2 * hostapd / IEEE 802.11 Management
3 * Copyright (c) 2002-2017, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #ifndef CONFIG_NATIVE_WINDOWS
13 #include "utils/common.h"
14 #include "utils/eloop.h"
15 #include "crypto/crypto.h"
16 #include "crypto/sha256.h"
17 #include "crypto/sha384.h"
18 #include "crypto/sha512.h"
19 #include "crypto/random.h"
20 #include "common/ieee802_11_defs.h"
21 #include "common/ieee802_11_common.h"
22 #include "common/wpa_ctrl.h"
23 #include "common/sae.h"
24 #include "common/dpp.h"
25 #include "common/ocv.h"
26 #include "radius/radius.h"
27 #include "radius/radius_client.h"
33 #include "ieee802_11_auth.h"
35 #include "ieee802_1x.h"
37 #include "pmksa_cache_auth.h"
40 #include "accounting.h"
41 #include "ap_config.h"
43 #include "p2p_hostapd.h"
44 #include "ap_drv_ops.h"
46 #include "hw_features.h"
47 #include "ieee802_11.h"
53 #include "dpp_hostapd.h"
54 #include "gas_query_ap.h"
58 static struct wpabuf *
59 prepare_auth_resp_fils(struct hostapd_data *hapd,
60 struct sta_info *sta, u16 *resp,
61 struct rsn_pmksa_cache_entry *pmksa,
62 struct wpabuf *erp_resp,
63 const u8 *msk, size_t msk_len,
65 #endif /* CONFIG_FILS */
66 static void handle_auth(struct hostapd_data *hapd,
67 const struct ieee80211_mgmt *mgmt, size_t len,
68 int rssi, int from_queue);
71 u8 * hostapd_eid_multi_ap(struct hostapd_data *hapd, u8 *eid)
75 if (!hapd->conf->multi_ap)
77 if (hapd->conf->multi_ap & BACKHAUL_BSS)
78 multi_ap_val |= MULTI_AP_BACKHAUL_BSS;
79 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
80 multi_ap_val |= MULTI_AP_FRONTHAUL_BSS;
82 return eid + add_multi_ap_ie(eid, 9, multi_ap_val);
86 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid)
91 if (hapd->iface->current_rates == NULL)
94 *pos++ = WLAN_EID_SUPP_RATES;
95 num = hapd->iface->num_rates;
96 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
98 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
101 /* rest of the rates are encoded in Extended supported
107 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num;
110 *pos = hapd->iface->current_rates[i].rate / 5;
111 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
116 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) {
118 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
121 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) {
123 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
130 u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid)
135 if (hapd->iface->current_rates == NULL)
138 num = hapd->iface->num_rates;
139 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht)
141 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht)
147 *pos++ = WLAN_EID_EXT_SUPP_RATES;
149 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8;
153 continue; /* already in SuppRates IE */
154 *pos = hapd->iface->current_rates[i].rate / 5;
155 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC)
160 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) {
163 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY;
166 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) {
169 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY;
176 u16 hostapd_own_capab_info(struct hostapd_data *hapd)
178 int capab = WLAN_CAPABILITY_ESS;
183 /* Check if any of configured channels require DFS */
184 dfs = hostapd_is_dfs_required(hapd->iface);
186 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d",
191 if (hapd->iface->num_sta_no_short_preamble == 0 &&
192 hapd->iconf->preamble == SHORT_PREAMBLE)
193 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
195 privacy = hapd->conf->ssid.wep.keys_set;
197 if (hapd->conf->ieee802_1x &&
198 (hapd->conf->default_wep_key_len ||
199 hapd->conf->individual_wep_key_len))
206 if (hapd->conf->osen)
208 #endif /* CONFIG_HS20 */
211 capab |= WLAN_CAPABILITY_PRIVACY;
213 if (hapd->iface->current_mode &&
214 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G &&
215 hapd->iface->num_sta_no_short_slot_time == 0)
216 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
219 * Currently, Spectrum Management capability bit is set when directly
220 * requested in configuration by spectrum_mgmt_required or when AP is
221 * running on DFS channel.
222 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit
224 if (hapd->iface->current_mode &&
225 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
226 (hapd->iconf->spectrum_mgmt_required || dfs))
227 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
229 for (i = 0; i < RRM_CAPABILITIES_IE_LEN; i++) {
230 if (hapd->conf->radio_measurements[i]) {
231 capab |= IEEE80211_CAP_RRM;
240 #ifndef CONFIG_NO_RC4
241 static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta,
242 u16 auth_transaction, const u8 *challenge,
245 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
247 "authentication (shared key, transaction %d)",
250 if (auth_transaction == 1) {
251 if (!sta->challenge) {
252 /* Generate a pseudo-random challenge */
255 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN);
256 if (sta->challenge == NULL)
257 return WLAN_STATUS_UNSPECIFIED_FAILURE;
259 if (os_get_random(key, sizeof(key)) < 0) {
260 os_free(sta->challenge);
261 sta->challenge = NULL;
262 return WLAN_STATUS_UNSPECIFIED_FAILURE;
265 rc4_skip(key, sizeof(key), 0,
266 sta->challenge, WLAN_AUTH_CHALLENGE_LEN);
271 if (auth_transaction != 3)
272 return WLAN_STATUS_UNSPECIFIED_FAILURE;
275 if (!iswep || !sta->challenge || !challenge ||
276 os_memcmp_const(sta->challenge, challenge,
277 WLAN_AUTH_CHALLENGE_LEN)) {
278 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
280 "shared key authentication - invalid "
281 "challenge-response");
282 return WLAN_STATUS_CHALLENGE_FAIL;
285 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
287 "authentication OK (shared key)");
288 sta->flags |= WLAN_STA_AUTH;
289 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
290 os_free(sta->challenge);
291 sta->challenge = NULL;
295 #endif /* CONFIG_NO_RC4 */
298 static int send_auth_reply(struct hostapd_data *hapd,
299 const u8 *dst, const u8 *bssid,
300 u16 auth_alg, u16 auth_transaction, u16 resp,
301 const u8 *ies, size_t ies_len, const char *dbg)
303 struct ieee80211_mgmt *reply;
306 int reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
308 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len;
309 buf = os_zalloc(rlen);
313 reply = (struct ieee80211_mgmt *) buf;
314 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
316 os_memcpy(reply->da, dst, ETH_ALEN);
317 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
318 os_memcpy(reply->bssid, bssid, ETH_ALEN);
320 reply->u.auth.auth_alg = host_to_le16(auth_alg);
321 reply->u.auth.auth_transaction = host_to_le16(auth_transaction);
322 reply->u.auth.status_code = host_to_le16(resp);
325 os_memcpy(reply->u.auth.variable, ies, ies_len);
327 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR
328 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu) (dbg=%s)",
329 MAC2STR(dst), auth_alg, auth_transaction,
330 resp, (unsigned long) ies_len, dbg);
331 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0)
332 wpa_printf(MSG_INFO, "send_auth_reply: send failed");
334 reply_res = WLAN_STATUS_SUCCESS;
342 #ifdef CONFIG_IEEE80211R_AP
343 static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
344 u16 auth_transaction, u16 status,
345 const u8 *ies, size_t ies_len)
347 struct hostapd_data *hapd = ctx;
348 struct sta_info *sta;
351 reply_res = send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT,
352 auth_transaction, status, ies, ies_len,
355 sta = ap_get_sta(hapd, dst);
359 if (sta->added_unassoc && (reply_res != WLAN_STATUS_SUCCESS ||
360 status != WLAN_STATUS_SUCCESS)) {
361 hostapd_drv_sta_remove(hapd, sta->addr);
362 sta->added_unassoc = 0;
366 if (status != WLAN_STATUS_SUCCESS)
369 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
370 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
371 sta->flags |= WLAN_STA_AUTH;
372 mlme_authenticate_indication(hapd, sta);
374 #endif /* CONFIG_IEEE80211R_AP */
379 static void sae_set_state(struct sta_info *sta, enum sae_state state,
382 wpa_printf(MSG_DEBUG, "SAE: State %s -> %s for peer " MACSTR " (%s)",
383 sae_state_txt(sta->sae->state), sae_state_txt(state),
384 MAC2STR(sta->addr), reason);
385 sta->sae->state = state;
389 static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
390 struct sta_info *sta, int update)
393 const char *password = NULL;
394 struct sae_password_entry *pw;
395 const char *rx_id = NULL;
398 rx_id = sta->sae->tmp->pw_id;
400 for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
401 if (!is_broadcast_ether_addr(pw->peer_addr) &&
402 os_memcmp(pw->peer_addr, sta->addr, ETH_ALEN) != 0)
404 if ((rx_id && !pw->identifier) || (!rx_id && pw->identifier))
406 if (rx_id && pw->identifier &&
407 os_strcmp(rx_id, pw->identifier) != 0)
409 password = pw->password;
413 password = hapd->conf->ssid.wpa_passphrase;
415 wpa_printf(MSG_DEBUG, "SAE: No password available");
420 sae_prepare_commit(hapd->own_addr, sta->addr,
421 (u8 *) password, os_strlen(password), rx_id,
423 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
427 if (pw && pw->vlan_id) {
428 if (!sta->sae->tmp) {
430 "SAE: No temporary data allocated - cannot store VLAN ID");
433 sta->sae->tmp->vlan_id = pw->vlan_id;
436 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN +
437 (rx_id ? 3 + os_strlen(rx_id) : 0));
440 sae_write_commit(sta->sae, buf, sta->sae->tmp ?
441 sta->sae->tmp->anti_clogging_token : NULL, rx_id);
447 static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
448 struct sta_info *sta)
452 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN);
456 sae_write_confirm(sta->sae, buf);
462 static int auth_sae_send_commit(struct hostapd_data *hapd,
463 struct sta_info *sta,
464 const u8 *bssid, int update)
469 data = auth_build_sae_commit(hapd, sta, update);
470 if (!data && sta->sae->tmp && sta->sae->tmp->pw_id)
471 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
473 return WLAN_STATUS_UNSPECIFIED_FAILURE;
475 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 1,
476 WLAN_STATUS_SUCCESS, wpabuf_head(data),
477 wpabuf_len(data), "sae-send-commit");
485 static int auth_sae_send_confirm(struct hostapd_data *hapd,
486 struct sta_info *sta,
492 data = auth_build_sae_confirm(hapd, sta);
494 return WLAN_STATUS_UNSPECIFIED_FAILURE;
496 reply_res = send_auth_reply(hapd, sta->addr, bssid, WLAN_AUTH_SAE, 2,
497 WLAN_STATUS_SUCCESS, wpabuf_head(data),
498 wpabuf_len(data), "sae-send-confirm");
506 static int use_sae_anti_clogging(struct hostapd_data *hapd)
508 struct sta_info *sta;
509 unsigned int open = 0;
511 if (hapd->conf->sae_anti_clogging_threshold == 0)
514 for (sta = hapd->sta_list; sta; sta = sta->next) {
517 if (sta->sae->state != SAE_COMMITTED &&
518 sta->sae->state != SAE_CONFIRMED)
521 if (open >= hapd->conf->sae_anti_clogging_threshold)
525 /* In addition to already existing open SAE sessions, check whether
526 * there are enough pending commit messages in the processing queue to
527 * potentially result in too many open sessions. */
528 if (open + dl_list_len(&hapd->sae_commit_queue) >=
529 hapd->conf->sae_anti_clogging_threshold)
536 static u8 sae_token_hash(struct hostapd_data *hapd, const u8 *addr)
538 u8 hash[SHA256_MAC_LEN];
540 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key),
541 addr, ETH_ALEN, hash);
546 static int check_sae_token(struct hostapd_data *hapd, const u8 *addr,
547 const u8 *token, size_t token_len)
549 u8 mac[SHA256_MAC_LEN];
555 if (token_len != SHA256_MAC_LEN)
557 idx = sae_token_hash(hapd, addr);
558 token_idx = hapd->sae_pending_token_idx[idx];
559 if (token_idx == 0 || token_idx != WPA_GET_BE16(token)) {
560 wpa_printf(MSG_DEBUG, "SAE: Invalid anti-clogging token from "
561 MACSTR " - token_idx 0x%04x, expected 0x%04x",
562 MAC2STR(addr), WPA_GET_BE16(token), token_idx);
570 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
571 2, addrs, len, mac) < 0 ||
572 os_memcmp_const(token + 2, &mac[2], SHA256_MAC_LEN - 2) != 0)
575 hapd->sae_pending_token_idx[idx] = 0; /* invalidate used token */
581 static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd,
582 int group, const u8 *addr)
586 struct os_reltime now;
593 os_get_reltime(&now);
594 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) ||
595 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60) ||
596 hapd->sae_token_idx == 0xffff) {
597 if (random_get_bytes(hapd->sae_token_key,
598 sizeof(hapd->sae_token_key)) < 0)
600 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key",
601 hapd->sae_token_key, sizeof(hapd->sae_token_key));
602 hapd->last_sae_token_key_update = now;
603 hapd->sae_token_idx = 0;
604 os_memset(hapd->sae_pending_token_idx, 0,
605 sizeof(hapd->sae_pending_token_idx));
608 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN);
612 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */
614 p_idx = sae_token_hash(hapd, addr);
615 token_idx = hapd->sae_pending_token_idx[p_idx];
617 hapd->sae_token_idx++;
618 token_idx = hapd->sae_token_idx;
619 hapd->sae_pending_token_idx[p_idx] = token_idx;
621 WPA_PUT_BE16(idx, token_idx);
622 token = wpabuf_put(buf, SHA256_MAC_LEN);
626 len[1] = sizeof(idx);
627 if (hmac_sha256_vector(hapd->sae_token_key, sizeof(hapd->sae_token_key),
628 2, addrs, len, token) < 0) {
632 WPA_PUT_BE16(token, token_idx);
638 static int sae_check_big_sync(struct hostapd_data *hapd, struct sta_info *sta)
640 if (sta->sae->sync > hapd->conf->sae_sync) {
641 sae_set_state(sta, SAE_NOTHING, "Sync > dot11RSNASAESync");
649 static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data)
651 struct hostapd_data *hapd = eloop_ctx;
652 struct sta_info *sta = eloop_data;
655 if (sae_check_big_sync(hapd, sta))
658 wpa_printf(MSG_DEBUG, "SAE: Auth SAE retransmit timer for " MACSTR
659 " (sync=%d state=%s)",
660 MAC2STR(sta->addr), sta->sae->sync,
661 sae_state_txt(sta->sae->state));
663 switch (sta->sae->state) {
665 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
666 eloop_register_timeout(0,
667 hapd->dot11RSNASAERetransPeriod * 1000,
668 auth_sae_retransmit_timer, hapd, sta);
671 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr);
672 eloop_register_timeout(0,
673 hapd->dot11RSNASAERetransPeriod * 1000,
674 auth_sae_retransmit_timer, hapd, sta);
681 if (ret != WLAN_STATUS_SUCCESS)
682 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret);
686 void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta)
688 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
692 static void sae_set_retransmit_timer(struct hostapd_data *hapd,
693 struct sta_info *sta)
695 if (!(hapd->conf->mesh & MESH_ENABLED))
698 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta);
699 eloop_register_timeout(0, hapd->dot11RSNASAERetransPeriod * 1000,
700 auth_sae_retransmit_timer, hapd, sta);
704 static void sae_sme_send_external_auth_status(struct hostapd_data *hapd,
705 struct sta_info *sta, u16 status)
707 struct external_auth params;
709 os_memset(¶ms, 0, sizeof(params));
710 params.status = status;
711 params.bssid = sta->addr;
712 if (status == WLAN_STATUS_SUCCESS && sta->sae)
713 params.pmkid = sta->sae->pmkid;
715 hostapd_drv_send_external_auth_status(hapd, ¶ms);
719 void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta)
721 #ifndef CONFIG_NO_VLAN
722 struct vlan_description vlan_desc;
724 if (sta->sae->tmp && sta->sae->tmp->vlan_id > 0) {
725 wpa_printf(MSG_DEBUG, "SAE: Assign STA " MACSTR
727 MAC2STR(sta->addr), sta->sae->tmp->vlan_id);
729 os_memset(&vlan_desc, 0, sizeof(vlan_desc));
730 vlan_desc.notempty = 1;
731 vlan_desc.untagged = sta->sae->tmp->vlan_id;
732 if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
734 "Invalid VLAN ID %d in sae_password",
735 sta->sae->tmp->vlan_id);
739 if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0 ||
740 ap_sta_bind_vlan(hapd, sta) < 0) {
742 "Failed to assign VLAN ID %d from sae_password to "
743 MACSTR, sta->sae->tmp->vlan_id,
748 #endif /* CONFIG_NO_VLAN */
750 sta->flags |= WLAN_STA_AUTH;
751 sta->auth_alg = WLAN_AUTH_SAE;
752 mlme_authenticate_indication(hapd, sta);
753 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
754 sae_set_state(sta, SAE_ACCEPTED, "Accept Confirm");
755 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr,
756 sta->sae->pmk, sta->sae->pmkid);
757 sae_sme_send_external_auth_status(hapd, sta, WLAN_STATUS_SUCCESS);
761 static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
762 const u8 *bssid, u8 auth_transaction, int allow_reuse,
769 if (auth_transaction != 1 && auth_transaction != 2)
770 return WLAN_STATUS_UNSPECIFIED_FAILURE;
772 wpa_printf(MSG_DEBUG, "SAE: Peer " MACSTR " state=%s auth_trans=%u",
773 MAC2STR(sta->addr), sae_state_txt(sta->sae->state),
775 switch (sta->sae->state) {
777 if (auth_transaction == 1) {
778 ret = auth_sae_send_commit(hapd, sta, bssid,
782 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
784 if (sae_process_commit(sta->sae) < 0)
785 return WLAN_STATUS_UNSPECIFIED_FAILURE;
788 * In mesh case, both Commit and Confirm can be sent
789 * immediately. In infrastructure BSS, only a single
790 * Authentication frame (Commit) is expected from the AP
791 * here and the second one (Confirm) will be sent once
792 * the STA has sent its second Authentication frame
795 if (hapd->conf->mesh & MESH_ENABLED) {
797 * Send both Commit and Confirm immediately
798 * based on SAE finite state machine
799 * Nothing -> Confirm transition.
801 ret = auth_sae_send_confirm(hapd, sta, bssid);
804 sae_set_state(sta, SAE_CONFIRMED,
805 "Sent Confirm (mesh)");
808 * For infrastructure BSS, send only the Commit
809 * message now to get alternating sequence of
810 * Authentication frames between the AP and STA.
811 * Confirm will be sent in
812 * Committed -> Confirmed/Accepted transition
813 * when receiving Confirm from STA.
817 sae_set_retransmit_timer(hapd, sta);
819 hostapd_logger(hapd, sta->addr,
820 HOSTAPD_MODULE_IEEE80211,
822 "SAE confirm before commit");
826 sae_clear_retransmit_timer(hapd, sta);
827 if (auth_transaction == 1) {
828 if (sae_process_commit(sta->sae) < 0)
829 return WLAN_STATUS_UNSPECIFIED_FAILURE;
831 ret = auth_sae_send_confirm(hapd, sta, bssid);
834 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
836 sae_set_retransmit_timer(hapd, sta);
837 } else if (hapd->conf->mesh & MESH_ENABLED) {
839 * In mesh case, follow SAE finite state machine and
840 * send Commit now, if sync count allows.
842 if (sae_check_big_sync(hapd, sta))
843 return WLAN_STATUS_SUCCESS;
846 ret = auth_sae_send_commit(hapd, sta, bssid, 0);
850 sae_set_retransmit_timer(hapd, sta);
853 * For instructure BSS, send the postponed Confirm from
854 * Nothing -> Confirmed transition that was reduced to
855 * Nothing -> Committed above.
857 ret = auth_sae_send_confirm(hapd, sta, bssid);
861 sae_set_state(sta, SAE_CONFIRMED, "Sent Confirm");
864 * Since this was triggered on Confirm RX, run another
865 * step to get to Accepted without waiting for
868 return sae_sm_step(hapd, sta, bssid, auth_transaction,
873 sae_clear_retransmit_timer(hapd, sta);
874 if (auth_transaction == 1) {
875 if (sae_check_big_sync(hapd, sta))
876 return WLAN_STATUS_SUCCESS;
879 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
883 if (sae_process_commit(sta->sae) < 0)
884 return WLAN_STATUS_UNSPECIFIED_FAILURE;
886 ret = auth_sae_send_confirm(hapd, sta, bssid);
890 sae_set_retransmit_timer(hapd, sta);
892 sta->sae->send_confirm = 0xffff;
893 sae_accept_sta(hapd, sta);
897 if (auth_transaction == 1 &&
898 (hapd->conf->mesh & MESH_ENABLED)) {
899 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
900 ") doing reauthentication",
902 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
903 ap_free_sta(hapd, sta);
905 } else if (auth_transaction == 1) {
906 wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
907 ret = auth_sae_send_commit(hapd, sta, bssid, 1);
910 sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
912 if (sae_process_commit(sta->sae) < 0)
913 return WLAN_STATUS_UNSPECIFIED_FAILURE;
915 sae_set_retransmit_timer(hapd, sta);
917 if (sae_check_big_sync(hapd, sta))
918 return WLAN_STATUS_SUCCESS;
921 ret = auth_sae_send_confirm(hapd, sta, bssid);
922 sae_clear_temp_data(sta->sae);
928 wpa_printf(MSG_ERROR, "SAE: invalid state %d",
930 return WLAN_STATUS_UNSPECIFIED_FAILURE;
932 return WLAN_STATUS_SUCCESS;
936 static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
938 struct sae_data *sae = sta->sae;
939 int i, *groups = hapd->conf->sae_groups;
940 int default_groups[] = { 19, 0 };
942 if (sae->state != SAE_COMMITTED)
945 wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
948 groups = default_groups;
949 for (i = 0; groups[i] > 0; i++) {
950 if (sae->group == groups[i])
954 if (groups[i] <= 0) {
955 wpa_printf(MSG_DEBUG,
956 "SAE: Previously selected group not found from the current configuration");
962 if (groups[i] <= 0) {
963 wpa_printf(MSG_DEBUG,
964 "SAE: No alternative group enabled");
968 if (sae_set_group(sae, groups[i]) < 0)
973 wpa_printf(MSG_DEBUG, "SAE: Selected new group: %d", groups[i]);
977 static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
978 const struct ieee80211_mgmt *mgmt, size_t len,
979 u16 auth_transaction, u16 status_code)
981 int resp = WLAN_STATUS_SUCCESS;
982 struct wpabuf *data = NULL;
983 int *groups = hapd->conf->sae_groups;
984 int default_groups[] = { 19, 0 };
989 groups = default_groups;
991 #ifdef CONFIG_TESTING_OPTIONS
992 if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
993 wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
994 pos = mgmt->u.auth.variable;
995 end = ((const u8 *) mgmt) + len;
996 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
997 auth_transaction, resp, pos, end - pos,
998 "auth-sae-reflection-attack");
1002 if (hapd->conf->sae_commit_override && auth_transaction == 1) {
1003 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
1004 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1005 auth_transaction, resp,
1006 wpabuf_head(hapd->conf->sae_commit_override),
1007 wpabuf_len(hapd->conf->sae_commit_override),
1008 "sae-commit-override");
1011 #endif /* CONFIG_TESTING_OPTIONS */
1013 if (auth_transaction != 1 ||
1014 status_code != WLAN_STATUS_SUCCESS) {
1018 sta->sae = os_zalloc(sizeof(*sta->sae));
1023 sae_set_state(sta, SAE_NOTHING, "Init");
1027 if (sta->mesh_sae_pmksa_caching) {
1028 wpa_printf(MSG_DEBUG,
1029 "SAE: Cancel use of mesh PMKSA caching because peer starts SAE authentication");
1030 wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
1031 sta->mesh_sae_pmksa_caching = 0;
1034 if (auth_transaction == 1) {
1035 const u8 *token = NULL;
1036 size_t token_len = 0;
1037 int allow_reuse = 0;
1039 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1040 HOSTAPD_LEVEL_DEBUG,
1041 "start SAE authentication (RX commit, status=%u)",
1044 if ((hapd->conf->mesh & MESH_ENABLED) &&
1045 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1047 pos = mgmt->u.auth.variable;
1048 end = ((const u8 *) mgmt) + len;
1049 if (pos + sizeof(le16) > end) {
1050 wpa_printf(MSG_ERROR,
1051 "SAE: Too short anti-clogging token request");
1052 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1055 resp = sae_group_allowed(sta->sae, groups,
1057 if (resp != WLAN_STATUS_SUCCESS) {
1058 wpa_printf(MSG_ERROR,
1059 "SAE: Invalid group in anti-clogging token request");
1062 pos += sizeof(le16);
1064 wpabuf_free(sta->sae->tmp->anti_clogging_token);
1065 sta->sae->tmp->anti_clogging_token =
1066 wpabuf_alloc_copy(pos, end - pos);
1067 if (sta->sae->tmp->anti_clogging_token == NULL) {
1068 wpa_printf(MSG_ERROR,
1069 "SAE: Failed to alloc for anti-clogging token");
1070 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1075 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code
1076 * is 76, a new Commit Message shall be constructed
1077 * with the Anti-Clogging Token from the received
1078 * Authentication frame, and the commit-scalar and
1079 * COMMIT-ELEMENT previously sent.
1081 resp = auth_sae_send_commit(hapd, sta, mgmt->bssid, 0);
1082 if (resp != WLAN_STATUS_SUCCESS) {
1083 wpa_printf(MSG_ERROR,
1084 "SAE: Failed to send commit message");
1087 sae_set_state(sta, SAE_COMMITTED,
1088 "Sent Commit (anti-clogging token case in mesh)");
1090 sae_set_retransmit_timer(hapd, sta);
1094 if ((hapd->conf->mesh & MESH_ENABLED) &&
1096 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1098 wpa_printf(MSG_DEBUG,
1099 "SAE: Peer did not accept our SAE group");
1100 sae_pick_next_group(hapd, sta);
1104 if (status_code != WLAN_STATUS_SUCCESS)
1107 if (!(hapd->conf->mesh & MESH_ENABLED) &&
1108 sta->sae->state == SAE_COMMITTED) {
1109 /* This is needed in the infrastructure BSS case to
1110 * address a sequence where a STA entry may remain in
1111 * hostapd across two attempts to do SAE authentication
1112 * by the same STA. The second attempt may end up trying
1113 * to use a different group and that would not be
1114 * allowed if we remain in Committed state with the
1115 * previously set parameters. */
1116 pos = mgmt->u.auth.variable;
1117 end = ((const u8 *) mgmt) + len;
1118 if (end - pos >= (int) sizeof(le16) &&
1119 sae_group_allowed(sta->sae, groups,
1120 WPA_GET_LE16(pos)) ==
1121 WLAN_STATUS_SUCCESS) {
1122 /* Do not waste resources deriving the same PWE
1123 * again since the same group is reused. */
1124 sae_set_state(sta, SAE_NOTHING,
1125 "Allow previous PWE to be reused");
1128 sae_set_state(sta, SAE_NOTHING,
1129 "Clear existing state to allow restart");
1130 sae_clear_data(sta->sae);
1134 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
1135 ((const u8 *) mgmt) + len -
1136 mgmt->u.auth.variable, &token,
1137 &token_len, groups);
1138 if (resp == SAE_SILENTLY_DISCARD) {
1139 wpa_printf(MSG_DEBUG,
1140 "SAE: Drop commit message from " MACSTR " due to reflection attack",
1141 MAC2STR(sta->addr));
1145 if (resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1146 wpa_msg(hapd->msg_ctx, MSG_INFO,
1147 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER
1148 MACSTR, MAC2STR(sta->addr));
1149 sae_clear_retransmit_timer(hapd, sta);
1150 sae_set_state(sta, SAE_NOTHING,
1151 "Unknown Password Identifier");
1155 if (token && check_sae_token(hapd, sta->addr, token, token_len)
1157 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with "
1158 "incorrect token from " MACSTR,
1159 MAC2STR(sta->addr));
1160 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1164 if (resp != WLAN_STATUS_SUCCESS)
1167 if (!token && use_sae_anti_clogging(hapd) && !allow_reuse) {
1168 wpa_printf(MSG_DEBUG,
1169 "SAE: Request anti-clogging token from "
1170 MACSTR, MAC2STR(sta->addr));
1171 data = auth_build_token_req(hapd, sta->sae->group,
1173 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ;
1174 if (hapd->conf->mesh & MESH_ENABLED)
1175 sae_set_state(sta, SAE_NOTHING,
1176 "Request anti-clogging token case in mesh");
1180 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction,
1181 allow_reuse, &sta_removed);
1182 } else if (auth_transaction == 2) {
1183 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1184 HOSTAPD_LEVEL_DEBUG,
1185 "SAE authentication (RX confirm, status=%u)",
1187 if (status_code != WLAN_STATUS_SUCCESS)
1189 if (sta->sae->state >= SAE_CONFIRMED ||
1190 !(hapd->conf->mesh & MESH_ENABLED)) {
1193 u16 peer_send_confirm;
1195 var = mgmt->u.auth.variable;
1196 var_len = ((u8 *) mgmt) + len - mgmt->u.auth.variable;
1198 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1202 peer_send_confirm = WPA_GET_LE16(var);
1204 if (sta->sae->state == SAE_ACCEPTED &&
1205 (peer_send_confirm <= sta->sae->rc ||
1206 peer_send_confirm == 0xffff)) {
1207 wpa_printf(MSG_DEBUG,
1208 "SAE: Silently ignore unexpected Confirm from peer "
1210 " (peer-send-confirm=%u Rc=%u)",
1212 peer_send_confirm, sta->sae->rc);
1216 if (sae_check_confirm(sta->sae, var, var_len) < 0) {
1217 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1220 sta->sae->rc = peer_send_confirm;
1222 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction, 0,
1225 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1226 HOSTAPD_LEVEL_DEBUG,
1227 "unexpected SAE authentication transaction %u (status=%u)",
1228 auth_transaction, status_code);
1229 if (status_code != WLAN_STATUS_SUCCESS)
1231 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1235 if (!sta_removed && resp != WLAN_STATUS_SUCCESS) {
1236 pos = mgmt->u.auth.variable;
1237 end = ((const u8 *) mgmt) + len;
1239 /* Copy the Finite Cyclic Group field from the request if we
1240 * rejected it as unsupported group. */
1241 if (resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1242 !data && end - pos >= 2)
1243 data = wpabuf_alloc_copy(pos, 2);
1245 sae_sme_send_external_auth_status(hapd, sta, resp);
1246 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
1247 auth_transaction, resp,
1248 data ? wpabuf_head(data) : (u8 *) "",
1249 data ? wpabuf_len(data) : 0, "auth-sae");
1253 if (!sta_removed && sta->added_unassoc &&
1254 (resp != WLAN_STATUS_SUCCESS ||
1255 status_code != WLAN_STATUS_SUCCESS)) {
1256 hostapd_drv_sta_remove(hapd, sta->addr);
1257 sta->added_unassoc = 0;
1264 * auth_sae_init_committed - Send COMMIT and start SAE in committed state
1265 * @hapd: BSS data for the device initiating the authentication
1266 * @sta: the peer to which commit authentication frame is sent
1268 * This function implements Init event handling (IEEE Std 802.11-2012,
1269 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the
1270 * sta->sae structure should be initialized appropriately via a call to
1271 * sae_prepare_commit().
1273 int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta)
1277 if (!sta->sae || !sta->sae->tmp)
1280 if (sta->sae->state != SAE_NOTHING)
1283 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0);
1287 sae_set_state(sta, SAE_COMMITTED, "Init and sent commit");
1289 sae_set_retransmit_timer(hapd, sta);
1295 void auth_sae_process_commit(void *eloop_ctx, void *user_ctx)
1297 struct hostapd_data *hapd = eloop_ctx;
1298 struct hostapd_sae_commit_queue *q;
1299 unsigned int queue_len;
1301 q = dl_list_first(&hapd->sae_commit_queue,
1302 struct hostapd_sae_commit_queue, list);
1305 wpa_printf(MSG_DEBUG,
1306 "SAE: Process next available message from queue");
1307 dl_list_del(&q->list);
1308 handle_auth(hapd, (const struct ieee80211_mgmt *) q->msg, q->len,
1312 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1314 queue_len = dl_list_len(&hapd->sae_commit_queue);
1315 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1320 static void auth_sae_queue(struct hostapd_data *hapd,
1321 const struct ieee80211_mgmt *mgmt, size_t len,
1324 struct hostapd_sae_commit_queue *q, *q2;
1325 unsigned int queue_len;
1326 const struct ieee80211_mgmt *mgmt2;
1328 queue_len = dl_list_len(&hapd->sae_commit_queue);
1329 if (queue_len >= 15) {
1330 wpa_printf(MSG_DEBUG,
1331 "SAE: No more room in message queue - drop the new frame from "
1332 MACSTR, MAC2STR(mgmt->sa));
1336 wpa_printf(MSG_DEBUG, "SAE: Queue Authentication message from "
1337 MACSTR " for processing (queue_len %u)", MAC2STR(mgmt->sa),
1339 q = os_zalloc(sizeof(*q) + len);
1344 os_memcpy(q->msg, mgmt, len);
1346 /* Check whether there is already a queued Authentication frame from the
1347 * same station with the same transaction number and if so, replace that
1348 * queue entry with the new one. This avoids issues with a peer that
1349 * sends multiple times (e.g., due to frequent SAE retries). There is no
1350 * point in us trying to process the old attempts after a new one has
1351 * obsoleted them. */
1352 dl_list_for_each(q2, &hapd->sae_commit_queue,
1353 struct hostapd_sae_commit_queue, list) {
1354 mgmt2 = (const struct ieee80211_mgmt *) q2->msg;
1355 if (os_memcmp(mgmt->sa, mgmt2->sa, ETH_ALEN) == 0 &&
1356 mgmt->u.auth.auth_transaction ==
1357 mgmt2->u.auth.auth_transaction) {
1358 wpa_printf(MSG_DEBUG,
1359 "SAE: Replace queued message from same STA with same transaction number");
1360 dl_list_add(&q2->list, &q->list);
1361 dl_list_del(&q2->list);
1367 /* No pending identical entry, so add to the end of the queue */
1368 dl_list_add_tail(&hapd->sae_commit_queue, &q->list);
1371 if (eloop_is_timeout_registered(auth_sae_process_commit, hapd, NULL))
1373 eloop_register_timeout(0, queue_len * 10000, auth_sae_process_commit,
1378 static int auth_sae_queued_addr(struct hostapd_data *hapd, const u8 *addr)
1380 struct hostapd_sae_commit_queue *q;
1381 const struct ieee80211_mgmt *mgmt;
1383 dl_list_for_each(q, &hapd->sae_commit_queue,
1384 struct hostapd_sae_commit_queue, list) {
1385 mgmt = (const struct ieee80211_mgmt *) q->msg;
1386 if (os_memcmp(addr, mgmt->sa, ETH_ALEN) == 0)
1393 #endif /* CONFIG_SAE */
1396 static u16 wpa_res_to_status_code(int res)
1398 if (res == WPA_INVALID_GROUP)
1399 return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
1400 if (res == WPA_INVALID_PAIRWISE)
1401 return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
1402 if (res == WPA_INVALID_AKMP)
1403 return WLAN_STATUS_AKMP_NOT_VALID;
1404 if (res == WPA_ALLOC_FAIL)
1405 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1406 #ifdef CONFIG_IEEE80211W
1407 if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
1408 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
1409 if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
1410 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
1411 #endif /* CONFIG_IEEE80211W */
1412 if (res == WPA_INVALID_MDIE)
1413 return WLAN_STATUS_INVALID_MDIE;
1414 if (res == WPA_INVALID_PMKID)
1415 return WLAN_STATUS_INVALID_PMKID;
1416 if (res != WPA_IE_OK)
1417 return WLAN_STATUS_INVALID_IE;
1418 return WLAN_STATUS_SUCCESS;
1424 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1425 struct sta_info *sta, u16 resp,
1426 struct wpabuf *data, int pub);
1428 void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
1429 const u8 *pos, size_t len, u16 auth_alg,
1430 u16 auth_transaction, u16 status_code,
1431 void (*cb)(struct hostapd_data *hapd,
1432 struct sta_info *sta, u16 resp,
1433 struct wpabuf *data, int pub))
1435 u16 resp = WLAN_STATUS_SUCCESS;
1437 struct ieee802_11_elems elems;
1439 struct wpa_ie_data rsn;
1440 struct rsn_pmksa_cache_entry *pmksa = NULL;
1442 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
1447 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
1451 #ifdef CONFIG_FILS_SK_PFS
1452 if (auth_alg == WLAN_AUTH_FILS_SK_PFS) {
1457 /* Using FILS PFS */
1459 /* Finite Cyclic Group */
1460 if (end - pos < 2) {
1461 wpa_printf(MSG_DEBUG,
1462 "FILS: No room for Finite Cyclic Group");
1463 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1466 group = WPA_GET_LE16(pos);
1468 if (group != hapd->conf->fils_dh_group) {
1469 wpa_printf(MSG_DEBUG,
1470 "FILS: Unsupported Finite Cyclic Group: %u (expected %u)",
1471 group, hapd->conf->fils_dh_group);
1472 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1476 crypto_ecdh_deinit(sta->fils_ecdh);
1477 sta->fils_ecdh = crypto_ecdh_init(group);
1478 if (!sta->fils_ecdh) {
1479 wpa_printf(MSG_INFO,
1480 "FILS: Could not initialize ECDH with group %d",
1482 resp = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1486 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1488 wpa_printf(MSG_DEBUG,
1489 "FILS: Failed to derive ECDH public key");
1490 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1493 elem_len = wpabuf_len(pub);
1497 if ((size_t) (end - pos) < elem_len) {
1498 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
1499 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1503 wpabuf_free(sta->fils_g_sta);
1504 sta->fils_g_sta = wpabuf_alloc_copy(pos, elem_len);
1505 wpabuf_clear_free(sta->fils_dh_ss);
1506 sta->fils_dh_ss = crypto_ecdh_set_peerkey(sta->fils_ecdh, 1,
1508 if (!sta->fils_dh_ss) {
1509 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
1510 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1513 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", sta->fils_dh_ss);
1516 crypto_ecdh_deinit(sta->fils_ecdh);
1517 sta->fils_ecdh = NULL;
1518 wpabuf_clear_free(sta->fils_dh_ss);
1519 sta->fils_dh_ss = NULL;
1521 #endif /* CONFIG_FILS_SK_PFS */
1523 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
1524 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
1525 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
1526 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1531 wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
1532 elems.rsn_ie, elems.rsn_ie_len);
1533 if (!elems.rsn_ie ||
1534 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1536 wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
1537 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1542 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
1545 wpa_printf(MSG_DEBUG,
1546 "FILS: Failed to initialize RSN state machine");
1547 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1551 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
1553 elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1554 elems.mdie, elems.mdie_len, NULL, 0);
1555 resp = wpa_res_to_status_code(res);
1556 if (resp != WLAN_STATUS_SUCCESS)
1559 if (!elems.fils_nonce) {
1560 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
1561 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1564 wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
1566 os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
1569 if (rsn.pmkid && rsn.num_pmkid > 0) {
1573 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
1574 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
1577 num = rsn.num_pmkid;
1579 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
1580 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
1584 pmksa = wpa_auth_pmksa_get_fils_cache_id(hapd->wpa_auth,
1593 if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
1594 wpa_printf(MSG_DEBUG,
1595 "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
1596 wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
1600 wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
1603 if (!elems.fils_session) {
1604 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
1605 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1608 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
1610 os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
1612 /* FILS Wrapped Data */
1613 if (elems.fils_wrapped_data) {
1614 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
1615 elems.fils_wrapped_data,
1616 elems.fils_wrapped_data_len);
1618 #ifndef CONFIG_NO_RADIUS
1619 if (!sta->eapol_sm) {
1621 ieee802_1x_alloc_eapol_sm(hapd, sta);
1623 wpa_printf(MSG_DEBUG,
1624 "FILS: Forward EAP-Initiate/Re-auth to authentication server");
1625 ieee802_1x_encapsulate_radius(
1626 hapd, sta, elems.fils_wrapped_data,
1627 elems.fils_wrapped_data_len);
1628 sta->fils_pending_cb = cb;
1629 wpa_printf(MSG_DEBUG,
1630 "FILS: Will send Authentication frame once the response from authentication server is available");
1631 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
1632 /* Calculate pending PMKID here so that we do not need
1633 * to maintain a copy of the EAP-Initiate/Reauth
1635 if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1636 elems.fils_wrapped_data,
1637 elems.fils_wrapped_data_len,
1638 sta->fils_erp_pmkid) == 0)
1639 sta->fils_erp_pmkid_set = 1;
1641 #else /* CONFIG_NO_RADIUS */
1642 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1644 #endif /* CONFIG_NO_RADIUS */
1650 struct wpabuf *data;
1653 data = prepare_auth_resp_fils(hapd, sta, &resp, pmksa, NULL,
1656 wpa_printf(MSG_DEBUG,
1657 "%s: prepare_auth_resp_fils() returned failure",
1661 cb(hapd, sta, resp, data, pub);
1666 static struct wpabuf *
1667 prepare_auth_resp_fils(struct hostapd_data *hapd,
1668 struct sta_info *sta, u16 *resp,
1669 struct rsn_pmksa_cache_entry *pmksa,
1670 struct wpabuf *erp_resp,
1671 const u8 *msk, size_t msk_len,
1674 u8 fils_nonce[FILS_NONCE_LEN];
1676 struct wpabuf *data = NULL;
1679 const u8 *pmk = NULL;
1681 u8 pmk_buf[PMK_LEN_MAX];
1682 struct wpabuf *pub = NULL;
1684 if (*resp != WLAN_STATUS_SUCCESS)
1687 ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
1689 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1694 /* Add PMKID of the selected PMKSA into RSNE */
1695 ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
1697 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1701 os_memcpy(ie_buf, ie, ielen);
1702 if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
1703 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1709 if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
1710 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1713 wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
1714 fils_nonce, FILS_NONCE_LEN);
1716 #ifdef CONFIG_FILS_SK_PFS
1717 if (sta->fils_dh_ss && sta->fils_ecdh) {
1718 pub = crypto_ecdh_get_pubkey(sta->fils_ecdh, 1);
1720 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1724 #endif /* CONFIG_FILS_SK_PFS */
1726 data = wpabuf_alloc(1000 + ielen + (pub ? wpabuf_len(pub) : 0));
1728 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1733 #ifdef CONFIG_FILS_SK_PFS
1735 /* Finite Cyclic Group */
1736 wpabuf_put_le16(data, hapd->conf->fils_dh_group);
1739 wpabuf_put_buf(data, pub);
1741 #endif /* CONFIG_FILS_SK_PFS */
1744 wpabuf_put_data(data, ie, ielen);
1746 /* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
1748 #ifdef CONFIG_IEEE80211R_AP
1749 if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
1750 /* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
1752 int use_sha384 = wpa_key_mgmt_sha384(
1753 wpa_auth_sta_key_mgmt(sta->wpa_sm));
1755 res = wpa_auth_write_fte(hapd->wpa_auth, use_sha384,
1756 wpabuf_put(data, 0),
1757 wpabuf_tailroom(data));
1759 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1762 wpabuf_put(data, res);
1764 #endif /* CONFIG_IEEE80211R_AP */
1767 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1768 wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
1769 /* Element ID Extension */
1770 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
1771 wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
1774 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1775 wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
1776 /* Element ID Extension */
1777 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
1778 wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
1780 /* FILS Wrapped Data */
1781 if (!pmksa && erp_resp) {
1782 wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
1783 wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
1784 /* Element ID Extension */
1785 wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
1786 wpabuf_put_buf(data, erp_resp);
1788 if (fils_rmsk_to_pmk(wpa_auth_sta_key_mgmt(sta->wpa_sm),
1789 msk, msk_len, sta->fils_snonce, fils_nonce,
1791 wpabuf_head(sta->fils_dh_ss) : NULL,
1793 wpabuf_len(sta->fils_dh_ss) : 0,
1794 pmk_buf, &pmk_len)) {
1795 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PMK");
1796 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1803 /* Don't use DHss in PTK derivation if PMKSA caching is not
1805 wpabuf_clear_free(sta->fils_dh_ss);
1806 sta->fils_dh_ss = NULL;
1808 if (sta->fils_erp_pmkid_set) {
1809 /* TODO: get PMKLifetime from WPA parameters */
1810 unsigned int dot11RSNAConfigPMKLifetime = 43200;
1811 int session_timeout;
1813 session_timeout = dot11RSNAConfigPMKLifetime;
1814 if (sta->session_timeout_set) {
1815 struct os_reltime now, diff;
1817 os_get_reltime(&now);
1818 os_reltime_sub(&sta->session_timeout, &now,
1820 session_timeout = diff.sec;
1823 sta->fils_erp_pmkid_set = 0;
1824 wpa_auth_add_fils_pmk_pmkid(sta->wpa_sm, pmk, pmk_len,
1825 sta->fils_erp_pmkid);
1826 if (!hapd->conf->disable_pmksa_caching &&
1827 wpa_auth_pmksa_add2(
1828 hapd->wpa_auth, sta->addr,
1830 sta->fils_erp_pmkid,
1832 wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
1833 wpa_printf(MSG_ERROR,
1834 "FILS: Failed to add PMKSA cache entry based on ERP");
1839 pmk_len = pmksa->pmk_len;
1843 wpa_printf(MSG_DEBUG, "FILS: No PMK available");
1844 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1850 if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
1851 sta->fils_snonce, fils_nonce,
1853 wpabuf_head(sta->fils_dh_ss) : NULL,
1855 wpabuf_len(sta->fils_dh_ss) : 0,
1856 sta->fils_g_sta, pub) < 0) {
1857 *resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1865 *is_pub = pub != NULL;
1868 wpabuf_clear_free(sta->fils_dh_ss);
1869 sta->fils_dh_ss = NULL;
1870 #ifdef CONFIG_FILS_SK_PFS
1871 crypto_ecdh_deinit(sta->fils_ecdh);
1872 sta->fils_ecdh = NULL;
1873 #endif /* CONFIG_FILS_SK_PFS */
1878 static void handle_auth_fils_finish(struct hostapd_data *hapd,
1879 struct sta_info *sta, u16 resp,
1880 struct wpabuf *data, int pub)
1885 resp == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) ?
1886 WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1887 send_auth_reply(hapd, sta->addr, hapd->own_addr, auth_alg, 2, resp,
1888 data ? wpabuf_head(data) : (u8 *) "",
1889 data ? wpabuf_len(data) : 0, "auth-fils-finish");
1892 if (resp == WLAN_STATUS_SUCCESS) {
1893 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
1894 HOSTAPD_LEVEL_DEBUG,
1895 "authentication OK (FILS)");
1896 sta->flags |= WLAN_STA_AUTH;
1897 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
1898 sta->auth_alg = pub ? WLAN_AUTH_FILS_SK_PFS : WLAN_AUTH_FILS_SK;
1899 mlme_authenticate_indication(hapd, sta);
1904 void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
1905 struct sta_info *sta, int success,
1906 struct wpabuf *erp_resp,
1907 const u8 *msk, size_t msk_len)
1909 struct wpabuf *data;
1913 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
1915 if (!sta->fils_pending_cb)
1917 resp = success ? WLAN_STATUS_SUCCESS : WLAN_STATUS_UNSPECIFIED_FAILURE;
1918 data = prepare_auth_resp_fils(hapd, sta, &resp, NULL, erp_resp,
1919 msk, msk_len, &pub);
1921 wpa_printf(MSG_DEBUG,
1922 "%s: prepare_auth_resp_fils() returned failure",
1925 sta->fils_pending_cb(hapd, sta, resp, data, pub);
1928 #endif /* CONFIG_FILS */
1932 ieee802_11_allowed_address(struct hostapd_data *hapd, const u8 *addr,
1933 const u8 *msg, size_t len, u32 *session_timeout,
1934 u32 *acct_interim_interval,
1935 struct vlan_description *vlan_id,
1936 struct hostapd_sta_wpa_psk_short **psk,
1937 char **identity, char **radius_cui, int is_probe_req)
1941 os_memset(vlan_id, 0, sizeof(*vlan_id));
1942 res = hostapd_allowed_address(hapd, addr, msg, len,
1943 session_timeout, acct_interim_interval,
1944 vlan_id, psk, identity, radius_cui,
1947 if (res == HOSTAPD_ACL_REJECT) {
1949 wpa_printf(MSG_DEBUG,
1951 " not allowed to authenticate",
1953 return HOSTAPD_ACL_REJECT;
1956 if (res == HOSTAPD_ACL_PENDING) {
1957 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
1958 " waiting for an external authentication",
1960 /* Authentication code will re-send the authentication frame
1961 * after it has received (and cached) information from the
1962 * external source. */
1963 return HOSTAPD_ACL_PENDING;
1971 ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
1972 int res, u32 session_timeout,
1973 u32 acct_interim_interval,
1974 struct vlan_description *vlan_id,
1975 struct hostapd_sta_wpa_psk_short **psk,
1976 char **identity, char **radius_cui)
1978 if (vlan_id->notempty &&
1979 !hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
1980 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1982 "Invalid VLAN %d%s received from RADIUS server",
1984 vlan_id->tagged[0] ? "+" : "");
1987 if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
1990 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
1991 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
1993 hostapd_free_psk_list(sta->psk);
1994 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
2001 os_free(sta->identity);
2002 sta->identity = *identity;
2005 os_free(sta->radius_cui);
2006 sta->radius_cui = *radius_cui;
2009 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval)
2010 sta->acct_interim_interval = acct_interim_interval;
2011 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
2012 sta->session_timeout_set = 1;
2013 os_get_reltime(&sta->session_timeout);
2014 sta->session_timeout.sec += session_timeout;
2015 ap_sta_session_timeout(hapd, sta, session_timeout);
2017 sta->session_timeout_set = 0;
2018 ap_sta_no_session_timeout(hapd, sta);
2025 static void handle_auth(struct hostapd_data *hapd,
2026 const struct ieee80211_mgmt *mgmt, size_t len,
2027 int rssi, int from_queue)
2029 u16 auth_alg, auth_transaction, status_code;
2030 u16 resp = WLAN_STATUS_SUCCESS;
2031 struct sta_info *sta = NULL;
2034 const u8 *challenge = NULL;
2035 u32 session_timeout, acct_interim_interval;
2036 struct vlan_description vlan_id;
2037 struct hostapd_sta_wpa_psk_short *psk = NULL;
2038 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
2039 size_t resp_ies_len = 0;
2040 char *identity = NULL;
2041 char *radius_cui = NULL;
2044 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
2045 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
2046 (unsigned long) len);
2050 #ifdef CONFIG_TESTING_OPTIONS
2051 if (hapd->iconf->ignore_auth_probability > 0.0 &&
2052 drand48() < hapd->iconf->ignore_auth_probability) {
2053 wpa_printf(MSG_INFO,
2054 "TESTING: ignoring auth frame from " MACSTR,
2058 #endif /* CONFIG_TESTING_OPTIONS */
2060 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
2061 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
2062 status_code = le_to_host16(mgmt->u.auth.status_code);
2063 fc = le_to_host16(mgmt->frame_control);
2064 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
2066 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) +
2067 2 + WLAN_AUTH_CHALLENGE_LEN &&
2068 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE &&
2069 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN)
2070 challenge = &mgmt->u.auth.variable[2];
2072 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d "
2073 "auth_transaction=%d status_code=%d wep=%d%s "
2074 "seq_ctrl=0x%x%s%s",
2075 MAC2STR(mgmt->sa), auth_alg, auth_transaction,
2076 status_code, !!(fc & WLAN_FC_ISWEP),
2077 challenge ? " challenge" : "",
2078 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "",
2079 from_queue ? " (from queue)" : "");
2081 #ifdef CONFIG_NO_RC4
2082 if (auth_alg == WLAN_AUTH_SHARED_KEY) {
2083 wpa_printf(MSG_INFO,
2084 "Unsupported authentication algorithm (%d)",
2086 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2089 #endif /* CONFIG_NO_RC4 */
2091 if (hapd->tkip_countermeasures) {
2092 wpa_printf(MSG_DEBUG,
2093 "Ongoing TKIP countermeasures (Michael MIC failure) - reject authentication");
2094 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2098 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
2099 auth_alg == WLAN_AUTH_OPEN) ||
2100 #ifdef CONFIG_IEEE80211R_AP
2101 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
2102 auth_alg == WLAN_AUTH_FT) ||
2103 #endif /* CONFIG_IEEE80211R_AP */
2105 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
2106 auth_alg == WLAN_AUTH_SAE) ||
2107 #endif /* CONFIG_SAE */
2109 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2110 auth_alg == WLAN_AUTH_FILS_SK) ||
2111 (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
2112 hapd->conf->fils_dh_group &&
2113 auth_alg == WLAN_AUTH_FILS_SK_PFS) ||
2114 #endif /* CONFIG_FILS */
2115 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
2116 auth_alg == WLAN_AUTH_SHARED_KEY))) {
2117 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
2119 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
2123 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE ||
2124 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) {
2125 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)",
2127 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
2131 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
2132 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate",
2134 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2138 if (hapd->conf->no_auth_if_seen_on) {
2139 struct hostapd_data *other;
2141 other = sta_track_seen_on(hapd->iface, mgmt->sa,
2142 hapd->conf->no_auth_if_seen_on);
2146 u8 op_class, channel, phytype;
2148 wpa_printf(MSG_DEBUG, "%s: Reject authentication from "
2149 MACSTR " since STA has been seen on %s",
2150 hapd->conf->iface, MAC2STR(mgmt->sa),
2151 hapd->conf->no_auth_if_seen_on);
2153 resp = WLAN_STATUS_REJECTED_WITH_SUGGESTED_BSS_TRANSITION;
2155 *pos++ = WLAN_EID_NEIGHBOR_REPORT;
2157 os_memcpy(pos, other->own_addr, ETH_ALEN);
2159 info = 0; /* TODO: BSSID Information */
2160 WPA_PUT_LE32(pos, info);
2162 if (other->iconf->hw_mode == HOSTAPD_MODE_IEEE80211AD)
2163 phytype = 8; /* dmg */
2164 else if (other->iconf->ieee80211ac)
2165 phytype = 9; /* vht */
2166 else if (other->iconf->ieee80211n)
2167 phytype = 7; /* ht */
2168 else if (other->iconf->hw_mode ==
2169 HOSTAPD_MODE_IEEE80211A)
2170 phytype = 4; /* ofdm */
2171 else if (other->iconf->hw_mode ==
2172 HOSTAPD_MODE_IEEE80211G)
2173 phytype = 6; /* erp */
2175 phytype = 5; /* hrdsss */
2176 if (ieee80211_freq_to_channel_ext(
2177 hostapd_hw_get_freq(other,
2178 other->iconf->channel),
2179 other->iconf->secondary_channel,
2180 other->iconf->ieee80211ac,
2181 &op_class, &channel) == NUM_HOSTAPD_MODES) {
2183 channel = other->iconf->channel;
2188 resp_ies_len = pos - &resp_ies[0];
2193 res = ieee802_11_allowed_address(
2194 hapd, mgmt->sa, (const u8 *) mgmt, len, &session_timeout,
2195 &acct_interim_interval, &vlan_id, &psk, &identity, &radius_cui,
2197 if (res == HOSTAPD_ACL_REJECT) {
2198 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
2199 "Ignore Authentication frame from " MACSTR
2200 " due to ACL reject", MAC2STR(mgmt->sa));
2201 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2204 if (res == HOSTAPD_ACL_PENDING)
2208 if (auth_alg == WLAN_AUTH_SAE && !from_queue &&
2209 (auth_transaction == 1 ||
2210 (auth_transaction == 2 && auth_sae_queued_addr(hapd, mgmt->sa)))) {
2211 /* Handle SAE Authentication commit message through a queue to
2212 * provide more control for postponing the needed heavy
2213 * processing under a possible DoS attack scenario. In addition,
2214 * queue SAE Authentication confirm message if there happens to
2215 * be a queued commit message from the same peer. This is needed
2216 * to avoid reordering Authentication frames within the same
2218 auth_sae_queue(hapd, mgmt, len, rssi);
2221 #endif /* CONFIG_SAE */
2223 sta = ap_get_sta(hapd, mgmt->sa);
2225 sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
2226 sta->ft_over_ds = 0;
2227 if ((fc & WLAN_FC_RETRY) &&
2228 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
2229 sta->last_seq_ctrl == seq_ctrl &&
2230 sta->last_subtype == WLAN_FC_STYPE_AUTH) {
2231 hostapd_logger(hapd, sta->addr,
2232 HOSTAPD_MODULE_IEEE80211,
2233 HOSTAPD_LEVEL_DEBUG,
2234 "Drop repeated authentication frame seq_ctrl=0x%x",
2239 if ((hapd->conf->mesh & MESH_ENABLED) &&
2240 sta->plink_state == PLINK_BLOCKED) {
2241 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2242 " is blocked - drop Authentication frame",
2246 #endif /* CONFIG_MESH */
2249 if (hapd->conf->mesh & MESH_ENABLED) {
2250 /* if the mesh peer is not available, we don't do auth.
2252 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
2253 " not yet known - drop Authentication frame",
2256 * Save a copy of the frame so that it can be processed
2257 * if a new peer entry is added shortly after this.
2259 wpabuf_free(hapd->mesh_pending_auth);
2260 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len);
2261 os_get_reltime(&hapd->mesh_pending_auth_time);
2264 #endif /* CONFIG_MESH */
2266 sta = ap_sta_add(hapd, mgmt->sa);
2268 wpa_printf(MSG_DEBUG, "ap_sta_add() failed");
2269 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2273 sta->last_seq_ctrl = seq_ctrl;
2274 sta->last_subtype = WLAN_FC_STYPE_AUTH;
2276 sta->auth_rssi = rssi;
2277 #endif /* CONFIG_MBO */
2279 res = ieee802_11_set_radius_info(
2280 hapd, sta, res, session_timeout, acct_interim_interval,
2281 &vlan_id, &psk, &identity, &radius_cui);
2283 wpa_printf(MSG_DEBUG, "ieee802_11_set_radius_info() failed");
2284 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2288 sta->flags &= ~WLAN_STA_PREAUTH;
2289 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
2292 * If the driver supports full AP client state, add a station to the
2293 * driver before sending authentication reply to make sure the driver
2294 * has resources, and not to go through the entire authentication and
2295 * association handshake, and fail it at the end.
2297 * If this is not the first transaction, in a multi-step authentication
2298 * algorithm, the station already exists in the driver
2299 * (sta->added_unassoc = 1) so skip it.
2301 * In mesh mode, the station was already added to the driver when the
2302 * NEW_PEER_CANDIDATE event is received.
2304 * If PMF was negotiated for the existing association, skip this to
2305 * avoid dropping the STA entry and the associated keys. This is needed
2306 * to allow the original connection work until the attempt can complete
2307 * (re)association, so that unprotected Authentication frame cannot be
2308 * used to bypass PMF protection.
2310 if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
2311 (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
2312 !(hapd->conf->mesh & MESH_ENABLED) &&
2313 !(sta->added_unassoc)) {
2315 * If a station that is already associated to the AP, is trying
2316 * to authenticate again, remove the STA entry, in order to make
2317 * sure the STA PS state gets cleared and configuration gets
2318 * updated. To handle this, station's added_unassoc flag is
2319 * cleared once the station has completed association.
2321 ap_sta_set_authorized(hapd, sta, 0);
2322 hostapd_drv_sta_remove(hapd, sta->addr);
2323 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_AUTH |
2324 WLAN_STA_AUTHORIZED);
2326 if (hostapd_sta_add(hapd, sta->addr, 0, 0, NULL, 0, 0,
2327 NULL, NULL, sta->flags, 0, 0, 0, 0)) {
2328 hostapd_logger(hapd, sta->addr,
2329 HOSTAPD_MODULE_IEEE80211,
2330 HOSTAPD_LEVEL_NOTICE,
2331 "Could not add STA to kernel driver");
2332 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
2336 sta->added_unassoc = 1;
2340 case WLAN_AUTH_OPEN:
2341 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2342 HOSTAPD_LEVEL_DEBUG,
2343 "authentication OK (open system)");
2344 sta->flags |= WLAN_STA_AUTH;
2345 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
2346 sta->auth_alg = WLAN_AUTH_OPEN;
2347 mlme_authenticate_indication(hapd, sta);
2349 #ifndef CONFIG_NO_RC4
2350 case WLAN_AUTH_SHARED_KEY:
2351 resp = auth_shared_key(hapd, sta, auth_transaction, challenge,
2352 fc & WLAN_FC_ISWEP);
2354 wpa_printf(MSG_DEBUG,
2355 "auth_shared_key() failed: status=%d", resp);
2356 sta->auth_alg = WLAN_AUTH_SHARED_KEY;
2357 mlme_authenticate_indication(hapd, sta);
2358 if (sta->challenge && auth_transaction == 1) {
2359 resp_ies[0] = WLAN_EID_CHALLENGE;
2360 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN;
2361 os_memcpy(resp_ies + 2, sta->challenge,
2362 WLAN_AUTH_CHALLENGE_LEN);
2363 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN;
2366 #endif /* CONFIG_NO_RC4 */
2367 #ifdef CONFIG_IEEE80211R_AP
2369 sta->auth_alg = WLAN_AUTH_FT;
2370 if (sta->wpa_sm == NULL)
2371 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2373 if (sta->wpa_sm == NULL) {
2374 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA "
2376 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2379 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid,
2380 auth_transaction, mgmt->u.auth.variable,
2381 len - IEEE80211_HDRLEN -
2382 sizeof(mgmt->u.auth),
2383 handle_auth_ft_finish, hapd);
2384 /* handle_auth_ft_finish() callback will complete auth. */
2386 #endif /* CONFIG_IEEE80211R_AP */
2390 if (status_code == WLAN_STATUS_SUCCESS &&
2391 hapd->conf->mesh & MESH_ENABLED) {
2392 if (sta->wpa_sm == NULL)
2394 wpa_auth_sta_init(hapd->wpa_auth,
2396 if (sta->wpa_sm == NULL) {
2397 wpa_printf(MSG_DEBUG,
2398 "SAE: Failed to initialize WPA state machine");
2399 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
2403 #endif /* CONFIG_MESH */
2404 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction,
2407 #endif /* CONFIG_SAE */
2409 case WLAN_AUTH_FILS_SK:
2410 case WLAN_AUTH_FILS_SK_PFS:
2411 handle_auth_fils(hapd, sta, mgmt->u.auth.variable,
2412 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
2413 auth_alg, auth_transaction, status_code,
2414 handle_auth_fils_finish);
2416 #endif /* CONFIG_FILS */
2421 os_free(radius_cui);
2422 hostapd_free_psk_list(psk);
2424 reply_res = send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg,
2425 auth_transaction + 1, resp, resp_ies,
2426 resp_ies_len, "handle-auth");
2428 if (sta && sta->added_unassoc && (resp != WLAN_STATUS_SUCCESS ||
2429 reply_res != WLAN_STATUS_SUCCESS)) {
2430 hostapd_drv_sta_remove(hapd, sta->addr);
2431 sta->added_unassoc = 0;
2436 int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta)
2440 /* get a unique AID */
2442 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid);
2449 for (i = 0; i < AID_WORDS; i++) {
2450 if (hapd->sta_aid[i] == (u32) -1)
2452 for (j = 0; j < 32; j++) {
2453 if (!(hapd->sta_aid[i] & BIT(j)))
2461 aid = i * 32 + j + 1;
2466 hapd->sta_aid[i] |= BIT(j);
2467 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid);
2472 static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta,
2473 const u8 *ssid_ie, size_t ssid_ie_len)
2475 if (ssid_ie == NULL)
2476 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2478 if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
2479 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
2480 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2482 "Station tried to associate with unknown SSID "
2483 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len));
2484 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2487 return WLAN_STATUS_SUCCESS;
2491 static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta,
2492 const u8 *wmm_ie, size_t wmm_ie_len)
2494 sta->flags &= ~WLAN_STA_WMM;
2496 if (wmm_ie && hapd->conf->wmm_enabled) {
2497 struct wmm_information_element *wmm;
2499 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) {
2500 hostapd_logger(hapd, sta->addr,
2502 HOSTAPD_LEVEL_DEBUG,
2503 "invalid WMM element in association "
2505 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2508 sta->flags |= WLAN_STA_WMM;
2509 wmm = (struct wmm_information_element *) wmm_ie;
2510 sta->qosinfo = wmm->qos_info;
2512 return WLAN_STATUS_SUCCESS;
2515 static u16 check_multi_ap(struct hostapd_data *hapd, struct sta_info *sta,
2516 const u8 *multi_ap_ie, size_t multi_ap_len)
2518 u8 multi_ap_value = 0;
2520 sta->flags &= ~WLAN_STA_MULTI_AP;
2522 if (!hapd->conf->multi_ap)
2523 return WLAN_STATUS_SUCCESS;
2526 const u8 *multi_ap_subelem;
2528 multi_ap_subelem = get_ie(multi_ap_ie + 4,
2530 MULTI_AP_SUB_ELEM_TYPE);
2531 if (multi_ap_subelem && multi_ap_subelem[1] == 1) {
2532 multi_ap_value = multi_ap_subelem[2];
2534 hostapd_logger(hapd, sta->addr,
2535 HOSTAPD_MODULE_IEEE80211,
2537 "Multi-AP IE has missing or invalid Multi-AP subelement");
2538 return WLAN_STATUS_INVALID_IE;
2542 if (multi_ap_value && multi_ap_value != MULTI_AP_BACKHAUL_STA)
2543 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2545 "Multi-AP IE with unexpected value 0x%02x",
2548 if (!(multi_ap_value & MULTI_AP_BACKHAUL_STA)) {
2549 if (hapd->conf->multi_ap & FRONTHAUL_BSS)
2550 return WLAN_STATUS_SUCCESS;
2552 hostapd_logger(hapd, sta->addr,
2553 HOSTAPD_MODULE_IEEE80211,
2555 "Non-Multi-AP STA tries to associate with backhaul-only BSS");
2556 return WLAN_STATUS_ASSOC_DENIED_UNSPEC;
2559 if (!(hapd->conf->multi_ap & BACKHAUL_BSS))
2560 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2561 HOSTAPD_LEVEL_DEBUG,
2562 "Backhaul STA tries to associate with fronthaul-only BSS");
2564 sta->flags |= WLAN_STA_MULTI_AP;
2565 return WLAN_STATUS_SUCCESS;
2569 static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta,
2570 struct ieee802_11_elems *elems)
2572 /* Supported rates not used in IEEE 802.11ad/DMG */
2573 if (hapd->iface->current_mode &&
2574 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD)
2575 return WLAN_STATUS_SUCCESS;
2577 if (!elems->supp_rates) {
2578 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2579 HOSTAPD_LEVEL_DEBUG,
2580 "No supported rates element in AssocReq");
2581 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2584 if (elems->supp_rates_len + elems->ext_supp_rates_len >
2585 sizeof(sta->supported_rates)) {
2586 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2587 HOSTAPD_LEVEL_DEBUG,
2588 "Invalid supported rates element length %d+%d",
2589 elems->supp_rates_len,
2590 elems->ext_supp_rates_len);
2591 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2594 sta->supported_rates_len = merge_byte_arrays(
2595 sta->supported_rates, sizeof(sta->supported_rates),
2596 elems->supp_rates, elems->supp_rates_len,
2597 elems->ext_supp_rates, elems->ext_supp_rates_len);
2599 return WLAN_STATUS_SUCCESS;
2603 static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
2604 const u8 *ext_capab_ie, size_t ext_capab_ie_len)
2606 #ifdef CONFIG_INTERWORKING
2607 /* check for QoS Map support */
2608 if (ext_capab_ie_len >= 5) {
2609 if (ext_capab_ie[4] & 0x01)
2610 sta->qos_map_enabled = 1;
2612 #endif /* CONFIG_INTERWORKING */
2614 if (ext_capab_ie_len > 0) {
2615 sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
2616 os_free(sta->ext_capability);
2617 sta->ext_capability = os_malloc(1 + ext_capab_ie_len);
2618 if (sta->ext_capability) {
2619 sta->ext_capability[0] = ext_capab_ie_len;
2620 os_memcpy(sta->ext_capability + 1, ext_capab_ie,
2625 return WLAN_STATUS_SUCCESS;
2631 static int owe_group_supported(struct hostapd_data *hapd, u16 group)
2634 int *groups = hapd->conf->owe_groups;
2636 if (group != 19 && group != 20 && group != 21)
2642 for (i = 0; groups[i] > 0; i++) {
2643 if (groups[i] == group)
2651 static u16 owe_process_assoc_req(struct hostapd_data *hapd,
2652 struct sta_info *sta, const u8 *owe_dh,
2655 struct wpabuf *secret, *pub, *hkey;
2657 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
2658 const char *info = "OWE Key Generation";
2662 size_t hash_len, prime_len;
2664 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
2665 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
2666 return WLAN_STATUS_SUCCESS;
2669 group = WPA_GET_LE16(owe_dh);
2670 if (!owe_group_supported(hapd, group)) {
2671 wpa_printf(MSG_DEBUG, "OWE: Unsupported DH group %u", group);
2672 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2676 else if (group == 20)
2678 else if (group == 21)
2681 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2683 crypto_ecdh_deinit(sta->owe_ecdh);
2684 sta->owe_ecdh = crypto_ecdh_init(group);
2686 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
2687 sta->owe_group = group;
2689 secret = crypto_ecdh_set_peerkey(sta->owe_ecdh, 0, owe_dh + 2,
2691 secret = wpabuf_zeropad(secret, prime_len);
2693 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
2694 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2696 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
2698 /* prk = HKDF-extract(C | A | group, z) */
2700 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
2702 wpabuf_clear_free(secret);
2703 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2706 /* PMKID = Truncate-128(Hash(C | A)) */
2707 addr[0] = owe_dh + 2;
2708 len[0] = owe_dh_len - 2;
2709 addr[1] = wpabuf_head(pub);
2710 len[1] = wpabuf_len(pub);
2712 res = sha256_vector(2, addr, len, pmkid);
2713 hash_len = SHA256_MAC_LEN;
2714 } else if (group == 20) {
2715 res = sha384_vector(2, addr, len, pmkid);
2716 hash_len = SHA384_MAC_LEN;
2717 } else if (group == 21) {
2718 res = sha512_vector(2, addr, len, pmkid);
2719 hash_len = SHA512_MAC_LEN;
2722 wpabuf_clear_free(secret);
2723 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2725 pub = wpabuf_zeropad(pub, prime_len);
2726 if (res < 0 || !pub) {
2728 wpabuf_clear_free(secret);
2729 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2732 hkey = wpabuf_alloc(owe_dh_len - 2 + wpabuf_len(pub) + 2);
2735 wpabuf_clear_free(secret);
2736 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2739 wpabuf_put_data(hkey, owe_dh + 2, owe_dh_len - 2); /* C */
2740 wpabuf_put_buf(hkey, pub); /* A */
2742 wpabuf_put_le16(hkey, group); /* group */
2744 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
2745 wpabuf_head(secret), wpabuf_len(secret), prk);
2746 else if (group == 20)
2747 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
2748 wpabuf_head(secret), wpabuf_len(secret), prk);
2749 else if (group == 21)
2750 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
2751 wpabuf_head(secret), wpabuf_len(secret), prk);
2752 wpabuf_clear_free(hkey);
2753 wpabuf_clear_free(secret);
2755 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2757 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
2759 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
2761 os_free(sta->owe_pmk);
2762 sta->owe_pmk = os_malloc(hash_len);
2763 if (!sta->owe_pmk) {
2764 os_memset(prk, 0, SHA512_MAC_LEN);
2765 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2769 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
2770 os_strlen(info), sta->owe_pmk, hash_len);
2771 else if (group == 20)
2772 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
2773 os_strlen(info), sta->owe_pmk, hash_len);
2774 else if (group == 21)
2775 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
2776 os_strlen(info), sta->owe_pmk, hash_len);
2777 os_memset(prk, 0, SHA512_MAC_LEN);
2779 os_free(sta->owe_pmk);
2780 sta->owe_pmk = NULL;
2781 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2783 sta->owe_pmk_len = hash_len;
2785 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sta->owe_pmk, sta->owe_pmk_len);
2786 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
2787 wpa_auth_pmksa_add2(hapd->wpa_auth, sta->addr, sta->owe_pmk,
2788 sta->owe_pmk_len, pmkid, 0, WPA_KEY_MGMT_OWE);
2790 return WLAN_STATUS_SUCCESS;
2793 #endif /* CONFIG_OWE */
2796 static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
2797 const u8 *ies, size_t ies_len, int reassoc)
2799 struct ieee802_11_elems elems;
2803 const u8 *p2p_dev_addr = NULL;
2805 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2806 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2807 HOSTAPD_LEVEL_INFO, "Station sent an invalid "
2808 "association request");
2809 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2812 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len);
2813 if (resp != WLAN_STATUS_SUCCESS)
2815 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len);
2816 if (resp != WLAN_STATUS_SUCCESS)
2818 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len);
2819 if (resp != WLAN_STATUS_SUCCESS)
2821 resp = copy_supp_rates(hapd, sta, &elems);
2822 if (resp != WLAN_STATUS_SUCCESS)
2825 resp = check_multi_ap(hapd, sta, elems.multi_ap, elems.multi_ap_len);
2826 if (resp != WLAN_STATUS_SUCCESS)
2829 #ifdef CONFIG_IEEE80211N
2830 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities);
2831 if (resp != WLAN_STATUS_SUCCESS)
2833 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht &&
2834 !(sta->flags & WLAN_STA_HT)) {
2835 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2836 HOSTAPD_LEVEL_INFO, "Station does not support "
2837 "mandatory HT PHY - reject association");
2838 return WLAN_STATUS_ASSOC_DENIED_NO_HT;
2840 #endif /* CONFIG_IEEE80211N */
2842 #ifdef CONFIG_IEEE80211AC
2843 if (hapd->iconf->ieee80211ac) {
2844 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities);
2845 if (resp != WLAN_STATUS_SUCCESS)
2848 resp = copy_sta_vht_oper(hapd, sta, elems.vht_operation);
2849 if (resp != WLAN_STATUS_SUCCESS)
2852 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif);
2853 if (resp != WLAN_STATUS_SUCCESS)
2857 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht &&
2858 !(sta->flags & WLAN_STA_VHT)) {
2859 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2860 HOSTAPD_LEVEL_INFO, "Station does not support "
2861 "mandatory VHT PHY - reject association");
2862 return WLAN_STATUS_ASSOC_DENIED_NO_VHT;
2865 if (hapd->conf->vendor_vht && !elems.vht_capabilities) {
2866 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht,
2867 elems.vendor_vht_len);
2868 if (resp != WLAN_STATUS_SUCCESS)
2871 #endif /* CONFIG_IEEE80211AC */
2875 wpabuf_free(sta->p2p_ie);
2876 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2877 P2P_IE_VENDOR_TYPE);
2879 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie);
2881 wpabuf_free(sta->p2p_ie);
2884 #endif /* CONFIG_P2P */
2886 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) {
2887 wpa_ie = elems.rsn_ie;
2888 wpa_ie_len = elems.rsn_ie_len;
2889 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) &&
2891 wpa_ie = elems.wpa_ie;
2892 wpa_ie_len = elems.wpa_ie_len;
2899 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
2900 if (hapd->conf->wps_state && elems.wps_ie) {
2901 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association "
2902 "Request - assume WPS is used");
2903 sta->flags |= WLAN_STA_WPS;
2904 wpabuf_free(sta->wps_ie);
2905 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len,
2906 WPS_IE_VENDOR_TYPE);
2907 if (sta->wps_ie && wps_is_20(sta->wps_ie)) {
2908 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0");
2909 sta->flags |= WLAN_STA_WPS2;
2913 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) {
2914 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in "
2915 "(Re)Association Request - reject");
2916 return WLAN_STATUS_INVALID_IE;
2918 } else if (hapd->conf->wps_state && wpa_ie == NULL) {
2919 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in "
2920 "(Re)Association Request - possible WPS use");
2921 sta->flags |= WLAN_STA_MAYBE_WPS;
2923 #endif /* CONFIG_WPS */
2924 if (hapd->conf->wpa && wpa_ie == NULL) {
2925 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
2927 "No WPA/RSN IE in association request");
2928 return WLAN_STATUS_INVALID_IE;
2931 if (hapd->conf->wpa && wpa_ie) {
2935 if (sta->wpa_sm == NULL)
2936 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
2939 if (sta->wpa_sm == NULL) {
2940 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
2942 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2944 wpa_auth_set_auth_alg(sta->wpa_sm, sta->auth_alg);
2945 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
2948 elems.mdie, elems.mdie_len,
2949 elems.owe_dh, elems.owe_dh_len);
2950 resp = wpa_res_to_status_code(res);
2951 if (resp != WLAN_STATUS_SUCCESS)
2953 #ifdef CONFIG_IEEE80211W
2954 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2955 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2956 !sta->sa_query_timed_out &&
2957 sta->sa_query_count > 0)
2958 ap_check_sa_query_timeout(hapd, sta);
2959 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
2960 (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
2961 !sta->sa_query_timed_out &&
2962 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
2964 * STA has already been associated with MFP and SA
2965 * Query timeout has not been reached. Reject the
2966 * association attempt temporarily and start SA Query,
2967 * if one is not pending.
2970 if (sta->sa_query_count == 0)
2971 ap_sta_start_sa_query(hapd, sta);
2973 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
2976 if (wpa_auth_uses_mfp(sta->wpa_sm))
2977 sta->flags |= WLAN_STA_MFP;
2979 sta->flags &= ~WLAN_STA_MFP;
2980 #endif /* CONFIG_IEEE80211W */
2982 #ifdef CONFIG_IEEE80211R_AP
2983 if (sta->auth_alg == WLAN_AUTH_FT) {
2985 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
2986 "to use association (not "
2987 "re-association) with FT auth_alg",
2988 MAC2STR(sta->addr));
2989 return WLAN_STATUS_UNSPECIFIED_FAILURE;
2992 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies,
2994 if (resp != WLAN_STATUS_SUCCESS)
2997 #endif /* CONFIG_IEEE80211R_AP */
3000 if (wpa_auth_uses_sae(sta->wpa_sm) && sta->sae &&
3001 sta->sae->state == SAE_ACCEPTED)
3002 wpa_auth_add_sae_pmkid(sta->wpa_sm, sta->sae->pmkid);
3004 if (wpa_auth_uses_sae(sta->wpa_sm) &&
3005 sta->auth_alg == WLAN_AUTH_OPEN) {
3006 struct rsn_pmksa_cache_entry *sa;
3007 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
3008 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
3009 wpa_printf(MSG_DEBUG,
3010 "SAE: No PMKSA cache entry found for "
3011 MACSTR, MAC2STR(sta->addr));
3012 return WLAN_STATUS_INVALID_PMKID;
3014 wpa_printf(MSG_DEBUG, "SAE: " MACSTR
3015 " using PMKSA caching", MAC2STR(sta->addr));
3016 } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
3017 sta->auth_alg != WLAN_AUTH_SAE &&
3018 !(sta->auth_alg == WLAN_AUTH_FT &&
3019 wpa_auth_uses_ft_sae(sta->wpa_sm))) {
3020 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
3021 "SAE AKM after non-SAE auth_alg %u",
3022 MAC2STR(sta->addr), sta->auth_alg);
3023 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
3025 #endif /* CONFIG_SAE */
3028 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3029 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
3031 resp = owe_process_assoc_req(hapd, sta, elems.owe_dh,
3033 if (resp != WLAN_STATUS_SUCCESS)
3036 #endif /* CONFIG_OWE */
3039 dpp_pfs_free(sta->dpp_pfs);
3040 sta->dpp_pfs = NULL;
3042 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3043 hapd->conf->dpp_netaccesskey && sta->wpa_sm &&
3044 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP &&
3046 sta->dpp_pfs = dpp_pfs_init(
3047 wpabuf_head(hapd->conf->dpp_netaccesskey),
3048 wpabuf_len(hapd->conf->dpp_netaccesskey));
3049 if (!sta->dpp_pfs) {
3050 wpa_printf(MSG_DEBUG,
3051 "DPP: Could not initialize PFS");
3052 /* Try to continue without PFS */
3056 if (dpp_pfs_process(sta->dpp_pfs, elems.owe_dh,
3057 elems.owe_dh_len) < 0) {
3058 dpp_pfs_free(sta->dpp_pfs);
3059 sta->dpp_pfs = NULL;
3060 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3064 wpa_auth_set_dpp_z(sta->wpa_sm, sta->dpp_pfs ?
3065 sta->dpp_pfs->secret : NULL);
3067 #endif /* CONFIG_DPP2 */
3069 #ifdef CONFIG_IEEE80211N
3070 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) &&
3071 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) {
3072 hostapd_logger(hapd, sta->addr,
3073 HOSTAPD_MODULE_IEEE80211,
3075 "Station tried to use TKIP with HT "
3077 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY;
3079 #endif /* CONFIG_IEEE80211N */
3081 } else if (hapd->conf->osen) {
3082 if (elems.osen == NULL) {
3084 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3086 "No HS 2.0 OSEN element in association request");
3087 return WLAN_STATUS_INVALID_IE;
3090 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association");
3091 if (sta->wpa_sm == NULL)
3092 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
3094 if (sta->wpa_sm == NULL) {
3095 wpa_printf(MSG_WARNING, "Failed to initialize WPA "
3097 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3099 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm,
3100 elems.osen - 2, elems.osen_len + 2) < 0)
3101 return WLAN_STATUS_INVALID_IE;
3102 #endif /* CONFIG_HS20 */
3104 wpa_auth_sta_no_wpa(sta->wpa_sm);
3107 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len);
3108 #endif /* CONFIG_P2P */
3111 wpabuf_free(sta->hs20_ie);
3112 if (elems.hs20 && elems.hs20_len > 4) {
3115 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4,
3116 elems.hs20_len - 4);
3117 release = ((elems.hs20[4] >> 4) & 0x0f) + 1;
3118 if (release >= 2 && !wpa_auth_uses_mfp(sta->wpa_sm)) {
3119 wpa_printf(MSG_DEBUG,
3120 "HS 2.0: PMF not negotiated by release %d station "
3121 MACSTR, release, MAC2STR(sta->addr));
3122 return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
3125 sta->hs20_ie = NULL;
3128 wpabuf_free(sta->roaming_consortium);
3129 if (elems.roaming_cons_sel)
3130 sta->roaming_consortium = wpabuf_alloc_copy(
3131 elems.roaming_cons_sel + 4,
3132 elems.roaming_cons_sel_len - 4);
3134 sta->roaming_consortium = NULL;
3135 #endif /* CONFIG_HS20 */
3138 wpabuf_free(sta->mb_ies);
3139 if (hapd->iface->fst)
3140 sta->mb_ies = mb_ies_by_info(&elems.mb_ies);
3143 #endif /* CONFIG_FST */
3146 mbo_ap_check_sta_assoc(hapd, sta, &elems);
3148 if (hapd->conf->mbo_enabled && (hapd->conf->wpa & 2) &&
3149 elems.mbo && sta->cell_capa && !(sta->flags & WLAN_STA_MFP) &&
3150 hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3151 wpa_printf(MSG_INFO,
3152 "MBO: Reject WPA2 association without PMF");
3153 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3155 #endif /* CONFIG_MBO */
3157 #if defined(CONFIG_FILS) && defined(CONFIG_OCV)
3158 if (wpa_auth_uses_ocv(sta->wpa_sm) &&
3159 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3160 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3161 sta->auth_alg == WLAN_AUTH_FILS_PK)) {
3162 struct wpa_channel_info ci;
3166 if (hostapd_drv_channel_info(hapd, &ci) != 0) {
3167 wpa_printf(MSG_WARNING,
3168 "Failed to get channel info to validate received OCI in FILS (Re)Association Request frame");
3169 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3172 if (get_sta_tx_parameters(sta->wpa_sm,
3173 channel_width_to_int(ci.chanwidth),
3174 ci.seg1_idx, &tx_chanwidth,
3176 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3178 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
3179 tx_chanwidth, tx_seg1_idx) != 0) {
3180 wpa_printf(MSG_WARNING, "FILS: %s", ocv_errorstr);
3181 return WLAN_STATUS_UNSPECIFIED_FAILURE;
3184 #endif /* CONFIG_FILS && CONFIG_OCV */
3186 ap_copy_sta_supp_op_classes(sta, elems.supp_op_classes,
3187 elems.supp_op_classes_len);
3189 if ((sta->capability & WLAN_CAPABILITY_RADIO_MEASUREMENT) &&
3190 elems.rrm_enabled &&
3191 elems.rrm_enabled_len >= sizeof(sta->rrm_enabled_capa))
3192 os_memcpy(sta->rrm_enabled_capa, elems.rrm_enabled,
3193 sizeof(sta->rrm_enabled_capa));
3195 if (elems.power_capab) {
3196 sta->min_tx_power = elems.power_capab[0];
3197 sta->max_tx_power = elems.power_capab[1];
3198 sta->power_capab = 1;
3200 sta->power_capab = 0;
3203 return WLAN_STATUS_SUCCESS;
3207 static void send_deauth(struct hostapd_data *hapd, const u8 *addr,
3211 struct ieee80211_mgmt reply;
3213 os_memset(&reply, 0, sizeof(reply));
3214 reply.frame_control =
3215 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH);
3216 os_memcpy(reply.da, addr, ETH_ALEN);
3217 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN);
3218 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN);
3220 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth);
3221 reply.u.deauth.reason_code = host_to_le16(reason_code);
3223 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0)
3224 wpa_printf(MSG_INFO, "Failed to send deauth: %s",
3229 static int add_associated_sta(struct hostapd_data *hapd,
3230 struct sta_info *sta, int reassoc)
3232 struct ieee80211_ht_capabilities ht_cap;
3233 struct ieee80211_vht_capabilities vht_cap;
3237 * Remove the STA entry to ensure the STA PS state gets cleared and
3238 * configuration gets updated. This is relevant for cases, such as
3239 * FT-over-the-DS, where a station re-associates back to the same AP but
3240 * skips the authentication flow, or if working with a driver that
3241 * does not support full AP client state.
3243 * Skip this if the STA has already completed FT reassociation and the
3244 * TK has been configured since the TX/RX PN must not be reset to 0 for
3247 * FT-over-the-DS has a special case where the STA entry (and as such,
3248 * the TK) has not yet been configured to the driver depending on which
3249 * driver interface is used. For that case, allow add-STA operation to
3250 * be used (instead of set-STA). This is needed to allow mac80211-based
3251 * drivers to accept the STA parameter configuration. Since this is
3252 * after a new FT-over-DS exchange, a new TK has been derived, so key
3253 * reinstallation is not a concern for this case.
3255 wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
3256 " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
3257 MAC2STR(sta->addr), sta->added_unassoc, sta->auth_alg,
3258 sta->ft_over_ds, reassoc,
3259 !!(sta->flags & WLAN_STA_AUTHORIZED),
3260 wpa_auth_sta_ft_tk_already_set(sta->wpa_sm),
3261 wpa_auth_sta_fils_tk_already_set(sta->wpa_sm));
3263 if (!sta->added_unassoc &&
3264 (!(sta->flags & WLAN_STA_AUTHORIZED) ||
3265 (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
3266 (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
3267 !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
3268 hostapd_drv_sta_remove(hapd, sta->addr);
3269 wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
3272 /* Do not allow the FT-over-DS exception to be used more than
3273 * once per authentication exchange to guarantee a new TK is
3275 sta->ft_over_ds = 0;
3278 #ifdef CONFIG_IEEE80211N
3279 if (sta->flags & WLAN_STA_HT)
3280 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap);
3281 #endif /* CONFIG_IEEE80211N */
3282 #ifdef CONFIG_IEEE80211AC
3283 if (sta->flags & WLAN_STA_VHT)
3284 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap);
3285 #endif /* CONFIG_IEEE80211AC */
3288 * Add the station with forced WLAN_STA_ASSOC flag. The sta->flags
3289 * will be set when the ACK frame for the (Re)Association Response frame
3290 * is processed (TX status driver event).
3292 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability,
3293 sta->supported_rates, sta->supported_rates_len,
3294 sta->listen_interval,
3295 sta->flags & WLAN_STA_HT ? &ht_cap : NULL,
3296 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
3297 sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
3298 sta->vht_opmode, sta->p2p_ie ? 1 : 0,
3300 hostapd_logger(hapd, sta->addr,
3301 HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
3302 "Could not %s STA to kernel driver",
3303 set ? "set" : "add");
3305 if (sta->added_unassoc) {
3306 hostapd_drv_sta_remove(hapd, sta->addr);
3307 sta->added_unassoc = 0;
3313 sta->added_unassoc = 0;
3319 static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
3320 const u8 *addr, u16 status_code, int reassoc,
3321 const u8 *ies, size_t ies_len, int rssi)
3326 struct ieee80211_mgmt *reply;
3328 u16 res = WLAN_STATUS_SUCCESS;
3330 buflen = sizeof(struct ieee80211_mgmt) + 1024;
3332 if (sta && sta->fils_hlp_resp)
3333 buflen += wpabuf_len(sta->fils_hlp_resp);
3334 #endif /* CONFIG_FILS */
3336 if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3338 #endif /* CONFIG_OWE */
3340 if (sta && sta->dpp_pfs)
3341 buflen += 5 + sta->dpp_pfs->curve->prime_len;
3342 #endif /* CONFIG_DPP2 */
3343 buf = os_zalloc(buflen);
3345 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3348 reply = (struct ieee80211_mgmt *) buf;
3349 reply->frame_control =
3350 IEEE80211_FC(WLAN_FC_TYPE_MGMT,
3351 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP :
3352 WLAN_FC_STYPE_ASSOC_RESP));
3353 os_memcpy(reply->da, addr, ETH_ALEN);
3354 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN);
3355 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN);
3357 send_len = IEEE80211_HDRLEN;
3358 send_len += sizeof(reply->u.assoc_resp);
3359 reply->u.assoc_resp.capab_info =
3360 host_to_le16(hostapd_own_capab_info(hapd));
3361 reply->u.assoc_resp.status_code = host_to_le16(status_code);
3363 reply->u.assoc_resp.aid = host_to_le16((sta ? sta->aid : 0) |
3365 /* Supported rates */
3366 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable);
3367 /* Extended supported rates */
3368 p = hostapd_eid_ext_supp_rates(hapd, p);
3371 if (status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
3373 int delta = hapd->iconf->rssi_reject_assoc_rssi - rssi;
3375 p = hostapd_eid_mbo_rssi_assoc_rej(hapd, p, buf + buflen - p,
3378 #endif /* CONFIG_MBO */
3380 #ifdef CONFIG_IEEE80211R_AP
3381 if (sta && status_code == WLAN_STATUS_SUCCESS) {
3382 /* IEEE 802.11r: Mobility Domain Information, Fast BSS
3383 * Transition Information, RSN, [RIC Response] */
3384 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p,
3386 sta->auth_alg, ies, ies_len);
3388 wpa_printf(MSG_DEBUG,
3389 "FT: Failed to write AssocResp IEs");
3390 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3394 #endif /* CONFIG_IEEE80211R_AP */
3397 if (sta && status_code == WLAN_STATUS_SUCCESS &&
3398 (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
3399 p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
3402 #endif /* CONFIG_OWE */
3404 #ifdef CONFIG_IEEE80211W
3405 if (sta && status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
3406 p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
3407 #endif /* CONFIG_IEEE80211W */
3409 #ifdef CONFIG_IEEE80211N
3410 p = hostapd_eid_ht_capabilities(hapd, p);
3411 p = hostapd_eid_ht_operation(hapd, p);
3412 #endif /* CONFIG_IEEE80211N */
3414 #ifdef CONFIG_IEEE80211AC
3415 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) {
3416 u32 nsts = 0, sta_nsts;
3418 if (sta && hapd->conf->use_sta_nsts && sta->vht_capabilities) {
3419 struct ieee80211_vht_capabilities *capa;
3421 nsts = (hapd->iface->conf->vht_capab >>
3422 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3423 capa = sta->vht_capabilities;
3424 sta_nsts = (le_to_host32(capa->vht_capabilities_info) >>
3425 VHT_CAP_BEAMFORMEE_STS_OFFSET) & 7;
3427 if (nsts < sta_nsts)
3432 p = hostapd_eid_vht_capabilities(hapd, p, nsts);
3433 p = hostapd_eid_vht_operation(hapd, p);
3435 #endif /* CONFIG_IEEE80211AC */
3437 p = hostapd_eid_ext_capab(hapd, p);
3438 p = hostapd_eid_bss_max_idle_period(hapd, p);
3439 if (sta && sta->qos_map_enabled)
3440 p = hostapd_eid_qos_map_set(hapd, p);
3443 if (hapd->iface->fst_ies) {
3444 os_memcpy(p, wpabuf_head(hapd->iface->fst_ies),
3445 wpabuf_len(hapd->iface->fst_ies));
3446 p += wpabuf_len(hapd->iface->fst_ies);
3448 #endif /* CONFIG_FST */
3451 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
3452 sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
3453 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
3456 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3458 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3461 /* OWE Diffie-Hellman Parameter element */
3462 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3463 *p++ = 1 + 2 + wpabuf_len(pub); /* Length */
3464 *p++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension */
3465 WPA_PUT_LE16(p, sta->owe_group);
3467 os_memcpy(p, wpabuf_head(pub), wpabuf_len(pub));
3468 p += wpabuf_len(pub);
3471 #endif /* CONFIG_OWE */
3474 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) &&
3475 sta && sta->dpp_pfs && status_code == WLAN_STATUS_SUCCESS &&
3476 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_DPP) {
3477 os_memcpy(p, wpabuf_head(sta->dpp_pfs->ie),
3478 wpabuf_len(sta->dpp_pfs->ie));
3479 p += wpabuf_len(sta->dpp_pfs->ie);
3481 #endif /* CONFIG_DPP2 */
3483 #ifdef CONFIG_IEEE80211AC
3484 if (sta && hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT))
3485 p = hostapd_eid_vendor_vht(hapd, p);
3486 #endif /* CONFIG_IEEE80211AC */
3488 if (sta && (sta->flags & WLAN_STA_WMM))
3489 p = hostapd_eid_wmm(hapd, p);
3493 ((sta->flags & WLAN_STA_WPS) ||
3494 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa))) {
3495 struct wpabuf *wps = wps_build_assoc_resp_ie();
3497 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps));
3498 p += wpabuf_len(wps);
3502 #endif /* CONFIG_WPS */
3504 if (sta && (sta->flags & WLAN_STA_MULTI_AP))
3505 p = hostapd_eid_multi_ap(hapd, p);
3508 if (sta && sta->p2p_ie && hapd->p2p_group) {
3509 struct wpabuf *p2p_resp_ie;
3510 enum p2p_status_code status;
3511 switch (status_code) {
3512 case WLAN_STATUS_SUCCESS:
3513 status = P2P_SC_SUCCESS;
3515 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA:
3516 status = P2P_SC_FAIL_LIMIT_REACHED;
3519 status = P2P_SC_FAIL_INVALID_PARAMS;
3522 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status);
3524 os_memcpy(p, wpabuf_head(p2p_resp_ie),
3525 wpabuf_len(p2p_resp_ie));
3526 p += wpabuf_len(p2p_resp_ie);
3527 wpabuf_free(p2p_resp_ie);
3530 #endif /* CONFIG_P2P */
3532 #ifdef CONFIG_P2P_MANAGER
3533 if (hapd->conf->p2p & P2P_MANAGE)
3534 p = hostapd_eid_p2p_manage(hapd, p);
3535 #endif /* CONFIG_P2P_MANAGER */
3537 p = hostapd_eid_mbo(hapd, p, buf + buflen - p);
3539 if (hapd->conf->assocresp_elements &&
3540 (size_t) (buf + buflen - p) >=
3541 wpabuf_len(hapd->conf->assocresp_elements)) {
3542 os_memcpy(p, wpabuf_head(hapd->conf->assocresp_elements),
3543 wpabuf_len(hapd->conf->assocresp_elements));
3544 p += wpabuf_len(hapd->conf->assocresp_elements);
3547 send_len += p - reply->u.assoc_resp.variable;
3551 (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3552 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3553 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
3554 status_code == WLAN_STATUS_SUCCESS) {
3555 struct ieee802_11_elems elems;
3557 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
3558 ParseFailed || !elems.fils_session) {
3559 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3564 *p++ = WLAN_EID_EXTENSION; /* Element ID */
3565 *p++ = 1 + FILS_SESSION_LEN; /* Length */
3566 *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3567 os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
3568 send_len += 2 + 1 + FILS_SESSION_LEN;
3570 send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
3571 buflen, sta->fils_hlp_resp);
3573 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3577 #endif /* CONFIG_FILS */
3579 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
3580 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
3582 res = WLAN_STATUS_UNSPECIFIED_FAILURE;
3592 u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
3593 const u8 *owe_dh, u8 owe_dh_len,
3594 u8 *owe_buf, size_t owe_buf_len, u16 *reason)
3596 #ifdef CONFIG_TESTING_OPTIONS
3597 if (hapd->conf->own_ie_override) {
3598 wpa_printf(MSG_DEBUG, "OWE: Using IE override");
3599 *reason = WLAN_STATUS_SUCCESS;
3600 return wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3601 owe_buf_len, NULL, 0);
3603 #endif /* CONFIG_TESTING_OPTIONS */
3605 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) {
3606 wpa_printf(MSG_DEBUG, "OWE: Using PMKSA caching");
3607 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3608 owe_buf_len, NULL, 0);
3609 *reason = WLAN_STATUS_SUCCESS;
3613 *reason = owe_process_assoc_req(hapd, sta, owe_dh, owe_dh_len);
3614 if (*reason != WLAN_STATUS_SUCCESS)
3617 owe_buf = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, owe_buf,
3618 owe_buf_len, NULL, 0);
3620 if (sta->owe_ecdh && owe_buf) {
3623 pub = crypto_ecdh_get_pubkey(sta->owe_ecdh, 0);
3625 *reason = WLAN_STATUS_UNSPECIFIED_FAILURE;
3629 /* OWE Diffie-Hellman Parameter element */
3630 *owe_buf++ = WLAN_EID_EXTENSION; /* Element ID */
3631 *owe_buf++ = 1 + 2 + wpabuf_len(pub); /* Length */
3632 *owe_buf++ = WLAN_EID_EXT_OWE_DH_PARAM; /* Element ID Extension
3634 WPA_PUT_LE16(owe_buf, sta->owe_group);
3636 os_memcpy(owe_buf, wpabuf_head(pub), wpabuf_len(pub));
3637 owe_buf += wpabuf_len(pub);
3643 #endif /* CONFIG_OWE */
3648 void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta)
3652 wpa_printf(MSG_DEBUG, "FILS: Finish association with " MACSTR,
3653 MAC2STR(sta->addr));
3654 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
3655 if (!sta->fils_pending_assoc_req)
3657 reply_res = send_assoc_resp(hapd, sta, sta->addr, WLAN_STATUS_SUCCESS,
3658 sta->fils_pending_assoc_is_reassoc,
3659 sta->fils_pending_assoc_req,
3660 sta->fils_pending_assoc_req_len, 0);
3661 os_free(sta->fils_pending_assoc_req);
3662 sta->fils_pending_assoc_req = NULL;
3663 sta->fils_pending_assoc_req_len = 0;
3664 wpabuf_free(sta->fils_hlp_resp);
3665 sta->fils_hlp_resp = NULL;
3666 wpabuf_free(sta->hlp_dhcp_discover);
3667 sta->hlp_dhcp_discover = NULL;
3670 * Remove the station in case transmission of a success response fails.
3671 * At this point the station was already added associated to the driver.
3673 if (reply_res != WLAN_STATUS_SUCCESS)
3674 hostapd_drv_sta_remove(hapd, sta->addr);
3678 void fils_hlp_timeout(void *eloop_ctx, void *eloop_data)
3680 struct hostapd_data *hapd = eloop_ctx;
3681 struct sta_info *sta = eloop_data;
3683 wpa_printf(MSG_DEBUG,
3684 "FILS: HLP response timeout - continue with association response for "
3685 MACSTR, MAC2STR(sta->addr));
3686 if (sta->fils_drv_assoc_finish)
3687 hostapd_notify_assoc_fils_finish(hapd, sta);
3689 fils_hlp_finish_assoc(hapd, sta);
3692 #endif /* CONFIG_FILS */
3695 static void handle_assoc(struct hostapd_data *hapd,
3696 const struct ieee80211_mgmt *mgmt, size_t len,
3697 int reassoc, int rssi)
3699 u16 capab_info, listen_interval, seq_ctrl, fc;
3700 u16 resp = WLAN_STATUS_SUCCESS, reply_res;
3703 struct sta_info *sta;
3705 struct hostapd_sta_wpa_psk_short *psk = NULL;
3706 char *identity = NULL;
3707 char *radius_cui = NULL;
3709 int delay_assoc = 0;
3710 #endif /* CONFIG_FILS */
3712 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
3713 sizeof(mgmt->u.assoc_req))) {
3714 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)",
3715 reassoc, (unsigned long) len);
3719 #ifdef CONFIG_TESTING_OPTIONS
3721 if (hapd->iconf->ignore_reassoc_probability > 0.0 &&
3722 drand48() < hapd->iconf->ignore_reassoc_probability) {
3723 wpa_printf(MSG_INFO,
3724 "TESTING: ignoring reassoc request from "
3725 MACSTR, MAC2STR(mgmt->sa));
3729 if (hapd->iconf->ignore_assoc_probability > 0.0 &&
3730 drand48() < hapd->iconf->ignore_assoc_probability) {
3731 wpa_printf(MSG_INFO,
3732 "TESTING: ignoring assoc request from "
3733 MACSTR, MAC2STR(mgmt->sa));
3737 #endif /* CONFIG_TESTING_OPTIONS */
3739 fc = le_to_host16(mgmt->frame_control);
3740 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
3743 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info);
3744 listen_interval = le_to_host16(
3745 mgmt->u.reassoc_req.listen_interval);
3746 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR
3747 " capab_info=0x%02x listen_interval=%d current_ap="
3748 MACSTR " seq_ctrl=0x%x%s",
3749 MAC2STR(mgmt->sa), capab_info, listen_interval,
3750 MAC2STR(mgmt->u.reassoc_req.current_ap),
3751 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3752 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req));
3753 pos = mgmt->u.reassoc_req.variable;
3755 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
3756 listen_interval = le_to_host16(
3757 mgmt->u.assoc_req.listen_interval);
3758 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR
3759 " capab_info=0x%02x listen_interval=%d "
3761 MAC2STR(mgmt->sa), capab_info, listen_interval,
3762 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : "");
3763 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req));
3764 pos = mgmt->u.assoc_req.variable;
3767 sta = ap_get_sta(hapd, mgmt->sa);
3768 #ifdef CONFIG_IEEE80211R_AP
3769 if (sta && sta->auth_alg == WLAN_AUTH_FT &&
3770 (sta->flags & WLAN_STA_AUTH) == 0) {
3771 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
3772 "prior to authentication since it is using "
3773 "over-the-DS FT", MAC2STR(mgmt->sa));
3776 * Mark station as authenticated, to avoid adding station
3777 * entry in the driver as associated and not authenticated
3779 sta->flags |= WLAN_STA_AUTH;
3781 #endif /* CONFIG_IEEE80211R_AP */
3782 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
3783 if (hapd->iface->current_mode &&
3784 hapd->iface->current_mode->mode ==
3785 HOSTAPD_MODE_IEEE80211AD) {
3787 u32 session_timeout, acct_interim_interval;
3788 struct vlan_description vlan_id;
3790 acl_res = ieee802_11_allowed_address(
3791 hapd, mgmt->sa, (const u8 *) mgmt, len,
3792 &session_timeout, &acct_interim_interval,
3793 &vlan_id, &psk, &identity, &radius_cui, 0);
3794 if (acl_res == HOSTAPD_ACL_REJECT) {
3795 wpa_msg(hapd->msg_ctx, MSG_DEBUG,
3796 "Ignore Association Request frame from "
3797 MACSTR " due to ACL reject",
3799 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3802 if (acl_res == HOSTAPD_ACL_PENDING)
3805 /* DMG/IEEE 802.11ad does not use authentication.
3806 * Allocate sta entry upon association. */
3807 sta = ap_sta_add(hapd, mgmt->sa);
3809 hostapd_logger(hapd, mgmt->sa,
3810 HOSTAPD_MODULE_IEEE80211,
3812 "Failed to add STA");
3813 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3817 acl_res = ieee802_11_set_radius_info(
3818 hapd, sta, acl_res, session_timeout,
3819 acct_interim_interval, &vlan_id, &psk,
3820 &identity, &radius_cui);
3822 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3826 hostapd_logger(hapd, sta->addr,
3827 HOSTAPD_MODULE_IEEE80211,
3828 HOSTAPD_LEVEL_DEBUG,
3829 "Skip authentication for DMG/IEEE 802.11ad");
3830 sta->flags |= WLAN_STA_AUTH;
3831 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
3832 sta->auth_alg = WLAN_AUTH_OPEN;
3834 hostapd_logger(hapd, mgmt->sa,
3835 HOSTAPD_MODULE_IEEE80211,
3837 "Station tried to associate before authentication (aid=%d flags=0x%x)",
3838 sta ? sta->aid : -1,
3839 sta ? sta->flags : 0);
3840 send_deauth(hapd, mgmt->sa,
3841 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA);
3846 if ((fc & WLAN_FC_RETRY) &&
3847 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
3848 sta->last_seq_ctrl == seq_ctrl &&
3849 sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3850 WLAN_FC_STYPE_ASSOC_REQ)) {
3851 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3852 HOSTAPD_LEVEL_DEBUG,
3853 "Drop repeated association frame seq_ctrl=0x%x",
3857 sta->last_seq_ctrl = seq_ctrl;
3858 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
3859 WLAN_FC_STYPE_ASSOC_REQ;
3861 if (hapd->tkip_countermeasures) {
3862 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3866 if (listen_interval > hapd->conf->max_listen_interval) {
3867 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3868 HOSTAPD_LEVEL_DEBUG,
3869 "Too large Listen Interval (%d)",
3871 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE;
3876 if (hapd->conf->mbo_enabled && hapd->mbo_assoc_disallow) {
3877 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3881 if (hapd->iconf->rssi_reject_assoc_rssi && rssi &&
3882 rssi < hapd->iconf->rssi_reject_assoc_rssi &&
3883 (sta->auth_rssi == 0 ||
3884 sta->auth_rssi < hapd->iconf->rssi_reject_assoc_rssi)) {
3885 resp = WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS;
3888 #endif /* CONFIG_MBO */
3891 * sta->capability is used in check_assoc_ies() for RRM enabled
3892 * capability element.
3894 sta->capability = capab_info;
3897 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
3898 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
3899 sta->auth_alg == WLAN_AUTH_FILS_PK) {
3902 /* The end of the payload is encrypted. Need to decrypt it
3903 * before parsing. */
3905 tmp = os_memdup(pos, left);
3907 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3911 res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
3914 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
3920 #endif /* CONFIG_FILS */
3922 /* followed by SSID and Supported rates; and HT capabilities if 802.11n
3924 resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
3925 if (resp != WLAN_STATUS_SUCCESS)
3928 if (hostapd_get_aid(hapd, sta) < 0) {
3929 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
3930 HOSTAPD_LEVEL_INFO, "No room for more AIDs");
3931 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
3935 sta->listen_interval = listen_interval;
3937 if (hapd->iface->current_mode &&
3938 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G)
3939 sta->flags |= WLAN_STA_NONERP;
3940 for (i = 0; i < sta->supported_rates_len; i++) {
3941 if ((sta->supported_rates[i] & 0x7f) > 22) {
3942 sta->flags &= ~WLAN_STA_NONERP;
3946 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) {
3947 sta->nonerp_set = 1;
3948 hapd->iface->num_sta_non_erp++;
3949 if (hapd->iface->num_sta_non_erp == 1)
3950 ieee802_11_set_beacons(hapd->iface);
3953 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) &&
3954 !sta->no_short_slot_time_set) {
3955 sta->no_short_slot_time_set = 1;
3956 hapd->iface->num_sta_no_short_slot_time++;
3957 if (hapd->iface->current_mode &&
3958 hapd->iface->current_mode->mode ==
3959 HOSTAPD_MODE_IEEE80211G &&
3960 hapd->iface->num_sta_no_short_slot_time == 1)
3961 ieee802_11_set_beacons(hapd->iface);
3964 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE)
3965 sta->flags |= WLAN_STA_SHORT_PREAMBLE;
3967 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE;
3969 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) &&
3970 !sta->no_short_preamble_set) {
3971 sta->no_short_preamble_set = 1;
3972 hapd->iface->num_sta_no_short_preamble++;
3973 if (hapd->iface->current_mode &&
3974 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G
3975 && hapd->iface->num_sta_no_short_preamble == 1)
3976 ieee802_11_set_beacons(hapd->iface);
3979 #ifdef CONFIG_IEEE80211N
3980 update_ht_state(hapd, sta);
3981 #endif /* CONFIG_IEEE80211N */
3983 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
3984 HOSTAPD_LEVEL_DEBUG,
3985 "association OK (aid %d)", sta->aid);
3986 /* Station will be marked associated, after it acknowledges AssocResp
3988 sta->flags |= WLAN_STA_ASSOC_REQ_OK;
3990 #ifdef CONFIG_IEEE80211W
3991 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) {
3992 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out "
3993 "SA Query procedure", reassoc ? "re" : "");
3994 /* TODO: Send a protected Disassociate frame to the STA using
3995 * the old key and Reason Code "Previous Authentication no
3996 * longer valid". Make sure this is only sent protected since
3997 * unprotected frame would be received by the STA that is now
3998 * trying to associate.
4001 #endif /* CONFIG_IEEE80211W */
4003 /* Make sure that the previously registered inactivity timer will not
4004 * remove the STA immediately. */
4005 sta->timeout_next = STA_NULLFUNC;
4007 #ifdef CONFIG_TAXONOMY
4008 taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
4009 #endif /* CONFIG_TAXONOMY */
4011 sta->pending_wds_enable = 0;
4014 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
4015 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4016 sta->auth_alg == WLAN_AUTH_FILS_PK) {
4017 if (fils_process_hlp(hapd, sta, pos, left) > 0)
4020 #endif /* CONFIG_FILS */
4024 os_free(radius_cui);
4025 hostapd_free_psk_list(psk);
4028 * In case of a successful response, add the station to the driver.
4029 * Otherwise, the kernel may ignore Data frames before we process the
4030 * ACK frame (TX status). In case of a failure, this station will be
4033 * Note that this is not compliant with the IEEE 802.11 standard that
4034 * states that a non-AP station should transition into the
4035 * authenticated/associated state only after the station acknowledges
4036 * the (Re)Association Response frame. However, still do this as:
4038 * 1. In case the station does not acknowledge the (Re)Association
4039 * Response frame, it will be removed.
4040 * 2. Data frames will be dropped in the kernel until the station is
4041 * set into authorized state, and there are no significant known
4042 * issues with processing other non-Data Class 3 frames during this
4045 if (resp == WLAN_STATUS_SUCCESS && sta &&
4046 add_associated_sta(hapd, sta, reassoc))
4047 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
4050 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS &&
4051 eloop_is_timeout_registered(fils_hlp_timeout, hapd, sta) &&
4052 sta->fils_pending_assoc_req) {
4053 /* Do not reschedule fils_hlp_timeout in case the station
4054 * retransmits (Re)Association Request frame while waiting for
4055 * the previously started FILS HLP wait, so that the timeout can
4056 * be determined from the first pending attempt. */
4057 wpa_printf(MSG_DEBUG,
4058 "FILS: Continue waiting for HLP processing before sending (Re)Association Response frame to "
4059 MACSTR, MAC2STR(sta->addr));
4064 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4065 os_free(sta->fils_pending_assoc_req);
4066 sta->fils_pending_assoc_req = NULL;
4067 sta->fils_pending_assoc_req_len = 0;
4068 wpabuf_free(sta->fils_hlp_resp);
4069 sta->fils_hlp_resp = NULL;
4071 if (sta && delay_assoc && resp == WLAN_STATUS_SUCCESS) {
4072 sta->fils_pending_assoc_req = tmp;
4073 sta->fils_pending_assoc_req_len = left;
4074 sta->fils_pending_assoc_is_reassoc = reassoc;
4075 sta->fils_drv_assoc_finish = 0;
4076 wpa_printf(MSG_DEBUG,
4077 "FILS: Waiting for HLP processing before sending (Re)Association Response frame to "
4078 MACSTR, MAC2STR(sta->addr));
4079 eloop_cancel_timeout(fils_hlp_timeout, hapd, sta);
4080 eloop_register_timeout(0, hapd->conf->fils_hlp_wait_time * 1024,
4081 fils_hlp_timeout, hapd, sta);
4084 #endif /* CONFIG_FILS */
4086 reply_res = send_assoc_resp(hapd, sta, mgmt->sa, resp, reassoc, pos,
4091 * Remove the station in case tranmission of a success response fails
4092 * (the STA was added associated to the driver) or if the station was
4093 * previously added unassociated.
4095 if (sta && ((reply_res != WLAN_STATUS_SUCCESS &&
4096 resp == WLAN_STATUS_SUCCESS) || sta->added_unassoc)) {
4097 hostapd_drv_sta_remove(hapd, sta->addr);
4098 sta->added_unassoc = 0;
4103 static void handle_disassoc(struct hostapd_data *hapd,
4104 const struct ieee80211_mgmt *mgmt, size_t len)
4106 struct sta_info *sta;
4108 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) {
4109 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)",
4110 (unsigned long) len);
4114 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
4116 le_to_host16(mgmt->u.disassoc.reason_code));
4118 sta = ap_get_sta(hapd, mgmt->sa);
4120 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated",
4125 ap_sta_set_authorized(hapd, sta, 0);
4126 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4127 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK);
4128 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC);
4129 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4130 HOSTAPD_LEVEL_INFO, "disassociated");
4131 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4132 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4133 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA
4135 accounting_sta_stop(hapd, sta);
4136 ieee802_1x_free_station(hapd, sta);
4138 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr);
4139 ap_sta_ip6addr_del(hapd, sta);
4140 hostapd_drv_sta_remove(hapd, sta->addr);
4141 sta->added_unassoc = 0;
4143 if (sta->timeout_next == STA_NULLFUNC ||
4144 sta->timeout_next == STA_DISASSOC) {
4145 sta->timeout_next = STA_DEAUTH;
4146 eloop_cancel_timeout(ap_handle_timer, hapd, sta);
4147 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
4151 mlme_disassociate_indication(
4152 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code));
4154 /* DMG/IEEE 802.11ad does not use deauthication. Deallocate sta upon
4155 * disassociation. */
4156 if (hapd->iface->current_mode &&
4157 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211AD) {
4158 sta->flags &= ~WLAN_STA_AUTH;
4159 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4160 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4161 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4162 ap_free_sta(hapd, sta);
4167 static void handle_deauth(struct hostapd_data *hapd,
4168 const struct ieee80211_mgmt *mgmt, size_t len)
4170 struct sta_info *sta;
4172 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) {
4173 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short "
4174 "payload (len=%lu)", (unsigned long) len);
4178 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR
4180 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
4182 sta = ap_get_sta(hapd, mgmt->sa);
4184 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
4185 "to deauthenticate, but it is not authenticated",
4190 ap_sta_set_authorized(hapd, sta, 0);
4191 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ;
4192 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC |
4193 WLAN_STA_ASSOC_REQ_OK);
4194 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH);
4195 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4196 HOSTAPD_LEVEL_DEBUG, "deauthenticated");
4197 mlme_deauthenticate_indication(
4198 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code));
4199 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST;
4200 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
4201 ap_free_sta(hapd, sta);
4205 static void handle_beacon(struct hostapd_data *hapd,
4206 const struct ieee80211_mgmt *mgmt, size_t len,
4207 struct hostapd_frame_info *fi)
4209 struct ieee802_11_elems elems;
4211 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) {
4212 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)",
4213 (unsigned long) len);
4217 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable,
4218 len - (IEEE80211_HDRLEN +
4219 sizeof(mgmt->u.beacon)), &elems,
4222 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi);
4226 #ifdef CONFIG_IEEE80211W
4227 static int robust_action_frame(u8 category)
4229 return category != WLAN_ACTION_PUBLIC &&
4230 category != WLAN_ACTION_HT;
4232 #endif /* CONFIG_IEEE80211W */
4235 static int handle_action(struct hostapd_data *hapd,
4236 const struct ieee80211_mgmt *mgmt, size_t len,
4239 struct sta_info *sta;
4240 u8 *action __maybe_unused;
4242 if (len < IEEE80211_HDRLEN + 2 + 1) {
4243 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4244 HOSTAPD_LEVEL_DEBUG,
4245 "handle_action - too short payload (len=%lu)",
4246 (unsigned long) len);
4250 action = (u8 *) &mgmt->u.action.u;
4251 wpa_printf(MSG_DEBUG, "RX_ACTION category %u action %u sa " MACSTR
4252 " da " MACSTR " len %d freq %u",
4253 mgmt->u.action.category, *action,
4254 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), (int) len, freq);
4256 sta = ap_get_sta(hapd, mgmt->sa);
4258 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
4259 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
4260 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action "
4261 "frame (category=%u) from unassociated STA " MACSTR,
4262 mgmt->u.action.category, MAC2STR(mgmt->sa));
4266 #ifdef CONFIG_IEEE80211W
4267 if (sta && (sta->flags & WLAN_STA_MFP) &&
4268 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) &&
4269 robust_action_frame(mgmt->u.action.category)) {
4270 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4271 HOSTAPD_LEVEL_DEBUG,
4272 "Dropped unprotected Robust Action frame from "
4276 #endif /* CONFIG_IEEE80211W */
4279 u16 fc = le_to_host16(mgmt->frame_control);
4280 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl);
4282 if ((fc & WLAN_FC_RETRY) &&
4283 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
4284 sta->last_seq_ctrl == seq_ctrl &&
4285 sta->last_subtype == WLAN_FC_STYPE_ACTION) {
4286 hostapd_logger(hapd, sta->addr,
4287 HOSTAPD_MODULE_IEEE80211,
4288 HOSTAPD_LEVEL_DEBUG,
4289 "Drop repeated action frame seq_ctrl=0x%x",
4294 sta->last_seq_ctrl = seq_ctrl;
4295 sta->last_subtype = WLAN_FC_STYPE_ACTION;
4298 switch (mgmt->u.action.category) {
4299 #ifdef CONFIG_IEEE80211R_AP
4300 case WLAN_ACTION_FT:
4302 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
4303 len - IEEE80211_HDRLEN))
4306 #endif /* CONFIG_IEEE80211R_AP */
4307 case WLAN_ACTION_WMM:
4308 hostapd_wmm_action(hapd, mgmt, len);
4310 #ifdef CONFIG_IEEE80211W
4311 case WLAN_ACTION_SA_QUERY:
4312 ieee802_11_sa_query_action(hapd, mgmt, len);
4314 #endif /* CONFIG_IEEE80211W */
4315 #ifdef CONFIG_WNM_AP
4316 case WLAN_ACTION_WNM:
4317 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len);
4319 #endif /* CONFIG_WNM_AP */
4321 case WLAN_ACTION_FST:
4322 if (hapd->iface->fst)
4323 fst_rx_action(hapd->iface->fst, mgmt, len);
4325 wpa_printf(MSG_DEBUG,
4326 "FST: Ignore FST Action frame - no FST attached");
4328 #endif /* CONFIG_FST */
4329 case WLAN_ACTION_PUBLIC:
4330 case WLAN_ACTION_PROTECTED_DUAL:
4331 #ifdef CONFIG_IEEE80211N
4332 if (len >= IEEE80211_HDRLEN + 2 &&
4333 mgmt->u.action.u.public_action.action ==
4334 WLAN_PA_20_40_BSS_COEX) {
4335 hostapd_2040_coex_action(hapd, mgmt, len);
4338 #endif /* CONFIG_IEEE80211N */
4340 if (len >= IEEE80211_HDRLEN + 6 &&
4341 mgmt->u.action.u.vs_public_action.action ==
4342 WLAN_PA_VENDOR_SPECIFIC &&
4343 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4345 mgmt->u.action.u.vs_public_action.variable[0] ==
4347 const u8 *pos, *end;
4349 pos = mgmt->u.action.u.vs_public_action.oui;
4350 end = ((const u8 *) mgmt) + len;
4351 hostapd_dpp_rx_action(hapd, mgmt->sa, pos, end - pos,
4355 if (len >= IEEE80211_HDRLEN + 2 &&
4356 (mgmt->u.action.u.public_action.action ==
4357 WLAN_PA_GAS_INITIAL_RESP ||
4358 mgmt->u.action.u.public_action.action ==
4359 WLAN_PA_GAS_COMEBACK_RESP)) {
4360 const u8 *pos, *end;
4362 pos = &mgmt->u.action.u.public_action.action;
4363 end = ((const u8 *) mgmt) + len;
4364 gas_query_ap_rx(hapd->gas, mgmt->sa,
4365 mgmt->u.action.category,
4366 pos, end - pos, hapd->iface->freq);
4369 #endif /* CONFIG_DPP */
4370 if (hapd->public_action_cb) {
4371 hapd->public_action_cb(hapd->public_action_cb_ctx,
4375 if (hapd->public_action_cb2) {
4376 hapd->public_action_cb2(hapd->public_action_cb2_ctx,
4380 if (hapd->public_action_cb || hapd->public_action_cb2)
4383 case WLAN_ACTION_VENDOR_SPECIFIC:
4384 if (hapd->vendor_action_cb) {
4385 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx,
4387 hapd->iface->freq) == 0)
4391 case WLAN_ACTION_RADIO_MEASUREMENT:
4392 hostapd_handle_radio_measurement(hapd, (const u8 *) mgmt, len);
4396 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4397 HOSTAPD_LEVEL_DEBUG,
4398 "handle_action - unknown action category %d or invalid "
4400 mgmt->u.action.category);
4401 if (!is_multicast_ether_addr(mgmt->da) &&
4402 !(mgmt->u.action.category & 0x80) &&
4403 !is_multicast_ether_addr(mgmt->sa)) {
4404 struct ieee80211_mgmt *resp;
4407 * IEEE 802.11-REVma/D9.0 - 7.3.1.11
4408 * Return the Action frame to the source without change
4409 * except that MSB of the Category set to 1.
4411 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action "
4412 "frame back to sender");
4413 resp = os_memdup(mgmt, len);
4416 os_memcpy(resp->da, resp->sa, ETH_ALEN);
4417 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN);
4418 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN);
4419 resp->u.action.category |= 0x80;
4421 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) {
4422 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send "
4433 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames
4434 * @hapd: hostapd BSS data structure (the BSS to which the management frame was
4436 * @buf: management frame data (starting from IEEE 802.11 header)
4437 * @len: length of frame data in octets
4438 * @fi: meta data about received frame (signal level, etc.)
4440 * Process all incoming IEEE 802.11 management frames. This will be called for
4441 * each frame received from the kernel driver through wlan#ap interface. In
4442 * addition, it can be called to re-inserted pending frames (e.g., when using
4443 * external RADIUS server as an MAC ACL).
4445 int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
4446 struct hostapd_frame_info *fi)
4448 struct ieee80211_mgmt *mgmt;
4452 int ssi_signal = fi ? fi->ssi_signal : 0;
4460 freq = hapd->iface->freq;
4462 mgmt = (struct ieee80211_mgmt *) buf;
4463 fc = le_to_host16(mgmt->frame_control);
4464 stype = WLAN_FC_GET_STYPE(fc);
4466 if (stype == WLAN_FC_STYPE_BEACON) {
4467 handle_beacon(hapd, mgmt, len, fi);
4471 if (!is_broadcast_ether_addr(mgmt->bssid) &&
4473 /* Invitation responses can be sent with the peer MAC as BSSID */
4474 !((hapd->conf->p2p & P2P_GROUP_OWNER) &&
4475 stype == WLAN_FC_STYPE_ACTION) &&
4476 #endif /* CONFIG_P2P */
4478 !(hapd->conf->mesh & MESH_ENABLED) &&
4479 #endif /* CONFIG_MESH */
4480 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) {
4481 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address",
4482 MAC2STR(mgmt->bssid));
4487 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
4488 handle_probe_req(hapd, mgmt, len, ssi_signal);
4492 if ((!is_broadcast_ether_addr(mgmt->da) ||
4493 stype != WLAN_FC_STYPE_ACTION) &&
4494 os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) {
4495 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4496 HOSTAPD_LEVEL_DEBUG,
4497 "MGMT: DA=" MACSTR " not our address",
4502 if (hapd->iconf->track_sta_max_num)
4503 sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
4506 case WLAN_FC_STYPE_AUTH:
4507 wpa_printf(MSG_DEBUG, "mgmt::auth");
4508 handle_auth(hapd, mgmt, len, ssi_signal, 0);
4511 case WLAN_FC_STYPE_ASSOC_REQ:
4512 wpa_printf(MSG_DEBUG, "mgmt::assoc_req");
4513 handle_assoc(hapd, mgmt, len, 0, ssi_signal);
4516 case WLAN_FC_STYPE_REASSOC_REQ:
4517 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req");
4518 handle_assoc(hapd, mgmt, len, 1, ssi_signal);
4521 case WLAN_FC_STYPE_DISASSOC:
4522 wpa_printf(MSG_DEBUG, "mgmt::disassoc");
4523 handle_disassoc(hapd, mgmt, len);
4526 case WLAN_FC_STYPE_DEAUTH:
4527 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth");
4528 handle_deauth(hapd, mgmt, len);
4531 case WLAN_FC_STYPE_ACTION:
4532 wpa_printf(MSG_DEBUG, "mgmt::action");
4533 ret = handle_action(hapd, mgmt, len, freq);
4536 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
4537 HOSTAPD_LEVEL_DEBUG,
4538 "unknown mgmt frame subtype %d", stype);
4546 static void handle_auth_cb(struct hostapd_data *hapd,
4547 const struct ieee80211_mgmt *mgmt,
4550 u16 auth_alg, auth_transaction, status_code;
4551 struct sta_info *sta;
4553 sta = ap_get_sta(hapd, mgmt->da);
4555 wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
4561 auth_alg = le_to_host16(mgmt->u.auth.auth_alg);
4562 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction);
4563 status_code = le_to_host16(mgmt->u.auth.status_code);
4566 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4567 HOSTAPD_LEVEL_NOTICE,
4568 "did not acknowledge authentication response");
4572 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
4573 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)",
4574 (unsigned long) len);
4578 if (status_code == WLAN_STATUS_SUCCESS &&
4579 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
4580 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
4581 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4582 HOSTAPD_LEVEL_INFO, "authenticated");
4583 sta->flags |= WLAN_STA_AUTH;
4584 if (sta->added_unassoc)
4585 hostapd_set_sta_flags(hapd, sta);
4590 if (status_code != WLAN_STATUS_SUCCESS && sta->added_unassoc) {
4591 hostapd_drv_sta_remove(hapd, sta->addr);
4592 sta->added_unassoc = 0;
4597 static void hostapd_set_wds_encryption(struct hostapd_data *hapd,
4598 struct sta_info *sta,
4602 struct hostapd_ssid *ssid = &hapd->conf->ssid;
4604 if (hapd->conf->ieee802_1x || hapd->conf->wpa)
4607 for (i = 0; i < 4; i++) {
4608 if (ssid->wep.key[i] &&
4609 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i,
4610 i == ssid->wep.idx, NULL, 0,
4611 ssid->wep.key[i], ssid->wep.len[i])) {
4612 wpa_printf(MSG_WARNING,
4613 "Could not set WEP keys for WDS interface; %s",
4621 static void handle_assoc_cb(struct hostapd_data *hapd,
4622 const struct ieee80211_mgmt *mgmt,
4623 size_t len, int reassoc, int ok)
4626 struct sta_info *sta;
4629 sta = ap_get_sta(hapd, mgmt->da);
4631 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found",
4636 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
4637 sizeof(mgmt->u.assoc_resp))) {
4638 wpa_printf(MSG_INFO,
4639 "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)",
4640 reassoc, (unsigned long) len);
4641 hostapd_drv_sta_remove(hapd, sta->addr);
4646 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
4648 status = le_to_host16(mgmt->u.assoc_resp.status_code);
4651 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
4652 HOSTAPD_LEVEL_DEBUG,
4653 "did not acknowledge association response");
4654 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
4655 /* The STA is added only in case of SUCCESS */
4656 if (status == WLAN_STATUS_SUCCESS)
4657 hostapd_drv_sta_remove(hapd, sta->addr);
4662 if (status != WLAN_STATUS_SUCCESS)
4665 /* Stop previous accounting session, if one is started, and allocate
4666 * new session id for the new session. */
4667 accounting_sta_stop(hapd, sta);
4669 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
4671 "associated (aid %d)",
4674 if (sta->flags & WLAN_STA_ASSOC)
4676 sta->flags |= WLAN_STA_ASSOC;
4677 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
4678 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
4679 !hapd->conf->osen) ||
4680 sta->auth_alg == WLAN_AUTH_FILS_SK ||
4681 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4682 sta->auth_alg == WLAN_AUTH_FILS_PK ||
4683 sta->auth_alg == WLAN_AUTH_FT) {
4685 * Open, static WEP, FT protocol, or FILS; no separate
4686 * authorization step.
4688 ap_sta_set_authorized(hapd, sta, 1);
4692 mlme_reassociate_indication(hapd, sta);
4694 mlme_associate_indication(hapd, sta);
4696 #ifdef CONFIG_IEEE80211W
4697 sta->sa_query_timed_out = 0;
4698 #endif /* CONFIG_IEEE80211W */
4700 if (sta->eapol_sm == NULL) {
4702 * This STA does not use RADIUS server for EAP authentication,
4703 * so bind it to the selected VLAN interface now, since the
4704 * interface selection is not going to change anymore.
4706 if (ap_sta_bind_vlan(hapd, sta) < 0)
4708 } else if (sta->vlan_id) {
4709 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
4710 if (ap_sta_bind_vlan(hapd, sta) < 0)
4714 hostapd_set_sta_flags(hapd, sta);
4716 if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
4717 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
4718 MACSTR " based on pending request",
4719 MAC2STR(sta->addr));
4720 sta->pending_wds_enable = 0;
4721 sta->flags |= WLAN_STA_WDS;
4724 if (sta->flags & (WLAN_STA_WDS | WLAN_STA_MULTI_AP)) {
4726 char ifname_wds[IFNAMSIZ + 1];
4728 wpa_printf(MSG_DEBUG, "Reenable 4-address WDS mode for STA "
4730 MAC2STR(sta->addr), sta->aid);
4731 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr,
4734 hostapd_set_wds_encryption(hapd, sta, ifname_wds);
4737 if (sta->auth_alg == WLAN_AUTH_FT)
4738 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT);
4740 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC);
4741 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
4742 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
4745 if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
4746 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
4747 sta->auth_alg == WLAN_AUTH_FILS_PK) &&
4748 fils_set_tk(sta->wpa_sm) < 0) {
4749 wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
4750 ap_sta_disconnect(hapd, sta, sta->addr,
4751 WLAN_REASON_UNSPECIFIED);
4754 #endif /* CONFIG_FILS */
4756 if (sta->pending_eapol_rx) {
4757 struct os_reltime now, age;
4759 os_get_reltime(&now);
4760 os_reltime_sub(&now, &sta->pending_eapol_rx->rx_time, &age);
4761 if (age.sec == 0 && age.usec < 200000) {
4762 wpa_printf(MSG_DEBUG,
4763 "Process pending EAPOL frame that was received from " MACSTR " just before association notification",
4764 MAC2STR(sta->addr));
4767 wpabuf_head(sta->pending_eapol_rx->buf),
4768 wpabuf_len(sta->pending_eapol_rx->buf));
4770 wpabuf_free(sta->pending_eapol_rx->buf);
4771 os_free(sta->pending_eapol_rx);
4772 sta->pending_eapol_rx = NULL;
4777 static void handle_deauth_cb(struct hostapd_data *hapd,
4778 const struct ieee80211_mgmt *mgmt,
4781 struct sta_info *sta;
4782 if (is_multicast_ether_addr(mgmt->da))
4784 sta = ap_get_sta(hapd, mgmt->da);
4786 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR
4787 " not found", MAC2STR(mgmt->da));
4791 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth",
4792 MAC2STR(sta->addr));
4794 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4795 "deauth", MAC2STR(sta->addr));
4797 ap_sta_deauth_cb(hapd, sta);
4801 static void handle_disassoc_cb(struct hostapd_data *hapd,
4802 const struct ieee80211_mgmt *mgmt,
4805 struct sta_info *sta;
4806 if (is_multicast_ether_addr(mgmt->da))
4808 sta = ap_get_sta(hapd, mgmt->da);
4810 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR
4811 " not found", MAC2STR(mgmt->da));
4815 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc",
4816 MAC2STR(sta->addr));
4818 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge "
4819 "disassoc", MAC2STR(sta->addr));
4821 ap_sta_disassoc_cb(hapd, sta);
4825 static void handle_action_cb(struct hostapd_data *hapd,
4826 const struct ieee80211_mgmt *mgmt,
4829 struct sta_info *sta;
4830 const struct rrm_measurement_report_element *report;
4832 if (is_multicast_ether_addr(mgmt->da))
4835 if (len >= IEEE80211_HDRLEN + 6 &&
4836 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4837 mgmt->u.action.u.vs_public_action.action ==
4838 WLAN_PA_VENDOR_SPECIFIC &&
4839 WPA_GET_BE24(mgmt->u.action.u.vs_public_action.oui) ==
4841 mgmt->u.action.u.vs_public_action.variable[0] ==
4843 const u8 *pos, *end;
4845 pos = &mgmt->u.action.u.vs_public_action.variable[1];
4846 end = ((const u8 *) mgmt) + len;
4847 hostapd_dpp_tx_status(hapd, mgmt->da, pos, end - pos, ok);
4850 if (len >= IEEE80211_HDRLEN + 2 &&
4851 mgmt->u.action.category == WLAN_ACTION_PUBLIC &&
4852 (mgmt->u.action.u.public_action.action ==
4853 WLAN_PA_GAS_INITIAL_REQ ||
4854 mgmt->u.action.u.public_action.action ==
4855 WLAN_PA_GAS_COMEBACK_REQ)) {
4856 const u8 *pos, *end;
4858 pos = mgmt->u.action.u.public_action.variable;
4859 end = ((const u8 *) mgmt) + len;
4860 gas_query_ap_tx_status(hapd->gas, mgmt->da, pos, end - pos, ok);
4863 #endif /* CONFIG_DPP */
4864 sta = ap_get_sta(hapd, mgmt->da);
4866 wpa_printf(MSG_DEBUG, "handle_action_cb: STA " MACSTR
4867 " not found", MAC2STR(mgmt->da));
4871 if (len < 24 + 5 + sizeof(*report))
4873 report = (const struct rrm_measurement_report_element *)
4874 &mgmt->u.action.u.rrm.variable[2];
4875 if (mgmt->u.action.category == WLAN_ACTION_RADIO_MEASUREMENT &&
4876 mgmt->u.action.u.rrm.action == WLAN_RRM_RADIO_MEASUREMENT_REQUEST &&
4877 report->eid == WLAN_EID_MEASURE_REQUEST &&
4879 report->type == MEASURE_TYPE_BEACON)
4880 hostapd_rrm_beacon_req_tx_status(hapd, mgmt, len, ok);
4885 * ieee802_11_mgmt_cb - Process management frame TX status callback
4886 * @hapd: hostapd BSS data structure (the BSS from which the management frame
4888 * @buf: management frame data (starting from IEEE 802.11 header)
4889 * @len: length of frame data in octets
4890 * @stype: management frame subtype from frame control field
4891 * @ok: Whether the frame was ACK'ed
4893 void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len,
4896 const struct ieee80211_mgmt *mgmt;
4897 mgmt = (const struct ieee80211_mgmt *) buf;
4899 #ifdef CONFIG_TESTING_OPTIONS
4900 if (hapd->ext_mgmt_frame_handling) {
4901 size_t hex_len = 2 * len + 1;
4902 char *hex = os_malloc(hex_len);
4905 wpa_snprintf_hex(hex, hex_len, buf, len);
4906 wpa_msg(hapd->msg_ctx, MSG_INFO,
4907 "MGMT-TX-STATUS stype=%u ok=%d buf=%s",
4913 #endif /* CONFIG_TESTING_OPTIONS */
4916 case WLAN_FC_STYPE_AUTH:
4917 wpa_printf(MSG_DEBUG, "mgmt::auth cb");
4918 handle_auth_cb(hapd, mgmt, len, ok);
4920 case WLAN_FC_STYPE_ASSOC_RESP:
4921 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb");
4922 handle_assoc_cb(hapd, mgmt, len, 0, ok);
4924 case WLAN_FC_STYPE_REASSOC_RESP:
4925 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb");
4926 handle_assoc_cb(hapd, mgmt, len, 1, ok);
4928 case WLAN_FC_STYPE_PROBE_RESP:
4929 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb ok=%d", ok);
4931 case WLAN_FC_STYPE_DEAUTH:
4932 wpa_printf(MSG_DEBUG, "mgmt::deauth cb");
4933 handle_deauth_cb(hapd, mgmt, len, ok);
4935 case WLAN_FC_STYPE_DISASSOC:
4936 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb");
4937 handle_disassoc_cb(hapd, mgmt, len, ok);
4939 case WLAN_FC_STYPE_ACTION:
4940 wpa_printf(MSG_DEBUG, "mgmt::action cb ok=%d", ok);
4941 handle_action_cb(hapd, mgmt, len, ok);
4944 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype);
4950 int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
4957 int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
4958 char *buf, size_t buflen)
4965 void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
4966 const u8 *buf, size_t len, int ack)
4968 struct sta_info *sta;
4969 struct hostapd_iface *iface = hapd->iface;
4971 sta = ap_get_sta(hapd, addr);
4972 if (sta == NULL && iface->num_bss > 1) {
4974 for (j = 0; j < iface->num_bss; j++) {
4975 hapd = iface->bss[j];
4976 sta = ap_get_sta(hapd, addr);
4981 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))
4983 if (sta->flags & WLAN_STA_PENDING_POLL) {
4984 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending "
4985 "activity poll", MAC2STR(sta->addr),
4986 ack ? "ACKed" : "did not ACK");
4988 sta->flags &= ~WLAN_STA_PENDING_POLL;
4991 ieee802_1x_tx_status(hapd, sta, buf, len, ack);
4995 void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
4996 const u8 *data, size_t len, int ack)
4998 struct sta_info *sta;
4999 struct hostapd_iface *iface = hapd->iface;
5001 sta = ap_get_sta(hapd, dst);
5002 if (sta == NULL && iface->num_bss > 1) {
5004 for (j = 0; j < iface->num_bss; j++) {
5005 hapd = iface->bss[j];
5006 sta = ap_get_sta(hapd, dst);
5011 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) {
5012 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA "
5013 MACSTR " that is not currently associated",
5018 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack);
5022 void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr)
5024 struct sta_info *sta;
5025 struct hostapd_iface *iface = hapd->iface;
5027 sta = ap_get_sta(hapd, addr);
5028 if (sta == NULL && iface->num_bss > 1) {
5030 for (j = 0; j < iface->num_bss; j++) {
5031 hapd = iface->bss[j];
5032 sta = ap_get_sta(hapd, addr);
5039 wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POLL_OK MACSTR,
5040 MAC2STR(sta->addr));
5041 if (!(sta->flags & WLAN_STA_PENDING_POLL))
5044 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending "
5045 "activity poll", MAC2STR(sta->addr));
5046 sta->flags &= ~WLAN_STA_PENDING_POLL;
5050 void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src,
5053 struct sta_info *sta;
5055 sta = ap_get_sta(hapd, src);
5057 ((sta->flags & WLAN_STA_ASSOC) ||
5058 ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
5059 if (!hapd->conf->wds_sta)
5062 if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
5063 WLAN_STA_ASSOC_REQ_OK) {
5064 wpa_printf(MSG_DEBUG,
5065 "Postpone 4-address WDS mode enabling for STA "
5066 MACSTR " since TX status for AssocResp is not yet known",
5067 MAC2STR(sta->addr));
5068 sta->pending_wds_enable = 1;
5072 if (wds && !(sta->flags & WLAN_STA_WDS)) {
5074 char ifname_wds[IFNAMSIZ + 1];
5076 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
5077 "STA " MACSTR " (aid %u)",
5078 MAC2STR(sta->addr), sta->aid);
5079 sta->flags |= WLAN_STA_WDS;
5080 ret = hostapd_set_wds_sta(hapd, ifname_wds,
5081 sta->addr, sta->aid, 1);
5083 hostapd_set_wds_encryption(hapd, sta,
5089 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA "
5090 MACSTR, MAC2STR(src));
5091 if (is_multicast_ether_addr(src)) {
5092 /* Broadcast bit set in SA?! Ignore the frame silently. */
5096 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) {
5097 wpa_printf(MSG_DEBUG, "Association Response to the STA has "
5098 "already been sent, but no TX status yet known - "
5099 "ignore Class 3 frame issue with " MACSTR,
5104 if (sta && (sta->flags & WLAN_STA_AUTH))
5105 hostapd_drv_sta_disassoc(
5107 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5109 hostapd_drv_sta_deauth(
5111 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
5115 #endif /* CONFIG_NATIVE_WINDOWS */