]> git.ipfire.org Git - thirdparty/hostap.git/blob - wpa_supplicant/sme.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
MBO/OCE: Work around misbehaving MBO/OCE APs that use RSN without PMF
[thirdparty/hostap.git] / wpa_supplicant / sme.c
1 /*
2 * wpa_supplicant - SME
3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/ieee802_11_common.h"
15 #include "common/ocv.h"
16 #include "eapol_supp/eapol_supp_sm.h"
17 #include "common/wpa_common.h"
18 #include "common/sae.h"
19 #include "common/dpp.h"
20 #include "rsn_supp/wpa.h"
21 #include "rsn_supp/pmksa_cache.h"
22 #include "config.h"
23 #include "wpa_supplicant_i.h"
24 #include "driver_i.h"
25 #include "wpas_glue.h"
26 #include "wps_supplicant.h"
27 #include "p2p_supplicant.h"
28 #include "notify.h"
29 #include "bss.h"
30 #include "scan.h"
31 #include "sme.h"
32 #include "hs20_supplicant.h"
33
34 #define SME_AUTH_TIMEOUT 5
35 #define SME_ASSOC_TIMEOUT 5
36
37 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx);
38 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx);
39 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx);
40 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s);
41
42
43 #ifdef CONFIG_SAE
44
45 static int index_within_array(const int *array, int idx)
46 {
47 int i;
48 for (i = 0; i < idx; i++) {
49 if (array[i] <= 0)
50 return 0;
51 }
52 return 1;
53 }
54
55
56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
57 {
58 int *groups = wpa_s->conf->sae_groups;
59 int default_groups[] = { 19, 20, 21, 0 };
60
61 if (!groups || groups[0] <= 0)
62 groups = default_groups;
63
64 /* Configuration may have changed, so validate current index */
65 if (!index_within_array(groups, wpa_s->sme.sae_group_index))
66 return -1;
67
68 for (;;) {
69 int group = groups[wpa_s->sme.sae_group_index];
70 if (group <= 0)
71 break;
72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
74 wpa_s->sme.sae.group);
75 return 0;
76 }
77 wpa_s->sme.sae_group_index++;
78 }
79
80 return -1;
81 }
82
83
84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
85 struct wpa_ssid *ssid,
86 const u8 *bssid, int external,
87 int reuse)
88 {
89 struct wpabuf *buf;
90 size_t len;
91 const char *password;
92
93 #ifdef CONFIG_TESTING_OPTIONS
94 if (wpa_s->sae_commit_override) {
95 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
96 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override));
97 if (!buf)
98 return NULL;
99 if (!external) {
100 wpabuf_put_le16(buf, 1); /* Transaction seq# */
101 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
102 }
103 wpabuf_put_buf(buf, wpa_s->sae_commit_override);
104 return buf;
105 }
106 #endif /* CONFIG_TESTING_OPTIONS */
107
108 password = ssid->sae_password;
109 if (!password)
110 password = ssid->passphrase;
111 if (!password) {
112 wpa_printf(MSG_DEBUG, "SAE: No password available");
113 return NULL;
114 }
115
116 if (reuse && wpa_s->sme.sae.tmp &&
117 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
118 wpa_printf(MSG_DEBUG,
119 "SAE: Reuse previously generated PWE on a retry with the same AP");
120 goto reuse_data;
121 }
122 if (sme_set_sae_group(wpa_s) < 0) {
123 wpa_printf(MSG_DEBUG, "SAE: Failed to select group");
124 return NULL;
125 }
126
127 if (sae_prepare_commit(wpa_s->own_addr, bssid,
128 (u8 *) password, os_strlen(password),
129 ssid->sae_password_id,
130 &wpa_s->sme.sae) < 0) {
131 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
132 return NULL;
133 }
134 if (wpa_s->sme.sae.tmp)
135 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN);
136
137 reuse_data:
138 len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0;
139 if (ssid->sae_password_id)
140 len += 4 + os_strlen(ssid->sae_password_id);
141 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
142 if (buf == NULL)
143 return NULL;
144 if (!external) {
145 wpabuf_put_le16(buf, 1); /* Transaction seq# */
146 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
147 }
148 sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token,
149 ssid->sae_password_id);
150
151 return buf;
152 }
153
154
155 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s,
156 int external)
157 {
158 struct wpabuf *buf;
159
160 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN);
161 if (buf == NULL)
162 return NULL;
163
164 if (!external) {
165 wpabuf_put_le16(buf, 2); /* Transaction seq# */
166 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
167 }
168 sae_write_confirm(&wpa_s->sme.sae, buf);
169
170 return buf;
171 }
172
173 #endif /* CONFIG_SAE */
174
175
176 /**
177 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt
178 * @wpa_s: Pointer to wpa_supplicant data
179 * @bss: Pointer to the bss which is the target of authentication attempt
180 */
181 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s,
182 struct wpa_bss *bss)
183 {
184 const u8 rrm_ie_len = 5;
185 u8 *pos;
186 const u8 *rrm_ie;
187
188 wpa_s->rrm.rrm_used = 0;
189
190 wpa_printf(MSG_DEBUG,
191 "RRM: Determining whether RRM can be used - device support: 0x%x",
192 wpa_s->drv_rrm_flags);
193
194 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES);
195 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) {
196 wpa_printf(MSG_DEBUG, "RRM: No RRM in network");
197 return;
198 }
199
200 if (!((wpa_s->drv_rrm_flags &
201 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) &&
202 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) &&
203 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) {
204 wpa_printf(MSG_DEBUG,
205 "RRM: Insufficient RRM support in driver - do not use RRM");
206 return;
207 }
208
209 if (sizeof(wpa_s->sme.assoc_req_ie) <
210 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) {
211 wpa_printf(MSG_INFO,
212 "RRM: Unable to use RRM, no room for RRM IE");
213 return;
214 }
215
216 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request");
217 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
218 os_memset(pos, 0, 2 + rrm_ie_len);
219 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
220 *pos++ = rrm_ie_len;
221
222 /* Set supported capabilites flags */
223 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION)
224 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT;
225
226 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE |
227 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE |
228 WLAN_RRM_CAPS_BEACON_REPORT_TABLE;
229
230 if (wpa_s->lci)
231 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT;
232
233 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2;
234 wpa_s->rrm.rrm_used = 1;
235 }
236
237
238 static void sme_send_authentication(struct wpa_supplicant *wpa_s,
239 struct wpa_bss *bss, struct wpa_ssid *ssid,
240 int start)
241 {
242 struct wpa_driver_auth_params params;
243 struct wpa_ssid *old_ssid;
244 #ifdef CONFIG_IEEE80211R
245 const u8 *ie;
246 #endif /* CONFIG_IEEE80211R */
247 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
248 const u8 *md = NULL;
249 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
250 int i, bssid_changed;
251 struct wpabuf *resp = NULL;
252 u8 ext_capab[18];
253 int ext_capab_len;
254 int skip_auth;
255 u8 *wpa_ie;
256 size_t wpa_ie_len;
257 #ifdef CONFIG_MBO
258 const u8 *mbo_ie;
259 #endif /* CONFIG_MBO */
260
261 if (bss == NULL) {
262 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for "
263 "the network");
264 wpas_connect_work_done(wpa_s);
265 return;
266 }
267
268 skip_auth = wpa_s->conf->reassoc_same_bss_optim &&
269 wpa_s->reassoc_same_bss;
270 wpa_s->current_bss = bss;
271
272 os_memset(&params, 0, sizeof(params));
273 wpa_s->reassociate = 0;
274
275 params.freq = bss->freq;
276 params.bssid = bss->bssid;
277 params.ssid = bss->ssid;
278 params.ssid_len = bss->ssid_len;
279 params.p2p = ssid->p2p_group;
280
281 if (wpa_s->sme.ssid_len != params.ssid_len ||
282 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0)
283 wpa_s->sme.prev_bssid_set = 0;
284
285 wpa_s->sme.freq = params.freq;
286 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len);
287 wpa_s->sme.ssid_len = params.ssid_len;
288
289 params.auth_alg = WPA_AUTH_ALG_OPEN;
290 #ifdef IEEE8021X_EAPOL
291 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
292 if (ssid->leap) {
293 if (ssid->non_leap == 0)
294 params.auth_alg = WPA_AUTH_ALG_LEAP;
295 else
296 params.auth_alg |= WPA_AUTH_ALG_LEAP;
297 }
298 }
299 #endif /* IEEE8021X_EAPOL */
300 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x",
301 params.auth_alg);
302 if (ssid->auth_alg) {
303 params.auth_alg = ssid->auth_alg;
304 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: "
305 "0x%x", params.auth_alg);
306 }
307 #ifdef CONFIG_SAE
308 wpa_s->sme.sae_pmksa_caching = 0;
309 if (wpa_key_mgmt_sae(ssid->key_mgmt)) {
310 const u8 *rsn;
311 struct wpa_ie_data ied;
312
313 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
314 if (!rsn) {
315 wpa_dbg(wpa_s, MSG_DEBUG,
316 "SAE enabled, but target BSS does not advertise RSN");
317 #ifdef CONFIG_DPP
318 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
319 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) &&
320 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) {
321 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled");
322 #endif /* CONFIG_DPP */
323 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
324 wpa_key_mgmt_sae(ied.key_mgmt)) {
325 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg");
326 params.auth_alg = WPA_AUTH_ALG_SAE;
327 } else {
328 wpa_dbg(wpa_s, MSG_DEBUG,
329 "SAE enabled, but target BSS does not advertise SAE AKM for RSN");
330 }
331 }
332 #endif /* CONFIG_SAE */
333
334 for (i = 0; i < NUM_WEP_KEYS; i++) {
335 if (ssid->wep_key_len[i])
336 params.wep_key[i] = ssid->wep_key[i];
337 params.wep_key_len[i] = ssid->wep_key_len[i];
338 }
339 params.wep_tx_keyidx = ssid->wep_tx_keyidx;
340
341 bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
342 os_memset(wpa_s->bssid, 0, ETH_ALEN);
343 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN);
344 if (bssid_changed)
345 wpas_notify_bssid_changed(wpa_s);
346
347 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) ||
348 wpa_bss_get_ie(bss, WLAN_EID_RSN)) &&
349 wpa_key_mgmt_wpa(ssid->key_mgmt)) {
350 int try_opportunistic;
351 const u8 *cache_id = NULL;
352
353 try_opportunistic = (ssid->proactive_key_caching < 0 ?
354 wpa_s->conf->okc :
355 ssid->proactive_key_caching) &&
356 (ssid->proto & WPA_PROTO_RSN);
357 #ifdef CONFIG_FILS
358 if (wpa_key_mgmt_fils(ssid->key_mgmt))
359 cache_id = wpa_bss_get_fils_cache_id(bss);
360 #endif /* CONFIG_FILS */
361 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
362 wpa_s->current_ssid,
363 try_opportunistic, cache_id,
364 0) == 0)
365 eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
366 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
367 if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
368 wpa_s->sme.assoc_req_ie,
369 &wpa_s->sme.assoc_req_ie_len)) {
370 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
371 "key management and encryption suites");
372 wpas_connect_work_done(wpa_s);
373 return;
374 }
375 #ifdef CONFIG_HS20
376 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) &&
377 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) {
378 /* No PMKSA caching, but otherwise similar to RSN/WPA */
379 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
380 if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
381 wpa_s->sme.assoc_req_ie,
382 &wpa_s->sme.assoc_req_ie_len)) {
383 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
384 "key management and encryption suites");
385 wpas_connect_work_done(wpa_s);
386 return;
387 }
388 #endif /* CONFIG_HS20 */
389 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
390 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) {
391 /*
392 * Both WPA and non-WPA IEEE 802.1X enabled in configuration -
393 * use non-WPA since the scan results did not indicate that the
394 * AP is using WPA or WPA2.
395 */
396 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
397 wpa_s->sme.assoc_req_ie_len = 0;
398 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) {
399 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
400 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid,
401 wpa_s->sme.assoc_req_ie,
402 &wpa_s->sme.assoc_req_ie_len)) {
403 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
404 "key management and encryption suites (no "
405 "scan results)");
406 wpas_connect_work_done(wpa_s);
407 return;
408 }
409 #ifdef CONFIG_WPS
410 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
411 struct wpabuf *wps_ie;
412 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid));
413 if (wps_ie && wpabuf_len(wps_ie) <=
414 sizeof(wpa_s->sme.assoc_req_ie)) {
415 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie);
416 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie),
417 wpa_s->sme.assoc_req_ie_len);
418 } else
419 wpa_s->sme.assoc_req_ie_len = 0;
420 wpabuf_free(wps_ie);
421 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
422 #endif /* CONFIG_WPS */
423 } else {
424 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
425 wpa_s->sme.assoc_req_ie_len = 0;
426 }
427
428 /* In case the WPA vendor IE is used, it should be placed after all the
429 * non-vendor IEs, as the lower layer expects the IEs to be ordered as
430 * defined in the standard. Store the WPA IE so it can later be
431 * inserted at the correct location.
432 */
433 wpa_ie = NULL;
434 wpa_ie_len = 0;
435 if (wpa_s->wpa_proto == WPA_PROTO_WPA) {
436 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie,
437 wpa_s->sme.assoc_req_ie_len);
438 if (wpa_ie) {
439 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE");
440
441 wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
442 wpa_s->sme.assoc_req_ie_len = 0;
443 } else {
444 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE");
445 wpas_connect_work_done(wpa_s);
446 return;
447 }
448 }
449
450 #ifdef CONFIG_IEEE80211R
451 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
452 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
453 md = ie + 2;
454 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0);
455 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) ||
456 !wpa_key_mgmt_ft(wpa_s->key_mgmt)))
457 md = NULL;
458 if (md) {
459 /* Prepare for the next transition */
460 wpa_ft_prepare_auth_request(wpa_s->wpa, ie);
461 }
462
463 if (md) {
464 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x",
465 md[0], md[1]);
466
467 if (wpa_s->sme.assoc_req_ie_len + 5 <
468 sizeof(wpa_s->sme.assoc_req_ie)) {
469 struct rsn_mdie *mdie;
470 u8 *pos = wpa_s->sme.assoc_req_ie +
471 wpa_s->sme.assoc_req_ie_len;
472 *pos++ = WLAN_EID_MOBILITY_DOMAIN;
473 *pos++ = sizeof(*mdie);
474 mdie = (struct rsn_mdie *) pos;
475 os_memcpy(mdie->mobility_domain, md,
476 MOBILITY_DOMAIN_ID_LEN);
477 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN];
478 wpa_s->sme.assoc_req_ie_len += 5;
479 }
480
481 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used &&
482 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
483 wpa_sm_has_ptk(wpa_s->wpa)) {
484 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
485 "over-the-air");
486 params.auth_alg = WPA_AUTH_ALG_FT;
487 params.ie = wpa_s->sme.ft_ies;
488 params.ie_len = wpa_s->sme.ft_ies_len;
489 }
490 }
491 #endif /* CONFIG_IEEE80211R */
492
493 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid);
494 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) {
495 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
496 struct wpa_ie_data _ie;
497 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 &&
498 _ie.capabilities &
499 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
500 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports "
501 "MFP: require MFP");
502 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED;
503 }
504 }
505
506 #ifdef CONFIG_P2P
507 if (wpa_s->global->p2p) {
508 u8 *pos;
509 size_t len;
510 int res;
511 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
512 len = sizeof(wpa_s->sme.assoc_req_ie) -
513 wpa_s->sme.assoc_req_ie_len;
514 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len,
515 ssid->p2p_group);
516 if (res >= 0)
517 wpa_s->sme.assoc_req_ie_len += res;
518 }
519 #endif /* CONFIG_P2P */
520
521 #ifdef CONFIG_FST
522 if (wpa_s->fst_ies) {
523 int fst_ies_len = wpabuf_len(wpa_s->fst_ies);
524
525 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <=
526 sizeof(wpa_s->sme.assoc_req_ie)) {
527 os_memcpy(wpa_s->sme.assoc_req_ie +
528 wpa_s->sme.assoc_req_ie_len,
529 wpabuf_head(wpa_s->fst_ies),
530 fst_ies_len);
531 wpa_s->sme.assoc_req_ie_len += fst_ies_len;
532 }
533 }
534 #endif /* CONFIG_FST */
535
536 sme_auth_handle_rrm(wpa_s, bss);
537
538 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie(
539 wpa_s, ssid, bss->freq,
540 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
541 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len);
542
543 if (params.p2p)
544 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT);
545 else
546 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION);
547
548 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
549 sizeof(ext_capab));
550 if (ext_capab_len > 0) {
551 u8 *pos = wpa_s->sme.assoc_req_ie;
552 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)
553 pos += 2 + pos[1];
554 os_memmove(pos + ext_capab_len, pos,
555 wpa_s->sme.assoc_req_ie_len -
556 (pos - wpa_s->sme.assoc_req_ie));
557 wpa_s->sme.assoc_req_ie_len += ext_capab_len;
558 os_memcpy(pos, ext_capab, ext_capab_len);
559 }
560
561 #ifdef CONFIG_HS20
562 if (is_hs20_network(wpa_s, ssid, bss)) {
563 struct wpabuf *hs20;
564
565 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN);
566 if (hs20) {
567 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid);
568 size_t len;
569
570 wpas_hs20_add_indication(hs20, pps_mo_id,
571 get_hs20_version(bss));
572 wpas_hs20_add_roam_cons_sel(hs20, ssid);
573 len = sizeof(wpa_s->sme.assoc_req_ie) -
574 wpa_s->sme.assoc_req_ie_len;
575 if (wpabuf_len(hs20) <= len) {
576 os_memcpy(wpa_s->sme.assoc_req_ie +
577 wpa_s->sme.assoc_req_ie_len,
578 wpabuf_head(hs20), wpabuf_len(hs20));
579 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20);
580 }
581 wpabuf_free(hs20);
582 }
583 }
584 #endif /* CONFIG_HS20 */
585
586 if (wpa_ie) {
587 size_t len;
588
589 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE");
590
591 len = sizeof(wpa_s->sme.assoc_req_ie) -
592 wpa_s->sme.assoc_req_ie_len;
593
594 if (len > wpa_ie_len) {
595 os_memcpy(wpa_s->sme.assoc_req_ie +
596 wpa_s->sme.assoc_req_ie_len,
597 wpa_ie, wpa_ie_len);
598 wpa_s->sme.assoc_req_ie_len += wpa_ie_len;
599 } else {
600 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE");
601 }
602
603 os_free(wpa_ie);
604 }
605
606 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) {
607 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ];
608 size_t len;
609
610 len = sizeof(wpa_s->sme.assoc_req_ie) -
611 wpa_s->sme.assoc_req_ie_len;
612 if (wpabuf_len(buf) <= len) {
613 os_memcpy(wpa_s->sme.assoc_req_ie +
614 wpa_s->sme.assoc_req_ie_len,
615 wpabuf_head(buf), wpabuf_len(buf));
616 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
617 }
618 }
619
620 #ifdef CONFIG_MBO
621 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
622 if (!wpa_s->disable_mbo_oce && mbo_ie) {
623 int len;
624
625 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie +
626 wpa_s->sme.assoc_req_ie_len,
627 sizeof(wpa_s->sme.assoc_req_ie) -
628 wpa_s->sme.assoc_req_ie_len,
629 !!mbo_attr_from_mbo_ie(mbo_ie,
630 OCE_ATTR_ID_CAPA_IND));
631 if (len >= 0)
632 wpa_s->sme.assoc_req_ie_len += len;
633 }
634 #endif /* CONFIG_MBO */
635
636 #ifdef CONFIG_SAE
637 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
638 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0,
639 NULL,
640 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ?
641 WPA_KEY_MGMT_FT_SAE :
642 WPA_KEY_MGMT_SAE) == 0) {
643 wpa_dbg(wpa_s, MSG_DEBUG,
644 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
645 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
646 params.auth_alg = WPA_AUTH_ALG_OPEN;
647 wpa_s->sme.sae_pmksa_caching = 1;
648 }
649
650 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
651 if (start)
652 resp = sme_auth_build_sae_commit(wpa_s, ssid,
653 bss->bssid, 0,
654 start == 2);
655 else
656 resp = sme_auth_build_sae_confirm(wpa_s, 0);
657 if (resp == NULL) {
658 wpas_connection_failed(wpa_s, bss->bssid);
659 return;
660 }
661 params.auth_data = wpabuf_head(resp);
662 params.auth_data_len = wpabuf_len(resp);
663 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED;
664 }
665 #endif /* CONFIG_SAE */
666
667 old_ssid = wpa_s->current_ssid;
668 wpa_s->current_ssid = ssid;
669 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
670 wpa_supplicant_initiate_eapol(wpa_s);
671
672 #ifdef CONFIG_FILS
673 /* TODO: FILS operations can in some cases be done between different
674 * network_ctx (i.e., same credentials can be used with multiple
675 * networks). */
676 if (params.auth_alg == WPA_AUTH_ALG_OPEN &&
677 wpa_key_mgmt_fils(ssid->key_mgmt)) {
678 const u8 *indic;
679 u16 fils_info;
680 const u8 *realm, *username, *rrk;
681 size_t realm_len, username_len, rrk_len;
682 u16 next_seq_num;
683
684 /*
685 * Check FILS Indication element (FILS Information field) bits
686 * indicating supported authentication algorithms against local
687 * configuration (ssid->fils_dh_group). Try to use FILS
688 * authentication only if the AP supports the combination in the
689 * network profile. */
690 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
691 if (!indic || indic[1] < 2) {
692 wpa_printf(MSG_DEBUG, "SME: " MACSTR
693 " does not include FILS Indication element - cannot use FILS authentication with it",
694 MAC2STR(bss->bssid));
695 goto no_fils;
696 }
697
698 fils_info = WPA_GET_LE16(indic + 2);
699 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) {
700 wpa_printf(MSG_DEBUG, "SME: " MACSTR
701 " does not support FILS SK without PFS - cannot use FILS authentication with it",
702 MAC2STR(bss->bssid));
703 goto no_fils;
704 }
705 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) {
706 wpa_printf(MSG_DEBUG, "SME: " MACSTR
707 " does not support FILS SK with PFS - cannot use FILS authentication with it",
708 MAC2STR(bss->bssid));
709 goto no_fils;
710 }
711
712 if (wpa_s->last_con_fail_realm &&
713 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap,
714 &username, &username_len,
715 &realm, &realm_len, &next_seq_num,
716 &rrk, &rrk_len) == 0 &&
717 realm && realm_len == wpa_s->last_con_fail_realm_len &&
718 os_memcmp(realm, wpa_s->last_con_fail_realm,
719 realm_len) == 0) {
720 wpa_printf(MSG_DEBUG,
721 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy");
722 goto no_fils;
723 }
724
725 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
726 ssid, 0,
727 wpa_bss_get_fils_cache_id(bss),
728 0) == 0)
729 wpa_printf(MSG_DEBUG,
730 "SME: Try to use FILS with PMKSA caching");
731 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md);
732 if (resp) {
733 int auth_alg;
734
735 if (ssid->fils_dh_group)
736 wpa_printf(MSG_DEBUG,
737 "SME: Try to use FILS SK authentication with PFS (DH Group %u)",
738 ssid->fils_dh_group);
739 else
740 wpa_printf(MSG_DEBUG,
741 "SME: Try to use FILS SK authentication without PFS");
742 auth_alg = ssid->fils_dh_group ?
743 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS;
744 params.auth_alg = auth_alg;
745 params.auth_data = wpabuf_head(resp);
746 params.auth_data_len = wpabuf_len(resp);
747 wpa_s->sme.auth_alg = auth_alg;
748 }
749 }
750 no_fils:
751 #endif /* CONFIG_FILS */
752
753 wpa_supplicant_cancel_sched_scan(wpa_s);
754 wpa_supplicant_cancel_scan(wpa_s);
755
756 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR
757 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
758 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq);
759
760 eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
761 wpa_clear_keys(wpa_s, bss->bssid);
762 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
763 if (old_ssid != wpa_s->current_ssid)
764 wpas_notify_network_changed(wpa_s);
765
766 #ifdef CONFIG_HS20
767 hs20_configure_frame_filters(wpa_s);
768 #endif /* CONFIG_HS20 */
769
770 #ifdef CONFIG_P2P
771 /*
772 * If multi-channel concurrency is not supported, check for any
773 * frequency conflict. In case of any frequency conflict, remove the
774 * least prioritized connection.
775 */
776 if (wpa_s->num_multichan_concurrent < 2) {
777 int freq, num;
778 num = get_shared_radio_freqs(wpa_s, &freq, 1);
779 if (num > 0 && freq > 0 && freq != params.freq) {
780 wpa_printf(MSG_DEBUG,
781 "Conflicting frequency found (%d != %d)",
782 freq, params.freq);
783 if (wpas_p2p_handle_frequency_conflicts(wpa_s,
784 params.freq,
785 ssid) < 0) {
786 wpas_connection_failed(wpa_s, bss->bssid);
787 wpa_supplicant_mark_disassoc(wpa_s);
788 wpabuf_free(resp);
789 wpas_connect_work_done(wpa_s);
790 return;
791 }
792 }
793 }
794 #endif /* CONFIG_P2P */
795
796 if (skip_auth) {
797 wpa_msg(wpa_s, MSG_DEBUG,
798 "SME: Skip authentication step on reassoc-to-same-BSS");
799 wpabuf_free(resp);
800 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN);
801 return;
802 }
803
804
805 wpa_s->sme.auth_alg = params.auth_alg;
806 if (wpa_drv_authenticate(wpa_s, &params) < 0) {
807 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the "
808 "driver failed");
809 wpas_connection_failed(wpa_s, bss->bssid);
810 wpa_supplicant_mark_disassoc(wpa_s);
811 wpabuf_free(resp);
812 wpas_connect_work_done(wpa_s);
813 return;
814 }
815
816 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
817 NULL);
818
819 /*
820 * Association will be started based on the authentication event from
821 * the driver.
822 */
823
824 wpabuf_free(resp);
825 }
826
827
828 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit)
829 {
830 struct wpa_connect_work *cwork = work->ctx;
831 struct wpa_supplicant *wpa_s = work->wpa_s;
832
833 if (deinit) {
834 if (work->started)
835 wpa_s->connect_work = NULL;
836
837 wpas_connect_work_free(cwork);
838 return;
839 }
840
841 wpa_s->connect_work = work;
842
843 if (cwork->bss_removed ||
844 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) ||
845 wpas_network_disabled(wpa_s, cwork->ssid)) {
846 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt");
847 wpas_connect_work_done(wpa_s);
848 return;
849 }
850
851 /* Starting new connection, so clear the possibly used WPA IE from the
852 * previous association. */
853 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
854
855 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1);
856 }
857
858
859 void sme_authenticate(struct wpa_supplicant *wpa_s,
860 struct wpa_bss *bss, struct wpa_ssid *ssid)
861 {
862 struct wpa_connect_work *cwork;
863
864 if (bss == NULL || ssid == NULL)
865 return;
866 if (wpa_s->connect_work) {
867 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist");
868 return;
869 }
870
871 if (radio_work_pending(wpa_s, "sme-connect")) {
872 /*
873 * The previous sme-connect work might no longer be valid due to
874 * the fact that the BSS list was updated. In addition, it makes
875 * sense to adhere to the 'newer' decision.
876 */
877 wpa_dbg(wpa_s, MSG_DEBUG,
878 "SME: Remove previous pending sme-connect");
879 radio_remove_works(wpa_s, "sme-connect", 0);
880 }
881
882 wpas_abort_ongoing_scan(wpa_s);
883
884 cwork = os_zalloc(sizeof(*cwork));
885 if (cwork == NULL)
886 return;
887 cwork->bss = bss;
888 cwork->ssid = ssid;
889 cwork->sme = 1;
890
891 #ifdef CONFIG_SAE
892 wpa_s->sme.sae.state = SAE_NOTHING;
893 wpa_s->sme.sae.send_confirm = 0;
894 wpa_s->sme.sae_group_index = 0;
895 #endif /* CONFIG_SAE */
896
897 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1,
898 sme_auth_start_cb, cwork) < 0)
899 wpas_connect_work_free(cwork);
900 }
901
902
903 #ifdef CONFIG_SAE
904
905 static int sme_external_auth_build_buf(struct wpabuf *buf,
906 struct wpabuf *params,
907 const u8 *sa, const u8 *da,
908 u16 auth_transaction, u16 seq_num)
909 {
910 struct ieee80211_mgmt *resp;
911
912 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
913 u.auth.variable));
914
915 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
916 (WLAN_FC_STYPE_AUTH << 4));
917 os_memcpy(resp->da, da, ETH_ALEN);
918 os_memcpy(resp->sa, sa, ETH_ALEN);
919 os_memcpy(resp->bssid, da, ETH_ALEN);
920 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE);
921 resp->seq_ctrl = host_to_le16(seq_num << 4);
922 resp->u.auth.auth_transaction = host_to_le16(auth_transaction);
923 resp->u.auth.status_code = host_to_le16(WLAN_STATUS_SUCCESS);
924 if (params)
925 wpabuf_put_buf(buf, params);
926
927 return 0;
928 }
929
930
931 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s,
932 const u8 *bssid,
933 struct wpa_ssid *ssid)
934 {
935 struct wpabuf *resp, *buf;
936
937 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0);
938 if (!resp) {
939 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit");
940 return -1;
941 }
942
943 wpa_s->sme.sae.state = SAE_COMMITTED;
944 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp));
945 if (!buf) {
946 wpabuf_free(resp);
947 return -1;
948 }
949
950 wpa_s->sme.seq_num++;
951 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
952 bssid, 1, wpa_s->sme.seq_num);
953 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0);
954 wpabuf_free(resp);
955 wpabuf_free(buf);
956
957 return 0;
958 }
959
960
961 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s,
962 u16 status)
963 {
964 struct external_auth params;
965
966 os_memset(&params, 0, sizeof(params));
967 params.status = status;
968 params.ssid = wpa_s->sme.ext_auth_ssid;
969 params.ssid_len = wpa_s->sme.ext_auth_ssid_len;
970 params.bssid = wpa_s->sme.ext_auth_bssid;
971 if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS)
972 params.pmkid = wpa_s->sme.sae.pmkid;
973 wpa_drv_send_external_auth_status(wpa_s, &params);
974 }
975
976
977 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s,
978 union wpa_event_data *data)
979 {
980 struct wpa_ssid *ssid;
981 size_t ssid_str_len = data->external_auth.ssid_len;
982 const u8 *ssid_str = data->external_auth.ssid;
983
984 /* Get the SSID conf from the ssid string obtained */
985 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
986 if (!wpas_network_disabled(wpa_s, ssid) &&
987 ssid_str_len == ssid->ssid_len &&
988 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 &&
989 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)))
990 break;
991 }
992 if (!ssid ||
993 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid,
994 ssid) < 0)
995 return -1;
996
997 return 0;
998 }
999
1000
1001 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s,
1002 const u8 *da)
1003 {
1004 struct wpabuf *resp, *buf;
1005
1006 resp = sme_auth_build_sae_confirm(wpa_s, 1);
1007 if (!resp) {
1008 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure");
1009 return;
1010 }
1011
1012 wpa_s->sme.sae.state = SAE_CONFIRMED;
1013 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp));
1014 if (!buf) {
1015 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure");
1016 wpabuf_free(resp);
1017 return;
1018 }
1019 wpa_s->sme.seq_num++;
1020 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
1021 da, 2, wpa_s->sme.seq_num);
1022 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0);
1023 wpabuf_free(resp);
1024 wpabuf_free(buf);
1025 }
1026
1027
1028 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
1029 union wpa_event_data *data)
1030 {
1031 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) !=
1032 RSN_AUTH_KEY_MGMT_SAE)
1033 return;
1034
1035 if (data->external_auth.action == EXT_AUTH_START) {
1036 if (!data->external_auth.bssid || !data->external_auth.ssid)
1037 return;
1038 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid,
1039 ETH_ALEN);
1040 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid,
1041 data->external_auth.ssid_len);
1042 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len;
1043 wpa_s->sme.seq_num = 0;
1044 wpa_s->sme.sae.state = SAE_NOTHING;
1045 wpa_s->sme.sae.send_confirm = 0;
1046 wpa_s->sme.sae_group_index = 0;
1047 if (sme_handle_external_auth_start(wpa_s, data) < 0)
1048 sme_send_external_auth_status(wpa_s,
1049 WLAN_STATUS_UNSPECIFIED_FAILURE);
1050 } else if (data->external_auth.action == EXT_AUTH_ABORT) {
1051 /* Report failure to driver for the wrong trigger */
1052 sme_send_external_auth_status(wpa_s,
1053 WLAN_STATUS_UNSPECIFIED_FAILURE);
1054 }
1055 }
1056
1057
1058 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
1059 u16 status_code, const u8 *data, size_t len,
1060 int external, const u8 *sa)
1061 {
1062 int *groups;
1063
1064 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
1065 "status code %u", auth_transaction, status_code);
1066
1067 if (auth_transaction == 1 &&
1068 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1069 wpa_s->sme.sae.state == SAE_COMMITTED &&
1070 (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1071 int default_groups[] = { 19, 20, 21, 0 };
1072 u16 group;
1073
1074 groups = wpa_s->conf->sae_groups;
1075 if (!groups || groups[0] <= 0)
1076 groups = default_groups;
1077
1078 if (len < sizeof(le16)) {
1079 wpa_dbg(wpa_s, MSG_DEBUG,
1080 "SME: Too short SAE anti-clogging token request");
1081 return -1;
1082 }
1083 group = WPA_GET_LE16(data);
1084 wpa_dbg(wpa_s, MSG_DEBUG,
1085 "SME: SAE anti-clogging token requested (group %u)",
1086 group);
1087 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) !=
1088 WLAN_STATUS_SUCCESS) {
1089 wpa_dbg(wpa_s, MSG_ERROR,
1090 "SME: SAE group %u of anti-clogging request is invalid",
1091 group);
1092 return -1;
1093 }
1094 wpabuf_free(wpa_s->sme.sae_token);
1095 wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16),
1096 len - sizeof(le16));
1097 if (!external)
1098 sme_send_authentication(wpa_s, wpa_s->current_bss,
1099 wpa_s->current_ssid, 2);
1100 else
1101 sme_external_auth_send_sae_commit(
1102 wpa_s, wpa_s->sme.ext_auth_bssid,
1103 wpa_s->current_ssid);
1104 return 0;
1105 }
1106
1107 if (auth_transaction == 1 &&
1108 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1109 wpa_s->sme.sae.state == SAE_COMMITTED &&
1110 (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1111 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported");
1112 wpa_s->sme.sae_group_index++;
1113 if (sme_set_sae_group(wpa_s) < 0)
1114 return -1; /* no other groups enabled */
1115 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group");
1116 if (!external)
1117 sme_send_authentication(wpa_s, wpa_s->current_bss,
1118 wpa_s->current_ssid, 1);
1119 else
1120 sme_external_auth_send_sae_commit(
1121 wpa_s, wpa_s->sme.ext_auth_bssid,
1122 wpa_s->current_ssid);
1123 return 0;
1124 }
1125
1126 if (auth_transaction == 1 &&
1127 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1128 const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
1129
1130 wpa_msg(wpa_s, MSG_INFO,
1131 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR,
1132 MAC2STR(bssid));
1133 return -1;
1134 }
1135
1136 if (status_code != WLAN_STATUS_SUCCESS)
1137 return -1;
1138
1139 if (auth_transaction == 1) {
1140 u16 res;
1141
1142 groups = wpa_s->conf->sae_groups;
1143
1144 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit");
1145 if ((!external && wpa_s->current_bss == NULL) ||
1146 wpa_s->current_ssid == NULL)
1147 return -1;
1148 if (wpa_s->sme.sae.state != SAE_COMMITTED)
1149 return -1;
1150 if (groups && groups[0] <= 0)
1151 groups = NULL;
1152 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL,
1153 groups);
1154 if (res == SAE_SILENTLY_DISCARD) {
1155 wpa_printf(MSG_DEBUG,
1156 "SAE: Drop commit message due to reflection attack");
1157 return 0;
1158 }
1159 if (res != WLAN_STATUS_SUCCESS)
1160 return -1;
1161
1162 if (sae_process_commit(&wpa_s->sme.sae) < 0) {
1163 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer "
1164 "commit");
1165 return -1;
1166 }
1167
1168 wpabuf_free(wpa_s->sme.sae_token);
1169 wpa_s->sme.sae_token = NULL;
1170 if (!external)
1171 sme_send_authentication(wpa_s, wpa_s->current_bss,
1172 wpa_s->current_ssid, 0);
1173 else
1174 sme_external_auth_send_sae_confirm(wpa_s, sa);
1175 return 0;
1176 } else if (auth_transaction == 2) {
1177 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
1178 if (wpa_s->sme.sae.state != SAE_CONFIRMED)
1179 return -1;
1180 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0)
1181 return -1;
1182 wpa_s->sme.sae.state = SAE_ACCEPTED;
1183 sae_clear_temp_data(&wpa_s->sme.sae);
1184
1185 if (external) {
1186 /* Report success to driver */
1187 sme_send_external_auth_status(wpa_s,
1188 WLAN_STATUS_SUCCESS);
1189 }
1190
1191 return 1;
1192 }
1193
1194 return -1;
1195 }
1196
1197
1198 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid)
1199 {
1200 wpa_printf(MSG_DEBUG,
1201 "SME: SAE completed - setting PMK for 4-way handshake");
1202 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN,
1203 wpa_s->sme.sae.pmkid, bssid);
1204 if (wpa_s->conf->sae_pmkid_in_assoc) {
1205 /* Update the own RSNE contents now that we have set the PMK
1206 * and added a PMKSA cache entry based on the successfully
1207 * completed SAE exchange. In practice, this will add the PMKID
1208 * into RSNE. */
1209 if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN >
1210 sizeof(wpa_s->sme.assoc_req_ie)) {
1211 wpa_msg(wpa_s, MSG_WARNING,
1212 "RSN: Not enough room for inserting own PMKID into RSNE");
1213 return -1;
1214 }
1215 if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie,
1216 &wpa_s->sme.assoc_req_ie_len,
1217 wpa_s->sme.sae.pmkid) < 0)
1218 return -1;
1219 wpa_hexdump(MSG_DEBUG,
1220 "SME: Updated Association Request IEs",
1221 wpa_s->sme.assoc_req_ie,
1222 wpa_s->sme.assoc_req_ie_len);
1223 }
1224
1225 return 0;
1226 }
1227
1228
1229 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s,
1230 const u8 *auth_frame, size_t len)
1231 {
1232 const struct ieee80211_mgmt *header;
1233 size_t auth_length;
1234
1235 header = (const struct ieee80211_mgmt *) auth_frame;
1236 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth);
1237
1238 if (len < auth_length) {
1239 /* Notify failure to the driver */
1240 sme_send_external_auth_status(wpa_s,
1241 WLAN_STATUS_UNSPECIFIED_FAILURE);
1242 return;
1243 }
1244
1245 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) {
1246 int res;
1247
1248 res = sme_sae_auth(
1249 wpa_s, le_to_host16(header->u.auth.auth_transaction),
1250 le_to_host16(header->u.auth.status_code),
1251 header->u.auth.variable,
1252 len - auth_length, 1, header->sa);
1253 if (res < 0) {
1254 /* Notify failure to the driver */
1255 sme_send_external_auth_status(
1256 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE);
1257 return;
1258 }
1259 if (res != 1)
1260 return;
1261
1262 if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0)
1263 return;
1264 }
1265 }
1266
1267 #endif /* CONFIG_SAE */
1268
1269
1270 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
1271 {
1272 struct wpa_ssid *ssid = wpa_s->current_ssid;
1273
1274 if (ssid == NULL) {
1275 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1276 "when network is not selected");
1277 return;
1278 }
1279
1280 if (wpa_s->wpa_state != WPA_AUTHENTICATING) {
1281 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1282 "when not in authenticating state");
1283 return;
1284 }
1285
1286 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) {
1287 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with "
1288 "unexpected peer " MACSTR,
1289 MAC2STR(data->auth.peer));
1290 return;
1291 }
1292
1293 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR
1294 " auth_type=%d auth_transaction=%d status_code=%d",
1295 MAC2STR(data->auth.peer), data->auth.auth_type,
1296 data->auth.auth_transaction, data->auth.status_code);
1297 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs",
1298 data->auth.ies, data->auth.ies_len);
1299
1300 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
1301
1302 #ifdef CONFIG_SAE
1303 if (data->auth.auth_type == WLAN_AUTH_SAE) {
1304 int res;
1305 res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
1306 data->auth.status_code, data->auth.ies,
1307 data->auth.ies_len, 0, NULL);
1308 if (res < 0) {
1309 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1310 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1311
1312 }
1313 if (res != 1)
1314 return;
1315
1316 if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0)
1317 return;
1318 }
1319 #endif /* CONFIG_SAE */
1320
1321 if (data->auth.status_code != WLAN_STATUS_SUCCESS) {
1322 char *ie_txt = NULL;
1323
1324 if (data->auth.ies && data->auth.ies_len) {
1325 size_t buflen = 2 * data->auth.ies_len + 1;
1326 ie_txt = os_malloc(buflen);
1327 if (ie_txt) {
1328 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies,
1329 data->auth.ies_len);
1330 }
1331 }
1332 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
1333 " auth_type=%u auth_transaction=%u status_code=%u%s%s",
1334 MAC2STR(data->auth.peer), data->auth.auth_type,
1335 data->auth.auth_transaction, data->auth.status_code,
1336 ie_txt ? " ie=" : "",
1337 ie_txt ? ie_txt : "");
1338 os_free(ie_txt);
1339
1340 #ifdef CONFIG_FILS
1341 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS ||
1342 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS)
1343 fils_connection_failure(wpa_s);
1344 #endif /* CONFIG_FILS */
1345
1346 if (data->auth.status_code !=
1347 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG ||
1348 wpa_s->sme.auth_alg == data->auth.auth_type ||
1349 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) {
1350 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1351 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1352 return;
1353 }
1354
1355 wpas_connect_work_done(wpa_s);
1356
1357 switch (data->auth.auth_type) {
1358 case WLAN_AUTH_OPEN:
1359 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED;
1360
1361 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth");
1362 wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1363 wpa_s->current_ssid);
1364 return;
1365
1366 case WLAN_AUTH_SHARED_KEY:
1367 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP;
1368
1369 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth");
1370 wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1371 wpa_s->current_ssid);
1372 return;
1373
1374 default:
1375 return;
1376 }
1377 }
1378
1379 #ifdef CONFIG_IEEE80211R
1380 if (data->auth.auth_type == WLAN_AUTH_FT) {
1381 const u8 *ric_ies = NULL;
1382 size_t ric_ies_len = 0;
1383
1384 if (wpa_s->ric_ies) {
1385 ric_ies = wpabuf_head(wpa_s->ric_ies);
1386 ric_ies_len = wpabuf_len(wpa_s->ric_ies);
1387 }
1388 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies,
1389 data->auth.ies_len, 0,
1390 data->auth.peer,
1391 ric_ies, ric_ies_len) < 0) {
1392 wpa_dbg(wpa_s, MSG_DEBUG,
1393 "SME: FT Authentication response processing failed");
1394 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1395 MACSTR
1396 " reason=%d locally_generated=1",
1397 MAC2STR(wpa_s->pending_bssid),
1398 WLAN_REASON_DEAUTH_LEAVING);
1399 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1400 wpa_supplicant_mark_disassoc(wpa_s);
1401 return;
1402 }
1403 }
1404 #endif /* CONFIG_IEEE80211R */
1405
1406 #ifdef CONFIG_FILS
1407 if (data->auth.auth_type == WLAN_AUTH_FILS_SK ||
1408 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) {
1409 u16 expect_auth_type;
1410
1411 expect_auth_type = wpa_s->sme.auth_alg ==
1412 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS :
1413 WLAN_AUTH_FILS_SK;
1414 if (data->auth.auth_type != expect_auth_type) {
1415 wpa_dbg(wpa_s, MSG_DEBUG,
1416 "SME: FILS Authentication response used different auth alg (%u; expected %u)",
1417 data->auth.auth_type, expect_auth_type);
1418 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1419 MACSTR
1420 " reason=%d locally_generated=1",
1421 MAC2STR(wpa_s->pending_bssid),
1422 WLAN_REASON_DEAUTH_LEAVING);
1423 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1424 wpa_supplicant_mark_disassoc(wpa_s);
1425 return;
1426 }
1427
1428 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid,
1429 data->auth.ies, data->auth.ies_len) < 0) {
1430 wpa_dbg(wpa_s, MSG_DEBUG,
1431 "SME: FILS Authentication response processing failed");
1432 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1433 MACSTR
1434 " reason=%d locally_generated=1",
1435 MAC2STR(wpa_s->pending_bssid),
1436 WLAN_REASON_DEAUTH_LEAVING);
1437 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1438 wpa_supplicant_mark_disassoc(wpa_s);
1439 return;
1440 }
1441 }
1442 #endif /* CONFIG_FILS */
1443
1444 sme_associate(wpa_s, ssid->mode, data->auth.peer,
1445 data->auth.auth_type);
1446 }
1447
1448
1449 #ifdef CONFIG_IEEE80211R
1450 static void remove_ie(u8 *buf, size_t *len, u8 eid)
1451 {
1452 u8 *pos, *next, *end;
1453
1454 pos = (u8 *) get_ie(buf, *len, eid);
1455 if (pos) {
1456 next = pos + 2 + pos[1];
1457 end = buf + *len;
1458 *len -= 2 + pos[1];
1459 os_memmove(pos, next, end - next);
1460 }
1461 }
1462 #endif /* CONFIG_IEEE80211R */
1463
1464
1465 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
1466 const u8 *bssid, u16 auth_type)
1467 {
1468 struct wpa_driver_associate_params params;
1469 struct ieee802_11_elems elems;
1470 #ifdef CONFIG_FILS
1471 u8 nonces[2 * FILS_NONCE_LEN];
1472 #endif /* CONFIG_FILS */
1473 #ifdef CONFIG_HT_OVERRIDES
1474 struct ieee80211_ht_capabilities htcaps;
1475 struct ieee80211_ht_capabilities htcaps_mask;
1476 #endif /* CONFIG_HT_OVERRIDES */
1477 #ifdef CONFIG_VHT_OVERRIDES
1478 struct ieee80211_vht_capabilities vhtcaps;
1479 struct ieee80211_vht_capabilities vhtcaps_mask;
1480 #endif /* CONFIG_VHT_OVERRIDES */
1481
1482 os_memset(&params, 0, sizeof(params));
1483
1484 #ifdef CONFIG_FILS
1485 if (auth_type == WLAN_AUTH_FILS_SK ||
1486 auth_type == WLAN_AUTH_FILS_SK_PFS) {
1487 struct wpabuf *buf;
1488 const u8 *snonce, *anonce;
1489 const unsigned int max_hlp = 20;
1490 struct wpabuf *hlp[max_hlp];
1491 unsigned int i, num_hlp = 0;
1492 struct fils_hlp_req *req;
1493
1494 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req,
1495 list) {
1496 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 +
1497 wpabuf_len(req->pkt));
1498 if (!hlp[num_hlp])
1499 break;
1500 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN);
1501 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr,
1502 ETH_ALEN);
1503 wpabuf_put_data(hlp[num_hlp],
1504 "\xaa\xaa\x03\x00\x00\x00", 6);
1505 wpabuf_put_buf(hlp[num_hlp], req->pkt);
1506 num_hlp++;
1507 if (num_hlp >= max_hlp)
1508 break;
1509 }
1510
1511 buf = fils_build_assoc_req(wpa_s->wpa, &params.fils_kek,
1512 &params.fils_kek_len, &snonce,
1513 &anonce,
1514 (const struct wpabuf **) hlp,
1515 num_hlp);
1516 for (i = 0; i < num_hlp; i++)
1517 wpabuf_free(hlp[i]);
1518 if (!buf)
1519 return;
1520 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements",
1521 wpa_s->sme.assoc_req_ie,
1522 wpa_s->sme.assoc_req_ie_len);
1523 #ifdef CONFIG_IEEE80211R
1524 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) {
1525 /* Remove RSNE and MDE to allow them to be overridden
1526 * with FILS+FT specific values from
1527 * fils_build_assoc_req(). */
1528 remove_ie(wpa_s->sme.assoc_req_ie,
1529 &wpa_s->sme.assoc_req_ie_len,
1530 WLAN_EID_RSN);
1531 wpa_hexdump(MSG_DEBUG,
1532 "FILS: assoc_req after RSNE removal",
1533 wpa_s->sme.assoc_req_ie,
1534 wpa_s->sme.assoc_req_ie_len);
1535 remove_ie(wpa_s->sme.assoc_req_ie,
1536 &wpa_s->sme.assoc_req_ie_len,
1537 WLAN_EID_MOBILITY_DOMAIN);
1538 wpa_hexdump(MSG_DEBUG,
1539 "FILS: assoc_req after MDE removal",
1540 wpa_s->sme.assoc_req_ie,
1541 wpa_s->sme.assoc_req_ie_len);
1542 }
1543 #endif /* CONFIG_IEEE80211R */
1544 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */
1545 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) >
1546 sizeof(wpa_s->sme.assoc_req_ie)) {
1547 wpa_printf(MSG_ERROR,
1548 "FILS: Not enough buffer room for own AssocReq elements");
1549 wpabuf_free(buf);
1550 return;
1551 }
1552 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1553 wpabuf_head(buf), wpabuf_len(buf));
1554 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
1555 wpabuf_free(buf);
1556 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements",
1557 wpa_s->sme.assoc_req_ie,
1558 wpa_s->sme.assoc_req_ie_len);
1559
1560 os_memcpy(nonces, snonce, FILS_NONCE_LEN);
1561 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN);
1562 params.fils_nonces = nonces;
1563 params.fils_nonces_len = sizeof(nonces);
1564 }
1565 #endif /* CONFIG_FILS */
1566
1567 #ifdef CONFIG_OWE
1568 #ifdef CONFIG_TESTING_OPTIONS
1569 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len,
1570 WLAN_EID_EXT_OWE_DH_PARAM)) {
1571 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element");
1572 } else
1573 #endif /* CONFIG_TESTING_OPTIONS */
1574 if (auth_type == WLAN_AUTH_OPEN &&
1575 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
1576 struct wpabuf *owe_ie;
1577 u16 group;
1578
1579 if (wpa_s->current_ssid && wpa_s->current_ssid->owe_group) {
1580 group = wpa_s->current_ssid->owe_group;
1581 } else if (wpa_s->assoc_status_code ==
1582 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) {
1583 if (wpa_s->last_owe_group == 19)
1584 group = 20;
1585 else if (wpa_s->last_owe_group == 20)
1586 group = 21;
1587 else
1588 group = OWE_DH_GROUP;
1589 } else {
1590 group = OWE_DH_GROUP;
1591 }
1592
1593 wpa_s->last_owe_group = group;
1594 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group);
1595 owe_ie = owe_build_assoc_req(wpa_s->wpa, group);
1596 if (!owe_ie) {
1597 wpa_printf(MSG_ERROR,
1598 "OWE: Failed to build IE for Association Request frame");
1599 return;
1600 }
1601 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) >
1602 sizeof(wpa_s->sme.assoc_req_ie)) {
1603 wpa_printf(MSG_ERROR,
1604 "OWE: Not enough buffer room for own Association Request frame elements");
1605 wpabuf_free(owe_ie);
1606 return;
1607 }
1608 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1609 wpabuf_head(owe_ie), wpabuf_len(owe_ie));
1610 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie);
1611 wpabuf_free(owe_ie);
1612 }
1613 #endif /* CONFIG_OWE */
1614
1615 #ifdef CONFIG_DPP2
1616 if (wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && wpa_s->current_ssid &&
1617 wpa_s->current_ssid->dpp_netaccesskey) {
1618 struct wpa_ssid *ssid = wpa_s->current_ssid;
1619
1620 dpp_pfs_free(wpa_s->dpp_pfs);
1621 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey,
1622 ssid->dpp_netaccesskey_len);
1623 if (!wpa_s->dpp_pfs) {
1624 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS");
1625 /* Try to continue without PFS */
1626 goto pfs_fail;
1627 }
1628 if (wpa_s->sme.assoc_req_ie_len +
1629 wpabuf_len(wpa_s->dpp_pfs->ie) >
1630 sizeof(wpa_s->sme.assoc_req_ie)) {
1631 wpa_printf(MSG_ERROR,
1632 "DPP: Not enough buffer room for own Association Request frame elements");
1633 dpp_pfs_free(wpa_s->dpp_pfs);
1634 wpa_s->dpp_pfs = NULL;
1635 goto pfs_fail;
1636 }
1637 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1638 wpabuf_head(wpa_s->dpp_pfs->ie),
1639 wpabuf_len(wpa_s->dpp_pfs->ie));
1640 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie);
1641 }
1642 pfs_fail:
1643 #endif /* CONFIG_DPP2 */
1644
1645 if (wpa_s->current_ssid && wpa_s->current_ssid->multi_ap_backhaul_sta) {
1646 size_t multi_ap_ie_len;
1647
1648 multi_ap_ie_len = add_multi_ap_ie(
1649 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1650 sizeof(wpa_s->sme.assoc_req_ie) -
1651 wpa_s->sme.assoc_req_ie_len,
1652 MULTI_AP_BACKHAUL_STA);
1653 if (multi_ap_ie_len == 0) {
1654 wpa_printf(MSG_ERROR,
1655 "Multi-AP: Failed to build Multi-AP IE");
1656 return;
1657 }
1658 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len;
1659 }
1660
1661 params.bssid = bssid;
1662 params.ssid = wpa_s->sme.ssid;
1663 params.ssid_len = wpa_s->sme.ssid_len;
1664 params.freq.freq = wpa_s->sme.freq;
1665 params.bg_scan_period = wpa_s->current_ssid ?
1666 wpa_s->current_ssid->bg_scan_period : -1;
1667 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ?
1668 wpa_s->sme.assoc_req_ie : NULL;
1669 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
1670 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs",
1671 params.wpa_ie, params.wpa_ie_len);
1672 params.pairwise_suite = wpa_s->pairwise_cipher;
1673 params.group_suite = wpa_s->group_cipher;
1674 params.mgmt_group_suite = wpa_s->mgmt_group_cipher;
1675 params.key_mgmt_suite = wpa_s->key_mgmt;
1676 params.wpa_proto = wpa_s->wpa_proto;
1677 #ifdef CONFIG_HT_OVERRIDES
1678 os_memset(&htcaps, 0, sizeof(htcaps));
1679 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask));
1680 params.htcaps = (u8 *) &htcaps;
1681 params.htcaps_mask = (u8 *) &htcaps_mask;
1682 wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, &params);
1683 #endif /* CONFIG_HT_OVERRIDES */
1684 #ifdef CONFIG_VHT_OVERRIDES
1685 os_memset(&vhtcaps, 0, sizeof(vhtcaps));
1686 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask));
1687 params.vhtcaps = &vhtcaps;
1688 params.vhtcaps_mask = &vhtcaps_mask;
1689 wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, &params);
1690 #endif /* CONFIG_VHT_OVERRIDES */
1691 #ifdef CONFIG_IEEE80211R
1692 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies &&
1693 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len,
1694 WLAN_EID_RIC_DATA)) {
1695 /* There seems to be a pretty inconvenient bug in the Linux
1696 * kernel IE splitting functionality when RIC is used. For now,
1697 * skip correct behavior in IE construction here (i.e., drop the
1698 * additional non-FT-specific IEs) to avoid kernel issues. This
1699 * is fine since RIC is used only for testing purposes in the
1700 * current implementation. */
1701 wpa_printf(MSG_INFO,
1702 "SME: Linux kernel workaround - do not try to include additional IEs with RIC");
1703 params.wpa_ie = wpa_s->sme.ft_ies;
1704 params.wpa_ie_len = wpa_s->sme.ft_ies_len;
1705 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) {
1706 const u8 *rm_en, *pos, *end;
1707 size_t rm_en_len = 0;
1708 u8 *rm_en_dup = NULL, *wpos;
1709
1710 /* Remove RSNE, MDE, FTE to allow them to be overridden with
1711 * FT specific values */
1712 remove_ie(wpa_s->sme.assoc_req_ie,
1713 &wpa_s->sme.assoc_req_ie_len,
1714 WLAN_EID_RSN);
1715 remove_ie(wpa_s->sme.assoc_req_ie,
1716 &wpa_s->sme.assoc_req_ie_len,
1717 WLAN_EID_MOBILITY_DOMAIN);
1718 remove_ie(wpa_s->sme.assoc_req_ie,
1719 &wpa_s->sme.assoc_req_ie_len,
1720 WLAN_EID_FAST_BSS_TRANSITION);
1721 rm_en = get_ie(wpa_s->sme.assoc_req_ie,
1722 wpa_s->sme.assoc_req_ie_len,
1723 WLAN_EID_RRM_ENABLED_CAPABILITIES);
1724 if (rm_en) {
1725 /* Need to remove RM Enabled Capabilities element as
1726 * well temporarily, so that it can be placed between
1727 * RSNE and MDE. */
1728 rm_en_len = 2 + rm_en[1];
1729 rm_en_dup = os_memdup(rm_en, rm_en_len);
1730 remove_ie(wpa_s->sme.assoc_req_ie,
1731 &wpa_s->sme.assoc_req_ie_len,
1732 WLAN_EID_RRM_ENABLED_CAPABILITIES);
1733 }
1734 wpa_hexdump(MSG_DEBUG,
1735 "SME: Association Request IEs after FT IE removal",
1736 wpa_s->sme.assoc_req_ie,
1737 wpa_s->sme.assoc_req_ie_len);
1738 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len +
1739 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) {
1740 wpa_printf(MSG_ERROR,
1741 "SME: Not enough buffer room for FT IEs in Association Request frame");
1742 os_free(rm_en_dup);
1743 return;
1744 }
1745
1746 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len +
1747 rm_en_len,
1748 wpa_s->sme.assoc_req_ie,
1749 wpa_s->sme.assoc_req_ie_len);
1750 pos = wpa_s->sme.ft_ies;
1751 end = pos + wpa_s->sme.ft_ies_len;
1752 wpos = wpa_s->sme.assoc_req_ie;
1753 if (*pos == WLAN_EID_RSN) {
1754 os_memcpy(wpos, pos, 2 + pos[1]);
1755 wpos += 2 + pos[1];
1756 pos += 2 + pos[1];
1757 }
1758 if (rm_en_dup) {
1759 os_memcpy(wpos, rm_en_dup, rm_en_len);
1760 wpos += rm_en_len;
1761 os_free(rm_en_dup);
1762 }
1763 os_memcpy(wpos, pos, end - pos);
1764 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len +
1765 rm_en_len;
1766 params.wpa_ie = wpa_s->sme.assoc_req_ie;
1767 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
1768 wpa_hexdump(MSG_DEBUG,
1769 "SME: Association Request IEs after FT override",
1770 params.wpa_ie, params.wpa_ie_len);
1771 }
1772 #endif /* CONFIG_IEEE80211R */
1773 params.mode = mode;
1774 params.mgmt_frame_protection = wpa_s->sme.mfp;
1775 params.rrm_used = wpa_s->rrm.rrm_used;
1776 if (wpa_s->sme.prev_bssid_set)
1777 params.prev_bssid = wpa_s->sme.prev_bssid;
1778
1779 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR
1780 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
1781 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "",
1782 params.freq.freq);
1783
1784 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING);
1785
1786 if (params.wpa_ie == NULL ||
1787 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0)
1788 < 0) {
1789 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!");
1790 os_memset(&elems, 0, sizeof(elems));
1791 }
1792 if (elems.rsn_ie) {
1793 params.wpa_proto = WPA_PROTO_RSN;
1794 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2,
1795 elems.rsn_ie_len + 2);
1796 } else if (elems.wpa_ie) {
1797 params.wpa_proto = WPA_PROTO_WPA;
1798 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2,
1799 elems.wpa_ie_len + 2);
1800 } else if (elems.osen) {
1801 params.wpa_proto = WPA_PROTO_OSEN;
1802 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2,
1803 elems.osen_len + 2);
1804 } else
1805 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
1806 if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group)
1807 params.p2p = 1;
1808
1809 if (wpa_s->p2pdev->set_sta_uapsd)
1810 params.uapsd = wpa_s->p2pdev->sta_uapsd;
1811 else
1812 params.uapsd = -1;
1813
1814 if (wpa_drv_associate(wpa_s, &params) < 0) {
1815 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the "
1816 "driver failed");
1817 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1818 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1819 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
1820 return;
1821 }
1822
1823 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s,
1824 NULL);
1825
1826 #ifdef CONFIG_TESTING_OPTIONS
1827 wpabuf_free(wpa_s->last_assoc_req_wpa_ie);
1828 wpa_s->last_assoc_req_wpa_ie = NULL;
1829 if (params.wpa_ie)
1830 wpa_s->last_assoc_req_wpa_ie =
1831 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len);
1832 #endif /* CONFIG_TESTING_OPTIONS */
1833 }
1834
1835
1836 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md,
1837 const u8 *ies, size_t ies_len)
1838 {
1839 if (md == NULL || ies == NULL) {
1840 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain");
1841 os_free(wpa_s->sme.ft_ies);
1842 wpa_s->sme.ft_ies = NULL;
1843 wpa_s->sme.ft_ies_len = 0;
1844 wpa_s->sme.ft_used = 0;
1845 return 0;
1846 }
1847
1848 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
1849 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len);
1850 os_free(wpa_s->sme.ft_ies);
1851 wpa_s->sme.ft_ies = os_memdup(ies, ies_len);
1852 if (wpa_s->sme.ft_ies == NULL)
1853 return -1;
1854 wpa_s->sme.ft_ies_len = ies_len;
1855 return 0;
1856 }
1857
1858
1859 static void sme_deauth(struct wpa_supplicant *wpa_s)
1860 {
1861 int bssid_changed;
1862
1863 bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
1864
1865 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
1866 WLAN_REASON_DEAUTH_LEAVING) < 0) {
1867 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver "
1868 "failed");
1869 }
1870 wpa_s->sme.prev_bssid_set = 0;
1871
1872 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1873 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1874 os_memset(wpa_s->bssid, 0, ETH_ALEN);
1875 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
1876 if (bssid_changed)
1877 wpas_notify_bssid_changed(wpa_s);
1878 }
1879
1880
1881 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s,
1882 union wpa_event_data *data)
1883 {
1884 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: "
1885 "status code %d", MAC2STR(wpa_s->pending_bssid),
1886 data->assoc_reject.status_code);
1887
1888 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
1889
1890 #ifdef CONFIG_SAE
1891 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid &&
1892 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) {
1893 wpa_dbg(wpa_s, MSG_DEBUG,
1894 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication");
1895 wpa_sm_aborted_cached(wpa_s->wpa);
1896 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid);
1897 if (wpa_s->current_bss) {
1898 struct wpa_bss *bss = wpa_s->current_bss;
1899 struct wpa_ssid *ssid = wpa_s->current_ssid;
1900
1901 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
1902 WLAN_REASON_DEAUTH_LEAVING);
1903 wpas_connect_work_done(wpa_s);
1904 wpa_supplicant_mark_disassoc(wpa_s);
1905 wpa_supplicant_connect(wpa_s, bss, ssid);
1906 return;
1907 }
1908 }
1909 #endif /* CONFIG_SAE */
1910
1911 /*
1912 * For now, unconditionally terminate the previous authentication. In
1913 * theory, this should not be needed, but mac80211 gets quite confused
1914 * if the authentication is left pending.. Some roaming cases might
1915 * benefit from using the previous authentication, so this could be
1916 * optimized in the future.
1917 */
1918 sme_deauth(wpa_s);
1919 }
1920
1921
1922 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s,
1923 union wpa_event_data *data)
1924 {
1925 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out");
1926 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1927 wpa_supplicant_mark_disassoc(wpa_s);
1928 }
1929
1930
1931 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s,
1932 union wpa_event_data *data)
1933 {
1934 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out");
1935 wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1936 wpa_supplicant_mark_disassoc(wpa_s);
1937 }
1938
1939
1940 void sme_event_disassoc(struct wpa_supplicant *wpa_s,
1941 struct disassoc_info *info)
1942 {
1943 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received");
1944 if (wpa_s->sme.prev_bssid_set) {
1945 /*
1946 * cfg80211/mac80211 can get into somewhat confused state if
1947 * the AP only disassociates us and leaves us in authenticated
1948 * state. For now, force the state to be cleared to avoid
1949 * confusing errors if we try to associate with the AP again.
1950 */
1951 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear "
1952 "driver state");
1953 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid,
1954 WLAN_REASON_DEAUTH_LEAVING);
1955 }
1956 }
1957
1958
1959 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx)
1960 {
1961 struct wpa_supplicant *wpa_s = eloop_ctx;
1962 if (wpa_s->wpa_state == WPA_AUTHENTICATING) {
1963 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout");
1964 sme_deauth(wpa_s);
1965 }
1966 }
1967
1968
1969 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx)
1970 {
1971 struct wpa_supplicant *wpa_s = eloop_ctx;
1972 if (wpa_s->wpa_state == WPA_ASSOCIATING) {
1973 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout");
1974 sme_deauth(wpa_s);
1975 }
1976 }
1977
1978
1979 void sme_state_changed(struct wpa_supplicant *wpa_s)
1980 {
1981 /* Make sure timers are cleaned up appropriately. */
1982 if (wpa_s->wpa_state != WPA_ASSOCIATING)
1983 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
1984 if (wpa_s->wpa_state != WPA_AUTHENTICATING)
1985 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
1986 }
1987
1988
1989 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
1990 const u8 *prev_pending_bssid)
1991 {
1992 /*
1993 * mac80211-workaround to force deauth on failed auth cmd,
1994 * requires us to remain in authenticating state to allow the
1995 * second authentication attempt to be continued properly.
1996 */
1997 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication "
1998 "to proceed after disconnection event");
1999 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
2000 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN);
2001
2002 /*
2003 * Re-arm authentication timer in case auth fails for whatever reason.
2004 */
2005 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2006 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
2007 NULL);
2008 }
2009
2010
2011 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s)
2012 {
2013 wpa_s->sme.prev_bssid_set = 0;
2014 #ifdef CONFIG_SAE
2015 wpabuf_free(wpa_s->sme.sae_token);
2016 wpa_s->sme.sae_token = NULL;
2017 sae_clear_data(&wpa_s->sme.sae);
2018 #endif /* CONFIG_SAE */
2019 #ifdef CONFIG_IEEE80211R
2020 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used)
2021 sme_update_ft_ies(wpa_s, NULL, NULL, 0);
2022 #endif /* CONFIG_IEEE80211R */
2023 sme_stop_sa_query(wpa_s);
2024 }
2025
2026
2027 void sme_deinit(struct wpa_supplicant *wpa_s)
2028 {
2029 sme_clear_on_disassoc(wpa_s);
2030
2031 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2032 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2033 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2034 }
2035
2036
2037 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s,
2038 const u8 *chan_list, u8 num_channels,
2039 u8 num_intol)
2040 {
2041 struct ieee80211_2040_bss_coex_ie *bc_ie;
2042 struct ieee80211_2040_intol_chan_report *ic_report;
2043 struct wpabuf *buf;
2044
2045 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR
2046 " (num_channels=%u num_intol=%u)",
2047 MAC2STR(wpa_s->bssid), num_channels, num_intol);
2048 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels",
2049 chan_list, num_channels);
2050
2051 buf = wpabuf_alloc(2 + /* action.category + action_code */
2052 sizeof(struct ieee80211_2040_bss_coex_ie) +
2053 sizeof(struct ieee80211_2040_intol_chan_report) +
2054 num_channels);
2055 if (buf == NULL)
2056 return;
2057
2058 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC);
2059 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX);
2060
2061 bc_ie = wpabuf_put(buf, sizeof(*bc_ie));
2062 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE;
2063 bc_ie->length = 1;
2064 if (num_intol)
2065 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ;
2066
2067 if (num_channels > 0) {
2068 ic_report = wpabuf_put(buf, sizeof(*ic_report));
2069 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT;
2070 ic_report->length = num_channels + 1;
2071 ic_report->op_class = 0;
2072 os_memcpy(wpabuf_put(buf, num_channels), chan_list,
2073 num_channels);
2074 }
2075
2076 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2077 wpa_s->own_addr, wpa_s->bssid,
2078 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
2079 wpa_msg(wpa_s, MSG_INFO,
2080 "SME: Failed to send 20/40 BSS Coexistence frame");
2081 }
2082
2083 wpabuf_free(buf);
2084 }
2085
2086
2087 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s)
2088 {
2089 struct wpa_bss *bss;
2090 const u8 *ie;
2091 u16 ht_cap;
2092 u8 chan_list[P2P_MAX_CHANNELS], channel;
2093 u8 num_channels = 0, num_intol = 0, i;
2094
2095 if (!wpa_s->sme.sched_obss_scan)
2096 return 0;
2097
2098 wpa_s->sme.sched_obss_scan = 0;
2099 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED)
2100 return 1;
2101
2102 /*
2103 * Check whether AP uses regulatory triplet or channel triplet in
2104 * country info. Right now the operating class of the BSS channel
2105 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12),
2106 * based on the assumption that operating class triplet is not used in
2107 * beacon frame. If the First Channel Number/Operating Extension
2108 * Identifier octet has a positive integer value of 201 or greater,
2109 * then its operating class triplet.
2110 *
2111 * TODO: If Supported Operating Classes element is present in beacon
2112 * frame, have to lookup operating class in Annex E and fill them in
2113 * 2040 coex frame.
2114 */
2115 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY);
2116 if (ie && (ie[1] >= 6) && (ie[5] >= 201))
2117 return 1;
2118
2119 os_memset(chan_list, 0, sizeof(chan_list));
2120
2121 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
2122 /* Skip other band bss */
2123 enum hostapd_hw_mode mode;
2124 mode = ieee80211_freq_to_chan(bss->freq, &channel);
2125 if (mode != HOSTAPD_MODE_IEEE80211G &&
2126 mode != HOSTAPD_MODE_IEEE80211B)
2127 continue;
2128
2129 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP);
2130 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0;
2131 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR
2132 " freq=%u chan=%u ht_cap=0x%x",
2133 MAC2STR(bss->bssid), bss->freq, channel, ht_cap);
2134
2135 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) {
2136 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)
2137 num_intol++;
2138
2139 /* Check whether the channel is already considered */
2140 for (i = 0; i < num_channels; i++) {
2141 if (channel == chan_list[i])
2142 break;
2143 }
2144 if (i != num_channels)
2145 continue;
2146
2147 chan_list[num_channels++] = channel;
2148 }
2149 }
2150
2151 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol);
2152 return 1;
2153 }
2154
2155
2156 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s,
2157 struct wpa_driver_scan_params *params)
2158 {
2159 /* Include only affected channels */
2160 struct hostapd_hw_modes *mode;
2161 int count, i;
2162 int start, end;
2163
2164 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes,
2165 HOSTAPD_MODE_IEEE80211G);
2166 if (mode == NULL) {
2167 /* No channels supported in this band - use empty list */
2168 params->freqs = os_zalloc(sizeof(int));
2169 return;
2170 }
2171
2172 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN &&
2173 wpa_s->current_bss) {
2174 const u8 *ie;
2175
2176 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION);
2177 if (ie && ie[1] >= 2) {
2178 u8 o;
2179
2180 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
2181 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE)
2182 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE;
2183 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW)
2184 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW;
2185 }
2186 }
2187
2188 start = wpa_s->assoc_freq - 10;
2189 end = wpa_s->assoc_freq + 10;
2190 switch (wpa_s->sme.ht_sec_chan) {
2191 case HT_SEC_CHAN_UNKNOWN:
2192 /* HT40+ possible on channels 1..9 */
2193 if (wpa_s->assoc_freq <= 2452)
2194 start -= 20;
2195 /* HT40- possible on channels 5-13 */
2196 if (wpa_s->assoc_freq >= 2432)
2197 end += 20;
2198 break;
2199 case HT_SEC_CHAN_ABOVE:
2200 end += 20;
2201 break;
2202 case HT_SEC_CHAN_BELOW:
2203 start -= 20;
2204 break;
2205 }
2206 wpa_printf(MSG_DEBUG,
2207 "OBSS: assoc_freq %d possible affected range %d-%d",
2208 wpa_s->assoc_freq, start, end);
2209
2210 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
2211 if (params->freqs == NULL)
2212 return;
2213 for (count = 0, i = 0; i < mode->num_channels; i++) {
2214 int freq;
2215
2216 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
2217 continue;
2218 freq = mode->channels[i].freq;
2219 if (freq - 10 >= end || freq + 10 <= start)
2220 continue; /* not affected */
2221 params->freqs[count++] = freq;
2222 }
2223 }
2224
2225
2226 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx)
2227 {
2228 struct wpa_supplicant *wpa_s = eloop_ctx;
2229 struct wpa_driver_scan_params params;
2230
2231 if (!wpa_s->current_bss) {
2232 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request");
2233 return;
2234 }
2235
2236 os_memset(&params, 0, sizeof(params));
2237 wpa_obss_scan_freqs_list(wpa_s, &params);
2238 params.low_priority = 1;
2239 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan");
2240
2241 if (wpa_supplicant_trigger_scan(wpa_s, &params))
2242 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan");
2243 else
2244 wpa_s->sme.sched_obss_scan = 1;
2245 os_free(params.freqs);
2246
2247 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2248 sme_obss_scan_timeout, wpa_s, NULL);
2249 }
2250
2251
2252 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable)
2253 {
2254 const u8 *ie;
2255 struct wpa_bss *bss = wpa_s->current_bss;
2256 struct wpa_ssid *ssid = wpa_s->current_ssid;
2257 struct hostapd_hw_modes *hw_mode = NULL;
2258 int i;
2259
2260 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2261 wpa_s->sme.sched_obss_scan = 0;
2262 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN;
2263 if (!enable)
2264 return;
2265
2266 /*
2267 * Schedule OBSS scan if driver is using station SME in wpa_supplicant
2268 * or it expects OBSS scan to be performed by wpa_supplicant.
2269 */
2270 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
2271 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) ||
2272 ssid == NULL || ssid->mode != WPAS_MODE_INFRA)
2273 return;
2274
2275 if (!wpa_s->hw.modes)
2276 return;
2277
2278 /* only HT caps in 11g mode are relevant */
2279 for (i = 0; i < wpa_s->hw.num_modes; i++) {
2280 hw_mode = &wpa_s->hw.modes[i];
2281 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G)
2282 break;
2283 }
2284
2285 /* Driver does not support HT40 for 11g or doesn't have 11g. */
2286 if (i == wpa_s->hw.num_modes || !hw_mode ||
2287 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2288 return;
2289
2290 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500)
2291 return; /* Not associated on 2.4 GHz band */
2292
2293 /* Check whether AP supports HT40 */
2294 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP);
2295 if (!ie || ie[1] < 2 ||
2296 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2297 return; /* AP does not support HT40 */
2298
2299 ie = wpa_bss_get_ie(wpa_s->current_bss,
2300 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS);
2301 if (!ie || ie[1] < 14)
2302 return; /* AP does not request OBSS scans */
2303
2304 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6);
2305 if (wpa_s->sme.obss_scan_int < 10) {
2306 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u "
2307 "replaced with the minimum 10 sec",
2308 wpa_s->sme.obss_scan_int);
2309 wpa_s->sme.obss_scan_int = 10;
2310 }
2311 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec",
2312 wpa_s->sme.obss_scan_int);
2313 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2314 sme_obss_scan_timeout, wpa_s, NULL);
2315 }
2316
2317
2318 static const unsigned int sa_query_max_timeout = 1000;
2319 static const unsigned int sa_query_retry_timeout = 201;
2320 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */
2321
2322 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s)
2323 {
2324 u32 tu;
2325 struct os_reltime now, passed;
2326 os_get_reltime(&now);
2327 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed);
2328 tu = (passed.sec * 1000000 + passed.usec) / 1024;
2329 if (sa_query_max_timeout < tu) {
2330 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out");
2331 sme_stop_sa_query(wpa_s);
2332 wpa_supplicant_deauthenticate(
2333 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID);
2334 return 1;
2335 }
2336
2337 return 0;
2338 }
2339
2340
2341 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s,
2342 const u8 *trans_id)
2343 {
2344 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2345 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2346
2347 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to "
2348 MACSTR, MAC2STR(wpa_s->bssid));
2349 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID",
2350 trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2351 req[0] = WLAN_ACTION_SA_QUERY;
2352 req[1] = WLAN_SA_QUERY_REQUEST;
2353 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2354
2355 #ifdef CONFIG_OCV
2356 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2357 struct wpa_channel_info ci;
2358
2359 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2360 wpa_printf(MSG_WARNING,
2361 "Failed to get channel info for OCI element in SA Query Request frame");
2362 return;
2363 }
2364
2365 if (ocv_insert_extended_oci(&ci, req + req_len) < 0)
2366 return;
2367
2368 req_len += OCV_OCI_EXTENDED_LEN;
2369 }
2370 #endif /* CONFIG_OCV */
2371
2372 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2373 wpa_s->own_addr, wpa_s->bssid,
2374 req, req_len, 0) < 0)
2375 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query "
2376 "Request");
2377 }
2378
2379
2380 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx)
2381 {
2382 struct wpa_supplicant *wpa_s = eloop_ctx;
2383 unsigned int timeout, sec, usec;
2384 u8 *trans_id, *nbuf;
2385
2386 if (wpa_s->sme.sa_query_count > 0 &&
2387 sme_check_sa_query_timeout(wpa_s))
2388 return;
2389
2390 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id,
2391 wpa_s->sme.sa_query_count + 1,
2392 WLAN_SA_QUERY_TR_ID_LEN);
2393 if (nbuf == NULL) {
2394 sme_stop_sa_query(wpa_s);
2395 return;
2396 }
2397 if (wpa_s->sme.sa_query_count == 0) {
2398 /* Starting a new SA Query procedure */
2399 os_get_reltime(&wpa_s->sme.sa_query_start);
2400 }
2401 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN;
2402 wpa_s->sme.sa_query_trans_id = nbuf;
2403 wpa_s->sme.sa_query_count++;
2404
2405 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) {
2406 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID");
2407 sme_stop_sa_query(wpa_s);
2408 return;
2409 }
2410
2411 timeout = sa_query_retry_timeout;
2412 sec = ((timeout / 1000) * 1024) / 1000;
2413 usec = (timeout % 1000) * 1024;
2414 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL);
2415
2416 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d",
2417 wpa_s->sme.sa_query_count);
2418
2419 sme_send_sa_query_req(wpa_s, trans_id);
2420 }
2421
2422
2423 static void sme_start_sa_query(struct wpa_supplicant *wpa_s)
2424 {
2425 sme_sa_query_timer(wpa_s, NULL);
2426 }
2427
2428
2429 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s)
2430 {
2431 if (wpa_s->sme.sa_query_trans_id)
2432 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query");
2433 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL);
2434 os_free(wpa_s->sme.sa_query_trans_id);
2435 wpa_s->sme.sa_query_trans_id = NULL;
2436 wpa_s->sme.sa_query_count = 0;
2437 }
2438
2439
2440 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
2441 const u8 *da, u16 reason_code)
2442 {
2443 struct wpa_ssid *ssid;
2444 struct os_reltime now;
2445
2446 if (wpa_s->wpa_state != WPA_COMPLETED)
2447 return;
2448 ssid = wpa_s->current_ssid;
2449 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION)
2450 return;
2451 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2452 return;
2453 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA &&
2454 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA)
2455 return;
2456 if (wpa_s->sme.sa_query_count > 0)
2457 return;
2458
2459 os_get_reltime(&now);
2460 if (wpa_s->sme.last_unprot_disconnect.sec &&
2461 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10))
2462 return; /* limit SA Query procedure frequency */
2463 wpa_s->sme.last_unprot_disconnect = now;
2464
2465 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - "
2466 "possible AP/STA state mismatch - trigger SA Query");
2467 sme_start_sa_query(wpa_s);
2468 }
2469
2470
2471 void sme_event_ch_switch(struct wpa_supplicant *wpa_s)
2472 {
2473 unsigned int usec;
2474 u32 _rand;
2475
2476 if (wpa_s->wpa_state != WPA_COMPLETED ||
2477 !wpa_sm_ocv_enabled(wpa_s->wpa))
2478 return;
2479
2480 wpa_dbg(wpa_s, MSG_DEBUG,
2481 "SME: Channel switch completed - trigger new SA Query to verify new operating channel");
2482 sme_stop_sa_query(wpa_s);
2483
2484 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
2485 _rand = os_random();
2486 usec = _rand % (sa_query_ch_switch_max_delay + 1);
2487 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL);
2488 }
2489
2490
2491 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s,
2492 const u8 *sa, const u8 *data,
2493 size_t len)
2494 {
2495 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2496 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2497
2498 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to "
2499 MACSTR, MAC2STR(wpa_s->bssid));
2500
2501 resp[0] = WLAN_ACTION_SA_QUERY;
2502 resp[1] = WLAN_SA_QUERY_RESPONSE;
2503 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN);
2504
2505 #ifdef CONFIG_OCV
2506 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2507 struct wpa_channel_info ci;
2508
2509 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2510 wpa_printf(MSG_WARNING,
2511 "Failed to get channel info for OCI element in SA Query Response frame");
2512 return;
2513 }
2514
2515 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0)
2516 return;
2517
2518 resp_len += OCV_OCI_EXTENDED_LEN;
2519 }
2520 #endif /* CONFIG_OCV */
2521
2522 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2523 wpa_s->own_addr, wpa_s->bssid,
2524 resp, resp_len, 0) < 0)
2525 wpa_msg(wpa_s, MSG_INFO,
2526 "SME: Failed to send SA Query Response");
2527 }
2528
2529
2530 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
2531 const u8 *sa, const u8 *data,
2532 size_t len)
2533 {
2534 int i;
2535
2536 if (!wpa_s->sme.sa_query_trans_id)
2537 return;
2538
2539 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from "
2540 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2541
2542 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2543 return;
2544
2545 for (i = 0; i < wpa_s->sme.sa_query_count; i++) {
2546 if (os_memcmp(wpa_s->sme.sa_query_trans_id +
2547 i * WLAN_SA_QUERY_TR_ID_LEN,
2548 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0)
2549 break;
2550 }
2551
2552 if (i >= wpa_s->sme.sa_query_count) {
2553 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query "
2554 "transaction identifier found");
2555 return;
2556 }
2557
2558 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received "
2559 "from " MACSTR, MAC2STR(sa));
2560 sme_stop_sa_query(wpa_s);
2561 }
2562
2563
2564 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa,
2565 const u8 *data, size_t len)
2566 {
2567 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
2568 return;
2569
2570 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
2571 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2572
2573 #ifdef CONFIG_OCV
2574 if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2575 struct ieee802_11_elems elems;
2576 struct wpa_channel_info ci;
2577
2578 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN,
2579 len - 1 - WLAN_SA_QUERY_TR_ID_LEN,
2580 &elems, 1) == ParseFailed) {
2581 wpa_printf(MSG_DEBUG,
2582 "SA Query: Failed to parse elements");
2583 return;
2584 }
2585
2586 if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2587 wpa_printf(MSG_WARNING,
2588 "Failed to get channel info to validate received OCI in SA Query Action frame");
2589 return;
2590 }
2591
2592 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
2593 channel_width_to_int(ci.chanwidth),
2594 ci.seg1_idx) != 0) {
2595 wpa_printf(MSG_WARNING, "%s", ocv_errorstr);
2596 return;
2597 }
2598 }
2599 #endif /* CONFIG_OCV */
2600
2601 if (data[0] == WLAN_SA_QUERY_REQUEST)
2602 sme_process_sa_query_request(wpa_s, sa, data, len);
2603 else if (data[0] == WLAN_SA_QUERY_RESPONSE)
2604 sme_process_sa_query_response(wpa_s, sa, data, len);
2605 }
Unnamed repository; edit this file 'description' to name the repository.