1 /* 2 * Copyright (c) 2009, Atheros Communications, Inc. 3 * Copyright (c) 2011-2013, Qualcomm Atheros, Inc. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <sys/stat.h> 11 12 #include "common.h" 13 #include "eloop.h" 14 #include "common/ieee802_11_common.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/gas.h" 17 #include "common/wpa_ctrl.h" 18 #include "rsn_supp/wpa.h" 19 #include "wpa_supplicant_i.h" 20 #include "driver_i.h" 21 #include "config.h" 22 #include "scan.h" 23 #include "bss.h" 24 #include "blacklist.h" 25 #include "gas_query.h" 26 #include "interworking.h" 27 #include "hs20_supplicant.h" 28 29 30 #define OSU_MAX_ITEMS 10 31 32 struct osu_lang_string { 33 char lang[4]; 34 char text[253]; 35 }; 36 37 struct osu_icon { 38 u16 width; 39 u16 height; 40 char lang[4]; 41 char icon_type[256]; 42 char filename[256]; 43 unsigned int id; 44 unsigned int failed:1; 45 }; 46 47 struct osu_provider { 48 u8 bssid[ETH_ALEN]; 49 u8 osu_ssid[32]; 50 u8 osu_ssid_len; 51 char server_uri[256]; 52 u32 osu_methods; /* bit 0 = OMA-DM, bit 1 = SOAP-XML SPP */ 53 char osu_nai[256]; 54 struct osu_lang_string friendly_name[OSU_MAX_ITEMS]; 55 size_t friendly_name_count; 56 struct osu_lang_string serv_desc[OSU_MAX_ITEMS]; 57 size_t serv_desc_count; 58 struct osu_icon icon[OSU_MAX_ITEMS]; 59 size_t icon_count; 60 }; 61 62 63 void wpas_hs20_add_indication(struct wpabuf *buf, int pps_mo_id) 64 { 65 u8 conf; 66 67 wpabuf_put_u8(buf, WLAN_EID_VENDOR_SPECIFIC); 68 wpabuf_put_u8(buf, pps_mo_id >= 0 ? 7 : 5); 69 wpabuf_put_be24(buf, OUI_WFA); 70 wpabuf_put_u8(buf, HS20_INDICATION_OUI_TYPE); 71 conf = HS20_VERSION; 72 if (pps_mo_id >= 0) 73 conf |= HS20_PPS_MO_ID_PRESENT; 74 wpabuf_put_u8(buf, conf); 75 if (pps_mo_id >= 0) 76 wpabuf_put_le16(buf, pps_mo_id); 77 } 78 79 80 int is_hs20_network(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, 81 struct wpa_bss *bss) 82 { 83 if (!wpa_s->conf->hs20 || !ssid) 84 return 0; 85 86 if (ssid->parent_cred) 87 return 1; 88 89 if (bss && !wpa_bss_get_vendor_ie(bss, HS20_IE_VENDOR_TYPE)) 90 return 0; 91 92 /* 93 * This may catch some non-Hotspot 2.0 cases, but it is safer to do that 94 * than cause Hotspot 2.0 connections without indication element getting 95 * added. Non-Hotspot 2.0 APs should ignore the unknown vendor element. 96 */ 97 98 if (!(ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X)) 99 return 0; 100 if (!(ssid->pairwise_cipher & WPA_CIPHER_CCMP)) 101 return 0; 102 if (ssid->proto != WPA_PROTO_RSN) 103 return 0; 104 105 return 1; 106 } 107 108 109 int hs20_get_pps_mo_id(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) 110 { 111 struct wpa_cred *cred; 112 113 if (ssid == NULL) 114 return 0; 115 116 if (ssid->update_identifier) 117 return ssid->update_identifier; 118 119 if (ssid->parent_cred == NULL) 120 return 0; 121 122 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 123 if (ssid->parent_cred == cred) 124 return cred->update_identifier; 125 } 126 127 return 0; 128 } 129 130 131 void hs20_put_anqp_req(u32 stypes, const u8 *payload, size_t payload_len, 132 struct wpabuf *buf) 133 { 134 u8 *len_pos; 135 136 if (buf == NULL) 137 return; 138 139 len_pos = gas_anqp_add_element(buf, ANQP_VENDOR_SPECIFIC); 140 wpabuf_put_be24(buf, OUI_WFA); 141 wpabuf_put_u8(buf, HS20_ANQP_OUI_TYPE); 142 if (stypes == BIT(HS20_STYPE_NAI_HOME_REALM_QUERY)) { 143 wpabuf_put_u8(buf, HS20_STYPE_NAI_HOME_REALM_QUERY); 144 wpabuf_put_u8(buf, 0); /* Reserved */ 145 if (payload) 146 wpabuf_put_data(buf, payload, payload_len); 147 } else if (stypes == BIT(HS20_STYPE_ICON_REQUEST)) { 148 wpabuf_put_u8(buf, HS20_STYPE_ICON_REQUEST); 149 wpabuf_put_u8(buf, 0); /* Reserved */ 150 if (payload) 151 wpabuf_put_data(buf, payload, payload_len); 152 } else { 153 u8 i; 154 wpabuf_put_u8(buf, HS20_STYPE_QUERY_LIST); 155 wpabuf_put_u8(buf, 0); /* Reserved */ 156 for (i = 0; i < 32; i++) { 157 if (stypes & BIT(i)) 158 wpabuf_put_u8(buf, i); 159 } 160 } 161 gas_anqp_set_element_len(buf, len_pos); 162 163 gas_anqp_set_len(buf); 164 } 165 166 167 struct wpabuf * hs20_build_anqp_req(u32 stypes, const u8 *payload, 168 size_t payload_len) 169 { 170 struct wpabuf *buf; 171 172 buf = gas_anqp_build_initial_req(0, 100 + payload_len); 173 if (buf == NULL) 174 return NULL; 175 176 hs20_put_anqp_req(stypes, payload, payload_len, buf); 177 178 return buf; 179 } 180 181 182 int hs20_anqp_send_req(struct wpa_supplicant *wpa_s, const u8 *dst, u32 stypes, 183 const u8 *payload, size_t payload_len) 184 { 185 struct wpabuf *buf; 186 int ret = 0; 187 int freq; 188 struct wpa_bss *bss; 189 int res; 190 191 freq = wpa_s->assoc_freq; 192 bss = wpa_bss_get_bssid(wpa_s, dst); 193 if (bss) { 194 wpa_bss_anqp_unshare_alloc(bss); 195 freq = bss->freq; 196 } 197 if (freq <= 0) 198 return -1; 199 200 wpa_printf(MSG_DEBUG, "HS20: ANQP Query Request to " MACSTR " for " 201 "subtypes 0x%x", MAC2STR(dst), stypes); 202 203 buf = hs20_build_anqp_req(stypes, payload, payload_len); 204 if (buf == NULL) 205 return -1; 206 207 res = gas_query_req(wpa_s->gas, dst, freq, buf, anqp_resp_cb, wpa_s); 208 if (res < 0) { 209 wpa_printf(MSG_DEBUG, "ANQP: Failed to send Query Request"); 210 wpabuf_free(buf); 211 ret = -1; 212 } else 213 wpa_printf(MSG_DEBUG, "ANQP: Query started with dialog token " 214 "%u", res); 215 216 return ret; 217 } 218 219 220 static void hs20_set_osu_access_permission(const char *osu_dir, 221 const char *fname) 222 { 223 struct stat statbuf; 224 225 /* Get OSU directory information */ 226 if (stat(osu_dir, &statbuf) < 0) { 227 wpa_printf(MSG_WARNING, "Cannot stat the OSU directory %s", 228 osu_dir); 229 return; 230 } 231 232 if (chmod(fname, statbuf.st_mode) < 0) { 233 wpa_printf(MSG_WARNING, 234 "Cannot change the permissions for %s", fname); 235 return; 236 } 237 238 if (chown(fname, statbuf.st_uid, statbuf.st_gid) < 0) { 239 wpa_printf(MSG_WARNING, "Cannot change the ownership for %s", 240 fname); 241 } 242 } 243 244 static int hs20_process_icon_binary_file(struct wpa_supplicant *wpa_s, 245 const u8 *sa, const u8 *pos, 246 size_t slen) 247 { 248 char fname[256]; 249 int png; 250 FILE *f; 251 u16 data_len; 252 253 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR " Icon Binary File", 254 MAC2STR(sa)); 255 256 if (slen < 4) { 257 wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: Too short Icon Binary File " 258 "value from " MACSTR, MAC2STR(sa)); 259 return -1; 260 } 261 262 wpa_printf(MSG_DEBUG, "HS 2.0: Download Status Code %u", *pos); 263 if (*pos != 0) 264 return -1; 265 pos++; 266 slen--; 267 268 if ((size_t) 1 + pos[0] > slen) { 269 wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: Too short Icon Binary File " 270 "value from " MACSTR, MAC2STR(sa)); 271 return -1; 272 } 273 wpa_hexdump_ascii(MSG_DEBUG, "Icon Type", pos + 1, pos[0]); 274 png = os_strncasecmp((char *) pos + 1, "image/png", 9) == 0; 275 slen -= 1 + pos[0]; 276 pos += 1 + pos[0]; 277 278 if (slen < 2) { 279 wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: Too short Icon Binary File " 280 "value from " MACSTR, MAC2STR(sa)); 281 return -1; 282 } 283 data_len = WPA_GET_LE16(pos); 284 pos += 2; 285 slen -= 2; 286 287 if (data_len > slen) { 288 wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: Too short Icon Binary File " 289 "value from " MACSTR, MAC2STR(sa)); 290 return -1; 291 } 292 293 wpa_printf(MSG_DEBUG, "Icon Binary Data: %u bytes", data_len); 294 if (wpa_s->conf->osu_dir == NULL) 295 return -1; 296 297 wpa_s->osu_icon_id++; 298 if (wpa_s->osu_icon_id == 0) 299 wpa_s->osu_icon_id++; 300 snprintf(fname, sizeof(fname), "%s/osu-icon-%u.%s", 301 wpa_s->conf->osu_dir, wpa_s->osu_icon_id, 302 png ? "png" : "icon"); 303 f = fopen(fname, "wb"); 304 if (f == NULL) 305 return -1; 306 307 hs20_set_osu_access_permission(wpa_s->conf->osu_dir, fname); 308 309 if (fwrite(pos, slen, 1, f) != 1) { 310 fclose(f); 311 unlink(fname); 312 return -1; 313 } 314 fclose(f); 315 316 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP-ICON %s", fname); 317 return 0; 318 } 319 320 321 static void hs20_continue_icon_fetch(void *eloop_ctx, void *sock_ctx) 322 { 323 struct wpa_supplicant *wpa_s = eloop_ctx; 324 if (wpa_s->fetch_osu_icon_in_progress) 325 hs20_next_osu_icon(wpa_s); 326 } 327 328 329 static void hs20_osu_icon_fetch_result(struct wpa_supplicant *wpa_s, int res) 330 { 331 size_t i, j; 332 struct os_reltime now, tmp; 333 int dur; 334 335 os_get_reltime(&now); 336 os_reltime_sub(&now, &wpa_s->osu_icon_fetch_start, &tmp); 337 dur = tmp.sec * 1000 + tmp.usec / 1000; 338 wpa_printf(MSG_DEBUG, "HS 2.0: Icon fetch dur=%d ms res=%d", 339 dur, res); 340 341 for (i = 0; i < wpa_s->osu_prov_count; i++) { 342 struct osu_provider *osu = &wpa_s->osu_prov[i]; 343 for (j = 0; j < osu->icon_count; j++) { 344 struct osu_icon *icon = &osu->icon[j]; 345 if (icon->id || icon->failed) 346 continue; 347 if (res < 0) 348 icon->failed = 1; 349 else 350 icon->id = wpa_s->osu_icon_id; 351 return; 352 } 353 } 354 } 355 356 357 void hs20_parse_rx_hs20_anqp_resp(struct wpa_supplicant *wpa_s, 358 struct wpa_bss *bss, const u8 *sa, 359 const u8 *data, size_t slen) 360 { 361 const u8 *pos = data; 362 u8 subtype; 363 struct wpa_bss_anqp *anqp = NULL; 364 int ret; 365 366 if (slen < 2) 367 return; 368 369 if (bss) 370 anqp = bss->anqp; 371 372 subtype = *pos++; 373 slen--; 374 375 pos++; /* Reserved */ 376 slen--; 377 378 switch (subtype) { 379 case HS20_STYPE_CAPABILITY_LIST: 380 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 381 " HS Capability List", MAC2STR(sa)); 382 wpa_hexdump_ascii(MSG_DEBUG, "HS Capability List", pos, slen); 383 if (anqp) { 384 wpabuf_free(anqp->hs20_capability_list); 385 anqp->hs20_capability_list = 386 wpabuf_alloc_copy(pos, slen); 387 } 388 break; 389 case HS20_STYPE_OPERATOR_FRIENDLY_NAME: 390 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 391 " Operator Friendly Name", MAC2STR(sa)); 392 wpa_hexdump_ascii(MSG_DEBUG, "oper friendly name", pos, slen); 393 if (anqp) { 394 wpabuf_free(anqp->hs20_operator_friendly_name); 395 anqp->hs20_operator_friendly_name = 396 wpabuf_alloc_copy(pos, slen); 397 } 398 break; 399 case HS20_STYPE_WAN_METRICS: 400 wpa_hexdump(MSG_DEBUG, "WAN Metrics", pos, slen); 401 if (slen < 13) { 402 wpa_dbg(wpa_s, MSG_DEBUG, "HS 2.0: Too short WAN " 403 "Metrics value from " MACSTR, MAC2STR(sa)); 404 break; 405 } 406 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 407 " WAN Metrics %02x:%u:%u:%u:%u:%u", MAC2STR(sa), 408 pos[0], WPA_GET_LE32(pos + 1), WPA_GET_LE32(pos + 5), 409 pos[9], pos[10], WPA_GET_LE16(pos + 11)); 410 if (anqp) { 411 wpabuf_free(anqp->hs20_wan_metrics); 412 anqp->hs20_wan_metrics = wpabuf_alloc_copy(pos, slen); 413 } 414 break; 415 case HS20_STYPE_CONNECTION_CAPABILITY: 416 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 417 " Connection Capability", MAC2STR(sa)); 418 wpa_hexdump_ascii(MSG_DEBUG, "conn capability", pos, slen); 419 if (anqp) { 420 wpabuf_free(anqp->hs20_connection_capability); 421 anqp->hs20_connection_capability = 422 wpabuf_alloc_copy(pos, slen); 423 } 424 break; 425 case HS20_STYPE_OPERATING_CLASS: 426 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 427 " Operating Class", MAC2STR(sa)); 428 wpa_hexdump_ascii(MSG_DEBUG, "Operating Class", pos, slen); 429 if (anqp) { 430 wpabuf_free(anqp->hs20_operating_class); 431 anqp->hs20_operating_class = 432 wpabuf_alloc_copy(pos, slen); 433 } 434 break; 435 case HS20_STYPE_OSU_PROVIDERS_LIST: 436 wpa_msg(wpa_s, MSG_INFO, "RX-HS20-ANQP " MACSTR 437 " OSU Providers list", MAC2STR(sa)); 438 wpa_s->num_prov_found++; 439 if (anqp) { 440 wpabuf_free(anqp->hs20_osu_providers_list); 441 anqp->hs20_osu_providers_list = 442 wpabuf_alloc_copy(pos, slen); 443 } 444 break; 445 case HS20_STYPE_ICON_BINARY_FILE: 446 ret = hs20_process_icon_binary_file(wpa_s, sa, pos, slen); 447 if (wpa_s->fetch_osu_icon_in_progress) { 448 hs20_osu_icon_fetch_result(wpa_s, ret); 449 eloop_cancel_timeout(hs20_continue_icon_fetch, 450 wpa_s, NULL); 451 eloop_register_timeout(0, 0, hs20_continue_icon_fetch, 452 wpa_s, NULL); 453 } 454 break; 455 default: 456 wpa_printf(MSG_DEBUG, "HS20: Unsupported subtype %u", subtype); 457 break; 458 } 459 } 460 461 462 void hs20_notify_parse_done(struct wpa_supplicant *wpa_s) 463 { 464 if (!wpa_s->fetch_osu_icon_in_progress) 465 return; 466 if (eloop_is_timeout_registered(hs20_continue_icon_fetch, wpa_s, NULL)) 467 return; 468 /* 469 * We are going through icon fetch, but no icon response was received. 470 * Assume this means the current AP could not provide an answer to avoid 471 * getting stuck in fetch iteration. 472 */ 473 hs20_icon_fetch_failed(wpa_s); 474 } 475 476 477 static void hs20_free_osu_prov_entry(struct osu_provider *prov) 478 { 479 } 480 481 482 void hs20_free_osu_prov(struct wpa_supplicant *wpa_s) 483 { 484 size_t i; 485 for (i = 0; i < wpa_s->osu_prov_count; i++) 486 hs20_free_osu_prov_entry(&wpa_s->osu_prov[i]); 487 os_free(wpa_s->osu_prov); 488 wpa_s->osu_prov = NULL; 489 wpa_s->osu_prov_count = 0; 490 } 491 492 493 static void hs20_osu_fetch_done(struct wpa_supplicant *wpa_s) 494 { 495 char fname[256]; 496 FILE *f; 497 size_t i, j; 498 499 wpa_s->fetch_osu_info = 0; 500 wpa_s->fetch_osu_icon_in_progress = 0; 501 502 if (wpa_s->conf->osu_dir == NULL) { 503 hs20_free_osu_prov(wpa_s); 504 wpa_s->fetch_anqp_in_progress = 0; 505 return; 506 } 507 508 snprintf(fname, sizeof(fname), "%s/osu-providers.txt", 509 wpa_s->conf->osu_dir); 510 f = fopen(fname, "w"); 511 if (f == NULL) { 512 hs20_free_osu_prov(wpa_s); 513 return; 514 } 515 516 hs20_set_osu_access_permission(wpa_s->conf->osu_dir, fname); 517 518 for (i = 0; i < wpa_s->osu_prov_count; i++) { 519 struct osu_provider *osu = &wpa_s->osu_prov[i]; 520 if (i > 0) 521 fprintf(f, "\n"); 522 fprintf(f, "OSU-PROVIDER " MACSTR "\n" 523 "uri=%s\n" 524 "methods=%08x\n", 525 MAC2STR(osu->bssid), osu->server_uri, osu->osu_methods); 526 if (osu->osu_ssid_len) { 527 fprintf(f, "osu_ssid=%s\n", 528 wpa_ssid_txt(osu->osu_ssid, 529 osu->osu_ssid_len)); 530 } 531 if (osu->osu_nai[0]) 532 fprintf(f, "osu_nai=%s\n", osu->osu_nai); 533 for (j = 0; j < osu->friendly_name_count; j++) { 534 fprintf(f, "friendly_name=%s:%s\n", 535 osu->friendly_name[j].lang, 536 osu->friendly_name[j].text); 537 } 538 for (j = 0; j < osu->serv_desc_count; j++) { 539 fprintf(f, "desc=%s:%s\n", 540 osu->serv_desc[j].lang, 541 osu->serv_desc[j].text); 542 } 543 for (j = 0; j < osu->icon_count; j++) { 544 struct osu_icon *icon = &osu->icon[j]; 545 if (icon->failed) 546 continue; /* could not fetch icon */ 547 fprintf(f, "icon=%u:%u:%u:%s:%s:%s\n", 548 icon->id, icon->width, icon->height, icon->lang, 549 icon->icon_type, icon->filename); 550 } 551 } 552 fclose(f); 553 hs20_free_osu_prov(wpa_s); 554 555 wpa_msg(wpa_s, MSG_INFO, "OSU provider fetch completed"); 556 wpa_s->fetch_anqp_in_progress = 0; 557 } 558 559 560 void hs20_next_osu_icon(struct wpa_supplicant *wpa_s) 561 { 562 size_t i, j; 563 564 wpa_printf(MSG_DEBUG, "HS 2.0: Ready to fetch next icon"); 565 566 for (i = 0; i < wpa_s->osu_prov_count; i++) { 567 struct osu_provider *osu = &wpa_s->osu_prov[i]; 568 for (j = 0; j < osu->icon_count; j++) { 569 struct osu_icon *icon = &osu->icon[j]; 570 if (icon->id || icon->failed) 571 continue; 572 573 wpa_printf(MSG_DEBUG, "HS 2.0: Try to fetch icon '%s' " 574 "from " MACSTR, icon->filename, 575 MAC2STR(osu->bssid)); 576 os_get_reltime(&wpa_s->osu_icon_fetch_start); 577 if (hs20_anqp_send_req(wpa_s, osu->bssid, 578 BIT(HS20_STYPE_ICON_REQUEST), 579 (u8 *) icon->filename, 580 os_strlen(icon->filename)) < 0) { 581 icon->failed = 1; 582 continue; 583 } 584 return; 585 } 586 } 587 588 wpa_printf(MSG_DEBUG, "HS 2.0: No more icons to fetch"); 589 hs20_osu_fetch_done(wpa_s); 590 } 591 592 593 static void hs20_osu_add_prov(struct wpa_supplicant *wpa_s, struct wpa_bss *bss, 594 const u8 *osu_ssid, u8 osu_ssid_len, 595 const u8 *pos, size_t len) 596 { 597 struct osu_provider *prov; 598 const u8 *end = pos + len; 599 u16 len2; 600 const u8 *pos2; 601 u8 uri_len, osu_method_len, osu_nai_len; 602 603 wpa_hexdump(MSG_DEBUG, "HS 2.0: Parsing OSU Provider", pos, len); 604 prov = os_realloc_array(wpa_s->osu_prov, 605 wpa_s->osu_prov_count + 1, 606 sizeof(*prov)); 607 if (prov == NULL) 608 return; 609 wpa_s->osu_prov = prov; 610 prov = &prov[wpa_s->osu_prov_count]; 611 os_memset(prov, 0, sizeof(*prov)); 612 613 os_memcpy(prov->bssid, bss->bssid, ETH_ALEN); 614 os_memcpy(prov->osu_ssid, osu_ssid, osu_ssid_len); 615 prov->osu_ssid_len = osu_ssid_len; 616 617 /* OSU Friendly Name Length */ 618 if (pos + 2 > end) { 619 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU " 620 "Friendly Name Length"); 621 return; 622 } 623 len2 = WPA_GET_LE16(pos); 624 pos += 2; 625 if (len2 > end - pos) { 626 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU " 627 "Friendly Name Duples"); 628 return; 629 } 630 pos2 = pos; 631 pos += len2; 632 633 /* OSU Friendly Name Duples */ 634 while (pos2 + 4 <= pos && prov->friendly_name_count < OSU_MAX_ITEMS) { 635 struct osu_lang_string *f; 636 if (pos2 + 1 + pos2[0] > pos || pos2[0] < 3) { 637 wpa_printf(MSG_DEBUG, "Invalid OSU Friendly Name"); 638 break; 639 } 640 f = &prov->friendly_name[prov->friendly_name_count++]; 641 os_memcpy(f->lang, pos2 + 1, 3); 642 os_memcpy(f->text, pos2 + 1 + 3, pos2[0] - 3); 643 pos2 += 1 + pos2[0]; 644 } 645 646 /* OSU Server URI */ 647 if (pos + 1 > end) { 648 wpa_printf(MSG_DEBUG, 649 "HS 2.0: Not enough room for OSU Server URI length"); 650 return; 651 } 652 uri_len = *pos++; 653 if (uri_len > end - pos) { 654 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU Server " 655 "URI"); 656 return; 657 } 658 os_memcpy(prov->server_uri, pos, uri_len); 659 pos += uri_len; 660 661 /* OSU Method list */ 662 if (pos + 1 > end) { 663 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU Method " 664 "list length"); 665 return; 666 } 667 osu_method_len = pos[0]; 668 if (osu_method_len > end - pos - 1) { 669 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU Method " 670 "list"); 671 return; 672 } 673 pos2 = pos + 1; 674 pos += 1 + osu_method_len; 675 while (pos2 < pos) { 676 if (*pos2 < 32) 677 prov->osu_methods |= BIT(*pos2); 678 pos2++; 679 } 680 681 /* Icons Available Length */ 682 if (pos + 2 > end) { 683 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for Icons " 684 "Available Length"); 685 return; 686 } 687 len2 = WPA_GET_LE16(pos); 688 pos += 2; 689 if (len2 > end - pos) { 690 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for Icons " 691 "Available"); 692 return; 693 } 694 pos2 = pos; 695 pos += len2; 696 697 /* Icons Available */ 698 while (pos2 < pos) { 699 struct osu_icon *icon = &prov->icon[prov->icon_count]; 700 u8 flen; 701 702 if (pos2 + 2 + 2 + 3 + 1 + 1 > pos) { 703 wpa_printf(MSG_DEBUG, "HS 2.0: Invalid Icon Metadata"); 704 break; 705 } 706 707 icon->width = WPA_GET_LE16(pos2); 708 pos2 += 2; 709 icon->height = WPA_GET_LE16(pos2); 710 pos2 += 2; 711 os_memcpy(icon->lang, pos2, 3); 712 pos2 += 3; 713 714 flen = pos2[0]; 715 if (flen > pos - pos2 - 1) { 716 wpa_printf(MSG_DEBUG, "HS 2.0: Not room for Icon Type"); 717 break; 718 } 719 os_memcpy(icon->icon_type, pos2 + 1, flen); 720 pos2 += 1 + flen; 721 722 if (pos2 + 1 > pos) { 723 wpa_printf(MSG_DEBUG, "HS 2.0: Not room for Icon " 724 "Filename length"); 725 break; 726 } 727 flen = pos2[0]; 728 if (flen > pos - pos2 - 1) { 729 wpa_printf(MSG_DEBUG, "HS 2.0: Not room for Icon " 730 "Filename"); 731 break; 732 } 733 os_memcpy(icon->filename, pos2 + 1, flen); 734 pos2 += 1 + flen; 735 736 prov->icon_count++; 737 } 738 739 /* OSU_NAI */ 740 if (pos + 1 > end) { 741 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU_NAI"); 742 return; 743 } 744 osu_nai_len = pos[0]; 745 if (osu_nai_len > end - pos - 1) { 746 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU_NAI"); 747 return; 748 } 749 os_memcpy(prov->osu_nai, pos + 1, osu_nai_len); 750 pos += 1 + osu_nai_len; 751 752 /* OSU Service Description Length */ 753 if (pos + 2 > end) { 754 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU " 755 "Service Description Length"); 756 return; 757 } 758 len2 = WPA_GET_LE16(pos); 759 pos += 2; 760 if (len2 > end - pos) { 761 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for OSU " 762 "Service Description Duples"); 763 return; 764 } 765 pos2 = pos; 766 pos += len2; 767 768 /* OSU Service Description Duples */ 769 while (pos2 + 4 <= pos && prov->serv_desc_count < OSU_MAX_ITEMS) { 770 struct osu_lang_string *f; 771 u8 descr_len; 772 773 descr_len = pos2[0]; 774 if (descr_len > pos - pos2 - 1 || descr_len < 3) { 775 wpa_printf(MSG_DEBUG, "Invalid OSU Service " 776 "Description"); 777 break; 778 } 779 f = &prov->serv_desc[prov->serv_desc_count++]; 780 os_memcpy(f->lang, pos2 + 1, 3); 781 os_memcpy(f->text, pos2 + 1 + 3, descr_len - 3); 782 pos2 += 1 + descr_len; 783 } 784 785 wpa_printf(MSG_DEBUG, "HS 2.0: Added OSU Provider through " MACSTR, 786 MAC2STR(bss->bssid)); 787 wpa_s->osu_prov_count++; 788 } 789 790 791 void hs20_osu_icon_fetch(struct wpa_supplicant *wpa_s) 792 { 793 struct wpa_bss *bss; 794 struct wpabuf *prov_anqp; 795 const u8 *pos, *end; 796 u16 len; 797 const u8 *osu_ssid; 798 u8 osu_ssid_len; 799 u8 num_providers; 800 801 hs20_free_osu_prov(wpa_s); 802 803 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 804 if (bss->anqp == NULL) 805 continue; 806 prov_anqp = bss->anqp->hs20_osu_providers_list; 807 if (prov_anqp == NULL) 808 continue; 809 wpa_printf(MSG_DEBUG, "HS 2.0: Parsing OSU Providers list from " 810 MACSTR, MAC2STR(bss->bssid)); 811 wpa_hexdump_buf(MSG_DEBUG, "HS 2.0: OSU Providers list", 812 prov_anqp); 813 pos = wpabuf_head(prov_anqp); 814 end = pos + wpabuf_len(prov_anqp); 815 816 /* OSU SSID */ 817 if (pos + 1 > end) 818 continue; 819 if (pos + 1 + pos[0] > end) { 820 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for " 821 "OSU SSID"); 822 continue; 823 } 824 osu_ssid_len = *pos++; 825 if (osu_ssid_len > 32) { 826 wpa_printf(MSG_DEBUG, "HS 2.0: Invalid OSU SSID " 827 "Length %u", osu_ssid_len); 828 continue; 829 } 830 osu_ssid = pos; 831 pos += osu_ssid_len; 832 833 if (pos + 1 > end) { 834 wpa_printf(MSG_DEBUG, "HS 2.0: Not enough room for " 835 "Number of OSU Providers"); 836 continue; 837 } 838 num_providers = *pos++; 839 wpa_printf(MSG_DEBUG, "HS 2.0: Number of OSU Providers: %u", 840 num_providers); 841 842 /* OSU Providers */ 843 while (pos + 2 < end && num_providers > 0) { 844 num_providers--; 845 len = WPA_GET_LE16(pos); 846 pos += 2; 847 if (len > (unsigned int) (end - pos)) 848 break; 849 hs20_osu_add_prov(wpa_s, bss, osu_ssid, 850 osu_ssid_len, pos, len); 851 pos += len; 852 } 853 854 if (pos != end) { 855 wpa_printf(MSG_DEBUG, "HS 2.0: Ignored %d bytes of " 856 "extra data after OSU Providers", 857 (int) (end - pos)); 858 } 859 } 860 861 wpa_s->fetch_osu_icon_in_progress = 1; 862 hs20_next_osu_icon(wpa_s); 863 } 864 865 866 static void hs20_osu_scan_res_handler(struct wpa_supplicant *wpa_s, 867 struct wpa_scan_results *scan_res) 868 { 869 wpa_printf(MSG_DEBUG, "OSU provisioning fetch scan completed"); 870 if (!wpa_s->fetch_osu_waiting_scan) { 871 wpa_printf(MSG_DEBUG, "OSU fetch have been canceled"); 872 return; 873 } 874 wpa_s->network_select = 0; 875 wpa_s->fetch_all_anqp = 1; 876 wpa_s->fetch_osu_info = 1; 877 wpa_s->fetch_osu_icon_in_progress = 0; 878 879 interworking_start_fetch_anqp(wpa_s); 880 } 881 882 883 int hs20_fetch_osu(struct wpa_supplicant *wpa_s) 884 { 885 if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) { 886 wpa_printf(MSG_DEBUG, "HS 2.0: Cannot start fetch_osu - " 887 "interface disabled"); 888 return -1; 889 } 890 891 if (wpa_s->scanning) { 892 wpa_printf(MSG_DEBUG, "HS 2.0: Cannot start fetch_osu - " 893 "scanning"); 894 return -1; 895 } 896 897 if (wpa_s->conf->osu_dir == NULL) { 898 wpa_printf(MSG_DEBUG, "HS 2.0: Cannot start fetch_osu - " 899 "osu_dir not configured"); 900 return -1; 901 } 902 903 if (wpa_s->fetch_anqp_in_progress || wpa_s->network_select) { 904 wpa_printf(MSG_DEBUG, "HS 2.0: Cannot start fetch_osu - " 905 "fetch in progress (%d, %d)", 906 wpa_s->fetch_anqp_in_progress, 907 wpa_s->network_select); 908 return -1; 909 } 910 911 wpa_msg(wpa_s, MSG_INFO, "Starting OSU provisioning information fetch"); 912 wpa_s->num_osu_scans = 0; 913 wpa_s->num_prov_found = 0; 914 hs20_start_osu_scan(wpa_s); 915 916 return 0; 917 } 918 919 920 void hs20_start_osu_scan(struct wpa_supplicant *wpa_s) 921 { 922 wpa_s->fetch_osu_waiting_scan = 1; 923 wpa_s->num_osu_scans++; 924 wpa_s->scan_req = MANUAL_SCAN_REQ; 925 wpa_s->scan_res_handler = hs20_osu_scan_res_handler; 926 wpa_supplicant_req_scan(wpa_s, 0, 0); 927 } 928 929 930 void hs20_cancel_fetch_osu(struct wpa_supplicant *wpa_s) 931 { 932 wpa_printf(MSG_DEBUG, "Cancel OSU fetch"); 933 interworking_stop_fetch_anqp(wpa_s); 934 wpa_s->fetch_osu_waiting_scan = 0; 935 wpa_s->network_select = 0; 936 wpa_s->fetch_osu_info = 0; 937 wpa_s->fetch_osu_icon_in_progress = 0; 938 } 939 940 941 void hs20_icon_fetch_failed(struct wpa_supplicant *wpa_s) 942 { 943 hs20_osu_icon_fetch_result(wpa_s, -1); 944 eloop_cancel_timeout(hs20_continue_icon_fetch, wpa_s, NULL); 945 eloop_register_timeout(0, 0, hs20_continue_icon_fetch, wpa_s, NULL); 946 } 947 948 949 void hs20_rx_subscription_remediation(struct wpa_supplicant *wpa_s, 950 const char *url, u8 osu_method) 951 { 952 if (url) 953 wpa_msg(wpa_s, MSG_INFO, HS20_SUBSCRIPTION_REMEDIATION "%u %s", 954 osu_method, url); 955 else 956 wpa_msg(wpa_s, MSG_INFO, HS20_SUBSCRIPTION_REMEDIATION); 957 } 958 959 960 void hs20_rx_deauth_imminent_notice(struct wpa_supplicant *wpa_s, u8 code, 961 u16 reauth_delay, const char *url) 962 { 963 if (!wpa_sm_pmf_enabled(wpa_s->wpa)) { 964 wpa_printf(MSG_DEBUG, "HS 2.0: Ignore deauthentication imminent notice since PMF was not enabled"); 965 return; 966 } 967 968 wpa_msg(wpa_s, MSG_INFO, HS20_DEAUTH_IMMINENT_NOTICE "%u %u %s", 969 code, reauth_delay, url); 970 971 if (code == HS20_DEAUTH_REASON_CODE_BSS) { 972 wpa_printf(MSG_DEBUG, "HS 2.0: Add BSS to blacklist"); 973 wpa_blacklist_add(wpa_s, wpa_s->bssid); 974 /* TODO: For now, disable full ESS since some drivers may not 975 * support disabling per BSS. */ 976 if (wpa_s->current_ssid) { 977 struct os_reltime now; 978 os_get_reltime(&now); 979 if (now.sec + reauth_delay <= 980 wpa_s->current_ssid->disabled_until.sec) 981 return; 982 wpa_printf(MSG_DEBUG, "HS 2.0: Disable network for %u seconds (BSS)", 983 reauth_delay); 984 wpa_s->current_ssid->disabled_until.sec = 985 now.sec + reauth_delay; 986 } 987 } 988 989 if (code == HS20_DEAUTH_REASON_CODE_ESS && wpa_s->current_ssid) { 990 struct os_reltime now; 991 os_get_reltime(&now); 992 if (now.sec + reauth_delay <= 993 wpa_s->current_ssid->disabled_until.sec) 994 return; 995 wpa_printf(MSG_DEBUG, "HS 2.0: Disable network for %u seconds", 996 reauth_delay); 997 wpa_s->current_ssid->disabled_until.sec = 998 now.sec + reauth_delay; 999 } 1000 } 1001 1002 1003 void hs20_deinit(struct wpa_supplicant *wpa_s) 1004 { 1005 eloop_cancel_timeout(hs20_continue_icon_fetch, wpa_s, NULL); 1006 hs20_free_osu_prov(wpa_s); 1007 } 1008