1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "common/ocv.h" 16 #include "common/hw_features_common.h" 17 #include "eapol_supp/eapol_supp_sm.h" 18 #include "common/wpa_common.h" 19 #include "common/sae.h" 20 #include "common/dpp.h" 21 #include "rsn_supp/wpa.h" 22 #include "rsn_supp/pmksa_cache.h" 23 #include "config.h" 24 #include "wpa_supplicant_i.h" 25 #include "driver_i.h" 26 #include "wpas_glue.h" 27 #include "wps_supplicant.h" 28 #include "p2p_supplicant.h" 29 #include "notify.h" 30 #include "bss.h" 31 #include "scan.h" 32 #include "sme.h" 33 #include "hs20_supplicant.h" 34 35 #define SME_AUTH_TIMEOUT 5 36 #define SME_ASSOC_TIMEOUT 5 37 38 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 39 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 40 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 41 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 42 43 44 #ifdef CONFIG_SAE 45 46 static int index_within_array(const int *array, int idx) 47 { 48 int i; 49 for (i = 0; i < idx; i++) { 50 if (array[i] <= 0) 51 return 0; 52 } 53 return 1; 54 } 55 56 57 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 58 { 59 int *groups = wpa_s->conf->sae_groups; 60 int default_groups[] = { 19, 20, 21, 0 }; 61 62 if (!groups || groups[0] <= 0) 63 groups = default_groups; 64 65 /* Configuration may have changed, so validate current index */ 66 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 67 return -1; 68 69 for (;;) { 70 int group = groups[wpa_s->sme.sae_group_index]; 71 if (group <= 0) 72 break; 73 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 74 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 75 wpa_s->sme.sae.group); 76 return 0; 77 } 78 wpa_s->sme.sae_group_index++; 79 } 80 81 return -1; 82 } 83 84 85 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 86 struct wpa_ssid *ssid, 87 const u8 *bssid, int external, 88 int reuse, int *ret_use_pt, 89 bool *ret_use_pk) 90 { 91 struct wpabuf *buf; 92 size_t len; 93 const char *password; 94 struct wpa_bss *bss; 95 int use_pt = 0; 96 bool use_pk = false; 97 u8 rsnxe_capa = 0; 98 99 if (ret_use_pt) 100 *ret_use_pt = 0; 101 if (ret_use_pk) 102 *ret_use_pk = false; 103 104 #ifdef CONFIG_TESTING_OPTIONS 105 if (wpa_s->sae_commit_override) { 106 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 107 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 108 if (!buf) 109 return NULL; 110 if (!external) { 111 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 112 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 113 } 114 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 115 return buf; 116 } 117 #endif /* CONFIG_TESTING_OPTIONS */ 118 119 password = ssid->sae_password; 120 if (!password) 121 password = ssid->passphrase; 122 if (!password) { 123 wpa_printf(MSG_DEBUG, "SAE: No password available"); 124 return NULL; 125 } 126 127 if (reuse && wpa_s->sme.sae.tmp && 128 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) { 129 wpa_printf(MSG_DEBUG, 130 "SAE: Reuse previously generated PWE on a retry with the same AP"); 131 use_pt = wpa_s->sme.sae.h2e; 132 use_pk = wpa_s->sme.sae.pk; 133 goto reuse_data; 134 } 135 if (sme_set_sae_group(wpa_s) < 0) { 136 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 137 return NULL; 138 } 139 140 bss = wpa_bss_get_bssid_latest(wpa_s, bssid); 141 if (bss) { 142 const u8 *rsnxe; 143 144 rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX); 145 if (rsnxe && rsnxe[1] >= 1) 146 rsnxe_capa = rsnxe[2]; 147 } 148 149 if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3) 150 use_pt = 1; 151 #ifdef CONFIG_SAE_PK 152 if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && 153 ssid->sae_pk != SAE_PK_MODE_DISABLED && 154 ((ssid->sae_password && 155 sae_pk_valid_password(ssid->sae_password)) || 156 (!ssid->sae_password && ssid->passphrase && 157 sae_pk_valid_password(ssid->passphrase)))) { 158 use_pt = 1; 159 use_pk = true; 160 } 161 162 if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) { 163 wpa_printf(MSG_DEBUG, 164 "SAE: Cannot use PK with the selected AP"); 165 return NULL; 166 } 167 #endif /* CONFIG_SAE_PK */ 168 169 if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { 170 use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E)); 171 172 if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && 173 wpa_s->conf->sae_pwe != 3 && 174 !use_pt) { 175 wpa_printf(MSG_DEBUG, 176 "SAE: Cannot use H2E with the selected AP"); 177 return NULL; 178 } 179 } 180 181 if (use_pt && 182 sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, 183 wpa_s->own_addr, bssid, 184 wpa_s->sme.sae_rejected_groups, NULL) < 0) 185 return NULL; 186 if (!use_pt && 187 sae_prepare_commit(wpa_s->own_addr, bssid, 188 (u8 *) password, os_strlen(password), 189 &wpa_s->sme.sae) < 0) { 190 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 191 return NULL; 192 } 193 if (wpa_s->sme.sae.tmp) { 194 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); 195 if (use_pt && use_pk) 196 wpa_s->sme.sae.pk = 1; 197 #ifdef CONFIG_SAE_PK 198 os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr, 199 ETH_ALEN); 200 os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN); 201 sae_pk_set_password(&wpa_s->sme.sae, password); 202 #endif /* CONFIG_SAE_PK */ 203 } 204 205 reuse_data: 206 len = wpa_s->sme.sae_token ? 3 + wpabuf_len(wpa_s->sme.sae_token) : 0; 207 if (ssid->sae_password_id) 208 len += 4 + os_strlen(ssid->sae_password_id); 209 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 210 if (buf == NULL) 211 return NULL; 212 if (!external) { 213 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 214 if (use_pk) 215 wpabuf_put_le16(buf, WLAN_STATUS_SAE_PK); 216 else if (use_pt) 217 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); 218 else 219 wpabuf_put_le16(buf,WLAN_STATUS_SUCCESS); 220 } 221 if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, 222 ssid->sae_password_id) < 0) { 223 wpabuf_free(buf); 224 return NULL; 225 } 226 if (ret_use_pt) 227 *ret_use_pt = use_pt; 228 if (ret_use_pk) 229 *ret_use_pk = use_pk; 230 231 return buf; 232 } 233 234 235 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s, 236 int external) 237 { 238 struct wpabuf *buf; 239 240 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 241 if (buf == NULL) 242 return NULL; 243 244 if (!external) { 245 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 246 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 247 } 248 sae_write_confirm(&wpa_s->sme.sae, buf); 249 250 return buf; 251 } 252 253 #endif /* CONFIG_SAE */ 254 255 256 /** 257 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 258 * @wpa_s: Pointer to wpa_supplicant data 259 * @bss: Pointer to the bss which is the target of authentication attempt 260 */ 261 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 262 struct wpa_bss *bss) 263 { 264 const u8 rrm_ie_len = 5; 265 u8 *pos; 266 const u8 *rrm_ie; 267 268 wpa_s->rrm.rrm_used = 0; 269 270 wpa_printf(MSG_DEBUG, 271 "RRM: Determining whether RRM can be used - device support: 0x%x", 272 wpa_s->drv_rrm_flags); 273 274 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 275 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 276 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 277 return; 278 } 279 280 if (!((wpa_s->drv_rrm_flags & 281 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 282 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 283 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 284 wpa_printf(MSG_DEBUG, 285 "RRM: Insufficient RRM support in driver - do not use RRM"); 286 return; 287 } 288 289 if (sizeof(wpa_s->sme.assoc_req_ie) < 290 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 291 wpa_printf(MSG_INFO, 292 "RRM: Unable to use RRM, no room for RRM IE"); 293 return; 294 } 295 296 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 297 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 298 os_memset(pos, 0, 2 + rrm_ie_len); 299 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 300 *pos++ = rrm_ie_len; 301 302 /* Set supported capabilities flags */ 303 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 304 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 305 306 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 307 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 308 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 309 310 if (wpa_s->lci) 311 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 312 313 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 314 wpa_s->rrm.rrm_used = 1; 315 } 316 317 318 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 319 struct wpa_bss *bss, struct wpa_ssid *ssid, 320 int start) 321 { 322 struct wpa_driver_auth_params params; 323 struct wpa_ssid *old_ssid; 324 #ifdef CONFIG_IEEE80211R 325 const u8 *ie; 326 #endif /* CONFIG_IEEE80211R */ 327 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 328 const u8 *md = NULL; 329 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 330 int bssid_changed; 331 struct wpabuf *resp = NULL; 332 u8 ext_capab[18]; 333 int ext_capab_len; 334 int skip_auth; 335 u8 *wpa_ie; 336 size_t wpa_ie_len; 337 #ifdef CONFIG_MBO 338 const u8 *mbo_ie; 339 #endif /* CONFIG_MBO */ 340 int omit_rsnxe = 0; 341 342 if (bss == NULL) { 343 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 344 "the network"); 345 wpas_connect_work_done(wpa_s); 346 return; 347 } 348 349 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 350 wpa_s->reassoc_same_bss; 351 wpa_s->current_bss = bss; 352 353 os_memset(¶ms, 0, sizeof(params)); 354 wpa_s->reassociate = 0; 355 356 params.freq = bss->freq; 357 params.bssid = bss->bssid; 358 params.ssid = bss->ssid; 359 params.ssid_len = bss->ssid_len; 360 params.p2p = ssid->p2p_group; 361 362 if (wpa_s->sme.ssid_len != params.ssid_len || 363 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 364 wpa_s->sme.prev_bssid_set = 0; 365 366 wpa_s->sme.freq = params.freq; 367 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 368 wpa_s->sme.ssid_len = params.ssid_len; 369 370 params.auth_alg = WPA_AUTH_ALG_OPEN; 371 #ifdef IEEE8021X_EAPOL 372 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 373 if (ssid->leap) { 374 if (ssid->non_leap == 0) 375 params.auth_alg = WPA_AUTH_ALG_LEAP; 376 else 377 params.auth_alg |= WPA_AUTH_ALG_LEAP; 378 } 379 } 380 #endif /* IEEE8021X_EAPOL */ 381 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 382 params.auth_alg); 383 if (ssid->auth_alg) { 384 params.auth_alg = ssid->auth_alg; 385 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 386 "0x%x", params.auth_alg); 387 } 388 #ifdef CONFIG_SAE 389 wpa_s->sme.sae_pmksa_caching = 0; 390 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 391 const u8 *rsn; 392 struct wpa_ie_data ied; 393 394 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 395 if (!rsn) { 396 wpa_dbg(wpa_s, MSG_DEBUG, 397 "SAE enabled, but target BSS does not advertise RSN"); 398 #ifdef CONFIG_DPP 399 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 400 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) && 401 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) { 402 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled"); 403 #endif /* CONFIG_DPP */ 404 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 405 wpa_key_mgmt_sae(ied.key_mgmt)) { 406 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 407 params.auth_alg = WPA_AUTH_ALG_SAE; 408 } else { 409 wpa_dbg(wpa_s, MSG_DEBUG, 410 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 411 } 412 } 413 #endif /* CONFIG_SAE */ 414 415 #ifdef CONFIG_WEP 416 { 417 int i; 418 419 for (i = 0; i < NUM_WEP_KEYS; i++) { 420 if (ssid->wep_key_len[i]) 421 params.wep_key[i] = ssid->wep_key[i]; 422 params.wep_key_len[i] = ssid->wep_key_len[i]; 423 } 424 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 425 } 426 #endif /* CONFIG_WEP */ 427 428 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 429 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 430 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 431 int try_opportunistic; 432 const u8 *cache_id = NULL; 433 434 try_opportunistic = (ssid->proactive_key_caching < 0 ? 435 wpa_s->conf->okc : 436 ssid->proactive_key_caching) && 437 (ssid->proto & WPA_PROTO_RSN); 438 #ifdef CONFIG_FILS 439 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 440 cache_id = wpa_bss_get_fils_cache_id(bss); 441 #endif /* CONFIG_FILS */ 442 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 443 wpa_s->current_ssid, 444 try_opportunistic, cache_id, 445 0) == 0) 446 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 447 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 448 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 449 wpa_s->sme.assoc_req_ie, 450 &wpa_s->sme.assoc_req_ie_len)) { 451 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 452 "key management and encryption suites"); 453 wpas_connect_work_done(wpa_s); 454 return; 455 } 456 #ifdef CONFIG_HS20 457 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) && 458 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) { 459 /* No PMKSA caching, but otherwise similar to RSN/WPA */ 460 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 461 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 462 wpa_s->sme.assoc_req_ie, 463 &wpa_s->sme.assoc_req_ie_len)) { 464 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 465 "key management and encryption suites"); 466 wpas_connect_work_done(wpa_s); 467 return; 468 } 469 #endif /* CONFIG_HS20 */ 470 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 471 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 472 /* 473 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 474 * use non-WPA since the scan results did not indicate that the 475 * AP is using WPA or WPA2. 476 */ 477 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 478 wpa_s->sme.assoc_req_ie_len = 0; 479 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 480 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 481 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 482 wpa_s->sme.assoc_req_ie, 483 &wpa_s->sme.assoc_req_ie_len)) { 484 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 485 "key management and encryption suites (no " 486 "scan results)"); 487 wpas_connect_work_done(wpa_s); 488 return; 489 } 490 #ifdef CONFIG_WPS 491 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 492 struct wpabuf *wps_ie; 493 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 494 if (wps_ie && wpabuf_len(wps_ie) <= 495 sizeof(wpa_s->sme.assoc_req_ie)) { 496 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 497 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 498 wpa_s->sme.assoc_req_ie_len); 499 } else 500 wpa_s->sme.assoc_req_ie_len = 0; 501 wpabuf_free(wps_ie); 502 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 503 #endif /* CONFIG_WPS */ 504 } else { 505 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 506 wpa_s->sme.assoc_req_ie_len = 0; 507 } 508 509 /* In case the WPA vendor IE is used, it should be placed after all the 510 * non-vendor IEs, as the lower layer expects the IEs to be ordered as 511 * defined in the standard. Store the WPA IE so it can later be 512 * inserted at the correct location. 513 */ 514 wpa_ie = NULL; 515 wpa_ie_len = 0; 516 if (wpa_s->wpa_proto == WPA_PROTO_WPA) { 517 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie, 518 wpa_s->sme.assoc_req_ie_len); 519 if (wpa_ie) { 520 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE"); 521 522 wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 523 wpa_s->sme.assoc_req_ie_len = 0; 524 } else { 525 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE"); 526 wpas_connect_work_done(wpa_s); 527 return; 528 } 529 } 530 531 #ifdef CONFIG_IEEE80211R 532 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 533 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 534 md = ie + 2; 535 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 536 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) || 537 !wpa_key_mgmt_ft(wpa_s->key_mgmt))) 538 md = NULL; 539 if (md) { 540 /* Prepare for the next transition */ 541 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 542 } 543 544 if (md) { 545 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 546 md[0], md[1]); 547 548 omit_rsnxe = !wpa_bss_get_ie(bss, WLAN_EID_RSNX); 549 if (wpa_s->sme.assoc_req_ie_len + 5 < 550 sizeof(wpa_s->sme.assoc_req_ie)) { 551 struct rsn_mdie *mdie; 552 u8 *pos = wpa_s->sme.assoc_req_ie + 553 wpa_s->sme.assoc_req_ie_len; 554 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 555 *pos++ = sizeof(*mdie); 556 mdie = (struct rsn_mdie *) pos; 557 os_memcpy(mdie->mobility_domain, md, 558 MOBILITY_DOMAIN_ID_LEN); 559 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 560 wpa_s->sme.assoc_req_ie_len += 5; 561 } 562 563 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used && 564 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 565 wpa_sm_has_ptk(wpa_s->wpa)) { 566 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 567 "over-the-air"); 568 params.auth_alg = WPA_AUTH_ALG_FT; 569 params.ie = wpa_s->sme.ft_ies; 570 params.ie_len = wpa_s->sme.ft_ies_len; 571 } 572 } 573 #endif /* CONFIG_IEEE80211R */ 574 575 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 576 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 577 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 578 struct wpa_ie_data _ie; 579 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 580 _ie.capabilities & 581 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 582 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 583 "MFP: require MFP"); 584 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 585 } 586 } 587 588 #ifdef CONFIG_P2P 589 if (wpa_s->global->p2p) { 590 u8 *pos; 591 size_t len; 592 int res; 593 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 594 len = sizeof(wpa_s->sme.assoc_req_ie) - 595 wpa_s->sme.assoc_req_ie_len; 596 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 597 ssid->p2p_group); 598 if (res >= 0) 599 wpa_s->sme.assoc_req_ie_len += res; 600 } 601 #endif /* CONFIG_P2P */ 602 603 #ifdef CONFIG_FST 604 if (wpa_s->fst_ies) { 605 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 606 607 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 608 sizeof(wpa_s->sme.assoc_req_ie)) { 609 os_memcpy(wpa_s->sme.assoc_req_ie + 610 wpa_s->sme.assoc_req_ie_len, 611 wpabuf_head(wpa_s->fst_ies), 612 fst_ies_len); 613 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 614 } 615 } 616 #endif /* CONFIG_FST */ 617 618 sme_auth_handle_rrm(wpa_s, bss); 619 620 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 621 wpa_s, ssid, bss, 622 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 623 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 624 625 if (params.p2p) 626 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 627 else 628 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 629 630 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 631 sizeof(ext_capab)); 632 if (ext_capab_len > 0) { 633 u8 *pos = wpa_s->sme.assoc_req_ie; 634 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 635 pos += 2 + pos[1]; 636 os_memmove(pos + ext_capab_len, pos, 637 wpa_s->sme.assoc_req_ie_len - 638 (pos - wpa_s->sme.assoc_req_ie)); 639 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 640 os_memcpy(pos, ext_capab, ext_capab_len); 641 } 642 643 #ifdef CONFIG_TESTING_OPTIONS 644 if (wpa_s->rsnxe_override_assoc && 645 wpabuf_len(wpa_s->rsnxe_override_assoc) <= 646 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len) { 647 wpa_printf(MSG_DEBUG, "TESTING: RSNXE AssocReq override"); 648 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 649 wpabuf_head(wpa_s->rsnxe_override_assoc), 650 wpabuf_len(wpa_s->rsnxe_override_assoc)); 651 wpa_s->sme.assoc_req_ie_len += 652 wpabuf_len(wpa_s->rsnxe_override_assoc); 653 } else 654 #endif /* CONFIG_TESTING_OPTIONS */ 655 if (wpa_s->rsnxe_len > 0 && 656 wpa_s->rsnxe_len <= 657 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len && 658 !omit_rsnxe) { 659 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 660 wpa_s->rsnxe, wpa_s->rsnxe_len); 661 wpa_s->sme.assoc_req_ie_len += wpa_s->rsnxe_len; 662 } 663 664 #ifdef CONFIG_HS20 665 if (is_hs20_network(wpa_s, ssid, bss)) { 666 struct wpabuf *hs20; 667 668 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN); 669 if (hs20) { 670 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 671 size_t len; 672 673 wpas_hs20_add_indication(hs20, pps_mo_id, 674 get_hs20_version(bss)); 675 wpas_hs20_add_roam_cons_sel(hs20, ssid); 676 len = sizeof(wpa_s->sme.assoc_req_ie) - 677 wpa_s->sme.assoc_req_ie_len; 678 if (wpabuf_len(hs20) <= len) { 679 os_memcpy(wpa_s->sme.assoc_req_ie + 680 wpa_s->sme.assoc_req_ie_len, 681 wpabuf_head(hs20), wpabuf_len(hs20)); 682 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 683 } 684 wpabuf_free(hs20); 685 } 686 } 687 #endif /* CONFIG_HS20 */ 688 689 if (wpa_ie) { 690 size_t len; 691 692 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE"); 693 694 len = sizeof(wpa_s->sme.assoc_req_ie) - 695 wpa_s->sme.assoc_req_ie_len; 696 697 if (len > wpa_ie_len) { 698 os_memcpy(wpa_s->sme.assoc_req_ie + 699 wpa_s->sme.assoc_req_ie_len, 700 wpa_ie, wpa_ie_len); 701 wpa_s->sme.assoc_req_ie_len += wpa_ie_len; 702 } else { 703 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE"); 704 } 705 706 os_free(wpa_ie); 707 } 708 709 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 710 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 711 size_t len; 712 713 len = sizeof(wpa_s->sme.assoc_req_ie) - 714 wpa_s->sme.assoc_req_ie_len; 715 if (wpabuf_len(buf) <= len) { 716 os_memcpy(wpa_s->sme.assoc_req_ie + 717 wpa_s->sme.assoc_req_ie_len, 718 wpabuf_head(buf), wpabuf_len(buf)); 719 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 720 } 721 } 722 723 #ifdef CONFIG_MBO 724 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE); 725 if (!wpa_s->disable_mbo_oce && mbo_ie) { 726 int len; 727 728 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 729 wpa_s->sme.assoc_req_ie_len, 730 sizeof(wpa_s->sme.assoc_req_ie) - 731 wpa_s->sme.assoc_req_ie_len, 732 !!mbo_attr_from_mbo_ie(mbo_ie, 733 OCE_ATTR_ID_CAPA_IND)); 734 if (len >= 0) 735 wpa_s->sme.assoc_req_ie_len += len; 736 } 737 #endif /* CONFIG_MBO */ 738 739 #ifdef CONFIG_SAE 740 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 741 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 742 NULL, 743 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? 744 WPA_KEY_MGMT_FT_SAE : 745 WPA_KEY_MGMT_SAE) == 0) { 746 wpa_dbg(wpa_s, MSG_DEBUG, 747 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 748 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); 749 params.auth_alg = WPA_AUTH_ALG_OPEN; 750 wpa_s->sme.sae_pmksa_caching = 1; 751 } 752 753 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 754 if (start) 755 resp = sme_auth_build_sae_commit(wpa_s, ssid, 756 bss->bssid, 0, 757 start == 2, NULL, 758 NULL); 759 else 760 resp = sme_auth_build_sae_confirm(wpa_s, 0); 761 if (resp == NULL) { 762 wpas_connection_failed(wpa_s, bss->bssid); 763 return; 764 } 765 params.auth_data = wpabuf_head(resp); 766 params.auth_data_len = wpabuf_len(resp); 767 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 768 } 769 #endif /* CONFIG_SAE */ 770 771 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 772 os_memset(wpa_s->bssid, 0, ETH_ALEN); 773 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 774 if (bssid_changed) 775 wpas_notify_bssid_changed(wpa_s); 776 777 old_ssid = wpa_s->current_ssid; 778 wpa_s->current_ssid = ssid; 779 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 780 wpa_supplicant_initiate_eapol(wpa_s); 781 782 #ifdef CONFIG_FILS 783 /* TODO: FILS operations can in some cases be done between different 784 * network_ctx (i.e., same credentials can be used with multiple 785 * networks). */ 786 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 787 wpa_key_mgmt_fils(ssid->key_mgmt)) { 788 const u8 *indic; 789 u16 fils_info; 790 const u8 *realm, *username, *rrk; 791 size_t realm_len, username_len, rrk_len; 792 u16 next_seq_num; 793 794 /* 795 * Check FILS Indication element (FILS Information field) bits 796 * indicating supported authentication algorithms against local 797 * configuration (ssid->fils_dh_group). Try to use FILS 798 * authentication only if the AP supports the combination in the 799 * network profile. */ 800 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 801 if (!indic || indic[1] < 2) { 802 wpa_printf(MSG_DEBUG, "SME: " MACSTR 803 " does not include FILS Indication element - cannot use FILS authentication with it", 804 MAC2STR(bss->bssid)); 805 goto no_fils; 806 } 807 808 fils_info = WPA_GET_LE16(indic + 2); 809 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 810 wpa_printf(MSG_DEBUG, "SME: " MACSTR 811 " does not support FILS SK without PFS - cannot use FILS authentication with it", 812 MAC2STR(bss->bssid)); 813 goto no_fils; 814 } 815 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 816 wpa_printf(MSG_DEBUG, "SME: " MACSTR 817 " does not support FILS SK with PFS - cannot use FILS authentication with it", 818 MAC2STR(bss->bssid)); 819 goto no_fils; 820 } 821 822 if (wpa_s->last_con_fail_realm && 823 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap, 824 &username, &username_len, 825 &realm, &realm_len, &next_seq_num, 826 &rrk, &rrk_len) == 0 && 827 realm && realm_len == wpa_s->last_con_fail_realm_len && 828 os_memcmp(realm, wpa_s->last_con_fail_realm, 829 realm_len) == 0) { 830 wpa_printf(MSG_DEBUG, 831 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy"); 832 goto no_fils; 833 } 834 835 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 836 ssid, 0, 837 wpa_bss_get_fils_cache_id(bss), 838 0) == 0) 839 wpa_printf(MSG_DEBUG, 840 "SME: Try to use FILS with PMKSA caching"); 841 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 842 if (resp) { 843 int auth_alg; 844 845 if (ssid->fils_dh_group) 846 wpa_printf(MSG_DEBUG, 847 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 848 ssid->fils_dh_group); 849 else 850 wpa_printf(MSG_DEBUG, 851 "SME: Try to use FILS SK authentication without PFS"); 852 auth_alg = ssid->fils_dh_group ? 853 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 854 params.auth_alg = auth_alg; 855 params.auth_data = wpabuf_head(resp); 856 params.auth_data_len = wpabuf_len(resp); 857 wpa_s->sme.auth_alg = auth_alg; 858 } 859 } 860 no_fils: 861 #endif /* CONFIG_FILS */ 862 863 wpa_supplicant_cancel_sched_scan(wpa_s); 864 wpa_supplicant_cancel_scan(wpa_s); 865 866 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 867 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 868 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 869 870 eapol_sm_notify_portValid(wpa_s->eapol, false); 871 wpa_clear_keys(wpa_s, bss->bssid); 872 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 873 if (old_ssid != wpa_s->current_ssid) 874 wpas_notify_network_changed(wpa_s); 875 876 #ifdef CONFIG_HS20 877 hs20_configure_frame_filters(wpa_s); 878 #endif /* CONFIG_HS20 */ 879 880 #ifdef CONFIG_P2P 881 /* 882 * If multi-channel concurrency is not supported, check for any 883 * frequency conflict. In case of any frequency conflict, remove the 884 * least prioritized connection. 885 */ 886 if (wpa_s->num_multichan_concurrent < 2) { 887 int freq, num; 888 num = get_shared_radio_freqs(wpa_s, &freq, 1); 889 if (num > 0 && freq > 0 && freq != params.freq) { 890 wpa_printf(MSG_DEBUG, 891 "Conflicting frequency found (%d != %d)", 892 freq, params.freq); 893 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 894 params.freq, 895 ssid) < 0) { 896 wpas_connection_failed(wpa_s, bss->bssid); 897 wpa_supplicant_mark_disassoc(wpa_s); 898 wpabuf_free(resp); 899 wpas_connect_work_done(wpa_s); 900 return; 901 } 902 } 903 } 904 #endif /* CONFIG_P2P */ 905 906 if (skip_auth) { 907 wpa_msg(wpa_s, MSG_DEBUG, 908 "SME: Skip authentication step on reassoc-to-same-BSS"); 909 wpabuf_free(resp); 910 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 911 return; 912 } 913 914 915 wpa_s->sme.auth_alg = params.auth_alg; 916 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 917 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 918 "driver failed"); 919 wpas_connection_failed(wpa_s, bss->bssid); 920 wpa_supplicant_mark_disassoc(wpa_s); 921 wpabuf_free(resp); 922 wpas_connect_work_done(wpa_s); 923 return; 924 } 925 926 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 927 NULL); 928 929 /* 930 * Association will be started based on the authentication event from 931 * the driver. 932 */ 933 934 wpabuf_free(resp); 935 } 936 937 938 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 939 { 940 struct wpa_connect_work *cwork = work->ctx; 941 struct wpa_supplicant *wpa_s = work->wpa_s; 942 943 wpa_s->roam_in_progress = false; 944 945 if (deinit) { 946 if (work->started) 947 wpa_s->connect_work = NULL; 948 949 wpas_connect_work_free(cwork); 950 return; 951 } 952 953 wpa_s->connect_work = work; 954 955 if (cwork->bss_removed || 956 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 957 wpas_network_disabled(wpa_s, cwork->ssid)) { 958 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 959 wpas_connect_work_done(wpa_s); 960 return; 961 } 962 963 /* Starting new connection, so clear the possibly used WPA IE from the 964 * previous association. */ 965 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 966 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 967 wpa_s->rsnxe_len = 0; 968 969 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 970 } 971 972 973 void sme_authenticate(struct wpa_supplicant *wpa_s, 974 struct wpa_bss *bss, struct wpa_ssid *ssid) 975 { 976 struct wpa_connect_work *cwork; 977 978 if (bss == NULL || ssid == NULL) 979 return; 980 if (wpa_s->connect_work) { 981 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 982 return; 983 } 984 985 if (wpa_s->roam_in_progress) { 986 wpa_dbg(wpa_s, MSG_DEBUG, 987 "SME: Reject sme_authenticate() in favor of explicit roam request"); 988 return; 989 } 990 if (radio_work_pending(wpa_s, "sme-connect")) { 991 /* 992 * The previous sme-connect work might no longer be valid due to 993 * the fact that the BSS list was updated. In addition, it makes 994 * sense to adhere to the 'newer' decision. 995 */ 996 wpa_dbg(wpa_s, MSG_DEBUG, 997 "SME: Remove previous pending sme-connect"); 998 radio_remove_works(wpa_s, "sme-connect", 0); 999 } 1000 1001 wpas_abort_ongoing_scan(wpa_s); 1002 1003 cwork = os_zalloc(sizeof(*cwork)); 1004 if (cwork == NULL) 1005 return; 1006 cwork->bss = bss; 1007 cwork->ssid = ssid; 1008 cwork->sme = 1; 1009 1010 #ifdef CONFIG_SAE 1011 wpa_s->sme.sae.state = SAE_NOTHING; 1012 wpa_s->sme.sae.send_confirm = 0; 1013 wpa_s->sme.sae_group_index = 0; 1014 #endif /* CONFIG_SAE */ 1015 1016 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 1017 sme_auth_start_cb, cwork) < 0) 1018 wpas_connect_work_free(cwork); 1019 } 1020 1021 1022 #ifdef CONFIG_SAE 1023 1024 static int sme_external_auth_build_buf(struct wpabuf *buf, 1025 struct wpabuf *params, 1026 const u8 *sa, const u8 *da, 1027 u16 auth_transaction, u16 seq_num, 1028 u16 status_code) 1029 { 1030 struct ieee80211_mgmt *resp; 1031 1032 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 1033 u.auth.variable)); 1034 1035 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 1036 (WLAN_FC_STYPE_AUTH << 4)); 1037 os_memcpy(resp->da, da, ETH_ALEN); 1038 os_memcpy(resp->sa, sa, ETH_ALEN); 1039 os_memcpy(resp->bssid, da, ETH_ALEN); 1040 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE); 1041 resp->seq_ctrl = host_to_le16(seq_num << 4); 1042 resp->u.auth.auth_transaction = host_to_le16(auth_transaction); 1043 resp->u.auth.status_code = host_to_le16(status_code); 1044 if (params) 1045 wpabuf_put_buf(buf, params); 1046 1047 return 0; 1048 } 1049 1050 1051 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s, 1052 const u8 *bssid, 1053 struct wpa_ssid *ssid) 1054 { 1055 struct wpabuf *resp, *buf; 1056 int use_pt; 1057 bool use_pk; 1058 u16 status; 1059 1060 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt, 1061 &use_pk); 1062 if (!resp) { 1063 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit"); 1064 return -1; 1065 } 1066 1067 wpa_s->sme.sae.state = SAE_COMMITTED; 1068 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp)); 1069 if (!buf) { 1070 wpabuf_free(resp); 1071 return -1; 1072 } 1073 1074 wpa_s->sme.seq_num++; 1075 if (use_pk) 1076 status = WLAN_STATUS_SAE_PK; 1077 else if (use_pt) 1078 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT; 1079 else 1080 status = WLAN_STATUS_SUCCESS; 1081 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1082 bssid, 1, wpa_s->sme.seq_num, status); 1083 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1084 wpabuf_free(resp); 1085 wpabuf_free(buf); 1086 1087 return 0; 1088 } 1089 1090 1091 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s, 1092 u16 status) 1093 { 1094 struct external_auth params; 1095 1096 os_memset(¶ms, 0, sizeof(params)); 1097 params.status = status; 1098 params.ssid = wpa_s->sme.ext_auth_ssid; 1099 params.ssid_len = wpa_s->sme.ext_auth_ssid_len; 1100 params.bssid = wpa_s->sme.ext_auth_bssid; 1101 if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS) 1102 params.pmkid = wpa_s->sme.sae.pmkid; 1103 wpa_drv_send_external_auth_status(wpa_s, ¶ms); 1104 } 1105 1106 1107 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, 1108 union wpa_event_data *data) 1109 { 1110 struct wpa_ssid *ssid; 1111 size_t ssid_str_len = data->external_auth.ssid_len; 1112 const u8 *ssid_str = data->external_auth.ssid; 1113 1114 /* Get the SSID conf from the ssid string obtained */ 1115 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 1116 if (!wpas_network_disabled(wpa_s, ssid) && 1117 ssid_str_len == ssid->ssid_len && 1118 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && 1119 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE))) 1120 break; 1121 } 1122 if (!ssid || 1123 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid, 1124 ssid) < 0) 1125 return -1; 1126 1127 return 0; 1128 } 1129 1130 1131 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s, 1132 const u8 *da) 1133 { 1134 struct wpabuf *resp, *buf; 1135 1136 resp = sme_auth_build_sae_confirm(wpa_s, 1); 1137 if (!resp) { 1138 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure"); 1139 return; 1140 } 1141 1142 wpa_s->sme.sae.state = SAE_CONFIRMED; 1143 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp)); 1144 if (!buf) { 1145 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure"); 1146 wpabuf_free(resp); 1147 return; 1148 } 1149 wpa_s->sme.seq_num++; 1150 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1151 da, 2, wpa_s->sme.seq_num, 1152 WLAN_STATUS_SUCCESS); 1153 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1154 wpabuf_free(resp); 1155 wpabuf_free(buf); 1156 } 1157 1158 1159 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s, 1160 union wpa_event_data *data) 1161 { 1162 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) != 1163 RSN_AUTH_KEY_MGMT_SAE) 1164 return; 1165 1166 if (data->external_auth.action == EXT_AUTH_START) { 1167 if (!data->external_auth.bssid || !data->external_auth.ssid) 1168 return; 1169 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid, 1170 ETH_ALEN); 1171 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid, 1172 data->external_auth.ssid_len); 1173 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len; 1174 wpa_s->sme.seq_num = 0; 1175 wpa_s->sme.sae.state = SAE_NOTHING; 1176 wpa_s->sme.sae.send_confirm = 0; 1177 wpa_s->sme.sae_group_index = 0; 1178 if (sme_handle_external_auth_start(wpa_s, data) < 0) 1179 sme_send_external_auth_status(wpa_s, 1180 WLAN_STATUS_UNSPECIFIED_FAILURE); 1181 } else if (data->external_auth.action == EXT_AUTH_ABORT) { 1182 /* Report failure to driver for the wrong trigger */ 1183 sme_send_external_auth_status(wpa_s, 1184 WLAN_STATUS_UNSPECIFIED_FAILURE); 1185 } 1186 } 1187 1188 1189 static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group) 1190 { 1191 int *groups = wpa_s->conf->sae_groups; 1192 int default_groups[] = { 19, 20, 21, 0 }; 1193 int i; 1194 1195 if (!groups) 1196 groups = default_groups; 1197 1198 for (i = 0; groups[i] > 0; i++) { 1199 if (groups[i] == group) 1200 return 1; 1201 } 1202 1203 return 0; 1204 } 1205 1206 1207 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s, 1208 const struct wpabuf *groups) 1209 { 1210 size_t i, count; 1211 const u8 *pos; 1212 1213 if (!groups) 1214 return 0; 1215 1216 pos = wpabuf_head(groups); 1217 count = wpabuf_len(groups) / 2; 1218 for (i = 0; i < count; i++) { 1219 int enabled; 1220 u16 group; 1221 1222 group = WPA_GET_LE16(pos); 1223 pos += 2; 1224 enabled = sme_sae_is_group_enabled(wpa_s, group); 1225 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s", 1226 group, enabled ? "enabled" : "disabled"); 1227 if (enabled) 1228 return 1; 1229 } 1230 1231 return 0; 1232 } 1233 1234 1235 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 1236 u16 status_code, const u8 *data, size_t len, 1237 int external, const u8 *sa) 1238 { 1239 int *groups; 1240 1241 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 1242 "status code %u", auth_transaction, status_code); 1243 1244 if (auth_transaction == 1 && 1245 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1246 wpa_s->sme.sae.state == SAE_COMMITTED && 1247 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1248 int default_groups[] = { 19, 20, 21, 0 }; 1249 u16 group; 1250 const u8 *token_pos; 1251 size_t token_len; 1252 int h2e = 0; 1253 1254 groups = wpa_s->conf->sae_groups; 1255 if (!groups || groups[0] <= 0) 1256 groups = default_groups; 1257 1258 wpa_hexdump(MSG_DEBUG, "SME: SAE anti-clogging token request", 1259 data, len); 1260 if (len < sizeof(le16)) { 1261 wpa_dbg(wpa_s, MSG_DEBUG, 1262 "SME: Too short SAE anti-clogging token request"); 1263 return -1; 1264 } 1265 group = WPA_GET_LE16(data); 1266 wpa_dbg(wpa_s, MSG_DEBUG, 1267 "SME: SAE anti-clogging token requested (group %u)", 1268 group); 1269 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 1270 WLAN_STATUS_SUCCESS) { 1271 wpa_dbg(wpa_s, MSG_ERROR, 1272 "SME: SAE group %u of anti-clogging request is invalid", 1273 group); 1274 return -1; 1275 } 1276 wpabuf_free(wpa_s->sme.sae_token); 1277 token_pos = data + sizeof(le16); 1278 token_len = len - sizeof(le16); 1279 h2e = wpa_s->sme.sae.h2e; 1280 if (h2e) { 1281 if (token_len < 3) { 1282 wpa_dbg(wpa_s, MSG_DEBUG, 1283 "SME: Too short SAE anti-clogging token container"); 1284 return -1; 1285 } 1286 if (token_pos[0] != WLAN_EID_EXTENSION || 1287 token_pos[1] == 0 || 1288 token_pos[1] > token_len - 2 || 1289 token_pos[2] != WLAN_EID_EXT_ANTI_CLOGGING_TOKEN) { 1290 wpa_dbg(wpa_s, MSG_DEBUG, 1291 "SME: Invalid SAE anti-clogging token container header"); 1292 return -1; 1293 } 1294 token_len = token_pos[1] - 1; 1295 token_pos += 3; 1296 } 1297 wpa_s->sme.sae_token = wpabuf_alloc_copy(token_pos, token_len); 1298 wpa_hexdump_buf(MSG_DEBUG, "SME: Requested anti-clogging token", 1299 wpa_s->sme.sae_token); 1300 if (!external) 1301 sme_send_authentication(wpa_s, wpa_s->current_bss, 1302 wpa_s->current_ssid, 2); 1303 else 1304 sme_external_auth_send_sae_commit( 1305 wpa_s, wpa_s->sme.ext_auth_bssid, 1306 wpa_s->current_ssid); 1307 return 0; 1308 } 1309 1310 if (auth_transaction == 1 && 1311 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1312 wpa_s->sme.sae.state == SAE_COMMITTED && 1313 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1314 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 1315 int_array_add_unique(&wpa_s->sme.sae_rejected_groups, 1316 wpa_s->sme.sae.group); 1317 wpa_s->sme.sae_group_index++; 1318 if (sme_set_sae_group(wpa_s) < 0) 1319 return -1; /* no other groups enabled */ 1320 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 1321 if (!external) 1322 sme_send_authentication(wpa_s, wpa_s->current_bss, 1323 wpa_s->current_ssid, 1); 1324 else 1325 sme_external_auth_send_sae_commit( 1326 wpa_s, wpa_s->sme.ext_auth_bssid, 1327 wpa_s->current_ssid); 1328 return 0; 1329 } 1330 1331 if (auth_transaction == 1 && 1332 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1333 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1334 1335 wpa_msg(wpa_s, MSG_INFO, 1336 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR, 1337 MAC2STR(bssid)); 1338 return -1; 1339 } 1340 1341 if (status_code != WLAN_STATUS_SUCCESS && 1342 status_code != WLAN_STATUS_SAE_HASH_TO_ELEMENT && 1343 status_code != WLAN_STATUS_SAE_PK) { 1344 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1345 1346 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1347 " auth_type=%u auth_transaction=%u status_code=%u", 1348 MAC2STR(bssid), WLAN_AUTH_SAE, 1349 auth_transaction, status_code); 1350 return -1; 1351 } 1352 1353 if (auth_transaction == 1) { 1354 u16 res; 1355 1356 groups = wpa_s->conf->sae_groups; 1357 1358 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 1359 if ((!external && wpa_s->current_bss == NULL) || 1360 wpa_s->current_ssid == NULL) 1361 return -1; 1362 if (wpa_s->sme.sae.state != SAE_COMMITTED) { 1363 wpa_printf(MSG_DEBUG, 1364 "SAE: Ignore commit message while waiting for confirm"); 1365 return 0; 1366 } 1367 if (wpa_s->sme.sae.h2e && status_code == WLAN_STATUS_SUCCESS) { 1368 wpa_printf(MSG_DEBUG, 1369 "SAE: Unexpected use of status code 0 in SAE commit when H2E was expected"); 1370 return -1; 1371 } 1372 if ((!wpa_s->sme.sae.h2e || wpa_s->sme.sae.pk) && 1373 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) { 1374 wpa_printf(MSG_DEBUG, 1375 "SAE: Unexpected use of status code for H2E in SAE commit when H2E was not expected"); 1376 return -1; 1377 } 1378 if (!wpa_s->sme.sae.pk && 1379 status_code == WLAN_STATUS_SAE_PK) { 1380 wpa_printf(MSG_DEBUG, 1381 "SAE: Unexpected use of status code for PK in SAE commit when PK was not expected"); 1382 return -1; 1383 } 1384 1385 if (groups && groups[0] <= 0) 1386 groups = NULL; 1387 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 1388 groups, status_code == 1389 WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1390 status_code == WLAN_STATUS_SAE_PK); 1391 if (res == SAE_SILENTLY_DISCARD) { 1392 wpa_printf(MSG_DEBUG, 1393 "SAE: Drop commit message due to reflection attack"); 1394 return 0; 1395 } 1396 if (res != WLAN_STATUS_SUCCESS) 1397 return -1; 1398 1399 if (wpa_s->sme.sae.tmp && 1400 sme_check_sae_rejected_groups( 1401 wpa_s, 1402 wpa_s->sme.sae.tmp->peer_rejected_groups)) 1403 return -1; 1404 1405 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 1406 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 1407 "commit"); 1408 return -1; 1409 } 1410 1411 wpabuf_free(wpa_s->sme.sae_token); 1412 wpa_s->sme.sae_token = NULL; 1413 if (!external) 1414 sme_send_authentication(wpa_s, wpa_s->current_bss, 1415 wpa_s->current_ssid, 0); 1416 else 1417 sme_external_auth_send_sae_confirm(wpa_s, sa); 1418 return 0; 1419 } else if (auth_transaction == 2) { 1420 if (status_code != WLAN_STATUS_SUCCESS) 1421 return -1; 1422 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 1423 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 1424 return -1; 1425 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 1426 return -1; 1427 wpa_s->sme.sae.state = SAE_ACCEPTED; 1428 sae_clear_temp_data(&wpa_s->sme.sae); 1429 1430 if (external) { 1431 /* Report success to driver */ 1432 sme_send_external_auth_status(wpa_s, 1433 WLAN_STATUS_SUCCESS); 1434 } 1435 1436 return 1; 1437 } 1438 1439 return -1; 1440 } 1441 1442 1443 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid) 1444 { 1445 wpa_printf(MSG_DEBUG, 1446 "SME: SAE completed - setting PMK for 4-way handshake"); 1447 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1448 wpa_s->sme.sae.pmkid, bssid); 1449 if (wpa_s->conf->sae_pmkid_in_assoc) { 1450 /* Update the own RSNE contents now that we have set the PMK 1451 * and added a PMKSA cache entry based on the successfully 1452 * completed SAE exchange. In practice, this will add the PMKID 1453 * into RSNE. */ 1454 if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN > 1455 sizeof(wpa_s->sme.assoc_req_ie)) { 1456 wpa_msg(wpa_s, MSG_WARNING, 1457 "RSN: Not enough room for inserting own PMKID into RSNE"); 1458 return -1; 1459 } 1460 if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie, 1461 &wpa_s->sme.assoc_req_ie_len, 1462 wpa_s->sme.sae.pmkid) < 0) 1463 return -1; 1464 wpa_hexdump(MSG_DEBUG, 1465 "SME: Updated Association Request IEs", 1466 wpa_s->sme.assoc_req_ie, 1467 wpa_s->sme.assoc_req_ie_len); 1468 } 1469 1470 return 0; 1471 } 1472 1473 1474 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, 1475 const u8 *auth_frame, size_t len) 1476 { 1477 const struct ieee80211_mgmt *header; 1478 size_t auth_length; 1479 1480 header = (const struct ieee80211_mgmt *) auth_frame; 1481 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth); 1482 1483 if (len < auth_length) { 1484 /* Notify failure to the driver */ 1485 sme_send_external_auth_status(wpa_s, 1486 WLAN_STATUS_UNSPECIFIED_FAILURE); 1487 return; 1488 } 1489 1490 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { 1491 int res; 1492 1493 res = sme_sae_auth( 1494 wpa_s, le_to_host16(header->u.auth.auth_transaction), 1495 le_to_host16(header->u.auth.status_code), 1496 header->u.auth.variable, 1497 len - auth_length, 1, header->sa); 1498 if (res < 0) { 1499 /* Notify failure to the driver */ 1500 sme_send_external_auth_status( 1501 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE); 1502 return; 1503 } 1504 if (res != 1) 1505 return; 1506 1507 if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0) 1508 return; 1509 } 1510 } 1511 1512 #endif /* CONFIG_SAE */ 1513 1514 1515 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 1516 { 1517 struct wpa_ssid *ssid = wpa_s->current_ssid; 1518 1519 if (ssid == NULL) { 1520 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1521 "when network is not selected"); 1522 return; 1523 } 1524 1525 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 1526 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1527 "when not in authenticating state"); 1528 return; 1529 } 1530 1531 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 1532 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 1533 "unexpected peer " MACSTR, 1534 MAC2STR(data->auth.peer)); 1535 return; 1536 } 1537 1538 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 1539 " auth_type=%d auth_transaction=%d status_code=%d", 1540 MAC2STR(data->auth.peer), data->auth.auth_type, 1541 data->auth.auth_transaction, data->auth.status_code); 1542 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 1543 data->auth.ies, data->auth.ies_len); 1544 1545 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1546 1547 #ifdef CONFIG_SAE 1548 if (data->auth.auth_type == WLAN_AUTH_SAE) { 1549 int res; 1550 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 1551 data->auth.status_code, data->auth.ies, 1552 data->auth.ies_len, 0, data->auth.peer); 1553 if (res < 0) { 1554 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1555 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1556 1557 } 1558 if (res != 1) 1559 return; 1560 1561 if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0) 1562 return; 1563 } 1564 #endif /* CONFIG_SAE */ 1565 1566 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 1567 char *ie_txt = NULL; 1568 1569 if (data->auth.ies && data->auth.ies_len) { 1570 size_t buflen = 2 * data->auth.ies_len + 1; 1571 ie_txt = os_malloc(buflen); 1572 if (ie_txt) { 1573 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 1574 data->auth.ies_len); 1575 } 1576 } 1577 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1578 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 1579 MAC2STR(data->auth.peer), data->auth.auth_type, 1580 data->auth.auth_transaction, data->auth.status_code, 1581 ie_txt ? " ie=" : "", 1582 ie_txt ? ie_txt : ""); 1583 os_free(ie_txt); 1584 1585 #ifdef CONFIG_FILS 1586 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS || 1587 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS) 1588 fils_connection_failure(wpa_s); 1589 #endif /* CONFIG_FILS */ 1590 1591 if (data->auth.status_code != 1592 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 1593 wpa_s->sme.auth_alg == data->auth.auth_type || 1594 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 1595 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1596 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1597 return; 1598 } 1599 1600 wpas_connect_work_done(wpa_s); 1601 1602 switch (data->auth.auth_type) { 1603 case WLAN_AUTH_OPEN: 1604 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 1605 1606 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 1607 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1608 wpa_s->current_ssid); 1609 return; 1610 1611 case WLAN_AUTH_SHARED_KEY: 1612 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 1613 1614 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 1615 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1616 wpa_s->current_ssid); 1617 return; 1618 1619 default: 1620 return; 1621 } 1622 } 1623 1624 #ifdef CONFIG_IEEE80211R 1625 if (data->auth.auth_type == WLAN_AUTH_FT) { 1626 const u8 *ric_ies = NULL; 1627 size_t ric_ies_len = 0; 1628 1629 if (wpa_s->ric_ies) { 1630 ric_ies = wpabuf_head(wpa_s->ric_ies); 1631 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1632 } 1633 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1634 data->auth.ies_len, 0, 1635 data->auth.peer, 1636 ric_ies, ric_ies_len) < 0) { 1637 wpa_dbg(wpa_s, MSG_DEBUG, 1638 "SME: FT Authentication response processing failed"); 1639 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1640 MACSTR 1641 " reason=%d locally_generated=1", 1642 MAC2STR(wpa_s->pending_bssid), 1643 WLAN_REASON_DEAUTH_LEAVING); 1644 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1645 wpa_supplicant_mark_disassoc(wpa_s); 1646 return; 1647 } 1648 } 1649 #endif /* CONFIG_IEEE80211R */ 1650 1651 #ifdef CONFIG_FILS 1652 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1653 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1654 u16 expect_auth_type; 1655 1656 expect_auth_type = wpa_s->sme.auth_alg == 1657 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1658 WLAN_AUTH_FILS_SK; 1659 if (data->auth.auth_type != expect_auth_type) { 1660 wpa_dbg(wpa_s, MSG_DEBUG, 1661 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1662 data->auth.auth_type, expect_auth_type); 1663 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1664 MACSTR 1665 " reason=%d locally_generated=1", 1666 MAC2STR(wpa_s->pending_bssid), 1667 WLAN_REASON_DEAUTH_LEAVING); 1668 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1669 wpa_supplicant_mark_disassoc(wpa_s); 1670 return; 1671 } 1672 1673 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1674 data->auth.ies, data->auth.ies_len) < 0) { 1675 wpa_dbg(wpa_s, MSG_DEBUG, 1676 "SME: FILS Authentication response processing failed"); 1677 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1678 MACSTR 1679 " reason=%d locally_generated=1", 1680 MAC2STR(wpa_s->pending_bssid), 1681 WLAN_REASON_DEAUTH_LEAVING); 1682 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1683 wpa_supplicant_mark_disassoc(wpa_s); 1684 return; 1685 } 1686 } 1687 #endif /* CONFIG_FILS */ 1688 1689 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1690 data->auth.auth_type); 1691 } 1692 1693 1694 #ifdef CONFIG_IEEE80211R 1695 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1696 { 1697 u8 *pos, *next, *end; 1698 1699 pos = (u8 *) get_ie(buf, *len, eid); 1700 if (pos) { 1701 next = pos + 2 + pos[1]; 1702 end = buf + *len; 1703 *len -= 2 + pos[1]; 1704 os_memmove(pos, next, end - next); 1705 } 1706 } 1707 #endif /* CONFIG_IEEE80211R */ 1708 1709 1710 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1711 const u8 *bssid, u16 auth_type) 1712 { 1713 struct wpa_driver_associate_params params; 1714 struct ieee802_11_elems elems; 1715 struct wpa_ssid *ssid = wpa_s->current_ssid; 1716 #ifdef CONFIG_FILS 1717 u8 nonces[2 * FILS_NONCE_LEN]; 1718 #endif /* CONFIG_FILS */ 1719 #ifdef CONFIG_HT_OVERRIDES 1720 struct ieee80211_ht_capabilities htcaps; 1721 struct ieee80211_ht_capabilities htcaps_mask; 1722 #endif /* CONFIG_HT_OVERRIDES */ 1723 #ifdef CONFIG_VHT_OVERRIDES 1724 struct ieee80211_vht_capabilities vhtcaps; 1725 struct ieee80211_vht_capabilities vhtcaps_mask; 1726 #endif /* CONFIG_VHT_OVERRIDES */ 1727 1728 os_memset(¶ms, 0, sizeof(params)); 1729 1730 #ifdef CONFIG_FILS 1731 if (auth_type == WLAN_AUTH_FILS_SK || 1732 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1733 struct wpabuf *buf; 1734 const u8 *snonce, *anonce; 1735 const unsigned int max_hlp = 20; 1736 struct wpabuf *hlp[max_hlp]; 1737 unsigned int i, num_hlp = 0; 1738 struct fils_hlp_req *req; 1739 1740 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1741 list) { 1742 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1743 wpabuf_len(req->pkt)); 1744 if (!hlp[num_hlp]) 1745 break; 1746 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1747 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1748 ETH_ALEN); 1749 wpabuf_put_data(hlp[num_hlp], 1750 "\xaa\xaa\x03\x00\x00\x00", 6); 1751 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1752 num_hlp++; 1753 if (num_hlp >= max_hlp) 1754 break; 1755 } 1756 1757 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1758 ¶ms.fils_kek_len, &snonce, 1759 &anonce, 1760 (const struct wpabuf **) hlp, 1761 num_hlp); 1762 for (i = 0; i < num_hlp; i++) 1763 wpabuf_free(hlp[i]); 1764 if (!buf) 1765 return; 1766 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1767 wpa_s->sme.assoc_req_ie, 1768 wpa_s->sme.assoc_req_ie_len); 1769 #ifdef CONFIG_IEEE80211R 1770 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1771 /* Remove RSNE and MDE to allow them to be overridden 1772 * with FILS+FT specific values from 1773 * fils_build_assoc_req(). */ 1774 remove_ie(wpa_s->sme.assoc_req_ie, 1775 &wpa_s->sme.assoc_req_ie_len, 1776 WLAN_EID_RSN); 1777 wpa_hexdump(MSG_DEBUG, 1778 "FILS: assoc_req after RSNE removal", 1779 wpa_s->sme.assoc_req_ie, 1780 wpa_s->sme.assoc_req_ie_len); 1781 remove_ie(wpa_s->sme.assoc_req_ie, 1782 &wpa_s->sme.assoc_req_ie_len, 1783 WLAN_EID_MOBILITY_DOMAIN); 1784 wpa_hexdump(MSG_DEBUG, 1785 "FILS: assoc_req after MDE removal", 1786 wpa_s->sme.assoc_req_ie, 1787 wpa_s->sme.assoc_req_ie_len); 1788 } 1789 #endif /* CONFIG_IEEE80211R */ 1790 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1791 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1792 sizeof(wpa_s->sme.assoc_req_ie)) { 1793 wpa_printf(MSG_ERROR, 1794 "FILS: Not enough buffer room for own AssocReq elements"); 1795 wpabuf_free(buf); 1796 return; 1797 } 1798 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1799 wpabuf_head(buf), wpabuf_len(buf)); 1800 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1801 wpabuf_free(buf); 1802 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1803 wpa_s->sme.assoc_req_ie, 1804 wpa_s->sme.assoc_req_ie_len); 1805 1806 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1807 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1808 params.fils_nonces = nonces; 1809 params.fils_nonces_len = sizeof(nonces); 1810 } 1811 #endif /* CONFIG_FILS */ 1812 1813 #ifdef CONFIG_OWE 1814 #ifdef CONFIG_TESTING_OPTIONS 1815 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1816 WLAN_EID_EXT_OWE_DH_PARAM)) { 1817 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1818 } else 1819 #endif /* CONFIG_TESTING_OPTIONS */ 1820 if (auth_type == WLAN_AUTH_OPEN && 1821 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1822 struct wpabuf *owe_ie; 1823 u16 group; 1824 1825 if (ssid && ssid->owe_group) { 1826 group = ssid->owe_group; 1827 } else if (wpa_s->assoc_status_code == 1828 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) { 1829 if (wpa_s->last_owe_group == 19) 1830 group = 20; 1831 else if (wpa_s->last_owe_group == 20) 1832 group = 21; 1833 else 1834 group = OWE_DH_GROUP; 1835 } else { 1836 group = OWE_DH_GROUP; 1837 } 1838 1839 wpa_s->last_owe_group = group; 1840 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group); 1841 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1842 if (!owe_ie) { 1843 wpa_printf(MSG_ERROR, 1844 "OWE: Failed to build IE for Association Request frame"); 1845 return; 1846 } 1847 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1848 sizeof(wpa_s->sme.assoc_req_ie)) { 1849 wpa_printf(MSG_ERROR, 1850 "OWE: Not enough buffer room for own Association Request frame elements"); 1851 wpabuf_free(owe_ie); 1852 return; 1853 } 1854 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1855 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1856 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1857 wpabuf_free(owe_ie); 1858 } 1859 #endif /* CONFIG_OWE */ 1860 1861 #ifdef CONFIG_DPP2 1862 if (DPP_VERSION > 1 && wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && ssid && 1863 ssid->dpp_netaccesskey && ssid->dpp_pfs != 2 && 1864 !ssid->dpp_pfs_fallback) { 1865 struct rsn_pmksa_cache_entry *pmksa; 1866 1867 pmksa = pmksa_cache_get_current(wpa_s->wpa); 1868 if (!pmksa || !pmksa->dpp_pfs) 1869 goto pfs_fail; 1870 1871 dpp_pfs_free(wpa_s->dpp_pfs); 1872 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey, 1873 ssid->dpp_netaccesskey_len); 1874 if (!wpa_s->dpp_pfs) { 1875 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS"); 1876 /* Try to continue without PFS */ 1877 goto pfs_fail; 1878 } 1879 if (wpa_s->sme.assoc_req_ie_len + 1880 wpabuf_len(wpa_s->dpp_pfs->ie) > 1881 sizeof(wpa_s->sme.assoc_req_ie)) { 1882 wpa_printf(MSG_ERROR, 1883 "DPP: Not enough buffer room for own Association Request frame elements"); 1884 dpp_pfs_free(wpa_s->dpp_pfs); 1885 wpa_s->dpp_pfs = NULL; 1886 goto pfs_fail; 1887 } 1888 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1889 wpabuf_head(wpa_s->dpp_pfs->ie), 1890 wpabuf_len(wpa_s->dpp_pfs->ie)); 1891 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie); 1892 } 1893 pfs_fail: 1894 #endif /* CONFIG_DPP2 */ 1895 1896 wpa_s->mscs_setup_done = false; 1897 if (wpa_bss_ext_capab(wpa_s->current_bss, WLAN_EXT_CAPAB_MSCS) && 1898 wpa_s->robust_av.valid_config) { 1899 struct wpabuf *mscs_ie; 1900 size_t mscs_ie_len, buf_len, *wpa_ie_len, max_ie_len; 1901 1902 buf_len = 3 + /* MSCS descriptor IE header */ 1903 1 + /* Request type */ 1904 2 + /* User priority control */ 1905 4 + /* Stream timeout */ 1906 3 + /* TCLAS Mask IE header */ 1907 wpa_s->robust_av.frame_classifier_len; 1908 mscs_ie = wpabuf_alloc(buf_len); 1909 if (!mscs_ie) { 1910 wpa_printf(MSG_INFO, 1911 "MSCS: Failed to allocate MSCS IE"); 1912 goto mscs_fail; 1913 } 1914 1915 wpa_ie_len = &wpa_s->sme.assoc_req_ie_len; 1916 max_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 1917 wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie); 1918 if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) { 1919 wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie); 1920 mscs_ie_len = wpabuf_len(mscs_ie); 1921 os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len, 1922 wpabuf_head(mscs_ie), mscs_ie_len); 1923 *wpa_ie_len += mscs_ie_len; 1924 } 1925 1926 wpabuf_free(mscs_ie); 1927 } 1928 mscs_fail: 1929 1930 if (ssid && ssid->multi_ap_backhaul_sta) { 1931 size_t multi_ap_ie_len; 1932 1933 multi_ap_ie_len = add_multi_ap_ie( 1934 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1935 sizeof(wpa_s->sme.assoc_req_ie) - 1936 wpa_s->sme.assoc_req_ie_len, 1937 MULTI_AP_BACKHAUL_STA); 1938 if (multi_ap_ie_len == 0) { 1939 wpa_printf(MSG_ERROR, 1940 "Multi-AP: Failed to build Multi-AP IE"); 1941 return; 1942 } 1943 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len; 1944 } 1945 1946 params.bssid = bssid; 1947 params.ssid = wpa_s->sme.ssid; 1948 params.ssid_len = wpa_s->sme.ssid_len; 1949 params.freq.freq = wpa_s->sme.freq; 1950 params.bg_scan_period = ssid ? ssid->bg_scan_period : -1; 1951 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1952 wpa_s->sme.assoc_req_ie : NULL; 1953 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1954 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs", 1955 params.wpa_ie, params.wpa_ie_len); 1956 params.pairwise_suite = wpa_s->pairwise_cipher; 1957 params.group_suite = wpa_s->group_cipher; 1958 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1959 params.key_mgmt_suite = wpa_s->key_mgmt; 1960 params.wpa_proto = wpa_s->wpa_proto; 1961 #ifdef CONFIG_HT_OVERRIDES 1962 os_memset(&htcaps, 0, sizeof(htcaps)); 1963 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1964 params.htcaps = (u8 *) &htcaps; 1965 params.htcaps_mask = (u8 *) &htcaps_mask; 1966 wpa_supplicant_apply_ht_overrides(wpa_s, ssid, ¶ms); 1967 #endif /* CONFIG_HT_OVERRIDES */ 1968 #ifdef CONFIG_VHT_OVERRIDES 1969 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1970 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1971 params.vhtcaps = &vhtcaps; 1972 params.vhtcaps_mask = &vhtcaps_mask; 1973 wpa_supplicant_apply_vht_overrides(wpa_s, ssid, ¶ms); 1974 #endif /* CONFIG_VHT_OVERRIDES */ 1975 #ifdef CONFIG_HE_OVERRIDES 1976 wpa_supplicant_apply_he_overrides(wpa_s, ssid, ¶ms); 1977 #endif /* CONFIG_HE_OVERRIDES */ 1978 #ifdef CONFIG_IEEE80211R 1979 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies && 1980 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len, 1981 WLAN_EID_RIC_DATA)) { 1982 /* There seems to be a pretty inconvenient bug in the Linux 1983 * kernel IE splitting functionality when RIC is used. For now, 1984 * skip correct behavior in IE construction here (i.e., drop the 1985 * additional non-FT-specific IEs) to avoid kernel issues. This 1986 * is fine since RIC is used only for testing purposes in the 1987 * current implementation. */ 1988 wpa_printf(MSG_INFO, 1989 "SME: Linux kernel workaround - do not try to include additional IEs with RIC"); 1990 params.wpa_ie = wpa_s->sme.ft_ies; 1991 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1992 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1993 const u8 *rm_en, *pos, *end; 1994 size_t rm_en_len = 0; 1995 u8 *rm_en_dup = NULL, *wpos; 1996 1997 /* Remove RSNE, MDE, FTE to allow them to be overridden with 1998 * FT specific values */ 1999 remove_ie(wpa_s->sme.assoc_req_ie, 2000 &wpa_s->sme.assoc_req_ie_len, 2001 WLAN_EID_RSN); 2002 remove_ie(wpa_s->sme.assoc_req_ie, 2003 &wpa_s->sme.assoc_req_ie_len, 2004 WLAN_EID_MOBILITY_DOMAIN); 2005 remove_ie(wpa_s->sme.assoc_req_ie, 2006 &wpa_s->sme.assoc_req_ie_len, 2007 WLAN_EID_FAST_BSS_TRANSITION); 2008 rm_en = get_ie(wpa_s->sme.assoc_req_ie, 2009 wpa_s->sme.assoc_req_ie_len, 2010 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2011 if (rm_en) { 2012 /* Need to remove RM Enabled Capabilities element as 2013 * well temporarily, so that it can be placed between 2014 * RSNE and MDE. */ 2015 rm_en_len = 2 + rm_en[1]; 2016 rm_en_dup = os_memdup(rm_en, rm_en_len); 2017 remove_ie(wpa_s->sme.assoc_req_ie, 2018 &wpa_s->sme.assoc_req_ie_len, 2019 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2020 } 2021 wpa_hexdump(MSG_DEBUG, 2022 "SME: Association Request IEs after FT IE removal", 2023 wpa_s->sme.assoc_req_ie, 2024 wpa_s->sme.assoc_req_ie_len); 2025 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len + 2026 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) { 2027 wpa_printf(MSG_ERROR, 2028 "SME: Not enough buffer room for FT IEs in Association Request frame"); 2029 os_free(rm_en_dup); 2030 return; 2031 } 2032 2033 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len + 2034 rm_en_len, 2035 wpa_s->sme.assoc_req_ie, 2036 wpa_s->sme.assoc_req_ie_len); 2037 pos = wpa_s->sme.ft_ies; 2038 end = pos + wpa_s->sme.ft_ies_len; 2039 wpos = wpa_s->sme.assoc_req_ie; 2040 if (*pos == WLAN_EID_RSN) { 2041 os_memcpy(wpos, pos, 2 + pos[1]); 2042 wpos += 2 + pos[1]; 2043 pos += 2 + pos[1]; 2044 } 2045 if (rm_en_dup) { 2046 os_memcpy(wpos, rm_en_dup, rm_en_len); 2047 wpos += rm_en_len; 2048 os_free(rm_en_dup); 2049 } 2050 os_memcpy(wpos, pos, end - pos); 2051 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len + 2052 rm_en_len; 2053 params.wpa_ie = wpa_s->sme.assoc_req_ie; 2054 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 2055 wpa_hexdump(MSG_DEBUG, 2056 "SME: Association Request IEs after FT override", 2057 params.wpa_ie, params.wpa_ie_len); 2058 } 2059 #endif /* CONFIG_IEEE80211R */ 2060 params.mode = mode; 2061 params.mgmt_frame_protection = wpa_s->sme.mfp; 2062 params.rrm_used = wpa_s->rrm.rrm_used; 2063 if (wpa_s->sme.prev_bssid_set) 2064 params.prev_bssid = wpa_s->sme.prev_bssid; 2065 2066 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 2067 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 2068 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 2069 params.freq.freq); 2070 2071 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 2072 2073 if (params.wpa_ie == NULL || 2074 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 2075 < 0) { 2076 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 2077 os_memset(&elems, 0, sizeof(elems)); 2078 } 2079 if (elems.rsn_ie) { 2080 params.wpa_proto = WPA_PROTO_RSN; 2081 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 2082 elems.rsn_ie_len + 2); 2083 } else if (elems.wpa_ie) { 2084 params.wpa_proto = WPA_PROTO_WPA; 2085 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 2086 elems.wpa_ie_len + 2); 2087 } else if (elems.osen) { 2088 params.wpa_proto = WPA_PROTO_OSEN; 2089 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 2090 elems.osen_len + 2); 2091 } else 2092 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 2093 if (elems.rsnxe) 2094 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, elems.rsnxe - 2, 2095 elems.rsnxe_len + 2); 2096 else 2097 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 2098 if (ssid && ssid->p2p_group) 2099 params.p2p = 1; 2100 2101 if (wpa_s->p2pdev->set_sta_uapsd) 2102 params.uapsd = wpa_s->p2pdev->sta_uapsd; 2103 else 2104 params.uapsd = -1; 2105 2106 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 2107 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 2108 "driver failed"); 2109 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2110 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2111 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2112 return; 2113 } 2114 2115 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 2116 NULL); 2117 2118 #ifdef CONFIG_TESTING_OPTIONS 2119 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 2120 wpa_s->last_assoc_req_wpa_ie = NULL; 2121 if (params.wpa_ie) 2122 wpa_s->last_assoc_req_wpa_ie = 2123 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 2124 #endif /* CONFIG_TESTING_OPTIONS */ 2125 } 2126 2127 2128 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 2129 const u8 *ies, size_t ies_len) 2130 { 2131 if (md == NULL || ies == NULL) { 2132 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 2133 os_free(wpa_s->sme.ft_ies); 2134 wpa_s->sme.ft_ies = NULL; 2135 wpa_s->sme.ft_ies_len = 0; 2136 wpa_s->sme.ft_used = 0; 2137 return 0; 2138 } 2139 2140 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 2141 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 2142 os_free(wpa_s->sme.ft_ies); 2143 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 2144 if (wpa_s->sme.ft_ies == NULL) 2145 return -1; 2146 wpa_s->sme.ft_ies_len = ies_len; 2147 return 0; 2148 } 2149 2150 2151 static void sme_deauth(struct wpa_supplicant *wpa_s) 2152 { 2153 int bssid_changed; 2154 2155 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 2156 2157 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2158 WLAN_REASON_DEAUTH_LEAVING) < 0) { 2159 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 2160 "failed"); 2161 } 2162 wpa_s->sme.prev_bssid_set = 0; 2163 2164 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2165 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2166 os_memset(wpa_s->bssid, 0, ETH_ALEN); 2167 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2168 if (bssid_changed) 2169 wpas_notify_bssid_changed(wpa_s); 2170 } 2171 2172 2173 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 2174 union wpa_event_data *data) 2175 { 2176 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 2177 "status code %d", MAC2STR(wpa_s->pending_bssid), 2178 data->assoc_reject.status_code); 2179 2180 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2181 2182 #ifdef CONFIG_SAE 2183 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 2184 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 2185 wpa_dbg(wpa_s, MSG_DEBUG, 2186 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 2187 wpa_sm_aborted_cached(wpa_s->wpa); 2188 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 2189 if (wpa_s->current_bss) { 2190 struct wpa_bss *bss = wpa_s->current_bss; 2191 struct wpa_ssid *ssid = wpa_s->current_ssid; 2192 2193 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2194 WLAN_REASON_DEAUTH_LEAVING); 2195 wpas_connect_work_done(wpa_s); 2196 wpa_supplicant_mark_disassoc(wpa_s); 2197 wpa_supplicant_connect(wpa_s, bss, ssid); 2198 return; 2199 } 2200 } 2201 #endif /* CONFIG_SAE */ 2202 2203 /* 2204 * For now, unconditionally terminate the previous authentication. In 2205 * theory, this should not be needed, but mac80211 gets quite confused 2206 * if the authentication is left pending.. Some roaming cases might 2207 * benefit from using the previous authentication, so this could be 2208 * optimized in the future. 2209 */ 2210 sme_deauth(wpa_s); 2211 } 2212 2213 2214 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 2215 union wpa_event_data *data) 2216 { 2217 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 2218 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2219 wpa_supplicant_mark_disassoc(wpa_s); 2220 } 2221 2222 2223 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 2224 union wpa_event_data *data) 2225 { 2226 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 2227 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2228 wpa_supplicant_mark_disassoc(wpa_s); 2229 } 2230 2231 2232 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 2233 struct disassoc_info *info) 2234 { 2235 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 2236 if (wpa_s->sme.prev_bssid_set) { 2237 /* 2238 * cfg80211/mac80211 can get into somewhat confused state if 2239 * the AP only disassociates us and leaves us in authenticated 2240 * state. For now, force the state to be cleared to avoid 2241 * confusing errors if we try to associate with the AP again. 2242 */ 2243 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 2244 "driver state"); 2245 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 2246 WLAN_REASON_DEAUTH_LEAVING); 2247 } 2248 } 2249 2250 2251 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 2252 { 2253 struct wpa_supplicant *wpa_s = eloop_ctx; 2254 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 2255 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 2256 sme_deauth(wpa_s); 2257 } 2258 } 2259 2260 2261 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 2262 { 2263 struct wpa_supplicant *wpa_s = eloop_ctx; 2264 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 2265 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 2266 sme_deauth(wpa_s); 2267 } 2268 } 2269 2270 2271 void sme_state_changed(struct wpa_supplicant *wpa_s) 2272 { 2273 /* Make sure timers are cleaned up appropriately. */ 2274 if (wpa_s->wpa_state != WPA_ASSOCIATING) 2275 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2276 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 2277 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2278 } 2279 2280 2281 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 2282 const u8 *prev_pending_bssid) 2283 { 2284 /* 2285 * mac80211-workaround to force deauth on failed auth cmd, 2286 * requires us to remain in authenticating state to allow the 2287 * second authentication attempt to be continued properly. 2288 */ 2289 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 2290 "to proceed after disconnection event"); 2291 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 2292 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 2293 2294 /* 2295 * Re-arm authentication timer in case auth fails for whatever reason. 2296 */ 2297 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2298 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 2299 NULL); 2300 } 2301 2302 2303 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 2304 { 2305 wpa_s->sme.prev_bssid_set = 0; 2306 #ifdef CONFIG_SAE 2307 wpabuf_free(wpa_s->sme.sae_token); 2308 wpa_s->sme.sae_token = NULL; 2309 sae_clear_data(&wpa_s->sme.sae); 2310 #endif /* CONFIG_SAE */ 2311 #ifdef CONFIG_IEEE80211R 2312 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used) 2313 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 2314 #endif /* CONFIG_IEEE80211R */ 2315 sme_stop_sa_query(wpa_s); 2316 } 2317 2318 2319 void sme_deinit(struct wpa_supplicant *wpa_s) 2320 { 2321 sme_clear_on_disassoc(wpa_s); 2322 #ifdef CONFIG_SAE 2323 os_free(wpa_s->sme.sae_rejected_groups); 2324 wpa_s->sme.sae_rejected_groups = NULL; 2325 #endif /* CONFIG_SAE */ 2326 2327 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2328 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2329 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2330 } 2331 2332 2333 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 2334 const u8 *chan_list, u8 num_channels, 2335 u8 num_intol) 2336 { 2337 struct ieee80211_2040_bss_coex_ie *bc_ie; 2338 struct ieee80211_2040_intol_chan_report *ic_report; 2339 struct wpabuf *buf; 2340 2341 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 2342 " (num_channels=%u num_intol=%u)", 2343 MAC2STR(wpa_s->bssid), num_channels, num_intol); 2344 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 2345 chan_list, num_channels); 2346 2347 buf = wpabuf_alloc(2 + /* action.category + action_code */ 2348 sizeof(struct ieee80211_2040_bss_coex_ie) + 2349 sizeof(struct ieee80211_2040_intol_chan_report) + 2350 num_channels); 2351 if (buf == NULL) 2352 return; 2353 2354 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 2355 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 2356 2357 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 2358 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 2359 bc_ie->length = 1; 2360 if (num_intol) 2361 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 2362 2363 if (num_channels > 0) { 2364 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 2365 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 2366 ic_report->length = num_channels + 1; 2367 ic_report->op_class = 0; 2368 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 2369 num_channels); 2370 } 2371 2372 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2373 wpa_s->own_addr, wpa_s->bssid, 2374 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 2375 wpa_msg(wpa_s, MSG_INFO, 2376 "SME: Failed to send 20/40 BSS Coexistence frame"); 2377 } 2378 2379 wpabuf_free(buf); 2380 } 2381 2382 2383 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s, 2384 struct wpa_scan_results *scan_res) 2385 { 2386 const u8 *ie; 2387 u8 chan_list[P2P_MAX_CHANNELS], channel; 2388 u8 num_channels = 0, num_intol = 0, i; 2389 size_t j; 2390 int pri_freq, sec_freq; 2391 2392 if (!wpa_s->sme.sched_obss_scan) 2393 return 0; 2394 2395 wpa_s->sme.sched_obss_scan = 0; 2396 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 2397 return 1; 2398 2399 /* 2400 * Check whether AP uses regulatory triplet or channel triplet in 2401 * country info. Right now the operating class of the BSS channel 2402 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 2403 * based on the assumption that operating class triplet is not used in 2404 * beacon frame. If the First Channel Number/Operating Extension 2405 * Identifier octet has a positive integer value of 201 or greater, 2406 * then its operating class triplet. 2407 * 2408 * TODO: If Supported Operating Classes element is present in beacon 2409 * frame, have to lookup operating class in Annex E and fill them in 2410 * 2040 coex frame. 2411 */ 2412 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 2413 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 2414 return 1; 2415 2416 os_memset(chan_list, 0, sizeof(chan_list)); 2417 2418 pri_freq = wpa_s->assoc_freq; 2419 2420 switch (wpa_s->sme.ht_sec_chan) { 2421 case HT_SEC_CHAN_ABOVE: 2422 sec_freq = pri_freq + 20; 2423 break; 2424 case HT_SEC_CHAN_BELOW: 2425 sec_freq = pri_freq - 20; 2426 break; 2427 case HT_SEC_CHAN_UNKNOWN: 2428 default: 2429 wpa_msg(wpa_s, MSG_WARNING, 2430 "Undefined secondary channel: drop OBSS scan results"); 2431 return 1; 2432 } 2433 2434 for (j = 0; j < scan_res->num; j++) { 2435 struct wpa_scan_res *bss = scan_res->res[j]; 2436 enum hostapd_hw_mode mode; 2437 int res; 2438 2439 /* Skip other band bss */ 2440 mode = ieee80211_freq_to_chan(bss->freq, &channel); 2441 if (mode != HOSTAPD_MODE_IEEE80211G && 2442 mode != HOSTAPD_MODE_IEEE80211B) 2443 continue; 2444 2445 res = check_bss_coex_40mhz(bss, pri_freq, sec_freq); 2446 if (res) { 2447 if (res == 2) 2448 num_intol++; 2449 2450 /* Check whether the channel is already considered */ 2451 for (i = 0; i < num_channels; i++) { 2452 if (channel == chan_list[i]) 2453 break; 2454 } 2455 if (i != num_channels) 2456 continue; 2457 2458 chan_list[num_channels++] = channel; 2459 } 2460 } 2461 2462 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 2463 return 1; 2464 } 2465 2466 2467 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 2468 struct wpa_driver_scan_params *params) 2469 { 2470 /* Include only affected channels */ 2471 struct hostapd_hw_modes *mode; 2472 int count, i; 2473 int start, end; 2474 2475 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 2476 HOSTAPD_MODE_IEEE80211G, false); 2477 if (mode == NULL) { 2478 /* No channels supported in this band - use empty list */ 2479 params->freqs = os_zalloc(sizeof(int)); 2480 return; 2481 } 2482 2483 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 2484 wpa_s->current_bss) { 2485 const u8 *ie; 2486 2487 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 2488 if (ie && ie[1] >= 2) { 2489 u8 o; 2490 2491 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 2492 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 2493 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 2494 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 2495 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 2496 } 2497 } 2498 2499 start = wpa_s->assoc_freq - 10; 2500 end = wpa_s->assoc_freq + 10; 2501 switch (wpa_s->sme.ht_sec_chan) { 2502 case HT_SEC_CHAN_UNKNOWN: 2503 /* HT40+ possible on channels 1..9 */ 2504 if (wpa_s->assoc_freq <= 2452) 2505 start -= 20; 2506 /* HT40- possible on channels 5-13 */ 2507 if (wpa_s->assoc_freq >= 2432) 2508 end += 20; 2509 break; 2510 case HT_SEC_CHAN_ABOVE: 2511 end += 20; 2512 break; 2513 case HT_SEC_CHAN_BELOW: 2514 start -= 20; 2515 break; 2516 } 2517 wpa_printf(MSG_DEBUG, 2518 "OBSS: assoc_freq %d possible affected range %d-%d", 2519 wpa_s->assoc_freq, start, end); 2520 2521 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 2522 if (params->freqs == NULL) 2523 return; 2524 for (count = 0, i = 0; i < mode->num_channels; i++) { 2525 int freq; 2526 2527 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 2528 continue; 2529 freq = mode->channels[i].freq; 2530 if (freq - 10 >= end || freq + 10 <= start) 2531 continue; /* not affected */ 2532 params->freqs[count++] = freq; 2533 } 2534 } 2535 2536 2537 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 2538 { 2539 struct wpa_supplicant *wpa_s = eloop_ctx; 2540 struct wpa_driver_scan_params params; 2541 2542 if (!wpa_s->current_bss) { 2543 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 2544 return; 2545 } 2546 2547 os_memset(¶ms, 0, sizeof(params)); 2548 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 2549 params.low_priority = 1; 2550 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 2551 2552 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 2553 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 2554 else 2555 wpa_s->sme.sched_obss_scan = 1; 2556 os_free(params.freqs); 2557 2558 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2559 sme_obss_scan_timeout, wpa_s, NULL); 2560 } 2561 2562 2563 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 2564 { 2565 const u8 *ie; 2566 struct wpa_bss *bss = wpa_s->current_bss; 2567 struct wpa_ssid *ssid = wpa_s->current_ssid; 2568 struct hostapd_hw_modes *hw_mode = NULL; 2569 int i; 2570 2571 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2572 wpa_s->sme.sched_obss_scan = 0; 2573 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 2574 if (!enable) 2575 return; 2576 2577 /* 2578 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 2579 * or it expects OBSS scan to be performed by wpa_supplicant. 2580 */ 2581 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 2582 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 2583 ssid == NULL || ssid->mode != WPAS_MODE_INFRA) 2584 return; 2585 2586 if (!wpa_s->hw.modes) 2587 return; 2588 2589 /* only HT caps in 11g mode are relevant */ 2590 for (i = 0; i < wpa_s->hw.num_modes; i++) { 2591 hw_mode = &wpa_s->hw.modes[i]; 2592 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 2593 break; 2594 } 2595 2596 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 2597 if (i == wpa_s->hw.num_modes || !hw_mode || 2598 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2599 return; 2600 2601 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 2602 return; /* Not associated on 2.4 GHz band */ 2603 2604 /* Check whether AP supports HT40 */ 2605 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 2606 if (!ie || ie[1] < 2 || 2607 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2608 return; /* AP does not support HT40 */ 2609 2610 ie = wpa_bss_get_ie(wpa_s->current_bss, 2611 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 2612 if (!ie || ie[1] < 14) 2613 return; /* AP does not request OBSS scans */ 2614 2615 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 2616 if (wpa_s->sme.obss_scan_int < 10) { 2617 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 2618 "replaced with the minimum 10 sec", 2619 wpa_s->sme.obss_scan_int); 2620 wpa_s->sme.obss_scan_int = 10; 2621 } 2622 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 2623 wpa_s->sme.obss_scan_int); 2624 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2625 sme_obss_scan_timeout, wpa_s, NULL); 2626 } 2627 2628 2629 static const unsigned int sa_query_max_timeout = 1000; 2630 static const unsigned int sa_query_retry_timeout = 201; 2631 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */ 2632 2633 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 2634 { 2635 u32 tu; 2636 struct os_reltime now, passed; 2637 os_get_reltime(&now); 2638 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 2639 tu = (passed.sec * 1000000 + passed.usec) / 1024; 2640 if (sa_query_max_timeout < tu) { 2641 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 2642 sme_stop_sa_query(wpa_s); 2643 wpa_supplicant_deauthenticate( 2644 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 2645 return 1; 2646 } 2647 2648 return 0; 2649 } 2650 2651 2652 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 2653 const u8 *trans_id) 2654 { 2655 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2656 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2657 2658 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 2659 MACSTR, MAC2STR(wpa_s->bssid)); 2660 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 2661 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2662 req[0] = WLAN_ACTION_SA_QUERY; 2663 req[1] = WLAN_SA_QUERY_REQUEST; 2664 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2665 2666 #ifdef CONFIG_OCV 2667 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2668 struct wpa_channel_info ci; 2669 2670 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2671 wpa_printf(MSG_WARNING, 2672 "Failed to get channel info for OCI element in SA Query Request frame"); 2673 return; 2674 } 2675 2676 #ifdef CONFIG_TESTING_OPTIONS 2677 if (wpa_s->oci_freq_override_saquery_req) { 2678 wpa_printf(MSG_INFO, 2679 "TEST: Override SA Query Request OCI frequency %d -> %d MHz", 2680 ci.frequency, 2681 wpa_s->oci_freq_override_saquery_req); 2682 ci.frequency = wpa_s->oci_freq_override_saquery_req; 2683 } 2684 #endif /* CONFIG_TESTING_OPTIONS */ 2685 2686 if (ocv_insert_extended_oci(&ci, req + req_len) < 0) 2687 return; 2688 2689 req_len += OCV_OCI_EXTENDED_LEN; 2690 } 2691 #endif /* CONFIG_OCV */ 2692 2693 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2694 wpa_s->own_addr, wpa_s->bssid, 2695 req, req_len, 0) < 0) 2696 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 2697 "Request"); 2698 } 2699 2700 2701 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 2702 { 2703 struct wpa_supplicant *wpa_s = eloop_ctx; 2704 unsigned int timeout, sec, usec; 2705 u8 *trans_id, *nbuf; 2706 2707 if (wpa_s->sme.sa_query_count > 0 && 2708 sme_check_sa_query_timeout(wpa_s)) 2709 return; 2710 2711 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 2712 wpa_s->sme.sa_query_count + 1, 2713 WLAN_SA_QUERY_TR_ID_LEN); 2714 if (nbuf == NULL) { 2715 sme_stop_sa_query(wpa_s); 2716 return; 2717 } 2718 if (wpa_s->sme.sa_query_count == 0) { 2719 /* Starting a new SA Query procedure */ 2720 os_get_reltime(&wpa_s->sme.sa_query_start); 2721 } 2722 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 2723 wpa_s->sme.sa_query_trans_id = nbuf; 2724 wpa_s->sme.sa_query_count++; 2725 2726 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 2727 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 2728 sme_stop_sa_query(wpa_s); 2729 return; 2730 } 2731 2732 timeout = sa_query_retry_timeout; 2733 sec = ((timeout / 1000) * 1024) / 1000; 2734 usec = (timeout % 1000) * 1024; 2735 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 2736 2737 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 2738 wpa_s->sme.sa_query_count); 2739 2740 sme_send_sa_query_req(wpa_s, trans_id); 2741 } 2742 2743 2744 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 2745 { 2746 sme_sa_query_timer(wpa_s, NULL); 2747 } 2748 2749 2750 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 2751 { 2752 if (wpa_s->sme.sa_query_trans_id) 2753 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query"); 2754 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 2755 os_free(wpa_s->sme.sa_query_trans_id); 2756 wpa_s->sme.sa_query_trans_id = NULL; 2757 wpa_s->sme.sa_query_count = 0; 2758 } 2759 2760 2761 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 2762 const u8 *da, u16 reason_code) 2763 { 2764 struct wpa_ssid *ssid; 2765 struct os_reltime now; 2766 2767 if (wpa_s->wpa_state != WPA_COMPLETED) 2768 return; 2769 ssid = wpa_s->current_ssid; 2770 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 2771 return; 2772 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2773 return; 2774 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 2775 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 2776 return; 2777 if (wpa_s->sme.sa_query_count > 0) 2778 return; 2779 #ifdef CONFIG_TESTING_OPTIONS 2780 if (wpa_s->disable_sa_query) 2781 return; 2782 #endif /* CONFIG_TESTING_OPTIONS */ 2783 2784 os_get_reltime(&now); 2785 if (wpa_s->sme.last_unprot_disconnect.sec && 2786 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 2787 return; /* limit SA Query procedure frequency */ 2788 wpa_s->sme.last_unprot_disconnect = now; 2789 2790 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 2791 "possible AP/STA state mismatch - trigger SA Query"); 2792 sme_start_sa_query(wpa_s); 2793 } 2794 2795 2796 void sme_event_ch_switch(struct wpa_supplicant *wpa_s) 2797 { 2798 unsigned int usec; 2799 u32 _rand; 2800 2801 if (wpa_s->wpa_state != WPA_COMPLETED || 2802 !wpa_sm_ocv_enabled(wpa_s->wpa)) 2803 return; 2804 2805 wpa_dbg(wpa_s, MSG_DEBUG, 2806 "SME: Channel switch completed - trigger new SA Query to verify new operating channel"); 2807 sme_stop_sa_query(wpa_s); 2808 2809 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0) 2810 _rand = os_random(); 2811 usec = _rand % (sa_query_ch_switch_max_delay + 1); 2812 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL); 2813 } 2814 2815 2816 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s, 2817 const u8 *sa, const u8 *data, 2818 size_t len) 2819 { 2820 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2821 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2822 2823 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to " 2824 MACSTR, MAC2STR(wpa_s->bssid)); 2825 2826 resp[0] = WLAN_ACTION_SA_QUERY; 2827 resp[1] = WLAN_SA_QUERY_RESPONSE; 2828 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN); 2829 2830 #ifdef CONFIG_OCV 2831 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2832 struct wpa_channel_info ci; 2833 2834 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2835 wpa_printf(MSG_WARNING, 2836 "Failed to get channel info for OCI element in SA Query Response frame"); 2837 return; 2838 } 2839 2840 #ifdef CONFIG_TESTING_OPTIONS 2841 if (wpa_s->oci_freq_override_saquery_resp) { 2842 wpa_printf(MSG_INFO, 2843 "TEST: Override SA Query Response OCI frequency %d -> %d MHz", 2844 ci.frequency, 2845 wpa_s->oci_freq_override_saquery_resp); 2846 ci.frequency = wpa_s->oci_freq_override_saquery_resp; 2847 } 2848 #endif /* CONFIG_TESTING_OPTIONS */ 2849 2850 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0) 2851 return; 2852 2853 resp_len += OCV_OCI_EXTENDED_LEN; 2854 } 2855 #endif /* CONFIG_OCV */ 2856 2857 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2858 wpa_s->own_addr, wpa_s->bssid, 2859 resp, resp_len, 0) < 0) 2860 wpa_msg(wpa_s, MSG_INFO, 2861 "SME: Failed to send SA Query Response"); 2862 } 2863 2864 2865 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s, 2866 const u8 *sa, const u8 *data, 2867 size_t len) 2868 { 2869 int i; 2870 2871 if (!wpa_s->sme.sa_query_trans_id) 2872 return; 2873 2874 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 2875 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2876 2877 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2878 return; 2879 2880 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 2881 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 2882 i * WLAN_SA_QUERY_TR_ID_LEN, 2883 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 2884 break; 2885 } 2886 2887 if (i >= wpa_s->sme.sa_query_count) { 2888 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 2889 "transaction identifier found"); 2890 return; 2891 } 2892 2893 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 2894 "from " MACSTR, MAC2STR(sa)); 2895 sme_stop_sa_query(wpa_s); 2896 } 2897 2898 2899 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa, 2900 const u8 *data, size_t len) 2901 { 2902 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN) 2903 return; 2904 if (is_multicast_ether_addr(da)) { 2905 wpa_printf(MSG_DEBUG, 2906 "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")", 2907 MAC2STR(da), MAC2STR(sa)); 2908 return; 2909 } 2910 2911 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from " 2912 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2913 2914 #ifdef CONFIG_OCV 2915 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2916 struct ieee802_11_elems elems; 2917 struct wpa_channel_info ci; 2918 2919 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN, 2920 len - 1 - WLAN_SA_QUERY_TR_ID_LEN, 2921 &elems, 1) == ParseFailed) { 2922 wpa_printf(MSG_DEBUG, 2923 "SA Query: Failed to parse elements"); 2924 return; 2925 } 2926 2927 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2928 wpa_printf(MSG_WARNING, 2929 "Failed to get channel info to validate received OCI in SA Query Action frame"); 2930 return; 2931 } 2932 2933 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 2934 channel_width_to_int(ci.chanwidth), 2935 ci.seg1_idx) != OCI_SUCCESS) { 2936 wpa_msg(wpa_s, MSG_INFO, OCV_FAILURE "addr=" MACSTR 2937 " frame=saquery%s error=%s", 2938 MAC2STR(sa), data[0] == WLAN_SA_QUERY_REQUEST ? 2939 "req" : "resp", ocv_errorstr); 2940 return; 2941 } 2942 } 2943 #endif /* CONFIG_OCV */ 2944 2945 if (data[0] == WLAN_SA_QUERY_REQUEST) 2946 sme_process_sa_query_request(wpa_s, sa, data, len); 2947 else if (data[0] == WLAN_SA_QUERY_RESPONSE) 2948 sme_process_sa_query_response(wpa_s, sa, data, len); 2949 } 2950