1 /* 2 * WPA Supplicant - Basic mesh peer management 3 * Copyright (c) 2013-2014, cozybit, Inc. All rights reserved. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "common/ieee802_11_defs.h" 14 #include "ap/hostapd.h" 15 #include "ap/sta_info.h" 16 #include "ap/ieee802_11.h" 17 #include "wpa_supplicant_i.h" 18 #include "driver_i.h" 19 #include "mesh_mpm.h" 20 #include "mesh_rsn.h" 21 22 struct mesh_peer_mgmt_ie { 23 const u8 *proto_id; 24 const u8 *llid; 25 const u8 *plid; 26 const u8 *reason; 27 const u8 *pmk; 28 }; 29 30 static void plink_timer(void *eloop_ctx, void *user_data); 31 32 33 enum plink_event { 34 PLINK_UNDEFINED, 35 OPN_ACPT, 36 OPN_RJCT, 37 OPN_IGNR, 38 CNF_ACPT, 39 CNF_RJCT, 40 CNF_IGNR, 41 CLS_ACPT, 42 CLS_IGNR 43 }; 44 45 static const char * const mplstate[] = { 46 [PLINK_LISTEN] = "LISTEN", 47 [PLINK_OPEN_SENT] = "OPEN_SENT", 48 [PLINK_OPEN_RCVD] = "OPEN_RCVD", 49 [PLINK_CNF_RCVD] = "CNF_RCVD", 50 [PLINK_ESTAB] = "ESTAB", 51 [PLINK_HOLDING] = "HOLDING", 52 [PLINK_BLOCKED] = "BLOCKED" 53 }; 54 55 static const char * const mplevent[] = { 56 [PLINK_UNDEFINED] = "UNDEFINED", 57 [OPN_ACPT] = "OPN_ACPT", 58 [OPN_RJCT] = "OPN_RJCT", 59 [OPN_IGNR] = "OPN_IGNR", 60 [CNF_ACPT] = "CNF_ACPT", 61 [CNF_RJCT] = "CNF_RJCT", 62 [CNF_IGNR] = "CNF_IGNR", 63 [CLS_ACPT] = "CLS_ACPT", 64 [CLS_IGNR] = "CLS_IGNR" 65 }; 66 67 68 static int mesh_mpm_parse_peer_mgmt(struct wpa_supplicant *wpa_s, 69 u8 action_field, 70 const u8 *ie, size_t len, 71 struct mesh_peer_mgmt_ie *mpm_ie) 72 { 73 os_memset(mpm_ie, 0, sizeof(*mpm_ie)); 74 75 /* remove optional PMK at end */ 76 if (len >= 16) { 77 len -= 16; 78 mpm_ie->pmk = ie + len - 16; 79 } 80 81 if ((action_field == PLINK_OPEN && len != 4) || 82 (action_field == PLINK_CONFIRM && len != 6) || 83 (action_field == PLINK_CLOSE && len != 6 && len != 8)) { 84 wpa_msg(wpa_s, MSG_DEBUG, "MPM: Invalid peer mgmt ie"); 85 return -1; 86 } 87 88 /* required fields */ 89 if (len < 4) 90 return -1; 91 mpm_ie->proto_id = ie; 92 mpm_ie->llid = ie + 2; 93 ie += 4; 94 len -= 4; 95 96 /* close reason is always present at end for close */ 97 if (action_field == PLINK_CLOSE) { 98 if (len < 2) 99 return -1; 100 mpm_ie->reason = ie + len - 2; 101 len -= 2; 102 } 103 104 /* plid, present for confirm, and possibly close */ 105 if (len) 106 mpm_ie->plid = ie; 107 108 return 0; 109 } 110 111 112 static int plink_free_count(struct hostapd_data *hapd) 113 { 114 if (hapd->max_plinks > hapd->num_plinks) 115 return hapd->max_plinks - hapd->num_plinks; 116 return 0; 117 } 118 119 120 static u16 copy_supp_rates(struct wpa_supplicant *wpa_s, 121 struct sta_info *sta, 122 struct ieee802_11_elems *elems) 123 { 124 if (!elems->supp_rates) { 125 wpa_msg(wpa_s, MSG_ERROR, "no supported rates from " MACSTR, 126 MAC2STR(sta->addr)); 127 return WLAN_STATUS_UNSPECIFIED_FAILURE; 128 } 129 130 if (elems->supp_rates_len + elems->ext_supp_rates_len > 131 sizeof(sta->supported_rates)) { 132 wpa_msg(wpa_s, MSG_ERROR, 133 "Invalid supported rates element length " MACSTR 134 " %d+%d", MAC2STR(sta->addr), elems->supp_rates_len, 135 elems->ext_supp_rates_len); 136 return WLAN_STATUS_UNSPECIFIED_FAILURE; 137 } 138 139 sta->supported_rates_len = merge_byte_arrays( 140 sta->supported_rates, sizeof(sta->supported_rates), 141 elems->supp_rates, elems->supp_rates_len, 142 elems->ext_supp_rates, elems->ext_supp_rates_len); 143 144 return WLAN_STATUS_SUCCESS; 145 } 146 147 148 /* return true if elems from a neighbor match this MBSS */ 149 static Boolean matches_local(struct wpa_supplicant *wpa_s, 150 struct ieee802_11_elems *elems) 151 { 152 struct mesh_conf *mconf = wpa_s->ifmsh->mconf; 153 154 if (elems->mesh_config_len < 5) 155 return FALSE; 156 157 return (mconf->meshid_len == elems->mesh_id_len && 158 os_memcmp(mconf->meshid, elems->mesh_id, 159 elems->mesh_id_len) == 0 && 160 mconf->mesh_pp_id == elems->mesh_config[0] && 161 mconf->mesh_pm_id == elems->mesh_config[1] && 162 mconf->mesh_cc_id == elems->mesh_config[2] && 163 mconf->mesh_sp_id == elems->mesh_config[3] && 164 mconf->mesh_auth_id == elems->mesh_config[4]); 165 } 166 167 168 /* check if local link id is already used with another peer */ 169 static Boolean llid_in_use(struct wpa_supplicant *wpa_s, u16 llid) 170 { 171 struct sta_info *sta; 172 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 173 174 for (sta = hapd->sta_list; sta; sta = sta->next) { 175 if (sta->my_lid == llid) 176 return TRUE; 177 } 178 179 return FALSE; 180 } 181 182 183 /* generate an llid for a link and set to initial state */ 184 static void mesh_mpm_init_link(struct wpa_supplicant *wpa_s, 185 struct sta_info *sta) 186 { 187 u16 llid; 188 189 do { 190 if (os_get_random((u8 *) &llid, sizeof(llid)) < 0) 191 continue; 192 } while (!llid || llid_in_use(wpa_s, llid)); 193 194 sta->my_lid = llid; 195 sta->peer_lid = 0; 196 197 /* 198 * We do not use wpa_mesh_set_plink_state() here because there is no 199 * entry in kernel yet. 200 */ 201 sta->plink_state = PLINK_LISTEN; 202 } 203 204 205 static void mesh_mpm_send_plink_action(struct wpa_supplicant *wpa_s, 206 struct sta_info *sta, 207 enum plink_action_field type, 208 u16 close_reason) 209 { 210 struct wpabuf *buf; 211 struct hostapd_iface *ifmsh = wpa_s->ifmsh; 212 struct hostapd_data *bss = ifmsh->bss[0]; 213 struct mesh_conf *conf = ifmsh->mconf; 214 u8 supp_rates[2 + 2 + 32]; 215 #ifdef CONFIG_IEEE80211N 216 u8 ht_capa_oper[2 + 26 + 2 + 22]; 217 #endif /* CONFIG_IEEE80211N */ 218 u8 *pos, *cat; 219 u8 ie_len, add_plid = 0; 220 int ret; 221 int ampe = conf->security & MESH_CONF_SEC_AMPE; 222 size_t buf_len; 223 224 if (!sta) 225 return; 226 227 buf_len = 2 + /* capability info */ 228 2 + /* AID */ 229 2 + 8 + /* supported rates */ 230 2 + (32 - 8) + 231 2 + 32 + /* mesh ID */ 232 2 + 7 + /* mesh config */ 233 2 + 23 + /* peering management */ 234 2 + 96 + /* AMPE */ 235 2 + 16; /* MIC */ 236 #ifdef CONFIG_IEEE80211N 237 if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) { 238 buf_len += 2 + 26 + /* HT capabilities */ 239 2 + 22; /* HT operation */ 240 } 241 #endif /* CONFIG_IEEE80211N */ 242 buf = wpabuf_alloc(buf_len); 243 if (!buf) 244 return; 245 246 cat = wpabuf_mhead_u8(buf); 247 wpabuf_put_u8(buf, WLAN_ACTION_SELF_PROTECTED); 248 wpabuf_put_u8(buf, type); 249 250 if (type != PLINK_CLOSE) { 251 u8 info; 252 253 /* capability info */ 254 wpabuf_put_le16(buf, ampe ? IEEE80211_CAP_PRIVACY : 0); 255 256 /* aid */ 257 if (type == PLINK_CONFIRM) 258 wpabuf_put_le16(buf, sta->peer_lid); 259 260 /* IE: supp + ext. supp rates */ 261 pos = hostapd_eid_supp_rates(bss, supp_rates); 262 pos = hostapd_eid_ext_supp_rates(bss, pos); 263 wpabuf_put_data(buf, supp_rates, pos - supp_rates); 264 265 /* IE: Mesh ID */ 266 wpabuf_put_u8(buf, WLAN_EID_MESH_ID); 267 wpabuf_put_u8(buf, conf->meshid_len); 268 wpabuf_put_data(buf, conf->meshid, conf->meshid_len); 269 270 /* IE: mesh conf */ 271 wpabuf_put_u8(buf, WLAN_EID_MESH_CONFIG); 272 wpabuf_put_u8(buf, 7); 273 wpabuf_put_u8(buf, conf->mesh_pp_id); 274 wpabuf_put_u8(buf, conf->mesh_pm_id); 275 wpabuf_put_u8(buf, conf->mesh_cc_id); 276 wpabuf_put_u8(buf, conf->mesh_sp_id); 277 wpabuf_put_u8(buf, conf->mesh_auth_id); 278 info = (bss->num_plinks > 63 ? 63 : bss->num_plinks) << 1; 279 /* TODO: Add Connected to Mesh Gate/AS subfields */ 280 wpabuf_put_u8(buf, info); 281 /* always forwarding & accepting plinks for now */ 282 wpabuf_put_u8(buf, 0x1 | 0x8); 283 } else { /* Peer closing frame */ 284 /* IE: Mesh ID */ 285 wpabuf_put_u8(buf, WLAN_EID_MESH_ID); 286 wpabuf_put_u8(buf, conf->meshid_len); 287 wpabuf_put_data(buf, conf->meshid, conf->meshid_len); 288 } 289 290 /* IE: Mesh Peering Management element */ 291 ie_len = 4; 292 if (ampe) 293 ie_len += PMKID_LEN; 294 switch (type) { 295 case PLINK_OPEN: 296 break; 297 case PLINK_CONFIRM: 298 ie_len += 2; 299 add_plid = 1; 300 break; 301 case PLINK_CLOSE: 302 ie_len += 2; 303 add_plid = 1; 304 ie_len += 2; /* reason code */ 305 break; 306 } 307 308 wpabuf_put_u8(buf, WLAN_EID_PEER_MGMT); 309 wpabuf_put_u8(buf, ie_len); 310 /* peering protocol */ 311 if (ampe) 312 wpabuf_put_le16(buf, 1); 313 else 314 wpabuf_put_le16(buf, 0); 315 wpabuf_put_le16(buf, sta->my_lid); 316 if (add_plid) 317 wpabuf_put_le16(buf, sta->peer_lid); 318 if (type == PLINK_CLOSE) 319 wpabuf_put_le16(buf, close_reason); 320 if (ampe) { 321 if (sta->sae == NULL) { 322 wpa_msg(wpa_s, MSG_INFO, "Mesh MPM: no SAE session"); 323 goto fail; 324 } 325 mesh_rsn_get_pmkid(wpa_s->mesh_rsn, sta, 326 wpabuf_put(buf, PMKID_LEN)); 327 } 328 329 #ifdef CONFIG_IEEE80211N 330 if (type != PLINK_CLOSE && wpa_s->mesh_ht_enabled) { 331 pos = hostapd_eid_ht_capabilities(bss, ht_capa_oper); 332 pos = hostapd_eid_ht_operation(bss, pos); 333 wpabuf_put_data(buf, ht_capa_oper, pos - ht_capa_oper); 334 } 335 #endif /* CONFIG_IEEE80211N */ 336 337 if (ampe && mesh_rsn_protect_frame(wpa_s->mesh_rsn, sta, cat, buf)) { 338 wpa_msg(wpa_s, MSG_INFO, 339 "Mesh MPM: failed to add AMPE and MIC IE"); 340 goto fail; 341 } 342 343 ret = wpa_drv_send_action(wpa_s, wpa_s->assoc_freq, 0, 344 sta->addr, wpa_s->own_addr, wpa_s->own_addr, 345 wpabuf_head(buf), wpabuf_len(buf), 0); 346 if (ret < 0) 347 wpa_msg(wpa_s, MSG_INFO, 348 "Mesh MPM: failed to send peering frame"); 349 350 fail: 351 wpabuf_free(buf); 352 } 353 354 355 /* configure peering state in ours and driver's station entry */ 356 void wpa_mesh_set_plink_state(struct wpa_supplicant *wpa_s, 357 struct sta_info *sta, 358 enum mesh_plink_state state) 359 { 360 struct hostapd_sta_add_params params; 361 int ret; 362 363 sta->plink_state = state; 364 365 os_memset(¶ms, 0, sizeof(params)); 366 params.addr = sta->addr; 367 params.plink_state = state; 368 params.set = 1; 369 370 wpa_msg(wpa_s, MSG_DEBUG, "MPM set " MACSTR " into %s", 371 MAC2STR(sta->addr), mplstate[state]); 372 ret = wpa_drv_sta_add(wpa_s, ¶ms); 373 if (ret) { 374 wpa_msg(wpa_s, MSG_ERROR, "Driver failed to set " MACSTR 375 ": %d", MAC2STR(sta->addr), ret); 376 } 377 } 378 379 380 static void mesh_mpm_fsm_restart(struct wpa_supplicant *wpa_s, 381 struct sta_info *sta) 382 { 383 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 384 385 eloop_cancel_timeout(plink_timer, wpa_s, sta); 386 387 ap_free_sta(hapd, sta); 388 } 389 390 391 static void plink_timer(void *eloop_ctx, void *user_data) 392 { 393 struct wpa_supplicant *wpa_s = eloop_ctx; 394 struct sta_info *sta = user_data; 395 u16 reason = 0; 396 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 397 398 switch (sta->plink_state) { 399 case PLINK_OPEN_RCVD: 400 case PLINK_OPEN_SENT: 401 /* retry timer */ 402 if (sta->mpm_retries < conf->dot11MeshMaxRetries) { 403 eloop_register_timeout( 404 conf->dot11MeshRetryTimeout / 1000, 405 (conf->dot11MeshRetryTimeout % 1000) * 1000, 406 plink_timer, wpa_s, sta); 407 mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0); 408 sta->mpm_retries++; 409 break; 410 } 411 reason = WLAN_REASON_MESH_MAX_RETRIES; 412 /* fall through on else */ 413 414 case PLINK_CNF_RCVD: 415 /* confirm timer */ 416 if (!reason) 417 reason = WLAN_REASON_MESH_CONFIRM_TIMEOUT; 418 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 419 eloop_register_timeout(conf->dot11MeshHoldingTimeout / 1000, 420 (conf->dot11MeshHoldingTimeout % 1000) * 1000, 421 plink_timer, wpa_s, sta); 422 mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE, reason); 423 break; 424 case PLINK_HOLDING: 425 /* holding timer */ 426 mesh_mpm_fsm_restart(wpa_s, sta); 427 break; 428 default: 429 break; 430 } 431 } 432 433 434 /* initiate peering with station */ 435 static void 436 mesh_mpm_plink_open(struct wpa_supplicant *wpa_s, struct sta_info *sta, 437 enum mesh_plink_state next_state) 438 { 439 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 440 441 eloop_cancel_timeout(plink_timer, wpa_s, sta); 442 eloop_register_timeout(conf->dot11MeshRetryTimeout / 1000, 443 (conf->dot11MeshRetryTimeout % 1000) * 1000, 444 plink_timer, wpa_s, sta); 445 mesh_mpm_send_plink_action(wpa_s, sta, PLINK_OPEN, 0); 446 wpa_mesh_set_plink_state(wpa_s, sta, next_state); 447 } 448 449 450 int mesh_mpm_plink_close(struct hostapd_data *hapd, 451 struct sta_info *sta, void *ctx) 452 { 453 struct wpa_supplicant *wpa_s = ctx; 454 int reason = WLAN_REASON_MESH_PEERING_CANCELLED; 455 456 if (sta) { 457 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 458 mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CLOSE, reason); 459 wpa_printf(MSG_DEBUG, "MPM closing plink sta=" MACSTR, 460 MAC2STR(sta->addr)); 461 eloop_cancel_timeout(plink_timer, wpa_s, sta); 462 return 0; 463 } 464 465 return 1; 466 } 467 468 469 void mesh_mpm_deinit(struct wpa_supplicant *wpa_s, struct hostapd_iface *ifmsh) 470 { 471 struct hostapd_data *hapd = ifmsh->bss[0]; 472 473 /* notify peers we're leaving */ 474 ap_for_each_sta(hapd, mesh_mpm_plink_close, wpa_s); 475 476 hapd->num_plinks = 0; 477 hostapd_free_stas(hapd); 478 } 479 480 481 /* for mesh_rsn to indicate this peer has completed authentication, and we're 482 * ready to start AMPE */ 483 void mesh_mpm_auth_peer(struct wpa_supplicant *wpa_s, const u8 *addr) 484 { 485 struct hostapd_data *data = wpa_s->ifmsh->bss[0]; 486 struct hostapd_sta_add_params params; 487 struct sta_info *sta; 488 int ret; 489 490 sta = ap_get_sta(data, addr); 491 if (!sta) { 492 wpa_msg(wpa_s, MSG_DEBUG, "no such mesh peer"); 493 return; 494 } 495 496 /* TODO: Should do nothing if this STA is already authenticated, but 497 * the AP code already sets this flag. */ 498 sta->flags |= WLAN_STA_AUTH; 499 500 mesh_rsn_init_ampe_sta(wpa_s, sta); 501 502 os_memset(¶ms, 0, sizeof(params)); 503 params.addr = sta->addr; 504 params.flags = WPA_STA_AUTHENTICATED | WPA_STA_AUTHORIZED; 505 params.set = 1; 506 507 wpa_msg(wpa_s, MSG_DEBUG, "MPM authenticating " MACSTR, 508 MAC2STR(sta->addr)); 509 ret = wpa_drv_sta_add(wpa_s, ¶ms); 510 if (ret) { 511 wpa_msg(wpa_s, MSG_ERROR, 512 "Driver failed to set " MACSTR ": %d", 513 MAC2STR(sta->addr), ret); 514 } 515 516 if (!sta->my_lid) 517 mesh_mpm_init_link(wpa_s, sta); 518 519 mesh_mpm_plink_open(wpa_s, sta, PLINK_OPEN_SENT); 520 } 521 522 /* 523 * Initialize a sta_info structure for a peer and upload it into the driver 524 * in preparation for beginning authentication or peering. This is done when a 525 * Beacon (secure or open mesh) or a peering open frame (for open mesh) is 526 * received from the peer for the first time. 527 */ 528 static struct sta_info * mesh_mpm_add_peer(struct wpa_supplicant *wpa_s, 529 const u8 *addr, 530 struct ieee802_11_elems *elems) 531 { 532 struct hostapd_sta_add_params params; 533 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 534 struct hostapd_data *data = wpa_s->ifmsh->bss[0]; 535 struct sta_info *sta; 536 int ret; 537 538 sta = ap_get_sta(data, addr); 539 if (!sta) { 540 sta = ap_sta_add(data, addr); 541 if (!sta) 542 return NULL; 543 } 544 545 /* initialize sta */ 546 if (copy_supp_rates(wpa_s, sta, elems)) { 547 ap_free_sta(data, sta); 548 return NULL; 549 } 550 551 mesh_mpm_init_link(wpa_s, sta); 552 553 #ifdef CONFIG_IEEE80211N 554 copy_sta_ht_capab(data, sta, elems->ht_capabilities); 555 update_ht_state(data, sta); 556 #endif /* CONFIG_IEEE80211N */ 557 558 /* insert into driver */ 559 os_memset(¶ms, 0, sizeof(params)); 560 params.supp_rates = sta->supported_rates; 561 params.supp_rates_len = sta->supported_rates_len; 562 params.addr = addr; 563 params.plink_state = sta->plink_state; 564 params.aid = sta->peer_lid; 565 params.listen_interval = 100; 566 params.ht_capabilities = sta->ht_capabilities; 567 params.flags |= WPA_STA_WMM; 568 params.flags_mask |= WPA_STA_AUTHENTICATED; 569 if (conf->security == MESH_CONF_SEC_NONE) { 570 params.flags |= WPA_STA_AUTHORIZED; 571 params.flags |= WPA_STA_AUTHENTICATED; 572 } else { 573 sta->flags |= WLAN_STA_MFP; 574 params.flags |= WPA_STA_MFP; 575 } 576 577 ret = wpa_drv_sta_add(wpa_s, ¶ms); 578 if (ret) { 579 wpa_msg(wpa_s, MSG_ERROR, 580 "Driver failed to insert " MACSTR ": %d", 581 MAC2STR(addr), ret); 582 ap_free_sta(data, sta); 583 return NULL; 584 } 585 586 return sta; 587 } 588 589 590 void wpa_mesh_new_mesh_peer(struct wpa_supplicant *wpa_s, const u8 *addr, 591 struct ieee802_11_elems *elems) 592 { 593 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 594 struct hostapd_data *data = wpa_s->ifmsh->bss[0]; 595 struct sta_info *sta; 596 struct wpa_ssid *ssid = wpa_s->current_ssid; 597 598 sta = mesh_mpm_add_peer(wpa_s, addr, elems); 599 if (!sta) 600 return; 601 602 if (ssid && ssid->no_auto_peer) { 603 wpa_msg(wpa_s, MSG_INFO, "will not initiate new peer link with " 604 MACSTR " because of no_auto_peer", MAC2STR(addr)); 605 if (data->mesh_pending_auth) { 606 struct os_reltime age; 607 const struct ieee80211_mgmt *mgmt; 608 struct hostapd_frame_info fi; 609 610 mgmt = wpabuf_head(data->mesh_pending_auth); 611 os_reltime_age(&data->mesh_pending_auth_time, &age); 612 if (age.sec < 2 && 613 os_memcmp(mgmt->sa, addr, ETH_ALEN) == 0) { 614 wpa_printf(MSG_DEBUG, 615 "mesh: Process pending Authentication frame from %u.%06u seconds ago", 616 (unsigned int) age.sec, 617 (unsigned int) age.usec); 618 os_memset(&fi, 0, sizeof(fi)); 619 ieee802_11_mgmt( 620 data, 621 wpabuf_head(data->mesh_pending_auth), 622 wpabuf_len(data->mesh_pending_auth), 623 &fi); 624 } 625 wpabuf_free(data->mesh_pending_auth); 626 data->mesh_pending_auth = NULL; 627 } 628 return; 629 } 630 631 if (conf->security == MESH_CONF_SEC_NONE) 632 mesh_mpm_plink_open(wpa_s, sta, PLINK_OPEN_SENT); 633 else 634 mesh_rsn_auth_sae_sta(wpa_s, sta); 635 } 636 637 638 void mesh_mpm_mgmt_rx(struct wpa_supplicant *wpa_s, struct rx_mgmt *rx_mgmt) 639 { 640 struct hostapd_frame_info fi; 641 642 os_memset(&fi, 0, sizeof(fi)); 643 fi.datarate = rx_mgmt->datarate; 644 fi.ssi_signal = rx_mgmt->ssi_signal; 645 ieee802_11_mgmt(wpa_s->ifmsh->bss[0], rx_mgmt->frame, 646 rx_mgmt->frame_len, &fi); 647 } 648 649 650 static void mesh_mpm_plink_estab(struct wpa_supplicant *wpa_s, 651 struct sta_info *sta) 652 { 653 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 654 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 655 u8 seq[6] = {}; 656 657 wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR " established", 658 MAC2STR(sta->addr)); 659 660 if (conf->security & MESH_CONF_SEC_AMPE) { 661 wpa_drv_set_key(wpa_s, WPA_ALG_CCMP, sta->addr, 0, 0, 662 seq, sizeof(seq), sta->mtk, sizeof(sta->mtk)); 663 wpa_drv_set_key(wpa_s, WPA_ALG_CCMP, sta->addr, 1, 0, 664 seq, sizeof(seq), 665 sta->mgtk, sizeof(sta->mgtk)); 666 wpa_drv_set_key(wpa_s, WPA_ALG_IGTK, sta->addr, 4, 0, 667 seq, sizeof(seq), 668 sta->mgtk, sizeof(sta->mgtk)); 669 670 wpa_hexdump_key(MSG_DEBUG, "mtk:", sta->mtk, sizeof(sta->mtk)); 671 wpa_hexdump_key(MSG_DEBUG, "mgtk:", 672 sta->mgtk, sizeof(sta->mgtk)); 673 } 674 675 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_ESTAB); 676 hapd->num_plinks++; 677 678 sta->flags |= WLAN_STA_ASSOC; 679 680 eloop_cancel_timeout(plink_timer, wpa_s, sta); 681 682 /* Send ctrl event */ 683 wpa_msg_ctrl(wpa_s, MSG_INFO, MESH_PEER_CONNECTED MACSTR, 684 MAC2STR(sta->addr)); 685 } 686 687 688 static void mesh_mpm_fsm(struct wpa_supplicant *wpa_s, struct sta_info *sta, 689 enum plink_event event) 690 { 691 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 692 struct mesh_conf *conf = wpa_s->ifmsh->mconf; 693 u16 reason = 0; 694 695 wpa_msg(wpa_s, MSG_DEBUG, "MPM " MACSTR " state %s event %s", 696 MAC2STR(sta->addr), mplstate[sta->plink_state], 697 mplevent[event]); 698 699 switch (sta->plink_state) { 700 case PLINK_LISTEN: 701 switch (event) { 702 case CLS_ACPT: 703 mesh_mpm_fsm_restart(wpa_s, sta); 704 break; 705 case OPN_ACPT: 706 mesh_mpm_plink_open(wpa_s, sta, PLINK_OPEN_RCVD); 707 mesh_mpm_send_plink_action(wpa_s, sta, PLINK_CONFIRM, 708 0); 709 break; 710 default: 711 break; 712 } 713 break; 714 case PLINK_OPEN_SENT: 715 switch (event) { 716 case OPN_RJCT: 717 case CNF_RJCT: 718 reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION; 719 /* fall-through */ 720 case CLS_ACPT: 721 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 722 if (!reason) 723 reason = WLAN_REASON_MESH_CLOSE_RCVD; 724 eloop_register_timeout( 725 conf->dot11MeshHoldingTimeout / 1000, 726 (conf->dot11MeshHoldingTimeout % 1000) * 1000, 727 plink_timer, wpa_s, sta); 728 mesh_mpm_send_plink_action(wpa_s, sta, 729 PLINK_CLOSE, reason); 730 break; 731 case OPN_ACPT: 732 /* retry timer is left untouched */ 733 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_OPEN_RCVD); 734 mesh_mpm_send_plink_action(wpa_s, sta, 735 PLINK_CONFIRM, 0); 736 break; 737 case CNF_ACPT: 738 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_CNF_RCVD); 739 eloop_register_timeout( 740 conf->dot11MeshConfirmTimeout / 1000, 741 (conf->dot11MeshConfirmTimeout % 1000) * 1000, 742 plink_timer, wpa_s, sta); 743 break; 744 default: 745 break; 746 } 747 break; 748 case PLINK_OPEN_RCVD: 749 switch (event) { 750 case OPN_RJCT: 751 case CNF_RJCT: 752 reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION; 753 /* fall-through */ 754 case CLS_ACPT: 755 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 756 if (!reason) 757 reason = WLAN_REASON_MESH_CLOSE_RCVD; 758 eloop_register_timeout( 759 conf->dot11MeshHoldingTimeout / 1000, 760 (conf->dot11MeshHoldingTimeout % 1000) * 1000, 761 plink_timer, wpa_s, sta); 762 sta->mpm_close_reason = reason; 763 mesh_mpm_send_plink_action(wpa_s, sta, 764 PLINK_CLOSE, reason); 765 break; 766 case OPN_ACPT: 767 mesh_mpm_send_plink_action(wpa_s, sta, 768 PLINK_CONFIRM, 0); 769 break; 770 case CNF_ACPT: 771 if (conf->security & MESH_CONF_SEC_AMPE) 772 mesh_rsn_derive_mtk(wpa_s, sta); 773 mesh_mpm_plink_estab(wpa_s, sta); 774 break; 775 default: 776 break; 777 } 778 break; 779 case PLINK_CNF_RCVD: 780 switch (event) { 781 case OPN_RJCT: 782 case CNF_RJCT: 783 reason = WLAN_REASON_MESH_CONFIG_POLICY_VIOLATION; 784 /* fall-through */ 785 case CLS_ACPT: 786 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 787 if (!reason) 788 reason = WLAN_REASON_MESH_CLOSE_RCVD; 789 eloop_register_timeout( 790 conf->dot11MeshHoldingTimeout / 1000, 791 (conf->dot11MeshHoldingTimeout % 1000) * 1000, 792 plink_timer, wpa_s, sta); 793 sta->mpm_close_reason = reason; 794 mesh_mpm_send_plink_action(wpa_s, sta, 795 PLINK_CLOSE, reason); 796 break; 797 case OPN_ACPT: 798 mesh_mpm_plink_estab(wpa_s, sta); 799 mesh_mpm_send_plink_action(wpa_s, sta, 800 PLINK_CONFIRM, 0); 801 break; 802 default: 803 break; 804 } 805 break; 806 case PLINK_ESTAB: 807 switch (event) { 808 case CLS_ACPT: 809 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_HOLDING); 810 reason = WLAN_REASON_MESH_CLOSE_RCVD; 811 812 eloop_register_timeout( 813 conf->dot11MeshHoldingTimeout / 1000, 814 (conf->dot11MeshHoldingTimeout % 1000) * 1000, 815 plink_timer, wpa_s, sta); 816 sta->mpm_close_reason = reason; 817 818 wpa_msg(wpa_s, MSG_INFO, "mesh plink with " MACSTR 819 " closed with reason %d", 820 MAC2STR(sta->addr), reason); 821 822 wpa_msg_ctrl(wpa_s, MSG_INFO, 823 MESH_PEER_DISCONNECTED MACSTR, 824 MAC2STR(sta->addr)); 825 826 hapd->num_plinks--; 827 828 mesh_mpm_send_plink_action(wpa_s, sta, 829 PLINK_CLOSE, reason); 830 break; 831 case OPN_ACPT: 832 mesh_mpm_send_plink_action(wpa_s, sta, 833 PLINK_CONFIRM, 0); 834 break; 835 default: 836 break; 837 } 838 break; 839 case PLINK_HOLDING: 840 switch (event) { 841 case CLS_ACPT: 842 mesh_mpm_fsm_restart(wpa_s, sta); 843 break; 844 case OPN_ACPT: 845 case CNF_ACPT: 846 case OPN_RJCT: 847 case CNF_RJCT: 848 reason = sta->mpm_close_reason; 849 mesh_mpm_send_plink_action(wpa_s, sta, 850 PLINK_CLOSE, reason); 851 break; 852 default: 853 break; 854 } 855 break; 856 default: 857 wpa_msg(wpa_s, MSG_DEBUG, 858 "Unsupported MPM event %s for state %s", 859 mplevent[event], mplstate[sta->plink_state]); 860 break; 861 } 862 } 863 864 865 void mesh_mpm_action_rx(struct wpa_supplicant *wpa_s, 866 const struct ieee80211_mgmt *mgmt, size_t len) 867 { 868 u8 action_field; 869 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 870 struct mesh_conf *mconf = wpa_s->ifmsh->mconf; 871 struct sta_info *sta; 872 u16 plid = 0, llid = 0; 873 enum plink_event event; 874 struct ieee802_11_elems elems; 875 struct mesh_peer_mgmt_ie peer_mgmt_ie; 876 const u8 *ies; 877 size_t ie_len; 878 int ret; 879 880 if (mgmt->u.action.category != WLAN_ACTION_SELF_PROTECTED) 881 return; 882 883 action_field = mgmt->u.action.u.slf_prot_action.action; 884 if (action_field != PLINK_OPEN && 885 action_field != PLINK_CONFIRM && 886 action_field != PLINK_CLOSE) 887 return; 888 889 ies = mgmt->u.action.u.slf_prot_action.variable; 890 ie_len = (const u8 *) mgmt + len - 891 mgmt->u.action.u.slf_prot_action.variable; 892 893 /* at least expect mesh id and peering mgmt */ 894 if (ie_len < 2 + 2) { 895 wpa_printf(MSG_DEBUG, 896 "MPM: Ignore too short action frame %u ie_len %u", 897 action_field, (unsigned int) ie_len); 898 return; 899 } 900 wpa_printf(MSG_DEBUG, "MPM: Received PLINK action %u", action_field); 901 902 if (action_field == PLINK_OPEN || action_field == PLINK_CONFIRM) { 903 wpa_printf(MSG_DEBUG, "MPM: Capability 0x%x", 904 WPA_GET_LE16(ies)); 905 ies += 2; /* capability */ 906 ie_len -= 2; 907 } 908 if (action_field == PLINK_CONFIRM) { 909 wpa_printf(MSG_DEBUG, "MPM: AID 0x%x", WPA_GET_LE16(ies)); 910 ies += 2; /* aid */ 911 ie_len -= 2; 912 } 913 914 /* check for mesh peering, mesh id and mesh config IEs */ 915 if (ieee802_11_parse_elems(ies, ie_len, &elems, 0) == ParseFailed) { 916 wpa_printf(MSG_DEBUG, "MPM: Failed to parse PLINK IEs"); 917 return; 918 } 919 if (!elems.peer_mgmt) { 920 wpa_printf(MSG_DEBUG, 921 "MPM: No Mesh Peering Management element"); 922 return; 923 } 924 if (action_field != PLINK_CLOSE) { 925 if (!elems.mesh_id || !elems.mesh_config) { 926 wpa_printf(MSG_DEBUG, 927 "MPM: No Mesh ID or Mesh Configuration element"); 928 return; 929 } 930 931 if (!matches_local(wpa_s, &elems)) { 932 wpa_printf(MSG_DEBUG, 933 "MPM: Mesh ID or Mesh Configuration element do not match local MBSS"); 934 return; 935 } 936 } 937 938 ret = mesh_mpm_parse_peer_mgmt(wpa_s, action_field, 939 elems.peer_mgmt, 940 elems.peer_mgmt_len, 941 &peer_mgmt_ie); 942 if (ret) { 943 wpa_printf(MSG_DEBUG, "MPM: Mesh parsing rejected frame"); 944 return; 945 } 946 947 /* the sender's llid is our plid and vice-versa */ 948 plid = WPA_GET_LE16(peer_mgmt_ie.llid); 949 if (peer_mgmt_ie.plid) 950 llid = WPA_GET_LE16(peer_mgmt_ie.plid); 951 wpa_printf(MSG_DEBUG, "MPM: plid=0x%x llid=0x%x", plid, llid); 952 953 sta = ap_get_sta(hapd, mgmt->sa); 954 955 /* 956 * If this is an open frame from an unknown STA, and this is an 957 * open mesh, then go ahead and add the peer before proceeding. 958 */ 959 if (!sta && action_field == PLINK_OPEN && 960 !(mconf->security & MESH_CONF_SEC_AMPE)) 961 sta = mesh_mpm_add_peer(wpa_s, mgmt->sa, &elems); 962 963 if (!sta) { 964 wpa_printf(MSG_DEBUG, "MPM: No STA entry for peer"); 965 return; 966 } 967 968 #ifdef CONFIG_SAE 969 /* peer is in sae_accepted? */ 970 if (sta->sae && sta->sae->state != SAE_ACCEPTED) { 971 wpa_printf(MSG_DEBUG, "MPM: SAE not yet accepted for peer"); 972 return; 973 } 974 #endif /* CONFIG_SAE */ 975 976 if (!sta->my_lid) 977 mesh_mpm_init_link(wpa_s, sta); 978 979 if ((mconf->security & MESH_CONF_SEC_AMPE) && 980 mesh_rsn_process_ampe(wpa_s, sta, &elems, 981 &mgmt->u.action.category, 982 ies, ie_len)) { 983 wpa_printf(MSG_DEBUG, "MPM: RSN process rejected frame"); 984 return; 985 } 986 987 if (sta->plink_state == PLINK_BLOCKED) { 988 wpa_printf(MSG_DEBUG, "MPM: PLINK_BLOCKED"); 989 return; 990 } 991 992 /* Now we will figure out the appropriate event... */ 993 switch (action_field) { 994 case PLINK_OPEN: 995 if (plink_free_count(hapd) == 0) { 996 event = OPN_IGNR; 997 wpa_printf(MSG_INFO, 998 "MPM: Peer link num over quota(%d)", 999 hapd->max_plinks); 1000 } else if (sta->peer_lid && sta->peer_lid != plid) { 1001 event = OPN_IGNR; 1002 } else { 1003 sta->peer_lid = plid; 1004 event = OPN_ACPT; 1005 } 1006 break; 1007 case PLINK_CONFIRM: 1008 if (plink_free_count(hapd) == 0) { 1009 event = CNF_IGNR; 1010 wpa_printf(MSG_INFO, 1011 "MPM: Peer link num over quota(%d)", 1012 hapd->max_plinks); 1013 } else if (sta->my_lid != llid || 1014 (sta->peer_lid && sta->peer_lid != plid)) { 1015 event = CNF_IGNR; 1016 } else { 1017 if (!sta->peer_lid) 1018 sta->peer_lid = plid; 1019 event = CNF_ACPT; 1020 } 1021 break; 1022 case PLINK_CLOSE: 1023 if (sta->plink_state == PLINK_ESTAB) 1024 /* Do not check for llid or plid. This does not 1025 * follow the standard but since multiple plinks 1026 * per cand are not supported, it is necessary in 1027 * order to avoid a livelock when MP A sees an 1028 * establish peer link to MP B but MP B does not 1029 * see it. This can be caused by a timeout in 1030 * B's peer link establishment or B being 1031 * restarted. 1032 */ 1033 event = CLS_ACPT; 1034 else if (sta->peer_lid != plid) 1035 event = CLS_IGNR; 1036 else if (peer_mgmt_ie.plid && sta->my_lid != llid) 1037 event = CLS_IGNR; 1038 else 1039 event = CLS_ACPT; 1040 break; 1041 default: 1042 /* 1043 * This cannot be hit due to the action_field check above, but 1044 * compilers may not be able to figure that out and can warn 1045 * about uninitialized event below. 1046 */ 1047 return; 1048 } 1049 mesh_mpm_fsm(wpa_s, sta, event); 1050 } 1051 1052 1053 /* called by ap_free_sta */ 1054 void mesh_mpm_free_sta(struct sta_info *sta) 1055 { 1056 eloop_cancel_timeout(plink_timer, ELOOP_ALL_CTX, sta); 1057 eloop_cancel_timeout(mesh_auth_timer, ELOOP_ALL_CTX, sta); 1058 } 1059
