3 * Copyright (c) 2011-2013, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "common/ieee802_11_defs.h"
13 #include "common/ieee802_11_common.h"
14 #include "common/wpa_ctrl.h"
15 #include "common/ocv.h"
16 #include "rsn_supp/wpa.h"
18 #include "wpa_supplicant_i.h"
21 #include "ctrl_iface.h"
24 #include "hs20_supplicant.h"
26 #define MAX_TFS_IE_LEN 1024
27 #define WNM_MAX_NEIGHBOR_REPORT 10
29 #define WNM_SCAN_RESULT_AGE 2 /* 2 seconds */
31 /* get the TFS IE from driver */
32 static int ieee80211_11_get_tfs_ie(struct wpa_supplicant
*wpa_s
, u8
*buf
,
33 u16
*buf_len
, enum wnm_oper oper
)
35 wpa_printf(MSG_DEBUG
, "%s: TFS get operation %d", __func__
, oper
);
37 return wpa_drv_wnm_oper(wpa_s
, oper
, wpa_s
->bssid
, buf
, buf_len
);
41 /* set the TFS IE to driver */
42 static int ieee80211_11_set_tfs_ie(struct wpa_supplicant
*wpa_s
,
43 const u8
*addr
, const u8
*buf
, u16 buf_len
,
48 wpa_printf(MSG_DEBUG
, "%s: TFS set operation %d", __func__
, oper
);
50 return wpa_drv_wnm_oper(wpa_s
, oper
, addr
, (u8
*) buf
, &len
);
54 /* MLME-SLEEPMODE.request */
55 int ieee802_11_send_wnmsleep_req(struct wpa_supplicant
*wpa_s
,
56 u8 action
, u16 intval
, struct wpabuf
*tfs_req
)
58 struct ieee80211_mgmt
*mgmt
;
61 struct wnm_sleep_element
*wnmsleep_ie
;
62 u8
*wnmtfs_ie
, *oci_ie
;
63 u8 wnmsleep_ie_len
, oci_ie_len
;
64 u16 wnmtfs_ie_len
; /* possibly multiple IE(s) */
65 enum wnm_oper tfs_oper
= action
== 0 ? WNM_SLEEP_TFS_REQ_IE_ADD
:
66 WNM_SLEEP_TFS_REQ_IE_NONE
;
68 wpa_printf(MSG_DEBUG
, "WNM: Request to send WNM-Sleep Mode Request "
69 "action=%s to " MACSTR
,
70 action
== 0 ? "enter" : "exit",
71 MAC2STR(wpa_s
->bssid
));
73 /* WNM-Sleep Mode IE */
74 wnmsleep_ie_len
= sizeof(struct wnm_sleep_element
);
75 wnmsleep_ie
= os_zalloc(sizeof(struct wnm_sleep_element
));
76 if (wnmsleep_ie
== NULL
)
78 wnmsleep_ie
->eid
= WLAN_EID_WNMSLEEP
;
79 wnmsleep_ie
->len
= wnmsleep_ie_len
- 2;
80 wnmsleep_ie
->action_type
= action
;
81 wnmsleep_ie
->status
= WNM_STATUS_SLEEP_ACCEPT
;
82 wnmsleep_ie
->intval
= host_to_le16(intval
);
83 wpa_hexdump(MSG_DEBUG
, "WNM: WNM-Sleep Mode element",
84 (u8
*) wnmsleep_ie
, wnmsleep_ie_len
);
88 wnmtfs_ie_len
= wpabuf_len(tfs_req
);
89 wnmtfs_ie
= os_memdup(wpabuf_head(tfs_req
), wnmtfs_ie_len
);
90 if (wnmtfs_ie
== NULL
) {
95 wnmtfs_ie
= os_zalloc(MAX_TFS_IE_LEN
);
96 if (wnmtfs_ie
== NULL
) {
100 if (ieee80211_11_get_tfs_ie(wpa_s
, wnmtfs_ie
, &wnmtfs_ie_len
,
107 wpa_hexdump(MSG_DEBUG
, "WNM: TFS Request element",
108 (u8
*) wnmtfs_ie
, wnmtfs_ie_len
);
113 if (action
== WNM_SLEEP_MODE_EXIT
&& wpa_sm_ocv_enabled(wpa_s
->wpa
)) {
114 struct wpa_channel_info ci
;
116 if (wpa_drv_channel_info(wpa_s
, &ci
) != 0) {
117 wpa_printf(MSG_WARNING
,
118 "Failed to get channel info for OCI element in WNM-Sleep Mode frame");
119 os_free(wnmsleep_ie
);
124 oci_ie_len
= OCV_OCI_EXTENDED_LEN
;
125 oci_ie
= os_zalloc(oci_ie_len
);
127 wpa_printf(MSG_WARNING
,
128 "Failed to allocate buffer for for OCI element in WNM-Sleep Mode frame");
129 os_free(wnmsleep_ie
);
134 if (ocv_insert_extended_oci(&ci
, oci_ie
) < 0) {
135 os_free(wnmsleep_ie
);
141 #endif /* CONFIG_OCV */
143 mgmt
= os_zalloc(sizeof(*mgmt
) + wnmsleep_ie_len
+ wnmtfs_ie_len
+
146 wpa_printf(MSG_DEBUG
, "MLME: Failed to allocate buffer for "
147 "WNM-Sleep Request action frame");
148 os_free(wnmsleep_ie
);
153 os_memcpy(mgmt
->da
, wpa_s
->bssid
, ETH_ALEN
);
154 os_memcpy(mgmt
->sa
, wpa_s
->own_addr
, ETH_ALEN
);
155 os_memcpy(mgmt
->bssid
, wpa_s
->bssid
, ETH_ALEN
);
156 mgmt
->frame_control
= IEEE80211_FC(WLAN_FC_TYPE_MGMT
,
157 WLAN_FC_STYPE_ACTION
);
158 mgmt
->u
.action
.category
= WLAN_ACTION_WNM
;
159 mgmt
->u
.action
.u
.wnm_sleep_req
.action
= WNM_SLEEP_MODE_REQ
;
160 mgmt
->u
.action
.u
.wnm_sleep_req
.dialogtoken
= 1;
161 os_memcpy(mgmt
->u
.action
.u
.wnm_sleep_req
.variable
, wnmsleep_ie
,
163 /* copy TFS IE here */
164 if (wnmtfs_ie_len
> 0) {
165 os_memcpy(mgmt
->u
.action
.u
.wnm_sleep_req
.variable
+
166 wnmsleep_ie_len
, wnmtfs_ie
, wnmtfs_ie_len
);
170 /* copy OCV OCI here */
171 if (oci_ie_len
> 0) {
172 os_memcpy(mgmt
->u
.action
.u
.wnm_sleep_req
.variable
+
173 wnmsleep_ie_len
+ wnmtfs_ie_len
, oci_ie
, oci_ie_len
);
175 #endif /* CONFIG_OCV */
177 len
= 1 + sizeof(mgmt
->u
.action
.u
.wnm_sleep_req
) + wnmsleep_ie_len
+
178 wnmtfs_ie_len
+ oci_ie_len
;
180 res
= wpa_drv_send_action(wpa_s
, wpa_s
->assoc_freq
, 0, wpa_s
->bssid
,
181 wpa_s
->own_addr
, wpa_s
->bssid
,
182 &mgmt
->u
.action
.category
, len
, 0);
184 wpa_printf(MSG_DEBUG
, "Failed to send WNM-Sleep Request "
185 "(action=%d, intval=%d)", action
, intval
);
187 wpa_s
->wnmsleep_used
= 1;
189 os_free(wnmsleep_ie
);
198 static void wnm_sleep_mode_enter_success(struct wpa_supplicant
*wpa_s
,
199 const u8
*tfsresp_ie_start
,
200 const u8
*tfsresp_ie_end
)
202 wpa_drv_wnm_oper(wpa_s
, WNM_SLEEP_ENTER_CONFIRM
,
203 wpa_s
->bssid
, NULL
, NULL
);
204 /* remove GTK/IGTK ?? */
206 /* set the TFS Resp IE(s) */
207 if (tfsresp_ie_start
&& tfsresp_ie_end
&&
208 tfsresp_ie_end
- tfsresp_ie_start
>= 0) {
210 tfsresp_ie_len
= (tfsresp_ie_end
+ tfsresp_ie_end
[1] + 2) -
212 wpa_printf(MSG_DEBUG
, "TFS Resp IE(s) found");
213 /* pass the TFS Resp IE(s) to driver for processing */
214 if (ieee80211_11_set_tfs_ie(wpa_s
, wpa_s
->bssid
,
217 WNM_SLEEP_TFS_RESP_IE_SET
))
218 wpa_printf(MSG_DEBUG
, "WNM: Fail to set TFS Resp IE");
223 static void wnm_sleep_mode_exit_success(struct wpa_supplicant
*wpa_s
,
224 const u8
*frm
, u16 key_len_total
)
229 wpa_drv_wnm_oper(wpa_s
, WNM_SLEEP_EXIT_CONFIRM
, wpa_s
->bssid
,
232 /* Install GTK/IGTK */
234 /* point to key data field */
235 ptr
= (u8
*) frm
+ 1 + 2;
236 end
= ptr
+ key_len_total
;
237 wpa_hexdump_key(MSG_DEBUG
, "WNM: Key Data", ptr
, key_len_total
);
239 if (key_len_total
&& !wpa_sm_pmf_enabled(wpa_s
->wpa
)) {
240 wpa_msg(wpa_s
, MSG_INFO
,
241 "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
245 while (end
- ptr
> 1) {
246 if (2 + ptr
[1] > end
- ptr
) {
247 wpa_printf(MSG_DEBUG
, "WNM: Invalid Key Data element "
250 wpa_hexdump(MSG_DEBUG
, "WNM: Remaining data",
255 if (*ptr
== WNM_SLEEP_SUBELEM_GTK
) {
256 if (ptr
[1] < 11 + 5) {
257 wpa_printf(MSG_DEBUG
, "WNM: Too short GTK "
261 gtk_len
= *(ptr
+ 4);
262 if (ptr
[1] < 11 + gtk_len
||
263 gtk_len
< 5 || gtk_len
> 32) {
264 wpa_printf(MSG_DEBUG
, "WNM: Invalid GTK "
268 wpa_wnmsleep_install_key(
270 WNM_SLEEP_SUBELEM_GTK
,
273 #ifdef CONFIG_IEEE80211W
274 } else if (*ptr
== WNM_SLEEP_SUBELEM_IGTK
) {
275 if (ptr
[1] < 2 + 6 + WPA_IGTK_LEN
) {
276 wpa_printf(MSG_DEBUG
, "WNM: Too short IGTK "
280 wpa_wnmsleep_install_key(wpa_s
->wpa
,
281 WNM_SLEEP_SUBELEM_IGTK
, ptr
);
282 ptr
+= 10 + WPA_IGTK_LEN
;
283 #endif /* CONFIG_IEEE80211W */
285 break; /* skip the loop */
290 static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant
*wpa_s
,
291 const u8
*frm
, int len
)
294 * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
295 * WNM-Sleep Mode IE | TFS Response IE
297 const u8
*pos
= frm
; /* point to payload after the action field */
299 struct wnm_sleep_element
*wnmsleep_ie
= NULL
;
300 /* multiple TFS Resp IE (assuming consecutive) */
301 const u8
*tfsresp_ie_start
= NULL
;
302 const u8
*tfsresp_ie_end
= NULL
;
304 const u8
*oci_ie
= NULL
;
306 #endif /* CONFIG_OCV */
309 if (!wpa_s
->wnmsleep_used
) {
310 wpa_printf(MSG_DEBUG
,
311 "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
317 key_len_total
= WPA_GET_LE16(frm
+ 1);
319 wpa_printf(MSG_DEBUG
, "WNM-Sleep Mode Response token=%u key_len_total=%d",
320 frm
[0], key_len_total
);
322 if (key_len_total
> left
) {
323 wpa_printf(MSG_INFO
, "WNM: Too short frame for Key Data field");
326 pos
+= 3 + key_len_total
;
327 while (pos
- frm
+ 1 < len
) {
328 u8 ie_len
= *(pos
+ 1);
329 if (2 + ie_len
> frm
+ len
- pos
) {
330 wpa_printf(MSG_INFO
, "WNM: Invalid IE len %u", ie_len
);
333 wpa_hexdump(MSG_DEBUG
, "WNM: Element", pos
, 2 + ie_len
);
334 if (*pos
== WLAN_EID_WNMSLEEP
&& ie_len
>= 4)
335 wnmsleep_ie
= (struct wnm_sleep_element
*) pos
;
336 else if (*pos
== WLAN_EID_TFS_RESP
) {
337 if (!tfsresp_ie_start
)
338 tfsresp_ie_start
= pos
;
339 tfsresp_ie_end
= pos
;
341 } else if (*pos
== WLAN_EID_EXTENSION
&& ie_len
>= 1 &&
342 pos
[2] == WLAN_EID_EXT_OCV_OCI
) {
344 oci_ie_len
= ie_len
- 1;
345 #endif /* CONFIG_OCV */
347 wpa_printf(MSG_DEBUG
, "EID %d not recognized", *pos
);
352 wpa_printf(MSG_DEBUG
, "No WNM-Sleep IE found");
357 if (wnmsleep_ie
->action_type
== WNM_SLEEP_MODE_EXIT
&&
358 wpa_sm_ocv_enabled(wpa_s
->wpa
)) {
359 struct wpa_channel_info ci
;
361 if (wpa_drv_channel_info(wpa_s
, &ci
) != 0) {
362 wpa_msg(wpa_s
, MSG_WARNING
,
363 "Failed to get channel info to validate received OCI in WNM-Sleep Mode frame");
367 if (ocv_verify_tx_params(oci_ie
, oci_ie_len
, &ci
,
368 channel_width_to_int(ci
.chanwidth
),
370 wpa_msg(wpa_s
, MSG_WARNING
, "WNM: %s", ocv_errorstr
);
374 #endif /* CONFIG_OCV */
376 wpa_s
->wnmsleep_used
= 0;
378 if (wnmsleep_ie
->status
== WNM_STATUS_SLEEP_ACCEPT
||
379 wnmsleep_ie
->status
== WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE
) {
380 wpa_printf(MSG_DEBUG
, "Successfully recv WNM-Sleep Response "
381 "frame (action=%d, intval=%d)",
382 wnmsleep_ie
->action_type
, wnmsleep_ie
->intval
);
383 if (wnmsleep_ie
->action_type
== WNM_SLEEP_MODE_ENTER
) {
384 wnm_sleep_mode_enter_success(wpa_s
, tfsresp_ie_start
,
386 } else if (wnmsleep_ie
->action_type
== WNM_SLEEP_MODE_EXIT
) {
387 wnm_sleep_mode_exit_success(wpa_s
, frm
, key_len_total
);
390 wpa_printf(MSG_DEBUG
, "Reject recv WNM-Sleep Response frame "
391 "(action=%d, intval=%d)",
392 wnmsleep_ie
->action_type
, wnmsleep_ie
->intval
);
393 if (wnmsleep_ie
->action_type
== WNM_SLEEP_MODE_ENTER
)
394 wpa_drv_wnm_oper(wpa_s
, WNM_SLEEP_ENTER_FAIL
,
395 wpa_s
->bssid
, NULL
, NULL
);
396 else if (wnmsleep_ie
->action_type
== WNM_SLEEP_MODE_EXIT
)
397 wpa_drv_wnm_oper(wpa_s
, WNM_SLEEP_EXIT_FAIL
,
398 wpa_s
->bssid
, NULL
, NULL
);
403 void wnm_deallocate_memory(struct wpa_supplicant
*wpa_s
)
407 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
408 os_free(wpa_s
->wnm_neighbor_report_elements
[i
].meas_pilot
);
409 os_free(wpa_s
->wnm_neighbor_report_elements
[i
].mul_bssid
);
412 wpa_s
->wnm_num_neighbor_report
= 0;
413 os_free(wpa_s
->wnm_neighbor_report_elements
);
414 wpa_s
->wnm_neighbor_report_elements
= NULL
;
416 wpabuf_free(wpa_s
->coloc_intf_elems
);
417 wpa_s
->coloc_intf_elems
= NULL
;
421 static void wnm_parse_neighbor_report_elem(struct neighbor_report
*rep
,
422 u8 id
, u8 elen
, const u8
*pos
)
425 case WNM_NEIGHBOR_TSF
:
427 wpa_printf(MSG_DEBUG
, "WNM: Too short TSF");
430 rep
->tsf_offset
= WPA_GET_LE16(pos
);
431 rep
->beacon_int
= WPA_GET_LE16(pos
+ 2);
432 rep
->tsf_present
= 1;
434 case WNM_NEIGHBOR_CONDENSED_COUNTRY_STRING
:
436 wpa_printf(MSG_DEBUG
, "WNM: Too short condensed "
440 os_memcpy(rep
->country
, pos
, 2);
441 rep
->country_present
= 1;
443 case WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE
:
445 wpa_printf(MSG_DEBUG
, "WNM: Too short BSS transition "
449 rep
->preference
= pos
[0];
450 rep
->preference_present
= 1;
452 case WNM_NEIGHBOR_BSS_TERMINATION_DURATION
:
453 rep
->bss_term_tsf
= WPA_GET_LE64(pos
);
454 rep
->bss_term_dur
= WPA_GET_LE16(pos
+ 8);
455 rep
->bss_term_present
= 1;
457 case WNM_NEIGHBOR_BEARING
:
459 wpa_printf(MSG_DEBUG
, "WNM: Too short neighbor "
463 rep
->bearing
= WPA_GET_LE16(pos
);
464 rep
->distance
= WPA_GET_LE32(pos
+ 2);
465 rep
->rel_height
= WPA_GET_LE16(pos
+ 2 + 4);
466 rep
->bearing_present
= 1;
468 case WNM_NEIGHBOR_MEASUREMENT_PILOT
:
470 wpa_printf(MSG_DEBUG
, "WNM: Too short measurement "
474 os_free(rep
->meas_pilot
);
475 rep
->meas_pilot
= os_zalloc(sizeof(struct measurement_pilot
));
476 if (rep
->meas_pilot
== NULL
)
478 rep
->meas_pilot
->measurement_pilot
= pos
[0];
479 rep
->meas_pilot
->subelem_len
= elen
- 1;
480 os_memcpy(rep
->meas_pilot
->subelems
, pos
+ 1, elen
- 1);
482 case WNM_NEIGHBOR_RRM_ENABLED_CAPABILITIES
:
484 wpa_printf(MSG_DEBUG
, "WNM: Too short RRM enabled "
488 os_memcpy(rep
->rm_capab
, pos
, 5);
489 rep
->rm_capab_present
= 1;
491 case WNM_NEIGHBOR_MULTIPLE_BSSID
:
493 wpa_printf(MSG_DEBUG
, "WNM: Too short multiple BSSID");
496 os_free(rep
->mul_bssid
);
497 rep
->mul_bssid
= os_zalloc(sizeof(struct multiple_bssid
));
498 if (rep
->mul_bssid
== NULL
)
500 rep
->mul_bssid
->max_bssid_indicator
= pos
[0];
501 rep
->mul_bssid
->subelem_len
= elen
- 1;
502 os_memcpy(rep
->mul_bssid
->subelems
, pos
+ 1, elen
- 1);
508 static int wnm_nei_get_chan(struct wpa_supplicant
*wpa_s
, u8 op_class
, u8 chan
)
510 struct wpa_bss
*bss
= wpa_s
->current_bss
;
511 const char *country
= NULL
;
515 const u8
*elem
= wpa_bss_get_ie(bss
, WLAN_EID_COUNTRY
);
517 if (elem
&& elem
[1] >= 2)
518 country
= (const char *) (elem
+ 2);
521 freq
= ieee80211_chan_to_freq(country
, op_class
, chan
);
522 if (freq
<= 0 && op_class
== 0) {
524 * Some APs do not advertise correct operating class
525 * information. Try to determine the most likely operating
526 * frequency based on the channel number.
528 if (chan
>= 1 && chan
<= 13)
529 freq
= 2407 + chan
* 5;
532 else if (chan
>= 36 && chan
<= 169)
533 freq
= 5000 + chan
* 5;
539 static void wnm_parse_neighbor_report(struct wpa_supplicant
*wpa_s
,
540 const u8
*pos
, u8 len
,
541 struct neighbor_report
*rep
)
546 wpa_printf(MSG_DEBUG
, "WNM: Too short neighbor report");
550 os_memcpy(rep
->bssid
, pos
, ETH_ALEN
);
551 rep
->bssid_info
= WPA_GET_LE32(pos
+ ETH_ALEN
);
552 rep
->regulatory_class
= *(pos
+ 10);
553 rep
->channel_number
= *(pos
+ 11);
554 rep
->phy_type
= *(pos
+ 12);
564 wpa_printf(MSG_DEBUG
, "WNM: Subelement id=%u len=%u", id
, elen
);
567 wpa_printf(MSG_DEBUG
,
568 "WNM: Truncated neighbor report subelement");
571 wnm_parse_neighbor_report_elem(rep
, id
, elen
, pos
);
576 rep
->freq
= wnm_nei_get_chan(wpa_s
, rep
->regulatory_class
,
577 rep
->channel_number
);
581 static void wnm_clear_acceptable(struct wpa_supplicant
*wpa_s
)
585 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++)
586 wpa_s
->wnm_neighbor_report_elements
[i
].acceptable
= 0;
590 static struct wpa_bss
* get_first_acceptable(struct wpa_supplicant
*wpa_s
)
593 struct neighbor_report
*nei
;
595 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
596 nei
= &wpa_s
->wnm_neighbor_report_elements
[i
];
598 return wpa_bss_get_bssid(wpa_s
, nei
->bssid
);
606 static struct wpa_bss
*
607 get_mbo_transition_candidate(struct wpa_supplicant
*wpa_s
,
608 enum mbo_transition_reject_reason
*reason
)
610 struct wpa_bss
*target
= NULL
;
611 struct wpa_bss_trans_info params
;
612 struct wpa_bss_candidate_info
*info
= NULL
;
613 struct neighbor_report
*nei
= wpa_s
->wnm_neighbor_report_elements
;
614 u8
*first_candidate_bssid
= NULL
, *pos
;
617 params
.mbo_transition_reason
= wpa_s
->wnm_mbo_transition_reason
;
618 params
.n_candidates
= 0;
619 params
.bssid
= os_calloc(wpa_s
->wnm_num_neighbor_report
, ETH_ALEN
);
624 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; nei
++, i
++) {
626 first_candidate_bssid
= nei
->bssid
;
627 if (!nei
->acceptable
)
629 os_memcpy(pos
, nei
->bssid
, ETH_ALEN
);
631 params
.n_candidates
++;
634 if (!params
.n_candidates
)
637 info
= wpa_drv_get_bss_trans_status(wpa_s
, ¶ms
);
639 /* If failed to get candidate BSS transition status from driver,
640 * get the first acceptable candidate from wpa_supplicant.
642 target
= wpa_bss_get_bssid(wpa_s
, params
.bssid
);
646 /* Get the first acceptable candidate from driver */
647 for (i
= 0; i
< info
->num
; i
++) {
648 if (info
->candidates
[i
].is_accept
) {
649 target
= wpa_bss_get_bssid(wpa_s
,
650 info
->candidates
[i
].bssid
);
655 /* If Disassociation Imminent is set and driver rejects all the
656 * candidate select first acceptable candidate which has
657 * rssi > disassoc_imminent_rssi_threshold
659 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_DISASSOC_IMMINENT
) {
660 for (i
= 0; i
< info
->num
; i
++) {
661 target
= wpa_bss_get_bssid(wpa_s
,
662 info
->candidates
[i
].bssid
);
665 wpa_s
->conf
->disassoc_imminent_rssi_threshold
))
671 /* While sending BTM reject use reason code of the first candidate
672 * received in BTM request frame
675 for (i
= 0; i
< info
->num
; i
++) {
676 if (first_candidate_bssid
&&
677 os_memcmp(first_candidate_bssid
,
678 info
->candidates
[i
].bssid
, ETH_ALEN
) == 0)
680 *reason
= info
->candidates
[i
].reject_reason
;
689 os_free(params
.bssid
);
691 os_free(info
->candidates
);
696 #endif /* CONFIG_MBO */
699 static struct wpa_bss
*
700 compare_scan_neighbor_results(struct wpa_supplicant
*wpa_s
, os_time_t age_secs
,
701 enum mbo_transition_reject_reason
*reason
)
704 struct wpa_bss
*bss
= wpa_s
->current_bss
;
705 struct wpa_bss
*target
;
710 wpa_printf(MSG_DEBUG
, "WNM: Current BSS " MACSTR
" RSSI %d",
711 MAC2STR(wpa_s
->bssid
), bss
->level
);
713 wnm_clear_acceptable(wpa_s
);
715 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
716 struct neighbor_report
*nei
;
718 nei
= &wpa_s
->wnm_neighbor_report_elements
[i
];
719 if (nei
->preference_present
&& nei
->preference
== 0) {
720 wpa_printf(MSG_DEBUG
, "Skip excluded BSS " MACSTR
,
721 MAC2STR(nei
->bssid
));
725 target
= wpa_bss_get_bssid(wpa_s
, nei
->bssid
);
727 wpa_printf(MSG_DEBUG
, "Candidate BSS " MACSTR
728 " (pref %d) not found in scan results",
730 nei
->preference_present
? nei
->preference
:
736 struct os_reltime now
;
738 if (os_get_reltime(&now
) == 0 &&
739 os_reltime_expired(&now
, &target
->last_update
,
741 wpa_printf(MSG_DEBUG
,
742 "Candidate BSS is more than %ld seconds old",
748 if (bss
->ssid_len
!= target
->ssid_len
||
749 os_memcmp(bss
->ssid
, target
->ssid
, bss
->ssid_len
) != 0) {
751 * TODO: Could consider allowing transition to another
752 * ESS if PMF was enabled for the association.
754 wpa_printf(MSG_DEBUG
, "Candidate BSS " MACSTR
755 " (pref %d) in different ESS",
757 nei
->preference_present
? nei
->preference
:
762 if (wpa_s
->current_ssid
&&
763 !wpa_scan_res_match(wpa_s
, 0, target
, wpa_s
->current_ssid
,
765 wpa_printf(MSG_DEBUG
, "Candidate BSS " MACSTR
766 " (pref %d) does not match the current network profile",
768 nei
->preference_present
? nei
->preference
:
773 if (wpa_is_bss_tmp_disallowed(wpa_s
, target
)) {
774 wpa_printf(MSG_DEBUG
,
775 "MBO: Candidate BSS " MACSTR
776 " retry delay is not over yet",
777 MAC2STR(nei
->bssid
));
781 if (target
->level
< bss
->level
&& target
->level
< -80) {
782 wpa_printf(MSG_DEBUG
, "Candidate BSS " MACSTR
783 " (pref %d) does not have sufficient signal level (%d)",
785 nei
->preference_present
? nei
->preference
:
795 if (wpa_s
->wnm_mbo_trans_reason_present
)
796 target
= get_mbo_transition_candidate(wpa_s
, reason
);
798 target
= get_first_acceptable(wpa_s
);
799 #else /* CONFIG_MBO */
800 target
= get_first_acceptable(wpa_s
);
801 #endif /* CONFIG_MBO */
804 wpa_printf(MSG_DEBUG
,
805 "WNM: Found an acceptable preferred transition candidate BSS "
807 MAC2STR(target
->bssid
), target
->level
);
814 static int wpa_bss_ies_eq(struct wpa_bss
*a
, struct wpa_bss
*b
, u8 eid
)
816 const u8
*ie_a
, *ie_b
;
821 ie_a
= wpa_bss_get_ie(a
, eid
);
822 ie_b
= wpa_bss_get_ie(b
, eid
);
824 if (!ie_a
|| !ie_b
|| ie_a
[1] != ie_b
[1])
827 return os_memcmp(ie_a
, ie_b
, ie_a
[1]) == 0;
831 static u32
wnm_get_bss_info(struct wpa_supplicant
*wpa_s
, struct wpa_bss
*bss
)
835 info
|= NEI_REP_BSSID_INFO_AP_UNKNOWN_REACH
;
838 * Leave the security and key scope bits unset to indicate that the
839 * security information is not available.
842 if (bss
->caps
& WLAN_CAPABILITY_SPECTRUM_MGMT
)
843 info
|= NEI_REP_BSSID_INFO_SPECTRUM_MGMT
;
844 if (bss
->caps
& WLAN_CAPABILITY_QOS
)
845 info
|= NEI_REP_BSSID_INFO_QOS
;
846 if (bss
->caps
& WLAN_CAPABILITY_APSD
)
847 info
|= NEI_REP_BSSID_INFO_APSD
;
848 if (bss
->caps
& WLAN_CAPABILITY_RADIO_MEASUREMENT
)
849 info
|= NEI_REP_BSSID_INFO_RM
;
850 if (bss
->caps
& WLAN_CAPABILITY_DELAYED_BLOCK_ACK
)
851 info
|= NEI_REP_BSSID_INFO_DELAYED_BA
;
852 if (bss
->caps
& WLAN_CAPABILITY_IMM_BLOCK_ACK
)
853 info
|= NEI_REP_BSSID_INFO_IMM_BA
;
854 if (wpa_bss_ies_eq(bss
, wpa_s
->current_bss
, WLAN_EID_MOBILITY_DOMAIN
))
855 info
|= NEI_REP_BSSID_INFO_MOBILITY_DOMAIN
;
856 if (wpa_bss_ies_eq(bss
, wpa_s
->current_bss
, WLAN_EID_HT_CAP
))
857 info
|= NEI_REP_BSSID_INFO_HT
;
863 static int wnm_add_nei_rep(struct wpabuf
**buf
, const u8
*bssid
,
864 u32 bss_info
, u8 op_class
, u8 chan
, u8 phy_type
,
867 if (wpabuf_len(*buf
) + 18 >
868 IEEE80211_MAX_MMPDU_SIZE
- IEEE80211_HDRLEN
) {
869 wpa_printf(MSG_DEBUG
,
870 "WNM: No room in frame for Neighbor Report element");
874 if (wpabuf_resize(buf
, 18) < 0) {
875 wpa_printf(MSG_DEBUG
,
876 "WNM: Failed to allocate memory for Neighbor Report element");
880 wpabuf_put_u8(*buf
, WLAN_EID_NEIGHBOR_REPORT
);
881 /* length: 13 for basic neighbor report + 3 for preference subelement */
882 wpabuf_put_u8(*buf
, 16);
883 wpabuf_put_data(*buf
, bssid
, ETH_ALEN
);
884 wpabuf_put_le32(*buf
, bss_info
);
885 wpabuf_put_u8(*buf
, op_class
);
886 wpabuf_put_u8(*buf
, chan
);
887 wpabuf_put_u8(*buf
, phy_type
);
888 wpabuf_put_u8(*buf
, WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE
);
889 wpabuf_put_u8(*buf
, 1);
890 wpabuf_put_u8(*buf
, pref
);
895 static int wnm_nei_rep_add_bss(struct wpa_supplicant
*wpa_s
,
896 struct wpa_bss
*bss
, struct wpabuf
**buf
,
901 int sec_chan
= 0, vht
= 0;
902 enum phy_type phy_type
;
904 struct ieee80211_ht_operation
*ht_oper
= NULL
;
905 struct ieee80211_vht_operation
*vht_oper
= NULL
;
907 ie
= wpa_bss_get_ie(bss
, WLAN_EID_HT_OPERATION
);
908 if (ie
&& ie
[1] >= 2) {
909 ht_oper
= (struct ieee80211_ht_operation
*) (ie
+ 2);
911 if (ht_oper
->ht_param
& HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE
)
913 else if (ht_oper
->ht_param
&
914 HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW
)
918 ie
= wpa_bss_get_ie(bss
, WLAN_EID_VHT_OPERATION
);
919 if (ie
&& ie
[1] >= 1) {
920 vht_oper
= (struct ieee80211_vht_operation
*) (ie
+ 2);
922 if (vht_oper
->vht_op_info_chwidth
== VHT_CHANWIDTH_80MHZ
||
923 vht_oper
->vht_op_info_chwidth
== VHT_CHANWIDTH_160MHZ
||
924 vht_oper
->vht_op_info_chwidth
== VHT_CHANWIDTH_80P80MHZ
)
925 vht
= vht_oper
->vht_op_info_chwidth
;
928 if (ieee80211_freq_to_channel_ext(bss
->freq
, sec_chan
, vht
, &op_class
,
929 &chan
) == NUM_HOSTAPD_MODES
) {
930 wpa_printf(MSG_DEBUG
,
931 "WNM: Cannot determine operating class and channel");
935 phy_type
= ieee80211_get_phy_type(bss
->freq
, (ht_oper
!= NULL
),
937 if (phy_type
== PHY_TYPE_UNSPECIFIED
) {
938 wpa_printf(MSG_DEBUG
,
939 "WNM: Cannot determine BSS phy type for Neighbor Report");
943 info
= wnm_get_bss_info(wpa_s
, bss
);
945 return wnm_add_nei_rep(buf
, bss
->bssid
, info
, op_class
, chan
, phy_type
,
950 static void wnm_add_cand_list(struct wpa_supplicant
*wpa_s
, struct wpabuf
**buf
)
952 unsigned int i
, pref
= 255;
953 struct os_reltime now
;
954 struct wpa_ssid
*ssid
= wpa_s
->current_ssid
;
960 * TODO: Define when scan results are no longer valid for the candidate
963 os_get_reltime(&now
);
964 if (os_reltime_expired(&now
, &wpa_s
->last_scan
, 10))
967 wpa_printf(MSG_DEBUG
,
968 "WNM: Add candidate list to BSS Transition Management Response frame");
969 for (i
= 0; i
< wpa_s
->last_scan_res_used
&& pref
; i
++) {
970 struct wpa_bss
*bss
= wpa_s
->last_scan_res
[i
];
973 if (wpa_scan_res_match(wpa_s
, i
, bss
, ssid
, 1, 0)) {
974 res
= wnm_nei_rep_add_bss(wpa_s
, bss
, buf
, pref
--);
976 continue; /* could not build entry for BSS */
978 break; /* no more room for candidates */
984 wpa_hexdump_buf(MSG_DEBUG
,
985 "WNM: BSS Transition Management Response candidate list",
990 #define BTM_RESP_MIN_SIZE 5 + ETH_ALEN
992 static void wnm_send_bss_transition_mgmt_resp(
993 struct wpa_supplicant
*wpa_s
, u8 dialog_token
,
994 enum bss_trans_mgmt_status_code status
,
995 enum mbo_transition_reject_reason reason
,
996 u8 delay
, const u8
*target_bssid
)
1001 wpa_printf(MSG_DEBUG
,
1002 "WNM: Send BSS Transition Management Response to " MACSTR
1003 " dialog_token=%u status=%u reason=%u delay=%d",
1004 MAC2STR(wpa_s
->bssid
), dialog_token
, status
, reason
, delay
);
1005 if (!wpa_s
->current_bss
) {
1006 wpa_printf(MSG_DEBUG
,
1007 "WNM: Current BSS not known - drop response");
1011 buf
= wpabuf_alloc(BTM_RESP_MIN_SIZE
);
1013 wpa_printf(MSG_DEBUG
,
1014 "WNM: Failed to allocate memory for BTM response");
1018 wpabuf_put_u8(buf
, WLAN_ACTION_WNM
);
1019 wpabuf_put_u8(buf
, WNM_BSS_TRANS_MGMT_RESP
);
1020 wpabuf_put_u8(buf
, dialog_token
);
1021 wpabuf_put_u8(buf
, status
);
1022 wpabuf_put_u8(buf
, delay
);
1024 wpabuf_put_data(buf
, target_bssid
, ETH_ALEN
);
1025 } else if (status
== WNM_BSS_TM_ACCEPT
) {
1027 * P802.11-REVmc clarifies that the Target BSSID field is always
1028 * present when status code is zero, so use a fake value here if
1029 * no BSSID is yet known.
1031 wpabuf_put_data(buf
, "\0\0\0\0\0\0", ETH_ALEN
);
1034 if (status
== WNM_BSS_TM_ACCEPT
)
1035 wnm_add_cand_list(wpa_s
, &buf
);
1038 if (status
!= WNM_BSS_TM_ACCEPT
&&
1039 wpa_bss_get_vendor_ie(wpa_s
->current_bss
, MBO_IE_VENDOR_TYPE
)) {
1043 ret
= wpas_mbo_ie_bss_trans_reject(wpa_s
, mbo
, sizeof(mbo
),
1046 if (wpabuf_resize(&buf
, ret
) < 0) {
1048 wpa_printf(MSG_DEBUG
,
1049 "WNM: Failed to allocate memory for MBO IE");
1053 wpabuf_put_data(buf
, mbo
, ret
);
1056 #endif /* CONFIG_MBO */
1058 res
= wpa_drv_send_action(wpa_s
, wpa_s
->assoc_freq
, 0, wpa_s
->bssid
,
1059 wpa_s
->own_addr
, wpa_s
->bssid
,
1060 wpabuf_head_u8(buf
), wpabuf_len(buf
), 0);
1062 wpa_printf(MSG_DEBUG
,
1063 "WNM: Failed to send BSS Transition Management Response");
1070 static void wnm_bss_tm_connect(struct wpa_supplicant
*wpa_s
,
1071 struct wpa_bss
*bss
, struct wpa_ssid
*ssid
,
1074 wpa_dbg(wpa_s
, MSG_DEBUG
,
1075 "WNM: Transition to BSS " MACSTR
1076 " based on BSS Transition Management Request (old BSSID "
1077 MACSTR
" after_new_scan=%d)",
1078 MAC2STR(bss
->bssid
), MAC2STR(wpa_s
->bssid
), after_new_scan
);
1080 /* Send the BSS Management Response - Accept */
1081 if (wpa_s
->wnm_reply
) {
1082 wpa_s
->wnm_reply
= 0;
1083 wpa_printf(MSG_DEBUG
,
1084 "WNM: Sending successful BSS Transition Management Response");
1085 wnm_send_bss_transition_mgmt_resp(
1086 wpa_s
, wpa_s
->wnm_dialog_token
, WNM_BSS_TM_ACCEPT
,
1087 MBO_TRANSITION_REJECT_REASON_UNSPECIFIED
, 0,
1091 if (bss
== wpa_s
->current_bss
) {
1092 wpa_printf(MSG_DEBUG
,
1093 "WNM: Already associated with the preferred candidate");
1094 wnm_deallocate_memory(wpa_s
);
1098 wpa_s
->reassociate
= 1;
1099 wpa_printf(MSG_DEBUG
, "WNM: Issuing connect");
1100 wpa_supplicant_connect(wpa_s
, bss
, ssid
);
1101 wnm_deallocate_memory(wpa_s
);
1105 int wnm_scan_process(struct wpa_supplicant
*wpa_s
, int reply_on_fail
)
1107 struct wpa_bss
*bss
;
1108 struct wpa_ssid
*ssid
= wpa_s
->current_ssid
;
1109 enum bss_trans_mgmt_status_code status
= WNM_BSS_TM_REJECT_UNSPECIFIED
;
1110 enum mbo_transition_reject_reason reason
=
1111 MBO_TRANSITION_REJECT_REASON_UNSPECIFIED
;
1113 if (!wpa_s
->wnm_neighbor_report_elements
)
1116 wpa_dbg(wpa_s
, MSG_DEBUG
,
1117 "WNM: Process scan results for BSS Transition Management");
1118 if (os_reltime_before(&wpa_s
->wnm_cand_valid_until
,
1119 &wpa_s
->scan_trigger_time
)) {
1120 wpa_printf(MSG_DEBUG
, "WNM: Previously stored BSS transition candidate list is not valid anymore - drop it");
1121 wnm_deallocate_memory(wpa_s
);
1125 if (!wpa_s
->current_bss
||
1126 os_memcmp(wpa_s
->wnm_cand_from_bss
, wpa_s
->current_bss
->bssid
,
1128 wpa_printf(MSG_DEBUG
, "WNM: Stored BSS transition candidate list not from the current BSS - ignore it");
1132 /* Compare the Neighbor Report and scan results */
1133 bss
= compare_scan_neighbor_results(wpa_s
, 0, &reason
);
1135 wpa_printf(MSG_DEBUG
, "WNM: No BSS transition candidate match found");
1136 status
= WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES
;
1137 goto send_bss_resp_fail
;
1140 /* Associate to the network */
1141 wnm_bss_tm_connect(wpa_s
, bss
, ssid
, 1);
1148 /* Send reject response for all the failures */
1150 if (wpa_s
->wnm_reply
) {
1151 wpa_s
->wnm_reply
= 0;
1152 wnm_send_bss_transition_mgmt_resp(wpa_s
,
1153 wpa_s
->wnm_dialog_token
,
1154 status
, reason
, 0, NULL
);
1156 wnm_deallocate_memory(wpa_s
);
1162 static int cand_pref_compar(const void *a
, const void *b
)
1164 const struct neighbor_report
*aa
= a
;
1165 const struct neighbor_report
*bb
= b
;
1167 if (!aa
->preference_present
&& !bb
->preference_present
)
1169 if (!aa
->preference_present
)
1171 if (!bb
->preference_present
)
1173 if (bb
->preference
> aa
->preference
)
1175 if (bb
->preference
< aa
->preference
)
1181 static void wnm_sort_cand_list(struct wpa_supplicant
*wpa_s
)
1183 if (!wpa_s
->wnm_neighbor_report_elements
)
1185 qsort(wpa_s
->wnm_neighbor_report_elements
,
1186 wpa_s
->wnm_num_neighbor_report
, sizeof(struct neighbor_report
),
1191 static void wnm_dump_cand_list(struct wpa_supplicant
*wpa_s
)
1195 wpa_printf(MSG_DEBUG
, "WNM: BSS Transition Candidate List");
1196 if (!wpa_s
->wnm_neighbor_report_elements
)
1198 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
1199 struct neighbor_report
*nei
;
1201 nei
= &wpa_s
->wnm_neighbor_report_elements
[i
];
1202 wpa_printf(MSG_DEBUG
, "%u: " MACSTR
1203 " info=0x%x op_class=%u chan=%u phy=%u pref=%d freq=%d",
1204 i
, MAC2STR(nei
->bssid
), nei
->bssid_info
,
1205 nei
->regulatory_class
,
1206 nei
->channel_number
, nei
->phy_type
,
1207 nei
->preference_present
? nei
->preference
: -1,
1213 static int chan_supported(struct wpa_supplicant
*wpa_s
, int freq
)
1217 for (i
= 0; i
< wpa_s
->hw
.num_modes
; i
++) {
1218 struct hostapd_hw_modes
*mode
= &wpa_s
->hw
.modes
[i
];
1221 for (j
= 0; j
< mode
->num_channels
; j
++) {
1222 struct hostapd_channel_data
*chan
;
1224 chan
= &mode
->channels
[j
];
1225 if (chan
->freq
== freq
&&
1226 !(chan
->flag
& HOSTAPD_CHAN_DISABLED
))
1235 static void wnm_set_scan_freqs(struct wpa_supplicant
*wpa_s
)
1241 if (!wpa_s
->wnm_neighbor_report_elements
)
1244 if (wpa_s
->hw
.modes
== NULL
)
1247 os_free(wpa_s
->next_scan_freqs
);
1248 wpa_s
->next_scan_freqs
= NULL
;
1250 freqs
= os_calloc(wpa_s
->wnm_num_neighbor_report
+ 1, sizeof(int));
1254 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
1255 struct neighbor_report
*nei
;
1257 nei
= &wpa_s
->wnm_neighbor_report_elements
[i
];
1258 if (nei
->freq
<= 0) {
1259 wpa_printf(MSG_DEBUG
,
1260 "WNM: Unknown neighbor operating frequency for "
1261 MACSTR
" - scan all channels",
1262 MAC2STR(nei
->bssid
));
1266 if (chan_supported(wpa_s
, nei
->freq
))
1267 add_freq(freqs
, &num_freqs
, nei
->freq
);
1270 if (num_freqs
== 0) {
1275 wpa_printf(MSG_DEBUG
,
1276 "WNM: Scan %d frequencies based on transition candidate list",
1278 wpa_s
->next_scan_freqs
= freqs
;
1282 static int wnm_fetch_scan_results(struct wpa_supplicant
*wpa_s
)
1284 struct wpa_scan_results
*scan_res
;
1285 struct wpa_bss
*bss
;
1286 struct wpa_ssid
*ssid
= wpa_s
->current_ssid
;
1290 wpa_dbg(wpa_s
, MSG_DEBUG
,
1291 "WNM: Fetch current scan results from the driver for checking transition candidates");
1292 scan_res
= wpa_drv_get_scan_results2(wpa_s
);
1294 wpa_dbg(wpa_s
, MSG_DEBUG
, "WNM: Failed to get scan results");
1298 if (scan_res
->fetch_time
.sec
== 0)
1299 os_get_reltime(&scan_res
->fetch_time
);
1301 filter_scan_res(wpa_s
, scan_res
);
1303 for (i
= 0; i
< wpa_s
->wnm_num_neighbor_report
; i
++) {
1304 struct neighbor_report
*nei
;
1306 nei
= &wpa_s
->wnm_neighbor_report_elements
[i
];
1307 if (nei
->preference_present
&& nei
->preference
== 0)
1310 for (j
= 0; j
< scan_res
->num
; j
++) {
1311 struct wpa_scan_res
*res
;
1314 res
= scan_res
->res
[j
];
1315 if (os_memcmp(nei
->bssid
, res
->bssid
, ETH_ALEN
) != 0 ||
1316 res
->age
> WNM_SCAN_RESULT_AGE
* 1000)
1318 bss
= wpa_s
->current_bss
;
1319 ssid_ie
= wpa_scan_get_ie(res
, WLAN_EID_SSID
);
1320 if (bss
&& ssid_ie
&&
1321 (bss
->ssid_len
!= ssid_ie
[1] ||
1322 os_memcmp(bss
->ssid
, ssid_ie
+ 2,
1323 bss
->ssid_len
) != 0))
1326 /* Potential candidate found */
1329 scan_est_throughput(wpa_s
, res
);
1330 wpa_bss_update_scan_res(wpa_s
, res
,
1331 &scan_res
->fetch_time
);
1335 wpa_scan_results_free(scan_res
);
1337 wpa_dbg(wpa_s
, MSG_DEBUG
,
1338 "WNM: No transition candidate matches existing scan results");
1342 bss
= compare_scan_neighbor_results(wpa_s
, WNM_SCAN_RESULT_AGE
, NULL
);
1344 wpa_dbg(wpa_s
, MSG_DEBUG
,
1345 "WNM: Comparison of scan results against transition candidates did not find matches");
1349 /* Associate to the network */
1350 wnm_bss_tm_connect(wpa_s
, bss
, ssid
, 0);
1355 static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant
*wpa_s
,
1356 const u8
*pos
, const u8
*end
,
1359 unsigned int beacon_int
;
1363 #endif /* CONFIG_MBO */
1369 wpa_s
->wnm_mbo_trans_reason_present
= 0;
1370 wpa_s
->wnm_mbo_transition_reason
= 0;
1371 #endif /* CONFIG_MBO */
1373 if (wpa_s
->current_bss
)
1374 beacon_int
= wpa_s
->current_bss
->beacon_int
;
1376 beacon_int
= 100; /* best guess */
1378 wpa_s
->wnm_dialog_token
= pos
[0];
1379 wpa_s
->wnm_mode
= pos
[1];
1380 wpa_s
->wnm_dissoc_timer
= WPA_GET_LE16(pos
+ 2);
1382 wpa_s
->wnm_reply
= reply
;
1384 wpa_printf(MSG_DEBUG
, "WNM: BSS Transition Management Request: "
1385 "dialog_token=%u request_mode=0x%x "
1386 "disassoc_timer=%u validity_interval=%u",
1387 wpa_s
->wnm_dialog_token
, wpa_s
->wnm_mode
,
1388 wpa_s
->wnm_dissoc_timer
, valid_int
);
1390 #if defined(CONFIG_MBO) && defined(CONFIG_TESTING_OPTIONS)
1391 if (wpa_s
->reject_btm_req_reason
) {
1392 wpa_printf(MSG_INFO
,
1393 "WNM: Testing - reject BSS Transition Management Request: reject_btm_req_reason=%d",
1394 wpa_s
->reject_btm_req_reason
);
1395 wnm_send_bss_transition_mgmt_resp(
1396 wpa_s
, wpa_s
->wnm_dialog_token
,
1397 wpa_s
->reject_btm_req_reason
,
1398 MBO_TRANSITION_REJECT_REASON_UNSPECIFIED
, 0, NULL
);
1401 #endif /* CONFIG_MBO && CONFIG_TESTING_OPTIONS */
1405 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_BSS_TERMINATION_INCLUDED
) {
1406 if (end
- pos
< 12) {
1407 wpa_printf(MSG_DEBUG
, "WNM: Too short BSS TM Request");
1410 os_memcpy(wpa_s
->wnm_bss_termination_duration
, pos
, 12);
1411 pos
+= 12; /* BSS Termination Duration */
1414 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT
) {
1417 if (end
- pos
< 1 || 1 + pos
[0] > end
- pos
) {
1418 wpa_printf(MSG_DEBUG
, "WNM: Invalid BSS Transition "
1419 "Management Request (URL)");
1422 os_memcpy(url
, pos
+ 1, pos
[0]);
1426 wpa_msg(wpa_s
, MSG_INFO
, ESS_DISASSOC_IMMINENT
"%d %u %s",
1427 wpa_sm_pmf_enabled(wpa_s
->wpa
),
1428 wpa_s
->wnm_dissoc_timer
* beacon_int
* 128 / 125, url
);
1431 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_DISASSOC_IMMINENT
) {
1432 wpa_msg(wpa_s
, MSG_INFO
, "WNM: Disassociation Imminent - "
1433 "Disassociation Timer %u", wpa_s
->wnm_dissoc_timer
);
1434 if (wpa_s
->wnm_dissoc_timer
&& !wpa_s
->scanning
) {
1435 /* TODO: mark current BSS less preferred for
1437 wpa_printf(MSG_DEBUG
, "Trying to find another BSS");
1438 wpa_supplicant_req_scan(wpa_s
, 0, 0);
1443 vendor
= get_ie(pos
, end
- pos
, WLAN_EID_VENDOR_SPECIFIC
);
1445 wpas_mbo_ie_trans_req(wpa_s
, vendor
+ 2, vendor
[1]);
1446 #endif /* CONFIG_MBO */
1448 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_PREF_CAND_LIST_INCLUDED
) {
1449 unsigned int valid_ms
;
1451 wpa_msg(wpa_s
, MSG_INFO
, "WNM: Preferred List Available");
1452 wnm_deallocate_memory(wpa_s
);
1453 wpa_s
->wnm_neighbor_report_elements
= os_calloc(
1454 WNM_MAX_NEIGHBOR_REPORT
,
1455 sizeof(struct neighbor_report
));
1456 if (wpa_s
->wnm_neighbor_report_elements
== NULL
)
1459 while (end
- pos
>= 2 &&
1460 wpa_s
->wnm_num_neighbor_report
< WNM_MAX_NEIGHBOR_REPORT
)
1465 wpa_printf(MSG_DEBUG
, "WNM: Neighbor report tag %u",
1467 if (len
> end
- pos
) {
1468 wpa_printf(MSG_DEBUG
, "WNM: Truncated request");
1471 if (tag
== WLAN_EID_NEIGHBOR_REPORT
) {
1472 struct neighbor_report
*rep
;
1473 rep
= &wpa_s
->wnm_neighbor_report_elements
[
1474 wpa_s
->wnm_num_neighbor_report
];
1475 wnm_parse_neighbor_report(wpa_s
, pos
, len
, rep
);
1476 wpa_s
->wnm_num_neighbor_report
++;
1478 if (wpa_s
->wnm_mbo_trans_reason_present
&&
1479 wpa_s
->wnm_num_neighbor_report
== 1) {
1481 wpa_printf(MSG_DEBUG
,
1482 "WNM: First transition candidate is "
1483 MACSTR
, MAC2STR(rep
->bssid
));
1485 #endif /* CONFIG_MBO */
1491 if (!wpa_s
->wnm_num_neighbor_report
) {
1492 wpa_printf(MSG_DEBUG
,
1493 "WNM: Candidate list included bit is set, but no candidates found");
1494 wnm_send_bss_transition_mgmt_resp(
1495 wpa_s
, wpa_s
->wnm_dialog_token
,
1496 WNM_BSS_TM_REJECT_NO_SUITABLE_CANDIDATES
,
1497 MBO_TRANSITION_REJECT_REASON_UNSPECIFIED
, 0,
1502 wnm_sort_cand_list(wpa_s
);
1503 wnm_dump_cand_list(wpa_s
);
1504 valid_ms
= valid_int
* beacon_int
* 128 / 125;
1505 wpa_printf(MSG_DEBUG
, "WNM: Candidate list valid for %u ms",
1507 os_get_reltime(&wpa_s
->wnm_cand_valid_until
);
1508 wpa_s
->wnm_cand_valid_until
.sec
+= valid_ms
/ 1000;
1509 wpa_s
->wnm_cand_valid_until
.usec
+= (valid_ms
% 1000) * 1000;
1510 wpa_s
->wnm_cand_valid_until
.sec
+=
1511 wpa_s
->wnm_cand_valid_until
.usec
/ 1000000;
1512 wpa_s
->wnm_cand_valid_until
.usec
%= 1000000;
1513 os_memcpy(wpa_s
->wnm_cand_from_bss
, wpa_s
->bssid
, ETH_ALEN
);
1516 * Fetch the latest scan results from the kernel and check for
1517 * candidates based on those results first. This can help in
1518 * finding more up-to-date information should the driver has
1519 * done some internal scanning operations after the last scan
1520 * result update in wpa_supplicant.
1522 if (wnm_fetch_scan_results(wpa_s
) > 0)
1526 * Try to use previously received scan results, if they are
1527 * recent enough to use for a connection.
1529 if (wpa_s
->last_scan_res_used
> 0) {
1530 struct os_reltime now
;
1532 os_get_reltime(&now
);
1533 if (!os_reltime_expired(&now
, &wpa_s
->last_scan
, 10)) {
1534 wpa_printf(MSG_DEBUG
,
1535 "WNM: Try to use recent scan results");
1536 if (wnm_scan_process(wpa_s
, 0) > 0)
1538 wpa_printf(MSG_DEBUG
,
1539 "WNM: No match in previous scan results - try a new scan");
1543 wnm_set_scan_freqs(wpa_s
);
1544 if (wpa_s
->wnm_num_neighbor_report
== 1) {
1545 os_memcpy(wpa_s
->next_scan_bssid
,
1546 wpa_s
->wnm_neighbor_report_elements
[0].bssid
,
1548 wpa_printf(MSG_DEBUG
,
1549 "WNM: Scan only for a specific BSSID since there is only a single candidate "
1550 MACSTR
, MAC2STR(wpa_s
->next_scan_bssid
));
1552 wpa_supplicant_req_scan(wpa_s
, 0, 0);
1554 enum bss_trans_mgmt_status_code status
;
1555 if (wpa_s
->wnm_mode
& WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT
)
1556 status
= WNM_BSS_TM_ACCEPT
;
1558 wpa_msg(wpa_s
, MSG_INFO
, "WNM: BSS Transition Management Request did not include candidates");
1559 status
= WNM_BSS_TM_REJECT_UNSPECIFIED
;
1561 wnm_send_bss_transition_mgmt_resp(
1562 wpa_s
, wpa_s
->wnm_dialog_token
, status
,
1563 MBO_TRANSITION_REJECT_REASON_UNSPECIFIED
, 0, NULL
);
1568 #define BTM_QUERY_MIN_SIZE 4
1570 int wnm_send_bss_transition_mgmt_query(struct wpa_supplicant
*wpa_s
,
1572 const char *btm_candidates
,
1578 wpa_printf(MSG_DEBUG
, "WNM: Send BSS Transition Management Query to "
1579 MACSTR
" query_reason=%u%s",
1580 MAC2STR(wpa_s
->bssid
), query_reason
,
1581 cand_list
? " candidate list" : "");
1583 buf
= wpabuf_alloc(BTM_QUERY_MIN_SIZE
);
1587 wpabuf_put_u8(buf
, WLAN_ACTION_WNM
);
1588 wpabuf_put_u8(buf
, WNM_BSS_TRANS_MGMT_QUERY
);
1589 wpabuf_put_u8(buf
, 1);
1590 wpabuf_put_u8(buf
, query_reason
);
1593 wnm_add_cand_list(wpa_s
, &buf
);
1595 if (btm_candidates
) {
1596 const size_t max_len
= 1000;
1598 ret
= wpabuf_resize(&buf
, max_len
);
1604 ret
= ieee802_11_parse_candidate_list(btm_candidates
,
1612 wpabuf_put(buf
, ret
);
1615 ret
= wpa_drv_send_action(wpa_s
, wpa_s
->assoc_freq
, 0, wpa_s
->bssid
,
1616 wpa_s
->own_addr
, wpa_s
->bssid
,
1617 wpabuf_head_u8(buf
), wpabuf_len(buf
), 0);
1624 static void ieee802_11_rx_wnm_notif_req_wfa(struct wpa_supplicant
*wpa_s
,
1625 const u8
*sa
, const u8
*data
,
1628 const u8
*pos
, *end
, *next
;
1634 while (end
- pos
> 1) {
1637 wpa_printf(MSG_DEBUG
, "WNM: WFA subelement %u len %u",
1639 if (ie_len
> end
- pos
) {
1640 wpa_printf(MSG_DEBUG
, "WNM: Not enough room for "
1644 next
= pos
+ ie_len
;
1649 wpa_printf(MSG_DEBUG
, "WNM: Subelement OUI %06x type %u",
1650 WPA_GET_BE24(pos
), pos
[3]);
1653 if (ie
== WLAN_EID_VENDOR_SPECIFIC
&& ie_len
>= 5 &&
1654 WPA_GET_BE24(pos
) == OUI_WFA
&&
1655 pos
[3] == HS20_WNM_SUB_REM_NEEDED
) {
1656 /* Subscription Remediation subelement */
1662 wpa_printf(MSG_DEBUG
, "WNM: Subscription Remediation "
1664 ie_end
= pos
+ ie_len
;
1668 wpa_printf(MSG_DEBUG
, "WNM: No Server URL included");
1672 if (url_len
+ 1 > ie_end
- pos
) {
1673 wpa_printf(MSG_DEBUG
, "WNM: Not enough room for Server URL (len=%u) and Server Method (left %d)",
1675 (int) (ie_end
- pos
));
1678 url
= os_malloc(url_len
+ 1);
1681 os_memcpy(url
, pos
, url_len
);
1682 url
[url_len
] = '\0';
1683 osu_method
= pos
[url_len
];
1685 hs20_rx_subscription_remediation(wpa_s
, url
,
1692 if (ie
== WLAN_EID_VENDOR_SPECIFIC
&& ie_len
>= 8 &&
1693 WPA_GET_BE24(pos
) == OUI_WFA
&&
1694 pos
[3] == HS20_WNM_DEAUTH_IMMINENT_NOTICE
) {
1701 ie_end
= pos
+ ie_len
;
1704 reauth_delay
= WPA_GET_LE16(pos
);
1707 wpa_printf(MSG_DEBUG
, "WNM: HS 2.0 Deauthentication "
1708 "Imminent - Reason Code %u "
1709 "Re-Auth Delay %u URL Length %u",
1710 code
, reauth_delay
, url_len
);
1711 if (url_len
> ie_end
- pos
)
1713 url
= os_malloc(url_len
+ 1);
1716 os_memcpy(url
, pos
, url_len
);
1717 url
[url_len
] = '\0';
1718 hs20_rx_deauth_imminent_notice(wpa_s
, code
,
1725 if (ie
== WLAN_EID_VENDOR_SPECIFIC
&& ie_len
>= 5 &&
1726 WPA_GET_BE24(pos
) == OUI_WFA
&&
1727 pos
[3] == HS20_WNM_T_C_ACCEPTANCE
) {
1732 ie_end
= pos
+ ie_len
;
1735 wpa_printf(MSG_DEBUG
,
1736 "WNM: HS 2.0 Terms and Conditions Acceptance (URL Length %u)",
1738 if (url_len
> ie_end
- pos
)
1740 url
= os_malloc(url_len
+ 1);
1743 os_memcpy(url
, pos
, url_len
);
1744 url
[url_len
] = '\0';
1745 hs20_rx_t_c_acceptance(wpa_s
, url
);
1750 #endif /* CONFIG_HS20 */
1757 static void ieee802_11_rx_wnm_notif_req(struct wpa_supplicant
*wpa_s
,
1758 const u8
*sa
, const u8
*frm
, int len
)
1760 const u8
*pos
, *end
;
1761 u8 dialog_token
, type
;
1763 /* Dialog Token [1] | Type [1] | Subelements */
1765 if (len
< 2 || sa
== NULL
)
1769 dialog_token
= *pos
++;
1772 wpa_dbg(wpa_s
, MSG_DEBUG
, "WNM: Received WNM-Notification Request "
1773 "(dialog_token %u type %u sa " MACSTR
")",
1774 dialog_token
, type
, MAC2STR(sa
));
1775 wpa_hexdump(MSG_DEBUG
, "WNM-Notification Request subelements",
1778 if (wpa_s
->wpa_state
!= WPA_COMPLETED
||
1779 os_memcmp(sa
, wpa_s
->bssid
, ETH_ALEN
) != 0) {
1780 wpa_dbg(wpa_s
, MSG_DEBUG
, "WNM: WNM-Notification frame not "
1781 "from our AP - ignore it");
1787 ieee802_11_rx_wnm_notif_req_wfa(wpa_s
, sa
, pos
, end
- pos
);
1790 wpa_dbg(wpa_s
, MSG_DEBUG
, "WNM: Ignore unknown "
1791 "WNM-Notification type %u", type
);
1797 static void ieee802_11_rx_wnm_coloc_intf_req(struct wpa_supplicant
*wpa_s
,
1798 const u8
*sa
, const u8
*frm
,
1801 u8 dialog_token
, req_info
, auto_report
, timeout
;
1803 if (!wpa_s
->conf
->coloc_intf_reporting
)
1806 /* Dialog Token [1] | Request Info [1] */
1810 dialog_token
= frm
[0];
1812 auto_report
= req_info
& 0x03;
1813 timeout
= req_info
>> 2;
1815 wpa_dbg(wpa_s
, MSG_DEBUG
,
1816 "WNM: Received Collocated Interference Request (dialog_token %u auto_report %u timeout %u sa " MACSTR
")",
1817 dialog_token
, auto_report
, timeout
, MAC2STR(sa
));
1819 if (dialog_token
== 0)
1820 return; /* only nonzero values are used for request */
1822 if (wpa_s
->wpa_state
!= WPA_COMPLETED
||
1823 os_memcmp(sa
, wpa_s
->bssid
, ETH_ALEN
) != 0) {
1824 wpa_dbg(wpa_s
, MSG_DEBUG
,
1825 "WNM: Collocated Interference Request frame not from current AP - ignore it");
1829 wpa_msg(wpa_s
, MSG_INFO
, COLOC_INTF_REQ
"%u %u %u",
1830 dialog_token
, auto_report
, timeout
);
1831 wpa_s
->coloc_intf_dialog_token
= dialog_token
;
1832 wpa_s
->coloc_intf_auto_report
= auto_report
;
1833 wpa_s
->coloc_intf_timeout
= timeout
;
1837 void ieee802_11_rx_wnm_action(struct wpa_supplicant
*wpa_s
,
1838 const struct ieee80211_mgmt
*mgmt
, size_t len
)
1840 const u8
*pos
, *end
;
1843 if (len
< IEEE80211_HDRLEN
+ 2)
1846 pos
= ((const u8
*) mgmt
) + IEEE80211_HDRLEN
+ 1;
1848 end
= ((const u8
*) mgmt
) + len
;
1850 wpa_printf(MSG_DEBUG
, "WNM: RX action %u from " MACSTR
,
1851 act
, MAC2STR(mgmt
->sa
));
1852 if (wpa_s
->wpa_state
< WPA_ASSOCIATED
||
1853 os_memcmp(mgmt
->sa
, wpa_s
->bssid
, ETH_ALEN
) != 0) {
1854 wpa_printf(MSG_DEBUG
, "WNM: Ignore unexpected WNM Action "
1860 case WNM_BSS_TRANS_MGMT_REQ
:
1861 ieee802_11_rx_bss_trans_mgmt_req(wpa_s
, pos
, end
,
1862 !(mgmt
->da
[0] & 0x01));
1864 case WNM_SLEEP_MODE_RESP
:
1865 ieee802_11_rx_wnmsleep_resp(wpa_s
, pos
, end
- pos
);
1867 case WNM_NOTIFICATION_REQ
:
1868 ieee802_11_rx_wnm_notif_req(wpa_s
, mgmt
->sa
, pos
, end
- pos
);
1870 case WNM_COLLOCATED_INTERFERENCE_REQ
:
1871 ieee802_11_rx_wnm_coloc_intf_req(wpa_s
, mgmt
->sa
, pos
,
1875 wpa_printf(MSG_ERROR
, "WNM: Unknown request");
1881 int wnm_send_coloc_intf_report(struct wpa_supplicant
*wpa_s
, u8 dialog_token
,
1882 const struct wpabuf
*elems
)
1887 if (wpa_s
->wpa_state
< WPA_ASSOCIATED
|| !elems
)
1890 wpa_printf(MSG_DEBUG
, "WNM: Send Collocated Interference Report to "
1891 MACSTR
" (dialog token %u)",
1892 MAC2STR(wpa_s
->bssid
), dialog_token
);
1894 buf
= wpabuf_alloc(3 + wpabuf_len(elems
));
1898 wpabuf_put_u8(buf
, WLAN_ACTION_WNM
);
1899 wpabuf_put_u8(buf
, WNM_COLLOCATED_INTERFERENCE_REPORT
);
1900 wpabuf_put_u8(buf
, dialog_token
);
1901 wpabuf_put_buf(buf
, elems
);
1903 ret
= wpa_drv_send_action(wpa_s
, wpa_s
->assoc_freq
, 0, wpa_s
->bssid
,
1904 wpa_s
->own_addr
, wpa_s
->bssid
,
1905 wpabuf_head_u8(buf
), wpabuf_len(buf
), 0);
1911 void wnm_set_coloc_intf_elems(struct wpa_supplicant
*wpa_s
,
1912 struct wpabuf
*elems
)
1914 wpabuf_free(wpa_s
->coloc_intf_elems
);
1915 if (elems
&& wpabuf_len(elems
) == 0) {
1919 wpa_s
->coloc_intf_elems
= elems
;
1921 if (wpa_s
->conf
->coloc_intf_reporting
&& wpa_s
->coloc_intf_elems
&&
1922 wpa_s
->coloc_intf_dialog_token
&&
1923 (wpa_s
->coloc_intf_auto_report
== 1 ||
1924 wpa_s
->coloc_intf_auto_report
== 3)) {
1925 /* TODO: Check that there has not been less than
1926 * wpa_s->coloc_intf_timeout * 200 TU from the last report.
1928 wnm_send_coloc_intf_report(wpa_s
,
1929 wpa_s
->coloc_intf_dialog_token
,
1930 wpa_s
->coloc_intf_elems
);
1935 void wnm_clear_coloc_intf_reporting(struct wpa_supplicant
*wpa_s
)
1938 wpa_s
->coloc_intf_dialog_token
= 0;
1939 wpa_s
->coloc_intf_auto_report
= 0;
1940 #endif /* CONFIG_WNM */