xref: /freebsd/contrib/wpa/wpa_supplicant/sme.c (revision ec0ea6efa1ad229d75c394c1a9b9cac33af2b1d3)
1 /*
2  * wpa_supplicant - SME
3  * Copyright (c) 2009-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/ieee802_11_common.h"
15 #include "common/ocv.h"
16 #include "common/hw_features_common.h"
17 #include "eapol_supp/eapol_supp_sm.h"
18 #include "common/wpa_common.h"
19 #include "common/sae.h"
20 #include "common/dpp.h"
21 #include "rsn_supp/wpa.h"
22 #include "rsn_supp/pmksa_cache.h"
23 #include "config.h"
24 #include "wpa_supplicant_i.h"
25 #include "driver_i.h"
26 #include "wpas_glue.h"
27 #include "wps_supplicant.h"
28 #include "p2p_supplicant.h"
29 #include "notify.h"
30 #include "bss.h"
31 #include "scan.h"
32 #include "sme.h"
33 #include "hs20_supplicant.h"
34 
35 #define SME_AUTH_TIMEOUT 5
36 #define SME_ASSOC_TIMEOUT 5
37 
38 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx);
39 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx);
40 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx);
41 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s);
42 
43 
44 #ifdef CONFIG_SAE
45 
46 static int index_within_array(const int *array, int idx)
47 {
48 	int i;
49 	for (i = 0; i < idx; i++) {
50 		if (array[i] <= 0)
51 			return 0;
52 	}
53 	return 1;
54 }
55 
56 
57 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
58 {
59 	int *groups = wpa_s->conf->sae_groups;
60 	int default_groups[] = { 19, 20, 21, 0 };
61 
62 	if (!groups || groups[0] <= 0)
63 		groups = default_groups;
64 
65 	/* Configuration may have changed, so validate current index */
66 	if (!index_within_array(groups, wpa_s->sme.sae_group_index))
67 		return -1;
68 
69 	for (;;) {
70 		int group = groups[wpa_s->sme.sae_group_index];
71 		if (group <= 0)
72 			break;
73 		if (sae_set_group(&wpa_s->sme.sae, group) == 0) {
74 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
75 				wpa_s->sme.sae.group);
76 			return 0;
77 		}
78 		wpa_s->sme.sae_group_index++;
79 	}
80 
81 	return -1;
82 }
83 
84 
85 static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
86 						 struct wpa_ssid *ssid,
87 						 const u8 *bssid, int external,
88 						 int reuse, int *ret_use_pt,
89 						 bool *ret_use_pk)
90 {
91 	struct wpabuf *buf;
92 	size_t len;
93 	const char *password;
94 	struct wpa_bss *bss;
95 	int use_pt = 0;
96 	bool use_pk = false;
97 	u8 rsnxe_capa = 0;
98 
99 	if (ret_use_pt)
100 		*ret_use_pt = 0;
101 	if (ret_use_pk)
102 		*ret_use_pk = false;
103 
104 #ifdef CONFIG_TESTING_OPTIONS
105 	if (wpa_s->sae_commit_override) {
106 		wpa_printf(MSG_DEBUG, "SAE: TESTING - commit override");
107 		buf = wpabuf_alloc(4 + wpabuf_len(wpa_s->sae_commit_override));
108 		if (!buf)
109 			return NULL;
110 		if (!external) {
111 			wpabuf_put_le16(buf, 1); /* Transaction seq# */
112 			wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
113 		}
114 		wpabuf_put_buf(buf, wpa_s->sae_commit_override);
115 		return buf;
116 	}
117 #endif /* CONFIG_TESTING_OPTIONS */
118 
119 	password = ssid->sae_password;
120 	if (!password)
121 		password = ssid->passphrase;
122 	if (!password) {
123 		wpa_printf(MSG_DEBUG, "SAE: No password available");
124 		return NULL;
125 	}
126 
127 	if (reuse && wpa_s->sme.sae.tmp &&
128 	    os_memcmp(bssid, wpa_s->sme.sae.tmp->bssid, ETH_ALEN) == 0) {
129 		wpa_printf(MSG_DEBUG,
130 			   "SAE: Reuse previously generated PWE on a retry with the same AP");
131 		use_pt = wpa_s->sme.sae.h2e;
132 		use_pk = wpa_s->sme.sae.pk;
133 		goto reuse_data;
134 	}
135 	if (sme_set_sae_group(wpa_s) < 0) {
136 		wpa_printf(MSG_DEBUG, "SAE: Failed to select group");
137 		return NULL;
138 	}
139 
140 	bss = wpa_bss_get_bssid_latest(wpa_s, bssid);
141 	if (bss) {
142 		const u8 *rsnxe;
143 
144 		rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
145 		if (rsnxe && rsnxe[1] >= 1)
146 			rsnxe_capa = rsnxe[2];
147 	}
148 
149 	if (ssid->sae_password_id && wpa_s->conf->sae_pwe != 3)
150 		use_pt = 1;
151 #ifdef CONFIG_SAE_PK
152 	if ((rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_PK)) &&
153 	    ssid->sae_pk != SAE_PK_MODE_DISABLED &&
154 	    ((ssid->sae_password &&
155 	      sae_pk_valid_password(ssid->sae_password)) ||
156 	     (!ssid->sae_password && ssid->passphrase &&
157 	      sae_pk_valid_password(ssid->passphrase)))) {
158 		use_pt = 1;
159 		use_pk = true;
160 	}
161 
162 	if (ssid->sae_pk == SAE_PK_MODE_ONLY && !use_pk) {
163 		wpa_printf(MSG_DEBUG,
164 			   "SAE: Cannot use PK with the selected AP");
165 		return NULL;
166 	}
167 #endif /* CONFIG_SAE_PK */
168 
169 	if (use_pt || wpa_s->conf->sae_pwe == 1 || wpa_s->conf->sae_pwe == 2) {
170 		use_pt = !!(rsnxe_capa & BIT(WLAN_RSNX_CAPAB_SAE_H2E));
171 
172 		if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
173 		    wpa_s->conf->sae_pwe != 3 &&
174 		    !use_pt) {
175 			wpa_printf(MSG_DEBUG,
176 				   "SAE: Cannot use H2E with the selected AP");
177 			return NULL;
178 		}
179 	}
180 
181 	if (use_pt &&
182 	    sae_prepare_commit_pt(&wpa_s->sme.sae, ssid->pt,
183 				  wpa_s->own_addr, bssid,
184 				  wpa_s->sme.sae_rejected_groups, NULL) < 0)
185 		return NULL;
186 	if (!use_pt &&
187 	    sae_prepare_commit(wpa_s->own_addr, bssid,
188 			       (u8 *) password, os_strlen(password),
189 			       &wpa_s->sme.sae) < 0) {
190 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
191 		return NULL;
192 	}
193 	if (wpa_s->sme.sae.tmp) {
194 		os_memcpy(wpa_s->sme.sae.tmp->bssid, bssid, ETH_ALEN);
195 		if (use_pt && use_pk)
196 			wpa_s->sme.sae.pk = 1;
197 #ifdef CONFIG_SAE_PK
198 		os_memcpy(wpa_s->sme.sae.tmp->own_addr, wpa_s->own_addr,
199 			  ETH_ALEN);
200 		os_memcpy(wpa_s->sme.sae.tmp->peer_addr, bssid, ETH_ALEN);
201 		sae_pk_set_password(&wpa_s->sme.sae, password);
202 #endif /* CONFIG_SAE_PK */
203 	}
204 
205 reuse_data:
206 	len = wpa_s->sme.sae_token ? 3 + wpabuf_len(wpa_s->sme.sae_token) : 0;
207 	if (ssid->sae_password_id)
208 		len += 4 + os_strlen(ssid->sae_password_id);
209 	buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
210 	if (buf == NULL)
211 		return NULL;
212 	if (!external) {
213 		wpabuf_put_le16(buf, 1); /* Transaction seq# */
214 		if (use_pk)
215 			wpabuf_put_le16(buf, WLAN_STATUS_SAE_PK);
216 		else if (use_pt)
217 			wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
218 		else
219 			wpabuf_put_le16(buf,WLAN_STATUS_SUCCESS);
220 	}
221 	if (sae_write_commit(&wpa_s->sme.sae, buf, wpa_s->sme.sae_token,
222 			     ssid->sae_password_id) < 0) {
223 		wpabuf_free(buf);
224 		return NULL;
225 	}
226 	if (ret_use_pt)
227 		*ret_use_pt = use_pt;
228 	if (ret_use_pk)
229 		*ret_use_pk = use_pk;
230 
231 	return buf;
232 }
233 
234 
235 static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s,
236 						  int external)
237 {
238 	struct wpabuf *buf;
239 
240 	buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN);
241 	if (buf == NULL)
242 		return NULL;
243 
244 	if (!external) {
245 		wpabuf_put_le16(buf, 2); /* Transaction seq# */
246 		wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
247 	}
248 	sae_write_confirm(&wpa_s->sme.sae, buf);
249 
250 	return buf;
251 }
252 
253 #endif /* CONFIG_SAE */
254 
255 
256 /**
257  * sme_auth_handle_rrm - Handle RRM aspects of current authentication attempt
258  * @wpa_s: Pointer to wpa_supplicant data
259  * @bss: Pointer to the bss which is the target of authentication attempt
260  */
261 static void sme_auth_handle_rrm(struct wpa_supplicant *wpa_s,
262 				struct wpa_bss *bss)
263 {
264 	const u8 rrm_ie_len = 5;
265 	u8 *pos;
266 	const u8 *rrm_ie;
267 
268 	wpa_s->rrm.rrm_used = 0;
269 
270 	wpa_printf(MSG_DEBUG,
271 		   "RRM: Determining whether RRM can be used - device support: 0x%x",
272 		   wpa_s->drv_rrm_flags);
273 
274 	rrm_ie = wpa_bss_get_ie(bss, WLAN_EID_RRM_ENABLED_CAPABILITIES);
275 	if (!rrm_ie || !(bss->caps & IEEE80211_CAP_RRM)) {
276 		wpa_printf(MSG_DEBUG, "RRM: No RRM in network");
277 		return;
278 	}
279 
280 	if (!((wpa_s->drv_rrm_flags &
281 	       WPA_DRIVER_FLAGS_DS_PARAM_SET_IE_IN_PROBES) &&
282 	      (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_QUIET)) &&
283 	    !(wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_SUPPORT_RRM)) {
284 		wpa_printf(MSG_DEBUG,
285 			   "RRM: Insufficient RRM support in driver - do not use RRM");
286 		return;
287 	}
288 
289 	if (sizeof(wpa_s->sme.assoc_req_ie) <
290 	    wpa_s->sme.assoc_req_ie_len + rrm_ie_len + 2) {
291 		wpa_printf(MSG_INFO,
292 			   "RRM: Unable to use RRM, no room for RRM IE");
293 		return;
294 	}
295 
296 	wpa_printf(MSG_DEBUG, "RRM: Adding RRM IE to Association Request");
297 	pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
298 	os_memset(pos, 0, 2 + rrm_ie_len);
299 	*pos++ = WLAN_EID_RRM_ENABLED_CAPABILITIES;
300 	*pos++ = rrm_ie_len;
301 
302 	/* Set supported capabilities flags */
303 	if (wpa_s->drv_rrm_flags & WPA_DRIVER_FLAGS_TX_POWER_INSERTION)
304 		*pos |= WLAN_RRM_CAPS_LINK_MEASUREMENT;
305 
306 	*pos |= WLAN_RRM_CAPS_BEACON_REPORT_PASSIVE |
307 		WLAN_RRM_CAPS_BEACON_REPORT_ACTIVE |
308 		WLAN_RRM_CAPS_BEACON_REPORT_TABLE;
309 
310 	if (wpa_s->lci)
311 		pos[1] |= WLAN_RRM_CAPS_LCI_MEASUREMENT;
312 
313 	wpa_s->sme.assoc_req_ie_len += rrm_ie_len + 2;
314 	wpa_s->rrm.rrm_used = 1;
315 }
316 
317 
318 static void sme_send_authentication(struct wpa_supplicant *wpa_s,
319 				    struct wpa_bss *bss, struct wpa_ssid *ssid,
320 				    int start)
321 {
322 	struct wpa_driver_auth_params params;
323 	struct wpa_ssid *old_ssid;
324 #ifdef CONFIG_IEEE80211R
325 	const u8 *ie;
326 #endif /* CONFIG_IEEE80211R */
327 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
328 	const u8 *md = NULL;
329 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
330 	int bssid_changed;
331 	struct wpabuf *resp = NULL;
332 	u8 ext_capab[18];
333 	int ext_capab_len;
334 	int skip_auth;
335 	u8 *wpa_ie;
336 	size_t wpa_ie_len;
337 #ifdef CONFIG_MBO
338 	const u8 *mbo_ie;
339 #endif /* CONFIG_MBO */
340 	int omit_rsnxe = 0;
341 
342 	if (bss == NULL) {
343 		wpa_msg(wpa_s, MSG_ERROR, "SME: No scan result available for "
344 			"the network");
345 		wpas_connect_work_done(wpa_s);
346 		return;
347 	}
348 
349 	skip_auth = wpa_s->conf->reassoc_same_bss_optim &&
350 		wpa_s->reassoc_same_bss;
351 	wpa_s->current_bss = bss;
352 
353 	os_memset(&params, 0, sizeof(params));
354 	wpa_s->reassociate = 0;
355 
356 	params.freq = bss->freq;
357 	params.bssid = bss->bssid;
358 	params.ssid = bss->ssid;
359 	params.ssid_len = bss->ssid_len;
360 	params.p2p = ssid->p2p_group;
361 
362 	if (wpa_s->sme.ssid_len != params.ssid_len ||
363 	    os_memcmp(wpa_s->sme.ssid, params.ssid, params.ssid_len) != 0)
364 		wpa_s->sme.prev_bssid_set = 0;
365 
366 	wpa_s->sme.freq = params.freq;
367 	os_memcpy(wpa_s->sme.ssid, params.ssid, params.ssid_len);
368 	wpa_s->sme.ssid_len = params.ssid_len;
369 
370 	params.auth_alg = WPA_AUTH_ALG_OPEN;
371 #ifdef IEEE8021X_EAPOL
372 	if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
373 		if (ssid->leap) {
374 			if (ssid->non_leap == 0)
375 				params.auth_alg = WPA_AUTH_ALG_LEAP;
376 			else
377 				params.auth_alg |= WPA_AUTH_ALG_LEAP;
378 		}
379 	}
380 #endif /* IEEE8021X_EAPOL */
381 	wpa_dbg(wpa_s, MSG_DEBUG, "Automatic auth_alg selection: 0x%x",
382 		params.auth_alg);
383 	if (ssid->auth_alg) {
384 		params.auth_alg = ssid->auth_alg;
385 		wpa_dbg(wpa_s, MSG_DEBUG, "Overriding auth_alg selection: "
386 			"0x%x", params.auth_alg);
387 	}
388 #ifdef CONFIG_SAE
389 	wpa_s->sme.sae_pmksa_caching = 0;
390 	if (wpa_key_mgmt_sae(ssid->key_mgmt)) {
391 		const u8 *rsn;
392 		struct wpa_ie_data ied;
393 
394 		rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
395 		if (!rsn) {
396 			wpa_dbg(wpa_s, MSG_DEBUG,
397 				"SAE enabled, but target BSS does not advertise RSN");
398 #ifdef CONFIG_DPP
399 		} else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
400 			   (ssid->key_mgmt & WPA_KEY_MGMT_DPP) &&
401 			   (ied.key_mgmt & WPA_KEY_MGMT_DPP)) {
402 			wpa_dbg(wpa_s, MSG_DEBUG, "Prefer DPP over SAE when both are enabled");
403 #endif /* CONFIG_DPP */
404 		} else if (wpa_parse_wpa_ie(rsn, 2 + rsn[1], &ied) == 0 &&
405 			   wpa_key_mgmt_sae(ied.key_mgmt)) {
406 			wpa_dbg(wpa_s, MSG_DEBUG, "Using SAE auth_alg");
407 			params.auth_alg = WPA_AUTH_ALG_SAE;
408 		} else {
409 			wpa_dbg(wpa_s, MSG_DEBUG,
410 				"SAE enabled, but target BSS does not advertise SAE AKM for RSN");
411 		}
412 	}
413 #endif /* CONFIG_SAE */
414 
415 #ifdef CONFIG_WEP
416 	{
417 		int i;
418 
419 		for (i = 0; i < NUM_WEP_KEYS; i++) {
420 			if (ssid->wep_key_len[i])
421 				params.wep_key[i] = ssid->wep_key[i];
422 			params.wep_key_len[i] = ssid->wep_key_len[i];
423 		}
424 		params.wep_tx_keyidx = ssid->wep_tx_keyidx;
425 	}
426 #endif /* CONFIG_WEP */
427 
428 	if ((wpa_bss_get_vendor_ie(bss, WPA_IE_VENDOR_TYPE) ||
429 	     wpa_bss_get_ie(bss, WLAN_EID_RSN)) &&
430 	    wpa_key_mgmt_wpa(ssid->key_mgmt)) {
431 		int try_opportunistic;
432 		const u8 *cache_id = NULL;
433 
434 		try_opportunistic = (ssid->proactive_key_caching < 0 ?
435 				     wpa_s->conf->okc :
436 				     ssid->proactive_key_caching) &&
437 			(ssid->proto & WPA_PROTO_RSN);
438 #ifdef CONFIG_FILS
439 		if (wpa_key_mgmt_fils(ssid->key_mgmt))
440 			cache_id = wpa_bss_get_fils_cache_id(bss);
441 #endif /* CONFIG_FILS */
442 		if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
443 					    wpa_s->current_ssid,
444 					    try_opportunistic, cache_id,
445 					    0) == 0)
446 			eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
447 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
448 		if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
449 					      wpa_s->sme.assoc_req_ie,
450 					      &wpa_s->sme.assoc_req_ie_len)) {
451 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
452 				"key management and encryption suites");
453 			wpas_connect_work_done(wpa_s);
454 			return;
455 		}
456 #ifdef CONFIG_HS20
457 	} else if (wpa_bss_get_vendor_ie(bss, OSEN_IE_VENDOR_TYPE) &&
458 		   (ssid->key_mgmt & WPA_KEY_MGMT_OSEN)) {
459 		/* No PMKSA caching, but otherwise similar to RSN/WPA */
460 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
461 		if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
462 					      wpa_s->sme.assoc_req_ie,
463 					      &wpa_s->sme.assoc_req_ie_len)) {
464 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
465 				"key management and encryption suites");
466 			wpas_connect_work_done(wpa_s);
467 			return;
468 		}
469 #endif /* CONFIG_HS20 */
470 	} else if ((ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) &&
471 		   wpa_key_mgmt_wpa_ieee8021x(ssid->key_mgmt)) {
472 		/*
473 		 * Both WPA and non-WPA IEEE 802.1X enabled in configuration -
474 		 * use non-WPA since the scan results did not indicate that the
475 		 * AP is using WPA or WPA2.
476 		 */
477 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
478 		wpa_s->sme.assoc_req_ie_len = 0;
479 	} else if (wpa_key_mgmt_wpa_any(ssid->key_mgmt)) {
480 		wpa_s->sme.assoc_req_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
481 		if (wpa_supplicant_set_suites(wpa_s, NULL, ssid,
482 					      wpa_s->sme.assoc_req_ie,
483 					      &wpa_s->sme.assoc_req_ie_len)) {
484 			wpa_msg(wpa_s, MSG_WARNING, "SME: Failed to set WPA "
485 				"key management and encryption suites (no "
486 				"scan results)");
487 			wpas_connect_work_done(wpa_s);
488 			return;
489 		}
490 #ifdef CONFIG_WPS
491 	} else if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) {
492 		struct wpabuf *wps_ie;
493 		wps_ie = wps_build_assoc_req_ie(wpas_wps_get_req_type(ssid));
494 		if (wps_ie && wpabuf_len(wps_ie) <=
495 		    sizeof(wpa_s->sme.assoc_req_ie)) {
496 			wpa_s->sme.assoc_req_ie_len = wpabuf_len(wps_ie);
497 			os_memcpy(wpa_s->sme.assoc_req_ie, wpabuf_head(wps_ie),
498 				  wpa_s->sme.assoc_req_ie_len);
499 		} else
500 			wpa_s->sme.assoc_req_ie_len = 0;
501 		wpabuf_free(wps_ie);
502 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
503 #endif /* CONFIG_WPS */
504 	} else {
505 		wpa_supplicant_set_non_wpa_policy(wpa_s, ssid);
506 		wpa_s->sme.assoc_req_ie_len = 0;
507 	}
508 
509 	/* In case the WPA vendor IE is used, it should be placed after all the
510 	 * non-vendor IEs, as the lower layer expects the IEs to be ordered as
511 	 * defined in the standard. Store the WPA IE so it can later be
512 	 * inserted at the correct location.
513 	 */
514 	wpa_ie = NULL;
515 	wpa_ie_len = 0;
516 	if (wpa_s->wpa_proto == WPA_PROTO_WPA) {
517 		wpa_ie = os_memdup(wpa_s->sme.assoc_req_ie,
518 				   wpa_s->sme.assoc_req_ie_len);
519 		if (wpa_ie) {
520 			wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Storing WPA IE");
521 
522 			wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
523 			wpa_s->sme.assoc_req_ie_len = 0;
524 		} else {
525 			wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed copy WPA IE");
526 			wpas_connect_work_done(wpa_s);
527 			return;
528 		}
529 	}
530 
531 #ifdef CONFIG_IEEE80211R
532 	ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
533 	if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
534 		md = ie + 2;
535 	wpa_sm_set_ft_params(wpa_s->wpa, ie, ie ? 2 + ie[1] : 0);
536 	if (md && (!wpa_key_mgmt_ft(ssid->key_mgmt) ||
537 		   !wpa_key_mgmt_ft(wpa_s->key_mgmt)))
538 		md = NULL;
539 	if (md) {
540 		/* Prepare for the next transition */
541 		wpa_ft_prepare_auth_request(wpa_s->wpa, ie);
542 	}
543 
544 	if (md) {
545 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: FT mobility domain %02x%02x",
546 			md[0], md[1]);
547 
548 		omit_rsnxe = !wpa_bss_get_ie(bss, WLAN_EID_RSNX);
549 		if (wpa_s->sme.assoc_req_ie_len + 5 <
550 		    sizeof(wpa_s->sme.assoc_req_ie)) {
551 			struct rsn_mdie *mdie;
552 			u8 *pos = wpa_s->sme.assoc_req_ie +
553 				wpa_s->sme.assoc_req_ie_len;
554 			*pos++ = WLAN_EID_MOBILITY_DOMAIN;
555 			*pos++ = sizeof(*mdie);
556 			mdie = (struct rsn_mdie *) pos;
557 			os_memcpy(mdie->mobility_domain, md,
558 				  MOBILITY_DOMAIN_ID_LEN);
559 			mdie->ft_capab = md[MOBILITY_DOMAIN_ID_LEN];
560 			wpa_s->sme.assoc_req_ie_len += 5;
561 		}
562 
563 		if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used &&
564 		    os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
565 		    wpa_sm_has_ptk(wpa_s->wpa)) {
566 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
567 				"over-the-air");
568 			params.auth_alg = WPA_AUTH_ALG_FT;
569 			params.ie = wpa_s->sme.ft_ies;
570 			params.ie_len = wpa_s->sme.ft_ies_len;
571 		}
572 	}
573 #endif /* CONFIG_IEEE80211R */
574 
575 	wpa_s->sme.mfp = wpas_get_ssid_pmf(wpa_s, ssid);
576 	if (wpa_s->sme.mfp != NO_MGMT_FRAME_PROTECTION) {
577 		const u8 *rsn = wpa_bss_get_ie(bss, WLAN_EID_RSN);
578 		struct wpa_ie_data _ie;
579 		if (rsn && wpa_parse_wpa_ie(rsn, 2 + rsn[1], &_ie) == 0 &&
580 		    _ie.capabilities &
581 		    (WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR)) {
582 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected AP supports "
583 				"MFP: require MFP");
584 			wpa_s->sme.mfp = MGMT_FRAME_PROTECTION_REQUIRED;
585 		}
586 	}
587 
588 #ifdef CONFIG_P2P
589 	if (wpa_s->global->p2p) {
590 		u8 *pos;
591 		size_t len;
592 		int res;
593 		pos = wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len;
594 		len = sizeof(wpa_s->sme.assoc_req_ie) -
595 			wpa_s->sme.assoc_req_ie_len;
596 		res = wpas_p2p_assoc_req_ie(wpa_s, bss, pos, len,
597 					    ssid->p2p_group);
598 		if (res >= 0)
599 			wpa_s->sme.assoc_req_ie_len += res;
600 	}
601 #endif /* CONFIG_P2P */
602 
603 #ifdef CONFIG_FST
604 	if (wpa_s->fst_ies) {
605 		int fst_ies_len = wpabuf_len(wpa_s->fst_ies);
606 
607 		if (wpa_s->sme.assoc_req_ie_len + fst_ies_len <=
608 		    sizeof(wpa_s->sme.assoc_req_ie)) {
609 			os_memcpy(wpa_s->sme.assoc_req_ie +
610 				  wpa_s->sme.assoc_req_ie_len,
611 				  wpabuf_head(wpa_s->fst_ies),
612 				  fst_ies_len);
613 			wpa_s->sme.assoc_req_ie_len += fst_ies_len;
614 		}
615 	}
616 #endif /* CONFIG_FST */
617 
618 	sme_auth_handle_rrm(wpa_s, bss);
619 
620 	wpa_s->sme.assoc_req_ie_len += wpas_supp_op_class_ie(
621 		wpa_s, ssid, bss,
622 		wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
623 		sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len);
624 
625 	if (params.p2p)
626 		wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT);
627 	else
628 		wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION);
629 
630 	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
631 					     sizeof(ext_capab));
632 	if (ext_capab_len > 0) {
633 		u8 *pos = wpa_s->sme.assoc_req_ie;
634 		if (wpa_s->sme.assoc_req_ie_len > 0 && pos[0] == WLAN_EID_RSN)
635 			pos += 2 + pos[1];
636 		os_memmove(pos + ext_capab_len, pos,
637 			   wpa_s->sme.assoc_req_ie_len -
638 			   (pos - wpa_s->sme.assoc_req_ie));
639 		wpa_s->sme.assoc_req_ie_len += ext_capab_len;
640 		os_memcpy(pos, ext_capab, ext_capab_len);
641 	}
642 
643 #ifdef CONFIG_TESTING_OPTIONS
644 	if (wpa_s->rsnxe_override_assoc &&
645 	    wpabuf_len(wpa_s->rsnxe_override_assoc) <=
646 	    sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len) {
647 		wpa_printf(MSG_DEBUG, "TESTING: RSNXE AssocReq override");
648 		os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
649 			  wpabuf_head(wpa_s->rsnxe_override_assoc),
650 			  wpabuf_len(wpa_s->rsnxe_override_assoc));
651 		wpa_s->sme.assoc_req_ie_len +=
652 			wpabuf_len(wpa_s->rsnxe_override_assoc);
653 	} else
654 #endif /* CONFIG_TESTING_OPTIONS */
655 	if (wpa_s->rsnxe_len > 0 &&
656 	    wpa_s->rsnxe_len <=
657 	    sizeof(wpa_s->sme.assoc_req_ie) - wpa_s->sme.assoc_req_ie_len &&
658 	    !omit_rsnxe) {
659 		os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
660 			  wpa_s->rsnxe, wpa_s->rsnxe_len);
661 		wpa_s->sme.assoc_req_ie_len += wpa_s->rsnxe_len;
662 	}
663 
664 #ifdef CONFIG_HS20
665 	if (is_hs20_network(wpa_s, ssid, bss)) {
666 		struct wpabuf *hs20;
667 
668 		hs20 = wpabuf_alloc(20 + MAX_ROAMING_CONS_OI_LEN);
669 		if (hs20) {
670 			int pps_mo_id = hs20_get_pps_mo_id(wpa_s, ssid);
671 			size_t len;
672 
673 			wpas_hs20_add_indication(hs20, pps_mo_id,
674 						 get_hs20_version(bss));
675 			wpas_hs20_add_roam_cons_sel(hs20, ssid);
676 			len = sizeof(wpa_s->sme.assoc_req_ie) -
677 				wpa_s->sme.assoc_req_ie_len;
678 			if (wpabuf_len(hs20) <= len) {
679 				os_memcpy(wpa_s->sme.assoc_req_ie +
680 					  wpa_s->sme.assoc_req_ie_len,
681 					  wpabuf_head(hs20), wpabuf_len(hs20));
682 				wpa_s->sme.assoc_req_ie_len += wpabuf_len(hs20);
683 			}
684 			wpabuf_free(hs20);
685 		}
686 	}
687 #endif /* CONFIG_HS20 */
688 
689 	if (wpa_ie) {
690 		size_t len;
691 
692 		wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Reinsert WPA IE");
693 
694 		len = sizeof(wpa_s->sme.assoc_req_ie) -
695 			wpa_s->sme.assoc_req_ie_len;
696 
697 		if (len > wpa_ie_len) {
698 			os_memcpy(wpa_s->sme.assoc_req_ie +
699 				  wpa_s->sme.assoc_req_ie_len,
700 				  wpa_ie, wpa_ie_len);
701 			wpa_s->sme.assoc_req_ie_len += wpa_ie_len;
702 		} else {
703 			wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Failed to add WPA IE");
704 		}
705 
706 		os_free(wpa_ie);
707 	}
708 
709 	if (wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ]) {
710 		struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_ASSOC_REQ];
711 		size_t len;
712 
713 		len = sizeof(wpa_s->sme.assoc_req_ie) -
714 			wpa_s->sme.assoc_req_ie_len;
715 		if (wpabuf_len(buf) <= len) {
716 			os_memcpy(wpa_s->sme.assoc_req_ie +
717 				  wpa_s->sme.assoc_req_ie_len,
718 				  wpabuf_head(buf), wpabuf_len(buf));
719 			wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
720 		}
721 	}
722 
723 #ifdef CONFIG_MBO
724 	mbo_ie = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
725 	if (!wpa_s->disable_mbo_oce && mbo_ie) {
726 		int len;
727 
728 		len = wpas_mbo_ie(wpa_s, wpa_s->sme.assoc_req_ie +
729 				  wpa_s->sme.assoc_req_ie_len,
730 				  sizeof(wpa_s->sme.assoc_req_ie) -
731 				  wpa_s->sme.assoc_req_ie_len,
732 				  !!mbo_attr_from_mbo_ie(mbo_ie,
733 							 OCE_ATTR_ID_CAPA_IND));
734 		if (len >= 0)
735 			wpa_s->sme.assoc_req_ie_len += len;
736 	}
737 #endif /* CONFIG_MBO */
738 
739 #ifdef CONFIG_SAE
740 	if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE &&
741 	    pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid, ssid, 0,
742 				    NULL,
743 				    wpa_s->key_mgmt == WPA_KEY_MGMT_FT_SAE ?
744 				    WPA_KEY_MGMT_FT_SAE :
745 				    WPA_KEY_MGMT_SAE) == 0) {
746 		wpa_dbg(wpa_s, MSG_DEBUG,
747 			"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
748 		wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
749 		params.auth_alg = WPA_AUTH_ALG_OPEN;
750 		wpa_s->sme.sae_pmksa_caching = 1;
751 	}
752 
753 	if (!skip_auth && params.auth_alg == WPA_AUTH_ALG_SAE) {
754 		if (start)
755 			resp = sme_auth_build_sae_commit(wpa_s, ssid,
756 							 bss->bssid, 0,
757 							 start == 2, NULL,
758 							 NULL);
759 		else
760 			resp = sme_auth_build_sae_confirm(wpa_s, 0);
761 		if (resp == NULL) {
762 			wpas_connection_failed(wpa_s, bss->bssid);
763 			return;
764 		}
765 		params.auth_data = wpabuf_head(resp);
766 		params.auth_data_len = wpabuf_len(resp);
767 		wpa_s->sme.sae.state = start ? SAE_COMMITTED : SAE_CONFIRMED;
768 	}
769 #endif /* CONFIG_SAE */
770 
771 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
772 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
773 	os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN);
774 	if (bssid_changed)
775 		wpas_notify_bssid_changed(wpa_s);
776 
777 	old_ssid = wpa_s->current_ssid;
778 	wpa_s->current_ssid = ssid;
779 	wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
780 	wpa_supplicant_initiate_eapol(wpa_s);
781 
782 #ifdef CONFIG_FILS
783 	/* TODO: FILS operations can in some cases be done between different
784 	 * network_ctx (i.e., same credentials can be used with multiple
785 	 * networks). */
786 	if (params.auth_alg == WPA_AUTH_ALG_OPEN &&
787 	    wpa_key_mgmt_fils(ssid->key_mgmt)) {
788 		const u8 *indic;
789 		u16 fils_info;
790 		const u8 *realm, *username, *rrk;
791 		size_t realm_len, username_len, rrk_len;
792 		u16 next_seq_num;
793 
794 		/*
795 		 * Check FILS Indication element (FILS Information field) bits
796 		 * indicating supported authentication algorithms against local
797 		 * configuration (ssid->fils_dh_group). Try to use FILS
798 		 * authentication only if the AP supports the combination in the
799 		 * network profile. */
800 		indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
801 		if (!indic || indic[1] < 2) {
802 			wpa_printf(MSG_DEBUG, "SME: " MACSTR
803 				   " does not include FILS Indication element - cannot use FILS authentication with it",
804 				   MAC2STR(bss->bssid));
805 			goto no_fils;
806 		}
807 
808 		fils_info = WPA_GET_LE16(indic + 2);
809 		if (ssid->fils_dh_group == 0 && !(fils_info & BIT(9))) {
810 			wpa_printf(MSG_DEBUG, "SME: " MACSTR
811 				   " does not support FILS SK without PFS - cannot use FILS authentication with it",
812 				   MAC2STR(bss->bssid));
813 			goto no_fils;
814 		}
815 		if (ssid->fils_dh_group != 0 && !(fils_info & BIT(10))) {
816 			wpa_printf(MSG_DEBUG, "SME: " MACSTR
817 				   " does not support FILS SK with PFS - cannot use FILS authentication with it",
818 				   MAC2STR(bss->bssid));
819 			goto no_fils;
820 		}
821 
822 		if (wpa_s->last_con_fail_realm &&
823 		    eapol_sm_get_erp_info(wpa_s->eapol, &ssid->eap,
824 					  &username, &username_len,
825 					  &realm, &realm_len, &next_seq_num,
826 					  &rrk, &rrk_len) == 0 &&
827 		    realm && realm_len == wpa_s->last_con_fail_realm_len &&
828 		    os_memcmp(realm, wpa_s->last_con_fail_realm,
829 			      realm_len) == 0) {
830 			wpa_printf(MSG_DEBUG,
831 				   "SME: FILS authentication for this realm failed last time - try to regenerate ERP key hierarchy");
832 			goto no_fils;
833 		}
834 
835 		if (pmksa_cache_set_current(wpa_s->wpa, NULL, bss->bssid,
836 					    ssid, 0,
837 					    wpa_bss_get_fils_cache_id(bss),
838 					    0) == 0)
839 			wpa_printf(MSG_DEBUG,
840 				   "SME: Try to use FILS with PMKSA caching");
841 		resp = fils_build_auth(wpa_s->wpa, ssid->fils_dh_group, md);
842 		if (resp) {
843 			int auth_alg;
844 
845 			if (ssid->fils_dh_group)
846 				wpa_printf(MSG_DEBUG,
847 					   "SME: Try to use FILS SK authentication with PFS (DH Group %u)",
848 					   ssid->fils_dh_group);
849 			else
850 				wpa_printf(MSG_DEBUG,
851 					   "SME: Try to use FILS SK authentication without PFS");
852 			auth_alg = ssid->fils_dh_group ?
853 				WPA_AUTH_ALG_FILS_SK_PFS : WPA_AUTH_ALG_FILS;
854 			params.auth_alg = auth_alg;
855 			params.auth_data = wpabuf_head(resp);
856 			params.auth_data_len = wpabuf_len(resp);
857 			wpa_s->sme.auth_alg = auth_alg;
858 		}
859 	}
860 no_fils:
861 #endif /* CONFIG_FILS */
862 
863 	wpa_supplicant_cancel_sched_scan(wpa_s);
864 	wpa_supplicant_cancel_scan(wpa_s);
865 
866 	wpa_msg(wpa_s, MSG_INFO, "SME: Trying to authenticate with " MACSTR
867 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
868 		wpa_ssid_txt(params.ssid, params.ssid_len), params.freq);
869 
870 	eapol_sm_notify_portValid(wpa_s->eapol, false);
871 	wpa_clear_keys(wpa_s, bss->bssid);
872 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
873 	if (old_ssid != wpa_s->current_ssid)
874 		wpas_notify_network_changed(wpa_s);
875 
876 #ifdef CONFIG_HS20
877 	hs20_configure_frame_filters(wpa_s);
878 #endif /* CONFIG_HS20 */
879 
880 #ifdef CONFIG_P2P
881 	/*
882 	 * If multi-channel concurrency is not supported, check for any
883 	 * frequency conflict. In case of any frequency conflict, remove the
884 	 * least prioritized connection.
885 	 */
886 	if (wpa_s->num_multichan_concurrent < 2) {
887 		int freq, num;
888 		num = get_shared_radio_freqs(wpa_s, &freq, 1);
889 		if (num > 0 && freq > 0 && freq != params.freq) {
890 			wpa_printf(MSG_DEBUG,
891 				   "Conflicting frequency found (%d != %d)",
892 				   freq, params.freq);
893 			if (wpas_p2p_handle_frequency_conflicts(wpa_s,
894 								params.freq,
895 								ssid) < 0) {
896 				wpas_connection_failed(wpa_s, bss->bssid);
897 				wpa_supplicant_mark_disassoc(wpa_s);
898 				wpabuf_free(resp);
899 				wpas_connect_work_done(wpa_s);
900 				return;
901 			}
902 		}
903 	}
904 #endif /* CONFIG_P2P */
905 
906 	if (skip_auth) {
907 		wpa_msg(wpa_s, MSG_DEBUG,
908 			"SME: Skip authentication step on reassoc-to-same-BSS");
909 		wpabuf_free(resp);
910 		sme_associate(wpa_s, ssid->mode, bss->bssid, WLAN_AUTH_OPEN);
911 		return;
912 	}
913 
914 
915 	wpa_s->sme.auth_alg = params.auth_alg;
916 	if (wpa_drv_authenticate(wpa_s, &params) < 0) {
917 		wpa_msg(wpa_s, MSG_INFO, "SME: Authentication request to the "
918 			"driver failed");
919 		wpas_connection_failed(wpa_s, bss->bssid);
920 		wpa_supplicant_mark_disassoc(wpa_s);
921 		wpabuf_free(resp);
922 		wpas_connect_work_done(wpa_s);
923 		return;
924 	}
925 
926 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
927 			       NULL);
928 
929 	/*
930 	 * Association will be started based on the authentication event from
931 	 * the driver.
932 	 */
933 
934 	wpabuf_free(resp);
935 }
936 
937 
938 static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit)
939 {
940 	struct wpa_connect_work *cwork = work->ctx;
941 	struct wpa_supplicant *wpa_s = work->wpa_s;
942 
943 	wpa_s->roam_in_progress = false;
944 
945 	if (deinit) {
946 		if (work->started)
947 			wpa_s->connect_work = NULL;
948 
949 		wpas_connect_work_free(cwork);
950 		return;
951 	}
952 
953 	wpa_s->connect_work = work;
954 
955 	if (cwork->bss_removed ||
956 	    !wpas_valid_bss_ssid(wpa_s, cwork->bss, cwork->ssid) ||
957 	    wpas_network_disabled(wpa_s, cwork->ssid)) {
958 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: BSS/SSID entry for authentication not valid anymore - drop connection attempt");
959 		wpas_connect_work_done(wpa_s);
960 		return;
961 	}
962 
963 	/* Starting new connection, so clear the possibly used WPA IE from the
964 	 * previous association. */
965 	wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
966 	wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0);
967 	wpa_s->rsnxe_len = 0;
968 
969 	sme_send_authentication(wpa_s, cwork->bss, cwork->ssid, 1);
970 }
971 
972 
973 void sme_authenticate(struct wpa_supplicant *wpa_s,
974 		      struct wpa_bss *bss, struct wpa_ssid *ssid)
975 {
976 	struct wpa_connect_work *cwork;
977 
978 	if (bss == NULL || ssid == NULL)
979 		return;
980 	if (wpa_s->connect_work) {
981 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reject sme_authenticate() call since connect_work exist");
982 		return;
983 	}
984 
985 	if (wpa_s->roam_in_progress) {
986 		wpa_dbg(wpa_s, MSG_DEBUG,
987 			"SME: Reject sme_authenticate() in favor of explicit roam request");
988 		return;
989 	}
990 	if (radio_work_pending(wpa_s, "sme-connect")) {
991 		/*
992 		 * The previous sme-connect work might no longer be valid due to
993 		 * the fact that the BSS list was updated. In addition, it makes
994 		 * sense to adhere to the 'newer' decision.
995 		 */
996 		wpa_dbg(wpa_s, MSG_DEBUG,
997 			"SME: Remove previous pending sme-connect");
998 		radio_remove_works(wpa_s, "sme-connect", 0);
999 	}
1000 
1001 	wpas_abort_ongoing_scan(wpa_s);
1002 
1003 	cwork = os_zalloc(sizeof(*cwork));
1004 	if (cwork == NULL)
1005 		return;
1006 	cwork->bss = bss;
1007 	cwork->ssid = ssid;
1008 	cwork->sme = 1;
1009 
1010 #ifdef CONFIG_SAE
1011 	wpa_s->sme.sae.state = SAE_NOTHING;
1012 	wpa_s->sme.sae.send_confirm = 0;
1013 	wpa_s->sme.sae_group_index = 0;
1014 #endif /* CONFIG_SAE */
1015 
1016 	if (radio_add_work(wpa_s, bss->freq, "sme-connect", 1,
1017 			   sme_auth_start_cb, cwork) < 0)
1018 		wpas_connect_work_free(cwork);
1019 }
1020 
1021 
1022 #ifdef CONFIG_SAE
1023 
1024 static int sme_external_auth_build_buf(struct wpabuf *buf,
1025 				       struct wpabuf *params,
1026 				       const u8 *sa, const u8 *da,
1027 				       u16 auth_transaction, u16 seq_num,
1028 				       u16 status_code)
1029 {
1030 	struct ieee80211_mgmt *resp;
1031 
1032 	resp = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
1033 					u.auth.variable));
1034 
1035 	resp->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
1036 					   (WLAN_FC_STYPE_AUTH << 4));
1037 	os_memcpy(resp->da, da, ETH_ALEN);
1038 	os_memcpy(resp->sa, sa, ETH_ALEN);
1039 	os_memcpy(resp->bssid, da, ETH_ALEN);
1040 	resp->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE);
1041 	resp->seq_ctrl = host_to_le16(seq_num << 4);
1042 	resp->u.auth.auth_transaction = host_to_le16(auth_transaction);
1043 	resp->u.auth.status_code = host_to_le16(status_code);
1044 	if (params)
1045 		wpabuf_put_buf(buf, params);
1046 
1047 	return 0;
1048 }
1049 
1050 
1051 static int sme_external_auth_send_sae_commit(struct wpa_supplicant *wpa_s,
1052 					     const u8 *bssid,
1053 					     struct wpa_ssid *ssid)
1054 {
1055 	struct wpabuf *resp, *buf;
1056 	int use_pt;
1057 	bool use_pk;
1058 	u16 status;
1059 
1060 	resp = sme_auth_build_sae_commit(wpa_s, ssid, bssid, 1, 0, &use_pt,
1061 					 &use_pk);
1062 	if (!resp) {
1063 		wpa_printf(MSG_DEBUG, "SAE: Failed to build SAE commit");
1064 		return -1;
1065 	}
1066 
1067 	wpa_s->sme.sae.state = SAE_COMMITTED;
1068 	buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + wpabuf_len(resp));
1069 	if (!buf) {
1070 		wpabuf_free(resp);
1071 		return -1;
1072 	}
1073 
1074 	wpa_s->sme.seq_num++;
1075 	if (use_pk)
1076 		status = WLAN_STATUS_SAE_PK;
1077 	else if (use_pt)
1078 		status = WLAN_STATUS_SAE_HASH_TO_ELEMENT;
1079 	else
1080 		status = WLAN_STATUS_SUCCESS;
1081 	sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
1082 				    bssid, 1, wpa_s->sme.seq_num, status);
1083 	wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0);
1084 	wpabuf_free(resp);
1085 	wpabuf_free(buf);
1086 
1087 	return 0;
1088 }
1089 
1090 
1091 static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s,
1092 					  u16 status)
1093 {
1094 	struct external_auth params;
1095 
1096 	os_memset(&params, 0, sizeof(params));
1097 	params.status = status;
1098 	params.ssid = wpa_s->sme.ext_auth_ssid;
1099 	params.ssid_len = wpa_s->sme.ext_auth_ssid_len;
1100 	params.bssid = wpa_s->sme.ext_auth_bssid;
1101 	if (wpa_s->conf->sae_pmkid_in_assoc && status == WLAN_STATUS_SUCCESS)
1102 		params.pmkid = wpa_s->sme.sae.pmkid;
1103 	wpa_drv_send_external_auth_status(wpa_s, &params);
1104 }
1105 
1106 
1107 static int sme_handle_external_auth_start(struct wpa_supplicant *wpa_s,
1108 					  union wpa_event_data *data)
1109 {
1110 	struct wpa_ssid *ssid;
1111 	size_t ssid_str_len = data->external_auth.ssid_len;
1112 	const u8 *ssid_str = data->external_auth.ssid;
1113 
1114 	/* Get the SSID conf from the ssid string obtained */
1115 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1116 		if (!wpas_network_disabled(wpa_s, ssid) &&
1117 		    ssid_str_len == ssid->ssid_len &&
1118 		    os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0 &&
1119 		    (ssid->key_mgmt & (WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE)))
1120 			break;
1121 	}
1122 	if (!ssid ||
1123 	    sme_external_auth_send_sae_commit(wpa_s, data->external_auth.bssid,
1124 					      ssid) < 0)
1125 		return -1;
1126 
1127 	return 0;
1128 }
1129 
1130 
1131 static void sme_external_auth_send_sae_confirm(struct wpa_supplicant *wpa_s,
1132 					       const u8 *da)
1133 {
1134 	struct wpabuf *resp, *buf;
1135 
1136 	resp = sme_auth_build_sae_confirm(wpa_s, 1);
1137 	if (!resp) {
1138 		wpa_printf(MSG_DEBUG, "SAE: Confirm message buf alloc failure");
1139 		return;
1140 	}
1141 
1142 	wpa_s->sme.sae.state = SAE_CONFIRMED;
1143 	buf = wpabuf_alloc(4 + SAE_CONFIRM_MAX_LEN + wpabuf_len(resp));
1144 	if (!buf) {
1145 		wpa_printf(MSG_DEBUG, "SAE: Auth Confirm buf alloc failure");
1146 		wpabuf_free(resp);
1147 		return;
1148 	}
1149 	wpa_s->sme.seq_num++;
1150 	sme_external_auth_build_buf(buf, resp, wpa_s->own_addr,
1151 				    da, 2, wpa_s->sme.seq_num,
1152 				    WLAN_STATUS_SUCCESS);
1153 	wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1, 0, 0);
1154 	wpabuf_free(resp);
1155 	wpabuf_free(buf);
1156 }
1157 
1158 
1159 void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
1160 			       union wpa_event_data *data)
1161 {
1162 	if (RSN_SELECTOR_GET(&data->external_auth.key_mgmt_suite) !=
1163 	    RSN_AUTH_KEY_MGMT_SAE)
1164 		return;
1165 
1166 	if (data->external_auth.action == EXT_AUTH_START) {
1167 		if (!data->external_auth.bssid || !data->external_auth.ssid)
1168 			return;
1169 		os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid,
1170 			  ETH_ALEN);
1171 		os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid,
1172 			  data->external_auth.ssid_len);
1173 		wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len;
1174 		wpa_s->sme.seq_num = 0;
1175 		wpa_s->sme.sae.state = SAE_NOTHING;
1176 		wpa_s->sme.sae.send_confirm = 0;
1177 		wpa_s->sme.sae_group_index = 0;
1178 		if (sme_handle_external_auth_start(wpa_s, data) < 0)
1179 			sme_send_external_auth_status(wpa_s,
1180 					      WLAN_STATUS_UNSPECIFIED_FAILURE);
1181 	} else if (data->external_auth.action == EXT_AUTH_ABORT) {
1182 		/* Report failure to driver for the wrong trigger */
1183 		sme_send_external_auth_status(wpa_s,
1184 					      WLAN_STATUS_UNSPECIFIED_FAILURE);
1185 	}
1186 }
1187 
1188 
1189 static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
1190 {
1191 	int *groups = wpa_s->conf->sae_groups;
1192 	int default_groups[] = { 19, 20, 21, 0 };
1193 	int i;
1194 
1195 	if (!groups)
1196 		groups = default_groups;
1197 
1198 	for (i = 0; groups[i] > 0; i++) {
1199 		if (groups[i] == group)
1200 			return 1;
1201 	}
1202 
1203 	return 0;
1204 }
1205 
1206 
1207 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
1208 					 const struct wpabuf *groups)
1209 {
1210 	size_t i, count;
1211 	const u8 *pos;
1212 
1213 	if (!groups)
1214 		return 0;
1215 
1216 	pos = wpabuf_head(groups);
1217 	count = wpabuf_len(groups) / 2;
1218 	for (i = 0; i < count; i++) {
1219 		int enabled;
1220 		u16 group;
1221 
1222 		group = WPA_GET_LE16(pos);
1223 		pos += 2;
1224 		enabled = sme_sae_is_group_enabled(wpa_s, group);
1225 		wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
1226 			   group, enabled ? "enabled" : "disabled");
1227 		if (enabled)
1228 			return 1;
1229 	}
1230 
1231 	return 0;
1232 }
1233 
1234 
1235 static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
1236 			u16 status_code, const u8 *data, size_t len,
1237 			int external, const u8 *sa)
1238 {
1239 	int *groups;
1240 
1241 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE authentication transaction %u "
1242 		"status code %u", auth_transaction, status_code);
1243 
1244 	if (auth_transaction == 1 &&
1245 	    status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
1246 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
1247 	    (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1248 		int default_groups[] = { 19, 20, 21, 0 };
1249 		u16 group;
1250 		const u8 *token_pos;
1251 		size_t token_len;
1252 		int h2e = 0;
1253 
1254 		groups = wpa_s->conf->sae_groups;
1255 		if (!groups || groups[0] <= 0)
1256 			groups = default_groups;
1257 
1258 		wpa_hexdump(MSG_DEBUG, "SME: SAE anti-clogging token request",
1259 			    data, len);
1260 		if (len < sizeof(le16)) {
1261 			wpa_dbg(wpa_s, MSG_DEBUG,
1262 				"SME: Too short SAE anti-clogging token request");
1263 			return -1;
1264 		}
1265 		group = WPA_GET_LE16(data);
1266 		wpa_dbg(wpa_s, MSG_DEBUG,
1267 			"SME: SAE anti-clogging token requested (group %u)",
1268 			group);
1269 		if (sae_group_allowed(&wpa_s->sme.sae, groups, group) !=
1270 		    WLAN_STATUS_SUCCESS) {
1271 			wpa_dbg(wpa_s, MSG_ERROR,
1272 				"SME: SAE group %u of anti-clogging request is invalid",
1273 				group);
1274 			return -1;
1275 		}
1276 		wpabuf_free(wpa_s->sme.sae_token);
1277 		token_pos = data + sizeof(le16);
1278 		token_len = len - sizeof(le16);
1279 		h2e = wpa_s->sme.sae.h2e;
1280 		if (h2e) {
1281 			if (token_len < 3) {
1282 				wpa_dbg(wpa_s, MSG_DEBUG,
1283 					"SME: Too short SAE anti-clogging token container");
1284 				return -1;
1285 			}
1286 			if (token_pos[0] != WLAN_EID_EXTENSION ||
1287 			    token_pos[1] == 0 ||
1288 			    token_pos[1] > token_len - 2 ||
1289 			    token_pos[2] != WLAN_EID_EXT_ANTI_CLOGGING_TOKEN) {
1290 				wpa_dbg(wpa_s, MSG_DEBUG,
1291 					"SME: Invalid SAE anti-clogging token container header");
1292 				return -1;
1293 			}
1294 			token_len = token_pos[1] - 1;
1295 			token_pos += 3;
1296 		}
1297 		wpa_s->sme.sae_token = wpabuf_alloc_copy(token_pos, token_len);
1298 		wpa_hexdump_buf(MSG_DEBUG, "SME: Requested anti-clogging token",
1299 				wpa_s->sme.sae_token);
1300 		if (!external)
1301 			sme_send_authentication(wpa_s, wpa_s->current_bss,
1302 						wpa_s->current_ssid, 2);
1303 		else
1304 			sme_external_auth_send_sae_commit(
1305 				wpa_s, wpa_s->sme.ext_auth_bssid,
1306 				wpa_s->current_ssid);
1307 		return 0;
1308 	}
1309 
1310 	if (auth_transaction == 1 &&
1311 	    status_code == WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED &&
1312 	    wpa_s->sme.sae.state == SAE_COMMITTED &&
1313 	    (external || wpa_s->current_bss) && wpa_s->current_ssid) {
1314 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SAE group not supported");
1315 		int_array_add_unique(&wpa_s->sme.sae_rejected_groups,
1316 				     wpa_s->sme.sae.group);
1317 		wpa_s->sme.sae_group_index++;
1318 		if (sme_set_sae_group(wpa_s) < 0)
1319 			return -1; /* no other groups enabled */
1320 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Try next enabled SAE group");
1321 		if (!external)
1322 			sme_send_authentication(wpa_s, wpa_s->current_bss,
1323 						wpa_s->current_ssid, 1);
1324 		else
1325 			sme_external_auth_send_sae_commit(
1326 				wpa_s, wpa_s->sme.ext_auth_bssid,
1327 				wpa_s->current_ssid);
1328 		return 0;
1329 	}
1330 
1331 	if (auth_transaction == 1 &&
1332 	    status_code == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER) {
1333 		const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
1334 
1335 		wpa_msg(wpa_s, MSG_INFO,
1336 			WPA_EVENT_SAE_UNKNOWN_PASSWORD_IDENTIFIER MACSTR,
1337 			MAC2STR(bssid));
1338 		return -1;
1339 	}
1340 
1341 	if (status_code != WLAN_STATUS_SUCCESS &&
1342 	    status_code != WLAN_STATUS_SAE_HASH_TO_ELEMENT &&
1343 	    status_code != WLAN_STATUS_SAE_PK) {
1344 		const u8 *bssid = sa ? sa : wpa_s->pending_bssid;
1345 
1346 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
1347 			" auth_type=%u auth_transaction=%u status_code=%u",
1348 			MAC2STR(bssid), WLAN_AUTH_SAE,
1349 			auth_transaction, status_code);
1350 		return -1;
1351 	}
1352 
1353 	if (auth_transaction == 1) {
1354 		u16 res;
1355 
1356 		groups = wpa_s->conf->sae_groups;
1357 
1358 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE commit");
1359 		if ((!external && wpa_s->current_bss == NULL) ||
1360 		    wpa_s->current_ssid == NULL)
1361 			return -1;
1362 		if (wpa_s->sme.sae.state != SAE_COMMITTED) {
1363 			wpa_printf(MSG_DEBUG,
1364 				   "SAE: Ignore commit message while waiting for confirm");
1365 			return 0;
1366 		}
1367 		if (wpa_s->sme.sae.h2e && status_code == WLAN_STATUS_SUCCESS) {
1368 			wpa_printf(MSG_DEBUG,
1369 				   "SAE: Unexpected use of status code 0 in SAE commit when H2E was expected");
1370 			return -1;
1371 		}
1372 		if ((!wpa_s->sme.sae.h2e || wpa_s->sme.sae.pk) &&
1373 		    status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
1374 			wpa_printf(MSG_DEBUG,
1375 				   "SAE: Unexpected use of status code for H2E in SAE commit when H2E was not expected");
1376 			return -1;
1377 		}
1378 		if (!wpa_s->sme.sae.pk &&
1379 		    status_code == WLAN_STATUS_SAE_PK) {
1380 			wpa_printf(MSG_DEBUG,
1381 				   "SAE: Unexpected use of status code for PK in SAE commit when PK was not expected");
1382 			return -1;
1383 		}
1384 
1385 		if (groups && groups[0] <= 0)
1386 			groups = NULL;
1387 		res = sae_parse_commit(&wpa_s->sme.sae, data, len, NULL, NULL,
1388 				       groups, status_code ==
1389 				       WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
1390 				       status_code == WLAN_STATUS_SAE_PK);
1391 		if (res == SAE_SILENTLY_DISCARD) {
1392 			wpa_printf(MSG_DEBUG,
1393 				   "SAE: Drop commit message due to reflection attack");
1394 			return 0;
1395 		}
1396 		if (res != WLAN_STATUS_SUCCESS)
1397 			return -1;
1398 
1399 		if (wpa_s->sme.sae.tmp &&
1400 		    sme_check_sae_rejected_groups(
1401 			    wpa_s,
1402 			    wpa_s->sme.sae.tmp->peer_rejected_groups))
1403 			return -1;
1404 
1405 		if (sae_process_commit(&wpa_s->sme.sae) < 0) {
1406 			wpa_printf(MSG_DEBUG, "SAE: Failed to process peer "
1407 				   "commit");
1408 			return -1;
1409 		}
1410 
1411 		wpabuf_free(wpa_s->sme.sae_token);
1412 		wpa_s->sme.sae_token = NULL;
1413 		if (!external)
1414 			sme_send_authentication(wpa_s, wpa_s->current_bss,
1415 						wpa_s->current_ssid, 0);
1416 		else
1417 			sme_external_auth_send_sae_confirm(wpa_s, sa);
1418 		return 0;
1419 	} else if (auth_transaction == 2) {
1420 		if (status_code != WLAN_STATUS_SUCCESS)
1421 			return -1;
1422 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
1423 		if (wpa_s->sme.sae.state != SAE_CONFIRMED)
1424 			return -1;
1425 		if (sae_check_confirm(&wpa_s->sme.sae, data, len) < 0)
1426 			return -1;
1427 		wpa_s->sme.sae.state = SAE_ACCEPTED;
1428 		sae_clear_temp_data(&wpa_s->sme.sae);
1429 
1430 		if (external) {
1431 			/* Report success to driver */
1432 			sme_send_external_auth_status(wpa_s,
1433 						      WLAN_STATUS_SUCCESS);
1434 		}
1435 
1436 		return 1;
1437 	}
1438 
1439 	return -1;
1440 }
1441 
1442 
1443 static int sme_sae_set_pmk(struct wpa_supplicant *wpa_s, const u8 *bssid)
1444 {
1445 	wpa_printf(MSG_DEBUG,
1446 		   "SME: SAE completed - setting PMK for 4-way handshake");
1447 	wpa_sm_set_pmk(wpa_s->wpa, wpa_s->sme.sae.pmk, PMK_LEN,
1448 		       wpa_s->sme.sae.pmkid, bssid);
1449 	if (wpa_s->conf->sae_pmkid_in_assoc) {
1450 		/* Update the own RSNE contents now that we have set the PMK
1451 		 * and added a PMKSA cache entry based on the successfully
1452 		 * completed SAE exchange. In practice, this will add the PMKID
1453 		 * into RSNE. */
1454 		if (wpa_s->sme.assoc_req_ie_len + 2 + PMKID_LEN >
1455 		    sizeof(wpa_s->sme.assoc_req_ie)) {
1456 			wpa_msg(wpa_s, MSG_WARNING,
1457 				"RSN: Not enough room for inserting own PMKID into RSNE");
1458 			return -1;
1459 		}
1460 		if (wpa_insert_pmkid(wpa_s->sme.assoc_req_ie,
1461 				     &wpa_s->sme.assoc_req_ie_len,
1462 				     wpa_s->sme.sae.pmkid) < 0)
1463 			return -1;
1464 		wpa_hexdump(MSG_DEBUG,
1465 			    "SME: Updated Association Request IEs",
1466 			    wpa_s->sme.assoc_req_ie,
1467 			    wpa_s->sme.assoc_req_ie_len);
1468 	}
1469 
1470 	return 0;
1471 }
1472 
1473 
1474 void sme_external_auth_mgmt_rx(struct wpa_supplicant *wpa_s,
1475 			       const u8 *auth_frame, size_t len)
1476 {
1477 	const struct ieee80211_mgmt *header;
1478 	size_t auth_length;
1479 
1480 	header = (const struct ieee80211_mgmt *) auth_frame;
1481 	auth_length = IEEE80211_HDRLEN + sizeof(header->u.auth);
1482 
1483 	if (len < auth_length) {
1484 		/* Notify failure to the driver */
1485 		sme_send_external_auth_status(wpa_s,
1486 					      WLAN_STATUS_UNSPECIFIED_FAILURE);
1487 		return;
1488 	}
1489 
1490 	if (le_to_host16(header->u.auth.auth_alg) == WLAN_AUTH_SAE) {
1491 		int res;
1492 
1493 		res = sme_sae_auth(
1494 			wpa_s, le_to_host16(header->u.auth.auth_transaction),
1495 			le_to_host16(header->u.auth.status_code),
1496 			header->u.auth.variable,
1497 			len - auth_length, 1, header->sa);
1498 		if (res < 0) {
1499 			/* Notify failure to the driver */
1500 			sme_send_external_auth_status(
1501 				wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE);
1502 			return;
1503 		}
1504 		if (res != 1)
1505 			return;
1506 
1507 		if (sme_sae_set_pmk(wpa_s, wpa_s->sme.ext_auth_bssid) < 0)
1508 			return;
1509 	}
1510 }
1511 
1512 #endif /* CONFIG_SAE */
1513 
1514 
1515 void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
1516 {
1517 	struct wpa_ssid *ssid = wpa_s->current_ssid;
1518 
1519 	if (ssid == NULL) {
1520 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1521 			"when network is not selected");
1522 		return;
1523 	}
1524 
1525 	if (wpa_s->wpa_state != WPA_AUTHENTICATING) {
1526 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication event "
1527 			"when not in authenticating state");
1528 		return;
1529 	}
1530 
1531 	if (os_memcmp(wpa_s->pending_bssid, data->auth.peer, ETH_ALEN) != 0) {
1532 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Ignore authentication with "
1533 			"unexpected peer " MACSTR,
1534 			MAC2STR(data->auth.peer));
1535 		return;
1536 	}
1537 
1538 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication response: peer=" MACSTR
1539 		" auth_type=%d auth_transaction=%d status_code=%d",
1540 		MAC2STR(data->auth.peer), data->auth.auth_type,
1541 		data->auth.auth_transaction, data->auth.status_code);
1542 	wpa_hexdump(MSG_MSGDUMP, "SME: Authentication response IEs",
1543 		    data->auth.ies, data->auth.ies_len);
1544 
1545 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
1546 
1547 #ifdef CONFIG_SAE
1548 	if (data->auth.auth_type == WLAN_AUTH_SAE) {
1549 		int res;
1550 		res = sme_sae_auth(wpa_s, data->auth.auth_transaction,
1551 				   data->auth.status_code, data->auth.ies,
1552 				   data->auth.ies_len, 0, data->auth.peer);
1553 		if (res < 0) {
1554 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1555 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1556 
1557 		}
1558 		if (res != 1)
1559 			return;
1560 
1561 		if (sme_sae_set_pmk(wpa_s, wpa_s->pending_bssid) < 0)
1562 			return;
1563 	}
1564 #endif /* CONFIG_SAE */
1565 
1566 	if (data->auth.status_code != WLAN_STATUS_SUCCESS) {
1567 		char *ie_txt = NULL;
1568 
1569 		if (data->auth.ies && data->auth.ies_len) {
1570 			size_t buflen = 2 * data->auth.ies_len + 1;
1571 			ie_txt = os_malloc(buflen);
1572 			if (ie_txt) {
1573 				wpa_snprintf_hex(ie_txt, buflen, data->auth.ies,
1574 						 data->auth.ies_len);
1575 			}
1576 		}
1577 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_AUTH_REJECT MACSTR
1578 			" auth_type=%u auth_transaction=%u status_code=%u%s%s",
1579 			MAC2STR(data->auth.peer), data->auth.auth_type,
1580 			data->auth.auth_transaction, data->auth.status_code,
1581 			ie_txt ? " ie=" : "",
1582 			ie_txt ? ie_txt : "");
1583 		os_free(ie_txt);
1584 
1585 #ifdef CONFIG_FILS
1586 		if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS ||
1587 		    wpa_s->sme.auth_alg == WPA_AUTH_ALG_FILS_SK_PFS)
1588 			fils_connection_failure(wpa_s);
1589 #endif /* CONFIG_FILS */
1590 
1591 		if (data->auth.status_code !=
1592 		    WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG ||
1593 		    wpa_s->sme.auth_alg == data->auth.auth_type ||
1594 		    wpa_s->current_ssid->auth_alg == WPA_AUTH_ALG_LEAP) {
1595 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1596 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1597 			return;
1598 		}
1599 
1600 		wpas_connect_work_done(wpa_s);
1601 
1602 		switch (data->auth.auth_type) {
1603 		case WLAN_AUTH_OPEN:
1604 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_SHARED;
1605 
1606 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying SHARED auth");
1607 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1608 						 wpa_s->current_ssid);
1609 			return;
1610 
1611 		case WLAN_AUTH_SHARED_KEY:
1612 			wpa_s->current_ssid->auth_alg = WPA_AUTH_ALG_LEAP;
1613 
1614 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying LEAP auth");
1615 			wpa_supplicant_associate(wpa_s, wpa_s->current_bss,
1616 						 wpa_s->current_ssid);
1617 			return;
1618 
1619 		default:
1620 			return;
1621 		}
1622 	}
1623 
1624 #ifdef CONFIG_IEEE80211R
1625 	if (data->auth.auth_type == WLAN_AUTH_FT) {
1626 		const u8 *ric_ies = NULL;
1627 		size_t ric_ies_len = 0;
1628 
1629 		if (wpa_s->ric_ies) {
1630 			ric_ies = wpabuf_head(wpa_s->ric_ies);
1631 			ric_ies_len = wpabuf_len(wpa_s->ric_ies);
1632 		}
1633 		if (wpa_ft_process_response(wpa_s->wpa, data->auth.ies,
1634 					    data->auth.ies_len, 0,
1635 					    data->auth.peer,
1636 					    ric_ies, ric_ies_len) < 0) {
1637 			wpa_dbg(wpa_s, MSG_DEBUG,
1638 				"SME: FT Authentication response processing failed");
1639 			wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1640 				MACSTR
1641 				" reason=%d locally_generated=1",
1642 				MAC2STR(wpa_s->pending_bssid),
1643 				WLAN_REASON_DEAUTH_LEAVING);
1644 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1645 			wpa_supplicant_mark_disassoc(wpa_s);
1646 			return;
1647 		}
1648 	}
1649 #endif /* CONFIG_IEEE80211R */
1650 
1651 #ifdef CONFIG_FILS
1652 	if (data->auth.auth_type == WLAN_AUTH_FILS_SK ||
1653 	    data->auth.auth_type == WLAN_AUTH_FILS_SK_PFS) {
1654 		u16 expect_auth_type;
1655 
1656 		expect_auth_type = wpa_s->sme.auth_alg ==
1657 			WPA_AUTH_ALG_FILS_SK_PFS ? WLAN_AUTH_FILS_SK_PFS :
1658 			WLAN_AUTH_FILS_SK;
1659 		if (data->auth.auth_type != expect_auth_type) {
1660 			wpa_dbg(wpa_s, MSG_DEBUG,
1661 				"SME: FILS Authentication response used different auth alg (%u; expected %u)",
1662 				data->auth.auth_type, expect_auth_type);
1663 			wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1664 				MACSTR
1665 				" reason=%d locally_generated=1",
1666 				MAC2STR(wpa_s->pending_bssid),
1667 				WLAN_REASON_DEAUTH_LEAVING);
1668 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1669 			wpa_supplicant_mark_disassoc(wpa_s);
1670 			return;
1671 		}
1672 
1673 		if (fils_process_auth(wpa_s->wpa, wpa_s->pending_bssid,
1674 				      data->auth.ies, data->auth.ies_len) < 0) {
1675 			wpa_dbg(wpa_s, MSG_DEBUG,
1676 				"SME: FILS Authentication response processing failed");
1677 			wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_DISCONNECTED "bssid="
1678 				MACSTR
1679 				" reason=%d locally_generated=1",
1680 				MAC2STR(wpa_s->pending_bssid),
1681 				WLAN_REASON_DEAUTH_LEAVING);
1682 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
1683 			wpa_supplicant_mark_disassoc(wpa_s);
1684 			return;
1685 		}
1686 	}
1687 #endif /* CONFIG_FILS */
1688 
1689 	sme_associate(wpa_s, ssid->mode, data->auth.peer,
1690 		      data->auth.auth_type);
1691 }
1692 
1693 
1694 #ifdef CONFIG_IEEE80211R
1695 static void remove_ie(u8 *buf, size_t *len, u8 eid)
1696 {
1697 	u8 *pos, *next, *end;
1698 
1699 	pos = (u8 *) get_ie(buf, *len, eid);
1700 	if (pos) {
1701 		next = pos + 2 + pos[1];
1702 		end = buf + *len;
1703 		*len -= 2 + pos[1];
1704 		os_memmove(pos, next, end - next);
1705 	}
1706 }
1707 #endif /* CONFIG_IEEE80211R */
1708 
1709 
1710 void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
1711 		   const u8 *bssid, u16 auth_type)
1712 {
1713 	struct wpa_driver_associate_params params;
1714 	struct ieee802_11_elems elems;
1715 	struct wpa_ssid *ssid = wpa_s->current_ssid;
1716 #ifdef CONFIG_FILS
1717 	u8 nonces[2 * FILS_NONCE_LEN];
1718 #endif /* CONFIG_FILS */
1719 #ifdef CONFIG_HT_OVERRIDES
1720 	struct ieee80211_ht_capabilities htcaps;
1721 	struct ieee80211_ht_capabilities htcaps_mask;
1722 #endif /* CONFIG_HT_OVERRIDES */
1723 #ifdef CONFIG_VHT_OVERRIDES
1724 	struct ieee80211_vht_capabilities vhtcaps;
1725 	struct ieee80211_vht_capabilities vhtcaps_mask;
1726 #endif /* CONFIG_VHT_OVERRIDES */
1727 
1728 	os_memset(&params, 0, sizeof(params));
1729 
1730 #ifdef CONFIG_FILS
1731 	if (auth_type == WLAN_AUTH_FILS_SK ||
1732 	    auth_type == WLAN_AUTH_FILS_SK_PFS) {
1733 		struct wpabuf *buf;
1734 		const u8 *snonce, *anonce;
1735 		const unsigned int max_hlp = 20;
1736 		struct wpabuf *hlp[max_hlp];
1737 		unsigned int i, num_hlp = 0;
1738 		struct fils_hlp_req *req;
1739 
1740 		dl_list_for_each(req, &wpa_s->fils_hlp_req, struct fils_hlp_req,
1741 				 list) {
1742 			hlp[num_hlp] = wpabuf_alloc(2 * ETH_ALEN + 6 +
1743 					      wpabuf_len(req->pkt));
1744 			if (!hlp[num_hlp])
1745 				break;
1746 			wpabuf_put_data(hlp[num_hlp], req->dst, ETH_ALEN);
1747 			wpabuf_put_data(hlp[num_hlp], wpa_s->own_addr,
1748 					ETH_ALEN);
1749 			wpabuf_put_data(hlp[num_hlp],
1750 					"\xaa\xaa\x03\x00\x00\x00", 6);
1751 			wpabuf_put_buf(hlp[num_hlp], req->pkt);
1752 			num_hlp++;
1753 			if (num_hlp >= max_hlp)
1754 				break;
1755 		}
1756 
1757 		buf = fils_build_assoc_req(wpa_s->wpa, &params.fils_kek,
1758 					   &params.fils_kek_len, &snonce,
1759 					   &anonce,
1760 					   (const struct wpabuf **) hlp,
1761 					   num_hlp);
1762 		for (i = 0; i < num_hlp; i++)
1763 			wpabuf_free(hlp[i]);
1764 		if (!buf)
1765 			return;
1766 		wpa_hexdump(MSG_DEBUG, "FILS: assoc_req before FILS elements",
1767 			    wpa_s->sme.assoc_req_ie,
1768 			    wpa_s->sme.assoc_req_ie_len);
1769 #ifdef CONFIG_IEEE80211R
1770 		if (wpa_key_mgmt_ft(wpa_s->key_mgmt)) {
1771 			/* Remove RSNE and MDE to allow them to be overridden
1772 			 * with FILS+FT specific values from
1773 			 * fils_build_assoc_req(). */
1774 			remove_ie(wpa_s->sme.assoc_req_ie,
1775 				  &wpa_s->sme.assoc_req_ie_len,
1776 				  WLAN_EID_RSN);
1777 			wpa_hexdump(MSG_DEBUG,
1778 				    "FILS: assoc_req after RSNE removal",
1779 				    wpa_s->sme.assoc_req_ie,
1780 				    wpa_s->sme.assoc_req_ie_len);
1781 			remove_ie(wpa_s->sme.assoc_req_ie,
1782 				  &wpa_s->sme.assoc_req_ie_len,
1783 				  WLAN_EID_MOBILITY_DOMAIN);
1784 			wpa_hexdump(MSG_DEBUG,
1785 				    "FILS: assoc_req after MDE removal",
1786 				    wpa_s->sme.assoc_req_ie,
1787 				    wpa_s->sme.assoc_req_ie_len);
1788 		}
1789 #endif /* CONFIG_IEEE80211R */
1790 		/* TODO: Make wpa_s->sme.assoc_req_ie use dynamic allocation */
1791 		if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(buf) >
1792 		    sizeof(wpa_s->sme.assoc_req_ie)) {
1793 			wpa_printf(MSG_ERROR,
1794 				   "FILS: Not enough buffer room for own AssocReq elements");
1795 			wpabuf_free(buf);
1796 			return;
1797 		}
1798 		os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1799 			  wpabuf_head(buf), wpabuf_len(buf));
1800 		wpa_s->sme.assoc_req_ie_len += wpabuf_len(buf);
1801 		wpabuf_free(buf);
1802 		wpa_hexdump(MSG_DEBUG, "FILS: assoc_req after FILS elements",
1803 			    wpa_s->sme.assoc_req_ie,
1804 			    wpa_s->sme.assoc_req_ie_len);
1805 
1806 		os_memcpy(nonces, snonce, FILS_NONCE_LEN);
1807 		os_memcpy(nonces + FILS_NONCE_LEN, anonce, FILS_NONCE_LEN);
1808 		params.fils_nonces = nonces;
1809 		params.fils_nonces_len = sizeof(nonces);
1810 	}
1811 #endif /* CONFIG_FILS */
1812 
1813 #ifdef CONFIG_OWE
1814 #ifdef CONFIG_TESTING_OPTIONS
1815 	if (get_ie_ext(wpa_s->sme.assoc_req_ie, wpa_s->sme.assoc_req_ie_len,
1816 		       WLAN_EID_EXT_OWE_DH_PARAM)) {
1817 		wpa_printf(MSG_INFO, "TESTING: Override OWE DH element");
1818 	} else
1819 #endif /* CONFIG_TESTING_OPTIONS */
1820 	if (auth_type == WLAN_AUTH_OPEN &&
1821 	    wpa_s->key_mgmt == WPA_KEY_MGMT_OWE) {
1822 		struct wpabuf *owe_ie;
1823 		u16 group;
1824 
1825 		if (ssid && ssid->owe_group) {
1826 			group = ssid->owe_group;
1827 		} else if (wpa_s->assoc_status_code ==
1828 			   WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED) {
1829 			if (wpa_s->last_owe_group == 19)
1830 				group = 20;
1831 			else if (wpa_s->last_owe_group == 20)
1832 				group = 21;
1833 			else
1834 				group = OWE_DH_GROUP;
1835 		} else {
1836 			group = OWE_DH_GROUP;
1837 		}
1838 
1839 		wpa_s->last_owe_group = group;
1840 		wpa_printf(MSG_DEBUG, "OWE: Try to use group %u", group);
1841 		owe_ie = owe_build_assoc_req(wpa_s->wpa, group);
1842 		if (!owe_ie) {
1843 			wpa_printf(MSG_ERROR,
1844 				   "OWE: Failed to build IE for Association Request frame");
1845 			return;
1846 		}
1847 		if (wpa_s->sme.assoc_req_ie_len + wpabuf_len(owe_ie) >
1848 		    sizeof(wpa_s->sme.assoc_req_ie)) {
1849 			wpa_printf(MSG_ERROR,
1850 				   "OWE: Not enough buffer room for own Association Request frame elements");
1851 			wpabuf_free(owe_ie);
1852 			return;
1853 		}
1854 		os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1855 			  wpabuf_head(owe_ie), wpabuf_len(owe_ie));
1856 		wpa_s->sme.assoc_req_ie_len += wpabuf_len(owe_ie);
1857 		wpabuf_free(owe_ie);
1858 	}
1859 #endif /* CONFIG_OWE */
1860 
1861 #ifdef CONFIG_DPP2
1862 	if (DPP_VERSION > 1 && wpa_s->key_mgmt == WPA_KEY_MGMT_DPP && ssid &&
1863 	    ssid->dpp_netaccesskey && ssid->dpp_pfs != 2 &&
1864 	    !ssid->dpp_pfs_fallback) {
1865 		struct rsn_pmksa_cache_entry *pmksa;
1866 
1867 		pmksa = pmksa_cache_get_current(wpa_s->wpa);
1868 		if (!pmksa || !pmksa->dpp_pfs)
1869 			goto pfs_fail;
1870 
1871 		dpp_pfs_free(wpa_s->dpp_pfs);
1872 		wpa_s->dpp_pfs = dpp_pfs_init(ssid->dpp_netaccesskey,
1873 					      ssid->dpp_netaccesskey_len);
1874 		if (!wpa_s->dpp_pfs) {
1875 			wpa_printf(MSG_DEBUG, "DPP: Could not initialize PFS");
1876 			/* Try to continue without PFS */
1877 			goto pfs_fail;
1878 		}
1879 		if (wpa_s->sme.assoc_req_ie_len +
1880 		    wpabuf_len(wpa_s->dpp_pfs->ie) >
1881 		    sizeof(wpa_s->sme.assoc_req_ie)) {
1882 			wpa_printf(MSG_ERROR,
1883 				   "DPP: Not enough buffer room for own Association Request frame elements");
1884 			dpp_pfs_free(wpa_s->dpp_pfs);
1885 			wpa_s->dpp_pfs = NULL;
1886 			goto pfs_fail;
1887 		}
1888 		os_memcpy(wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1889 			  wpabuf_head(wpa_s->dpp_pfs->ie),
1890 			  wpabuf_len(wpa_s->dpp_pfs->ie));
1891 		wpa_s->sme.assoc_req_ie_len += wpabuf_len(wpa_s->dpp_pfs->ie);
1892 	}
1893 pfs_fail:
1894 #endif /* CONFIG_DPP2 */
1895 
1896 	wpa_s->mscs_setup_done = false;
1897 	if (wpa_bss_ext_capab(wpa_s->current_bss, WLAN_EXT_CAPAB_MSCS) &&
1898 	    wpa_s->robust_av.valid_config) {
1899 		struct wpabuf *mscs_ie;
1900 		size_t mscs_ie_len, buf_len, *wpa_ie_len, max_ie_len;
1901 
1902 		buf_len = 3 +	/* MSCS descriptor IE header */
1903 			  1 +	/* Request type */
1904 			  2 +	/* User priority control */
1905 			  4 +	/* Stream timeout */
1906 			  3 +	/* TCLAS Mask IE header */
1907 			  wpa_s->robust_av.frame_classifier_len;
1908 		mscs_ie = wpabuf_alloc(buf_len);
1909 		if (!mscs_ie) {
1910 			wpa_printf(MSG_INFO,
1911 				   "MSCS: Failed to allocate MSCS IE");
1912 			goto mscs_fail;
1913 		}
1914 
1915 		wpa_ie_len = &wpa_s->sme.assoc_req_ie_len;
1916 		max_ie_len = sizeof(wpa_s->sme.assoc_req_ie);
1917 		wpas_populate_mscs_descriptor_ie(&wpa_s->robust_av, mscs_ie);
1918 		if ((*wpa_ie_len + wpabuf_len(mscs_ie)) <= max_ie_len) {
1919 			wpa_hexdump_buf(MSG_MSGDUMP, "MSCS IE", mscs_ie);
1920 			mscs_ie_len = wpabuf_len(mscs_ie);
1921 			os_memcpy(wpa_s->sme.assoc_req_ie + *wpa_ie_len,
1922 				  wpabuf_head(mscs_ie), mscs_ie_len);
1923 			*wpa_ie_len += mscs_ie_len;
1924 		}
1925 
1926 		wpabuf_free(mscs_ie);
1927 	}
1928 mscs_fail:
1929 
1930 	if (ssid && ssid->multi_ap_backhaul_sta) {
1931 		size_t multi_ap_ie_len;
1932 
1933 		multi_ap_ie_len = add_multi_ap_ie(
1934 			wpa_s->sme.assoc_req_ie + wpa_s->sme.assoc_req_ie_len,
1935 			sizeof(wpa_s->sme.assoc_req_ie) -
1936 			wpa_s->sme.assoc_req_ie_len,
1937 			MULTI_AP_BACKHAUL_STA);
1938 		if (multi_ap_ie_len == 0) {
1939 			wpa_printf(MSG_ERROR,
1940 				   "Multi-AP: Failed to build Multi-AP IE");
1941 			return;
1942 		}
1943 		wpa_s->sme.assoc_req_ie_len += multi_ap_ie_len;
1944 	}
1945 
1946 	params.bssid = bssid;
1947 	params.ssid = wpa_s->sme.ssid;
1948 	params.ssid_len = wpa_s->sme.ssid_len;
1949 	params.freq.freq = wpa_s->sme.freq;
1950 	params.bg_scan_period = ssid ? ssid->bg_scan_period : -1;
1951 	params.wpa_ie = wpa_s->sme.assoc_req_ie_len ?
1952 		wpa_s->sme.assoc_req_ie : NULL;
1953 	params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
1954 	wpa_hexdump(MSG_DEBUG, "SME: Association Request IEs",
1955 		    params.wpa_ie, params.wpa_ie_len);
1956 	params.pairwise_suite = wpa_s->pairwise_cipher;
1957 	params.group_suite = wpa_s->group_cipher;
1958 	params.mgmt_group_suite = wpa_s->mgmt_group_cipher;
1959 	params.key_mgmt_suite = wpa_s->key_mgmt;
1960 	params.wpa_proto = wpa_s->wpa_proto;
1961 #ifdef CONFIG_HT_OVERRIDES
1962 	os_memset(&htcaps, 0, sizeof(htcaps));
1963 	os_memset(&htcaps_mask, 0, sizeof(htcaps_mask));
1964 	params.htcaps = (u8 *) &htcaps;
1965 	params.htcaps_mask = (u8 *) &htcaps_mask;
1966 	wpa_supplicant_apply_ht_overrides(wpa_s, ssid, &params);
1967 #endif /* CONFIG_HT_OVERRIDES */
1968 #ifdef CONFIG_VHT_OVERRIDES
1969 	os_memset(&vhtcaps, 0, sizeof(vhtcaps));
1970 	os_memset(&vhtcaps_mask, 0, sizeof(vhtcaps_mask));
1971 	params.vhtcaps = &vhtcaps;
1972 	params.vhtcaps_mask = &vhtcaps_mask;
1973 	wpa_supplicant_apply_vht_overrides(wpa_s, ssid, &params);
1974 #endif /* CONFIG_VHT_OVERRIDES */
1975 #ifdef CONFIG_HE_OVERRIDES
1976 	wpa_supplicant_apply_he_overrides(wpa_s, ssid, &params);
1977 #endif /* CONFIG_HE_OVERRIDES */
1978 #ifdef CONFIG_IEEE80211R
1979 	if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies &&
1980 	    get_ie(wpa_s->sme.ft_ies, wpa_s->sme.ft_ies_len,
1981 		   WLAN_EID_RIC_DATA)) {
1982 		/* There seems to be a pretty inconvenient bug in the Linux
1983 		 * kernel IE splitting functionality when RIC is used. For now,
1984 		 * skip correct behavior in IE construction here (i.e., drop the
1985 		 * additional non-FT-specific IEs) to avoid kernel issues. This
1986 		 * is fine since RIC is used only for testing purposes in the
1987 		 * current implementation. */
1988 		wpa_printf(MSG_INFO,
1989 			   "SME: Linux kernel workaround - do not try to include additional IEs with RIC");
1990 		params.wpa_ie = wpa_s->sme.ft_ies;
1991 		params.wpa_ie_len = wpa_s->sme.ft_ies_len;
1992 	} else if (auth_type == WLAN_AUTH_FT && wpa_s->sme.ft_ies) {
1993 		const u8 *rm_en, *pos, *end;
1994 		size_t rm_en_len = 0;
1995 		u8 *rm_en_dup = NULL, *wpos;
1996 
1997 		/* Remove RSNE, MDE, FTE to allow them to be overridden with
1998 		 * FT specific values */
1999 		remove_ie(wpa_s->sme.assoc_req_ie,
2000 			  &wpa_s->sme.assoc_req_ie_len,
2001 			  WLAN_EID_RSN);
2002 		remove_ie(wpa_s->sme.assoc_req_ie,
2003 			  &wpa_s->sme.assoc_req_ie_len,
2004 			  WLAN_EID_MOBILITY_DOMAIN);
2005 		remove_ie(wpa_s->sme.assoc_req_ie,
2006 			  &wpa_s->sme.assoc_req_ie_len,
2007 			  WLAN_EID_FAST_BSS_TRANSITION);
2008 		rm_en = get_ie(wpa_s->sme.assoc_req_ie,
2009 			       wpa_s->sme.assoc_req_ie_len,
2010 			       WLAN_EID_RRM_ENABLED_CAPABILITIES);
2011 		if (rm_en) {
2012 			/* Need to remove RM Enabled Capabilities element as
2013 			 * well temporarily, so that it can be placed between
2014 			 * RSNE and MDE. */
2015 			rm_en_len = 2 + rm_en[1];
2016 			rm_en_dup = os_memdup(rm_en, rm_en_len);
2017 			remove_ie(wpa_s->sme.assoc_req_ie,
2018 				  &wpa_s->sme.assoc_req_ie_len,
2019 				  WLAN_EID_RRM_ENABLED_CAPABILITIES);
2020 		}
2021 		wpa_hexdump(MSG_DEBUG,
2022 			    "SME: Association Request IEs after FT IE removal",
2023 			    wpa_s->sme.assoc_req_ie,
2024 			    wpa_s->sme.assoc_req_ie_len);
2025 		if (wpa_s->sme.assoc_req_ie_len + wpa_s->sme.ft_ies_len +
2026 		    rm_en_len > sizeof(wpa_s->sme.assoc_req_ie)) {
2027 			wpa_printf(MSG_ERROR,
2028 				   "SME: Not enough buffer room for FT IEs in Association Request frame");
2029 			os_free(rm_en_dup);
2030 			return;
2031 		}
2032 
2033 		os_memmove(wpa_s->sme.assoc_req_ie + wpa_s->sme.ft_ies_len +
2034 			   rm_en_len,
2035 			   wpa_s->sme.assoc_req_ie,
2036 			   wpa_s->sme.assoc_req_ie_len);
2037 		pos = wpa_s->sme.ft_ies;
2038 		end = pos + wpa_s->sme.ft_ies_len;
2039 		wpos = wpa_s->sme.assoc_req_ie;
2040 		if (*pos == WLAN_EID_RSN) {
2041 			os_memcpy(wpos, pos, 2 + pos[1]);
2042 			wpos += 2 + pos[1];
2043 			pos += 2 + pos[1];
2044 		}
2045 		if (rm_en_dup) {
2046 			os_memcpy(wpos, rm_en_dup, rm_en_len);
2047 			wpos += rm_en_len;
2048 			os_free(rm_en_dup);
2049 		}
2050 		os_memcpy(wpos, pos, end - pos);
2051 		wpa_s->sme.assoc_req_ie_len += wpa_s->sme.ft_ies_len +
2052 			rm_en_len;
2053 		params.wpa_ie = wpa_s->sme.assoc_req_ie;
2054 		params.wpa_ie_len = wpa_s->sme.assoc_req_ie_len;
2055 		wpa_hexdump(MSG_DEBUG,
2056 			    "SME: Association Request IEs after FT override",
2057 			    params.wpa_ie, params.wpa_ie_len);
2058 	}
2059 #endif /* CONFIG_IEEE80211R */
2060 	params.mode = mode;
2061 	params.mgmt_frame_protection = wpa_s->sme.mfp;
2062 	params.rrm_used = wpa_s->rrm.rrm_used;
2063 	if (wpa_s->sme.prev_bssid_set)
2064 		params.prev_bssid = wpa_s->sme.prev_bssid;
2065 
2066 	wpa_msg(wpa_s, MSG_INFO, "Trying to associate with " MACSTR
2067 		" (SSID='%s' freq=%d MHz)", MAC2STR(params.bssid),
2068 		params.ssid ? wpa_ssid_txt(params.ssid, params.ssid_len) : "",
2069 		params.freq.freq);
2070 
2071 	wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATING);
2072 
2073 	if (params.wpa_ie == NULL ||
2074 	    ieee802_11_parse_elems(params.wpa_ie, params.wpa_ie_len, &elems, 0)
2075 	    < 0) {
2076 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Could not parse own IEs?!");
2077 		os_memset(&elems, 0, sizeof(elems));
2078 	}
2079 	if (elems.rsn_ie) {
2080 		params.wpa_proto = WPA_PROTO_RSN;
2081 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.rsn_ie - 2,
2082 					elems.rsn_ie_len + 2);
2083 	} else if (elems.wpa_ie) {
2084 		params.wpa_proto = WPA_PROTO_WPA;
2085 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.wpa_ie - 2,
2086 					elems.wpa_ie_len + 2);
2087 	} else if (elems.osen) {
2088 		params.wpa_proto = WPA_PROTO_OSEN;
2089 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, elems.osen - 2,
2090 					elems.osen_len + 2);
2091 	} else
2092 		wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
2093 	if (elems.rsnxe)
2094 		wpa_sm_set_assoc_rsnxe(wpa_s->wpa, elems.rsnxe - 2,
2095 				       elems.rsnxe_len + 2);
2096 	else
2097 		wpa_sm_set_assoc_rsnxe(wpa_s->wpa, NULL, 0);
2098 	if (ssid && ssid->p2p_group)
2099 		params.p2p = 1;
2100 
2101 	if (wpa_s->p2pdev->set_sta_uapsd)
2102 		params.uapsd = wpa_s->p2pdev->sta_uapsd;
2103 	else
2104 		params.uapsd = -1;
2105 
2106 	if (wpa_drv_associate(wpa_s, &params) < 0) {
2107 		wpa_msg(wpa_s, MSG_INFO, "SME: Association request to the "
2108 			"driver failed");
2109 		wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2110 		wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
2111 		os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
2112 		return;
2113 	}
2114 
2115 	eloop_register_timeout(SME_ASSOC_TIMEOUT, 0, sme_assoc_timer, wpa_s,
2116 			       NULL);
2117 
2118 #ifdef CONFIG_TESTING_OPTIONS
2119 	wpabuf_free(wpa_s->last_assoc_req_wpa_ie);
2120 	wpa_s->last_assoc_req_wpa_ie = NULL;
2121 	if (params.wpa_ie)
2122 		wpa_s->last_assoc_req_wpa_ie =
2123 			wpabuf_alloc_copy(params.wpa_ie, params.wpa_ie_len);
2124 #endif /* CONFIG_TESTING_OPTIONS */
2125 }
2126 
2127 
2128 int sme_update_ft_ies(struct wpa_supplicant *wpa_s, const u8 *md,
2129 		      const u8 *ies, size_t ies_len)
2130 {
2131 	if (md == NULL || ies == NULL) {
2132 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Remove mobility domain");
2133 		os_free(wpa_s->sme.ft_ies);
2134 		wpa_s->sme.ft_ies = NULL;
2135 		wpa_s->sme.ft_ies_len = 0;
2136 		wpa_s->sme.ft_used = 0;
2137 		return 0;
2138 	}
2139 
2140 	os_memcpy(wpa_s->sme.mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
2141 	wpa_hexdump(MSG_DEBUG, "SME: FT IEs", ies, ies_len);
2142 	os_free(wpa_s->sme.ft_ies);
2143 	wpa_s->sme.ft_ies = os_memdup(ies, ies_len);
2144 	if (wpa_s->sme.ft_ies == NULL)
2145 		return -1;
2146 	wpa_s->sme.ft_ies_len = ies_len;
2147 	return 0;
2148 }
2149 
2150 
2151 static void sme_deauth(struct wpa_supplicant *wpa_s)
2152 {
2153 	int bssid_changed;
2154 
2155 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
2156 
2157 	if (wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
2158 				   WLAN_REASON_DEAUTH_LEAVING) < 0) {
2159 		wpa_msg(wpa_s, MSG_INFO, "SME: Deauth request to the driver "
2160 			"failed");
2161 	}
2162 	wpa_s->sme.prev_bssid_set = 0;
2163 
2164 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2165 	wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
2166 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
2167 	os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
2168 	if (bssid_changed)
2169 		wpas_notify_bssid_changed(wpa_s);
2170 }
2171 
2172 
2173 void sme_event_assoc_reject(struct wpa_supplicant *wpa_s,
2174 			    union wpa_event_data *data)
2175 {
2176 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association with " MACSTR " failed: "
2177 		"status code %d", MAC2STR(wpa_s->pending_bssid),
2178 		data->assoc_reject.status_code);
2179 
2180 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2181 
2182 #ifdef CONFIG_SAE
2183 	if (wpa_s->sme.sae_pmksa_caching && wpa_s->current_ssid &&
2184 	    wpa_key_mgmt_sae(wpa_s->current_ssid->key_mgmt)) {
2185 		wpa_dbg(wpa_s, MSG_DEBUG,
2186 			"PMKSA caching attempt rejected - drop PMKSA cache entry and fall back to SAE authentication");
2187 		wpa_sm_aborted_cached(wpa_s->wpa);
2188 		wpa_sm_pmksa_cache_flush(wpa_s->wpa, wpa_s->current_ssid);
2189 		if (wpa_s->current_bss) {
2190 			struct wpa_bss *bss = wpa_s->current_bss;
2191 			struct wpa_ssid *ssid = wpa_s->current_ssid;
2192 
2193 			wpa_drv_deauthenticate(wpa_s, wpa_s->pending_bssid,
2194 					       WLAN_REASON_DEAUTH_LEAVING);
2195 			wpas_connect_work_done(wpa_s);
2196 			wpa_supplicant_mark_disassoc(wpa_s);
2197 			wpa_supplicant_connect(wpa_s, bss, ssid);
2198 			return;
2199 		}
2200 	}
2201 #endif /* CONFIG_SAE */
2202 
2203 	/*
2204 	 * For now, unconditionally terminate the previous authentication. In
2205 	 * theory, this should not be needed, but mac80211 gets quite confused
2206 	 * if the authentication is left pending.. Some roaming cases might
2207 	 * benefit from using the previous authentication, so this could be
2208 	 * optimized in the future.
2209 	 */
2210 	sme_deauth(wpa_s);
2211 }
2212 
2213 
2214 void sme_event_auth_timed_out(struct wpa_supplicant *wpa_s,
2215 			      union wpa_event_data *data)
2216 {
2217 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Authentication timed out");
2218 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2219 	wpa_supplicant_mark_disassoc(wpa_s);
2220 }
2221 
2222 
2223 void sme_event_assoc_timed_out(struct wpa_supplicant *wpa_s,
2224 			       union wpa_event_data *data)
2225 {
2226 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association timed out");
2227 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid);
2228 	wpa_supplicant_mark_disassoc(wpa_s);
2229 }
2230 
2231 
2232 void sme_event_disassoc(struct wpa_supplicant *wpa_s,
2233 			struct disassoc_info *info)
2234 {
2235 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Disassociation event received");
2236 	if (wpa_s->sme.prev_bssid_set) {
2237 		/*
2238 		 * cfg80211/mac80211 can get into somewhat confused state if
2239 		 * the AP only disassociates us and leaves us in authenticated
2240 		 * state. For now, force the state to be cleared to avoid
2241 		 * confusing errors if we try to associate with the AP again.
2242 		 */
2243 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Deauthenticate to clear "
2244 			"driver state");
2245 		wpa_drv_deauthenticate(wpa_s, wpa_s->sme.prev_bssid,
2246 				       WLAN_REASON_DEAUTH_LEAVING);
2247 	}
2248 }
2249 
2250 
2251 static void sme_auth_timer(void *eloop_ctx, void *timeout_ctx)
2252 {
2253 	struct wpa_supplicant *wpa_s = eloop_ctx;
2254 	if (wpa_s->wpa_state == WPA_AUTHENTICATING) {
2255 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Authentication timeout");
2256 		sme_deauth(wpa_s);
2257 	}
2258 }
2259 
2260 
2261 static void sme_assoc_timer(void *eloop_ctx, void *timeout_ctx)
2262 {
2263 	struct wpa_supplicant *wpa_s = eloop_ctx;
2264 	if (wpa_s->wpa_state == WPA_ASSOCIATING) {
2265 		wpa_msg(wpa_s, MSG_DEBUG, "SME: Association timeout");
2266 		sme_deauth(wpa_s);
2267 	}
2268 }
2269 
2270 
2271 void sme_state_changed(struct wpa_supplicant *wpa_s)
2272 {
2273 	/* Make sure timers are cleaned up appropriately. */
2274 	if (wpa_s->wpa_state != WPA_ASSOCIATING)
2275 		eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2276 	if (wpa_s->wpa_state != WPA_AUTHENTICATING)
2277 		eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2278 }
2279 
2280 
2281 void sme_disassoc_while_authenticating(struct wpa_supplicant *wpa_s,
2282 				       const u8 *prev_pending_bssid)
2283 {
2284 	/*
2285 	 * mac80211-workaround to force deauth on failed auth cmd,
2286 	 * requires us to remain in authenticating state to allow the
2287 	 * second authentication attempt to be continued properly.
2288 	 */
2289 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Allow pending authentication "
2290 		"to proceed after disconnection event");
2291 	wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
2292 	os_memcpy(wpa_s->pending_bssid, prev_pending_bssid, ETH_ALEN);
2293 
2294 	/*
2295 	 * Re-arm authentication timer in case auth fails for whatever reason.
2296 	 */
2297 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2298 	eloop_register_timeout(SME_AUTH_TIMEOUT, 0, sme_auth_timer, wpa_s,
2299 			       NULL);
2300 }
2301 
2302 
2303 void sme_clear_on_disassoc(struct wpa_supplicant *wpa_s)
2304 {
2305 	wpa_s->sme.prev_bssid_set = 0;
2306 #ifdef CONFIG_SAE
2307 	wpabuf_free(wpa_s->sme.sae_token);
2308 	wpa_s->sme.sae_token = NULL;
2309 	sae_clear_data(&wpa_s->sme.sae);
2310 #endif /* CONFIG_SAE */
2311 #ifdef CONFIG_IEEE80211R
2312 	if (wpa_s->sme.ft_ies || wpa_s->sme.ft_used)
2313 		sme_update_ft_ies(wpa_s, NULL, NULL, 0);
2314 #endif /* CONFIG_IEEE80211R */
2315 	sme_stop_sa_query(wpa_s);
2316 }
2317 
2318 
2319 void sme_deinit(struct wpa_supplicant *wpa_s)
2320 {
2321 	sme_clear_on_disassoc(wpa_s);
2322 #ifdef CONFIG_SAE
2323 	os_free(wpa_s->sme.sae_rejected_groups);
2324 	wpa_s->sme.sae_rejected_groups = NULL;
2325 #endif /* CONFIG_SAE */
2326 
2327 	eloop_cancel_timeout(sme_assoc_timer, wpa_s, NULL);
2328 	eloop_cancel_timeout(sme_auth_timer, wpa_s, NULL);
2329 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2330 }
2331 
2332 
2333 static void sme_send_2040_bss_coex(struct wpa_supplicant *wpa_s,
2334 				   const u8 *chan_list, u8 num_channels,
2335 				   u8 num_intol)
2336 {
2337 	struct ieee80211_2040_bss_coex_ie *bc_ie;
2338 	struct ieee80211_2040_intol_chan_report *ic_report;
2339 	struct wpabuf *buf;
2340 
2341 	wpa_printf(MSG_DEBUG, "SME: Send 20/40 BSS Coexistence to " MACSTR
2342 		   " (num_channels=%u num_intol=%u)",
2343 		   MAC2STR(wpa_s->bssid), num_channels, num_intol);
2344 	wpa_hexdump(MSG_DEBUG, "SME: 20/40 BSS Intolerant Channels",
2345 		    chan_list, num_channels);
2346 
2347 	buf = wpabuf_alloc(2 + /* action.category + action_code */
2348 			   sizeof(struct ieee80211_2040_bss_coex_ie) +
2349 			   sizeof(struct ieee80211_2040_intol_chan_report) +
2350 			   num_channels);
2351 	if (buf == NULL)
2352 		return;
2353 
2354 	wpabuf_put_u8(buf, WLAN_ACTION_PUBLIC);
2355 	wpabuf_put_u8(buf, WLAN_PA_20_40_BSS_COEX);
2356 
2357 	bc_ie = wpabuf_put(buf, sizeof(*bc_ie));
2358 	bc_ie->element_id = WLAN_EID_20_40_BSS_COEXISTENCE;
2359 	bc_ie->length = 1;
2360 	if (num_intol)
2361 		bc_ie->coex_param |= WLAN_20_40_BSS_COEX_20MHZ_WIDTH_REQ;
2362 
2363 	if (num_channels > 0) {
2364 		ic_report = wpabuf_put(buf, sizeof(*ic_report));
2365 		ic_report->element_id = WLAN_EID_20_40_BSS_INTOLERANT;
2366 		ic_report->length = num_channels + 1;
2367 		ic_report->op_class = 0;
2368 		os_memcpy(wpabuf_put(buf, num_channels), chan_list,
2369 			  num_channels);
2370 	}
2371 
2372 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2373 				wpa_s->own_addr, wpa_s->bssid,
2374 				wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
2375 		wpa_msg(wpa_s, MSG_INFO,
2376 			"SME: Failed to send 20/40 BSS Coexistence frame");
2377 	}
2378 
2379 	wpabuf_free(buf);
2380 }
2381 
2382 
2383 int sme_proc_obss_scan(struct wpa_supplicant *wpa_s,
2384 		       struct wpa_scan_results *scan_res)
2385 {
2386 	const u8 *ie;
2387 	u8 chan_list[P2P_MAX_CHANNELS], channel;
2388 	u8 num_channels = 0, num_intol = 0, i;
2389 	size_t j;
2390 	int pri_freq, sec_freq;
2391 
2392 	if (!wpa_s->sme.sched_obss_scan)
2393 		return 0;
2394 
2395 	wpa_s->sme.sched_obss_scan = 0;
2396 	if (!wpa_s->current_bss || wpa_s->wpa_state != WPA_COMPLETED)
2397 		return 1;
2398 
2399 	/*
2400 	 * Check whether AP uses regulatory triplet or channel triplet in
2401 	 * country info. Right now the operating class of the BSS channel
2402 	 * width trigger event is "unknown" (IEEE Std 802.11-2012 10.15.12),
2403 	 * based on the assumption that operating class triplet is not used in
2404 	 * beacon frame. If the First Channel Number/Operating Extension
2405 	 * Identifier octet has a positive integer value of 201 or greater,
2406 	 * then its operating class triplet.
2407 	 *
2408 	 * TODO: If Supported Operating Classes element is present in beacon
2409 	 * frame, have to lookup operating class in Annex E and fill them in
2410 	 * 2040 coex frame.
2411 	 */
2412 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_COUNTRY);
2413 	if (ie && (ie[1] >= 6) && (ie[5] >= 201))
2414 		return 1;
2415 
2416 	os_memset(chan_list, 0, sizeof(chan_list));
2417 
2418 	pri_freq = wpa_s->assoc_freq;
2419 
2420 	switch (wpa_s->sme.ht_sec_chan) {
2421 	case HT_SEC_CHAN_ABOVE:
2422 		sec_freq = pri_freq + 20;
2423 		break;
2424 	case HT_SEC_CHAN_BELOW:
2425 		sec_freq = pri_freq - 20;
2426 		break;
2427 	case HT_SEC_CHAN_UNKNOWN:
2428 	default:
2429 		wpa_msg(wpa_s, MSG_WARNING,
2430 			"Undefined secondary channel: drop OBSS scan results");
2431 		return 1;
2432 	}
2433 
2434 	for (j = 0; j < scan_res->num; j++) {
2435 		struct wpa_scan_res *bss = scan_res->res[j];
2436 		enum hostapd_hw_mode mode;
2437 		int res;
2438 
2439 		/* Skip other band bss */
2440 		mode = ieee80211_freq_to_chan(bss->freq, &channel);
2441 		if (mode != HOSTAPD_MODE_IEEE80211G &&
2442 		    mode != HOSTAPD_MODE_IEEE80211B)
2443 			continue;
2444 
2445 		res = check_bss_coex_40mhz(bss, pri_freq, sec_freq);
2446 		if (res) {
2447 			if (res == 2)
2448 				num_intol++;
2449 
2450 			/* Check whether the channel is already considered */
2451 			for (i = 0; i < num_channels; i++) {
2452 				if (channel == chan_list[i])
2453 					break;
2454 			}
2455 			if (i != num_channels)
2456 				continue;
2457 
2458 			chan_list[num_channels++] = channel;
2459 		}
2460 	}
2461 
2462 	sme_send_2040_bss_coex(wpa_s, chan_list, num_channels, num_intol);
2463 	return 1;
2464 }
2465 
2466 
2467 static void wpa_obss_scan_freqs_list(struct wpa_supplicant *wpa_s,
2468 				     struct wpa_driver_scan_params *params)
2469 {
2470 	/* Include only affected channels */
2471 	struct hostapd_hw_modes *mode;
2472 	int count, i;
2473 	int start, end;
2474 
2475 	mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes,
2476 			HOSTAPD_MODE_IEEE80211G, false);
2477 	if (mode == NULL) {
2478 		/* No channels supported in this band - use empty list */
2479 		params->freqs = os_zalloc(sizeof(int));
2480 		return;
2481 	}
2482 
2483 	if (wpa_s->sme.ht_sec_chan == HT_SEC_CHAN_UNKNOWN &&
2484 	    wpa_s->current_bss) {
2485 		const u8 *ie;
2486 
2487 		ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_OPERATION);
2488 		if (ie && ie[1] >= 2) {
2489 			u8 o;
2490 
2491 			o = ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
2492 			if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_ABOVE)
2493 				wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_ABOVE;
2494 			else if (o == HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW)
2495 				wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_BELOW;
2496 		}
2497 	}
2498 
2499 	start = wpa_s->assoc_freq - 10;
2500 	end = wpa_s->assoc_freq + 10;
2501 	switch (wpa_s->sme.ht_sec_chan) {
2502 	case HT_SEC_CHAN_UNKNOWN:
2503 		/* HT40+ possible on channels 1..9 */
2504 		if (wpa_s->assoc_freq <= 2452)
2505 			start -= 20;
2506 		/* HT40- possible on channels 5-13 */
2507 		if (wpa_s->assoc_freq >= 2432)
2508 			end += 20;
2509 		break;
2510 	case HT_SEC_CHAN_ABOVE:
2511 		end += 20;
2512 		break;
2513 	case HT_SEC_CHAN_BELOW:
2514 		start -= 20;
2515 		break;
2516 	}
2517 	wpa_printf(MSG_DEBUG,
2518 		   "OBSS: assoc_freq %d possible affected range %d-%d",
2519 		   wpa_s->assoc_freq, start, end);
2520 
2521 	params->freqs = os_calloc(mode->num_channels + 1, sizeof(int));
2522 	if (params->freqs == NULL)
2523 		return;
2524 	for (count = 0, i = 0; i < mode->num_channels; i++) {
2525 		int freq;
2526 
2527 		if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
2528 			continue;
2529 		freq = mode->channels[i].freq;
2530 		if (freq - 10 >= end || freq + 10 <= start)
2531 			continue; /* not affected */
2532 		params->freqs[count++] = freq;
2533 	}
2534 }
2535 
2536 
2537 static void sme_obss_scan_timeout(void *eloop_ctx, void *timeout_ctx)
2538 {
2539 	struct wpa_supplicant *wpa_s = eloop_ctx;
2540 	struct wpa_driver_scan_params params;
2541 
2542 	if (!wpa_s->current_bss) {
2543 		wpa_printf(MSG_DEBUG, "SME OBSS: Ignore scan request");
2544 		return;
2545 	}
2546 
2547 	os_memset(&params, 0, sizeof(params));
2548 	wpa_obss_scan_freqs_list(wpa_s, &params);
2549 	params.low_priority = 1;
2550 	wpa_printf(MSG_DEBUG, "SME OBSS: Request an OBSS scan");
2551 
2552 	if (wpa_supplicant_trigger_scan(wpa_s, &params))
2553 		wpa_printf(MSG_DEBUG, "SME OBSS: Failed to trigger scan");
2554 	else
2555 		wpa_s->sme.sched_obss_scan = 1;
2556 	os_free(params.freqs);
2557 
2558 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2559 			       sme_obss_scan_timeout, wpa_s, NULL);
2560 }
2561 
2562 
2563 void sme_sched_obss_scan(struct wpa_supplicant *wpa_s, int enable)
2564 {
2565 	const u8 *ie;
2566 	struct wpa_bss *bss = wpa_s->current_bss;
2567 	struct wpa_ssid *ssid = wpa_s->current_ssid;
2568 	struct hostapd_hw_modes *hw_mode = NULL;
2569 	int i;
2570 
2571 	eloop_cancel_timeout(sme_obss_scan_timeout, wpa_s, NULL);
2572 	wpa_s->sme.sched_obss_scan = 0;
2573 	wpa_s->sme.ht_sec_chan = HT_SEC_CHAN_UNKNOWN;
2574 	if (!enable)
2575 		return;
2576 
2577 	/*
2578 	 * Schedule OBSS scan if driver is using station SME in wpa_supplicant
2579 	 * or it expects OBSS scan to be performed by wpa_supplicant.
2580 	 */
2581 	if (!((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) ||
2582 	      (wpa_s->drv_flags & WPA_DRIVER_FLAGS_OBSS_SCAN)) ||
2583 	    ssid == NULL || ssid->mode != WPAS_MODE_INFRA)
2584 		return;
2585 
2586 	if (!wpa_s->hw.modes)
2587 		return;
2588 
2589 	/* only HT caps in 11g mode are relevant */
2590 	for (i = 0; i < wpa_s->hw.num_modes; i++) {
2591 		hw_mode = &wpa_s->hw.modes[i];
2592 		if (hw_mode->mode == HOSTAPD_MODE_IEEE80211G)
2593 			break;
2594 	}
2595 
2596 	/* Driver does not support HT40 for 11g or doesn't have 11g. */
2597 	if (i == wpa_s->hw.num_modes || !hw_mode ||
2598 	    !(hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2599 		return;
2600 
2601 	if (bss == NULL || bss->freq < 2400 || bss->freq > 2500)
2602 		return; /* Not associated on 2.4 GHz band */
2603 
2604 	/* Check whether AP supports HT40 */
2605 	ie = wpa_bss_get_ie(wpa_s->current_bss, WLAN_EID_HT_CAP);
2606 	if (!ie || ie[1] < 2 ||
2607 	    !(WPA_GET_LE16(ie + 2) & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
2608 		return; /* AP does not support HT40 */
2609 
2610 	ie = wpa_bss_get_ie(wpa_s->current_bss,
2611 			    WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS);
2612 	if (!ie || ie[1] < 14)
2613 		return; /* AP does not request OBSS scans */
2614 
2615 	wpa_s->sme.obss_scan_int = WPA_GET_LE16(ie + 6);
2616 	if (wpa_s->sme.obss_scan_int < 10) {
2617 		wpa_printf(MSG_DEBUG, "SME: Invalid OBSS Scan Interval %u "
2618 			   "replaced with the minimum 10 sec",
2619 			   wpa_s->sme.obss_scan_int);
2620 		wpa_s->sme.obss_scan_int = 10;
2621 	}
2622 	wpa_printf(MSG_DEBUG, "SME: OBSS Scan Interval %u sec",
2623 		   wpa_s->sme.obss_scan_int);
2624 	eloop_register_timeout(wpa_s->sme.obss_scan_int, 0,
2625 			       sme_obss_scan_timeout, wpa_s, NULL);
2626 }
2627 
2628 
2629 static const unsigned int sa_query_max_timeout = 1000;
2630 static const unsigned int sa_query_retry_timeout = 201;
2631 static const unsigned int sa_query_ch_switch_max_delay = 5000; /* in usec */
2632 
2633 static int sme_check_sa_query_timeout(struct wpa_supplicant *wpa_s)
2634 {
2635 	u32 tu;
2636 	struct os_reltime now, passed;
2637 	os_get_reltime(&now);
2638 	os_reltime_sub(&now, &wpa_s->sme.sa_query_start, &passed);
2639 	tu = (passed.sec * 1000000 + passed.usec) / 1024;
2640 	if (sa_query_max_timeout < tu) {
2641 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: SA Query timed out");
2642 		sme_stop_sa_query(wpa_s);
2643 		wpa_supplicant_deauthenticate(
2644 			wpa_s, WLAN_REASON_PREV_AUTH_NOT_VALID);
2645 		return 1;
2646 	}
2647 
2648 	return 0;
2649 }
2650 
2651 
2652 static void sme_send_sa_query_req(struct wpa_supplicant *wpa_s,
2653 				  const u8 *trans_id)
2654 {
2655 	u8 req[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2656 	u8 req_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2657 
2658 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Request to "
2659 		MACSTR, MAC2STR(wpa_s->bssid));
2660 	wpa_hexdump(MSG_DEBUG, "SME: SA Query Transaction ID",
2661 		    trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2662 	req[0] = WLAN_ACTION_SA_QUERY;
2663 	req[1] = WLAN_SA_QUERY_REQUEST;
2664 	os_memcpy(req + 2, trans_id, WLAN_SA_QUERY_TR_ID_LEN);
2665 
2666 #ifdef CONFIG_OCV
2667 	if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2668 		struct wpa_channel_info ci;
2669 
2670 		if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2671 			wpa_printf(MSG_WARNING,
2672 				   "Failed to get channel info for OCI element in SA Query Request frame");
2673 			return;
2674 		}
2675 
2676 #ifdef CONFIG_TESTING_OPTIONS
2677 		if (wpa_s->oci_freq_override_saquery_req) {
2678 			wpa_printf(MSG_INFO,
2679 				   "TEST: Override SA Query Request OCI frequency %d -> %d MHz",
2680 				   ci.frequency,
2681 				   wpa_s->oci_freq_override_saquery_req);
2682 			ci.frequency = wpa_s->oci_freq_override_saquery_req;
2683 		}
2684 #endif /* CONFIG_TESTING_OPTIONS */
2685 
2686 		if (ocv_insert_extended_oci(&ci, req + req_len) < 0)
2687 			return;
2688 
2689 		req_len += OCV_OCI_EXTENDED_LEN;
2690 	}
2691 #endif /* CONFIG_OCV */
2692 
2693 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2694 				wpa_s->own_addr, wpa_s->bssid,
2695 				req, req_len, 0) < 0)
2696 		wpa_msg(wpa_s, MSG_INFO, "SME: Failed to send SA Query "
2697 			"Request");
2698 }
2699 
2700 
2701 static void sme_sa_query_timer(void *eloop_ctx, void *timeout_ctx)
2702 {
2703 	struct wpa_supplicant *wpa_s = eloop_ctx;
2704 	unsigned int timeout, sec, usec;
2705 	u8 *trans_id, *nbuf;
2706 
2707 	if (wpa_s->sme.sa_query_count > 0 &&
2708 	    sme_check_sa_query_timeout(wpa_s))
2709 		return;
2710 
2711 	nbuf = os_realloc_array(wpa_s->sme.sa_query_trans_id,
2712 				wpa_s->sme.sa_query_count + 1,
2713 				WLAN_SA_QUERY_TR_ID_LEN);
2714 	if (nbuf == NULL) {
2715 		sme_stop_sa_query(wpa_s);
2716 		return;
2717 	}
2718 	if (wpa_s->sme.sa_query_count == 0) {
2719 		/* Starting a new SA Query procedure */
2720 		os_get_reltime(&wpa_s->sme.sa_query_start);
2721 	}
2722 	trans_id = nbuf + wpa_s->sme.sa_query_count * WLAN_SA_QUERY_TR_ID_LEN;
2723 	wpa_s->sme.sa_query_trans_id = nbuf;
2724 	wpa_s->sme.sa_query_count++;
2725 
2726 	if (os_get_random(trans_id, WLAN_SA_QUERY_TR_ID_LEN) < 0) {
2727 		wpa_printf(MSG_DEBUG, "Could not generate SA Query ID");
2728 		sme_stop_sa_query(wpa_s);
2729 		return;
2730 	}
2731 
2732 	timeout = sa_query_retry_timeout;
2733 	sec = ((timeout / 1000) * 1024) / 1000;
2734 	usec = (timeout % 1000) * 1024;
2735 	eloop_register_timeout(sec, usec, sme_sa_query_timer, wpa_s, NULL);
2736 
2737 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Association SA Query attempt %d",
2738 		wpa_s->sme.sa_query_count);
2739 
2740 	sme_send_sa_query_req(wpa_s, trans_id);
2741 }
2742 
2743 
2744 static void sme_start_sa_query(struct wpa_supplicant *wpa_s)
2745 {
2746 	sme_sa_query_timer(wpa_s, NULL);
2747 }
2748 
2749 
2750 static void sme_stop_sa_query(struct wpa_supplicant *wpa_s)
2751 {
2752 	if (wpa_s->sme.sa_query_trans_id)
2753 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: Stop SA Query");
2754 	eloop_cancel_timeout(sme_sa_query_timer, wpa_s, NULL);
2755 	os_free(wpa_s->sme.sa_query_trans_id);
2756 	wpa_s->sme.sa_query_trans_id = NULL;
2757 	wpa_s->sme.sa_query_count = 0;
2758 }
2759 
2760 
2761 void sme_event_unprot_disconnect(struct wpa_supplicant *wpa_s, const u8 *sa,
2762 				 const u8 *da, u16 reason_code)
2763 {
2764 	struct wpa_ssid *ssid;
2765 	struct os_reltime now;
2766 
2767 	if (wpa_s->wpa_state != WPA_COMPLETED)
2768 		return;
2769 	ssid = wpa_s->current_ssid;
2770 	if (wpas_get_ssid_pmf(wpa_s, ssid) == NO_MGMT_FRAME_PROTECTION)
2771 		return;
2772 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2773 		return;
2774 	if (reason_code != WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA &&
2775 	    reason_code != WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA)
2776 		return;
2777 	if (wpa_s->sme.sa_query_count > 0)
2778 		return;
2779 #ifdef CONFIG_TESTING_OPTIONS
2780 	if (wpa_s->disable_sa_query)
2781 		return;
2782 #endif /* CONFIG_TESTING_OPTIONS */
2783 
2784 	os_get_reltime(&now);
2785 	if (wpa_s->sme.last_unprot_disconnect.sec &&
2786 	    !os_reltime_expired(&now, &wpa_s->sme.last_unprot_disconnect, 10))
2787 		return; /* limit SA Query procedure frequency */
2788 	wpa_s->sme.last_unprot_disconnect = now;
2789 
2790 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Unprotected disconnect dropped - "
2791 		"possible AP/STA state mismatch - trigger SA Query");
2792 	sme_start_sa_query(wpa_s);
2793 }
2794 
2795 
2796 void sme_event_ch_switch(struct wpa_supplicant *wpa_s)
2797 {
2798 	unsigned int usec;
2799 	u32 _rand;
2800 
2801 	if (wpa_s->wpa_state != WPA_COMPLETED ||
2802 	    !wpa_sm_ocv_enabled(wpa_s->wpa))
2803 		return;
2804 
2805 	wpa_dbg(wpa_s, MSG_DEBUG,
2806 		"SME: Channel switch completed - trigger new SA Query to verify new operating channel");
2807 	sme_stop_sa_query(wpa_s);
2808 
2809 	if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
2810 		_rand = os_random();
2811 	usec = _rand % (sa_query_ch_switch_max_delay + 1);
2812 	eloop_register_timeout(0, usec, sme_sa_query_timer, wpa_s, NULL);
2813 }
2814 
2815 
2816 static void sme_process_sa_query_request(struct wpa_supplicant *wpa_s,
2817 					 const u8 *sa, const u8 *data,
2818 					 size_t len)
2819 {
2820 	u8 resp[2 + WLAN_SA_QUERY_TR_ID_LEN + OCV_OCI_EXTENDED_LEN];
2821 	u8 resp_len = 2 + WLAN_SA_QUERY_TR_ID_LEN;
2822 
2823 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Sending SA Query Response to "
2824 		MACSTR, MAC2STR(wpa_s->bssid));
2825 
2826 	resp[0] = WLAN_ACTION_SA_QUERY;
2827 	resp[1] = WLAN_SA_QUERY_RESPONSE;
2828 	os_memcpy(resp + 2, data + 1, WLAN_SA_QUERY_TR_ID_LEN);
2829 
2830 #ifdef CONFIG_OCV
2831 	if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2832 		struct wpa_channel_info ci;
2833 
2834 		if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2835 			wpa_printf(MSG_WARNING,
2836 				   "Failed to get channel info for OCI element in SA Query Response frame");
2837 			return;
2838 		}
2839 
2840 #ifdef CONFIG_TESTING_OPTIONS
2841 		if (wpa_s->oci_freq_override_saquery_resp) {
2842 			wpa_printf(MSG_INFO,
2843 				   "TEST: Override SA Query Response OCI frequency %d -> %d MHz",
2844 				   ci.frequency,
2845 				   wpa_s->oci_freq_override_saquery_resp);
2846 			ci.frequency = wpa_s->oci_freq_override_saquery_resp;
2847 		}
2848 #endif /* CONFIG_TESTING_OPTIONS */
2849 
2850 		if (ocv_insert_extended_oci(&ci, resp + resp_len) < 0)
2851 			return;
2852 
2853 		resp_len += OCV_OCI_EXTENDED_LEN;
2854 	}
2855 #endif /* CONFIG_OCV */
2856 
2857 	if (wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, wpa_s->bssid,
2858 				wpa_s->own_addr, wpa_s->bssid,
2859 				resp, resp_len, 0) < 0)
2860 		wpa_msg(wpa_s, MSG_INFO,
2861 			"SME: Failed to send SA Query Response");
2862 }
2863 
2864 
2865 static void sme_process_sa_query_response(struct wpa_supplicant *wpa_s,
2866 					  const u8 *sa, const u8 *data,
2867 					  size_t len)
2868 {
2869 	int i;
2870 
2871 	if (!wpa_s->sme.sa_query_trans_id)
2872 		return;
2873 
2874 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query response from "
2875 		MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2876 
2877 	if (os_memcmp(sa, wpa_s->bssid, ETH_ALEN) != 0)
2878 		return;
2879 
2880 	for (i = 0; i < wpa_s->sme.sa_query_count; i++) {
2881 		if (os_memcmp(wpa_s->sme.sa_query_trans_id +
2882 			      i * WLAN_SA_QUERY_TR_ID_LEN,
2883 			      data + 1, WLAN_SA_QUERY_TR_ID_LEN) == 0)
2884 			break;
2885 	}
2886 
2887 	if (i >= wpa_s->sme.sa_query_count) {
2888 		wpa_dbg(wpa_s, MSG_DEBUG, "SME: No matching SA Query "
2889 			"transaction identifier found");
2890 		return;
2891 	}
2892 
2893 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Reply to pending SA Query received "
2894 		"from " MACSTR, MAC2STR(sa));
2895 	sme_stop_sa_query(wpa_s);
2896 }
2897 
2898 
2899 void sme_sa_query_rx(struct wpa_supplicant *wpa_s, const u8 *da, const u8 *sa,
2900 		     const u8 *data, size_t len)
2901 {
2902 	if (len < 1 + WLAN_SA_QUERY_TR_ID_LEN)
2903 		return;
2904 	if (is_multicast_ether_addr(da)) {
2905 		wpa_printf(MSG_DEBUG,
2906 			   "IEEE 802.11: Ignore group-addressed SA Query frame (A1=" MACSTR " A2=" MACSTR ")",
2907 			   MAC2STR(da), MAC2STR(sa));
2908 		return;
2909 	}
2910 
2911 	wpa_dbg(wpa_s, MSG_DEBUG, "SME: Received SA Query frame from "
2912 		MACSTR " (trans_id %02x%02x)", MAC2STR(sa), data[1], data[2]);
2913 
2914 #ifdef CONFIG_OCV
2915 	if (wpa_sm_ocv_enabled(wpa_s->wpa)) {
2916 		struct ieee802_11_elems elems;
2917 		struct wpa_channel_info ci;
2918 
2919 		if (ieee802_11_parse_elems(data + 1 + WLAN_SA_QUERY_TR_ID_LEN,
2920 					   len - 1 - WLAN_SA_QUERY_TR_ID_LEN,
2921 					   &elems, 1) == ParseFailed) {
2922 			wpa_printf(MSG_DEBUG,
2923 				   "SA Query: Failed to parse elements");
2924 			return;
2925 		}
2926 
2927 		if (wpa_drv_channel_info(wpa_s, &ci) != 0) {
2928 			wpa_printf(MSG_WARNING,
2929 				   "Failed to get channel info to validate received OCI in SA Query Action frame");
2930 			return;
2931 		}
2932 
2933 		if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
2934 					 channel_width_to_int(ci.chanwidth),
2935 					 ci.seg1_idx) != OCI_SUCCESS) {
2936 			wpa_msg(wpa_s, MSG_INFO, OCV_FAILURE "addr=" MACSTR
2937 				" frame=saquery%s error=%s",
2938 				MAC2STR(sa), data[0] == WLAN_SA_QUERY_REQUEST ?
2939 				"req" : "resp", ocv_errorstr);
2940 			return;
2941 		}
2942 	}
2943 #endif /* CONFIG_OCV */
2944 
2945 	if (data[0] == WLAN_SA_QUERY_REQUEST)
2946 		sme_process_sa_query_request(wpa_s, sa, data, len);
2947 	else if (data[0] == WLAN_SA_QUERY_RESPONSE)
2948 		sme_process_sa_query_response(wpa_s, sa, data, len);
2949 }
2950