1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "common/ocv.h" 16 #include "eapol_supp/eapol_supp_sm.h" 17 #include "common/wpa_common.h" 18 #include "common/sae.h" 19 #include "common/dpp.h" 20 #include "rsn_supp/wpa.h" 21 #include "rsn_supp/pmksa_cache.h" 22 #include "config.h" 23 #include "wpa_supplicant_i.h" 24 #include "driver_i.h" 25 #include "wpas_glue.h" 26 #include "wps_supplicant.h" 27 #include "p2p_supplicant.h" 28 #include "notify.h" 29 #include "bss.h" 30 #include "scan.h" 31 #include "sme.h" 32 #include "hs20_supplicant.h" 33 34 #define SME_AUTH_TIMEOUT 5 35 #define SME_ASSOC_TIMEOUT 5 36 37 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 38 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 39 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 40 #ifdef CONFIG_IEEE80211W 41 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 42 #endif /* CONFIG_IEEE80211W */ 43 44 45 #ifdef CONFIG_SAE 46 47 static int index_within_array(const int *array, int idx) 48 { 49 int i; 50 for (i = 0; i < idx; i++) { 51 if (array[i] <= 0) 52 return 0; 53 } 54 return 1; 55 } 56 57 58 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 59 { 60 int *groups = wpa_s->conf->sae_groups; 61 int default_groups[] = { 19, 20, 21, 0 }; 62 63 if (!groups || groups[0] <= 0) 64 groups = default_groups; 65 66 /* Configuration may have changed, so validate current index */ 67 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 68 return -1; 69 70 for (;;) { 71 int group = groups[wpa_s->sme.sae_group_index]; 72 if (group <= 0) 73 break; 74 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 75 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 76 wpa_s->sme.sae.group); 77 return 0; 78 } 79 wpa_s->sme.sae_group_index++; 80 } 81 82 return -1; 83 } 84 85 86 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 87 struct wpa_ssid *ssid, 88 const u8 *bssid, int external, 89 int reuse) 90 { 91 struct wpabuf *buf; 92 size_t len; 93 const char *password; 94 95 #ifdef CONFIG_TESTING_OPTIONS 96 if (wpa_s->sae_commit_override) { 97 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 98 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 99 if (!buf) 100 return NULL; 101 if (!external) { 102 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 103 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 104 } 105 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 106 return buf; 107 } 108 #endif /* CONFIG_TESTING_OPTIONS */ 109 110 password = ssid->sae_password; 111 if (!password) 112 password = ssid->passphrase; 113 if (!password) { 114 wpa_printf(MSG_DEBUG, "SAE: No password available"); 115 return NULL; 116 } 117 118 if (reuse && wpa_s->sme.sae.tmp && 119 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) { 120 wpa_printf(MSG_DEBUG, 121 "SAE: Reuse previously generated PWE on a retry with the same AP"); 122 goto reuse_data; 123 } 124 if (sme_set_sae_group(wpa_s) < 0) { 125 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 126 return NULL; 127 } 128 129 if (sae_prepare_commit(wpa_s->own_addr, bssid, 130 (u8 *) password, os_strlen(password), 131 ssid->sae_password_id, 132 &wpa_s->sme.sae) < 0) { 133 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 134 return NULL; 135 } 136 if (wpa_s->sme.sae.tmp) 137 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); 138 139 reuse_data: 140 len = wpa_s->sme.sae_token ? wpabuf_len(wpa_s->sme.sae_token) : 0; 141 if (ssid->sae_password_id) 142 len += 4 + os_strlen(ssid->sae_password_id); 143 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 144 if (buf == NULL) 145 return NULL; 146 if (!external) { 147 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 148 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 149 } 150 sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, 151 ssid->sae_password_id); 152 153 return buf; 154 } 155 156 157 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s, 158 int external) 159 { 160 struct wpabuf *buf; 161 162 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 163 if (buf == NULL) 164 return NULL; 165 166 if (!external) { 167 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 168 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 169 } 170 sae_write_confirm(&wpa_s->sme.sae, buf); 171 172 return buf; 173 } 174 175 #endif /* CONFIG_SAE */ 176 177 178 /** 179 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 180 * @wpa_s: Pointer to wpa_supplicant data 181 * @bss: Pointer to the bss which is the target of authentication attempt 182 */ 183 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 184 struct wpa_bss *bss) 185 { 186 const u8 rrm_ie_len = 5; 187 u8 *pos; 188 const u8 *rrm_ie; 189 190 wpa_s->rrm.rrm_used = 0; 191 192 wpa_printf(MSG_DEBUG, 193 "RRM: Determining whether RRM can be used - device support: 0x%x", 194 wpa_s->drv_rrm_flags); 195 196 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 197 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 198 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 199 return; 200 } 201 202 if (!((wpa_s->drv_rrm_flags & 203 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 204 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 205 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 206 wpa_printf(MSG_DEBUG, 207 "RRM: Insufficient RRM support in driver - do not use RRM"); 208 return; 209 } 210 211 if (sizeof(wpa_s->sme.assoc_req_ie) < 212 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 213 wpa_printf(MSG_INFO, 214 "RRM: Unable to use RRM, no room for RRM IE"); 215 return; 216 } 217 218 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 219 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 220 os_memset(pos, 0, 2 + rrm_ie_len); 221 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 222 *pos++ = rrm_ie_len; 223 224 /* Set supported capabilites flags */ 225 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 226 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 227 228 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 229 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 230 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 231 232 if (wpa_s->lci) 233 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 234 235 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 236 wpa_s->rrm.rrm_used = 1; 237 } 238 239 240 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 241 struct wpa_bss *bss, struct wpa_ssid *ssid, 242 int start) 243 { 244 struct wpa_driver_auth_params params; 245 struct wpa_ssid *old_ssid; 246 #ifdef CONFIG_IEEE80211R 247 const u8 *ie; 248 #endif /* CONFIG_IEEE80211R */ 249 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 250 const u8 *md = NULL; 251 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 252 int i, bssid_changed; 253 struct wpabuf *resp = NULL; 254 u8 ext_capab[18]; 255 int ext_capab_len; 256 int skip_auth; 257 u8 *wpa_ie; 258 size_t wpa_ie_len; 259 #ifdef CONFIG_MBO 260 const u8 *mbo_ie; 261 #endif /* CONFIG_MBO */ 262 263 if (bss == NULL) { 264 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 265 "the network"); 266 wpas_connect_work_done(wpa_s); 267 return; 268 } 269 270 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 271 wpa_s->reassoc_same_bss; 272 wpa_s->current_bss = bss; 273 274 os_memset(¶ms, 0, sizeof(params)); 275 wpa_s->reassociate = 0; 276 277 params.freq = bss->freq; 278 params.bssid = bss->bssid; 279 params.ssid = bss->ssid; 280 params.ssid_len = bss->ssid_len; 281 params.p2p = ssid->p2p_group; 282 283 if (wpa_s->sme.ssid_len != params.ssid_len || 284 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 285 wpa_s->sme.prev_bssid_set = 0; 286 287 wpa_s->sme.freq = params.freq; 288 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 289 wpa_s->sme.ssid_len = params.ssid_len; 290 291 params.auth_alg = WPA_AUTH_ALG_OPEN; 292 #ifdef IEEE8021X_EAPOL 293 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 294 if (ssid->leap) { 295 if (ssid->non_leap == 0) 296 params.auth_alg = WPA_AUTH_ALG_LEAP; 297 else 298 params.auth_alg |= WPA_AUTH_ALG_LEAP; 299 } 300 } 301 #endif /* IEEE8021X_EAPOL */ 302 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 303 params.auth_alg); 304 if (ssid->auth_alg) { 305 params.auth_alg = ssid->auth_alg; 306 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 307 "0x%x", params.auth_alg); 308 } 309 #ifdef CONFIG_SAE 310 wpa_s->sme.sae_pmksa_caching = 0; 311 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 312 const u8 *rsn; 313 struct wpa_ie_data ied; 314 315 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 316 if (!rsn) { 317 wpa_dbg(wpa_s, MSG_DEBUG, 318 "SAE enabled, but target BSS does not advertise RSN"); 319 #ifdef CONFIG_DPP 320 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 321 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) && 322 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) { 323 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled"); 324 #endif /* CONFIG_DPP */ 325 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 326 wpa_key_mgmt_sae(ied.key_mgmt)) { 327 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 328 params.auth_alg = WPA_AUTH_ALG_SAE; 329 } else { 330 wpa_dbg(wpa_s, MSG_DEBUG, 331 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 332 } 333 } 334 #endif /* CONFIG_SAE */ 335 336 for (i = 0; i < NUM_WEP_KEYS; i++) { 337 if (ssid->wep_key_len[i]) 338 params.wep_key[i] = ssid->wep_key[i]; 339 params.wep_key_len[i] = ssid->wep_key_len[i]; 340 } 341 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 342 343 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 344 os_memset(wpa_s->bssid, 0, ETH_ALEN); 345 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 346 if (bssid_changed) 347 wpas_notify_bssid_changed(wpa_s); 348 349 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 350 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 351 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 352 int try_opportunistic; 353 const u8 *cache_id = NULL; 354 355 try_opportunistic = (ssid->proactive_key_caching < 0 ? 356 wpa_s->conf->okc : 357 ssid->proactive_key_caching) && 358 (ssid->proto & WPA_PROTO_RSN); 359 #ifdef CONFIG_FILS 360 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 361 cache_id = wpa_bss_get_fils_cache_id(bss); 362 #endif /* CONFIG_FILS */ 363 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 364 wpa_s->current_ssid, 365 try_opportunistic, cache_id, 366 0) == 0) 367 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 368 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 369 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 370 wpa_s->sme.assoc_req_ie, 371 &wpa_s->sme.assoc_req_ie_len)) { 372 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 373 "key management and encryption suites"); 374 wpas_connect_work_done(wpa_s); 375 return; 376 } 377 #ifdef CONFIG_HS20 378 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) && 379 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) { 380 /* No PMKSA caching, but otherwise similar to RSN/WPA */ 381 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 382 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 383 wpa_s->sme.assoc_req_ie, 384 &wpa_s->sme.assoc_req_ie_len)) { 385 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 386 "key management and encryption suites"); 387 wpas_connect_work_done(wpa_s); 388 return; 389 } 390 #endif /* CONFIG_HS20 */ 391 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 392 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 393 /* 394 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 395 * use non-WPA since the scan results did not indicate that the 396 * AP is using WPA or WPA2. 397 */ 398 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 399 wpa_s->sme.assoc_req_ie_len = 0; 400 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 401 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 402 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 403 wpa_s->sme.assoc_req_ie, 404 &wpa_s->sme.assoc_req_ie_len)) { 405 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 406 "key management and encryption suites (no " 407 "scan results)"); 408 wpas_connect_work_done(wpa_s); 409 return; 410 } 411 #ifdef CONFIG_WPS 412 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 413 struct wpabuf *wps_ie; 414 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 415 if (wps_ie && wpabuf_len(wps_ie) <= 416 sizeof(wpa_s->sme.assoc_req_ie)) { 417 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 418 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 419 wpa_s->sme.assoc_req_ie_len); 420 } else 421 wpa_s->sme.assoc_req_ie_len = 0; 422 wpabuf_free(wps_ie); 423 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 424 #endif /* CONFIG_WPS */ 425 } else { 426 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 427 wpa_s->sme.assoc_req_ie_len = 0; 428 } 429 430 /* In case the WPA vendor IE is used, it should be placed after all the 431 * non-vendor IEs, as the lower layer expects the IEs to be ordered as 432 * defined in the standard. Store the WPA IE so it can later be 433 * inserted at the correct location. 434 */ 435 wpa_ie = NULL; 436 wpa_ie_len = 0; 437 if (wpa_s->wpa_proto == WPA_PROTO_WPA) { 438 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie, 439 wpa_s->sme.assoc_req_ie_len); 440 if (wpa_ie) { 441 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE"); 442 443 wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 444 wpa_s->sme.assoc_req_ie_len = 0; 445 } else { 446 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE"); 447 wpas_connect_work_done(wpa_s); 448 return; 449 } 450 } 451 452 #ifdef CONFIG_IEEE80211R 453 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 454 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 455 md = ie + 2; 456 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 457 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) || 458 !wpa_key_mgmt_ft(wpa_s->key_mgmt))) 459 md = NULL; 460 if (md) { 461 /* Prepare for the next transition */ 462 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 463 } 464 465 if (md) { 466 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 467 md[0], md[1]); 468 469 if (wpa_s->sme.assoc_req_ie_len + 5 < 470 sizeof(wpa_s->sme.assoc_req_ie)) { 471 struct rsn_mdie *mdie; 472 u8 *pos = wpa_s->sme.assoc_req_ie + 473 wpa_s->sme.assoc_req_ie_len; 474 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 475 *pos++ = sizeof(*mdie); 476 mdie = (struct rsn_mdie *) pos; 477 os_memcpy(mdie->mobility_domain, md, 478 MOBILITY_DOMAIN_ID_LEN); 479 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 480 wpa_s->sme.assoc_req_ie_len += 5; 481 } 482 483 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used && 484 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 485 wpa_sm_has_ptk(wpa_s->wpa)) { 486 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 487 "over-the-air"); 488 params.auth_alg = WPA_AUTH_ALG_FT; 489 params.ie = wpa_s->sme.ft_ies; 490 params.ie_len = wpa_s->sme.ft_ies_len; 491 } 492 } 493 #endif /* CONFIG_IEEE80211R */ 494 495 #ifdef CONFIG_IEEE80211W 496 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 497 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 498 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 499 struct wpa_ie_data _ie; 500 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 501 _ie.capabilities & 502 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 503 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 504 "MFP: require MFP"); 505 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 506 } 507 } 508 #endif /* CONFIG_IEEE80211W */ 509 510 #ifdef CONFIG_P2P 511 if (wpa_s->global->p2p) { 512 u8 *pos; 513 size_t len; 514 int res; 515 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 516 len = sizeof(wpa_s->sme.assoc_req_ie) - 517 wpa_s->sme.assoc_req_ie_len; 518 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 519 ssid->p2p_group); 520 if (res >= 0) 521 wpa_s->sme.assoc_req_ie_len += res; 522 } 523 #endif /* CONFIG_P2P */ 524 525 #ifdef CONFIG_FST 526 if (wpa_s->fst_ies) { 527 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 528 529 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 530 sizeof(wpa_s->sme.assoc_req_ie)) { 531 os_memcpy(wpa_s->sme.assoc_req_ie + 532 wpa_s->sme.assoc_req_ie_len, 533 wpabuf_head(wpa_s->fst_ies), 534 fst_ies_len); 535 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 536 } 537 } 538 #endif /* CONFIG_FST */ 539 540 sme_auth_handle_rrm(wpa_s, bss); 541 542 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 543 wpa_s, ssid, bss->freq, 544 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 545 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 546 547 if (params.p2p) 548 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 549 else 550 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 551 552 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 553 sizeof(ext_capab)); 554 if (ext_capab_len > 0) { 555 u8 *pos = wpa_s->sme.assoc_req_ie; 556 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 557 pos += 2 + pos[1]; 558 os_memmove(pos + ext_capab_len, pos, 559 wpa_s->sme.assoc_req_ie_len - 560 (pos - wpa_s->sme.assoc_req_ie)); 561 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 562 os_memcpy(pos, ext_capab, ext_capab_len); 563 } 564 565 #ifdef CONFIG_HS20 566 if (is_hs20_network(wpa_s, ssid, bss)) { 567 struct wpabuf *hs20; 568 569 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN); 570 if (hs20) { 571 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 572 size_t len; 573 574 wpas_hs20_add_indication(hs20, pps_mo_id, 575 get_hs20_version(bss)); 576 wpas_hs20_add_roam_cons_sel(hs20, ssid); 577 len = sizeof(wpa_s->sme.assoc_req_ie) - 578 wpa_s->sme.assoc_req_ie_len; 579 if (wpabuf_len(hs20) <= len) { 580 os_memcpy(wpa_s->sme.assoc_req_ie + 581 wpa_s->sme.assoc_req_ie_len, 582 wpabuf_head(hs20), wpabuf_len(hs20)); 583 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 584 } 585 wpabuf_free(hs20); 586 } 587 } 588 #endif /* CONFIG_HS20 */ 589 590 if (wpa_ie) { 591 size_t len; 592 593 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE"); 594 595 len = sizeof(wpa_s->sme.assoc_req_ie) - 596 wpa_s->sme.assoc_req_ie_len; 597 598 if (len > wpa_ie_len) { 599 os_memcpy(wpa_s->sme.assoc_req_ie + 600 wpa_s->sme.assoc_req_ie_len, 601 wpa_ie, wpa_ie_len); 602 wpa_s->sme.assoc_req_ie_len += wpa_ie_len; 603 } else { 604 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE"); 605 } 606 607 os_free(wpa_ie); 608 } 609 610 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 611 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 612 size_t len; 613 614 len = sizeof(wpa_s->sme.assoc_req_ie) - 615 wpa_s->sme.assoc_req_ie_len; 616 if (wpabuf_len(buf) <= len) { 617 os_memcpy(wpa_s->sme.assoc_req_ie + 618 wpa_s->sme.assoc_req_ie_len, 619 wpabuf_head(buf), wpabuf_len(buf)); 620 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 621 } 622 } 623 624 #ifdef CONFIG_MBO 625 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE); 626 if (mbo_ie) { 627 int len; 628 629 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 630 wpa_s->sme.assoc_req_ie_len, 631 sizeof(wpa_s->sme.assoc_req_ie) - 632 wpa_s->sme.assoc_req_ie_len, 633 !!mbo_attr_from_mbo_ie(mbo_ie, 634 OCE_ATTR_ID_CAPA_IND)); 635 if (len >= 0) 636 wpa_s->sme.assoc_req_ie_len += len; 637 } 638 #endif /* CONFIG_MBO */ 639 640 #ifdef CONFIG_SAE 641 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 642 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 643 NULL, 644 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? 645 WPA_KEY_MGMT_FT_SAE : 646 WPA_KEY_MGMT_SAE) == 0) { 647 wpa_dbg(wpa_s, MSG_DEBUG, 648 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 649 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); 650 params.auth_alg = WPA_AUTH_ALG_OPEN; 651 wpa_s->sme.sae_pmksa_caching = 1; 652 } 653 654 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 655 if (start) 656 resp = sme_auth_build_sae_commit(wpa_s, ssid, 657 bss->bssid, 0, 658 start == 2); 659 else 660 resp = sme_auth_build_sae_confirm(wpa_s, 0); 661 if (resp == NULL) { 662 wpas_connection_failed(wpa_s, bss->bssid); 663 return; 664 } 665 params.auth_data = wpabuf_head(resp); 666 params.auth_data_len = wpabuf_len(resp); 667 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 668 } 669 #endif /* CONFIG_SAE */ 670 671 old_ssid = wpa_s->current_ssid; 672 wpa_s->current_ssid = ssid; 673 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 674 wpa_supplicant_initiate_eapol(wpa_s); 675 676 #ifdef CONFIG_FILS 677 /* TODO: FILS operations can in some cases be done between different 678 * network_ctx (i.e., same credentials can be used with multiple 679 * networks). */ 680 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 681 wpa_key_mgmt_fils(ssid->key_mgmt)) { 682 const u8 *indic; 683 u16 fils_info; 684 const u8 *realm, *username, *rrk; 685 size_t realm_len, username_len, rrk_len; 686 u16 next_seq_num; 687 688 /* 689 * Check FILS Indication element (FILS Information field) bits 690 * indicating supported authentication algorithms against local 691 * configuration (ssid->fils_dh_group). Try to use FILS 692 * authentication only if the AP supports the combination in the 693 * network profile. */ 694 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 695 if (!indic || indic[1] < 2) { 696 wpa_printf(MSG_DEBUG, "SME: " MACSTR 697 " does not include FILS Indication element - cannot use FILS authentication with it", 698 MAC2STR(bss->bssid)); 699 goto no_fils; 700 } 701 702 fils_info = WPA_GET_LE16(indic + 2); 703 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 704 wpa_printf(MSG_DEBUG, "SME: " MACSTR 705 " does not support FILS SK without PFS - cannot use FILS authentication with it", 706 MAC2STR(bss->bssid)); 707 goto no_fils; 708 } 709 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 710 wpa_printf(MSG_DEBUG, "SME: " MACSTR 711 " does not support FILS SK with PFS - cannot use FILS authentication with it", 712 MAC2STR(bss->bssid)); 713 goto no_fils; 714 } 715 716 if (wpa_s->last_con_fail_realm && 717 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap, 718 &username, &username_len, 719 &realm, &realm_len, &next_seq_num, 720 &rrk, &rrk_len) == 0 && 721 realm && realm_len == wpa_s->last_con_fail_realm_len && 722 os_memcmp(realm, wpa_s->last_con_fail_realm, 723 realm_len) == 0) { 724 wpa_printf(MSG_DEBUG, 725 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy"); 726 goto no_fils; 727 } 728 729 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 730 ssid, 0, 731 wpa_bss_get_fils_cache_id(bss), 732 0) == 0) 733 wpa_printf(MSG_DEBUG, 734 "SME: Try to use FILS with PMKSA caching"); 735 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 736 if (resp) { 737 int auth_alg; 738 739 if (ssid->fils_dh_group) 740 wpa_printf(MSG_DEBUG, 741 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 742 ssid->fils_dh_group); 743 else 744 wpa_printf(MSG_DEBUG, 745 "SME: Try to use FILS SK authentication without PFS"); 746 auth_alg = ssid->fils_dh_group ? 747 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 748 params.auth_alg = auth_alg; 749 params.auth_data = wpabuf_head(resp); 750 params.auth_data_len = wpabuf_len(resp); 751 wpa_s->sme.auth_alg = auth_alg; 752 } 753 } 754 no_fils: 755 #endif /* CONFIG_FILS */ 756 757 wpa_supplicant_cancel_sched_scan(wpa_s); 758 wpa_supplicant_cancel_scan(wpa_s); 759 760 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 761 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 762 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 763 764 eapol_sm_notify_portValid(wpa_s->eapol, FALSE); 765 wpa_clear_keys(wpa_s, bss->bssid); 766 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 767 if (old_ssid != wpa_s->current_ssid) 768 wpas_notify_network_changed(wpa_s); 769 770 #ifdef CONFIG_HS20 771 hs20_configure_frame_filters(wpa_s); 772 #endif /* CONFIG_HS20 */ 773 774 #ifdef CONFIG_P2P 775 /* 776 * If multi-channel concurrency is not supported, check for any 777 * frequency conflict. In case of any frequency conflict, remove the 778 * least prioritized connection. 779 */ 780 if (wpa_s->num_multichan_concurrent < 2) { 781 int freq, num; 782 num = get_shared_radio_freqs(wpa_s, &freq, 1); 783 if (num > 0 && freq > 0 && freq != params.freq) { 784 wpa_printf(MSG_DEBUG, 785 "Conflicting frequency found (%d != %d)", 786 freq, params.freq); 787 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 788 params.freq, 789 ssid) < 0) { 790 wpas_connection_failed(wpa_s, bss->bssid); 791 wpa_supplicant_mark_disassoc(wpa_s); 792 wpabuf_free(resp); 793 wpas_connect_work_done(wpa_s); 794 return; 795 } 796 } 797 } 798 #endif /* CONFIG_P2P */ 799 800 if (skip_auth) { 801 wpa_msg(wpa_s, MSG_DEBUG, 802 "SME: Skip authentication step on reassoc-to-same-BSS"); 803 wpabuf_free(resp); 804 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 805 return; 806 } 807 808 809 wpa_s->sme.auth_alg = params.auth_alg; 810 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 811 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 812 "driver failed"); 813 wpas_connection_failed(wpa_s, bss->bssid); 814 wpa_supplicant_mark_disassoc(wpa_s); 815 wpabuf_free(resp); 816 wpas_connect_work_done(wpa_s); 817 return; 818 } 819 820 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 821 NULL); 822 823 /* 824 * Association will be started based on the authentication event from 825 * the driver. 826 */ 827 828 wpabuf_free(resp); 829 } 830 831 832 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 833 { 834 struct wpa_connect_work *cwork = work->ctx; 835 struct wpa_supplicant *wpa_s = work->wpa_s; 836 837 if (deinit) { 838 if (work->started) 839 wpa_s->connect_work = NULL; 840 841 wpas_connect_work_free(cwork); 842 return; 843 } 844 845 wpa_s->connect_work = work; 846 847 if (cwork->bss_removed || 848 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 849 wpas_network_disabled(wpa_s, cwork->ssid)) { 850 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 851 wpas_connect_work_done(wpa_s); 852 return; 853 } 854 855 /* Starting new connection, so clear the possibly used WPA IE from the 856 * previous association. */ 857 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 858 859 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 860 } 861 862 863 void sme_authenticate(struct wpa_supplicant *wpa_s, 864 struct wpa_bss *bss, struct wpa_ssid *ssid) 865 { 866 struct wpa_connect_work *cwork; 867 868 if (bss == NULL || ssid == NULL) 869 return; 870 if (wpa_s->connect_work) { 871 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 872 return; 873 } 874 875 if (radio_work_pending(wpa_s, "sme-connect")) { 876 /* 877 * The previous sme-connect work might no longer be valid due to 878 * the fact that the BSS list was updated. In addition, it makes 879 * sense to adhere to the 'newer' decision. 880 */ 881 wpa_dbg(wpa_s, MSG_DEBUG, 882 "SME: Remove previous pending sme-connect"); 883 radio_remove_works(wpa_s, "sme-connect", 0); 884 } 885 886 wpas_abort_ongoing_scan(wpa_s); 887 888 cwork = os_zalloc(sizeof(*cwork)); 889 if (cwork == NULL) 890 return; 891 cwork->bss = bss; 892 cwork->ssid = ssid; 893 cwork->sme = 1; 894 895 #ifdef CONFIG_SAE 896 wpa_s->sme.sae.state = SAE_NOTHING; 897 wpa_s->sme.sae.send_confirm = 0; 898 wpa_s->sme.sae_group_index = 0; 899 #endif /* CONFIG_SAE */ 900 901 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 902 sme_auth_start_cb, cwork) < 0) 903 wpas_connect_work_free(cwork); 904 } 905 906 907 #ifdef CONFIG_SAE 908 909 static int sme_external_auth_build_buf(struct wpabuf *buf, 910 struct wpabuf *params, 911 const u8 *sa, const u8 *da, 912 u16 auth_transaction, u16 seq_num) 913 { 914 struct ieee80211_mgmt *resp; 915 916 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 917 u.auth.variable)); 918 919 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 920 (WLAN_FC_STYPE_AUTH << 4)); 921 os_memcpy(resp->da, da, ETH_ALEN); 922 os_memcpy(resp->sa, sa, ETH_ALEN); 923 os_memcpy(resp->bssid, da, ETH_ALEN); 924 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE); 925 resp->seq_ctrl = host_to_le16(seq_num << 4); 926 resp->u.auth.auth_transaction = host_to_le16(auth_transaction); 927 resp->u.auth.status_code = host_to_le16(WLAN_STATUS_SUCCESS); 928 if (params) 929 wpabuf_put_buf(buf, params); 930 931 return 0; 932 } 933 934 935 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s, 936 const u8 *bssid, 937 struct wpa_ssid *ssid) 938 { 939 struct wpabuf *resp, *buf; 940 941 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0); 942 if (!resp) { 943 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit"); 944 return -1; 945 } 946 947 wpa_s->sme.sae.state = SAE_COMMITTED; 948 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp)); 949 if (!buf) { 950 wpabuf_free(resp); 951 return -1; 952 } 953 954 wpa_s->sme.seq_num++; 955 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 956 bssid, 1, wpa_s->sme.seq_num); 957 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0); 958 wpabuf_free(resp); 959 wpabuf_free(buf); 960 961 return 0; 962 } 963 964 965 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s, 966 u16 status) 967 { 968 struct external_auth params; 969 970 os_memset(¶ms, 0, sizeof(params)); 971 params.status = status; 972 params.ssid = wpa_s->sme.ext_auth_ssid; 973 params.ssid_len = wpa_s->sme.ext_auth_ssid_len; 974 params.bssid = wpa_s->sme.ext_auth_bssid; 975 wpa_drv_send_external_auth_status(wpa_s, ¶ms); 976 } 977 978 979 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, 980 union wpa_event_data *data) 981 { 982 struct wpa_ssid *ssid; 983 size_t ssid_str_len = data->external_auth.ssid_len; 984 const u8 *ssid_str = data->external_auth.ssid; 985 986 /* Get the SSID conf from the ssid string obtained */ 987 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 988 if (!wpas_network_disabled(wpa_s, ssid) && 989 ssid_str_len == ssid->ssid_len && 990 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && 991 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE))) 992 break; 993 } 994 if (!ssid || 995 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid, 996 ssid) < 0) 997 return -1; 998 999 return 0; 1000 } 1001 1002 1003 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s, 1004 const u8 *da) 1005 { 1006 struct wpabuf *resp, *buf; 1007 1008 resp = sme_auth_build_sae_confirm(wpa_s, 1); 1009 if (!resp) { 1010 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure"); 1011 return; 1012 } 1013 1014 wpa_s->sme.sae.state = SAE_CONFIRMED; 1015 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp)); 1016 if (!buf) { 1017 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure"); 1018 wpabuf_free(resp); 1019 return; 1020 } 1021 wpa_s->sme.seq_num++; 1022 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1023 da, 2, wpa_s->sme.seq_num); 1024 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0); 1025 wpabuf_free(resp); 1026 wpabuf_free(buf); 1027 } 1028 1029 1030 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s, 1031 union wpa_event_data *data) 1032 { 1033 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) != 1034 RSN_AUTH_KEY_MGMT_SAE) 1035 return; 1036 1037 if (data->external_auth.action == EXT_AUTH_START) { 1038 if (!data->external_auth.bssid || !data->external_auth.ssid) 1039 return; 1040 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid, 1041 ETH_ALEN); 1042 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid, 1043 data->external_auth.ssid_len); 1044 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len; 1045 wpa_s->sme.seq_num = 0; 1046 wpa_s->sme.sae.state = SAE_NOTHING; 1047 wpa_s->sme.sae.send_confirm = 0; 1048 wpa_s->sme.sae_group_index = 0; 1049 if (sme_handle_external_auth_start(wpa_s, data) < 0) 1050 sme_send_external_auth_status(wpa_s, 1051 WLAN_STATUS_UNSPECIFIED_FAILURE); 1052 } else if (data->external_auth.action == EXT_AUTH_ABORT) { 1053 /* Report failure to driver for the wrong trigger */ 1054 sme_send_external_auth_status(wpa_s, 1055 WLAN_STATUS_UNSPECIFIED_FAILURE); 1056 } 1057 } 1058 1059 1060 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 1061 u16 status_code, const u8 *data, size_t len, 1062 int external, const u8 *sa) 1063 { 1064 int *groups; 1065 1066 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 1067 "status code %u", auth_transaction, status_code); 1068 1069 if (auth_transaction == 1 && 1070 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1071 wpa_s->sme.sae.state == SAE_COMMITTED && 1072 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1073 int default_groups[] = { 19, 20, 21, 0 }; 1074 u16 group; 1075 1076 groups = wpa_s->conf->sae_groups; 1077 if (!groups || groups[0] <= 0) 1078 groups = default_groups; 1079 1080 if (len < sizeof(le16)) { 1081 wpa_dbg(wpa_s, MSG_DEBUG, 1082 "SME: Too short SAE anti-clogging token request"); 1083 return -1; 1084 } 1085 group = WPA_GET_LE16(data); 1086 wpa_dbg(wpa_s, MSG_DEBUG, 1087 "SME: SAE anti-clogging token requested (group %u)", 1088 group); 1089 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 1090 WLAN_STATUS_SUCCESS) { 1091 wpa_dbg(wpa_s, MSG_ERROR, 1092 "SME: SAE group %u of anti-clogging request is invalid", 1093 group); 1094 return -1; 1095 } 1096 wpabuf_free(wpa_s->sme.sae_token); 1097 wpa_s->sme.sae_token = wpabuf_alloc_copy(data + sizeof(le16), 1098 len - sizeof(le16)); 1099 if (!external) 1100 sme_send_authentication(wpa_s, wpa_s->current_bss, 1101 wpa_s->current_ssid, 2); 1102 else 1103 sme_external_auth_send_sae_commit( 1104 wpa_s, wpa_s->sme.ext_auth_bssid, 1105 wpa_s->current_ssid); 1106 return 0; 1107 } 1108 1109 if (auth_transaction == 1 && 1110 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1111 wpa_s->sme.sae.state == SAE_COMMITTED && 1112 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1113 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 1114 wpa_s->sme.sae_group_index++; 1115 if (sme_set_sae_group(wpa_s) < 0) 1116 return -1; /* no other groups enabled */ 1117 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 1118 if (!external) 1119 sme_send_authentication(wpa_s, wpa_s->current_bss, 1120 wpa_s->current_ssid, 1); 1121 else 1122 sme_external_auth_send_sae_commit( 1123 wpa_s, wpa_s->sme.ext_auth_bssid, 1124 wpa_s->current_ssid); 1125 return 0; 1126 } 1127 1128 if (auth_transaction == 1 && 1129 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1130 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1131 1132 wpa_msg(wpa_s, MSG_INFO, 1133 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR, 1134 MAC2STR(bssid)); 1135 return -1; 1136 } 1137 1138 if (status_code != WLAN_STATUS_SUCCESS) 1139 return -1; 1140 1141 if (auth_transaction == 1) { 1142 u16 res; 1143 1144 groups = wpa_s->conf->sae_groups; 1145 1146 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 1147 if ((!external && wpa_s->current_bss == NULL) || 1148 wpa_s->current_ssid == NULL) 1149 return -1; 1150 if (wpa_s->sme.sae.state != SAE_COMMITTED) 1151 return -1; 1152 if (groups && groups[0] <= 0) 1153 groups = NULL; 1154 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 1155 groups); 1156 if (res == SAE_SILENTLY_DISCARD) { 1157 wpa_printf(MSG_DEBUG, 1158 "SAE: Drop commit message due to reflection attack"); 1159 return 0; 1160 } 1161 if (res != WLAN_STATUS_SUCCESS) 1162 return -1; 1163 1164 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 1165 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 1166 "commit"); 1167 return -1; 1168 } 1169 1170 wpabuf_free(wpa_s->sme.sae_token); 1171 wpa_s->sme.sae_token = NULL; 1172 if (!external) 1173 sme_send_authentication(wpa_s, wpa_s->current_bss, 1174 wpa_s->current_ssid, 0); 1175 else 1176 sme_external_auth_send_sae_confirm(wpa_s, sa); 1177 return 0; 1178 } else if (auth_transaction == 2) { 1179 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 1180 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 1181 return -1; 1182 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 1183 return -1; 1184 wpa_s->sme.sae.state = SAE_ACCEPTED; 1185 sae_clear_temp_data(&wpa_s->sme.sae); 1186 1187 if (external) { 1188 /* Report success to driver */ 1189 sme_send_external_auth_status(wpa_s, 1190 WLAN_STATUS_SUCCESS); 1191 } 1192 1193 return 1; 1194 } 1195 1196 return -1; 1197 } 1198 1199 1200 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, 1201 const u8 *auth_frame, size_t len) 1202 { 1203 const struct ieee80211_mgmt *header; 1204 size_t auth_length; 1205 1206 header = (const struct ieee80211_mgmt *) auth_frame; 1207 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth); 1208 1209 if (len < auth_length) { 1210 /* Notify failure to the driver */ 1211 sme_send_external_auth_status(wpa_s, 1212 WLAN_STATUS_UNSPECIFIED_FAILURE); 1213 return; 1214 } 1215 1216 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { 1217 int res; 1218 1219 res = sme_sae_auth( 1220 wpa_s, le_to_host16(header->u.auth.auth_transaction), 1221 le_to_host16(header->u.auth.status_code), 1222 header->u.auth.variable, 1223 len - auth_length, 1, header->sa); 1224 if (res < 0) { 1225 /* Notify failure to the driver */ 1226 sme_send_external_auth_status( 1227 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE); 1228 return; 1229 } 1230 if (res != 1) 1231 return; 1232 1233 wpa_printf(MSG_DEBUG, 1234 "SME: SAE completed - setting PMK for 4-way handshake"); 1235 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1236 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 1237 } 1238 } 1239 1240 #endif /* CONFIG_SAE */ 1241 1242 1243 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 1244 { 1245 struct wpa_ssid *ssid = wpa_s->current_ssid; 1246 1247 if (ssid == NULL) { 1248 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1249 "when network is not selected"); 1250 return; 1251 } 1252 1253 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 1254 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1255 "when not in authenticating state"); 1256 return; 1257 } 1258 1259 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 1260 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 1261 "unexpected peer " MACSTR, 1262 MAC2STR(data->auth.peer)); 1263 return; 1264 } 1265 1266 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 1267 " auth_type=%d auth_transaction=%d status_code=%d", 1268 MAC2STR(data->auth.peer), data->auth.auth_type, 1269 data->auth.auth_transaction, data->auth.status_code); 1270 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 1271 data->auth.ies, data->auth.ies_len); 1272 1273 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1274 1275 #ifdef CONFIG_SAE 1276 if (data->auth.auth_type == WLAN_AUTH_SAE) { 1277 int res; 1278 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 1279 data->auth.status_code, data->auth.ies, 1280 data->auth.ies_len, 0, NULL); 1281 if (res < 0) { 1282 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1283 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1284 1285 } 1286 if (res != 1) 1287 return; 1288 1289 wpa_printf(MSG_DEBUG, "SME: SAE completed - setting PMK for " 1290 "4-way handshake"); 1291 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1292 wpa_s->sme.sae.pmkid, wpa_s->pending_bssid); 1293 } 1294 #endif /* CONFIG_SAE */ 1295 1296 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 1297 char *ie_txt = NULL; 1298 1299 if (data->auth.ies && data->auth.ies_len) { 1300 size_t buflen = 2 * data->auth.ies_len + 1; 1301 ie_txt = os_malloc(buflen); 1302 if (ie_txt) { 1303 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 1304 data->auth.ies_len); 1305 } 1306 } 1307 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1308 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 1309 MAC2STR(data->auth.peer), data->auth.auth_type, 1310 data->auth.auth_transaction, data->auth.status_code, 1311 ie_txt ? " ie=" : "", 1312 ie_txt ? ie_txt : ""); 1313 os_free(ie_txt); 1314 1315 #ifdef CONFIG_FILS 1316 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS || 1317 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS) 1318 fils_connection_failure(wpa_s); 1319 #endif /* CONFIG_FILS */ 1320 1321 if (data->auth.status_code != 1322 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 1323 wpa_s->sme.auth_alg == data->auth.auth_type || 1324 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 1325 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1326 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1327 return; 1328 } 1329 1330 wpas_connect_work_done(wpa_s); 1331 1332 switch (data->auth.auth_type) { 1333 case WLAN_AUTH_OPEN: 1334 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 1335 1336 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 1337 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1338 wpa_s->current_ssid); 1339 return; 1340 1341 case WLAN_AUTH_SHARED_KEY: 1342 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 1343 1344 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 1345 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1346 wpa_s->current_ssid); 1347 return; 1348 1349 default: 1350 return; 1351 } 1352 } 1353 1354 #ifdef CONFIG_IEEE80211R 1355 if (data->auth.auth_type == WLAN_AUTH_FT) { 1356 const u8 *ric_ies = NULL; 1357 size_t ric_ies_len = 0; 1358 1359 if (wpa_s->ric_ies) { 1360 ric_ies = wpabuf_head(wpa_s->ric_ies); 1361 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1362 } 1363 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1364 data->auth.ies_len, 0, 1365 data->auth.peer, 1366 ric_ies, ric_ies_len) < 0) { 1367 wpa_dbg(wpa_s, MSG_DEBUG, 1368 "SME: FT Authentication response processing failed"); 1369 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1370 MACSTR 1371 " reason=%d locally_generated=1", 1372 MAC2STR(wpa_s->pending_bssid), 1373 WLAN_REASON_DEAUTH_LEAVING); 1374 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1375 wpa_supplicant_mark_disassoc(wpa_s); 1376 return; 1377 } 1378 } 1379 #endif /* CONFIG_IEEE80211R */ 1380 1381 #ifdef CONFIG_FILS 1382 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1383 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1384 u16 expect_auth_type; 1385 1386 expect_auth_type = wpa_s->sme.auth_alg == 1387 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1388 WLAN_AUTH_FILS_SK; 1389 if (data->auth.auth_type != expect_auth_type) { 1390 wpa_dbg(wpa_s, MSG_DEBUG, 1391 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1392 data->auth.auth_type, expect_auth_type); 1393 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1394 MACSTR 1395 " reason=%d locally_generated=1", 1396 MAC2STR(wpa_s->pending_bssid), 1397 WLAN_REASON_DEAUTH_LEAVING); 1398 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1399 wpa_supplicant_mark_disassoc(wpa_s); 1400 return; 1401 } 1402 1403 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1404 data->auth.ies, data->auth.ies_len) < 0) { 1405 wpa_dbg(wpa_s, MSG_DEBUG, 1406 "SME: FILS Authentication response processing failed"); 1407 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1408 MACSTR 1409 " reason=%d locally_generated=1", 1410 MAC2STR(wpa_s->pending_bssid), 1411 WLAN_REASON_DEAUTH_LEAVING); 1412 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1413 wpa_supplicant_mark_disassoc(wpa_s); 1414 return; 1415 } 1416 } 1417 #endif /* CONFIG_FILS */ 1418 1419 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1420 data->auth.auth_type); 1421 } 1422 1423 1424 #ifdef CONFIG_IEEE80211R 1425 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1426 { 1427 u8 *pos, *next, *end; 1428 1429 pos = (u8 *) get_ie(buf, *len, eid); 1430 if (pos) { 1431 next = pos + 2 + pos[1]; 1432 end = buf + *len; 1433 *len -= 2 + pos[1]; 1434 os_memmove(pos, next, end - next); 1435 } 1436 } 1437 #endif /* CONFIG_IEEE80211R */ 1438 1439 1440 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1441 const u8 *bssid, u16 auth_type) 1442 { 1443 struct wpa_driver_associate_params params; 1444 struct ieee802_11_elems elems; 1445 #ifdef CONFIG_FILS 1446 u8 nonces[2 * FILS_NONCE_LEN]; 1447 #endif /* CONFIG_FILS */ 1448 #ifdef CONFIG_HT_OVERRIDES 1449 struct ieee80211_ht_capabilities htcaps; 1450 struct ieee80211_ht_capabilities htcaps_mask; 1451 #endif /* CONFIG_HT_OVERRIDES */ 1452 #ifdef CONFIG_VHT_OVERRIDES 1453 struct ieee80211_vht_capabilities vhtcaps; 1454 struct ieee80211_vht_capabilities vhtcaps_mask; 1455 #endif /* CONFIG_VHT_OVERRIDES */ 1456 1457 os_memset(¶ms, 0, sizeof(params)); 1458 1459 #ifdef CONFIG_FILS 1460 if (auth_type == WLAN_AUTH_FILS_SK || 1461 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1462 struct wpabuf *buf; 1463 const u8 *snonce, *anonce; 1464 const unsigned int max_hlp = 20; 1465 struct wpabuf *hlp[max_hlp]; 1466 unsigned int i, num_hlp = 0; 1467 struct fils_hlp_req *req; 1468 1469 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1470 list) { 1471 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1472 wpabuf_len(req->pkt)); 1473 if (!hlp[num_hlp]) 1474 break; 1475 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1476 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1477 ETH_ALEN); 1478 wpabuf_put_data(hlp[num_hlp], 1479 "\xaa\xaa\x03\x00\x00\x00", 6); 1480 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1481 num_hlp++; 1482 if (num_hlp >= max_hlp) 1483 break; 1484 } 1485 1486 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1487 ¶ms.fils_kek_len, &snonce, 1488 &anonce, 1489 (const struct wpabuf **) hlp, 1490 num_hlp); 1491 for (i = 0; i < num_hlp; i++) 1492 wpabuf_free(hlp[i]); 1493 if (!buf) 1494 return; 1495 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1496 wpa_s->sme.assoc_req_ie, 1497 wpa_s->sme.assoc_req_ie_len); 1498 #ifdef CONFIG_IEEE80211R 1499 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1500 /* Remove RSNE and MDE to allow them to be overridden 1501 * with FILS+FT specific values from 1502 * fils_build_assoc_req(). */ 1503 remove_ie(wpa_s->sme.assoc_req_ie, 1504 &wpa_s->sme.assoc_req_ie_len, 1505 WLAN_EID_RSN); 1506 wpa_hexdump(MSG_DEBUG, 1507 "FILS: assoc_req after RSNE removal", 1508 wpa_s->sme.assoc_req_ie, 1509 wpa_s->sme.assoc_req_ie_len); 1510 remove_ie(wpa_s->sme.assoc_req_ie, 1511 &wpa_s->sme.assoc_req_ie_len, 1512 WLAN_EID_MOBILITY_DOMAIN); 1513 wpa_hexdump(MSG_DEBUG, 1514 "FILS: assoc_req after MDE removal", 1515 wpa_s->sme.assoc_req_ie, 1516 wpa_s->sme.assoc_req_ie_len); 1517 } 1518 #endif /* CONFIG_IEEE80211R */ 1519 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1520 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1521 sizeof(wpa_s->sme.assoc_req_ie)) { 1522 wpa_printf(MSG_ERROR, 1523 "FILS: Not enough buffer room for own AssocReq elements"); 1524 wpabuf_free(buf); 1525 return; 1526 } 1527 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1528 wpabuf_head(buf), wpabuf_len(buf)); 1529 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1530 wpabuf_free(buf); 1531 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1532 wpa_s->sme.assoc_req_ie, 1533 wpa_s->sme.assoc_req_ie_len); 1534 1535 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1536 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1537 params.fils_nonces = nonces; 1538 params.fils_nonces_len = sizeof(nonces); 1539 } 1540 #endif /* CONFIG_FILS */ 1541 1542 #ifdef CONFIG_OWE 1543 #ifdef CONFIG_TESTING_OPTIONS 1544 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1545 WLAN_EID_EXT_OWE_DH_PARAM)) { 1546 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1547 } else 1548 #endif /* CONFIG_TESTING_OPTIONS */ 1549 if (auth_type == WLAN_AUTH_OPEN && 1550 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1551 struct wpabuf *owe_ie; 1552 u16 group; 1553 1554 if (wpa_s->current_ssid && wpa_s->current_ssid->owe_group) { 1555 group = wpa_s->current_ssid->owe_group; 1556 } else if (wpa_s->assoc_status_code == 1557 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) { 1558 if (wpa_s->last_owe_group == 19) 1559 group = 20; 1560 else if (wpa_s->last_owe_group == 20) 1561 group = 21; 1562 else 1563 group = OWE_DH_GROUP; 1564 } else { 1565 group = OWE_DH_GROUP; 1566 } 1567 1568 wpa_s->last_owe_group = group; 1569 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group); 1570 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1571 if (!owe_ie) { 1572 wpa_printf(MSG_ERROR, 1573 "OWE: Failed to build IE for Association Request frame"); 1574 return; 1575 } 1576 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1577 sizeof(wpa_s->sme.assoc_req_ie)) { 1578 wpa_printf(MSG_ERROR, 1579 "OWE: Not enough buffer room for own Association Request frame elements"); 1580 wpabuf_free(owe_ie); 1581 return; 1582 } 1583 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1584 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1585 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1586 wpabuf_free(owe_ie); 1587 } 1588 #endif /* CONFIG_OWE */ 1589 1590 #ifdef CONFIG_DPP2 1591 if (wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && wpa_s->current_ssid && 1592 wpa_s->current_ssid->dpp_netaccesskey) { 1593 struct wpa_ssid *ssid = wpa_s->current_ssid; 1594 1595 dpp_pfs_free(wpa_s->dpp_pfs); 1596 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey, 1597 ssid->dpp_netaccesskey_len); 1598 if (!wpa_s->dpp_pfs) { 1599 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS"); 1600 /* Try to continue without PFS */ 1601 goto pfs_fail; 1602 } 1603 if (wpa_s->sme.assoc_req_ie_len + 1604 wpabuf_len(wpa_s->dpp_pfs->ie) > 1605 sizeof(wpa_s->sme.assoc_req_ie)) { 1606 wpa_printf(MSG_ERROR, 1607 "DPP: Not enough buffer room for own Association Request frame elements"); 1608 dpp_pfs_free(wpa_s->dpp_pfs); 1609 wpa_s->dpp_pfs = NULL; 1610 goto pfs_fail; 1611 } 1612 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1613 wpabuf_head(wpa_s->dpp_pfs->ie), 1614 wpabuf_len(wpa_s->dpp_pfs->ie)); 1615 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie); 1616 } 1617 pfs_fail: 1618 #endif /* CONFIG_DPP2 */ 1619 1620 if (wpa_s->current_ssid && wpa_s->current_ssid->multi_ap_backhaul_sta) { 1621 size_t multi_ap_ie_len; 1622 1623 multi_ap_ie_len = add_multi_ap_ie( 1624 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1625 sizeof(wpa_s->sme.assoc_req_ie) - 1626 wpa_s->sme.assoc_req_ie_len, 1627 MULTI_AP_BACKHAUL_STA); 1628 if (multi_ap_ie_len == 0) { 1629 wpa_printf(MSG_ERROR, 1630 "Multi-AP: Failed to build Multi-AP IE"); 1631 return; 1632 } 1633 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len; 1634 } 1635 1636 params.bssid = bssid; 1637 params.ssid = wpa_s->sme.ssid; 1638 params.ssid_len = wpa_s->sme.ssid_len; 1639 params.freq.freq = wpa_s->sme.freq; 1640 params.bg_scan_period = wpa_s->current_ssid ? 1641 wpa_s->current_ssid->bg_scan_period : -1; 1642 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1643 wpa_s->sme.assoc_req_ie : NULL; 1644 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1645 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs", 1646 params.wpa_ie, params.wpa_ie_len); 1647 params.pairwise_suite = wpa_s->pairwise_cipher; 1648 params.group_suite = wpa_s->group_cipher; 1649 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1650 params.key_mgmt_suite = wpa_s->key_mgmt; 1651 params.wpa_proto = wpa_s->wpa_proto; 1652 #ifdef CONFIG_HT_OVERRIDES 1653 os_memset(&htcaps, 0, sizeof(htcaps)); 1654 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1655 params.htcaps = (u8 *) &htcaps; 1656 params.htcaps_mask = (u8 *) &htcaps_mask; 1657 wpa_supplicant_apply_ht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1658 #endif /* CONFIG_HT_OVERRIDES */ 1659 #ifdef CONFIG_VHT_OVERRIDES 1660 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1661 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1662 params.vhtcaps = &vhtcaps; 1663 params.vhtcaps_mask = &vhtcaps_mask; 1664 wpa_supplicant_apply_vht_overrides(wpa_s, wpa_s->current_ssid, ¶ms); 1665 #endif /* CONFIG_VHT_OVERRIDES */ 1666 #ifdef CONFIG_IEEE80211R 1667 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies && 1668 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len, 1669 WLAN_EID_RIC_DATA)) { 1670 /* There seems to be a pretty inconvenient bug in the Linux 1671 * kernel IE splitting functionality when RIC is used. For now, 1672 * skip correct behavior in IE construction here (i.e., drop the 1673 * additional non-FT-specific IEs) to avoid kernel issues. This 1674 * is fine since RIC is used only for testing purposes in the 1675 * current implementation. */ 1676 wpa_printf(MSG_INFO, 1677 "SME: Linux kernel workaround - do not try to include additional IEs with RIC"); 1678 params.wpa_ie = wpa_s->sme.ft_ies; 1679 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 1680 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 1681 const u8 *rm_en, *pos, *end; 1682 size_t rm_en_len = 0; 1683 u8 *rm_en_dup = NULL, *wpos; 1684 1685 /* Remove RSNE, MDE, FTE to allow them to be overridden with 1686 * FT specific values */ 1687 remove_ie(wpa_s->sme.assoc_req_ie, 1688 &wpa_s->sme.assoc_req_ie_len, 1689 WLAN_EID_RSN); 1690 remove_ie(wpa_s->sme.assoc_req_ie, 1691 &wpa_s->sme.assoc_req_ie_len, 1692 WLAN_EID_MOBILITY_DOMAIN); 1693 remove_ie(wpa_s->sme.assoc_req_ie, 1694 &wpa_s->sme.assoc_req_ie_len, 1695 WLAN_EID_FAST_BSS_TRANSITION); 1696 rm_en = get_ie(wpa_s->sme.assoc_req_ie, 1697 wpa_s->sme.assoc_req_ie_len, 1698 WLAN_EID_RRM_ENABLED_CAPABILITIES); 1699 if (rm_en) { 1700 /* Need to remove RM Enabled Capabilities element as 1701 * well temporarily, so that it can be placed between 1702 * RSNE and MDE. */ 1703 rm_en_len = 2 + rm_en[1]; 1704 rm_en_dup = os_memdup(rm_en, rm_en_len); 1705 remove_ie(wpa_s->sme.assoc_req_ie, 1706 &wpa_s->sme.assoc_req_ie_len, 1707 WLAN_EID_RRM_ENABLED_CAPABILITIES); 1708 } 1709 wpa_hexdump(MSG_DEBUG, 1710 "SME: Association Request IEs after FT IE removal", 1711 wpa_s->sme.assoc_req_ie, 1712 wpa_s->sme.assoc_req_ie_len); 1713 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len + 1714 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) { 1715 wpa_printf(MSG_ERROR, 1716 "SME: Not enough buffer room for FT IEs in Association Request frame"); 1717 os_free(rm_en_dup); 1718 return; 1719 } 1720 1721 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len + 1722 rm_en_len, 1723 wpa_s->sme.assoc_req_ie, 1724 wpa_s->sme.assoc_req_ie_len); 1725 pos = wpa_s->sme.ft_ies; 1726 end = pos + wpa_s->sme.ft_ies_len; 1727 wpos = wpa_s->sme.assoc_req_ie; 1728 if (*pos == WLAN_EID_RSN) { 1729 os_memcpy(wpos, pos, 2 + pos[1]); 1730 wpos += 2 + pos[1]; 1731 pos += 2 + pos[1]; 1732 } 1733 if (rm_en_dup) { 1734 os_memcpy(wpos, rm_en_dup, rm_en_len); 1735 wpos += rm_en_len; 1736 os_free(rm_en_dup); 1737 } 1738 os_memcpy(wpos, pos, end - pos); 1739 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len + 1740 rm_en_len; 1741 params.wpa_ie = wpa_s->sme.assoc_req_ie; 1742 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1743 wpa_hexdump(MSG_DEBUG, 1744 "SME: Association Request IEs after FT override", 1745 params.wpa_ie, params.wpa_ie_len); 1746 } 1747 #endif /* CONFIG_IEEE80211R */ 1748 params.mode = mode; 1749 params.mgmt_frame_protection = wpa_s->sme.mfp; 1750 params.rrm_used = wpa_s->rrm.rrm_used; 1751 if (wpa_s->sme.prev_bssid_set) 1752 params.prev_bssid = wpa_s->sme.prev_bssid; 1753 1754 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 1755 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 1756 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 1757 params.freq.freq); 1758 1759 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 1760 1761 if (params.wpa_ie == NULL || 1762 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 1763 < 0) { 1764 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 1765 os_memset(&elems, 0, sizeof(elems)); 1766 } 1767 if (elems.rsn_ie) { 1768 params.wpa_proto = WPA_PROTO_RSN; 1769 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 1770 elems.rsn_ie_len + 2); 1771 } else if (elems.wpa_ie) { 1772 params.wpa_proto = WPA_PROTO_WPA; 1773 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 1774 elems.wpa_ie_len + 2); 1775 } else if (elems.osen) { 1776 params.wpa_proto = WPA_PROTO_OSEN; 1777 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 1778 elems.osen_len + 2); 1779 } else 1780 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 1781 if (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group) 1782 params.p2p = 1; 1783 1784 if (wpa_s->p2pdev->set_sta_uapsd) 1785 params.uapsd = wpa_s->p2pdev->sta_uapsd; 1786 else 1787 params.uapsd = -1; 1788 1789 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 1790 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 1791 "driver failed"); 1792 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1793 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1794 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1795 return; 1796 } 1797 1798 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 1799 NULL); 1800 1801 #ifdef CONFIG_TESTING_OPTIONS 1802 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 1803 wpa_s->last_assoc_req_wpa_ie = NULL; 1804 if (params.wpa_ie) 1805 wpa_s->last_assoc_req_wpa_ie = 1806 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 1807 #endif /* CONFIG_TESTING_OPTIONS */ 1808 } 1809 1810 1811 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 1812 const u8 *ies, size_t ies_len) 1813 { 1814 if (md == NULL || ies == NULL) { 1815 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 1816 os_free(wpa_s->sme.ft_ies); 1817 wpa_s->sme.ft_ies = NULL; 1818 wpa_s->sme.ft_ies_len = 0; 1819 wpa_s->sme.ft_used = 0; 1820 return 0; 1821 } 1822 1823 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 1824 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 1825 os_free(wpa_s->sme.ft_ies); 1826 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 1827 if (wpa_s->sme.ft_ies == NULL) 1828 return -1; 1829 wpa_s->sme.ft_ies_len = ies_len; 1830 return 0; 1831 } 1832 1833 1834 static void sme_deauth(struct wpa_supplicant *wpa_s) 1835 { 1836 int bssid_changed; 1837 1838 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 1839 1840 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1841 WLAN_REASON_DEAUTH_LEAVING) < 0) { 1842 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 1843 "failed"); 1844 } 1845 wpa_s->sme.prev_bssid_set = 0; 1846 1847 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1848 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1849 os_memset(wpa_s->bssid, 0, ETH_ALEN); 1850 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 1851 if (bssid_changed) 1852 wpas_notify_bssid_changed(wpa_s); 1853 } 1854 1855 1856 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 1857 union wpa_event_data *data) 1858 { 1859 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 1860 "status code %d", MAC2STR(wpa_s->pending_bssid), 1861 data->assoc_reject.status_code); 1862 1863 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1864 1865 #ifdef CONFIG_SAE 1866 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 1867 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 1868 wpa_dbg(wpa_s, MSG_DEBUG, 1869 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 1870 wpa_sm_aborted_cached(wpa_s->wpa); 1871 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 1872 if (wpa_s->current_bss) { 1873 struct wpa_bss *bss = wpa_s->current_bss; 1874 struct wpa_ssid *ssid = wpa_s->current_ssid; 1875 1876 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 1877 WLAN_REASON_DEAUTH_LEAVING); 1878 wpas_connect_work_done(wpa_s); 1879 wpa_supplicant_mark_disassoc(wpa_s); 1880 wpa_supplicant_connect(wpa_s, bss, ssid); 1881 return; 1882 } 1883 } 1884 #endif /* CONFIG_SAE */ 1885 1886 /* 1887 * For now, unconditionally terminate the previous authentication. In 1888 * theory, this should not be needed, but mac80211 gets quite confused 1889 * if the authentication is left pending.. Some roaming cases might 1890 * benefit from using the previous authentication, so this could be 1891 * optimized in the future. 1892 */ 1893 sme_deauth(wpa_s); 1894 } 1895 1896 1897 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 1898 union wpa_event_data *data) 1899 { 1900 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 1901 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1902 wpa_supplicant_mark_disassoc(wpa_s); 1903 } 1904 1905 1906 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 1907 union wpa_event_data *data) 1908 { 1909 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 1910 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1911 wpa_supplicant_mark_disassoc(wpa_s); 1912 } 1913 1914 1915 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 1916 struct disassoc_info *info) 1917 { 1918 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 1919 if (wpa_s->sme.prev_bssid_set) { 1920 /* 1921 * cfg80211/mac80211 can get into somewhat confused state if 1922 * the AP only disassociates us and leaves us in authenticated 1923 * state. For now, force the state to be cleared to avoid 1924 * confusing errors if we try to associate with the AP again. 1925 */ 1926 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 1927 "driver state"); 1928 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 1929 WLAN_REASON_DEAUTH_LEAVING); 1930 } 1931 } 1932 1933 1934 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 1935 { 1936 struct wpa_supplicant *wpa_s = eloop_ctx; 1937 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 1938 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 1939 sme_deauth(wpa_s); 1940 } 1941 } 1942 1943 1944 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 1945 { 1946 struct wpa_supplicant *wpa_s = eloop_ctx; 1947 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 1948 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 1949 sme_deauth(wpa_s); 1950 } 1951 } 1952 1953 1954 void sme_state_changed(struct wpa_supplicant *wpa_s) 1955 { 1956 /* Make sure timers are cleaned up appropriately. */ 1957 if (wpa_s->wpa_state != WPA_ASSOCIATING) 1958 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 1959 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 1960 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1961 } 1962 1963 1964 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 1965 const u8 *prev_pending_bssid) 1966 { 1967 /* 1968 * mac80211-workaround to force deauth on failed auth cmd, 1969 * requires us to remain in authenticating state to allow the 1970 * second authentication attempt to be continued properly. 1971 */ 1972 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 1973 "to proceed after disconnection event"); 1974 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 1975 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 1976 1977 /* 1978 * Re-arm authentication timer in case auth fails for whatever reason. 1979 */ 1980 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1981 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 1982 NULL); 1983 } 1984 1985 1986 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 1987 { 1988 wpa_s->sme.prev_bssid_set = 0; 1989 #ifdef CONFIG_SAE 1990 wpabuf_free(wpa_s->sme.sae_token); 1991 wpa_s->sme.sae_token = NULL; 1992 sae_clear_data(&wpa_s->sme.sae); 1993 #endif /* CONFIG_SAE */ 1994 #ifdef CONFIG_IEEE80211R 1995 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used) 1996 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 1997 #endif /* CONFIG_IEEE80211R */ 1998 #ifdef CONFIG_IEEE80211W 1999 sme_stop_sa_query(wpa_s); 2000 #endif /* CONFIG_IEEE80211W */ 2001 } 2002 2003 2004 void sme_deinit(struct wpa_supplicant *wpa_s) 2005 { 2006 sme_clear_on_disassoc(wpa_s); 2007 2008 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2009 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2010 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2011 } 2012 2013 2014 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 2015 const u8 *chan_list, u8 num_channels, 2016 u8 num_intol) 2017 { 2018 struct ieee80211_2040_bss_coex_ie *bc_ie; 2019 struct ieee80211_2040_intol_chan_report *ic_report; 2020 struct wpabuf *buf; 2021 2022 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 2023 " (num_channels=%u num_intol=%u)", 2024 MAC2STR(wpa_s->bssid), num_channels, num_intol); 2025 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 2026 chan_list, num_channels); 2027 2028 buf = wpabuf_alloc(2 + /* action.category + action_code */ 2029 sizeof(struct ieee80211_2040_bss_coex_ie) + 2030 sizeof(struct ieee80211_2040_intol_chan_report) + 2031 num_channels); 2032 if (buf == NULL) 2033 return; 2034 2035 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 2036 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 2037 2038 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 2039 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 2040 bc_ie->length = 1; 2041 if (num_intol) 2042 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 2043 2044 if (num_channels > 0) { 2045 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 2046 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 2047 ic_report->length = num_channels + 1; 2048 ic_report->op_class = 0; 2049 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 2050 num_channels); 2051 } 2052 2053 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2054 wpa_s->own_addr, wpa_s->bssid, 2055 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 2056 wpa_msg(wpa_s, MSG_INFO, 2057 "SME: Failed to send 20/40 BSS Coexistence frame"); 2058 } 2059 2060 wpabuf_free(buf); 2061 } 2062 2063 2064 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 2065 { 2066 struct wpa_bss *bss; 2067 const u8 *ie; 2068 u16 ht_cap; 2069 u8 chan_list[P2P_MAX_CHANNELS], channel; 2070 u8 num_channels = 0, num_intol = 0, i; 2071 2072 if (!wpa_s->sme.sched_obss_scan) 2073 return 0; 2074 2075 wpa_s->sme.sched_obss_scan = 0; 2076 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 2077 return 1; 2078 2079 /* 2080 * Check whether AP uses regulatory triplet or channel triplet in 2081 * country info. Right now the operating class of the BSS channel 2082 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 2083 * based on the assumption that operating class triplet is not used in 2084 * beacon frame. If the First Channel Number/Operating Extension 2085 * Identifier octet has a positive integer value of 201 or greater, 2086 * then its operating class triplet. 2087 * 2088 * TODO: If Supported Operating Classes element is present in beacon 2089 * frame, have to lookup operating class in Annex E and fill them in 2090 * 2040 coex frame. 2091 */ 2092 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 2093 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 2094 return 1; 2095 2096 os_memset(chan_list, 0, sizeof(chan_list)); 2097 2098 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2099 /* Skip other band bss */ 2100 enum hostapd_hw_mode mode; 2101 mode = ieee80211_freq_to_chan(bss->freq, &channel); 2102 if (mode != HOSTAPD_MODE_IEEE80211G && 2103 mode != HOSTAPD_MODE_IEEE80211B) 2104 continue; 2105 2106 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 2107 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 2108 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 2109 " freq=%u chan=%u ht_cap=0x%x", 2110 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 2111 2112 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 2113 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 2114 num_intol++; 2115 2116 /* Check whether the channel is already considered */ 2117 for (i = 0; i < num_channels; i++) { 2118 if (channel == chan_list[i]) 2119 break; 2120 } 2121 if (i != num_channels) 2122 continue; 2123 2124 chan_list[num_channels++] = channel; 2125 } 2126 } 2127 2128 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 2129 return 1; 2130 } 2131 2132 2133 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 2134 struct wpa_driver_scan_params *params) 2135 { 2136 /* Include only affected channels */ 2137 struct hostapd_hw_modes *mode; 2138 int count, i; 2139 int start, end; 2140 2141 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 2142 HOSTAPD_MODE_IEEE80211G); 2143 if (mode == NULL) { 2144 /* No channels supported in this band - use empty list */ 2145 params->freqs = os_zalloc(sizeof(int)); 2146 return; 2147 } 2148 2149 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 2150 wpa_s->current_bss) { 2151 const u8 *ie; 2152 2153 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 2154 if (ie && ie[1] >= 2) { 2155 u8 o; 2156 2157 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 2158 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 2159 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 2160 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 2161 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 2162 } 2163 } 2164 2165 start = wpa_s->assoc_freq - 10; 2166 end = wpa_s->assoc_freq + 10; 2167 switch (wpa_s->sme.ht_sec_chan) { 2168 case HT_SEC_CHAN_UNKNOWN: 2169 /* HT40+ possible on channels 1..9 */ 2170 if (wpa_s->assoc_freq <= 2452) 2171 start -= 20; 2172 /* HT40- possible on channels 5-13 */ 2173 if (wpa_s->assoc_freq >= 2432) 2174 end += 20; 2175 break; 2176 case HT_SEC_CHAN_ABOVE: 2177 end += 20; 2178 break; 2179 case HT_SEC_CHAN_BELOW: 2180 start -= 20; 2181 break; 2182 } 2183 wpa_printf(MSG_DEBUG, 2184 "OBSS: assoc_freq %d possible affected range %d-%d", 2185 wpa_s->assoc_freq, start, end); 2186 2187 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 2188 if (params->freqs == NULL) 2189 return; 2190 for (count = 0, i = 0; i < mode->num_channels; i++) { 2191 int freq; 2192 2193 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 2194 continue; 2195 freq = mode->channels[i].freq; 2196 if (freq - 10 >= end || freq + 10 <= start) 2197 continue; /* not affected */ 2198 params->freqs[count++] = freq; 2199 } 2200 } 2201 2202 2203 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 2204 { 2205 struct wpa_supplicant *wpa_s = eloop_ctx; 2206 struct wpa_driver_scan_params params; 2207 2208 if (!wpa_s->current_bss) { 2209 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 2210 return; 2211 } 2212 2213 os_memset(¶ms, 0, sizeof(params)); 2214 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 2215 params.low_priority = 1; 2216 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 2217 2218 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 2219 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 2220 else 2221 wpa_s->sme.sched_obss_scan = 1; 2222 os_free(params.freqs); 2223 2224 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2225 sme_obss_scan_timeout, wpa_s, NULL); 2226 } 2227 2228 2229 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 2230 { 2231 const u8 *ie; 2232 struct wpa_bss *bss = wpa_s->current_bss; 2233 struct wpa_ssid *ssid = wpa_s->current_ssid; 2234 struct hostapd_hw_modes *hw_mode = NULL; 2235 int i; 2236 2237 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2238 wpa_s->sme.sched_obss_scan = 0; 2239 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 2240 if (!enable) 2241 return; 2242 2243 /* 2244 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 2245 * or it expects OBSS scan to be performed by wpa_supplicant. 2246 */ 2247 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 2248 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 2249 ssid == NULL || ssid->mode != WPAS_MODE_INFRA) 2250 return; 2251 2252 if (!wpa_s->hw.modes) 2253 return; 2254 2255 /* only HT caps in 11g mode are relevant */ 2256 for (i = 0; i < wpa_s->hw.num_modes; i++) { 2257 hw_mode = &wpa_s->hw.modes[i]; 2258 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 2259 break; 2260 } 2261 2262 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 2263 if (i == wpa_s->hw.num_modes || !hw_mode || 2264 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2265 return; 2266 2267 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 2268 return; /* Not associated on 2.4 GHz band */ 2269 2270 /* Check whether AP supports HT40 */ 2271 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 2272 if (!ie || ie[1] < 2 || 2273 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2274 return; /* AP does not support HT40 */ 2275 2276 ie = wpa_bss_get_ie(wpa_s->current_bss, 2277 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 2278 if (!ie || ie[1] < 14) 2279 return; /* AP does not request OBSS scans */ 2280 2281 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 2282 if (wpa_s->sme.obss_scan_int < 10) { 2283 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 2284 "replaced with the minimum 10 sec", 2285 wpa_s->sme.obss_scan_int); 2286 wpa_s->sme.obss_scan_int = 10; 2287 } 2288 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 2289 wpa_s->sme.obss_scan_int); 2290 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2291 sme_obss_scan_timeout, wpa_s, NULL); 2292 } 2293 2294 2295 #ifdef CONFIG_IEEE80211W 2296 2297 static const unsigned int sa_query_max_timeout = 1000; 2298 static const unsigned int sa_query_retry_timeout = 201; 2299 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */ 2300 2301 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 2302 { 2303 u32 tu; 2304 struct os_reltime now, passed; 2305 os_get_reltime(&now); 2306 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 2307 tu = (passed.sec * 1000000 + passed.usec) / 1024; 2308 if (sa_query_max_timeout < tu) { 2309 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 2310 sme_stop_sa_query(wpa_s); 2311 wpa_supplicant_deauthenticate( 2312 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 2313 return 1; 2314 } 2315 2316 return 0; 2317 } 2318 2319 2320 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 2321 const u8 *trans_id) 2322 { 2323 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2324 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2325 2326 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 2327 MACSTR, MAC2STR(wpa_s->bssid)); 2328 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 2329 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2330 req[0] = WLAN_ACTION_SA_QUERY; 2331 req[1] = WLAN_SA_QUERY_REQUEST; 2332 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2333 2334 #ifdef CONFIG_OCV 2335 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2336 struct wpa_channel_info ci; 2337 2338 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2339 wpa_printf(MSG_WARNING, 2340 "Failed to get channel info for OCI element in SA Query Request frame"); 2341 return; 2342 } 2343 2344 if (ocv_insert_extended_oci(&ci, req + req_len) < 0) 2345 return; 2346 2347 req_len += OCV_OCI_EXTENDED_LEN; 2348 } 2349 #endif /* CONFIG_OCV */ 2350 2351 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2352 wpa_s->own_addr, wpa_s->bssid, 2353 req, req_len, 0) < 0) 2354 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 2355 "Request"); 2356 } 2357 2358 2359 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 2360 { 2361 struct wpa_supplicant *wpa_s = eloop_ctx; 2362 unsigned int timeout, sec, usec; 2363 u8 *trans_id, *nbuf; 2364 2365 if (wpa_s->sme.sa_query_count > 0 && 2366 sme_check_sa_query_timeout(wpa_s)) 2367 return; 2368 2369 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 2370 wpa_s->sme.sa_query_count + 1, 2371 WLAN_SA_QUERY_TR_ID_LEN); 2372 if (nbuf == NULL) { 2373 sme_stop_sa_query(wpa_s); 2374 return; 2375 } 2376 if (wpa_s->sme.sa_query_count == 0) { 2377 /* Starting a new SA Query procedure */ 2378 os_get_reltime(&wpa_s->sme.sa_query_start); 2379 } 2380 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 2381 wpa_s->sme.sa_query_trans_id = nbuf; 2382 wpa_s->sme.sa_query_count++; 2383 2384 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 2385 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 2386 sme_stop_sa_query(wpa_s); 2387 return; 2388 } 2389 2390 timeout = sa_query_retry_timeout; 2391 sec = ((timeout / 1000) * 1024) / 1000; 2392 usec = (timeout % 1000) * 1024; 2393 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 2394 2395 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 2396 wpa_s->sme.sa_query_count); 2397 2398 sme_send_sa_query_req(wpa_s, trans_id); 2399 } 2400 2401 2402 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 2403 { 2404 sme_sa_query_timer(wpa_s, NULL); 2405 } 2406 2407 2408 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 2409 { 2410 if (wpa_s->sme.sa_query_trans_id) 2411 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query"); 2412 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 2413 os_free(wpa_s->sme.sa_query_trans_id); 2414 wpa_s->sme.sa_query_trans_id = NULL; 2415 wpa_s->sme.sa_query_count = 0; 2416 } 2417 2418 2419 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 2420 const u8 *da, u16 reason_code) 2421 { 2422 struct wpa_ssid *ssid; 2423 struct os_reltime now; 2424 2425 if (wpa_s->wpa_state != WPA_COMPLETED) 2426 return; 2427 ssid = wpa_s->current_ssid; 2428 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 2429 return; 2430 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2431 return; 2432 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 2433 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 2434 return; 2435 if (wpa_s->sme.sa_query_count > 0) 2436 return; 2437 2438 os_get_reltime(&now); 2439 if (wpa_s->sme.last_unprot_disconnect.sec && 2440 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 2441 return; /* limit SA Query procedure frequency */ 2442 wpa_s->sme.last_unprot_disconnect = now; 2443 2444 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 2445 "possible AP/STA state mismatch - trigger SA Query"); 2446 sme_start_sa_query(wpa_s); 2447 } 2448 2449 2450 void sme_event_ch_switch(struct wpa_supplicant *wpa_s) 2451 { 2452 unsigned int usec; 2453 u32 _rand; 2454 2455 if (wpa_s->wpa_state != WPA_COMPLETED || 2456 !wpa_sm_ocv_enabled(wpa_s->wpa)) 2457 return; 2458 2459 wpa_dbg(wpa_s, MSG_DEBUG, 2460 "SME: Channel switch completed - trigger new SA Query to verify new operating channel"); 2461 sme_stop_sa_query(wpa_s); 2462 2463 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0) 2464 _rand = os_random(); 2465 usec = _rand % (sa_query_ch_switch_max_delay + 1); 2466 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL); 2467 } 2468 2469 2470 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s, 2471 const u8 *sa, const u8 *data, 2472 size_t len) 2473 { 2474 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2475 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2476 2477 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to " 2478 MACSTR, MAC2STR(wpa_s->bssid)); 2479 2480 resp[0] = WLAN_ACTION_SA_QUERY; 2481 resp[1] = WLAN_SA_QUERY_RESPONSE; 2482 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN); 2483 2484 #ifdef CONFIG_OCV 2485 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2486 struct wpa_channel_info ci; 2487 2488 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2489 wpa_printf(MSG_WARNING, 2490 "Failed to get channel info for OCI element in SA Query Response frame"); 2491 return; 2492 } 2493 2494 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0) 2495 return; 2496 2497 resp_len += OCV_OCI_EXTENDED_LEN; 2498 } 2499 #endif /* CONFIG_OCV */ 2500 2501 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2502 wpa_s->own_addr, wpa_s->bssid, 2503 resp, resp_len, 0) < 0) 2504 wpa_msg(wpa_s, MSG_INFO, 2505 "SME: Failed to send SA Query Response"); 2506 } 2507 2508 2509 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s, 2510 const u8 *sa, const u8 *data, 2511 size_t len) 2512 { 2513 int i; 2514 2515 if (!wpa_s->sme.sa_query_trans_id) 2516 return; 2517 2518 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 2519 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2520 2521 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2522 return; 2523 2524 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 2525 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 2526 i * WLAN_SA_QUERY_TR_ID_LEN, 2527 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 2528 break; 2529 } 2530 2531 if (i >= wpa_s->sme.sa_query_count) { 2532 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 2533 "transaction identifier found"); 2534 return; 2535 } 2536 2537 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 2538 "from " MACSTR, MAC2STR(sa)); 2539 sme_stop_sa_query(wpa_s); 2540 } 2541 2542 2543 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *sa, 2544 const u8 *data, size_t len) 2545 { 2546 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN) 2547 return; 2548 2549 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from " 2550 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2551 2552 #ifdef CONFIG_OCV 2553 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2554 struct ieee802_11_elems elems; 2555 struct wpa_channel_info ci; 2556 2557 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN, 2558 len - 1 - WLAN_SA_QUERY_TR_ID_LEN, 2559 &elems, 1) == ParseFailed) { 2560 wpa_printf(MSG_DEBUG, 2561 "SA Query: Failed to parse elements"); 2562 return; 2563 } 2564 2565 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2566 wpa_printf(MSG_WARNING, 2567 "Failed to get channel info to validate received OCI in SA Query Action frame"); 2568 return; 2569 } 2570 2571 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 2572 channel_width_to_int(ci.chanwidth), 2573 ci.seg1_idx) != 0) { 2574 wpa_printf(MSG_WARNING, "%s", ocv_errorstr); 2575 return; 2576 } 2577 } 2578 #endif /* CONFIG_OCV */ 2579 2580 if (data[0] == WLAN_SA_QUERY_REQUEST) 2581 sme_process_sa_query_request(wpa_s, sa, data, len); 2582 else if (data[0] == WLAN_SA_QUERY_RESPONSE) 2583 sme_process_sa_query_response(wpa_s, sa, data, len); 2584 } 2585 2586 #endif /* CONFIG_IEEE80211W */ 2587