1 /* 2 * Interworking (IEEE 802.11u) 3 * Copyright (c) 2011-2013, Qualcomm Atheros, Inc. 4 * Copyright (c) 2011-2014, Jouni Malinen <j@w1.fi> 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/gas.h" 15 #include "common/wpa_ctrl.h" 16 #include "utils/pcsc_funcs.h" 17 #include "utils/eloop.h" 18 #include "drivers/driver.h" 19 #include "eap_common/eap_defs.h" 20 #include "eap_peer/eap.h" 21 #include "eap_peer/eap_methods.h" 22 #include "eapol_supp/eapol_supp_sm.h" 23 #include "rsn_supp/wpa.h" 24 #include "wpa_supplicant_i.h" 25 #include "config.h" 26 #include "config_ssid.h" 27 #include "bss.h" 28 #include "scan.h" 29 #include "notify.h" 30 #include "driver_i.h" 31 #include "gas_query.h" 32 #include "hs20_supplicant.h" 33 #include "interworking.h" 34 35 36 #if defined(EAP_SIM) | defined(EAP_SIM_DYNAMIC) 37 #define INTERWORKING_3GPP 38 #else 39 #if defined(EAP_AKA) | defined(EAP_AKA_DYNAMIC) 40 #define INTERWORKING_3GPP 41 #else 42 #if defined(EAP_AKA_PRIME) | defined(EAP_AKA_PRIME_DYNAMIC) 43 #define INTERWORKING_3GPP 44 #endif 45 #endif 46 #endif 47 48 static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s); 49 static struct wpa_cred * interworking_credentials_available_realm( 50 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 51 int *excluded); 52 static struct wpa_cred * interworking_credentials_available_3gpp( 53 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 54 int *excluded); 55 56 57 static int cred_prio_cmp(const struct wpa_cred *a, const struct wpa_cred *b) 58 { 59 if (a->priority > b->priority) 60 return 1; 61 if (a->priority < b->priority) 62 return -1; 63 if (a->provisioning_sp == NULL || b->provisioning_sp == NULL || 64 os_strcmp(a->provisioning_sp, b->provisioning_sp) != 0) 65 return 0; 66 if (a->sp_priority < b->sp_priority) 67 return 1; 68 if (a->sp_priority > b->sp_priority) 69 return -1; 70 return 0; 71 } 72 73 74 static void interworking_reconnect(struct wpa_supplicant *wpa_s) 75 { 76 unsigned int tried; 77 78 if (wpa_s->wpa_state >= WPA_AUTHENTICATING) { 79 wpa_supplicant_cancel_sched_scan(wpa_s); 80 wpa_s->own_disconnect_req = 1; 81 wpa_supplicant_deauthenticate(wpa_s, 82 WLAN_REASON_DEAUTH_LEAVING); 83 } 84 wpa_s->disconnected = 0; 85 wpa_s->reassociate = 1; 86 tried = wpa_s->interworking_fast_assoc_tried; 87 wpa_s->interworking_fast_assoc_tried = 1; 88 89 if (!tried && wpa_supplicant_fast_associate(wpa_s) >= 0) 90 return; 91 92 wpa_s->interworking_fast_assoc_tried = 0; 93 wpa_supplicant_req_scan(wpa_s, 0, 0); 94 } 95 96 97 static struct wpabuf * anqp_build_req(u16 info_ids[], size_t num_ids, 98 struct wpabuf *extra) 99 { 100 struct wpabuf *buf; 101 size_t i; 102 u8 *len_pos; 103 104 buf = gas_anqp_build_initial_req(0, 4 + num_ids * 2 + 105 (extra ? wpabuf_len(extra) : 0)); 106 if (buf == NULL) 107 return NULL; 108 109 len_pos = gas_anqp_add_element(buf, ANQP_QUERY_LIST); 110 for (i = 0; i < num_ids; i++) 111 wpabuf_put_le16(buf, info_ids[i]); 112 gas_anqp_set_element_len(buf, len_pos); 113 if (extra) 114 wpabuf_put_buf(buf, extra); 115 116 gas_anqp_set_len(buf); 117 118 return buf; 119 } 120 121 122 static void interworking_anqp_resp_cb(void *ctx, const u8 *dst, 123 u8 dialog_token, 124 enum gas_query_result result, 125 const struct wpabuf *adv_proto, 126 const struct wpabuf *resp, 127 u16 status_code) 128 { 129 struct wpa_supplicant *wpa_s = ctx; 130 131 wpa_printf(MSG_DEBUG, "ANQP: Response callback dst=" MACSTR 132 " dialog_token=%u result=%d status_code=%u", 133 MAC2STR(dst), dialog_token, result, status_code); 134 anqp_resp_cb(wpa_s, dst, dialog_token, result, adv_proto, resp, 135 status_code); 136 interworking_next_anqp_fetch(wpa_s); 137 } 138 139 140 static int cred_with_roaming_consortium(struct wpa_supplicant *wpa_s) 141 { 142 struct wpa_cred *cred; 143 144 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 145 if (cred->roaming_consortium_len) 146 return 1; 147 if (cred->required_roaming_consortium_len) 148 return 1; 149 } 150 return 0; 151 } 152 153 154 static int cred_with_3gpp(struct wpa_supplicant *wpa_s) 155 { 156 struct wpa_cred *cred; 157 158 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 159 if (cred->pcsc || cred->imsi) 160 return 1; 161 } 162 return 0; 163 } 164 165 166 static int cred_with_nai_realm(struct wpa_supplicant *wpa_s) 167 { 168 struct wpa_cred *cred; 169 170 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 171 if (cred->pcsc || cred->imsi) 172 continue; 173 if (!cred->eap_method) 174 return 1; 175 if (cred->realm && cred->roaming_consortium_len == 0) 176 return 1; 177 } 178 return 0; 179 } 180 181 182 static int cred_with_domain(struct wpa_supplicant *wpa_s) 183 { 184 struct wpa_cred *cred; 185 186 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 187 if (cred->domain || cred->pcsc || cred->imsi || 188 cred->roaming_partner) 189 return 1; 190 } 191 return 0; 192 } 193 194 195 #ifdef CONFIG_HS20 196 197 static int cred_with_min_backhaul(struct wpa_supplicant *wpa_s) 198 { 199 struct wpa_cred *cred; 200 201 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 202 if (cred->min_dl_bandwidth_home || 203 cred->min_ul_bandwidth_home || 204 cred->min_dl_bandwidth_roaming || 205 cred->min_ul_bandwidth_roaming) 206 return 1; 207 } 208 return 0; 209 } 210 211 212 static int cred_with_conn_capab(struct wpa_supplicant *wpa_s) 213 { 214 struct wpa_cred *cred; 215 216 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 217 if (cred->num_req_conn_capab) 218 return 1; 219 } 220 return 0; 221 } 222 223 #endif /* CONFIG_HS20 */ 224 225 226 static int additional_roaming_consortiums(struct wpa_bss *bss) 227 { 228 const u8 *ie; 229 ie = wpa_bss_get_ie(bss, WLAN_EID_ROAMING_CONSORTIUM); 230 if (ie == NULL || ie[1] == 0) 231 return 0; 232 return ie[2]; /* Number of ANQP OIs */ 233 } 234 235 236 static void interworking_continue_anqp(void *eloop_ctx, void *sock_ctx) 237 { 238 struct wpa_supplicant *wpa_s = eloop_ctx; 239 interworking_next_anqp_fetch(wpa_s); 240 } 241 242 243 static int interworking_anqp_send_req(struct wpa_supplicant *wpa_s, 244 struct wpa_bss *bss) 245 { 246 struct wpabuf *buf; 247 int ret = 0; 248 int res; 249 u16 info_ids[8]; 250 size_t num_info_ids = 0; 251 struct wpabuf *extra = NULL; 252 int all = wpa_s->fetch_all_anqp; 253 254 wpa_msg(wpa_s, MSG_DEBUG, "Interworking: ANQP Query Request to " MACSTR, 255 MAC2STR(bss->bssid)); 256 wpa_s->interworking_gas_bss = bss; 257 258 info_ids[num_info_ids++] = ANQP_CAPABILITY_LIST; 259 if (all) { 260 info_ids[num_info_ids++] = ANQP_VENUE_NAME; 261 info_ids[num_info_ids++] = ANQP_NETWORK_AUTH_TYPE; 262 } 263 if (all || (cred_with_roaming_consortium(wpa_s) && 264 additional_roaming_consortiums(bss))) 265 info_ids[num_info_ids++] = ANQP_ROAMING_CONSORTIUM; 266 if (all) 267 info_ids[num_info_ids++] = ANQP_IP_ADDR_TYPE_AVAILABILITY; 268 if (all || cred_with_nai_realm(wpa_s)) 269 info_ids[num_info_ids++] = ANQP_NAI_REALM; 270 if (all || cred_with_3gpp(wpa_s)) { 271 info_ids[num_info_ids++] = ANQP_3GPP_CELLULAR_NETWORK; 272 wpa_supplicant_scard_init(wpa_s, NULL); 273 } 274 if (all || cred_with_domain(wpa_s)) 275 info_ids[num_info_ids++] = ANQP_DOMAIN_NAME; 276 wpa_hexdump(MSG_DEBUG, "Interworking: ANQP Query info", 277 (u8 *) info_ids, num_info_ids * 2); 278 279 #ifdef CONFIG_HS20 280 if (wpa_bss_get_vendor_ie(bss, HS20_IE_VENDOR_TYPE)) { 281 u8 *len_pos; 282 283 extra = wpabuf_alloc(100); 284 if (!extra) 285 return -1; 286 287 len_pos = gas_anqp_add_element(extra, ANQP_VENDOR_SPECIFIC); 288 wpabuf_put_be24(extra, OUI_WFA); 289 wpabuf_put_u8(extra, HS20_ANQP_OUI_TYPE); 290 wpabuf_put_u8(extra, HS20_STYPE_QUERY_LIST); 291 wpabuf_put_u8(extra, 0); /* Reserved */ 292 wpabuf_put_u8(extra, HS20_STYPE_CAPABILITY_LIST); 293 if (all) 294 wpabuf_put_u8(extra, 295 HS20_STYPE_OPERATOR_FRIENDLY_NAME); 296 if (all || cred_with_min_backhaul(wpa_s)) 297 wpabuf_put_u8(extra, HS20_STYPE_WAN_METRICS); 298 if (all || cred_with_conn_capab(wpa_s)) 299 wpabuf_put_u8(extra, HS20_STYPE_CONNECTION_CAPABILITY); 300 if (all) 301 wpabuf_put_u8(extra, HS20_STYPE_OPERATING_CLASS); 302 if (all) 303 wpabuf_put_u8(extra, HS20_STYPE_OSU_PROVIDERS_LIST); 304 gas_anqp_set_element_len(extra, len_pos); 305 } 306 #endif /* CONFIG_HS20 */ 307 308 buf = anqp_build_req(info_ids, num_info_ids, extra); 309 wpabuf_free(extra); 310 if (buf == NULL) 311 return -1; 312 313 res = gas_query_req(wpa_s->gas, bss->bssid, bss->freq, buf, 314 interworking_anqp_resp_cb, wpa_s); 315 if (res < 0) { 316 wpa_msg(wpa_s, MSG_DEBUG, "ANQP: Failed to send Query Request"); 317 wpabuf_free(buf); 318 ret = -1; 319 eloop_register_timeout(0, 0, interworking_continue_anqp, wpa_s, 320 NULL); 321 } else 322 wpa_msg(wpa_s, MSG_DEBUG, 323 "ANQP: Query started with dialog token %u", res); 324 325 return ret; 326 } 327 328 329 struct nai_realm_eap { 330 u8 method; 331 u8 inner_method; 332 enum nai_realm_eap_auth_inner_non_eap inner_non_eap; 333 u8 cred_type; 334 u8 tunneled_cred_type; 335 }; 336 337 struct nai_realm { 338 u8 encoding; 339 char *realm; 340 u8 eap_count; 341 struct nai_realm_eap *eap; 342 }; 343 344 345 static void nai_realm_free(struct nai_realm *realms, u16 count) 346 { 347 u16 i; 348 349 if (realms == NULL) 350 return; 351 for (i = 0; i < count; i++) { 352 os_free(realms[i].eap); 353 os_free(realms[i].realm); 354 } 355 os_free(realms); 356 } 357 358 359 static const u8 * nai_realm_parse_eap(struct nai_realm_eap *e, const u8 *pos, 360 const u8 *end) 361 { 362 u8 elen, auth_count, a; 363 const u8 *e_end; 364 365 if (pos + 3 > end) { 366 wpa_printf(MSG_DEBUG, "No room for EAP Method fixed fields"); 367 return NULL; 368 } 369 370 elen = *pos++; 371 if (pos + elen > end || elen < 2) { 372 wpa_printf(MSG_DEBUG, "No room for EAP Method subfield"); 373 return NULL; 374 } 375 e_end = pos + elen; 376 e->method = *pos++; 377 auth_count = *pos++; 378 wpa_printf(MSG_DEBUG, "EAP Method: len=%u method=%u auth_count=%u", 379 elen, e->method, auth_count); 380 381 for (a = 0; a < auth_count; a++) { 382 u8 id, len; 383 384 if (pos + 2 > end || pos + 2 + pos[1] > end) { 385 wpa_printf(MSG_DEBUG, "No room for Authentication " 386 "Parameter subfield"); 387 return NULL; 388 } 389 390 id = *pos++; 391 len = *pos++; 392 393 switch (id) { 394 case NAI_REALM_EAP_AUTH_NON_EAP_INNER_AUTH: 395 if (len < 1) 396 break; 397 e->inner_non_eap = *pos; 398 if (e->method != EAP_TYPE_TTLS) 399 break; 400 switch (*pos) { 401 case NAI_REALM_INNER_NON_EAP_PAP: 402 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP"); 403 break; 404 case NAI_REALM_INNER_NON_EAP_CHAP: 405 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP"); 406 break; 407 case NAI_REALM_INNER_NON_EAP_MSCHAP: 408 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP"); 409 break; 410 case NAI_REALM_INNER_NON_EAP_MSCHAPV2: 411 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2"); 412 break; 413 } 414 break; 415 case NAI_REALM_EAP_AUTH_INNER_AUTH_EAP_METHOD: 416 if (len < 1) 417 break; 418 e->inner_method = *pos; 419 wpa_printf(MSG_DEBUG, "Inner EAP method: %u", 420 e->inner_method); 421 break; 422 case NAI_REALM_EAP_AUTH_CRED_TYPE: 423 if (len < 1) 424 break; 425 e->cred_type = *pos; 426 wpa_printf(MSG_DEBUG, "Credential Type: %u", 427 e->cred_type); 428 break; 429 case NAI_REALM_EAP_AUTH_TUNNELED_CRED_TYPE: 430 if (len < 1) 431 break; 432 e->tunneled_cred_type = *pos; 433 wpa_printf(MSG_DEBUG, "Tunneled EAP Method Credential " 434 "Type: %u", e->tunneled_cred_type); 435 break; 436 default: 437 wpa_printf(MSG_DEBUG, "Unsupported Authentication " 438 "Parameter: id=%u len=%u", id, len); 439 wpa_hexdump(MSG_DEBUG, "Authentication Parameter " 440 "Value", pos, len); 441 break; 442 } 443 444 pos += len; 445 } 446 447 return e_end; 448 } 449 450 451 static const u8 * nai_realm_parse_realm(struct nai_realm *r, const u8 *pos, 452 const u8 *end) 453 { 454 u16 len; 455 const u8 *f_end; 456 u8 realm_len, e; 457 458 if (end - pos < 4) { 459 wpa_printf(MSG_DEBUG, "No room for NAI Realm Data " 460 "fixed fields"); 461 return NULL; 462 } 463 464 len = WPA_GET_LE16(pos); /* NAI Realm Data field Length */ 465 pos += 2; 466 if (pos + len > end || len < 3) { 467 wpa_printf(MSG_DEBUG, "No room for NAI Realm Data " 468 "(len=%u; left=%u)", 469 len, (unsigned int) (end - pos)); 470 return NULL; 471 } 472 f_end = pos + len; 473 474 r->encoding = *pos++; 475 realm_len = *pos++; 476 if (pos + realm_len > f_end) { 477 wpa_printf(MSG_DEBUG, "No room for NAI Realm " 478 "(len=%u; left=%u)", 479 realm_len, (unsigned int) (f_end - pos)); 480 return NULL; 481 } 482 wpa_hexdump_ascii(MSG_DEBUG, "NAI Realm", pos, realm_len); 483 r->realm = dup_binstr(pos, realm_len); 484 if (r->realm == NULL) 485 return NULL; 486 pos += realm_len; 487 488 if (pos + 1 > f_end) { 489 wpa_printf(MSG_DEBUG, "No room for EAP Method Count"); 490 return NULL; 491 } 492 r->eap_count = *pos++; 493 wpa_printf(MSG_DEBUG, "EAP Count: %u", r->eap_count); 494 if (pos + r->eap_count * 3 > f_end) { 495 wpa_printf(MSG_DEBUG, "No room for EAP Methods"); 496 return NULL; 497 } 498 r->eap = os_calloc(r->eap_count, sizeof(struct nai_realm_eap)); 499 if (r->eap == NULL) 500 return NULL; 501 502 for (e = 0; e < r->eap_count; e++) { 503 pos = nai_realm_parse_eap(&r->eap[e], pos, f_end); 504 if (pos == NULL) 505 return NULL; 506 } 507 508 return f_end; 509 } 510 511 512 static struct nai_realm * nai_realm_parse(struct wpabuf *anqp, u16 *count) 513 { 514 struct nai_realm *realm; 515 const u8 *pos, *end; 516 u16 i, num; 517 size_t left; 518 519 if (anqp == NULL) 520 return NULL; 521 left = wpabuf_len(anqp); 522 if (left < 2) 523 return NULL; 524 525 pos = wpabuf_head_u8(anqp); 526 end = pos + left; 527 num = WPA_GET_LE16(pos); 528 wpa_printf(MSG_DEBUG, "NAI Realm Count: %u", num); 529 pos += 2; 530 left -= 2; 531 532 if (num > left / 5) { 533 wpa_printf(MSG_DEBUG, "Invalid NAI Realm Count %u - not " 534 "enough data (%u octets) for that many realms", 535 num, (unsigned int) left); 536 return NULL; 537 } 538 539 realm = os_calloc(num, sizeof(struct nai_realm)); 540 if (realm == NULL) 541 return NULL; 542 543 for (i = 0; i < num; i++) { 544 pos = nai_realm_parse_realm(&realm[i], pos, end); 545 if (pos == NULL) { 546 nai_realm_free(realm, num); 547 return NULL; 548 } 549 } 550 551 *count = num; 552 return realm; 553 } 554 555 556 static int nai_realm_match(struct nai_realm *realm, const char *home_realm) 557 { 558 char *tmp, *pos, *end; 559 int match = 0; 560 561 if (realm->realm == NULL || home_realm == NULL) 562 return 0; 563 564 if (os_strchr(realm->realm, ';') == NULL) 565 return os_strcasecmp(realm->realm, home_realm) == 0; 566 567 tmp = os_strdup(realm->realm); 568 if (tmp == NULL) 569 return 0; 570 571 pos = tmp; 572 while (*pos) { 573 end = os_strchr(pos, ';'); 574 if (end) 575 *end = '\0'; 576 if (os_strcasecmp(pos, home_realm) == 0) { 577 match = 1; 578 break; 579 } 580 if (end == NULL) 581 break; 582 pos = end + 1; 583 } 584 585 os_free(tmp); 586 587 return match; 588 } 589 590 591 static int nai_realm_cred_username(struct wpa_supplicant *wpa_s, 592 struct nai_realm_eap *eap) 593 { 594 if (eap_get_name(EAP_VENDOR_IETF, eap->method) == NULL) { 595 wpa_msg(wpa_s, MSG_DEBUG, 596 "nai-realm-cred-username: EAP method not supported: %d", 597 eap->method); 598 return 0; /* method not supported */ 599 } 600 601 if (eap->method != EAP_TYPE_TTLS && eap->method != EAP_TYPE_PEAP && 602 eap->method != EAP_TYPE_FAST) { 603 /* Only tunneled methods with username/password supported */ 604 wpa_msg(wpa_s, MSG_DEBUG, 605 "nai-realm-cred-username: Method: %d is not TTLS, PEAP, or FAST", 606 eap->method); 607 return 0; 608 } 609 610 if (eap->method == EAP_TYPE_PEAP || eap->method == EAP_TYPE_FAST) { 611 if (eap->inner_method && 612 eap_get_name(EAP_VENDOR_IETF, eap->inner_method) == NULL) { 613 wpa_msg(wpa_s, MSG_DEBUG, 614 "nai-realm-cred-username: PEAP/FAST: Inner method not supported: %d", 615 eap->inner_method); 616 return 0; 617 } 618 if (!eap->inner_method && 619 eap_get_name(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2) == NULL) { 620 wpa_msg(wpa_s, MSG_DEBUG, 621 "nai-realm-cred-username: MSCHAPv2 not supported"); 622 return 0; 623 } 624 } 625 626 if (eap->method == EAP_TYPE_TTLS) { 627 if (eap->inner_method == 0 && eap->inner_non_eap == 0) 628 return 1; /* Assume TTLS/MSCHAPv2 is used */ 629 if (eap->inner_method && 630 eap_get_name(EAP_VENDOR_IETF, eap->inner_method) == NULL) { 631 wpa_msg(wpa_s, MSG_DEBUG, 632 "nai-realm-cred-username: TTLS, but inner not supported: %d", 633 eap->inner_method); 634 return 0; 635 } 636 if (eap->inner_non_eap && 637 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_PAP && 638 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_CHAP && 639 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_MSCHAP && 640 eap->inner_non_eap != NAI_REALM_INNER_NON_EAP_MSCHAPV2) { 641 wpa_msg(wpa_s, MSG_DEBUG, 642 "nai-realm-cred-username: TTLS, inner-non-eap not supported: %d", 643 eap->inner_non_eap); 644 return 0; 645 } 646 } 647 648 if (eap->inner_method && 649 eap->inner_method != EAP_TYPE_GTC && 650 eap->inner_method != EAP_TYPE_MSCHAPV2) { 651 wpa_msg(wpa_s, MSG_DEBUG, 652 "nai-realm-cred-username: inner-method not GTC or MSCHAPv2: %d", 653 eap->inner_method); 654 return 0; 655 } 656 657 return 1; 658 } 659 660 661 static int nai_realm_cred_cert(struct wpa_supplicant *wpa_s, 662 struct nai_realm_eap *eap) 663 { 664 if (eap_get_name(EAP_VENDOR_IETF, eap->method) == NULL) { 665 wpa_msg(wpa_s, MSG_DEBUG, 666 "nai-realm-cred-cert: Method not supported: %d", 667 eap->method); 668 return 0; /* method not supported */ 669 } 670 671 if (eap->method != EAP_TYPE_TLS) { 672 /* Only EAP-TLS supported for credential authentication */ 673 wpa_msg(wpa_s, MSG_DEBUG, 674 "nai-realm-cred-cert: Method not TLS: %d", 675 eap->method); 676 return 0; 677 } 678 679 return 1; 680 } 681 682 683 static struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s, 684 struct wpa_cred *cred, 685 struct nai_realm *realm) 686 { 687 u8 e; 688 689 if (cred->username == NULL || 690 cred->username[0] == '\0' || 691 ((cred->password == NULL || 692 cred->password[0] == '\0') && 693 (cred->private_key == NULL || 694 cred->private_key[0] == '\0'))) { 695 wpa_msg(wpa_s, MSG_DEBUG, 696 "nai-realm-find-eap: incomplete cred info: username: %s password: %s private_key: %s", 697 cred->username ? cred->username : "NULL", 698 cred->password ? cred->password : "NULL", 699 cred->private_key ? cred->private_key : "NULL"); 700 return NULL; 701 } 702 703 for (e = 0; e < realm->eap_count; e++) { 704 struct nai_realm_eap *eap = &realm->eap[e]; 705 if (cred->password && cred->password[0] && 706 nai_realm_cred_username(wpa_s, eap)) 707 return eap; 708 if (cred->private_key && cred->private_key[0] && 709 nai_realm_cred_cert(wpa_s, eap)) 710 return eap; 711 } 712 713 return NULL; 714 } 715 716 717 #ifdef INTERWORKING_3GPP 718 719 static int plmn_id_match(struct wpabuf *anqp, const char *imsi, int mnc_len) 720 { 721 u8 plmn[3], plmn2[3]; 722 const u8 *pos, *end; 723 u8 udhl; 724 725 /* 726 * See Annex A of 3GPP TS 24.234 v8.1.0 for description. The network 727 * operator is allowed to include only two digits of the MNC, so allow 728 * matches based on both two and three digit MNC assumptions. Since some 729 * SIM/USIM cards may not expose MNC length conveniently, we may be 730 * provided the default MNC length 3 here and as such, checking with MNC 731 * length 2 is justifiable even though 3GPP TS 24.234 does not mention 732 * that case. Anyway, MCC/MNC pair where both 2 and 3 digit MNC is used 733 * with otherwise matching values would not be good idea in general, so 734 * this should not result in selecting incorrect networks. 735 */ 736 /* Match with 3 digit MNC */ 737 plmn[0] = (imsi[0] - '0') | ((imsi[1] - '0') << 4); 738 plmn[1] = (imsi[2] - '0') | ((imsi[5] - '0') << 4); 739 plmn[2] = (imsi[3] - '0') | ((imsi[4] - '0') << 4); 740 /* Match with 2 digit MNC */ 741 plmn2[0] = (imsi[0] - '0') | ((imsi[1] - '0') << 4); 742 plmn2[1] = (imsi[2] - '0') | 0xf0; 743 plmn2[2] = (imsi[3] - '0') | ((imsi[4] - '0') << 4); 744 745 if (anqp == NULL) 746 return 0; 747 pos = wpabuf_head_u8(anqp); 748 end = pos + wpabuf_len(anqp); 749 if (pos + 2 > end) 750 return 0; 751 if (*pos != 0) { 752 wpa_printf(MSG_DEBUG, "Unsupported GUD version 0x%x", *pos); 753 return 0; 754 } 755 pos++; 756 udhl = *pos++; 757 if (pos + udhl > end) { 758 wpa_printf(MSG_DEBUG, "Invalid UDHL"); 759 return 0; 760 } 761 end = pos + udhl; 762 763 wpa_printf(MSG_DEBUG, "Interworking: Matching against MCC/MNC alternatives: %02x:%02x:%02x or %02x:%02x:%02x (IMSI %s, MNC length %d)", 764 plmn[0], plmn[1], plmn[2], plmn2[0], plmn2[1], plmn2[2], 765 imsi, mnc_len); 766 767 while (pos + 2 <= end) { 768 u8 iei, len; 769 const u8 *l_end; 770 iei = *pos++; 771 len = *pos++ & 0x7f; 772 if (pos + len > end) 773 break; 774 l_end = pos + len; 775 776 if (iei == 0 && len > 0) { 777 /* PLMN List */ 778 u8 num, i; 779 wpa_hexdump(MSG_DEBUG, "Interworking: PLMN List information element", 780 pos, len); 781 num = *pos++; 782 for (i = 0; i < num; i++) { 783 if (pos + 3 > l_end) 784 break; 785 if (os_memcmp(pos, plmn, 3) == 0 || 786 os_memcmp(pos, plmn2, 3) == 0) 787 return 1; /* Found matching PLMN */ 788 pos += 3; 789 } 790 } else { 791 wpa_hexdump(MSG_DEBUG, "Interworking: Unrecognized 3GPP information element", 792 pos, len); 793 } 794 795 pos = l_end; 796 } 797 798 return 0; 799 } 800 801 802 static int build_root_nai(char *nai, size_t nai_len, const char *imsi, 803 size_t mnc_len, char prefix) 804 { 805 const char *sep, *msin; 806 char *end, *pos; 807 size_t msin_len, plmn_len; 808 809 /* 810 * TS 23.003, Clause 14 (3GPP to WLAN Interworking) 811 * Root NAI: 812 * <aka:0|sim:1><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org 813 * <MNC> is zero-padded to three digits in case two-digit MNC is used 814 */ 815 816 if (imsi == NULL || os_strlen(imsi) > 16) { 817 wpa_printf(MSG_DEBUG, "No valid IMSI available"); 818 return -1; 819 } 820 sep = os_strchr(imsi, '-'); 821 if (sep) { 822 plmn_len = sep - imsi; 823 msin = sep + 1; 824 } else if (mnc_len && os_strlen(imsi) >= 3 + mnc_len) { 825 plmn_len = 3 + mnc_len; 826 msin = imsi + plmn_len; 827 } else 828 return -1; 829 if (plmn_len != 5 && plmn_len != 6) 830 return -1; 831 msin_len = os_strlen(msin); 832 833 pos = nai; 834 end = nai + nai_len; 835 if (prefix) 836 *pos++ = prefix; 837 os_memcpy(pos, imsi, plmn_len); 838 pos += plmn_len; 839 os_memcpy(pos, msin, msin_len); 840 pos += msin_len; 841 pos += os_snprintf(pos, end - pos, "@wlan.mnc"); 842 if (plmn_len == 5) { 843 *pos++ = '0'; 844 *pos++ = imsi[3]; 845 *pos++ = imsi[4]; 846 } else { 847 *pos++ = imsi[3]; 848 *pos++ = imsi[4]; 849 *pos++ = imsi[5]; 850 } 851 os_snprintf(pos, end - pos, ".mcc%c%c%c.3gppnetwork.org", 852 imsi[0], imsi[1], imsi[2]); 853 854 return 0; 855 } 856 857 858 static int set_root_nai(struct wpa_ssid *ssid, const char *imsi, char prefix) 859 { 860 char nai[100]; 861 if (build_root_nai(nai, sizeof(nai), imsi, 0, prefix) < 0) 862 return -1; 863 return wpa_config_set_quoted(ssid, "identity", nai); 864 } 865 866 #endif /* INTERWORKING_3GPP */ 867 868 869 static int already_connected(struct wpa_supplicant *wpa_s, 870 struct wpa_cred *cred, struct wpa_bss *bss) 871 { 872 struct wpa_ssid *ssid, *sel_ssid; 873 struct wpa_bss *selected; 874 875 if (wpa_s->wpa_state < WPA_ASSOCIATED || wpa_s->current_ssid == NULL) 876 return 0; 877 878 ssid = wpa_s->current_ssid; 879 if (ssid->parent_cred != cred) 880 return 0; 881 882 if (ssid->ssid_len != bss->ssid_len || 883 os_memcmp(ssid->ssid, bss->ssid, bss->ssid_len) != 0) 884 return 0; 885 886 sel_ssid = NULL; 887 selected = wpa_supplicant_pick_network(wpa_s, &sel_ssid); 888 if (selected && sel_ssid && sel_ssid->priority > ssid->priority) 889 return 0; /* higher priority network in scan results */ 890 891 return 1; 892 } 893 894 895 static void remove_duplicate_network(struct wpa_supplicant *wpa_s, 896 struct wpa_cred *cred, 897 struct wpa_bss *bss) 898 { 899 struct wpa_ssid *ssid; 900 901 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 902 if (ssid->parent_cred != cred) 903 continue; 904 if (ssid->ssid_len != bss->ssid_len || 905 os_memcmp(ssid->ssid, bss->ssid, bss->ssid_len) != 0) 906 continue; 907 908 break; 909 } 910 911 if (ssid == NULL) 912 return; 913 914 wpa_printf(MSG_DEBUG, "Interworking: Remove duplicate network entry for the same credential"); 915 916 if (ssid == wpa_s->current_ssid) { 917 wpa_sm_set_config(wpa_s->wpa, NULL); 918 eapol_sm_notify_config(wpa_s->eapol, NULL, NULL); 919 wpa_s->own_disconnect_req = 1; 920 wpa_supplicant_deauthenticate(wpa_s, 921 WLAN_REASON_DEAUTH_LEAVING); 922 } 923 924 wpas_notify_network_removed(wpa_s, ssid); 925 wpa_config_remove_network(wpa_s->conf, ssid->id); 926 } 927 928 929 static int interworking_set_hs20_params(struct wpa_supplicant *wpa_s, 930 struct wpa_ssid *ssid) 931 { 932 const char *key_mgmt = NULL; 933 #ifdef CONFIG_IEEE80211R 934 int res; 935 struct wpa_driver_capa capa; 936 937 res = wpa_drv_get_capa(wpa_s, &capa); 938 if (res == 0 && capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_FT) { 939 key_mgmt = wpa_s->conf->pmf != NO_MGMT_FRAME_PROTECTION ? 940 "WPA-EAP WPA-EAP-SHA256 FT-EAP" : 941 "WPA-EAP FT-EAP"; 942 } 943 #endif /* CONFIG_IEEE80211R */ 944 945 if (!key_mgmt) 946 key_mgmt = wpa_s->conf->pmf != NO_MGMT_FRAME_PROTECTION ? 947 "WPA-EAP WPA-EAP-SHA256" : "WPA-EAP"; 948 if (wpa_config_set(ssid, "key_mgmt", key_mgmt, 0) < 0) 949 return -1; 950 if (wpa_config_set(ssid, "proto", "RSN", 0) < 0) 951 return -1; 952 if (wpa_config_set(ssid, "pairwise", "CCMP", 0) < 0) 953 return -1; 954 return 0; 955 } 956 957 958 static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s, 959 struct wpa_cred *cred, 960 struct wpa_bss *bss, int only_add) 961 { 962 #ifdef INTERWORKING_3GPP 963 struct wpa_ssid *ssid; 964 int eap_type; 965 int res; 966 char prefix; 967 968 if (bss->anqp == NULL || bss->anqp->anqp_3gpp == NULL) 969 return -1; 970 971 wpa_msg(wpa_s, MSG_DEBUG, "Interworking: Connect with " MACSTR 972 " (3GPP)", MAC2STR(bss->bssid)); 973 974 if (already_connected(wpa_s, cred, bss)) { 975 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_ALREADY_CONNECTED MACSTR, 976 MAC2STR(bss->bssid)); 977 return wpa_s->current_ssid->id; 978 } 979 980 remove_duplicate_network(wpa_s, cred, bss); 981 982 ssid = wpa_config_add_network(wpa_s->conf); 983 if (ssid == NULL) 984 return -1; 985 ssid->parent_cred = cred; 986 987 wpas_notify_network_added(wpa_s, ssid); 988 wpa_config_set_network_defaults(ssid); 989 ssid->priority = cred->priority; 990 ssid->temporary = 1; 991 ssid->ssid = os_zalloc(bss->ssid_len + 1); 992 if (ssid->ssid == NULL) 993 goto fail; 994 os_memcpy(ssid->ssid, bss->ssid, bss->ssid_len); 995 ssid->ssid_len = bss->ssid_len; 996 ssid->eap.sim_num = cred->sim_num; 997 998 if (interworking_set_hs20_params(wpa_s, ssid) < 0) 999 goto fail; 1000 1001 eap_type = EAP_TYPE_SIM; 1002 if (cred->pcsc && wpa_s->scard && scard_supports_umts(wpa_s->scard)) 1003 eap_type = EAP_TYPE_AKA; 1004 if (cred->eap_method && cred->eap_method[0].vendor == EAP_VENDOR_IETF) { 1005 if (cred->eap_method[0].method == EAP_TYPE_SIM || 1006 cred->eap_method[0].method == EAP_TYPE_AKA || 1007 cred->eap_method[0].method == EAP_TYPE_AKA_PRIME) 1008 eap_type = cred->eap_method[0].method; 1009 } 1010 1011 switch (eap_type) { 1012 case EAP_TYPE_SIM: 1013 prefix = '1'; 1014 res = wpa_config_set(ssid, "eap", "SIM", 0); 1015 break; 1016 case EAP_TYPE_AKA: 1017 prefix = '0'; 1018 res = wpa_config_set(ssid, "eap", "AKA", 0); 1019 break; 1020 case EAP_TYPE_AKA_PRIME: 1021 prefix = '6'; 1022 res = wpa_config_set(ssid, "eap", "AKA'", 0); 1023 break; 1024 default: 1025 res = -1; 1026 break; 1027 } 1028 if (res < 0) { 1029 wpa_msg(wpa_s, MSG_DEBUG, 1030 "Selected EAP method (%d) not supported", eap_type); 1031 goto fail; 1032 } 1033 1034 if (!cred->pcsc && set_root_nai(ssid, cred->imsi, prefix) < 0) { 1035 wpa_msg(wpa_s, MSG_DEBUG, "Failed to set Root NAI"); 1036 goto fail; 1037 } 1038 1039 if (cred->milenage && cred->milenage[0]) { 1040 if (wpa_config_set_quoted(ssid, "password", 1041 cred->milenage) < 0) 1042 goto fail; 1043 } else if (cred->pcsc) { 1044 if (wpa_config_set_quoted(ssid, "pcsc", "") < 0) 1045 goto fail; 1046 if (wpa_s->conf->pcsc_pin && 1047 wpa_config_set_quoted(ssid, "pin", wpa_s->conf->pcsc_pin) 1048 < 0) 1049 goto fail; 1050 } 1051 1052 wpa_s->next_ssid = ssid; 1053 wpa_config_update_prio_list(wpa_s->conf); 1054 if (!only_add) 1055 interworking_reconnect(wpa_s); 1056 1057 return ssid->id; 1058 1059 fail: 1060 wpas_notify_network_removed(wpa_s, ssid); 1061 wpa_config_remove_network(wpa_s->conf, ssid->id); 1062 #endif /* INTERWORKING_3GPP */ 1063 return -1; 1064 } 1065 1066 1067 static int roaming_consortium_element_match(const u8 *ie, const u8 *rc_id, 1068 size_t rc_len) 1069 { 1070 const u8 *pos, *end; 1071 u8 lens; 1072 1073 if (ie == NULL) 1074 return 0; 1075 1076 pos = ie + 2; 1077 end = ie + 2 + ie[1]; 1078 1079 /* Roaming Consortium element: 1080 * Number of ANQP OIs 1081 * OI #1 and #2 lengths 1082 * OI #1, [OI #2], [OI #3] 1083 */ 1084 1085 if (pos + 2 > end) 1086 return 0; 1087 1088 pos++; /* skip Number of ANQP OIs */ 1089 lens = *pos++; 1090 if (pos + (lens & 0x0f) + (lens >> 4) > end) 1091 return 0; 1092 1093 if ((lens & 0x0f) == rc_len && os_memcmp(pos, rc_id, rc_len) == 0) 1094 return 1; 1095 pos += lens & 0x0f; 1096 1097 if ((lens >> 4) == rc_len && os_memcmp(pos, rc_id, rc_len) == 0) 1098 return 1; 1099 pos += lens >> 4; 1100 1101 if (pos < end && (size_t) (end - pos) == rc_len && 1102 os_memcmp(pos, rc_id, rc_len) == 0) 1103 return 1; 1104 1105 return 0; 1106 } 1107 1108 1109 static int roaming_consortium_anqp_match(const struct wpabuf *anqp, 1110 const u8 *rc_id, size_t rc_len) 1111 { 1112 const u8 *pos, *end; 1113 u8 len; 1114 1115 if (anqp == NULL) 1116 return 0; 1117 1118 pos = wpabuf_head(anqp); 1119 end = pos + wpabuf_len(anqp); 1120 1121 /* Set of <OI Length, OI> duples */ 1122 while (pos < end) { 1123 len = *pos++; 1124 if (pos + len > end) 1125 break; 1126 if (len == rc_len && os_memcmp(pos, rc_id, rc_len) == 0) 1127 return 1; 1128 pos += len; 1129 } 1130 1131 return 0; 1132 } 1133 1134 1135 static int roaming_consortium_match(const u8 *ie, const struct wpabuf *anqp, 1136 const u8 *rc_id, size_t rc_len) 1137 { 1138 return roaming_consortium_element_match(ie, rc_id, rc_len) || 1139 roaming_consortium_anqp_match(anqp, rc_id, rc_len); 1140 } 1141 1142 1143 static int cred_no_required_oi_match(struct wpa_cred *cred, struct wpa_bss *bss) 1144 { 1145 const u8 *ie; 1146 1147 if (cred->required_roaming_consortium_len == 0) 1148 return 0; 1149 1150 ie = wpa_bss_get_ie(bss, WLAN_EID_ROAMING_CONSORTIUM); 1151 1152 if (ie == NULL && 1153 (bss->anqp == NULL || bss->anqp->roaming_consortium == NULL)) 1154 return 1; 1155 1156 return !roaming_consortium_match(ie, 1157 bss->anqp ? 1158 bss->anqp->roaming_consortium : NULL, 1159 cred->required_roaming_consortium, 1160 cred->required_roaming_consortium_len); 1161 } 1162 1163 1164 static int cred_excluded_ssid(struct wpa_cred *cred, struct wpa_bss *bss) 1165 { 1166 size_t i; 1167 1168 if (!cred->excluded_ssid) 1169 return 0; 1170 1171 for (i = 0; i < cred->num_excluded_ssid; i++) { 1172 struct excluded_ssid *e = &cred->excluded_ssid[i]; 1173 if (bss->ssid_len == e->ssid_len && 1174 os_memcmp(bss->ssid, e->ssid, e->ssid_len) == 0) 1175 return 1; 1176 } 1177 1178 return 0; 1179 } 1180 1181 1182 static int cred_below_min_backhaul(struct wpa_supplicant *wpa_s, 1183 struct wpa_cred *cred, struct wpa_bss *bss) 1184 { 1185 int res; 1186 unsigned int dl_bandwidth, ul_bandwidth; 1187 const u8 *wan; 1188 u8 wan_info, dl_load, ul_load; 1189 u16 lmd; 1190 u32 ul_speed, dl_speed; 1191 1192 if (!cred->min_dl_bandwidth_home && 1193 !cred->min_ul_bandwidth_home && 1194 !cred->min_dl_bandwidth_roaming && 1195 !cred->min_ul_bandwidth_roaming) 1196 return 0; /* No bandwidth constraint specified */ 1197 1198 if (bss->anqp == NULL || bss->anqp->hs20_wan_metrics == NULL) 1199 return 0; /* No WAN Metrics known - ignore constraint */ 1200 1201 wan = wpabuf_head(bss->anqp->hs20_wan_metrics); 1202 wan_info = wan[0]; 1203 if (wan_info & BIT(3)) 1204 return 1; /* WAN link at capacity */ 1205 lmd = WPA_GET_LE16(wan + 11); 1206 if (lmd == 0) 1207 return 0; /* Downlink/Uplink Load was not measured */ 1208 dl_speed = WPA_GET_LE32(wan + 1); 1209 ul_speed = WPA_GET_LE32(wan + 5); 1210 dl_load = wan[9]; 1211 ul_load = wan[10]; 1212 1213 if (dl_speed >= 0xffffff) 1214 dl_bandwidth = dl_speed / 255 * (255 - dl_load); 1215 else 1216 dl_bandwidth = dl_speed * (255 - dl_load) / 255; 1217 1218 if (ul_speed >= 0xffffff) 1219 ul_bandwidth = ul_speed / 255 * (255 - ul_load); 1220 else 1221 ul_bandwidth = ul_speed * (255 - ul_load) / 255; 1222 1223 res = interworking_home_sp_cred(wpa_s, cred, bss->anqp ? 1224 bss->anqp->domain_name : NULL); 1225 if (res > 0) { 1226 if (cred->min_dl_bandwidth_home > dl_bandwidth) 1227 return 1; 1228 if (cred->min_ul_bandwidth_home > ul_bandwidth) 1229 return 1; 1230 } else { 1231 if (cred->min_dl_bandwidth_roaming > dl_bandwidth) 1232 return 1; 1233 if (cred->min_ul_bandwidth_roaming > ul_bandwidth) 1234 return 1; 1235 } 1236 1237 return 0; 1238 } 1239 1240 1241 static int cred_over_max_bss_load(struct wpa_supplicant *wpa_s, 1242 struct wpa_cred *cred, struct wpa_bss *bss) 1243 { 1244 const u8 *ie; 1245 int res; 1246 1247 if (!cred->max_bss_load) 1248 return 0; /* No BSS Load constraint specified */ 1249 1250 ie = wpa_bss_get_ie(bss, WLAN_EID_BSS_LOAD); 1251 if (ie == NULL || ie[1] < 3) 1252 return 0; /* No BSS Load advertised */ 1253 1254 res = interworking_home_sp_cred(wpa_s, cred, bss->anqp ? 1255 bss->anqp->domain_name : NULL); 1256 if (res <= 0) 1257 return 0; /* Not a home network */ 1258 1259 return ie[4] > cred->max_bss_load; 1260 } 1261 1262 1263 static int has_proto_match(const u8 *pos, const u8 *end, u8 proto) 1264 { 1265 while (pos + 4 <= end) { 1266 if (pos[0] == proto && pos[3] == 1 /* Open */) 1267 return 1; 1268 pos += 4; 1269 } 1270 1271 return 0; 1272 } 1273 1274 1275 static int has_proto_port_match(const u8 *pos, const u8 *end, u8 proto, 1276 u16 port) 1277 { 1278 while (pos + 4 <= end) { 1279 if (pos[0] == proto && WPA_GET_LE16(&pos[1]) == port && 1280 pos[3] == 1 /* Open */) 1281 return 1; 1282 pos += 4; 1283 } 1284 1285 return 0; 1286 } 1287 1288 1289 static int cred_conn_capab_missing(struct wpa_supplicant *wpa_s, 1290 struct wpa_cred *cred, struct wpa_bss *bss) 1291 { 1292 int res; 1293 const u8 *capab, *end; 1294 unsigned int i, j; 1295 int *ports; 1296 1297 if (!cred->num_req_conn_capab) 1298 return 0; /* No connection capability constraint specified */ 1299 1300 if (bss->anqp == NULL || bss->anqp->hs20_connection_capability == NULL) 1301 return 0; /* No Connection Capability known - ignore constraint 1302 */ 1303 1304 res = interworking_home_sp_cred(wpa_s, cred, bss->anqp ? 1305 bss->anqp->domain_name : NULL); 1306 if (res > 0) 1307 return 0; /* No constraint in home network */ 1308 1309 capab = wpabuf_head(bss->anqp->hs20_connection_capability); 1310 end = capab + wpabuf_len(bss->anqp->hs20_connection_capability); 1311 1312 for (i = 0; i < cred->num_req_conn_capab; i++) { 1313 ports = cred->req_conn_capab_port[i]; 1314 if (!ports) { 1315 if (!has_proto_match(capab, end, 1316 cred->req_conn_capab_proto[i])) 1317 return 1; 1318 } else { 1319 for (j = 0; ports[j] > -1; j++) { 1320 if (!has_proto_port_match( 1321 capab, end, 1322 cred->req_conn_capab_proto[i], 1323 ports[j])) 1324 return 1; 1325 } 1326 } 1327 } 1328 1329 return 0; 1330 } 1331 1332 1333 static struct wpa_cred * interworking_credentials_available_roaming_consortium( 1334 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 1335 int *excluded) 1336 { 1337 struct wpa_cred *cred, *selected = NULL; 1338 const u8 *ie; 1339 int is_excluded = 0; 1340 1341 ie = wpa_bss_get_ie(bss, WLAN_EID_ROAMING_CONSORTIUM); 1342 1343 if (ie == NULL && 1344 (bss->anqp == NULL || bss->anqp->roaming_consortium == NULL)) 1345 return NULL; 1346 1347 if (wpa_s->conf->cred == NULL) 1348 return NULL; 1349 1350 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 1351 if (cred->roaming_consortium_len == 0) 1352 continue; 1353 1354 if (!roaming_consortium_match(ie, 1355 bss->anqp ? 1356 bss->anqp->roaming_consortium : 1357 NULL, 1358 cred->roaming_consortium, 1359 cred->roaming_consortium_len)) 1360 continue; 1361 1362 if (cred_no_required_oi_match(cred, bss)) 1363 continue; 1364 if (!ignore_bw && cred_below_min_backhaul(wpa_s, cred, bss)) 1365 continue; 1366 if (!ignore_bw && cred_over_max_bss_load(wpa_s, cred, bss)) 1367 continue; 1368 if (!ignore_bw && cred_conn_capab_missing(wpa_s, cred, bss)) 1369 continue; 1370 if (cred_excluded_ssid(cred, bss)) { 1371 if (excluded == NULL) 1372 continue; 1373 if (selected == NULL) { 1374 selected = cred; 1375 is_excluded = 1; 1376 } 1377 } else { 1378 if (selected == NULL || is_excluded || 1379 cred_prio_cmp(selected, cred) < 0) { 1380 selected = cred; 1381 is_excluded = 0; 1382 } 1383 } 1384 } 1385 1386 if (excluded) 1387 *excluded = is_excluded; 1388 1389 return selected; 1390 } 1391 1392 1393 static int interworking_set_eap_params(struct wpa_ssid *ssid, 1394 struct wpa_cred *cred, int ttls) 1395 { 1396 if (cred->eap_method) { 1397 ttls = cred->eap_method->vendor == EAP_VENDOR_IETF && 1398 cred->eap_method->method == EAP_TYPE_TTLS; 1399 1400 os_free(ssid->eap.eap_methods); 1401 ssid->eap.eap_methods = 1402 os_malloc(sizeof(struct eap_method_type) * 2); 1403 if (ssid->eap.eap_methods == NULL) 1404 return -1; 1405 os_memcpy(ssid->eap.eap_methods, cred->eap_method, 1406 sizeof(*cred->eap_method)); 1407 ssid->eap.eap_methods[1].vendor = EAP_VENDOR_IETF; 1408 ssid->eap.eap_methods[1].method = EAP_TYPE_NONE; 1409 } 1410 1411 if (ttls && cred->username && cred->username[0]) { 1412 const char *pos; 1413 char *anon; 1414 /* Use anonymous NAI in Phase 1 */ 1415 pos = os_strchr(cred->username, '@'); 1416 if (pos) { 1417 size_t buflen = 9 + os_strlen(pos) + 1; 1418 anon = os_malloc(buflen); 1419 if (anon == NULL) 1420 return -1; 1421 os_snprintf(anon, buflen, "anonymous%s", pos); 1422 } else if (cred->realm) { 1423 size_t buflen = 10 + os_strlen(cred->realm) + 1; 1424 anon = os_malloc(buflen); 1425 if (anon == NULL) 1426 return -1; 1427 os_snprintf(anon, buflen, "anonymous@%s", cred->realm); 1428 } else { 1429 anon = os_strdup("anonymous"); 1430 if (anon == NULL) 1431 return -1; 1432 } 1433 if (wpa_config_set_quoted(ssid, "anonymous_identity", anon) < 1434 0) { 1435 os_free(anon); 1436 return -1; 1437 } 1438 os_free(anon); 1439 } 1440 1441 if (cred->username && cred->username[0] && 1442 wpa_config_set_quoted(ssid, "identity", cred->username) < 0) 1443 return -1; 1444 1445 if (cred->password && cred->password[0]) { 1446 if (cred->ext_password && 1447 wpa_config_set(ssid, "password", cred->password, 0) < 0) 1448 return -1; 1449 if (!cred->ext_password && 1450 wpa_config_set_quoted(ssid, "password", cred->password) < 1451 0) 1452 return -1; 1453 } 1454 1455 if (cred->client_cert && cred->client_cert[0] && 1456 wpa_config_set_quoted(ssid, "client_cert", cred->client_cert) < 0) 1457 return -1; 1458 1459 #ifdef ANDROID 1460 if (cred->private_key && 1461 os_strncmp(cred->private_key, "keystore://", 11) == 0) { 1462 /* Use OpenSSL engine configuration for Android keystore */ 1463 if (wpa_config_set_quoted(ssid, "engine_id", "keystore") < 0 || 1464 wpa_config_set_quoted(ssid, "key_id", 1465 cred->private_key + 11) < 0 || 1466 wpa_config_set(ssid, "engine", "1", 0) < 0) 1467 return -1; 1468 } else 1469 #endif /* ANDROID */ 1470 if (cred->private_key && cred->private_key[0] && 1471 wpa_config_set_quoted(ssid, "private_key", cred->private_key) < 0) 1472 return -1; 1473 1474 if (cred->private_key_passwd && cred->private_key_passwd[0] && 1475 wpa_config_set_quoted(ssid, "private_key_passwd", 1476 cred->private_key_passwd) < 0) 1477 return -1; 1478 1479 if (cred->phase1) { 1480 os_free(ssid->eap.phase1); 1481 ssid->eap.phase1 = os_strdup(cred->phase1); 1482 } 1483 if (cred->phase2) { 1484 os_free(ssid->eap.phase2); 1485 ssid->eap.phase2 = os_strdup(cred->phase2); 1486 } 1487 1488 if (cred->ca_cert && cred->ca_cert[0] && 1489 wpa_config_set_quoted(ssid, "ca_cert", cred->ca_cert) < 0) 1490 return -1; 1491 1492 if (cred->domain_suffix_match && cred->domain_suffix_match[0] && 1493 wpa_config_set_quoted(ssid, "domain_suffix_match", 1494 cred->domain_suffix_match) < 0) 1495 return -1; 1496 1497 ssid->eap.ocsp = cred->ocsp; 1498 1499 return 0; 1500 } 1501 1502 1503 static int interworking_connect_roaming_consortium( 1504 struct wpa_supplicant *wpa_s, struct wpa_cred *cred, 1505 struct wpa_bss *bss, int only_add) 1506 { 1507 struct wpa_ssid *ssid; 1508 1509 wpa_msg(wpa_s, MSG_DEBUG, "Interworking: Connect with " MACSTR 1510 " based on roaming consortium match", MAC2STR(bss->bssid)); 1511 1512 if (already_connected(wpa_s, cred, bss)) { 1513 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_ALREADY_CONNECTED MACSTR, 1514 MAC2STR(bss->bssid)); 1515 return wpa_s->current_ssid->id; 1516 } 1517 1518 remove_duplicate_network(wpa_s, cred, bss); 1519 1520 ssid = wpa_config_add_network(wpa_s->conf); 1521 if (ssid == NULL) 1522 return -1; 1523 ssid->parent_cred = cred; 1524 wpas_notify_network_added(wpa_s, ssid); 1525 wpa_config_set_network_defaults(ssid); 1526 ssid->priority = cred->priority; 1527 ssid->temporary = 1; 1528 ssid->ssid = os_zalloc(bss->ssid_len + 1); 1529 if (ssid->ssid == NULL) 1530 goto fail; 1531 os_memcpy(ssid->ssid, bss->ssid, bss->ssid_len); 1532 ssid->ssid_len = bss->ssid_len; 1533 1534 if (interworking_set_hs20_params(wpa_s, ssid) < 0) 1535 goto fail; 1536 1537 if (cred->eap_method == NULL) { 1538 wpa_msg(wpa_s, MSG_DEBUG, 1539 "Interworking: No EAP method set for credential using roaming consortium"); 1540 goto fail; 1541 } 1542 1543 if (interworking_set_eap_params( 1544 ssid, cred, 1545 cred->eap_method->vendor == EAP_VENDOR_IETF && 1546 cred->eap_method->method == EAP_TYPE_TTLS) < 0) 1547 goto fail; 1548 1549 wpa_s->next_ssid = ssid; 1550 wpa_config_update_prio_list(wpa_s->conf); 1551 if (!only_add) 1552 interworking_reconnect(wpa_s); 1553 1554 return ssid->id; 1555 1556 fail: 1557 wpas_notify_network_removed(wpa_s, ssid); 1558 wpa_config_remove_network(wpa_s->conf, ssid->id); 1559 return -1; 1560 } 1561 1562 1563 static int interworking_connect_helper(struct wpa_supplicant *wpa_s, 1564 struct wpa_bss *bss, int allow_excluded, 1565 int only_add) 1566 { 1567 struct wpa_cred *cred, *cred_rc, *cred_3gpp; 1568 struct wpa_ssid *ssid; 1569 struct nai_realm *realm; 1570 struct nai_realm_eap *eap = NULL; 1571 u16 count, i; 1572 char buf[100]; 1573 int excluded = 0, *excl = allow_excluded ? &excluded : NULL; 1574 const char *name; 1575 1576 if (wpa_s->conf->cred == NULL || bss == NULL) 1577 return -1; 1578 if (disallowed_bssid(wpa_s, bss->bssid) || 1579 disallowed_ssid(wpa_s, bss->ssid, bss->ssid_len)) { 1580 wpa_msg(wpa_s, MSG_DEBUG, 1581 "Interworking: Reject connection to disallowed BSS " 1582 MACSTR, MAC2STR(bss->bssid)); 1583 return -1; 1584 } 1585 1586 wpa_printf(MSG_DEBUG, "Interworking: Considering BSS " MACSTR 1587 " for connection (allow_excluded=%d)", 1588 MAC2STR(bss->bssid), allow_excluded); 1589 1590 if (!wpa_bss_get_ie(bss, WLAN_EID_RSN)) { 1591 /* 1592 * We currently support only HS 2.0 networks and those are 1593 * required to use WPA2-Enterprise. 1594 */ 1595 wpa_msg(wpa_s, MSG_DEBUG, 1596 "Interworking: Network does not use RSN"); 1597 return -1; 1598 } 1599 1600 cred_rc = interworking_credentials_available_roaming_consortium( 1601 wpa_s, bss, 0, excl); 1602 if (cred_rc) { 1603 wpa_msg(wpa_s, MSG_DEBUG, 1604 "Interworking: Highest roaming consortium matching credential priority %d sp_priority %d", 1605 cred_rc->priority, cred_rc->sp_priority); 1606 if (allow_excluded && excl && !(*excl)) 1607 excl = NULL; 1608 } 1609 1610 cred = interworking_credentials_available_realm(wpa_s, bss, 0, excl); 1611 if (cred) { 1612 wpa_msg(wpa_s, MSG_DEBUG, 1613 "Interworking: Highest NAI Realm list matching credential priority %d sp_priority %d", 1614 cred->priority, cred->sp_priority); 1615 if (allow_excluded && excl && !(*excl)) 1616 excl = NULL; 1617 } 1618 1619 cred_3gpp = interworking_credentials_available_3gpp(wpa_s, bss, 0, 1620 excl); 1621 if (cred_3gpp) { 1622 wpa_msg(wpa_s, MSG_DEBUG, 1623 "Interworking: Highest 3GPP matching credential priority %d sp_priority %d", 1624 cred_3gpp->priority, cred_3gpp->sp_priority); 1625 if (allow_excluded && excl && !(*excl)) 1626 excl = NULL; 1627 } 1628 1629 if (!cred_rc && !cred && !cred_3gpp) { 1630 wpa_msg(wpa_s, MSG_DEBUG, 1631 "Interworking: No full credential matches - consider options without BW(etc.) limits"); 1632 cred_rc = interworking_credentials_available_roaming_consortium( 1633 wpa_s, bss, 1, excl); 1634 if (cred_rc) { 1635 wpa_msg(wpa_s, MSG_DEBUG, 1636 "Interworking: Highest roaming consortium matching credential priority %d sp_priority %d (ignore BW)", 1637 cred_rc->priority, cred_rc->sp_priority); 1638 if (allow_excluded && excl && !(*excl)) 1639 excl = NULL; 1640 } 1641 1642 cred = interworking_credentials_available_realm(wpa_s, bss, 1, 1643 excl); 1644 if (cred) { 1645 wpa_msg(wpa_s, MSG_DEBUG, 1646 "Interworking: Highest NAI Realm list matching credential priority %d sp_priority %d (ignore BW)", 1647 cred->priority, cred->sp_priority); 1648 if (allow_excluded && excl && !(*excl)) 1649 excl = NULL; 1650 } 1651 1652 cred_3gpp = interworking_credentials_available_3gpp(wpa_s, bss, 1653 1, excl); 1654 if (cred_3gpp) { 1655 wpa_msg(wpa_s, MSG_DEBUG, 1656 "Interworking: Highest 3GPP matching credential priority %d sp_priority %d (ignore BW)", 1657 cred_3gpp->priority, cred_3gpp->sp_priority); 1658 if (allow_excluded && excl && !(*excl)) 1659 excl = NULL; 1660 } 1661 } 1662 1663 if (cred_rc && 1664 (cred == NULL || cred_prio_cmp(cred_rc, cred) >= 0) && 1665 (cred_3gpp == NULL || cred_prio_cmp(cred_rc, cred_3gpp) >= 0)) 1666 return interworking_connect_roaming_consortium(wpa_s, cred_rc, 1667 bss, only_add); 1668 1669 if (cred_3gpp && 1670 (cred == NULL || cred_prio_cmp(cred_3gpp, cred) >= 0)) { 1671 return interworking_connect_3gpp(wpa_s, cred_3gpp, bss, 1672 only_add); 1673 } 1674 1675 if (cred == NULL) { 1676 wpa_msg(wpa_s, MSG_DEBUG, 1677 "Interworking: No matching credentials found for " 1678 MACSTR, MAC2STR(bss->bssid)); 1679 return -1; 1680 } 1681 1682 realm = nai_realm_parse(bss->anqp ? bss->anqp->nai_realm : NULL, 1683 &count); 1684 if (realm == NULL) { 1685 wpa_msg(wpa_s, MSG_DEBUG, 1686 "Interworking: Could not parse NAI Realm list from " 1687 MACSTR, MAC2STR(bss->bssid)); 1688 return -1; 1689 } 1690 1691 for (i = 0; i < count; i++) { 1692 if (!nai_realm_match(&realm[i], cred->realm)) 1693 continue; 1694 eap = nai_realm_find_eap(wpa_s, cred, &realm[i]); 1695 if (eap) 1696 break; 1697 } 1698 1699 if (!eap) { 1700 wpa_msg(wpa_s, MSG_DEBUG, 1701 "Interworking: No matching credentials and EAP method found for " 1702 MACSTR, MAC2STR(bss->bssid)); 1703 nai_realm_free(realm, count); 1704 return -1; 1705 } 1706 1707 wpa_msg(wpa_s, MSG_DEBUG, "Interworking: Connect with " MACSTR, 1708 MAC2STR(bss->bssid)); 1709 1710 if (already_connected(wpa_s, cred, bss)) { 1711 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_ALREADY_CONNECTED MACSTR, 1712 MAC2STR(bss->bssid)); 1713 nai_realm_free(realm, count); 1714 return 0; 1715 } 1716 1717 remove_duplicate_network(wpa_s, cred, bss); 1718 1719 ssid = wpa_config_add_network(wpa_s->conf); 1720 if (ssid == NULL) { 1721 nai_realm_free(realm, count); 1722 return -1; 1723 } 1724 ssid->parent_cred = cred; 1725 wpas_notify_network_added(wpa_s, ssid); 1726 wpa_config_set_network_defaults(ssid); 1727 ssid->priority = cred->priority; 1728 ssid->temporary = 1; 1729 ssid->ssid = os_zalloc(bss->ssid_len + 1); 1730 if (ssid->ssid == NULL) 1731 goto fail; 1732 os_memcpy(ssid->ssid, bss->ssid, bss->ssid_len); 1733 ssid->ssid_len = bss->ssid_len; 1734 1735 if (interworking_set_hs20_params(wpa_s, ssid) < 0) 1736 goto fail; 1737 1738 if (wpa_config_set(ssid, "eap", eap_get_name(EAP_VENDOR_IETF, 1739 eap->method), 0) < 0) 1740 goto fail; 1741 1742 switch (eap->method) { 1743 case EAP_TYPE_TTLS: 1744 if (eap->inner_method) { 1745 os_snprintf(buf, sizeof(buf), "\"autheap=%s\"", 1746 eap_get_name(EAP_VENDOR_IETF, 1747 eap->inner_method)); 1748 if (wpa_config_set(ssid, "phase2", buf, 0) < 0) 1749 goto fail; 1750 break; 1751 } 1752 switch (eap->inner_non_eap) { 1753 case NAI_REALM_INNER_NON_EAP_PAP: 1754 if (wpa_config_set(ssid, "phase2", "\"auth=PAP\"", 0) < 1755 0) 1756 goto fail; 1757 break; 1758 case NAI_REALM_INNER_NON_EAP_CHAP: 1759 if (wpa_config_set(ssid, "phase2", "\"auth=CHAP\"", 0) 1760 < 0) 1761 goto fail; 1762 break; 1763 case NAI_REALM_INNER_NON_EAP_MSCHAP: 1764 if (wpa_config_set(ssid, "phase2", "\"auth=MSCHAP\"", 1765 0) < 0) 1766 goto fail; 1767 break; 1768 case NAI_REALM_INNER_NON_EAP_MSCHAPV2: 1769 if (wpa_config_set(ssid, "phase2", "\"auth=MSCHAPV2\"", 1770 0) < 0) 1771 goto fail; 1772 break; 1773 default: 1774 /* EAP params were not set - assume TTLS/MSCHAPv2 */ 1775 if (wpa_config_set(ssid, "phase2", "\"auth=MSCHAPV2\"", 1776 0) < 0) 1777 goto fail; 1778 break; 1779 } 1780 break; 1781 case EAP_TYPE_PEAP: 1782 case EAP_TYPE_FAST: 1783 if (wpa_config_set(ssid, "phase1", "\"fast_provisioning=2\"", 1784 0) < 0) 1785 goto fail; 1786 if (wpa_config_set(ssid, "pac_file", 1787 "\"blob://pac_interworking\"", 0) < 0) 1788 goto fail; 1789 name = eap_get_name(EAP_VENDOR_IETF, 1790 eap->inner_method ? eap->inner_method : 1791 EAP_TYPE_MSCHAPV2); 1792 if (name == NULL) 1793 goto fail; 1794 os_snprintf(buf, sizeof(buf), "\"auth=%s\"", name); 1795 if (wpa_config_set(ssid, "phase2", buf, 0) < 0) 1796 goto fail; 1797 break; 1798 case EAP_TYPE_TLS: 1799 break; 1800 } 1801 1802 if (interworking_set_eap_params(ssid, cred, 1803 eap->method == EAP_TYPE_TTLS) < 0) 1804 goto fail; 1805 1806 nai_realm_free(realm, count); 1807 1808 wpa_s->next_ssid = ssid; 1809 wpa_config_update_prio_list(wpa_s->conf); 1810 if (!only_add) 1811 interworking_reconnect(wpa_s); 1812 1813 return ssid->id; 1814 1815 fail: 1816 wpas_notify_network_removed(wpa_s, ssid); 1817 wpa_config_remove_network(wpa_s->conf, ssid->id); 1818 nai_realm_free(realm, count); 1819 return -1; 1820 } 1821 1822 1823 int interworking_connect(struct wpa_supplicant *wpa_s, struct wpa_bss *bss, 1824 int only_add) 1825 { 1826 return interworking_connect_helper(wpa_s, bss, 1, only_add); 1827 } 1828 1829 1830 #ifdef PCSC_FUNCS 1831 static int interworking_pcsc_read_imsi(struct wpa_supplicant *wpa_s) 1832 { 1833 size_t len; 1834 1835 if (wpa_s->imsi[0] && wpa_s->mnc_len) 1836 return 0; 1837 1838 len = sizeof(wpa_s->imsi) - 1; 1839 if (scard_get_imsi(wpa_s->scard, wpa_s->imsi, &len)) { 1840 scard_deinit(wpa_s->scard); 1841 wpa_s->scard = NULL; 1842 wpa_msg(wpa_s, MSG_ERROR, "Could not read IMSI"); 1843 return -1; 1844 } 1845 wpa_s->imsi[len] = '\0'; 1846 wpa_s->mnc_len = scard_get_mnc_len(wpa_s->scard); 1847 wpa_printf(MSG_DEBUG, "SCARD: IMSI %s (MNC length %d)", 1848 wpa_s->imsi, wpa_s->mnc_len); 1849 1850 return 0; 1851 } 1852 #endif /* PCSC_FUNCS */ 1853 1854 1855 static struct wpa_cred * interworking_credentials_available_3gpp( 1856 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 1857 int *excluded) 1858 { 1859 struct wpa_cred *selected = NULL; 1860 #ifdef INTERWORKING_3GPP 1861 struct wpa_cred *cred; 1862 int ret; 1863 int is_excluded = 0; 1864 1865 if (bss->anqp == NULL || bss->anqp->anqp_3gpp == NULL) { 1866 wpa_msg(wpa_s, MSG_DEBUG, 1867 "interworking-avail-3gpp: not avail, anqp: %p anqp_3gpp: %p", 1868 bss->anqp, bss->anqp ? bss->anqp->anqp_3gpp : NULL); 1869 return NULL; 1870 } 1871 1872 #ifdef CONFIG_EAP_PROXY 1873 if (!wpa_s->imsi[0]) { 1874 size_t len; 1875 wpa_msg(wpa_s, MSG_DEBUG, 1876 "Interworking: IMSI not available - try to read again through eap_proxy"); 1877 wpa_s->mnc_len = eapol_sm_get_eap_proxy_imsi(wpa_s->eapol, 1878 wpa_s->imsi, 1879 &len); 1880 if (wpa_s->mnc_len > 0) { 1881 wpa_s->imsi[len] = '\0'; 1882 wpa_msg(wpa_s, MSG_DEBUG, 1883 "eap_proxy: IMSI %s (MNC length %d)", 1884 wpa_s->imsi, wpa_s->mnc_len); 1885 } else { 1886 wpa_msg(wpa_s, MSG_DEBUG, 1887 "eap_proxy: IMSI not available"); 1888 } 1889 } 1890 #endif /* CONFIG_EAP_PROXY */ 1891 1892 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 1893 char *sep; 1894 const char *imsi; 1895 int mnc_len; 1896 char imsi_buf[16]; 1897 size_t msin_len; 1898 1899 #ifdef PCSC_FUNCS 1900 if (cred->pcsc && wpa_s->scard) { 1901 if (interworking_pcsc_read_imsi(wpa_s) < 0) 1902 continue; 1903 imsi = wpa_s->imsi; 1904 mnc_len = wpa_s->mnc_len; 1905 goto compare; 1906 } 1907 #endif /* PCSC_FUNCS */ 1908 #ifdef CONFIG_EAP_PROXY 1909 if (cred->pcsc && wpa_s->mnc_len > 0 && wpa_s->imsi[0]) { 1910 imsi = wpa_s->imsi; 1911 mnc_len = wpa_s->mnc_len; 1912 goto compare; 1913 } 1914 #endif /* CONFIG_EAP_PROXY */ 1915 1916 if (cred->imsi == NULL || !cred->imsi[0] || 1917 (!wpa_s->conf->external_sim && 1918 (cred->milenage == NULL || !cred->milenage[0]))) 1919 continue; 1920 1921 sep = os_strchr(cred->imsi, '-'); 1922 if (sep == NULL || 1923 (sep - cred->imsi != 5 && sep - cred->imsi != 6)) 1924 continue; 1925 mnc_len = sep - cred->imsi - 3; 1926 os_memcpy(imsi_buf, cred->imsi, 3 + mnc_len); 1927 sep++; 1928 msin_len = os_strlen(cred->imsi); 1929 if (3 + mnc_len + msin_len >= sizeof(imsi_buf) - 1) 1930 msin_len = sizeof(imsi_buf) - 3 - mnc_len - 1; 1931 os_memcpy(&imsi_buf[3 + mnc_len], sep, msin_len); 1932 imsi_buf[3 + mnc_len + msin_len] = '\0'; 1933 imsi = imsi_buf; 1934 1935 #if defined(PCSC_FUNCS) || defined(CONFIG_EAP_PROXY) 1936 compare: 1937 #endif /* PCSC_FUNCS || CONFIG_EAP_PROXY */ 1938 wpa_msg(wpa_s, MSG_DEBUG, 1939 "Interworking: Parsing 3GPP info from " MACSTR, 1940 MAC2STR(bss->bssid)); 1941 ret = plmn_id_match(bss->anqp->anqp_3gpp, imsi, mnc_len); 1942 wpa_msg(wpa_s, MSG_DEBUG, "PLMN match %sfound", 1943 ret ? "" : "not "); 1944 if (ret) { 1945 if (cred_no_required_oi_match(cred, bss)) 1946 continue; 1947 if (!ignore_bw && 1948 cred_below_min_backhaul(wpa_s, cred, bss)) 1949 continue; 1950 if (!ignore_bw && 1951 cred_over_max_bss_load(wpa_s, cred, bss)) 1952 continue; 1953 if (!ignore_bw && 1954 cred_conn_capab_missing(wpa_s, cred, bss)) 1955 continue; 1956 if (cred_excluded_ssid(cred, bss)) { 1957 if (excluded == NULL) 1958 continue; 1959 if (selected == NULL) { 1960 selected = cred; 1961 is_excluded = 1; 1962 } 1963 } else { 1964 if (selected == NULL || is_excluded || 1965 cred_prio_cmp(selected, cred) < 0) { 1966 selected = cred; 1967 is_excluded = 0; 1968 } 1969 } 1970 } 1971 } 1972 1973 if (excluded) 1974 *excluded = is_excluded; 1975 #endif /* INTERWORKING_3GPP */ 1976 return selected; 1977 } 1978 1979 1980 static struct wpa_cred * interworking_credentials_available_realm( 1981 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 1982 int *excluded) 1983 { 1984 struct wpa_cred *cred, *selected = NULL; 1985 struct nai_realm *realm; 1986 u16 count, i; 1987 int is_excluded = 0; 1988 1989 if (bss->anqp == NULL || bss->anqp->nai_realm == NULL) 1990 return NULL; 1991 1992 if (wpa_s->conf->cred == NULL) 1993 return NULL; 1994 1995 wpa_msg(wpa_s, MSG_DEBUG, "Interworking: Parsing NAI Realm list from " 1996 MACSTR, MAC2STR(bss->bssid)); 1997 realm = nai_realm_parse(bss->anqp->nai_realm, &count); 1998 if (realm == NULL) { 1999 wpa_msg(wpa_s, MSG_DEBUG, 2000 "Interworking: Could not parse NAI Realm list from " 2001 MACSTR, MAC2STR(bss->bssid)); 2002 return NULL; 2003 } 2004 2005 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 2006 if (cred->realm == NULL) 2007 continue; 2008 2009 for (i = 0; i < count; i++) { 2010 if (!nai_realm_match(&realm[i], cred->realm)) 2011 continue; 2012 if (nai_realm_find_eap(wpa_s, cred, &realm[i])) { 2013 if (cred_no_required_oi_match(cred, bss)) 2014 continue; 2015 if (!ignore_bw && 2016 cred_below_min_backhaul(wpa_s, cred, bss)) 2017 continue; 2018 if (!ignore_bw && 2019 cred_over_max_bss_load(wpa_s, cred, bss)) 2020 continue; 2021 if (!ignore_bw && 2022 cred_conn_capab_missing(wpa_s, cred, bss)) 2023 continue; 2024 if (cred_excluded_ssid(cred, bss)) { 2025 if (excluded == NULL) 2026 continue; 2027 if (selected == NULL) { 2028 selected = cred; 2029 is_excluded = 1; 2030 } 2031 } else { 2032 if (selected == NULL || is_excluded || 2033 cred_prio_cmp(selected, cred) < 0) 2034 { 2035 selected = cred; 2036 is_excluded = 0; 2037 } 2038 } 2039 break; 2040 } else { 2041 wpa_msg(wpa_s, MSG_DEBUG, 2042 "Interworking: realm-find-eap returned false"); 2043 } 2044 } 2045 } 2046 2047 nai_realm_free(realm, count); 2048 2049 if (excluded) 2050 *excluded = is_excluded; 2051 2052 return selected; 2053 } 2054 2055 2056 static struct wpa_cred * interworking_credentials_available_helper( 2057 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int ignore_bw, 2058 int *excluded) 2059 { 2060 struct wpa_cred *cred, *cred2; 2061 int excluded1, excluded2; 2062 2063 if (disallowed_bssid(wpa_s, bss->bssid) || 2064 disallowed_ssid(wpa_s, bss->ssid, bss->ssid_len)) { 2065 wpa_printf(MSG_DEBUG, "Interworking: Ignore disallowed BSS " 2066 MACSTR, MAC2STR(bss->bssid)); 2067 return NULL; 2068 } 2069 2070 cred = interworking_credentials_available_realm(wpa_s, bss, ignore_bw, 2071 &excluded1); 2072 cred2 = interworking_credentials_available_3gpp(wpa_s, bss, ignore_bw, 2073 &excluded2); 2074 if (cred && cred2 && 2075 (cred_prio_cmp(cred2, cred) >= 0 || (!excluded2 && excluded1))) { 2076 cred = cred2; 2077 excluded1 = excluded2; 2078 } 2079 if (!cred) { 2080 cred = cred2; 2081 excluded1 = excluded2; 2082 } 2083 2084 cred2 = interworking_credentials_available_roaming_consortium( 2085 wpa_s, bss, ignore_bw, &excluded2); 2086 if (cred && cred2 && 2087 (cred_prio_cmp(cred2, cred) >= 0 || (!excluded2 && excluded1))) { 2088 cred = cred2; 2089 excluded1 = excluded2; 2090 } 2091 if (!cred) { 2092 cred = cred2; 2093 excluded1 = excluded2; 2094 } 2095 2096 if (excluded) 2097 *excluded = excluded1; 2098 return cred; 2099 } 2100 2101 2102 static struct wpa_cred * interworking_credentials_available( 2103 struct wpa_supplicant *wpa_s, struct wpa_bss *bss, int *excluded) 2104 { 2105 struct wpa_cred *cred; 2106 2107 if (excluded) 2108 *excluded = 0; 2109 cred = interworking_credentials_available_helper(wpa_s, bss, 0, 2110 excluded); 2111 if (cred) 2112 return cred; 2113 return interworking_credentials_available_helper(wpa_s, bss, 1, 2114 excluded); 2115 } 2116 2117 2118 int domain_name_list_contains(struct wpabuf *domain_names, 2119 const char *domain, int exact_match) 2120 { 2121 const u8 *pos, *end; 2122 size_t len; 2123 2124 len = os_strlen(domain); 2125 pos = wpabuf_head(domain_names); 2126 end = pos + wpabuf_len(domain_names); 2127 2128 while (pos + 1 < end) { 2129 if (pos + 1 + pos[0] > end) 2130 break; 2131 2132 wpa_hexdump_ascii(MSG_DEBUG, "Interworking: AP domain name", 2133 pos + 1, pos[0]); 2134 if (pos[0] == len && 2135 os_strncasecmp(domain, (const char *) (pos + 1), len) == 0) 2136 return 1; 2137 if (!exact_match && pos[0] > len && pos[pos[0] - len] == '.') { 2138 const char *ap = (const char *) (pos + 1); 2139 int offset = pos[0] - len; 2140 if (os_strncasecmp(domain, ap + offset, len) == 0) 2141 return 1; 2142 } 2143 2144 pos += 1 + pos[0]; 2145 } 2146 2147 return 0; 2148 } 2149 2150 2151 int interworking_home_sp_cred(struct wpa_supplicant *wpa_s, 2152 struct wpa_cred *cred, 2153 struct wpabuf *domain_names) 2154 { 2155 size_t i; 2156 int ret = -1; 2157 #ifdef INTERWORKING_3GPP 2158 char nai[100], *realm; 2159 2160 char *imsi = NULL; 2161 int mnc_len = 0; 2162 if (cred->imsi) 2163 imsi = cred->imsi; 2164 #ifdef PCSC_FUNCS 2165 else if (cred->pcsc && wpa_s->scard) { 2166 if (interworking_pcsc_read_imsi(wpa_s) < 0) 2167 return -1; 2168 imsi = wpa_s->imsi; 2169 mnc_len = wpa_s->mnc_len; 2170 } 2171 #endif /* PCSC_FUNCS */ 2172 #ifdef CONFIG_EAP_PROXY 2173 else if (cred->pcsc && wpa_s->mnc_len > 0 && wpa_s->imsi[0]) { 2174 imsi = wpa_s->imsi; 2175 mnc_len = wpa_s->mnc_len; 2176 } 2177 #endif /* CONFIG_EAP_PROXY */ 2178 if (domain_names && 2179 imsi && build_root_nai(nai, sizeof(nai), imsi, mnc_len, 0) == 0) { 2180 realm = os_strchr(nai, '@'); 2181 if (realm) 2182 realm++; 2183 wpa_msg(wpa_s, MSG_DEBUG, 2184 "Interworking: Search for match with SIM/USIM domain %s", 2185 realm); 2186 if (realm && 2187 domain_name_list_contains(domain_names, realm, 1)) 2188 return 1; 2189 if (realm) 2190 ret = 0; 2191 } 2192 #endif /* INTERWORKING_3GPP */ 2193 2194 if (domain_names == NULL || cred->domain == NULL) 2195 return ret; 2196 2197 for (i = 0; i < cred->num_domain; i++) { 2198 wpa_msg(wpa_s, MSG_DEBUG, 2199 "Interworking: Search for match with home SP FQDN %s", 2200 cred->domain[i]); 2201 if (domain_name_list_contains(domain_names, cred->domain[i], 1)) 2202 return 1; 2203 } 2204 2205 return 0; 2206 } 2207 2208 2209 static int interworking_home_sp(struct wpa_supplicant *wpa_s, 2210 struct wpabuf *domain_names) 2211 { 2212 struct wpa_cred *cred; 2213 2214 if (domain_names == NULL || wpa_s->conf->cred == NULL) 2215 return -1; 2216 2217 for (cred = wpa_s->conf->cred; cred; cred = cred->next) { 2218 int res = interworking_home_sp_cred(wpa_s, cred, domain_names); 2219 if (res) 2220 return res; 2221 } 2222 2223 return 0; 2224 } 2225 2226 2227 static int interworking_find_network_match(struct wpa_supplicant *wpa_s) 2228 { 2229 struct wpa_bss *bss; 2230 struct wpa_ssid *ssid; 2231 2232 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2233 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 2234 if (wpas_network_disabled(wpa_s, ssid) || 2235 ssid->mode != WPAS_MODE_INFRA) 2236 continue; 2237 if (ssid->ssid_len != bss->ssid_len || 2238 os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) != 2239 0) 2240 continue; 2241 /* 2242 * TODO: Consider more accurate matching of security 2243 * configuration similarly to what is done in events.c 2244 */ 2245 return 1; 2246 } 2247 } 2248 2249 return 0; 2250 } 2251 2252 2253 static int roaming_partner_match(struct wpa_supplicant *wpa_s, 2254 struct roaming_partner *partner, 2255 struct wpabuf *domain_names) 2256 { 2257 wpa_printf(MSG_DEBUG, "Interworking: Comparing roaming_partner info fqdn='%s' exact_match=%d priority=%u country='%s'", 2258 partner->fqdn, partner->exact_match, partner->priority, 2259 partner->country); 2260 wpa_hexdump_ascii(MSG_DEBUG, "Interworking: Domain names", 2261 wpabuf_head(domain_names), 2262 wpabuf_len(domain_names)); 2263 if (!domain_name_list_contains(domain_names, partner->fqdn, 2264 partner->exact_match)) 2265 return 0; 2266 /* TODO: match Country */ 2267 return 1; 2268 } 2269 2270 2271 static u8 roaming_prio(struct wpa_supplicant *wpa_s, struct wpa_cred *cred, 2272 struct wpa_bss *bss) 2273 { 2274 size_t i; 2275 2276 if (bss->anqp == NULL || bss->anqp->domain_name == NULL) { 2277 wpa_printf(MSG_DEBUG, "Interworking: No ANQP domain name info -> use default roaming partner priority 128"); 2278 return 128; /* cannot check preference with domain name */ 2279 } 2280 2281 if (interworking_home_sp_cred(wpa_s, cred, bss->anqp->domain_name) > 0) 2282 { 2283 wpa_printf(MSG_DEBUG, "Interworking: Determined to be home SP -> use maximum preference 0 as roaming partner priority"); 2284 return 0; /* max preference for home SP network */ 2285 } 2286 2287 for (i = 0; i < cred->num_roaming_partner; i++) { 2288 if (roaming_partner_match(wpa_s, &cred->roaming_partner[i], 2289 bss->anqp->domain_name)) { 2290 wpa_printf(MSG_DEBUG, "Interworking: Roaming partner preference match - priority %u", 2291 cred->roaming_partner[i].priority); 2292 return cred->roaming_partner[i].priority; 2293 } 2294 } 2295 2296 wpa_printf(MSG_DEBUG, "Interworking: No roaming partner preference match - use default roaming partner priority 128"); 2297 return 128; 2298 } 2299 2300 2301 static struct wpa_bss * pick_best_roaming_partner(struct wpa_supplicant *wpa_s, 2302 struct wpa_bss *selected, 2303 struct wpa_cred *cred) 2304 { 2305 struct wpa_bss *bss; 2306 u8 best_prio, prio; 2307 struct wpa_cred *cred2; 2308 2309 /* 2310 * Check if any other BSS is operated by a more preferred roaming 2311 * partner. 2312 */ 2313 2314 best_prio = roaming_prio(wpa_s, cred, selected); 2315 wpa_printf(MSG_DEBUG, "Interworking: roaming_prio=%u for selected BSS " 2316 MACSTR " (cred=%d)", best_prio, MAC2STR(selected->bssid), 2317 cred->id); 2318 2319 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2320 if (bss == selected) 2321 continue; 2322 cred2 = interworking_credentials_available(wpa_s, bss, NULL); 2323 if (!cred2) 2324 continue; 2325 if (!wpa_bss_get_ie(bss, WLAN_EID_RSN)) 2326 continue; 2327 prio = roaming_prio(wpa_s, cred2, bss); 2328 wpa_printf(MSG_DEBUG, "Interworking: roaming_prio=%u for BSS " 2329 MACSTR " (cred=%d)", prio, MAC2STR(bss->bssid), 2330 cred2->id); 2331 if (prio < best_prio) { 2332 int bh1, bh2, load1, load2, conn1, conn2; 2333 bh1 = cred_below_min_backhaul(wpa_s, cred, selected); 2334 load1 = cred_over_max_bss_load(wpa_s, cred, selected); 2335 conn1 = cred_conn_capab_missing(wpa_s, cred, selected); 2336 bh2 = cred_below_min_backhaul(wpa_s, cred2, bss); 2337 load2 = cred_over_max_bss_load(wpa_s, cred2, bss); 2338 conn2 = cred_conn_capab_missing(wpa_s, cred2, bss); 2339 wpa_printf(MSG_DEBUG, "Interworking: old: %d %d %d new: %d %d %d", 2340 bh1, load1, conn1, bh2, load2, conn2); 2341 if (bh1 || load1 || conn1 || !(bh2 || load2 || conn2)) { 2342 wpa_printf(MSG_DEBUG, "Interworking: Better roaming partner " MACSTR " selected", MAC2STR(bss->bssid)); 2343 best_prio = prio; 2344 selected = bss; 2345 } 2346 } 2347 } 2348 2349 return selected; 2350 } 2351 2352 2353 static void interworking_select_network(struct wpa_supplicant *wpa_s) 2354 { 2355 struct wpa_bss *bss, *selected = NULL, *selected_home = NULL; 2356 struct wpa_bss *selected2 = NULL, *selected2_home = NULL; 2357 unsigned int count = 0; 2358 const char *type; 2359 int res; 2360 struct wpa_cred *cred, *selected_cred = NULL; 2361 struct wpa_cred *selected_home_cred = NULL; 2362 struct wpa_cred *selected2_cred = NULL; 2363 struct wpa_cred *selected2_home_cred = NULL; 2364 2365 wpa_s->network_select = 0; 2366 2367 wpa_printf(MSG_DEBUG, "Interworking: Select network (auto_select=%d)", 2368 wpa_s->auto_select); 2369 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2370 int excluded = 0; 2371 int bh, bss_load, conn_capab; 2372 cred = interworking_credentials_available(wpa_s, bss, 2373 &excluded); 2374 if (!cred) 2375 continue; 2376 2377 if (!wpa_bss_get_ie(bss, WLAN_EID_RSN)) { 2378 /* 2379 * We currently support only HS 2.0 networks and those 2380 * are required to use WPA2-Enterprise. 2381 */ 2382 wpa_msg(wpa_s, MSG_DEBUG, 2383 "Interworking: Credential match with " MACSTR 2384 " but network does not use RSN", 2385 MAC2STR(bss->bssid)); 2386 continue; 2387 } 2388 if (!excluded) 2389 count++; 2390 res = interworking_home_sp(wpa_s, bss->anqp ? 2391 bss->anqp->domain_name : NULL); 2392 if (res > 0) 2393 type = "home"; 2394 else if (res == 0) 2395 type = "roaming"; 2396 else 2397 type = "unknown"; 2398 bh = cred_below_min_backhaul(wpa_s, cred, bss); 2399 bss_load = cred_over_max_bss_load(wpa_s, cred, bss); 2400 conn_capab = cred_conn_capab_missing(wpa_s, cred, bss); 2401 wpa_msg(wpa_s, MSG_INFO, "%s" MACSTR " type=%s%s%s%s id=%d priority=%d sp_priority=%d", 2402 excluded ? INTERWORKING_BLACKLISTED : INTERWORKING_AP, 2403 MAC2STR(bss->bssid), type, 2404 bh ? " below_min_backhaul=1" : "", 2405 bss_load ? " over_max_bss_load=1" : "", 2406 conn_capab ? " conn_capab_missing=1" : "", 2407 cred->id, cred->priority, cred->sp_priority); 2408 if (excluded) 2409 continue; 2410 if (wpa_s->auto_select || 2411 (wpa_s->conf->auto_interworking && 2412 wpa_s->auto_network_select)) { 2413 if (bh || bss_load || conn_capab) { 2414 if (selected2_cred == NULL || 2415 cred_prio_cmp(cred, selected2_cred) > 0) { 2416 wpa_printf(MSG_DEBUG, "Interworking: Mark as selected2"); 2417 selected2 = bss; 2418 selected2_cred = cred; 2419 } 2420 if (res > 0 && 2421 (selected2_home_cred == NULL || 2422 cred_prio_cmp(cred, selected2_home_cred) > 2423 0)) { 2424 wpa_printf(MSG_DEBUG, "Interworking: Mark as selected2_home"); 2425 selected2_home = bss; 2426 selected2_home_cred = cred; 2427 } 2428 } else { 2429 if (selected_cred == NULL || 2430 cred_prio_cmp(cred, selected_cred) > 0) { 2431 wpa_printf(MSG_DEBUG, "Interworking: Mark as selected"); 2432 selected = bss; 2433 selected_cred = cred; 2434 } 2435 if (res > 0 && 2436 (selected_home_cred == NULL || 2437 cred_prio_cmp(cred, selected_home_cred) > 2438 0)) { 2439 wpa_printf(MSG_DEBUG, "Interworking: Mark as selected_home"); 2440 selected_home = bss; 2441 selected_home_cred = cred; 2442 } 2443 } 2444 } 2445 } 2446 2447 if (selected_home && selected_home != selected && 2448 selected_home_cred && 2449 (selected_cred == NULL || 2450 cred_prio_cmp(selected_home_cred, selected_cred) >= 0)) { 2451 /* Prefer network operated by the Home SP */ 2452 wpa_printf(MSG_DEBUG, "Interworking: Overrided selected with selected_home"); 2453 selected = selected_home; 2454 selected_cred = selected_home_cred; 2455 } 2456 2457 if (!selected) { 2458 if (selected2_home) { 2459 wpa_printf(MSG_DEBUG, "Interworking: Use home BSS with BW limit mismatch since no other network could be selected"); 2460 selected = selected2_home; 2461 selected_cred = selected2_home_cred; 2462 } else if (selected2) { 2463 wpa_printf(MSG_DEBUG, "Interworking: Use visited BSS with BW limit mismatch since no other network could be selected"); 2464 selected = selected2; 2465 selected_cred = selected2_cred; 2466 } 2467 } 2468 2469 if (count == 0) { 2470 /* 2471 * No matching network was found based on configured 2472 * credentials. Check whether any of the enabled network blocks 2473 * have matching APs. 2474 */ 2475 if (interworking_find_network_match(wpa_s)) { 2476 wpa_msg(wpa_s, MSG_DEBUG, 2477 "Interworking: Possible BSS match for enabled network configurations"); 2478 if (wpa_s->auto_select) { 2479 interworking_reconnect(wpa_s); 2480 return; 2481 } 2482 } 2483 2484 if (wpa_s->auto_network_select) { 2485 wpa_msg(wpa_s, MSG_DEBUG, 2486 "Interworking: Continue scanning after ANQP fetch"); 2487 wpa_supplicant_req_scan(wpa_s, wpa_s->scan_interval, 2488 0); 2489 return; 2490 } 2491 2492 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_NO_MATCH "No network " 2493 "with matching credentials found"); 2494 if (wpa_s->wpa_state == WPA_SCANNING) 2495 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2496 } 2497 2498 if (selected) { 2499 wpa_printf(MSG_DEBUG, "Interworking: Selected " MACSTR, 2500 MAC2STR(selected->bssid)); 2501 selected = pick_best_roaming_partner(wpa_s, selected, 2502 selected_cred); 2503 wpa_printf(MSG_DEBUG, "Interworking: Selected " MACSTR 2504 " (after best roaming partner selection)", 2505 MAC2STR(selected->bssid)); 2506 wpa_msg(wpa_s, MSG_INFO, INTERWORKING_SELECTED MACSTR, 2507 MAC2STR(selected->bssid)); 2508 interworking_connect(wpa_s, selected, 0); 2509 } 2510 } 2511 2512 2513 static struct wpa_bss_anqp * 2514 interworking_match_anqp_info(struct wpa_supplicant *wpa_s, struct wpa_bss *bss) 2515 { 2516 struct wpa_bss *other; 2517 2518 if (is_zero_ether_addr(bss->hessid)) 2519 return NULL; /* Cannot be in the same homegenous ESS */ 2520 2521 dl_list_for_each(other, &wpa_s->bss, struct wpa_bss, list) { 2522 if (other == bss) 2523 continue; 2524 if (other->anqp == NULL) 2525 continue; 2526 if (other->anqp->roaming_consortium == NULL && 2527 other->anqp->nai_realm == NULL && 2528 other->anqp->anqp_3gpp == NULL && 2529 other->anqp->domain_name == NULL) 2530 continue; 2531 if (!(other->flags & WPA_BSS_ANQP_FETCH_TRIED)) 2532 continue; 2533 if (os_memcmp(bss->hessid, other->hessid, ETH_ALEN) != 0) 2534 continue; 2535 if (bss->ssid_len != other->ssid_len || 2536 os_memcmp(bss->ssid, other->ssid, bss->ssid_len) != 0) 2537 continue; 2538 2539 wpa_msg(wpa_s, MSG_DEBUG, 2540 "Interworking: Share ANQP data with already fetched BSSID " 2541 MACSTR " and " MACSTR, 2542 MAC2STR(other->bssid), MAC2STR(bss->bssid)); 2543 other->anqp->users++; 2544 return other->anqp; 2545 } 2546 2547 return NULL; 2548 } 2549 2550 2551 static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s) 2552 { 2553 struct wpa_bss *bss; 2554 int found = 0; 2555 const u8 *ie; 2556 2557 wpa_printf(MSG_DEBUG, "Interworking: next_anqp_fetch - " 2558 "fetch_anqp_in_progress=%d fetch_osu_icon_in_progress=%d", 2559 wpa_s->fetch_anqp_in_progress, 2560 wpa_s->fetch_osu_icon_in_progress); 2561 2562 if (eloop_terminated() || !wpa_s->fetch_anqp_in_progress) { 2563 wpa_printf(MSG_DEBUG, "Interworking: Stop next-ANQP-fetch"); 2564 return; 2565 } 2566 2567 if (wpa_s->fetch_osu_icon_in_progress) { 2568 wpa_printf(MSG_DEBUG, "Interworking: Next icon (in progress)"); 2569 hs20_next_osu_icon(wpa_s); 2570 return; 2571 } 2572 2573 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2574 if (!(bss->caps & IEEE80211_CAP_ESS)) 2575 continue; 2576 ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_CAPAB); 2577 if (ie == NULL || ie[1] < 4 || !(ie[5] & 0x80)) 2578 continue; /* AP does not support Interworking */ 2579 if (disallowed_bssid(wpa_s, bss->bssid) || 2580 disallowed_ssid(wpa_s, bss->ssid, bss->ssid_len)) 2581 continue; /* Disallowed BSS */ 2582 2583 if (!(bss->flags & WPA_BSS_ANQP_FETCH_TRIED)) { 2584 if (bss->anqp == NULL) { 2585 bss->anqp = interworking_match_anqp_info(wpa_s, 2586 bss); 2587 if (bss->anqp) { 2588 /* Shared data already fetched */ 2589 continue; 2590 } 2591 bss->anqp = wpa_bss_anqp_alloc(); 2592 if (bss->anqp == NULL) 2593 break; 2594 } 2595 found++; 2596 bss->flags |= WPA_BSS_ANQP_FETCH_TRIED; 2597 wpa_msg(wpa_s, MSG_INFO, "Starting ANQP fetch for " 2598 MACSTR, MAC2STR(bss->bssid)); 2599 interworking_anqp_send_req(wpa_s, bss); 2600 break; 2601 } 2602 } 2603 2604 if (found == 0) { 2605 if (wpa_s->fetch_osu_info) { 2606 if (wpa_s->num_prov_found == 0 && 2607 wpa_s->fetch_osu_waiting_scan && 2608 wpa_s->num_osu_scans < 3) { 2609 wpa_printf(MSG_DEBUG, "HS 2.0: No OSU providers seen - try to scan again"); 2610 hs20_start_osu_scan(wpa_s); 2611 return; 2612 } 2613 wpa_printf(MSG_DEBUG, "Interworking: Next icon"); 2614 hs20_osu_icon_fetch(wpa_s); 2615 return; 2616 } 2617 wpa_msg(wpa_s, MSG_INFO, "ANQP fetch completed"); 2618 wpa_s->fetch_anqp_in_progress = 0; 2619 if (wpa_s->network_select) 2620 interworking_select_network(wpa_s); 2621 } 2622 } 2623 2624 2625 void interworking_start_fetch_anqp(struct wpa_supplicant *wpa_s) 2626 { 2627 struct wpa_bss *bss; 2628 2629 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) 2630 bss->flags &= ~WPA_BSS_ANQP_FETCH_TRIED; 2631 2632 wpa_s->fetch_anqp_in_progress = 1; 2633 2634 /* 2635 * Start actual ANQP operation from eloop call to make sure the loop 2636 * does not end up using excessive recursion. 2637 */ 2638 eloop_register_timeout(0, 0, interworking_continue_anqp, wpa_s, NULL); 2639 } 2640 2641 2642 int interworking_fetch_anqp(struct wpa_supplicant *wpa_s) 2643 { 2644 if (wpa_s->fetch_anqp_in_progress || wpa_s->network_select) 2645 return 0; 2646 2647 wpa_s->network_select = 0; 2648 wpa_s->fetch_all_anqp = 1; 2649 wpa_s->fetch_osu_info = 0; 2650 2651 interworking_start_fetch_anqp(wpa_s); 2652 2653 return 0; 2654 } 2655 2656 2657 void interworking_stop_fetch_anqp(struct wpa_supplicant *wpa_s) 2658 { 2659 if (!wpa_s->fetch_anqp_in_progress) 2660 return; 2661 2662 wpa_s->fetch_anqp_in_progress = 0; 2663 } 2664 2665 2666 int anqp_send_req(struct wpa_supplicant *wpa_s, const u8 *dst, 2667 u16 info_ids[], size_t num_ids, u32 subtypes) 2668 { 2669 struct wpabuf *buf; 2670 struct wpabuf *hs20_buf = NULL; 2671 int ret = 0; 2672 int freq; 2673 struct wpa_bss *bss; 2674 int res; 2675 2676 freq = wpa_s->assoc_freq; 2677 bss = wpa_bss_get_bssid(wpa_s, dst); 2678 if (bss) { 2679 wpa_bss_anqp_unshare_alloc(bss); 2680 freq = bss->freq; 2681 } 2682 if (freq <= 0) 2683 return -1; 2684 2685 wpa_msg(wpa_s, MSG_DEBUG, 2686 "ANQP: Query Request to " MACSTR " for %u id(s)", 2687 MAC2STR(dst), (unsigned int) num_ids); 2688 2689 #ifdef CONFIG_HS20 2690 if (subtypes != 0) { 2691 hs20_buf = wpabuf_alloc(100); 2692 if (hs20_buf == NULL) 2693 return -1; 2694 hs20_put_anqp_req(subtypes, NULL, 0, hs20_buf); 2695 } 2696 #endif /* CONFIG_HS20 */ 2697 2698 buf = anqp_build_req(info_ids, num_ids, hs20_buf); 2699 wpabuf_free(hs20_buf); 2700 if (buf == NULL) 2701 return -1; 2702 2703 res = gas_query_req(wpa_s->gas, dst, freq, buf, anqp_resp_cb, wpa_s); 2704 if (res < 0) { 2705 wpa_msg(wpa_s, MSG_DEBUG, "ANQP: Failed to send Query Request"); 2706 wpabuf_free(buf); 2707 ret = -1; 2708 } else { 2709 wpa_msg(wpa_s, MSG_DEBUG, 2710 "ANQP: Query started with dialog token %u", res); 2711 } 2712 2713 return ret; 2714 } 2715 2716 2717 static void interworking_parse_rx_anqp_resp(struct wpa_supplicant *wpa_s, 2718 struct wpa_bss *bss, const u8 *sa, 2719 u16 info_id, 2720 const u8 *data, size_t slen) 2721 { 2722 const u8 *pos = data; 2723 struct wpa_bss_anqp *anqp = NULL; 2724 #ifdef CONFIG_HS20 2725 u8 type; 2726 #endif /* CONFIG_HS20 */ 2727 2728 if (bss) 2729 anqp = bss->anqp; 2730 2731 switch (info_id) { 2732 case ANQP_CAPABILITY_LIST: 2733 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2734 " ANQP Capability list", MAC2STR(sa)); 2735 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Capability list", 2736 pos, slen); 2737 if (anqp) { 2738 wpabuf_free(anqp->capability_list); 2739 anqp->capability_list = wpabuf_alloc_copy(pos, slen); 2740 } 2741 break; 2742 case ANQP_VENUE_NAME: 2743 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2744 " Venue Name", MAC2STR(sa)); 2745 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Venue Name", pos, slen); 2746 if (anqp) { 2747 wpabuf_free(anqp->venue_name); 2748 anqp->venue_name = wpabuf_alloc_copy(pos, slen); 2749 } 2750 break; 2751 case ANQP_NETWORK_AUTH_TYPE: 2752 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2753 " Network Authentication Type information", 2754 MAC2STR(sa)); 2755 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Network Authentication " 2756 "Type", pos, slen); 2757 if (anqp) { 2758 wpabuf_free(anqp->network_auth_type); 2759 anqp->network_auth_type = wpabuf_alloc_copy(pos, slen); 2760 } 2761 break; 2762 case ANQP_ROAMING_CONSORTIUM: 2763 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2764 " Roaming Consortium list", MAC2STR(sa)); 2765 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: Roaming Consortium", 2766 pos, slen); 2767 if (anqp) { 2768 wpabuf_free(anqp->roaming_consortium); 2769 anqp->roaming_consortium = wpabuf_alloc_copy(pos, slen); 2770 } 2771 break; 2772 case ANQP_IP_ADDR_TYPE_AVAILABILITY: 2773 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2774 " IP Address Type Availability information", 2775 MAC2STR(sa)); 2776 wpa_hexdump(MSG_MSGDUMP, "ANQP: IP Address Availability", 2777 pos, slen); 2778 if (anqp) { 2779 wpabuf_free(anqp->ip_addr_type_availability); 2780 anqp->ip_addr_type_availability = 2781 wpabuf_alloc_copy(pos, slen); 2782 } 2783 break; 2784 case ANQP_NAI_REALM: 2785 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2786 " NAI Realm list", MAC2STR(sa)); 2787 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: NAI Realm", pos, slen); 2788 if (anqp) { 2789 wpabuf_free(anqp->nai_realm); 2790 anqp->nai_realm = wpabuf_alloc_copy(pos, slen); 2791 } 2792 break; 2793 case ANQP_3GPP_CELLULAR_NETWORK: 2794 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2795 " 3GPP Cellular Network information", MAC2STR(sa)); 2796 wpa_hexdump_ascii(MSG_DEBUG, "ANQP: 3GPP Cellular Network", 2797 pos, slen); 2798 if (anqp) { 2799 wpabuf_free(anqp->anqp_3gpp); 2800 anqp->anqp_3gpp = wpabuf_alloc_copy(pos, slen); 2801 } 2802 break; 2803 case ANQP_DOMAIN_NAME: 2804 wpa_msg(wpa_s, MSG_INFO, "RX-ANQP " MACSTR 2805 " Domain Name list", MAC2STR(sa)); 2806 wpa_hexdump_ascii(MSG_MSGDUMP, "ANQP: Domain Name", pos, slen); 2807 if (anqp) { 2808 wpabuf_free(anqp->domain_name); 2809 anqp->domain_name = wpabuf_alloc_copy(pos, slen); 2810 } 2811 break; 2812 case ANQP_VENDOR_SPECIFIC: 2813 if (slen < 3) 2814 return; 2815 2816 switch (WPA_GET_BE24(pos)) { 2817 #ifdef CONFIG_HS20 2818 case OUI_WFA: 2819 pos += 3; 2820 slen -= 3; 2821 2822 if (slen < 1) 2823 return; 2824 type = *pos++; 2825 slen--; 2826 2827 switch (type) { 2828 case HS20_ANQP_OUI_TYPE: 2829 hs20_parse_rx_hs20_anqp_resp(wpa_s, bss, sa, 2830 pos, slen); 2831 break; 2832 default: 2833 wpa_msg(wpa_s, MSG_DEBUG, 2834 "HS20: Unsupported ANQP vendor type %u", 2835 type); 2836 break; 2837 } 2838 break; 2839 #endif /* CONFIG_HS20 */ 2840 default: 2841 wpa_msg(wpa_s, MSG_DEBUG, 2842 "Interworking: Unsupported vendor-specific ANQP OUI %06x", 2843 WPA_GET_BE24(pos)); 2844 return; 2845 } 2846 break; 2847 default: 2848 wpa_msg(wpa_s, MSG_DEBUG, 2849 "Interworking: Unsupported ANQP Info ID %u", info_id); 2850 break; 2851 } 2852 } 2853 2854 2855 void anqp_resp_cb(void *ctx, const u8 *dst, u8 dialog_token, 2856 enum gas_query_result result, 2857 const struct wpabuf *adv_proto, 2858 const struct wpabuf *resp, u16 status_code) 2859 { 2860 struct wpa_supplicant *wpa_s = ctx; 2861 const u8 *pos; 2862 const u8 *end; 2863 u16 info_id; 2864 u16 slen; 2865 struct wpa_bss *bss = NULL, *tmp; 2866 const char *anqp_result = "SUCCESS"; 2867 2868 wpa_printf(MSG_DEBUG, "Interworking: anqp_resp_cb dst=" MACSTR 2869 " dialog_token=%u result=%d status_code=%u", 2870 MAC2STR(dst), dialog_token, result, status_code); 2871 if (result != GAS_QUERY_SUCCESS) { 2872 if (wpa_s->fetch_osu_icon_in_progress) 2873 hs20_icon_fetch_failed(wpa_s); 2874 anqp_result = "FAILURE"; 2875 goto out; 2876 } 2877 2878 pos = wpabuf_head(adv_proto); 2879 if (wpabuf_len(adv_proto) < 4 || pos[0] != WLAN_EID_ADV_PROTO || 2880 pos[1] < 2 || pos[3] != ACCESS_NETWORK_QUERY_PROTOCOL) { 2881 wpa_msg(wpa_s, MSG_DEBUG, 2882 "ANQP: Unexpected Advertisement Protocol in response"); 2883 if (wpa_s->fetch_osu_icon_in_progress) 2884 hs20_icon_fetch_failed(wpa_s); 2885 anqp_result = "INVALID_FRAME"; 2886 goto out; 2887 } 2888 2889 /* 2890 * If possible, select the BSS entry based on which BSS entry was used 2891 * for the request. This can help in cases where multiple BSS entries 2892 * may exist for the same AP. 2893 */ 2894 dl_list_for_each_reverse(tmp, &wpa_s->bss, struct wpa_bss, list) { 2895 if (tmp == wpa_s->interworking_gas_bss && 2896 os_memcmp(tmp->bssid, dst, ETH_ALEN) == 0) { 2897 bss = tmp; 2898 break; 2899 } 2900 } 2901 if (bss == NULL) 2902 bss = wpa_bss_get_bssid(wpa_s, dst); 2903 2904 pos = wpabuf_head(resp); 2905 end = pos + wpabuf_len(resp); 2906 2907 while (pos < end) { 2908 unsigned int left = end - pos; 2909 2910 if (left < 4) { 2911 wpa_msg(wpa_s, MSG_DEBUG, "ANQP: Invalid element"); 2912 anqp_result = "INVALID_FRAME"; 2913 goto out_parse_done; 2914 } 2915 info_id = WPA_GET_LE16(pos); 2916 pos += 2; 2917 slen = WPA_GET_LE16(pos); 2918 pos += 2; 2919 left -= 4; 2920 if (left < slen) { 2921 wpa_msg(wpa_s, MSG_DEBUG, 2922 "ANQP: Invalid element length for Info ID %u", 2923 info_id); 2924 anqp_result = "INVALID_FRAME"; 2925 goto out_parse_done; 2926 } 2927 interworking_parse_rx_anqp_resp(wpa_s, bss, dst, info_id, pos, 2928 slen); 2929 pos += slen; 2930 } 2931 2932 out_parse_done: 2933 hs20_notify_parse_done(wpa_s); 2934 out: 2935 wpa_msg(wpa_s, MSG_INFO, ANQP_QUERY_DONE "addr=" MACSTR " result=%s", 2936 MAC2STR(dst), anqp_result); 2937 } 2938 2939 2940 static void interworking_scan_res_handler(struct wpa_supplicant *wpa_s, 2941 struct wpa_scan_results *scan_res) 2942 { 2943 wpa_msg(wpa_s, MSG_DEBUG, 2944 "Interworking: Scan results available - start ANQP fetch"); 2945 interworking_start_fetch_anqp(wpa_s); 2946 } 2947 2948 2949 int interworking_select(struct wpa_supplicant *wpa_s, int auto_select, 2950 int *freqs) 2951 { 2952 interworking_stop_fetch_anqp(wpa_s); 2953 wpa_s->network_select = 1; 2954 wpa_s->auto_network_select = 0; 2955 wpa_s->auto_select = !!auto_select; 2956 wpa_s->fetch_all_anqp = 0; 2957 wpa_s->fetch_osu_info = 0; 2958 wpa_msg(wpa_s, MSG_DEBUG, 2959 "Interworking: Start scan for network selection"); 2960 wpa_s->scan_res_handler = interworking_scan_res_handler; 2961 wpa_s->normal_scans = 0; 2962 wpa_s->scan_req = MANUAL_SCAN_REQ; 2963 os_free(wpa_s->manual_scan_freqs); 2964 wpa_s->manual_scan_freqs = freqs; 2965 wpa_s->after_wps = 0; 2966 wpa_s->known_wps_freq = 0; 2967 wpa_supplicant_req_scan(wpa_s, 0, 0); 2968 2969 return 0; 2970 } 2971 2972 2973 static void gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token, 2974 enum gas_query_result result, 2975 const struct wpabuf *adv_proto, 2976 const struct wpabuf *resp, u16 status_code) 2977 { 2978 struct wpa_supplicant *wpa_s = ctx; 2979 struct wpabuf *n; 2980 2981 wpa_msg(wpa_s, MSG_INFO, GAS_RESPONSE_INFO "addr=" MACSTR 2982 " dialog_token=%d status_code=%d resp_len=%d", 2983 MAC2STR(addr), dialog_token, status_code, 2984 resp ? (int) wpabuf_len(resp) : -1); 2985 if (!resp) 2986 return; 2987 2988 n = wpabuf_dup(resp); 2989 if (n == NULL) 2990 return; 2991 wpabuf_free(wpa_s->prev_gas_resp); 2992 wpa_s->prev_gas_resp = wpa_s->last_gas_resp; 2993 os_memcpy(wpa_s->prev_gas_addr, wpa_s->last_gas_addr, ETH_ALEN); 2994 wpa_s->prev_gas_dialog_token = wpa_s->last_gas_dialog_token; 2995 wpa_s->last_gas_resp = n; 2996 os_memcpy(wpa_s->last_gas_addr, addr, ETH_ALEN); 2997 wpa_s->last_gas_dialog_token = dialog_token; 2998 } 2999 3000 3001 int gas_send_request(struct wpa_supplicant *wpa_s, const u8 *dst, 3002 const struct wpabuf *adv_proto, 3003 const struct wpabuf *query) 3004 { 3005 struct wpabuf *buf; 3006 int ret = 0; 3007 int freq; 3008 struct wpa_bss *bss; 3009 int res; 3010 size_t len; 3011 u8 query_resp_len_limit = 0; 3012 3013 freq = wpa_s->assoc_freq; 3014 bss = wpa_bss_get_bssid(wpa_s, dst); 3015 if (bss) 3016 freq = bss->freq; 3017 if (freq <= 0) 3018 return -1; 3019 3020 wpa_msg(wpa_s, MSG_DEBUG, "GAS request to " MACSTR " (freq %d MHz)", 3021 MAC2STR(dst), freq); 3022 wpa_hexdump_buf(MSG_DEBUG, "Advertisement Protocol ID", adv_proto); 3023 wpa_hexdump_buf(MSG_DEBUG, "GAS Query", query); 3024 3025 len = 3 + wpabuf_len(adv_proto) + 2; 3026 if (query) 3027 len += wpabuf_len(query); 3028 buf = gas_build_initial_req(0, len); 3029 if (buf == NULL) 3030 return -1; 3031 3032 /* Advertisement Protocol IE */ 3033 wpabuf_put_u8(buf, WLAN_EID_ADV_PROTO); 3034 wpabuf_put_u8(buf, 1 + wpabuf_len(adv_proto)); /* Length */ 3035 wpabuf_put_u8(buf, query_resp_len_limit & 0x7f); 3036 wpabuf_put_buf(buf, adv_proto); 3037 3038 /* GAS Query */ 3039 if (query) { 3040 wpabuf_put_le16(buf, wpabuf_len(query)); 3041 wpabuf_put_buf(buf, query); 3042 } else 3043 wpabuf_put_le16(buf, 0); 3044 3045 res = gas_query_req(wpa_s->gas, dst, freq, buf, gas_resp_cb, wpa_s); 3046 if (res < 0) { 3047 wpa_msg(wpa_s, MSG_DEBUG, "GAS: Failed to send Query Request"); 3048 wpabuf_free(buf); 3049 ret = -1; 3050 } else 3051 wpa_msg(wpa_s, MSG_DEBUG, 3052 "GAS: Query started with dialog token %u", res); 3053 3054 return ret; 3055 } 3056