1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "eapol_supp/eapol_supp_sm.h" 16 #include "common/wpa_common.h" 17 #include "common/sae.h" 18 #include "rsn_supp/wpa.h" 19 #include "rsn_supp/pmksa_cache.h" 20 #include "config.h" 21 #include "wpa_supplicant_i.h" 22 #include "driver_i.h" 23 #include "wpas_glue.h" 24 #include "wps_supplicant.h" 25 #include "p2p_supplicant.h" 26 #include "notify.h" 27 #include "bss.h" 28 #include "scan.h" 29 #include "sme.h" 30 #include "hs20_supplicant.h" 31 32 #define SME_AUTH_TIMEOUT 5 33 #define SME_ASSOC_TIMEOUT 5 34 35 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 36 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 37 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 38 #ifdef CONFIG_IEEE80211W 39 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 40 #endif /* CONFIG_IEEE80211W */ 41 42 43 #ifdef CONFIG_SAE 44 45 static int index_within_array(const int *array, int idx) 46 { 47 int i; 48 for (i = 0; i < idx; i++) { 49 if (array[i] <= 0) 50 return 0; 51 } 52 return 1; 53 } 54 55 56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 57 { 58 int *groups = wpa_s->conf->sae_groups; 59 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 60 61 if (!groups || groups[0] <= 0) 62 groups = default_groups; 63 64 /* Configuration may have changed, so validate current index */ 65 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 66 return -1; 67 68 for (;;) { 69 int group = groups[wpa_s->sme.sae_group_index]; 70 if (group <= 0) 71 break; 72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 74 wpa_s->sme.sae.group); 75 return 0; 76 } 77 wpa_s->sme.sae_group_index++; 78 } 79 80 return -1; 81 } 82 83 84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 85 struct wpa_ssid *ssid, 86 const u8 *bssid, int external) 87 { 88 struct wpabuf *buf; 89 size_t len; 90 const char *password; 91 92 #ifdef CONFIG_TESTING_OPTIONS 93 if (wpa_s->sae_commit_override) { 94 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 95 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 96 if (!buf) 97 return NULL; 98 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 99 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 100 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 101 return buf; 102 } 103 #endif /* CONFIG_TESTING_OPTIONS */ 104 105 password = ssid->sae_password; 106 if (!password) 107 password = ssid->passphrase; 108 if (!password) { 109 wpa_printf(MSG_DEBUG, "SAE: No password available"); 110 return NULL; 111 } 112 113 if (sme_set_sae_group(wpa_s) < 0) { 114 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 115 return NULL; 116 } 117 118 if (sae_prepare_commit(wpa_s->own_addr, bssid, 119 (u8 *) password, os_strlen(password), 120 ssid->sae_password_id, 121 &wpa_s->sme.sae) < 0) { 122 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 123 return NULL; 124 } 125 126 len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0; 127 if (ssid->sae_password_id) 128 len += 4 + os_strlen(ssid->sae_password_id); 129 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 130 if (buf == NULL) 131 return NULL; 132 if (!external) { 133 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 134 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 135 } 136 sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, 137 ssid->sae_password_id); 138 139 return buf; 140 } 141 142 143 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s, 144 int external) 145 { 146 struct wpabuf *buf; 147 148 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 149 if (buf == NULL) 150 return NULL; 151 152 if (!external) { 153 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 154 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 155 } 156 sae_write_confirm(&wpa_s->sme.sae, buf); 157 158 return buf; 159 } 160 161 #endif /* CONFIG_SAE */ 162 163 164 /** 165 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 166 * @wpa_s: Pointer to wpa_supplicant data 167 * @bss: Pointer to the bss which is the target of authentication attempt 168 */ 169 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 170 struct wpa_bss *bss) 171 { 172 const u8 rrm_ie_len = 5; 173 u8 *pos; 174 const u8 *rrm_ie; 175 176 wpa_s->rrm.rrm_used = 0; 177 178 wpa_printf(MSG_DEBUG, 179 "RRM: Determining whether RRM can be used - device support: 0x%x", 180 wpa_s->drv_rrm_flags); 181 182 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 183 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 184 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 185 return; 186 } 187 188 if (!((wpa_s->drv_rrm_flags & 189 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 190 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 191 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 192 wpa_printf(MSG_DEBUG, 193 "RRM: Insufficient RRM support in driver - do not use RRM"); 194 return; 195 } 196 197 if (sizeof(wpa_s->sme.assoc_req_ie) < 198 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 199 wpa_printf(MSG_INFO, 200 "RRM: Unable to use RRM, no room for RRM IE"); 201 return; 202 } 203 204 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 205 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 206 os_memset(pos, 0, 2 + rrm_ie_len); 207 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 208 *pos++ = rrm_ie_len; 209 210 /* Set supported capabilites flags */ 211 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 212 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 213 214 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 215 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 216 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 217 218 if (wpa_s->lci) 219 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 220 221 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 222 wpa_s->rrm.rrm_used = 1; 223 } 224 225 226 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 227 struct wpa_bss *bss, struct wpa_ssid *ssid, 228 int start) 229 { 230 struct wpa_driver_auth_params params; 231 struct wpa_ssid *old_ssid; 232 #ifdef CONFIG_IEEE80211R 233 const u8 *ie; 234 #endif /* CONFIG_IEEE80211R */ 235 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 236 const u8 *md = NULL; 237 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 238 int i, bssid_changed; 239 struct wpabuf *resp = NULL; 240 u8 ext_capab[18]; 241 int ext_capab_len; 242 int skip_auth; 243 u8 *wpa_ie; 244 size_t wpa_ie_len; 245 #ifdef CONFIG_MBO 246 const u8 *mbo_ie; 247 #endif /* CONFIG_MBO */ 248 249 if (bss == NULL) { 250 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 251 "the network"); 252 wpas_connect_work_done(wpa_s); 253 return; 254 } 255 256 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 257 wpa_s->reassoc_same_bss; 258 wpa_s->current_bss = bss; 259 260 os_memset(¶ms, 0, sizeof(params)); 261 wpa_s->reassociate = 0; 262 263 params.freq = bss->freq; 264 params.bssid = bss->bssid; 265 params.ssid = bss->ssid; 266 params.ssid_len = bss->ssid_len; 267 params.p2p = ssid->p2p_group; 268 269 if (wpa_s->sme.ssid_len != params.ssid_len || 270 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 271 wpa_s->sme.prev_bssid_set = 0; 272 273 wpa_s->sme.freq = params.freq; 274 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 275 wpa_s->sme.ssid_len = params.ssid_len; 276 277 params.auth_alg = WPA_AUTH_ALG_OPEN; 278 #ifdef IEEE8021X_EAPOL 279 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 280 if (ssid->leap) { 281 if (ssid->non_leap == 0) 282 params.auth_alg = WPA_AUTH_ALG_LEAP; 283 else 284 params.auth_alg |= WPA_AUTH_ALG_LEAP; 285 } 286 } 287 #endif /* IEEE8021X_EAPOL */ 288 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 289 params.auth_alg); 290 if (ssid->auth_alg) { 291 params.auth_alg = ssid->auth_alg; 292 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 293 "0x%x", params.auth_alg); 294 } 295 #ifdef CONFIG_SAE 296 wpa_s->sme.sae_pmksa_caching = 0; 297 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 298 const u8 *rsn; 299 struct wpa_ie_data ied; 300 301 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 302 if (!rsn) { 303 wpa_dbg(wpa_s, MSG_DEBUG, 304 "SAE enabled, but target BSS does not advertise RSN"); 305 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 306 wpa_key_mgmt_sae(ied.key_mgmt)) { 307 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 308 params.auth_alg = WPA_AUTH_ALG_SAE; 309 } else { 310 wpa_dbg(wpa_s, MSG_DEBUG, 311 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 312 } 313 } 314 #endif /* CONFIG_SAE */ 315 316 for (i = 0; i < NUM_WEP_KEYS; i++) { 317 if (ssid->wep_key_len[i]) 318 params.wep_key[i] = ssid->wep_key[i]; 319 params.wep_key_len[i] = ssid->wep_key_len[i]; 320 } 321 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 322 323 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 324 os_memset(wpa_s->bssid, 0, ETH_ALEN); 325 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 326 if (bssid_changed) 327 wpas_notify_bssid_changed(wpa_s); 328 329 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 330 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 331 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 332 int try_opportunistic; 333 const u8 *cache_id = NULL; 334 335 try_opportunistic = (ssid->proactive_key_caching < 0 ? 336 wpa_s->conf->okc : 337 ssid->proactive_key_caching) && 338 (ssid->proto & WPA_PROTO_RSN); 339 #ifdef CONFIG_FILS 340 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 341 cache_id = wpa_bss_get_fils_cache_id(bss); 342 #endif /* CONFIG_FILS */ 343 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 344 wpa_s->current_ssid, 345 try_opportunistic, cache_id, 346 0) == 0) 347 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 348 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 349 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 350 wpa_s->sme.assoc_req_ie, 351 &wpa_s->sme.assoc_req_ie_len)) { 352 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 353 "key management and encryption suites"); 354 wpas_connect_work_done(wpa_s); 355 return; 356 } 357 #ifdef CONFIG_HS20 358 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) && 359 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) { 360 /* No PMKSA caching, but otherwise similar to RSN/WPA */ 361 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 362 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 363 wpa_s->sme.assoc_req_ie, 364 &wpa_s->sme.assoc_req_ie_len)) { 365 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 366 "key management and encryption suites"); 367 wpas_connect_work_done(wpa_s); 368 return; 369 } 370 #endif /* CONFIG_HS20 */ 371 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 372 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 373 /* 374 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 375 * use non-WPA since the scan results did not indicate that the 376 * AP is using WPA or WPA2. 377 */ 378 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 379 wpa_s->sme.assoc_req_ie_len = 0; 380 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 381 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 382 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 383 wpa_s->sme.assoc_req_ie, 384 &wpa_s->sme.assoc_req_ie_len)) { 385 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 386 "key management and encryption suites (no " 387 "scan results)"); 388 wpas_connect_work_done(wpa_s); 389 return; 390 } 391 #ifdef CONFIG_WPS 392 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 393 struct wpabuf *wps_ie; 394 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 395 if (wps_ie && wpabuf_len(wps_ie) <= 396 sizeof(wpa_s->sme.assoc_req_ie)) { 397 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 398 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 399 wpa_s->sme.assoc_req_ie_len); 400 } else 401 wpa_s->sme.assoc_req_ie_len = 0; 402 wpabuf_free(wps_ie); 403 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 404 #endif /* CONFIG_WPS */ 405 } else { 406 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 407 wpa_s->sme.assoc_req_ie_len = 0; 408 } 409 410 /* In case the WPA vendor IE is used, it should be placed after all the 411 * non-vendor IEs, as the lower layer expects the IEs to be ordered as 412 * defined in the standard. Store the WPA IE so it can later be 413 * inserted at the correct location. 414 */ 415 wpa_ie = NULL; 416 wpa_ie_len = 0; 417 if (wpa_s->wpa_proto == WPA_PROTO_WPA) { 418 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie, 419 wpa_s->sme.assoc_req_ie_len); 420 if (wpa_ie) { 421 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE"); 422 423 wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 424 wpa_s->sme.assoc_req_ie_len = 0; 425 } else { 426 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE"); 427 wpas_connect_work_done(wpa_s); 428 return; 429 } 430 } 431 432 #ifdef CONFIG_IEEE80211R 433 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 434 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 435 md = ie + 2; 436 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 437 if (md) { 438 /* Prepare for the next transition */ 439 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 440 } 441 442 if (md && !wpa_key_mgmt_ft(ssid->key_mgmt)) 443 md = NULL; 444 if (md) { 445 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 446 md[0], md[1]); 447 448 if (wpa_s->sme.assoc_req_ie_len + 5 < 449 sizeof(wpa_s->sme.assoc_req_ie)) { 450 struct rsn_mdie *mdie; 451 u8 *pos = wpa_s->sme.assoc_req_ie + 452 wpa_s->sme.assoc_req_ie_len; 453 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 454 *pos++ = sizeof(*mdie); 455 mdie = (struct rsn_mdie *) pos; 456 os_memcpy(mdie->mobility_domain, md, 457 MOBILITY_DOMAIN_ID_LEN); 458 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 459 wpa_s->sme.assoc_req_ie_len += 5; 460 } 461 462 if (wpa_s->sme.ft_used && 463 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 464 wpa_sm_has_ptk(wpa_s->wpa)) { 465 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 466 "over-the-air"); 467 params.auth_alg = WPA_AUTH_ALG_FT; 468 params.ie = wpa_s->sme.ft_ies; 469 params.ie_len = wpa_s->sme.ft_ies_len; 470 } 471 } 472 #endif /* CONFIG_IEEE80211R */ 473 474 #ifdef CONFIG_IEEE80211W 475 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 476 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 477 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 478 struct wpa_ie_data _ie; 479 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 480 _ie.capabilities & 481 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 482 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 483 "MFP: require MFP"); 484 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 485 } 486 } 487 #endif /* CONFIG_IEEE80211W */ 488 489 #ifdef CONFIG_P2P 490 if (wpa_s->global->p2p) { 491 u8 *pos; 492 size_t len; 493 int res; 494 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 495 len = sizeof(wpa_s->sme.assoc_req_ie) - 496 wpa_s->sme.assoc_req_ie_len; 497 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 498 ssid->p2p_group); 499 if (res >= 0) 500 wpa_s->sme.assoc_req_ie_len += res; 501 } 502 #endif /* CONFIG_P2P */ 503 504 #ifdef CONFIG_FST 505 if (wpa_s->fst_ies) { 506 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 507 508 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 509 sizeof(wpa_s->sme.assoc_req_ie)) { 510 os_memcpy(wpa_s->sme.assoc_req_ie + 511 wpa_s->sme.assoc_req_ie_len, 512 wpabuf_head(wpa_s->fst_ies), 513 fst_ies_len); 514 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 515 } 516 } 517 #endif /* CONFIG_FST */ 518 519 sme_auth_handle_rrm(wpa_s, bss); 520 521 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 522 wpa_s, bss->freq, 523 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 524 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 525 526 if (params.p2p) 527 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 528 else 529 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 530 531 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 532 sizeof(ext_capab)); 533 if (ext_capab_len > 0) { 534 u8 *pos = wpa_s->sme.assoc_req_ie; 535 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 536 pos += 2 + pos[1]; 537 os_memmove(pos + ext_capab_len, pos, 538 wpa_s->sme.assoc_req_ie_len - 539 (pos - wpa_s->sme.assoc_req_ie)); 540 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 541 os_memcpy(pos, ext_capab, ext_capab_len); 542 } 543 544 #ifdef CONFIG_HS20 545 if (is_hs20_network(wpa_s, ssid, bss)) { 546 struct wpabuf *hs20; 547 548 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN); 549 if (hs20) { 550 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 551 size_t len; 552 553 wpas_hs20_add_indication(hs20, pps_mo_id); 554 wpas_hs20_add_roam_cons_sel(hs20, ssid); 555 len = sizeof(wpa_s->sme.assoc_req_ie) - 556 wpa_s->sme.assoc_req_ie_len; 557 if (wpabuf_len(hs20) <= len) { 558 os_memcpy(wpa_s->sme.assoc_req_ie + 559 wpa_s->sme.assoc_req_ie_len, 560 wpabuf_head(hs20), wpabuf_len(hs20)); 561 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 562 } 563 wpabuf_free(hs20); 564 } 565 } 566 #endif /* CONFIG_HS20 */ 567 568 if (wpa_ie) { 569 size_t len; 570 571 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE"); 572 573 len = sizeof(wpa_s->sme.assoc_req_ie) - 574 wpa_s->sme.assoc_req_ie_len; 575 576 if (len > wpa_ie_len) { 577 os_memcpy(wpa_s->sme.assoc_req_ie + 578 wpa_s->sme.assoc_req_ie_len, 579 wpa_ie, wpa_ie_len); 580 wpa_s->sme.assoc_req_ie_len += wpa_ie_len; 581 } else { 582 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE"); 583 } 584 585 os_free(wpa_ie); 586 } 587 588 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 589 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 590 size_t len; 591 592 len = sizeof(wpa_s->sme.assoc_req_ie) - 593 wpa_s->sme.assoc_req_ie_len; 594 if (wpabuf_len(buf) <= len) { 595 os_memcpy(wpa_s->sme.assoc_req_ie + 596 wpa_s->sme.assoc_req_ie_len, 597 wpabuf_head(buf), wpabuf_len(buf)); 598 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 599 } 600 } 601 602 #ifdef CONFIG_MBO 603 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE); 604 if (mbo_ie) { 605 int len; 606 607 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 608 wpa_s->sme.assoc_req_ie_len, 609 sizeof(wpa_s->sme.assoc_req_ie) - 610 wpa_s->sme.assoc_req_ie_len, 611 !!mbo_attr_from_mbo_ie(mbo_ie, 612 OCE_ATTR_ID_CAPA_IND)); 613 if (len >= 0) 614 wpa_s->sme.assoc_req_ie_len += len; 615 } 616 #endif /* CONFIG_MBO */ 617 618 #ifdef CONFIG_SAE 619 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 620 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 621 NULL, WPA_KEY_MGMT_SAE) == 0) { 622 wpa_dbg(wpa_s, MSG_DEBUG, 623 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 624 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); 625 params.auth_alg = WPA_AUTH_ALG_OPEN; 626 wpa_s->sme.sae_pmksa_caching = 1; 627 } 628 629 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 630 if (start) 631 resp = sme_auth_build_sae_commit(wpa_s, ssid, 632 bss->bssid, 0); 633 else 634 resp = sme_auth_build_sae_confirm(wpa_s, 0); 635 if (resp == NULL) { 636 wpas_connection_failed(wpa_s, bss->bssid); 637 return; 638 } 639 params.auth_data = wpabuf_head(resp); 640 params.auth_data_len = wpabuf_len(resp); 641 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 642 } 643 #endif /* CONFIG_SAE */ 644 645 old_ssid = wpa_s->current_ssid; 646 wpa_s->current_ssid = ssid; 647 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 648 wpa_supplicant_initiate_eapol(wpa_s); 649 650 #ifdef CONFIG_FILS 651 /* TODO: FILS operations can in some cases be done between different 652 * network_ctx (i.e., same credentials can be used with multiple 653 * networks). */ 654 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 655 wpa_key_mgmt_fils(ssid->key_mgmt)) { 656 const u8 *indic; 657 u16 fils_info; 658 const u8 *realm, *username, *rrk; 659 size_t realm_len, username_len, rrk_len; 660 u16 next_seq_num; 661 662 /* 663 * Check FILS Indication element (FILS Information field) bits 664 * indicating supported authentication algorithms against local 665 * configuration (ssid->fils_dh_group). Try to use FILS 666 * authentication only if the AP supports the combination in the 667 * network profile. */ 668 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 669 if (!indic || indic[1] < 2) { 670 wpa_printf(MSG_DEBUG, "SME: " MACSTR 671 " does not include FILS Indication element - cannot use FILS authentication with it", 672 MAC2STR(bss->bssid)); 673 goto no_fils; 674 } 675 676 fils_info = WPA_GET_LE16(indic + 2); 677 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 678 wpa_printf(MSG_DEBUG, "SME: " MACSTR 679 " does not support FILS SK without PFS - cannot use FILS authentication with it", 680 MAC2STR(bss->bssid)); 681 goto no_fils; 682 } 683 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 684 wpa_printf(MSG_DEBUG, "SME: " MACSTR 685 " does not support FILS SK with PFS - cannot use FILS authentication with it", 686 MAC2STR(bss->bssid)); 687 goto no_fils; 688 } 689 690 if (wpa_s->last_con_fail_realm && 691 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap, 692 &username, &username_len, 693 &realm, &realm_len, &next_seq_num, 694 &rrk, &rrk_len) == 0 && 695 realm && realm_len == wpa_s->last_con_fail_realm_len && 696 os_memcmp(realm, wpa_s->last_con_fail_realm, 697 realm_len) == 0) { 698 wpa_printf(MSG_DEBUG, 699 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy"); 700 goto no_fils; 701 } 702 703 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 704 ssid, 0, 705 wpa_bss_get_fils_cache_id(bss), 706 0) == 0) 707 wpa_printf(MSG_DEBUG, 708 "SME: Try to use FILS with PMKSA caching"); 709 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 710 if (resp) { 711 int auth_alg; 712 713 if (ssid->fils_dh_group) 714 wpa_printf(MSG_DEBUG, 715 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 716 ssid->fils_dh_group); 717 else 718 wpa_printf(MSG_DEBUG, 719 "SME: Try to use FILS SK authentication without PFS"); 720 auth_alg = ssid->fils_dh_group ? 721 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 722 params.auth_alg = auth_alg; 723 params.auth_data = wpabuf_head(resp); 724 params.auth_data_len = wpabuf_len(resp); 725 wpa_s->sme.auth_alg = auth_alg; 726 } 727 } 728 no_fils: 729 #endif /* CONFIG_FILS */ 730 731 wpa_supplicant_cancel_sched_scan(wpa_s); 732 wpa_supplicant_cancel_scan(wpa_s); 733 734 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 735 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 736 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 737 738 eapol_sm_notify_portValid(wpa_s->eapol, FALSE); 739 wpa_clear_keys(wpa_s, bss->bssid); 740 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 741 if (old_ssid != wpa_s->current_ssid) 742 wpas_notify_network_changed(wpa_s); 743 744 #ifdef CONFIG_HS20 745 hs20_configure_frame_filters(wpa_s); 746 #endif /* CONFIG_HS20 */ 747 748 #ifdef CONFIG_P2P 749 /* 750 * If multi-channel concurrency is not supported, check for any 751 * frequency conflict. In case of any frequency conflict, remove the 752 * least prioritized connection. 753 */ 754 if (wpa_s->num_multichan_concurrent < 2) { 755 int freq, num; 756 num = get_shared_radio_freqs(wpa_s, &freq, 1); 757 if (num > 0 && freq > 0 && freq != params.freq) { 758 wpa_printf(MSG_DEBUG, 759 "Conflicting frequency found (%d != %d)", 760 freq, params.freq); 761 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 762 params.freq, 763 ssid) < 0) { 764 wpas_connection_failed(wpa_s, bss->bssid); 765 wpa_supplicant_mark_disassoc(wpa_s); 766 wpabuf_free(resp); 767 wpas_connect_work_done(wpa_s); 768 return; 769 } 770 } 771 } 772 #endif /* CONFIG_P2P */ 773 774 if (skip_auth) { 775 wpa_msg(wpa_s, MSG_DEBUG, 776 "SME: Skip authentication step on reassoc-to-same-BSS"); 777 wpabuf_free(resp); 778 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 779 return; 780 } 781 782 783 wpa_s->sme.auth_alg = params.auth_alg; 784 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 785 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 786 "driver failed"); 787 wpas_connection_failed(wpa_s, bss->bssid); 788 wpa_supplicant_mark_disassoc(wpa_s); 789 wpabuf_free(resp); 790 wpas_connect_work_done(wpa_s); 791 return; 792 } 793 794 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 795 NULL); 796 797 /* 798 * Association will be started based on the authentication event from 799 * the driver. 800 */ 801 802 wpabuf_free(resp); 803 } 804 805 806 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 807 { 808 struct wpa_connect_work *cwork = work->ctx; 809 struct wpa_supplicant *wpa_s = work->wpa_s; 810 811 if (deinit) { 812 if (work->started) 813 wpa_s->connect_work = NULL; 814 815 wpas_connect_work_free(cwork); 816 return; 817 } 818 819 wpa_s->connect_work = work; 820 821 if (cwork->bss_removed || 822 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 823 wpas_network_disabled(wpa_s, cwork->ssid)) { 824 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 825 wpas_connect_work_done(wpa_s); 826 return; 827 } 828 829 /* Starting new connection, so clear the possibly used WPA IE from the 830 * previous association. */ 831 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 832 833 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 834 } 835 836 837 void sme_authenticate(struct wpa_supplicant *wpa_s, 838 struct wpa_bss *bss, struct wpa_ssid *ssid) 839 { 840 struct wpa_connect_work *cwork; 841 842 if (bss == NULL || ssid == NULL) 843 return; 844 if (wpa_s->connect_work) { 845 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 846 return; 847 } 848 849 if (radio_work_pending(wpa_s, "sme-connect")) { 850 /* 851 * The previous sme-connect work might no longer be valid due to 852 * the fact that the BSS list was updated. In addition, it makes 853 * sense to adhere to the 'newer' decision. 854 */ 855 wpa_dbg(wpa_s, MSG_DEBUG, 856 "SME: Remove previous pending sme-connect"); 857 radio_remove_works(wpa_s, "sme-connect", 0); 858 } 859 860 wpas_abort_ongoing_scan(wpa_s); 861 862 cwork = os_zalloc(sizeof(*cwork)); 863 if (cwork == NULL) 864 return; 865 cwork->bss = bss; 866 cwork->ssid = ssid; 867 cwork->sme = 1; 868 869 #ifdef CONFIG_SAE 870 wpa_s->sme.sae.state = SAE_NOTHING; 871 wpa_s->sme.sae.send_confirm = 0; 872 wpa_s->sme.sae_group_index = 0; 873 #endif /* CONFIG_SAE */ 874 875 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 876 sme_auth_start_cb, cwork) < 0) 877 wpas_connect_work_free(cwork); 878 } 879 880 881 #ifdef CONFIG_SAE 882 883 static int sme_external_auth_build_buf(struct wpabuf *buf, 884 struct wpabuf *params, 885 const u8 *sa, const u8 *da, 886 u16 auth_transaction, u16 seq_num) 887 { 888 struct ieee80211_mgmt *resp; 889 890 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 891 u.auth.variable)); 892 893 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 894 (WLAN_FC_STYPE_AUTH << 4)); 895 os_memcpy(resp->da, da, ETH_ALEN); 896 os_memcpy(resp->sa, sa, ETH_ALEN); 897 os_memcpy(resp->bssid, da, ETH_ALEN); 898 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE); 899 resp->seq_ctrl = host_to_le16(seq_num << 4); 900 resp->u.auth.auth_transaction = host_to_le16(auth_transaction); 901 resp->u.auth.status_code = host_to_le16(WLAN_STATUS_SUCCESS); 902 if (params) 903 wpabuf_put_buf(buf, params); 904 905 return 0; 906 } 907 908 909 static void sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s, 910 const u8 *bssid, 911 struct wpa_ssid *ssid) 912 { 913 struct wpabuf *resp, *buf; 914 915 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1); 916 if (!resp) 917 return; 918 919 wpa_s->sme.sae.state = SAE_COMMITTED; 920 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp)); 921 if (!buf) { 922 wpabuf_free(resp); 923 return; 924 } 925 926 wpa_s->sme.seq_num++; 927 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 928 bssid, 1, wpa_s->sme.seq_num); 929 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0); 930 wpabuf_free(resp); 931 wpabuf_free(buf); 932 } 933 934 935 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s, 936 u16 status) 937 { 938 struct external_auth params; 939 940 os_memset(¶ms, 0, sizeof(params)); 941 params.status = status; 942 os_memcpy(params.ssid, wpa_s->sme.ext_auth.ssid, 943 wpa_s->sme.ext_auth.ssid_len); 944 params.ssid_len = wpa_s->sme.ext_auth.ssid_len; 945 os_memcpy(params.bssid, wpa_s->sme.ext_auth.bssid, ETH_ALEN); 946 wpa_drv_send_external_auth_status(wpa_s, ¶ms); 947 } 948 949 950 static void sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, 951 union wpa_event_data *data) 952 { 953 struct wpa_ssid *ssid; 954 size_t ssid_str_len = data->external_auth.ssid_len; 955 u8 *ssid_str = data->external_auth.ssid; 956 957 /* Get the SSID conf from the ssid string obtained */ 958 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 959 if (!wpas_network_disabled(wpa_s, ssid) && 960 ssid_str_len == ssid->ssid_len && 961 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && 962 (ssid->key_mgmt & WPA_KEY_MGMT_SAE)) 963 break; 964 } 965 if (ssid) 966 sme_external_auth_send_sae_commit(wpa_s, 967 data->external_auth.bssid, 968 ssid); 969 else 970 sme_send_external_auth_status(wpa_s, 971 WLAN_STATUS_UNSPECIFIED_FAILURE); 972 } 973 974 975 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s, 976 const u8 *da) 977 { 978 struct wpabuf *resp, *buf; 979 980 resp = sme_auth_build_sae_confirm(wpa_s, 1); 981 if (!resp) { 982 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure"); 983 return; 984 } 985 986 wpa_s->sme.sae.state = SAE_CONFIRMED; 987 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp)); 988 if (!buf) { 989 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure"); 990 wpabuf_free(resp); 991 return; 992 } 993 wpa_s->sme.seq_num++; 994 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 995 da, 2, wpa_s->sme.seq_num); 996 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0); 997 wpabuf_free(resp); 998 wpabuf_free(buf); 999 } 1000 1001 1002 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s, 1003 union wpa_event_data *data) 1004 { 1005 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) != 1006 RSN_AUTH_KEY_MGMT_SAE) 1007 return; 1008 1009 if (data->external_auth.action == EXT_AUTH_START) { 1010 os_memcpy(&wpa_s->sme.ext_auth, data, 1011 sizeof(struct external_auth)); 1012 wpa_s->sme.seq_num = 0; 1013 wpa_s->sme.sae.state = SAE_NOTHING; 1014 wpa_s->sme.sae.send_confirm = 0; 1015 wpa_s->sme.sae_group_index = 0; 1016 sme_handle_external_auth_start(wpa_s, data); 1017 } else if (data->external_auth.action == EXT_AUTH_ABORT) { 1018 /* Report failure to driver for the wrong trigger */ 1019 sme_send_external_auth_status(wpa_s, 1020 WLAN_STATUS_UNSPECIFIED_FAILURE); 1021 } 1022 } 1023 1024 1025 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 1026 u16 status_code, const u8 *data, size_t len, 1027 int external, const u8 *sa) 1028 { 1029 int *groups; 1030 1031 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 1032 "status code %u", auth_transaction, status_code); 1033 1034 if (auth_transaction == 1 && 1035 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1036 wpa_s->sme.sae.state == SAE_COMMITTED && 1037 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1038 int default_groups[] = { 19, 20, 21, 25, 26, 0 }; 1039 u16 group; 1040 1041 groups = wpa_s->conf->sae_groups; 1042 if (!groups || groups[0] <= 0) 1043 groups = default_groups; 1044 1045 if (len < sizeof(le16)) { 1046 wpa_dbg(wpa_s, MSG_DEBUG, 1047 "SME: Too short SAE anti-clogging token request"); 1048 return -1; 1049 } 1050 group = WPA_GET_LE16(data); 1051 wpa_dbg(wpa_s, MSG_DEBUG, 1052 "SME: SAE anti-clogging token requested (group %u)", 1053 group); 1054 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 1055 WLAN_STATUS_SUCCESS) { 1056 wpa_dbg(wpa_s, MSG_ERROR, 1057 "SME: SAE group %u of anti-clogging request is invalid", 1058 group); 1059 return -1; 1060 } 1061 wpabuf_free(wpa_s->sme.sae_token); 1062 wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16), 1063 len - sizeof(le16)); 1064 if (!external) 1065 sme_send_authentication(wpa_s, wpa_s->current_bss, 1066 wpa_s->current_ssid, 1); 1067 else 1068 sme_external_auth_send_sae_commit( 1069 wpa_s, wpa_s->sme.ext_auth.bssid, 1070 wpa_s->current_ssid); 1071 return 0; 1072 } 1073 1074 if (auth_transaction == 1 && 1075 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1076 wpa_s->sme.sae.state == SAE_COMMITTED && 1077 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1078 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 1079 wpa_s->sme.sae_group_index++; 1080 if (sme_set_sae_group(wpa_s) < 0) 1081 return -1; /* no other groups enabled */ 1082 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 1083 if (!external) 1084 sme_send_authentication(wpa_s, wpa_s->current_bss, 1085 wpa_s->current_ssid, 1); 1086 else 1087 sme_external_auth_send_sae_commit( 1088 wpa_s, wpa_s->sme.ext_auth.bssid, 1089 wpa_s->current_ssid); 1090 return 0; 1091 } 1092 1093 if (auth_transaction == 1 && 1094 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1095 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1096 1097 wpa_msg(wpa_s, MSG_INFO, 1098 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR, 1099 MAC2STR(bssid)); 1100 return -1; 1101 } 1102 1103 if (status_code != WLAN_STATUS_SUCCESS) 1104 return -1; 1105 1106 if (auth_transaction == 1) { 1107 u16 res; 1108 1109 groups = wpa_s->conf->sae_groups; 1110 1111 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 1112 if ((!external && wpa_s->current_bss == NULL) || 1113 wpa_s->current_ssid == NULL) 1114 return -1; 1115 if (wpa_s->sme.sae.state != SAE_COMMITTED) 1116 return -1; 1117 if (groups && groups[0] <= 0) 1118 groups = NULL; 1119 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 1120 groups); 1121 if (res == SAE_SILENTLY_DISCARD) { 1122 wpa_printf(MSG_DEBUG, 1123 "SAE: Drop commit message due to reflection attack"); 1124 return 0; 1125 } 1126 if (res != WLAN_STATUS_SUCCESS) 1127 return -1; 1128 1129 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 1130 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 1131 "commit"); 1132 return -1; 1133 } 1134 1135 wpabuf_free(wpa_s->sme.sae_token); 1136 wpa_s->sme.sae_token = NULL; 1137 if (!external) 1138 sme_send_authentication(wpa_s, wpa_s->current_bss, 1139 wpa_s->current_ssid, 0); 1140 else 1141 sme_external_auth_send_sae_confirm(wpa_s, sa); 1142 return 0; 1143 } else if (auth_transaction == 2) { 1144 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 1145 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 1146 return -1; 1147 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 1148 return -1; 1149 wpa_s->sme.sae.state = SAE_ACCEPTED; 1150 sae_clear_temp_data(&wpa_s->sme.sae); 1151 1152 if (external) { 1153 /* Report success to driver */ 1154 sme_send_external_auth_status(wpa_s, 1155 WLAN_STATUS_SUCCESS); 1156 } 1157 1158 return 1; 1159 } 1160 1161 return -1; 1162 } 1163 1164 1165 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, 1166 const u8 *auth_frame, size_t len) 1167 { 1168 const struct ieee80211_mgmt *header; 1169 size_t auth_length; 1170 1171 header = (const struct ieee80211_mgmt *) auth_frame; 1172 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth); 1173 1174 if (len < auth_length) { 1175 /* Notify failure to the driver */ 1176 sme_send_external_auth_status(wpa_s, 1177 WLAN_STATUS_UNSPECIFIED_FAILURE); 1178 return; 1179 } 1180 1181 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { 1182 int res; 1183 1184 res = sme_sae_auth( 1185 wpa_s, le_to_host16(header->u.auth.auth_transaction), 1186 le_to_host16(header->u.auth.status_code), 1187 header->u.auth.variable, 1188 len - auth_length, 1, header->sa); 1189 if (res < 0) { 1190 /* Notify failure to the driver */ 1191 sme_send_external_auth_status( 1192 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE); 1193 return; 1194 } 1195 if (res != 1) 1196 return; 1197 1198 wpa_printf(MSG_DEBUG, 1199 "SME: SAE completed - setting PMK for 4-way handshake"); 1200 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1201 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 1202 } 1203 } 1204 1205 #endif /* CONFIG_SAE */ 1206 1207 1208 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 1209 { 1210 struct wpa_ssid *ssid = wpa_s->current_ssid; 1211 1212 if (ssid == NULL) { 1213 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1214 "when network is not selected"); 1215 return; 1216 } 1217 1218 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 1219 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1220 "when not in authenticating state"); 1221 return; 1222 } 1223 1224 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 1225 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 1226 "unexpected peer " MACSTR, 1227 MAC2STR(data->auth.peer)); 1228 return; 1229 } 1230 1231 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 1232 " auth_type=%d auth_transaction=%d status_code=%d", 1233 MAC2STR(data->auth.peer), data->auth.auth_type, 1234 data->auth.auth_transaction, data->auth.status_code); 1235 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 1236 data->auth.ies, data->auth.ies_len); 1237 1238 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1239 1240 #ifdef CONFIG_SAE 1241 if (data->auth.auth_type == WLAN_AUTH_SAE) { 1242 int res; 1243 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 1244 data->auth.status_code, data->auth.ies, 1245 data->auth.ies_len, 0, NULL); 1246 if (res < 0) { 1247 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1248 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1249 1250 } 1251 if (res != 1) 1252 return; 1253 1254 wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for " 1255 "4-way handshake"); 1256 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1257 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 1258 } 1259 #endif /* CONFIG_SAE */ 1260 1261 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 1262 char *ie_txt = NULL; 1263 1264 if (data->auth.ies && data->auth.ies_len) { 1265 size_t buflen = 2 * data->auth.ies_len + 1; 1266 ie_txt = os_malloc(buflen); 1267 if (ie_txt) { 1268 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 1269 data->auth.ies_len); 1270 } 1271 } 1272 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1273 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 1274 MAC2STR(data->auth.peer), data->auth.auth_type, 1275 data->auth.auth_transaction, data->auth.status_code, 1276 ie_txt ? " ie=" : "", 1277 ie_txt ? ie_txt : ""); 1278 os_free(ie_txt); 1279 1280 #ifdef CONFIG_FILS 1281 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS || 1282 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS) 1283 fils_connection_failure(wpa_s); 1284 #endif /* CONFIG_FILS */ 1285 1286 if (data->auth.status_code != 1287 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 1288 wpa_s->sme.auth_alg == data->auth.auth_type || 1289 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 1290 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1291 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1292 return; 1293 } 1294 1295 wpas_connect_work_done(wpa_s); 1296 1297 switch (data->auth.auth_type) { 1298 case WLAN_AUTH_OPEN: 1299 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 1300 1301 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 1302 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1303 wpa_s->current_ssid); 1304 return; 1305 1306 case WLAN_AUTH_SHARED_KEY: 1307 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 1308 1309 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 1310 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1311 wpa_s->current_ssid); 1312 return; 1313 1314 default: 1315 return; 1316 } 1317 } 1318 1319 #ifdef CONFIG_IEEE80211R 1320 if (data->auth.auth_type == WLAN_AUTH_FT) { 1321 const u8 *ric_ies = NULL; 1322 size_t ric_ies_len = 0; 1323 1324 if (wpa_s->ric_ies) { 1325 ric_ies = wpabuf_head(wpa_s->ric_ies); 1326 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1327 } 1328 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1329 data->auth.ies_len, 0, 1330 data->auth.peer, 1331 ric_ies, ric_ies_len) < 0) { 1332 wpa_dbg(wpa_s, MSG_DEBUG, 1333 "SME: FT Authentication response processing failed"); 1334 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1335 MACSTR 1336 " reason=%d locally_generated=1", 1337 MAC2STR(wpa_s->pending_bssid), 1338 WLAN_REASON_DEAUTH_LEAVING); 1339 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1340 wpa_supplicant_mark_disassoc(wpa_s); 1341 return; 1342 } 1343 } 1344 #endif /* CONFIG_IEEE80211R */ 1345 1346 #ifdef CONFIG_FILS 1347 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1348 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1349 u16 expect_auth_type; 1350 1351 expect_auth_type = wpa_s->sme.auth_alg == 1352 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1353 WLAN_AUTH_FILS_SK; 1354 if (data->auth.auth_type != expect_auth_type) { 1355 wpa_dbg(wpa_s, MSG_DEBUG, 1356 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1357 data->auth.auth_type, expect_auth_type); 1358 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1359 MACSTR 1360 " reason=%d locally_generated=1", 1361 MAC2STR(wpa_s->pending_bssid), 1362 WLAN_REASON_DEAUTH_LEAVING); 1363 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1364 wpa_supplicant_mark_disassoc(wpa_s); 1365 return; 1366 } 1367 1368 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1369 data->auth.ies, data->auth.ies_len) < 0) { 1370 wpa_dbg(wpa_s, MSG_DEBUG, 1371 "SME: FILS Authentication response processing failed"); 1372 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1373 MACSTR 1374 " reason=%d locally_generated=1", 1375 MAC2STR(wpa_s->pending_bssid), 1376 WLAN_REASON_DEAUTH_LEAVING); 1377 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1378 wpa_supplicant_mark_disassoc(wpa_s); 1379 return; 1380 } 1381 } 1382 #endif /* CONFIG_FILS */ 1383 1384 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1385 data->auth.auth_type); 1386 } 1387 1388 1389 #ifdef CONFIG_FILS 1390 #ifdef CONFIG_IEEE80211R 1391 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1392 { 1393 u8 *pos, *next, *end; 1394 1395 pos = (u8 *) get_ie(buf, *len, eid); 1396 if (pos) { 1397 next = pos + 2 + pos[1]; 1398 end = buf + *len; 1399 *len -= 2 + pos[1]; 1400 os_memmove(pos, next, end - next); 1401 } 1402 } 1403 #endif /* CONFIG_IEEE80211R */ 1404 #endif /* CONFIG_FILS */ 1405 1406 1407 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1408 const u8 *bssid, u16 auth_type) 1409 { 1410 struct wpa_driver_associate_params params; 1411 struct ieee802_11_elems elems; 1412 #ifdef CONFIG_FILS 1413 u8 nonces[2 * FILS_NONCE_LEN]; 1414 #endif /* CONFIG_FILS */ 1415 #ifdef CONFIG_HT_OVERRIDES 1416 struct ieee80211_ht_capabilities htcaps; 1417 struct ieee80211_ht_capabilities htcaps_mask; 1418 #endif /* CONFIG_HT_OVERRIDES */ 1419 #ifdef CONFIG_VHT_OVERRIDES 1420 struct ieee80211_vht_capabilities vhtcaps; 1421 struct ieee80211_vht_capabilities vhtcaps_mask; 1422 #endif /* CONFIG_VHT_OVERRIDES */ 1423 1424 os_memset(¶ms, 0, sizeof(params)); 1425 1426 #ifdef CONFIG_FILS 1427 if (auth_type == WLAN_AUTH_FILS_SK || 1428 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1429 struct wpabuf *buf; 1430 const u8 *snonce, *anonce; 1431 const unsigned int max_hlp = 20; 1432 struct wpabuf *hlp[max_hlp]; 1433 unsigned int i, num_hlp = 0; 1434 struct fils_hlp_req *req; 1435 1436 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1437 list) { 1438 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1439 wpabuf_len(req->pkt)); 1440 if (!hlp[num_hlp]) 1441 break; 1442 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1443 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1444 ETH_ALEN); 1445 wpabuf_put_data(hlp[num_hlp], 1446 "\xaa\xaa\x03\x00\x00\x00", 6); 1447 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1448 num_hlp++; 1449 if (num_hlp >= max_hlp) 1450 break; 1451 } 1452 1453 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1454 ¶ms.fils_kek_len, &snonce, 1455 &anonce, 1456 (const struct wpabuf **) hlp, 1457 num_hlp); 1458 for (i = 0; i < num_hlp; i++) 1459 wpabuf_free(hlp[i]); 1460 if (!buf) 1461 return; 1462 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1463 wpa_s->sme.assoc_req_ie, 1464 wpa_s->sme.assoc_req_ie_len); 1465 #ifdef CONFIG_IEEE80211R 1466 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1467 /* Remove RSNE and MDE to allow them to be overridden 1468 * with FILS+FT specific values from 1469 * fils_build_assoc_req(). */ 1470 remove_ie(wpa_s->sme.assoc_req_ie, 1471 &wpa_s->sme.assoc_req_ie_len, 1472 WLAN_EID_RSN); 1473 wpa_hexdump(MSG_DEBUG, 1474 "FILS: assoc_req after RSNE removal", 1475 wpa_s->sme.assoc_req_ie, 1476 wpa_s->sme.assoc_req_ie_len); 1477 remove_ie(wpa_s->sme.assoc_req_ie, 1478 &wpa_s->sme.assoc_req_ie_len, 1479 WLAN_EID_MOBILITY_DOMAIN); 1480 wpa_hexdump(MSG_DEBUG, 1481 "FILS: assoc_req after MDE removal", 1482 wpa_s->sme.assoc_req_ie, 1483 wpa_s->sme.assoc_req_ie_len); 1484 } 1485 #endif /* CONFIG_IEEE80211R */ 1486 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1487 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1488 sizeof(wpa_s->sme.assoc_req_ie)) { 1489 wpa_printf(MSG_ERROR, 1490 "FILS: Not enough buffer room for own AssocReq elements"); 1491 wpabuf_free(buf); 1492 return; 1493 } 1494 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1495 wpabuf_head(buf), wpabuf_len(buf)); 1496 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1497 wpabuf_free(buf); 1498 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1499 wpa_s->sme.assoc_req_ie, 1500 wpa_s->sme.assoc_req_ie_len); 1501 1502 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1503 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1504 params.fils_nonces = nonces; 1505 params.fils_nonces_len = sizeof(nonces); 1506 } 1507 #endif /* CONFIG_FILS */ 1508 1509 #ifdef CONFIG_OWE 1510 #ifdef CONFIG_TESTING_OPTIONS 1511 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1512 WLAN_EID_EXT_OWE_DH_PARAM)) { 1513 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1514 } else 1515 #endif /* CONFIG_TESTING_OPTIONS */ 1516 if (auth_type == WLAN_AUTH_OPEN && 1517 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1518 struct wpabuf *owe_ie; 1519 u16 group; 1520 1521 if (wpa_s->current_ssid && wpa_s->current_ssid->owe_group) { 1522 group = wpa_s->current_ssid->owe_group; 1523 } else if (wpa_s->assoc_status_code == 1524 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) { 1525 if (wpa_s->last_owe_group == 19) 1526 group = 20; 1527 else if (wpa_s->last_owe_group == 20) 1528 group = 21; 1529 else 1530 group = OWE_DH_GROUP; 1531 } else { 1532 group = OWE_DH_GROUP; 1533 } 1534 1535 wpa_s->last_owe_group = group; 1536 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group); 1537 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1538 if (!owe_ie) { 1539 wpa_printf(MSG_ERROR, 1540 "OWE: Failed to build IE for Association Request frame"); 1541 return; 1542 } 1543 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1544 sizeof(wpa_s->sme.assoc_req_ie)) { 1545 wpa_printf(MSG_ERROR, 1546 "OWE: Not enough buffer room for own Association Request frame elements"); 1547 wpabuf_free(owe_ie); 1548 return; 1549 } 1550 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1551 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1552 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1553 wpabuf_free(owe_ie); 1554 } 1555 #endif /* CONFIG_OWE */ 1556 1557 params.bssid = bssid; 1558 params.ssid = wpa_s->sme.ssid; 1559 params.ssid_len = wpa_s->sme.ssid_len; 1560 params.freq.freq = wpa_s->sme.freq; 1561 params.bg_scan_period = wpa_s->current_ssid ? 1562 wpa_s->current_ssid->bg_scan_period : -1; 1563 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1564 wpa_s->sme.assoc_req_ie : NULL; 1565 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1566 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs", 1567 params.wpa_ie, params.wpa_ie_len); 1568 params.pairwise_suite = wpa_s->pairwise_cipher; 1569 params.group_suite = wpa_s->group_cipher; 1570 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1571 params.key_mgmt_suite = wpa_s->key_mgmt; 1572 params.wpa_proto = wpa_s->wpa_proto; 1573 #ifdef CONFIG_HT_OVERRIDES 1574 os_memset(&htcaps, 0, sizeof(htcaps)); 1575 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1576 params.htcaps = (u8 *) &htcaps; 1577 params.htcaps_mask = (u8 *) &htcaps_mask; 1578 wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1579 #endif /* CONFIG_HT_OVERRIDES */ 1580 #ifdef CONFIG_VHT_OVERRIDES 1581 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1582 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1583 params.vhtcaps = &vhtcaps; 1584 params.vhtcaps_mask = &vhtcaps_mask; 1585 wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1586 #endif /* CONFIG_VHT_OVERRIDES */ 1587 #ifdef CONFIG_IEEE80211R 1588 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies && 1589 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len, 1590 WLAN_EID_RIC_DATA)) { 1591 /* There seems to be a pretty inconvenient bug in the Linux 1592 * kernel IE splitting functionality when RIC is used. For now, 1593 * skip correct behavior in IE construction here (i.e., drop the 1594 * additional non-FT-specific IEs) to avoid kernel issues. This 1595 * is fine since RIC is used only for testing purposes in the 1596 * current implementation. */ 1597 wpa_printf(MSG_INFO, 1598 "SME: Linux kernel workaround - do not try to include additional IEs with RIC"); 1599 params.wpa_ie = wpa_s->sme.ft_ies; 1600 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1601 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1602 const u8 *rm_en, *pos, *end; 1603 size_t rm_en_len = 0; 1604 u8 *rm_en_dup = NULL, *wpos; 1605 1606 /* Remove RSNE, MDE, FTE to allow them to be overridden with 1607 * FT specific values */ 1608 remove_ie(wpa_s->sme.assoc_req_ie, 1609 &wpa_s->sme.assoc_req_ie_len, 1610 WLAN_EID_RSN); 1611 remove_ie(wpa_s->sme.assoc_req_ie, 1612 &wpa_s->sme.assoc_req_ie_len, 1613 WLAN_EID_MOBILITY_DOMAIN); 1614 remove_ie(wpa_s->sme.assoc_req_ie, 1615 &wpa_s->sme.assoc_req_ie_len, 1616 WLAN_EID_FAST_BSS_TRANSITION); 1617 rm_en = get_ie(wpa_s->sme.assoc_req_ie, 1618 wpa_s->sme.assoc_req_ie_len, 1619 WLAN_EID_RRM_ENABLED_CAPABILITIES); 1620 if (rm_en) { 1621 /* Need to remove RM Enabled Capabilities element as 1622 * well temporarily, so that it can be placed between 1623 * RSNE and MDE. */ 1624 rm_en_len = 2 + rm_en[1]; 1625 rm_en_dup = os_memdup(rm_en, rm_en_len); 1626 remove_ie(wpa_s->sme.assoc_req_ie, 1627 &wpa_s->sme.assoc_req_ie_len, 1628 WLAN_EID_RRM_ENABLED_CAPABILITIES); 1629 } 1630 wpa_hexdump(MSG_DEBUG, 1631 "SME: Association Request IEs after FT IE removal", 1632 wpa_s->sme.assoc_req_ie, 1633 wpa_s->sme.assoc_req_ie_len); 1634 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len + 1635 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) { 1636 wpa_printf(MSG_ERROR, 1637 "SME: Not enough buffer room for FT IEs in Association Request frame"); 1638 os_free(rm_en_dup); 1639 return; 1640 } 1641 1642 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len + 1643 rm_en_len, 1644 wpa_s->sme.assoc_req_ie, 1645 wpa_s->sme.assoc_req_ie_len); 1646 pos = wpa_s->sme.ft_ies; 1647 end = pos + wpa_s->sme.ft_ies_len; 1648 wpos = wpa_s->sme.assoc_req_ie; 1649 if (*pos == WLAN_EID_RSN) { 1650 os_memcpy(wpos, pos, 2 + pos[1]); 1651 wpos += 2 + pos[1]; 1652 pos += 2 + pos[1]; 1653 } 1654 if (rm_en_dup) { 1655 os_memcpy(wpos, rm_en_dup, rm_en_len); 1656 wpos += rm_en_len; 1657 os_free(rm_en_dup); 1658 } 1659 os_memcpy(wpos, pos, end - pos); 1660 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len + 1661 rm_en_len; 1662 params.wpa_ie = wpa_s->sme.assoc_req_ie; 1663 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1664 wpa_hexdump(MSG_DEBUG, 1665 "SME: Association Request IEs after FT override", 1666 params.wpa_ie, params.wpa_ie_len); 1667 } 1668 #endif /* CONFIG_IEEE80211R */ 1669 params.mode = mode; 1670 params.mgmt_frame_protection = wpa_s->sme.mfp; 1671 params.rrm_used = wpa_s->rrm.rrm_used; 1672 if (wpa_s->sme.prev_bssid_set) 1673 params.prev_bssid = wpa_s->sme.prev_bssid; 1674 1675 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 1676 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 1677 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 1678 params.freq.freq); 1679 1680 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 1681 1682 if (params.wpa_ie == NULL || 1683 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 1684 < 0) { 1685 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 1686 os_memset(&elems, 0, sizeof(elems)); 1687 } 1688 if (elems.rsn_ie) { 1689 params.wpa_proto = WPA_PROTO_RSN; 1690 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 1691 elems.rsn_ie_len + 2); 1692 } else if (elems.wpa_ie) { 1693 params.wpa_proto = WPA_PROTO_WPA; 1694 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 1695 elems.wpa_ie_len + 2); 1696 } else if (elems.osen) { 1697 params.wpa_proto = WPA_PROTO_OSEN; 1698 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 1699 elems.osen_len + 2); 1700 } else 1701 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 1702 if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group) 1703 params.p2p = 1; 1704 1705 if (wpa_s->p2pdev->set_sta_uapsd) 1706 params.uapsd = wpa_s->p2pdev->sta_uapsd; 1707 else 1708 params.uapsd = -1; 1709 1710 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 1711 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 1712 "driver failed"); 1713 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1714 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1715 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1716 return; 1717 } 1718 1719 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 1720 NULL); 1721 1722 #ifdef CONFIG_TESTING_OPTIONS 1723 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 1724 wpa_s->last_assoc_req_wpa_ie = NULL; 1725 if (params.wpa_ie) 1726 wpa_s->last_assoc_req_wpa_ie = 1727 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 1728 #endif /* CONFIG_TESTING_OPTIONS */ 1729 } 1730 1731 1732 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 1733 const u8 *ies, size_t ies_len) 1734 { 1735 if (md == NULL || ies == NULL) { 1736 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 1737 os_free(wpa_s->sme.ft_ies); 1738 wpa_s->sme.ft_ies = NULL; 1739 wpa_s->sme.ft_ies_len = 0; 1740 wpa_s->sme.ft_used = 0; 1741 return 0; 1742 } 1743 1744 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 1745 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 1746 os_free(wpa_s->sme.ft_ies); 1747 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 1748 if (wpa_s->sme.ft_ies == NULL) 1749 return -1; 1750 wpa_s->sme.ft_ies_len = ies_len; 1751 return 0; 1752 } 1753 1754 1755 static void sme_deauth(struct wpa_supplicant *wpa_s) 1756 { 1757 int bssid_changed; 1758 1759 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 1760 1761 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1762 WLAN_REASON_DEAUTH_LEAVING) < 0) { 1763 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 1764 "failed"); 1765 } 1766 wpa_s->sme.prev_bssid_set = 0; 1767 1768 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1769 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1770 os_memset(wpa_s->bssid, 0, ETH_ALEN); 1771 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1772 if (bssid_changed) 1773 wpas_notify_bssid_changed(wpa_s); 1774 } 1775 1776 1777 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 1778 union wpa_event_data *data) 1779 { 1780 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 1781 "status code %d", MAC2STR(wpa_s->pending_bssid), 1782 data->assoc_reject.status_code); 1783 1784 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1785 1786 #ifdef CONFIG_SAE 1787 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 1788 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 1789 wpa_dbg(wpa_s, MSG_DEBUG, 1790 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 1791 wpa_sm_aborted_cached(wpa_s->wpa); 1792 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 1793 if (wpa_s->current_bss) { 1794 struct wpa_bss *bss = wpa_s->current_bss; 1795 struct wpa_ssid *ssid = wpa_s->current_ssid; 1796 1797 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1798 WLAN_REASON_DEAUTH_LEAVING); 1799 wpas_connect_work_done(wpa_s); 1800 wpa_supplicant_mark_disassoc(wpa_s); 1801 wpa_supplicant_connect(wpa_s, bss, ssid); 1802 return; 1803 } 1804 } 1805 #endif /* CONFIG_SAE */ 1806 1807 /* 1808 * For now, unconditionally terminate the previous authentication. In 1809 * theory, this should not be needed, but mac80211 gets quite confused 1810 * if the authentication is left pending.. Some roaming cases might 1811 * benefit from using the previous authentication, so this could be 1812 * optimized in the future. 1813 */ 1814 sme_deauth(wpa_s); 1815 } 1816 1817 1818 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 1819 union wpa_event_data *data) 1820 { 1821 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 1822 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1823 wpa_supplicant_mark_disassoc(wpa_s); 1824 } 1825 1826 1827 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 1828 union wpa_event_data *data) 1829 { 1830 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 1831 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1832 wpa_supplicant_mark_disassoc(wpa_s); 1833 } 1834 1835 1836 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 1837 struct disassoc_info *info) 1838 { 1839 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 1840 if (wpa_s->sme.prev_bssid_set) { 1841 /* 1842 * cfg80211/mac80211 can get into somewhat confused state if 1843 * the AP only disassociates us and leaves us in authenticated 1844 * state. For now, force the state to be cleared to avoid 1845 * confusing errors if we try to associate with the AP again. 1846 */ 1847 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 1848 "driver state"); 1849 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 1850 WLAN_REASON_DEAUTH_LEAVING); 1851 } 1852 } 1853 1854 1855 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 1856 { 1857 struct wpa_supplicant *wpa_s = eloop_ctx; 1858 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 1859 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 1860 sme_deauth(wpa_s); 1861 } 1862 } 1863 1864 1865 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 1866 { 1867 struct wpa_supplicant *wpa_s = eloop_ctx; 1868 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 1869 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 1870 sme_deauth(wpa_s); 1871 } 1872 } 1873 1874 1875 void sme_state_changed(struct wpa_supplicant *wpa_s) 1876 { 1877 /* Make sure timers are cleaned up appropriately. */ 1878 if (wpa_s->wpa_state != WPA_ASSOCIATING) 1879 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1880 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 1881 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1882 } 1883 1884 1885 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 1886 const u8 *prev_pending_bssid) 1887 { 1888 /* 1889 * mac80211-workaround to force deauth on failed auth cmd, 1890 * requires us to remain in authenticating state to allow the 1891 * second authentication attempt to be continued properly. 1892 */ 1893 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 1894 "to proceed after disconnection event"); 1895 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 1896 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 1897 1898 /* 1899 * Re-arm authentication timer in case auth fails for whatever reason. 1900 */ 1901 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1902 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 1903 NULL); 1904 } 1905 1906 1907 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 1908 { 1909 wpa_s->sme.prev_bssid_set = 0; 1910 #ifdef CONFIG_SAE 1911 wpabuf_free(wpa_s->sme.sae_token); 1912 wpa_s->sme.sae_token = NULL; 1913 sae_clear_data(&wpa_s->sme.sae); 1914 #endif /* CONFIG_SAE */ 1915 #ifdef CONFIG_IEEE80211R 1916 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used) 1917 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 1918 #endif /* CONFIG_IEEE80211R */ 1919 } 1920 1921 1922 void sme_deinit(struct wpa_supplicant *wpa_s) 1923 { 1924 os_free(wpa_s->sme.ft_ies); 1925 wpa_s->sme.ft_ies = NULL; 1926 wpa_s->sme.ft_ies_len = 0; 1927 #ifdef CONFIG_IEEE80211W 1928 sme_stop_sa_query(wpa_s); 1929 #endif /* CONFIG_IEEE80211W */ 1930 sme_clear_on_disassoc(wpa_s); 1931 1932 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1933 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1934 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 1935 } 1936 1937 1938 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 1939 const u8 *chan_list, u8 num_channels, 1940 u8 num_intol) 1941 { 1942 struct ieee80211_2040_bss_coex_ie *bc_ie; 1943 struct ieee80211_2040_intol_chan_report *ic_report; 1944 struct wpabuf *buf; 1945 1946 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 1947 " (num_channels=%u num_intol=%u)", 1948 MAC2STR(wpa_s->bssid), num_channels, num_intol); 1949 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 1950 chan_list, num_channels); 1951 1952 buf = wpabuf_alloc(2 + /* action.category + action_code */ 1953 sizeof(struct ieee80211_2040_bss_coex_ie) + 1954 sizeof(struct ieee80211_2040_intol_chan_report) + 1955 num_channels); 1956 if (buf == NULL) 1957 return; 1958 1959 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 1960 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 1961 1962 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 1963 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 1964 bc_ie->length = 1; 1965 if (num_intol) 1966 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 1967 1968 if (num_channels > 0) { 1969 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 1970 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 1971 ic_report->length = num_channels + 1; 1972 ic_report->op_class = 0; 1973 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 1974 num_channels); 1975 } 1976 1977 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 1978 wpa_s->own_addr, wpa_s->bssid, 1979 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 1980 wpa_msg(wpa_s, MSG_INFO, 1981 "SME: Failed to send 20/40 BSS Coexistence frame"); 1982 } 1983 1984 wpabuf_free(buf); 1985 } 1986 1987 1988 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 1989 { 1990 struct wpa_bss *bss; 1991 const u8 *ie; 1992 u16 ht_cap; 1993 u8 chan_list[P2P_MAX_CHANNELS], channel; 1994 u8 num_channels = 0, num_intol = 0, i; 1995 1996 if (!wpa_s->sme.sched_obss_scan) 1997 return 0; 1998 1999 wpa_s->sme.sched_obss_scan = 0; 2000 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 2001 return 1; 2002 2003 /* 2004 * Check whether AP uses regulatory triplet or channel triplet in 2005 * country info. Right now the operating class of the BSS channel 2006 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 2007 * based on the assumption that operating class triplet is not used in 2008 * beacon frame. If the First Channel Number/Operating Extension 2009 * Identifier octet has a positive integer value of 201 or greater, 2010 * then its operating class triplet. 2011 * 2012 * TODO: If Supported Operating Classes element is present in beacon 2013 * frame, have to lookup operating class in Annex E and fill them in 2014 * 2040 coex frame. 2015 */ 2016 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 2017 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 2018 return 1; 2019 2020 os_memset(chan_list, 0, sizeof(chan_list)); 2021 2022 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2023 /* Skip other band bss */ 2024 enum hostapd_hw_mode mode; 2025 mode = ieee80211_freq_to_chan(bss->freq, &channel); 2026 if (mode != HOSTAPD_MODE_IEEE80211G && 2027 mode != HOSTAPD_MODE_IEEE80211B) 2028 continue; 2029 2030 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 2031 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 2032 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 2033 " freq=%u chan=%u ht_cap=0x%x", 2034 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 2035 2036 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 2037 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 2038 num_intol++; 2039 2040 /* Check whether the channel is already considered */ 2041 for (i = 0; i < num_channels; i++) { 2042 if (channel == chan_list[i]) 2043 break; 2044 } 2045 if (i != num_channels) 2046 continue; 2047 2048 chan_list[num_channels++] = channel; 2049 } 2050 } 2051 2052 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 2053 return 1; 2054 } 2055 2056 2057 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 2058 struct wpa_driver_scan_params *params) 2059 { 2060 /* Include only affected channels */ 2061 struct hostapd_hw_modes *mode; 2062 int count, i; 2063 int start, end; 2064 2065 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 2066 HOSTAPD_MODE_IEEE80211G); 2067 if (mode == NULL) { 2068 /* No channels supported in this band - use empty list */ 2069 params->freqs = os_zalloc(sizeof(int)); 2070 return; 2071 } 2072 2073 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 2074 wpa_s->current_bss) { 2075 const u8 *ie; 2076 2077 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 2078 if (ie && ie[1] >= 2) { 2079 u8 o; 2080 2081 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 2082 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 2083 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 2084 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 2085 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 2086 } 2087 } 2088 2089 start = wpa_s->assoc_freq - 10; 2090 end = wpa_s->assoc_freq + 10; 2091 switch (wpa_s->sme.ht_sec_chan) { 2092 case HT_SEC_CHAN_UNKNOWN: 2093 /* HT40+ possible on channels 1..9 */ 2094 if (wpa_s->assoc_freq <= 2452) 2095 start -= 20; 2096 /* HT40- possible on channels 5-13 */ 2097 if (wpa_s->assoc_freq >= 2432) 2098 end += 20; 2099 break; 2100 case HT_SEC_CHAN_ABOVE: 2101 end += 20; 2102 break; 2103 case HT_SEC_CHAN_BELOW: 2104 start -= 20; 2105 break; 2106 } 2107 wpa_printf(MSG_DEBUG, 2108 "OBSS: assoc_freq %d possible affected range %d-%d", 2109 wpa_s->assoc_freq, start, end); 2110 2111 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 2112 if (params->freqs == NULL) 2113 return; 2114 for (count = 0, i = 0; i < mode->num_channels; i++) { 2115 int freq; 2116 2117 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 2118 continue; 2119 freq = mode->channels[i].freq; 2120 if (freq - 10 >= end || freq + 10 <= start) 2121 continue; /* not affected */ 2122 params->freqs[count++] = freq; 2123 } 2124 } 2125 2126 2127 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 2128 { 2129 struct wpa_supplicant *wpa_s = eloop_ctx; 2130 struct wpa_driver_scan_params params; 2131 2132 if (!wpa_s->current_bss) { 2133 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 2134 return; 2135 } 2136 2137 os_memset(¶ms, 0, sizeof(params)); 2138 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 2139 params.low_priority = 1; 2140 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 2141 2142 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 2143 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 2144 else 2145 wpa_s->sme.sched_obss_scan = 1; 2146 os_free(params.freqs); 2147 2148 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2149 sme_obss_scan_timeout, wpa_s, NULL); 2150 } 2151 2152 2153 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 2154 { 2155 const u8 *ie; 2156 struct wpa_bss *bss = wpa_s->current_bss; 2157 struct wpa_ssid *ssid = wpa_s->current_ssid; 2158 struct hostapd_hw_modes *hw_mode = NULL; 2159 int i; 2160 2161 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2162 wpa_s->sme.sched_obss_scan = 0; 2163 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 2164 if (!enable) 2165 return; 2166 2167 /* 2168 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 2169 * or it expects OBSS scan to be performed by wpa_supplicant. 2170 */ 2171 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 2172 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 2173 ssid == NULL || ssid->mode != IEEE80211_MODE_INFRA) 2174 return; 2175 2176 if (!wpa_s->hw.modes) 2177 return; 2178 2179 /* only HT caps in 11g mode are relevant */ 2180 for (i = 0; i < wpa_s->hw.num_modes; i++) { 2181 hw_mode = &wpa_s->hw.modes[i]; 2182 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 2183 break; 2184 } 2185 2186 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 2187 if (i == wpa_s->hw.num_modes || !hw_mode || 2188 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2189 return; 2190 2191 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 2192 return; /* Not associated on 2.4 GHz band */ 2193 2194 /* Check whether AP supports HT40 */ 2195 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 2196 if (!ie || ie[1] < 2 || 2197 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2198 return; /* AP does not support HT40 */ 2199 2200 ie = wpa_bss_get_ie(wpa_s->current_bss, 2201 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 2202 if (!ie || ie[1] < 14) 2203 return; /* AP does not request OBSS scans */ 2204 2205 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 2206 if (wpa_s->sme.obss_scan_int < 10) { 2207 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 2208 "replaced with the minimum 10 sec", 2209 wpa_s->sme.obss_scan_int); 2210 wpa_s->sme.obss_scan_int = 10; 2211 } 2212 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 2213 wpa_s->sme.obss_scan_int); 2214 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2215 sme_obss_scan_timeout, wpa_s, NULL); 2216 } 2217 2218 2219 #ifdef CONFIG_IEEE80211W 2220 2221 static const unsigned int sa_query_max_timeout = 1000; 2222 static const unsigned int sa_query_retry_timeout = 201; 2223 2224 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 2225 { 2226 u32 tu; 2227 struct os_reltime now, passed; 2228 os_get_reltime(&now); 2229 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 2230 tu = (passed.sec * 1000000 + passed.usec) / 1024; 2231 if (sa_query_max_timeout < tu) { 2232 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 2233 sme_stop_sa_query(wpa_s); 2234 wpa_supplicant_deauthenticate( 2235 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 2236 return 1; 2237 } 2238 2239 return 0; 2240 } 2241 2242 2243 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 2244 const u8 *trans_id) 2245 { 2246 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN]; 2247 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 2248 MACSTR, MAC2STR(wpa_s->bssid)); 2249 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 2250 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2251 req[0] = WLAN_ACTION_SA_QUERY; 2252 req[1] = WLAN_SA_QUERY_REQUEST; 2253 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2254 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2255 wpa_s->own_addr, wpa_s->bssid, 2256 req, sizeof(req), 0) < 0) 2257 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 2258 "Request"); 2259 } 2260 2261 2262 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 2263 { 2264 struct wpa_supplicant *wpa_s = eloop_ctx; 2265 unsigned int timeout, sec, usec; 2266 u8 *trans_id, *nbuf; 2267 2268 if (wpa_s->sme.sa_query_count > 0 && 2269 sme_check_sa_query_timeout(wpa_s)) 2270 return; 2271 2272 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 2273 wpa_s->sme.sa_query_count + 1, 2274 WLAN_SA_QUERY_TR_ID_LEN); 2275 if (nbuf == NULL) { 2276 sme_stop_sa_query(wpa_s); 2277 return; 2278 } 2279 if (wpa_s->sme.sa_query_count == 0) { 2280 /* Starting a new SA Query procedure */ 2281 os_get_reltime(&wpa_s->sme.sa_query_start); 2282 } 2283 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 2284 wpa_s->sme.sa_query_trans_id = nbuf; 2285 wpa_s->sme.sa_query_count++; 2286 2287 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 2288 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 2289 sme_stop_sa_query(wpa_s); 2290 return; 2291 } 2292 2293 timeout = sa_query_retry_timeout; 2294 sec = ((timeout / 1000) * 1024) / 1000; 2295 usec = (timeout % 1000) * 1024; 2296 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 2297 2298 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 2299 wpa_s->sme.sa_query_count); 2300 2301 sme_send_sa_query_req(wpa_s, trans_id); 2302 } 2303 2304 2305 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 2306 { 2307 sme_sa_query_timer(wpa_s, NULL); 2308 } 2309 2310 2311 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 2312 { 2313 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 2314 os_free(wpa_s->sme.sa_query_trans_id); 2315 wpa_s->sme.sa_query_trans_id = NULL; 2316 wpa_s->sme.sa_query_count = 0; 2317 } 2318 2319 2320 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 2321 const u8 *da, u16 reason_code) 2322 { 2323 struct wpa_ssid *ssid; 2324 struct os_reltime now; 2325 2326 if (wpa_s->wpa_state != WPA_COMPLETED) 2327 return; 2328 ssid = wpa_s->current_ssid; 2329 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 2330 return; 2331 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2332 return; 2333 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 2334 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 2335 return; 2336 if (wpa_s->sme.sa_query_count > 0) 2337 return; 2338 2339 os_get_reltime(&now); 2340 if (wpa_s->sme.last_unprot_disconnect.sec && 2341 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 2342 return; /* limit SA Query procedure frequency */ 2343 wpa_s->sme.last_unprot_disconnect = now; 2344 2345 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 2346 "possible AP/STA state mismatch - trigger SA Query"); 2347 sme_start_sa_query(wpa_s); 2348 } 2349 2350 2351 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa, 2352 const u8 *data, size_t len) 2353 { 2354 int i; 2355 2356 if (wpa_s->sme.sa_query_trans_id == NULL || 2357 len < 1 + WLAN_SA_QUERY_TR_ID_LEN || 2358 data[0] != WLAN_SA_QUERY_RESPONSE) 2359 return; 2360 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 2361 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2362 2363 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2364 return; 2365 2366 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 2367 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 2368 i * WLAN_SA_QUERY_TR_ID_LEN, 2369 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 2370 break; 2371 } 2372 2373 if (i >= wpa_s->sme.sa_query_count) { 2374 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 2375 "transaction identifier found"); 2376 return; 2377 } 2378 2379 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 2380 "from " MACSTR, MAC2STR(sa)); 2381 sme_stop_sa_query(wpa_s); 2382 } 2383 2384 #endif /* CONFIG_IEEE80211W */ 2385