HOSTAPD_LEVEL_DEBUG,
226 "authentication (shared key, transaction %d)",
227 auth_transaction);
228
229 if (auth_transaction == 1) {
230 if (!sta->challenge) {
231 /* Generate a pseudo-random challenge */
232 u8 key[8];
233
234 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
235 if (sta->challenge == NULL)
236 return WLAN_STATUS_UNSPECIFIED_FAILURE;
237
238 if (os_get_random(key, sizeof(key)) < 0) {
239 os_free(sta->challenge);
240 sta->challenge = NULL;
241 return WLAN_STATUS_UNSPECIFIED_FAILURE;
242 }
243
244 rc4_skip(key, sizeof(key), 0,
245 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
246 }
247 return 0;
248 }
249
250 if (auth_transaction != 3)
251 return WLAN_STATUS_UNSPECIFIED_FAILURE;
252
253 /* Transaction 3 */
254 if (!iswep || !sta->challenge || !challenge ||
255 os_memcmp_const(sta->challenge, challenge,
256 WLAN_AUTH_CHALLENGE_LEN)) {
257 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
258 HOSTAPD_LEVEL_INFO,
259 "shared key authentication - invalid "
260 "challenge-response");
261 return WLAN_STATUS_CHALLENGE_FAIL;
262 }
263
264 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
265 HOSTAPD_LEVEL_DEBUG,
266 "authentication OK (shared key)");
267 sta->flags |= WLAN_STA_AUTH;
268 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
269 os_free(sta->challenge);
270 sta->challenge = NULL;
271
272 return 0;
273 }
274 #endif /* CONFIG_NO_RC4 */
275
276
send_auth_reply(struct hostapd_data * hapd,const u8 * dst,const u8 * bssid,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len)277 static int send_auth_reply(struct hostapd_data *hapd,
278 const u8 *dst, const u8 *bssid,
279 u16 auth_alg, u16 auth_transaction, u16 resp,
280 const u8 *ies, size_t ies_len)
281 {
282 struct ieee80211_mgmt *reply;
283 u8 *buf;
284 size_t rlen;
285 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
286
287 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
288 buf = os_zalloc(rlen);
289 if (buf == NULL)
290 return -1;
291
292 reply = (struct ieee80211_mgmt *) buf;
293 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
294 WLAN_FC_STYPE_AUTH);
295 os_memcpy(reply->da, dst, ETH_ALEN);
296 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
297 os_memcpy(reply->bssid, bssid, ETH_ALEN);
298
299 reply->u.auth.auth_alg = host_to_le16(auth_alg);
300 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
301 reply->u.auth.status_code = host_to_le16(resp);
302
303 if (ies && ies_len)
304 os_memcpy(reply->u.auth.variable, ies, ies_len);
305
306 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
307 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)",
308 MAC2STR(dst), auth_alg, auth_transaction,
309 resp, (unsigned long) ies_len);
310 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
311 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
312 else
313 reply_res = WLAN_STATUS_SUCCESS;
314
315 os_free(buf);
316
317 return reply_res;
318 }
319
320
321 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,const u8 * bssid,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)322 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
323 u16 auth_transaction, u16 status,
324 const u8 *ies, size_t ies_len)
325 {
326 struct hostapd_data *hapd = ctx;
327 struct sta_info *sta;
328 int reply_res;
329
330 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
331 auth_transaction, status, ies, ies_len);
332
333 sta = ap_get_sta(hapd, dst);
334 if (sta == NULL)
335 return;
336
337 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
338 status != WLAN_STATUS_SUCCESS)) {
339 hostapd_drv_sta_remove(hapd, sta->addr);
340 sta->added_unassoc = 0;
341 return;
342 }
343
344 if (status != WLAN_STATUS_SUCCESS)
345 return;
346
347 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
348 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
349 sta->flags |= WLAN_STA_AUTH;
350 mlme_authenticate_indication(hapd, sta);
351 }
352 #endif /* CONFIG_IEEE80211R_AP */
353
354
355 #ifdef CONFIG_SAE
356
357 #define dot11RSNASAESync 5 /* attempts */
358
359
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update)360 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
361 struct sta_info *sta, int update)
362 {
363 struct wpabuf *buf;
364 const char *password;
365
366 password = hapd->conf->sae_password;
367 if (!password)
368 password = hapd->conf->ssid.wpa_passphrase;
369 if (!password) {
370 wpa_printf(MSG_DEBUG, "SAE: No password available");
371 return NULL;
372 }
373
374 if (update &&
375 sae_prepare_commit(hapd->own_addr, sta->addr,
376 (u8 *) password, os_strlen(password),
377 sta->sae) < 0) {
378 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
379 return NULL;
380 }
381
382 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN);
383 if (buf == NULL)
384 return NULL;
385 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
386 sta->sae->tmp->anti_clogging_token : NULL);
387
388 return buf;
389 }
390
391
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)392 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
393 struct sta_info *sta)
394 {
395 struct wpabuf *buf;
396
397 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
398 if (buf == NULL)
399 return NULL;
400
401 sae_write_confirm(sta->sae, buf);
402
403 return buf;
404 }
405
406
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,int update)407 static int auth_sae_send_commit(struct hostapd_data *hapd,
408 struct sta_info *sta,
409 const u8 *bssid, int update)
410 {
411 struct wpabuf *data;
412 int reply_res;
413
414 data = auth_build_sae_commit(hapd, sta, update);
415 if (data == NULL)
416 return WLAN_STATUS_UNSPECIFIED_FAILURE;
417
418 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
419 WLAN_STATUS_SUCCESS, wpabuf_head(data),
420 wpabuf_len(data));
421
422 wpabuf_free(data);
423
424 return reply_res;
425 }
426
427
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid)428 static int auth_sae_send_confirm(struct hostapd_data *hapd,
429 struct sta_info *sta,
430 const u8 *bssid)
431 {
432 struct wpabuf *data;
433 int reply_res;
434
435 data = auth_build_sae_confirm(hapd, sta);
436 if (data == NULL)
437 return WLAN_STATUS_UNSPECIFIED_FAILURE;
438
439 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
440 WLAN_STATUS_SUCCESS, wpabuf_head(data),
441 wpabuf_len(data));
442
443 wpabuf_free(data);
444
445 return reply_res;
446 }
447
448
use_sae_anti_clogging(struct hostapd_data * hapd)449 static int use_sae_anti_clogging(struct hostapd_data *hapd)
450 {
451 struct sta_info *sta;
452 unsigned int open = 0;
453
454 if (hapd->conf->sae_anti_clogging_threshold == 0)
455 return 1;
456
457 for (sta = hapd->sta_list; sta; sta = sta->next) {
458 if (!sta->sae)
459 continue;
460 if (sta->sae->state != SAE_COMMITTED &&
461 sta->sae->state != SAE_CONFIRMED)
462 continue;
463 open++;
464 if (open >= hapd->conf->sae_anti_clogging_threshold)
465 return 1;
466 }
467
468 return 0;
469 }
470
471
check_sae_token(struct hostapd_data * hapd,const u8 * addr,const u8 * token,size_t token_len)472 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
473 const u8 *token, size_t token_len)
474 {
475 u8 mac[SHA256_MAC_LEN];
476
477 if (token_len != SHA256_MAC_LEN)
478 return -1;
479 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
480 addr, ETH_ALEN, mac) < 0 ||
481 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0)
482 return -1;
483
484 return 0;
485 }
486
487
auth_build_token_req(struct hostapd_data * hapd,int group,const u8 * addr)488 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
489 int group, const u8 *addr)
490 {
491 struct wpabuf *buf;
492 u8 *token;
493 struct os_reltime now;
494
495 os_get_reltime(&now);
496 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
497 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) {
498 if (random_get_bytes(hapd->sae_token_key,
499 sizeof(hapd->sae_token_key)) < 0)
500 return NULL;
501 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
502 hapd->sae_token_key, sizeof(hapd->sae_token_key));
503 hapd->last_sae_token_key_update = now;
504 }
505
506 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
507 if (buf == NULL)
508 return NULL;
509
510 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
511
512 token = wpabuf_put(buf, SHA256_MAC_LEN);
513 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
514 addr, ETH_ALEN, token);
515
516 return buf;
517 }
518
519
sae_check_big_sync(struct sta_info * sta)520 static int sae_check_big_sync(struct sta_info *sta)
521 {
522 if (sta->sae->sync > dot11RSNASAESync) {
523 sta->sae->state = SAE_NOTHING;
524 sta->sae->sync = 0;
525 return -1;
526 }
527 return 0;
528 }
529
530
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)531 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
532 {
533 struct hostapd_data *hapd = eloop_ctx;
534 struct sta_info *sta = eloop_data;
535 int ret;
536
537 if (sae_check_big_sync(sta))
538 return;
539 sta->sae->sync++;
540 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
541 " (sync=%d state=%d)",
542 MAC2STR(sta->addr), sta->sae->sync, sta->sae->state);
543
544 switch (sta->sae->state) {
545 case SAE_COMMITTED:
546 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
547 eloop_register_timeout(0,
548 hapd->dot11RSNASAERetransPeriod * 1000,
549 auth_sae_retransmit_timer, hapd, sta);
550 break;
551 case SAE_CONFIRMED:
552 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
553 eloop_register_timeout(0,
554 hapd->dot11RSNASAERetransPeriod * 1000,
555 auth_sae_retransmit_timer, hapd, sta);
556 break;
557 default:
558 ret = -1;
559 break;
560 }
561
562 if (ret != WLAN_STATUS_SUCCESS)
563 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
564 }
565
566
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)567 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
568 {
569 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
570 }
571
572
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)573 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
574 struct sta_info *sta)
575 {
576 if (!(hapd->conf->mesh & MESH_ENABLED))
577 return;
578
579 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
580 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
581 auth_sae_retransmit_timer, hapd, sta);
582 }
583
584
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)585 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
586 {
587 sta->flags |= WLAN_STA_AUTH;
588 sta->auth_alg = WLAN_AUTH_SAE;
589 mlme_authenticate_indication(hapd, sta);
590 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
591 sta->sae->state = SAE_ACCEPTED;
592 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
593 sta->sae->pmk, sta->sae->pmkid);
594 }
595
596
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,const u8 * bssid,u8 auth_transaction)597 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
598 const u8 *bssid, u8 auth_transaction)
599 {
600 int ret;
601
602 if (auth_transaction != 1 && auth_transaction != 2)
603 return WLAN_STATUS_UNSPECIFIED_FAILURE;
604
605 switch (sta->sae->state) {
606 case SAE_NOTHING:
607 if (auth_transaction == 1) {
608 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
609 if (ret)
610 return ret;
611 sta->sae->state = SAE_COMMITTED;
612
613 if (sae_process_commit(sta->sae) < 0)
614 return WLAN_STATUS_UNSPECIFIED_FAILURE;
615
616 /*
617 * In mesh case, both Commit and Confirm can be sent
618 * immediately. In infrastructure BSS, only a single
619 * Authentication frame (Commit) is expected from the AP
620 * here and the second one (Confirm) will be sent once
621 * the STA has sent its second Authentication frame
622 * (Confirm).
623 */
624 if (hapd->conf->mesh & MESH_ENABLED) {
625 /*
626 * Send both Commit and Confirm immediately
627 * based on SAE finite state machine
628 * Nothing -> Confirm transition.
629 */
630 ret = auth_sae_send_confirm(hapd, sta, bssid);
631 if (ret)
632 return ret;
633 sta->sae->state = SAE_CONFIRMED;
634 } else {
635 /*
636 * For infrastructure BSS, send only the Commit
637 * message now to get alternating sequence of
638 * Authentication frames between the AP and STA.
639 * Confirm will be sent in
640 * Committed -> Confirmed/Accepted transition
641 * when receiving Confirm from STA.
642 */
643 }
644 sta->sae->sync = 0;
645 sae_set_retransmit_timer(hapd, sta);
646 } else {
647 hostapd_logger(hapd, sta->addr,
648 HOSTAPD_MODULE_IEEE80211,
649 HOSTAPD_LEVEL_DEBUG,
650 "SAE confirm before commit");
651 }
652 break;
653 case SAE_COMMITTED:
654 sae_clear_retransmit_timer(hapd, sta);
655 if (auth_transaction == 1) {
656 if (sae_process_commit(sta->sae) < 0)
657 return WLAN_STATUS_UNSPECIFIED_FAILURE;
658
659 ret = auth_sae_send_confirm(hapd, sta, bssid);
660 if (ret)
661 return ret;
662 sta->sae->state = SAE_CONFIRMED;
663 sta->sae->sync = 0;
664 sae_set_retransmit_timer(hapd, sta);
665 } else if (hapd->conf->mesh & MESH_ENABLED) {
666 /*
667 * In mesh case, follow SAE finite state machine and
668 * send Commit now, if sync count allows.
669 */
670 if (sae_check_big_sync(sta))
671 return WLAN_STATUS_SUCCESS;
672 sta->sae->sync++;
673
674 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
675 if (ret)
676 return ret;
677
678 sae_set_retransmit_timer(hapd, sta);
679 } else {
680 /*
681 * For instructure BSS, send the postponed Confirm from
682 * Nothing -> Confirmed transition that was reduced to
683 * Nothing -> Committed above.
684 */
685 ret = auth_sae_send_confirm(hapd, sta, bssid);
686 if (ret)
687 return ret;
688
689 sta->sae->state = SAE_CONFIRMED;
690
691 /*
692 * Since this was triggered on Confirm RX, run another
693 * step to get to Accepted without waiting for
694 * additional events.
695 */
696 return sae_sm_step(hapd, sta, bssid, auth_transaction);
697 }
698 break;
699 case SAE_CONFIRMED:
700 sae_clear_retransmit_timer(hapd, sta);
701 if (auth_transaction == 1) {
702 if (sae_check_big_sync(sta))
703 return WLAN_STATUS_SUCCESS;
704 sta->sae->sync++;
705
706 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
707 if (ret)
708 return ret;
709
710 if (sae_process_commit(sta->sae) < 0)
711 return WLAN_STATUS_UNSPECIFIED_FAILURE;
712
713 ret = auth_sae_send_confirm(hapd, sta, bssid);
714 if (ret)
715 return ret;
716
717 sae_set_retransmit_timer(hapd, sta);
718 } else {
719 sae_accept_sta(hapd, sta);
720 }
721 break;
722 case SAE_ACCEPTED:
723 if (auth_transaction == 1) {
724 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
725 ") doing reauthentication",
726 MAC2STR(sta->addr));
727 ap_free_sta(hapd, sta);
728 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
729 } else {
730 if (sae_check_big_sync(sta))
731 return WLAN_STATUS_SUCCESS;
732 sta->sae->sync++;
733
734 ret = auth_sae_send_confirm(hapd, sta, bssid);
735 sae_clear_temp_data(sta->sae);
736 if (ret)
737 return ret;
738 }
739 break;
740 default:
741 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
742 sta->sae->state);
743 return WLAN_STATUS_UNSPECIFIED_FAILURE;
744 }
745 return WLAN_STATUS_SUCCESS;
746 }
747
748
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)749 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
750 {
751 struct sae_data *sae = sta->sae;
752 int i, *groups = hapd->conf->sae_groups;
753
754 if (sae->state != SAE_COMMITTED)
755 return;
756
757 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
758
759 for (i = 0; groups && groups[i] > 0; i++) {
760 if (sae->group == groups[i])
761 break;
762 }
763
764 if (!groups || groups[i] <= 0) {
765 wpa_printf(MSG_DEBUG,
766 "SAE: Previously selected group not found from the current configuration");
767 return;
768 }
769
770 for (;;) {
771 i++;
772 if (groups[i] <= 0) {
773 wpa_printf(MSG_DEBUG,
774 "SAE: No alternative group enabled");
775 return;
776 }
777
778 if (sae_set_group(sae, groups[i]) < 0)
779 continue;
780
781 break;
782 }
783 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
784 }
785
786
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)787 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
788 const struct ieee80211_mgmt *mgmt, size_t len,
789 u16 auth_transaction, u16 status_code)
790 {
791 int resp = WLAN_STATUS_SUCCESS;
792 struct wpabuf *data = NULL;
793
794 #ifdef CONFIG_TESTING_OPTIONS
795 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
796 const u8 *pos, *end;
797
798 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
799 pos = mgmt->u.auth.variable;
800 end = ((const u8 *) mgmt) + len;
801 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
802 auth_transaction, resp, pos, end - pos);
803 goto remove_sta;
804 }
805
806 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
807 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
808 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
809 auth_transaction, resp,
810 wpabuf_head(hapd->conf->sae_commit_override),
811 wpabuf_len(hapd->conf->sae_commit_override));
812 goto remove_sta;
813 }
814 #endif /* CONFIG_TESTING_OPTIONS */
815 if (!sta->sae) {
816 if (auth_transaction != 1 ||
817 status_code != WLAN_STATUS_SUCCESS) {
818 resp = -1;
819 goto remove_sta;
820 }
821 sta->sae = os_zalloc(sizeof(*sta->sae));
822 if (!sta->sae) {
823 resp = -1;
824 goto remove_sta;
825 }
826 sta->sae->state = SAE_NOTHING;
827 sta->sae->sync = 0;
828 }
829
830 if (sta->mesh_sae_pmksa_caching) {
831 wpa_printf(MSG_DEBUG,
832 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
833 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
834 sta->mesh_sae_pmksa_caching = 0;
835 }
836
837 if (auth_transaction == 1) {
838 const u8 *token = NULL, *pos, *end;
839 size_t token_len = 0;
840 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
841 HOSTAPD_LEVEL_DEBUG,
842 "start SAE authentication (RX commit, status=%u)",
843 status_code);
844
845 if ((hapd->conf->mesh & MESH_ENABLED) &&
846 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
847 sta->sae->tmp) {
848 pos = mgmt->u.auth.variable;
849 end = ((const u8 *) mgmt) + len;
850 if (pos + sizeof(le16) > end) {
851 wpa_printf(MSG_ERROR,
852 "SAE: Too short anti-clogging token request");
853 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
854 goto reply;
855 }
856 resp = sae_group_allowed(sta->sae,
857 hapd->conf->sae_groups,
858 WPA_GET_LE16(pos));
859 if (resp != WLAN_STATUS_SUCCESS) {
860 wpa_printf(MSG_ERROR,
861 "SAE: Invalid group in anti-clogging token request");
862 goto reply;
863 }
864 pos += sizeof(le16);
865
866 wpabuf_free(sta->sae->tmp->anti_clogging_token);
867 sta->sae->tmp->anti_clogging_token =
868 wpabuf_alloc_copy(pos, end - pos);
869 if (sta->sae->tmp->anti_clogging_token == NULL) {
870 wpa_printf(MSG_ERROR,
871 "SAE: Failed to alloc for anti-clogging token");
872 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
873 goto remove_sta;
874 }
875
876 /*
877 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
878 * is 76, a new Commit Message shall be constructed
879 * with the Anti-Clogging Token from the received
880 * Authentication frame, and the commit-scalar and
881 * COMMIT-ELEMENT previously sent.
882 */
883 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
884 if (resp != WLAN_STATUS_SUCCESS) {
885 wpa_printf(MSG_ERROR,
886 "SAE: Failed to send commit message");
887 goto remove_sta;
888 }
889 sta->sae->state = SAE_COMMITTED;
890 sta->sae->sync = 0;
891 sae_set_retransmit_timer(hapd, sta);
892 return;
893 }
894
895 if ((hapd->conf->mesh & MESH_ENABLED) &&
896 status_code ==
897 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
898 sta->sae->tmp) {
899 wpa_printf(MSG_DEBUG,
900 "SAE: Peer did not accept our SAE group");
901 sae_pick_next_group(hapd, sta);
902 goto remove_sta;
903 }
904
905 if (status_code != WLAN_STATUS_SUCCESS)
906 goto remove_sta;
907
908 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
909 ((const u8 *) mgmt) + len -
910 mgmt->u.auth.variable, &token,
911 &token_len, hapd->conf->sae_groups);
912 if (resp == SAE_SILENTLY_DISCARD) {
913 wpa_printf(MSG_DEBUG,
914 "SAE: Drop commit message from " MACSTR " due to reflection attack",
915 MAC2STR(sta->addr));
916 goto remove_sta;
917 }
918 if (token && check_sae_token(hapd, sta->addr, token, token_len)
919 < 0) {
920 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
921 "incorrect token from " MACSTR,
922 MAC2STR(sta->addr));
923 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
924 goto remove_sta;
925 }
926
927 if (resp != WLAN_STATUS_SUCCESS)
928 goto reply;
929
930 if (!token && use_sae_anti_clogging(hapd)) {
931 wpa_printf(MSG_DEBUG,
932 "SAE: Request anti-clogging token from "
933 MACSTR, MAC2STR(sta->addr));
934 data = auth_build_token_req(hapd, sta->sae->group,
935 sta->addr);
936 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
937 if (hapd->conf->mesh & MESH_ENABLED)
938 sta->sae->state = SAE_NOTHING;
939 goto reply;
940 }
941
942 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
943 } else if (auth_transaction == 2) {
944 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
945 HOSTAPD_LEVEL_DEBUG,
946 "SAE authentication (RX confirm, status=%u)",
947 status_code);
948 if (status_code != WLAN_STATUS_SUCCESS)
949 goto remove_sta;
950 if (sta->sae->state >= SAE_CONFIRMED ||
951 !(hapd->conf->mesh & MESH_ENABLED)) {
952 if (sae_check_confirm(sta->sae, mgmt->u.auth.variable,
953 ((u8 *) mgmt) + len -
954 mgmt->u.auth.variable) < 0) {
955 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
956 goto reply;
957 }
958 }
959 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction);
960 } else {
961 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
962 HOSTAPD_LEVEL_DEBUG,
963 "unexpected SAE authentication transaction %u (status=%u)",
964 auth_transaction, status_code);
965 if (status_code != WLAN_STATUS_SUCCESS)
966 goto remove_sta;
967 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
968 }
969
970 reply:
971 if (resp != WLAN_STATUS_SUCCESS) {
972 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
973 auth_transaction, resp,
974 data ? wpabuf_head(data) : (u8 *) "",
975 data ? wpabuf_len(data) : 0);
976 }
977
978 remove_sta:
979 if (sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
980 status_code != WLAN_STATUS_SUCCESS)) {
981 hostapd_drv_sta_remove(hapd, sta->addr);
982 sta->added_unassoc = 0;
983 }
984 wpabuf_free(data);
985 }
986
987
988 /**
989 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
990 * @hapd: BSS data for the device initiating the authentication
991 * @sta: the peer to which commit authentication frame is sent
992 *
993 * This function implements Init event handling (IEEE Std 802.11-2012,
994 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
995 * sta->sae structure should be initialized appropriately via a call to
996 * sae_prepare_commit().
997 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)998 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
999 {
1000 int ret;
1001
1002 if (!sta->sae || !sta->sae->tmp)
1003 return -1;
1004
1005 if (sta->sae->state != SAE_NOTHING)
1006 return -1;
1007
1008 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1009 if (ret)
1010 return -1;
1011
1012 sta->sae->state = SAE_COMMITTED;
1013 sta->sae->sync = 0;
1014 sae_set_retransmit_timer(hapd, sta);
1015
1016 return 0;
1017 }
1018
1019 #endif /* CONFIG_SAE */
1020
1021
wpa_res_to_status_code(int res)1022 static u16 wpa_res_to_status_code(int res)
1023 {
1024 if (res == WPA_INVALID_GROUP)
1025 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1026 if (res == WPA_INVALID_PAIRWISE)
1027 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1028 if (res == WPA_INVALID_AKMP)
1029 return WLAN_STATUS_AKMP_NOT_VALID;
1030 if (res == WPA_ALLOC_FAIL)
1031 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1032 #ifdef CONFIG_IEEE80211W
1033 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1034 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1035 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1036 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1037 #endif /* CONFIG_IEEE80211W */
1038 if (res == WPA_INVALID_MDIE)
1039 return WLAN_STATUS_INVALID_MDIE;
1040 if (res == WPA_INVALID_PMKID)
1041 return WLAN_STATUS_INVALID_PMKID;
1042 if (res != WPA_IE_OK)
1043 return WLAN_STATUS_INVALID_IE;
1044 return WLAN_STATUS_SUCCESS;
1045 }
1046
1047
1048 #ifdef CONFIG_FILS
1049
1050 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1051 struct sta_info *sta, u16 resp,
1052 struct wpabuf *data, int pub);
1053
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1054 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1055 const u8 *pos, size_t len, u16 auth_alg,
1056 u16 auth_transaction, u16 status_code,
1057 void (*cb)(struct hostapd_data *hapd,
1058 struct sta_info *sta, u16 resp,
1059 struct wpabuf *data, int pub))
1060 {
1061 u16 resp = WLAN_STATUS_SUCCESS;
1062 const u8 *end;
1063 struct ieee802_11_elems elems;
1064 int res;
1065 struct wpa_ie_data rsn;
1066 struct rsn_pmksa_cache_entry *pmksa = NULL;
1067
1068 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1069 return;
1070
1071 end = pos + len;
1072
1073 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1074 pos, end - pos);
1075
1076 /* TODO: FILS PK */
1077 #ifdef CONFIG_FILS_SK_PFS
1078 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1079 u16 group;
1080 struct wpabuf *pub;
1081 size_t elem_len;
1082
1083 /* Using FILS PFS */
1084
1085 /* Finite Cyclic Group */
1086 if (end - pos < 2) {
1087 wpa_printf(MSG_DEBUG,
1088 "FILS: No room for Finite Cyclic Group");
1089 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1090 goto fail;
1091 }
1092 group = WPA_GET_LE16(pos);
1093 pos += 2;
1094 if (group != hapd->conf->fils_dh_group) {
1095 wpa_printf(MSG_DEBUG,
1096 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1097 group, hapd->conf->fils_dh_group);
1098 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1099 goto fail;
1100 }
1101
1102 crypto_ecdh_deinit(sta->fils_ecdh);
1103 sta->fils_ecdh = crypto_ecdh_init(group);
1104 if (!sta->fils_ecdh) {
1105 wpa_printf(MSG_INFO,
1106 "FILS: Could not initialize ECDH with group %d",
1107 group);
1108 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1109 goto fail;
1110 }
1111
1112 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1113 if (!pub) {
1114 wpa_printf(MSG_DEBUG,
1115 "FILS: Failed to derive ECDH public key");
1116 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1117 goto fail;
1118 }
1119 elem_len = wpabuf_len(pub);
1120 wpabuf_free(pub);
1121
1122 /* Element */
1123 if ((size_t) (end - pos) < elem_len) {
1124 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1125 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1126 goto fail;
1127 }
1128
1129 wpabuf_free(sta->fils_g_sta);
1130 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1131 wpabuf_clear_free(sta->fils_dh_ss);
1132 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1133 pos, elem_len);
1134 if (!sta->fils_dh_ss) {
1135 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1136 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1137 goto fail;
1138 }
1139 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1140 pos += elem_len;
1141 } else {
1142 crypto_ecdh_deinit(sta->fils_ecdh);
1143 sta->fils_ecdh = NULL;
1144 wpabuf_clear_free(sta->fils_dh_ss);
1145 sta->fils_dh_ss = NULL;
1146 }
1147 #endif /* CONFIG_FILS_SK_PFS */
1148
1149 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1150 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1151 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1152 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1153 goto fail;
1154 }
1155
1156 /* RSNE */
1157 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1158 elems.rsn_ie, elems.rsn_ie_len);
1159 if (!elems.rsn_ie ||
1160 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1161 &rsn) < 0) {
1162 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1163 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 goto fail;
1165 }
1166
1167 if (!sta->wpa_sm)
1168 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1169 NULL);
1170 if (!sta->wpa_sm) {
1171 wpa_printf(MSG_DEBUG,
1172 "FILS: Failed to initialize RSN state machine");
1173 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1174 goto fail;
1175 }
1176
1177 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1178 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1179 elems.mdie, elems.mdie_len, NULL, 0);
1180 resp = wpa_res_to_status_code(res);
1181 if (resp != WLAN_STATUS_SUCCESS)
1182 goto fail;
1183
1184 if (!elems.fils_nonce) {
1185 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1186 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1187 goto fail;
1188 }
1189 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1190 FILS_NONCE_LEN);
1191 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1192
1193 /* PMKID List */
1194 if (rsn.pmkid && rsn.num_pmkid > 0) {
1195 u8 num;
1196 const u8 *pmkid;
1197
1198 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1199 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1200
1201 pmkid = rsn.pmkid;
1202 num = rsn.num_pmkid;
1203 while (num) {
1204 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1205 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1206 pmkid);
1207 if (pmksa)
1208 break;
1209 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1210 sta->addr,
1211 pmkid);
1212 if (pmksa)
1213 break;
1214 pmkid += PMKID_LEN;
1215 num--;
1216 }
1217 }
1218 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1219 wpa_printf(MSG_DEBUG,
1220 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1221 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1222 pmksa = NULL;
1223 }
1224 if (pmksa)
1225 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1226
1227 /* FILS Session */
1228 if (!elems.fils_session) {
1229 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1230 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1231 goto fail;
1232 }
1233 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1234 FILS_SESSION_LEN);
1235 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1236
1237 /* FILS Wrapped Data */
1238 if (elems.fils_wrapped_data) {
1239 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1240 elems.fils_wrapped_data,
1241 elems.fils_wrapped_data_len);
1242 if (!pmksa) {
1243 #ifndef CONFIG_NO_RADIUS
1244 if (!sta->eapol_sm) {
1245 sta->eapol_sm =
1246 ieee802_1x_alloc_eapol_sm(hapd, sta);
1247 }
1248 wpa_printf(MSG_DEBUG,
1249 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1250 ieee802_1x_encapsulate_radius(
1251 hapd, sta, elems.fils_wrapped_data,
1252 elems.fils_wrapped_data_len);
1253 sta->fils_pending_cb = cb;
1254 wpa_printf(MSG_DEBUG,
1255 "FILS: Will send Authentication frame once the response from authentication server is available");
1256 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1257 /* Calculate pending PMKID here so that we do not need
1258 * to maintain a copy of the EAP-Initiate/Reauth
1259 * message. */
1260 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1261 elems.fils_wrapped_data,
1262 elems.fils_wrapped_data_len,
1263 sta->fils_erp_pmkid) == 0)
1264 sta->fils_erp_pmkid_set = 1;
1265 return;
1266 #else /* CONFIG_NO_RADIUS */
1267 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1268 goto fail;
1269 #endif /* CONFIG_NO_RADIUS */
1270 }
1271 }
1272
1273 fail:
1274 if (cb) {
1275 struct wpabuf *data;
1276 int pub = 0;
1277
1278 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1279 NULL, 0, &pub);
1280 if (!data) {
1281 wpa_printf(MSG_DEBUG,
1282 "%s: prepare_auth_resp_fils() returned failure",
1283 __func__);
1284 }
1285
1286 cb(hapd, sta, resp, data, pub);
1287 }
1288 }
1289
1290
1291 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)1292 prepare_auth_resp_fils(struct hostapd_data *hapd,
1293 struct sta_info *sta, u16 *resp,
1294 struct rsn_pmksa_cache_entry *pmksa,
1295 struct wpabuf *erp_resp,
1296 const u8 *msk, size_t msk_len,
1297 int *is_pub)
1298 {
1299 u8 fils_nonce[FILS_NONCE_LEN];
1300 size_t ielen;
1301 struct wpabuf *data = NULL;
1302 const u8 *ie;
1303 u8 *ie_buf = NULL;
1304 const u8 *pmk = NULL;
1305 size_t pmk_len = 0;
1306 u8 pmk_buf[PMK_LEN_MAX];
1307 struct wpabuf *pub = NULL;
1308
1309 if (*resp != WLAN_STATUS_SUCCESS)
1310 goto fail;
1311
1312 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1313 if (!ie) {
1314 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1315 goto fail;
1316 }
1317
1318 if (pmksa) {
1319 /* Add PMKID of the selected PMKSA into RSNE */
1320 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1321 if (!ie_buf) {
1322 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1323 goto fail;
1324 }
1325
1326 os_memcpy(ie_buf, ie, ielen);
1327 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1328 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1329 goto fail;
1330 }
1331 ie = ie_buf;
1332 }
1333
1334 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1335 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1336 goto fail;
1337 }
1338 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1339 fils_nonce, FILS_NONCE_LEN);
1340
1341 #ifdef CONFIG_FILS_SK_PFS
1342 if (sta->fils_dh_ss && sta->fils_ecdh) {
1343 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1344 if (!pub) {
1345 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1346 goto fail;
1347 }
1348 }
1349 #endif /* CONFIG_FILS_SK_PFS */
1350
1351 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1352 if (!data) {
1353 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1354 goto fail;
1355 }
1356
1357 /* TODO: FILS PK */
1358 #ifdef CONFIG_FILS_SK_PFS
1359 if (pub) {
1360 /* Finite Cyclic Group */
1361 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1362
1363 /* Element */
1364 wpabuf_put_buf(data, pub);
1365 }
1366 #endif /* CONFIG_FILS_SK_PFS */
1367
1368 /* RSNE */
1369 wpabuf_put_data(data, ie, ielen);
1370
1371 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1372
1373 #ifdef CONFIG_IEEE80211R_AP
1374 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1375 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1376 int res;
1377
1378 res = wpa_auth_write_fte(hapd->wpa_auth, wpabuf_put(data, 0),
1379 wpabuf_tailroom(data));
1380 if (res < 0) {
1381 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1382 goto fail;
1383 }
1384 wpabuf_put(data, res);
1385 }
1386 #endif /* CONFIG_IEEE80211R_AP */
1387
1388 /* FILS Nonce */
1389 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1390 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1391 /* Element ID Extension */
1392 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1393 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1394
1395 /* FILS Session */
1396 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1397 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1398 /* Element ID Extension */
1399 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1400 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1401
1402 /* FILS Wrapped Data */
1403 if (!pmksa && erp_resp) {
1404 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1405 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1406 /* Element ID Extension */
1407 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1408 wpabuf_put_buf(data, erp_resp);
1409
1410 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1411 msk, msk_len, sta->fils_snonce, fils_nonce,
1412 sta->fils_dh_ss ?
1413 wpabuf_head(sta->fils_dh_ss) : NULL,
1414 sta->fils_dh_ss ?
1415 wpabuf_len(sta->fils_dh_ss) : 0,
1416 pmk_buf, &pmk_len)) {
1417 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1418 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1419 wpabuf_free(data);
1420 data = NULL;
1421 goto fail;
1422 }
1423 pmk = pmk_buf;
1424
1425 /* Don't use DHss in PTK derivation if PMKSA caching is not
1426 * used. */
1427 wpabuf_clear_free(sta->fils_dh_ss);
1428 sta->fils_dh_ss = NULL;
1429
1430 if (sta->fils_erp_pmkid_set) {
1431 /* TODO: get PMKLifetime from WPA parameters */
1432 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1433
1434 sta->fils_erp_pmkid_set = 0;
1435 if (wpa_auth_pmksa_add2(
1436 hapd->wpa_auth, sta->addr,
1437 pmk, pmk_len,
1438 sta->fils_erp_pmkid,
1439 sta->session_timeout_set ?
1440 sta->session_timeout :
1441 dot11RSNAConfigPMKLifetime,
1442 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1443 wpa_printf(MSG_ERROR,
1444 "FILS: Failed to add PMKSA cache entry based on ERP");
1445 }
1446 }
1447 } else if (pmksa) {
1448 pmk = pmksa->pmk;
1449 pmk_len = pmksa->pmk_len;
1450 }
1451
1452 if (!pmk) {
1453 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1454 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1455 wpabuf_free(data);
1456 data = NULL;
1457 goto fail;
1458 }
1459
1460 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1461 sta->fils_snonce, fils_nonce,
1462 sta->fils_dh_ss ?
1463 wpabuf_head(sta->fils_dh_ss) : NULL,
1464 sta->fils_dh_ss ?
1465 wpabuf_len(sta->fils_dh_ss) : 0,
1466 sta->fils_g_sta, pub) < 0) {
1467 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1468 wpabuf_free(data);
1469 data = NULL;
1470 goto fail;
1471 }
1472
1473 fail:
1474 if (is_pub)
1475 *is_pub = pub != NULL;
1476 os_free(ie_buf);
1477 wpabuf_free(pub);
1478 wpabuf_clear_free(sta->fils_dh_ss);
1479 sta->fils_dh_ss = NULL;
1480 #ifdef CONFIG_FILS_SK_PFS
1481 crypto_ecdh_deinit(sta->fils_ecdh);
1482 sta->fils_ecdh = NULL;
1483 #endif /* CONFIG_FILS_SK_PFS */
1484 return data;
1485 }
1486
1487
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)1488 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1489 struct sta_info *sta, u16 resp,
1490 struct wpabuf *data, int pub)
1491 {
1492 u16 auth_alg;
1493
1494 auth_alg = (pub ||
1495 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1496 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1497 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1498 data ? wpabuf_head(data) : (u8 *) "",
1499 data ? wpabuf_len(data) : 0);
1500 wpabuf_free(data);
1501
1502 if (resp == WLAN_STATUS_SUCCESS) {
1503 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1504 HOSTAPD_LEVEL_DEBUG,
1505 "authentication OK (FILS)");
1506 sta->flags |= WLAN_STA_AUTH;
1507 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1508 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1509 mlme_authenticate_indication(hapd, sta);
1510 }
1511 }
1512
1513
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)1514 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1515 struct sta_info *sta, int success,
1516 struct wpabuf *erp_resp,
1517 const u8 *msk, size_t msk_len)
1518 {
1519 struct wpabuf *data;
1520 int pub = 0;
1521 u16 resp;
1522
1523 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1524
1525 if (!sta->fils_pending_cb)
1526 return;
1527 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1528 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1529 msk, msk_len, &pub);
1530 if (!data) {
1531 wpa_printf(MSG_DEBUG,
1532 "%s: prepare_auth_resp_fils() returned failure",
1533 __func__);
1534 }
1535 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1536 }
1537
1538 #endif /* CONFIG_FILS */
1539
1540
1541 static int
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,u32 * session_timeout,u32 * acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui)1542 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1543 const u8 *msg, size_t len, u32 *session_timeout,
1544 u32 *acct_interim_interval,
1545 struct vlan_description *vlan_id,
1546 struct hostapd_sta_wpa_psk_short **psk,
1547 char **identity, char **radius_cui)
1548 {
1549 int res;
1550
1551 os_memset(vlan_id, 0, sizeof(*vlan_id));
1552 res = hostapd_allowed_address(hapd, addr, msg, len,
1553 session_timeout, acct_interim_interval,
1554 vlan_id, psk, identity, radius_cui);
1555
1556 if (res == HOSTAPD_ACL_REJECT) {
1557 wpa_printf(MSG_INFO,
1558 "Station " MACSTR " not allowed to authenticate",
1559 MAC2STR(addr));
1560 return HOSTAPD_ACL_REJECT;
1561 }
1562
1563 if (res == HOSTAPD_ACL_PENDING) {
1564 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1565 " waiting for an external authentication",
1566 MAC2STR(addr));
1567 /* Authentication code will re-send the authentication frame
1568 * after it has received (and cached) information from the
1569 * external source. */
1570 return HOSTAPD_ACL_PENDING;
1571 }
1572
1573 return res;
1574 }
1575
1576
1577 static int
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,u32 session_timeout,u32 acct_interim_interval,struct vlan_description * vlan_id,struct hostapd_sta_wpa_psk_short ** psk,char ** identity,char ** radius_cui)1578 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1579 int res, u32 session_timeout,
1580 u32 acct_interim_interval,
1581 struct vlan_description *vlan_id,
1582 struct hostapd_sta_wpa_psk_short **psk,
1583 char **identity, char **radius_cui)
1584 {
1585 if (vlan_id->notempty &&
1586 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1587 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1588 HOSTAPD_LEVEL_INFO,
1589 "Invalid VLAN %d%s received from RADIUS server",
1590 vlan_id->untagged,
1591 vlan_id->tagged[0] ? "+" : "");
1592 return -1;
1593 }
1594 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1595 return -1;
1596 if (sta->vlan_id)
1597 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1598 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1599
1600 hostapd_free_psk_list(sta->psk);
1601 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
1602 sta->psk = *psk;
1603 *psk = NULL;
1604 } else {
1605 sta->psk = NULL;
1606 }
1607
1608 sta->identity = *identity;
1609 *identity = NULL;
1610 sta->radius_cui = *radius_cui;
1611 *radius_cui = NULL;
1612
1613 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
1614 sta->acct_interim_interval = acct_interim_interval;
1615 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
1616 ap_sta_session_timeout(hapd, sta, session_timeout);
1617 else
1618 ap_sta_no_session_timeout(hapd, sta);
1619
1620 return 0;
1621 }
1622
1623
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)1624 static void handle_auth(struct hostapd_data *hapd,
1625 const struct ieee80211_mgmt *mgmt, size_t len)
1626 {
1627 u16 auth_alg, auth_transaction, status_code;
1628 u16 resp = WLAN_STATUS_SUCCESS;
1629 struct sta_info *sta = NULL;
1630 int res, reply_res;
1631 u16 fc;
1632 const u8 *challenge = NULL;
1633 u32 session_timeout, acct_interim_interval;
1634 struct vlan_description vlan_id;
1635 struct hostapd_sta_wpa_psk_short *psk = NULL;
1636 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
1637 size_t resp_ies_len = 0;
1638 char *identity = NULL;
1639 char *radius_cui = NULL;
1640 u16 seq_ctrl;
1641
1642 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
1643 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
1644 (unsigned long) len);
1645 return;
1646 }
1647
1648 #ifdef CONFIG_TESTING_OPTIONS
1649 if (hapd->iconf->ignore_auth_probability > 0.0 &&
1650 drand48() < hapd->iconf->ignore_auth_probability) {
1651 wpa_printf(MSG_INFO,
1652 "TESTING: ignoring auth frame from " MACSTR,
1653 MAC2STR(mgmt->sa));
1654 return;
1655 }
1656 #endif /* CONFIG_TESTING_OPTIONS */
1657
1658 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
1659 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
1660 status_code = le_to_host16(mgmt->u.auth.status_code);
1661 fc = le_to_host16(mgmt->frame_control);
1662 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
1663
1664 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
1665 2 + WLAN_AUTH_CHALLENGE_LEN &&
1666 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
1667 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
1668 challenge = &mgmt->u.auth.variable[2];
1669
1670 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
1671 "auth_transaction=%d status_code=%d wep=%d%s "
1672 "seq_ctrl=0x%x%s",
1673 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
1674 status_code, !!(fc & WLAN_FC_ISWEP),
1675 challenge ? " challenge" : "",
1676 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
1677
1678 #ifdef CONFIG_NO_RC4
1679 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
1680 wpa_printf(MSG_INFO,
1681 "Unsupported authentication algorithm (%d)",
1682 auth_alg);
1683 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1684 goto fail;
1685 }
1686 #endif /* CONFIG_NO_RC4 */
1687
1688 if (hapd->tkip_countermeasures) {
1689 resp = WLAN_REASON_MICHAEL_MIC_FAILURE;
1690 goto fail;
1691 }
1692
1693 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
1694 auth_alg == WLAN_AUTH_OPEN) ||
1695 #ifdef CONFIG_IEEE80211R_AP
1696 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
1697 auth_alg == WLAN_AUTH_FT) ||
1698 #endif /* CONFIG_IEEE80211R_AP */
1699 #ifdef CONFIG_SAE
1700 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
1701 auth_alg == WLAN_AUTH_SAE) ||
1702 #endif /* CONFIG_SAE */
1703 #ifdef CONFIG_FILS
1704 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1705 auth_alg == WLAN_AUTH_FILS_SK) ||
1706 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
1707 hapd->conf->fils_dh_group &&
1708 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
1709 #endif /* CONFIG_FILS */
1710 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
1711 auth_alg == WLAN_AUTH_SHARED_KEY))) {
1712 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
1713 auth_alg);
1714 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1715 goto fail;
1716 }
1717
1718 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
1719 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
1720 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
1721 auth_transaction);
1722 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1723 goto fail;
1724 }
1725
1726 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
1727 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
1728 MAC2STR(mgmt->sa));
1729 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1730 goto fail;
1731 }
1732
1733 if (hapd->conf->no_auth_if_seen_on) {
1734 struct hostapd_data *other;
1735
1736 other = sta_track_seen_on(hapd->iface, mgmt->sa,
1737 hapd->conf->no_auth_if_seen_on);
1738 if (other) {
1739 u8 *pos;
1740 u32 info;
1741 u8 op_class, channel, phytype;
1742
1743 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
1744 MACSTR " since STA has been seen on %s",
1745 hapd->conf->iface, MAC2STR(mgmt->sa),
1746 hapd->conf->no_auth_if_seen_on);
1747
1748 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
1749 pos = &resp_ies[0];
1750 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
1751 *pos++ = 13;
1752 os_memcpy(pos, other->own_addr, ETH_ALEN);
1753 pos += ETH_ALEN;
1754 info = 0; /* TODO: BSSID Information */
1755 WPA_PUT_LE32(pos, info);
1756 pos += 4;
1757 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
1758 phytype = 8; /* dmg */
1759 else if (other->iconf->ieee80211ac)
1760 phytype = 9; /* vht */
1761 else if (other->iconf->ieee80211n)
1762 phytype = 7; /* ht */
1763 else if (other->iconf->hw_mode ==
1764 HOSTAPD_MODE_IEEE80211A)
1765 phytype = 4; /* ofdm */
1766 else if (other->iconf->hw_mode ==
1767 HOSTAPD_MODE_IEEE80211G)
1768 phytype = 6; /* erp */
1769 else
1770 phytype = 5; /* hrdsss */
1771 if (ieee80211_freq_to_channel_ext(
1772 hostapd_hw_get_freq(other,
1773 other->iconf->channel),
1774 other->iconf->secondary_channel,
1775 other->iconf->ieee80211ac,
1776 &op_class, &channel) == NUM_HOSTAPD_MODES) {
1777 op_class = 0;
1778 channel = other->iconf->channel;
1779 }
1780 *pos++ = op_class;
1781 *pos++ = channel;
1782 *pos++ = phytype;
1783 resp_ies_len = pos - &resp_ies[0];
1784 goto fail;
1785 }
1786 }
1787
1788 res = ieee802_11_allowed_address(
1789 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
1790 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui);
1791 if (res == HOSTAPD_ACL_REJECT) {
1792 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1793 goto fail;
1794 }
1795 if (res == HOSTAPD_ACL_PENDING)
1796 return;
1797
1798 sta = ap_get_sta(hapd, mgmt->sa);
1799 if (sta) {
1800 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1801 if ((fc & WLAN_FC_RETRY) &&
1802 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
1803 sta->last_seq_ctrl == seq_ctrl &&
1804 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
1805 hostapd_logger(hapd, sta->addr,
1806 HOSTAPD_MODULE_IEEE80211,
1807 HOSTAPD_LEVEL_DEBUG,
1808 "Drop repeated authentication frame seq_ctrl=0x%x",
1809 seq_ctrl);
1810 return;
1811 }
1812 #ifdef CONFIG_MESH
1813 if ((hapd->conf->mesh & MESH_ENABLED) &&
1814 sta->plink_state == PLINK_BLOCKED) {
1815 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1816 " is blocked - drop Authentication frame",
1817 MAC2STR(mgmt->sa));
1818 return;
1819 }
1820 #endif /* CONFIG_MESH */
1821 } else {
1822 #ifdef CONFIG_MESH
1823 if (hapd->conf->mesh & MESH_ENABLED) {
1824 /* if the mesh peer is not available, we don't do auth.
1825 */
1826 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
1827 " not yet known - drop Authentication frame",
1828 MAC2STR(mgmt->sa));
1829 /*
1830 * Save a copy of the frame so that it can be processed
1831 * if a new peer entry is added shortly after this.
1832 */
1833 wpabuf_free(hapd->mesh_pending_auth);
1834 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
1835 os_get_reltime(&hapd->mesh_pending_auth_time);
1836 return;
1837 }
1838 #endif /* CONFIG_MESH */
1839
1840 sta = ap_sta_add(hapd, mgmt->sa);
1841 if (!sta) {
1842 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1843 goto fail;
1844 }
1845 }
1846 sta->last_seq_ctrl = seq_ctrl;
1847 sta->last_subtype = WLAN_FC_STYPE_AUTH;
1848
1849 res = ieee802_11_set_radius_info(
1850 hapd, sta, res, session_timeout, acct_interim_interval,
1851 &vlan_id, &psk, &identity, &radius_cui);
1852 if (res) {
1853 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1854 goto fail;
1855 }
1856
1857 sta->flags &= ~WLAN_STA_PREAUTH;
1858 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
1859
1860 /*
1861 * If the driver supports full AP client state, add a station to the
1862 * driver before sending authentication reply to make sure the driver
1863 * has resources, and not to go through the entire authentication and
1864 * association handshake, and fail it at the end.
1865 *
1866 * If this is not the first transaction, in a multi-step authentication
1867 * algorithm, the station already exists in the driver
1868 * (sta->added_unassoc = 1) so skip it.
1869 *
1870 * In mesh mode, the station was already added to the driver when the
1871 * NEW_PEER_CANDIDATE event is received.
1872 *
1873 * If PMF was negotiated for the existing association, skip this to
1874 * avoid dropping the STA entry and the associated keys. This is needed
1875 * to allow the original connection work until the attempt can complete
1876 * (re)association, so that unprotected Authentication frame cannot be
1877 * used to bypass PMF protection.
1878 */
1879 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
1880 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
1881 !(hapd->conf->mesh & MESH_ENABLED) &&
1882 !(sta->added_unassoc)) {
1883 /*
1884 * If a station that is already associated to the AP, is trying
1885 * to authenticate again, remove the STA entry, in order to make
1886 * sure the STA PS state gets cleared and configuration gets
1887 * updated. To handle this, station's added_unassoc flag is
1888 * cleared once the station has completed association.
1889 */
1890 hostapd_drv_sta_remove(hapd, sta->addr);
1891 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
1892 WLAN_STA_AUTHORIZED);
1893
1894 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
1895 NULL, NULL, sta->flags, 0, 0, 0, 0)) {
1896 hostapd_logger(hapd, sta->addr,
1897 HOSTAPD_MODULE_IEEE80211,
1898 HOSTAPD_LEVEL_NOTICE,
1899 "Could not add STA to kernel driver");
1900 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1901 goto fail;
1902 }
1903
1904 sta->added_unassoc = 1;
1905 }
1906
1907 switch (auth_alg) {
1908 case WLAN_AUTH_OPEN:
1909 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1910 HOSTAPD_LEVEL_DEBUG,
1911 "authentication OK (open system)");
1912 sta->flags |= WLAN_STA_AUTH;
1913 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1914 sta->auth_alg = WLAN_AUTH_OPEN;
1915 mlme_authenticate_indication(hapd, sta);
1916 break;
1917 #ifndef CONFIG_NO_RC4
1918 case WLAN_AUTH_SHARED_KEY:
1919 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
1920 fc & WLAN_FC_ISWEP);
1921 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
1922 mlme_authenticate_indication(hapd, sta);
1923 if (sta->challenge && auth_transaction == 1) {
1924 resp_ies[0] = WLAN_EID_CHALLENGE;
1925 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
1926 os_memcpy(resp_ies + 2, sta->challenge,
1927 WLAN_AUTH_CHALLENGE_LEN);
1928 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
1929 }
1930 break;
1931 #endif /* CONFIG_NO_RC4 */
1932 #ifdef CONFIG_IEEE80211R_AP
1933 case WLAN_AUTH_FT:
1934 sta->auth_alg = WLAN_AUTH_FT;
1935 if (sta->wpa_sm == NULL)
1936 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
1937 sta->addr, NULL);
1938 if (sta->wpa_sm == NULL) {
1939 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
1940 "state machine");
1941 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1942 goto fail;
1943 }
1944 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
1945 auth_transaction, mgmt->u.auth.variable,
1946 len - IEEE80211_HDRLEN -
1947 sizeof(mgmt->u.auth),
1948 handle_auth_ft_finish, hapd);
1949 /* handle_auth_ft_finish() callback will complete auth. */
1950 return;
1951 #endif /* CONFIG_IEEE80211R_AP */
1952 #ifdef CONFIG_SAE
1953 case WLAN_AUTH_SAE:
1954 #ifdef CONFIG_MESH
1955 if (status_code == WLAN_STATUS_SUCCESS &&
1956 hapd->conf->mesh & MESH_ENABLED) {
1957 if (sta->wpa_sm == NULL)
1958 sta->wpa_sm =
1959 wpa_auth_sta_init(hapd->wpa_auth,
1960 sta->addr, NULL);
1961 if (sta->wpa_sm == NULL) {
1962 wpa_printf(MSG_DEBUG,
1963 "SAE: Failed to initialize WPA state machine");
1964 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1965 goto fail;
1966 }
1967 }
1968 #endif /* CONFIG_MESH */
1969 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
1970 status_code);
1971 return;
1972 #endif /* CONFIG_SAE */
1973 #ifdef CONFIG_FILS
1974 case WLAN_AUTH_FILS_SK:
1975 case WLAN_AUTH_FILS_SK_PFS:
1976 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
1977 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
1978 auth_alg, auth_transaction, status_code,
1979 handle_auth_fils_finish);
1980 return;
1981 #endif /* CONFIG_FILS */
1982 }
1983
1984 fail:
1985 os_free(identity);
1986 os_free(radius_cui);
1987 hostapd_free_psk_list(psk);
1988
1989 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
1990 auth_transaction + 1, resp, resp_ies,
1991 resp_ies_len);
1992
1993 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
1994 reply_res != WLAN_STATUS_SUCCESS)) {
1995 hostapd_drv_sta_remove(hapd, sta->addr);
1996 sta->added_unassoc = 0;
1997 }
1998 }
1999
2000
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)2001 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2002 {
2003 int i, j = 32, aid;
2004
2005 /* get a unique AID */
2006 if (sta->aid > 0) {
2007 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2008 return 0;
2009 }
2010
2011 if (TEST_FAIL())
2012 return -1;
2013
2014 for (i = 0; i < AID_WORDS; i++) {
2015 if (hapd->sta_aid[i] == (u32) -1)
2016 continue;
2017 for (j = 0; j < 32; j++) {
2018 if (!(hapd->sta_aid[i] & BIT(j)))
2019 break;
2020 }
2021 if (j < 32)
2022 break;
2023 }
2024 if (j == 32)
2025 return -1;
2026 aid = i * 32 + j + 1;
2027 if (aid > 2007)
2028 return -1;
2029
2030 sta->aid = aid;
2031 hapd->sta_aid[i] |= BIT(j);
2032 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2033 return 0;
2034 }
2035
2036
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)2037 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2038 const u8 *ssid_ie, size_t ssid_ie_len)
2039 {
2040 if (ssid_ie == NULL)
2041 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2042
2043 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2044 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2045 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2046 HOSTAPD_LEVEL_INFO,
2047 "Station tried to associate with unknown SSID "
2048 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2049 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2050 }
2051
2052 return WLAN_STATUS_SUCCESS;
2053 }
2054
2055
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)2056 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2057 const u8 *wmm_ie, size_t wmm_ie_len)
2058 {
2059 sta->flags &= ~WLAN_STA_WMM;
2060 sta->qosinfo = 0;
2061 if (wmm_ie && hapd->conf->wmm_enabled) {
2062 struct wmm_information_element *wmm;
2063
2064 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2065 hostapd_logger(hapd, sta->addr,
2066 HOSTAPD_MODULE_WPA,
2067 HOSTAPD_LEVEL_DEBUG,
2068 "invalid WMM element in association "
2069 "request");
2070 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2071 }
2072
2073 sta->flags |= WLAN_STA_WMM;
2074 wmm = (struct wmm_information_element *) wmm_ie;
2075 sta->qosinfo = wmm->qos_info;
2076 }
2077 return WLAN_STATUS_SUCCESS;
2078 }
2079
2080
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)2081 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2082 struct ieee802_11_elems *elems)
2083 {
2084 /* Supported rates not used in IEEE 802.11ad/DMG */
2085 if (hapd->iface->current_mode &&
2086 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2087 return WLAN_STATUS_SUCCESS;
2088
2089 if (!elems->supp_rates) {
2090 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2091 HOSTAPD_LEVEL_DEBUG,
2092 "No supported rates element in AssocReq");
2093 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2094 }
2095
2096 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2097 sizeof(sta->supported_rates)) {
2098 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2099 HOSTAPD_LEVEL_DEBUG,
2100 "Invalid supported rates element length %d+%d",
2101 elems->supp_rates_len,
2102 elems->ext_supp_rates_len);
2103 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2104 }
2105
2106 sta->supported_rates_len = merge_byte_arrays(
2107 sta->supported_rates, sizeof(sta->supported_rates),
2108 elems->supp_rates, elems->supp_rates_len,
2109 elems->ext_supp_rates, elems->ext_supp_rates_len);
2110
2111 return WLAN_STATUS_SUCCESS;
2112 }
2113
2114
check_ext_capab(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ext_capab_ie,size_t ext_capab_ie_len)2115 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2116 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2117 {
2118 #ifdef CONFIG_INTERWORKING
2119 /* check for QoS Map support */
2120 if (ext_capab_ie_len >= 5) {
2121 if (ext_capab_ie[4] & 0x01)
2122 sta->qos_map_enabled = 1;
2123 }
2124 #endif /* CONFIG_INTERWORKING */
2125
2126 if (ext_capab_ie_len > 0)
2127 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2128
2129 return WLAN_STATUS_SUCCESS;
2130 }
2131
2132
2133 #ifdef CONFIG_OWE
2134
owe_group_supported(struct hostapd_data * hapd,u16 group)2135 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2136 {
2137 int i;
2138 int *groups = hapd->conf->owe_groups;
2139
2140 if (group != 19 && group != 20 && group != 21)
2141 return 0;
2142
2143 if (!groups)
2144 return 1;
2145
2146 for (i = 0; groups[i] > 0; i++) {
2147 if (groups[i] == group)
2148 return 1;
2149 }
2150
2151 return 0;
2152 }
2153
2154
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)2155 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2156 struct sta_info *sta, const u8 *owe_dh,
2157 u8 owe_dh_len)
2158 {
2159 struct wpabuf *secret, *pub, *hkey;
2160 int res;
2161 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2162 const char *info = "OWE Key Generation";
2163 const u8 *addr[2];
2164 size_t len[2];
2165 u16 group;
2166 size_t hash_len, prime_len;
2167
2168 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2169 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2170 return WLAN_STATUS_SUCCESS;
2171 }
2172
2173 group = WPA_GET_LE16(owe_dh);
2174 if (!owe_group_supported(hapd, group)) {
2175 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2176 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2177 }
2178 if (group == 19)
2179 prime_len = 32;
2180 else if (group == 20)
2181 prime_len = 48;
2182 else if (group == 21)
2183 prime_len = 66;
2184 else
2185 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2186
2187 crypto_ecdh_deinit(sta->owe_ecdh);
2188 sta->owe_ecdh = crypto_ecdh_init(group);
2189 if (!sta->owe_ecdh)
2190 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2191 sta->owe_group = group;
2192
2193 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2194 owe_dh_len - 2);
2195 secret = wpabuf_zeropad(secret, prime_len);
2196 if (!secret) {
2197 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2198 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2199 }
2200 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2201
2202 /* prk = HKDF-extract(C | A | group, z) */
2203
2204 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2205 if (!pub) {
2206 wpabuf_clear_free(secret);
2207 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2208 }
2209
2210 /* PMKID = Truncate-128(Hash(C | A)) */
2211 addr[0] = owe_dh + 2;
2212 len[0] = owe_dh_len - 2;
2213 addr[1] = wpabuf_head(pub);
2214 len[1] = wpabuf_len(pub);
2215 if (group == 19) {
2216 res = sha256_vector(2, addr, len, pmkid);
2217 hash_len = SHA256_MAC_LEN;
2218 } else if (group == 20) {
2219 res = sha384_vector(2, addr, len, pmkid);
2220 hash_len = SHA384_MAC_LEN;
2221 } else if (group == 21) {
2222 res = sha512_vector(2, addr, len, pmkid);
2223 hash_len = SHA512_MAC_LEN;
2224 } else {
2225 wpabuf_free(pub);
2226 wpabuf_clear_free(secret);
2227 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2228 }
2229 pub = wpabuf_zeropad(pub, prime_len);
2230 if (res < 0 || !pub) {
2231 wpabuf_free(pub);
2232 wpabuf_clear_free(secret);
2233 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2234 }
2235
2236 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2237 if (!hkey) {
2238 wpabuf_free(pub);
2239 wpabuf_clear_free(secret);
2240 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2241 }
2242
2243 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2244 wpabuf_put_buf(hkey, pub); /* A */
2245 wpabuf_free(pub);
2246 wpabuf_put_le16(hkey, group); /* group */
2247 if (group == 19)
2248 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2249 wpabuf_head(secret), wpabuf_len(secret), prk);
2250 else if (group == 20)
2251 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2252 wpabuf_head(secret), wpabuf_len(secret), prk);
2253 else if (group == 21)
2254 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2255 wpabuf_head(secret), wpabuf_len(secret), prk);
2256 wpabuf_clear_free(hkey);
2257 wpabuf_clear_free(secret);
2258 if (res < 0)
2259 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2260
2261 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2262
2263 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2264
2265 os_free(sta->owe_pmk);
2266 sta->owe_pmk = os_malloc(hash_len);
2267 if (!sta->owe_pmk) {
2268 os_memset(prk, 0, SHA512_MAC_LEN);
2269 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2270 }
2271
2272 if (group == 19)
2273 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2274 os_strlen(info), sta->owe_pmk, hash_len);
2275 else if (group == 20)
2276 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2277 os_strlen(info), sta->owe_pmk, hash_len);
2278 else if (group == 21)
2279 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2280 os_strlen(info), sta->owe_pmk, hash_len);
2281 os_memset(prk, 0, SHA512_MAC_LEN);
2282 if (res < 0) {
2283 os_free(sta->owe_pmk);
2284 sta->owe_pmk = NULL;
2285 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2286 }
2287 sta->owe_pmk_len = hash_len;
2288
2289 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2290 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2291 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2292 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2293
2294 return WLAN_STATUS_SUCCESS;
2295 }
2296
2297 #endif /* CONFIG_OWE */
2298
2299
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)2300 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2301 const u8 *ies, size_t ies_len, int reassoc)
2302 {
2303 struct ieee802_11_elems elems;
2304 u16 resp;
2305 const u8 *wpa_ie;
2306 size_t wpa_ie_len;
2307 const u8 *p2p_dev_addr = NULL;
2308
2309 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2310 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2311 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2312 "association request");
2313 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2314 }
2315
2316 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2317 if (resp != WLAN_STATUS_SUCCESS)
2318 return resp;
2319 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2320 if (resp != WLAN_STATUS_SUCCESS)
2321 return resp;
2322 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2323 if (resp != WLAN_STATUS_SUCCESS)
2324 return resp;
2325 resp = copy_supp_rates(hapd, sta, &elems);
2326 if (resp != WLAN_STATUS_SUCCESS)
2327 return resp;
2328 #ifdef CONFIG_IEEE80211N
2329 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2330 if (resp != WLAN_STATUS_SUCCESS)
2331 return resp;
2332 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2333 !(sta->flags & WLAN_STA_HT)) {
2334 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2335 HOSTAPD_LEVEL_INFO, "Station does not support "
2336 "mandatory HT PHY - reject association");
2337 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2338 }
2339 #endif /* CONFIG_IEEE80211N */
2340
2341 #ifdef CONFIG_IEEE80211AC
2342 if (hapd->iconf->ieee80211ac) {
2343 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2344 if (resp != WLAN_STATUS_SUCCESS)
2345 return resp;
2346
2347 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2348 if (resp != WLAN_STATUS_SUCCESS)
2349 return resp;
2350 }
2351
2352 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2353 !(sta->flags & WLAN_STA_VHT)) {
2354 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2355 HOSTAPD_LEVEL_INFO, "Station does not support "
2356 "mandatory VHT PHY - reject association");
2357 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2358 }
2359
2360 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2361 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2362 elems.vendor_vht_len);
2363 if (resp != WLAN_STATUS_SUCCESS)
2364 return resp;
2365 }
2366 #endif /* CONFIG_IEEE80211AC */
2367
2368 #ifdef CONFIG_P2P
2369 if (elems.p2p) {
2370 wpabuf_free(sta->p2p_ie);
2371 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2372 P2P_IE_VENDOR_TYPE);
2373 if (sta->p2p_ie)
2374 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2375 } else {
2376 wpabuf_free(sta->p2p_ie);
2377 sta->p2p_ie = NULL;
2378 }
2379 #endif /* CONFIG_P2P */
2380
2381 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2382 wpa_ie = elems.rsn_ie;
2383 wpa_ie_len = elems.rsn_ie_len;
2384 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2385 elems.wpa_ie) {
2386 wpa_ie = elems.wpa_ie;
2387 wpa_ie_len = elems.wpa_ie_len;
2388 } else {
2389 wpa_ie = NULL;
2390 wpa_ie_len = 0;
2391 }
2392
2393 #ifdef CONFIG_WPS
2394 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2395 if (hapd->conf->wps_state && elems.wps_ie) {
2396 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2397 "Request - assume WPS is used");
2398 sta->flags |= WLAN_STA_WPS;
2399 wpabuf_free(sta->wps_ie);
2400 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2401 WPS_IE_VENDOR_TYPE);
2402 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2403 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2404 sta->flags |= WLAN_STA_WPS2;
2405 }
2406 wpa_ie = NULL;
2407 wpa_ie_len = 0;
2408 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2409 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2410 "(Re)Association Request - reject");
2411 return WLAN_STATUS_INVALID_IE;
2412 }
2413 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
2414 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2415 "(Re)Association Request - possible WPS use");
2416 sta->flags |= WLAN_STA_MAYBE_WPS;
2417 } else
2418 #endif /* CONFIG_WPS */
2419 if (hapd->conf->wpa && wpa_ie == NULL) {
2420 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2421 HOSTAPD_LEVEL_INFO,
2422 "No WPA/RSN IE in association request");
2423 return WLAN_STATUS_INVALID_IE;
2424 }
2425
2426 if (hapd->conf->wpa && wpa_ie) {
2427 int res;
2428 wpa_ie -= 2;
2429 wpa_ie_len += 2;
2430 if (sta->wpa_sm == NULL)
2431 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2432 sta->addr,
2433 p2p_dev_addr);
2434 if (sta->wpa_sm == NULL) {
2435 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2436 "state machine");
2437 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2438 }
2439 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2440 wpa_ie, wpa_ie_len,
2441 elems.mdie, elems.mdie_len,
2442 elems.owe_dh, elems.owe_dh_len);
2443 resp = wpa_res_to_status_code(res);
2444 if (resp != WLAN_STATUS_SUCCESS)
2445 return resp;
2446 #ifdef CONFIG_IEEE80211W
2447 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2448 sta->sa_query_count > 0)
2449 ap_check_sa_query_timeout(hapd, sta);
2450 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out &&
2451 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2452 /*
2453 * STA has already been associated with MFP and SA
2454 * Query timeout has not been reached. Reject the
2455 * association attempt temporarily and start SA Query,
2456 * if one is not pending.
2457 */
2458
2459 if (sta->sa_query_count == 0)
2460 ap_sta_start_sa_query(hapd, sta);
2461
2462 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2463 }
2464
2465 if (wpa_auth_uses_mfp(sta->wpa_sm))
2466 sta->flags |= WLAN_STA_MFP;
2467 else
2468 sta->flags &= ~WLAN_STA_MFP;
2469 #endif /* CONFIG_IEEE80211W */
2470
2471 #ifdef CONFIG_IEEE80211R_AP
2472 if (sta->auth_alg == WLAN_AUTH_FT) {
2473 if (!reassoc) {
2474 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2475 "to use association (not "
2476 "re-association) with FT auth_alg",
2477 MAC2STR(sta->addr));
2478 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2479 }
2480
2481 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2482 ies_len);
2483 if (resp != WLAN_STATUS_SUCCESS)
2484 return resp;
2485 }
2486 #endif /* CONFIG_IEEE80211R_AP */
2487
2488 #ifdef CONFIG_SAE
2489 if (wpa_auth_uses_sae(sta->wpa_sm) &&
2490 sta->auth_alg == WLAN_AUTH_OPEN) {
2491 struct rsn_pmksa_cache_entry *sa;
2492 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
2493 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
2494 wpa_printf(MSG_DEBUG,
2495 "SAE: No PMKSA cache entry found for "
2496 MACSTR, MAC2STR(sta->addr));
2497 return WLAN_STATUS_INVALID_PMKID;
2498 }
2499 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
2500 " using PMKSA caching", MAC2STR(sta->addr));
2501 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
2502 sta->auth_alg != WLAN_AUTH_SAE &&
2503 !(sta->auth_alg == WLAN_AUTH_FT &&
2504 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
2505 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
2506 "SAE AKM after non-SAE auth_alg %u",
2507 MAC2STR(sta->addr), sta->auth_alg);
2508 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2509 }
2510 #endif /* CONFIG_SAE */
2511
2512 #ifdef CONFIG_OWE
2513 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2514 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
2515 elems.owe_dh) {
2516 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
2517 elems.owe_dh_len);
2518 if (resp != WLAN_STATUS_SUCCESS)
2519 return resp;
2520 }
2521 #endif /* CONFIG_OWE */
2522
2523 #ifdef CONFIG_IEEE80211N
2524 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
2525 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
2526 hostapd_logger(hapd, sta->addr,
2527 HOSTAPD_MODULE_IEEE80211,
2528 HOSTAPD_LEVEL_INFO,
2529 "Station tried to use TKIP with HT "
2530 "association");
2531 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
2532 }
2533 #endif /* CONFIG_IEEE80211N */
2534 #ifdef CONFIG_HS20
2535 } else if (hapd->conf->osen) {
2536 if (elems.osen == NULL) {
2537 hostapd_logger(
2538 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2539 HOSTAPD_LEVEL_INFO,
2540 "No HS 2.0 OSEN element in association request");
2541 return WLAN_STATUS_INVALID_IE;
2542 }
2543
2544 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
2545 if (sta->wpa_sm == NULL)
2546 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2547 sta->addr, NULL);
2548 if (sta->wpa_sm == NULL) {
2549 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2550 "state machine");
2551 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2552 }
2553 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
2554 elems.osen - 2, elems.osen_len + 2) < 0)
2555 return WLAN_STATUS_INVALID_IE;
2556 #endif /* CONFIG_HS20 */
2557 } else
2558 wpa_auth_sta_no_wpa(sta->wpa_sm);
2559
2560 #ifdef CONFIG_P2P
2561 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
2562 #endif /* CONFIG_P2P */
2563
2564 #ifdef CONFIG_HS20
2565 wpabuf_free(sta->hs20_ie);
2566 if (elems.hs20 && elems.hs20_len > 4) {
2567 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
2568 elems.hs20_len - 4);
2569 } else
2570 sta->hs20_ie = NULL;
2571 #endif /* CONFIG_HS20 */
2572
2573 #ifdef CONFIG_FST
2574 wpabuf_free(sta->mb_ies);
2575 if (hapd->iface->fst)
2576 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
2577 else
2578 sta->mb_ies = NULL;
2579 #endif /* CONFIG_FST */
2580
2581 #ifdef CONFIG_MBO
2582 mbo_ap_check_sta_assoc(hapd, sta, &elems);
2583
2584 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
2585 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
2586 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2587 wpa_printf(MSG_INFO,
2588 "MBO: Reject WPA2 association without PMF");
2589 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2590 }
2591 #endif /* CONFIG_MBO */
2592
2593 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
2594 elems.supp_op_classes_len);
2595
2596 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
2597 elems.rrm_enabled &&
2598 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
2599 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
2600 sizeof(sta->rrm_enabled_capa));
2601
2602 return WLAN_STATUS_SUCCESS;
2603 }
2604
2605
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)2606 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
2607 u16 reason_code)
2608 {
2609 int send_len;
2610 struct ieee80211_mgmt reply;
2611
2612 os_memset(&reply, 0, sizeof(reply));
2613 reply.frame_control =
2614 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
2615 os_memcpy(reply.da, addr, ETH_ALEN);
2616 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
2617 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
2618
2619 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
2620 reply.u.deauth.reason_code = host_to_le16(reason_code);
2621
2622 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
2623 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
2624 strerror(errno));
2625 }
2626
2627
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta)2628 static int add_associated_sta(struct hostapd_data *hapd,
2629 struct sta_info *sta)
2630 {
2631 struct ieee80211_ht_capabilities ht_cap;
2632 struct ieee80211_vht_capabilities vht_cap;
2633 int set = 1;
2634
2635 /*
2636 * Remove the STA entry to ensure the STA PS state gets cleared and
2637 * configuration gets updated. This is relevant for cases, such as
2638 * FT-over-the-DS, where a station re-associates back to the same AP but
2639 * skips the authentication flow, or if working with a driver that
2640 * does not support full AP client state.
2641 *
2642 * Skip this if the STA has already completed FT reassociation and the
2643 * TK has been configured since the TX/RX PN must not be reset to 0 for
2644 * the same key.
2645 */
2646 if (!sta->added_unassoc &&
2647 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
2648 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
2649 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
2650 hostapd_drv_sta_remove(hapd, sta->addr);
2651 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
2652 set = 0;
2653 }
2654
2655 #ifdef CONFIG_IEEE80211N
2656 if (sta->flags & WLAN_STA_HT)
2657 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
2658 #endif /* CONFIG_IEEE80211N */
2659 #ifdef CONFIG_IEEE80211AC
2660 if (sta->flags & WLAN_STA_VHT)
2661 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
2662 #endif /* CONFIG_IEEE80211AC */
2663
2664 /*
2665 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
2666 * will be set when the ACK frame for the (Re)Association Response frame
2667 * is processed (TX status driver event).
2668 */
2669 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
2670 sta->supported_rates, sta->supported_rates_len,
2671 sta->listen_interval,
2672 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
2673 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
2674 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
2675 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
2676 set)) {
2677 hostapd_logger(hapd, sta->addr,
2678 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
2679 "Could not %s STA to kernel driver",
2680 set ? "set" : "add");
2681
2682 if (sta->added_unassoc) {
2683 hostapd_drv_sta_remove(hapd, sta->addr);
2684 sta->added_unassoc = 0;
2685 }
2686
2687 return -1;
2688 }
2689
2690 sta->added_unassoc = 0;
2691
2692 return 0;
2693 }
2694
2695
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len)2696 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
2697 const u8 *addr, u16 status_code, int reassoc,
2698 const u8 *ies, size_t ies_len)
2699 {
2700 int send_len;
2701 u8 *buf;
2702 size_t buflen;
2703 struct ieee80211_mgmt *reply;
2704 u8 *p;
2705 u16 res = WLAN_STATUS_SUCCESS;
2706
2707 buflen = sizeof(struct ieee80211_mgmt) + 1024;
2708 #ifdef CONFIG_FILS
2709 if (sta && sta->fils_hlp_resp)
2710 buflen += wpabuf_len(sta->fils_hlp_resp);
2711 #endif /* CONFIG_FILS */
2712 #ifdef CONFIG_OWE
2713 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2714 buflen += 150;
2715 #endif /* CONFIG_OWE */
2716 buf = os_zalloc(buflen);
2717 if (!buf) {
2718 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2719 goto done;
2720 }
2721 reply = (struct ieee80211_mgmt *) buf;
2722 reply->frame_control =
2723 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
2724 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
2725 WLAN_FC_STYPE_ASSOC_RESP));
2726 os_memcpy(reply->da, addr, ETH_ALEN);
2727 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
2728 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
2729
2730 send_len = IEEE80211_HDRLEN;
2731 send_len += sizeof(reply->u.assoc_resp);
2732 reply->u.assoc_resp.capab_info =
2733 host_to_le16(hostapd_own_capab_info(hapd));
2734 reply->u.assoc_resp.status_code = host_to_le16(status_code);
2735
2736 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
2737 BIT(14) | BIT(15));
2738 /* Supported rates */
2739 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
2740 /* Extended supported rates */
2741 p = hostapd_eid_ext_supp_rates(hapd, p);
2742
2743 #ifdef CONFIG_IEEE80211R_AP
2744 if (sta && status_code == WLAN_STATUS_SUCCESS) {
2745 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
2746 * Transition Information, RSN, [RIC Response] */
2747 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
2748 buf + buflen - p,
2749 sta->auth_alg, ies, ies_len);
2750 }
2751 #endif /* CONFIG_IEEE80211R_AP */
2752
2753 #ifdef CONFIG_OWE
2754 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
2755 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
2756 buf + buflen - p,
2757 ies, ies_len);
2758 #endif /* CONFIG_OWE */
2759
2760 #ifdef CONFIG_IEEE80211W
2761 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
2762 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
2763 #endif /* CONFIG_IEEE80211W */
2764
2765 #ifdef CONFIG_IEEE80211N
2766 p = hostapd_eid_ht_capabilities(hapd, p);
2767 p = hostapd_eid_ht_operation(hapd, p);
2768 #endif /* CONFIG_IEEE80211N */
2769
2770 #ifdef CONFIG_IEEE80211AC
2771 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
2772 u32 nsts = 0, sta_nsts;
2773
2774 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
2775 struct ieee80211_vht_capabilities *capa;
2776
2777 nsts = (hapd->iface->conf->vht_capab >>
2778 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2779 capa = sta->vht_capabilities;
2780 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
2781 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
2782
2783 if (nsts < sta_nsts)
2784 nsts = 0;
2785 else
2786 nsts = sta_nsts;
2787 }
2788 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
2789 p = hostapd_eid_vht_operation(hapd, p);
2790 }
2791 #endif /* CONFIG_IEEE80211AC */
2792
2793 p = hostapd_eid_ext_capab(hapd, p);
2794 p = hostapd_eid_bss_max_idle_period(hapd, p);
2795 if (sta && sta->qos_map_enabled)
2796 p = hostapd_eid_qos_map_set(hapd, p);
2797
2798 #ifdef CONFIG_FST
2799 if (hapd->iface->fst_ies) {
2800 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
2801 wpabuf_len(hapd->iface->fst_ies));
2802 p += wpabuf_len(hapd->iface->fst_ies);
2803 }
2804 #endif /* CONFIG_FST */
2805
2806 #ifdef CONFIG_IEEE80211AC
2807 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
2808 p = hostapd_eid_vendor_vht(hapd, p);
2809 #endif /* CONFIG_IEEE80211AC */
2810
2811 if (sta && (sta->flags & WLAN_STA_WMM))
2812 p = hostapd_eid_wmm(hapd, p);
2813
2814 #ifdef CONFIG_WPS
2815 if (sta &&
2816 ((sta->flags & WLAN_STA_WPS) ||
2817 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
2818 struct wpabuf *wps = wps_build_assoc_resp_ie();
2819 if (wps) {
2820 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
2821 p += wpabuf_len(wps);
2822 wpabuf_free(wps);
2823 }
2824 }
2825 #endif /* CONFIG_WPS */
2826
2827 #ifdef CONFIG_P2P
2828 if (sta && sta->p2p_ie && hapd->p2p_group) {
2829 struct wpabuf *p2p_resp_ie;
2830 enum p2p_status_code status;
2831 switch (status_code) {
2832 case WLAN_STATUS_SUCCESS:
2833 status = P2P_SC_SUCCESS;
2834 break;
2835 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
2836 status = P2P_SC_FAIL_LIMIT_REACHED;
2837 break;
2838 default:
2839 status = P2P_SC_FAIL_INVALID_PARAMS;
2840 break;
2841 }
2842 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
2843 if (p2p_resp_ie) {
2844 os_memcpy(p, wpabuf_head(p2p_resp_ie),
2845 wpabuf_len(p2p_resp_ie));
2846 p += wpabuf_len(p2p_resp_ie);
2847 wpabuf_free(p2p_resp_ie);
2848 }
2849 }
2850 #endif /* CONFIG_P2P */
2851
2852 #ifdef CONFIG_P2P_MANAGER
2853 if (hapd->conf->p2p & P2P_MANAGE)
2854 p = hostapd_eid_p2p_manage(hapd, p);
2855 #endif /* CONFIG_P2P_MANAGER */
2856
2857 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
2858
2859 if (hapd->conf->assocresp_elements &&
2860 (size_t) (buf + buflen - p) >=
2861 wpabuf_len(hapd->conf->assocresp_elements)) {
2862 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
2863 wpabuf_len(hapd->conf->assocresp_elements));
2864 p += wpabuf_len(hapd->conf->assocresp_elements);
2865 }
2866
2867 send_len += p - reply->u.assoc_resp.variable;
2868
2869 #ifdef CONFIG_FILS
2870 if (sta &&
2871 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
2872 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
2873 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
2874 status_code == WLAN_STATUS_SUCCESS) {
2875 struct ieee802_11_elems elems;
2876
2877 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
2878 ParseFailed || !elems.fils_session) {
2879 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2880 goto done;
2881 }
2882
2883 /* FILS Session */
2884 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2885 *p++ = 1 + FILS_SESSION_LEN; /* Length */
2886 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2887 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
2888 send_len += 2 + 1 + FILS_SESSION_LEN;
2889
2890 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
2891 buflen, sta->fils_hlp_resp);
2892 if (send_len < 0) {
2893 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2894 goto done;
2895 }
2896 }
2897 #endif /* CONFIG_FILS */
2898
2899 #ifdef CONFIG_OWE
2900 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
2901 sta && sta->owe_ecdh &&
2902 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
2903 struct wpabuf *pub;
2904
2905 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2906 if (!pub) {
2907 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2908 goto done;
2909 }
2910 /* OWE Diffie-Hellman Parameter element */
2911 *p++ = WLAN_EID_EXTENSION; /* Element ID */
2912 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
2913 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
2914 WPA_PUT_LE16(p, sta->owe_group);
2915 p += 2;
2916 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
2917 p += wpabuf_len(pub);
2918 send_len += 3 + 2 + wpabuf_len(pub);
2919 wpabuf_free(pub);
2920 }
2921 #endif /* CONFIG_OWE */
2922
2923 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
2924 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
2925 strerror(errno));
2926 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
2927 }
2928
2929 done:
2930 os_free(buf);
2931 return res;
2932 }
2933
2934
2935 #ifdef CONFIG_FILS
2936
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)2937 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
2938 {
2939 u16 reply_res;
2940
2941 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
2942 MAC2STR(sta->addr));
2943 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
2944 if (!sta->fils_pending_assoc_req)
2945 return;
2946 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
2947 sta->fils_pending_assoc_is_reassoc,
2948 sta->fils_pending_assoc_req,
2949 sta->fils_pending_assoc_req_len);
2950 os_free(sta->fils_pending_assoc_req);
2951 sta->fils_pending_assoc_req = NULL;
2952 sta->fils_pending_assoc_req_len = 0;
2953 wpabuf_free(sta->fils_hlp_resp);
2954 sta->fils_hlp_resp = NULL;
2955 wpabuf_free(sta->hlp_dhcp_discover);
2956 sta->hlp_dhcp_discover = NULL;
2957
2958 /*
2959 * Remove the station in case transmission of a success response fails.
2960 * At this point the station was already added associated to the driver.
2961 */
2962 if (reply_res != WLAN_STATUS_SUCCESS)
2963 hostapd_drv_sta_remove(hapd, sta->addr);
2964 }
2965
2966
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)2967 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
2968 {
2969 struct hostapd_data *hapd = eloop_ctx;
2970 struct sta_info *sta = eloop_data;
2971
2972 wpa_printf(MSG_DEBUG,
2973 "FILS: HLP response timeout - continue with association response for "
2974 MACSTR, MAC2STR(sta->addr));
2975 if (sta->fils_drv_assoc_finish)
2976 hostapd_notify_assoc_fils_finish(hapd, sta);
2977 else
2978 fils_hlp_finish_assoc(hapd, sta);
2979 }
2980
2981 #endif /* CONFIG_FILS */
2982
2983
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc)2984 static void handle_assoc(struct hostapd_data *hapd,
2985 const struct ieee80211_mgmt *mgmt, size_t len,
2986 int reassoc)
2987 {
2988 u16 capab_info, listen_interval, seq_ctrl, fc;
2989 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
2990 const u8 *pos;
2991 int left, i;
2992 struct sta_info *sta;
2993 u8 *tmp = NULL;
2994 struct hostapd_sta_wpa_psk_short *psk = NULL;
2995 char *identity = NULL;
2996 char *radius_cui = NULL;
2997 #ifdef CONFIG_FILS
2998 int delay_assoc = 0;
2999 #endif /* CONFIG_FILS */
3000
3001 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3002 sizeof(mgmt->u.assoc_req))) {
3003 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3004 reassoc, (unsigned long) len);
3005 return;
3006 }
3007
3008 #ifdef CONFIG_TESTING_OPTIONS
3009 if (reassoc) {
3010 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3011 drand48() < hapd->iconf->ignore_reassoc_probability) {
3012 wpa_printf(MSG_INFO,
3013 "TESTING: ignoring reassoc request from "
3014 MACSTR, MAC2STR(mgmt->sa));
3015 return;
3016 }
3017 } else {
3018 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3019 drand48() < hapd->iconf->ignore_assoc_probability) {
3020 wpa_printf(MSG_INFO,
3021 "TESTING: ignoring assoc request from "
3022 MACSTR, MAC2STR(mgmt->sa));
3023 return;
3024 }
3025 }
3026 #endif /* CONFIG_TESTING_OPTIONS */
3027
3028 fc = le_to_host16(mgmt->frame_control);
3029 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3030
3031 if (reassoc) {
3032 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3033 listen_interval = le_to_host16(
3034 mgmt->u.reassoc_req.listen_interval);
3035 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3036 " capab_info=0x%02x listen_interval=%d current_ap="
3037 MACSTR " seq_ctrl=0x%x%s",
3038 MAC2STR(mgmt->sa), capab_info, listen_interval,
3039 MAC2STR(mgmt->u.reassoc_req.current_ap),
3040 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3041 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3042 pos = mgmt->u.reassoc_req.variable;
3043 } else {
3044 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3045 listen_interval = le_to_host16(
3046 mgmt->u.assoc_req.listen_interval);
3047 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3048 " capab_info=0x%02x listen_interval=%d "
3049 "seq_ctrl=0x%x%s",
3050 MAC2STR(mgmt->sa), capab_info, listen_interval,
3051 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3052 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3053 pos = mgmt->u.assoc_req.variable;
3054 }
3055
3056 sta = ap_get_sta(hapd, mgmt->sa);
3057 #ifdef CONFIG_IEEE80211R_AP
3058 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3059 (sta->flags & WLAN_STA_AUTH) == 0) {
3060 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3061 "prior to authentication since it is using "
3062 "over-the-DS FT", MAC2STR(mgmt->sa));
3063
3064 /*
3065 * Mark station as authenticated, to avoid adding station
3066 * entry in the driver as associated and not authenticated
3067 */
3068 sta->flags |= WLAN_STA_AUTH;
3069 } else
3070 #endif /* CONFIG_IEEE80211R_AP */
3071 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3072 if (hapd->iface->current_mode &&
3073 hapd->iface->current_mode->mode ==
3074 HOSTAPD_MODE_IEEE80211AD) {
3075 int acl_res;
3076 u32 session_timeout, acct_interim_interval;
3077 struct vlan_description vlan_id;
3078
3079 acl_res = ieee802_11_allowed_address(
3080 hapd, mgmt->sa, (const u8 *) mgmt, len,
3081 &session_timeout, &acct_interim_interval,
3082 &vlan_id, &psk, &identity, &radius_cui);
3083 if (acl_res == HOSTAPD_ACL_REJECT) {
3084 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3085 goto fail;
3086 }
3087 if (acl_res == HOSTAPD_ACL_PENDING)
3088 return;
3089
3090 /* DMG/IEEE 802.11ad does not use authentication.
3091 * Allocate sta entry upon association. */
3092 sta = ap_sta_add(hapd, mgmt->sa);
3093 if (!sta) {
3094 hostapd_logger(hapd, mgmt->sa,
3095 HOSTAPD_MODULE_IEEE80211,
3096 HOSTAPD_LEVEL_INFO,
3097 "Failed to add STA");
3098 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3099 goto fail;
3100 }
3101
3102 acl_res = ieee802_11_set_radius_info(
3103 hapd, sta, acl_res, session_timeout,
3104 acct_interim_interval, &vlan_id, &psk,
3105 &identity, &radius_cui);
3106 if (acl_res) {
3107 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3108 goto fail;
3109 }
3110
3111 hostapd_logger(hapd, sta->addr,
3112 HOSTAPD_MODULE_IEEE80211,
3113 HOSTAPD_LEVEL_DEBUG,
3114 "Skip authentication for DMG/IEEE 802.11ad");
3115 sta->flags |= WLAN_STA_AUTH;
3116 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3117 sta->auth_alg = WLAN_AUTH_OPEN;
3118 } else {
3119 hostapd_logger(hapd, mgmt->sa,
3120 HOSTAPD_MODULE_IEEE80211,
3121 HOSTAPD_LEVEL_INFO,
3122 "Station tried to associate before authentication (aid=%d flags=0x%x)",
3123 sta ? sta->aid : -1,
3124 sta ? sta->flags : 0);
3125 send_deauth(hapd, mgmt->sa,
3126 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3127 return;
3128 }
3129 }
3130
3131 if ((fc & WLAN_FC_RETRY) &&
3132 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3133 sta->last_seq_ctrl == seq_ctrl &&
3134 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3135 WLAN_FC_STYPE_ASSOC_REQ)) {
3136 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3137 HOSTAPD_LEVEL_DEBUG,
3138 "Drop repeated association frame seq_ctrl=0x%x",
3139 seq_ctrl);
3140 return;
3141 }
3142 sta->last_seq_ctrl = seq_ctrl;
3143 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3144 WLAN_FC_STYPE_ASSOC_REQ;
3145
3146 if (hapd->tkip_countermeasures) {
3147 resp = WLAN_REASON_MICHAEL_MIC_FAILURE;
3148 goto fail;
3149 }
3150
3151 if (listen_interval > hapd->conf->max_listen_interval) {
3152 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3153 HOSTAPD_LEVEL_DEBUG,
3154 "Too large Listen Interval (%d)",
3155 listen_interval);
3156 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3157 goto fail;
3158 }
3159
3160 #ifdef CONFIG_MBO
3161 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3162 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3163 goto fail;
3164 }
3165 #endif /* CONFIG_MBO */
3166
3167 /*
3168 * sta->capability is used in check_assoc_ies() for RRM enabled
3169 * capability element.
3170 */
3171 sta->capability = capab_info;
3172
3173 #ifdef CONFIG_FILS
3174 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3175 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3176 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3177 /* The end of the payload is encrypted. Need to decrypt it
3178 * before parsing. */
3179
3180 tmp = os_memdup(pos, left);
3181 if (!tmp) {
3182 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3183 goto fail;
3184 }
3185
3186 left = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3187 len, tmp, left);
3188 if (left < 0) {
3189 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3190 goto fail;
3191 }
3192 pos = tmp;
3193 }
3194 #endif /* CONFIG_FILS */
3195
3196 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
3197 * is used */
3198 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3199 if (resp != WLAN_STATUS_SUCCESS)
3200 goto fail;
3201
3202 if (hostapd_get_aid(hapd, sta) < 0) {
3203 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3204 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3205 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3206 goto fail;
3207 }
3208
3209 sta->listen_interval = listen_interval;
3210
3211 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3212 sta->flags |= WLAN_STA_NONERP;
3213 for (i = 0; i < sta->supported_rates_len; i++) {
3214 if ((sta->supported_rates[i] & 0x7f) > 22) {
3215 sta->flags &= ~WLAN_STA_NONERP;
3216 break;
3217 }
3218 }
3219 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3220 sta->nonerp_set = 1;
3221 hapd->iface->num_sta_non_erp++;
3222 if (hapd->iface->num_sta_non_erp == 1)
3223 ieee802_11_set_beacons(hapd->iface);
3224 }
3225
3226 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3227 !sta->no_short_slot_time_set) {
3228 sta->no_short_slot_time_set = 1;
3229 hapd->iface->num_sta_no_short_slot_time++;
3230 if (hapd->iface->current_mode->mode ==
3231 HOSTAPD_MODE_IEEE80211G &&
3232 hapd->iface->num_sta_no_short_slot_time == 1)
3233 ieee802_11_set_beacons(hapd->iface);
3234 }
3235
3236 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3237 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3238 else
3239 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3240
3241 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3242 !sta->no_short_preamble_set) {
3243 sta->no_short_preamble_set = 1;
3244 hapd->iface->num_sta_no_short_preamble++;
3245 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3246 && hapd->iface->num_sta_no_short_preamble == 1)
3247 ieee802_11_set_beacons(hapd->iface);
3248 }
3249
3250 #ifdef CONFIG_IEEE80211N
3251 update_ht_state(hapd, sta);
3252 #endif /* CONFIG_IEEE80211N */
3253
3254 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3255 HOSTAPD_LEVEL_DEBUG,
3256 "association OK (aid %d)", sta->aid);
3257 /* Station will be marked associated, after it acknowledges AssocResp
3258 */
3259 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3260
3261 #ifdef CONFIG_IEEE80211W
3262 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3263 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3264 "SA Query procedure", reassoc ? "re" : "");
3265 /* TODO: Send a protected Disassociate frame to the STA using
3266 * the old key and Reason Code "Previous Authentication no
3267 * longer valid". Make sure this is only sent protected since
3268 * unprotected frame would be received by the STA that is now
3269 * trying to associate.
3270 */
3271 }
3272 #endif /* CONFIG_IEEE80211W */
3273
3274 /* Make sure that the previously registered inactivity timer will not
3275 * remove the STA immediately. */
3276 sta->timeout_next = STA_NULLFUNC;
3277
3278 #ifdef CONFIG_TAXONOMY
3279 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
3280 #endif /* CONFIG_TAXONOMY */
3281
3282 sta->pending_wds_enable = 0;
3283
3284 #ifdef CONFIG_FILS
3285 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3286 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3287 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3288 if (fils_process_hlp(hapd, sta, pos, left) > 0)
3289 delay_assoc = 1;
3290 }
3291 #endif /* CONFIG_FILS */
3292
3293 fail:
3294 os_free(identity);
3295 os_free(radius_cui);
3296 hostapd_free_psk_list(psk);
3297
3298 /*
3299 * In case of a successful response, add the station to the driver.
3300 * Otherwise, the kernel may ignore Data frames before we process the
3301 * ACK frame (TX status). In case of a failure, this station will be
3302 * removed.
3303 *
3304 * Note that this is not compliant with the IEEE 802.11 standard that
3305 * states that a non-AP station should transition into the
3306 * authenticated/associated state only after the station acknowledges
3307 * the (Re)Association Response frame. However, still do this as:
3308 *
3309 * 1. In case the station does not acknowledge the (Re)Association
3310 * Response frame, it will be removed.
3311 * 2. Data frames will be dropped in the kernel until the station is
3312 * set into authorized state, and there are no significant known
3313 * issues with processing other non-Data Class 3 frames during this
3314 * window.
3315 */
3316 if (resp == WLAN_STATUS_SUCCESS && sta && add_associated_sta(hapd, sta))
3317 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3318
3319 #ifdef CONFIG_FILS
3320 if (sta) {
3321 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3322 os_free(sta->fils_pending_assoc_req);
3323 sta->fils_pending_assoc_req = NULL;
3324 sta->fils_pending_assoc_req_len = 0;
3325 wpabuf_free(sta->fils_hlp_resp);
3326 sta->fils_hlp_resp = NULL;
3327 }
3328 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
3329 sta->fils_pending_assoc_req = tmp;
3330 sta->fils_pending_assoc_req_len = left;
3331 sta->fils_pending_assoc_is_reassoc = reassoc;
3332 sta->fils_drv_assoc_finish = 0;
3333 wpa_printf(MSG_DEBUG,
3334 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
3335 MACSTR, MAC2STR(sta->addr));
3336 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3337 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
3338 fils_hlp_timeout, hapd, sta);
3339 return;
3340 }
3341 #endif /* CONFIG_FILS */
3342
3343 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
3344 left);
3345 os_free(tmp);
3346
3347 /*
3348 * Remove the station in case tranmission of a success response fails
3349 * (the STA was added associated to the driver) or if the station was
3350 * previously added unassociated.
3351 */
3352 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
3353 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
3354 hostapd_drv_sta_remove(hapd, sta->addr);
3355 sta->added_unassoc = 0;
3356 }
3357 }
3358
3359
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)3360 static void handle_disassoc(struct hostapd_data *hapd,
3361 const struct ieee80211_mgmt *mgmt, size_t len)
3362 {
3363 struct sta_info *sta;
3364
3365 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
3366 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
3367 (unsigned long) len);
3368 return;
3369 }
3370
3371 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
3372 MAC2STR(mgmt->sa),
3373 le_to_host16(mgmt->u.disassoc.reason_code));
3374
3375 sta = ap_get_sta(hapd, mgmt->sa);
3376 if (sta == NULL) {
3377 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
3378 MAC2STR(mgmt->sa));
3379 return;
3380 }
3381
3382 ap_sta_set_authorized(hapd, sta, 0);
3383 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3384 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
3385 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
3386 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3387 HOSTAPD_LEVEL_INFO, "disassociated");
3388 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3389 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3390 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
3391 * authenticated. */
3392 accounting_sta_stop(hapd, sta);
3393 ieee802_1x_free_station(hapd, sta);
3394 if (sta->ipaddr)
3395 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
3396 ap_sta_ip6addr_del(hapd, sta);
3397 hostapd_drv_sta_remove(hapd, sta->addr);
3398 sta->added_unassoc = 0;
3399
3400 if (sta->timeout_next == STA_NULLFUNC ||
3401 sta->timeout_next == STA_DISASSOC) {
3402 sta->timeout_next = STA_DEAUTH;
3403 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
3404 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
3405 hapd, sta);
3406 }
3407
3408 mlme_disassociate_indication(
3409 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
3410
3411 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
3412 * disassociation. */
3413 if (hapd->iface->current_mode &&
3414 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
3415 sta->flags &= ~WLAN_STA_AUTH;
3416 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3417 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3418 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3419 ap_free_sta(hapd, sta);
3420 }
3421 }
3422
3423
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)3424 static void handle_deauth(struct hostapd_data *hapd,
3425 const struct ieee80211_mgmt *mgmt, size_t len)
3426 {
3427 struct sta_info *sta;
3428
3429 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
3430 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
3431 "payload (len=%lu)", (unsigned long) len);
3432 return;
3433 }
3434
3435 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
3436 " reason_code=%d",
3437 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
3438
3439 sta = ap_get_sta(hapd, mgmt->sa);
3440 if (sta == NULL) {
3441 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
3442 "to deauthenticate, but it is not authenticated",
3443 MAC2STR(mgmt->sa));
3444 return;
3445 }
3446
3447 ap_sta_set_authorized(hapd, sta, 0);
3448 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
3449 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
3450 WLAN_STA_ASSOC_REQ_OK);
3451 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
3452 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3453 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
3454 mlme_deauthenticate_indication(
3455 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
3456 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
3457 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
3458 ap_free_sta(hapd, sta);
3459 }
3460
3461
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)3462 static void handle_beacon(struct hostapd_data *hapd,
3463 const struct ieee80211_mgmt *mgmt, size_t len,
3464 struct hostapd_frame_info *fi)
3465 {
3466 struct ieee802_11_elems elems;
3467
3468 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
3469 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
3470 (unsigned long) len);
3471 return;
3472 }
3473
3474 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
3475 len - (IEEE80211_HDRLEN +
3476 sizeof(mgmt->u.beacon)), &elems,
3477 0);
3478
3479 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
3480 }
3481
3482
3483 #ifdef CONFIG_IEEE80211W
3484
hostapd_sa_query_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)3485 static int hostapd_sa_query_action(struct hostapd_data *hapd,
3486 const struct ieee80211_mgmt *mgmt,
3487 size_t len)
3488 {
3489 const u8 *end;
3490
3491 end = mgmt->u.action.u.sa_query_resp.trans_id +
3492 WLAN_SA_QUERY_TR_ID_LEN;
3493 if (((u8 *) mgmt) + len < end) {
3494 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action "
3495 "frame (len=%lu)", (unsigned long) len);
3496 return 0;
3497 }
3498
3499 ieee802_11_sa_query_action(hapd, mgmt->sa,
3500 mgmt->u.action.u.sa_query_resp.action,
3501 mgmt->u.action.u.sa_query_resp.trans_id);
3502 return 1;
3503 }
3504
3505
robust_action_frame(u8 category)3506 static int robust_action_frame(u8 category)
3507 {
3508 return category != WLAN_ACTION_PUBLIC &&
3509 category != WLAN_ACTION_HT;
3510 }
3511 #endif /* CONFIG_IEEE80211W */
3512
3513
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)3514 static int handle_action(struct hostapd_data *hapd,
3515 const struct ieee80211_mgmt *mgmt, size_t len)
3516 {
3517 struct sta_info *sta;
3518 sta = ap_get_sta(hapd, mgmt->sa);
3519
3520 if (len < IEEE80211_HDRLEN + 1) {
3521 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3522 HOSTAPD_LEVEL_DEBUG,
3523 "handle_action - too short payload (len=%lu)",
3524 (unsigned long) len);
3525 return 0;
3526 }
3527
3528 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
3529 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
3530 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
3531 "frame (category=%u) from unassociated STA " MACSTR,
3532 mgmt->u.action.category, MAC2STR(mgmt->sa));
3533 return 0;
3534 }
3535
3536 #ifdef CONFIG_IEEE80211W
3537 if (sta && (sta->flags & WLAN_STA_MFP) &&
3538 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
3539 robust_action_frame(mgmt->u.action.category)) {
3540 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3541 HOSTAPD_LEVEL_DEBUG,
3542 "Dropped unprotected Robust Action frame from "
3543 "an MFP STA");
3544 return 0;
3545 }
3546 #endif /* CONFIG_IEEE80211W */
3547
3548 if (sta) {
3549 u16 fc = le_to_host16(mgmt->frame_control);
3550 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3551
3552 if ((fc & WLAN_FC_RETRY) &&
3553 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3554 sta->last_seq_ctrl == seq_ctrl &&
3555 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
3556 hostapd_logger(hapd, sta->addr,
3557 HOSTAPD_MODULE_IEEE80211,
3558 HOSTAPD_LEVEL_DEBUG,
3559 "Drop repeated action frame seq_ctrl=0x%x",
3560 seq_ctrl);
3561 return 1;
3562 }
3563
3564 sta->last_seq_ctrl = seq_ctrl;
3565 sta->last_subtype = WLAN_FC_STYPE_ACTION;
3566 }
3567
3568 switch (mgmt->u.action.category) {
3569 #ifdef CONFIG_IEEE80211R_AP
3570 case WLAN_ACTION_FT:
3571 if (!sta ||
3572 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
3573 len - IEEE80211_HDRLEN))
3574 break;
3575 return 1;
3576 #endif /* CONFIG_IEEE80211R_AP */
3577 case WLAN_ACTION_WMM:
3578 hostapd_wmm_action(hapd, mgmt, len);
3579 return 1;
3580 #ifdef CONFIG_IEEE80211W
3581 case WLAN_ACTION_SA_QUERY:
3582 return hostapd_sa_query_action(hapd, mgmt, len);
3583 #endif /* CONFIG_IEEE80211W */
3584 #ifdef CONFIG_WNM_AP
3585 case WLAN_ACTION_WNM:
3586 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
3587 return 1;
3588 #endif /* CONFIG_WNM_AP */
3589 #ifdef CONFIG_FST
3590 case WLAN_ACTION_FST:
3591 if (hapd->iface->fst)
3592 fst_rx_action(hapd->iface->fst, mgmt, len);
3593 else
3594 wpa_printf(MSG_DEBUG,
3595 "FST: Ignore FST Action frame - no FST attached");
3596 return 1;
3597 #endif /* CONFIG_FST */
3598 case WLAN_ACTION_PUBLIC:
3599 case WLAN_ACTION_PROTECTED_DUAL:
3600 #ifdef CONFIG_IEEE80211N
3601 if (len >= IEEE80211_HDRLEN + 2 &&
3602 mgmt->u.action.u.public_action.action ==
3603 WLAN_PA_20_40_BSS_COEX) {
3604 wpa_printf(MSG_DEBUG,
3605 "HT20/40 coex mgmt frame received from STA "
3606 MACSTR, MAC2STR(mgmt->sa));
3607 hostapd_2040_coex_action(hapd, mgmt, len);
3608 return 1;
3609 }
3610 #endif /* CONFIG_IEEE80211N */
3611 #ifdef CONFIG_DPP
3612 if (len >= IEEE80211_HDRLEN + 6 &&
3613 mgmt->u.action.u.vs_public_action.action ==
3614 WLAN_PA_VENDOR_SPECIFIC &&
3615 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
3616 OUI_WFA &&
3617 mgmt->u.action.u.vs_public_action.variable[0] ==
3618 DPP_OUI_TYPE) {
3619 const u8 *pos, *end;
3620
3621 pos = mgmt->u.action.u.vs_public_action.oui;
3622 end = ((const u8 *) mgmt) + len;
3623 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
3624 hapd->iface->freq);
3625 return 1;
3626 }
3627 if (len >= IEEE80211_HDRLEN + 2 &&
3628 (mgmt->u.action.u.public_action.action ==
3629 WLAN_PA_GAS_INITIAL_RESP ||
3630 mgmt->u.action.u.public_action.action ==
3631 WLAN_PA_GAS_COMEBACK_RESP)) {
3632 const u8 *pos, *end;
3633
3634 pos = &mgmt->u.action.u.public_action.action;
3635 end = ((const u8 *) mgmt) + len;
3636 gas_query_ap_rx(hapd->gas, mgmt->sa,
3637 mgmt->u.action.category,
3638 pos, end - pos, hapd->iface->freq);
3639 return 1;
3640 }
3641 #endif /* CONFIG_DPP */
3642 if (hapd->public_action_cb) {
3643 hapd->public_action_cb(hapd->public_action_cb_ctx,
3644 (u8 *) mgmt, len,
3645 hapd->iface->freq);
3646 }
3647 if (hapd->public_action_cb2) {
3648 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
3649 (u8 *) mgmt, len,
3650 hapd->iface->freq);
3651 }
3652 if (hapd->public_action_cb || hapd->public_action_cb2)
3653 return 1;
3654 break;
3655 case WLAN_ACTION_VENDOR_SPECIFIC:
3656 if (hapd->vendor_action_cb) {
3657 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
3658 (u8 *) mgmt, len,
3659 hapd->iface->freq) == 0)
3660 return 1;
3661 }
3662 break;
3663 case WLAN_ACTION_RADIO_MEASUREMENT:
3664 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
3665 return 1;
3666 }
3667
3668 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3669 HOSTAPD_LEVEL_DEBUG,
3670 "handle_action - unknown action category %d or invalid "
3671 "frame",
3672 mgmt->u.action.category);
3673 if (!is_multicast_ether_addr(mgmt->da) &&
3674 !(mgmt->u.action.category & 0x80) &&
3675 !is_multicast_ether_addr(mgmt->sa)) {
3676 struct ieee80211_mgmt *resp;
3677
3678 /*
3679 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
3680 * Return the Action frame to the source without change
3681 * except that MSB of the Category set to 1.
3682 */
3683 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
3684 "frame back to sender");
3685 resp = os_memdup(mgmt, len);
3686 if (resp == NULL)
3687 return 0;
3688 os_memcpy(resp->da, resp->sa, ETH_ALEN);
3689 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
3690 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
3691 resp->u.action.category |= 0x80;
3692
3693 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
3694 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
3695 "Action frame");
3696 }
3697 os_free(resp);
3698 }
3699
3700 return 1;
3701 }
3702
3703
3704 /**
3705 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
3706 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
3707 * sent to)
3708 * @buf: management frame data (starting from IEEE 802.11 header)
3709 * @len: length of frame data in octets
3710 * @fi: meta data about received frame (signal level, etc.)
3711 *
3712 * Process all incoming IEEE 802.11 management frames. This will be called for
3713 * each frame received from the kernel driver through wlan#ap interface. In
3714 * addition, it can be called to re-inserted pending frames (e.g., when using
3715 * external RADIUS server as an MAC ACL).
3716 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)3717 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
3718 struct hostapd_frame_info *fi)
3719 {
3720 struct ieee80211_mgmt *mgmt;
3721 u16 fc, stype;
3722 int ret = 0;
3723
3724 if (len < 24)
3725 return 0;
3726
3727 mgmt = (struct ieee80211_mgmt *) buf;
3728 fc = le_to_host16(mgmt->frame_control);
3729 stype = WLAN_FC_GET_STYPE(fc);
3730
3731 if (stype == WLAN_FC_STYPE_BEACON) {
3732 handle_beacon(hapd, mgmt, len, fi);
3733 return 1;
3734 }
3735
3736 if (!is_broadcast_ether_addr(mgmt->bssid) &&
3737 #ifdef CONFIG_P2P
3738 /* Invitation responses can be sent with the peer MAC as BSSID */
3739 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
3740 stype == WLAN_FC_STYPE_ACTION) &&
3741 #endif /* CONFIG_P2P */
3742 #ifdef CONFIG_MESH
3743 !(hapd->conf->mesh & MESH_ENABLED) &&
3744 #endif /* CONFIG_MESH */
3745 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
3746 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
3747 MAC2STR(mgmt->bssid));
3748 return 0;
3749 }
3750
3751
3752 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
3753 handle_probe_req(hapd, mgmt, len, fi->ssi_signal);
3754 return 1;
3755 }
3756
3757 if ((!is_broadcast_ether_addr(mgmt->da) ||
3758 stype != WLAN_FC_STYPE_ACTION) &&
3759 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
3760 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3761 HOSTAPD_LEVEL_DEBUG,
3762 "MGMT: DA=" MACSTR " not our address",
3763 MAC2STR(mgmt->da));
3764 return 0;
3765 }
3766
3767 if (hapd->iconf->track_sta_max_num)
3768 sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal);
3769
3770 switch (stype) {
3771 case WLAN_FC_STYPE_AUTH:
3772 wpa_printf(MSG_DEBUG, "mgmt::auth");
3773 handle_auth(hapd, mgmt, len);
3774 ret = 1;
3775 break;
3776 case WLAN_FC_STYPE_ASSOC_REQ:
3777 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
3778 handle_assoc(hapd, mgmt, len, 0);
3779 ret = 1;
3780 break;
3781 case WLAN_FC_STYPE_REASSOC_REQ:
3782 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
3783 handle_assoc(hapd, mgmt, len, 1);
3784 ret = 1;
3785 break;
3786 case WLAN_FC_STYPE_DISASSOC:
3787 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
3788 handle_disassoc(hapd, mgmt, len);
3789 ret = 1;
3790 break;
3791 case WLAN_FC_STYPE_DEAUTH:
3792 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
3793 handle_deauth(hapd, mgmt, len);
3794 ret = 1;
3795 break;
3796 case WLAN_FC_STYPE_ACTION:
3797 wpa_printf(MSG_DEBUG, "mgmt::action");
3798 ret = handle_action(hapd, mgmt, len);
3799 break;
3800 default:
3801 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3802 HOSTAPD_LEVEL_DEBUG,
3803 "unknown mgmt frame subtype %d", stype);
3804 break;
3805 }
3806
3807 return ret;
3808 }
3809
3810
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)3811 static void handle_auth_cb(struct hostapd_data *hapd,
3812 const struct ieee80211_mgmt *mgmt,
3813 size_t len, int ok)
3814 {
3815 u16 auth_alg, auth_transaction, status_code;
3816 struct sta_info *sta;
3817
3818 sta = ap_get_sta(hapd, mgmt->da);
3819 if (!sta) {
3820 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
3821 MAC2STR(mgmt->da));
3822 return;
3823 }
3824
3825 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
3826 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
3827 status_code = le_to_host16(mgmt->u.auth.status_code);
3828
3829 if (!ok) {
3830 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
3831 HOSTAPD_LEVEL_NOTICE,
3832 "did not acknowledge authentication response");
3833 goto fail;
3834 }
3835
3836 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
3837 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
3838 (unsigned long) len);
3839 goto fail;
3840 }
3841
3842 if (status_code == WLAN_STATUS_SUCCESS &&
3843 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
3844 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
3845 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3846 HOSTAPD_LEVEL_INFO, "authenticated");
3847 sta->flags |= WLAN_STA_AUTH;
3848 if (sta->added_unassoc)
3849 hostapd_set_sta_flags(hapd, sta);
3850 return;
3851 }
3852
3853 fail:
3854 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
3855 hostapd_drv_sta_remove(hapd, sta->addr);
3856 sta->added_unassoc = 0;
3857 }
3858 }
3859
3860
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)3861 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
3862 struct sta_info *sta,
3863 char *ifname_wds)
3864 {
3865 int i;
3866 struct hostapd_ssid *ssid = &hapd->conf->ssid;
3867
3868 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
3869 return;
3870
3871 for (i = 0; i < 4; i++) {
3872 if (ssid->wep.key[i] &&
3873 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
3874 i == ssid->wep.idx, NULL, 0,
3875 ssid->wep.key[i], ssid->wep.len[i])) {
3876 wpa_printf(MSG_WARNING,
3877 "Could not set WEP keys for WDS interface; %s",
3878 ifname_wds);
3879 break;
3880 }
3881 }
3882 }
3883
3884
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)3885 static void handle_assoc_cb(struct hostapd_data *hapd,
3886 const struct ieee80211_mgmt *mgmt,
3887 size_t len, int reassoc, int ok)
3888 {
3889 u16 status;
3890 struct sta_info *sta;
3891 int new_assoc = 1;
3892
3893 sta = ap_get_sta(hapd, mgmt->da);
3894 if (!sta) {
3895 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
3896 MAC2STR(mgmt->da));
3897 return;
3898 }
3899
3900 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
3901 sizeof(mgmt->u.assoc_resp))) {
3902 wpa_printf(MSG_INFO,
3903 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
3904 reassoc, (unsigned long) len);
3905 hostapd_drv_sta_remove(hapd, sta->addr);
3906 return;
3907 }
3908
3909 if (reassoc)
3910 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
3911 else
3912 status = le_to_host16(mgmt->u.assoc_resp.status_code);
3913
3914 if (!ok) {
3915 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
3916 HOSTAPD_LEVEL_DEBUG,
3917 "did not acknowledge association response");
3918 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
3919 /* The STA is added only in case of SUCCESS */
3920 if (status == WLAN_STATUS_SUCCESS)
3921 hostapd_drv_sta_remove(hapd, sta->addr);
3922
3923 return;
3924 }
3925
3926 if (status != WLAN_STATUS_SUCCESS)
3927 return;
3928
3929 /* Stop previous accounting session, if one is started, and allocate
3930 * new session id for the new session. */
3931 accounting_sta_stop(hapd, sta);
3932
3933 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3934 HOSTAPD_LEVEL_INFO,
3935 "associated (aid %d)",
3936 sta->aid);
3937
3938 if (sta->flags & WLAN_STA_ASSOC)
3939 new_assoc = 0;
3940 sta->flags |= WLAN_STA_ASSOC;
3941 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
3942 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
3943 !hapd->conf->osen) ||
3944 sta->auth_alg == WLAN_AUTH_FILS_SK ||
3945 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3946 sta->auth_alg == WLAN_AUTH_FILS_PK ||
3947 sta->auth_alg == WLAN_AUTH_FT) {
3948 /*
3949 * Open, static WEP, FT protocol, or FILS; no separate
3950 * authorization step.
3951 */
3952 ap_sta_set_authorized(hapd, sta, 1);
3953 }
3954
3955 if (reassoc)
3956 mlme_reassociate_indication(hapd, sta);
3957 else
3958 mlme_associate_indication(hapd, sta);
3959
3960 #ifdef CONFIG_IEEE80211W
3961 sta->sa_query_timed_out = 0;
3962 #endif /* CONFIG_IEEE80211W */
3963
3964 if (sta->eapol_sm == NULL) {
3965 /*
3966 * This STA does not use RADIUS server for EAP authentication,
3967 * so bind it to the selected VLAN interface now, since the
3968 * interface selection is not going to change anymore.
3969 */
3970 if (ap_sta_bind_vlan(hapd, sta) < 0)
3971 return;
3972 } else if (sta->vlan_id) {
3973 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
3974 if (ap_sta_bind_vlan(hapd, sta) < 0)
3975 return;
3976 }
3977
3978 hostapd_set_sta_flags(hapd, sta);
3979
3980 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
3981 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
3982 MACSTR " based on pending request",
3983 MAC2STR(sta->addr));
3984 sta->pending_wds_enable = 0;
3985 sta->flags |= WLAN_STA_WDS;
3986 }
3987
3988 if (sta->flags & WLAN_STA_WDS) {
3989 int ret;
3990 char ifname_wds[IFNAMSIZ + 1];
3991
3992 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
3993 MACSTR " (aid %u)",
3994 MAC2STR(sta->addr), sta->aid);
3995 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
3996 sta->aid, 1);
3997 if (!ret)
3998 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
3999 }
4000
4001 if (sta->auth_alg == WLAN_AUTH_FT)
4002 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4003 else
4004 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4005 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4006 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4007
4008 #ifdef CONFIG_FILS
4009 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4010 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4011 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4012 fils_set_tk(sta->wpa_sm) < 0) {
4013 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4014 ap_sta_disconnect(hapd, sta, sta->addr,
4015 WLAN_REASON_UNSPECIFIED);
4016 return;
4017 }
4018 #endif /* CONFIG_FILS */
4019
4020 if (sta->pending_eapol_rx) {
4021 struct os_reltime now, age;
4022
4023 os_get_reltime(&now);
4024 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4025 if (age.sec == 0 && age.usec < 200000) {
4026 wpa_printf(MSG_DEBUG,
4027 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4028 MAC2STR(sta->addr));
4029 ieee802_1x_receive(
4030 hapd, mgmt->da,
4031 wpabuf_head(sta->pending_eapol_rx->buf),
4032 wpabuf_len(sta->pending_eapol_rx->buf));
4033 }
4034 wpabuf_free(sta->pending_eapol_rx->buf);
4035 os_free(sta->pending_eapol_rx);
4036 sta->pending_eapol_rx = NULL;
4037 }
4038 }
4039
4040
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4041 static void handle_deauth_cb(struct hostapd_data *hapd,
4042 const struct ieee80211_mgmt *mgmt,
4043 size_t len, int ok)
4044 {
4045 struct sta_info *sta;
4046 if (is_multicast_ether_addr(mgmt->da))
4047 return;
4048 sta = ap_get_sta(hapd, mgmt->da);
4049 if (!sta) {
4050 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4051 " not found", MAC2STR(mgmt->da));
4052 return;
4053 }
4054 if (ok)
4055 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4056 MAC2STR(sta->addr));
4057 else
4058 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4059 "deauth", MAC2STR(sta->addr));
4060
4061 ap_sta_deauth_cb(hapd, sta);
4062 }
4063
4064
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4065 static void handle_disassoc_cb(struct hostapd_data *hapd,
4066 const struct ieee80211_mgmt *mgmt,
4067 size_t len, int ok)
4068 {
4069 struct sta_info *sta;
4070 if (is_multicast_ether_addr(mgmt->da))
4071 return;
4072 sta = ap_get_sta(hapd, mgmt->da);
4073 if (!sta) {
4074 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4075 " not found", MAC2STR(mgmt->da));
4076 return;
4077 }
4078 if (ok)
4079 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4080 MAC2STR(sta->addr));
4081 else
4082 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4083 "disassoc", MAC2STR(sta->addr));
4084
4085 ap_sta_disassoc_cb(hapd, sta);
4086 }
4087
4088
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)4089 static void handle_action_cb(struct hostapd_data *hapd,
4090 const struct ieee80211_mgmt *mgmt,
4091 size_t len, int ok)
4092 {
4093 struct sta_info *sta;
4094 const struct rrm_measurement_report_element *report;
4095
4096 if (is_multicast_ether_addr(mgmt->da))
4097 return;
4098 #ifdef CONFIG_DPP
4099 if (len >= IEEE80211_HDRLEN + 6 &&
4100 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4101 mgmt->u.action.u.vs_public_action.action ==
4102 WLAN_PA_VENDOR_SPECIFIC &&
4103 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4104 OUI_WFA &&
4105 mgmt->u.action.u.vs_public_action.variable[0] ==
4106 DPP_OUI_TYPE) {
4107 const u8 *pos, *end;
4108
4109 pos = &mgmt->u.action.u.vs_public_action.variable[1];
4110 end = ((const u8 *) mgmt) + len;
4111 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4112 return;
4113 }
4114 if (len >= IEEE80211_HDRLEN + 2 &&
4115 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4116 (mgmt->u.action.u.public_action.action ==
4117 WLAN_PA_GAS_INITIAL_REQ ||
4118 mgmt->u.action.u.public_action.action ==
4119 WLAN_PA_GAS_COMEBACK_REQ)) {
4120 const u8 *pos, *end;
4121
4122 pos = mgmt->u.action.u.public_action.variable;
4123 end = ((const u8 *) mgmt) + len;
4124 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4125 return;
4126 }
4127 #endif /* CONFIG_DPP */
4128 sta = ap_get_sta(hapd, mgmt->da);
4129 if (!sta) {
4130 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4131 " not found", MAC2STR(mgmt->da));
4132 return;
4133 }
4134
4135 if (len < 24 + 5 + sizeof(*report))
4136 return;
4137 report = (const struct rrm_measurement_report_element *)
4138 &mgmt->u.action.u.rrm.variable[2];
4139 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4140 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4141 report->eid == WLAN_EID_MEASURE_REQUEST &&
4142 report->len >= 3 &&
4143 report->type == MEASURE_TYPE_BEACON)
4144 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4145 }
4146
4147
4148 /**
4149 * ieee802_11_mgmt_cb - Process management frame TX status callback
4150 * @hapd: hostapd BSS data structure (the BSS from which the management frame
4151 * was sent from)
4152 * @buf: management frame data (starting from IEEE 802.11 header)
4153 * @len: length of frame data in octets
4154 * @stype: management frame subtype from frame control field
4155 * @ok: Whether the frame was ACK'ed
4156 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)4157 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4158 u16 stype, int ok)
4159 {
4160 const struct ieee80211_mgmt *mgmt;
4161 mgmt = (const struct ieee80211_mgmt *) buf;
4162
4163 #ifdef CONFIG_TESTING_OPTIONS
4164 if (hapd->ext_mgmt_frame_handling) {
4165 size_t hex_len = 2 * len + 1;
4166 char *hex = os_malloc(hex_len);
4167
4168 if (hex) {
4169 wpa_snprintf_hex(hex, hex_len, buf, len);
4170 wpa_msg(hapd->msg_ctx, MSG_INFO,
4171 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4172 stype, ok, hex);
4173 os_free(hex);
4174 }
4175 return;
4176 }
4177 #endif /* CONFIG_TESTING_OPTIONS */
4178
4179 switch (stype) {
4180 case WLAN_FC_STYPE_AUTH:
4181 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4182 handle_auth_cb(hapd, mgmt, len, ok);
4183 break;
4184 case WLAN_FC_STYPE_ASSOC_RESP:
4185 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4186 handle_assoc_cb(hapd, mgmt, len, 0, ok);
4187 break;
4188 case WLAN_FC_STYPE_REASSOC_RESP:
4189 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4190 handle_assoc_cb(hapd, mgmt, len, 1, ok);
4191 break;
4192 case WLAN_FC_STYPE_PROBE_RESP:
4193 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4194 break;
4195 case WLAN_FC_STYPE_DEAUTH:
4196 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4197 handle_deauth_cb(hapd, mgmt, len, ok);
4198 break;
4199 case WLAN_FC_STYPE_DISASSOC:
4200 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4201 handle_disassoc_cb(hapd, mgmt, len, ok);
4202 break;
4203 case WLAN_FC_STYPE_ACTION:
4204 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4205 handle_action_cb(hapd, mgmt, len, ok);
4206 break;
4207 default:
4208 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4209 break;
4210 }
4211 }
4212
4213
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)4214 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4215 {
4216 /* TODO */
4217 return 0;
4218 }
4219
4220
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)4221 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4222 char *buf, size_t buflen)
4223 {
4224 /* TODO */
4225 return 0;
4226 }
4227
4228
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)4229 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4230 const u8 *buf, size_t len, int ack)
4231 {
4232 struct sta_info *sta;
4233 struct hostapd_iface *iface = hapd->iface;
4234
4235 sta = ap_get_sta(hapd, addr);
4236 if (sta == NULL && iface->num_bss > 1) {
4237 size_t j;
4238 for (j = 0; j < iface->num_bss; j++) {
4239 hapd = iface->bss[j];
4240 sta = ap_get_sta(hapd, addr);
4241 if (sta)
4242 break;
4243 }
4244 }
4245 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4246 return;
4247 if (sta->flags & WLAN_STA_PENDING_POLL) {
4248 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4249 "activity poll", MAC2STR(sta->addr),
4250 ack ? "ACKed" : "did not ACK");
4251 if (ack)
4252 sta->flags &= ~WLAN_STA_PENDING_POLL;
4253 }
4254
4255 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4256 }
4257
4258
hostapd_eapol_tx_status(struct hostapd_data * hapd,const u8 * dst,const u8 * data,size_t len,int ack)4259 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
4260 const u8 *data, size_t len, int ack)
4261 {
4262 struct sta_info *sta;
4263 struct hostapd_iface *iface = hapd->iface;
4264
4265 sta = ap_get_sta(hapd, dst);
4266 if (sta == NULL && iface->num_bss > 1) {
4267 size_t j;
4268 for (j = 0; j < iface->num_bss; j++) {
4269 hapd = iface->bss[j];
4270 sta = ap_get_sta(hapd, dst);
4271 if (sta)
4272 break;
4273 }
4274 }
4275 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
4276 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
4277 MACSTR " that is not currently associated",
4278 MAC2STR(dst));
4279 return;
4280 }
4281
4282 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
4283 }
4284
4285
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)4286 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
4287 {
4288 struct sta_info *sta;
4289 struct hostapd_iface *iface = hapd->iface;
4290
4291 sta = ap_get_sta(hapd, addr);
4292 if (sta == NULL && iface->num_bss > 1) {
4293 size_t j;
4294 for (j = 0; j < iface->num_bss; j++) {
4295 hapd = iface->bss[j];
4296 sta = ap_get_sta(hapd, addr);
4297 if (sta)
4298 break;
4299 }
4300 }
4301 if (sta == NULL)
4302 return;
4303 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
4304 MAC2STR(sta->addr));
4305 if (!(sta->flags & WLAN_STA_PENDING_POLL))
4306 return;
4307
4308 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
4309 "activity poll", MAC2STR(sta->addr));
4310 sta->flags &= ~WLAN_STA_PENDING_POLL;
4311 }
4312
4313
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)4314 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
4315 int wds)
4316 {
4317 struct sta_info *sta;
4318
4319 sta = ap_get_sta(hapd, src);
4320 if (sta &&
4321 ((sta->flags & WLAN_STA_ASSOC) ||
4322 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
4323 if (!hapd->conf->wds_sta)
4324 return;
4325
4326 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
4327 WLAN_STA_ASSOC_REQ_OK) {
4328 wpa_printf(MSG_DEBUG,
4329 "Postpone 4-address WDS mode enabling for STA "
4330 MACSTR " since TX status for AssocResp is not yet known",
4331 MAC2STR(sta->addr));
4332 sta->pending_wds_enable = 1;
4333 return;
4334 }
4335
4336 if (wds && !(sta->flags & WLAN_STA_WDS)) {
4337 int ret;
4338 char ifname_wds[IFNAMSIZ + 1];
4339
4340 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
4341 "STA " MACSTR " (aid %u)",
4342 MAC2STR(sta->addr), sta->aid);
4343 sta->flags |= WLAN_STA_WDS;
4344 ret = hostapd_set_wds_sta(hapd, ifname_wds,
4345 sta->addr, sta->aid, 1);
4346 if (!ret)
4347 hostapd_set_wds_encryption(hapd, sta,
4348 ifname_wds);
4349 }
4350 return;
4351 }
4352
4353 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
4354 MACSTR, MAC2STR(src));
4355 if (is_multicast_ether_addr(src)) {
4356 /* Broadcast bit set in SA?! Ignore the frame silently. */
4357 return;
4358 }
4359
4360 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
4361 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
4362 "already been sent, but no TX status yet known - "
4363 "ignore Class 3 frame issue with " MACSTR,
4364 MAC2STR(src));
4365 return;
4366 }
4367
4368 if (sta && (sta->flags & WLAN_STA_AUTH))
4369 hostapd_drv_sta_disassoc(
4370 hapd, src,
4371 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4372 else
4373 hostapd_drv_sta_deauth(
4374 hapd, src,
4375 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
4376 }
4377
4378
4379 #endif /* CONFIG_NATIVE_WINDOWS */
4380