1/* 2 * hostapd / IEEE 802.11 Management 3 * Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#ifndef CONFIG_NATIVE_WINDOWS 12 13#include "utils/common.h" 14#include "utils/eloop.h" 15#include "crypto/crypto.h" 16#include "crypto/sha256.h" 17#include "crypto/random.h" 18#include "common/ieee802_11_defs.h" 19#include "common/ieee802_11_common.h" 20#include "common/wpa_ctrl.h" 21#include "common/sae.h" 22#include "radius/radius.h" 23#include "radius/radius_client.h" 24#include "p2p/p2p.h" 25#include "wps/wps.h" 26#include "hostapd.h" 27#include "beacon.h" 28#include "ieee802_11_auth.h" 29#include "sta_info.h" 30#include "ieee802_1x.h" 31#include "wpa_auth.h" 32#include "pmksa_cache_auth.h" 33#include "wmm.h" 34#include "ap_list.h" 35#include "accounting.h" 36#include "ap_config.h" 37#include "ap_mlme.h" 38#include "p2p_hostapd.h" 39#include "ap_drv_ops.h" 40#include "wnm_ap.h" 41#include "ieee802_11.h" 42#include "dfs.h" 43 44 45u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 46{ 47 u8 *pos = eid; 48 int i, num, count; 49 50 if (hapd->iface->current_rates == NULL) 51 return eid; 52 53 *pos++ = WLAN_EID_SUPP_RATES; 54 num = hapd->iface->num_rates; 55 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 56 num++; 57 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 58 num++; 59 if (num > 8) { 60 /* rest of the rates are encoded in Extended supported 61 * rates element */ 62 num = 8; 63 } 64 65 *pos++ = num; 66 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num; 67 i++) { 68 count++; 69 *pos = hapd->iface->current_rates[i].rate / 5; 70 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 71 *pos |= 0x80; 72 pos++; 73 } 74 75 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && count < 8) { 76 count++; 77 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 78 } 79 80 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && count < 8) { 81 count++; 82 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 83 } 84 85 return pos; 86} 87 88 89u8 * hostapd_eid_ext_supp_rates(struct hostapd_data *hapd, u8 *eid) 90{ 91 u8 *pos = eid; 92 int i, num, count; 93 94 if (hapd->iface->current_rates == NULL) 95 return eid; 96 97 num = hapd->iface->num_rates; 98 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) 99 num++; 100 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) 101 num++; 102 if (num <= 8) 103 return eid; 104 num -= 8; 105 106 *pos++ = WLAN_EID_EXT_SUPP_RATES; 107 *pos++ = num; 108 for (i = 0, count = 0; i < hapd->iface->num_rates && count < num + 8; 109 i++) { 110 count++; 111 if (count <= 8) 112 continue; /* already in SuppRates IE */ 113 *pos = hapd->iface->current_rates[i].rate / 5; 114 if (hapd->iface->current_rates[i].flags & HOSTAPD_RATE_BASIC) 115 *pos |= 0x80; 116 pos++; 117 } 118 119 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht) { 120 count++; 121 if (count > 8) 122 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY; 123 } 124 125 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht) { 126 count++; 127 if (count > 8) 128 *pos++ = 0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY; 129 } 130 131 return pos; 132} 133 134 135u16 hostapd_own_capab_info(struct hostapd_data *hapd) 136{ 137 int capab = WLAN_CAPABILITY_ESS; 138 int privacy; 139 int dfs; 140 141 /* Check if any of configured channels require DFS */ 142 dfs = hostapd_is_dfs_required(hapd->iface); 143 if (dfs < 0) { 144 wpa_printf(MSG_WARNING, "Failed to check if DFS is required; ret=%d", 145 dfs); 146 dfs = 0; 147 } 148 149 if (hapd->iface->num_sta_no_short_preamble == 0 && 150 hapd->iconf->preamble == SHORT_PREAMBLE) 151 capab |= WLAN_CAPABILITY_SHORT_PREAMBLE; 152 153 privacy = hapd->conf->ssid.wep.keys_set; 154 155 if (hapd->conf->ieee802_1x && 156 (hapd->conf->default_wep_key_len || 157 hapd->conf->individual_wep_key_len)) 158 privacy = 1; 159 160 if (hapd->conf->wpa) 161 privacy = 1; 162 163#ifdef CONFIG_HS20 164 if (hapd->conf->osen) 165 privacy = 1; 166#endif /* CONFIG_HS20 */ 167 168 if (privacy) 169 capab |= WLAN_CAPABILITY_PRIVACY; 170 171 if (hapd->iface->current_mode && 172 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G && 173 hapd->iface->num_sta_no_short_slot_time == 0) 174 capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME; 175 176 /* 177 * Currently, Spectrum Management capability bit is set when directly 178 * requested in configuration by spectrum_mgmt_required or when AP is 179 * running on DFS channel. 180 * TODO: Also consider driver support for TPC to set Spectrum Mgmt bit 181 */ 182 if (hapd->iface->current_mode && 183 hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && 184 (hapd->iconf->spectrum_mgmt_required || dfs)) 185 capab |= WLAN_CAPABILITY_SPECTRUM_MGMT; 186 187 if (hapd->conf->radio_measurements) 188 capab |= IEEE80211_CAP_RRM; 189 190 return capab; 191} 192 193 194static u16 auth_shared_key(struct hostapd_data *hapd, struct sta_info *sta, 195 u16 auth_transaction, const u8 *challenge, 196 int iswep) 197{ 198 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 199 HOSTAPD_LEVEL_DEBUG, 200 "authentication (shared key, transaction %d)", 201 auth_transaction); 202 203 if (auth_transaction == 1) { 204 if (!sta->challenge) { 205 /* Generate a pseudo-random challenge */ 206 u8 key[8]; 207 struct os_time now; 208 int r; 209 sta->challenge = os_zalloc(WLAN_AUTH_CHALLENGE_LEN); 210 if (sta->challenge == NULL) 211 return WLAN_STATUS_UNSPECIFIED_FAILURE; 212 213 os_get_time(&now); 214 r = os_random(); 215 os_memcpy(key, &now.sec, 4); 216 os_memcpy(key + 4, &r, 4); 217 rc4_skip(key, sizeof(key), 0, 218 sta->challenge, WLAN_AUTH_CHALLENGE_LEN); 219 } 220 return 0; 221 } 222 223 if (auth_transaction != 3) 224 return WLAN_STATUS_UNSPECIFIED_FAILURE; 225 226 /* Transaction 3 */ 227 if (!iswep || !sta->challenge || !challenge || 228 os_memcmp_const(sta->challenge, challenge, 229 WLAN_AUTH_CHALLENGE_LEN)) { 230 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 231 HOSTAPD_LEVEL_INFO, 232 "shared key authentication - invalid " 233 "challenge-response"); 234 return WLAN_STATUS_CHALLENGE_FAIL; 235 } 236 237 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 238 HOSTAPD_LEVEL_DEBUG, 239 "authentication OK (shared key)"); 240 sta->flags |= WLAN_STA_AUTH; 241 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 242 os_free(sta->challenge); 243 sta->challenge = NULL; 244 245 return 0; 246} 247 248 249static void send_auth_reply(struct hostapd_data *hapd, 250 const u8 *dst, const u8 *bssid, 251 u16 auth_alg, u16 auth_transaction, u16 resp, 252 const u8 *ies, size_t ies_len) 253{ 254 struct ieee80211_mgmt *reply; 255 u8 *buf; 256 size_t rlen; 257 258 rlen = IEEE80211_HDRLEN + sizeof(reply->u.auth) + ies_len; 259 buf = os_zalloc(rlen); 260 if (buf == NULL) 261 return; 262 263 reply = (struct ieee80211_mgmt *) buf; 264 reply->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT, 265 WLAN_FC_STYPE_AUTH); 266 os_memcpy(reply->da, dst, ETH_ALEN); 267 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 268 os_memcpy(reply->bssid, bssid, ETH_ALEN); 269 270 reply->u.auth.auth_alg = host_to_le16(auth_alg); 271 reply->u.auth.auth_transaction = host_to_le16(auth_transaction); 272 reply->u.auth.status_code = host_to_le16(resp); 273 274 if (ies && ies_len) 275 os_memcpy(reply->u.auth.variable, ies, ies_len); 276 277 wpa_printf(MSG_DEBUG, "authentication reply: STA=" MACSTR 278 " auth_alg=%d auth_transaction=%d resp=%d (IE len=%lu)", 279 MAC2STR(dst), auth_alg, auth_transaction, 280 resp, (unsigned long) ies_len); 281 if (hostapd_drv_send_mlme(hapd, reply, rlen, 0) < 0) 282 wpa_printf(MSG_INFO, "send_auth_reply: send"); 283 284 os_free(buf); 285} 286 287 288#ifdef CONFIG_IEEE80211R 289static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid, 290 u16 auth_transaction, u16 status, 291 const u8 *ies, size_t ies_len) 292{ 293 struct hostapd_data *hapd = ctx; 294 struct sta_info *sta; 295 296 send_auth_reply(hapd, dst, bssid, WLAN_AUTH_FT, auth_transaction, 297 status, ies, ies_len); 298 299 if (status != WLAN_STATUS_SUCCESS) 300 return; 301 302 sta = ap_get_sta(hapd, dst); 303 if (sta == NULL) 304 return; 305 306 hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, 307 HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); 308 sta->flags |= WLAN_STA_AUTH; 309 mlme_authenticate_indication(hapd, sta); 310} 311#endif /* CONFIG_IEEE80211R */ 312 313 314#ifdef CONFIG_SAE 315 316#define dot11RSNASAERetransPeriod 40 /* msec */ 317#define dot11RSNASAESync 5 /* attempts */ 318 319 320static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd, 321 struct sta_info *sta, int update) 322{ 323 struct wpabuf *buf; 324 325 if (hapd->conf->ssid.wpa_passphrase == NULL) { 326 wpa_printf(MSG_DEBUG, "SAE: No password available"); 327 return NULL; 328 } 329 330 if (update && 331 sae_prepare_commit(hapd->own_addr, sta->addr, 332 (u8 *) hapd->conf->ssid.wpa_passphrase, 333 os_strlen(hapd->conf->ssid.wpa_passphrase), 334 sta->sae) < 0) { 335 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 336 return NULL; 337 } 338 339 buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN); 340 if (buf == NULL) 341 return NULL; 342 sae_write_commit(sta->sae, buf, sta->sae->tmp ? 343 sta->sae->tmp->anti_clogging_token : NULL); 344 345 return buf; 346} 347 348 349static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd, 350 struct sta_info *sta) 351{ 352 struct wpabuf *buf; 353 354 buf = wpabuf_alloc(SAE_CONFIRM_MAX_LEN); 355 if (buf == NULL) 356 return NULL; 357 358 sae_write_confirm(sta->sae, buf); 359 360 return buf; 361} 362 363 364static int auth_sae_send_commit(struct hostapd_data *hapd, 365 struct sta_info *sta, 366 const u8 *bssid, int update) 367{ 368 struct wpabuf *data; 369 370 data = auth_build_sae_commit(hapd, sta, update); 371 if (data == NULL) 372 return WLAN_STATUS_UNSPECIFIED_FAILURE; 373 374 send_auth_reply(hapd, sta->addr, bssid, 375 WLAN_AUTH_SAE, 1, WLAN_STATUS_SUCCESS, 376 wpabuf_head(data), wpabuf_len(data)); 377 378 wpabuf_free(data); 379 380 return WLAN_STATUS_SUCCESS; 381} 382 383 384static int auth_sae_send_confirm(struct hostapd_data *hapd, 385 struct sta_info *sta, 386 const u8 *bssid) 387{ 388 struct wpabuf *data; 389 390 data = auth_build_sae_confirm(hapd, sta); 391 if (data == NULL) 392 return WLAN_STATUS_UNSPECIFIED_FAILURE; 393 394 send_auth_reply(hapd, sta->addr, bssid, 395 WLAN_AUTH_SAE, 2, WLAN_STATUS_SUCCESS, 396 wpabuf_head(data), wpabuf_len(data)); 397 398 wpabuf_free(data); 399 400 return WLAN_STATUS_SUCCESS; 401} 402 403 404static int use_sae_anti_clogging(struct hostapd_data *hapd) 405{ 406 struct sta_info *sta; 407 unsigned int open = 0; 408 409 if (hapd->conf->sae_anti_clogging_threshold == 0) 410 return 1; 411 412 for (sta = hapd->sta_list; sta; sta = sta->next) { 413 if (!sta->sae) 414 continue; 415 if (sta->sae->state != SAE_COMMITTED && 416 sta->sae->state != SAE_CONFIRMED) 417 continue; 418 open++; 419 if (open >= hapd->conf->sae_anti_clogging_threshold) 420 return 1; 421 } 422 423 return 0; 424} 425 426 427static int check_sae_token(struct hostapd_data *hapd, const u8 *addr, 428 const u8 *token, size_t token_len) 429{ 430 u8 mac[SHA256_MAC_LEN]; 431 432 if (token_len != SHA256_MAC_LEN) 433 return -1; 434 if (hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 435 addr, ETH_ALEN, mac) < 0 || 436 os_memcmp_const(token, mac, SHA256_MAC_LEN) != 0) 437 return -1; 438 439 return 0; 440} 441 442 443static struct wpabuf * auth_build_token_req(struct hostapd_data *hapd, 444 int group, const u8 *addr) 445{ 446 struct wpabuf *buf; 447 u8 *token; 448 struct os_reltime now; 449 450 os_get_reltime(&now); 451 if (!os_reltime_initialized(&hapd->last_sae_token_key_update) || 452 os_reltime_expired(&now, &hapd->last_sae_token_key_update, 60)) { 453 if (random_get_bytes(hapd->sae_token_key, 454 sizeof(hapd->sae_token_key)) < 0) 455 return NULL; 456 wpa_hexdump(MSG_DEBUG, "SAE: Updated token key", 457 hapd->sae_token_key, sizeof(hapd->sae_token_key)); 458 hapd->last_sae_token_key_update = now; 459 } 460 461 buf = wpabuf_alloc(sizeof(le16) + SHA256_MAC_LEN); 462 if (buf == NULL) 463 return NULL; 464 465 wpabuf_put_le16(buf, group); /* Finite Cyclic Group */ 466 467 token = wpabuf_put(buf, SHA256_MAC_LEN); 468 hmac_sha256(hapd->sae_token_key, sizeof(hapd->sae_token_key), 469 addr, ETH_ALEN, token); 470 471 return buf; 472} 473 474 475static int sae_check_big_sync(struct sta_info *sta) 476{ 477 if (sta->sae->sync > dot11RSNASAESync) { 478 sta->sae->state = SAE_NOTHING; 479 sta->sae->sync = 0; 480 return -1; 481 } 482 return 0; 483} 484 485 486static void auth_sae_retransmit_timer(void *eloop_ctx, void *eloop_data) 487{ 488 struct hostapd_data *hapd = eloop_ctx; 489 struct sta_info *sta = eloop_data; 490 int ret; 491 492 if (sae_check_big_sync(sta)) 493 return; 494 sta->sae->sync++; 495 496 switch (sta->sae->state) { 497 case SAE_COMMITTED: 498 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 499 eloop_register_timeout(0, dot11RSNASAERetransPeriod * 1000, 500 auth_sae_retransmit_timer, hapd, sta); 501 break; 502 case SAE_CONFIRMED: 503 ret = auth_sae_send_confirm(hapd, sta, hapd->own_addr); 504 eloop_register_timeout(0, dot11RSNASAERetransPeriod * 1000, 505 auth_sae_retransmit_timer, hapd, sta); 506 break; 507 default: 508 ret = -1; 509 break; 510 } 511 512 if (ret != WLAN_STATUS_SUCCESS) 513 wpa_printf(MSG_INFO, "SAE: Failed to retransmit: ret=%d", ret); 514} 515 516 517void sae_clear_retransmit_timer(struct hostapd_data *hapd, struct sta_info *sta) 518{ 519 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 520} 521 522 523static void sae_set_retransmit_timer(struct hostapd_data *hapd, 524 struct sta_info *sta) 525{ 526 if (!(hapd->conf->mesh & MESH_ENABLED)) 527 return; 528 529 eloop_cancel_timeout(auth_sae_retransmit_timer, hapd, sta); 530 eloop_register_timeout(0, dot11RSNASAERetransPeriod * 1000, 531 auth_sae_retransmit_timer, hapd, sta); 532} 533 534 535static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta, 536 const u8 *bssid, u8 auth_transaction) 537{ 538 int ret; 539 540 if (auth_transaction != 1 && auth_transaction != 2) 541 return WLAN_STATUS_UNSPECIFIED_FAILURE; 542 543 switch (sta->sae->state) { 544 case SAE_NOTHING: 545 if (auth_transaction == 1) { 546 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 547 if (ret) 548 return ret; 549 sta->sae->state = SAE_COMMITTED; 550 551 if (sae_process_commit(sta->sae) < 0) 552 return WLAN_STATUS_UNSPECIFIED_FAILURE; 553 554 /* 555 * In mesh case, both Commit and Confirm can be sent 556 * immediately. In infrastructure BSS, only a single 557 * Authentication frame (Commit) is expected from the AP 558 * here and the second one (Confirm) will be sent once 559 * the STA has sent its second Authentication frame 560 * (Confirm). 561 */ 562 if (hapd->conf->mesh & MESH_ENABLED) { 563 /* 564 * Send both Commit and Confirm immediately 565 * based on SAE finite state machine 566 * Nothing -> Confirm transition. 567 */ 568 ret = auth_sae_send_confirm(hapd, sta, bssid); 569 if (ret) 570 return ret; 571 sta->sae->state = SAE_CONFIRMED; 572 } else { 573 /* 574 * For infrastructure BSS, send only the Commit 575 * message now to get alternating sequence of 576 * Authentication frames between the AP and STA. 577 * Confirm will be sent in 578 * Commited -> Confirmed/Accepted transition 579 * when receiving Confirm from STA. 580 */ 581 } 582 sta->sae->sync = 0; 583 sae_set_retransmit_timer(hapd, sta); 584 } else { 585 hostapd_logger(hapd, sta->addr, 586 HOSTAPD_MODULE_IEEE80211, 587 HOSTAPD_LEVEL_DEBUG, 588 "SAE confirm before commit"); 589 } 590 break; 591 case SAE_COMMITTED: 592 sae_clear_retransmit_timer(hapd, sta); 593 if (auth_transaction == 1) { 594 if (sae_process_commit(sta->sae) < 0) 595 return WLAN_STATUS_UNSPECIFIED_FAILURE; 596 597 ret = auth_sae_send_confirm(hapd, sta, bssid); 598 if (ret) 599 return ret; 600 sta->sae->state = SAE_CONFIRMED; 601 sta->sae->sync = 0; 602 sae_set_retransmit_timer(hapd, sta); 603 } else if (hapd->conf->mesh & MESH_ENABLED) { 604 /* 605 * In mesh case, follow SAE finite state machine and 606 * send Commit now, if sync count allows. 607 */ 608 if (sae_check_big_sync(sta)) 609 return WLAN_STATUS_SUCCESS; 610 sta->sae->sync++; 611 612 ret = auth_sae_send_commit(hapd, sta, bssid, 0); 613 if (ret) 614 return ret; 615 616 sae_set_retransmit_timer(hapd, sta); 617 } else { 618 /* 619 * For instructure BSS, send the postponed Confirm from 620 * Nothing -> Confirmed transition that was reduced to 621 * Nothing -> Committed above. 622 */ 623 ret = auth_sae_send_confirm(hapd, sta, bssid); 624 if (ret) 625 return ret; 626 627 sta->sae->state = SAE_CONFIRMED; 628 629 /* 630 * Since this was triggered on Confirm RX, run another 631 * step to get to Accepted without waiting for 632 * additional events. 633 */ 634 return sae_sm_step(hapd, sta, bssid, auth_transaction); 635 } 636 break; 637 case SAE_CONFIRMED: 638 sae_clear_retransmit_timer(hapd, sta); 639 if (auth_transaction == 1) { 640 if (sae_check_big_sync(sta)) 641 return WLAN_STATUS_SUCCESS; 642 sta->sae->sync++; 643 644 ret = auth_sae_send_commit(hapd, sta, bssid, 1); 645 if (ret) 646 return ret; 647 648 if (sae_process_commit(sta->sae) < 0) 649 return WLAN_STATUS_UNSPECIFIED_FAILURE; 650 651 ret = auth_sae_send_confirm(hapd, sta, bssid); 652 if (ret) 653 return ret; 654 655 sae_set_retransmit_timer(hapd, sta); 656 } else { 657 sta->flags |= WLAN_STA_AUTH; 658 sta->auth_alg = WLAN_AUTH_SAE; 659 mlme_authenticate_indication(hapd, sta); 660 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 661 sta->sae->state = SAE_ACCEPTED; 662 wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, 663 sta->sae->pmk); 664 } 665 break; 666 case SAE_ACCEPTED: 667 if (auth_transaction == 1) { 668 wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR 669 ") doing reauthentication", 670 MAC2STR(sta->addr)); 671 ap_free_sta(hapd, sta); 672 } else { 673 if (sae_check_big_sync(sta)) 674 return WLAN_STATUS_SUCCESS; 675 sta->sae->sync++; 676 677 ret = auth_sae_send_confirm(hapd, sta, bssid); 678 sae_clear_temp_data(sta->sae); 679 if (ret) 680 return ret; 681 } 682 break; 683 default: 684 wpa_printf(MSG_ERROR, "SAE: invalid state %d", 685 sta->sae->state); 686 return WLAN_STATUS_UNSPECIFIED_FAILURE; 687 } 688 return WLAN_STATUS_SUCCESS; 689} 690 691 692static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, 693 const struct ieee80211_mgmt *mgmt, size_t len, 694 u16 auth_transaction, u16 status_code) 695{ 696 u16 resp = WLAN_STATUS_SUCCESS; 697 struct wpabuf *data = NULL; 698 699 if (!sta->sae) { 700 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) 701 return; 702 sta->sae = os_zalloc(sizeof(*sta->sae)); 703 if (sta->sae == NULL) 704 return; 705 sta->sae->state = SAE_NOTHING; 706 sta->sae->sync = 0; 707 } 708 709 if (auth_transaction == 1) { 710 const u8 *token = NULL, *pos, *end; 711 size_t token_len = 0; 712 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 713 HOSTAPD_LEVEL_DEBUG, 714 "start SAE authentication (RX commit, status=%u)", 715 status_code); 716 717 if ((hapd->conf->mesh & MESH_ENABLED) && 718 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 719 sta->sae->tmp) { 720 pos = mgmt->u.auth.variable; 721 end = ((const u8 *) mgmt) + len; 722 if (pos + sizeof(le16) > end) { 723 wpa_printf(MSG_ERROR, 724 "SAE: Too short anti-clogging token request"); 725 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 726 goto reply; 727 } 728 resp = sae_group_allowed(sta->sae, 729 hapd->conf->sae_groups, 730 WPA_GET_LE16(pos)); 731 if (resp != WLAN_STATUS_SUCCESS) { 732 wpa_printf(MSG_ERROR, 733 "SAE: Invalid group in anti-clogging token request"); 734 goto reply; 735 } 736 pos += sizeof(le16); 737 738 wpabuf_free(sta->sae->tmp->anti_clogging_token); 739 sta->sae->tmp->anti_clogging_token = 740 wpabuf_alloc_copy(pos, end - pos); 741 if (sta->sae->tmp->anti_clogging_token == NULL) { 742 wpa_printf(MSG_ERROR, 743 "SAE: Failed to alloc for anti-clogging token"); 744 return; 745 } 746 747 /* 748 * IEEE Std 802.11-2012, 11.3.8.6.4: If the Status code 749 * is 76, a new Commit Message shall be constructed 750 * with the Anti-Clogging Token from the received 751 * Authentication frame, and the commit-scalar and 752 * COMMIT-ELEMENT previously sent. 753 */ 754 if (auth_sae_send_commit(hapd, sta, mgmt->bssid, 0)) { 755 wpa_printf(MSG_ERROR, 756 "SAE: Failed to send commit message"); 757 return; 758 } 759 sta->sae->state = SAE_COMMITTED; 760 sta->sae->sync = 0; 761 sae_set_retransmit_timer(hapd, sta); 762 return; 763 } 764 765 if (status_code != WLAN_STATUS_SUCCESS) 766 return; 767 768 resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable, 769 ((const u8 *) mgmt) + len - 770 mgmt->u.auth.variable, &token, 771 &token_len, hapd->conf->sae_groups); 772 if (resp == SAE_SILENTLY_DISCARD) { 773 wpa_printf(MSG_DEBUG, 774 "SAE: Drop commit message from " MACSTR " due to reflection attack", 775 MAC2STR(sta->addr)); 776 return; 777 } 778 if (token && check_sae_token(hapd, sta->addr, token, token_len) 779 < 0) { 780 wpa_printf(MSG_DEBUG, "SAE: Drop commit message with " 781 "incorrect token from " MACSTR, 782 MAC2STR(sta->addr)); 783 return; 784 } 785 786 if (resp != WLAN_STATUS_SUCCESS) 787 goto reply; 788 789 if (!token && use_sae_anti_clogging(hapd)) { 790 wpa_printf(MSG_DEBUG, 791 "SAE: Request anti-clogging token from " 792 MACSTR, MAC2STR(sta->addr)); 793 data = auth_build_token_req(hapd, sta->sae->group, 794 sta->addr); 795 resp = WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ; 796 if (hapd->conf->mesh & MESH_ENABLED) 797 sta->sae->state = SAE_NOTHING; 798 goto reply; 799 } 800 801 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 802 } else if (auth_transaction == 2) { 803 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 804 HOSTAPD_LEVEL_DEBUG, 805 "SAE authentication (RX confirm, status=%u)", 806 status_code); 807 if (status_code != WLAN_STATUS_SUCCESS) 808 return; 809 if (sta->sae->state >= SAE_CONFIRMED || 810 !(hapd->conf->mesh & MESH_ENABLED)) { 811 if (sae_check_confirm(sta->sae, mgmt->u.auth.variable, 812 ((u8 *) mgmt) + len - 813 mgmt->u.auth.variable) < 0) { 814 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 815 goto reply; 816 } 817 } 818 resp = sae_sm_step(hapd, sta, mgmt->bssid, auth_transaction); 819 } else { 820 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 821 HOSTAPD_LEVEL_DEBUG, 822 "unexpected SAE authentication transaction %u (status=%u)", 823 auth_transaction, status_code); 824 if (status_code != WLAN_STATUS_SUCCESS) 825 return; 826 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 827 } 828 829reply: 830 if (resp != WLAN_STATUS_SUCCESS) { 831 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, 832 auth_transaction, resp, 833 data ? wpabuf_head(data) : (u8 *) "", 834 data ? wpabuf_len(data) : 0); 835 } 836 wpabuf_free(data); 837} 838 839 840/** 841 * auth_sae_init_committed - Send COMMIT and start SAE in committed state 842 * @hapd: BSS data for the device initiating the authentication 843 * @sta: the peer to which commit authentication frame is sent 844 * 845 * This function implements Init event handling (IEEE Std 802.11-2012, 846 * 11.3.8.6.3) in which initial COMMIT message is sent. Prior to calling, the 847 * sta->sae structure should be initialized appropriately via a call to 848 * sae_prepare_commit(). 849 */ 850int auth_sae_init_committed(struct hostapd_data *hapd, struct sta_info *sta) 851{ 852 int ret; 853 854 if (!sta->sae || !sta->sae->tmp) 855 return -1; 856 857 if (sta->sae->state != SAE_NOTHING) 858 return -1; 859 860 ret = auth_sae_send_commit(hapd, sta, hapd->own_addr, 0); 861 if (ret) 862 return -1; 863 864 sta->sae->state = SAE_COMMITTED; 865 sta->sae->sync = 0; 866 sae_set_retransmit_timer(hapd, sta); 867 868 return 0; 869} 870 871#endif /* CONFIG_SAE */ 872 873 874static void handle_auth(struct hostapd_data *hapd, 875 const struct ieee80211_mgmt *mgmt, size_t len) 876{ 877 u16 auth_alg, auth_transaction, status_code; 878 u16 resp = WLAN_STATUS_SUCCESS; 879 struct sta_info *sta = NULL; 880 int res; 881 u16 fc; 882 const u8 *challenge = NULL; 883 u32 session_timeout, acct_interim_interval; 884 int vlan_id = 0; 885 struct hostapd_sta_wpa_psk_short *psk = NULL; 886 u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN]; 887 size_t resp_ies_len = 0; 888 char *identity = NULL; 889 char *radius_cui = NULL; 890 u16 seq_ctrl; 891 892 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 893 wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", 894 (unsigned long) len); 895 return; 896 } 897 898#ifdef CONFIG_TESTING_OPTIONS 899 if (hapd->iconf->ignore_auth_probability > 0.0 && 900 drand48() < hapd->iconf->ignore_auth_probability) { 901 wpa_printf(MSG_INFO, 902 "TESTING: ignoring auth frame from " MACSTR, 903 MAC2STR(mgmt->sa)); 904 return; 905 } 906#endif /* CONFIG_TESTING_OPTIONS */ 907 908 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 909 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 910 status_code = le_to_host16(mgmt->u.auth.status_code); 911 fc = le_to_host16(mgmt->frame_control); 912 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 913 914 if (len >= IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 915 2 + WLAN_AUTH_CHALLENGE_LEN && 916 mgmt->u.auth.variable[0] == WLAN_EID_CHALLENGE && 917 mgmt->u.auth.variable[1] == WLAN_AUTH_CHALLENGE_LEN) 918 challenge = &mgmt->u.auth.variable[2]; 919 920 wpa_printf(MSG_DEBUG, "authentication: STA=" MACSTR " auth_alg=%d " 921 "auth_transaction=%d status_code=%d wep=%d%s " 922 "seq_ctrl=0x%x%s", 923 MAC2STR(mgmt->sa), auth_alg, auth_transaction, 924 status_code, !!(fc & WLAN_FC_ISWEP), 925 challenge ? " challenge" : "", 926 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 927 928 if (hapd->tkip_countermeasures) { 929 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 930 goto fail; 931 } 932 933 if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) && 934 auth_alg == WLAN_AUTH_OPEN) || 935#ifdef CONFIG_IEEE80211R 936 (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 937 auth_alg == WLAN_AUTH_FT) || 938#endif /* CONFIG_IEEE80211R */ 939#ifdef CONFIG_SAE 940 (hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) && 941 auth_alg == WLAN_AUTH_SAE) || 942#endif /* CONFIG_SAE */ 943 ((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) && 944 auth_alg == WLAN_AUTH_SHARED_KEY))) { 945 wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)", 946 auth_alg); 947 resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 948 goto fail; 949 } 950 951 if (!(auth_transaction == 1 || auth_alg == WLAN_AUTH_SAE || 952 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 3))) { 953 wpa_printf(MSG_INFO, "Unknown authentication transaction number (%d)", 954 auth_transaction); 955 resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION; 956 goto fail; 957 } 958 959 if (os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { 960 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 961 MAC2STR(mgmt->sa)); 962 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 963 goto fail; 964 } 965 966 res = hostapd_allowed_address(hapd, mgmt->sa, (u8 *) mgmt, len, 967 &session_timeout, 968 &acct_interim_interval, &vlan_id, 969 &psk, &identity, &radius_cui); 970 971 if (res == HOSTAPD_ACL_REJECT) { 972 wpa_printf(MSG_INFO, "Station " MACSTR " not allowed to authenticate", 973 MAC2STR(mgmt->sa)); 974 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 975 goto fail; 976 } 977 if (res == HOSTAPD_ACL_PENDING) { 978 wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR 979 " waiting for an external authentication", 980 MAC2STR(mgmt->sa)); 981 /* Authentication code will re-send the authentication frame 982 * after it has received (and cached) information from the 983 * external source. */ 984 return; 985 } 986 987 sta = ap_get_sta(hapd, mgmt->sa); 988 if (sta) { 989 if ((fc & WLAN_FC_RETRY) && 990 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 991 sta->last_seq_ctrl == seq_ctrl && 992 sta->last_subtype == WLAN_FC_STYPE_AUTH) { 993 hostapd_logger(hapd, sta->addr, 994 HOSTAPD_MODULE_IEEE80211, 995 HOSTAPD_LEVEL_DEBUG, 996 "Drop repeated authentication frame seq_ctrl=0x%x", 997 seq_ctrl); 998 return; 999 } 1000 } else { 1001#ifdef CONFIG_MESH 1002 if (hapd->conf->mesh & MESH_ENABLED) { 1003 /* if the mesh peer is not available, we don't do auth. 1004 */ 1005 wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR 1006 " not yet known - drop Authentiation frame", 1007 MAC2STR(mgmt->sa)); 1008 /* 1009 * Save a copy of the frame so that it can be processed 1010 * if a new peer entry is added shortly after this. 1011 */ 1012 wpabuf_free(hapd->mesh_pending_auth); 1013 hapd->mesh_pending_auth = wpabuf_alloc_copy(mgmt, len); 1014 os_get_reltime(&hapd->mesh_pending_auth_time); 1015 return; 1016 } 1017#endif /* CONFIG_MESH */ 1018 1019 sta = ap_sta_add(hapd, mgmt->sa); 1020 if (!sta) { 1021 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1022 goto fail; 1023 } 1024 } 1025 sta->last_seq_ctrl = seq_ctrl; 1026 sta->last_subtype = WLAN_FC_STYPE_AUTH; 1027 1028 if (vlan_id > 0) { 1029 if (!hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) { 1030 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1031 HOSTAPD_LEVEL_INFO, "Invalid VLAN ID " 1032 "%d received from RADIUS server", 1033 vlan_id); 1034 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1035 goto fail; 1036 } 1037 sta->vlan_id = vlan_id; 1038 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, 1039 HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); 1040 } 1041 1042 hostapd_free_psk_list(sta->psk); 1043 if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) { 1044 sta->psk = psk; 1045 psk = NULL; 1046 } else { 1047 sta->psk = NULL; 1048 } 1049 1050 sta->identity = identity; 1051 identity = NULL; 1052 sta->radius_cui = radius_cui; 1053 radius_cui = NULL; 1054 1055 sta->flags &= ~WLAN_STA_PREAUTH; 1056 ieee802_1x_notify_pre_auth(sta->eapol_sm, 0); 1057 1058 if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) 1059 sta->acct_interim_interval = acct_interim_interval; 1060 if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) 1061 ap_sta_session_timeout(hapd, sta, session_timeout); 1062 else 1063 ap_sta_no_session_timeout(hapd, sta); 1064 1065 switch (auth_alg) { 1066 case WLAN_AUTH_OPEN: 1067 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1068 HOSTAPD_LEVEL_DEBUG, 1069 "authentication OK (open system)"); 1070 sta->flags |= WLAN_STA_AUTH; 1071 wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH); 1072 sta->auth_alg = WLAN_AUTH_OPEN; 1073 mlme_authenticate_indication(hapd, sta); 1074 break; 1075 case WLAN_AUTH_SHARED_KEY: 1076 resp = auth_shared_key(hapd, sta, auth_transaction, challenge, 1077 fc & WLAN_FC_ISWEP); 1078 sta->auth_alg = WLAN_AUTH_SHARED_KEY; 1079 mlme_authenticate_indication(hapd, sta); 1080 if (sta->challenge && auth_transaction == 1) { 1081 resp_ies[0] = WLAN_EID_CHALLENGE; 1082 resp_ies[1] = WLAN_AUTH_CHALLENGE_LEN; 1083 os_memcpy(resp_ies + 2, sta->challenge, 1084 WLAN_AUTH_CHALLENGE_LEN); 1085 resp_ies_len = 2 + WLAN_AUTH_CHALLENGE_LEN; 1086 } 1087 break; 1088#ifdef CONFIG_IEEE80211R 1089 case WLAN_AUTH_FT: 1090 sta->auth_alg = WLAN_AUTH_FT; 1091 if (sta->wpa_sm == NULL) 1092 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 1093 sta->addr, NULL); 1094 if (sta->wpa_sm == NULL) { 1095 wpa_printf(MSG_DEBUG, "FT: Failed to initialize WPA " 1096 "state machine"); 1097 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1098 goto fail; 1099 } 1100 wpa_ft_process_auth(sta->wpa_sm, mgmt->bssid, 1101 auth_transaction, mgmt->u.auth.variable, 1102 len - IEEE80211_HDRLEN - 1103 sizeof(mgmt->u.auth), 1104 handle_auth_ft_finish, hapd); 1105 /* handle_auth_ft_finish() callback will complete auth. */ 1106 return; 1107#endif /* CONFIG_IEEE80211R */ 1108#ifdef CONFIG_SAE 1109 case WLAN_AUTH_SAE: 1110#ifdef CONFIG_MESH 1111 if (status_code == WLAN_STATUS_SUCCESS && 1112 hapd->conf->mesh & MESH_ENABLED) { 1113 if (sta->wpa_sm == NULL) 1114 sta->wpa_sm = 1115 wpa_auth_sta_init(hapd->wpa_auth, 1116 sta->addr, NULL); 1117 if (sta->wpa_sm == NULL) { 1118 wpa_printf(MSG_DEBUG, 1119 "SAE: Failed to initialize WPA state machine"); 1120 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1121 goto fail; 1122 } 1123 } 1124#endif /* CONFIG_MESH */ 1125 handle_auth_sae(hapd, sta, mgmt, len, auth_transaction, 1126 status_code); 1127 return; 1128#endif /* CONFIG_SAE */ 1129 } 1130 1131 fail: 1132 os_free(identity); 1133 os_free(radius_cui); 1134 hostapd_free_psk_list(psk); 1135 1136 send_auth_reply(hapd, mgmt->sa, mgmt->bssid, auth_alg, 1137 auth_transaction + 1, resp, resp_ies, resp_ies_len); 1138} 1139 1140 1141static int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta) 1142{ 1143 int i, j = 32, aid; 1144 1145 /* get a unique AID */ 1146 if (sta->aid > 0) { 1147 wpa_printf(MSG_DEBUG, " old AID %d", sta->aid); 1148 return 0; 1149 } 1150 1151 for (i = 0; i < AID_WORDS; i++) { 1152 if (hapd->sta_aid[i] == (u32) -1) 1153 continue; 1154 for (j = 0; j < 32; j++) { 1155 if (!(hapd->sta_aid[i] & BIT(j))) 1156 break; 1157 } 1158 if (j < 32) 1159 break; 1160 } 1161 if (j == 32) 1162 return -1; 1163 aid = i * 32 + j + 1; 1164 if (aid > 2007) 1165 return -1; 1166 1167 sta->aid = aid; 1168 hapd->sta_aid[i] |= BIT(j); 1169 wpa_printf(MSG_DEBUG, " new AID %d", sta->aid); 1170 return 0; 1171} 1172 1173 1174static u16 check_ssid(struct hostapd_data *hapd, struct sta_info *sta, 1175 const u8 *ssid_ie, size_t ssid_ie_len) 1176{ 1177 if (ssid_ie == NULL) 1178 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1179 1180 if (ssid_ie_len != hapd->conf->ssid.ssid_len || 1181 os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 1182 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1183 HOSTAPD_LEVEL_INFO, 1184 "Station tried to associate with unknown SSID " 1185 "'%s'", wpa_ssid_txt(ssid_ie, ssid_ie_len)); 1186 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1187 } 1188 1189 return WLAN_STATUS_SUCCESS; 1190} 1191 1192 1193static u16 check_wmm(struct hostapd_data *hapd, struct sta_info *sta, 1194 const u8 *wmm_ie, size_t wmm_ie_len) 1195{ 1196 sta->flags &= ~WLAN_STA_WMM; 1197 sta->qosinfo = 0; 1198 if (wmm_ie && hapd->conf->wmm_enabled) { 1199 struct wmm_information_element *wmm; 1200 1201 if (!hostapd_eid_wmm_valid(hapd, wmm_ie, wmm_ie_len)) { 1202 hostapd_logger(hapd, sta->addr, 1203 HOSTAPD_MODULE_WPA, 1204 HOSTAPD_LEVEL_DEBUG, 1205 "invalid WMM element in association " 1206 "request"); 1207 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1208 } 1209 1210 sta->flags |= WLAN_STA_WMM; 1211 wmm = (struct wmm_information_element *) wmm_ie; 1212 sta->qosinfo = wmm->qos_info; 1213 } 1214 return WLAN_STATUS_SUCCESS; 1215} 1216 1217 1218static u16 copy_supp_rates(struct hostapd_data *hapd, struct sta_info *sta, 1219 struct ieee802_11_elems *elems) 1220{ 1221 if (!elems->supp_rates) { 1222 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1223 HOSTAPD_LEVEL_DEBUG, 1224 "No supported rates element in AssocReq"); 1225 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1226 } 1227 1228 if (elems->supp_rates_len + elems->ext_supp_rates_len > 1229 sizeof(sta->supported_rates)) { 1230 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1231 HOSTAPD_LEVEL_DEBUG, 1232 "Invalid supported rates element length %d+%d", 1233 elems->supp_rates_len, 1234 elems->ext_supp_rates_len); 1235 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1236 } 1237 1238 sta->supported_rates_len = merge_byte_arrays( 1239 sta->supported_rates, sizeof(sta->supported_rates), 1240 elems->supp_rates, elems->supp_rates_len, 1241 elems->ext_supp_rates, elems->ext_supp_rates_len); 1242 1243 return WLAN_STATUS_SUCCESS; 1244} 1245 1246 1247static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta, 1248 const u8 *ext_capab_ie, size_t ext_capab_ie_len) 1249{ 1250#ifdef CONFIG_INTERWORKING 1251 /* check for QoS Map support */ 1252 if (ext_capab_ie_len >= 5) { 1253 if (ext_capab_ie[4] & 0x01) 1254 sta->qos_map_enabled = 1; 1255 } 1256#endif /* CONFIG_INTERWORKING */ 1257 1258 return WLAN_STATUS_SUCCESS; 1259} 1260 1261 1262static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta, 1263 const u8 *ies, size_t ies_len, int reassoc) 1264{ 1265 struct ieee802_11_elems elems; 1266 u16 resp; 1267 const u8 *wpa_ie; 1268 size_t wpa_ie_len; 1269 const u8 *p2p_dev_addr = NULL; 1270 1271 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 1272 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1273 HOSTAPD_LEVEL_INFO, "Station sent an invalid " 1274 "association request"); 1275 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1276 } 1277 1278 resp = check_ssid(hapd, sta, elems.ssid, elems.ssid_len); 1279 if (resp != WLAN_STATUS_SUCCESS) 1280 return resp; 1281 resp = check_wmm(hapd, sta, elems.wmm, elems.wmm_len); 1282 if (resp != WLAN_STATUS_SUCCESS) 1283 return resp; 1284 resp = check_ext_capab(hapd, sta, elems.ext_capab, elems.ext_capab_len); 1285 if (resp != WLAN_STATUS_SUCCESS) 1286 return resp; 1287 resp = copy_supp_rates(hapd, sta, &elems); 1288 if (resp != WLAN_STATUS_SUCCESS) 1289 return resp; 1290#ifdef CONFIG_IEEE80211N 1291 resp = copy_sta_ht_capab(hapd, sta, elems.ht_capabilities); 1292 if (resp != WLAN_STATUS_SUCCESS) 1293 return resp; 1294 if (hapd->iconf->ieee80211n && hapd->iconf->require_ht && 1295 !(sta->flags & WLAN_STA_HT)) { 1296 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1297 HOSTAPD_LEVEL_INFO, "Station does not support " 1298 "mandatory HT PHY - reject association"); 1299 return WLAN_STATUS_ASSOC_DENIED_NO_HT; 1300 } 1301#endif /* CONFIG_IEEE80211N */ 1302 1303#ifdef CONFIG_IEEE80211AC 1304 resp = copy_sta_vht_capab(hapd, sta, elems.vht_capabilities); 1305 if (resp != WLAN_STATUS_SUCCESS) 1306 return resp; 1307 1308 resp = set_sta_vht_opmode(hapd, sta, elems.vht_opmode_notif); 1309 if (resp != WLAN_STATUS_SUCCESS) 1310 return resp; 1311 1312 if (hapd->iconf->ieee80211ac && hapd->iconf->require_vht && 1313 !(sta->flags & WLAN_STA_VHT)) { 1314 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1315 HOSTAPD_LEVEL_INFO, "Station does not support " 1316 "mandatory VHT PHY - reject association"); 1317 return WLAN_STATUS_ASSOC_DENIED_NO_VHT; 1318 } 1319 1320 if (hapd->conf->vendor_vht && !elems.vht_capabilities) { 1321 resp = copy_sta_vendor_vht(hapd, sta, elems.vendor_vht, 1322 elems.vendor_vht_len); 1323 if (resp != WLAN_STATUS_SUCCESS) 1324 return resp; 1325 } 1326#endif /* CONFIG_IEEE80211AC */ 1327 1328#ifdef CONFIG_P2P 1329 if (elems.p2p) { 1330 wpabuf_free(sta->p2p_ie); 1331 sta->p2p_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1332 P2P_IE_VENDOR_TYPE); 1333 if (sta->p2p_ie) 1334 p2p_dev_addr = p2p_get_go_dev_addr(sta->p2p_ie); 1335 } else { 1336 wpabuf_free(sta->p2p_ie); 1337 sta->p2p_ie = NULL; 1338 } 1339#endif /* CONFIG_P2P */ 1340 1341 if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems.rsn_ie) { 1342 wpa_ie = elems.rsn_ie; 1343 wpa_ie_len = elems.rsn_ie_len; 1344 } else if ((hapd->conf->wpa & WPA_PROTO_WPA) && 1345 elems.wpa_ie) { 1346 wpa_ie = elems.wpa_ie; 1347 wpa_ie_len = elems.wpa_ie_len; 1348 } else { 1349 wpa_ie = NULL; 1350 wpa_ie_len = 0; 1351 } 1352 1353#ifdef CONFIG_WPS 1354 sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); 1355 if (hapd->conf->wps_state && elems.wps_ie) { 1356 wpa_printf(MSG_DEBUG, "STA included WPS IE in (Re)Association " 1357 "Request - assume WPS is used"); 1358 sta->flags |= WLAN_STA_WPS; 1359 wpabuf_free(sta->wps_ie); 1360 sta->wps_ie = ieee802_11_vendor_ie_concat(ies, ies_len, 1361 WPS_IE_VENDOR_TYPE); 1362 if (sta->wps_ie && wps_is_20(sta->wps_ie)) { 1363 wpa_printf(MSG_DEBUG, "WPS: STA supports WPS 2.0"); 1364 sta->flags |= WLAN_STA_WPS2; 1365 } 1366 wpa_ie = NULL; 1367 wpa_ie_len = 0; 1368 if (sta->wps_ie && wps_validate_assoc_req(sta->wps_ie) < 0) { 1369 wpa_printf(MSG_DEBUG, "WPS: Invalid WPS IE in " 1370 "(Re)Association Request - reject"); 1371 return WLAN_STATUS_INVALID_IE; 1372 } 1373 } else if (hapd->conf->wps_state && wpa_ie == NULL) { 1374 wpa_printf(MSG_DEBUG, "STA did not include WPA/RSN IE in " 1375 "(Re)Association Request - possible WPS use"); 1376 sta->flags |= WLAN_STA_MAYBE_WPS; 1377 } else 1378#endif /* CONFIG_WPS */ 1379 if (hapd->conf->wpa && wpa_ie == NULL) { 1380 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1381 HOSTAPD_LEVEL_INFO, 1382 "No WPA/RSN IE in association request"); 1383 return WLAN_STATUS_INVALID_IE; 1384 } 1385 1386 if (hapd->conf->wpa && wpa_ie) { 1387 int res; 1388 wpa_ie -= 2; 1389 wpa_ie_len += 2; 1390 if (sta->wpa_sm == NULL) 1391 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 1392 sta->addr, 1393 p2p_dev_addr); 1394 if (sta->wpa_sm == NULL) { 1395 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 1396 "state machine"); 1397 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1398 } 1399 res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm, 1400 wpa_ie, wpa_ie_len, 1401 elems.mdie, elems.mdie_len); 1402 if (res == WPA_INVALID_GROUP) 1403 resp = WLAN_STATUS_GROUP_CIPHER_NOT_VALID; 1404 else if (res == WPA_INVALID_PAIRWISE) 1405 resp = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID; 1406 else if (res == WPA_INVALID_AKMP) 1407 resp = WLAN_STATUS_AKMP_NOT_VALID; 1408 else if (res == WPA_ALLOC_FAIL) 1409 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; 1410#ifdef CONFIG_IEEE80211W 1411 else if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION) 1412 resp = WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 1413 else if (res == WPA_INVALID_MGMT_GROUP_CIPHER) 1414 resp = WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION; 1415#endif /* CONFIG_IEEE80211W */ 1416 else if (res == WPA_INVALID_MDIE) 1417 resp = WLAN_STATUS_INVALID_MDIE; 1418 else if (res != WPA_IE_OK) 1419 resp = WLAN_STATUS_INVALID_IE; 1420 if (resp != WLAN_STATUS_SUCCESS) 1421 return resp; 1422#ifdef CONFIG_IEEE80211W 1423 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 1424 sta->sa_query_count > 0) 1425 ap_check_sa_query_timeout(hapd, sta); 1426 if ((sta->flags & WLAN_STA_MFP) && !sta->sa_query_timed_out && 1427 (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) { 1428 /* 1429 * STA has already been associated with MFP and SA 1430 * Query timeout has not been reached. Reject the 1431 * association attempt temporarily and start SA Query, 1432 * if one is not pending. 1433 */ 1434 1435 if (sta->sa_query_count == 0) 1436 ap_sta_start_sa_query(hapd, sta); 1437 1438 return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY; 1439 } 1440 1441 if (wpa_auth_uses_mfp(sta->wpa_sm)) 1442 sta->flags |= WLAN_STA_MFP; 1443 else 1444 sta->flags &= ~WLAN_STA_MFP; 1445#endif /* CONFIG_IEEE80211W */ 1446 1447#ifdef CONFIG_IEEE80211R 1448 if (sta->auth_alg == WLAN_AUTH_FT) { 1449 if (!reassoc) { 1450 wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried " 1451 "to use association (not " 1452 "re-association) with FT auth_alg", 1453 MAC2STR(sta->addr)); 1454 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1455 } 1456 1457 resp = wpa_ft_validate_reassoc(sta->wpa_sm, ies, 1458 ies_len); 1459 if (resp != WLAN_STATUS_SUCCESS) 1460 return resp; 1461 } 1462#endif /* CONFIG_IEEE80211R */ 1463 1464#ifdef CONFIG_SAE 1465 if (wpa_auth_uses_sae(sta->wpa_sm) && 1466 sta->auth_alg == WLAN_AUTH_OPEN) { 1467 struct rsn_pmksa_cache_entry *sa; 1468 sa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1469 if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) { 1470 wpa_printf(MSG_DEBUG, 1471 "SAE: No PMKSA cache entry found for " 1472 MACSTR, MAC2STR(sta->addr)); 1473 return WLAN_STATUS_INVALID_PMKID; 1474 } 1475 wpa_printf(MSG_DEBUG, "SAE: " MACSTR 1476 " using PMKSA caching", MAC2STR(sta->addr)); 1477 } else if (wpa_auth_uses_sae(sta->wpa_sm) && 1478 sta->auth_alg != WLAN_AUTH_SAE && 1479 !(sta->auth_alg == WLAN_AUTH_FT && 1480 wpa_auth_uses_ft_sae(sta->wpa_sm))) { 1481 wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use " 1482 "SAE AKM after non-SAE auth_alg %u", 1483 MAC2STR(sta->addr), sta->auth_alg); 1484 return WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG; 1485 } 1486#endif /* CONFIG_SAE */ 1487 1488#ifdef CONFIG_IEEE80211N 1489 if ((sta->flags & (WLAN_STA_HT | WLAN_STA_VHT)) && 1490 wpa_auth_get_pairwise(sta->wpa_sm) == WPA_CIPHER_TKIP) { 1491 hostapd_logger(hapd, sta->addr, 1492 HOSTAPD_MODULE_IEEE80211, 1493 HOSTAPD_LEVEL_INFO, 1494 "Station tried to use TKIP with HT " 1495 "association"); 1496 return WLAN_STATUS_CIPHER_REJECTED_PER_POLICY; 1497 } 1498#endif /* CONFIG_IEEE80211N */ 1499#ifdef CONFIG_HS20 1500 } else if (hapd->conf->osen) { 1501 if (elems.osen == NULL) { 1502 hostapd_logger( 1503 hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1504 HOSTAPD_LEVEL_INFO, 1505 "No HS 2.0 OSEN element in association request"); 1506 return WLAN_STATUS_INVALID_IE; 1507 } 1508 1509 wpa_printf(MSG_DEBUG, "HS 2.0: OSEN association"); 1510 if (sta->wpa_sm == NULL) 1511 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 1512 sta->addr, NULL); 1513 if (sta->wpa_sm == NULL) { 1514 wpa_printf(MSG_WARNING, "Failed to initialize WPA " 1515 "state machine"); 1516 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1517 } 1518 if (wpa_validate_osen(hapd->wpa_auth, sta->wpa_sm, 1519 elems.osen - 2, elems.osen_len + 2) < 0) 1520 return WLAN_STATUS_INVALID_IE; 1521#endif /* CONFIG_HS20 */ 1522 } else 1523 wpa_auth_sta_no_wpa(sta->wpa_sm); 1524 1525#ifdef CONFIG_P2P 1526 p2p_group_notif_assoc(hapd->p2p_group, sta->addr, ies, ies_len); 1527#endif /* CONFIG_P2P */ 1528 1529#ifdef CONFIG_HS20 1530 wpabuf_free(sta->hs20_ie); 1531 if (elems.hs20 && elems.hs20_len > 4) { 1532 sta->hs20_ie = wpabuf_alloc_copy(elems.hs20 + 4, 1533 elems.hs20_len - 4); 1534 } else 1535 sta->hs20_ie = NULL; 1536#endif /* CONFIG_HS20 */ 1537 1538 return WLAN_STATUS_SUCCESS; 1539} 1540 1541 1542static void send_deauth(struct hostapd_data *hapd, const u8 *addr, 1543 u16 reason_code) 1544{ 1545 int send_len; 1546 struct ieee80211_mgmt reply; 1547 1548 os_memset(&reply, 0, sizeof(reply)); 1549 reply.frame_control = 1550 IEEE80211_FC(WLAN_FC_TYPE_MGMT, WLAN_FC_STYPE_DEAUTH); 1551 os_memcpy(reply.da, addr, ETH_ALEN); 1552 os_memcpy(reply.sa, hapd->own_addr, ETH_ALEN); 1553 os_memcpy(reply.bssid, hapd->own_addr, ETH_ALEN); 1554 1555 send_len = IEEE80211_HDRLEN + sizeof(reply.u.deauth); 1556 reply.u.deauth.reason_code = host_to_le16(reason_code); 1557 1558 if (hostapd_drv_send_mlme(hapd, &reply, send_len, 0) < 0) 1559 wpa_printf(MSG_INFO, "Failed to send deauth: %s", 1560 strerror(errno)); 1561} 1562 1563 1564static void send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta, 1565 u16 status_code, int reassoc, const u8 *ies, 1566 size_t ies_len) 1567{ 1568 int send_len; 1569 u8 buf[sizeof(struct ieee80211_mgmt) + 1024]; 1570 struct ieee80211_mgmt *reply; 1571 u8 *p; 1572 1573 os_memset(buf, 0, sizeof(buf)); 1574 reply = (struct ieee80211_mgmt *) buf; 1575 reply->frame_control = 1576 IEEE80211_FC(WLAN_FC_TYPE_MGMT, 1577 (reassoc ? WLAN_FC_STYPE_REASSOC_RESP : 1578 WLAN_FC_STYPE_ASSOC_RESP)); 1579 os_memcpy(reply->da, sta->addr, ETH_ALEN); 1580 os_memcpy(reply->sa, hapd->own_addr, ETH_ALEN); 1581 os_memcpy(reply->bssid, hapd->own_addr, ETH_ALEN); 1582 1583 send_len = IEEE80211_HDRLEN; 1584 send_len += sizeof(reply->u.assoc_resp); 1585 reply->u.assoc_resp.capab_info = 1586 host_to_le16(hostapd_own_capab_info(hapd)); 1587 reply->u.assoc_resp.status_code = host_to_le16(status_code); 1588 reply->u.assoc_resp.aid = host_to_le16(sta->aid | BIT(14) | BIT(15)); 1589 /* Supported rates */ 1590 p = hostapd_eid_supp_rates(hapd, reply->u.assoc_resp.variable); 1591 /* Extended supported rates */ 1592 p = hostapd_eid_ext_supp_rates(hapd, p); 1593 1594#ifdef CONFIG_IEEE80211R 1595 if (status_code == WLAN_STATUS_SUCCESS) { 1596 /* IEEE 802.11r: Mobility Domain Information, Fast BSS 1597 * Transition Information, RSN, [RIC Response] */ 1598 p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, p, 1599 buf + sizeof(buf) - p, 1600 sta->auth_alg, ies, ies_len); 1601 } 1602#endif /* CONFIG_IEEE80211R */ 1603 1604#ifdef CONFIG_IEEE80211W 1605 if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) 1606 p = hostapd_eid_assoc_comeback_time(hapd, sta, p); 1607#endif /* CONFIG_IEEE80211W */ 1608 1609#ifdef CONFIG_IEEE80211N 1610 p = hostapd_eid_ht_capabilities(hapd, p); 1611 p = hostapd_eid_ht_operation(hapd, p); 1612#endif /* CONFIG_IEEE80211N */ 1613 1614#ifdef CONFIG_IEEE80211AC 1615 if (hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac) { 1616 p = hostapd_eid_vht_capabilities(hapd, p); 1617 p = hostapd_eid_vht_operation(hapd, p); 1618 } 1619#endif /* CONFIG_IEEE80211AC */ 1620 1621 p = hostapd_eid_ext_capab(hapd, p); 1622 p = hostapd_eid_bss_max_idle_period(hapd, p); 1623 if (sta->qos_map_enabled) 1624 p = hostapd_eid_qos_map_set(hapd, p); 1625 1626#ifdef CONFIG_IEEE80211AC 1627 if (hapd->conf->vendor_vht && (sta->flags & WLAN_STA_VENDOR_VHT)) 1628 p = hostapd_eid_vendor_vht(hapd, p); 1629#endif /* CONFIG_IEEE80211AC */ 1630 1631 if (sta->flags & WLAN_STA_WMM) 1632 p = hostapd_eid_wmm(hapd, p); 1633 1634#ifdef CONFIG_WPS 1635 if ((sta->flags & WLAN_STA_WPS) || 1636 ((sta->flags & WLAN_STA_MAYBE_WPS) && hapd->conf->wpa)) { 1637 struct wpabuf *wps = wps_build_assoc_resp_ie(); 1638 if (wps) { 1639 os_memcpy(p, wpabuf_head(wps), wpabuf_len(wps)); 1640 p += wpabuf_len(wps); 1641 wpabuf_free(wps); 1642 } 1643 } 1644#endif /* CONFIG_WPS */ 1645 1646#ifdef CONFIG_P2P 1647 if (sta->p2p_ie) { 1648 struct wpabuf *p2p_resp_ie; 1649 enum p2p_status_code status; 1650 switch (status_code) { 1651 case WLAN_STATUS_SUCCESS: 1652 status = P2P_SC_SUCCESS; 1653 break; 1654 case WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA: 1655 status = P2P_SC_FAIL_LIMIT_REACHED; 1656 break; 1657 default: 1658 status = P2P_SC_FAIL_INVALID_PARAMS; 1659 break; 1660 } 1661 p2p_resp_ie = p2p_group_assoc_resp_ie(hapd->p2p_group, status); 1662 if (p2p_resp_ie) { 1663 os_memcpy(p, wpabuf_head(p2p_resp_ie), 1664 wpabuf_len(p2p_resp_ie)); 1665 p += wpabuf_len(p2p_resp_ie); 1666 wpabuf_free(p2p_resp_ie); 1667 } 1668 } 1669#endif /* CONFIG_P2P */ 1670 1671#ifdef CONFIG_P2P_MANAGER 1672 if (hapd->conf->p2p & P2P_MANAGE) 1673 p = hostapd_eid_p2p_manage(hapd, p); 1674#endif /* CONFIG_P2P_MANAGER */ 1675 1676 send_len += p - reply->u.assoc_resp.variable; 1677 1678 if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) 1679 wpa_printf(MSG_INFO, "Failed to send assoc resp: %s", 1680 strerror(errno)); 1681} 1682 1683 1684static void handle_assoc(struct hostapd_data *hapd, 1685 const struct ieee80211_mgmt *mgmt, size_t len, 1686 int reassoc) 1687{ 1688 u16 capab_info, listen_interval, seq_ctrl, fc; 1689 u16 resp = WLAN_STATUS_SUCCESS; 1690 const u8 *pos; 1691 int left, i; 1692 struct sta_info *sta; 1693 1694 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : 1695 sizeof(mgmt->u.assoc_req))) { 1696 wpa_printf(MSG_INFO, "handle_assoc(reassoc=%d) - too short payload (len=%lu)", 1697 reassoc, (unsigned long) len); 1698 return; 1699 } 1700 1701#ifdef CONFIG_TESTING_OPTIONS 1702 if (reassoc) { 1703 if (hapd->iconf->ignore_reassoc_probability > 0.0 && 1704 drand48() < hapd->iconf->ignore_reassoc_probability) { 1705 wpa_printf(MSG_INFO, 1706 "TESTING: ignoring reassoc request from " 1707 MACSTR, MAC2STR(mgmt->sa)); 1708 return; 1709 } 1710 } else { 1711 if (hapd->iconf->ignore_assoc_probability > 0.0 && 1712 drand48() < hapd->iconf->ignore_assoc_probability) { 1713 wpa_printf(MSG_INFO, 1714 "TESTING: ignoring assoc request from " 1715 MACSTR, MAC2STR(mgmt->sa)); 1716 return; 1717 } 1718 } 1719#endif /* CONFIG_TESTING_OPTIONS */ 1720 1721 fc = le_to_host16(mgmt->frame_control); 1722 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 1723 1724 if (reassoc) { 1725 capab_info = le_to_host16(mgmt->u.reassoc_req.capab_info); 1726 listen_interval = le_to_host16( 1727 mgmt->u.reassoc_req.listen_interval); 1728 wpa_printf(MSG_DEBUG, "reassociation request: STA=" MACSTR 1729 " capab_info=0x%02x listen_interval=%d current_ap=" 1730 MACSTR " seq_ctrl=0x%x%s", 1731 MAC2STR(mgmt->sa), capab_info, listen_interval, 1732 MAC2STR(mgmt->u.reassoc_req.current_ap), 1733 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 1734 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.reassoc_req)); 1735 pos = mgmt->u.reassoc_req.variable; 1736 } else { 1737 capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); 1738 listen_interval = le_to_host16( 1739 mgmt->u.assoc_req.listen_interval); 1740 wpa_printf(MSG_DEBUG, "association request: STA=" MACSTR 1741 " capab_info=0x%02x listen_interval=%d " 1742 "seq_ctrl=0x%x%s", 1743 MAC2STR(mgmt->sa), capab_info, listen_interval, 1744 seq_ctrl, (fc & WLAN_FC_RETRY) ? " retry" : ""); 1745 left = len - (IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_req)); 1746 pos = mgmt->u.assoc_req.variable; 1747 } 1748 1749 sta = ap_get_sta(hapd, mgmt->sa); 1750#ifdef CONFIG_IEEE80211R 1751 if (sta && sta->auth_alg == WLAN_AUTH_FT && 1752 (sta->flags & WLAN_STA_AUTH) == 0) { 1753 wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate " 1754 "prior to authentication since it is using " 1755 "over-the-DS FT", MAC2STR(mgmt->sa)); 1756 } else 1757#endif /* CONFIG_IEEE80211R */ 1758 if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) { 1759 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 1760 HOSTAPD_LEVEL_INFO, "Station tried to " 1761 "associate before authentication " 1762 "(aid=%d flags=0x%x)", 1763 sta ? sta->aid : -1, 1764 sta ? sta->flags : 0); 1765 send_deauth(hapd, mgmt->sa, 1766 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA); 1767 return; 1768 } 1769 1770 if ((fc & WLAN_FC_RETRY) && 1771 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 1772 sta->last_seq_ctrl == seq_ctrl && 1773 sta->last_subtype == reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 1774 WLAN_FC_STYPE_ASSOC_REQ) { 1775 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1776 HOSTAPD_LEVEL_DEBUG, 1777 "Drop repeated association frame seq_ctrl=0x%x", 1778 seq_ctrl); 1779 return; 1780 } 1781 sta->last_seq_ctrl = seq_ctrl; 1782 sta->last_subtype = reassoc ? WLAN_FC_STYPE_REASSOC_REQ : 1783 WLAN_FC_STYPE_ASSOC_REQ; 1784 1785 if (hapd->tkip_countermeasures) { 1786 resp = WLAN_REASON_MICHAEL_MIC_FAILURE; 1787 goto fail; 1788 } 1789 1790 if (listen_interval > hapd->conf->max_listen_interval) { 1791 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 1792 HOSTAPD_LEVEL_DEBUG, 1793 "Too large Listen Interval (%d)", 1794 listen_interval); 1795 resp = WLAN_STATUS_ASSOC_DENIED_LISTEN_INT_TOO_LARGE; 1796 goto fail; 1797 } 1798 1799 /* followed by SSID and Supported rates; and HT capabilities if 802.11n 1800 * is used */ 1801 resp = check_assoc_ies(hapd, sta, pos, left, reassoc); 1802 if (resp != WLAN_STATUS_SUCCESS) 1803 goto fail; 1804 1805 if (hostapd_get_aid(hapd, sta) < 0) { 1806 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 1807 HOSTAPD_LEVEL_INFO, "No room for more AIDs"); 1808 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA; 1809 goto fail; 1810 } 1811 1812 sta->capability = capab_info; 1813 sta->listen_interval = listen_interval; 1814 1815 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G) 1816 sta->flags |= WLAN_STA_NONERP; 1817 for (i = 0; i < sta->supported_rates_len; i++) { 1818 if ((sta->supported_rates[i] & 0x7f) > 22) { 1819 sta->flags &= ~WLAN_STA_NONERP; 1820 break; 1821 } 1822 } 1823 if (sta->flags & WLAN_STA_NONERP && !sta->nonerp_set) { 1824 sta->nonerp_set = 1; 1825 hapd->iface->num_sta_non_erp++; 1826 if (hapd->iface->num_sta_non_erp == 1) 1827 ieee802_11_set_beacons(hapd->iface); 1828 } 1829 1830 if (!(sta->capability & WLAN_CAPABILITY_SHORT_SLOT_TIME) && 1831 !sta->no_short_slot_time_set) { 1832 sta->no_short_slot_time_set = 1; 1833 hapd->iface->num_sta_no_short_slot_time++; 1834 if (hapd->iface->current_mode->mode == 1835 HOSTAPD_MODE_IEEE80211G && 1836 hapd->iface->num_sta_no_short_slot_time == 1) 1837 ieee802_11_set_beacons(hapd->iface); 1838 } 1839 1840 if (sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) 1841 sta->flags |= WLAN_STA_SHORT_PREAMBLE; 1842 else 1843 sta->flags &= ~WLAN_STA_SHORT_PREAMBLE; 1844 1845 if (!(sta->capability & WLAN_CAPABILITY_SHORT_PREAMBLE) && 1846 !sta->no_short_preamble_set) { 1847 sta->no_short_preamble_set = 1; 1848 hapd->iface->num_sta_no_short_preamble++; 1849 if (hapd->iface->current_mode->mode == HOSTAPD_MODE_IEEE80211G 1850 && hapd->iface->num_sta_no_short_preamble == 1) 1851 ieee802_11_set_beacons(hapd->iface); 1852 } 1853 1854#ifdef CONFIG_IEEE80211N 1855 update_ht_state(hapd, sta); 1856#endif /* CONFIG_IEEE80211N */ 1857 1858 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1859 HOSTAPD_LEVEL_DEBUG, 1860 "association OK (aid %d)", sta->aid); 1861 /* Station will be marked associated, after it acknowledges AssocResp 1862 */ 1863 sta->flags |= WLAN_STA_ASSOC_REQ_OK; 1864 1865#ifdef CONFIG_IEEE80211W 1866 if ((sta->flags & WLAN_STA_MFP) && sta->sa_query_timed_out) { 1867 wpa_printf(MSG_DEBUG, "Allowing %sassociation after timed out " 1868 "SA Query procedure", reassoc ? "re" : ""); 1869 /* TODO: Send a protected Disassociate frame to the STA using 1870 * the old key and Reason Code "Previous Authentication no 1871 * longer valid". Make sure this is only sent protected since 1872 * unprotected frame would be received by the STA that is now 1873 * trying to associate. 1874 */ 1875 } 1876#endif /* CONFIG_IEEE80211W */ 1877 1878 /* Make sure that the previously registered inactivity timer will not 1879 * remove the STA immediately. */ 1880 sta->timeout_next = STA_NULLFUNC; 1881 1882 fail: 1883 send_assoc_resp(hapd, sta, resp, reassoc, pos, left); 1884} 1885 1886 1887static void handle_disassoc(struct hostapd_data *hapd, 1888 const struct ieee80211_mgmt *mgmt, size_t len) 1889{ 1890 struct sta_info *sta; 1891 1892 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.disassoc)) { 1893 wpa_printf(MSG_INFO, "handle_disassoc - too short payload (len=%lu)", 1894 (unsigned long) len); 1895 return; 1896 } 1897 1898 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", 1899 MAC2STR(mgmt->sa), 1900 le_to_host16(mgmt->u.disassoc.reason_code)); 1901 1902 sta = ap_get_sta(hapd, mgmt->sa); 1903 if (sta == NULL) { 1904 wpa_printf(MSG_INFO, "Station " MACSTR " trying to disassociate, but it is not associated", 1905 MAC2STR(mgmt->sa)); 1906 return; 1907 } 1908 1909 ap_sta_set_authorized(hapd, sta, 0); 1910 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 1911 sta->flags &= ~(WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK); 1912 wpa_auth_sm_event(sta->wpa_sm, WPA_DISASSOC); 1913 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1914 HOSTAPD_LEVEL_INFO, "disassociated"); 1915 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1916 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 1917 /* Stop Accounting and IEEE 802.1X sessions, but leave the STA 1918 * authenticated. */ 1919 accounting_sta_stop(hapd, sta); 1920 ieee802_1x_free_station(sta); 1921 if (sta->ipaddr) 1922 hostapd_drv_br_delete_ip_neigh(hapd, 4, (u8 *) &sta->ipaddr); 1923 ap_sta_ip6addr_del(hapd, sta); 1924 hostapd_drv_sta_remove(hapd, sta->addr); 1925 1926 if (sta->timeout_next == STA_NULLFUNC || 1927 sta->timeout_next == STA_DISASSOC) { 1928 sta->timeout_next = STA_DEAUTH; 1929 eloop_cancel_timeout(ap_handle_timer, hapd, sta); 1930 eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer, 1931 hapd, sta); 1932 } 1933 1934 mlme_disassociate_indication( 1935 hapd, sta, le_to_host16(mgmt->u.disassoc.reason_code)); 1936} 1937 1938 1939static void handle_deauth(struct hostapd_data *hapd, 1940 const struct ieee80211_mgmt *mgmt, size_t len) 1941{ 1942 struct sta_info *sta; 1943 1944 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.deauth)) { 1945 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "handle_deauth - too short " 1946 "payload (len=%lu)", (unsigned long) len); 1947 return; 1948 } 1949 1950 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "deauthentication: STA=" MACSTR 1951 " reason_code=%d", 1952 MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); 1953 1954 sta = ap_get_sta(hapd, mgmt->sa); 1955 if (sta == NULL) { 1956 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " 1957 "to deauthenticate, but it is not authenticated", 1958 MAC2STR(mgmt->sa)); 1959 return; 1960 } 1961 1962 ap_sta_set_authorized(hapd, sta, 0); 1963 sta->last_seq_ctrl = WLAN_INVALID_MGMT_SEQ; 1964 sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC | 1965 WLAN_STA_ASSOC_REQ_OK); 1966 wpa_auth_sm_event(sta->wpa_sm, WPA_DEAUTH); 1967 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 1968 HOSTAPD_LEVEL_DEBUG, "deauthenticated"); 1969 mlme_deauthenticate_indication( 1970 hapd, sta, le_to_host16(mgmt->u.deauth.reason_code)); 1971 sta->acct_terminate_cause = RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 1972 ieee802_1x_notify_port_enabled(sta->eapol_sm, 0); 1973 ap_free_sta(hapd, sta); 1974} 1975 1976 1977static void handle_beacon(struct hostapd_data *hapd, 1978 const struct ieee80211_mgmt *mgmt, size_t len, 1979 struct hostapd_frame_info *fi) 1980{ 1981 struct ieee802_11_elems elems; 1982 1983 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.beacon)) { 1984 wpa_printf(MSG_INFO, "handle_beacon - too short payload (len=%lu)", 1985 (unsigned long) len); 1986 return; 1987 } 1988 1989 (void) ieee802_11_parse_elems(mgmt->u.beacon.variable, 1990 len - (IEEE80211_HDRLEN + 1991 sizeof(mgmt->u.beacon)), &elems, 1992 0); 1993 1994 ap_list_process_beacon(hapd->iface, mgmt, &elems, fi); 1995} 1996 1997 1998#ifdef CONFIG_IEEE80211W 1999 2000static int hostapd_sa_query_action(struct hostapd_data *hapd, 2001 const struct ieee80211_mgmt *mgmt, 2002 size_t len) 2003{ 2004 const u8 *end; 2005 2006 end = mgmt->u.action.u.sa_query_resp.trans_id + 2007 WLAN_SA_QUERY_TR_ID_LEN; 2008 if (((u8 *) mgmt) + len < end) { 2009 wpa_printf(MSG_DEBUG, "IEEE 802.11: Too short SA Query Action " 2010 "frame (len=%lu)", (unsigned long) len); 2011 return 0; 2012 } 2013 2014 ieee802_11_sa_query_action(hapd, mgmt->sa, 2015 mgmt->u.action.u.sa_query_resp.action, 2016 mgmt->u.action.u.sa_query_resp.trans_id); 2017 return 1; 2018} 2019 2020 2021static int robust_action_frame(u8 category) 2022{ 2023 return category != WLAN_ACTION_PUBLIC && 2024 category != WLAN_ACTION_HT; 2025} 2026#endif /* CONFIG_IEEE80211W */ 2027 2028 2029static int handle_action(struct hostapd_data *hapd, 2030 const struct ieee80211_mgmt *mgmt, size_t len) 2031{ 2032 struct sta_info *sta; 2033 sta = ap_get_sta(hapd, mgmt->sa); 2034 2035 if (len < IEEE80211_HDRLEN + 1) { 2036 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2037 HOSTAPD_LEVEL_DEBUG, 2038 "handle_action - too short payload (len=%lu)", 2039 (unsigned long) len); 2040 return 0; 2041 } 2042 2043 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && 2044 (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) { 2045 wpa_printf(MSG_DEBUG, "IEEE 802.11: Ignored Action " 2046 "frame (category=%u) from unassociated STA " MACSTR, 2047 MAC2STR(mgmt->sa), mgmt->u.action.category); 2048 return 0; 2049 } 2050 2051#ifdef CONFIG_IEEE80211W 2052 if (sta && (sta->flags & WLAN_STA_MFP) && 2053 !(mgmt->frame_control & host_to_le16(WLAN_FC_ISWEP)) && 2054 robust_action_frame(mgmt->u.action.category)) { 2055 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2056 HOSTAPD_LEVEL_DEBUG, 2057 "Dropped unprotected Robust Action frame from " 2058 "an MFP STA"); 2059 return 0; 2060 } 2061#endif /* CONFIG_IEEE80211W */ 2062 2063 if (sta) { 2064 u16 fc = le_to_host16(mgmt->frame_control); 2065 u16 seq_ctrl = le_to_host16(mgmt->seq_ctrl); 2066 2067 if ((fc & WLAN_FC_RETRY) && 2068 sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ && 2069 sta->last_seq_ctrl == seq_ctrl && 2070 sta->last_subtype == WLAN_FC_STYPE_ACTION) { 2071 hostapd_logger(hapd, sta->addr, 2072 HOSTAPD_MODULE_IEEE80211, 2073 HOSTAPD_LEVEL_DEBUG, 2074 "Drop repeated action frame seq_ctrl=0x%x", 2075 seq_ctrl); 2076 return 1; 2077 } 2078 2079 sta->last_seq_ctrl = seq_ctrl; 2080 sta->last_subtype = WLAN_FC_STYPE_ACTION; 2081 } 2082 2083 switch (mgmt->u.action.category) { 2084#ifdef CONFIG_IEEE80211R 2085 case WLAN_ACTION_FT: 2086 if (!sta || 2087 wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action, 2088 len - IEEE80211_HDRLEN)) 2089 break; 2090 return 1; 2091#endif /* CONFIG_IEEE80211R */ 2092 case WLAN_ACTION_WMM: 2093 hostapd_wmm_action(hapd, mgmt, len); 2094 return 1; 2095#ifdef CONFIG_IEEE80211W 2096 case WLAN_ACTION_SA_QUERY: 2097 return hostapd_sa_query_action(hapd, mgmt, len); 2098#endif /* CONFIG_IEEE80211W */ 2099#ifdef CONFIG_WNM 2100 case WLAN_ACTION_WNM: 2101 ieee802_11_rx_wnm_action_ap(hapd, mgmt, len); 2102 return 1; 2103#endif /* CONFIG_WNM */ 2104 case WLAN_ACTION_PUBLIC: 2105 case WLAN_ACTION_PROTECTED_DUAL: 2106#ifdef CONFIG_IEEE80211N 2107 if (len >= IEEE80211_HDRLEN + 2 && 2108 mgmt->u.action.u.public_action.action == 2109 WLAN_PA_20_40_BSS_COEX) { 2110 wpa_printf(MSG_DEBUG, 2111 "HT20/40 coex mgmt frame received from STA " 2112 MACSTR, MAC2STR(mgmt->sa)); 2113 hostapd_2040_coex_action(hapd, mgmt, len); 2114 } 2115#endif /* CONFIG_IEEE80211N */ 2116 if (hapd->public_action_cb) { 2117 hapd->public_action_cb(hapd->public_action_cb_ctx, 2118 (u8 *) mgmt, len, 2119 hapd->iface->freq); 2120 } 2121 if (hapd->public_action_cb2) { 2122 hapd->public_action_cb2(hapd->public_action_cb2_ctx, 2123 (u8 *) mgmt, len, 2124 hapd->iface->freq); 2125 } 2126 if (hapd->public_action_cb || hapd->public_action_cb2) 2127 return 1; 2128 break; 2129 case WLAN_ACTION_VENDOR_SPECIFIC: 2130 if (hapd->vendor_action_cb) { 2131 if (hapd->vendor_action_cb(hapd->vendor_action_cb_ctx, 2132 (u8 *) mgmt, len, 2133 hapd->iface->freq) == 0) 2134 return 1; 2135 } 2136 break; 2137 } 2138 2139 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2140 HOSTAPD_LEVEL_DEBUG, 2141 "handle_action - unknown action category %d or invalid " 2142 "frame", 2143 mgmt->u.action.category); 2144 if (!(mgmt->da[0] & 0x01) && !(mgmt->u.action.category & 0x80) && 2145 !(mgmt->sa[0] & 0x01)) { 2146 struct ieee80211_mgmt *resp; 2147 2148 /* 2149 * IEEE 802.11-REVma/D9.0 - 7.3.1.11 2150 * Return the Action frame to the source without change 2151 * except that MSB of the Category set to 1. 2152 */ 2153 wpa_printf(MSG_DEBUG, "IEEE 802.11: Return unknown Action " 2154 "frame back to sender"); 2155 resp = os_malloc(len); 2156 if (resp == NULL) 2157 return 0; 2158 os_memcpy(resp, mgmt, len); 2159 os_memcpy(resp->da, resp->sa, ETH_ALEN); 2160 os_memcpy(resp->sa, hapd->own_addr, ETH_ALEN); 2161 os_memcpy(resp->bssid, hapd->own_addr, ETH_ALEN); 2162 resp->u.action.category |= 0x80; 2163 2164 if (hostapd_drv_send_mlme(hapd, resp, len, 0) < 0) { 2165 wpa_printf(MSG_ERROR, "IEEE 802.11: Failed to send " 2166 "Action frame"); 2167 } 2168 os_free(resp); 2169 } 2170 2171 return 1; 2172} 2173 2174 2175/** 2176 * ieee802_11_mgmt - process incoming IEEE 802.11 management frames 2177 * @hapd: hostapd BSS data structure (the BSS to which the management frame was 2178 * sent to) 2179 * @buf: management frame data (starting from IEEE 802.11 header) 2180 * @len: length of frame data in octets 2181 * @fi: meta data about received frame (signal level, etc.) 2182 * 2183 * Process all incoming IEEE 802.11 management frames. This will be called for 2184 * each frame received from the kernel driver through wlan#ap interface. In 2185 * addition, it can be called to re-inserted pending frames (e.g., when using 2186 * external RADIUS server as an MAC ACL). 2187 */ 2188int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, 2189 struct hostapd_frame_info *fi) 2190{ 2191 struct ieee80211_mgmt *mgmt; 2192 int broadcast; 2193 u16 fc, stype; 2194 int ret = 0; 2195 2196 if (len < 24) 2197 return 0; 2198 2199 mgmt = (struct ieee80211_mgmt *) buf; 2200 fc = le_to_host16(mgmt->frame_control); 2201 stype = WLAN_FC_GET_STYPE(fc); 2202 2203 if (stype == WLAN_FC_STYPE_BEACON) { 2204 handle_beacon(hapd, mgmt, len, fi); 2205 return 1; 2206 } 2207 2208 broadcast = mgmt->bssid[0] == 0xff && mgmt->bssid[1] == 0xff && 2209 mgmt->bssid[2] == 0xff && mgmt->bssid[3] == 0xff && 2210 mgmt->bssid[4] == 0xff && mgmt->bssid[5] == 0xff; 2211 2212 if (!broadcast && 2213#ifdef CONFIG_P2P 2214 /* Invitation responses can be sent with the peer MAC as BSSID */ 2215 !((hapd->conf->p2p & P2P_GROUP_OWNER) && 2216 stype == WLAN_FC_STYPE_ACTION) && 2217#endif /* CONFIG_P2P */ 2218#ifdef CONFIG_MESH 2219 !(hapd->conf->mesh & MESH_ENABLED) && 2220#endif /* CONFIG_MESH */ 2221 os_memcmp(mgmt->bssid, hapd->own_addr, ETH_ALEN) != 0) { 2222 wpa_printf(MSG_INFO, "MGMT: BSSID=" MACSTR " not our address", 2223 MAC2STR(mgmt->bssid)); 2224 return 0; 2225 } 2226 2227 2228 if (stype == WLAN_FC_STYPE_PROBE_REQ) { 2229 handle_probe_req(hapd, mgmt, len, fi->ssi_signal); 2230 return 1; 2231 } 2232 2233 if (os_memcmp(mgmt->da, hapd->own_addr, ETH_ALEN) != 0) { 2234 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2235 HOSTAPD_LEVEL_DEBUG, 2236 "MGMT: DA=" MACSTR " not our address", 2237 MAC2STR(mgmt->da)); 2238 return 0; 2239 } 2240 2241 switch (stype) { 2242 case WLAN_FC_STYPE_AUTH: 2243 wpa_printf(MSG_DEBUG, "mgmt::auth"); 2244 handle_auth(hapd, mgmt, len); 2245 ret = 1; 2246 break; 2247 case WLAN_FC_STYPE_ASSOC_REQ: 2248 wpa_printf(MSG_DEBUG, "mgmt::assoc_req"); 2249 handle_assoc(hapd, mgmt, len, 0); 2250 ret = 1; 2251 break; 2252 case WLAN_FC_STYPE_REASSOC_REQ: 2253 wpa_printf(MSG_DEBUG, "mgmt::reassoc_req"); 2254 handle_assoc(hapd, mgmt, len, 1); 2255 ret = 1; 2256 break; 2257 case WLAN_FC_STYPE_DISASSOC: 2258 wpa_printf(MSG_DEBUG, "mgmt::disassoc"); 2259 handle_disassoc(hapd, mgmt, len); 2260 ret = 1; 2261 break; 2262 case WLAN_FC_STYPE_DEAUTH: 2263 wpa_msg(hapd->msg_ctx, MSG_DEBUG, "mgmt::deauth"); 2264 handle_deauth(hapd, mgmt, len); 2265 ret = 1; 2266 break; 2267 case WLAN_FC_STYPE_ACTION: 2268 wpa_printf(MSG_DEBUG, "mgmt::action"); 2269 ret = handle_action(hapd, mgmt, len); 2270 break; 2271 default: 2272 hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211, 2273 HOSTAPD_LEVEL_DEBUG, 2274 "unknown mgmt frame subtype %d", stype); 2275 break; 2276 } 2277 2278 return ret; 2279} 2280 2281 2282static void handle_auth_cb(struct hostapd_data *hapd, 2283 const struct ieee80211_mgmt *mgmt, 2284 size_t len, int ok) 2285{ 2286 u16 auth_alg, auth_transaction, status_code; 2287 struct sta_info *sta; 2288 2289 if (!ok) { 2290 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 2291 HOSTAPD_LEVEL_NOTICE, 2292 "did not acknowledge authentication response"); 2293 return; 2294 } 2295 2296 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { 2297 wpa_printf(MSG_INFO, "handle_auth_cb - too short payload (len=%lu)", 2298 (unsigned long) len); 2299 return; 2300 } 2301 2302 auth_alg = le_to_host16(mgmt->u.auth.auth_alg); 2303 auth_transaction = le_to_host16(mgmt->u.auth.auth_transaction); 2304 status_code = le_to_host16(mgmt->u.auth.status_code); 2305 2306 sta = ap_get_sta(hapd, mgmt->da); 2307 if (!sta) { 2308 wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found", 2309 MAC2STR(mgmt->da)); 2310 return; 2311 } 2312 2313 if (status_code == WLAN_STATUS_SUCCESS && 2314 ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) || 2315 (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) { 2316 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2317 HOSTAPD_LEVEL_INFO, "authenticated"); 2318 sta->flags |= WLAN_STA_AUTH; 2319 } 2320} 2321 2322 2323static void hostapd_set_wds_encryption(struct hostapd_data *hapd, 2324 struct sta_info *sta, 2325 char *ifname_wds) 2326{ 2327 int i; 2328 struct hostapd_ssid *ssid = &hapd->conf->ssid; 2329 2330 if (hapd->conf->ieee802_1x || hapd->conf->wpa) 2331 return; 2332 2333 for (i = 0; i < 4; i++) { 2334 if (ssid->wep.key[i] && 2335 hostapd_drv_set_key(ifname_wds, hapd, WPA_ALG_WEP, NULL, i, 2336 i == ssid->wep.idx, NULL, 0, 2337 ssid->wep.key[i], ssid->wep.len[i])) { 2338 wpa_printf(MSG_WARNING, 2339 "Could not set WEP keys for WDS interface; %s", 2340 ifname_wds); 2341 break; 2342 } 2343 } 2344} 2345 2346 2347static void handle_assoc_cb(struct hostapd_data *hapd, 2348 const struct ieee80211_mgmt *mgmt, 2349 size_t len, int reassoc, int ok) 2350{ 2351 u16 status; 2352 struct sta_info *sta; 2353 int new_assoc = 1; 2354 struct ieee80211_ht_capabilities ht_cap; 2355 struct ieee80211_vht_capabilities vht_cap; 2356 2357 if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) : 2358 sizeof(mgmt->u.assoc_resp))) { 2359 wpa_printf(MSG_INFO, "handle_assoc_cb(reassoc=%d) - too short payload (len=%lu)", 2360 reassoc, (unsigned long) len); 2361 return; 2362 } 2363 2364 sta = ap_get_sta(hapd, mgmt->da); 2365 if (!sta) { 2366 wpa_printf(MSG_INFO, "handle_assoc_cb: STA " MACSTR " not found", 2367 MAC2STR(mgmt->da)); 2368 return; 2369 } 2370 2371 if (!ok) { 2372 hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211, 2373 HOSTAPD_LEVEL_DEBUG, 2374 "did not acknowledge association response"); 2375 sta->flags &= ~WLAN_STA_ASSOC_REQ_OK; 2376 return; 2377 } 2378 2379 if (reassoc) 2380 status = le_to_host16(mgmt->u.reassoc_resp.status_code); 2381 else 2382 status = le_to_host16(mgmt->u.assoc_resp.status_code); 2383 2384 if (status != WLAN_STATUS_SUCCESS) 2385 return; 2386 2387 /* Stop previous accounting session, if one is started, and allocate 2388 * new session id for the new session. */ 2389 accounting_sta_stop(hapd, sta); 2390 2391 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2392 HOSTAPD_LEVEL_INFO, 2393 "associated (aid %d)", 2394 sta->aid); 2395 2396 if (sta->flags & WLAN_STA_ASSOC) 2397 new_assoc = 0; 2398 sta->flags |= WLAN_STA_ASSOC; 2399 sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE; 2400 if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen) || 2401 sta->auth_alg == WLAN_AUTH_FT) { 2402 /* 2403 * Open, static WEP, or FT protocol; no separate authorization 2404 * step. 2405 */ 2406 ap_sta_set_authorized(hapd, sta, 1); 2407 } 2408 2409 if (reassoc) 2410 mlme_reassociate_indication(hapd, sta); 2411 else 2412 mlme_associate_indication(hapd, sta); 2413 2414#ifdef CONFIG_IEEE80211W 2415 sta->sa_query_timed_out = 0; 2416#endif /* CONFIG_IEEE80211W */ 2417 2418 /* 2419 * Remove the STA entry in order to make sure the STA PS state gets 2420 * cleared and configuration gets updated in case of reassociation back 2421 * to the same AP. 2422 */ 2423 hostapd_drv_sta_remove(hapd, sta->addr); 2424 2425#ifdef CONFIG_IEEE80211N 2426 if (sta->flags & WLAN_STA_HT) 2427 hostapd_get_ht_capab(hapd, sta->ht_capabilities, &ht_cap); 2428#endif /* CONFIG_IEEE80211N */ 2429#ifdef CONFIG_IEEE80211AC 2430 if (sta->flags & WLAN_STA_VHT) 2431 hostapd_get_vht_capab(hapd, sta->vht_capabilities, &vht_cap); 2432#endif /* CONFIG_IEEE80211AC */ 2433 2434 if (hostapd_sta_add(hapd, sta->addr, sta->aid, sta->capability, 2435 sta->supported_rates, sta->supported_rates_len, 2436 sta->listen_interval, 2437 sta->flags & WLAN_STA_HT ? &ht_cap : NULL, 2438 sta->flags & WLAN_STA_VHT ? &vht_cap : NULL, 2439 sta->flags, sta->qosinfo, sta->vht_opmode)) { 2440 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 2441 HOSTAPD_LEVEL_NOTICE, 2442 "Could not add STA to kernel driver"); 2443 2444 ap_sta_disconnect(hapd, sta, sta->addr, 2445 WLAN_REASON_DISASSOC_AP_BUSY); 2446 2447 return; 2448 } 2449 2450 if (sta->flags & WLAN_STA_WDS) { 2451 int ret; 2452 char ifname_wds[IFNAMSIZ + 1]; 2453 2454 ret = hostapd_set_wds_sta(hapd, ifname_wds, sta->addr, 2455 sta->aid, 1); 2456 if (!ret) 2457 hostapd_set_wds_encryption(hapd, sta, ifname_wds); 2458 } 2459 2460 if (sta->eapol_sm == NULL) { 2461 /* 2462 * This STA does not use RADIUS server for EAP authentication, 2463 * so bind it to the selected VLAN interface now, since the 2464 * interface selection is not going to change anymore. 2465 */ 2466 if (ap_sta_bind_vlan(hapd, sta) < 0) 2467 return; 2468 } else if (sta->vlan_id) { 2469 /* VLAN ID already set (e.g., by PMKSA caching), so bind STA */ 2470 if (ap_sta_bind_vlan(hapd, sta) < 0) 2471 return; 2472 } 2473 2474 hostapd_set_sta_flags(hapd, sta); 2475 2476 if (sta->auth_alg == WLAN_AUTH_FT) 2477 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC_FT); 2478 else 2479 wpa_auth_sm_event(sta->wpa_sm, WPA_ASSOC); 2480 hapd->new_assoc_sta_cb(hapd, sta, !new_assoc); 2481 2482 ieee802_1x_notify_port_enabled(sta->eapol_sm, 1); 2483} 2484 2485 2486static void handle_deauth_cb(struct hostapd_data *hapd, 2487 const struct ieee80211_mgmt *mgmt, 2488 size_t len, int ok) 2489{ 2490 struct sta_info *sta; 2491 if (mgmt->da[0] & 0x01) 2492 return; 2493 sta = ap_get_sta(hapd, mgmt->da); 2494 if (!sta) { 2495 wpa_printf(MSG_DEBUG, "handle_deauth_cb: STA " MACSTR 2496 " not found", MAC2STR(mgmt->da)); 2497 return; 2498 } 2499 if (ok) 2500 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged deauth", 2501 MAC2STR(sta->addr)); 2502 else 2503 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 2504 "deauth", MAC2STR(sta->addr)); 2505 2506 ap_sta_deauth_cb(hapd, sta); 2507} 2508 2509 2510static void handle_disassoc_cb(struct hostapd_data *hapd, 2511 const struct ieee80211_mgmt *mgmt, 2512 size_t len, int ok) 2513{ 2514 struct sta_info *sta; 2515 if (mgmt->da[0] & 0x01) 2516 return; 2517 sta = ap_get_sta(hapd, mgmt->da); 2518 if (!sta) { 2519 wpa_printf(MSG_DEBUG, "handle_disassoc_cb: STA " MACSTR 2520 " not found", MAC2STR(mgmt->da)); 2521 return; 2522 } 2523 if (ok) 2524 wpa_printf(MSG_DEBUG, "STA " MACSTR " acknowledged disassoc", 2525 MAC2STR(sta->addr)); 2526 else 2527 wpa_printf(MSG_DEBUG, "STA " MACSTR " did not acknowledge " 2528 "disassoc", MAC2STR(sta->addr)); 2529 2530 ap_sta_disassoc_cb(hapd, sta); 2531} 2532 2533 2534/** 2535 * ieee802_11_mgmt_cb - Process management frame TX status callback 2536 * @hapd: hostapd BSS data structure (the BSS from which the management frame 2537 * was sent from) 2538 * @buf: management frame data (starting from IEEE 802.11 header) 2539 * @len: length of frame data in octets 2540 * @stype: management frame subtype from frame control field 2541 * @ok: Whether the frame was ACK'ed 2542 */ 2543void ieee802_11_mgmt_cb(struct hostapd_data *hapd, const u8 *buf, size_t len, 2544 u16 stype, int ok) 2545{ 2546 const struct ieee80211_mgmt *mgmt; 2547 mgmt = (const struct ieee80211_mgmt *) buf; 2548 2549#ifdef CONFIG_TESTING_OPTIONS 2550 if (hapd->ext_mgmt_frame_handling) { 2551 wpa_msg(hapd->msg_ctx, MSG_INFO, "MGMT-TX-STATUS stype=%u ok=%d", 2552 stype, ok); 2553 return; 2554 } 2555#endif /* CONFIG_TESTING_OPTIONS */ 2556 2557 switch (stype) { 2558 case WLAN_FC_STYPE_AUTH: 2559 wpa_printf(MSG_DEBUG, "mgmt::auth cb"); 2560 handle_auth_cb(hapd, mgmt, len, ok); 2561 break; 2562 case WLAN_FC_STYPE_ASSOC_RESP: 2563 wpa_printf(MSG_DEBUG, "mgmt::assoc_resp cb"); 2564 handle_assoc_cb(hapd, mgmt, len, 0, ok); 2565 break; 2566 case WLAN_FC_STYPE_REASSOC_RESP: 2567 wpa_printf(MSG_DEBUG, "mgmt::reassoc_resp cb"); 2568 handle_assoc_cb(hapd, mgmt, len, 1, ok); 2569 break; 2570 case WLAN_FC_STYPE_PROBE_RESP: 2571 wpa_printf(MSG_EXCESSIVE, "mgmt::proberesp cb"); 2572 break; 2573 case WLAN_FC_STYPE_DEAUTH: 2574 wpa_printf(MSG_DEBUG, "mgmt::deauth cb"); 2575 handle_deauth_cb(hapd, mgmt, len, ok); 2576 break; 2577 case WLAN_FC_STYPE_DISASSOC: 2578 wpa_printf(MSG_DEBUG, "mgmt::disassoc cb"); 2579 handle_disassoc_cb(hapd, mgmt, len, ok); 2580 break; 2581 case WLAN_FC_STYPE_ACTION: 2582 wpa_printf(MSG_DEBUG, "mgmt::action cb"); 2583 break; 2584 default: 2585 wpa_printf(MSG_INFO, "unknown mgmt cb frame subtype %d", stype); 2586 break; 2587 } 2588} 2589 2590 2591int ieee802_11_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2592{ 2593 /* TODO */ 2594 return 0; 2595} 2596 2597 2598int ieee802_11_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2599 char *buf, size_t buflen) 2600{ 2601 /* TODO */ 2602 return 0; 2603} 2604 2605 2606void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, 2607 const u8 *buf, size_t len, int ack) 2608{ 2609 struct sta_info *sta; 2610 struct hostapd_iface *iface = hapd->iface; 2611 2612 sta = ap_get_sta(hapd, addr); 2613 if (sta == NULL && iface->num_bss > 1) { 2614 size_t j; 2615 for (j = 0; j < iface->num_bss; j++) { 2616 hapd = iface->bss[j]; 2617 sta = ap_get_sta(hapd, addr); 2618 if (sta) 2619 break; 2620 } 2621 } 2622 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) 2623 return; 2624 if (sta->flags & WLAN_STA_PENDING_POLL) { 2625 wpa_printf(MSG_DEBUG, "STA " MACSTR " %s pending " 2626 "activity poll", MAC2STR(sta->addr), 2627 ack ? "ACKed" : "did not ACK"); 2628 if (ack) 2629 sta->flags &= ~WLAN_STA_PENDING_POLL; 2630 } 2631 2632 ieee802_1x_tx_status(hapd, sta, buf, len, ack); 2633} 2634 2635 2636void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, 2637 const u8 *data, size_t len, int ack) 2638{ 2639 struct sta_info *sta; 2640 struct hostapd_iface *iface = hapd->iface; 2641 2642 sta = ap_get_sta(hapd, dst); 2643 if (sta == NULL && iface->num_bss > 1) { 2644 size_t j; 2645 for (j = 0; j < iface->num_bss; j++) { 2646 hapd = iface->bss[j]; 2647 sta = ap_get_sta(hapd, dst); 2648 if (sta) 2649 break; 2650 } 2651 } 2652 if (sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) { 2653 wpa_printf(MSG_DEBUG, "Ignore TX status for Data frame to STA " 2654 MACSTR " that is not currently associated", 2655 MAC2STR(dst)); 2656 return; 2657 } 2658 2659 ieee802_1x_eapol_tx_status(hapd, sta, data, len, ack); 2660} 2661 2662 2663void hostapd_client_poll_ok(struct hostapd_data *hapd, const u8 *addr) 2664{ 2665 struct sta_info *sta; 2666 struct hostapd_iface *iface = hapd->iface; 2667 2668 sta = ap_get_sta(hapd, addr); 2669 if (sta == NULL && iface->num_bss > 1) { 2670 size_t j; 2671 for (j = 0; j < iface->num_bss; j++) { 2672 hapd = iface->bss[j]; 2673 sta = ap_get_sta(hapd, addr); 2674 if (sta) 2675 break; 2676 } 2677 } 2678 if (sta == NULL) 2679 return; 2680 if (!(sta->flags & WLAN_STA_PENDING_POLL)) 2681 return; 2682 2683 wpa_printf(MSG_DEBUG, "STA " MACSTR " ACKed pending " 2684 "activity poll", MAC2STR(sta->addr)); 2685 sta->flags &= ~WLAN_STA_PENDING_POLL; 2686} 2687 2688 2689void ieee802_11_rx_from_unknown(struct hostapd_data *hapd, const u8 *src, 2690 int wds) 2691{ 2692 struct sta_info *sta; 2693 2694 sta = ap_get_sta(hapd, src); 2695 if (sta && (sta->flags & WLAN_STA_ASSOC)) { 2696 if (!hapd->conf->wds_sta) 2697 return; 2698 2699 if (wds && !(sta->flags & WLAN_STA_WDS)) { 2700 int ret; 2701 char ifname_wds[IFNAMSIZ + 1]; 2702 2703 wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for " 2704 "STA " MACSTR " (aid %u)", 2705 MAC2STR(sta->addr), sta->aid); 2706 sta->flags |= WLAN_STA_WDS; 2707 ret = hostapd_set_wds_sta(hapd, ifname_wds, 2708 sta->addr, sta->aid, 1); 2709 if (!ret) 2710 hostapd_set_wds_encryption(hapd, sta, 2711 ifname_wds); 2712 } 2713 return; 2714 } 2715 2716 wpa_printf(MSG_DEBUG, "Data/PS-poll frame from not associated STA " 2717 MACSTR, MAC2STR(src)); 2718 if (src[0] & 0x01) { 2719 /* Broadcast bit set in SA?! Ignore the frame silently. */ 2720 return; 2721 } 2722 2723 if (sta && (sta->flags & WLAN_STA_ASSOC_REQ_OK)) { 2724 wpa_printf(MSG_DEBUG, "Association Response to the STA has " 2725 "already been sent, but no TX status yet known - " 2726 "ignore Class 3 frame issue with " MACSTR, 2727 MAC2STR(src)); 2728 return; 2729 } 2730 2731 if (sta && (sta->flags & WLAN_STA_AUTH)) 2732 hostapd_drv_sta_disassoc( 2733 hapd, src, 2734 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 2735 else 2736 hostapd_drv_sta_deauth( 2737 hapd, src, 2738 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); 2739} 2740 2741 2742#endif /* CONFIG_NATIVE_WINDOWS */ 2743