1 /*
2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <[email protected]>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #ifndef CONFIG_NATIVE_WINDOWS
12
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "common/wpa_common.h"
27 #include "common/wpa_ctrl.h"
28 #include "common/ptksa_cache.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "p2p/p2p.h"
32 #include "wps/wps.h"
33 #include "fst/fst.h"
34 #include "hostapd.h"
35 #include "beacon.h"
36 #include "ieee802_11_auth.h"
37 #include "sta_info.h"
38 #include "ieee802_1x.h"
39 #include "wpa_auth.h"
40 #include "pmksa_cache_auth.h"
41 #include "wmm.h"
42 #include "ap_list.h"
43 #include "accounting.h"
44 #include "ap_config.h"
45 #include "ap_mlme.h"
46 #include "p2p_hostapd.h"
47 #include "ap_drv_ops.h"
48 #include "wnm_ap.h"
49 #include "hw_features.h"
50 #include "ieee802_11.h"
51 #include "dfs.h"
52 #include "mbo_ap.h"
53 #include "rrm.h"
54 #include "taxonomy.h"
55 #include "fils_hlp.h"
56 #include "dpp_hostapd.h"
57 #include "gas_query_ap.h"
58 #include "comeback_token.h"
59 #include "nan_usd_ap.h"
60 #include "pasn/pasn_common.h"
61
62
63 #ifdef CONFIG_FILS
64 static struct wpabuf *
65 prepare_auth_resp_fils(struct hostapd_data *hapd,
66 struct sta_info *sta, u16 *resp,
67 struct rsn_pmksa_cache_entry *pmksa,
68 struct wpabuf *erp_resp,
69 const u8 *msk, size_t msk_len,
70 int *is_pub);
71 #endif /* CONFIG_FILS */
72
73 #ifdef CONFIG_PASN
74 #ifdef CONFIG_FILS
75
76 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
77 struct sta_info *sta, u16 status,
78 struct wpabuf *erp_resp,
79 const u8 *msk, size_t msk_len);
80
81 #endif /* CONFIG_FILS */
82 #endif /* CONFIG_PASN */
83
84 static void handle_auth(struct hostapd_data *hapd,
85 const struct ieee80211_mgmt *mgmt, size_t len,
86 int rssi, int from_queue);
87 static int add_associated_sta(struct hostapd_data *hapd,
88 struct sta_info *sta, int reassoc);
89
90
hostapd_eid_multi_ap(struct hostapd_data * hapd,u8 * eid,size_t len)91 static u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid, size_t len)
92 {
93 struct multi_ap_params multi_ap = { 0 };
94
95 if (!hapd->conf->multi_ap)
96 return eid;
97
98 if (hapd->conf->multi_ap & BACKHAUL_BSS)
99 multi_ap.capability |= MULTI_AP_BACKHAUL_BSS;
100 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
101 multi_ap.capability |= MULTI_AP_FRONTHAUL_BSS;
102
103 if (hapd->conf->multi_ap_client_disallow &
104 PROFILE1_CLIENT_ASSOC_DISALLOW)
105 multi_ap.capability |=
106 MULTI_AP_PROFILE1_BACKHAUL_STA_DISALLOWED;
107 if (hapd->conf->multi_ap_client_disallow &
108 PROFILE2_CLIENT_ASSOC_DISALLOW)
109 multi_ap.capability |=
110 MULTI_AP_PROFILE2_BACKHAUL_STA_DISALLOWED;
111
112 multi_ap.profile = hapd->conf->multi_ap_profile;
113 multi_ap.vlanid = hapd->conf->multi_ap_vlanid;
114
115 return eid + add_multi_ap_ie(eid, len, &multi_ap);
116 }
117
118
hostapd_eid_supp_rates(struct hostapd_data * hapd,u8 * eid)119 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
120 {
121 u8 *pos = eid;
122 int i, num, count;
123 int h2e_required;
124
125 if (hapd->iface->current_rates == NULL)
126 return eid;
127
128 *pos++ = WLAN_EID_SUPP_RATES;
129 num = hapd->iface->num_rates;
130 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
131 num++;
132 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
133 num++;
134 #ifdef CONFIG_IEEE80211AX
135 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he)
136 num++;
137 #endif /* CONFIG_IEEE80211AX */
138 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT ||
139 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
140 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK &&
141 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
142 if (h2e_required)
143 num++;
144 if (num > 8) {
145 /* rest of the rates are encoded in Extended supported
146 * rates element */
147 num = 8;
148 }
149
150 *pos++ = num;
151 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
152 i++) {
153 count++;
154 *pos = hapd->iface->current_rates[i].rate / 5;
155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
156 *pos |= 0x80;
157 pos++;
158 }
159
160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
161 count++;
162 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
163 }
164
165 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
166 count++;
167 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
168 }
169
170 #ifdef CONFIG_IEEE80211AX
171 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he && count < 8) {
172 count++;
173 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY;
174 }
175 #endif /* CONFIG_IEEE80211AX */
176
177 if (h2e_required && count < 8) {
178 count++;
179 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
180 }
181
182 return pos;
183 }
184
185
hostapd_eid_ext_supp_rates(struct hostapd_data * hapd,u8 * eid)186 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
187 {
188 u8 *pos = eid;
189 int i, num, count;
190 int h2e_required;
191
192 hapd->conf->xrates_supported = false;
193 if (hapd->iface->current_rates == NULL)
194 return eid;
195
196 num = hapd->iface->num_rates;
197 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
198 num++;
199 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
200 num++;
201 #ifdef CONFIG_IEEE80211AX
202 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he)
203 num++;
204 #endif /* CONFIG_IEEE80211AX */
205 h2e_required = (hapd->conf->sae_pwe == SAE_PWE_HASH_TO_ELEMENT ||
206 hostapd_sae_pw_id_in_use(hapd->conf) == 2) &&
207 hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK &&
208 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt);
209 if (h2e_required)
210 num++;
211 if (num <= 8)
212 return eid;
213 num -= 8;
214
215 *pos++ = WLAN_EID_EXT_SUPP_RATES;
216 *pos++ = num;
217 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
218 i++) {
219 count++;
220 if (count <= 8)
221 continue; /* already in SuppRates IE */
222 *pos = hapd->iface->current_rates[i].rate / 5;
223 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
224 *pos |= 0x80;
225 pos++;
226 }
227
228 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
229 count++;
230 if (count > 8)
231 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
232 }
233
234 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
235 count++;
236 if (count > 8)
237 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
238 }
239
240 #ifdef CONFIG_IEEE80211AX
241 if (hapd->iconf->ieee80211ax && hapd->iconf->require_he) {
242 count++;
243 if (count > 8)
244 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY;
245 }
246 #endif /* CONFIG_IEEE80211AX */
247
248 if (h2e_required) {
249 count++;
250 if (count > 8)
251 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E_ONLY;
252 }
253
254 hapd->conf->xrates_supported = true;
255 return pos;
256 }
257
258
hostapd_eid_rm_enabled_capab(struct hostapd_data * hapd,u8 * eid,size_t len)259 u8 * hostapd_eid_rm_enabled_capab(struct hostapd_data *hapd, u8 *eid,
260 size_t len)
261 {
262 size_t i;
263
264 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
265 if (hapd->conf->radio_measurements[i])
266 break;
267 }
268
269 if (i == RRM_CAPABILITIES_IE_LEN || len < 2 + RRM_CAPABILITIES_IE_LEN)
270 return eid;
271
272 *eid++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
273 *eid++ = RRM_CAPABILITIES_IE_LEN;
274 os_memcpy(eid, hapd->conf->radio_measurements, RRM_CAPABILITIES_IE_LEN);
275
276 return eid + RRM_CAPABILITIES_IE_LEN;
277 }
278
279
hostapd_own_capab_info(struct hostapd_data * hapd)280 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
281 {
282 int capab = WLAN_CAPABILITY_ESS;
283 int privacy = 0;
284 int dfs;
285 int i;
286
287 /* Check if any of configured channels require DFS */
288 dfs = hostapd_is_dfs_required(hapd->iface);
289 if (dfs < 0) {
290 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
291 dfs);
292 dfs = 0;
293 }
294
295 if (hapd->iface->num_sta_no_short_preamble == 0 &&
296 hapd->iconf->preamble == SHORT_PREAMBLE)
297 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
298
299 #ifdef CONFIG_WEP
300 privacy = hapd->conf->ssid.wep.keys_set;
301
302 if (hapd->conf->ieee802_1x &&
303 (hapd->conf->default_wep_key_len ||
304 hapd->conf->individual_wep_key_len))
305 privacy = 1;
306 #endif /* CONFIG_WEP */
307
308 if (hapd->conf->wpa)
309 privacy = 1;
310
311 #ifdef CONFIG_HS20
312 if (hapd->conf->osen)
313 privacy = 1;
314 #endif /* CONFIG_HS20 */
315
316 if (privacy)
317 capab |= WLAN_CAPABILITY_PRIVACY;
318
319 if (hapd->iface->current_mode &&
320 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
321 hapd->iface->num_sta_no_short_slot_time == 0)
322 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
323
324 /*
325 * Currently, Spectrum Management capability bit is set when directly
326 * requested in configuration by spectrum_mgmt_required or when AP is
327 * running on DFS channel.
328 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
329 */
330 if (hapd->iface->current_mode &&
331 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
332 (hapd->iconf->spectrum_mgmt_required || dfs))
333 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
334
335 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
336 if (hapd->conf->radio_measurements[i]) {
337 capab |= IEEE80211_CAP_RRM;
338 break;
339 }
340 }
341
342 return capab;
343 }
344
345
346 #ifdef CONFIG_WEP
347 #ifndef CONFIG_NO_RC4
auth_shared_key(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,const u8 * challenge,int iswep)348 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
349 u16 auth_transaction, const u8 *challenge,
350 int iswep)
351 {
352 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
353 HOSTAPD_LEVEL_DEBUG,
354 "authentication (shared key, transaction %d)",
355 auth_transaction);
356
357 if (auth_transaction == 1) {
358 if (!sta->challenge) {
359 /* Generate a pseudo-random challenge */
360 u8 key[8];
361
362 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
363 if (sta->challenge == NULL)
364 return WLAN_STATUS_UNSPECIFIED_FAILURE;
365
366 if (os_get_random(key, sizeof(key)) < 0) {
367 os_free(sta->challenge);
368 sta->challenge = NULL;
369 return WLAN_STATUS_UNSPECIFIED_FAILURE;
370 }
371
372 rc4_skip(key, sizeof(key), 0,
373 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
374 }
375 return 0;
376 }
377
378 if (auth_transaction != 3)
379 return WLAN_STATUS_UNSPECIFIED_FAILURE;
380
381 /* Transaction 3 */
382 if (!iswep || !sta->challenge || !challenge ||
383 os_memcmp_const(sta->challenge, challenge,
384 WLAN_AUTH_CHALLENGE_LEN)) {
385 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
386 HOSTAPD_LEVEL_INFO,
387 "shared key authentication - invalid "
388 "challenge-response");
389 return WLAN_STATUS_CHALLENGE_FAIL;
390 }
391
392 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
393 HOSTAPD_LEVEL_DEBUG,
394 "authentication OK (shared key)");
395 sta->flags |= WLAN_STA_AUTH;
396 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
397 os_free(sta->challenge);
398 sta->challenge = NULL;
399
400 return 0;
401 }
402 #endif /* CONFIG_NO_RC4 */
403 #endif /* CONFIG_WEP */
404
405
send_auth_reply(struct hostapd_data * hapd,struct sta_info * sta,const u8 * dst,u16 auth_alg,u16 auth_transaction,u16 resp,const u8 * ies,size_t ies_len,const char * dbg)406 static int send_auth_reply(struct hostapd_data *hapd, struct sta_info *sta,
407 const u8 *dst,
408 u16 auth_alg, u16 auth_transaction, u16 resp,
409 const u8 *ies, size_t ies_len, const char *dbg)
410 {
411 struct ieee80211_mgmt *reply;
412 u8 *buf;
413 size_t rlen;
414 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
415 const u8 *sa = hapd->own_addr;
416 struct wpabuf *ml_resp = NULL;
417
418 #ifdef CONFIG_IEEE80211BE
419 if (ap_sta_is_mld(hapd, sta)) {
420 ml_resp = hostapd_ml_auth_resp(hapd);
421 if (!ml_resp)
422 return -1;
423 }
424 #endif /* CONFIG_IEEE80211BE */
425
426 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
427 if (ml_resp)
428 rlen += wpabuf_len(ml_resp);
429 buf = os_zalloc(rlen);
430 if (!buf) {
431 wpabuf_free(ml_resp);
432 return -1;
433 }
434
435 reply = (struct ieee80211_mgmt *) buf;
436 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
437 WLAN_FC_STYPE_AUTH);
438 os_memcpy(reply->da, dst, ETH_ALEN);
439 os_memcpy(reply->sa, sa, ETH_ALEN);
440 os_memcpy(reply->bssid, sa, ETH_ALEN);
441
442 reply->u.auth.auth_alg = host_to_le16(auth_alg);
443 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
444 reply->u.auth.status_code = host_to_le16(resp);
445
446 if (ies && ies_len)
447 os_memcpy(reply->u.auth.variable, ies, ies_len);
448
449 #ifdef CONFIG_IEEE80211BE
450 if (ml_resp)
451 os_memcpy(reply->u.auth.variable + ies_len,
452 wpabuf_head(ml_resp), wpabuf_len(ml_resp));
453
454 wpabuf_free(ml_resp);
455 #endif /* CONFIG_IEEE80211BE */
456
457 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
458 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
459 MAC2STR(dst), auth_alg, auth_transaction,
460 resp, (unsigned long) ies_len, dbg);
461 #ifdef CONFIG_TESTING_OPTIONS
462 #ifdef CONFIG_SAE
463 if (hapd->conf->sae_confirm_immediate == 2 &&
464 auth_alg == WLAN_AUTH_SAE) {
465 if (auth_transaction == 1 && sta &&
466 (resp == WLAN_STATUS_SUCCESS ||
467 resp == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
468 resp == WLAN_STATUS_SAE_PK)) {
469 wpa_printf(MSG_DEBUG,
470 "TESTING: Postpone SAE Commit transmission until Confirm is ready");
471 os_free(sta->sae_postponed_commit);
472 sta->sae_postponed_commit = buf;
473 sta->sae_postponed_commit_len = rlen;
474 return WLAN_STATUS_SUCCESS;
475 }
476
477 if (auth_transaction == 2 && sta && sta->sae_postponed_commit) {
478 wpa_printf(MSG_DEBUG,
479 "TESTING: Send postponed SAE Commit first, immediately followed by SAE Confirm");
480 if (hostapd_drv_send_mlme(hapd,
481 sta->sae_postponed_commit,
482 sta->sae_postponed_commit_len,
483 0, NULL, 0, 0) < 0)
484 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
485 os_free(sta->sae_postponed_commit);
486 sta->sae_postponed_commit = NULL;
487 sta->sae_postponed_commit_len = 0;
488 }
489 }
490 #endif /* CONFIG_SAE */
491 #endif /* CONFIG_TESTING_OPTIONS */
492 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0, NULL, 0, 0) < 0)
493 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
494 else
495 reply_res = WLAN_STATUS_SUCCESS;
496
497 os_free(buf);
498
499 return reply_res;
500 }
501
502
503 #ifdef CONFIG_IEEE80211R_AP
handle_auth_ft_finish(void * ctx,const u8 * dst,u16 auth_transaction,u16 status,const u8 * ies,size_t ies_len)504 static void handle_auth_ft_finish(void *ctx, const u8 *dst,
505 u16 auth_transaction, u16 status,
506 const u8 *ies, size_t ies_len)
507 {
508 struct hostapd_data *hapd = ctx;
509 struct sta_info *sta;
510 int reply_res;
511
512 reply_res = send_auth_reply(hapd, NULL, dst, WLAN_AUTH_FT,
513 auth_transaction, status, ies, ies_len,
514 "auth-ft-finish");
515
516 sta = ap_get_sta(hapd, dst);
517 if (sta == NULL)
518 return;
519
520 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
521 status != WLAN_STATUS_SUCCESS)) {
522 hostapd_drv_sta_remove(hapd, sta->addr);
523 sta->added_unassoc = 0;
524 return;
525 }
526
527 if (status != WLAN_STATUS_SUCCESS)
528 return;
529
530 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
531 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
532 sta->flags |= WLAN_STA_AUTH;
533 mlme_authenticate_indication(hapd, sta);
534 }
535 #endif /* CONFIG_IEEE80211R_AP */
536
537
538 #ifdef CONFIG_SAE
539
sae_set_state(struct sta_info * sta,enum sae_state state,const char * reason)540 static void sae_set_state(struct sta_info *sta, enum sae_state state,
541 const char *reason)
542 {
543 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
544 sae_state_txt(sta->sae->state), sae_state_txt(state),
545 MAC2STR(sta->addr), reason);
546 sta->sae->state = state;
547 }
548
549
sae_get_password(struct hostapd_data * hapd,struct sta_info * sta,const char * rx_id,struct sae_password_entry ** pw_entry,struct sae_pt ** s_pt,const struct sae_pk ** s_pk)550 const char * sae_get_password(struct hostapd_data *hapd,
551 struct sta_info *sta,
552 const char *rx_id,
553 struct sae_password_entry **pw_entry,
554 struct sae_pt **s_pt,
555 const struct sae_pk **s_pk)
556 {
557 const char *password = NULL;
558 struct sae_password_entry *pw;
559 struct sae_pt *pt = NULL;
560 const struct sae_pk *pk = NULL;
561 struct hostapd_sta_wpa_psk_short *psk = NULL;
562
563 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
564 if (!is_broadcast_ether_addr(pw->peer_addr) &&
565 (!sta ||
566 !ether_addr_equal(pw->peer_addr, sta->addr)))
567 continue;
568 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
569 continue;
570 if (rx_id && pw->identifier &&
571 os_strcmp(rx_id, pw->identifier) != 0)
572 continue;
573 password = pw->password;
574 pt = pw->pt;
575 if (!(hapd->conf->mesh & MESH_ENABLED))
576 pk = pw->pk;
577 break;
578 }
579 if (!password) {
580 password = hapd->conf->ssid.wpa_passphrase;
581 pt = hapd->conf->ssid.pt;
582 }
583
584 if (!password && sta) {
585 for (psk = sta->psk; psk; psk = psk->next) {
586 if (psk->is_passphrase) {
587 password = psk->passphrase;
588 break;
589 }
590 }
591 }
592
593 if (pw_entry)
594 *pw_entry = pw;
595 if (s_pt)
596 *s_pt = pt;
597 if (s_pk)
598 *s_pk = pk;
599
600 return password;
601 }
602
603
auth_build_sae_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)604 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
605 struct sta_info *sta, int update,
606 int status_code)
607 {
608 struct wpabuf *buf;
609 const char *password = NULL;
610 struct sae_password_entry *pw;
611 const char *rx_id = NULL;
612 int use_pt = 0;
613 struct sae_pt *pt = NULL;
614 const struct sae_pk *pk = NULL;
615 const u8 *own_addr = hapd->own_addr;
616
617 #ifdef CONFIG_IEEE80211BE
618 if (ap_sta_is_mld(hapd, sta))
619 own_addr = hapd->mld->mld_addr;
620 #endif /* CONFIG_IEEE80211BE */
621
622 if (sta->sae->tmp) {
623 rx_id = sta->sae->tmp->pw_id;
624 use_pt = sta->sae->h2e;
625 #ifdef CONFIG_SAE_PK
626 os_memcpy(sta->sae->tmp->own_addr, own_addr, ETH_ALEN);
627 os_memcpy(sta->sae->tmp->peer_addr, sta->addr, ETH_ALEN);
628 #endif /* CONFIG_SAE_PK */
629 }
630
631 if (rx_id && hapd->conf->sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
632 use_pt = 1;
633 else if (status_code == WLAN_STATUS_SUCCESS)
634 use_pt = 0;
635 else if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
636 status_code == WLAN_STATUS_SAE_PK)
637 use_pt = 1;
638
639 password = sae_get_password(hapd, sta, rx_id, &pw, &pt, &pk);
640 if (!password || (use_pt && !pt)) {
641 wpa_printf(MSG_DEBUG, "SAE: No password available");
642 return NULL;
643 }
644
645 if (update && use_pt &&
646 sae_prepare_commit_pt(sta->sae, pt, own_addr, sta->addr,
647 NULL, pk) < 0)
648 return NULL;
649
650 if (update && !use_pt &&
651 sae_prepare_commit(own_addr, sta->addr,
652 (u8 *) password, os_strlen(password),
653 sta->sae) < 0) {
654 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
655 return NULL;
656 }
657
658 if (pw && pw->vlan_id) {
659 if (!sta->sae->tmp) {
660 wpa_printf(MSG_INFO,
661 "SAE: No temporary data allocated - cannot store VLAN ID");
662 return NULL;
663 }
664 sta->sae->tmp->vlan_id = pw->vlan_id;
665 }
666
667 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
668 (rx_id ? 3 + os_strlen(rx_id) : 0));
669 if (buf &&
670 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
671 sta->sae->tmp->anti_clogging_token : NULL,
672 rx_id) < 0) {
673 wpabuf_free(buf);
674 buf = NULL;
675 }
676
677 return buf;
678 }
679
680
auth_build_sae_confirm(struct hostapd_data * hapd,struct sta_info * sta)681 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
682 struct sta_info *sta)
683 {
684 struct wpabuf *buf;
685
686 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
687 if (buf == NULL)
688 return NULL;
689
690 #ifdef CONFIG_SAE_PK
691 #ifdef CONFIG_TESTING_OPTIONS
692 if (sta->sae->tmp)
693 sta->sae->tmp->omit_pk_elem = hapd->conf->sae_pk_omit;
694 #endif /* CONFIG_TESTING_OPTIONS */
695 #endif /* CONFIG_SAE_PK */
696
697 if (sae_write_confirm(sta->sae, buf) < 0) {
698 wpabuf_free(buf);
699 return NULL;
700 }
701
702 return buf;
703 }
704
705
auth_sae_send_commit(struct hostapd_data * hapd,struct sta_info * sta,int update,int status_code)706 static int auth_sae_send_commit(struct hostapd_data *hapd,
707 struct sta_info *sta,
708 int update, int status_code)
709 {
710 struct wpabuf *data;
711 int reply_res;
712 u16 status;
713
714 data = auth_build_sae_commit(hapd, sta, update, status_code);
715 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
716 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
717 if (data == NULL)
718 return WLAN_STATUS_UNSPECIFIED_FAILURE;
719
720 if (sta->sae->tmp && sta->sae->pk)
721 status = WLAN_STATUS_SAE_PK;
722 else if (sta->sae->tmp && sta->sae->h2e)
723 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
724 else
725 status = WLAN_STATUS_SUCCESS;
726 #ifdef CONFIG_TESTING_OPTIONS
727 if (hapd->conf->sae_commit_status >= 0 &&
728 hapd->conf->sae_commit_status != status) {
729 wpa_printf(MSG_INFO,
730 "TESTING: Override SAE commit status code %u --> %d",
731 status, hapd->conf->sae_commit_status);
732 status = hapd->conf->sae_commit_status;
733 }
734 #endif /* CONFIG_TESTING_OPTIONS */
735 reply_res = send_auth_reply(hapd, sta, sta->addr,
736 WLAN_AUTH_SAE, 1,
737 status, wpabuf_head(data),
738 wpabuf_len(data), "sae-send-commit");
739
740 wpabuf_free(data);
741
742 return reply_res;
743 }
744
745
auth_sae_send_confirm(struct hostapd_data * hapd,struct sta_info * sta)746 static int auth_sae_send_confirm(struct hostapd_data *hapd,
747 struct sta_info *sta)
748 {
749 struct wpabuf *data;
750 int reply_res;
751
752 data = auth_build_sae_confirm(hapd, sta);
753 if (data == NULL)
754 return WLAN_STATUS_UNSPECIFIED_FAILURE;
755
756 reply_res = send_auth_reply(hapd, sta, sta->addr,
757 WLAN_AUTH_SAE, 2,
758 WLAN_STATUS_SUCCESS, wpabuf_head(data),
759 wpabuf_len(data), "sae-send-confirm");
760
761 wpabuf_free(data);
762
763 return reply_res;
764 }
765
766 #endif /* CONFIG_SAE */
767
768
769 #if defined(CONFIG_SAE) || defined(CONFIG_PASN)
770
use_anti_clogging(struct hostapd_data * hapd)771 static int use_anti_clogging(struct hostapd_data *hapd)
772 {
773 struct sta_info *sta;
774 unsigned int open = 0;
775
776 if (hapd->conf->anti_clogging_threshold == 0)
777 return 1;
778
779 for (sta = hapd->sta_list; sta; sta = sta->next) {
780 #ifdef CONFIG_SAE
781 if (sta->sae &&
782 (sta->sae->state == SAE_COMMITTED ||
783 sta->sae->state == SAE_CONFIRMED))
784 open++;
785 #endif /* CONFIG_SAE */
786 #ifdef CONFIG_PASN
787 if (sta->pasn && sta->pasn->ecdh)
788 open++;
789 #endif /* CONFIG_PASN */
790 if (open >= hapd->conf->anti_clogging_threshold)
791 return 1;
792 }
793
794 #ifdef CONFIG_SAE
795 /* In addition to already existing open SAE sessions, check whether
796 * there are enough pending commit messages in the processing queue to
797 * potentially result in too many open sessions. */
798 if (open + dl_list_len(&hapd->sae_commit_queue) >=
799 hapd->conf->anti_clogging_threshold)
800 return 1;
801 #endif /* CONFIG_SAE */
802
803 return 0;
804 }
805
806 #endif /* defined(CONFIG_SAE) || defined(CONFIG_PASN) */
807
808
809 #ifdef CONFIG_SAE
810
sae_check_big_sync(struct hostapd_data * hapd,struct sta_info * sta)811 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
812 {
813 if (sta->sae->sync > hapd->conf->sae_sync) {
814 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
815 sta->sae->sync = 0;
816 if (sta->sae->tmp) {
817 /* Disable this SAE instance for 10 seconds to avoid
818 * unnecessary flood of multiple SAE commits in
819 * unexpected mesh cases. */
820 if (os_get_reltime(&sta->sae->tmp->disabled_until) == 0)
821 sta->sae->tmp->disabled_until.sec += 10;
822 }
823 return -1;
824 }
825 return 0;
826 }
827
828
sae_proto_instance_disabled(struct sta_info * sta)829 static bool sae_proto_instance_disabled(struct sta_info *sta)
830 {
831 struct sae_temporary_data *tmp;
832
833 if (!sta->sae)
834 return false;
835 tmp = sta->sae->tmp;
836 if (!tmp)
837 return false;
838
839 if (os_reltime_initialized(&tmp->disabled_until)) {
840 struct os_reltime now;
841
842 os_get_reltime(&now);
843 if (os_reltime_before(&now, &tmp->disabled_until))
844 return true;
845 }
846
847 return false;
848 }
849
850
auth_sae_retransmit_timer(void * eloop_ctx,void * eloop_data)851 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
852 {
853 struct hostapd_data *hapd = eloop_ctx;
854 struct sta_info *sta = eloop_data;
855 int ret;
856
857 if (sae_check_big_sync(hapd, sta))
858 return;
859 sta->sae->sync++;
860 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
861 " (sync=%d state=%s)",
862 MAC2STR(sta->addr), sta->sae->sync,
863 sae_state_txt(sta->sae->state));
864
865 switch (sta->sae->state) {
866 case SAE_COMMITTED:
867 ret = auth_sae_send_commit(hapd, sta, 0, -1);
868 eloop_register_timeout(0,
869 hapd->dot11RSNASAERetransPeriod * 1000,
870 auth_sae_retransmit_timer, hapd, sta);
871 break;
872 case SAE_CONFIRMED:
873 ret = auth_sae_send_confirm(hapd, sta);
874 eloop_register_timeout(0,
875 hapd->dot11RSNASAERetransPeriod * 1000,
876 auth_sae_retransmit_timer, hapd, sta);
877 break;
878 default:
879 ret = -1;
880 break;
881 }
882
883 if (ret != WLAN_STATUS_SUCCESS)
884 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
885 }
886
887
sae_clear_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)888 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
889 {
890 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
891 }
892
893
sae_set_retransmit_timer(struct hostapd_data * hapd,struct sta_info * sta)894 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
895 struct sta_info *sta)
896 {
897 if (!(hapd->conf->mesh & MESH_ENABLED))
898 return;
899
900 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
901 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
902 auth_sae_retransmit_timer, hapd, sta);
903 }
904
905
sae_sme_send_external_auth_status(struct hostapd_data * hapd,struct sta_info * sta,u16 status)906 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
907 struct sta_info *sta, u16 status)
908 {
909 struct external_auth params;
910
911 os_memset(¶ms, 0, sizeof(params));
912 params.status = status;
913
914 #ifdef CONFIG_IEEE80211BE
915 if (ap_sta_is_mld(hapd, sta))
916 params.bssid =
917 sta->mld_info.links[sta->mld_assoc_link_id].peer_addr;
918 #endif /* CONFIG_IEEE80211BE */
919 if (!params.bssid)
920 params.bssid = sta->addr;
921
922 if (status == WLAN_STATUS_SUCCESS && sta->sae &&
923 !hapd->conf->disable_pmksa_caching)
924 params.pmkid = sta->sae->pmkid;
925
926 hostapd_drv_send_external_auth_status(hapd, ¶ms);
927 }
928
929
sae_accept_sta(struct hostapd_data * hapd,struct sta_info * sta)930 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
931 {
932 #ifndef CONFIG_NO_VLAN
933 struct vlan_description vlan_desc;
934
935 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
936 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
937 " to VLAN ID %d",
938 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
939
940 if (!(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_VLAN_OFFLOAD)) {
941 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
942 vlan_desc.notempty = 1;
943 vlan_desc.untagged = sta->sae->tmp->vlan_id;
944 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
945 wpa_printf(MSG_INFO,
946 "Invalid VLAN ID %d in sae_password",
947 sta->sae->tmp->vlan_id);
948 return;
949 }
950
951 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
952 ap_sta_bind_vlan(hapd, sta) < 0) {
953 wpa_printf(MSG_INFO,
954 "Failed to assign VLAN ID %d from sae_password to "
955 MACSTR, sta->sae->tmp->vlan_id,
956 MAC2STR(sta->addr));
957 return;
958 }
959 } else {
960 sta->vlan_id = sta->sae->tmp->vlan_id;
961 }
962 }
963 #endif /* CONFIG_NO_VLAN */
964
965 sta->flags |= WLAN_STA_AUTH;
966 sta->auth_alg = WLAN_AUTH_SAE;
967 mlme_authenticate_indication(hapd, sta);
968 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
969 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
970 crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0);
971 sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar;
972 sta->sae->peer_commit_scalar = NULL;
973 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
974 sta->sae->pmk, sta->sae->pmk_len,
975 sta->sae->pmkid, sta->sae->akmp);
976 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
977 }
978
979
sae_sm_step(struct hostapd_data * hapd,struct sta_info * sta,u16 auth_transaction,u16 status_code,int allow_reuse,int * sta_removed)980 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
981 u16 auth_transaction, u16 status_code,
982 int allow_reuse, int *sta_removed)
983 {
984 int ret;
985
986 *sta_removed = 0;
987
988 if (auth_transaction != 1 && auth_transaction != 2)
989 return WLAN_STATUS_UNSPECIFIED_FAILURE;
990
991 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
992 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
993 auth_transaction);
994
995 if (auth_transaction == 1 && sae_proto_instance_disabled(sta)) {
996 wpa_printf(MSG_DEBUG,
997 "SAE: Protocol instance temporarily disabled - discard received SAE commit");
998 return WLAN_STATUS_SUCCESS;
999 }
1000
1001 switch (sta->sae->state) {
1002 case SAE_NOTHING:
1003 if (auth_transaction == 1) {
1004 if (sta->sae->tmp) {
1005 sta->sae->h2e =
1006 (status_code ==
1007 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1008 status_code == WLAN_STATUS_SAE_PK);
1009 sta->sae->pk =
1010 status_code == WLAN_STATUS_SAE_PK;
1011 }
1012 ret = auth_sae_send_commit(hapd, sta,
1013 !allow_reuse, status_code);
1014 if (ret)
1015 return ret;
1016 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1017
1018 if (sae_process_commit(sta->sae) < 0)
1019 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1020
1021 /*
1022 * In mesh case, both Commit and Confirm are sent
1023 * immediately. In infrastructure BSS, by default, only
1024 * a single Authentication frame (Commit) is expected
1025 * from the AP here and the second one (Confirm) will
1026 * be sent once the STA has sent its second
1027 * Authentication frame (Confirm). This behavior can be
1028 * overridden with explicit configuration so that the
1029 * infrastructure BSS case sends both frames together.
1030 */
1031 if ((hapd->conf->mesh & MESH_ENABLED) ||
1032 hapd->conf->sae_confirm_immediate) {
1033 /*
1034 * Send both Commit and Confirm immediately
1035 * based on SAE finite state machine
1036 * Nothing -> Confirm transition.
1037 */
1038 ret = auth_sae_send_confirm(hapd, sta);
1039 if (ret)
1040 return ret;
1041 sae_set_state(sta, SAE_CONFIRMED,
1042 "Sent Confirm (mesh)");
1043 } else {
1044 /*
1045 * For infrastructure BSS, send only the Commit
1046 * message now to get alternating sequence of
1047 * Authentication frames between the AP and STA.
1048 * Confirm will be sent in
1049 * Committed -> Confirmed/Accepted transition
1050 * when receiving Confirm from STA.
1051 */
1052 }
1053 sta->sae->sync = 0;
1054 sae_set_retransmit_timer(hapd, sta);
1055 } else {
1056 hostapd_logger(hapd, sta->addr,
1057 HOSTAPD_MODULE_IEEE80211,
1058 HOSTAPD_LEVEL_DEBUG,
1059 "SAE confirm before commit");
1060 }
1061 break;
1062 case SAE_COMMITTED:
1063 sae_clear_retransmit_timer(hapd, sta);
1064 if (auth_transaction == 1) {
1065 if (sae_process_commit(sta->sae) < 0)
1066 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1067
1068 ret = auth_sae_send_confirm(hapd, sta);
1069 if (ret)
1070 return ret;
1071 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1072 sta->sae->sync = 0;
1073 sae_set_retransmit_timer(hapd, sta);
1074 } else if (hapd->conf->mesh & MESH_ENABLED) {
1075 /*
1076 * In mesh case, follow SAE finite state machine and
1077 * send Commit now, if sync count allows.
1078 */
1079 if (sae_check_big_sync(hapd, sta))
1080 return WLAN_STATUS_SUCCESS;
1081 sta->sae->sync++;
1082
1083 ret = auth_sae_send_commit(hapd, sta, 0, status_code);
1084 if (ret)
1085 return ret;
1086
1087 sae_set_retransmit_timer(hapd, sta);
1088 } else {
1089 /*
1090 * For instructure BSS, send the postponed Confirm from
1091 * Nothing -> Confirmed transition that was reduced to
1092 * Nothing -> Committed above.
1093 */
1094 ret = auth_sae_send_confirm(hapd, sta);
1095 if (ret)
1096 return ret;
1097
1098 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
1099
1100 /*
1101 * Since this was triggered on Confirm RX, run another
1102 * step to get to Accepted without waiting for
1103 * additional events.
1104 */
1105 return sae_sm_step(hapd, sta, auth_transaction,
1106 WLAN_STATUS_SUCCESS, 0, sta_removed);
1107 }
1108 break;
1109 case SAE_CONFIRMED:
1110 sae_clear_retransmit_timer(hapd, sta);
1111 if (auth_transaction == 1) {
1112 if (sae_check_big_sync(hapd, sta))
1113 return WLAN_STATUS_SUCCESS;
1114 sta->sae->sync++;
1115
1116 ret = auth_sae_send_commit(hapd, sta, 1, status_code);
1117 if (ret)
1118 return ret;
1119
1120 if (sae_process_commit(sta->sae) < 0)
1121 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1122
1123 ret = auth_sae_send_confirm(hapd, sta);
1124 if (ret)
1125 return ret;
1126
1127 sae_set_retransmit_timer(hapd, sta);
1128 } else {
1129 sta->sae->send_confirm = 0xffff;
1130 sae_accept_sta(hapd, sta);
1131 }
1132 break;
1133 case SAE_ACCEPTED:
1134 if (auth_transaction == 1 &&
1135 (hapd->conf->mesh & MESH_ENABLED)) {
1136 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
1137 ") doing reauthentication",
1138 MAC2STR(sta->addr));
1139 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1140 ap_free_sta(hapd, sta);
1141 *sta_removed = 1;
1142 } else if (auth_transaction == 1) {
1143 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
1144 ret = auth_sae_send_commit(hapd, sta, 1, status_code);
1145 if (ret)
1146 return ret;
1147 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
1148
1149 if (sae_process_commit(sta->sae) < 0)
1150 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1151 sta->sae->sync = 0;
1152 sae_set_retransmit_timer(hapd, sta);
1153 } else {
1154 if (sae_check_big_sync(hapd, sta))
1155 return WLAN_STATUS_SUCCESS;
1156 sta->sae->sync++;
1157
1158 ret = auth_sae_send_confirm(hapd, sta);
1159 sae_clear_temp_data(sta->sae);
1160 if (ret)
1161 return ret;
1162 }
1163 break;
1164 default:
1165 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
1166 sta->sae->state);
1167 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1168 }
1169 return WLAN_STATUS_SUCCESS;
1170 }
1171
1172
sae_pick_next_group(struct hostapd_data * hapd,struct sta_info * sta)1173 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
1174 {
1175 struct sae_data *sae = sta->sae;
1176 struct hostapd_bss_config *conf = hapd->conf;
1177 int i, *groups = conf->sae_groups;
1178 int default_groups[] = { 19, 0, 0 };
1179
1180 if (sae->state != SAE_COMMITTED)
1181 return;
1182
1183 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
1184
1185 if (!groups) {
1186 groups = default_groups;
1187 if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
1188 conf->rsn_override_key_mgmt |
1189 conf->rsn_override_key_mgmt_2))
1190 default_groups[1] = 20;
1191 }
1192
1193 for (i = 0; groups[i] > 0; i++) {
1194 if (sae->group == groups[i])
1195 break;
1196 }
1197
1198 if (groups[i] <= 0) {
1199 wpa_printf(MSG_DEBUG,
1200 "SAE: Previously selected group not found from the current configuration");
1201 return;
1202 }
1203
1204 for (;;) {
1205 i++;
1206 if (groups[i] <= 0) {
1207 wpa_printf(MSG_DEBUG,
1208 "SAE: No alternative group enabled");
1209 return;
1210 }
1211
1212 if (sae_set_group(sae, groups[i]) < 0)
1213 continue;
1214
1215 break;
1216 }
1217 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
1218 }
1219
1220
sae_status_success(struct hostapd_data * hapd,u16 status_code)1221 static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
1222 {
1223 enum sae_pwe sae_pwe = hapd->conf->sae_pwe;
1224 int id_in_use;
1225 bool sae_pk = false;
1226
1227 id_in_use = hostapd_sae_pw_id_in_use(hapd->conf);
1228 if (id_in_use == 2 && sae_pwe != SAE_PWE_FORCE_HUNT_AND_PECK)
1229 sae_pwe = SAE_PWE_HASH_TO_ELEMENT;
1230 else if (id_in_use == 1 && sae_pwe == SAE_PWE_HUNT_AND_PECK)
1231 sae_pwe = SAE_PWE_BOTH;
1232 #ifdef CONFIG_SAE_PK
1233 sae_pk = hostapd_sae_pk_in_use(hapd->conf);
1234 if (sae_pwe == SAE_PWE_HUNT_AND_PECK && sae_pk)
1235 sae_pwe = SAE_PWE_BOTH;
1236 #endif /* CONFIG_SAE_PK */
1237 if (sae_pwe == SAE_PWE_HUNT_AND_PECK &&
1238 (hapd->conf->wpa_key_mgmt &
1239 (WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE_EXT_KEY)))
1240 sae_pwe = SAE_PWE_BOTH;
1241
1242 return ((sae_pwe == SAE_PWE_HUNT_AND_PECK ||
1243 sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK) &&
1244 status_code == WLAN_STATUS_SUCCESS) ||
1245 (sae_pwe == SAE_PWE_HASH_TO_ELEMENT &&
1246 (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1247 (sae_pk && status_code == WLAN_STATUS_SAE_PK))) ||
1248 (sae_pwe == SAE_PWE_BOTH &&
1249 (status_code == WLAN_STATUS_SUCCESS ||
1250 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1251 (sae_pk && status_code == WLAN_STATUS_SAE_PK)));
1252 }
1253
1254
sae_is_group_enabled(struct hostapd_data * hapd,int group)1255 static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
1256 {
1257 struct hostapd_bss_config *conf = hapd->conf;
1258 int *groups = conf->sae_groups;
1259 int default_groups[] = { 19, 0, 0 };
1260 int i;
1261
1262 if (!groups) {
1263 groups = default_groups;
1264 if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
1265 conf->rsn_override_key_mgmt |
1266 conf->rsn_override_key_mgmt_2))
1267 default_groups[1] = 20;
1268 }
1269
1270 for (i = 0; groups[i] > 0; i++) {
1271 if (groups[i] == group)
1272 return 1;
1273 }
1274
1275 return 0;
1276 }
1277
1278
check_sae_rejected_groups(struct hostapd_data * hapd,struct sae_data * sae)1279 static int check_sae_rejected_groups(struct hostapd_data *hapd,
1280 struct sae_data *sae)
1281 {
1282 const struct wpabuf *groups;
1283 size_t i, count, len;
1284 const u8 *pos;
1285
1286 if (!sae->tmp)
1287 return 0;
1288 groups = sae->tmp->peer_rejected_groups;
1289 if (!groups)
1290 return 0;
1291
1292 pos = wpabuf_head(groups);
1293 len = wpabuf_len(groups);
1294 if (len & 1) {
1295 wpa_printf(MSG_DEBUG,
1296 "SAE: Invalid length of the Rejected Groups element payload: %zu",
1297 len);
1298 return 1;
1299 }
1300
1301 count = len / 2;
1302 for (i = 0; i < count; i++) {
1303 int enabled;
1304 u16 group;
1305
1306 group = WPA_GET_LE16(pos);
1307 pos += 2;
1308 enabled = sae_is_group_enabled(hapd, group);
1309 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1310 group, enabled ? "enabled" : "disabled");
1311 if (enabled)
1312 return 1;
1313 }
1314
1315 return 0;
1316 }
1317
1318
handle_auth_sae(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 auth_transaction,u16 status_code)1319 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
1320 const struct ieee80211_mgmt *mgmt, size_t len,
1321 u16 auth_transaction, u16 status_code)
1322 {
1323 int resp = WLAN_STATUS_SUCCESS;
1324 struct wpabuf *data = NULL;
1325 struct hostapd_bss_config *conf = hapd->conf;
1326 int *groups = conf->sae_groups;
1327 int default_groups[] = { 19, 0, 0 };
1328 const u8 *pos, *end;
1329 int sta_removed = 0;
1330 bool success_status;
1331
1332 if (!groups) {
1333 groups = default_groups;
1334 if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
1335 conf->rsn_override_key_mgmt |
1336 conf->rsn_override_key_mgmt_2))
1337 default_groups[1] = 20;
1338 }
1339
1340 #ifdef CONFIG_TESTING_OPTIONS
1341 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
1342 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
1343 pos = mgmt->u.auth.variable;
1344 end = ((const u8 *) mgmt) + len;
1345 resp = status_code;
1346 send_auth_reply(hapd, sta, sta->addr,
1347 WLAN_AUTH_SAE,
1348 auth_transaction, resp, pos, end - pos,
1349 "auth-sae-reflection-attack");
1350 goto remove_sta;
1351 }
1352
1353 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1354 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1355 send_auth_reply(hapd, sta, sta->addr,
1356 WLAN_AUTH_SAE,
1357 auth_transaction, resp,
1358 wpabuf_head(hapd->conf->sae_commit_override),
1359 wpabuf_len(hapd->conf->sae_commit_override),
1360 "sae-commit-override");
1361 goto remove_sta;
1362 }
1363 #endif /* CONFIG_TESTING_OPTIONS */
1364 if (!sta->sae) {
1365 if (auth_transaction != 1 ||
1366 !sae_status_success(hapd, status_code)) {
1367 wpa_printf(MSG_DEBUG, "SAE: Unexpected Status Code %u",
1368 status_code);
1369 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1370 goto reply;
1371 }
1372 sta->sae = os_zalloc(sizeof(*sta->sae));
1373 if (!sta->sae) {
1374 resp = -1;
1375 goto remove_sta;
1376 }
1377 sae_set_state(sta, SAE_NOTHING, "Init");
1378 sta->sae->sync = 0;
1379 }
1380
1381 if (sta->mesh_sae_pmksa_caching) {
1382 wpa_printf(MSG_DEBUG,
1383 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1384 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1385 sta->mesh_sae_pmksa_caching = 0;
1386 }
1387
1388 if (auth_transaction == 1) {
1389 const u8 *token = NULL;
1390 size_t token_len = 0;
1391 int allow_reuse = 0;
1392
1393 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1394 HOSTAPD_LEVEL_DEBUG,
1395 "start SAE authentication (RX commit, status=%u (%s))",
1396 status_code, status2str(status_code));
1397
1398 if ((hapd->conf->mesh & MESH_ENABLED) &&
1399 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1400 sta->sae->tmp) {
1401 pos = mgmt->u.auth.variable;
1402 end = ((const u8 *) mgmt) + len;
1403 if (pos + sizeof(le16) > end) {
1404 wpa_printf(MSG_ERROR,
1405 "SAE: Too short anti-clogging token request");
1406 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1407 goto reply;
1408 }
1409 resp = sae_group_allowed(sta->sae, groups,
1410 WPA_GET_LE16(pos));
1411 if (resp != WLAN_STATUS_SUCCESS) {
1412 wpa_printf(MSG_ERROR,
1413 "SAE: Invalid group in anti-clogging token request");
1414 goto reply;
1415 }
1416 pos += sizeof(le16);
1417
1418 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1419 sta->sae->tmp->anti_clogging_token =
1420 wpabuf_alloc_copy(pos, end - pos);
1421 if (sta->sae->tmp->anti_clogging_token == NULL) {
1422 wpa_printf(MSG_ERROR,
1423 "SAE: Failed to alloc for anti-clogging token");
1424 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1425 goto remove_sta;
1426 }
1427
1428 /*
1429 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1430 * is 76, a new Commit Message shall be constructed
1431 * with the Anti-Clogging Token from the received
1432 * Authentication frame, and the commit-scalar and
1433 * COMMIT-ELEMENT previously sent.
1434 */
1435 resp = auth_sae_send_commit(hapd, sta, 0, status_code);
1436 if (resp != WLAN_STATUS_SUCCESS) {
1437 wpa_printf(MSG_ERROR,
1438 "SAE: Failed to send commit message");
1439 goto remove_sta;
1440 }
1441 sae_set_state(sta, SAE_COMMITTED,
1442 "Sent Commit (anti-clogging token case in mesh)");
1443 sta->sae->sync = 0;
1444 sae_set_retransmit_timer(hapd, sta);
1445 return;
1446 }
1447
1448 if ((hapd->conf->mesh & MESH_ENABLED) &&
1449 status_code ==
1450 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1451 sta->sae->tmp) {
1452 wpa_printf(MSG_DEBUG,
1453 "SAE: Peer did not accept our SAE group");
1454 sae_pick_next_group(hapd, sta);
1455 goto remove_sta;
1456 }
1457
1458 if (!sae_status_success(hapd, status_code))
1459 goto remove_sta;
1460
1461 if (sae_proto_instance_disabled(sta)) {
1462 wpa_printf(MSG_DEBUG,
1463 "SAE: Protocol instance temporarily disabled - discard received SAE commit");
1464 return;
1465 }
1466
1467 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1468 sta->sae->state == SAE_COMMITTED) {
1469 /* This is needed in the infrastructure BSS case to
1470 * address a sequence where a STA entry may remain in
1471 * hostapd across two attempts to do SAE authentication
1472 * by the same STA. The second attempt may end up trying
1473 * to use a different group and that would not be
1474 * allowed if we remain in Committed state with the
1475 * previously set parameters. */
1476 pos = mgmt->u.auth.variable;
1477 end = ((const u8 *) mgmt) + len;
1478 if (end - pos >= (int) sizeof(le16) &&
1479 sae_group_allowed(sta->sae, groups,
1480 WPA_GET_LE16(pos)) ==
1481 WLAN_STATUS_SUCCESS) {
1482 /* Do not waste resources deriving the same PWE
1483 * again since the same group is reused. */
1484 sae_set_state(sta, SAE_NOTHING,
1485 "Allow previous PWE to be reused");
1486 allow_reuse = 1;
1487 } else {
1488 sae_set_state(sta, SAE_NOTHING,
1489 "Clear existing state to allow restart");
1490 sae_clear_data(sta->sae);
1491 }
1492 }
1493
1494 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1495 ((const u8 *) mgmt) + len -
1496 mgmt->u.auth.variable, &token,
1497 &token_len, groups, status_code ==
1498 WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1499 status_code == WLAN_STATUS_SAE_PK,
1500 NULL);
1501 if (resp == SAE_SILENTLY_DISCARD) {
1502 wpa_printf(MSG_DEBUG,
1503 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1504 MAC2STR(sta->addr));
1505 goto remove_sta;
1506 }
1507
1508 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1509 wpa_msg(hapd->msg_ctx, MSG_INFO,
1510 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1511 MACSTR, MAC2STR(sta->addr));
1512 sae_clear_retransmit_timer(hapd, sta);
1513 sae_set_state(sta, SAE_NOTHING,
1514 "Unknown Password Identifier");
1515 goto remove_sta;
1516 }
1517
1518 if (token &&
1519 check_comeback_token(hapd->comeback_key,
1520 hapd->comeback_pending_idx, sta->addr,
1521 token, token_len)
1522 < 0) {
1523 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1524 "incorrect token from " MACSTR,
1525 MAC2STR(sta->addr));
1526 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1527 goto remove_sta;
1528 }
1529
1530 if (resp != WLAN_STATUS_SUCCESS)
1531 goto reply;
1532
1533 if (check_sae_rejected_groups(hapd, sta->sae)) {
1534 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1535 goto reply;
1536 }
1537
1538 if (!token && use_anti_clogging(hapd) && !allow_reuse) {
1539 int h2e = 0;
1540
1541 wpa_printf(MSG_DEBUG,
1542 "SAE: Request anti-clogging token from "
1543 MACSTR, MAC2STR(sta->addr));
1544 if (sta->sae->tmp)
1545 h2e = sta->sae->h2e;
1546 if (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1547 status_code == WLAN_STATUS_SAE_PK)
1548 h2e = 1;
1549 data = auth_build_token_req(
1550 &hapd->last_comeback_key_update,
1551 hapd->comeback_key,
1552 hapd->comeback_idx,
1553 hapd->comeback_pending_idx,
1554 sizeof(hapd->comeback_pending_idx),
1555 sta->sae->group,
1556 sta->addr, h2e);
1557 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1558 if (hapd->conf->mesh & MESH_ENABLED)
1559 sae_set_state(sta, SAE_NOTHING,
1560 "Request anti-clogging token case in mesh");
1561 goto reply;
1562 }
1563
1564 resp = sae_sm_step(hapd, sta, auth_transaction,
1565 status_code, allow_reuse, &sta_removed);
1566 } else if (auth_transaction == 2) {
1567 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1568 HOSTAPD_LEVEL_DEBUG,
1569 "SAE authentication (RX confirm, status=%u (%s))",
1570 status_code, status2str(status_code));
1571 if (status_code != WLAN_STATUS_SUCCESS)
1572 goto remove_sta;
1573 if (sta->sae->state >= SAE_CONFIRMED ||
1574 !(hapd->conf->mesh & MESH_ENABLED)) {
1575 const u8 *var;
1576 size_t var_len;
1577 u16 peer_send_confirm;
1578
1579 var = mgmt->u.auth.variable;
1580 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1581 if (var_len < 2) {
1582 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1583 goto reply;
1584 }
1585
1586 peer_send_confirm = WPA_GET_LE16(var);
1587
1588 if (sta->sae->state == SAE_ACCEPTED &&
1589 (peer_send_confirm <= sta->sae->rc ||
1590 peer_send_confirm == 0xffff)) {
1591 wpa_printf(MSG_DEBUG,
1592 "SAE: Silently ignore unexpected Confirm from peer "
1593 MACSTR
1594 " (peer-send-confirm=%u Rc=%u)",
1595 MAC2STR(sta->addr),
1596 peer_send_confirm, sta->sae->rc);
1597 return;
1598 }
1599
1600 if (sae_check_confirm(sta->sae, var, var_len,
1601 NULL) < 0) {
1602 resp = WLAN_STATUS_CHALLENGE_FAIL;
1603 goto reply;
1604 }
1605 sta->sae->rc = peer_send_confirm;
1606 }
1607 resp = sae_sm_step(hapd, sta, auth_transaction,
1608 status_code, 0, &sta_removed);
1609 } else {
1610 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1611 HOSTAPD_LEVEL_DEBUG,
1612 "unexpected SAE authentication transaction %u (status=%u (%s))",
1613 auth_transaction, status_code,
1614 status2str(status_code));
1615 if (status_code != WLAN_STATUS_SUCCESS)
1616 goto remove_sta;
1617 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1618 }
1619
1620 reply:
1621 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1622 pos = mgmt->u.auth.variable;
1623 end = ((const u8 *) mgmt) + len;
1624
1625 /* Copy the Finite Cyclic Group field from the request if we
1626 * rejected it as unsupported group. */
1627 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1628 !data && end - pos >= 2)
1629 data = wpabuf_alloc_copy(pos, 2);
1630
1631 send_auth_reply(hapd, sta, sta->addr,
1632 WLAN_AUTH_SAE,
1633 auth_transaction, resp,
1634 data ? wpabuf_head(data) : (u8 *) "",
1635 data ? wpabuf_len(data) : 0, "auth-sae");
1636 sae_sme_send_external_auth_status(hapd, sta, resp);
1637 if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id &&
1638 resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER &&
1639 auth_transaction == 1) {
1640 wpa_printf(MSG_DEBUG,
1641 "SAE: Clear stored password identifier since this SAE commit was not accepted");
1642 os_free(sta->sae->tmp->pw_id);
1643 sta->sae->tmp->pw_id = NULL;
1644 }
1645 }
1646
1647 remove_sta:
1648 if (auth_transaction == 1)
1649 success_status = sae_status_success(hapd, status_code);
1650 else
1651 success_status = status_code == WLAN_STATUS_SUCCESS;
1652 if (!sta_removed && sta->added_unassoc &&
1653 (resp != WLAN_STATUS_SUCCESS || !success_status)) {
1654 hostapd_drv_sta_remove(hapd, sta->addr);
1655 sta->added_unassoc = 0;
1656 }
1657 wpabuf_free(data);
1658 }
1659
1660
1661 /**
1662 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1663 * @hapd: BSS data for the device initiating the authentication
1664 * @sta: the peer to which commit authentication frame is sent
1665 *
1666 * This function implements Init event handling (IEEE Std 802.11-2012,
1667 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1668 * sta->sae structure should be initialized appropriately via a call to
1669 * sae_prepare_commit().
1670 */
auth_sae_init_committed(struct hostapd_data * hapd,struct sta_info * sta)1671 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1672 {
1673 int ret;
1674
1675 if (!sta->sae || !sta->sae->tmp)
1676 return -1;
1677
1678 if (sta->sae->state != SAE_NOTHING)
1679 return -1;
1680
1681 ret = auth_sae_send_commit(hapd, sta, 0, -1);
1682 if (ret)
1683 return -1;
1684
1685 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1686 sta->sae->sync = 0;
1687 sae_set_retransmit_timer(hapd, sta);
1688
1689 return 0;
1690 }
1691
1692
auth_sae_process_commit(void * eloop_ctx,void * user_ctx)1693 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1694 {
1695 struct hostapd_data *hapd = eloop_ctx;
1696 struct hostapd_sae_commit_queue *q;
1697 unsigned int queue_len;
1698
1699 q = dl_list_first(&hapd->sae_commit_queue,
1700 struct hostapd_sae_commit_queue, list);
1701 if (!q)
1702 return;
1703 wpa_printf(MSG_DEBUG,
1704 "SAE: Process next available message from queue");
1705 dl_list_del(&q->list);
1706 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1707 q->rssi, 1);
1708 os_free(q);
1709
1710 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1711 return;
1712 queue_len = dl_list_len(&hapd->sae_commit_queue);
1713 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1714 hapd, NULL);
1715 }
1716
1717
auth_sae_queue(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi)1718 static void auth_sae_queue(struct hostapd_data *hapd,
1719 const struct ieee80211_mgmt *mgmt, size_t len,
1720 int rssi)
1721 {
1722 struct hostapd_sae_commit_queue *q, *q2;
1723 unsigned int queue_len;
1724 const struct ieee80211_mgmt *mgmt2;
1725
1726 queue_len = dl_list_len(&hapd->sae_commit_queue);
1727 if (queue_len >= 15) {
1728 wpa_printf(MSG_DEBUG,
1729 "SAE: No more room in message queue - drop the new frame from "
1730 MACSTR, MAC2STR(mgmt->sa));
1731 return;
1732 }
1733
1734 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1735 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1736 queue_len);
1737 q = os_zalloc(sizeof(*q) + len);
1738 if (!q)
1739 return;
1740 q->rssi = rssi;
1741 q->len = len;
1742 os_memcpy(q->msg, mgmt, len);
1743
1744 /* Check whether there is already a queued Authentication frame from the
1745 * same station with the same transaction number and if so, replace that
1746 * queue entry with the new one. This avoids issues with a peer that
1747 * sends multiple times (e.g., due to frequent SAE retries). There is no
1748 * point in us trying to process the old attempts after a new one has
1749 * obsoleted them. */
1750 dl_list_for_each(q2, &hapd->sae_commit_queue,
1751 struct hostapd_sae_commit_queue, list) {
1752 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1753 if (ether_addr_equal(mgmt->sa, mgmt2->sa) &&
1754 mgmt->u.auth.auth_transaction ==
1755 mgmt2->u.auth.auth_transaction) {
1756 wpa_printf(MSG_DEBUG,
1757 "SAE: Replace queued message from same STA with same transaction number");
1758 dl_list_add(&q2->list, &q->list);
1759 dl_list_del(&q2->list);
1760 os_free(q2);
1761 goto queued;
1762 }
1763 }
1764
1765 /* No pending identical entry, so add to the end of the queue */
1766 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1767
1768 queued:
1769 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1770 return;
1771 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1772 hapd, NULL);
1773 }
1774
1775
auth_sae_queued_addr(struct hostapd_data * hapd,const u8 * addr)1776 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1777 {
1778 struct hostapd_sae_commit_queue *q;
1779 const struct ieee80211_mgmt *mgmt;
1780
1781 dl_list_for_each(q, &hapd->sae_commit_queue,
1782 struct hostapd_sae_commit_queue, list) {
1783 mgmt = (const struct ieee80211_mgmt *) q->msg;
1784 if (ether_addr_equal(addr, mgmt->sa))
1785 return 1;
1786 }
1787
1788 return 0;
1789 }
1790
1791 #endif /* CONFIG_SAE */
1792
1793
wpa_res_to_status_code(enum wpa_validate_result res)1794 static u16 wpa_res_to_status_code(enum wpa_validate_result res)
1795 {
1796 switch (res) {
1797 case WPA_IE_OK:
1798 return WLAN_STATUS_SUCCESS;
1799 case WPA_INVALID_IE:
1800 return WLAN_STATUS_INVALID_IE;
1801 case WPA_INVALID_GROUP:
1802 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1803 case WPA_INVALID_PAIRWISE:
1804 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1805 case WPA_INVALID_AKMP:
1806 return WLAN_STATUS_AKMP_NOT_VALID;
1807 case WPA_NOT_ENABLED:
1808 return WLAN_STATUS_INVALID_IE;
1809 case WPA_ALLOC_FAIL:
1810 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1811 case WPA_MGMT_FRAME_PROTECTION_VIOLATION:
1812 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1813 case WPA_INVALID_MGMT_GROUP_CIPHER:
1814 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1815 case WPA_INVALID_MDIE:
1816 return WLAN_STATUS_INVALID_MDIE;
1817 case WPA_INVALID_PROTO:
1818 return WLAN_STATUS_INVALID_IE;
1819 case WPA_INVALID_PMKID:
1820 return WLAN_STATUS_INVALID_PMKID;
1821 case WPA_DENIED_OTHER_REASON:
1822 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1823 }
1824 return WLAN_STATUS_INVALID_IE;
1825 }
1826
1827
1828 #ifdef CONFIG_FILS
1829
1830 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1831 struct sta_info *sta, u16 resp,
1832 struct wpabuf *data, int pub);
1833
handle_auth_fils(struct hostapd_data * hapd,struct sta_info * sta,const u8 * pos,size_t len,u16 auth_alg,u16 auth_transaction,u16 status_code,void (* cb)(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub))1834 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1835 const u8 *pos, size_t len, u16 auth_alg,
1836 u16 auth_transaction, u16 status_code,
1837 void (*cb)(struct hostapd_data *hapd,
1838 struct sta_info *sta, u16 resp,
1839 struct wpabuf *data, int pub))
1840 {
1841 u16 resp = WLAN_STATUS_SUCCESS;
1842 const u8 *end;
1843 struct ieee802_11_elems elems;
1844 enum wpa_validate_result res;
1845 struct wpa_ie_data rsn;
1846 struct rsn_pmksa_cache_entry *pmksa = NULL;
1847
1848 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1849 return;
1850
1851 end = pos + len;
1852
1853 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1854 pos, end - pos);
1855
1856 /* TODO: FILS PK */
1857 #ifdef CONFIG_FILS_SK_PFS
1858 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1859 u16 group;
1860 struct wpabuf *pub;
1861 size_t elem_len;
1862
1863 /* Using FILS PFS */
1864
1865 /* Finite Cyclic Group */
1866 if (end - pos < 2) {
1867 wpa_printf(MSG_DEBUG,
1868 "FILS: No room for Finite Cyclic Group");
1869 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1870 goto fail;
1871 }
1872 group = WPA_GET_LE16(pos);
1873 pos += 2;
1874 if (group != hapd->conf->fils_dh_group) {
1875 wpa_printf(MSG_DEBUG,
1876 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1877 group, hapd->conf->fils_dh_group);
1878 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1879 goto fail;
1880 }
1881
1882 crypto_ecdh_deinit(sta->fils_ecdh);
1883 sta->fils_ecdh = crypto_ecdh_init(group);
1884 if (!sta->fils_ecdh) {
1885 wpa_printf(MSG_INFO,
1886 "FILS: Could not initialize ECDH with group %d",
1887 group);
1888 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1889 goto fail;
1890 }
1891
1892 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1893 if (!pub) {
1894 wpa_printf(MSG_DEBUG,
1895 "FILS: Failed to derive ECDH public key");
1896 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1897 goto fail;
1898 }
1899 elem_len = wpabuf_len(pub);
1900 wpabuf_free(pub);
1901
1902 /* Element */
1903 if ((size_t) (end - pos) < elem_len) {
1904 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1905 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1906 goto fail;
1907 }
1908
1909 wpabuf_free(sta->fils_g_sta);
1910 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1911 wpabuf_clear_free(sta->fils_dh_ss);
1912 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1913 pos, elem_len);
1914 if (!sta->fils_dh_ss) {
1915 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1916 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1917 goto fail;
1918 }
1919 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1920 pos += elem_len;
1921 } else {
1922 crypto_ecdh_deinit(sta->fils_ecdh);
1923 sta->fils_ecdh = NULL;
1924 wpabuf_clear_free(sta->fils_dh_ss);
1925 sta->fils_dh_ss = NULL;
1926 }
1927 #endif /* CONFIG_FILS_SK_PFS */
1928
1929 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1930 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1931 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1932 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1933 goto fail;
1934 }
1935
1936 /* RSNE */
1937 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1938 elems.rsn_ie, elems.rsn_ie_len);
1939 if (!elems.rsn_ie ||
1940 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1941 &rsn) < 0) {
1942 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1943 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1944 goto fail;
1945 }
1946
1947 if (!sta->wpa_sm)
1948 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1949 NULL);
1950 if (!sta->wpa_sm) {
1951 wpa_printf(MSG_DEBUG,
1952 "FILS: Failed to initialize RSN state machine");
1953 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1954 goto fail;
1955 }
1956
1957 wpa_auth_set_rsn_selection(sta->wpa_sm, elems.rsn_selection,
1958 elems.rsn_selection_len);
1959 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1960 hapd->iface->freq,
1961 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1962 elems.rsnxe ? elems.rsnxe - 2 : NULL,
1963 elems.rsnxe ? elems.rsnxe_len + 2 : 0,
1964 elems.mdie, elems.mdie_len, NULL, 0, NULL);
1965 resp = wpa_res_to_status_code(res);
1966 if (resp != WLAN_STATUS_SUCCESS)
1967 goto fail;
1968
1969 if (!elems.fils_nonce) {
1970 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1971 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1972 goto fail;
1973 }
1974 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1975 FILS_NONCE_LEN);
1976 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1977
1978 /* PMKID List */
1979 if (rsn.pmkid && rsn.num_pmkid > 0) {
1980 u8 num;
1981 const u8 *pmkid;
1982
1983 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1984 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1985
1986 pmkid = rsn.pmkid;
1987 num = rsn.num_pmkid;
1988 while (num) {
1989 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1990 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1991 pmkid);
1992 if (pmksa)
1993 break;
1994 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1995 sta->addr,
1996 pmkid);
1997 if (pmksa)
1998 break;
1999 pmkid += PMKID_LEN;
2000 num--;
2001 }
2002 }
2003 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
2004 wpa_printf(MSG_DEBUG,
2005 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
2006 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
2007 pmksa = NULL;
2008 }
2009 if (pmksa)
2010 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
2011
2012 /* FILS Session */
2013 if (!elems.fils_session) {
2014 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2015 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2016 goto fail;
2017 }
2018 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
2019 FILS_SESSION_LEN);
2020 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
2021
2022 /* Wrapped Data */
2023 if (elems.wrapped_data) {
2024 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
2025 elems.wrapped_data,
2026 elems.wrapped_data_len);
2027 if (!pmksa) {
2028 #ifndef CONFIG_NO_RADIUS
2029 if (!sta->eapol_sm) {
2030 sta->eapol_sm =
2031 ieee802_1x_alloc_eapol_sm(hapd, sta);
2032 }
2033 wpa_printf(MSG_DEBUG,
2034 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
2035 ieee802_1x_encapsulate_radius(
2036 hapd, sta, elems.wrapped_data,
2037 elems.wrapped_data_len);
2038 sta->fils_pending_cb = cb;
2039 wpa_printf(MSG_DEBUG,
2040 "FILS: Will send Authentication frame once the response from authentication server is available");
2041 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
2042 /* Calculate pending PMKID here so that we do not need
2043 * to maintain a copy of the EAP-Initiate/Reauth
2044 * message. */
2045 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2046 elems.wrapped_data,
2047 elems.wrapped_data_len,
2048 sta->fils_erp_pmkid) == 0)
2049 sta->fils_erp_pmkid_set = 1;
2050 return;
2051 #else /* CONFIG_NO_RADIUS */
2052 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2053 goto fail;
2054 #endif /* CONFIG_NO_RADIUS */
2055 }
2056 }
2057
2058 fail:
2059 if (cb) {
2060 struct wpabuf *data;
2061 int pub = 0;
2062
2063 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
2064 NULL, 0, &pub);
2065 if (!data) {
2066 wpa_printf(MSG_DEBUG,
2067 "%s: prepare_auth_resp_fils() returned failure",
2068 __func__);
2069 }
2070
2071 cb(hapd, sta, resp, data, pub);
2072 }
2073 }
2074
2075
2076 static struct wpabuf *
prepare_auth_resp_fils(struct hostapd_data * hapd,struct sta_info * sta,u16 * resp,struct rsn_pmksa_cache_entry * pmksa,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len,int * is_pub)2077 prepare_auth_resp_fils(struct hostapd_data *hapd,
2078 struct sta_info *sta, u16 *resp,
2079 struct rsn_pmksa_cache_entry *pmksa,
2080 struct wpabuf *erp_resp,
2081 const u8 *msk, size_t msk_len,
2082 int *is_pub)
2083 {
2084 u8 fils_nonce[FILS_NONCE_LEN];
2085 size_t ielen;
2086 struct wpabuf *data = NULL;
2087 const u8 *ie;
2088 u8 *ie_buf = NULL;
2089 const u8 *pmk = NULL;
2090 size_t pmk_len = 0;
2091 u8 pmk_buf[PMK_LEN_MAX];
2092 struct wpabuf *pub = NULL;
2093
2094 if (*resp != WLAN_STATUS_SUCCESS)
2095 goto fail;
2096
2097 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
2098 if (!ie) {
2099 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2100 goto fail;
2101 }
2102
2103 if (pmksa) {
2104 /* Add PMKID of the selected PMKSA into RSNE */
2105 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
2106 if (!ie_buf) {
2107 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2108 goto fail;
2109 }
2110
2111 os_memcpy(ie_buf, ie, ielen);
2112 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid, true) < 0) {
2113 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2114 goto fail;
2115 }
2116 ie = ie_buf;
2117 }
2118
2119 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
2120 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2121 goto fail;
2122 }
2123 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
2124 fils_nonce, FILS_NONCE_LEN);
2125
2126 #ifdef CONFIG_FILS_SK_PFS
2127 if (sta->fils_dh_ss && sta->fils_ecdh) {
2128 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
2129 if (!pub) {
2130 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2131 goto fail;
2132 }
2133 }
2134 #endif /* CONFIG_FILS_SK_PFS */
2135
2136 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
2137 if (!data) {
2138 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2139 goto fail;
2140 }
2141
2142 /* TODO: FILS PK */
2143 #ifdef CONFIG_FILS_SK_PFS
2144 if (pub) {
2145 /* Finite Cyclic Group */
2146 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
2147
2148 /* Element */
2149 wpabuf_put_buf(data, pub);
2150 }
2151 #endif /* CONFIG_FILS_SK_PFS */
2152
2153 /* RSNE */
2154 wpabuf_put_data(data, ie, ielen);
2155
2156 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
2157
2158 #ifdef CONFIG_IEEE80211R_AP
2159 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
2160 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
2161 int res;
2162
2163 res = wpa_auth_write_fte(hapd->wpa_auth, sta->wpa_sm,
2164 wpabuf_put(data, 0),
2165 wpabuf_tailroom(data));
2166 if (res < 0) {
2167 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2168 goto fail;
2169 }
2170 wpabuf_put(data, res);
2171 }
2172 #endif /* CONFIG_IEEE80211R_AP */
2173
2174 /* FILS Nonce */
2175 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2176 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
2177 /* Element ID Extension */
2178 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
2179 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
2180
2181 /* FILS Session */
2182 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2183 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
2184 /* Element ID Extension */
2185 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
2186 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
2187
2188 /* Wrapped Data */
2189 if (!pmksa && erp_resp) {
2190 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
2191 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
2192 /* Element ID Extension */
2193 wpabuf_put_u8(data, WLAN_EID_EXT_WRAPPED_DATA);
2194 wpabuf_put_buf(data, erp_resp);
2195
2196 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
2197 msk, msk_len, sta->fils_snonce, fils_nonce,
2198 sta->fils_dh_ss ?
2199 wpabuf_head(sta->fils_dh_ss) : NULL,
2200 sta->fils_dh_ss ?
2201 wpabuf_len(sta->fils_dh_ss) : 0,
2202 pmk_buf, &pmk_len)) {
2203 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2204 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2205 wpabuf_free(data);
2206 data = NULL;
2207 goto fail;
2208 }
2209 pmk = pmk_buf;
2210
2211 /* Don't use DHss in PTK derivation if PMKSA caching is not
2212 * used. */
2213 wpabuf_clear_free(sta->fils_dh_ss);
2214 sta->fils_dh_ss = NULL;
2215
2216 if (sta->fils_erp_pmkid_set) {
2217 /* TODO: get PMKLifetime from WPA parameters */
2218 unsigned int dot11RSNAConfigPMKLifetime = 43200;
2219 int session_timeout;
2220
2221 session_timeout = dot11RSNAConfigPMKLifetime;
2222 if (sta->session_timeout_set) {
2223 struct os_reltime now, diff;
2224
2225 os_get_reltime(&now);
2226 os_reltime_sub(&sta->session_timeout, &now,
2227 &diff);
2228 session_timeout = diff.sec;
2229 }
2230
2231 sta->fils_erp_pmkid_set = 0;
2232 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
2233 sta->fils_erp_pmkid);
2234 if (!hapd->conf->disable_pmksa_caching &&
2235 wpa_auth_pmksa_add2(
2236 hapd->wpa_auth, sta->addr,
2237 pmk, pmk_len,
2238 sta->fils_erp_pmkid,
2239 session_timeout,
2240 wpa_auth_sta_key_mgmt(sta->wpa_sm),
2241 NULL) < 0) {
2242 wpa_printf(MSG_ERROR,
2243 "FILS: Failed to add PMKSA cache entry based on ERP");
2244 }
2245 }
2246 } else if (pmksa) {
2247 pmk = pmksa->pmk;
2248 pmk_len = pmksa->pmk_len;
2249 }
2250
2251 if (!pmk) {
2252 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
2253 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2254 wpabuf_free(data);
2255 data = NULL;
2256 goto fail;
2257 }
2258
2259 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
2260 sta->fils_snonce, fils_nonce,
2261 sta->fils_dh_ss ?
2262 wpabuf_head(sta->fils_dh_ss) : NULL,
2263 sta->fils_dh_ss ?
2264 wpabuf_len(sta->fils_dh_ss) : 0,
2265 sta->fils_g_sta, pub) < 0) {
2266 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2267 wpabuf_free(data);
2268 data = NULL;
2269 goto fail;
2270 }
2271
2272 fail:
2273 if (is_pub)
2274 *is_pub = pub != NULL;
2275 os_free(ie_buf);
2276 wpabuf_free(pub);
2277 wpabuf_clear_free(sta->fils_dh_ss);
2278 sta->fils_dh_ss = NULL;
2279 #ifdef CONFIG_FILS_SK_PFS
2280 crypto_ecdh_deinit(sta->fils_ecdh);
2281 sta->fils_ecdh = NULL;
2282 #endif /* CONFIG_FILS_SK_PFS */
2283 return data;
2284 }
2285
2286
handle_auth_fils_finish(struct hostapd_data * hapd,struct sta_info * sta,u16 resp,struct wpabuf * data,int pub)2287 static void handle_auth_fils_finish(struct hostapd_data *hapd,
2288 struct sta_info *sta, u16 resp,
2289 struct wpabuf *data, int pub)
2290 {
2291 u16 auth_alg;
2292
2293 auth_alg = (pub ||
2294 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
2295 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2296 send_auth_reply(hapd, sta, sta->addr, auth_alg, 2, resp,
2297 data ? wpabuf_head(data) : (u8 *) "",
2298 data ? wpabuf_len(data) : 0, "auth-fils-finish");
2299 wpabuf_free(data);
2300
2301 if (resp == WLAN_STATUS_SUCCESS) {
2302 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2303 HOSTAPD_LEVEL_DEBUG,
2304 "authentication OK (FILS)");
2305 sta->flags |= WLAN_STA_AUTH;
2306 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2307 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
2308 mlme_authenticate_indication(hapd, sta);
2309 }
2310 }
2311
2312
ieee802_11_finish_fils_auth(struct hostapd_data * hapd,struct sta_info * sta,int success,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2313 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
2314 struct sta_info *sta, int success,
2315 struct wpabuf *erp_resp,
2316 const u8 *msk, size_t msk_len)
2317 {
2318 u16 resp;
2319 u32 flags = sta->flags;
2320
2321 sta->flags &= ~(WLAN_STA_PENDING_FILS_ERP |
2322 WLAN_STA_PENDING_PASN_FILS_ERP);
2323
2324 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
2325
2326 if (flags & WLAN_STA_PENDING_FILS_ERP) {
2327 struct wpabuf *data;
2328 int pub = 0;
2329
2330 if (!sta->fils_pending_cb)
2331 return;
2332
2333 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
2334 msk, msk_len, &pub);
2335 if (!data) {
2336 wpa_printf(MSG_DEBUG,
2337 "%s: prepare_auth_resp_fils() failure",
2338 __func__);
2339 }
2340 sta->fils_pending_cb(hapd, sta, resp, data, pub);
2341 #ifdef CONFIG_PASN
2342 } else if (flags & WLAN_STA_PENDING_PASN_FILS_ERP) {
2343 pasn_fils_auth_resp(hapd, sta, resp, erp_resp,
2344 msk, msk_len);
2345 #endif /* CONFIG_PASN */
2346 }
2347 }
2348
2349 #endif /* CONFIG_FILS */
2350
2351
ieee802_11_allowed_address(struct hostapd_data * hapd,const u8 * addr,const u8 * msg,size_t len,struct radius_sta * info)2352 static int ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
2353 const u8 *msg, size_t len,
2354 struct radius_sta *info)
2355 {
2356 int res;
2357
2358 res = hostapd_allowed_address(hapd, addr, msg, len, info, 0);
2359
2360 if (res == HOSTAPD_ACL_REJECT) {
2361 wpa_printf(MSG_DEBUG, "Station " MACSTR
2362 " not allowed to authenticate",
2363 MAC2STR(addr));
2364 return HOSTAPD_ACL_REJECT;
2365 }
2366
2367 if (res == HOSTAPD_ACL_PENDING) {
2368 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
2369 " waiting for an external authentication",
2370 MAC2STR(addr));
2371 /* Authentication code will re-send the authentication frame
2372 * after it has received (and cached) information from the
2373 * external source. */
2374 return HOSTAPD_ACL_PENDING;
2375 }
2376
2377 return res;
2378 }
2379
2380
ieee802_11_set_radius_info(struct hostapd_data * hapd,struct sta_info * sta,int res,struct radius_sta * info)2381 int ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
2382 int res, struct radius_sta *info)
2383 {
2384 u32 session_timeout = info->session_timeout;
2385 u32 acct_interim_interval = info->acct_interim_interval;
2386 struct vlan_description *vlan_id = &info->vlan_id;
2387 struct hostapd_sta_wpa_psk_short *psk = info->psk;
2388 char *identity = info->identity;
2389 char *radius_cui = info->radius_cui;
2390
2391 if (vlan_id->notempty &&
2392 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
2393 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2394 HOSTAPD_LEVEL_INFO,
2395 "Invalid VLAN %d%s received from RADIUS server",
2396 vlan_id->untagged,
2397 vlan_id->tagged[0] ? "+" : "");
2398 return -1;
2399 }
2400 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
2401 return -1;
2402 if (sta->vlan_id)
2403 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
2404 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
2405
2406 hostapd_free_psk_list(sta->psk);
2407 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)
2408 hostapd_copy_psk_list(&sta->psk, psk);
2409 else
2410 sta->psk = NULL;
2411
2412 os_free(sta->identity);
2413 if (identity)
2414 sta->identity = os_strdup(identity);
2415 else
2416 sta->identity = NULL;
2417
2418 os_free(sta->radius_cui);
2419 if (radius_cui)
2420 sta->radius_cui = os_strdup(radius_cui);
2421 else
2422 sta->radius_cui = NULL;
2423
2424 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2425 sta->acct_interim_interval = acct_interim_interval;
2426 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2427 sta->session_timeout_set = 1;
2428 os_get_reltime(&sta->session_timeout);
2429 sta->session_timeout.sec += session_timeout;
2430 ap_sta_session_timeout(hapd, sta, session_timeout);
2431 } else {
2432 sta->session_timeout_set = 0;
2433 ap_sta_no_session_timeout(hapd, sta);
2434 }
2435
2436 return 0;
2437 }
2438
2439
2440 #ifdef CONFIG_PASN
2441 #ifdef CONFIG_FILS
2442
pasn_fils_auth_resp(struct hostapd_data * hapd,struct sta_info * sta,u16 status,struct wpabuf * erp_resp,const u8 * msk,size_t msk_len)2443 static void pasn_fils_auth_resp(struct hostapd_data *hapd,
2444 struct sta_info *sta, u16 status,
2445 struct wpabuf *erp_resp,
2446 const u8 *msk, size_t msk_len)
2447 {
2448 struct pasn_data *pasn = sta->pasn;
2449 struct pasn_fils *fils = &pasn->fils;
2450 u8 pmk[PMK_LEN_MAX];
2451 size_t pmk_len;
2452 int ret;
2453
2454 wpa_printf(MSG_DEBUG, "PASN: FILS: Handle AS response - status=%u",
2455 status);
2456
2457 if (status != WLAN_STATUS_SUCCESS)
2458 goto fail;
2459
2460 if (!pasn->secret) {
2461 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing secret");
2462 goto fail;
2463 }
2464
2465 if (random_get_bytes(fils->anonce, FILS_NONCE_LEN) < 0) {
2466 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ANonce");
2467 goto fail;
2468 }
2469
2470 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS ANonce",
2471 fils->anonce, FILS_NONCE_LEN);
2472
2473 ret = fils_rmsk_to_pmk(pasn_get_akmp(pasn), msk, msk_len, fils->nonce,
2474 fils->anonce, NULL, 0, pmk, &pmk_len);
2475 if (ret) {
2476 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
2477 goto fail;
2478 }
2479
2480 ret = pasn_pmk_to_ptk(pmk, pmk_len, sta->addr, hapd->own_addr,
2481 wpabuf_head(pasn->secret),
2482 wpabuf_len(pasn->secret),
2483 pasn_get_ptk(sta->pasn), pasn_get_akmp(sta->pasn),
2484 pasn_get_cipher(sta->pasn), sta->pasn->kdk_len,
2485 sta->pasn->kek_len);
2486 if (ret) {
2487 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
2488 goto fail;
2489 }
2490
2491 if (pasn->secure_ltf) {
2492 ret = wpa_ltf_keyseed(pasn_get_ptk(pasn), pasn_get_akmp(pasn),
2493 pasn_get_cipher(pasn));
2494 if (ret) {
2495 wpa_printf(MSG_DEBUG,
2496 "PASN: FILS: Failed to derive LTF keyseed");
2497 goto fail;
2498 }
2499 }
2500
2501 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
2502
2503 wpabuf_free(pasn->secret);
2504 pasn->secret = NULL;
2505
2506 fils->erp_resp = erp_resp;
2507 ret = handle_auth_pasn_resp(sta->pasn, hapd->own_addr, sta->addr, NULL,
2508 WLAN_STATUS_SUCCESS);
2509 fils->erp_resp = NULL;
2510
2511 if (ret) {
2512 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to send response");
2513 goto fail;
2514 }
2515
2516 fils->state = PASN_FILS_STATE_COMPLETE;
2517 return;
2518 fail:
2519 ap_free_sta(hapd, sta);
2520 }
2521
2522
pasn_wd_handle_fils(struct hostapd_data * hapd,struct sta_info * sta,struct wpabuf * wd)2523 static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
2524 struct wpabuf *wd)
2525 {
2526 #ifdef CONFIG_NO_RADIUS
2527 wpa_printf(MSG_DEBUG, "PASN: FILS: RADIUS is not configured. Fail");
2528 return -1;
2529 #else /* CONFIG_NO_RADIUS */
2530 struct pasn_data *pasn = sta->pasn;
2531 struct pasn_fils *fils = &pasn->fils;
2532 struct ieee802_11_elems elems;
2533 struct wpa_ie_data rsne_data;
2534 struct wpabuf *fils_wd;
2535 const u8 *data;
2536 size_t buf_len;
2537 u16 alg, seq, status;
2538 int ret;
2539
2540 if (fils->state != PASN_FILS_STATE_NONE) {
2541 wpa_printf(MSG_DEBUG, "PASN: FILS: Not expecting wrapped data");
2542 return -1;
2543 }
2544
2545 if (!wd) {
2546 wpa_printf(MSG_DEBUG, "PASN: FILS: No wrapped data");
2547 return -1;
2548 }
2549
2550 data = wpabuf_head_u8(wd);
2551 buf_len = wpabuf_len(wd);
2552
2553 if (buf_len < 6) {
2554 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%zu",
2555 buf_len);
2556 return -1;
2557 }
2558
2559 alg = WPA_GET_LE16(data);
2560 seq = WPA_GET_LE16(data + 2);
2561 status = WPA_GET_LE16(data + 4);
2562
2563 wpa_printf(MSG_DEBUG, "PASN: FILS: alg=%u, seq=%u, status=%u",
2564 alg, seq, status);
2565
2566 if (alg != WLAN_AUTH_FILS_SK || seq != 1 ||
2567 status != WLAN_STATUS_SUCCESS) {
2568 wpa_printf(MSG_DEBUG,
2569 "PASN: FILS: Dropping peer authentication");
2570 return -1;
2571 }
2572
2573 data += 6;
2574 buf_len -= 6;
2575
2576 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
2577 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
2578 return -1;
2579 }
2580
2581 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
2582 !elems.wrapped_data || !elems.fils_session) {
2583 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
2584 return -1;
2585 }
2586
2587 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2588 &rsne_data);
2589 if (ret) {
2590 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
2591 return -1;
2592 }
2593
2594 ret = wpa_pasn_validate_rsne(&rsne_data);
2595 if (ret) {
2596 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
2597 return -1;
2598 }
2599
2600 if (rsne_data.num_pmkid) {
2601 wpa_printf(MSG_DEBUG,
2602 "PASN: FILS: Not expecting PMKID in RSNE");
2603 return -1;
2604 }
2605
2606 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", elems.fils_nonce,
2607 FILS_NONCE_LEN);
2608 os_memcpy(fils->nonce, elems.fils_nonce, FILS_NONCE_LEN);
2609
2610 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", elems.fils_session,
2611 FILS_SESSION_LEN);
2612 os_memcpy(fils->session, elems.fils_session, FILS_SESSION_LEN);
2613
2614 fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
2615 true);
2616
2617 if (!fils_wd) {
2618 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing wrapped data");
2619 return -1;
2620 }
2621
2622 if (!sta->eapol_sm)
2623 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta);
2624
2625 wpa_printf(MSG_DEBUG,
2626 "PASN: FILS: Forward EAP-Initiate/Re-auth to AS");
2627
2628 ieee802_1x_encapsulate_radius(hapd, sta, wpabuf_head(fils_wd),
2629 wpabuf_len(fils_wd));
2630
2631 sta->flags |= WLAN_STA_PENDING_PASN_FILS_ERP;
2632
2633 fils->state = PASN_FILS_STATE_PENDING_AS;
2634
2635 /*
2636 * Calculate pending PMKID here so that we do not need to maintain a
2637 * copy of the EAP-Initiate/Reautt message.
2638 */
2639 fils_pmkid_erp(pasn_get_akmp(pasn),
2640 wpabuf_head(fils_wd), wpabuf_len(fils_wd),
2641 fils->erp_pmkid);
2642
2643 wpabuf_free(fils_wd);
2644 return 0;
2645 #endif /* CONFIG_NO_RADIUS */
2646 }
2647
2648 #endif /* CONFIG_FILS */
2649
2650
hapd_pasn_send_mlme(void * ctx,const u8 * data,size_t data_len,int noack,unsigned int freq,unsigned int wait)2651 static int hapd_pasn_send_mlme(void *ctx, const u8 *data, size_t data_len,
2652 int noack, unsigned int freq, unsigned int wait)
2653 {
2654 struct hostapd_data *hapd = ctx;
2655
2656 return hostapd_drv_send_mlme(hapd, data, data_len, 0, NULL, 0, 0);
2657 }
2658
2659
hapd_initialize_pasn(struct hostapd_data * hapd,struct sta_info * sta)2660 static void hapd_initialize_pasn(struct hostapd_data *hapd,
2661 struct sta_info *sta)
2662 {
2663 struct pasn_data *pasn = sta->pasn;
2664
2665 pasn_register_callbacks(pasn, hapd, hapd_pasn_send_mlme, NULL);
2666 pasn_set_bssid(pasn, hapd->own_addr);
2667 pasn_set_own_addr(pasn, hapd->own_addr);
2668 pasn_set_peer_addr(pasn, sta->addr);
2669 pasn_set_wpa_key_mgmt(pasn, hapd->conf->wpa_key_mgmt);
2670 pasn_set_rsn_pairwise(pasn, hapd->conf->rsn_pairwise);
2671 pasn->pasn_groups = hapd->conf->pasn_groups;
2672 pasn->noauth = hapd->conf->pasn_noauth;
2673 if (hapd->iface->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_AP)
2674 pasn_enable_kdk_derivation(pasn);
2675
2676 #ifdef CONFIG_TESTING_OPTIONS
2677 pasn->corrupt_mic = hapd->conf->pasn_corrupt_mic;
2678 if (hapd->conf->force_kdk_derivation)
2679 pasn_enable_kdk_derivation(pasn);
2680 #endif /* CONFIG_TESTING_OPTIONS */
2681 pasn->use_anti_clogging = use_anti_clogging(hapd);
2682 pasn_set_password(pasn, sae_get_password(hapd, sta, NULL, NULL,
2683 &pasn->pt, NULL));
2684 pasn->rsn_ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &pasn->rsn_ie_len);
2685 pasn_set_rsnxe_ie(pasn, hostapd_wpa_ie(hapd, WLAN_EID_RSNX));
2686 pasn->disable_pmksa_caching = hapd->conf->disable_pmksa_caching;
2687 pasn_set_responder_pmksa(pasn,
2688 wpa_auth_get_pmksa_cache(hapd->wpa_auth));
2689
2690 pasn->comeback_after = hapd->conf->pasn_comeback_after;
2691 pasn->comeback_idx = hapd->comeback_idx;
2692 pasn->comeback_key = hapd->comeback_key;
2693 pasn->comeback_pending_idx = hapd->comeback_pending_idx;
2694 }
2695
2696
pasn_set_keys_from_cache(struct hostapd_data * hapd,const u8 * own_addr,const u8 * sta_addr,int cipher,int akmp)2697 static int pasn_set_keys_from_cache(struct hostapd_data *hapd,
2698 const u8 *own_addr, const u8 *sta_addr,
2699 int cipher, int akmp)
2700 {
2701 struct ptksa_cache_entry *entry;
2702
2703 entry = ptksa_cache_get(hapd->ptksa, sta_addr, cipher);
2704 if (!entry) {
2705 wpa_printf(MSG_DEBUG, "PASN: peer " MACSTR
2706 " not present in PTKSA cache", MAC2STR(sta_addr));
2707 return -1;
2708 }
2709
2710 if (!ether_addr_equal(entry->own_addr, own_addr)) {
2711 wpa_printf(MSG_DEBUG,
2712 "PASN: own addr " MACSTR " and PTKSA entry own addr "
2713 MACSTR " differ",
2714 MAC2STR(own_addr), MAC2STR(entry->own_addr));
2715 return -1;
2716 }
2717
2718 wpa_printf(MSG_DEBUG, "PASN: " MACSTR " present in PTKSA cache",
2719 MAC2STR(sta_addr));
2720 hostapd_drv_set_secure_ranging_ctx(hapd, own_addr, sta_addr, cipher,
2721 entry->ptk.tk_len, entry->ptk.tk,
2722 entry->ptk.ltf_keyseed_len,
2723 entry->ptk.ltf_keyseed, 0);
2724
2725 return 0;
2726 }
2727
2728
hapd_pasn_update_params(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len)2729 static void hapd_pasn_update_params(struct hostapd_data *hapd,
2730 struct sta_info *sta,
2731 const struct ieee80211_mgmt *mgmt,
2732 size_t len)
2733 {
2734 struct pasn_data *pasn = sta->pasn;
2735 struct ieee802_11_elems elems;
2736 struct wpa_ie_data rsn_data;
2737 #ifdef CONFIG_FILS
2738 struct wpa_pasn_params_data pasn_params;
2739 struct wpabuf *wrapped_data = NULL;
2740 #endif /* CONFIG_FILS */
2741 int akmp;
2742
2743 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
2744 len - offsetof(struct ieee80211_mgmt,
2745 u.auth.variable),
2746 &elems, 0) == ParseFailed) {
2747 wpa_printf(MSG_DEBUG,
2748 "PASN: Failed parsing Authentication frame");
2749 return;
2750 }
2751
2752 if (!elems.rsn_ie ||
2753 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
2754 &rsn_data)) {
2755 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
2756 return;
2757 }
2758
2759 if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) ||
2760 !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) {
2761 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
2762 return;
2763 }
2764
2765 pasn_set_akmp(pasn, rsn_data.key_mgmt);
2766 pasn_set_cipher(pasn, rsn_data.pairwise_cipher);
2767
2768 if (pasn->derive_kdk &&
2769 !ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
2770 WLAN_RSNX_CAPAB_SECURE_LTF))
2771 pasn_disable_kdk_derivation(pasn);
2772 #ifdef CONFIG_TESTING_OPTIONS
2773 if (hapd->conf->force_kdk_derivation)
2774 pasn_enable_kdk_derivation(pasn);
2775 #endif /* CONFIG_TESTING_OPTIONS */
2776 akmp = pasn_get_akmp(pasn);
2777
2778 if (wpa_key_mgmt_ft(akmp) && rsn_data.num_pmkid) {
2779 #ifdef CONFIG_IEEE80211R_AP
2780 pasn->pmk_r1_len = 0;
2781 wpa_ft_fetch_pmk_r1(hapd->wpa_auth, sta->addr,
2782 rsn_data.pmkid,
2783 pasn->pmk_r1, &pasn->pmk_r1_len, NULL,
2784 NULL, NULL, NULL,
2785 NULL, NULL, NULL);
2786 #endif /* CONFIG_IEEE80211R_AP */
2787 }
2788 #ifdef CONFIG_FILS
2789 if (akmp != WPA_KEY_MGMT_FILS_SHA256 &&
2790 akmp != WPA_KEY_MGMT_FILS_SHA384)
2791 return;
2792 if (!elems.pasn_params ||
2793 wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
2794 elems.pasn_params_len + 3,
2795 false, &pasn_params)) {
2796 wpa_printf(MSG_DEBUG,
2797 "PASN: Failed validation of PASN Parameters element");
2798 return;
2799 }
2800 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
2801 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
2802 elems.wrapped_data_len, true);
2803 if (!wrapped_data) {
2804 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
2805 return;
2806 }
2807 if (pasn_wd_handle_fils(hapd, sta, wrapped_data))
2808 wpa_printf(MSG_DEBUG,
2809 "PASN: Failed processing FILS wrapped data");
2810 else
2811 pasn->fils_wd_valid = true;
2812 }
2813 wpabuf_free(wrapped_data);
2814 #endif /* CONFIG_FILS */
2815 }
2816
2817
handle_auth_pasn(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,size_t len,u16 trans_seq,u16 status)2818 static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
2819 const struct ieee80211_mgmt *mgmt, size_t len,
2820 u16 trans_seq, u16 status)
2821 {
2822 if (hapd->conf->wpa != WPA_PROTO_RSN) {
2823 wpa_printf(MSG_INFO, "PASN: RSN is not configured");
2824 return;
2825 }
2826
2827 wpa_printf(MSG_INFO, "PASN authentication: sta=" MACSTR,
2828 MAC2STR(sta->addr));
2829
2830 if (trans_seq == 1) {
2831 if (sta->pasn) {
2832 wpa_printf(MSG_DEBUG,
2833 "PASN: Not expecting transaction == 1");
2834 return;
2835 }
2836
2837 if (status != WLAN_STATUS_SUCCESS) {
2838 wpa_printf(MSG_DEBUG,
2839 "PASN: Failure status in transaction == 1");
2840 return;
2841 }
2842
2843 sta->pasn = pasn_data_init();
2844 if (!sta->pasn) {
2845 wpa_printf(MSG_DEBUG,
2846 "PASN: Failed to allocate PASN context");
2847 return;
2848 }
2849
2850 hapd_initialize_pasn(hapd, sta);
2851
2852 hapd_pasn_update_params(hapd, sta, mgmt, len);
2853 if (handle_auth_pasn_1(sta->pasn, hapd->own_addr,
2854 sta->addr, mgmt, len, false) < 0)
2855 ap_free_sta(hapd, sta);
2856 } else if (trans_seq == 3) {
2857 if (!sta->pasn) {
2858 wpa_printf(MSG_DEBUG,
2859 "PASN: Not expecting transaction == 3");
2860 return;
2861 }
2862
2863 if (status != WLAN_STATUS_SUCCESS) {
2864 wpa_printf(MSG_DEBUG,
2865 "PASN: Failure status in transaction == 3");
2866 ap_free_sta_pasn(hapd, sta);
2867 return;
2868 }
2869
2870 if (handle_auth_pasn_3(sta->pasn, hapd->own_addr,
2871 sta->addr, mgmt, len) == 0) {
2872 ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr,
2873 pasn_get_cipher(sta->pasn), 43200,
2874 pasn_get_ptk(sta->pasn), NULL, NULL,
2875 pasn_get_akmp(sta->pasn));
2876
2877 pasn_set_keys_from_cache(hapd, hapd->own_addr,
2878 sta->addr,
2879 pasn_get_cipher(sta->pasn),
2880 pasn_get_akmp(sta->pasn));
2881 }
2882 ap_free_sta(hapd, sta);
2883 } else {
2884 wpa_printf(MSG_DEBUG,
2885 "PASN: Invalid transaction %u - ignore", trans_seq);
2886 }
2887 }
2888
2889 #endif /* CONFIG_PASN */
2890
2891
handle_auth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int rssi,int from_queue)2892 static void handle_auth(struct hostapd_data *hapd,
2893 const struct ieee80211_mgmt *mgmt, size_t len,
2894 int rssi, int from_queue)
2895 {
2896 u16 auth_alg, auth_transaction, status_code;
2897 u16 resp = WLAN_STATUS_SUCCESS;
2898 struct sta_info *sta = NULL;
2899 int res, reply_res;
2900 u16 fc;
2901 const u8 *challenge = NULL;
2902 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2903 size_t resp_ies_len = 0;
2904 u16 seq_ctrl;
2905 struct radius_sta rad_info;
2906 const u8 *dst, *sa;
2907 #ifdef CONFIG_IEEE80211BE
2908 bool mld_sta = false;
2909 #endif /* CONFIG_IEEE80211BE */
2910
2911 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2912 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2913 (unsigned long) len);
2914 return;
2915 }
2916
2917 #ifdef CONFIG_TESTING_OPTIONS
2918 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2919 drand48() < hapd->iconf->ignore_auth_probability) {
2920 wpa_printf(MSG_INFO,
2921 "TESTING: ignoring auth frame from " MACSTR,
2922 MAC2STR(mgmt->sa));
2923 return;
2924 }
2925 #endif /* CONFIG_TESTING_OPTIONS */
2926
2927 sa = mgmt->sa;
2928 #ifdef CONFIG_IEEE80211BE
2929 /*
2930 * Handle MLO authentication before the station is added to hostapd and
2931 * the driver so that the station MLD MAC address would be used in both
2932 * hostapd and the driver.
2933 */
2934 sa = hostapd_process_ml_auth(hapd, mgmt, len);
2935 if (sa)
2936 mld_sta = true;
2937 else
2938 sa = mgmt->sa;
2939 #endif /* CONFIG_IEEE80211BE */
2940
2941 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2942 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2943 status_code = le_to_host16(mgmt->u.auth.status_code);
2944 fc = le_to_host16(mgmt->frame_control);
2945 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2946
2947 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2948 2 + WLAN_AUTH_CHALLENGE_LEN &&
2949 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2950 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2951 challenge = &mgmt->u.auth.variable[2];
2952
2953 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2954 "auth_transaction=%d status_code=%d wep=%d%s "
2955 "seq_ctrl=0x%x%s%s",
2956 MAC2STR(sa), auth_alg, auth_transaction,
2957 status_code, !!(fc & WLAN_FC_ISWEP),
2958 challenge ? " challenge" : "",
2959 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2960 from_queue ? " (from queue)" : "");
2961
2962 #ifdef CONFIG_NO_RC4
2963 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2964 wpa_printf(MSG_INFO,
2965 "Unsupported authentication algorithm (%d)",
2966 auth_alg);
2967 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2968 goto fail;
2969 }
2970 #endif /* CONFIG_NO_RC4 */
2971
2972 if (hapd->tkip_countermeasures) {
2973 wpa_printf(MSG_DEBUG,
2974 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2975 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2976 goto fail;
2977 }
2978
2979 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2980 auth_alg == WLAN_AUTH_OPEN) ||
2981 #ifdef CONFIG_IEEE80211R_AP
2982 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2983 auth_alg == WLAN_AUTH_FT) ||
2984 #endif /* CONFIG_IEEE80211R_AP */
2985 #ifdef CONFIG_SAE
2986 (hapd->conf->wpa &&
2987 wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt |
2988 hapd->conf->rsn_override_key_mgmt |
2989 hapd->conf->rsn_override_key_mgmt_2) &&
2990 auth_alg == WLAN_AUTH_SAE) ||
2991 #endif /* CONFIG_SAE */
2992 #ifdef CONFIG_FILS
2993 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2994 auth_alg == WLAN_AUTH_FILS_SK) ||
2995 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2996 hapd->conf->fils_dh_group &&
2997 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2998 #endif /* CONFIG_FILS */
2999 #ifdef CONFIG_PASN
3000 (hapd->conf->wpa &&
3001 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PASN) &&
3002 auth_alg == WLAN_AUTH_PASN) ||
3003 #endif /* CONFIG_PASN */
3004 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
3005 auth_alg == WLAN_AUTH_SHARED_KEY))) {
3006 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
3007 auth_alg);
3008 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3009 goto fail;
3010 }
3011
3012 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
3013 #ifdef CONFIG_PASN
3014 (auth_alg == WLAN_AUTH_PASN && auth_transaction == 3) ||
3015 #endif /* CONFIG_PASN */
3016 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
3017 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
3018 auth_transaction);
3019 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
3020 goto fail;
3021 }
3022
3023 if (ether_addr_equal(mgmt->sa, hapd->own_addr)) {
3024 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
3025 MAC2STR(sa));
3026 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3027 goto fail;
3028 }
3029
3030 #ifdef CONFIG_IEEE80211BE
3031 if (mld_sta &&
3032 (ether_addr_equal(sa, hapd->own_addr) ||
3033 ether_addr_equal(sa, hapd->mld->mld_addr))) {
3034 wpa_printf(MSG_INFO,
3035 "Station " MACSTR " not allowed to authenticate",
3036 MAC2STR(sa));
3037 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3038 goto fail;
3039 }
3040 #endif /* CONFIG_IEEE80211BE */
3041
3042 if (hapd->conf->no_auth_if_seen_on) {
3043 struct hostapd_data *other;
3044
3045 other = sta_track_seen_on(hapd->iface, sa,
3046 hapd->conf->no_auth_if_seen_on);
3047 if (other) {
3048 u8 *pos;
3049 u32 info;
3050 u8 op_class, channel, phytype;
3051
3052 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
3053 MACSTR " since STA has been seen on %s",
3054 hapd->conf->iface, MAC2STR(sa),
3055 hapd->conf->no_auth_if_seen_on);
3056
3057 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
3058 pos = &resp_ies[0];
3059 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
3060 *pos++ = 13;
3061 os_memcpy(pos, other->own_addr, ETH_ALEN);
3062 pos += ETH_ALEN;
3063 info = 0; /* TODO: BSSID Information */
3064 WPA_PUT_LE32(pos, info);
3065 pos += 4;
3066 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
3067 phytype = 8; /* dmg */
3068 else if (other->iconf->ieee80211ac)
3069 phytype = 9; /* vht */
3070 else if (other->iconf->ieee80211n)
3071 phytype = 7; /* ht */
3072 else if (other->iconf->hw_mode ==
3073 HOSTAPD_MODE_IEEE80211A)
3074 phytype = 4; /* ofdm */
3075 else if (other->iconf->hw_mode ==
3076 HOSTAPD_MODE_IEEE80211G)
3077 phytype = 6; /* erp */
3078 else
3079 phytype = 5; /* hrdsss */
3080 if (ieee80211_freq_to_channel_ext(
3081 hostapd_hw_get_freq(other,
3082 other->iconf->channel),
3083 other->iconf->secondary_channel,
3084 other->iconf->ieee80211ac,
3085 &op_class, &channel) == NUM_HOSTAPD_MODES) {
3086 op_class = 0;
3087 channel = other->iconf->channel;
3088 }
3089 *pos++ = op_class;
3090 *pos++ = channel;
3091 *pos++ = phytype;
3092 resp_ies_len = pos - &resp_ies[0];
3093 goto fail;
3094 }
3095 }
3096
3097 res = ieee802_11_allowed_address(hapd, sa, (const u8 *) mgmt, len,
3098 &rad_info);
3099 if (res == HOSTAPD_ACL_REJECT) {
3100 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3101 "Ignore Authentication frame from " MACSTR
3102 " due to ACL reject", MAC2STR(sa));
3103 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3104 goto fail;
3105 }
3106 if (res == HOSTAPD_ACL_PENDING)
3107 return;
3108
3109 #ifdef CONFIG_SAE
3110 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
3111 (auth_transaction == 1 ||
3112 (auth_transaction == 2 && auth_sae_queued_addr(hapd, sa)))) {
3113 /* Handle SAE Authentication commit message through a queue to
3114 * provide more control for postponing the needed heavy
3115 * processing under a possible DoS attack scenario. In addition,
3116 * queue SAE Authentication confirm message if there happens to
3117 * be a queued commit message from the same peer. This is needed
3118 * to avoid reordering Authentication frames within the same
3119 * SAE exchange. */
3120 auth_sae_queue(hapd, mgmt, len, rssi);
3121 return;
3122 }
3123 #endif /* CONFIG_SAE */
3124
3125 sta = ap_get_sta(hapd, sa);
3126 if (sta) {
3127 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
3128 sta->ft_over_ds = 0;
3129 if ((fc & WLAN_FC_RETRY) &&
3130 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3131 sta->last_seq_ctrl == seq_ctrl &&
3132 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
3133 hostapd_logger(hapd, sta->addr,
3134 HOSTAPD_MODULE_IEEE80211,
3135 HOSTAPD_LEVEL_DEBUG,
3136 "Drop repeated authentication frame seq_ctrl=0x%x",
3137 seq_ctrl);
3138 return;
3139 }
3140 #ifdef CONFIG_PASN
3141 if (auth_alg == WLAN_AUTH_PASN &&
3142 (sta->flags & WLAN_STA_ASSOC)) {
3143 wpa_printf(MSG_DEBUG,
3144 "PASN: auth: Existing station: " MACSTR,
3145 MAC2STR(sta->addr));
3146 return;
3147 }
3148 #endif /* CONFIG_PASN */
3149 } else {
3150 #ifdef CONFIG_MESH
3151 if (hapd->conf->mesh & MESH_ENABLED) {
3152 /* if the mesh peer is not available, we don't do auth.
3153 */
3154 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
3155 " not yet known - drop Authentication frame",
3156 MAC2STR(sa));
3157 /*
3158 * Save a copy of the frame so that it can be processed
3159 * if a new peer entry is added shortly after this.
3160 */
3161 wpabuf_free(hapd->mesh_pending_auth);
3162 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
3163 os_get_reltime(&hapd->mesh_pending_auth_time);
3164 return;
3165 }
3166 #endif /* CONFIG_MESH */
3167
3168 sta = ap_sta_add(hapd, sa);
3169 if (!sta) {
3170 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
3171 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3172 goto fail;
3173 }
3174 }
3175
3176 #ifdef CONFIG_IEEE80211BE
3177 /* Set the non-AP MLD information based on the initial Authentication
3178 * frame. Once the STA entry has been added to the driver, the driver
3179 * will translate addresses in the frame and we need to avoid overriding
3180 * peer_addr based on mgmt->sa which would have been translated to the
3181 * MLD MAC address. */
3182 if (!sta->added_unassoc && auth_transaction == 1) {
3183 ap_sta_free_sta_profile(&sta->mld_info);
3184 os_memset(&sta->mld_info, 0, sizeof(sta->mld_info));
3185
3186 if (mld_sta) {
3187 u8 link_id = hapd->mld_link_id;
3188
3189 ap_sta_set_mld(sta, true);
3190 sta->mld_assoc_link_id = link_id;
3191
3192 /*
3193 * Set the MLD address as the station address and the
3194 * station addresses.
3195 */
3196 os_memcpy(sta->mld_info.common_info.mld_addr, sa,
3197 ETH_ALEN);
3198 os_memcpy(sta->mld_info.links[link_id].peer_addr,
3199 mgmt->sa, ETH_ALEN);
3200 os_memcpy(sta->mld_info.links[link_id].local_addr,
3201 hapd->own_addr, ETH_ALEN);
3202 }
3203 }
3204 #endif /* CONFIG_IEEE80211BE */
3205
3206 sta->last_seq_ctrl = seq_ctrl;
3207 sta->last_subtype = WLAN_FC_STYPE_AUTH;
3208 #ifdef CONFIG_MBO
3209 sta->auth_rssi = rssi;
3210 #endif /* CONFIG_MBO */
3211
3212 res = ieee802_11_set_radius_info(hapd, sta, res, &rad_info);
3213 if (res) {
3214 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
3215 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3216 goto fail;
3217 }
3218
3219 sta->flags &= ~WLAN_STA_PREAUTH;
3220 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
3221
3222 /*
3223 * If the driver supports full AP client state, add a station to the
3224 * driver before sending authentication reply to make sure the driver
3225 * has resources, and not to go through the entire authentication and
3226 * association handshake, and fail it at the end.
3227 *
3228 * If this is not the first transaction, in a multi-step authentication
3229 * algorithm, the station already exists in the driver
3230 * (sta->added_unassoc = 1) so skip it.
3231 *
3232 * In mesh mode, the station was already added to the driver when the
3233 * NEW_PEER_CANDIDATE event is received.
3234 *
3235 * If PMF was negotiated for the existing association, skip this to
3236 * avoid dropping the STA entry and the associated keys. This is needed
3237 * to allow the original connection work until the attempt can complete
3238 * (re)association, so that unprotected Authentication frame cannot be
3239 * used to bypass PMF protection.
3240 *
3241 * PASN authentication does not require adding/removing station to the
3242 * driver so skip this flow in case of PASN authentication.
3243 */
3244 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
3245 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
3246 !(hapd->conf->mesh & MESH_ENABLED) &&
3247 !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
3248 if (ap_sta_re_add(hapd, sta) < 0) {
3249 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3250 goto fail;
3251 }
3252 }
3253
3254 switch (auth_alg) {
3255 case WLAN_AUTH_OPEN:
3256 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3257 HOSTAPD_LEVEL_DEBUG,
3258 "authentication OK (open system)");
3259 sta->flags |= WLAN_STA_AUTH;
3260 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3261 sta->auth_alg = WLAN_AUTH_OPEN;
3262 mlme_authenticate_indication(hapd, sta);
3263 break;
3264 #ifdef CONFIG_WEP
3265 #ifndef CONFIG_NO_RC4
3266 case WLAN_AUTH_SHARED_KEY:
3267 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
3268 fc & WLAN_FC_ISWEP);
3269 if (resp != 0)
3270 wpa_printf(MSG_DEBUG,
3271 "auth_shared_key() failed: status=%d", resp);
3272 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
3273 mlme_authenticate_indication(hapd, sta);
3274 if (sta->challenge && auth_transaction == 1) {
3275 resp_ies[0] = WLAN_EID_CHALLENGE;
3276 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
3277 os_memcpy(resp_ies + 2, sta->challenge,
3278 WLAN_AUTH_CHALLENGE_LEN);
3279 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
3280 }
3281 break;
3282 #endif /* CONFIG_NO_RC4 */
3283 #endif /* CONFIG_WEP */
3284 #ifdef CONFIG_IEEE80211R_AP
3285 case WLAN_AUTH_FT:
3286 sta->auth_alg = WLAN_AUTH_FT;
3287 if (sta->wpa_sm == NULL)
3288 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3289 sta->addr, NULL);
3290 if (sta->wpa_sm == NULL) {
3291 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
3292 "state machine");
3293 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3294 goto fail;
3295 }
3296 wpa_ft_process_auth(sta->wpa_sm,
3297 auth_transaction, mgmt->u.auth.variable,
3298 len - IEEE80211_HDRLEN -
3299 sizeof(mgmt->u.auth),
3300 handle_auth_ft_finish, hapd);
3301 /* handle_auth_ft_finish() callback will complete auth. */
3302 return;
3303 #endif /* CONFIG_IEEE80211R_AP */
3304 #ifdef CONFIG_SAE
3305 case WLAN_AUTH_SAE:
3306 #ifdef CONFIG_MESH
3307 if (status_code == WLAN_STATUS_SUCCESS &&
3308 hapd->conf->mesh & MESH_ENABLED) {
3309 if (sta->wpa_sm == NULL)
3310 sta->wpa_sm =
3311 wpa_auth_sta_init(hapd->wpa_auth,
3312 sta->addr, NULL);
3313 if (sta->wpa_sm == NULL) {
3314 wpa_printf(MSG_DEBUG,
3315 "SAE: Failed to initialize WPA state machine");
3316 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3317 goto fail;
3318 }
3319 }
3320 #endif /* CONFIG_MESH */
3321 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
3322 status_code);
3323 return;
3324 #endif /* CONFIG_SAE */
3325 #ifdef CONFIG_FILS
3326 case WLAN_AUTH_FILS_SK:
3327 case WLAN_AUTH_FILS_SK_PFS:
3328 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
3329 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
3330 auth_alg, auth_transaction, status_code,
3331 handle_auth_fils_finish);
3332 return;
3333 #endif /* CONFIG_FILS */
3334 #ifdef CONFIG_PASN
3335 case WLAN_AUTH_PASN:
3336 handle_auth_pasn(hapd, sta, mgmt, len, auth_transaction,
3337 status_code);
3338 return;
3339 #endif /* CONFIG_PASN */
3340 }
3341
3342 fail:
3343 dst = mgmt->sa;
3344
3345 #ifdef CONFIG_IEEE80211BE
3346 if (ap_sta_is_mld(hapd, sta))
3347 dst = sta->addr;
3348 #endif /* CONFIG_IEEE80211BE */
3349
3350 reply_res = send_auth_reply(hapd, sta, dst, auth_alg,
3351 auth_alg == WLAN_AUTH_SAE ?
3352 auth_transaction : auth_transaction + 1,
3353 resp, resp_ies, resp_ies_len,
3354 "handle-auth");
3355
3356 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
3357 reply_res != WLAN_STATUS_SUCCESS)) {
3358 hostapd_drv_sta_remove(hapd, sta->addr);
3359 sta->added_unassoc = 0;
3360 }
3361 }
3362
3363
hostapd_max_bssid_indicator(struct hostapd_data * hapd)3364 static u8 hostapd_max_bssid_indicator(struct hostapd_data *hapd)
3365 {
3366 size_t num_bss_nontx;
3367 u8 max_bssid_ind = 0;
3368
3369 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1)
3370 return 0;
3371
3372 num_bss_nontx = hapd->iface->num_bss - 1;
3373 while (num_bss_nontx > 0) {
3374 max_bssid_ind++;
3375 num_bss_nontx >>= 1;
3376 }
3377 return max_bssid_ind;
3378 }
3379
3380
hostapd_get_aid_word(struct hostapd_data * hapd,struct sta_info * sta,int i)3381 static u32 hostapd_get_aid_word(struct hostapd_data *hapd,
3382 struct sta_info *sta, int i)
3383 {
3384 #ifdef CONFIG_IEEE80211BE
3385 u32 aid_word = 0;
3386
3387 /* Do not assign an AID that is in use on any of the affiliated links
3388 * when finding an AID for a non-AP MLD. */
3389 if (hapd->conf->mld_ap && sta->mld_info.mld_sta) {
3390 int j;
3391
3392 for (j = 0; j < MAX_NUM_MLD_LINKS; j++) {
3393 struct hostapd_data *link_bss;
3394
3395 if (!sta->mld_info.links[j].valid)
3396 continue;
3397
3398 link_bss = hostapd_mld_get_link_bss(hapd, j);
3399 if (!link_bss) {
3400 /* This shouldn't happen, just skip */
3401 wpa_printf(MSG_ERROR,
3402 "MLD: Failed to get link BSS for AID");
3403 continue;
3404 }
3405
3406 aid_word |= link_bss->sta_aid[i];
3407 }
3408
3409 return aid_word;
3410 }
3411 #endif /* CONFIG_IEEE80211BE */
3412
3413 return hapd->sta_aid[i];
3414 }
3415
3416
hostapd_get_aid(struct hostapd_data * hapd,struct sta_info * sta)3417 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
3418 {
3419 int i, j = 32, aid;
3420
3421 /* Transmitted and non-transmitted BSSIDs share the same AID pool, so
3422 * use the shared storage in the transmitted BSS to find the next
3423 * available value. */
3424 hapd = hostapd_mbssid_get_tx_bss(hapd);
3425
3426 /* get a unique AID */
3427 if (sta->aid > 0) {
3428 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
3429 return 0;
3430 }
3431
3432 if (TEST_FAIL())
3433 return -1;
3434
3435 for (i = 0; i < AID_WORDS; i++) {
3436 u32 aid_word = hostapd_get_aid_word(hapd, sta, i);
3437
3438 if (aid_word == (u32) -1)
3439 continue;
3440 for (j = 0; j < 32; j++) {
3441 if (!(aid_word & BIT(j)))
3442 break;
3443 }
3444 if (j < 32)
3445 break;
3446 }
3447 if (j == 32)
3448 return -1;
3449 aid = i * 32 + j + (1 << hostapd_max_bssid_indicator(hapd));
3450 if (aid > 2007)
3451 return -1;
3452
3453 sta->aid = aid;
3454 hapd->sta_aid[i] |= BIT(j);
3455 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
3456 return 0;
3457 }
3458
3459
check_ssid(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ssid_ie,size_t ssid_ie_len)3460 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
3461 const u8 *ssid_ie, size_t ssid_ie_len)
3462 {
3463 if (ssid_ie == NULL)
3464 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3465
3466 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
3467 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
3468 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3469 HOSTAPD_LEVEL_INFO,
3470 "Station tried to associate with unknown SSID "
3471 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
3472 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3473 }
3474
3475 return WLAN_STATUS_SUCCESS;
3476 }
3477
3478
check_wmm(struct hostapd_data * hapd,struct sta_info * sta,const u8 * wmm_ie,size_t wmm_ie_len)3479 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
3480 const u8 *wmm_ie, size_t wmm_ie_len)
3481 {
3482 sta->flags &= ~WLAN_STA_WMM;
3483 sta->qosinfo = 0;
3484 if (wmm_ie && hapd->conf->wmm_enabled) {
3485 struct wmm_information_element *wmm;
3486
3487 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
3488 hostapd_logger(hapd, sta->addr,
3489 HOSTAPD_MODULE_WPA,
3490 HOSTAPD_LEVEL_DEBUG,
3491 "invalid WMM element in association "
3492 "request");
3493 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3494 }
3495
3496 sta->flags |= WLAN_STA_WMM;
3497 wmm = (struct wmm_information_element *) wmm_ie;
3498 sta->qosinfo = wmm->qos_info;
3499 }
3500 return WLAN_STATUS_SUCCESS;
3501 }
3502
check_multi_ap(struct hostapd_data * hapd,struct sta_info * sta,const u8 * multi_ap_ie,size_t multi_ap_len)3503 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
3504 const u8 *multi_ap_ie, size_t multi_ap_len)
3505 {
3506 struct multi_ap_params multi_ap;
3507 u16 status;
3508
3509 sta->flags &= ~WLAN_STA_MULTI_AP;
3510
3511 if (!hapd->conf->multi_ap)
3512 return WLAN_STATUS_SUCCESS;
3513
3514 if (!multi_ap_ie) {
3515 if (!(hapd->conf->multi_ap & FRONTHAUL_BSS)) {
3516 hostapd_logger(hapd, sta->addr,
3517 HOSTAPD_MODULE_IEEE80211,
3518 HOSTAPD_LEVEL_INFO,
3519 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3520 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3521 }
3522
3523 return WLAN_STATUS_SUCCESS;
3524 }
3525
3526 status = check_multi_ap_ie(multi_ap_ie + 4, multi_ap_len - 4,
3527 &multi_ap);
3528 if (status != WLAN_STATUS_SUCCESS)
3529 return status;
3530
3531 if (multi_ap.capability && multi_ap.capability != MULTI_AP_BACKHAUL_STA)
3532 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3533 HOSTAPD_LEVEL_INFO,
3534 "Multi-AP IE with unexpected value 0x%02x",
3535 multi_ap.capability);
3536
3537 if (multi_ap.profile == MULTI_AP_PROFILE_1 &&
3538 (hapd->conf->multi_ap_client_disallow &
3539 PROFILE1_CLIENT_ASSOC_DISALLOW)) {
3540 hostapd_logger(hapd, sta->addr,
3541 HOSTAPD_MODULE_IEEE80211,
3542 HOSTAPD_LEVEL_INFO,
3543 "Multi-AP Profile-1 clients not allowed");
3544 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3545 }
3546
3547 if (multi_ap.profile >= MULTI_AP_PROFILE_2 &&
3548 (hapd->conf->multi_ap_client_disallow &
3549 PROFILE2_CLIENT_ASSOC_DISALLOW)) {
3550 hostapd_logger(hapd, sta->addr,
3551 HOSTAPD_MODULE_IEEE80211,
3552 HOSTAPD_LEVEL_INFO,
3553 "Multi-AP Profile-2 clients not allowed");
3554 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3555 }
3556
3557 if (!(multi_ap.capability & MULTI_AP_BACKHAUL_STA)) {
3558 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
3559 return WLAN_STATUS_SUCCESS;
3560
3561 hostapd_logger(hapd, sta->addr,
3562 HOSTAPD_MODULE_IEEE80211,
3563 HOSTAPD_LEVEL_INFO,
3564 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
3565 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
3566 }
3567
3568 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
3569 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3570 HOSTAPD_LEVEL_DEBUG,
3571 "Backhaul STA tries to associate with fronthaul-only BSS");
3572
3573 sta->flags |= WLAN_STA_MULTI_AP;
3574 return WLAN_STATUS_SUCCESS;
3575 }
3576
3577
copy_supp_rates(struct hostapd_data * hapd,struct sta_info * sta,struct ieee802_11_elems * elems)3578 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
3579 struct ieee802_11_elems *elems)
3580 {
3581 /* Supported rates not used in IEEE 802.11ad/DMG */
3582 if (hapd->iface->current_mode &&
3583 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
3584 return WLAN_STATUS_SUCCESS;
3585
3586 if (!elems->supp_rates) {
3587 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3588 HOSTAPD_LEVEL_DEBUG,
3589 "No supported rates element in AssocReq");
3590 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3591 }
3592
3593 if (elems->supp_rates_len + elems->ext_supp_rates_len >
3594 sizeof(sta->supported_rates)) {
3595 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3596 HOSTAPD_LEVEL_DEBUG,
3597 "Invalid supported rates element length %d+%d",
3598 elems->supp_rates_len,
3599 elems->ext_supp_rates_len);
3600 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3601 }
3602
3603 sta->supported_rates_len = merge_byte_arrays(
3604 sta->supported_rates, sizeof(sta->supported_rates),
3605 elems->supp_rates, elems->supp_rates_len,
3606 elems->ext_supp_rates, elems->ext_supp_rates_len);
3607
3608 return WLAN_STATUS_SUCCESS;
3609 }
3610
3611
3612 #ifdef CONFIG_OWE
3613
owe_group_supported(struct hostapd_data * hapd,u16 group)3614 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
3615 {
3616 int i;
3617 int *groups = hapd->conf->owe_groups;
3618
3619 if (group != 19 && group != 20 && group != 21)
3620 return 0;
3621
3622 if (!groups)
3623 return 1;
3624
3625 for (i = 0; groups[i] > 0; i++) {
3626 if (groups[i] == group)
3627 return 1;
3628 }
3629
3630 return 0;
3631 }
3632
3633
owe_process_assoc_req(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len)3634 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
3635 struct sta_info *sta, const u8 *owe_dh,
3636 u8 owe_dh_len)
3637 {
3638 struct wpabuf *secret, *pub, *hkey;
3639 int res;
3640 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
3641 const char *info = "OWE Key Generation";
3642 const u8 *addr[2];
3643 size_t len[2];
3644 u16 group;
3645 size_t hash_len, prime_len;
3646
3647 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3648 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3649 return WLAN_STATUS_SUCCESS;
3650 }
3651
3652 group = WPA_GET_LE16(owe_dh);
3653 if (!owe_group_supported(hapd, group)) {
3654 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
3655 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3656 }
3657 if (group == 19)
3658 prime_len = 32;
3659 else if (group == 20)
3660 prime_len = 48;
3661 else if (group == 21)
3662 prime_len = 66;
3663 else
3664 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3665
3666 if (sta->owe_group == group && sta->owe_ecdh) {
3667 /* This is a workaround for mac80211 behavior of retransmitting
3668 * the Association Request frames multiple times if the link
3669 * layer retries (i.e., seq# remains same) fail. The mac80211
3670 * initiated retransmission will use a different seq# and as
3671 * such, will go through duplicate detection. If we were to
3672 * change our DH key for that attempt, there would be two
3673 * different DH shared secrets and the STA would likely select
3674 * the wrong one. */
3675 wpa_printf(MSG_DEBUG,
3676 "OWE: Try to reuse own previous DH key since the STA tried to go through OWE association again");
3677 } else {
3678 crypto_ecdh_deinit(sta->owe_ecdh);
3679 sta->owe_ecdh = crypto_ecdh_init(group);
3680 }
3681 if (!sta->owe_ecdh)
3682 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
3683 sta->owe_group = group;
3684
3685 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
3686 owe_dh_len - 2);
3687 secret = wpabuf_zeropad(secret, prime_len);
3688 if (!secret) {
3689 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
3690 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3691 }
3692 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
3693
3694 /* prk = HKDF-extract(C | A | group, z) */
3695
3696 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3697 if (!pub) {
3698 wpabuf_clear_free(secret);
3699 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3700 }
3701
3702 /* PMKID = Truncate-128(Hash(C | A)) */
3703 addr[0] = owe_dh + 2;
3704 len[0] = owe_dh_len - 2;
3705 addr[1] = wpabuf_head(pub);
3706 len[1] = wpabuf_len(pub);
3707 if (group == 19) {
3708 res = sha256_vector(2, addr, len, pmkid);
3709 hash_len = SHA256_MAC_LEN;
3710 } else if (group == 20) {
3711 res = sha384_vector(2, addr, len, pmkid);
3712 hash_len = SHA384_MAC_LEN;
3713 } else if (group == 21) {
3714 res = sha512_vector(2, addr, len, pmkid);
3715 hash_len = SHA512_MAC_LEN;
3716 } else {
3717 wpabuf_free(pub);
3718 wpabuf_clear_free(secret);
3719 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3720 }
3721 pub = wpabuf_zeropad(pub, prime_len);
3722 if (res < 0 || !pub) {
3723 wpabuf_free(pub);
3724 wpabuf_clear_free(secret);
3725 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3726 }
3727
3728 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
3729 if (!hkey) {
3730 wpabuf_free(pub);
3731 wpabuf_clear_free(secret);
3732 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3733 }
3734
3735 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
3736 wpabuf_put_buf(hkey, pub); /* A */
3737 wpabuf_free(pub);
3738 wpabuf_put_le16(hkey, group); /* group */
3739 if (group == 19)
3740 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
3741 wpabuf_head(secret), wpabuf_len(secret), prk);
3742 else if (group == 20)
3743 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
3744 wpabuf_head(secret), wpabuf_len(secret), prk);
3745 else if (group == 21)
3746 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
3747 wpabuf_head(secret), wpabuf_len(secret), prk);
3748 wpabuf_clear_free(hkey);
3749 wpabuf_clear_free(secret);
3750 if (res < 0)
3751 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3752
3753 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
3754
3755 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
3756
3757 os_free(sta->owe_pmk);
3758 sta->owe_pmk = os_malloc(hash_len);
3759 if (!sta->owe_pmk) {
3760 os_memset(prk, 0, SHA512_MAC_LEN);
3761 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3762 }
3763
3764 if (group == 19)
3765 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
3766 os_strlen(info), sta->owe_pmk, hash_len);
3767 else if (group == 20)
3768 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
3769 os_strlen(info), sta->owe_pmk, hash_len);
3770 else if (group == 21)
3771 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
3772 os_strlen(info), sta->owe_pmk, hash_len);
3773 os_memset(prk, 0, SHA512_MAC_LEN);
3774 if (res < 0) {
3775 os_free(sta->owe_pmk);
3776 sta->owe_pmk = NULL;
3777 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3778 }
3779 sta->owe_pmk_len = hash_len;
3780
3781 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
3782 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
3783 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
3784 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE, NULL);
3785
3786 return WLAN_STATUS_SUCCESS;
3787 }
3788
3789
owe_validate_request(struct hostapd_data * hapd,const u8 * peer,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len)3790 u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
3791 const u8 *rsn_ie, size_t rsn_ie_len,
3792 const u8 *owe_dh, size_t owe_dh_len)
3793 {
3794 struct wpa_ie_data data;
3795 int res;
3796
3797 if (!rsn_ie || rsn_ie_len < 2) {
3798 wpa_printf(MSG_DEBUG, "OWE: Invalid RSNE from " MACSTR,
3799 MAC2STR(peer));
3800 return WLAN_STATUS_INVALID_IE;
3801 }
3802 rsn_ie -= 2;
3803 rsn_ie_len += 2;
3804
3805 res = wpa_parse_wpa_ie_rsn(rsn_ie, rsn_ie_len, &data);
3806 if (res) {
3807 wpa_printf(MSG_DEBUG, "Failed to parse RSNE from " MACSTR
3808 " (res=%d)", MAC2STR(peer), res);
3809 wpa_hexdump(MSG_DEBUG, "RSNE", rsn_ie, rsn_ie_len);
3810 return wpa_res_to_status_code(res);
3811 }
3812 if (!(data.key_mgmt & WPA_KEY_MGMT_OWE)) {
3813 wpa_printf(MSG_DEBUG,
3814 "OWE: Unexpected key mgmt 0x%x from " MACSTR,
3815 (unsigned int) data.key_mgmt, MAC2STR(peer));
3816 return WLAN_STATUS_AKMP_NOT_VALID;
3817 }
3818 if (!owe_dh) {
3819 wpa_printf(MSG_DEBUG,
3820 "OWE: No Diffie-Hellman Parameter element from "
3821 MACSTR, MAC2STR(peer));
3822 return WLAN_STATUS_AKMP_NOT_VALID;
3823 }
3824
3825 return WLAN_STATUS_SUCCESS;
3826 }
3827
3828
owe_process_rsn_ie(struct hostapd_data * hapd,struct sta_info * sta,const u8 * rsn_ie,size_t rsn_ie_len,const u8 * owe_dh,size_t owe_dh_len,const u8 * link_addr)3829 u16 owe_process_rsn_ie(struct hostapd_data *hapd,
3830 struct sta_info *sta,
3831 const u8 *rsn_ie, size_t rsn_ie_len,
3832 const u8 *owe_dh, size_t owe_dh_len,
3833 const u8 *link_addr)
3834 {
3835 u16 status;
3836 u8 *owe_buf, ie[256 * 2];
3837 size_t ie_len = 0;
3838 enum wpa_validate_result res;
3839
3840 if (!rsn_ie || rsn_ie_len < 2) {
3841 wpa_printf(MSG_DEBUG, "OWE: No RSNE in (Re)AssocReq");
3842 status = WLAN_STATUS_INVALID_IE;
3843 goto end;
3844 }
3845
3846 if (!sta->wpa_sm)
3847 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
3848 NULL);
3849 if (!sta->wpa_sm) {
3850 wpa_printf(MSG_WARNING,
3851 "OWE: Failed to initialize WPA state machine");
3852 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3853 goto end;
3854 }
3855 #ifdef CONFIG_IEEE80211BE
3856 if (ap_sta_is_mld(hapd, sta))
3857 wpa_auth_set_ml_info(sta->wpa_sm,
3858 sta->mld_assoc_link_id, &sta->mld_info);
3859 #endif /* CONFIG_IEEE80211BE */
3860 rsn_ie -= 2;
3861 rsn_ie_len += 2;
3862 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
3863 hapd->iface->freq, rsn_ie, rsn_ie_len,
3864 NULL, 0, NULL, 0, owe_dh, owe_dh_len, NULL);
3865 status = wpa_res_to_status_code(res);
3866 if (status != WLAN_STATUS_SUCCESS)
3867 goto end;
3868 status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3869 if (status != WLAN_STATUS_SUCCESS)
3870 goto end;
3871 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, ie, sizeof(ie),
3872 NULL, 0);
3873 if (!owe_buf) {
3874 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3875 goto end;
3876 }
3877
3878 if (sta->owe_ecdh) {
3879 struct wpabuf *pub;
3880
3881 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3882 if (!pub) {
3883 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
3884 goto end;
3885 }
3886
3887 /* OWE Diffie-Hellman Parameter element */
3888 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3889 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3890 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3891 */
3892 WPA_PUT_LE16(owe_buf, sta->owe_group);
3893 owe_buf += 2;
3894 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3895 owe_buf += wpabuf_len(pub);
3896 wpabuf_free(pub);
3897 sta->external_dh_updated = 1;
3898 }
3899 ie_len = owe_buf - ie;
3900
3901 end:
3902 wpa_printf(MSG_DEBUG, "OWE: Update status %d, ie len %d for peer "
3903 MACSTR, status, (unsigned int) ie_len,
3904 MAC2STR(link_addr ? link_addr : sta->addr));
3905 hostapd_drv_update_dh_ie(hapd, link_addr ? link_addr : sta->addr,
3906 status,
3907 status == WLAN_STATUS_SUCCESS ? ie : NULL,
3908 ie_len);
3909
3910 return status;
3911 }
3912
3913 #endif /* CONFIG_OWE */
3914
3915
check_sa_query(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)3916 static bool check_sa_query(struct hostapd_data *hapd, struct sta_info *sta,
3917 int reassoc)
3918 {
3919 if ((sta->flags &
3920 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) !=
3921 (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED))
3922 return false;
3923
3924 if (!sta->sa_query_timed_out && sta->sa_query_count > 0)
3925 ap_check_sa_query_timeout(hapd, sta);
3926
3927 if (!sta->sa_query_timed_out &&
3928 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
3929 /*
3930 * STA has already been associated with MFP and SA Query timeout
3931 * has not been reached. Reject the association attempt
3932 * temporarily and start SA Query, if one is not pending.
3933 */
3934 if (sta->sa_query_count == 0)
3935 ap_sta_start_sa_query(hapd, sta);
3936
3937 return true;
3938 }
3939
3940 return false;
3941 }
3942
3943
__check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,struct ieee802_11_elems * elems,int reassoc,bool link)3944 static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
3945 const u8 *ies, size_t ies_len,
3946 struct ieee802_11_elems *elems, int reassoc,
3947 bool link)
3948 {
3949 int resp;
3950 const u8 *wpa_ie;
3951 size_t wpa_ie_len;
3952 const u8 *p2p_dev_addr = NULL;
3953 struct hostapd_data *assoc_hapd;
3954 struct sta_info *assoc_sta = NULL;
3955
3956 resp = check_ssid(hapd, sta, elems->ssid, elems->ssid_len);
3957 if (resp != WLAN_STATUS_SUCCESS)
3958 return resp;
3959 resp = check_wmm(hapd, sta, elems->wmm, elems->wmm_len);
3960 if (resp != WLAN_STATUS_SUCCESS)
3961 return resp;
3962 resp = check_ext_capab(hapd, sta, elems->ext_capab,
3963 elems->ext_capab_len);
3964 if (resp != WLAN_STATUS_SUCCESS)
3965 return resp;
3966 resp = copy_supp_rates(hapd, sta, elems);
3967 if (resp != WLAN_STATUS_SUCCESS)
3968 return resp;
3969
3970 resp = check_multi_ap(hapd, sta, elems->multi_ap, elems->multi_ap_len);
3971 if (resp != WLAN_STATUS_SUCCESS)
3972 return resp;
3973
3974 resp = copy_sta_ht_capab(hapd, sta, elems->ht_capabilities);
3975 if (resp != WLAN_STATUS_SUCCESS)
3976 return resp;
3977 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
3978 !(sta->flags & WLAN_STA_HT)) {
3979 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3980 HOSTAPD_LEVEL_INFO, "Station does not support "
3981 "mandatory HT PHY - reject association");
3982 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
3983 }
3984
3985 #ifdef CONFIG_IEEE80211AC
3986 if (hapd->iconf->ieee80211ac) {
3987 resp = copy_sta_vht_capab(hapd, sta, elems->vht_capabilities);
3988 if (resp != WLAN_STATUS_SUCCESS)
3989 return resp;
3990
3991 resp = set_sta_vht_opmode(hapd, sta, elems->opmode_notif);
3992 if (resp != WLAN_STATUS_SUCCESS)
3993 return resp;
3994 }
3995
3996 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
3997 !(sta->flags & WLAN_STA_VHT)) {
3998 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3999 HOSTAPD_LEVEL_INFO, "Station does not support "
4000 "mandatory VHT PHY - reject association");
4001 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
4002 }
4003
4004 if (hapd->conf->vendor_vht && !elems->vht_capabilities) {
4005 resp = copy_sta_vendor_vht(hapd, sta, elems->vendor_vht,
4006 elems->vendor_vht_len);
4007 if (resp != WLAN_STATUS_SUCCESS)
4008 return resp;
4009 }
4010 #endif /* CONFIG_IEEE80211AC */
4011 #ifdef CONFIG_IEEE80211AX
4012 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4013 resp = copy_sta_he_capab(hapd, sta, IEEE80211_MODE_AP,
4014 elems->he_capabilities,
4015 elems->he_capabilities_len);
4016 if (resp != WLAN_STATUS_SUCCESS)
4017 return resp;
4018
4019 if (hapd->iconf->require_he && !(sta->flags & WLAN_STA_HE)) {
4020 hostapd_logger(hapd, sta->addr,
4021 HOSTAPD_MODULE_IEEE80211,
4022 HOSTAPD_LEVEL_INFO,
4023 "Station does not support mandatory HE PHY - reject association");
4024 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4025 }
4026
4027 if (is_6ghz_op_class(hapd->iconf->op_class)) {
4028 if (!(sta->flags & WLAN_STA_HE)) {
4029 hostapd_logger(hapd, sta->addr,
4030 HOSTAPD_MODULE_IEEE80211,
4031 HOSTAPD_LEVEL_INFO,
4032 "Station does not support mandatory HE PHY - reject association");
4033 return WLAN_STATUS_DENIED_HE_NOT_SUPPORTED;
4034 }
4035 resp = copy_sta_he_6ghz_capab(hapd, sta,
4036 elems->he_6ghz_band_cap);
4037 if (resp != WLAN_STATUS_SUCCESS)
4038 return resp;
4039 }
4040 }
4041 #endif /* CONFIG_IEEE80211AX */
4042 #ifdef CONFIG_IEEE80211BE
4043 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4044 resp = copy_sta_eht_capab(hapd, sta, IEEE80211_MODE_AP,
4045 elems->he_capabilities,
4046 elems->he_capabilities_len,
4047 elems->eht_capabilities,
4048 elems->eht_capabilities_len);
4049 if (resp != WLAN_STATUS_SUCCESS)
4050 return resp;
4051
4052 if (!link) {
4053 resp = hostapd_process_ml_assoc_req(hapd, elems, sta);
4054 if (resp != WLAN_STATUS_SUCCESS)
4055 return resp;
4056 }
4057 }
4058 #endif /* CONFIG_IEEE80211BE */
4059
4060 #ifdef CONFIG_P2P
4061 if (elems->p2p && ies && ies_len) {
4062 wpabuf_free(sta->p2p_ie);
4063 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4064 P2P_IE_VENDOR_TYPE);
4065 if (sta->p2p_ie)
4066 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
4067 } else {
4068 wpabuf_free(sta->p2p_ie);
4069 sta->p2p_ie = NULL;
4070 }
4071 #endif /* CONFIG_P2P */
4072
4073 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems->rsn_ie) {
4074 wpa_ie = elems->rsn_ie;
4075 wpa_ie_len = elems->rsn_ie_len;
4076 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
4077 elems->wpa_ie) {
4078 wpa_ie = elems->wpa_ie;
4079 wpa_ie_len = elems->wpa_ie_len;
4080 } else {
4081 wpa_ie = NULL;
4082 wpa_ie_len = 0;
4083 }
4084
4085 #ifdef CONFIG_WPS
4086 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
4087 if (hapd->conf->wps_state && elems->wps_ie && ies && ies_len) {
4088 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
4089 "Request - assume WPS is used");
4090 sta->flags |= WLAN_STA_WPS;
4091 wpabuf_free(sta->wps_ie);
4092 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
4093 WPS_IE_VENDOR_TYPE);
4094 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
4095 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
4096 sta->flags |= WLAN_STA_WPS2;
4097 }
4098 wpa_ie = NULL;
4099 wpa_ie_len = 0;
4100 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
4101 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
4102 "(Re)Association Request - reject");
4103 return WLAN_STATUS_INVALID_IE;
4104 }
4105 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
4106 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
4107 "(Re)Association Request - possible WPS use");
4108 sta->flags |= WLAN_STA_MAYBE_WPS;
4109 } else
4110 #endif /* CONFIG_WPS */
4111 if (hapd->conf->wpa && wpa_ie == NULL) {
4112 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4113 HOSTAPD_LEVEL_INFO,
4114 "No WPA/RSN IE in association request");
4115 return WLAN_STATUS_INVALID_IE;
4116 }
4117
4118 if (hapd->conf->wpa && wpa_ie) {
4119 enum wpa_validate_result res;
4120 #ifdef CONFIG_IEEE80211BE
4121 struct mld_info *info = &sta->mld_info;
4122 bool init = !sta->wpa_sm;
4123 #endif /* CONFIG_IEEE80211BE */
4124
4125 wpa_ie -= 2;
4126 wpa_ie_len += 2;
4127
4128 if (!sta->wpa_sm) {
4129 if (!link)
4130 assoc_sta = hostapd_ml_get_assoc_sta(
4131 hapd, sta, &assoc_hapd);
4132
4133 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4134 sta->addr,
4135 p2p_dev_addr);
4136
4137 if (!sta->wpa_sm) {
4138 wpa_printf(MSG_WARNING,
4139 "Failed to initialize RSN state machine");
4140 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4141 }
4142 }
4143
4144 #ifdef CONFIG_IEEE80211BE
4145 if (ap_sta_is_mld(hapd, sta)) {
4146 wpa_printf(MSG_DEBUG,
4147 "MLD: %s ML info in RSN Authenticator",
4148 init ? "Set" : "Reset");
4149 wpa_auth_set_ml_info(sta->wpa_sm,
4150 sta->mld_assoc_link_id,
4151 info);
4152 }
4153 #endif /* CONFIG_IEEE80211BE */
4154
4155 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
4156 wpa_auth_set_rsn_selection(sta->wpa_sm, elems->rsn_selection,
4157 elems->rsn_selection_len);
4158 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
4159 hapd->iface->freq,
4160 wpa_ie, wpa_ie_len,
4161 elems->rsnxe ? elems->rsnxe - 2 :
4162 NULL,
4163 elems->rsnxe ? elems->rsnxe_len + 2 :
4164 0,
4165 elems->mdie, elems->mdie_len,
4166 elems->owe_dh, elems->owe_dh_len,
4167 assoc_sta ? assoc_sta->wpa_sm : NULL);
4168 resp = wpa_res_to_status_code(res);
4169 if (resp != WLAN_STATUS_SUCCESS)
4170 return resp;
4171
4172 if (wpa_auth_uses_mfp(sta->wpa_sm))
4173 sta->flags |= WLAN_STA_MFP;
4174 else
4175 sta->flags &= ~WLAN_STA_MFP;
4176
4177 #ifdef CONFIG_IEEE80211R_AP
4178 if (sta->auth_alg == WLAN_AUTH_FT) {
4179 if (!reassoc) {
4180 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
4181 "to use association (not "
4182 "re-association) with FT auth_alg",
4183 MAC2STR(sta->addr));
4184 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4185 }
4186
4187 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
4188 ies_len);
4189 if (resp != WLAN_STATUS_SUCCESS)
4190 return resp;
4191 }
4192 #endif /* CONFIG_IEEE80211R_AP */
4193
4194 if (link)
4195 goto skip_sae_owe;
4196 #ifdef CONFIG_SAE
4197 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
4198 sta->sae->state == SAE_ACCEPTED)
4199 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
4200
4201 if (wpa_auth_uses_sae(sta->wpa_sm) &&
4202 sta->auth_alg == WLAN_AUTH_OPEN) {
4203 struct rsn_pmksa_cache_entry *sa;
4204 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
4205 if (!sa || !wpa_key_mgmt_sae(sa->akmp)) {
4206 wpa_printf(MSG_DEBUG,
4207 "SAE: No PMKSA cache entry found for "
4208 MACSTR, MAC2STR(sta->addr));
4209 return WLAN_STATUS_INVALID_PMKID;
4210 }
4211 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
4212 " using PMKSA caching", MAC2STR(sta->addr));
4213 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
4214 sta->auth_alg != WLAN_AUTH_SAE &&
4215 !(sta->auth_alg == WLAN_AUTH_FT &&
4216 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
4217 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
4218 "SAE AKM after non-SAE auth_alg %u",
4219 MAC2STR(sta->addr), sta->auth_alg);
4220 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
4221 }
4222
4223 if (hapd->conf->sae_pwe == SAE_PWE_BOTH &&
4224 sta->auth_alg == WLAN_AUTH_SAE &&
4225 sta->sae && !sta->sae->h2e &&
4226 ieee802_11_rsnx_capab_len(elems->rsnxe, elems->rsnxe_len,
4227 WLAN_RSNX_CAPAB_SAE_H2E)) {
4228 wpa_printf(MSG_INFO, "SAE: " MACSTR
4229 " indicates support for SAE H2E, but did not use it",
4230 MAC2STR(sta->addr));
4231 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4232 }
4233 #endif /* CONFIG_SAE */
4234
4235 #ifdef CONFIG_OWE
4236 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
4237 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
4238 elems->owe_dh) {
4239 resp = owe_process_assoc_req(hapd, sta, elems->owe_dh,
4240 elems->owe_dh_len);
4241 if (resp != WLAN_STATUS_SUCCESS)
4242 return resp;
4243 }
4244 #endif /* CONFIG_OWE */
4245 skip_sae_owe:
4246
4247 #ifdef CONFIG_DPP2
4248 dpp_pfs_free(sta->dpp_pfs);
4249 sta->dpp_pfs = NULL;
4250
4251 if (DPP_VERSION > 1 &&
4252 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
4253 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
4254 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
4255 elems->owe_dh) {
4256 sta->dpp_pfs = dpp_pfs_init(
4257 wpabuf_head(hapd->conf->dpp_netaccesskey),
4258 wpabuf_len(hapd->conf->dpp_netaccesskey));
4259 if (!sta->dpp_pfs) {
4260 wpa_printf(MSG_DEBUG,
4261 "DPP: Could not initialize PFS");
4262 /* Try to continue without PFS */
4263 goto pfs_fail;
4264 }
4265
4266 if (dpp_pfs_process(sta->dpp_pfs, elems->owe_dh,
4267 elems->owe_dh_len) < 0) {
4268 dpp_pfs_free(sta->dpp_pfs);
4269 sta->dpp_pfs = NULL;
4270 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4271 }
4272 }
4273
4274 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
4275 sta->dpp_pfs->secret : NULL);
4276 pfs_fail:
4277 #endif /* CONFIG_DPP2 */
4278
4279 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
4280 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
4281 hostapd_logger(hapd, sta->addr,
4282 HOSTAPD_MODULE_IEEE80211,
4283 HOSTAPD_LEVEL_INFO,
4284 "Station tried to use TKIP with HT "
4285 "association");
4286 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
4287 }
4288
4289 wpa_auth_set_ssid_protection(
4290 sta->wpa_sm,
4291 hapd->conf->ssid_protection &&
4292 ieee802_11_rsnx_capab_len(
4293 elems->rsnxe, elems->rsnxe_len,
4294 WLAN_RSNX_CAPAB_SSID_PROTECTION));
4295 #ifdef CONFIG_HS20
4296 } else if (hapd->conf->osen) {
4297 if (!elems->osen) {
4298 hostapd_logger(
4299 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4300 HOSTAPD_LEVEL_INFO,
4301 "No HS 2.0 OSEN element in association request");
4302 return WLAN_STATUS_INVALID_IE;
4303 }
4304
4305 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
4306 if (sta->wpa_sm == NULL)
4307 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
4308 sta->addr, NULL);
4309 if (sta->wpa_sm == NULL) {
4310 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
4311 "state machine");
4312 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4313 }
4314 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
4315 elems->osen - 2, elems->osen_len + 2) < 0)
4316 return WLAN_STATUS_INVALID_IE;
4317 #endif /* CONFIG_HS20 */
4318 } else
4319 wpa_auth_sta_no_wpa(sta->wpa_sm);
4320
4321 #ifdef CONFIG_P2P
4322 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
4323 #endif /* CONFIG_P2P */
4324
4325 #ifdef CONFIG_HS20
4326 wpabuf_free(sta->hs20_ie);
4327 if (elems->hs20 && elems->hs20_len > 4) {
4328 int release;
4329
4330 sta->hs20_ie = wpabuf_alloc_copy(elems->hs20 + 4,
4331 elems->hs20_len - 4);
4332 release = ((elems->hs20[4] >> 4) & 0x0f) + 1;
4333 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm) &&
4334 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4335 wpa_printf(MSG_DEBUG,
4336 "HS 2.0: PMF not negotiated by release %d station "
4337 MACSTR, release, MAC2STR(sta->addr));
4338 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
4339 }
4340 } else {
4341 sta->hs20_ie = NULL;
4342 }
4343
4344 wpabuf_free(sta->roaming_consortium);
4345 if (elems->roaming_cons_sel)
4346 sta->roaming_consortium = wpabuf_alloc_copy(
4347 elems->roaming_cons_sel + 4,
4348 elems->roaming_cons_sel_len - 4);
4349 else
4350 sta->roaming_consortium = NULL;
4351 #endif /* CONFIG_HS20 */
4352
4353 #ifdef CONFIG_FST
4354 wpabuf_free(sta->mb_ies);
4355 if (hapd->iface->fst)
4356 sta->mb_ies = mb_ies_by_info(&elems->mb_ies);
4357 else
4358 sta->mb_ies = NULL;
4359 #endif /* CONFIG_FST */
4360
4361 #ifdef CONFIG_MBO
4362 mbo_ap_check_sta_assoc(hapd, sta, elems);
4363
4364 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
4365 elems->mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
4366 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
4367 wpa_printf(MSG_INFO,
4368 "MBO: Reject WPA2 association without PMF");
4369 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4370 }
4371 #endif /* CONFIG_MBO */
4372
4373 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
4374 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
4375 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4376 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4377 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
4378 struct wpa_channel_info ci;
4379 int tx_chanwidth;
4380 int tx_seg1_idx;
4381 enum oci_verify_result res;
4382
4383 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
4384 wpa_printf(MSG_WARNING,
4385 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
4386 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4387 }
4388
4389 if (get_sta_tx_parameters(sta->wpa_sm,
4390 channel_width_to_int(ci.chanwidth),
4391 ci.seg1_idx, &tx_chanwidth,
4392 &tx_seg1_idx) < 0)
4393 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4394
4395 res = ocv_verify_tx_params(elems->oci, elems->oci_len, &ci,
4396 tx_chanwidth, tx_seg1_idx);
4397 if (wpa_auth_uses_ocv(sta->wpa_sm) == 2 &&
4398 res == OCI_NOT_FOUND) {
4399 /* Work around misbehaving STAs */
4400 wpa_printf(MSG_INFO,
4401 "FILS: Disable OCV with a STA that does not send OCI");
4402 wpa_auth_set_ocv(sta->wpa_sm, 0);
4403 } else if (res != OCI_SUCCESS) {
4404 wpa_printf(MSG_WARNING, "FILS: OCV failed: %s",
4405 ocv_errorstr);
4406 wpa_msg(hapd->msg_ctx, MSG_INFO, OCV_FAILURE "addr="
4407 MACSTR " frame=fils-reassoc-req error=%s",
4408 MAC2STR(sta->addr), ocv_errorstr);
4409 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4410 }
4411 }
4412 #endif /* CONFIG_FILS && CONFIG_OCV */
4413
4414 ap_copy_sta_supp_op_classes(sta, elems->supp_op_classes,
4415 elems->supp_op_classes_len);
4416
4417 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
4418 elems->rrm_enabled &&
4419 elems->rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
4420 os_memcpy(sta->rrm_enabled_capa, elems->rrm_enabled,
4421 sizeof(sta->rrm_enabled_capa));
4422
4423 if (elems->power_capab) {
4424 sta->min_tx_power = elems->power_capab[0];
4425 sta->max_tx_power = elems->power_capab[1];
4426 sta->power_capab = 1;
4427 } else {
4428 sta->power_capab = 0;
4429 }
4430
4431 if (elems->bss_max_idle_period &&
4432 hapd->conf->max_acceptable_idle_period) {
4433 u16 req;
4434
4435 req = WPA_GET_LE16(elems->bss_max_idle_period);
4436 if (req <= hapd->conf->max_acceptable_idle_period)
4437 sta->max_idle_period = req;
4438 else if (hapd->conf->max_acceptable_idle_period >
4439 hapd->conf->ap_max_inactivity)
4440 sta->max_idle_period =
4441 hapd->conf->max_acceptable_idle_period;
4442 }
4443
4444 return WLAN_STATUS_SUCCESS;
4445 }
4446
4447
check_assoc_ies(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,int reassoc)4448 static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
4449 const u8 *ies, size_t ies_len, int reassoc)
4450 {
4451 struct ieee802_11_elems elems;
4452
4453 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4454 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4455 HOSTAPD_LEVEL_INFO,
4456 "Station sent an invalid association request");
4457 return WLAN_STATUS_UNSPECIFIED_FAILURE;
4458 }
4459
4460 return __check_assoc_ies(hapd, sta, ies, ies_len, &elems, reassoc,
4461 false);
4462 }
4463
4464
4465 #ifdef CONFIG_IEEE80211BE
4466
ieee80211_ml_build_assoc_resp(struct hostapd_data * hapd,struct mld_link_info * link)4467 static void ieee80211_ml_build_assoc_resp(struct hostapd_data *hapd,
4468 struct mld_link_info *link)
4469 {
4470 u8 buf[EHT_ML_MAX_STA_PROF_LEN];
4471 u8 *p = buf;
4472 size_t buflen = sizeof(buf);
4473
4474 /* Capability Info */
4475 WPA_PUT_LE16(p, hostapd_own_capab_info(hapd));
4476 p += 2;
4477
4478 /* Status Code */
4479 WPA_PUT_LE16(p, link->status);
4480 p += 2;
4481
4482 if (link->status != WLAN_STATUS_SUCCESS)
4483 goto out;
4484
4485 /* AID is not included */
4486 p = hostapd_eid_supp_rates(hapd, p);
4487 p = hostapd_eid_ext_supp_rates(hapd, p);
4488 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4489 p = hostapd_eid_ht_capabilities(hapd, p);
4490 p = hostapd_eid_ht_operation(hapd, p);
4491
4492 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
4493 p = hostapd_eid_vht_capabilities(hapd, p, 0);
4494 p = hostapd_eid_vht_operation(hapd, p);
4495 }
4496
4497 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
4498 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
4499 p = hostapd_eid_he_operation(hapd, p);
4500 p = hostapd_eid_spatial_reuse(hapd, p);
4501 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
4502 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
4503 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4504 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP);
4505 p = hostapd_eid_eht_operation(hapd, p);
4506 }
4507 }
4508
4509 p = hostapd_eid_ext_capab(hapd, p, false);
4510 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
4511 p = hostapd_eid_wmm(hapd, p);
4512
4513 if (hapd->conf->assocresp_elements &&
4514 (size_t) (buf + buflen - p) >=
4515 wpabuf_len(hapd->conf->assocresp_elements)) {
4516 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
4517 wpabuf_len(hapd->conf->assocresp_elements));
4518 p += wpabuf_len(hapd->conf->assocresp_elements);
4519 }
4520
4521 out:
4522 os_free(link->resp_sta_profile);
4523 link->resp_sta_profile = os_memdup(buf, p - buf);
4524 link->resp_sta_profile_len = link->resp_sta_profile ? p - buf : 0;
4525 }
4526
4527
ieee80211_ml_process_link(struct hostapd_data * hapd,struct sta_info * origin_sta,struct mld_link_info * link,const u8 * ies,size_t ies_len,bool reassoc,bool offload)4528 static int ieee80211_ml_process_link(struct hostapd_data *hapd,
4529 struct sta_info *origin_sta,
4530 struct mld_link_info *link,
4531 const u8 *ies, size_t ies_len,
4532 bool reassoc, bool offload)
4533 {
4534 struct ieee802_11_elems elems;
4535 struct wpabuf *mlbuf = NULL;
4536 struct sta_info *sta = NULL;
4537 u16 status = WLAN_STATUS_SUCCESS;
4538 int i;
4539
4540 wpa_printf(MSG_DEBUG, "MLD: link: link_id=%u, peer=" MACSTR,
4541 hapd->mld_link_id, MAC2STR(link->peer_addr));
4542
4543 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
4544 wpa_printf(MSG_DEBUG, "MLD: link: Element parsing failed");
4545 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4546 goto out;
4547 }
4548
4549 sta = ap_get_sta(hapd, origin_sta->addr);
4550 if (sta) {
4551 wpa_printf(MSG_INFO, "MLD: link: Station already exists");
4552 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4553 sta = NULL;
4554 goto out;
4555 }
4556
4557 sta = ap_sta_add(hapd, origin_sta->addr);
4558 if (!sta) {
4559 wpa_printf(MSG_DEBUG, "MLD: link: ap_sta_add() failed");
4560 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4561 goto out;
4562 }
4563
4564 mlbuf = ieee802_11_defrag(elems.basic_mle, elems.basic_mle_len, true);
4565 if (!mlbuf)
4566 goto out;
4567
4568 if (ieee802_11_parse_link_assoc_req(ies, ies_len, &elems, mlbuf,
4569 hapd->mld_link_id, true) ==
4570 ParseFailed) {
4571 wpa_printf(MSG_DEBUG,
4572 "MLD: link: Failed to parse association request Multi-Link element");
4573 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4574 goto out;
4575 }
4576
4577 sta->flags |= origin_sta->flags | WLAN_STA_ASSOC_REQ_OK;
4578 sta->mld_assoc_link_id = origin_sta->mld_assoc_link_id;
4579
4580 status = __check_assoc_ies(hapd, sta, NULL, 0, &elems, reassoc, true);
4581 if (status != WLAN_STATUS_SUCCESS) {
4582 wpa_printf(MSG_DEBUG, "MLD: link: Element check failed");
4583 goto out;
4584 }
4585
4586 ap_sta_set_mld(sta, true);
4587
4588 os_memcpy(&sta->mld_info, &origin_sta->mld_info, sizeof(sta->mld_info));
4589 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4590 struct mld_link_info *li = &sta->mld_info.links[i];
4591
4592 li->resp_sta_profile = NULL;
4593 li->resp_sta_profile_len = 0;
4594 }
4595
4596 if (!offload) {
4597 /*
4598 * Get the AID from the station on which the association was
4599 * performed, and mark it as used.
4600 */
4601 sta->aid = origin_sta->aid;
4602 if (sta->aid == 0) {
4603 wpa_printf(MSG_DEBUG, "MLD: link: No AID assigned");
4604 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4605 goto out;
4606 }
4607 hapd->sta_aid[(sta->aid - 1) / 32] |= BIT((sta->aid - 1) % 32);
4608 sta->listen_interval = origin_sta->listen_interval;
4609 if (update_ht_state(hapd, sta) > 0)
4610 ieee802_11_update_beacons(hapd->iface);
4611 }
4612
4613 /* Maintain state machine reference on all link STAs, this is needed
4614 * during group rekey handling.
4615 */
4616 wpa_auth_sta_deinit(sta->wpa_sm);
4617 sta->wpa_sm = origin_sta->wpa_sm;
4618
4619 /*
4620 * Do not initialize the EAPOL state machine.
4621 * TODO: Maybe it is needed?
4622 */
4623 sta->eapol_sm = NULL;
4624
4625 wpa_printf(MSG_DEBUG, "MLD: link=%u, association OK (aid=%u)",
4626 hapd->mld_link_id, sta->aid);
4627
4628 sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC_REQ_OK;
4629
4630 /* TODO: What other processing is required? */
4631
4632 if (!offload && add_associated_sta(hapd, sta, reassoc))
4633 status = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4634 out:
4635 wpabuf_free(mlbuf);
4636 link->status = status;
4637
4638 if (!offload)
4639 ieee80211_ml_build_assoc_resp(hapd, link);
4640
4641 wpa_printf(MSG_DEBUG, "MLD: link: status=%u", status);
4642 if (status != WLAN_STATUS_SUCCESS) {
4643 if (sta)
4644 ap_free_sta(hapd, sta);
4645 return -1;
4646 }
4647
4648 return 0;
4649 }
4650
4651
hostapd_is_mld_ap(struct hostapd_data * hapd)4652 bool hostapd_is_mld_ap(struct hostapd_data *hapd)
4653 {
4654 if (!hapd->conf->mld_ap)
4655 return false;
4656
4657 if (!hapd->iface || !hapd->iface->interfaces ||
4658 hapd->iface->interfaces->count <= 1)
4659 return false;
4660
4661 return true;
4662 }
4663
4664 #endif /* CONFIG_IEEE80211BE */
4665
4666
hostapd_process_assoc_ml_info(struct hostapd_data * hapd,struct sta_info * sta,const u8 * ies,size_t ies_len,bool reassoc,int tx_link_status,bool offload)4667 int hostapd_process_assoc_ml_info(struct hostapd_data *hapd,
4668 struct sta_info *sta,
4669 const u8 *ies, size_t ies_len,
4670 bool reassoc, int tx_link_status,
4671 bool offload)
4672 {
4673 #ifdef CONFIG_IEEE80211BE
4674 unsigned int i;
4675
4676 if (!hostapd_is_mld_ap(hapd))
4677 return 0;
4678
4679 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4680 struct hostapd_data *bss = NULL;
4681 struct mld_link_info *link = &sta->mld_info.links[i];
4682 bool link_bss_found = false;
4683
4684 if (!link->valid || i == sta->mld_assoc_link_id)
4685 continue;
4686
4687 for_each_mld_link(bss, hapd) {
4688 if (bss == hapd)
4689 continue;
4690
4691 if (bss->mld_link_id != i)
4692 continue;
4693
4694 link_bss_found = true;
4695 break;
4696 }
4697
4698 if (!link_bss_found || TEST_FAIL()) {
4699 wpa_printf(MSG_DEBUG,
4700 "MLD: No link match for link_id=%u", i);
4701
4702 link->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
4703 if (!offload)
4704 ieee80211_ml_build_assoc_resp(hapd, link);
4705 } else if (tx_link_status != WLAN_STATUS_SUCCESS) {
4706 /* TX link rejected the connection */
4707 link->status = WLAN_STATUS_DENIED_TX_LINK_NOT_ACCEPTED;
4708 if (!offload)
4709 ieee80211_ml_build_assoc_resp(hapd, link);
4710 } else {
4711 if (ieee80211_ml_process_link(bss, sta, link,
4712 ies, ies_len, reassoc,
4713 offload))
4714 return -1;
4715 }
4716 }
4717 #endif /* CONFIG_IEEE80211BE */
4718
4719 return 0;
4720 }
4721
4722
send_deauth(struct hostapd_data * hapd,const u8 * addr,u16 reason_code)4723 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
4724 u16 reason_code)
4725 {
4726 int send_len;
4727 struct ieee80211_mgmt reply;
4728
4729 os_memset(&reply, 0, sizeof(reply));
4730 reply.frame_control =
4731 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
4732 os_memcpy(reply.da, addr, ETH_ALEN);
4733 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
4734 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
4735
4736 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
4737 reply.u.deauth.reason_code = host_to_le16(reason_code);
4738
4739 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0, NULL, 0, 0) < 0)
4740 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
4741 strerror(errno));
4742 }
4743
4744
add_associated_sta(struct hostapd_data * hapd,struct sta_info * sta,int reassoc)4745 static int add_associated_sta(struct hostapd_data *hapd,
4746 struct sta_info *sta, int reassoc)
4747 {
4748 struct ieee80211_ht_capabilities ht_cap;
4749 struct ieee80211_vht_capabilities vht_cap;
4750 struct ieee80211_he_capabilities he_cap;
4751 struct ieee80211_eht_capabilities eht_cap;
4752 int set = 1;
4753 const u8 *mld_link_addr = NULL;
4754 bool mld_link_sta = false;
4755
4756 #ifdef CONFIG_IEEE80211BE
4757 if (ap_sta_is_mld(hapd, sta)) {
4758 u8 mld_link_id = hapd->mld_link_id;
4759
4760 mld_link_sta = sta->mld_assoc_link_id != mld_link_id;
4761 mld_link_addr = sta->mld_info.links[mld_link_id].peer_addr;
4762
4763 if (hapd->mld_link_id != sta->mld_assoc_link_id)
4764 set = 0;
4765 }
4766 #endif /* CONFIG_IEEE80211BE */
4767
4768 /*
4769 * Remove the STA entry to ensure the STA PS state gets cleared and
4770 * configuration gets updated. This is relevant for cases, such as
4771 * FT-over-the-DS, where a station re-associates back to the same AP but
4772 * skips the authentication flow, or if working with a driver that
4773 * does not support full AP client state.
4774 *
4775 * Skip this if the STA has already completed FT reassociation and the
4776 * TK has been configured since the TX/RX PN must not be reset to 0 for
4777 * the same key.
4778 *
4779 * FT-over-the-DS has a special case where the STA entry (and as such,
4780 * the TK) has not yet been configured to the driver depending on which
4781 * driver interface is used. For that case, allow add-STA operation to
4782 * be used (instead of set-STA). This is needed to allow mac80211-based
4783 * drivers to accept the STA parameter configuration. Since this is
4784 * after a new FT-over-DS exchange, a new TK has been derived, so key
4785 * reinstallation is not a concern for this case.
4786 */
4787 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
4788 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
4789 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
4790 sta->ft_over_ds, reassoc,
4791 !!(sta->flags & WLAN_STA_AUTHORIZED),
4792 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
4793 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
4794
4795 if (!mld_link_sta && !sta->added_unassoc &&
4796 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
4797 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
4798 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
4799 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
4800 hostapd_drv_sta_remove(hapd, sta->addr);
4801 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
4802 set = 0;
4803
4804 /* Do not allow the FT-over-DS exception to be used more than
4805 * once per authentication exchange to guarantee a new TK is
4806 * used here */
4807 sta->ft_over_ds = 0;
4808 }
4809
4810 if (sta->flags & WLAN_STA_HT)
4811 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
4812 #ifdef CONFIG_IEEE80211AC
4813 if (sta->flags & WLAN_STA_VHT)
4814 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
4815 #endif /* CONFIG_IEEE80211AC */
4816 #ifdef CONFIG_IEEE80211AX
4817 if (sta->flags & WLAN_STA_HE) {
4818 hostapd_get_he_capab(hapd, sta->he_capab, &he_cap,
4819 sta->he_capab_len);
4820 }
4821 #endif /* CONFIG_IEEE80211AX */
4822 #ifdef CONFIG_IEEE80211BE
4823 if (sta->flags & WLAN_STA_EHT)
4824 hostapd_get_eht_capab(hapd, sta->eht_capab, &eht_cap,
4825 sta->eht_capab_len);
4826 #endif /* CONFIG_IEEE80211BE */
4827
4828 /*
4829 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
4830 * will be set when the ACK frame for the (Re)Association Response frame
4831 * is processed (TX status driver event).
4832 */
4833 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
4834 sta->supported_rates, sta->supported_rates_len,
4835 sta->listen_interval,
4836 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
4837 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
4838 sta->flags & WLAN_STA_HE ? &he_cap : NULL,
4839 sta->flags & WLAN_STA_HE ? sta->he_capab_len : 0,
4840 sta->flags & WLAN_STA_EHT ? &eht_cap : NULL,
4841 sta->flags & WLAN_STA_EHT ? sta->eht_capab_len : 0,
4842 sta->he_6ghz_capab,
4843 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
4844 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
4845 set, mld_link_addr, mld_link_sta)) {
4846 hostapd_logger(hapd, sta->addr,
4847 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
4848 "Could not %s STA to kernel driver",
4849 set ? "set" : "add");
4850
4851 if (sta->added_unassoc) {
4852 hostapd_drv_sta_remove(hapd, sta->addr);
4853 sta->added_unassoc = 0;
4854 }
4855
4856 return -1;
4857 }
4858
4859 sta->added_unassoc = 0;
4860
4861 return 0;
4862 }
4863
4864
send_assoc_resp(struct hostapd_data * hapd,struct sta_info * sta,const u8 * addr,u16 status_code,int reassoc,const u8 * ies,size_t ies_len,int rssi,int omit_rsnxe,bool allow_mld_addr_trans)4865 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
4866 const u8 *addr, u16 status_code, int reassoc,
4867 const u8 *ies, size_t ies_len, int rssi,
4868 int omit_rsnxe, bool allow_mld_addr_trans)
4869 {
4870 int send_len;
4871 u8 *buf;
4872 size_t buflen;
4873 struct ieee80211_mgmt *reply;
4874 u8 *p;
4875 u16 res = WLAN_STATUS_SUCCESS;
4876
4877 buflen = sizeof(struct ieee80211_mgmt) + 1024;
4878 #ifdef CONFIG_FILS
4879 if (sta && sta->fils_hlp_resp)
4880 buflen += wpabuf_len(sta->fils_hlp_resp);
4881 if (sta)
4882 buflen += 150;
4883 #endif /* CONFIG_FILS */
4884 #ifdef CONFIG_OWE
4885 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4886 buflen += 150;
4887 #endif /* CONFIG_OWE */
4888 #ifdef CONFIG_DPP2
4889 if (sta && sta->dpp_pfs)
4890 buflen += 5 + sta->dpp_pfs->curve->prime_len;
4891 #endif /* CONFIG_DPP2 */
4892 #ifdef CONFIG_IEEE80211BE
4893 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
4894 buflen += hostapd_eid_eht_capab_len(hapd, IEEE80211_MODE_AP);
4895 buflen += 3 + sizeof(struct ieee80211_eht_operation);
4896 if (hapd->iconf->punct_bitmap)
4897 buflen += EHT_OPER_DISABLED_SUBCHAN_BITMAP_SIZE;
4898 }
4899 #endif /* CONFIG_IEEE80211BE */
4900
4901 buf = os_zalloc(buflen);
4902 if (!buf) {
4903 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4904 goto done;
4905 }
4906 reply = (struct ieee80211_mgmt *) buf;
4907 reply->frame_control =
4908 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
4909 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
4910 WLAN_FC_STYPE_ASSOC_RESP));
4911
4912 os_memcpy(reply->da, addr, ETH_ALEN);
4913 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
4914 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
4915
4916 send_len = IEEE80211_HDRLEN;
4917 send_len += sizeof(reply->u.assoc_resp);
4918 reply->u.assoc_resp.capab_info =
4919 host_to_le16(hostapd_own_capab_info(hapd));
4920 reply->u.assoc_resp.status_code = host_to_le16(status_code);
4921
4922 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
4923 BIT(14) | BIT(15));
4924 /* Supported rates */
4925 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
4926 /* Extended supported rates */
4927 p = hostapd_eid_ext_supp_rates(hapd, p);
4928
4929 /* Radio measurement capabilities */
4930 p = hostapd_eid_rm_enabled_capab(hapd, p, buf + buflen - p);
4931
4932 #ifdef CONFIG_MBO
4933 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
4934 rssi != 0) {
4935 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
4936
4937 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
4938 delta);
4939 }
4940 #endif /* CONFIG_MBO */
4941
4942 #ifdef CONFIG_IEEE80211R_AP
4943 if (sta && status_code == WLAN_STATUS_SUCCESS) {
4944 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
4945 * Transition Information, RSN, [RIC Response] */
4946 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
4947 buf + buflen - p,
4948 sta->auth_alg, ies, ies_len,
4949 omit_rsnxe);
4950 if (!p) {
4951 wpa_printf(MSG_DEBUG,
4952 "FT: Failed to write AssocResp IEs");
4953 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
4954 goto done;
4955 }
4956 }
4957 #endif /* CONFIG_IEEE80211R_AP */
4958 #ifdef CONFIG_FILS
4959 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4960 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4961 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4962 sta->auth_alg == WLAN_AUTH_FILS_PK))
4963 p = wpa_auth_write_assoc_resp_fils(sta->wpa_sm, p,
4964 buf + buflen - p,
4965 ies, ies_len);
4966 #endif /* CONFIG_FILS */
4967
4968 #ifdef CONFIG_OWE
4969 if (sta && status_code == WLAN_STATUS_SUCCESS &&
4970 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
4971 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
4972 buf + buflen - p,
4973 ies, ies_len);
4974 #endif /* CONFIG_OWE */
4975
4976 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
4977 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
4978
4979 p = hostapd_eid_ht_capabilities(hapd, p);
4980 p = hostapd_eid_ht_operation(hapd, p);
4981
4982 #ifdef CONFIG_IEEE80211AC
4983 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac &&
4984 !is_6ghz_op_class(hapd->iconf->op_class)) {
4985 u32 nsts = 0, sta_nsts;
4986
4987 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
4988 struct ieee80211_vht_capabilities *capa;
4989
4990 nsts = (hapd->iface->conf->vht_capab >>
4991 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
4992 capa = sta->vht_capabilities;
4993 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
4994 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
4995
4996 if (nsts < sta_nsts)
4997 nsts = 0;
4998 else
4999 nsts = sta_nsts;
5000 }
5001 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
5002 p = hostapd_eid_vht_operation(hapd, p);
5003 }
5004 #endif /* CONFIG_IEEE80211AC */
5005
5006 #ifdef CONFIG_IEEE80211AX
5007 if (hapd->iconf->ieee80211ax && !hapd->conf->disable_11ax) {
5008 p = hostapd_eid_he_capab(hapd, p, IEEE80211_MODE_AP);
5009 p = hostapd_eid_he_operation(hapd, p);
5010 p = hostapd_eid_cca(hapd, p);
5011 p = hostapd_eid_spatial_reuse(hapd, p);
5012 p = hostapd_eid_he_mu_edca_parameter_set(hapd, p);
5013 p = hostapd_eid_he_6ghz_band_cap(hapd, p);
5014 }
5015 #endif /* CONFIG_IEEE80211AX */
5016
5017 p = hostapd_eid_ext_capab(hapd, p, false);
5018 p = hostapd_eid_bss_max_idle_period(hapd, p,
5019 sta ? sta->max_idle_period : 0);
5020 if (sta && sta->qos_map_enabled)
5021 p = hostapd_eid_qos_map_set(hapd, p);
5022
5023 #ifdef CONFIG_FST
5024 if (hapd->iface->fst_ies) {
5025 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
5026 wpabuf_len(hapd->iface->fst_ies));
5027 p += wpabuf_len(hapd->iface->fst_ies);
5028 }
5029 #endif /* CONFIG_FST */
5030
5031 #ifdef CONFIG_TESTING_OPTIONS
5032 if (hapd->conf->rsnxe_override_ft &&
5033 buf + buflen - p >=
5034 (long int) wpabuf_len(hapd->conf->rsnxe_override_ft) &&
5035 sta && sta->auth_alg == WLAN_AUTH_FT) {
5036 wpa_printf(MSG_DEBUG, "TESTING: RSNXE FT override");
5037 os_memcpy(p, wpabuf_head(hapd->conf->rsnxe_override_ft),
5038 wpabuf_len(hapd->conf->rsnxe_override_ft));
5039 p += wpabuf_len(hapd->conf->rsnxe_override_ft);
5040 goto rsnxe_done;
5041 }
5042 #endif /* CONFIG_TESTING_OPTIONS */
5043 if (!omit_rsnxe)
5044 p = hostapd_eid_rsnxe(hapd, p, buf + buflen - p);
5045 #ifdef CONFIG_TESTING_OPTIONS
5046 rsnxe_done:
5047 #endif /* CONFIG_TESTING_OPTIONS */
5048
5049 #ifdef CONFIG_IEEE80211BE
5050 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
5051 if (hapd->conf->mld_ap)
5052 p = hostapd_eid_eht_ml_assoc(hapd, sta, p);
5053 p = hostapd_eid_eht_capab(hapd, p, IEEE80211_MODE_AP);
5054 p = hostapd_eid_eht_operation(hapd, p);
5055 }
5056 #endif /* CONFIG_IEEE80211BE */
5057
5058 #ifdef CONFIG_OWE
5059 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
5060 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
5061 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
5062 !wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5063 struct wpabuf *pub;
5064
5065 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5066 if (!pub) {
5067 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5068 goto done;
5069 }
5070 /* OWE Diffie-Hellman Parameter element */
5071 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5072 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
5073 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
5074 WPA_PUT_LE16(p, sta->owe_group);
5075 p += 2;
5076 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
5077 p += wpabuf_len(pub);
5078 wpabuf_free(pub);
5079 }
5080 #endif /* CONFIG_OWE */
5081
5082 #ifdef CONFIG_DPP2
5083 if (DPP_VERSION > 1 && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
5084 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
5085 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
5086 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
5087 wpabuf_len(sta->dpp_pfs->ie));
5088 p += wpabuf_len(sta->dpp_pfs->ie);
5089 }
5090 #endif /* CONFIG_DPP2 */
5091
5092 #ifdef CONFIG_IEEE80211AC
5093 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
5094 p = hostapd_eid_vendor_vht(hapd, p);
5095 #endif /* CONFIG_IEEE80211AC */
5096
5097 if (sta && (sta->flags & WLAN_STA_WMM))
5098 p = hostapd_eid_wmm(hapd, p);
5099
5100 #ifdef CONFIG_WPS
5101 if (sta &&
5102 ((sta->flags & WLAN_STA_WPS) ||
5103 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
5104 struct wpabuf *wps = wps_build_assoc_resp_ie();
5105 if (wps) {
5106 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
5107 p += wpabuf_len(wps);
5108 wpabuf_free(wps);
5109 }
5110 }
5111 #endif /* CONFIG_WPS */
5112
5113 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
5114 p = hostapd_eid_multi_ap(hapd, p, buf + buflen - p);
5115
5116 #ifdef CONFIG_P2P
5117 if (sta && sta->p2p_ie && hapd->p2p_group) {
5118 struct wpabuf *p2p_resp_ie;
5119 enum p2p_status_code status;
5120 switch (status_code) {
5121 case WLAN_STATUS_SUCCESS:
5122 status = P2P_SC_SUCCESS;
5123 break;
5124 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
5125 status = P2P_SC_FAIL_LIMIT_REACHED;
5126 break;
5127 default:
5128 status = P2P_SC_FAIL_INVALID_PARAMS;
5129 break;
5130 }
5131 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
5132 if (p2p_resp_ie) {
5133 os_memcpy(p, wpabuf_head(p2p_resp_ie),
5134 wpabuf_len(p2p_resp_ie));
5135 p += wpabuf_len(p2p_resp_ie);
5136 wpabuf_free(p2p_resp_ie);
5137 }
5138 }
5139 #endif /* CONFIG_P2P */
5140
5141 #ifdef CONFIG_P2P_MANAGER
5142 if (hapd->conf->p2p & P2P_MANAGE)
5143 p = hostapd_eid_p2p_manage(hapd, p);
5144 #endif /* CONFIG_P2P_MANAGER */
5145
5146 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
5147
5148 if (hapd->conf->assocresp_elements &&
5149 (size_t) (buf + buflen - p) >=
5150 wpabuf_len(hapd->conf->assocresp_elements)) {
5151 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
5152 wpabuf_len(hapd->conf->assocresp_elements));
5153 p += wpabuf_len(hapd->conf->assocresp_elements);
5154 }
5155
5156 send_len += p - reply->u.assoc_resp.variable;
5157
5158 #ifdef CONFIG_FILS
5159 if (sta &&
5160 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5161 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5162 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
5163 status_code == WLAN_STATUS_SUCCESS) {
5164 struct ieee802_11_elems elems;
5165
5166 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
5167 ParseFailed || !elems.fils_session) {
5168 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5169 goto done;
5170 }
5171
5172 /* FILS Session */
5173 *p++ = WLAN_EID_EXTENSION; /* Element ID */
5174 *p++ = 1 + FILS_SESSION_LEN; /* Length */
5175 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
5176 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
5177 send_len += 2 + 1 + FILS_SESSION_LEN;
5178
5179 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
5180 buflen, sta->fils_hlp_resp);
5181 if (send_len < 0) {
5182 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5183 goto done;
5184 }
5185 }
5186 #endif /* CONFIG_FILS */
5187
5188 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0, NULL, 0, 0) < 0) {
5189 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
5190 strerror(errno));
5191 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5192 }
5193
5194 done:
5195 os_free(buf);
5196 return res;
5197 }
5198
5199
5200 #ifdef CONFIG_OWE
owe_assoc_req_process(struct hostapd_data * hapd,struct sta_info * sta,const u8 * owe_dh,u8 owe_dh_len,u8 * owe_buf,size_t owe_buf_len,u16 * status)5201 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
5202 const u8 *owe_dh, u8 owe_dh_len,
5203 u8 *owe_buf, size_t owe_buf_len, u16 *status)
5204 {
5205 #ifdef CONFIG_TESTING_OPTIONS
5206 if (hapd->conf->own_ie_override) {
5207 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
5208 *status = WLAN_STATUS_SUCCESS;
5209 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5210 owe_buf_len, NULL, 0);
5211 }
5212 #endif /* CONFIG_TESTING_OPTIONS */
5213
5214 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
5215 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
5216 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5217 owe_buf_len, NULL, 0);
5218 *status = WLAN_STATUS_SUCCESS;
5219 return owe_buf;
5220 }
5221
5222 if (sta->owe_pmk && sta->external_dh_updated) {
5223 wpa_printf(MSG_DEBUG, "OWE: Using previously derived PMK");
5224 *status = WLAN_STATUS_SUCCESS;
5225 return owe_buf;
5226 }
5227
5228 *status = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
5229 if (*status != WLAN_STATUS_SUCCESS)
5230 return NULL;
5231
5232 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
5233 owe_buf_len, NULL, 0);
5234
5235 if (sta->owe_ecdh && owe_buf) {
5236 struct wpabuf *pub;
5237
5238 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
5239 if (!pub) {
5240 *status = WLAN_STATUS_UNSPECIFIED_FAILURE;
5241 return owe_buf;
5242 }
5243
5244 /* OWE Diffie-Hellman Parameter element */
5245 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
5246 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
5247 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
5248 */
5249 WPA_PUT_LE16(owe_buf, sta->owe_group);
5250 owe_buf += 2;
5251 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
5252 owe_buf += wpabuf_len(pub);
5253 wpabuf_free(pub);
5254 }
5255
5256 return owe_buf;
5257 }
5258 #endif /* CONFIG_OWE */
5259
5260
5261 #ifdef CONFIG_FILS
5262
fils_hlp_finish_assoc(struct hostapd_data * hapd,struct sta_info * sta)5263 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
5264 {
5265 u16 reply_res;
5266
5267 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
5268 MAC2STR(sta->addr));
5269 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5270 if (!sta->fils_pending_assoc_req)
5271 return;
5272 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
5273 sta->fils_pending_assoc_is_reassoc,
5274 sta->fils_pending_assoc_req,
5275 sta->fils_pending_assoc_req_len, 0, 0,
5276 true);
5277 os_free(sta->fils_pending_assoc_req);
5278 sta->fils_pending_assoc_req = NULL;
5279 sta->fils_pending_assoc_req_len = 0;
5280 wpabuf_free(sta->fils_hlp_resp);
5281 sta->fils_hlp_resp = NULL;
5282 wpabuf_free(sta->hlp_dhcp_discover);
5283 sta->hlp_dhcp_discover = NULL;
5284
5285 /*
5286 * Remove the station in case transmission of a success response fails.
5287 * At this point the station was already added associated to the driver.
5288 */
5289 if (reply_res != WLAN_STATUS_SUCCESS)
5290 hostapd_drv_sta_remove(hapd, sta->addr);
5291 }
5292
5293
fils_hlp_timeout(void * eloop_ctx,void * eloop_data)5294 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
5295 {
5296 struct hostapd_data *hapd = eloop_ctx;
5297 struct sta_info *sta = eloop_data;
5298
5299 wpa_printf(MSG_DEBUG,
5300 "FILS: HLP response timeout - continue with association response for "
5301 MACSTR, MAC2STR(sta->addr));
5302 if (sta->fils_drv_assoc_finish)
5303 hostapd_notify_assoc_fils_finish(hapd, sta);
5304 else
5305 fils_hlp_finish_assoc(hapd, sta);
5306 }
5307
5308 #endif /* CONFIG_FILS */
5309
5310
5311 #ifdef CONFIG_IEEE80211BE
handle_mlo_translate(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,bool reassoc,struct hostapd_data ** assoc_hapd)5312 static struct sta_info * handle_mlo_translate(struct hostapd_data *hapd,
5313 const struct ieee80211_mgmt *mgmt,
5314 size_t len, bool reassoc,
5315 struct hostapd_data **assoc_hapd)
5316 {
5317 struct sta_info *sta;
5318 struct ieee802_11_elems elems;
5319 u8 mld_addr[ETH_ALEN];
5320 const u8 *pos;
5321
5322 if (!hapd->iconf->ieee80211be || hapd->conf->disable_11be)
5323 return NULL;
5324
5325 if (reassoc) {
5326 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req);
5327 pos = mgmt->u.reassoc_req.variable;
5328 } else {
5329 len -= IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req);
5330 pos = mgmt->u.assoc_req.variable;
5331 }
5332
5333 if (ieee802_11_parse_elems(pos, len, &elems, 1) == ParseFailed)
5334 return NULL;
5335
5336 if (hostapd_process_ml_assoc_req_addr(hapd, elems.basic_mle,
5337 elems.basic_mle_len,
5338 mld_addr))
5339 return NULL;
5340
5341 sta = ap_get_sta(hapd, mld_addr);
5342 if (!sta)
5343 return NULL;
5344
5345 wpa_printf(MSG_DEBUG, "MLD: assoc: mld=" MACSTR ", link=" MACSTR,
5346 MAC2STR(mld_addr), MAC2STR(mgmt->sa));
5347
5348 return hostapd_ml_get_assoc_sta(hapd, sta, assoc_hapd);
5349 }
5350 #endif /* CONFIG_IEEE80211BE */
5351
5352
handle_assoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int rssi)5353 static void handle_assoc(struct hostapd_data *hapd,
5354 const struct ieee80211_mgmt *mgmt, size_t len,
5355 int reassoc, int rssi)
5356 {
5357 u16 capab_info, listen_interval, seq_ctrl, fc;
5358 int resp = WLAN_STATUS_SUCCESS;
5359 u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
5360 const u8 *pos;
5361 int left, i;
5362 struct sta_info *sta;
5363 u8 *tmp = NULL;
5364 #ifdef CONFIG_FILS
5365 int delay_assoc = 0;
5366 #endif /* CONFIG_FILS */
5367 int omit_rsnxe = 0;
5368 bool set_beacon = false;
5369 bool mld_addrs_not_translated = false;
5370
5371 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
5372 sizeof(mgmt->u.assoc_req))) {
5373 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
5374 reassoc, (unsigned long) len);
5375 return;
5376 }
5377
5378 #ifdef CONFIG_TESTING_OPTIONS
5379 if (reassoc) {
5380 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
5381 drand48() < hapd->iconf->ignore_reassoc_probability) {
5382 wpa_printf(MSG_INFO,
5383 "TESTING: ignoring reassoc request from "
5384 MACSTR, MAC2STR(mgmt->sa));
5385 return;
5386 }
5387 } else {
5388 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
5389 drand48() < hapd->iconf->ignore_assoc_probability) {
5390 wpa_printf(MSG_INFO,
5391 "TESTING: ignoring assoc request from "
5392 MACSTR, MAC2STR(mgmt->sa));
5393 return;
5394 }
5395 }
5396 #endif /* CONFIG_TESTING_OPTIONS */
5397
5398 fc = le_to_host16(mgmt->frame_control);
5399 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
5400
5401 if (reassoc) {
5402 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
5403 listen_interval = le_to_host16(
5404 mgmt->u.reassoc_req.listen_interval);
5405 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
5406 " capab_info=0x%02x listen_interval=%d current_ap="
5407 MACSTR " seq_ctrl=0x%x%s",
5408 MAC2STR(mgmt->sa), capab_info, listen_interval,
5409 MAC2STR(mgmt->u.reassoc_req.current_ap),
5410 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5411 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
5412 pos = mgmt->u.reassoc_req.variable;
5413 } else {
5414 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
5415 listen_interval = le_to_host16(
5416 mgmt->u.assoc_req.listen_interval);
5417 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
5418 " capab_info=0x%02x listen_interval=%d "
5419 "seq_ctrl=0x%x%s",
5420 MAC2STR(mgmt->sa), capab_info, listen_interval,
5421 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
5422 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
5423 pos = mgmt->u.assoc_req.variable;
5424 }
5425
5426 sta = ap_get_sta(hapd, mgmt->sa);
5427
5428 #ifdef CONFIG_IEEE80211BE
5429 /*
5430 * It is possible that the association frame is from an associated
5431 * non-AP MLD station, that tries to re-associate using different link
5432 * addresses. In such a case, try to find the station based on the AP
5433 * MLD MAC address.
5434 */
5435 if (!sta) {
5436 struct hostapd_data *assoc_hapd;
5437
5438 sta = handle_mlo_translate(hapd, mgmt, len, reassoc,
5439 &assoc_hapd);
5440 if (sta) {
5441 wpa_printf(MSG_DEBUG,
5442 "MLD: Switching to assoc hapd/station");
5443 hapd = assoc_hapd;
5444 mld_addrs_not_translated = true;
5445 }
5446 }
5447 #endif /* CONFIG_IEEE80211BE */
5448
5449 #ifdef CONFIG_IEEE80211R_AP
5450 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
5451 (sta->flags & WLAN_STA_AUTH) == 0) {
5452 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
5453 "prior to authentication since it is using "
5454 "over-the-DS FT", MAC2STR(mgmt->sa));
5455
5456 /*
5457 * Mark station as authenticated, to avoid adding station
5458 * entry in the driver as associated and not authenticated
5459 */
5460 sta->flags |= WLAN_STA_AUTH;
5461 } else
5462 #endif /* CONFIG_IEEE80211R_AP */
5463 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
5464 if (hapd->iface->current_mode &&
5465 hapd->iface->current_mode->mode ==
5466 HOSTAPD_MODE_IEEE80211AD) {
5467 int acl_res;
5468 struct radius_sta info;
5469
5470 acl_res = ieee802_11_allowed_address(hapd, mgmt->sa,
5471 (const u8 *) mgmt,
5472 len, &info);
5473 if (acl_res == HOSTAPD_ACL_REJECT) {
5474 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5475 "Ignore Association Request frame from "
5476 MACSTR " due to ACL reject",
5477 MAC2STR(mgmt->sa));
5478 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5479 goto fail;
5480 }
5481 if (acl_res == HOSTAPD_ACL_PENDING)
5482 return;
5483
5484 /* DMG/IEEE 802.11ad does not use authentication.
5485 * Allocate sta entry upon association. */
5486 sta = ap_sta_add(hapd, mgmt->sa);
5487 if (!sta) {
5488 hostapd_logger(hapd, mgmt->sa,
5489 HOSTAPD_MODULE_IEEE80211,
5490 HOSTAPD_LEVEL_INFO,
5491 "Failed to add STA");
5492 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5493 goto fail;
5494 }
5495
5496 acl_res = ieee802_11_set_radius_info(
5497 hapd, sta, acl_res, &info);
5498 if (acl_res) {
5499 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5500 goto fail;
5501 }
5502
5503 hostapd_logger(hapd, sta->addr,
5504 HOSTAPD_MODULE_IEEE80211,
5505 HOSTAPD_LEVEL_DEBUG,
5506 "Skip authentication for DMG/IEEE 802.11ad");
5507 sta->flags |= WLAN_STA_AUTH;
5508 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
5509 sta->auth_alg = WLAN_AUTH_OPEN;
5510 } else {
5511 hostapd_logger(hapd, mgmt->sa,
5512 HOSTAPD_MODULE_IEEE80211,
5513 HOSTAPD_LEVEL_INFO,
5514 "Station tried to associate before authentication (aid=%d flags=0x%x)",
5515 sta ? sta->aid : -1,
5516 sta ? sta->flags : 0);
5517 send_deauth(hapd, mgmt->sa,
5518 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
5519 return;
5520 }
5521 }
5522
5523 if ((fc & WLAN_FC_RETRY) &&
5524 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
5525 sta->last_seq_ctrl == seq_ctrl &&
5526 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5527 WLAN_FC_STYPE_ASSOC_REQ)) {
5528 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5529 HOSTAPD_LEVEL_DEBUG,
5530 "Drop repeated association frame seq_ctrl=0x%x",
5531 seq_ctrl);
5532 return;
5533 }
5534 sta->last_seq_ctrl = seq_ctrl;
5535 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
5536 WLAN_FC_STYPE_ASSOC_REQ;
5537
5538 if (hapd->tkip_countermeasures) {
5539 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5540 goto fail;
5541 }
5542
5543 if (listen_interval > hapd->conf->max_listen_interval) {
5544 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5545 HOSTAPD_LEVEL_DEBUG,
5546 "Too large Listen Interval (%d)",
5547 listen_interval);
5548 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
5549 goto fail;
5550 }
5551
5552 #ifdef CONFIG_MBO
5553 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
5554 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5555 goto fail;
5556 }
5557
5558 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
5559 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
5560 (sta->auth_rssi == 0 ||
5561 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
5562 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
5563 goto fail;
5564 }
5565 #endif /* CONFIG_MBO */
5566
5567 if (hapd->conf->wpa && check_sa_query(hapd, sta, reassoc)) {
5568 resp = WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
5569 goto fail;
5570 }
5571
5572 /*
5573 * sta->capability is used in check_assoc_ies() for RRM enabled
5574 * capability element.
5575 */
5576 sta->capability = capab_info;
5577
5578 #ifdef CONFIG_FILS
5579 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5580 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5581 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5582 int res;
5583
5584 /* The end of the payload is encrypted. Need to decrypt it
5585 * before parsing. */
5586
5587 tmp = os_memdup(pos, left);
5588 if (!tmp) {
5589 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5590 goto fail;
5591 }
5592
5593 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
5594 len, tmp, left);
5595 if (res < 0) {
5596 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
5597 goto fail;
5598 }
5599 pos = tmp;
5600 left = res;
5601 }
5602 #endif /* CONFIG_FILS */
5603
5604 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
5605 * is used */
5606 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
5607 if (resp != WLAN_STATUS_SUCCESS)
5608 goto fail;
5609 omit_rsnxe = !get_ie(pos, left, WLAN_EID_RSNX);
5610
5611 if (hostapd_get_aid(hapd, sta) < 0) {
5612 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
5613 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
5614 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5615 goto fail;
5616 }
5617
5618 sta->listen_interval = listen_interval;
5619
5620 if (hapd->iface->current_mode &&
5621 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
5622 sta->flags |= WLAN_STA_NONERP;
5623 for (i = 0; i < sta->supported_rates_len; i++) {
5624 if ((sta->supported_rates[i] & 0x7f) > 22) {
5625 sta->flags &= ~WLAN_STA_NONERP;
5626 break;
5627 }
5628 }
5629 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
5630 sta->nonerp_set = 1;
5631 hapd->iface->num_sta_non_erp++;
5632 if (hapd->iface->num_sta_non_erp == 1)
5633 set_beacon = true;
5634 }
5635
5636 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
5637 !sta->no_short_slot_time_set) {
5638 sta->no_short_slot_time_set = 1;
5639 hapd->iface->num_sta_no_short_slot_time++;
5640 if (hapd->iface->current_mode &&
5641 hapd->iface->current_mode->mode ==
5642 HOSTAPD_MODE_IEEE80211G &&
5643 hapd->iface->num_sta_no_short_slot_time == 1)
5644 set_beacon = true;
5645 }
5646
5647 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
5648 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
5649 else
5650 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
5651
5652 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
5653 !sta->no_short_preamble_set) {
5654 sta->no_short_preamble_set = 1;
5655 hapd->iface->num_sta_no_short_preamble++;
5656 if (hapd->iface->current_mode &&
5657 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
5658 && hapd->iface->num_sta_no_short_preamble == 1)
5659 set_beacon = true;
5660 }
5661
5662 if (update_ht_state(hapd, sta) > 0)
5663 set_beacon = true;
5664
5665 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5666 HOSTAPD_LEVEL_DEBUG,
5667 "association OK (aid %d)", sta->aid);
5668 /* Station will be marked associated, after it acknowledges AssocResp
5669 */
5670 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
5671
5672 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
5673 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
5674 "SA Query procedure", reassoc ? "re" : "");
5675 /* TODO: Send a protected Disassociate frame to the STA using
5676 * the old key and Reason Code "Previous Authentication no
5677 * longer valid". Make sure this is only sent protected since
5678 * unprotected frame would be received by the STA that is now
5679 * trying to associate.
5680 */
5681 }
5682
5683 /* Make sure that the previously registered inactivity timer will not
5684 * remove the STA immediately. */
5685 sta->timeout_next = STA_NULLFUNC;
5686
5687 #ifdef CONFIG_TAXONOMY
5688 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
5689 #endif /* CONFIG_TAXONOMY */
5690
5691 sta->pending_wds_enable = 0;
5692
5693 #ifdef CONFIG_FILS
5694 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
5695 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
5696 sta->auth_alg == WLAN_AUTH_FILS_PK) {
5697 if (fils_process_hlp(hapd, sta, pos, left) > 0)
5698 delay_assoc = 1;
5699 }
5700 #endif /* CONFIG_FILS */
5701
5702 if (set_beacon)
5703 ieee802_11_update_beacons(hapd->iface);
5704
5705 fail:
5706
5707 /*
5708 * In case of a successful response, add the station to the driver.
5709 * Otherwise, the kernel may ignore Data frames before we process the
5710 * ACK frame (TX status). In case of a failure, this station will be
5711 * removed.
5712 *
5713 * Note that this is not compliant with the IEEE 802.11 standard that
5714 * states that a non-AP station should transition into the
5715 * authenticated/associated state only after the station acknowledges
5716 * the (Re)Association Response frame. However, still do this as:
5717 *
5718 * 1. In case the station does not acknowledge the (Re)Association
5719 * Response frame, it will be removed.
5720 * 2. Data frames will be dropped in the kernel until the station is
5721 * set into authorized state, and there are no significant known
5722 * issues with processing other non-Data Class 3 frames during this
5723 * window.
5724 */
5725 if (sta)
5726 hostapd_process_assoc_ml_info(hapd, sta, pos, left, reassoc,
5727 resp, false);
5728
5729 if (resp == WLAN_STATUS_SUCCESS && sta &&
5730 add_associated_sta(hapd, sta, reassoc))
5731 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
5732
5733 #ifdef CONFIG_FILS
5734 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
5735 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
5736 sta->fils_pending_assoc_req) {
5737 /* Do not reschedule fils_hlp_timeout in case the station
5738 * retransmits (Re)Association Request frame while waiting for
5739 * the previously started FILS HLP wait, so that the timeout can
5740 * be determined from the first pending attempt. */
5741 wpa_printf(MSG_DEBUG,
5742 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
5743 MACSTR, MAC2STR(sta->addr));
5744 os_free(tmp);
5745 return;
5746 }
5747 if (sta) {
5748 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5749 os_free(sta->fils_pending_assoc_req);
5750 sta->fils_pending_assoc_req = NULL;
5751 sta->fils_pending_assoc_req_len = 0;
5752 wpabuf_free(sta->fils_hlp_resp);
5753 sta->fils_hlp_resp = NULL;
5754 }
5755 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
5756 sta->fils_pending_assoc_req = tmp;
5757 sta->fils_pending_assoc_req_len = left;
5758 sta->fils_pending_assoc_is_reassoc = reassoc;
5759 sta->fils_drv_assoc_finish = 0;
5760 wpa_printf(MSG_DEBUG,
5761 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
5762 MACSTR, MAC2STR(sta->addr));
5763 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
5764 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
5765 fils_hlp_timeout, hapd, sta);
5766 return;
5767 }
5768 #endif /* CONFIG_FILS */
5769
5770 if (resp >= 0)
5771 reply_res = send_assoc_resp(hapd,
5772 mld_addrs_not_translated ?
5773 NULL : sta,
5774 mgmt->sa, resp, reassoc,
5775 pos, left, rssi, omit_rsnxe,
5776 !mld_addrs_not_translated);
5777 os_free(tmp);
5778
5779 /*
5780 * Remove the station in case transmission of a success response fails
5781 * (the STA was added associated to the driver) or if the station was
5782 * previously added unassociated.
5783 */
5784 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
5785 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
5786 hostapd_drv_sta_remove(hapd, sta->addr);
5787 sta->added_unassoc = 0;
5788 }
5789 }
5790
5791
hostapd_deauth_sta(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt)5792 static void hostapd_deauth_sta(struct hostapd_data *hapd,
5793 struct sta_info *sta,
5794 const struct ieee80211_mgmt *mgmt)
5795 {
5796 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5797 "deauthentication: STA=" MACSTR " reason_code=%d",
5798 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
5799
5800 ap_sta_set_authorized(hapd, sta, 0);
5801 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5802 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
5803 WLAN_STA_ASSOC_REQ_OK);
5804 hostapd_set_sta_flags(hapd, sta);
5805 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5806 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5807 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5808 mlme_deauthenticate_indication(
5809 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
5810 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5811 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5812 ap_free_sta(hapd, sta);
5813 }
5814
5815
hostapd_disassoc_sta(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt)5816 static void hostapd_disassoc_sta(struct hostapd_data *hapd,
5817 struct sta_info *sta,
5818 const struct ieee80211_mgmt *mgmt)
5819 {
5820 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5821 "disassocation: STA=" MACSTR " reason_code=%d",
5822 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.disassoc.reason_code));
5823
5824 ap_sta_set_authorized(hapd, sta, 0);
5825 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
5826 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
5827 hostapd_set_sta_flags(hapd, sta);
5828 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
5829 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5830 HOSTAPD_LEVEL_INFO, "disassociated");
5831 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
5832 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
5833 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
5834 * authenticated. */
5835 accounting_sta_stop(hapd, sta);
5836 ieee802_1x_free_station(hapd, sta);
5837 if (sta->ipaddr)
5838 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
5839 ap_sta_ip6addr_del(hapd, sta);
5840 hostapd_drv_sta_remove(hapd, sta->addr);
5841 sta->added_unassoc = 0;
5842
5843 if (sta->timeout_next == STA_NULLFUNC ||
5844 sta->timeout_next == STA_DISASSOC) {
5845 sta->timeout_next = STA_DEAUTH;
5846 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
5847 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
5848 hapd, sta);
5849 }
5850
5851 mlme_disassociate_indication(
5852 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
5853
5854 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
5855 * disassociation. */
5856 if (hapd->iface->current_mode &&
5857 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
5858 sta->flags &= ~WLAN_STA_AUTH;
5859 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
5860 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
5861 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
5862 ap_free_sta(hapd, sta);
5863 }
5864 }
5865
5866
hostapd_ml_handle_disconnect(struct hostapd_data * hapd,struct sta_info * sta,const struct ieee80211_mgmt * mgmt,bool disassoc)5867 static bool hostapd_ml_handle_disconnect(struct hostapd_data *hapd,
5868 struct sta_info *sta,
5869 const struct ieee80211_mgmt *mgmt,
5870 bool disassoc)
5871 {
5872 #ifdef CONFIG_IEEE80211BE
5873 struct hostapd_data *assoc_hapd, *tmp_hapd;
5874 struct sta_info *assoc_sta;
5875 struct sta_info *tmp_sta;
5876
5877 if (!hostapd_is_mld_ap(hapd))
5878 return false;
5879
5880 /*
5881 * Get the station on which the association was performed, as it holds
5882 * the information about all the other links.
5883 */
5884 assoc_sta = hostapd_ml_get_assoc_sta(hapd, sta, &assoc_hapd);
5885 if (!assoc_sta)
5886 return false;
5887
5888 for_each_mld_link(tmp_hapd, assoc_hapd) {
5889 if (tmp_hapd == assoc_hapd)
5890 continue;
5891
5892 if (!assoc_sta->mld_info.links[tmp_hapd->mld_link_id].valid)
5893 continue;
5894
5895 for (tmp_sta = tmp_hapd->sta_list; tmp_sta;
5896 tmp_sta = tmp_sta->next) {
5897 if (tmp_sta->mld_assoc_link_id !=
5898 assoc_sta->mld_assoc_link_id ||
5899 tmp_sta->aid != assoc_sta->aid)
5900 continue;
5901
5902 if (!disassoc)
5903 hostapd_deauth_sta(tmp_hapd, tmp_sta, mgmt);
5904 else
5905 hostapd_disassoc_sta(tmp_hapd, tmp_sta, mgmt);
5906 break;
5907 }
5908 }
5909
5910 /* Remove the station on which the association was performed. */
5911 if (!disassoc)
5912 hostapd_deauth_sta(assoc_hapd, assoc_sta, mgmt);
5913 else
5914 hostapd_disassoc_sta(assoc_hapd, assoc_sta, mgmt);
5915
5916 return true;
5917 #else /* CONFIG_IEEE80211BE */
5918 return false;
5919 #endif /* CONFIG_IEEE80211BE */
5920 }
5921
5922
handle_disassoc(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5923 static void handle_disassoc(struct hostapd_data *hapd,
5924 const struct ieee80211_mgmt *mgmt, size_t len)
5925 {
5926 struct sta_info *sta;
5927
5928 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
5929 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5930 "handle_disassoc - too short payload (len=%lu)",
5931 (unsigned long) len);
5932 return;
5933 }
5934
5935 sta = ap_get_sta(hapd, mgmt->sa);
5936 if (!sta) {
5937 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
5938 " trying to disassociate, but it is not associated",
5939 MAC2STR(mgmt->sa));
5940 return;
5941 }
5942
5943 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, true))
5944 return;
5945
5946 hostapd_disassoc_sta(hapd, sta, mgmt);
5947 }
5948
5949
handle_deauth(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len)5950 static void handle_deauth(struct hostapd_data *hapd,
5951 const struct ieee80211_mgmt *mgmt, size_t len)
5952 {
5953 struct sta_info *sta;
5954
5955 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
5956 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
5957 "handle_deauth - too short payload (len=%lu)",
5958 (unsigned long) len);
5959 return;
5960 }
5961
5962 /* Clear the PTKSA cache entries for PASN */
5963 ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
5964
5965 sta = ap_get_sta(hapd, mgmt->sa);
5966 if (!sta) {
5967 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
5968 " trying to deauthenticate, but it is not authenticated",
5969 MAC2STR(mgmt->sa));
5970 return;
5971 }
5972
5973 if (hostapd_ml_handle_disconnect(hapd, sta, mgmt, false))
5974 return;
5975
5976 hostapd_deauth_sta(hapd, sta, mgmt);
5977 }
5978
5979
handle_beacon(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,struct hostapd_frame_info * fi)5980 static void handle_beacon(struct hostapd_data *hapd,
5981 const struct ieee80211_mgmt *mgmt, size_t len,
5982 struct hostapd_frame_info *fi)
5983 {
5984 struct ieee802_11_elems elems;
5985
5986 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
5987 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
5988 (unsigned long) len);
5989 return;
5990 }
5991
5992 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
5993 len - (IEEE80211_HDRLEN +
5994 sizeof(mgmt->u.beacon)), &elems,
5995 0);
5996
5997 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
5998 }
5999
6000
robust_action_frame(u8 category)6001 static int robust_action_frame(u8 category)
6002 {
6003 return category != WLAN_ACTION_PUBLIC &&
6004 category != WLAN_ACTION_HT;
6005 }
6006
6007
handle_action(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,unsigned int freq)6008 static int handle_action(struct hostapd_data *hapd,
6009 const struct ieee80211_mgmt *mgmt, size_t len,
6010 unsigned int freq)
6011 {
6012 struct sta_info *sta;
6013 u8 *action __maybe_unused;
6014
6015 if (len < IEEE80211_HDRLEN + 2 + 1) {
6016 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6017 HOSTAPD_LEVEL_DEBUG,
6018 "handle_action - too short payload (len=%lu)",
6019 (unsigned long) len);
6020 return 0;
6021 }
6022
6023 action = (u8 *) &mgmt->u.action.u;
6024 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
6025 " da " MACSTR " len %d freq %u",
6026 mgmt->u.action.category, *action,
6027 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
6028
6029 sta = ap_get_sta(hapd, mgmt->sa);
6030
6031 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
6032 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
6033 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
6034 "frame (category=%u) from unassociated STA " MACSTR,
6035 mgmt->u.action.category, MAC2STR(mgmt->sa));
6036 return 0;
6037 }
6038
6039 if (sta && (sta->flags & WLAN_STA_MFP) &&
6040 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
6041 robust_action_frame(mgmt->u.action.category)) {
6042 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6043 HOSTAPD_LEVEL_DEBUG,
6044 "Dropped unprotected Robust Action frame from "
6045 "an MFP STA");
6046 return 0;
6047 }
6048
6049 if (sta) {
6050 u16 fc = le_to_host16(mgmt->frame_control);
6051 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
6052
6053 if ((fc & WLAN_FC_RETRY) &&
6054 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
6055 sta->last_seq_ctrl == seq_ctrl &&
6056 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
6057 hostapd_logger(hapd, sta->addr,
6058 HOSTAPD_MODULE_IEEE80211,
6059 HOSTAPD_LEVEL_DEBUG,
6060 "Drop repeated action frame seq_ctrl=0x%x",
6061 seq_ctrl);
6062 return 1;
6063 }
6064
6065 sta->last_seq_ctrl = seq_ctrl;
6066 sta->last_subtype = WLAN_FC_STYPE_ACTION;
6067 }
6068
6069 switch (mgmt->u.action.category) {
6070 #ifdef CONFIG_IEEE80211R_AP
6071 case WLAN_ACTION_FT:
6072 if (!sta ||
6073 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
6074 len - IEEE80211_HDRLEN))
6075 break;
6076 return 1;
6077 #endif /* CONFIG_IEEE80211R_AP */
6078 case WLAN_ACTION_WMM:
6079 hostapd_wmm_action(hapd, mgmt, len);
6080 return 1;
6081 case WLAN_ACTION_SA_QUERY:
6082 ieee802_11_sa_query_action(hapd, mgmt, len);
6083 return 1;
6084 #ifdef CONFIG_WNM_AP
6085 case WLAN_ACTION_WNM:
6086 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
6087 return 1;
6088 #endif /* CONFIG_WNM_AP */
6089 #ifdef CONFIG_FST
6090 case WLAN_ACTION_FST:
6091 if (hapd->iface->fst)
6092 fst_rx_action(hapd->iface->fst, mgmt, len);
6093 else
6094 wpa_printf(MSG_DEBUG,
6095 "FST: Ignore FST Action frame - no FST attached");
6096 return 1;
6097 #endif /* CONFIG_FST */
6098 case WLAN_ACTION_PUBLIC:
6099 case WLAN_ACTION_PROTECTED_DUAL:
6100 if (len >= IEEE80211_HDRLEN + 2 &&
6101 mgmt->u.action.u.public_action.action ==
6102 WLAN_PA_20_40_BSS_COEX) {
6103 hostapd_2040_coex_action(hapd, mgmt, len);
6104 return 1;
6105 }
6106 #ifdef CONFIG_DPP
6107 if (len >= IEEE80211_HDRLEN + 6 &&
6108 mgmt->u.action.u.vs_public_action.action ==
6109 WLAN_PA_VENDOR_SPECIFIC &&
6110 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6111 OUI_WFA &&
6112 mgmt->u.action.u.vs_public_action.variable[0] ==
6113 DPP_OUI_TYPE) {
6114 const u8 *pos, *end;
6115
6116 pos = mgmt->u.action.u.vs_public_action.oui;
6117 end = ((const u8 *) mgmt) + len;
6118 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
6119 freq);
6120 return 1;
6121 }
6122 if (len >= IEEE80211_HDRLEN + 2 &&
6123 (mgmt->u.action.u.public_action.action ==
6124 WLAN_PA_GAS_INITIAL_RESP ||
6125 mgmt->u.action.u.public_action.action ==
6126 WLAN_PA_GAS_COMEBACK_RESP)) {
6127 const u8 *pos, *end;
6128
6129 pos = &mgmt->u.action.u.public_action.action;
6130 end = ((const u8 *) mgmt) + len;
6131 if (gas_query_ap_rx(hapd->gas, mgmt->sa,
6132 mgmt->u.action.category,
6133 pos, end - pos, freq) == 0)
6134 return 1;
6135 }
6136 #endif /* CONFIG_DPP */
6137 #ifdef CONFIG_NAN_USD
6138 if (mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6139 len >= IEEE80211_HDRLEN + 5 &&
6140 mgmt->u.action.u.vs_public_action.action ==
6141 WLAN_PA_VENDOR_SPECIFIC &&
6142 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6143 OUI_WFA &&
6144 mgmt->u.action.u.vs_public_action.variable[0] ==
6145 NAN_OUI_TYPE) {
6146 const u8 *pos, *end;
6147
6148 pos = mgmt->u.action.u.vs_public_action.variable;
6149 end = ((const u8 *) mgmt) + len;
6150 pos++;
6151 hostapd_nan_usd_rx_sdf(hapd, mgmt->sa, freq,
6152 pos, end - pos);
6153 return 1;
6154 }
6155 #endif /* CONFIG_NAN_USD */
6156 if (hapd->public_action_cb) {
6157 hapd->public_action_cb(hapd->public_action_cb_ctx,
6158 (u8 *) mgmt, len, freq);
6159 }
6160 if (hapd->public_action_cb2) {
6161 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
6162 (u8 *) mgmt, len, freq);
6163 }
6164 if (hapd->public_action_cb || hapd->public_action_cb2)
6165 return 1;
6166 break;
6167 case WLAN_ACTION_VENDOR_SPECIFIC:
6168 if (hapd->vendor_action_cb) {
6169 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
6170 (u8 *) mgmt, len, freq) == 0)
6171 return 1;
6172 }
6173 break;
6174 #ifndef CONFIG_NO_RRM
6175 case WLAN_ACTION_RADIO_MEASUREMENT:
6176 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
6177 return 1;
6178 #endif /* CONFIG_NO_RRM */
6179 }
6180
6181 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6182 HOSTAPD_LEVEL_DEBUG,
6183 "handle_action - unknown action category %d or invalid "
6184 "frame",
6185 mgmt->u.action.category);
6186 if (!is_multicast_ether_addr(mgmt->da) &&
6187 !(mgmt->u.action.category & 0x80) &&
6188 !is_multicast_ether_addr(mgmt->sa)) {
6189 struct ieee80211_mgmt *resp;
6190
6191 /*
6192 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
6193 * Return the Action frame to the source without change
6194 * except that MSB of the Category set to 1.
6195 */
6196 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
6197 "frame back to sender");
6198 resp = os_memdup(mgmt, len);
6199 if (resp == NULL)
6200 return 0;
6201 os_memcpy(resp->da, resp->sa, ETH_ALEN);
6202 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
6203 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
6204 resp->u.action.category |= 0x80;
6205
6206 if (hostapd_drv_send_mlme(hapd, resp, len, 0, NULL, 0, 0) < 0) {
6207 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
6208 "Action frame");
6209 }
6210 os_free(resp);
6211 }
6212
6213 return 1;
6214 }
6215
6216
6217 /**
6218 * notify_mgmt_frame - Notify of Management frames on the control interface
6219 * @hapd: hostapd BSS data structure (the BSS to which the Management frame was
6220 * sent to)
6221 * @buf: Management frame data (starting from the IEEE 802.11 header)
6222 * @len: Length of frame data in octets
6223 *
6224 * Notify the control interface of any received Management frame.
6225 */
notify_mgmt_frame(struct hostapd_data * hapd,const u8 * buf,size_t len)6226 static void notify_mgmt_frame(struct hostapd_data *hapd, const u8 *buf,
6227 size_t len)
6228 {
6229
6230 int hex_len = len * 2 + 1;
6231 char *hex = os_malloc(hex_len);
6232
6233 if (hex) {
6234 wpa_snprintf_hex(hex, hex_len, buf, len);
6235 wpa_msg_ctrl(hapd->msg_ctx, MSG_INFO,
6236 AP_MGMT_FRAME_RECEIVED "buf=%s", hex);
6237 os_free(hex);
6238 }
6239 }
6240
6241
6242 /**
6243 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
6244 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
6245 * sent to)
6246 * @buf: management frame data (starting from IEEE 802.11 header)
6247 * @len: length of frame data in octets
6248 * @fi: meta data about received frame (signal level, etc.)
6249 *
6250 * Process all incoming IEEE 802.11 management frames. This will be called for
6251 * each frame received from the kernel driver through wlan#ap interface. In
6252 * addition, it can be called to re-inserted pending frames (e.g., when using
6253 * external RADIUS server as an MAC ACL).
6254 */
ieee802_11_mgmt(struct hostapd_data * hapd,const u8 * buf,size_t len,struct hostapd_frame_info * fi)6255 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
6256 struct hostapd_frame_info *fi)
6257 {
6258 struct ieee80211_mgmt *mgmt;
6259 u16 fc, stype;
6260 int ret = 0;
6261 unsigned int freq;
6262 int ssi_signal = fi ? fi->ssi_signal : 0;
6263 #ifdef CONFIG_NAN_USD
6264 static const u8 nan_network_id[ETH_ALEN] =
6265 { 0x51, 0x6f, 0x9a, 0x01, 0x00, 0x00 };
6266 #endif /* CONFIG_NAN_USD */
6267
6268 if (len < 24)
6269 return 0;
6270
6271 if (fi && fi->freq)
6272 freq = fi->freq;
6273 else
6274 freq = hapd->iface->freq;
6275
6276 mgmt = (struct ieee80211_mgmt *) buf;
6277 fc = le_to_host16(mgmt->frame_control);
6278 stype = WLAN_FC_GET_STYPE(fc);
6279
6280 if (is_multicast_ether_addr(mgmt->sa) ||
6281 is_zero_ether_addr(mgmt->sa) ||
6282 ether_addr_equal(mgmt->sa, hapd->own_addr)) {
6283 /* Do not process any frames with unexpected/invalid SA so that
6284 * we do not add any state for unexpected STA addresses or end
6285 * up sending out frames to unexpected destination. */
6286 wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
6287 " in received frame - ignore this frame silently",
6288 MAC2STR(mgmt->sa));
6289 return 0;
6290 }
6291
6292 if (stype == WLAN_FC_STYPE_BEACON) {
6293 handle_beacon(hapd, mgmt, len, fi);
6294 return 1;
6295 }
6296
6297 if (!is_broadcast_ether_addr(mgmt->bssid) &&
6298 #ifdef CONFIG_P2P
6299 /* Invitation responses can be sent with the peer MAC as BSSID */
6300 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
6301 stype == WLAN_FC_STYPE_ACTION) &&
6302 #endif /* CONFIG_P2P */
6303 #ifdef CONFIG_MESH
6304 !(hapd->conf->mesh & MESH_ENABLED) &&
6305 #endif /* CONFIG_MESH */
6306 #ifdef CONFIG_IEEE80211BE
6307 !(hapd->conf->mld_ap &&
6308 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) &&
6309 #endif /* CONFIG_IEEE80211BE */
6310 !ether_addr_equal(mgmt->bssid, hapd->own_addr)) {
6311 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
6312 MAC2STR(mgmt->bssid));
6313 return 0;
6314 }
6315
6316 if (hapd->iface->state != HAPD_IFACE_ENABLED) {
6317 wpa_printf(MSG_DEBUG, "MGMT: Ignore management frame while interface is not enabled (SA=" MACSTR " DA=" MACSTR " subtype=%u)",
6318 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), stype);
6319 return 1;
6320 }
6321
6322 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
6323 handle_probe_req(hapd, mgmt, len, ssi_signal);
6324 return 1;
6325 }
6326
6327 if ((!is_broadcast_ether_addr(mgmt->da) ||
6328 stype != WLAN_FC_STYPE_ACTION) &&
6329 #ifdef CONFIG_IEEE80211BE
6330 !(hapd->conf->mld_ap &&
6331 ether_addr_equal(hapd->mld->mld_addr, mgmt->bssid)) &&
6332 #endif /* CONFIG_IEEE80211BE */
6333 #ifdef CONFIG_NAN_USD
6334 !ether_addr_equal(mgmt->da, nan_network_id) &&
6335 #endif /* CONFIG_NAN_USD */
6336 !ether_addr_equal(mgmt->da, hapd->own_addr)) {
6337 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6338 HOSTAPD_LEVEL_DEBUG,
6339 "MGMT: DA=" MACSTR " not our address",
6340 MAC2STR(mgmt->da));
6341 return 0;
6342 }
6343
6344 if (hapd->iconf->track_sta_max_num)
6345 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
6346
6347 if (hapd->conf->notify_mgmt_frames)
6348 notify_mgmt_frame(hapd, buf, len);
6349
6350 switch (stype) {
6351 case WLAN_FC_STYPE_AUTH:
6352 wpa_printf(MSG_DEBUG, "mgmt::auth");
6353 handle_auth(hapd, mgmt, len, ssi_signal, 0);
6354 ret = 1;
6355 break;
6356 case WLAN_FC_STYPE_ASSOC_REQ:
6357 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
6358 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
6359 ret = 1;
6360 break;
6361 case WLAN_FC_STYPE_REASSOC_REQ:
6362 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
6363 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
6364 ret = 1;
6365 break;
6366 case WLAN_FC_STYPE_DISASSOC:
6367 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
6368 handle_disassoc(hapd, mgmt, len);
6369 ret = 1;
6370 break;
6371 case WLAN_FC_STYPE_DEAUTH:
6372 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
6373 handle_deauth(hapd, mgmt, len);
6374 ret = 1;
6375 break;
6376 case WLAN_FC_STYPE_ACTION:
6377 wpa_printf(MSG_DEBUG, "mgmt::action");
6378 ret = handle_action(hapd, mgmt, len, freq);
6379 break;
6380 default:
6381 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
6382 HOSTAPD_LEVEL_DEBUG,
6383 "unknown mgmt frame subtype %d", stype);
6384 break;
6385 }
6386
6387 return ret;
6388 }
6389
6390
handle_auth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6391 static void handle_auth_cb(struct hostapd_data *hapd,
6392 const struct ieee80211_mgmt *mgmt,
6393 size_t len, int ok)
6394 {
6395 u16 auth_alg, auth_transaction, status_code;
6396 struct sta_info *sta;
6397 bool success_status;
6398
6399 sta = ap_get_sta(hapd, mgmt->da);
6400 if (!sta) {
6401 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
6402 " not found",
6403 MAC2STR(mgmt->da));
6404 return;
6405 }
6406
6407 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
6408 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
6409 (unsigned long) len);
6410 auth_alg = 0;
6411 auth_transaction = 0;
6412 status_code = WLAN_STATUS_UNSPECIFIED_FAILURE;
6413 goto fail;
6414 }
6415
6416 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
6417 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
6418 status_code = le_to_host16(mgmt->u.auth.status_code);
6419
6420 if (!ok) {
6421 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6422 HOSTAPD_LEVEL_NOTICE,
6423 "did not acknowledge authentication response");
6424 goto fail;
6425 }
6426
6427 if (status_code == WLAN_STATUS_SUCCESS &&
6428 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
6429 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
6430 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6431 HOSTAPD_LEVEL_INFO, "authenticated");
6432 sta->flags |= WLAN_STA_AUTH;
6433 if (sta->added_unassoc)
6434 hostapd_set_sta_flags(hapd, sta);
6435 return;
6436 }
6437
6438 fail:
6439 success_status = status_code == WLAN_STATUS_SUCCESS;
6440 #ifdef CONFIG_SAE
6441 if (auth_alg == WLAN_AUTH_SAE && auth_transaction == 1)
6442 success_status = sae_status_success(hapd, status_code);
6443 #endif /* CONFIG_SAE */
6444 if (!success_status && sta->added_unassoc) {
6445 hostapd_drv_sta_remove(hapd, sta->addr);
6446 sta->added_unassoc = 0;
6447 }
6448 }
6449
6450
hostapd_set_wds_encryption(struct hostapd_data * hapd,struct sta_info * sta,char * ifname_wds)6451 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
6452 struct sta_info *sta,
6453 char *ifname_wds)
6454 {
6455 #ifdef CONFIG_WEP
6456 int i;
6457 struct hostapd_ssid *ssid = &hapd->conf->ssid;
6458
6459 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
6460 return;
6461
6462 for (i = 0; i < 4; i++) {
6463 if (ssid->wep.key[i] &&
6464 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
6465 0, i == ssid->wep.idx, NULL, 0,
6466 ssid->wep.key[i], ssid->wep.len[i],
6467 i == ssid->wep.idx ?
6468 KEY_FLAG_GROUP_RX_TX_DEFAULT :
6469 KEY_FLAG_GROUP_RX_TX)) {
6470 wpa_printf(MSG_WARNING,
6471 "Could not set WEP keys for WDS interface; %s",
6472 ifname_wds);
6473 break;
6474 }
6475 }
6476 #endif /* CONFIG_WEP */
6477 }
6478
6479
6480 #ifdef CONFIG_IEEE80211BE
ieee80211_ml_link_sta_assoc_cb(struct hostapd_data * hapd,struct sta_info * sta,struct mld_link_info * link,bool ok)6481 static void ieee80211_ml_link_sta_assoc_cb(struct hostapd_data *hapd,
6482 struct sta_info *sta,
6483 struct mld_link_info *link,
6484 bool ok)
6485 {
6486 bool updated = false;
6487
6488 if (!ok) {
6489 hostapd_logger(hapd, link->peer_addr, HOSTAPD_MODULE_IEEE80211,
6490 HOSTAPD_LEVEL_DEBUG,
6491 "did not acknowledge association response");
6492 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6493
6494 /* The STA is added only in case of SUCCESS */
6495 if (link->status == WLAN_STATUS_SUCCESS)
6496 hostapd_drv_sta_remove(hapd, sta->addr);
6497
6498 return;
6499 }
6500
6501 if (link->status != WLAN_STATUS_SUCCESS)
6502 return;
6503
6504 sta->flags |= WLAN_STA_ASSOC;
6505 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6506
6507 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa)
6508 updated = ap_sta_set_authorized_flag(hapd, sta, 1);
6509
6510 hostapd_set_sta_flags(hapd, sta);
6511 if (updated)
6512 ap_sta_set_authorized_event(hapd, sta, 1);
6513
6514 /*
6515 * TODOs:
6516 * - IEEE 802.1X port enablement is not needed as done on the station
6517 * doing the connection.
6518 * - Not handling accounting
6519 * - Need to handle VLAN configuration
6520 */
6521 }
6522 #endif /* CONFIG_IEEE80211BE */
6523
6524
hostapd_ml_handle_assoc_cb(struct hostapd_data * hapd,struct sta_info * sta,bool ok)6525 static void hostapd_ml_handle_assoc_cb(struct hostapd_data *hapd,
6526 struct sta_info *sta, bool ok)
6527 {
6528 #ifdef CONFIG_IEEE80211BE
6529 struct hostapd_data *tmp_hapd;
6530
6531 if (!hostapd_is_mld_ap(hapd))
6532 return;
6533
6534 for_each_mld_link(tmp_hapd, hapd) {
6535 struct mld_link_info *link;
6536 struct sta_info *tmp_sta;
6537
6538 if (tmp_hapd == hapd)
6539 continue;
6540
6541 link = &sta->mld_info.links[tmp_hapd->mld_link_id];
6542 if (!link->valid)
6543 continue;
6544
6545 for (tmp_sta = tmp_hapd->sta_list; tmp_sta;
6546 tmp_sta = tmp_sta->next) {
6547 if (tmp_sta == sta ||
6548 tmp_sta->mld_assoc_link_id !=
6549 sta->mld_assoc_link_id ||
6550 tmp_sta->aid != sta->aid)
6551 continue;
6552
6553 ieee80211_ml_link_sta_assoc_cb(tmp_hapd, tmp_sta, link,
6554 ok);
6555 break;
6556 }
6557 }
6558 #endif /* CONFIG_IEEE80211BE */
6559 }
6560
6561
handle_assoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int reassoc,int ok)6562 static void handle_assoc_cb(struct hostapd_data *hapd,
6563 const struct ieee80211_mgmt *mgmt,
6564 size_t len, int reassoc, int ok)
6565 {
6566 u16 status;
6567 struct sta_info *sta;
6568 int new_assoc = 1;
6569
6570 sta = ap_get_sta(hapd, mgmt->da);
6571 if (!sta) {
6572 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
6573 MAC2STR(mgmt->da));
6574 return;
6575 }
6576
6577 #ifdef CONFIG_IEEE80211BE
6578 if (ap_sta_is_mld(hapd, sta) &&
6579 hapd->mld_link_id != sta->mld_assoc_link_id) {
6580 /* See ieee80211_ml_link_sta_assoc_cb() for the MLD case */
6581 wpa_printf(MSG_DEBUG,
6582 "%s: MLD: ignore on link station (%d != %d)",
6583 __func__, hapd->mld_link_id, sta->mld_assoc_link_id);
6584 return;
6585 }
6586 #endif /* CONFIG_IEEE80211BE */
6587
6588 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
6589 sizeof(mgmt->u.assoc_resp))) {
6590 wpa_printf(MSG_INFO,
6591 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
6592 reassoc, (unsigned long) len);
6593 hostapd_drv_sta_remove(hapd, sta->addr);
6594 return;
6595 }
6596
6597 if (reassoc)
6598 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
6599 else
6600 status = le_to_host16(mgmt->u.assoc_resp.status_code);
6601
6602 if (!ok) {
6603 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
6604 HOSTAPD_LEVEL_DEBUG,
6605 "did not acknowledge association response");
6606 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
6607 /* The STA is added only in case of SUCCESS */
6608 if (status == WLAN_STATUS_SUCCESS)
6609 hostapd_drv_sta_remove(hapd, sta->addr);
6610
6611 goto handle_ml;
6612 }
6613
6614 if (status != WLAN_STATUS_SUCCESS)
6615 goto handle_ml;
6616
6617 /* Stop previous accounting session, if one is started, and allocate
6618 * new session id for the new session. */
6619 accounting_sta_stop(hapd, sta);
6620
6621 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
6622 HOSTAPD_LEVEL_INFO,
6623 "associated (aid %d)",
6624 sta->aid);
6625
6626 if (sta->flags & WLAN_STA_ASSOC)
6627 new_assoc = 0;
6628 sta->flags |= WLAN_STA_ASSOC;
6629 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
6630 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
6631 !hapd->conf->osen) ||
6632 sta->auth_alg == WLAN_AUTH_FILS_SK ||
6633 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6634 sta->auth_alg == WLAN_AUTH_FILS_PK ||
6635 sta->auth_alg == WLAN_AUTH_FT) {
6636 /*
6637 * Open, static WEP, FT protocol, or FILS; no separate
6638 * authorization step.
6639 */
6640 ap_sta_set_authorized(hapd, sta, 1);
6641 }
6642
6643 if (reassoc)
6644 mlme_reassociate_indication(hapd, sta);
6645 else
6646 mlme_associate_indication(hapd, sta);
6647
6648 sta->sa_query_timed_out = 0;
6649
6650 if (sta->eapol_sm == NULL) {
6651 /*
6652 * This STA does not use RADIUS server for EAP authentication,
6653 * so bind it to the selected VLAN interface now, since the
6654 * interface selection is not going to change anymore.
6655 */
6656 if (ap_sta_bind_vlan(hapd, sta) < 0)
6657 goto handle_ml;
6658 } else if (sta->vlan_id) {
6659 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
6660 if (ap_sta_bind_vlan(hapd, sta) < 0)
6661 goto handle_ml;
6662 }
6663
6664 hostapd_set_sta_flags(hapd, sta);
6665
6666 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
6667 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
6668 MACSTR " based on pending request",
6669 MAC2STR(sta->addr));
6670 sta->pending_wds_enable = 0;
6671 sta->flags |= WLAN_STA_WDS;
6672 }
6673
6674 /* WPS not supported on backhaul BSS. Disable 4addr mode on fronthaul */
6675 if ((sta->flags & WLAN_STA_WDS) ||
6676 (sta->flags & WLAN_STA_MULTI_AP &&
6677 (hapd->conf->multi_ap & BACKHAUL_BSS) &&
6678 hapd->conf->wds_sta &&
6679 !(sta->flags & WLAN_STA_WPS))) {
6680 int ret;
6681 char ifname_wds[IFNAMSIZ + 1];
6682
6683 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
6684 MACSTR " (aid %u)",
6685 MAC2STR(sta->addr), sta->aid);
6686 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
6687 sta->aid, 1);
6688 if (!ret)
6689 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
6690 }
6691
6692 if (sta->auth_alg == WLAN_AUTH_FT)
6693 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
6694 else
6695 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
6696 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
6697 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
6698
6699 #ifdef CONFIG_FILS
6700 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
6701 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
6702 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
6703 fils_set_tk(sta->wpa_sm) < 0) {
6704 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
6705 ap_sta_disconnect(hapd, sta, sta->addr,
6706 WLAN_REASON_UNSPECIFIED);
6707 return;
6708 }
6709 #endif /* CONFIG_FILS */
6710
6711 if (sta->pending_eapol_rx) {
6712 struct os_reltime now, age;
6713
6714 os_get_reltime(&now);
6715 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
6716 if (age.sec == 0 && age.usec < 200000) {
6717 wpa_printf(MSG_DEBUG,
6718 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
6719 MAC2STR(sta->addr));
6720 ieee802_1x_receive(
6721 hapd, mgmt->da,
6722 wpabuf_head(sta->pending_eapol_rx->buf),
6723 wpabuf_len(sta->pending_eapol_rx->buf),
6724 sta->pending_eapol_rx->encrypted);
6725 }
6726 wpabuf_free(sta->pending_eapol_rx->buf);
6727 os_free(sta->pending_eapol_rx);
6728 sta->pending_eapol_rx = NULL;
6729 }
6730
6731 handle_ml:
6732 hostapd_ml_handle_assoc_cb(hapd, sta, ok);
6733 }
6734
6735
handle_deauth_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6736 static void handle_deauth_cb(struct hostapd_data *hapd,
6737 const struct ieee80211_mgmt *mgmt,
6738 size_t len, int ok)
6739 {
6740 struct sta_info *sta;
6741 if (is_multicast_ether_addr(mgmt->da))
6742 return;
6743 sta = ap_get_sta(hapd, mgmt->da);
6744 if (!sta) {
6745 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
6746 " not found", MAC2STR(mgmt->da));
6747 return;
6748 }
6749 if (ok)
6750 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
6751 MAC2STR(sta->addr));
6752 else
6753 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6754 "deauth", MAC2STR(sta->addr));
6755
6756 ap_sta_deauth_cb(hapd, sta);
6757 }
6758
6759
handle_disassoc_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6760 static void handle_disassoc_cb(struct hostapd_data *hapd,
6761 const struct ieee80211_mgmt *mgmt,
6762 size_t len, int ok)
6763 {
6764 struct sta_info *sta;
6765 if (is_multicast_ether_addr(mgmt->da))
6766 return;
6767 sta = ap_get_sta(hapd, mgmt->da);
6768 if (!sta) {
6769 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
6770 " not found", MAC2STR(mgmt->da));
6771 return;
6772 }
6773 if (ok)
6774 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
6775 MAC2STR(sta->addr));
6776 else
6777 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
6778 "disassoc", MAC2STR(sta->addr));
6779
6780 ap_sta_disassoc_cb(hapd, sta);
6781 }
6782
6783
handle_action_cb(struct hostapd_data * hapd,const struct ieee80211_mgmt * mgmt,size_t len,int ok)6784 static void handle_action_cb(struct hostapd_data *hapd,
6785 const struct ieee80211_mgmt *mgmt,
6786 size_t len, int ok)
6787 {
6788 struct sta_info *sta;
6789 #ifndef CONFIG_NO_RRM
6790 const struct rrm_measurement_report_element *report;
6791 #endif /* CONFIG_NO_RRM */
6792
6793 #ifdef CONFIG_DPP
6794 if (len >= IEEE80211_HDRLEN + 6 &&
6795 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6796 mgmt->u.action.u.vs_public_action.action ==
6797 WLAN_PA_VENDOR_SPECIFIC &&
6798 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
6799 OUI_WFA &&
6800 mgmt->u.action.u.vs_public_action.variable[0] ==
6801 DPP_OUI_TYPE) {
6802 const u8 *pos, *end;
6803
6804 pos = &mgmt->u.action.u.vs_public_action.variable[1];
6805 end = ((const u8 *) mgmt) + len;
6806 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
6807 return;
6808 }
6809 if (len >= IEEE80211_HDRLEN + 2 &&
6810 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
6811 (mgmt->u.action.u.public_action.action ==
6812 WLAN_PA_GAS_INITIAL_REQ ||
6813 mgmt->u.action.u.public_action.action ==
6814 WLAN_PA_GAS_COMEBACK_REQ)) {
6815 const u8 *pos, *end;
6816
6817 pos = mgmt->u.action.u.public_action.variable;
6818 end = ((const u8 *) mgmt) + len;
6819 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
6820 return;
6821 }
6822 #endif /* CONFIG_DPP */
6823 if (is_multicast_ether_addr(mgmt->da))
6824 return;
6825 sta = ap_get_sta(hapd, mgmt->da);
6826 if (!sta) {
6827 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
6828 " not found", MAC2STR(mgmt->da));
6829 return;
6830 }
6831
6832 #ifdef CONFIG_HS20
6833 if (ok && len >= IEEE80211_HDRLEN + 2 &&
6834 mgmt->u.action.category == WLAN_ACTION_WNM &&
6835 mgmt->u.action.u.vs_public_action.action == WNM_NOTIFICATION_REQ &&
6836 sta->hs20_deauth_on_ack) {
6837 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthenticate STA " MACSTR
6838 " on acknowledging the WNM-Notification",
6839 MAC2STR(sta->addr));
6840 ap_sta_session_timeout(hapd, sta, 0);
6841 return;
6842 }
6843 #endif /* CONFIG_HS20 */
6844
6845 #ifndef CONFIG_NO_RRM
6846 if (len < 24 + 5 + sizeof(*report))
6847 return;
6848 report = (const struct rrm_measurement_report_element *)
6849 &mgmt->u.action.u.rrm.variable[2];
6850 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
6851 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
6852 report->eid == WLAN_EID_MEASURE_REQUEST &&
6853 report->len >= 3 &&
6854 report->type == MEASURE_TYPE_BEACON)
6855 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
6856 #endif /* CONFIG_NO_RRM */
6857 }
6858
6859
6860 /**
6861 * ieee802_11_mgmt_cb - Process management frame TX status callback
6862 * @hapd: hostapd BSS data structure (the BSS from which the management frame
6863 * was sent from)
6864 * @buf: management frame data (starting from IEEE 802.11 header)
6865 * @len: length of frame data in octets
6866 * @stype: management frame subtype from frame control field
6867 * @ok: Whether the frame was ACK'ed
6868 */
ieee802_11_mgmt_cb(struct hostapd_data * hapd,const u8 * buf,size_t len,u16 stype,int ok)6869 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
6870 u16 stype, int ok)
6871 {
6872 const struct ieee80211_mgmt *mgmt;
6873 mgmt = (const struct ieee80211_mgmt *) buf;
6874
6875 #ifdef CONFIG_TESTING_OPTIONS
6876 if (hapd->ext_mgmt_frame_handling) {
6877 size_t hex_len = 2 * len + 1;
6878 char *hex = os_malloc(hex_len);
6879
6880 if (hex) {
6881 wpa_snprintf_hex(hex, hex_len, buf, len);
6882 wpa_msg(hapd->msg_ctx, MSG_INFO,
6883 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
6884 stype, ok, hex);
6885 os_free(hex);
6886 }
6887 return;
6888 }
6889 #endif /* CONFIG_TESTING_OPTIONS */
6890
6891 switch (stype) {
6892 case WLAN_FC_STYPE_AUTH:
6893 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
6894 handle_auth_cb(hapd, mgmt, len, ok);
6895 break;
6896 case WLAN_FC_STYPE_ASSOC_RESP:
6897 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
6898 handle_assoc_cb(hapd, mgmt, len, 0, ok);
6899 break;
6900 case WLAN_FC_STYPE_REASSOC_RESP:
6901 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
6902 handle_assoc_cb(hapd, mgmt, len, 1, ok);
6903 break;
6904 case WLAN_FC_STYPE_PROBE_RESP:
6905 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
6906 break;
6907 case WLAN_FC_STYPE_DEAUTH:
6908 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
6909 handle_deauth_cb(hapd, mgmt, len, ok);
6910 break;
6911 case WLAN_FC_STYPE_DISASSOC:
6912 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
6913 handle_disassoc_cb(hapd, mgmt, len, ok);
6914 break;
6915 case WLAN_FC_STYPE_ACTION:
6916 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
6917 handle_action_cb(hapd, mgmt, len, ok);
6918 break;
6919 default:
6920 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
6921 break;
6922 }
6923 }
6924
6925
ieee802_11_get_mib(struct hostapd_data * hapd,char * buf,size_t buflen)6926 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
6927 {
6928 /* TODO */
6929 return 0;
6930 }
6931
6932
ieee802_11_get_mib_sta(struct hostapd_data * hapd,struct sta_info * sta,char * buf,size_t buflen)6933 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
6934 char *buf, size_t buflen)
6935 {
6936 /* TODO */
6937 return 0;
6938 }
6939
6940
hostapd_tx_status(struct hostapd_data * hapd,const u8 * addr,const u8 * buf,size_t len,int ack)6941 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
6942 const u8 *buf, size_t len, int ack)
6943 {
6944 struct sta_info *sta;
6945 struct hostapd_iface *iface = hapd->iface;
6946
6947 sta = ap_get_sta(hapd, addr);
6948 if (sta == NULL && iface->num_bss > 1) {
6949 size_t j;
6950 for (j = 0; j < iface->num_bss; j++) {
6951 hapd = iface->bss[j];
6952 sta = ap_get_sta(hapd, addr);
6953 if (sta)
6954 break;
6955 }
6956 }
6957 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
6958 return;
6959 if (sta->flags & WLAN_STA_PENDING_POLL) {
6960 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
6961 "activity poll", MAC2STR(sta->addr),
6962 ack ? "ACKed" : "did not ACK");
6963 if (ack)
6964 sta->flags &= ~WLAN_STA_PENDING_POLL;
6965 }
6966
6967 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
6968 }
6969
6970
hostapd_client_poll_ok(struct hostapd_data * hapd,const u8 * addr)6971 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
6972 {
6973 struct sta_info *sta;
6974 struct hostapd_iface *iface = hapd->iface;
6975
6976 sta = ap_get_sta(hapd, addr);
6977 if (sta == NULL && iface->num_bss > 1) {
6978 size_t j;
6979 for (j = 0; j < iface->num_bss; j++) {
6980 hapd = iface->bss[j];
6981 sta = ap_get_sta(hapd, addr);
6982 if (sta)
6983 break;
6984 }
6985 }
6986 if (sta == NULL)
6987 return;
6988 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
6989 MAC2STR(sta->addr));
6990 if (!(sta->flags & WLAN_STA_PENDING_POLL))
6991 return;
6992
6993 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
6994 "activity poll", MAC2STR(sta->addr));
6995 sta->flags &= ~WLAN_STA_PENDING_POLL;
6996 }
6997
6998
ieee802_11_rx_from_unknown(struct hostapd_data * hapd,const u8 * src,int wds)6999 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
7000 int wds)
7001 {
7002 struct sta_info *sta;
7003
7004 sta = ap_get_sta(hapd, src);
7005 if (sta &&
7006 ((sta->flags & WLAN_STA_ASSOC) ||
7007 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
7008 if (!hapd->conf->wds_sta)
7009 return;
7010
7011 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
7012 WLAN_STA_ASSOC_REQ_OK) {
7013 wpa_printf(MSG_DEBUG,
7014 "Postpone 4-address WDS mode enabling for STA "
7015 MACSTR " since TX status for AssocResp is not yet known",
7016 MAC2STR(sta->addr));
7017 sta->pending_wds_enable = 1;
7018 return;
7019 }
7020
7021 if (wds && !(sta->flags & WLAN_STA_WDS)) {
7022 int ret;
7023 char ifname_wds[IFNAMSIZ + 1];
7024
7025 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
7026 "STA " MACSTR " (aid %u)",
7027 MAC2STR(sta->addr), sta->aid);
7028 sta->flags |= WLAN_STA_WDS;
7029 ret = hostapd_set_wds_sta(hapd, ifname_wds,
7030 sta->addr, sta->aid, 1);
7031 if (!ret)
7032 hostapd_set_wds_encryption(hapd, sta,
7033 ifname_wds);
7034 }
7035 return;
7036 }
7037
7038 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
7039 MACSTR, MAC2STR(src));
7040 if (is_multicast_ether_addr(src) || is_zero_ether_addr(src) ||
7041 ether_addr_equal(src, hapd->own_addr)) {
7042 /* Broadcast bit set in SA or unexpected SA?! Ignore the frame
7043 * silently. */
7044 return;
7045 }
7046
7047 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
7048 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
7049 "already been sent, but no TX status yet known - "
7050 "ignore Class 3 frame issue with " MACSTR,
7051 MAC2STR(src));
7052 return;
7053 }
7054
7055 if (sta && (sta->flags & WLAN_STA_AUTH))
7056 hostapd_drv_sta_disassoc(
7057 hapd, src,
7058 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
7059 else
7060 hostapd_drv_sta_deauth(
7061 hapd, src,
7062 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
7063 }
7064
7065
hostapd_add_tpe_info(u8 * eid,u8 tx_pwr_count,enum max_tx_pwr_interpretation tx_pwr_intrpn,u8 tx_pwr_cat,u8 tx_pwr)7066 static u8 * hostapd_add_tpe_info(u8 *eid, u8 tx_pwr_count,
7067 enum max_tx_pwr_interpretation tx_pwr_intrpn,
7068 u8 tx_pwr_cat, u8 tx_pwr)
7069 {
7070 int i;
7071
7072 *eid++ = WLAN_EID_TRANSMIT_POWER_ENVELOPE; /* Element ID */
7073 *eid++ = 2 + tx_pwr_count; /* Length */
7074
7075 /*
7076 * Transmit Power Information field
7077 * bits 0-2 : Maximum Transmit Power Count
7078 * bits 3-5 : Maximum Transmit Power Interpretation
7079 * bits 6-7 : Maximum Transmit Power Category
7080 */
7081 *eid++ = tx_pwr_count | (tx_pwr_intrpn << 3) | (tx_pwr_cat << 6);
7082
7083 /* Maximum Transmit Power field */
7084 for (i = 0; i <= tx_pwr_count; i++)
7085 *eid++ = tx_pwr;
7086
7087 return eid;
7088 }
7089
7090
7091 /*
7092 * TODO: Extract power limits from channel data after 6G regulatory
7093 * support.
7094 */
7095 #define REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT (-1) /* dBm/MHz */
7096 #define REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT 5 /* dBm/MHz */
7097
hostapd_eid_txpower_envelope(struct hostapd_data * hapd,u8 * eid)7098 u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid)
7099 {
7100 struct hostapd_iface *iface = hapd->iface;
7101 struct hostapd_config *iconf = iface->conf;
7102 struct hostapd_hw_modes *mode = iface->current_mode;
7103 struct hostapd_channel_data *chan;
7104 int dfs, i;
7105 u8 channel, tx_pwr_count, local_pwr_constraint;
7106 int max_tx_power;
7107 u8 tx_pwr;
7108
7109 if (!mode)
7110 return eid;
7111
7112 if (ieee80211_freq_to_chan(iface->freq, &channel) == NUM_HOSTAPD_MODES)
7113 return eid;
7114
7115 for (i = 0; i < mode->num_channels; i++) {
7116 if (mode->channels[i].freq == iface->freq)
7117 break;
7118 }
7119 if (i == mode->num_channels)
7120 return eid;
7121
7122 #ifdef CONFIG_IEEE80211AX
7123 /* IEEE Std 802.11ax-2021, Annex E.2.7 (6 GHz band in the United
7124 * States): An AP that is an Indoor Access Point per regulatory rules
7125 * shall send at least two Transmit Power Envelope elements in Beacon
7126 * and Probe Response frames as follows:
7127 * - Maximum Transmit Power Category subfield = Default;
7128 * Unit interpretation = Regulatory client EIRP PSD
7129 * - Maximum Transmit Power Category subfield = Subordinate Device;
7130 * Unit interpretation = Regulatory client EIRP PSD
7131 */
7132 if (is_6ghz_op_class(iconf->op_class)) {
7133 enum max_tx_pwr_interpretation tx_pwr_intrpn;
7134
7135 /* Same Maximum Transmit Power for all 20 MHz bands */
7136 tx_pwr_count = 0;
7137 tx_pwr_intrpn = REGULATORY_CLIENT_EIRP_PSD;
7138
7139 /* Default Transmit Power Envelope for Global Operating Class */
7140 if (hapd->iconf->reg_def_cli_eirp_psd != -1)
7141 tx_pwr = hapd->iconf->reg_def_cli_eirp_psd;
7142 else
7143 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_DEFAULT_CLIENT * 2;
7144
7145 eid = hostapd_add_tpe_info(eid, tx_pwr_count, tx_pwr_intrpn,
7146 REG_DEFAULT_CLIENT, tx_pwr);
7147
7148 /* Indoor Access Point must include an additional TPE for
7149 * subordinate devices */
7150 if (he_reg_is_indoor(iconf->he_6ghz_reg_pwr_type)) {
7151 /* TODO: Extract PSD limits from channel data */
7152 if (hapd->iconf->reg_sub_cli_eirp_psd != -1)
7153 tx_pwr = hapd->iconf->reg_sub_cli_eirp_psd;
7154 else
7155 tx_pwr = REG_PSD_MAX_TXPOWER_FOR_SUBORDINATE_CLIENT * 2;
7156 eid = hostapd_add_tpe_info(eid, tx_pwr_count,
7157 tx_pwr_intrpn,
7158 REG_SUBORDINATE_CLIENT,
7159 tx_pwr);
7160 }
7161
7162 if (iconf->reg_def_cli_eirp != -1 &&
7163 he_reg_is_sp(iconf->he_6ghz_reg_pwr_type))
7164 eid = hostapd_add_tpe_info(
7165 eid, tx_pwr_count, REGULATORY_CLIENT_EIRP,
7166 REG_DEFAULT_CLIENT,
7167 hapd->iconf->reg_def_cli_eirp);
7168
7169 return eid;
7170 }
7171 #endif /* CONFIG_IEEE80211AX */
7172
7173 switch (hostapd_get_oper_chwidth(iconf)) {
7174 case CONF_OPER_CHWIDTH_USE_HT:
7175 if (iconf->secondary_channel == 0) {
7176 /* Max Transmit Power count = 0 (20 MHz) */
7177 tx_pwr_count = 0;
7178 } else {
7179 /* Max Transmit Power count = 1 (20, 40 MHz) */
7180 tx_pwr_count = 1;
7181 }
7182 break;
7183 case CONF_OPER_CHWIDTH_80MHZ:
7184 /* Max Transmit Power count = 2 (20, 40, and 80 MHz) */
7185 tx_pwr_count = 2;
7186 break;
7187 case CONF_OPER_CHWIDTH_80P80MHZ:
7188 case CONF_OPER_CHWIDTH_160MHZ:
7189 /* Max Transmit Power count = 3 (20, 40, 80, 160/80+80 MHz) */
7190 tx_pwr_count = 3;
7191 break;
7192 default:
7193 return eid;
7194 }
7195
7196 /*
7197 * Below local_pwr_constraint logic is referred from
7198 * hostapd_eid_pwr_constraint.
7199 *
7200 * Check if DFS is required by regulatory.
7201 */
7202 dfs = hostapd_is_dfs_required(hapd->iface);
7203 if (dfs < 0)
7204 dfs = 0;
7205
7206 /*
7207 * In order to meet regulations when TPC is not implemented using
7208 * a transmit power that is below the legal maximum (including any
7209 * mitigation factor) should help. In this case, indicate 3 dB below
7210 * maximum allowed transmit power.
7211 */
7212 if (hapd->iconf->local_pwr_constraint == -1)
7213 local_pwr_constraint = (dfs == 0) ? 0 : 3;
7214 else
7215 local_pwr_constraint = hapd->iconf->local_pwr_constraint;
7216
7217 /*
7218 * A STA that is not an AP shall use a transmit power less than or
7219 * equal to the local maximum transmit power level for the channel.
7220 * The local maximum transmit power can be calculated from the formula:
7221 * local max TX pwr = max TX pwr - local pwr constraint
7222 * Where max TX pwr is maximum transmit power level specified for
7223 * channel in Country element and local pwr constraint is specified
7224 * for channel in this Power Constraint element.
7225 */
7226 chan = &mode->channels[i];
7227 max_tx_power = chan->max_tx_power - local_pwr_constraint;
7228
7229 /*
7230 * Local Maximum Transmit power is encoded as two's complement
7231 * with a 0.5 dB step.
7232 */
7233 max_tx_power *= 2; /* in 0.5 dB steps */
7234 if (max_tx_power > 127) {
7235 /* 63.5 has special meaning of 63.5 dBm or higher */
7236 max_tx_power = 127;
7237 }
7238 if (max_tx_power < -128)
7239 max_tx_power = -128;
7240 if (max_tx_power < 0)
7241 tx_pwr = 0x80 + max_tx_power + 128;
7242 else
7243 tx_pwr = max_tx_power;
7244
7245 return hostapd_add_tpe_info(eid, tx_pwr_count, LOCAL_EIRP,
7246 0 /* Reserved for bands other than 6 GHz */,
7247 tx_pwr);
7248 }
7249
7250
7251 /* Wide Bandwidth Channel Switch subelement */
hostapd_eid_wb_channel_switch(struct hostapd_data * hapd,u8 * eid,u8 chan1,u8 chan2)7252 static u8 * hostapd_eid_wb_channel_switch(struct hostapd_data *hapd, u8 *eid,
7253 u8 chan1, u8 chan2)
7254 {
7255 u8 bw;
7256
7257 /* bandwidth: 0: 40, 1: 80, 160, 80+80, 4: 320 as per
7258 * IEEE P802.11-REVme/D4.0, 9.4.2.159 and Table 9-314. */
7259 switch (hapd->cs_freq_params.bandwidth) {
7260 case 40:
7261 bw = 0;
7262 break;
7263 case 80:
7264 bw = 1;
7265 break;
7266 case 160:
7267 bw = 1;
7268 break;
7269 case 320:
7270 bw = 4;
7271 break;
7272 default:
7273 /* not valid VHT bandwidth or not in CSA */
7274 return eid;
7275 }
7276
7277 *eid++ = WLAN_EID_WIDE_BW_CHSWITCH;
7278 *eid++ = 3; /* Length of Wide Bandwidth Channel Switch element */
7279 *eid++ = bw; /* New Channel Width */
7280 if (hapd->cs_freq_params.bandwidth == 160) {
7281 /* Update the CCFS0 and CCFS1 values in the element based on
7282 * IEEE P802.11-REVme/D4.0, Table 9-314 */
7283
7284 /* CCFS1 - The channel center frequency index of the 160 MHz
7285 * channel. */
7286 chan2 = chan1;
7287
7288 /* CCFS0 - The channel center frequency index of the 80 MHz
7289 * channel segment that contains the primary channel. */
7290 if (hapd->cs_freq_params.channel < chan1)
7291 chan1 -= 8;
7292 else
7293 chan1 += 8;
7294 }
7295 *eid++ = chan1; /* New Channel Center Frequency Segment 0 */
7296 *eid++ = chan2; /* New Channel Center Frequency Segment 1 */
7297
7298 return eid;
7299 }
7300
7301
7302 #ifdef CONFIG_IEEE80211BE
7303 /* Bandwidth Indication element that is also used as the Bandwidth Indication
7304 * For Channel Switch subelement within a Channel Switch Wrapper element. */
hostapd_eid_bw_indication(struct hostapd_data * hapd,u8 * eid,u8 chan1,u8 chan2)7305 static u8 * hostapd_eid_bw_indication(struct hostapd_data *hapd, u8 *eid,
7306 u8 chan1, u8 chan2)
7307 {
7308 u16 punct_bitmap = hostapd_get_punct_bitmap(hapd);
7309 struct ieee80211_bw_ind_element *bw_ind_elem;
7310 size_t elen = 3;
7311
7312 if (hapd->cs_freq_params.bandwidth <= 160 && !punct_bitmap)
7313 return eid;
7314
7315 if (punct_bitmap)
7316 elen += EHT_OPER_DISABLED_SUBCHAN_BITMAP_SIZE;
7317
7318 *eid++ = WLAN_EID_EXTENSION;
7319 *eid++ = 1 + elen;
7320 *eid++ = WLAN_EID_EXT_BANDWIDTH_INDICATION;
7321
7322 bw_ind_elem = (struct ieee80211_bw_ind_element *) eid;
7323 os_memset(bw_ind_elem, 0, sizeof(struct ieee80211_bw_ind_element));
7324
7325 switch (hapd->cs_freq_params.bandwidth) {
7326 case 320:
7327 bw_ind_elem->bw_ind_info.control |= BW_IND_CHANNEL_WIDTH_320MHZ;
7328 chan2 = chan1;
7329 if (hapd->cs_freq_params.channel < chan1)
7330 chan1 -= 16;
7331 else
7332 chan1 += 16;
7333 break;
7334 case 160:
7335 bw_ind_elem->bw_ind_info.control |= BW_IND_CHANNEL_WIDTH_160MHZ;
7336 chan2 = chan1;
7337 if (hapd->cs_freq_params.channel < chan1)
7338 chan1 -= 8;
7339 else
7340 chan1 += 8;
7341 break;
7342 case 80:
7343 bw_ind_elem->bw_ind_info.control |= BW_IND_CHANNEL_WIDTH_80MHZ;
7344 break;
7345 case 40:
7346 if (hapd->cs_freq_params.sec_channel_offset == 1)
7347 bw_ind_elem->bw_ind_info.control |=
7348 BW_IND_CHANNEL_WIDTH_40MHZ;
7349 else
7350 bw_ind_elem->bw_ind_info.control |=
7351 BW_IND_CHANNEL_WIDTH_20MHZ;
7352 break;
7353 default:
7354 bw_ind_elem->bw_ind_info.control |= BW_IND_CHANNEL_WIDTH_20MHZ;
7355 break;
7356 }
7357
7358 bw_ind_elem->bw_ind_info.ccfs0 = chan1;
7359 bw_ind_elem->bw_ind_info.ccfs1 = chan2;
7360
7361 if (punct_bitmap) {
7362 bw_ind_elem->bw_ind_params |=
7363 BW_IND_PARAMETER_DISABLED_SUBCHAN_BITMAP_PRESENT;
7364 bw_ind_elem->bw_ind_info.disabled_chan_bitmap =
7365 host_to_le16(punct_bitmap);
7366 }
7367
7368 return eid + elen;
7369 }
7370 #endif /* CONFIG_IEEE80211BE */
7371
7372
hostapd_eid_chsw_wrapper(struct hostapd_data * hapd,u8 * eid)7373 u8 * hostapd_eid_chsw_wrapper(struct hostapd_data *hapd, u8 *eid)
7374 {
7375 u8 chan1 = 0, chan2 = 0;
7376 u8 *eid_len_offset;
7377 int freq1;
7378
7379 if (!hapd->cs_freq_params.channel ||
7380 (!hapd->cs_freq_params.vht_enabled &&
7381 !hapd->cs_freq_params.he_enabled &&
7382 !hapd->cs_freq_params.eht_enabled))
7383 return eid;
7384
7385 freq1 = hapd->cs_freq_params.center_freq1 ?
7386 hapd->cs_freq_params.center_freq1 :
7387 hapd->cs_freq_params.freq;
7388 if (ieee80211_freq_to_chan(freq1, &chan1) !=
7389 HOSTAPD_MODE_IEEE80211A)
7390 return eid;
7391
7392 if (hapd->cs_freq_params.center_freq2 &&
7393 ieee80211_freq_to_chan(hapd->cs_freq_params.center_freq2,
7394 &chan2) != HOSTAPD_MODE_IEEE80211A)
7395 return eid;
7396
7397 *eid++ = WLAN_EID_CHANNEL_SWITCH_WRAPPER;
7398 eid_len_offset = eid++; /* Length of Channel Switch Wrapper element */
7399
7400 eid = hostapd_eid_wb_channel_switch(hapd, eid, chan1, chan2);
7401
7402 #ifdef CONFIG_IEEE80211BE
7403 if (hapd->iconf->ieee80211be && !hapd->conf->disable_11be) {
7404 /* Bandwidth Indication For Channel Switch subelement */
7405 eid = hostapd_eid_bw_indication(hapd, eid, chan1, chan2);
7406 }
7407 #endif /* CONFIG_IEEE80211BE */
7408
7409 *eid_len_offset = (eid - eid_len_offset) - 1;
7410 return eid;
7411 }
7412
7413
hostapd_eid_nr_db_len(struct hostapd_data * hapd,size_t * current_len)7414 static size_t hostapd_eid_nr_db_len(struct hostapd_data *hapd,
7415 size_t *current_len)
7416 {
7417 struct hostapd_neighbor_entry *nr;
7418 size_t total_len = 0, len = *current_len;
7419
7420 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7421 list) {
7422 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7423 continue;
7424
7425 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7426 continue;
7427
7428 /* Start a new element */
7429 if (!len ||
7430 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7431 len = RNR_HEADER_LEN;
7432 total_len += RNR_HEADER_LEN;
7433 }
7434
7435 len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7436 total_len += RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN;
7437 }
7438
7439 *current_len = len;
7440 return total_len;
7441 }
7442
7443
7444 struct mbssid_ie_profiles {
7445 u8 start;
7446 u8 end;
7447 };
7448
hostapd_skip_rnr(size_t i,struct mbssid_ie_profiles * skip_profiles,bool ap_mld,u8 tbtt_info_len,bool mld_update,struct hostapd_data * reporting_hapd,struct hostapd_data * bss)7449 static bool hostapd_skip_rnr(size_t i, struct mbssid_ie_profiles *skip_profiles,
7450 bool ap_mld, u8 tbtt_info_len, bool mld_update,
7451 struct hostapd_data *reporting_hapd,
7452 struct hostapd_data *bss)
7453 {
7454 if (skip_profiles &&
7455 i >= skip_profiles->start && i < skip_profiles->end)
7456 return true;
7457
7458 /* No need to report if length is for normal TBTT and the BSS is
7459 * affiliated with an AP MLD. MLD TBTT will include this. */
7460 if (tbtt_info_len == RNR_TBTT_INFO_LEN && ap_mld)
7461 return true;
7462
7463 /* No need to report if length is for MLD TBTT and the BSS is not
7464 * affiliated with an aP MLD. Normal TBTT will include this. */
7465 if (tbtt_info_len == RNR_TBTT_INFO_MLD_LEN && !ap_mld)
7466 return true;
7467
7468 #ifdef CONFIG_IEEE80211BE
7469 /* If building for co-location and they are ML partners, no need to
7470 * include since the ML RNR will carry this. */
7471 if (!mld_update && hostapd_is_ml_partner(reporting_hapd, bss))
7472 return true;
7473
7474 /* If building for ML RNR and they are not ML partners, don't include.
7475 */
7476 if (mld_update && !hostapd_is_ml_partner(reporting_hapd, bss))
7477 return true;
7478 #endif /* CONFIG_IEEE80211BE */
7479
7480 return false;
7481 }
7482
7483
7484 static size_t
hostapd_eid_rnr_iface_len(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,size_t * current_len,struct mbssid_ie_profiles * skip_profiles,bool mld_update)7485 hostapd_eid_rnr_iface_len(struct hostapd_data *hapd,
7486 struct hostapd_data *reporting_hapd,
7487 size_t *current_len,
7488 struct mbssid_ie_profiles *skip_profiles,
7489 bool mld_update)
7490 {
7491 size_t total_len = 0, len = *current_len;
7492 int tbtt_count, total_tbtt_count = 0;
7493 size_t i, start;
7494 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN :
7495 RNR_TBTT_INFO_LEN;
7496
7497 repeat_rnr_len:
7498 start = 0;
7499 tbtt_count = 0;
7500
7501 while (start < hapd->iface->num_bss) {
7502 if (!len ||
7503 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 ||
7504 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
7505 len = RNR_HEADER_LEN;
7506 total_len += RNR_HEADER_LEN;
7507 tbtt_count = 0;
7508 }
7509
7510 len += RNR_TBTT_HEADER_LEN;
7511 total_len += RNR_TBTT_HEADER_LEN;
7512
7513 for (i = start; i < hapd->iface->num_bss; i++) {
7514 struct hostapd_data *bss = hapd->iface->bss[i];
7515 bool ap_mld = false;
7516
7517 if (!bss || !bss->conf || !bss->started)
7518 continue;
7519
7520 #ifdef CONFIG_IEEE80211BE
7521 ap_mld = bss->conf->mld_ap;
7522 #endif /* CONFIG_IEEE80211BE */
7523
7524 if (bss == reporting_hapd ||
7525 bss->conf->ignore_broadcast_ssid)
7526 continue;
7527
7528 if (hostapd_skip_rnr(i, skip_profiles, ap_mld,
7529 tbtt_info_len, mld_update,
7530 reporting_hapd, bss))
7531 continue;
7532
7533 if (len + tbtt_info_len > 255 ||
7534 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7535 break;
7536
7537 len += tbtt_info_len;
7538 total_len += tbtt_info_len;
7539 tbtt_count++;
7540 }
7541 start = i;
7542 }
7543
7544 total_tbtt_count += tbtt_count;
7545
7546 /* If building for co-location, re-build again but this time include
7547 * ML TBTTs.
7548 */
7549 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) {
7550 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN;
7551
7552 /* If no TBTT was found, adjust the len and total_len since it
7553 * would have incremented before we checked all BSSs. */
7554 if (!tbtt_count) {
7555 len -= RNR_TBTT_HEADER_LEN;
7556 total_len -= RNR_TBTT_HEADER_LEN;
7557 }
7558
7559 goto repeat_rnr_len;
7560 }
7561
7562 /* This is possible when in the re-built case and no suitable TBTT was
7563 * found. Adjust the length accordingly. */
7564 if (!tbtt_count && total_tbtt_count) {
7565 len -= RNR_TBTT_HEADER_LEN;
7566 total_len -= RNR_TBTT_HEADER_LEN;
7567 }
7568
7569 if (!total_tbtt_count)
7570 total_len = 0;
7571 else
7572 *current_len = len;
7573
7574 return total_len;
7575 }
7576
7577
7578 enum colocation_mode {
7579 NO_COLOCATED_6GHZ,
7580 STANDALONE_6GHZ,
7581 COLOCATED_6GHZ,
7582 COLOCATED_LOWER_BAND,
7583 };
7584
get_colocation_mode(struct hostapd_data * hapd)7585 static enum colocation_mode get_colocation_mode(struct hostapd_data *hapd)
7586 {
7587 u8 i;
7588 bool is_6ghz = is_6ghz_op_class(hapd->iconf->op_class);
7589
7590 if (!hapd->iface || !hapd->iface->interfaces)
7591 return NO_COLOCATED_6GHZ;
7592
7593 if (is_6ghz && hapd->iface->interfaces->count == 1)
7594 return STANDALONE_6GHZ;
7595
7596 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7597 struct hostapd_iface *iface;
7598 bool is_colocated_6ghz;
7599
7600 iface = hapd->iface->interfaces->iface[i];
7601 if (iface == hapd->iface || !iface || !iface->conf)
7602 continue;
7603
7604 is_colocated_6ghz = is_6ghz_op_class(iface->conf->op_class);
7605 if (!is_6ghz && is_colocated_6ghz)
7606 return COLOCATED_LOWER_BAND;
7607 if (is_6ghz && !is_colocated_6ghz)
7608 return COLOCATED_6GHZ;
7609 }
7610
7611 if (is_6ghz)
7612 return STANDALONE_6GHZ;
7613
7614 return NO_COLOCATED_6GHZ;
7615 }
7616
7617
hostapd_eid_rnr_colocation_len(struct hostapd_data * hapd,size_t * current_len)7618 static size_t hostapd_eid_rnr_colocation_len(struct hostapd_data *hapd,
7619 size_t *current_len)
7620 {
7621 struct hostapd_iface *iface;
7622 size_t len = 0;
7623 size_t i;
7624
7625 if (!hapd->iface || !hapd->iface->interfaces)
7626 return 0;
7627
7628 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7629 iface = hapd->iface->interfaces->iface[i];
7630
7631 if (!iface || iface == hapd->iface ||
7632 iface->state != HAPD_IFACE_ENABLED ||
7633 !is_6ghz_op_class(iface->conf->op_class))
7634 continue;
7635
7636 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7637 current_len, NULL, false);
7638 }
7639
7640 return len;
7641 }
7642
7643
hostapd_eid_rnr_mlo_len(struct hostapd_data * hapd,u32 type,size_t * current_len)7644 static size_t hostapd_eid_rnr_mlo_len(struct hostapd_data *hapd, u32 type,
7645 size_t *current_len)
7646 {
7647 size_t len = 0;
7648 #ifdef CONFIG_IEEE80211BE
7649 struct hostapd_iface *iface;
7650 size_t i;
7651
7652 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap)
7653 return 0;
7654
7655 /* TODO: Allow for FILS/Action as well */
7656 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP)
7657 return 0;
7658
7659 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7660 iface = hapd->iface->interfaces->iface[i];
7661
7662 if (!iface || iface == hapd->iface ||
7663 hapd->iface->freq == iface->freq)
7664 continue;
7665
7666 len += hostapd_eid_rnr_iface_len(iface->bss[0], hapd,
7667 current_len, NULL, true);
7668 }
7669 #endif /* CONFIG_IEEE80211BE */
7670
7671 return len;
7672 }
7673
7674
hostapd_eid_rnr_len(struct hostapd_data * hapd,u32 type,bool include_mld_params)7675 size_t hostapd_eid_rnr_len(struct hostapd_data *hapd, u32 type,
7676 bool include_mld_params)
7677 {
7678 size_t total_len = 0, current_len = 0;
7679 enum colocation_mode mode = get_colocation_mode(hapd);
7680
7681 switch (type) {
7682 case WLAN_FC_STYPE_BEACON:
7683 if (hapd->conf->rnr)
7684 total_len += hostapd_eid_nr_db_len(hapd, ¤t_len);
7685 /* fallthrough */
7686 case WLAN_FC_STYPE_PROBE_RESP:
7687 if (mode == COLOCATED_LOWER_BAND)
7688 total_len +=
7689 hostapd_eid_rnr_colocation_len(hapd,
7690 ¤t_len);
7691
7692 if (hapd->conf->rnr && hapd->iface->num_bss > 1 &&
7693 !hapd->iconf->mbssid)
7694 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7695 ¤t_len,
7696 NULL, false);
7697 break;
7698 case WLAN_FC_STYPE_ACTION:
7699 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
7700 total_len += hostapd_eid_rnr_iface_len(hapd, hapd,
7701 ¤t_len,
7702 NULL, false);
7703 break;
7704 }
7705
7706 /* For EMA Beacons, MLD neighbor repoting is added as part of
7707 * MBSSID RNR. */
7708 if (include_mld_params &&
7709 (type != WLAN_FC_STYPE_BEACON ||
7710 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED))
7711 total_len += hostapd_eid_rnr_mlo_len(hapd, type, ¤t_len);
7712
7713 return total_len;
7714 }
7715
7716
hostapd_eid_nr_db(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7717 static u8 * hostapd_eid_nr_db(struct hostapd_data *hapd, u8 *eid,
7718 size_t *current_len)
7719 {
7720 struct hostapd_neighbor_entry *nr;
7721 size_t len = *current_len;
7722 u8 *size_offset = (eid - len) + 1;
7723
7724 dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry,
7725 list) {
7726 if (!nr->nr || wpabuf_len(nr->nr) < 12)
7727 continue;
7728
7729 if (nr->short_ssid == hapd->conf->ssid.short_ssid)
7730 continue;
7731
7732 /* Start a new element */
7733 if (!len ||
7734 len + RNR_TBTT_HEADER_LEN + RNR_TBTT_INFO_LEN > 255) {
7735 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7736 size_offset = eid++;
7737 len = RNR_HEADER_LEN;
7738 }
7739
7740 /* TBTT Information Header subfield (2 octets) */
7741 *eid++ = 0;
7742 /* TBTT Information Length */
7743 *eid++ = RNR_TBTT_INFO_LEN;
7744 /* Operating Class */
7745 *eid++ = wpabuf_head_u8(nr->nr)[10];
7746 /* Channel Number */
7747 *eid++ = wpabuf_head_u8(nr->nr)[11];
7748 len += RNR_TBTT_HEADER_LEN;
7749 /* TBTT Information Set */
7750 /* TBTT Information field */
7751 /* Neighbor AP TBTT Offset */
7752 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7753 /* BSSID */
7754 os_memcpy(eid, nr->bssid, ETH_ALEN);
7755 eid += ETH_ALEN;
7756 /* Short SSID */
7757 os_memcpy(eid, &nr->short_ssid, 4);
7758 eid += 4;
7759 /* BSS parameters */
7760 *eid++ = nr->bss_parameters;
7761 /* 20 MHz PSD */
7762 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER;
7763 len += RNR_TBTT_INFO_LEN;
7764 *size_offset = (eid - size_offset) - 1;
7765 }
7766
7767 *current_len = len;
7768 return eid;
7769 }
7770
7771
hostapd_eid_rnr_bss(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,struct mbssid_ie_profiles * skip_profiles,size_t i,u8 * tbtt_count,size_t * len,u8 ** pos,u8 ** tbtt_count_pos,u8 tbtt_info_len,u8 op_class,bool mld_update)7772 static bool hostapd_eid_rnr_bss(struct hostapd_data *hapd,
7773 struct hostapd_data *reporting_hapd,
7774 struct mbssid_ie_profiles *skip_profiles,
7775 size_t i, u8 *tbtt_count, size_t *len,
7776 u8 **pos, u8 **tbtt_count_pos, u8 tbtt_info_len,
7777 u8 op_class, bool mld_update)
7778 {
7779 struct hostapd_iface *iface = hapd->iface;
7780 struct hostapd_data *bss = iface->bss[i];
7781 u8 bss_param = 0;
7782 bool ap_mld = false;
7783 u8 *eid = *pos;
7784
7785 #ifdef CONFIG_IEEE80211BE
7786 ap_mld = !!hapd->conf->mld_ap;
7787 #endif /* CONFIG_IEEE80211BE */
7788
7789 if (!bss || !bss->conf || !bss->started ||
7790 bss == reporting_hapd || bss->conf->ignore_broadcast_ssid)
7791 return false;
7792
7793 if (hostapd_skip_rnr(i, skip_profiles, ap_mld, tbtt_info_len,
7794 mld_update, reporting_hapd, bss))
7795 return false;
7796
7797 if (*len + RNR_TBTT_INFO_LEN > 255 ||
7798 *tbtt_count >= RNR_TBTT_INFO_COUNT_MAX)
7799 return true;
7800
7801 if (!(*tbtt_count)) {
7802 /* Add neighbor report header info only if there is at least
7803 * one TBTT info available. */
7804 *tbtt_count_pos = eid++;
7805 *eid++ = tbtt_info_len;
7806 *eid++ = op_class;
7807 *eid++ = bss->iconf->channel;
7808 *len += RNR_TBTT_HEADER_LEN;
7809 }
7810
7811 *eid++ = RNR_NEIGHBOR_AP_OFFSET_UNKNOWN;
7812 os_memcpy(eid, bss->own_addr, ETH_ALEN);
7813 eid += ETH_ALEN;
7814 os_memcpy(eid, &bss->conf->ssid.short_ssid, 4);
7815 eid += 4;
7816 if (bss->conf->ssid.short_ssid == reporting_hapd->conf->ssid.short_ssid)
7817 bss_param |= RNR_BSS_PARAM_SAME_SSID;
7818
7819 if (iface->conf->mbssid != MBSSID_DISABLED && iface->num_bss > 1) {
7820 bss_param |= RNR_BSS_PARAM_MULTIPLE_BSSID;
7821 if (bss == hostapd_mbssid_get_tx_bss(hapd))
7822 bss_param |= RNR_BSS_PARAM_TRANSMITTED_BSSID;
7823 }
7824
7825 if (is_6ghz_op_class(hapd->iconf->op_class) &&
7826 bss->conf->unsol_bcast_probe_resp_interval)
7827 bss_param |= RNR_BSS_PARAM_UNSOLIC_PROBE_RESP_ACTIVE;
7828
7829 bss_param |= RNR_BSS_PARAM_CO_LOCATED;
7830
7831 *eid++ = bss_param;
7832 *eid++ = RNR_20_MHZ_PSD_MAX_TXPOWER;
7833
7834 #ifdef CONFIG_IEEE80211BE
7835 if (ap_mld) {
7836 u8 param_ch = bss->eht_mld_bss_param_change;
7837 bool is_partner;
7838
7839 /* If BSS is not a partner of the reporting_hapd
7840 * a) MLD ID advertised shall be 255.
7841 * b) Link ID advertised shall be 15.
7842 * c) BPCC advertised shall be 255 */
7843 is_partner = hostapd_is_ml_partner(bss, reporting_hapd);
7844 /* MLD ID */
7845 *eid++ = is_partner ? hostapd_get_mld_id(bss) : 0xFF;
7846 /* Link ID (Bit 3 to Bit 0)
7847 * BPCC (Bit 4 to Bit 7) */
7848 *eid++ = is_partner ?
7849 bss->mld_link_id | ((param_ch & 0xF) << 4) :
7850 (MAX_NUM_MLD_LINKS | 0xF0);
7851 /* BPCC (Bit 3 to Bit 0) */
7852 *eid = is_partner ? ((param_ch & 0xF0) >> 4) : 0x0F;
7853 #ifdef CONFIG_TESTING_OPTIONS
7854 if (bss->conf->mld_indicate_disabled)
7855 *eid |= RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED;
7856 #endif /* CONFIG_TESTING_OPTIONS */
7857 eid++;
7858 }
7859 #endif /* CONFIG_IEEE80211BE */
7860
7861 *len += tbtt_info_len;
7862 (*tbtt_count)++;
7863 *pos = eid;
7864
7865 return false;
7866 }
7867
7868
hostapd_eid_rnr_iface(struct hostapd_data * hapd,struct hostapd_data * reporting_hapd,u8 * eid,size_t * current_len,struct mbssid_ie_profiles * skip_profiles,bool mld_update)7869 static u8 * hostapd_eid_rnr_iface(struct hostapd_data *hapd,
7870 struct hostapd_data *reporting_hapd,
7871 u8 *eid, size_t *current_len,
7872 struct mbssid_ie_profiles *skip_profiles,
7873 bool mld_update)
7874 {
7875 struct hostapd_iface *iface = hapd->iface;
7876 size_t i, start;
7877 size_t len = *current_len;
7878 u8 *eid_start = eid, *size_offset = (eid - len) + 1;
7879 u8 *tbtt_count_pos = size_offset + 1;
7880 u8 tbtt_count, total_tbtt_count = 0, op_class, channel;
7881 u8 tbtt_info_len = mld_update ? RNR_TBTT_INFO_MLD_LEN :
7882 RNR_TBTT_INFO_LEN;
7883
7884 if (!(iface->drv_flags & WPA_DRIVER_FLAGS_AP_CSA) || !iface->freq)
7885 return eid;
7886
7887 if (ieee80211_freq_to_channel_ext(iface->freq,
7888 hapd->iconf->secondary_channel,
7889 hostapd_get_oper_chwidth(hapd->iconf),
7890 &op_class, &channel) ==
7891 NUM_HOSTAPD_MODES)
7892 return eid;
7893
7894 repeat_rnr:
7895 start = 0;
7896 tbtt_count = 0;
7897 while (start < iface->num_bss) {
7898 if (!len ||
7899 len + RNR_TBTT_HEADER_LEN + tbtt_info_len > 255 ||
7900 tbtt_count >= RNR_TBTT_INFO_COUNT_MAX) {
7901 eid_start = eid;
7902 *eid++ = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
7903 size_offset = eid++;
7904 len = RNR_HEADER_LEN;
7905 tbtt_count = 0;
7906 }
7907
7908 for (i = start; i < iface->num_bss; i++) {
7909 if (hostapd_eid_rnr_bss(hapd, reporting_hapd,
7910 skip_profiles, i,
7911 &tbtt_count, &len, &eid,
7912 &tbtt_count_pos, tbtt_info_len,
7913 op_class, mld_update))
7914 break;
7915 }
7916
7917 start = i;
7918
7919 if (tbtt_count) {
7920 *tbtt_count_pos = RNR_TBTT_INFO_COUNT(tbtt_count - 1);
7921 *size_offset = (eid - size_offset) - 1;
7922 }
7923 }
7924
7925 total_tbtt_count += tbtt_count;
7926
7927 /* If building for co-location, re-build again but this time include
7928 * ML TBTTs.
7929 */
7930 if (!mld_update && tbtt_info_len == RNR_TBTT_INFO_LEN) {
7931 tbtt_info_len = RNR_TBTT_INFO_MLD_LEN;
7932 goto repeat_rnr;
7933 }
7934
7935 if (!total_tbtt_count)
7936 return eid_start;
7937
7938 *current_len = len;
7939 return eid;
7940 }
7941
7942
hostapd_eid_rnr_colocation(struct hostapd_data * hapd,u8 * eid,size_t * current_len)7943 u8 * hostapd_eid_rnr_colocation(struct hostapd_data *hapd, u8 *eid,
7944 size_t *current_len)
7945 {
7946 struct hostapd_iface *iface;
7947 size_t i;
7948
7949 if (!hapd->iface || !hapd->iface->interfaces)
7950 return eid;
7951
7952 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7953 iface = hapd->iface->interfaces->iface[i];
7954
7955 if (!iface || iface == hapd->iface ||
7956 iface->state != HAPD_IFACE_ENABLED ||
7957 !is_6ghz_op_class(iface->conf->op_class))
7958 continue;
7959
7960 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7961 current_len, NULL, false);
7962 }
7963
7964 return eid;
7965 }
7966
7967
hostapd_eid_rnr_mlo(struct hostapd_data * hapd,u32 type,u8 * eid,size_t * current_len)7968 u8 * hostapd_eid_rnr_mlo(struct hostapd_data *hapd, u32 type,
7969 u8 *eid, size_t *current_len)
7970 {
7971 #ifdef CONFIG_IEEE80211BE
7972 struct hostapd_iface *iface;
7973 size_t i;
7974
7975 if (!hapd->iface || !hapd->iface->interfaces || !hapd->conf->mld_ap)
7976 return eid;
7977
7978 /* TODO: Allow for FILS/Action as well */
7979 if (type != WLAN_FC_STYPE_BEACON && type != WLAN_FC_STYPE_PROBE_RESP)
7980 return eid;
7981
7982 for (i = 0; i < hapd->iface->interfaces->count; i++) {
7983 iface = hapd->iface->interfaces->iface[i];
7984
7985 if (!iface || iface == hapd->iface ||
7986 hapd->iface->freq == iface->freq)
7987 continue;
7988
7989 eid = hostapd_eid_rnr_iface(iface->bss[0], hapd, eid,
7990 current_len, NULL, true);
7991 }
7992 #endif /* CONFIG_IEEE80211BE */
7993
7994 return eid;
7995 }
7996
7997
hostapd_eid_rnr(struct hostapd_data * hapd,u8 * eid,u32 type,bool include_mld_params)7998 u8 * hostapd_eid_rnr(struct hostapd_data *hapd, u8 *eid, u32 type,
7999 bool include_mld_params)
8000 {
8001 u8 *eid_start = eid;
8002 size_t current_len = 0;
8003 enum colocation_mode mode = get_colocation_mode(hapd);
8004
8005 switch (type) {
8006 case WLAN_FC_STYPE_BEACON:
8007 if (hapd->conf->rnr)
8008 eid = hostapd_eid_nr_db(hapd, eid, ¤t_len);
8009 /* fallthrough */
8010 case WLAN_FC_STYPE_PROBE_RESP:
8011 if (mode == COLOCATED_LOWER_BAND)
8012 eid = hostapd_eid_rnr_colocation(hapd, eid,
8013 ¤t_len);
8014
8015 if (hapd->conf->rnr && hapd->iface->num_bss > 1 &&
8016 !hapd->iconf->mbssid)
8017 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
8018 ¤t_len, NULL, false);
8019 break;
8020 case WLAN_FC_STYPE_ACTION:
8021 if (hapd->iface->num_bss > 1 && mode == STANDALONE_6GHZ)
8022 eid = hostapd_eid_rnr_iface(hapd, hapd, eid,
8023 ¤t_len, NULL, false);
8024 break;
8025 default:
8026 return eid_start;
8027 }
8028
8029 /* For EMA Beacons, MLD neighbor repoting is added as part of
8030 * MBSSID RNR. */
8031 if (include_mld_params &&
8032 (type != WLAN_FC_STYPE_BEACON ||
8033 hapd->iconf->mbssid != ENHANCED_MBSSID_ENABLED))
8034 eid = hostapd_eid_rnr_mlo(hapd, type, eid, ¤t_len);
8035
8036 if (eid == eid_start + 2)
8037 return eid_start;
8038
8039 return eid;
8040 }
8041
8042
mbssid_known_bss(unsigned int i,const u8 * known_bss,size_t known_bss_len)8043 static bool mbssid_known_bss(unsigned int i, const u8 *known_bss,
8044 size_t known_bss_len)
8045 {
8046 if (!known_bss || known_bss_len <= i / 8)
8047 return false;
8048 known_bss = &known_bss[i / 8];
8049 return *known_bss & (u8) (BIT(i % 8));
8050 }
8051
8052
hostapd_mbssid_ext_capa(struct hostapd_data * bss,struct hostapd_data * tx_bss,u8 * buf)8053 static size_t hostapd_mbssid_ext_capa(struct hostapd_data *bss,
8054 struct hostapd_data *tx_bss, u8 *buf)
8055 {
8056 u8 ext_capa_tx[20], *ext_capa_tx_end, ext_capa[20], *ext_capa_end;
8057 size_t ext_capa_len, ext_capa_tx_len;
8058
8059 ext_capa_tx_end = hostapd_eid_ext_capab(tx_bss, ext_capa_tx,
8060 true);
8061 ext_capa_tx_len = ext_capa_tx_end - ext_capa_tx;
8062 ext_capa_end = hostapd_eid_ext_capab(bss, ext_capa, true);
8063 ext_capa_len = ext_capa_end - ext_capa;
8064 if (ext_capa_tx_len != ext_capa_len ||
8065 os_memcmp(ext_capa_tx, ext_capa, ext_capa_len) != 0) {
8066 os_memcpy(buf, ext_capa, ext_capa_len);
8067 return ext_capa_len;
8068 }
8069
8070 return 0;
8071 }
8072
8073
hostapd_eid_mbssid_elem_len(struct hostapd_data * hapd,u32 frame_type,size_t * bss_index,const u8 * known_bss,size_t known_bss_len)8074 static size_t hostapd_eid_mbssid_elem_len(struct hostapd_data *hapd,
8075 u32 frame_type, size_t *bss_index,
8076 const u8 *known_bss,
8077 size_t known_bss_len)
8078 {
8079 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd);
8080 size_t len, i;
8081 u8 ext_capa[20];
8082
8083 /* Element ID: 1 octet
8084 * Length: 1 octet
8085 * MaxBSSID Indicator: 1 octet
8086 * Optional Subelements: vatiable
8087 *
8088 * Total fixed length: 3 octets
8089 *
8090 * 1 octet in len for the MaxBSSID Indicator field.
8091 */
8092 len = 1;
8093
8094 for (i = *bss_index; i < hapd->iface->num_bss; i++) {
8095 struct hostapd_data *bss = hapd->iface->bss[i];
8096 const u8 *auth, *rsn = NULL, *rsnx = NULL;
8097 size_t nontx_profile_len, auth_len;
8098 u8 ie_count = 0;
8099
8100 if (!bss || !bss->conf || !bss->started ||
8101 mbssid_known_bss(i, known_bss, known_bss_len))
8102 continue;
8103
8104 /*
8105 * Sublement ID: 1 octet
8106 * Length: 1 octet
8107 * Nontransmitted capabilities: 4 octets
8108 * SSID element: 2 + variable
8109 * Multiple BSSID Index Element: 3 octets (+2 octets in beacons)
8110 * Fixed length = 1 + 1 + 4 + 2 + 3 = 11
8111 */
8112 nontx_profile_len = 11 + bss->conf->ssid.ssid_len;
8113
8114 if (frame_type == WLAN_FC_STYPE_BEACON)
8115 nontx_profile_len += 2;
8116
8117 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len);
8118 if (auth) {
8119 rsn = get_ie(auth, auth_len, WLAN_EID_RSN);
8120 if (rsn)
8121 nontx_profile_len += 2 + rsn[1];
8122
8123 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX);
8124 if (rsnx)
8125 nontx_profile_len += 2 + rsnx[1];
8126 }
8127
8128 nontx_profile_len += hostapd_mbssid_ext_capa(bss, tx_bss,
8129 ext_capa);
8130
8131 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN))
8132 ie_count++;
8133 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX))
8134 ie_count++;
8135 if (bss->conf->xrates_supported)
8136 nontx_profile_len += 8;
8137 else if (hapd->conf->xrates_supported)
8138 ie_count++;
8139 if (ie_count)
8140 nontx_profile_len += 4 + ie_count;
8141
8142 if (len + nontx_profile_len > 255)
8143 break;
8144
8145 len += nontx_profile_len;
8146 }
8147
8148 *bss_index = i;
8149
8150 /* Add 2 octets to get the full size of the element */
8151 return len + 2;
8152 }
8153
8154
hostapd_eid_mbssid_len(struct hostapd_data * hapd,u32 frame_type,u8 * elem_count,const u8 * known_bss,size_t known_bss_len,size_t * rnr_len)8155 size_t hostapd_eid_mbssid_len(struct hostapd_data *hapd, u32 frame_type,
8156 u8 *elem_count, const u8 *known_bss,
8157 size_t known_bss_len, size_t *rnr_len)
8158 {
8159 size_t len = 0, bss_index = 1;
8160 bool ap_mld = false;
8161
8162 #ifdef CONFIG_IEEE80211BE
8163 ap_mld = hapd->conf->mld_ap;
8164 #endif /* CONFIG_IEEE80211BE */
8165
8166 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 ||
8167 (frame_type != WLAN_FC_STYPE_BEACON &&
8168 frame_type != WLAN_FC_STYPE_PROBE_RESP))
8169 return 0;
8170
8171 if (frame_type == WLAN_FC_STYPE_BEACON) {
8172 if (!elem_count) {
8173 wpa_printf(MSG_INFO,
8174 "MBSSID: Insufficient data for Beacon frames");
8175 return 0;
8176 }
8177 *elem_count = 0;
8178 }
8179
8180 while (bss_index < hapd->iface->num_bss) {
8181 size_t rnr_count = bss_index;
8182
8183 len += hostapd_eid_mbssid_elem_len(hapd, frame_type,
8184 &bss_index, known_bss,
8185 known_bss_len);
8186
8187 if (frame_type == WLAN_FC_STYPE_BEACON)
8188 *elem_count += 1;
8189 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len) {
8190 size_t rnr_cur_len = 0;
8191 struct mbssid_ie_profiles skip_profiles = {
8192 rnr_count, bss_index
8193 };
8194
8195 *rnr_len += hostapd_eid_rnr_iface_len(
8196 hapd, hostapd_mbssid_get_tx_bss(hapd),
8197 &rnr_cur_len, &skip_profiles, ap_mld);
8198 }
8199 }
8200
8201 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED && rnr_len)
8202 *rnr_len += hostapd_eid_rnr_len(hapd, frame_type, false);
8203
8204 return len;
8205 }
8206
8207
hostapd_eid_mbssid_elem(struct hostapd_data * hapd,u8 * eid,u8 * end,u32 frame_type,u8 max_bssid_indicator,size_t * bss_index,u8 elem_count,const u8 * known_bss,size_t known_bss_len)8208 static u8 * hostapd_eid_mbssid_elem(struct hostapd_data *hapd, u8 *eid, u8 *end,
8209 u32 frame_type, u8 max_bssid_indicator,
8210 size_t *bss_index, u8 elem_count,
8211 const u8 *known_bss, size_t known_bss_len)
8212 {
8213 struct hostapd_data *tx_bss = hostapd_mbssid_get_tx_bss(hapd);
8214 size_t i;
8215 u8 *eid_len_offset, *max_bssid_indicator_offset;
8216
8217 *eid++ = WLAN_EID_MULTIPLE_BSSID;
8218 eid_len_offset = eid++;
8219 max_bssid_indicator_offset = eid++;
8220
8221 for (i = *bss_index; i < hapd->iface->num_bss; i++) {
8222 struct hostapd_data *bss = hapd->iface->bss[i];
8223 struct hostapd_bss_config *conf;
8224 u8 *eid_len_pos, *nontx_bss_start = eid;
8225 const u8 *auth, *rsn = NULL, *rsnx = NULL;
8226 u8 ie_count = 0, non_inherit_ie[3];
8227 size_t auth_len = 0;
8228 u16 capab_info;
8229
8230 if (!bss || !bss->conf || !bss->started ||
8231 mbssid_known_bss(i, known_bss, known_bss_len))
8232 continue;
8233 conf = bss->conf;
8234
8235 *eid++ = WLAN_MBSSID_SUBELEMENT_NONTRANSMITTED_BSSID_PROFILE;
8236 eid_len_pos = eid++;
8237
8238 capab_info = hostapd_own_capab_info(bss);
8239 *eid++ = WLAN_EID_NONTRANSMITTED_BSSID_CAPA;
8240 *eid++ = sizeof(capab_info);
8241 WPA_PUT_LE16(eid, capab_info);
8242 eid += sizeof(capab_info);
8243
8244 *eid++ = WLAN_EID_SSID;
8245 *eid++ = conf->ssid.ssid_len;
8246 os_memcpy(eid, conf->ssid.ssid, conf->ssid.ssid_len);
8247 eid += conf->ssid.ssid_len;
8248
8249 *eid++ = WLAN_EID_MULTIPLE_BSSID_INDEX;
8250 if (frame_type == WLAN_FC_STYPE_BEACON) {
8251 *eid++ = 3;
8252 *eid++ = i; /* BSSID Index */
8253 if (hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED &&
8254 (conf->dtim_period % elem_count))
8255 conf->dtim_period = elem_count;
8256 *eid++ = conf->dtim_period;
8257 /* The driver is expected to update the DTIM Count
8258 * field for each BSS that corresponds to a
8259 * nontransmitted BSSID. The value is initialized to
8260 * 0 here so that the DTIM count would be somewhat
8261 * functional even if the driver were not to update
8262 * this. */
8263 *eid++ = 0; /* DTIM Count */
8264 } else {
8265 /* Probe Request frame does not include DTIM Period and
8266 * DTIM Count fields. */
8267 *eid++ = 1;
8268 *eid++ = i; /* BSSID Index */
8269 }
8270
8271 auth = wpa_auth_get_wpa_ie(bss->wpa_auth, &auth_len);
8272 if (auth) {
8273 rsn = get_ie(auth, auth_len, WLAN_EID_RSN);
8274 if (rsn) {
8275 os_memcpy(eid, rsn, 2 + rsn[1]);
8276 eid += 2 + rsn[1];
8277 }
8278
8279 rsnx = get_ie(auth, auth_len, WLAN_EID_RSNX);
8280 if (rsnx) {
8281 os_memcpy(eid, rsnx, 2 + rsnx[1]);
8282 eid += 2 + rsnx[1];
8283 }
8284 }
8285
8286 eid += hostapd_mbssid_ext_capa(bss, tx_bss, eid);
8287
8288 /* List of Element ID values in increasing order */
8289 if (!rsn && hostapd_wpa_ie(tx_bss, WLAN_EID_RSN))
8290 non_inherit_ie[ie_count++] = WLAN_EID_RSN;
8291 if (hapd->conf->xrates_supported &&
8292 !bss->conf->xrates_supported)
8293 non_inherit_ie[ie_count++] = WLAN_EID_EXT_SUPP_RATES;
8294 if (!rsnx && hostapd_wpa_ie(tx_bss, WLAN_EID_RSNX))
8295 non_inherit_ie[ie_count++] = WLAN_EID_RSNX;
8296 if (ie_count) {
8297 *eid++ = WLAN_EID_EXTENSION;
8298 *eid++ = 2 + ie_count + 1;
8299 *eid++ = WLAN_EID_EXT_NON_INHERITANCE;
8300 *eid++ = ie_count;
8301 os_memcpy(eid, non_inherit_ie, ie_count);
8302 eid += ie_count;
8303 *eid++ = 0; /* No Element ID Extension List */
8304 }
8305
8306 *eid_len_pos = (eid - eid_len_pos) - 1;
8307
8308 if (((eid - eid_len_offset) - 1) > 255) {
8309 eid = nontx_bss_start;
8310 break;
8311 }
8312 }
8313
8314 *bss_index = i;
8315 *max_bssid_indicator_offset = max_bssid_indicator;
8316 if (*max_bssid_indicator_offset < 1)
8317 *max_bssid_indicator_offset = 1;
8318 *eid_len_offset = (eid - eid_len_offset) - 1;
8319 return eid;
8320 }
8321
8322
hostapd_eid_mbssid(struct hostapd_data * hapd,u8 * eid,u8 * end,unsigned int frame_stype,u8 elem_count,u8 ** elem_offset,const u8 * known_bss,size_t known_bss_len,u8 * rnr_eid,u8 * rnr_count,u8 ** rnr_offset,size_t rnr_len)8323 u8 * hostapd_eid_mbssid(struct hostapd_data *hapd, u8 *eid, u8 *end,
8324 unsigned int frame_stype, u8 elem_count,
8325 u8 **elem_offset,
8326 const u8 *known_bss, size_t known_bss_len, u8 *rnr_eid,
8327 u8 *rnr_count, u8 **rnr_offset, size_t rnr_len)
8328 {
8329 size_t bss_index = 1, cur_len = 0;
8330 u8 elem_index = 0, *rnr_start_eid = rnr_eid;
8331 bool add_rnr, ap_mld = false;
8332
8333 #ifdef CONFIG_IEEE80211BE
8334 ap_mld = hapd->conf->mld_ap;
8335 #endif /* CONFIG_IEEE80211BE */
8336
8337 if (!hapd->iconf->mbssid || hapd->iface->num_bss <= 1 ||
8338 (frame_stype != WLAN_FC_STYPE_BEACON &&
8339 frame_stype != WLAN_FC_STYPE_PROBE_RESP))
8340 return eid;
8341
8342 if (frame_stype == WLAN_FC_STYPE_BEACON && !elem_offset) {
8343 wpa_printf(MSG_INFO,
8344 "MBSSID: Insufficient data for Beacon frames");
8345 return eid;
8346 }
8347
8348 add_rnr = hapd->iconf->mbssid == ENHANCED_MBSSID_ENABLED &&
8349 frame_stype == WLAN_FC_STYPE_BEACON &&
8350 rnr_eid && rnr_count && rnr_offset && rnr_len;
8351
8352 while (bss_index < hapd->iface->num_bss) {
8353 unsigned int rnr_start_count = bss_index;
8354
8355 if (frame_stype == WLAN_FC_STYPE_BEACON) {
8356 if (elem_index == elem_count) {
8357 wpa_printf(MSG_WARNING,
8358 "MBSSID: Larger number of elements than there is room in the provided array");
8359 break;
8360 }
8361
8362 elem_offset[elem_index] = eid;
8363 elem_index = elem_index + 1;
8364 }
8365 eid = hostapd_eid_mbssid_elem(hapd, eid, end, frame_stype,
8366 hostapd_max_bssid_indicator(hapd),
8367 &bss_index, elem_count,
8368 known_bss, known_bss_len);
8369
8370 if (add_rnr) {
8371 struct mbssid_ie_profiles skip_profiles = {
8372 rnr_start_count, bss_index
8373 };
8374
8375 rnr_offset[*rnr_count] = rnr_eid;
8376 *rnr_count = *rnr_count + 1;
8377 cur_len = 0;
8378 rnr_eid = hostapd_eid_rnr_iface(
8379 hapd, hostapd_mbssid_get_tx_bss(hapd),
8380 rnr_eid, &cur_len, &skip_profiles, ap_mld);
8381 }
8382 }
8383
8384 if (add_rnr && (size_t) (rnr_eid - rnr_start_eid) < rnr_len) {
8385 rnr_offset[*rnr_count] = rnr_eid;
8386 *rnr_count = *rnr_count + 1;
8387 cur_len = 0;
8388
8389 if (hapd->conf->rnr)
8390 rnr_eid = hostapd_eid_nr_db(hapd, rnr_eid, &cur_len);
8391 if (get_colocation_mode(hapd) == COLOCATED_LOWER_BAND)
8392 rnr_eid = hostapd_eid_rnr_colocation(hapd, rnr_eid,
8393 &cur_len);
8394 }
8395
8396 return eid;
8397 }
8398
8399 #endif /* CONFIG_NATIVE_WINDOWS */
8400