1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "common/ocv.h" 16 #include "eapol_supp/eapol_supp_sm.h" 17 #include "common/wpa_common.h" 18 #include "common/sae.h" 19 #include "common/dpp.h" 20 #include "rsn_supp/wpa.h" 21 #include "rsn_supp/pmksa_cache.h" 22 #include "config.h" 23 #include "wpa_supplicant_i.h" 24 #include "driver_i.h" 25 #include "wpas_glue.h" 26 #include "wps_supplicant.h" 27 #include "p2p_supplicant.h" 28 #include "notify.h" 29 #include "bss.h" 30 #include "scan.h" 31 #include "sme.h" 32 #include "hs20_supplicant.h" 33 34 #define SME_AUTH_TIMEOUT 5 35 #define SME_ASSOC_TIMEOUT 5 36 37 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 38 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 39 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 40 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 41 42 43 #ifdef CONFIG_SAE 44 45 static int index_within_array(const int *array, int idx) 46 { 47 int i; 48 for (i = 0; i < idx; i++) { 49 if (array[i] <= 0) 50 return 0; 51 } 52 return 1; 53 } 54 55 56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 57 { 58 int *groups = wpa_s->conf->sae_groups; 59 int default_groups[] = { 19, 20, 21, 0 }; 60 61 if (!groups || groups[0] <= 0) 62 groups = default_groups; 63 64 /* Configuration may have changed, so validate current index */ 65 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 66 return -1; 67 68 for (;;) { 69 int group = groups[wpa_s->sme.sae_group_index]; 70 if (group <= 0) 71 break; 72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 74 wpa_s->sme.sae.group); 75 return 0; 76 } 77 wpa_s->sme.sae_group_index++; 78 } 79 80 return -1; 81 } 82 83 84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 85 struct wpa_ssid *ssid, 86 const u8 *bssid, int external, 87 int reuse, int *ret_use_pt, 88 bool *ret_use_pk) 89 { 90 struct wpabuf *buf; 91 size_t len; 92 const char *password; 93 struct wpa_bss *bss; 94 int use_pt = 0; 95 bool use_pk = false; 96 u8 rsnxe_capa = 0; 97 98 if (ret_use_pt) 99 *ret_use_pt = 0; 100 if (ret_use_pk) 101 *ret_use_pk = false; 102 103 #ifdef CONFIG_TESTING_OPTIONS 104 if (wpa_s->sae_commit_override) { 105 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 106 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 107 if (!buf) 108 return NULL; 109 if (!external) { 110 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 111 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 112 } 113 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 114 return buf; 115 } 116 #endif /* CONFIG_TESTING_OPTIONS */ 117 118 password = ssid->sae_password; 119 if (!password) 120 password = ssid->passphrase; 121 if (!password) { 122 wpa_printf(MSG_DEBUG, "SAE: No password available"); 123 return NULL; 124 } 125 126 if (reuse && wpa_s->sme.sae.tmp && 127 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) { 128 wpa_printf(MSG_DEBUG, 129 "SAE: Reuse previously generated PWE on a retry with the same AP"); 130 use_pt = wpa_s->sme.sae.h2e; 131 use_pk = wpa_s->sme.sae.pk; 132 goto reuse_data; 133 } 134 if (sme_set_sae_group(wpa_s) < 0) { 135 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 136 return NULL; 137 } 138 139 bss = wpa_bss_get_bssid_latest(wpa_s, bssid); 140 if (!bss) { 141 wpa_printf(MSG_DEBUG, 142 "SAE: BSS not available, update scan result to get BSS"); 143 wpa_supplicant_update_scan_results(wpa_s); 144 bss = wpa_bss_get_bssid_latest(wpa_s, bssid); 145 } 146 if (bss) { 147 const u8 *rsnxe; 148 149 rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX); 150 if (rsnxe && rsnxe[1] >= 1) 151 rsnxe_capa = rsnxe[2]; 152 } 153 154 if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3) 155 use_pt = 1; 156 #ifdef CONFIG_SAE_PK 157 if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && 158 ssid->sae_pk != SAE_PK_MODE_DISABLED && 159 ((ssid->sae_password && 160 sae_pk_valid_password(ssid->sae_password)) || 161 (!ssid->sae_password && ssid->passphrase && 162 sae_pk_valid_password(ssid->passphrase)))) { 163 use_pt = 1; 164 use_pk = true; 165 } 166 167 if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) { 168 wpa_printf(MSG_DEBUG, 169 "SAE: Cannot use PK with the selected AP"); 170 return NULL; 171 } 172 #endif /* CONFIG_SAE_PK */ 173 174 if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { 175 use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E)); 176 177 if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && 178 wpa_s->conf->sae_pwe != 3 && 179 !use_pt) { 180 wpa_printf(MSG_DEBUG, 181 "SAE: Cannot use H2E with the selected AP"); 182 return NULL; 183 } 184 } 185 186 if (use_pt && 187 sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, 188 wpa_s->own_addr, bssid, 189 wpa_s->sme.sae_rejected_groups, NULL) < 0) 190 return NULL; 191 if (!use_pt && 192 sae_prepare_commit(wpa_s->own_addr, bssid, 193 (u8 *) password, os_strlen(password), 194 &wpa_s->sme.sae) < 0) { 195 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 196 return NULL; 197 } 198 if (wpa_s->sme.sae.tmp) { 199 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); 200 if (use_pt && use_pk) 201 wpa_s->sme.sae.pk = 1; 202 #ifdef CONFIG_SAE_PK 203 os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr, 204 ETH_ALEN); 205 os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN); 206 sae_pk_set_password(&wpa_s->sme.sae, password); 207 #endif /* CONFIG_SAE_PK */ 208 } 209 210 reuse_data: 211 len = wpa_s->sme.sae_token ? 3 + wpabuf_len(wpa_s->sme.sae_token) : 0; 212 if (ssid->sae_password_id) 213 len += 4 + os_strlen(ssid->sae_password_id); 214 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 215 if (buf == NULL) 216 return NULL; 217 if (!external) { 218 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 219 if (use_pk) 220 wpabuf_put_le16(buf, WLAN_STATUS_SAE_PK); 221 else if (use_pt) 222 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); 223 else 224 wpabuf_put_le16(buf,WLAN_STATUS_SUCCESS); 225 } 226 if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, 227 ssid->sae_password_id) < 0) { 228 wpabuf_free(buf); 229 return NULL; 230 } 231 if (ret_use_pt) 232 *ret_use_pt = use_pt; 233 if (ret_use_pk) 234 *ret_use_pk = use_pk; 235 236 return buf; 237 } 238 239 240 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s, 241 int external) 242 { 243 struct wpabuf *buf; 244 245 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 246 if (buf == NULL) 247 return NULL; 248 249 if (!external) { 250 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 251 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 252 } 253 sae_write_confirm(&wpa_s->sme.sae, buf); 254 255 return buf; 256 } 257 258 #endif /* CONFIG_SAE */ 259 260 261 /** 262 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 263 * @wpa_s: Pointer to wpa_supplicant data 264 * @bss: Pointer to the bss which is the target of authentication attempt 265 */ 266 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 267 struct wpa_bss *bss) 268 { 269 const u8 rrm_ie_len = 5; 270 u8 *pos; 271 const u8 *rrm_ie; 272 273 wpa_s->rrm.rrm_used = 0; 274 275 wpa_printf(MSG_DEBUG, 276 "RRM: Determining whether RRM can be used - device support: 0x%x", 277 wpa_s->drv_rrm_flags); 278 279 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 280 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 281 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 282 return; 283 } 284 285 if (!((wpa_s->drv_rrm_flags & 286 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 287 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 288 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 289 wpa_printf(MSG_DEBUG, 290 "RRM: Insufficient RRM support in driver - do not use RRM"); 291 return; 292 } 293 294 if (sizeof(wpa_s->sme.assoc_req_ie) < 295 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 296 wpa_printf(MSG_INFO, 297 "RRM: Unable to use RRM, no room for RRM IE"); 298 return; 299 } 300 301 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 302 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 303 os_memset(pos, 0, 2 + rrm_ie_len); 304 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 305 *pos++ = rrm_ie_len; 306 307 /* Set supported capabilities flags */ 308 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 309 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 310 311 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 312 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 313 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 314 315 if (wpa_s->lci) 316 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 317 318 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 319 wpa_s->rrm.rrm_used = 1; 320 } 321 322 323 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 324 struct wpa_bss *bss, struct wpa_ssid *ssid, 325 int start) 326 { 327 struct wpa_driver_auth_params params; 328 struct wpa_ssid *old_ssid; 329 #ifdef CONFIG_IEEE80211R 330 const u8 *ie; 331 #endif /* CONFIG_IEEE80211R */ 332 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 333 const u8 *md = NULL; 334 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 335 int bssid_changed; 336 struct wpabuf *resp = NULL; 337 u8 ext_capab[18]; 338 int ext_capab_len; 339 int skip_auth; 340 u8 *wpa_ie; 341 size_t wpa_ie_len; 342 #ifdef CONFIG_MBO 343 const u8 *mbo_ie; 344 #endif /* CONFIG_MBO */ 345 int omit_rsnxe = 0; 346 347 if (bss == NULL) { 348 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 349 "the network"); 350 wpas_connect_work_done(wpa_s); 351 return; 352 } 353 354 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 355 wpa_s->reassoc_same_bss; 356 wpa_s->current_bss = bss; 357 358 os_memset(¶ms, 0, sizeof(params)); 359 wpa_s->reassociate = 0; 360 361 params.freq = bss->freq; 362 params.bssid = bss->bssid; 363 params.ssid = bss->ssid; 364 params.ssid_len = bss->ssid_len; 365 params.p2p = ssid->p2p_group; 366 367 if (wpa_s->sme.ssid_len != params.ssid_len || 368 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 369 wpa_s->sme.prev_bssid_set = 0; 370 371 wpa_s->sme.freq = params.freq; 372 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 373 wpa_s->sme.ssid_len = params.ssid_len; 374 375 params.auth_alg = WPA_AUTH_ALG_OPEN; 376 #ifdef IEEE8021X_EAPOL 377 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 378 if (ssid->leap) { 379 if (ssid->non_leap == 0) 380 params.auth_alg = WPA_AUTH_ALG_LEAP; 381 else 382 params.auth_alg |= WPA_AUTH_ALG_LEAP; 383 } 384 } 385 #endif /* IEEE8021X_EAPOL */ 386 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 387 params.auth_alg); 388 if (ssid->auth_alg) { 389 params.auth_alg = ssid->auth_alg; 390 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 391 "0x%x", params.auth_alg); 392 } 393 #ifdef CONFIG_SAE 394 wpa_s->sme.sae_pmksa_caching = 0; 395 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 396 const u8 *rsn; 397 struct wpa_ie_data ied; 398 399 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 400 if (!rsn) { 401 wpa_dbg(wpa_s, MSG_DEBUG, 402 "SAE enabled, but target BSS does not advertise RSN"); 403 #ifdef CONFIG_DPP 404 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 405 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) && 406 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) { 407 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled"); 408 #endif /* CONFIG_DPP */ 409 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 410 wpa_key_mgmt_sae(ied.key_mgmt)) { 411 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 412 params.auth_alg = WPA_AUTH_ALG_SAE; 413 } else { 414 wpa_dbg(wpa_s, MSG_DEBUG, 415 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 416 } 417 } 418 #endif /* CONFIG_SAE */ 419 420 #ifdef CONFIG_WEP 421 { 422 int i; 423 424 for (i = 0; i < NUM_WEP_KEYS; i++) { 425 if (ssid->wep_key_len[i]) 426 params.wep_key[i] = ssid->wep_key[i]; 427 params.wep_key_len[i] = ssid->wep_key_len[i]; 428 } 429 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 430 } 431 #endif /* CONFIG_WEP */ 432 433 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 434 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 435 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 436 int try_opportunistic; 437 const u8 *cache_id = NULL; 438 439 try_opportunistic = (ssid->proactive_key_caching < 0 ? 440 wpa_s->conf->okc : 441 ssid->proactive_key_caching) && 442 (ssid->proto & WPA_PROTO_RSN); 443 #ifdef CONFIG_FILS 444 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 445 cache_id = wpa_bss_get_fils_cache_id(bss); 446 #endif /* CONFIG_FILS */ 447 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 448 wpa_s->current_ssid, 449 try_opportunistic, cache_id, 450 0) == 0) 451 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 452 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 453 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 454 wpa_s->sme.assoc_req_ie, 455 &wpa_s->sme.assoc_req_ie_len)) { 456 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 457 "key management and encryption suites"); 458 wpas_connect_work_done(wpa_s); 459 return; 460 } 461 #ifdef CONFIG_HS20 462 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) && 463 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) { 464 /* No PMKSA caching, but otherwise similar to RSN/WPA */ 465 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 466 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 467 wpa_s->sme.assoc_req_ie, 468 &wpa_s->sme.assoc_req_ie_len)) { 469 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 470 "key management and encryption suites"); 471 wpas_connect_work_done(wpa_s); 472 return; 473 } 474 #endif /* CONFIG_HS20 */ 475 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 476 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 477 /* 478 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 479 * use non-WPA since the scan results did not indicate that the 480 * AP is using WPA or WPA2. 481 */ 482 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 483 wpa_s->sme.assoc_req_ie_len = 0; 484 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 485 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 486 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 487 wpa_s->sme.assoc_req_ie, 488 &wpa_s->sme.assoc_req_ie_len)) { 489 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 490 "key management and encryption suites (no " 491 "scan results)"); 492 wpas_connect_work_done(wpa_s); 493 return; 494 } 495 #ifdef CONFIG_WPS 496 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 497 struct wpabuf *wps_ie; 498 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 499 if (wps_ie && wpabuf_len(wps_ie) <= 500 sizeof(wpa_s->sme.assoc_req_ie)) { 501 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 502 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 503 wpa_s->sme.assoc_req_ie_len); 504 } else 505 wpa_s->sme.assoc_req_ie_len = 0; 506 wpabuf_free(wps_ie); 507 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 508 #endif /* CONFIG_WPS */ 509 } else { 510 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 511 wpa_s->sme.assoc_req_ie_len = 0; 512 } 513 514 /* In case the WPA vendor IE is used, it should be placed after all the 515 * non-vendor IEs, as the lower layer expects the IEs to be ordered as 516 * defined in the standard. Store the WPA IE so it can later be 517 * inserted at the correct location. 518 */ 519 wpa_ie = NULL; 520 wpa_ie_len = 0; 521 if (wpa_s->wpa_proto == WPA_PROTO_WPA) { 522 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie, 523 wpa_s->sme.assoc_req_ie_len); 524 if (wpa_ie) { 525 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE"); 526 527 wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 528 wpa_s->sme.assoc_req_ie_len = 0; 529 } else { 530 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE"); 531 wpas_connect_work_done(wpa_s); 532 return; 533 } 534 } 535 536 #ifdef CONFIG_IEEE80211R 537 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 538 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 539 md = ie + 2; 540 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 541 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) || 542 !wpa_key_mgmt_ft(wpa_s->key_mgmt))) 543 md = NULL; 544 if (md) { 545 /* Prepare for the next transition */ 546 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 547 } 548 549 if (md) { 550 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 551 md[0], md[1]); 552 553 omit_rsnxe = !wpa_bss_get_ie(bss, WLAN_EID_RSNX); 554 if (wpa_s->sme.assoc_req_ie_len + 5 < 555 sizeof(wpa_s->sme.assoc_req_ie)) { 556 struct rsn_mdie *mdie; 557 u8 *pos = wpa_s->sme.assoc_req_ie + 558 wpa_s->sme.assoc_req_ie_len; 559 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 560 *pos++ = sizeof(*mdie); 561 mdie = (struct rsn_mdie *) pos; 562 os_memcpy(mdie->mobility_domain, md, 563 MOBILITY_DOMAIN_ID_LEN); 564 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 565 wpa_s->sme.assoc_req_ie_len += 5; 566 } 567 568 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used && 569 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 570 wpa_sm_has_ptk(wpa_s->wpa)) { 571 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 572 "over-the-air"); 573 params.auth_alg = WPA_AUTH_ALG_FT; 574 params.ie = wpa_s->sme.ft_ies; 575 params.ie_len = wpa_s->sme.ft_ies_len; 576 } 577 } 578 #endif /* CONFIG_IEEE80211R */ 579 580 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 581 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 582 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 583 struct wpa_ie_data _ie; 584 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 585 _ie.capabilities & 586 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 587 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 588 "MFP: require MFP"); 589 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 590 } 591 } 592 593 #ifdef CONFIG_P2P 594 if (wpa_s->global->p2p) { 595 u8 *pos; 596 size_t len; 597 int res; 598 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 599 len = sizeof(wpa_s->sme.assoc_req_ie) - 600 wpa_s->sme.assoc_req_ie_len; 601 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 602 ssid->p2p_group); 603 if (res >= 0) 604 wpa_s->sme.assoc_req_ie_len += res; 605 } 606 #endif /* CONFIG_P2P */ 607 608 #ifdef CONFIG_FST 609 if (wpa_s->fst_ies) { 610 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 611 612 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 613 sizeof(wpa_s->sme.assoc_req_ie)) { 614 os_memcpy(wpa_s->sme.assoc_req_ie + 615 wpa_s->sme.assoc_req_ie_len, 616 wpabuf_head(wpa_s->fst_ies), 617 fst_ies_len); 618 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 619 } 620 } 621 #endif /* CONFIG_FST */ 622 623 sme_auth_handle_rrm(wpa_s, bss); 624 625 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 626 wpa_s, ssid, bss, 627 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 628 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 629 630 if (params.p2p) 631 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 632 else 633 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 634 635 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 636 sizeof(ext_capab)); 637 if (ext_capab_len > 0) { 638 u8 *pos = wpa_s->sme.assoc_req_ie; 639 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 640 pos += 2 + pos[1]; 641 os_memmove(pos + ext_capab_len, pos, 642 wpa_s->sme.assoc_req_ie_len - 643 (pos - wpa_s->sme.assoc_req_ie)); 644 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 645 os_memcpy(pos, ext_capab, ext_capab_len); 646 } 647 648 #ifdef CONFIG_TESTING_OPTIONS 649 if (wpa_s->rsnxe_override_assoc && 650 wpabuf_len(wpa_s->rsnxe_override_assoc) <= 651 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len) { 652 wpa_printf(MSG_DEBUG, "TESTING: RSNXE AssocReq override"); 653 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 654 wpabuf_head(wpa_s->rsnxe_override_assoc), 655 wpabuf_len(wpa_s->rsnxe_override_assoc)); 656 wpa_s->sme.assoc_req_ie_len += 657 wpabuf_len(wpa_s->rsnxe_override_assoc); 658 } else 659 #endif /* CONFIG_TESTING_OPTIONS */ 660 if (wpa_s->rsnxe_len > 0 && 661 wpa_s->rsnxe_len <= 662 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len && 663 !omit_rsnxe) { 664 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 665 wpa_s->rsnxe, wpa_s->rsnxe_len); 666 wpa_s->sme.assoc_req_ie_len += wpa_s->rsnxe_len; 667 } 668 669 #ifdef CONFIG_HS20 670 if (is_hs20_network(wpa_s, ssid, bss)) { 671 struct wpabuf *hs20; 672 673 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN); 674 if (hs20) { 675 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 676 size_t len; 677 678 wpas_hs20_add_indication(hs20, pps_mo_id, 679 get_hs20_version(bss)); 680 wpas_hs20_add_roam_cons_sel(hs20, ssid); 681 len = sizeof(wpa_s->sme.assoc_req_ie) - 682 wpa_s->sme.assoc_req_ie_len; 683 if (wpabuf_len(hs20) <= len) { 684 os_memcpy(wpa_s->sme.assoc_req_ie + 685 wpa_s->sme.assoc_req_ie_len, 686 wpabuf_head(hs20), wpabuf_len(hs20)); 687 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 688 } 689 wpabuf_free(hs20); 690 } 691 } 692 #endif /* CONFIG_HS20 */ 693 694 if (wpa_ie) { 695 size_t len; 696 697 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE"); 698 699 len = sizeof(wpa_s->sme.assoc_req_ie) - 700 wpa_s->sme.assoc_req_ie_len; 701 702 if (len > wpa_ie_len) { 703 os_memcpy(wpa_s->sme.assoc_req_ie + 704 wpa_s->sme.assoc_req_ie_len, 705 wpa_ie, wpa_ie_len); 706 wpa_s->sme.assoc_req_ie_len += wpa_ie_len; 707 } else { 708 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE"); 709 } 710 711 os_free(wpa_ie); 712 } 713 714 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 715 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 716 size_t len; 717 718 len = sizeof(wpa_s->sme.assoc_req_ie) - 719 wpa_s->sme.assoc_req_ie_len; 720 if (wpabuf_len(buf) <= len) { 721 os_memcpy(wpa_s->sme.assoc_req_ie + 722 wpa_s->sme.assoc_req_ie_len, 723 wpabuf_head(buf), wpabuf_len(buf)); 724 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 725 } 726 } 727 728 #ifdef CONFIG_MBO 729 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE); 730 if (!wpa_s->disable_mbo_oce && mbo_ie) { 731 int len; 732 733 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 734 wpa_s->sme.assoc_req_ie_len, 735 sizeof(wpa_s->sme.assoc_req_ie) - 736 wpa_s->sme.assoc_req_ie_len, 737 !!mbo_attr_from_mbo_ie(mbo_ie, 738 OCE_ATTR_ID_CAPA_IND)); 739 if (len >= 0) 740 wpa_s->sme.assoc_req_ie_len += len; 741 } 742 #endif /* CONFIG_MBO */ 743 744 #ifdef CONFIG_SAE 745 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 746 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 747 NULL, 748 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? 749 WPA_KEY_MGMT_FT_SAE : 750 WPA_KEY_MGMT_SAE) == 0) { 751 wpa_dbg(wpa_s, MSG_DEBUG, 752 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 753 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); 754 params.auth_alg = WPA_AUTH_ALG_OPEN; 755 wpa_s->sme.sae_pmksa_caching = 1; 756 } 757 758 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 759 if (start) 760 resp = sme_auth_build_sae_commit(wpa_s, ssid, 761 bss->bssid, 0, 762 start == 2, NULL, 763 NULL); 764 else 765 resp = sme_auth_build_sae_confirm(wpa_s, 0); 766 if (resp == NULL) { 767 wpas_connection_failed(wpa_s, bss->bssid); 768 return; 769 } 770 params.auth_data = wpabuf_head(resp); 771 params.auth_data_len = wpabuf_len(resp); 772 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 773 } 774 #endif /* CONFIG_SAE */ 775 776 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 777 os_memset(wpa_s->bssid, 0, ETH_ALEN); 778 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 779 if (bssid_changed) 780 wpas_notify_bssid_changed(wpa_s); 781 782 old_ssid = wpa_s->current_ssid; 783 wpa_s->current_ssid = ssid; 784 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 785 wpa_supplicant_initiate_eapol(wpa_s); 786 787 #ifdef CONFIG_FILS 788 /* TODO: FILS operations can in some cases be done between different 789 * network_ctx (i.e., same credentials can be used with multiple 790 * networks). */ 791 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 792 wpa_key_mgmt_fils(ssid->key_mgmt)) { 793 const u8 *indic; 794 u16 fils_info; 795 const u8 *realm, *username, *rrk; 796 size_t realm_len, username_len, rrk_len; 797 u16 next_seq_num; 798 799 /* 800 * Check FILS Indication element (FILS Information field) bits 801 * indicating supported authentication algorithms against local 802 * configuration (ssid->fils_dh_group). Try to use FILS 803 * authentication only if the AP supports the combination in the 804 * network profile. */ 805 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 806 if (!indic || indic[1] < 2) { 807 wpa_printf(MSG_DEBUG, "SME: " MACSTR 808 " does not include FILS Indication element - cannot use FILS authentication with it", 809 MAC2STR(bss->bssid)); 810 goto no_fils; 811 } 812 813 fils_info = WPA_GET_LE16(indic + 2); 814 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 815 wpa_printf(MSG_DEBUG, "SME: " MACSTR 816 " does not support FILS SK without PFS - cannot use FILS authentication with it", 817 MAC2STR(bss->bssid)); 818 goto no_fils; 819 } 820 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 821 wpa_printf(MSG_DEBUG, "SME: " MACSTR 822 " does not support FILS SK with PFS - cannot use FILS authentication with it", 823 MAC2STR(bss->bssid)); 824 goto no_fils; 825 } 826 827 if (wpa_s->last_con_fail_realm && 828 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap, 829 &username, &username_len, 830 &realm, &realm_len, &next_seq_num, 831 &rrk, &rrk_len) == 0 && 832 realm && realm_len == wpa_s->last_con_fail_realm_len && 833 os_memcmp(realm, wpa_s->last_con_fail_realm, 834 realm_len) == 0) { 835 wpa_printf(MSG_DEBUG, 836 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy"); 837 goto no_fils; 838 } 839 840 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 841 ssid, 0, 842 wpa_bss_get_fils_cache_id(bss), 843 0) == 0) 844 wpa_printf(MSG_DEBUG, 845 "SME: Try to use FILS with PMKSA caching"); 846 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 847 if (resp) { 848 int auth_alg; 849 850 if (ssid->fils_dh_group) 851 wpa_printf(MSG_DEBUG, 852 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 853 ssid->fils_dh_group); 854 else 855 wpa_printf(MSG_DEBUG, 856 "SME: Try to use FILS SK authentication without PFS"); 857 auth_alg = ssid->fils_dh_group ? 858 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 859 params.auth_alg = auth_alg; 860 params.auth_data = wpabuf_head(resp); 861 params.auth_data_len = wpabuf_len(resp); 862 wpa_s->sme.auth_alg = auth_alg; 863 } 864 } 865 no_fils: 866 #endif /* CONFIG_FILS */ 867 868 wpa_supplicant_cancel_sched_scan(wpa_s); 869 wpa_supplicant_cancel_scan(wpa_s); 870 871 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 872 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 873 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 874 875 eapol_sm_notify_portValid(wpa_s->eapol, false); 876 wpa_clear_keys(wpa_s, bss->bssid); 877 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 878 if (old_ssid != wpa_s->current_ssid) 879 wpas_notify_network_changed(wpa_s); 880 881 #ifdef CONFIG_HS20 882 hs20_configure_frame_filters(wpa_s); 883 #endif /* CONFIG_HS20 */ 884 885 #ifdef CONFIG_P2P 886 /* 887 * If multi-channel concurrency is not supported, check for any 888 * frequency conflict. In case of any frequency conflict, remove the 889 * least prioritized connection. 890 */ 891 if (wpa_s->num_multichan_concurrent < 2) { 892 int freq, num; 893 num = get_shared_radio_freqs(wpa_s, &freq, 1); 894 if (num > 0 && freq > 0 && freq != params.freq) { 895 wpa_printf(MSG_DEBUG, 896 "Conflicting frequency found (%d != %d)", 897 freq, params.freq); 898 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 899 params.freq, 900 ssid) < 0) { 901 wpas_connection_failed(wpa_s, bss->bssid); 902 wpa_supplicant_mark_disassoc(wpa_s); 903 wpabuf_free(resp); 904 wpas_connect_work_done(wpa_s); 905 return; 906 } 907 } 908 } 909 #endif /* CONFIG_P2P */ 910 911 if (skip_auth) { 912 wpa_msg(wpa_s, MSG_DEBUG, 913 "SME: Skip authentication step on reassoc-to-same-BSS"); 914 wpabuf_free(resp); 915 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 916 return; 917 } 918 919 920 wpa_s->sme.auth_alg = params.auth_alg; 921 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 922 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 923 "driver failed"); 924 wpas_connection_failed(wpa_s, bss->bssid); 925 wpa_supplicant_mark_disassoc(wpa_s); 926 wpabuf_free(resp); 927 wpas_connect_work_done(wpa_s); 928 return; 929 } 930 931 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 932 NULL); 933 934 /* 935 * Association will be started based on the authentication event from 936 * the driver. 937 */ 938 939 wpabuf_free(resp); 940 } 941 942 943 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 944 { 945 struct wpa_connect_work *cwork = work->ctx; 946 struct wpa_supplicant *wpa_s = work->wpa_s; 947 948 wpa_s->roam_in_progress = false; 949 950 if (deinit) { 951 if (work->started) 952 wpa_s->connect_work = NULL; 953 954 wpas_connect_work_free(cwork); 955 return; 956 } 957 958 wpa_s->connect_work = work; 959 960 if (cwork->bss_removed || 961 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 962 wpas_network_disabled(wpa_s, cwork->ssid)) { 963 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 964 wpas_connect_work_done(wpa_s); 965 return; 966 } 967 968 /* Starting new connection, so clear the possibly used WPA IE from the 969 * previous association. */ 970 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 971 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 972 wpa_s->rsnxe_len = 0; 973 974 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 975 } 976 977 978 void sme_authenticate(struct wpa_supplicant *wpa_s, 979 struct wpa_bss *bss, struct wpa_ssid *ssid) 980 { 981 struct wpa_connect_work *cwork; 982 983 if (bss == NULL || ssid == NULL) 984 return; 985 if (wpa_s->connect_work) { 986 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 987 return; 988 } 989 990 if (wpa_s->roam_in_progress) { 991 wpa_dbg(wpa_s, MSG_DEBUG, 992 "SME: Reject sme_authenticate() in favor of explicit roam request"); 993 return; 994 } 995 if (radio_work_pending(wpa_s, "sme-connect")) { 996 /* 997 * The previous sme-connect work might no longer be valid due to 998 * the fact that the BSS list was updated. In addition, it makes 999 * sense to adhere to the 'newer' decision. 1000 */ 1001 wpa_dbg(wpa_s, MSG_DEBUG, 1002 "SME: Remove previous pending sme-connect"); 1003 radio_remove_works(wpa_s, "sme-connect", 0); 1004 } 1005 1006 wpas_abort_ongoing_scan(wpa_s); 1007 1008 cwork = os_zalloc(sizeof(*cwork)); 1009 if (cwork == NULL) 1010 return; 1011 cwork->bss = bss; 1012 cwork->ssid = ssid; 1013 cwork->sme = 1; 1014 1015 #ifdef CONFIG_SAE 1016 wpa_s->sme.sae.state = SAE_NOTHING; 1017 wpa_s->sme.sae.send_confirm = 0; 1018 wpa_s->sme.sae_group_index = 0; 1019 #endif /* CONFIG_SAE */ 1020 1021 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 1022 sme_auth_start_cb, cwork) < 0) 1023 wpas_connect_work_free(cwork); 1024 } 1025 1026 1027 #ifdef CONFIG_SAE 1028 1029 static int sme_external_auth_build_buf(struct wpabuf *buf, 1030 struct wpabuf *params, 1031 const u8 *sa, const u8 *da, 1032 u16 auth_transaction, u16 seq_num, 1033 u16 status_code) 1034 { 1035 struct ieee80211_mgmt *resp; 1036 1037 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 1038 u.auth.variable)); 1039 1040 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 1041 (WLAN_FC_STYPE_AUTH << 4)); 1042 os_memcpy(resp->da, da, ETH_ALEN); 1043 os_memcpy(resp->sa, sa, ETH_ALEN); 1044 os_memcpy(resp->bssid, da, ETH_ALEN); 1045 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE); 1046 resp->seq_ctrl = host_to_le16(seq_num << 4); 1047 resp->u.auth.auth_transaction = host_to_le16(auth_transaction); 1048 resp->u.auth.status_code = host_to_le16(status_code); 1049 if (params) 1050 wpabuf_put_buf(buf, params); 1051 1052 return 0; 1053 } 1054 1055 1056 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s, 1057 const u8 *bssid, 1058 struct wpa_ssid *ssid) 1059 { 1060 struct wpabuf *resp, *buf; 1061 int use_pt; 1062 bool use_pk; 1063 u16 status; 1064 1065 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt, 1066 &use_pk); 1067 if (!resp) { 1068 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit"); 1069 return -1; 1070 } 1071 1072 wpa_s->sme.sae.state = SAE_COMMITTED; 1073 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp)); 1074 if (!buf) { 1075 wpabuf_free(resp); 1076 return -1; 1077 } 1078 1079 wpa_s->sme.seq_num++; 1080 if (use_pk) 1081 status = WLAN_STATUS_SAE_PK; 1082 else if (use_pt) 1083 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT; 1084 else 1085 status = WLAN_STATUS_SUCCESS; 1086 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1087 bssid, 1, wpa_s->sme.seq_num, status); 1088 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1089 wpabuf_free(resp); 1090 wpabuf_free(buf); 1091 1092 return 0; 1093 } 1094 1095 1096 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s, 1097 u16 status) 1098 { 1099 struct external_auth params; 1100 1101 os_memset(¶ms, 0, sizeof(params)); 1102 params.status = status; 1103 params.ssid = wpa_s->sme.ext_auth_ssid; 1104 params.ssid_len = wpa_s->sme.ext_auth_ssid_len; 1105 params.bssid = wpa_s->sme.ext_auth_bssid; 1106 if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS) 1107 params.pmkid = wpa_s->sme.sae.pmkid; 1108 wpa_drv_send_external_auth_status(wpa_s, ¶ms); 1109 } 1110 1111 1112 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, 1113 union wpa_event_data *data) 1114 { 1115 struct wpa_ssid *ssid; 1116 size_t ssid_str_len = data->external_auth.ssid_len; 1117 const u8 *ssid_str = data->external_auth.ssid; 1118 1119 /* Get the SSID conf from the ssid string obtained */ 1120 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 1121 if (!wpas_network_disabled(wpa_s, ssid) && 1122 ssid_str_len == ssid->ssid_len && 1123 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && 1124 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE))) 1125 break; 1126 } 1127 if (!ssid || 1128 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid, 1129 ssid) < 0) 1130 return -1; 1131 1132 return 0; 1133 } 1134 1135 1136 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s, 1137 const u8 *da) 1138 { 1139 struct wpabuf *resp, *buf; 1140 1141 resp = sme_auth_build_sae_confirm(wpa_s, 1); 1142 if (!resp) { 1143 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure"); 1144 return; 1145 } 1146 1147 wpa_s->sme.sae.state = SAE_CONFIRMED; 1148 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp)); 1149 if (!buf) { 1150 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure"); 1151 wpabuf_free(resp); 1152 return; 1153 } 1154 wpa_s->sme.seq_num++; 1155 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1156 da, 2, wpa_s->sme.seq_num, 1157 WLAN_STATUS_SUCCESS); 1158 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1159 wpabuf_free(resp); 1160 wpabuf_free(buf); 1161 } 1162 1163 1164 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s, 1165 union wpa_event_data *data) 1166 { 1167 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) != 1168 RSN_AUTH_KEY_MGMT_SAE) 1169 return; 1170 1171 if (data->external_auth.action == EXT_AUTH_START) { 1172 if (!data->external_auth.bssid || !data->external_auth.ssid) 1173 return; 1174 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid, 1175 ETH_ALEN); 1176 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid, 1177 data->external_auth.ssid_len); 1178 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len; 1179 wpa_s->sme.seq_num = 0; 1180 wpa_s->sme.sae.state = SAE_NOTHING; 1181 wpa_s->sme.sae.send_confirm = 0; 1182 wpa_s->sme.sae_group_index = 0; 1183 if (sme_handle_external_auth_start(wpa_s, data) < 0) 1184 sme_send_external_auth_status(wpa_s, 1185 WLAN_STATUS_UNSPECIFIED_FAILURE); 1186 } else if (data->external_auth.action == EXT_AUTH_ABORT) { 1187 /* Report failure to driver for the wrong trigger */ 1188 sme_send_external_auth_status(wpa_s, 1189 WLAN_STATUS_UNSPECIFIED_FAILURE); 1190 } 1191 } 1192 1193 1194 static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group) 1195 { 1196 int *groups = wpa_s->conf->sae_groups; 1197 int default_groups[] = { 19, 20, 21, 0 }; 1198 int i; 1199 1200 if (!groups) 1201 groups = default_groups; 1202 1203 for (i = 0; groups[i] > 0; i++) { 1204 if (groups[i] == group) 1205 return 1; 1206 } 1207 1208 return 0; 1209 } 1210 1211 1212 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s, 1213 const struct wpabuf *groups) 1214 { 1215 size_t i, count; 1216 const u8 *pos; 1217 1218 if (!groups) 1219 return 0; 1220 1221 pos = wpabuf_head(groups); 1222 count = wpabuf_len(groups) / 2; 1223 for (i = 0; i < count; i++) { 1224 int enabled; 1225 u16 group; 1226 1227 group = WPA_GET_LE16(pos); 1228 pos += 2; 1229 enabled = sme_sae_is_group_enabled(wpa_s, group); 1230 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s", 1231 group, enabled ? "enabled" : "disabled"); 1232 if (enabled) 1233 return 1; 1234 } 1235 1236 return 0; 1237 } 1238 1239 1240 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 1241 u16 status_code, const u8 *data, size_t len, 1242 int external, const u8 *sa) 1243 { 1244 int *groups; 1245 1246 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 1247 "status code %u", auth_transaction, status_code); 1248 1249 if (auth_transaction == 1 && 1250 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1251 wpa_s->sme.sae.state == SAE_COMMITTED && 1252 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1253 int default_groups[] = { 19, 20, 21, 0 }; 1254 u16 group; 1255 const u8 *token_pos; 1256 size_t token_len; 1257 int h2e = 0; 1258 1259 groups = wpa_s->conf->sae_groups; 1260 if (!groups || groups[0] <= 0) 1261 groups = default_groups; 1262 1263 wpa_hexdump(MSG_DEBUG, "SME: SAE anti-clogging token request", 1264 data, len); 1265 if (len < sizeof(le16)) { 1266 wpa_dbg(wpa_s, MSG_DEBUG, 1267 "SME: Too short SAE anti-clogging token request"); 1268 return -1; 1269 } 1270 group = WPA_GET_LE16(data); 1271 wpa_dbg(wpa_s, MSG_DEBUG, 1272 "SME: SAE anti-clogging token requested (group %u)", 1273 group); 1274 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 1275 WLAN_STATUS_SUCCESS) { 1276 wpa_dbg(wpa_s, MSG_ERROR, 1277 "SME: SAE group %u of anti-clogging request is invalid", 1278 group); 1279 return -1; 1280 } 1281 wpabuf_free(wpa_s->sme.sae_token); 1282 token_pos = data + sizeof(le16); 1283 token_len = len - sizeof(le16); 1284 h2e = wpa_s->sme.sae.h2e; 1285 if (h2e) { 1286 if (token_len < 3) { 1287 wpa_dbg(wpa_s, MSG_DEBUG, 1288 "SME: Too short SAE anti-clogging token container"); 1289 return -1; 1290 } 1291 if (token_pos[0] != WLAN_EID_EXTENSION || 1292 token_pos[1] == 0 || 1293 token_pos[1] > token_len - 2 || 1294 token_pos[2] != WLAN_EID_EXT_ANTI_CLOGGING_TOKEN) { 1295 wpa_dbg(wpa_s, MSG_DEBUG, 1296 "SME: Invalid SAE anti-clogging token container header"); 1297 return -1; 1298 } 1299 token_len = token_pos[1] - 1; 1300 token_pos += 3; 1301 } 1302 wpa_s->sme.sae_token = wpabuf_alloc_copy(token_pos, token_len); 1303 wpa_hexdump_buf(MSG_DEBUG, "SME: Requested anti-clogging token", 1304 wpa_s->sme.sae_token); 1305 if (!external) 1306 sme_send_authentication(wpa_s, wpa_s->current_bss, 1307 wpa_s->current_ssid, 2); 1308 else 1309 sme_external_auth_send_sae_commit( 1310 wpa_s, wpa_s->sme.ext_auth_bssid, 1311 wpa_s->current_ssid); 1312 return 0; 1313 } 1314 1315 if (auth_transaction == 1 && 1316 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1317 wpa_s->sme.sae.state == SAE_COMMITTED && 1318 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1319 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 1320 int_array_add_unique(&wpa_s->sme.sae_rejected_groups, 1321 wpa_s->sme.sae.group); 1322 wpa_s->sme.sae_group_index++; 1323 if (sme_set_sae_group(wpa_s) < 0) 1324 return -1; /* no other groups enabled */ 1325 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 1326 if (!external) 1327 sme_send_authentication(wpa_s, wpa_s->current_bss, 1328 wpa_s->current_ssid, 1); 1329 else 1330 sme_external_auth_send_sae_commit( 1331 wpa_s, wpa_s->sme.ext_auth_bssid, 1332 wpa_s->current_ssid); 1333 return 0; 1334 } 1335 1336 if (auth_transaction == 1 && 1337 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1338 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1339 1340 wpa_msg(wpa_s, MSG_INFO, 1341 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR, 1342 MAC2STR(bssid)); 1343 return -1; 1344 } 1345 1346 if (status_code != WLAN_STATUS_SUCCESS && 1347 status_code != WLAN_STATUS_SAE_HASH_TO_ELEMENT && 1348 status_code != WLAN_STATUS_SAE_PK) { 1349 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1350 1351 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1352 " auth_type=%u auth_transaction=%u status_code=%u", 1353 MAC2STR(bssid), WLAN_AUTH_SAE, 1354 auth_transaction, status_code); 1355 return -1; 1356 } 1357 1358 if (auth_transaction == 1) { 1359 u16 res; 1360 1361 groups = wpa_s->conf->sae_groups; 1362 1363 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 1364 if ((!external && wpa_s->current_bss == NULL) || 1365 wpa_s->current_ssid == NULL) 1366 return -1; 1367 if (wpa_s->sme.sae.state != SAE_COMMITTED) { 1368 wpa_printf(MSG_DEBUG, 1369 "SAE: Ignore commit message while waiting for confirm"); 1370 return 0; 1371 } 1372 if (wpa_s->sme.sae.h2e && status_code == WLAN_STATUS_SUCCESS) { 1373 wpa_printf(MSG_DEBUG, 1374 "SAE: Unexpected use of status code 0 in SAE commit when H2E was expected"); 1375 return -1; 1376 } 1377 if ((!wpa_s->sme.sae.h2e || wpa_s->sme.sae.pk) && 1378 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) { 1379 wpa_printf(MSG_DEBUG, 1380 "SAE: Unexpected use of status code for H2E in SAE commit when H2E was not expected"); 1381 return -1; 1382 } 1383 if (!wpa_s->sme.sae.pk && 1384 status_code == WLAN_STATUS_SAE_PK) { 1385 wpa_printf(MSG_DEBUG, 1386 "SAE: Unexpected use of status code for PK in SAE commit when PK was not expected"); 1387 return -1; 1388 } 1389 1390 if (groups && groups[0] <= 0) 1391 groups = NULL; 1392 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 1393 groups, status_code == 1394 WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1395 status_code == WLAN_STATUS_SAE_PK); 1396 if (res == SAE_SILENTLY_DISCARD) { 1397 wpa_printf(MSG_DEBUG, 1398 "SAE: Drop commit message due to reflection attack"); 1399 return 0; 1400 } 1401 if (res != WLAN_STATUS_SUCCESS) 1402 return -1; 1403 1404 if (wpa_s->sme.sae.tmp && 1405 sme_check_sae_rejected_groups( 1406 wpa_s, 1407 wpa_s->sme.sae.tmp->peer_rejected_groups)) 1408 return -1; 1409 1410 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 1411 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 1412 "commit"); 1413 return -1; 1414 } 1415 1416 wpabuf_free(wpa_s->sme.sae_token); 1417 wpa_s->sme.sae_token = NULL; 1418 if (!external) 1419 sme_send_authentication(wpa_s, wpa_s->current_bss, 1420 wpa_s->current_ssid, 0); 1421 else 1422 sme_external_auth_send_sae_confirm(wpa_s, sa); 1423 return 0; 1424 } else if (auth_transaction == 2) { 1425 if (status_code != WLAN_STATUS_SUCCESS) 1426 return -1; 1427 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 1428 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 1429 return -1; 1430 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 1431 return -1; 1432 wpa_s->sme.sae.state = SAE_ACCEPTED; 1433 sae_clear_temp_data(&wpa_s->sme.sae); 1434 1435 if (external) { 1436 /* Report success to driver */ 1437 sme_send_external_auth_status(wpa_s, 1438 WLAN_STATUS_SUCCESS); 1439 } 1440 1441 return 1; 1442 } 1443 1444 return -1; 1445 } 1446 1447 1448 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid) 1449 { 1450 wpa_printf(MSG_DEBUG, 1451 "SME: SAE completed - setting PMK for 4-way handshake"); 1452 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1453 wpa_s->sme.sae.pmkid, bssid); 1454 if (wpa_s->conf->sae_pmkid_in_assoc) { 1455 /* Update the own RSNE contents now that we have set the PMK 1456 * and added a PMKSA cache entry based on the successfully 1457 * completed SAE exchange. In practice, this will add the PMKID 1458 * into RSNE. */ 1459 if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN > 1460 sizeof(wpa_s->sme.assoc_req_ie)) { 1461 wpa_msg(wpa_s, MSG_WARNING, 1462 "RSN: Not enough room for inserting own PMKID into RSNE"); 1463 return -1; 1464 } 1465 if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie, 1466 &wpa_s->sme.assoc_req_ie_len, 1467 wpa_s->sme.sae.pmkid) < 0) 1468 return -1; 1469 wpa_hexdump(MSG_DEBUG, 1470 "SME: Updated Association Request IEs", 1471 wpa_s->sme.assoc_req_ie, 1472 wpa_s->sme.assoc_req_ie_len); 1473 } 1474 1475 return 0; 1476 } 1477 1478 1479 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, 1480 const u8 *auth_frame, size_t len) 1481 { 1482 const struct ieee80211_mgmt *header; 1483 size_t auth_length; 1484 1485 header = (const struct ieee80211_mgmt *) auth_frame; 1486 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth); 1487 1488 if (len < auth_length) { 1489 /* Notify failure to the driver */ 1490 sme_send_external_auth_status(wpa_s, 1491 WLAN_STATUS_UNSPECIFIED_FAILURE); 1492 return; 1493 } 1494 1495 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { 1496 int res; 1497 1498 res = sme_sae_auth( 1499 wpa_s, le_to_host16(header->u.auth.auth_transaction), 1500 le_to_host16(header->u.auth.status_code), 1501 header->u.auth.variable, 1502 len - auth_length, 1, header->sa); 1503 if (res < 0) { 1504 /* Notify failure to the driver */ 1505 sme_send_external_auth_status( 1506 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE); 1507 return; 1508 } 1509 if (res != 1) 1510 return; 1511 1512 if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0) 1513 return; 1514 } 1515 } 1516 1517 #endif /* CONFIG_SAE */ 1518 1519 1520 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 1521 { 1522 struct wpa_ssid *ssid = wpa_s->current_ssid; 1523 1524 if (ssid == NULL) { 1525 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1526 "when network is not selected"); 1527 return; 1528 } 1529 1530 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 1531 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1532 "when not in authenticating state"); 1533 return; 1534 } 1535 1536 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 1537 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 1538 "unexpected peer " MACSTR, 1539 MAC2STR(data->auth.peer)); 1540 return; 1541 } 1542 1543 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 1544 " auth_type=%d auth_transaction=%d status_code=%d", 1545 MAC2STR(data->auth.peer), data->auth.auth_type, 1546 data->auth.auth_transaction, data->auth.status_code); 1547 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 1548 data->auth.ies, data->auth.ies_len); 1549 1550 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1551 1552 #ifdef CONFIG_SAE 1553 if (data->auth.auth_type == WLAN_AUTH_SAE) { 1554 int res; 1555 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 1556 data->auth.status_code, data->auth.ies, 1557 data->auth.ies_len, 0, data->auth.peer); 1558 if (res < 0) { 1559 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1560 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1561 1562 } 1563 if (res != 1) 1564 return; 1565 1566 if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0) 1567 return; 1568 } 1569 #endif /* CONFIG_SAE */ 1570 1571 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 1572 char *ie_txt = NULL; 1573 1574 if (data->auth.ies && data->auth.ies_len) { 1575 size_t buflen = 2 * data->auth.ies_len + 1; 1576 ie_txt = os_malloc(buflen); 1577 if (ie_txt) { 1578 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 1579 data->auth.ies_len); 1580 } 1581 } 1582 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1583 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 1584 MAC2STR(data->auth.peer), data->auth.auth_type, 1585 data->auth.auth_transaction, data->auth.status_code, 1586 ie_txt ? " ie=" : "", 1587 ie_txt ? ie_txt : ""); 1588 os_free(ie_txt); 1589 1590 #ifdef CONFIG_FILS 1591 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS || 1592 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS) 1593 fils_connection_failure(wpa_s); 1594 #endif /* CONFIG_FILS */ 1595 1596 if (data->auth.status_code != 1597 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 1598 wpa_s->sme.auth_alg == data->auth.auth_type || 1599 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 1600 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1601 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1602 return; 1603 } 1604 1605 wpas_connect_work_done(wpa_s); 1606 1607 switch (data->auth.auth_type) { 1608 case WLAN_AUTH_OPEN: 1609 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 1610 1611 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 1612 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1613 wpa_s->current_ssid); 1614 return; 1615 1616 case WLAN_AUTH_SHARED_KEY: 1617 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 1618 1619 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 1620 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1621 wpa_s->current_ssid); 1622 return; 1623 1624 default: 1625 return; 1626 } 1627 } 1628 1629 #ifdef CONFIG_IEEE80211R 1630 if (data->auth.auth_type == WLAN_AUTH_FT) { 1631 const u8 *ric_ies = NULL; 1632 size_t ric_ies_len = 0; 1633 1634 if (wpa_s->ric_ies) { 1635 ric_ies = wpabuf_head(wpa_s->ric_ies); 1636 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1637 } 1638 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1639 data->auth.ies_len, 0, 1640 data->auth.peer, 1641 ric_ies, ric_ies_len) < 0) { 1642 wpa_dbg(wpa_s, MSG_DEBUG, 1643 "SME: FT Authentication response processing failed"); 1644 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1645 MACSTR 1646 " reason=%d locally_generated=1", 1647 MAC2STR(wpa_s->pending_bssid), 1648 WLAN_REASON_DEAUTH_LEAVING); 1649 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1650 wpa_supplicant_mark_disassoc(wpa_s); 1651 return; 1652 } 1653 } 1654 #endif /* CONFIG_IEEE80211R */ 1655 1656 #ifdef CONFIG_FILS 1657 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1658 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1659 u16 expect_auth_type; 1660 1661 expect_auth_type = wpa_s->sme.auth_alg == 1662 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1663 WLAN_AUTH_FILS_SK; 1664 if (data->auth.auth_type != expect_auth_type) { 1665 wpa_dbg(wpa_s, MSG_DEBUG, 1666 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1667 data->auth.auth_type, expect_auth_type); 1668 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1669 MACSTR 1670 " reason=%d locally_generated=1", 1671 MAC2STR(wpa_s->pending_bssid), 1672 WLAN_REASON_DEAUTH_LEAVING); 1673 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1674 wpa_supplicant_mark_disassoc(wpa_s); 1675 return; 1676 } 1677 1678 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1679 data->auth.ies, data->auth.ies_len) < 0) { 1680 wpa_dbg(wpa_s, MSG_DEBUG, 1681 "SME: FILS Authentication response processing failed"); 1682 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1683 MACSTR 1684 " reason=%d locally_generated=1", 1685 MAC2STR(wpa_s->pending_bssid), 1686 WLAN_REASON_DEAUTH_LEAVING); 1687 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1688 wpa_supplicant_mark_disassoc(wpa_s); 1689 return; 1690 } 1691 } 1692 #endif /* CONFIG_FILS */ 1693 1694 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1695 data->auth.auth_type); 1696 } 1697 1698 1699 #ifdef CONFIG_IEEE80211R 1700 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1701 { 1702 u8 *pos, *next, *end; 1703 1704 pos = (u8 *) get_ie(buf, *len, eid); 1705 if (pos) { 1706 next = pos + 2 + pos[1]; 1707 end = buf + *len; 1708 *len -= 2 + pos[1]; 1709 os_memmove(pos, next, end - next); 1710 } 1711 } 1712 #endif /* CONFIG_IEEE80211R */ 1713 1714 1715 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1716 const u8 *bssid, u16 auth_type) 1717 { 1718 struct wpa_driver_associate_params params; 1719 struct ieee802_11_elems elems; 1720 struct wpa_ssid *ssid = wpa_s->current_ssid; 1721 #ifdef CONFIG_FILS 1722 u8 nonces[2 * FILS_NONCE_LEN]; 1723 #endif /* CONFIG_FILS */ 1724 #ifdef CONFIG_HT_OVERRIDES 1725 struct ieee80211_ht_capabilities htcaps; 1726 struct ieee80211_ht_capabilities htcaps_mask; 1727 #endif /* CONFIG_HT_OVERRIDES */ 1728 #ifdef CONFIG_VHT_OVERRIDES 1729 struct ieee80211_vht_capabilities vhtcaps; 1730 struct ieee80211_vht_capabilities vhtcaps_mask; 1731 #endif /* CONFIG_VHT_OVERRIDES */ 1732 1733 os_memset(¶ms, 0, sizeof(params)); 1734 1735 #ifdef CONFIG_FILS 1736 if (auth_type == WLAN_AUTH_FILS_SK || 1737 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1738 struct wpabuf *buf; 1739 const u8 *snonce, *anonce; 1740 const unsigned int max_hlp = 20; 1741 struct wpabuf *hlp[max_hlp]; 1742 unsigned int i, num_hlp = 0; 1743 struct fils_hlp_req *req; 1744 1745 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1746 list) { 1747 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1748 wpabuf_len(req->pkt)); 1749 if (!hlp[num_hlp]) 1750 break; 1751 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1752 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1753 ETH_ALEN); 1754 wpabuf_put_data(hlp[num_hlp], 1755 "\xaa\xaa\x03\x00\x00\x00", 6); 1756 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1757 num_hlp++; 1758 if (num_hlp >= max_hlp) 1759 break; 1760 } 1761 1762 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1763 ¶ms.fils_kek_len, &snonce, 1764 &anonce, 1765 (const struct wpabuf **) hlp, 1766 num_hlp); 1767 for (i = 0; i < num_hlp; i++) 1768 wpabuf_free(hlp[i]); 1769 if (!buf) 1770 return; 1771 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1772 wpa_s->sme.assoc_req_ie, 1773 wpa_s->sme.assoc_req_ie_len); 1774 #ifdef CONFIG_IEEE80211R 1775 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1776 /* Remove RSNE and MDE to allow them to be overridden 1777 * with FILS+FT specific values from 1778 * fils_build_assoc_req(). */ 1779 remove_ie(wpa_s->sme.assoc_req_ie, 1780 &wpa_s->sme.assoc_req_ie_len, 1781 WLAN_EID_RSN); 1782 wpa_hexdump(MSG_DEBUG, 1783 "FILS: assoc_req after RSNE removal", 1784 wpa_s->sme.assoc_req_ie, 1785 wpa_s->sme.assoc_req_ie_len); 1786 remove_ie(wpa_s->sme.assoc_req_ie, 1787 &wpa_s->sme.assoc_req_ie_len, 1788 WLAN_EID_MOBILITY_DOMAIN); 1789 wpa_hexdump(MSG_DEBUG, 1790 "FILS: assoc_req after MDE removal", 1791 wpa_s->sme.assoc_req_ie, 1792 wpa_s->sme.assoc_req_ie_len); 1793 } 1794 #endif /* CONFIG_IEEE80211R */ 1795 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1796 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1797 sizeof(wpa_s->sme.assoc_req_ie)) { 1798 wpa_printf(MSG_ERROR, 1799 "FILS: Not enough buffer room for own AssocReq elements"); 1800 wpabuf_free(buf); 1801 return; 1802 } 1803 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1804 wpabuf_head(buf), wpabuf_len(buf)); 1805 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1806 wpabuf_free(buf); 1807 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1808 wpa_s->sme.assoc_req_ie, 1809 wpa_s->sme.assoc_req_ie_len); 1810 1811 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1812 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1813 params.fils_nonces = nonces; 1814 params.fils_nonces_len = sizeof(nonces); 1815 } 1816 #endif /* CONFIG_FILS */ 1817 1818 #ifdef CONFIG_OWE 1819 #ifdef CONFIG_TESTING_OPTIONS 1820 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1821 WLAN_EID_EXT_OWE_DH_PARAM)) { 1822 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1823 } else 1824 #endif /* CONFIG_TESTING_OPTIONS */ 1825 if (auth_type == WLAN_AUTH_OPEN && 1826 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1827 struct wpabuf *owe_ie; 1828 u16 group; 1829 1830 if (ssid && ssid->owe_group) { 1831 group = ssid->owe_group; 1832 } else if (wpa_s->assoc_status_code == 1833 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) { 1834 if (wpa_s->last_owe_group == 19) 1835 group = 20; 1836 else if (wpa_s->last_owe_group == 20) 1837 group = 21; 1838 else 1839 group = OWE_DH_GROUP; 1840 } else { 1841 group = OWE_DH_GROUP; 1842 } 1843 1844 wpa_s->last_owe_group = group; 1845 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group); 1846 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1847 if (!owe_ie) { 1848 wpa_printf(MSG_ERROR, 1849 "OWE: Failed to build IE for Association Request frame"); 1850 return; 1851 } 1852 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1853 sizeof(wpa_s->sme.assoc_req_ie)) { 1854 wpa_printf(MSG_ERROR, 1855 "OWE: Not enough buffer room for own Association Request frame elements"); 1856 wpabuf_free(owe_ie); 1857 return; 1858 } 1859 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1860 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1861 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1862 wpabuf_free(owe_ie); 1863 } 1864 #endif /* CONFIG_OWE */ 1865 1866 #ifdef CONFIG_DPP2 1867 if (DPP_VERSION > 1 && wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && ssid && 1868 ssid->dpp_netaccesskey && ssid->dpp_pfs != 2 && 1869 !ssid->dpp_pfs_fallback) { 1870 struct rsn_pmksa_cache_entry *pmksa; 1871 1872 pmksa = pmksa_cache_get_current(wpa_s->wpa); 1873 if (!pmksa || !pmksa->dpp_pfs) 1874 goto pfs_fail; 1875 1876 dpp_pfs_free(wpa_s->dpp_pfs); 1877 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey, 1878 ssid->dpp_netaccesskey_len); 1879 if (!wpa_s->dpp_pfs) { 1880 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS"); 1881 /* Try to continue without PFS */ 1882 goto pfs_fail; 1883 } 1884 if (wpa_s->sme.assoc_req_ie_len + 1885 wpabuf_len(wpa_s->dpp_pfs->ie) > 1886 sizeof(wpa_s->sme.assoc_req_ie)) { 1887 wpa_printf(MSG_ERROR, 1888 "DPP: Not enough buffer room for own Association Request frame elements"); 1889 dpp_pfs_free(wpa_s->dpp_pfs); 1890 wpa_s->dpp_pfs = NULL; 1891 goto pfs_fail; 1892 } 1893 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1894 wpabuf_head(wpa_s->dpp_pfs->ie), 1895 wpabuf_len(wpa_s->dpp_pfs->ie)); 1896 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie); 1897 } 1898 pfs_fail: 1899 #endif /* CONFIG_DPP2 */ 1900 1901 wpa_s->mscs_setup_done = false; 1902 if (wpa_bss_ext_capab(wpa_s->current_bss, WLAN_EXT_CAPAB_MSCS) && 1903 wpa_s->robust_av.valid_config) { 1904 struct wpabuf *mscs_ie; 1905 size_t mscs_ie_len, buf_len, *wpa_ie_len, max_ie_len; 1906 1907 buf_len = 3 + /* MSCS descriptor IE header */ 1908 1 + /* Request type */ 1909 2 + /* User priority control */ 1910 4 + /* Stream timeout */ 1911 3 + /* TCLAS Mask IE header */ 1912 wpa_s->robust_av.frame_classifier_len; 1913 mscs_ie = wpabuf_alloc(buf_len); 1914 if (!mscs_ie) { 1915 wpa_printf(MSG_INFO, 1916 "MSCS: Failed to allocate MSCS IE"); 1917 goto mscs_fail; 1918 } 1919 1920 wpa_ie_len = &wpa_s->sme.assoc_req_ie_len; 1921 max_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 1922 wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie); 1923 if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) { 1924 wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie); 1925 mscs_ie_len = wpabuf_len(mscs_ie); 1926 os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len, 1927 wpabuf_head(mscs_ie), mscs_ie_len); 1928 *wpa_ie_len += mscs_ie_len; 1929 } 1930 1931 wpabuf_free(mscs_ie); 1932 } 1933 mscs_fail: 1934 1935 if (ssid && ssid->multi_ap_backhaul_sta) { 1936 size_t multi_ap_ie_len; 1937 1938 multi_ap_ie_len = add_multi_ap_ie( 1939 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1940 sizeof(wpa_s->sme.assoc_req_ie) - 1941 wpa_s->sme.assoc_req_ie_len, 1942 MULTI_AP_BACKHAUL_STA); 1943 if (multi_ap_ie_len == 0) { 1944 wpa_printf(MSG_ERROR, 1945 "Multi-AP: Failed to build Multi-AP IE"); 1946 return; 1947 } 1948 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len; 1949 } 1950 1951 params.bssid = bssid; 1952 params.ssid = wpa_s->sme.ssid; 1953 params.ssid_len = wpa_s->sme.ssid_len; 1954 params.freq.freq = wpa_s->sme.freq; 1955 params.bg_scan_period = ssid ? ssid->bg_scan_period : -1; 1956 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1957 wpa_s->sme.assoc_req_ie : NULL; 1958 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1959 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs", 1960 params.wpa_ie, params.wpa_ie_len); 1961 params.pairwise_suite = wpa_s->pairwise_cipher; 1962 params.group_suite = wpa_s->group_cipher; 1963 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1964 params.key_mgmt_suite = wpa_s->key_mgmt; 1965 params.wpa_proto = wpa_s->wpa_proto; 1966 #ifdef CONFIG_HT_OVERRIDES 1967 os_memset(&htcaps, 0, sizeof(htcaps)); 1968 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1969 params.htcaps = (u8 *) &htcaps; 1970 params.htcaps_mask = (u8 *) &htcaps_mask; 1971 wpa_supplicant_apply_ht_overrides(wpa_s, ssid, ¶ms); 1972 #endif /* CONFIG_HT_OVERRIDES */ 1973 #ifdef CONFIG_VHT_OVERRIDES 1974 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1975 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1976 params.vhtcaps = &vhtcaps; 1977 params.vhtcaps_mask = &vhtcaps_mask; 1978 wpa_supplicant_apply_vht_overrides(wpa_s, ssid, ¶ms); 1979 #endif /* CONFIG_VHT_OVERRIDES */ 1980 #ifdef CONFIG_HE_OVERRIDES 1981 wpa_supplicant_apply_he_overrides(wpa_s, ssid, ¶ms); 1982 #endif /* CONFIG_HE_OVERRIDES */ 1983 #ifdef CONFIG_IEEE80211R 1984 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies && 1985 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len, 1986 WLAN_EID_RIC_DATA)) { 1987 /* There seems to be a pretty inconvenient bug in the Linux 1988 * kernel IE splitting functionality when RIC is used. For now, 1989 * skip correct behavior in IE construction here (i.e., drop the 1990 * additional non-FT-specific IEs) to avoid kernel issues. This 1991 * is fine since RIC is used only for testing purposes in the 1992 * current implementation. */ 1993 wpa_printf(MSG_INFO, 1994 "SME: Linux kernel workaround - do not try to include additional IEs with RIC"); 1995 params.wpa_ie = wpa_s->sme.ft_ies; 1996 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1997 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1998 const u8 *rm_en, *pos, *end; 1999 size_t rm_en_len = 0; 2000 u8 *rm_en_dup = NULL, *wpos; 2001 2002 /* Remove RSNE, MDE, FTE to allow them to be overridden with 2003 * FT specific values */ 2004 remove_ie(wpa_s->sme.assoc_req_ie, 2005 &wpa_s->sme.assoc_req_ie_len, 2006 WLAN_EID_RSN); 2007 remove_ie(wpa_s->sme.assoc_req_ie, 2008 &wpa_s->sme.assoc_req_ie_len, 2009 WLAN_EID_MOBILITY_DOMAIN); 2010 remove_ie(wpa_s->sme.assoc_req_ie, 2011 &wpa_s->sme.assoc_req_ie_len, 2012 WLAN_EID_FAST_BSS_TRANSITION); 2013 rm_en = get_ie(wpa_s->sme.assoc_req_ie, 2014 wpa_s->sme.assoc_req_ie_len, 2015 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2016 if (rm_en) { 2017 /* Need to remove RM Enabled Capabilities element as 2018 * well temporarily, so that it can be placed between 2019 * RSNE and MDE. */ 2020 rm_en_len = 2 + rm_en[1]; 2021 rm_en_dup = os_memdup(rm_en, rm_en_len); 2022 remove_ie(wpa_s->sme.assoc_req_ie, 2023 &wpa_s->sme.assoc_req_ie_len, 2024 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2025 } 2026 wpa_hexdump(MSG_DEBUG, 2027 "SME: Association Request IEs after FT IE removal", 2028 wpa_s->sme.assoc_req_ie, 2029 wpa_s->sme.assoc_req_ie_len); 2030 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len + 2031 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) { 2032 wpa_printf(MSG_ERROR, 2033 "SME: Not enough buffer room for FT IEs in Association Request frame"); 2034 os_free(rm_en_dup); 2035 return; 2036 } 2037 2038 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len + 2039 rm_en_len, 2040 wpa_s->sme.assoc_req_ie, 2041 wpa_s->sme.assoc_req_ie_len); 2042 pos = wpa_s->sme.ft_ies; 2043 end = pos + wpa_s->sme.ft_ies_len; 2044 wpos = wpa_s->sme.assoc_req_ie; 2045 if (*pos == WLAN_EID_RSN) { 2046 os_memcpy(wpos, pos, 2 + pos[1]); 2047 wpos += 2 + pos[1]; 2048 pos += 2 + pos[1]; 2049 } 2050 if (rm_en_dup) { 2051 os_memcpy(wpos, rm_en_dup, rm_en_len); 2052 wpos += rm_en_len; 2053 os_free(rm_en_dup); 2054 } 2055 os_memcpy(wpos, pos, end - pos); 2056 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len + 2057 rm_en_len; 2058 params.wpa_ie = wpa_s->sme.assoc_req_ie; 2059 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 2060 wpa_hexdump(MSG_DEBUG, 2061 "SME: Association Request IEs after FT override", 2062 params.wpa_ie, params.wpa_ie_len); 2063 } 2064 #endif /* CONFIG_IEEE80211R */ 2065 params.mode = mode; 2066 params.mgmt_frame_protection = wpa_s->sme.mfp; 2067 params.rrm_used = wpa_s->rrm.rrm_used; 2068 if (wpa_s->sme.prev_bssid_set) 2069 params.prev_bssid = wpa_s->sme.prev_bssid; 2070 2071 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 2072 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 2073 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 2074 params.freq.freq); 2075 2076 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 2077 2078 if (params.wpa_ie == NULL || 2079 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 2080 < 0) { 2081 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 2082 os_memset(&elems, 0, sizeof(elems)); 2083 } 2084 if (elems.rsn_ie) { 2085 params.wpa_proto = WPA_PROTO_RSN; 2086 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 2087 elems.rsn_ie_len + 2); 2088 } else if (elems.wpa_ie) { 2089 params.wpa_proto = WPA_PROTO_WPA; 2090 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 2091 elems.wpa_ie_len + 2); 2092 } else if (elems.osen) { 2093 params.wpa_proto = WPA_PROTO_OSEN; 2094 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 2095 elems.osen_len + 2); 2096 } else 2097 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 2098 if (elems.rsnxe) 2099 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, elems.rsnxe - 2, 2100 elems.rsnxe_len + 2); 2101 else 2102 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 2103 if (ssid && ssid->p2p_group) 2104 params.p2p = 1; 2105 2106 if (wpa_s->p2pdev->set_sta_uapsd) 2107 params.uapsd = wpa_s->p2pdev->sta_uapsd; 2108 else 2109 params.uapsd = -1; 2110 2111 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 2112 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 2113 "driver failed"); 2114 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2115 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2116 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2117 return; 2118 } 2119 2120 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 2121 NULL); 2122 2123 #ifdef CONFIG_TESTING_OPTIONS 2124 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 2125 wpa_s->last_assoc_req_wpa_ie = NULL; 2126 if (params.wpa_ie) 2127 wpa_s->last_assoc_req_wpa_ie = 2128 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 2129 #endif /* CONFIG_TESTING_OPTIONS */ 2130 } 2131 2132 2133 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 2134 const u8 *ies, size_t ies_len) 2135 { 2136 if (md == NULL || ies == NULL) { 2137 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 2138 os_free(wpa_s->sme.ft_ies); 2139 wpa_s->sme.ft_ies = NULL; 2140 wpa_s->sme.ft_ies_len = 0; 2141 wpa_s->sme.ft_used = 0; 2142 return 0; 2143 } 2144 2145 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 2146 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 2147 os_free(wpa_s->sme.ft_ies); 2148 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 2149 if (wpa_s->sme.ft_ies == NULL) 2150 return -1; 2151 wpa_s->sme.ft_ies_len = ies_len; 2152 return 0; 2153 } 2154 2155 2156 static void sme_deauth(struct wpa_supplicant *wpa_s) 2157 { 2158 int bssid_changed; 2159 2160 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 2161 2162 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2163 WLAN_REASON_DEAUTH_LEAVING) < 0) { 2164 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 2165 "failed"); 2166 } 2167 wpa_s->sme.prev_bssid_set = 0; 2168 2169 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2170 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2171 os_memset(wpa_s->bssid, 0, ETH_ALEN); 2172 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2173 if (bssid_changed) 2174 wpas_notify_bssid_changed(wpa_s); 2175 } 2176 2177 2178 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 2179 union wpa_event_data *data) 2180 { 2181 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 2182 "status code %d", MAC2STR(wpa_s->pending_bssid), 2183 data->assoc_reject.status_code); 2184 2185 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2186 2187 #ifdef CONFIG_SAE 2188 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 2189 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 2190 wpa_dbg(wpa_s, MSG_DEBUG, 2191 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 2192 wpa_sm_aborted_cached(wpa_s->wpa); 2193 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 2194 if (wpa_s->current_bss) { 2195 struct wpa_bss *bss = wpa_s->current_bss; 2196 struct wpa_ssid *ssid = wpa_s->current_ssid; 2197 2198 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2199 WLAN_REASON_DEAUTH_LEAVING); 2200 wpas_connect_work_done(wpa_s); 2201 wpa_supplicant_mark_disassoc(wpa_s); 2202 wpa_supplicant_connect(wpa_s, bss, ssid); 2203 return; 2204 } 2205 } 2206 #endif /* CONFIG_SAE */ 2207 2208 /* 2209 * For now, unconditionally terminate the previous authentication. In 2210 * theory, this should not be needed, but mac80211 gets quite confused 2211 * if the authentication is left pending.. Some roaming cases might 2212 * benefit from using the previous authentication, so this could be 2213 * optimized in the future. 2214 */ 2215 sme_deauth(wpa_s); 2216 } 2217 2218 2219 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 2220 union wpa_event_data *data) 2221 { 2222 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 2223 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2224 wpa_supplicant_mark_disassoc(wpa_s); 2225 } 2226 2227 2228 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 2229 union wpa_event_data *data) 2230 { 2231 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 2232 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2233 wpa_supplicant_mark_disassoc(wpa_s); 2234 } 2235 2236 2237 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 2238 struct disassoc_info *info) 2239 { 2240 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 2241 if (wpa_s->sme.prev_bssid_set) { 2242 /* 2243 * cfg80211/mac80211 can get into somewhat confused state if 2244 * the AP only disassociates us and leaves us in authenticated 2245 * state. For now, force the state to be cleared to avoid 2246 * confusing errors if we try to associate with the AP again. 2247 */ 2248 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 2249 "driver state"); 2250 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 2251 WLAN_REASON_DEAUTH_LEAVING); 2252 } 2253 } 2254 2255 2256 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 2257 { 2258 struct wpa_supplicant *wpa_s = eloop_ctx; 2259 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 2260 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 2261 sme_deauth(wpa_s); 2262 } 2263 } 2264 2265 2266 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 2267 { 2268 struct wpa_supplicant *wpa_s = eloop_ctx; 2269 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 2270 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 2271 sme_deauth(wpa_s); 2272 } 2273 } 2274 2275 2276 void sme_state_changed(struct wpa_supplicant *wpa_s) 2277 { 2278 /* Make sure timers are cleaned up appropriately. */ 2279 if (wpa_s->wpa_state != WPA_ASSOCIATING) 2280 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2281 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 2282 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2283 } 2284 2285 2286 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 2287 const u8 *prev_pending_bssid) 2288 { 2289 /* 2290 * mac80211-workaround to force deauth on failed auth cmd, 2291 * requires us to remain in authenticating state to allow the 2292 * second authentication attempt to be continued properly. 2293 */ 2294 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 2295 "to proceed after disconnection event"); 2296 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 2297 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 2298 2299 /* 2300 * Re-arm authentication timer in case auth fails for whatever reason. 2301 */ 2302 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2303 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 2304 NULL); 2305 } 2306 2307 2308 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 2309 { 2310 wpa_s->sme.prev_bssid_set = 0; 2311 #ifdef CONFIG_SAE 2312 wpabuf_free(wpa_s->sme.sae_token); 2313 wpa_s->sme.sae_token = NULL; 2314 sae_clear_data(&wpa_s->sme.sae); 2315 #endif /* CONFIG_SAE */ 2316 #ifdef CONFIG_IEEE80211R 2317 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used) 2318 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 2319 #endif /* CONFIG_IEEE80211R */ 2320 sme_stop_sa_query(wpa_s); 2321 } 2322 2323 2324 void sme_deinit(struct wpa_supplicant *wpa_s) 2325 { 2326 sme_clear_on_disassoc(wpa_s); 2327 #ifdef CONFIG_SAE 2328 os_free(wpa_s->sme.sae_rejected_groups); 2329 wpa_s->sme.sae_rejected_groups = NULL; 2330 #endif /* CONFIG_SAE */ 2331 2332 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2333 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2334 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2335 } 2336 2337 2338 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 2339 const u8 *chan_list, u8 num_channels, 2340 u8 num_intol) 2341 { 2342 struct ieee80211_2040_bss_coex_ie *bc_ie; 2343 struct ieee80211_2040_intol_chan_report *ic_report; 2344 struct wpabuf *buf; 2345 2346 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 2347 " (num_channels=%u num_intol=%u)", 2348 MAC2STR(wpa_s->bssid), num_channels, num_intol); 2349 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 2350 chan_list, num_channels); 2351 2352 buf = wpabuf_alloc(2 + /* action.category + action_code */ 2353 sizeof(struct ieee80211_2040_bss_coex_ie) + 2354 sizeof(struct ieee80211_2040_intol_chan_report) + 2355 num_channels); 2356 if (buf == NULL) 2357 return; 2358 2359 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 2360 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 2361 2362 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 2363 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 2364 bc_ie->length = 1; 2365 if (num_intol) 2366 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 2367 2368 if (num_channels > 0) { 2369 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 2370 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 2371 ic_report->length = num_channels + 1; 2372 ic_report->op_class = 0; 2373 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 2374 num_channels); 2375 } 2376 2377 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2378 wpa_s->own_addr, wpa_s->bssid, 2379 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 2380 wpa_msg(wpa_s, MSG_INFO, 2381 "SME: Failed to send 20/40 BSS Coexistence frame"); 2382 } 2383 2384 wpabuf_free(buf); 2385 } 2386 2387 2388 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 2389 { 2390 struct wpa_bss *bss; 2391 const u8 *ie; 2392 u16 ht_cap; 2393 u8 chan_list[P2P_MAX_CHANNELS], channel; 2394 u8 num_channels = 0, num_intol = 0, i; 2395 2396 if (!wpa_s->sme.sched_obss_scan) 2397 return 0; 2398 2399 wpa_s->sme.sched_obss_scan = 0; 2400 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 2401 return 1; 2402 2403 /* 2404 * Check whether AP uses regulatory triplet or channel triplet in 2405 * country info. Right now the operating class of the BSS channel 2406 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 2407 * based on the assumption that operating class triplet is not used in 2408 * beacon frame. If the First Channel Number/Operating Extension 2409 * Identifier octet has a positive integer value of 201 or greater, 2410 * then its operating class triplet. 2411 * 2412 * TODO: If Supported Operating Classes element is present in beacon 2413 * frame, have to lookup operating class in Annex E and fill them in 2414 * 2040 coex frame. 2415 */ 2416 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 2417 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 2418 return 1; 2419 2420 os_memset(chan_list, 0, sizeof(chan_list)); 2421 2422 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2423 /* Skip other band bss */ 2424 enum hostapd_hw_mode mode; 2425 mode = ieee80211_freq_to_chan(bss->freq, &channel); 2426 if (mode != HOSTAPD_MODE_IEEE80211G && 2427 mode != HOSTAPD_MODE_IEEE80211B) 2428 continue; 2429 2430 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 2431 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 2432 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 2433 " freq=%u chan=%u ht_cap=0x%x", 2434 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 2435 2436 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 2437 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 2438 num_intol++; 2439 2440 /* Check whether the channel is already considered */ 2441 for (i = 0; i < num_channels; i++) { 2442 if (channel == chan_list[i]) 2443 break; 2444 } 2445 if (i != num_channels) 2446 continue; 2447 2448 chan_list[num_channels++] = channel; 2449 } 2450 } 2451 2452 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 2453 return 1; 2454 } 2455 2456 2457 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 2458 struct wpa_driver_scan_params *params) 2459 { 2460 /* Include only affected channels */ 2461 struct hostapd_hw_modes *mode; 2462 int count, i; 2463 int start, end; 2464 2465 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 2466 HOSTAPD_MODE_IEEE80211G, false); 2467 if (mode == NULL) { 2468 /* No channels supported in this band - use empty list */ 2469 params->freqs = os_zalloc(sizeof(int)); 2470 return; 2471 } 2472 2473 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 2474 wpa_s->current_bss) { 2475 const u8 *ie; 2476 2477 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 2478 if (ie && ie[1] >= 2) { 2479 u8 o; 2480 2481 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 2482 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 2483 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 2484 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 2485 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 2486 } 2487 } 2488 2489 start = wpa_s->assoc_freq - 10; 2490 end = wpa_s->assoc_freq + 10; 2491 switch (wpa_s->sme.ht_sec_chan) { 2492 case HT_SEC_CHAN_UNKNOWN: 2493 /* HT40+ possible on channels 1..9 */ 2494 if (wpa_s->assoc_freq <= 2452) 2495 start -= 20; 2496 /* HT40- possible on channels 5-13 */ 2497 if (wpa_s->assoc_freq >= 2432) 2498 end += 20; 2499 break; 2500 case HT_SEC_CHAN_ABOVE: 2501 end += 20; 2502 break; 2503 case HT_SEC_CHAN_BELOW: 2504 start -= 20; 2505 break; 2506 } 2507 wpa_printf(MSG_DEBUG, 2508 "OBSS: assoc_freq %d possible affected range %d-%d", 2509 wpa_s->assoc_freq, start, end); 2510 2511 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 2512 if (params->freqs == NULL) 2513 return; 2514 for (count = 0, i = 0; i < mode->num_channels; i++) { 2515 int freq; 2516 2517 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 2518 continue; 2519 freq = mode->channels[i].freq; 2520 if (freq - 10 >= end || freq + 10 <= start) 2521 continue; /* not affected */ 2522 params->freqs[count++] = freq; 2523 } 2524 } 2525 2526 2527 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 2528 { 2529 struct wpa_supplicant *wpa_s = eloop_ctx; 2530 struct wpa_driver_scan_params params; 2531 2532 if (!wpa_s->current_bss) { 2533 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 2534 return; 2535 } 2536 2537 os_memset(¶ms, 0, sizeof(params)); 2538 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 2539 params.low_priority = 1; 2540 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 2541 2542 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 2543 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 2544 else 2545 wpa_s->sme.sched_obss_scan = 1; 2546 os_free(params.freqs); 2547 2548 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2549 sme_obss_scan_timeout, wpa_s, NULL); 2550 } 2551 2552 2553 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 2554 { 2555 const u8 *ie; 2556 struct wpa_bss *bss = wpa_s->current_bss; 2557 struct wpa_ssid *ssid = wpa_s->current_ssid; 2558 struct hostapd_hw_modes *hw_mode = NULL; 2559 int i; 2560 2561 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2562 wpa_s->sme.sched_obss_scan = 0; 2563 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 2564 if (!enable) 2565 return; 2566 2567 /* 2568 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 2569 * or it expects OBSS scan to be performed by wpa_supplicant. 2570 */ 2571 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 2572 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 2573 ssid == NULL || ssid->mode != WPAS_MODE_INFRA) 2574 return; 2575 2576 #ifdef CONFIG_HT_OVERRIDES 2577 /* No need for OBSS scan if HT40 is explicitly disabled */ 2578 if (ssid->disable_ht40) 2579 return; 2580 #endif /* CONFIG_HT_OVERRIDES */ 2581 2582 if (!wpa_s->hw.modes) 2583 return; 2584 2585 /* only HT caps in 11g mode are relevant */ 2586 for (i = 0; i < wpa_s->hw.num_modes; i++) { 2587 hw_mode = &wpa_s->hw.modes[i]; 2588 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 2589 break; 2590 } 2591 2592 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 2593 if (i == wpa_s->hw.num_modes || !hw_mode || 2594 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2595 return; 2596 2597 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 2598 return; /* Not associated on 2.4 GHz band */ 2599 2600 /* Check whether AP supports HT40 */ 2601 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 2602 if (!ie || ie[1] < 2 || 2603 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2604 return; /* AP does not support HT40 */ 2605 2606 ie = wpa_bss_get_ie(wpa_s->current_bss, 2607 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 2608 if (!ie || ie[1] < 14) 2609 return; /* AP does not request OBSS scans */ 2610 2611 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 2612 if (wpa_s->sme.obss_scan_int < 10) { 2613 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 2614 "replaced with the minimum 10 sec", 2615 wpa_s->sme.obss_scan_int); 2616 wpa_s->sme.obss_scan_int = 10; 2617 } 2618 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 2619 wpa_s->sme.obss_scan_int); 2620 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2621 sme_obss_scan_timeout, wpa_s, NULL); 2622 } 2623 2624 2625 static const unsigned int sa_query_max_timeout = 1000; 2626 static const unsigned int sa_query_retry_timeout = 201; 2627 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */ 2628 2629 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 2630 { 2631 u32 tu; 2632 struct os_reltime now, passed; 2633 os_get_reltime(&now); 2634 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 2635 tu = (passed.sec * 1000000 + passed.usec) / 1024; 2636 if (sa_query_max_timeout < tu) { 2637 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 2638 sme_stop_sa_query(wpa_s); 2639 wpa_supplicant_deauthenticate( 2640 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 2641 return 1; 2642 } 2643 2644 return 0; 2645 } 2646 2647 2648 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 2649 const u8 *trans_id) 2650 { 2651 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2652 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2653 2654 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 2655 MACSTR, MAC2STR(wpa_s->bssid)); 2656 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 2657 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2658 req[0] = WLAN_ACTION_SA_QUERY; 2659 req[1] = WLAN_SA_QUERY_REQUEST; 2660 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2661 2662 #ifdef CONFIG_OCV 2663 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2664 struct wpa_channel_info ci; 2665 2666 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2667 wpa_printf(MSG_WARNING, 2668 "Failed to get channel info for OCI element in SA Query Request frame"); 2669 return; 2670 } 2671 2672 #ifdef CONFIG_TESTING_OPTIONS 2673 if (wpa_s->oci_freq_override_saquery_req) { 2674 wpa_printf(MSG_INFO, 2675 "TEST: Override SA Query Request OCI frequency %d -> %d MHz", 2676 ci.frequency, 2677 wpa_s->oci_freq_override_saquery_req); 2678 ci.frequency = wpa_s->oci_freq_override_saquery_req; 2679 } 2680 #endif /* CONFIG_TESTING_OPTIONS */ 2681 2682 if (ocv_insert_extended_oci(&ci, req + req_len) < 0) 2683 return; 2684 2685 req_len += OCV_OCI_EXTENDED_LEN; 2686 } 2687 #endif /* CONFIG_OCV */ 2688 2689 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2690 wpa_s->own_addr, wpa_s->bssid, 2691 req, req_len, 0) < 0) 2692 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 2693 "Request"); 2694 } 2695 2696 2697 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 2698 { 2699 struct wpa_supplicant *wpa_s = eloop_ctx; 2700 unsigned int timeout, sec, usec; 2701 u8 *trans_id, *nbuf; 2702 2703 if (wpa_s->sme.sa_query_count > 0 && 2704 sme_check_sa_query_timeout(wpa_s)) 2705 return; 2706 2707 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 2708 wpa_s->sme.sa_query_count + 1, 2709 WLAN_SA_QUERY_TR_ID_LEN); 2710 if (nbuf == NULL) { 2711 sme_stop_sa_query(wpa_s); 2712 return; 2713 } 2714 if (wpa_s->sme.sa_query_count == 0) { 2715 /* Starting a new SA Query procedure */ 2716 os_get_reltime(&wpa_s->sme.sa_query_start); 2717 } 2718 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 2719 wpa_s->sme.sa_query_trans_id = nbuf; 2720 wpa_s->sme.sa_query_count++; 2721 2722 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 2723 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 2724 sme_stop_sa_query(wpa_s); 2725 return; 2726 } 2727 2728 timeout = sa_query_retry_timeout; 2729 sec = ((timeout / 1000) * 1024) / 1000; 2730 usec = (timeout % 1000) * 1024; 2731 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 2732 2733 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 2734 wpa_s->sme.sa_query_count); 2735 2736 sme_send_sa_query_req(wpa_s, trans_id); 2737 } 2738 2739 2740 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 2741 { 2742 sme_sa_query_timer(wpa_s, NULL); 2743 } 2744 2745 2746 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 2747 { 2748 if (wpa_s->sme.sa_query_trans_id) 2749 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query"); 2750 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 2751 os_free(wpa_s->sme.sa_query_trans_id); 2752 wpa_s->sme.sa_query_trans_id = NULL; 2753 wpa_s->sme.sa_query_count = 0; 2754 } 2755 2756 2757 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 2758 const u8 *da, u16 reason_code) 2759 { 2760 struct wpa_ssid *ssid; 2761 struct os_reltime now; 2762 2763 if (wpa_s->wpa_state != WPA_COMPLETED) 2764 return; 2765 ssid = wpa_s->current_ssid; 2766 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 2767 return; 2768 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2769 return; 2770 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 2771 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 2772 return; 2773 if (wpa_s->sme.sa_query_count > 0) 2774 return; 2775 #ifdef CONFIG_TESTING_OPTIONS 2776 if (wpa_s->disable_sa_query) 2777 return; 2778 #endif /* CONFIG_TESTING_OPTIONS */ 2779 2780 os_get_reltime(&now); 2781 if (wpa_s->sme.last_unprot_disconnect.sec && 2782 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 2783 return; /* limit SA Query procedure frequency */ 2784 wpa_s->sme.last_unprot_disconnect = now; 2785 2786 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 2787 "possible AP/STA state mismatch - trigger SA Query"); 2788 sme_start_sa_query(wpa_s); 2789 } 2790 2791 2792 void sme_event_ch_switch(struct wpa_supplicant *wpa_s) 2793 { 2794 unsigned int usec; 2795 u32 _rand; 2796 2797 if (wpa_s->wpa_state != WPA_COMPLETED || 2798 !wpa_sm_ocv_enabled(wpa_s->wpa)) 2799 return; 2800 2801 wpa_dbg(wpa_s, MSG_DEBUG, 2802 "SME: Channel switch completed - trigger new SA Query to verify new operating channel"); 2803 sme_stop_sa_query(wpa_s); 2804 2805 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0) 2806 _rand = os_random(); 2807 usec = _rand % (sa_query_ch_switch_max_delay + 1); 2808 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL); 2809 } 2810 2811 2812 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s, 2813 const u8 *sa, const u8 *data, 2814 size_t len) 2815 { 2816 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2817 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2818 2819 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to " 2820 MACSTR, MAC2STR(wpa_s->bssid)); 2821 2822 resp[0] = WLAN_ACTION_SA_QUERY; 2823 resp[1] = WLAN_SA_QUERY_RESPONSE; 2824 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN); 2825 2826 #ifdef CONFIG_OCV 2827 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2828 struct wpa_channel_info ci; 2829 2830 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2831 wpa_printf(MSG_WARNING, 2832 "Failed to get channel info for OCI element in SA Query Response frame"); 2833 return; 2834 } 2835 2836 #ifdef CONFIG_TESTING_OPTIONS 2837 if (wpa_s->oci_freq_override_saquery_resp) { 2838 wpa_printf(MSG_INFO, 2839 "TEST: Override SA Query Response OCI frequency %d -> %d MHz", 2840 ci.frequency, 2841 wpa_s->oci_freq_override_saquery_resp); 2842 ci.frequency = wpa_s->oci_freq_override_saquery_resp; 2843 } 2844 #endif /* CONFIG_TESTING_OPTIONS */ 2845 2846 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0) 2847 return; 2848 2849 resp_len += OCV_OCI_EXTENDED_LEN; 2850 } 2851 #endif /* CONFIG_OCV */ 2852 2853 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2854 wpa_s->own_addr, wpa_s->bssid, 2855 resp, resp_len, 0) < 0) 2856 wpa_msg(wpa_s, MSG_INFO, 2857 "SME: Failed to send SA Query Response"); 2858 } 2859 2860 2861 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s, 2862 const u8 *sa, const u8 *data, 2863 size_t len) 2864 { 2865 int i; 2866 2867 if (!wpa_s->sme.sa_query_trans_id) 2868 return; 2869 2870 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 2871 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2872 2873 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2874 return; 2875 2876 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 2877 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 2878 i * WLAN_SA_QUERY_TR_ID_LEN, 2879 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 2880 break; 2881 } 2882 2883 if (i >= wpa_s->sme.sa_query_count) { 2884 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 2885 "transaction identifier found"); 2886 return; 2887 } 2888 2889 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 2890 "from " MACSTR, MAC2STR(sa)); 2891 sme_stop_sa_query(wpa_s); 2892 } 2893 2894 2895 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa, 2896 const u8 *data, size_t len) 2897 { 2898 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN) 2899 return; 2900 if (is_multicast_ether_addr(da)) { 2901 wpa_printf(MSG_DEBUG, 2902 "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")", 2903 MAC2STR(da), MAC2STR(sa)); 2904 return; 2905 } 2906 2907 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from " 2908 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2909 2910 #ifdef CONFIG_OCV 2911 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2912 struct ieee802_11_elems elems; 2913 struct wpa_channel_info ci; 2914 2915 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN, 2916 len - 1 - WLAN_SA_QUERY_TR_ID_LEN, 2917 &elems, 1) == ParseFailed) { 2918 wpa_printf(MSG_DEBUG, 2919 "SA Query: Failed to parse elements"); 2920 return; 2921 } 2922 2923 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2924 wpa_printf(MSG_WARNING, 2925 "Failed to get channel info to validate received OCI in SA Query Action frame"); 2926 return; 2927 } 2928 2929 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 2930 channel_width_to_int(ci.chanwidth), 2931 ci.seg1_idx) != OCI_SUCCESS) { 2932 wpa_msg(wpa_s, MSG_INFO, OCV_FAILURE "addr=" MACSTR 2933 " frame=saquery%s error=%s", 2934 MAC2STR(sa), data[0] == WLAN_SA_QUERY_REQUEST ? 2935 "req" : "resp", ocv_errorstr); 2936 return; 2937 } 2938 } 2939 #endif /* CONFIG_OCV */ 2940 2941 if (data[0] == WLAN_SA_QUERY_REQUEST) 2942 sme_process_sa_query_request(wpa_s, sa, data, len); 2943 else if (data[0] == WLAN_SA_QUERY_RESPONSE) 2944 sme_process_sa_query_response(wpa_s, sa, data, len); 2945 } 2946