1 /* 2 * wpa_supplicant - SME 3 * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "common/ieee802_11_common.h" 15 #include "common/ocv.h" 16 #include "eapol_supp/eapol_supp_sm.h" 17 #include "common/wpa_common.h" 18 #include "common/sae.h" 19 #include "common/dpp.h" 20 #include "rsn_supp/wpa.h" 21 #include "rsn_supp/pmksa_cache.h" 22 #include "config.h" 23 #include "wpa_supplicant_i.h" 24 #include "driver_i.h" 25 #include "wpas_glue.h" 26 #include "wps_supplicant.h" 27 #include "p2p_supplicant.h" 28 #include "notify.h" 29 #include "bss.h" 30 #include "scan.h" 31 #include "sme.h" 32 #include "hs20_supplicant.h" 33 34 #define SME_AUTH_TIMEOUT 5 35 #define SME_ASSOC_TIMEOUT 5 36 37 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx); 38 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx); 39 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx); 40 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s); 41 42 43 #ifdef CONFIG_SAE 44 45 static int index_within_array(const int *array, int idx) 46 { 47 int i; 48 for (i = 0; i < idx; i++) { 49 if (array[i] <= 0) 50 return 0; 51 } 52 return 1; 53 } 54 55 56 static int sme_set_sae_group(struct wpa_supplicant *wpa_s) 57 { 58 int *groups = wpa_s->conf->sae_groups; 59 int default_groups[] = { 19, 20, 21, 0 }; 60 61 if (!groups || groups[0] <= 0) 62 groups = default_groups; 63 64 /* Configuration may have changed, so validate current index */ 65 if (!index_within_array(groups, wpa_s->sme.sae_group_index)) 66 return -1; 67 68 for (;;) { 69 int group = groups[wpa_s->sme.sae_group_index]; 70 if (group <= 0) 71 break; 72 if (sae_set_group(&wpa_s->sme.sae, group) == 0) { 73 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 74 wpa_s->sme.sae.group); 75 return 0; 76 } 77 wpa_s->sme.sae_group_index++; 78 } 79 80 return -1; 81 } 82 83 84 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s, 85 struct wpa_ssid *ssid, 86 const u8 *bssid, int external, 87 int reuse, int *ret_use_pt, 88 bool *ret_use_pk) 89 { 90 struct wpabuf *buf; 91 size_t len; 92 const char *password; 93 struct wpa_bss *bss; 94 int use_pt = 0; 95 bool use_pk = false; 96 u8 rsnxe_capa = 0; 97 98 if (ret_use_pt) 99 *ret_use_pt = 0; 100 if (ret_use_pk) 101 *ret_use_pk = false; 102 103 #ifdef CONFIG_TESTING_OPTIONS 104 if (wpa_s->sae_commit_override) { 105 wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override"); 106 buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override)); 107 if (!buf) 108 return NULL; 109 if (!external) { 110 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 111 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 112 } 113 wpabuf_put_buf(buf, wpa_s->sae_commit_override); 114 return buf; 115 } 116 #endif /* CONFIG_TESTING_OPTIONS */ 117 118 password = ssid->sae_password; 119 if (!password) 120 password = ssid->passphrase; 121 if (!password) { 122 wpa_printf(MSG_DEBUG, "SAE: No password available"); 123 return NULL; 124 } 125 126 if (reuse && wpa_s->sme.sae.tmp && 127 os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) { 128 wpa_printf(MSG_DEBUG, 129 "SAE: Reuse previously generated PWE on a retry with the same AP"); 130 use_pt = wpa_s->sme.sae.h2e; 131 use_pk = wpa_s->sme.sae.pk; 132 goto reuse_data; 133 } 134 if (sme_set_sae_group(wpa_s) < 0) { 135 wpa_printf(MSG_DEBUG, "SAE: Failed to select group"); 136 return NULL; 137 } 138 139 bss = wpa_bss_get_bssid_latest(wpa_s, bssid); 140 if (!bss) { 141 wpa_printf(MSG_DEBUG, 142 "SAE: BSS not available, update scan result to get BSS"); 143 wpa_supplicant_update_scan_results(wpa_s); 144 bss = wpa_bss_get_bssid_latest(wpa_s, bssid); 145 } 146 if (bss) { 147 const u8 *rsnxe; 148 149 rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX); 150 if (rsnxe && rsnxe[1] >= 1) 151 rsnxe_capa = rsnxe[2]; 152 } 153 154 if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3) 155 use_pt = 1; 156 #ifdef CONFIG_SAE_PK 157 if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) && 158 ssid->sae_pk != SAE_PK_MODE_DISABLED && 159 ((ssid->sae_password && 160 sae_pk_valid_password(ssid->sae_password)) || 161 (!ssid->sae_password && ssid->passphrase && 162 sae_pk_valid_password(ssid->passphrase)))) { 163 use_pt = 1; 164 use_pk = true; 165 } 166 167 if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) { 168 wpa_printf(MSG_DEBUG, 169 "SAE: Cannot use PK with the selected AP"); 170 return NULL; 171 } 172 #endif /* CONFIG_SAE_PK */ 173 174 if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) { 175 use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E)); 176 177 if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) && 178 wpa_s->conf->sae_pwe != 3 && 179 !use_pt) { 180 wpa_printf(MSG_DEBUG, 181 "SAE: Cannot use H2E with the selected AP"); 182 return NULL; 183 } 184 } 185 186 if (use_pt && 187 sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt, 188 wpa_s->own_addr, bssid, 189 wpa_s->sme.sae_rejected_groups, NULL) < 0) 190 return NULL; 191 if (!use_pt && 192 sae_prepare_commit(wpa_s->own_addr, bssid, 193 (u8 *) password, os_strlen(password), 194 &wpa_s->sme.sae) < 0) { 195 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); 196 return NULL; 197 } 198 if (wpa_s->sme.sae.tmp) { 199 os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN); 200 if (use_pt && use_pk) 201 wpa_s->sme.sae.pk = 1; 202 #ifdef CONFIG_SAE_PK 203 os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr, 204 ETH_ALEN); 205 os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN); 206 sae_pk_set_password(&wpa_s->sme.sae, password); 207 #endif /* CONFIG_SAE_PK */ 208 } 209 210 reuse_data: 211 len = wpa_s->sme.sae_token ? 3 + wpabuf_len(wpa_s->sme.sae_token) : 0; 212 if (ssid->sae_password_id) 213 len += 4 + os_strlen(ssid->sae_password_id); 214 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len); 215 if (buf == NULL) 216 return NULL; 217 if (!external) { 218 wpabuf_put_le16(buf, 1); /* Transaction seq# */ 219 if (use_pk) 220 wpabuf_put_le16(buf, WLAN_STATUS_SAE_PK); 221 else if (use_pt) 222 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); 223 else 224 wpabuf_put_le16(buf,WLAN_STATUS_SUCCESS); 225 } 226 if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token, 227 ssid->sae_password_id) < 0) { 228 wpabuf_free(buf); 229 return NULL; 230 } 231 if (ret_use_pt) 232 *ret_use_pt = use_pt; 233 if (ret_use_pk) 234 *ret_use_pk = use_pk; 235 236 return buf; 237 } 238 239 240 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s, 241 int external) 242 { 243 struct wpabuf *buf; 244 245 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN); 246 if (buf == NULL) 247 return NULL; 248 249 if (!external) { 250 wpabuf_put_le16(buf, 2); /* Transaction seq# */ 251 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 252 } 253 sae_write_confirm(&wpa_s->sme.sae, buf); 254 255 return buf; 256 } 257 258 #endif /* CONFIG_SAE */ 259 260 261 /** 262 * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt 263 * @wpa_s: Pointer to wpa_supplicant data 264 * @bss: Pointer to the bss which is the target of authentication attempt 265 */ 266 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s, 267 struct wpa_bss *bss) 268 { 269 const u8 rrm_ie_len = 5; 270 u8 *pos; 271 const u8 *rrm_ie; 272 273 wpa_s->rrm.rrm_used = 0; 274 275 wpa_printf(MSG_DEBUG, 276 "RRM: Determining whether RRM can be used - device support: 0x%x", 277 wpa_s->drv_rrm_flags); 278 279 rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES); 280 if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) { 281 wpa_printf(MSG_DEBUG, "RRM: No RRM in network"); 282 return; 283 } 284 285 if (!((wpa_s->drv_rrm_flags & 286 WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) && 287 (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) && 288 !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) { 289 wpa_printf(MSG_DEBUG, 290 "RRM: Insufficient RRM support in driver - do not use RRM"); 291 return; 292 } 293 294 if (sizeof(wpa_s->sme.assoc_req_ie) < 295 wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) { 296 wpa_printf(MSG_INFO, 297 "RRM: Unable to use RRM, no room for RRM IE"); 298 return; 299 } 300 301 wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request"); 302 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 303 os_memset(pos, 0, 2 + rrm_ie_len); 304 *pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES; 305 *pos++ = rrm_ie_len; 306 307 /* Set supported capabilities flags */ 308 if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION) 309 *pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT; 310 311 *pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE | 312 WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE | 313 WLAN_RRM_CAPS_BEACON_REPORT_TABLE; 314 315 if (wpa_s->lci) 316 pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT; 317 318 wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2; 319 wpa_s->rrm.rrm_used = 1; 320 } 321 322 323 static void sme_send_authentication(struct wpa_supplicant *wpa_s, 324 struct wpa_bss *bss, struct wpa_ssid *ssid, 325 int start) 326 { 327 struct wpa_driver_auth_params params; 328 struct wpa_ssid *old_ssid; 329 #ifdef CONFIG_IEEE80211R 330 const u8 *ie; 331 #endif /* CONFIG_IEEE80211R */ 332 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS) 333 const u8 *md = NULL; 334 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */ 335 int bssid_changed; 336 struct wpabuf *resp = NULL; 337 u8 ext_capab[18]; 338 int ext_capab_len; 339 int skip_auth; 340 u8 *wpa_ie; 341 size_t wpa_ie_len; 342 #ifdef CONFIG_MBO 343 const u8 *mbo_ie; 344 #endif /* CONFIG_MBO */ 345 int omit_rsnxe = 0; 346 347 if (bss == NULL) { 348 wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for " 349 "the network"); 350 wpas_connect_work_done(wpa_s); 351 return; 352 } 353 354 skip_auth = wpa_s->conf->reassoc_same_bss_optim && 355 wpa_s->reassoc_same_bss; 356 wpa_s->current_bss = bss; 357 358 os_memset(¶ms, 0, sizeof(params)); 359 wpa_s->reassociate = 0; 360 361 params.freq = bss->freq; 362 params.bssid = bss->bssid; 363 params.ssid = bss->ssid; 364 params.ssid_len = bss->ssid_len; 365 params.p2p = ssid->p2p_group; 366 367 if (wpa_s->sme.ssid_len != params.ssid_len || 368 os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0) 369 wpa_s->sme.prev_bssid_set = 0; 370 371 wpa_s->sme.freq = params.freq; 372 os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len); 373 wpa_s->sme.ssid_len = params.ssid_len; 374 375 params.auth_alg = WPA_AUTH_ALG_OPEN; 376 #ifdef IEEE8021X_EAPOL 377 if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { 378 if (ssid->leap) { 379 if (ssid->non_leap == 0) 380 params.auth_alg = WPA_AUTH_ALG_LEAP; 381 else 382 params.auth_alg |= WPA_AUTH_ALG_LEAP; 383 } 384 } 385 #endif /* IEEE8021X_EAPOL */ 386 wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x", 387 params.auth_alg); 388 if (ssid->auth_alg) { 389 params.auth_alg = ssid->auth_alg; 390 wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: " 391 "0x%x", params.auth_alg); 392 } 393 #ifdef CONFIG_SAE 394 wpa_s->sme.sae_pmksa_caching = 0; 395 if (wpa_key_mgmt_sae(ssid->key_mgmt)) { 396 const u8 *rsn; 397 struct wpa_ie_data ied; 398 399 rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 400 if (!rsn) { 401 wpa_dbg(wpa_s, MSG_DEBUG, 402 "SAE enabled, but target BSS does not advertise RSN"); 403 #ifdef CONFIG_DPP 404 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 405 (ssid->key_mgmt & WPA_KEY_MGMT_DPP) && 406 (ied.key_mgmt & WPA_KEY_MGMT_DPP)) { 407 wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled"); 408 #endif /* CONFIG_DPP */ 409 } else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 && 410 wpa_key_mgmt_sae(ied.key_mgmt)) { 411 wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg"); 412 params.auth_alg = WPA_AUTH_ALG_SAE; 413 } else { 414 wpa_dbg(wpa_s, MSG_DEBUG, 415 "SAE enabled, but target BSS does not advertise SAE AKM for RSN"); 416 } 417 } 418 #endif /* CONFIG_SAE */ 419 420 #ifdef CONFIG_WEP 421 { 422 int i; 423 424 for (i = 0; i < NUM_WEP_KEYS; i++) { 425 if (ssid->wep_key_len[i]) 426 params.wep_key[i] = ssid->wep_key[i]; 427 params.wep_key_len[i] = ssid->wep_key_len[i]; 428 } 429 params.wep_tx_keyidx = ssid->wep_tx_keyidx; 430 } 431 #endif /* CONFIG_WEP */ 432 433 if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) || 434 wpa_bss_get_ie(bss, WLAN_EID_RSN)) && 435 wpa_key_mgmt_wpa(ssid->key_mgmt)) { 436 int try_opportunistic; 437 const u8 *cache_id = NULL; 438 439 try_opportunistic = (ssid->proactive_key_caching < 0 ? 440 wpa_s->conf->okc : 441 ssid->proactive_key_caching) && 442 (ssid->proto & WPA_PROTO_RSN); 443 #ifdef CONFIG_FILS 444 if (wpa_key_mgmt_fils(ssid->key_mgmt)) 445 cache_id = wpa_bss_get_fils_cache_id(bss); 446 #endif /* CONFIG_FILS */ 447 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 448 wpa_s->current_ssid, 449 try_opportunistic, cache_id, 450 0) == 0) 451 eapol_sm_notify_pmkid_attempt(wpa_s->eapol); 452 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 453 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 454 wpa_s->sme.assoc_req_ie, 455 &wpa_s->sme.assoc_req_ie_len)) { 456 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 457 "key management and encryption suites"); 458 wpas_connect_work_done(wpa_s); 459 return; 460 } 461 #ifdef CONFIG_HS20 462 } else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) && 463 (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) { 464 /* No PMKSA caching, but otherwise similar to RSN/WPA */ 465 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 466 if (wpa_supplicant_set_suites(wpa_s, bss, ssid, 467 wpa_s->sme.assoc_req_ie, 468 &wpa_s->sme.assoc_req_ie_len)) { 469 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 470 "key management and encryption suites"); 471 wpas_connect_work_done(wpa_s); 472 return; 473 } 474 #endif /* CONFIG_HS20 */ 475 } else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) && 476 wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) { 477 /* 478 * Both WPA and non-WPA IEEE 802.1X enabled in configuration - 479 * use non-WPA since the scan results did not indicate that the 480 * AP is using WPA or WPA2. 481 */ 482 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 483 wpa_s->sme.assoc_req_ie_len = 0; 484 } else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) { 485 wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 486 if (wpa_supplicant_set_suites(wpa_s, NULL, ssid, 487 wpa_s->sme.assoc_req_ie, 488 &wpa_s->sme.assoc_req_ie_len)) { 489 wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA " 490 "key management and encryption suites (no " 491 "scan results)"); 492 wpas_connect_work_done(wpa_s); 493 return; 494 } 495 #ifdef CONFIG_WPS 496 } else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { 497 struct wpabuf *wps_ie; 498 wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid)); 499 if (wps_ie && wpabuf_len(wps_ie) <= 500 sizeof(wpa_s->sme.assoc_req_ie)) { 501 wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie); 502 os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie), 503 wpa_s->sme.assoc_req_ie_len); 504 } else 505 wpa_s->sme.assoc_req_ie_len = 0; 506 wpabuf_free(wps_ie); 507 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 508 #endif /* CONFIG_WPS */ 509 } else { 510 wpa_supplicant_set_non_wpa_policy(wpa_s, ssid); 511 wpa_s->sme.assoc_req_ie_len = 0; 512 } 513 514 /* In case the WPA vendor IE is used, it should be placed after all the 515 * non-vendor IEs, as the lower layer expects the IEs to be ordered as 516 * defined in the standard. Store the WPA IE so it can later be 517 * inserted at the correct location. 518 */ 519 wpa_ie = NULL; 520 wpa_ie_len = 0; 521 if (wpa_s->wpa_proto == WPA_PROTO_WPA) { 522 wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie, 523 wpa_s->sme.assoc_req_ie_len); 524 if (wpa_ie) { 525 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE"); 526 527 wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 528 wpa_s->sme.assoc_req_ie_len = 0; 529 } else { 530 wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE"); 531 wpas_connect_work_done(wpa_s); 532 return; 533 } 534 } 535 536 #ifdef CONFIG_IEEE80211R 537 ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN); 538 if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN) 539 md = ie + 2; 540 wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0); 541 if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) || 542 !wpa_key_mgmt_ft(wpa_s->key_mgmt))) 543 md = NULL; 544 if (md) { 545 /* Prepare for the next transition */ 546 wpa_ft_prepare_auth_request(wpa_s->wpa, ie); 547 } 548 549 if (md) { 550 wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x", 551 md[0], md[1]); 552 553 omit_rsnxe = !wpa_bss_get_ie(bss, WLAN_EID_RSNX); 554 if (wpa_s->sme.assoc_req_ie_len + 5 < 555 sizeof(wpa_s->sme.assoc_req_ie)) { 556 struct rsn_mdie *mdie; 557 u8 *pos = wpa_s->sme.assoc_req_ie + 558 wpa_s->sme.assoc_req_ie_len; 559 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 560 *pos++ = sizeof(*mdie); 561 mdie = (struct rsn_mdie *) pos; 562 os_memcpy(mdie->mobility_domain, md, 563 MOBILITY_DOMAIN_ID_LEN); 564 mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN]; 565 wpa_s->sme.assoc_req_ie_len += 5; 566 } 567 568 if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used && 569 os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 && 570 wpa_sm_has_ptk(wpa_s->wpa)) { 571 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT " 572 "over-the-air"); 573 params.auth_alg = WPA_AUTH_ALG_FT; 574 params.ie = wpa_s->sme.ft_ies; 575 params.ie_len = wpa_s->sme.ft_ies_len; 576 } 577 } 578 #endif /* CONFIG_IEEE80211R */ 579 580 wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid); 581 if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) { 582 const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN); 583 struct wpa_ie_data _ie; 584 if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 && 585 _ie.capabilities & 586 (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) { 587 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports " 588 "MFP: require MFP"); 589 wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED; 590 } 591 } 592 593 #ifdef CONFIG_P2P 594 if (wpa_s->global->p2p) { 595 u8 *pos; 596 size_t len; 597 int res; 598 pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len; 599 len = sizeof(wpa_s->sme.assoc_req_ie) - 600 wpa_s->sme.assoc_req_ie_len; 601 res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len, 602 ssid->p2p_group); 603 if (res >= 0) 604 wpa_s->sme.assoc_req_ie_len += res; 605 } 606 #endif /* CONFIG_P2P */ 607 608 #ifdef CONFIG_FST 609 if (wpa_s->fst_ies) { 610 int fst_ies_len = wpabuf_len(wpa_s->fst_ies); 611 612 if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <= 613 sizeof(wpa_s->sme.assoc_req_ie)) { 614 os_memcpy(wpa_s->sme.assoc_req_ie + 615 wpa_s->sme.assoc_req_ie_len, 616 wpabuf_head(wpa_s->fst_ies), 617 fst_ies_len); 618 wpa_s->sme.assoc_req_ie_len += fst_ies_len; 619 } 620 } 621 #endif /* CONFIG_FST */ 622 623 sme_auth_handle_rrm(wpa_s, bss); 624 625 wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie( 626 wpa_s, ssid, bss, 627 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 628 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len); 629 630 if (params.p2p) 631 wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT); 632 else 633 wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION); 634 635 ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab, 636 sizeof(ext_capab)); 637 if (ext_capab_len > 0) { 638 u8 *pos = wpa_s->sme.assoc_req_ie; 639 if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN) 640 pos += 2 + pos[1]; 641 os_memmove(pos + ext_capab_len, pos, 642 wpa_s->sme.assoc_req_ie_len - 643 (pos - wpa_s->sme.assoc_req_ie)); 644 wpa_s->sme.assoc_req_ie_len += ext_capab_len; 645 os_memcpy(pos, ext_capab, ext_capab_len); 646 } 647 648 #ifdef CONFIG_TESTING_OPTIONS 649 if (wpa_s->rsnxe_override_assoc && 650 wpabuf_len(wpa_s->rsnxe_override_assoc) <= 651 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len) { 652 wpa_printf(MSG_DEBUG, "TESTING: RSNXE AssocReq override"); 653 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 654 wpabuf_head(wpa_s->rsnxe_override_assoc), 655 wpabuf_len(wpa_s->rsnxe_override_assoc)); 656 wpa_s->sme.assoc_req_ie_len += 657 wpabuf_len(wpa_s->rsnxe_override_assoc); 658 } else 659 #endif /* CONFIG_TESTING_OPTIONS */ 660 if (wpa_s->rsnxe_len > 0 && 661 wpa_s->rsnxe_len <= 662 sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len && 663 !omit_rsnxe) { 664 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 665 wpa_s->rsnxe, wpa_s->rsnxe_len); 666 wpa_s->sme.assoc_req_ie_len += wpa_s->rsnxe_len; 667 } 668 669 #ifdef CONFIG_HS20 670 if (is_hs20_network(wpa_s, ssid, bss)) { 671 struct wpabuf *hs20; 672 673 hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN); 674 if (hs20) { 675 int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid); 676 size_t len; 677 678 wpas_hs20_add_indication(hs20, pps_mo_id, 679 get_hs20_version(bss)); 680 wpas_hs20_add_roam_cons_sel(hs20, ssid); 681 len = sizeof(wpa_s->sme.assoc_req_ie) - 682 wpa_s->sme.assoc_req_ie_len; 683 if (wpabuf_len(hs20) <= len) { 684 os_memcpy(wpa_s->sme.assoc_req_ie + 685 wpa_s->sme.assoc_req_ie_len, 686 wpabuf_head(hs20), wpabuf_len(hs20)); 687 wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20); 688 } 689 wpabuf_free(hs20); 690 } 691 } 692 #endif /* CONFIG_HS20 */ 693 694 if (wpa_ie) { 695 size_t len; 696 697 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE"); 698 699 len = sizeof(wpa_s->sme.assoc_req_ie) - 700 wpa_s->sme.assoc_req_ie_len; 701 702 if (len > wpa_ie_len) { 703 os_memcpy(wpa_s->sme.assoc_req_ie + 704 wpa_s->sme.assoc_req_ie_len, 705 wpa_ie, wpa_ie_len); 706 wpa_s->sme.assoc_req_ie_len += wpa_ie_len; 707 } else { 708 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE"); 709 } 710 711 os_free(wpa_ie); 712 } 713 714 if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) { 715 struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]; 716 size_t len; 717 718 len = sizeof(wpa_s->sme.assoc_req_ie) - 719 wpa_s->sme.assoc_req_ie_len; 720 if (wpabuf_len(buf) <= len) { 721 os_memcpy(wpa_s->sme.assoc_req_ie + 722 wpa_s->sme.assoc_req_ie_len, 723 wpabuf_head(buf), wpabuf_len(buf)); 724 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 725 } 726 } 727 728 #ifdef CONFIG_MBO 729 mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE); 730 if (!wpa_s->disable_mbo_oce && mbo_ie) { 731 int len; 732 733 len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie + 734 wpa_s->sme.assoc_req_ie_len, 735 sizeof(wpa_s->sme.assoc_req_ie) - 736 wpa_s->sme.assoc_req_ie_len, 737 !!mbo_attr_from_mbo_ie(mbo_ie, 738 OCE_ATTR_ID_CAPA_IND)); 739 if (len >= 0) 740 wpa_s->sme.assoc_req_ie_len += len; 741 } 742 #endif /* CONFIG_MBO */ 743 744 #ifdef CONFIG_SAE 745 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE && 746 pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0, 747 NULL, 748 wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ? 749 WPA_KEY_MGMT_FT_SAE : 750 WPA_KEY_MGMT_SAE) == 0) { 751 wpa_dbg(wpa_s, MSG_DEBUG, 752 "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); 753 wpa_sm_set_pmk_from_pmksa(wpa_s->wpa); 754 params.auth_alg = WPA_AUTH_ALG_OPEN; 755 wpa_s->sme.sae_pmksa_caching = 1; 756 } 757 758 if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) { 759 if (start) 760 resp = sme_auth_build_sae_commit(wpa_s, ssid, 761 bss->bssid, 0, 762 start == 2, NULL, 763 NULL); 764 else 765 resp = sme_auth_build_sae_confirm(wpa_s, 0); 766 if (resp == NULL) { 767 wpas_connection_failed(wpa_s, bss->bssid); 768 return; 769 } 770 params.auth_data = wpabuf_head(resp); 771 params.auth_data_len = wpabuf_len(resp); 772 wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED; 773 } 774 #endif /* CONFIG_SAE */ 775 776 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 777 os_memset(wpa_s->bssid, 0, ETH_ALEN); 778 os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); 779 if (bssid_changed) 780 wpas_notify_bssid_changed(wpa_s); 781 782 old_ssid = wpa_s->current_ssid; 783 wpa_s->current_ssid = ssid; 784 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 785 wpa_supplicant_initiate_eapol(wpa_s); 786 787 #ifdef CONFIG_FILS 788 /* TODO: FILS operations can in some cases be done between different 789 * network_ctx (i.e., same credentials can be used with multiple 790 * networks). */ 791 if (params.auth_alg == WPA_AUTH_ALG_OPEN && 792 wpa_key_mgmt_fils(ssid->key_mgmt)) { 793 const u8 *indic; 794 u16 fils_info; 795 const u8 *realm, *username, *rrk; 796 size_t realm_len, username_len, rrk_len; 797 u16 next_seq_num; 798 799 /* 800 * Check FILS Indication element (FILS Information field) bits 801 * indicating supported authentication algorithms against local 802 * configuration (ssid->fils_dh_group). Try to use FILS 803 * authentication only if the AP supports the combination in the 804 * network profile. */ 805 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); 806 if (!indic || indic[1] < 2) { 807 wpa_printf(MSG_DEBUG, "SME: " MACSTR 808 " does not include FILS Indication element - cannot use FILS authentication with it", 809 MAC2STR(bss->bssid)); 810 goto no_fils; 811 } 812 813 fils_info = WPA_GET_LE16(indic + 2); 814 if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) { 815 wpa_printf(MSG_DEBUG, "SME: " MACSTR 816 " does not support FILS SK without PFS - cannot use FILS authentication with it", 817 MAC2STR(bss->bssid)); 818 goto no_fils; 819 } 820 if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) { 821 wpa_printf(MSG_DEBUG, "SME: " MACSTR 822 " does not support FILS SK with PFS - cannot use FILS authentication with it", 823 MAC2STR(bss->bssid)); 824 goto no_fils; 825 } 826 827 if (wpa_s->last_con_fail_realm && 828 eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap, 829 &username, &username_len, 830 &realm, &realm_len, &next_seq_num, 831 &rrk, &rrk_len) == 0 && 832 realm && realm_len == wpa_s->last_con_fail_realm_len && 833 os_memcmp(realm, wpa_s->last_con_fail_realm, 834 realm_len) == 0) { 835 wpa_printf(MSG_DEBUG, 836 "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy"); 837 goto no_fils; 838 } 839 840 if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, 841 ssid, 0, 842 wpa_bss_get_fils_cache_id(bss), 843 0) == 0) 844 wpa_printf(MSG_DEBUG, 845 "SME: Try to use FILS with PMKSA caching"); 846 resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md); 847 if (resp) { 848 int auth_alg; 849 850 if (ssid->fils_dh_group) 851 wpa_printf(MSG_DEBUG, 852 "SME: Try to use FILS SK authentication with PFS (DH Group %u)", 853 ssid->fils_dh_group); 854 else 855 wpa_printf(MSG_DEBUG, 856 "SME: Try to use FILS SK authentication without PFS"); 857 auth_alg = ssid->fils_dh_group ? 858 WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS; 859 params.auth_alg = auth_alg; 860 params.auth_data = wpabuf_head(resp); 861 params.auth_data_len = wpabuf_len(resp); 862 wpa_s->sme.auth_alg = auth_alg; 863 } 864 } 865 no_fils: 866 #endif /* CONFIG_FILS */ 867 868 wpa_supplicant_cancel_sched_scan(wpa_s); 869 wpa_supplicant_cancel_scan(wpa_s); 870 871 wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR 872 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 873 wpa_ssid_txt(params.ssid, params.ssid_len), params.freq); 874 875 eapol_sm_notify_portValid(wpa_s->eapol, false); 876 wpa_clear_keys(wpa_s, bss->bssid); 877 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 878 if (old_ssid != wpa_s->current_ssid) 879 wpas_notify_network_changed(wpa_s); 880 881 #ifdef CONFIG_HS20 882 hs20_configure_frame_filters(wpa_s); 883 #endif /* CONFIG_HS20 */ 884 885 #ifdef CONFIG_P2P 886 /* 887 * If multi-channel concurrency is not supported, check for any 888 * frequency conflict. In case of any frequency conflict, remove the 889 * least prioritized connection. 890 */ 891 if (wpa_s->num_multichan_concurrent < 2) { 892 int freq, num; 893 num = get_shared_radio_freqs(wpa_s, &freq, 1); 894 if (num > 0 && freq > 0 && freq != params.freq) { 895 wpa_printf(MSG_DEBUG, 896 "Conflicting frequency found (%d != %d)", 897 freq, params.freq); 898 if (wpas_p2p_handle_frequency_conflicts(wpa_s, 899 params.freq, 900 ssid) < 0) { 901 wpas_connection_failed(wpa_s, bss->bssid); 902 wpa_supplicant_mark_disassoc(wpa_s); 903 wpabuf_free(resp); 904 wpas_connect_work_done(wpa_s); 905 return; 906 } 907 } 908 } 909 #endif /* CONFIG_P2P */ 910 911 if (skip_auth) { 912 wpa_msg(wpa_s, MSG_DEBUG, 913 "SME: Skip authentication step on reassoc-to-same-BSS"); 914 wpabuf_free(resp); 915 sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN); 916 return; 917 } 918 919 920 wpa_s->sme.auth_alg = params.auth_alg; 921 if (wpa_drv_authenticate(wpa_s, ¶ms) < 0) { 922 wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the " 923 "driver failed"); 924 wpas_connection_failed(wpa_s, bss->bssid); 925 wpa_supplicant_mark_disassoc(wpa_s); 926 wpabuf_free(resp); 927 wpas_connect_work_done(wpa_s); 928 return; 929 } 930 931 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 932 NULL); 933 934 /* 935 * Association will be started based on the authentication event from 936 * the driver. 937 */ 938 939 wpabuf_free(resp); 940 } 941 942 943 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit) 944 { 945 struct wpa_connect_work *cwork = work->ctx; 946 struct wpa_supplicant *wpa_s = work->wpa_s; 947 948 wpa_s->roam_in_progress = false; 949 #ifdef CONFIG_WNM 950 wpa_s->bss_trans_mgmt_in_progress = false; 951 #endif /* CONFIG_WNM */ 952 953 if (deinit) { 954 if (work->started) 955 wpa_s->connect_work = NULL; 956 957 wpas_connect_work_free(cwork); 958 return; 959 } 960 961 wpa_s->connect_work = work; 962 963 if (cwork->bss_removed || 964 !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) || 965 wpas_network_disabled(wpa_s, cwork->ssid)) { 966 wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt"); 967 wpas_connect_work_done(wpa_s); 968 return; 969 } 970 971 /* Starting new connection, so clear the possibly used WPA IE from the 972 * previous association. */ 973 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 974 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 975 wpa_s->rsnxe_len = 0; 976 977 sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1); 978 } 979 980 981 void sme_authenticate(struct wpa_supplicant *wpa_s, 982 struct wpa_bss *bss, struct wpa_ssid *ssid) 983 { 984 struct wpa_connect_work *cwork; 985 986 if (bss == NULL || ssid == NULL) 987 return; 988 if (wpa_s->connect_work) { 989 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist"); 990 return; 991 } 992 993 if (wpa_s->roam_in_progress) { 994 wpa_dbg(wpa_s, MSG_DEBUG, 995 "SME: Reject sme_authenticate() in favor of explicit roam request"); 996 return; 997 } 998 #ifdef CONFIG_WNM 999 if (wpa_s->bss_trans_mgmt_in_progress) { 1000 wpa_dbg(wpa_s, MSG_DEBUG, 1001 "SME: Reject sme_authenticate() in favor of BSS transition management request"); 1002 return; 1003 } 1004 #endif /* CONFIG_WNM */ 1005 if (radio_work_pending(wpa_s, "sme-connect")) { 1006 /* 1007 * The previous sme-connect work might no longer be valid due to 1008 * the fact that the BSS list was updated. In addition, it makes 1009 * sense to adhere to the 'newer' decision. 1010 */ 1011 wpa_dbg(wpa_s, MSG_DEBUG, 1012 "SME: Remove previous pending sme-connect"); 1013 radio_remove_works(wpa_s, "sme-connect", 0); 1014 } 1015 1016 wpas_abort_ongoing_scan(wpa_s); 1017 1018 cwork = os_zalloc(sizeof(*cwork)); 1019 if (cwork == NULL) 1020 return; 1021 cwork->bss = bss; 1022 cwork->ssid = ssid; 1023 cwork->sme = 1; 1024 1025 #ifdef CONFIG_SAE 1026 wpa_s->sme.sae.state = SAE_NOTHING; 1027 wpa_s->sme.sae.send_confirm = 0; 1028 wpa_s->sme.sae_group_index = 0; 1029 #endif /* CONFIG_SAE */ 1030 1031 if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1, 1032 sme_auth_start_cb, cwork) < 0) 1033 wpas_connect_work_free(cwork); 1034 } 1035 1036 1037 #ifdef CONFIG_SAE 1038 1039 static int sme_external_auth_build_buf(struct wpabuf *buf, 1040 struct wpabuf *params, 1041 const u8 *sa, const u8 *da, 1042 u16 auth_transaction, u16 seq_num, 1043 u16 status_code) 1044 { 1045 struct ieee80211_mgmt *resp; 1046 1047 resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt, 1048 u.auth.variable)); 1049 1050 resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | 1051 (WLAN_FC_STYPE_AUTH << 4)); 1052 os_memcpy(resp->da, da, ETH_ALEN); 1053 os_memcpy(resp->sa, sa, ETH_ALEN); 1054 os_memcpy(resp->bssid, da, ETH_ALEN); 1055 resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE); 1056 resp->seq_ctrl = host_to_le16(seq_num << 4); 1057 resp->u.auth.auth_transaction = host_to_le16(auth_transaction); 1058 resp->u.auth.status_code = host_to_le16(status_code); 1059 if (params) 1060 wpabuf_put_buf(buf, params); 1061 1062 return 0; 1063 } 1064 1065 1066 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s, 1067 const u8 *bssid, 1068 struct wpa_ssid *ssid) 1069 { 1070 struct wpabuf *resp, *buf; 1071 int use_pt; 1072 bool use_pk; 1073 u16 status; 1074 1075 resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt, 1076 &use_pk); 1077 if (!resp) { 1078 wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit"); 1079 return -1; 1080 } 1081 1082 wpa_s->sme.sae.state = SAE_COMMITTED; 1083 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp)); 1084 if (!buf) { 1085 wpabuf_free(resp); 1086 return -1; 1087 } 1088 1089 wpa_s->sme.seq_num++; 1090 if (use_pk) 1091 status = WLAN_STATUS_SAE_PK; 1092 else if (use_pt) 1093 status = WLAN_STATUS_SAE_HASH_TO_ELEMENT; 1094 else 1095 status = WLAN_STATUS_SUCCESS; 1096 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1097 bssid, 1, wpa_s->sme.seq_num, status); 1098 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1099 wpabuf_free(resp); 1100 wpabuf_free(buf); 1101 1102 return 0; 1103 } 1104 1105 1106 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s, 1107 u16 status) 1108 { 1109 struct external_auth params; 1110 1111 os_memset(¶ms, 0, sizeof(params)); 1112 params.status = status; 1113 params.ssid = wpa_s->sme.ext_auth_ssid; 1114 params.ssid_len = wpa_s->sme.ext_auth_ssid_len; 1115 params.bssid = wpa_s->sme.ext_auth_bssid; 1116 if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS) 1117 params.pmkid = wpa_s->sme.sae.pmkid; 1118 wpa_drv_send_external_auth_status(wpa_s, ¶ms); 1119 } 1120 1121 1122 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s, 1123 union wpa_event_data *data) 1124 { 1125 struct wpa_ssid *ssid; 1126 size_t ssid_str_len = data->external_auth.ssid_len; 1127 const u8 *ssid_str = data->external_auth.ssid; 1128 1129 /* Get the SSID conf from the ssid string obtained */ 1130 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { 1131 if (!wpas_network_disabled(wpa_s, ssid) && 1132 ssid_str_len == ssid->ssid_len && 1133 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 && 1134 (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE))) 1135 break; 1136 } 1137 if (!ssid || 1138 sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid, 1139 ssid) < 0) 1140 return -1; 1141 1142 return 0; 1143 } 1144 1145 1146 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s, 1147 const u8 *da) 1148 { 1149 struct wpabuf *resp, *buf; 1150 1151 resp = sme_auth_build_sae_confirm(wpa_s, 1); 1152 if (!resp) { 1153 wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure"); 1154 return; 1155 } 1156 1157 wpa_s->sme.sae.state = SAE_CONFIRMED; 1158 buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp)); 1159 if (!buf) { 1160 wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure"); 1161 wpabuf_free(resp); 1162 return; 1163 } 1164 wpa_s->sme.seq_num++; 1165 sme_external_auth_build_buf(buf, resp, wpa_s->own_addr, 1166 da, 2, wpa_s->sme.seq_num, 1167 WLAN_STATUS_SUCCESS); 1168 wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0); 1169 wpabuf_free(resp); 1170 wpabuf_free(buf); 1171 } 1172 1173 1174 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s, 1175 union wpa_event_data *data) 1176 { 1177 if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) != 1178 RSN_AUTH_KEY_MGMT_SAE) 1179 return; 1180 1181 if (data->external_auth.action == EXT_AUTH_START) { 1182 if (!data->external_auth.bssid || !data->external_auth.ssid) 1183 return; 1184 os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid, 1185 ETH_ALEN); 1186 os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid, 1187 data->external_auth.ssid_len); 1188 wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len; 1189 wpa_s->sme.seq_num = 0; 1190 wpa_s->sme.sae.state = SAE_NOTHING; 1191 wpa_s->sme.sae.send_confirm = 0; 1192 wpa_s->sme.sae_group_index = 0; 1193 if (sme_handle_external_auth_start(wpa_s, data) < 0) 1194 sme_send_external_auth_status(wpa_s, 1195 WLAN_STATUS_UNSPECIFIED_FAILURE); 1196 } else if (data->external_auth.action == EXT_AUTH_ABORT) { 1197 /* Report failure to driver for the wrong trigger */ 1198 sme_send_external_auth_status(wpa_s, 1199 WLAN_STATUS_UNSPECIFIED_FAILURE); 1200 } 1201 } 1202 1203 1204 static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group) 1205 { 1206 int *groups = wpa_s->conf->sae_groups; 1207 int default_groups[] = { 19, 20, 21, 0 }; 1208 int i; 1209 1210 if (!groups) 1211 groups = default_groups; 1212 1213 for (i = 0; groups[i] > 0; i++) { 1214 if (groups[i] == group) 1215 return 1; 1216 } 1217 1218 return 0; 1219 } 1220 1221 1222 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s, 1223 const struct wpabuf *groups) 1224 { 1225 size_t i, count; 1226 const u8 *pos; 1227 1228 if (!groups) 1229 return 0; 1230 1231 pos = wpabuf_head(groups); 1232 count = wpabuf_len(groups) / 2; 1233 for (i = 0; i < count; i++) { 1234 int enabled; 1235 u16 group; 1236 1237 group = WPA_GET_LE16(pos); 1238 pos += 2; 1239 enabled = sme_sae_is_group_enabled(wpa_s, group); 1240 wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s", 1241 group, enabled ? "enabled" : "disabled"); 1242 if (enabled) 1243 return 1; 1244 } 1245 1246 return 0; 1247 } 1248 1249 1250 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, 1251 u16 status_code, const u8 *data, size_t len, 1252 int external, const u8 *sa) 1253 { 1254 int *groups; 1255 1256 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u " 1257 "status code %u", auth_transaction, status_code); 1258 1259 if (auth_transaction == 1 && 1260 status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ && 1261 wpa_s->sme.sae.state == SAE_COMMITTED && 1262 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1263 int default_groups[] = { 19, 20, 21, 0 }; 1264 u16 group; 1265 const u8 *token_pos; 1266 size_t token_len; 1267 int h2e = 0; 1268 1269 groups = wpa_s->conf->sae_groups; 1270 if (!groups || groups[0] <= 0) 1271 groups = default_groups; 1272 1273 wpa_hexdump(MSG_DEBUG, "SME: SAE anti-clogging token request", 1274 data, len); 1275 if (len < sizeof(le16)) { 1276 wpa_dbg(wpa_s, MSG_DEBUG, 1277 "SME: Too short SAE anti-clogging token request"); 1278 return -1; 1279 } 1280 group = WPA_GET_LE16(data); 1281 wpa_dbg(wpa_s, MSG_DEBUG, 1282 "SME: SAE anti-clogging token requested (group %u)", 1283 group); 1284 if (sae_group_allowed(&wpa_s->sme.sae, groups, group) != 1285 WLAN_STATUS_SUCCESS) { 1286 wpa_dbg(wpa_s, MSG_ERROR, 1287 "SME: SAE group %u of anti-clogging request is invalid", 1288 group); 1289 return -1; 1290 } 1291 wpabuf_free(wpa_s->sme.sae_token); 1292 token_pos = data + sizeof(le16); 1293 token_len = len - sizeof(le16); 1294 h2e = wpa_s->sme.sae.h2e; 1295 if (h2e) { 1296 if (token_len < 3) { 1297 wpa_dbg(wpa_s, MSG_DEBUG, 1298 "SME: Too short SAE anti-clogging token container"); 1299 return -1; 1300 } 1301 if (token_pos[0] != WLAN_EID_EXTENSION || 1302 token_pos[1] == 0 || 1303 token_pos[1] > token_len - 2 || 1304 token_pos[2] != WLAN_EID_EXT_ANTI_CLOGGING_TOKEN) { 1305 wpa_dbg(wpa_s, MSG_DEBUG, 1306 "SME: Invalid SAE anti-clogging token container header"); 1307 return -1; 1308 } 1309 token_len = token_pos[1] - 1; 1310 token_pos += 3; 1311 } 1312 wpa_s->sme.sae_token = wpabuf_alloc_copy(token_pos, token_len); 1313 wpa_hexdump_buf(MSG_DEBUG, "SME: Requested anti-clogging token", 1314 wpa_s->sme.sae_token); 1315 if (!external) 1316 sme_send_authentication(wpa_s, wpa_s->current_bss, 1317 wpa_s->current_ssid, 2); 1318 else 1319 sme_external_auth_send_sae_commit( 1320 wpa_s, wpa_s->sme.ext_auth_bssid, 1321 wpa_s->current_ssid); 1322 return 0; 1323 } 1324 1325 if (auth_transaction == 1 && 1326 status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED && 1327 wpa_s->sme.sae.state == SAE_COMMITTED && 1328 (external || wpa_s->current_bss) && wpa_s->current_ssid) { 1329 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported"); 1330 int_array_add_unique(&wpa_s->sme.sae_rejected_groups, 1331 wpa_s->sme.sae.group); 1332 wpa_s->sme.sae_group_index++; 1333 if (sme_set_sae_group(wpa_s) < 0) 1334 return -1; /* no other groups enabled */ 1335 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group"); 1336 if (!external) 1337 sme_send_authentication(wpa_s, wpa_s->current_bss, 1338 wpa_s->current_ssid, 1); 1339 else 1340 sme_external_auth_send_sae_commit( 1341 wpa_s, wpa_s->sme.ext_auth_bssid, 1342 wpa_s->current_ssid); 1343 return 0; 1344 } 1345 1346 if (auth_transaction == 1 && 1347 status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) { 1348 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1349 1350 wpa_msg(wpa_s, MSG_INFO, 1351 WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR, 1352 MAC2STR(bssid)); 1353 return -1; 1354 } 1355 1356 if (status_code != WLAN_STATUS_SUCCESS && 1357 status_code != WLAN_STATUS_SAE_HASH_TO_ELEMENT && 1358 status_code != WLAN_STATUS_SAE_PK) { 1359 const u8 *bssid = sa ? sa : wpa_s->pending_bssid; 1360 1361 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1362 " auth_type=%u auth_transaction=%u status_code=%u", 1363 MAC2STR(bssid), WLAN_AUTH_SAE, 1364 auth_transaction, status_code); 1365 return -1; 1366 } 1367 1368 if (auth_transaction == 1) { 1369 u16 res; 1370 1371 groups = wpa_s->conf->sae_groups; 1372 1373 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit"); 1374 if ((!external && wpa_s->current_bss == NULL) || 1375 wpa_s->current_ssid == NULL) 1376 return -1; 1377 if (wpa_s->sme.sae.state != SAE_COMMITTED) { 1378 wpa_printf(MSG_DEBUG, 1379 "SAE: Ignore commit message while waiting for confirm"); 1380 return 0; 1381 } 1382 if (wpa_s->sme.sae.h2e && status_code == WLAN_STATUS_SUCCESS) { 1383 wpa_printf(MSG_DEBUG, 1384 "SAE: Unexpected use of status code 0 in SAE commit when H2E was expected"); 1385 return -1; 1386 } 1387 if ((!wpa_s->sme.sae.h2e || wpa_s->sme.sae.pk) && 1388 status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) { 1389 wpa_printf(MSG_DEBUG, 1390 "SAE: Unexpected use of status code for H2E in SAE commit when H2E was not expected"); 1391 return -1; 1392 } 1393 if (!wpa_s->sme.sae.pk && 1394 status_code == WLAN_STATUS_SAE_PK) { 1395 wpa_printf(MSG_DEBUG, 1396 "SAE: Unexpected use of status code for PK in SAE commit when PK was not expected"); 1397 return -1; 1398 } 1399 1400 if (groups && groups[0] <= 0) 1401 groups = NULL; 1402 res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL, 1403 groups, status_code == 1404 WLAN_STATUS_SAE_HASH_TO_ELEMENT || 1405 status_code == WLAN_STATUS_SAE_PK); 1406 if (res == SAE_SILENTLY_DISCARD) { 1407 wpa_printf(MSG_DEBUG, 1408 "SAE: Drop commit message due to reflection attack"); 1409 return 0; 1410 } 1411 if (res != WLAN_STATUS_SUCCESS) 1412 return -1; 1413 1414 if (wpa_s->sme.sae.tmp && 1415 sme_check_sae_rejected_groups( 1416 wpa_s, 1417 wpa_s->sme.sae.tmp->peer_rejected_groups)) 1418 return -1; 1419 1420 if (sae_process_commit(&wpa_s->sme.sae) < 0) { 1421 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer " 1422 "commit"); 1423 return -1; 1424 } 1425 1426 wpabuf_free(wpa_s->sme.sae_token); 1427 wpa_s->sme.sae_token = NULL; 1428 if (!external) 1429 sme_send_authentication(wpa_s, wpa_s->current_bss, 1430 wpa_s->current_ssid, 0); 1431 else 1432 sme_external_auth_send_sae_confirm(wpa_s, sa); 1433 return 0; 1434 } else if (auth_transaction == 2) { 1435 if (status_code != WLAN_STATUS_SUCCESS) 1436 return -1; 1437 wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm"); 1438 if (wpa_s->sme.sae.state != SAE_CONFIRMED) 1439 return -1; 1440 if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0) 1441 return -1; 1442 wpa_s->sme.sae.state = SAE_ACCEPTED; 1443 sae_clear_temp_data(&wpa_s->sme.sae); 1444 1445 if (external) { 1446 /* Report success to driver */ 1447 sme_send_external_auth_status(wpa_s, 1448 WLAN_STATUS_SUCCESS); 1449 } 1450 1451 return 1; 1452 } 1453 1454 return -1; 1455 } 1456 1457 1458 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid) 1459 { 1460 wpa_printf(MSG_DEBUG, 1461 "SME: SAE completed - setting PMK for 4-way handshake"); 1462 wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN, 1463 wpa_s->sme.sae.pmkid, bssid); 1464 if (wpa_s->conf->sae_pmkid_in_assoc) { 1465 /* Update the own RSNE contents now that we have set the PMK 1466 * and added a PMKSA cache entry based on the successfully 1467 * completed SAE exchange. In practice, this will add the PMKID 1468 * into RSNE. */ 1469 if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN > 1470 sizeof(wpa_s->sme.assoc_req_ie)) { 1471 wpa_msg(wpa_s, MSG_WARNING, 1472 "RSN: Not enough room for inserting own PMKID into RSNE"); 1473 return -1; 1474 } 1475 if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie, 1476 &wpa_s->sme.assoc_req_ie_len, 1477 wpa_s->sme.sae.pmkid) < 0) 1478 return -1; 1479 wpa_hexdump(MSG_DEBUG, 1480 "SME: Updated Association Request IEs", 1481 wpa_s->sme.assoc_req_ie, 1482 wpa_s->sme.assoc_req_ie_len); 1483 } 1484 1485 return 0; 1486 } 1487 1488 1489 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s, 1490 const u8 *auth_frame, size_t len) 1491 { 1492 const struct ieee80211_mgmt *header; 1493 size_t auth_length; 1494 1495 header = (const struct ieee80211_mgmt *) auth_frame; 1496 auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth); 1497 1498 if (len < auth_length) { 1499 /* Notify failure to the driver */ 1500 sme_send_external_auth_status(wpa_s, 1501 WLAN_STATUS_UNSPECIFIED_FAILURE); 1502 return; 1503 } 1504 1505 if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) { 1506 int res; 1507 1508 res = sme_sae_auth( 1509 wpa_s, le_to_host16(header->u.auth.auth_transaction), 1510 le_to_host16(header->u.auth.status_code), 1511 header->u.auth.variable, 1512 len - auth_length, 1, header->sa); 1513 if (res < 0) { 1514 /* Notify failure to the driver */ 1515 sme_send_external_auth_status( 1516 wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE); 1517 return; 1518 } 1519 if (res != 1) 1520 return; 1521 1522 if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0) 1523 return; 1524 } 1525 } 1526 1527 #endif /* CONFIG_SAE */ 1528 1529 1530 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data) 1531 { 1532 struct wpa_ssid *ssid = wpa_s->current_ssid; 1533 1534 if (ssid == NULL) { 1535 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1536 "when network is not selected"); 1537 return; 1538 } 1539 1540 if (wpa_s->wpa_state != WPA_AUTHENTICATING) { 1541 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event " 1542 "when not in authenticating state"); 1543 return; 1544 } 1545 1546 if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) { 1547 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with " 1548 "unexpected peer " MACSTR, 1549 MAC2STR(data->auth.peer)); 1550 return; 1551 } 1552 1553 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR 1554 " auth_type=%d auth_transaction=%d status_code=%d", 1555 MAC2STR(data->auth.peer), data->auth.auth_type, 1556 data->auth.auth_transaction, data->auth.status_code); 1557 wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs", 1558 data->auth.ies, data->auth.ies_len); 1559 1560 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 1561 1562 #ifdef CONFIG_SAE 1563 if (data->auth.auth_type == WLAN_AUTH_SAE) { 1564 int res; 1565 res = sme_sae_auth(wpa_s, data->auth.auth_transaction, 1566 data->auth.status_code, data->auth.ies, 1567 data->auth.ies_len, 0, data->auth.peer); 1568 if (res < 0) { 1569 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1570 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1571 1572 } 1573 if (res != 1) 1574 return; 1575 1576 if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0) 1577 return; 1578 } 1579 #endif /* CONFIG_SAE */ 1580 1581 if (data->auth.status_code != WLAN_STATUS_SUCCESS) { 1582 char *ie_txt = NULL; 1583 1584 if (data->auth.ies && data->auth.ies_len) { 1585 size_t buflen = 2 * data->auth.ies_len + 1; 1586 ie_txt = os_malloc(buflen); 1587 if (ie_txt) { 1588 wpa_snprintf_hex(ie_txt, buflen, data->auth.ies, 1589 data->auth.ies_len); 1590 } 1591 } 1592 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR 1593 " auth_type=%u auth_transaction=%u status_code=%u%s%s", 1594 MAC2STR(data->auth.peer), data->auth.auth_type, 1595 data->auth.auth_transaction, data->auth.status_code, 1596 ie_txt ? " ie=" : "", 1597 ie_txt ? ie_txt : ""); 1598 os_free(ie_txt); 1599 1600 #ifdef CONFIG_FILS 1601 if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS || 1602 wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS) 1603 fils_connection_failure(wpa_s); 1604 #endif /* CONFIG_FILS */ 1605 1606 if (data->auth.status_code != 1607 WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG || 1608 wpa_s->sme.auth_alg == data->auth.auth_type || 1609 wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) { 1610 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1611 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 1612 return; 1613 } 1614 1615 wpas_connect_work_done(wpa_s); 1616 1617 switch (data->auth.auth_type) { 1618 case WLAN_AUTH_OPEN: 1619 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED; 1620 1621 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth"); 1622 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1623 wpa_s->current_ssid); 1624 return; 1625 1626 case WLAN_AUTH_SHARED_KEY: 1627 wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP; 1628 1629 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth"); 1630 wpa_supplicant_associate(wpa_s, wpa_s->current_bss, 1631 wpa_s->current_ssid); 1632 return; 1633 1634 default: 1635 return; 1636 } 1637 } 1638 1639 #ifdef CONFIG_IEEE80211R 1640 if (data->auth.auth_type == WLAN_AUTH_FT) { 1641 const u8 *ric_ies = NULL; 1642 size_t ric_ies_len = 0; 1643 1644 if (wpa_s->ric_ies) { 1645 ric_ies = wpabuf_head(wpa_s->ric_ies); 1646 ric_ies_len = wpabuf_len(wpa_s->ric_ies); 1647 } 1648 if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies, 1649 data->auth.ies_len, 0, 1650 data->auth.peer, 1651 ric_ies, ric_ies_len) < 0) { 1652 wpa_dbg(wpa_s, MSG_DEBUG, 1653 "SME: FT Authentication response processing failed"); 1654 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1655 MACSTR 1656 " reason=%d locally_generated=1", 1657 MAC2STR(wpa_s->pending_bssid), 1658 WLAN_REASON_DEAUTH_LEAVING); 1659 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1660 wpa_supplicant_mark_disassoc(wpa_s); 1661 return; 1662 } 1663 } 1664 #endif /* CONFIG_IEEE80211R */ 1665 1666 #ifdef CONFIG_FILS 1667 if (data->auth.auth_type == WLAN_AUTH_FILS_SK || 1668 data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) { 1669 u16 expect_auth_type; 1670 1671 expect_auth_type = wpa_s->sme.auth_alg == 1672 WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS : 1673 WLAN_AUTH_FILS_SK; 1674 if (data->auth.auth_type != expect_auth_type) { 1675 wpa_dbg(wpa_s, MSG_DEBUG, 1676 "SME: FILS Authentication response used different auth alg (%u; expected %u)", 1677 data->auth.auth_type, expect_auth_type); 1678 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1679 MACSTR 1680 " reason=%d locally_generated=1", 1681 MAC2STR(wpa_s->pending_bssid), 1682 WLAN_REASON_DEAUTH_LEAVING); 1683 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1684 wpa_supplicant_mark_disassoc(wpa_s); 1685 return; 1686 } 1687 1688 if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid, 1689 data->auth.ies, data->auth.ies_len) < 0) { 1690 wpa_dbg(wpa_s, MSG_DEBUG, 1691 "SME: FILS Authentication response processing failed"); 1692 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid=" 1693 MACSTR 1694 " reason=%d locally_generated=1", 1695 MAC2STR(wpa_s->pending_bssid), 1696 WLAN_REASON_DEAUTH_LEAVING); 1697 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 1698 wpa_supplicant_mark_disassoc(wpa_s); 1699 return; 1700 } 1701 } 1702 #endif /* CONFIG_FILS */ 1703 1704 sme_associate(wpa_s, ssid->mode, data->auth.peer, 1705 data->auth.auth_type); 1706 } 1707 1708 1709 #ifdef CONFIG_IEEE80211R 1710 static void remove_ie(u8 *buf, size_t *len, u8 eid) 1711 { 1712 u8 *pos, *next, *end; 1713 1714 pos = (u8 *) get_ie(buf, *len, eid); 1715 if (pos) { 1716 next = pos + 2 + pos[1]; 1717 end = buf + *len; 1718 *len -= 2 + pos[1]; 1719 os_memmove(pos, next, end - next); 1720 } 1721 } 1722 #endif /* CONFIG_IEEE80211R */ 1723 1724 1725 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode, 1726 const u8 *bssid, u16 auth_type) 1727 { 1728 struct wpa_driver_associate_params params; 1729 struct ieee802_11_elems elems; 1730 struct wpa_ssid *ssid = wpa_s->current_ssid; 1731 #ifdef CONFIG_FILS 1732 u8 nonces[2 * FILS_NONCE_LEN]; 1733 #endif /* CONFIG_FILS */ 1734 #ifdef CONFIG_HT_OVERRIDES 1735 struct ieee80211_ht_capabilities htcaps; 1736 struct ieee80211_ht_capabilities htcaps_mask; 1737 #endif /* CONFIG_HT_OVERRIDES */ 1738 #ifdef CONFIG_VHT_OVERRIDES 1739 struct ieee80211_vht_capabilities vhtcaps; 1740 struct ieee80211_vht_capabilities vhtcaps_mask; 1741 #endif /* CONFIG_VHT_OVERRIDES */ 1742 1743 os_memset(¶ms, 0, sizeof(params)); 1744 1745 #ifdef CONFIG_FILS 1746 if (auth_type == WLAN_AUTH_FILS_SK || 1747 auth_type == WLAN_AUTH_FILS_SK_PFS) { 1748 struct wpabuf *buf; 1749 const u8 *snonce, *anonce; 1750 const unsigned int max_hlp = 20; 1751 struct wpabuf *hlp[max_hlp]; 1752 unsigned int i, num_hlp = 0; 1753 struct fils_hlp_req *req; 1754 1755 dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req, 1756 list) { 1757 hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 + 1758 wpabuf_len(req->pkt)); 1759 if (!hlp[num_hlp]) 1760 break; 1761 wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN); 1762 wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr, 1763 ETH_ALEN); 1764 wpabuf_put_data(hlp[num_hlp], 1765 "\xaa\xaa\x03\x00\x00\x00", 6); 1766 wpabuf_put_buf(hlp[num_hlp], req->pkt); 1767 num_hlp++; 1768 if (num_hlp >= max_hlp) 1769 break; 1770 } 1771 1772 buf = fils_build_assoc_req(wpa_s->wpa, ¶ms.fils_kek, 1773 ¶ms.fils_kek_len, &snonce, 1774 &anonce, 1775 (const struct wpabuf **) hlp, 1776 num_hlp); 1777 for (i = 0; i < num_hlp; i++) 1778 wpabuf_free(hlp[i]); 1779 if (!buf) 1780 return; 1781 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements", 1782 wpa_s->sme.assoc_req_ie, 1783 wpa_s->sme.assoc_req_ie_len); 1784 #ifdef CONFIG_IEEE80211R 1785 if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) { 1786 /* Remove RSNE and MDE to allow them to be overridden 1787 * with FILS+FT specific values from 1788 * fils_build_assoc_req(). */ 1789 remove_ie(wpa_s->sme.assoc_req_ie, 1790 &wpa_s->sme.assoc_req_ie_len, 1791 WLAN_EID_RSN); 1792 wpa_hexdump(MSG_DEBUG, 1793 "FILS: assoc_req after RSNE removal", 1794 wpa_s->sme.assoc_req_ie, 1795 wpa_s->sme.assoc_req_ie_len); 1796 remove_ie(wpa_s->sme.assoc_req_ie, 1797 &wpa_s->sme.assoc_req_ie_len, 1798 WLAN_EID_MOBILITY_DOMAIN); 1799 wpa_hexdump(MSG_DEBUG, 1800 "FILS: assoc_req after MDE removal", 1801 wpa_s->sme.assoc_req_ie, 1802 wpa_s->sme.assoc_req_ie_len); 1803 } 1804 #endif /* CONFIG_IEEE80211R */ 1805 /* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */ 1806 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) > 1807 sizeof(wpa_s->sme.assoc_req_ie)) { 1808 wpa_printf(MSG_ERROR, 1809 "FILS: Not enough buffer room for own AssocReq elements"); 1810 wpabuf_free(buf); 1811 return; 1812 } 1813 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1814 wpabuf_head(buf), wpabuf_len(buf)); 1815 wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf); 1816 wpabuf_free(buf); 1817 wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements", 1818 wpa_s->sme.assoc_req_ie, 1819 wpa_s->sme.assoc_req_ie_len); 1820 1821 os_memcpy(nonces, snonce, FILS_NONCE_LEN); 1822 os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN); 1823 params.fils_nonces = nonces; 1824 params.fils_nonces_len = sizeof(nonces); 1825 } 1826 #endif /* CONFIG_FILS */ 1827 1828 #ifdef CONFIG_OWE 1829 #ifdef CONFIG_TESTING_OPTIONS 1830 if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len, 1831 WLAN_EID_EXT_OWE_DH_PARAM)) { 1832 wpa_printf(MSG_INFO, "TESTING: Override OWE DH element"); 1833 } else 1834 #endif /* CONFIG_TESTING_OPTIONS */ 1835 if (auth_type == WLAN_AUTH_OPEN && 1836 wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) { 1837 struct wpabuf *owe_ie; 1838 u16 group; 1839 1840 if (ssid && ssid->owe_group) { 1841 group = ssid->owe_group; 1842 } else if (wpa_s->assoc_status_code == 1843 WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) { 1844 if (wpa_s->last_owe_group == 19) 1845 group = 20; 1846 else if (wpa_s->last_owe_group == 20) 1847 group = 21; 1848 else 1849 group = OWE_DH_GROUP; 1850 } else { 1851 group = OWE_DH_GROUP; 1852 } 1853 1854 wpa_s->last_owe_group = group; 1855 wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group); 1856 owe_ie = owe_build_assoc_req(wpa_s->wpa, group); 1857 if (!owe_ie) { 1858 wpa_printf(MSG_ERROR, 1859 "OWE: Failed to build IE for Association Request frame"); 1860 return; 1861 } 1862 if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) > 1863 sizeof(wpa_s->sme.assoc_req_ie)) { 1864 wpa_printf(MSG_ERROR, 1865 "OWE: Not enough buffer room for own Association Request frame elements"); 1866 wpabuf_free(owe_ie); 1867 return; 1868 } 1869 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1870 wpabuf_head(owe_ie), wpabuf_len(owe_ie)); 1871 wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie); 1872 wpabuf_free(owe_ie); 1873 } 1874 #endif /* CONFIG_OWE */ 1875 1876 #ifdef CONFIG_DPP2 1877 if (DPP_VERSION > 1 && wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && ssid && 1878 ssid->dpp_netaccesskey && ssid->dpp_pfs != 2 && 1879 !ssid->dpp_pfs_fallback) { 1880 struct rsn_pmksa_cache_entry *pmksa; 1881 1882 pmksa = pmksa_cache_get_current(wpa_s->wpa); 1883 if (!pmksa || !pmksa->dpp_pfs) 1884 goto pfs_fail; 1885 1886 dpp_pfs_free(wpa_s->dpp_pfs); 1887 wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey, 1888 ssid->dpp_netaccesskey_len); 1889 if (!wpa_s->dpp_pfs) { 1890 wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS"); 1891 /* Try to continue without PFS */ 1892 goto pfs_fail; 1893 } 1894 if (wpa_s->sme.assoc_req_ie_len + 1895 wpabuf_len(wpa_s->dpp_pfs->ie) > 1896 sizeof(wpa_s->sme.assoc_req_ie)) { 1897 wpa_printf(MSG_ERROR, 1898 "DPP: Not enough buffer room for own Association Request frame elements"); 1899 dpp_pfs_free(wpa_s->dpp_pfs); 1900 wpa_s->dpp_pfs = NULL; 1901 goto pfs_fail; 1902 } 1903 os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1904 wpabuf_head(wpa_s->dpp_pfs->ie), 1905 wpabuf_len(wpa_s->dpp_pfs->ie)); 1906 wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie); 1907 } 1908 pfs_fail: 1909 #endif /* CONFIG_DPP2 */ 1910 1911 wpa_s->mscs_setup_done = false; 1912 if (wpa_bss_ext_capab(wpa_s->current_bss, WLAN_EXT_CAPAB_MSCS) && 1913 wpa_s->robust_av.valid_config) { 1914 struct wpabuf *mscs_ie; 1915 size_t mscs_ie_len, buf_len, *wpa_ie_len, max_ie_len; 1916 1917 buf_len = 3 + /* MSCS descriptor IE header */ 1918 1 + /* Request type */ 1919 2 + /* User priority control */ 1920 4 + /* Stream timeout */ 1921 3 + /* TCLAS Mask IE header */ 1922 wpa_s->robust_av.frame_classifier_len; 1923 mscs_ie = wpabuf_alloc(buf_len); 1924 if (!mscs_ie) { 1925 wpa_printf(MSG_INFO, 1926 "MSCS: Failed to allocate MSCS IE"); 1927 goto mscs_fail; 1928 } 1929 1930 wpa_ie_len = &wpa_s->sme.assoc_req_ie_len; 1931 max_ie_len = sizeof(wpa_s->sme.assoc_req_ie); 1932 wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie); 1933 if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) { 1934 wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie); 1935 mscs_ie_len = wpabuf_len(mscs_ie); 1936 os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len, 1937 wpabuf_head(mscs_ie), mscs_ie_len); 1938 *wpa_ie_len += mscs_ie_len; 1939 } 1940 1941 wpabuf_free(mscs_ie); 1942 } 1943 mscs_fail: 1944 1945 if (ssid && ssid->multi_ap_backhaul_sta) { 1946 size_t multi_ap_ie_len; 1947 1948 multi_ap_ie_len = add_multi_ap_ie( 1949 wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len, 1950 sizeof(wpa_s->sme.assoc_req_ie) - 1951 wpa_s->sme.assoc_req_ie_len, 1952 MULTI_AP_BACKHAUL_STA); 1953 if (multi_ap_ie_len == 0) { 1954 wpa_printf(MSG_ERROR, 1955 "Multi-AP: Failed to build Multi-AP IE"); 1956 return; 1957 } 1958 wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len; 1959 } 1960 1961 params.bssid = bssid; 1962 params.ssid = wpa_s->sme.ssid; 1963 params.ssid_len = wpa_s->sme.ssid_len; 1964 params.freq.freq = wpa_s->sme.freq; 1965 params.bg_scan_period = ssid ? ssid->bg_scan_period : -1; 1966 params.wpa_ie = wpa_s->sme.assoc_req_ie_len ? 1967 wpa_s->sme.assoc_req_ie : NULL; 1968 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 1969 wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs", 1970 params.wpa_ie, params.wpa_ie_len); 1971 params.pairwise_suite = wpa_s->pairwise_cipher; 1972 params.group_suite = wpa_s->group_cipher; 1973 params.mgmt_group_suite = wpa_s->mgmt_group_cipher; 1974 params.key_mgmt_suite = wpa_s->key_mgmt; 1975 params.wpa_proto = wpa_s->wpa_proto; 1976 #ifdef CONFIG_HT_OVERRIDES 1977 os_memset(&htcaps, 0, sizeof(htcaps)); 1978 os_memset(&htcaps_mask, 0, sizeof(htcaps_mask)); 1979 params.htcaps = (u8 *) &htcaps; 1980 params.htcaps_mask = (u8 *) &htcaps_mask; 1981 wpa_supplicant_apply_ht_overrides(wpa_s, ssid, ¶ms); 1982 #endif /* CONFIG_HT_OVERRIDES */ 1983 #ifdef CONFIG_VHT_OVERRIDES 1984 os_memset(&vhtcaps, 0, sizeof(vhtcaps)); 1985 os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask)); 1986 params.vhtcaps = &vhtcaps; 1987 params.vhtcaps_mask = &vhtcaps_mask; 1988 wpa_supplicant_apply_vht_overrides(wpa_s, ssid, ¶ms); 1989 #endif /* CONFIG_VHT_OVERRIDES */ 1990 #ifdef CONFIG_HE_OVERRIDES 1991 wpa_supplicant_apply_he_overrides(wpa_s, ssid, ¶ms); 1992 #endif /* CONFIG_HE_OVERRIDES */ 1993 #ifdef CONFIG_IEEE80211R 1994 if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies && 1995 get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len, 1996 WLAN_EID_RIC_DATA)) { 1997 /* There seems to be a pretty inconvenient bug in the Linux 1998 * kernel IE splitting functionality when RIC is used. For now, 1999 * skip correct behavior in IE construction here (i.e., drop the 2000 * additional non-FT-specific IEs) to avoid kernel issues. This 2001 * is fine since RIC is used only for testing purposes in the 2002 * current implementation. */ 2003 wpa_printf(MSG_INFO, 2004 "SME: Linux kernel workaround - do not try to include additional IEs with RIC"); 2005 params.wpa_ie = wpa_s->sme.ft_ies; 2006 params.wpa_ie_len = wpa_s->sme.ft_ies_len; 2007 } else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) { 2008 const u8 *rm_en, *pos, *end; 2009 size_t rm_en_len = 0; 2010 u8 *rm_en_dup = NULL, *wpos; 2011 2012 /* Remove RSNE, MDE, FTE to allow them to be overridden with 2013 * FT specific values */ 2014 remove_ie(wpa_s->sme.assoc_req_ie, 2015 &wpa_s->sme.assoc_req_ie_len, 2016 WLAN_EID_RSN); 2017 remove_ie(wpa_s->sme.assoc_req_ie, 2018 &wpa_s->sme.assoc_req_ie_len, 2019 WLAN_EID_MOBILITY_DOMAIN); 2020 remove_ie(wpa_s->sme.assoc_req_ie, 2021 &wpa_s->sme.assoc_req_ie_len, 2022 WLAN_EID_FAST_BSS_TRANSITION); 2023 rm_en = get_ie(wpa_s->sme.assoc_req_ie, 2024 wpa_s->sme.assoc_req_ie_len, 2025 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2026 if (rm_en) { 2027 /* Need to remove RM Enabled Capabilities element as 2028 * well temporarily, so that it can be placed between 2029 * RSNE and MDE. */ 2030 rm_en_len = 2 + rm_en[1]; 2031 rm_en_dup = os_memdup(rm_en, rm_en_len); 2032 remove_ie(wpa_s->sme.assoc_req_ie, 2033 &wpa_s->sme.assoc_req_ie_len, 2034 WLAN_EID_RRM_ENABLED_CAPABILITIES); 2035 } 2036 wpa_hexdump(MSG_DEBUG, 2037 "SME: Association Request IEs after FT IE removal", 2038 wpa_s->sme.assoc_req_ie, 2039 wpa_s->sme.assoc_req_ie_len); 2040 if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len + 2041 rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) { 2042 wpa_printf(MSG_ERROR, 2043 "SME: Not enough buffer room for FT IEs in Association Request frame"); 2044 os_free(rm_en_dup); 2045 return; 2046 } 2047 2048 os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len + 2049 rm_en_len, 2050 wpa_s->sme.assoc_req_ie, 2051 wpa_s->sme.assoc_req_ie_len); 2052 pos = wpa_s->sme.ft_ies; 2053 end = pos + wpa_s->sme.ft_ies_len; 2054 wpos = wpa_s->sme.assoc_req_ie; 2055 if (*pos == WLAN_EID_RSN) { 2056 os_memcpy(wpos, pos, 2 + pos[1]); 2057 wpos += 2 + pos[1]; 2058 pos += 2 + pos[1]; 2059 } 2060 if (rm_en_dup) { 2061 os_memcpy(wpos, rm_en_dup, rm_en_len); 2062 wpos += rm_en_len; 2063 os_free(rm_en_dup); 2064 } 2065 os_memcpy(wpos, pos, end - pos); 2066 wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len + 2067 rm_en_len; 2068 params.wpa_ie = wpa_s->sme.assoc_req_ie; 2069 params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len; 2070 wpa_hexdump(MSG_DEBUG, 2071 "SME: Association Request IEs after FT override", 2072 params.wpa_ie, params.wpa_ie_len); 2073 } 2074 #endif /* CONFIG_IEEE80211R */ 2075 params.mode = mode; 2076 params.mgmt_frame_protection = wpa_s->sme.mfp; 2077 params.rrm_used = wpa_s->rrm.rrm_used; 2078 if (wpa_s->sme.prev_bssid_set) 2079 params.prev_bssid = wpa_s->sme.prev_bssid; 2080 2081 wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR 2082 " (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid), 2083 params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "", 2084 params.freq.freq); 2085 2086 wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING); 2087 2088 if (params.wpa_ie == NULL || 2089 ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0) 2090 < 0) { 2091 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!"); 2092 os_memset(&elems, 0, sizeof(elems)); 2093 } 2094 if (elems.rsn_ie) { 2095 params.wpa_proto = WPA_PROTO_RSN; 2096 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2, 2097 elems.rsn_ie_len + 2); 2098 } else if (elems.wpa_ie) { 2099 params.wpa_proto = WPA_PROTO_WPA; 2100 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2, 2101 elems.wpa_ie_len + 2); 2102 } else if (elems.osen) { 2103 params.wpa_proto = WPA_PROTO_OSEN; 2104 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2, 2105 elems.osen_len + 2); 2106 } else 2107 wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0); 2108 if (elems.rsnxe) 2109 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, elems.rsnxe - 2, 2110 elems.rsnxe_len + 2); 2111 else 2112 wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0); 2113 if (ssid && ssid->p2p_group) 2114 params.p2p = 1; 2115 2116 if (wpa_s->p2pdev->set_sta_uapsd) 2117 params.uapsd = wpa_s->p2pdev->sta_uapsd; 2118 else 2119 params.uapsd = -1; 2120 2121 if (wpa_drv_associate(wpa_s, ¶ms) < 0) { 2122 wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the " 2123 "driver failed"); 2124 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2125 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2126 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2127 return; 2128 } 2129 2130 eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s, 2131 NULL); 2132 2133 #ifdef CONFIG_TESTING_OPTIONS 2134 wpabuf_free(wpa_s->last_assoc_req_wpa_ie); 2135 wpa_s->last_assoc_req_wpa_ie = NULL; 2136 if (params.wpa_ie) 2137 wpa_s->last_assoc_req_wpa_ie = 2138 wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len); 2139 #endif /* CONFIG_TESTING_OPTIONS */ 2140 } 2141 2142 2143 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md, 2144 const u8 *ies, size_t ies_len) 2145 { 2146 if (md == NULL || ies == NULL) { 2147 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain"); 2148 os_free(wpa_s->sme.ft_ies); 2149 wpa_s->sme.ft_ies = NULL; 2150 wpa_s->sme.ft_ies_len = 0; 2151 wpa_s->sme.ft_used = 0; 2152 return 0; 2153 } 2154 2155 os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 2156 wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len); 2157 os_free(wpa_s->sme.ft_ies); 2158 wpa_s->sme.ft_ies = os_memdup(ies, ies_len); 2159 if (wpa_s->sme.ft_ies == NULL) 2160 return -1; 2161 wpa_s->sme.ft_ies_len = ies_len; 2162 return 0; 2163 } 2164 2165 2166 static void sme_deauth(struct wpa_supplicant *wpa_s) 2167 { 2168 int bssid_changed; 2169 2170 bssid_changed = !is_zero_ether_addr(wpa_s->bssid); 2171 2172 if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2173 WLAN_REASON_DEAUTH_LEAVING) < 0) { 2174 wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver " 2175 "failed"); 2176 } 2177 wpa_s->sme.prev_bssid_set = 0; 2178 2179 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2180 wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); 2181 os_memset(wpa_s->bssid, 0, ETH_ALEN); 2182 os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); 2183 if (bssid_changed) 2184 wpas_notify_bssid_changed(wpa_s); 2185 } 2186 2187 2188 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s, 2189 union wpa_event_data *data) 2190 { 2191 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: " 2192 "status code %d", MAC2STR(wpa_s->pending_bssid), 2193 data->assoc_reject.status_code); 2194 2195 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2196 2197 #ifdef CONFIG_SAE 2198 if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid && 2199 wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) { 2200 wpa_dbg(wpa_s, MSG_DEBUG, 2201 "PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication"); 2202 wpa_sm_aborted_cached(wpa_s->wpa); 2203 wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid); 2204 if (wpa_s->current_bss) { 2205 struct wpa_bss *bss = wpa_s->current_bss; 2206 struct wpa_ssid *ssid = wpa_s->current_ssid; 2207 2208 wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid, 2209 WLAN_REASON_DEAUTH_LEAVING); 2210 wpas_connect_work_done(wpa_s); 2211 wpa_supplicant_mark_disassoc(wpa_s); 2212 wpa_supplicant_connect(wpa_s, bss, ssid); 2213 return; 2214 } 2215 } 2216 #endif /* CONFIG_SAE */ 2217 2218 /* 2219 * For now, unconditionally terminate the previous authentication. In 2220 * theory, this should not be needed, but mac80211 gets quite confused 2221 * if the authentication is left pending.. Some roaming cases might 2222 * benefit from using the previous authentication, so this could be 2223 * optimized in the future. 2224 */ 2225 sme_deauth(wpa_s); 2226 } 2227 2228 2229 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s, 2230 union wpa_event_data *data) 2231 { 2232 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out"); 2233 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2234 wpa_supplicant_mark_disassoc(wpa_s); 2235 } 2236 2237 2238 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s, 2239 union wpa_event_data *data) 2240 { 2241 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out"); 2242 wpas_connection_failed(wpa_s, wpa_s->pending_bssid); 2243 wpa_supplicant_mark_disassoc(wpa_s); 2244 } 2245 2246 2247 void sme_event_disassoc(struct wpa_supplicant *wpa_s, 2248 struct disassoc_info *info) 2249 { 2250 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received"); 2251 if (wpa_s->sme.prev_bssid_set) { 2252 /* 2253 * cfg80211/mac80211 can get into somewhat confused state if 2254 * the AP only disassociates us and leaves us in authenticated 2255 * state. For now, force the state to be cleared to avoid 2256 * confusing errors if we try to associate with the AP again. 2257 */ 2258 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear " 2259 "driver state"); 2260 wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid, 2261 WLAN_REASON_DEAUTH_LEAVING); 2262 } 2263 } 2264 2265 2266 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx) 2267 { 2268 struct wpa_supplicant *wpa_s = eloop_ctx; 2269 if (wpa_s->wpa_state == WPA_AUTHENTICATING) { 2270 wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout"); 2271 sme_deauth(wpa_s); 2272 } 2273 } 2274 2275 2276 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx) 2277 { 2278 struct wpa_supplicant *wpa_s = eloop_ctx; 2279 if (wpa_s->wpa_state == WPA_ASSOCIATING) { 2280 wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout"); 2281 sme_deauth(wpa_s); 2282 } 2283 } 2284 2285 2286 void sme_state_changed(struct wpa_supplicant *wpa_s) 2287 { 2288 /* Make sure timers are cleaned up appropriately. */ 2289 if (wpa_s->wpa_state != WPA_ASSOCIATING) 2290 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2291 if (wpa_s->wpa_state != WPA_AUTHENTICATING) 2292 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2293 } 2294 2295 2296 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s, 2297 const u8 *prev_pending_bssid) 2298 { 2299 /* 2300 * mac80211-workaround to force deauth on failed auth cmd, 2301 * requires us to remain in authenticating state to allow the 2302 * second authentication attempt to be continued properly. 2303 */ 2304 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication " 2305 "to proceed after disconnection event"); 2306 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING); 2307 os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN); 2308 2309 /* 2310 * Re-arm authentication timer in case auth fails for whatever reason. 2311 */ 2312 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2313 eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s, 2314 NULL); 2315 } 2316 2317 2318 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s) 2319 { 2320 wpa_s->sme.prev_bssid_set = 0; 2321 #ifdef CONFIG_SAE 2322 wpabuf_free(wpa_s->sme.sae_token); 2323 wpa_s->sme.sae_token = NULL; 2324 sae_clear_data(&wpa_s->sme.sae); 2325 #endif /* CONFIG_SAE */ 2326 #ifdef CONFIG_IEEE80211R 2327 if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used) 2328 sme_update_ft_ies(wpa_s, NULL, NULL, 0); 2329 #endif /* CONFIG_IEEE80211R */ 2330 sme_stop_sa_query(wpa_s); 2331 } 2332 2333 2334 void sme_deinit(struct wpa_supplicant *wpa_s) 2335 { 2336 sme_clear_on_disassoc(wpa_s); 2337 #ifdef CONFIG_SAE 2338 os_free(wpa_s->sme.sae_rejected_groups); 2339 wpa_s->sme.sae_rejected_groups = NULL; 2340 #endif /* CONFIG_SAE */ 2341 2342 eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL); 2343 eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL); 2344 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2345 } 2346 2347 2348 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s, 2349 const u8 *chan_list, u8 num_channels, 2350 u8 num_intol) 2351 { 2352 struct ieee80211_2040_bss_coex_ie *bc_ie; 2353 struct ieee80211_2040_intol_chan_report *ic_report; 2354 struct wpabuf *buf; 2355 2356 wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR 2357 " (num_channels=%u num_intol=%u)", 2358 MAC2STR(wpa_s->bssid), num_channels, num_intol); 2359 wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels", 2360 chan_list, num_channels); 2361 2362 buf = wpabuf_alloc(2 + /* action.category + action_code */ 2363 sizeof(struct ieee80211_2040_bss_coex_ie) + 2364 sizeof(struct ieee80211_2040_intol_chan_report) + 2365 num_channels); 2366 if (buf == NULL) 2367 return; 2368 2369 wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC); 2370 wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX); 2371 2372 bc_ie = wpabuf_put(buf, sizeof(*bc_ie)); 2373 bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE; 2374 bc_ie->length = 1; 2375 if (num_intol) 2376 bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ; 2377 2378 if (num_channels > 0) { 2379 ic_report = wpabuf_put(buf, sizeof(*ic_report)); 2380 ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT; 2381 ic_report->length = num_channels + 1; 2382 ic_report->op_class = 0; 2383 os_memcpy(wpabuf_put(buf, num_channels), chan_list, 2384 num_channels); 2385 } 2386 2387 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2388 wpa_s->own_addr, wpa_s->bssid, 2389 wpabuf_head(buf), wpabuf_len(buf), 0) < 0) { 2390 wpa_msg(wpa_s, MSG_INFO, 2391 "SME: Failed to send 20/40 BSS Coexistence frame"); 2392 } 2393 2394 wpabuf_free(buf); 2395 } 2396 2397 2398 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s) 2399 { 2400 struct wpa_bss *bss; 2401 const u8 *ie; 2402 u16 ht_cap; 2403 u8 chan_list[P2P_MAX_CHANNELS], channel; 2404 u8 num_channels = 0, num_intol = 0, i; 2405 2406 if (!wpa_s->sme.sched_obss_scan) 2407 return 0; 2408 2409 wpa_s->sme.sched_obss_scan = 0; 2410 if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED) 2411 return 1; 2412 2413 /* 2414 * Check whether AP uses regulatory triplet or channel triplet in 2415 * country info. Right now the operating class of the BSS channel 2416 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12), 2417 * based on the assumption that operating class triplet is not used in 2418 * beacon frame. If the First Channel Number/Operating Extension 2419 * Identifier octet has a positive integer value of 201 or greater, 2420 * then its operating class triplet. 2421 * 2422 * TODO: If Supported Operating Classes element is present in beacon 2423 * frame, have to lookup operating class in Annex E and fill them in 2424 * 2040 coex frame. 2425 */ 2426 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY); 2427 if (ie && (ie[1] >= 6) && (ie[5] >= 201)) 2428 return 1; 2429 2430 os_memset(chan_list, 0, sizeof(chan_list)); 2431 2432 dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) { 2433 /* Skip other band bss */ 2434 enum hostapd_hw_mode mode; 2435 mode = ieee80211_freq_to_chan(bss->freq, &channel); 2436 if (mode != HOSTAPD_MODE_IEEE80211G && 2437 mode != HOSTAPD_MODE_IEEE80211B) 2438 continue; 2439 2440 ie = wpa_bss_get_ie(bss, WLAN_EID_HT_CAP); 2441 ht_cap = (ie && (ie[1] == 26)) ? WPA_GET_LE16(ie + 2) : 0; 2442 wpa_printf(MSG_DEBUG, "SME OBSS scan BSS " MACSTR 2443 " freq=%u chan=%u ht_cap=0x%x", 2444 MAC2STR(bss->bssid), bss->freq, channel, ht_cap); 2445 2446 if (!ht_cap || (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT)) { 2447 if (ht_cap & HT_CAP_INFO_40MHZ_INTOLERANT) 2448 num_intol++; 2449 2450 /* Check whether the channel is already considered */ 2451 for (i = 0; i < num_channels; i++) { 2452 if (channel == chan_list[i]) 2453 break; 2454 } 2455 if (i != num_channels) 2456 continue; 2457 2458 chan_list[num_channels++] = channel; 2459 } 2460 } 2461 2462 sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol); 2463 return 1; 2464 } 2465 2466 2467 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s, 2468 struct wpa_driver_scan_params *params) 2469 { 2470 /* Include only affected channels */ 2471 struct hostapd_hw_modes *mode; 2472 int count, i; 2473 int start, end; 2474 2475 mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, 2476 HOSTAPD_MODE_IEEE80211G, false); 2477 if (mode == NULL) { 2478 /* No channels supported in this band - use empty list */ 2479 params->freqs = os_zalloc(sizeof(int)); 2480 return; 2481 } 2482 2483 if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN && 2484 wpa_s->current_bss) { 2485 const u8 *ie; 2486 2487 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION); 2488 if (ie && ie[1] >= 2) { 2489 u8 o; 2490 2491 o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK; 2492 if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE) 2493 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE; 2494 else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW) 2495 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW; 2496 } 2497 } 2498 2499 start = wpa_s->assoc_freq - 10; 2500 end = wpa_s->assoc_freq + 10; 2501 switch (wpa_s->sme.ht_sec_chan) { 2502 case HT_SEC_CHAN_UNKNOWN: 2503 /* HT40+ possible on channels 1..9 */ 2504 if (wpa_s->assoc_freq <= 2452) 2505 start -= 20; 2506 /* HT40- possible on channels 5-13 */ 2507 if (wpa_s->assoc_freq >= 2432) 2508 end += 20; 2509 break; 2510 case HT_SEC_CHAN_ABOVE: 2511 end += 20; 2512 break; 2513 case HT_SEC_CHAN_BELOW: 2514 start -= 20; 2515 break; 2516 } 2517 wpa_printf(MSG_DEBUG, 2518 "OBSS: assoc_freq %d possible affected range %d-%d", 2519 wpa_s->assoc_freq, start, end); 2520 2521 params->freqs = os_calloc(mode->num_channels + 1, sizeof(int)); 2522 if (params->freqs == NULL) 2523 return; 2524 for (count = 0, i = 0; i < mode->num_channels; i++) { 2525 int freq; 2526 2527 if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED) 2528 continue; 2529 freq = mode->channels[i].freq; 2530 if (freq - 10 >= end || freq + 10 <= start) 2531 continue; /* not affected */ 2532 params->freqs[count++] = freq; 2533 } 2534 } 2535 2536 2537 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx) 2538 { 2539 struct wpa_supplicant *wpa_s = eloop_ctx; 2540 struct wpa_driver_scan_params params; 2541 2542 if (!wpa_s->current_bss) { 2543 wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request"); 2544 return; 2545 } 2546 2547 os_memset(¶ms, 0, sizeof(params)); 2548 wpa_obss_scan_freqs_list(wpa_s, ¶ms); 2549 params.low_priority = 1; 2550 wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan"); 2551 2552 if (wpa_supplicant_trigger_scan(wpa_s, ¶ms)) 2553 wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan"); 2554 else 2555 wpa_s->sme.sched_obss_scan = 1; 2556 os_free(params.freqs); 2557 2558 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2559 sme_obss_scan_timeout, wpa_s, NULL); 2560 } 2561 2562 2563 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable) 2564 { 2565 const u8 *ie; 2566 struct wpa_bss *bss = wpa_s->current_bss; 2567 struct wpa_ssid *ssid = wpa_s->current_ssid; 2568 struct hostapd_hw_modes *hw_mode = NULL; 2569 int i; 2570 2571 eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL); 2572 wpa_s->sme.sched_obss_scan = 0; 2573 wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN; 2574 if (!enable) 2575 return; 2576 2577 /* 2578 * Schedule OBSS scan if driver is using station SME in wpa_supplicant 2579 * or it expects OBSS scan to be performed by wpa_supplicant. 2580 */ 2581 if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) || 2582 (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) || 2583 ssid == NULL || ssid->mode != WPAS_MODE_INFRA) 2584 return; 2585 2586 #ifdef CONFIG_HT_OVERRIDES 2587 /* No need for OBSS scan if HT40 is explicitly disabled */ 2588 if (ssid->disable_ht40) 2589 return; 2590 #endif /* CONFIG_HT_OVERRIDES */ 2591 2592 if (!wpa_s->hw.modes) 2593 return; 2594 2595 /* only HT caps in 11g mode are relevant */ 2596 for (i = 0; i < wpa_s->hw.num_modes; i++) { 2597 hw_mode = &wpa_s->hw.modes[i]; 2598 if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G) 2599 break; 2600 } 2601 2602 /* Driver does not support HT40 for 11g or doesn't have 11g. */ 2603 if (i == wpa_s->hw.num_modes || !hw_mode || 2604 !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2605 return; 2606 2607 if (bss == NULL || bss->freq < 2400 || bss->freq > 2500) 2608 return; /* Not associated on 2.4 GHz band */ 2609 2610 /* Check whether AP supports HT40 */ 2611 ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP); 2612 if (!ie || ie[1] < 2 || 2613 !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) 2614 return; /* AP does not support HT40 */ 2615 2616 ie = wpa_bss_get_ie(wpa_s->current_bss, 2617 WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS); 2618 if (!ie || ie[1] < 14) 2619 return; /* AP does not request OBSS scans */ 2620 2621 wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6); 2622 if (wpa_s->sme.obss_scan_int < 10) { 2623 wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u " 2624 "replaced with the minimum 10 sec", 2625 wpa_s->sme.obss_scan_int); 2626 wpa_s->sme.obss_scan_int = 10; 2627 } 2628 wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec", 2629 wpa_s->sme.obss_scan_int); 2630 eloop_register_timeout(wpa_s->sme.obss_scan_int, 0, 2631 sme_obss_scan_timeout, wpa_s, NULL); 2632 } 2633 2634 2635 static const unsigned int sa_query_max_timeout = 1000; 2636 static const unsigned int sa_query_retry_timeout = 201; 2637 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */ 2638 2639 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s) 2640 { 2641 u32 tu; 2642 struct os_reltime now, passed; 2643 os_get_reltime(&now); 2644 os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed); 2645 tu = (passed.sec * 1000000 + passed.usec) / 1024; 2646 if (sa_query_max_timeout < tu) { 2647 wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out"); 2648 sme_stop_sa_query(wpa_s); 2649 wpa_supplicant_deauthenticate( 2650 wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID); 2651 return 1; 2652 } 2653 2654 return 0; 2655 } 2656 2657 2658 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s, 2659 const u8 *trans_id) 2660 { 2661 u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2662 u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2663 2664 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to " 2665 MACSTR, MAC2STR(wpa_s->bssid)); 2666 wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID", 2667 trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2668 req[0] = WLAN_ACTION_SA_QUERY; 2669 req[1] = WLAN_SA_QUERY_REQUEST; 2670 os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN); 2671 2672 #ifdef CONFIG_OCV 2673 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2674 struct wpa_channel_info ci; 2675 2676 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2677 wpa_printf(MSG_WARNING, 2678 "Failed to get channel info for OCI element in SA Query Request frame"); 2679 return; 2680 } 2681 2682 #ifdef CONFIG_TESTING_OPTIONS 2683 if (wpa_s->oci_freq_override_saquery_req) { 2684 wpa_printf(MSG_INFO, 2685 "TEST: Override SA Query Request OCI frequency %d -> %d MHz", 2686 ci.frequency, 2687 wpa_s->oci_freq_override_saquery_req); 2688 ci.frequency = wpa_s->oci_freq_override_saquery_req; 2689 } 2690 #endif /* CONFIG_TESTING_OPTIONS */ 2691 2692 if (ocv_insert_extended_oci(&ci, req + req_len) < 0) 2693 return; 2694 2695 req_len += OCV_OCI_EXTENDED_LEN; 2696 } 2697 #endif /* CONFIG_OCV */ 2698 2699 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2700 wpa_s->own_addr, wpa_s->bssid, 2701 req, req_len, 0) < 0) 2702 wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query " 2703 "Request"); 2704 } 2705 2706 2707 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx) 2708 { 2709 struct wpa_supplicant *wpa_s = eloop_ctx; 2710 unsigned int timeout, sec, usec; 2711 u8 *trans_id, *nbuf; 2712 2713 if (wpa_s->sme.sa_query_count > 0 && 2714 sme_check_sa_query_timeout(wpa_s)) 2715 return; 2716 2717 nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id, 2718 wpa_s->sme.sa_query_count + 1, 2719 WLAN_SA_QUERY_TR_ID_LEN); 2720 if (nbuf == NULL) { 2721 sme_stop_sa_query(wpa_s); 2722 return; 2723 } 2724 if (wpa_s->sme.sa_query_count == 0) { 2725 /* Starting a new SA Query procedure */ 2726 os_get_reltime(&wpa_s->sme.sa_query_start); 2727 } 2728 trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN; 2729 wpa_s->sme.sa_query_trans_id = nbuf; 2730 wpa_s->sme.sa_query_count++; 2731 2732 if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) { 2733 wpa_printf(MSG_DEBUG, "Could not generate SA Query ID"); 2734 sme_stop_sa_query(wpa_s); 2735 return; 2736 } 2737 2738 timeout = sa_query_retry_timeout; 2739 sec = ((timeout / 1000) * 1024) / 1000; 2740 usec = (timeout % 1000) * 1024; 2741 eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL); 2742 2743 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d", 2744 wpa_s->sme.sa_query_count); 2745 2746 sme_send_sa_query_req(wpa_s, trans_id); 2747 } 2748 2749 2750 static void sme_start_sa_query(struct wpa_supplicant *wpa_s) 2751 { 2752 sme_sa_query_timer(wpa_s, NULL); 2753 } 2754 2755 2756 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s) 2757 { 2758 if (wpa_s->sme.sa_query_trans_id) 2759 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query"); 2760 eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL); 2761 os_free(wpa_s->sme.sa_query_trans_id); 2762 wpa_s->sme.sa_query_trans_id = NULL; 2763 wpa_s->sme.sa_query_count = 0; 2764 } 2765 2766 2767 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa, 2768 const u8 *da, u16 reason_code) 2769 { 2770 struct wpa_ssid *ssid; 2771 struct os_reltime now; 2772 2773 if (wpa_s->wpa_state != WPA_COMPLETED) 2774 return; 2775 ssid = wpa_s->current_ssid; 2776 if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION) 2777 return; 2778 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2779 return; 2780 if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA && 2781 reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA) 2782 return; 2783 if (wpa_s->sme.sa_query_count > 0) 2784 return; 2785 #ifdef CONFIG_TESTING_OPTIONS 2786 if (wpa_s->disable_sa_query) 2787 return; 2788 #endif /* CONFIG_TESTING_OPTIONS */ 2789 2790 os_get_reltime(&now); 2791 if (wpa_s->sme.last_unprot_disconnect.sec && 2792 !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10)) 2793 return; /* limit SA Query procedure frequency */ 2794 wpa_s->sme.last_unprot_disconnect = now; 2795 2796 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - " 2797 "possible AP/STA state mismatch - trigger SA Query"); 2798 sme_start_sa_query(wpa_s); 2799 } 2800 2801 2802 void sme_event_ch_switch(struct wpa_supplicant *wpa_s) 2803 { 2804 unsigned int usec; 2805 u32 _rand; 2806 2807 if (wpa_s->wpa_state != WPA_COMPLETED || 2808 !wpa_sm_ocv_enabled(wpa_s->wpa)) 2809 return; 2810 2811 wpa_dbg(wpa_s, MSG_DEBUG, 2812 "SME: Channel switch completed - trigger new SA Query to verify new operating channel"); 2813 sme_stop_sa_query(wpa_s); 2814 2815 if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0) 2816 _rand = os_random(); 2817 usec = _rand % (sa_query_ch_switch_max_delay + 1); 2818 eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL); 2819 } 2820 2821 2822 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s, 2823 const u8 *sa, const u8 *data, 2824 size_t len) 2825 { 2826 u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN]; 2827 u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN; 2828 2829 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to " 2830 MACSTR, MAC2STR(wpa_s->bssid)); 2831 2832 resp[0] = WLAN_ACTION_SA_QUERY; 2833 resp[1] = WLAN_SA_QUERY_RESPONSE; 2834 os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN); 2835 2836 #ifdef CONFIG_OCV 2837 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2838 struct wpa_channel_info ci; 2839 2840 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2841 wpa_printf(MSG_WARNING, 2842 "Failed to get channel info for OCI element in SA Query Response frame"); 2843 return; 2844 } 2845 2846 #ifdef CONFIG_TESTING_OPTIONS 2847 if (wpa_s->oci_freq_override_saquery_resp) { 2848 wpa_printf(MSG_INFO, 2849 "TEST: Override SA Query Response OCI frequency %d -> %d MHz", 2850 ci.frequency, 2851 wpa_s->oci_freq_override_saquery_resp); 2852 ci.frequency = wpa_s->oci_freq_override_saquery_resp; 2853 } 2854 #endif /* CONFIG_TESTING_OPTIONS */ 2855 2856 if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0) 2857 return; 2858 2859 resp_len += OCV_OCI_EXTENDED_LEN; 2860 } 2861 #endif /* CONFIG_OCV */ 2862 2863 if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid, 2864 wpa_s->own_addr, wpa_s->bssid, 2865 resp, resp_len, 0) < 0) 2866 wpa_msg(wpa_s, MSG_INFO, 2867 "SME: Failed to send SA Query Response"); 2868 } 2869 2870 2871 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s, 2872 const u8 *sa, const u8 *data, 2873 size_t len) 2874 { 2875 int i; 2876 2877 if (!wpa_s->sme.sa_query_trans_id) 2878 return; 2879 2880 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from " 2881 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2882 2883 if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0) 2884 return; 2885 2886 for (i = 0; i < wpa_s->sme.sa_query_count; i++) { 2887 if (os_memcmp(wpa_s->sme.sa_query_trans_id + 2888 i * WLAN_SA_QUERY_TR_ID_LEN, 2889 data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0) 2890 break; 2891 } 2892 2893 if (i >= wpa_s->sme.sa_query_count) { 2894 wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query " 2895 "transaction identifier found"); 2896 return; 2897 } 2898 2899 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received " 2900 "from " MACSTR, MAC2STR(sa)); 2901 sme_stop_sa_query(wpa_s); 2902 } 2903 2904 2905 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa, 2906 const u8 *data, size_t len) 2907 { 2908 if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN) 2909 return; 2910 if (is_multicast_ether_addr(da)) { 2911 wpa_printf(MSG_DEBUG, 2912 "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")", 2913 MAC2STR(da), MAC2STR(sa)); 2914 return; 2915 } 2916 2917 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from " 2918 MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]); 2919 2920 #ifdef CONFIG_OCV 2921 if (wpa_sm_ocv_enabled(wpa_s->wpa)) { 2922 struct ieee802_11_elems elems; 2923 struct wpa_channel_info ci; 2924 2925 if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN, 2926 len - 1 - WLAN_SA_QUERY_TR_ID_LEN, 2927 &elems, 1) == ParseFailed) { 2928 wpa_printf(MSG_DEBUG, 2929 "SA Query: Failed to parse elements"); 2930 return; 2931 } 2932 2933 if (wpa_drv_channel_info(wpa_s, &ci) != 0) { 2934 wpa_printf(MSG_WARNING, 2935 "Failed to get channel info to validate received OCI in SA Query Action frame"); 2936 return; 2937 } 2938 2939 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 2940 channel_width_to_int(ci.chanwidth), 2941 ci.seg1_idx) != OCI_SUCCESS) { 2942 wpa_msg(wpa_s, MSG_INFO, OCV_FAILURE "addr=" MACSTR 2943 " frame=saquery%s error=%s", 2944 MAC2STR(sa), data[0] == WLAN_SA_QUERY_REQUEST ? 2945 "req" : "resp", ocv_errorstr); 2946 return; 2947 } 2948 } 2949 #endif /* CONFIG_OCV */ 2950 2951 if (data[0] == WLAN_SA_QUERY_REQUEST) 2952 sme_process_sa_query_request(wpa_s, sa, data, len); 2953 else if (data[0] == WLAN_SA_QUERY_RESPONSE) 2954 sme_process_sa_query_response(wpa_s, sa, data, len); 2955 } 2956